The Nine Malware Types at a Glance
Overview only β Chapters 41β43 cover each type in depth.
| Type | Spreads How | Primary Goal | Signature Behavior |
|---|---|---|---|
| Virus | Attaches to files; spreads when infected file runs | Corruption, propagation | File size changes; unexpected program behavior |
| Worm | Auto-propagates across network via vulnerabilities; no host file needed | Propagation, payload delivery | Unusual network traffic; high CPU/bandwidth |
| Ransomware | Delivered via phishing, drive-by, or worm; executes as payload | Extortion via data encryption | Mass file encryption; ransom note appears; extensions changed |
| Trojan Horse | User installs it voluntarily, believing it to be legitimate software | Initial access, backdoor creation | Unexpected outbound connections; new services/processes |
| Rootkit | Installed by other malware or attacker with existing access | Persistence, concealment of other malware | Security tools report clean despite behavioral anomalies |
| Keylogger | Delivered via Trojan, drive-by, or phishing | Credential theft, surveillance | Outbound transmissions of keystroke data; unknown processes monitoring input |
| Spyware | Bundled with software, drive-by, or phishing | Information gathering, behavior monitoring | Unexplained data exfiltration; camera/mic access without user action |
| Bloatware | Pre-installed on device or bundled with software installs | Revenue generation; may introduce vulnerabilities | Resource consumption; unexplained network activity |
| Logic Bomb | Planted by insiders or embedded in legitimate code | Timed sabotage or data destruction | Dormant until trigger β then sudden mass deletion or destruction |
How Malware Types Work Together β The Multi-Stage Chain
Malware is rarely a single event. Real-world attacks combine multiple types in a coordinated sequence.
Infection Vectors β How Malware Reaches a System
Most common vector. Phishing email delivers a malicious link (leads to exploit site) or infected attachment (PDF, Office macro, ZIP containing executable). User action required: clicking the link or opening the attachment.
Malicious advertisements (malvertising) or fake system alerts on compromised sites prompt the user to click. Clicking triggers a download or redirects to an exploit page.
Visiting a compromised page is sufficient β no click required. The page executes exploit code in the browser that targets a vulnerability in the browser itself, a plugin (PDF reader, media player), or JavaScript engine. Malware installs silently in the background.
Worms spread entirely without user interaction by exploiting network-facing vulnerabilities in operating systems or services. The victim system does not need to run anything β the worm finds it, exploits it, and installs itself automatically.
The Value of Data β Why Malware Exists
- Family photos and videos β irreplaceable; emotional leverage for ransom
- Personal documents β tax returns, contracts, legal records
- Credentials β banking logins, email passwords, social media accounts
- Financial data β account numbers, card numbers
Valuable for direct financial exploitation (account takeover) or ransomware extortion (pay to recover irreplaceable files).
- Employee PII β Social Security numbers, addresses, payroll records
- Financial records β accounts payable/receivable, banking details
- Strategic planning documents β competitive intelligence value
- Intellectual property β research data, source code, trade secrets
- Customer data β any data organization is responsible for protecting
Valuable for sale on criminal markets, ransomware extortion (pay or we publish), and espionage. Regulatory breach notification obligations add further cost to exposure.
The Four Defense Fundamentals
| Defense | What It Does | What It Stops | Critical Detail |
|---|---|---|---|
| Offline / Immutable Backups | Preserves a clean copy of data the malware cannot reach or encrypt | Recovery from ransomware, logic bombs, destructive worms | Backup must be offline or immutable β online/connected backups can be encrypted by ransomware |
| OS Patching | Closes known vulnerabilities in the operating system | Worm propagation, drive-by downloads, exploit-based delivery | Most worm/drive-by exploits target known CVEs that have patches available β unpatched = open door |
| Application Patching | Closes known vulnerabilities in browsers, plugins, office suites, etc. | Drive-by downloads, malicious documents, plugin exploits | Browsers and plugins are frequent attack targets; vendor patches must be applied promptly |
| AV / Anti-Malware Signatures | Enables security software to recognize known malware by its code pattern | Known malware variants distributed in the wild | New variants release hourly; signatures must be current to detect recent threats. Ineffective against zero-day malware (no signature exists) |
Ransomware: The OS Stays Running β Why
Ransomware deliberately encrypts data files (documents, images, databases) while leaving the operating system functional. This is intentional design, not a limitation:
- If the OS is destroyed, the victim cannot see the ransom demand
- If the OS is destroyed, the victim cannot navigate to the payment site
- If the OS is destroyed, the victim cannot transfer cryptocurrency
The attacker wants the victim operational but helpless β able to act on the ransom demand, but unable to use their own work files until they pay. The OS remaining functional is a feature of the attack, not an oversight.
Public-key cryptography as a weapon: The same mathematical tools used to secure communications are used to encrypt files. The attacker holds the private key; the public key embedded in the ransomware encrypts files. Without the private key, decryption is computationally infeasible. The "unfortunate use of cryptography" framing in the exam refers to this inversion β a defensive tool used offensively.