Malware
Short for malicious software β any program or code specifically designed to damage, disrupt, spy on, or gain unauthorized access to a computer system or its data. Malware is a broad category encompassing many distinct types (viruses, worms, ransomware, Trojans, rootkits, etc.), each with different behaviors, delivery mechanisms, and goals. The common thread is intent: the software performs actions the system owner would not authorize if they understood what the program actually does.
Virus
A type of malware that attaches itself to a legitimate file or program and spreads when that infected file is executed. Unlike a worm, a virus requires a host file and typically requires some human action (running the infected file) to spread. Viruses often corrupt data, alter system behavior, or deliver additional payloads. Covered in depth in Chapter 41.
Worm
A self-replicating malware that spreads automatically across networks by exploiting vulnerabilities, without requiring a host file or human interaction. Once a worm finds a vulnerable system, it copies itself there and continues scanning for new targets. Worms consume network bandwidth and commonly serve as delivery mechanisms for additional malware payloads. Covered in depth in Chapter 41.
Ransomware
Malware that encrypts the victim's data files (documents, images, databases) using strong public-key cryptography, then demands payment (typically cryptocurrency) in exchange for the decryption key. The operating system is left functional so the victim can see the ransom demand and navigate to the payment site. Ransomware targets both individuals and organizations. The key defense is an offline or immutable backup β a clean copy the ransomware cannot reach.
Trojan Horse
Malware disguised as legitimate, useful software. The victim installs it voluntarily, believing it serves a genuine purpose β a game, a productivity tool, a fake update. Once executed, it performs malicious actions: creating backdoors, downloading additional malware, stealing data, or opening a remote access channel. Trojan horses rely on deception rather than exploitation of technical vulnerabilities; they bypass defenses by making the user the delivery mechanism.
Rootkit
A collection of malware components that gain administrative-level control over a system while hiding their presence from security software and the OS. Rootkits operate deep within the OS β sometimes at the kernel level or below β making them extremely difficult to detect and remove with standard tools. Their primary function is concealment: a rootkit allows an attacker to maintain a persistent, invisible presence on a system and to hide other malware running alongside it.
Keylogger
Malware that records every keystroke typed on a system and transmits that log to the attacker. Keyloggers are used to capture usernames, passwords, PINs, credit card numbers, private messages, and any other information typed at a keyboard. Because they target credentials directly, keyloggers are a foundational component of many credential-theft and account-takeover attack chains.
Spyware
Malware that secretly observes user activity, collects information, and transmits it to a third party without the user's knowledge or consent. Spyware may capture browsing history, application usage, location data, microphone audio, camera images, or screen content β going beyond keystroke logging to build a comprehensive profile of the victim's behavior. Covered in depth in Chapter 42.
Bloatware
Unwanted software that is pre-installed on devices or bundled with legitimate software installations. While sometimes merely resource-wasteful (consuming CPU, RAM, and disk), bloatware may contain insecure code that introduces vulnerabilities, may collect and transmit usage data, or may serve as a delivery mechanism for additional unwanted software. The security concern is that bloatware expands the attack surface without providing user value. Covered in depth in Chapter 42.
Logic Bomb
Malicious code that lies dormant within a system until a specific trigger condition is met, at which point it executes its payload. Triggers can be date/time based (e.g., activates on January 1), event based (e.g., a specific user account is deleted or a file is accessed), or condition based. Logic bombs are often planted by insiders β disgruntled employees who embed them in legitimate code before departing. The delayed activation makes them difficult to detect before triggering.
Drive-by Download
A malware delivery method in which simply visiting a compromised web page causes malware to be automatically downloaded and executed on the visitor's system β without any intentional user interaction beyond loading the page. Drive-by downloads exploit vulnerabilities in web browsers, browser plugins (PDF readers, media players), or JavaScript engines. The victim does not click any download link; the exploit code runs silently within the browser's execution environment.
Botnet
A network of compromised computers (bots) under the remote control of an attacker (the botmaster). Individual systems are infected with malware that opens a command-and-control (C2) channel back to the attacker's infrastructure. Botnets are used to launch distributed denial-of-service (DDoS) attacks, send spam, distribute additional malware, mine cryptocurrency, and conduct credential-stuffing attacks β all using the computational resources of the victims' machines without their knowledge.
Personally Identifiable Information (PII)
Any information that can be used alone or in combination to identify a specific individual. Examples include: full name, Social Security number, date of birth, home address, email address, financial account numbers, medical records, and biometric data. PII is a high-value target for malware operators because it can be sold on criminal markets, used for identity theft, or leveraged to extort victims. The theft and mishandling of PII triggers regulatory obligations in most jurisdictions.
Offline Backup
A backup copy of data that is physically or logically disconnected from the production network β and therefore unreachable by ransomware or other malware running on connected systems. Offline backups (tape, disconnected drives, air-gapped systems) provide a recovery path even when all connected data is encrypted. An online backup β a backup stored on a network share or cloud drive connected to the infected system β may itself be encrypted by ransomware, eliminating the recovery path.