0 / 10 flipped
Virus vs. Worm
Tap to reveal
Virus: attaches to a host file; requires user action (executing the infected file) to spread; propagation limited by user behavior. Worm: standalone; no host file needed; spreads autonomously by exploiting network vulnerabilities without any user interaction; spreads exponentially. Key exam distinction: a worm can infect a machine with a vulnerable service even if the user does nothing wrong. WannaCry was a worm β no one clicked anything; machines were infected simply by having SMBv1 exposed on the network.
Trojan Horse
Tap to reveal
Malicious code disguised as legitimate, useful software. The user installs it voluntarily, believing they're getting a game, utility, or media codec. The visible application may function as advertised while the hidden payload β backdoor, keylogger, ransomware, RAT β executes in the background. Trojans do not self-replicate β they depend entirely on user installation. This is the key difference from viruses (need host execution to spread) and worms (spread autonomously). Delivered via phishing, fake download sites, software bundling.
WannaCry β Key Facts
Tap to reveal
Ransomware worm β May 2017. Exploited Windows SMBv1 vulnerability (MS17-010 / EternalBlue) for arbitrary code execution. Spread as a worm with no user interaction required. Encrypted user files; demanded Bitcoin ransom. Infected 230,000+ machines in 150 countries. Key institutions: UK NHS hospitals, TelefΓ³nica, FedEx, Deutsche Bahn. The patch (MS17-010) was available two months before the attack. Every infection was preventable by patching. A kill switch domain registered for $10.69 halted the spread of the initial variant.
British Airways XSS Attack
Tap to reveal
Cross-site scripting formjacking attack by Magecart β JuneβSeptember 2018. Attackers placed 22 lines of malicious JavaScript on the British Airways checkout pages. The script silently captured payment card data (card number, CVV, expiry, name, billing address) as customers typed it, transmitting it to an attacker-controlled server. Ran undetected for over two weeks. ~380,000 victims. BA fined Β£20 million under GDPR. Key lesson: one compromised website automatically becomes an attack against all its visitors.
SQL Injection
Tap to reveal
Malicious code injected into a database query by exploiting unsanitized user input. If a web application builds SQL queries by concatenating user-provided strings, an attacker can input SQL commands that alter the query's behavior β bypassing authentication, reading unauthorized data, modifying records, or deleting tables. The Estonian Central Health Database was breached this way β SQL injection provided access to every patient record in the country. Defense: parameterized queries (prepared statements) β user input is treated as data only, never as executable SQL.
Ransomware
Tap to reveal
Malware that encrypts the victim's files and demands payment for the decryption key. Delivery method varies: Trojan (user installs it), worm (self-propagating via vulnerability), phishing link, drive-by download. Payment is typically demanded in cryptocurrency. Paying doesn't guarantee key delivery. Defense: offline backups (restore without paying), patching (close delivery vulnerabilities), endpoint protection. WannaCry combined ransomware payload with worm propagation β the worm spread the ransomware autonomously across networks.
Rootkit
Tap to reveal
Malware that modifies the operating system to hide itself and other malicious software. Intercepts OS system calls to filter its own files, processes, and network connections from monitoring tools β the infected system appears clean when examined. Requires OS-level or kernel-level privileges. Detection: boot from a trusted external drive (bypasses the rootkit's hooks) and inspect the filesystem and processes from that clean context. Firmware-level rootkits survive OS reinstallation. Key characteristic: rootkits are about persistence and concealment, not direct damage.
Logic Bomb
Tap to reveal
Malicious code that lies dormant until a specific trigger condition is met β a date, a user action, the deletion of an account, or a system event. When triggered, the payload executes: deleting files, exfiltrating data, or encrypting the system. Often planted by malicious insiders who have legitimate system access β a disgruntled employee might embed one before departing. Difficult to detect through standard scans because the code does nothing suspicious until triggered. Code review and change control monitoring help catch logic bombs during the dormant phase.
Fileless Malware
Tap to reveal
Malware that operates entirely in memory without writing executable files to disk. Evades traditional signature-based anti-malware because there are no malicious files to scan. Typically abuses legitimate system tools β PowerShell, Windows Management Instrumentation (WMI), the Windows registry β to execute malicious code in memory. Leaves minimal forensic traces. Largely disappears on reboot (persistence requires abusing registry or scheduled tasks, which behavioral tools can detect). Detected by behavioral monitoring and EDR that watches for unusual use of system tools regardless of whether a malicious file is present.
Defense in Depth β Malicious Code
Tap to reveal
No single control protects against all malicious code types. Required stack: Anti-malware (signature, heuristic, behavioral) β catches known and suspicious executables. Firewall β blocks exploit traffic and C2 communications. Continuous patching β closes vulnerabilities before they're exploited (WannaCry lesson). Input validation / parameterized queries β prevents injection attacks. Secure computing habits β removes the human delivery vector for Trojans and macro viruses. Offline backups β mitigates ransomware. Each layer addresses attacks that other layers miss.