Chapter 50 Β· Glossary

Malicious Code Glossary

Key malware types, attack techniques, and defenses from executable viruses to fileless threats.

Malicious Code
Any software, script, or code designed to damage systems, steal data, disrupt operations, or gain unauthorized access. The technical alternative to non-technical intrusion methods like social engineering or misconfiguration exploitation. Forms include executables, scripts, macro viruses, worms, Trojans, ransomware, spyware, rootkits, keyloggers, and logic bombs. Defense requires multiple layers: anti-malware, firewalls, patching, and secure user behavior.
Virus
Malicious code that attaches itself to legitimate programs or files and spreads when users execute the infected host. Requires both a host file and user action to propagate β€” the user must run or open the infected file. Can infect executables, documents with macros, boot sectors, or scripts. A macro virus specifically infects office documents (Word, Excel) by embedding malicious macros that execute when the document is opened. Unlike worms, viruses cannot spread without the infected host being executed by a user.
Worm
Self-replicating malware that spreads across networks without requiring user interaction or a host file. A worm scans for vulnerable systems, exploits a vulnerability to install itself, then immediately begins scanning for additional targets. Each infected host becomes a new propagation point. Worms spread exponentially β€” one infected machine can infect thousands in minutes. WannaCry was delivered as a worm exploiting SMBv1. Unlike viruses, no user action is needed; a machine with a vulnerable exposed service can be infected silently.
Trojan Horse
Malicious code disguised as a legitimate, useful application to trick users into installing it voluntarily. Named for the Greek myth. The visible application may function as advertised (a game, a utility, a media player) while the hidden payload executes in the background β€” opening backdoors, installing keyloggers, or delivering ransomware. Unlike worms and viruses, Trojans do not self-replicate; they depend entirely on user installation. Delivered through phishing emails, fake download sites, and software bundling.
Ransomware
Malware that encrypts victim files and demands payment β€” typically in cryptocurrency β€” for the decryption key. The victim loses access to documents, photos, databases, or entire systems until the ransom is paid (if ever β€” payment doesn't guarantee key delivery). Can be delivered as a Trojan (user installs it), a worm (self-propagating via vulnerability), or dropped by a RAT. WannaCry combined ransomware payload with worm propagation. Defense: regular offline backups (so files can be restored without paying), patching (closes delivery vulnerabilities), and endpoint protection.
Spyware
Malware that covertly collects information about the victim and transmits it to the attacker. Collects keystrokes, screenshots, browsing history, credentials, banking information, and application data β€” without the user's knowledge. Designed to operate silently; visible disruption would trigger detection. Often bundled with free software (adware-spyware combination) or delivered as a Trojan. Stalkerware is a variant used for personal surveillance in domestic abuse contexts rather than financial theft.
Rootkit
Malware designed to hide itself and other malicious software by modifying the operating system. Intercepts OS system calls to filter its own files, processes, and network connections from monitoring tools β€” the infected system appears clean when examined with standard utilities. Typically requires OS-level or kernel-level privileges to install. Detecting rootkits often requires booting from a trusted external drive to inspect the system without the rootkit's hooks active. Firmware-level rootkits persist through OS reinstallation.
Keylogger
Malware that records every keystroke typed on the infected system, capturing passwords, usernames, credit card numbers, messages, and any other typed input. Can be software-based (installed as a program, driver, or browser extension) or hardware-based (a physical device between keyboard and computer, or embedded in the keyboard itself). Software keyloggers transmit captured data to the attacker via network connection or store it for later retrieval. Often a component of larger malware packages alongside RATs and spyware.
Logic Bomb
Malicious code embedded in a system that remains dormant until a specific trigger condition is met β€” a date, a user action, the presence or absence of a file, or a system event. When triggered, the payload executes: deleting files, exfiltrating data, encrypting the system. Often planted by malicious insiders who have legitimate access to the systems they target. Difficult to detect because the code performs no malicious activity until triggered; it may pass code reviews if the trigger and payload are sufficiently obfuscated.
Remote Access Trojan (RAT) / Backdoor
Malware that provides the attacker with persistent remote control of the infected system. A RAT opens a hidden channel allowing the attacker to control keyboard and mouse, access files, capture screenshots, activate the webcam/microphone, install additional malware, and exfiltrate data. A backdoor is any hidden access pathway β€” a listening service on an unusual port, a hidden admin account, or a modified authentication routine β€” that allows re-entry even if the primary compromise vector is closed. Both operate silently to avoid detection.
Fileless Malware
Malware that operates entirely in system memory without writing executable files to disk. Evades signature-based anti-malware that scans the filesystem because there are no malicious files to detect. Typically abuses legitimate system tools β€” PowerShell, Windows Management Instrumentation (WMI), the registry β€” to execute malicious code in memory. Particularly dangerous because it leaves minimal forensic traces and often disappears on reboot. Detected by behavioral monitoring that watches for unusual use of system tools regardless of whether a malicious file is present.
Arbitrary Code Execution
A vulnerability class that allows an attacker to run any code of their choosing on a target system, beyond what the application was designed to permit. The most severe type of vulnerability β€” arbitrary code execution gives the attacker full control over what the target system does. WannaCry's SMBv1 exploit provided arbitrary code execution: by sending a crafted packet to the SMB port, the attacker could install and run any software on the target without authentication. Used to install ransomware, RATs, or any other payload.