Malware is like different kinds of germs that can make your computer sick. Some germs spread when you touch something (like a virus that hides in files you download). Some travel on their own through the air (like worms that jump between computers). Others pretend to be medicine but are actually poison (like trojans that look like helpful programs). Just like doctors need to know different germs to treat them, security people need to know different types of malware to protect against each one.
Malware (malicious software) is any software intentionally designed to cause damage, gain unauthorized access, or disrupt operations. Understanding malware types is essential for the Security+ exam, as different types have distinct behaviors, delivery mechanisms, and indicators. Modern malware often combines multiple techniques and may operate entirely in memory to evade detection.
Key Concepts
Virus: Requires a host file to execute; spreads when the infected file is opened or executed
Worm: Self-replicating malware that spreads across networks without user interaction
Trojan: Disguised as legitimate software; provides backdoor access or delivers additional payloads
Rootkit: Hides deep in the OS (kernel-level or boot-level) to maintain persistent, stealthy access
Spyware: Secretly monitors user activity, capturing keystrokes, screenshots, or browsing habits
Keylogger: Records keystrokes to capture passwords, credit card numbers, and other sensitive input
Polymorphic malware: Changes its code signature with each infection to evade signature-based detection
Metamorphic malware: Completely rewrites its own code while maintaining functionality
Adware: Software that automatically displays or downloads advertisements; may track browsing habits
Cryptojacking: Unauthorized use of computing resources to mine cryptocurrency
Exam Tips
Remember
Virus = needs host file. Worm = self-replicates over network. Trojan = disguised as legit. Rootkit = hides in OS. Fileless = lives in memory. Polymorphic = changes signature. Know the DELIVERY and BEHAVIOR of each type.
Fileless malware is increasingly common and evades traditional antivirus — requires behavioral detection
Rootkits may require a full OS reinstall to remove; boot-level rootkits survive standard removal
Logic bombs are often planted by malicious insiders
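The behavioral-detection point above (and the PowerShell/WMI scenario in Q2 below) can be shown with a small rule engine run over process-creation telemetry. This is an added illustration, not code from the original notes; the event records, field names (Sysmon-style Image, ParentImage, CommandLine) and rule names are all constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation records (Event ID 1 fields),
# invented for this example; they are not real telemetry. "QUJD" is a
# placeholder for an encoded command, not a real payload.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QUJD"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Reports"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},
]

def _base(path):
    """Lower-cased file name of a Windows path, e.g. 'powershell.exe'."""
    return PureWindowsPath(path).name.lower()

# Each rule is (name, predicate over one event). The rules describe
# behaviour (who spawned what, with which flags), not file hashes, so a
# payload that never touches disk can still be flagged.
RULES = [
    ("wmi_spawned_powershell",
     lambda e: _base(e["ParentImage"]) == "wmiprvse.exe"
               and _base(e["Image"]) == "powershell.exe"),
    ("encoded_powershell_command",
     lambda e: _base(e["Image"]) == "powershell.exe"
               and re.search(r"(?i)\s-e(nc|ncodedcommand)?\s", e["CommandLine"]) is not None),
    ("hidden_powershell_window",
     lambda e: _base(e["Image"]) == "powershell.exe"
               and re.search(r"(?i)\s-w(indowstyle)?\s+hidden\b", e["CommandLine"]) is not None),
]

def evaluate(event):
    """Return the names of all behavioural rules that fire on one event."""
    return [name for name, pred in RULES if pred(event)]

def triage(events):
    """Map the index of each suspicious event to the rules it triggered."""
    return {i: hits for i, ev in enumerate(events) if (hits := evaluate(ev))}

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

Only the first record fires: a file-hash signature would have nothing to match because no binary was written, but the parent/child relationship and command-line flags are visible regardless.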
Connections
Ransomware: a specific malware type that encrypts files and demands payment
Indicators of compromise: help identify malware infections through hashes, C2 domains, and behavioral patterns
Practice Questions
Q-Bank: Malware Types (4 Questions)
Q1. A company discovers that malware is spreading rapidly across its network without any user interaction. The malware exploits an unpatched SMB vulnerability to propagate from system to system. Which type of malware does this BEST describe?
A. Virus
B. Trojan
C. Worm
D. Logic bomb
Answer: C. Worm
A worm is self-replicating malware that spreads across networks without user interaction, often exploiting vulnerabilities. A virus (A) requires a host file and user action to spread. A trojan (B) disguises itself as legitimate software but does not self-replicate. A logic bomb (D) triggers on specific conditions and does not spread across networks.
Q2. An incident response team finds that malware is running entirely in memory using PowerShell and WMI, with no malicious files written to disk. Traditional antivirus scans find nothing. Which malware type is MOST likely involved?
A. Rootkit
B. Fileless malware
C. Polymorphic virus
D. Spyware
Answer: B. Fileless malware
Fileless malware operates entirely in memory using legitimate tools like PowerShell and WMI, leaving no files on disk and evading traditional antivirus. A rootkit (A) hides deep in the OS but typically has persistent file-based components. A polymorphic virus (C) changes its signature but still exists as files on disk. Spyware (D) monitors user activity but typically installs persistent files.
Q3. A disgruntled systems administrator planted code that will delete all database backups if their Active Directory account is disabled. Which type of malware does this BEST represent?
A. RAT (Remote Access Trojan)
B. Worm
C. Keylogger
D. Logic bomb
Answer: D. Logic bomb
A logic bomb is malicious code that triggers when specific conditions are met, in this case the administrator's account being disabled. Logic bombs are often planted by malicious insiders. A RAT (A) provides remote control access, not conditional triggering. A worm (B) self-replicates across networks. A keylogger (C) records keystrokes, not conditional payload execution.
Q4. Security researchers observe that each time a particular malware sample infects a new system, its binary signature is different, causing signature-based antivirus to fail detection. Which malware characteristic does this BEST describe?
A. Fileless operation
B. Rootkit behavior
C. Polymorphic malware
D. Trojan disguise
Answer: C. Polymorphic malware
Polymorphic malware changes its code signature with each infection to evade signature-based detection. Fileless operation (A) runs in memory without disk files but does not necessarily change signatures. Rootkit behavior (B) involves hiding in the OS for stealth, not signature mutation. Trojan disguise (D) means appearing as legitimate software, not changing binary signatures between infections.
Scenario
See case-malware-types for a practical DevOps scenario applying these concepts.