ELI5: What are Malware Types?
Malware is like different kinds of germs that can make your computer sick. Some germs spread when you touch something (like a virus that hides in files you download). Some travel on their own through the air (like worms that jump between computers). Others pretend to be medicine but are actually poison (like trojans that look like helpful programs). Just like doctors need to know different germs to treat them, security people need to know different types of malware to protect against each one.
Overview
Malware (malicious software) is any software intentionally designed to cause damage, gain unauthorized access, or disrupt operations. Understanding malware types is essential for the Security+ exam, as different types have distinct behaviors, delivery mechanisms, and indicators. Modern malware often combines multiple techniques and may operate entirely in memory to evade detection.
Key Concepts
- Virus: Requires a host file to execute; spreads when the infected file is opened or executed
- Worm: Self-replicating malware that spreads across networks without user interaction
- Trojan: Disguised as legitimate software; provides backdoor access or delivers additional payloads
- Rootkit: Hides deep in the OS (kernel-level or boot-level) to maintain persistent, stealthy access
- Spyware: Secretly monitors user activity, capturing keystrokes, screenshots, or browsing habits
- Keylogger: Records keystrokes to capture passwords, credit card numbers, and other sensitive input
- RAT (Remote Access Trojan): Gives attackers full remote control of a compromised system
- Fileless malware: Operates entirely in memory using legitimate tools (PowerShell, WMI) — leaves no files on disk
- Logic bomb: Malicious code that triggers when specific conditions are met (date, user action, system event)
- Potentially Unwanted Programs (PUPs): Adware, toolbars, and bundled software that may not be strictly malicious but degrades security
- Polymorphic malware: Changes its code signature with each infection to evade signature-based detection
- Metamorphic malware: Completely rewrites its own code while maintaining functionality
- Adware: Software that automatically displays or downloads advertisements; may track browsing habits
- Cryptojacking: Unauthorized use of computing resources to mine cryptocurrency
Exam Tips
Remember
Virus = needs host file. Worm = self-replicates over network. Trojan = disguised as legit. Rootkit = hides in OS. Fileless = lives in memory. Polymorphic = changes signature. Know the DELIVERY and BEHAVIOR of each type.
- Fileless malware is increasingly common and evades traditional antivirus — requires behavioral detection
- Rootkits may require a full OS reinstall to remove; boot-level rootkits survive standard removal
- Logic bombs are often planted by malicious insiders
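As an added example (not part of the original note), the following Python script contrasts a hash-based IoC check with a behavioral rule over constructed process-creation events, showing why the fileless PowerShell/WMI case in the tip above needs behavioral detection. All hashes, file names and command lines are constructed for illustration.

```python
"""Signature vs behavioral detection over constructed process-creation events.
A hash IoC catches a known dropper but misses a fileless PowerShell/WMI chain;
a behavioral rule still flags it. Every value below is constructed."""
import hashlib
from dataclasses import dataclass

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed IoC set: SHA-256 of one sample the defender already knows.
KNOWN_BAD_HASHES = {sha256(b"constructed known sample v1")}
# Living-off-the-land binaries that fileless malware commonly abuses.
LOLBINS = {"powershell.exe", "wmic.exe", "mshta.exe", "rundll32.exe"}
SUSPICIOUS_ARGS = ("-enc", "downloadstring", "iex ", "frombase64string")

@dataclass
class ProcessEvent:
    parent: str      # parent process image name
    image: str       # executed image name
    cmdline: str     # full command line
    image_hash: str  # SHA-256 of the executable on disk

def signature_match(ev: ProcessEvent) -> bool:
    """Classic AV-style check: fires only if the on-disk hash is a known IoC."""
    return ev.image_hash in KNOWN_BAD_HASHES

def behavioral_reasons(ev: ProcessEvent) -> list:
    """Rules that look at parent/child and command line, never the hash."""
    reasons = []
    if ev.parent.lower() == "wmiprvse.exe" and ev.image.lower() in LOLBINS:
        reasons.append("WMI provider host spawned a LOLBin")
    if any(a in ev.cmdline.lower() for a in SUSPICIOUS_ARGS):
        reasons.append("encoded or download-and-execute command line")
    return reasons

def classify(ev: ProcessEvent) -> str:
    if signature_match(ev):
        return "signature"
    return "behavioral" if behavioral_reasons(ev) else "clean"

EVENTS = [
    # Known dropper on disk: the hash IoC alone is enough.
    ProcessEvent("explorer.exe", "invoice.exe", "invoice.exe",
                 sha256(b"constructed known sample v1")),
    # Fileless chain: legitimate powershell.exe (clean hash) launched by WMI
    # with an encoded command; only its behavior gives it away.
    ProcessEvent("wmiprvse.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER",
                 sha256(b"legitimate powershell.exe bytes")),
    # Benign administrative use of the same binary.
    ProcessEvent("cmd.exe", "powershell.exe", "powershell.exe Get-Service",
                 sha256(b"legitimate powershell.exe bytes")),
]
```

Running `classify` over `EVENTS` yields signature, behavioral, clean in that order: the same powershell.exe hash appears in both the malicious and the benign event, so only the parent/command-line rules separate them.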
Connections
- Ransomware is a specific malware type that encrypts files and demands payment
- Endpoint security and EDR/XDR provide detection and response capabilities against malware
- Malware is often delivered through application attacks and phishing via email security gaps
- Indicators of compromise help identify malware infections through hashes, C2 domains, and behavioral patterns
Practice Questions
Q-Bank: Malware Types (4 Questions)
Q1. A company discovers that malware is spreading rapidly across its network without any user interaction. The malware exploits an unpatched SMB vulnerability to propagate from system to system. Which type of malware does this BEST describe?
A. Virus
B. Trojan
C. Worm
D. Logic bomb
Answer: C. Worm
A worm is self-replicating malware that spreads across networks without user interaction, often exploiting vulnerabilities. A virus (A) requires a host file and user action to spread. A trojan (B) disguises itself as legitimate software but does not self-replicate. A logic bomb (D) triggers on specific conditions and does not spread across networks.
Q2. An incident response team finds that malware is running entirely in memory using PowerShell and WMI, with no malicious files written to disk. Traditional antivirus scans find nothing. Which malware type is MOST likely involved?
A. Rootkit
B. Fileless malware
C. Polymorphic virus
D. Spyware
Answer: B. Fileless malware
Fileless malware operates entirely in memory using legitimate tools like PowerShell and WMI, leaving no files on disk and evading traditional antivirus. A rootkit (A) hides deep in the OS but typically has persistent file-based components. A polymorphic virus (C) changes its signature but still exists as files on disk. Spyware (D) monitors user activity but typically installs persistent files.
Q3. A disgruntled systems administrator planted code that will delete all database backups if their Active Directory account is disabled. Which type of malware does this BEST represent?
A. RAT (Remote Access Trojan)
B. Worm
C. Keylogger
D. Logic bomb
Answer: D. Logic bomb
A logic bomb is malicious code that triggers when specific conditions are met, in this case the administrator's account being disabled. Logic bombs are often planted by malicious insiders. A RAT (A) provides remote control access, not conditional triggering. A worm (B) self-replicates across networks. A keylogger (C) records keystrokes, not conditional payload execution.
Q4. Security researchers observe that each time a particular malware sample infects a new system, its binary signature is different, causing signature-based antivirus to fail detection. Which malware characteristic does this BEST describe?
A. Fileless operation
B. Rootkit behavior
C. Polymorphic malware
D. Trojan disguise
Answer: C. Polymorphic malware
Polymorphic malware changes its code signature with each infection to evade signature-based detection. Fileless operation (A) runs in memory without disk files but does not necessarily change signatures. Rootkit behavior (B) involves hiding in the OS for stealth, not signature mutation. Trojan disguise (D) means appearing as legitimate software, not changing binary signatures between infections.
Scenario
See case-malware-types for a practical DevOps scenario applying these concepts.