This chapter covers the four major malware types tested on CompTIA Network+ N10-009: ransomware, worms, Trojans, and rootkits. Understanding these threats is critical for network security, as they represent common attack vectors that compromise confidentiality, integrity, and availability. Approximately 10-15% of exam questions on Network Security (Objective 4.1) involve identifying or differentiating malware types, their propagation methods, and mitigation strategies.
Imagine a large apartment building with many units. A worm is like a burglar who walks through unlocked doors, moving from unit to unit without needing any help from residents. A Trojan is a burglar who disguises himself as a delivery person; a resident willingly lets him in, and then he steals valuables. A rootkit is like a burglar who, once inside, hides in the attic and modifies the building's security system logs so that cameras don't record him and alarms don't trigger. Ransomware is a burglar who breaks in, locks all your belongings in a reinforced safe, and demands payment for the combination. Each type exploits a different weakness: worms exploit unlocked doors (vulnerabilities), Trojans exploit trust (social engineering), rootkits exploit the ability to modify security systems (kernel access), and ransomware exploits the value of your data (extortion). The key is understanding the entry method, the behavior after entry, and the goal of the intruder.
Ransomware is a type of malware that encrypts a victim's files or entire system, then demands a ransom payment (usually in cryptocurrency) to restore access. The encryption typically uses strong algorithms like AES-256 for bulk data and RSA-2048 for key protection, making decryption without the attacker's key computationally infeasible.
How it works:
1. Delivery: Often via phishing emails with malicious attachments (e.g., macro-enabled Office documents) or drive-by downloads from compromised websites.
2. Execution: The payload runs, often dropping a binary that establishes persistence (e.g., registry run keys, scheduled tasks).
3. Key Setup: The malware obtains an RSA public key, either embedded in the binary or retrieved from a command-and-control (C2) server, and generates a random AES symmetric key (per victim, or per file in many families) for file encryption. The matching RSA private key never leaves the attacker.
4. Encryption: It scans for target file extensions (e.g., .docx, .xlsx, .pdf, .jpg) and encrypts each file with the AES key. The AES key is then encrypted with the RSA public key and stored with the file, so only the holder of the private key can recover it.
5. Ransom Note: After encryption, it drops a text file or displays a screen with payment instructions, typically demanding Bitcoin or Monero.
Propagation: Some ransomware variants (e.g., WannaCry) include worm-like capabilities, exploiting vulnerabilities (e.g., EternalBlue SMBv1 exploit) to spread across networks.
Defense: Regular offline backups, application whitelisting, email filtering, and patching (especially SMB vulnerabilities).
Worm
A worm is a standalone malware program that replicates itself to spread to other computers over a network, without requiring a host file or user interaction. Most worms exploit vulnerabilities in network services; mass-mailing worms instead rely on social engineering to get their first execution, but the copying and sending is automated either way.
How it works:
1. Scanning: The worm scans IP addresses or network ranges for vulnerable targets (e.g., open port 445 for SMB).
2. Exploitation: It sends a crafted packet to exploit a vulnerability (e.g., buffer overflow) to gain remote code execution.
3. Replication: Once on a new host, it copies itself and repeats the scanning/exploitation cycle.
4. Payload: Some worms carry a payload (e.g., DDoS agent, backdoor, ransomware).
Example: The Morris Worm (1988) used multiple vectors: sendmail debug mode, fingerd buffer overflow, and password guessing. Modern worms like Conficker (2008) exploited MS08-067 (Windows Server service RPC vulnerability).
Propagation Speed: Worms can infect hundreds of thousands of hosts within hours due to automated scanning. For instance, the Slammer worm doubled every 8.5 seconds, infecting 90% of vulnerable hosts within 10 minutes.
Defense: Network segmentation, firewalls blocking unnecessary ports, patch management, and intrusion prevention systems (IPS).
Trojan
A Trojan (Trojan horse) is malware disguised as legitimate software. Unlike worms, Trojans do not self-replicate; they rely on user action to install them. Once executed, they perform malicious actions such as stealing data, creating backdoors, or installing additional malware.
How it works:
1. Disguise: The Trojan masquerades as a useful program (e.g., game, crack, system utility).
2. Installation: The user downloads and runs the executable, which installs the Trojan.
3. Execution: The Trojan may perform its malicious function immediately or wait for a trigger. Common actions:
- Backdoor: Opens a listening port (e.g., 4444, 31337) for remote access, or, more commonly today, connects outbound to the attacker's C2 server so that NAT and inbound firewall rules do not block it.
- Keylogger: Captures keystrokes to steal credentials.
- Banking Trojan: Intercepts web forms to steal financial data.
4. Persistence: Adds registry entries, schedules tasks, or installs as a service.
Types: Remote Access Trojans (RATs), downloaders, droppers (install other malware), info-stealers.
Defense: Application whitelisting, user education, endpoint detection and response (EDR), and avoiding untrusted downloads.
Rootkit
A rootkit is a collection of software tools that enables an attacker to gain and maintain privileged (root-level) access to a computer while hiding its presence from standard detection methods. Rootkits modify the operating system kernel or system functions to conceal files, processes, network connections, and registry entries.
How it works:
1. Installation: Often installed via a Trojan or worm that exploits a vulnerability. The rootkit then elevates privileges to administrator/root.
2. Hooking: It intercepts system calls (e.g., file system, process enumeration) by modifying kernel data structures or function pointers. For example, a rootkit may hook the NtQuerySystemInformation API to hide processes.
3. Stealth: The rootkit removes its own files from directory listings, hides its processes from task managers, and may even hide network connections from netstat.
4. Persistence: It may install as a kernel driver (Windows .sys file) or kernel module (Linux .ko file) that loads at boot.
Types:
- User-mode rootkits: Hook user-level APIs (e.g., IAT hooking or inline patching of DLL functions). Easier to detect, since a tool that reads kernel data directly bypasses them.
- Kernel-mode rootkits: Modify kernel objects or drivers. More powerful and harder to detect.
- Bootkits: Infect the Master Boot Record (MBR), the Volume Boot Record, or UEFI boot components so that they load before the OS and its protections.
Detection: Rootkits are notoriously difficult to detect from within the compromised OS. Detection methods include:
- Signature-based scanning: Antivirus may detect known rootkit files, but only if the rootkit is not already hiding them.
- Behavioral analysis: Unusual system call patterns.
- Cross-view comparison: Enumerating processes, files, or connections through the normal APIs and again through a lower-level path (raw disk or kernel memory), then diffing the two views.
- Memory forensics: Analyzing RAM dumps for hidden processes.
- Boot-time scanning: Using a trusted boot CD or USB to scan the system offline.
Defense: Secure Boot (UEFI), driver signing enforcement, kernel patch protection (PatchGuard on 64-bit Windows), and regular system integrity checks (e.g., tripwire).
Comparison of Propagation and Payload
| Malware Type | Propagation | Payload Goal | User Interaction Required? |
|--------------|-------------|--------------|----------------------------|
| Ransomware | Often via phishing/worm; some self-propagate | Extortion via encryption | Usually (click attachment) |
| Worm | Self-propagating via network | Various (DDoS, payload delivery) | No |
| Trojan | User downloads disguised file | Data theft, backdoor | Yes (user executes) |
| Rootkit | Via Trojan, worm, or exploit | Hide presence, maintain access | Usually (initial vector) |
Key Exam Numbers
WannaCry ransomware: Exploited SMBv1 vulnerability MS17-010 (EternalBlue).
Slammer worm: Doubled every 8.5 seconds.
Conficker: Infected millions of PCs; used MS08-067.
Rootkit detection: Often requires offline analysis.
Ransomware encryption: Typically AES-256 + RSA-2048.
Interplay with Network Security
Firewalls can block known-malicious C2 traffic, but many malware families use encrypted channels (HTTPS) or domain generation algorithms (DGAs) to evade static blocklists.
Intrusion Detection Systems (IDS) can detect worm scanning patterns (e.g., rapid connection attempts to multiple IPs).
Network segmentation limits worm propagation; VLANs and ACLs restrict lateral movement.
Email security gateways filter phishing attachments that often deliver Trojans and ransomware.
Malware Lifecycle Example: Ransomware Attack
Initial Access: Phishing email with malicious macro.
Execution: User enables macros, drops ransomware binary.
Persistence: Adds run key to registry.
Privilege Escalation: Uses UAC bypass to gain admin rights.
Defense Evasion: Disables Windows Defender via PowerShell.
Credential Access: Steals cached credentials using Mimikatz.
Lateral Movement: Uses PsExec to spread to other systems.
Impact: Encrypts files and demands ransom.
Command Examples (Windows)
List running processes: tasklist
Check network connections with the owning process: netstat -anob (run from an elevated prompt; -b needs administrator rights)
View scheduled tasks: schtasks /query
Check startup programs: wmic startup list full
Check system file integrity: sfc /scannow (System File Checker) verifies protected system files and can catch a replaced DLL or driver, but it is not a rootkit scanner: it runs inside the possibly compromised OS, and a kernel-mode rootkit can hand it clean copies. chkdsk checks file system structure only and finds no malware.
Offline scan: Boot from Windows Defender Offline or Kaspersky Rescue Disk.
Worm: Scanning and Replication
A worm begins by scanning the network for vulnerable targets. It generates random IP addresses or reads a predefined list. For each target, it attempts to connect to a specific port (e.g., TCP 445 for SMB). If the connection succeeds, it sends a crafted exploit payload. Upon successful exploitation, the worm copies its executable to the new host, often using network shares or remote administrative tools. The new instance then starts scanning independently, creating exponential growth. In the case of the Slammer worm, it used UDP 1434 to exploit a buffer overflow in Microsoft SQL Server, and each infected host sent 376-byte packets at maximum speed, causing network congestion.
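The scanning behaviour above is also what the IDS rule in the Interplay with Network Security section looks for: rapid connection attempts from one source to many destinations. The following Python detector, an added example that is not code from the original page, implements that fan-out rule over a constructed connection log; the log format (ISO timestamp, src, dst, dport, result) and the thresholds (8 distinct targets within 10 seconds) are assumptions.

```python
"""Worm scan (fan-out) detector over a constructed connection log.

Added example for this page, not code from the original. A worm sweeping a
subnet shows up as one source hitting many distinct destinations on a single
port inside a short window, most attempts failing because the port is closed
or the host is absent. The log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample: 10.0.0.7 sweeps 10.0.0.1-30 on TCP 445 in ~6 s
    (Conficker-style); 10.0.0.5 and 10.0.0.9 behave like ordinary clients."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        f"{base.isoformat()} 10.0.0.5 10.0.0.20 445 ALLOW",
        f"{(base + timedelta(seconds=3)).isoformat()} 10.0.0.9 10.0.0.50 443 ALLOW",
        f"{(base + timedelta(seconds=40)).isoformat()} 10.0.0.5 10.0.0.21 445 ALLOW",
    ]
    for i in range(1, 31):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        result = "ALLOW" if i in (20, 21) else "DROP"  # only two hosts run SMB
        lines.append(f"{ts} 10.0.0.7 10.0.0.{i} 445 {result}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    ts, src, dst, dport, result = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), result


def detect_fanout(log_text, window_seconds=10, min_targets=8):
    """Return {(src, dport): (peak distinct destinations, failure ratio)} for
    every source/port pair that touched at least min_targets distinct
    destinations within any window_seconds span."""
    events = sorted((parse_line(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e[0])
    windows = defaultdict(deque)   # (src, dport) -> recent (ts, dst, result)
    alerts = {}
    for ts, src, dst, dport, result in events:
        key = (src, dport)
        win = windows[key]
        win.append((ts, dst, result))
        # slide the window: drop events older than window_seconds
        while (ts - win[0][0]).total_seconds() > window_seconds:
            win.popleft()
        distinct = {d for _, d, _ in win}
        if len(distinct) >= min_targets:
            failed = sum(1 for _, _, r in win if r != "ALLOW")
            peak, _ = alerts.get(key, (0, 0.0))
            if len(distinct) >= peak:
                alerts[key] = (len(distinct), failed / len(win))
    return alerts


if __name__ == "__main__":
    for (src, port), (targets, fail) in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT scan-like fan-out: {src} -> {targets} hosts on tcp/{port}, "
              f"{fail:.0%} failed")
```

The failure ratio is the second signal worth keeping: a backup server legitimately touches many hosts on one port, but its connections succeed, whereas a worm sweeping address space mostly hits closed ports or empty addresses.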
Trojan: Installation and Backdoor
A Trojan typically arrives as a seemingly benign file. When the user executes it, the Trojan installs itself in a system or user-profile directory (e.g., %SystemRoot%\System32 if it has administrator rights, otherwise %APPDATA%). It may create a registry entry under `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` (or the HKEY_CURRENT_USER equivalent when unprivileged) to ensure persistence. A classic backdoor then opens a listening port (e.g., TCP 4444) and waits for the attacker to connect. Because NAT and inbound firewall rules usually block such connections, most modern Trojans instead beacon out to a C2 domain, often a dynamic DNS name over HTTPS, which looks like ordinary client traffic and passes default outbound rules. Once connected, the attacker can issue commands such as uploading/downloading files, capturing keystrokes, or launching additional malware.
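To make the listener-and-beacon pattern above concrete, here is an added Python triage script (not code from the original page) that parses `netstat -anob` output into one record per socket and flags TCP listeners owned by unexpected images. The sample output, the image allowlist, and the process name updater.exe are constructed for the example.

```python
"""Triage of `netstat -anob` output for listening backdoors.

Added example, not from the original page. `netstat -anob` (run from an
elevated prompt) prints each socket on one line and the owning image name in
square brackets on the following line, sometimes preceded by a service name;
for some system processes it prints "Can not obtain ownership information"
instead. The parser reconstructs one record per socket, then flags TCP
listeners owned by images outside a host-specific allowlist. The sample output
is constructed, and the allowlist is an assumption a real deployment would
replace with its own baseline.
"""
import re

# Constructed sample: PID 5120 ("updater.exe") is the Trojan from the text,
# listening on TCP 4444 and beaconing to 203.0.113.5:443.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5120
 [updater.exe]
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     5120
 [updater.exe]
  UDP    0.0.0.0:5353           *:*                                    2244
 [chrome.exe]
"""

# Images expected to hold listening sockets on a typical workstation (assumption).
EXPECTED_LISTENERS = {"System", "svchost.exe", "lsass.exe", "wininit.exe",
                      "services.exe", "spoolsv.exe"}

SOCKET_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat_anob(text):
    """Return a list of dicts, one per socket, with the owning image attached."""
    sockets = []
    for raw in text.splitlines():
        m = SOCKET_RE.match(raw)
        if m:
            proto, local, foreign, state, pid = m.groups()
            sockets.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state or "", "pid": int(pid),
                            "image": None, "service": None})
            continue
        line = raw.strip()
        if not sockets or not line:
            continue  # header lines or blank lines
        cur = sockets[-1]
        if line.startswith("[") and line.endswith("]"):
            cur["image"] = line[1:-1]
        elif line.startswith("Can not obtain ownership information"):
            cur["image"] = "System" if cur["pid"] == 4 else "unknown"
        elif cur["image"] is None and cur["service"] is None:
            cur["service"] = line  # service name printed before [svchost.exe]
    return sockets


def suspicious_listeners(sockets, expected=EXPECTED_LISTENERS):
    """TCP listeners owned by an image that is not on the allowlist."""
    findings = []
    for s in sockets:
        if s["proto"] != "TCP" or s["state"] != "LISTENING":
            continue
        image = s["image"] or "unknown"
        if image not in expected:
            port = int(s["local"].rsplit(":", 1)[1])
            findings.append((port, s["pid"], image))
    return findings


def peers_of(sockets, pid):
    """Foreign endpoints a PID is connected to, to pair a listener with its C2 beacon."""
    return sorted(s["foreign"] for s in sockets
                  if s["pid"] == pid and s["state"] == "ESTABLISHED")


if __name__ == "__main__":
    socks = parse_netstat_anob(SAMPLE_NETSTAT)
    for port, pid, image in suspicious_listeners(socks):
        print(f"unexpected listener tcp/{port} pid={pid} image={image} "
              f"established to: {peers_of(socks, pid)}")
```

Pairing the listener with the same PID's established connections is what turns a noisy "unknown port open" finding into a C2 lead: the foreign address is the indicator to block and hunt for elsewhere. A rootkit that hides sockets from netstat defeats this script, which is why the rootkit section insists on offline or memory-based views.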
Ransomware: Encryption Process
After execution, ransomware generates a random AES-256 key (per victim, or one per file in many families). It obtains an RSA-2048 public key, either embedded in the binary or retrieved from a C2 server; the private key stays with the attacker. The malware enumerates all local drives, mapped network shares, and removable media. For each file with a target extension (e.g., .doc, .xls, .jpg), it reads the file into memory, encrypts it with the AES key, and overwrites the original file with the encrypted data. The AES key is then encrypted with the RSA public key and appended to the encrypted file or stored separately, so recovery requires the attacker's private key. Before or during encryption it deletes shadow copies using `vssadmin.exe Delete Shadows /All /Quiet` (or `wmic shadowcopy delete`) to prevent recovery, then displays the ransom note.
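The shadow-copy deletion described here, together with the Defense Evasion and Impact steps of the lifecycle list above, is the noisiest part of a ransomware run. The following Python rule set, an added example rather than code from the original page, runs over constructed process-creation log lines (Sysmon Event ID 1 or Windows 4688 with command-line auditing) and raises a host-level verdict when two or more of those behaviours occur within ten minutes. The log field layout, host and user names, and thresholds are assumptions; the ATT&CK technique IDs are the published ones.

```python
"""Detection of ransomware pre-encryption behaviour in process-creation logs.

Added example, not from the original page. Before encrypting, most ransomware
destroys recovery options and tampers with endpoint protection exactly as the
text describes (vssadmin Delete Shadows, bcdedit, Set-MpPreference). Those
commands are rare in normal use, so command-line rules over process creation
events catch the chain before the ransom note appears. The log format (fields
separated by " | ") and the sample lines are constructed for this example.
"""
import re
from datetime import datetime, timedelta

RULES = [
    # (ATT&CK technique, rule name, pattern)
    ("T1490", "shadow-copy-deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "shadow-copy-deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "recovery-disabled",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no\b", re.I)),
    ("T1490", "backup-catalog-deletion",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1562.001", "defender-tampering",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$?true", re.I)),
]

# Constructed sample: ts | host | user | parent image | image | command line
SAMPLE_LOG = "\n".join([
    r"2024-05-01T10:12:03 | WS-ADMIN-07 | CORP\jdoe | C:\Windows\System32\cmd.exe | C:\Windows\System32\vssadmin.exe | vssadmin.exe Delete Shadows /All /Quiet",
    r"2024-05-01T10:12:04 | WS-ADMIN-07 | CORP\jdoe | C:\Windows\System32\cmd.exe | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} recoveryenabled No",
    r'2024-05-01T10:12:05 | WS-ADMIN-07 | CORP\jdoe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r"2024-05-01T10:30:00 | SRV-BACKUP-01 | CORP\svc_backup | C:\Program Files\Backup\agent.exe | C:\Windows\System32\vssadmin.exe | vssadmin list shadows",
    r"2024-05-01T11:02:11 | WS-DEV-03 | CORP\asmith | C:\Windows\explorer.exe | C:\Windows\System32\notepad.exe | notepad.exe C:\Users\asmith\notes.txt",
])


def parse_event(line):
    ts, host, user, parent, image, cmdline = [f.strip() for f in line.split(" | ", 5)]
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "image": image, "cmdline": cmdline}


def match_rules(log_text):
    """One alert per event that matches a rule (first matching rule wins)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for technique, name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({**ev, "technique": technique, "rule": name})
                break
    return alerts


def triage(alerts, window=timedelta(minutes=10)):
    """Per host: 'high' when two or more distinct rules fire inside `window`
    (the pre-encryption chain), 'medium' for a single isolated hit."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    verdicts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a["ts"])
        verdict = "medium"
        for i, first in enumerate(hits):
            rules_in_window = {h["rule"] for h in hits[i:]
                               if h["ts"] - first["ts"] <= window}
            if len(rules_in_window) >= 2:
                verdict = "high"
                break
        verdicts[host] = verdict
    return verdicts


if __name__ == "__main__":
    found = match_rules(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']} {a['technique']} {a['rule']}: {a['cmdline']}")
    print(triage(found))
```

The benign `vssadmin list shadows` from the backup server does not fire, and an isolated single hit is only medium, so the rule is usable as an automated isolation trigger rather than just a hunt query.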
Rootkit: Kernel Hooking
A kernel-mode rootkit loads as a device driver. Upon initialization, it locates the System Service Descriptor Table (SSDT) in Windows, which contains pointers to system call handlers. The rootkit overwrites selected entries to point to its own functions, which call the original handler and then filter the rootkit's own artifacts out of the results. For example, to hide a process, the rootkit hooks `NtQuerySystemInformation`. When a user-mode tool like Task Manager enumerates processes, the rootkit intercepts the call, removes its own process from the list, and returns the modified list. Similarly, it may hook `NtOpenKey` to hide registry keys. Alternatively, it may use Direct Kernel Object Manipulation (DKOM) to unlink its process from the active process list, so even the unhooked handler no longer returns it. On 64-bit Windows, Kernel Patch Protection (PatchGuard) crashes the system when it detects SSDT modification, which is why modern kernel rootkits rely more on DKOM, kernel callbacks, and bootkits than on SSDT hooks.
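Since the SSDT and the process list cannot be touched from a study page, the following Python model, an added example and not code from the original page, reproduces the mechanics in user space: a dict of callables stands in for the SSDT, one list for the active-process linked list, and a second list for the pool of allocated process objects that a memory scanner walks independently. It shows the hook, the DKOM unlink, the cross-view comparison that finds both, and the table integrity check that PatchGuard performs. All process names and PIDs are constructed.

```python
"""Simulation of SSDT hooking, DKOM and cross-view detection.

Added example, not from the original page: a user-space model of the kernel
mechanisms the text describes, so the detection logic can be run and tested.
A dict of Python callables stands in for the System Service Descriptor Table,
a list stands in for the kernel's active-process linked list, and a second
list stands in for the pool of allocated process objects that a memory scanner
(Volatility's psscan) walks independently of the linked list. Process names
and PIDs are constructed. Nothing here touches a real kernel.
"""

# Constructed kernel state. POOL is every allocated process object;
# ACTIVE_LIST is the doubly linked list the kernel walks when enumerating.
POOL = [(4, "System"), (948, "svchost.exe"), (5120, "updater.exe"),
        (6000, "rk_hidden.exe"), (6001, "rk_unlinked.exe")]
ACTIVE_LIST = list(POOL)


def nt_query_system_information():
    """Genuine handler: walks the active-process list."""
    return list(ACTIVE_LIST)


# The "SSDT": service name -> handler. KNOWN_GOOD is the copy an integrity
# checker (PatchGuard-style) keeps to detect modified entries.
SSDT = {"NtQuerySystemInformation": nt_query_system_information}
KNOWN_GOOD = dict(SSDT)


def install_ssdt_hook(table, hidden_pid):
    """Rootkit technique 1: replace the table entry with a filtering wrapper
    that calls through to the original and drops the hidden PID."""
    original = table["NtQuerySystemInformation"]

    def hooked():
        return [p for p in original() if p[0] != hidden_pid]

    table["NtQuerySystemInformation"] = hooked
    return original


def remove_ssdt_hook(table, original):
    table["NtQuerySystemInformation"] = original


def dkom_unlink(pid):
    """Rootkit technique 2 (DKOM): unlink the object from the active list.
    The object still exists in POOL; only the list walk misses it."""
    ACTIVE_LIST[:] = [p for p in ACTIVE_LIST if p[0] != pid]


def api_view(table):
    """What Task Manager or an AV engine sees: everything goes via the table."""
    return table["NtQuerySystemInformation"]()


def cross_view_hidden(table):
    """Cross-view detection: objects found by an independent pool scan that are
    missing from the API view are hidden (by hook or by DKOM)."""
    seen = {pid for pid, _ in api_view(table)}
    return [p for p in POOL if p[0] not in seen]


def patched_entries(table, known_good=KNOWN_GOOD):
    """SSDT integrity check: entries whose handler is not the known-good one."""
    return [name for name, fn in table.items() if known_good.get(name) is not fn]


if __name__ == "__main__":
    orig = install_ssdt_hook(SSDT, 6000)
    dkom_unlink(6001)
    print("API view:      ", api_view(SSDT))
    print("hidden objects:", cross_view_hidden(SSDT))
    print("patched SSDT:  ", patched_entries(SSDT))
```

The two checks are complementary: the table integrity check catches the hook but says nothing about the DKOM-unlinked process, while the cross-view comparison catches both but needs a view of memory that does not go through the hooked API, which is exactly what a memory dump analysed offline provides.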
Detection: Offline Rootkit Analysis
When a rootkit is suspected, first decide whether volatile evidence is needed: a RAM capture taken while the system is still running (with a trusted memory acquisition tool) is the only way to get the kernel state that memory analysis with Volatility needs, because powering off erases it. Then shut the system down and boot from trusted forensic media (e.g., a Linux live USB). With the rootkit no longer running, it cannot hide its artifacts. The analyst mounts the suspect drive read-only and examines critical areas: the Master Boot Record (MBR), boot sector, system files (e.g., `ntoskrnl.exe`), driver files in `%SystemRoot%\System32\drivers`, and registry hives. `chkrootkit` can be pointed at the mounted volume with its -r option; GMER, by contrast, is a live-system cross-view tool for Windows rather than an offline scanner. Integrity checking tools compare file hashes against known good values. Any discrepancies indicate a potential rootkit. Memory analysis on the RAM dump with Volatility (e.g., comparing the process list walked via the kernel's linked list with a scan of the memory pool for process objects) reveals hidden processes.
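The hash comparison step of the offline check, as an added Python example (not code from the original page): it baselines the kernel image and drivers directory of a mounted volume, then reports modified, added, and missing files. The directory layout, file contents, and the simulated rootkit changes are constructed in a temporary directory; the watched paths are an assumption a real procedure would extend.

```python
"""Offline integrity check of a mounted system volume (tripwire-style).

Added example, not from the original page. With the suspect disk mounted
read-only from trusted media, the analyst hashes the files a kernel rootkit
would touch (the kernel image and the drivers directory) and compares them
with a baseline taken from a known-good install of the same build. The
directory layout, file contents and the "rootkit" changes below are
constructed in a temporary directory so the example runs anywhere; a real
baseline would come from golden-image hashes or vendor catalog files.
"""
import hashlib
import tempfile
from pathlib import Path

# Paths (relative to the mounted volume) worth checking for kernel-level tampering.
WATCHED = ["Windows/System32/ntoskrnl.exe", "Windows/System32/drivers"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every watched file under root; keys are volume-relative POSIX paths."""
    root = Path(root)
    baseline = {}
    for rel in WATCHED:
        target = root / rel
        if target.is_file():
            files = [target]
        else:
            files = sorted(p for p in target.rglob("*") if p.is_file())
        for p in files:
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify(root, baseline):
    """Compare the mounted volume with the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def make_sample_volume(root):
    """Constructed 'clean' volume with a kernel image and two drivers."""
    root = Path(root)
    (root / "Windows/System32/drivers").mkdir(parents=True, exist_ok=True)
    (root / "Windows/System32/ntoskrnl.exe").write_bytes(b"NTOSKRNL-BUILD-22621")
    (root / "Windows/System32/drivers/tcpip.sys").write_bytes(b"TCPIP-DRIVER")
    (root / "Windows/System32/drivers/disk.sys").write_bytes(b"DISK-DRIVER")


def simulate_rootkit(root):
    """Constructed tampering: patch tcpip.sys (hide connections) and drop a new driver."""
    drivers = Path(root) / "Windows/System32/drivers"
    (drivers / "tcpip.sys").write_bytes(b"TCPIP-DRIVER+HOOK")
    (drivers / "rkdrv.sys").write_bytes(b"ROOTKIT-DRIVER")


def demo():
    """Build a clean volume, baseline it, infect it, and return the verify() report."""
    with tempfile.TemporaryDirectory() as vol:
        make_sample_volume(vol)
        baseline = build_baseline(vol)
        simulate_rootkit(vol)
        return verify(vol, baseline)


if __name__ == "__main__":
    print(demo())
```

An added driver with no baseline entry is as significant as a modified one: a rootkit that ships its own .sys file shows up under "added", and the next step is to check whether that file carries a valid Authenticode signature and whether a service or boot-start entry in the offline SYSTEM hive loads it.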
Enterprise Scenario 1: Ransomware Attack on a Hospital
A hospital network was hit by Ryuk ransomware, which entered via a phishing email to an administrative assistant. The initial infection established a foothold, then used PowerShell to download Cobalt Strike beacon for C2 communication. The attackers used Mimikatz to extract domain admin credentials, then deployed ransomware to file servers and backups. The hospital lost access to patient records, imaging systems, and billing for three days. The ransom demand was $2 million in Bitcoin. Mitigation after the attack included: implementing multi-factor authentication, segmenting the network to isolate medical devices, enforcing least-privilege access, and deploying an EDR solution with behavior-based detection. The hospital also adopted daily offline backups with immutable storage.
Enterprise Scenario 2: Worm Propagation in a Corporate LAN
A large corporation experienced a Conficker outbreak. The worm exploited the MS08-067 vulnerability in unpatched Windows XP machines on the same subnet. It spread via SMB using a dictionary attack on weak passwords. Within hours, thousands of endpoints were infected, causing network slowdowns due to scanning traffic. The IT team contained the outbreak by blocking TCP 445 at the firewall, forcing all machines to patch via WSUS, and resetting all local admin passwords. They used Microsoft's Malicious Software Removal Tool (MSRT) to clean infected systems. The incident highlighted the need for automated patch management and network access control (NAC) to quarantine non-compliant devices.
Enterprise Scenario 3: Rootkit Persistence in a Financial Institution
A bank's server was compromised via a drive-by download that installed a Trojan, which then dropped a kernel-mode rootkit. The rootkit hid a backdoor process that exfiltrated customer data via encrypted DNS tunnels. The rootkit modified the TCP/IP stack to hide the outbound connections from netstat. Detection occurred when a security analyst noticed unusual DNS query patterns to a suspicious domain. The incident response team performed memory forensics on a RAM dump using Volatility, revealing hidden processes and kernel callbacks. The server was rebuilt from scratch, and the organization implemented Secure Boot, driver signing enforcement, and application whitelisting to prevent future rootkits.
N10-009 Objective 4.1: Malware Types
The exam tests your ability to differentiate between ransomware, worms, Trojans, and rootkits. Key points:
- Ransomware: Focus on encryption (AES-256, RSA-2048) and propagation methods (email, worm-like). Know that WannaCry used EternalBlue.
- Worm: Self-replicating, no user interaction. Memorize examples: Morris, Slammer, Conficker, Blaster. Know that Slammer used UDP 1434.
- Trojan: Requires user action. Common payloads: backdoor, keylogger, info-stealer. Remember that Trojans do not self-replicate.
- Rootkit: Hides presence, modifies kernel. Detection requires offline analysis. Know terms: SSDT hooking, DKOM, bootkit.
Common Wrong Answers
Confusing Trojan with worm: Candidates often say a worm requires user interaction — false. Worms are self-propagating.
Thinking all ransomware is a worm: Only some variants (e.g., WannaCry) have worm capabilities. Most ransomware relies on phishing.
Believing rootkits can be detected by standard antivirus: Rootkits hide from the OS; offline scanning is needed.
Assuming Trojans replicate: Trojans do not self-replicate; they rely on users to spread them.
Exam Numbers to Memorize
Slammer worm: 376-byte packets, doubled every 8.5 seconds.
WannaCry: Used SMBv1 (port 445), EternalBlue exploit.
Conficker: Used MS08-067, dictionary attack on admin passwords.
Ransomware encryption: AES-256 symmetric, RSA-2048 asymmetric.
Rootkit detection: Boot from trusted media, use chkrootkit/GMER.
Edge Cases
Polymorphic malware: Changes code signature to evade signature-based detection.
Armored malware: Uses techniques to hinder reverse engineering (e.g., packing, anti-debugging).
Fileless malware: Avoids dropping an executable on disk; it lives in memory and often persists through the registry, WMI subscriptions, or scheduled tasks that re-launch PowerShell scripts.
Elimination Strategy
When you see a question asking 'Which malware type...':
If it mentions self-replication without user action → worm.
If it mentions disguising as legitimate software → Trojan.
If it mentions encrypting files for ransom → ransomware.
If it mentions hiding processes and modifying OS → rootkit.
Ransomware encrypts files using AES-256 and RSA-2048; demands payment in cryptocurrency.
Worms self-replicate without user interaction; exploit network vulnerabilities like MS08-067.
Trojans require user action; they do not self-replicate but can install backdoors or steal data.
Rootkits modify the OS kernel to hide their presence; detection requires offline boot from trusted media.
WannaCry ransomware exploited SMBv1 (EternalBlue) to spread like a worm.
Slammer worm doubled every 8.5 seconds; used UDP 1434.
Rootkit detection tools: chkrootkit (Linux), GMER (Windows), Volatility (memory analysis).
Fileless malware resides in memory; uses PowerShell scripts to evade disk-based detection.
Network segmentation and least-privilege access limit lateral movement of worms and ransomware.
Regular offline backups are the best defense against ransomware.
These come up on the exam all the time. Here's how to tell them apart.
Worm
Self-replicating; no user interaction needed
Exploits network vulnerabilities
Spreads rapidly across networks
Can carry payloads like DDoS or ransomware
Examples: Morris, Slammer, Conficker
Trojan
Requires user execution to install
Disguised as legitimate software
Does not self-replicate
Commonly used for backdoors, keyloggers, info-stealing
Examples: Zeus, Emotet, Back Orifice
Mistake
Worms always require user interaction to spread.
Correct
Worms are self-replicating and spread automatically without user interaction. They exploit network vulnerabilities or use default passwords.
Mistake
All ransomware is a type of worm.
Correct
Most ransomware is delivered via phishing or Trojans. Only a few variants (e.g., WannaCry) have worm-like propagation.
Mistake
Trojans can replicate like worms.
Correct
Trojans do not self-replicate. They rely on users to download and execute them.
Mistake
Rootkits can be easily detected by standard antivirus running on the same system.
Correct
Rootkits hide their presence from the OS, making them invisible to standard scanning tools. Detection requires offline analysis or specialized tools.
Mistake
Ransomware only encrypts files on the local machine.
Correct
Ransomware often targets mapped network drives and network shares, encrypting files across the entire network.
A worm is self-replicating and spreads automatically over a network without user interaction, exploiting vulnerabilities. A Trojan requires a user to execute it, is disguised as legitimate software, and does not self-replicate. On the exam, remember: worms spread on their own; Trojans trick users.
Yes, some ransomware variants have worm-like capabilities. For example, WannaCry used the EternalBlue exploit to spread across networks automatically. However, most ransomware is delivered via phishing emails or Trojans. The exam may test that WannaCry is both ransomware and a worm.
Rootkits modify the operating system kernel or system APIs to intercept and filter information. For example, they hook the `NtQuerySystemInformation` API to hide processes from Task Manager. Since antivirus relies on the same APIs, it cannot see the hidden objects. Detection requires offline scanning or memory forensics.
The Slammer worm exploited Microsoft SQL Server via UDP port 1434. It sent a 376-byte packet that caused a buffer overflow. The worm's rapid scanning caused network congestion. On the exam, know that Slammer used UDP 1434 and that it doubled every 8.5 seconds.
The best defense is regular offline backups stored in an immutable format. Also important: email filtering to block phishing, application whitelisting, patching vulnerabilities (especially SMB), and user education. The exam emphasizes backups as the primary mitigation.
A bootkit is a type of rootkit that infects the Master Boot Record (MBR) or UEFI firmware. It loads before the operating system, making it extremely difficult to detect. Detection requires booting from trusted media and scanning the MBR. On the exam, bootkits are a subcategory of rootkits.
A Trojan often adds a registry entry under `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` or creates a scheduled task. It may also install as a Windows service. The exam may ask about common persistence mechanisms.