Malware Types and Indicators of Compromise
Malware is malicious software designed to damage, disrupt, or gain unauthorized access to systems. Understanding malware types and their indicators is critical for the Security+ exam.
Viruses and Worms
A virus is malicious code that attaches itself to a legitimate program or file and replicates when the infected program runs. Viruses require human action (like opening a file) to spread. They can corrupt files, steal data, or give attackers remote access.
A worm is self-replicating malware that spreads without human interaction. Worms exploit network vulnerabilities to move from system to system. Unlike viruses, worms are standalone programs that don't need a host file. The Morris Worm (1988) and WannaCry (2017) are famous examples — WannaCry spread by exploiting an SMB vulnerability and infected hundreds of thousands of systems worldwide.
- Virus: attaches to files, requires user action to spread
- Worm: self-replicating, spreads automatically over networks
- Both can carry payloads: data theft, destruction, ransomware, backdoors
- WannaCry: worm that spread using EternalBlue exploit, carried ransomware payload
Ransomware
Ransomware encrypts the victim's files and demands payment (usually cryptocurrency) for the decryption key. It's one of the most damaging and profitable malware types. Modern ransomware often combines encryption with data theft — attackers threaten to leak stolen data if the ransom isn't paid (double extortion).
Ransomware spreads through phishing emails, exploit kits, drive-by downloads, and Remote Desktop Protocol (RDP) brute force attacks. Prevention includes regular backups (the 3-2-1 rule), patching, email filtering, and restricting RDP access.
- Encrypts files and demands payment for decryption key
- Double extortion: encrypt files + steal data, threaten to leak
- Common vectors: phishing, RDP brute force, exploit kits
- Best defense: offline backups (3-2-1 rule), patch management, email security
- Paying ransoms does not guarantee data recovery
Trojans, Rootkits, and Spyware
A Trojan (or Trojan horse) appears as legitimate software but contains malicious code. Unlike viruses, Trojans don't replicate — they rely on users willingly installing them. Types include backdoor Trojans (give attackers remote control), banking Trojans (steal financial credentials), and dropper Trojans (install other malware).
A rootkit is designed to hide its presence and provide continued privileged access to a system. Rootkits modify the operating system to conceal processes, files, and registry entries from security tools. Kernel-mode rootkits are particularly dangerous because they run at the same privilege level as the OS. Detecting rootkits often requires booting from trusted media.
Spyware monitors user activity without consent — capturing keystrokes, browsing habits, login credentials, and other sensitive data. Keyloggers are a type of spyware that record every keystroke.
- Trojan: disguised as legitimate software, user installs voluntarily
- Rootkit: hides presence and maintains privileged access — very hard to detect
- Spyware: monitors user activity, captures keystrokes and data
- Rootkit detection often requires offline scanning from trusted boot media
Botnets and Other Malware
A botnet is a network of infected computers (bots or zombies) controlled by a command-and-control (C2) server. Botnets are used for DDoS attacks, spam distribution, cryptocurrency mining, and credential stuffing. Infected users may not notice their system is part of a botnet.
Other important malware types include the logic bomb (malicious code that triggers on a specific condition — a date, a user action, a file deletion), fileless malware (runs in memory without writing to disk, so it is harder to detect), and the RAT (Remote Access Trojan, which provides backdoor control).
- Botnet: network of infected systems under attacker C2 control
- Used for DDoS, spam, credential stuffing, cryptomining
- Logic bomb: triggers on specific condition (date, event)
- Fileless malware: lives in memory only — evades traditional antivirus
Indicators of Compromise (IoCs)
Indicators of Compromise are forensic evidence that a system has been breached. Common IoCs include: unusual network traffic patterns (especially outbound connections at odd hours), unexpected file modifications or new files, registry changes, unusual privilege escalation, accounts with unexpected activity, and antivirus/EDR alerts.
For the Security+ exam, know how to identify malicious activity from logs: failed login attempts followed by success (password guessing), connections to known malicious IP addresses, unusual DNS queries (C2 beaconing), and large data transfers outside business hours.
- IoCs: evidence that a breach has occurred or is occurring
- Network IoCs: unusual outbound traffic, C2 beaconing, DNS anomalies
- Host IoCs: unexpected files, registry changes, privilege escalation
- Log analysis is the primary method of detecting IoCs
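The four log patterns listed above can be turned into simple detection rules. The script below is an added example, not part of this study guide; the log format, the thresholds, the sample log lines and the "known bad" address list are all constructed for illustration (the addresses come from the documentation ranges 10.0.0.0/8, 198.51.100.0/24 and 203.0.113.0/24). It flags password guessing (several failed logins followed by a success from the same user and source), connections to listed addresses, DNS beaconing (the same host querying the same name at near-constant intervals), and large transfers outside business hours.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample logs (not real data). Assumed format for this example:
# "<ISO timestamp> <event> key=value ..."
SAMPLE_LOGS = """\
2024-03-04T02:10:01 auth user=alice src=10.0.0.5 result=fail
2024-03-04T02:10:03 auth user=alice src=10.0.0.5 result=fail
2024-03-04T02:10:05 auth user=alice src=10.0.0.5 result=fail
2024-03-04T02:10:09 auth user=alice src=10.0.0.5 result=success
2024-03-04T09:15:00 auth user=bob src=10.0.0.7 result=success
2024-03-04T09:20:00 conn src=10.0.0.7 dst=203.0.113.9 bytes=1200
2024-03-04T10:00:00 conn src=10.0.0.8 dst=198.51.100.4 bytes=900
2024-03-04T03:00:00 dns src=10.0.0.9 query=update.example-cdn.test
2024-03-04T03:01:00 dns src=10.0.0.9 query=update.example-cdn.test
2024-03-04T03:02:00 dns src=10.0.0.9 query=update.example-cdn.test
2024-03-04T03:03:00 dns src=10.0.0.9 query=update.example-cdn.test
2024-03-04T11:00:00 dns src=10.0.0.7 query=mail.example.test
2024-03-04T23:30:00 conn src=10.0.0.5 dst=198.51.100.20 bytes=734003200
2024-03-04T14:00:00 conn src=10.0.0.7 dst=198.51.100.21 bytes=734003200
"""

# Constructed "threat intel" list; a real deployment would load a feed here.
KNOWN_BAD_IPS = {"203.0.113.9"}

# Tuning values are assumptions for this example.
FAILED_LOGIN_THRESHOLD = 3                 # fails before a success is suspicious
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024   # 500 MiB
BUSINESS_HOURS = range(8, 18)              # 08:00-17:59 local time
MIN_BEACON_QUERIES = 4                     # queries needed before interval stats are meaningful
MAX_BEACON_JITTER = 0.1                    # pstdev/mean of inter-query gaps


def parse_line(line):
    """Parse one 'timestamp event k=v ...' line into a dict."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_password_guessing(records):
    """(user, src) pairs with >= threshold consecutive fails followed by a success."""
    fails = defaultdict(int)
    hits = []
    for r in records:
        if r["event"] != "auth":
            continue
        key = (r["user"], r["src"])
        if r["result"] == "fail":
            fails[key] += 1
        elif r["result"] == "success":
            if fails[key] >= FAILED_LOGIN_THRESHOLD:
                hits.append(key)
            fails[key] = 0          # a success resets the run of failures
    return hits


def find_known_bad_connections(records, bad_ips=KNOWN_BAD_IPS):
    """(src, dst) pairs where the destination is on the block list."""
    return [(r["src"], r["dst"]) for r in records
            if r["event"] == "conn" and r["dst"] in bad_ips]


def find_dns_beacons(records):
    """Hosts that query the same name at near-constant intervals (beaconing)."""
    by_pair = defaultdict(list)
    for r in records:
        if r["event"] == "dns":
            by_pair[(r["src"], r["query"])].append(r["ts"])
    hits = []
    for (src, name), times in by_pair.items():
        if len(times) < MIN_BEACON_QUERIES:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_BEACON_JITTER:
            hits.append((src, name, round(avg)))   # interval in seconds
    return hits


def find_off_hours_transfers(records):
    """Large connections whose start time falls outside business hours."""
    return [(r["src"], r["dst"], int(r["bytes"])) for r in records
            if r["event"] == "conn"
            and int(r["bytes"]) >= LARGE_TRANSFER_BYTES
            and r["ts"].hour not in BUSINESS_HOURS]


def scan(text):
    """Run all four detections over a log text and return the hits by rule."""
    records = parse_logs(text)
    return {
        "password_guessing": find_password_guessing(records),
        "known_bad_connections": find_known_bad_connections(records),
        "dns_beacons": find_dns_beacons(records),
        "off_hours_transfers": find_off_hours_transfers(records),
    }


if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_LOGS).items():
        print(f"{rule}: {hits}")
```

Each rule returns a list of hits rather than printing, so the same functions can be fed into a SIEM correlation step or a unit test. The beacon rule deliberately looks at the regularity of the gaps (coefficient of variation) instead of the raw query count, because a busy but legitimate name is queried at irregular times while automated check-ins tend to be on a fixed timer; the 14:00 transfer of the same size as the 23:30 one is left unflagged to show that the time-of-day condition, not the size alone, is what the rule keys on.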
Exam Tip
Know the difference between viruses (need host, user action) and worms (self-replicating, network-spreading). Ransomware is tested heavily — understand double extortion and the 3-2-1 backup rule. Rootkits hide from the OS — detection requires booting from trusted media.