
🔒Network Security and Forensics

Significant Malware Categories

Why This Matters

In network security and forensics, understanding malware categories isn't just about memorizing definitions—it's about recognizing attack vectors, persistence mechanisms, and propagation methods that determine how threats spread and how investigators trace them. You're being tested on your ability to classify threats based on their behavior, identify appropriate countermeasures, and understand the forensic artifacts each type leaves behind.

Each malware category exploits different system vulnerabilities and requires distinct detection and remediation strategies. Whether you're analyzing a compromised network, responding to an incident, or designing defensive architectures, knowing why each category behaves the way it does will help you connect symptoms to causes. Don't just memorize what each malware type does—understand what makes it unique, how it propagates, and what evidence it leaves for forensic analysis.


Self-Propagating Malware

These threats spread automatically across systems and networks, often without user interaction. The key distinction here is the propagation mechanism—understanding how malware moves helps you predict attack patterns and contain outbreaks.

Viruses

  • Requires a host file to execute—attaches to legitimate programs, documents, or boot sectors and activates when the host runs
  • User action triggers infection—opening an infected email attachment, running a compromised executable, or mounting infected media initiates the payload
  • Forensic indicators include modified file timestamps and checksums—investigators look for altered executables and anomalous file modifications in system logs

Worms

  • Self-replicating without user intervention—exploits network vulnerabilities to spread autonomously across connected systems
  • Network-based propagation creates bandwidth consumption—rapid replication can cause denial of service even without a destructive payload
  • Forensic analysis focuses on network traffic patterns—unusual connection attempts, port scanning activity, and spikes in outbound connections indicate worm activity

Compare: Viruses vs. Worms—both self-replicate, but viruses need a host file and user action while worms spread independently through network vulnerabilities. For incident response questions, this distinction determines whether you focus on endpoint isolation (worms) or user education (viruses).


Deception-Based Malware

These categories rely on social engineering and disguise to gain initial access. The malware masquerades as legitimate software or hides within trusted applications, exploiting user trust rather than technical vulnerabilities.

Trojans

  • Disguised as legitimate software to bypass user suspicion—often delivered through fake updates, pirated software, or malicious downloads
  • Creates backdoors for persistent unauthorized access—allows attackers to return to compromised systems even after initial detection
  • Named after Greek mythology's deception tactic—the key forensic challenge is distinguishing malicious functionality hidden within apparently normal applications

Adware

  • Displays unwanted advertisements and pop-ups—often bundled with free software through potentially unwanted program (PUP) distribution
  • Tracks browsing behavior for targeted advertising—collects user data that may be sold to third parties, creating privacy violations
  • Lower severity but indicates compromised system hygiene—presence often signals other bundled malware and weak security practices

Compare: Trojans vs. Adware—both use deceptive bundling for installation, but Trojans enable serious compromise (backdoors, data theft) while adware primarily monetizes user attention. Forensic priority differs significantly based on this distinction.


Surveillance and Data Theft Malware

This category focuses on covert information gathering. The malware's success depends on remaining undetected while exfiltrating sensitive data—making detection and forensic recovery particularly challenging.

Spyware

  • Secretly monitors all user activity—captures browsing history, application usage, communications, and system information
  • Often bundled with legitimate software downloads—drive-by installations make users unwitting accomplices in their own surveillance
  • Exfiltrates data to remote command servers—forensic analysis requires examining outbound network connections and identifying data staging locations

Keyloggers

  • Records every keystroke to capture credentials—targets passwords, credit card numbers, personal messages, and any typed sensitive data
  • Can be hardware-based or software-based—hardware keyloggers (USB devices) leave no software footprint, requiring physical inspection
  • Software keyloggers hook into keyboard input APIs—forensic detection involves examining running processes, startup entries, and API hooks

Compare: Spyware vs. Keyloggers—keyloggers are a specialized subset of spyware focused specifically on keyboard input, while spyware broadly captures all user activity. Both require stealth, but keyloggers may exist as physical devices invisible to software scans.


Persistence and Evasion Malware

These sophisticated threats are designed to maintain long-term access while evading detection. They represent advanced attacker capabilities and pose significant challenges for both real-time detection and forensic investigation.

Rootkits

  • Gains root/administrator-level system access—operates at the kernel level or below, giving complete control over the compromised system
  • Actively hides its presence and other malware—intercepts system calls to filter out evidence of infection from security tools
  • Requires specialized detection tools or offline analysis—standard antivirus often cannot detect rootkits; forensic boot media or memory analysis is typically required

Fileless Malware

  • Operates entirely in memory without disk artifacts—exploits legitimate system tools like PowerShell, WMI, or macros to execute malicious code
  • Leverages "living off the land" techniques—uses trusted system binaries (LOLBins) to avoid triggering file-based detection
  • Memory forensics is essential for detection—traditional disk imaging misses these threats; volatile memory capture and analysis becomes critical

Compare: Rootkits vs. Fileless Malware—rootkits achieve persistence through deep system integration and hiding, while fileless malware evades detection by avoiding disk writes entirely. Both challenge traditional forensics, but rootkits modify the system while fileless malware exploits it as-is.


Extortion and Coordinated Attack Malware

These categories represent monetized cybercrime operations. They leverage compromised systems for direct financial gain or as resources for larger attack campaigns.

Ransomware

  • Encrypts victim files and demands payment for decryption keys—uses strong cryptographic algorithms, making recovery without payment nearly impossible
  • Spreads through phishing emails, exploit kits, and RDP compromise—initial access vectors are often preventable with proper security hygiene
  • Double extortion variants also threaten data publication—modern ransomware exfiltrates data before encryption, increasing pressure on victims to pay

Botnets

  • Networks of compromised devices under centralized command and control (C2)—infected machines (bots or zombies) await instructions from attackers
  • Used for DDoS attacks, spam campaigns, and credential stuffing—collective computing power enables attacks impossible from single systems
  • C2 communication patterns are key forensic indicators—identifying beaconing behavior and C2 infrastructure helps trace botnet membership and attribution

Compare: Ransomware vs. Botnets—ransomware directly monetizes individual victims, while botnets monetize collective resources (computing power, bandwidth) for various criminal services. Both represent organized cybercrime, but investigation approaches differ significantly.
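The Worms bullets above point to scanning patterns in network traffic, and the Botnets bullets point to beaconing as the key C2 indicator (the behaviour self-check question 4 asks about). The following added example, which is not part of the original guide, implements both checks over a constructed set of flow records; the IP addresses, intervals, and thresholds are assumed sample values chosen to make the two patterns visible.

```python
"""Detect two network-forensic indicators from this guide over constructed flow
records: worm-style scanning (one source sweeping many hosts) and botnet
beaconing (low-jitter periodic connections to one host). All records and
thresholds are constructed examples, not tuned production values."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port)
FLOWS = [
    # Beaconing host: same destination every ~300 s with a few seconds of jitter
    *[(300 * i + (i % 3), "10.0.0.5", "203.0.113.9", 443) for i in range(8)],
    # Scanning host: sweeps 40 addresses on port 445 within 40 seconds
    *[(1000 + i, "10.0.0.7", f"192.168.1.{i}", 445) for i in range(40)],
    # Benign browsing: irregular timing, few destinations
    (100, "10.0.0.8", "198.51.100.2", 443), (130, "10.0.0.8", "198.51.100.3", 443),
    (700, "10.0.0.8", "198.51.100.2", 443), (2100, "10.0.0.8", "198.51.100.4", 80),
]

def find_scanners(flows, min_targets=20, window=60):
    """Return sources that reach >= min_targets distinct hosts within `window` s."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_src[src].append((ts, dst))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct destinations in the sliding window starting at t0
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return scanners

def find_beacons(flows, min_conns=6, max_cv=0.05):
    """Return {(src, dst): mean_gap} for pairs whose connection gaps are nearly
    constant, i.e. coefficient of variation (stdev / mean) below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in flows:
        by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons[pair] = round(avg, 1)
    return beacons
```

Real beacons often add deliberate jitter, so in practice the coefficient-of-variation threshold is tuned per environment and combined with the other indicators listed above rather than used alone.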


Quick Reference Table

Concept                         Best Examples
Self-propagation                Viruses, Worms
Social engineering/deception    Trojans, Adware
Data exfiltration               Spyware, Keyloggers
Stealth and persistence         Rootkits, Fileless Malware
Direct monetization             Ransomware
Resource exploitation           Botnets
Requires user action            Viruses, Trojans, Adware
Network-based spread            Worms, Botnets

Self-Check Questions

  1. Which two malware categories both rely on deceptive bundling with legitimate software, and what distinguishes their severity levels?

  2. If a forensic investigator finds no suspicious files on disk but observes anomalous PowerShell activity and unusual memory patterns, which malware category should they suspect, and why does traditional disk imaging fail here?

  3. Compare and contrast how viruses and worms propagate—what specific incident response actions would differ based on which type you're facing?

  4. A compromised system is sending regular encrypted communications to an external IP address at fixed intervals. Which two malware categories might exhibit this behavior, and what forensic techniques would help distinguish between them?

  5. Why do rootkits and fileless malware both pose challenges for standard antivirus solutions, yet require different forensic approaches for detection and analysis?