In network security and forensics, understanding malware categories is about recognizing attack vectors, persistence mechanisms, and propagation methods that determine how threats spread and how investigators trace them. You need to classify threats based on their behavior, identify appropriate countermeasures, and understand the forensic artifacts each type leaves behind.
Each malware category exploits different system vulnerabilities and requires distinct detection and remediation strategies. Whether you're analyzing a compromised network, responding to an incident, or designing defensive architectures, knowing why each category behaves the way it does helps you connect symptoms to causes. Don't just memorize what each malware type does. Understand what makes it unique, how it propagates, and what evidence it leaves for forensic analysis.
These threats spread automatically across systems and networks, often without user interaction. The key distinction here is the propagation mechanism. Understanding how malware moves helps you predict attack patterns and contain outbreaks.
A virus requires a host file to execute. It attaches to legitimate programs, documents, or boot sectors and activates when the host runs. That means user action triggers infection: opening an infected email attachment, running a compromised executable, or mounting infected media initiates the payload.
From a forensic standpoint, investigators look for modified file timestamps and altered checksums. Comparing known-good hashes against current file hashes is one of the fastest ways to spot virus infections. System logs showing anomalous file modifications, especially to executables in system directories, are strong indicators.
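The known-good versus current hash comparison described above, as an added example that is not part of the original guide: the directory layout, file contents and the "infection" are constructed stand-ins, and the functions exist only for this demonstration.

```python
"""Hash-baseline integrity check: spot files a virus has altered or dropped.

Added example, not part of the original study guide. The directory layout
and the "infection" in the demo are constructed for illustration.
"""
import hashlib
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large binaries never load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as modified, added or missing relative to the known-good set.

    A file infector shows up as 'modified' (same path, different hash); a dropped
    companion file shows up as 'added'. Timestamps are deliberately ignored, since
    malware can reset them, but a matching hash cannot be forged without a collision.
    """
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

if __name__ == "__main__":
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)   # constructed stand-in binary
    (root / "readme.txt").write_text("release notes")
    known_good = snapshot(root)                                      # taken while clean
    # Reproduce the artifacts a file infector leaves: the executable grows and a
    # companion file appears. readme.txt is untouched and must not be reported.
    (root / "bin" / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"APPENDED")
    (root / "bin" / "helper.dll").write_bytes(b"constructed")
    print(compare(known_good, snapshot(root)))
    # {'modified': ['bin/tool.exe'], 'added': ['bin/helper.dll'], 'missing': []}
```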
Unlike viruses, worms are self-replicating without user intervention. They exploit network vulnerabilities (unpatched services, open ports, weak credentials) to spread autonomously across connected systems.
Because worms propagate over the network, rapid replication can cause denial of service through bandwidth consumption alone, even without a destructive payload. Forensic analysis focuses on network traffic patterns: unusual connection attempts to many hosts on the same port, port scanning activity, and spikes in outbound connections all indicate worm activity.
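The fan-out pattern just described (one source reaching many hosts on the same port, mostly without completing the handshake), turned into detection logic over constructed connection records. This is an added example, not part of the original guide; the record layout, thresholds and sample hosts are assumptions.

```python
"""Fan-out detection: flag a host probing one port across many neighbours.

Added example, not from the original study guide. The record layout (time,
src, dst, dport, handshake state), thresholds and sample data are assumptions.
"""
from collections import defaultdict

# Constructed records. 10.0.0.5 sweeps port 445 across 10.0.1.0/24 and is
# refused everywhere, the pattern of a worm hunting for one exploitable
# service. 10.0.0.9 is a user making a couple of successful HTTPS connections.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} 10.0.0.5 10.0.1.{i + 1} 445 fail" for i in range(12)]
    + ["1700000003 10.0.0.9 203.0.113.10 443 ok",
       "1700000040 10.0.0.9 203.0.113.10 443 ok"])

def parse(log: str) -> list[dict]:
    """Whitespace-separated lines -> records; blank lines are skipped."""
    records = []
    for line in filter(str.strip, log.splitlines()):
        ts, src, dst, port, state = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "state": state})
    return records

def fan_out_alerts(records, window=60, min_targets=8, min_fail_ratio=0.7):
    """Report (src, port) pairs that reach >= min_targets distinct hosts within
    `window` seconds with mostly failed handshakes. The failure ratio separates
    a scanning worm from a busy server, which also talks to many hosts but
    completes its connections. At most one alert per pair."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], r["port"])].append(r)
    alerts = []
    for (src, port), recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):            # window starting at each record
            in_win = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            targets = {r["dst"] for r in in_win}
            fail_ratio = sum(r["state"] == "fail" for r in in_win) / len(in_win)
            if len(targets) >= min_targets and fail_ratio >= min_fail_ratio:
                alerts.append({"src": src, "port": port, "targets": len(targets),
                               "fail_ratio": round(fail_ratio, 2)})
                break
    return alerts

if __name__ == "__main__":
    print(fan_out_alerts(parse(SAMPLE_LOG)))
    # [{'src': '10.0.0.5', 'port': 445, 'targets': 12, 'fail_ratio': 1.0}]
```

A slow sweep that spreads its probes over more than the window will slip past this check, which is why the window and target count have to be tuned against the real baseline of the network being monitored.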
Compare: Viruses vs. Worms: both self-replicate, but viruses need a host file and user action while worms spread independently through network vulnerabilities. For incident response, this distinction determines whether you prioritize endpoint isolation and network segmentation (worms) or user education and file-level scanning (viruses).
These categories rely on social engineering and disguise to gain initial access. The malware masquerades as legitimate software or hides within trusted applications, exploiting user trust rather than technical vulnerabilities.
Trojans are disguised as legitimate software to bypass user suspicion. Common delivery methods include fake software updates, pirated applications, and malicious downloads from untrusted sources.
Once installed, a Trojan typically creates a backdoor for persistent unauthorized access, allowing attackers to return to compromised systems even after initial detection. The name comes from Greek mythology's deception tactic, and the key forensic challenge mirrors that story: distinguishing malicious functionality hidden within apparently normal applications. Look for unexpected network connections, unauthorized listening ports, and new scheduled tasks or services that weren't part of the original software.
Adware displays unwanted advertisements and pop-ups, and it's often bundled with free software through potentially unwanted program (PUP) distribution channels. It also tracks browsing behavior for targeted advertising, collecting user data that may be sold to third parties and creating privacy violations.
Adware is lower severity than most malware categories, but its presence signals compromised system hygiene. Where you find adware, you'll often find other bundled malware and weak security practices. Treat it as a warning sign, not just a nuisance.
Compare: Trojans vs. Adware: both use deceptive bundling for installation, but Trojans enable serious compromise (backdoors, data theft) while adware primarily monetizes user attention. Forensic priority differs significantly based on this distinction.
This category focuses on covert information gathering. The malware's success depends on remaining undetected while exfiltrating sensitive data, making detection and forensic recovery particularly challenging.
Spyware secretly monitors all user activity, capturing browsing history, application usage, communications, and system information. It's often bundled with legitimate software downloads. Drive-by installations (where simply visiting a compromised website triggers a download) make users unwitting accomplices in their own surveillance.
Spyware exfiltrates collected data to remote command servers. Forensic analysis requires examining outbound network connections for unusual destinations and identifying data staging locations on the local disk where information is collected before transmission.
Keyloggers record every keystroke to capture credentials, targeting passwords, credit card numbers, personal messages, and any typed sensitive data. They come in two distinct forms: software keyloggers, which run on the compromised system, and hardware keyloggers, physical devices that no software scan can see.
Compare: Spyware vs. Keyloggers: keyloggers are a specialized subset of spyware focused specifically on keyboard input, while spyware broadly captures all user activity. Both require stealth, but hardware keyloggers are completely invisible to software scans, which is why physical security audits matter.
These sophisticated threats are designed to maintain long-term access while evading detection. They represent advanced attacker capabilities and pose significant challenges for both real-time detection and forensic investigation.
A rootkit gains root/administrator-level system access and operates at the kernel level or below, giving complete control over the compromised system. What makes rootkits especially dangerous is that they actively hide their own presence and the presence of other malware. They do this by intercepting system calls and filtering out evidence of infection before security tools can see it.
This means standard antivirus often cannot detect rootkits, since the rootkit controls what the antivirus is allowed to "see." Detection typically requires specialized tools, offline analysis, or forensic boot media that load a trusted operating system independent of the compromised one. Memory analysis from outside the infected OS is often the most reliable approach.
Fileless malware operates entirely in memory without writing to disk. Instead of dropping executable files, it exploits legitimate system tools like PowerShell, WMI (Windows Management Instrumentation), or Office macros to execute malicious code.
This approach is called "living off the land" because it uses trusted system binaries (sometimes called LOLBins, short for Living Off the Land Binaries) to avoid triggering file-based detection. Since nothing malicious is written to disk, traditional disk imaging misses these threats entirely. Volatile memory capture and analysis becomes critical: you need to grab RAM contents before the system is powered off, because a reboot destroys the evidence.
Compare: Rootkits vs. Fileless Malware: rootkits achieve persistence through deep system integration and hiding, while fileless malware evades detection by avoiding disk writes entirely. Both challenge traditional forensics, but the approaches differ. Rootkits modify the system (kernel hooks, altered system calls), so you look for integrity violations. Fileless malware exploits the system as-is, so you look for suspicious use of legitimate tools in memory and logs.
These categories represent monetized cybercrime operations. They leverage compromised systems for direct financial gain or as resources for larger attack campaigns.
Ransomware encrypts victim files and demands payment for decryption keys. It uses strong cryptographic algorithms (typically AES for file encryption combined with RSA for key exchange), making recovery without the decryption key nearly impossible.
Common initial access vectors include phishing emails, exploit kits, and compromised Remote Desktop Protocol (RDP) connections. Many of these are preventable with proper security hygiene. Modern double extortion variants add another layer of pressure: they exfiltrate data before encryption, then threaten to publish stolen data publicly if the ransom isn't paid. This means even organizations with good backups still face consequences.
A botnet is a network of compromised devices under centralized command and control (C2). Each infected machine (called a bot or zombie) sits quietly until it receives instructions from the attacker's C2 server.
Botnets are used for DDoS attacks, spam campaigns, credential stuffing, and cryptocurrency mining. The collective computing power of thousands or millions of compromised devices enables attacks that would be impossible from a single system. Forensically, C2 communication patterns are the key indicator. Look for beaconing behavior: regular, periodic connections to the same external IP or domain, often at fixed intervals, sometimes with encrypted payloads.
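The beaconing check described above, as an added example that is not part of the original guide: it measures how regular the gaps between a host's connections to one external address are, flagging the low-jitter series a bot produces while leaving irregular human browsing alone. The record shape, thresholds and sample traffic are constructed assumptions.

```python
"""Beacon detection: find periodic outbound connections that look like C2 check-ins.

Added example, not from the original study guide. The (timestamp, src, dst)
record shape, the thresholds and the sample traffic are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connections (epoch seconds, internal host, external host).
# 10.0.0.12 contacts 203.0.113.7 every ~300 s with a few seconds of jitter, the
# fixed-interval pattern of a bot awaiting orders; 10.0.0.20 browses 203.0.113.80
# at irregular, human-looking intervals.
BEACON_TS = [1700000000 + 300 * i + j for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 0])]
HUMAN_TS = [1700000000 + t for t in (0, 14, 95, 101, 620, 1420, 1433, 2900)]
SAMPLE = ([(t, "10.0.0.12", "203.0.113.7") for t in BEACON_TS]
          + [(t, "10.0.0.20", "203.0.113.80") for t in HUMAN_TS])

def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) for a series of timestamps.
    CV = stdev / mean; a value near 0 means the gaps are almost identical."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))

def find_beacons(records, min_connections=6, max_cv=0.15):
    """Group connections by (src, dst) and flag pairs whose timing is regular
    enough (CV <= max_cv) over enough samples to look scheduled rather than
    human. Malware that adds random jitter raises the CV, so tune max_cv
    against your own baseline instead of trusting one fixed value."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), ts in by_pair.items():
        if len(ts) < min_connections:
            continue
        period, cv = interval_stats(ts)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "period_s": round(period),
                         "cv": round(cv, 3)})
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE))
    # [{'src': '10.0.0.12', 'dst': '203.0.113.7', 'period_s': 300, 'cv': 0.009}]
```

Legitimate software (update checks, monitoring agents) also beacons, so each hit still needs the destination reputation and the process behind the connection before it becomes an incident.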
Compare: Ransomware vs. Botnets: ransomware directly monetizes individual victims through extortion, while botnets monetize collective resources (computing power, bandwidth) for various criminal services. Both represent organized cybercrime, but investigation approaches differ. Ransomware investigations focus on the encryption event, initial access vector, and data exfiltration. Botnet investigations focus on C2 infrastructure, communication patterns, and the scope of compromised devices.
| Concept | Best Examples |
|---|---|
| Self-propagation | Viruses, Worms |
| Social engineering/deception | Trojans, Adware |
| Data exfiltration | Spyware, Keyloggers |
| Stealth and persistence | Rootkits, Fileless Malware |
| Direct monetization | Ransomware |
| Resource exploitation | Botnets |
| Requires user action | Viruses, Trojans, Adware |
| Network-based spread | Worms, Botnets |
Which two malware categories both rely on deceptive bundling with legitimate software, and what distinguishes their severity levels?
If a forensic investigator finds no suspicious files on disk but observes anomalous PowerShell activity and unusual memory patterns, which malware category should they suspect, and why does traditional disk imaging fail here?
Compare and contrast how viruses and worms propagate. What specific incident response actions would differ based on which type you're facing?
A compromised system is sending regular encrypted communications to an external IP address at fixed intervals. Which two malware categories might exhibit this behavior, and what forensic techniques would help distinguish between them?
Why do rootkits and fileless malware both pose challenges for standard antivirus solutions, yet require different forensic approaches for detection and analysis?