
🔒Cybersecurity and Cryptography

Types of Malware


Why This Matters

Malware isn't just a single threat—it's an entire ecosystem of attack methods, each exploiting different vulnerabilities in systems, networks, and human behavior. You're being tested on your ability to distinguish between malware types based on their propagation methods, persistence mechanisms, and attack objectives. Understanding these distinctions is essential for identifying appropriate countermeasures and analyzing real-world security incidents.

The concepts here connect directly to broader cybersecurity principles: defense in depth, the CIA triad (confidentiality, integrity, availability), and the human factor in security. Don't just memorize what each malware type does—know why it works, how it spreads, and what defensive strategies counter it. That's what separates surface-level recall from exam-ready understanding.


Self-Propagating Malware

These threats spread autonomously, multiplying across systems and networks. The key distinction here is whether they require a host file or user action to propagate.

Viruses

  • Requires a host file to spread—attaches to legitimate programs or documents and activates when the infected file is executed
  • User action triggers propagation, meaning viruses depend on people sharing files, opening attachments, or running infected software
  • Payload varies widely—from data corruption and deletion to information theft, depending on the attacker's objectives

Worms

  • Self-replicating and standalone—no host file needed, making them far more aggressive spreaders than viruses
  • Exploits software vulnerabilities to propagate automatically across networks without any user interaction
  • Primary impact is availability—consumes bandwidth and system resources, often causing denial-of-service conditions

Compare: Viruses vs. Worms—both self-replicate, but viruses need a host file and user action while worms spread autonomously through network vulnerabilities. If an exam question asks about malware causing network congestion without user involvement, think worms.


Deception-Based Malware

These threats rely on social engineering rather than technical exploits. They trick users into installing them by appearing legitimate or desirable.

Trojans

  • Disguises itself as legitimate software—named after the Greek myth, it relies entirely on deception for initial access
  • Does not self-replicate, distinguishing it from viruses and worms; spreads only through social engineering
  • Creates backdoors for attackers, enabling persistent unauthorized access, data exfiltration, or installation of additional malware

Adware

  • Displays unwanted advertisements—often bundled with free software downloads as a monetization strategy
  • Privacy risk through tracking—monitors browsing behavior to serve targeted ads, compromising user confidentiality
  • Gateway to worse infections—can evolve into spyware or serve as a delivery mechanism for more dangerous malware

Compare: Trojans vs. Adware—both often arrive through deceptive downloads, but Trojans focus on unauthorized access while adware prioritizes advertising revenue. Trojans are always malicious; adware exists in a gray area between annoying and harmful.


Data Theft and Surveillance Malware

These threats prioritize confidentiality attacks, secretly gathering sensitive information without the user's knowledge or consent.

Spyware

  • Covert surveillance software—monitors user activity, tracks browsing habits, and harvests personal data without consent
  • Operates invisibly in the background, making detection difficult for average users
  • Targets confidentiality directly—captures passwords, financial information, and behavioral data for exploitation or sale

Keyloggers

  • Records every keystroke—captures passwords, credit card numbers, messages, and any typed information
  • Can be hardware or software-based—hardware keyloggers are physical devices; software versions install through malware delivery
  • Enables identity theft and account compromise—captures credentials as they are typed, before any encryption is applied, so attackers receive them in plaintext

Compare: Spyware vs. Keyloggers—keyloggers are technically a subset of spyware, but the distinction matters. Spyware broadly monitors activity and collects data; keyloggers specifically capture typed input. Both attack confidentiality, but keyloggers are more targeted and dangerous for credential theft.


Extortion and Denial Malware

These threats focus on availability attacks: denying access to data or systems, in the case of ransomware until the attacker's demands are met.

Ransomware

  • Encrypts the victim's files and demands payment—uses strong cryptographic algorithms to lock data, with the decryption key held by the attackers
  • Spreads through phishing and malicious downloads, targeting individuals, businesses, hospitals, and government agencies
  • Payment doesn't guarantee recovery—attackers may not provide keys, and paying funds future attacks; backups are the primary defense

Botnets

  • Networks of compromised devices (bots) controlled remotely by attackers through command-and-control (C2) infrastructure
  • Used for DDoS attacks, spam campaigns, and credential stuffing—the collective power of thousands of infected machines enables massive-scale attacks
  • Decentralized architecture makes dismantling difficult—modern botnets use peer-to-peer communication to resist takedown efforts

Compare: Ransomware vs. Botnets—both can cause denial-of-service conditions, but through different mechanisms. Ransomware denies access to your own data through encryption; botnets deny access to services by overwhelming them with traffic. Ransomware targets individual victims; botnets weaponize victims to attack others.


Stealth and Persistence Malware

These threats prioritize evasion and long-term access, hiding from detection while maintaining attacker control over compromised systems.

Rootkits

  • Gains root/admin-level access while hiding its presence—modifies system files, processes, and logs to remain invisible
  • Conceals other malware, acting as a cloaking mechanism for additional threats on the system
  • Enables persistent access—allows attackers to maintain control even after reboots or partial remediation efforts

Fileless Malware

  • Operates entirely in memory—leaves no traditional files on disk, evading signature-based antivirus detection
  • Abuses legitimate system tools such as PowerShell, WMI, or Office macros to execute malicious code (living off the land), so the binaries it runs are the ones the operating system ships with
  • Requires behavior-based detection—traditional antivirus fails; organizations need endpoint detection and response (EDR) solutions

Compare: Rootkits vs. Fileless Malware—both prioritize evasion, but through different methods. Rootkits modify system components to hide files on disk; fileless malware avoids the disk entirely. Rootkits are about concealment; fileless malware is about leaving no evidence to conceal.
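The following added example (not part of the original guide) shows why a signature-style check passes fileless activity while a behaviour-style check catches it. All events, hashes and the allow-list are constructed for illustration.

```python
"""Signature vs behaviour checks on process-creation events.
Added example, not from the original guide: the events, hashes and
allow-list are constructed to show why a fileless attack that runs only
legitimate binaries passes a hash check but trips behavioural rules."""
from dataclasses import dataclass

# Constructed allow-list of hashes for binaries the OS ships with.
KNOWN_GOOD = {"powershell.exe": "sha256:CONSTRUCTED-PS", "wmic.exe": "sha256:CONSTRUCTED-WMIC"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
LOLBINS = {"powershell.exe", "wmic.exe", "mshta.exe", "regsvr32.exe"}

@dataclass
class ProcessEvent:
    image: str      # executable name
    sha256: str     # hash of the on-disk image
    parent: str     # image of the parent process
    cmdline: str    # full command line

def signature_verdict(ev: ProcessEvent) -> bool:
    """Signature-style check: malicious only if the on-disk image is unknown.
    A fileless attack runs the genuine binary, so this returns False."""
    return KNOWN_GOOD.get(ev.image) != ev.sha256

def behavior_findings(ev: ProcessEvent) -> list[str]:
    """Behaviour-style check: looks at lineage and command line, not the file."""
    findings = []
    toks = ev.cmdline.lower().split()
    if ev.image in LOLBINS and ev.parent in OFFICE_APPS:
        findings.append(f"{ev.parent} spawned {ev.image} (macro-style lineage)")
    if ev.image == "powershell.exe":
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc ...).
        if any(t.startswith("-e") and "-encodedcommand".startswith(t) for t in toks):
            findings.append("encoded command line")
        if "hidden" in toks:
            findings.append("hidden window")
        if any(k in ev.cmdline.lower() for k in ("downloadstring", "invoke-expression", "iex")):
            findings.append("download-and-execute in memory")
    return findings

def triage(events):
    """Per event: (image, signature says malicious?, behavioural findings)."""
    return [(ev.image, signature_verdict(ev), behavior_findings(ev)) for ev in events]

# Constructed sample events: a routine admin script, then a macro-launched payload.
EVENTS = [
    ProcessEvent("powershell.exe", KNOWN_GOOD["powershell.exe"], "explorer.exe",
                 r"powershell.exe -File C:\scripts\nightly-backup.ps1"),
    ProcessEvent("powershell.exe", KNOWN_GOOD["powershell.exe"], "winword.exe",
                 "powershell.exe -NoP -W Hidden -Enc <BASE64-PLACEHOLDER>"),
]

if __name__ == "__main__":
    for row in triage(EVENTS):
        print(row)
```

Both events carry the same known-good hash, so the signature check clears both; only the lineage and command-line rules separate the backup script from the macro-launched payload.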


Quick Reference Table

Concept                            Best Examples
---------------------------------  ----------------------------
Self-propagation (requires host)   Virus
Self-propagation (standalone)      Worm, Botnet
Social engineering delivery        Trojan, Adware
Confidentiality attacks            Spyware, Keylogger
Availability/extortion attacks     Ransomware, Botnet (DDoS)
Stealth and evasion                Rootkit, Fileless Malware
Persistence mechanisms             Rootkit, Trojan (backdoor)
Requires user action               Virus, Trojan, Adware

Self-Check Questions

  1. Compare and contrast: What distinguishes a virus from a worm in terms of propagation requirements, and how does this difference affect their potential spread rate?

  2. A security analyst discovers malware that captured login credentials by recording everything typed on an infected workstation. Which two malware types could be responsible, and how would you distinguish between them?

  3. An organization's files are suddenly inaccessible, and a message demands Bitcoin payment. What type of malware is this, and why are backups—rather than payment—the recommended response?

  4. Which malware types specifically prioritize evasion as their primary characteristic, and what detection methods are required for each?

  5. FRQ-style prompt: Explain how a botnet attack differs from a ransomware attack in terms of the CIA triad element primarily targeted and the relationship between the attacker and the victim's system.