CompTIA Security+malware-types-and-indicators

Malware Types and Indicators of Compromise

Recognize the major malware families and the signs that a system is infected.

Security+ loves to give you a short scenario and ask "which type of malware is this?" or "which indicator points to a compromise?" Success comes from knowing the distinguishing behavior of each malware family and the observable symptoms an attacker leaves behind. Learn what makes a worm different from a virus, and which indicators of compromise (IoCs) the exam expects you to spot.

Core Idea

  • Match malware to its defining behavior, not its payload. A worm self-replicates across a network, a virus needs a host file and user action, and a trojan disguises itself as something legitimate — the exam keys on these differences.
  • Indicators of compromise are observable symptoms, not the malware itself: account lockouts, impossible travel, resource spikes, unusual outbound traffic, and missing logs all say "someone is already inside."
  • Mitigations are layered: patching, endpoint detection and response (EDR), least privilege, application allow-lists, network segmentation, and offline backups reduce both infection and impact.

Self-Replicating and Host-Dependent Malware

  • Virus – malicious code that attaches to a host file or program and requires a user to run it to activate and spread. A boot sector virus infects startup code; a macro virus hides in document macros.
  • Wormself-replicates and spreads across networks on its own, with no host file and no user action. Worms consume bandwidth and multiply fast, which is why network resource spikes are a classic sign.
  • Trojan – disguised as legitimate software so the user installs it willingly; it does not self-replicate. A Remote Access Trojan (RAT) gives an attacker remote control.
  • Fileless malware – runs in memory using trusted tools like PowerShell or Windows Management Instrumentation ("living off the land"). It writes little or nothing to disk, so signature-based antivirus often misses it.

Payload-Focused Malware

  • Ransomware – encrypts files (or entire drives) and demands payment; modern "double extortion" also leaks stolen data if the victim refuses.
  • Spyware – secretly gathers information about the user's activity.
  • Keylogger – records keystrokes to steal credentials and other typed data.
  • Rootkit – hides deep in the system (often kernel level) to conceal other malware and maintain access; hard to detect because it subverts the OS itself.
  • Logic bomb – dormant code that triggers on a condition (a date, or an employee record being deleted). It is an insider favorite.
  • Bloatware – unnecessary pre-installed software; not inherently malicious but expands the attack surface.
  • Potentially unwanted program (PUP) – bundled adware/toolbars the user did not really intend to install.

Bots, Botnets, and Command-and-Control

A bot is a compromised host under remote control; many bots together form a botnet. The attacker steers them through a command-and-control (C2) channel to launch distributed denial-of-service (DDoS) attacks, send spam, or mine cryptocurrency. Beaconing — regular, repeating outbound connections to the same external host — is the tell-tale sign of C2 traffic.

Indicators of Compromise (IoCs)

  • Account lockouts and failed logins – possible brute-force or password spraying.
  • Impossible travel – the same account logs in from two distant locations in an impossibly short time; a strong sign of stolen credentials.
  • Resource consumption / concurrent session usage – CPU, memory, or bandwidth spikes can mean cryptomining, worms, or exfiltration.
  • Unusual outbound / blocked traffic – data going to unexpected foreign hosts, or connections to known-bad IPs.
  • Missing logs – attackers delete logs to cover tracks; a gap is itself an indicator.
  • Published / leaked data – your data appearing publicly signals a completed breach.

High-Yield Exam Patterns

  • "Spreads across the network by itself with no user interaction" = worm; "needs the user to open a file" = virus.
  • "Looks like a legitimate app" = trojan; add "remote control" and it is a RAT.
  • "Runs in memory / uses PowerShell / nothing written to disk" = fileless malware.
  • "Encrypts files and demands payment" = ransomware; if data is also released, that is extortion / data exfiltration.
  • "Regular beaconing to an external server" = command-and-control for a botnet.
  • Impossible travel and account lockouts are the go-to IoCs for compromised credentials.

Common Traps to Avoid

  • Confusing virus (needs a host and user action) with worm (self-replicating, autonomous) — the most tested distinction.
  • Assuming antivirus catches fileless malware; signature scanning often misses in-memory attacks.
  • Treating an indicator of compromise as the malware itself — an IoC is a symptom that points to an intrusion.
  • Calling all unwanted software "malware" — bloatware and PUPs are unwanted but not inherently malicious.
  • Forgetting that a logic bomb stays dormant until its trigger condition fires.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.