Malware Types and Indicators of Compromise
Recognize the major malware families and the signs that a system is infected.
Security+ loves to give you a short scenario and ask "which type of malware is this?" or "which indicator points to a compromise?" Success comes from knowing the distinguishing behavior of each malware family and the observable symptoms an attacker leaves behind. Learn what makes a worm different from a virus, and which indicators of compromise (IoCs) the exam expects you to spot.
Core Idea
- Match malware to its defining behavior, not its payload. A worm self-replicates across a network, a virus needs a host file and user action, and a trojan disguises itself as something legitimate — the exam keys on these differences.
- Indicators of compromise are observable symptoms, not the malware itself: account lockouts, impossible travel, resource spikes, unusual outbound traffic, and missing logs all say "someone is already inside."
- Mitigations are layered: patching, endpoint detection and response (EDR), least privilege, application allow-lists, network segmentation, and offline backups reduce both infection and impact.
Self-Replicating and Host-Dependent Malware
- Virus – malicious code that attaches to a host file or program and requires a user to run it to activate and spread. A boot sector virus infects startup code; a macro virus hides in document macros.
- Worm – self-replicates and spreads across networks on its own, with no host file and no user action. Worms consume bandwidth and multiply fast, which is why network resource spikes are a classic sign.
- Trojan – disguised as legitimate software so the user installs it willingly; it does not self-replicate. A Remote Access Trojan (RAT) gives an attacker remote control.
- Fileless malware – runs in memory using trusted tools like PowerShell or Windows Management Instrumentation ("living off the land"). It writes little or nothing to disk, so signature-based antivirus often misses it.
Payload-Focused Malware
- Ransomware – encrypts files (or entire drives) and demands payment; modern "double extortion" also leaks stolen data if the victim refuses.
- Spyware – secretly gathers information about the user's activity.
- Keylogger – records keystrokes to steal credentials and other typed data.
- Rootkit – hides deep in the system (often kernel level) to conceal other malware and maintain access; hard to detect because it subverts the OS itself.
- Logic bomb – dormant code that triggers on a condition (a date, or an employee record being deleted). It is an insider favorite.
- Bloatware – unnecessary pre-installed software; not inherently malicious but expands the attack surface.
- Potentially unwanted program (PUP) – bundled adware/toolbars the user did not really intend to install.
Bots, Botnets, and Command-and-Control
A bot is a compromised host under remote control; many bots together form a botnet. The attacker steers them through a command-and-control (C2) channel to launch distributed denial-of-service (DDoS) attacks, send spam, or mine cryptocurrency. Beaconing — regular, repeating outbound connections to the same external host — is the tell-tale sign of C2 traffic.
Indicators of Compromise (IoCs)
- Account lockouts and failed logins – possible brute-force or password spraying.
- Impossible travel – the same account logs in from two distant locations in an impossibly short time; a strong sign of stolen credentials.
- Resource consumption / concurrent session usage – CPU, memory, or bandwidth spikes can mean cryptomining, worms, or exfiltration.
- Unusual outbound / blocked traffic – data going to unexpected foreign hosts, or connections to known-bad IPs.
- Missing logs – attackers delete logs to cover tracks; a gap is itself an indicator.
- Published / leaked data – your data appearing publicly signals a completed breach.
High-Yield Exam Patterns
- "Spreads across the network by itself with no user interaction" = worm; "needs the user to open a file" = virus.
- "Looks like a legitimate app" = trojan; add "remote control" and it is a RAT.
- "Runs in memory / uses PowerShell / nothing written to disk" = fileless malware.
- "Encrypts files and demands payment" = ransomware; if data is also released, that is extortion / data exfiltration.
- "Regular beaconing to an external server" = command-and-control for a botnet.
- Impossible travel and account lockouts are the go-to IoCs for compromised credentials.
Common Traps to Avoid
- Confusing virus (needs a host and user action) with worm (self-replicating, autonomous) — the most tested distinction.
- Assuming antivirus catches fileless malware; signature scanning often misses in-memory attacks.
- Treating an indicator of compromise as the malware itself — an IoC is a symptom that points to an intrusion.
- Calling all unwanted software "malware" — bloatware and PUPs are unwanted but not inherently malicious.
- Forgetting that a logic bomb stays dormant until its trigger condition fires.
Flashcards
Card 1 of 14
Question
What defines a worm and sets it apart from a virus?
Click or press Space to reveal answer
Answer
A worm self-replicates and spreads across networks on its own, needing no host file and no user action, while a virus requires a host file and a user to run it.
Keyboard: Space/Enter to flip • Arrow keys to navigate
Ready to Test Your Knowledge?
This quiz has 8 questions and each one has 4 options.
Quiz Details
8 Questions
Multiple choice with instant self-check
Final Review
See correct answers and explanations at the end
Build your own lesson in minutes.
Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.