Malware
Malware (“malicious software”) is any code written to compromise the confidentiality, integrity, or availability of a system without the owner’s consent. As a defender or authorised tester, you need to recognise the major families, understand how they get in, and know which controls actually stop them.
How Malware Is Classified
Two useful lenses: behaviour (what the code does) and propagation (how it spreads). A single sample often wears several labels — a phishing attachment might be a dropper (installs more code), which pulls down a trojan that opens a backdoor and finally deploys ransomware. Modern threats are modular, so treat these categories as overlapping roles rather than fixed boxes.
Viruses and Worms
A virus injects itself into a host file or program and runs when the victim executes it, requiring user action to spread. A worm is self-propagating: it exploits a network-reachable vulnerability and copies itself to new hosts without any interaction, which is why worm outbreaks scale so fast.
Trojans
A trojan masquerades as something legitimate — a cracked app, a fake installer, a document macro — while carrying a hidden payload. Trojans do not self-replicate; they rely on social engineering to get the victim to run them.
Ransomware
Ransomware encrypts files (or entire drives) and demands payment for the decryption key. The dominant model today is ransomware-as-a-service (RaaS), where operators lease the malware to affiliates, and double extortion, where attackers steal data before encrypting and threaten to leak it if the ransom is not paid. Offline, tested backups are the single most effective defence — see Encryption for how the underlying crypto works, and Incident Response for containment.
Spyware and Infostealers
Spyware quietly harvests data — keystrokes, screenshots, browsing habits. Infostealers are a booming subclass that scrape saved browser passwords, session cookies, crypto wallets, and autofill data, then sell them on criminal markets. Stolen session cookies are especially dangerous because they can let an attacker bypass a password and many 2FA prompts.
Rootkits and Bootkits
A rootkit hides malware from the operating system and security tools, often by hooking kernel functions or living below the OS in firmware. Because they subvert the very tools you would use to detect them, rootkits are among the hardest infections to find and remove.
Botnets, Cryptominers, and Adware
Bots enrol infected machines into a botnet for spam, credential stuffing, or DDoS campaigns. Cryptominers silently steal CPU/GPU cycles to mine currency. Adware injects ads and redirects traffic — less destructive, but often a symptom of a wider compromise.
Fileless and Living-off-the-Land Techniques
Not all malware ships as a .exe on disk. Fileless attacks run entirely in memory, and living-off-the-land (LOTL) techniques abuse trusted, signed system tools — PowerShell, wmic, certutil, rundll32 on Windows, or curl and cron on Linux — so activity blends into normal administration. Signature-based antivirus struggles here; detection leans on behavioural monitoring (EDR) that flags how a process behaves rather than what file it is.
How Malware Gets In
- Phishing: malicious attachments and links remain the number-one entry vector — see The Art of Phishing.
- Drive-by downloads: compromised or malicious sites exploit an unpatched browser or plugin.
- Software supply chain: trojanised installers, poisoned package-manager dependencies, or backdoored updates.
- Exposed services: internet-facing RDP, SSH, or unpatched servers taken over by brute force or exploitation.
- Removable media: infected USB drives, still effective against air-gapped or careless environments.
Detection, Prevention, and Removal
Defence works in layers; no single control is enough.
- Patch aggressively. Most worms and drive-bys depend on known, unpatched vulnerabilities.
- Least privilege. Users and services running without admin/root rights sharply limit what a payload can do. See Operating System Security.
- Segment and filter. A well-configured firewall and network segmentation slow lateral movement and cut off command-and-control traffic.
- Back up offline. Keep versioned backups isolated from the network so ransomware cannot reach them.
- Use behavioural detection. Modern endpoint tools catch fileless and LOTL activity that signatures miss.
If you suspect an infection, isolate the host from the network first, then investigate. Reimaging from known-good media is often faster and safer than cleaning, especially where a rootkit may persist. To understand what a sample does before you eradicate it, study Malware Analysis and preserve evidence with sound Forensics practice.
Only analyse or detonate live malware in an isolated lab you control — an air-gapped virtual machine or dedicated sandbox — never on production systems or hardware you rely on.