Objective 2.4 | High Priority | 12 min read

Malware Types and Indicators

Recognition of different malware categories and their indicators including ransomware, trojans, worms, spyware, viruses, keyloggers, logic bombs, rootkits, and bloatware. Understanding malware behavior helps identify infections.

Understanding Malware Types and Indicators

Malware (malicious software) encompasses any software designed to harm, exploit, or compromise systems. Different malware types have distinct behaviors, propagation methods, and indicators that help defenders detect and respond to infections.

Key malware categories:

  • Self-replicating — Viruses, worms
  • Access-providing — Trojans, RATs, rootkits
  • Data-stealing — Spyware, keyloggers
  • Extortion — Ransomware
  • Time-triggered — Logic bombs
  • Unwanted — Bloatware, PUPs

Recognizing malware indicators enables faster detection and response, limiting damage from infections.

Why This Matters for the Exam

Malware identification is heavily tested on SY0-701. Questions require distinguishing between malware types based on behavior descriptions and recognizing indicators of infection.

Understanding malware characteristics helps with incident response—knowing what type of malware you're dealing with guides containment and remediation.

The exam tests precise terminology. Knowing the difference between a virus and a worm, or a trojan and a RAT, is essential.

Deep Dive

Ransomware

Malware that encrypts files or locks systems, demanding payment for restoration.

Ransomware Behavior:

  • Encrypts user files with strong encryption
  • Displays ransom demand (usually cryptocurrency)
  • May exfiltrate data before encryption (double extortion)
  • May threaten to publish stolen data (triple extortion)

Ransomware Indicators:

  • Files renamed with unusual extensions (.encrypted, .locked)
  • Ransom notes appearing (README.txt, DECRYPT_INSTRUCTIONS)
  • Inability to open files
  • Unusual encryption process activity
  • Network traffic to known C2 servers

Ransomware Types:

  • Crypto ransomware — Encrypts files
  • Locker ransomware — Locks entire system
  • RaaS — Ransomware-as-a-Service (criminal business model)

Trojans

Malware disguised as legitimate software to trick users into execution.

Trojan Characteristics:

  • Appears legitimate or useful
  • Requires user to execute
  • Does NOT self-replicate
  • Often provides backdoor access

Trojan Types:

Type                          Purpose
RAT (Remote Access Trojan)    Full remote control of system
Banking Trojan                Steal financial credentials
Downloader                    Download additional malware
Dropper                       Install embedded malware

Trojan Indicators:

  • Unexpected software installations
  • System running slower
  • Unusual network connections
  • Programs launching automatically
  • Webcam/microphone activating unexpectedly

Worms

Self-replicating malware that spreads without user interaction.

Worm Characteristics:

  • Self-replicates automatically
  • Spreads across networks
  • No user action required
  • Exploits vulnerabilities for propagation

Worm vs. Virus:

  • Worm: Standalone, spreads over network automatically
  • Virus: Requires host file, requires user action

Worm Indicators:

  • Rapid spread across network
  • Bandwidth consumption spikes
  • Multiple systems infected simultaneously
  • Exploitation attempts in logs
  • Automated scanning traffic
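The two worm indicators above that show up in network logs, automated scanning traffic and rapid host-to-host spread, can be checked mechanically. The following detector is an added example written for this page, not code from the study guide: it reads firewall-style connection records, flags any source that reaches many distinct destinations on one port inside a short window, and then links each scanning host to the earlier scanner that contacted it before its own sweep began. The log line format, the 10.0.1.0/24 addresses, the thresholds and the sample records are all constructed for the illustration.

```python
"""Worm-propagation indicator check over a constructed connection log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> src=<ip> dst=<ip> dport=<port> ..."
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
FANOUT_THRESHOLD = 8            # distinct destinations on one port ...
WINDOW = timedelta(seconds=30)  # ... within this window = automated scanning


def _line(sec, src, dst, dport):
    # Builds one constructed log line in the assumed format.
    return f"2024-05-01T10:00:{sec:02d} src={src} dst={dst} dport={dport} proto=tcp action=deny"


# Constructed sample: 10.0.1.15 sweeps port 445 across the subnet from 10:00:00,
# touching 10.0.1.22 at 10:00:02; 10.0.1.22 then starts its own sweep at 10:00:20.
# 10.0.1.5 only talks to one web server and is benign.
SAMPLE_LOG = (
    [_line(i, "10.0.1.15", f"10.0.1.{20 + i}", 445) for i in range(12)]
    + [_line(20 + i, "10.0.1.22", f"10.0.1.{40 + i}", 445) for i in range(12)]
    + [_line(i, "10.0.1.5", "10.0.1.10", 443) for i in range(5)]
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for every line that matches the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_scanners(records):
    """Return {src: (dport, scan_start)} for sources that reached FANOUT_THRESHOLD
    distinct destinations on a single port inside WINDOW."""
    per_key = defaultdict(list)
    for ts, src, dst, dport in records:
        per_key[(src, dport)].append((ts, dst))
    scanners = {}
    for (src, dport), events in per_key.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > WINDOW:
                    break
                seen.add(dst)
                if len(seen) >= FANOUT_THRESHOLD:
                    scanners[src] = (dport, start)
                    break
            if src in scanners:
                break
    return scanners


def propagation_chain(records, scanners):
    """Map each scanning host to the earlier scanner that contacted it before its
    own sweep began: the hop-by-hop spread that separates a worm from one noisy host."""
    chain = {}
    for child, (_, child_start) in scanners.items():
        for parent, (_, parent_start) in scanners.items():
            if parent == child:
                continue
            for ts, src, dst, _ in records:
                if src == parent and dst == child and parent_start <= ts < child_start:
                    chain[child] = parent
    return chain


def analyze(lines):
    """Run both checks over an iterable of log lines."""
    records = list(parse(lines))
    scanners = find_scanners(records)
    return scanners, propagation_chain(records, scanners)


if __name__ == "__main__":
    scanners, chain = analyze(SAMPLE_LOG)
    for host, (port, start) in sorted(scanners.items(), key=lambda kv: kv[1][1]):
        via = f" (first contacted by {chain[host]})" if host in chain else ""
        print(f"{start.time()} {host} sweeping port {port}{via}")
```

On the sample, 10.0.1.15 is reported first and 10.0.1.22 is reported as contacted by 10.0.1.15 before it began scanning; that parent-child relation is the "multiple systems infected in quick succession" signal, and the benign web client never appears because it reaches only one destination.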

Spyware

Malware that secretly monitors and collects user information.

Spyware Activities:

  • Browser history tracking
  • Keystroke logging
  • Screen capture
  • Credential harvesting
  • Location tracking

Spyware Indicators:

  • Browser redirects
  • New toolbars or extensions
  • Slow system performance
  • Pop-up advertisements
  • Changed browser homepage
  • Unknown programs in startup

Viruses

Malware that attaches to files and requires user action to spread.

Virus Characteristics:

  • Attaches to executable files
  • Requires user to run infected file
  • Replicates when host file executes
  • Cannot spread without user action

Virus Types:

Type             Description
Boot sector      Infects boot process
File infector    Attaches to executables
Macro virus      Embeds in documents (Office macros)
Polymorphic      Changes code to evade detection
Metamorphic      Completely rewrites itself

Virus Indicators:

  • Files changing size unexpectedly
  • Programs not working correctly
  • Unusual error messages
  • Files appearing or disappearing
  • Slow system startup

Keyloggers

Software or hardware that records keystrokes.

Keylogger Types:

  • Software — Program running on system
  • Hardware — Physical device between keyboard and computer

Keylogger Indicators:

  • Unknown processes running
  • Lag when typing
  • Unfamiliar hardware attached
  • Credentials compromised without phishing

Logic Bombs

Malicious code triggered by specific conditions.

Logic Bomb Triggers:

  • Specific date/time
  • User action (file opened, program run)
  • Absence of action (employee not logging in)
  • System event

Logic Bomb Characteristics:

  • Dormant until triggered
  • Often planted by insiders
  • Difficult to detect before activation
  • Can be devastating when triggered

Logic Bomb Indicators:

  • Code with date/time checks
  • Conditional destructive code
  • Unusual scheduled tasks
  • Code checking for employee status
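The indicators above (date/time checks, account-status checks, conditional destructive code) are things a reviewer can grep for before a logic bomb ever fires. The scanner below is an added example for this page, not code from the study guide: it reports every place where a trigger condition sits within a few lines of a destructive call. The regexes, the PROXIMITY window and the two sample scripts are constructed for the illustration, and a hit is a lead for human review, not a verdict.

```python
"""Heuristic review aid for logic-bomb indicators in script source."""
import re

# Trigger conditions named on this page: a time check or an account-existence check.
TRIGGER_PATTERNS = [
    (re.compile(r"datetime\.(?:now|today)\(\)|date\.today\(\)|time\.time\(\)"), "date/time check"),
    (re.compile(r"getpwnam\(|/etc/passwd|\bid\s+-u\b"), "account existence check"),
]
# Destructive operations worth pairing with a trigger.
DESTRUCTIVE_PATTERNS = [
    (re.compile(r"shutil\.rmtree\(|os\.(?:remove|unlink)\(|\brm\s+-rf\b"), "file deletion"),
    (re.compile(r"\b(?:DROP\s+(?:TABLE|DATABASE)|TRUNCATE\s+TABLE)\b", re.IGNORECASE),
     "database destruction"),
]
PROXIMITY = 10  # assumed: trigger and destructive call within this many lines get paired


def _hits(lines, patterns):
    """Return (line_number, kind) for every line matching any pattern."""
    return [(n, kind) for n, line in enumerate(lines, start=1)
            for rx, kind in patterns if rx.search(line)]


def scan(source):
    """Return findings pairing each destructive line with nearby trigger lines."""
    lines = source.splitlines()
    triggers = _hits(lines, TRIGGER_PATTERNS)
    findings = []
    for d_line, d_kind in _hits(lines, DESTRUCTIVE_PATTERNS):
        for t_line, t_kind in triggers:
            if abs(d_line - t_line) <= PROXIMITY:
                findings.append({"trigger_line": t_line, "trigger": t_kind,
                                 "destructive_line": d_line, "action": d_kind})
    return findings


# Constructed sample 1: the pattern from this page's Q2 scenario, an account
# check that, when the account is gone, destroys data.
SUSPICIOUS_SCRIPT = '''\
import pwd, shutil

def nightly_job():
    try:
        pwd.getpwnam("jdoe")               # is the author's account still present?
    except KeyError:
        shutil.rmtree("/var/lib/app/db")   # if it was removed, destroy the database
    rotate_logs()
'''

# Constructed sample 2: a date check with nothing destructive near it.
BENIGN_SCRIPT = '''\
from datetime import date

def monthly_report(path):
    if date.today().day == 1:              # run on the first of the month
        with open(path, "w") as fh:
            fh.write(build_report())
'''

if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, scan(src))
```

The suspicious sample yields one finding (an account existence check on line 5 next to a file deletion on line 7); the benign sample yields none because its date check is followed only by a file write. A legitimate log-rotation job that deletes old files by date will also be flagged, which is the intended behaviour for a review aid: the decision stays with the reviewer.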

Rootkits

Malware designed to hide its presence and maintain persistent access.

Rootkit Levels:

Level          Description
User-mode      Runs in user space, easier to detect
Kernel-mode    Runs in kernel, very difficult to detect
Bootkit        Infects boot process, loads before OS
Firmware       In hardware firmware, survives reinstall

Rootkit Indicators:

  • Antivirus failing to run
  • Hidden files/processes (visible from live boot)
  • System instability
  • Network traffic from "invisible" processes
  • Integrity check failures

Detection Challenge:

  • Rootkits hide themselves—may need to boot from clean media to detect.

Bloatware / PUPs

Potentially Unwanted Programs—not strictly malicious but unwanted.

Bloatware Types:

  • Pre-installed manufacturer software
  • Bundled software with downloads
  • Adware
  • Browser toolbars

Bloatware Indicators:

  • Unwanted programs after install
  • Excessive advertisements
  • Slower system performance
  • Browser changes
  • Programs launching at startup

How CompTIA Tests This

Example Analysis

Scenario: Users report they cannot open their documents. Files have been renamed with a ".CRYPTED" extension. A text file on every desktop demands 2 Bitcoin payment to restore files. Network logs show large amounts of data transferred to an external IP before the encryption began.

Analysis - Ransomware with Double Extortion:

Indicators Present:

  • Files encrypted (.CRYPTED extension)
  • Ransom demand (Bitcoin payment)
  • Data exfiltration before encryption
  • Widespread impact across users

Malware Type: Ransomware (Double Extortion)

Why Double Extortion:

  • Data was exfiltrated BEFORE encryption
  • Attackers can threaten to publish data
  • Victim pressured even if they have backups
  • Pay to decrypt AND to prevent publication

Immediate Response:

  1. Isolate affected systems
  2. Preserve evidence
  3. Assess backup status
  4. Determine data exposure
  5. Engage incident response
  6. Consider law enforcement notification

Key insight: Data exfiltration before encryption indicates double extortion ransomware—backups alone won't solve the problem if sensitive data will be published.
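The Ransomware Indicators list and the scenario just analysed can be turned into triage logic: a burst of renames to an unusual extension, a ransom note landing on the desktop, and a large outbound transfer to an external address before the first rename. The detector below is an added example written for this page, not code from the study guide; it classifies each host from a feed of endpoint and network events. The event tuple format, the internal address ranges, the thresholds and the sample events are assumptions made for the illustration.

```python
"""Ransomware indicator triage over a constructed endpoint/network event feed."""
import ipaddress
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

SUSPICIOUS_EXTS = {".encrypted", ".locked", ".crypted"}
RANSOM_NOTE_NAMES = {"readme.txt", "decrypt_instructions.txt", "decrypt_instructions.html"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RENAME_THRESHOLD = 5                    # renames to a suspicious extension ...
RENAME_WINDOW = timedelta(seconds=60)   # ... within this window = encryption burst
EXFIL_THRESHOLD = 100 * 1024 * 1024     # bytes to an external IP before the burst

# Constructed events: (iso timestamp, host, kind, detail) where
#   rename  -> (old_path, new_path)   create -> path   net_out -> (dest_ip, bytes)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "ws-07", "net_out", ("203.0.113.10", 300 * 1024 * 1024)),
    ("2024-05-01T09:12:00", "ws-07", "net_out", ("203.0.113.10", 50 * 1024 * 1024)),
] + [
    (f"2024-05-01T09:20:{5 * i:02d}", "ws-07", "rename",
     (f"/srv/share/alice/doc{i}.xlsx", f"/srv/share/alice/doc{i}.xlsx.CRYPTED"))
    for i in range(6)
] + [
    ("2024-05-01T09:20:40", "ws-07", "create", "/srv/share/alice/Desktop/README.txt"),
    ("2024-05-01T09:30:00", "ws-07", "net_out", ("203.0.113.10", 1024)),  # after burst
    ("2024-05-01T09:05:00", "ws-12", "net_out", ("10.0.0.5", 900 * 1024 * 1024)),  # internal
    ("2024-05-01T09:06:00", "ws-12", "rename", ("/srv/share/bob/old.zip", "/srv/share/bob/old.zip.locked")),
]


def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _has_burst(times):
    """True if RENAME_THRESHOLD renames fall inside any RENAME_WINDOW-long span."""
    times = sorted(times)
    return any(times[i + RENAME_THRESHOLD - 1] - times[i] <= RENAME_WINDOW
               for i in range(len(times) - RENAME_THRESHOLD + 1))


def analyze(events):
    """Return {host: finding} with the indicators seen and a classification."""
    by_host = defaultdict(list)
    for ts, host, kind, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, detail))
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        rename_times, note_seen, exfil_before = [], False, 0
        for ts, kind, detail in evs:
            if kind == "rename":
                if posixpath.splitext(detail[1])[1].lower() in SUSPICIOUS_EXTS:
                    rename_times.append(ts)
            elif kind == "create":
                if posixpath.basename(detail).lower() in RANSOM_NOTE_NAMES:
                    note_seen = True
            elif kind == "net_out" and not rename_times and _is_external(detail[0]):
                exfil_before += detail[1]   # only bytes sent before the first rename count
        burst = _has_burst(rename_times)
        exfil = exfil_before >= EXFIL_THRESHOLD
        if burst and exfil:
            label = "ransomware (double extortion)"
        elif burst:
            label = "ransomware (crypto)"
        elif note_seen:
            label = "possible ransomware: ransom note without encryption burst"
        else:
            label = "no ransomware indicators"
        findings[host] = {"encryption_burst": burst, "ransom_note": note_seen,
                          "exfil_bytes_before_encryption": exfil_before,
                          "classification": label}
    return findings


if __name__ == "__main__":
    for host, f in sorted(analyze(SAMPLE_EVENTS).items()):
        print(host, f["classification"])
```

On the sample, ws-07 is classified as double extortion because 350 MiB left for an external address before its six renames in 25 seconds, while ws-12 stays clean: its large transfer went to an internal backup host and a single rename to .locked is below the burst threshold. The ordering matters for the incident response steps in the scenario: exfiltration that precedes the burst is what turns "restore from backup" into "assess data exposure".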

Key Terms to Know

malware types, ransomware, trojans, worms, spyware, virus, keylogger, logic bomb, rootkit, bloatware, malware indicators

Common Mistakes to Avoid

Confusing viruses and worms—viruses require user action and host files. Worms self-replicate across networks automatically.
Thinking trojans spread on their own—trojans rely on user deception to execute. They don't self-replicate.
Assuming rootkits are easy to detect—rootkits specifically hide themselves. May need to boot from clean media.
Ignoring bloatware—while not malicious, bloatware can have security vulnerabilities and impact performance.

Exam Tips

Virus = Needs host file + user action. Worm = Self-replicates across network automatically.
Trojan = Disguised as legitimate. RAT = Remote Access Trojan (full control).
Ransomware indicators: encrypted files, ransom notes, unusual extensions.
Logic bomb = Triggered by condition (date, event, absence).
Rootkit = Hides itself. Kernel-mode hardest to detect.
Double extortion ransomware = Encrypts AND threatens to publish stolen data.

Memory Trick

"RTWSVKLRB" - Malware Types

  • Ransomware (encrypts for payment)
  • Trojan (disguised, RAT)
  • Worm (self-replicates network)
  • Spyware (monitors user)
  • Virus (needs host + user)
  • Keylogger (records keystrokes)
  • Logic bomb (triggered by condition)
  • Rootkit (hides itself)
  • Bloatware (unwanted programs)

Virus vs. Worm Memory:

  • Virus = Voluntary (needs user action)
  • Worm = Wireless/automatic (spreads alone)

Trojan Horse Story: Greeks HID inside → Trojans trick users. Trojan = HIDES true purpose.

Rootkit Detection: "Root" = goes deep, hides at root level. Boot from clean media to see hidden malware.

Ransomware Extortion Levels:

  • Single = Encrypt only
  • Double = Encrypt + threaten to publish
  • Triple = + DDoS if you don't pay

Test Your Knowledge

Q1. Malware spreads rapidly across the network without any user interaction, exploiting a vulnerability in the SMB protocol. What type of malware is this?

Q2. An administrator discovers malicious code in a script that checks if a specific employee's account exists. If the account is deleted, the code will delete critical database files. This is an example of:

Q3. Users report files encrypted with unusual extensions and ransom demands. Logs show 500GB of data transferred to an external server before encryption. What variant of attack is this?
