Domain 2 of 5 · Chapter 3 of 6

Malware and Malicious Activity

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Propagation taxonomy: virus vs worm vs trojan
  • Payload and persistence types: RAT, rootkit, fileless, ransomware, logic bomb, botnet
  • Exam-pattern recognition for SY0-701 malware items

SY0-701 malware types: propagation, goal, and example trigger

TypeHow it propagatesPrimary goalDistinguishing trait
VirusAttaches to a host file; runs when user executes itCorrupt/spread payload via infected filesNeeds user action; not self-propagating
WormSelf-replicates across networks, no user actionRapid mass infectionSpreads autonomously over the network
TrojanDisguised as legitimate software the user runsDeliver a hidden payloadRelies on deception; does not self-replicate
RATDelivered as a trojan payloadInteractive remote control of the hostGives attacker a remote console / backdoor
RansomwareOften via phishing, RDP, or worm-like spreadExtort payment by encrypting/locking dataEncryption + ransom demand (double-extortion = also leak)
Spyware / KeyloggerBundled with trojans or drive-by installsCovertly collect activity / capture keystrokesExfiltrates user data; keylogger = keystrokes specifically
RootkitInstalled post-compromise at kernel/boot/firmwareHide presence and maintain privileged accessSubverts the OS; survives reinstall (bootkit)
Fileless malwareLoads into memory via legitimate tools (LOLBins)Execute without writing to diskNo on-disk artifact; evades signature AV
Logic bombEmbedded by an insider or in trusted codeDetonate payload when a condition is metTrigger-based (date/event), not propagation-based
BotnetHosts recruited via worms/trojans, joined to C2Coordinated DDoS, spam, distributed attacksMany bots controlled via command-and-control
BloatwarePreinstalled by OEM/vendorGenerally unwanted, not malicious by designEnlarges attack surface; not a malicious payload

Decision tree

Disguised as legitimate software the user ran? Yes Gives interactive remote control of the host? Yes RAT remote-access trojan No Trojan deceptive installer No Self-spreads over network, no user action? Yes Worm autonomous spread No Rode in on an infected file the user ran? Yes Virus needs a carrier file No What is the dominant behavior? Hides at kernel/boot Rootkit reimage to remediate In-memory, LOLBins Fileless malware evades signature AV Encrypts + demands pay Ransom-ware Trigger-based (date/event) = logic bomb · many bots under one C2 controller = botnet Unwanted-but-not-malicious preinstalled software = bloatware (not classified above)

Cheat sheet

  • Classify malware by how it spreads before its payload
  • A virus attaches to a host file and runs only when the user does
  • A worm self-replicates across the network with no user action
  • A trojan is disguised software the user runs voluntarily
  • A RAT is the trojan payload that grants interactive remote control
  • A backdoor is the hidden re-entry path that bypasses authentication
  • A rootkit hides the attacker by subverting a privileged layer
  • Fileless malware runs in memory by abusing trusted LOLBins
  • Ransomware encrypts or locks access and extorts payment to restore it
  • Double extortion adds a data-leak threat on top of encryption
  • Spyware covertly collects user activity and reports it out
  • A keylogger is the spyware subtype that captures keystrokes
  • A logic bomb is defined by its trigger, not its spread
  • A botnet is many bots driven by one command-and-control channel
  • Bloatware is unwanted preinstalled software, not malware
  • Trojan, RAT, and backdoor are one delivery-to-control chain, not synonyms
  • Signature-AV failure points to fileless malware or a rootkit
  • Rootkit remediation is reimaging, not in-place AV removal

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. malware, Glossary
  2. rootkit, Glossary
  3. Botnet, Glossary
  4. SP 800-83 Rev. 1: Guide to Malware Incident Prevention and Handling for Desktops and Laptops Whitepaper
  5. Security+ (Plus) Certification