Malware types defined by behavior
A virus attaches itself to a legitimate host file and requires that file to be executed to spread. When the user opens an infected document or runs an infected program, the virus activates and may infect other files. Viruses require human action to propagate. The defining characteristic is the host file dependency.
A worm self-replicates and spreads across networks without any human action or host file. It exploits network vulnerabilities or services to copy itself from system to system. WannaCry spread through the EternalBlue exploit in SMB, hitting hundreds of thousands of machines in hours without anyone clicking anything. The defining characteristic is network-based self-propagation without human interaction.
A Trojan horse disguises itself as legitimate, useful software. A user voluntarily runs it, believing it is a game, a utility, or an update. Once running, it installs a backdoor, steals data, or downloads additional malware. Trojans do not self-replicate. Remote Access Trojans (RATs) give attackers persistent remote control over the infected machine.
Ransomware encrypts the victim's files or entire disk and demands payment for the decryption key. Some ransomware variants also exfiltrate data before encrypting to create additional extortion leverage. Ransomware is typically delivered through phishing emails or exploit kits. The defining characteristic is file encryption combined with a ransom demand.
A rootkit hides itself and other malicious software by modifying OS components at a deep level. Kernel rootkits modify the operating system kernel. Bootkits infect the boot process before the OS loads. Rootkits make malware on the system invisible to standard tools because the tools themselves are compromised. Detection requires booting from an external drive and scanning the filesystem from outside the infected OS.
Fileless malware never writes to disk. It exists only in memory and uses legitimate system tools like PowerShell, WMI, or mshta to execute. Traditional signature-based antivirus that scans files on disk finds nothing. Detection requires behavioral analysis and memory scanning.
Botnets and indicators of compromise
A botnet is a network of infected machines (bots or zombies) controlled remotely by an attacker through a command-and-control (C2) server. Individual bot infections are typically invisible to the user. The attacker uses the botnet for DDoS attacks, spam campaigns, credential stuffing, or cryptocurrency mining. The defining characteristic is remote control via a C2 server.
Indicators of Compromise (IOCs) are artifacts that suggest a system has been compromised. Unusual outbound network connections to unknown IPs or on unusual ports suggest a backdoor or C2 communication. Unexpected processes running under system accounts, new scheduled tasks or registry run keys, files appearing in system directories with random names, and unexplained spikes in CPU or disk activity all indicate potential compromise.
Behavioral IOCs are the most important for detecting modern threats: lateral movement (a user account accessing systems it has never accessed before), privilege escalation attempts, disabling of security tools, and mass file encryption activity all signal an active attack even when no specific malware signature is matched.
How to choose the correct answer
Self-replicates across networks without human action = worm. Requires infected file execution to spread = virus. Disguised as legitimate software, no self-replication = Trojan. Encrypts files, demands ransom = ransomware. Hides itself by modifying the OS = rootkit. Runs only in memory using PowerShell/WMI = fileless malware. Controlled by remote C2 server = botnet/zombie.
IOC scenarios: unusual outbound connection = C2 communication. Mass file rename with new extension = ransomware encryption. New scheduled task with random name = persistence mechanism. Sudden spike in CPU with no user activity = crypto mining botnet.
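The IOC scenarios above (and the indicators listed under "Indicators of Compromise") can be expressed as simple triage rules run over endpoint telemetry. The following is an added example, not part of the original study notes: it assumes a toy baseline of known peers and common ports, and runs the four rules over constructed sample events.

```python
import re
from collections import Counter

# Constructed baseline for a toy host: known peers and common egress ports.
# Real deployments derive these from observed normal traffic, not a hard-coded set.
KNOWN_PEERS = {"10.0.0.5", "10.0.0.9"}
COMMON_PORTS = {53, 80, 443}
# Crude "random-looking name" heuristic: 8+ alphanumerics with at least two digits.
RANDOM_NAME = re.compile(r"^(?=(?:.*\d){2})[A-Za-z0-9]{8,}$")

def triage(events, rename_threshold=20, cpu_threshold=90):
    """Map raw endpoint events onto the IOC scenarios; returns (indicator, detail) pairs."""
    findings = []
    renames = Counter()  # new extension -> number of files renamed to it
    for e in events:
        kind = e["type"]
        if kind == "net_out" and (e["dst"] not in KNOWN_PEERS or e["port"] not in COMMON_PORTS):
            findings.append(("possible C2 communication", f"{e['dst']}:{e['port']}"))
        elif kind == "file_rename":
            old_ext = e["old"].rsplit(".", 1)[-1]
            new_ext = e["new"].rsplit(".", 1)[-1]
            if new_ext != old_ext:
                renames[new_ext] += 1
        elif kind == "sched_task" and RANDOM_NAME.fullmatch(e["name"]):
            findings.append(("persistence via scheduled task", e["name"]))
        elif kind == "cpu" and e["pct"] >= cpu_threshold and not e["user_active"]:
            findings.append(("possible crypto-mining bot", f"cpu={e['pct']}% with no user activity"))
    # Mass rename to one new extension is the ransomware signal; a single rename is not.
    for ext, n in renames.items():
        if n >= rename_threshold:
            findings.append(("possible ransomware encryption", f"{n} files renamed to .{ext}"))
    return findings

# Constructed sample telemetry (not captured from a real system).
SAMPLE_EVENTS = [
    {"type": "net_out", "dst": "10.0.0.5", "port": 443},        # normal
    {"type": "net_out", "dst": "198.51.100.23", "port": 4444},  # unknown IP, odd port
    {"type": "sched_task", "name": "OneDriveSync"},             # benign-looking name
    {"type": "sched_task", "name": "qz81Xk3mPw9"},              # random-looking name
    {"type": "cpu", "pct": 97, "user_active": False},
] + [{"type": "file_rename", "old": f"doc{i}.docx", "new": f"doc{i}.docx.locked"}
     for i in range(25)]

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_EVENTS):
        print(f"{indicator}: {detail}")
```

Each rule on its own is noisy; the value is in correlating several of them on one host within a short window, which is what the behavioral IOC section is describing.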