pk.org: CS 419/Lecture Notes

Malware and Defenses

Terms and concepts you should know

Paul Krzyzanowski – 2025-11-08

Malware Types

Virus
Program that attaches to legitimate files and spreads when users execute those files.
Worm
Self-contained malware that spreads automatically across networks without user intervention.
Trojan Horse
Program that appears benign but performs hidden malicious actions.
Backdoor
Secret method of accessing a system, bypassing normal authentication.
Rootkit
Software designed to hide malicious activity and evade detection by the operating system.
Ransomware
Malware that encrypts files or locks systems and demands payment for recovery.
Cryptojacker
Malware that secretly uses system resources to mine cryptocurrency.
Adware
Software that displays unwanted advertisements for profit.
Spyware
Malware that monitors user activity and collects sensitive information.
Keylogger
Program that records keystrokes to capture credentials and personal data.
Information Stealer
Malware that collects stored credentials, browser data, or financial information.
Bot
Individual infected computer under remote control by an attacker.
Zombie
Alternate term for a compromised system that performs automated tasks under attacker control.
Botnet
Network of infected computers remotely controlled by an attacker.
Remote Access Trojan (RAT)
Malware that gives attackers full control over an infected system.
Wiper
Malware that erases data and damages systems without financial motivation.
Scareware
Software that tricks users into installing fake security tools or paying for non-existent threats.
Browser Hijacker
Malware that alters browser settings to redirect users or insert ads.

Infection and Propagation

Dropper
Small program that installs or downloads the main malware payload.
Loader
Program that unpacks and executes the embedded payload.
Zero-Click Attack
Compromise that requires no user interaction by exploiting flaws in message parsing, image rendering, or network protocol handling.
Drive-by Download
Automatic malware download from a compromised or malicious website.
Supply Chain Attack
Compromise of trusted software distribution channels or update mechanisms.
USB Drop Attack
Leaving infected or malicious USB devices where victims are likely to plug them in.
Malicious USB Firmware (BadUSB)
USB devices with altered firmware that impersonate trusted device classes such as keyboards or network adapters.
Keystroke Injection Device (e.g., USB Rubber Ducky)
USB devices that emulate keyboards and automatically execute scripted commands when plugged in.
Wormable Vulnerability
Network flaw that allows malware to spread automatically without human action.
Autorun Exploit
Technique that uses removable media to automatically execute malware.
Typosquatting
Registering domains with slight misspellings of legitimate names to deceive users.
Combosquatting
Registering domains that combine a legitimate name with additional words (e.g., paypal-secure.com).

Social Engineering

Phishing
Fraudulent email impersonating legitimate entities to steal information.
Spear Phishing
Targeted phishing attack customized to a specific person or organization.
Vishing
Voice-based phishing via phone calls.
Smishing
SMS-based phishing attack with malicious links.
Pretexting
Creating a fabricated scenario to trick victims into revealing information.

Psychological Manipulation Principles

Authority
Exploiting trust in perceived experts, officials, or executives.
Urgency
Creating artificial time pressure to prompt rash decisions.
Trust
Leveraging relationships or a legitimate appearance to gain cooperation.
Fear
Threatening harm or consequences to coerce compliance.
Curiosity
Exploiting interest or intrigue to prompt unsafe actions.
Greed
Offering rewards or financial gain to manipulate behavior.

Malware Lifecycle

Persistence
Mechanisms to ensure malware survives reboots (registry keys, cron jobs, services).
Trigger Condition
Event or condition that activates malware execution.
Time Bomb
Malware that activates at a specific date or time.
Logic Bomb
Code that executes when specific conditions are met.
Payload
The main malicious function or purpose of the malware.
Propagation
Mechanism by which malware spreads to other systems or files.

Command and Control (C2)

Command and Control (C2) Server
Remote server used to issue instructions and receive stolen data.
Domain Generation Algorithm (DGA)
Algorithm that generates multiple potential domain names for C2 servers.
Fast Flux
Rapidly changing DNS records to hide C2 server locations.
DNS Tunneling
Encoding data in DNS queries to bypass network defenses.
Domain Fronting
Masking real destinations by routing through legitimate domains.
Peer-to-Peer (P2P) C2
Decentralized control mechanism where infected systems communicate directly.

Evasion and Anti-Analysis

Crypter
Tool that encrypts malware to hide its contents.
Packer
Program that compresses and obfuscates executables.
Polymorphic Malware
Malware that alters its code appearance on each infection to evade signatures (typically in the packer/crypter).
Metamorphic Malware
Malware that rewrites its payload code each time it spreads.
Beaconing
Periodic communication between infected hosts and C2 servers.
Virtual Machine Detection
Technique to identify and avoid running in analysis environments.
Sandbox Evasion
Behavior modification to avoid detection inside virtual analysis environments.
Debugger Detection
Identifying active debuggers to alter or terminate execution.
Fileless Malware
Malware that operates solely in memory without leaving files on disk.
Living-off-the-Land
Abuse of legitimate system tools (e.g., PowerShell) for malicious purposes.
PowerShell-Based Malware
Malware that uses PowerShell to download, decode, or execute payloads entirely in memory.
Registry-Resident Malware
Malware stored in registry keys rather than written to disk.

Privilege Escalation and Defense

Kernel Exploit
Attack targeting OS kernel vulnerabilities to gain full control.
Least Privilege Principle
Security practice limiting users to only the access needed for their tasks.
Application Whitelisting
Allowing execution only of pre-approved programs.
Network Segmentation
Dividing networks into isolated zones to contain attacks.

Detection and Defense Techniques

Signature-Based Detection
Identifies known malware by matching unique byte patterns.
Heuristic Analysis
Detects suspicious behavior or structure without specific signatures.
Behavioral Analysis
Observes real-time program behavior to detect anomalies.
Sandboxing
Running untrusted code in isolation to observe effects safely.
Patch Management
Regularly updating software to eliminate known vulnerabilities.
SPF (Sender Policy Framework)
Email authentication protocol that defines allowed mail servers for a domain.
DKIM (DomainKeys Identified Mail)
Email authentication method using digital signatures.
DMARC
Policy that coordinates SPF and DKIM to prevent email spoofing.

Security Concepts

Zero-Day Exploit
An attack that targets a previously unknown and unpatched vulnerability.
Zero-Day Vulnerability
The underlying flaw that attackers exploit before the vendor releases a patch.
N-Day Vulnerability
A known software flaw for which a patch or mitigation exists, but some systems remain unpatched and exploitable.
N-Day Exploit
Code or techniques that take advantage of an N-day vulnerability to compromise unpatched systems.
Reflections on Trusting Trust
Ken Thompson’s demonstration that trust in compilers and software supply chains is fundamental and potentially exploitable.
Defense in Depth
Layered security approach combining multiple protection methods.
Arms Race
Ongoing cycle where defenses and attacks continually evolve against each other.