2.2 Indicators of malicious activity
📘CompTIA Security+ SY0-701
What is Malware?
Malware (short for malicious software) is any software created with the intent to damage, disrupt, steal, or gain unauthorized access to computer systems, networks, or data.
It can infect a single computer or spread across entire organizations, causing data breaches, service disruptions, or financial losses.
For the Security+ exam, you need to understand:
- How different types of malware work
- What indicators show they are present
- How they spread and cause harm
🦠 Types of Malware
Below are the main malware types you must know for the exam.
1. Ransomware
Definition:
Ransomware is malware that encrypts the victim’s files or system and demands a ransom payment (usually in cryptocurrency) to restore access.
How it works:
- It often spreads through phishing emails, malicious attachments, or compromised websites.
- Once executed, it encrypts files on the system or shared network drives.
- It displays a ransom note demanding payment for the decryption key.
Indicators of ransomware:
- Files suddenly have strange extensions (e.g.,
.locked,.crypt). - Users cannot open their documents.
- A ransom message appears on the screen.
Goal:
Financial gain through extortion.
2. Trojan (Trojan Horse)
Definition:
A Trojan is malware that pretends to be a legitimate program but hides malicious code inside.
Once installed, it allows attackers to control the infected system or steal data.
How it works:
- Delivered as fake software (e.g., a “free antivirus” or “system update”).
- Once run, it can install backdoors, log keystrokes, or download more malware.
Indicators of a trojan infection:
- Unknown applications running in Task Manager.
- Slow system performance.
- Network connections to suspicious IP addresses.
Goal:
To gain remote access or steal sensitive data without the user’s knowledge.
3. Worm
Definition:
A worm is a self-replicating piece of malware that spreads automatically through networks without human interaction or attachment to other files.
How it works:
- Exploits software vulnerabilities in systems or network protocols.
- Once inside one device, it scans for other vulnerable systems and infects them.
- Consumes bandwidth and resources.
Indicators of a worm:
- Unexpected spikes in network traffic.
- Multiple computers slowing down simultaneously.
- Security logs showing repeated attempts to connect to multiple hosts.
Goal:
To spread rapidly, often preparing the network for further attacks or system overloads.
4. Spyware
Definition:
Spyware secretly monitors user activities and collects information such as browsing habits, credentials, or system data without permission.
How it works:
- Installed when users download free software or click on suspicious links.
- Runs silently in the background, recording data or capturing screenshots.
- Sends collected data back to the attacker’s server.
Indicators of spyware:
- Increased CPU or memory usage.
- Unexpected pop-ups or browser redirections.
- Unauthorized data transmissions seen in network monitoring tools.
Goal:
To steal information such as login credentials, personal data, or financial information.
5. Bloatware (Potentially Unwanted Programs – PUPs)
Definition:
Bloatware refers to unnecessary or unwanted software that comes pre-installed on a system or gets installed alongside other applications.
While not always malicious, it can slow down systems or create vulnerabilities.
How it works:
- Often bundled with legitimate software installations.
- May collect usage data, display ads, or install toolbars.
Indicators of bloatware:
- Unrecognized software running at startup.
- Frequent pop-ups or advertisements.
- Reduced system performance.
Goal:
Usually profit-based — collects data, shows ads, or sells additional features.
6. Virus
Definition:
A virus is malware that attaches itself to legitimate files or programs and executes when the infected file is run.
It requires user interaction to spread.
How it works:
- Infects executable files (like
.exeor.dll). - When a user runs the infected file, the virus activates and spreads to other files or systems.
- It can corrupt data, delete files, or disable programs.
Indicators of a virus:
- Unusual file size changes.
- Programs crashing frequently.
- Antivirus alerts or disabled security software.
Goal:
To damage systems, spread to other devices, or disrupt operations.
7. Keylogger
Definition:
A keylogger records every keystroke made on a keyboard to capture credentials, messages, or other sensitive data.
How it works:
- Can be software-based (installed by malware) or hardware-based (physical device connected to keyboard ports).
- Logs are sent to the attacker over the internet.
Indicators of a keylogger:
- Delayed keyboard responses.
- Unknown processes consuming CPU.
- Unexplained outbound network traffic.
Goal:
To steal usernames, passwords, and other sensitive input data.
8. Logic Bomb
Definition:
A logic bomb is malicious code triggered by a specific event or condition — such as a date, time, or user action.
How it works:
- Often placed by insiders within scripts or legitimate applications.
- Lies dormant until triggered (e.g., an employee’s account removal, a specific date).
- Executes destructive actions like deleting data or disabling systems.
Indicators of a logic bomb:
- Unexpected data deletion or shutdowns after a specific event.
- Suspicious code snippets in system scripts.
- Unusual changes in scheduled tasks or automation scripts.
Goal:
To cause intentional damage when certain conditions are met, often as sabotage or revenge.
9. Rootkit
Definition:
A rootkit is malware designed to hide its presence and give attackers administrative (root) control over a system.
It’s one of the hardest types of malware to detect.
How it works:
- Installs deep within the operating system (kernel or firmware level).
- Hides malicious files, processes, or registry entries.
- May disable antivirus software or system logs to remain undetected.
Indicators of a rootkit:
- Disabled security tools or updates.
- System processes running without visible source.
- Unexpected reboots or OS crashes.
Goal:
To maintain long-term, hidden control of a compromised system.
⚙️ Summary Table for Quick Revision
| Malware Type | Spreads Automatically? | Requires User Action? | Primary Goal | Common Indicator |
|---|---|---|---|---|
| Ransomware | No | Yes | Encrypt files and demand payment | Files encrypted, ransom note displayed |
| Trojan | No | Yes | Create backdoor / steal data | Fake software installs, system slowdown |
| Worm | Yes | No | Spread rapidly via network | Network slowdown, increased traffic |
| Spyware | No | Yes | Monitor user activity | Unexpected data transmissions |
| Bloatware | No | Yes | Generate ad revenue | System slowdown, pop-ups |
| Virus | No | Yes | Damage or corrupt data | Crashes, file corruption |
| Keylogger | No | Yes | Record user input | Delayed typing, unknown processes |
| Logic Bomb | No | No (trigger-based) | Damage when triggered | Events causing system damage |
| Rootkit | No | Yes | Hide presence & gain admin access | Security tools disabled, hidden processes |
🛡️ How to Protect Against Malware
- Use updated antivirus and antimalware tools.
- Regularly patch and update systems and applications.
- Avoid downloading unverified software.
- Use strong email filtering to block phishing attempts.
- Perform regular system and network monitoring.
- Backup data frequently (especially protection against ransomware).
- Use least privilege access and monitor admin rights.
✅ Exam Tip
In the Security+ exam, expect questions that:
- Ask you to identify malware based on its behavior (e.g., “Which malware encrypts files and demands payment?” → Ransomware).
- Compare malware types (e.g., Trojan vs. Worm).
- Test your understanding of indicators of compromise (IOCs) for each malware type.
Focus on how the malware spreads, what triggers it, and what its goal is — these are key exam clues.
