Malware Types and Behavior
"Malware" is a category, not a thing — viruses, worms, trojans, ransomware, rootkits, botnets, and info-stealers each behave differently and need different defenses. What matters for a defender is less the label than the behavior: how it spreads, what it wants, and what it does on a host.
This topic organizes the malware landscape by behavior so you can reason about defense rather than memorize a taxonomy, and sets up the analysis topics that follow. The common thread across nearly all of it is the command-and-control channel — which is also the defender's best detection point.
Classifying by Propagation
How malware spreads dictates the containment strategy. A virus attaches to a file and needs that host to run; a worm self-propagates across the network with no user action, which is why worms spread explosively; a trojan masquerades as legitimate software the user installs. Network segmentation counters worms, user training counters trojans, and knowing which you face tells you which control leads.
Classifying by Objective
The objective tells you what to protect. Ransomware encrypts for payment (its own topic in this chapter); info-stealers take credentials and tokens (the credential harvesting of Chapter 5); banking trojans, cryptominers that steal compute, and wipers that simply destroy each target something different. Defending by objective means protecting the data and resource each one is actually after.
Delivery and the Loader Pattern
Modern malware is modular: a small loader gains execution and then pulls the real payload from command-and-control. This is why "the file looked harmless" is common — the first-stage loader often is harmless-looking, and the malicious payload arrives later, defeating any first-look file inspection. It is also why behavioral detection beats file signatures for this class.
Botnets and Command-and-Control
Compromised hosts are controlled at scale as a botnet — for DDoS, spam, or resale as access. The command-and-control channel is both the malware's lifeline and the defender's best detection point: egress monitoring (Chapters 4 and 10) that spots the beacon to an unusual destination catches malware that file scanning misses, because nearly all modern malware needs to phone home.
Virus — attaches to a file or program and spreads when that host runs; needs user action.
Worm — self-propagates across the network automatically, with no user needed — hence explosive spread.
Trojan — disguised as wanted software, relying on the user to install it. The distinction is how it spreads, which drives whether segmentation, training, or app control is the primary counter.
- Fixating on malware family names instead of behavior, so defenses do not map to what the malware actually does.
- Assuming a harmless-looking file is safe, when modular loaders fetch the real payload later and defeat first-look inspection.
- Ignoring egress and command-and-control monitoring, the channel nearly all modern malware depends on and the best place to catch it.
- Treating malware as only a file problem when fileless and living-off-the-land techniques leave no file to scan.
- Defending every malware type the same way instead of by its propagation and objective.
- Defend by behavior and objective, not family label: protect the data each objective targets and monitor the propagation path.
- Monitor egress and command-and-control patterns (Chapters 4 and 10), since the control channel is common to nearly all malware.
- Use behavioral EDR (Chapter 7) to catch loaders and fileless techniques that signatures miss.
- Layer application control and allow-listing so unknown executables cannot run in the first place.
- Segment the network to slow worms and train users against trojans, matching the control to the propagation.
Knowledge Check
Why does a worm spread so much faster than a virus?
- It self-propagates with no user action; a virus is run
- Worms are always much smaller files on disk than viruses
- Viruses are simply unable to spread across a network at all
- Worms disguise themselves as ordinary legitimate software
Why is the command-and-control channel the defender's best detection point for malware?
- Nearly all malware phones home, so egress catches it
- C2 traffic is always unencrypted and therefore easy to read
- Malware only ever communicates during normal business hours
- The C2 channel is the only part carrying a real file signature
Why is a modular loader such an effective delivery technique?
- A harmless-looking loader fetches the real payload later
- Loaders are completely immune to every form of detection
- A loader immediately encrypts the machine's entire hard drive
- Loaders can only ever run on servers, never on laptops
You got correct