3.4.1. Malware Attacks
First Principle: Malware is software designed to cause harm. Each type has distinctive behaviors that serve as indicators. Recognizing these behaviors, not just knowing the definitions, is what the exam tests.
Ransomware encrypts files and demands payment for decryption keys. Indicators: mass file encryption events, ransom notes appearing on desktops, file extensions changed to unfamiliar types, unusually high disk I/O activity, connections to known C2 infrastructure.
Trojan disguises itself as legitimate software. Unlike viruses, Trojans don't self-replicate; they rely on the user to install them. Indicators: unexpected outbound connections, new processes running after installing "legitimate" software, behavioral changes in the system.
Worm self-replicates across networks without user interaction. Indicators: sudden network bandwidth spikes, multiple systems showing identical infections, rapid propagation across subnets.
Spyware covertly monitors user activity and exfiltrates data. Indicators: unexpected data transmissions, browser setting changes, new toolbars or extensions, degraded system performance.
Bloatware is pre-installed software that consumes resources. While not always malicious, it increases the attack surface and can contain vulnerabilities.
Virus is malware that attaches to legitimate programs and requires user action to spread. Unlike worms, viruses need a host file.
Keylogger captures keystrokes to steal credentials and sensitive data. Indicators: unexpected processes with keyboard hooks, data exfiltration to unknown destinations.
Logic bomb is malicious code that triggers on a specific condition (date, event, user action). It is difficult to detect before activation because the code lies dormant.
Rootkit hides deep in the OS (kernel-level) to maintain persistent access while evading detection. Indicators: discrepancies between low-level disk analysis and OS-reported files, unexplained system behavior that antivirus can't identify.
⚠️ Exam Trap: Worms self-replicate without user interaction. Viruses require a host file and user action. Trojans disguise themselves as legitimate software. If the scenario says "spread across the network without any user clicking anything," that's a worm, not a virus or Trojan.
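To make the "recognize the behavior, not the definition" point concrete, here is an added example (not from the original study guide) that turns two of the indicators above into detection heuristics over constructed endpoint telemetry: a host renaming many files to unfamiliar extensions is flagged as ransomware-like, and a binary that appears on many distinct hosts is flagged as worm-like. The event format, the thresholds and the known-extension list are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (not from the original page). Each event
# belongs to one host; "file_rename" carries the new extension, "process_start"
# carries a hash of the binary that was started.
EVENTS = [
    {"host": "ws01", "type": "file_rename", "ext": ".docx"},
    {"host": "ws01", "type": "file_rename", "ext": ".lck9"},
    {"host": "ws01", "type": "file_rename", "ext": ".lck9"},
    {"host": "ws01", "type": "file_rename", "ext": ".lck9"},
    {"host": "ws01", "type": "file_rename", "ext": ".lck9"},
    {"host": "ws01", "type": "file_rename", "ext": ".lck9"},
    {"host": "ws02", "type": "file_rename", "ext": ".pdf"},
    {"host": "ws02", "type": "process_start", "hash": "aaaa1111"},
    {"host": "ws03", "type": "process_start", "hash": "aaaa1111"},
    {"host": "ws04", "type": "process_start", "hash": "aaaa1111"},
    {"host": "ws05", "type": "process_start", "hash": "bbbb2222"},
]

# Assumed baseline of extensions normally seen on these hosts.
KNOWN_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg"}


def find_ransomware_hosts(events, threshold=5):
    """Ransomware indicator: one host renaming many files to unfamiliar
    extensions (mass-encryption behavior). Returns {host: count}."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "file_rename" and e["ext"].lower() not in KNOWN_EXTS:
            counts[e["host"]] += 1
    return {h: n for h, n in counts.items() if n >= threshold}


def find_worm_hashes(events, threshold=3):
    """Worm indicator: the same binary showing up on many distinct hosts
    (identical infections spreading). Returns {hash: sorted host list}."""
    hosts_by_hash = defaultdict(set)
    for e in events:
        if e["type"] == "process_start":
            hosts_by_hash[e["hash"]].add(e["host"])
    return {h: sorted(hs) for h, hs in hosts_by_hash.items() if len(hs) >= threshold}


if __name__ == "__main__":
    print("ransomware-like hosts:", find_ransomware_hosts(EVENTS))
    print("worm-like binaries:", find_worm_hashes(EVENTS))
```

Note that ws02 renames a file too, but to a familiar extension, so it is not flagged; the distinction is the behavior pattern, not the single event.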
