Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.1. Malware Attacks

💡 First Principle: Malware is software designed to cause harm. Each type has distinctive behaviors that serve as indicators. Recognizing these behaviors — not just knowing the definitions — is what the exam tests.

Ransomware encrypts files and demands payment for decryption keys. Indicators: mass file encryption events, ransom notes appearing on desktops, file extensions changed to unfamiliar types, unusually high disk I/O activity, connections to known C2 infrastructure.
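As an added illustration (not part of the original notes), a small detector that applies two of the ransomware indicators above, a burst of renames to unfamiliar extensions and a ransom note appearing on a desktop, to constructed file-audit events; the host names, paths, extension list and thresholds are assumed sample values:

```python
from collections import defaultdict

# Constructed sample file-audit events: (epoch seconds, host, action, path).
# ws-07 renames 25 documents to a ".lkd" extension in 25 s, then drops a note.
SAMPLE_EVENTS = [
    (1000 + i, "ws-07", "rename", f"C:/Users/a/Docs/report{i}.docx.lkd") for i in range(25)
] + [
    (1030, "ws-07", "create", "C:/Users/a/Desktop/HOW_TO_RECOVER.txt"),
    (1001, "ws-12", "rename", "C:/Users/b/old.docx.bak"),   # benign backup rename
    (1500, "ws-12", "rename", "C:/Users/b/draft.docx"),     # benign rename
]

# Extensions this (hypothetical) environment considers familiar.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "bak", "jpg", "png"}
# Words commonly seen in ransom-note file names (assumed list).
NOTE_KEYWORDS = ("recover", "decrypt", "readme", "ransom")


def unfamiliar_extension(path):
    """True when the file's final extension is not in the known set."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return ext not in KNOWN_EXTENSIONS


def ransomware_indicators(events, window=60, rename_threshold=20):
    """Return {host: [indicator names]} for hosts matching ransomware behaviour."""
    by_host = defaultdict(list)
    for ts, host, action, path in sorted(events):
        by_host[host].append((ts, action, path))
    findings = {}
    for host, evs in by_host.items():
        hits = []
        # Indicator 1: >= rename_threshold renames to unfamiliar extensions
        # inside any sliding window of `window` seconds (events are sorted).
        renames = [ts for ts, act, p in evs if act == "rename" and unfamiliar_extension(p)]
        for i, start in enumerate(renames):
            if sum(1 for t in renames[i:] if t - start <= window) >= rename_threshold:
                hits.append("mass rename to unfamiliar extension")
                break
        # Indicator 2: a newly created file on a Desktop whose name looks like a note.
        if any(act == "create" and "desktop" in p.lower()
               and any(k in p.lower() for k in NOTE_KEYWORDS) for _, act, p in evs):
            hits.append("ransom note on desktop")
        if hits:
            findings[host] = hits
    return findings
```

Only ws-07 trips both indicators; ws-12's two scattered renames to familiar extensions stay below the burst threshold, which is the difference between a backup job and an encryption run.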

Trojan disguises itself as legitimate software. Unlike viruses, Trojans don't self-replicate — they rely on the user to install them. Indicators: unexpected outbound connections, new processes running after installing "legitimate" software, behavioral changes in the system.

Worm self-replicates across networks without user interaction. Indicators: sudden network bandwidth spikes, multiple systems showing identical infections, rapid propagation across subnets.

Spyware covertly monitors user activity and exfiltrates data. Indicators: unexpected data transmissions, browser setting changes, new toolbars or extensions, degraded system performance.

Bloatware — pre-installed software that consumes resources. While not always malicious, it increases attack surface and can contain vulnerabilities.

Virus — malware that attaches to legitimate programs and requires user action to spread. Unlike worms, viruses need a host file.

Keylogger captures keystrokes to steal credentials and sensitive data. Indicators: unexpected processes with keyboard hooks, data exfiltration to unknown destinations.

Logic bomb — malicious code that triggers on a specific condition (date, event, user action). Difficult to detect before activation because the code lies dormant.

Rootkit — hides deep in the OS (kernel-level) to maintain persistent access while evading detection. Indicators: discrepancies between low-level disk analysis and OS-reported files, unexplained system behavior that antivirus can't identify.

⚠️ Exam Trap: Worms self-replicate without user interaction. Viruses require a host file and user action. Trojans disguise as legitimate software. If the scenario says "spread across the network without any user clicking anything," that's a worm — not a virus or Trojan.

Written by Alvin Varughese, Founder, 15 professional certifications