HackCert
Advanced 11 min read May 25, 2026

Malware Basics: Understanding Different Types of Malware and How They Operate

A comprehensive guide to Malware Basics. Learn to differentiate between viruses, worms, trojans, ransomware, and rootkits in the complex cyberspace landscape.

Rokibul Islam
Security Researcher
Overview

In the broad lexicon of cybersecurity, the term "malware" is perhaps the most ubiquitous and frequently misunderstood word. To the general public, and even to many junior IT professionals, the word "virus" is used as a universal, catch-all term to describe absolutely any form of malicious software or computer infection. However, in the highly specialized realm of advanced threat intelligence and Incident Response, this lack of precision is dangerous.

Malware—a portmanteau of "malicious software"—is actually a broad umbrella category encompassing a vast, highly diverse ecosystem of digital pathogens. Just as a medical doctor must distinguish between a bacterial infection, a viral pathogen, and a fungal spore to prescribe the correct treatment, a cybersecurity professional must accurately identify the specific classification of malware attacking their network. Each distinct family of malware possesses entirely unique propagation mechanisms, execution triggers, and operational objectives.

Understanding the precise differences between a worm that actively hunts across a network, a trojan that relies entirely on human deception, and a rootkit that subverts the operating system kernel is fundamental to designing effective defensive architectures and orchestrating successful incident response procedures. In this advanced guide, we will systematically dissect the foundational categories of malware, exploring their underlying operational mechanics, their evolutionary history, and the severe threats they pose in modern cyberspace.

The Infection Vectors: How Malware Spreads

Before examining the specific payloads (what the malware actually does once it infects a system), it is critical to categorize malware by its propagation mechanism—how it moves from an attacker's infrastructure to a victim's endpoint, and how it subsequently spreads across an internal corporate network.

1. Viruses: The Parasitic Paradigm

Historically, the computer virus was the most prevalent form of malware, though its dominance has waned significantly in the modern era. The defining, absolute characteristic of a true computer virus is that it is fundamentally parasitic.

A virus cannot exist as a standalone executable file. It requires a "host" file to survive and replicate. When an attacker creates a virus, they program it to aggressively inject its malicious code directly into the body of legitimate, executable files (like standard Windows .exe files, Microsoft Word macros, or boot sectors) existing on the victim's hard drive.

The Mechanics of Execution: When an unsuspecting user double-clicks the infected, legitimate application (for example, Microsoft Excel), the operating system unwittingly executes the malicious viral code first. The virus rapidly scans the local hard drive for new, uninfected host files, injects copies of itself into them, and only then passes execution back to the legitimate Excel application so the user remains unaware. Because viruses rely entirely on human interaction (sharing infected files via USB drives or email attachments) to spread, their propagation speed is relatively slow compared to modern threats.
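Because a parasitic virus must rewrite the host file it infects, the classic defence is file integrity monitoring: hash every executable-type file while the system is known clean, store the hashes somewhere the malware cannot reach, and periodically compare. The following is an added example (not code from the article or from HackCert) of that baseline-and-compare loop in Python; the suffix list, the file names and the "infection" it simulates are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# Suffixes treated as "host" files a parasitic virus could infect (constructed list).
HOST_SUFFIXES = (".exe", ".dll", ".docm")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes: Iterable[str] = HOST_SUFFIXES) -> Dict[str, str]:
    """Map each host-type file (path relative to root) to its SHA-256."""
    wanted = tuple(s.lower() for s in suffixes)
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in wanted
    }


def compare_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose hash changed, files that vanished, and files that appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a throwaway directory, then simulate a virus appending itself to a host."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-in for a host binary; "MZ" is just the DOS header magic.
        (root / "excel.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "notes.txt").write_bytes(b"plain data, not a host file")
        baseline = build_baseline(root)

        # The parasitic step the text describes: code is written into the host file.
        with open(root / "excel.exe", "ab") as f:
            f.write(b"<constructed marker standing in for injected code>")
        # A newly dropped executable shows up as "new" rather than "modified".
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x90" * 8)

        return compare_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: if the hash list lives on the same writable disk, the virus can rewrite it alongside the hosts, so real deployments keep it read-only or off-host and sign it.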

2. Worms: The Autonomous Hunters

If a virus is a parasite requiring human interaction to spread, a computer worm is an apex predator. The defining characteristic of a worm is autonomous self-replication and independent network propagation.

A worm is a fully standalone, independent program; it does not need to attach itself to a host file, and it absolutely does not require a user to click a link or open an attachment to spread.

The Mechanics of Execution: Once a worm successfully breaches a single machine on a corporate network, it immediately begins aggressively scanning the internal subnet. It hunts for other computers that possess a specific, unpatched software vulnerability (such as a flaw in the Windows SMB protocol). When it finds a vulnerable machine, the worm autonomously fires an exploit over the network, copies its own binary file to the new machine, and executes it. This process repeats exponentially. Because worms operate at machine speed without human intervention, they can completely saturate and compromise a massive, global enterprise network within a matter of minutes (as famously demonstrated by the Conficker worm and the WannaCry ransomware outbreak).
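The scanning phase described above is also the worm's most detectable behaviour: a single host that opens connections to many distinct internal hosts on the same service port within seconds looks nothing like normal user traffic. As an added example (not the article's code), the Python below applies that fan-out heuristic to synthetic flow-log lines; the log format, the addresses and the thresholds are all constructed for the demonstration and would be tuned to a real network's baseline.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, str, int]  # (timestamp, src_ip, dst_ip, dst_port)


def parse_line(line: str) -> Event:
    """Parse a constructed flow-log line: '<iso-time> <src> -> <dst_ip>:<dst_port> SYN'."""
    ts, src, _arrow, dst, _flag = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def detect_fan_out(log_text: str, port: int = 445, window_s: int = 60,
                   threshold: int = 8) -> Dict[str, int]:
    """Return {src_ip: peak distinct targets} for every source that reached at least
    `threshold` distinct hosts on `port` inside some `window_s`-second window."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, dst_port = parse_line(line)
        if dst_port == port:
            per_src[src].append((ts, dst_ip))

    alerts: Dict[str, int] = {}
    for src, conns in per_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            # Distinct destinations reached within window_s seconds of connection i.
            targets = {d for t, d in conns[i:] if (t - t0).total_seconds() <= window_s}
            if len(targets) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


def constructed_log() -> str:
    """Synthetic flow records (no real network): one scanning host, one admin, web noise."""
    lines = []
    # Scanning host: 12 distinct internal hosts on 445 inside 24 seconds.
    for i in range(12):
        lines.append(f"2026-05-25T10:00:{i * 2:02d} 10.0.1.15 -> 10.0.1.{20 + i}:445 SYN")
    # Admin workstation: three SMB sessions spread over ten minutes.
    for i, minute in enumerate((1, 5, 9)):
        lines.append(f"2026-05-25T10:{minute:02d}:00 10.0.1.5 -> 10.0.1.{40 + i}:445 SYN")
    # HTTPS from the scanning host must not count toward the SMB fan-out.
    lines.append("2026-05-25T10:00:03 10.0.1.15 -> 203.0.113.10:443 SYN")
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect_fan_out(constructed_log()))   # {'10.0.1.15': 12}
```

An alert from this rule is the trigger for the response the article recommends later: isolate the source host at the switch or firewall before the next round of replication, then patch the service it was probing.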

3. Trojans: The Art of Deception

The Trojan Horse—named after the ancient Greek mythological tactic—is currently the most prevalent and successful delivery mechanism in modern cyberspace. Unlike worms, Trojans possess absolutely no automated self-replication capabilities. Their entire operational success relies exclusively on Social Engineering and human deception.

A Trojan is malicious software deliberately disguised as legitimate, highly desirable, or benign software. Attackers masquerade their payloads as cracked video games, free PDF converters, urgent invoice documents, or critical software updates.

The Mechanics of Execution: The attacker distributes the Trojan via targeted spear-phishing emails or compromised software download sites. The victim, believing the file is legitimate, willfully downloads and executes it. Once the user double-clicks the file, the Trojan often installs the promised software (to maintain the illusion) while simultaneously, silently installing a malicious backdoor, a keylogger, or a ransomware payload in the background. Trojans completely bypass network firewalls and perimeter defenses because the user explicitly invites the threat inside.

The Payloads: What Malware Actually Does

Once the malware has successfully utilized a virus, worm, or trojan mechanism to bypass defenses and execute on the endpoint, its classification is further defined by its specific payload—its ultimate, malicious objective.

1. Ransomware: Digital Extortion

Ransomware has evolved into the most devastating, financially crippling cyber threat facing global organizations today. Once executed, ransomware is designed to completely deny the victim access to their own data or computing infrastructure until a massive financial ransom (invariably demanded in cryptocurrency) is paid.

The Mechanics of Execution: Modern "Crypto-Ransomware" uses strong, correctly implemented cryptography that cannot be broken in practice (typically a combination of AES for file encryption and RSA for protecting the AES keys). It silently traverses the victim's hard drives and mapped network shares, rapidly encrypting all valuable documents, databases, and configuration files. It then leaves a ransom note demanding payment in exchange for the decryption key. Advanced "Double Extortion" ransomware variants go a step further: before encrypting the data, they silently exfiltrate terabytes of highly sensitive corporate data to the attacker's servers, threatening to leak it publicly if the ransom is not met, creating massive regulatory and reputational pressure.
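One consequence of the strong encryption described above is that encrypted output is statistically indistinguishable from random bytes, and that is something a defender can measure. The Python below is an added example (not code from the article) of the Shannon-entropy check endpoint and backup tools use to spot files that have just been encrypted; the file names and contents are constructed, and the 7.2 bits/byte threshold is an assumption to be tuned per environment.

```python
import math
import random
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.2, sample: int = 65536) -> bool:
    """Heuristic: ciphertext from a sound cipher sits close to 8 bits/byte, while
    documents, source code and configs sit far lower. Only the first `sample`
    bytes are examined so the check stays cheap on large files."""
    return shannon_entropy(data[:sample]) >= threshold


def flag_encrypted_files(files: Dict[str, bytes]) -> List[str]:
    """Names of files whose content looks encrypted, for correlation with other signals."""
    return sorted(name for name, data in files.items() if looks_encrypted(data))


def demo() -> List[str]:
    """Constructed corpus: a plaintext document, the same name after 'encryption', a config."""
    prose = b"Quarterly figures are attached; please review before the board meeting. " * 60
    rng = random.Random(2026)   # deterministic stand-in for ciphertext, not a real cipher
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    files = {
        "report.docx": prose,
        "report.docx.locked": ciphertext,
        "config.ini": b"[db]\nhost=localhost\nport=5432\n",
    }
    return flag_encrypted_files(files)


if __name__ == "__main__":
    print(demo())   # ['report.docx.locked']
```

Entropy alone produces false positives on already-compressed formats (archives, JPEG, PDF streams), so in practice it is one of several signals: a burst of high-entropy writes across many files in seconds, renamed extensions, and a modified canary file together are what justify killing the process and cutting the host off from network shares.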

2. Spyware and Keyloggers

As the name implies, Spyware is specifically engineered for stealthy, long-term espionage and data theft. It is frequently deployed by nation-state Advanced Persistent Threats (APTs) seeking intellectual property, or cybercriminals seeking financial credentials.

The Mechanics of Execution: Spyware operates invisibly in the background. It may activate the computer's webcam and microphone, silently steal saved passwords from web browsers, or monitor network traffic. A specific, highly dangerous sub-variant is the Keylogger. A keylogger meticulously records every single physical keystroke the user types on their keyboard—capturing complex passwords, credit card numbers, and confidential emails as they are being typed—and periodically transmits this massive log file back to the attacker's Command and Control (C2) server.

3. Rootkits: The Invisible Subversion

A rootkit is arguably the most technically sophisticated and difficult-to-detect form of malware in existence. Its primary objective is not necessarily to cause immediate damage, but to provide the attacker with deep, permanent, and entirely invisible access to the compromised system.

The Mechanics of Execution: Standard malware operates in "User Mode" (Ring 3 of the CPU architecture), where it is visible to standard Antivirus software and the Windows Task Manager. A rootkit, however, uses administrative privileges or a kernel vulnerability to install itself in "Kernel Mode" (Ring 0)—the core of the operating system that controls all hardware and software. Once installed in the kernel, the rootkit subverts the operating system itself. If an Antivirus program asks the operating system to list all running processes, the rootkit intercepts the request and removes its own process from the list before the answer reaches the Antivirus. It lies to the security software, making its files, network connections, and registry keys effectively invisible to any detection mechanism that trusts the operating system's answers. Removing a well-designed kernel rootkit often requires completely wiping the disk and reinstalling the operating system from scratch.
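The weakness in the hiding technique just described is that the rootkit has to filter every path that reveals the process, and most hooks cover only the obvious one. Cross-view detection compares two independent answers to "which processes exist?" and reports the difference. The Python below is an added example (not code from the article) of that approach on Linux: one view is the directory listing of /proc, the other probes every PID with signal 0. The PIDs in `demo()` are constructed; the live run at the bottom only executes when /proc is present.

```python
import os
from typing import Set


def pids_via_readdir() -> Set[int]:
    """View 1: the /proc directory listing, the path a process-hiding hook usually filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def is_thread_group_leader(pid: int) -> bool:
    """Linux answers kill(tid, 0) for individual threads too, so keep only real
    processes (Tgid == pid). If /proc/<pid>/status cannot be read, keep the PID:
    a hidden process must not be silently dropped."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True
    return True


def pids_via_probe(max_pid: int = 65536) -> Set[int]:
    """View 2: ask the kernel about every PID directly. Signal 0 sends nothing;
    it only reports whether the target exists."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # no such process
        except PermissionError:
            pass              # exists, but belongs to another user
        if is_thread_group_leader(pid):
            found.add(pid)
    return found


def hidden_pids(listed: Set[int], probed: Set[int]) -> Set[int]:
    """PIDs the kernel admits exist but that never appear in the directory listing."""
    return probed - listed


def demo() -> Set[int]:
    """Constructed views (not a live system): PID 4242 answers the probe but is
    missing from the listing, the signature of a process-hiding hook."""
    listed = {1, 2, 100, 4240}
    probed = {1, 2, 100, 4240, 4242}
    return hidden_pids(listed, probed)


if __name__ == "__main__":
    print(demo())   # {4242}
    if os.path.isdir("/proc"):
        # Live run (Linux only). Listing before and after the probe reduces, but
        # does not eliminate, false positives from processes that start or exit mid-scan.
        before = pids_via_readdir()
        probed = pids_via_probe()
        after = pids_via_readdir()
        print(hidden_pids(before | after, probed))
```

A rootkit that hooks both views consistently will pass this check, which is why the article's conclusion stands: a cross-view hit is strong evidence, but a clean result from inside a suspect kernel proves nothing, and confirmation comes from imaging the disk and examining it from a trusted system.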

4. Botnets and DDoS Agents

A single, compromised computer is often referred to as a "Zombie." When an attacker successfully infects tens of thousands (or even millions) of these zombies across the globe with a specific type of trojan, they link them together to form a massive, distributed network known as a Botnet.

The Mechanics of Execution: The infected computers quietly listen for commands issued by the "Botmaster" from a centralized C2 server. While the individual zombie computers may not suffer localized damage, the Botmaster can command the entire massive swarm to simultaneously flood a specific target website or corporate network with overwhelming amounts of garbage network traffic. This coordinated assault, known as a Distributed Denial of Service (DDoS) attack, completely exhausts the target's bandwidth and server resources, knocking critical internet infrastructure offline.
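From the target's side, the flood described above has a measurable shape: the request rate jumps well above baseline and, unlike one misbehaving client, the requests arrive from many distinct sources at once. The Python below is an added example (not the article's code) that applies both conditions per second to a synthetic access log; the log format, addresses and thresholds are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Alert = Tuple[datetime, int, int]   # (second, requests in that second, distinct sources)


def parse_line(line: str) -> Tuple[datetime, str]:
    """Parse a constructed access-log line: '<iso-time> <client_ip> <method> <path>'."""
    ts, client, _method, _path = line.split()
    return datetime.fromisoformat(ts), client


def detect_flood(lines: List[str], rps_threshold: int = 50,
                 min_sources: int = 20) -> List[Alert]:
    """Flag each second whose request count AND distinct-source count exceed their
    thresholds. High rate from many sources is the DDoS shape; high rate from one
    source is a single abusive client that a per-IP rate limit handles instead."""
    requests: Counter = Counter()
    sources: Dict[datetime, Set[str]] = defaultdict(set)
    for line in lines:
        ts, client = parse_line(line)
        second = ts.replace(microsecond=0)
        requests[second] += 1
        sources[second].add(client)
    return [
        (sec, requests[sec], len(sources[sec]))
        for sec in sorted(requests)
        if requests[sec] >= rps_threshold and len(sources[sec]) >= min_sources
    ]


def constructed_log() -> List[str]:
    """Synthetic access log: 60 s of normal traffic, then a 10 s flood from 100 sources."""
    start = datetime(2026, 5, 25, 12, 0, 0)
    lines: List[str] = []
    for s in range(60):                        # normal: 5 requests/s from 5 clients
        for c in range(5):
            t = start + timedelta(seconds=s, milliseconds=c * 100)
            lines.append(f"{t.isoformat()} 10.0.2.{c + 1} GET /index.html")
    for s in range(60, 70):                    # flood: 200 requests/s from 100 sources
        for r in range(200):
            t = start + timedelta(seconds=s, milliseconds=r * 5)
            lines.append(f"{t.isoformat()} 198.51.100.{r % 100 + 1} GET /login")
    return lines


if __name__ == "__main__":
    for sec, rps, n_src in detect_flood(constructed_log()):
        print(f"{sec.time()} {rps} req/s from {n_src} sources")
```

A legitimate flash crowd produces the same two signals, so the thresholds should be derived from the site's own traffic history rather than fixed, and the alert's job is to trigger upstream mitigation (scrubbing, anycast or CDN absorption) early, since once the flood saturates the link there is nothing left for the server to filter.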

Key Takeaways

The cyber threat landscape is not a monolith; it is a highly complex, continuously evolving ecosystem characterized by diverse, highly specialized digital pathogens. The generic term "malware" fails to capture the profound operational differences between a noisy, exponentially replicating worm that crashes a network in minutes, and a silent, surgically precise rootkit that quietly steals intellectual property from a kernel space for years undetected.

For advanced cybersecurity professionals, mastering the taxonomy of malware is not merely an exercise in vocabulary. Understanding these fundamental operational basics dictates the entire defensive strategy. If a network is infected with a trojan, the primary response must involve intense employee security awareness training and robust endpoint application control. However, if the network is infected with a self-propagating worm, the immediate response must involve aggressive, network-level segmentation, zero-trust architecture, and emergency vulnerability patching to sever its lateral movement capabilities. By deeply understanding how the enemy operates in cyberspace, defenders can design intelligent, resilient architectures capable of surviving the inevitable attack.

Ready to test your advanced knowledge of cyber threats? Take the Malware Basics MCQ Quiz on HackCert today!
