Malware Types & Threat Mitigation
Key Takeaways
- Ransomware encrypts user files and demands payment for the decryption key. The best defense is offline or immutable backups that are regularly tested by actually restoring from them, combined with never paying the ransom.
- Trojans disguise themselves as legitimate software to trick users into installing them; worms self-replicate across networks without user interaction; viruses require a host file and user action to spread.
- Rootkits are extremely dangerous because they embed themselves at the OS kernel or firmware level and hook the very APIs that antimalware tools rely on, so they hide from standard scanners. A kernel rootkit may require a full OS reinstall to remove; a firmware (UEFI) rootkit survives even that and needs the firmware reflashed or the hardware replaced.
- Phishing uses fake emails/websites that impersonate trusted entities to steal credentials; spear phishing targets specific individuals; whaling targets executives.
- Anti-malware best practices include keeping definitions updated, running real-time protection, performing regular scans, using multiple layers of defense, and educating users about social engineering.
Last updated: March 2026
Malware Types
| Malware Type | How It Works | Spread Method |
|---|---|---|
| Virus | Attaches to a host file; executes when the file is opened | User action (opening infected file) |
| Worm | Self-replicating; spreads across networks independently | Network exploitation (no user action needed) |
| Trojan | Disguised as legitimate software | User downloads and installs it |
| Ransomware | Encrypts files; demands payment for decryption key | Email attachments, malicious websites, exploits |
| Spyware | Secretly monitors user activity and steals information | Bundled with software, malicious websites |
| Adware | Displays unwanted advertisements | Software bundles, browser extensions |
| Rootkit | Hides deep in the OS/firmware to avoid detection | Exploits, bundled with other malware |
| Keylogger | Records all keystrokes (passwords, messages) | Trojans, physical devices, spyware |
| Botnet/Zombie | Infected computer controlled remotely by attacker | Worms, trojans |
| Cryptominer | Uses device resources to mine cryptocurrency secretly | Websites, malware, browser scripts |
| Logic Bomb | Malicious code triggered by a specific event or date | Insider threat, hidden in legitimate code |
| Fileless Malware | Runs only in memory and persists (if at all) in the registry, WMI or scheduled tasks rather than as a file on disk, so file-based scanning misses it | PowerShell and other script interpreters, exploits, Office macros |
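Because fileless malware leaves nothing for a file scanner to find, the evidence is in the interpreter's own logs. The following is an added example, not part of the original page: a hunt over the PowerShell script block log (Event ID 4104) for the download cradles, encoded commands and logging-tamper strings that fileless loaders typically use. The indicator patterns, the seven-day window and the 5000-event cap are assumptions chosen for illustration.

```powershell
# Added example (not from the original page): hunting the PowerShell script
# block log for the patterns fileless malware leaves behind. Needs Script Block
# Logging enabled (Event ID 4104 in Microsoft-Windows-PowerShell/Operational):
#   Computer Configuration > Administrative Templates > Windows Components >
#   Windows PowerShell > Turn on PowerShell Script Block Logging
# or the registry value EnableScriptBlockLogging = 1 (DWORD) under
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
# Without the policy, Windows only logs blocks it already deems suspicious.

# Indicator patterns are illustrative, not exhaustive (assumption).
$indicators = [ordered]@{
    'download cradle'     = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|\bcurl\b'
    'in-memory execution' = '\bIEX\b|Invoke-Expression'
    'encoded payload'     = 'FromBase64String|-[eE][nNcCoOdDmMaA]*\s+[A-Za-z0-9+/=]{24,}'   # -e/-ec/-enc/-EncodedCommand
    'AMSI/logging tamper' = 'AmsiUtils|amsiInitFailed|EnableScriptBlockLogging'
    'reflective loading'  = '\[System\.Reflection\.Assembly\]::Load|VirtualAlloc|Marshal\]::Copy'
    'hidden window'       = '-[wW](indowStyle)?\s+[hH]idden'
}

function Find-SuspiciousScriptBlocks {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 event data: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
            # [3] ScriptBlockId, [4] Path (empty when typed interactively or run from memory).
            $text = [string]$_.Properties[2].Value
            $path = [string]$_.Properties[4].Value

            # This hunt contains every indicator string itself and is logged like
            # any other script block, so skip its own entries.
            if ($text -match 'Find-SuspiciousScriptBlocks') { return }

            $hits = foreach ($kv in $indicators.GetEnumerator()) {
                if ($text -match $kv.Value) { $kv.Key }
            }
            if ($hits) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Indicators = ($hits -join ', ')
                    Path       = if ($path) { $path } else { '<no file: typed or in-memory>' }
                    Snippet    = $flat.Substring(0, [math]::Min(120, $flat.Length))
                }
            }
        }
}

Find-SuspiciousScriptBlocks | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

An empty Path column is itself a finding: legitimate administration scripts normally run from a file, while a loader launched by a macro or exploit runs from a command line or from memory. Expect false positives from management tooling that uses Invoke-WebRequest or hidden windows; the point is to triage a short list, not to block.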
Social Engineering Attacks
| Attack | Description |
|---|---|
| Phishing | Fake emails impersonating trusted entities (banks, IT dept) to steal credentials |
| Spear Phishing | Targeted phishing directed at a specific individual or organization |
| Whaling | Phishing targeting high-level executives (CEO, CFO) |
| Vishing | Voice phishing — fraudulent phone calls |
| Smishing | SMS/text phishing |
| Shoulder Surfing | Watching someone enter passwords or sensitive information |
| Tailgating | Following authorized personnel into a secured area |
| Dumpster Diving | Searching trash for sensitive documents or information |
| Evil Twin | Fake Wi-Fi access point mimicking a legitimate network |
| Pretexting | Creating a fabricated scenario to manipulate the victim |
| Baiting | Leaving malware-infected USB drives for victims to find and plug in |
| Watering Hole | Compromising a website frequently visited by the target group |
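Phishing, spear phishing and evil-twin style impersonation all rely on a link that looks like the trusted brand but resolves somewhere else. As an added example that is not part of the original page, the script below applies the checks an analyst or mail filter runs on every link in a suspect message: plain HTTP, raw IP hosts, punycode (homograph) labels, the brand name buried as a subdomain of another registrable domain, and visible link text that disagrees with the href. The HTML body, the domains in it and the brand name examplebank.com are all constructed for the example.

```powershell
# Added example (not from the original page): link heuristics for a suspected
# phishing message. The message body and every domain in it are constructed;
# 'examplebank.com' stands in for whatever brand is being impersonated.
$trustedDomain = 'examplebank.com'

$body = @'
<p>Dear customer, your account has been locked.</p>
<a href="https://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a>
<a href="https://xn--examplebnk-5ua.com/secure">Verify now</a>
<a href="http://198.51.100.23/ebank">examplebank.com</a>
<a href="https://www.examplebank.com/help">Help center</a>
'@

function Get-RegistrableDomain {
    param([string]$HostName)
    # Simplification: the last two labels. Production filters consult the
    # Public Suffix List, because 'example.co.uk' has three.
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-PhishingLink {
    param([string]$Href, [string]$Text, [string]$Trusted)
    $reasons = @()
    $uri = $null
    if (-not [System.Uri]::TryCreate($Href, [System.UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Href = $Href; Text = $Text; Suspicious = $true; Reasons = @('unparseable URL') }
    }
    $hostName = $uri.Host
    $isIp = $uri.HostNameType.ToString() -in @('IPv4', 'IPv6')
    $hrefDomain = if ($isIp) { $hostName } else { Get-RegistrableDomain $hostName }

    # 1. Credential page served over plain HTTP.
    if ($uri.Scheme -eq 'http') { $reasons += 'plain HTTP' }
    # 2. Raw IP address where a brand hostname would be expected.
    if ($isIp) { $reasons += 'IP literal instead of hostname' }
    # 3. Punycode label: an internationalised name, often a homograph of the brand.
    if ($hostName -match '(^|\.)xn--') { $reasons += 'punycode label (possible homograph)' }
    # 4. Brand appears in the hostname but the registrable domain belongs to someone else.
    if (-not $isIp -and $hostName -like "*$Trusted*" -and $hrefDomain -ne $Trusted) {
        $reasons += "brand '$Trusted' embedded under '$hrefDomain'"
    }
    # 5. Visible text looks like a URL or domain but the href goes elsewhere.
    $shown = $Text.Trim()
    $textUri = $null
    $textHost = $null
    if ([System.Uri]::TryCreate($shown, [System.UriKind]::Absolute, [ref]$textUri)) { $textHost = $textUri.Host }
    elseif ($shown -match '^[a-z0-9.-]+\.[a-z]{2,}$') { $textHost = $shown }
    if ($textHost -and (Get-RegistrableDomain $textHost) -ne $hrefDomain) {
        $reasons += "text shows '$textHost' but href goes to '$hostName'"
    }

    [pscustomobject]@{ Href = $Href; Text = $shown; Suspicious = ($reasons.Count -gt 0); Reasons = $reasons }
}

function Get-SuspiciousLinks {
    param([string]$Html, [string]$Trusted)
    $pattern = '<a\s+[^>]*href="(?<href>[^"]+)"[^>]*>(?<text>.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase, Singleline')) {
        Test-PhishingLink -Href $m.Groups['href'].Value -Text $m.Groups['text'].Value -Trusted $Trusted
    }
}

Get-SuspiciousLinks -Html $body -Trusted $trustedDomain |
    Format-Table Href, Suspicious, @{ Name = 'Reasons'; Expression = { $_.Reasons -join '; ' } } -AutoSize -Wrap
```

On the constructed message the first three links are flagged and only the genuine help-center link passes. The brand-as-subdomain check is the one users fail most often: examplebank.com.account-verify.example is controlled by whoever registered account-verify.example, not by the bank.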
Malware Detection and Removal
Detection Tools
| Tool | Purpose |
|---|---|
| Antivirus/Antimalware | Real-time protection and on-demand scanning |
| Microsoft Defender Antivirus (formerly Windows Defender) | Built into Windows 10/11 and on by default; scriptable through the Defender PowerShell module (Get-MpComputerStatus, Start-MpScan, Get-MpThreat) |
| Task Manager | Identify suspicious processes consuming resources |
| Autoruns (Sysinternals) | View ALL auto-start locations (Run keys, services, drivers, scheduled tasks, WMI subscriptions, browser helper objects), far beyond what msconfig shows |
| Process Explorer | Advanced process viewer with VirusTotal integration |
| Netstat | netstat -ano lists connections and listening ports with the owning PID, which you then look up in Task Manager or Process Explorer |
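Task Manager, netstat and Autoruns answer three questions by hand: what is running, where its binary lives, and what it is talking to. As an added example that is not from the original page, the script below joins those views: every established or listening TCP connection with the owning process, its path and its Authenticode status, plus the Run/RunOnce keys, the WMI startup list and enabled scheduled tasks, flagging anything launched from a user-writable directory. The list of suspect directories is an assumption to adjust for your environment; it runs elevated in PowerShell 5.1 or 7 on Windows 8/Server 2012 or later.

```powershell
# Added example (not from the original page): a live-host triage that joins
# what Task Manager, netstat -ano and Autoruns each show. Run elevated.
# The "suspect roots" list is an assumption; adjust it for your environment.

$suspectRoots = @(
    "$env:LOCALAPPDATA\Temp",
    "$env:APPDATA",
    "$env:USERPROFILE\Downloads",
    "$env:PUBLIC",
    "$env:ProgramData",
    "$env:windir\Temp"
)

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    foreach ($root in $suspectRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-CommandExecutable {
    # "C:\Program Files\x.exe" /arg -> C:\Program Files\x.exe ; %TEMP%\a.exe -> expanded path
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+', 2)[0] }
    return [System.Environment]::ExpandEnvironmentVariables($exe)
}

# 1. Network connections joined to their owning process (netstat -ano + Task Manager).
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$connections = Get-NetTCPConnection -State Established, Listen | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    $path = if ($p) { $p.Path } else { $null }          # null for protected/system processes
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'Unknown' }
    [pscustomobject]@{
        PID       = $_.OwningProcess
        Process   = if ($p) { $p.ProcessName } else { '?' }
        Path      = $path
        Signature = $sig
        Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
        State     = $_.State
        Flag      = (Test-SuspectPath $path) -or ($sig -notin 'Valid', 'Unknown')
    }
}

# 2. Auto-start entries (a subset of the locations Autoruns enumerates).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

$autostarts = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata properties; skip those.
    foreach ($prop in $props.PSObject.Properties | Where-Object Name -notlike 'PS*') {
        [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
    }
})
$autostarts += @(Get-CimInstance Win32_StartupCommand | ForEach-Object {
    [pscustomobject]@{ Source = $_.Location; Name = $_.Name; Command = $_.Command }
})
$autostarts += @(Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) {
            [pscustomobject]@{ Source = "Task:$($_.TaskPath)"; Name = $_.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
        }
    }
})

$autostarts = $autostarts | ForEach-Object {
    $_ | Add-Member -NotePropertyName Flag -NotePropertyValue (Test-SuspectPath (Get-CommandExecutable $_.Command)) -PassThru
}

'== Connections owned by unsigned binaries or binaries in user-writable locations =='
$connections | Where-Object Flag | Sort-Object PID, Remote -Unique | Format-Table PID, Process, Path, Signature, Remote, State -AutoSize
'== Auto-start entries launching from user-writable locations =='
$autostarts | Where-Object Flag | Format-Table Source, Name, Command -AutoSize -Wrap
```

Read the output with two caveats. A Valid signature is not a clean bill of health: rundll32, mshta, regsvr32 and certutil are Microsoft-signed and routinely abused to run someone else's code, so look at their command lines. Conversely, plenty of legitimate software is unsigned or installs into AppData, so a flag is a lead for Process Explorer and VirusTotal, not a verdict.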
Malware Removal Process
- Investigate and verify — Identify symptoms of infection (slow performance, pop-ups, unknown processes, strange network activity)
- Quarantine the infected system — Disconnect from the network to prevent spread
- Disable System Restore — Restore points are protected copies that antimalware cannot clean, so a later restore could reinstate the infection; turning System Restore off also deletes the existing points
- Boot to Safe Mode or use a bootable rescue disk
- Run a full antimalware scan with updated definitions
- Remove or quarantine detected threats
- Run a second scan with a different antimalware tool for verification
- Schedule a follow-up scan to ensure the threat is fully eliminated
- Re-enable System Restore and create a new restore point
- Educate the user on how the infection occurred to prevent recurrence
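The list above is a procedure, and on a Windows 10/11 host most of it can be driven from an elevated Windows PowerShell 5.1 prompt. The session below is an added example, not part of the original page: it walks the steps in the order listed using the real NetAdapter, Defender and System Restore cmdlets. The drive letter, the restore-point description and the definitions share path are assumptions, and the investigation, second-opinion scan and user education steps remain manual.

```powershell
# Added example (not from the original page): the removal steps above as a
# Windows PowerShell 5.1 session run as Administrator on a Windows 10/11 host
# protected by Microsoft Defender Antivirus. Disable/Enable-ComputerRestore and
# Checkpoint-Computer exist only in Windows PowerShell, not PowerShell 7.
# Drive letter, restore-point description and share path are assumptions.

$systemDrive = "$env:SystemDrive\"          # usually C:\

# Quarantine: record the active adapters, then take them all down.
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$adapters | Disable-NetAdapter -Confirm:$false

# Disable System Restore. This deletes the existing restore points, which
# antimalware cannot clean and which could otherwise reinstate the infection.
Disable-ComputerRestore -Drive $systemDrive

# Update definitions. The host is now offline, so either point Defender at a
# definitions share copied in via removable media ...
#   Set-MpPreference -SignatureDefinitionUpdateFileSharesSources '\\cleanhost\defs'   # assumed path
#   Update-MpSignature -UpdateSource FileShares
# ... or briefly bring one adapter up on an isolated segment and run:
Update-MpSignature

# Full on-demand scan. Start-MpWDOScan instead reboots into Microsoft Defender
# Offline, the scripted equivalent of "boot to a rescue disk".
Start-MpScan -ScanType FullScan

# What was detected and whether Defender's action succeeded. Any threat still
# marked IsActive means removal did not complete.
Get-MpThreatDetection | Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive

# Second-opinion scan with a different vendor's tool: run it here, by hand.

# Schedule a follow-up full scan every day at 02:00.
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00

# Re-enable System Restore and record a clean baseline. Since Windows 8 only one
# checkpoint per 24 h is created unless the DWORD SystemRestorePointCreationFrequency
# under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is 0.
Enable-ComputerRestore -Drive $systemDrive
Checkpoint-Computer -Description 'Post-malware-removal baseline' -RestorePointType MODIFY_SETTINGS

# Reconnect the same adapters only after the scans come back clean.
$adapters | Enable-NetAdapter -Confirm:$false
```

Re-enabling only the adapters that were up at the start avoids silently switching on an interface someone had disabled on purpose. If the scans keep finding the same threat after a reboot, stop iterating and treat it as the rootkit case below.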
Special Case: Rootkit Removal
- Standard antimalware often misses rootkits because the rootkit hooks the file, process and registry APIs that the scanner itself calls
- Use specialized rootkit scanners (GMER, Kaspersky TDSSKiller, Malwarebytes Anti-Rootkit)
- Scan from external media (a rescue disk or Microsoft Defender Offline) so the rootkit is not running while the disk is examined
- In severe cases, a full OS reinstall is the only reliable fix for a kernel-level rootkit; a firmware (UEFI) rootkit survives a reinstall and requires reflashing the firmware or replacing the hardware
Special Case: Ransomware
- DO NOT pay the ransom — payment does not guarantee file recovery and funds criminal operations
- Disconnect from the network immediately (pull the cable, disable Wi-Fi) to stop encryption of network shares and spread to other hosts; prefer isolating over powering off, since memory may hold evidence and sometimes the encryption key, but power down if isolation is not possible
- Report to law enforcement (FBI IC3 in the US)
- Restore from clean, verified backups, and only onto hosts that have been rebuilt or scanned clean
- Keep the ransom note and a few encrypted files; nomoreransom.org uses them to identify the strain and offers free decryption tools for families whose keys have been recovered
- Implement stronger email filtering, user training, and backup procedures
Browser Security
| Threat | Description | Prevention |
|---|---|---|
| Malicious browser extensions | Extensions that spy, inject ads, or steal data; a formerly benign extension can turn malicious after it is sold or updated | Only install from official stores, review permissions, remove extensions you no longer use |
| Pop-up redirects | Redirects to malicious sites | Enable pop-up blocker, keep browser updated |
| Drive-by downloads | Automatic download from visiting a website | Keep browser/plugins updated, use content blockers |
| Certificate warnings | Invalid, expired, or untrusted TLS certificates | Do NOT proceed. The site may be fake, or the connection may be intercepted (for example by an evil twin access point) |
| Browser hijacking | Homepage, search engine, or new tab changed without consent | Run antimalware, reset browser settings |
Test Your Knowledge
Review questions; each answer is in the sections above.
- A user receives an email that appears to be from their bank, asking them to click a link and verify their account information. What type of attack is this?
- Which type of malware self-replicates across networks WITHOUT requiring user interaction?
- What is the FIRST step when you suspect a computer is infected with ransomware?
- Matching: match each of these social engineering attacks to its description: Spear Phishing, Vishing, Tailgating, Evil Twin.