Malware Behaviors and Indicators
Key Takeaways
- Malware questions usually test behavior, impact, indicators, and the best containment or mitigation.
- Ransomware encrypts or steals data for extortion; worms self-propagate; Trojans hide malicious functions inside apparently useful software.
- Fileless malware abuses trusted tools such as scripting engines and memory-resident execution to reduce disk artifacts.
- Rootkits and bootkits focus on stealth and persistence, while spyware and keyloggers focus on collection.
- Good indicators include process behavior, network beacons, persistence changes, file modifications, and authentication anomalies.
Malware Behaviors and Indicators
Malware is tested by behavior more than by vocabulary. Read the scenario for what the code does: encrypts files, steals credentials, hides itself, spreads without help, opens remote control, or abuses a trusted process.
| Malware type | Primary behavior | Common indicators | First mitigation focus |
|---|---|---|---|
| Virus | Attaches to files and needs execution | Modified files, unexpected hash changes | Remove infected files, restore clean copies |
| Worm | Self-propagates across systems | Rapid scanning, repeated connection attempts | Segment, block propagation path, patch flaw |
| Trojan | Pretends to be legitimate software | Unknown app, unexpected outbound sessions | Remove app, reimage if trust is lost |
| Ransomware | Encrypts and may exfiltrate data | File renames, ransom note, mass write activity | Isolate host, disable compromised account, preserve evidence |
| Spyware | Secretly collects user or system data | Browser changes, unusual data uploads | Remove software, review privacy and endpoint controls |
| Keylogger | Captures keystrokes or form data | Credential theft, suspicious input hooks | Reset exposed credentials from a clean device |
| Rootkit | Hides processes, files, or privileges | Security tool blind spots, kernel anomalies | Rebuild from trusted media when integrity is uncertain |
| Backdoor/RAT | Provides unauthorized remote access | Beaconing, new listener, remote shell activity | Block C2, isolate host, rotate credentials |
| Logic bomb | Triggers on a condition | Timed or event-based destructive action | Code review, change control, remove trigger |
| Cryptominer | Uses resources for mining | High CPU/GPU, pool connections | Remove process, close initial access vector |
Behavior Patterns
| Behavior | What it suggests |
|---|---|
| Mass file encryption | Ransomware or destructive malware |
| Credential access from memory or browsers | Infostealer, Trojan, post-exploitation tool |
| Scheduled task or run key creation | Persistence |
| PowerShell or shell downloads encoded content | Fileless malware or staged payload |
| DNS queries to odd domains at fixed intervals | Command-and-control beaconing |
| Lateral movement with admin shares | Compromised privileged credentials |
Worked Scenario
A workstation logs these events:
| Time | Evidence |
|---|---|
| 09:12 | User opens invoice_viewer.exe from email attachment |
| 09:13 | powershell.exe starts with encoded command line |
| 09:14 | Dozens of documents renamed with a new extension |
| 09:15 | File server logs show the same user modifying shared files |
The behavior points to ransomware delivered by a Trojan-like attachment, followed by script execution and file share impact. The best immediate action is containment: isolate the endpoint, disable or reset the compromised account, and stop access to affected shares. Recovery from backups comes after containment and eradication.
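The detection logic implied by the Behavior Patterns table and the worked scenario, as an added example that is not part of the original page: three checks run over constructed endpoint telemetry modelled on the 09:12 to 09:15 timeline (encoded PowerShell launched by an untrusted parent, many extension-changing renames inside one short window, and fixed-interval connections to a single host). The event field names, the parent-process allowlist and the thresholds are assumptions, not a real EDR schema.

```python
import statistics
from collections import defaultdict

# Constructed telemetry modelled on the worked scenario (not real logs).
# "t" is seconds from an arbitrary start; 203.0.113.7 is a documentation address.
EVENTS = (
    [{"t": 0, "kind": "process", "image": "invoice_viewer.exe", "parent": "outlook.exe", "cmd": ""},
     {"t": 60, "kind": "process", "image": "powershell.exe", "parent": "invoice_viewer.exe",
      "cmd": "powershell.exe -nop -w hidden -enc <constructed-base64>"}]
    + [{"t": 120 + i, "kind": "file", "op": "rename",
        "src": f"doc{i}.docx", "dst": f"doc{i}.docx.locked"} for i in range(40)]
    + [{"t": 30 + 60 * i, "kind": "net", "dst": "203.0.113.7:443", "bytes": 212} for i in range(8)]
)

# Assumed allowlist: launchers from which encoded PowerShell is expected in this environment.
TRUSTED_SCRIPT_PARENTS = {"explorer.exe", "services.exe", "ccmexec.exe"}


def encoded_script_from_suspicious_parent(events):
    """Encoded PowerShell whose parent is not an expected launcher: fileless or staged payload."""
    hits = []
    for e in events:
        if e["kind"] != "process" or e["image"].lower() != "powershell.exe":
            continue
        if "-enc" in e["cmd"].lower() and e["parent"].lower() not in TRUSTED_SCRIPT_PARENTS:
            hits.append((e["t"], e["parent"]))
    return hits


def mass_extension_change(events, window=60, threshold=20):
    """True if more than `threshold` renames that change the extension land in one window."""
    buckets = defaultdict(int)
    for e in events:
        if e["kind"] == "file" and e["op"] == "rename":
            if e["src"].rsplit(".", 1)[-1] != e["dst"].rsplit(".", 1)[-1]:
                buckets[e["t"] // window] += 1
    return max(buckets.values(), default=0) > threshold


def beacon_candidates(events, min_count=5, max_jitter=2.0):
    """Destinations contacted at near-fixed intervals: candidate command-and-control beacons."""
    by_dst = defaultdict(list)
    for e in events:
        if e["kind"] == "net":
            by_dst[e["dst"]].append(e["t"])
    out = {}
    for dst, ts in by_dst.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_count and statistics.pstdev(gaps) <= max_jitter:
            out[dst] = round(statistics.mean(gaps))  # dst -> interval in seconds
    return out
```

Each check returns the evidence rather than a verdict, so an analyst can line the hits up against the timeline before deciding on containment.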
Common Traps
| Trap | Better exam reasoning |
|---|---|
| "Run antivirus only" while malware is spreading | Contain first if active spread is confirmed |
| "Restore backups" before the infection path is closed | Recovery can be reinfected if root cause remains |
| "Delete logs" to save disk space | Preserve evidence and timeline data |
| "Assume rootkit can be cleaned safely" | Rebuild from trusted media if system integrity cannot be trusted |
Quick Drill
For each clue, name the likely behavior:
- Hundreds of connection attempts to TCP 445 across subnets: worm-like propagation or lateral movement.
- Browser sessions are normal, but credentials are used from a new country minutes later: credential theft or keylogging.
- A server sends small encrypted packets to one external host every 60 seconds: beaconing to command and control.
- Security tools cannot see a process that network logs prove is communicating: possible rootkit or tampering.
A workstation suddenly renames thousands of files and writes a note demanding payment. What malware behavior is most likely?
An analyst confirms a host is actively encrypting shared folders. What should be done first?
Which indicators most strongly suggest command-and-control activity? Select two.