Malware
Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems, encompassing a broad category of threats including viruses, worms, trojans, ransomware, spyware, adware, and rootkits. Malware can be delivered through phishing emails, malicious downloads, drive-by downloads, USB drives, or supply chain attacks. Defense strategies include endpoint protection (antivirus/EDR), application whitelisting, user awareness training, and keeping software patched. Malware analysis (static and dynamic) is a specialized skill used in incident response and threat intelligence. Malware types and defenses are fundamental topics in Security+, CEH, and CySA+ certifications.
Why It Matters
In practice, malware is critical to understand because it remains the primary tool attackers use to achieve their objectives, from data theft and espionage to financial fraud and infrastructure destruction. Organizations that fail to implement layered malware defenses face ransomware shutdowns, data exfiltration, and persistent backdoors that survive remediation attempts. Fileless malware that operates entirely in memory and living-off-the-land techniques using legitimate system tools now evade traditional signature-based antivirus solutions, requiring behavioral detection and EDR capabilities. The malware economy has industrialized through malware-as-a-service platforms on dark web marketplaces. On certification exams such as Security+, CEH, and CySA+, expect questions about classifying malware types by behavior, analyzing malware indicators of compromise, comparing static versus dynamic analysis techniques, and selecting appropriate prevention and detection controls for different malware categories.
Practice this topic
Test your knowledge of Malware concepts with exam-style practice questions.
Related Threats & Attacks terms
Ransomware
A type of malware that encrypts a victim's files or locks system access and demands a ransom payment (typically in cryptocurrency) for the decryption key. Modern ransomware attacks often involve double extortion — encrypting data and threatening to leak it publicly. Ransomware-as-a-Service (RaaS) has lowered the barrier for attackers, with groups like LockBit, BlackCat, and Cl0p operating affiliate programs. Prevention includes offline backups, network segmentation, email filtering, endpoint detection, and patch management. Ransomware incident response is a critical topic in CISSP, CySA+, and incident response certifications.
Phishing
A social engineering attack that uses fraudulent emails, text messages (smishing), or phone calls (vishing) to trick users into revealing sensitive information like credentials, financial data, or installing malware. Phishing is the most common initial attack vector, responsible for over 80% of reported security incidents. Variants include spear phishing (targeted), whaling (targeting executives), and business email compromise (BEC). Defenses include email authentication (SPF, DKIM, DMARC), security awareness training, URL filtering, and multi-factor authentication. Phishing recognition is tested in Security+, CEH, and every major cybersecurity certification.
SQL Injection
A code injection technique that exploits vulnerabilities in a web application's database layer by inserting malicious SQL statements into input fields or URL parameters. Successful attacks can extract, modify, or delete database contents, bypass authentication, or execute operating system commands. Types include in-band (UNION-based, error-based), blind (boolean-based, time-based), and out-of-band SQL injection. Prevention requires parameterized queries (prepared statements), input validation, stored procedures, and web application firewalls (WAFs). SQL injection is consistently ranked in the OWASP Top 10 and is heavily tested in CEH, OSCP, and web security certifications.
Cross-Site Scripting (XSS)
A web security vulnerability that allows attackers to inject malicious client-side scripts (usually JavaScript) into web pages viewed by other users, potentially stealing session cookies, credentials, or performing actions on behalf of victims. Three main types exist: Stored XSS (persisted in the database), Reflected XSS (included in the server response from user input), and DOM-based XSS (executed entirely in the browser). Prevention includes output encoding, Content Security Policy (CSP) headers, input validation, and using modern frameworks with built-in XSS protection. XSS is a persistent OWASP Top 10 vulnerability and a core topic in CEH, OSCP, and web application security exams.
DDoS (Distributed Denial of Service)
An attack that overwhelms a target system, service, or network with a flood of traffic from multiple distributed sources (often a botnet), making it unavailable to legitimate users. DDoS attacks operate at different layers: volumetric (bandwidth flooding), protocol (SYN floods, Ping of Death), and application layer (HTTP floods, Slowloris). Mitigation strategies include CDN-based protection (Cloudflare, AWS Shield), rate limiting, traffic scrubbing centers, and anycast routing. DDoS attacks can cause significant financial damage through downtime and are a common threat assessed in Security+, CEH, and CISSP certifications.
Man-in-the-Middle (MITM)
An attack where the attacker secretly intercepts and potentially alters communications between two parties who believe they are communicating directly with each other. Common techniques include ARP spoofing, DNS spoofing, SSL stripping, and rogue Wi-Fi access points. The attacker can eavesdrop on sensitive data, modify transactions, or inject malicious content. Defenses include HTTPS/TLS with certificate pinning, HSTS headers, VPNs, and mutual authentication. MITM attacks are demonstrated extensively in CEH and OSCP practical labs and tested in Security+ and CISSP exams.