Vocabulary flashcards covering key malware concepts, detection tools, attack types, Indicators of Compromise, and common defenses from Chapter 3 lecture notes.
Sandbox
An isolated, controlled environment used to execute and observe suspicious code safely for analysis.
Manual analysis (strings)
Technique of reading a binary’s printable character sequences to uncover hard-coded URLs, commands, or clues to its behavior without running the file.
VirusTotal
Online service that scans files and URLs with dozens of antivirus engines to see if a sample is already known as malware.
Rootkit
Stealthy malicious toolkit that grants attackers persistent, privileged access while hiding its presence on the system.
Master Boot Record (MBR) infection
Attack that embeds malicious code in a disk’s boot sector so it runs before the operating system loads.
Integrity checking
Security technique that compares current system files or responses with trusted baselines to spot unauthorized changes such as rootkits.
File hash
Cryptographic checksum (e.g., SHA-256) used as an Indicator of Compromise to uniquely identify a specific malicious file.
Logic bomb
Malicious code hidden inside legitimate software that activates only when predefined conditions are met.
Keylogger
Hardware or software that covertly records keystrokes (and sometimes other inputs) for later retrieval by an attacker.
Self-replicating virus
Malware that copies itself into other files or areas of the same computer but does not automatically spread across networks.
Memory-resident virus
Virus that stays active in RAM after execution, enabling it to infect additional files as they are opened or executed.
Non-memory-resident virus
Virus that runs, infects its targets, then terminates, leaving no component active in memory.
Boot sector virus
Virus that installs itself in a disk’s boot sector and executes during system start-up.
Macro virus
Virus written in a macro language (e.g., VBA) that embeds in documents and runs when the document is opened.
Email virus
Malware that propagates via email attachments, exploiting client vulnerabilities to run on recipients’ machines.
Fileless virus
Malware that resides only in memory—often delivered through scripts or browser exploits—leaving little or no trace on disk.
Bloatware
Unwanted software pre-installed on a device; not usually malicious but can consume resources and enlarge the attack surface.
Spyware
Malware that secretly gathers information about a user’s activities, system, or environment and transmits it to an attacker.
Worm
Stand-alone malicious program that self-replicates and autonomously spreads across networks without user action.
Trojan
Malicious code disguised as legitimate software that performs harmful actions once executed by the user.
Remote Access Trojan (RAT)
Trojan variant that offers attackers interactive, remote control of the victim system over a network.
Command and Control (C2) server
Remote infrastructure used by attackers to send instructions to, and receive data from, compromised machines.
Botnet
Collection of compromised computers remotely controlled as a group, often via C2 channels.
Ransomware
Malware that encrypts or otherwise blocks access to a victim’s data and demands payment for restoration.
Indicator of Compromise (IoC)
Forensic artifact—such as a file hash, domain, IP address, or specific behavior—that signals potential malware activity.
Privilege management
Defensive practice of restricting user and process permissions to the minimum necessary to limit malware impact.
Patching
Applying software updates that fix vulnerabilities, preventing malware from exploiting them.
Two-factor authentication (2FA)
Security mechanism requiring two independent credentials, mitigating damage if passwords are captured by keyloggers or other malware.
Anti-malware software
Programs that detect, block, and remove malicious code through signatures, heuristics, and behavioral analysis.
Firewall
Network security device or software that monitors and controls traffic based on rules, helping block worm propagation and C2 connections.