Malware MCQs: 60 Practice Questions

Malware MCQ practice questions are essential for preparing for competitive exams, certifications, and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering every malware type and analysis concept from standard viruses, worms, and trojans through ransomware, spyware, rootkits, botnets, and fileless malware, all the way to advanced reverse engineering, evasion, and threat hunting techniques.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering virus vs. worm vs. trojan, ransomware mechanics, spyware, adware, keyloggers, backdoors, and basic delivery vectors), Concepts (covering rootkits, botnets, C2 infrastructure, polymorphic signatures, fileless malware execution, static vs. dynamic analysis, obfuscation, and Windows persistence), and Advanced (covering nation-state APT campaigns, DGAs, process hollowing, reflective DLL injection, YARA rules, Stuxnet SCADA sabotage, anti-debugging evasion, and COM/AppInit DLL hijacking). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CompTIA Security+, CEH, and CISSP exam conditions.
Contents
- 1. Basics (20 Questions): Virus vs. worm vs. trojan · ransomware mechanics · spyware · adware · keyloggers
- 2. Concepts (20 Questions): Rootkits · botnets · C2 infrastructure · polymorphic malware · fileless malware · IOCs
- 3. Advanced (20 Questions): APT campaigns · DGA · process hollowing · reflective DLL · YARA · Stuxnet
- 4. Conclusion: summary · next steps · study tips
- 5. Key Takeaways: quick-fire bullet recap of essential facts
- 6. Quick Review Summary: concept · definition · key fact table
- 7. FAQ: common questions answered
Malware: Basics
1. What is the broad definition of malware?
Correct answer: D. Malicious software intentionally designed to disrupt, damage, or gain unauthorized access to a computer system
"Malware" is short for malicious software: any software intentionally designed to disrupt, damage, or gain unauthorized access to a computer system. This broad category includes viruses, worms, ransomware, spyware, adware, rootkits, botnets, and more.
2. How does a computer virus fundamentally differ from a worm?
Correct answer: C. A virus requires a host file and user interaction to execute, whereas a worm can self-replicate and spread across networks independently
A virus must attach itself to a legitimate host file and requires a user to execute that file to activate. A worm, by contrast, is self-contained and autonomously self-replicates, spreading to other systems over networks without requiring any user interaction.
3. What is the primary characteristic of a Trojan Horse?
Correct answer: B. It disguises itself as legitimate or desirable software to trick the user into executing it
A Trojan Horse masquerades as legitimate, useful, or desirable software (a game, utility, or update) to trick the user into voluntarily installing and executing it. Unlike viruses and worms, it does not self-replicate; it relies entirely on social engineering.
4. What is the specific function of Ransomware?
Correct answer: C. To encrypt the victim's files or lock the system, demanding financial payment for the decryption key
Ransomware encrypts the victim's files (or locks the entire OS), rendering data inaccessible. The attacker then demands a ransom payment, increasingly in cryptocurrency, in exchange for the decryption key. Modern ransomware operations also threaten to leak stolen data (double extortion).
5. What is the function of a Keylogger?
Correct answer: D. It covertly records every keystroke made by the user to steal credentials and sensitive data
A keylogger (keystroke logger) covertly records every key pressed on a keyboard, capturing passwords, credit card numbers, messages, and other sensitive data. The recorded data is typically exfiltrated to the attacker's C2 server for credential theft and financial fraud.
6. Which statement best describes "Spyware"?
Correct answer: A. Software that secretly monitors and gathers information about a user's computer activities and transmits it to a third party
Spyware silently monitors a user's computer activity (browsing habits, keystrokes, screenshots, and microphone/camera input) without their knowledge, then transmits this intelligence to a remote third party for purposes ranging from targeted advertising to corporate espionage.
7. What defines an "Adware" infection?
Correct answer: C. The aggressive and unauthorized display of unwanted advertising, often tracking user browsing habits to serve targeted ads
Adware aggressively displays unsolicited and unwanted advertisements (pop-ups, banners, and redirects), often by tracking browsing habits to serve targeted ads. While sometimes bundled legally with free software, it crosses into malware territory when installed without clear consent.
8. In malware terminology, what is a "Payload"?
Correct answer: A. The core component of the malicious software that executes the intended harmful action, such as data deletion or exfiltration
The payload is the core functional component of malware that performs the attacker's intended goal: deleting files, encrypting data, stealing credentials, opening a backdoor, or exfiltrating data. The rest of the malware (delivery mechanism, persistence) exists purely to deliver this payload.
9. What is a "Botnet"?
Correct answer: A. A network of compromised computers controlled remotely by a central attacker to perform coordinated tasks
A botnet (robot network) is a collection of internet-connected devices (bots/zombies) compromised and controlled by a threat actor via a C2 server. Botnets are used for DDoS attacks, spam campaigns, credential stuffing, and cryptomining at massive scale.
10. What is the primary function of "Scareware"?
Correct answer: B. It uses social engineering to shock or frighten the user into purchasing fake security software to fix a fabricated problem
Scareware uses alarming pop-ups or alerts, typically fake virus warnings claiming the system is critically infected, to frighten the user into purchasing bogus security software (rogue AV) that either does nothing or installs actual malware.
11. How does a "Logic Bomb" operate?
Correct answer: D. It remains dormant in a system until a specific condition, event, or scheduled time triggers its malicious payload
A logic bomb lies dormant within a system until a pre-defined trigger condition is met: a specific date/time, a user action (such as a disgruntled employee being terminated), or a particular system state. Only then does it execute its malicious payload, making proactive detection extremely difficult.
12. What is the main characteristic of a "Rootkit"?
Correct answer: B. It is designed to hide its presence and the presence of other malware deep within the operating system, often operating at the kernel level
A rootkit is engineered for stealth. Its primary purpose is to hide its own presence, and that of other malware, from the operating system, security tools, and the user. Advanced rootkits operate at the kernel level (Ring 0), giving them control over what the OS reports to user-space scanners.
13. What is the purpose of an Antivirus "Signature"?
Correct answer: C. A unique hash or byte pattern used by security software to identify known malicious files during a system scan
An antivirus signature is a unique string of bytes, hash, or binary pattern that corresponds to a known piece of malware. When a scanner finds this exact pattern in a file, it identifies the file as malicious. Signature-based detection is effective against known threats but fails against novel or polymorphic malware.
14. What is a "Backdoor"?
Correct answer: A. A hidden method of bypassing normal authentication or encryption to secure persistent remote access to a compromised system
A backdoor is a covert bypass of standard authentication that provides an attacker with persistent, privileged access to a compromised system. Backdoors are installed post-exploitation to ensure continued access even if credentials change or the initial vulnerability is patched.
15. Which vector is most commonly used to deliver ransomware into corporate networks?
Correct answer: B. Spear-phishing emails containing malicious macro-enabled attachments or deceptive links
Spear-phishing emails are the most prevalent ransomware delivery vector. They typically contain macro-laden Office attachments (Word, Excel) or links directing users to exploit kit landing pages where drive-by downloads silently deploy the ransomware payload.
16. What does "Drive-by Download" mean?
Correct answer: C. The unintended and silent installation of malware simply by visiting a compromised website, without any active user clicks or approvals
A drive-by download occurs when malware is silently installed on a visitor's machine simply by loading a compromised or malicious webpage. No explicit user confirmation is needed; the exploit kit automatically targets browser or plugin vulnerabilities (Java, Flash, PDF reader) to execute the payload.
17. What is a "Macro Virus"?
Correct answer: C. Malware written in the internal scripting language of applications like Microsoft Word or Excel, executing automatically upon opening the document
Macro viruses exploit the embedded VBA/macro scripting capabilities of productivity applications like Microsoft Word and Excel. When an infected document is opened, the macros execute automatically, deploying malware. They surged with Office phishing campaigns and remain a common initial access vector.
18. What is "Wiper" malware?
Correct answer: D. A destructive payload specifically designed to permanently erase data and render the system unbootable, with no intent of recovery or financial extortion
Wiper malware is a purely destructive payload with no financial motive; its sole purpose is to permanently and irreversibly destroy data, overwrite the MBR/VBR, and render systems unbootable. NotPetya (2017) and Shamoon are notorious examples, typically deployed by nation-state actors for sabotage.
19. Why do attackers use a "Dropper" in an infection chain?
Correct answer: A. To act as an initial, lightweight delivery vehicle that quietly downloads and installs the larger, primary malware payload from the internet
A dropper is a small, lightweight executable used as the first stage in a multi-stage attack. It is designed to evade detection, establish a foothold, and then silently download or extract and execute the main, heavier malware payload (RAT, ransomware, or banking trojan).
20. What is the primary goal of "Cryptojacking"?
Correct answer: B. To silently hijack a victim's processing power and electricity to mine cryptocurrency for the attacker's financial gain
Cryptojacking secretly uses the victim's CPU/GPU processing power and electricity to mine cryptocurrency (typically Monero, due to its privacy features) for the attacker. The victim experiences degraded performance and higher power bills, often without realizing they are infected.
Malware: Concepts
1. What is "Polymorphic Malware"?
Correct answer: D. Malware that constantly changes its identifiable features (such as its hash or file signature) via encryption while keeping its core function intact to evade traditional antivirus
Polymorphic malware uses an encryption engine to constantly re-encrypt its payload with a different key on each infection cycle, changing its binary signature (hash/byte pattern) with every copy while the core functional code remains constant. This defeats signature-based AV detection effectively.
2. How does "Heuristic Analysis" differ from signature-based detection in endpoint security?
Correct answer: B. It evaluates the behavioral patterns and characteristics of code to identify previously unknown malware, rather than relying on a database of known hashes
Heuristic analysis examines the behavioral patterns and structural characteristics of code (e.g., attempts to modify registry Run keys, call unusual API sequences, or disable security tools) to identify potentially malicious intent without needing a database match, enabling detection of zero-day and novel malware.
3. What is a "C2" (Command and Control) server?
Correct answer: A. A centralized infrastructure used by threat actors to issue instructions to compromised machines and receive exfiltrated data
A C2 (Command and Control) server, also written C&C, is the remote infrastructure controlled by an attacker to direct compromised machines (bots), issue commands (download payloads, execute code, exfiltrate data), and receive stolen information. Disrupting C2 infrastructure is a key malware remediation strategy.
4. What is the purpose of a "Domain Generation Algorithm" (DGA) in malware?
Correct answer: C. To dynamically generate thousands of pseudo-random domain names for C2 communication, making it difficult for defenders to block the IP addresses
A DGA uses a pseudo-random algorithm (seeded by date, time, or other shared values) to generate hundreds or thousands of domain names daily. The malware iterates through these until it finds a live C2. Only the attacker knows which domain is active, making it nearly impossible to sink-hole all potential C2 addresses.
5. What is the primary characteristic of "Fileless Malware"?
Correct answer: A. It operates entirely in the system's volatile RAM and leverages legitimate administrative tools (like PowerShell), leaving almost no footprint on the hard drive
Fileless malware resides entirely in RAM and leverages legitimate, trusted OS tools (PowerShell, WMI, mshta.exe, regsvr32.exe) to execute malicious code without writing executable files to disk. This leaves minimal forensic artifacts and bypasses traditional file-based AV scanners.
6. In the context of malware analysis, what is "Sandboxing"?
Correct answer: C. Executing a suspicious file in a securely isolated, monitored virtual environment to observe its behavior without risking the host network
A sandbox is an isolated, closely monitored virtual environment where suspicious files are detonated and executed. The sandbox records all behavioral indicators (registry changes, network connections, dropped files, spawned processes, API calls) without risk to production infrastructure.
7. What is the function of "Obfuscation" in malware development?
Correct answer: D. Deliberately complicating the source code and execution flow to make reverse engineering and static analysis extremely difficult
Obfuscation deliberately garbles code, through string encoding, control-flow flattening, junk code insertion, and packing, to make the malware's logic extremely difficult to understand during reverse engineering and to evade static analysis by security tools searching for identifiable patterns.
8. What is "Living off the Land" (LotL) in a cyber attack?
Correct answer: B. Utilizing native, built-in operating system tools (like WMI, PsExec, or certutil) to carry out malicious activities, bypassing tools that monitor external executables
LotL attackers abuse native, pre-installed OS tools (PowerShell, WMI, certutil, mshta, regsvr32, PsExec) to carry out their attack. Because these are legitimate Microsoft-signed binaries, they are trusted by application whitelisting solutions and generate minimal alerts compared to external executables.
9. How does malware typically establish "Persistence" on a Windows machine?
Correct answer: B. By modifying the registry Run keys, creating scheduled tasks, or installing malicious services that execute automatically upon reboot
Common Windows persistence mechanisms include adding entries to registry Run/RunOnce keys (HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run), creating scheduled tasks via schtasks.exe, installing malicious services, abusing startup folders, and DLL hijacking.
10. What is a "Crypter" in malware distribution?
Correct answer: A. A software tool that encrypts, obfuscates, and manipulates a malware payload to prevent it from being detected by static security scanners
A crypter encrypts, encodes, and obfuscates a malware payload to make it undetectable by static antivirus scanners. It includes a decryption stub that unpacks the real payload in memory at runtime. Crypter-as-a-Service is a common underground market offering used widely in phishing campaigns.
11. Which specific component of the operating system do "Bootkits" infect?
Correct answer: C. The Master Boot Record (MBR) or Volume Boot Record (VBR), allowing the malware to execute before the OS even loads
Bootkits infect the MBR or VBR, the first code executed when a computer powers on, before the OS kernel loads. This gives bootkits near-complete control over the boot process, enabling them to load before any security software and persist through OS reinstalls and reformats.
12. What is "Steganography" in the context of malware delivery?
Correct answer: A. Hiding malicious code or configuration data within the pixels of a seemingly benign digital image or audio file
Steganography hides data (malicious code, C2 configurations, encryption keys) within the least-significant bits of seemingly innocent image, audio, or video files. To an observer the carrier file looks perfectly normal, allowing hidden payloads to bypass network security scanners that inspect file content.
13. What is a "Remote Access Trojan" (RAT)?
Correct answer: C. Malware that provides an attacker with comprehensive, interactive control over a victim's system, akin to a malicious remote desktop protocol
A RAT provides the attacker with comprehensive, interactive remote control over the infected machine (file system access, command execution, screenshot capture, keylogging, webcam activation, and lateral movement capabilities), functioning as a covert, malicious remote desktop.
14. How do attackers use "Process Hollowing"?
Correct answer: B. By creating a suspended instance of a legitimate process, unmapping its memory, and replacing it with a malicious executable payload
In process hollowing, the attacker spawns a legitimate process (like svchost.exe) in a suspended state, unmaps its legitimate memory image, and replaces it with a malicious payload. When resumed, the OS Task Manager shows a legitimate process name while executing the attacker's code.
IncorrectB: By creating a suspended instance of a legitimate process, unmapping its memory, and replacing it with a malicious executable payload
In process hollowing, the attacker spawns a legitimate process (like svchost.exe) in a suspended state, unmaps its legitimate memory image, and replaces it with a malicious payload. When resumed, the OS Task Manager shows a legitimate process name while executing the attacker's code.
15. What is the primary purpose of an "Indicator of Compromise" (IoC)?
CorrectD: To provide specific, observable forensic artifacts, such as IP addresses, file hashes, or URLs, that definitively signal a network intrusion
IoCs are forensic evidence (specific file hashes, malicious IP addresses, C2 domain names, registry keys, mutex names, or YARA rule matches) that definitively indicates a system has been compromised. They are shared via threat intelligence platforms (MISP, VirusTotal) to enable proactive network-wide detection.
16. What does the term "Lateral Movement" describe in a malware infection lifecycle?
CorrectA: The process by which attackers navigate through a compromised network, escalating privileges and infecting additional internal systems
After gaining an initial foothold, attackers use lateral movement techniques (Pass-the-Hash, Pass-the-Ticket, RDP pivoting, SMB exploitation) to traverse the internal network, escalate privileges, and compromise additional high-value targets such as domain controllers or data stores.
17. What is the mechanism of a "USB Drop" malware vector?
CorrectC: Relying on human curiosity to insert a malicious, physical flash drive that exploits AutoRun features or mimics human interface devices
USB drop attacks exploit human curiosity: an attacker leaves infected USB drives in public areas (parking lots, lobbies). When a curious employee plugs one in, the drive exploits Windows AutoRun features or emulates a keyboard (HID attack via Rubber Ducky) to automatically execute malicious code.
18. How does "Metamorphic Malware" differ from polymorphic malware?
CorrectD: While polymorphic malware only encrypts its payload with different keys, metamorphic malware completely rewrites its own core logic and structure every time it propagates
Polymorphic malware re-encrypts its payload with different keys (the underlying code is unchanged). Metamorphic malware goes further by completely rewriting its own instruction-level code with each propagation (substituting instructions, reordering blocks, changing registers), producing a structurally unique binary every time.
19. What is the function of a "Web Shell"?
CorrectB: A malicious script uploaded to a compromised web server that provides a persistent, remote command-line interface for the attacker via HTTP
A web shell is a malicious script (PHP, ASP, JSP) uploaded to a compromised web server that provides the attacker with a persistent, browser-accessible command-line interface. Via an HTTP request to the shell's URL, the attacker can execute OS commands, exfiltrate data, and pivot deeper into the network.
20. In advanced malware analysis, what is "Static Analysis"?
CorrectA: Examining the malware's binary structure, strings, and headers without actually executing the code
Static analysis examines a malware binary without executing it: inspecting PE headers, embedded strings, imported API calls, packer signatures, entropy values, and disassembled code (via IDA Pro or Ghidra). It provides safe, offline insight into capabilities before any live detonation is attempted.
Malware – Advanced
1. What is "Reflective DLL Injection"?
CorrectC: Loading a dynamic-link library directly into the memory of a host process from a buffer, completely bypassing the Windows loader and leaving no file on disk
Reflective DLL injection loads a DLL entirely from memory (typically from shellcode or a network buffer) into a host process, bypassing the standard Windows loader (LoadLibrary). Since no file is written to disk and the module never appears in the loader's module list, it is extremely evasive against file-based and standard injection detection.
2. Which infamous malware utilized zero-day exploits (like EternalBlue) to spread autonomously across global networks in 2017, effectively combining a worm with ransomware?
CorrectD: WannaCry
WannaCry (May 2017) used the NSA-developed EternalBlue exploit (targeting SMBv1, patched in MS17-010) to autonomously spread across networks, encrypting files on over 200,000 systems in 150 countries within hours. It caused billions in damages, crippling hospitals (NHS), telecoms, and government infrastructure.
3. In reverse engineering, what is the purpose of a "Disassembler" like IDA Pro or Ghidra?
CorrectD: To translate compiled machine code back into human-readable assembly language for analysis
A disassembler (IDA Pro, Ghidra, Binary Ninja) translates a compiled binary's raw machine code back into human-readable assembly language (x86/x64 instructions). This allows reverse engineers to analyze malware logic, identify decryption routines, find hardcoded C2 addresses, and understand full capabilities without access to source code.
4. How does malware utilize "API Hooking"?
CorrectA: By intercepting function calls between the operating system and applications to monitor, alter, or block the execution of specific system processes
API hooking intercepts calls between an application and the Windows API (e.g., NtCreateFile, ReadFile, RegSetValueEx). Malware uses inline hooks or IAT patching to monitor sensitive operations, steal credentials, or bypass EDR hooks. Rootkits also use SSDT hooks to falsify what the OS returns to user-space queries.
5. What is the primary characteristic of an "APT" (Advanced Persistent Threat) malware campaign?
CorrectB: It involves highly sophisticated, well-funded attackers who maintain long-term, covert access to a specific, high-value target network
APT campaigns, typically attributed to nation-states or sophisticated criminal groups, are characterized by long-dwell-time, highly stealthy intrusions against specific, high-value targets (government, defense, critical infrastructure). Attackers invest significant resources in custom tooling, zero-days, and patience to achieve strategic objectives.
6. What is "Fast Flux" in malware C2 infrastructure?
CorrectC: Rapidly changing the IP addresses associated with a single malicious domain name via DNS to create a resilient, moving target
Fast flux rapidly cycles the IP addresses mapped to a malicious domain (using DNS TTLs of 60–300 seconds) through thousands of compromised proxy hosts. This creates a highly resilient, moving target that is extremely difficult to block or take down, as the real C2 server remains hidden behind perpetually shifting frontline hosts.
7. How does malware use "Direct System Calls" (Syscalls) to evade detection?
CorrectB: By invoking kernel-level functions directly from user mode, completely bypassing user-mode API monitoring hooks placed by EDR solutions
EDR solutions typically hook user-mode Windows API functions in ntdll.dll to monitor system activity. By executing the syscall instruction itself with the appropriate system call number (bypassing ntdll entirely), malware communicates with the Windows kernel without passing through the monitored API wrappers, effectively blindsiding user-mode EDR hooks.
8. What was the groundbreaking capability of the "Stuxnet" worm?
CorrectC: It was specifically engineered to sabotage physical, industrial control systems (SCADA) by manipulating programmable logic controllers in uranium enrichment centrifuges
Stuxnet (discovered 2010, attributed to US/Israel) was the world's first known cyberweapon with kinetic physical effects. It specifically targeted Siemens S7-315 PLCs controlling Iranian uranium enrichment centrifuges at Natanz, reprogramming them to spin at destructive speeds while falsely reporting normal operations to operators.
9. What is "Process Doppelgänging"?
CorrectD: A technique where malware utilizes Windows Transactional NTFS (TxF) to map a malicious executable into memory, making it appear as a legitimate, unmodified file to security scanners
Process Doppelgänging abuses the Windows Transactional NTFS (TxF) API: the attacker creates a transaction, writes a malicious executable to a file within that transaction, creates a process image from the transacted (uncommitted) file, then rolls back the transaction. Security scanners see the process mapped to the original, clean file.
10. Why do advanced malware strains employ "Anti-Debugging" techniques?
CorrectB: To detect if they are being executed within an analysis environment like OllyDbg or x64dbg, triggering the malware to crash or behave benignly
Anti-debugging techniques (IsDebuggerPresent, CheckRemoteDebuggerPresent, RDTSC timing checks, NtQueryInformationProcess, heap flag checks) detect if the malware is being analyzed inside a debugger. Upon detection, the malware may crash, delete itself, or behave benignly to frustrate the analyst and hide its real capabilities.
11. What is "Code Cave Injection"?
CorrectC: Inserting malicious shellcode into unused, empty sections of memory within a legitimate compiled executable to avoid expanding the file size
A code cave is a region of zeroed or unused memory within an existing legitimate executable's sections. Malware authors inject shellcode into these caves and redirect execution flow (by patching the entry point or a call) to execute it. Since no additional file is created and the file size barely changes, it is harder to detect.
12. How does the "Emotet" malware typically function in modern threat ecosystems?
CorrectB: It operates as a highly modular, polymorphic botnet infrastructure that primarily serves as a "dropper-as-a-service" to deliver other banking trojans and ransomware
Emotet evolved from a basic banking trojan into a highly sophisticated, modular malware distribution platform. Its polymorphic dropper infrastructure (initially spread via malicious Word documents) was rented out as Malware-as-a-Service to deliver Ryuk ransomware, TrickBot, and QakBot to compromised enterprise networks.
13. What is the significance of the DllMain entry point in the context of malware?
CorrectB: It dictates the execution flow when a malicious dynamic library is loaded by an exploited process, triggering the payload
DllMain is the entry point function of a Windows DLL, called by the OS loader when the DLL is loaded into a process (with the DLL_PROCESS_ATTACH reason). Malicious DLLs use DllMain to automatically execute their payload the moment they are loaded by an exploited process, making it a critical trigger point in DLL injection and sideloading attacks.
14. What is a "Kernel-Mode Rootkit" (Ring 0)?
CorrectA: A highly privileged malware variant that alters the core operating system structures, allowing it to manipulate data returned to user mode, making it practically invisible to standard antivirus
Operating at kernel privilege (Ring 0), kernel-mode rootkits can directly manipulate OS kernel data structures via DKOM (Direct Kernel Object Manipulation), hooking SSDT (System Service Descriptor Table) entries or patching kernel functions to intercept and falsify what the OS reports to user-space security tools.
15. How do attackers use "Domain Fronting" to hide malware C2 traffic?
CorrectD: By utilizing high-reputation Content Delivery Networks (CDNs) and placing a legitimate domain in the SNI header, while routing the actual HTTP request to an attacker-controlled endpoint within the same CDN
Domain fronting exploits major CDN infrastructures (CloudFront, Fastly). The TLS SNI field contains a legitimate high-reputation CDN domain (allowing it through firewalls and DPI), while the HTTP Host header routes the actual request to the attacker's backend server hosted on the same CDN, making C2 traffic indistinguishable from normal HTTPS.
16. What is the primary function of "YARA Rules" in malware defense?
CorrectA: To create pattern-matching descriptions based on textual or binary patterns to identify and classify specific malware families across a network
YARA is an open-source pattern-matching framework for malware researchers. Rules define textual or binary conditions (hex byte sequences, string patterns, PE section names, or Boolean combinations of these) to identify and classify malware families. YARA is widely integrated into SIEMs, sandboxes (Cuckoo), EDRs, and proactive threat hunting workflows.
17. Which notorious banking trojan utilized HTML injection and web-injects to seamlessly alter online banking pages in real-time, prompting users for their MFA tokens?
CorrectB: Zeus
Zeus (ZeuS, Zbot) pioneered real-time HTML injection via browser hooking (man-in-the-browser). It transparently injected fake form fields into banking websites displayed in the victim's browser, silently capturing one-time passwords and MFA tokens as they were typed, before the transaction ever reached the bank.
18. What is "COM Hijacking" in the context of Windows persistence?
CorrectA: Modifying the registry to replace legitimate Component Object Model class references with paths to malicious DLLs, ensuring the malware executes when the software relies on that COM object
Windows resolves COM objects via registry lookups first in HKCU (user hive), then HKLM (machine hive). By registering a malicious DLL path under HKCU for a CLSID normally defined in HKLM, an attacker causes any software that instantiates that COM object to silently load the malicious DLL. No admin rights are required, which makes this a stealthy persistence mechanism.
19. How does malware abuse "AppInit_DLLs" in Windows?
CorrectD: By adding a malicious DLL path to a specific registry key, forcing the user32.dll library to inject the payload into every newly created graphical process
The HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs registry value instructs Windows to inject specified DLLs into every process that loads user32.dll (virtually every GUI application). By adding a malicious DLL path here, the malware achieves system-wide process injection and persistence with a single registry write.
20. What is "Return-Oriented Programming" (ROP) in the context of exploit payloads?
CorrectB: A technique that chains together small snippets of existing, executable machine code ("gadgets") already present in memory to bypass hardware security like DEP and NX bits
ROP bypasses hardware-enforced Data Execution Prevention (DEP/NX) by chaining together pre-existing small instruction sequences ending in a RET instruction ("gadgets") found in trusted executable memory (OS DLLs, application code). By manipulating return addresses on the stack, the attacker performs arbitrary operations without injecting new executable code.
Conclusion: Malware Defense Requires Layered Strategy
Malware is the attack vector that underlies most cybersecurity incidents, from ransomware destroying availability to rootkits enabling long-term espionage. These 60 MCQs cover the taxonomy of malware, detection techniques (signature-based antivirus, behavioral EDR, memory analysis), and hardening strategies (least privilege, application whitelisting, network isolation).
No single tool stops all malware β defense requires layered controls: network segmentation to limit lateral movement, host-based hardening to prevent execution, behavioral monitoring (EDR) to detect zero-days, and incident response playbooks to minimize dwell time.
Master malware concepts by reviewing missed questions, analyzing real malware samples in a safe sandbox environment (Cuckoo/Any.run), and staying current with threat intelligence on emerging malware families.
Key Takeaways – Malware
- Virus vs. Worm vs. Trojan: Virus = host file + user execution; Worm = self-contained + autonomous spread; Trojan = deception (no self-replication). Each requires different containment strategy.
- Ransomware Economics: Encrypt or lock system → demand payment (crypto) → exfiltrate data (double extortion). Defense: immutable backups, offline backups, monitoring for encryption activity, network segmentation to stop lateral spread.
- Rootkits Hide in Kernel: User-mode antivirus cannot see kernel-mode rootkits because the OS itself is compromised. Detection requires kernel-mode monitoring or offline forensic analysis from another system.
- Botnets Are Rental Services: Compromised computers are controlled via C2 servers and rented to other criminals for spam, DDoS, mining, credential theft. Disrupting C2 infrastructure is key to botnet takedown.
- Fileless Malware Bypasses Disk Scanning: Uses legitimate OS tools (PowerShell, WMI) and executes in RAM only. Detection requires behavioral/memory monitoring (EDR), not signature scanning.
- APTs Are Targeted & Persistent: State-sponsored or elite groups; custom malware + zero-days; long-term campaigns. Common malware is mass-distributed for immediate impact. APT defense requires threat intelligence and continuous hunting.
- Antivirus vs. EDR: Antivirus = pre-execution signature matching; EDR = runtime behavior monitoring. EDR detects zero-days and obfuscated malware that antivirus misses.
- IOCs Enable Threat Hunting: File hashes, IPs, domains, registry keys left by malware. Share IOCs via MISP/ISACs. Hunt for IOCs across your infrastructure to expand breach assessment.
- Defense In Depth Required: No single tool stops all malware. Layer: network segmentation, application whitelisting, least privilege accounts, behavioral monitoring (EDR), incident response playbooks, immutable backups.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions above.
| Malware Category | Key Characteristics | Primary Detection / Defense |
|---|---|---|
| Virus | Requires host file & user interaction to execute. Self-replicating. | Signature-based AV, file integrity monitoring. |
| Worm | Self-contained, autonomous network propagation. No user action needed. | Network segmentation, IDS/IPS, patch management. |
| Trojan | Disguised as legitimate software. Relies on deception. Does not self-replicate. | User awareness, application whitelisting. |
| Ransomware | Encrypts data or locks system. Extorts payment. Often double extortion. | Offline immutable backups, EDR, network segmentation. |
| Rootkit | Hides in kernel mode (Ring 0). Intercepts OS API calls to hide processes/files. | Hardware-based monitoring, memory analysis, secure boot. |
| Botnet | Network of compromised hosts controlled via C2 server. Used for DDoS/spam. | Sinkholing C2 domains, endpoint isolation, egress filtering. |
| Fileless Malware | Resides in RAM, uses legitimate tools (PowerShell). No disk footprint. | EDR (behavioral monitoring), PowerShell logging, AMSI. |
| APT | Targeted, persistent, stealthy. Nation-state actors. Custom malware. | Threat intelligence, proactive threat hunting, defense-in-depth. |
Frequently Asked Questions
What is the difference between a virus, a worm, and a trojan?
What is ransomware and what is the attacker's business model?
What are rootkits and why are they harder to detect than other malware?
What is a botnet and how do threat actors monetize it?
What is fileless malware and why is it dangerous?
What is the difference between an APT (Advanced Persistent Threat) and a common malware outbreak?
How do antivirus and endpoint detection & response (EDR) tools differ in detecting malware?
What are indicators of compromise (IOCs) and how are they used to detect malware?