Malware — Types, Analysis, and Defense

Explain Defining Malware.

Explain A Brief History of Malware.

Explain — The Creeper.

Explain — Brain: The First PC Virus.

Malware (a portmanteau of malicious software ) refers to any software intentionally designed to cause harm to a computer system, network, or user.

This broad definition encompasses an enormous variety of programs with different mechanisms, objectives, and behaviors.

What unites them is intent: malware is designed by adversaries to do something the system's legitimate owner would not authorize.

Malware (a portmanteau of malicious software ) refers to any software intentionally designed to cause harm to a computer system, network, or user.

This broad definition encompasses an enormous variety of programs with different mechanisms, objectives, and behaviors.

What unites them is intent: malware is designed by adversaries to do something the system's legitimate owner would not authorize.

Malware can pursue many objectives simultaneously.

The history of malware is the history of computing itself, shadowing every major technological development with a corresponding evolution in malicious code.

A Brief History of Malware connects to risk, controls, and evidence.

A Brief History of Malware connects to risk, controls, and evidence.

The first program that could be considered malware was Creeper , a self-replicating experimental program created by Bob Thomas at BBN Technologies.

It infected ARPANET machines, displaying the message "I'M THE CREEPER, CATCH ME IF YOU CAN!" Creeper was not malicious in intent but established the concept of a self-propagating…

Reaper , a program created to remove Creeper, is sometimes considered the first antivirus software.

The Brain virus , released by Pakistani brothers Basit and Amjad Farooq Alvi in January 1986, is widely regarded as the first virus for IBM-compatible personal computers.

Brain targeted the boot sector of 5.25-inch floppy disks.

The authors included their names, phone number, and address in the virus's code — ostensibly as an anti-piracy measure for their software business.

Brain was relatively benign, causing no data damage, but it established the template for boot sector viruses.

The Morris Worm , created by Cornell graduate student Robert Tappan Morris, was the first worm to gain widespread media attention.

It exploited vulnerabilities in Unix sendmail, fingerd, and rsh/rexec to propagate across the early internet, infecting approximately 6,000 machines (a significant fraction of the…

Morris claimed the worm was not intended to cause damage, but a programming error caused infected machines to become overloaded and unusable.

Morris was the first person prosecuted under the Computer Fraud and Abuse Act.

The 1990s saw an explosion of viruses spread via floppy disks and, later, email.

The Melissa virus (1999) was a macro virus that spread via email, using Microsoft Word macros to mail itself to the first 50 contacts in victims' Outlook address books.

s — Viruses and Early Email Worms connects to risk, controls, and evidence.

The 2000s established the modern cybercrime economy.

The Conficker worm (2008) infected millions of Windows machines and created a massive botnet.

Organized criminal groups began operating malware as a business, with ransomware (in primitive form), banking trojans, and credential-stealing malware becoming primary tools.

Modern ransomware operations are run with business-like professionalism, including customer support for victims, affiliate programs for distributing malware, and negotiation…

s–Present — Nation-State Weapons, Ransomware Crises, and Supply Chain Attacks connects to risk, controls, and evidence.

s–Present — Nation-State Weapons, Ransomware Crises, and Supply Chain Attacks connects to risk, controls, and evidence.

A computer virus is a type of malware that attaches itself to a legitimate program or file, and replicates itself by inserting copies into other programs or files when the…

Like biological viruses, computer viruses require a host to propagate.

File infectors attach themselves to executable files (.exe, .com, .dll).

When the infected executable runs, the virus first executes its own code, potentially infecting other executables on the system.

A worm is malware that self-propagates across networks without requiring human interaction or a host file.

Worms spread by exploiting network vulnerabilities, sending copies of themselves via email, or scanning for vulnerable systems.

The key distinguishing characteristic is self-propagation without user action.

Worms can spread with extraordinary speed: the SQL Slammer worm (2003) infected 75,000 systems in the first 10 minutes after release, doubling its infection count every 8.5…

A Trojan horse (or simply "Trojan") is malware disguised as legitimate or desirable software.

Unlike viruses and worms, Trojans do not self-replicate — they rely on users to download and execute them, deceived by their benign appearance.

Remote Access Trojans (RATs) give attackers remote control over infected systems, typically through a command-and-control (C2) server.

The attacker can view the user's screen, access the file system, activate the webcam and microphone, log keystrokes, and execute arbitrary commands.

Ransomware encrypts victims' files or locks access to their systems, then demands payment (typically in cryptocurrency) in exchange for the decryption key.

It is among the most destructive and profitable forms of malware in the current threat landscape.

Crypto ransomware encrypts files using strong asymmetric cryptography.

Without the private key held by the attacker, decryption is computationally infeasible.

Spyware covertly monitors user activity and collects information without the user's knowledge or consent.

It may capture keystrokes, screenshots, browsing history, passwords, and personal data, sending them to a remote attacker.

Commercial spyware (sometimes marketed as "stalkerware") is used in domestic abuse situations.

Adware displays unwanted advertisements, typically generating revenue for the malware author via ad impressions or click fraud.

A rootkit is a collection of tools that allow an attacker to maintain privileged, covert access to a system while hiding their presence from the OS, security software, and users.

User-mode rootkits operate in user space, manipulating system APIs to hide malicious processes, files, and network connections from system tools.

They are detectable by tools that bypass standard APIs and directly examine system structures.

Kernel-mode rootkits operate at the kernel level, modifying the OS kernel itself.

A botnet is a network of compromised computers (called "bots" or "zombies") controlled by an attacker via a Command-and-Control (C2) server.

Individual bots receive instructions from the C2 server and execute them — sending spam, conducting DDoS attacks, mining cryptocurrency, or distributing additional malware.

Botnets and Command-and-Control (C2) Infrastructure connects to risk, controls, and evidence.

Fileless malware operates without writing executable files to disk, instead residing entirely in memory or exploiting legitimate system tools.

It uses built-in operating system utilities (such as PowerShell, WMI, and the Windows Registry) as its execution environment, making it far harder for traditional signature-based…

Fileless attacks often use techniques such as living off the land (LotL) — abusing legitimate system administration tools to achieve malicious objectives.

Because fileless malware leaves minimal forensic artifacts, detecting it typically requires behavioral analysis rather than file scanning.

A keylogger records every keystroke made on an infected system, capturing passwords, credit card numbers, private messages, and any other typed content.

Keyloggers may be implemented as software (running as a background process) or hardware (a physical device inserted between keyboard and computer).

Software keyloggers are often components of larger malware packages (RATs, banking trojans) rather than standalone tools.

Logic bombs are particularly insidious because they may lie dormant for months or years before triggering, and their code is embedded within otherwise legitimate systems.

A notable case involved a contractor at a financial institution who inserted a logic bomb that would have deleted critical files if his employment status was ever changed to…

The bomb was discovered during a routine code review before it triggered.

Understanding how malware reaches victims is as important as understanding what it does after infection.

Malware Infection Vectors connects to risk, controls, and evidence.

Malware Infection Vectors connects to risk, controls, and evidence.

Email remains the most common initial infection vector.

Email Attachments and Malicious Links connects to risk, controls, and evidence.

Email Attachments and Malicious Links connects to risk, controls, and evidence.

Defining Malware

A Brief History of Malware

— The Creeper

— Brain: The First PC Virus

Where Defining Malware applies.

Where A Brief History of Malware applies.

How the difference changes the security decision.

Identify the asset or process at risk.

Choose a preventive, detective, or corrective control.

Explain what evidence would prove the control is working.

Define one core concept in plain language.

Compare two controls or threats from the week.

Apply one idea to a campus or business system.

Evaluate why a solution might fail in practice.

Collect evidence, not just screenshots.

Explain what the artifact proves.

Connect the proof back to risk and control selection.

Malware — Types, Analysis, and Defense

Security is a decision process, not just a tool list.

Use the reading to justify practical choices.