By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Malware (malicious software) is any program designed to harm, exploit, or infiltrate systems without consent. You study malware to detect threats, analyze attacks, or build defenses—critical for cybersecurity, incident response, and secure software development.
Malware costs businesses $6 trillion annually (Cybersecurity Ventures, 2023). It steals data, disrupts operations, and enables ransomware attacks. Understanding malware helps you: - Prevent breaches (e.g., phishing, supply-chain attacks).- Respond to incidents (e.g., reverse-engineering ransomware).- Secure applications (e.g., hardening code against exploits).
Each type serves a distinct purpose:
How malware enters systems: - Phishing emails (e.g., malicious attachments/links).- Exploit kits (e.g., drive-by downloads via vulnerable browsers).- Supply-chain attacks (e.g., SolarWinds hack).- USB drops (e.g., BadUSB attacks).- Malvertising (malicious ads on legitimate sites).
Malware survives reboots by: - Adding registry keys (Windows).- Creating cron jobs (Linux).- Installing bootkits (modifying bootloaders).
Malware avoids detection by: - Obfuscation: Encrypting or packing code.- Polymorphism: Mutating code to change signatures.- Living-off-the-land (LOLBins): Using legitimate tools (e.g., PowerShell) for attacks.
Most malware follows this lifecycle:
Dropper fetches the full payload from a command-and-control (C2) server.
Execution
Escalates privileges (e.g., exploiting CVE-2021-4034 in Linux).
CVE-2021-4034
Persistence
Adds itself to startup processes or scheduled tasks.
Action
Steals data (e.g., keylogging), encrypts files (ransomware), or spreads laterally (worms).
Exfiltration
Example: Ransomware Workflow
Phishing Email → User Clicks Link → Dropper Downloads Encryptor → Encryptor Scans Files → Displays Ransom Note → C2 Server Generates Decryption Key
Goal: Safely detonate malware and observe its behavior.
Take a snapshot (restore point) before analysis.
Download a Sample (Safely!)
EICAR
Never download real malware without a sandbox.
Run Cuckoo Sandbox bash # Install Cuckoo (Linux host) git clone https://github.com/cuckoosandbox/cuckoo.git cd cuckoo pip install -r requirements.txt cuckoo init cuckoo -d
bash # Install Cuckoo (Linux host) git clone https://github.com/cuckoosandbox/cuckoo.git cd cuckoo pip install -r requirements.txt cuckoo init cuckoo -d
Submit the sample via the web interface (http://localhost:8000).
http://localhost:8000
Analyze the Report
Check:
cmd.exe /c powershell
ransom_note.txt
Expected Outcome
Fix: Always use a VM with snapshots and no network access.
Ignoring Fileless Malware
Fix: Monitor memory (e.g., with Volatility) and processes (e.g., PowerShell scripts).
Overlooking Evasion Techniques
Fix: Use anti-anti-sandbox tricks (e.g., fake mouse movements, delayed execution).
Not Updating Tools
Fix: Subscribe to threat intelligence feeds (e.g., AlienVault OTX).
Focusing Only on Windows
yara rule Detect_Ransomware { meta: description = "Detects common ransomware file extensions" strings: $ext1 = ".locked" nocase $ext2 = ".crypt" nocase condition: any of them }
svchost.exe
cmd.exe
apt upgrade
Action:
Banking Trojan Investigation (Finance)
APT Attack Analysis (Government)
A user receives an email with a Word document attachment. After opening it, their files are encrypted. What type of malware is this most likely?
A) Worm B) Trojan C) Ransomware D) Adware
Correct Answer: C) RansomwareExplanation: Ransomware encrypts files for extortion. The Word doc likely contained a macro that downloaded the ransomware payload.Why the Distractors Are Tempting: - A) Worm: Spreads autonomously, but doesn’t typically encrypt files.- B) Trojan: Disguised as legitimate software, but the payload here is encryption, not just deception.- D) Adware: Displays ads, not encryption.
You’re analyzing a malware sample and notice it checks for virtual machines before executing. What technique is it using?
A) Polymorphism B) Obfuscation C) Anti-sandboxing D) Living-off-the-land
Correct Answer: C) Anti-sandboxingExplanation: Malware uses anti-sandboxing to detect VMs (e.g., checking for VBoxGuest drivers) and avoid analysis.Why the Distractors Are Tempting: - A) Polymorphism: Changes code to evade signature detection, not VM checks.- B) Obfuscation: Hides code, but doesn’t specifically target VMs.- D) Living-off-the-land: Uses legitimate tools (e.g., PowerShell), not VM detection.
VBoxGuest
Which of these is not a common persistence mechanism for malware?
A) Adding a registry run key B) Creating a cron job C) Modifying the hosts file D) Installing a bootkit
Correct Answer: C) Modifying the hosts fileExplanation: The hosts file is used for DNS redirection (e.g., blocking security updates), not persistence. Persistence mechanisms survive reboots.Why the Distractors Are Tempting: - A) Registry run key: Classic persistence (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run).- B) Cron job: Linux persistence (e.g., @reboot /path/to/malware).- D) Bootkit: Modifies the bootloader to load malware at startup.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
@reboot /path/to/malware
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.