Skip to content
Athenian Tech

Glossary

Types of Malware: A Practical Field Guide to Malicious Software

6 min read1,262 words

Most people picture malware as a single thing: a “virus” that pops up a scary message and slows your computer down. That mental model is decades out of date. Modern malware is a diverse ecosystem of specialized tools, each engineered for a specific job — stealing credentials, encrypting files for ransom, quietly mining cryptocurrency, or turning your machine into one soldier in a botnet army. Understanding the categories matters because defenses that stop one type often do nothing against another. A backup strategy that saves you from ransomware won’t detect a keylogger siphoning your passwords, and an antivirus signature that catches a known trojan is useless against fileless malware that never touches disk.

The other common misconception is that malware types are neatly separated. In practice they blend. A single intrusion might start with a phishing dropper, deploy a trojan for persistence, load a rootkit to hide, and end with ransomware. Thinking in categories helps, but real attacks stack them.

The Core Categories

Malware is usually classified by two questions: how does it spread, and what does it do once it’s inside? Those two axes produce the familiar taxonomy.

  • Viruses attach themselves to a legitimate file or program and execute when that host runs. They need a human or process to launch the infected file, and they replicate by injecting copies into other files. True self-replicating viruses are less common today than the term’s casual usage suggests.
  • Worms are the self-propagating cousins of viruses. They spread across networks on their own, exploiting vulnerabilities without needing anyone to click anything. WannaCry (2017) is the classic example — it used a Windows SMB exploit to jump machine-to-machine and infected hundreds of thousands of systems in days.
  • Trojans disguise themselves as something benign — a cracked game, a PDF invoice, a software update. They don’t self-replicate; they rely on tricking the user into running them. Once executed, a trojan typically opens a door for further payloads.
  • Ransomware encrypts the victim’s files (or entire drives) and demands payment for the decryption key. Modern strains practice “double extortion”: they exfiltrate data first, then encrypt, so even a victim with good backups faces the threat of public leaks.
  • Spyware and keyloggers operate quietly, recording keystrokes, capturing screenshots, and harvesting credentials, browsing history, and financial data. Their whole value proposition is staying undetected as long as possible.
  • Adware is the least harmful in intent but still unwanted — it injects advertisements, redirects searches, and often bundles tracking. It frequently rides along with free software installers.
  • Rootkits burrow deep into the operating system (sometimes into firmware or the boot process) to hide the presence of other malware. They subvert the tools you’d normally use to detect an infection, which is what makes them so dangerous.
  • Bots and botnets turn infected machines into a remotely controlled network. The operator can issue commands to thousands of nodes at once for DDoS attacks, spam, or credential stuffing.
  • Cryptojackers hijack CPU and GPU cycles to mine cryptocurrency. They aim for stealth over destruction — a slower machine and a higher electricity bill are the only visible symptoms.
  • Fileless malware lives in memory and abuses legitimate system tools (PowerShell, WMI, mshta) rather than dropping executable files. Because there’s no file to scan, traditional signature-based antivirus often misses it entirely.

How Defenders Actually Spot It

Classification isn’t just academic — it drives detection. Analysts inspect suspicious files in isolated environments before they ever run on a production machine. A few examples of the everyday tooling:

Shell
# Compute a file's hash and check it against threat-intel databases
sha256sum suspicious_invoice.exe

# Inspect an ELF binary's strings for hardcoded URLs, IPs, or commands
strings -n 8 malware_sample | grep -Ei 'http|\.onion|cmd|powershell'

The hash lets you look the sample up in services like VirusTotal to see if it’s a known family. The strings pass is a fast, low-effort way to surface indicators of compromise — command-and-control domains, ransom-note text, or the names of tools the malware calls.

Behavioral clues matter more than static ones for fileless and heavily obfuscated threats. On Windows, a defender watching process activity might flag a chain like this:

Text
winword.exe  ->  powershell.exe -enc <base64 blob>  ->  outbound connection to unknown IP

A word processor spawning an encoded PowerShell command that immediately phones home is a textbook attack pattern, even if no file was written to disk. This is why endpoint detection and response (EDR) tools focus on process lineage and behavior rather than file signatures alone. The MITRE ATT&CK framework catalogs these behaviors as techniques, giving defenders a shared vocabulary for what they’re seeing.

Why It Costs Businesses So Much

The damage from malware rarely shows up as a single line item. Ransomware is the obvious headline — a successful attack can halt operations for days or weeks, and the ransom itself is often the smallest cost. The larger expenses are downtime, incident response, regulatory fines when personal data is exposed, and the long tail of reputational harm. Healthcare, manufacturing, and municipal governments have all seen operations grind to a stop.

The quieter categories can be just as expensive. Spyware and banking trojans that harvest credentials enable fraud and business email compromise, where an attacker impersonates an executive to redirect a wire transfer. Botnet infections can quietly implicate a company’s IP addresses in attacks on others, dragging it into legal and cleanup obligations. Cryptojacking inflates cloud compute bills and wears down hardware. And because modern intrusions dwell in networks for weeks or months before acting, the cost of a breach compounds the longer it goes undetected.

Building a Layered Defense

No single control stops every category, so effective defense is layered — the security world calls this defense in depth. The goal is that if one layer fails, another catches what slips through.

  • Patch aggressively. Worms and many trojans exploit known, already-fixed vulnerabilities. Timely patching removes the doorway they use.
  • Segment your network. Flat networks let worms and ransomware spread freely. Segmentation contains an infection to one zone instead of the whole estate.
  • Enforce least privilege. Malware inherits the permissions of whatever runs it. Users and services without admin rights sharply limit what a payload can do.
  • Maintain tested, offline backups. This is the single best defense against ransomware — but only if backups are isolated and you’ve actually rehearsed restoring from them.
  • Deploy behavioral EDR, not just signature antivirus. Behavioral detection is what catches fileless and novel threats.
  • Filter email and web traffic. The majority of malware still arrives through phishing links and malicious attachments, so stopping it at the gateway prevents most infections.
  • Train people. The user who doesn’t open the invoice, doesn’t enable macros, and reports the odd email is a defensive layer that no software replaces.

The Takeaway

Malware isn’t one enemy — it’s a portfolio of specialized tools that attackers mix and match to fit their goal, whether that’s a quick payday, long-term espionage, or free compute. The categories matter because they map directly to defenses: patching blunts worms, backups blunt ransomware, least privilege blunts nearly everything, and behavioral monitoring catches the stealthy threats that signatures miss. You don’t need to memorize every family name to stay safe. You need to understand that different malware behaves differently, that any real attack likely combines several types, and that no single tool is a silver bullet. Layered, tested defenses — plus the assumption that something will eventually get through — are what actually keep the damage contained.