  • How Trojans disguise themselves and deliver RAT backdoors
  • How modern ransomware uses double extortion to maximize leverage
  • How rootkits subvert the OS kernel to evade all detection
  • The full malware comparison table for exam identification
Trojans exploit user trust. Worms exploit unpatched vulnerabilities. Rootkits exploit the operating system itself. A sophisticated attack chain uses all three.

Beyond Basic Viruses: The Modern Threat Landscape

The lines between malware types often blur in real attacks. A single intrusion may involve a Trojan for initial delivery, a Rootkit establishing persistence in the kernel, and a Ransomware payload deployed weeks later after the attacker has mapped the entire network. SY0-701 tests you on the defining behavior of each individual type.

Malware Behavioral Profiles

A Trojan masquerades as legitimate, desirable software to trick users into executing it. Once executed, it drops its malicious payload silently. Critical distinction: Trojans do NOT self-replicate. They require human interaction to run. RAT (Remote Access Trojan): A specialized Trojan that silently establishes a backdoor connection to the attacker's C2 server, granting persistent remote control, keylogging, screenshot capture, and file access. RATs operate on any port that appears legitimate — often Port 443 (HTTPS) to blend with normal traffic. Exam Clue: 'User downloaded a free utility, but network traffic shows an unknown outbound connection' → Trojan/RAT.
Worms self-replicate across networks without requiring any human interaction. They exploit known unpatched vulnerabilities (e.g., EternalBlue MS17-010) to propagate from host to host automatically across the LAN or internet. Key difference from a virus: A worm is standalone (does not need a host file). A virus attaches itself to a legitimate executable file. Famous example: WannaCry (2017) — exploited EternalBlue to spread across 200,000 systems in 150 countries within 48 hours, encrypting files and demanding a Bitcoin ransom. Exam Clue: 'Infection spread to hundreds of systems over the weekend while the office was closed' → Worm.
Modern ransomware (Cryptomalware) uses high-grade AES + RSA hybrid encryption to render all files unusable. The attacker holds the decryption key on their server until the ransom is paid. Double Extortion (the 2024 standard): Attackers first exfiltrate data to their own servers, then encrypt it on the victim's systems. If the victim has backups and refuses to pay, the attacker threatens to leak sensitive corporate data on their public 'shame blog.' This makes backups alone an insufficient defense. Triple Extortion: The exfiltrated data is used to target the victim's own customers, demanding payment from them too. Exam Clue: 'Files are encrypted and a countdown timer appears demanding cryptocurrency' → Ransomware.
Rootkits embed themselves deep within the operating system at Ring 0 (kernel level) and intercept native API calls to hide their presence. They can lie to every OS tool — the task manager, antivirus, and netstat all receive falsified results, making traditional scanning useless. Types: Kernel rootkits (Ring 0 — deepest), Bootkit (infects the MBR/UEFI, runs before the OS loads), Hypervisor rootkit (runs beneath the victim OS in a rogue hypervisor layer), User-mode rootkit (less powerful, easier to detect). Detection: Requires external verification — scanning with a clean Live USB, memory analysis via RAM dump, or out-of-band integrity checks against a known-good baseline. Exam Clue: 'Antivirus reports the system is clean, but an unusual outbound connection exists that the OS cannot explain' → Rootkit.
A Logic Bomb is malicious code inserted into legitimate software that remains dormant until a specific trigger condition is met — a date, a user action, or the system reaching a certain state. Often planted by insider threats (disgruntled employees) to trigger destruction upon their termination. Exam Clue: 'Code was found in the payroll system that would have deleted all records if the employee's account was disabled' → Logic Bomb.

Malware Identification Table for Exam Day

| Malware Type | Primary Motive | Self-Replicates? | Key Identifying Behavioral Marker |
| --- | --- | --- | --- |
| Virus | System damage | Yes (needs host file) | Infects and modifies executable files |
| Worm | Mass propagation | Yes (standalone) | Spreads autonomously over network without user action |
| Trojan | Initial access / backdoor | No | Disguised as legitimate software, user must execute |
| RAT | Persistent remote control | No | Covert C2 connection, often blends into HTTPS traffic |
| Rootkit | Stealth & persistence | No | Hides processes/files from OS tools and antivirus |
| Ransomware | Financial extortion | Varies | Encrypts user files, demands cryptocurrency ransom |
| Logic Bomb | Delayed sabotage | No | Dormant until trigger condition; often insider threat |
| Spyware | Data exfiltration | No | Silently monitors keystrokes, clipboard, browser history |
| Adware | Ad revenue | No | Injects unwanted advertising into browser sessions |

Real-World Scenario

An analyst notices that an endpoint's antivirus shows no threats, but the SIEM alerts on outbound traffic from the machine on Port 443 at irregular intervals with unusually consistent packet sizes — suggesting encrypted C2 beaconing. Neither the task manager nor netstat on the machine shows the responsible process. This behavioral pattern (OS blindness + covert C2) indicates a kernel-level rootkit paired with a RAT. The correct response is to take a forensic RAM dump and analyze it with an offline tool like Volatility — not run another scan on the infected host.
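The beaconing heuristic from this scenario (consistent packet sizes, near-periodic intervals to one destination on 443), as an added Python example that is not part of the original study guide. The flow records, host names, addresses and thresholds are constructed for illustration and are not from any real incident.

```python
# Added example, not from the study guide: flag C2-style beaconing in
# outbound flow records using the two markers the scenario describes,
# near-constant payload sizes and regular intervals to one destination.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow log: (epoch_seconds, src_host, dst_ip, dst_port, bytes_out)
FLOWS = [
    (0, "ws-17", "203.0.113.10", 443, 612),
    (58, "ws-17", "203.0.113.10", 443, 614),
    (121, "ws-17", "203.0.113.10", 443, 612),
    (177, "ws-17", "203.0.113.10", 443, 613),
    (243, "ws-17", "203.0.113.10", 443, 612),
    (300, "ws-17", "203.0.113.10", 443, 614),
    # ordinary browsing from another host: varied sizes, bursty timing
    (5, "ws-02", "198.51.100.7", 443, 1480),
    (6, "ws-02", "198.51.100.7", 443, 92),
    (7, "ws-02", "198.51.100.7", 443, 3300),
    (900, "ws-02", "198.51.100.7", 443, 410),
    (901, "ws-02", "198.51.100.7", 443, 12000),
    (905, "ws-02", "198.51.100.7", 443, 77),
]

def coefficient_of_variation(values):
    """Population stddev divided by mean; 0.0 means perfectly uniform."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def find_beacons(flows, min_flows=5, size_cv_max=0.05, interval_cv_max=0.25):
    """Return {(src, dst, port): stats} for channels that look like beacons:
    one source repeatedly reaching one destination with payload sizes that
    barely vary and intervals that are roughly periodic (implants usually
    add a little jitter to their sleep, so the interval tolerance is looser)."""
    by_channel = defaultdict(list)
    for ts, src, dst, port, nbytes in sorted(flows):
        by_channel[(src, dst, port)].append((ts, nbytes))
    hits = {}
    for key, events in by_channel.items():
        if len(events) < min_flows:
            continue
        sizes = [b for _, b in events]
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        size_cv, gap_cv = coefficient_of_variation(sizes), coefficient_of_variation(gaps)
        if size_cv <= size_cv_max and gap_cv <= interval_cv_max:
            hits[key] = {"count": len(events), "mean_gap_s": round(mean(gaps), 1),
                         "size_cv": round(size_cv, 3), "interval_cv": round(gap_cv, 3)}
    return hits
```

Run against the sample, only the ws-17 channel is flagged (six flows, roughly one a minute, payloads within two bytes of each other); the host's own netstat is never consulted, which is the point when a rootkit may be falsifying local tool output.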

The SY0-701 exam frequently tests the scenario: 'Attacker exfiltrates data, THEN encrypts it.' This is Double Extortion ransomware. The correct organizational mitigation extends beyond backups — it requires Data Loss Prevention (DLP) controls and network egress monitoring to detect the initial exfiltration.
  • Trojan: disguised, requires user execution, no replication. RAT = Trojan with persistent C2 backdoor.
  • Worm: fully autonomous, exploits vulnerabilities, no human needed — 'weekend spread' is the exam clue.
  • Ransomware: encrypts files + demands payment. Double extortion = exfiltrates data first.
  • Rootkit: kernel-level, makes OS lie to its own security tools. Requires external forensic analysis.
  • Logic Bomb: dormant until trigger condition — classic insider threat mechanism.
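One form the egress monitoring for the double-extortion paragraph above can take: a per-host outbound-volume baseline check, as an added Python example that is not part of the original study guide. The daily byte totals, host names and thresholds are constructed for illustration.

```python
# Added example, not from the study guide: catch the exfiltration phase of
# double-extortion ransomware by comparing each host's latest daily egress
# to its own recent baseline, with an absolute floor so tiny hosts stay quiet.
from statistics import mean, pstdev

# Constructed daily outbound bytes per host to non-corporate destinations:
# seven baseline days followed by the day under review.
DAILY_EGRESS = {
    "ws-17": [210e6, 190e6, 230e6, 205e6, 198e6, 221e6, 215e6, 38e9],      # ~38 GB spike
    "ws-02": [150e6, 170e6, 160e6, 155e6, 165e6, 158e6, 162e6, 171e6],     # normal
    "srv-db": [12e9, 11e9, 13e9, 12.5e9, 11.8e9, 12.2e9, 12.7e9, 13.1e9],  # large but steady
}

def egress_anomalies(daily, k=4.0, min_bytes=5e9):
    """Flag hosts whose latest day exceeds baseline mean + k*stdev AND min_bytes.
    The z-score term keeps large-but-steady hosts (backup or database servers)
    from alerting; the absolute floor keeps small noisy workstations quiet."""
    flagged = {}
    for host, series in daily.items():
        *baseline, today = series
        m, sd = mean(baseline), pstdev(baseline)
        if today > m + k * sd and today > min_bytes:
            flagged[host] = {"today_gb": round(today / 1e9, 1),
                             "baseline_gb": round(m / 1e9, 2),
                             "ratio": round(today / m, 1)}
    return flagged
```

Only ws-17 trips the check: srv-db moves far more data every day but stays within its own band, which is why a fixed global byte limit would be the wrong control here.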
