
What Is Malware? A Field Guide to the Types

Virus, worm, trojan, ransomware, spyware, rootkit. A beginner friendly guide to what malware is, the main families and how they differ, and the habits that keep it out.

HolyGhost · 9 min read

Picture opening an email that looks like it came from a courier. It says a parcel is waiting and asks you to open the attached label. You click, nothing seems to happen, and you get on with your day. Behind the scenes, though, a tiny program just quietly moved into your computer and started working for a stranger. That program is malware, and this scenario is how most people meet it for the first time.

Malware is just short for malicious software: any program written to do harm. The word is an umbrella, and underneath it sits a whole zoo of types that behave very differently. Some sneak, some smash and grab, some sit patiently for months. Knowing which is which is not trivia. It is the thing that makes the rest of security make sense, because almost every defence you will ever read about exists to stop one of these families from doing its job. This is a plain field guide to the main ones.

First, what makes software "malicious"?

A normal program does what you asked and only what you asked. A calculator adds numbers. A photo app shows photos. Malware is software that does something you did not ask for and would not agree to, usually while trying to hide the fact. That "something" might be stealing your passwords, locking your files, spying on your screen, or turning your machine into a tool for attacking other people.

The important mental shift for a beginner is this: malware is not magic and it is not alive. It is ordinary code running on your computer with whatever permissions it managed to get. Everything it can do, it does because your system let it run. That single idea shapes every defence later in this guide.

The families

The types are usually distinguished by two things: how they spread, and what they do once they arrive. Here are the main families you will hear named again and again.

  • Virus. Attaches itself to a legitimate file or program and spreads when that host is run or shared. Like a biological virus, it needs a host to travel. Copy the infected file to a friend, run it, and the virus wakes up on their machine too.
  • Worm. Spreads by itself across networks, with no host file and no human needed. This self propagation is what makes worms so fast and dangerous, as the EternalBlue outbreaks showed, where a single infected machine could reach thousands of others in minutes.
  • Trojan. Disguises itself as something useful or harmless to trick you into running it. Named after the wooden horse, it relies on you inviting it in. The fake courier label from the opening scene is a classic trojan.
  • Ransomware. Encrypts your files, meaning it scrambles them so they are unreadable, then demands payment for the key that unscrambles them. One of the most damaging types for businesses today, because it can freeze an entire company in an afternoon.
  • Spyware. Quietly watches and steals information: what you type, your logins, your activity. A keylogger is a common example, a program that records every key you press, including passwords, and quietly sends them off.
  • Rootkit. Buries itself deep in the system to hide its own presence and keep control, which makes it hard to detect and remove. The name comes from "root", the all powerful account on Unix systems. A rootkit is malware that has tunnelled into the foundations.
  • Adware. Floods you with unwanted ads. Often more nuisance than disaster, but it is still a sign that something unwanted found its way in, and where one thing gets in, worse things can follow.
  • Botnet. Not a type of harm so much as a purpose. Infected machines are quietly linked into a network the attacker controls, called a botnet, and then rented out or used together for large scale attacks. Your laptop could be one of thousands of "bots" and you might never notice.

These labels overlap

Real world malware often combines categories. A single sample might arrive as a trojan, behave like a worm to spread, install a rootkit to hide, and drop ransomware as the payload. The families describe behaviours, and one program can wear several hats.

Here is a quick way to keep them straight in your head. Think of the family as answering two separate questions.

HOW DOES IT TRAVEL?          WHAT DOES IT DO?
Virus   needs a host file    Ransomware  locks your files
Worm    spreads on its own   Spyware     watches and steals
Trojan  tricks you to run it Adware      shows you ads
                             Rootkit     hides and holds control
                             Botnet      obeys the attacker

Most real infections mix and match from both columns.

What does malware actually want?

Beginners often imagine malware as chaos for its own sake. Occasionally it is, but modern malware is overwhelmingly about money. Understanding the motive helps you predict the behaviour.

  • Direct payment. Ransomware is the clearest example. Lock the files, sell back the key.
  • Selling access. Some attackers break in, then sell that foothold to another criminal who does the real damage. Your machine becomes a product.
  • Stealing data to sell. Logins, credit card numbers, and personal records all have a price on criminal markets.
  • Borrowing your resources. Botnets rent out your bandwidth and computing power. Some malware quietly mines cryptocurrency using your electricity.

Follow the money

When you are trying to guess what a piece of malware is up to, ask "how does this make someone money?" The answer usually points straight at what it is trying to steal or lock, and therefore what you most need to protect.

How it gets in

Malware almost always relies on one of a few doors. There are not that many, which is good news, because it means a handful of habits cover most of them.

  • Phishing. A malicious attachment or link, sent by email or message, is still the most common way in. It works because it targets the person, not the machine. See "What is phishing?" for how these messages are built and spotted.
  • Unpatched vulnerabilities. A vulnerability is a flaw in software that an attacker can abuse. When a flaw lets malware install with no click at all, worms use it to spread on their own. Software makers release fixes, called patches, but a machine that has not applied them stays wide open.
  • Trojanised downloads. Pirated software, fake installers, cracked games, and dodgy browser extensions. You went looking for something free and got something extra.
  • Removable media. A USB stick left in a car park is a genuine classic, and it still works, because curiosity is reliable. Plug in an unknown drive and you may be running a stranger's code.

What an infection can look like

You will not always get an obvious warning. Some malware is deliberately quiet. Still, a few signs are worth knowing.

  • Sudden slowness or fans running hard for no reason
  • Files renamed, missing, or with a ransom note in the folder
  • Pop up ads or a browser home page you did not choose
  • Programs launching, or the mouse moving, on their own
  • Friends receiving odd messages you never sent

Any one of these can have an innocent cause, but together they are a nudge to look closer.

Keeping it out

No single tool is enough, so defence is a stack of habits layered on top of each other. If one layer misses, another catches. Here is the short list that does the heavy lifting.

  1. Patch everything. Applying updates closes known vulnerabilities and removes the doors that worms and no click attacks rely on. Turn on automatic updates where you can.
  2. Be wary of attachments and links. Most infections start with a human action. Slow down before you click, especially when a message creates urgency or fear. That urgency is often the bait.
  3. Run as a normal user, not an admin. An administrator account can change anything on the machine. Malware can only do what the account running it can do, so a normal, lower privilege account limits the blast radius. Fewer privileges means less damage.
  4. Keep good, tested backups, offline. This is your escape hatch from ransomware. "Offline" matters, because ransomware will happily encrypt any backup it can reach. If a copy is disconnected and you have actually tested restoring from it, you do not have to pay anyone.
  5. Use reputable security software and keep it current. Also turn on multifactor authentication, which asks for a second proof of identity such as a code on your phone, so that stolen passwords alone are not enough to log in as you.
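As an added example (not code from the original post, and not HolyGhost's own tooling), here is what "tested" can mean in practice for step 4: record a SHA-256 manifest when the backup is taken, then check a restore against it, so that a copy that is missing files, or that ransomware reached and encrypted in place, is caught before you rely on it. All paths and file contents are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded at backup time.

    'missing' lists files the restore does not contain at all; 'changed' lists
    files that are present but whose content differs, which is exactly what a
    copy that ransomware reached and encrypted in place looks like.
    """
    current = build_manifest(restored)
    missing = sorted(name for name in manifest if name not in current)
    changed = sorted(name for name in manifest
                     if name in current and current[name] != manifest[name])
    return {"missing": missing, "changed": changed}


def demo() -> dict[str, list[str]]:
    """Constructed scenario (hypothetical data): two files are backed up, then a
    restore comes back with one file lost and another overwritten with junk."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        (src / "photos").mkdir(parents=True)
        (src / "report.docx").write_bytes(b"quarterly numbers")
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 cat")
        manifest = build_manifest(src)      # recorded when the backup was taken

        restored = Path(tmp) / "restored"   # what came back from the backup
        restored.mkdir()
        (restored / "report.docx").write_bytes(b"\x9a\x1c not your report")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())  # {'missing': ['photos/cat.jpg'], 'changed': ['report.docx']}
```

A restore that reports anything under "missing" or "changed" is not a backup you can lean on; the point of the manifest is to learn that before an incident, not during one.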

Paying the ransom is not a plan

It is tempting to think you can just pay and get your files back. Sometimes that works, often it does not, and every payment funds the next attack and marks you as someone who pays. Tested offline backups turn a catastrophe into an afternoon of restoring. Backups are the plan. Payment is the thing you build backups to avoid.

Defence in depth, in one sentence

Assume every single layer will eventually fail, and stack enough of them that no single failure is a disaster. That is the whole philosophy behind everything above.

The takeaway

Malware is any software built to do harm, and its families (virus, worm, trojan, ransomware, spyware, rootkit) differ mainly in how they spread and what they do once they arrive. It is not magic. It is code running with whatever permissions it obtained, almost always in pursuit of money. Most of it still walks in through phishing or unpatched software, the same few doors year after year. The defences are boring and they work: patch quickly, think before you click, use a low privilege account, keep offline backups you have actually tested, and layer on multifactor authentication. Stack those habits and you turn most malware from a disaster into a non event.