Security+: 11 malware types and identifying indicators of compromise
Indicators of compromise (IOCs) are artifacts on a network or system that reveal malicious activity and point to an intrusion with high confidence. Those artifacts may stem from several pieces of sophisticated malware working together. Identifying indicators of compromise and differentiating between types of malware is an integral part of cybersecurity and is covered on the CompTIA Security+ exam.
There are 28 objectives on the updated SY0-701 exam, and one of those objectives (2.4) is "Given a scenario, analyze indicators of malicious activity." Understanding the different types of malicious activity is essential for professionals in incident response, threat hunting, penetration testing, malware analysis, organizational risk, security awareness and many other roles.
With that in mind, here’s how to analyze indicators of compromise and determine the type of malware. For more information on the Security+ exam, download our free Security+ ebook or explore Infosec's Security+ Training Boot Camp.
1. Ransomware
Several different indicators can help organizations determine whether a ransomware infiltration has occurred. For instance, a company concerned about ransomware should monitor its systems for bulk file renames. Ransomware encrypts files rapidly, so a large number of files renamed in a short span of time is a visible indicator. Another indicator is data files on your PC being encrypted: the encryption process modifies the files and appends extensions to them. If the added extensions aren’t standard, a ransomware attack is likely under way.
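The two ransomware indicators above (a burst of renames in a short window, and renamed files receiving a non-standard extension) can be turned into a simple detection. The following is an added example, not code from the original article; the file-rename events, the host names and the list of "known" extensions are all constructed for illustration.

```python
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Extensions we expect to see on this (hypothetical) file server; anything else is "non-standard".
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png", ".bak"}
# Constructed sample rename events ("<ISO time> <host> <old path> -> <new path>"):
# host1 is a burst of renames to an unrecognised extension, host2 is routine user activity.
SAMPLE_EVENTS = """\
2024-05-01T09:00:00 host1 /srv/share/q1/report.docx -> /srv/share/q1/report.docx.lockd
2024-05-01T09:00:01 host1 /srv/share/q1/budget.xlsx -> /srv/share/q1/budget.xlsx.lockd
2024-05-01T09:00:01 host1 /srv/share/q1/deck.pptx -> /srv/share/q1/deck.pptx.lockd
2024-05-01T09:00:02 host1 /srv/share/q1/notes.txt -> /srv/share/q1/notes.txt.lockd
2024-05-01T09:00:04 host1 /srv/share/q1/scan.pdf -> /srv/share/q1/scan.pdf.lockd
2024-05-01T09:00:06 host1 /srv/share/q1/data.csv -> /srv/share/q1/data.csv.lockd
2024-05-01T09:05:00 host2 /home/bob/draft1.docx -> /home/bob/draft2.docx
2024-05-01T09:05:02 host2 /home/bob/draft2.docx -> /home/bob/draft3.docx
2024-05-01T09:05:03 host2 /home/bob/old.xlsx -> /home/bob/old.xlsx.bak
2024-05-01T09:05:05 host2 /home/bob/img.png -> /home/bob/img2.png
2024-05-01T09:05:06 host2 /home/bob/a.txt -> /home/bob/b.txt
"""

def parse_event(line):
    # Returns (timestamp, host, old_path, new_path) for one rename event line.
    ts, host, paths = line.split(" ", 2)
    return (datetime.fromisoformat(ts), host, *paths.split(" -> "))

def extension(path):
    return os.path.splitext(path)[1].lower()

def detect_rename_bursts(log_text, window_seconds=10, min_renames=5, min_unknown_ratio=0.8):
    # One alert per host whose largest rename burst inside the sliding window consists
    # mostly of files that received an extension outside KNOWN_EXTENSIONS.
    per_host = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, _, new_path = parse_event(line)
        per_host[host].append((ts, new_path))
    window, alerts = timedelta(seconds=window_seconds), []
    for host, events in per_host.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # drop events older than the window
                start += 1
            burst = events[start:end + 1]
            unknown = [extension(p) for _, p in burst if extension(p) not in KNOWN_EXTENSIONS]
            if len(burst) >= min_renames and len(unknown) / len(burst) >= min_unknown_ratio:
                if best is None or len(burst) > len(best[0]):
                    best = (burst, Counter(unknown).most_common(1)[0][0])
        if best:
            alerts.append({"host": host, "start": best[0][0][0].isoformat(),
                           "renames": len(best[0]), "extension": best[1]})
    return alerts
```

Note that host2 also renames five files inside the window, but every new extension is a known one, so only host1 produces an alert; tune the window, count and ratio to the normal rename rate of your own file servers.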
2. Trojan
Trojans are self-contained programs created to mimic useful or necessary applications on your system that you would never consider risky. An indicator of compromise could be a message or a command prompt window that pops up and disappears quickly while using a program. Applications becoming suddenly unresponsive to usual commands can also indicate the presence of Trojans.
Case in point: if a co-worker shows you a program he/she has been using for a while, and a command prompt opens and closes quickly while you’re being walked through its capabilities, there’s a good chance you’re seeing a Trojan, which your colleague may or may not be aware of.
3. Worms
Worms are malware capable of rapidly infecting many systems on an enterprise network by transmitting copies of themselves from one system to another over network connections. At first, they merely let attackers consume network bandwidth, but they have evolved to carry payloads (malware code created to inflict real, tangible harm). Payload-carrying worms can cause several forms of damage, ranging from recording keystrokes to deleting files.
An indicator of compromise is a series of infected systems, with infections appearing in different departments and on machines where users didn’t run any programs.
4. Keylogger
A keylogger is a type of surveillance technology cybercriminals use to monitor and record keystrokes typed on a victim’s keyboard. Common goals of keylogger malware include stealing login credentials, critical enterprise data and personally identifiable information. In the past few years, keyloggers have become more sophisticated; they are also being used to track sites visited by the target and only log keystrokes entered on domains of particular interest to adversaries.
The indicator of compromise for this type of malware is relatively straightforward. You must look out for any suspicious activity regarding your online accounts (personal and professional). For instance, if you receive a notification from your email client stating someone accessed your account from outside your town of residence, it could be that your system is infected with keylogger malware.
5. Adware
Adware is a form of malware that generates money. Its creators use different tactics to make revenue by forcing ads on the user. The malware can modify the victim’s system configuration to show ads in their internet browser or as pop-ups. Adware by itself isn’t a severe cause for concern, but it has become a gateway for other malware.
An indicator of compromise could be an employee of your firm experiencing issues with his/her browser. Every time he/she launches Chrome or Firefox, different pop-ups appear every few seconds, regardless of the website being visited.
6. Virus
A virus is a malicious program that infects and damages a system, such as a tablet, smartphone or computer. It can destroy data on the device, prevent it from booting up or from using resources, and cause slowdowns or malfunctions. Indicators of compromise include applications and files on the enterprise system failing to open. Others include hardware (such as scanners) that no longer responds to users’ commands.
7. Spyware
Spyware is malicious software that collects information about a user’s or a group’s habits or activities on a system. If someone in your organization ran a search and a different, unauthorized browser popped up to complete it for them, it could be a sign of spyware. If you try removing it, it returns immediately.
Another indicator is a reduction in the system’s connection speed. Since spyware runs in the background, it takes up valuable disk space and can cause severe performance issues.
8. Rootkit
A rootkit is software commonly used to obtain root-level access and hide specific things from a system’s OS. One of its symptoms is that a system’s antivirus keeps turning itself off, leaving the system unprotected. Also, if you or someone within your company keeps seeing blue screens with white text displaying Windows error messages, followed by continual rebooting, a rootkit infection is probable. Additionally, an incorrect system clock and date can be an indicator of rootkit compromise.
9. Bot
A bot is an automated malicious program that gathers information on the internet. Usually, bots are executed from compromised systems remotely controlled by adversaries. An indicator of compromise is having trouble downloading antimalware software updates or visiting vendors’ sites: bots often attempt to prevent antimalware software from functioning or being installed. Likewise, you could have trouble downloading operating system updates when hit by a malicious bot.
10. Backdoor
A backdoor is a malicious program that creates a covert channel for adversaries. Through it, they can access and control the compromised system, including phones and other mobile devices. If you’re surfing the internet and suddenly a strange message states you’re locked out of the PC, it could be a sign of backdoor malware. Pop-up ads are another indicator; they distract the user from investigating other symptoms, such as why a message they didn’t send appeared in their sent folder on Facebook.
11. Logic bomb
Also referred to as a slag code, a logic bomb is designed to explode (or execute) under conditions such as a failure of a user to react to a command prompt or a lapse of a specific amount of time. After execution, it may be designed to erase critical files, display spurious text or have other devastating effects. If an organization had someone in to do any custom programming and things went awry after a few weeks, it could indicate a logic bomb compromise.
Custom programming gives programmers complete access to your system, just the kind of access someone who wanted to plant a trap door or a logic bomb would want. Hence, it’s important to independently verify that the work was done in good faith and correctly.
Final verdict
By understanding indicators of compromise, the time from infection to system recovery can be significantly reduced. Moreover, organizations can use this knowledge to improve the fidelity of their mitigation efforts, give stakeholders a detailed picture of a potential intrusion and provide greater assurance of IT security.
For more on the Security+ certification, view our Security+ certification hub.