Malware types — SY0-701
Master malware types for Security+ SY0-701: NIST-grounded definitions for viruses, worms, Trojans, spyware, rootkits, logic bombs, and backdoors.
WHAT IT IS
Malware — short for malicious software — is, per NIST SP 800-171r3, "software or firmware intended to perform an unauthorized process that will have an adverse impact on the confidentiality, integrity, or availability of a system." The term is an umbrella: it names a category of threat, not a single behavior. Each malware type is distinguished by how it spreads, what it needs to execute, and what it does once active.
Mental model
Think of malware types as answers to three diagnostic questions:
- Does it need a host to run? A virus needs one; a worm does not.
- Does it hide that it is malicious? A Trojan horse disguises itself as useful software; a worm does not.
- What is its primary payload? Surveillance (spyware), concealment (rootkit), trigger-based destruction (logic bomb), or access maintenance (backdoor).
When a scenario describes malware on the exam, work through these three questions before choosing a type.
When to use it
The table below maps each type to its NIST-grounded distinguishing characteristic — the single fact that separates it from the type it is most often confused with.
| Type | NIST-grounded distinguishing characteristic | Most confused with |
|---|---|---|
| Virus | Replicates by attaching to a host program; "cannot run independently — it requires its host program to execute" (NIST SP 800-82r3 / RFC 4949) | Worm |
| Worm | "Self-replicating… propagates itself through a network… without requiring a host program or any user intervention" (NIST SP 800-28 Version 2) | Virus |
| Trojan horse | "Appears to have a useful function, but also has a hidden and potentially malicious function" (CNSSI 4009-2015) | Virus |
| Spyware | "Secretly or surreptitiously installed… to gather information on individuals or organizations without their knowledge" (NIST SP 800-128) | Keylogger (a form of spyware) |
| Rootkit | "A set of tools… to conceal the attacker's activities… and permit the attacker to maintain root-level access… through covert means" (NIST SP 800-150) | Backdoor |
| Logic bomb | "A piece of code… that will set off a malicious function when specified conditions are met" (CNSSI 4009-2015) | Trojan horse |
| Backdoor | "An undocumented way of gaining access to a computer system" (CNSSI 4009-2015); or a "malicious program that listens for commands on a certain TCP or UDP port" (NIST SP 800-83 Rev. 1) | Rootkit |
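The backdoor row above quotes NIST SP 800-83 Rev. 1: a "malicious program that listens for commands on a certain TCP or UDP port". The defender's check that follows from that definition is an inventory of listening sockets compared against what the host is expected to run. The code below is an added example, not part of this page or of any NIST document: it parses text shaped like `ss -lntup` output (the sample is constructed, not captured from a real host), compares each listener against an assumed per-host allowlist of (protocol, port, process) tuples, and reports anything unexpected, noting whether the socket is bound to all interfaces and so reachable from the network. The allowlist contents, process names, PIDs and port numbers in the sample are all assumptions.

```python
"""Added example (not from the SY0-701 page): audit listening sockets against an
allowlist, the check implied by the NIST SP 800-83 backdoor definition quoted
on the page. Sample output and allowlist are constructed assumptions."""
import re
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str
    pid: int


# Constructed sample shaped like `ss -lntup` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:5432    0.0.0.0:*         users:(("postgres",pid=1201,fd=6))
tcp   LISTEN 0      10     0.0.0.0:31337     0.0.0.0:*         users:(("updater",pid=4410,fd=4))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=640,fd=5))
"""

# Assumed allowlist for this host: (proto, port, process) expected to listen.
ALLOWLIST = {("tcp", 22, "sshd"), ("tcp", 5432, "postgres"), ("udp", 68, "dhclient")}

# One socket line: netid, state, queues, local addr:port, peer, owning process.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+(?:LISTEN|UNCONN)\s+\S+\s+\S+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(text: str) -> list:
    """Return one Listener per socket line; the header and unparseable lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["proto"], m["addr"], int(m["port"]),
                                  m["proc"], int(m["pid"])))
    return found


def unexpected_listeners(listeners, allowlist) -> list:
    """Every listener not on the allowlist is a finding to investigate."""
    return [l for l in listeners if (l.proto, l.port, l.process) not in allowlist]


def audit(text: str = SAMPLE_SS_OUTPUT, allowlist=ALLOWLIST) -> list:
    """Summarise unexpected listeners, flagging those reachable from the network."""
    findings = []
    for l in unexpected_listeners(parse_listeners(text), allowlist):
        findings.append({
            "proto": l.proto, "port": l.port, "process": l.process, "pid": l.pid,
            # Bound to every interface means reachable beyond loopback, which
            # matters far more than a listener on 127.0.0.1.
            "network_reachable": l.addr in ("0.0.0.0", "*", "[::]", "::"),
        })
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"UNEXPECTED {f['proto']}/{f['port']} {f['process']} pid={f['pid']} "
              f"network_reachable={f['network_reachable']}")
```

On a real host the allowlist comes from the system's build standard or configuration management, and the parsed output would be fed in from the tool rather than from the constructed string; the comparison logic is unchanged.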
COMMON MISCONCEPTION
The most exploitable trap: confusing a worm with a virus.
NIST SP 800-82r3 (citing RFC 4949) is explicit: a virus "cannot run independently; it requires its host program to execute." A worm, by contrast, is "self-contained" and "uses networking mechanisms to spread itself" without any host program (CNSSI 4009-2015). The exam frequently presents a scenario in which malware spreads across systems automatically without user interaction and without attaching to files — that is a worm, not a virus. Labeling autonomous network propagation as a virus is the error.
A secondary trap involves logic bombs and Trojans. Both can be delivered inside apparently legitimate software. The distinction is timing and trigger: a logic bomb fires "when specified conditions are met" (CNSSI 4009-2015) — a date, an event, a credential change. A Trojan's malicious function is present and potentially active from the moment it runs; it does not require a future triggering condition.
How it shows up on the exam
The cognitive target for malware-type questions is identification and classification: given a behavioral description of malware, select the correct type — or, inversely, given a type name, select the description that matches it.
Signal phrases to watch for in scenarios:
- "spreads across the network without user interaction" — points toward autonomous propagation (worm characteristic per NIST SP 800-28 Version 2)
- "disguised as a legitimate utility" — points toward deceptive appearance (Trojan horse characteristic per CNSSI 4009-2015)
- "activates on a specific date" — points toward conditional trigger (logic bomb characteristic per CNSSI 4009-2015)
- "collects information without the user's knowledge" — points toward covert data gathering (spyware characteristic per NIST SP 800-128)
- "conceals the attacker's presence after compromise" — points toward post-access concealment (rootkit characteristic per NIST SP 800-150)
Candidates often over-apply "virus" to any self-spreading malware. Checking the host-dependency criterion first — does it need another program to execute? — resolves most virus/worm ambiguities.
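The three diagnostic questions from the mental model and the signal phrases listed above are, taken together, a decision procedure. The code below is an added example, not part of this page or of any NIST document: it encodes the questions in the order the page recommends (host dependency first, then the trigger condition and disguise, then the remaining payload types) and runs the classifier over constructed scenarios phrased with the page's own signal phrases. The `Scenario` fields, the `Payload` enum and every scenario text are assumptions made for this example.

```python
"""Added example, not part of the SY0-701 page: the three diagnostic questions
(host dependency, disguise, payload) as a classifier, run over constructed
exam-style scenarios. Field names, enum values and scenarios are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Payload(Enum):
    """Primary payload: the third diagnostic question."""
    SURVEILLANCE = "surveillance"   # spyware
    CONCEALMENT = "concealment"     # rootkit
    CONDITIONAL = "conditional"     # logic bomb: fires when a condition is met
    ACCESS = "access"               # backdoor
    NONE = "none"                   # replication or deception only


@dataclass(frozen=True)
class Scenario:
    """Observable facts extracted from a scenario description (constructed).

    Positional order: requires_host_program, spreads_without_user_action,
    disguised_as_useful, payload.
    """
    requires_host_program: bool        # Q1: needs another program to execute
    spreads_without_user_action: bool  # autonomous network propagation
    disguised_as_useful: bool          # Q2: appears to be legitimate software
    payload: Payload                   # Q3


def classify(s: Scenario) -> str:
    """Apply the page's questions in order; the first decisive fact wins."""
    # Q1 first, as the page advises: autonomous spread with no host program is
    # the worm's defining trait, and host dependency is the virus's.
    if s.spreads_without_user_action and not s.requires_host_program:
        return "worm"
    if s.requires_host_program:
        return "virus"
    # A logic bomb may arrive inside apparently legitimate software, so the
    # trigger condition is checked before the disguise question.
    if s.payload is Payload.CONDITIONAL:
        return "logic bomb"
    # Q2: deceptive appearance with a hidden function active from first run.
    if s.disguised_as_useful:
        return "trojan horse"
    # Q3: the remaining types are defined by what the payload does.
    return {
        Payload.SURVEILLANCE: "spyware",
        Payload.CONCEALMENT: "rootkit",
        Payload.ACCESS: "backdoor",
    }.get(s.payload, "unclassified")


# Constructed scenarios using the page's signal phrases, already reduced to the
# observable facts the three questions ask about.
SCENARIOS = {
    "spreads across the network without user interaction":
        Scenario(False, True, False, Payload.NONE),
    "runs only when an infected executable is launched":
        Scenario(True, False, False, Payload.NONE),
    "disguised as a legitimate utility; hidden function active from first run":
        Scenario(False, False, True, Payload.ACCESS),
    "looks like a payroll module; activates on a specific date":
        Scenario(False, False, True, Payload.CONDITIONAL),
    "collects information without the user's knowledge":
        Scenario(False, False, False, Payload.SURVEILLANCE),
    "conceals the attacker's presence after compromise, keeps root access":
        Scenario(False, False, False, Payload.CONCEALMENT),
    "undocumented service that listens on a port for commands":
        Scenario(False, False, False, Payload.ACCESS),
}


def classify_all(scenarios=SCENARIOS) -> dict:
    """Label every scenario; dict order follows insertion order of SCENARIOS."""
    return {text: classify(s) for text, s in scenarios.items()}


if __name__ == "__main__":
    for text, label in classify_all().items():
        print(f"{label:13}<- {text}")
```

Note the ordering choice: because a logic bomb and a Trojan can both hide inside legitimate-looking software, the trigger condition is tested before the disguise question; otherwise every logic bomb delivered that way would be labelled a Trojan.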
Related concepts
- Ransomware — a malware payload that restricts access to data or systems, typically demanding payment, and is classified under the broader malware taxonomy.
- Rootkits and logic bombs — two types covered in this domain, illustrating concealment (rootkit) and trigger-based execution (logic bomb) respectively.
- Denial of service — worms in particular have historically been weaponized to degrade availability, bridging malware types and DoS threats.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: