Threats, Vulnerabilities, and Mitigations · SY0-701 · Task 2.4

Rootkits, keyloggers, and logic bombs — SY0-701

NIST-grounded definitions of rootkits, keyloggers, and logic bombs for CompTIA Security+ SY0-701 — with key distinctions and exam signal phrases.

WHAT IT IS

Three distinct malware categories that Security+ groups together under stealthy or condition-triggered threats:

Rootkit — "A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker's activities on the host and permit the attacker to maintain root-level access to the host through covert means." (CNSSI 4009-2015, via NIST CSRC Glossary). A second NIST definition (SP 800-83 Rev. 1) frames it as "a collection of files that is installed on a host to alter the standard functionality of the host in a malicious and stealthy way."

Key logger — "A program designed to record which keys are pressed on a computer keyboard used to obtain passwords or encryption keys and thus bypass other security measures." (NIST SP 800-82r3, via NIST CSRC Glossary).

Logic bomb — "A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met." (CNSSI 4009-2015 / NIST SP 800-12 Rev. 1, via NIST CSRC Glossary).


Mental model

Think of the three roles in a covert operation:

  • The rootkit is the safe house — it hides everything and lets the attacker stay undetected.
  • The keylogger is the wiretap — it silently records credentials and input for later exfiltration.
  • The logic bomb is the time-delayed charge — it waits for a specific trigger before detonating its payload.

Each can exist independently, but attackers often combine them: a rootkit conceals a keylogger, and a logic bomb detonates the cleanup or destruction phase.


When to use it

The exam tests whether you can map a described behavior to the correct malware type. Use this table to anchor the decision:

Malware type | Primary purpose              | Defining characteristic                                                  | Timing
Rootkit      | Concealment and persistence  | Alters host functionality to hide attacker presence and maintain access  | Continuous — active after installation
Key logger   | Credential and input capture | Records keystrokes to obtain passwords or encryption keys                | Continuous — silently collects while present
Logic bomb   | Conditional payload delivery | Executes a malicious function only when specified conditions are met     | Dormant until trigger fires

Key differentiator: Rootkits and keyloggers are continuously active once installed. A logic bomb is dormant until its trigger condition is satisfied.


COMMON MISCONCEPTION

Misconception: A rootkit is a type of virus or worm that spreads on its own.

NIST defines a rootkit as a set of tools or a collection of files installed after root-level access is already obtained — not as a self-replicating program. The rootkit's defining purpose is concealment and persistence, not propagation. Candidates who conflate rootkits with viruses or worms will misidentify scenarios where an attacker has already escalated privilege and is hiding their presence.
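Because a rootkit works by altering what the host reports rather than by spreading, the practical check is a cross-view comparison: enumerate the same objects through two independent paths and look for entries that one path returns and the other does not. The following is an added example (not code from the page, NIST, or CompTIA) that simulates a rootkit hooking the process listing and applies that check; the process table, the hidden PID 2041, and the process names are constructed sample data, and the live Linux variant is included only to show the same idea against a real /proc.

```python
"""Cross-view rootkit check (added example, not from the original page).

A rootkit conceals an attacker by altering the host's normal functionality:
the process list an administrator sees is filtered so the implant never
appears. Cross-view detection enumerates the same objects through two
independent paths and reports entries present in one but missing from the other.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


# Constructed sample process table standing in for the kernel's real state.
REAL_PROCESS_TABLE = [
    Proc(1, "init"),
    Proc(412, "sshd"),
    Proc(913, "nginx"),
    Proc(2041, "kworker/u8:3"),  # hypothetical implant, named to blend in
    Proc(2077, "bash"),
]

# PIDs the simulated rootkit has been instructed to hide.
HIDDEN_PIDS = {2041}


def hooked_process_list(table):
    """Simulated 'ps' after a rootkit hooked the /proc directory listing:
    hidden PIDs are silently dropped from what the administrator sees."""
    return [p for p in table if p.pid not in HIDDEN_PIDS]


def unhooked_process_list(table):
    """Simulated independent enumeration the rootkit did not tamper with."""
    return list(table)


def cross_view_hidden(high_view, low_view):
    """Processes present in low_view but absent from high_view.
    A non-empty result means something is concealing processes."""
    visible = {p.pid for p in high_view}
    return [p for p in low_view if p.pid not in visible]


def simulated_check(table=REAL_PROCESS_TABLE):
    """Run the cross-view comparison over the constructed sample table."""
    return cross_view_hidden(hooked_process_list(table), unhooked_process_list(table))


def live_linux_check(max_pid=None):
    """Same idea on a real Linux host: PIDs that exist according to
    kill(pid, 0) but are missing from a /proc directory listing.
    Caveats: a kernel rootkit that hooks both paths defeats this check
    (it only catches hooks on one of them), and processes starting or
    exiting between the listing and the probe can produce false positives."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    hidden = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check, sends nothing
        except ProcessLookupError:
            continue                 # no such process
        except PermissionError:
            pass                     # exists, owned by another user
        if pid not in listed:
            hidden.append(pid)
    return hidden


if __name__ == "__main__":
    for p in simulated_check():
        print(f"hidden from the hooked view: pid={p.pid} name={p.name}")
```

The simulated run flags PID 2041 because the unhooked enumeration still sees it. On a real host, tools such as unhide apply this comparison with more enumeration paths; the caveat in the code is the important one for exam scenarios too: a rootkit with root-level access can, in principle, alter any view the host itself provides, which is why offline or out-of-band inspection is the stronger answer when it is offered.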

Misconception: A logic bomb is triggered by a timer alone.

The NIST definition specifies "specified conditions" — which may include a date, a login event, a file deletion, or any detectable system state. Time is one possible condition, but equating logic bombs with "time bombs" is an oversimplification that can lead to wrong answers when a scenario describes a non-time trigger.
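To make the "specified conditions" point concrete, here is an added example (not from the page or from any real malware) that models a logic bomb as a set of trigger predicates evaluated over snapshots of host state, with a harmless payload. The trigger names, the account name jdoe, the flag-file path, and the timeline are all constructed for illustration; the example goes slightly beyond the text by showing several condition kinds side by side so that a non-time trigger fires before the date condition is ever reached.

```python
"""Logic-bomb trigger evaluation, simulated with a harmless payload
(added example; not from the original page or any real malware).

NIST: a logic bomb 'will set off a malicious function when specified
conditions are met'. The condition is a predicate over observable host
state; a calendar date is only one possible input.
"""
from datetime import date


def make_state(today, logged_in, files, accounts):
    """Constructed snapshot of host state that the triggers inspect."""
    return {"today": today, "logged_in": set(logged_in),
            "files": set(files), "accounts": set(accounts)}


# Hypothetical trigger predicates; the names, user and path are illustrative.
def date_trigger(state):
    return state["today"] >= date(2025, 3, 1)


def login_trigger(state):
    return "auditor" in state["logged_in"]


def file_deleted_trigger(state):
    return "/srv/app/keep.flag" not in state["files"]


def account_removed_trigger(state):
    # The classic insider case: fires once the author's own account is gone.
    return "jdoe" not in state["accounts"]


class LogicBomb:
    def __init__(self, triggers, payload):
        self.triggers = triggers   # {name: predicate over state}
        self.payload = payload     # callable; benign here
        self.fired_by = None

    def tick(self, state):
        """Evaluate once per polling interval; dormant until any trigger
        holds, then runs the payload exactly once and reports the trigger."""
        if self.fired_by is not None:
            return None
        for name, pred in self.triggers.items():
            if pred(state):
                self.fired_by = name
                self.payload()
                return name
        return None


def simulate(states, triggers):
    """Feed successive snapshots to a bomb. Returns (tick_index, trigger_name,
    events); tick_index and trigger_name are None if it never detonates."""
    events = []
    bomb = LogicBomb(triggers, lambda: events.append("payload ran (benign)"))
    for i, st in enumerate(states):
        if bomb.tick(st) is not None:
            return i, bomb.fired_by, events
    return None, None, events


TRIGGERS = {
    "date": date_trigger,
    "login": login_trigger,
    "file_deleted": file_deleted_trigger,
    "account_removed": account_removed_trigger,
}

# Constructed timeline: two quiet days, then jdoe's account is removed,
# and only later does the calendar reach the date condition.
TIMELINE = [
    make_state(date(2025, 1, 10), {"ops"}, {"/srv/app/keep.flag"}, {"root", "ops", "jdoe"}),
    make_state(date(2025, 1, 11), {"ops"}, {"/srv/app/keep.flag"}, {"root", "ops", "jdoe"}),
    make_state(date(2025, 1, 12), {"ops"}, {"/srv/app/keep.flag"}, {"root", "ops"}),
    make_state(date(2025, 3, 2), {"ops"}, {"/srv/app/keep.flag"}, {"root", "ops"}),
]

if __name__ == "__main__":
    tick, trigger, events = simulate(TIMELINE, TRIGGERS)
    print(f"detonated at tick {tick} via trigger '{trigger}': {events}")
```

Run as written, the bomb detonates at tick 2 on the account-removal condition, weeks before the date trigger would have fired; restricting it to the date trigger alone delays detonation to tick 3. The defensive takeaway is the same as the exam one: look for what the code checks before acting, not just for hard-coded dates.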

Misconception: A keylogger and spyware are the same thing.

NIST defines spyware as software that "gathers information on individuals or organizations without their knowledge" (CNSSI 4009-2015). A keylogger is a specific mechanism focused on recording keystrokes to obtain passwords or bypass security measures (NIST SP 800-82r3). Spyware is the broader category; a keylogger is one technique that may or may not be bundled with spyware.


How it shows up on the exam

The cognitive target for this group is recognition and differentiation — given a described behavior, select the correct malware category.

Candidates often confuse these types because all three are covert. The signal phrases to watch:

  • "The attacker maintained access without detection" or "concealed activities" — points toward a rootkit (NIST: "conceal the attacker's activities… maintain root-level access through covert means").
  • "Passwords were captured" or "credentials were recorded" — points toward a key logger (NIST: "record which keys are pressed… to obtain passwords or encryption keys").
  • "The malicious function did not execute until…" or "triggered when conditions were met" — points toward a logic bomb (NIST: "will set off a malicious function when specified conditions are met").

A common misconception — that rootkits are the initial attack vector rather than a post-compromise persistence tool — may surface in scenarios where the question describes how access was gained (e.g., via a Trojan horse) versus how it was maintained. The NIST rootkit definition explicitly places it after root-level access is already obtained.


Sources

Every claim on this page traces to the public exam blueprint and official documentation:

CutScore is an independent study tool and is not affiliated with, authorized by, endorsed by, or sponsored by Amazon Web Services. “AWS” and “AWS Certified AI Practitioner” are trademarks of Amazon.com, Inc. or its affiliates. All content is independently authored from the public exam blueprint and official documentation — no real exam content is used.
