
What is malware? Types, infection routes, and the basic defenses

What malware is, the main types (virus, worm, trojan, ransomware, spyware, bot), how it spreads, and the shared defense — updates, EDR, least privilege, and backups. Defensive, no attack steps.

Published 2026-07-02 Updated 2026-07-02 6 min read

"Malicious software that harms your devices or data" — that umbrella term is malware. Here are the main types, and the defense that stays the same no matter which type it is (no attack steps).

The types of malware (a map)

There are a lot of names, but all you really need is a rough map of "these families exist" — because, as below, the defense is shared.

Virus

Attaches itself to a legitimate file and, when that file is run, copies itself into other files. It can't run on its own; it needs the host file to be opened.

Worm

Self-replicates on its own and spreads automatically across the network, without anyone opening anything. Spreads fastest through unpatched, flat networks.

Trojan

Poses as useful, legitimate software to get in, then acts maliciously in the background. You install it yourself.

Ransomware

Encrypts files and demands a ransom. Now usually paired with data theft — double extortion (→ dedicated article).

Spyware

Hides unnoticed and steals keystrokes, credentials, and browsing history.

Bot / botnet

Remote-controls infected machines and herds many together for attacks. Orders arrive from a C2 (→C2).

The main types of malware. However different they look, the defense is shared (entry, detection, recovery).

In practice a single piece of malware often wears several of these hats at once (e.g. it gets in as a trojan, acts as spyware to steal data, and finally drops ransomware). That's exactly why it's more useful to firm up your entry / detection / recovery defenses than to spend time on "which type is this?"

Main infection routes (know the entry)

Malware doesn't appear by magic; it comes in through a predictable set of doors. Here are the high-level routes only (no specific techniques).

  • Attachments / macros: phishing email attachments and Office-document macros. The most common entry.
  • Fake downloads: distribution posing as legitimate software, or a tampered website.
  • Unpatched flaws: a known hole in internet-facing software gets exploited.
  • USB / stray apps: brought in via removable media or apps of unknown origin.

In every case the entry is a gap in people and operations — opening something carelessly, leaving software outdated, not checking where it came from. The flip side: the defenses below close most of them.
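As an added example (written for this page, not the site's own code), here is a small attachment-policy check of the kind a mail gateway runs against the first two routes above: an executable hiding behind a document-looking filename, an archive that carries an executable, and an Office document that carries a VBA macro project. It judges content as well as name, looking inside zip containers (Office .docx/.docm files are zips too) instead of trusting the outer filename. The sample attachments, the extension list and the three-way verdict are constructed for the demo.

```python
import io
import zipfile

# Extensions Windows executes on double-click; trimmed list, assumed for the demo.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe",
    ".wsf", ".ps1", ".hta", ".msi", ".lnk",
}


def last_ext(name: str) -> str:
    """Final dotted suffix, lower-cased ('Invoice.pdf.exe' -> '.exe', 'README' -> '')."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def zip_members(data: bytes):
    """Member names of a zip container (OOXML documents are zips too), or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def attachment_verdict(filename: str, data: bytes) -> str:
    """'block', 'quarantine' or 'allow' for one attachment, judged on content as well as name."""
    ext = last_ext(filename)
    if not ext:
        return "quarantine"          # no extension: cannot judge, hold for review
    if ext in EXECUTABLE_EXTS:
        return "block"               # direct executable, whatever the rest of the name says
    members = zip_members(data)
    if members is not None:
        if any(last_ext(m) in EXECUTABLE_EXTS for m in members):
            return "block"           # archive smuggling an executable (e.g. photo.jpg.js)
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "quarantine"      # Office document carrying a VBA macro project
    return "allow"


def build_zip(members: dict) -> bytes:
    """Constructed zip container for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_docx(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word file: real ones have more parts, but the
    macro project, when present, is the word/vbaProject.bin member."""
    parts = {"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}
    if with_macro:
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 constructed stub"
    return build_zip(parts)


# Constructed sample attachments: (filename, bytes, what the check should say)
SAMPLES = [
    ("Invoice.pdf.exe", b"MZ\x90\x00 constructed stub", "block"),
    ("report.docx", build_docx(with_macro=False), "allow"),
    ("Q3 figures.docm", build_docx(with_macro=True), "quarantine"),
    ("photo.zip", build_zip({"photo.jpg.js": b"// constructed stub"}), "block"),
    ("notes", b"plain text, no extension", "quarantine"),
]


def run_demo() -> dict:
    """Verdict per sample filename."""
    return {name: attachment_verdict(name, data) for name, data, _ in SAMPLES}


if __name__ == "__main__":
    for name, data, expected in SAMPLES:
        print(f"{name:18} -> {attachment_verdict(name, data)} (expected {expected})")
```

The point of the quarantine verdict is that a macro-bearing document is not automatically malicious, but it is the file type this page calls the most common entry, so it goes to a human rather than straight to the inbox.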

Defense (the type differs, the work doesn't)

You don't need a separate countermeasure per type. Stack the layers that work against malware in general: close the entry, detect what gets through, limit how far it can spread, and be able to recover.

1. Close the entry: updates, suspicious files, MFA

Update your OS and software regularly so known holes don't linger. Don't open unexpected attachments, macros, or links. Protect key accounts with multi-factor authentication (MFA) so stolen credentials don't mean instant compromise (→ how to choose MFA).

2. Add a detection layer: antivirus / EDR

Block known threats with antivirus (including your OS's built-in), and where you need more, use EDR to watch behavior and catch unknown malware too (→ what EDR is). Detection isn't perfect, though — never rely on it alone.

3. Limit the blast radius: least privilege

Don't run everyday work as an administrator. Keeping privileges to the minimum means that even if something does execute, it can't spread far — one device or one account doesn't cascade to everything.

4. Be able to recover: backups

The last line is a backup. Against ransomware especially, an offline / immutable copy plus regular restore tests is the decider (→ backup and recovery essentials).
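An added example, not the site's code, of what a "restore test" looks like in miniature: a manifest of file hashes is recorded at backup time and kept apart from the data it describes (in practice next to the offline or immutable copy), and the test restores into a disposable location and checks every file against that manifest, reporting what is missing, altered or unexpected. The directory layout and file contents are constructed in a temporary directory for the demo; the two defects (one file tampered, one never restored) are injected deliberately.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> {sha256, size} for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    corrupt = sorted(p for p in set(manifest) & set(current) if current[p] != manifest[p])
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "corrupt": corrupt, "extra": extra}


def demo() -> dict:
    """Back up a constructed tree, restore it with two defects, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        files = {"docs/plan.txt": "q3 plan", "docs/budget.csv": "a,b\n1,2\n", "notes.md": "# notes"}
        for rel, text in files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text(text)
        manifest = build_manifest(src)
        # Keep the manifest separate from the backup data (here: a JSON file outside both trees)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=1))
        # "Restore" = copy the tree, then simulate two things that go wrong
        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "docs/plan.txt").write_text("q3 plan (tampered)")  # silently altered
        (restored / "notes.md").unlink()                                 # never made it back
        manifest_back = json.loads(manifest_path.read_text())
        return verify_restore(restored, manifest_back)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A restore test that only checks "the job finished" would pass here; comparing against a manifest taken at backup time is what turns the exercise into evidence that the copy can actually bring the data back.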

Traditional antivirus (matching the known)

  • detects by matching a known malware "fingerprint" (signature)
  • lightweight and effective against widely-circulating threats
  • tends to miss unknown / freshly-made variants
  • often mistaken for "install it and you're safe"

EDR (watching behavior)

  • detects by suspicious behavior (a process encrypting files en masse, unexpected outbound connections), not by a file's name or hash
  • notices unknown attacks and "abuse of legitimate tools"
  • leaves a record you can use to investigate and contain after an infection
  • still not a substitute for entry (updates) and recovery (backups)
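To make the two rows above concrete, an added example (written for this page, not vendor code) runs both approaches over a constructed event stream. The signature scanner holds one known-bad SHA-256 and is blind to a recompiled copy of the same thing; the behavior rule instead looks for a process that, inside a short window, both writes many high-entropy files and renames them to a new extension, which is what mass encryption looks like from the endpoint. A backup tool that writes several compressed (also high-entropy) archives stays out of the rule because it renames nothing, the kind of distinction EDR tuning is about. Sample bytes, event timings and thresholds are all made up for the demo.

```python
import hashlib
import math
import os
from collections import Counter, defaultdict

# --- Signature side (antivirus) --------------------------------------------
LOCKER_V1 = b"constructed locker sample v1"          # the copy the vendor has seen
LOCKER_V2 = b"constructed locker sample v1 rebuilt"  # same behavior, new bytes
KNOWN_BAD_SHA256 = {hashlib.sha256(LOCKER_V1).hexdigest()}


def signature_verdict(file_bytes: bytes) -> bool:
    """True if the file's hash is on the known-bad list: cheap, exact, blind to anything new."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


# --- Behavior side (EDR-style rule) ----------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and compressed data sit near 8, documents well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def behavior_verdicts(events, window_s=10.0, min_files=5, min_entropy=7.0) -> dict:
    """pid -> reason, for every process that within window_s seconds both wrote
    at least min_files high-entropy files and renamed at least min_files files
    to a different extension.
    events: (ts, pid, "write", path, bytes) or (ts, pid, "rename", old_path, new_path)."""
    marks = defaultdict(list)   # pid -> [(ts, kind)]
    for ts, pid, action, path, payload in events:
        if action == "write" and shannon_entropy(payload) >= min_entropy:
            marks[pid].append((ts, "enc_write"))
        elif action == "rename" and ext(payload) != ext(path):
            marks[pid].append((ts, "ext_change"))
    flagged = {}
    for pid, items in marks.items():
        items.sort()
        for t0, _ in items:                      # slide a window from each mark
            window = [kind for t, kind in items if t0 <= t < t0 + window_s]
            writes, renames = window.count("enc_write"), window.count("ext_change")
            if writes >= min_files and renames >= min_files:
                flagged[pid] = (f"{writes} high-entropy writes and {renames} "
                                f"extension changes within {window_s}s")
                break
    return flagged


# --- Constructed event stream ----------------------------------------------
CIPHERTEXT = bytes(range(256)) * 16       # every byte value equally likely: entropy 8.0
DOCUMENT = b"Quarterly plan: hire two engineers, ship in March. " * 80


def build_events() -> list:
    ev = []
    # pid 1002, a word processor: ordinary low-entropy saves
    ev += [(60.0, 1002, "write", "C:/Users/a/Documents/plan.docx", DOCUMENT),
           (61.0, 1002, "write", "C:/Users/a/Documents/plan.docx", DOCUMENT)]
    # pid 1003, a backup tool: six compressed (high-entropy) archives, no renames
    ev += [(70.0 + i, 1003, "write", f"D:/backup/set{i}.zip", CIPHERTEXT) for i in range(6)]
    # pid 4242, the rebuilt locker: encrypts eight documents and renames each one
    for i in range(8):
        p = f"C:/Users/a/Documents/doc{i}.docx"
        ev.append((100.0 + i * 0.5, 4242, "write", p, CIPHERTEXT))
        ev.append((100.1 + i * 0.5, 4242, "rename", p, p + ".locked"))
    return ev


EVENTS = build_events()


if __name__ == "__main__":
    print("signature, v1:", signature_verdict(LOCKER_V1))   # True
    print("signature, v2:", signature_verdict(LOCKER_V2))   # False: same malware, new hash
    for pid, why in behavior_verdicts(EVENTS).items():
        print(f"behavior, pid {pid}: {why}")
```

The thresholds are the tuning knobs: raise min_files and the rule misses a slow encryptor, lower it and the backup tool or a compression job starts producing alerts. That trade-off, not the hash list, is where a detection layer earns or loses its keep.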

This site's view: memorizing types is not a defense strategy

Attackers keep changing the names and the looks. Chasing "this month's malware name" won't make your defense stronger. What works universally is the structure of three layers: entry, detection, recovery. This site applies the same principle to itself: we keep dependencies updated to close the entry, automatically monitor CVEs in those dependencies to detect, and keep our setup reproducible so we can recover. Defending against malware isn't special; it's an extension of these basics.

The blind spot: "I have antivirus, so I'm fine" isn't true

The most common mistake is treating one detection tool as a lucky charm. Detection always misses a certain fraction, and the moment that's breached your defense drops to zero. What's strong is layering: cut the volume at the entry (don't open, do update), catch what's left with detection (antivirus / EDR), and neutralize whatever still slips through with recovery (backups). Not leaning on any single layer is where malware defense begins.

FAQ

Q: What's the difference between malware and a virus?
A:

A virus is one type of malware. Malware is the umbrella term for all 'malicious software,' and it includes viruses, worms, trojans, ransomware, spyware, and bots. In everyday speech people call everything a 'virus,' but strictly a virus is the specific type that copies itself by attaching to other files, while malware is the big umbrella word that covers all of them.

Q: Is free antivirus enough?
A:

For personal basics, the built-in protection your OS ships with (like Microsoft Defender on Windows) plus regular updates, backups, and least privilege already covers a lot. But antivirus mostly matches 'known bad' things, so novel or clever malware can slip past. Where you need stronger defense, EDR complements it by watching behavior and catching unknown attacks. Either way, don't rely on detection alone — pair it with the entry side (updates, not opening suspicious files) and recovery (backups).

Q: I think I'm infected. What should I do?
A:

First, don't panic-pay anything. The order is: (1) disconnect that device from the network (cable out, Wi-Fi off) to stop it spreading and calling out; prefer disconnecting over powering it off, since a running machine keeps evidence a responder can still examine, (2) from a separate, safe device, change the passwords for email, banking, and key accounts and turn on multi-factor authentication, (3) restore from a clean backup or reset the device to get back to a known-good state, and (4) cut off the entry you suspect (the attachment you opened, the app you installed, the USB you plugged in). For a device holding important data, consider bringing in a professional.