Malware & Social Engineering | A+ Core 2

A+ Core 2 — 220-1102  |  Domain 2: Security
Malware & Social Engineering
Threat types, attack techniques, malware removal, and the defenses that stop them. The most-tested security domain on the A+ Core 2 exam.
21 slides • Domain 2: Security — 25% of the exam • Malware • Social Engineering • Removal • Exam 220-1102
Slide 2 of 21
The Malware Infection Chain
Every attack follows a predictable progression from initial delivery to exfiltration.
[Diagram: the six stages of the chain — Phishing email → 1. Delivery; User clicks → 2. Exploit; Payload download → 3. Install; Execute payload → 4. Execute; Lateral movement → 5. Spread; Data exfiltration → 6. Exfil]
Why This Matters
Defenders can interrupt the chain at any stage to stop an attack, and understanding each step tells you which control prevents or detects what: patching stops stages 2 and 3, EDR stops stage 4, and segmentation stops stage 5.
Slide 3 of 21
Malware Types at a Glance
Six core threat categories with distinctive behaviors and detection signatures.
[Icon grid: Virus (needs host file), Worm (self-replicates), Trojan (disguised threat), Ransomware (encrypts files), Spyware (steals data silently), Rootkit (hides in OS kernel)]
Type | Key Behavior | Spreads Via | Exam Keyword
Virus | Attaches to files; needs user to open | Infected files, email attachments | Requires host + user action
Worm | Self-replicates across networks | Network exploits, no user needed | Autonomous spread
Trojan | Disguised as legitimate software | Social engineering, fake downloads | Deception, not self-replicating
Ransomware | Encrypts files, demands payment | Phishing emails, exploit kits | AES/RSA encryption, ransom note
Spyware | Silently collects and transmits data | Bundled software, drive-by download | Privacy violation, keylogger
Rootkit | Hides in OS kernel to evade detection | Exploits, trojan droppers | Kernel-mode, near impossible to remove
Slide 4 of 21
Viruses & Worms
The distinction between these two is heavily tested on A+ Core 2.
[Diagram: Virus — needs the file (a host file plus a user click to spread); Worm — spreads on its own (no user action needed)]
Virus
Requires a host file to attach to and user action to execute. Replicates by infecting other files. Types: boot sector, macro, polymorphic, armored. Cannot spread on its own.
Worm
Standalone code — no host file, no user action needed. Exploits OS or application vulnerabilities to spread autonomously across networks. Can consume massive bandwidth.
Trojan & RAT
Disguised as legitimate software. Trojans open backdoors. A RAT (Remote Access Trojan) gives the attacker complete remote control: files, webcam, keystrokes, mic. Communicates via C2 server.
Rootkit
Hides deep in kernel or firmware. Bootkit = MBR/UEFI. Evades standard AV. Kernel-mode rootkits often require full OS reinstall. Firmware rootkits may require hardware replacement.
Logic Bomb
Triggers on a specific condition (date, account deletion, event). Lies dormant until trigger. Typically planted by insiders. Payload is destructive. Hard to detect before detonation.
Exam Tip
Virus needs a host and user action. Worm is self-contained and self-propagating. This is the #1 distinction tested. Trojans rely on deception, not exploitation.
Slide 5 of 21
Ransomware, Cryptominers & Fileless Malware
[Diagram: ransom note reading "Your files LOCKED — pay or lose" with a countdown timer; the attacker demands payment; a backup bypasses the whole attack and the files are restored]
Ransomware
Encrypts victim files with AES-256/RSA. Displays ransom note with deadline. Double extortion = encrypts AND threatens to publish data. Do NOT pay. Restore from backups. WannaCry, NotPetya, DarkSide are exam examples.
Cryptominer
Hijacks CPU/GPU to mine cryptocurrency for attacker. Symptom: sustained high CPU usage, overheating, slow performance, increased power bills. Browser-based variant: cryptojacking via malicious JavaScript.
Fileless Malware
Lives entirely in RAM — no files on disk for AV to scan. Abuses legitimate tools: PowerShell, WMI, Windows Registry. Called "living off the land." Requires EDR and behavioral detection.
Botnet
Network of compromised "zombie" machines controlled by a botmaster via C2 servers. Used for DDoS, spam, credential stuffing, cryptomining. Individual infected machine = bot or zombie.
Spyware / Keylogger
Spyware monitors activity and steals credentials. Keylogger records every keystroke. Software keyloggers = detectable by AV. Hardware keylogger = physical device between keyboard and PC; invisible to software scans.
Slide 6 of 21
Recognizing Malware Symptoms
Symptoms across three categories — performance, behavior, and security indicators.
Performance Symptoms
CPU or RAM at high % with no visible programs
Disk LED constantly lit; disk at 100%
System freezes, crashes, or BSODs frequently
Apps take much longer to open or respond
Suspicious Behavior
Pop-ups when browser is closed (adware)
Homepage or search engine changed without permission
Files encrypted, renamed, or inaccessible
Mouse moves on its own (RAT activity)
Security Indicators
Antivirus disabled; cannot be re-enabled
Windows Update or firewall turned off
Unknown programs in startup or Task Manager
Unexpected outbound network connections
A user calls help desk: "My computer is really slow and I'm getting a lot of pop-ups even when I close Chrome." This describes a likely adware or PUP infection. Step 1: quarantine the machine from the network immediately.
Slide 7 of 21
The 7-Step Malware Removal Process
CompTIA's official procedure. Memorize this order — it appears directly on the exam.
[Diagram: the seven steps in order — 1 Investigate (verify symptoms), 2 Quarantine (disconnect), 3 Disable System Restore, 4 Remediate (scan and clean), 5 Schedule scans and patch, 6 Re-enable System Restore and create a restore point, 7 Educate the end user]
1. Investigate and verify malware symptoms — Document what the user reports. Confirm via Task Manager, Event Viewer, and network connections.
2. Quarantine infected systems — Disconnect from the network (unplug Ethernet, disable Wi-Fi). Stops spread and cuts off C2 communication.
3. Disable System Restore — Prevents malware from hiding in restore points that could reinfect the system during recovery.
4. Remediate the infected system — Boot to Safe Mode. Update AV signatures. Run a full scan with multiple tools. Use bootable rescue media for persistent threats.
5. Schedule scans and run updates — Set up automatic scheduled scans. Ensure the OS and all applications are fully patched.
6. Re-enable System Restore and create a restore point — Now that the system is clean, create a new known-good restore point.
7. Educate the end user — Explain how the infection occurred. Teach safe browsing habits, email caution, and the importance of updates.
Critical Exam Fact
Step 3 (Disable System Restore) comes BEFORE Step 4 (Remediate). Malware can survive inside an existing restore point, so if you remediate without first disabling System Restore, a later restore can bring the malware back.
Slide 8 of 21
Remediation Deep Dive (Step 4)
Safe Mode Boot
Loads minimal drivers — most malware won't run. Access: Shift+Restart → Troubleshoot → Advanced Options → Startup Settings. Safe Mode with Networking allows definition updates.
Scanning Strategy
Update definitions BEFORE scanning. Run full system scan (not quick). Use multiple tools: Windows Defender + Malwarebytes or HitmanPro. Check startup: msconfig, Autoruns, Task Manager Startup tab.
Anti-Malware Scan Types
Scan | Use When
Quick | Routine daily checks
Full | Suspected infection
Offline | Persistent threats, rootkits
Custom | Specific suspicious file/folder
Quarantine vs Delete
Quarantine = isolates file (preserves for review). Delete = permanently removes. Always quarantine first to rule out false positives. Delete only confirmed threats.
Slide 9 of 21
Malware Comparison Chart
All ten malware types with key behaviors, spread method, and exam indicator.
Type | Behavior | Spread Method | Key Indicator
Virus | Attaches to files | User opens infected file | Corrupted/altered files
Worm | Self-replicates autonomously | Network exploits, no user needed | Network slowdown
Trojan | Disguised legitimate program | Social engineering | Unexpected programs
Rootkit | Hides in OS kernel/firmware | Exploits, trojan droppers | Hidden processes, AV bypass
Ransomware | Encrypts files | Phishing, exploit kits | Ransom note, locked files
Spyware | Steals data silently | Bundled software | Privacy violations
Adware | Displays ads, redirects | Bundled installs | Pop-ups, changed homepage
Cryptominer | Mines crypto for attacker | Downloads, browser scripts | Sustained high CPU
Fileless | Lives in RAM only | Exploits, PowerShell | Suspicious processes, no disk artifacts
Logic Bomb | Triggers on condition | Insider threat | Delayed destruction
Slide 10 of 21
Phishing & Social Engineering
Deceptive communications designed to steal credentials or deliver malware.
[Diagram: phishing email → phishing link to bank-secure-login.ru → fake login page collects username and password → attacker server (C2 / data collection) → account takeover of the compromised account]
Attack Type | Method | Target
Phishing | Mass deceptive emails with malicious links or attachments | Anyone (broad net)
Spear Phishing | Targeted, personalized emails using researched personal info | Specific individuals
Whaling | High-value executives targeted (the "big fish") | CEO, CFO, board
Vishing | Voice phishing over phone calls (fake IT support calls) | Anyone with a phone
Smishing | SMS/text message phishing with malicious links | Mobile users
Phishing Red Flags
Sender domain doesn't match claimed org • Urgent language ("Your account will be suspended!") • Link URL differs from displayed text • Unexpected attachments (.exe, .zip, .docm) • Generic greeting ("Dear Customer")
Defense Principle
Verify through a SEPARATE channel. If "IT" calls requesting your password, hang up and call IT directly using a number you look up yourself. Never use contact info provided by the suspected attacker.
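The red flags listed on this slide can be checked mechanically before a user ever reads the message. The script below is an added example, not part of the course material: SAMPLE_EMAIL is a constructed message, every domain in it is a .example placeholder, and the claimed organisation domain mybank.example is an assumption.

```python
"""Phishing red-flag checker for the five flags on the slide (added example,
not course material). SAMPLE_EMAIL is constructed; every domain is a
.example placeholder and claimed_domain is the org the mail claims to be."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

URGENT = ("suspended", "immediately", "within 24 hours", "urgent", "act now")
RISKY_EXT = (".exe", ".zip", ".docm", ".scr", ".js")
GENERIC = ("dear customer", "dear user", "dear account holder")
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)

def check_phishing_red_flags(raw_email, claimed_domain):
    """Return the red flags found in raw_email; an empty list means none."""
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []
    # 1. Sender domain does not match the organisation the mail claims to be
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    dom = m.group(1).lower() if m else ""
    if dom != claimed_domain and not dom.endswith("." + claimed_domain):
        flags.append(f"sender domain {dom} does not match {claimed_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    low = text.lower()
    # 2. Urgent language meant to short-circuit the reader's judgement
    if any(w in low for w in URGENT):
        flags.append("urgent language")
    # 3. Displayed link text names one host while the href points elsewhere
    for href, shown in HREF_RE.findall(text):
        h = HOSTLIKE.match(shown.strip())
        if h and h.group(1).lower() != urlparse(href).netloc.lower():
            flags.append(f"link text {shown.strip()} hides {href}")
    # 4. Unexpected executable or macro-capable attachment
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"risky attachment {name}")
    # 5. Generic greeting: a real bank addresses the customer by name
    if any(g in low for g in GENERIC):
        flags.append("generic greeting")
    return flags

SAMPLE_EMAIL = """\
From: Security Team <alerts@bank-secure-login.example>
Subject: Action required
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html

<p>Dear Customer,</p><p>Your account will be suspended within 24 hours.
Log in at <a href="http://bank-secure-login.example/login">www.mybank.example</a>.</p>
--B
Content-Disposition: attachment; filename="statement.zip"

UEsDBA==
--B--
"""
```

Calling check_phishing_red_flags(SAMPLE_EMAIL, "mybank.example") returns all five flags for the constructed message, while a plain internal mail from the claimed domain returns an empty list.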
Slide 11 of 21
Social Engineering Psychological Tactics
Technique | How It Works | Example
Pretexting | Creates a false scenario to build trust | "I'm from IT — I need your password to fix your email"
Impersonation | Poses as an authority figure | Wearing a fake uniform or badge
Authority | Claims power to pressure compliance | "The CEO needs this file immediately"
Urgency | Creates time pressure to bypass critical thinking | "Transfer the funds now or we lose the contract"
Intimidation | Uses threats to compel action | "You'll be fired if you don't comply"
Consensus | Claims others have already complied | "Everyone else in your department gave us access"
Tailgating / Piggybacking
Following authorized person through secure door without badging. Tailgating = without knowledge. Piggybacking = person holds door knowingly. Prevented by access vestibules (mantraps).
Shoulder Surfing
Observing credentials or sensitive data being entered. Defense: privacy screens, screen positioning, awareness training.
Dumpster Diving / Baiting
Dumpster diving = searching trash for data. Defense: shredders. Baiting = leaving infected USB drives in parking lots. Defense: USB port locks, Group Policy to disable autorun.
Slide 12 of 21
Windows Security / Defender Configuration
Key Defender Features
Real-time protection — continuous file system monitoring
Cloud-delivered protection — Microsoft threat intelligence
Controlled folder access — blocks ransomware from modifying protected folders
Tamper protection — prevents malware from disabling Defender
Exploit protection — DEP, ASLR memory protection
Browser Security
SmartScreen / Safe Browsing — warns on known phishing sites
Pop-up blocker — blocks malicious pop-up windows
Install extensions from official stores only
Review extension permissions carefully
HTTPS-only mode forces secure connections
Prevention Best Practices
Keep OS and software patched • Enable real-time AV with current definitions • Use MFA on all accounts • Disable AutoRun on removable media • Apply 3-2-1 backup rule (3 copies, 2 media types, 1 offsite)
Slide 13 of 21
Real-World Case Studies
[Diagram: botmaster sends commands to the C2 server (command and control), which directs zombie machines to launch a DDoS that overwhelms the target]
WannaCry (2017)
Exploited the EternalBlue SMBv1 vulnerability (MS17-010). Worm-like propagation hit 200,000+ systems in 150 countries in 72 hours; victims included NHS hospitals, FedEx, and Telefonica. A patch had existed for months before the attack. Lesson: patch management is non-negotiable.
SolarWinds (2020)
Attackers compromised the Orion software build pipeline. Trojanized updates distributed to 18,000+ orgs including US government agencies. Called a supply chain attack. Lesson: even trusted software can be weaponized.
Colonial Pipeline (2021)
DarkSide ransomware shut down the largest US fuel pipeline for 6 days. Entry point: single compromised VPN password with no MFA enabled. $4.4M ransom paid. Lesson: one weak credential + no MFA = catastrophic breach.
Ransomware Response Rule
Do NOT pay the ransom. Payment funds criminal operations, does not guarantee file recovery, and marks you as a future target. The correct response: restore from clean backups and report to law enforcement (FBI IC3).
Slide 14 of 21
Adware & Browser Hijacking
Adware
Displays unwanted advertisements for revenue. Symptoms: pop-up ads (even without browser open), browser redirects, new toolbars, changed homepage. Often bundled with free software installs. Not always criminal but degrades performance and privacy.
PUP / PUA
Potentially Unwanted Programs/Applications. Legitimate but undesirable software bundled with free downloads. Includes toolbars, download managers, fake system optimizers. Remove with Malwarebytes or AdwCleaner.
Browser Hijacker Removal Steps
1. Remove unknown extensions from all browsers
2. Reset browser homepage and default search engine
3. Clear cookies and cache
4. Uninstall suspicious programs from Apps & Features
5. Run anti-malware full scan
6. Check hosts file for malicious entries (C:\Windows\System32\drivers\etc\hosts)
Browser Setting | Location (Chrome) | Why Check It
Extensions | chrome://extensions | Rogue extensions steal data, redirect traffic
On startup | Settings → On startup | Hijackers set a malicious homepage
Search engine | Settings → Search engine | Redirects all searches to attacker-controlled engine
Permissions | Settings → Privacy → Site settings | Review camera, mic, location grants
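Step 6 of the removal list, checking the hosts file, is easy to script. The following is an added example and not course material: it parses text in the Windows hosts-file format and reports the two kinds of entry a hijacker typically plants. SAMPLE_HOSTS, the av-vendor.example watch list and the mybank.example names are all constructed placeholders.

```python
"""Hosts-file review for the browser-hijacker cleanup (added example, not
course material). Parses Windows hosts-file syntax and flags what hijackers
add: a site redirected to a non-loopback address, or a security-vendor
update domain sunk to loopback. SAMPLE_HOSTS and WATCH are constructed."""
import ipaddress

# Names whose loopback mapping is expected and never flagged
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Constructed watch list: update domains an attacker sinks to blind AV
WATCH = {"update.av-vendor.example", "definitions.av-vendor.example"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) per mapping; comments and blanks skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address mapping
        for name in fields[1:]:
            yield ip, name.lower(), no


def suspicious_entries(text):
    """Return [(line_no, hostname, ip, reason)] for entries needing review."""
    found = []
    for ip, name, no in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        sinkhole = ip.is_loopback or ip.is_unspecified  # 127.x, ::1, 0.0.0.0
        if name in WATCH:
            found.append((no, name, str(ip), "security update domain overridden"))
        elif not sinkhole:
            found.append((no, name, str(ip), "site redirected to non-loopback address"))
    return found


SAMPLE_HOSTS = """\
# constructed sample in Windows hosts-file format
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example                      # ad-block style, benign
203.0.113.45    www.mybank.example online.mybank.example # hijacker redirect
127.0.0.1       update.av-vendor.example                 # AV updates sinkholed
"""

if __name__ == "__main__":
    for no, name, ip, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip} ({why})")
```

The benign 0.0.0.0 ad-block entry is deliberately left alone; only the bank redirect and the sinkholed update domain are reported.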
Slide 15 of 21
Zero-Day Exploits & Vulnerability Lifecycle
Zero-Day Vulnerability
A flaw in software or hardware that is unknown to the vendor. The term means the vendor has had "zero days" to develop a patch. These are extremely valuable on the dark web and used in targeted attacks.
Exploit Kit
Automated attack toolkit that probes a system for multiple known vulnerabilities simultaneously. Delivered via malicious websites (drive-by download). Examples: RIG EK, Neutrino EK. Typically drops ransomware or banking trojans.
CVE System
Common Vulnerabilities and Exposures — a public database of known vulnerabilities. Each gets a CVE-YEAR-NUMBER (e.g., CVE-2021-44228 = Log4Shell). CVSS score rates severity 0-10. Patch based on CVSS severity and exposure.
Patch Management Lifecycle
Vulnerability disclosed → CVE assigned → Vendor releases patch → Test patch in staging environment → Deploy to production → Verify deployment → Monitor for new vulnerabilities. Window between disclosure and patching is the most dangerous period.
Slide 16 of 21
Endpoint Protection Technologies
AV vs EDR
AV (Antivirus) — signature-based, detects known malware
EDR (Endpoint Detection & Response) — behavioral analysis, detects unknown and fileless threats
EDR records all endpoint activity for forensic investigation
Modern platforms combine both (next-gen AV)
Host-Based vs Network Controls
HIDS — Host Intrusion Detection System, monitors endpoint
NIDS — Network Intrusion Detection System, monitors traffic
Firewall — blocks unauthorized connections by port/IP/protocol
DNS filtering — blocks resolution of known malicious domains
Tool | What It Detects | Limitation
Signature AV | Known malware by hash/pattern | Misses zero-day and polymorphic threats
Heuristic AV | Suspicious code behavior patterns | Higher false positive rate
EDR | Behavioral anomalies, fileless attacks | Requires tuning; generates alert volume
SIEM | Correlated events across multiple sources | Requires skilled analyst to triage
Slide 17 of 21
Defense Against Social Engineering
Technical Controls
Email filtering with spam detection • DMARC/DKIM/SPF email authentication • MFA on all accounts • URL rewriting to inspect links • Attachment sandboxing • USB port controls
Physical Controls
Access vestibules (mantraps) stop tailgating • Security cameras and guards • Visitor logs and escort policies • Privacy screens prevent shoulder surfing • Shredders for sensitive documents
Training & Policy
Security awareness training (the #1 defense) • Phishing simulation campaigns • Incident reporting culture • Clear acceptable use policy • Verification procedures for sensitive requests
The User is the Last Line of Defense
No technical control fully prevents social engineering. A well-trained user who questions suspicious requests, verifies through independent channels, and reports anomalies stops attacks that bypass all other defenses.
Slide 18 of 21
Malware Removal Tools & Resources
Primary Scan Tools
Windows Defender Offline Scan — scans before OS loads
Malwarebytes — second-opinion scanner, excellent PUP detection
HitmanPro — cloud-based second-opinion scanner
AdwCleaner — adware and PUP focused
Rootkit & Advanced Threats
GMER — kernel-level rootkit detection
Kaspersky TDSSKiller — bootkits and TDL rootkits
Bootable rescue disk — scans offline, bypasses infected OS
For kernel/firmware rootkits: OS reinstall or hardware replacement
Startup & Process Analysis
Autoruns (Sysinternals) — all auto-start locations
Process Explorer — advanced task manager with parent process view
msconfig — startup programs, services, boot options
netstat -an — shows all active network connections
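The "unexpected outbound network connections" symptom from the symptoms slide is what you look for in netstat -an output. This added example, not course material, parses a constructed capture in the Windows netstat -an column layout and reports established sessions to hosts outside the RFC 1918 ranges on ports other than 80 and 443; the addresses are documentation ranges and the expected-port set is an assumption you would tune per environment.

```python
"""Triage of 'netstat -an' output for the 'unexpected outbound connections'
symptom (added example, not course material). SAMPLE_NETSTAT is constructed
in the Windows netstat -an layout using documentation-range addresses."""
import ipaddress

# Remote ports ordinary outbound traffic uses; anything else gets a look
EXPECTED_PORTS = {80, 443}
# Address space treated as "inside"; documentation ranges then count as external
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True for loopback (v4 or v6) and RFC 1918 addresses."""
    return ip.is_loopback or any(ip in net for net in INTERNAL)


def split_endpoint(ep):
    """'10.0.0.12:49711' or '[::1]:135' -> (ip_address, port)."""
    host, _, port = ep.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse_netstat(text):
    """Yield (local, remote, state) for TCP rows; header and UDP rows skipped."""
    for raw in text.splitlines():
        f = raw.split()
        if len(f) < 4 or f[0] != "TCP":
            continue
        yield split_endpoint(f[1]), split_endpoint(f[2]), f[3]


def unexpected_outbound(text):
    """ESTABLISHED TCP sessions to an external host on a non-web port."""
    hits = []
    for (lip, lport), (rip, rport), state in parse_netstat(text):
        if state == "ESTABLISHED" and not is_internal(rip) and rport not in EXPECTED_PORTS:
            hits.append((f"{lip}:{lport}", f"{rip}:{rport}"))
    return hits


SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.12:49711        10.0.0.5:445           ESTABLISHED
  TCP    10.0.0.12:49822        203.0.113.77:6667      ESTABLISHED
  TCP    10.0.0.12:49830        198.51.100.9:443       ESTABLISHED
  TCP    [::1]:49900            [::1]:8080             ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

if __name__ == "__main__":
    for local, remote in unexpected_outbound(SAMPLE_NETSTAT):
        print(f"review: {local} -> {remote}")
```

A hit is a starting point for the investigate step, not proof of infection: map the local port back to its owning process (Process Explorer or netstat -ano) before deciding.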
Slide 19 of 21
Prevention Best Practices
Technical Controls
Keep OS and all software patched and current
Antivirus with real-time protection and current definitions
Enable host-based firewall on all endpoints
Email filtering with sandboxed attachment analysis
DNS-based content filtering (block known-bad domains)
Disable AutoRun/AutoPlay on removable media
User Practices
Never click links in suspicious emails — go directly to site
Download software only from official vendor sources
Use strong, unique passwords for every account
Enable MFA on all accounts, especially email and banking
Apply 3-2-1 backup rule religiously
Report any suspicious activity immediately to IT
3-2-1 Backup Rule
Keep 3 copies of your data, on 2 different media types, with 1 copy stored offsite or in the cloud. This guarantees ransomware cannot destroy all your backups simultaneously.
Slide 20 of 21
Knowledge Check
Three exam-style questions covering the core malware concepts.
Q1: Self-Replication
Which malware type self-replicates across networks WITHOUT requiring user action?

A) Virus • B) Worm • C) Trojan • D) Logic Bomb

Answer: B) Worm — Worms require no host file and no user interaction. They exploit network vulnerabilities to spread autonomously.
Q2: Removal Step Order
What is Step 3 of CompTIA's 7-step malware removal process?

A) Quarantine the system • B) Educate end user • C) Disable System Restore • D) Run antivirus scan

Answer: C) Disable System Restore — This prevents malware from surviving in restore points.
Q3: Executive Target
Which social engineering attack specifically targets high-value executives?

A) Vishing • B) Spear Phishing • C) Whaling • D) Smishing

Answer: C) Whaling — Whaling targets the "big fish" — CEO, CFO, board members.
Slide 21 of 21
Chapter Summary
01. Virus requires a host file and user action. Worm self-replicates across networks without any user interaction.
02. Trojans disguise as legitimate software. RATs provide complete remote attacker control over webcam, files, and keystrokes.
03. Rootkits hide in OS kernel or firmware. Kernel-mode rootkits typically require full OS reinstall to remove.
04. Ransomware encrypts files and demands payment. Do NOT pay. Restore from clean backups and report to FBI IC3.
05. Fileless malware lives only in RAM, abusing PowerShell and WMI. Requires behavioral EDR detection — signatures alone fail.
06. Phishing = email • Vishing = voice/phone • Smishing = SMS • Whaling = targeting executives specifically.
07. 7-step removal: Investigate → Quarantine → Disable Restore → Remediate → Schedule scans → Re-enable Restore → Educate user.
08. Quarantine preserves the file for review. Delete permanently removes it. Quarantine first to avoid false-positive data loss.
09. Hardware keyloggers are invisible to software scans — inspect physical ports on sensitive machines.
10. 3-2-1 backup rule is the primary ransomware defense. Patches and MFA close the entry points.