Malware

Not all software is on your side. Malware — short for malicious software — is any program written on purpose to harm, take control of, or steal from a computer or its user. It is not a bug or a crash caused by sloppy code; it is code that does exactly what its author intended, and what its author intended is bad for you.

A single word covers a whole family. A program that quietly copies your bank password, one that locks up every file on your school network, and one that turns your laptop into part of a stranger's army of machines are all "malware" — but they behave very differently. The rest of this page is really about telling those behaviours apart, because knowing how a piece of malware spreads and hides is the first step to stopping it.

The main types

The types below are grouped by the trick they use to get onto your machine and the damage they do once they are there. The same nasty program can wear more than one label at once (a worm can carry ransomware, for example), but for GCSE you need to know the classic definition of each one.

Virus

A virus attaches itself to an existing file or program — a document, a game, a photo viewer. It does nothing on its own. It only springs to life when a person runs the infected file. When it runs, it copies itself into other files, and those files can carry the infection onward. Think of it like a cold: it needs a host to live in and someone to carry that host around.

Worm

A worm is the self-propelled cousin of the virus. It does not need a host file and it does not need a human to run it. It spreads by itself across a network, hunting for other machines with a weakness it can slip through, copying itself to each one, and repeating. Because no one has to click anything, a worm can flood an entire network in minutes.

Trojan

A trojan (named after the wooden horse of the Trojan War) is malware disguised as something you want — a free game, a "video codec", a cracked app, a helpful-looking email attachment. It cannot force its way in and it cannot spread by itself. Instead it relies on tricking the user into running it. You invite it in, believing it is useful; once open, it does its real job in the background.

Ransomware

Ransomware is defined by what it does, not how it arrives. Once running, it encrypts your files — scrambling them so they are unreadable — and then demands a ransom (usually in cryptocurrency) for the key to unlock them. Paying is never guaranteed to work, which is why regular backups are the real defence: if you have a clean copy, the attacker has nothing to sell back to you.

Spyware

Spyware hides quietly and watches. It can log the keys you press (a keylogger), record the sites you visit, or harvest passwords and card numbers, then send all of it back to the attacker — often without ever damaging a file, so you never notice it is there.

Spot the difference at a glance

The exam favourite is the difference between the first three: how each one spreads.

The pattern to remember: a virus needs a host file and a person to run it; a worm needs neither — it travels the network alone; a trojan pretends to be useful so the person runs it willingly.

These three get muddled in almost every exam. Pin them down by the one question "what does it need in order to spread?":

So the sharpest line is worm vs virus: self-spreading (worm) versus needs-a-host-file-to-be-run (virus).

How malware gets in

Almost all infections come through one of a small handful of doors. Learn the doors and you learn where to be careful:

How to protect against it

No single tool makes you safe; defence is a stack of habits and software working together:

The story comes from Homer: the Greeks, unable to break into the city of Troy after ten years of siege, left a giant wooden horse as a fake "gift", hid soldiers inside, and sailed away as if giving up. The Trojans wheeled it through their own gates in triumph — and at night the soldiers climbed out and opened the city from within. Whether it truly happened is debated by historians, but it is the perfect picture of malware: the danger did not break in, it was welcomed in. That is why disguised malware carries the name.

In 2003 a worm called SQL Slammer needed no file and no clicks — it just fired copies of itself at other machines over the network. It infected around 75,000 computers in about ten minutes, doubling its numbers roughly every 8.5 seconds early on, and slowed chunks of the internet worldwide. That is the whole point of the virus/worm distinction: a virus waits politely for someone to run a file; a worm never waits at all.
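To see why a doubling time of 8.5 seconds leaves defenders almost no time to react, here is a small growth model built from the SQL Slammer figures above. It is an added example, not part of the original page. It assumes the outbreak starts from a single machine and follows a simple logistic curve (fast doubling at first, slowing as uninfected targets run out).

```python
import math

# Figures quoted in the SQL Slammer paragraph above.
VULNERABLE_HOSTS = 75_000      # machines eventually infected
DOUBLING_TIME_S = 8.5          # early doubling time, in seconds

# Assumption for this model only: the outbreak starts from one infected machine.
INITIAL_INFECTED = 1

# Growth rate that gives the quoted doubling time while almost nobody is infected.
RATE = math.log(2) / DOUBLING_TIME_S


def infected_at(t_seconds):
    """Logistic growth: exponential at first, levelling off as targets run out."""
    ratio = VULNERABLE_HOSTS / INITIAL_INFECTED - 1
    return VULNERABLE_HOSTS / (1 + ratio * math.exp(-RATE * t_seconds))


def seconds_to_reach(fraction):
    """Time until the given fraction (between 0 and 1) of hosts is infected."""
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    start = INITIAL_INFECTED / VULNERABLE_HOSTS
    if fraction <= start:
        return 0.0
    # In a logistic curve the odds (infected : not infected) grow exponentially.
    odds_target = fraction / (1 - fraction)
    odds_start = start / (1 - start)
    return math.log(odds_target / odds_start) / RATE


if __name__ == "__main__":
    for t in (0, 30, 60, 90, 120, 150, 180):
        print(f"{t:>4} s  {infected_at(t):>8.0f} infected")
    for f in (0.5, 0.9, 0.99):
        print(f"{f:.0%} of hosts after {seconds_to_reach(f):.0f} s")
```

The model ignores network congestion and other real-world limits, so it saturates sooner than the ten minutes quoted above. Even so, it shows that nearly all of the growth happens in a window far too short for anyone to patch by hand, which is why fixing the weakness before a worm appears matters so much.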