Malware — short for malicious software — is any program or code intentionally designed to damage a system, disrupt its operation, steal data, or gain unauthorised access. It's an umbrella term covering dozens of specific attack types, from viruses that spread between files to ransomware that holds your business to ransom. Understanding the landscape helps you recognise threats and choose the right defences.
The main types of malware
Virus
The oldest form. A virus attaches itself to a legitimate file or program and replicates when that file is executed, spreading to other files and systems. True viruses require human action (opening an infected file) to spread. They can corrupt data, crash systems or act as a delivery mechanism for other malware. Less common than they once were — modern attackers prefer more targeted approaches.
Trojan (Trojan horse)
Malware disguised as legitimate software. A trojan doesn't replicate on its own; it relies on users downloading and running it, believing it's something useful (a free game, a cracked tool, a fake software update). Once running, it can install backdoors, steal credentials, log keystrokes, or download additional malware. Trojans delivered by phishing are one of the most common initial access methods, including in targeted attacks.
Ransomware
Encrypts files and demands payment for the decryption key. Often delivered via phishing email or a trojan loader. One of the most damaging malware types for businesses because it directly interrupts operations and can cause permanent data loss. See our dedicated ransomware guide for a full breakdown.
Spyware
Silently collects information about you or your system and sends it to the attacker — keystrokes, screenshots, passwords, browsing history, financial data. Often bundled with free software or browser extensions. Designed to be invisible; victims rarely know it's there.
Adware
Injects unwanted advertising into your browser or system — pop-ups, redirected search results, replaced ads on legitimate sites. Usually less destructive but can degrade performance and expose users to malicious ads. The boundary between adware and spyware is often blurry.
Worm
Self-replicating malware that spreads across networks without requiring user action. Once inside a network, a worm can propagate to every reachable system automatically, which makes it especially dangerous in enterprise environments. WannaCry (2017) was a famous worm-ransomware combination: it spread by exploiting an SMB vulnerability in Windows for which Microsoft had released a patch two months earlier, which is why patching is the single most effective defence against worms.
Rootkit
Designed to hide the attacker's presence at a deep system level — modifying the operating system to conceal processes, files, network connections and registry entries. Rootkits are hard to detect because they subvert the very tools used to look for them. Often used to maintain persistent, hidden access after initial compromise.
Botnet malware
Turns your device into a "bot" — remotely controlled by the attacker as part of a larger network. Botnets are used to launch DDoS attacks, send spam, mine cryptocurrency, or conduct credential-stuffing campaigns. The device owner typically has no idea.
Keylogger
Records every keystroke typed on a device and sends them to the attacker — capturing passwords, credit card numbers, messages. Often a component of a broader trojan rather than standalone.
How malware spreads
- Phishing emails — malicious attachments (Word documents with macros, PDF exploits) or links to drive-by download sites. The leading delivery mechanism for most malware families.
- Drive-by downloads — visiting a compromised or malicious website triggers an exploit (usually targeting the browser or a plugin) and silently installs malware without any user click.
- Malvertising — malicious code embedded in advertising networks, served even on legitimate high-traffic websites.
- Software supply chain — malware hidden in legitimate software updates or open-source packages (a growing attack vector).
- Removable media — infected USB drives, still used in targeted attacks against air-gapped environments.
- Exploiting unpatched vulnerabilities — network worms and bots scan for systems exposing known vulnerabilities (published CVEs) that haven't been patched and compromise them automatically, no user interaction required.
- Credential theft — using stolen passwords to log in to a system and install malware directly.
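The phishing bullet above mentions macro-laden Office attachments and executables disguised as documents. The following Python is an added example (not code from this page or from any product it mentions) of the kind of attachment triage a mail gateway performs before a file ever reaches a user: it unpacks an Office file (which is a zip archive) and looks for an embedded VBA project, flags a VBA project hiding inside a supposedly macro-free `.docx`, and catches executable and double extensions such as `invoice.pdf.exe`. The extension lists, the finding codes and the sample files are assumptions constructed for the demo.

```python
import io
import zipfile

# Illustrative extension lists (assumptions for this example, not a complete gateway policy).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "vbe", "wsf", "hta",
                   "bat", "cmd", "ps1", "lnk", "msi", "iso", "img"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MACRO_ENABLED_EXTS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
OOXML_EXTS = MACRO_ENABLED_EXTS | {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def has_vba_project(data):
    """True if the bytes are a zip (OOXML) containing a vbaProject.bin part in any folder
    (word/, xl/, ppt/). Non-zip input simply returns False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.rsplit("/", 1)[-1].lower() == "vbaproject.bin"
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_findings(filename, data):
    """Return a list of finding codes for one attachment; an empty list means nothing of note."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append("executable-extension")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
            findings.append("double-extension")            # e.g. invoice.pdf.exe
    # Check Office-looking files by extension, and anything that carries the zip magic.
    if ext in OOXML_EXTS or data.startswith(b"PK\x03\x04"):
        if has_vba_project(data):
            findings.append("vba-macros")
            if ext not in MACRO_ENABLED_EXTS:
                findings.append("macro-extension-mismatch")  # macros inside a ".docx" or ".zip"
    return findings


def build_ooxml(member_names):
    """Constructed test data: a zip with the given part names and placeholder bodies.
    Real Office files carry many more parts; the check only needs the member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples, none of them real malware.
    samples = {
        "report.docx": build_ooxml(["[Content_Types].xml", "word/document.xml"]),
        "invoice.docm": build_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
        "renamed.docx": build_ooxml(["[Content_Types].xml", "word/document.xml", "word/vbaProject.bin"]),
        "invoice.pdf.exe": b"MZ" + b"\x00" * 62,
    }
    for name, blob in samples.items():
        print(name, attachment_findings(name, blob) or "clean")
```

The check inspects content rather than trusting the file name, which is the point: attackers rename files freely, and a gateway that only looks at extensions is trivially bypassed. In production this sits alongside sandbox detonation and reputation lookups rather than replacing them.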
Signs your device or site may be infected
- Unexpected slowdowns, crashes or reboots
- New browser toolbars, extensions or homepage changes you didn't make
- Unexpected redirects to other websites
- Antivirus disabled or refusing to update
- Unusual network traffic or connections to unknown IPs
- Files modified or encrypted without explanation
- Users reporting spam sent from your email address
- Google flagging your site as dangerous (check Search Console)
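"Files modified or encrypted without explanation" is the sign that matters most for ransomware, and it is also the kind of behaviour pattern an endpoint product watches for rather than a fixed signature. The Python below is an added example (not code from this page or from any product) of that heuristic: it takes a stream of file-write events, measures the Shannon entropy of the new content (plain text sits around 4 to 5 bits per byte, ciphertext close to 8) and raises an alert when one process rewrites many files as high-entropy data under a new extension within a short window. The event format, the process names, the thresholds and the sample events are all constructed assumptions for the demo.

```python
import hashlib
import math
import os
from collections import defaultdict, deque

# Tuning assumptions for the demo; real products use their own thresholds.
HIGH_ENTROPY_BITS = 7.2   # per-byte Shannon entropy; text ~4-5, ciphertext ~7.99
MIN_FILES = 10            # distinct files rewritten by one process before alerting
WINDOW_SECONDS = 30       # sliding window over event timestamps


def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension_changed(old_path, new_path):
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def detect_mass_encryption(events, window=WINDOW_SECONDS, min_files=MIN_FILES,
                           threshold=HIGH_ENTROPY_BITS):
    """events: iterable of dicts with keys ts, process, old_path, new_path, content.
    Returns {process: {"first_seen", "count", "sample"}} for processes that tripped the rule."""
    recent = defaultdict(deque)   # process -> deque of (ts, new_path) suspicious writes
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Only high-entropy content written under a changed extension counts as suspicious.
        if shannon_entropy(ev["content"]) < threshold:
            continue
        if not extension_changed(ev["old_path"], ev["new_path"]):
            continue
        q = recent[ev["process"]]
        q.append((ev["ts"], ev["new_path"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= min_files and ev["process"] not in alerts:
            alerts[ev["process"]] = {"first_seen": q[0][0], "count": len(distinct), "sample": q[0][1]}
    return alerts


def pseudo_random_bytes(seed, length=4096):
    """Deterministic high-entropy filler standing in for ciphertext (constructed test data)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:length])


def sample_events():
    """Constructed event stream: one ransomware-like process, two benign ones."""
    events = []
    # A process rewrites 12 documents as high-entropy data with a new extension in 6 seconds.
    for i in range(12):
        events.append({"ts": 1000 + i * 0.5, "process": "svchost_update.exe",
                       "old_path": f"C:/Users/alice/Documents/report{i}.docx",
                       "new_path": f"C:/Users/alice/Documents/report{i}.docx.locked",
                       "content": pseudo_random_bytes(i)})
    # An archiver writes two zips: high entropy and a new extension, but far below the count threshold.
    for i in range(2):
        events.append({"ts": 1100 + i, "process": "7z.exe",
                       "old_path": f"C:/Users/alice/photos{i}",
                       "new_path": f"C:/Users/alice/photos{i}.zip",
                       "content": pseudo_random_bytes(100 + i)})
    # A word processor saves plain text in place: low entropy, same extension.
    for i in range(15):
        events.append({"ts": 1200 + i, "process": "WINWORD.EXE",
                       "old_path": f"C:/Users/alice/notes{i}.txt",
                       "new_path": f"C:/Users/alice/notes{i}.txt",
                       "content": b"Meeting notes, action items, follow up next week.\n" * 50})
    return events


if __name__ == "__main__":
    for proc, info in detect_mass_encryption(sample_events()).items():
        print(f"ALERT {proc}: {info['count']} files since {info['first_seen']} (e.g. {info['sample']})")
```

Entropy alone would also flag backup tools, archivers and legitimate encryption, which is why the rule combines it with a count, a time window and an extension change, and why a real endpoint product adds process reputation and parent-process context on top. Real products take these events from kernel file-system callbacks or ETW rather than from a list, but the decision logic is the same.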
How to remove malware
On a device:
- Disconnect from the network immediately to stop spread and exfiltration
- Boot from a clean external drive or use a live antivirus rescue disk — malware running in the OS can hide from scanners running within it
- Run a reputable malware scanner (Malwarebytes, Windows Defender Offline, ESET Online Scanner)
- For severe infections or rootkits, the safest path is wiping and rebuilding from known-clean backups — rootkits can survive a standard antivirus scan
- Change all passwords from a clean device after removing malware, and revoke active sessions and tokens where you can: assume any credential typed or stored on the infected machine has been captured
On a website:
Follow the steps in our guide on how to fix a hacked website — identify the entry point, clean or restore from backup, patch the vulnerability, and harden before going back online.
How to prevent malware
- Keep everything patched — OS, browsers, plugins, server software. Much of the malware that spreads automatically relies on known vulnerabilities for which a patch already exists.
- Use endpoint protection — modern EDR (Endpoint Detection and Response) detects behaviour patterns, not just known signatures. Much more effective against new and custom malware.
- Train staff on phishing — since phishing is the top delivery mechanism, humans are the first line of defence. Test with simulated phishing campaigns.
- Least privilege — limit what any account or process can do. Malware running as a standard user does far less damage than malware with admin rights, so don't read email or browse from an administrator account.
- Disable macros by default — Office macros are a classic trojan delivery vector. Recent versions of Office block macros in files downloaded from the internet by default; enforce that with Group Policy so users can't unblock them, and allow only digitally signed macros where a business process genuinely needs them.
- Maintain clean, offline backups and test restoring from them — the recovery plan when prevention fails.