Malware Types and Prevention for Home Users

Malware — malicious software engineered to infiltrate, damage, or exploit computing devices — poses direct operational risks to home users across the United States. This page covers the major malware classifications, the mechanisms by which each type operates, the scenarios home users most commonly encounter, and the decision thresholds that determine appropriate response actions. The National Online Safety Authority's online safety listings catalog professional service providers equipped to assist home users navigating these threats.


Definition and scope

Malware is the umbrella classification for any software designed to cause harm, extract data, or enable unauthorized access to a computing system without the owner's informed consent. The Cybersecurity and Infrastructure Security Agency (CISA) defines malware as software that compromises the operation, integrity, or confidentiality of a system. Within that umbrella, the National Institute of Standards and Technology (NIST) formalizes the term in NIST SP 800-83 Rev 1 as "a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system."

For home users, the scope encompasses devices running consumer operating systems — Windows, macOS, iOS, Android, and Linux-based platforms — as well as smart home devices and routers running embedded firmware. The Federal Trade Commission (FTC) has documented malware as a primary vector in identity theft complaints, which reached 1.1 million reports in 2022 (FTC Consumer Sentinel Network Data Book 2022).

The major recognized malware categories include:

  1. Viruses — Self-replicating code that attaches to legitimate files and spreads when those files are executed.
  2. Worms — Standalone programs that propagate across networks without requiring user interaction or host file attachment.
  3. Trojans — Malicious programs disguised as legitimate software; they do not self-replicate but open backdoors or drop additional payloads.
  4. Ransomware — Encrypts user files or locks device access, demanding payment for decryption keys.
  5. Spyware — Covertly monitors user activity, capturing keystrokes, credentials, and browsing behavior.
  6. Adware — Generates unauthorized advertisements; frequently bundled with spyware components.
  7. Rootkits — Embed at the kernel or firmware level to conceal other malicious processes from detection.
  8. Botnets — Networks of compromised devices controlled remotely for coordinated attacks such as distributed denial-of-service (DDoS) campaigns.

How it works

Malware delivery and execution follow a repeatable attack chain, regardless of variant. CISA's incident response frameworks describe this sequence in terms consistent with the MITRE ATT&CK framework:

  1. Initial access — The attacker delivers the malicious payload through phishing email attachments, drive-by downloads on compromised websites, infected USB drives, or vulnerability exploitation in unpatched software.
  2. Execution — The payload executes, often exploiting operating system permissions or user-granted administrative rights.
  3. Persistence — The malware establishes a foothold by modifying registry keys, scheduled tasks, or startup entries to survive reboots.
  4. Privilege escalation — The malware attempts to gain elevated permissions beyond those of the standard user account.
  5. Lateral movement or data collection — Depending on type: ransomware begins file enumeration and encryption; spyware activates keyloggers; botnets register with command-and-control infrastructure.
  6. Exfiltration or impact — Data is transmitted to attacker-controlled servers, files are encrypted for ransom, or the device is weaponized for further attacks.

The contrast between viruses and worms illustrates a foundational classification boundary. A virus requires a host file and user-initiated execution; a worm requires neither, propagating autonomously by exploiting network services. NIST SP 800-83 Rev 1 identifies this self-replication mechanism as the primary technical differentiator. Ransomware occupies a distinct category by monetizing the attack directly rather than enabling downstream theft — CISA reported 2,385 ransomware complaints to the FBI Internet Crime Complaint Center (IC3) in 2022, with adjusted losses exceeding $34.3 million (FBI IC3 Internet Crime Report 2022).


Common scenarios

Home user exposure to malware concentrates around four documented attack surfaces:

Home users navigating these scenarios can reference the purpose and scope of this directory to identify vetted service categories for professional remediation support.


Decision boundaries

Not all malware encounters require the same response. The boundaries between self-remediation, professional intervention, and law enforcement reporting are determined by impact scope and data exposure.

Self-remediation is appropriate when: the infection is isolated to adware or low-severity spyware on a single device, no financial account credentials or Social Security numbers are stored on the affected device, and a reputable anti-malware scanner (evaluated against AV-TEST or AV-Comparatives benchmarks) achieves confirmed clean status.

Professional remediation is indicated when: ransomware has encrypted files across 2 or more devices or a NAS/backup drive; rootkit presence is suspected; credentials for banking, email, or government accounts may have been captured; or device behavior persists after initial remediation attempts. The online safety listings directory structures professional service providers by service type.

Law enforcement reporting is required when: financial loss has occurred, ransomware demands have been received, or personal identifying information appears to have been exfiltrated. Reports should be filed with the FBI IC3 at ic3.gov and with the FTC at reportfraud.ftc.gov.

Home users uncertain about classification thresholds can reference CISA's #StopRansomware guidance for ransomware-specific triage, or consult the how to use this resource page for navigating available service listings.
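The thresholds above, encoded as an added Python example (not from this page or from any agency it cites); the field names are assumed, and the fallback for cases the page leaves unspecified (for example a single device hit by ransomware) is an assumption that escalates to professional remediation rather than self-remediation.

```python
from dataclasses import dataclass


@dataclass
class Encounter:
    """Observed facts about one malware encounter (constructed field names, not from any tool)."""
    malware_type: str                      # "adware", "spyware", "ransomware", "rootkit", ...
    devices_encrypted: int = 0             # devices whose files ransomware has encrypted
    backup_or_nas_hit: bool = False        # a NAS or backup drive was encrypted
    rootkit_suspected: bool = False
    credentials_at_risk: bool = False      # banking, email or government logins may be captured
    financial_or_ssn_data_stored: bool = False  # financial account or SSN data on the device
    persists_after_cleanup: bool = False   # symptoms remain after an initial remediation attempt
    scanner_clean: bool = False            # reputable anti-malware scanner confirms clean
    financial_loss: bool = False
    ransom_demand_received: bool = False
    pii_exfiltrated: bool = False


LOW_SEVERITY = {"adware", "spyware"}   # the only types the page allows for self-remediation


def needs_law_enforcement_report(e: Encounter) -> bool:
    return e.financial_loss or e.ransom_demand_received or e.pii_exfiltrated


def needs_professional_remediation(e: Encounter) -> bool:
    return (e.devices_encrypted >= 2 or e.backup_or_nas_hit or e.rootkit_suspected
            or e.credentials_at_risk or e.persists_after_cleanup)


def self_remediation_ok(e: Encounter) -> bool:
    return (e.malware_type in LOW_SEVERITY
            and not e.financial_or_ssn_data_stored
            and e.scanner_clean
            and not needs_professional_remediation(e))


def triage(e: Encounter) -> set:
    """Return the set of actions the page's thresholds call for.

    Reporting to IC3/FTC is additive: it is required on top of whichever
    remediation tier applies, never instead of it.
    """
    actions = set()
    if needs_professional_remediation(e):
        actions.add("professional_remediation")
    elif self_remediation_ok(e):
        actions.add("self_remediation")
    else:
        # Assumption: anything not explicitly cleared for self-remediation is escalated.
        actions.add("professional_remediation")
    if needs_law_enforcement_report(e):
        actions.add("report_ic3_and_ftc")
    return actions
```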

