Virus Glossary

The glossary below contains definitions for some of the most common terms.

Adware
Programs designed to launch advertisements, often pop-up banners, on host machines and/or to re-direct search engine results to promotional web sites. Adware programs are often built into freeware or shareware programs, where the adware forms an indirect ‘price’ for using the free program. Sometimes a Trojan silently downloads an adware program from a web site and installs it onto a user’s machine. Or hacker tools, often referred to as Browser Hijackers (because they subvert the web browser to install a program without the user’s knowledge), download the adware program using a web browser vulnerability.
Browser Hijackers may change browser settings, re-direct incorrect or incomplete URLs, or change the default homepage. They may also re-direct searches to ‘pay-to-view’ (often pornographic) web sites.
Typically, many adware programs do not show themselves in the system in any way: no listing under Start | Programs, no icons in the system tray, nothing in the task list. In addition, adware programs seldom come with a de-installation procedure and attempts to remove them manually may cause the original carrier program to malfunction.

Adware
A legitimate, non-replicating program designed to display ads to the end-user, often based on monitoring of browsing habits. Often adware contains spyware in order for the program to know which advertisements to display based on the current user’s preference. Adware displays ads often in exchange for the right to use a program free of charge (a variation on the shareware concept).

Backdoor
A program that opens secret access to systems, and is often used to bypass system security. A Backdoor program does not infect other host files, but nearly all Backdoor programs make low-level operating system modifications (e.g. changes to the registry). Backdoors usually hitch a ride in on trojans. Once they are in place and have executed, they hide themselves while opening a port on your computer to allow others in. Some backdoors are placed by hackers once they gain access, giving themselves an easier way back in later or an alternative route if their original entryway is blocked.

Bimodal virus
A bimodal virus infects both boot records and files. It is also called a bipartite virus. Also see: boot-sector infector, file virus, multipartite.

Blended Threat
A virus which uses multiple infection techniques. This may include the exploitation of various program vulnerabilities, incorporation of trojan behavior, file infection routines, Internet propagation routines, network share propagation routines, and spreading without any human intervention.

Boot sector virus
A boot sector virus is one that infects by replacing code in the boot sector of a floppy disk (and sometimes a hard disk) with its own code. This ensures that whenever an attempt is made to boot from the infected disk, the virus loads before the operating system.
These viruses are very uncommon now, but in the first half of the 1990s, when floppy disks were the main means of transferring data, they represented the main threat to PC users. Typically, a boot sector virus infected the hard disk when a user inadvertently left an infected floppy disk in drive A. When the PC was next booted, the system would try to boot from the floppy disk and the virus code would execute, regardless of whether or not the floppy disk was a system disk or just a data disk. Most boot sector viruses then infected the MBR [Master Boot Record] of the hard disk, rather than the boot sector.

Bot network
A bot network is a network of hijacked zombie computers controlled remotely by a hacker. The hacker uses the network to send spam and launch Denial of Service attacks, and may rent the network out to other cyber criminals. Also see: zombie.

Browser Hijacker
Browser Hijackers modify the user’s web browser settings. This may involve changing the default home page, re-directing searches to unwanted web sites, adding unwanted (sometimes pornographic) bookmarks or generating unwanted pop-up windows.

Brute-force attack
A brute-force attack is an attack in which each possible key or password is attempted until the correct one is found. Also see: attack.

Cracker
A cracker is someone who tries to break security on computer software. The term is often used synonymously with hacker, but implies only illegal or malicious intent.
Crackers originally targeted protected or copyrighted software, breaching protection to enable copying or modification. The term nowadays also encompasses many types of cybercriminal who bypass computer security methods for criminal ends.

Dialer
Dialers are programs that use a system, without your permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.

DNS cache poisoning, Pharming
DNS servers located throughout the Internet are used to map domain names to IP addresses. When a user types in a URL, a nearby DNS server will map the domain to an IP address or pass it to another DNS server. In fact, there are a relatively small number of very big DNS servers. These provide many smaller DNS servers with DNS entries that are stored in the cache of the smaller DNS servers.
DNS poisoning is the manipulation of IP addresses for entries stored in the cache of a smaller DNS server: the aim is to make the DNS server respond, not with the correct IP address, but with the address of a server under the attacker's control that hosts malicious code. Here’s an example. If a user types the URL ‘www.kaspersky.com’ in the web browser, the DNS server should respond with the IP address 81.176.69.70. However, a poisoned DNS server would map this domain name to the IP address of a server hosting malicious code.
DNS poisoning is only possible where there is a vulnerability or other security weakness in the operating system running on the DNS server.

Dropper
A dropper is a carrier file that installs a virus on a computer system. Virus authors often use droppers to shield their viruses from anti-virus software. The term injector often refers to a dropper that installs a virus only in memory.

Email worm
Worms are generally considered to be a subset of viruses, but with key differences. A worm is a computer program that replicates, but does not infect other files: instead, it installs itself on a victim computer and then looks for a way to spread to other computers.
From a user’s perspective, there are observable differences. In the case of a virus, the longer it goes undetected, the more infected files there will be on the victim computer. In the case of a worm, by contrast, there is just a single instance of the worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added to existing files on the disk.
Like viruses, worms are often sub-divided according to the means they use to infect a system. E-mail worms are distributed as attachments to e-mail messages, IM worms are attached to messages sent using instant messaging programs (such as IRC or ICQ). P2P [peer-to-peer] worms use file-sharing networks to spread. Network worms spread directly over the LAN [Local Area Network] or across the Internet, often making use of a specific vulnerability.
The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel Shockwave Rider. The hero, a talented programmer, created self-replicating computer programs that tunneled their way through a worldwide network.

Exploit
The term exploit describes a program, piece of code or even some data written by a hacker or virus writer that is designed to take advantage of a bug or vulnerability in an application or operating system. Using the exploit, an attacker gains unauthorized access to, or use of, the application or operating system.
The use of exploits by hackers and virus writers has increased during the last few years. Typically, exploit code is used to gain access to confidential data or to use the victim machine for further unauthorized use.
Exploits are often named after the vulnerability they use to penetrate systems: a buffer overflow, for example.

File virus
Viruses are often classified according to the objects they infect. File viruses, as the name suggests, are designed to add their code to files (generally program files).

Hacker
Traditionally, the term 'hacker' applied to anyone tinkering with the internals of computer systems and software. Nowadays, it is generally used to refer to those attempting to breach computer security, either for research, finding and fixing vulnerabilities, or for malicious or fraudulent purposes.
The term is also used by several long-running communities, and many legitimate hackers object to the term being used to indicate criminality, preferring to retain the separation between the terms 'hacker' and 'cracker'.

Hoax
This usually consists of an email message warning recipients about a new and terribly destructive virus. It ends by suggesting that the reader should warn his or her friends and colleagues, perhaps by simply forwarding the original message to everyone in their address book. The result is a rapidly growing proliferation of pointless emails that can increase to such an extent that they overload systems.

Keylogger
A trojan that, upon execution, logs every keystroke or other activity on a system. Keyloggers resemble third-party parental-control/monitoring software, and some in fact employ the same techniques as such software, but use them to gather valuable data such as usernames, passwords, and personal information from unsuspecting users.

Link virus
Viruses are often classified according to the technique they use to infect. A link virus, as the name suggests, does not add its code directly to infected files. Instead, it spreads by manipulating the way files are accessed under the FAT file system.
When an infected file is run, the virus goes memory resident and writes a (typically hidden) file to the disk: this file contains the virus code. Subsequently, the virus modifies the FAT to cross-link other files to the disk sector containing the virus code. The result is that whenever a cross-linked file is run, the system jumps first to the virus code and runs it.
The cross-linking is detectable if the CHKDSK program is run, although a virus could use stealth to conceal the changes if the virus was in memory (in other words, if the user did not boot from a clean system disk).

Macro Virus
A "macro" is a saved set of instructions that users may create or edit to automate tasks within certain applications or systems. A Macro Virus is a malicious macro that a user may execute inadvertently and that may cause damage or replicate itself. Some macros replicate, while others infect documents. Unlike other virus types, macro viruses aren't specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications. Macro viruses are typically written in Visual Basic and are relatively easy to create. They can infect at different points during a file's use (for example, when a file is opened, saved, closed, or deleted).

Malware (Malicious Software)
Programs that are intentionally designed to perform some unauthorized (and often harmful or undesirable) act such as viruses, worms, and trojans.

Malicious code
Malicious code refers to any program that is deliberately created to perform an unauthorized, often harmful, action.

Master boot sector virus
Master boot-sector viruses infect the master boot sector of hard disks, though they spread through the boot record of floppy disks. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy disk DOS accesses. They are also called master boot-record viruses. Also see: boot record.

Phishing
Phishing is a form of cyber crime based on social engineering techniques. The name ‘phishing’ is a conscious misspelling of the word 'fishing' and involves stealing confidential data from a user’s computer and subsequently using the data to steal the user’s money.
The cyber criminal creates an almost 100% perfect replica of a financial institution or online commerce web site. He then tries to lure unsuspecting users to the site to enter their login, password, credit card number, PIN, etc. into a fake form. This data is collected by the phisher who later uses it to access users’ accounts fraudulently.
Some financial institutions now make use of a graphical keyboard, where the user selects characters using a mouse, instead of using a physical keyboard. This prevents collection of confidential data by phishers who trap keyboard input, but is of no avail against so-called ‘screenscraper’ techniques, where a Trojan takes a snapshot of the user’s screen and forwards it to the server controlled by the Trojan author or ‘master’.
There are several different ways of trying to drive users to a fake web site:
- Spam e-mail, spoofed to look like correspondence from a legitimate financial institution.
- Hostile profiling, a targeted version of the above method: the cyber criminal exploits web sites that use e-mail addresses for user registration or password reminders and directs the phishing scam at specific users (asking them to confirm passwords, etc.).
- Installing a Trojan that edits the hosts file, so that when the victim tries to browse to their bank’s web site, they are re-directed to the fake site.
- Pharming, also known as DNS poisoning.
- ‘Spear phishing’, an attack on a specific organization in which the phisher simply asks for one employee’s details and uses them to gain wider access to the rest of the network.

Polymorphic Virus
A virus that contains a special routine that changes parts of the virus code with each replication to evade detection by antivirus software.

PSW Trojans
These Trojans are designed to steal passwords from the victim machine (although some steal other types of information also: IP address, registration details, e-mail client details, and so on). This information is then sent to an e-mail address coded into the body of the Trojan. The first PSW Trojans were AOL password stealing Trojans, and they are so numerous that they form a specific subset of PSW Trojans.

Riskware
‘Riskware’ is the generic term used by Kaspersky Lab to describe programs that are legitimate in themselves, but that have the potential for misuse by cyber criminals: for example, remote administration utilities. Such programs have always had the potential to be misused, but they now have a higher profile. During the last few years, there has been a fusion of ‘traditional’ virus techniques with those of hackers. In the changing climate, such ‘riskware’ programs have come into their own as a means of controlling machines for malicious purposes.

Rootkit
A rootkit is a collection of programs used by a hacker to evade detection while trying to gain unauthorized access to a computer. This is done either by replacing system files or libraries, or by installing a kernel module. The hacker installs the rootkit after obtaining user-level access: typically this is done by cracking a password or by exploiting a vulnerability. This is then used to gather other user IDs until the hacker gains root, or administrator, access to the system.
The term originated in the Unix world, although it has since been applied to the techniques used by authors of Windows-based Trojans to conceal their activities. Rootkits have been used increasingly as a form of stealth to hide Trojan activity, something that is made easier because many Windows users log in with administrator rights.

Self-encrypting virus
Self-encrypting viruses attempt to conceal themselves from anti-virus programs. Most anti-virus programs attempt to find viruses by looking for certain patterns of code (known as virus signatures) that are unique to each virus. Self-encrypting viruses encrypt these text strings differently with each infection to avoid detection. Also see: self-garbling virus, encrypted virus.

Sniffer
A sniffer is a software program that monitors network traffic. Hackers use sniffers to capture data transmitted over a network.

Spam
Spam is the name commonly given to unsolicited e-mail. It is effectively unwanted advertising, the e-mail equivalent of physical junk mail delivered through the post or from unsolicited telemarketing calls.

Spyware
A software program that monitors a user’s computing habits and personal information and sends this information to third parties without the user’s authorization or knowledge.

Stealth virus
Stealth viruses attempt to evade antivirus scanners by presenting clean data when queried by an antivirus product. Some of these viruses display a clean version of the infected file during scans. Other stealth viruses hide the new size of the infected file and display the pre-infection size.

Trojan (Trojan Horse)
A program or a part of program code that performs unexpected or unauthorized, often malicious, actions. The main difference between a trojan and a virus is the Trojan's inability to replicate. Trojans cause damage, unexpected system behavior, and compromise the security of systems, but do not replicate. If a malicious program replicates, then it should be classified as a virus. A Trojan, coined from Greek mythology's Trojan Horse, typically comes in good packaging but has some hidden malicious intent within its code. When a Trojan is executed users will likely experience unwanted system errors, problems in operation, and sometimes loss of valuable data.

Virus
A program or a part of program code that replicates - that is, "infects" another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many do a large amount of damage as well.

Worm
A self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments. The worm may do damage and compromise the security of the computer. It may arrive in the form of a joke program or software of some sort.

Zero-day exploit
A zero-day exploit is one where an exploit written to take advantage of a bug or vulnerability in an application or operating system appears immediately after the vulnerability has been discovered. This leaves almost no time for a vendor to create a patch, or for IT administrators to implement other defensive measures.

Zip bomb
A zip bomb is a file compressed into some archive format - often, but not necessarily, zip - which expands to an enormous size when uncompressed. Often the bomb is in the form of a loop, with the file inside the archive in fact a link back up to the top level of the archive, which will thus continuously unpack itself until all space and resources on the system are exhausted.
Zip bombs can also cause problems for anti-malware software trying to scan inside them, again using up large amounts of system resources. Scanners should be able to spot a zip bomb attack and stop scanning after a certain level.
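The scanner-side check that the zip bomb entry calls for, as an added Python example that is not part of this glossary or of any of the sites it draws on: it judges an archive from the sizes declared in its central directory and from its nesting depth before inflating anything, so a looping or high-ratio archive is refused rather than unpacked. The thresholds MAX_RATIO, MAX_TOTAL and MAX_DEPTH are assumed values, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Hypothetical thresholds; a real scanner would tune them to its environment.
MAX_RATIO = 100                 # expanded bytes per compressed byte
MAX_TOTAL = 50 * 1024 * 1024    # refuse archives declaring more than 50 MiB
MAX_DEPTH = 3                   # nested archive levels to descend before giving up


def inspect_zip(data: bytes, depth: int = 0) -> dict:
    """Judge a zip from its central directory without inflating members.

    Returns {"bomb": bool, "reason": str, "expanded": int}. Header sizes are
    attacker-controlled, so a production scanner must also cap the bytes it
    actually inflates; this is the cheap first gate the glossary describes.
    """
    if depth >= MAX_DEPTH:
        return {"bomb": True, "reason": "nesting deeper than %d levels" % MAX_DEPTH, "expanded": 0}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"bomb": False, "reason": "not a zip archive", "expanded": 0}
    compressed = max(len(data), 1)
    declared = sum(info.file_size for info in zf.infolist())
    if declared > MAX_TOTAL:
        return {"bomb": True, "reason": "declared expansion of %d bytes exceeds limit" % declared, "expanded": declared}
    ratio = declared // compressed
    if ratio > MAX_RATIO:
        return {"bomb": True, "reason": "ratio %d:1 exceeds %d:1" % (ratio, MAX_RATIO), "expanded": declared}
    # Descend into nested archives; a self-referencing "loop" bomb is stopped by MAX_DEPTH.
    expanded = declared
    for info in zf.infolist():
        if info.filename.lower().endswith(".zip"):
            verdict = inspect_zip(zf.read(info), depth + 1)   # member size already within MAX_TOTAL
            if verdict["bomb"]:
                return verdict
            expanded += verdict["expanded"]
            if expanded > MAX_TOTAL:
                return {"bomb": True, "reason": "declared expansion across nesting exceeds limit", "expanded": expanded}
    return {"bomb": False, "reason": "within limits", "expanded": expanded}


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def sample_benign() -> bytes:
    return make_zip({"readme.txt": b"hello from a harmless archive\n"})


def sample_high_ratio() -> bytes:
    # 8 MiB of zeros deflates to a few KiB: a ratio of roughly 1000:1.
    return make_zip({"zeros.bin": bytes(8 * 1024 * 1024)})


def sample_deep_nesting() -> bytes:
    # Four levels: outer -> level2.zip -> level1.zip -> level0.zip -> leaf.txt
    archive = make_zip({"leaf.txt": b"leaf"})
    for level in range(3):
        archive = make_zip({"level%d.zip" % level: archive})
    return archive
```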

Zombie
A zombie is a PC that has been infected with a virus or Trojan horse that puts it under the remote control of an online hijacker. The hijacker uses it to generate spam or launch Denial of Service attacks. Also see: spam, Denial of Service.

Resources:
http://www.upenn.edu/computing/virus/glossary.html
http://www.securelist.com/en/glossary
http://home.mcafee.com/VirusInfo/Glossary.aspx
http://www.cuhk.edu.hk/itsc/security/isglosry/index.html
http://www.virusbtn.com/resources/glossary/hacker.xml