zbeng

GLOSSARY SECURITY THREAT TERMS


##############################################################
##
## Author: LightiningLord™ < fbi.hack.gov@gmail.com >
## Description: Glossary Security Threat Terms
## Sources: Based on research of AV sites & a few various security sites.
## Note: If you want to rip it, at least give credit back to my site :)
##
##############################################################

Uhmmm... at times I always come across people asking me what the differences between all the viruses mean... well, just to be a little precise, I decided to make this up to help you differentiate the various kinds of viruses and how they function.

Reference in Alphabetical Order,

• A B C D E

• F G H I J

• K L M N O

• P Q R S T

• U V W X Y Z


ACTIVEX CONTROLS

ActiveX controls are components that add dynamic and interactive features to Web pages. With ActiveX tools, multimedia effects, animation, and functional applications can be added to Web sites. HouseCall from TrendM's online virus scanner is an example of the application of ActiveX.

ActiveX controls are typically installed with user permission. However, security measures can be circumvented. In some instances, ActiveX components in Web pages are able to run automatically when the Web pages are opened. Visiting users are also sometimes tricked into accepting unwanted ActiveX controls. The unauthorized installation and execution of ActiveX controls can open opportunities for malicious code to install components or to make modifications on visiting systems.

ADWARE

Adware is software that displays advertising banners on Web browsers such as Internet Explorer and Mozilla. While not categorized as malware, many users consider adware invasive. Adware programs often create unwanted effects on a system, such as annoying popup ads and the general degradation in either network connection or system performance.

Adware programs are typically installed as separate programs that are bundled with certain free software. Many users inadvertently agree to installing adware by accepting the End User License Agreement (EULA) on the free software.

Adware is also often installed in tandem with spyware programs. Both programs feed off each other's functionality - spyware programs profile users' Internet behavior, while adware programs display targeted ads that correspond to the gathered user profiles.

AFFECTED FILE TYPE

Malware and grayware may arrive as files of a certain type. The term "affect" here could mean the file format (e.g. PE or Win32) that the malware or grayware comes as, or the formats that it attaches to in the case of file infectors.

AFFECTED SOFTWARE

Affected Software, Platform, and Systems Affected indicate the area(s) affected by a particular threat, whether it is malware, grayware, or a vulnerability. This list contains the operating systems or applications that need to be installed in the user's system before the threat performs its malicious routines. It is known that a threat may behave differently across different platforms.

ALIASES

Different vendors often have their own approaches towards detection, whether it involves malware, grayware, or vulnerabilities, which can result in different naming conventions. The aliases field in the Virus Encyclopedia, Spyware/Grayware, and Vulnerabilities pages indicates other names used to refer to the same threat.

BACKDOOR

The term backdoor often refers to backdoor programs - applications that open computers for access by remote systems. These programs typically respond to specially-built client programs, but can be designed to respond to legitimate messaging applications. Many backdoor programs actually make use of the IRC backbone, receiving commands from common IRC chat clients via the IRC network.

Backdoor programs (detected by MOST antivirus as BKDR_malwarename) typically cannot propagate on their own.

BOOT SECTOR VIRUSES

Boot sector viruses infect the boot sector or the partition table of a disk. Computer systems are typically infected by these viruses when started with infected floppy disks - the boot attempt does not have to be successful for the virus to infect the computer hard drive. Once a computer is infected, boot sector viruses usually attempt to infect every disk accessed on the infected system. In general, boot sector viruses can be successfully removed.

There are a few viruses that can infect the boot sector after executing as a program. They are known as multi-partite viruses and are relatively rare.

BROWSER HELPER OBJECTS

Browser Helper Objects (BHOs) are companion applications for Microsoft Internet Explorer. They usually come in the form of toolbars, search helpers, and monitoring applications. Some adware and spyware programs have employed BHOs to monitor user browsing habits and deliver targeted advertising as well as to steal information.

CHARACTERISTICS

The characteristics listed on the Virus Encyclopedia include the possible avenues of distribution.

COMPRESSION

Compression reduces a file's size for processing, storage, and transmission. Malware and grayware authors may use different compression types or algorithms to reduce their program's size or hide the original digital structure of their program. Recent outbreaks were due to the application of different compression algorithms on existing malware variants to produce new ones that eluded antivirus scanners.

COMPUTER INFECTED SINCE (DATE)

This table displays the number of affected computers, by region, since detection first became available for a particular threat. See World Virus Tracking Center for additional information.

COOKIES

Cookies are text files that are created on computers when visiting Web sites. They contain information on user browsing habits. When a user returns to a Web site, a cookie provides information on the user's preferences and allows the site to display in customized formats and to show targeted content such as advertising. Cookies can collect user information that can then be obtained by another site or program.

DAMAGE POTENTIAL

A malware's damage potential rating may be high, medium, or low based on its inherent capacity to cause both direct and indirect damage to systems or networks. Certain malware are designed specifically to delete or corrupt files, causing direct damage. Denial of service (DoS) malware may also cause direct and intended damage by flooding specific targets. Mass-mailers and network worms usually cause indirect damage when they clog mail servers and network bandwidth, respectively.

HIGH

- System becomes unusable (e.g. flash bios, format HDD)

- System data or files are unrecoverable (e.g. encryption of data)

- System cannot be automatically recovered using tools

- Recovery requires restoring from backup

- Causes large amounts of network traffic (packet flooders, mass-mailers)

- Data/files are compromised and sent to a third party (backdoor capabilities)

MEDIUM

- System/files can be recovered using AV products or cleaning tools

- Minor data/file modification (e.g. file infectors)

- Malware that writes a minimal amount of data to the disk

- Malware that kills applications in memory

- Causes medium amount of network traffic (e.g. slow mailers)

- Automatically executes unknown programs

- Deletes security-related applications (e.g. antivirus, firewall)

LOW

- No system changes

- Deletion of less significant files in the system

- Changes can be recovered by users without using any tools

- Damage can be reversed just by restarting the system

DATA MINERS (TRACKING COOKIES)

Data Miners are applications that monitor, analyze, and collect specific information found in a database or volume of data from various sources. Data miners are not always used with malicious intent. Data mining programs allow companies to compile important client information, in order to enhance their services.

Data miners may be used by Web sites to monitor, analyze, and collect particular user activities on a computer to collect information that typically will be used for marketing purposes. Usually, data miners are uploaded to a computer to search for Web sites visited, products searched, and services used. The data is then sent back to be used for targeted advertising.

Data miners may be used maliciously and in some instances have been employed to steal personal information like logon credentials and credit card numbers.

DENIAL OF SERVICE/DISTRIBUTED DENIAL OF SERVICE

Denial of service (DoS) is a malware routine that interrupts or inhibits the normal flow of data into and out of a system. Most DoS attacks consume system resources, such that, in a short period of time, the target is rendered useless. A form of DoS attack is when a Web service (like a Web site or a download location) is accessed massively and repeatedly from different locations, preventing other systems from accessing the service and retrieving data from it. When a DoS attack is launched from different locations in coordinated fashion, it is often referred to as a distributed denial of service attack (DDoS).

DESTRUCTIVE THREAT

A threat tagged as destructive causes direct damage to files or computer systems, often resulting in the loss of important data. Routines such as corrupting or deleting important files and formatting the hard drive are considered destructive. A program that was designed to consume resources in a denial of service attack is also tagged as destructive.

DIALERS

Dialers, as the name implies, dial predefined numbers to connect to certain sites. Many users run dialers without knowing that some of these programs actually dial long distance numbers or connect to pay-per-call sites, and that they are being charged for the calls. Dialers are often offered as programs for accessing adult sites.

DISTRIBUTION POTENTIAL

Distribution potential is derived from the characteristics of the malicious program. Fast-spreading network worms can spread across continents within just minutes. Some malicious programs also use numerous infection and spreading techniques – often referred to as blended threats or mixed threats. The Nimda virus, for example, was able to spread via email, network shares, infected Web sites, as well as Web traffic (http/port 80).

As new systems are made and improved with added functionality, proof-of-concept malware often follows. This uniqueness, as well as the widespread implementation of a particular operating system or software, also influences the potential distribution of each malware. Many viruses written in the past do not run or spread on newer operating systems or operating systems that have all the latest security patches installed.

HIGH

- Blended threats (i.e. spreads via email, P2P, IM, network shares)

- Mass mailers

- Spreads via network shares

MEDIUM

- Mailers

- has spread via third-party or media

- spreads in IRC, IM, or P2P

- requires user intervention to spread

- URL/Web site download

LOW

- no network spreading

- requires manual distribution to spread

DROPPED DETECTION

A dropped detection is a detection that has been removed from the pattern file due to one or several reasons. Typically, a threat detection is dropped when it conflicts with other detections or with unrelated files. Detections that cause performance issues, as well as other technical conflicts, are also dropped from the pattern file if AV deems that these detections do not pose as immediate threats.

DROPPER

Droppers are programs designed to extract other files from their own code. Typically, these programs extract several files into the computer to install a malicious program package. Droppers may have other functions apart from dropping files.

ELF - EXECUTABLE & LINK FORMAT

ELF (Executable and Link Format) is an executable file format for the Linux and Unix platforms. Antivirus detects malicious executable code for Linux and UNIX as ELF_malwarename.

ENCRYPTION

Encryption is the process of converting data into a form that cannot easily be read without knowledge of the conversion mechanism (often called a key).

Certain malware have the ability to encrypt copies of themselves such that antivirus scanners may find it difficult to detect them using existing signatures of available samples. More complex malware use variable encryption keys for each new copy, requiring more complex formula-based patterns from antivirus vendors.

END USER LICENSE AGREEMENT (EULA)

An End User License Agreement or EULA is a legal contract between a software publisher and the software user. It typically outlines restrictions on the side of the user, who can refuse to enter into the agreement by not clicking "I accept" during installation. Clicking "I do not accept" will, of course, end the installation of the software product.

Many users inadvertently agree to the installation of spyware and adware into their computers when they click "I accept" on EULA prompts displayed during the installation of certain free software.

EXPLOIT

An exploit is code that takes advantage of a software vulnerability or security hole. Exploits are often incorporated into malware, which are consequently able to propagate into and run intricate routines on vulnerable computers.

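The AFFECTED FILE TYPE, COMPRESSION, ELF and ENCRYPTION entries above all touch on the same triage question an analyst faces before any signature is written: what container format is this file, and does its body look packed or encrypted? The following added example (my own code, not from the original post or from any AV vendor) identifies PE and ELF images from their magic bytes and estimates packing/encryption with Shannon entropy. The 7.0 bits-per-byte cut-off, the sample images and the `pseudo_random` helper are assumptions constructed for the demo; they are not real malware and not a vendor's rule.

```python
"""Added triage helper: identify an executable's container format from its
magic bytes and flag bodies that look packed or encrypted via Shannon entropy."""
import hashlib
import math
import struct
from collections import Counter


def identify_format(data: bytes) -> str:
    """Return a coarse format label for a file image held in memory."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ":
        # A PE file is a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
        # points at the 'PE\0\0' signature; a plain DOS .EXE lacks it.
        if len(data) >= 0x40:
            pe_off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "PE"
        return "MZ (DOS executable)"
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Assumption: a common heuristic cut-off for "probably packed/encrypted", not a standard.
PACKED_THRESHOLD = 7.0


def looks_packed(data: bytes) -> bool:
    """Plain machine code and text sit well below 7 bits/byte; compressed or
    encrypted payloads approach 8."""
    return shannon_entropy(data) >= PACKED_THRESHOLD


def triage(data: bytes) -> dict:
    return {
        "format": identify_format(data),
        "entropy": round(shannon_entropy(data), 2),
        "likely_packed_or_encrypted": looks_packed(data),
    }


# --- Constructed sample images (not real malware) -------------------------
def make_pe_image(body: bytes) -> bytes:
    header = bytearray(b"MZ" + b"\x00" * 0x3E)      # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + body


def make_elf_image(body: bytes) -> bytes:
    return b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 9 + body


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) so the demo is reproducible."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:n])


PLAIN_PE = make_pe_image(b"\x90" * 2000 + b"This program cannot be run in DOS mode" * 20)
PACKED_PE = make_pe_image(pseudo_random(4000))   # stands in for a packed/encrypted body
PLAIN_ELF = make_elf_image(b"\x00" * 3000)

if __name__ == "__main__":
    for name, img in [("plain PE", PLAIN_PE), ("packed PE", PACKED_PE), ("plain ELF", PLAIN_ELF)]:
        print(name, triage(img))
```

Entropy is only a hint: a legitimately compressed resource section or an embedded image also scores high, so in practice the flag is used to prioritise samples for unpacking rather than as a verdict on its own.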

FILE INFECTING VIRUSES

File infecting viruses or file infectors generally copy their code onto executable programs such as .COM and .EXE files. Most file infectors simply replicate and spread, but some inadvertently damage host programs. There are also file infectors that overwrite host files. Some file infectors carry payloads that range from the highly destructive, such as hard drive formatting, to the benign, such as the display of messages.

GRAYWARE

Grayware is AV's general classification for applications that have annoying, undesirable, or undisclosed behavior.

Grayware applications do not fall into any of the major threat (i.e. virus or Trojan horse) categories as they are subject to system functionality, as well as user debate.

Some items in the Grayware category have been linked to malicious activities, while others are used to provide users with targeted information in terms of product announcements.

Organizations dealing with sensitive information should be generally alarmed by the capability of any application with data gathering functionality.

The majority of grayware falls into the following classes:

- Adware

- Data Miners (Tracking Cookies)

- Dialers

- Hacking tools

- Joke programs

- Keyloggers

- Password cracking applications

- Remote Access Programs

- Spyware

Most AVs recognize that some users prefer to have tools to determine whether grayware is running on their systems, and thus provide additional options to scan for and/or remove it.

HACKING TOOLS

Hacking tools are programs that generally crack or break computer and network security measures. Hacking tools have different capabilities depending on the systems they have been designed to penetrate. System administrators have been known to use similar tools - if not the same programs - to test security and identify possible avenues for intrusion.

JAVA APPLETS

Java applets allow Web developers to create interactive, dynamic Web pages with broader functionality. They are small, portable Java programs embedded in HTML pages and can run automatically when the pages are viewed. Malware authors have used Java applets as a vehicle for attack. Most Web browsers, however, can be configured so that these applets do not execute - sometimes by simply changing browser security settings to "high."

JOKE PROGRAMS

Joke programs are considered relatively harmless and are often designed to annoy or make fun of users. They do not infect files, cause damage, or spread to other systems.

Many joke programs are designed to cause unnecessary panic - especially those that cause computers to behave as if something has been damaged. Abnormal system behaviors caused by joke programs include the closing and opening of the CD-ROM tray and the display of numerous message boxes.

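The FILE INFECTING VIRUSES entry above describes infectors appending their code to, or overwriting, host executables. The defender's counterpart is an integrity baseline: record size and hash for each executable, then report anything modified, added or missing. The example below is added here and is not code from the original post; the watched extensions, the temporary directory layout and the constructed "host program" contents are assumptions for the demo, and the appended bytes stand in for an infection only in the sense that they change the file.

```python
"""Added example: a minimal file-integrity baseline that surfaces the host-file
changes left by file infectors, overwriters and droppers."""
import hashlib
import os
import tempfile

# Assumption: the executable types worth baselining on the demo tree.
WATCHED_EXTS = (".exe", ".com", ".dll")


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map 'relative/path' -> (size, sha256) for every watched executable under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = (os.path.getsize(full), sha256_file(full))
    return baseline


def check_baseline(root: str, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline and report the drift."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline two programs, then simulate an infector
    appending bytes to one host and a dropper placing a new executable."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "editor.exe"), "wb") as f:
            f.write(b"MZ" + b"\x90" * 512)              # constructed host program
        with open(os.path.join(root, "bin", "tool.com"), "wb") as f:
            f.write(b"\xb8\x00\x4c\xcd\x21")            # constructed tiny .COM stub
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"not an executable, so not baselined")
        baseline = build_baseline(root)

        # Host program grows: size and hash both change, as with an appending infector.
        with open(os.path.join(root, "bin", "editor.exe"), "ab") as f:
            f.write(b"\xcc" * 64)
        # A new executable appears, as a dropper would leave behind.
        with open(os.path.join(root, "bin", "dropped.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 16)
        return check_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A hash alone would miss an overwriting infector that keeps the file size identical, which is why the baseline compares both the digest and the size, and why the baseline file itself must be stored somewhere the monitored system cannot rewrite.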

URBAN LEGENDS

Urban legends are stories told around day-to-day things, but are incorporated with unusual twists in the form of unlikely facts that are difficult to verify. Designed to elicit emotional response, the most popular urban legends are health and animal scares. Many urban legends are gaining popularity as they spread along with other email hoaxes.

VIRUS TYPES

The majority of viruses fall into five main classes:

- Boot-sector

- File-infector

- Multi-partite

- Macro

- Worm

VULNERABILITY

A vulnerability is a security weakness in a computing system that is typically found in programs and operating systems. The presence of known vulnerabilities in computing systems can leave these systems very much open to malware and hacker attack. This is because programs that take advantage of known vulnerabilities, commonly referred to as exploits, are often publicly available as source code, which can be customized to create malware or a hacking tool.

Software vendors typically provide fixes or patches for vulnerabilities found on their products.

WORM

A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments.
