March 2016
This glossary explains the terms of art relating to malware (malicious software).
Information security glossary
Term Meaning
0-day: See zero-day.
Adwind, AlienSpy, Frutas, Unrecom, Sockrat, JSocket, jRat: Heavily obfuscated species of RAT malware available to rent on the black market (MaaS - Malware as a Service!). Built in Java to execute on Windows, Linux, Android and MacOS.
App, application: Computer program or suite of programs providing a useful function. Apps on smartphones, tablets and portable PCs, particularly free social media or security apps downloaded from the Web and installed by naive users, may be Trojans, spyware, worms or other malware, especially on jailbroken devices.
Bayesian: Heuristic technique based on probability theory, originally developed by Thomas Bayes, often used to identify potential information security events (such as spam and malware).
BHO (Browser Helper Object): Program that loads and runs automatically when Internet Explorer is launched. Some BHOs are malware.
Blended threat, blended attack: Form of attack that combines methods, such as using social engineering to dupe a target into infecting their systems with malware.
Boot sector virus: Form of malware that infects the boot sector (Master Boot Record, MBR) on a disk, i.e. that part of the disk which is accessed first by the bootloader (itself stored in firmware) in order to load the operating system and so start up the computer. This precedes the loading of most security software, including basic antivirus programs, which execute only after the operating system has started.
Bot, zombie: Short for robot. (a) Networked computer under the remote control of hackers, often compromised using Trojans. The owner of the computer usually remains oblivious. Often corralled together in botnets. Also known as a zombie, as in the living dead of Hammer horror fame. (b) Any autonomous piece of software capable of roaming systems and/or networks, whether for benign (e.g. indexing Web pages for search engines) or malicious (e.g. spyware) purposes.
Bot master, botmaster: Hacker or cracker who commands and controls a botnet.
BRAIN.A: Widely held to have been the first personal computer virus, created in 1986 as a proof-of-concept by two Pakistani geeks who subsequently set up an ISP called Brain Communications. Spread on floppy disks. Strictly speaking, it was not a true virus since it did not attach itself to executable programs, and it was pre-dated by viruses on other platforms such as Creeper (DEC PDP-10, 1971), ANIMAL/PERVADE (Univac, 1974) and Elk Cloner (Apple II, 1981).
Browser hijack: Malware attack that changes the user's normal browser home page selection to some other inappropriate/unsafe website.
Carberp: Crimeware kit for building Trojans. As with Zeus, the source code for Carberp was released onto the Internet.
Certifi-Gate: Vulnerability in digital certificate handling by some privileged remote access/administration tools on Android systems, exploited by malware in 2015.
Christmas tree: One of the earliest worms, released in 1987. Less damaging than The Internet Worm.
Citadel Trojan: RAT generated using the Zeus crimeware kit; installs a remotely-configurable botnet to mount various attacks.
CME (Common Malware Enumeration): Process run by MITRE to assign a common ID to new malware that may otherwise be identified/named independently by several antivirus companies or malware analysts, causing confusion.
Code Red: A worm that infected insecure, unpatched Web servers running Microsoft IIS software in 2001. Defaced websites with "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"
Command and Control (C2, C&C): Generally, systems and processes for directing and monitoring diverse operations. In the hacking context, C2 normally refers to the covert remote direction and management of malware botnets by the bot master. In the military context, C&C refers to the command structure, lines of communication etc. used to monitor and direct operations.
Conficker: Very prolific worm, released in 2008 and still in the wild in 2016.
Crimeware, crimeware kit, attack toolkit, exploit kit: Software package used to generate and/or distribute malware using libraries of technical exploits, plus the infection and remote-control elements, including functions to report statistics on the status of the exploitation process. A few crimeware kits (such as Carberp and Zeus) have been released onto the Internet. Some are traded commercially on the black market or hacker underground. Most are jealously guarded by the hackers who created and maintain them and/or the criminals who pay for and exploit them.
Cyberthreat: Threat or threat agent active in the cybersecurity domain, particularly substantial, highly capable ones backed by governments and other resourceful and determined adversaries.
DLP (Data Leakage [or Loss] Prevention): Security technology designed to monitor, identify, log/alert and, if appropriate, block the inappropriate transfer of confidential information through a network port or firewall, for example to prevent workers, malware or hackers passing personal information, credit card numbers or trade secrets to third parties through the Internet, whether by accident or on purpose.
Drive-by download: Mode of malware infection involving the user merely browsing to an infectious website where vulnerabilities in the browser software are silently exploited, usually without the user being aware.
Easter egg: A Trojan horse function hidden within an otherwise legitimate program. Although normally benign (such as a simple computer game or audio-visual tribute to the programmers), the fact that a covert function has been coded and passed through program testing hints at a possible governance issue with the SDLC, begging the question "What else might be going on in there?". "Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes are entered. Easter eggs are typically used to display the credits for the development team and are intended to be nonthreatening" (NIST SP 800-28).
Exfiltration, exfiltrate: Covert extraction of sensitive/valuable information assets from a supposedly secure system, network or organization. Normally implies that the information is being pushed out or carried out by an agent within (a person or malware), but it may also be pulled out by someone on the outside (a social engineer, hacker etc.). Cf. infiltration.
Fork bomb, wabbit: Malware that spawns one or more copies and itself starts those copies running, thus exponentially increasing in number until it exhausts finite system resources and thus, generally, brings the entire system to a halt, i.e. a denial of service attack.
Grayware, greyware: See Potentially Unwanted Program (PUP).
Hypervisor, Virtual Machine Monitor (VMM): Program that mediates interactions between virtual systems and the underlying hardware platform. Some malware covertly installs a hypervisor in order to manipulate the operating system's access to disk and memory resources and conceal its presence from antivirus software. Security vulnerabilities in hypervisor programs may result in inappropriate interactions such as escape.
ILOVEU, Love letter: Well-known worm from the year 2000 that used social engineering to spread via email to the first 50 addresses found in Outlook, fooling victims into thinking they had received a love letter from a friend.
In the wild: Malware or other forms of exploit that are actually circulating and causing real-world impacts, as opposed to those which have only ever been seen in laboratories or in the furtive imaginations of malware analysts.
ISO/IEC 27036-3:2013: International standard "Information security for supplier relationships, Part 3: Guidelines for ICT supply chain security" guides both suppliers and buyers of information and communications technology-based goods and services, specifically on information security risk management relating to the supply chain, including risks such as malware and counterfeit products, and the integration of risk management with system and software lifecycle processes.
Keylogger: Malware that covertly records the user's keystrokes. There are hardware and software types. Hardware keyloggers are devices inserted into the keyboard cable or connector, where they may appear to be ferrite RF interference suppressors, or fitted inside the keyboard, PC case or wireless keyboard receiver. Software keyloggers are typically Trojans.
Macro virus: Form of malware that infects data files used by word processing, spreadsheet and other programs that have a sufficiently powerful and yet insecure built-in scripting or command language.
Malicious: With malice; mean and nasty, intending to cause or knowingly causing harm to another. Cf. benign.
Memory-scraping malware, RAM-scraper: Type of malware that monitors and captures confidential data in working memory in the course of processing. While such malware commonly infects point-of-sale systems, implying a criminal motive, the technique has broader application for national and industrial espionage and other nefarious purposes such as stealing valuable intellectual assets such as cryptographic keys and passwords (e.g. keyloggers), for surveillance or cybertage.
Michelangelo: Well-known virus from 1992, widely hyped by the news media but negligible in impact since most infected systems had been successfully disinfected prior to the payload being triggered on Michelangelo's birthday, March 6th. Based on Stoned.
Multifunction device: Modern networked printers (particularly those that also offer scanning and FAXing) are typically built around embedded microprocessors running Linux-based operating systems with minimal security. As such, they are often vulnerable to hackers and malware on the network, in addition to user and configuration errors, physical attacks/damage/accidents, software bugs etc. Many contain significant data storage capacity, potentially exposing cached copies of printed/scanned/FAXed documents etc.
Multifunctional malware: Malware that has the capability for multiple functions or modes of operation (e.g. having the characteristics of, or being able to switch between, a worm, Trojan, spyware and ransomware), generally achieved by downloading modules, exploits and parameters through a command and control channel.
Nimda: Worm derived from Code Red in 2001. Used multiple modes of infection to spread widely and quickly. Nimda is "admin" spelt backwards, hinting at the VXer's geeky sense of humor.
Online chat: Electronic messaging services (such as IM, SMS and email) used for personal communications through networks such as the Internet. Vulnerable to malware, disclosure of confidential information, social engineering, spam/SPIM, misinterpretation and various other information security threats.
Outbreak: A rapidly-spreading malware incident, analogous to an escalating biological viral or bacterial infection that puts the authorities on high alert. See also Warhol worm.
Packing, packer: Hacker or VXer term for a code obfuscation technique or tool which encodes executable code within a program that is decoded at runtime, thereby making simple pattern-matching signature detection against the packed file ineffective as an antivirus technique.
POS memory-scraping malware: Type of Trojan that covertly captures, encrypts and stores plaintext payment card information from the working memory of infected Point Of Sale systems as sales are processed. The encrypted data files may then be sent through the Internet to be exploited by criminals through identity fraud etc. A specific application of memory-scraping malware.
Potentially Unwanted Program (PUP), Potentially Unwanted Software (PUS), Potentially Unwanted Application (PUA), grayware: Software of dubious value, potentially a threat to the person using the computer, such as adware. Antivirus companies use such politically-correct terms mostly to avoid overtly accusing the authors and distributors of having malicious intent, as implied by terms such as malware, spyware etc., and partly to acknowledge that some users presumably find the software worthwhile.
Restore point: Through the system protection function, modern Windows systems automatically back up their system settings (critical operating system files, programs, and registry settings) weekly by default, and manually at any time, to the System Volume Information hidden system folder on the root drive. Provided a backup is available and not corrupted, overwritten or lost, the user can restore it in order to revert subsequent changes and hopefully correct problems created by, for instance, a failed software installation, malware infection or user error.
Scareware: Malware intended to scare or extort the user of a system into parting with money, usually. One example claims that the system has been flagged by the FBI due to illegal content, so the user must pay a fine to avoid being prosecuted (they seem a bit confused about the process!). More malicious forms include ransomware. See also crimeware.
SEH (Structured Exception Handling): Windows security technique to control the way various events are dealt with during the execution of programs, in an attempt to trap and gracefully resolve issues arising from flaws and bugs, whether accidentally or deliberately caused, such as divide-by-zero errors, program crashes, buffer overflows, malware and hacks. SEH is meant to ensure that designated exception or termination code cannot be bypassed, e.g. by redirection at run time. See also DEP.
Signature: (a) Characteristic way that a person writes their own name, providing a means to authenticate them (i.e. a biometric). (b) Set of characteristics that uniquely identify a species of malware.
Silk Road, Silk Road 2.0: Online black markets where the tools (including malware and related services) and proceeds of crime (fullz, illicit drugs and more) were traded anonymously through the Tor network for Bitcoins. The original Silk Road was active from 2011 until being shut down by the FBI in 2013. It was resurrected as Silk Road 2.0 and lasted another year before again being shut down.
Social proofing, group affirmation: People in tight-knit social groups tend to believe in, trust and respect the same things. Therefore if a friend (or more likely someone who has stolen our friend's ID) recommends a link or an app, we are inclined to load it without necessarily considering the risks of malware, fraud etc.
[The] Sony hack: Major information security incident at the end of 2014 affecting Sony Pictures Entertainment. Malicious hackers allegedly working for the North Vietnamese compromised Sony's corporate network, stealing a large quantity of sensitive proprietary and personal information over several months, which they then used to extort Sony by disclosing some (creating a media storm) and threatening to disclose more embarrassing and damaging content. Presumably in an effort to cover their tracks (scorched earth), the hackers also unleashed a worm that displayed a scary graphic and threats on desktop screens, destroyed data and took IT systems out of service for months, massively disrupting Sony's business activities and causing serious commercial, legal and brand impacts.
Soraya: One of several memory-scraping malware programs in the wild.
Spyware: Type of malware which spies on the user, for example covertly sending information about the programs run, websites visited or data submitted to a remote system or hacker.
Stealth virus: Cryptic virus that attempts to conceal its presence on the system by intercepting and manipulating directory/disk access requests. When, for example, an unskilled user or a crude antivirus program searches the disk, the virus dynamically removes or changes program names, file names etc. in the information provided/presented by the operating system.
Surveillance: The process of covertly observing, snooping or spying on someone's activities, whether literally watching them, monitoring their activities and movements, or tapping in to their network/online and/or telephone communications, e.g. using spyware.
The Internet Worm, Morris Worm, UNIX Worm: The first worm that spread widely across the early Internet, in 1988. Written and released by Robert Tappan Morris as an experiment to determine the size of the Internet.
Trojan, Trojan horse: A program that appears to the user to offer a useful function or to do nothing, but in fact contains hidden malicious functions, typically allowing remote control of the system by hackers, or installing keyloggers to steal personal information, passwords, PINs, credit card numbers or online banking credentials (e.g. Man-In-The-Browser). A form of malware. "A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program" (CNSSI-4009).
Virus hoax, hoax: Chain letter spreading a false virus warning. A form of social engineering. Hoaxes can cause alarm and waste time but are generally benign rather than malicious.
Wapomi, Simfect: Species of malware (described as "a virus with Trojan and worm-like features, a smorgasbord of nasties") that established a massive, mostly Chinese botnet in 2015.
Watering hole attack: Hacking method that uses social engineering to entice victims to an interesting website where their systems are compromised through drive-by downloads, Trojans or other exploits.
Wetware: People, or more specifically our brains. Alludes to the fact that human beings are about 60% water. Cf. hardware, software, firmware and malware.
Worm: Form of malware consisting of mobile code that exploits network connections to spread itself between systems and often performs unauthorized functions such as sending unsavory emails or spam, denial of service attacks (including unintentional attacks due to overwhelming networks/systems) etc. Unlike a virus, a worm is self-contained and does not need to hitch a ride on other programs. Unlike a Trojan, it does not appear to be a useful program and does not mislead humans into executing it. Unlike the living creature, it is not slimy and it's no good for your compost heap.
YiSpecter: In-the-wild malware targeting Apple devices running iOS prior to version 8.4.
* * * End of glossary * * *
Disclaimer
Language is a moving target, constantly evolving and sometimes misused or misunderstood by mere humans, including the fallible author of this glossary. Whereas I have done my level best to research and define the terms carefully, they often have or take on different, flexible meanings or implications in practice, and I am not necessarily correct in my interpretations. I am biased, prejudiced even, and certainly jaundiced after three decades in the industry. Furthermore, context is important.

This is, in parts, a parody. A few definitions are decidedly tongue-in-cheek, but, hey, it would be even more tedious otherwise...

Some definitions include quoted text in italics, drawn mostly from published or draft security standards. The quoted text may be neither complete nor accurate, while drafts may not even make it into print, at least not without changes. Please refer to the original cited sources and the published final versions for the definitive text and supporting information.

To be crystal clear, IANAL and this is not legal advice. In some jurisdictions and circumstances, some of the terms in this glossary have specific legal interpretations and implications that differ materially from those stated herein. Do not rely on this glossary for anything important.

This is also not information risk, security, privacy, compliance or governance advice, except in the very general and vague sense of espousing the author's understanding of generic good practice. Your information risks, and your information security and privacy requirements and obligations, undoubtedly differ from those noted in or implied by the glossary. Seek advice from competent, trustworthy, qualified and experienced professional advisors, and weigh it up. Ask a grown-up. Caveat lector.