Information security awareness

March 2016

The glossary explains the terms of art relating to malware, malicious software.

Information security glossary

0-day: See zero-day.

Account hijack, account takeover: Taking unauthorized control of a target's bank, credit card, email, IT system or telephone account by means of hacking, social engineering, malware etc., typically as part of identity fraud or some other attack.

ActiveX: Microsoft technology for interactive web pages. Malicious ActiveX controls (a form of malware) may potentially compromise the user's systems: if the browser security settings allow, even unauthenticated (unsigned) ActiveX controls may access files on the user's hard drive, for example.

Ad injection: Browser malware that displays advertisements and (in some cases) steals personal data from infected systems. See also adware.

Adware: Annoying software that displays advertisements etc. Considered by some to be malware since it is often covert, seldom knowingly authorized, consumes resources and may have undesirable effects. See also ad injection.

Adwind, AlienSpy, Frutas, Unrecom, Sockrat, JSocket, jRat: Heavily obfuscated species of RAT malware available to rent on the black market (MaaS - Malware as a Service!). Built in Java to execute on Windows, Linux, Android and MacOS.

Angler: A crimeware kit, in the wild as of 2016.

Anomaly, anomalous: Something different, unusual, unexpected or out of the ordinary. Such anomalies are inherently interesting, hinting at the possibility of unexpected relationships, biases or events, perhaps even information security incidents such as bugs, flaws, frauds, malware or hacks.

Antivirus [software, program, package]: Software designed to minimize the risk of malware by detecting, preventing and/or removing various forms of malware infection such as viruses, worms, Trojans, rootkits etc.

APN (Access Point Name): Malware may surreptitiously alter the APN on mobile devices, redirecting users to access points monitored and controlled by hackers.

Copyright 2016 IsecT Ltd. Page 1 of 27


App, application: Computer program or suite of programs providing a useful function. Apps on smartphones, tablets and portable PCs, particularly free social media or security apps downloaded from the Web and installed by naïve users, may be Trojans, spyware, worms or other malware, especially on jailbroken devices.

APT (Advanced Persistent Threat): A highly sophisticated, sustained and ultimately damaging attack, or a series of attacks, by a very resourceful, determined and capable adversary. Generally involves a combination of methods and tools, such as custom malware, social engineering, hacking (including hacked hardware, software or firmware, including "things") and/or physical intrusion.

Autonomous weapon: A fire-and-forget cyberweapon capable of acting autonomously or semi-autonomously using "smarts" (artificial intelligence) to complete complex reconnaissance, surveillance and/or combat missions with little if any direct involvement and real-time control by human operators, in contrast to remote-controlled or "dumb" weapons. May be a physical device or malware.

Autorooter: Software tool that gives hackers or script kiddies fully privileged access to vulnerable systems.

Backdoor, trapdoor: Cryptic control bypass function in a program allowing users to access the system without proper authorization. Sometimes coded in for legitimate software development, testing or support purposes (e.g. cheat codes used to bypass the early stages in an electronic game or make a game character invincible, immune to attacks), occasionally for dubious, unethical, nefarious or malicious purposes (e.g. hacking, coercion, embezzlement, fraud, espionage or covert license compliance checks, or introduced by malware).

Bank Trojan, banking Trojan, online banking Trojan, banker Trojan: Trojan (such as Zeus) that captures user authentication credentials (typically by keylogging) or hijacks web sessions (usually via man-in-the-middle attacks) to steal funds from online bank accounts.

Bashdoor: See shellshock.


Bayesian: Heuristic technique based on probability theory, originally developed by Thomas Bayes, often used to identify potential information security events (such as spam and malware).

BHO (Browser Helper Object): Program that loads and runs automatically when Internet Explorer is launched. Some BHOs are malware.

Binder: Hacker term for a program that combines multiple executables within one program.

Bit-bucket, sinkhole: Notional device or network address where unwanted data/traffic can be sent to expire. Antivirus analysts sometimes hijack the command-and-control features of malware to send stolen data down a sinkhole instead of going to the criminals behind the scams.

Black market, criminal underground: Unofficial, covert, unregulated and untaxed commercial market for stolen property (both physical and intellectual) plus the knowledge, tools, processes (such as money laundering) and other resources of the criminal fraternity.

BlackPOS: Species of POS memory-scraping malware in the wild. Used to compromise the US retailer Target in 2014.

Blaster: Infamous worm from 2003.

Blended threat, blended attack: Form of attack that combines methods, such as using social engineering to dupe a target into infecting their systems with malware.

Boot sector virus: Form of malware that infects the boot sector (Master Boot Record, MBR) on a disk, i.e. that part of the disk which is accessed first by the bootloader (itself stored in firmware) in order to load the operating system and so start up the computer. This precedes the loading of most security software, including basic antivirus programs, which execute only after the operating system has started.


Bot, zombie: Short for robot. (a) Networked computer under the remote control of hackers, often compromised using Trojans. The owner of the computer usually remains oblivious. Often corralled together in botnets. Also known as a zombie, as in the living dead of Hammer horror fame. (b) Any autonomous piece of software capable of roaming systems and/or networks, whether for benign (e.g. indexing Web pages for search engines) or malicious (e.g. spyware) purposes.

Bot master, botmaster: Hacker or cracker who commands and controls a botnet.

Botnet: Network of bots used for hacking/criminal activities such as spamming, identity theft, carrying out DDoS attacks or as launch pads for attacking other systems. Botnets comprising hundreds or thousands of compromised machines are rented out to hackers on the black market.

Botware: Malware used to command and control a bot, for example allowing the bot master to download, install and run a code module for a particular type of network attack.

BRAIN.A: Widely held to have been the first personal computer virus, created in 1986 as a proof-of-concept by two Pakistani geeks who subsequently set up an ISP called Brain Communications. Spread on floppy disks. Strictly speaking, it was not a true virus since it did not attach itself to executable programs, and it was pre-dated by viruses on other platforms such as Creeper (DEC PDP-10, 1971), ANIMAL/PERVADE (Univac, 1974) and Elk Cloner (Apple II, 1981).

Breach: Form of information security incident normally involving deliberate action by someone, as opposed to those with purely accidental causes, for example penetrating a defensive barrier of some form, such as a wall or firewall, or actively compromising security in general.

Browser hijack: Malware attack that changes the user's normal browser home page selection to some other inappropriate/unsafe website.

Carbanak: Bank Trojan in the wild, built using Carberp.

Carberp: Crimeware kit for building Trojans. As with Zeus, the source code for Carberp was released onto the Internet.


Certifi-Gate: Vulnerability in digital certificate handling by some privileged remote access/administration tools on Android systems, exploited by malware in 2015.

ChewBacca: One of several memory-scraping malware programs in the wild.

Christmas tree: One of the earliest worms, released in 1987. Less damaging than The Internet Worm.

Citadel: Trojan RAT generated using the Zeus crimeware kit; installs a remotely-configurable botnet to mount various attacks.

Click bait: Something attractive that lures unsuspecting computer users to click a link, open an attachment, install or run a program or whatever, leading typically to their devices being infected with malware and/or their being defrauded or otherwise compromised. A form of social engineering.

Click fraud: Fraud techniques targeting click-through affiliate marketing schemes that pay a bounty for visitors' clicks. In one form, malware surreptitiously swaps genuine affiliate codes embedded in URLs and cookies for codes to the fraudsters' own accounts. In another, malware racks up large pay-per-click charges and/or artificially inflates website reputational ratings by clicking online advertisements.

Clickjacking: Hacking technique that surreptitiously diverts visitors' clicks on one website to another website, typically then launching malware attacks against the visitors' PCs.

Click-regret: The sinking feeling that follows an unwise click on a dubious link, app, attachment or security warning message.

CME (Common Malware Enumeration): Process run by MITRE to assign a common ID to new malware that may otherwise be identified/named independently by several antivirus companies or malware analysts, causing confusion.

Code Red: A worm that infected insecure, unpatched Web servers running Microsoft IIS software in 2001. Defaced websites with "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"


Command and Control (C2, C&C): Generally, systems and processes for directing and monitoring diverse operations. In the hacking context, C2 normally refers to the covert remote direction and management of malware botnets by the bot master. In the military context, C&C refers to the command structure, lines of communication etc. used to monitor and direct operations.

Companion virus: Virus that takes advantage of the operating system's prioritization of file names with certain extensions, e.g. a virus calling itself game.com may be executed in preference to game.exe, the program the user intended to run. Companion viruses typically execute covertly then launch the intended program, hoping that the user remains blissfully unaware of the subterfuge.

Concept: One of the first macro viruses, dating back to 1995.

Conficker: Very prolific worm, released in 2008 and still in the wild in 2016.

Contingency: Unanticipated and often inherently unpredictable situation or information security incident, such as a disaster (e.g. a bomb, plane crash, flood or fire), logical/technical disaster (e.g. malware outbreak, equipment breakdown, software flaw/bug, hack or similar attack on a major business system or network) or business disaster (e.g. a serious fraud or hostile takeover attempt), which other controls have failed to prevent. The appropriate responses are contingent (dependent) on the exact nature of the incident and the situation in which it occurs.

Corruption: Common form of integrity failure, e.g. data corruption caused by malware, bugs and user errors, and human corruption caused by coercion or bribery and poor ethics.

Crash: Unplanned sudden computer system failure resulting from an unhandled exception/error condition triggered accidentally by a bug, deliberately by a hack or malware, or accidentally by a power cut etc.


Crimeware, crimeware kit, attack toolkit, exploit kit: Software package used to generate and/or distribute malware using libraries of technical exploits, plus the infection and remote-control elements including functions to report statistics on the status of the exploitation process. A few crimeware kits (such as Carberp and Zeus) have been released onto the Internet. Some are traded commercially on the black market or hacker underground. Most are jealously guarded by the hackers who created and maintain them and/or the criminals who pay for and exploit them.

Cross Site Scripting, XSS: Web hacking technique in which badly-designed websites (e.g. some bulletin-board systems) with inadequate data entry validation are made to return malicious URLs, HTML, JavaScript or other executable code (malware) to the user's browser for execution (e.g. to manipulate or disclose their supposedly private cookies or other local data). [Denoted XSS to avoid being confused with Cascading Style Sheets.]

CryptoLocker: A nasty example of ransomware in the wild that surreptitiously encrypts victims' data, coercing them into paying a ransom for the decryption keys.

Cryptowall: Another example of ransomware that surreptitiously encrypts victims' data, coercing them into paying a ransom for the decryption keys. The current version uses strong encryption.

Cyber-extortion: Criminal exploitation of illegitimate access to and control over sensitive and/or valuable information in order to coerce victims out of money etc. Attacks typically involve the use of hacking, malware, theft of data storage media or ICT devices, and/or social engineering. See also extortion.

Cybertage: Sabotage in cyberspace that compromises IT systems/devices, databases, networks, data or information, e.g. destroys or damages them, interrupts or delays business activities, or leads to the loss of valuable business or the inappropriate disclosure of confidential information. Whereas sabotage usually implies inflicting physical damage (such as arson), cybertage often affects intangible information assets (e.g. using malware).


Cyberthreat: Threat or threat agent active in the cybersecurity domain, particularly substantial, highly capable ones backed by governments and other resourceful and determined adversaries.

Cyber-vandalism: Computer-enabled wanton damage, or wanton damage of computers.

Cyber-vigilante: Person who uses hacking, malware, social engineering etc. to further a malicious personal agenda or obsession.

Cyberweapon: Tool or technique (such as a computer, malware, hacking, social engineering, cybertage, spying, coercion or EMP weapon) capable of being used offensively to attack an adversary's critical infrastructure as part of cyberwar or a similar military mission, and/or to defend against such attacks.

Data miner: Form of malware that covertly collects information on web users, for example secretly recording personal data submitted by users of online forms.

Data stealing/thieving/theft malware: Malware that surreptitiously harvests and exfiltrates valuable proprietary or personal data from infected systems and networks, to be exploited directly or sold on the black market.

DEP (Data Execution Prevention): Operating system security feature intended to prevent pages in memory that happen to contain executable code from actually being executed by the CPU unless they have been designated as executable using the NX (No eXecute) bit. Helps prevent buffer overflow and similar attacks. See also SEH.

Dexter: One of several memory-scraping malware programs in the wild.

Dialer: Old-skool form of malware which silently calls a premium rate phone number via a modem, committing toll fraud.


DLP (Data Leakage [or Loss] Prevention): Security technology designed to monitor, identify, log/alert and, if appropriate, block the inappropriate transfer of confidential information through a network port or firewall, for example to prevent workers, malware or hackers passing personal information, credit card numbers or trade secrets to third parties through the Internet, whether by accident or on purpose.

Dorkbot: Windows malware in the wild. This RAT spreads via social networks, IM and USB devices, delivering various payloads including bank Trojans, keyloggers and DDoS engines.

Double extension: Operating systems and applications often determine a file's type according to the final extension on its name, preceded by a period (e.g. files containing executable programs often end with .exe). Systems may not display the extension for known file types. Additional periods and characters preceding the final extension (such as .txt.exe) may be treated as part of the file name. Some malware uses this and other social engineering techniques to fool victims; for instance, an email might entreat the user to open the attached text file containing a disputed invoice, whereas the attachment is actually a malicious program that executes when the victim opens it.
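As an added illustration of the double-extension trick described in this entry (not part of the original glossary), the Python below simulates a file manager that hides the final extension of known file types and flags attachment names whose visible part looks like a document while the real, final extension is executable. The extension lists and the sample attachment names are constructed for the example; a mail gateway or endpoint agent would apply the same check to real attachment metadata.

```python
import os

# Extensions that Windows shells and mail clients run as programs (constructed list for this example)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".jar"}
# Extensions a recipient would expect on a harmless document or picture (constructed list)
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def split_extensions(filename):
    """Return every dot-suffix of a file name, lower-cased, the real (final) one last.

    'invoice.txt.exe' -> ['.txt', '.exe']; 'README' -> []; a leading dot
    ('.bashrc') belongs to the name, not to an extension.
    """
    base = os.path.basename(filename)
    parts = base.lstrip(".").split(".")
    return ["." + p.lower() for p in parts[1:]]


def displayed_name(filename):
    """Mimic a file manager with 'hide extensions for known file types' enabled.

    Only the final extension is hidden, so 'invoice.txt.exe' is shown as 'invoice.txt'.
    """
    exts = split_extensions(filename)
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS:
        return filename[: -len(exts[-1])]
    return filename


def is_deceptive_double_extension(filename):
    """True when the final extension is executable but an earlier extension
    makes the visible name look like a document or picture."""
    exts = split_extensions(filename)
    if len(exts) < 2 or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return False
    return any(ext in DOCUMENT_EXTENSIONS for ext in exts[:-1])


def triage_attachments(filenames):
    """Return (real name, name as the victim would see it) for every deceptive attachment."""
    return [(name, displayed_name(name))
            for name in filenames if is_deceptive_double_extension(name)]


# Constructed attachment names, as they might appear in a mail gateway log
SAMPLE_ATTACHMENTS = [
    "disputed_invoice.txt.exe",
    "quarterly_report.pdf",
    "holiday_photo.JPG.scr",
    "setup.exe",
    "backup.tar.gz",
]

if __name__ == "__main__":
    for real, shown in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"flagged: shown as {shown!r}, actually {real!r}")
```

Note that backup.tar.gz carries two extensions but is not flagged, because the final one is not executable; the check targets the specific combination the entry describes, a document-looking name in front of a program extension.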

Downloader: Form or component of malware which downloads additional code (usually the payload) from the Internet. This arrangement allows criminals to change the malware dynamically, for example to evade antivirus software, attack specific new targets or extend previous attacks.

Drive-by download: Mode of malware infection involving the user merely browsing to an infectious website where vulnerabilities in the browser software are silently exploited, usually without the user being aware.

Dropper: Program which delivers/contains, unpacks and installs malware on an infected system.

Duqu: APT worm similar to and perhaps derived from Stuxnet.


Easter egg: A Trojan horse function hidden within an otherwise legitimate program. Although normally benign (such as a simple computer game or audio-visual tribute to the programmers), the fact that a covert function has been coded and passed through program testing hints at a possible governance issue with the SDLC, begging the question "What else might be going on in there?". "Hidden functionality within an application program, which becomes activated when an undocumented, and often convoluted, set of commands and keystrokes are entered. Easter eggs are typically used to display the credits for the development team and are intended to be nonthreatening" (NIST SP 800-28).

Egress filtering: Blocking of traffic as it exits a network, for example to prevent malware-infected or hacked computers on corporate networks from sending spam or attacking systems on external networks, or to block highly classified information from passing onto an unclassified network. Cf. ingress filtering.

Email (Electronic mail): Popular communications mechanism that originally used private commercial networks (such as AOL, CompuServe and internal corporate networks) then moved over to the Internet in the 1980s/90s. Emails are sent and received asynchronously, meaning they wait in the recipient's mailbox until being opened and read, as opposed to real-time and near-real-time online chat systems such as IM. Vulnerable to numerous information security threats and incidents such as malware, spam, 419s and other frauds, coercion, social engineering, unpredictable delays and occasional non-delivery or mis-delivery of messages, interception or inappropriate and unauthorized disclosure of confidential information, hacking of email servers/systems, spoofing of email headers and message content etc.

Embedded malware: Malware (such as APTs) hidden so deeply within a system (possibly in the hardware, microcode, firmware, device drivers or operating system kernel) that only forensic analysis (possibly involving access to the source code, compilers and specialist tools) may reveal its presence.


Exfiltration, exfiltrate: Covert extraction of sensitive/valuable information assets from a supposedly secure system, network or organization. Normally implies that the information is being pushed out or carried out by an agent within (a person or malware), but it may also be pulled out by someone on the outside (a social engineer, hacker etc.). Cf. infiltration.

Extortion: The use of coercion (typically involving threats of cybertage, disclosure of confidential information or denial of service through ransomware) to obtain assets (generally money) from a target (an individual or organization).

Fork bomb, wabbit: Malware that spawns one or more copies and itself starts those copies running, thus exponentially increasing in number until it exhausts finite system resources and thus, generally, brings the entire system to a halt, i.e. a denial of service attack.

Grayware, greyware: See Potentially Unwanted Program (PUP).

Hacker underground: A somewhat covert social network or community of individuals and groups of hackers, crackers, malware authors (VXers), script kiddies, bot masters etc. through Internet websites, chat rooms, bulletin boards, conferences and club meetings etc. Increasingly linked to criminal gangs, criminal activities (e.g. the use of crimeware) and the black market.

Heap overflow, memory leak: Class of software vulnerability similar to buffer overflow in which conditions such as inadequate type or bounds checking and exception handling in programs lead to variable values exceeding their allocated space on the heap and issues such as program or system crashes, and unauthorized disclosure of confidential data such as passwords and cryptographic keys.

Heuristic: Method involving learning from experience, such as a rule-of-thumb. Some antivirus software uses heuristic techniques to identify possible malware by its unusual patterns of behavior, while Bayesian anti-spam methods learn from user selections to differentiate spam from ham.
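As an added example serving both this entry and the Bayesian entry earlier in the glossary (not part of the original document), the following Python implements a small naive Bayes spam filter of the kind described: it learns word frequencies from messages the user has marked as spam or ham, then scores a new message by Bayes' rule with add-one smoothing so that words never seen in training do not zero out the probability. The training messages are constructed for the example; a real filter would learn from the user's own mailbox selections.

```python
import math
from collections import Counter


def tokenize(text):
    """Lower-case word tokens with surrounding punctuation removed."""
    words = (w.strip(".,!?:;()\"'").lower() for w in text.split())
    return [w for w in words if w]


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes classifier over word counts: spam vs ham."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.doc_counts = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        """Learn from one message the user has marked as 'spam' or 'ham'."""
        self.doc_counts[label] += 1
        for word in tokenize(text):
            self.word_counts[label][word] += 1
            self.vocab.add(word)

    def _log_posterior(self, label, tokens):
        # log P(label) + sum of log P(word | label), with Laplace (add-one) smoothing
        prior = self.doc_counts[label] / sum(self.doc_counts.values())
        if prior == 0:
            return float("-inf")
        total_words = sum(self.word_counts[label].values())
        score = math.log(prior)
        for word in tokens:
            count = self.word_counts[label][word]  # Counter returns 0 for unseen words
            score += math.log((count + 1) / (total_words + len(self.vocab)))
        return score

    def spam_probability(self, text):
        """P(spam | text), normalised over the two classes; 0.5 if nothing was learned."""
        if sum(self.doc_counts.values()) == 0:
            return 0.5
        tokens = tokenize(text)
        log_spam = self._log_posterior("spam", tokens)
        log_ham = self._log_posterior("ham", tokens)
        shift = max(log_spam, log_ham)  # subtract the larger term to avoid underflow in exp()
        p_spam = math.exp(log_spam - shift)
        p_ham = math.exp(log_ham - shift)
        return p_spam / (p_spam + p_ham)

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training messages standing in for the user's past spam/ham selections
TRAINING_SET = [
    ("Claim your free prize now! Click here to win money", "spam"),
    ("Cheap meds online, order now and save money", "spam"),
    ("You have won a lottery prize, click the link to claim", "spam"),
    ("Meeting moved to 3pm, see the agenda attached", "ham"),
    ("Can you review the quarterly report before Friday?", "ham"),
    ("Lunch tomorrow? Let me know what time works", "ham"),
]


def build_demo_filter():
    """Train a filter on the constructed set above and return it."""
    spam_filter = NaiveBayesSpamFilter()
    for text, label in TRAINING_SET:
        spam_filter.train(text, label)
    return spam_filter


if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("Click now to claim your free money prize",
                "Please review the attached agenda before the meeting"):
        print(f"{f.spam_probability(msg):.3f} {f.classify(msg)}: {msg}")
```

The threshold is the operational knob: raising it trades missed spam for fewer legitimate messages quarantined, which is why such filters keep learning from the user's corrections rather than shipping with fixed word lists.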

Honeypot, honeynet: Networked computers deliberately configured as decoys to lure hackers or malware for forensic investigation, or more simply as a security alerting/early-warning mechanism.


Hypervisor, Virtual Machine Monitor (VMM): Program that mediates interactions between virtual systems and the underlying hardware platform. Some malware covertly installs a hypervisor in order to manipulate the operating system's access to disk and memory resources and conceal its presence from antivirus software. Security vulnerabilities in hypervisor programs may result in inappropriate interactions such as escape.

ILOVEU, Love letter: Well-known worm from the year 2000 that used social engineering to spread via email to the first 50 addresses found in Outlook, fooling victims into thinking they had received a love letter from a friend.

Infect, infection, infectious: By analogy to the biological process, malware is said to infect vulnerable systems when it spreads to, executes on and compromises them.

Infiltrator, infiltration: An outsider who somehow manages to work their way into a privileged position of trust within the organization or penetrate its systems and network, gaining internal/insider access to corporate assets, typically with the intent of stealing proprietary information (industrial espionage), sabotaging critical business processes, committing cybertage and/or recruiting insiders. Long-term physical infiltration by moles and sleepers is popular in spy novels but not so common in the commercial world due to the high costs and risks compared to, say, employing, bribing or coercing insiders, social engineering, short-term physical site penetration (e.g. trespass, draining), deploying malware, hacking etc. Cf. exfiltration.

Instant Messaging (IM): A form of real-time person-to-person communication originally using typed messages similar to SMS, but gradually expanded to include audio and video modes. Used for online chatting, such as conversations between customers and technical support functions. Vulnerable to malware, disclosure of confidential information, social engineering, SPIM and various other information security threats.

In the wild: Malware or other forms of exploit that are actually circulating and causing real-world impacts, as opposed to those which have only ever been seen in laboratories or in the furtive imaginations of malware analysts.


ISO/IEC 27036-3:2013: International standard "Information security for supplier relationships Part 3: Guidelines for ICT supply chain security" guides both suppliers and buyers of information and communications technology-based goods and services, specifically, on information security risk management relating to the supply chain, including risks such as malware and counterfeit products, and the integration of risk management with system and software lifecycle processes.

Jailbroken, jailbreak: Sandbox constraints on the use of some ICT devices, primarily for information security or commercial reasons (e.g. to prevent the installation of apps not obtained through the official app store), can be (partially) disabled by users running jailbreak software, and perhaps covertly exploited by hackers or malware.

Jerusalem: One of the earliest viruses.

Keylogger: Malware that covertly records the user's keystrokes. There are hardware and software types. Hardware keyloggers are devices inserted into the keyboard cable or connector, where they may appear to be ferrite RF interference suppressors, or fitted inside the keyboard or PC case or wireless keyboard receiver. Software keyloggers are typically Trojans.

Likejacking: Hack that substitutes the legitimate JavaScript or other code that runs in the browser when someone clicks a "like" button on social media with malware.

Logic bomb: Form of malware designed to lie dormant but self-activate at some point, e.g. at a certain time (i.e. a time bomb), when a certain user logs on, or when a particular event or combination of events occurs on the system (e.g. the programmer is removed from the payroll), leading to some malicious action (e.g. shut down the system, modify or delete data, disable security controls).

Macro virus: Form of malware that infects data files used by word processing, spreadsheet and other programs that have a sufficiently powerful and yet insecure built-in scripting or command language.


Malicious: With malice, mean and nasty, intending to cause or knowingly causing harm to another. Cf. benign.

Malvertising: Online advertisement that attempts to exploit vulnerabilities in visitors' browsers to infect their systems with malware. Often placed on otherwise benign and normally trustworthy websites without the website owner even being aware of the threat, but sometimes on blatantly malicious sites using various deceptive tricks to lure victims.

Malware: Contraction of "malicious software", meaning programs designed and written with malicious intent or purposes (such as damaging computer systems, data, networks etc. and/or harming their users' interests), including viruses, worms, Trojans, rootkits, logic bombs, time bombs, ransomware, spyware, scareware etc. "Malicious software designed specifically to damage or disrupt a system, attacking confidentiality, integrity, or availability. Note: Viruses and Trojan horses are examples of malware" (ISO/IEC 27033-1).

Man-In-The-Browser (MITB): Man-In-The-Middle attack involving a keylogger that hijacks the user's privileged online session, intercepting and manipulating his keystrokes through the browser, injecting/altering transactions and tricking the user into unknowingly authenticating fraudulent transactions using his password and/or security token. See also bank Trojan.

Man-In-The-Middle (MITM), session hijack: Attack in which the attacker intercepts and compromises messages passing between two parties, generally using masquerading to fool each party into believing that the attacker is the legitimate counterparty. May involve stolen, faked or genuine digital certificates obtained under false pretenses, and/or malware (malware-in-the-middle). Exploits the trust placed in connections that communicating parties believe are direct and secure.


Memory-scraping malware, RAM-scraper: Type of malware that monitors and captures confidential data in working memory in the course of processing. While such malware commonly infects point-of-sale systems, implying a criminal motive, the technique has broader application for national and industrial espionage and other nefarious purposes such as stealing valuable intellectual assets such as cryptographic keys and passwords (e.g. keyloggers), for surveillance or cybertage.

Michelangelo: Well known virus from 1992, widely hyped by the news media but negligible in impact since most infected systems had been successfully disinfected prior to the payload being triggered on Michelangelo's birthday, March 6th. Based on Stoned.

Mobile code: Programs capable of executing on different types of system; for example, well-designed Java programs can be executed on any operating system which hosts a compliant Java virtual machine. While such portability can be tremendously convenient for programmers and users, malware such as worms may exploit security vulnerabilities in the technical architecture (e.g. breaking out of the sandbox) to spread far and wide.

Mobile device: Portable computing and telecommunications device such as a smartphone or tablet PC. Thanks to innovative technologies, modern mobile devices are effective IT platforms, but constraints such as miniaturization, portability, wireless connections, battery power and price limit the processing and memory capacity, which in turn makes them hard to secure against malware and hacks, plus plain old theft and loss. On top of that, naïve users don't always appreciate and use security features properly, sometimes ill-advisedly disabling controls, e.g. jailbreaking.

Monetize: Steal or misappropriate money, for example malware that causes smartphones to call or send text messages to a premium rate number (toll fraud).

Muieblackcat: Botnet in the wild in 2015, based on a PHP bot or vulnerability scanner that has been in use since at least 2011.


Information security glossary

Term Meaning
Multifunction device Modern networked printers (particularly those that also offer
scanning and FAXing) are typically built around embedded
microprocessors running Linux-based operating systems with
minimal security. As such, they are often vulnerable to hackers
and malware on the network, in addition to user and
configuration errors, physical attacks/damage/accidents,
software bugs etc. Many contain significant data storage
capacity, potentially exposing cached copies of
printed/scanned/FAXed documents etc.

Multifunctional malware Malware that has the capability for multiple functions or
modes of operation (e.g. having the characteristics of, or being
able to switch between, a worm, Trojan, spyware and
ransomware), generally achieved by downloading modules,
exploits and parameters through a command and control
channel.

Nagware Neologism referring to software that repeatedly displays


annoying reminders to do something (such as upgrade to
Windows 10), regardless of user preferences. Whether it
qualifies as adware, malware or a PUP is a moot point: nobody
enjoys being nagged. It is an unwelcome diversion, at best.

Nimda Worm released in September 2001, shortly after Code Red. It
spread widely and quickly by using several modes of infection
at once: email attachments, open network shares, IIS
vulnerabilities, infected web pages and the backdoors left
behind by Code Red II. Nimda is admin spelt backwards, hinting
at the VXer's geeky sense of humor.

Nuclear A crimeware kit.

O-day, oh-day See zero-day.

Obfuscation Deliberately hiding or concealing the true nature or extent of
something, such as a hacker's location, the fact that an attack
is taking place, or malware code. An example of
misinformation.

Online chat Electronic messaging services (such as IM, SMS and email) used
for personal communications through networks such as the
Internet. Vulnerable to malware, disclosure of confidential
information, social engineering, spam/SPIM, misinterpretation
and various other information security threats.

Outbreak A rapidly-spreading malware incident, analogous to an
escalating biological viral or bacterial infection that puts the
authorities on high alert. See also Warhol worm.

Packing, packer Hacker or VXer term for a code obfuscation technique or tool
which compresses or encodes the executable code within a
program, prepending a small stub that decodes it into memory
at runtime. Simple pattern-matching signature detection
against the packed file is therefore ineffective as an
antivirus technique: scanners must either recognize the
packer stub itself or unpack (emulate) the file before
scanning its contents.

Password vault Trusted program and/or hardware designed to store
passwords, cryptographic keys, PIN codes, user IDs and other
credentials or highly confidential pieces of information
securely (meaning encrypted using a key derived, through a
deliberately slow key derivation function, from the one
strong master password that the user must remember), and
regurgitate them on demand by the authorized user when
logging on to the relevant systems or websites. Good
password vaults help the user generate much stronger
(i.e. longer and more complex) passwords or passphrases than
anyone other than a memory freak can manage and store
reliably in their heads, limited only by the constraints of the
target systems. Bad password vaults may be rogue software,
Trojans or spyware, and may have design flaws and bugs
creating security vulnerabilities.

Payload Destructive function (the business end) of malware that
performs unauthorized functions such as deleting or modifying
files, stealing secrets etc.

Pharming Fraud involving the manipulation of DNS (e.g. poisoning a
resolver's cache, or changing the DNS server settings on a
device or home router) or of local name resolution (such as
the hosts file) in order to redirect users silently to fake
websites that appear legitimate. Unlike phishing, the victim
types the correct address and still ends up on the wrong site.
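A simple check for the hosts file variant of pharming, as an added example (not part of the original glossary): it parses hosts file content and flags any watched domain that is pinned to a real address rather than to a loopback or unspecified sinkhole. The hosts content, the watched domain list and the addresses are constructed for the demonstration; on a live system the file is /etc/hosts on UNIX-like systems or C:\Windows\System32\drivers\etc\hosts on Windows.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed hosts file content for the demonstration, not from a real system.
# The final line is the kind of entry pharming malware plants: a bank's name
# pinned to an attacker-controlled address, so DNS is never consulted.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.tracker.example        # ad blocker style sinkhole, benign
203.0.113.45    www.examplebank.com examplebank.com
"""

# Hypothetical list of domains worth watching (an assumption for the example).
WATCHED_DOMAINS = ("examplebank.com", "login.examplepay.com")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            pairs.append((address, name.lower().rstrip(".")))
    return pairs


def is_sinkhole(address: str) -> bool:
    """Loopback and unspecified addresses block a name rather than redirect it."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False   # malformed address: not a sinkhole, so the entry gets flagged
    return addr.is_loopback or addr.is_unspecified


def matches_watched(name: str, watched: Iterable[str]) -> bool:
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_entries(text: str, watched: Iterable[str] = WATCHED_DOMAINS) -> List[Tuple[str, str]]:
    """Flag watched domains (or subdomains of them) that the hosts file maps
    to anything other than a sinkhole address."""
    watched = tuple(watched)
    return [(address, name) for address, name in parse_hosts(text)
            if not is_sinkhole(address) and matches_watched(name, watched)]


if __name__ == "__main__":
    for address, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {address}")
```

The same check belongs in an endpoint baseline: any change to the hosts file, or to the configured DNS servers, on a machine that is not supposed to have local overrides is worth an alert regardless of which names are involved.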

Polymorphic Type of malware which changes its code (morphs or mutates)
as it infects successive systems/files, making reliable detection
by signature identification, and disinfection, somewhat
challenging.
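An added example (not code from the glossary, and involving no real malware) that illustrates both the packing and the polymorphic entries above: a stand-in payload is XOR-encoded behind a decoder stub with a fresh key per generation, so every copy has different bytes and a different hash and the plain byte signature never matches the stored file, while an emulating scanner that lets the stub run first still catches all of them. The payload, signature and stub format are constructed for the demonstration.

```python
import hashlib
import os
from typing import List, Optional

# Constructed stand-in for a malicious payload and the byte pattern an antivirus
# signature would match on. No real malware is involved.
PAYLOAD = b"\x90\x90\xcc" + b"EVIL_PAYLOAD_MARKER" + b"\x90\x90"
SIGNATURE = b"EVIL_PAYLOAD_MARKER"

# In a real packer this prefix would be executable decoder code; here it is a
# plain marker followed by the key length and key, so unpack() can reverse pack().
STUB = b"UNPACK_STUB:"


def pack(payload: bytes, key: Optional[bytes] = None) -> bytes:
    """Simulated packer: XOR the payload with a per-build key behind a stub."""
    if key is None:
        key = os.urandom(8)          # fresh key per generation = polymorphism
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return STUB + bytes([len(key)]) + key + encoded


def unpack(packed: bytes) -> bytes:
    """What the decoder stub does at run time: rebuild the original payload."""
    if not packed.startswith(STUB):
        raise ValueError("not a packed sample")
    pos = len(STUB)
    klen = packed[pos]
    key = packed[pos + 1:pos + 1 + klen]
    encoded = packed[pos + 1 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(encoded))


def fingerprint(sample: bytes) -> str:
    """File hash, the crudest possible signature."""
    return hashlib.sha256(sample).hexdigest()


def static_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive antivirus: byte-pattern search over the file as stored on disk."""
    return signature in sample


def emulated_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Unpack first, as an emulator or sandbox effectively does by letting the
    stub run, then search the recovered code."""
    if sample.startswith(STUB):
        sample = unpack(sample)
    return signature in sample


def generations(n: int) -> List[bytes]:
    """n polymorphic copies: identical behaviour, different bytes and hashes."""
    return [pack(PAYLOAD) for _ in range(n)]


if __name__ == "__main__":
    for g in generations(3):
        print(fingerprint(g)[:16], "static:", static_match(g), "emulated:", emulated_match(g))
```

The stub itself is the one constant across generations, which is why real scanners also carry signatures for known packer stubs and treat an unrecognized stub on an otherwise unknown file as suspicious in its own right.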

Polyransom Highly polymorphic species of ransomware, in the wild in 2015.

PoSeidon Species of POS memory-scraping malware in the wild in 2016.
Includes keylogging and other capabilities.

POS memory-scraping malware Type of Trojan that covertly captures, encrypts and stores
plaintext payment card information (PANs, expiry dates and
track data) from the working memory of infected Point Of Sale
systems as sales are processed, during the brief window between
the card being read and the data being encrypted for
transmission. The encrypted data files may then be sent
through the Internet to be exploited by criminals through card
fraud etc. A specific application of memory-scraping malware.
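The kind of sweep a RAM scraper performs, shown as an added example for the defender's benefit (not code from the glossary or from any real malware family): it scans a memory buffer for Track 2 style records and for digit runs that pass the Luhn check, which is how scrapers tell card numbers apart from order numbers and the like. The buffer and its contents are constructed; the PANs are the standard, publicly known test numbers. Run over a process dump, the same logic is a practical way to confirm that a POS application really does encrypt card data in memory as its vendor claims.

```python
import re
from typing import List, Tuple

# Constructed snapshot of a hypothetical POS process's memory: noise around one
# Track 2 style record and one bare PAN. Both PANs are well known test numbers.
MEMORY = (
    b"\x00\x00Receipt #88213 total=42.17\x00"
    b";4111111111111111=25121010000000000000?"   # Track 2 format: ;PAN=YYMM...?
    b"\x00\x00order-id 1234567890123456\x00"      # 16 digits, but fails Luhn
    b"\x00PAN:5555555555554444 approved\x00"      # bare PAN
)

TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})\d*\?")
DIGIT_RUN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_pans(buf: bytes) -> List[str]:
    """Return Luhn-valid 13-19 digit runs found in buf, deduplicated, in order."""
    found: List[str] = []
    for m in DIGIT_RUN_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan) and pan not in found:
            found.append(pan)
    return found


def scrape_track2(buf: bytes) -> List[Tuple[str, str]]:
    """Return (PAN, expiry as YY/MM) for Track 2 style records."""
    return [(m.group(1).decode("ascii"), f"{m.group(2).decode()}/{m.group(3).decode()}")
            for m in TRACK2_RE.finditer(buf)]


def mask(pan: str) -> str:
    """Keep first six and last four digits, the usual truncation for display/logging."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in scrape_pans(MEMORY):
        print("PAN in cleartext:", mask(pan))
    for pan, exp in scrape_track2(MEMORY):
        print("Track 2 record:", mask(pan), "expires", exp)
```

Luhn alone produces false positives on roughly one in ten random digit runs, so real scrapers (and real hunting scripts) narrow the search further with issuer prefix ranges and the Track 1/2 delimiters; the masking function exists because a hunting tool must never write the PANs it finds into its own logs.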

Potentially Unwanted Program (PUP),
Potentially Unwanted Software (PUS),
Potentially Unwanted Application (PUA),
grayware Software of dubious value, potentially a threat to the person
using the computer, such as adware. Antivirus companies use
such politically-correct terms mostly to avoid overtly accusing
the authors and distributors of having malicious intent as
implied by terms such as malware, spyware etc., and partly to
acknowledge that some users presumably find the software
worthwhile.

Power Worm A species of ransomware in the wild that evidently contains a
bug or flaw which corrupts as well as encrypts the victim's
data, making them irretrievable even if the ransom is paid.
Nasty.

Quarantine Safe holding area on a system to which suspected malware is
diverted by antivirus software pending further investigation.

RAM-scraper See memory-scraping malware.

Ransomware, crypto-ransomware, lock-screen ransomware Malware that
restricts access to information on an IT system (e.g. by
encrypting the data, i.e. crypto-ransomware) or to the system
itself (e.g. by locking the screen or interfering with the boot
process, i.e. lock-screen ransomware) in order to coerce the
victim into paying a ransom to regain access. CryptoLocker is
just one of many examples in the wild. See also scareware and
crimeware.

RAT (Remote Administration Tool) Software that allows privileged remote
control of a system, normally for legitimate system
administration purposes unless a hacker somehow gains access to
the facility (e.g. by socially engineering the user into
launching a RAT session) or a user's system is infected with
RAT malware, in which case the acronym is usually read as
Remote Access Trojan.

Restore point Through the system protection function, modern Windows
systems automatically back up their system settings (critical
operating system files, programs, and registry settings) before
significant changes and periodically by default, and manually
at any time, to the System Volume Information hidden system
folder on the root drive. Provided a backup is available and
not corrupted, overwritten or lost, the user can restore it in
order to revert subsequent changes and hopefully correct
problems created by, for instance, a failed software
installation, malware infection or user error. Restore points
do not cover user data files, and ransomware commonly deletes
them (along with volume shadow copies) before encrypting, so
they are no substitute for offline backups.

Reverse engineering Working out the internals of a device, program, malware,
system, process etc. through painstaking analysis without
access to its original design, source code, documentation etc.
Often performed without the owner's permission and/or
knowledge, for example to steal intellectual property, identify
exploitable vulnerabilities in software or cryptographic
processes, to understand how malware operates or to hack.

Rogue software Free or cheap software that is advertised and appears to be
legitimate software, often security-related (e.g. antivirus
programs, anti-spyware software and password vaults), but is
itself a Trojan, spyware or other malware. See also PUP.

Rootkit Hacker toolset typically containing malware such as Trojans
used to take and retain control of a compromised computer
system. Often includes hacked variants of normal operating
system or utility programs with backdoors and other covert
functions. May be surreptitiously installed at any stage of the
system lifecycle, including during manufacture (perhaps
inserted by the authorities for national security reasons).
Usually hidden deep in the system kernel, device drivers,
firmware or microcode, and may actively evade detection
(e.g. by manipulating the system calls and functions used for
directory listings), hence very hard to identify and eradicate.

Sality Species of file-infecting malware in the wild since 2003,
responsible for large peer-to-peer botnets in 2015.

Scareware Malware intended to scare or extort the user of a system into
parting with money, usually. One example claims that the
system has been flagged by the FBI due to illegal content, so
the user must pay a fine to avoid being prosecuted (they seem
a bit confused about the process!). More malicious forms
include ransomware. See also crimeware.

Script kiddie, skid Pejorative term for an unsophisticated/novice hacker or
wannabe who relies on hacking scripts, tools or malware
created by more highly skilled, capable and competent
hackers.

Scorched earth Term with military origins referring to the systematic
destruction of assets that might benefit adversaries when
retreating from hostile territory e.g. using flamethrowers and
explosives. As we saw in the Sony hack, hackers, fraudsters
etc. sometimes use equivalent methods such as malware in an
attempt to cover their tracks i.e. destroy any remaining digital
evidence of their activities such as hacking tools, log files and
audit trails. Leads to denial of service, a destructive and
disruptive information security incident.

SEH (Structured Exception Handling) Windows mechanism for handling
exceptions that arise during the execution of programs, whether
hardware faults (such as divide-by-zero errors and invalid
memory accesses, including those caused by buffer overflows,
malware and hacks) or software-raised errors, so that designated
handler code can trap them and resolve them gracefully or
terminate the program cleanly. SEH is not itself a security
control: the per-thread chain of handler records lives on the
stack, so a stack buffer overflow that overwrites a handler
pointer is a classic way to redirect execution. Mitigations such
as SafeSEH (a linker-generated table of valid handlers) and
SEHOP (run-time validation of the handler chain) exist to block
that. See also DEP.

Shellcode Small piece of machine code delivered as the payload of an
exploit and executed once control of the vulnerable program
has been hijacked (e.g. via a buffer overflow). So named
because early examples simply spawned a command line
interpreter (shell) for the attacker; modern shellcode may
instead download further stages, connect back to the attacker
or inject into other processes. It is typically position
independent and crafted to avoid bytes (such as NUL) that
would truncate the malicious input.

Shellshock, Bashdoor A cluster of bugs (CVE-2014-6271 and related CVEs) in the
way the Bash shell/command interpreter parses function
definitions passed in environment variables, allowing arbitrary
commands appended to such a definition to be executed. Any
service that passes attacker-controlled data to Bash through
the environment (CGI web scripts, DHCP clients, some SSH
configurations) is exposed, with the attacker's commands
running at the privilege of that service, in some cases root.
Nasty. Responsible disclosure of the vulnerability by its
discoverer and ready availability of patches in September 2014
did not prevent Shellshock being widely exploited as a result
of patching delays caused by lax/incompetent system
administration and slow change authorization and
implementation processes.

Signature (a) Characteristic way that a person writes their own name,
providing a means to authenticate them (i.e. a biometric).
(b) Pattern (e.g. a distinctive byte sequence, file hash or
detection rule) that identifies a species of malware; the basis
of conventional antivirus scanning.

Silk Road, Silk Road 2.0 Online black markets where the tools (including
malware and related services) and proceeds of crime (fullz,
illicit drugs and more) were traded anonymously through the Tor
network for Bitcoins. The original Silk Road was active from
2011 until being shut down by the FBI in 2013. It was
resurrected as Silk Road 2.0 and lasted another year before
again being shut down.

Snort Open source network intrusion detection and prevention system,
driven by detection rules that are available both as free
community rule sets and as commercial subscriptions. With the
appropriate rules in place, Snort can detect, alert on and in
some cases block thousands of different network attacks/hacks,
worms etc.

Social proofing, group affirmation People in tight-knit social groups tend
to believe in, trust and respect the same things. Therefore if a
friend (or more likely someone who has stolen our friend's ID)
recommends a link or an app, we are inclined to load it without
necessarily considering the risks of malware, fraud etc.

Software One or more computer programs. Cf. hardware, firmware,
data, wetware, malware, ransomware and scareware.

[The] Sony hack Major information security incident at the end of 2014
affecting Sony Pictures Entertainment. Malicious hackers
allegedly working for North Korea compromised Sony's corporate
network, stealing a large quantity of sensitive proprietary
and personal information over several months which they then
used to extort Sony by disclosing some (creating a media
storm) and threatening to disclose more embarrassing and
damaging content. Presumably in an effort to cover their tracks
(scorched earth), the hackers also unleashed destructive wiper
malware that displayed a scary graphic and threats on desktop
screens, wiped hard drives and took IT systems out of service
for weeks, massively disrupting Sony's business activities and
causing serious commercial, legal and brand impacts.

Soraya One of several memory-scraping malware programs in the
wild.

Species [of malware] By analogy to living organisms, the population of malware is
rapidly evolving. Several distinct families of malware are
known, containing one or more species, often with multiple
variants or mutants (millions of them in the case of highly
polymorphic or heavily obfuscated types).

Spyware Type of malware which spies on the user, for example covertly
sending information about the programs run, websites visited
or data submitted, to a remote system or hacker.

Stack overflow Two related things. (a) Class of software vulnerability, more
precisely a stack-based buffer overflow, in which a program
writes past the end of a fixed-size buffer on the call stack,
corrupting adjacent variables, saved registers and the return
address, and so allowing a hacker or malware to redirect
execution to code of their choosing. (b) Exhaustion of the
stack itself (e.g. through unbounded recursion or excessively
large local variables), which normally crashes the program
rather than handing the attacker control, but is still a denial
of service.

Stagefright Set of vulnerabilities in older/unpatched versions of Android,
arising from integer and buffer overflow bugs in the operating
system's libstagefright library used to process media files. A
malicious video attached to an MMS message sent to a vulnerable
mobile device may be pre-processed automatically on receipt,
compromising the device before the user even has the chance to
open, check or delete it.

Stealth virus Cryptic virus that attempts to conceal its presence on the
system by intercepting and manipulating directory/disk access
requests. When for example an unskilled user or a crude
antivirus program searches the disk, the virus dynamically
removes or changes program names, file names etc. in the
information provided/presented by the operating system.

Stoned One of the earliest boot-sector viruses, allegedly written by a
student at Victoria University of Wellington, New Zealand, in
1987. It displayed the message "Your PC is now Stoned!" on some
infected systems. Copycat variants followed, displaying
different messages.

Stuxnet Sophisticated APT malware, discovered in 2010 and allegedly
created by the US and Israeli governments, that attacked a
supposedly highly secure but patently vulnerable Iranian
uranium enrichment facility. It crossed the air gap on USB
media, spread using Windows zero-days, then subtly sabotaged
the programmable logic controllers driving the enrichment
centrifuges while reporting normal operation to the operators.

Surveillance The process of covertly observing, snooping or spying on
someones activities, whether literally watching them,
monitoring their activities and movements, or tapping-in to
their network/online and/or telephone communications
e.g. using spyware.

Target, mark, patsy Person, organization, system, network, program,
database etc. subject to a deliberate attack such as a hack,
malware infection or fraud.

Tarpit System specifically designed to delay worms and network
probes using TCP/IP timeouts, malformed responses, multiple
retransmissions etc., either in the hope that attackers will go
after easier targets or giving analysts time to examine their
activities and perhaps respond. Often combined with
honeynets.

Teslacrypt A species of ransomware, in the wild as of 2016.

The Internet Worm, Morris Worm, UNIX Worm The first worm that spread
widely across the early Internet, in November 1988. Written
and released by Robert Tappan Morris, by his own account as an
experiment to determine the size of the Internet; a flaw in its
re-infection logic made it far more disruptive than intended.

Threat A person, situation or event (whether deliberate, targeted,
generic or accidental in nature) that is capable of causing an
information security incident. "Potential cause of an
unwanted incident, which may result in harm to a system or
organization" (ISO/IEC 27000). "Any circumstance or event
with the potential to adversely impact organizational
operations (including mission, functions, image, or reputation),
organizational assets, individuals, other organizations, or the
Nation through an information system via unauthorized
access, destruction, disclosure, modification of information,
and/or denial of service" (CNSSI-4009).

Time bomb A form of logic bomb triggered at a specific time. "Resident
computer program that triggers an unauthorized act at a
predefined time" (CNSSI-4009).

Trojan, Trojan horse A program that appears to the user to offer a useful
function or to do nothing, but in fact contains hidden malicious
functions, typically allowing remote control of the system by
hackers, or installing keyloggers to steal personal information,
passwords, PINs, credit card numbers or online banking
credentials (e.g. Man-In-The-Browser). A form of malware. "A
computer program that appears to have a useful function, but
also has a hidden and potentially malicious function that
evades security mechanisms, sometimes by exploiting
legitimate authorizations of a system entity that invokes the
program" (CNSSI-4009).

TSR (Terminate and Stay Resident) DOS program that appears to terminate
but actually continues processing in the background, waiting for
specific interrupts. Overcomes the DOS mono-threading limitation.
Early viruses were often TSR programs, as were various utilities
(known as services in Windows) and suspended user programs that
could be reactivated at short notice (e.g. Sidekick).

Typosquatter Someone who registers a domain name remarkably similar to
a popular website intending to deceive website visitors who
make typos when typing the intended URL into believing that
they are interacting with the popular website. May be a
prelude to social engineering, identity theft and other
frauds/scams, malware infection etc. May infringe
trademarks.
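An added example (not from the glossary) of the two sides of typosquatting: generating the near-miss names a squatter would register for a brand, and flagging an observed domain that sits within one typo of a protected name, using an edit distance that counts a swapped pair of adjacent letters as a single typo. The brand domain and the partial keyboard adjacency map are constructed for the demonstration; a real tool would also cover homoglyphs, hyphenation and alternative top-level domains.

```python
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical brand domain to protect (an assumption for the example).
BRAND = "examplebank.com"

# Partial QWERTY adjacency map, enough for the demonstration.
NEIGHBOURS: Dict[str, str] = {
    "a": "qwsz", "b": "vghn", "e": "wsdr", "k": "jiol", "l": "kop",
    "m": "njk", "n": "bhjm", "p": "ol", "x": "zsdc",
}


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (registrable label, tld) for a simple two-part domain."""
    label, tld = domain.lower().rsplit(".", 1)
    return label, tld


def typo_variants(domain: str) -> Set[str]:
    """Generate the near-miss names a typosquatter would register."""
    label, tld = split_domain(domain)
    variants: Set[str] = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + ch + label[i:])                # repetition
        if i < len(label) - 1:                                  # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for nb in NEIGHBOURS.get(ch, ""):                       # adjacent key
            variants.add(label[:i] + nb + label[i + 1:])
    variants.discard(label)
    return {v + "." + tld for v in variants if v}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap of
    adjacent characters each count as one edit (one typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def likely_typosquat(candidate: str, brands: List[str], max_edits: int = 1) -> Optional[str]:
    """Return the brand a candidate domain impersonates, or None. The brand's
    own exact name is of course not a squat."""
    c_label, c_tld = split_domain(candidate)
    for brand in brands:
        b_label, b_tld = split_domain(brand)
        if c_label == b_label and c_tld == b_tld:
            return None
        if osa_distance(c_label, b_label) <= max_edits:
            return brand
    return None


if __name__ == "__main__":
    print(len(typo_variants(BRAND)), "variants, e.g.", sorted(typo_variants(BRAND))[:5])
    for seen in ["exampelbank.com", "examplebank.com", "ikea.com", "examplebnak.com"]:
        print(seen, "->", likely_typosquat(seen, [BRAND]))
```

The generator is what a brand owner runs to decide which variants to register defensively or to watch in newly registered domain feeds; the distance check is what a proxy or mail gateway applies to domains actually seen in traffic.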

Victim The person or organization harmed by an incident, whether
deliberate (e.g. a malware infection) or accidental.

Virus Strictly speaking, a form of malware that replicates by
attaching itself to other programs, but loosely refers to
malware in general. Usually contains a payload that performs
unauthorized functions such as deleting or modifying files etc.

Virus hoax, hoax Chain letter spreading a false virus warning. A form of
social engineering. Hoaxes can cause alarm and waste time but are
generally benign rather than malicious.

VXer A miscreant who creates malware.

Wabbit See fork bomb.

Wapomi, Simfect Species of malware (described as a virus with Trojan and
worm-like features, a smorgasbord of nasties) that established
a massive, mostly Chinese botnet in 2015.

Warhol worm A worm that spreads at maximum possible speed throughout
the entire vulnerable population of systems on the Internet,
ensuring its fifteen minutes of fame. SQL Slammer was a
prime example in January 2003, infecting roughly 90% of
vulnerable systems within ten minutes.

Watering hole attack Hacking method in which attackers compromise a
website that their intended victims are known to visit (the
watering hole), planting drive-by downloads, Trojans or other
exploits there so that the victims' systems are compromised
during a routine visit. The victims need not be enticed at all,
although social engineering may be used to steer them to the
booby-trapped page.

Website defacement Vandalistic hacker/cracker attack on a web server, altering or
replacing the website's content, typically to demonstrate the
hacker's prowess, to infect website visitors' systems with
malware, to make some ideological or political statement (see
hacktivism), or to discredit/embarrass the website's real owner
(cybertage).

Wetware People, or more specifically our brains. Alludes to the fact that
human beings are about 60% water. Cf. hardware, software,
firmware and malware.

Wifatch Worm that infects vulnerable network routers running Linux,
then patches them (presumably to prevent them being
compromised by further malware or hacks) and joins them to
a botnet.

WireLurker Trojan that infected Apple Mac OS X systems through
trojanized applications distributed by an unofficial Chinese app
store, then used the USB connection to install malicious apps on
any iOS device plugged into the infected Mac, side-stepping the
official Apple App Store's anti-malware controls.

Worm Form of malware consisting of mobile code that exploits
network connections to spread itself between systems and
often performs unauthorized functions such as sending
unsavory emails or spam, denial of service attacks (including
unintentional attacks due to overwhelming networks/systems)
etc. Unlike a virus, a worm is self-contained and does not need
to hitch a ride on other programs. Unlike a Trojan, it does not
appear to be a useful program and does not mislead humans
into executing it. Unlike the living creature, it is not slimy and
it's no good for your compost heap.

YiSpecter In the wild malware targeting Apple devices running iOS prior
to version 8.4.

Zero-day, 0-day, O-day, oh-day Originally meant pirated software that was
available on the black market before the legitimate original had
officially been released. Evolved into a term for exploits
against software security vulnerabilities that have not yet been
recognized as such by the general public or by the software
authors, and for which security patches are not yet available.
The term is misused so often that nobody except the writer
really knows for sure what it means any more, except that it is
bad.

Zeus, ZeuS, Zbot Crimeware kit used to build Windows banking Trojans,
discovered in 2007. Zeus malware steals online banking
credentials (e.g. via keylogging and form grabbing) and its
botnets were later used to distribute CryptoLocker. Spread by
drive-by downloads, phishing attacks and infectious email
attachments. The kit's source code was leaked onto the
Internet in 2011, spawning many derivatives.

Zip bomb Malicious archive file (zip, gzip etc.) crafted so that a tiny
download expands to an enormous size when decompressed, for
example a few kilobytes of highly repetitive data that inflates
to gigabytes, or archives nested many layers deep. Intended to
exhaust disk, memory or CPU on whatever decompresses it,
whether an antivirus scanner, a mail gateway or the user's
system, until it crawls to a halt and crashes.
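An added example (not from the glossary) showing both how little a zip bomb needs on disk and how an extractor defends itself: it builds a small archive of repetitive data in memory, rejects it on the declared compression ratio before decompressing anything, and, because header fields can be forged, also counts the bytes actually produced while streaming and aborts when a budget is exceeded. The archives, the size limits and the ratio threshold are constructed assumptions for the demonstration.

```python
import io
import os
import zipfile
from typing import Dict, Tuple

MAX_TOTAL_UNCOMPRESSED = 32 * 1024 * 1024   # policy limits assumed for the example
MAX_RATIO = 100.0


def build_bomb(member_size: int = 4 * 1024 * 1024, members: int = 4) -> bytes:
    """Constructed sample: a few members of highly repetitive data. Deflate
    shrinks runs of zeros roughly 1000:1, so 16 MiB becomes ~16 KiB on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(members):
            zf.writestr(f"file{i}.bin", b"\x00" * member_size)
    return buf.getvalue()


def build_benign(size: int = 64 * 1024) -> bytes:
    """Constructed sample: incompressible data, ratio about 1:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("random.bin", os.urandom(size))
    return buf.getvalue()


def inspect_zip(data: bytes) -> Tuple[int, int, float]:
    """(compressed bytes, declared uncompressed bytes, ratio) from the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        declared = sum(i.file_size for i in infos)
    ratio = declared / compressed if compressed else float("inf")
    return compressed, declared, ratio


def safe_to_extract(data: bytes, max_total: int = MAX_TOTAL_UNCOMPRESSED,
                    max_ratio: float = MAX_RATIO) -> bool:
    """Cheap pre-check on the headers before any decompression happens."""
    _, declared, ratio = inspect_zip(data)
    return declared <= max_total and ratio <= max_ratio


def extract_bounded(data: bytes, max_total: int = MAX_TOTAL_UNCOMPRESSED) -> Dict[str, bytes]:
    """Stream each member and count the bytes actually produced, because header
    sizes can be forged; abort the moment the budget is exceeded."""
    out: Dict[str, bytes] = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            chunks = []
            with zf.open(info) as member:
                while True:
                    chunk = member.read(64 * 1024)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_total:
                        raise ValueError(f"uncompressed size limit exceeded at {info.filename}")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out


if __name__ == "__main__":
    bomb, benign = build_bomb(), build_benign()
    print("bomb:", inspect_zip(bomb), "safe:", safe_to_extract(bomb))
    print("benign:", inspect_zip(benign), "safe:", safe_to_extract(benign))
```

Nested archives (a zip inside a zip, repeated) defeat the ratio check on the outer layer, so a gateway scanner also needs a recursion depth limit and the same byte budget applied across all layers together.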

Zombie See bot.

Zoo Malware collection typically maintained by security
researchers and antivirus companies, as well as by VXers,
hackers and crackers.

* * * End of glossary * * *

For more information
For further information and advice on malware, talk to your manager, browse the intranet Security
Zone or contact the Help Desk.

Disclaimer
Language is a moving target, constantly evolving and sometimes misused or
misunderstood by mere humans including the fallible author of this
glossary. Whereas I have done my level best to research and define the
terms carefully, they often have or take on different, flexible meanings or
implications in practice, and I am not necessarily correct in my
interpretations. I am biased, prejudiced even and certainly jaundiced after
three decades in the industry. Furthermore, context is important.
This is, in parts, a parody. A few definitions are decidedly tongue-in-cheek,
but, hey, it would be even more tedious otherwise
Some definitions include quoted text in italics, drawn mostly from published
or draft security standards. The quoted text may be neither complete nor
accurate, while drafts may not even make it into print, at least not without
changes. Please refer to the original cited sources and the published final
versions for the definitive text and supporting information.
To be crystal clear, IANAL and this is not legal advice. In some jurisdictions
and circumstances, some of the terms in this glossary have specific legal
interpretations and implications that differ materially from those stated
herein. Do not rely on this glossary for anything important.
This is also not information risk, security, privacy, compliance or
governance advice, except in the very general and vague sense of espousing
the author's understanding of generic good practice. Your information risks,
and your information security and privacy requirements and obligations,
undoubtedly differ from those noted in or implied by the glossary. Seek
advice from competent, trustworthy, qualified and experienced
professional advisors, and weigh it up. Ask a grown up. Caveat lector.
