This suffix is often attached to a virus’ name to indicate the virus is a slow mailer. An important distinction, in terms of threat assessment, is made between slow mailers (which send one ‘infected’ message at a time or occasionally send small batches of infected messages) and mass mailers.
This suffix is often attached to a virus’ name to indicate a virus that distributes itself from victim machines via mass mailing. An important distinction, in terms of threat assessment, is made between mass mailers (which send large numbers of infected messages at once) and slow mailers.
The 419 scam, aka the ‘Letter from Nigeria’, is a form of Advance Fee Fraud, a modern variation on the ‘Spanish Prisoner’ scam which dates back to the 16th century.
The scam arrives as a spammed email, often claiming to come from a relative of a senior politician, lawyer or businessman in a developing country who has access to a large sum of money. The recipient is offered a share of the money, often millions of dollars, if they will help move it out of the country. The victim is then lured into putting up ‘seed money’ for lawyers’ fees, bank charges and the like, which can itself amount to thousands or even hundreds of thousands of dollars. The story is entirely fabricated: the millions do not exist and the victim ends up with nothing.
The scam takes its name from Section 419 of the Nigerian Criminal Code, which covers such fraud, as many early versions originated from Nigeria. The scam has evolved to use a wide range of lures, including treasure found in Iraq by US soldiers, lottery winnings and charitable donations, and many hundreds of victims around the world have been defrauded of large sums of money. There are even reports of victims having been lured to the scam’s originating country, where they have been imprisoned, tortured and occasionally even killed.
Components that add dynamic and interactive features to Web pages. With ActiveX tools, multimedia effects, animation, and functional applications can be added to Web sites. Online virus scanners are an example of the application of ActiveX.
ActiveX controls are normally installed only with the user’s permission, but that safeguard can be circumvented. In some instances ActiveX components embedded in Web pages run automatically when the page is opened, and visitors are sometimes tricked into accepting unwanted controls. Because an ActiveX control is native code running with the privileges of the logged-on user, its unauthorized installation and execution lets malicious code install further components or modify the visiting system.
Alteration of a browser’s address bar to display a legitimate address. This is done by running a script that removes the browser’s address bar and replaces it with a fake one, which is made up of text or images.
Software that displays pop-up or pop-under advertisements, typically ones that appear even when the program’s own user interface is not visible, or that do not appear to be associated with the product the user installed.
Accelerated Graphics Port; a high-speed expansion slot designed by Intel for the display adapter (video card) only. It resides on the motherboard and gives the card a direct path to system memory. If you are installing an AGP or PCI card, the AGP slot is usually the shortest and is normally brown; PCI slots are slightly longer and white. Card sizes vary by a few inches, but the pins on the bottom edge of a card will only fit the correct slot. A PCI graphics card typically runs at 33 MHz with a maximum transfer rate of 132 MB/sec. AGP runs at 66 MHz; the original 1x mode transfers 266 MB/sec, 2x mode up to 528 MB/sec, and the later 4x and 8x modes double that again each time.
Unfortunately, there is no one standard, accepted rule for naming malware, spyware and other types of malicious or unwanted applications. Hence, even though informal groups, such as CARO, have discussed conventions for virus naming, differences still exist between antivirus and antispyware software companies and research organizations. Thus where the term ‘alias’ or ‘also known as’ occurs, it refers to different names that the same malware or spyware may be given by other sources.
Arithmetic Logic Unit; the high-speed CPU circuit that does calculating and comparing.
A cross-industry group dedicated to improving testing standards within the anti-malware industry. The group provides a discussion forum for testing issues, with regular meetings and online debates. It aims to produce guideline documents to help reviewers ensure tests are run properly and results presented clearly, as well as other resources of use to testers.
American National Standards Institute; the first American Standard Safety Code was approved in 1921 and covered the protection of the heads and eyes of industrial workers. Today there are over 1,200 ANSI-approved safety standards designed to protect the workforce, consumers and the general public. Overall, there are approximately 10,500 ANSI-approved American National Standards.
A term used to describe security software that covers a range of malware and security threats. While many people continue to use the term ‘anti-virus’ to refer to software that also detects other types of malware, many product vendors have relabelled their software ‘anti-malware’ to make it clear that spyware, trojans and so on are covered, as well as traditional viruses.
A term used to describe security software designed to detect, and in most cases block or remove, malicious spyware (and in many cases adware) on computer systems.
When the problem of spyware first began to impact computer users, many makers of anti-virus software did not include coverage for such items in their products – generally due to the complex legality involved (with many items using social engineering and complex EULAs to trick users into installing their wares, it could be argued that the software was in place with the permission of the user). Thus many specialised products began to be developed to target the menace of spyware, with many simply scanning machines for the presence of known items and removing them, while more sophisticated products used active monitoring to block the installation and activities of spyware.
Over time many products have merged to provide virus and spyware protection in a unified fashion, although spyware-specific products are still available.
A term used to describe security software designed to detect viruses. Originally, AV software simply scanned a system to spot viruses. Nowadays products may be much more complex, with on-access protection almost universal, updating of detection information generally automated, and detection for non-replicating malware such as trojans and spyware, and even unwanted software like adware, rolled in. More complex suites add firewalls and a range of other utilities, but simple anti-virus products offering only scanning remain available.
The idea of making an antivirus program itself viral so it can propagate to where it is most needed is a very old one. Such a program would be an antivirus virus. It is universally agreed among reputable antivirus researchers to be a very bad – even dangerous – idea, and should be avoided at all costs.
A very popular free, open-source Web server from the Apache Software Foundation (www.apache.org), originally Unix-based. There are versions for all popular Unix flavors as well as Windows, and it has long been considered the most widely used HTTP server on the Internet. Developed by a large group of volunteers, Apache was originally based on Version 1.3 of the HTTPd (HTTP daemon) server from the National Center for Supercomputing Applications (NCSA). First released in 1995, it was named after the Native American Apache tribe, noted for their endurance; because many “patch” files had been added to the original body of code, “a patchy server” was also coined as a pun on the name.
A virus that inserts a copy of its code at the end of its victim file.
A program that can be downloaded over the web and run on a user’s computer. Most often written in Java.
Viruses that use special tricks to make tracing them in a debugger and/or disassembling them difficult. The purpose of armoring is primarily to hinder virus analysts reaching a complete understanding of the virus’ code. An early example of an armored virus is Whale.
American Standard Code for Information Interchange; a 7-bit character set of 128 codes, 95 printable characters plus 33 control characters, used for storing, transmitting and printing text. It is the basis of most later character encodings, including UTF-8, whose first 128 code points are identical to ASCII.
Advanced Technology Attachment; a disk drive interface in which the drive controller is integrated on the drive itself. Computers can use ATA hard drives without a separate controller card: the motherboard must still provide an ATA connection, but a separate card (such as the SCSI card a SCSI drive needs) is not required. ATA standards include ATA-1, ATA-2 (a.k.a. Fast ATA), ATA-3, Ultra ATA (33 MBps maximum transfer rate), ATA/66 (66 MBps) and ATA/100 (100 MBps). The term IDE, or “Integrated Drive Electronics,” is also used to refer to ATA drives, and (to add extra confusion for people buying hard drives) drives are sometimes labelled “IDE/ATA.” Technically ATA is the interface standard built on IDE technology, but in practice the two terms refer to the same thing.
Any hacker tool intended to disable a user’s anti-virus software to help elude detection. Some will also disable personal firewalls.
AntiVirus Emergency Discussion; a mailing list for professional antivirus researchers allowing them to alert other researchers to emerging or ongoing ‘crisis’ or ‘emergency’ virus events. These may be localized to a geographic or language-based region or known to be approaching a worldwide scale. It also acts as a forum for these researchers to discuss such events, what precursors count as sufficient grounds for posting alerts to users about a newly discovered virus, and at what point involving the news media seems appropriate. Aside from the discussion list, a second list facilitates the secure distribution of emergency samples, and members are expected to send samples of any viruses the organizations they work for consider worthy of raising public warnings about.
A program (often disguised as, or derived from, a remote-administration utility) that opens infected machines to external control via the Internet or a local network.
Not the final version of a program, but close enough to show in public and work the bugs out.
Browser Helper Object; a component (a DLL) that Internet Explorer loads whenever it starts. It shares IE’s memory context and can perform any action on the available windows and modules: a BHO can detect events, create windows to display additional information about the page being viewed, and monitor messages and actions. An article on Microsoft’s MSDN site once described a BHO as “a spy we send to infiltrate the browser’s land.” Because a BHO runs inside the browser’s own process, a personal firewall sees its network traffic as the browser’s and does not stop it. Some malicious BHOs replace the banner advertisements on every page viewed in IE with other ads; some monitor and report on the user’s actions; some change the home page.
An encrypted virus that has two forms of the decryption code, usually randomly selecting between them when writing its decryptor to a new replicant.
A software utility that combines two or more files into a single file. Binders are frequently used to attach a malicious program to a legitimate one, so that running the combined file silently runs both.
Basic Input Output System; an essential set of routines in a PC, stored on a chip on the motherboard, that provides an interface between the operating system and the hardware. The BIOS initialises the hardware at power-on, runs the POST checks and loads the boot sector, and provides internal services such as the real-time clock (time and date).
A Windows error that turns the screen blue while displaying an error message. It is sometimes called the “blue screen of death” because the operating system has stopped (“frozen” or “locked up”) and must be rebooted, losing all unsaved data.
The program recorded in a boot sector. Boot sectors usually contain boot code because these small programs have the job of starting to load a PC’s operating system once the BIOS completes its POST checks, although some types of boot sector seldom, if ever, contain boot code. Good examples of boot sectors that do not normally contain boot code are those at the head of extended partitions – under DOS and Windows OSes, such partitions cannot be made bootable so those OSes usually only place a partition table (which they do require) in such boot sectors. Thus, the system boot sectors of diskettes and partitions (logical drives) on hard drives, and the MBRs of hard drives, normally all contain boot code of some kind. It is this code, or at least the room reserved for it, that boot viruses target. Once the BIOS completes its hardware checks, it simply reads the appropriate boot sector (depending on which device it is set to boot from first and whether that device is ready) without doing any ‘sanity checking’ on its contents.
The program recorded in the Boot Sector. All floppies have a boot record, whether or not the disk is actually bootable. Whenever you start or reset your computer with a disk in the A: drive, DOS reads the boot record from that diskette. If a boot virus has infected the floppy, the computer first reads the virus code (because the boot virus placed its code in the boot sector), then jumps to whatever sector the virus tells the drive to read, where the virus has stored the original boot record.
A generic term encompassing system boot sectors and master boot records. Technically, this means the first logical sector of any drive (what DOS or Windows would consider to be sector 1 of that drive) and the MBR (sector 0,0,1 in CHS notation) of hard drives. As floppy disks do not have partitions, the logical drive and physical drive map sector for sector and their first logical sector is also 0,0,1. On hard drives, there is a boot sector for each logical drive (or partition, such as C: and D:) plus one for the MBR. (The ‘root’ entries of any extended partitions may or may not be counted – if so, the total number of boot sectors is higher than the preceding description suggests, with the final count depending on the number and nesting of extended partitions.) Most boot sectors contain boot code, which (under DOS and Windows) is usually created by FORMAT or SYS if the boot code is in a system boot sector, or by FDISK if in the master boot record of a hard drive. Sometimes the term ‘boot sector’ is ambiguously used to refer only to the boot sectors of logical drives. This usage is avoided as far as possible in this glossary and the rarely used term ‘system boot sector’ is used when this distinction needs to be made.
A virus which infects the boot sector or the partition table of a disk. Computer systems are typically infected by these viruses when started with infected floppy disks – the boot attempt does not have to be successful for the virus to infect the computer hard drive. Once a computer is infected, boot sector viruses usually attempt to infect every disk accessed on the infected system. In general, boot sector viruses can be successfully removed.
A few viruses infect both program files and boot sectors, infecting the boot sector after executing as a program. They are known as multipartite viruses and are relatively rare.
A shortened form of ‘robot’. Bot describes a non-human automated program that may perform functions or tasks. These tasks often involve the exchange of information. Bots can operate on a variety of platforms such as IRC.
A number of bots grouped to perform a task or a unique group of tasks, often cooperatively. The term botnet was created by combining the words “robot network”.
BIOS Parameter Block; a data table in the system boot sector of all FAT format logical drives, containing information about the formatting of the drive. This includes the geometry of the disk (sectors per track, number of heads, total sectors), the size of the sectors and the number of sectors per logical cluster, as well as the number of reserved sectors, FATs and root directory entries, all of which are critical to reading the drive properly.
A fault in a computer system, usually associated with software.
The common unit of computer storage from desktop computer to mainframe. It is made up of eight binary digits (bits).
A programming language developed by Bell Laboratories in the 1970s.
An object-oriented extension of C developed by Bjarne Stroustrup at Bell Laboratories in the 1980s.
A virus that searches for a ‘hole’ in the infection target in which to insert its code. This technique has the advantage of not increasing the size of the target – a common telltale of infection that can give away a virus’ presence to observant victims. Many programs have pre-initialized arrays (usually filled with null bytes) and/or stack space filled with common patterns, and a virus can easily search for areas matching these patterns. If a cavity infector finds a suitably sized ‘hole’, it copies itself into it and then patches the program’s entry point so the virus code runs first (or makes whatever other change to the host is needed to gain control). This gives the virus a chance to copy itself elsewhere in memory, or simply to run and finish, before the host program possibly uses the data area the virus overwrote. Although cavity infection is a rarely used technique, one of the first parasitic file infectors, Lehigh, was a cavity virus.
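The two file-infection styles described in the appending-virus and cavity-virus entries above leave traces that an integrity checker can look for: an appender leaves bytes past the end of the last section and usually moves the entry point, and a cavity infector needs a run of null bytes to live in. The Python below is an added example (not code from the original glossary or from any product): it carries a minimal PE header parser, a constructed two-section PE image that is not a real program, and a `redirect_entry()` helper that merely imitates the entry-point patch an appender would make.

```python
# Added example, not part of the original glossary: file-level checks for the
# two infection styles described above (appending and cavity). The PE parser is
# minimal, the sample image is constructed here and is not a real program, and
# redirect_entry() only imitates the entry-point patch an appender would make.
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, rawptr, rawsize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HDR.size
        name, vsize, vaddr, rawsize, rawptr, *_ = SECTION_HDR.unpack_from(data, off)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawptr, rawsize))
    return entry_rva, sections


def overlay_size(data: bytes) -> int:
    """Bytes after the end of the last raw section: where an appender usually lands."""
    _, sections = parse_pe(data)
    return len(data) - max(rawptr + rawsize for _, _, _, rawptr, rawsize in sections)


def entry_section(data: bytes):
    """Name of the section containing the entry point, or None if the entry
    point lies outside every section (typical after an appender redirects it)."""
    entry, sections = parse_pe(data)
    for name, vaddr, vsize, _, rawsize in sections:
        if vaddr <= entry < vaddr + max(vsize, rawsize):
            return name
    return None


def find_caves(data: bytes, min_len: int = 64):
    """Runs of null bytes inside sections, the 'holes' a cavity infector looks for.
    Returns [(section, file_offset, length)]."""
    _, sections = parse_pe(data)
    caves, start = [], None
    for name, _, _, rawptr, rawsize in sections:
        for i in range(rawptr, rawptr + rawsize + 1):
            zero = i < rawptr + rawsize and data[i] == 0
            if zero and start is None:
                start = i
            elif not zero and start is not None:
                if i - start >= min_len:
                    caves.append((name, start, i - start))
                start = None
    return caves


def redirect_entry(data: bytes, new_rva: int) -> bytes:
    """Imitate an appender's last step: point AddressOfEntryPoint at new_rva."""
    patched = bytearray(data)
    e_lfanew = struct.unpack_from("<I", patched, 0x3C)[0]
    struct.pack_into("<I", patched, e_lfanew + 4 + 20 + 16, new_rva)
    return bytes(patched)


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (headers filled only as far as parse_pe needs)."""
    opt_size = 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # entry point in .text
    text_hdr = SECTION_HDR.pack(b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rdata_hdr = SECTION_HDR.pack(b".rdata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + rdata_hdr).ljust(0x200, b"\0")
    # .text: 64 bytes of "code", then a 256-byte run of nulls (a cave), then padding
    text = (b"\xC3" + b"\x90" * 0x3F + b"\0" * 0x100).ljust(0x200, b"\xCC")
    rdata = b"A" * 0x200
    return headers + text + rdata


if __name__ == "__main__":
    clean = build_sample_pe()
    infected = redirect_entry(clean + b"\xEB\xFE" * 100, 0x3000)  # hypothetical appended stub
    print("overlay bytes:", overlay_size(clean), "->", overlay_size(infected))
    print("entry section:", entry_section(clean), "->", entry_section(infected))
    print("caves:", find_caves(clean))
```

On a real file the same three functions apply unchanged; a non-zero overlay is only a lead (installers and signed binaries legitimately carry overlays), whereas an entry point outside every section, or a cave that a stored baseline says used to be all nulls and now is not, is worth a closer look.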
Common Gateway Interface; a means of transmitting information from a Web server by executing programs in response to a Web browser’s requests using HTTP. CGI programs process information requests and return the appropriate document to the client computer.
A class infector is a macro virus whose code resides in one or more class modules. Class infectors became popular among macro virus writers shortly after the SR-1 (Service Release 1) version of Word 97 became available. With that version of Word, Microsoft introduced an undocumented antivirus feature that prevented the successful replication of most existing Word macro viruses. Under that version of Word, the most that earlier viruses can do is infect the normal template. They are not able to spread from there to documents. (This feature is present in all later versions of Word, including Word 98 for the Macintosh). Class infection, per se, was not necessary to subvert the SR-1 measures, but the first virus writer who realized what was happening coincidentally moved to infecting the default document class object.
A computer or program that receives services from another computer or user. For example, the computer running the Web browser you use when accessing the World Wide Web is the client of the Web server delivering the Web documents.
Apart from directly infecting host files as appenders and prependers do, there are other ways to intercept calls to an executable file and have some other code run instead of, or before, the code from the intended file. One such method is cluster infection, used by a small number of DOS viruses.
On a FAT file system this method usually involves saving the virus’ code to the hard drive then altering the directory entry of an ‘infected’ file. The required directory entry change is to set the field that points to the first cluster of the file to the cluster holding the virus code and record the original initial cluster of the infected file in an unused field in the directory entry. When the user tries to execute an infected program, the operating system reads the virus from the apparent first cluster of the executable file and runs it. The virus does whatever else it is designed to do then loads and executes the original file, using the correct first cluster information it saved during the infection process. Dir-II was the first cluster virus and in the wild for some time.
Because the cluster infection technique interferes with the linking of cluster chains apparently assigned to a file, these viruses are occasionally referred to as ‘link viruses’, although this usage should be avoided.
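The BPB entry above lists the fields that locate the data on a FAT volume, and the cluster-virus entry describes a directory edit that leaves a visible fingerprint: many executables whose directory entries all claim the same first cluster. The Python below is an added example (not from the original glossary or any product) that ties the two together: it parses and sanity-checks a boot sector’s BPB, uses it to find the root directory, and reports shared start clusters. The floppy image is constructed inline, and `simulate_cluster_infection()` only reproduces the directory edit the entry describes; where it stashes the original cluster (the entry’s reserved bytes) is an assumption for the demo, not a claim about any particular virus.

```python
# Added example, not part of the original glossary: parse a FAT boot sector's
# BPB, sanity-check it, use it to find the root directory, and look for the
# tell-tale of a cluster virus such as the Dir-II technique described above:
# several executables whose directory entries all start at the same cluster.
# The floppy image is constructed here and simulate_cluster_infection() only
# reproduces the directory edit the entry describes; no real virus is involved.
import struct
from collections import defaultdict

# jump, OEM name, then the BPB proper: 36 bytes from the start of the sector
BPB = struct.Struct("<3s8sHBHBHHBHHHII")
DIRENT = struct.Struct("<8s3sB10sHHHI")       # 32-byte FAT directory entry


def parse_bpb(sector: bytes) -> dict:
    (jmp, _oem, bps, spc, reserved, nfats, root_entries, total16, media,
     spf, spt, heads, _hidden, total32) = BPB.unpack_from(sector, 0)
    bpb = dict(bytes_per_sector=bps, sectors_per_cluster=spc, reserved_sectors=reserved,
               fats=nfats, root_entries=root_entries, total_sectors=total16 or total32,
               media=media, sectors_per_fat=spf, sectors_per_track=spt, heads=heads,
               root_dir_offset=(reserved + nfats * spf) * bps, problems=[])
    if sector[0x1FE:0x200] != b"\x55\xAA":
        bpb["problems"].append("missing 55AA boot signature")
    if jmp[0] not in (0xEB, 0xE9):
        bpb["problems"].append("boot code does not start with a JMP")
    if bps not in (512, 1024, 2048, 4096):
        bpb["problems"].append("implausible bytes per sector")
    if spc == 0 or spc & (spc - 1):
        bpb["problems"].append("sectors per cluster is not a power of two")
    return bpb


def root_entries(image: bytes, bpb: dict):
    """Yield (name, first_cluster, size) for live files in the root directory."""
    base = bpb["root_dir_offset"]
    for i in range(bpb["root_entries"]):
        name, ext, attr, _res, _t, _d, cluster, size = DIRENT.unpack_from(image, base + 32 * i)
        if name[0] == 0:                     # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & 0x18:   # deleted, directory or volume label
            continue
        yield f"{name.decode().strip()}.{ext.decode().strip()}", cluster, size


def shared_start_clusters(image: bytes) -> dict:
    """Clusters that more than one live file claims as its first cluster."""
    bpb = parse_bpb(image[:512])
    by_cluster = defaultdict(list)
    for fname, cluster, _size in root_entries(image, bpb):
        if cluster:
            by_cluster[cluster].append(fname)
    return {c: names for c, names in by_cluster.items() if len(names) > 1}


def build_floppy(files) -> bytes:
    """Constructed 1.44 MB FAT12 layout, filled in only as far as the root directory."""
    bps, spf, root_count = 512, 9, 224
    image = bytearray((1 + 2 * spf) * bps + root_count * 32)
    BPB.pack_into(image, 0, b"\xEB\x3C\x90", b"MSWIN4.1", bps, 1, 1, 2, root_count,
                  2880, 0xF0, spf, 18, 2, 0, 0)
    image[0x1FE:0x200] = b"\x55\xAA"
    root = (1 + 2 * spf) * bps
    for i, (fname, cluster, size) in enumerate(files):
        base, ext = fname.split(".")
        DIRENT.pack_into(image, root + 32 * i, base.ljust(8).encode(), ext.ljust(3).encode(),
                         0x20, b"\0" * 10, 0, 0, cluster, size)
    return bytes(image)


def simulate_cluster_infection(image: bytes, targets, virus_cluster: int) -> bytes:
    """The directory edit described above: point each target at the virus
    cluster and stash the original first cluster in the entry's reserved bytes."""
    image = bytearray(image)
    bpb = parse_bpb(image[:512])
    for i in range(bpb["root_entries"]):
        ent = bpb["root_dir_offset"] + 32 * i
        name = image[ent:ent + 8].decode().strip() + "." + image[ent + 8:ent + 11].decode().strip()
        if name in targets:
            orig = struct.unpack_from("<H", image, ent + 26)[0]
            struct.pack_into("<H", image, ent + 12, orig)        # reserved area (demo assumption)
            struct.pack_into("<H", image, ent + 26, virus_cluster)
    return bytes(image)


CLEAN = build_floppy([("COMMAND.COM", 2, 54645), ("EDIT.COM", 110, 69886),
                      ("GAME.EXE", 250, 120000), ("README.TXT", 490, 1200)])

if __name__ == "__main__":
    infected = simulate_cluster_infection(CLEAN, {"COMMAND.COM", "EDIT.COM", "GAME.EXE"}, 40)
    print(parse_bpb(CLEAN[:512]))
    print("clean:", shared_start_clusters(CLEAN))
    print("infected:", shared_start_clusters(infected))
```

The BPB checks are the ‘sanity checking’ the BIOS itself never does before jumping into a boot sector. Duplicate start clusters are normally impossible on a healthy FAT volume (a cluster belongs to one chain), so any hit is either file-system corruption or exactly the cross-linking that a cluster virus produces; a full checker would also walk the FAT to confirm the shared chain.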
Common Malware Enumeration; a number which is a unique, vendor-neutral identifier for a particular threat.
The CME initiative is an effort headed by the United States Computer Emergency Readiness Team (US-CERT), in collaboration with key organizations within the security community. Through the adoption of a neutral, shared identification method, the CME initiative seeks to: reduce the public’s confusion in referencing threats during malware incidents; enhance communication between anti-virus vendors; and improve communication and information sharing between anti-virus vendors and the rest of the information security community.
Complementary Metal Oxide Semiconductor; pronounced “c-moss.” The most widely used integrated circuit design. CMOS semiconductors use both NMOS (negative polarity) and PMOS (positive polarity) circuits. Since only one of the circuit types is on at any given time, CMOS chips require less power than chips using just one type of transistor. This makes them particularly attractive for use in battery-powered devices, such as portable computers. Personal computers also contain a small amount of battery-powered CMOS memory to hold the date, time, and system setup parameters.
Short for Compressor/Decompressor. A codec is any technology for compressing and decompressing data; codecs can be implemented in software, hardware or a combination of both. Popular video codecs include MPEG, Indeo and DivX. Most audio and video formats use some form of compression so that files do not take up an unreasonable amount of disk space: the data is compressed with a particular codec when saved and decompressed by the same codec when played back. Note that AVI is a container file format and WAV and AIFF are audio file formats (usually holding uncompressed audio) rather than codecs; the data inside a container may be encoded with any of several codecs, and a player needs the matching one to play the file. Codecs are also used to compress streaming media (live audio and video), which makes it possible to broadcast a live audio or video clip over a broadband Internet connection.
A scanner driven entirely from a command prompt rather than a graphical interface, which detects and disinfects viruses, worms and trojans in all major file types. Command-line scanners are commonly used on Unix-based platforms and in scripted or scheduled scanning.
There are other methods of infecting a system other than the most commonly used one of modifying an existing file. Given the way command-line interpreters (or shells) of several operating systems work, a virus can copy itself onto the system as an entire program yet be sure that much of the time, attempts to invoke a program will result in the virus’ code being run first. Such programs are known as companion viruses and there are several forms of this infection method.
For example, under DOS (and at least from the command-line or ‘Command Prompt’ of its Windows relatives), if the shell is given a command that does not begin with a fully-specified filename, it searches the current directory, then each directory in the PATH environment variable (in the order they are listed), for a COM file matching the command name, then an EXE file and then a BAT file. Thus, a companion virus can ‘infect’ an EXE file by copying itself to the same directory as that file and using its filename but with a COM extension. (Similarly a BAT file could be ‘infected’ by copying the virus code to either an EXE or COM with the same filename.) Once the virus has done its work, it loads and executes the original program file. If the virus acts quickly the user is unlikely to notice the short delay this introduces and the fact the target runs ‘normally’ also reduces the likelihood of user suspicion. This infection technique is known as the program execution order companion method or the execution precedence companion method.
Another companion infection method should be obvious from the preceding description of DOS’ command interpretation process. Known as the path order companion method or the path precedence companion method, it depends on a copy of the virus being made in a directory earlier in the path than the directory housing the target. The virus file is given the same name as the target file (although it need not have the same extension – any executable extension will do) so the virus program will be found and executed instead of its target. As with execution order companions, path companions must take steps to ensure the original program runs after the virus has done its thing. Unlike execution order companions, path companions should also be successful on operating systems that do not depend on filename extensions to determine whether a file is ‘executable’, so long as they have something akin to the concept of a PATH variable.
Yet another companion infection method involves renaming the target program to a non-executable extension then copying the virus to the same location, filename and extension as the target. When the user calls the program, instead of the intended one running, the virus is executed. Again, to avoid immediate detection, such renaming companion viruses must load and execute the original program. This approach has the advantage of being more likely to work under GUI shells (such as the Windows desktop) because such environments usually record full path and filenames when configuring desktop and menu shortcuts and the like. Under such an environment, path and execution order companions will have little effect as they leave the original program intact. Of course, replacing the original program as a renaming companion virus must, makes them much more visible to integrity checking methods.
Although quite simple (because they are not required to alter existing executable files), companion viruses have been rarely seen until recently, when another companion infection technique started to become popular. Windows 95 and NT introduced (or, more correctly, promoted) more complex techniques for controlling how the usual operating system shell (normally Windows Explorer) handles files. Complex inter-relationships between file extensions and more finely described file types exist in the registry. For example, handling of EXE files is defined through a series of values in HKEY_CLASSES_ROOT. This sequence includes a handler for the ‘opening’ of EXE files. Normally the shell just loads and executes EXE files, much as earlier versions of Windows and DOS did. However, this can be usurped by altering the appropriate registry values so another program runs. So long as the introduced handler launches the original EXE ‘as normal’, the user will not become suspicious.
Companion infection methods that do not involve replacing the target program defeat simple integrity checkers that only look for modifications to existing programs. For this reason, good integrity checkers also monitor the addition of new program files to a system.
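The preceding entries spell out the lookup rule a companion virus exploits (current directory first, then each PATH directory in order, and within a directory COM before EXE before BAT) and the registry handler a newer companion hijacks. The Python below is an added example, not from the original glossary or any product: it models that lookup rule and turns it into the kind of integrity check the last paragraph calls for, reporting every program that a same-named file would run in place of, plus newcomers against a baseline and a check of the EXE ‘open’ handler string. The directory listings, PATH and handler strings are constructed; `C:\HANDLER.EXE` is a hypothetical hijacked handler, and a real checker would walk the live file system and read `HKEY_CLASSES_ROOT\exefile\shell\open\command` itself.

```python
# Added example, not part of the original glossary: a model of the DOS/Windows
# command lookup described above, used as an integrity check that reports every
# program a same-named file would run in place of. The directory listings,
# PATH and registry value are constructed; a real checker would read the live
# file system and HKEY_CLASSES_ROOT\exefile\shell\open\command.
from typing import Dict, Iterable, List, Optional, Tuple

EXT_ORDER = (".COM", ".EXE", ".BAT")          # execution precedence within one directory
DEFAULT_EXEFILE_OPEN = '"%1" %*'              # stock handler for 'opening' an EXE

Listing = Dict[str, Iterable[str]]


def search_dirs(cwd: str, path_dirs: List[str]) -> List[str]:
    """Current directory first, then PATH in order, each directory once."""
    seen, order = set(), []
    for d in [cwd, *path_dirs]:
        if d not in seen:
            seen.add(d)
            order.append(d)
    return order


def resolve_command(cmd: str, cwd: str, path_dirs: List[str], listing: Listing) -> Optional[str]:
    """File that typing `cmd` (no path, no extension) would launch, or None."""
    cmd = cmd.upper()
    for d in search_dirs(cwd, path_dirs):
        names = {n.upper() for n in listing.get(d, ())}
        for ext in EXT_ORDER:
            if cmd + ext in names:
                return f"{d}\\{cmd}{ext}"
    return None


def shadowed_programs(cwd: str, path_dirs: List[str], listing: Listing) -> List[Tuple[str, str]]:
    """(program, what runs instead) for every executable that its own name no
    longer launches: covers both execution-order and path-order companions."""
    findings = []
    for d in search_dirs(cwd, path_dirs):
        for n in sorted(listing.get(d, ())):
            base, _dot, ext = n.upper().rpartition(".")
            if "." + ext not in EXT_ORDER or not base:
                continue
            full = f"{d}\\{base}.{ext}"
            winner = resolve_command(base, cwd, path_dirs, listing)
            if winner != full:
                findings.append((full, winner))
    return findings


def new_programs(baseline: Listing, current: Listing) -> List[str]:
    """Executables present now that were not in the stored baseline."""
    added = []
    for d, names in current.items():
        for n in sorted(set(names) - set(baseline.get(d, ()))):
            if "." + n.upper().rpartition(".")[2] in EXT_ORDER:
                added.append(f"{d}\\{n}")
    return added


def exefile_open_ok(command: str) -> bool:
    """True only if the EXE 'open' handler is the stock one (registry companions change it)."""
    return command.strip() == DEFAULT_EXEFILE_OPEN


# Constructed sample: a baseline snapshot and the same machine after two companions appeared.
PATH = ["C:\\DOS", "C:\\WINDOWS", "C:\\TOOLS"]
BASELINE = {
    "C:\\WORK": {"REPORT.DOC", "WP.EXE"},
    "C:\\DOS": {"FORMAT.COM", "EDIT.COM"},
    "C:\\WINDOWS": {"NOTEPAD.EXE"},
    "C:\\TOOLS": {"ZIP.EXE"},
}
CURRENT = {
    "C:\\WORK": {"REPORT.DOC", "WP.EXE", "WP.COM"},       # execution-order companion of WP.EXE
    "C:\\DOS": {"FORMAT.COM", "EDIT.COM", "ZIP.COM"},     # path-order companion of C:\TOOLS\ZIP.EXE
    "C:\\WINDOWS": {"NOTEPAD.EXE"},
    "C:\\TOOLS": {"ZIP.EXE"},
}

if __name__ == "__main__":
    for prog, instead in shadowed_programs("C:\\WORK", PATH, CURRENT):
        print(f"{prog} is shadowed by {instead}")
    print("new executables:", new_programs(BASELINE, CURRENT))
    print("exefile handler intact:", exefile_open_ok('"%1" %*'),
          exefile_open_ok('C:\\HANDLER.EXE "%1" %*'))   # second string is a hypothetical hijack
```

Renaming companions (the third method above) are not caught by `shadowed_programs`, because the name the user types still resolves to the same path; they show up instead as a changed hash on an existing program, which is the one case a plain modification-only integrity checker does handle.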
Some virus writers are not content with writing their own viruses and have wondered about bringing the ‘opportunity’ of becoming a virus writer to the masses. The solution is usually some form of ‘construction kit’ – a program even a non-programmer can run, feed some parameters into and then produce a virus. Many have been produced over the years, covering simple COM and/or EXE infectors, polymorphics, and batch, macro and script viruses. Perhaps the best-known of the early ones were the Virus Construction Laboratory (VCL) and the Phalcon/Skism Mass-Produced Code Generator (PS-MPC).
A small piece of data, such as login and user information, user preferences or shopping information, sent by a Web site through its Web server and stored by the Web browser. The site sets the cookie so that it can recognize a user who has visited before: on subsequent visits the browser returns the cookie to the originating site, allowing the operator to offer products and services tailored to the user’s preferences as determined by previous visits. Because a cookie is returned with every request to the site that set it, a stolen session cookie lets an attacker impersonate the user, and because of the privacy issues around gathering personal information, browsers let users block or delete cookies.
Central Processing Unit; the part of a computer that interprets and carries out the instructions contained in the software.
A person who breaks into computer systems without authorization, or who defeats the copy protection on commercial software, sometimes simply to see if it can be done and sometimes for financial gain. In certain circles a cracker would be considered less proficient than a hacker, though the terms are often used interchangeably.
Any tool designed to modify other software for the purpose of removing usage restrictions. An example is a ‘patcher’ or ‘patch generator’ that will replace bytes at specified locations in a file, transforming it into a fully-functional version.
This is a popular name for a virus that carries a data-modifying payload. Such a virus may, for example, change 0’s to 9’s in an Excel spreadsheet or, like Jal.A, replace certain words. Unfortunately, the changes made by some of these viruses may be almost unnoticeable in large amounts of data, so users may not realize they are infected for quite some time, and by then the corruption has spread into backups, necessitating possibly lengthy and costly clean-up procedures.
Applications that monitor, analyze, and collect specific information found in a database or volume of data from various sources. Data miners are not always used with malicious intent. Data mining programs allow companies to compile important client information, in order to enhance their services.
Data miners may be used by Web sites to monitor, analyze and collect particular user activities on a computer, typically for marketing purposes. Usually a data miner is installed on the computer to record Web sites visited, products searched for and services used; the data is then sent back to be used for targeted advertising.
Data miners may be used maliciously and in some instances have been employed to steal personal information like logon credentials and credit card numbers.
A computerized filing system. Organized information stored so that a computer may have fast access to specific sections. For example, a large database might contain all corporations registered in the state of California. Another database might contain information on the buying habits of married couples between the ages of 25 and 35.
Distributed Denial of Service; attempts to DoS large sites using most forms of resource exhaustion attack, and particularly network bandwidth-wasting strategies, are often impossible for a single attacking machine because of the sheer scale of resources available to the attacked site. One solution to this is the distributed denial of service approach, whereby a number of machines with ‘attack services’ installed on them are simultaneously commanded to attack a target system. Each of these DDoS ‘agents’ contributes part of the total ‘load’ that eventually topples the attacked service or server, or part of the bandwidth necessary to clog the network connections to the attacked server. By late 1999, code from several DDoS systems had been captured from compromised machines. These were mostly the agents (the part that implements the attack service), but a few examples of masters – the component that keeps track of the agents’ availability and sends the commands to begin and end an attack – were also captured. At the time, some networks of these DDoS agents were discovered to contain several hundred active agents. Although most of these systems were designed and written for Unix (and particularly Linux) machines, some implementations for PCs also exist.
A threat tagged as destructive causes direct damage to files or computer systems, often resulting in the loss of important data. Routines such as corrupting or deleting important files and formatting the hard drive are considered destructive. A program that was designed to consume resources in a denial of service attack is also tagged as destructive.
Dynamic Host Configuration Protocol; an Internet protocol for automating the configuration of computers that use TCP/IP. DHCP can be used to automatically assign IP addresses, to deliver TCP/IP stack configuration parameters such as the subnet mask and default router, and to provide other configuration information such as the addresses for printer, time and news servers. DHCP’s purpose is to enable individual computers on an IP network to extract their configurations from a server (the ‘DHCP server’) or servers, in particular, servers that have no exact information about the individual computers until they request the information. The overall purpose of this is to reduce the work necessary to administer a large IP network. The most significant piece of information distributed in this manner is the IP address.
As the name implies, dialers dial predefined numbers to connect to certain sites. Many users run dialers without knowing that some of these programs actually dial long distance numbers or connect to pay-per-call sites, and that they are being charged for the calls. Dialers are often offered as programs for accessing adult sites.
A virus that attempts to locate and infect one or more targets when it is run, and then exits. In single-tasking operating systems such as DOS, direct action viruses usually only infect a small number of targets during each run, as the ‘find then infect’ process slows the normal execution of the infected host from which the virus is running and significant slowing of a machine is likely to warn its user of the presence of something ‘untoward’.
Cleaning or deleting a virus infection.
Derived from the characteristics of the malicious program. Fast-spreading network worms can spread across continents within just minutes. Some malicious programs also use numerous infection and spreading techniques – often referred to as blended threats or mixed threats. The Nimda virus, for example, was able to spread via email, network shares, infected Web sites, as well as Web traffic (http/port 80).
As new systems are made and improved with added functionality, proof-of-concept malware often follows. This uniqueness, as well as the widespread implementation of a particular operating system or software, also influences the potential distribution of each malware. Many viruses written in the past do not run or spread on newer operating systems or operating systems that have all the latest security patches installed.
High – blended threats (i.e. spreads via email, P2P, IM, network shares); mass mailers; spreads via network shares
Medium – mailers; has spread via third party or media; spreads in IRC, IM or P2P; requires user intervention to spread; URL/Web site download
Low – no network spreading; requires manual distribution to spread
Dynamic Link Library; an executable program module in Windows that performs one or more functions at runtime. Every time you open a program on your computer, it loads certain processes into your system’s RAM (random access memory). Some programs – in an effort to save RAM space – group those same processes into a dll file. Then, when the program needs to execute a particular process, it can dynamically link the process from this ‘library’ into the system RAM.
The Digital Millennium Copyright Act; passed by Congress in 1998, it amends existing US copyright law to make it a crime to bypass any copy protection mechanism, thus making it illegal to copy protected DVDs and CDs, mod your Xbox or PS/2, or in any way defeat a copy protection scheme regardless of your intent. Many have protested this law, saying it effectively eliminates fair use and represents an (unintended?) intrusion into Americans’ homes.
Domain Name Server or System; a computer set up to translate domain names into IP addresses (and IP addresses back into names). The DNS works with Web addresses numerically. For example, http://www.TrojanLibrary.net might have the IP address 18.104.22.168, but that would be hard for a user to remember, so the alphabetic name www.TrojanLibrary.net is used. The DNS translates the name into its numeric equivalent.
Denial of service; a malware routine that interrupts or inhibits the normal flow of data into and out of a system. Most DoS attacks consume system resources, such that, in a short period of time, the target is rendered useless. A form of DoS attack is when a Web service (like a Web site or a download location) is accessed massively and repeatedly from different locations, preventing other systems from accessing the service and retrieving data from it. When a DoS attack is launched from different locations in coordinated fashion, it is often referred to as a distributed denial of service attack (DDoS).
A downloader is a program that automatically downloads and runs and/or installs other software without the user’s knowledge or permission. In addition to downloading and installing other software, it may download updated versions of itself. A downloader may install itself in a manner that allows it to constantly check for updated files. For example, it may add an entry to the following registry key: ‘HKLM\Software\Microsoft\Windows\CurrentVersion\Run’.
A program designed to extract other files from their own code. Typically, these programs extract several files into the computer to install a malicious program package. Droppers may have other functions apart from dropping files.
Digital Subscriber Line; an always-on Internet connection that normally terminates in a socket on your wall, one that looks much like a phone socket. In the US, the socket is exactly a phone socket, and, for the popular residential DSL (ADSL), the same house wiring carries both phone and data. There are two main categories of DSL service. Asymmetric DSL (ADSL) is for Internet access, where fast downstream is required but slow upstream is acceptable. Symmetric DSL (SDSL, HDSL, etc.) is designed for connections that require high speed in both directions.
Digital Signal Processor; a special-purpose CPU used for digital signal processing and ultra-fast instruction sequences. The first DSP chip used in a commercial product was believed to be from TI, which was used in its very popular Speak & Spell game in the late 1970s. Intel’s MMX instruction set was the first attempt to make the x86 processors (specifically the Pentium processor line) more capable of DSP operations.
Electrically Erasable and Programmable Read-Only Memory; a type of ROM whose contents are non-volatile but modifiable through the application of appropriate chip reprogramming voltages. EEPROM was an advance on EPROM technology, replacing the requirement for a source of ultra-violet light with a purely electronic mechanism to erase a chip’s contents. Some early ‘updateable BIOSes’ were shipped on EEPROM chips, but flash memory has become the preferred non-volatile memory technology for holding BIOSes in recent years.
European Institute for Computer Antivirus Research. A group of academics, researchers, law enforcement specialists and other technologists united against ‘writing and proliferation of malicious code like computer viruses or Trojan Horses, and, against computer crime, fraud and the misuse of computers or networks’.
A commonly used misnomer for mass mailing viruses.
An early attempt at evading scan string driven virus detectors was self-encryption with a variable key. Cascade was the first example of an encrypting virus, but this approach was not much of a challenge to scanners as the decryption code of such viruses is constant across replicants and thus can be used as a scan string. Of course, if another virus or program uses the same decryption routine, precise identification of each would require reliably detecting more than just the common decryption code. Extending the idea of an encrypting virus so as to beat the limitation of scanners detecting just the decryption code resulted in the development of polymorphic viruses.
The process of converting data into a form that cannot easily be read without knowledge of the conversion mechanism (often called a key). Certain malware have the ability to encrypt copies of themselves such that antivirus scanners may find it difficult to detect them using existing signatures of available samples. More complex malware use variable encryption keys for each new copy, requiring more complex formula-based patterns from antivirus vendors.
Entry Point Obscuring; one technique virus writers have tried to make it more difficult for a scanner to detect a virus is entry point obscuration. Simple parasitic viruses alter the code at the entry point of their hosts in some way. Some alter the fields in the executable’s header so the pointer to the start of the program’s code points to where the virus’ code has been inserted or added to the file. Others leave the header alone, but alter the original program code at the entry point itself, either inserting the virus there, or inserting or overwriting code to jump to the virus’ code elsewhere in the executable. These approaches pose no problems for virus scanners as most scanners adopted entry point tracing techniques long ago to speed up their scanning. Entry point tracing meant that instead of grunt scanning a whole executable file, only the parts of an executable that were likely to contain a virus’ code were scanned. Entry point obscuring viruses employ various methods in attempts to complicate entry point tracing, by inserting the virus’ code elsewhere in the target executable than at the entry point of the host program’s code. Several approaches have been used. The crudest is randomly inserting the virus’ code into the target and ‘hoping’ both that this does not corrupt the program and that execution branches through the code at the insertion point often enough to give the virus a chance to replicate. More sophisticated methods involve disassembling the host looking for a suitable code sequence (such as an interrupt call or a long jump) to replace with a call to the virus. A minor variation on this, but easier to implement, is to simply scan the host for a suitable byte sequence. However, this involves the risk that the target sequence may be found somewhere that it does not represent the intended machine code sequence and thus infection will corrupt the executable. The first viruses to use EPO techniques were Omud and Lucretia.
Erasable and Programmable Read-Only Memory; a type of ROM whose contents are non-volatile but modifiable through the application of appropriate chip reprogramming voltages. Before reprogramming an EPROM, it has to be exposed to source of ultra-violet light. Some early ‘updateable BIOSes’ were shipped on EPROM chips, but EEPROMs became more popular. More recently, flash memory has become the preferred non-volatile memory technology for holding BIOSes.
Any software that resets your browser’s settings to display a new error page when a requested URL is not found. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
End User License Agreement; a legal contract between a software publisher and the software user. It typically outlines restrictions on the side of the user, who can refuse to enter into the agreement by not clicking “I accept” during installation. Clicking “I do not accept” will, of course, end the installation of the software product.
Many users inadvertently agree to the installation of spyware and adware into their computers when they click “I accept” on EULA prompts displayed during the installation of certain free software.
Code that takes advantage of a software vulnerability or security hole. Exploits are often incorporated into malware, which are consequently able to propagate into and run intricate routines on vulnerable computers.
These terms derive from their use in statistics. If it is claimed that a file or boot sector is infected by a virus when in reality it is clean, a false positive (or Type-I) error is said to have occurred. Conversely, if a file or boot sector that is infected is claimed to not be infected, a false negative (or Type-II) error has been made. From an antivirus perspective, false negatives probably seem more serious than false positives, but both are undesirable. False positives can cause a great deal of down-time and lost productivity because proving a program cannot replicate under some condition or other is generally much more time consuming than discovering the conditions under which a viral program will replicate. With good known-virus scanners, false positives are rare. However, they can arise if the scan string for a virus is poorly chosen, say because it is also present in some benign programs. False negatives are a more common problem with virus scanners because known-virus scanners tend to miss completely new or heavily modified viruses. False positives have, historically, been quite a problem for scanners that make heavy use of heuristic detection mechanisms.
Another related, serious problem is the situation where a scanner detects a virus, but incorrectly identifies which. Such misdiagnosed positives can lead to terrible problems if the scanner, or its user, then engages in a virus-specific disinfection routine based on detailed knowledge of the ‘detected’ virus’ characteristics. ‘Generic disinfection’ procedures are not entirely immune from such problems either.
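As an added example (not code from the glossary), the four outcomes described above, plus the misidentified positive, can be tallied by running a toy scan-string scanner over constructed samples. The scan strings, family names and sample file contents are all made up for this illustration; the ‘Alpha’ scan string is deliberately chosen so that it also occurs in a benign file, to show how a poorly chosen string produces a false positive, and the ‘Beta’ variant is modified so the string misses it.

```python
# Added example: a toy scan-string scanner evaluated against known ground truth.
# Every signature and sample below is constructed for illustration only.

# Constructed scan strings: the byte pattern the scanner uses to claim a family
# is present. 'Alpha' is deliberately a pattern that also occurs in benign code.
SCAN_STRINGS = {
    "Alpha": b"\x90\x90\xcd\x21",     # constructed; also present in a benign sample
    "Beta":  b"BETA-PAYLOAD-v1",      # constructed
}

# Constructed samples: (file name, content, true family or None if clean)
SAMPLES = [
    ("benign_tool.com",    b"header..\x90\x90\xcd\x21..benign",  None),
    ("infected_alpha.com", b"host..\x90\x90\xcd\x21..ALPHA-BODY", "Alpha"),
    ("infected_beta.exe",  b"host..BETA-PAYLOAD-v1",            "Beta"),
    ("beta_variant.exe",   b"host..BETA-PAYLOAD-v2",            "Beta"),   # modified variant
    ("clean.exe",          b"nothing to see",                   None),
    ("infected_gamma.com", b"host..\x90\x90\xcd\x21..GAMMA",    "Gamma"),  # no Gamma string known
]


def scan(content):
    """Return the first family whose scan string occurs in content, else None."""
    for family, pattern in SCAN_STRINGS.items():
        if pattern in content:
            return family
    return None


def evaluate(samples):
    """Classify each scan verdict against the ground truth for the sample."""
    tally = {"true_positive": 0, "true_negative": 0, "false_positive": 0,
             "false_negative": 0, "misidentified": 0}
    details = {}
    for name, content, truth in samples:
        verdict = scan(content)
        if truth is None and verdict is None:
            outcome = "true_negative"
        elif truth is None:
            outcome = "false_positive"   # Type-I error: clean file reported infected
        elif verdict is None:
            outcome = "false_negative"   # Type-II error: infected file reported clean
        elif verdict == truth:
            outcome = "true_positive"
        else:
            outcome = "misidentified"    # detected, but the wrong family is named
        tally[outcome] += 1
        details[name] = outcome
    return tally, details


def false_positive_rate(tally):
    """Share of clean samples that were reported as infected."""
    clean = tally["false_positive"] + tally["true_negative"]
    return tally["false_positive"] / clean if clean else 0.0


if __name__ == "__main__":
    counts, per_file = evaluate(SAMPLES)
    for name, outcome in per_file.items():
        print(f"{name:22s} {outcome}")
    print(counts, "FP rate:", false_positive_rate(counts))
```

The misidentified case matters for the disinfection problem described above: a family-specific repair routine chosen on the strength of the ‘Alpha’ verdict would be applied to a file that actually carries something else.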
When programs infected with common file infectors (such as Jerusalem in days of yore, and many others since) are run, the virus code usually gets control first. It then checks it has not already gone resident, copies itself into memory, and hooks a system interrupt or event handler associated with the host platform’s ‘load and execute’ function. When that function is subsequently called, the virus’ infection routine runs, checking whether the program that is about to run has been infected already, and infecting it if not. In contrast, a fast infector not only infects programs as they are executed, but even those that are just opened. Even more aggressive fast infectors will infect suitable targets as they are accessed in the most peripheral of ways, such as by reading their directory information as happens during a ‘DIR’ listing under DOS, or Explorer accessing a directory to display its contents under Windows. Thus, if a fast infector is active in memory, running a virus scanner or integrity checker can result in all of the virus’ potential victim files being infected. Early examples were the Dark Avenger and Frodo viruses and more recently CIH became very widespread, partly as a result of being a fast infector.
Note that, technically, most macro viruses are fast infectors. For example, Word macro viruses tend to infect the Word application environment (by deliberately targeting one or more global templates) so they are always present in the Word environment following initial infection. Also, most utilize some form of auto or system macros, or standard event handlers, which are normally triggered during the opening, closing or other user-initiated processing of document files (saving, for example) within the Word application environment. However, unlike executable infectors, such macro viruses are not spread by normal virus scanners, as the finding and opening of files occasioned by the use of a scanner happens outside the host application’s environment (i.e. it is the operating system’s file processing functions being used, not those of Word, Excel, etc. and thus the viral macros are not invoked during this processing of the files).
Also note that residency is associated with fast infection. This was a poorly chosen term, as it was settled on before multi-threaded or multi-process operating systems were targeted by viruses. A virus can be written for such systems to run as a separate process from its host, staying loaded as long as it takes it to find and infect all potential victim files, then exit (this has been done, for example, by Libertine.31672). As this results in the near-immediate infection of all hosts, the term ‘fast infector’ probably seems a good description for such a virus despite it being a direct action infector. However, the term ‘fast infector’ is intended for resident viruses that infect on most file accesses – the development of such viruses resulted in the addition of memory scanning to on-demand virus scanners.
File Allocation Table; the original file system used in DOS, Windows and OS/2. A file allocation table (FAT) is a table that an operating system maintains on a hard disk that provides a map of the clusters (the basic units of logical storage on a hard disk) that a file has been stored in. When you write a new file to a hard disk, the file is stored in one or more clusters that are not necessarily next to each other; they may be rather widely scattered over the disk. A typical cluster size is 2,048 bytes, 4,096 bytes, or 8,192 bytes. The operating system creates a FAT entry for the new file that records where each cluster is located and their sequential order. When you read a file, the operating system reassembles the file from clusters and places it as an entire file where you want to read it. For example, if this is a long Web page, it may very well be stored on more than one cluster on your hard disk. The FAT system for older versions of Windows 95 is called FAT16, and the one for new versions of Windows 95 and Windows 98 is called FAT32. FAT is supported by virtually all existing operating systems for personal computers, and because of that it is often used to share data between several operating systems booting on the same computer (a multiboot environment). It is also used on solid-state memory sticks and other similar devices.
These are viruses that attach themselves to .COM and .EXE files, although in some cases they will infect files with other extensions such as .SYS, .DRV, .BIN, .OVL, .CPL, .DLL, .SCR and others. The most common file viruses are resident viruses, loading into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional program files as they are run or even just accessed. But there are many non-resident viruses, too, which simply infect one or more files whenever an infected file is run.
Some applications store information in unsecured files and folders such as the temp directory. A file race condition occurs where an attacker has the chance to modify these files before the original application has finished with them. If the attacker successfully monitors, attacks and edits these temp files, the original application will then process them as if they were legitimate. The name of this kind of attack comes from the attacker’s ‘race to edit the file’.
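The race described above is easiest to see in code. The added example below (not from the glossary) contrasts a temp-file write that uses a predictable name and an ordinary truncating open with two hardened forms: an unpredictable name created atomically with mode 0600 via tempfile.mkstemp, and a fixed name opened with O_CREAT|O_EXCL|O_NOFOLLOW so that anything already sitting at that path makes the open fail instead of being followed. The demo plants a symlink at the predictable name (a constructed stand-in for the attacker’s edit window) and reports what happens; all file names are assumptions of the example.

```python
import os
import shutil
import stat
import tempfile

# Added example: insecure versus hardened temp-file handling (POSIX semantics).


def insecure_temp_write(directory, name, data):
    """Predictable path plus a truncating open: whatever is at that path when the
    open happens (including a symlink planted earlier) is followed and overwritten."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def secure_temp_write(data, directory=None):
    """Unpredictable name, created with O_EXCL and mode 0600 by mkstemp; the
    returned descriptor is used for the write so the path is never looked up twice."""
    fd, path = tempfile.mkstemp(prefix="app-", suffix=".tmp", dir=directory)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def secure_open_fixed_name(directory, name):
    """When the name must be fixed: refuse to reuse or follow anything pre-existing.
    Raises FileExistsError if a file or symlink already occupies the path."""
    path = os.path.join(directory, name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def file_is_private(path):
    """True for a regular file (not a link) with no group/other permission bits."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def demo():
    """Run the three variants in a scratch directory and report the outcomes."""
    workdir = tempfile.mkdtemp(prefix="race-demo-")
    try:
        victim = os.path.join(workdir, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original")
        # Constructed race: a symlink is already sitting at the predictable name
        # by the time the application gets round to writing its temp file.
        os.symlink(victim, os.path.join(workdir, "app.tmp"))

        insecure_temp_write(workdir, "app.tmp", b"replaced")
        with open(victim, "rb") as f:
            victim_overwritten = f.read() == b"replaced"

        safe_path = secure_temp_write(b"private data", directory=workdir)
        safe_is_private = file_is_private(safe_path)

        try:
            fd = secure_open_fixed_name(workdir, "app.tmp")
            os.close(fd)
            fixed_name_refused = False
        except FileExistsError:
            fixed_name_refused = True

        return {"victim_overwritten": victim_overwritten,
                "safe_is_private": safe_is_private,
                "fixed_name_refused": fixed_name_refused}
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The hardened variants share one idea: the decision to trust a path and the use of that path happen in a single system call, so there is no window in which the file can be swapped underneath the application.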
A program or device that blocks network access either incoming or outgoing from the computers on your local area network. Most of the time firewalls are useful for keeping unwanted intruders out of your home network. For most people a broadband router will work very well as a firewall. Windows XP also comes with an adequate firewall. Linux and Mac OS X come with built-in firewalls as well.
Also known as IEEE-1394. FireWire is a cross-platform implementation of the high-speed serial data bus — defined by the IEEE 1394–1995, IEEE 1394a-2000, and IEEE 1394b standards at speeds of up to 800 megabits per second (on machines that have a Firewire card installed).
File Transfer Protocol; a protocol used to transfer files over a TCP/IP network.
A link between two different types of otherwise incompatible networks allowing users the benefits of both.
Gigabyte; the basic unit is a byte. If you have 1000 bytes, you can call it 1 kilobyte (KB). If you have 1000 kilobytes, you can call it 1 megabyte (MB). The same happens when you go up from megabytes to gigabytes: 1000 megabytes make 1 gigabyte (GB), i.e. one billion bytes.
This is a specific form of false positive, in which the error is due to ‘leftover pieces’ or ‘remnants’ of a virus that are incorrectly detected and reported as an infection. As the virus is not present, no longer present (in the sense that it cannot be activated through normal actions of the user or system), or present but inactive, it is erroneous for a scanner to report an (active) infection.
For example, under DOS or Windows, accessing a diskette to obtain a listing of its root directory causes the diskette’s system boot sector to be read because details from the BPB must be obtained to correctly access the rest of the disk’s contents. Imagine a diskette that had previously been infected with a boot virus and disinfected by writing a very short boot program that simply displays a message warning the diskette is not a functional system diskette. Such a short program could easily leave a couple hundred bytes of the virus’ boot sector code intact if the disinfecting program did not overwrite the rest of the boot sector. Some scanners may see this part of the virus’ code and consequently report the virus’ presence.
In the early days of scanner development, some scanners would false alarm on other scanners, or report viruses in memory after another scanner had run. This was usually a form of ghost positive caused by one scanner ‘seeing’ the scan strings of another scanner. The simple solution to this was to not store scan strings in plain text, but to cipher them in some way. Of course, once this was done, the scanner had to work with them ciphered, as deciphering them even just in memory could still lead to their detection in-memory on a subsequent scanning run.
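As an added example (not from the glossary), the scanner-on-scanner ghost positive described above can be reproduced with a toy scan string, and contrasted with a database that never holds the string in the clear. The hardened variant stores only the length and SHA-256 digest of each scan string and compares digests of sliding windows of the scanned data, so the plaintext is never reconstructed, not even in memory. The scan string, the ‘infected’ sample and the database layout are constructed for this illustration; the hashing scheme is one reasonable realisation of the ‘ciphered scan strings’ idea, not any particular product’s design.

```python
import hashlib

# Added example: a plaintext scan-string database versus a digest-only one.

SCAN_STRING = b"EXAMPLE-SCAN-STRING"   # constructed stand-in for a real scan string


def build_plain_db(scan_strings):
    """Naive database: scan strings stored in the clear, one per line."""
    return b"\n".join(scan_strings)


def build_hashed_db(scan_strings):
    """Database holding only (length, SHA-256 digest) for each scan string."""
    return [(len(s), hashlib.sha256(s).digest()) for s in scan_strings]


def serialize_hashed_db(hashed_db):
    """On-disk form of the hashed database: 2-byte length followed by the digest."""
    return b"".join(length.to_bytes(2, "big") + digest for length, digest in hashed_db)


def scan_plain(data, scan_strings):
    """Plaintext scanner: a byte-string search for each scan string."""
    return any(s in data for s in scan_strings)


def scan_hashed(data, hashed_db):
    """Digest scanner: hash every window of the signature's length and compare
    against the stored digest, so the scan string itself is never materialised."""
    for length, digest in hashed_db:
        for offset in range(len(data) - length + 1):
            if hashlib.sha256(data[offset:offset + length]).digest() == digest:
                return True
    return False


def ghost_positive_demo():
    """Scan an 'infected' sample, a clean sample and each scanner's own database."""
    scan_strings = [SCAN_STRING]
    plain_db = build_plain_db(scan_strings)
    hashed_db = build_hashed_db(scan_strings)
    hashed_db_on_disk = serialize_hashed_db(hashed_db)

    infected = b"host code..." + SCAN_STRING + b"...more host code"   # constructed
    clean = b"host code only"                                          # constructed

    return {
        "plain_on_infected": scan_plain(infected, scan_strings),
        "plain_on_clean": scan_plain(clean, scan_strings),
        # The plaintext database contains the scan string, so scanning it alarms:
        "plain_on_own_db": scan_plain(plain_db, scan_strings),
        "hashed_on_infected": scan_hashed(infected, hashed_db),
        "hashed_on_clean": scan_hashed(clean, hashed_db),
        # The digest database contains no window equal to the scan string:
        "hashed_on_own_db": scan_hashed(hashed_db_on_disk, hashed_db),
    }


if __name__ == "__main__":
    for name, hit in ghost_positive_demo().items():
        print(f"{name:20s} {'DETECTED' if hit else 'clean'}")
```

Window-by-window hashing is far slower than a plain substring search; real scanners combine the ciphered store with cheaper pre-filters. The point here is only that the database file, and the scanner’s memory image, no longer contain anything another scanner’s plaintext search could match.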
GigaHertz; a billion hertz or a thousand megahertz, a measure of frequency. Each cycle is one nanosecond. As of 2003, most of the commonly sold microprocessors work with clocks that have frequencies ranging from one to three gigahertz.
Globbing is the use of wildcard characters or arguments to greatly increase the amount of data requested. An example is Dir *.* in DOS: this command asks for all file names with all file extensions (everything) in the current directory. By making globbing requests to a web server it is sometimes possible to cause a denial of service, as the server is too busy to deal with legitimate requests.
Some generic approaches to virus detection create ‘dummy’ program files which are written to the drives of the machines being monitored. These files are regularly checked for modification, or created, checked and then deleted. Such files are sometimes called ‘goat files’, ‘decoy files’ or ‘bait files’ because they are not intended to be run for any practicable purpose, and act solely as ‘bait’ to trap and detect the presence of an active virus. Goat file is also widely used to refer to the ‘standard’ files antivirus researchers commonly use to replicate viruses onto. Such files can make it easier to analyze the virus, because the researchers know what parts of the infected files they are dealing with are part of the original ‘goats’, and thus can readily ignore that code during their analysis of the virus. Different researchers generally use different goats.
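The first use of goat files above, decoys that are planted and then re-checked, is essentially an integrity check over files whose contents the monitor already knows. The added example below (not from the glossary) plants a few bait files with recorded sizes and SHA-256 digests, re-checks them, and reports any that went missing, changed size or changed content; the demo then alters one file itself to show the report. File names, sizes and the decoy contents are assumptions of the example.

```python
import hashlib
import os
import shutil
import tempfile

# Added example: plant decoy ('bait') files and detect later modification.


def plant_bait(directory, count=3, size=512):
    """Create decoy files with known content and return a baseline of
    {path: (size, sha256_hex)} for later comparison."""
    baseline = {}
    for i in range(count):
        path = os.path.join(directory, f"bait{i}.com")
        # Constructed decoy content: random filler, never meant to be executed.
        content = os.urandom(size)
        with open(path, "wb") as f:
            f.write(content)
        baseline[path] = (len(content), hashlib.sha256(content).hexdigest())
    return baseline


def check_bait(baseline):
    """Compare every bait file against the baseline; return (path, reason) pairs
    for files that vanished, grew or shrank, or changed content."""
    findings = []
    for path, (size, digest) in baseline.items():
        try:
            with open(path, "rb") as f:
                data = f.read()
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if len(data) != size:
            findings.append((path, "size changed"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((path, "content changed"))
    return findings


def demo():
    """Plant bait, verify it is untouched, modify one file, verify it is reported."""
    workdir = tempfile.mkdtemp(prefix="bait-demo-")
    try:
        baseline = plant_bait(workdir)
        before = check_bait(baseline)
        # Constructed modification: append to one decoy, as a parasitic file
        # infector that appends its code would.
        target = sorted(baseline)[0]
        with open(target, "ab") as f:
            f.write(b"appended bytes")
        after = check_bait(baseline)
        return len(before), [reason for _, reason in after]
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Checking size before content lets the monitor name the more specific symptom: an appending infector changes the size, whereas an overwriting one leaves the size intact and is caught by the digest comparison.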
General-Purpose computation on GPUs; with the increasing programmability of graphics processing units (GPUs), these chips are capable of performing more than the specific graphics computations for which they were designed. They are now capable coprocessors, and their high speed makes them useful for a variety of applications.
Global Positioning System; a worldwide radio-navigation system formed from a constellation of 24 satellites placed into orbit by the U.S. Department of Defense. GPS was originally intended for military applications, but in the 1980s, the government made the system available for civilian use. GPS uses these “man-made stars” as reference points to calculate positions accurate to a matter of meters. In fact, with advanced forms of GPS you can make measurements to better than a centimeter! In a sense it’s like giving every square meter on the planet a unique address. The basis of GPS is “triangulation” from satellites. To triangulate, a GPS receiver measures distance using the travel time of radio signals. To measure travel time, GPS needs a very accurate timing clock which it achieves with some tricks. Along with distance, you need to know exactly where the satellites are in space. High orbits and careful monitoring are the secret.
Graphics Processing Unit; a single-chip processor used primarily for computing 3D functions. This includes things such as lighting effects, object transformations, and 3D motion. GPUs form the heart of modern graphics cards, relieving the CPU (central processing units) of much of the graphics processing load. GPUs allow products such as desktop PCs, portable computers, and game consoles to process real-time 3D graphics that only a few years ago were only available on high-end workstations. August 31, 1999 marks the introduction of the Graphics Processing Unit for the PC industry by NVIDIA Inc. Its GeForce 256 GPU is capable of billions of calculations per second, can process a minimum of 10 million polygons per second, and has over 22 million transistors, compared to the 9 million found on the Pentium III. The technical definition of a GPU is “a single chip processor with integrated transform, lighting, triangle setup/clipping, and rendering engines that is capable of processing a minimum of 10 million polygons per second.”
A general classification for applications that have annoying, undesirable, or undisclosed behavior. Grayware applications do not fall into any of the major threat (i.e. virus or Trojan horse) categories as they are subject to system functionality, as well as user debate. Some items in the grayware category have been linked to malicious activities, while others are used to provide users with targeted information in terms of product announcements. Organizations dealing with sensitive information should be generally alarmed by the capability of any application with data gathering functionality.
The majority of grayware fall into the following classes:
Data Miners (Tracking Cookies)
Password cracking applications
Remote Access Programs
To alter a computer program or gain unauthorized entry into a program, computer, or computer system.
The term Hacker has been associated primarily with people who endeavor to violate computer or software security in some manner. The primary definition refers to an individual who is exceptionally skilled as a computer programmer. The other common meaning for the term is someone who gains unauthorized entry into a computer system or software program for the sake of mischief or financial gain. In light of many of the malicious deeds and pranks being played as of late, such as the malicious introduction of viruses via email, and the intentional crippling of large Websites, the accepted use of the term has unfortunately become negative.
Programs that generally crack or break computer and network security measures. Hacking tools have different capabilities depending on the systems they have been designed to penetrate. System administrators have been known to use similar tools – if not the same programs – to test security and identify possible avenues for intrusion.
The unit of measurement for frequency of electrical, electromagnetic (radio), and sound vibrations in cycles per second. Abbreviated “Hz,” one Hz is equal to one cycle per second.
Heuristics means ‘rule based’. Normally, for an Anti-Virus product to detect a virus, the virus must have been seen before, analyzed and detection added to the signature update files. Heuristics are used as there are some families of viruses that continually change their appearance and it is not possible to detect every variant. Heuristics allow us to set up some rules so if it smells like a virus, and it acts like a virus we can detect it, even if we have never seen the virus before.
Hoax warnings are typically scare alerts started by malicious people and passed on by innocent users who think they are helping the community by spreading the warning. If you receive a warning about a security threat, please look into it further before you forward it to other users.
HyperText Transfer Protocol; the protocol that allows the transfer of many documents on the World Wide Web. This is the familiar http:// seen at the beginning of the majority of all URLs.
Internet Corporation for Assigned Names and Numbers; pronounced “I can”. A non-profit, international association founded in 1998 and incorporated in the U.S. It is the successor to IANA (Internet Assigned Numbers Authority), which manages Internet addresses, domain names and the huge number of parameters associated with Internet protocols (port numbers, router protocols, multicast addresses, etc.). ICANN provides a list of accredited registrars.
Internet Control Message Protocol; a TCP/IP protocol defined by RFC 792. Used to send error and control and informational messages. For example, a router uses ICMP to notify the sender that its destination node is not available. A ping utility sends ICMP echo requests to verify the existence of an IP address.
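The echo request that ping sends is small enough to build by hand, which also shows where RFC 792’s checksum goes. The added example below (not from the glossary) packs an ICMP echo request with the RFC 1071 one’s-complement checksum and parses it back, verifying the checksum in the process; it works on bytes only and sends nothing on the network. The identifier, sequence number and payload are constructed values.

```python
import struct

# Added example: build and parse an ICMP echo request (RFC 792) offline.

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3


def inet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words, complemented.
    Odd-length data is padded with a zero byte for the computation."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier, sequence, payload=b""):
    """Type 8, code 0, checksum over header + payload, then identifier/sequence."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, identifier, sequence) + payload


def parse_icmp(packet):
    """Split an ICMP message into its fields; checksum_ok is True when the
    one's-complement sum over the whole message is zero, as RFC 1071 requires."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8-byte header")
    icmp_type, code, csum, identifier, sequence = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "checksum": csum,
        "identifier": identifier,
        "sequence": sequence,
        "payload": packet[8:],
        "checksum_ok": inet_checksum(packet) == 0,
    }


if __name__ == "__main__":
    pkt = build_echo_request(0x1234, 1, b"abc")    # constructed values
    print(pkt.hex())
    print(parse_icmp(pkt))
```

The same checksum routine verifies replies and error messages such as Destination Unreachable (type 3): a receiver sums the entire message it received, including the checksum field, and expects zero.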
Integrated Drive Electronics; IDE, ATA and ATAPI are the three names used by various hard drive manufacturers for the same drive technology. With IDE, the controller electronics are built into the drive itself, requiring only a simple circuit in the PC for connection. IDE drives were attached to earlier PCs using an IDE host adapter card. Subsequently, two Enhanced IDE (EIDE) sockets were built onto the motherboard, with each socket connecting two drives via a 40-pin ribbon cable for CD-ROMs and similar devices and an 80-wire cable for fast hard disks.
Institute of Electrical and Electronics Engineers; founded in 1884 as the AIEE. IEEE is an organization composed of engineers, scientists, and students. The IEEE is best known for developing standards for the computer and electronics industry.
Threats tagged as in-the-wild are those seen in real world computers, as opposed to test systems, in present time.
The Net; the worldwide network of computers originally set up by the US Department of Defense in the late 1960s. Originally called ARPANET (Advanced Research Projects Agency Network), it was designed to function as a continuing method of communication should any part of the system be destroyed by nuclear attack or sabotage. In time, it was used as a means of communication among university scholars throughout the United States. It eventually evolved into the popular electronic forum for international communication by way of interactive discussion, email, commercial Websites, entertainment and so much more. The term internet written with a lower case “i” indicates a local computer network.
Internet Protocol; a set of protocols that allow computers to communicate with each other.
Internet Protocol Address; a computer’s numeric identity on the Internet. All computers of Web surfers are identified by a number. As a user, the number assigned may either be static (always remains the same) or may be offered on an “as available” basis each time the individual logs on. A user’s number is assigned by their ISP.
Internet Relay Chat; used for group communication without any registration. IRC was created by Jarkko Oikarinen in 1988, and is used by many people from many demographics.
Integrated Services Digital Network; a system of digital phone connections which has been available since the late 1990s. This system allows voice and data to be transmitted simultaneously across the world using end-to-end digital connectivity. Most recently, ISDN service has largely been displaced by broadband internet service, such as xDSL and Cable Modem service. These services are faster, less expensive, and easier to set up and maintain than ISDN. Still, ISDN has its place, as backup to dedicated lines, and in locations where broadband service is not yet available.
The International Organization for Standardization; a network of national standards institutes from 151 countries, with a Central Secretariat in Geneva, Switzerland. Founded on February 23, 1947, the organization produces world-wide industrial and commercial standards. The organization is usually referred to simply as ISO (pronounced eye-so). It is a common misconception that ISO stands for International Standards Organization, or something similar. ISO is not an acronym; it comes from the Greek word isos, meaning equal. In English its name is International Organization for Standardization, while in French it is called Organisation Internationale de Normalisation; to use an acronym would result in different acronyms in English (IOS) and French (OIN), thus the founders of the organization chose ISO as the universal short form of its name.
A file that represents a one-to-one copy of a specific computer filesystem, most widely used for the compact disc medium (i.e. an entire CD or DVD-ROM). There are many different ISO image formats to choose from. The most common include the .cue/.bin and .iso image formats. Many Linux, BSD, or other free operating systems are distributed for download using an ISO image.
Internet Service Provider; a company that provides Internet service to a customer, usually in exchange for a fee. The company provides access to the Internet and one or more email accounts. Many providers offer unlimited monthly usage for a flat fee of around $20. It’s important to use an ISP that provides a local dial-up number, otherwise the user is charged long distance rates while connected to the Internet. It has become increasingly popular for some ISPs to offer free access to the Internet. Under this arrangement, the provider displays some type of advertising on the user’s screen (which can’t be removed) for the duration of the online session.
An object-oriented programming language developed by Sun Microsystems in the mid 1990s. Java applets are small programs that a user may download from the Internet and run in a Web browser without fear of introducing viruses. Java applets often display active animation and other clever action-oriented functions.
Scripts that allow Web developers to create interactive, dynamic Web pages with broader functionality. They are small, portable Java programs embedded in HTML pages and can run automatically when the pages are viewed. Malware authors have used Java applets as a vehicle for attack. Most Web browsers, however, can be configured so that these applets do not execute – sometimes by simply changing browser security settings to “high.”
A programming language developed by Netscape that allows Web designers to create interactive Websites.
A software utility that combines two or more files into a single file.
There is no firm definition of a joke program, but there are many programs about that are so classified. In general, they aim to entertain either the recipient or the supplier of the program, although it is probably the case that the joke is usually at the expense of the recipient. Human nature seems to turn many of these recipients into senders though, once they realize the program did no obvious harm beyond briefly increasing their personal anxiety levels (which was, in fact, the purpose of the person who sent the program to them).
So, what is a joke program? Joke programs are usually seen as programs that do no real damage but in some way attempt to raise the program user’s concern for the contents of their computer. A classic example is a program that suggests the user’s hard drive is about to be reformatted unless they click the ‘Cancel’ button in time and then starts a ten-second countdown – when the user tries to click the ‘Cancel’ button, the button jumps away from the cursor. If left to run until the countdown completes, a message is displayed explaining that it was dangerous to run a program sent via e-mail. Although such programs do not perpetrate any direct harm against the user, they can represent a serious risk. The problem that many such ‘harmless’ joke programs introduce is that some users panic and decide that, rather than risking the loss of their files, they would be better off turning their machine off. In so doing, they will lose any unsaved changes to current work and may corrupt the file system on their machine, causing even greater losses.
Any program that records keystrokes is, technically, a key logger. The term tends to be used in malware circles for programs that surreptitiously record keystrokes and then make the log of keyboard activity available to someone other than the logged user(s). Commonly these log files are e-mailed to the person who planted the logging software, but on public access machines (in cyber-cafes, school and university computer labs, etc.) that level of sophistication is not necessary as the ‘attacker’ can simply access the log file from the compromised machine at a later date, revealing usernames and passwords for accessing other systems and other potentially sensitive information. Although more common in Trojan Horse programs and remote access Trojans, key loggers are sometimes used in the payloads of viruses.
Sometimes called hang time. A delay or waiting period encountered while a computer processes data or a Web page loads onto a browser.
An alternative to the Windows and OS/2 operating systems that is open source and free. A few examples are Mandrake, Fedora, SuSE, Slackware, Gentoo, Red Hat, and Debian. Linux is widely used on production and enterprise level servers, where it is known for stability and low maintenance costs. These qualities also make it ideal for the desktop; however, it can initially be more difficult to set up than other desktop operating systems. There is a vast amount of free software available for Linux that can do almost anything that you can buy expensive software for in other operating systems.
Local Area Network; normally refers to a network confined to a tightly defined area, usually the same floor or building, or your home computer and the devices connected to it (such as a printer) if you are behind a router. Each single-user workstation or personal computer is called a node. A LAN can have from two to several hundred such nodes, each separated by distances of several feet to as much as a mile, and should be distinguished from connections among computers over public carriers, such as telephone circuits, by a router or a server that acts as a router. Because of the relatively small areas involved, the nodes in a LAN can be connected by special high-data-rate cables. With a router installed, you and your machine become a LAN, and the rest of the world (including your ISP) is the WAN. Without a router, your home computer is a node on your ISP’s LAN.
Local Area Wireless Network; a type of local area network that transfers data using high frequency radio transmission instead of telephone wires.
Liquid-Crystal Display; super-thin displays that are used in laptop computer screens and flat panel monitors. Smaller LCDs are used in handheld TVs, PDAs, and portable video game devices. The image on an LCD screen is created by sandwiching an electrically reactive substance between two electrodes. The color of this substance can be changed by increasing or reducing the electrical current. Since LCD screens are based on the principle of blocking light (rather than emitting it), they use up much less power than standard CRT (Cathode-Ray Tube) monitors.
Any program designed to load another program.
Usually of payloads; code that only runs when particular logical conditions are met while executing the virus or Trojan carrying it. For example, many viruses have payloads that only run on a certain date or between two dates or times, whereas others have payloads that only run after a specific number of files or boot sectors have been infected, and yet others check for any number and manner of other conditions. Logic bombs that depend on date, time or elapsed time triggers are often called time bombs. Those that will normally run when a virus or Trojan first executes are referred to as immediate acting.
Macro viruses consist of instructions in Word Basic, Visual Basic for applications and other application macro languages. They often reside in documents or other file types that are traditionally thought of as ‘just data’, and although that is not critical to determining whether something is a macro virus or not, it has been a crucial factor in the relative success of certain kinds of macro viruses. Another factor contributing to the success of macro viruses in the popular Microsoft Office application suite and related products (such as Microsoft Project) is that not only can the document files of these applications carry macro code, those macros can automatically run when certain basic events (such as opening and closing documents) occur and/or when the user expects that standard functions within the application should occur (such as selecting the Save item from the File menu). While few users tend to think of ‘documents’ as capable of being infected, any application which supports document-bound macros that automatically execute or usurp standard application functions is a potentially welcoming platform for macro viruses. By the late 1990s, documents had become much more widely shared than diskettes (assisted by the extensive adoption of networking technologies and particularly Internet e-mail) and document-based viruses dominated prevalence statistics. This seems likely to continue for the early years of the 21st century.
Software that will flood a victim’s inbox with hundreds or thousands of pieces of mail. Such mail generally does not correctly reveal its source.
Short for ‘Malicious Software’, a form of software designed with malicious intent. This intent may be to cause annoying pop-up ads with the hope you click on one and generate revenue, or forms of spyware and viruses that can be used to steal your identity or track your activities.
A virus that distributes itself via e-mail to multiple addressees at once is known as a mass mailer. Probably the first mass mailer was the CHRISTMA EXEC worm of December 1987 (and a couple of copycats in succeeding years), but the technique then all but disappeared until the Melissa outbreak of 1999. There have, however, been many mass mailers since Melissa. An important distinction between mass mailers and slow mailers, at least in terms of threat assessment, is the scale or rate at which they send infective messages. In sending a large number of messages (and hence copies of themselves) at once, mass mailers aim to achieve rapid, widespread distribution. Presumably their writers hope enough recipients of these messages will be lulled into running the attachments (or simply opening the messages in the case of HTML-embedded script viruses) to ensure the virus’ distribution outstrips spread of news about the outbreak and/or updates to virus scanners and other countermeasures. With the apparently ever-growing number of people on the Internet through the late 1990s, there was a continuous supply of fresh, very naïve, inexperienced users to be fooled into double-clicking what they should not. Through the use of ‘obvious’ social engineering tricks, viruses such as VBS/VBSWG.J had a fair shot at their fifteen minutes of fame.
Mass mailers often have the ‘@mm’ suffix to their names, making the additional threat they may pose readily identifiable to the informed. Mass mailers are often referred to as ‘worms’, although this usage is not universally accepted, or as ‘e-mail worms’ (perhaps to distinguish them from ‘real worms’).
The boot sector at the beginning of a hard drive (sector location 0,0,1 in CHS notation) is known as the master boot sector or, more commonly, the master boot record. Boot code in this disk sector is loaded by the BIOS, should it attempt to boot from the hard drive. Normally, the MBR’s boot code checks the MBR’s partition table to determine which partition to load an OS from. It then loads the contents of the boot partition’s system boot sector (the first sector in the partition) and transfers control to that load location. This should be the beginning of the boot code of that partition and it is up to that code to ‘know’ how to boot the OS on that partition. The master boot record is usually referred to as such or as the MBR, sometimes as the master boot sector (or MBS) and occasionally, but incorrectly, as the partition table (which is actually just a part of the contents of the MBR). Normally the master boot record of a DOS or Windows machine is created when partitioning the drive with FDISK, although all manner of third-party partitioning and boot management tools may also write to the partition table and/or the MBR’s boot code. Because the MBR contains a program (the boot code) it can be infected by a suitably crafted virus.
A virus that infects master boot records. In reality, a virus that only infected MBRs would not be very successful because its chances of replicating would be very limited as new hard drives are seldom added to systems. Its chances of spreading would be even more limited as it is even rarer for hard drives to be moved from machine to machine. MBR infectors usually also infect other boot sectors (particularly those on diskettes) or are multipartite, infecting program files and MBRs (and possibly other boot sectors as well).
Megabyte; the basic unit is a byte. If you have 1000 bytes, you can call it 1 kilobyte (KB). If you have 1000 kilobytes, you can call it 1 megabyte (MB), about a million bytes.
The ability to stay in computer memory after execution and continuously run. This capability is generally expected of certain malware types, specifically backdoors, which stay in memory to await commands. Certain file infectors also stay in memory to infect files as they are opened; while some worms stay in memory to continually send email.
Programs that stay in memory are generally referred to as memory-resident. The files related to these running programs cannot be modified, deleted, or moved unless they are terminated.
MegaHertz; one megahertz equals one million cycles per second. Used to measure the transmission speed of electronic devices, including channels, buses and the computer’s internal clock. A one-megahertz clock (1MHz) means some number of bits (16, 32, 64, etc.) are manipulated one million times per second. A one-gigahertz clock (1GHz) means one billion times.
This is not a widely used term, but generally refers to an entry point obscuring (EPO) virus. Due to design considerations in some scanners, some non-EPO viruses are referred to as middle infectors and may require special handling.
A digital music format that offers CD quality sound at about 1/10th the size.
A virus that infects two or more different target types is generally referred to as a multipartite virus. Early multipartite viruses infected boot sectors and DOS executables, but more esoteric combinations have been seen.
An extension of the cavity infection technique, a multiple cavity infector is able to break its code into two or more pieces, placing each piece in a suitable-sized ‘hole’ in the infection target. As with the standard cavity infection technique, this has the advantage of not increasing the size of the target, but adds the flexibility of infecting files that do not have a single ‘hole’ large enough for the virus’ entire code. This is a very rare infection technique and made famous by the first multiple cavity virus – CIH (although Commander_Bomber can lay claim to using much the same technique, it made its own cavities, moving pieces of the original executable image around to accommodate slivers of its code).
MuTual EXclusion; a mutex is a program object that allows multiple threads to share the same resource. Any thread that needs the resource must lock the mutex against other threads while it is using the resource. The mutex is unlocked when it is no longer needed or the thread is terminated. The difference between a mutex and a semaphore is that a mutex is owned by the thread which locked it (that is, only the thread which locked the mutex can unlock it), whereas a semaphore can be changed by another thread or process.
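The ownership distinction above, as an added Python example (not part of the glossary): a reentrant mutex (`threading.RLock`, which does enforce ownership, unlike the plain `threading.Lock`) refuses a release from a thread that did not acquire it, while a `threading.Semaphore` can be released by any thread, which is what makes it usable as a signal and as a counter that bounds how many threads use a resource at once. The thread counts, sleep durations and the `peak_concurrency` helper are constructed for illustration.

```python
import threading
import time


def mutex_refuses_foreign_release():
    """A reentrant mutex (threading.RLock) may only be released by the thread
    that acquired it. Returns True if the other thread's release attempt was
    refused with RuntimeError."""
    mutex = threading.RLock()
    mutex.acquire()                       # this thread now owns the mutex
    outcome = {}

    def intruder():
        try:
            mutex.release()               # not the owner: CPython raises RuntimeError
            outcome["refused"] = False
        except RuntimeError:
            outcome["refused"] = True

    t = threading.Thread(target=intruder)
    t.start()
    t.join()
    mutex.release()                       # the owner releases normally
    return outcome["refused"]


def semaphore_signalled_by_other_thread():
    """A semaphore has no owner: one thread waits on it and a different thread
    releases it, which is how it doubles as a one-shot signal."""
    ready = threading.Semaphore(0)        # zero permits: acquire() blocks until released

    def producer():
        time.sleep(0.05)                  # constructed delay standing in for real work
        ready.release()

    t = threading.Thread(target=producer)
    t.start()
    got_signal = ready.acquire(timeout=5)
    t.join()
    return got_signal


def peak_concurrency(permits=2, workers=6):
    """Bound the number of threads inside a guarded region with a counting
    semaphore, and use a mutex to protect the counter that measures the peak."""
    gate = threading.Semaphore(permits)
    counter_mutex = threading.Lock()
    state = {"active": 0, "peak": 0}

    def worker():
        with gate:                        # at most `permits` workers past this line
            with counter_mutex:
                state["active"] += 1
                state["peak"] = max(state["peak"], state["active"])
            time.sleep(0.05)              # hold the shared resource briefly
            with counter_mutex:
                state["active"] -= 1

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["peak"]


if __name__ == "__main__":
    print("foreign release refused:", mutex_refuses_foreign_release())
    print("semaphore signal received:", semaphore_signalled_by_other_thread())
    print("peak concurrency with 2 permits:", peak_concurrency())
```

The practical consequence for malware analysis is the one the glossary hints at: because a mutex is a named, process-wide object, some malware creates one with a fixed name so a second copy of itself exits if the name already exists, and that name then becomes a useful indicator for defenders.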
Network Address Translation; created as one of the responses to the IPv4 address shortage. Using NAT allows a private or local network to use a different addressing scheme to that of the Internet, and yet still communicate sensibly with the Internet. It also translates all internal network addresses by forwarding only the IP address of the NAT device when traffic leaves the private network. For example, when a message is sent from a machine internal to the network, say with the private IP address of 10.10.10.10, it is stopped by the device and its private IP address is changed to a public address (say, 22.214.171.124) that can then be routed correctly on the Internet.
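The translation described above, as an added Python model that is not part of the glossary: a port-translating NAT device rewrites the source of each outbound flow to its single public address and a fresh public port, records the mapping, and only accepts an inbound packet if it matches a flow that was opened from inside. The addresses (10.10.10.10 and 10.10.10.11 inside, 198.51.100.7 as a server, 203.0.113.5 as the public address) and the `NaptDevice`/`Packet` names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the addressing fields a NAT device rewrites (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptDevice:
    """Port-translating NAT: every outbound flow gets its own public port, and
    inbound packets are accepted only if they match a flow opened from inside."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound_map = {}    # (public port, remote_ip, remote_port) -> (src_ip, src_port)
        self.dropped = 0         # unsolicited inbound packets with no mapping

    def translate_outbound(self, pkt):
        """Rewrite a packet leaving the private network; create the mapping on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt):
        """Rewrite a reply arriving at the public address, or drop it (None) if no
        inside host opened a matching flow."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.inbound_map:
            self.dropped += 1
            return None
        src_ip, src_port = self.inbound_map[key]
        return Packet(pkt.src_ip, pkt.src_port, src_ip, src_port)


def demo():
    """Two inside hosts that chose the same source port, one reply, one unsolicited packet."""
    nat = NaptDevice("203.0.113.5")
    a = nat.translate_outbound(Packet("10.10.10.10", 51000, "198.51.100.7", 80))
    b = nat.translate_outbound(Packet("10.10.10.11", 51000, "198.51.100.7", 80))
    reply_to_a = nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", a.src_port))
    unsolicited = nat.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.5", 22))
    return a, b, reply_to_a, unsolicited, nat.dropped


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because the device accepts inbound traffic only for mappings it has already created, a NAT incidentally blocks unsolicited inbound connections to the private hosts; that is a side effect of the address bookkeeping, not a security policy, and it does not replace a firewall.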
Viruses that spread to new hosts by finding writable network drives (or ’shares’) and copying themselves there or infecting files on those shares are sometimes referred to as network creepers. Note that a distinction is made between network creepers and other viruses that just happen to infect files on network shares because they infect files on all local and mapped drives. To be a network creeper, a virus has to specifically search for shared network resources, and will find ones that are not currently in use by its host machine. VBS/Netlog has shown how surprisingly successful this technique can be when depending solely on Microsoft Networking and open shares (ones with write-access but no password). Some antivirus researchers consider network creepers to be worms.
Refers to the shape of a network, or a network’s layout, and can be either physical or logical. A network’s topology determines how its nodes are connected and how they communicate. The five most common network topologies are Mesh, Star, Bus, Ring, and Tree.
Network Operating System; an operating system that is designed for network use. Normally, it is a complete operating system with file, task and job management; however, with some earlier products, it was a separate component that ran under the OS; for example, LAN Server required OS/2, and LANtastic required DOS. Unix, Linux, NetWare, Windows 2000 Server and Windows Server 2003 are examples of network operating systems designed for use in stand-alone servers. Such products may also include a Web server, directory services, messaging system, network management and multiprotocol routing capabilities.
Any tool designed for stealth notification of an attacker that a victim has installed and run some pest. Such notification might be done by FTP, SMS, SMTP, or other method, and might contain a variety of information. Often used in combination with a Packer, a Binder and a Downloader.
New Technology File System; the standard file system of Microsoft Windows NT and its descendants Windows 2000, Windows XP and Windows Server 2003. It allows for larger disk drives with smaller cluster sizes. NTFS replaced Microsoft’s previous FAT32 file system, used in MS-DOS and early versions of Windows. For large applications, NTFS supports spanning volumes, which means files and directories can be spread out across several physical disks.
Now a generic term for several TCP/IP DoS attacks, but originally made (in)famous by the WinNuke DoS attack which crashed Windows machines that had not been suitably patched or firewalled. eTrust Pest Patrol uses this definition to specifically refer to a program that disables a machine through damage to the registry, key files, the file system, or other aspects of the system.
Original Equipment Manufacturer; the equipment and software as it was originally supplied by the manufacturer when your machine was new. In the automotive trade, OEM parts are parts from the dealerships of the various brands. In computing, computer makers receive special distributions of operating system software to include with their machines. This OEM software is often slightly different from the same brand of software bought à la carte.
An encrypted virus that has several forms of its decryption code, selecting between them (usually randomly) when writing its decryptor to a new replicant.
Operating System; the job of an operating system is to orchestrate the various parts of the computer — the processor, the on-board memory, the disk drives, keyboards, video monitors, etc. — to perform useful tasks. The operating system is the master controller of the computer, the glue that holds together all the components of the system, including the administrators, programmers, and users. When you want the computer to do something for you, like start a program, copy a file, or display the contents of a directory, it is the operating system that must perform those tasks for you. More than anything else, the operating system gives the computer its recognizable characteristics. It would be difficult to distinguish between two completely different computers, if they were running the same operating system. Conversely, two identical computers, running different operating systems, would appear completely different to the user.
In general, the simplest form of a virus is a program that just copies itself over the top of other programs. Such viruses are known as overwriters and are commonly the first types of viruses written for newly ‘virused’ platforms (e.g. Phage, the first PalmOS virus, discovered in late 2000, was a simple overwriter). Because they do not preserve the functionality of their host programs, overwriters tend to be very obvious and thus not very ’successful’.
Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, Limewire, Morpheus, Shareaza, WinMX and Xolox. In an organization, can degrade network performance and consume vast amounts of storage. May create security issues as outsiders are granted access to internal files. Often bundled with Adware or Spyware.
Sometimes referred to as Datagram; a packaged unit of characters or other form of computer output sent from one computer to another over a network. Packets are digitally encoded with the address of the sender and recipient so they reach their intended destinations as well as letting the receiver of the data know that it came from an authorized or recognized source.
The method used to send information over a network. Each packet has the address of the sender as well as the destination address. This allows information to intermingle with other packets of data, without being lost or misdirected, while making its journey over the network.
Parasitic viruses are those that modify some existing code resource to effect replication. The major distinction here is that companion viruses are not parasitic, and the standalone ‘worms’ (such as the mass mailers and network creepers) tend not to be parasitic. Overwriters tend not to be considered parasitic either. Although macro virus infection necessitates the modification of document files, it has been common for macro viruses to remove pre-existing macros, making them more akin to overwriters. Thus, usually only those macro viruses with a replication method that retains (some of) the pre-existing macros from a target are considered parasitic. Some researchers consider such viruses parasitic only if macros within a module used by the virus are retained.
The dividing of a hard disk’s storage space into independent parts called partitions.
A confusing term, at best. It seems to mainly be used to mean the system boot sector of the active partition. Unfortunately, without some additional context, it seems likely this term would easily be mistaken to be a reference to the master boot sector because this houses the partition table.
Partition tables are a crucial part of how DOS and related operating systems understand the layout of partitions (or logical drives) on hard disks. For the sake of interoperability, most OSes that run on PCs also follow the dictates of these fundamental partition information resources. A partition table is a 64 byte data array located at offset 1BEh of master boot records and the boot sectors of extended partitions. Each table has space for only four 16 byte partition definition entries. Each such entry records such data as the beginning and ending sector of the partition, a partition type indicator byte and whether the partition is marked ‘active’ (or ‘bootable’). Beginning and ending sector locations are recorded in absolute CHS terms (relative to any drive geometry translation the BIOS may be set to use).
As the partition table is just data, it cannot be infected. Occasionally the term ‘partition virus’ or ‘partition table virus’ is seen or heard. It is a misconception and what is meant is usually a boot virus that infects MBRs.
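The master boot record and partition table layout described in the two entries above (64-byte table at offset 1BEh, four 16-byte entries, an active flag, a type byte and CHS start/end fields), as an added Python example that is not part of the glossary. It parses a constructed 512-byte MBR and runs the consistency checks an examiner would apply when a boot virus or a disk-wiping payload is suspected: more than one active entry, zero-length partitions, a partition starting in sector 0, and overlapping partitions. The 32-bit LBA start and sector-count fields at entry offsets 8 and 12, and the 55 AA signature at offset 510, are standard MBR facts not stated in the glossary; the partition type values 0x07 and 0x83 and all sector numbers are constructed sample data.

```python
import struct

# Layout used by the parser: the table offset and entry sizes come from the
# glossary; the LBA fields and the 0x55 0xAA boot signature are standard MBR facts.
TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
ENTRY_COUNT = 4
ACTIVE_FLAG = 0x80


def decode_chs(raw):
    """Unpack the 3-byte CHS field: head, then a 6-bit sector carrying the
    cylinder's two high bits, then the cylinder's low 8 bits.
    Returns (cylinder, head, sector)."""
    head, sec_cyl_hi, cyl_lo = raw
    cylinder = ((sec_cyl_hi & 0xC0) << 2) | cyl_lo
    sector = sec_cyl_hi & 0x3F
    return (cylinder, head, sector)


def encode_chs(cylinder, head, sector):
    """Inverse of decode_chs; used here only to build the constructed sample."""
    return bytes([head & 0xFF, ((cylinder >> 2) & 0xC0) | (sector & 0x3F), cylinder & 0xFF])


def parse_partition_table(mbr):
    """Return a list of dicts, one per non-empty entry, in table order."""
    if len(mbr) < 512:
        raise ValueError("MBR must be at least 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 55 AA missing")
    entries = []
    for slot in range(ENTRY_COUNT):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        raw = mbr[off:off + ENTRY_SIZE]
        if raw == bytes(ENTRY_SIZE):
            continue  # unused slot
        lba_start, sector_count = struct.unpack_from("<II", raw, 8)
        entries.append({
            "slot": slot,
            "active": raw[0] == ACTIVE_FLAG,
            "type": raw[4],
            "chs_start": decode_chs(raw[1:4]),
            "chs_end": decode_chs(raw[5:8]),
            "lba_start": lba_start,
            "sector_count": sector_count,
        })
    return entries


def check_partition_table(entries):
    """Consistency checks on a parsed table; returns a list of problems
    (empty when the table looks sane)."""
    problems = []
    active = [e["slot"] for e in entries if e["active"]]
    if len(active) > 1:
        problems.append(f"more than one active partition: slots {active}")
    for e in entries:
        if e["sector_count"] == 0:
            problems.append(f"slot {e['slot']}: zero-length partition")
        if e["lba_start"] == 0:
            problems.append(f"slot {e['slot']}: partition starts in the MBR sector")
    # Partitions must not share sectors: sort by start and compare neighbours.
    spans = sorted((e["lba_start"], e["lba_start"] + e["sector_count"], e["slot"]) for e in entries)
    for (s1, e1, a), (s2, e2, b) in zip(spans, spans[1:]):
        if s2 < e1:
            problems.append(f"slots {a} and {b} overlap")
    return problems


def build_sample_mbr(entries):
    """Constructed sample MBR: zeroed boot code, the given entries, 55 AA signature."""
    mbr = bytearray(512)
    for slot, (active, ptype, lba_start, count) in enumerate(entries):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        mbr[off] = ACTIVE_FLAG if active else 0
        mbr[off + 1:off + 4] = encode_chs(0, 32, 33)       # CHS start (constructed)
        mbr[off + 4] = ptype
        mbr[off + 5:off + 8] = encode_chs(1023, 254, 63)   # CHS end (constructed)
        struct.pack_into("<II", mbr, off + 8, lba_start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample: an active type-0x07 partition followed by a type-0x83 one.
SAMPLE_MBR = build_sample_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 409600)])
# Constructed damaged sample: second entry overlaps the first and both are flagged active.
TAMPERED_MBR = build_sample_mbr([(True, 0x07, 2048, 204800), (True, 0x83, 100000, 409600)])

if __name__ == "__main__":
    for e in parse_partition_table(SAMPLE_MBR):
        print(e)
    print("sample problems:", check_partition_table(parse_partition_table(SAMPLE_MBR)))
    print("damaged problems:", check_partition_table(parse_partition_table(TAMPERED_MBR)))
```

To run the same parser against a real disk, read its first 512 bytes from the raw device (or from a forensic image) and pass them to `parse_partition_table`; the table is only data, so what the checks reveal is corruption or tampering of the table, while an infected MBR shows up in the boot code that precedes it.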
A tool to decrypt a password or password file. PestPatrol uses the term both for programs that take an algorithmic approach to cracking, as well as those that use brute force with a password cracking word list. Password crackers have legitimate uses by security administrators, who want to find weak passwords in order to change them and improve system security.
If a virus has any damaging routines (other than apparently unintended side-effects or bugs), they are known as payloads or warheads. The term is drawn by analogy with military rocket and munitions talk, where the virus is seen as the ‘delivery vehicle’ and the damage routine the payload or warhead. We also borrow the term trigger from this analogy.
Peripheral Component Interconnect; a hardware bus designed by Intel and used in both PCs and Macs. Most add-on cards such as SCSI, Firewire, and USB controllers, use a PCI connection. Some graphics cards use a PCI slot, but most new graphics cards connect to the AGP slot. PCI slots are found inside of your computer on the motherboard and are about 3.5″ long and about 0.5″ high.
Portable Document Format; the file format in Adobe’s Acrobat document exchange technology.
The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
An audio broadcast that has been converted to an MP3 file or other audio format and made available via an RSS syndication feed. Podcasting is similar in nature to RSS, which allows subscribers to subscribe to a set of feeds to view syndicated Web site content. The term podcasting plays upon the terms broadcasting and webcasting and is derived from the name of the iPod portable music player, the playback device of choice of many early podcast listeners. While not directly associated with Apple’s iPod device or iTunes jukebox software, the company did contribute both the desire and the technology for this capability. Podcasting is similar to time-shifted video software and devices like TiVo, which let you watch what you want when you want by recording and storing video, except that podcasting is used for audio and is currently free of charge. Note, however, that this technology can be used to pull any kind of file, including software updates, pictures, and videos.
In a sense, polymorphic viruses were an extension of the simpler idea of encrypted viruses. Although the replicants of encrypted viruses vary, they can still be detected (albeit imprecisely identified) by simple string scanning because they have a constant decryptor. The development of polymorphism was an attempt to overcome that shortcoming of encrypted viruses. The simplest approach to not having a constant decryptor was for the virus writer to produce several implementations of the decryption algorithm and slot just one of those forms into the small unencrypted area of each replicant. A very similar method was to have several different encryptor/decryptor pairs, randomly selecting among them at infection time. The very simplest form of this approach employs just two forms of the decryption code or two encryption/decryption pairs and thus is sometimes referred to as bimorphism. More complex variations on this approach involve more than two forms, but still a number fixed by the fact that the code for each decryptor or encrypt/decryptor pair is present in the virus’ code. Whale was the first example of this approach, carrying 30 encryptor/decryptor pairs in its code. Aside from adding some overhead to analyzing the virus, such approaches were still not difficult for scanners to deal with – all the scanner developers had to do was add a scan string for each decryptor.
True polymorphism, however, requires more complexity than simply selecting from a group of constant encryptor/decryptor pairs. Viruses in the V2Px family were the first truly polymorphic viruses, employing such techniques as inserting a variable number of ‘do nothing’ or ‘noise’ instructions between the ‘viral’ instructions, interchanging equivalent but different instructions, and swapping code blocks where the order of execution of the blocks was not important to the overall effect of the code. Such code permutations could be applied to all of a virus’ code or just to the decryption routine of an encrypting virus.
One of the most sophisticated forms of polymorphism at the time, in some ways setting the standard against which subsequent polymorphs were judged, was the ‘Mutation Engine’ (or MtE). It was distributed in the form of an object module which could be linked to the code of a virus body (the code responsible for replication), making that virus polymorphic. More recently, polymorphic viruses have ‘benefited’ from the advance of 32-bit computing, with some polymorphic engines theoretically capable of reproducing their host virus into 4 billion different forms. Scanning technology has obviously had to evolve well past simple string scanning to deal with such complexity while not labeling every other ‘innocent’ executable a virus too.
Post Office Protocol Version 3; a standard protocol used to allow users to download their e-mail from the mail server to their computer.
In hacker reconnaissance, a port scan attempts to connect to all 65536 ports on a machine in order to see if anybody is listening on those ports. Port scans are not illegal in many places, in part because they don’t actually compromise the system, in part because they can easily be spoofed, so it is hard to prove guilt, and in part because virtually any machine on the Internet can be induced to scan another machine. Many people think that port scanning is an overt hostile act and should be made illegal. An attacker will often sweep thousands (or millions) of machines rather than a single machine looking for any system that might be vulnerable. Port scans are always automated through tools called Port Scanners.
Power On Self Test; when a PC is powered up or restarted, the first thing the BIOS does is perform some basic tests for the existence and/or functionality of various hardware components (e.g. whether there is enough RAM to run the rest of the BIOS code, whether there is a functional display adaptor with text-mode capabilities, etc.). Should any of these tests fail, the BIOS simply beeps to indicate the error, and stops – the machine just freezes. The number of beeps describes which of the sub-system tests failed. Unfortunately, there is no explicit standard between manufacturers (and even between models) for these error codes, so you need to contact technical support or the manufacturer’s web site to obtain this information.
A virus that inserts a copy of its code at the beginning of the code of its victim file.
A pre-set parameter used by a computer to communicate with another computer over a network. Protocols include how data is compressed, and the method for recognizing and acknowledging the sender of data over a modem.
An Internet connection device. It accepts requests for Internet resources (such as when a Web browser opens a Web page) and attempts to provide the resources if it has it in cache. It will request the page from the actual site if it doesn’t have it in cache.
Apart from its caching function, a proxy server can control connection to specific sites. The single point of contact also improves manageability of Internet connections for huge networks. Some malware have been known to function as proxy servers on infected machines, allowing unauthorized computers to connect to the Internet via infected systems.
Random Access Memory; made up of small memory chips that are connected to the motherboard of your computer. The “random” in RAM means that the contents of each byte of storage in the chip can be directly accessed without regard to the bytes before or after it. This is also true of other types of memory chips, including ROMs and PROMs. However, unlike ROMs and PROMs, RAM chips require power to maintain their content, which is why you must save your data onto disk before you turn the computer off. Every time you open a program, it gets loaded from the hard drive into the RAM. This is because reading data from the RAM is much faster than reading data from the hard drive. Running programs from the RAM of the computer allows them to function without any lag time. The more RAM your computer has, the more data can be loaded from the hard drive into the RAM, which can help speed up your computer. In fact, adding RAM can be more beneficial to your computer’s performance than upgrading the CPU. When personal computers first came on the market in the late 1970s, 64KB (64 kilobytes) of RAM was the upper limit. Today, 64MB (64 megabytes) of RAM is entry level for a desktop computer, and 255MB, 512MB or 1024MB of RAM is even common.
Remote Access Server; allows users to access networks through dial-up modem connections.
One of the scanning options that operates only in the background. It automatically checks files as they are opened, written or executed, providing protection against threats without the user having to start a scan. The Real-time Scanner’s minimal memory usage allows users to continue working at normal speed.
The configuration database in all 32-bit versions of Windows. On Windows 95, 98 and Me the Registry is stored in the SYSTEM.DAT and USER.DAT files; on Windows NT-based systems it is stored in hive files under %SystemRoot%\System32\config and in each user’s NTUSER.DAT. Beginning with Windows 95, the Registry is a single place for keeping information such as what hardware is attached, what system options have been selected, how computer memory is set up, and what application programs are to be started when the operating system boots. It contains information and settings for all the hardware, software, users and preferences of the PC. Whenever a user changes Control Panel settings, file associations, system policies or installed software, the changes are reflected and stored in the Registry. Because entries such as the Run keys determine what starts automatically, the Registry is also a common place for malware to establish persistence, and unexpected changes there are worth checking.
This list contains other threats that are related to a specific threat. This could be other components that work in conjunction with the malware or grayware being discussed – typically as part of a multi-component malware/grayware package. It could also include variants of the specific threat being described.
A program that surreptitiously allows access to a computer’s resources (files, network connections, configuration information, etc.) via a network connection is known as a remote access Trojan, or RAT. Note that such functionality is often included in legitimate software designed and intended to allow such access. For example, software that allows remote administration of workstations on a company network, or that allows helpdesk staff to ‘take over’ a machine to remotely demonstrate how a user can achieve some desired result, is a genuinely useful tool (and even desirable in many settings). The difference between remote access Trojans and remote administration tools is that the latter are designed into a system and installed and used with the knowledge and support of the system administrator and the other support staff they involve. Remote access Trojans are also commonly referred to as remote access trapdoors and backdoors, although the terms trapdoor and backdoor tend to have their own specialized and slightly different meanings.
Loosely based on the biological concept with the same name, computer viruses that attack antivirus products are sometimes referred to as retro-viruses. Examples range from including code that is known to cause code emulators to exit early, through disabling loading of well-known antivirus products and disabling resident antivirus products by patching them in memory to deleting the checksum data files of products offering such features.
Rapid Exchange of Virus Samples; a mailing list for antivirus companies, allowing their virus analysis staff to securely send samples of ‘emergency’ viruses to other antivirus developers and for the lab staff to discuss emerging ‘virus emergencies’. REVS member companies are expected to send samples of any ‘urgent’ viruses they isolate to the mailing list no later than the time they make press releases or other public announcements about such viruses.
Read-Only Memory; apart from its contents normally not being modifiable, ROM is usually also non-volatile. This type of memory is traditionally used to hold a PC’s BIOS and little else, although various kinds of ‘modifiable ROM’ memory technologies, such as EPROM, EEPROM and flash memory, have been used through the years, with flash memory being preferred in recent years.
Software that conceals logins, processes, files, logs or system data. Rootkits are often used to hide malware or other unwanted processes that are installed on, or operating on a system.
A network device that forwards packets from one network to another.
Really Simple Syndication; a method of providing website content such as news stories or software updates in a standard XML format.
Occurring while a program is executing. For example, a runtime error is an error that occurs during program execution and a runtime library is a library of routines that are bound to the program during execution. For a number of years, technical writers resisted runtime as a term, insisting that something like “when a program is run” would obviate the need for a special term. Gradually, the term crept into general usage.
Scripts are program code that is interpreted and executed by another application rather than being compiled into a stand-alone executable. Compiled programs, by contrast, can run on their own, but are often harder to produce because they must be compiled first.
Many scripts can run on most systems without installing a special interpreter. For example, Windows systems ship with Windows Script Host, which can interpret several script types (such as VBScript and JScript), and scripts embedded in HTML pages are executed by Web browsers, which are installed on almost every computer. This ubiquity is also what makes script-based malware easy to deliver.
Any software that resets your browser’s settings so that searches are redirected to other sites. Such a hijacker may route your queries and address requests through an unseen intermediate site, capturing what you typed. While one is running your browser may behave normally but more slowly, and search results will sometimes differ from those on a non-hijacked machine.
A network computer or software that performs a wide variety of functions such as delivering data to client computers. Servers store and deliver, upon demand, files to other computers on the network. A Web server, for example, stores Web pages that are simply files. When a Web browser, prompted by a user, sends a request for a particular page, the server calls up the file from its hard disk and sends it to the browser over the network. Web servers need to have large data storage disks to store multiple pages. The term also refers to computers other than Web servers. A server on a LAN might maintain files needed exclusively by the users of that network, while an e-commerce server would maintain and deliver data essential to the transfer of funds for commercial transactions on the Internet.
Software that is distributed without payment ahead of time, as is common for small software companies. Typically shareware is obtained free of charge by downloading from the net, allowing one to try out the program first. A shareware program is usually accompanied by a request for payment, and often payment is required under the terms of the license after a set period of time or to unlock certain features. The term shareware was coined by Bob Wallace to describe his word processor PC-Write in the mid-1980s.
Most resident viruses attempt to maximize their hit rate by infecting at least the commonly used programs on a system. Some (fast infectors) go so far as to attempt to infect every possible target. However, infecting many targets tends to increase the likelihood of being detected, so some resident viruses only infect files as they are modified or created. This undermines integrity checking, because an integrity checker reports exactly the files that were just created or modified; the user expects those reports and ignores them, assuming the change is entirely due to the legitimate creation or modification of the file. An early example is the Darth Vader virus. A related, though different, technique for reducing the likelihood of detection is that of the sparse infector.
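As an added illustration of the integrity-checking approach the entry above describes (example code written for this glossary, not from the original page), the following Python baseline-and-compare checker hashes a directory and reports added, removed and modified files. The demo directory contents and the ‘<viral-appendix>’ marker are constructed; the point is that a legitimate edit and an infection made during that edit produce the same single ‘modified’ report.

```python
"""Baseline-and-compare file integrity checker.

Added example for this glossary entry, not code from the original page.
The demo directory and the '<viral-appendix>' marker are constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root) to (sha256 hex, size)."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            digests[rel] = (hashlib.sha256(data).hexdigest(), len(data))
    return digests


def compare(baseline, current):
    """Report added, removed and modified paths between two snapshots."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo():
    """Take a baseline, then perform a legitimate edit and, during the same
    edit, a slow-infector-style append to that file. The checker reports a
    single 'modified' entry for it; it cannot tell the two events apart."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("app.exe", b"MZ\x90\x00 fake program"),
                           ("readme.txt", b"hello")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)

        # the user legitimately rewrites readme.txt ...
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"hello, world")
        # ... and a slow infector appends its code as the file is written
        # (constructed marker bytes, not real malware)
        with open(os.path.join(root, "readme.txt"), "ab") as fh:
            fh.write(b"<viral-appendix>")
        # an unrelated new file also appears
        with open(os.path.join(root, "new.tmp"), "wb") as fh:
            fh.write(b"x")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A practical checker keeps its baseline outside the monitored tree (ideally on read-only media), and the entry’s caveat stands: the report is only as useful as the user’s willingness to question changes to files they have just touched.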
A slow mailer is a virus that distributes itself from victim machines via e-mail but not in the ‘explosive’ manner attributed to mass mailers. Ska (aka Happy99) and Kak are classic examples of slow mailers, respectively sending itself once to each addressee the victim sends e-mail to or embedding itself in all outgoing HTML messages the victim sends. Despite the mass mailers such as Melissa and LoveLetter hogging the media spotlight, Ska and Kak are also excellent examples of how slow mailers ‘last the distance’. For example, several sources of prevalence statistics show roughly twice as many Kak incidents in 2000 as LoveLetter incidents, with the explosive nature of LoveLetter – then the most prevalent virus in history – seen in the fact that most LoveLetter incidents were recorded in a single month (May). Slow mailers often have the ‘@m’ suffix to their names, making the additional threat they may pose readily identifiable to the informed.
Simple Mail Transfer Protocol; a TCP/IP protocol used in sending and receiving e-mail.
The network of inter-personal contacts that existed before ethernet made LANs commonplace and long before the Internet as we know it today existed. The name is a play on ’sneaker’ and ‘ethernet’ and refers to the sharing patterns seen when data files and programs were mainly distributed and copied between workmates, other professional colleagues and friends via diskette. As all diskettes have boot sectors and most PCs will attempt to boot from a diskette left in a floppy drive, boot sector infectors were the most prevalent viruses when sneakernet was the predominant sharing mechanism.
A wiretap that eavesdrops on computer networks. The attacker must be positioned so that the traffic passes their network interface in order to sniff it. This is easy on networks using shared media such as hubs; on switched networks the attacker must instead obtain a mirror port or redirect traffic with techniques such as ARP spoofing. Sniffers are frequently used as part of automated programs to sift information off the wire, such as clear-text passwords (from protocols like FTP, Telnet and HTTP Basic authentication) and sometimes password hashes (to be cracked).
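The following added Python example (not from the original page) shows the core of what a password sniffer does: it parses raw Ethernet/IPv4/TCP frames and pulls FTP USER/PASS commands and HTTP Basic credentials out of the payload. The frames are constructed in the code rather than captured, and their checksums are left at zero.

```python
"""Sniffer-style parsing of raw frames and extraction of clear-text
credentials. Added example, not from the original page; the frames are
constructed here (checksums zero), not captured traffic."""
import base64
import re
import socket
import struct


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a minimal Ethernet + IPv4 + TCP frame for the demo."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", 0x0800)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                      65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4          # IPv4 header length
    if frame[ip_off + 9] != 6:                 # protocol 6 = TCP
        return None
    src = socket.inet_ntoa(frame[ip_off + 12:ip_off + 16])
    dst = socket.inet_ntoa(frame[ip_off + 16:ip_off + 20])
    tcp_off = ip_off + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4  # TCP header length
    return src, dst, sport, dport, frame[tcp_off + data_off:]


FTP_RE = re.compile(rb"^(USER|PASS) ([^\r\n]+)", re.M)
BASIC_RE = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def extract_credentials(frames):
    """Scan each frame's TCP payload for FTP logins and HTTP Basic auth."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        flow = f"{src}:{sport}->{dst}:{dport}"
        for verb, value in FTP_RE.findall(payload):
            findings.append((flow, verb.decode(), value.decode()))
        for token in BASIC_RE.findall(payload):
            try:
                user, _, pw = base64.b64decode(token).decode().partition(":")
            except Exception:
                continue
            findings.append((flow, "HTTP-BASIC", f"{user}:{pw}"))
    return findings


def sample_frames():
    """Constructed traffic: an FTP login and one HTTP request."""
    return [
        build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\n"),
        build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"PASS s3cret\r\n"),
        build_frame("10.0.0.5", "10.0.0.7", 40002, 80,
                    b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    ]


if __name__ == "__main__":
    for finding in extract_credentials(sample_frames()):
        print(*finding)
```

A real sniffer reads frames from a raw socket or a pcap file instead of building them; the parsing and matching are the same, which is why any protocol that sends credentials in the clear is indefensible on a shared or attacker-controlled segment.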
SOCKS is an IETF standard protocol (RFC 1928 for SOCKS version 5) for proxying TCP/IP-based networking applications. A proxy server (a server that sits between a client application and a real server) can use SOCKS to accept connection requests from clients and forward them across the Internet on the client’s behalf. Unlike an HTTP proxy, a SOCKS proxy does not understand the application protocol it carries; it simply relays the bytes of each connection.
SOCKS proxy servers are widespread, and used legitimately for letting clients behind a firewall reach outside services, for centralizing and filtering client requests, and for traversing NAT. Unfortunately, SOCKS proxy servers can also be used to undermine security: an attacker can hide their IP address by ‘bouncing’ requests off a victim’s computer that runs an open SOCKS proxy, so that the victim’s address appears as the source of the attacker’s traffic.
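An added example (not from the original page) of the messages a SOCKS5 proxy exchanges with its client under RFC 1928: method negotiation, a CONNECT request and the server’s reply, plus the client-address rule that distinguishes a managed proxy from an ‘open’ one. The allowed client prefixes in authorize() are an assumption made for the demonstration.

```python
"""SOCKS5 (RFC 1928) message encoding/decoding for both sides of the
handshake. Added example, not from the original page; the message bytes
and the allowed-client prefixes are constructed for the demonstration."""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting(methods=(NO_AUTH,)):
    """Client -> server: version, number of methods, method list."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def server_method_choice(greeting, acceptable=(NO_AUTH,)):
    """Server -> client: first offered method it accepts, else 0xFF."""
    ver, n = greeting[0], greeting[1]
    offered = greeting[2:2 + n]
    if ver != SOCKS_VERSION or len(offered) != n:
        raise ValueError("malformed greeting")
    for m in acceptable:
        if m in offered:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE])


def connect_request(host, port):
    """Client -> server: CONNECT host:port (IPv4, IPv6 or domain name)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr
            + struct.pack("!H", port))


def parse_request(data):
    """Server side: return (cmd, host, port); raise on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]


def server_reply(rep, bound_ip="0.0.0.0", bound_port=0):
    """Server -> client: REP 0x00 succeeded, 0x02 not allowed by ruleset,
    0x07 command not supported (RFC 1928 section 6)."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_pton(socket.AF_INET, bound_ip)
            + struct.pack("!H", bound_port))


def authorize(client_ip, allowed_clients=("192.168.0.0/16", "10.0.0.0/8")):
    """Ruleset: only relay for clients on these (assumed) internal prefixes.
    An 'open' proxy is one that skips this check and relays for anyone."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(n) for n in allowed_clients)


def handle_request(client_ip, request):
    """Server side: apply the ruleset, then parse the CONNECT request."""
    if not authorize(client_ip):
        return server_reply(0x02), None
    cmd, host, port = parse_request(request)
    if cmd != CMD_CONNECT:
        return server_reply(0x07), None
    # a real proxy would now open the outbound TCP connection to (host, port)
    return server_reply(0x00), (host, port)
```

Because the relayed bytes carry no indication of the original client, a SOCKS proxy without a client ruleset (and without logging of who connected to what) is exactly the ‘bounce’ described in the entry.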
Unsolicited junk e-mail. From the sender’s point of view, it is a form of bulk mail. To the receiver, it is usually considered to be junk e-mail. It’s roughly equivalent to unsolicited telephone marketing calls except that the user pays for part of the message since everyone shares the cost of maintaining the Internet. Spammers typically send an e-mail to a distribution list with millions of addresses, expecting only a tiny number of readers to respond to their offer. Spam has become a major problem for all Internet users.
Any software designed to extract email addresses from web sites and other sources, remove ‘dangerous’ or ‘illegal’ addresses, and/or efficiently send unsolicited (and perhaps untraceable) mail to these addresses.
Although not an approach to beat integrity checking, like slow infection methods, sparse infection is also an approach to reduce the chances of early detection. The main idea is to replicate only occasionally; for example, only infecting one in every 100 programs that are executed. Another approach a sparse infector may take to deciding which files to infect is to only target files that meet certain criteria such as having a size divisible by a particular value or with a creation date of a certain day of the month and so on.
To spoof is to forge your identity. Attackers forge the source IP address of the packets they send (IP spoofing). A common use of spoofing at the time of writing was smurf and fraggle attacks, which send spoofed packets to ‘amplifier’ networks in order to overload the victim’s connection. A single ICMP echo request (smurf) or UDP packet (fraggle) is sent to a network’s broadcast address with the victim’s address as the source; every machine in the broadcast domain then replies to the victim, overloading the victim’s Internet connection. Because smurfing at one point accounted for more than half the traffic on some backbones, ISPs started taking spoofing seriously and implementing ingress filtering (BCP 38) in their routers, which verifies that a packet’s source address is valid for the interface it arrived on before forwarding it; disabling the forwarding of directed broadcasts removes the amplifiers.
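An added example (not from the original page) of the source-address validation described above, as an edge router applies it under BCP 38, together with the directed-broadcast drop that removes smurf amplifiers. The interface table and packets are constructed.

```python
"""Ingress filtering (BCP 38) and directed-broadcast suppression as an
edge router would apply them. Added example, not from the original page;
the interface table and packets are constructed."""
import ipaddress

# Constructed table: which customer prefixes sit behind each router port.
# None marks a transit link with no fixed set of valid source addresses.
INTERFACES = {
    "cust-a": ["192.0.2.0/24"],
    "cust-b": ["198.51.100.0/25", "198.51.100.128/26"],
    "upstream": None,
}


def ingress_check(iface, src_ip, table=INTERFACES):
    """True if src_ip may legitimately arrive on iface (forward), else drop."""
    if iface not in table:
        return False
    prefixes = table[iface]
    if prefixes is None:
        return True  # cannot validate sources on a transit link
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in prefixes)


def is_directed_broadcast(dst_ip, table=INTERFACES):
    """True if dst_ip is the broadcast address of a directly attached net."""
    dst = ipaddress.ip_address(dst_ip)
    for prefixes in table.values():
        for p in prefixes or ():
            if dst == ipaddress.ip_network(p).broadcast_address:
                return True
    return False


def filter_packets(packets, table=INTERFACES):
    """packets: (ingress_iface, src, dst) tuples -> (packet, verdict) list."""
    verdicts = []
    for pkt in packets:
        iface, src, dst = pkt
        if not ingress_check(iface, src, table):
            verdicts.append((pkt, "drop: spoofed source"))
        elif is_directed_broadcast(dst, table):
            verdicts.append((pkt, "drop: directed broadcast"))
        else:
            verdicts.append((pkt, "forward"))
    return verdicts


if __name__ == "__main__":
    sample = [
        ("cust-a", "192.0.2.5", "203.0.113.10"),       # legitimate
        ("cust-a", "203.0.113.1", "198.51.100.127"),   # spoofed source
        ("upstream", "203.0.113.1", "198.51.100.191"), # smurf-style trigger
    ]
    for pkt, verdict in filter_packets(sample):
        print(pkt, verdict)
```

The check is only meaningful at the edge, where the set of valid sources per interface is known; in the core a router cannot tell a spoofed source from a legitimate one, which is why the filtering has to happen at the ISP’s customer-facing ports.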
Software that sends information about your web surfing habits to a third party. Spyware is often installed without the user’s knowledge or explicit permission in combination with a free download.
A Trojan that gathers information from a system. The most common form of stealers are those that gather logon information, like usernames and passwords, and then send the information to another system either via email or over a network. Other stealers, called keyloggers, log user keystrokes which may reveal sensitive information.
Some viruses take other steps to make themselves difficult to detect. For example, stealth boot viruses intercept attempts to read the boot sector (where they reside) and return copies of the original boot sector so it is seen as it was prior to infection – one of the first PC viruses, Brain, is an example of this. More sophisticated boot sector stealth also intercepts write functions, preventing the viral code being overwritten and perhaps redirecting such writes to the ’safe’ copy of the original boot sector. Stealth file infectors typically hide any file size increases they are responsible for when a file’s properties are read from the disk – Number of the Beast and Frodo were early examples. Macro viruses have also attempted many stealth techniques, such as replacing the standard list of macros with a list from which the virus’ macros are missing, and preventing users from accessing the Visual Basic Editor. For their stealth functions to work, a virus must be ‘resident’. With executable viruses, this residency means the virus’ modifications go undetected by antivirus programs as well as preventing the user from noticing changes (such as in file sizes and the like). However, with macro viruses, such stealth mechanisms only help prevent the user noticing or reporting changes because virus scanners look directly at the document files containing the viruses and are not dependent on internal functions of Word – the only functions a macro virus can usurp – in order to detect these viruses.
In general, to counter stealth mechanisms you must be able to re-establish a ‘clean’ environment. With boot and program stealth, restarting from a clean system is necessary to ensure there is no possibility of the normal system functions being interfered with. With stealth macro viruses a clean user environment is needed. This can be attained by assuring that all global templates and other code resources that may be loaded during the host application’s startup phase, and as a result of loading a (potentially) infected document, do not get a chance to run.
Transmission Control Protocol; the reliable transport protocol within the TCP/IP protocol suite. TCP ensures that all data arrive accurately and 100% intact at the other end. TCP’s unreliable counterpart is UDP, which is used for streaming media, VoIP and videoconferencing.
Transmission Control Protocol/Internet Protocol; the suite of standard protocols on which the Internet is built. IP addresses and routes packets between the many networks that make up the Internet, while TCP (and UDP) carry application data such as Web pages and e-mail over it.
Software that allows a remote user running a Telnet client to connect as a remote terminal from anywhere on the Internet and control the computer on which the server software is running. Telnet sends everything, including usernames and passwords, in clear text, so it is readily sniffed and has largely been replaced by SSH.
Thin-Film Transistor; these transistors are used in high-quality flat panel liquid-crystal displays (LCDs). TFT-based displays have a transistor for each pixel on the screen. This allows the electrical current that illuminates the display to be turned on and off at a faster rate, which makes the display brighter and shows motion more smoothly. LCDs that use TFT technology are called “active-matrix” displays, which are higher-quality than older “passive-matrix” displays. So if you ever see a TFTAMLCD monitor at a computer store, it is a “thin-film transistor active-matrix liquid crystal display.” That’s just a fancy way of saying it is a good flat-screen display.
Top of Memory; the end of a PC’s conventional memory, which, as a matter of architectural design, was limited to 640KB on most PCs and is always a multiple of 64KB. Early PCs were seldom fully populated with RAM, with 64KB, 128KB and 512KB being common values for very early models. During startup, the BIOS initializes a value in the BIOS Data Area (BDA) noting, in kilobytes, how much conventional memory it found. Boot sector viruses typically read this value, copy their code to just below the memory location it represents and then decrease the value in the BDA. This means the virus’ resident code ends up above the TOM subsequently reported to the operating system or to any programs (boot viruses load before the OS). With OSes such as DOS, this ensures the virus’ code is not overwritten, but with some more complex OSes this may not be the case. Monitoring the TOM value in the BDA for unexpected changes can help detect a virus, but there are legitimate reasons for it to change.
It is a common misconception that PCs reporting less than 640KB of conventional memory necessarily have a virus. While it is the case that boot viruses (and many simple DOS executable infectors) steal RAM from the TOM, this is far from the only explanation for less than 640KB being reported. For example, many expansion cards that have their own BIOSes and other common BIOS extensions (such as on SCSI controllers embedded in a PC’s main logic board) take a small amount of conventional RAM from the TOM for their own purposes (1KB, 2KB and 4KB are common amounts for this). Similarly, many system BIOSes have an option to move the Extended BIOS Data Area (EBDA) to the TOM, accounting for 1KB of RAM if enabled. Further, the various startup modes of Windows 9x and ways of getting to a DOS prompt to discover the TOM setting of a machine can also affect what is reported (for example, a machine in the current author’s test network variously reports 640KB, 639KB and 636KB depending on whether a straight DOS boot is made, whether the DOS prompt is accessed from inside Windows and whether safe mode is used or not).
The condition that determines the launching of a virus’ or Trojan’s payload is usually called the trigger or trigger condition. Trigger is also used as a verb to indicate the activation of a payload.
Coined by MIT-hacker-turned-NSA-spook Dan Edwards, a Trojan Horse is a malicious, security breaking program that is disguised as something benign, such as a directory lister, archiver, game, picture, or even a program to find and destroy viruses.
A program designed to create Trojans. Some of these tools merely wrap existing Trojans, to make them harder to detect. Others add a trojan to an existing product (such as RegEdit.exe), making it a Dropper.
Source code is written by a programmer in a high-level language and readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Trojan Source can be compiled to create working trojans, or modified and compiled by programmers to make new working trojans.
Terminate and Stay Resident. This term is properly used of DOS programs that stay loaded in memory and functional, but allow the user to return to DOS and continue using the PC for other purposes. It is a type of poor person’s multi-tasking and in the early days of DOS was very much a black art, as several important details of undocumented DOS internals had to be understood before a reliable TSR could be written, and many stability problems were attributed to TSRs. The DOS MEM utility (with the ‘/C’ parameter), and many third-party utilities, can display a list of which TSRs are loaded and have ‘followed the rules’; a resident virus that hides its allocation will not appear in such a list.
User Datagram Protocol; a protocol within the TCP/IP protocol suite that is used in place of TCP when a reliable delivery is not required. There is less processing of UDP packets than there is for TCP. UDP is widely used for streaming audio and video, voice over IP (VoIP) and videoconferencing, because there is no time to retransmit erroneous or dropped packets.
An operating system that evolved from an effort by a group of computer scientists from MIT, Bell Labs and GE in 1965 called the Multics (Multiplexed Information and Computing Service) mainframe timesharing system, in an effort to provide a multiuser, multitasking system for use by programmers. The philosophy behind the design of Unix was to provide simple, yet powerful utilities that could be pieced together in a flexible manner to perform a wide variety of tasks. Today’s Unix systems are split into various branches, developed over time by AT&T, several other commercial vendors, as well as several non-profit organizations. The Unix operating system comprises three parts: the kernel, the standard utility programs, and the system configuration files.
Universal Resource Locator or Uniform Resource Locator; the addresses by which individuals are able to find information on the Internet. The first component of the address indicates what protocol is to be used, such as http://. The next part is the host name of the server holding the document, such as www.example.com. The remaining elements (the path and any query string) point to the particular document stored on that server.
A technique that masks a URL to conceal its true destination. For example, a malformed link that triggers a vulnerability in Internet Explorer can cause one URL to be displayed in the address bar while the contents of another Web site are loaded, so that the malicious site controls what the user sees in the address bar. Phishers seek the same effect without a browser bug by using look-alike domain names and misleading link text.
United States Computer Emergency Readiness Team; established in 2003 to protect the USA’s Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation. US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public.
Usage tracks permit any user (or their software agent) with access to your computer to see what you’ve been doing. Such tracks benefit you if you have left the tracks, but might benefit another user as well.
Universal Serial Bus; a widely used hardware interface for attaching peripheral devices.
From the analogy with biological viruses. A virus is a program that searches out other programs and ‘infects’ them by embedding a copy of itself inside, so that the infected program becomes a carrier (in effect, a Trojan horse). When these programs are executed, the embedded virus is executed as well, thus propagating the ‘infection’. This normally happens invisibly to the user. Unlike a worm, a virus cannot reach other computers on its own; it depends on an infected file being carried there by a user, a shared disk or a network share and then being executed.
A program designed to generate viruses. Even early virus creation tools were able to generate hundreds or thousands of different, functioning viruses, which were initially undetectable by current scanners.
Antivirus scanning engines rely on virus signature files to tell them what to look for; the engine supplies the matching logic and the signature file supplies the patterns for known threats. Signature files were traditionally updated at least once a week; modern products update them several times a day, and a scanner with stale signatures is blind to anything found since its last update.
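To show what a signature file actually drives, here is an added Python example (not from the original page, and not any vendor’s format) in which hex byte patterns with ‘??’ wildcards are compiled to byte regexes and run over file contents. The signatures and sample buffers are constructed for the demonstration.

```python
"""Toy signature scanner: hex byte patterns with '??' wildcards compiled
to byte regexes. Added example, not from the original page; the
signatures and sample buffers are constructed, not real malware patterns."""
import re

# Constructed signature 'file': name -> hex pattern, '??' = any one byte.
SIGNATURES = {
    "Demo.Dropper.A": "4D 5A ?? ?? 44 52 4F 50",                      # MZ..DROP
    "Demo.Appender.A": "3C 76 69 72 61 6C 2D 61 70 70 65 6E 64 69 78 3E",  # <viral-appendix>
}


def compile_signature(pattern):
    """Turn 'AA ?? BB' into a compiled byte regex; DOTALL lets '??' match
    any byte value, including newline."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def load_signatures(sigs=SIGNATURES):
    """Compile a whole signature set once; scanning reuses the result."""
    return {name: compile_signature(p) for name, p in sigs.items()}


def scan(data, compiled):
    """Return the sorted names of all signatures found in data."""
    return sorted(name for name, rx in compiled.items() if rx.search(data))


def scan_file(path, compiled):
    """Scan one file from disk with the compiled signature set."""
    with open(path, "rb") as fh:
        return scan(fh.read(), compiled)


if __name__ == "__main__":
    sigs = load_signatures()
    for sample in (b"MZ\x90\x00DROPPER payload", b"MZ\x90DROP",
                   b"clean data <viral-appendix> appended"):
        print(sample, "->", scan(sample, sigs))
```

Real signature sets are far richer (offsets, section-relative anchors, checksums over code blocks), but the trade-off is already visible here: a pattern must be long and specific enough not to match clean files, which is why a signature written for one variant usually misses the next.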
Source code is written by a programmer in a high-level language and readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Virus Source can be compiled to create working viruses, or modified and compiled by programmers to make new working viruses.
The majority of viruses fall into five main classes:
Voice Over Internet Protocol; a telephone service that uses the Internet as a global telephone network. Many companies, including Vonage, AT&T, Packet 8, Primus Lingo, Skype Technologies and BroadVoice, typically offer calling within the country for a fixed fee and a low per-minute charge for international. Broadband Internet access (cable or DSL) is required, and regular house phones plug into an analog telephone adapter (ATA) provided by the company or purchased from a third party.
A security weakness in a computing system, typically found in programs and operating systems. The presence of known vulnerabilities in computing systems can leave those systems very much open to malware and hacker attack. This is because programs that take advantage of known vulnerabilities, commonly referred to as exploits, are often publicly available as source code, which can be customized to create malware or a hacking tool.
Software vendors typically provide fixes or patches for vulnerabilities found on their products.
Wide Area Network; a WAN interconnects LANs, which then provide access to computers or file servers in other locations. A network device called a router connects LANs to a WAN. In IP networking, the router maintains both a LAN address and a WAN address. With a router installed you and your machine become a LAN, the rest of the world (including your ISP) is the WAN. Without a router, your home computer is a node on your ISP’s LAN.
War-dialing was popularized in the 1983 movie War Games. It is the process of dialing all the numbers in a range in order to find any machine that answers. Many corporations have desktop computers with attached modems; attackers can dial in order to break into the desktop, and thereafter the corporation. Similarly, many companies have servers with attached modems that aren’t considered as part of the general security scheme. Since most security emphasis these days is on Internet-related attacks, war-dialing represents the ’soft underbelly’ of the security infrastructure that can be exploited.
An address by which individuals are able to find information on the Internet. The first component of the address indicates what protocol is to be used, such as http://. The next part is the host name of the server holding the document, such as www.example.com. The remaining elements (the path and any query string) point to the particular document stored on that server.
A software application that retrieves Web pages or files on the World Wide Web. Web browsers are the programs that allow users to call for and view information online. Popular Web browsers include Microsoft Internet Explorer, Netscape Navigator, and Mozilla Firefox.
A Web Bug is a device used in html web pages and e-mail that is used to monitor who is reading the web page or e-mail. The name “Bug” is used as, just like a bug in a spy movie, these are small, hidden, difficult to detect eavesdropping devices. Most of the time, you will not even be aware that these bugs exist, as they hide within 1 by 1 pixel html image tags, although any graphic on a web page or in an e-mail can be configured to act as a web bug. This is not to say that all invisible .gifs on web pages are web bugs; some invisible .gif files are used for alignment and design purposes. When you view a page or e-mail that contains a Web Bug, the following information is sent to the Bug’s owner:
Your IP address
Information regarding the browser you are using
The time the page or e-mail is viewed
The URL of the page that the bug is on
Web bugs can be used by advertising networks to gather and store information on users’ personal profiles. They are also used to count the numbers of people visiting particular sites, to gather information regarding browser usage and, in e-mail, to confirm to a sender (including a spammer) that a given address is live and the message was opened.
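An added Python example (not from the original page) that applies the indicators listed above to find likely web bugs in HTML: <img> tags that are 1x1 or hidden, whose src points at a third-party host and often carries a per-recipient identifier. The HTML is constructed; first-party 1x1 spacer images are deliberately left unflagged.

```python
"""Find likely web bugs (tracking pixels) in HTML. Added example, not
from the original page; the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class WebBugFinder(HTMLParser):
    """Flag <img> tags that are tiny or hidden AND served by a third party."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []

    def _is_third_party(self, host):
        return bool(host) and host != self.first_party \
            and not host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if (tiny or hidden) and self._is_third_party(host):
            params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
            self.findings.append({"src": src, "host": host, "params": params})


def find_web_bugs(html, first_party_host):
    """Return a list of suspected web bugs found in html."""
    finder = WebBugFinder(first_party_host)
    finder.feed(html)
    return finder.findings


# Constructed sample page: a first-party spacer, a third-party tracking
# pixel with a per-recipient id, a normal banner, and a hidden image.
SAMPLE_HTML = """<html><body>
<img src="/img/spacer.gif" width="1" height="1">
<img src="https://tracker.example.net/pixel.gif?uid=8f3a&msg=42" width="1" height="1" alt="">
<img src="https://cdn.shop.example.com/banner.jpg" width="468" height="60">
<img src="http://stats.example.org/i.gif" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, "shop.example.com"):
        print(bug["host"], bug["params"])
```

The parameters on a flagged pixel are the interesting part for an analyst: a value that differs per recipient ties the fetch (and hence the reader’s IP address and viewing time) to a specific message or address. Mail clients that do not load remote images by default defeat this entirely.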
A software program used to access web pages. Sometimes the same as a Web Browser, but often used as a broad term.
A computer that delivers web content to web browsers.
Making an entire replica of a trusted site so that every link visible in the spoofed site points into the phishing domain. Logos, fonts and colours of the legitimate site are copied to make the spoofed site look realistic, and its login or payment forms deliver whatever the visitor types to the attacker.
Wired Equivalent Privacy; an old IEEE security protocol for wireless 802.11 networks. Its RC4-based encryption has known weaknesses that allow the key to be recovered from captured traffic, so it should be regarded as providing no real protection. Superseded by WPA, WPA2 and 802.11i.
Displays information about a domain name or IP address. For example, if a user enters a domain name such as Microsoft.com, whois will return the name and address of the domain’s owner (in this case, Microsoft Corporation).
Wireless Fidelity; a method of providing network and Internet access wirelessly by means of radio waves. The technical name for the standard is “IEEE 802.11.” The main use of WiFi is found in homes by means of wireless access points or routers, from companies such as Linksys, Netgear and Belkin, for sharing Internet access amongst multiple computers in a household. Another popular use of WiFi is in public shops, cafes and the like; Starbucks coffee shops are set up for WiFi, as are McDonald’s and numerous other high-traffic businesses. To access a WiFi network, an adapter is needed to receive the signal: a PC card for notebooks, or a USB adapter (external) or PCI adapter (internal) for desktop computers. Modern operating systems, such as Windows XP, usually work well with most WiFi setups. In some stores access to the wireless network is for a small fee; at others it is completely free. Note that public hotspots generally apply no wireless encryption, so anything sent over them without its own protection (such as HTTPS or a VPN) can be sniffed by anyone in range.
Although there are many thousands of known viruses, few actually cause any real-world concern, and those that do are often said to be ‘in the wild’. However, the term ‘in the wild’ has been used in many different contexts and with many different shades of meaning. In an attempt to clear this situation up, as it regards computer viruses, antivirus researcher Joe Wells instigated what he called the WildList. Its purpose was to provide a listing of viruses that could (or should) be considered ‘in the wild’ by set criteria. The approach chosen was quite simple – from a reasonably sized and distributed group of reporters (comprised of antivirus researchers and other IT professionals working in, or closely with, the antivirus community), collate monthly reports of virus infection incidents that have been verified by the reporter receiving a sample of the virus involved. The criteria applied to counting these reports were equally simple – if two or more reporters claimed to have received two or more independent, sample-verified reports of infection by the same virus, that virus would be listed on the WildList.
In reality, the WildList consists of two parts. Those viruses currently reported and meeting these criteria are listed first (in what is sometimes called ‘the top-half of the list’). That is the WildList and such viruses can be said to be ‘in the wild’. However, as an indication of viruses that may be ‘bubbling under’, all viruses reported to have met the ‘two or more independent, sample-verified reports’ criterion by only one WildList reporter are also listed. This is often referred to as ‘the bottom-half of the list’ and such viruses can be said to have been ‘reported from the field’.
The WildList has been used as a ‘reference standard’ by many antivirus testing organizations that require 100% detection of acknowledged ‘in the wild’ viruses for tested products to attain various, ‘desirable’ certification levels. The list has not, however, been without its critics and it must be acknowledged that the WildList does not list all viruses that have been seen ‘in the field’. That it should be such a list is a common expectation of those with different backgrounds where the term is also used (for example, the general computer security community uses the term ‘in the wild’ and members of that community are accustomed to the term meaning ‘an exploit of a security hole has been seen used in a real-world attack’).
An archive of the WildLists and details about the organization that compiles and maintains it are available from http://www.wildlist.org.
Windows Management Instrumentation; a set of extensions to the Windows Driver Model. WMI provides an operating system interface through which instrumented components can provide information and notification. Because it can also run commands and register persistent event subscriptions, locally or on remote hosts, WMI is widely abused by attackers for lateral movement and persistence, and WMI activity is worth logging.
Derived from the parasite ‘tapeworm’. A worm is a self-contained program that propagates itself from computer to computer across a network without needing to attach itself to a host program or rely on user action, consuming bandwidth, memory or storage space as it reproduces.
A program designed to generate worms. Worm creation tools can often generate hundreds or thousands of different, functioning worms, most of which are initially undetectable by current scanners.
WiFi Protected Access; a security protocol for wireless 802.11 networks from the WiFi Alliance that was developed to provide a migration from WEP. The WPA logo certifies that devices are compliant with a subset of the IEEE 802.11i protocol. WPA2 certifies full support for 802.11i.
World Wide Web; an extremely large group of computers linked together utilizing many networks, offering information to users via Web servers and browsers. Most of the information found on the Web is formatted in a markup language called HyperText Markup Language (HTML) and transmitted using Hypertext Transfer Protocol (HTTP). Navigating the World Wide Web is often as easy as clicking a hyperlink located on one Website leading to another. Though the terms Internet and Web are often used interchangeably, there is a distinction between the two. The Internet is actually a global collection of computers linked to exchange information, of which the World Wide Web is a part. The distinction lies in that Web pages are characteristically linked through hyperlinks and most of the information found on the Web is formatted in HTML. The World Wide Web was officially established by Tim Berners-Lee in 1989 at CERN, a research institute in Switzerland.
Those viruses not known to have accounted for any real-world infection incident, or that have been bypassed by computing developments, perhaps despite having once been common, are known as zoo viruses. Many thousands of trivial, uninteresting viruses are held in antivirus developer virus collections and are widely considered to pose little, if any, real threat. However, they are kept closely guarded to prevent whatever consequences may befall their victims, should they ever be released. As these viruses are not known to have occurred outside such collections, they are likened to rare and exotic animals that are seldom, if ever, seen other than in nature parks and zoos. The term ‘collection virus’ is a synonym. (cf. In the Wild)

Other viruses that are often referred to as zoo viruses are those left behind by technological advances. A classic example is Brain – widely regarded as the first PC virus. It only infected diskette boot sectors, and only those of 360 KB diskettes at that. These days, that probably seems a most unusual design decision, but given the computing milieu of the time, it made sense. The main (in fact, all but the only) means of software or data exchange between PCs at the time was via diskette (see Sneakernet). With hard drives being very expensive and most software running on single-floppy systems (and running well on dual-floppy systems), users were accustomed to booting from a system diskette, swapping the disk in the A: drive for a program disk and putting their data disks in the B: drive. Thus, booting from and swapping diskettes was common practice (in fact, booting from diskette was ‘normal’).
