Glossary

The glossary below contains definitions for some of the most common terms.

ActiveX
ActiveX controls are software modules based on the Microsoft® Component Object Model (COM) architecture. They add functionality to software applications by seamlessly incorporating pre-made modules with the basic software package. Modules can be interchanged but still appear as parts of the original software.
On the Internet, ActiveX controls can be linked to web pages and downloaded by an ActiveX-compliant browser. ActiveX controls turn web pages into software pages that perform like any other program launched from a server. ActiveX controls can have full system access. In most instances this access is legitimate, but one should be cautious of malicious ActiveX applications.

AdvWare
Programs designed to launch advertisements, often pop-up banners, on host machines and/or to re-direct search engine results to promotional web sites. Adware programs are often built into freeware or shareware programs, where the adware forms an indirect ‘price’ for using the free program. Sometimes a Trojan silently downloads an adware program from a web site and installs it onto a user’s machine. Or hacker tools, often referred to as Browser Hijackers (because they subvert the web browser to install a program without the user’s knowledge), download the adware program using a web browser vulnerability.
Browser Hijackers may change browser settings, re-direct incorrect or incomplete URLs, or change the default homepage. They may also re-direct searches to ‘pay-to-view’ (often pornographic) web sites.
Typically, many adware programs do not show themselves in the system in any way: no listing under Start | Programs, no icons in the system tray, nothing in the task list. In addition, adware programs seldom come with a de-installation procedure and attempts to remove them manually may cause the original carrier program to malfunction.

Adware
A legitimate, non-replicating program designed to display ads to the end-user, often based on monitoring of browsing habits. Often adware contains spyware in order for the program to know which advertisements to display based on the current user’s preference. Adware displays ads often in exchange for the right to use a program free of charge (a variation on the shareware concept).

Anti-virus databases
Anti-virus databases hold the data needed to find and remove malicious code. The databases contain a series of virus definitions (or signatures), unique sequences of bytes specific to each piece of malicious code. Signature analysis is one of the key methods used to find and remove malicious code.

Anti-virus engine
The engine, the core of any anti-virus product, is a software module that is purpose-built to find and remove malicious code. The engine is developed independently of any specific product implementation. So it ‘plugs-in’ equally well into personal products (such as personal scanners or real-time monitors), or solutions for servers, mail scanners, file servers, firewalls and proxy-servers. These products may be developed by the engine developer, or they may be developed by third parties who integrate the engine into their application or business process using the engine SDK.
The reliability of malicious code detection, and hence the security level provided by the products that use it, is determined by the quality of the engine.

Backdoor
A program that opens secret access to a system and is often used to bypass system security. A backdoor does not infect other host files, but nearly all backdoor programs make low-level operating system modifications (for example, changes to the registry). Backdoors usually hitch a ride in on Trojans. Once in place and executed, they hide themselves while opening a port on the computer to let others in. Some backdoors are placed by hackers once they have gained access, to give themselves easier entry later or in case their original entryway is blocked.

Behavioral analysis
This refers to the technique of deciding whether an application is malicious or not, according to what it does. If an application does something that falls outside the range of ‘acceptable’ actions, its operation is restricted. For example, trying to write to certain parts of the system registry, or writing to pre-defined folders, may be defined as a threat. The action can be blocked, or the user notified about the attempted action. This fairly simple approach can be further refined. It's possible, for example, to restrict the access of one application (let's say allowing a web browser read-only access to limited portions of the system registry) while giving unrestricted access to other programs that do not use the Internet.
An alternative behavioral method is to 'wrap' a downloaded application and restrict its action on the local system. Here the application is run in a protective 'sandbox' [sometimes called a ‘playground’, or ‘secure cache’] to limit its actions according to a pre-defined policy. The activity performed by the program is checked against a set of rules. Depending on the policy, the program’s actions may be considered a violation of the policy, in which case the rogue action is blocked.

Bimodal virus
A bimodal virus infects both boot records and files. It is also called a bipartite virus. Also see: boot-sector infector, file virus, multipartite.

BIOS
The BIOS [Basic Input-Output System] refers to the instructions contained in one of the chips in the PC. It is used to start the PC and is used by the operating system to access the computer’s hardware.

Blended Threat
A virus that uses multiple infection techniques. These may include the exploitation of various program vulnerabilities, incorporation of Trojan behavior, file infection routines, Internet propagation routines, network share propagation routines, and spreading without any human intervention.

Boot
The process of starting a PC, during which the BIOS runs first and then the operating system is loaded.

Boot disk
Synonyms: System disk
A disk containing the system files required to load an operating system. These files may be located on a hard disk or removable media (floppy disk, CD or USB memory storage device).

Boot sector virus
A boot sector virus is one that infects by replacing code in the boot sector of a floppy disk (and sometimes a hard disk) with its own code. This ensures that whenever an attempt is made to boot from the infected disk, the virus loads before the operating system.
These viruses are very uncommon now, but in the first half of the 1990s, when floppy disks were the main means of transferring data, they represented the main threat to PC users. Typically, a boot sector virus infected the hard disk when a user inadvertently left an infected floppy disk in drive A. When the PC was next booted, the system would try to boot from the floppy disk and the virus code would execute, regardless of whether or not the floppy disk was a system disk or just a data disk. Most boot sector viruses then infected the MBR [Master Boot Record] of the hard disk, rather than the boot sector.

Bot network
A bot network is a network of hijacked zombie computers controlled remotely by a hacker. The hacker uses the network to send spam and launch Denial of Service attacks, and may rent the network out to other cyber criminals. Also see: zombie.

Browser Helper Object
A Browser Helper Object [BHO] is a DLL that loads every time Microsoft® Internet Explorer runs. Typically, a BHO is installed by a third party program to enhance the functionality of the web browser (many Internet Explorer plugins, for example, are BHOs).
BHOs can be installed silently, or can be installed ‘quietly’ (many users fail to read the small print that comes with the EULA [End User License Agreement] displayed by the freeware program). Also, because they’re programs, they can do anything that other programs can do. On top of this, there’s no easy way to list the BHOs installed on the PC. As a result, BHO functionality can be misused (to install adware or track browsing habits, for example).

Browser Hijacker
Browser Hijackers modify the user’s web browser settings. This may involve changing the default home page, re-directing searches to unwanted web sites, adding unwanted (sometimes pornographic) bookmarks or generating unwanted pop-up windows.

Brute-force attack
A brute-force attack is an attack in which each possible key or password is attempted until the correct one is found. Also see: attack.

Bug
A bug is an unintentional fault in a program.
Some people mistakenly refer to viruses, worms or Trojans as ‘bugs’. This is incorrect: bugs are unintentional, whereas malicious code represents a deliberate misuse of a user’s computer.

Cookie
A cookie is the name given to a small piece of information saved to a user’s machine by a web site that the user visits. Cookies are often used to store user preferences about a web site, login information or even advertising information that has been displayed to the user during their visit to the site.

Computer worm
Synonyms: Worm, Email worm, Internet worm, Network worm
Worms are generally considered to be a subset of viruses, but with key differences. A worm is a computer program that replicates, but does not infect other files: instead, it installs itself on a victim computer and then looks for a way to spread to other computers.
From a user’s perspective, there are observable differences. In the case of a virus, the longer it goes undetected, the more infected files there will be on the victim computer. In the case of a worm, by contrast, there is just a single instance of the worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added to existing files on the disk.
Like viruses, worms are often sub-divided according to the means they use to infect a system. E-mail worms are distributed as attachments to e-mail messages, IM worms are attached to messages sent using instant messaging programs (such as IRC or ICQ). P2P [peer-to-peer] worms use file-sharing networks to spread. Network worms spread directly over the LAN [Local Area Network] or across the Internet, often making use of a specific vulnerability.
The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel Shockwave Rider. The hero, a talented programmer, created self-replicating computer programs that tunneled their way through a worldwide network.

Cracker
A cracker is someone who tries to break security on computer software. The term is often used synonymously with hacker, but implies only illegal or malicious intent.
Crackers originally targeted protected or copyrighted software, breaching protection to enable copying or modification. The term nowadays also encompasses many types of cybercriminal who bypass computer security methods for criminal ends.

Dialer
Dialers are programs that use a system, without your permission or knowledge, to dial out through the Internet to a 900 number or FTP site, typically to accrue charges.

DNS cache poisoning, Pharming
DNS servers located throughout the Internet are used to map domain names to IP addresses. When a user types in a URL, a nearby DNS server will map the domain to an IP address or pass it to another DNS server. In fact, there are a relatively small number of very big DNS servers. These provide many smaller DNS servers with DNS entries that are stored in the cache of the smaller DNS servers.
DNS poisoning is the manipulation of IP addresses for entries stored in the cache of a smaller DNS server: the aim is to make the DNS server respond, not with the correct IP address, but with one that contains malicious code. Here’s an example. If a user types the URL ‘www.kaspersky.com’ in the web browser, the DNS server should respond with the IP address 81.176.69.70. However, a poisoned DNS server would map this domain name to an IP address that contains malicious code.
DNS poisoning is only possible where there is a vulnerability or other security weakness in the operating system running on the DNS server.

DoS [Denial of Service] attack
A DoS attack is designed to hinder or stop the normal functioning of a web site, server or other network resource. There are various ways for hackers or virus writers to achieve this. One common method is simply to flood a server with more network traffic than it is able to handle. This prevents it from carrying out its normal functions and in some circumstances crashes the server completely.
A DDoS attack differs only in the fact that the attack is conducted using multiple machines. The hacker or virus writer typically uses one compromised machine as the ‘master’ and co-ordinates the attack across other, so-called ‘zombie’, machines. Both master and zombie machines are typically compromised by exploiting a vulnerability in an application on the machine, to install a Trojan or other piece of malicious code.

Dropper
A dropper is a carrier file that installs a virus on a computer system. Virus authors often use droppers to shield their viruses from anti-virus software. The term injector often refers to a dropper that installs a virus only in memory.

Email worm
Also see: Computer worm.

Executable file
Synonyms: Program
Programs (also known as executables) contain binary code in a form that is ready to be run on a computer. Programs are written using a computer language (‘C’ or ‘C++’, for example), where the programmer writes the language-specific instructions using a text editor: this is known as source code. The source code is then compiled into instructions that can be interpreted by the computer.
The most common file extension for programs in a Microsoft® Windows® environment is EXE, but there are other files that contain program code, including COM and DLL. Batch files (which have the extension BAT) are themselves text files, but they contain a list of instructions for the computer to carry out unattended.

Exploit
The term exploit describes a program, piece of code or even some data written by a hacker or virus writer that is designed to take advantage of a bug or vulnerability in an application or operating system. Using the exploit, an attacker gains unauthorized access to, or use of, the application or operating system.
The use of exploits by hackers and virus writers has increased during the last few years. Typically, exploit code is used to gain access to confidential data or to use the victim machine for further unauthorized use.
Exploits are often named after the vulnerability they use to penetrate systems: a buffer overflow, for example.

False alarm
Synonyms: False positive
A false positive is another way of saying ‘mistake’. As applied to the field of anti-virus programs, a false positive occurs when the program mistakenly flags an innocent file as being infected. This may seem harmless enough, but false positives can be a real nuisance.
You waste productivity due to user down-time.
You may take e-mail offline, as a security precaution, thus causing a backlog and more lost productivity.
You waste even more time and resources in futile attempts to disinfect ‘infected’ files. And if you load a backup, to replace ‘infected’ files, the backup appears to be infected too.
In short, false positives can be costly nuisances.
The term is not confined just to the anti-virus world. It also applies, for example, to anti-spam protection, where it refers to the misidentification of a legitimate e-mail message as spam. This too could be very costly, since the undelivered e-mail may be a business critical message.

False negative
A false negative is simply another name for missing something. Applied to anti-virus programs, it refers to a failure to detect malware that is present on a system.

File virus
Viruses are often classified according to the objects they infect. File viruses, as the name suggests, are designed to add their code to files (generally program files).

Format
Formatting is the process by which a new disk is prepared for use by the operating system.

Hacker
Traditionally, the term 'hacker' applied to anyone tinkering with the internals of computer systems and software. Nowadays, it is generally used to refer to those attempting to breach computer security, either for research, finding and fixing vulnerabilities, or for malicious or fraudulent purposes.
The term is also used by several long-running communities, and many legitimate hackers object to the term being used to indicate criminality, preferring to retain the separation between the terms 'hacker' and 'cracker'.

Heuristic analysis
The word heuristic is derived from the Greek ‘to discover’ and refers to a learning method based on speculation or guess-work, rather than a fixed algorithm. In the anti-virus world, heuristic analysis involves using non-specific detection methods to find new, unknown malware.
The technique, which has been in use for many years, involves inspecting the code in a file (or other object) to see if it contains virus-like instructions. If the number of virus-like instructions crosses a pre-defined threshold, the file is flagged as a possible virus and the customer is asked to send a sample for further analysis. Heuristic analysis has been refined over the years and has brought positive results in detecting many new threats.
Of course, if heuristics aren’t tuned carefully, there’s a risk of false positives. That’s why most anti-virus vendors using heuristics reduce their sensitivity to minimize the risk of false alarms. And many vendors disable heuristics by default.
A further drawback is that heuristics is 'find-only'. In order to clean, it’s necessary to know what specific changes the malware has made to the affected object.
Extensive use of heuristic analysis is also made in anti-spam solutions, to highlight those characteristics of an e-mail message that are spam-like.

Hoax
This usually consists of an email message warning recipients about a new and terribly destructive virus. It ends by suggesting that the reader should warn his or her friends and colleagues, perhaps by simply forwarding the original message to everyone in their address book. The result is a rapidly growing proliferation of pointless emails that can increase to such an extent that they overload systems.

Hosts file
The hosts file is a sort of ‘mini DNS server’ on every Microsoft® Windows® system. When a user types a URL into the web browser, the browser checks the local hosts file to see if the requested domain name is listed there, before it looks for a DNS server. This is very efficient: if the web browser finds a match in the hosts file, it doesn’t need to go looking on the Internet for a DNS server.
Unfortunately, writers of malicious code, ‘spyware’ or phishing scams can tamper with the data stored in the hosts file. For example, a malware author might re-direct all search requests (through Google, Yahoo, etc.) simply by editing the hosts file: listing these domain names but matching them to the IP address of a web site containing malicious code. Or a worm might prevent anti-virus programs from updating themselves by matching anti-virus domain names in the hosts file to the IP address of the victim machine.
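The tampering described above, as an added example that is not part of the original glossary: a small Python check that parses a hosts file and flags the two patterns the entry names (security-vendor names pointed at the local machine, and several unrelated names pinned to one address). The sample hosts content and the watched-domain list are constructed for this example.

```python
import ipaddress
import re

# Constructed sample of a tampered Windows hosts file (not taken from the page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- lines below appended by a (constructed) malicious installer ---
127.0.0.1       update.example-av.test
127.0.0.1       www.example-av.test
203.0.113.7     www.google.com
203.0.113.7     www.yahoo.com
203.0.113.7     search.msn.com
"""

# Hypothetical watch-list: names that should never be pinned in the hosts file.
# The anti-virus names are made up for the example; the search names are illustrative.
WATCHED_DOMAINS = {
    "update.example-av.test": "anti-virus update server",
    "www.example-av.test": "anti-virus vendor site",
    "www.google.com": "search engine",
    "www.yahoo.com": "search engine",
    "search.msn.com": "search engine",
}

# Names that legitimately map to the loopback address on a stock system.
LOCAL_ONLY = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, dropping comments and blank lines.

    One line may list several hostnames after a single address, so each
    hostname becomes its own pair. Malformed addresses are skipped, which
    mirrors how the resolver ignores lines it cannot parse.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((ip, host.lower()))
    return entries


def find_suspicious(entries, watched=WATCHED_DOMAINS, cluster_threshold=3):
    """Flag hosts entries matching the two tampering patterns from the glossary.

    1. A watched name (vendor or search site) pinned to any address: to the
       loopback address it blackholes updates; to anything else it redirects.
    2. Several different names sharing one non-loopback address: the classic
       mass-redirection layout. Returns (name(s), address, reason) tuples.
    """
    findings = []
    by_ip = {}
    for ip, host in entries:
        if host in LOCAL_ONLY:
            continue  # 127.0.0.1 localhost is expected
        by_ip.setdefault(ip, []).append(host)
        if host in watched:
            if ip.is_loopback or ip.is_unspecified:
                reason = f"{watched[host]} blackholed to {ip} (blocks access or updates)"
            else:
                reason = f"{watched[host]} pinned to {ip} (possible redirection)"
            findings.append((host, str(ip), reason))
    for ip, hosts in by_ip.items():
        if not (ip.is_loopback or ip.is_unspecified) and len(hosts) >= cluster_threshold:
            findings.append((",".join(sorted(hosts)), str(ip),
                             f"{len(hosts)} names resolve to one address"))
    return findings


if __name__ == "__main__":
    for name, addr, why in find_suspicious(parse_hosts(SAMPLE_HOSTS)):
        print(f"{addr:<16} {name:<45} {why}")
```

On a live system, read the file at %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) instead of the constructed sample and review the flagged lines by hand before changing anything.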

IDS [Intrusion Detection Systems]
Synonyms: Intrusion detection, IPS [Intrusion Prevention Systems]
Intrusion detection is designed to prevent an attack on a computer system by analyzing traffic into, and through, a network.
Originally, intrusion detection was restricted to information gathering: the IT administrator was required to assess the data and take any remedial action required to secure the system. These days, IDS applications often provide an automated response to attacks based on a set of pre-defined rules. This is referred to as IPS [Intrusion Prevention Systems] and may be seen as a development of behavioral analysis.
IDS (and IPS) fall into two categories. ‘Host-based’ systems are designed to protect individual computers and typically employ behavioral analysis to detect malicious code. They do this by monitoring all calls made to the system and matching them against policies based on ‘normal’ behavior. Such policies can be quite granular, since behavior may be applied to specific applications. In this way, activity such as opening ports on the system, port scanning, attempts to escalate privileges on the system and injection of code into running processes can be blocked as ‘abnormal’ behavior. Some systems supplement behavioral analysis using signatures of known hostile code.
‘Network-based’ systems are deployed inline to protect each network segment. They filter packets for malicious code, looking for ‘abnormal’ bandwidth usage or for non-standard traffic (such as malformed packets). Network-based systems are particularly useful for detecting DoS attacks, or the traffic generated by network worms.

JavaScript
JavaScript is a scripting language developed by Netscape®. Like VBS, JavaScript is often used in the development of web pages. For specific tasks, it’s often easier to write a script than to use a formal programming language like ‘C’ or ‘C++’.
However, as with a formal program, it’s also possible to use JavaScript to create malicious code. Since a script can be easily embedded in HTML, a virus author can embed a malicious script within an HTML e-mail: and when the user reads the e-mail, the script runs automatically.

Junk e-mail
Synonyms: Spam, UCE [Unsolicited Commercial E-mail]
Spam is the name commonly given to unsolicited e-mail. It is effectively unwanted advertising, the e-mail equivalent of physical junk mail delivered through the post or from unsolicited telemarketing calls.

Kernel
The term kernel refers to the core of an operating system that supports all other operations. By contrast, the term shell is used to describe the user interface.

Keylogger
A Trojan that, upon execution, logs every keystroke or activity on a system. Keyloggers are similar to third-party parental-control/monitoring software, and some actually employ the same techniques as that software to gather valuable data such as usernames, passwords, and personal information from unsuspecting users.

Link virus
Viruses are often classified according to the technique they use to infect. A link virus, as the name suggests, does not add its code directly to infected files. Instead, it spreads by manipulating the way files are accessed under the FAT file system.
When an infected file is run, the virus goes memory resident and writes a (typically hidden) file to the disk: this file contains the virus code. Subsequently, the virus modifies the FAT to cross-link other files to the disk sector containing the virus code. The result is that whenever the infected file is run, the system jumps first to the virus code and runs it.
The cross-linking is detectable if the CHKDSK program is run, although a virus could use stealth to conceal the changes if the virus was in memory (in other words, if the user did not boot from a clean system disk).

Macro Virus
A "macro" is a saved set of instructions that users may create or edit to automate tasks within certain applications or systems. A Macro Virus is a malicious macro that a user may execute inadvertently and that may cause damage or replicate itself. Some macros replicate, while others infect documents. Unlike other virus types, macro viruses aren't specific to an operating system and spread with ease via email attachments, floppy disks, Web downloads, file transfers, and cooperative applications. Macro viruses are typically written in Visual Basic and are relatively easy to create. They can infect at different points during a file's use (for example, when a file is opened, saved, closed, or deleted).

Malware (Malicious Software)
Programs that are intentionally designed to perform some unauthorized (and often harmful or undesirable) act such as viruses, worms, and trojans.

Malicious code
Malicious code refers to any program that is deliberately created to perform an unauthorized, often harmful, action.

Master boot sector virus
Master boot-sector viruses infect the master boot sector of hard disks, though they spread through the boot record of floppy disks. The virus stays in memory, waiting for DOS to access a floppy disk. It then infects the boot record on each floppy disk DOS accesses. They are also called master boot-record viruses. Also see: boot record.

Network worm
Synonyms: Worm, Computer worm, Email worm, Internet worm
Also see: Computer worm.

NTFS [New Technology File System]
NTFS is the file system used by Microsoft® Windows® NT, Windows® 2000 and Windows® XP. It was developed after the FAT file system implemented in MS DOS and provides more efficient and secure methods for storage and retrieval of files (including support for very large files, integrated file compression, a more efficient directory system and access control for specific files). By contrast with the FAT system, information about each file is stored in the clusters belonging to that file (although there is also an MFT [Master File Table] that keeps track of all the clusters on the disk).

Patch
Synonyms: Service pack, Maintenance pack
A patch provides additional, revised or updated code for an operating system or application. Except for open source software, most software vendors do not publish their source code: so patches are normally pieces of binary code that are ‘patched’ into an existing program (using an install program).
The term ‘patching’ refers to the process of downloading and installing additional code supplied by an application vendor. However, the terms used may vary. Typically, a minor fix is referred to as a patch, while a significant fix is referred to as a Maintenance Pack or Service Pack.
Patching has become an integral part of computer security, since vulnerabilities in popular operating systems and applications are among the primary targets for virus writers and hackers. It is crucial to patch in a timely manner. During recent years, the time-lag between the discovery of a vulnerability and the creation of exploit code that makes use of it has diminished. The worst-case scenario, of course, is a so-called ‘zero-day exploit’, where an exploit appears immediately after a vulnerability has been discovered. This leaves almost no time for a vendor to create a patch, or for IT administrators to implement other defensive measures.

Phishing
Phishing is a form of cyber crime based on social engineering techniques. The name ‘phishing’ is a conscious misspelling of the word 'fishing' and involves stealing confidential data from a user’s computer and subsequently using the data to steal the user’s money.
The cyber criminal creates an almost 100% perfect replica of a financial institution or online commerce web site. He then tries to lure unsuspecting users to the site to enter their login, password, credit card number, PIN, etc. into a fake form. This data is collected by the phisher who later uses it to access users’ accounts fraudulently.
Some financial institutions now make use of a graphical keyboard, where the user selects characters using a mouse, instead of using a physical keyboard. This prevents collection of confidential data by phishers who trap keyboard input, but is of no avail against so-called ‘screenscraper’ techniques, where a Trojan takes a snapshot of the user’s screen and forwards it to the server controlled by the Trojan author or ‘master’.
There are several different ways of trying to drive users to a fake web site.
Spam e-mail, spoofed to look like correspondence from a legitimate financial institution.
Hostile profiling, a targeted version of the above method: the cyber criminal exploits web sites that use e-mail addresses for user registration or password reminders and directs the phishing scam at specific users (asking them to confirm passwords, etc.).
Installing a Trojan that edits the hosts file, so that when the victim tries to browse to their bank’s web site, they are re-directed to the fake site.
Pharming, also known as DNS poisoning.
‘Spear phishing’, an attack on a specific organization in which the phisher simply asks for one employee’s details and uses them to gain wider access to the rest of the network.

Polymorphic Virus
A virus that contains a special routine that changes parts of the virus code with each replication to evade detection by antivirus software.

PSW Trojans
These Trojans are designed to steal passwords from the victim machine (although some steal other types of information also: IP address, registration details, e-mail client details, and so on). This information is then sent to an e-mail address coded into the body of the Trojan. The first PSW Trojans were AOL password-stealing Trojans, and they are so numerous that they form a specific subset of PSW Trojans.

Riskware
‘Riskware’ is the generic term used by Kaspersky Lab to describe programs that are legitimate in themselves, but that have the potential for misuse by cyber criminals: for example, remote administration utilities. Such programs have always had the potential to be misused, but they now have a higher profile. During the last few years, there has been a fusion of ‘traditional’ virus techniques with those of hackers. In the changing climate, such ‘riskware’ programs have come into their own as a means of controlling machines for malicious purposes.

Rootkit
A rootkit is a collection of programs used by a hacker to evade detection while trying to gain unauthorized access to a computer. This is done either by replacing system files or libraries, or by installing a kernel module. The hacker installs the rootkit after obtaining user-level access: typically this is done by cracking a password or by exploiting a vulnerability. This is then used to gather other user IDs until the hacker gains root, or administrator, access to the system.
The term originated in the Unix world, although it has since been applied to the techniques used by authors of Windows-based Trojans to conceal their activities. Rootkits have been used increasingly as a form of stealth to hide Trojan activity, something that is made easier because many Windows users log in with administrator rights.

Router
A router is a device, located at the point where one network meets another, that decides the next point to which a network packet should be passed on its way to its final destination.

Sandbox
In the context of computer security, a sandbox provides a tightly-controlled environment in which semi-trusted programs or scripts can be safely run in memory (or with limited access to the local hard disk). The sandbox concept can be implemented in a web browser, to safeguard the user from potentially harmful content, or it can be used as a method for analyzing programs in order to determine if they are safe or harmful.

Self-encrypting virus
Self-encrypting viruses attempt to conceal themselves from anti-virus programs. Most anti-virus programs attempt to find viruses by looking for certain patterns of code (known as virus signatures) that are unique to each virus. Self-encrypting viruses encrypt their code differently with each infection, so that these signature patterns are not visible to a scanner. Also see: self-garbling virus, encrypted virus.

Shell
The term shell describes the user interface of an operating system, used to launch programs and give other commands. By contrast, the term kernel refers to the core of the operating system that supports all other operations.

Sniffer
A sniffer is a software program that monitors network traffic. Hackers use sniffers to capture data transmitted over a network.

Spam
Spam is the name commonly given to unsolicited e-mail. It is effectively unwanted advertising, the e-mail equivalent of physical junk mail delivered through the post or from unsolicited telemarketing calls.

Spyware
A software program that monitors a user’s computing habits and personal information and sends this information to third parties without the user’s authorization or knowledge.

Stealth virus
Stealth viruses attempt to evade antivirus scanners by presenting clean data when queried by an antivirus product. Some of these viruses display a clean version of the infected file during scans. Other stealth viruses hide the new size of the infected file and display the pre-infection size.

TCP/IP port
Synonyms: Port
In computing, ports are connection points.
They may be physical connection points, as in the COM (or serial) and parallel ports used by physical input or output devices. Before the advent of USB ports, monitor, keyboard, mouse and modem typically used a COM port (where data is transferred ‘serially’, one bit at a time), while printers typically used a parallel port (where data is transferred ‘in parallel’, eight bits at a time). Today, most computers are equipped with a number of USB ports. USB allows up to 127 devices to connect to a single computer and allows for rapid transfer of data.
They may also be logical connection points for data transferred over IP networks using TCP or UDP. Some port numbers are reserved: port 80, for example, is reserved for the HTTP service. Others are assigned dynamically for each connection. Ports are used by authors of malicious code to transfer data from a victim machine to the ‘master’, or to download additional malicious code.

Trojan (Trojan Horse)
A program or a part of program code that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan and a virus is the Trojan's inability to replicate. Trojans cause damage, unexpected system behavior, and compromise the security of systems, but do not replicate. If a malicious program replicates, then it should be classified as a virus. The name, taken from the Trojan Horse of Greek mythology, reflects the fact that a Trojan typically comes in good packaging but has some hidden malicious intent within its code. When a Trojan is executed, users will likely experience unwanted system errors, problems in operation, and sometimes loss of valuable data.

VPN [Virtual Private Network]
A VPN is used to provide remote users with secure access to the private network of a corporation or other organization, over the Internet (rather than using an expensive dedicated leased line). Privacy is maintained by implementing encryption and other security features, preventing unauthorized access to the private network.

Virus
A program or a part of program code that replicates - that is, "infects" another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself to that medium. Most viruses only replicate, though many also do a large amount of damage.

Worm
A self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments. The worm may do damage and compromise the security of the computer. It may arrive in the form of a joke program or software of some sort.

Zero-day exploit
A zero-day exploit is one where an exploit written to take advantage of a bug or vulnerability in an application or operating system appears immediately after the vulnerability has been discovered. This leaves almost no time for a vendor to create a patch, or for IT administrators to implement other defensive measures.

Zip bomb
A zip bomb is a file compressed into some archive format - often, but not necessarily, zip - which expands to an enormous size when uncompressed. Often the bomb is in the form of a loop, with the file inside the archive in fact a link back up to the top level of the archive, which will thus continuously unpack itself until all space and resources on the system are exhausted.
Zip bombs can also cause problems for anti-malware software trying to scan inside them, again using up large amounts of system resources. Scanners should be able to spot a zip bomb attack and stop scanning after a certain level.
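The "stop scanning after a certain level" behaviour described above can be implemented by inspecting an archive’s declared sizes before expanding anything. The following is an added example, not part of the original glossary or of any scanner product: it refuses an archive when the declared expansion ratio, the total declared size, or the nesting depth exceeds a limit, and only reads nested members after those checks have passed. The thresholds and the two sample archives (a small ordinary zip and a constructed 20 MiB-of-zeros bomb) are assumptions made for the example.

```python
import io
import zipfile

# Thresholds for this example (assumed values; tune them to your environment).
MAX_DEPTH = 3                    # nested archives deeper than this are refused
MAX_RATIO = 100.0                # declared uncompressed/compressed ratio limit
MAX_TOTAL = 50 * 1024 * 1024     # total declared uncompressed bytes we will scan


def inspect_zip(data: bytes, depth: int = 0, budget: int = MAX_TOTAL) -> dict:
    """Inspect an in-memory zip without extracting it to disk.

    The sizes declared in the central directory are checked first, so a bomb
    is refused before any of its content is decompressed. Nested archives are
    read only after the size checks pass, which bounds the bytes touched.
    """
    if depth > MAX_DEPTH:
        return {"verdict": "refused", "reason": "nesting depth exceeded", "depth": depth}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "not_zip", "depth": depth}

    declared = 0
    for info in zf.infolist():
        if info.is_dir():
            continue
        declared += info.file_size
        if declared > budget:
            return {"verdict": "refused", "reason": "declared size exceeds budget", "depth": depth}
        ratio = info.file_size / max(info.compress_size, 1)
        if ratio > MAX_RATIO:
            return {"verdict": "refused", "reason": "compression ratio exceeds limit",
                    "depth": depth, "member": info.filename, "ratio": round(ratio, 1)}

    # Size checks passed, so reading nested archives is bounded by the budget.
    for info in zf.infolist():
        if info.filename.lower().endswith(".zip"):
            nested = inspect_zip(zf.read(info), depth + 1, budget - declared)
            if nested["verdict"] == "refused":
                return nested
    return {"verdict": "ok", "declared_bytes": declared, "depth": depth}


def nest_archive(data: bytes, levels: int) -> bytes:
    """Wrap an archive inside `levels` further (stored, uncompressed) archives."""
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
            z.writestr(f"level{i}.zip", data)
        data = buf.getvalue()
    return data


def build_benign_sample() -> bytes:
    """Constructed sample: a small, ordinary archive with a modest ratio."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", bytes(range(256)) * 16)
    return buf.getvalue()


def build_sample_bomb() -> bytes:
    """Constructed sample: 20 MiB of zeros (deflate shrinks this roughly 1000:1)
    wrapped inside a second archive, so the bomb sits one level down."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("zeros.bin", b"\0" * (20 * 1024 * 1024))
    return nest_archive(buf.getvalue(), 1)


if __name__ == "__main__":
    print(inspect_zip(build_benign_sample()))
    print(inspect_zip(build_sample_bomb()))
    print(inspect_zip(nest_archive(build_benign_sample(), 5)))
```

The declared sizes come from the archive itself and can be forged, so a production scanner also caps the number of bytes it actually decompresses per member; the central-directory check here is the cheap first gate that lets the scanner give up before it has spent any resources on the content.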

Zombie
A zombie is a PC that has been infected with a virus or Trojan horse that puts it under the remote control of an online hijacker. The hijacker uses it to generate spam or launch Denial of Service attacks. Also see: spam, Denial of Service.


Resources:
http://www.upenn.edu/computing/virus/glossary.html
http://www.securelist.com/en/glossary
http://home.mcafee.com/VirusInfo/Glossary.aspx
http://www.cuhk.edu.hk/itsc/security/isglosry/index.html
http://www.virusbtn.com/resources/glossary/hacker.xml