IT virus dictionary: security glossary

 

Security Glossary
http://www.viruslist.com/en/glossary

3

3G
3G (short for 3rd Generation) is the general term for technologies and standards designed to combine high speed mobile access with IP [Internet Protocol]-based services. 3G will improve the performance of wireless services, including greater data speeds and improved capacity for accessing multimedia data. The ultimate goal is to provide broadband, always-on access to Internet-based services. The term is used to distinguish emerging wireless technologies from the earlier analog cellular phone systems (1G) and the digital technologies that succeeded them (and are still in use today).

A

Adware
Synonyms: AdvWare
Programs designed to launch advertisements, often pop-up banners, on host machines and/or to re-direct search engine results to promotional web sites. Adware programs are often built into freeware or shareware programs, where the adware forms an indirect ‘price’ for using the free program. Sometimes a Trojan silently downloads an adware program from a web site and installs it onto a user’s machine. Or hacker tools, often referred to as Browser Hijackers (because they subvert the web browser to install a program without the user’s knowledge), download the adware program using a web browser vulnerability.

Browser Hijackers may change browser settings, re-direct incorrect or incomplete URLs, or change the default homepage. They may also re-direct searches to ‘pay-to-view’ (often pornographic) web sites. Typically, many adware programs do not show themselves in the system in any way: no listing under Start | Programs, no icons in the system tray, nothing in the task list. In addition, adware programs seldom come with a de-installation procedure, and attempts to remove them manually may cause the original carrier program to malfunction.

AIM [AOL Instant Messenger]
AIM is a specific implementation of IM [Instant Messaging].

Anti-virus databases
Anti-virus databases hold the data needed to find and remove malicious code. The databases contain a series of virus definitions (or signatures): unique sequences of bytes specific to each piece of malicious code. Signature analysis is one of the key methods used to find and remove malicious code.

Anti-virus engine
The engine, the core of any anti-virus product, is a software module that is purpose-built to find and remove malicious code. The engine is developed independently of any specific product implementation, so it ‘plugs in’ equally well into personal products (such as personal scanners or real-time monitors) or solutions for servers: mail scanners, file servers, firewalls and proxy servers. These products may be developed by the engine developer, or they may be developed by third parties who integrate the engine into their application or business process using the engine SDK. The reliability of malicious code detection, and hence the security level provided by the products that use it, is determined by the quality of the engine.

Anti-virus update
Synonyms: Anti-virus upgrade
Nearly all anti-virus programs make use of signature analysis: that is, using a database that contains byte sequences belonging to known viruses, worms, Trojans or other malicious code. As the list of known threats grows, new virus definitions (or signatures) are added to the anti-virus databases. Anti-virus researchers at Kaspersky Lab, for example, add around 200 new records to the database every day. Enhanced protection is passed on to users in the form of an update. In addition, new anti-virus engine functionality may also be delivered as part of an anti-virus database update.

Signature analysis is not the only protection method available. Anti-virus solutions have become increasingly sophisticated over the years, to counter the growing complexity of malicious programs. Proactive detection mechanisms designed to detect new threats before they appear in the field, such as heuristic analysis, generic detection or behavioral analysis, are also an important first line of defense. Nevertheless, regular updating of anti-virus protection remains important, given the speed at which today’s threats are able to spread. Anti-virus vendors have successively reduced the time interval between virus definition updates: first quarterly, then monthly, then weekly, then daily updates. Kaspersky Lab now provides incremental virus definition updates every hour.

API [Application Program Interface]
An API defines the way that a piece of software communicates with other programs, allowing these programs to make use of its functionality. The API provides a series of commonly-used functions that third party developers might need. For example, an operating system vendor provides an API that allows developers to write applications that are consistent with the operating system. Typically, the API comes with a set of routines, modules and protocols that can be used to access the program’s functionality, known as an SDK [Software
Development Kit]. Although distinct, the two terms are often used interchangeably. An anti-virus engine API provides a way for third parties to integrate anti-virus scanning into their application or business process.

Archive bomb
This is a seemingly small archive file that is actually highly compressed and expands into a huge file or several identical files. Such archives typically take quite a long time to scan, thus potentially forming a DDoS attack on an anti-virus program that tries to scan them. Good anti-virus programs include a smart algorithm to avoid extracting such files.

Archive file
An archive file is a collection of data files that have been packaged together. This is done to save space (when backing up a series of files to removable media, for example) or to save data transmission time (when making files available for download or when transferring them via e-mail, for example). Programs that compress data into archive files are called archivers. WinZip is probably the best known of these: in fact, many people equate ‘zipping’ a file with archiving it, even when using a different archiver. There are numerous archiving programs on the market, though the most familiar include WinZip and WinRAR. Most are capable of creating and accessing ZIP files, in addition to whatever format the program is designed to produce. The most common archive file formats are ZIP, RAR, ARJ and CAB. The CAB format is used to archive many Microsoft® Windows® distribution files.

It’s important for anti-virus programs to scan inside these files. Otherwise any archived file could provide a convenient hiding place for malicious code. Some email worms have even been deliberately distributed as archive attachments.

Good anti-virus programs also scan recursively (a ZIP within a ZIP, for example) and include a smart algorithm to avoid extracting archive bombs.

ASCII [American Standard Code for Information Interchange]
Developed by ANSI [American National Standards Institute], ASCII is one of the most common standards for representing text in a computer. Each character (alphanumeric or special character) is represented by a binary number. DOS- and Unix-based operating systems use ASCII. Windows® NT, Windows® 2000 and Windows® XP use a more recent standard called Unicode.

Attack signature
A file containing a data sequence used to identify an attack on the network, typically using an operating system or application vulnerability. Such signatures are used by an Intrusion Detection System [IDS] or firewall to flag malicious activity directed at the system.

B

Backdoor Trojans
These are the most dangerous, and most widespread, type of Trojan. Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

Bandwidth
In computer networking, bandwidth refers to data transfer rate (how fast data travels) and is normally measured in bits per second (bps). For example, a modem operating at 57,600 bps has twice the bandwidth of a modem working at 28,800 bps.

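
The anti-virus database, archive file and archive bomb entries above describe signature matching, recursive scanning of archives and the need to avoid extracting archive bombs. The following Python program is an added example written for this page (it is not the glossary's or Kaspersky Lab's code): it scans a byte string against a small signature database, recurses into ZIP archives built in memory, and refuses to extract any member whose declared size, compression ratio or cumulative size exceeds a budget. The signature database, the limits and the sample archives are constructed for the example; the EICAR string is the industry-standard test string described under the EICAR entry.

```python
"""Signature scanner with recursive ZIP handling and an archive-bomb guard.

Added example, not the glossary's code. All signatures, limits and sample
archives are constructed here; nothing is read from disk.
"""
from __future__ import annotations
import io
import zipfile

# Constructed signature database: name -> unique byte sequence.
# The EICAR string is the standard anti-virus test string; "Example.Marker" is made up.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.Marker": b"\xde\xad\xbe\xef-EXAMPLE-MARKER",
}

# Archive-bomb guard (constructed limits): nesting depth, bytes per member,
# compression ratio, and total bytes extracted during one scan.
MAX_DEPTH = 3
MAX_MEMBER_BYTES = 1_000_000
MAX_RATIO = 100
MAX_TOTAL_BYTES = 5_000_000


def match_signatures(data: bytes) -> list[str]:
    """Return the names of all signatures whose byte sequence occurs in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan(data: bytes, name: str = "<input>", depth: int = 0,
         budget: list[int] | None = None) -> list[tuple[str, str]]:
    """Scan a byte string and recurse into ZIP archives it contains.

    Returns (path, verdict) pairs; a verdict is a signature name or a guard
    result such as 'ARCHIVE-BOMB-SUSPECT' when extraction was refused.
    """
    budget = budget if budget is not None else [MAX_TOTAL_BYTES]
    findings = [(name, sig) for sig in match_signatures(data)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(name, "DEPTH-LIMIT")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            ratio = info.file_size / max(info.compress_size, 1)
            # Decide from the headers alone, before extracting anything.
            if (info.file_size > MAX_MEMBER_BYTES or ratio > MAX_RATIO
                    or info.file_size > budget[0]):
                findings.append((member, "ARCHIVE-BOMB-SUSPECT"))
                continue
            budget[0] -= info.file_size
            try:
                # zipfile stops at the declared size and checks the CRC, so a
                # header that lies about the size raises BadZipFile here.
                with zf.open(info) as fh:
                    payload = fh.read()
            except zipfile.BadZipFile:
                findings.append((member, "CORRUPT-MEMBER"))
                continue
            findings.extend(scan(payload, member, depth + 1, budget))
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Construct an in-memory, deflate-compressed ZIP from name -> content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def demo() -> dict[str, list[tuple[str, str]]]:
    """Scan three constructed samples: clean, nested-with-EICAR, archive bomb."""
    clean = build_zip({"readme.txt": b"nothing to see here"})
    nested = build_zip({"outer.txt": b"ok",
                        "inner.zip": build_zip({"eicar.com": SIGNATURES["EICAR-Test-File"]})})
    bomb = build_zip({"zeros.bin": b"\x00" * 20_000_000})  # ~20 KB on disk, 20 MB unpacked
    return {
        "clean.zip": scan(clean, "clean.zip"),
        "nested.zip": scan(nested, "nested.zip"),
        "bomb.zip": scan(bomb, "bomb.zip"),
    }


if __name__ == "__main__":
    for archive, result in demo().items():
        print(archive, result or "clean")
```

The guard works on the ZIP headers (declared uncompressed size and compression ratio) before any decompression takes place, which is what keeps a 20 MB file of zeros from costing the scanner more than a header read; a real engine would apply the same idea to every container format it understands.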
Batch file
A batch file (which has the extension BAT) is designed to automate the execution of multiple commands on a computer. The batch file itself is a text file. However, it contains a list of instructions (including commands to run programs) that are carried out unattended when the batch file is run.

Behavioral analysis
This refers to the technique of deciding whether an application is malicious or not, according to what it does. If an application does something that falls outside the range of ‘acceptable’ actions, its operation is restricted. For example, trying to write to certain parts of the system registry, or writing to pre-defined folders, may be defined as a threat. The action can be blocked, or the user notified about the attempted action.

This fairly simple approach can be further refined. It's possible, for example, to restrict the access of one application (let's say allowing a web browser read-only access to limited portions of the system registry) while giving unrestricted access to other programs that do not use the Internet.

An alternative behavioral method is to 'wrap' a downloaded application and restrict its action on the local system. Here the application is run in a protective 'sandbox' [sometimes called a ‘playground’, or ‘secure cache’] to limit its actions according to a pre-defined policy. The activity performed by the program is checked against a set of rules. Depending on the policy, the program’s actions may be considered a violation of the policy, in which case the rogue action is blocked.

Binary code
Synonyms: Object code
This term is applied to the compiled instructions contained within an executable file. Binary code is not human-readable and can only be ‘understood’ by the computer’s processor when the program is run.

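
The Behavioral analysis entry above describes judging a program by what it does: checking each action against a policy, blocking or notifying on violations, and giving one application (a web browser) read-only access to a limited part of the registry while other programs are unrestricted. The Python program below is an added example written for this page, not code from the glossary or from any product; the action types, the registry and file paths, the application names and the policy rules are all constructed for illustration.

```python
"""Behavioral analysis as a policy check over observed actions.

Added example, not the glossary's code. Every action kind, path, application
name and rule below is constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Action:
    app: str      # process performing the action, e.g. "browser.exe"
    kind: str     # "registry_read", "registry_write", "file_write", ...
    target: str   # registry path, file path or host being touched


@dataclass
class Rule:
    kind: str
    prefix: str                  # the rule applies to targets starting with this prefix
    verdict: str                 # "allow", "block" or "notify"
    apps: tuple[str, ...] = ()   # empty tuple: the rule applies to every application


@dataclass
class Policy:
    rules: list[Rule] = field(default_factory=list)
    default: str = "allow"       # anything no rule mentions is unrestricted

    def decide(self, act: Action) -> str:
        # First matching rule wins, so application-specific rules go before generic ones.
        for r in self.rules:
            if (r.kind == act.kind
                    and act.target.lower().startswith(r.prefix.lower())
                    and (not r.apps or act.app in r.apps)):
                return r.verdict
        return self.default


def monitor(policy: Policy, actions: list[Action]) -> tuple[list[Action], list[tuple[Action, str]]]:
    """Return (actions allowed to proceed, (action, verdict) pairs that were blocked or flagged)."""
    allowed, flagged = [], []
    for act in actions:
        verdict = policy.decide(act)
        if verdict == "allow":
            allowed.append(act)
        else:
            flagged.append((act, verdict))
    return allowed, flagged


def build_policy() -> Policy:
    """Constructed policy: read-only, limited registry access for the browser;
    autostart entries blocked for everyone; writes to system folders reported."""
    return Policy(rules=[
        Rule("registry_read", r"HKCU\Software\Browser", "allow", apps=("browser.exe",)),
        Rule("registry_read", "", "block", apps=("browser.exe",)),
        Rule("registry_write", "", "block", apps=("browser.exe",)),
        Rule("registry_write", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "block"),
        Rule("file_write", r"C:\Windows\System32", "notify"),
    ])


# Constructed trace of actions observed from three hypothetical programs.
SAMPLE_ACTIONS = [
    Action("browser.exe", "registry_read", r"HKCU\Software\Browser\Prefs"),
    Action("browser.exe", "registry_write", r"HKCU\Software\Browser\Prefs"),
    Action("browser.exe", "registry_read", r"HKLM\SAM\Domains"),
    Action("editor.exe", "registry_write", r"HKCU\Software\Editor\Recent"),
    Action("setup.exe", "registry_write",
           r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Action("setup.exe", "file_write", r"C:\Windows\System32\drivers\etc\hosts"),
]


def demo() -> tuple[list[Action], list[tuple[Action, str]]]:
    return monitor(build_policy(), SAMPLE_ACTIONS)


if __name__ == "__main__":
    allowed, flagged = demo()
    for act, verdict in flagged:
        print(f"{verdict.upper():6} {act.app} {act.kind} {act.target}")
```

Running it, the browser's one permitted read goes through, its registry write and its read outside its own key are blocked, the editor's write is allowed by the default, and the installer's autostart entry is blocked while its write under System32 is only reported. The rule order is the whole design: a first-match policy lets a narrow "allow" sit above a broad "block" for the same application.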
Source code, by contrast, is made up of the statements created by a programmer using a text editor. Source code is human-readable, for anyone who understands the conventions used by that programming language (‘C’, ‘C++’, etc.), but cannot be executed by a computer’s processor until it has been compiled.

BIOS
The BIOS [Basic Input-Output System] refers to the instructions contained in one of the chips in the PC. It is used to start the PC and is used by the operating system to access the computer’s hardware.

Bit
Bit is a contraction of ‘binary digit’ and is the smallest unit of measurement for computer data. As the name suggests, bits are counted in base-2, so the value of any given bit will be either 0 or 1 (its value being defined by whether it is above or below a set level of electrical charge within a capacitor). Eight bits (called a byte) are required for a single alphanumeric character. Higher multiples used to measure data are the kilobyte (1,024 bytes), the megabyte (1,048,576 bytes), the gigabyte (1,073,741,824 bytes) and the terabyte (1,000 gigabytes). Bandwidth (how fast data travels) is normally measured in bits per second.

Blacklist
Synonyms: Black hole list, Realtime black list, RBL [Realtime Blocklist]
Used as one method of filtering spam, blacklists provide a list of known sources of unwanted e-mail. Traffic from listed IP addresses is simply blocked. Several public blacklists are available, one of the best known being the Mail Abuse Prevention System [MAPS].

The use of blacklists helps to force ISPs [Internet Service Providers] to monitor their own outgoing e-mail and so avoid the negative commercial effects of being ‘blacklisted’.

Blended threat
Blended threat is a general description for malicious programs or bundles of malicious programs that combine the functionality of different types of malware: viruses, worms, Trojans and so forth. As applications and operating systems, as well as security products, have become more sophisticated, virus writers have retaliated by creating more and more complex malicious programs. A malicious program needs to meet most of the following criteria to be called a blended threat:

Have more than one payload - launch a DoS attack, install a backdoor, damage a local system etc.
Replicate and/or spread in a number of ways - via email, IRC channels, file-sharing networks, download copies of itself from compromised web sites etc.
Use multiple attack methods - infect exe files, modify more than one registry key, modify HTML files etc.

Bluetooth
Bluetooth is a specification for short-range wireless connectivity between Bluetooth-enabled devices (PCs, PDAs, smartphones or pagers fitted with the appropriate chip). Bluetooth has a range of 10 metres and currently supports a transfer rate of 1Mbps. The Bluetooth specification is maintained by the Bluetooth SIG [Special Interest Group], set up in 1998 and made up of more than 2,000 members (including Microsoft®, IBM, Intel, Nokia, Toshiba, Motorola, Sony Ericsson and many others).

Boot
The process of starting a PC, during which the BIOS and then the operating system are loaded.

Boot disk
Synonyms: System disk
A disk containing the system files required to load an operating system. These files may be located on a hard disk or removable media (floppy disk, CD or USB memory storage device).

Boot sector
The boot sector is the area on a hard disk or floppy disk containing instructions that are executed during the boot process, i.e. when the PC starts. Among other things, the boot sector specifies the location of the operating system files. On a hard disk, the boot sector is the first sector(s) on the bootable partition, i.e. the partition containing the system files. On a floppy disk, the boot sector is the first sector on the disk: all floppy disks contain a boot sector, even if they are just data disks.

Boot sector virus
A boot sector virus is one that infects by replacing code in the boot sector of a floppy disk (and sometimes a hard disk) with its own code. This ensures that whenever an attempt is made to boot from the infected disk, the virus loads before the operating system. These viruses are very uncommon now, but in the first half of the 1990s, when floppy disks were the main means of transferring data, they represented the main threat to PC users. Typically, a boot sector virus infected the hard disk when a user inadvertently left an infected floppy disk in drive A. When the PC was next booted, the system would try to boot from the floppy disk and the virus code would execute, regardless of whether or not the floppy disk was a system disk or just a data disk. Most boot sector viruses then infected the MBR [Master Boot Record] of the hard disk, rather than the boot sector.

Bridge
A bridge connects two LANs [Local Area Networks]: it examines data sent across the network to determine which LAN it should be delivered to.

Broadband
Synonyms: DSL
Broadband (delivered through a Digital Subscriber Line [DSL]) is generally applied to telecommunications in which a wide range of frequencies is available for transmission of data, typically voice and data together. So broadband provides an always-on connection, allowing home users to access the Internet while still being able to use the telephone. Clearly this is more efficient than using a dial-up connection, which makes exclusive use of a telephone line. In addition, broadband typically also provides a faster connection, of 512Kbps, 1Mbps, 2Mbps or more.

Browser Helper Object
A Browser Helper Object [BHO] is a DLL that loads every time Microsoft® Internet Explorer runs. Typically, a BHO is installed by a third party program to enhance the functionality of the web browser (many Internet Explorer plugins, for example, are BHOs). BHOs can be installed silently, or can be installed ‘quietly’ (many users fail to read the small print that comes with the EULA [End User License Agreement] displayed by the freeware program). Also, because they’re programs, they can do anything that other programs can do. On top of this, there’s no easy way to list the BHOs installed on the PC. As a result, BHO functionality can be misused (to install adware or track browsing habits, for example).

Browser Hijacker
Browser Hijackers modify the user’s web browser settings. This may involve changing the default home page, re-directing searches to unwanted web sites, adding unwanted (sometimes pornographic) bookmarks or generating unwanted pop-up windows.

Bug
A bug is an unintentional fault in a program. Some people mistakenly refer to viruses, worms or Trojans as ‘bugs’. This is incorrect: bugs are unintentional, whereas malicious code represents a deliberate misuse of a user’s computer.

Byte
A byte is made up of eight bits and is the data required for a single alphanumeric character.

C

Cache
A cache is used to store data temporarily, typically recently accessed files (cache memory, disk cache or web browser cache, for example). Since accessing the cache is quicker than accessing regular Random Access Memory [RAM] or disk, files stored in the cache can be accessed without the need for the processor to carry out the more intensive work of reading data from regular memory or disk.

CARO [Computer Anti-Virus Research Organization]
CARO, set up in December 1990, is an informal forum in which anti-virus experts who trust each other can exchange ideas and information on malware.

Classic virus (Virus)
Synonyms: Computer virus, Malicious program
Today the term virus is often loosely used to refer to any type of malicious program, or is used to describe any ‘bad thing’ that a malicious program does to a
host system. Strictly speaking, however, a virus is defined as program code that replicates. Of course, this simple definition leaves plenty of scope for further sub-division.

Sometimes viruses are further classified by the types of object they infect: for example, boot sector viruses, file viruses, macro viruses. Or they may be classified by the method they use to select their host. ‘Indirect action file viruses’ load into memory and hook into the system such that they can infect files as they are accessed. Conversely, ‘direct action file viruses’ do not go memory resident, simply infecting a file (or files) when an infected program is run and then ‘going to sleep’ until the next time an infected file is run.

Another way of classifying viruses is by the techniques they use to infect. There are ‘appending viruses’ that add their code to the end of a host file, ‘prepending viruses’ that put their code at the start of a host file and overwriting viruses that replace the host file completely with their own code. By contrast, companion viruses and link viruses avoid adding code to a host file at all. Then there are stealth viruses that manipulate the system to conceal changes they make and polymorphic viruses that encrypt their code to make it difficult to analyze and detect.

Of course, there are also viruses that fail to work: they either fail to infect or fail to spread. Such would-be viruses are sometimes referred to as ‘wannabes’.

Command line
Synonyms: Command Line Prompt, CLI [Command Line Interface], Command Prompt, DOS prompt
The command line provides a keyboard-driven interface between a computer and the user. The user types in a command and the computer processes the appropriate
instruction for that command, after which it displays a specified prompt indicating to the user that the system is ready for further commands. MS-DOS was a command line driven system. Microsoft® Windows®, by contrast, offers a Graphical User Interface [GUI] and the means to input instructions using a mouse (in addition to command line access). Most Unix-based operating systems also offer both command line and GUI interfaces.

Companion virus
A specific type of virus where the infected code is stored not in the host program, but in a separate ‘companion’ file. For example, the virus might rename the standard NOTEPAD.EXE file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the virus code. When the user subsequently runs the Notepad application, the virus will run first and then pass control to the original program, so the user doesn’t see anything suspicious.

Compound threat
This general description, first used in the wake of the Nimda outbreak in September 2001, is used to describe those threats that come as a composite ‘bundle’ of malicious programs, using several mechanisms to spread and/or attack their victims. This includes the following:

Spread via e-mail, the Internet, IRC channels, file-sharing networks, download from compromised web sites, etc.
The use of application vulnerabilities.
Making use of Trojans to steal confidential data, download other malicious code, launch a DDoS attack, etc.

In the days when MS-DOS was the primary PC operating system, the term ‘multipartite’ was used to describe viruses that used more than one technique to spread (infecting programs and system sectors).

Compressed file
Synonyms: Packed file
A compressed file is one where the data belonging to the file has been reduced in size to save space or data transmission time. For example, software developers make use of various compression utilities to reduce the size of installation files distributed on removable media. At run-time, of course, the file is de-compressed automatically, with no user intervention needed.

There are thousands of different compression methods and the compression algorithms used by them vary. At the simplest level, however, compression could be as straightforward as removing repeating characters in a file (a data area in a program, for example, may be initialized with zeroes) and replacing them with a short marker that specifies how many bytes have been removed and what character should be there.

While compression is used in legitimate programs, it is also used by authors of malicious code. It is very common for Trojans, in particular, to be released in compressed form (and sometimes re-released in a re-packaged form).

Worm
Synonyms: Computer worm, Email worm, Internet worm, Network worm
Worms are generally considered to be a subset of viruses, but with key differences. A worm is a computer program that replicates, but does not infect other files: instead, it installs itself on a victim computer and then looks for a way to spread to other computers. From a user’s perspective, there are observable differences. In the case of a virus, the longer it goes undetected, the more infected files there will be on the victim computer. In the case of a worm, by contrast, there is just a single instance of the worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added to existing files on the disk.

Like viruses, worms are often sub-divided according to the means they use to infect a system. E-mail worms are distributed as attachments to e-mail messages; IM worms are attached to messages sent using instant messaging programs (such as IRC or ICQ). P2P [peer-to-peer] worms use file-sharing networks to spread. Network worms spread directly over the LAN [Local Area Network] or across the Internet, often making use of a specific vulnerability.

The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel Shockwave Rider. The hero, a talented programmer, created self-replicating computer programs that tunneled their way through a worldwide network.

Cookie
A cookie is the name given to a small piece of information saved to a user’s machine by a web site that the user visits. Cookies are often used to store user preferences about a web site, login information or even advertising information that has been displayed to the user during their visit to the site.

D

DDoS [Distributed Denial of Service] attack
A DDoS attack is broadly similar to a DoS attack, designed to hinder or stop the normal functioning of a web site, server or other network resource. A DDoS attack differs only in the fact that the attack is conducted using multiple machines. The hacker or virus writer typically uses one compromised machine as the ‘master’ and co-ordinates the attack across other, so-called ‘zombie’, machines. Both master and zombie machines are typically compromised by exploiting a vulnerability in an application on the machine to install a Trojan or other piece of malicious code.

DHA [Directory Harvest Attack]
A DHA is one method used by spammers to collect valid e-mail addresses. Spammers either target these addresses directly in their own spam attack, or sell them on to other spammers. The spammer first selects a domain (let’s say ‘victim_domain.com’) and then sends speculative e-mail messages to possible addresses within that domain (for example, ‘jack@victim_domain.com’, ‘jill@victim_domain.com’, etc.). If the email server at ‘victim_domain.com’ doesn’t reject the e-mail, the spammer knows that a given e-mail address is valid and can be used as a target in a spam attack.

Dial-up connection
A dial-up connection is one that makes exclusive use of a standard telephone line to send and receive data. The connection is made using a modem.

Disassembler
A disassembler is a program used to convert binary code into assembler language, a human-readable version of machine code. It’s a form of reverse engineering, used by programmers to debug code. Virus researchers use various tools (including purpose-built, bespoke programs) to disassemble malicious code and determine how it works.

DNS poisoning
Synonyms: DNS cache poisoning, Pharming
DNS servers located throughout the Internet are used to map domain names to IP addresses. When a user types in a URL, a nearby DNS server will map the domain to an IP address or pass it to another DNS server. In fact, there are a relatively small number of very big DNS servers. These provide many smaller DNS servers with DNS entries that are stored in the cache of the smaller DNS servers. DNS poisoning is the manipulation of IP addresses for entries stored in the cache of a smaller DNS server: the aim is to make the DNS server respond, not with the
correct IP address, but with one that contains malicious code. Here’s an example. If a user types the URL ‘www.kaspersky.com’ in the web browser, the DNS server should respond with the IP address 81.176.69.70. However, a poisoned DNS server would map this domain name to an IP address that contains malicious code. DNS poisoning is only possible where there is a vulnerability or other security weakness in the operating system running on the DNS server.

DNS [Domain Name System] server
DNS servers located throughout the Internet are responsible for the translation of domain names into IP addresses. When a user types in a URL, a nearby DNS server will map the domain to an IP address or pass it to another DNS server. There is also a sort of ‘mini DNS server’ stored within Microsoft® Windows® operating systems, called the hosts file.

Domain name
Domain names are used to locate an organization on the Internet. Each domain name maps to a specific IP address. So, for example, in the URL www.kaspersky.com, the ‘com’ part of the domain name is the top-level and indicates the general purpose of the organization, in this case ‘commercial’ (others include ‘org’, ‘net’, or geographic domains like ‘co.uk’). The ‘kaspersky’ part of the domain name is the second-level and is a descriptor for the organization itself: this can be thought of as a human readable version of the IP address. Second-level domain names must be unique (and are registered through ICANN [Internet Corporation for Assigned Names and Numbers]). The ‘www’ part of the domain name indicates the server (in this case, the web server) that handles Internet requests.

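
The DHA [Directory Harvest Attack] entry above explains that the harvester learns which addresses exist from whether the receiving mail server rejects each speculative message. Seen from the mail server's own logs, that behaviour is one client trying many different recipients in a short time and being rejected for most of them. The Python program below is an added example written for this page, not code from the glossary or from any mail server: it parses constructed SMTP log lines, slides a time window over each client's recipient attempts and flags clients whose distinct-recipient count and rejection ratio cross constructed thresholds. The log format, the client IP addresses (from the TEST-NET documentation ranges), the recipient names and the thresholds are all made up for the example; only the domain ‘victim_domain.com’ comes from the entry.

```python
"""Directory harvest attack (DHA) detection over SMTP log lines.

Added example, not the glossary's code. The log format, client addresses,
recipient names and thresholds are constructed for this example.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: timestamp host client=IP rcpt=address status=SMTP-code
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ client=(?P<ip>[\d.]+) rcpt=(?P<rcpt>\S+) status=(?P<code>\d{3})$"
)

WINDOW = timedelta(seconds=60)   # look at each client's attempts over one minute
MIN_DISTINCT = 5                 # at least this many different recipients tried
MIN_REJECT_RATIO = 0.8           # and at least this share of them rejected

# Constructed sample: 198.51.100.9 is an ordinary sender with one typo;
# 203.0.113.7 walks through guessed names at victim_domain.com.
SAMPLE_LOG = """\
2024-05-01T10:00:01 mx1 client=198.51.100.9 rcpt=jack@victim_domain.com status=250
2024-05-01T10:00:02 mx1 client=203.0.113.7 rcpt=aaron@victim_domain.com status=550
2024-05-01T10:00:03 mx1 client=203.0.113.7 rcpt=jill@victim_domain.com status=250
2024-05-01T10:00:03 mx1 client=203.0.113.7 rcpt=bob@victim_domain.com status=550
2024-05-01T10:00:04 mx1 client=203.0.113.7 rcpt=carol@victim_domain.com status=550
2024-05-01T10:00:05 mx1 client=198.51.100.9 rcpt=jak@victim_domain.com status=550
2024-05-01T10:00:05 mx1 client=203.0.113.7 rcpt=dave@victim_domain.com status=550
2024-05-01T10:00:06 mx1 client=203.0.113.7 rcpt=erin@victim_domain.com status=550
2024-05-01T10:00:07 mx1 client=203.0.113.7 rcpt=frank@victim_domain.com status=550
2024-05-01T10:00:08 mx1 client=203.0.113.7 rcpt=grace@victim_domain.com status=550
2024-05-01T10:00:20 mx1 client=198.51.100.9 rcpt=jill@victim_domain.com status=250
"""


def parse(lines):
    """Yield (timestamp, client ip, recipient, status code) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"].lower(), int(m["code"])


def detect_dha(lines) -> dict[str, dict]:
    """Return, per client IP that looks like a harvester, the strongest evidence window."""
    events = defaultdict(list)
    for ts, ip, rcpt, code in parse(lines):
        events[ip].append((ts, rcpt, code))

    suspects: dict[str, dict] = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Keep the window within WINDOW seconds of the newest event.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            distinct = {r for _, r, _ in window}
            rejected = sum(1 for _, _, c in window if 500 <= c < 600)
            if len(distinct) >= MIN_DISTINCT and rejected / len(window) >= MIN_REJECT_RATIO:
                best = suspects.get(ip)
                if best is None or len(window) > best["attempts"]:
                    suspects[ip] = {
                        "attempts": len(window),
                        "distinct": len(distinct),
                        "rejected": rejected,
                        # Addresses the harvester has now confirmed as valid.
                        "valid_found": sorted(r for _, r, c in window if c == 250),
                    }
    return suspects


if __name__ == "__main__":
    for ip, evidence in detect_dha(SAMPLE_LOG.splitlines()).items():
        print(ip, evidence)
```

On the sample, only 203.0.113.7 is reported (8 attempts, 8 distinct recipients, 7 rejections, and one address it has confirmed). The "valid_found" list is the useful output for a responder: it says which addresses the harvester has already learned. A verdict like this is normally fed into rate limiting or a temporary block of the client rather than acted on by hand.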
The translation of domain names into IP addresses is carried out by DNS servers located throughout the Internet. When a user types in a URL, a nearby DNS server will map the domain to an IP address or pass it to another DNS server. There is also a sort of ‘mini DNS server’ stored within Microsoft® Windows® operating systems, called the hosts file.

DoS [Denial of Service] attack
A DoS attack is designed to hinder or stop the normal functioning of a web site, server or other network resource. There are various ways for hackers or virus writers to achieve this. One common method is simply to flood a server with more network traffic than it is able to handle. This prevents it from carrying out its normal functions and in some circumstances crashes the server completely.

A DDoS attack differs only in the fact that the attack is conducted using multiple machines. The hacker or virus writer typically uses one compromised machine as the ‘master’ and co-ordinates the attack across other, so-called ‘zombie’, machines. Both master and zombie machines are typically compromised by exploiting a vulnerability in an application on the machine, to install a Trojan or other piece of malicious code.

Download
Where a file is transferred from one computer to another, the receiver is said to download the file. For example, anti-virus updates are downloaded to a user’s computer from an anti-virus vendor’s server.

E

E-mail
E-mail (short for ‘electronic mail’) is a method of sending messages electronically from one computing device to another. Plain text e-mails are normally encoded in ASCII text, although many e-mail client applications (Microsoft® Outlook®, for example) support HTML, allowing non-text messages to be sent. It is also possible to send non-text files as a binary attachment to an e-mail message. SMTP is the standard protocol used for sending e-mail across the Internet, although the POP3 protocol is also commonly used for receiving e-mail that has been stored on a remote server (by an ISP, for example). Many web browsers (including Microsoft® Internet Explorer) also provide support for POP3.

EICAR [European Institute for Computer Anti-Virus Research]
EICAR was formally set up in September 1991 (although an inaugural meeting had taken place in the previous year), with the aim of providing a forum for technical, security and legal experts from the security industry, government and corporate bodies to combine their efforts against malicious code. EICAR was designed to complement the CARO organization, which is made up solely of anti-virus experts. EICAR is probably best known for providing an industry-standard test file (the ‘EICAR Standard Anti-Virus Test File’) that can be used to check that anti-virus software has been installed correctly, is working and responds appropriately when a virus has been detected.

Encryption
Encryption describes the process of jumbling up data in such a way that it cannot be easily understood by those who are not authorized to do so. The jumbled data is stored as ‘ciphertext’. A key, known as a decryption key, is required in order to access the original data.

Encryption is used to keep prying eyes away from data that is in transit between sender and recipient (data sent over the World Wide Web during an online banking transaction, for example). Modern encryption methods require both sender and recipient (or software installed on sender and recipient computers) to hold compatible decryption keys. This may take the form of a single shared key. Or it may be the combination of a private key created by the recipient and a public key available to anyone wishing to send data to the recipient: this is known as a PKI [Public Key Infrastructure].

Encryption is a two-way street in the computer world today. While individuals and businesses use it to protect legitimate communication, virus writers encrypt malicious programs to conceal them from anti-virus products: in this case, since the virus writer wants the user to run the encrypted attachment, he must include the key as part of the transmission (by including the password in an e-mail message, for example).

Executable files
Synonyms: EXE files, PE EXE files
An executable file is a program in binary code that is ready to be run by the computer without any further human intervention. Common file extensions for executable files in Windows include .exe, .com, .dll and .bat. An executable file that is dynamically linked to another program is called a dynamic link library. Windows Portable Executable (PE) files are simply executable files that work across all Microsoft 32-bit operating systems, which is why the majority of malware for Windows written today is written in this format. In Unix, executable files are marked with a special permission flag in the file attributes.

Exploit

The term exploit describes a program, piece of code or even some data written by a hacker or virus writer that is designed to take advantage of a bug or vulnerability in an application or operating system. Using the exploit, an attacker gains unauthorized access to, or use of, the application or operating system. The use of exploits by hackers and virus writers has increased during the last few years. Typically, exploit code is used to gain access to confidential data or to use the victim machine for further unauthorized activity. Exploits are often named after the class of vulnerability they use to penetrate systems: a buffer overflow, for example.

F

False positive
Synonyms: False alarm

A false positive is another way of saying 'mistake'. As applied to anti-virus programs, a false positive occurs when the program mistakenly flags an innocent file as infected. This may seem harmless enough, but false positives can be a real nuisance. You lose productivity to user down-time. You may take e-mail offline as a security precaution, causing a backlog and more lost productivity. You waste even more time and resources in futile attempts to disinfect 'infected' files. And if you restore a backup to replace the 'infected' files, the backup appears to be infected too. In short, false positives can be costly nuisances.
The term is not confined to the anti-virus world. It also applies, for example, to anti-spam protection, where it refers to the misidentification of a legitimate e-mail message as spam. This too can be very costly, since the undelivered e-mail may be a business-critical message.

False negative

A false negative is simply another name for missing something. Applied to anti-virus programs, it refers to a failure to detect malware that is present on a system.

FAT [File Allocation Table]

The term FAT is used to describe the file system used by Microsoft® MS-DOS, Windows® 9x and Windows® ME. Specifically, the file allocation table is the index used by the operating system to keep track of the clusters (groups of disk sectors) belonging to each file stored on a disk. Clusters are the basic unit of logical storage used by the operating system, and the FAT is required because the clusters belonging to a file may not be stored contiguously. When a file is written to the disk, the operating system records its starting cluster and overall size in the file's directory entry, and chains the remaining clusters together in the FAT, one entry per cluster. When access to the file is later required, the operating system follows that chain to piece together each cluster belonging to the file and load it into memory for processing. Alternative file systems are NTFS, used by Windows® NT, Windows® 2000 and Windows® XP, and HPFS [High Performance File System], used by OS/2.

File virus

Viruses are often classified according to the objects they infect. File viruses, as the name suggests, are designed to add their code to files (generally program files).

Firewall
Synonyms: Personal Firewall

This term is taken from the world of fire fighting, where a firewall is a barrier created to block the spread of a fire.
In computing, a firewall forms a barrier between a computer system (either a corporate network or a single user's machine) and the outside world: the aim is to prevent outsiders from gaining unauthorized access to the protected network. The firewall monitors incoming and outgoing network traffic and decides whether to forward or block it, depending on the security policy that has been set. Typically, a firewall is installed on a router at the Internet gateway, although it may also be used to guard the boundaries between internal networks and user groups.

Today, most enterprises use 'stateful' firewalls: these track the state of each network connection over time, rather than judging every packet in isolation on its headers. The administrator's policy says which connections may be opened (outbound web browsing, for example). When a permitted connection is opened, the firewall records it in a state table and thereafter passes only packets that belong to a known connection, rejecting all others. An unsolicited inbound packet dressed up to look like a reply therefore has nothing to match and is dropped.

Personal firewalls are software-based. They protect single users from hacker attacks and potentially damaging data packets sent via the Internet, and also limit which applications on the protected computer may use the network. Such protection, as a supplement to anti-virus protection, has become a 'must' for those with always-on broadband connections.

Format

Formatting is the process by which a new disk is prepared for use by the operating system.

FTP [File Transfer Protocol]

FTP is a protocol for exchanging files between computers on the Internet and is often used to download files. FTP can be accessed from the command prompt or through a web browser. Note that FTP sends user names, passwords and file contents in clear text, so anything sensitive should go over an encrypted alternative (SFTP or FTPS, for example).
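The stateful behaviour described under Firewall above, as an added example that is not part of the glossary and not the logic of any particular product. It models the state table as the set of connections the policy has admitted, keyed so that a reply maps onto the request that opened it. Addresses, ports and the packet trace are constructed; the TCP handling (create state on the first permitted packet, drop it on FIN) is simplified compared with a real connection tracker.

```python
"""Toy stateful packet filter: permitted outbound connections create state;
inbound packets are admitted only if they belong to that state."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" (from the protected network) or "in"
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP connection request
    fin: bool = False   # TCP connection teardown


class StatefulFirewall:
    def __init__(self, allowed_outbound_ports, inbound_services=()):
        # Policy set by the administrator: which services inside hosts may
        # reach, and which inbound service ports (if any) are published.
        self.allowed_outbound_ports = set(allowed_outbound_ports)
        self.inbound_services = set(inbound_services)
        # State table, keyed by the 5-tuple as seen from the inside host.
        self.state = set()

    @staticmethod
    def _key(p: Packet):
        # Normalise so that a reply maps to the same key as its request.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.state:
            if p.proto == "tcp" and p.fin:
                self.state.discard(key)   # connection is closing
            return "ALLOW"                # part of a known connection
        if p.direction == "out":
            if p.dport in self.allowed_outbound_ports:
                self.state.add(key)       # remember it so the reply can return
                return "ALLOW"
            return "DROP"
        # Inbound with no state: only a published service, and only on a
        # fresh SYN. A stray 'reply' with no matching request is dropped.
        if p.dport in self.inbound_services and (p.proto != "tcp" or p.syn):
            self.state.add(key)
            return "ALLOW"
        return "DROP"


def run_trace(fw: StatefulFirewall, packets):
    """Return the verdict for each packet, in order."""
    return [fw.filter(p) for p in packets]


# Constructed sample traffic: one web session, a forged reply, a probe of
# port 445, an outbound IRC attempt and the session's teardown.
TRACE = [
    Packet("out", "tcp", "10.0.0.5", 40001, "203.0.113.10", 80, syn=True),
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 40001),
    Packet("in",  "tcp", "198.51.100.7", 80, "10.0.0.5", 40001),
    Packet("in",  "tcp", "198.51.100.7", 5555, "10.0.0.5", 445, syn=True),
    Packet("out", "tcp", "10.0.0.5", 40002, "203.0.113.10", 6667, syn=True),
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 40001, fin=True),
    Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 40001),
]

if __name__ == "__main__":
    fw = StatefulFirewall(allowed_outbound_ports={80, 443, 53})
    for p, verdict in zip(TRACE, run_trace(fw, TRACE)):
        print(verdict, p)
```

The third packet is the case the entry above describes: it arrives on the right port of the right inside host, but from a different source, so it matches no state and is dropped, something a stateless packet filter allowing "established" traffic by flags alone would have let through.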
G

Gateway

A gateway connects one network to another. An Internet gateway, for example, controls access to the Internet.

Generic detection

Generic detection refers to the detection and removal of multiple threats using a single virus definition. The starting-point for generic detection is that successful threats are often copied by others, or further refined by the original author(s). The result is a spate of viruses, worms or Trojans, each one distinct but belonging to the same family. In many cases, the number of variants can run into tens, or even hundreds. Generic detection involves creating a virus definition that identifies all threats belonging to the same family: it is written against the code that stays constant across the family rather than against the bytes a variant author is likely to change. So when 'NewVirus' appears, the definition created to detect it will also identify 'NewVirus.b', 'NewVirus.c', 'NewVirus.d', etc. if and when they are created. Such techniques extend also to detection of exploit code that may be used by a virus or worm. While generic detection is not guaranteed to find all variants in the family, it has been used with considerable success by a number of anti-virus vendors.

Gigabyte

A gigabyte [GB] is a unit of measurement for computer storage and is equivalent to 1,024 megabytes, or 1,073,741,824 (2^30) bytes. (Disk manufacturers, following the SI prefix, count 1,000,000,000 bytes to the gigabyte; the binary unit is sometimes written GiB to avoid the ambiguity.)

H

Hacker
This term was once used to describe a clever programmer. In recent years it has been applied to those who exploit security vulnerabilities to try and break into a computer system. Originally, those who broke into computer systems (for malicious purposes or as a challenge) were known as 'crackers'.

Hardware

The term hardware refers to the physical components of a computer (system unit, monitor, keyboard, mouse, etc.).

Heuristic analysis

The word heuristic is derived from the Greek for 'to discover' and refers to a method of finding answers based on rules of thumb and informed guess-work, rather than a fixed algorithm. In the anti-virus world, heuristic analysis involves using non-specific detection methods to find new, unknown malware. The technique, which has been in use for many years, involves inspecting the code in a file (or other object) to see if it contains virus-like instructions. If the number (or weighted score) of virus-like instructions crosses a pre-defined threshold, the file is flagged as a possible virus and the customer is asked to send a sample for further analysis.

Heuristic analysis has been refined over the years and has brought positive results in detecting many new threats. Of course, if heuristics aren't tuned carefully, there's a risk of false positives: the threshold is a trade-off between catching unknown malware and flagging innocent programs that happen to use the same constructs. That's why most anti-virus vendors using heuristics reduce their sensitivity to minimize the risk of false alarms, and many vendors disable heuristics by default. A further drawback is that heuristics are 'find-only'. In order to clean, it's necessary to know what specific changes the malware has made to the affected object.

Extensive use of heuristic analysis is also made in anti-spam solutions, to highlight those characteristics of an e-mail message that are spam-like.
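Two of the entries above, Generic detection and Heuristic analysis, describe scanning techniques that are easier to see in code than in prose. The scanner below is an added example written for this page, not any vendor's engine: the 'family signature' uses wildcard bytes for the values a variant author changes, and the heuristic counts weighted 'virus-like' constructs against a threshold. All byte patterns, the three 'variants' and the 'clean' file are constructed for illustration and are not real signatures or real malware.

```python
"""Family (generic) signature with wildcards, plus a crude heuristic score."""
import re


def compile_generic(pattern: str) -> re.Pattern:
    """Turn 'B8 ?? ?? CD 21' into a bytes regex: '??' matches any one byte."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# Written against the structure that stays constant across the family; the
# wildcards cover the immediate values each variant changes.
FAMILY_SIG = compile_generic("B8 ?? ?? CD 21 EB ?? 90 E8 00 00")

# Constructed 'variants': same skeleton, different constants.
VARIANT_A = b"\x90\x90\xb8\x01\x00\xcd\x21\xeb\x05\x90\xe8\x00\x00"
VARIANT_B = b"\xb8\x02\x10\xcd\x21\xeb\x0a\x90\xe8\x00\x00\xcc"
VARIANT_C = b"\x00\xb8\xff\x7f\xcd\x21\xeb\x7f\x90\xe8\x00\x00"
# Constructed 'clean' file that shares some constructs but not the skeleton.
CLEAN = b"\xb8\x01\x00\xcd\x21\xc3\x90\x90\xe8\x00\x00"


def matches_family(blob: bytes) -> bool:
    return FAMILY_SIG.search(blob) is not None


def scan_family(samples: dict) -> dict:
    """name -> True/False for a batch of files."""
    return {name: matches_family(data) for name, data in samples.items()}


# Heuristic: weighted count of 'suspicious' byte patterns (illustrative list).
SUSPICIOUS = {
    b"\xcd\x21": 1,        # DOS interrupt call
    b"\xe8\x00\x00": 2,    # call to the next instruction (position-finding trick)
    b"\xeb": 1,            # short jump
}


def heuristic_score(blob: bytes) -> int:
    return sum(weight * blob.count(pat) for pat, weight in SUSPICIOUS.items())


def heuristic_flags(blob: bytes, threshold: int) -> bool:
    """The threshold is the sensitivity knob the entry above talks about."""
    return heuristic_score(blob) >= threshold


if __name__ == "__main__":
    samples = {"NewVirus": VARIANT_A, "NewVirus.b": VARIANT_B,
               "NewVirus.c": VARIANT_C, "clean.com": CLEAN}
    print(scan_family(samples))
    for name, data in samples.items():
        print(name, heuristic_score(data), heuristic_flags(data, 4))
```

With the threshold at 4 the heuristic flags all three variants and not the clean file; lower it to 3 and the clean file is flagged too, which is the false-positive trade-off that leads vendors to ship heuristics at reduced sensitivity. The generic signature has no such knob: it either matches the family skeleton or it does not, which is why it is the preferred tool once a family is known.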
Hexadecimal

Hexadecimal (or 'hex' for short) is base-16 numbering: each digit position can hold one of sixteen values. Since our standard decimal digits only run from 0 to 9, hexadecimal is written using the digits 0-9 together with the letters A-F (for the values ten to fifteen). The following table provides a few examples of how decimal numbers 'translate' into hexadecimal.

Hexadecimal is often used by low-level programmers since it makes it easier to represent the binary numbers used at machine level (when debugging a program, or examining sectors on a disk using a sector editor, for example). A byte contains eight bits (binary digits), but the same eight bits can be represented using just two hexadecimal digits, each digit standing for four bits.

Hoax

A hoax is a fake warning about a virus or other piece of malicious code. Typically a hoax takes the form of an e-mail message warning the reader of a dangerous new virus and suggesting that the reader pass the message on. Hoaxes cause no damage in themselves, but their distribution by well-meaning users often causes fear and uncertainty. Most anti-virus vendors include hoax information on their web sites and it is always advisable to check before forwarding warning messages.

Hosts file

The hosts file is a sort of 'mini DNS server' present on every Microsoft® Windows® system (and, as /etc/hosts, on Unix-like systems). When a user types a URL into the web browser, the system's name resolver checks the
local hosts file to see if the requested domain name is listed there, before it queries a DNS server. This is very efficient: if a match is found in the hosts file, there is no need to go looking on the Internet for a DNS server. Unfortunately, because entries in the hosts file override DNS, writers of malicious code, 'spyware' or phishing scams can tamper with the data stored in it. For example, a malware author might redirect all search requests (through Google, Yahoo, etc.) simply by editing the hosts file: listing these domain names but matching them to the IP address of a web site containing malicious code. Or a worm might prevent anti-virus programs from updating themselves by matching anti-virus domain names in the hosts file to the loopback address of the victim machine (127.0.0.1). A hosts file that contains anything beyond the localhost entries and the administrator's own additions deserves a closer look.

Hot spot
Synonyms: Wireless access point

A hot spot provides access to a wireless network. Hot spots are now common in businesses, homes, hotels, airports and even fast food outlets.

HTML [Hypertext Markup Language]

HTML comprises the set of codes used in a file that enables specified data (also known generically as 'web content') to be displayed on a web page. These codes (also known as 'tags') specify how a web browser should display text, graphics, video and sound. In general, web browser developers adhere to the standard set by the World Wide Web Consortium [W3C], although some also make use of additional codes.

HTTP [Hypertext Transfer Protocol]

HTTP is the protocol used for transferring data (including text, graphics, video and sound) across the World Wide Web. This data is stored in web pages on a web server. When an HTTP request is sent to the server from a web browser, the server delivers the data (also known generically as 'web content') to the requesting computer. The request for data is made by typing the URL into the web browser, or by clicking on a hyperlink (or link for short): this link may be
specified on a web page or in a piece of text in a document, spreadsheet, etc. The URL forms the address of the content on the Internet.

I

ICQ

ICQ ['I Seek You'] is a specific implementation of IM [Instant Messaging].

IDS [Intrusion Detection Systems]
Synonyms: Intrusion detection, IPS [Intrusion Prevention Systems]

Intrusion detection is designed to identify attacks on a computer system by analyzing traffic into, and through, a network, or activity on an individual host. Originally, intrusion detection was restricted to information gathering: the IT administrator was required to assess the data and take any remedial action required to secure the system. These days, IDS applications often provide an automated response to attacks based on a set of pre-defined rules. This is referred to as IPS [Intrusion Prevention Systems] and may be seen as a development of behavioral analysis. The price of automated blocking is that a false positive now interrupts legitimate traffic rather than merely raising an alert.

IDS (and IPS) fall into two categories. 'Host-based' systems are designed to protect individual computers and typically employ behavioral analysis to detect malicious code. They do this by monitoring calls made to the system and matching them against policies based on 'normal' behavior. Such policies can be quite granular, since behavior may be applied to specific applications. In this way, activity such as opening ports on the system, port scanning, attempts to escalate privileges on the system and injection of code into running processes can be blocked as 'abnormal' behavior. Some systems supplement behavioral analysis using signatures of known hostile code.

'Network-based' systems watch each network segment, either from a monitoring port (detection only) or deployed inline so that they can drop traffic (prevention). They inspect packets for malicious code, looking for 'abnormal' bandwidth usage or
for non-standard traffic (such as malformed packets). Network-based systems are particularly useful for detecting DoS attacks, or the traffic generated by network worms.

IM [Instant Messaging]

IM is a generic term that describes a system that allows users to see if a contact is online and communicate with them in real time over the Internet. IM may be text-only, although some IM systems support HTML or file sharing. Examples of IM implementations are AIM, ICQ, IRC and MSN Messenger.

IMAP [Internet Message Access Protocol]

IMAP is a protocol for reading e-mail that is stored on a remote server. This is useful, for example, where a home user connects to the Internet through an ISP and checks e-mail periodically. In this case, SMTP is used to send e-mail across the Internet to the ISP, while IMAP is used to access the e-mail held by the ISP. IMAP is similar to, but more sophisticated than, POP3: whereas POP3 downloads messages to the client, IMAP leaves them on the server and keeps folder and read/unread state there, so that several clients see the same mailbox.

Internet

The Internet (sometimes referred to simply as 'the net') is a global system of connected networks. The Internet developed out of 'ARPANET', set up in 1969 by the US government agency ARPA [Advanced Research Projects Agency] to provide a network of computers that would connect various academic and research organizations. Today the Internet is the sum total of the countless computers around the world that connect to each other using the public telecommunications infrastructure. The 'glue' that holds the Internet together is TCP/IP [Transmission Control Protocol/Internet Protocol]. 'TCP' splits data into packets for transmission across
the Internet and re-assembles them at the other end. 'IP' addresses the packets to the right location. Sitting on top of TCP/IP are other protocols that provide specific functions to users on the Internet. These include FTP (for file transfer), SMTP (for e-mail) and HTTP (for transferring data across the World Wide Web).

IP address

An IP [Internet Protocol] address is a 32-bit number (in IPv4, the version in general use) used to identify a computer sending or receiving packets across the Internet. The number, normally expressed as four numbers separated by full stops (each representing eight bits), identifies the network on the Internet and the host machine within that network. Of course, few of us can easily remember long numbers, so to make things easier we use domain names that map to IP addresses. At the time of writing, the domain name 'kaspersky.com', for example, maps to the IP address '81.176.69.70'.

IRC [Internet Relay Chat]

IRC is a specific implementation of IM [Instant Messaging].

ISP [Internet Service Provider]

ISPs provide users and organizations with access to the Internet. The ISP typically has what's known as a 'point of presence' on the Internet: the equipment necessary to provide Internet access to many users, and a dedicated range of IP addresses. Some ISPs rely on the infrastructure of telecoms providers; others have their own dedicated leased lines. Increasingly, ISPs provide value-added services along with Internet access, such as anti-virus and anti-spam filtering.

J

JavaScript
JavaScript is a scripting language originally developed by Netscape®. Like VBScript, JavaScript is often used in the development of web pages. For specific tasks, it's often easier to write a script than to use a formal programming language like 'C' or 'C++'. However, as with a compiled program, it's also possible to use JavaScript to create malicious code. Since a script can be easily embedded in HTML, a virus author can embed a malicious script within an HTML e-mail: if the user's e-mail client renders HTML with scripting enabled, the script runs as soon as the message is viewed, which is why current mail clients disable scripting in messages.

Joke program

Joke programs are not harmful, but do something that the author considers to be funny. This often includes behavior that simulates the destructive effects of malicious code: for example, displaying a message telling the user that their hard drive is being formatted.

Junk e-mail (Spam)
Synonyms: UCE [Unsolicited Commercial E-mail]

Spam is the name commonly given to unsolicited e-mail. It is effectively unwanted advertising, the e-mail equivalent of physical junk mail delivered through the post or of unsolicited telemarketing calls.

K

Kernel

The term kernel refers to the core of an operating system that supports all other operations. By contrast, the term shell is used to describe the user interface.

Keylogger
Synonyms: Keystroke logger

A keylogger can be used by a third party to obtain confidential data (login details, passwords, credit card numbers, PINs, etc.) by intercepting key presses. Backdoor Trojans often come with a built-in keylogger, and the confidential data is
relayed to a remote hacker, to be used to make money illegally or to gain unauthorized access to a network or other company resource.

Kilobyte

A kilobyte [KB] is a unit of measurement for computer storage and is equivalent to 1,024 bytes.

L

Link virus

Viruses are often classified according to the technique they use to infect. A link virus, as the name suggests, does not add its code directly to infected files. Instead, it spreads by manipulating the way files are accessed under the FAT file system. When an infected file is run, the virus goes memory-resident and writes a (typically hidden) file to the disk: this file contains the virus code. Subsequently, the virus modifies the directory entries of other programs so that their starting cluster points to the cluster holding the virus code, cross-linking them to it. The result is that whenever one of these programs is run, the system jumps first to the virus code and runs it, after which the virus passes control to the original program. The cross-linking is detectable if the CHKDSK program is run, although a virus could use stealth to conceal the changes if the virus was in memory (in other words, if the user did not boot from a clean system disk).

M

Macro virus

Viruses are often classified according to the objects they infect. Macro viruses, as the name suggests, are designed to add their code to the macros associated with documents, spreadsheets and other data files.
The first macro virus, called Concept, appeared in July 1995, and macro viruses subsequently became the dominant type of virus. There were three major reasons for this. First, they were the first type of virus to deliberately add their code to data files: this meant they weren't just reliant on the exchange of floppy disks or programs. Second, they were very easy for would-be virus authors to write (or copy), so a new macro virus spawned many new variants. Third, they 'cashed in' on the emergence of e-mail as a key business tool, so that infected users inadvertently spread them quicker than any other type of virus had spread before. The vast majority of macro viruses were designed to spread on the back of Microsoft® Office data files (Word, Excel, Access, PowerPoint and Project), although there were a few 'proof-of-concept' macro viruses for other formats (Lotus AmiPro®, for example). Macro viruses dominated the scene until the appearance of the first 'mass-mailers' early in 1999.

Malicious code

Malicious code refers to any program that is deliberately created to perform an unauthorized, often harmful, action.

Malware
Synonyms: Malicious software

Malware (short for malicious software) refers to any program that is deliberately created to perform an unauthorized, often harmful, action.

Mass-mailer

Mass-mailing refers to the technique, used by many worms, of 'hijacking' the e-mail system to send malicious code automatically to e-mail addresses harvested from an already infected computer.
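The hosts-file tampering described under Hosts file earlier in this section (search engines pinned to an attacker's address, anti-virus update servers blackholed to the local machine) is something an incident responder checks by hand. The script below is an added example written for this glossary, not a vendor tool: it parses a hosts file and reports watched domains that resolve to loopback or to a fixed address. The sample file and the list of watched domains are constructed for the example; a real deployment would carry the organization's own list.

```python
"""Spot hosts-file entries that blackhole or redirect watched domains."""
import ipaddress

# Constructed sample hosts file, not from any real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.12       intranet.example      # legitimate local entry
127.0.0.1       www.kaspersky.com
127.0.0.1       update.symantec.com
198.51.100.23   www.google.com  google.com
"""

# Domains worms typically blackhole (vendors) or hijack (search engines).
# This list is part of the example, not an official watch list.
WATCHED_SUFFIXES = ("kaspersky.com", "symantec.com", "mcafee.com",
                    "windowsupdate.com", "google.com", "yahoo.com")


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text: str):
    """Return [(ip, hostname, reason)] for entries that look tampered with."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "blackholed to local host"))
        else:
            findings.append((ip, name, "pinned to fixed address (possible redirect)"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(*finding)
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and on Unix-like systems at /etc/hosts; read it from there instead of the embedded sample. A pinned address is not proof of tampering (administrators do pin internal names), which is why the script reports a reason rather than a verdict.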
MBR [Master Boot Record]
Synonyms: Partition sector

The MBR is the first sector on a hard disk. It contains the boot code that the BIOS runs first, followed by the partition table, which holds information on up to four primary partitions: their size, their type and which one is 'active' (i.e. which one contains the operating system used to boot the machine). Because the code in the MBR runs before any operating system, and therefore before any anti-virus software, it has long been a target for boot viruses.

Megabyte

A megabyte [MB] is a unit of measurement for computer storage and is equivalent to 1,024 kilobytes, or 1,048,576 bytes.

Modem

A modem converts digital signals from a computer into analog signals that can be transferred across a standard telephone line, and vice versa. The capacity of modems has increased considerably in recent years, from 14.4Kbps (kilobits per second), to 28.8Kbps, to 56Kbps. However, even higher capacity can be achieved using a digital ISDN [Integrated Services Digital Network] adaptor (up to 128Kbps) or a broadband connection (these days measured in Mbps).

MS-DOS

Short for Microsoft® Disk Operating System, MS-DOS was a command-line driven operating system developed for the PC. MS-DOS 1.0 was released in 1981 and the final stand-alone version, MS-DOS 6.22, was released in 1994. Microsoft® Windows® also provides command-line access through its Command Prompt.

MSN Messenger

MSN Messenger is a specific implementation of IM [Instant Messaging].

Multipartite
Multipartite viruses are those that use multiple infection methods. In the days when MS-DOS was the primary PC operating system, the term multipartite was used to describe viruses that infected both programs and boot sectors.

N

Network

A network is a group of computers that are connected with each other and able to send and receive data. The computers within a network are sometimes referred to as 'nodes' or 'workstations', and the way they are connected to each other is referred to as the network's 'topology'. A typical type of network is the LAN [Local Area Network], where all nodes are connected to a dedicated server used for disk storage and shared applications. Some smaller organizations, by contrast, may have a peer-to-peer network: in this case, all computers on the network are connected to each other, but there is no dedicated server. In larger organizations, which may be geographically dispersed, several LANs (one at each physical site, for example) may be connected into a WAN [Wide Area Network], often using the public telecommunications infrastructure. The Internet can be seen as a 'super network' that uses public telecommunications infrastructure to combine countless individual networks through the common use of the TCP/IP protocol.

NTFS [New Technology File System]

NTFS is the file system used by Microsoft® Windows® NT, Windows® 2000 and Windows® XP. It was developed after the FAT file system implemented in MS-DOS and provides more efficient and secure methods for storage and retrieval of files (including support for very large files, integrated file compression, a more efficient directory system and access control for specific files). By contrast with
the FAT system, NTFS keeps the information about each file (its name, attributes, security descriptor and the list of clusters it occupies) in a central index, the MFT [Master File Table]; a very small file is stored entirely within its own MFT record.

O

Open relay

The term open relay is applied to an SMTP server that is set up to accept and forward e-mail from any sender to any destination, even when neither the sender nor the recipient belongs to the organization that runs it. The open relay acts as a sort of 'blind go-between', routing all e-mail regardless of its source or destination. Using tools that are easily available on the Internet, spammers are able to use open relays to deliver large volumes of spam while covering their tracks. Since the e-mail they send out is routed through the SMTP server of a legitimate organization, it looks as though it has come from a legitimate source, and it is the relaying organization whose server then ends up on spam block lists.

Open source software

Open source software is software that is developed, maintained and distributed freely, based on open collaboration between programmers. As the name suggests, the source code for the operating system or application is published openly. Various Unix-based operating systems have been developed on the open source principle.

Operating system

An operating system (sometimes abbreviated as OS) is the collection of programs that loads when a computer boots and subsequently manages the operation of all other functions on the computer. This includes access to the computer's hardware, use of the computer's processor, memory management, etc. Examples of operating systems are MS-DOS, Windows® XP, Linux, NetWare®, etc.
Overwriting virus

Viruses are often classified according to the technique they use to infect. An overwriting virus, as the name suggests, completely replaces the code in the infected file with its own. Of course, the original program no longer runs, so the infection becomes obvious. For this reason, overwriting viruses have never been successful at spreading in the field.

P

Peer-to-peer
Synonyms: P2P

The term 'peer-to-peer' can be applied to a network in which there is no dedicated network server and in which each machine has both server and client capabilities. Today, the term P2P is more commonly applied to a temporary connection shared by users running the same application, allowing them to share files on each other's computers (typically to share music or other multimedia files over the Internet, as with Napster, Gnutella and Kazaa). Because every participant offers files to strangers, P2P networks are also a common distribution channel for malware disguised as popular downloads.

Packet

A packet is a unit of data transferred between two points on the Internet. When data is sent across the Internet (an e-mail message, for example), it is divided into convenient sections. Each of these packets may travel via a different route, to be re-assembled at the destination.

Partition

A partition is a logical division of a hard disk into several sections, allowing the user, for example, to install different operating systems on the same hard disk. Partitions were traditionally created using the FDISK.EXE program. Information on the number of partitions,
their size and which one is 'active' (i.e. which one contains the operating system used to boot the machine) is stored within the MBR, in the partition table.

Patch
Synonyms: Service pack, Maintenance pack

A patch provides additional, revised or updated code for an operating system or application. Except for open source software, most software vendors do not publish their source code, so patches are normally pieces of binary code that are 'patched' into an existing program (using an install program). The term 'patching' refers to the process of downloading and installing additional code supplied by an application vendor. However, the terms used may vary. Typically, a minor fix is referred to as a patch, while a significant cumulative fix is referred to as a Maintenance Pack or Service Pack.

Patching has become an integral part of computer security, since vulnerabilities in popular operating systems and applications are among the primary targets for virus writers and hackers. It is crucial to patch in a timely manner. During recent years, the time-lag between the disclosure of a vulnerability and the creation of exploit code that makes use of it has diminished. The worst-case scenario, of course, is a so-called 'zero-day exploit', where an exploit is already in use before the vendor has had a single day to produce a fix. This leaves no time for a vendor to create a patch, or for IT administrators to implement other defensive measures, before the exploit is in circulation.
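The MBR and Partition entries above describe the partition table in words; here it is as a parser, added for this page and not taken from the glossary or from any disk tool. The layout it relies on (446 bytes of boot code, four 16-byte entries, the 0x55AA signature, and the entry fields in little-endian order) is the documented classic MBR format. The 512-byte disk sector it parses is constructed inside the block; the type-code table is a small illustrative subset of the well-known codes.

```python
"""Parse the partition table held in a classic 512-byte MBR."""
import struct

SECTOR = 512
TABLE_OFFSET = 446                 # boot code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sectors
SIGNATURE = b"\x55\xaa"            # bytes 510..511

# Illustrative subset of well-known partition type codes.
TYPES = {0x00: "empty", 0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/HPFS",
         0x0b: "FAT32", 0x0c: "FAT32 LBA", 0x0f: "extended LBA",
         0x82: "Linux swap", 0x83: "Linux"}


def parse_mbr(sector: bytes):
    """Return a list of dicts, one per non-empty partition entry."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0x00:
            continue
        parts.append({
            "index": i,
            "active": status == 0x80,     # 0x80 = bootable, 0x00 = not
            "type": TYPES.get(ptype, hex(ptype)),
            "start_lba": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return parts


def active_partition(parts):
    """The entry the boot code hands control to; exactly one should be active."""
    actives = [p for p in parts if p["active"]]
    if len(actives) != 1:
        raise ValueError(f"expected one active partition, found {len(actives)}")
    return actives[0]


def overlapping(parts):
    """Pairs of partitions whose sector ranges overlap (a sign of corruption)."""
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"], p["index"]) for p in parts)
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]


def make_entry(active: bool, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack(ENTRY_FMT, 0x80 if active else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba, count)


# Constructed sample: 200 MB bootable NTFS partition, then 100 MB Linux.
SAMPLE_MBR = (b"\x00" * TABLE_OFFSET
              + make_entry(True, 0x07, 2048, 409600)
              + make_entry(False, 0x83, 411648, 204800)
              + make_entry(False, 0x00, 0, 0)
              + make_entry(False, 0x00, 0, 0)
              + SIGNATURE)

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("boots from:", active_partition(parts)["type"])
```

To read a real disk, replace SAMPLE_MBR with the first 512 bytes of the device (this needs administrator rights). The sample leaves the boot-code area zeroed; on a real disk that area is where a boot virus lives, so an incident responder usually compares it against a known-good copy as well as reading the table.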
Payload

In the world of malicious code, the term payload is used to describe what a virus, worm or Trojan has been coded to do to a victim machine. For example, a virus could be designed to display a message on the screen on a particular day of the week, or erase all EXE files on a given day, or anything else that software can be coded to do. In fact, many viruses contain no payload at all. That's not to say that they will have no adverse effect on an infected system. Many viruses are poorly written and may interfere with other programs running on the machine. They may also cause unintended side-effects if they are run in an environment they were not 'designed' for.

PDA [Personal Digital Assistant]

PDA is the term given to small handheld computers that provide many of the functions of a standard PC, including e-mail, a web browser, calendar (and other personal information) functions, network access, and synchronization between the PDA and a PC. Increasingly, PDA functions are being combined with those of a wireless phone in a smartphone.

Phishing

Phishing is a form of cyber crime based on social engineering techniques. The name 'phishing' is a conscious misspelling of the word 'fishing'. It involves tricking users into handing over confidential data, which is subsequently used to steal their money. The cyber criminal creates an almost perfect replica of a financial institution's or online retailer's web site. He then tries to lure unsuspecting users to the site to enter their login, password, credit card number, PIN, etc. into a fake form. This data is collected by the phisher, who later uses it to access users' accounts fraudulently.
Some financial institutions now make use of a graphical keyboard, where the user selects characters using a mouse instead of a physical keyboard. This prevents collection of confidential data by phishers who trap keyboard input, but is of no avail against so-called 'screenscraper' techniques, where a Trojan takes a snapshot of the user's screen and forwards it to a server controlled by the Trojan's author or 'master'.

There are several different ways of trying to drive users to a fake web site:

Spam e-mail, spoofed to look like correspondence from a legitimate financial institution.

Hostile profiling, a targeted version of the above: the cyber criminal exploits web sites that use e-mail addresses for user registration or password reminders and directs the phishing scam at specific users (asking them to confirm passwords, etc.).

Installing a Trojan that edits the hosts file, so that when the victim tries to browse to their bank's web site, they are redirected to the fake site.

Pharming, which poisons the DNS answers users receive so that the bank's real domain name resolves to the fake site.

'Spear phishing', an attack on a specific organization in which the phisher targets particular employees, obtains their login details and uses them to gain wider access to the rest of the network.

Polymorphism

The term 'polymorphic' comes from the Greek for 'many forms'. Polymorphic viruses are variably encrypted: the body is encrypted with a different key on each infection and the small decryption routine is itself rewritten each time, so there is no constant sequence of bytes for an anti-virus program to search for. As a result, anti-virus programs must use other techniques to identify and remove polymorphic viruses, including emulating the code until it has decrypted itself, or using mathematical algorithms to 'see through' the code.

POP3 [Post Office Protocol 3]

POP3 is a protocol for receiving e-mail. POP3 is useful where e-mail is stored on a remote server and then forwarded to the user. This is useful, for example, where
a home user connects to the Internet through an ISP and downloads e-mail periodically. In this case, SMTP is used to send e-mail across the Internet to the ISP, while POP3 is used to download the e-mail from the ISP. Many e-mail client applications (Microsoft® Outlook®, for example, and Outlook Express, bundled with Internet Explorer) support POP3.

Pornware

'Pornware' is the generic term used by Kaspersky Lab to describe malware-related programs that either use the computer's modem to connect to pornographic pay-to-view services, or download pornographic content from the web, without the consent of the user.

Port
Synonyms: TCP/IP port

In computing, ports are connection points. They may be physical connection points, as in the COM (or serial) and parallel ports used by physical input or output devices. Before the advent of USB ports, a mouse or an external modem typically used a COM port (where data is transferred 'serially', one bit at a time), while printers typically used a parallel port (where data is transferred 'in parallel', eight bits at a time). Today, most computers are equipped with a number of USB ports. USB allows up to 127 devices to connect to a single computer and allows for rapid transfer of data.

They may also be logical connection points for data transferred via TCP or UDP, numbered from 0 to 65535. Some port numbers are 'well known' and conventionally reserved for a service: port 80, for example, is the standard port for HTTP. Others are assigned dynamically for each connection. Ports are used by authors of malicious code to transfer data from a victim machine to the 'master', or to download additional malicious code; a backdoor listening on an unexpected port is one of the classic signs of infection.

Port scanning
    • Port scanning is the process of sending messages to ports on a computer to see what response comes back: the response indicates whether or not the port is being used and may be vulnerable to attack. Program Synonyms: Executable file Programs (also known as executables) contain binary code in a form that is ready to be run on a computer. Programs are written using a computer language (‘C’ or ‘C++’, for example), where the programmer writes the language-specific instructions using a text editor: this is known as source code. The source code is then compiled into instructions that can be interpreted by the computer. The most common file extension for programs in a Microsoft® Windows® environment is EXE, but there are other files that contain program code, including COM and DLL. Batch files (which have the extension BAT) are themselves text files, but they contain a list of instructions for the computer to carry out unattended. Proxy server A proxy server stands between users on a network and the Internet. When a user requests a web page through their browser, the request goes through the proxy server. The proxy server checks its cache, to see if the page has been requested before: if it has, there’s no need for the proxy server to access the Internet, so the user gets quicker access to cached pages. Many organizations install a proxy server at the Internet gateway, on the same computer as its firewall. PSW Trojans Synonyms: Password-stealing Trojans These Trojans are designed to steal passwords from the victim machine (although some steal other types of information also: IP address, registration details, e-mail
    • client details, and so on). This information is then sent to an e-mail address coded into the body of the Trojan. The first PSW Trojans were AOL password stealing Trojans: and they are so numerous that they form a specific subset of PWS Trojans. R RAM [Random Access memory] Synonyms: Memory RAM is used by the operating system and other software to hold data that is currently being used. Applications and data held on the hard disk or removable media are loaded into RAM before being processed. It’s faster to read from, and write to, RAM than a hard disk or removable media. However, RAM can be used only for temporary storage: it is cleared whenever the PC is switched off. Registry key Synonyms: System registry key, Key In Microsoft® Windows®, registry keys are used to store configuration information: the value of a relevant key is changed every time a program is installed or when its configuration settings have been modified. Many malicious programs change key values, or create new ones, to ensure that their code runs automatically: in addition, they can have an adverse effect on legitimate programs. Riskware ‘Riskware’ is the generic term used by Kaspersky Lab to describe programs that are legitimate in themselves, but that have the potential for misuse by cyber criminals: for example, remote administration utilities. Such programs have always had the potential to be misused, but they now have a higher profile. During the last few years, there has been a fusion of ‘traditional’ virus techniques with
    • those of hackers. In the changing climate, such ‘riskware’ programs have come in to their own as a means of controlling machines for malicious purposes. Rootkit A rootkit is a collection of programs used by a hacker to evade detection while trying to gain unauthorized access to a computer. This is done either by replacing system files or libraries, or by installing a kernel module. The hacker installs the rootkit after obtaining user-level access: typically this is done by cracking a password or by exploiting a vulnerability. This is then used to gather other user IDs until the hacker gains root, or administrator, access to the system. The term originated in the Unix world, although it has since been applied to the techniques used by authors of Windows-based Trojans to conceal their activities. Rootkits have been used increasingly as a form of stealth to hide Trojan activity, something that is made easier because many Windows users log in with administrator rights. Router A router is a device, located at the point where one network meets another, that decides the next point to which a network packet should be passed on its way to its final destination. S Sandbox In the context of computer security, a sandbox provides a tightly-controlled environment in which semi-trusted programs or scripts can be safely run in memory (or with limited access to the local hard disk). The sandbox concept can be implemented in a web browser, to safeguard the user from potentially harmful content, or it can be used as a method for analyzing programs in order to determine if they are safe or harmful.
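The Port scanning entry above describes the probe from the scanner's side; the defender's counterpart is recognising one in the logs. The following is an added example, not code from the glossary or from Kaspersky Lab. It parses constructed firewall-style log lines (the line format, the addresses and the timestamps are all invented for the example) and reports any source that touches many distinct destination ports on one host inside a short time window, which is the signature of a scan rather than of normal client traffic.

```python
"""Port-scan detection over constructed firewall log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a simplified iptables-like format.
# These lines are invented for the example, not captured traffic.
SAMPLE_LOG = """\
2008-12-12T10:00:01 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=21 SYN
2008-12-12T10:00:01 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=22 SYN
2008-12-12T10:00:02 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=23 SYN
2008-12-12T10:00:02 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=25 SYN
2008-12-12T10:00:03 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=80 SYN
2008-12-12T10:00:03 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=110 SYN
2008-12-12T10:00:04 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=443 SYN
2008-12-12T10:00:04 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=3389 SYN
2008-12-12T10:00:05 SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=80 SYN
2008-12-12T10:00:06 SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=80 SYN
2008-12-12T10:00:07 SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=443 SYN
2008-12-12T10:30:00 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=8080 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("src"),
            m.group("dst"), int(m.group("dpt")))


def detect_port_scans(log_text, window_seconds=60, min_ports=5):
    """Map each suspicious source IP to the sorted list of ports it probed.

    A source is suspicious when it touches at least `min_ports` distinct
    destination ports on the same target within any `window_seconds` span.
    Distinct ports are counted rather than packets, so a client that simply
    retries one port is not reported.
    """
    events = defaultdict(list)          # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))

    suspects = defaultdict(set)
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                suspects[src].update(ports)
    return {src: sorted(ports) for src, ports in suspects.items()}


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

The thresholds are deliberately parameters: a busy proxy or a monitoring host legitimately talks to several ports on one server, so the window and the distinct-port count are tuned per network rather than fixed.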
SDK [Software Development Kit]

An SDK is a set of routines, modules and protocols that can be used to access a program’s functionality through its Application Program Interface [API]. Although these two terms are distinct, they are often used interchangeably. An anti-virus engine SDK provides the tools necessary for third parties to integrate anti-virus scanning into their application or business process.

Sector
Synonyms: Disk sector

A sector is an area on a PC disk (hard disk or floppy disk) used to store data. Sectors, which resemble the slices of a cake, are laid down on the disk when it is prepared for use, or formatted. The size of each sector varies depending on the operating system and is defined in the disk’s boot sector. A disk is also divided into cylinders (or tracks) and heads (or sides). Data on a disk is accessed, at a low level, according to its cylinder, head and sector number. Of course, the user doesn’t need to worry about this low-level information, since the operating system handles the storage and retrieval of data in a user-friendly way.

Shell

The term shell describes the user interface of an operating system, used to launch programs and give other commands. By contrast, the term kernel refers to the core of the operating system that supports all other operations.

Smartphone

The term ‘smartphone’ is generally applied to a mobile device that combines the functions of a wireless phone with functions more typically associated with a PDA. These include wireless e-mail access, wireless access to online banking and other web browsing capabilities, wireless access to a network, calendar (and other personal information) functions, and wireless and wired synchronization between the device and a PC. Symbian OS and Windows® CE are the most common operating systems installed on smartphones.

SMTP [Simple Mail Transfer Protocol]

SMTP is a protocol for sending e-mail across the Internet. While any individual organization may implement a specific application for handling e-mail internally (Microsoft® Exchange, Lotus Domino®, etc.), SMTP is the common format into which all messages are converted before being sent over the Internet. In situations where e-mail is stored on a remote server and then forwarded to the user (where a home user connects to the Internet through an ISP and downloads e-mail periodically, for example), the POP3 or IMAP protocols are also often used.

Social engineering

Social engineering refers to a non-technical breach of security that relies heavily on human interaction, i.e. tricking end users into breaking normal security measures. Virus writers and spammers alike depend heavily on disguising malware and spam as innocent messages or software, which may even pretend to be fighting against the very form of cyber crime that is about to be committed. The objective is to get the user to respond: click on an infected e-mail attachment, click on a link to a compromised web site, or respond to a fake unsubscribe notice ... the list is endless.

Software

The general term used for programs that run on a computer. This includes system software (related to the operating system) and application software used to carry out specific tasks (word processors, spreadsheet software, etc.).

Stealth

Stealth is the term used to describe techniques used to make a virus inconspicuous – that is, to conceal any changes a virus makes to the infected system.

Stealth virus

Stealth viruses attempt to evade anti-virus scanners by presenting clean data when queried by an anti-virus product. Some of these viruses display a clean version of the infected file during scans. Other stealth viruses hide the new size of the infected file and display the pre-infection size.

System files

System files are operating system files, used to carry out basic functions on a computer.

System registry
Synonyms: Windows registry

The Windows system registry is a database used by all modern Windows platforms. This database contains the information needed to configure the system. Windows constantly refers to the registry for information ranging from user profiles, to which applications are installed on the machine, to what hardware is installed and which ports are registered. Registry keys replace the .ini files used in earlier versions of Windows. The registry data is stored as binary code.

T

TCP/IP [Transmission Control Protocol/Internet Protocol]

TCP/IP is the protocol used by the countless computers around the world that connect to each other through the Internet. ‘TCP’ splits data into packets for transmission across the Internet and re-assembles them at the other end. The ‘IP’ part of the protocol is responsible for addressing the packets to the right location.
Terabyte

A terabyte [TB] is a unit of measurement for computer storage and is equivalent to a thousand gigabytes.

Trojan
Synonyms: Trojan horse

The term Trojan is taken from the wooden horse used by the Greeks to sneak inside the city of Troy and capture it. The first Trojans, which appeared in the late 1980s, masqueraded as innocent programs. Once the unsuspecting user ran the program, the Trojan would deliver its harmful payload. Hence the copy-book definition of a Trojan as a non-replicating program that appears to be legitimate but is designed to carry out some harmful action on the victim computer.

One of the key factors distinguishing Trojans from viruses and worms is that they don’t spread by themselves. In the early days of PC malware, Trojans were relatively uncommon since the author had to find some way of distributing the Trojan manually. The widespread use of the Internet and the development of the World Wide Web provided an easy mechanism for distributing Trojans far and wide. Today, Trojans are very common. They typically install silently and carry out their function(s) invisibly to the user.

Like viruses and worms, Trojans are often sub-divided into different categories based on their function.

- Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines.
- PSW Trojans steal passwords from victim machines (although some also steal other types of information: IP address, registration details, e-mail client details, and so on).
- Trojan Clickers re-direct victim machines to a specified web site, either to raise the ‘hit-count’ of a site, or for advertising purposes, or to organize a DoS attack on a specified site, or to direct the victim to a web site containing other malicious code.
- Trojan Droppers and Trojan Downloaders install malicious code on a victim machine, either a new malicious program or a new version of some previously installed malware.
- Trojan Proxies function as a proxy server and provide anonymous access to the Internet: they are commonly used by spammers for large-scale distribution of spam e-mail.
- Trojan Spies track user activity, save the information to the user’s hard disk and then forward it to the author or ‘master’ of the Trojan.
- Trojan Notifiers inform the author or ‘master’ that malicious code has been installed on a victim machine and relay information about the IP address, open ports, e-mail address and so on.
- Archive bombs are designed to sabotage anti-virus programs. They take the form of a specially constructed archive file that ‘explodes’ when the archive is opened for scanning by the anti-virus program’s de-compressor. The result is that the machine crashes, slows down or is filled with garbage data.

Trojan Clickers

Trojan Clickers re-direct victim machines to a specified web site. This is done either to raise the ‘hit-count’ of a site, for advertising purposes, or to organize a DDoS attack on a specified site, or to direct the victim to a web site containing other malicious code (another Trojan, for example). The Trojan does this either by sending commands to the web browser or by simply replacing system files that contain URLs (the Windows® ‘hosts file’, for example).

Trojan Downloaders

These Trojans (like Trojan Droppers) are used to install malicious code on a victim machine. However, they can be more useful to malware authors. First, Downloaders are much smaller than Droppers. Second, they can be used to download endless new versions of malicious code, adware or ‘pornware’ programs. Like Droppers, Downloaders are also typically written in script languages such as VBS or JavaScript. They also often exploit Microsoft® Internet Explorer vulnerabilities.

Trojan Droppers

The purpose of Trojan Droppers, as the name suggests, is to install malicious code on a victim machine. They either install another malicious program or a new version of some previously installed malware. Trojan Droppers often carry several completely unrelated pieces of malware that may differ in behavior or even have been written by different coders: in effect, they are a kind of malware archive containing many kinds of malicious code. They may also include a joke or hoax, to distract the user from the real purpose of the Dropper: the background installation of malicious code, adware or ‘pornware’ programs. Droppers are often used to carry known Trojans, since it is significantly easier to write a dropper than a brand new Trojan that anti-virus programs will not be able to detect. Most droppers are written using VBS or JavaScript: they are, therefore, easy to write and can be used to perform multiple tasks.

Trojan Notifiers

The purpose of these Trojans is to inform the author or ‘master’ that malicious code has been installed on the victim machine and to relay information about the IP address, open ports, e-mail address and so on. Trojan Notifiers are typically included in a Trojan ‘pack’ that contains other malware.

Trojan Proxies

These Trojans function as a proxy server and provide anonymous access to the Internet: they are commonly used by spammers for large-scale distribution of spam e-mail.

Trojan Spies

Trojan Spies, as the name suggests, track user activity, save the information to the user’s hard disk and then forward it to the author or ‘master’ of the Trojan. The information collected includes keystrokes and screenshots, used in the theft of banking data to support online fraud.

U

UDP [User Datagram Protocol]

UDP is a protocol used to transfer data (in the form of ‘datagrams’) across the Internet. Unlike TCP/IP, UDP doesn’t split up messages and re-assemble them at the other end. It is useful for sending small amounts of data, since it saves the processing time that would be spent re-assembling packets.

Unicode

Unicode, used in Microsoft® Windows® NT, Windows 2000 and Windows XP, succeeded ASCII as a means of using binary codes to represent the text characters used in the world’s principal languages.

Unix

The Unix operating system originated at AT&T’s Bell Labs in 1969. Unix is an open source operating system. Since it is not owned by a single vendor, many different Unix versions have been developed since its creation (including Unix-derivative operating systems like Linux). The Open Group holds the ‘Single UNIX Specification’ and the UNIX® trademark and certifies different Unix implementations.

Upload

Where a file is transferred from one computer to another, the sender is said to upload the file. For example, anti-virus updates are uploaded by an anti-virus vendor to their server, to make them available to users of their software.

URL [Universal Resource Locator]

The URL specifies the address of a piece of content on the World Wide Web. The request is made by typing the URL into the web browser, or by clicking on a hyperlink (or link for short): this link may be specified on a web page or in a piece of text in a document, spreadsheet, etc.

USB [Universal Serial Bus]

USB provides a ‘plug-and-play’ standard for connecting many peripheral devices to a computer simultaneously, without the need for a specific adapter card for each device. USB allows up to 127 devices to connect to a single computer and allows for rapid transfer of data. USB 1.1 (the original USB specification, developed by Compaq, IBM, DEC, Intel, Microsoft and Northern Telecom) supports data speeds of up to 12Mbps. USB 2.0 (developed by Compaq, Hewlett Packard, Intel, Lucent, NEC and Philips) supports data transfer speeds of up to 480Mbps.

V

Variant

The term variant refers to a modified version of an existing piece of malicious code. Virus writers are often quick to create new versions of a virus, worm or Trojan that has been ‘successful’, or whose source code has been published.

VBS [Visual Basic Script]

VBS is a script language developed by Microsoft®. Like JavaScript, it is often used in the development of web pages. For specific tasks, it is often easier to write a script than to use a formal programming language like ‘C’ or ‘C++’. However, as with a formal program, it is also possible to use VBS to create malicious code. Since a script can easily be embedded in HTML, a virus author can embed a malicious script within an HTML e-mail: when the user reads the e-mail, the script runs automatically.

Virus
Synonyms: Computer virus, Malicious program, Classic virus

Today the term virus is often loosely used to refer to any type of malicious program, or to describe any ‘bad thing’ that a malicious program does to a host system. Strictly speaking, however, a virus is defined as program code that replicates. Of course, this simple definition leaves plenty of scope for further sub-division.

Sometimes viruses are further classified by the types of object they infect: for example, boot sector viruses, file viruses and macro viruses. Or they may be classified by the method they use to select their host. ‘Indirect action file viruses’ load into memory and hook into the system so that they can infect files as they are accessed. Conversely, ‘direct action file viruses’ do not go memory-resident, simply infecting a file (or files) when an infected program is run and then ‘going to sleep’ until the next time an infected file is run.

Another way of classifying viruses is by the techniques they use to infect. There are ‘appending viruses’ that add their code to the end of a host file, ‘prepending viruses’ that put their code at the start of a host file, and overwriting viruses that replace the host file completely with their own code. By contrast, companion viruses and link viruses avoid adding code to a host file at all. Then there are stealth viruses that manipulate the system to conceal the changes they make, and polymorphic viruses that encrypt their code to make it difficult to analyze and detect.

Of course, there are also viruses that fail to work: they either fail to infect or fail to spread. Such would-be viruses are sometimes referred to as ‘wannabes’.
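The Trojan Clickers entry above (and the hosts-file trick in the Phishing entry) describe redirection by rewriting the Windows hosts file. A simple integrity check is to parse that file and flag any line that mentions a domain the organisation cares about, since a clean hosts file normally holds only loopback entries and a handful of local names. The following is an added example, not code from the glossary or from Kaspersky Lab; the sample hosts file content, the bank and vendor domain names and the watch list are all invented placeholders.

```python
"""Hosts-file hijack check (added example, constructed sample data)."""
import ipaddress

# Constructed sample hosts file: invented content, not from a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.50    intranet.example.local      # legitimate internal name
10.11.12.13     www.examplebank.com online.examplebank.com
not-an-ip       www.examplebank.com
203.0.113.9     update.example-antivirus.com
"""

# Hypothetical names an administrator would watch (placeholder domains).
WATCHED_SUFFIXES = ("examplebank.com", "example-antivirus.com")


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            yield address, name.lower()


def hijacked_entries(text, watched_suffixes=WATCHED_SUFFIXES):
    """Return [(hostname, address)] for every watched name present in the file.

    Any mapping for a watched name is reported, whatever address it points
    to: these names should not appear in a hosts file at all.  Lines whose
    first field is not a valid IPv4/IPv6 address are skipped as malformed.
    """
    findings = []
    for address, name in parse_hosts(text):
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue
        if any(name == s or name.endswith("." + s) for s in watched_suffixes):
            findings.append((name, address))
    return findings


if __name__ == "__main__":
    for name, address in hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {address}")
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts, read as text; on Unix-like systems it is /etc/hosts. Matching is done on the domain suffix so that www., online. and any other subdomain of a watched name are caught, while a lookalike such as examplebank.com.evil.test is not.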
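The archive bomb described in the Trojan entry above works because a de-compressor trusts the archive and inflates whatever it finds. A scanner can defend itself by reading the sizes recorded in the ZIP central directory before inflating anything, and by capping the bytes it actually produces while inflating, since header fields can be forged. The following is an added example, not code from the glossary or from Kaspersky Lab; the thresholds are illustrative, and the in-memory archives it builds are constructed test input, not real archive bombs.

```python
"""Archive pre-checks before decompression (added example)."""
import io
import zipfile


def build_sample_archive(payload, name="data.bin"):
    """Construct an in-memory ZIP with one DEFLATE member (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def archive_risk(zip_bytes, max_ratio=100.0, max_total=50 * 1024 * 1024):
    """Return (suspicious, reasons) using only the central directory.

    Nothing is inflated here: the declared compressed and uncompressed
    sizes are enough to spot an extreme compression ratio or an archive
    whose total expanded size exceeds what the scanner is willing to hold.
    """
    reasons = []
    total_uncompressed = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            total_uncompressed += info.file_size
            if info.compress_size == 0:
                if info.file_size > 0:
                    reasons.append(f"{info.filename}: claims {info.file_size} "
                                   "bytes from 0 compressed bytes")
                continue
            ratio = info.file_size / info.compress_size
            if ratio > max_ratio:
                reasons.append(f"{info.filename}: compression ratio "
                               f"{ratio:.0f}:1 exceeds {max_ratio:.0f}:1")
    if total_uncompressed > max_total:
        reasons.append(f"total expanded size {total_uncompressed} bytes "
                       f"exceeds limit {max_total}")
    return bool(reasons), reasons


def bounded_read(zip_bytes, name, limit):
    """Inflate one member but stop once `limit` bytes have been produced.

    Returns (data, truncated).  Declared sizes can lie, so the cap is
    enforced on the bytes actually coming out of the decompressor.
    """
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, zf.open(name) as member:
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                return bytes(out), False
            out += chunk
            if len(out) > limit:
                return bytes(out[:limit]), True


if __name__ == "__main__":
    bomb = build_sample_archive(b"\0" * (4 * 1024 * 1024))
    print(archive_risk(bomb))
    print(archive_risk(build_sample_archive(bytes(range(256)) * 4)))
```

A scanner would run archive_risk() first and refuse or quarantine the file when it reports anything, then use bounded_read() for members it does inflate, treating a truncated result as suspicious rather than as clean content.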
Virus definition
Synonyms: Virus signature

Virus definitions (or signatures) contain a unique sequence of bytes used by an anti-virus program to identify each piece of malicious code. Signature analysis is one of the key methods used to find and remove malicious code.

VoIP [Voice over IP]

VoIP is a technology that lets subscribers to a VoIP service make telephone calls using a computer network that supports IP [Internet Protocol]. VoIP converts the analog signal used in a conventional telephone into a digital signal that can be carried over the Internet in packets (and converts it back again at the other end). This means that users with a broadband Internet connection can replace their existing telephone connection with VoIP. Some VoIP services only allow telephone calls to people using the same service. Others allow calls to any number. Some VoIP services work just through the computer. Others require a special VoIP telephone or a VoIP adapter fitted to a conventional telephone.

VPN [Virtual Private Network]

A VPN is used to provide remote users with secure access to the private network of a corporation or other organization over the Internet (rather than using an expensive dedicated leased line). Privacy is maintained by implementing encryption and other security features, preventing unauthorized access to the private network.

Vulnerability

A vulnerability is a bug or security flaw in an application or operating system that provides the potential for a hacker or virus writer to gain unauthorized access to, or use of, a user’s computer. The hacker does this by writing specific exploit code. Once a vulnerability has been discovered (either by the developer of the software or by someone else), the vendor of the application typically creates a ‘patch’ or ‘fix’ to block the security hole. As a result, vendors, security experts and virus writers are engaged in a never-ending race to find vulnerabilities first. During recent years, the time-lag between the discovery of a vulnerability and the creation of exploit code that makes use of it has diminished. The worst-case scenario, of course, is a so-called ‘zero-day exploit’, where the exploit appears immediately after the vulnerability has been discovered. This leaves almost no time for a vendor to create a patch, or for IT administrators to implement other defensive measures.

W

War chalking

War chalking refers to the act of walking round a city or town to locate wireless access points, or ‘hot spots’, in order to gain unauthorized access to unsecured wireless networks. It is so called because the hot spot is then marked with a chalk mark.

War driving

War driving refers to the act of driving round a city or town to locate wireless access points, or ‘hot spots’, in order to gain unauthorized access to unsecured wireless networks. The specific process of mapping Bluetooth devices is referred to as ‘war nibbling’.

Web browser

A web browser is an application that lets a user access and display content from the World Wide Web.

Whitelist

Used as one method of filtering spam, a whitelist provides a list of legitimate e-mail addresses or domain names: all messages from whitelisted addresses or domains are automatically passed through to the intended recipient.

WiFi
Synonyms: Wireless network

WiFi (short for ‘wireless fidelity’) is the name commonly given to wireless networks that conform to the 802.11 specification laid down by the IEEE [Institute of Electrical and Electronics Engineers]. WiFi provides for fast data transfer rates (up to 11Mbps) and has become increasingly popular in recent years. Today, many PCs and mobile devices are fitted with wireless cards that enable them to connect to a wireless network. WiFi has become a more common way of connecting to a network, and wireless access points, or ‘hot spots’, can be found in businesses, homes, hotels, airports and even fast food outlets. By design, no wires are required to connect to a wireless network. If the wireless network is unsecured, it can be accessed easily by hackers or other users wishing to obtain free Internet access: so-called ‘war driving’ or ‘war chalking’.

WildList

The WildList was established in July 1993 by anti-virus researcher Joe Wells, was subsequently published monthly by the WildList Organization and is now published by ICSA Labs (part of TruSecure Corporation). It aims to keep track of which viruses are spreading in the real world (the WildList FAQ cites the WildList as ‘the world’s authority on which viruses users should really be concerned with’). Detection of ‘in the wild’ viruses, as defined by the WildList, has become the de facto measure by which anti-virus products are judged. Fee-based anti-virus certification tests, most notably those of ICSA Labs and West Coast Labs, are based on detection of WildList samples. In addition, the Virus Bulletin ‘VB100%’ award is given on the basis of a product’s ability to detect WildList viruses. However, in today’s wired world, there is a higher risk of being hit by new malware, with around 80% of new malicious programs being found in the field, not just in so-called ‘zoo’ collections. As a result, the WildList has become somewhat outmoded as a measure of the real threat.

World Wide Web

The World Wide Web (or WWW for short) was developed by Tim Berners-Lee, a British software consultant who was looking for a way to track associations between pieces of information using a computer (much like a thesaurus does manually). His initial program for doing this was called ‘Enquire’, developed in the 1980s. He subsequently developed the idea, and the standards, to allow the sharing of data across the Internet. He created HTML as the standard method for coding web content. He designed an addressing scheme (contained in the URL) for locating web content. And he created HTTP as the protocol for transferring web content across the Internet. The World Wide Web as we now know it appeared in 1991 and has grown exponentially since. Tim Berners-Lee founded the World Wide Web Consortium [the W3C], the body that sets WWW standards. The W3C defines the World Wide Web as ‘the universe of network-accessible information, an embodiment of human knowledge’.

Worm
Synonyms: Computer worm, Email worm, Internet worm, Network worm

Worms are generally considered to be a subset of viruses, but with key differences. A worm is a computer program that replicates, but does not infect other files: instead, it installs itself on a victim computer and then looks for a way to spread to other computers. From a user’s perspective, there are observable differences. In the case of a virus, the longer it goes undetected, the more infected files there will be on the victim computer. In the case of a worm, by contrast, there is just a single instance of the worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added to existing files on the disk.

Like viruses, worms are often sub-divided according to the means they use to infect a system. E-mail worms are distributed as attachments to e-mail messages; IM worms are attached to messages sent using instant messaging programs (such as IRC or ICQ); P2P [peer-to-peer] worms use file-sharing networks to spread; network worms spread directly over the LAN [Local Area Network] or across the Internet, often making use of a specific vulnerability.

The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel Shockwave Rider. The hero, a talented programmer, created self-replicating computer programs that tunneled their way through a worldwide network.

X

xx-bit processor

Computer processors are often defined in terms of the ‘word’ size they can handle. In computing, the term ‘word’ refers to the block of data (specified as a number of bits) that can be manipulated in a single clock cycle. So a 16-bit processor has a word size of 16 bits, a 32-bit processor has a word size of 32 bits and a 64-bit processor has a word size of 64 bits. From this, it is clear that a 64-bit processor is able to handle more data in the same clock cycle and is therefore more efficient. Newer processors are backwards compatible: 64-bit processors, for example, are able to detect 16-bit and 32-bit applications and process them appropriately.
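The Virus definition entry above, together with the Polymorphism entry earlier on the page, describe the two halves of one problem: a signature is a fixed byte sequence, and a variably encrypted body has no fixed byte sequence to find. The following is an added example, not code from the glossary or from Kaspersky Lab, that makes the point concrete. The ‘body’ is a line of plain text constructed for the example (not program code), the ‘encryption’ is a single-byte XOR that stands in for the per-copy encryption of a polymorphic family, and the ‘see through’ scan simply tries every possible key, which is the simplest form of the algorithmic see-through the Polymorphism entry mentions. Real polymorphic code also varies its decryptor, which is why real scanners resort to emulation; that part is not modelled here.

```python
"""Signature scan versus a variably encrypted body (added example)."""

# Constructed stand-in for a program body: plain text, not code.
PLAIN_BODY = (b"CONSTRUCTED-SAMPLE-BODY: pretend this is the invariant part of "
              b"a program, which is what a signature is extracted from.")

# The 'virus definition': a unique byte sequence taken from the body.
SIGNATURE = b"CONSTRUCTED-SAMPLE-BODY"


def xor_bytes(data, key):
    """XOR every byte with one key byte; applying it twice restores the data."""
    return bytes(b ^ key for b in data)


def signature_match(data, signature=SIGNATURE):
    """Classic signature scan: is the fixed byte sequence present as-is?"""
    return signature in data


def make_variably_encrypted_copies(body, keys):
    """Simulate 'many forms': the same body under a different key each time.

    This models only the encrypted-body half of polymorphism; a real
    polymorphic virus also rewrites the small decryptor that precedes it.
    """
    return {key: xor_bytes(body, key) for key in keys}


def see_through_scan(data, signature=SIGNATURE):
    """Scanner side: try every single-byte key and report the one under which
    the signature appears, or None.  Key 0 means the data was not encrypted."""
    for key in range(256):
        if signature in xor_bytes(data, key):
            return key
    return None


if __name__ == "__main__":
    copies = make_variably_encrypted_copies(PLAIN_BODY, [0x5A, 0x3C, 0xA7])
    for key, copy in copies.items():
        print(f"key {key:#04x}: plain signature match = {signature_match(copy)}, "
              f"see-through finds key = {see_through_scan(copy):#04x}")
```

The plain scan matches the unencrypted body and nothing else; the see-through scan recovers the key for every copy, at the cost of 256 passes over the data instead of one. That cost is why signature scanners keep the cheap fixed-bytes check as the first pass and reserve the heavier decryption or emulation step for files that look packed or encrypted.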
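The Whitelist entry above is a one-line definition; in practice the work is in normalising the sender address before comparing it. The following is an added example, not code from the glossary or from Kaspersky Lab. It extracts the bare address from a From header (display name, angle brackets and letter case all vary), then passes a message if the address is listed or its domain is a listed domain or a subdomain of one. The whitelist and the messages are constructed placeholders.

```python
"""Sender whitelist check for inbound mail (added example)."""
from email.utils import parseaddr

# Constructed whitelist with placeholder names, not real addresses.
WHITELIST = {
    "addresses": {"alerts@examplebank.com"},
    "domains": {"example.org"},      # matches example.org and its subdomains
}

# Constructed (From header, Subject) pairs standing in for a mailbox.
SAMPLE_MESSAGES = [
    ("Bank Alerts <ALERTS@ExampleBank.com>", "Your statement is ready"),
    ("bob@mail.example.org", "Weekly digest"),
    ("Bank Alerts <alerts@examplebank.com.evil.test>", "Verify your password"),
    ("promo@notexample.org", "Cheap deals"),
]


def normalise(sender):
    """Return the bare, lower-cased address from a From header value."""
    _, addr = parseaddr(sender)
    return addr.lower()


def is_whitelisted(sender, whitelist=WHITELIST):
    """True if the exact address is listed, or its domain is a listed domain
    or a subdomain of one.  Anything without an @ is never whitelisted."""
    addr = normalise(sender)
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    if addr in whitelist["addresses"]:
        return True
    return any(domain == d or domain.endswith("." + d)
               for d in whitelist["domains"])


def filter_messages(messages, whitelist=WHITELIST):
    """Split (sender, subject) pairs into subjects passed and subjects held
    for the normal spam filters."""
    passed, held = [], []
    for sender, subject in messages:
        (passed if is_whitelisted(sender, whitelist) else held).append(subject)
    return passed, held


if __name__ == "__main__":
    passed, held = filter_messages(SAMPLE_MESSAGES)
    print("passed:", passed)
    print("held:  ", held)
```

Two details carry the security weight. The domain test uses a dot-anchored suffix, so examplebank.com.evil.test does not match examplebank.com even though it ends with the same characters. And the whitelist should be treated as one input to the filter rather than an unconditional bypass: the Phishing entry on this page notes that spam is routinely spoofed to look like mail from a legitimate institution, and the From header is exactly what gets spoofed.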
Z

Zero-day exploit

A zero-day exploit is one where an exploit written to take advantage of a bug or vulnerability in an application or operating system appears immediately after the vulnerability has been discovered. This leaves almost no time for a vendor to create a patch, or for IT administrators to implement other defensive measures.

Zoo

The term zoo refers to malicious code that has not been seen in the field. Anti-virus vendors include detection for such malicious code, since there is no way of knowing whether it will spread successfully in the future.