The term ‘polymorphic’ comes from the Greek for ‘many forms’. A polymorphic virus stores its body encrypted under a key that changes with every infection, and varies the small decryption routine as well (swapping equivalent instructions, reordering them, inserting junk), so that each copy has a different ‘shape’ and there is no constant sequence of bytes for an anti-virus program to search for. As a result, anti-virus programs must use other techniques to identify and remove polymorphic viruses: emulating the decryptor so that the constant body is exposed in memory, or using mathematical algorithms that ‘see through’ the encryption without running it.
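As an added example (not part of the original glossary), the following Python models the idea in miniature. The payload, the three ‘decryptor’ byte strings and the sample layout are constructed for illustration and are not real machine code or a real virus; what the model shows is why a fixed-byte signature scanner finds nothing while an emulating scanner, which carries out the decryptor’s effect and inspects the result, matches every copy.

```python
import os

# Constructed stand-in for the virus body: the bytes a signature scanner would want to match.
PAYLOAD = b"VIRUS BODY: constant code that would be trivial to detect if it stayed in clear"

# Three functionally equivalent decryptor stubs (constructed pseudo-opcodes, not real x86).
# A real engine also swaps registers, reorders instructions and inserts junk, so the
# decryptor itself offers no stable byte pattern either.
DECRYPTOR_VARIANTS = (
    b"\xb8\x01\x00\x30\xc8\xe2",
    b"\x90\xb8\x01\x00\x90\x30\xc8\xe2",
    b"\x87\xdb\xb8\x01\x00\x30\xc8\xe2",
)

def xor_stream(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def infect(payload: bytes = PAYLOAD, rng=os.urandom) -> bytes:
    """One 'infection': a randomly chosen decryptor variant, a random 2-byte key and the
    body encrypted under it. Constructed layout: [stub][key:2][body length:2, LE][body]."""
    key = rng(2)
    if key == b"\x00\x00":                      # an all-zero key would leave the body in clear
        key = b"\x5a\xa5"
    stub = DECRYPTOR_VARIANTS[rng(1)[0] % len(DECRYPTOR_VARIANTS)]
    body = xor_stream(payload, key)
    return stub + key + len(body).to_bytes(2, "little") + body

def signature_scan(sample: bytes, signature: bytes = PAYLOAD[:16]) -> bool:
    """A plain signature scanner: look for a fixed byte string."""
    return signature in sample

def emulate(sample: bytes) -> bytes:
    """An emulating scanner: recognise what each decryptor variant does, carry out its effect
    (apply the XOR with the embedded key) and hand back the decrypted body for matching."""
    for stub in DECRYPTOR_VARIANTS:
        if sample.startswith(stub):
            pos = len(stub)
            key = sample[pos:pos + 2]
            length = int.from_bytes(sample[pos + 2:pos + 4], "little")
            return xor_stream(sample[pos + 4:pos + 4 + length], key)
    raise ValueError("unrecognised decryptor")

def demo(n: int = 8) -> dict:
    """Generate n infections and compare what the two scanners find."""
    samples = [infect() for _ in range(n)]
    return {
        "distinct_forms": len(set(samples)),
        "signature_hits": sum(signature_scan(s) for s in samples),
        "emulator_hits": sum(emulate(s) == PAYLOAD for s in samples),
    }

if __name__ == "__main__":
    print(demo())   # e.g. {'distinct_forms': 8, 'signature_hits': 0, 'emulator_hits': 8}
```

The real difficulty for a scanner is in emulate(): a production engine cannot rely on three known stubs and must execute arbitrary decryptor code safely, for long enough for the body to appear, without being tricked by instructions that behave differently under emulation.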
Synonyms: Service pack, Maintenance pack
A patch provides additional, revised or updated code for an operating system or application. Most vendors of closed-source software do not publish their source code, so patches are normally distributed as binary code that an installer applies to the existing program, replacing or modifying its files.
The term ‘patching’ refers to the process of downloading and installing this additional code from the software vendor. The terms vary: typically a minor fix is called a patch, while a larger, cumulative set of fixes is called a Maintenance Pack or Service Pack.
Patching has become an integral part of computer security, since vulnerabilities in popular operating systems and applications are among the primary targets for virus writers and hackers. It is crucial to patch in a timely manner. During recent years, the time-lag between the discovery of a vulnerability and the creation of exploit code that makes use of it has diminished. The worst-case scenario is a so-called ‘zero-day exploit’: exploit code that is already in use before the vendor has released a patch, sometimes before the vendor even knows of the vulnerability. This leaves no time for the vendor to create a patch, so IT administrators must rely on other defensive measures until one is available.
Synonyms: Executable files, EXE files
An executable file is a program in binary code that is ready to be loaded and run by the computer without further compilation or translation.
Common file extensions for executable files in Windows include .exe, .com and .dll; a .bat file is a plain-text batch script that the command interpreter runs line by line rather than a binary. A dynamic link library (.dll) is a file of executable code that is not started on its own but is loaded at run time by the programs that link to it dynamically.
Windows Portable Executable (PE) files are the standard executable format for 32-bit and 64-bit Windows (PE32 and PE32+), used for EXE and DLL files alike, which is why the majority of malware for Windows is written in this format.
In Unix, executable files are not identified by their extension: a file can be run if the execute permission bit is set in its mode (shown by ls -l and set with chmod +x).
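As an added example (not code from the original glossary), the following Python reads just enough of the PE format to answer the questions an analyst asks first: is this really a PE file, for which processor, 32- or 64-bit, and is it a DLL. The header offsets and flag values are those of the published PE specification; the build_minimal_pe() helper is a constructed stand-in for a real file (it is not loadable by Windows, it only exercises the parser).

```python
import struct

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

def parse_pe(data: bytes) -> dict:
    """Read the DOS header, follow e_lfanew to the PE signature and decode the COFF
    file header plus the optional-header magic. Every read is bounds-checked first."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/Windows executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data):                 # 4 (signature) + 20 (COFF) + 2 (magic)
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature: DOS-only or corrupt executable")
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if opt_size < 2:
        raise ValueError("no optional header: an object file, not an executable image")
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    bits = {0x10B: 32, 0x20B: 64}.get(magic)      # PE32 vs PE32+
    if bits is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "machine": MACHINE_NAMES.get(machine, f"{machine:#06x}"),
        "bits": bits,
        "sections": nsections,
        "executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }

def build_minimal_pe(machine=0x014C, magic=0x10B, characteristics=0x0102, sections=2) -> bytes:
    """Constructed sample: a DOS header whose e_lfanew (offset 0x3C) points at a bare
    PE header at offset 0x40, followed by a zero-filled optional header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xE0, characteristics)
    optional = struct.pack("<H", magic) + b"\0" * 0xDE
    return dos + b"PE\0\0" + coff + optional

if __name__ == "__main__":
    print(parse_pe(build_minimal_pe()))
    print(parse_pe(build_minimal_pe(machine=0x8664, magic=0x20B, characteristics=0x2102)))
```

The bounds check on e_lfanew matters in practice: a file that claims to be PE but points its header past the end of the data is a classic way to crash or confuse a careless parser, and a scanner has to treat such a file as suspicious rather than fall over.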
Synonyms: TCP/IP port
In computing, ports are connection points.
They may be physical connection points, as in the COM (or serial) and parallel ports used by physical input or output devices. Before the advent of USB, a mouse or an external modem typically used a COM port (where data is transferred ‘serially’, one bit at a time), while printers typically used a parallel port (where data is transferred ‘in parallel’, eight bits at a time). Today, most computers are equipped with a number of USB ports; USB allows up to 127 devices to connect to a single computer and allows rapid transfer of data.
They may also be logical connection points for data transferred over TCP or UDP, each of which has its own range of 65,536 port numbers. Some port numbers are ‘well known’ and reserved for a particular service: port 80, for example, is reserved for HTTP. Others are assigned dynamically for each connection. Ports are also used by authors of malicious code to transfer data from a victim machine to the ‘master’, or to download additional malicious code, which is one reason a firewall should block every port the machine does not actually need to expose.
This term is taken from the world of fire fighting, where a firewall is a barrier created to block the spread of a fire.
In computing, a firewall forms a barrier between a computer system (either a corporate system or a single user) and the outside world: the aim is to prevent outsiders from gaining unauthorized access to the protected network. The firewall monitors incoming and outgoing network traffic and decides whether to forward it or block it depending on the security policy that has been set.
Typically, a firewall is installed on a router at the Internet gateway, although it may also be used to guard the boundaries between networks and user groups.
Today, most enterprises use ‘stateful’ firewalls: rather than judging each packet in isolation by its headers, they keep a table of the connections they have seen and track each one’s state over time. The system administrator defines which connections may be initiated (for example, outbound web traffic from the internal network); the firewall itself records each permitted connection when it starts, passes only packets that belong to a known connection, and rejects all others.
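As an added example (not part of the original glossary), the following Python models a stateful filter beside the older header-only rule it replaced. The policy, addresses, ports and packet trace are all constructed; the TCP flags are written as letters (S for SYN, SA for SYN/ACK, A for ACK, F for FIN, R for RST), and the FIN handling is simplified to a single FIN from either side.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags, e.g. "S", "SA", "A", "FA", "R"
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN

class StatefulFirewall:
    """Model of a stateful filter. Policy: inside hosts may open TCP connections outward;
    an inbound packet is accepted only if it belongs to a connection already in the table,
    which the firewall builds itself from the outbound SYNs it has seen."""

    def __init__(self, inside_prefix: str = "10.0.0."):
        self.inside_prefix = inside_prefix
        self.table = {}   # (inside ip, inside port, remote ip, remote port) -> state

    def _key(self, p: Packet):
        return ((p.src, p.sport, p.dst, p.dport) if p.direction == "out"
                else (p.dst, p.dport, p.src, p.sport))

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        state = self.table.get(key)
        if state is None:
            # Only an outbound SYN from an inside address may create a table entry.
            if p.direction == "out" and p.flags == "S" and p.src.startswith(self.inside_prefix):
                self.table[key] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if "R" in p.flags:               # a reset from either side ends the connection
            del self.table[key]
            return "ACCEPT"
        if state == "SYN_SENT":
            if p.direction == "in" and p.flags == "SA":
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
            if p.direction == "out" and p.flags == "S":
                return "ACCEPT"          # retransmitted SYN
            return "DROP"                # anything else does not fit the handshake
        if "F" in p.flags:               # ESTABLISHED: FIN tears the entry down (simplified)
            del self.table[key]
        return "ACCEPT"

def stateless_ack_filter(p: Packet) -> str:
    """The old header-only rule 'allow inbound if ACK is set': it cannot tell a genuine
    reply from a forged ACK probe, because it has no memory of who started the connection."""
    return "ACCEPT" if p.direction == "out" or "A" in p.flags else "DROP"

# Constructed trace: a web fetch by 10.0.0.5, then two unsolicited packets aimed at SMB.
TRACE = [
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, "S", "out"),
    Packet("93.184.216.34", 80, "10.0.0.5", 40000, "SA", "in"),
    Packet("10.0.0.5", 40000, "93.184.216.34", 80, "A", "out"),
    Packet("93.184.216.34", 80, "10.0.0.5", 40000, "A", "in"),    # data from the server
    Packet("198.51.100.7", 4444, "10.0.0.5", 445, "S", "in"),     # unsolicited SYN
    Packet("198.51.100.7", 4444, "10.0.0.5", 445, "A", "in"),     # forged ACK probe
]

def run(packets, fw: StatefulFirewall) -> list:
    return [fw.handle(p) for p in packets]

if __name__ == "__main__":
    print("stateful :", run(TRACE, StatefulFirewall()))
    print("stateless:", [stateless_ack_filter(p) for p in TRACE])
```

The last packet is the point of the comparison: the stateless rule lets the forged ACK through to port 445 because the header looks like part of an existing connection, while the stateful filter drops it because no inside host ever opened a connection to 198.51.100.7. The price is the table itself, which an attacker can try to exhaust with floods of half-open connections, so real products age entries out and cap the number per host.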
Personal firewalls are software-based. They protect single users from hacker attacks and potentially damaging data packets sent via the Internet, and also control which applications on the protected computer may open network connections. Such protection, as a supplement to anti-virus protection, has become a ‘must’ for those with always-on broadband connections.
Phishing is a form of cyber crime based on social engineering techniques. The name ‘phishing’ is a conscious misspelling of ‘fishing’. It involves tricking a user into handing over confidential data (login names, passwords, card numbers and the like) and subsequently using that data to steal the user’s money.
The cyber criminal creates a near-perfect replica of a financial institution’s or online retailer’s web site and then tries to lure unsuspecting users to it, where they are asked to enter their login, password, credit card number, PIN, etc. into a fake form. This data is collected by the phisher, who later uses it to access the users’ accounts fraudulently.
Some financial institutions now use a graphical keyboard, where the user selects characters with the mouse instead of typing them. This prevents collection of confidential data by Trojans that log keyboard input, but is of no avail against so-called ‘screenscraper’ techniques, where a Trojan takes a snapshot of the user’s screen and forwards it to a server controlled by the Trojan author or ‘master’.
There are several different ways of trying to drive users to a fake web site.
POP3 (Post Office Protocol version 3) is a protocol for receiving e-mail. It is used where e-mail is stored on a remote server until the user downloads it: for example, where a home user connects to the Internet through an ISP and collects e-mail periodically. In this case, SMTP is used to send e-mail across the Internet to the ISP’s server, while POP3 is used to download it from there. Plain POP3 sends the user name and password in clear text, so the connection should be protected with SSL/TLS (POP3S on port 995, or the STLS command) to keep them from being read in transit.
Many e-mail client applications (Microsoft® Outlook® and Outlook Express, for example) support POP3.
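As an added example (not part of the original glossary), the following Python walks through a POP3 session from both sides: a minimal server state machine following RFC 1939’s AUTHORIZATION, TRANSACTION and UPDATE states, driven by a scripted client. The mailbox, user and password are constructed; note how the password appears verbatim in the exchange, which is exactly what an eavesdropper on an unencrypted connection sees.

```python
import copy

# Constructed mailbox: one user, two messages. The password is plain text on purpose:
# POP3 without TLS sends it exactly like this.
MAILBOX = {
    "alice": ("s3cret", [
        b"From: bob\r\nSubject: hi\r\n\r\nhello\r\n",
        b"From: carol\r\nSubject: re\r\n\r\nthanks\r\n",
    ]),
}

class Pop3Server:
    """Minimal POP3 server state machine: AUTHORIZATION -> TRANSACTION -> UPDATE (RFC 1939)."""

    def __init__(self, mailbox=None):
        self.mailbox = copy.deepcopy(MAILBOX) if mailbox is None else mailbox
        self.state, self.user, self.msgs, self.deleted = "AUTHORIZATION", None, [], set()

    def greeting(self) -> bytes:
        return b"+OK POP3 server ready\r\n"

    def handle(self, line: bytes) -> bytes:
        cmd, _, arg = line.rstrip(b"\r\n").decode("ascii", "replace").partition(" ")
        cmd = cmd.upper()
        if self.state == "UPDATE":
            return b"-ERR session closed\r\n"
        if self.state == "AUTHORIZATION":
            if cmd == "USER":
                self.user = arg
                return b"+OK\r\n"
            if cmd == "PASS":
                pw, msgs = self.mailbox.get(self.user, (None, []))
                if self.user and arg == pw:
                    self.state, self.msgs = "TRANSACTION", list(msgs)
                    return b"+OK logged in\r\n"
                return b"-ERR invalid login\r\n"
            return b"+OK bye\r\n" if cmd == "QUIT" else b"-ERR not authenticated\r\n"
        # TRANSACTION state: messages marked for deletion stay until QUIT
        live = [i for i in range(len(self.msgs)) if i not in self.deleted]
        if cmd == "STAT":
            return f"+OK {len(live)} {sum(len(self.msgs[i]) for i in live)}\r\n".encode()
        if cmd in ("RETR", "DELE"):
            i = int(arg) - 1 if arg.isdigit() else -1
            if i not in live:
                return b"-ERR no such message\r\n"
            if cmd == "DELE":
                self.deleted.add(i)
                return b"+OK deleted\r\n"
            # Byte-stuff lines that begin with '.', then terminate with a lone '.'
            return b"+OK\r\n" + self.msgs[i].replace(b"\r\n.", b"\r\n..") + b".\r\n"
        if cmd == "QUIT":
            # Deletions take effect only now, in the UPDATE state.
            pw = self.mailbox[self.user][0]
            self.mailbox[self.user] = (pw, [self.msgs[i] for i in live])
            self.state = "UPDATE"
            return b"+OK bye\r\n"
        return b"-ERR unknown command\r\n"

def session(commands, server: Pop3Server = None) -> list:
    """Drive the server with a scripted client; returns the (client line, server reply) exchange."""
    server = server or Pop3Server()
    exchange = [(b"", server.greeting())]
    for c in commands:
        exchange.append((c, server.handle(c)))
    return exchange

if __name__ == "__main__":
    for client, reply in session([b"USER alice\r\n", b"PASS s3cret\r\n", b"STAT\r\n",
                                  b"RETR 1\r\n", b"DELE 1\r\n", b"STAT\r\n", b"QUIT\r\n"]):
        print("C:", client.rstrip(), "\nS:", reply.rstrip())
```

Two details carry over to real deployments: deletions are only committed at QUIT, so a client that drops the connection leaves the mailbox untouched, and the invalid-login reply is the same whether the user name or the password was wrong, which avoids confirming valid account names to someone guessing them.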
Synonyms: Compressed file
A compressed file is one where the data belonging to the file has been reduced in size to save space or data transmission time. For example, software developers make use of various compression utilities to reduce the size of installation files distributed on removable media. At run-time, of course, the file is de-compressed automatically, with no user intervention needed.
There are many different compression methods and the algorithms they use vary. At the simplest level, however, compression can be as straightforward as run-length encoding: finding sequences of repeated bytes in a file (a data area in a program, for example, may be initialized with zeroes) and replacing each with a short marker that records how many bytes were removed and what value they had.
While compression is used in legitimate programs, it is also used by authors of malicious code. It is very common for Trojans, in particular, to be released in packed form, with the stored file bearing little resemblance to the code that actually runs (and sometimes re-released, re-packed with a different packer, as a cheap ‘new’ variant). Anti-virus scanners therefore have to unpack a file, or let it unpack itself under emulation, before looking for signatures.
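As an added example (not code from the original glossary), the following Python implements the run-length scheme described above and shows the effect it has on signature matching. The ‘program’ bytes, the marker format and the signature are constructed. Run-length encoding leaves literal bytes unchanged, so the signature chosen here deliberately straddles the end of the code and the start of the zero-filled data area; real packers (LZ-based or encrypting ones) transform every byte, which is why scanners unpack first as a matter of course.

```python
MARKER = 0xFF   # escape byte; a token is MARKER, count, value (a literal 0xFF is always tokenised)

def pack(data: bytes) -> bytes:
    """Run-length pack: a run of four or more identical bytes becomes a 3-byte token."""
    out, i = bytearray(), 0
    while i < len(data):
        value, run = data[i], 1
        while i + run < len(data) and data[i + run] == value and run < 255:
            run += 1
        if run >= 4 or value == MARKER:
            out += bytes([MARKER, run, value])
        else:
            out += data[i:i + run]
        i += run
    return bytes(out)

def unpack(packed: bytes) -> bytes:
    """Inverse of pack(); rejects a truncated token rather than reading past the end."""
    out, i = bytearray(), 0
    while i < len(packed):
        if packed[i] == MARKER:
            if i + 2 >= len(packed):
                raise ValueError("truncated token")
            count, value = packed[i + 1], packed[i + 2]
            out += bytes([value]) * count
            i += 3
        else:
            out.append(packed[i])
            i += 1
    return bytes(out)

# Constructed 'program': a header, a string standing in for code a scanner knows,
# a zero-initialised data area, one literal 0xFF and a trailer.
SAMPLE = b"MZ" + b"\x90" * 3 + b"TROJAN-SIGNATURE" + b"\x00" * 64 + b"\xff" + b"end"
# A signature that straddles the end of the code and the start of the zeroed data.
SIGNATURE = b"SIGNATURE\x00\x00\x00\x00"

def scan_packed(packed: bytes, signature: bytes = SIGNATURE) -> dict:
    """Compare a naive scan of the stored bytes with a scan after unpacking."""
    return {"stored": signature in packed, "unpacked": signature in unpack(packed)}

if __name__ == "__main__":
    packed = pack(SAMPLE)
    print(len(SAMPLE), "->", len(packed), "bytes;", scan_packed(packed))
```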
Synonyms: MBR [Master Boot Record]
The MBR is the first sector on a hard disk (512 bytes). It contains the boot code that the BIOS loads and runs first, the partition table, which holds information on up to four primary partitions (their location, their size and which one is ‘active’, i.e. contains the operating system used to boot the machine), and a two-byte signature, 0x55AA, marking the sector as bootable. Because its code runs before the operating system and any anti-virus software, the MBR was a favourite target of boot-sector viruses.
A packet is a unit of data transferred between two points on the Internet. When data is sent across the Internet (an e-mail message, for example), it is divided into packets of convenient size, each carrying addressing information and its position within the whole. Individual packets may travel by different routes and arrive out of order or more than once, and are re-assembled at their destination.
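As an added example (not part of the original glossary), the following Python shows the receiving end of that process: fragments carrying an offset arrive out of order and duplicated, and the reassembler puts them back together while refusing two conditions a security practitioner cares about, a gap (something never arrived) and overlapping fragments that disagree about the same bytes (a classic trick for showing an intrusion detection system a different message from the one the host sees). The message and fragment format are constructed, not a real IP header.

```python
def fragment(data: bytes, size: int):
    """Sender side: split a message into (offset, chunk, more_fragments) tuples."""
    return [(off, data[off:off + size], off + size < len(data))
            for off in range(0, len(data), size)]

def reassemble(fragments) -> bytes:
    """Receiver side. Accepts fragments in any order, tolerates exact duplicates, and refuses
    messages with gaps or with overlapping fragments that disagree."""
    buf, end = {}, None
    for offset, chunk, more in fragments:
        for i, byte in enumerate(chunk):
            pos = offset + i
            if buf.get(pos, byte) != byte:
                raise ValueError(f"overlapping fragments disagree at byte {pos}")
            buf[pos] = byte
        if not more:
            if end is not None and end != offset + len(chunk):
                raise ValueError("two different 'last' fragments")
            end = offset + len(chunk)
    if end is None:
        raise ValueError("final fragment missing")
    missing = [pos for pos in range(end) if pos not in buf]
    if missing:
        raise ValueError(f"{len(missing)} bytes missing, first at offset {missing[0]}")
    return bytes(buf[pos] for pos in range(end))

# Constructed message, split into 8-byte fragments.
MESSAGE = b"Subject: hello\r\n\r\nmeet at noon"
FRAGMENTS = fragment(MESSAGE, 8)

if __name__ == "__main__":
    print(reassemble(reversed(FRAGMENTS)))
```

Real IP stacks differ in which of two disagreeing overlaps they keep (first or last); rejecting the message outright, as above, is the safe choice for a security device that cannot know which policy the destination host applies.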
A partition is a logical division of a hard disk into sections, allowing the user, for example, to install different operating systems on the same hard disk. Partitions are created with a partitioning tool (FDISK.EXE under DOS and early Windows; diskpart or Disk Management on later Windows; fdisk or parted on Linux). Information on the number of partitions, their size and which one is ‘active’ (i.e. which one contains the operating system used to boot the machine) is stored within the MBR, in the partition table.
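As an added example covering both the MBR and partition entries above (not code from the original glossary), the following Python decodes the partition table of a 512-byte MBR and applies the checks a forensic examiner or boot-sector scanner would make: the 0x55AA signature, a valid status byte, at most one active partition and no overlapping partitions. The layout is the classic MBR format; the sample sector produced by build_mbr() is constructed and its boot code is a few placeholder bytes, not a real boot loader.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446            # 446 bytes of boot code, then four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511
PARTITION_TYPES = {0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}

def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table of one 512-byte MBR and sanity-check it."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for n in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * n)
        if ptype == 0x00:
            continue                                    # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {n}: invalid status byte {status:#x}")
        partitions.append({"index": n, "active": status == 0x80,
                           "type": PARTITION_TYPES.get(ptype, f"{ptype:#04x}"),
                           "lba_start": lba_start, "sectors": sectors})
    active = [p["index"] for p in partitions if p["active"]]
    if len(active) > 1:
        raise ValueError("more than one active partition")
    # Overlapping ranges are never produced by a sane partitioner; treat them as corruption.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    for (a_start, a_end), (b_start, _b_end) in zip(spans, spans[1:]):
        if b_start < a_end:
            raise ValueError("partition entries overlap")
    return {"boot_code": sector[:TABLE_OFFSET], "partitions": partitions,
            "active": active[0] if active else None}

def build_mbr(entries, boot_code: bytes = b"\xfa\x33\xc0\x8e\xd0") -> bytes:
    """Constructed sample MBR. entries: up to four (active, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0",
                                 ptype, b"\0\0\0", start, count)
                     for active, ptype, start, count in entries)
    return boot_code.ljust(TABLE_OFFSET, b"\0") + table.ljust(64, b"\0") + BOOT_SIGNATURE

if __name__ == "__main__":
    sample = build_mbr([(True, 0x07, 2048, 204800), (False, 0x83, 206848, 409600)])
    print(parse_mbr(sample)["partitions"])
```

The boot_code field is returned untouched so that a caller can hash it and compare it with a known-good copy; a change in those 446 bytes with the partition table intact is the signature of a boot-sector infection or a bootkit rather than of repartitioning. On a disk partitioned with GPT the MBR still exists but carries a single ‘GPT protective’ entry (type 0xEE), and the real table lives in the following sectors.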
In the world of malicious code, the term payload is used to describe what a virus, worm or Trojan has been coded to do to a victim machine. For example, a virus could be designed to display a message on the screen on a particular day of the week, or erase all EXE files on a given day, or ... anything else that software can be coded to do. In fact, many viruses contain no payload at all. That’s not to say that they will have no adverse effect on an infected system. Many viruses are poorly written and may interfere with other programs running on the machine. They may also cause unintended side-effects if they are run in an environment they were not ‘designed’ for.
The term ‘peer-to-peer’ can be applied to a network system in which there is no dedicated network server and in which each machine has both server and client capabilities.
Today, the term P2P is more commonly applied to a temporary connection shared by users running the same application, allowing them to share files on each other’s computers (typically to share music or other multimedia files over the Internet, as with Napster, Gnutella and Kazaa).
PDA is the term given to small handheld computers that provide many of the functions of a standard PC, including e-mail, web browser, calendar (and other personal information) functions, network access, synchronization between the PDA and a PC. Increasingly, PDA functions are becoming combined with those of a wireless phone in a smartphone.
‘Pornware’ is the generic term used by Kaspersky Lab to describe malware-related programs that either use the computer’s modem to connect to pornographic pay-to-view services, or download pornographic content from the web, without the consent of the user.
Port scanning is the process of sending connection attempts or probe packets to a range of ports on a computer and examining the responses: a completed handshake means the port is open (a service is listening there), a reset means it is closed, and silence usually means a firewall is dropping the probes. Attackers scan to find services that may be vulnerable to attack; administrators scan their own systems to verify that only the intended services are exposed.
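As an added example for the port and port-scanning entries (not code from the original glossary), the following Python performs a TCP ‘connect’ scan against a target it creates itself: a listener on an ephemeral loopback port, so nothing outside the machine is touched. The three outcomes the probe distinguishes are the ones described above; scan ranges and timeouts are assumptions chosen for a local run.

```python
import socket
import threading

def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Constructed target: a TCP listener on an ephemeral loopback port. The caller reads
    the port from getsockname() and closes the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv

def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """TCP connect probe: 'open' = handshake completed, 'closed' = connection refused (RST),
    'filtered' = no answer before the timeout, which is what a dropping firewall looks like."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:            # includes socket.timeout (TimeoutError) and unreachable-host errors
        return "filtered"
    finally:
        s.close()

def scan(host: str, ports, workers: int = 16) -> dict:
    """Probe the given ports with a small thread pool; returns {port: state} sorted by port."""
    pending, results, lock = list(ports), {}, threading.Lock()

    def worker():
        while True:
            with lock:
                if not pending:
                    return
                port = pending.pop()
            state = probe(host, port)
            with lock:
                results[port] = state

    threads = [threading.Thread(target=worker) for _ in range(min(workers, len(pending)))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return dict(sorted(results.items()))

if __name__ == "__main__":
    listener = start_listener()
    target = listener.getsockname()[1]
    print(scan("127.0.0.1", range(target - 2, target + 3)))   # the listener's port reports 'open'
    listener.close()
```

A connect scan completes the three-way handshake, so every probe shows up in the target’s connection logs; the quieter ‘SYN’ scan sends only the first packet and needs raw sockets and administrative rights. Either way, scan only systems you are authorised to test.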
Synonyms: Executable file
Programs (also known as executables) contain binary code in a form that is ready to be run on a computer. Programs are written using a computer language (‘C’ or ‘C++’, for example), where the programmer writes the language-specific instructions using a text editor: this is known as source code. The source code is then compiled into machine instructions that the processor can execute directly.
The most common file extension for programs in a Microsoft® Windows® environment is EXE, but there are other files that contain program code, including COM and DLL. Batch files (which have the extension BAT) are themselves text files, but they contain a list of instructions for the computer to carry out unattended.
A proxy server stands between users on a network and the Internet. When a user requests a web page through their browser, the request goes through the proxy server. The proxy server checks its cache, to see if the page has been requested before: if it has, there’s no need for the proxy server to access the Internet, so the user gets quicker access to cached pages.
Many organizations install a proxy server at the Internet gateway, on the same computer as its firewall.
Synonyms: Password-stealing Trojans
These Trojans are designed to steal passwords from the victim machine (although some steal other types of information also: IP address, registration details, e-mail client details, and so on). This information is then sent to an e-mail address coded into the body of the Trojan. The first PSW Trojans were AOL password stealers, and these are so numerous that they form a specific subset of PSW Trojans.
Synonyms: Spyware, Malware-related programs
‘Spyware’ is something of a grey area, so there’s no textbook definition for it. However, as the name suggests, it’s often loosely defined as software that is designed to gather data from a computer and forward it to a third party without the consent or knowledge of the computer’s owner. This includes monitoring keystrokes, collecting confidential information (passwords, credit card numbers, PINs, etc.), harvesting e-mail addresses or tracking browsing habits. There’s a further by-product, of course: such activities inevitably affect network performance, slowing down the system and thereby affecting the whole business process.
The reason ‘spyware’ is such a grey area is that it’s really just a catch-all term for a wide assortment of malware-related programs, rather than a defined category. Most ‘spyware’ definitions apply not only to adware, ‘pornware’ and ‘riskware’ programs, but also to many Trojan programs: Backdoor Trojans, Trojan Proxies and PSW Trojans. Such programs have been around for almost 10 years, when the first AOL password stealers appeared. However, they were not then called ‘spyware’.
Although such programs are not new, their use for malicious purposes has increased in recent years and they have received much greater attention, both from the media and from ‘spyware’-only vendors.
The ASC [Anti-Spyware Coalition] drafted a definition of ‘spyware’ in August 2005. The ASC defines ‘spyware and other potentially unwanted technologies’ as those that ‘impair users' control over material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; or collection, use, and distribution of their personal or otherwise sensitive information.’
This definition, like others, spans the whole range of malware-related programs.