Glossary


A

ActiveX Control
A software component of Microsoft Windows that can be used to create and distribute small applications through Internet Explorer. ActiveX controls can be developed and used by software to perform functions that would otherwise not be available using normal Internet Explorer capabilities. Because ActiveX controls can be used to perform a wide variety of functions, including downloading and running programs, vulnerabilities discovered in them may be exploited by malware. In addition, cybercriminals may also develop their own ActiveX controls, which can do damage to a system if a user visits a web page that contains the malicious ActiveX control.

Adware
A program that displays advertisements. While some adware can be beneficial by subsidizing a program or service, other adware programs may display advertisements without adequate consent.

Alert Level
An alert level is assigned to particular malware by an analyst when adding detection. It is based on a calculation that takes into account the malware's ability to spread and potential to cause damage.

Alias
An alternative detection for particular malware. Generally this refers to detections of the same malware by other antivirus vendors; however, it may also refer to an alternative Microsoft detection of the same malware.

B

Backdoor Trojan
A type of trojan that provides attackers with remote unauthorized access and control of infected computers. Bots are a subcategory of backdoor trojans (see botnet).

Bot
A malicious program installed on a computer that is part of a bot network (botnet). Bots are generally backdoor trojans that allow unauthorized access and control of an affected machine. They are often controlled via IRC from a centralized location (although other models of command and control exist). See botnet.

Botnet
A set of computers controlled by a “command and control” computer to execute commands as directed. The "command and control" computer can issue commands directly (often through Internet Relay Chat, or IRC) or by using a decentralized mechanism, like peer-to-peer (P2P) networking.

Browser Modifier
A program that changes browser settings, such as the home page, without adequate consent. Also includes browser hijackers.

C

Clean
To remove malware or potentially unwanted software from an infected computer. A single cleaning can involve multiple disinfections.

Clean File
A file that has been determined to be neither malicious, nor potentially unwanted.

Cookie
An HTTP cookie, also called a tracking cookie, is a piece of text sent by a server to the browser that accesses it. From then on, every time the browser accesses that server again, the cookie is sent back, which lets the server "identify" the browser and its past behavior. Cookies are often used by online shopping sites to keep track of the browser's (and therefore potentially the user's) shopping habits and to better suggest items that the user may also be interested in purchasing. Depending on which server the cookie belongs to, a cookie may contain sensitive information, and cookies may be read (and the information stored in them "stolen") by malware.

Cryptor
A tool that may be used, legitimately, or illegitimately, to protect an application from being reverse-engineered, or otherwise analyzed. These tools use encryption in order to obfuscate the content of an application, often for the purposes of avoiding detection and hindering analysis.

Cybersquatting
The act of registering, trafficking in, or using a domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else.

D

DDoS
Distributed Denial of Service – see Denial of Service. Considerable resources may be required to exhaust a target system and cause it to fail to respond. Often multiple machines are used in order to perform these types of malicious attack and increase the attack’s chances of success. This can occur, for example, when a number of compromised systems, such as those that comprise a botnet, are commandeered and ordered to access a target network or server over and over again within a small period of time.

Dialer
A program that makes unauthorized telephone calls. These calls may be charged at a premium rate and attract an unexpectedly high cost to the user.

Disinfect
To remove malware or potentially unwanted software from a computer, or to restore functionality to an infected program. Compare to Clean.

DoS
Denial of Service. A condition that occurs when the resources of a target system are deliberately exhausted, effectively overwhelming the system and causing it to fail to respond or function for its intended users. There are a number of different types of attack that may be used to result in a denial of service condition, utilizing different types of flood, or malformed network traffic.

Downloader
A type of trojan that downloads other files, which are usually detected as other malware, onto the system. The Downloader needs to connect to a remote host to download files, compared to a Dropper, which already contains the files in its malware package. See Trojan Downloader/Dropper.

Dropper
A type of trojan that drops other files, which are usually detected as other malware, onto the system. The file to be dropped is included as part of the dropper package, compared to a Downloader, which needs to connect to the Internet to download files. See Trojan Downloader/Dropper.

E

EICAR
Acronym for "European Institute for Computer Antivirus Research". "EICAR.COM" is a test file that is used to see if antivirus software is installed and functioning properly. For additional information about EICAR, please visit the EICAR Web site.

Encryption
Encryption is the method of transforming readable data into unreadable data for the purposes of secrecy. Once encrypted, such data cannot be interpreted (either by humans or machines) until it is decrypted. Encryption is performed using an encryption algorithm and a secret value called a 'key'. Encrypted data generally cannot be decrypted without knowledge of the secret 'key' or substantial resources. Malware may use encryption in order to obfuscate its code (make its code unreadable), thus hoping to hinder its detection and removal from the affected machine. A common and simple encryption technique used by malware is XORing, in which the Exclusive Or (XOR) computational operation is applied to each bit according to a given key. Malware may use cryptors in order to encrypt its code.

Exploit
Malicious code that attempts to exploit vulnerabilities in applications or operating systems.

F

Firewall
A program or device that monitors and regulates traffic between two points, such as a single computer and the network server, or one server to another.

G

Generic
A type of signature capable of detecting a large variety of malware samples from a specific family, or of a specific type.

H

Heuristics
A tool or technique that enhances the ability to identify certain, and potentially common, code patterns. This is useful for making, for example, generic detections for a malware family.

Hoax
An e-mail that warns users about imaginary malware (i.e. that does not exist in reality). Hoaxes tend to follow a fairly standard pattern - they are generally written in highly technical and emotive language and often describe highly destructive, irreversible payloads (that may be physically impossible). Hoaxes also often appear to quote industry experts in order to claim legitimacy and they generally ask users to forward the message to as many people as possible.

HOSTS file
A HOSTS file is a file that maps host names to IP addresses. A computer consults it to decide which IP address to contact when a user attempts to reach a certain URL. While this can be done for legitimate purposes, such as blocking non-authorized Web sites in a corporate environment, the HOSTS file can also be edited for malicious purposes. Certain malware edits the HOSTS file so that when a user attempts to access a legitimate Web site, the browser is instead redirected to a malware site.
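Because the HOSTS file is plain text, the two abuses the entry describes (redirecting a legitimate name to an attacker's address, and sinking a protection vendor's update server so it can no longer be reached) are both easy to audit. The following is an added example, not code from the glossary's publisher: it parses HOSTS-file syntax and flags both patterns. The sample file content and the domain names in it are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example: audit a HOSTS file for the two malicious edits the entry describes.
# The sample content below is constructed; the .invalid names are placeholders.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
::1             localhost
# A legitimate name pointed at a routable address: classic redirect
198.51.100.23   www.example-bank.invalid example-bank.invalid
# A watched update server sunk to 0.0.0.0: blocks protection updates
0.0.0.0         update.example-av.invalid
# A plain ad-blocking entry, which is a common legitimate use
0.0.0.0         ads.example.invalid
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs in file order, ignoring comments and blank lines.
    A line may list several host names after one address."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_loopback_or_sink(ip: str) -> bool:
    """127.0.0.0/8, ::1 and 0.0.0.0 are the normal 'resolve to nothing' targets;
    anything else is an address the browser will actually connect to."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str, watched_domains: List[str]) -> Dict[str, List[str]]:
    """Flag two patterns:
    - 'redirect': a host name mapped to a routable address (possible phishing redirect)
    - 'blocked_watched': a watched domain (e.g. your update servers) sunk to loopback/0.0.0.0
    """
    findings: Dict[str, List[str]] = {"redirect": [], "blocked_watched": []}
    watched = {d.lower() for d in watched_domains}
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if not is_loopback_or_sink(ip):
            findings["redirect"].append(f"{name} -> {ip}")
        elif any(name == w or name.endswith("." + w) for w in watched):
            findings["blocked_watched"].append(f"{name} -> {ip}")
    return findings


if __name__ == "__main__":
    for kind, items in audit_hosts(SAMPLE_HOSTS, ["example-av.invalid"]).items():
        for item in items:
            print(f"{kind}: {item}")
```

Every entry that maps a name to a routable address is reported, not only names on a watch list, because the malicious entries are precisely the ones the defender did not anticipate; the list of watched domains is only needed for the second pattern, where a sink address is normal for ad blocking but suspicious for an update server.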

I

IFrames
Short for inline frame, an iFrame is an HTML document that is embedded in another HTML document. Because the iFrame links to another Web page, cybercriminals can use it to place malicious HTML content into a non-malicious page on a trusted Web site, for example in the form of a JavaScript ad that downloads and installs spyware.

In-the-wild
Malware that is currently detected in active computers connected to the Internet, as compared to those confined to internal test networks, malware research laboratories, or malware sample lists.

Incorrect Detection
A type of detection in which a legitimate program may have been mistakenly classified as malware or spyware. If you would like to report an incorrect detection, you can use the Incorrect Detection Report Form or you can submit a sample - be sure to indicate it is an incorrect detection by using the checkbox and adding a note to the comments.

Infection
The act by a virus of inserting or adding its code to a file, thus enabling the file to spread virus code.

J

Joke Program
A program that pretends to do something malicious but actually does nothing harmful (for example, pretending to delete files or format disks).

M

Macro Virus
A type of virus written as a macro for an application (such as Microsoft Word or Excel). A macro virus infects a file by replicating itself as a macro for that file, ensuring that when the file is opened, the virus is run.

Malware
Malicious software or potentially unwanted software installed without adequate user consent.

Malware Creation Tool
A malware creation tool is a program that is used by attackers to generate malware. Such programs may be able to automatically produce malware files according to specifications provided by the attacker.

Memory Resident
A threat is termed as "memory resident" if it continues to run and the space it occupies in memory is not freed for use by another program. A memory-resident threat persists in memory and usually cannot be terminated unless the computer is restarted.

Monitoring Software
Commercially available software that monitors activity, usually by capturing keystrokes or screen images. It may also include network sniffing software.

Mutex
A mutual exclusion object (mutex) is a programming object that malware may create to signify that it is currently running in the system. It can be used as an infection 'marker' to prevent multiple instances of the malware from running on the affected system, which might otherwise arouse suspicion.

P

Packer
A program that allows a user to package or bundle a file. This may be used by malware authors to obfuscate the structure of a malware file and thus avoid detection, as packing a single file using different packers results in different packages.

Password Stealer
A password stealer (PWS) is malware that is specifically used to transmit personal information, such as user names and passwords. A PWS often works in conjunction with a keylogger, which sends keystrokes and/or screenshots to an attacker.

Payload
The malware's purpose other than propagation (in the case of viruses and worms). The actions conducted by a piece of malware for which it was created. This can include, but is not limited to, downloading files, changing system settings, displaying messages, logging keystrokes, and so on.

Polymorphic
A virus that can mutate its structure to avoid detection by antivirus programs. It usually mutates by changing a variable or variables in its code without changing its overall algorithm.

Potentially Unwanted Software
A program with potentially unwanted behavior that is brought to the user’s attention for review. This behavior may impact the user’s privacy, security, or computing experience.

Proof-of-Concept Code
Code that is developed to demonstrate the viability of a particular method of attack. This can include code that is created to illustrate how a particular software vulnerability can be exploited, or even malware created to illustrate how a particular platform can be utilized, or file format infected.

Proxy Server
A proxy server is a type of server that facilitates requests to other servers on behalf of the client. A proxy server can be configured to alter the client's request, or the server's response. Proxy servers can be used to filter content, store content in a cache for frequent requests, anonymize the client from which the request is coming, and so on.

R

Reinfection
When a computer becomes infected after having previously been cleaned or disinfected. Reinfection typically occurs when a user repeats usage patterns without completely updating the computer’s antimalware protection during the disinfection process.

Remote Control Software
A program that provides access to a computer from a remote location. These programs are often installed by the computer owner or administrator, and are only a risk if unexpected.

Resident
Malware is resident if it continuously runs in the system. Malware may make itself, or a copy of itself, resident by making system changes that automatically set it to run when the system starts up.

Rogue Security Software
Software that appears to be beneficial from a security perspective but which provides limited or no security capabilities, generates a significant number of erroneous or misleading alerts, or which may attempt to socially engineer the user into participating in a fraudulent transaction.

Rootkit
A program whose main purpose is to perform certain functions that cannot be easily detected or undone by a system administrator, such as hide itself or other malware.

S

Script (malware)
A type of malware that is written using a scripting language. Common forms of scripting language include JavaScript and Visual Basic.

Sender ID Framework
An Internet Engineering Task Force (IETF) protocol developed to authenticate e-mail and so detect spoofed and forged messages, a typical tactic used to drive users to phishing Web sites and to download malicious software.

Settings Modifier
A program that changes computer settings with or without the user’s knowledge.

Signature
A set of malware characteristics that can be used to identify it using antivirus/antispyware products.

Social Engineering
A technique that defeats security precautions in place by exploiting human vulnerabilities. Social engineering scams can be both online (such as receiving e-mail messages that ask you to click on the attachment, which is actually malware) and offline (such as receiving a phone call from someone posing as a representative from your credit card company). Regardless of the method selected, the purpose of a social engineering attack remains the same - to get the targeted user to perform an action of the attacker's choice.

Software Bundler
A program that installs other potentially unwanted software, such as adware or spyware. The license agreement of the bundling program may require these other components in order to function.

Spam
Bulk unsolicited e-mail. Malware authors may use spam in order to distribute malware, either by attaching the malware to the message, or by sending a message containing a link to the malware. Malware may also harvest e-mail addresses for spamming from compromised machines, or may use compromised machines to send spam from.

Spam Run
A spam run is the term for a round of released spam. It may be used to refer to a single course of spam, for example, from the same servers, or spam that revolves around a common periodic theme, for example, Valentine's Day spam.

Spammer
A spammer is a trojan that sends large volumes of unsolicited e-mail. It may also pertain to the person or entity responsible for sending out the unsolicited e-mail messages.

Spoof
A type of attack where the source of a message (say, in an e-mail message or on a Web page) is falsified to appear to come from a trusted third party. For example, malware authors often distribute malware via e-mail that appears to come from a legitimate and trusted source.

Spyware
A program that collects information, such as the Web sites a user visits, without adequate consent. Installation may be without prominent notice or without the user’s knowledge.

Stealth
A method of hiding the presence of a threat, file or process. One form of stealth involves redirecting requests or attempts to view malicious files or code to an otherwise innocent location in a file or process.

T

Tool
Software that may have legitimate purposes, but which may also be used by malware authors or attackers.

Trojan
A malicious application that is unable to spread of its own accord. Historically, the term has been used to refer to applications that appear legitimate and useful, but perform malicious and illicit activity on an affected machine.

Trojan Clicker
A trojan clicker is a type of trojan that clicks. This could include trojans that initiate the installation of another program by clicking through dialog boxes in an installer program; however, the term is more often applied to trojans that generate revenue by clicking on online advertisements or that increase Web traffic to targeted sites. They can also be used to skew online polls (for any number of different reasons) and to lend an appearance of legitimacy to sites that host potentially unwanted software, by making the applications they push appear more popular than they actually are.

Trojan Downloader/Dropper
A form of trojan that installs other malicious files to the infected system either by downloading them from a remote computer or by dropping them directly from a copy contained in its own code.

Trojan Proxy
A trojan proxy is a type of trojan that installs a proxy server on a machine. A proxy server installed by a trojan can be configured so that all Internet requests made by the infected system are routed via the proxy server to an attacker-controlled server.

Typosquatting
A form of cybersquatting where someone registers a domain name of a highly visited Web site, except with typographical errors (for example, microsooft.com).
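The microsooft.com example above is one edit away from the genuine name, which is exactly what makes typosquatting cheap to detect in bulk: compare the registrable label of each newly seen domain against a short list of protected brands and report the near misses. The following is an added example, not code from the glossary's publisher; it uses plain Levenshtein distance and a simplified domain split (it assumes single-label TLDs rather than consulting the Public Suffix List). The observed domain names are constructed, apart from microsooft.com, which is the glossary's own example.

```python
from typing import List, Tuple

# Added example: flag look-alike (typosquatted) domains against a protected brand list.


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insertion, deletion, substitution), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'sub.name.tld' into (registrable label, tld). Simplification: assumes a
    single-label TLD; a real deployment would use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return domain.lower(), ""
    return labels[-2], labels[-1]


def find_lookalikes(candidates: List[str], protected: List[str],
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (candidate, protected_domain, distance) for each candidate whose
    registrable label is within max_distance edits of a protected brand label
    but is not the genuine domain itself. A brand label on a different TLD is
    reported with distance 0."""
    hits: List[Tuple[str, str, int]] = []
    for cand in candidates:
        c_label, c_tld = split_domain(cand)
        for brand in protected:
            b_label, b_tld = split_domain(brand)
            if c_label == b_label and c_tld == b_tld:
                continue  # the genuine domain, not a squat
            d = levenshtein(c_label, b_label)
            if d <= max_distance:
                hits.append((cand, brand, d))
    return hits


# Constructed sample: newly observed domains (e.g. from DNS or proxy logs).
SAMPLE_OBSERVED = ["microsooft.com", "microsoft.com", "rnicrosoft.com",
                   "micros0ft.net", "unrelated-shop.com"]
SAMPLE_PROTECTED = ["microsoft.com"]


if __name__ == "__main__":
    for cand, brand, d in find_lookalikes(SAMPLE_OBSERVED, SAMPLE_PROTECTED):
        print(f"{cand!r} is {d} edit(s) from {brand!r}")
```

A threshold of two edits catches doubled letters, dropped letters, digit-for-letter swaps such as 0 for o, and the two-character "rn" for "m" confusion, while keeping the false-positive rate low on short brand names; for very short labels the threshold should be reduced to one.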

V

Virus
Malware that replicates, commonly by infecting other files in the system, thus allowing the execution of the malware code and its propagation when those files are activated. Other forms of viruses include boot sector viruses and replicating worms.

Vulnerability
A flaw, error, or poor coding technique in a program that may allow an attacker to exploit it for a malicious purpose.

W

WildList
A list of malware that is used for testing antimalware products.

Worm
A worm is a self-propagating program that can automatically distribute itself from one computer to another. Worms may propagate themselves using one or more of the following methods:

  • E-mail programs
    A worm may propagate via e-mail messages by circulating as an attachment or via a link in the message. In some instances the worm creates and sends out e-mail messages containing a copy of itself as an attachment. In other cases, the worm creates and sends out e-mail messages containing a link to a certain Web site; the link then leads to a copy of itself.
  • Instant Messaging programs
    A worm may spread through instant messaging (IM) applications, such as Windows Live Messenger and AOL Instant Messenger, typically by sending IM messages that include a link to a copy of itself.
  • File-sharing programs
    A worm may propagate via file-sharing or peer-to-peer programs. It usually creates copies of itself in common download/upload folders of these programs, with file names taken from popular software or games. This social engineering technique makes it more likely that a user who wishes to download a counterfeit version of such popular software or games instead downloads and eventually runs a copy of the worm.
  • Social networking sites
    A worm may spread by automatically sending messages to all of a user's contacts in a social networking Web site, such as Facebook and MySpace. The message usually contains a link to a copy of itself.
  • Network shares
    A worm may propagate via network shares and mapped drives. These types of worms can spread by creating copies of themselves in shared folders. If these folders are password-protected, some worms may attempt to access the share by using commonly used user names and passwords.
  • Removable drives with Autorun enabled
    A worm may propagate via removable drives such as flash drives and portable hard disks. These types of worms are called autorun worms because, aside from creating copies of themselves on removable drives, they also drop a file, usually called autorun.inf. This INF file enables the worm copy to automatically run when the drive is accessed and Autorun is enabled. Autorun is the same functionality that allows, for example, your CD drive to automatically run a setup file when you install software, or play music when you insert a music CD.
  • Software vulnerabilities
    A worm may exploit a wormable vulnerability in certain software to spread to other systems. Examples of exploit worms are the Sasser and Blaster outbreaks, and the Conficker worm that first appeared in 2008. These worms exploited vulnerabilities in Windows services that are commonly used by computers to communicate with each other; hence a clean computer that communicates with an infected computer runs the risk of being infected itself.
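The autorun.inf described under "Removable drives with Autorun enabled" is a plain INI file, so a removable-media scan can inspect it before anything is run. The following is an added example, not code from the glossary's publisher: it parses the file and reports any [autorun] directive that would launch an executable, plus the custom "action" text that such files use to make the AutoPlay prompt look like an ordinary "open folder" choice. The two sample files are constructed for the example; the directive names (open, shellexecute, shell\...\command, action, icon, label) are the documented autorun.inf keys.

```python
from typing import Dict, List

# Added example: inspect an autorun.inf from removable media for launch directives.
# Both sample files are constructed for illustration.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

BENIGN_AUTORUN_INF = """\
[autorun]
icon=vendor.ico
label=Holiday photos
"""

EXEC_KEYS = ("open", "shellexecute")
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}} with lower-cased names.
    Lines starting with ';' are comments, as in INF syntax."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text: str) -> List[str]:
    """Return one finding per directive that would launch a program when the
    drive is opened, and one more if a custom 'action' label accompanies it."""
    findings: List[str] = []
    auto = parse_inf(text).get("autorun", {})
    for key, value in auto.items():
        launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        # Strip any arguments before checking the extension of the target file.
        target = value.split()[0].lower() if value.split() else ""
        if launches and target.endswith(EXEC_EXTENSIONS):
            findings.append(f"{key} launches {value}")
    if "action" in auto and any(k in auto for k in EXEC_KEYS):
        findings.append("custom 'action' text shown beside a launch directive (disguises the prompt)")
    return findings


if __name__ == "__main__":
    for finding in autorun_findings(SAMPLE_AUTORUN_INF):
        print("suspicious:", finding)
    print("benign file findings:", autorun_findings(BENIGN_AUTORUN_INF))
```

The icon and label keys are left alone because a vendor's installation media legitimately sets them; what separates the worm's file from a benign one is a directive that executes something, and the scan reports exactly those. The inspection is only a check on the file's contents; disabling Autorun for removable drives remains the control that actually stops this propagation method.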