Definitions for Terms Used in the Security Intelligence Report
Adware
A program that displays advertisements. Although some adware can be beneficial by subsidizing a program or service, other adware programs may display advertisements without adequate consent.
Backdoor Trojan
A type of trojan that provides attackers with remote unauthorized access to and control of infected computers. Bots are a subcategory of backdoor trojans. Also see botnet.
Botnet
A set of computers controlled by a “command-and-control” (C&C) computer to execute commands as directed. The C&C computer can issue commands directly (often through Internet Relay Chat [IRC]) or by using a decentralized mechanism, such as peer-to-peer (P2P) networking. Computers in a botnet are often called nodes or zombies. Also see C&C.
Buffer Overflow
An error in an application in which the data written into a buffer exceeds the capacity of that buffer, thus overwriting adjacent memory. Because memory is overwritten, the program may behave unreliably and, in certain cases, an attacker can use the overflow to run arbitrary code.
C&C
Short for command and control. See botnet.
CCM
Short for computers cleaned per mille (thousand). The number of computers cleaned for every 1,000 unique computers that run the MSRT. For example, if MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000).
Clean
To remove malware or unwanted software from an infected computer. A single cleaning can involve multiple disinfections. Compare with disinfect.
Definition
A set of signatures that can be used to identify malware by using antivirus or antispyware products. Other vendors may refer to definitions as DAT files, pattern files, identity files, or antivirus databases. Also see signature.
Disclosure
Revelation of the existence of a vulnerability to a third party. Also see vulnerability.
Disinfect
To remove a malware or unwanted software component from a computer or to restore functionality to an infected program. Compare with clean.
Downloader/Dropper
See trojan downloader/dropper.
Drive-By Download Sites
Encounter Rate
The percentage of computers running Microsoft real-time security software that report detecting malware or unwanted software, or report detecting a specific threat or family, during a period.
Exploit
Malicious code that takes advantage of software vulnerabilities to infect a computer or perform other harmful actions. Also see vulnerability.
Firewall
A program or device that monitors and regulates network traffic between two points, such as between a single computer and the network it connects to, or between two servers.
Generic
A type of signature that is capable of detecting a variety of malware samples from a specific family, or of a specific type, rather than a single known sample. Also see signature.
IFrame
Short for inline frame. An IFrame is an HTML document that is embedded in another HTML document. Because the IFrame loads another webpage, attackers can use it to place malicious HTML content, such as a script that downloads and installs spyware, into otherwise non-malicious pages hosted by trusted websites.
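The injected-IFrame pattern described above can be checked for mechanically. The following is an added example, not code from the Security Intelligence Report or from any Microsoft product: it parses a constructed HTML page and flags frames that point off-site and are also concealed (zero width or height, or a hidden style). Those heuristics are a common first-pass check and are assumed here for illustration, not a complete detection rule.

```python
"""Heuristic check for injected IFrames in an HTML page.

Added example, not code from the Security Intelligence Report or from any
Microsoft product. The page below is constructed for illustration; the
heuristics (off-site source combined with a hidden or zero-size frame) are
a common first-pass check, not a complete detection rule.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one legitimate same-site frame, plus two frames of the
# kind an attacker plants after compromising a trusted site.
CONSTRUCTED_PAGE = """
<html><body>
<h1>Trusted site</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://203.0.113.9/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="//cdn.example.net/ads" style="display:none"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_SIZE = re.compile(r"^\s*0+(?:px)?\s*$", re.I)


class IFrameCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in document order."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for frames that are both off-site and hidden.

    page_host is the host the page was served from; a frame whose src has no
    host (a relative URL) or the same host is treated as same-site.
    """
    parser = IFrameCollector()
    parser.feed(html)
    flagged = []
    for frame in parser.frames:
        src = frame.get("src", "")
        frame_host = urlparse(src).netloc.lower()
        if not frame_host or frame_host == page_host.lower():
            continue  # same-site frames are normal page structure
        reasons = ["off-site"]
        if ZERO_SIZE.match(frame.get("width", "")) or ZERO_SIZE.match(frame.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(frame.get("style", "")):
            reasons.append("hidden-style")
        if len(reasons) > 1:  # off-site alone is not enough; require concealment too
            flagged.append((src, reasons))
    return flagged


if __name__ == "__main__":
    for src, why in suspicious_iframes(CONSTRUCTED_PAGE, "www.example.com"):
        print(f"{src}: {', '.join(why)}")
```

Off-site frames are ordinary on most sites (embedded video, ad networks), so the check deliberately requires concealment as well; a real scanner would add reputation data for the frame's host and would also inspect script-generated frames, which this static parse cannot see.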
In The Wild
Said of malware that is currently detected on active computers connected to the Internet, as compared to those confined to internal test networks, malware research laboratories, or malware sample lists.
Keylogger
A program that sends keystrokes or screen shots to an attacker. Also see password stealer (PWS).
Malware
Any software that is designed specifically to cause damage to a user’s computer, server, or network. Viruses, worms, and trojans are all types of malware.
Monitoring Tool
Software that monitors activity, usually by capturing keystrokes or screen images. It may also include network sniffing software. Also see password stealer (PWS).
Operating System, Browser and Application Vulnerabilities
Password Stealer (PWS)
Malware that is specifically used to transmit personal information, such as user names and passwords. A PWS often works in conjunction with a keylogger. Also see monitoring tool.
Payload
The actions conducted by a piece of malware for which it was created. Payloads can include, but are not limited to, downloading files, changing system settings, displaying messages, and logging keystrokes.
Phishing
A method of credential theft that tricks Internet users into revealing personal or financial information online. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands to steal personally identifiable information (PII), such as user names, passwords, credit card numbers, and identification numbers.
Phishing Impression
A single instance of a user attempting to visit a known phishing page with Internet Explorer 7, 8, or 9, and being blocked by the Phishing Filter or SmartScreen Filter. Also see malware impression.
Pop-Under
A webpage that opens in a separate window that appears beneath the active browser window. Pop-under windows are commonly used to display advertisements.
Potentially Unwanted Software
A program with potentially unwanted functionality that is brought to the user’s attention for review. This functionality may affect the user’s privacy, security, or computing experience.
Remote Control Software
A program that provides access to a computer from a remote location. Such programs are often installed by the computer owner or administrator and are a risk only when their presence is unexpected.
Rogue Security Software
Software that appears to be beneficial from a security perspective but that provides limited or no security capabilities, generates a significant number of erroneous or misleading alerts, or attempts to socially engineer the user into participating in a fraudulent transaction.
Rootkit
A program whose main purpose is to perform certain functions that cannot be easily detected or undone by a system administrator, such as hiding itself or other malware.
Signature
A set of characteristics that can identify a malware family or variant. Signatures are used by antivirus and antispyware products to determine whether a file is malicious or not. Also see definition and generic.
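The distinction between a signature that identifies one variant and a generic signature that identifies a family (see the Generic and Signature entries) is easier to see on concrete bytes. The following is an added example, not code from the Security Intelligence Report or from any antimalware product, and its "family" is invented: three constructed samples share a short decoder stub and differ only in a one-byte key and their encoded payload. Signatures are written as byte regular expressions purely for illustration; real definition formats differ.

```python
"""Generic versus exact signatures over constructed samples.

Added example, not code from the Security Intelligence Report or any
antimalware product. The 'family' below is invented: three variants share a
short decoder stub and differ only in the XOR key and the encoded payload.
Signatures here are byte regular expressions; real definition formats differ.
"""
import hashlib
import re


def make_variant(key, length):
    """Build one constructed sample: a fixed stub with a variable key byte,
    followed by a payload XOR-encoded with that key (content is arbitrary)."""
    stub = b"\x8a\x06\x34" + bytes([key]) + b"\x88\x06\x46\xe2" + bytes([length])
    payload = bytes(((i * 7) ^ key) & 0xFF for i in range(length))
    return stub + payload


SAMPLES = {
    "fam.a": make_variant(0x5A, 16),
    "fam.b": make_variant(0x17, 24),
    "fam.c": make_variant(0xC3, 9),
    "benign": b"MZ" + b"\x00" * 30,
}

# Exact signature: the full bytes of one known sample. Catches that sample only.
EXACT_SIGS = {"Fam.A": re.compile(re.escape(SAMPLES["fam.a"]))}

# Generic signature: the stub with the key byte and everything after it
# wildcarded, so any variant that reuses the decoder matches.
GENERIC_SIGS = {"Fam.gen": re.compile(rb"\x8a\x06\x34.\x88\x06\x46\xe2", re.DOTALL)}


def scan(samples, sigs):
    """Return {sample_name: [matching signature names]}."""
    return {name: [sig for sig, pat in sigs.items() if pat.search(data)]
            for name, data in samples.items()}


def sha256_hex(data):
    """Hash-based identification: changes with every byte, so it is even
    narrower than an exact byte signature."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, sha256_hex(data)[:16],
              "exact:", scan({name: data}, EXACT_SIGS)[name],
              "generic:", scan({name: data}, GENERIC_SIGS)[name])
```

The exact signature and the hash each identify only the sample they were derived from; the generic signature catches all three variants because it anchors on the code that the family reuses rather than on the bytes that change between builds. The cost is the usual one: the broader the wildcarded region, the more care is needed to keep the signature from matching unrelated files.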
Social Engineering
A technique that defeats security precautions by exploiting human vulnerabilities. Social engineering scams can be both online (such as receiving email messages that ask the recipient to open an attachment, which is actually malware) and offline (such as receiving a phone call from someone posing as a representative of one’s credit card company). Regardless of the method, the purpose of a social engineering attack remains the same: to get the targeted user to perform an action of the attacker’s choice.
Spam
Bulk unsolicited email. Malware authors may use spam to distribute malware, either by attaching the malware to email messages or by sending a message containing a link to the malware. Malware may also harvest email addresses for spamming from compromised machines or may use compromised machines to send spam.
Spambot
A bot that sends spam at the direction of a remote attacker, usually as part of a spam botnet.
Spyware
A program that collects information, such as the websites a user visits, without adequate consent. Installation may be without prominent notice or without the user’s knowledge.
Tool
Software that may have legitimate purposes but may also be used by malware authors or attackers.
Trojan
A generally self-contained program that does not self-replicate but takes malicious action on the computer.
Trojan Downloader/Dropper
A form of trojan that installs other malicious files on a computer that it has infected, either by downloading them from a remote computer or by obtaining them directly from a copy contained in its own code.
Virus
Malware that replicates, typically by infecting other files on the computer, so that the malware code runs and propagates further when those files are activated.
Vulnerability
A weakness, error, or poor coding technique in a program that may allow an attacker to exploit it for a malicious purpose. Also see exploit.
Wild
See in the wild.
Worm
Malware that spreads by spontaneously sending copies of itself through email or by using other communication mechanisms, such as instant messaging (IM) or peer-to-peer (P2P) applications.