A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network. Such utilities may be legitimate and used for legitimate reasons by authorized administrators, but they may also be planted and misused by attackers.
A backdoor usually gains control of a system by exploiting vulnerabilities or bugs in the system's code, or by using undocumented functionality that was deliberately left in it.
See: heuristic analysis.
The most fundamental program in a computer system; it is responsible for booting up, or starting, the main operating system (OS) and for interfacing between the OS and the system's hardware components (graphics card, sound card, etc.) and peripherals (keyboard, mouse, etc.).
The critical importance of the Basic Input/Output System (BIOS) makes it an interesting and challenging target for virus writers, and malware has been produced (most infamously Virus:W32/CIH, which attempts to overwrite the flash BIOS) that damages the BIOS and in turn leaves the computer system unable to boot.
Originally used as a filtering mechanism for spam, a blacklist is a database of known unwanted e-mail addresses; traffic from a blacklisted address is blocked.
Nowadays, use of blacklists has been expanded to include other malicious or potentially unwanted items. Most antivirus products now include a blacklist of unwanted applications, which may be editable by the user based on their personal use profile.
Antivirus products may also include a file or web reputation service, which essentially blacklists malicious or potentially undesirable files or websites.
See also: whitelisting.
A communication protocol using short-range radio frequencies for communications between two or more devices up to a distance of about 10 meters, without needing wires or other physical connections.
The protocol is maintained by the Bluetooth Special Interest Group (SIG), which today includes many major product manufacturers. Since about 2003, Bluetooth functionality has become a standard feature in a vast range of products, ranging from laptops, mobile phones and headsets to household appliances and even cars.
Two or more devices communicating using Bluetooth can create a small personal area network (PAN). This type of network is usually used by a single user to connect various devices on their person or in their immediate surroundings - such as a mobile phone in a pocket to a wireless headset or computer - within an area of a few tens of feet at most.
Like many networks, a Bluetooth network can and has been exploited to transmit malware. In addition, the Bluetooth protocol can be subverted to allow such nuisances as bluejacking, or the act of sending unsolicited messages or files from one Bluetooth-enabled device to another (see also Spam).
A platform-specific type of worm that propagates primarily over a Bluetooth network. This type of worm is almost always designed to function on mobile devices, which make more use of Bluetooth connectivity than computers.
A Bluetooth-worm may or may not include a malicious payload.
Due to the limitations of Bluetooth connectivity, a user must have their device's Bluetooth functionality switched on and set to discoverable mode to be reachable by a Bluetooth-worm. The user must also actively accept a transmission request from an infected device before the Bluetooth-worm can successfully arrive on the new device.
To protect against possible infection by Bluetooth-worm, the user can practice the following safety guidelines:
• Set the Bluetooth-enabled device to non-discoverable when not in active use
• Do not accept Bluetooth-transmitted files from unknown users
A section of the computer system's hard disk that contains the boot program, a critical program that is responsible for initiating the main operating system.
Though most commonly used to refer to the boot sector of a computer system, this can also refer to a comparable section of a floppy disk or other type of data storage device:
• Master Boot Record (MBR)
The first sector of a partitioned storage device (contains information about the partitions)
• Volume Boot Record (VBR)
The first sector of a partition (volume), or of an unpartitioned storage device
• DOS Boot Record (DBR)
Boot sector created by using the FORMAT command on a hard disk
• Floppy Boot Record (FBR)
Boot sector on a floppy disk
Boot sectors can be infected with a particular type of virus known as the boot sector virus, or boot virus.
A boot sector virus, more commonly known simply as a boot virus, infects the Master Boot Record (MBR) or DOS Boot Record (DBR) of a hard drive, or the Floppy Boot Record (FBR) of a floppy disk. Boot viruses are quite rare nowadays: most motherboard BIOSes offer a setting that denies writes to the MBR without user permission, and the floppy disks that carried these viruses between machines have largely disappeared.
A boot virus can be either overwriting or relocating. An overwriting boot virus overwrites the MBR, DBR or FBR sector with its code, preserving partition table information or logical drive information, respectively. Relocating boot viruses save the original MBR, DBR or FBR at a new location on the hard or floppy drive. Sometimes, such actions can destroy certain areas of a hard disk or floppy disk, rendering the disk unreadable.
All boot viruses are memory-resident. When a computer is started, boot virus code is loaded in memory. The virus traps one of the BIOS functions (usually disk interrupt vector Int 13h) and stays resident in memory. The virus then monitors disk access and writes its code to the boot sectors of any media used on the infected computer.
A boot virus will typically infect all floppy disks inserted into an infected computer's floppy drive. This is part of the virus's propagation routine, for if these infected floppy disks are subsequently inserted into a clean machine, the new system is infected and the cycle begins again.
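An added worked example, written for this page rather than taken from any product or vendor, that covers both the boot sector layout listed above and the boot-virus behaviour just described: a parser for the MBR partition table and boot signature, plus an integrity hash of the 446-byte code area. An overwriting boot virus replaces that code while preserving the partition table, so the table still parses cleanly while the hash no longer matches a baseline recorded when the disk was known clean. The sample sector, its placeholder boot code and the simulated "infection" (an inert NOP fill of the code area) are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE   512
#define MBR_CODE_SIZE 446   /* bootstrap code: bytes 0..445 */
#define MBR_TABLE_OFF 446   /* four 16-byte partition entries: bytes 446..509 */
#define MBR_SIG_OFF   510   /* boot signature 0x55 0xAA: bytes 510..511 */

struct partition {
    uint8_t  bootable;    /* 0x80 = active, 0x00 = inactive */
    uint8_t  type;        /* partition type id; 0x00 = unused slot */
    uint32_t lba_start;   /* first sector, stored little-endian on disk */
    uint32_t sectors;     /* length in sectors, stored little-endian on disk */
};

struct mbr {
    struct partition part[4];
    int valid_signature;
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the partition table and boot signature from a raw 512-byte sector.
   Returns 0 if the 0x55AA signature is present, -1 otherwise. */
int parse_mbr(const uint8_t *sector, struct mbr *out) {
    memset(out, 0, sizeof *out);
    out->valid_signature = (sector[MBR_SIG_OFF] == 0x55 && sector[MBR_SIG_OFF + 1] == 0xAA);
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + MBR_TABLE_OFF + 16 * i;
        out->part[i].bootable  = e[0];
        out->part[i].type      = e[4];
        out->part[i].lba_start = rd_le32(e + 8);
        out->part[i].sectors   = rd_le32(e + 12);
    }
    return out->valid_signature ? 0 : -1;
}

/* FNV-1a over the code area only. Record this once while the disk is known clean;
   an overwriting boot virus replaces the code but keeps the partition table, so the
   table still parses while this value stops matching the baseline. */
uint64_t mbr_code_hash(const uint8_t *sector) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < MBR_CODE_SIZE; i++) {
        h ^= sector[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Constructed sample MBR: placeholder boot code (cli; jmp $), one active Linux
   partition starting at LBA 2048 with 204800 sectors, and a valid signature. */
void build_sample_mbr(uint8_t *sector) {
    memset(sector, 0, SECTOR_SIZE);
    sector[0] = 0xFA; sector[1] = 0xEB; sector[2] = 0xFE;
    uint8_t *e = sector + MBR_TABLE_OFF;
    e[0] = 0x80;                                            /* active */
    e[4] = 0x83;                                            /* type: Linux */
    e[8]  = 0x00; e[9]  = 0x08; e[10] = 0x00; e[11] = 0x00; /* lba_start = 2048 */
    e[12] = 0x00; e[13] = 0x20; e[14] = 0x03; e[15] = 0x00; /* sectors = 204800 */
    sector[MBR_SIG_OFF] = 0x55; sector[MBR_SIG_OFF + 1] = 0xAA;
}

/* Simulates the effect of an overwriting boot virus on the sector: the code area is
   replaced wholesale while bytes 446..511 (table and signature) are left untouched.
   The replacement is an inert NOP fill, not boot code. */
void overwrite_boot_code(uint8_t *sector) {
    memset(sector, 0x90, MBR_CODE_SIZE);
}

int main(void) {
    uint8_t sector[SECTOR_SIZE];
    struct mbr m;
    build_sample_mbr(sector);
    uint64_t baseline = mbr_code_hash(sector);
    overwrite_boot_code(sector);
    parse_mbr(sector, &m);
    printf("partition 0: type 0x%02x start %u len %u (table still intact)\n",
           m.part[0].type, m.part[0].lba_start, m.part[0].sectors);
    printf("boot code changed since baseline: %s\n",
           mbr_code_hash(sector) != baseline ? "yes" : "no");
    return 0;
}
```

A relocating virus would instead move the original sector elsewhere on the disk and point the new code at it; the hash check above still catches that case, because what sits in sector 0 has changed, but the partition table it finds may then belong to the virus's copy rather than the original.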
A malicious program that, on being installed onto a computer system, allows the attacker to enslave the system into a network of similarly affected systems known as a botnet. The individual computers in a botnet may also be referred to as a bot or a zombie.
Some malware - worms in particular - include bot-like capabilities. On infecting a computer, the malware will typically contact a remote server in order to receive further instructions. A special type of bot known as an IRCBot is a program that connects to an Internet Relay Chat (IRC) channel as a normal user, but is used by an attacker to control a zombie or a botnet.
The term "bot" is also used in more general situations for programs that perform automated tasks, such as scanning Web pages, calculating statistics and so on. Such programs are generally not considered malicious.
A portmanteau formed from the words robot and network, a 'botnet' is a network of infected computers that can be remotely controlled by an attacker, usually via a command-and-control (C&C) server. Each infected computer may be known as a bot, a zombie computer, or a zombie.
An attacker, or group of attackers, can harness the collective resources of a botnet to perform major malicious actions, such as sending millions of spam e-mails, launching a Distributed Denial-of-Service (DDoS) attack and much more.
One of the most notorious botnets of recent years was Storm, which came to prominence in 2007. The attackers used the Storm zombies to run phishing attacks and e-mail spam campaigns, which in turn netted more infected computers.
Storm's record number of infected machines was surpassed by Conficker, a worm first seen in late 2008 which by 2009 was estimated to have infected anywhere from 9 to 15 million machines. Unlike Storm, however, the attackers' control over the infected machines was largely stymied, as security researchers and domain registrars coordinated to pre-register the rendezvous domains the worm used to look for its controllers.
A program that allows users to easily view and interact with the contents (whether text, graphics or video) of a website. The site itself may be accessed over the Internet or through a local network.
There are many different browsers available for almost every computing platform — Microsoft Internet Explorer, Mozilla Firefox, Opera, Apple's Safari, Google Chrome, et cetera. Each has its own unique advantages, specifications and security issues.
The Preferred Program
A web browser is typically one of the most important programs on a computer system, as it is normally the primary program the average user relies on to browse the colossal amount of information available on the modern World Wide Web.
Browsers are also rapidly becoming the default platform for a variety of essential services. For example, many banks now allow customers to perform significant transactions through a browser-based application (as opposed to a separate program). This has only increased the importance of the web browser to the user.
Despite their ubiquity, browsers can pose a significant security risk, as they are one of the major conduits for malicious software onto a computer system. Attackers can use specially crafted code or programs to exploit vulnerabilities in the browser or the operating system in order to gain access to a vulnerable system's data and/or resources, often for further malicious or criminal use.
A type of web browser plug-in specifically designed for use with the Microsoft Internet Explorer browser.
A Browser Helper Object (BHO) executes automatically every time the browser is launched and provides functionality that is not built into the browser. This can range from simple services like enhanced copy-and-paste functionality, to more complex operations such as browser-based FTP services or easy links to popular social networking websites.
Though BHOs are generally safe and useful, they may pose a security risk under the following circumstances:
- If they track the user's browsing behavior without authorization
- If they are poorly written and inadvertently introduce a loophole or flaw
- If they are specifically designed to perform malicious actions (e.g. silently downloading malware onto the system)
A program that provides additional functionality to a web browser.
Browser plug-ins may pose a security risk if they perform potentially unwanted or unauthorized actions, such as redirecting searches or monitoring the user's browsing behavior. For this reason, some antivirus programs will label browser plug-ins as a type of 'Riskware' unless the user authorizes their installation and use.
A browser plug-in may also be referred to by a browser-specific name. For example, plug-ins for Microsoft Internet Explorer are known as Browser Helper Objects (BHOs), while those for Mozilla Firefox are known as add-ons.
Malicious alteration of a web browser’s start page and search settings in order to direct users to unsolicited websites.
Browser hijacking may be performed by malware already installed on the computer, which simply rewrites the browser's settings, or by malicious scripts hosted on websites, which generally need an unpatched vulnerability in the web browser in order to change settings without the user's consent.
Keeping the web browser updated with the latest security patches defends against the script-based route; it does not undo changes made by malware that is already running on the system, which must be removed and the settings restored.
A type of attack that typically targets authentication mechanisms such as passwords.
A brute-force attack is an exhaustive, trial-and-error attempt that involves rapidly cycling through a comprehensive list of possible passwords or decryption keys until the correct one is found. Brute-force attacks commonly succeed because of weak passwords and/or human error or laxness.
Often, a brute-force attack is combined with a dictionary attack, which uses a long list of words taken from dictionaries and popular culture references. Unlike a standard brute-force attack, which tries every possible string, a dictionary attack tries first the candidates thought to have the highest chances of success.
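An added example, not code from the original page, that carries out both attacks described above against a constructed target: a dictionary pass with simple mangling rules (capitalisation, one appended digit), then an exhaustive odometer search over an alphabet, together with a keyspace count showing why password length and alphabet size matter. The hash function is a stand-in (FNV-1a, assumed here only so that guesses have something deterministic to be compared against; it is not a password hash), and the word list is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the captured password hash. FNV-1a is NOT a password hash; it is
   only a fast, deterministic function for guesses to be compared against. */
uint64_t toy_hash(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 1099511628211ULL; }
    return h;
}

/* Number of candidates of length 1..max_len over an alphabet of k symbols. */
uint64_t keyspace(uint64_t k, int max_len) {
    uint64_t total = 0, pw = 1;
    for (int len = 1; len <= max_len; len++) { pw *= k; total += pw; }
    return total;
}

static int try_guess(uint64_t target, const char *guess, char *out, size_t outsz, uint64_t *attempts) {
    (*attempts)++;
    if (toy_hash(guess) != target) return 0;
    snprintf(out, outsz, "%s", guess);
    return 1;
}

/* Dictionary attack: each word as-is and capitalised, each also with one appended digit. */
int dictionary_attack(uint64_t target, const char *const *words, size_t nwords,
                      char *out, size_t outsz, uint64_t *attempts) {
    char cand[64];
    *attempts = 0;
    for (size_t w = 0; w < nwords; w++) {
        size_t base = strlen(words[w]);
        if (base + 2 > sizeof cand) continue;           /* leave room for digit + NUL */
        for (int cap = 0; cap < 2; cap++) {
            memcpy(cand, words[w], base + 1);           /* copy including the NUL */
            if (cap && cand[0] >= 'a' && cand[0] <= 'z') cand[0] -= 'a' - 'A';
            if (try_guess(target, cand, out, outsz, attempts)) return 1;
            for (int d = 0; d <= 9; d++) {
                cand[base] = (char)('0' + d);
                cand[base + 1] = '\0';
                if (try_guess(target, cand, out, outsz, attempts)) return 1;
            }
        }
    }
    return 0;
}

/* Exhaustive search: an odometer over the alphabet, shortest lengths first. */
int brute_force(uint64_t target, const char *alphabet, int max_len,
                char *out, size_t outsz, uint64_t *attempts) {
    size_t k = strlen(alphabet);
    int idx[16];
    char buf[17];
    *attempts = 0;
    if (max_len > 16) max_len = 16;
    for (int len = 1; len <= max_len; len++) {
        memset(idx, 0, sizeof idx);
        for (;;) {
            for (int i = 0; i < len; i++) buf[i] = alphabet[idx[i]];
            buf[len] = '\0';
            if (try_guess(target, buf, out, outsz, attempts)) return 1;
            int pos = len - 1;                          /* advance the odometer */
            while (pos >= 0 && (size_t)++idx[pos] == k) idx[pos--] = 0;
            if (pos < 0) break;                         /* every position rolled over */
        }
    }
    return 0;
}

int main(void) {
    static const char *const words[] = { "password", "letmein", "summer", "dragon" }; /* constructed */
    char found[32];
    uint64_t n;
    if (dictionary_attack(toy_hash("Summer7"), words, 4, found, sizeof found, &n))
        printf("dictionary: %s after %llu guesses\n", found, (unsigned long long)n);
    if (brute_force(toy_hash("ab1"), "abcdefghijklmnopqrstuvwxyz0123456789", 3, found, sizeof found, &n))
        printf("brute force: %s after %llu of %llu candidates\n", found,
               (unsigned long long)n, (unsigned long long)keyspace(36, 3));
    printf("8 chars over 95 printable ASCII: %llu candidates\n", (unsigned long long)keyspace(95, 8));
    return 0;
}
```

The attempt counts are what make the difference between the two attacks concrete: a mangled dictionary word is found in a few dozen guesses, while even a three-character lower-case alphanumeric password costs up to 47,988. Real systems blunt both attacks with rate limiting, account lockout and deliberately slow password hashes, so each guess costs far more wall-clock time than the toy hash here suggests.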
A vulnerability stemming from a program's management of memory resources. This type of vulnerability can exist if the memory allocation is poorly designed or can be forced to behave in unexpected ways.
Normally, a program allocates a specific 'area' of memory (a buffer) to hold any temporary information it needs. If the program does not check the length of incoming data against the size of that buffer, an attacker can supply more data than the buffer can hold - often including exploit code - and force the program to write past the buffer's boundary into adjacent memory. The data 'overflows' the boundary set by the program, hence the name.
Technically, there are several types of buffer overflow (stack-based, heap-based and so on), depending on where the overflowed buffer lives and how the program handles the excess data. In practical terms, a buffer overflow can crash the targeted program, corrupt or delete data, or allow the attacker to run code of their choosing with the program's privileges, for example to transform the computer into a zombie.
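As an added example (not code from the original page), here is the vulnerable pattern beside its hardened form in C. It assumes a hypothetical login routine in which a fixed-size name buffer sits directly before a flag the program trusts, so that writing past the buffer flips the flag; the attack string is constructed for the demonstration. The overflowing copy is capped at the size of the frame so that the program stays well-defined C; a real strcpy() has no such cap and would keep writing into whatever follows, including a saved return address.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16

/* Stand-in for a stack frame: the fixed buffer is followed in memory by a flag the
   program trusts. No padding follows a 16-byte char array, so is_admin sits at offset 16. */
struct login_frame {
    char         name[NAME_LEN];
    unsigned int is_admin;
};

/* VULNERABLE (the 'before'): copies strlen(input)+1 bytes starting at name[] with no
   check against NAME_LEN, which is exactly what strcpy(f.name, input) does. The copy goes
   through a byte pointer to the whole frame, capped at sizeof f, purely so this demo stays
   defined behaviour; strcpy() would not stop at the end of the frame. */
int unsafe_login(const char *input) {
    struct login_frame f;
    memset(&f, 0, sizeof f);
    size_t n = strlen(input) + 1;
    if (n > sizeof f) n = sizeof f;             /* demo cap only; strcpy has no such cap */
    memcpy((unsigned char *)&f, input, n);      /* bytes 16.. land in is_admin */
    return (int)(f.is_admin != 0);
}

/* HARDENED: check the length before copying and reject over-long input outright.
   Silently truncating (e.g. with strncpy) would hide the attack attempt rather than report it. */
int safe_login(const char *input) {
    struct login_frame f;
    memset(&f, 0, sizeof f);
    size_t len = strlen(input);
    if (len >= NAME_LEN) return -1;             /* no room for the terminating NUL: reject */
    memcpy(f.name, input, len + 1);
    return (int)(f.is_admin != 0);              /* always 0: the flag is never touched */
}

/* Constructed attack input: 16 filler bytes cover name[] entirely, and the 17th byte
   lands on the first byte of is_admin, making it non-zero. */
static const char ATTACK_INPUT[] = "AAAAAAAAAAAAAAAA\x01";

int main(void) {
    printf("offset of is_admin in frame: %zu\n", offsetof(struct login_frame, is_admin));
    printf("unsafe_login(\"alice\")   -> %d\n", unsafe_login("alice"));
    printf("unsafe_login(attack)    -> %d  (flag flipped by the overflow)\n", unsafe_login(ATTACK_INPUT));
    printf("safe_login(attack)      -> %d  (rejected before any copy)\n", safe_login(ATTACK_INPUT));
    return 0;
}
```

The same length check is the rule for every fixed-size buffer: decide what to do with over-long input before the copy, not after, and prefer rejecting it to quietly cutting it short.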
A programming error in an application's code.
A bug usually results in one or more undesirable effects, ranging from barely detectable quirks in an application's performance, to completely crippling it.
The best known bugs are those that afflict legitimate programs and impact the user's ability to use the program. If the bug is particularly severe - for example, if it causes the application to crash or introduces a security risk - it may be considered a vulnerability.
Malware is also sometimes afflicted by bugs, which prevent its malicious routines from functioning as the author intended. In some cases, this prevents the malware from replicating or executing its payload at all.