The Type designation 'Data Miner' was previously used by F-Secure to identify a program that collects information on user browsing behavior, usually without a user's knowledge or authorization. The collected information can include data entered into online forms, such as sensitive account details and passwords. Once the information is collected, it is usually transmitted to an external party for further analysis and misuse.
With changes in the threat landscape today, programs previously identified as 'Data Miner' have been reclassified under the Spyware Category, with the Type designation 'Trackware'.
The update in naming better clarifies the program's overall security profile in the current, more complex threat landscape.
A type of Internet-based attack that aims to deny legitimate users access to a service (for example, a website or a network) by overloading a relevant computer resource or network device.
The most common type of Denial of Service (DoS) attack takes the form of a massive amount of requests being sent from a host machine to the target, for example, a government website server.
When a target under attack reaches its maximum capacity of handling such requests, it is unable to complete answering all the requests it receives, and any new requests from legitimate users cannot be processed until all the pending requests are resolved - hence, denial of service.
DoS attacks can be carried out by malware, which forces the infected machine to carry out the attack as part of the malware's payload. An 'upgraded' version of this is a DoS attack carried out by a botnet, in which multiple malware-infected computers are ordered to flood a target by the controlling attacker.
There are numerous types of DoS attacks, including:
The attacker sends out a flood of ICMP_ECHO packets to the target, swamping CPU usage and effectively rendering the target unusable until the flood ends or the target is reset or restarted.
Peer to Peer attack:
Attackers exploit bugs in peer-to-peer servers and redirect clients from the peer-to-peer server to the target server instead, flooding the target with thousands of connections and overwhelming its resources.
Application level floods:
A DoS attack carried out via particular applications, most commonly Internet chat systems. The most common kind of flood is an IRC flood, which is carried out on the popular IRC chat system.
Distributed Denial-of-Service (DDoS):
A DoS attack which is carried out on a specified target simultaneously by multiple hosts. This type of attack is typically carried out by a botnet, or a massive network of compromised bot machines under the control of a hacker, or group of hackers. A DDoS attack is by its very nature much harder to defend against than a DoS attack, and unfortunately such attacks are becoming increasingly common.
See Distributed Denial-of-Service (DDoS) entry below for more information.
Permanent DoS attack:
An attack which targets the network or computer hardware with the aim of causing so much damage that reinstallation or replacement of the hardware is required. This attack method is possible because security flaws in the hardware's programming (firmware) make it possible for attackers to introduce or execute malicious code, effectively rendering the hardware unusable.
A unique string or algorithm used by antivirus programs to identify a virus, worm or other malicious program. A detection may also be known as a signature or definition.
Detections are important because they are integral to how an antivirus program functions. To create a detection, an analyst must first examine a malware sample and identify its unique characteristics. The analyst can then use these characteristics to create an algorithm or signature to identify that specific malware and no other. The signature is then saved into a database that is sent out to all supported antivirus products.
Whenever a user runs an antivirus program and scans their computer system for malware, what the program is really doing is comparing all the files against those in its database; if any of the files match a signature in the database, the file is flagged as infected.
This type of scanning is known as signature-based analysis, and depends on having the most up-to-date databases in order to provide protection against the latest threats. An alternative or complementary type of analysis is heuristic analysis.
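The signature comparison described above, as an added example that is not part of this glossary or any F-Secure product: a small scanner with a constructed database holding one exact whole-file hash and one byte-pattern signature. The sample "files", the signature contents and the detection names are all constructed; the run shows why an exact hash stops matching as soon as a sample is altered while a pattern signature still covers the family.

```python
import hashlib
import re

# Constructed stand-ins for scanned files (harmless byte strings, not real malware).
SAMPLES = {
    "update_patch.exe": b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00" + b"drop:hotpix.scr|run",
    "update_patch_v2.exe": b"MZ\x90\x00" + b"\x00" * 28 + b"PE\x00\x00" + b"drop:hotpix.scr|run|v2",
    "notes.txt": b"Quarterly report draft",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed signature database. The first entry is an exact whole-file hash
# (matches one sample and no other); the second is a byte pattern describing
# a characteristic the analyst found in the whole family.
SIGNATURES = [
    {"name": "Dropper-Example.A", "sha256": sha256_hex(SAMPLES["update_patch.exe"])},
    {"name": "Dropper-Example.Gen",
     "pattern": re.compile(rb"MZ.*PE\x00\x00.*drop:\w+\.scr\|run", re.DOTALL)},
]

def scan(data: bytes) -> list[str]:
    """Compare one file's content against every signature in the database."""
    hits = []
    digest = sha256_hex(data)
    for sig in SIGNATURES:
        if "sha256" in sig:
            if sig["sha256"] == digest:
                hits.append(sig["name"])
        elif sig["pattern"].search(data):
            hits.append(sig["name"])
    return hits

def scan_all(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a set of files; a file with no matching signature is reported clean."""
    return {name: scan(data) for name, data in files.items()}

if __name__ == "__main__":
    for name, hits in scan_all(SAMPLES).items():
        print(f"{name}: {'infected ' + ', '.join(hits) if hits else 'clean'}")
```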
Disinfection or removal is the process of removing malicious files or components from a computer system, including all relevant or harmful registry keys, mutexes, and other changes made by the malware.
In computer security, disclosure generally means public notification of a previously unknown vulnerability in a software program. Such disclosures may come from the program vendors, computer security companies and not infrequently, independent security researchers.
Due to the potential threat posed by a new, unpatched vulnerability, especially in a popular or business-critical program, disclosures can have a significant impact on computer security. If details of the vulnerability are disclosed to the general public without giving the program vendor sufficient time to create a security patch to close it, the information may give malicious attackers an opportunity to exploit the program.
On the other hand, limited disclosure to the vendors has been criticized as often resulting in slow or no responses, which ultimately leaves the program users unprotected.
As a compromise, many security researchers provide a limited disclosure to the affected vendors for a certain period, before taking their information public.
On a related note, F-Secure provides a channel for security researchers to report a potential vulnerability in F-Secure products. For more information, please see Security Advisories.
The Type designation 'Dialer' was previously used by F-Secure to identify a program that connects the computer to the Internet via a telephone line and modem.
In the days before widespread broadband Internet connections, dialers were often the only way the average user could access the Internet. Malicious dialers secretly connect the computer to premium-rate lines, greatly increasing the usage charges payable by the user.
With changes in the threat landscape today, programs previously identified as 'Dialer' programs are now classified under the Riskware Category, with the Type designation 'Application'.
The update in naming better clarifies the program's overall security profile in the current, significantly more threatening malware environment.
A type of attack conducted over the Internet, using the combined resources of many computers to bombard, and frequently crash, a targeted computer system or resource (e.g., a program, website or network).
There are various types of Distributed Denial of Service (DDoS) attacks, which vary based on how the attack is conducted.
DDoS attacks are sometimes included as part of a worm or trojan's payload - all infected computers are directed to attack the selected target. DDoS attacks are also often performed by botnets, as the combined resources of all the computers in the botnet can generate a tremendous amount of data, enough to overwhelm most targets' defenses within seconds.
DDoS attacks have become one of the more dangerous menaces of the modern Internet.
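The difference between the single-host floods in the DoS entry and the distributed floods described here, as an added example that is not part of this glossary: a sliding-window request-rate check run over a constructed request log. The timestamps, addresses and thresholds are constructed; the run shows that a per-source limit catches one flooding host, while a botnet whose members each stay under that limit is only visible in the aggregate rate.

```python
from collections import defaultdict, deque

# Constructed request log as (timestamp_ms, source_ip); not captured from a real server.
LOG = (
    [(t * 10, "10.0.0.5") for t in range(300)]                    # one host: 100 req/s for 3 s
    + [(5000 + t * 5, f"192.0.2.{t % 200}") for t in range(1000)]  # 200 hosts, 1 req/s each, 200 req/s total
    + [(20000 + t * 1000, "203.0.113.9") for t in range(5)]       # normal client: 1 req/s
)

def detect_floods(events, window_ms=1000, per_source_limit=50, total_limit=150):
    """Sliding-window rate check over (timestamp_ms, source) events.
    A source exceeding per_source_limit requests in a window is a single-host
    flood; the aggregate exceeding total_limit is a distributed flood, which a
    per-source limit alone never sees because each bot stays below it."""
    per_source = defaultdict(deque)
    overall = deque()
    single_host = set()
    ddos_first_seen = None
    for ts, src in sorted(events):
        q = per_source[src]
        q.append(ts)
        while q[0] < ts - window_ms:      # drop this source's requests older than the window
            q.popleft()
        overall.append(ts)
        while overall[0] < ts - window_ms:  # same for the aggregate across all sources
            overall.popleft()
        if len(q) > per_source_limit:
            single_host.add(src)
        if ddos_first_seen is None and len(overall) > total_limit:
            ddos_first_seen = ts
    return {"single_host_floods": sorted(single_host), "ddos_first_seen_ms": ddos_first_seen}

if __name__ == "__main__":
    print(detect_floods(LOG))
```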
A Domain Name System (DNS) server is responsible for ‘translating’ the human-friendly domain names (e.g., ‘www.f-secure.com’) into IP addresses, the machine-friendly 32-bit long numbers that identify computers and private networks on the Internet.
The DNS servers are the workhorses of the Internet’s Domain Name System (DNS), a distributed, hierarchical naming system that essentially ‘maps out’ all the computers and other resources on the Internet.
A single DNS server will usually store the IP addresses and related domain name information for a particular ‘section’ of the Internet; it will then function as the ‘guideposts’ that provide enquiring computers with correct directions for resources in ‘their area’.
A domain name (e.g., ‘www.f-secure.com’) is a human-friendly text string given to identify a specific resource on the Internet – in most cases, a website.
Each domain name maps to a specific IP address. Domain names are used because IP addresses, which are what the computers use to identify the same resources, aren’t easy for humans to remember.
Domain names are a part of the hierarchical Domain Name System (DNS) used to organize all resources on the Internet. The various elements in the domain name itself reflect the DNS hierarchy:
- .com – this is the ‘generic top-level domain’ that indicates the resource’s general purpose or location. Other examples of generic top-level domain names include ‘.org’, ‘.net’ and country-specific abbreviations, such as ‘.uk’.
- F-Secure – this is technically called a ‘second-level domain’, and is the unique identifier for the resource. Site operators must buy and register this text string in order to be considered the ‘domain owner’.
- www – this indicates the type of server that handles the Internet requests; in this case, ‘www’ indicates this is a web server. This may also be an ftp or email server, and a single domain could of course have multiple servers to handle different functions.
The acronym formed from the words Disk Operating System refers to an early operating system (OS) created by Microsoft for IBM and IBM-compatible computers; the OS was also used for Windows 3.1, 95, 98, and ME.
More current Windows versions, such as NT, 2000, XP, and Vista, also include a version of DOS known as "DOS emulation", which allows users to run old DOS applications.
The first physical section or partition of a diskette or floppy disk (FDD), containing a boot program capable of starting the computer's main operating system, and information needed by the boot program to do so. To be able to boot a computer system this way, the diskette must be formatted as a system disk or a bootable diskette.
If a bootable diskette is inserted into a machine, most computer systems will by default boot up using the boot program stored on the diskette, rather than the boot program stored on the computer's hard disk drive (HDD).
A DOS Boot Record (DBR) may also be found on an HDD, though in this case it is not necessarily located on the first partition. The DBR is sometimes referred to as the DOS Boot Sector.
DBR & Boot Viruses
The DBR is a target of interest to virus writers because code located in this area is almost always automatically executed when a disk is inserted into a computer. If a virus writer can insert malicious code into the DBR, then there is a very high chance that a computer system booted from an infected DBR will also be infected.
Like the related Master Boot Record (MBR), the DBR can be infected by a boot virus. A boot sector virus typically affects the DBR by writing over or relocating critical information in it; if done incorrectly, this can cause critical damage. If successful, the virus becomes memory-resident and can subsequently infect the boot sectors of any media - usually floppy disks - inserted into the infected machine.
Fortunately, boot sector viruses are much rarer nowadays, as most computers prevent any access to the boot sector without the user's permission.
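The DBR layout described in this entry, as an added example that is not part of this glossary: a parser for a constructed 512-byte DOS boot record that reads the BIOS parameter block fields, checks the 0x55AA boot signature, and compares the boot-code area against a previously recorded known-good hash, which is the integrity check a scanner uses to notice that the record's code has been overwritten or relocated. The field offsets are the standard FAT boot sector layout; the sample record and its code bytes are constructed, not copied from any real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BPB_FORMAT = "<HBHBHHBH"   # bytes/sector, sectors/cluster, reserved, FATs, root entries,
                           # total sectors, media descriptor, sectors/FAT (offsets 11..23)
CODE_START = 0x3E          # boot code follows the BIOS parameter block area

def build_dbr(boot_code: bytes) -> bytes:
    """Assemble a constructed 1.44 MB floppy-style DOS boot record (not copied from any disk)."""
    if len(boot_code) > 510 - CODE_START:
        raise ValueError("boot code does not fit in the sector")
    bpb = struct.pack(BPB_FORMAT, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    header = (b"\xEB\x3C\x90" + b"MSDOS5.0" + bpb).ljust(CODE_START, b"\x00")
    return header + boot_code.ljust(510 - CODE_START, b"\x00") + b"\x55\xAA"

def parse_dbr(sector: bytes) -> dict:
    """Extract the fields a scanner checks before trusting a boot record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot record is exactly one 512-byte sector")
    fields = struct.unpack_from(BPB_FORMAT, sector, 11)
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": fields[0],
        "sectors_per_cluster": fields[1],
        "reserved_sectors": fields[2],
        "fat_count": fields[3],
        "total_sectors": fields[5],
        "valid_signature": sector[510:512] == b"\x55\xAA",
        "code_sha256": hashlib.sha256(sector[CODE_START:510]).hexdigest(),
    }

def dbr_modified(sector: bytes, known_good_code_hash: str) -> bool:
    """True when the boot code area no longer matches a previously recorded
    good copy, which is what a boot virus overwriting or relocating it does."""
    info = parse_dbr(sector)
    return not info["valid_signature"] or info["code_sha256"] != known_good_code_hash
```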
This term refers to the automatic download of a program onto a user's computer, almost always without their knowledge or authorization.
Drive-by downloads are often used in conjunction with Search Engine Optimization (SEO) attacks, in which search engine results are poisoned in order to redirect users to a malicious site where the drive-by attack can take place.
The term 'drive-by download' is most frequently used to describe the situation of a website forcibly and silently downloading malware onto a visitor's system, but clicking on pop-up ads or viewing an e-mail message may also result in the user being subjected to this attack.
A malicious program whose primary aim is to drop other malware onto the system.
Though once commonly used to deliver viruses onto a computer system, droppers have been almost completely superseded by trojan-droppers in today's threat landscape.
How Droppers Work
A dropper shares some similarities with trojans in that it typically depends on some form of social engineering to work. The dropper file will often:
- Appear to be an update or crack for a trusted program
- Use names such as seXXX or hotpix to draw attention
While executing, the dropper may display a message or animation as a decoy to distract the user.
As virus writers have grown more sophisticated over the years, the separate functions of a dropper and its payload have been merged into a single program, with yesterday's droppers evolving into the trojan-droppers of today.