A type of scripted 'operation' found in some applications that allows users to automate certain functions or instructions.
Macros are basically a set of instructions, which can be automatically processed with the click of a button or some other simple trigger, saving the user valuable time and effort.
Properly functioning macros can be extremely useful, as they make using certain applications far less complex than it would otherwise be. For example, the familiar 'copy-paste' function in many document editing programs is a type of macro.
Macros are most commonly associated with Microsoft Office applications, but many other programs include them. Many programs also allow customizable macros, which the user can tailor to their own needs. In a sense, they become 'mini-executables' that affect a particular program.
Macros & Malware
Despite their legitimate use, some users view macros with a jaundiced eye as they are known to be misused to deliver, execute and hide malware. Because they can function like executable files, macros can be subverted to act like malicious software.
To deliver a malicious macro to a victim, the malware author simply needs to include it in a document (for example a text document or spreadsheet), then send the tainted file to the target. On opening and running the file, the malicious macro will perform its dirty deeds.
Viruses which infect and spread using macros are often referred to as 'macro viruses'.
A series of operating systems (also known as the 'Classics') from Apple that precede the current Mac OS X. A sizable percentage of Apple computers still run on these older operating systems, which can be referred to as MacOS.
A portmanteau of the words 'malicious' and 'software', this general term encompasses viruses, trojans, worms and other malicious programs.
Unlike 'riskware', which is used to refer to a program that may be legitimate, 'malware' denotes a program that has been specifically designed with malicious intent. It also differs from programs that we categorize as 'spyware', as some spyware may, depending on jurisdiction or usage, be authorized and desired by the user.
The term 'malware' can be used in the singular to refer to a specific malicious program, such as a trojan or worm (e.g., "this malware program..."), and can also be used to collectively describe these programs in general (i.e., "the rise of malware in 2009 has been exponential...").
In computer security, this type of attack involves an undetected third party actively eavesdropping and controlling communications between two systems.
The specific technical details of how the attack is performed vary depending on the type of communication being intercepted (wireless, Internet, mail, etc.), but for it to be successful, the attacker must be able to impersonate each side of the dialogue and convince the other that the communication is private and authentic.
MITM attacks are usually done in order to intercept or modify messages sent between the two systems, or to inject false information.
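The point about impersonation and authenticity can be made concrete with a small simulation. The following is an added example, not part of the original glossary: two parties exchange a message across a hop controlled by an attacker who relays and rewrites traffic. Without integrity protection the receiver accepts the altered message; with an HMAC over a pre-shared key (constructed here, as are all parties and messages) the receiver detects the tampering, because the attacker cannot forge a tag without the key.

```python
"""Toy man-in-the-middle (MITM) simulation: an attacker on the path relays
and alters traffic between two parties. Shows why message authentication
(here HMAC-SHA256 over a pre-shared key) lets the receiver detect tampering.
All parties, keys and messages below are constructed for this example."""
import hashlib
import hmac
from typing import Dict, Optional

SHARED_KEY = b"constructed-pre-shared-key"  # known only to Alice and Bob


def make_frame(key: Optional[bytes], text: str) -> Dict:
    """Sender side. With a key, attach an HMAC-SHA256 tag over the body."""
    body = text.encode()
    frame: Dict = {"body": body}
    if key is not None:
        frame["tag"] = hmac.new(key, body, hashlib.sha256).digest()
    return frame


def verify_frame(key: Optional[bytes], frame: Dict) -> bool:
    """Receiver side. Without a key there is nothing to check, so anything
    is accepted; with a key, the tag must match (constant-time compare)."""
    if key is None:
        return True
    tag = frame.get("tag")
    if tag is None:
        return False
    expected = hmac.new(key, frame["body"], hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def mallory_relay(frame: Dict) -> Dict:
    """Attacker's hop: forwards the frame but rewrites the payee. Mallory
    does not know SHARED_KEY, so any tag present is left as it was."""
    altered = dict(frame)
    altered["body"] = frame["body"].replace(b"Bob", b"Mallory")
    return altered


def run_exchange(protected: bool) -> Dict:
    """Alice -> Mallory -> Bob. Returns what Bob saw and whether he accepted."""
    key = SHARED_KEY if protected else None
    sent = make_frame(key, "Pay 100 to Bob")
    received = mallory_relay(sent)  # every frame crosses Mallory's hop
    return {"received": received["body"].decode(),
            "accepted": verify_frame(key, received)}


if __name__ == "__main__":
    print("unprotected:", run_exchange(False))
    print("protected:  ", run_exchange(True))
```

The simulation covers only integrity; confidentiality (encryption) and how the two parties agree on the key without the attacker learning it are the other halves of the problem, and an attacker who does obtain the key can impersonate either side, which is exactly the condition the entry describes.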
Another term for e-mail worms, which spread copies of themselves to new machines via e-mail.
Once present on a machine, these worms would typically send an e-mail to every e-mail address saved on the computer, with a copy of the worm's own executable code as an attachment. Various social engineering tricks would be used to persuade the recipients to open the attachment, thus launching the worm on the new machine and perpetuating the cycle.
Earlier worms would use the infected machine’s e-mailing program, but more sophisticated worms simply include their own mailing engine, circumventing protective measures on the machine’s e-mail setup.
The boot sector of a hard disk is referred to as the Master Boot Record (MBR).
The boot sector is a dedicated area of a storage device - such as a hard drive or a floppy disk - that contains critical information for starting the main operating system (OS). The information saved in the MBR is used by a boot program to start the main OS whenever the user switches on the computer (a process known as 'booting the OS', or similar).
The MBR and Malware
Back when DOS was the major operating system on most computers, the MBR was a favored target of virus writers, leading to the creation of boot viruses. By affecting the MBR, a virus writer didn't need to bother with stealth techniques and other tactics to evade detection, as most security programs at the time weren't able to scan the MBR to detect such malicious changes.
Fortunately, defensive measures by operating system vendors greatly reduced the ability of these boot viruses to modify the MBR. Boot viruses became significantly less common until recently, when the MBR was again targeted, this time by sophisticated rootkits such as Mebroot.
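Because the MBR has a fixed, simple layout, checking it for unexpected changes is straightforward. The following is an added example (not part of the original glossary) that parses a classic 512-byte MBR, validates the 0x55AA boot signature, lists the partition table, and compares a hash of the bootstrap code against a recorded baseline so that a modified boot sector, the kind of change a boot virus or MBR rootkit makes, is flagged. The sample MBR is constructed inline; it is not a real disk image.

```python
"""Parser for a classic 512-byte Master Boot Record (MBR) with a baseline
comparison of the bootstrap code. Standard layout used here:
bytes 0-445 bootstrap code, 446-509 four 16-byte partition entries,
510-511 boot signature 0x55 0xAA. Partition entry: status, CHS start (3),
type, CHS end (3), LBA start (u32 LE), sector count (u32 LE).
The sample MBR below is constructed for this example."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"  # 16 bytes
SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Construct a minimal MBR: a stub bootstrap, one bootable partition of
    type 0x07 starting at LBA 2048, three empty entries, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + entry + empty * 3 + SIGNATURE


def parse_mbr(sector: bytes) -> Dict:
    """Return signature validity, a hash of the bootstrap code and the
    non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:  # type 0x00 marks an unused entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_against_baseline(sector: bytes, baseline_sha256: str) -> List[str]:
    """Return findings for an MBR compared with a previously recorded
    bootstrap hash. An empty list means nothing suspicious was found."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from recorded baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = bytearray(clean)
    tampered[10] = 0xEB  # simulate a patched bootstrap instruction
    print("clean:   ", check_against_baseline(clean, baseline))
    print("tampered:", check_against_baseline(bytes(tampered), baseline))
```

In practice the baseline hash is recorded on a known-clean system (for example right after installation) and the live sector 0 is read with raw disk access; the comparison also needs to allow for legitimate bootstrap updates by the OS or boot manager, otherwise every such update looks like an infection.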
A virus that remains in a computer system's memory after its host file has been closed is said to be 'resident' in the memory.
Conversely, a program that executes and then removes itself from memory is said to be 'non-memory-resident'.
Memory-resident versus Non-memory-resident
For a virus writer, the choice of whether to make the virus memory-resident or not is related to the virus's need to produce copies in order to survive (see replication entry). Each option has its own advantages and disadvantages.
Malware, particularly viruses, stays resident in memory in order to continue performing actions, such as infecting other files, over a longer period of time (see the resident entry). This is in contrast to non-memory-resident viruses, which must perform all their necessary actions within the time that their host file is active.
Being memory-resident does carry a risk however, as it makes the virus more noticeable to an alert user, as well as more visible to a security application.
A virus that rewrites its own code at each iteration, so that each succeeding version appears different from the preceding one. Despite the changes, the malware's functionalities remain the same.
Metamorphic versus Polymorphic
A metamorphic virus closely resembles a polymorphic virus in that both make changes to their code to better hide from security programs. There are key differences, however.
A polymorphic virus uses encryption to transform its code into an alternate, encrypted form. To execute, a polymorphic virus must decrypt itself back to its original form. In contrast, a metamorphic virus makes direct changes to its code, permanently altering itself between each iteration.
The code changes performed by a metamorphic virus are directed by a metamorphic engine, which may itself be altered between iterations. This is the counterpart to a polymorphic virus's polymorphic engine.
The alterations in code made by a metamorphic virus make it much harder for traditional signature-based antivirus programs to identify two separate iterations as one and the same virus. Fortunately, the technical challenges involved in creating a functioning metamorphic virus are quite high, making them very rare creations.
The Type designation 'Monitor' was previously used by F-Secure to identify a program that can monitor and record all computer activities, including each keystroke typed on the keyboard.
With changes in the threat landscape today, programs previously identified as 'Monitor' have been reclassified under the Riskware Category, with the Type designation 'Monitoring-Tool'.
The update in naming better clarifies the program's overall security profile in the current, more complex threat landscape.
A standard used by telecommunications networks for transmitting multimedia content between mobile devices. This extremely popular communication channel is also a popular vector for spam and malware.
Though the acronym MMS refers to the name of the standard (Multimedia Message Service) used to determine the logistics of transmitting a message, it is often used by the general public to refer to the message itself, much like the term 'e-mail' is now used to refer to the message sent rather than the network/technology it is sent on.
MMS and Malware
Though not yet common, malware sent via MMS messages is a known threat. Typically, such messages are sent by worms or trojans.
MMS-transmitted malware is possible because an MMS message can be used to transfer executable files. A typical malicious message contains a deceptively named installation file which appears to be an update or desired application. If an unsuspecting user executes the received file, the mobile device is then infected.
A multi-segmented virus that is able to infect multiple target types – for example, both the boot sector and the system files – in such a way that every section of the virus must be removed before the system can be considered clean and free from the possibility of reinfection.
In computer programming, mutex is the short form for mutual exclusion object, and refers to a program object that negotiates access to a shared resource, such as memory space, between multiple program threads so that only one thread can access the resource at any one time.
A mutex with a unique name is created when a program is first started, with a defined ‘lock/unlock’ state. Subsequently, when a thread requires resource access, it must first lock the mutex, thereby excluding other threads from using the resource. Once the resource is no longer needed, the mutex is ‘unlocked’ so that other threads may use it.
In a malicious context, malware can use mutexes to prevent multiple infections of the same system. Some simpler malware families will use the same mutex for all their variants; the presence of a known malicious mutex on the system is therefore considered a sign of infection.
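The check described in the last paragraph, matching named mutexes present on a system against a list of known names, is shown below as an added example that is not part of the original glossary. The input is a constructed CSV listing of open handles (pid, process, object type, object name) of the kind a handle-enumeration tool produces; the watchlist names (ExampleFamilyA, B, C) are placeholders, not real malware indicators. The object-manager prefixes stripped before matching (`\BaseNamedObjects\`, `\Sessions\<n>\BaseNamedObjects\`, `Global\`, `Local\`) are the ones Windows uses for named kernel objects.

```python
"""Match named mutexes (Windows 'Mutant' objects) from a handle listing
against a watchlist of known names. The watchlist entries and the handle
listing are constructed for this example; they are not real indicators."""
import re
from typing import Dict, List

# Constructed watchlist: exact names plus a pattern for a family whose
# mutex name ends in a variable 8-hex-digit suffix.
WATCHLIST_EXACT = {"ExampleFamilyA_Mutex", "ExampleFamilyB-Running"}
WATCHLIST_PATTERNS = [re.compile(r"^ExampleFamilyC_[0-9A-F]{8}$")]

# Namespace prefixes that Windows puts in front of named objects; the same
# mutex shows up with different prefixes depending on session and how the
# tool reports it, so strip them before comparing.
PREFIX_RE = re.compile(
    r"^(\\BaseNamedObjects\\|\\Sessions\\\d+\\BaseNamedObjects\\|Global\\|Local\\)")

# Constructed handle listing: pid,process,object_type,object_name
CONSTRUCTED_LISTING = """\
1234,explorer.exe,Mutant,\\Sessions\\1\\BaseNamedObjects\\ConstructedBenignMutex
4242,svchost.exe,Mutant,\\BaseNamedObjects\\ExampleFamilyA_Mutex
4242,svchost.exe,Event,\\BaseNamedObjects\\ExampleFamilyA_Mutex
5150,updater.exe,Mutant,Global\\ExampleFamilyC_DEADBEEF
6000,notepad.exe,Mutant,Local\\UnrelatedMutex
"""


def normalize(name: str) -> str:
    """Strip the namespace prefix so 'Global\\X' and '\\BaseNamedObjects\\X'
    both compare as 'X'."""
    return PREFIX_RE.sub("", name)


def is_watchlisted(base_name: str) -> bool:
    return (base_name in WATCHLIST_EXACT
            or any(p.match(base_name) for p in WATCHLIST_PATTERNS))


def scan_listing(listing: str) -> List[Dict]:
    """Return one hit per Mutant handle whose normalized name is on the
    watchlist. Other object types (events, sections) are ignored even if
    their names collide with a watchlisted mutex name."""
    hits: List[Dict] = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        pid, proc, otype, name = line.split(",", 3)
        if otype != "Mutant":
            continue
        base = normalize(name)
        if is_watchlisted(base):
            hits.append({"pid": int(pid), "process": proc, "mutex": base})
    return hits


if __name__ == "__main__":
    for hit in scan_listing(CONSTRUCTED_LISTING):
        print(hit)
```

A hit on a mutex name is a strong lead but not proof on its own: the same name can be reused by unrelated software, and the process holding the handle (here `svchost.exe` and `updater.exe`) is the next thing to examine, which is why the scan records the pid and image name with each match.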