Malware is described as being 'packed' if it has been compressed with a file compression application known as a packer.
Being in a packed state reduces the size of the file and also acts as a form of protection for the malware. Analysis of such files by security experts and the average user is more difficult, and the unpacking required to analyze them carries the additional risk of accidental infection.
A program that compresses, or reduces, the size of a program's code, often by re-coding it to a smaller size.
Packers are used legitimately to minimize a program's download times and save storage space. Malicious packers are a particular subset of packers, which are known to be used to pack malware.
A packed file must be decompressed to its original state before it can be executed; an antivirus program must read the decompressed, executable form of a file to identify whether it is malicious. Obviously, decompressing a malicious file can introduce a security risk. Virus writers also commonly use a variety of packing techniques to prevent security programs from analyzing a file, including using multiple packers to compress the file.
To solve this conundrum, most antivirus programs will identify the packer used to compress a file, rather than analyze the file itself - if the packer is known to be malicious, the file is flagged. Alternatively, a packed file may be examined using heuristic analysis.
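Both approaches described above (identifying the packer, and examining the file heuristically) can be illustrated with a small triage script. The following is an added example, not code from the original page: it flags a file as packed when a section carries a well-known packer's section name (UPX really does name its sections UPX0/UPX1; the set is illustrative, not a signature database) or when a section's byte entropy is close to the 8 bits/byte that compressed or encrypted data exhibits. The entropy threshold and minimum section size are assumed tuning values, and the sample sections are constructed rather than taken from a real binary.

```python
import math
import random
from collections import Counter

# Section names a known packer leaves behind. UPX genuinely uses UPX0/UPX1;
# this set is illustrative and is not a real packer-signature database.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2"}

# Compressed or encrypted bytes approach 8.0 bits of entropy per byte, while
# ordinary code and text sit well below. Both cut-offs are assumed values.
ENTROPY_THRESHOLD = 7.2
MIN_SECTION_SIZE = 256  # tiny sections give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_sections(sections):
    """Take a list of (section_name, raw_bytes) and return a verdict dict.

    The file is flagged as packed when any section carries a known packer's
    name, or when a section of useful size has entropy above the threshold.
    Every trigger is recorded so an analyst can see why the verdict was made.
    """
    reasons = []
    for name, data in sections:
        if name in KNOWN_PACKER_SECTIONS:
            reasons.append(f"section {name!r} is a known packer section")
        ent = shannon_entropy(data)
        if len(data) >= MIN_SECTION_SIZE and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"section {name!r} has entropy {ent:.2f} bits/byte")
    return {"packed": bool(reasons), "reasons": reasons}


# Constructed sample sections standing in for an unpacked and a packed file.
_rng = random.Random(7)  # seeded so the 'compressed' stand-in is reproducible
PLAIN_SECTIONS = [
    (".text", b"This program cannot be run in DOS mode.\r\n" * 64),
    (".data", b"\x00" * 1024 + b"Hello, world!\0" * 32),
]
PACKED_SECTIONS = [
    ("UPX0", b""),  # UPX's first section is commonly empty on disk
    # high-entropy bytes standing in for a compressed program body
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
]

if __name__ == "__main__":
    for label, secs in (("plain", PLAIN_SECTIONS), ("packed", PACKED_SECTIONS)):
        print(label, classify_sections(secs))
```

A real implementation would read the section table of a PE file to obtain the name/bytes pairs; the verdict logic itself does not change. Note that high entropy alone also matches legitimately compressed resources, which is why the reasons are reported rather than treated as proof of malice.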
Palm is the platform designator for the operating system (OS) designed specifically for the personal digital assistant (PDA) devices created by Palm Inc.
A small program, or code, issued by an application vendor in order to fix issues or problems discovered in a program or operating system. Patches are usually issued to fix bugs, vulnerabilities or usability issues.
A strong security recommendation is to install patches as soon as possible whenever they are released. Unfortunately, for many businesses and home users, there may be a significant delay between the time the patch is released and when it is installed on the affected application or machine.
The term 'patch' can also be used for new content that is introduced to a game.
Much like the payload of a missile or plane, this is an action, program or code delivered to a system by malware. Most payloads in today's threat landscape are malicious and damaging in nature.
A type of network in which each connected machine devotes some of its resources (storage, bandwidth, processing, etc.) to use by other machines or peers on the network. A peer-to-peer (P2P) network is most commonly used to distribute large files between peers.
How Peer-to-Peer Works
A P2P network differs from other file distribution networks in that there is no central server directing the operations, nor a single repository containing the desired files; instead, a file is broken down into 'segments' which are saved on various peers in the network. When downloading a particular file, the various 'segments' are transferred from a peer to the recipient machine, which then becomes a peer (hence the name of the network type).
To connect to a P2P network, a user must usually install a P2P client on their system. Using the client, they can then browse for files available for download in the network, as well as offer files for download.
P2P and Malware
Malware, particularly worms, can take advantage of the mechanics of a P2P network to distribute copies of itself to unsuspecting users. To do so, malware will typically place one or more copies of its infectious code in the P2P client's shared folder. Sometimes, it will also replace real movie or sound files with its copies.
Malware will also commonly name their malicious files with the names of popular movies, music files, applications or other appealing names in order to catch a user's attention. This is a form of social engineering.
When a user searches the P2P network for a file and finds the deceptively named malware copy, the user downloads the file onto their own computer and runs it, thereby infecting themselves with the malware. Once active on the new machine, the malware can continue the cycle.
A type of social engineering attack in which a fraudulent website is used to trick a user into giving out their sensitive personal information, such as their banking or e-mail account details.
Pharming attacks are normally used to steal login credentials for online banking sites and massively multiplayer online role playing games (MMORPGs). They can however be used to steal any type of sensitive personal or financial information, such as names, addresses, birthdays, social security numbers and so on.
The information stolen can have considerable value to a criminal; its loss can be even more significant to the victim. Such information theft is rapidly becoming a major concern for law enforcement agencies and web service operators worldwide.
Pharming is pronounced the same as "farming".
How Pharming Works
A pharming attack depends on "DNS poisoning", in which the user is surreptitiously directed from a legitimate website to a 'copy-cat' site where his information can be stolen.
DNS poisoning can take place in two locations: either in the hosts file on the user's own computer system, or on a Domain Name Server (DNS), usually the one used by the local ISP. DNS poisoning of a user's hosts file can occur if malware (most commonly a Banking Trojan) infects the computer and inserts malicious data into the file.
A similar attack can take place against the DNS server. Tampering with the DNS data works in cases where the user does not frequently visit a particular website, and doesn't keep the necessary website information on the machine itself; the computer must then visit the DNS to retrieve the (now tainted) information.
The website a user is redirected to is often designed to look exactly like a legitimate website. Usually, even the name of the website is very similar; it takes a very alert visitor to recognize a small difference in the website name. The fake website will usually allow a visitor to enter their login credentials into a form, and then return an error message of some sort. Any information the user enters in the malicious website is compromised.
A pharming attack may also be used in conjunction with a 'phishing' attempt.
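The hosts-file variant of DNS poisoning described above is easy to check for, because a clean hosts file only ever maps names to the machine itself (loopback) or to the unspecified address used for blocking. The following is an added example, not code from the original page: it parses hosts-file text and reports any watched domain (the list of bank and mail domains is an assumption, using constructed names under the reserved .test TLD) that has been mapped to a real, routable address, which is exactly the redirection a pharming attack relies on. The sample hosts content is constructed; the suspicious line stands in for what a Banking Trojan would plant.

```python
import ipaddress

# Domains whose resolution should never be overridden locally. Constructed
# sample names under the reserved .test TLD (assumption for the example).
WATCHED_DOMAINS = ("example-bank.test", "mail.example.test")

# Constructed hosts-file content. The 192.0.2.44 line is the kind of entry a
# Banking Trojan would insert to redirect the bank's site to a copy-cat server.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
192.0.2.44  www.example-bank.test example-bank.test   # suspicious
0.0.0.0     ads.example.net
10.0.0.5    intranet.corp.test
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines.

    One hosts line may list several hostnames after the address, so each
    name is yielded separately with the same address.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            yield addr, name.lower().rstrip(".")


def _is_watched(hostname, watched):
    """True for the watched domain itself or any name beneath it."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hosts_poisoning(text, watched=WATCHED_DOMAINS):
    """Return [(address, hostname)] for watched names mapped to a real address.

    Loopback and unspecified addresses are a common way to *block* a host,
    not to redirect it, so they are not reported. Anything else sends the
    user to a server chosen by whoever edited the file, which is pharming.
    A malformed address on a watched name is reported too: it is not what
    a legitimate hosts entry looks like.
    """
    hits = []
    for addr, name in parse_hosts(text):
        if not _is_watched(name, watched):
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            hits.append((addr, name))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits.append((addr, name))
    return hits


if __name__ == "__main__":
    for addr, name in find_hosts_poisoning(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {addr}")
```

On a real system the text would be read from the platform's hosts file (for example `/etc/hosts` on Unix-like systems); the check works the same on the Windows `drivers\etc\hosts` file, which uses the same line format. The same idea does not cover the second pharming location, a poisoned resolver, which has to be checked by comparing answers from an independent resolver instead.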
A type of social engineering attack in which fraudulent communications are used to trick the user into giving out sensitive information, such as passwords, account information and other details. Phishing is a criminal activity in many jurisdictions.
'Phishing' is pronounced the same as "fishing".
How Phishing Attacks Are Done
A phishing attack usually involves a fake communication, supposedly from a trusted corporation or institution, that uses an alarming pretext such as "restoring access to a bank account" to pressure the user into providing their sensitive details.
Phishing attempts are most commonly done via e-mail, but attempts made by instant messages and SMSes are also known. Malware may also drop these communications as part of their payload.
The simplest attacks simply request the user to reply to the communication with the desired details. More sophisticated phishing attempts will direct users to a seemingly-legitimate website, which is actually under the attacker's control. Any information the user enters in the malicious website is then compromised.
Phishing may be considered similar to spamming in that thousands of fake communications may be sent out, with very few successful responses. Occasionally, phishing attempts may be more targeted - they may be directed to a specific individual, workers in a company or product users. This is particularly prevalent with Banking Trojans, which target users of specific online banking services. This approach, known as 'spear phishing', tends to yield more successful results.
Phishing is a growing concern for many businesses with online portals, as well as for law enforcement agencies.
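Both the phishing entry above and the pharming entry before it note that the fraudulent site's name is usually very similar to the legitimate one. The following is an added example, not code from the original page, of the kind of link check a mail gateway or awareness tool can run: it extracts URLs from a message, compares each host against an allowlist of the brand's real hosts (the brand and its hosts are constructed assumptions under the reserved .test TLD), and labels hosts that are one or two characters away from the real domain or that embed the brand name inside an unrelated domain. The sample message is constructed; the registrable-domain helper is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: a brand's registrable domain and the exact hosts it
# legitimately uses. Names under .test are assumptions for the example.
TRUSTED_HOSTS = {
    "example-bank.test": ("www.example-bank.test", "login.example-bank.test"),
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed phishing message using the alarming pretext from the entry.
SAMPLE_EMAIL = """\
Dear customer, your account has been locked.
Restore access at https://login.examp1e-bank.test/restore?id=123 within 24 hours.
Our help pages: https://www.example-bank.test/help
Alternative: http://example-bank.test.account-verify.test/login
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host: a crude stand-in for the registrable
    domain (no public-suffix list; adequate for the constructed .test names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_host(host, trusted=TRUSTED_HOSTS):
    """Classify a host as 'trusted', 'lookalike', 'brand-in-subdomain' or 'unknown'.

    'trusted' covers the listed hosts and any host under the brand's own
    domain. 'brand-in-subdomain' catches brand.test.attacker.test-style names,
    where the familiar part is a label the attacker controls. 'lookalike' is a
    registrable domain within edit distance 2 of the brand (examp1e for example).
    """
    host = host.lower().rstrip(".")
    reg = registrable(host)
    for brand, hosts in trusted.items():
        if host in hosts or reg == brand:
            return "trusted"
    labels = host.split(".")
    for brand in trusted:
        brand_label = brand.split(".")[0]
        if any(brand_label in label for label in labels):
            return "brand-in-subdomain"
        if edit_distance(reg, brand) <= 2:
            return "lookalike"
    return "unknown"


def scan_message(text, trusted=TRUSTED_HOSTS):
    """Return [(url, host, verdict)] for every URL found in the message."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        results.append((url, host, assess_host(host, trusted)))
    return results


if __name__ == "__main__":
    for url, host, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:19} {host:45} {url}")
```

In practice the verdicts feed a policy (rewrite or block 'lookalike' and 'brand-in-subdomain' links, leave 'trusted' alone) rather than being shown raw, and the allowlist would list every brand the organisation cares about. Edit distance alone misses homoglyph tricks with visually identical Unicode characters, which need a separate confusables check.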
A virus that mutates, or modifies, its own code at various intervals. The changes in code typically occur each time the virus replicates, or infects a new machine.
Detection and disinfection of a polymorphic virus can be very challenging, as mutating code makes traditional signature-based detection methods ineffective. Nowadays, many antivirus programs instead use heuristic analysis to identify polymorphic viruses.
The act of a virus 'mutating' parts of its code at various intervals in order to evade detection.
By constantly changing its code, a virus ensures that each iteration of its code looks different from the preceding one, making it impossible for traditional signature-based antivirus programs to identify the two iterations as one and the same virus.
These so-called 'mutating viruses' can be divided into polymorphic and metamorphic viruses.
How Polymorphism Works
The most common method used by viruses to achieve polymorphism is to use encryption to transform their own code into an alternate state; to execute, the virus then requires a 'decryption key' to revert back to its original state. This is how a simple polymorphic virus works.
The decryption key is a separate module from the encrypted virus body. Simple decryption keys would stay static through every iteration, leading antivirus programs to simply detect the decryption key itself. This led to the creation of more sophisticated viruses, which mutated the decryption key as well between iterations.
A key component of polymorphic viruses is the polymorphic or mutation engine, which directs the code changes in the virus body and the decryption key. The engine can be a completely separate module, which can be added on to the virus like an attachment, and engine authors often distribute these engines as standalone components, for use by other malware creators.
Polymorphic Versus Metamorphic
A metamorphic virus performs its mutation routine differently. Rather than using encryption to obfuscate its virus body, a metamorphic virus 'rearranges' entire chunks of actual code between iterations in order to create a seemingly different virus.
The changes in code are directed by a metamorphic engine and despite the alterations, do not affect function - that is, the virus is still able to perform the same malicious actions through each iteration.
Fortunately, the major code changes performed by a metamorphic virus require a high degree of technical skill from the virus author, and there are very few such viruses in the wild so far.
A type of data connection used by computer systems to transfer data directly between two or more computers or resources.
Ports are most commonly used for communications between computers or resources over the Internet, using the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
A port can also be a physical connection linking a machine to a peripheral device. For example, a mouse or keyboard is connected to a computer system via a physical port.
A port is identified by its port number, a specific IP address and its associated protocol. By convention, certain ports are reserved for specific functions or activities. For example, HTTP traffic uses port 80.
A file format used on certain Windows operating systems for certain types of executable files.
The 'portable' part of the name denotes that the files are capable of running in numerous environments on the system.
The term 'portable executable file' is often abbreviated as a PE EXE file, or PE file.
An application used to scan for open ports (also known as listening ports) on a computer system or resource connected to a network. A port scanner can be targeted to look for ports on a single machine, or to scan multiple machines.
Port scanners may be legitimately used by authorized system administrators or other IT professionals as a tool to check the security of their networks. Unfortunately, port scanners can also be used by attackers to find machines that may be amenable to attack.
Typically, a malicious attack starts with a port scan, which searches for an open port. Once one is found, the computer may be targeted for a buffer overflow attack, or a Denial of Service attack.
The probability and success of an attack depends on how vulnerable the machine really is, how prepared the system administrators are and how competent the attackers are.
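Because a scan touches many ports on a host in a short time, it leaves a recognisable pattern in firewall logs that a defender can alert on. The following is an added example, not code from the original page: it parses constructed firewall log lines in a simple key=value format (not any real product's format), then flags any source address that reached at least a threshold number of distinct destination ports within a sliding time window. The window and threshold are assumed tuning values; the three sample sources (a fast port sweep, a normal HTTPS client, and a slow source that only trips a wider window) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed key=value line format; not a real firewall product's log syntax.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

WINDOW = timedelta(seconds=60)  # assumed tuning values
DISTINCT_PORT_THRESHOLD = 10


def parse_log(lines):
    """Group parsed events by source: {src: [(timestamp, dport), ...]}."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, not fatal
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["dport"])))
    return events


def detect_port_scans(lines, window=WINDOW, threshold=DISTINCT_PORT_THRESHOLD):
    """Return {src: {"distinct_ports": n, "window_start": iso}} for each source
    that touched at least `threshold` distinct destination ports within `window`.

    For every event the window starting at that event is examined; the first
    window that crosses the threshold produces the alert for that source.
    """
    alerts = {}
    for src, evs in parse_log(lines).items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                alerts[src] = {"distinct_ports": len(ports),
                               "window_start": t0.isoformat()}
                break
    return alerts


def _line(ts, src, dport, action="drop"):
    """Build one constructed log line against a single protected host."""
    return (f"{ts.isoformat()} src={src} dst=192.0.2.10 dport={dport} "
            f"proto=tcp action={action}")


_t = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_LOG = (
    # 198.51.100.7 sweeps twelve common ports in twelve seconds
    [_line(_t + timedelta(seconds=i), "198.51.100.7", p)
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    # 203.0.113.9 is a normal client: many connections, one port
    + [_line(_t + timedelta(seconds=5 * i), "203.0.113.9", 443, "accept")
       for i in range(12)]
    # 203.0.113.50 touches one new port every two minutes: slow and low
    + [_line(_t + timedelta(minutes=2 * i), "203.0.113.50", p)
       for i, p in enumerate([22, 80, 443, 8080, 8443])]
)

if __name__ == "__main__":
    print("default window:", detect_port_scans(SAMPLE_LOG))
    print("10-minute window, threshold 5:",
          detect_port_scans(SAMPLE_LOG, timedelta(minutes=10), 5))
```

The slow source shows the usual trade-off: with the default one-minute window it is never flagged, while a ten-minute window with a lower threshold catches it at the cost of more false positives from legitimate hosts that talk to several services. Counting distinct destination hosts per source in the same way detects horizontal sweeps of one port across many machines.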
More colloquially known as grayware, Potentially Unwanted Software (PuS) or Program (PuP) is a general term used to describe applications that may pose a risk to the user's system or data, but are less harmful than malware.
The term is generally used to cover programs such as dialers, adware, joke programs and other such files that may negatively impact the user or the computer system’s performance.
Categorization of a program as a PuP is by nature highly context-sensitive, as it involves the user's own preferences and behavioral patterns, as well as issues of legal/ethical usage.
Most user accounts on a computer system have a limited set of privileges that allow them to perform a specified range of actions, such as viewing or editing files or making certain system changes.
Privilege escalation involves exploiting a vulnerability or bug in the system or a program in order to gain more privileges than the logged-in user is entitled to, usually in order to perform unauthorized, malicious actions.
A collection of instructions for a computer system. These instructions are the 'software' that directs the physical 'hardware' components of a computer, in order to perform useful actions.
There are many different types of programs, but these can be broadly categorized into: system software, which involves intimate control of the computer hardware (e.g., operating systems); and application software, which is more concerned with performing tasks that benefit the user (e.g., document processing, games, etc.).
A program is typically created in a human-readable 'source code' form by a programmer or team of programmers; it must then be compiled into a machine-readable, executable form for the computer to 'read' it in order to execute the commands.
In computer security, a proof of concept (PoC) usually refers to code that demonstrates the existence of a vulnerability or bug in an application or operating system, and how it may be exploited.
PoC code often – but not always – accompanies a disclosure statement, as proof that the found vulnerability exists and is exploitable.
The act of creating a copy of a malicious program's code, usually in order to infect a new target, or distribute a copy to a new computer system. 'Propagation' is often used interchangeably with the term, 'replication'.
A computer system or application that functions as an intermediary between clients and resources, usually to provide a layer of security and regulation.
Proxy servers are commonly used as a barrier between individual computers on an internal company network and resources on the Internet, such as websites or public ftp servers. By configuring the proxy server, a system administrator can efficiently regulate communications for the entire network, or for individual computers on the network.
Proxy servers are generally used when content needs to be filtered, or to control access to certain restricted or potentially harmful services. They can also be used to protect the privacy of the parties communicating. Like other types of servers however, proxy servers may be hacked into or otherwise subverted for malicious purposes.