An A-Z guide to the technical terms used in digital security
Adware | Administrative rights | Alias | Alternate Data Stream | Android | Antispyware | Antivirus | Application | Application Programming Interface (API)
Adware
A Type designation used by F-Secure to identify a program that displays advertising content on the computer or mobile device. The advertisements may be displayed in the software's user interface or during a web browsing session.
Programs or services that generate income by displaying advertising content to their users instead of directly charging them are known as 'ad-supported'. If the user is not aware that the software or service they are using is ad-supported, or objects to the advertising content shown, it may cause annoyance.
Administrative rights
A special set of privileges on a computer's operating system, tied to an administrative account. A user or administrator with access to this account can make critical changes to the operating system, and to all accounts on it.
Most users will log into a restricted user account, which only allows them to make changes to the computer's settings that affect their own account. In contrast, an administrator can make changes to all accounts.
Depending on the operating system, the administrative account may be known as root, administrator, admin or similar.
Alias
The name used by another security researcher or security software for the same unique program.
Most security software companies or researchers follow their own naming practices for identifying a unique program. When discussing a particular program, its given aliases may be included to make it clear that all the names refer to the same program. For example, the worm identified by F-Secure as 'Downadup' also has the aliases 'Conficker' or 'Kido'.
Alternate Data Stream
An extension to Microsoft's Windows NT File System (NTFS) that provides compatibility with files created using Apple's Hierarchical File System (HFS).
Applications must write special code if they want to access and manipulate data stored in an alternate stream. Some applications use these streams to evade detection.
Android
A Platform identifier used by F-Secure for the mobile operating system from Google.
Android is found on a wide range of consumer products, ranging from mobile phones to cars.
Antispyware
A program that scans the computer system for spyware programs. Most antispyware programs include the ability to disinfect or remove any spyware found on the system.
An antispyware program may be a standalone application, though nowadays most antivirus programs can also identify and remove spyware.
Antivirus
A program that scans for and identifies harmful files on a computer or mobile device.
An antivirus uses a scanning engine that examines every file stored on the computer or device to identify suspicious or harmful files. The scanning engine works in tandem with its detections database, a set of algorithms for identifying harmful files. During a scan, the engine checks each file against its database and if a match is found, the file is flagged for further attention.
Application
A Type designation used by F-Secure to identify a program that can introduce security risks if used in a harmful or unauthorized manner.
There are many useful programs that can be used to make significant changes to a device's settings, behavior or stored data. Examples of such programs include:
When these programs are used by an authorized person in the intended manner, they can be considered beneficial. If they are misused however, they can allow an attacker to:
Application Programming Interface (API)
A set of instructions, specifications or protocols used to transfer commands or requests between applications.
There are many APIs available for most programming languages or programs, as they are often necessary for developers to create new software or add new features to existing software.
Backdoor | BIOS | Blacklist | Bluetooth | Botnet | Browser | Browser plugin | Browser hijacking | Brute force | Buffer overflow | Bug
Backdoor
A Type designation used by F-Secure to identify methods or programs that allow a user to bypass the normal security mechanisms on a program, computer or network.
Some examples of methods or programs that can be considered backdoors are:
Backdoors can be used by authorized administrators to carry out legitimate tasks. They can, however, also be used by attackers to gain unauthorized access to a targeted computer or network.
BIOS
A critical program that is responsible for booting or starting a computer's operating system and coordinating communications between the operating system and the physical components of the computer - graphics card, keyboard, mouse, etc.
The BIOS is a separate program that is stored on a memory chip on a computer's motherboard, rather than on a hard disk drive like the operating system. When a computer is turned on, the BIOS is the first program to run.
Because the BIOS is stored in a separate location from other software on a computer, it is much harder for malware to affect it, though a small handful have been able to do so (Virus:DOS/CIH).
Blacklist
A list of known unwanted items, such as email addresses, websites or programs.
Blacklists are used to filter out unwanted items from gaining access to or passing through a computer or a network. For example, an email server will block incoming emails from blacklisted email addresses, while a firewall will block incoming web traffic from a blacklisted website. Antivirus programs usually use blacklists to identify harmful files and websites.
Bluetooth
A communication protocol that allows two or more nearby devices to connect to each other without needing wires or other physical contacts.
Bluetooth uses short-range radio frequencies to create a small personal area network (PAN) between the devices that covers distances of up to about 10 meters. Bluetooth networks are often used to connect laptops, mobile devices, headsets, household appliances, cars and other consumer goods.
Like many networks, a Bluetooth PAN can be exploited to allow eavesdropping, or to transmit malware or unsolicited messages.
Botnet
A collection of devices that are infected with a bot program, which allows an attacker to control each individual device, or collectively direct all the infected devices.
Bot programs commonly target computers, but there have been cases where mobile devices, servers and even Internet-connected cameras have been infected and roped into botnets. Once infected, the device itself may be known as a bot or zombie.
The attacker(s) controlling the botnet typically relay their commands to the zombies through a command-and-control (C&C) server. The collective resources of a botnet are often used to perform undesirable activities such as sending millions of spam emails, launching a Distributed Denial-of-Service (DDoS) attack and so on.
For more information, see Article: Botnet.
Browser
A program used to connect to and view a webpage. Also known as a web browser.
Browsers are usually used to connect over the Internet and view webpages that are stored on a remote server, though they can also be used to view pages that are stored in a local network.
Browsers use a Uniform Resource Locator (URL, or more informally a web address) to navigate, find and display a webpage. The webpage itself must be written in a special markup language before it can be viewed properly in a browser.
Browsers are an indispensable part of the modern Internet. Unsurprisingly, they are also a favorite target of attackers, who usually try to either hijack the browser to redirect users to unwanted webpages or monitor its communications to steal sensitive data such as passwords.
Browser plugin
A mini-program that adds features to a browser.
Plugins can give users a variety of useful functions or services that are not found natively in the browser, such as enhanced 'copy-paste' actions, or viewing multimedia files.
Though plugins are generally safe and useful, they may be a security issue if they inadvertently introduce a flaw or perform unwanted or harmful actions, such as tracking the user's browsing behavior or downloading harmful files.
Plugins are referred to in various browsers as Browser Helper Objects (BHOs), extensions or add-ons.
Browser hijacking
Unwanted changes to a web browser's settings that redirect users to unsolicited websites.
Browser hijacking can be done by harmful programs, or by scripts hosted on websites that the user is visiting.
Usually, the hijacking is possible because an unpatched vulnerability in the web browser allows the changes to be made. Updating the web browser to use the latest security patches is usually sufficient to prevent hijacking attempts.
Brute force
A type of attack that relies on a 'trial-and-error' approach.
This type of attack usually targets security mechanisms such as passwords. It involves rapidly running through a list of possible passwords until the correct one is entered.
A brute-force approach may be combined with a dictionary-based one, which uses words taken from dictionaries, popular culture references and other sources that the attackers think have a good chance of success.
Brute-force attacks can succeed because the passwords can be easily guessed, because the service or program does not prevent multiple attempts at entering passwords, or both.
Buffer overflow
A type of vulnerability in the way a program uses a computer's memory resources.
Programs normally write any temporary data they use in specifically allocated areas of buffer memory. If an attacker can successfully exploit the vulnerability, however, they can flood the program with excessive data and force it to write data in unexpected locations - that is, the data 'overflows' the given buffer memory.
Technically, there are a few types of buffer overflows, depending on how the program handles the overflow. The results however are the same: the program may crash, delete data, or allow the attacker to perform other unauthorized actions.
Bug
An error in a program's code or behavior.
A bug can result in one or more undesirable effects, ranging from barely detectable quirks in an application's performance, to completely crippling it.
CAPTCHA | Clean | Clickjacking | Code injection | Command and Control (C&C) server | Command line | Constructor | Cookie | Content filter | Cross Site Scripting (XSS) | Cross-site Request Forgery (CSRF or XSRF)
Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA)
A challenge-response test used to distinguish between a human operator and a computer.
CAPTCHA typically requires the user to solve a challenge that would be very difficult for a computer program, such as identifying letters or words in an image or an audio file. Correctly solving the challenge implies that the user is human, and not an automated computer response.
The test is often used to prevent attackers from using computer scripts to automate certain repetitive actions, such as signing up for email accounts, submitting online forms and so on. While attackers have found ways to circumvent this type of security precaution, it often still requires some form of human interaction.
Clean
A program or file that does not contain harmful code or behavioral routines, and performs its stated function.
A clean program offers no security issues. Under certain circumstances, a clean program may be wrongly identified as harmful, usually because it has code that is similar to known malware.
When a clean file is wrongly identified as harmful, the incidence is known as a False Alarm or False Positive. The converse, where a malicious file is wrongly identified as Clean, is known as a False Negative.
Clickjacking
A type of online attack that involves hijacking a user's actions on a website to perform unintended actions.
For clickjacking to work, an attacker has to embed malicious code on a webpage, for instance by exploiting an iframe vulnerability. The code is then triggered when an unsuspecting visitor to the site performs certain actions on the page, such as clicking a button.
For example, the attacker can create an invisible iframe layer with buttons that 'float' directly over buttons on the visible webpage. If the user clicks on a visible button, they also unintentionally click the button on the invisible layer. The user may then find out they have unexpectedly 'agreed' to an unknown charge or service.
Code injection
Introducing or injecting code into a program or page that causes it to behave in an unexpected manner.
Code injection usually involves an attacker targeting an input mechanism, such as an online service's login form. Instead of entering the expected input such as a password, the attacker enters special code that exploits a flaw or loophole in the logic used to validate the input. If successful, the attacker then gains unauthorized access to the service.
Command and Control (C&C) server
A computer or service that acts as the controller for all infected devices in a botnet.
The operators of a botnet usually have control over a Command and Control server (also known as C&C, CnC or C2), which they use to issue instructions to one or all the infected devices in the botnet. The devices can also communicate back to the C&C server, for example to forward any stolen data they have gathered.
C&C servers can issue commands to the infected devices using a variety of communication methods, such as IRC messages, malicious domains, posts on fake social media accounts and even specially-crafted image files.
Command line
A text-based interface in an operating system that allows users to type in text instructions to perform specific tasks.
The instructions typed into the command line interface (CLI) are read and interpreted by an interpreter, which then executes the command.
Operating systems and programs usually have a visual-based Graphic User Interface (GUI) that is easy for users to navigate. Most will also include a CLI for the benefit of advanced users, especially when performing tasks that are more cumbersome to do using the standard GUI.
Constructor
A utility program for creating a program. In computer security, the created program is usually malware.
Constructor kits make it easy for a user with little or no programming experience to create programs. Often, these kits are simplified so that the user only needs to select the desired features/actions from a list of pre-prepared components.
Content filter
Software that analyzes content based on a given set of criteria, and either permits or blocks it from being accessed.
Content filters are commonly used by businesses or governments to screen emails or web traffic for undesirable content. They can also be used in a home setting to prevent minors from accessing undesirable sites or materials.
The criteria used to analyze the content can be modified by the software's operator.
Cross-site Scripting (XSS)
A type of attack in which malicious code is injected into content from a trusted website; the tainted content is subsequently presented to the site's visitors, usually with harmful consequences.
For a cross-site scripting attack to work, attackers must be able to inject code into the site, which usually involves exploiting a vulnerability in a site or program.
If successful, the attack can have a variety of effects, including hijacking web browsing sessions, stealing cookies, information theft and so on.
Cross-site Request Forgery (CSRF or XSRF)
A type of attack that hijacks the authentication credentials issued from a targeted website to a trusted user's browser, in order to perform unauthorized actions on the website.
For a cross-site request forgery attack to work, the user must be lured (usually by social engineering or a redirect) to a specially-crafted malicious website while they are still logged into the targeted website (such as a banking portal). The malicious website silently sends commands to the targeted website via the user's still-authenticated browser. The targeted website, which assumes the commands are legitimate instructions from the user, executes them.
Data Miner | Denial of Service (DoS) | Detection / Definition | Disinfection | Disclosure | Dialer | Distributed Denial of Service (DDoS) | Domain name | Domain Name System (DNS) server | DOS | Drive-by Download
Data Miner
A Type designation formerly used by F-Secure to identify programs that collect information on the user's browsing behavior, usually without their knowledge or authorization.
Today, such programs would be classified as 'Trackware'.
Denial of Service (DoS)
A type of attack that blocks access to a program, computer, network or online service.
A DoS attack usually involves sending large amounts of connection attempts or requests to the target. The flood of requests quickly overwhelms the target's ability to handle them all, and any new requests from a legitimate user cannot be processed until all the pending requests are resolved - hence, denial of service.
Attackers often use malware to force an infected machine to send connection requests to the target. If more than a handful of infected machines under the control of the attacker are used to carry out the attack, it may be considered a Distributed-Denial-of-Service (DDoS) attack.
For more information, see Article: Denial of Service (DoS).
Detection / Definition
An algorithm or hash used by antivirus programs to identify a unique harmful program, or a set of harmful programs that share similar code or behavior. Also known as a signature.
When a user scans the files on their computer using an antivirus program, the scanning engine in the program analyzes the files using the detections in its database; if a match is found, the file is flagged for further attention.
To create a detection, an analyst must first examine a sample of the harmful program to identify its unique characteristics, then create an algorithm that can spot those telltale traits. The detection is then added to an antivirus program's database for use in future scans.
For more information, see Article: Detection.
Disinfection
The process of removing a program or file from a computer system.
In addition to the program or file, disinfection can involve removing any associated components, and reverting any changes that were made to the computer or device, such as program settings, registry keys, mutexes, and so on.
Disclosure
The public notification of a previously unknown vulnerability in a program or service.
Disclosures may come from program vendors, information security companies and, not infrequently, independent security researchers.
Disclosures can have a significant impact on security if information about a vulnerability is released before a fix for it becomes available, as attackers can use the information to craft an attack targeting the exposed flaw. This is especially true if the affected program is popular or business-critical.
Many security researchers privately disclose their findings to the vendors of an affected program or service for a limited period, before taking their information public. F-Secure provides a Vulnerability Reward Program for researchers to report a potential vulnerability in F-Secure products and services. For more information, see the Security Advisories.
Dialer
A Type designation formerly used by F-Secure to identify a program that connects the computer to the Internet via a telephone line and modem.
In the days before widespread broadband Internet connections, dialers were often the only way a user could access the Internet. Malicious dialers secretly connected the computer to premium-rate lines, greatly increasing the usage charges payable by the user.
Today, such programs would be classified as 'Application'.
Distributed Denial of Service (DDoS)
A type of attack that uses the combined resources of many computers to send massive volumes of data or connection requests to a targeted computer or website in order to block normal access to it.
DDoS attacks normally take place over the Internet and are often carried out using the combined resources of a botnet, which can be enough to overwhelm a target in seconds. There are various types of DDoS attacks, which vary based on how the attack is conducted, but all have the same result: legitimate users are prevented from accessing the targeted computer or site until the attack abates.
Many major online services today have been forced to establish robust defenses against DDoS attacks to ensure that their users are not affected.
Domain name
A unique text string (such as 'www.f-secure.com') that identifies a specific resource on the Internet, such as a website.
A domain name is the 'human-friendly' alias for the resource's IP address, a 32-character long numerical label that computers use to identify the resource.
Domain names are strictly a human convenience, as most users have difficulty remembering IP addresses off-hand.
Domain Name System (DNS) server
A server that 'translates' domain names (such as 'www.f-secure.com') to the IP addresses that identify specific computers and private networks on the Internet.
DNS servers are part of the Domain Name System (DNS), a database that 'maps' out all the resources found on the Internet. A single DNS server will usually store the IP addresses and associated domain names for a particular 'section' of the Internet; it then functions as a 'guidepost' that provides enquiring computers with the correct directions to find a desired resource in their area of coverage.
DOS
An early operating system created by Microsoft for IBM and IBM-compatible computers.
The operating system was also used for Windows 3.1, 95, 95 and ME. More current Windows versions (such as NT, 2000, XP, and Vista) include a version of DOS known as 'DOS emulation' that allows users to run old DOS applications.
Drive-by Download
The download of a file from a website onto a user's computer or device that takes place without their knowledge or consent.
Drive-by downloads usually start with redirects or Search Engine Optimization (SEO) poisoning attacks that force users to a malicious site, where the actual download occurs. A video or other content may be displayed to distract the user from the download taking place in the background.
Email | Emulation | Encryption | End User License Agreement (EULA) | Entry Point Obscuration (EPO) | Executable file (EXE file) | Exploit
Email
A network for electronically creating, transmitting and storing text-based messages.
An email network involves an email client program that is used to view the messages, and email servers that handle the actual transmission of the messages over the Internet, as well as their storage.
Though the term 'email' technically refers to the network itself, most people use it to describe a message sent on the network.
Emulation
The act of running code in a tightly controlled virtual environment (also known as a sandbox).
Security programs often emulate suspicious code in a sandbox to observe the actions it takes in the virtual system. Based on how the code behaves in the sandbox, the security program can then determine if it is clean or harmful.
Emulation is particularly useful when dealing with encrypted or obfuscated code, which may defeat other forms of analysis.
Encryption
The use of a cipher or algorithm to transform data into an unintelligible form. Usually, the transformed data can only be restored to its original form by using a decryption key that reverses the process.
Encryption is used to ensure that the transformed data remains private and accessible only to the party that has the appropriate decryption key. Encryption is a critical security layer for many forms of communications, especially those that involve transmitting sensitive information, such as banking data, over the Internet.
Encryption can also be used maliciously by attackers, as seen by its use in ransomware.
End User License Agreement (EULA)
A legally binding agreement between a program's vendor and the user, stating the terms under which the user may use the program.
Most programs display the EULA in electronic form during the installation process; users must agree to it before installation can be completed.
EULAs may become an issue if the language they use is ambiguous, excessively restrictive, or too technical for the average user to understand. Many users do not read EULAs completely before accepting them, potentially placing them in an untenable position if they later face problems with the program or the vendor.
Entry Point Obscuration (EPO)
A technique used to prevent virus scanners from detecting changes to a program's entry point, which identifies the beginning of its code.
When a program is launched, the operating system first looks for its entry point and then starts executing the code from that point onwards.
Sophisticated viruses modify the host program's entry point so that it points to the start of the viral code instead, which may be located almost anywhere in the file. The change in entry point forces the operating system to run the viral code first; once that has been executed, most viruses will then pass control back to the host program, allowing it to run normally.
Executable file (EXE file)
A program containing binary code that provides instructions for an operating system to read and execute.
Unlike a data file that contains information without instructions, an executable file has the commands and related information needed to perform various tasks on a computer. An executable file is what users usually mean when they refer to an application or program.
The Windows platform identifies executable files using the .EXE file extension, while the Mac platform uses the .DMG and .APP extensions.
Exploit
An object, such as a program, piece of code, or even a string of characters, that takes advantage of a vulnerability in a program or operating system to cause unexpected behavior or allow unauthorized actions.
An exploit is almost always used in a malicious context. If successfully used, exploits can provide an attacker with a wide range of possible actions, from viewing data on a restricted-user database to almost complete control of a compromised system.
False Alarm / False Positive | File Transfer Protocol (FTP) | Firewall | Flash
False Alarm / False Positive
The incidence of an antivirus program wrongly identifying a harmless file or program as harmful.
A False Positive (FP) usually occurs if a file or program has code or behavior that is similar to a known harmful program.
In most cases, a False Positive is fixed in a subsequent detection database update; updating your F-Secure security program to use the latest database is enough to resolve the issue.
More information about recent False Positives can be found at Threat Description: False Positive.
File Transfer Protocol (FTP)
A protocol for transmitting files over networks using TCP/IP connections.
Though there are many protocols for handling file transmissions, FTP has become the one that is most commonly used for transferring data to and from web servers over the Internet.
Firewall
A hardware device or application that controls access to a computer or network.
A firewall acts as a security barrier for communications between the 'trusted' computers within the network, and 'untrusted' resources outside of it, such as remote servers or websites on the Internet. The firewall monitors traffic going into and out of the trusted zone and based on a set of predetermined rules, either allows the traffic to go through or discards it.
Flash
A multimedia platform popularly used for animated and interactive web applications. Executable files on this platform use the extension .SWF.
Flash was once frequently used on websites for elements such as games, scrolling advertisements and so on. To view these elements, a user needed to install a separate 'player' application known as a Flash Player, usually as a plugin to their web browser.
Because the Flash Player was so commonly found, it became a favorite target for hackers. This in turn led to many security researchers urging users to uninstall or minimize use of the Flash Player. Major web browsers also made changes that encouraged websites to minimize the use of Flash-based content.
As of 2018, Flash is much less commonly found on websites. Adobe announced plans to end the development and distribution of Flash Player by end 2020.
Generic detection
A detection that identifies broad patterns of similar code or behavior in programs or files.
Security software uses generic detections to find programs or files that either a) can perform similar types of harmful actions, such as stealing data; or b) have code similar to known harmful programs, such as worms or trojans.
Hacker | Hacktool | Hash | Header | Heuristic analysis | Hoax | Honeypot | Hosts file | Hypertext Markup Language (HTML) | Hypertext Transfer Protocol (HTTP)
Hacker
In information security, an individual who uses an in-depth knowledge of security systems and their weaknesses to gain unauthorized access to a computer, service or network.
When used in the popular media, a hacker is often assumed to have malicious or criminal intent, and can be referred to as a black hat hacker.
In contrast, an individual who uses similar methods to evaluate a system's defenses, but has the administrator's permission to do so, would be referred to as an ethical or white hat hacker.
Hacktool
A Type designation formerly used by F-Secure to identify a utility program that can be used, or misused, to access remote computers.
Today, such programs would be classified as 'Hack-Tool'.
Hash
A short string of alphanumerical characters that represents a much larger block of data, such as a file.
A file's hash is sometimes referred to as its 'digital fingerprint'. Hashes are created by using hash functions (or algorithms), which generate a unique hash for every unique file. The two most commonly used hash functions are MD5 and SHA-1.
Hashes are used in many ways, such as:
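As an added example (not part of the original glossary and not F-Secure's own code), the following Python script shows two of those uses: verifying downloaded data against a publisher's hash, and matching files against a small detection database of the kind described under Detection / Definition above. The sample files and detection names are constructed for illustration.

```python
import hashlib
from typing import List, Union

# Constructed sample "files" (byte strings standing in for files on disk; not real malware).
SAMPLES = {
    "report.docx": b"Quarterly figures: revenue up 4%.\n",
    "dropper.exe": b"MZ\x90\x00" + b"\x00" * 16
                   + b"suspicious-api-sequence-A;" + b"payload-v1",
    "dropper_v2.exe": b"MZ\x90\x00" + b"\x00" * 32
                      + b"suspicious-api-sequence-A;" + b"payload-v2",
}


def file_hash(data: bytes, algorithm: str = "sha1") -> str:
    """Hex digest of the data: its 'digital fingerprint'. MD5 and SHA-1 are the
    algorithms the glossary names; any algorithm hashlib knows is accepted."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_download(data: bytes, expected_sha1: str) -> bool:
    """Integrity check: does the downloaded data match the hash the publisher listed?"""
    return file_hash(data, "sha1") == expected_sha1.lower()


class Detection:
    """One entry in a detection database. kind is 'hash' (exact SHA-1 of one file)
    or 'pattern' (a byte sequence shared by a family, i.e. a generic detection)."""

    def __init__(self, name: str, kind: str, value: Union[str, bytes]):
        self.name, self.kind, self.value = name, kind, value


# Constructed detection database (hypothetical names, not real F-Secure detections).
DETECTIONS = [
    Detection("Trojan-Dropper:W32/Sample.A", "hash", file_hash(SAMPLES["dropper.exe"])),
    Detection("Trojan-Dropper:W32/Sample.gen", "pattern", b"suspicious-api-sequence-A;"),
]


def scan(data: bytes, detections: List[Detection] = DETECTIONS) -> List[str]:
    """Check one file against every detection; return the names that matched.
    The hash detection only hits the exact file it was made from, while the
    pattern detection also catches the modified variant (dropper_v2.exe)."""
    sha1 = file_hash(data, "sha1")
    hits = []
    for d in detections:
        if d.kind == "hash" and sha1 == d.value:
            hits.append(d.name)
        elif d.kind == "pattern" and d.value in data:
            hits.append(d.name)
    return hits


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16} sha1={file_hash(data)[:12]}... "
              f"md5={file_hash(data, 'md5')[:12]}... hits={scan(data)}")
```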
Header
A data area in a file that precedes its executable code and contains vital information about the file, such as its size, contents and so on.
Some malware tries to edit the header information in order to hide changes it makes to the file.
Heuristic analysis
A type of analysis used by security software to determine if a program or file is safe or harmful by examining the actions it performs. Also known as behavioral analysis.
When it encounters a new or unknown program or file, the security software will emulate or run it in a completely isolated virtual environment (also known as a sandbox). Within the sandbox, the unknown program or file can perform all its actions without endangering the user's own system. The security software observes what the program or file does within the sandbox and based on its actions there, determines if it is safe or harmful.
Security software can also use heuristic detections, which identify specific patterns of harmful behavior, to guide the heuristic analysis.
Hoax
A Type designation formerly used by F-Secure to identify an application that does not perform as claimed.
Today, such programs would be classified as 'Application'.
The term 'hoax' may also be used in a non-technical manner for an email message that contains false information, with the aim of spreading alarm or disinformation.
Honeypot
A computer or website used to detect and deflect attempted intrusions into a computer or network.
A honeynet refers to multiple honeypots on a single network and is usually used in large, diverse networks which may not be sufficiently protected by a single honeypot.
Hosts file
A list of frequently accessed domain names and their corresponding IP addresses that is stored on the computer.
The hosts file reduces the amount of time and processing needed to access a website. Each time a user clicks a link or enters a website in the browser's address bar, the browser first checks the hosts file to see if the site's domain name is already saved there. If so, it can retrieve the corresponding IP address directly from the hosts file; if not, the browser has to connect to the Domain Name Server (DNS) service of the Internet Service Provider (ISP) to find the correct IP address.
Some malware modifies entries in the hosts file to hijack and redirect the browser to a different and usually malicious site.
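As an added Python example, not from the original glossary, here is a simple checker for that kind of tampering: it parses a hosts file and flags entries that redirect a domain to a remote address, while treating the usual loopback and 0.0.0.0 entries as benign. The sample file, watch list and addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file. The 203.0.113.0/24 and 198.51.100.0/24 ranges are
# documentation addresses, used here as stand-ins for an attacker-controlled server.
SAMPLE_HOSTS = """# Standard entries shipped with the operating system
127.0.0.1       localhost
::1             localhost
# A developer's legitimate override for a local test server
127.0.0.1       dev.example.test
# Sinkholing an ad domain to the unspecified address (common ad-blocking practice)
0.0.0.0         ads.example.net
# Hijack: security vendor's site pointed at a remote address
203.0.113.7     www.f-secure.com
# Hijack: bank login domain redirected to the same remote address
203.0.113.7     onlinebanking.example.com   # constructed domain
# Hijack: any public domain pinned to a non-loopback address is worth a look
198.51.100.9    cdn.example.net
"""

# Constructed watch list: domains a defender never expects to see overridden locally.
WATCHED_DOMAINS = {"www.f-secure.com", "onlinebanking.example.com"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs; one line may list several names for an address.
    Comments (from '#' to end of line) and blank lines are ignored, as the OS does."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append((address, name.lower()))
    return entries


def suspicious_entries(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Flag hijack-style entries. Mapping a name to loopback (127.0.0.1, ::1) or to the
    unspecified address (0.0.0.0) only blocks or localises it; mapping a name to any
    other address silently redirects the browser there, which is the pattern the
    glossary entry describes. Watched domains are flagged whatever they point at."""
    findings = []
    for address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((address, name, "unparseable address"))
            continue
        if name in watched:
            findings.append((address, name, "watched domain overridden"))
        elif not (addr.is_loopback or addr.is_unspecified):
            findings.append((address, name, "domain redirected to a remote address"))
    return findings


if __name__ == "__main__":
    for address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{address:16} {name:28} {reason}")
```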
Hypertext Markup Language (HTML)
The most common markup language used to create documents (webpages) that can be viewed in a browser.
Though other languages have become more popular for use in creating heavily interactive websites, HTML remains the preferred language for the majority of websites.
Hypertext Transfer Protocol (HTTP)
A protocol used to connect to and transmit information resources over a network, most commonly for delivering webpages over the Internet.
HTTP works in tandem with such elements as Universal Resource Locators (URLs), the Domain Name System (DNS) and web browsers so that users can easily navigate the modern World Wide Web.
iframe | Instant Messaging (IM) | Internet | Internet Relay Chat (IRC) | Internet Service Provider (ISP) | Integer overflow | In-the-wild | Intrusion Detection / Intrusion Prevention System | IP Address
iframe
An HTML element that allows one page to be embedded as a section in another page.
iframes are a popular method for displaying content from multiple pages on a single page, which is referred to as the parent page. If the source content has been compromised, however (for example, it contains injected code), then the parent page may also be affected.
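Injected iframes are usually made invisible so that the parent page looks unchanged. As an added example (not part of this guide), the following Python audit walks a constructed HTML page (the addresses are made up) and flags every iframe that is hidden by size, by CSS or by off-screen positioning, which is how a site owner or analyst can spot such injections in page source.

```python
from html.parser import HTMLParser

# Constructed page fragment: one legitimate embed and two injected, hidden iframes.
SAMPLE_HTML = """
<html><body>
<h1>Parent page</h1>
<iframe src="https://video.example.test/embed/123" width="640" height="360"></iframe>
<iframe src="http://203.0.113.9/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://ads.example.test/frame" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""


class IframeAuditor(HTMLParser):
    """Collects every <iframe> and records why (if at all) it looks hidden."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1-or-smaller dimensions")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if "left:-" in style or "top:-" in style:
            reasons.append("positioned off-screen")
        self.frames.append({"src": a.get("src", ""), "hidden_reasons": reasons})


def _tiny(value):
    """True if a width/height attribute is a pixel size of at most 1."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except (AttributeError, ValueError):
        return False


def audit_iframes(html):
    """Return one record per iframe in the page, in document order."""
    parser = IframeAuditor()
    parser.feed(html)
    return parser.frames


def suspicious_iframes(html):
    """Only the iframes that are hidden in some way."""
    return [f for f in audit_iframes(html) if f["hidden_reasons"]]


if __name__ == "__main__":
    for frame in suspicious_iframes(SAMPLE_HTML):
        print(frame["src"], "->", ", ".join(frame["hidden_reasons"]))
```

The checks are deliberately simple string tests on the attributes; a production scanner would also resolve the iframe's origin against an allow-list of expected third-party hosts, since a visible iframe from an unknown host is just as much a finding.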
Instant Messaging (IM)
A form of real-time, text-based communication connecting two or more parties over a network, such as the Internet or a company intranet.
Users run IM client programs to send and receive IM messages from other users of the same program. Most clients also allow audio, video and image files to be transferred between parties.
Because they are extremely popular and include the ability to transfer files, IM clients are popular targets for attackers, who try to distribute their harmful programs to as many connected IM users as possible.
Internet
A global 'super-network' made up of interconnected smaller networks, which use the TCP/IP Internet protocol suite to communicate between networks.
Strictly speaking, the term Internet refers to the infrastructure (both hardware and software) that connects the networks and manages the transmissions between them. All technical matters related to the infrastructure are managed by Internet Service Providers (ISPs).
Users who can connect to the Internet gain access to all the connected networks, and the resources and services they offer: for example, the World Wide Web, webmail, social media sites, video streaming sites and so on.
Internet Relay Chat (IRC)
A form of real-time, text-based group communication over a network, such as the Internet or a company intranet.
IRC differs from Instant Messaging (IM) in that it is designed more for group communications, with users gathered into forums known as channels. Most IRC clients also allow one-to-one conversations, as well as data transfers. IRC clients are also popular targets for attackers trying to distribute their harmful programs.
Internet Service Provider (ISP)
An organization that provides users with access to the physical infrastructure needed to connect to the Internet.
The Internet is essentially a vast 'super-network' that connects millions of smaller networks using a complex infrastructure made up of both hardware and software components - for example, fiber optic cables, satellites, modems, email servers, Domain Name System servers, and so on. ISPs are responsible for maintaining this infrastructure.
Individual users typically must sign an agreement with an ISP in their geographical location to gain access to the Internet through the ISP's own physical infrastructure. Many, but not all, ISPs also provide related services, such as website hosting, email hosting and so on.
Integer overflow
A type of vulnerability in the way a program performs a calculation, resulting in a numerical value that is too large for the available storage space.
Programs normally have specifically allocated space on a computer or device where they can save data. If an attacker successfully exploits the vulnerability, however, data can 'overflow' from its allocated space and either be ignored or written to unexpected places. This may lead to significant calculation errors and possibly system crashes.
If the system is critical - for example, used in air traffic control or hospital emergencies – a miscalculation or system crash can have serious repercussions.
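The 'too large for the available storage space' effect is easiest to see with fixed-width arithmetic. The following is an added example, not part of this guide: it emulates 32-bit registers in Python (Python integers themselves never overflow, so the low 32 bits are masked off explicitly) to show how a size calculation wraps to a tiny value, how a positive value turns negative when reinterpreted as signed, and how a checked calculation refuses the input instead. The element count and size are constructed values.

```python
UINT32_MAX = 0xFFFFFFFF


def wrap32(value):
    """Emulate a 32-bit unsigned register: only the low 32 bits survive."""
    return value & UINT32_MAX


def to_int32(value):
    """Reinterpret the low 32 bits as a signed value, as a C 'int' would."""
    v = wrap32(value)
    return v - (1 << 32) if v & 0x80000000 else v


def buffer_size_unchecked(count, elem_size):
    """Vulnerable pattern: the product is computed in 32-bit arithmetic, so a huge
    count wraps to a tiny number and the program would reserve far less space
    than the data it later writes into it."""
    return wrap32(count * elem_size)


def buffer_size_checked(count, elem_size):
    """Hardened version: detect the overflow before it happens and refuse (None)."""
    if elem_size and count > UINT32_MAX // elem_size:
        return None
    return count * elem_size


# Constructed untrusted input: an element count read from a file header
EVIL_COUNT = 0x40000001   # 1 073 741 825 elements
ELEM_SIZE = 4             # bytes per element

if __name__ == "__main__":
    print("unchecked:", buffer_size_unchecked(EVIL_COUNT, ELEM_SIZE))   # 4, not 4294967300
    print("checked:  ", buffer_size_checked(EVIL_COUNT, ELEM_SIZE))     # None (refused)
    print("signed:   ", to_int32(0x7FFFFFFF + 1))                         # -2147483648
```

The checked version compares against the maximum before multiplying; testing the product after the fact does not work in a real 32-bit program, because the wrapped value has already lost the information that an overflow occurred.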
In-the-wild
Classification term for harmful programs that have been found infecting an actual user's computer or device.
In contrast, Proof-of-Concept (POC) code consists of theoretical creations produced by researchers without exposure to actual users, while code that is restricted to use in a laboratory for testing is said to be in a 'zoo' collection.
Intrusion Detection / Intrusion Prevention System
A hardware device or software that monitors a network and identifies suspicious activity. More sophisticated examples can react to the suspicious activity by blocking it.
Nowadays, a number of products provide intrusion detection and intrusion prevention as two complementary services, or merge the two functionalities into one system. An IDS/IPS can be either host-based, where it protects only a single computer, or network-based, where it resides on one host and can still take action on other hosts.
IP Address
A 32-character long numerical label assigned to every resource (computers, servers, etc.) connected to a network.
An IP address is used in tandem with domain names to navigate the modern Internet. A user will use the more 'human-friendly' domain name (for example, 'www.f-secure.com') to search for a resource; the computer will use the corresponding IP address for that resource to connect to it.
A resource's assigned IP address isn't always permanent and can be changed depending on need. For example, a web server on a company network that must be constantly accessed can have an unchanging or static IP address. In contrast, a workstation may be assigned a dynamic IP address that changes with each session. Each configuration has its own security considerations.
Java
A popular programming language developed by Sun Microsystems in 1995 specifically for the Internet; Java allows web designers to include interactive mini-programs known as applets on their sites.
Standalone applications can also be created in the Java language. These require a special program called the Java Runtime Environment (JRE) to run. Due to its popularity, the JRE is a popular target for attackers.
JavaScript
A popular scripting language (only loosely related to the Java programming language) that is used to add interactivity on webpages.
Kernel
The 'central core' of an operating system that is responsible for communications between the software and hardware components of a computer.
The kernel's main task is to manage the computer's physical resources (CPU, RAM, etc.) so that a user can use an application, such as a game, document editor and so on.
Certain types of rootkits specifically target and manipulate the kernel in order to hide their presence or actions. These are known as kernel-level rootkits and work by exploiting vulnerabilities in the kernel.
Keylogger
A program or hardware component that silently monitors and stores all keystrokes typed on a connected keyboard.
Keyloggers are typically used by attackers to steal vital information such as credit card details, online account login credentials and so on. The stolen information can be used to commit identity or monetary theft, online fraud and so on.
Keylogger programs may be installed by other malware or be manually installed by an attacker with physical access to the computer or device. Hardware keyloggers must be manually installed.
Some keyloggers will save the collected information on the computer; others will forward it to an external server for easier retrieval by the attacker.
Link
A navigational HTML element on a webpage that can be clicked to lead the user directly to another specified element, either on the same webpage or another.
Hyperlinks (links for short) are usually specially-coded words, text strings or images. Links can be a security concern if they are deliberately set to lead an unsuspecting user to a harmful webpage.
Linux
An open-source operating system (OS).
Linux is popularly used for computer networks and corporate servers, and to a lesser extent, for work and home users.
Macro | MacOS | Malware | Man in the middle (MitM) | Master Boot Record (MBR) | Memory-resident | Metamorphic virus | Monitoring-tool | Multimedia Message Service (MMS) | Multipartite virus | Mutual exclusion object (mutex)
Macro
A type of mini-program found in some applications that allows users to automate certain functions or instructions.
Macros are sets of instructions that can be triggered by a single command (or by clicking a button in a program's user interface). Macros are usually embedded in applications or documents and are used to automate common or repetitive tasks that the user would otherwise have to do manually.
Macros are most commonly associated with Microsoft Office document files (such as Word, Excel or Access).
Though macros are extremely useful, they can be misused to perform harmful actions; in such cases, the macros are known as 'macro viruses' or 'macro malware'.
MacOS
A Platform identifier used by F-Secure for any of a series of operating systems (also known as the 'Classics') from Apple that precede the current Mac OS X.
A sizable percentage of Apple computers still run on these older operating systems.
Malware
A portmanteau of the words 'malicious' and 'software', this general term is used to refer to harmful programs.
In computer security, a harmful program can be technically classified as rootkit, trojan, virus, worm and so on.
Man in the middle (MitM)
A type of attack that involves an undetected third party actively eavesdropping and controlling communications between two parties.
MitM attacks are usually done to prevent key information from being transmitted between two parties, or conversely to inject false information.
For a MitM attack to be successful, the attacker must be able to impersonate each side of the dialogue and convince both parties that the communication is private and authentic. The specifics of how this can be done will vary depending on the type of communication being intercepted (wireless, Internet, email, etc.).
Master Boot Record (MBR)
A dedicated area in a hard disk drive or other storage drive that contains critical information for starting the operating system (OS).
The information saved in the MBR is used by a boot program to start the OS each time the user turns on the computer (also known as 'booting the OS').
Back when DOS was the major operating system on most computers, the MBR was a favored target of virus writers, as most security programs at the time weren't able to scan the MBR to detect any malicious changes. This led to the prevalence of boot viruses. Since then, changes made by operating system vendors have successfully limited the ability of boot viruses to modify the MBR, resulting in them becoming far less common.
Memory-resident
A program that remains running in a computer's memory resources after its original program has been closed.
When a user launches an executable file, its instructions are loaded temporarily into the computer's memory. When the program is closed, these instructions are unloaded from the memory to clear it for use by another program.
Malware can exploit this normal process by 'hooking' a special area of the memory known as an interrupt vector and inserting its own instructions there. When the malware's executable file is closed, the instructions in the interrupt are still active and able to affect other programs that are running in memory.
Metamorphic virus
A virus that rewrites its own code at each iteration so that each succeeding version appears different from the preceding one. Despite the changes, the malware's functionalities remain the same.
Fortunately, creating a functioning metamorphic virus is technically challenging, making them very rare creations.
Monitoring-tool
A Type designation formerly used by F-Secure to identify a program that can monitor and record all computer activities, including each keystroke typed on the keyboard.
Today, such programs would be classified as 'Monitoring-Tool'.
Multimedia Message Service (MMS)
A standard used by telecommunications networks for transmitting multimedia content between mobile devices.
Much like email, most laypersons use the term MMS to refer to the messages sent over the telecommunications networks, rather than to the communication channel itself. MMS is a popular channel for distributing spam and more rarely, messages containing links to malicious sites.
Multipartite virus
A multi-segmented virus that is able to infect multiple target types – for example, both the boot sector and the system files – in such a way that every section of the virus must be removed before the system can be considered clean and free from the possibility of reinfection.
Fortunately, creating a functioning multipartite virus is technically challenging, making them very rare creations.
Mutual exclusion object (mutex)
A program object that negotiates access to a shared resource between multiple program threads so that only one thread can access the resource at a time.
Resources that can be managed with mutexes include data or file access, and memory and processing space. When a program is launched, a mutex is created with a defined 'lock'/'unlock' state. Later, when one of the program's threads needs access to the resource, it must first 'lock' the mutex and exclude other threads from using the resource. Once the resource is no longer needed, the mutex is 'unlocked' so that other threads can use it.
Some malware use mutexes to prevent multiple infections of the same system.
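The 'lock'/'unlock' cycle described above is what keeps a shared value consistent when several threads update it. The following is an added example, not part of this guide: it runs the same counter update from eight threads, once guarded by a mutex (Python's threading.Lock) and once without, so the lost updates caused by interleaving become visible. The sleep between read and write is there only to make the race reliably observable.

```python
import threading
import time


def _unsafe_increment(state):
    """Read-modify-write that is NOT atomic: another thread can run in the gap."""
    value = state["n"]
    time.sleep(0)              # yield the CPU between read and write to expose the race
    state["n"] = value + 1


def run_counter(use_mutex, threads=8, increments=1000):
    """Increment a shared counter from several threads; return the final value."""
    state = {"n": 0}
    lock = threading.Lock()    # the mutex: created once, starts 'unlocked'

    def worker():
        for _ in range(increments):
            if use_mutex:
                with lock:                     # 'lock': only one thread inside at a time
                    _unsafe_increment(state)   # 'unlock' happens automatically on exit
            else:
                _unsafe_increment(state)       # no mutex: updates interleave and get lost

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return state["n"]


if __name__ == "__main__":
    expected = 8 * 1000
    print("with mutex   :", run_counter(True), "of", expected)
    print("without mutex:", run_counter(False), "of", expected)   # typically far fewer
```

The same primitive doubles as a 'single instance' marker: a process that finds a named mutex already held knows another copy is running. That is the behaviour the entry attributes to malware, and it is also why analysts record mutex names during reverse engineering, since a distinctive name can serve as an indicator of compromise.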
Network
A group of connected computers, servers and other resources. Each individual unit on a network is referred to as a 'node'.
Networks can be classified based on the type of technology used to connect the nodes, the security level of the network and its reach. The most well-known network is the Internet, but various other network types exist, including:
Operating System (OS) | On-Access Scanner (OAS) | On-Demand Scanner (ODS) | OSX
Operating System (OS)
The main program responsible for managing a device's hardware and software components, so that a user can perform any useful task on the device. Also known as a platform.
There are a handful of OSes that are commonly used for computers and consumer devices, such as Microsoft's Windows, Apple's OS X, Google's Android, Linux, etc. Each OS offers unique advantages and disadvantages.
OSes are a major target for attackers, who typically try to find vulnerabilities in the program that they can exploit for their own purposes.
On-Access Scanner (OAS)
The background process used by an antivirus program to examine other running processes for harmful behavior.
Also known as real-time scanning, this feature protects the computer by scanning all files when they are accessed and by blocking access to those files that contain malware.
On-Demand Scanner (ODS)
The component of an antivirus program that a user must manually launch to scan files on the device.
Users can change the settings of their antivirus program to specify the locations and types of files they want to scan.
OSX
A Platform identifier used by F-Secure for Apple's OS X operating system.
Also known as Mac OS X, this is the most recent operating system released by Apple.
Packed | Palm | Patch | Payload | Peer-To-Peer (P2P) | Phishing | Polymorphic virus | Port | Portable Executable File (PE EXE) | Port scanner | Potentially Unwanted Application (PUA) | Privilege elevation | Program | Proof of Concept (PoC) | Propagation | Proxy server
Packed
A file that has been reduced to a smaller file size by a packer or file compression program.
Files are often compressed when file size is a concern, for example when dealing with limited upload or download speeds. In a malicious context, files may also be packed as a form of protection for malware, as analyzing such files is more difficult.
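One reason packed files are harder to analyze is that compressed or encrypted content looks almost random, and that property is also what lets a scanner flag it. The following is an added example, not part of this guide: it computes the Shannon entropy of data, scores it window by window the way section-based packer heuristics do, and contrasts a constructed stand-in for plain program text with the same bytes after zlib compression (used here as the 'packer').

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_ratio(data, window=1024, threshold=7.0):
    """Fraction of fixed-size windows whose entropy is at or above the threshold.
    Compressed or encrypted regions sit close to 8 bits/byte; code and text sit well below."""
    chunks = [data[i:i + window] for i in range(0, len(data), window)]
    if not chunks:
        return 0.0
    return sum(1 for c in chunks if shannon_entropy(c) >= threshold) / len(chunks)


def looks_packed(data, min_ratio=0.5):
    """Heuristic verdict: most of the file is high-entropy."""
    return high_entropy_ratio(data) >= min_ratio


# Constructed stand-in for an unpacked program's contents: pseudo-random assembly-like
# text from a small vocabulary, which is repetitive (low entropy) but compressible.
_rng = random.Random(7)
_WORDS = [b"mov", b"push", b"pop", b"call", b"ret", b"eax", b"ebx", b"ecx",
          b"[ebp-4]", b"validate_input", b"\n", b"  "]
PLAIN = b" ".join(_rng.choice(_WORDS) for _ in range(20000))

# The same content after a 'packer' (zlib standing in for UPX or similar) compressed it.
PACKED = zlib.compress(PLAIN, 9)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("packed", PACKED)):
        print(f"{label:7} {len(blob):7} bytes  entropy={shannon_entropy(blob):.2f}"
              f"  high-entropy windows={high_entropy_ratio(blob):.0%}")
```

Entropy alone does not prove packing (a file that embeds images or a certificate is legitimately high-entropy), so scanners combine it with structural signs such as unusual section names or an import table that has been reduced to a handful of functions.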
Palm
A Platform identifier used by F-Secure for the operating system (OS) by Palm Inc. that was used on their personal digital assistant (PDA) devices.
As of 2018, only a tiny handful of malware for this platform are known to exist.
Patch
A program or piece of code issued by a vendor to fix bugs, usability issues or vulnerabilities in a program, operating system or device.
For patches intended to fix a security issue such as a vulnerability, it is recommended that the patch is installed as soon as possible after it is released. Doing so reduces the period of time (known as zero-day) in which the affected program or device is vulnerable to attacks targeting the vulnerability.
Payload
The routine or component of a malware that is designed to cause harm.
A malware's payload will vary depending on its author's intent. Examples of possible payloads include:
Peer-To-Peer (P2P)
A type of network in which each computer allows other connected computers (its peers) to use some of its resources, such as storage, bandwidth, processing, etc. P2P networks are commonly used to distribute large files.
A P2P network does not have a central server or repository to direct operations or hold files. Instead, each file is broken down into 'segments' which are saved on peers in the network. Users connect to the network using a client program, which allows them to browse all the files stored in the network. When the user downloads a file, the various segments are transferred from their host peers to the user's computer.
Attackers can take advantage of a P2P network to spread malware, often by disguising them as popular videos, games or programs.
Phishing
A type of social engineering attack that uses fraudulent communications to trick the recipient into revealing sensitive information, such as passwords, account information and other details.
Phishing is most commonly carried out via email messages, but attempts via instant messages, SMS messages and even voicemail have also been reported.
Attackers will often misuse the name, branding or background of a trusted individual or company to make the communication seem authentic. The contents of the message are usually carefully tailored to seem either enticing or alarming, to pressure the recipient into complying.
Some phishing attacks direct the recipient to a carefully crafted website where any details they enter are subsequently stolen; others direct the user to transfer money or perform other actions in the belief that they are performing a legitimate task.
Polymorphic virus
A virus that mutates or modifies its own code at intervals. The changes in the code usually occur when the virus replicates or infects a new file or computer.
Fortunately, creating a functioning polymorphic virus is technically challenging, making them very rare creations.
Port
A hardware port is a physical outlet on a computer for connecting a peripheral device or another computer; a network port is a number used to identify the transmitting and receiving halves of a data transmission over a network, such as the Internet.
A hardware port allows users to connect devices such as a mouse or a keyboard to the computer.
A network port or port number is always tied to a specific IP address and protocol. A port number can be assigned to individual processes or programs when needed to complete a task, such as downloading files or sending emails. By convention, certain port numbers are reserved for specific functions or activities; for example, port 80 is reserved for HTTP traffic.
Portable Executable file (PE EXE)
A file format used in the Windows operating system for certain types of executable files.
The 'portable' part of the name indicates that the files can run in numerous environments on the operating system.
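The PE format is a fixed sequence of headers, so the facts an analyst reads first (target machine, 32- or 64-bit, DLL or not, and the section table) can be pulled out with a short parser. The following is an added example, not part of this guide: it parses those headers from a constructed minimal image (not a real executable; only the headers are present) whose section layout is modelled on what the UPX packer produces, and flags the two section traits that commonly point to a packed or self-modifying file.

```python
import struct

IMAGE_FILE_MACHINE = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000


def parse_pe(data):
    """Parse the DOS header pointer, PE signature, COFF file header, optional-header magic
    and the section table. Raises ValueError if the signatures are missing."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                             # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    sections = []
    table = opt + opt_size                                      # section table follows optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "characteristics": sc})
    return {"machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def is_pe_image(data):
    """True if the buffer carries both the MZ and PE signatures."""
    try:
        parse_pe(data)
        return True
    except (ValueError, struct.error):
        return False


def section_warnings(pe):
    """Traits worth a second look: writable+executable sections, and sections with no
    data on disk but a large memory footprint (a packer's unpacking target)."""
    warns = []
    for s in pe["sections"]:
        sc = s["characteristics"]
        if sc & SCN_MEM_EXECUTE and sc & SCN_MEM_WRITE:
            warns.append(f"{s['name']}: writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            warns.append(f"{s['name']}: no data on disk but {s['virtual_size']:#x} bytes in memory")
    return warns


def _section(name, vsize, vaddr, rawsize, rawptr, chars):
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)


def build_sample():
    """Constructed minimal PE32+ image: headers only, enough to parse, not runnable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x20B) + b"\0" * 0xEE               # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, len(opt), 0x0022)
    sections = (_section(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020)   # code: read+exec
                + _section(b"UPX0", 0x8000, 0x2000, 0, 0, 0xE0000080)           # empty on disk, W+X
                + _section(b"UPX1", 0x2000, 0xA000, 0x2000, 0x1400, 0xE0000040)) # packed data, W+X
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print(pe["machine"], pe["format"], "DLL" if pe["dll"] else "EXE")
    for w in section_warnings(pe):
        print("warning:", w)
```

To inspect a real file, pass the bytes read from disk to parse_pe; the offsets above follow the PE/COFF specification, so the same code reads any well-formed executable or DLL.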
Port scanner
A program used to scan a network for computers with open or listening ports.
A program that has an assigned port number and is waiting for a data transmission from another computer is said to be 'listening' for the connection.
Port scanners can be used by an authorized administrator to check the security of the computers under their care. They can also be used by attackers to find machines that may be open to attack.
Potentially Unwanted Application (PUA)
Applications that have behaviors or aspects that can be considered undesirable or unwanted, depending on the user's context, but do not meet the stricter definition of malware. Also known as Potentially Unwanted Software (PuS) or Program (PuP).
The term is generally used to cover programs such as dialers, adware, joke programs and other software that may negatively impact the user or the device's performance.
For more information about PUAs, see Classifying Potentially Unwanted & Unwanted Applications.
Privilege elevation
The unauthorized gain of more privileges in a program or operating system than is normally permitted.
Users of a computer or device usually have a limited set of privileges that allow them to perform a specified range of actions, such as viewing or editing files or making changes to the system settings.
Privilege elevation can occur if a bug, vulnerability or unauthorized process is used to gain more privileges. Users perform a type of privilege escalation when they 'jailbreak' their devices to gain greater access to the operating system. In a malicious context, attackers can take advantage of privilege escalation to perform actions that cause harm to the user's device or data.
Program
A collection of instructions that direct the physical hardware of a computer to perform useful actions.
There are many different types of programs, which can be broadly categorized into:
A program is written as human-readable source code by a programmer or team of programmers; it is then compiled into an executable form so that a computer can 'read' and follow the instructions.
Proof of Concept (PoC)
A program or piece of code that demonstrates the existence of a bug or vulnerability in an application or operating system.
PoC code often – but not always – accompanies a disclosure, as proof that the issue exists and can be exploited.
Propagation
The act of creating a copy of a program's code. Also known as replication.
Viruses and worms are the most common types of malware to propagate their code, as the copies are usually created in order to infect a file or computer.
Proxy server
A computer system or program that acts as an intermediary between clients and resources, usually to provide a layer of security and regulation.
Proxy servers are commonly used as a security layer between computers on an internal network and external, possibly untrusted resources on the Internet, such as websites.
Some malware cause infected computers to function as proxy servers.
Ransomware | Remote code execution (RCE) | Repackaging | Replication | Reverse engineering (RE) | Riskware | Rogue | Rootkit | Router
Ransomware
Malware that takes control of the user's data or device, then demands a ransom payment to restore it.
Ransomware is a form of extortion and works on the assumption that the data or device is valuable enough to the user that they are willing to pay to recover it.
The most common kind of ransomware today is crypto-ransomware, which essentially 'scrambles' data so that a decryption key is required to restore it; payment is then demanded in return for the key.
The best safeguard against ransomware is to keep up-to-date backups of important files in a separate, unconnected location or device. In the event of an infection, the recommended course of action is to restore the affected files from the backups and report the incident to a local law enforcement authority.
Remote code execution (RCE)
The ability for an outside party to run commands on a targeted program or computer.
RCE is usually the desired result of an attacker exploiting vulnerabilities in a program or computer. It is considered a critical security incident as it means the attacker can take complete control of the compromised machine.
Repackaging
The act of modifying an existing program package to introduce new elements.
Programs and their associated components or configuration files are often distributed as an application package (APK) so that users can easily install the program with a predefined configuration or settings.
Administrators who want to change the programs, components or files in a package can repackage it to meet their needs. In a malicious context, attackers can do the same to introduce harmful programs or components into the package. When done with malicious intent, the altered package is referred to as trojanized.
Trojanized APKs are particularly notable on the Android platform.
Replication
The act of creating a copy of a program's code. Also known as propagation.
Viruses and worms are the most common types of malware to propagate their code, as the copies are usually created to infect a file or computer.
Reverse engineering (RE)
The process of disassembling a program and analyzing its code to understand its capabilities and behavior.
Security researchers will often reverse engineer a malware to create the detections needed to identify it.
Riskware
A program that, if used in an unauthorized or harmful manner, can introduce security risks to a device or the data stored on it.
Riskware programs typically give their authorized users more access to a computer's system settings, or more control over stored data, than is allowed for a normal user. Such programs include remote administration tools, network monitoring software and rooting utility programs.
If used by unauthorized persons, such programs allow them to perform actions that can cause harm to the user's device or data.
Rogue
An antivirus or antispyware application that does not provide the functionality claimed, and may not work at all. Rogues are often promoted by deceptive or fraudulent means.
Rogues can range from being substandard products that present false information to deliberately fraudulent software. They are often promoted as 'trial' versions using high-pressure tactics to lure users into installing them. When run, these rogues will perform, or pretend to perform, a system scan, then display misleading or outright false scan reports in order to scare users into buying the 'full version' of the software.
Rootkit
A Type designation used by F-Secure to identify a technique, program or component that hides processes, files, registry data and network connections.
Rootkits are often used by malware to conceal their activities. Rootkits are difficult to detect because they subvert the security programs and processes that would normally identify their presence.
Occasionally, legitimate software will use rootkit-like techniques. This is often for software protection purposes, as a form of Digital Rights Management (DRM). Some antivirus programs will detect these applications as potential security risks, until the rootkit-like techniques are removed, or another solution is used.
Router
A hardware component or program responsible for directing data transmissions between networks, or between separate subnets on the same network.
There are numerous types of routers, graded based on the amount of data they can handle. The most common routers are used by individual users for home networks, as well as larger ones for handling communications in large corporations. The highest capacity routers are responsible for handling huge volumes of data traffic over the Internet.
Sandbox | Script | Search Engine Optimization (SEO) poisoning | Shell | Short Message Service (SMS) | Signature | Simple Mail Transfer Protocol (SMTP) | Social Engineering | Spam | Spoofing | Spyware | SQL Injection | SymbOS
Sandbox
A colloquial term for an isolated, tightly controlled virtual environment that mimics a normal computer system.
Virtual environment or virtual machine (VM) software creates sandboxes as completely contained units or instances on the host computer. They are normally used to run and examine unknown or suspicious programs or code without endangering the host computer.
Many security programs will run suspicious files in a sandbox as part of their analysis. In turn, some malware have adapted to become 'VM-aware' - they first check for the presence of a sandbox on the system and if found, stop running or even uninstall themselves, to avoid analysis.
Script
A small program or piece of code used to automate minor tasks. Scripts can be used in applications or on websites to add extra functions or behaviors.
Search Engine Optimization (SEO) poisoning
A type of attack that attempts to poison or affect a website's listing in a search engine's search results.
Website operators try to gain visitors by carefully crafting or optimizing their content so that search engines rank the sites more highly in their search results, which leads to more attention and traffic from the engine's users. Attackers can try to subvert this process by: injecting code or content onto the site that causes its ranking to drop; injecting code onto the site to redirect traffic to a malicious site; or by creating specially crafted malicious sites that compete with and lower the targeted site's ranking in search engine results.
Shell
A small program that provides an interface where users can issue instructions to an operating system or a process. Also known as a 'command shell'.
Many attacks include a piece of code called shellcode that is intended to launch a shell on a targeted computer. This is usually only possible by exploiting a vulnerability in an installed program or in the operating system.
Short Message Service (SMS)
A service for transmitting short text messages between mobile devices connected to a telecommunications network.
SMS is one of the most heavily used data services in the world today. In many countries, it is used not only for personal communications, but for critical financial transactions and other useful services. Like many popular services, SMS is also a target for attackers engaged in various undesirable activities, such as sending out spam messages, spreading worms, stealing data and so on.
Though the term 'SMS' technically refers to the service itself, most people use it to refer to a message sent via the service.
Signature
An algorithm or hash used by antivirus programs to identify a unique harmful program. Also known as a detection or definition.
When a user scans the files on their computer using an antivirus program, the scanning engine in the program analyzes the files using the detections in its database; if a match is found, the file is flagged for further attention.
To create a detection, an analyst must first examine a sample of the harmful program to identify its unique characteristics, then create an algorithm that can spot those telltale traits. The detection is then added to an antivirus program's database for use in future scans.
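The two kinds of detection named in the entry, a hash and an algorithm that spots telltale traits, behave differently when the sample changes. The following is an added example, not part of this guide and not F-Secure's detection engine: it keeps a tiny constructed signature database (the 'malicious' and 'benign' byte strings are made up and harmless) and scans data against a full-file SHA-256 entry and a byte-pattern entry with a wildcard, then shows that a one-byte change in the sample defeats the hash but not the pattern.

```python
import hashlib
import re

# Constructed sample contents (harmless stand-ins, not real programs)
SAMPLE_MALICIOUS = b"MZ\x90\x00demo-sample: copies itself to startup and phones home\x00"
SAMPLE_BENIGN = b"MZ\x90\x00hello world program\x00"
# A 'variant' that differs from the malicious sample by one byte
VARIANT = SAMPLE_MALICIOUS.replace(b"startup", b"Startup")

# Constructed detection database: one exact-hash detection, one pattern detection.
SIGNATURES = [
    {"name": "Demo.HashMatch.A", "kind": "sha256",
     "value": hashlib.sha256(SAMPLE_MALICIOUS).hexdigest()},
    {"name": "Demo.PatternMatch.B", "kind": "pattern",
     # telltale trait: 'copies itself to' followed within 16 bytes by 'phones home'
     "value": re.compile(rb"copies itself to.{1,16}phones home", re.DOTALL)},
]


def scan_bytes(data, signatures=SIGNATURES):
    """Return the names of every signature that matches the given file contents."""
    digest = hashlib.sha256(data).hexdigest()
    hits = []
    for sig in signatures:
        if sig["kind"] == "sha256" and sig["value"] == digest:
            hits.append(sig["name"])
        elif sig["kind"] == "pattern" and sig["value"].search(data):
            hits.append(sig["name"])
    return hits


def scan_file(path, signatures=SIGNATURES):
    """Scan a file on disk with the same database."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


if __name__ == "__main__":
    for label, blob in (("original", SAMPLE_MALICIOUS), ("variant", VARIANT), ("benign", SAMPLE_BENIGN)):
        print(f"{label:9} -> {scan_bytes(blob) or ['clean']}")
```

This is why analysts prefer a pattern over a bare hash whenever a sample has a stable, distinctive trait: the hash identifies exactly one file, while the pattern covers the family, at the cost of having to be written carefully enough not to match legitimate software.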
Simple Mail Transfer Protocol (SMTP)
A protocol used for transmitting email messages over a TCP/IP network.
SMTP can send email messages, but has limited capability for receiving them, resulting in the common practice of using SMTP for sending messages, and another protocol for receiving messages. Other commonly used protocols are IMAP and POP3.
Many worms include an SMTP-based engine in their own code that is dedicated to sending out copies of their code.
Spam
In information security, a communication that is unsolicited and sent out in massive amounts. Spam can be sent out over email, fax, SMS or any other communication medium.
Spam is mainly used for commercial promotions or mass communications. Today, spam is often sent out by botnets, which can generate thousands or even millions of emails every day. Spam may also be used to distribute malware, or to direct users to sites that host malware.
Spam is considered a nuisance as it takes up network bandwidth and time that could be more productively used. If the spam also brings users into contact with malware and leads to an infection, it can also have a significant financial or personal impact.
The act of sending spam is legally ambiguous in many countries. In some countries, spam operations have been successfully shut down and prosecuted; in others, they can operate with practical impunity.
Spoofing
The act of falsifying characteristics or data, usually in order to conduct a malicious activity.
Spoofing is used in an attack to prevent or complicate the process of identifying the source. There are many kinds of such 'spoofing attacks': email spoofing, Internet Protocol spoofing, URL spoofing and so on.
For example, if a header on a spam email message is modified with a false sender address to hide the actual sender, it is said to be 'spoofed'.
Spyware
A Type designation used by F-Secure to identify programs that collect information about user actions or a device, and send it out.
The information collected by the spyware can vary, and may include the user's web browsing habits, search strings, site preferences and similar types of details that cannot be used to exactly identify a user. Some users may consider that the data gathering intrudes on their privacy.
Spyware may be considered legally and ethically ambiguous. Depending on how it gathers data, the context of use and any applicable laws, spyware may be considered legal and acceptable; dubious but unlegislated; or outright illegal and unethical.
SQL injection
A type of attack that exploits poor user-input filtering and an improperly configured Structured Query Language (SQL) database to inject code and run unauthorized commands in the database.
SQL databases are commonly used to hold vital data such as payroll or customer records. They are usually accessed through either an application or a webpage, with input fields that allow a user to search through and retrieve records in the database.
When a user enters any text or commands into the input fields, a properly configured SQL database will sanitize or filter it to remove invalid content that might cause unexpected issues. Unsanitized input may cause the database to behave unexpectedly, which an alert attacker can then exploit to run unauthorized commands.
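An added Python example (not from the glossary) showing the flaw and its fix side by side: the same customer lookup is written first with the user's text spliced into the SQL string, then as a parameterized query so the database treats the text only as data, with an input check added as a second layer. The SQLite table, its rows and the crafted input are constructed for the demonstration.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory customer table standing in for the "customer
    # records" a real application would hold (sample data, not a real system).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com"), ("Carol", "carol@example.com")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list[str]:
    # The flaw: the user's text is spliced straight into the statement, so the
    # database cannot tell where the data ends and the SQL command begins.
    query = f"SELECT name FROM customers WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    # The fix: a parameterized query. The value travels separately from the
    # statement, so whatever it contains is compared as data, never run as SQL.
    query = "SELECT name FROM customers WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (name,))]


NAME_OK = re.compile(r"[A-Za-z][A-Za-z' -]{0,63}")


def lookup_validated(conn: sqlite3.Connection, name: str) -> list[str]:
    # Defence in depth: reject input that does not look like a name before it
    # reaches the database at all (parameterization remains the primary fix).
    if not NAME_OK.fullmatch(name):
        raise ValueError("invalid name")
    return lookup_safe(conn, name)


# Constructed malicious input: the quote closes the string literal and the
# appended OR '1'='1 makes the WHERE clause true for every row.
CRAFTED_INPUT = "x' OR '1'='1"


def demo() -> dict[str, list[str]]:
    conn = build_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "Alice"),
        "unsafe_crafted": lookup_unsafe(conn, CRAFTED_INPUT),  # every customer is returned
        "safe_normal": lookup_safe(conn, "Alice"),
        "safe_crafted": lookup_safe(conn, CRAFTED_INPUT),      # no such customer: empty list
    }
```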
Symbian
A Platform identifier used by F-Secure for the once-popular Symbian mobile operating system.
The Symbian platform was discontinued in 2012.
Toolbar | Tracking Cookie | Trackware | Trojan | Trojan-Clicker | Trojan-Downloader | Trojan-Dropper | Trojan-Proxy | Trojan-PSW or Trojan-PWS | Trojan-Spy
Toolbar
A type of plugin for a browser that provides additional functions or features.
Toolbars tend to be associated with adware, as they are often bundled together.
Trackware
A Type designation used by F-Secure to identify a program that monitors user behavior or gathers information about the user.
A program is considered trackware if the information it gathers includes details that could identify a specific user or device. Once gathered, the collected information may be forwarded to a remote server.
Trojan
A Type designation used by F-Secure to identify a program that deliberately performs a harmful action, such as altering data or disabling another program.
Trojans were named after the Trojan Horse of Greek legend. They are sometimes referred to as Trojan Horse programs. They can be further subcategorized based on the actions they perform: Trojan-Downloader, Trojan-Dropper, Trojan-Proxy, Trojan-PWS and Trojan-Spy.
Trojans are often carefully crafted to look like authentic legitimate programs or documents, usually by stealing the name or branding of trusted programs or companies. Some trojans may also use documents, videos or even other programs as 'decoys' to distract the user from the harmful actions the trojans perform.
For more information, see Article: Trojan.
Trojan-Clicker
A Type designation formerly used by F-Secure to identify a trojan that continuously connects to specific webpages.
Trojan-clickers are designed to artificially inflate the count of visitors to the targeted webpages, so that operators can fraudulently increase their earnings from pay-per-click advertising schemes.
Today, such programs would be classified as 'Trojan'.
Trojan-Downloader
A Type designation used by F-Secure to identify a trojan that downloads files from remote web and FTP sites.
A trojan-downloader typically tries to contact a specific website or server; if it successfully makes contact, it then downloads specific files. Most trojan-downloaders also install the files on the affected computer, though not all do so.
Many trojan-downloaders include a second payload in addition to downloading and installing files.
Trojan-Dropper
A Type designation used by F-Secure to identify a trojan that installs one or more harmful programs or components.
Unlike a trojan-downloader, which retrieves files from a website or server, a trojan-dropper already contains the files to be installed, often in a compressed format. When the trojan-dropper is launched, it drops or installs these contained programs onto the affected computer.
Trojan-droppers can also contain document or multimedia files that serve as decoys to distract the user from the unauthorized installation.
Trojan-Proxy
A Type designation used by F-Secure to identify a trojan that allows an attacker to use the infected computer as a proxy to connect to the Internet.
Trojan-proxies are often used by hackers to hide the location of the original host from any investigating authorities, as the connection can only be traced back to the computer where the trojan is installed.
Trojan-PSW or Trojan-PWS
A Type designation used by F-Secure to identify a trojan that monitors the user's activities specifically to steal account login details, including passwords.
Trojan-PWSes typically go after bank or finance-related accounts, as well as social media accounts. Some may also include spying and data-stealing routines.
Trojan-PWSes may gather the targeted information by monitoring the web browser or by installing keyloggers. Once the required data is gathered, it is forwarded to a remote website or server.
This designation was formerly written as 'Trojan-PSW'.
Universal Resource Locator (URL) | Universal Serial Bus (USB)
Universal Resource Locator (URL)
An identifier for a resource that can be found on the World Wide Web. Commonly known as a web address.
Each URL - for example, https://www.f-secure.com - uniquely identifies the resource, such as a website or a service. It also gives information about how content from it should be transferred over the Internet and displayed in a browser.
Universal Serial Bus (USB)
A standard specification for how a physical device (e.g., mouse, keyboard) can connect to a controller, such as a computer.
The USB specification standardizes how devices can connect to each other. There are currently three USB standards in use, 1.1, 2.0 and 3.0, which support data speeds of up to 12 Mbps, 480 Mbps and 5 Gbps, respectively.
A physical port on a device that complies with the USB specification is referred to as a 'USB port'; this type of port has become the preferred choice over serial and universal ports.
Variant | Virtual machine (VM) or environment | Virtual Private Network (VPN) | Virus | Visual Basic Script (VBS) | Vulnerability
Variant
A program with enough similarities to a previously identified program that it can be considered as part of the same 'family'.
Variants are usually created when a programmer takes the code of an existing program, modifies it and releases the new, slightly altered version. The alteration may be very minor, such as a change in a message to be displayed, or they may be extensive enough that an entirely new feature is added.
The original program is often referred to as variant A, with subsequent versions referred to as B, C and so on. Occasionally, a variant's code is so altered that it may be considered an entirely new family.
Virtual machine (VM) or environment
An isolated, tightly controlled emulation of a normal computer system. Also known as a sandbox.
VMs are created as completely contained units or instances on the host computer. They are normally used by security researchers and security software to examine unknown or suspicious programs without endangering the host computer.
Virtual Private Network (VPN)
A private, secured network that runs over a larger public, unsecured network such as the Internet. A VPN allows authorized users to send data directly to other VPN-connected machines over the public network.
VPNs are commonly used by businesses to allow their remote employees to access the company's internal network in a secure manner.
Virus
A Type designation used by F-Secure to identify a program that injects its own code into files on a computer. The next time the infected file is run, the viral code in it is replicated or copied again.
A file infected with virus code is referred to as a host file. When it is run, the viral code is copied and either reinserted into the same host file or used to infect another file. If the cycle is repeated enough times, it may cause severe damage to the file or the computer.
Viruses can technically be classified based on the type of files they infect and how the code insertion is performed. For more information, see Article: Virus.
Viruses were once the most common type of malware, and most people will use the term 'virus' to refer to any kind of harmful program. Today however, programs that would be technically classified as viruses are very rare; instead, trojans are now the most common type of malware reported.
Visual Basic Script (VBS)
Also known as 'VisualBasic Script' or 'VBScript', this scripting language was created by Microsoft as a subset of the Visual Basic programming language.
VBS is widely used in webpages designed for Microsoft Internet Explorer web browser users; most other browsers do not have native support for the language. It is also used with Windows Script Host (WSH) to perform local functions on machines running Windows.
Malware written in VBS, or making use of it, was quite common in the early 1990s but has since become far less common.
Vulnerability
A flaw or loophole in a program, service or network that allows a user or attacker to perform unintended actions or gain unauthorized access.
A vulnerability can be a flaw in a program's fundamental design, a bug in its code that allows improper use of the program, or simply weak security practices that allow attackers to access the program without directly affecting its code. Fixing a vulnerability requires the program vendor to create a patch and distribute it to all users of the vulnerable product or service to protect them from possible exploitation.
A publicly announced vulnerability is often targeted by attackers, who attempt to exploit it before the vendor can create and release the fix (known as a zero-day attack). Unfortunately, there is often a significant time lag between when a patch is released and when it is installed on an affected machine. During that time, the machine remains vulnerable to attacks targeting the vulnerability.
For more information, see Article: Vulnerability.
W32 / W64 | Whitelist | WildList | Windows Registry | World Wide Web (WWW) | Worm
W32 / W64
A Platform identifier used by F-Secure for the Windows operating system from Microsoft on a computer with either a 32-bit or 64-bit processor.
While computers with 32-bit processors remain common, newer ones usually use 64-bit processors. Malware designed to run on computers with 32-bit processors often needs to be modified to run properly on those with 64-bit processors.
Whitelist
A list of known and approved items, such as email addresses, websites or programs. The opposite of a blacklist.
Whitelists are used to ensure that only approved items are allowed onto a computer or a network. Many antivirus programs allow users to control a whitelist of programs or websites that are allowed to connect or send data to a computer or a network.
WildList
A list that identifies 'in-the-wild' threats that were reported affecting users in the past month. Compiled by a collaborative group of security experts known as the WildList Organization.
Antivirus program vendors regularly test the effectiveness of their products by pitting them against both in-the-wild and zoo malware.
Windows Registry
A directory in the Windows operating systems listing the settings for the operating system, programs and hardware, user accounts and so on.
The Registry can be viewed and edited using the Registry Editor, also known as regedit. A registry key identifies each item, while a registry value indicates a specific setting or option.
Many malware programs make changes in the registry that allow them to perform their harmful actions. Examples of such changes include adding a registry key so that their components run each time Windows starts, or altering a registry key to prevent security software from scanning the device.
World Wide Web (WWW)
A collective term for all the documents (webpages) and other resources that can be accessed using the Hypertext Transfer Protocol (HTTP).
Strictly speaking, the term 'World Wide Web' refers only to the documents or services that a user views or interacts with, while the term 'Internet' refers to the infrastructure (both hardware and software) that connects all these resources. For example, when a user is browsing through website pages and social media posts, they are essentially viewing parts of the World Wide Web. Most laypersons, however, use the two terms interchangeably.
A webpage or other online resource must be written in Hypertext Markup Language (HTML) for it to be properly transmitted via HTTP and displayed in a web browser.
Worm
A Type designation used by F-Secure to identify a program that replicates by sending copies of itself from an infected device to any other accessible devices, usually over a network.
An infected device can suffer from productivity issues if the worm's replicating behavior takes up too much of the device's resources. In addition, some worms also include a payload, such as installing other programs, changing the system settings and so on.
A worm is classified based on the type of network it uses to spread, such as the Internet, email, IRC chat channels, peer-to-peer networks, Bluetooth, SMS or social media networks. If too many devices on a network are simultaneously sending out worms, the entire network may be severely disrupted.
For more information, see Article: Worm.
Zero-day
The time period between when a vulnerability is first publicly disclosed, and when a patch for it is released.
Attackers will often try to target a recently announced vulnerability to take advantage of the zero-day period when programs or devices are vulnerable. This is known as a zero-day attack.
Due to the high likelihood of zero-day attacks, many security researchers will work with vendors to create and release a patch before publishing the news to the general public.
Even after a patch becomes publicly available, there is often an additional time lag before most companies or home users can install the patch, which gives additional opportunity for a zero-day attack to be effective.
Zombie
A device that has been infected with a bot program which allows an attacker to control it.
A zombie may also be referred to as a bot. Zombies are usually roped into a network of similarly infected devices known as a botnet.
For more information, see Article: Botnet.
Zoo
A collection of malware held in a laboratory and used only for testing purposes.
A zoo collection may also serve as an archive, as it will often contain programs that are no longer 'in-the-wild' (essentially extinct outside the laboratory).
Many antivirus vendors will use both zoo and in-the-wild malware to test the effectiveness of their products.
Social engineering
An approach that exploits psychological or social pressures to gain unauthorized access or information.
Social engineering usually involves exploiting people's trust in common behaviors or practices to gain an unintended advantage. An attack that uses social engineering can take place either online, or in the real world. A few examples of an attack that uses social engineering are:
Social engineering is usually used to: gain access to a restricted area; get a targeted individual to disclose sensitive information such as passwords, account details and so on; or get the targeted individual to perform an action. Despite the simplicity of many of these approaches, they tend to be effective as they take advantage of natural human behaviors.