Malware Glossary

ActiveX control
A software component of Microsoft Windows that can be used to create and distribute small applications through Internet Explorer. ActiveX controls can be developed and used by software to perform functions that would otherwise not be available using normal Internet Explorer capabilities. Because ActiveX controls can be used to perform a wide variety of functions, including downloading and running programs, vulnerabilities discovered in them may be exploited by malware. In addition, cybercriminals may also develop their own ActiveX controls, which can damage a system if a user visits a Web page that contains the malicious ActiveX control.

adware
A program that displays advertisements. While some adware can be beneficial by subsidizing a program or service, other adware programs may display advertisements without adequate consent.

backdoor trojan
A type of trojan that provides attackers with remote access to infected computers. Bots are a sub-category of backdoor trojans. Also see botnet.

bot-herder
An operator of a botnet.

botnet
A set of computers controlled by a "command-and-control" (C&C) computer to execute commands as directed. The C&C computer can issue commands directly (often through Internet Relay Chat [IRC]) or by using a decentralized mechanism, like peer-to-peer (P2P) networking. Computers in the botnet are often called nodes or zombies.

browser modifier
A program that changes browser settings, such as the home page, without adequate consent. This also includes browser hijackers.

CCM
Short for computers cleaned per mil (thousand). The number of computers cleaned for every 1,000 executions of the MSRT (the Microsoft Malicious Software Removal Tool). For example, if the MSRT has 50,000 executions in a particular location in January and removes infections from 500 computers, the CCM for that location in January is 10.0. The CCM for a multiple-month period is derived by averaging the CCM for each month in the period.

clean
To remove malware or potentially unwanted software from an infected computer. A single cleaning can involve multiple disinfections.

disclosure
Revelation of the existence of a vulnerability to a third party. Also see responsible disclosure.

disinfect
To remove a malware or potentially unwanted software component from a computer or to restore functionality to an infected program. Compare clean.

downloader/dropper
See trojan downloader/dropper.

exploit
Malicious code that takes advantage of software vulnerabilities to infect a computer.

firewall
A program or device that monitors and regulates traffic between two points, such as a single computer and the network server, or one server to another.

IFrame
Short for inline frame. An IFrame is an HTML element that embeds one HTML document inside another. Because the IFrame loads another Web page, criminals can use it to place malicious HTML content, such as a script that downloads and installs spyware, into otherwise non-malicious pages hosted by trusted Web sites. Injected IFrames are typically made invisible (for example, sized to zero pixels or hidden with CSS) so that the visitor never sees the page they load.
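Added example (not part of the original glossary or of the Microsoft report): a small Python check that scans page HTML for IFrames that are sized to nothing, hidden with CSS, or pushed off-screen, the usual shape of an injected drive-by IFrame. The sample page, the attacker.invalid host names and the off-screen threshold are constructed for illustration.

```python
"""Flag hidden IFrames in page HTML (added example; sample data constructed).

Injected drive-by IFrames are usually sized to nothing or hidden with CSS so
the visitor never sees the page they load. This auditor reports every
<iframe> that looks like that, together with the reasons it was flagged.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: one legitimate embed and two injected IFrames
# pointing at a hypothetical attacker host (.invalid is a reserved TLD).
SAMPLE_HTML = """
<html><body>
<h1>Welcome to the site</h1>
<iframe src="https://video.example.org/player?id=42" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/load.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="http://attacker.invalid/x.html"
        style="position:absolute; left:-9999px; top:0"></iframe>
</body></html>
"""


def _pixels(value):
    """Return the leading integer of a width/height attribute, or None."""
    if value is None:
        return None
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


class IFrameAuditor(HTMLParser):
    """Collects (src, reasons) for every <iframe> that is effectively invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        reasons = []
        # Zero- or one-pixel frames are too small to render anything visible.
        for dim in ("width", "height"):
            size = _pixels(attr.get(dim))
            if size is not None and size <= 1:
                reasons.append(f"{dim}={size}")
        style = attr.get("style", "").replace(" ", "").lower()
        # Hidden outright via CSS.
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # Pushed off the visible canvas (the -1000px cut-off is a constructed heuristic).
        offscreen = re.search(r"(?:left|top):(-\d+)px", style)
        if offscreen and int(offscreen.group(1)) <= -1000:
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append((attr.get("src", ""), reasons))


def audit_iframes(html):
    """Return a list of (src, reasons) for suspicious IFrames in the HTML."""
    auditor = IFrameAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_HTML):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

The check works on the raw markup only; an IFrame hidden by a rule in an external style sheet, or inserted later by script, would need a rendered-DOM check rather than a source scan.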

in the wild
Said of malware that is currently detected in active computers connected to the Internet, as compared to those confined to internal test networks, malware research laboratories, or malware sample lists.

keylogger
See password stealer (PWS).

malware
Malicious software or potentially unwanted software installed without adequate user consent.

malware impression
A single instance of a user attempting to visit a site known to host malware, and being blocked by the SmartScreen Filter in Internet Explorer 8. Also see phishing impression.

monitoring tool
Software that monitors activity, usually by capturing keystrokes or screen images. It may also include network sniffing software. Also see password stealer (PWS).

parser vulnerability
A vulnerability in the way an application processes, or parses, a file of a particular format, which can be exploited through the use of a specially crafted file. Also see vulnerability.

password stealer (PWS)
Malware that is specifically used to transmit personal information, such as user names and passwords. A PWS often works in conjunction with a keylogger, which sends keystrokes or screen shots to an attacker. Also see monitoring tool.

payload
The actions conducted by a piece of malware for which it was created. This can include, but is not limited to, downloading files, changing system settings, displaying messages, and logging keystrokes.

phishing
A method of identity theft that tricks Internet users into revealing personal or financial information online. Phishers use phony Web sites or deceptive e-mail messages that mimic trusted businesses and brands to steal personally identifiable information (PII), such as user names, passwords, credit card numbers, and identification numbers.

phishing impression
A single instance of a user attempting to visit a known phishing site, with Internet Explorer 7 or Internet Explorer 8, and being blocked by the Phishing Filter or SmartScreen Filter. Also see malware impression.

potentially unwanted software
A program with potentially unwanted behavior that is brought to the user's attention for review. This behavior may impact the user's privacy, security, or computing experience.

remote control software
A program that provides access to a computer from a remote location. These programs are often installed by the computer owner or administrator and are only a risk if unexpected.

responsible disclosure
The practice of disclosing vulnerabilities privately to an affected vendor so it can develop a comprehensive security update to address the vulnerability before it becomes public knowledge.

rogue security software
Software that appears to be beneficial from a security perspective but provides limited or no security capabilities, generates a significant number of erroneous or misleading alerts, or attempts to socially engineer the user into participating in a fraudulent transaction.

Sender ID Framework
An Internet Engineering Task Force (IETF) protocol developed to authenticate e-mail in order to detect spoofed and forged messages, a typical tactic used to drive users to phishing Web sites and to download malicious software.

social engineering
A technique that defeats security precautions by exploiting human vulnerabilities. Social engineering scams can be both online (such as receiving e-mail messages that ask you to open an attachment, which is actually malware) and offline (such as receiving a phone call from someone posing as a representative of your credit card company). Regardless of the method selected, the purpose of a social engineering attack remains the same: to get the targeted user to perform an action of the attacker's choice.

spam
Bulk unsolicited e-mail. Malware authors may use spam to distribute malware, either by attaching the malware to the message or by sending a message containing a link to the malware. Malware may also harvest e-mail addresses for spamming from compromised machines or may use compromised machines to send spam.

spear phishing
Phishing that targets a specific person, organization, or group. The message includes additional information associated with that person, organization, or group, lulling the target into a false sense of security so that he or she divulges more sensitive information.

spyware
A program that collects information, such as the Web sites a user visits, without adequate consent. Installation may be without prominent notice or without the user’s knowledge.

SQL injection
A technique in which an attacker enters a specially crafted Structured Query Language (SQL) statement into an ordinary Web form. If the form input is not filtered and validated before being submitted to a database, the malicious SQL statement may be executed, which could cause significant damage or data loss. Parameterized queries, which pass user input to the database as data rather than concatenating it into the statement text, prevent the input from being interpreted as SQL at all.
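Added example (not from the original glossary or the Microsoft report): a Python script against an in-memory SQLite database that shows a login check built by string formatting, the crafted inputs that bypass it, and the parameterized form that does not. The table, the accounts and the two payload strings are constructed for illustration.

```python
"""SQL injection: vulnerable versus parameterized login (added example).

Runs against an in-memory SQLite database; the table, the accounts and the
attack payloads are constructed for illustration.
"""
import sqlite3


def make_db():
    """Create a throwaway user table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", 1), ("bob", "hunter2", 0)],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates form input into the statement text, so the input *is* SQL.

    A username of  alice' --  closes the string literal and comments out the
    password check; the statement that reaches the database reads
    SELECT username FROM users WHERE username = 'alice' --' AND password = '...'
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Binds the input as parameters; it is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed injection strings: the first impersonates a known user,
# the second logs in as whichever row the database returns first.
PAYLOAD_USER = "alice' --"
PAYLOAD_ANY = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real credentials:", login_vulnerable(db, "alice", "correct horse battery"))
    print("vulnerable, PAYLOAD_USER:    ", login_vulnerable(db, PAYLOAD_USER, "wrong"))
    print("vulnerable, PAYLOAD_ANY:     ", login_vulnerable(db, PAYLOAD_ANY, "wrong"))
    print("safe, PAYLOAD_USER:          ", login_safe(db, PAYLOAD_USER, "wrong"))
    print("safe, PAYLOAD_ANY:           ", login_safe(db, PAYLOAD_ANY, "wrong"))
```

The safe version is not "filtering" the quote character; the driver sends the statement and the values separately, so no amount of quoting in the input changes the query's structure. Input validation is still worth doing for data quality, but binding is what removes the injection.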

tool
Software that may have legitimate purposes but may also be used by malware authors or attackers.

trojan
A generally self-contained program that does not self-replicate but takes malicious action on the computer.

trojan downloader/dropper
A form of trojan that installs other malicious files to the infected system either by downloading them from a remote computer or by dropping them directly from a copy contained in its own code.

virus
Malware that replicates, commonly by infecting other files in the system, thus allowing the execution of the malware code and its propagation when those files are activated.

vulnerability
A weakness, error, or poor coding technique in a program that may allow an attacker to exploit it for a malicious purpose. Also see parser vulnerability.

vulnerability broker
A company or other entity that provides software vendors with vulnerability information provided to it by external security researchers. In exchange for such compensation as the broker may provide, the security researchers agree not to disclose any information about the vulnerability to anyone other than the broker and the affected vendor.

whaling
Phishing that targets senior executives and other high-ranking people within a company or group.

wild
See in the wild.

worm
Malware that spreads by spontaneously sending copies of itself through e-mail or by using other communication mechanisms, such as instant messaging (IM) or peer-to-peer (P2P) applications.

Source:
Microsoft Security Intelligence Report volume 6 (July - December 2008)
