Security Dictionary

hnbp16

Level 1
Verified
Oct 26, 2015
15
Hello, have tried to put together a wide array of terms that are used in the security community and may occasionally crop up on this forum without explanation. As with any author-written dictionary the definitions are infused with my own personal experience, also be aware that in trying to simplify some of the technical explanations I may have missed important information out, so let me know if that's the case.

The list is pretty short so far, but I'm hoping if anybody has a term to add, or sees a definition I've got wrong, let me know either in a reply or in PM etc. For those of you not well-versed in the technical terms I hope this will be an interesting read :) I'll be working on adding new terms (a lot of obvious ones missing...), cleaning it up and generally improving it as my labour of love :p Hope you enjoy it

1337: The leet spelling of leet.

Adware: A program that is designed to present advertisements to you. These usually take the form of links being displayed on legitimate websites (for example, links to online pharmacies appearing on the usually ad-free Google homepage), pop ups and any software that appears to serve the sole purpose of extracting money from you. When people refer to BHOs and toolbars, they are normally referring to adware. Note that Scareware is classed by some as a type of adware.

Anti-Malware: Software that specialises in removing malware and trojans from your computer. True anti-malware programs such as MalwareBytes Anti-Malware are different from Anti-Virus programs (See below)

Anti-Spyware: The same as above, however specialises in removing spyware, which usually includes Adware and PUPs.

Anti-Virus: Software that protects your computer from malicious software. There is much debate and confusion in the community about which anti-virus is the best, however it's often not fair to compare certain products. An anti-virus software is a more general program which aims to remove all known threats from your computer. Whereas some programs are more specialised, these include "anti-rootkit, anti-malware and anti-spyware"

AV: Short for Anti-virus

Backdoor: A program, normally called a trojan or 'server' designed to grant a hacker or operator access to your computer. The backdoor works by listening for special commands sent from the control program to your IP address, instructing the server portion to do anything from log passwords, record your webcam, take screen shots etc, depending on what abilities were programmed into the server. Note that server in this context refers to the actual malicious file on your computer and not to a 'server' on the internet. The hackers control panel is usually called a client.

Binder: See Joiner

Code: The word code is used almost exclusively in the underground community to refer to either the source code of a program, or as another word for program (to write a piece of code).

Crypter: Also known as executable encrypters, the aim of a crypter in the hands of malicious parties is to obfuscate the contents of the file to prevent disassembly and debugging. Think of this as the difference between reading this sentence. And reading \[th]%@***+[is] se-&^nt20enc2008e2&21][*7. There are two forms of crypters, "Scan-Time" and "Run-Time", the latter is the most sought after as the executable code is protected in memory. In order to run an executables code has to be unpacked and loaded into memory, in it's unpacked state the code is vulnerable to attack as the analyst can simply make a copy of it, therefore run time crypters employ more advanced techniques to avoid this practise, known as 'dumping' (copying memory contents to a file). A scan time crypter simply protects until it is run, when it decrypts the malicious file into memory (or a temporary file on disk). Anti-virus scanners typically include modules to deal with these kinds of file by running them in a sandbox to scan the unprotected contents.

Dropper: Normally called a Trojan Dropper, any file or code which downloads or 'drops' a file/s onto the users computer.

Fork Bomb: A piece of code which is designed to continuously replicate itself until all the computers resources have been exhausted. For example a process which continually launches itself as a new process. Some zip bombs are also considered fork bombs, especially where they aim to unpack multiple layers of gigantic sized files, designed to exhaust all of the disk space or memory on your computer (whichever runs out first).

FUD: Short for Fully Undetected or Fully Undetectable. Referring to a piece of malware meaning no anti-virus can currently detect it. See also UD and SUD.

HEUR: Short for Heuristic. Refers to generic patterns which are matched against malware samples to indicate the likelihood that sample is malicious.

Heuristic: As above.

IM: Instant messenger, for example MSN Messenger or Windows Live Messenger.

IRC: Internet Relay Chat. Private IRC chatrooms are popular amongst the underground community, normally hosted on private servers, multiple people can join a channel (individual chatroom) and talk at once.

IRC Bot: A remote administration program which receives commands through an IRC channel.

JS: Short for JavaScript

JavaScript: A scripting language (see below) which is used to control the interactive (aka dynamic) features of a website. It is processed not by the server as with PHP but by your browser. Javascript viruses are not compiled and are therefore usually obfuscated to frustrate attempts to detect any malicious activity in plain site. As Javascript is interprited by the browser, it can also be run as a URL in the address bar. The user copies and pastes a code into their address bar, giving the javascript code access to anything on the webpage the user is browsing. This has been used prominently in the past on social media to cause users to automatically post malicious links to all of their friends profiles for example.

Joiner: A program used to package together multiple files into a single file (or container). Typically used to package a backdoor with a legitimate file, so as when you run the legitimate program, the trojan is also extracted and run without your knowledge. See "stub" for details on how this works.

New School: Used to describe a person belonging to the new generation of hackers and virus writers. The term is generally derogatory as it's thought most new schoolers are 'script kiddies'. Some people also include those hackers and virus writers who operate exclusively for money in this category.

n00b/Newbie: A usually derogatory term used to describe someone inexperienced. n00bs are especially prone to annoying less tolerant members by asking what are often 'obvious' questions.

Obfuscation: Unobfuscated code is normally fairly readable, allowing the analyst to 'follow along' and understand how the program operates. The point of obfuscation is to frustrate these attempts, whether to discourage stealing (ripping) or prevent malware researchers from detecting malicious activity.

Oldskool: Used to describe a person who shares the attitude and culture of the early hackers and virus writers. The exact definition of this is generally a personal view, however the general consensus is that an 'oldskooler' is someone who obsessively seeks knowledge. An oldskooler will generally dissect a system to find it's weaknesses and will reward themselves by exploiting those weaknesses. Notoriety and demonstrating this knowledge is often part of the fun.

Packer: Different from a crypter in that the main goal is not to protect against anti-viruses by encryption but simply to reduce the file size.

Phishing: A fake website, program, email or application disguised as legitimate and used for the purpose of gaining personal information (usually passwords & bank account details) from the user. Lesser known phishing scams also affect the underground community (typically script kiddie hangouts), in the form of fake tools and programs. The mid 2000s saw an influx of fake "Freezers" and "booters" designed to steal usernames and passwords from IM services such as Yahoo and MSN.

Popup: A popup or pop up ad can take three forms. Popup is used to describe an advert that opens in a new window or tab. Pop-over is used to describe an advert that appears right in front of the website itself, obscuring your view of it, these are often particularly difficult to close. And pop-under, which is used to describe an advert that appears behind any open webpages, the intention being that as you don't notice it right away, you will be more likely, on discovering it to stop, look and think "what's this" as opposed to closing another annoying pop-up without thinking.

Rar Bomb: See Zip Bomb

Ripper: Someone who steals code and passes it off as their own, usually with little modification other than replacing the authors name with their own.

Root: Refers to an account with the highest possible privileges on a computer or server. Should a virus or hacker "get root" they can do pretty much anything they like.

Leet: Referring either to "leet speak" meaning t0 r3pl4c3 l33t3r5 w1th numb3rs or referring to an especially skilled person "elite". Note that it is generally regarded by most as rather childish to label yourself as leet or elite, this behaviour is common amongst new schoolers.

Scene: The scene is a name for the culture and collective of hackers and virus writers. Some people will refer specifically to a subsection, for example virus writers as the vx scene.

Script Kiddie: Someone who is interested in writing viruses and spreading malicious code for fun and to cause mayhem and destruction but uninterested in how they work. Script kiddies almost exclusively use tools and kits to produce viruses, use pre-made RATs, password stealing kits and crypters. These people are also called skids & skiddies.

Signature: An anti-virus signature is a small sequence of bytes (eg. the computers version of the alphabet) which can uniquely identify a malicious file. It can also refer to a hash (unique sequence of letters and numbers, like a fingerprint) which identifies either a whole malicious file, or just a portion of it (a particular 'section' in the executable file)

Stub: Refers to a small executable in a crypter, packer or joiner that unpacks the main contents of the file. Usually a specific marker or 'offset' (pointer to a specific part of a file) tells the stub what data is to be loaded into memory or extracted to disk. For a visual example, imagine that || means the boundaries of a file (the container) and the @split@ is the end of the stub program and the beginning of the malicious program inside. ||[STUB DATA]@split@[FILE1 DATA]||

SUD: Submission of Undetected (samples) Done, refers to submitting a file for analysis to anti-virus companies which do not currently detect the file as malicious.

Trojan: Short for Trojan Horse. General term for a malicious program which does not have the ability to replicate. Trojans are normally sub-categorised according to their ability. For example a Trojan PSW will steal passwords whereas a Trojan Dropper will download malicious files to your computer.

UD: Undetected or Undetectable, different from FUD in that some anti-virus programs may detect the file as malicious.

Virus: A virus traditionally is any piece of malicious code that has the ability to infect other files on your computer. There are multiple types of viruses, known as prependers, appenders, inserters and over-writers. It was considered poor for a virus writer to produce an over-writer virus, that is one that simply replaces files on your computer with a copy of itself. Prependers and appenders attach the virus code (or a specific infection code, or sometimes just text), to the beginning of the file and the end of the file respectively. An inserter virus places it's code at a random position in the file. This technique is designed to reduce the possibility of detection by anti-virus and also to make file harder to disinfect (remove the virus code and restore the file to it's original state). These terms refer to the physical position of the code within the file, not to whether the virus runs before the main program or after as nearly all viruses patch the "original entry point" meaning the first piece of code to execute when you run the file becomes the viruses code, which will then decide whether to let the program continue as normal or not. Additionally viruses can also be considered 'polymorphic' or 'metamorphic', a polymorphic virus has the ability to change the order it's code is run, whereas a metamorphic virus can actually re-write it's code, becoming a 'technically different' virus from the point of view of an anti-virus. Both techniques were employed to frustrate attempts by anti-virus programs to detect and remove viruses.

VX: Slang for virus.

XSS: Cross site scripting. An attack whereby malicious commands (usually HTML or Javascript) are passed to a web server and executed. Client side XSS attacks require the attack to cause a user to copy and paste malicious code into the address bar, this code can add for example, a malicious iframe (a malicious website can be 'embedded' in the webpage you are viewing) without your knowledge. This form of attack usually relies on malicious input being passed to a PHP file on the server, for example the file example.com/vulnerable.php?=hello can be replaced vulnerable.php?=[our code here] causing our code to execute if the input is not 'sanitized' or filtered properly (the ?= at the end of the php file means we can pass information to a file on the server, in the url). with Server side XSS means that the same malicious code can be "injected" into a webpage, for example a comment box that allows the use of certain HTML tags for example <b></b> to make text bold. If the comment box does not properly filter the content, we can include a <script> tag which allows us to run Javascript. Thereafter whenever another user views our comment on the page, the server will also load the Javascript, allowing for example, links to be spammed to us and much more.

ZIP Bomb: A malicious Zip file which is designed to cause your computer or anti-virus to crash upon opening. Because of how the compression algorithms in a zip file work, repeated data for example "aaaaaaaaaaaaaaaaaaaa" can be dramatically reduced in size, meaning a file containing just repeated data over a terabyte in size can be compressed to as little as 40kb. Some Zip bombs employ a different approach and are crafted specifically to contain a second zip file within the first (zip in a zip), this second zip file does not however contain any further files, but instead a link back up to the top zip file, creating an endless loop. This technique is designed to cause anti-virus programs to crash when trying to unpack. Whilst the technique was popular many years ago, most modern anti-viruses contain counter-measures against these practises.

Note: This list is currently quite small and random. I will add more terms in the next few days (as of 07/20/14)

Great! So relevant information!
 
  • Like
Reactions: Cats-4_Owners-2
Apr 15, 2019
10
I'd also add "Proxy", which, according to proxyway.com is a "a secure gateway between you and the internet. So when you use a proxy server, the traffic flows through it towards the site you want to reach." And no, it's not the same thing a VPN is - I won't get into details here, but you can check that website/ Google it yourself, if you find it interesting!
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top