Malware And Security Threat Glossary
As the content security threat landscape becomes increasingly complex with threat types and attack vectors multiplying, the industry is awash with buzzwords and naming conventions. The following glossary identifies the specific definitions that West Coast Labs uses.
Security Threat Glossary
Attack Vector - The method by which malware attempts to enter a system. This generally refers to a protocol such as HTTP, SMTP, FTP, IRC, IM, etc.
Anti-Malware - A term generally applied to a software application which combats malicious code through detection and/or removal.
Drive-by Download - A technique used to surreptitiously download malware onto a user's machine. The attack generally includes exploits for browser or OS vulnerabilities, and may be separated into several pieces so that the user is directed to several websites or domains in turn, to avoid detection by anti-malware programs.
Malware which uses FTP as an attack vector.
URLs which direct a user to a Web Threat.
Malware which uses email as an attack vector.
Application-specific Attacks - Exploits or hacking attempts which seek to use a vulnerability in a particular software program to gain entry to a user's system.
Socially Engineered Attack
Exploits or hacking attempts which seek to use a user's susceptibility to fear, trust or titillation to gain access to a user's system or information. Phishing and trojans are two types of attack which rely almost exclusively on social engineering.
URLs which direct a user to content which may be considered inappropriate for certain contexts, such as "adult" or violent content, or network tools which could be used to compromise a network.
Web Threat - A category of threats delivered over HTTP which intend to perform actions that harm a user or their system. Phishing, drive-by downloads and sites which host malware can be considered to fall into this category.
Bot - A Bot (short for robot) is a type of program which has evolved from RATs (see Spyware definitions). A bot usually leverages an internet-facing port to deliver a program that awaits a further command, upon which it can take remote control of the system. Bots are often combined with other infected machines to form a botnet (a network of bot-infected machines). Bots are used to turn an individual machine into a "zombie" that can then be used for actions such as co-ordinated DoS attacks on websites or spamming, or hired out or sold to others for such use.
Exploit - An Exploit is a piece of code designed to attack a vulnerability on a computer system, or such an attack itself. Hackers and writers of Malware look for announcements of such vulnerabilities by manufacturers and other sources and then attack machines which have not been patched against the vulnerability. The code is designed to enable an activity that otherwise could not take place, or to avoid system restrictions preventing such an activity. Various payloads attached to the exploit may provide the attacker with a number of ways into the compromised system.
Placebo Files - Placebo files are clean files, including some that display malware-like tendencies (for example, opening local ports) but are entirely innocuous. They are included in custom test sets to provide a control group.
Rootkit - Although the term originally referred to Unix systems, it has come to mean more widely a set of tools or programs used on a host system, often in conjunction with malware, to allow attackers to exploit that system or a network. Rootkits can be used to hide applications from third-party scanners, and the term is also coming to mean more generalized cloaking utilities that mask the attacker's activities. The term rootkit became more publicly known after the anti-copy security software on several Sony-BMG audio CDs displayed rootkit-like tendencies as part of their Digital Rights Management strategy.
Spyware - Spyware is a form of software that makes use of a user's internet connection without his or her knowledge, usually in order to covertly gather information about the user. Once installed, the Spyware may monitor user activity on the Internet and transmit that information in the background to someone else. Spyware can also gather information such as addresses and even passwords and credit card numbers. Spyware is often unwittingly installed when users install another program, but can also be installed when a user simply visits a malicious website.
Types of Spyware used in the West Coast Labs Test Suites
- Backdoor - A Backdoor is a secret or undocumented way of gaining access to a program, online service, computer or an entire computer network. Most Backdoors are designed to exploit a vulnerability in a system and open it to future access by an attacker. A Backdoor is a potential security risk in that it allows an attacker to gain unauthorized access to a computer and the files stored thereon.
- Key Loggers - A Key Logger is a type of surveillance software that has the capability to record every keystroke to a log file (usually encrypted). A Key Logger can record instant messages, email and any other information typed using the keyboard. The log file created by the Key Logger can then be sent to a specified receiver. Some Key Logger programs will also record any e-mail addresses used and Web Sites visited.
- Financials - A Financial is a program that has the capability of scanning a PC or network for information relating to financial transactions and then transmitting the data to a remote user.
- Proxies - Proxies are designed to enable an external user to use a computer for their own purposes, for example, to launch DDoS attacks or send spam, so that the true originator of the attack cannot be traced.
- Password Stealers and Crackers - A Password Stealer is a program resident on a computer which is designed to intercept any passwords held on that machine and report them to an external person. A Password Cracker has the ability to decode any encrypted passwords.
- Downloaders - A Downloader is a file which, when activated, downloads other files onto the system without the knowledge or consent of the user; those other files then carry out malicious functions on the system.
- Hijacker - A Hijacker is a file with the ability to change your default Internet home page and/or to create or alter other Web browser settings such as bookmarks and redirection of Internet searches or Internet browsing to commercial sites that could offend the user or breach corporate policies on inappropriate or illegal content.
- RATs - A Remote Access Trojan (RAT) is a piece of malware designed to run and gain access to a remote computer across a network or the Internet in order to carry out a particular purpose on that remote computer, that purpose being malicious and without the consent of the remote system's owner or user. Access is usually gained by use of a backdoor, either already installed or included in the code of the RAT.
Trojan Horse - Trojan Horses or Trojans are destructive programs that pretend to be benign applications. Unlike Viruses or Worms, Trojan Horses do not replicate themselves; they can nevertheless be damaging to networks by delivering other types of Malware.
Virus - A Virus is a program or piece of code attached to a file or to a diskette's boot sector; it is loaded onto a computer without the user's knowledge. Viruses are man-made (though they can be corrupted in use to form new variants of the virus) and replicate by attaching themselves to files or diskettes, often soaking up memory or hard disk space and bringing networks to a halt. Most recent viruses are internet-borne and capable of transmitting themselves across, and bypassing, security systems. Minor variants of the same virus are classed as a family of viruses.
Worm - A Worm is an insidious program or algorithm that replicates itself over a computer network or via an email system and usually performs malicious actions, such as using up the computer's resources or distributing pornography, possibly shutting the system down. Unlike Viruses, Worms copy themselves as standalone programs and do not attach themselves to other objects.
Security Test Methodologies
Testing security solutions by executing threats against them, as would occur in a user's environment. For example, a threat which propagates by email is tested by clicking on the attachment to execute it, allowing run-time or "on-access" solutions to analyze and potentially protect against the threat.
Real Time Testing
Testing security solutions against threats as they come in, rather than passing large test-beds of threats on a periodic basis. Recognizing the swiftly changing malware environment, this testing approach focuses on time, location and threat-vector information to provide the greatest relevance in terms of what will likely be seen in a user's environment.
Testing security solutions by passing a test-bed of threats (malware, vulnerabilities or URLs) against them.
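The following is an added illustration, not West Coast Labs code or methodology, of what a test-bed run with a placebo control group (as defined under Placebo Files above) looks like in practice. A toy signature-based detector is run over a constructed test-bed of labelled "threat" samples (plain byte strings standing in for malware) and placebo files, one of which shows a malware-like trait but is harmless. The detector, the samples, the hashes and the `SAMPLE-THREAT` heuristic are all assumptions made for the example; the point is that the placebo group is what exposes false positives, while the labelled threats expose misses.

```python
"""Added example (not West Coast Labs code): a toy test-bed run in which a
signature-based detector is measured against threat samples plus placebo
(control) files. All samples, hashes and signatures are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes
    is_threat: bool  # ground truth supplied by the test-bed metadata


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed test-bed: three labelled "threats" (byte strings standing in for
# malware samples) and three placebo files. One placebo mimics a malware-like
# trait (opening a local port) but is harmless, as the glossary describes.
THREATS = [
    Sample("threat-a", b"SAMPLE-THREAT-A downloader stand-in", True),
    Sample("threat-b", b"SAMPLE-THREAT-B keylogger stand-in", True),
    Sample("threat-c", b"unseen variant with no signature yet", True),
]
PLACEBOS = [
    Sample("placebo-clean-doc", b"quarterly report, nothing of interest", False),
    Sample("placebo-port-opener", b"listens on a local port but is harmless", False),
    Sample("placebo-installer", b"legitimate installer that contains SAMPLE-THREAT", False),
]
TEST_BED = THREATS + PLACEBOS

# Toy detector: exact-hash signatures for the two known samples plus one crude
# content heuristic (hypothetical). By construction it misses threat-c (no
# signature) and flags placebo-installer (heuristic too broad), so the run
# shows both a false negative and a false positive.
KNOWN_HASHES = {sha256(s.data) for s in THREATS[:2]}
HEURISTIC = b"SAMPLE-THREAT"


def detect(sample: Sample) -> bool:
    """Return True if the toy detector flags the sample as malicious."""
    if sha256(sample.data) in KNOWN_HASHES:
        return True
    return HEURISTIC in sample.data


def run_test_bed(samples):
    """Pass every sample to the detector and tally results against ground truth."""
    result = {"tp": 0, "fn": 0, "fp": 0, "tn": 0, "missed": [], "false_alarms": []}
    for s in samples:
        flagged = detect(s)
        if s.is_threat and flagged:
            result["tp"] += 1
        elif s.is_threat:
            result["fn"] += 1
            result["missed"].append(s.name)
        elif flagged:
            result["fp"] += 1
            result["false_alarms"].append(s.name)
        else:
            result["tn"] += 1
    threats = result["tp"] + result["fn"]
    controls = result["fp"] + result["tn"]
    # Detection rate comes from the threat set; false-positive rate comes only
    # from the placebo control group, which is why the control group is needed.
    result["detection_rate"] = result["tp"] / threats if threats else 0.0
    result["false_positive_rate"] = result["fp"] / controls if controls else 0.0
    return result


if __name__ == "__main__":
    r = run_test_bed(TEST_BED)
    print(f"detected {r['tp']}/{r['tp'] + r['fn']} threats "
          f"(rate {r['detection_rate']:.2f}); missed: {r['missed']}")
    print(f"false positives {r['fp']}/{r['fp'] + r['tn']} placebos "
          f"(rate {r['false_positive_rate']:.2f}); false alarms: {r['false_alarms']}")
```

Running the script reports two of three threats detected and one of three placebos wrongly flagged. A real test-bed replaces the byte strings with actual samples and the toy `detect` with the product under test, but the bookkeeping, and the reason the placebo group must be part of the set, is the same.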