Network Chico security
terms glossary
Welcome to the Network Chico
computer security terms glossary.
=B=
Backdoor (1): A program
that surreptitiously allows access to a computer's resources
(files, network connections, configuration information, etc.)
via a network connection is known as a backdoor or remote access
trojan. Note that such functionality is often included in legitimate
software designed and intended to allow such access. For example,
software that allows remote administration of workstations on
a company network, or that allows helpdesk staff to 'take over'
a machine to remotely demonstrate how a user can achieve some
desired result, are genuinely useful tools (and even desirable
in many settings). The difference between backdoors or remote
access Trojans and remote administration tools is that the latter
are designed into a system and installed and used with the knowledge
and support of the system administrators and the other support
staff they involve. Remote access trojans generally consist of
two parts: a client component and a server component. In order
for the trojan to function as a backdoor, the server component
needs to be installed on the victim's machine. This may be accomplished
by disguising the program in such a way as to entice victims
into running it. It could masquerade as another program altogether
(such as a game or a patch), or it could be packaged with a hacked,
legitimate program that installs the trojan when the host program
is executed. Once the server file has been installed on a victim's
machine, often accompanied by changes to the registry to ensure
that the trojan is reactivated whenever the machine is restarted,
the program opens a port so that the hacker can connect. The
hacker can then utilize the trojan via this connection to issue
commands to the victim's computer. Some remote access trojans
even provide a message system, where the hacker is notified every
time their victim logs onto the Internet.
Here's an abbreviated list of things that a hacker can accomplish
while controlling a victim's computer via a backdoor:
- Upload/download files
- Make changes to the registry
- Delete files
- Steal passwords and other confidential information
- Log keystrokes
- Rename files
- Display images or message boxes
- Disable the keyboard or mouse
- Hide the taskbar, start button or desktop icons
- Shutdown the computer or reboot the computer
- Print
- Run applications or terminate the currently running applications
- Detect and initialize capture devices such as web cams or
microphones
- Disable antivirus or firewall software
- Start an FTP server on the victim's machine that could make
it accessible to other unauthorized intruders
Backdoor (2): The term
backdoor is also frequently used as a synonym for
a method for accessing a computer system or application that
its maintainers or users are usually not aware of. Normally the
term is used when the presence of this 'feature' is a secret.
Such a feature whose presence is widely known - even if some
arcane access method needs to be known to use it and remains
a closely guarded secret - is unlikely to be referred to as a
'backdoor' unless its existence was uncovered by chance. Such
surreptitious access mechanisms may be included by the developers
without the knowledge of the system or application designer,
or may be designed-in but kept from the customers or end users.
This meaning of backdoor is of little immediate interest or relevance
in the antivirus field.
Bait File: See the first
meaning of Goat File.
Bimorphic Virus: An encrypted
virus that has two forms of the decryption code, usually randomly
selecting between them when writing its decrypter to a new replicant.
(See Polymorphic Virus for more details; also see Oligomorphic
Virus.)
Binder: A tool that combines
two or more files into a single file, usually for the purpose
of hiding one of them. A binder compiles the list of files that
you select into one host file, which you can rename. A host file
is a simple custom compiled program that will decompress and
launch the source programs. When you start the host, the embedded
files in it are automatically decompressed and launched. When
a trojan is bound with Notepad, for instance, the result will
appear to be Notepad, and appear to run like Notepad, but the
Trojan will also be run.
BIOS: Basic Input/Output
System. The program in a PC providing the lowest level of
interface with the hardware. A PC's BIOS is also responsible
for initiating the operating system bootstrap process by loading
the boot sector of a diskette or the master boot record of a
hard drive and passing control to it. Under CP/M, DOS and Windows
3.x, BIOS interfaces to the hardware were paramount to the proper
operation of the machine. Specialized hardware that standard
BIOSes were not written to recognize and handle had to either
include a BIOS extension on its adaptor card or provide device
drivers allowing access to the device (or both) if they were
to be used other than by proprietary software written to their
hardware interface. More advanced OSes for the PC - such as the
various Unixes written for it, NT, Linux, Windows 95 and so on
- only depend on the BIOS for its OS bootstrapping function,
providing their own (or vendor-supplied) protected mode drivers
for all the hardware devices they can use. (Windows 9x allows
a degree of real mode compatibility so it can be used on older
machines with 'odd' hardware that is not supported by native
drivers, but there are performance overheads.) Traditionally,
the BIOS was supplied in a ROM chip plugged into a socket on
the PC's mainboard. This arrangement allowed for the replacement
of the BIOS, should that ever be necessary to accommodate new
hardware requirements (or to supply bug fixes). More recently
it has become standard practice to supply the BIOS in a flash
memory (or flash ROM) chip, allowing updates to be written directly
to the chip via software. The BIOS should not be confused with
the CMOS storage area that is used to store BIOS and mainboard
configuration options and data.
Boot Code: The program
recorded in a boot sector is known as boot code. Boot sectors
usually contain boot code because these small programs have the
job of starting to load a PC's operating system once the BIOS
completes its POST checks, although some types of boot sector
seldom, if ever, contain boot code. Good examples of boot sectors
that do not normally contain boot code are those at the head
of extended partitions - under DOS and Windows OSes, such partitions
cannot be made bootable so those OSes usually only place a partition
table (which they do require) in such boot sectors. Thus, the
system boot sectors of diskettes and partitions (logical drives)
on hard drives, and the MBRs of hard drives, normally all contain
boot code of some kind. It is this code, or at least the room
reserved for it, that boot viruses target. Once the BIOS completes
its hardware checks, it simply reads the appropriate boot sector
(depending on which device it is set to boot from first and whether
that device is ready) without doing any 'sanity checking' on
its contents.
Boot Infector: See Boot
Sector Infector.
Boot Record: The program
recorded in the Boot Sector. All floppies have a boot record,
whether or not the disk is actually bootable. Whenever you start
or reset your computer with a disk in the A: drive, DOS reads
the boot record from that diskette. If a boot virus has infected
the floppy, the computer first reads the virus code (because
the boot virus placed its code in the boot sector), then jumps
to whatever sector the virus tells the drive to read, where the
virus has stored the original boot record.
Boot Sector: A generic
term encompassing system boot sectors and master boot records.
Technically, this means the first logical sector of any drive
(what DOS or Windows would consider to be sector 1 of that drive)
and the MBR (sector 0,0,1 in CHS notation) of hard drives. As
floppy disks do not have partitions, the logical drive and physical
drive map sector for sector and their first logical sector is
also 0,0,1. On hard drives, there is a boot sector for each logical
drive (or partition, such as C: and D:) plus one for the MBR.
(The 'root' entries of any extended partitions may or may not
be counted - if so, the total number of boot sectors is higher
than the preceding description suggests, with the final count
depending on the number and nesting of extended partitions.)
Most boot sectors contain boot code, which (under DOS and Windows)
is usually created by FORMAT or SYS if the boot code is in a
system boot sector, or by FDISK if in the master boot record
of a hard drive. Sometimes the term 'boot sector' is ambiguously
used to also refer to only the boot sectors of logical drives.
This usage is avoided as far as possible in this glossary and
the rarely used term 'system boot sector' is used when this distinction
needs to be made.
Boot Sector Infector:
Every logical drive, both hard disk and floppy, contains a boot
sector. This is true even of disks that are not bootable. These
boot sectors usually contain specific information relating to
the formatting of the disk (see BPB) and a small program - the
boot code (which starts loading the system files of the active
OS on that drive). The boot code is what displays the 'Non-system
Disk or Disk Error' message familiar to those who have left a
'non-bootable' diskette in the A: drive of a PC when it booted.
As well as these system boot sectors, hard drives also have a
special boot sector known as a master boot sector or master boot
record. As the boot code is a program, it can also be infected
by a computer virus. Boot sector infections normally start from
leaving an infected diskette in a PC's floppy drive and rebooting
the machine. When the viral boot code is read from the boot sector
and executed, the virus copies itself to a 'safe' place in memory,
hooks disk I/O functions, infects the hard drive and remains
resident, lying in wait for uninfected boot sectors to present
themselves (these will usually be on diskettes accessed in the
floppy drives). The safe memory location used by most boot viruses
(and many file infectors too) is at the 'top of memory'. Brain
- the first PC virus - was also the first PC boot sector infector.
Although Brain was limited to diskette boot sectors, most boot
viruses since typically infect the system boot sectors of floppy
disks and the MBRs of hard drives. Perhaps the main advantage
of this strategy is that the virus' code will always be the first
to run, whichever drive type is booted from. Stoned was the first
virus to implement this and in many ways remains the classic
example of the technique. A few boot viruses, such as Form (which
is perhaps most notable for its perseverance), infect the system
boot sectors of both diskettes and hard drives. Some multipartite
viruses have boot sector components that only infect MBRs while
others have boot sector parts that only infect diskette or hard
drive system boot sectors. Boot viruses can be polymorphic (for
example, the boot component of the complexly multipartite Win95/Fono),
can employ stealth techniques (Brain and many more since), and
use many of the other techniques from the usual arsenal of virus
tricks. In the early history of virus development, boot infectors
were most commonly responsible for actual infections and featured
prominently in the WildList. This was because of the high incidence
of diskette sharing, that being by far the most common method
of transferring data before connecting PCs to LANs and WANs became
popular. Multipartite viruses with diskette boot sector components
were the next most common viruses at that time, with Junkie probably
being the best-known and most prevalent example. Straight file
infectors barely showed in the WildList in those days. These
patterns were entirely overturned as macro viruses embedded in
documents became common and network (and particularly Internet)
connectivity increased.
Boot Virus: A virus that
infects boot sectors.
BPB: BIOS Parameter
Block. A data table in the system boot sector of all FAT
format logical drives, containing information about the formatting
of the drive. This includes details such as the number of tracks,
the number of sectors per track, the size of the sectors and
the number of sectors per logical cluster, which are critical
to reading the drive properly.
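The Boot Code, Boot Sector and BPB entries above describe a 512-byte sector that the BIOS reads and executes without any sanity checking. As an added example (not part of the original glossary), the following Python parser decodes the BPB fields the BPB entry lists, applies the plausibility checks a BIOS skips, and hashes the boot code region so it can be compared with a known-good copy; the 1.44 MB diskette sector it parses is constructed inline and is not a dump of any real disk.

```python
import hashlib
import struct
# FAT12/16 system boot sector: 3-byte JMP, BPB from 0x0B, boot code from 0x3E, 0x55AA at the end.
BPB_FORMAT = "<8sHBHBHHBHHHII"   # OEM name (offset 0x03) through 32-bit total sectors
BOOT_CODE_START = 0x3E

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the BPB and run the sanity checks the BIOS never performs."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    f = struct.unpack_from(BPB_FORMAT, sector, 3)
    info = {"bytes_per_sector": f[1], "sectors_per_cluster": f[2],
            "reserved_sectors": f[3], "fats": f[4], "root_entries": f[5],
            "total_sectors": f[6] or f[12], "sectors_per_fat": f[8],
            "sectors_per_track": f[9], "heads": f[10],
            "fat_type": None, "warnings": []}
    warn = info["warnings"].append
    if sector[0] not in (0xEB, 0xE9):      # boot code must begin with a JMP over the BPB
        warn("byte 0 is not a JMP instruction")
    if sector[510:] != b"\x55\xAA":
        warn("0x55AA boot signature missing")
    bps, spc = info["bytes_per_sector"], info["sectors_per_cluster"]
    if bps not in (512, 1024, 2048, 4096):
        warn(f"implausible bytes per sector: {bps}")
    if spc == 0 or spc & (spc - 1):
        warn(f"sectors per cluster {spc} is not a power of two")
    if info["fats"] not in (1, 2):
        warn(f"unexpected number of FATs: {info['fats']}")
    if not info["warnings"]:
        # The data cluster count decides the FAT flavour (thresholds from the FAT spec).
        root_secs = -(-info["root_entries"] * 32 // bps)   # ceiling division
        data_secs = (info["total_sectors"] - info["reserved_sectors"]
                     - info["fats"] * info["sectors_per_fat"] - root_secs)
        clusters = data_secs // spc
        info["fat_type"] = ("FAT12" if clusters < 4085 else
                            "FAT16" if clusters < 65525 else "FAT32")
    return info

def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code region, for comparison with a known-good copy."""
    return hashlib.sha256(sector[BOOT_CODE_START:510]).hexdigest()

def make_sample_floppy_sector() -> bytes:
    """Constructed sample: BPB of a 1.44 MB FAT12 diskette plus placeholder boot code."""
    bpb = struct.pack(BPB_FORMAT, b"MSWIN4.1", 512, 1, 1, 2, 224, 2880,
                      0xF0, 9, 18, 2, 0, 0)
    ebr = struct.pack("<BBBI11s8s", 0, 0, 0x29, 0x1234ABCD,
                      b"NO NAME    ", b"FAT12   ")
    code = b"\xCD\x19" + b"\x90" * (510 - BOOT_CODE_START - 2)   # INT 19h, then NOPs
    return b"\xEB\x3C\x90" + bpb + ebr + code + b"\x55\xAA"
```

Running the parser over a sector image read from a diskette or a disk's MBR area and comparing `boot_code_digest` with the digest of a freshly formatted medium is a simple way to spot boot code that has been replaced.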
BHO: Browser Helper
Object. A component that Internet Explorer loads whenever
it starts; it shares IE's memory context and can perform any action
on the available windows and modules. A BHO can detect events,
create windows to display additional information on a viewed
page, monitor messages and actions. Microsoft calls it "a
spy we send to infiltrate the browser's land." BHOs are
not stopped by personal firewalls, because they are seen by the
firewall as your browser itself. Some exploits of this technology
search all pages you view in IE and replace banner advertisements
with other ads. Some monitor and report on your actions. Some
change your home page.
BSI: Boot Sector Infector.