Network Chico security
terms glossary
Welcome to the Network Chico
computer security terms glossary.
=P=
P2P: Any peer-to-peer
file swapping program, such as Audiogalaxy, Bearshare, Blubster,
E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire,
Morpheus, Shareaza, WinMX and Xolox. In an organization, can
degrade network performance and consume vast amounts of storage.
May create security issues as outsiders are granted access to
internal files. Often bundled with Adware or Spyware.
Packer: A utility which
compresses a file, encrypting it in the process. It adds a header
that automatically expands the file in memory, when it is executed,
and then transfers control to that file. Some packers can unpack
without starting the packed file. Packers are 'useful'
for trojan authors as they make their work undetectable by anti-virus
products.
Parasitic Virus: Parasitic
viruses are those that modify some existing code resource to
effect replication. The major distinction here is that companion
viruses are not parasitic, and the standalone 'worms' (such as the
mass mailers and network creepers) tend not to be parasitic.
Overwriters tend not to be considered parasitic either. Although
macro virus infection necessitates the modification of document
files, it has been common for macro viruses to remove pre-existing
macros, making them more akin to overwriters. Thus, usually only
those macro viruses with a replication method that retains (some
of) the pre-existing macros from a target are considered parasitic.
Some researchers consider such viruses parasitic only if macros
within a module used by the virus are retained.
Partition Boot Sector:
A confusing term, at best. It seems to mainly be used to mean
the system boot sector of the active partition. Unfortunately,
without some additional context, it seems likely this term would
easily be mistaken to be a reference to the master boot sector
because this houses the partition table.
Partition Table: Partition
tables are a crucial part of how DOS and related operating systems
understand the layout of partitions (or logical drives) on hard
disks. For the sake of interoperability, most OSes that run on
PCs also follow the dictates of these fundamental partition information
resources.
A partition table is a 64 byte data array located at offset 1BEh
of master boot records and the boot sectors of extended partitions.
Each table has space for only four 16 byte partition definition
entries. Each such entry records such data as the beginning and
ending sector of the partition, a partition type indicator byte
and whether the partition is marked 'active' (or 'bootable').
Beginning and ending sector locations are recorded in absolute
CHS terms (relative to any drive geometry translation the BIOS
may be set to use). As the partition table, per se, is just data
it cannot be infected. Occasionally the term 'partition virus'
or 'partition table virus' is seen or heard. It is a misconception
and what is meant is usually a boot virus that infects MBRs.
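The partition table layout described above, as an added example that is not part of the original glossary: a Python parser for the four 16-byte entries at offset 1BEh of a constructed 512-byte MBR. It also reads the 32-bit LBA start and sector-count fields that standard entries carry after the CHS fields, and flags the status-byte and multiple-active inconsistencies a defender checks when inspecting a boot sector for tampering.

```python
import struct

PARTITION_TABLE_OFFSET = 0x1BE   # partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16                  # four 16-byte entries fill the 64-byte table
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510-511 of a valid MBR

def decode_chs(packed):
    """Unpack the 3-byte CHS field: head, 6-bit sector, 10-bit cylinder."""
    head = packed[0]
    sector = packed[1] & 0x3F
    cylinder = ((packed[1] & 0xC0) << 2) | packed[2]
    return cylinder, head, sector

def parse_partition_table(mbr):
    """Return the non-empty entries of a 512-byte MBR as dicts; raise on a bad
    signature, a malformed status byte, or more than one active entry."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        start = PARTITION_TABLE_OFFSET + slot * ENTRY_SIZE
        raw = mbr[start:start + ENTRY_SIZE]
        # status(1) start-CHS(3) type(1) end-CHS(3) lba-start(4) sector-count(4)
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:
            continue                       # empty slot
        if status not in (0x00, 0x80):     # only 'inactive' and 'active' are valid
            raise ValueError(f"slot {slot}: invalid status byte {status:#04x}")
        entries.append({
            "slot": slot,
            "active": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    if sum(e["active"] for e in entries) > 1:
        raise ValueError("more than one partition marked active")
    return entries

def build_sample_mbr():
    """Constructed MBR for this example: zeroed code area and one Linux (0x83) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x00", 0x83, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (ENTRY_SIZE * 3)
    return b"\x00" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE
```

Running `parse_partition_table(build_sample_mbr())` yields one active entry whose end CHS decodes to cylinder 1023, head 254, sector 63, the usual 'maxed out' values written when a partition extends beyond CHS addressing.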
Password Cracker: A tool
to decrypt a password or password file. PestPatrol uses the term
both for programs that take an algorithmic approach to cracking,
as well as those that use brute force with a password cracking
word list. Password crackers have legitimate uses by security
administrators, who want to find weak passwords in order to change
them and improve system security.
Password Cracking Word List:
A list of words that a brute force password cracker can use to
muscle its way into a system.
Payload: If a virus has
any damaging routines (other than apparently unintended side-effects
or bugs), they are known as payloads or warheads. The term is
drawn by analogy with military rocket and munitions talk, where
the virus is seen as the 'delivery vehicle' and the damage routine
the payload or warhead. We also borrow the term trigger from
this analogy.
Pervasiveness: Pervasiveness
refers to a virus' potential to spread. Hence, a worm that has
the ability to send itself out to a large number of victims is
given a high pervasiveness rating, while a boot sector virus
that spreads via 'sneakernet' (i.e. by
the manual sharing of floppy disks), is given a low pervasiveness
rating. Varying pervasiveness ratings are often allocated to
specific types of malware. Computer Associates uses this metric to measure
a malware's potential to spread to other computers. This metric
is given the second highest weight, in combination with Wild
and Destructiveness metric, to calculate the overall threat assessment.
There are four levels of pervasiveness that can be allocated
to a virus in the Encyclopedia:
None
This rating is given to trojans, hoaxes
and in some cases, viruses that may not function as intended
(and fail to replicate). Trojans and hoaxes must be maliciously
or otherwise sent to potential victims. They do not have the
ability to self-replicate; and generally appear in the encyclopedia
with a pervasiveness rating of 'N/A' (i.e. this characteristic
is not applicable).
Examples include Win32.Butano, W97M/MadCow.A:intended and the Good Times hoax.
Please Note: 'N/A' may also be used in encyclopedia entries
where a virus' pervasiveness rating is unavailable.
Low
This rating is often given to 'traditional viruses'. This
type encompasses the majority of macro viruses
and boot sector viruses. These viruses have
the capacity to replicate by themselves and require no further
human intervention to spread from file to file in an infected
PC. However, in order to spread from PC to PC, they hide in floppy
disk boot sectors and office files such as documents and spreadsheets
that may be shared among users. The limitation that they must
be manually sent out or shared in order to infect other PCs,
means that they will generally be given a 'low' pervasiveness
rating.
Examples of such viruses include W97M/Bablas.A, WM/Concept.A and Michelangelo.
Medium
This rating is given to viruses, such as mailers (or slow
mailers) that use one or more of the following
techniques for distribution:
- Send only one 'infected' message at a time
- Occasionally send small batches of infected messages (for
example, sends itself out to the first 10 addresses in the Microsoft
Outlook address book)
- The virus may have the capacity to spread out to many users,
but utilizes a very specific channel (such as IRC) which will
limit its potential for distribution
- Runs its distribution mechanism only once (as opposed to,
say, each time the PC is started)
- Has the ability to spread to large numbers of users at one
time, but the infection process is so obvious to even the most
naive of users, that it will rarely run without being interrupted
Examples from our encyclopedia include Win32.Funso, Win32.SQL and Win32.Annoying
High
This rating is given to viruses that can distribute themselves
with either great speed or, from a virus writer's perspective,
success. This category of pervasiveness is often given to worms
and mass-mailing viruses. Malware with a high pervasiveness rating
often use one or more of the following techniques:
- Utilizes more than one method of distribution (say by sending
itself to all addresses in the Outlook address book, and by spreading
through open network shares)
- Performs its distribution process repeatedly (every time
the PC is rebooted or at a specific time every day)
- Performs its distribution process in a way that is completely
hidden from the user and therefore more likely to run repeatedly
without being detected
- Uses 'social engineering' tricks successfully to prompt users
to run infected attachments
- Exploits either one or more vulnerabilities in widely distributed
software applications (for example, Microsoft Windows)
Examples from the encyclopedia include Win32.Nimda.A, Win32.Badtrans.29020, VBS.ILoveYou.A and W97M/Melissa.A.
Phreaking Tool: Any executable
that assists in hacking the phone system, such as by using a
sound card to imitate various audible tones.
POC: See Proof of Concept.
Polymorphic Virus: In
a sense, polymorphic viruses were an extension of the simpler
idea of encrypted viruses. Although the replicants of encrypted
viruses vary, they can still be detected (albeit imprecisely
identified) by simple string scanning because they have a constant
decryptor. The development of polymorphism was an attempt to
overcome that shortcoming of encrypted viruses. The simplest
approach to not having a constant decryptor was for the virus
writer to produce several implementations of the decryption algorithm
and slot just one of those forms into the small unencrypted area
of each replicant. A very similar method was to have several
different encryptor/decryptor pairs, randomly selecting among
them at infection time. The very simplest form of this approach
employs just two forms of the decryption code or two encryption/decryption
pairs and thus is sometimes referred to as bimorphism. More complex
variations on this approach involve more than two forms, but
still a number fixed by the fact that the code for each decryptor
or encrypt/decryptor pair is present in the virus' code. Whale
was the first example of this approach, carrying 30 encryptor/decryptor
pairs in its code. Aside from adding some overhead to analyzing
the virus, such approaches were still not difficult for scanners
to deal with - all the scanner developers had to do was add a
scan string for each decryptor. True polymorphism, however, requires
more complexity than simply selecting from a group of constant
encryptor/decryptor pairs. Viruses in the V2Px family were the
first truly polymorphic viruses, employing such techniques as
inserting a variable number of 'do nothing' or 'noise' instructions
between the 'viral' instructions, interchanging equivalent but
different instructions, and swapping code blocks where the order
of execution of the blocks was not important to the overall effect
of the code. Such code permutations could be applied to all of
a virus' code or just to the decryption routine of an encrypting
virus. One of the most sophisticated forms of polymorphism at
the time, in some ways setting the standard against which subsequent
polymorphs were judged, was the 'Mutation Engine' (or MtE). It
was distributed in the form of an object module which could be
linked to the code of a virus body (the code responsible for
replication), making that virus polymorphic. More recently, polymorphic
viruses have 'benefited' from the advance of 32-bit computing,
with some polymorphic engines theoretically capable of reproducing
their host virus into 4 billion different forms. Scanning technology
has obviously had to evolve well past simple string scanning
to deal with such complexity while not labeling every other 'innocent'
executable a virus too.
Popularity: Describes
the existing or potential frequency of exploitation of the vulnerability.
For example:
- 1, 2, 3 Not Popular: Exploit techniques for the particular
vulnerability are not widely known, detailed knowledge of vulnerable
systems must be known, or circumstances under which the attack
may be successfully exploited are very rare
- 4, 5, 6, 7 Semi-Popular: Exploit techniques are fairly well
known, and the circumstances under which the attack may be successfully
exploited are somewhat common
- 8, 9, 10 Very Popular: Exploit techniques are well known,
and the circumstances under which the attack may occur are very
common
Port Scanner: In hacker
reconnaissance, a port scan attempts to connect to all 65536
ports on a machine in order to see if anybody is listening on
those ports. Port scans are not illegal in many places, in part
because they don't actually compromise the system, in part because
they can easily be spoofed, so it is hard to prove guilt, and
in part because virtually any machine on the Internet can be
induced to scan another machine. Many people think that port
scanning is an overt hostile act and should be made illegal.
An attacker will often sweep thousands (or millions) of machines
rather than a single machine looking for any system that might
be vulnerable. Port scans are always automated through tools
called Port Scanners.
POST: Power On Self
Test. When a PC is powered up or restarted, the first thing
the BIOS does is perform some basic tests for the existence and/or
functionality of various hardware components (e.g. whether there
is enough RAM to run the rest of the BIOS code, whether there
is a functional display adaptor with text-mode capabilities, etc).
Should any of these tests fail, the BIOS simply beeps to indicate
the error, and stops - the machine just freezes. The number of
beeps describes which of the sub-system tests failed. Unfortunately,
there is no explicit standard between manufacturers (and even
between models) for these error codes, so you need to contact
technical support or the manufacturer's web site to obtain this
information.
Prepender: A virus that
inserts a copy of its code at the beginning of the code of its
victim file is known as a prepender or prepending virus. (c.f.
Appender, Cavity Infector, Companion Virus, Overwriter)
Probe Tool: A tool that
explores another system, looking for vulnerabilities. While these
can be used by security managers, wishing to shore up their security,
the tools are as likely used by attackers to evaluate where to
start an attack. An example is an NT Security Scanner.
Proof of Concept: A term
broadly applied to mean the first implementation of an idea that
had previously only been discussed as a theoretical possibility
or concept. In antivirus circles it is commonly used to describe
a virus that is the first to infect a given platform or implement
a given infection technique. Employed thus, it often has a pejorative
connotation, particularly if used in a phrase such as 'It is
just a proof of concept' which usually means the virus is very
simplistic and possibly quite obvious or buggy (or both), and
thus unlikely to pose a real-world threat itself.