Network Chico security
terms glossary
Welcome to the Network Chico
computer security terms glossary.
=W=
War Dialer: (demon-dialing,
carrier-scanning) War-dialing was popularized in the 1983 movie
War Games. It is the process of dialing all the numbers in a
range in order to find any machine that answers. Many corporations
have desktop computers with attached modems; attackers can dial
in order to break into the desktop, and thereafter the corporation.
Similarly, many companies have servers with attached modems that
aren't considered as part of the general security scheme. Since
most security emphasis these days is on Internet-related attacks,
war-dialing represents the "soft underbelly"
of the security infrastructure that can be exploited.
Warhead: Another term
for Payload.
Web Bug: A Web Bug is
a device used in html web pages and e-mail that is used to monitor
who is reading the web page or e-mail. The name "Bug"
is used as, just like a bug in a spy movie, these are small,
hidden, difficult to detect eavesdropping devices. Most of the
time, you will not even be aware that these bugs exist, as they
hide within 1 by 1 pixel html image tags, although any graphic
on a web page or in an e-mail can be configured to act as a Web
bug. This is not to say that all invisible gifs on web pages
are web bugs; some invisible gif files are used for alignment
and design purposes.
When you view a page or e-mail that contains a Web Bug, the
following information is sent to the Bug's owner:
- Your IP address
- Information regarding the browser you are using
- The time the page or e-mail is viewed
- The URL of the page that the bug is on
- Cookie values
Web bugs can be used by advertising networks to gather and
store information on users' personal profiles. They are also
used to count the number of people visiting particular sites,
and to gather information regarding browser usage.
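As an added illustration (not part of the original glossary), the following sketch scans HTML for images that match the description above: tiny or hidden images that load from another host or carry a query string. The function name, the sample markup and the host names are constructed for the example, and treating any host other than the page's own as third-party is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

def _px(value):
    """Parse '1' or '1px' into an int; return None for anything else."""
    m = re.fullmatch(r"\s*(\d+)(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None

class _WebBugFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower().replace(" ", "")
        w, h = _px(a.get("width")), _px(a.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if not (tiny or hidden):
            return  # visible graphics can also track, but are not flagged here
        url = urlparse(a.get("src", ""))
        host = url.hostname or self.page_host  # relative src: same host
        reasons = []
        if host != self.page_host:
            reasons.append("third-party host")
        if url.query:
            reasons.append("query string")
        if reasons:  # a local, parameterless spacer image is left alone
            self.findings.append((a.get("src"), reasons))

def find_web_bugs(html, page_host):
    """Return [(src, [reasons])] for images that look like web bugs."""
    finder = _WebBugFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page served from www.example.org
SAMPLE = """
<img src="/img/spacer.gif" width="1" height="1">
<img src="https://tracker.example/pixel.gif?uid=12345" width="1" height="1">
<img src="https://cdn.example/logo.png" width="200" height="50">
<img src="https://ads.example/b.gif" style="display: none">
"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE, "www.example.org"):
        print(src, "->", ", ".join(reasons))
```

The local spacer image is not reported, which matches the point that invisible GIFs used for alignment are not web bugs.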
Wild: Also referred to
as 'in-the-wild'. A term that indicates a
virus has been found infecting systems in several organizations
around the world. Ideally, the term is reserved for viruses that
currently are (or, that have been) in the 'top half' of the WildList.
This contrasts the virus with those that have only been reported
by antivirus researchers, and which are sometimes referred to
as 'zoo viruses' or 'collection
viruses'. Despite popular hype, most viruses are not 'in
the wild' and are unlikely ever to be. (cf. In the Field, Zoo
Virus) CA uses this as a metric to measure the degree of real-world
spread of a malware threat. This metric, in combination
with the Pervasiveness and Destructiveness metrics, is given the
most weight when calculating the overall threat assessment.
Wild Virus: See In
the Wild.
WildList: Although there
are many thousands of known viruses, few actually cause any real-world
concern, and those that do are often said to be 'in the wild'.
However, the term 'in the wild' has been used in many different
contexts and with many different shades of meaning. In an attempt
to clear this situation up, as it regards computer viruses, antivirus
researcher Joe Wells instigated what he called the WildList.
Its purpose was to provide a listing of viruses that could (or
should) be considered 'in the wild' by set criteria. The approach
chosen was quite simple - from a reasonably sized and distributed
group of reporters (comprised of antivirus researchers and other
IT professionals working in, or closely with, the antivirus community),
collate monthly reports of virus infection incidents that have
been verified by the reporter receiving a sample of the virus
involved. The criteria applied to counting these reports were
equally simple - if two or more reporters claimed to have received
two or more independent, sample-verified reports of infection
by the same virus, that virus would be listed on the WildList.
In reality, the WildList consists of two parts. Those viruses
currently reported and meeting these criteria are listed first
(in what is sometimes called 'the top-half of the list'). That
is the WildList and such viruses can be said to be 'in the wild'.
However, as an indication of viruses that may be 'bubbling under',
all viruses reported to have met the 'two or more independent,
sample-verified reports' criterion by only one WildList reporter
are also listed. This is often referred to as 'the bottom-half
of the list' and such viruses can be said to have been 'reported
from the field'. The WildList has been used as a 'reference standard'
by many antivirus testing organizations that require 100% detection
of acknowledged 'in the wild' viruses for tested products to
attain various, 'desirable' certification levels. The list has
not, however, been without its critics and it must be acknowledged
that the WildList does not list all viruses that have been seen
'in the field'. That it should be such a list is a common expectation
of those with different backgrounds where the term is also used
(for example, the general computer security community uses the
term 'in the wild' and members of that community are accustomed
to the term meaning 'an exploit of a security hole has been seen
used in a real-world attack').
An archive of the WildLists and details about the organization
that compiles and maintains it are available from http://www.wildlist.org.
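The listing criteria described above can be written out as a short classifier. This is an added example, not code from the WildList organization; the report tuples, reporter names and virus names are constructed, and treating reports as "independent" when they come from different sites is an assumption made for the example.

```python
from collections import defaultdict

# Constructed sample reports: (reporter, virus, site, sample_verified).
# Assumption: two reports are independent when they come from different sites.
REPORTS = [
    ("rep_a", "Virus.One", "site1", True),
    ("rep_a", "Virus.One", "site2", True),
    ("rep_b", "Virus.One", "site3", True),
    ("rep_b", "Virus.One", "site4", True),
    ("rep_a", "Virus.Two", "site1", True),
    ("rep_a", "Virus.Two", "site5", True),
    ("rep_b", "Virus.Two", "site6", True),    # rep_b has only one report
    ("rep_c", "Virus.Three", "site7", True),
    ("rep_c", "Virus.Three", "site7", True),  # same site: not independent
    ("rep_c", "Virus.Four", "site8", False),  # no sample received
    ("rep_c", "Virus.Four", "site9", False),
]

def classify(reports, min_reports=2, min_reporters=2):
    """Return {virus: 'wildlist' | 'field' | 'unlisted'} for one reporting period."""
    sites = defaultdict(set)   # (virus, reporter) -> distinct verified sites
    viruses = set()
    for reporter, virus, site, verified in reports:
        viruses.add(virus)
        if verified:           # reports without a verified sample do not count
            sites[(virus, reporter)].add(site)

    qualifying = defaultdict(set)  # virus -> reporters meeting the per-reporter bar
    for (virus, reporter), seen in sites.items():
        if len(seen) >= min_reports:
            qualifying[virus].add(reporter)

    result = {}
    for virus in sorted(viruses):
        n = len(qualifying[virus])
        if n >= min_reporters:
            result[virus] = "wildlist"   # top half: 'in the wild'
        elif n >= 1:
            result[virus] = "field"      # bottom half: 'reported from the field'
        else:
            result[virus] = "unlisted"
    return result

if __name__ == "__main__":
    for virus, status in classify(REPORTS).items():
        print(f"{virus}: {status}")
```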
Worm: The term 'worm'
does not have a firm definition, although there is less disagreement
over the claim that the 'Internet Worm' (or 'Morris Worm') of
1988 was one of the first and the best-known (at least until
W97M/Melissa - see below). Some people use the term 'classic
worm' (and a few 'real worm') to distinguish such self-contained
programs that break into a system via remotely exploitable security
flaws (such as buffer overflows) and self-instantiate (i.e. their
replication mechanism, per se, is directly responsible for their
code running on new target host systems, rather than requiring
some external action such as a user running a program or restarting
the system as with viruses). The Ramen and Lion (or '1i0n') Linux
worms (that were enjoying some success in April 2001) are 'classic
worms', as just described.
However, since the late-1990s the term 'worm' has been widely
adopted within antivirus circles as meaning something like 'a
virus that spreads via network connections'. However, an immediately
obvious weakness of this definition is that most file infectors
blithely infect files on any drive available to them, including
any on mapped network drives. Thus, given an environment where
client machines commonly map network drives (i.e. most corporate
LANs), most file infecting viruses would be worms. As the point
of the late-1990s adoption of the term 'worm' was to emphasize
the additional threat posed by mass mailing viruses, this informal
definition was changed to something like 'a virus that overtly
spreads via network connections' or 'a virus that overtly spreads
via external network connections'. Worms, under this definition,
really came to the fore with the release and widespread distribution
of W97M/Melissa.A in late March 1999. In fact, accepting this
definition of 'worm', the most common type of worm seen to date
is the so-called 'e-mail worm' or mass mailing virus. Aside from
e-mail worms, the open share, or network creeper attack is another
form of 'network copying virus' worm. This was probably first
successfully implemented in VBS/Netlog. Netlog's attack takes
the simple expedient of randomly selecting tracts of the IP network
address-space then attempting to connect to a Microsoft Network
share named 'C' on whatever machine (if any) happens to be on
each of the IP addresses in the chosen network address range.
A variation on this network creeper attack, as seen in ExploreZip
and some later 'worms', uses Windows' network enumeration API
to find all the machines the host explicitly knows on the network,
and these are then attacked, thus saving the time of having to
try many unknown addresses to find potentially exploitable machines.
Worm Creation Tool: A
program designed to generate worms. Worm creation tools can often
generate hundreds or thousands of different, functioning worms,
most of which are initially undetectable by current scanners.