It kamus virus security glossary


Page 1: It kamus virus security glossary

Security Glossary

http://www.viruslist.com/en/glossary

3

3G

3G (short for 3rd Generation) is the general term for technologies and standards designed to combine high speed mobile access with IP [Internet Protocol]-based services. 3G will improve the performance of wireless services, including greater data speeds and improved capacity for accessing multimedia data.

The ultimate goal is to provide broadband, always-on access to Internet-based services.

The term is used to distinguish emerging wireless technologies from the earlier analog cellular phone systems (1G) and the digital technologies that succeeded them (and are still in use today).

A

Adware

Synonyms: AdvWare

Programs designed to launch advertisements, often pop-up banners, on host machines and/or to re-direct search engine results to promotional web sites. Adware programs are often built into freeware or shareware programs, where the adware forms an indirect ‘price’ for using the free program. Sometimes a Trojan silently downloads an adware program from a web site and installs it onto a user’s machine. Or hacker tools, often referred to as Browser Hijackers (because they subvert the web browser to install a program without the user’s knowledge), download the adware program using a web browser vulnerability.

Browser Hijackers may change browser settings, re-direct incorrect or incomplete URLs, or change the default homepage. They may also re-direct searches to ‘pay-to-view’ (often pornographic) web sites.

Typically, many adware programs do not show themselves in the system in any way: no listing under Start | Programs, no icons in the system tray, nothing in the task list. In addition, adware programs seldom come with a de-installation procedure and attempts to remove them manually may cause the original carrier program to malfunction.

AIM [AOL Instant Messenger]

AIM is a specific implementation of IM [Instant Messaging].

Anti-virus databases

Anti-virus databases hold the data needed to find and remove malicious code. The databases contain a series of virus definitions (or signatures), unique sequences of bytes specific to each piece of malicious code. Signature analysis is one of the key methods used to find and remove malicious code.

Anti-virus engine

The engine, the core of any anti-virus product, is a software module that is purpose-built to find and remove malicious code. The engine is developed independently of any specific product implementation. So it ‘plugs-in’ equally well into personal products (such as personal scanners or real-time monitors), or solutions for servers, mail scanners, file servers, firewalls and proxy-servers. These products may be developed by the engine developer, or they may be developed by third parties who integrate the engine into their application or business process using the engine SDK.

The reliability of malicious code detection, and hence the security level provided by the products that use it, is determined by the quality of the engine.

Anti-virus update

Synonyms: Anti-virus upgrade

Nearly all anti-virus programs make use of signature analysis: that is, using a database that contains byte sequences belonging to known viruses, worms, Trojans or other malicious code. As the list of known threats grows, new virus definitions (or signatures) are added to the anti-virus databases. Anti-virus researchers at Kaspersky Lab, for example, add around 200 new records to the database every day. Enhanced protection is passed on to users in the form of an update. In addition, new anti-virus engine functionality may also be delivered as part of an anti-virus database update.

Signature analysis is not the only protection method available. Anti-virus solutions have become increasingly sophisticated over the years, to counter the growing complexity of malicious programs. Proactive detection mechanisms designed to detect new threats before they appear in the field, such as heuristic analysis, generic detection or behavioral analysis, are also an important first line of defense.

Nevertheless, regular updating of anti-virus protection remains important, given the speed at which today’s threats are able to spread. Anti-virus vendors have successively reduced the time interval between virus definition updates: first quarterly, then monthly, then weekly, then daily updates. Kaspersky Lab now provides incremental virus definition updates every hour.

API [Application Program Interface]

An API defines the way that a piece of software communicates with other programs, allowing these programs to make use of its functionality. The API provides a series of commonly-used functions that third party developers might need. For example, an operating system vendor provides an API that allows developers to write applications that are consistent with the operating system.

Typically, the API comes with a set of routines, modules and protocols that can be used to access the program’s functionality, known as an SDK [Software Development Kit]. Although distinct, the two terms are often used interchangeably. An anti-virus engine API provides a way for third parties to integrate anti-virus scanning into their application or business process.

Archive bomb

This is a seemingly small archive file that is actually highly compressed and expands into a huge file or several identical files. Such archives typically take quite a long time to scan, thus potentially forming a DDoS attack on an anti-virus program that tries to scan them. Good anti-virus programs include a smart algorithm to avoid extracting such files.

Archive file

An archive file is a collection of data files that have been packaged together. This is done to save space (when backing up a series of files to removable media, for example) or to save data transmission time (when making files available for download or when transferring them via e-mail, for example).

Programs that compress data into archive files are called archivers. WinZip is probably the best known of these: in fact, many people equate ‘zipping’ a file with archiving it, even when using a different archiver.

There are numerous archiving programs on the market, though the most familiar include WinZip and WinRAR. Most are capable of creating and accessing ZIP files, in addition to whatever format the program is designed to produce. The most common archive file formats are ZIP, RAR, ARJ and CAB. The CAB format is used to archive many Microsoft® Windows® distribution files.

It’s important for anti-virus programs to scan inside these files. Otherwise any archived file could provide a convenient hiding place for malicious code. Some e-mail worms have even been deliberately distributed as archive attachments.

Good anti-virus programs also scan recursively (a ZIP within a ZIP, for example) and include a smart algorithm to avoid extracting archive bombs.
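The recursive scan with nesting and expansion limits that the two entries above describe, written here as an added Python example (not code from the glossary or from any vendor's engine). The two archives and the three policy limits are constructed for the example; the point is that a member's declared sizes are checked before any data is inflated.

```python
import io
import zipfile

# Scanner policy (constructed values, not taken from any real product).
MAX_DEPTH = 3                   # levels of archive-within-archive to open
MAX_RATIO = 100                 # uncompressed:compressed ratio allowed per member
MAX_TOTAL = 32 * 1024 * 1024    # total bytes we are prepared to inflate per scan


def make_zip(members):
    """Build a ZIP archive in memory from a {name: bytes} mapping (sample data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_samples():
    """Constructed inputs: a benign archive, and a small 'bomb' (a few KB of deflate
    that expands to 8 MB of zeroes) hidden one level down inside another ZIP."""
    benign = make_zip({"readme.txt": b"Quarterly figures attached; see sheet 2.\n" + bytes(range(256))})
    inner_bomb = make_zip({"zeros.bin": b"\x00" * (8 * 1024 * 1024)})
    bomb = make_zip({"invoice.zip": inner_bomb})
    return benign, bomb


def scan_zip(data, depth=0, budget=None):
    """Walk a ZIP recursively. Each member's sizes come from the central directory
    and are checked *before* the member is inflated. Returns a list of
    (member_path, reason) findings; an empty list means nothing looked wrong."""
    if budget is None:
        budget = {"inflated": 0}            # shared across all nesting levels
    if depth > MAX_DEPTH:
        return [("<archive>", "nested deeper than %d levels" % MAX_DEPTH)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                # Suspiciously compressible: report it and refuse to extract it.
                findings.append((info.filename, "compression ratio %.0f:1" % ratio))
                continue
            budget["inflated"] += info.file_size
            if budget["inflated"] > MAX_TOTAL:
                findings.append((info.filename, "total expansion exceeds %d bytes" % MAX_TOTAL))
                break
            member = zf.read(info)
            if member[:4] == b"PK\x03\x04":  # local-file-header magic: a nested ZIP
                nested = scan_zip(member, depth + 1, budget)
                findings.extend((info.filename + "/" + p, r) for p, r in nested)
    return findings


if __name__ == "__main__":
    benign, bomb = build_samples()
    print("benign:", scan_zip(benign) or "clean")
    print("bomb:  ", scan_zip(bomb))
```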

ASCII [American Standard Code for Information Interchange]

Developed by ANSI [American National Standards Institute], ASCII is one of the most common standards for representing text in a computer. Each character (alphanumeric or special character) is represented by a binary number.

DOS- and Unix-based operating systems use ASCII. Windows® NT, Windows® 2000 and Windows® XP use a more recent standard called Unicode.

Attack signature

A file containing a data sequence used to identify an attack on the network, typically using an operating system or application vulnerability. Such signatures are used by an Intrusion Detection System [IDS] or firewall to flag malicious activity directed at the system.

B

Backdoor Trojans

These are the most dangerous, and most widespread, type of Trojan. Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

Bandwidth

In computer networking, bandwidth refers to data transfer rate (how fast data travels) and is normally measured in bits per second (bps). For example, a modem operating at 57,600 bps has twice the bandwidth of a modem working at 28,800 bps.

Batch file

A batch file (which has the extension BAT) is designed to automate the execution of multiple commands on a computer. The batch file itself is a text file. However, it contains a list of instructions (including commands to run programs) that are carried out unattended when the batch file is run.

Behavioral analysis

This refers to the technique of deciding whether an application is malicious or not, according to what it does. If an application does something that falls outside the range of ‘acceptable’ actions, its operation is restricted. For example, trying to write to certain parts of the system registry, or writing to pre-defined folders, may be defined as a threat. The action can be blocked, or the user notified about the attempted action. This fairly simple approach can be further refined. It’s possible, for example, to restrict the access of one application (let’s say allowing a web browser read-only access to limited portions of the system registry) while giving unrestricted access to other programs that do not use the Internet.

An alternative behavioral method is to ‘wrap’ a downloaded application and restrict its action on the local system. Here the application is run in a protective ‘sandbox’ [sometimes called a ‘playground’, or ‘secure cache’] to limit its actions according to a pre-defined policy. The activity performed by the program is checked against a set of rules. Depending on the policy, the program’s actions may be considered a violation of the policy, in which case the rogue action is blocked.

Binary code

Synonyms: Object code

This term is applied to the compiled instructions contained within an executable file. Binary code is not human-readable and can only be ‘understood’ by the computer’s processor when the program is run.

Source code, by contrast, is made up of the statements created by a programmer using a text editor. Source code is human-readable, for anyone who understands the conventions used by that programming language (‘C’, ‘C++’, etc.), but can not be executed by a computer’s processor until it has been compiled.

BIOS

The BIOS [Basic Input-Output System] refers to the instructions contained in one of the chips in the PC. It is used to start the PC and is used by the operating system to access the computer’s hardware.

Bit

Bit is a contraction of ‘binary digit’ and is the smallest unit of measurement for computer data. As the name suggests, bits are counted in base-2, so the value of any given bit will be either 0 or 1 (its value being defined by whether it is above or below a set level of electrical charge within a capacitor).

Eight bits (called a byte) are required for a single alphanumeric character. Higher multiples used to measure data are the kilobyte (1,024 bytes), the megabyte (1,048,576 bytes), the gigabyte (1,073,741,824 bytes) and the terabyte (1,000 gigabytes).

Bandwidth (how fast data travels) is normally measured in bits per second.

Blacklist

Synonyms: Black hole list, Realtime black list, RBL [Realtime Blocklist]

Used as one method of filtering spam, blacklists provide a list of known sources of unwanted e-mail. Traffic from listed IP addresses is simply blocked. Several public blacklists are available, one of the best known being the Mail Abuse Prevention System [MAPS].

The use of blacklists helps to force ISPs [Internet Service Providers] to monitor their own outgoing e-mail and so avoid the negative commercial effects of being ‘blacklisted’.

Blended threat

Blended threat is a general description for malicious programs or bundles of malicious programs that combine the functionality of different types of malware: viruses, worms, Trojans and so forth.

As applications and operating systems as well as security products have become more sophisticated, virus writers have retaliated by creating more and more complex malicious programs.

A malicious program needs to meet most of the following criteria to be called a blended threat:

Have more than one payload - launch a DoS attack, install a backdoor, damage a local system etc.

Replicate and/or spread in a number of ways - via email, IRC channels, file-sharing networks, download copies of itself from compromised web sites etc.

Use multiple attack methods - infect exe files, modify more than one registry key, modify HTML files etc.

Bluetooth

Bluetooth is a specification for short-range wireless connectivity between Bluetooth-enabled devices (PCs, PDAs, smartphones or pagers fitted with the appropriate chip). Bluetooth has a range of 10 metres and currently supports a transfer rate of 1Mbps. The Bluetooth specification is maintained by the Bluetooth SIG [Special Interest Group], set up in 1998 and made up of more than 2,000 members (including Microsoft®, IBM, Intel, Nokia, Toshiba, Motorola, Sony Ericsson and many others).

Boot

The process of starting a PC, during which first the BIOS and then the operating system are loaded.

Boot disk

Synonyms: System disk

A disk containing the system files required to load an operating system. These files may be located on a hard disk or removable media (floppy disk, CD or USB memory storage device).

Boot sector

The boot sector is the area on a hard disk and floppy disks containing instructions that are executed during the boot process, i.e. when the PC starts. Among other things, the boot sector specifies the location of the operating system files. On a hard disk, the boot sector is the first sector(s) on the bootable partition, i.e. the partition containing the system files. On a floppy disk, the boot sector is the first sector on the disk: all floppy disks contain a boot sector, even if they are just data disks.

Boot sector virus

A boot sector virus is one that infects by replacing code in the boot sector of a floppy disk (and sometimes a hard disk) with its own code. This ensures that whenever an attempt is made to boot from the infected disk, the virus loads before the operating system.

These viruses are very uncommon now, but in the first half of the 1990s, when floppy disks were the main means of transferring data, they represented the main threat to PC users. Typically, a boot sector virus infected the hard disk when a user inadvertently left an infected floppy disk in drive A. When the PC was next booted, the system would try to boot from the floppy disk and the virus code would execute, regardless of whether or not the floppy disk was a system disk or just a data disk. Most boot sector viruses then infected the MBR [Master Boot Record] of the hard disk, rather than the boot sector.

Bridge

A bridge connects two LANs [Local Area Networks]: it examines data sent across the network to determine which LAN it should be delivered to.

Broadband

Synonyms: DSL

Broadband (delivered through a Digital Subscriber Line [DSL]) is generally applied to telecommunications in which a wide range of frequencies is available for transmission of data, typically voice and data together. So broadband provides an always-on connection, allowing home users to access the Internet while still being able to use the telephone. Clearly this is more efficient than using a dial-up connection, which makes exclusive use of a telephone line. In addition, broadband typically also provides a faster connection, of 512Kbps, 1Mbps, 2Mbps or more.

Browser Helper Object

A Browser Helper Object [BHO] is a DLL that loads every time Microsoft® Internet Explorer runs. Typically, a BHO is installed by a third party program to enhance the functionality of the web browser (many Internet Explorer plugins, for example, are BHOs).

BHOs can be installed silently, or can be installed ‘quietly’ (many users fail to read the small print that comes with the EULA [End User License Agreement] displayed by the freeware program). Also, because they’re programs, they can do anything that other programs can do. On top of this, there’s no easy way to list the BHOs installed on the PC. As a result, BHO functionality can be misused (to install adware or track browsing habits, for example).

Browser Hijacker

Browser Hijackers modify the user’s web browser settings. This may involve changing the default home page, re-directing searches to unwanted web sites, adding unwanted (sometimes pornographic) bookmarks or generating unwanted pop-up windows.

Bug

A bug is an unintentional fault in a program.

Some people mistakenly refer to viruses, worms or Trojans as ‘bugs’. This is incorrect: bugs are unintentional, whereas malicious code represents a deliberate misuse of a user’s computer.

Byte

A byte is made up of eight bits and is the data required for a single alphanumeric character.

C

Cache

A cache is used to store data temporarily, typically recently accessed files (cache memory, disk cache or web browser cache, for example). Since accessing the cache is quicker than accessing regular Random Access Memory [RAM] or disk, files stored in the cache can be accessed without the need for the processor to carry out the more intensive work of reading data from regular memory or disk.

CARO [Computer Anti-Virus Research Organization]

CARO, set up in December 1990, is an informal forum in which anti-virus experts who trust each other can exchange ideas and information on malware.

Classic virus (Virus)

Synonyms: Computer virus, Malicious program

Today the term virus is often loosely used to refer to any type of malicious program, or is used to describe any ‘bad thing’ that a malicious program does to a host system. Strictly speaking, however, a virus is defined as program code that replicates.

Of course, this simple definition leaves plenty of scope for further sub-division. Sometimes viruses are further classified by the types of object they infect. For example, boot sector viruses, file viruses, macro viruses.

Or they may be classified by the method they use to select their host. ‘Indirect action file viruses’ load into memory and hook into the system such that they can infect files as they are accessed. Conversely, ‘direct action file viruses’ do not go memory resident, simply infecting a file (or files) when an infected program is run and then ‘going to sleep’ until the next time an infected file is run.

Another way of classifying viruses is by the techniques they use to infect. There are ‘appending viruses’ that add their code to the end of a host file, ‘prepending viruses’ that put their code at the start of a host file and overwriting viruses that replace the host file completely with their own code. By contrast, companion viruses and link viruses avoid adding code to a host file at all.

Then there are stealth viruses that manipulate the system to conceal changes they make and polymorphic viruses that encrypt their code to make it difficult to analyze and detect.

Of course, there are also viruses that fail to work: they either fail to infect or fail to spread. Such would-be viruses are sometimes referred to as ‘wannabes’.

Command line

Synonyms: Command Line Prompt, CLI [Command Line Interface], Command Prompt, DOS prompt

The command line provides a keyboard-driven interface between a computer and the user. The user types in a command and the computer processes the appropriate instruction for that command, after which it displays a specified prompt indicating to the user that the system is ready for further commands.

MS-DOS was a command line driven system. Microsoft® Windows®, by contrast, offers a Graphical User Interface [GUI] and the means to input instructions using a mouse (in addition to command line access). Most Unix-based operating systems also offer both command line and GUI interfaces.

Companion virus

A specific type of virus where the infected code is stored not in the host program, but in a separate ‘companion’ file. For example, the virus might rename the standard NOTEPAD.EXE file to NOTEPAD.EXD and create a new NOTEPAD.EXE containing the virus code. When the user subsequently runs the Notepad application, the virus will run first and then pass control to the original program, so the user doesn’t see anything suspicious.

Compound threat

This general description, first used in the wake of the Nimda outbreak in September 2001, is used to describe those threats that come as a composite ‘bundle’ of malicious programs, using several mechanisms to spread and/or attack their victims. This includes the following.

Spread via e-mail, the Internet, IRC channels, file-sharing networks, download from compromised web sites, etc.

The use of application vulnerabilities.

Making use of Trojans to steal confidential data, download other malicious code, launch a DDoS attack, etc.

In the days when MS-DOS was the primary PC operating system, the term ‘multipartite’ was used to describe viruses that used more than one technique to spread (infecting programs and system sectors).

Compressed file

Synonyms: Packed file

A compressed file is one where the data belonging to the file has been reduced in size to save space or data transmission time. For example, software developers make use of various compression utilities to reduce the size of installation files distributed on removable media. At run-time, of course, the file is de-compressed automatically, with no user intervention needed.

There are thousands of different compression methods and the compression algorithms used by them vary. At the simplest level, however, compression could be as straightforward as removing repeating characters in a file (a data area in a program, for example, may be initialized with zeroes) and replacing them with a short marker that specifies how many bytes have been removed and what character should be there.

While compression is used in legitimate programs, it is also used by authors of malicious code. It is very common for Trojans, in particular, to be released in compressed form (and sometimes re-released in a re-packaged form).
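The repeated-byte scheme the entry describes, carried through as an added Python example (not the glossary's code or any real packer's format): a marker byte followed by a count and the byte to repeat. The marker value, the run threshold and the sample data are constructed here; the decoder reads the declared expanded size from the markers before inflating, for the same reason an archive scanner checks sizes before extracting.

```python
ESC = 0xFF   # marker byte that introduces a run; a constructed choice for this example


def rle_pack(data: bytes) -> bytes:
    """Replace runs of four or more identical bytes with ESC, count, byte.
    A literal ESC byte is always written as a run of length 1 so it cannot be
    mistaken for a marker. Runs longer than 255 bytes are split."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        n = 1
        while i + n < len(data) and data[i + n] == b and n < 255:
            n += 1
        if n >= 4 or b == ESC:
            out += bytes((ESC, n, b))
        else:
            out += bytes((b,)) * n
        i += n
    return bytes(out)


def declared_size(packed: bytes) -> int:
    """Size the packed stream claims it will expand to, computed from the markers
    alone. This lets a scanner reject a stream before spending memory on it."""
    total = 0
    i = 0
    while i < len(packed):
        if packed[i] == ESC:
            if i + 2 >= len(packed):
                raise ValueError("truncated run marker at offset %d" % i)
            total += packed[i + 1]
            i += 3
        else:
            total += 1
            i += 1
    return total


def rle_unpack(packed: bytes, max_out: int) -> bytes:
    """Inverse of rle_pack, refusing any stream whose declared size exceeds max_out."""
    size = declared_size(packed)
    if size > max_out:
        raise ValueError("stream would expand to %d bytes, limit is %d" % (size, max_out))
    out = bytearray()
    i = 0
    while i < len(packed):
        if packed[i] == ESC:
            n, value = packed[i + 1], packed[i + 2]
            out += bytes((value,)) * n
            i += 3
        else:
            out.append(packed[i])
            i += 1
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a two-byte header, a zero-initialised data area, one literal ESC, some code bytes.
    sample = b"MZ" + b"\x00" * 600 + b"\xff" + b"code"
    packed = rle_pack(sample)
    print(len(sample), "->", len(packed), "bytes; round trip ok:", rle_unpack(packed, 4096) == sample)
    # 300 bytes of markers that claim to expand to 25,500 bytes: rejected without inflating.
    bomb = bytes((ESC, 255, 0)) * 100
    print("bomb declares", declared_size(bomb), "bytes")
```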

Worm

Synonyms: Computer worm, Email worm, Internet worm, Network worm

Worms are generally considered to be a subset of viruses, but with key differences. A worm is a computer program that replicates, but does not infect other files: instead, it installs itself on a victim computer and then looks for a way to spread to other computers.

From a user’s perspective, there are observable differences. In the case of a virus, the longer it goes undetected, the more infected files there will be on the victim computer. In the case of a worm, by contrast, there is just a single instance of the worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added to existing files on the disk.

Like viruses, worms are often sub-divided according to the means they use to infect a system. E-mail worms are distributed as attachments to e-mail messages, IM worms are attached to messages sent using instant messaging programs (such as IRC or ICQ). P2P [peer-to-peer] worms use file-sharing networks to spread. Network worms spread directly over the LAN [Local Area Network] or across the Internet, often making use of a specific vulnerability.

The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel Shockwave Rider. The hero, a talented programmer, created self-replicating computer programs that tunneled their way through a worldwide network.

Cookie

A cookie is the name given to a small piece of information saved to a user’s machine by a web site that the user visits. Cookies are often used to store user preferences about a web site, login information or even advertising information that has been displayed to the user during their visit to the site.

D

DDoS [Distributed Denial of Service] attack

A DDoS attack is broadly similar to a DoS attack, designed to hinder or stop the normal functioning of a web site, server or other network resource. A DDoS attack differs only in the fact that the attack is conducted using multiple machines. The hacker or virus writer typically uses one compromised machine as the ‘master’ and co-ordinates the attack across other, so-called ‘zombie’, machines. Both master and zombie machines are typically compromised by exploiting a vulnerability in an application on the machine to install a Trojan or other piece of malicious code.

DHA [Directory Harvest Attack]

A DHA is one method used by spammers to collect valid e-mail addresses. Spammers either target these addresses directly in their own spam attack, or sell them on to other spammers.

The spammer first selects a domain (let’s say ‘victim_domain.com’) and then sends speculative e-mail messages to possible addresses within that domain (for example, ‘jack@victim_domain.com’, ‘jill@victim_domain.com’, etc.). If the e-mail server at ‘victim_domain.com’ doesn’t reject the e-mail, the spammer knows that a given e-mail address is valid and can be used as a target in a spam attack.
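A mail-server-side check for the probing pattern described above, written here as an added Python example rather than anything from the glossary: it tallies unknown-recipient rejections and accepted sessions per client address and flags clients whose rejections are both numerous and the bulk of their traffic. The log lines are constructed in a Postfix-like form (they are not a real capture), the client addresses come from the 203.0.113.0/24 documentation range, and the mailboxes follow the entry's victim_domain.com example.

```python
import re
from collections import defaultdict

# Constructed, Postfix-style log lines (not a real capture).
SAMPLE_LOG = """\
Mar 03 08:00:01 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jack@victim_domain.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<jack@victim_domain.com>
Mar 03 08:00:01 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jill@victim_domain.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<jill@victim_domain.com>
Mar 03 08:00:02 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <john@victim_domain.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<john@victim_domain.com>
Mar 03 08:00:02 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jane@victim_domain.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<jane@victim_domain.com>
Mar 03 08:00:03 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <joe@victim_domain.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<joe@victim_domain.com>
Mar 03 08:00:03 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <jim@victim_domain.com>: Recipient address rejected: User unknown in local recipient table; from=<news@example.net> to=<jim@victim_domain.com>
Mar 03 08:05:10 mx postfix/smtpd[4102]: 3F2A1B9C7D: client=mail.partner.example[203.0.113.77]
Mar 03 08:05:11 mx postfix/smtpd[4102]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.77]: 550 5.1.1 <salse@victim_domain.com>: Recipient address rejected: User unknown in local recipient table; from=<ann@partner.example> to=<salse@victim_domain.com>
Mar 03 08:09:40 mx postfix/smtpd[4102]: 3F2A1B9C7E: client=mail.partner.example[203.0.113.77]
Mar 03 08:15:02 mx postfix/smtpd[4102]: 3F2A1B9C7F: client=mail.partner.example[203.0.113.77]
Mar 03 08:20:55 mx postfix/smtpd[4102]: 3F2A1B9C80: client=mail.partner.example[203.0.113.77]
"""

# A rejected RCPT for a mailbox that does not exist, and an accepted session (queue id assigned).
REJECT_RE = re.compile(r"reject: RCPT from \S+\[(\d+\.\d+\.\d+\.\d+)\]: 550 .*User unknown")
ACCEPT_RE = re.compile(r": [0-9A-F]+: client=\S+\[(\d+\.\d+\.\d+\.\d+)\]")


def tally(lines):
    """Per-client counts of unknown-recipient rejections and accepted sessions."""
    stats = defaultdict(lambda: {"rejected": 0, "accepted": 0})
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            stats[m.group(1)]["rejected"] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m:
            stats[m.group(1)]["accepted"] += 1
    return dict(stats)


def flag_harvesters(stats, min_rejects=5, min_ratio=0.8):
    """Clients whose unknown-recipient rejections are numerous and make up most of
    their traffic. A legitimate sender with the odd typo stays under both bars."""
    flagged = []
    for ip, s in stats.items():
        total = s["rejected"] + s["accepted"]
        if s["rejected"] >= min_rejects and s["rejected"] / total >= min_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    stats = tally(SAMPLE_LOG.splitlines())
    for ip, s in sorted(stats.items()):
        print(ip, s)
    print("probable directory harvest from:", flag_harvesters(stats))
```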

Dial-up connection

A dial-up connection is one that makes exclusive use of a standard telephone line to send and receive data. The connection is made using a modem.

Disassembler

A disassembler is a program used to convert binary code into assembler language, a human-readable version of machine code. It’s a form of reverse engineering, used by programmers to debug code.

Virus researchers use various tools (including purpose-built, bespoke programs) to disassemble malicious code and determine how it works.

DNS poisoning

Synonyms: DNS cache poisoning, Pharming

DNS servers located throughout the Internet are used to map domain names to IP addresses. When a user types in a URL, a nearby DNS server will map the domain to an IP address or pass it to another DNS server. In fact, there are a relatively small number of very big DNS servers. These provide many smaller DNS servers with DNS entries that are stored in the cache of the smaller DNS servers.

DNS poisoning is the manipulation of IP addresses for entries stored in the cache of a smaller DNS server: the aim is to make the DNS server respond, not with the correct IP address, but with one that contains malicious code. Here’s an example. If a user types the URL ‘www.kaspersky.com’ in the web browser, the DNS server should respond with the IP address 81.176.69.70. However, a poisoned DNS server would map this domain name to an IP address that contains malicious code.

DNS poisoning is only possible where there is a vulnerability or other security weakness in the operating system running on the DNS server.

DNS [Domain Name System] server

DNS servers located throughout the Internet are responsible for the translation of domain names into IP addresses. When a user types in a URL, a nearby DNS server will map the domain to an IP address or pass it to another DNS server.

There is also a sort of ‘mini DNS server’ stored within Microsoft® Windows® operating systems, called the hosts file.

Domain name

Domain names are used to locate an organization on the Internet. Each domain name maps to a specific IP address.

So, for example, in the URL www.kaspersky.com, the ‘com’ part of the domain name is the top-level and indicates the general purpose of the organization, in this case ‘commercial’ (others include ‘org’, ‘net’, or geographic domains like ‘co.uk’).

The ‘kaspersky’ part of the domain name is the second-level and is a descriptor for the organization itself: this can be thought of as a human readable version of the IP address. Second-level domain names must be unique (and are registered through ICANN [Internet Corporation for Assigned Names and Numbers]).

The ‘www’ part of the domain name indicates the server (in this case, web server) that handles Internet requests.

The translation of domain names into IP addresses is carried out by DNS servers located throughout the Internet. When a user types in a URL, a nearby DNS server will map the domain to an IP address or pass it to another DNS server. There is also a sort of ‘mini DNS server’ stored within Microsoft® Windows® operating systems, called the hosts file.

DoS [Denial of Service] attack

A DoS attack is designed to hinder or stop the normal functioning of a web site, server or other network resource. There are various ways for hackers or virus writers to achieve this. One common method is simply to flood a server with more network traffic than it is able to handle. This prevents it from carrying out its normal functions and in some circumstances crashes the server completely.

A DDoS attack differs only in the fact that the attack is conducted using multiple machines. The hacker or virus writer typically uses one compromised machine as the ‘master’ and co-ordinates the attack across other, so-called ‘zombie’, machines. Both master and zombie machines are typically compromised by exploiting a vulnerability in an application on the machine, to install a Trojan or other piece of malicious code.

Download

Where a file is transferred from one computer to another, the receiver is said to download the file. For example, anti-virus updates are downloaded to a user’s computer from an anti-virus vendor’s server.

E

E-mail

E-mail (short for ‘electronic mail’) is a method of sending messages electronically from one computing device to another. Plain text e-mails are normally encoded in ASCII text, although many e-mail client applications (Microsoft® Outlook®, for example) support HTML, allowing non-text messages to be sent. It is also possible to send non-text files as a binary attachment to an e-mail message.

SMTP is the standard protocol used for sending e-mail across the Internet, although the POP3 protocol is also commonly used for receiving e-mail that has been stored on a remote server (by an ISP, for example). Many web browsers (including Microsoft® Internet Explorer) also provide support for POP3.

EICAR [European Institute for Computer Anti-Virus Research]

EICAR was formally set up in September 1991 (although an inaugural meeting

had taken place in the previous year), with the aim of providing a forum for

technical, security and legal experts from the security industry, government and

corporate bodies to combine their efforts against malicious code. EICAR was

designed to complement the CARO organization, which is made up solely of anti-

virus experts.

EICAR is probably best known for providing an industry-standard test file (the

‘EICAR Standard Anti-Virus Test File’) that can be used to check that anti-virus

software has been installed correctly, is working and responds appropriately when

a virus has been detected.

Encryption

Encryption describes the process of jumbling up data in such a way that it can not

be easily understood by those who are not authorized to do so. The jumbled data

is stored as ‘ciphertext’. A key, known as a decryption key, is required in order to

access the original data.


Encryption is used to keep prying eyes away from data that is in transit between

sender and recipient (data sent over the World Wide Web during an online

banking transaction, for example).

Modern encryption methods require both sender and recipient (or software

installed on sender and recipient computers) to hold compatible decryption keys.

This may take the form of a single shared key. Or it may be the combination of a

private key created by the recipient and a public key available to anyone wishing

to send data to the recipient: this is known as a PKI [Public Key Infrastructure].

Encryption is a two-way street in the computer world today. While individuals

and businesses use it to protect legitimate communication, virus writers encrypt

malicious programs to conceal them from anti-virus products: in this case, since

the virus writer wants the user to run the encrypted attachment, he must include

the key as part of the transmission (by including the password in an e-mail

message, for example).

Executable files

Synonyms: EXE files, PE EXE files

An executable file is a program in binary code that is ready to be run by the

computer without any further human intervention.

Common file extensions for executable files in Windows include .exe, .com, .dll,

.bat. An executable file that is dynamically linked to another program is called a

dynamic link library.

Windows Portable Executable (PE) files are simply executable files that work

across all Microsoft 32-bit operating systems, which is why the majority of

malware for Windows written today is written in this format.

In Unix, executable files are marked with a special permission flag in the file

attributes.
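A practitioner's follow-up to the entry above is to identify an executable by its content rather than its extension, since a PE file renamed to .txt is still a PE file. The following is an added example, not code from the original glossary: it reads the MZ header, follows the e_lfanew pointer at offset 0x3C to the PE signature, and pulls the machine type and the DLL flag out of the COFF file header. The helper that constructs a minimal PE header and the names MACHINE_NAMES, classify_executable and extension_mismatch are assumptions of this example (the header layout itself is the published PE format).

```python
import struct

# COFF Machine values from the PE specification (only a few common ones).
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000          # Characteristics bit: the image is a DLL
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".dll", ".bat"}   # the extensions the glossary lists


def classify_executable(data):
    """Classify a file by content: None (no MZ header), 'mz-dos' (16-bit DOS
    program or truncated file), or 'pe-<exe|dll>-<machine>' for a Windows PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "mz-dos"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    kind = "dll" if characteristics & IMAGE_FILE_DLL else "exe"
    return f"pe-{kind}-{MACHINE_NAMES.get(machine, hex(machine))}"


def extension_mismatch(filename, data):
    """True when the file name claims one thing and the content another: an
    executable hiding behind a data extension, or a data file named like a program."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return (ext in EXECUTABLE_EXTENSIONS) != (classify_executable(data) is not None)


def build_sample_pe(machine=0x014C, dll=False):
    """Construct the smallest byte string the classifier recognises as a PE file
    (DOS stub, e_lfanew at 0x3C, then a COFF file header). Constructed test data,
    not a runnable program."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)            # PE header starts at 0x80
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", machine, 1, 0, 0, 0, 0xE0,
                       IMAGE_FILE_DLL if dll else 0x0102)
    return bytes(header) + coff
```

A mail gateway or file scanner that keys its decision on classify_executable rather than on the extension catches the renamed-attachment case; the Unix permission bit mentioned at the end of the entry is a separate check (file mode, not file content) and is not covered here.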


Exploit

The term exploit describes a program, piece of code or even some data written by

a hacker or virus writer that is designed to take advantage of a bug or vulnerability

in an application or operating system. Using the exploit, an attacker gains

unauthorized access to, or use of, the application or operating system.

The use of exploits by hackers and virus writers has increased during the last few

years. Typically, exploit code is used to gain access to confidential data or to use

the victim machine for further unauthorized use.

Exploits are often named after the vulnerability they use to penetrate systems: a

buffer overflow, for example.

F

False positive

Synonyms: False alarm

A false positive is another way of saying ‘mistake’. As applied to the field of anti-

virus programs, a false positive occurs when the program mistakenly flags an

innocent file as being infected. This may seem harmless enough, but false

positives can be a real nuisance.

You waste productivity due to user down-time.

You may take e-mail offline, as a security precaution, thus causing a backlog and

more lost productivity

You waste even more time and resources in futile attempts to disinfect ‘infected’

files. And if you load a backup, to replace ‘infected files, the backup appears to be

infected too.

In short, false positives can be costly nuisances.


The term is not confined just to the anti-virus world. It also applies, for example,

to anti-spam protection, where it refers to the misidentification of a legitimate e-

mail message as spam. This too could be very costly, since the undelivered e-mail

may be a business critical message.

False negative

A false negative is simply another name for missing something. Applied to anti-

virus programs, it refers to a failure to detect malware that is present on a system.

FAT [File Allocation Table]

The term FAT is used to describe the file system used by Microsoft® MS-DOS,

Windows® 9x and Windows® ME operating systems. Specifically, the file

allocation table is the index used by the operating system to keep track of the

clusters (a group of disk sectors) belonging to each file stored on a disk. Clusters

are the basic unit of logical storage used by the operating system: and the FAT is

required because the clusters belonging to a file may not be stored contiguously.

When a file is written to the disk, the operating system creates a FAT entry for the

file: this notes the location of the file’s start cluster and its overall size. When

access to the file is later required, the operating system can then piece together

each cluster belonging to the file and load the file into memory for processing.

Alternative file systems are NTFS, used by Windows® NT, Windows® 2000 and

Windows® XP, and HPFS [High Performance File System] used by OS/2.

File virus

Viruses are often classified according to the objects they infect. File viruses, as the

name suggests, are designed to add their code to files (generally program files).

Firewall

Synonyms: Personal Firewall

This term is taken from the world of fire fighting, where a firewall is a barrier

created to block the spread of a fire.


In computing, a firewall forms a barrier between a computer system (either a

corporate system or a single user) and the outside world: the aim is to prevent

outsiders from gaining unauthorized access to the protected network. The firewall

monitors incoming and outgoing network traffic and decides whether to forward it

or block it depending on the security policy that has been set.

Typically, a firewall is installed on a router at the Internet gateway, although it

may also be used to guard the boundaries between networks and user groups.

Today, most enterprises use ‘stateful’ firewalls: they monitor the state of network

connections over a period of time (rather than simply examining packet headers).

The system administrator creates lists of legitimate data packets for each

connection and the firewall passes only packets which match known connections

and rejects all others.

Personal firewalls are software-based. They protect single users from hacker

attacks and potentially damaging data packets sent via the Internet and also limit

the scope of applications on the protected computer. Such protection, as a

supplement to anti-virus protection, has become a ‘must’ for those with always-on

broadband connections.
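The difference between a stateful firewall and one that only examines packet headers is easiest to see on a short packet sequence. The following is an added example, not code from the glossary or from any firewall product: a minimal connection-tracking filter that records outbound connections from the protected network and admits inbound packets only when they answer a tracked connection or target a published service, placed next to a header-only rule of the kind the entry contrasts it with. The network 192.0.2.0/24, the published service on 192.0.2.10:443 and the packet list are constructed; StatefulFirewall and stateless_decide are this example's own names.

```python
import ipaddress


class StatefulFirewall:
    """Minimal stateful filter: outbound connections from the protected network are
    allowed and remembered; inbound packets are allowed only if they answer a
    remembered connection or target an explicitly published service."""

    def __init__(self, protected_net, published_services=()):
        self.protected = ipaddress.ip_network(protected_net)
        self.published = set(published_services)        # {(ip, port), ...}
        self.connections = set()                         # {(src, sport, dst, dport), ...}

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.protected

    def decide(self, packet):
        src, sport, dst, dport = packet
        if self._inside(src) and not self._inside(dst):          # outbound
            self.connections.add((src, sport, dst, dport))
            return "allow"
        if self._inside(dst) and not self._inside(src):          # inbound
            if (dst, dport, src, sport) in self.connections:     # reply to a tracked connection
                return "allow"
            if (dst, dport) in self.published:                   # published service
                return "allow"
            return "drop"                                        # unsolicited
        return "drop"                                            # neither side is ours


def stateless_decide(packet, protected_net="192.0.2.0/24"):
    """Header-only rule: let inbound traffic through if it looks like a web reply
    (source port 80/443) or is bound for the web server. It cannot tell a genuine
    reply from an unsolicited packet that merely claims a web source port."""
    src, sport, dst, dport = packet
    if ipaddress.ip_address(src) in ipaddress.ip_network(protected_net):
        return "allow"                                           # outbound always allowed
    return "allow" if sport in (80, 443) or dport == 443 else "drop"


# Constructed packet sequence: (src_ip, src_port, dst_ip, dst_port)
TRAFFIC = [
    ("192.0.2.5", 51000, "203.0.113.1", 80),     # client opens a web connection
    ("203.0.113.1", 80, "192.0.2.5", 51000),     # the server's reply
    ("203.0.113.1", 80, "192.0.2.5", 51001),     # unsolicited, but from port 80
    ("198.51.100.9", 40000, "192.0.2.10", 443),  # visitor to the published web server
    ("198.51.100.9", 40000, "192.0.2.10", 22),   # visitor probing a service that is not published
]


def run(packets=TRAFFIC):
    """Return (stateful verdict, stateless verdict) for each packet in order."""
    fw = StatefulFirewall("192.0.2.0/24", {("192.0.2.10", 443)})
    return [(fw.decide(p), stateless_decide(p)) for p in packets]
```

The third packet is the one that matters: both filters pass the genuine reply, but only the stateful filter drops the packet that was never asked for. Real firewalls also time state entries out and track TCP flags and sequence numbers; this example keeps the table as a plain set to keep the idea visible.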

Format

Formatting is the process by which a new disk is prepared for use by the operating

system.

FTP [File Transfer Protocol]

FTP is a protocol for exchanging files between computers on the Internet and is

often used to download files. FTP can be accessed from the command prompt, or

through a web browser.


G

Gateway

A gateway connects one network to another. An Internet gateway, for example,

controls access to the Internet.

Generic detection

Generic detection refers to the detection and removal of multiple threats using a

single virus definition. The starting-point for generic detection is that successful

threats are often copied by others, or further refined by the original author(s). The

result is a spate of viruses, worms or Trojans, each one distinct but belonging to

the same family. In many cases, the number of variants can run into tens, or even

hundreds.

Generic detection involves creating a virus definition that is able to identify all

threats belonging to the same family. So when ‘NewVirus’ appears, the definition

created to detect it will also successfully identify ‘NewVirus.b’, ‘NewVirus.c’,

‘NewVirus.d’, etc. if and when they’re created. Such techniques extend also to

detection of exploit code that may be used by a virus or worm. While generic

detection is not guaranteed to find all variants in the family, it has been used with

considerable success by a number of anti-virus vendors.
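One concrete form of the family definition described above is a byte pattern with wildcard positions: the bytes the variant authors change are left open, the bytes every family member shares are fixed. The following is an added example, not code from the glossary or from any vendor's engine; the pattern, the ‘NewVirus’ sample bytes and the names compile_signature and scan_all are constructed for illustration and do not describe a real malware family.

```python
import re


def compile_signature(pattern):
    """Turn a hex pattern such as "E8 ?? ?? 00 00 5B" into a compiled bytes regex.
    Each "??" is a wildcard byte; everything else must match exactly."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)    # DOTALL so "." also matches 0x0A


# Hypothetical family signature (constructed): a CALL with a variable displacement,
# followed by a fixed prologue that every variant is assumed to share.
NEWVIRUS_FAMILY = compile_signature("E8 ?? ?? 00 00 5B 81 EB ?? ?? 40 00 8D B3")


def matches_family(signature, data):
    return signature.search(data) is not None


# Constructed samples: the three variants differ only in the bytes the author tweaked.
SAMPLES = {
    "NewVirus.a": b"\x4d\x5a\x90\x00" + b"\xe8\x12\x00\x00\x00\x5b\x81\xeb\x05\x10\x40\x00\x8d\xb3" + b"\x00" * 8,
    "NewVirus.b": b"\x4d\x5a\x90\x00" + b"\xe8\x7f\x01\x00\x00\x5b\x81\xeb\x10\x20\x40\x00\x8d\xb3" + b"\x00" * 8,
    "NewVirus.c": b"\x90" * 6 + b"\xe8\x00\x00\x00\x00\x5b\x81\xeb\x00\x30\x40\x00\x8d\xb3" + b"\x00" * 8,
    "clean_tool": b"\x4d\x5a\x90\x00\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x5b\xc3" + b"\x00" * 8,
}


def scan_all(samples=SAMPLES, signature=NEWVIRUS_FAMILY):
    """Apply one family signature to every sample; True means 'detected'."""
    return {name: matches_family(signature, data) for name, data in samples.items()}
```

The caveat in the entry applies directly: a variant that also changes one of the fixed bytes falls outside the pattern, which is why generic definitions are tuned against as many known family members as possible and are not a guarantee.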

Gigabyte

A gigabyte [GB] is a unit of measurement for computer storage and is equivalent

to a thousand megabytes, or 1,073,741,824 bytes.

H

Hacker


This term was once used to describe a clever programmer. In recent years, this

term has been applied to those who exploit security vulnerabilities to try and break

into a computer system. Originally, those who break into computer systems (for

malicious purposes or as a challenge) were known as ‘crackers’.

Hardware

The term hardware refers to the physical components of a computer (system unit,

monitor, keyboard, mouse, etc.).

Heuristic analysis

The word heuristic is derived from the Greek ‘to discover’ and refers to a learning

method based on speculation or guess-work, rather than a fixed algorithm. In the

anti-virus world, heuristic analysis involves using non-specific detection methods

to find new, unknown malware.

The technique, which has been in use for many years, involves inspecting the code

in a file (or other object) to see if it contains virus-like instructions. If the number

of virus-like instructions crosses a pre-defined threshold, the file is flagged as a

possible virus and the customer is asked to send a sample for further analysis.

Heuristic analysis has been refined over the years and has brought positive results

in detecting many new threats.

Of course, if heuristics aren’t tuned carefully, there’s a risk of false positives.

That’s why most anti-virus vendors using heuristics reduce their sensitivity to

minimize the risk of false alarms. And many vendors disable heuristics by default.

A further drawback is that heuristic analysis is ‘find-only’. In order to clean, it’s necessary

to know what specific changes the malware has made to the affected object.

Extensive use of heuristic analysis is also made in anti-spam solutions, to

highlight those characteristics of an e-mail message that are spam-like.
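The threshold the entry describes is exactly where the false positive and false negative entries earlier on this page meet: lowering it catches more unknown samples and flags more innocent files, raising it does the reverse. The following is an added example, not code from the glossary or from any scanner: a toy heuristic that counts virus-like behaviours against a constructed corpus of labelled samples and reports the confusion counts and error rates for a chosen threshold. The indicator names, the sample files and the functions heuristic_score, evaluate and error_rates are all this example's own constructions.

```python
# Behaviours a heuristic scanner might count as virus-like (constructed, illustrative).
VIRUS_LIKE = {
    "writes-to-own-image",      # program modifies its own executable
    "searches-for-exe-files",   # looks for other programs to infect
    "hooks-file-open",          # intercepts file-open calls (stealth)
    "decrypts-self-in-memory",  # decryption loop before the real code runs
    "stays-resident",           # installs itself in memory and stays there
}

# Constructed test corpus: (name, behaviours observed, truly malicious?)
CORPUS = [
    ("dropper.exe",     {"writes-to-own-image", "searches-for-exe-files",
                         "decrypts-self-in-memory", "stays-resident"}, True),
    ("packed_worm.exe", {"decrypts-self-in-memory", "searches-for-exe-files", "stays-resident"}, True),
    ("stealthy.exe",    {"hooks-file-open", "reads-config"}, True),
    ("installer.exe",   {"writes-to-own-image", "searches-for-exe-files", "shows-dialog"}, False),
    ("notepad.exe",     {"shows-dialog", "reads-config"}, False),
    ("backup_tool.exe", {"stays-resident", "reads-config"}, False),
]


def heuristic_score(behaviours):
    """Number of virus-like behaviours present: the 'count of virus-like instructions'."""
    return len(behaviours & VIRUS_LIKE)


def evaluate(threshold, corpus=CORPUS):
    """Apply 'flag if score >= threshold' to the corpus and return the confusion counts:
    tp = malware caught, fp = false positives, fn = false negatives, tn = clean files passed."""
    tp = fp = fn = tn = 0
    for _name, behaviours, malicious in corpus:
        flagged = heuristic_score(behaviours) >= threshold
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn}


def error_rates(threshold, corpus=CORPUS):
    """(false positive rate, false negative rate) for the given threshold."""
    c = evaluate(threshold, corpus)
    fp_rate = c["fp"] / (c["fp"] + c["tn"]) if c["fp"] + c["tn"] else 0.0
    fn_rate = c["fn"] / (c["fn"] + c["tp"]) if c["fn"] + c["tp"] else 0.0
    return fp_rate, fn_rate
```

On this corpus a threshold of 2 flags the installer (a false positive) and misses the stealthy sample (a false negative); a threshold of 4 removes the false positive at the cost of missing two of the three malicious files. That trade-off is why vendors, as the entry says, tune sensitivity down or ship heuristics disabled, and why a heuristic hit is a prompt to submit a sample rather than a verdict.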


Hexadecimal

Hexadecimal (or ‘hex’ for short) refers to the counting of numbers in base-16, in

which there are 16 sequential digits in each unit. Since our standard decimal

counting system only goes as far as 9 before we have to switch to another unit,

hexadecimal is represented using the numbers 0-9 and the letters A-F. The

following table provides a few examples of how decimal numbers ‘translate’ into

hexadecimal.

Hexadecimal is often used by low-level programmers since it makes it easier to

represent the binary numbers used at machine level (when debugging a program,

or examining sectors on a disk using a sector editor, for example). A byte contains

eight bits (binary digits), but the same eight bits can be represented using just two

hexadecimal numbers.

Hoax

A hoax is a fake warning about a virus or other piece of malicious code. Typically

a hoax takes the form of an e-mail message warning the reader of a dangerous

new virus and suggesting that the reader pass the message on. Hoaxes cause no

damage in themselves, but their distribution by well-meaning users often causes

fear and uncertainty.

Most anti-virus vendors include hoax information on their web sites and it is

always advisable to check before forwarding warning messages.

Hosts file

The hosts file is a sort of ‘mini DNS server’ on every Microsoft® Windows®

system. When a user types a URL into the web browser, the browser checks the


local hosts file to see if the requested domain name is listed there, before it looks

for a DNS server. This is very efficient: if the web browser finds a match in the

hosts file, it doesn’t need to go looking on the Internet for a DNS server.

Unfortunately, writers of malicious code, ‘spyware’ or phishing scams can tamper

with the data stored in the hosts file. For example, a malware author might re-

direct all search requests (through Google, Yahoo, etc.) simply by editing the

hosts file: listing these domain names but matching them to the IP address of a

web site containing malicious code. Or a worm might prevent anti-virus programs

from updating themselves by matching anti-virus domain names in the hosts file

to the IP address of the victim machine.
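Because the hosts file is consulted before any DNS server, auditing it is a cheap check for exactly the two tampering patterns the entry describes. The following is an added example, not code from the glossary or from any product: it parses hosts-file syntax (address, one or more names, optional comment) and reports every public name that has been overridden, distinguishing names pointed at the local machine (which silently breaks update downloads) from names pointed elsewhere. The sample file, the .test domain names and the functions parse_hosts and audit_hosts are constructed for this example.

```python
import ipaddress

# Names a hosts file legitimately maps to the loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample hosts file (not taken from any real system).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         ads.example.test
203.0.113.55    www.google.com www.yahoo.com
127.0.0.1       updates.example-av.test
this is not a valid line
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # strip comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address: skip the line
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def audit_hosts(text):
    """Return (line, hostname, verdict) for every mapping that overrides DNS for a
    public name. 'blackholed' means the name resolves to this machine (the trick that
    stops anti-virus updates); 'redirected' means it points somewhere else entirely."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        verdict = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((lineno, name, verdict))
    return findings
```

On Windows the file lives under the system directory (the glossary does not give the path, so it is not hard-coded here); read it with open() and pass the text to audit_hosts. Not every finding is malicious: the ads.example.test line is the kind of entry users add deliberately, so the output is a review list, with redirected search engines and blackholed vendor names at the top.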

Hot spot

Synonyms: Wireless access point

A hot spot provides access to a wireless network. Hot spots are now common in

businesses, homes, hotels, airports and even fast food outlets.

HTML [Hypertext Markup Language]

HTML comprises the set of codes used in a file that enables specified data (also

known generically as ‘web content’) to be displayed on a web page. These codes

(also known as ‘tags’) specify how a web browser should display text, graphics,

video and sound. In general, web browser developers adhere to the standard set by

the World Wide Web Consortium [W3C], although some also make use of

additional codes.

HTTP [Hypertext Transfer Protocol]

HTTP is the protocol used for transferring data (including text, graphics, video

and sound) across the World Wide Web. This data is stored in web pages, on a

web server. When an HTTP request is sent to the server from a web browser, the

server delivers the data (also known generically as ‘web content’) to the

requesting computer. The request for data is made by typing the URL into the web

browser, or by clicking on a hyperlink (or link for short): this link may be


specified on a web page or in a piece of text in a document, spreadsheet, etc. The

URL forms the address of the content on the Internet.

I

ICQ

ICQ [‘I Seek You’] is a specific implementation of IM [Instant Messaging].

IDS [Intrusion Detection Systems]

Synonyms: Intrusion detection, IPS [Intrusion Prevention Systems]

Intrusion detection is designed to prevent an attack on a computer system by

analyzing traffic into, and through, a network.

Originally, intrusion detection was restricted to information gathering: the IT

administrator was required to assess the data and take any remedial action

required to secure the system. These days, IDS applications often provide an

automated response to attacks based on a set of pre-defined rules. This is referred

to as IPS [Intrusion Prevention Systems] and may be seen as a development of

behavioral analysis.

IDS (and IPS) fall into two categories. ‘Host-based’ systems are designed to

protect individual computers and typically employ behavioral analysis to detect

malicious code. They do this by monitoring all calls made to the system and

matching them against policies based on ‘normal’ behavior. Such policies can be

quite granular, since behavior may be applied to specific applications. In this way,

activity such as opening ports on the system, port scanning, attempts to escalate

privileges on the system and injection of code into running processes can be

blocked as ‘abnormal’ behavior. Some systems supplement behavioral analysis

using signatures of known hostile code.

‘Network-based’ systems are deployed inline to protect each network segment.

They filter packets for malicious code, looking for ‘abnormal’ bandwidth usage or


for non-standard traffic (such as malformed packets). Network-based systems are

particularly useful for detecting DoS attacks, or the traffic generated by network

worms.
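The network-based detection described here, applied to the DoS and DDoS attacks defined earlier on this page, comes down to counting requests per source and in total over a sliding time window. The following is an added example, not code from the glossary or from any IDS product: it runs over constructed request log lines and raises a ‘dos’ alert when one source exceeds a per-source limit and a ‘ddos’ alert when the aggregate exceeds a total limit even though no single source stands out. The log format, the addresses, the thresholds and the functions parse_line and detect_floods are this example's own assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime


def _ts(minute, second):
    return f"2024-01-01T10:{minute:02d}:{second:02d}"


# Constructed log lines in the form "<ISO timestamp> <source IP> <request>" (not real traffic).
SAMPLE_LOG = []
for i in range(25):                                   # one source, 25 hits in about 2 seconds
    SAMPLE_LOG.append(f"{_ts(0, i // 13)} 198.51.100.7 GET /login")
for i in range(35):                                   # 35 sources, 2 hits each, within 5 seconds
    for j in range(2):
        SAMPLE_LOG.append(f"{_ts(5, (i * 2 + j) // 14)} 203.0.113.{i + 1} GET /")
for i in range(3):                                    # an ordinary visitor
    SAMPLE_LOG.append(f"{_ts(10, i)} 192.0.2.9 GET /index.html")


def parse_line(line):
    stamp, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(stamp), ip


def detect_floods(lines, window_s=10, per_ip_limit=20, total_limit=60):
    """Sliding-window request counting over chronologically ordered log lines.
    Emits ('dos', ip) the first time one source exceeds per_ip_limit requests in
    window_s seconds, and ('ddos', None) the first time all sources together exceed
    total_limit; in the distributed case each source can stay under the per-IP limit,
    which is why the aggregate count is needed."""
    per_ip = defaultdict(deque)
    overall = deque()
    alerts = []
    for line in lines:
        ts, ip = parse_line(line)
        for q in (per_ip[ip], overall):
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()                            # drop requests that left the window
        per_ip[ip].append(ts)
        overall.append(ts)
        if len(per_ip[ip]) == per_ip_limit + 1:        # alert once, when the limit is crossed
            alerts.append(("dos", ip))
        if len(overall) == total_limit + 1:
            alerts.append(("ddos", None))
    return alerts
```

The two thresholds are deliberately independent: the single-source limit is what a simple rate limiter enforces, while the aggregate limit is the signal that remains when the traffic is spread across many zombie machines. Production systems baseline the normal request rate first and set total_limit relative to it rather than as a fixed constant.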

IM [Instant Messaging]

IM is a generic term that describes a system that allows users to see if a contact is

online and communicate with them in real time, over the Internet. IM may be text-

only, although some IM systems support HTML or file sharing.

Examples of IM implementations are AIM, ICQ, IRC and MSN Messenger.

IMAP [Internet Message Access Protocol]

IMAP is a protocol for receiving e-mail. IMAP is useful where e-mail is stored on

a remote server and then forwarded to the user. This is useful, for example, where

a home user connects to the Internet through an ISP and downloads e-mail

periodically. In this case, SMTP is used to send e-mail across the Internet to the

ISP, while IMAP is used to download the e-mail from the ISP.

IMAP is similar to, but more sophisticated than, POP3.

Internet

The Internet (sometimes referred to simply as ‘the net’) is a global system of

connected networks.

The Internet developed out of ‘ARPANET’, set up in 1969 by the US government

agency ARPA [Advanced Research Projects Agency] to provide a network of

computers that would connect various academic and research organizations.

Today the Internet is the sum total of the countless computers around the world

that connect to each other using the public telecommunications infrastructure. The

‘glue’ that holds the Internet together is TCP/IP [Transmission Control

Protocol/Internet Protocol]. ‘TCP’ splits data into packets for transmission across


the Internet and re-assembles them at the other end. ‘IP’ addresses the packets to

the right location.

Sitting on top of TCP/IP are other protocols that provide specific functions to

users on the Internet. These include FTP (for file transfer) SMTP (for e-mail) and

HTTP (for transferring data across the World Wide Web).

IP address

An IP [Internet Protocol] address is a 32-bit number used to identify a computer

sending or receiving packets across the Internet. The number, normally expressed

as four numbers separated by full stops (each representing eight bits) identifies the

network on the Internet and the host machine within that network. Of course, few

of us can easily remember long numbers so, to make things easier, we use domain

names that map to each IP address. The domain name ‘kaspersky.com’, for

example, maps to the IP address ‘81.176.69.70’.

IRC [Internet Relay Chat]

IRC is a specific implementation of IM [Instant Messaging].

ISP [Internet Service Provider]

ISPs provide users and organizations with access to the Internet. The ISP typically

has what’s known as a ‘point of presence’ on the Internet: they have the

equipment necessary to provide Internet access to many users and a dedicated IP

address. Some ISPs rely on the infrastructure of telecoms providers, others have

their own dedicated leased lines. Increasingly, ISPs provide value-add services

along with Internet access: such as anti-virus and anti-spam filtering.

J

JavaScript


JavaScript is a scripting language developed by Netscape®. Like VBS, JavaScript is

often used in the development of web pages. For specific tasks, it’s often easier to

write a script than to use a formal programming language like ‘C’ or ‘C++’.

However, as with a formal program, it’s also possible to use JavaScript to create

malicious code. Since a script can be easily embedded in HTML, a virus author

can embed a malicious script within an HTML e-mail: and when the user reads

the e-mail, the script runs automatically.

Joke program

Joke programs are not harmful, but do something that the author considers to be

funny. This often includes behavior that simulates the destructive effects of

malicious code: for example, displaying a message telling the user that their hard

drive is being formatted.

Junk e-mail (Spam)

Synonyms: UCE [Unsolicited Commercial E-mail]

Spam is the name commonly given to unsolicited e-mail. It is effectively

unwanted advertising, the e-mail equivalent of physical junk mail delivered

through the post or from unsolicited telemarketing calls.

K

Kernel

The term kernel refers to the core of an operating system that supports all other

operations. By contrast, the term shell is used to describe the user interface.

Keylogger

Synonyms: Keystroke logger

A keylogger can be used by a third-party to obtain confidential data (login details,

passwords, credit card numbers, PINs, etc.) by intercepting key presses. Backdoor

Trojans typically come with a built-in keylogger; and the confidential data is


relayed to a remote hacker to be used to make money illegally or gain

unauthorized access to a network or other company resource.

Kilobyte

A kilobyte [KB] is a unit of measurement for computer storage and is equivalent

to 1,024 bytes.

L

Link virus

Viruses are often classified according to the technique they use to infect. A link

virus, as the name suggests, does not add its code directly to infected files.

Instead, it spreads by manipulating the way files are accessed under the FAT file

system.

When an infected file is run, the virus goes memory resident and writes a

(typically hidden) file to the disk: this file contains the virus code. Subsequently,

the virus modifies the FAT to cross-link other files to the disk sector containing

the virus code. The result is that whenever the infected file is run, the system

jumps first to the virus code and runs it.

The cross-linking is detectable if the CHKDSK program is run, although a virus

could use stealth to conceal the changes if the virus was in memory (in other

words, if the user did not boot from a clean system disk).
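The cross-linking the entry says CHKDSK can detect follows directly from the FAT structure described in the FAT entry earlier on this page: each directory entry names a start cluster, the FAT links cluster to cluster, and a cluster should belong to exactly one chain. The following is an added example, not code from the glossary or from any disk utility: it walks cluster chains through a constructed 16-entry FAT16-style table, reports clusters claimed by more than one file (the link virus case, where the program's entry and the hidden virus file both start at the virus cluster) and clusters that are allocated but unreachable (the program's original data, which CHKDSK would report as lost). The table, the file names and the functions walk_chain, find_cross_links and find_lost_clusters are constructed for this example.

```python
FAT16_EOC = 0xFFF8       # any value >= this marks the last cluster of a chain
FIRST_DATA_CLUSTER = 2   # clusters 0 and 1 are reserved


def walk_chain(fat, start):
    """Follow a file's cluster chain through the FAT; raise on loops or bad links."""
    chain, seen = [], set()
    cluster = start
    while cluster < FAT16_EOC:
        if cluster < FIRST_DATA_CLUSTER or cluster >= len(fat):
            raise ValueError(f"chain from {start} points at invalid cluster {cluster}")
        if cluster in seen:
            raise ValueError(f"chain from {start} loops at cluster {cluster}")
        seen.add(cluster)
        chain.append(cluster)
        cluster = fat[cluster]
    return chain


def find_cross_links(fat, directory):
    """Clusters claimed by more than one directory entry, as CHKDSK would report."""
    owners = {}
    for name, start in directory:
        for c in walk_chain(fat, start):
            owners.setdefault(c, []).append(name)
    return {c: names for c, names in owners.items() if len(names) > 1}


def find_lost_clusters(fat, directory):
    """Allocated clusters that no directory entry reaches."""
    reachable = set()
    for _name, start in directory:
        reachable.update(walk_chain(fat, start))
    return {c for c in range(FIRST_DATA_CLUSTER, len(fat))
            if fat[c] != 0 and c not in reachable}


def build_sample_fat(infected=False):
    """Constructed 16-cluster FAT: README.TXT = 2->3->4, DATA.BIN = 5->6, PROG.EXE = 8.
    With infected=True a single cluster 7 also holds the virus body."""
    fat = [0] * 16
    fat[0], fat[1] = 0xFFF8, 0xFFFF             # media descriptor and reserved entry
    fat[2], fat[3], fat[4] = 3, 4, 0xFFFF
    fat[5], fat[6] = 6, 0xFFFF
    fat[8] = 0xFFFF
    if infected:
        fat[7] = 0xFFFF
    return fat


CLEAN_DIR = [("README.TXT", 2), ("DATA.BIN", 5), ("PROG.EXE", 8)]
# After infection the directory entry for PROG.EXE points at the virus cluster and a
# hidden entry for the virus file shares it; the real program data at cluster 8 is orphaned.
INFECTED_DIR = [("README.TXT", 2), ("DATA.BIN", 5), ("PROG.EXE", 7), ("VIRUS.COM", 7)]
```

The stealth caveat in the entry is the reason this check must run from a clean boot: a resident virus can intercept the reads of the directory and the FAT and present the unmodified values, so the walker sees nothing wrong.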

M

Macro virus

Viruses are often classified according to the objects they infect. Macro viruses, as

the name suggests, are designed to add their code to the macros associated with

documents, spreadsheets and other data files.


The first macro virus, called Concept, appeared in July 1995 and macro viruses

subsequently became the dominant type of virus. There were three major reasons

for this. First, they were the first type of virus to deliberately add their code to

data files: this meant they weren’t just reliant on the exchange of floppy disks or

programs. Second, they were very easy for would-be virus authors to write (or

copy), so a new macro virus spawned many new variants. Third, they ‘cashed-in’

on the emergence of e-mail as a key business tool, so that infected users

inadvertently spread them quicker than any other type of virus had spread before.

The vast majority of macro viruses were designed to spread on the back of

Microsoft® Office data files (Word, Excel, Access, PowerPoint and Project),

although there were a few ‘proof-of-concept’ macro viruses for other formats

(Lotus AmiPro®, for example).

Macro viruses dominated the scene until the appearance of the first ‘mass-mailers’

early in 1999.

Malicious code

Malicious code refers to any program that is deliberately created to perform an

unauthorized, often harmful, action.

Malware

Synonyms: Malicious software

Malware (short for malicious software) refers to any program that is deliberately

created to perform an unauthorized, often harmful, action.

Mass-mailer

Mass-mailing refers to the technique, used by many worms, of ‘hijacking’ the e-

mail system to send malicious code automatically to e-mail addresses harvested

from an already infected computer.


MBR [Master Boot Record]

Synonyms: Partition sector

The MBR is the first sector on a hard disk and contains the partition table, which

holds information on the number of partitions, their size and which one is ‘active’

(i.e. which one contains the operating system used to boot the machine).

Megabyte

A megabyte [MB] is a unit of measurement for computer storage and is equivalent

to a thousand kilobytes, or 1,048,576 bytes.

Modem

A modem converts digital signals from a computer into analog signals that can

be transferred across a standard telephone line and vice versa.

The capacity of modems has increased considerably in recent years from

14.4Kbps (Kilobits per second), to 28.8Kbps, to 56Kbps.

However, even higher capacity can be achieved using a digital ISDN [Integrated

Services Digital Network] adaptor (up to 128Kbps) or a broadband connection

(these days measured in Mbps).

MS-DOS

Short for Microsoft® Disk Operating System, MS-DOS was a command line

driven operating system developed for the PC. MS-DOS 1.0 was released in

1981 and the final version, MS-DOS 6.22, was released in 1994. Microsoft®

Windows® also provides command line access through its Command Prompt.

MSN Messenger

MSN Messenger is a specific implementation of IM [Instant Messaging].

Multipartite


Multipartite viruses are those that use multiple attack methods. In the days when

MS-DOS was the primary PC operating system, the term multipartite was used to

describe viruses that infected programs and system sectors.

N

Network

A network is a group of computers that are connected with each other and able to

send and receive data. The computers within a network are sometimes referred to

as ‘nodes’ or ‘workstations’ and the way they are connected to each other is

referred to as the network’s ‘topology’.

A typical type of network is the LAN [Local Area Network], where all nodes are

connected to a dedicated server used for disk storage and shared applications.

Some smaller organizations, by contrast, may have a peer-to-peer network: in this

case, all computers on the network are connected to each other, but there is no

dedicated server.

In larger organizations, which may be geographically dispersed, several LANs (at

each physical site, for example) may be connected to a WAN [Wide Area

Network], often using the public telecommunications infrastructure.

The Internet can be seen as a ‘super network’ that uses public telecommunications

infrastructure to combine countless individual networks through the common use

of the TCP/IP protocol.

NTFS [New Technology File System]

NTFS is the file system used by Microsoft® Windows® NT, Windows® 2000

and Windows® XP. It was developed after the FAT file system implemented in

MS DOS and provides more efficient and secure methods for storage and retrieval

of files (including support for very large files, integrated file compression, a more

efficient directory system and access control for specific files). By contrast with


the FAT system, information about each file is stored in the clusters belonging to

that file (although there is also an MFT [Master File Table] that keeps track of all

the clusters on the disk).

O

Open relay

The term open relay is applied to an SMTP server that is set up to process e-mail

from an unknown sender, even if it is not intended for a recipient within the

organization. The open relay acts as a sort of ‘blind go-between’, routing all e-

mail regardless of its source or destination.

Using tools that are easily available on the Internet, spammers are able to use open

relays to deliver large volumes of spam while covering their tracks. Since the e-

mail they send out is routed through the SMTP server of a legitimate organization,

it looks like it has come from a legitimate source.
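The fix for an open relay is a relaying policy: accept mail for the organization's own domains from anyone, and accept mail for other domains only from clients the server can vouch for. The following is an added example, not code from the glossary or from any mail server: a relay decision function with the hardened policy as the default and a flag that reproduces the open-relay behaviour for comparison. The local domain, the trusted network, the client addresses and the function names relay_decision and evaluate_policy are this example's own assumptions; the 250 and 554 codes are the standard SMTP success and ‘transaction failed’ replies.

```python
import ipaddress

LOCAL_DOMAINS = {"example.test"}                             # domains this server delivers for
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # the organization's own LAN


def relay_decision(client_ip, authenticated, recipient, open_relay=False):
    """Decide whether to accept a recipient, as an SMTP server does at RCPT TO.
    Local recipients are always accepted (that is inbound mail). Relaying to other
    domains is allowed only for clients on the LAN or clients that authenticated.
    open_relay=True reproduces the misconfiguration the entry describes."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return (250, "accepted: local recipient")
    if open_relay:
        return (250, "accepted: relayed for anyone")          # the spammer's preferred server
    ip = ipaddress.ip_address(client_ip)
    if authenticated or any(ip in net for net in TRUSTED_NETWORKS):
        return (250, "accepted: relay for trusted client")
    return (554, "relay access denied")


# Constructed relay attempts: (client IP, authenticated?, recipient)
ATTEMPTS = [
    ("203.0.113.9", False, "alice@example.test"),   # external sender, local recipient: inbound mail
    ("192.0.2.20", False, "bob@other.test"),        # LAN workstation sending out
    ("198.51.100.3", True, "bob@other.test"),       # remote user who authenticated
    ("203.0.113.9", False, "victim@other.test"),    # unknown client asking us to relay to a third party
]


def evaluate_policy(open_relay=False, attempts=ATTEMPTS):
    """Reply codes for each attempt under the chosen policy."""
    return [relay_decision(ip, auth, rcpt, open_relay)[0] for ip, auth, rcpt in attempts]
```

The last attempt is the only one the two policies disagree on, and it is the one that matters: an external client asking the server to deliver to another external domain. Public relay-test services send exactly that kind of probe to your own server, and a 554 on it is the result you want.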

Open source software

Open source software is software that is developed, maintained and distributed

freely, based on open collaboration between programmers. As the name suggests,

the source code for the operating system or application is published openly.

Various Unix-based operating systems have been developed on the open source

principle.

Operating system

An operating system (sometimes abbreviated as OS) is the collection of programs

that loads when a computer boots and subsequently manages the operation of all

other functions on the computer. This includes access to the computer’s hardware,

use of the computer’s processor, memory management, etc.

Examples of operating systems are MS-DOS, Windows® XP, Linux, NetWare®,

etc.


Overwriting virus

Viruses are often classified according to the technique they use to infect. An

overwriting virus, as the name suggests, completely replaces the code in the

infected file with its own. Of course, the original program no longer runs, so the

infection becomes obvious. For this reason, overwriting viruses have never been

successful at spreading in the field.

P

Peer-to-peer

Synonyms: P2P

The term ‘peer-to-peer’ can be applied to a network system in which there is no

dedicated network server and in which each machine has both server and client

capabilities.

Today, the term P2P is more commonly applied to a temporary connection shared

by users running the same application, allowing them to share files on each

other’s computers (typically to share music or other multimedia files over the

Internet, as with Napster, Gnutella and Kazaa).

Packet

A packet is a unit of data transferred between two points on the Internet. When

data is sent across the Internet (an e-mail message, for example), it is divided into

convenient sections. Each of these packets may travel via different routes, to be

re-assembled at their destination.

Partition

A partition is a logical division of a hard disk into several sections, allowing the

user to install different operating systems on the same hard disk. Partitions are

created using the FDISK.EXE program. Information on the number of partitions,


their size and which one is ‘active’ (i.e. which one contains the operating system

used to boot the machine) is stored within the MBR, in the partition table.
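The partition table layout described here and in the MBR entry above is small enough to parse by hand, which is how disk tools check that a boot sector has not been corrupted or tampered with. The following is an added example, not code from the glossary or from FDISK: it builds a 512-byte MBR from constructed partition entries, parses the four 16-byte table slots and the 0x55AA signature back out, and runs the consistency checks a practitioner would want (signature present, exactly one active partition, no overlapping partitions). The sample partitions and the functions build_mbr, parse_mbr and check_partition_table are this example's own; the offsets and field layout are the classic MBR format.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
PARTITION_TYPES = {0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x05: "Extended", 0x83: "Linux"}


def build_mbr(entries):
    """Construct a 512-byte MBR from up to four (active, type, lba_start, sectors)
    tuples; the boot code area is left zeroed. Constructed test data, not a real disk."""
    mbr = bytearray(MBR_SIZE)
    for i, (active, ptype, lba_start, sectors) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    struct.pack_into("<H", mbr, 510, 0xAA55)   # boot signature: bytes 0x55 0xAA
    return bytes(mbr)


def parse_mbr(sector):
    """Return the partition table as a list of dicts (empty slots are skipped)."""
    if len(sector) != MBR_SIZE or struct.unpack_from("<H", sector, 510)[0] != 0xAA55:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        partitions.append({"index": i, "active": status == 0x80,
                           "type": PARTITION_TYPES.get(ptype, hex(ptype)),
                           "start": lba_start, "sectors": sectors})
    return partitions


def check_partition_table(partitions):
    """Consistency checks of the kind a disk tool runs before trusting the table."""
    issues = []
    active = [p for p in partitions if p["active"]]
    if not active:
        issues.append("no active partition")
    if len(active) > 1:
        issues.append("more than one active partition")
    spans = sorted((p["start"], p["start"] + p["sectors"], p["index"]) for p in partitions)
    for (s1, e1, i1), (s2, e2, i2) in zip(spans, spans[1:]):
        if s2 < e1:
            issues.append(f"partitions {i1} and {i2} overlap")
    return issues


# Constructed disk: an active NTFS partition followed by a FAT32 data partition.
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 409600), (False, 0x0B, 411648, 204800)])
```

Reading the real first sector requires raw device access and administrative rights; the parser is the same either way, so the checks can be run on a sector image taken during forensic work as easily as on the constructed sample.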

PSW Trojans

Synonyms: Password-stealing Trojans

These Trojans are designed to steal passwords from the victim machine (although

some steal other types of information also: IP address, registration details, e-mail

client details, and so on). This information is then sent to an e-mail address coded

into the body of the Trojan. The first PSW Trojans were AOL password stealing

Trojans: and they are so numerous that they form a specific subset of PSW

Trojans.

Patch

Synonyms: Service pack, Maintenance pack

A patch provides additional, revised or updated code for an operating system or application. Except for open source software, most software vendors do not publish their source code: so patches are normally pieces of binary code that are ‘patched’ into an existing program (using an install program).

The term ‘patching’ refers to the process of downloading and installing additional code supplied by an application vendor. However, the terms used may vary. Typically, a minor fix is referred to as a patch, while a significant fix is referred to as a Maintenance Pack or Service Pack.

Patching has become an integral part of computer security, since vulnerabilities in popular operating systems and applications are among the primary targets for virus writers and hackers. It is crucial to patch in a timely manner. During recent years, the time-lag between the discovery of a vulnerability and the creation of exploit code that makes use of it has diminished. The worst-case scenario, of course, is a so-called ‘zero-day exploit’, where an exploit appears immediately after a vulnerability has been discovered. This leaves almost no time for a vendor to create a patch, or for IT administrators to implement other defensive measures.

Payload

In the world of malicious code, the term payload is used to describe what a virus, worm or Trojan has been coded to do to a victim machine. For example, a virus could be designed to display a message on the screen on a particular day of the week, or erase all EXE files on a given day, or ... anything else that software can be coded to do. In fact, many viruses contain no payload at all. That’s not to say that they will have no adverse effect on an infected system. Many viruses are poorly written and may interfere with other programs running on the machine. They may also cause unintended side-effects if they are run in an environment they were not ‘designed’ for.

PDA [Personal Digital Assistant]

PDA is the term given to small handheld computers that provide many of the functions of a standard PC, including e-mail, web browser, calendar (and other personal information) functions, network access, and synchronization between the PDA and a PC. Increasingly, PDA functions are becoming combined with those of a wireless phone in a smartphone.

Phishing

Phishing is a form of cyber crime based on social engineering techniques. The name ‘phishing’ is a conscious misspelling of the word ‘fishing’ and involves stealing confidential data from a user’s computer and subsequently using the data to steal the user’s money.

The cyber criminal creates an almost 100% perfect replica of a financial institution or online commerce web site. He then tries to lure unsuspecting users to the site to enter their login, password, credit card number, PIN, etc. into a fake form. This data is collected by the phisher, who later uses it to access users’ accounts fraudulently.

Some financial institutions now make use of a graphical keyboard, where the user selects characters using a mouse, instead of using a physical keyboard. This prevents collection of confidential data by phishers who trap keyboard input, but is of no avail against so-called ‘screenscraper’ techniques, where a Trojan takes a snapshot of the user’s screen and forwards it to the server controlled by the Trojan author or ‘master’.

There are several different ways of trying to drive users to a fake web site.

- Spam e-mail, spoofed to look like correspondence from a legitimate financial institution.
- Hostile profiling, a targeted version of the above method: the cyber criminal exploits web sites that use e-mail addresses for user registration or password reminders and directs the phishing scam at specific users (asking them to confirm passwords, etc.).
- Installing a Trojan that edits the hosts file, so that when the victim tries to browse to their bank’s web site, they are re-directed to the fake site.
- Pharming, also known as DNS poisoning.
- ‘Spear phishing’, an attack on a specific organization in which the phisher simply asks for one employee’s details and uses them to gain wider access to the rest of the network.

Polymorphism

The term ‘polymorphic’ comes from the Greek for ‘many forms’. Polymorphic viruses are variably-encrypted. They try to evade detection by changing their ‘shape’ with each infection, so there’s no constant sequence of bytes for an anti-virus program to search for. As a result, anti-virus programs must use various other techniques to identify and remove polymorphic viruses, including emulating the code, or using mathematical algorithms to ‘see through’ the code.

POP3 [Post Office Protocol 3]

POP3 is a protocol for receiving e-mail. POP3 is useful where e-mail is stored on a remote server and then forwarded to the user. This is useful, for example, where a home user connects to the Internet through an ISP and downloads e-mail periodically. In this case, SMTP is used to send e-mail across the Internet to the ISP, while POP3 is used to download the e-mail from the ISP.

Many e-mail client applications (Microsoft® Outlook®, for example) and web browsers (Internet Explorer, for example) support POP3.

Pornware

‘Pornware’ is the generic term used by Kaspersky Lab to describe malware-related programs that either use the computer’s modem to connect to pornographic pay-to-view services, or download pornographic content from the web, without the consent of the user.

Port

Synonyms: TCP/IP port

In computing, ports are connection points.

They may be physical connection points, as in the COM (or serial) and parallel ports used by physical input or output devices. Before the advent of USB ports, monitor, keyboard, mouse and modem typically used a COM port (where data is transferred ‘serially’, one bit at a time), while printers typically used a parallel port (where data is transferred ‘in parallel’, eight bits at a time). Today, most computers are equipped with a number of USB ports. USB allows up to 127 devices to connect to a single computer and allows for rapid transfer of data.

They may also be logical connection points for data transferred via TCP/IP or UDP networks. Some port numbers are reserved: port 80, for example, is reserved for the HTTP service. Others are assigned dynamically for each connection. Ports are used by authors of malicious code to transfer data from a victim machine to the ‘master’, or to download additional malicious code.

Port scanning

Port scanning is the process of sending messages to ports on a computer to see what response comes back: the response indicates whether or not the port is being used and may be vulnerable to attack.
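From the defender’s side, a port scan is visible as one source touching many different ports on one host in a short time. The Python below is an added example, not part of the original glossary: it parses constructed firewall log lines (the format, addresses and timestamps are made up for the example) and raises one alert per source/destination pair whose distinct destination ports within a sliding time window reach a threshold. Both allowed and denied connections count, since it is the spread of ports, not the verdict on each one, that characterises a scan.

```python
"""Flag possible port scans in constructed firewall log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real device). One source touches ten
# ports within a few seconds; the other sources behave normally.
SAMPLE_LOG = """\
2024-03-01T09:00:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp
2024-03-01T09:00:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T09:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=23 proto=tcp
2024-03-01T09:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=25 proto=tcp
2024-03-01T09:00:02 ALLOW src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T09:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=110 proto=tcp
2024-03-01T09:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=135 proto=tcp
2024-03-01T09:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=139 proto=tcp
2024-03-01T09:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T09:00:04 DENY src=203.0.113.5 dst=192.0.2.10 dport=445 proto=tcp
2024-03-01T09:00:05 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T09:00:06 ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T09:30:00 ALLOW src=198.51.100.9 dst=192.0.2.10 dport=80 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=8):
    """Return one alert per (src, dst) pair that touches at least min_ports
    distinct destination ports inside any sliding time window of length window.
    """
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src"], e["dst"])].append(e)

    alerts = []
    for (src, dst), evs in by_pair.items():
        best = 0              # most distinct ports seen in any window
        first_hit = None      # time the threshold was first crossed
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({e["dport"] for e in evs[start:end + 1]})
            if distinct >= min_ports and first_hit is None:
                first_hit = evs[end]["ts"]
            best = max(best, distinct)
        if best >= min_ports:
            alerts.append({"src": src, "dst": dst,
                           "distinct_ports": best, "first_seen": first_hit})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are the tuning knobs: a web crawler legitimately hitting ports 80 and 443 stays far below eight distinct ports, while a sequential scan crosses it within seconds.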

Program

Synonyms: Executable file

Programs (also known as executables) contain binary code in a form that is ready to be run on a computer. Programs are written using a computer language (‘C’ or ‘C++’, for example), where the programmer writes the language-specific instructions using a text editor: this is known as source code. The source code is then compiled into instructions that can be interpreted by the computer.

The most common file extension for programs in a Microsoft® Windows® environment is EXE, but there are other files that contain program code, including COM and DLL. Batch files (which have the extension BAT) are themselves text files, but they contain a list of instructions for the computer to carry out unattended.

Proxy server

A proxy server stands between users on a network and the Internet. When a user requests a web page through their browser, the request goes through the proxy server. The proxy server checks its cache, to see if the page has been requested before: if it has, there’s no need for the proxy server to access the Internet, so the user gets quicker access to cached pages.

Many organizations install a proxy server at the Internet gateway, on the same computer as their firewall.

PSW Trojans

Synonyms: Password-stealing Trojans

These Trojans are designed to steal passwords from the victim machine (although some steal other types of information also: IP address, registration details, e-mail client details, and so on). This information is then sent to an e-mail address coded into the body of the Trojan. The first PSW Trojans were AOL password stealing Trojans: and they are so numerous that they form a specific subset of PSW Trojans.

R

RAM [Random Access Memory]

Synonyms: Memory

RAM is used by the operating system and other software to hold data that is currently being used. Applications and data held on the hard disk or removable media are loaded into RAM before being processed. It’s faster to read from, and write to, RAM than a hard disk or removable media. However, RAM can be used only for temporary storage: it is cleared whenever the PC is switched off.

Registry key

Synonyms: System registry key, Key

In Microsoft® Windows®, registry keys are used to store configuration information: the value of a relevant key is changed every time a program is installed or when its configuration settings have been modified.

Many malicious programs change key values, or create new ones, to ensure that their code runs automatically: in addition, they can have an adverse effect on legitimate programs.

Riskware

‘Riskware’ is the generic term used by Kaspersky Lab to describe programs that are legitimate in themselves, but that have the potential for misuse by cyber criminals: for example, remote administration utilities. Such programs have always had the potential to be misused, but they now have a higher profile. During the last few years, there has been a fusion of ‘traditional’ virus techniques with those of hackers. In the changing climate, such ‘riskware’ programs have come into their own as a means of controlling machines for malicious purposes.

Rootkit

A rootkit is a collection of programs used by a hacker to evade detection while trying to gain unauthorized access to a computer. This is done either by replacing system files or libraries, or by installing a kernel module. The hacker installs the rootkit after obtaining user-level access: typically this is done by cracking a password or by exploiting a vulnerability. This is then used to gather other user IDs until the hacker gains root, or administrator, access to the system.

The term originated in the Unix world, although it has since been applied to the techniques used by authors of Windows-based Trojans to conceal their activities. Rootkits have been used increasingly as a form of stealth to hide Trojan activity, something that is made easier because many Windows users log in with administrator rights.

Router

A router is a device, located at the point where one network meets another, that decides the next point to which a network packet should be passed on its way to its final destination.

S

Sandbox

In the context of computer security, a sandbox provides a tightly-controlled environment in which semi-trusted programs or scripts can be safely run in memory (or with limited access to the local hard disk). The sandbox concept can be implemented in a web browser, to safeguard the user from potentially harmful content, or it can be used as a method for analyzing programs in order to determine if they are safe or harmful.

SDK [Software Development Kit]

An SDK is a set of routines, modules and protocols that can be used to access a program’s functionality, through its Application Program Interface [API]. Although these two terms are distinct, they are often used interchangeably. An anti-virus engine SDK provides the tools necessary for third parties to integrate anti-virus scanning into their application or business process.

Sector

Synonyms: Disk sector

A sector is an area on a PC disk (hard disk or floppy disk) used to store data. Sectors, which resemble the slices of a cake, are laid down on the disk when it is prepared for use, or formatted. The size of each sector varies depending on the operating system and is defined in the disk’s boot sector.

A disk is also divided into cylinders (or tracks) and heads (or sides). Data on a disk is accessed, at a low level, according to its cylinder, head and sector number. Of course, the user doesn’t need to worry about this low-level information, since the operating system handles the storage and retrieval of data in a user-friendly way.

Shell

The term shell describes the user interface of an operating system, used to launch programs and give other commands. By contrast, the term kernel refers to the core of the operating system that supports all other operations.

Smartphone

The term ‘smartphone’ is generally applied to a mobile device that combines the functions of a wireless phone with functions more typically associated with a PDA. These include wireless e-mail access, wireless access to online banking and other web browsing capabilities, wireless access to a network, calendar (and other personal information) functions, and wireless and wired synchronization between the device and a PC. Symbian OS and Windows® CE are the most common operating systems installed on smartphones.

SMTP [Simple Mail Transfer Protocol]

SMTP is a protocol for sending e-mail across the Internet. While any individual organization may implement a specific application for handling e-mail internally (Microsoft® Exchange, Lotus Domino®, etc.), SMTP is the common format into which all messages are converted before being sent over the Internet.

In situations where e-mail is stored on a remote server and then forwarded to the user (where a home user connects to the Internet through an ISP and downloads e-mail periodically, for example), POP3 or IMAP protocols are often used also.

Social engineering

Social engineering refers to a non-technical breach of security that relies heavily on human interaction, i.e. tricking end users into breaking normal security measures.

Virus writers and spammers alike depend heavily on disguising malware and spam as innocent messages or software, which may even pretend to be fighting against the very form of cyber crime that is about to be committed. The objective is to get the user to respond: click on an infected e-mail attachment, click on a link to a compromised web site, or respond to a fake unsubscribe notice ... the list is endless.

Software

The general term used for programs that run on a computer. This includes system software (related to the operating system) and application software used to carry out specific tasks (word processors, spreadsheet software, etc.).

Stealth

Stealth is the term used to describe techniques used to make a virus inconspicuous – that is, to conceal any changes a virus makes to the infected system.

Stealth virus

Stealth viruses attempt to evade antivirus scanners by presenting clean data when queried by an antivirus product. Some of these viruses display a clean version of the infected file during scans. Other stealth viruses hide the new size of the infected file and display the pre-infection size.

System files

System files are operating system files, used to carry out basic functions on a computer.

System registry

Synonyms: Windows registry

The Windows system registry is a database used by all modern Windows platforms. This database contains the information needed to configure the system. Windows constantly refers to the registry for information ranging from user profiles, to which applications are installed on the machine, to what hardware is installed and which ports are registered.

Registry keys replace the .ini files used in previous versions of Windows. The registry data is stored in binary form.

T

TCP/IP [Transmission Control Protocol/Internet Protocol]

TCP/IP is the protocol that is used by the countless computers around the world that connect to each other through the Internet. ‘TCP’ splits data into packets for transmission across the Internet and re-assembles them at the other end. The ‘IP’ part of the protocol is responsible for addressing the packets to the right location.

Terabyte

A terabyte [TB] is a unit of measurement for computer storage and is equivalent to a thousand gigabytes.

Trojan

Synonyms: Trojan horse

The term Trojan is taken from the wooden horse used by the Greeks to sneak inside the city of Troy and capture it. The first Trojans, which appeared in the late 1980s, masqueraded as innocent programs. Once the unsuspecting user ran the program, the Trojan would deliver its harmful payload. Hence the copy-book definition of a Trojan as a non-replicating program that appears to be legitimate but is designed to carry out some harmful action on the victim computer.

One of the key factors distinguishing Trojans from viruses and worms is that they don’t spread by themselves. In the early days of PC malware, Trojans were relatively uncommon since the author had to find some way of distributing the Trojan manually. The widespread use of the Internet and the development of the World Wide Web provided an easy mechanism for distributing Trojans far and wide.

Today, Trojans are very common. They typically install silently and carry out their function(s) invisible to the user.

Like viruses and worms, Trojans are often sub-divided into different categories based on their function.

- Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines.
- PSW Trojans steal passwords from victim machines (although some steal other types of information also: IP address, registration details, e-mail client details, and so on).
- Trojan Clickers re-direct victim machines to a specified web site, either to raise the ‘hit-count’ of a site, or for advertising purposes, or to organize a DoS attack on a specified site, or to direct the victim to a web site containing other malicious code.
- Trojan Droppers and Trojan Downloaders install malicious code on a victim machine, either a new malicious program or a new version of some previously installed malware.
- Trojan Proxies function as a proxy server and provide anonymous access to the Internet: they are commonly used by spammers for large-scale distribution of spam e-mail.
- Trojan Spies track user activity, save the information to the user’s hard disk and then forward it to the author or ‘master’ of the Trojan.
- Trojan Notifiers inform the author or ‘master’ that malicious code has been installed on a victim machine and relay information about the IP address, open ports, e-mail address and so on.
- Archive bombs are designed to sabotage anti-virus programs. They take the form of a specially constructed archive file that ‘explodes’ when the archive is opened for scanning by the anti-virus program’s de-compressor. The result is that the machine crashes, slows down or is filled with garbage data.

Trojan Clickers

Trojan Clickers re-direct victim machines to a specified web site. This is done either to raise the ‘hit-count’ of a site, for advertising purposes, or to organize a DDoS attack on a specified site, or to direct the victim to a web site containing other malicious code (another Trojan, for example). The Trojan does this either by sending commands to the web browser or by simply replacing system files that contain URLs (the Windows® ‘hosts file’, for example).
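Both the Phishing entry and the Trojan Clickers entry above describe the same trick: an edited hosts file that sends a bank’s name to an address the attacker controls. The check below is an added example, not part of the original glossary: it parses hosts-file text (the sample content, the `example-bank.test` domain and the watch list are constructed, not taken from any real machine) and reports every mapping that overrides a watch-listed domain, whatever address it points to, since a managed machine has no legitimate reason to pin its banking or payment domains there at all.

```python
"""Report hosts-file entries that override watch-listed domains (added example)."""
import ipaddress

# Constructed sample hosts file content (not from any real machine). The
# example-bank.test entries stand in for what a Trojan Clicker might add.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# the bank's name now resolves to an outside address
203.0.113.45    www.example-bank.test
192.0.2.200     www.example-bank.test example-bank.test
10.0.0.5        intranet.corp.example
not-an-address  broken.example
"""

# Hypothetical watch list: domains that should never be pinned in a hosts
# file on managed machines. A real deployment would list the organization's
# banking and payment providers.
WATCHLIST = ["example-bank.test"]


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in hosts-file text.

    Comments (everything after '#') and lines whose first field is not a
    valid IPv4/IPv6 address are skipped rather than treated as errors.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield line_no, ip, host.lower()


def in_watchlist(hostname, watchlist):
    """True if hostname is a watch-listed domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in watchlist)


def find_overrides(text, watchlist=WATCHLIST):
    """Return the hosts-file mappings that override a watch-listed domain.

    Each finding records the line number, the hostname, the address it was
    pinned to, and whether that address is a loopback one (a loopback pin
    blocks the site rather than redirecting it, but is still an override).
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if in_watchlist(host, watchlist):
            findings.append({"line": line_no, "host": host, "ip": str(ip),
                             "loopback": ip.is_loopback})
    return findings


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HOSTS):
        print(f)
```

On a live system the text would come from `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`; the parser handles both the IPv4 and IPv6 forms and the trailing-comment style both files use.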

Trojan Downloaders

These Trojans (like Trojan Droppers) are used to install malicious code on a victim machine. However, they can be more useful to malware authors. First, Downloaders are much smaller than Droppers. Second, they can be used to download endless new versions of malicious code, adware or ‘pornware’ programs. Like Droppers, Downloaders are typically written in script languages such as VBS or JavaScript. They also often exploit Microsoft® Internet Explorer vulnerabilities.

Trojan Droppers

The purpose of Trojan Droppers, as the name suggests, is to install malicious code on a victim machine. They either install another malicious program or a new version of some previously installed malware. Trojan Droppers often carry several completely unrelated pieces of malware that may be different in behavior or even written by different coders: in effect, they’re a kind of malware archive containing many kinds of different malicious code. They may also include a joke or hoax, to distract the user from the real purpose of the Dropper, the background installation of malicious code, or adware or ‘pornware’ programs. Droppers are often used to carry known Trojans, since it is significantly easier to write a dropper than a brand new Trojan that anti-virus programs will not be able to detect. Most droppers are written using VBS or JavaScript: they are, therefore, easy to write and can be used to perform multiple tasks.

Trojan Notifiers

The purpose of these Trojans is to inform the author or ‘master’ that malicious code has been installed on the victim machine and to relay information about the IP address, open ports, e-mail address and so on. Trojan Notifiers are typically included in a Trojan ‘pack’ that contains other malware.

Trojan Proxies

These Trojans function as a proxy server and provide anonymous access to the Internet: they are commonly used by spammers for large-scale distribution of spam e-mail.

Trojan Spies

Trojan Spies, as the name suggests, track user activity, save the information to the user’s hard disk and then forward it to the author or ‘master’ of the Trojan. The information collected includes keystrokes and screen-shots, used in the theft of banking data to support online fraud.

U

UDP [User Datagram Protocol]

UDP is a protocol used to transfer data (in the form of ‘datagrams’) across the Internet. Unlike TCP/IP, UDP doesn’t split up messages and re-assemble them at the other end. It is useful for sending small amounts of data, since it saves processing time that would be used to re-assemble packets.

Unicode

Unicode, used in Microsoft® Windows® NT, Windows 2000 and Windows XP, succeeded ASCII as a means of using binary codes to represent text characters used in the world’s principal languages.

Unix

The Unix operating system originated at AT&T’s Bell Labs in 1969. Unix is an open source operating system. Since it is not owned by a single vendor, many different Unix versions have been developed since its creation (including Unix-derivative operating systems like Linux). The Open Group holds the ‘Single UNIX Specification’ and the UNIX® trademark and certifies different Unix implementations.

Upload

Where a file is transferred from one computer to another, the sender is said to upload the file. For example, anti-virus updates are uploaded by an anti-virus vendor to their server, to make them available for users of their software.

URL [Universal Resource Locator]

The URL specifies the address of a piece of content on the World Wide Web. The request is made by typing the URL into the web browser, or by clicking on a hyperlink (or link for short): this link may be specified on a web page or in a piece of text in a document, spreadsheet, etc.

USB [Universal Serial Bus]

USB provides a ‘plug-and-play’ standard for connecting many peripheral devices to a computer simultaneously, without the need for a specific device adapter card for each device. USB allows up to 127 devices to connect to a single computer and allows for rapid transfer of data.

USB 1.1 (the original USB specification, developed by Compaq, IBM, DEC, Intel, Microsoft and Northern Telecom) supports data speeds of up to 12Mbps. USB 2.0 (developed by Compaq, Hewlett Packard, Intel, Lucent, NEC and Philips) supports data transfer speeds of up to 480Mbps.

V

Variant

The term variant refers to a modified version of an existing piece of malicious code. Virus writers are often quick to create new versions of a virus, worm or Trojan that has been ‘successful’, or if the source code for the malware has been published.

VBS [Visual Basic Script]

VBS is a script language developed by Microsoft®. Like JavaScript, it is often used in the development of web pages. For specific tasks, it’s often easier to write a script than to use a formal programming language like ‘C’ or ‘C++’.

However, as with a formal program, it’s also possible to use VBS to create malicious code. Since a script can be easily embedded in HTML, a virus author can embed a malicious script within an HTML e-mail: and when the user reads the e-mail, the script runs automatically.

Virus

Synonyms: Computer virus, Malicious program, Classic virus

Today the term virus is often loosely used to refer to any type of malicious program, or is used to describe any ‘bad thing’ that a malicious program does to a host system. Strictly speaking, however, a virus is defined as program code that replicates.

Of course, this simple definition leaves plenty of scope for further sub-division. Sometimes viruses are further classified by the types of object they infect: for example, boot sector viruses, file viruses, macro viruses.

Or they may be classified by the method they use to select their host. ‘Indirect action file viruses’ load into memory and hook into the system such that they can infect files as they are accessed. Conversely, ‘direct action file viruses’ do not go memory resident, simply infecting a file (or files) when an infected program is run and then ‘going to sleep’ until the next time an infected file is run.

Another way of classifying viruses is by the techniques they use to infect. There are ‘appending viruses’ that add their code to the end of a host file, ‘prepending viruses’ that put their code at the start of a host file and ‘overwriting viruses’ that replace the host file completely with their own code. By contrast, companion viruses and link viruses avoid adding code to a host file at all.

Then there are stealth viruses that manipulate the system to conceal changes they make and polymorphic viruses that encrypt their code to make it difficult to analyze and detect.

Of course, there are also viruses that fail to work: they either fail to infect or fail to spread. Such would-be viruses are sometimes referred to as ‘wannabes’.

Virus definition

Synonyms: Virus signature

Virus definitions (or signatures) contain a unique sequence of bytes used by an anti-virus program to identify each piece of malicious code. Signature analysis is one of the key methods used to find and remove malicious code.
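In its simplest form, signature analysis is a byte-sequence search over each file. The Python below is an added example, not part of the original glossary or of any product: the signature names and byte patterns are constructed test values, not real detection data. It shows the one detail a naive implementation gets wrong, a signature that straddles two read buffers, by carrying the tail of each chunk into the next. It also shows, on a single altered byte, why the Polymorphism entry earlier on this page matters: a signature match is exact, so code whose bytes change with every copy gives the scanner no constant sequence to find.

```python
"""Byte-signature scanning over a stream, with correct handling of matches that
straddle a read boundary (added example; signatures are constructed values)."""
import io

# Constructed signatures (not real detection data): name -> byte sequence.
SIGNATURES = {
    "Test.Sample.A": bytes.fromhex("deadbeef4d5a900003"),
    "Test.Sample.B": b"CONSTRUCTED-MARKER-B",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the sorted names of all signatures found anywhere in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_stream(stream, signatures=SIGNATURES, chunk_size=65536):
    """Scan a binary file-like object chunk by chunk.

    The last (longest signature - 1) bytes of each buffer are carried over to
    the next read, so a signature split across two reads is still found; the
    result is a set, so a match seen in both buffers is reported once.
    """
    overlap = max(len(s) for s in signatures.values()) - 1
    found = set()
    carry = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        found.update(scan_bytes(buf, signatures))
        carry = buf[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_file(path, signatures=SIGNATURES, chunk_size=65536):
    """Scan a file on disk without loading it into memory at once."""
    with open(path, "rb") as fh:
        return scan_stream(fh, signatures, chunk_size)


def scan_chunked(data, chunk_size, signatures=SIGNATURES):
    """Scan in-memory data through scan_stream with a chosen chunk size (used
    to exercise the read-boundary handling on small inputs)."""
    return scan_stream(io.BytesIO(data), signatures, chunk_size)


def build_sample(signature):
    """Constructed file content: one signature embedded in filler bytes."""
    return b"A" * 10 + signature + b"B" * 10


if __name__ == "__main__":
    sample = build_sample(SIGNATURES["Test.Sample.A"])
    print(scan_chunked(sample, chunk_size=12))
```

Real engines keep signatures in a form that matches many patterns in one pass rather than testing each in turn, and pair the byte search with the emulation and algorithmic methods the Polymorphism entry mentions; the boundary handling, though, is the same.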

VoIP [Voice over IP]

VoIP is a technology that lets subscribers to the VoIP service make telephone calls using a computer network that supports IP [Internet Protocol]. VoIP converts the analog signal used in a conventional telephone into a digital signal that can be carried over the Internet in packets (and converts it back again at the other end).

This means that users with a broadband Internet connection can replace their existing telephone connection with VoIP. Some VoIP services only allow telephone calls to people using the same service. Others allow calls to any number. Some VoIP services work just through the computer. Others require a special VoIP telephone or a VoIP adapter fitted to a conventional telephone.

VPN [Virtual Private Network]

A VPN is used to provide remote users with secure access to the private network of a corporation or other organization, over the Internet (rather than using an expensive dedicated leased line). Privacy is maintained by implementing encryption and other security features, preventing unauthorized access to the private network.

Vulnerability

A vulnerability is a bug or security flaw in an application or operating system that provides the potential for a hacker or virus writer to gain unauthorized access to, or use of, a user’s computer. The hacker does this by writing specific exploit code.

Once a vulnerability has been discovered (either by the developer of the software or someone else) the vendor of the application typically creates a ‘patch’ or ‘fix’ to block the security hole. As a result, vendors, security experts and virus writers are engaged in a never-ending race to find vulnerabilities first.

During recent years, the time-lag between the discovery of a vulnerability and the creation of exploit code that makes use of it has diminished. The worst-case scenario, of course, is a so-called ‘zero-day exploit’, where the exploit appears immediately after the vulnerability has been discovered. This leaves almost no time for a vendor to create a patch, or for IT administrators to implement other defensive measures.

W

War chalking

War chalking refers to the act of walking round a city or town to locate wireless access points, or ‘hot spots’, in order to gain unauthorized access to unsecured wireless networks. It is so-called from the act of indicating the hot-spot using a chalk mark.

War driving

War driving refers to the act of driving round a city or town to locate wireless access points, or ‘hot spots’, in order to gain unauthorized access to unsecured wireless networks. The specific process of mapping Bluetooth devices is referred to as ‘war nibbling’.

Web browser

A web browser is an application that lets a user access and display content from the World Wide Web.

Whitelist

Used as one method of filtering spam, a whitelist provides a list of legitimate e-mail addresses or domain names: all messages from whitelisted addresses or domains are automatically passed through to the intended recipient.
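The filter the entry describes, as an added example that is not part of the original glossary: a Python whitelist that accepts either full addresses or bare domains (subdomains of a listed domain count), matches the real address from the From header rather than its display name, and splits a constructed batch of messages into those passed straight through and those held for the normal spam checks. The addresses, domains and subjects are made up for the example. The spoofed display name and the look-alike domain in the sample show the two ways a sender tries to look whitelisted without being so.

```python
"""Whitelist filtering of e-mail by sender address or domain (added example)."""
from email.utils import parseaddr

# Constructed whitelist: full addresses and bare domains (hypothetical names).
WHITELIST = ["alice@example.com", "partner.example"]

# Constructed sample messages as (From header, Subject) pairs.
SAMPLE_MESSAGES = [
    ("Alice <alice@example.com>", "Q3 report"),
    ("Alice <mallory@evil.test>", "Q3 report"),          # spoofed display name
    ("bob@mail.partner.example", "Invoice"),             # subdomain of a listed domain
    ("ALICE@EXAMPLE.COM", "Re: Q3 report"),              # case differs only
    ("sales@example.com.evil.test", "Special offer"),    # look-alike domain
    ("", "Unsubscribe now"),                             # no sender at all
]


def normalize_whitelist(entries):
    """Split whitelist entries into lowercase address and domain sets."""
    addresses, domains = set(), set()
    for entry in entries:
        entry = entry.strip().lower()
        (addresses if "@" in entry else domains).add(entry)
    return addresses, domains


def is_whitelisted(from_header, whitelist=WHITELIST):
    """True if the From address (not the display name, which is trivially
    forged) is a listed address, or belongs to a listed domain or one of
    its subdomains. Comparison is case-insensitive."""
    addresses, domains = normalize_whitelist(whitelist)
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return False
    if addr in addresses:
        return True
    domain = addr.rsplit("@", 1)[1]
    return any(domain == d or domain.endswith("." + d) for d in domains)


def filter_messages(messages, whitelist=WHITELIST):
    """Split messages into (passed, held) subject lists. Held messages are
    not dropped; they simply continue to the ordinary spam checks."""
    passed, held = [], []
    for from_header, subject in messages:
        (passed if is_whitelisted(from_header, whitelist) else held).append(subject)
    return passed, held


if __name__ == "__main__":
    print(filter_messages(SAMPLE_MESSAGES))
```

Matching on the domain suffix with a leading dot is what keeps `example.com.evil.test` out: a plain `endswith("example.com")` test would let it through.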

WiFi

Synonyms: Wireless network

WiFi (short for ‘wireless fidelity’) is the name commonly given to wireless networks that conform to the 802.11 specification laid down by IEEE [Institute of Electrical and Electronic Engineers]. WiFi provides for fast data transfer rates (up to 11Mbps) and has become increasingly popular in recent years. Today, many PCs and mobile devices are fitted with wireless cards that enable them to connect to a wireless network. WiFi has become a more common way of connecting to a network and wireless access points, or ‘hot spots’, can be found in businesses, homes, hotels, airports and even fast food outlets.

By design, no wires are required to connect to a wireless network. If the wireless network is unsecured, it can be accessed easily by hackers or other users wishing to obtain free Internet access: so-called ‘war driving’ or ‘war chalking’.

WildList

The WildList was established in July 1993 by anti-virus researcher Joe Wells, was subsequently published monthly by the WildList Organization and is now published by ICSA Labs (part of TrueSecure Corporation). It aims to keep track of which viruses are spreading in the real world (the WildList FAQ cites the WildList as ‘the world’s authority on which viruses users should really be concerned with’).

Detection of ‘in the wild’ viruses, as defined by the WildList, has become the de facto measure by which anti-virus products are judged. Fee-based anti-virus certification tests, most notably ICSA Labs and West Coast Labs, are based on detection of WildList samples. In addition, the Virus Bulletin ‘VB100%’ is awarded on the basis of a product’s ability to detect WildList viruses.

However, in today’s wired world, there’s a higher risk of being hit by new malware, with around 80% of new malicious programs being found in the field, not just in so-called ‘zoo’ collections. As a result, the WildList has become somewhat outmoded as a measure of the real threat.

World Wide Web

The World Wide Web (or WWW for short) was developed by Tim Berners-Lee, a British software consultant who was looking for a way to track associations between pieces of information using a computer (much like a thesaurus does manually). His initial program for doing this was called ‘Enquire’, developed in the 1980s.

He subsequently developed the idea, and the standards, to allow the sharing of data across the Internet. He created HTML as the standard method for coding web content. He designed an addressing scheme (contained in the URL) for locating web content. And he created HTTP as the protocol for transferring web content across the Internet.

The World Wide Web as we now know it appeared in 1991 and has grown exponentially since. Tim Berners-Lee founded the World Wide Web Consortium [the W3C], the body that sets WWW standards. The W3C defines the World Wide Web as ‘the universe of network-accessible information, an embodiment of human knowledge’.

Worm

Synonyms: Computer worm, Email worm, Internet worm, Network worm

Worms are generally considered to be a subset of viruses, but with key differences. A worm is a computer program that replicates but does not infect other files: instead, it installs itself on a victim computer and then looks for a way to spread to other computers.

From a user’s perspective, there are observable differences. In the case of a virus, the longer it goes undetected, the more infected files there will be on the victim computer. In the case of a worm, by contrast, there is just a single instance of the worm code. Moreover, the worm’s code is ‘self-standing’, rather than being added to existing files on the disk.

Like viruses, worms are often sub-divided according to the means they use to infect a system. E-mail worms are distributed as attachments to e-mail messages; IM worms are attached to messages sent using instant messaging programs (such as IRC or ICQ); P2P [peer-to-peer] worms use file-sharing networks to spread. Network worms spread directly over the LAN [Local Area Network] or across the Internet, often making use of a specific vulnerability.

The term ‘worm’ was coined by sci-fi writer John Brunner in his 1975 novel Shockwave Rider. The hero, a talented programmer, created self-replicating computer programs that tunneled their way through a worldwide network.

X

xx-bit processor

Computer processors are often defined in terms of the ‘word’ size they can handle. In computing, the term ‘word’ refers to the block of data (specified in number of bits) that can be manipulated in a single clock cycle.

So a 16-bit processor has a word size of 16 bits, a 32-bit processor has a word size of 32 bits and a 64-bit processor has a word size of 64 bits. From this, it is clear that a 64-bit processor is able to handle more data in the same clock cycle and is therefore more efficient.

Newer processors are backward compatible. 64-bit processors, for example, are able to detect 16-bit and 32-bit applications and process them appropriately.
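The word-size idea above, as an added example that is not part of the original glossary: a small C program that reports the word size of the platform it was compiled for and simulates unsigned addition at a chosen word width, so that a sum which fits comfortably in a 64-bit word can be seen wrapping around to zero in a 32-bit one. The function names (native_word_bits, word_max, add_in_word, wraps_in_word) and the sample values are the example's own, not the glossary's.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Word size, in bits, of the platform this program was compiled for.
 * Pointer width is used as the proxy: 4 bytes on a 32-bit build, 8 on a 64-bit one. */
unsigned native_word_bits(void) {
    return (unsigned)(sizeof(void *) * CHAR_BIT);
}

/* Largest unsigned value that fits in a word of 'bits' bits (1 <= bits <= 64). */
uint64_t word_max(unsigned bits) {
    return bits >= 64 ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
}

/* Add a and b the way a machine with the given word width would: the inputs
 * and the result are reduced modulo 2^bits. That reduction is exactly where
 * integer overflow (wrap-around) comes from. uint64_t addition itself wraps
 * modulo 2^64, so the 64-bit case is handled by the same expression. */
uint64_t add_in_word(unsigned bits, uint64_t a, uint64_t b) {
    uint64_t mask = word_max(bits);
    return ((a & mask) + (b & mask)) & mask;
}

/* 1 if the sum a + b does not fit in a word of 'bits' bits, 0 otherwise.
 * For unsigned addition, a wrapped result is always smaller than either operand. */
int wraps_in_word(unsigned bits, uint64_t a, uint64_t b) {
    uint64_t mask = word_max(bits);
    return add_in_word(bits, a, b) < (a & mask);
}

int main(void) {
    /* Constructed sample: a length of 0xFFFFFFFF bytes plus one terminator byte. */
    uint64_t len = 0xFFFFFFFFu;
    unsigned widths[] = { 16, 32, 64 };

    printf("this build uses a %u-bit word\n", native_word_bits());
    for (unsigned i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        unsigned w = widths[i];
        printf("%2u-bit word: max=%llu, 0xFFFFFFFF+1=%llu, wrapped=%d\n",
               w, (unsigned long long)word_max(w),
               (unsigned long long)add_in_word(w, len, 1),
               wraps_in_word(w, len, 1));
    }
    return 0;
}
```

The wrap-around the program shows is the root of many integer-overflow bugs in length and size calculations: the same `len + 1` that is harmless on a 64-bit word silently becomes 0 on a 32-bit one, so a defender porting or reviewing code should check for a wrapped sum before it is used as a buffer size.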

Z

Zero-day exploit

A zero-day exploit is an exploit, written to take advantage of a bug or vulnerability in an application or operating system, that appears immediately after the vulnerability has been discovered. This leaves almost no time for a vendor to create a patch, or for IT administrators to implement other defensive measures.

Zoo

The term zoo refers to malicious code that has not been seen in the field. Anti-virus vendors include detection for such malicious code, since there is no way of knowing if it will spread successfully in the future.
