Adware: Software that displays popup/popunder ads when the primary user interface is not visible, or ads which do not appear to be associated with the product.

Annoyance: Any trojan that does not cause damage other than to annoy a user, such as by turning the text on the screen upside down, or making mouse motions erratic.

ANSI Bomb: Character sequences that reprogram specific keys on the keyboard. If ANSI.SYS is loaded, some bombs will display colorful messages, or have interesting (but unwanted) graphical effects.

AOL Pest: Any password stealer, exploit, DoS attack, or ICQ hack aimed at users of AOL. ICQ is an instant messenger service from mirabilis.com, now AOL. ICQ is a favorite service among hackers, and ICQ features are built into many trojans (such as stealing users' passwords or UINs, or notifying the hacker). Users of ICQ are warned: "By using the ICQ service and software... you may be subject to various risks, including... Spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, 'imposturing', electronic trespassing, tampering, hacking, nuking, system contamination including without limitation use of viruses, worms and Trojan horses causing unauthorized, damaging or harmful access and/or retrieval of information and data on your computer and other forms of activity that may even be considered unlawful."

AV Killer: Any hacker tool intended to disable a user's anti-virus software to help elude detection. Some will also disable personal firewalls.

Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.

Binder: A tool that combines two or more files into a single file, usually for the purpose of hiding one of them. A binder compiles the list of files that you select into one host file, which you can rename. A host file is a simple custom compiled program that will decompress and launch the source programs. When you start the host, the embedded files in it are automatically decompressed and launched. When a trojan is bound with Notepad, for instance, the result will appear to be Notepad, and appear to run like Notepad, but the trojan will also be run.

Browser Helper Object (BHO): A component that Internet Explorer loads whenever it starts. It shares IE's memory context and can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, and monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because the firewall sees them as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.

Commercial RAT: Any commercial product that is normally used for remote administration, but which might be exploited to do this without user consent or awareness.

Cracking Misc: Any document and/or tool that provides guidance on how to remove copy protection.

Cracking Tool: Any software designed to modify other software for the purpose of removing usage restrictions. An example is a 'patcher' or 'patch generator', which replaces bytes at specified locations in a file, rendering it a licensed version. A music file ripper is a program that enables the user to digitally copy songs from a CD into many different formats such as MP3, WAV, or AIFC.

DDoS: A Distributed Denial of Service (DDoS) attack is one that pits many machines against a single victim. An example is the attacks of February 2000 against some of the biggest websites. Even though these websites have a theoretical bandwidth of a gigabit/second, distributing many agents throughout the Internet and flooding them with traffic can bring them down. The Internet is defenseless against these attacks. The best defense is for users everywhere to run PestPatrol, and remove DDoS clients when they are found, so that their machines are not used as attack tools. Another approach is for ISPs to do "egress filtering": prevent packets from going outbound that do not originate from IP addresses assigned to the ISP. This cuts down on the problem of spoofed IP addresses.
Dialer: Software that dials a phone number. Some dialers connect to local Internet Service Providers and are beneficial as configured. Others connect to toll numbers without user awareness or permission.

DoS: An exploit whose purpose is to deny somebody the use of a service: namely to crash or hang a program or the entire system. Examples of DoS attacks include flooding the victim with more traffic than can be handled; flooding a service (like IRC) with more events than it can handle; crashing a TCP/IP stack by sending corrupt packets; crashing a service by interacting with it in an unexpected way; or hanging a system by causing it to go into an infinite loop. For example, the Ping of Death exploit crashed machines by sending illegally fragmented packets at a victim. A common word for DoS is "nuke", which was first popularized by the WinNuke program.

Downloader: A program designed to retrieve and install additional files when run. Most will be configured to retrieve from a designated web or FTP site.

Dropper: In viruses and trojans, the dropper is the part of the program that installs the hostile code onto the system.

Encryption Tool: Any software that can be used to scramble documents, software, or systems so that only those possessing a valid key are able to unscramble it. Encryption tools are used to secure information; sometimes unauthorized use of encryption tools in an organization is a cause for concern.

Error Hijacker: Any software that resets your browser's settings to display a new error page when a requested URL is not found. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Exploit: A way of breaking into a system. An exploit takes advantage of a weakness in a system in order to hack it. Exploits are the root of the hacker culture. Hackers gain fame by discovering an exploit. Others gain fame by writing scripts for it. Legions of script-kiddies apply the exploit to millions of systems, whether it makes sense or not. Since people make the same mistakes over and over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, directory climbing, defaults, Denial of Service.

Firewall Killer: Any hacker tool intended to disable a user's personal firewall. Some will also disable resident anti-virus software.

Flooder: A program that overloads a connection by any mechanism, such as fast pinging, causing a DoS attack.

FTP Server: When installed without user awareness, an FTP server allows an attacker to download any file on the user's machine, to upload new files to that machine, and to replace any existing file with an uploaded file.

Hacking Tutorial: A Hacking Tutorial explains how to break into systems.

Hijacker: Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Hoax: Not a pest, not a virus, not a worm, not a trojan. A hoax is a worrisome warning, usually transmitted by e-mail. Examples of hoaxes: 'If you receive an e-mail that has a subject line of X, then ... This is a very bad thing, and blah blah blah... Please pass this on to everyone in your address book.' Before following the instructions in the e-mail, do a simple internet search for the subject line, the file name, etc. to see if others regard this as a hoax. Hoaxes are not detected by PestPatrol. But some are included in our Pest Encyclopedia for your information.

Homepage Hijacker: Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.

Hostile ActiveX: An ActiveX control is essentially a Windows program that can be distributed from a web page. These controls can do literally anything a Windows program can do. A Hostile ActiveX program does something that its user did not intend for it to do, such as erasing a hard drive, dropping a virus or trojan into your machine, or scanning your drive for tax records or documents. As with other Trojans, a Hostile ActiveX control will normally appear to have some other function than what it actually has.
Hostile Java: Browsers include a "virtual machine" that encapsulates the Java program and prevents it from accessing your local machine. The theory behind this is that a Java "applet" is really content -- like graphics -- rather than full application software. However, as of July 2000, all known browsers have had bugs in their Java virtual machines that would allow hostile applets to "break out" of this "sandbox" and access other parts of the system. Most security experts browse with Java disabled on their computers, or encapsulate it with further sandboxes/virtual machines.

Hostile Script: A script is a text file with a .VBS, .WSH, .JS, .HTA, .JSE, or .VBE extension that is executed by Microsoft WScript or Microsoft Scripting Host Application, which interprets the instructions in the script and acts on them. A hostile script performs unwanted actions.

HTTP Server: When installed without user awareness, an HTTP server allows an attacker to use a web browser to view and thus retrieve information collected by other software placed in the user's machine.

IRC War: Any tool that uses Internet Relay Chat for spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, 'imposturing', electronic trespassing, tampering, hacking, nuking, system contamination including without limitation use of viruses, worms and Trojan horses causing unauthorized, damaging or harmful access and/or retrieval of information and data on your computer and other forms of activity that may even be considered unlawful.

Key Generator: Any tool designed to break software copy protection by extracting internally-stored keys, which can then be entered into the program to convince it that the user is an authorized purchaser.

Key Logger (Keystroke Logger): A program that runs in the background, recording all the keystrokes. Once keystrokes are logged, they are hidden in the machine for later retrieval, or shipped raw to the attacker. The attacker then peruses them carefully in the hopes of finding passwords, or possibly other useful information that could be used to compromise the system or be used in a social engineering attack. For example, a key logger will reveal the contents of all e-mail composed by the user. Keylog programs are commonly included in rootkits and RATs (remote administration trojans).

Loader: Any program designed to load another program.

Mail Bomber: Software that will flood a victim's inbox with hundreds or thousands of pieces of mail. Such mail generally does not correctly reveal its source.

Mailer: A program that creates and sends email with forged headers, so that the source of the mail it sends cannot be traced.

Misc Tool: Any tool that might be used in planning an attack on a system, developing tools for such an attack, or performing it.

Notifier: Any tool designed for stealth notification of an attacker that a victim has installed and run some pest. Such notification might be done by FTP, SMS, SMTP, or other method, and might contain a variety of information. Often used in combination with a Packer, a Binder and a Downloader.

Nuker: A program that disables a machine through damage to the registry, key files, the file system, etc.

P2P: Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox. In an organization, P2P programs can degrade network performance and consume vast amounts of storage. They may create security issues as outsiders are granted access to internal files. Often bundled with Adware or Spyware.

Packer: A utility which compresses a file, encrypting it in the process. It adds a header that automatically expands the file in memory when it is executed, and then transfers control to that file. Some packers can unpack without starting the packed file. Packers are "useful" for trojan authors as they make their work undetectable by anti-virus products.
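Because a packer compresses or encrypts the original program, the packed body no longer looks like ordinary code: its bytes are close to uniformly distributed. Scanners therefore use byte entropy as a first-pass indicator that a file is packed and needs closer inspection. The following is an added example written for this page, not PestPatrol's code: it measures Shannon entropy over fixed-size slices of a buffer so that a packed region inside an otherwise ordinary file still stands out. The 7.0 bits-per-byte threshold, the slice size, and the two sample buffers are assumptions constructed for the example.

```python
import math
import random
from collections import Counter

# Rule-of-thumb cut-off (an assumption for this example): compressed or
# encrypted data approaches 8 bits of entropy per byte, while native code
# and text normally sit well below 7.
PACKED_ENTROPY_THRESHOLD = 7.0
SLICE_SIZE = 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the buffer in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    counts = Counter(data)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def slice_entropies(data: bytes, slice_size: int = SLICE_SIZE) -> list:
    """Entropy of each fixed-size slice, so a high-entropy packed section
    is not averaged away by a low-entropy stub or header around it."""
    return [shannon_entropy(data[i:i + slice_size])
            for i in range(0, len(data), slice_size)]


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """Flag the buffer if any slice reaches the threshold."""
    return any(e >= threshold for e in slice_entropies(data))


# --- constructed sample inputs (not real executables) ---

def sample_plain_program() -> bytes:
    """Stand-in for an unpacked binary: repetitive, low-entropy content."""
    return (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n") * 40


def sample_packed_program() -> bytes:
    """Stand-in for a packed binary: a short stub followed by a body of
    pseudo-random bytes, which is what a compressed or encrypted section
    looks like. A seeded generator keeps the sample reproducible."""
    rng = random.Random(1234)
    stub = b"MZ" + b"\x00" * 62
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    return stub + body


if __name__ == "__main__":
    for name, blob in (("plain", sample_plain_program()),
                       ("packed", sample_packed_program())):
        print(name, "max slice entropy:", round(max(slice_entropies(blob)), 2),
              "packed?", looks_packed(blob))
```

Entropy alone does not identify a pest: legitimate installers, compressed archives and media files are also high-entropy. In a real pipeline this check decides which files are worth unpacking or emulating before the signature scan, rather than being the verdict itself.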
Password Capture: A variant of the Key Logger that captures passwords as they are entered or transmitted. Some password capture trojans impersonate the login prompt, asking the user to provide their password.

Password Cracker: A tool to decrypt a password or password file. PestPatrol uses the term both for programs that take an algorithmic approach to cracking, and for those that use brute force with a password cracking word list. Password crackers have legitimate uses by security administrators, who want to find weak passwords in order to change them and improve system security.

Password Cracking Word List: A list of words that a brute force password cracker can use to muscle its way into a system.

Phreaking Tool: Any executable that assists in hacking the phone system, such as by using a sound card to imitate various audible tones.

Port Scanner: In hacker reconnaissance, a port scan attempts to connect to all 65536 ports on a machine in order to see if anybody is listening on those ports. Port scans are not illegal in many places, in part because they don't actually compromise the system, in part because they can easily be spoofed, so it is hard to prove guilt, and in part because virtually any machine on the Internet can be induced to scan another machine. Many people think that port scanning is an overt hostile act and should be made illegal. An attacker will often sweep thousands (or millions) of machines rather than a single machine, looking for any system that might be vulnerable. Port scans are always automated through tools called Port Scanners.
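The signature of a port scan in a firewall log is one source touching many distinct destination ports in a short time, which is what a defender looks for. The block below is an added example written for this page, not PestPatrol's code: it parses constructed firewall log lines (the line format, the addresses, the 60-second window and the threshold of 10 distinct ports are all assumptions made for the example) and reports any source whose distinct-port count inside a sliding window reaches the threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from any real device): a scanner at
# 10.1.1.5 walks a dozen ports on one host within 20 seconds, while
# 10.1.1.7 only talks to the web server on 80 and 443.
SAMPLE_LOG = """\
2000-07-14T10:00:00 DENY src=10.1.1.5 dst=192.168.0.10 dport=21
2000-07-14T10:00:02 DENY src=10.1.1.5 dst=192.168.0.10 dport=22
2000-07-14T10:00:03 ALLOW src=10.1.1.7 dst=192.168.0.10 dport=80
2000-07-14T10:00:04 DENY src=10.1.1.5 dst=192.168.0.10 dport=23
2000-07-14T10:00:06 DENY src=10.1.1.5 dst=192.168.0.10 dport=25
2000-07-14T10:00:08 DENY src=10.1.1.5 dst=192.168.0.10 dport=53
2000-07-14T10:00:09 ALLOW src=10.1.1.7 dst=192.168.0.10 dport=443
2000-07-14T10:00:10 ALLOW src=10.1.1.5 dst=192.168.0.10 dport=80
2000-07-14T10:00:12 DENY src=10.1.1.5 dst=192.168.0.10 dport=110
2000-07-14T10:00:14 DENY src=10.1.1.5 dst=192.168.0.10 dport=135
2000-07-14T10:00:15 ALLOW src=10.1.1.7 dst=192.168.0.10 dport=80
2000-07-14T10:00:16 DENY src=10.1.1.5 dst=192.168.0.10 dport=139
2000-07-14T10:00:17 DENY src=10.1.1.5 dst=192.168.0.10 dport=445
2000-07-14T10:00:19 DENY src=10.1.1.5 dst=192.168.0.10 dport=1433
2000-07-14T10:00:20 DENY src=10.1.1.5 dst=192.168.0.10 dport=3389
2000-07-14T10:05:00 ALLOW src=10.1.1.7 dst=192.168.0.10 dport=80
"""

# Assumed line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_log(text: str) -> list:
    """Return (timestamp, src, dst, dport) tuples; lines that do not match
    the expected layout are skipped rather than crashing the parser."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"],
                       m["dst"], int(m["dport"])))
    return events


def max_distinct_ports(events, window_seconds: int = 60) -> dict:
    """For each source, the largest number of distinct (dst, port) pairs it
    touched inside any window of window_seconds. Both ALLOW and DENY lines
    count: a scanner hitting an open port still contributes to the sweep."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    window = timedelta(seconds=window_seconds)
    result = {}
    for src, items in by_src.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within window_seconds.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {(d, p) for _, d, p in items[start:end + 1]}
            best = max(best, len(distinct))
        result[src] = best
    return result


def detect_port_scans(text: str, threshold: int = 10, window_seconds: int = 60) -> list:
    """Sources that reached the distinct-port threshold inside one window."""
    counts = max_distinct_ports(parse_log(text), window_seconds)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(max_distinct_ports(parse_log(SAMPLE_LOG)))
    print("suspected scanners:", detect_port_scans(SAMPLE_LOG))
```

The threshold and window are tuning knobs: a vulnerability scanner run by your own security team will trip the same rule, so the alert should be correlated with an allow-list of authorized scanning hosts rather than blocked blindly.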
Probe Tool: A tool that explores another system, looking for vulnerabilities. While these can be used by security managers wishing to shore up their security, the tools are as likely used by attackers to evaluate where to start an attack. An example is an NT Security Scanner.

Proxy: Any firewall that blocks and re-creates a connection between two points. As a defensive tool, a proxy in an organization hides a user from the outside world. As a pest, a proxy hides an attacker from a user: it is a tool that can be used to anonymize a connection between an attacker and your machine, making the connection more difficult to trace. The attacker interacts with the proxy; the proxy translates the interaction and interacts with your machine. As attack tools, SMTP and FTP proxies are often used in conjunction with Firewall Killers, Downloaders, RATs, and Trojans.

RAT: A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed on a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.

Search Hijacker: Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.

Sniffer: A wiretap that eavesdrops on computer networks. The attacker must be between the sender and the receiver in order to sniff traffic. This is easy in corporations using shared media. Sniffers are frequently used as part of automated programs to sift information off the wire, such as clear-text passwords, and sometimes password hashes (to be cracked).

SPAM Tool: Any software designed to extract email addresses from web sites and other sources, remove "dangerous" or "illegal" addresses, and/or efficiently send unsolicited (and perhaps untraceable) mail to these addresses.

Spoofer: To spoof is to forge your identity. Attackers use spoofers to forge their IP address (IP spoofing). The most common use of spoofing today is smurf and fraggle attacks. These attacks use spoofed packets against amplifiers in order to overload the victim's connection. This is done by sending a single packet to a broadcast address with the victim as the source address. All the machines within the broadcast domain then respond to the victim, overloading the victim's Internet connection. Since smurfing accounts for more than half the traffic on some backbones, ISPs are starting to take spoofing seriously and have started implementing measures within their routers that verify valid source addresses before passing the packets.
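Both the DDoS entry's "egress filtering" and the router-side source-address verification mentioned for the Spoofer entry come down to the same decision: a packet leaving a network is forwarded only if its source address belongs to that network, and a packet entering it is refused if it claims an internal source or is aimed at a local broadcast address from outside (the smurf amplification pattern). The following is an added example written for this page, not PestPatrol's code or any router vendor's implementation; the two assigned prefixes (documentation ranges) and the packets are constructed for the example, and the packet representation as small dicts is an assumption.

```python
import ipaddress

# Constructed address plan (documentation ranges, not a real network): the
# ISP in this example has been assigned these two prefixes.
ASSIGNED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]


def source_is_assigned(src: str, prefixes) -> bool:
    """True when the source address falls inside one of our own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def is_directed_broadcast(src: str, dst: str, prefixes) -> bool:
    """True when dst is the broadcast address of one of our prefixes and the
    source lies outside that prefix: a single packet from outside that every
    host in the broadcast domain would answer."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return any(d == net.broadcast_address and s not in net for net in prefixes)


def egress_filter(packets, prefixes=ASSIGNED_PREFIXES):
    """Outbound side: forward only packets whose source address we actually
    own, so a compromised host here cannot spoof somebody else's address."""
    passed, dropped = [], []
    for pkt in packets:
        if source_is_assigned(pkt["src"], prefixes):
            passed.append(pkt)
        else:
            dropped.append((pkt, "source address not assigned to this network"))
    return passed, dropped


def ingress_filter(packets, prefixes=ASSIGNED_PREFIXES):
    """Inbound side: refuse packets that claim one of our own addresses as
    their source, and packets aimed at our broadcast addresses from outside."""
    passed, dropped = [], []
    for pkt in packets:
        if source_is_assigned(pkt["src"], prefixes):
            dropped.append((pkt, "external packet spoofing an internal source"))
        elif is_directed_broadcast(pkt["src"], pkt["dst"], prefixes):
            dropped.append((pkt, "directed broadcast from outside (amplification)"))
        else:
            passed.append(pkt)
    return passed, dropped


# Constructed traffic samples.
OUTBOUND = [
    {"src": "203.0.113.10", "dst": "192.0.2.5"},     # legitimate customer traffic
    {"src": "10.9.9.9", "dst": "192.0.2.5"},         # spoofed: not one of our addresses
    {"src": "198.51.100.200", "dst": "192.0.2.5"},   # spoofed: outside our /25 (.0-.127)
]
INBOUND = [
    {"src": "192.0.2.5", "dst": "203.0.113.10"},     # ordinary reply to a customer
    {"src": "192.0.2.5", "dst": "203.0.113.255"},    # directed broadcast from outside
    {"src": "203.0.113.77", "dst": "203.0.113.10"},  # arrives from outside claiming our address
]

if __name__ == "__main__":
    for label, fn, pkts in (("egress", egress_filter, OUTBOUND),
                            ("ingress", ingress_filter, INBOUND)):
        passed, dropped = fn(pkts)
        print(label, "passed:", passed)
        for pkt, reason in dropped:
            print(label, "dropped:", pkt, "->", reason)
```

The egress rule is the one the DDoS entry attributes to ISPs: it does not protect the ISP's own customers, it protects everyone else from them, which is why it only works when adopted widely. The directed-broadcast rule removes the amplifier the Spoofer entry describes, so a spoofed packet reaches at most one host instead of a whole subnet.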
Spyware: Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior. Many spyware products will collect referrer info (information from your web browser which reveals what URL you linked from), your IP address (a number that is used by computers on the network to identify your computer), and system information (such as time of visit, type of browser used, the operating system and platform, and CPU speed). Spyware products sometimes wrap other commercial products, and are introduced to machines when those commercial products are installed.

Surveillance: Any software designed to use a webcam, microphone, screen capture, or other approaches to monitor and capture information. Some such software will transmit this captured information to a remote source.

Telnet Server: Software that allows a remote user of a Telnet client to connect as a remote terminal from anywhere on the Internet and control a computer on which the server software is running.

Toolbar: A group of buttons which perform common tasks. A toolbar for Internet Explorer is normally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.

Tracking Cookie: Any cookie that is shared among two or more web pages for the purpose of tracking a user's surfing history.

Trojan: Any program with a hidden intent. Trojans are one of the leading causes of break-ins to machines. If you pull down a program from a chat room, newsgroup, or even from unsolicited e-mail, then the program is likely trojaned with some subversive purpose. The word Trojan can be used as a verb: to trojan a program is to add subversive functionality to an existing program. For example, a trojaned login program might be programmed to accept a certain password for any user's account, which the hacker can use to log back into the system at any time. Rootkits often contain a suite of such trojaned programs.

Trojan Creation Tool: A program designed to create Trojans. Some of these tools merely wrap existing Trojans, to make them harder to detect. Others add a trojan to an existing product (such as RegEdit.exe), making it a Dropper.

Trojan Horse: A Trojan Horse portrays itself as something other than what it is at the point of execution. While it may advertise its activity after launching, this information is not apparent to the user beforehand. A Trojan Horse neither replicates nor copies itself, but causes damage or compromises the security of the computer. A Trojan Horse must be sent by someone or carried by another program and may arrive in the form of a joke program or software of some sort. The malicious functionality of a Trojan Horse may be anything undesirable for a computer user, including data destruction or compromising a system by providing a means for another computer to gain access, thus bypassing normal access controls.

Trojan Source: Source code is written by a programmer in a high-level language and is readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Trojan Source can be compiled to create working trojans, or modified and compiled by programmers to make new working trojans.

Usage Track: Usage tracks permit any user (or their software agent) with access to your computer to see what you've been doing. Such tracks benefit you if you have left the tracks, but might benefit another user as well.

Virus Creation Tool: A program designed to generate viruses. Even early virus creation tools were able to generate hundreds or thousands of different, functioning viruses, which were initially undetectable by current scanners.

Virus Source: Source code is written by a programmer in a high-level language and is readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Virus Source can be compiled to create working viruses, or modified and compiled by programmers to make new working viruses.

Virus Tutorial: We don't think there is much need for viruses in today's offices, so we don't think there is much need to learn how to create them. Virus Tutorials explain 'how to'.

War Dialer (demon-dialing, carrier-scanning): War-dialing was popularized in the 1983 movie War Games. It is the process of dialing all the numbers in a range in order to find any machine that answers. Many corporations have desktop computers with attached modems; attackers can dial in order to break into the desktop, and thereafter the corporation. Similarly, many companies have servers with attached modems that aren't considered part of the general security scheme. Since most security emphasis these days is on Internet-related attacks, war-dialing represents the "soft underbelly" of the security infrastructure that can be exploited.

Worm: A program that propagates itself by attacking other machines and copying itself to them. Both worms and viruses are self-replicating code that travels from machine to machine by various means. Both worms and viruses have, as their first objective, merely propagation. Both can be destructive, depending on what payload, if any, they have been given. But there are some differences: worms may replace files, but do not insert themselves into files. In contrast, viruses insert themselves into files, but do not replace them.

Worm Creation Tool: A program designed to generate worms. Worm creation tools can often generate hundreds or thousands of different, functioning worms, most of which are initially undetectable by current scanners.