The Safe Mac

Follow The Safe Mac on Twitter to stay advised of the latest Mac security news!


Malware Dictionary

Published August 27th, 2013 at 11:11 AM EST, modified December 19th, 2013 at 6:06 AM EST

e-biohazard

The following is (hopefully) a fairly comprehensive dictionary of all malware-related terms. I have probably omitted something, and will revise this dictionary over time. If you feel that I have omitted something, or have gotten something wrong, please feel free to e-mail me to discuss it.

These terms are sorted into logical groups, and may or may not be in alphabetical order within each group, depending on whether it makes sense to have them in a specific order or not. To find a specific term, if you’re not sure where to find it, either search for it using your browser’s text search function (command-F in most Mac web browsers) or refer to the alphabetized index at the end of this document.

Go to index…

Malware Classes

malware
Catch-all term describing all malicious software, regardless of type. For example, viruses and trojans are two specific types of malicious software, but both would also be referred to as malware.
trojan
Malware that tricks the user into opening it. The name comes from the famous Trojan Horse, in which Greek soldiers hid so that they could come out and attack the city of Troy after the Trojans were tricked into bringing it inside the walls. A trojan is unable to infect a computer if it is not opened by the user.
virus
Malware that is capable of spreading on its own, by injecting malicious code into other applications, and infecting new machines independently. The term “virus” is often erroneously used synonymously with the term “malware,” but a virus actually has very specific behavior.
worm
Similar to a virus, but does not inject code into other applications. They typically take advantage of vulnerabilities in the system or another application to spread.
rootkit
An old term for Unix malware that was capable of exploiting weaknesses to get “root” (ie, the highest-level administrator) access. This term has also been used to refer to Windows malware that works its way so deeply into the system that it is extremely difficult to remove. Often, this involves replacement of OS components with malicious code. In general, though, this term is often misused today. A rootkit must come in the form of one of the three primary types of malware (trojan, virus or worm).¬†As such, this term says nothing about the method of infection, only about the behavior after infection.
spyware
Refers to malware specifically designed to steal information from the user. Spyware must come in the form of one of the three primary types of malware (trojan, virus or worm). As such, this term says nothing about the method of infection, only about the behavior after infection.
adware
This refers to software that displays ads, generally in the user’s web browser, that are not supposed to be there normally. This may be for malicious purposes, to perpetrate click fraud, or may be software that offers questionable benefits in exchange for ad-riddled content. Either way, this kind of software is undesirable, but generally the real victim is not the person whose machine has been infected, but the company that is paying for the ads.
ransomware
Malware that attempts to hold your data or your computer hostage until you pay the “ransom.” In the Windows world, ransomware is common, and will often encrypt the hard drive, or portions of it, and promise to decrypt it only after payment is made. (Of course, trusting a criminal to do what he/she has said after you fork over your money is a very bad idea. Backups are the only reasonable way out of this kind of situation.) Fortunately, Mac users have little to fear from ransomware at the time of this writing.
keylogger
Software designed to hide in the background and record all keystrokes. It could be one of the three types of malware, or could be something that is installed manually by a hacker with access to your system, or could even be legit software installed by someone on their own computer for whatever reason. Keystrokes could be sent to a command and control server or logged locally.
hacktool
Shorthand for “hacker tool,” this is something that can be used by a hacker on a computer that is within his or her control. It is not technically malware, but is sometimes detected by anti-virus software since it could be something that was installed for malicious reasons by someone with access to the computer.
RAT
An acronym for “Remote Access Tool.” This is software that gives someone remote access to a computer. Although there are legitimate remote access tools on the market, and there is even one built into every recent Mac (the Back to My Mac feature of iCloud), the term “RAT” is mostly used in reference to remote access malware. This term says nothing about the method of infection, only about the behavior after infection.
PUA
An acronym for “Potentially Unwanted Application.” This is not truly malware, but rather an application that could be misused for malicious purposes. These include, but are not limited to, legitimate keyloggers or remote access tools. For example, LogMeIn is legitimate software, but could be installed on a computer surreptitiously for underhanded reasons.
backdoor
Generally just another name for a RAT.
proof of concept
Malware that has been created by a white hat hacker as a means of demonstrating a technique or vulnerability, with the aim of encouraging the developers of the system or software involved to take action to prevent such attacks.

Anti-virus terminology

definitions
Shorthand way of referring to the databases of data created by anti-virus companies that define the characteristics of malware and allow anti-virus software to identify it. Definitions may be very specific, identifying malware very reliably but missing newer variants, or they may be more general, capable of catching newer malware without changes but also more susceptible to false positives.
false positive
A false positive is a file that anti-virus software has identified as malicious when it actually isn’t. False positives can be quite bad, if important system files are identified as malicious and removed.
heuristics
Rather than using static definitions, which describe malware that has already been seen, heuristics describe malicious behaviors. Anti-virus software that looks at heuristics is capable of catching malware that has never been seen before, but also is more prone to false positives.
on-access scanning
Scanning that is done only when a file is accessed. A file is scanned when it is opened, moved, copied, etc, but not when it is just sitting static on the hard drive. Since a file is not a threat until it is opened, this approach makes a lot of sense. However, on-access scanning requires minor modifications to the system to intercept file access attempts, and this kind of thing has potential to cause instability and crashes.
on-demand scanning
Scanning that is only done when the user requests it (in other words, when the user opens the anti-virus software and starts a scan). Although this kind of scanning does not generally cause instability or crashes, it is also more limited in its utility, and may not catch malware until some time after it has already been installed. This can result in situations where the anti-virus software is no longer able to identify all possible malicious changes to the system.
signatures
Synonym for definitions.

Attack types

authentication bypass
Allows an attacker to access a system without needing to know a valid username and password, using a vulnerability of some kind in that system.
click fraud
Advertising fraud in which the malware displays ads in some way (generally within the web browser). The goal of the fraud is to get the user to click the ads, with the hacker getting paid per click by advertisers. Although annoying to users who see ads (sometimes with offensive content) displayed on pages that shouldn’t contain them, malware perpetrating click fraud is typically not harmful to the user.
cross-site request forgery
An attack that relies on a site’s trust for the user’s browser. Code is inserted in a page on one site that makes a surreptitious request from another site that the user loading that page is assumed to be logged into. That request, issued from the user’s browser, can be taken as an official request on behalf of a user who is logged in, and could take some form of action on that basis. Similar to cross-site scripting, but slightly different.
cross-site scripting
A cross-site scripting, or XSS, attack is one in which a hacker manages to inject malicious code (such as JavaScript) into a web page, which the browser will execute with the same level of trust as is given to the site the code was injected into. This is commonly done, for example, by adding malicious code to a comment on a blog post. Good blog software should prevent any code added to comments from being displayed in a visitor’s browser, but vulnerabilities in the site may allow a hacker to bypass these restrictions. Once the malicious code is added to the page, the user’s browser will run it when that page is loaded, which could have any number of bad outcomes, including harvesting information from the user or infecting the user with malware via drive-by download.
denial-of-service (and distributed denial-of-service)
A denial-of-service (DoS) attack is not an attack on a user’s machine, generally, but an attack on a server of some kind (such as an e-mail or web server). The attack is specifically meant to prevent other users from being able to access the services offered by that site. For example, an attempt to load a web page on a site undergoing a DoS attack will result in problems connecting to the site. Where this pertains to malware is in the distributed denial-of-service (DDoS) attack, in which a botnet is used to flood the site with enough requests to overload it and make legitimate incoming connections difficult or impossible to make.
drive-by download
A kind of malware that is downloaded and installed on your computer invisibly when you visit a hacked web site. This always relies on a vulnerability in either the web browser or a plug-in installed in the web browser, such as Java or Adobe Flash. Flashback is one of the most infamous cases of Mac malware to be installed via drive-by download. All cases of Macs being infected via drive-by download have happened since early 2012, and have almost always involved Java. (Thus my advice to always disable Java in your web browser!) You should be cautious about any other browser plug-ins, add-ons or extensions that you install, and keep them up-to-date.
phishing
An attack where a hacker tries to fool the user into divulging sensitive information. Usually this happens through a web site that mimics another site. For example, you may receive a phishing e-mail telling you that there’s a problem with your PayPal account, and it provides a link to log in that goes to a site that imitates the look and feel of PayPal. The site will probably even have an address that imitates PayPal’s address. Once you enter your login information, however, you have given it to the hackers, and they can drain your account of funds or charge on your credit. (PayPal is only an example, almost any other site could be imitated in phishing attempts.)
watering hole
An attack that targets a specific group through some site that they are likely to visit, much as a lion may stake out a watering hole to catch its prey. One example was a Java exploit, using a previously unknown vulnerability, uploaded to a hacked developer site, which infected numerous Mac-using iOS developers via drive-by download. These developers were all likely to have Java installed, and were thus prime targets for an attack that could hit them all through a site they were likely to be visiting. Another example is a similar Java exploit used on a site devoted to the Dalai Llama, used to attack human rights groups in Tibet.

Other terms

black hat hacker
In reference to the Spy vs Spy cartoons from Mad magazine, a black hat hacker is a hacker who acts with malicious intentions. The opposite of the black hat hacker, of course, would be the white hat hacker.
bot
A computer that has been infected with malware designed to act in coordination with other infected computers around the world. Often, a bot is used for such unscrupulous activities as distributed denial-of-service attacks on web sites, brute force attacks on login pages to discover usernames and passwords or bitcoin “mining” schemes (in which computer processor time is used to manufacture bitcoins, which can be used as currency).
botnet
A group of bots, all infected with the same malware so that they will act in a coordinated fashion towards some specific malicious end.
command-and-control server
Often, malware will “phone home,” or connect to some server used by the hackers who developed it, to either receive instructions or upload stolen data, or both. That server is referred to as a command-and-control (c&c) server. This does not need to be a malicious server. For example, malware has been known to get instructions from tweets that have specific formats, and that can be searched for according to that format or that are posted by Twitter users with usernames following a pattern set up in advance.
dropper
A script or program responsible for downloading and installing malware, generally as part of a drive-by download.
exploit
Malicious code written to take advantage of a vulnerability in some software. An exploit is the actual malware itself, or the dropper responsible for installing the malware.
in the wild
Malware that is in active distribution by malicious hackers is referred to as being “in the wild.” Proof of concept malware, or malware that was developed for sale and that hasn’t been sold yet, are examples of malware that would not be termed “in the wild.”
payload
The software installed by a dropper is referred to as the payload. The payload is the part of the malware that does whatever job the malware is intended to do.
sandbox
A virtual “box” inside which software is run. A program that is run inside a sandbox is cut off from the rest of the computer, and can only access it through interfaces provided by the software managing the sandbox. A well-designed sandbox can prevent malicious software run inside it from actually doing anything meaningful.
variant
Most malware does not remain static, but changes over time. Different versions of a particular malware program are referred to as “variants.” For example, in 2011, there were a couple different variants of Flashback that behaved as trojans. In 2012, new variants appeared that significantly changed the behavior, changing from a trojan to malware installed via drive-by download. This is an extreme example; often, new variants only include minor changes that help the new variant slip past anti-virus software.
vulnerability
A weakness in some piece of software, whether a system, an application, a plug-in or anything else. This kind of weakness will allow an attacker to get access to the computer that should not be allowed, and is usually used to install malware. The software that actually takes advantage of the vulnerability is called an exploit.
white hat hacker
In reference to the Spy vs Spy cartoons from Mad magazine, a white hat hacker is a hacker who acts with benevolent intentions. Security researchers are one example of white hat hackers. The opposite of the white hat hacker, of course, would be the black hat hacker. It’s important to understand that, although white hat hacking can pay off (some companies will pay for discovery of vulnerabilities in their software), it is also a very dangerous activity to engage in. Many (mostly hobbyist) white hat hackers have faced criminal charges for their activities, usually because of hacking systems without having prior permission to do so.
zero-day
An exploit that targets a vulnerability that was previously unknown prior to its appearance is referred to as a “zero-day,” meaning that there have been zero days of awareness during which the vulnerability could have been fixed. Zero-days are particularly dangerous, since they will often get past all defenses, including anti-virus software. The Flashback malware that hit hundreds of thousands of Mac users was a zero-day that utilized a vulnerability in Java to install itself via drive-by download.

Index


This page and all contents (unless otherwise noted) copyright 2011-2014 by Thomas Reed.
For questions or comments, please contact me.