Demystifying Malware Types and Terminology (Part 2)
- Making sense of common security terminology.
- Code-related terminology.
- Browser-related terminology.
- Threat-related terminology.
- What the heck are all these acronyms?!
With malware attacks on the rise, more and more news coverage is devoted to analyzing these threats. Most recently, the headlines were focused on a major DDoS attack coming from a botnet of IoT devices that took down the DNS servers controlling the internet…Wait, what? What does that even mean?! Well, on today’s show we’re going to help you make sense of all that security gibberish by demystifying the terminology and acronyms frequently encountered when it comes to malware.
Making sense of common security terminology. Almost any report or news article on malware attacks or security threats will contain some terminology that might not make a whole lot of sense at first glance, but that is worth investigating further. Once you can recognize the various security terms and their meanings, you’ll gain valuable insight into the capabilities and impact of the threat at hand. Most of the security terminology you’ll encounter in the news can be grouped into one of three categories: code-related terminology, browser-related terminology, or threat-related terminology.
Each category can provide information on different aspects of the threat, from how it spreads, to what it can do, to the severity level of the threat and how likely it is to affect you.
We’ll kick off our investigation of these various terms by starting where it all begins: Code.
Code-related terminology. Computer code lies at the heart of every program running on your computer, including the operating system itself. Computer code is what allows computers to talk to one another, which forms the basis of the entire internet. Computer code is also, unfortunately, what allows malware to do bad things.
So, let’s go over some of the common code-related terms you might encounter and figure out just what they mean.
- Bug: A bug is a mistake in a piece of computer code. Bugs are usually created by accident, and can cause unexpected behavior in a computer program. Usually when a program crashes, it means there was some bug in the code that happened to be triggered. Bugs can go undiscovered for years, until somebody comes along and realizes that it’s there. Attackers will intentionally look for bugs in computer programs, as some of them can be used as the basis for an exploit.
- Exploit: An exploit is when a bug in computer code is intentionally triggered in order to cause a specific thing to occur, such as allowing an attacker to gain access they wouldn’t otherwise have, read data they shouldn’t be able to read, and so on. Exploits usually take the form of computer code written to specifically trigger a bug in other computer code, and generally form the basis of how malware can slip past a computer’s defenses to attack the system.
- In the wild: ‘In the wild’ refers to malware that has been found outside of a security researcher’s laboratory or similar contained setting. Threats that are in the wild aren’t hypothetical or experimental; they’re the real deal.
- Proof-of-concept: When a security researcher has found a bug in a piece of code and formulated an exploit for it, they’ll generally only create it as a ‘proof-of-concept’ that doesn’t leave the lab — i.e., it’s not in the wild. Sometimes researchers will release a proof-of-concept to the general public that has been hobbled in some way so it can’t be used to actively attack other computer systems. They are generally created as evidence that a vulnerability in a computer program can be successfully exploited.
- Vulnerability: Remember when we said that some bugs can go undiscovered for years? A vulnerability is a bug (or a design flaw) that can be abused to break a program’s security: to gain access, read data, run code, and so on. Not every bug is a vulnerability. A crash that nobody can steer is a nuisance; a crash that an attacker can steer is a vulnerability. Security researchers frequently alert software vendors when they find vulnerabilities in their programs, giving the vendor a chance to fix the bug before it can be used by the bad guys to cause problems.
- Zero-day: Sometimes, security researchers choose to release full details on a vulnerability without first alerting the software vendor. Other times, the bad guys were the ones to discover and exploit a vulnerability in the first place. In either case, the end result is considered to be a ‘zero-day’ vulnerability. This means that the software vendor had no forewarning about the threat, and thus has had “zero days” in which to fix the issue. Once the vendor ships a fix it is no longer a zero-day, but any system that hasn’t installed the update is still exposed. Zero-day vulnerabilities can be the basis of some of the most damaging malware, and are considered to be a severe threat.
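To see how those terms fit together, here is an added, hypothetical example (not code from the show): a toy file-download handler with a bug, a proof-of-concept input that turns the bug into an exploit, and the patched version a vendor might ship. The base directory, function names and inputs are all made up for illustration.

```python
"""Bug -> vulnerability -> proof-of-concept -> fix, on a toy download handler.

Added illustration; the handler and its base directory are hypothetical.
"""
import posixpath

BASE_DIR = "/srv/downloads"  # assumed location of the files the server means to expose


def vulnerable_download_path(filename: str) -> str:
    """The bug: trusts the caller to send a plain file name.

    The author expected names like "report.pdf" and nothing rejects "..".
    Because the consequence is reading files the caller should never reach,
    this bug is also a vulnerability (a classic path traversal).
    """
    return posixpath.join(BASE_DIR, filename)


def proof_of_concept() -> str:
    """The exploit: an input crafted to trigger the bug on purpose.

    Returns the path the vulnerable handler would actually open. A PoC like
    this is evidence that the bug is exploitable; it is not itself malware.
    """
    return vulnerable_download_path("../../etc/passwd")


def fixed_download_path(filename: str) -> str:
    """The patch: normalise the joined path and confirm it stays under BASE_DIR.

    Also rejects absolute names (posixpath.join discards BASE_DIR for those)
    and names that resolve to the base directory itself rather than a file in it.
    """
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, filename))
    if candidate == BASE_DIR or posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError(f"refusing path outside {BASE_DIR}: {filename!r}")
    return candidate


if __name__ == "__main__":
    print("vulnerable handler would open:", proof_of_concept())
    print("fixed handler, normal request:", fixed_download_path("report.pdf"))
    try:
        fixed_download_path("../../etc/passwd")
    except ValueError as exc:
        print("fixed handler, PoC input:", exc)
```

Running it shows the vulnerable handler happily building `/srv/downloads/../../etc/passwd`, which the operating system resolves to `/etc/passwd`, while the patched handler refuses the same input. Until the patched version is installed, the bug is exploitable by anyone who knows about it; that gap between disclosure and update is exactly what the zero-day discussion above is about.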
Now that we’ve covered the code side of things, let’s move on to discuss terms commonly associated with threats encountered while browsing the web.
Browser-related terminology. While most of the threats that can affect your web browsing experience are more on the annoying side of things than anything else, it’s important to understand what the various terms actually mean, since some are more problematic than others.
- Browser Hijacker: Mostly associated with adware, a browser hijacker is anything that makes unwanted changes to your web browser, such as adding a toolbar, changing your homepage or search settings, redirecting you from one webpage to another, or displaying ads and other annoying pop-ups.
- Malvertising: A combination of the words “malicious advertising,” malvertising is when legitimate online advertising networks are used to spread malware. Sometimes the ad itself contains malicious code; other times the ad simply redirects the browser to a page that downloads a separate piece of malware onto the victim’s computer. Because the ad is served through a trusted network, it can appear on perfectly reputable websites.
- Phishing: Phishing is when bad guys attempt to trick you into giving up sensitive information such as usernames, passwords, or credit card numbers. While most phishing attempts are indiscriminately sent to a large number of users with the hope that at least some of them will fall for it, attackers will sometimes do some extra background research in order to target a specific individual or company, which is called spear-phishing.
- Tracking Cookie: Websites store small pieces of information about your visit in your browser in the form of cookies. This is often useful when you accidentally close your Amazon tab before you finish checking out — simply re-open the tab and Amazon remembers the contents of your shopping cart. That is a first-party cookie, set by the site you are actually visiting. A tracking cookie is typically a third-party cookie set by an advertising network whose content is embedded on many different sites, which lets the network recognize the same browser across all of them and record and mine data about your web browsing habits. Do you ever feel like a specific ad has been following you around from page to page while surfing the web? That’s a tracking cookie in action!
On last week’s episode, we covered the main categories when it comes to the different malware types, but let’s go a bit more in-depth on some corresponding threat-related terminology.
Threat-related terminology. While the names of different types of malware, such as ransomware or keyloggers, can give a clue to their behavior, there are some additional terms that you might hear in the news when security threats hit the headlines.
- Backdoor: A backdoor is a way for someone to access a computer, program, or website that falls outside of the usual methods (such as logging in with a username and password). Most often, bad guys will use malware to set up a backdoor on an infected system, allowing them remote access, but other times backdoors are intentionally added by vendors to legitimate software programs — usually to facilitate an easier user support experience (such as being able to remotely reset the password for a user). A vendor backdoor is just as dangerous as a malicious one once an attacker learns how to use it.
- Bot/Botnet: Some types of malware can take complete control of infected machines, turning those computers into ‘bots’ (sometimes these computers are referred to as ‘zombies’). A ‘botnet’ is a large collection of infected machines, all of which are under remote control, and can be used to perform specific tasks on a large scale, such as sending spam or participating in distributed denial-of-service attacks.
- Command-and-Control Server: In order to function, a botnet needs a way to receive commands for the tasks it should carry out. Traditionally this is a centralized computer system in charge of the botnet, known as a Command-and-Control server (also called a C&C or C2 server). Some botnets instead pass commands between the bots themselves, peer-to-peer, so that there is no single server to take down.
We’ve covered some of the most common terminology you might encounter in security-related news, but what about all of those acronyms? Don’t worry, we didn’t forget about them!
What the heck are all these acronyms?! While a lot of the acronyms you’ll encounter when it comes to security threats tend to look like something dredged up out of a bowl of alphabet soup, we promise they actually mean something. Let’s clear some of them up.
- DNS: DNS stands for “Domain Name System,” and is the underlying technology that translates easy-to-remember domain names such as apple.com to a more machine-friendly numerical format, which are used when routing traffic around on the internet.
- DoS/DDoS Attack: DoS stands for “Denial-of-Service,” and is a type of attack where the intent is to make a computer, network, or website inaccessible to other users. DDoS stands for “Distributed Denial-of-Service,” and is when multiple systems are acting simultaneously to participate in the attack. Distributed Denial-of-Service attacks are one of the many functions that botnets are used for.
- IoT: IoT stands for the “Internet of Things” — that is, hooking a wide variety of devices up to the internet, beyond the normal things like computers, smartphones, and printers. Some examples are refrigerators, light bulbs, cars, and TVs. Unfortunately, security hasn’t been a priority for many of these new “smart” devices, which has led to some serious problems.
- PUA/PUP: PUA stands for “Potentially Unwanted Application,” while PUP stands for “Potentially Unwanted Program.” The two acronyms are interchangeable, and basically refer to software that, while not overtly malicious, might not be something a user would actually want installed on their system. Most of these programs come bundled alongside a program that users would want, and are only referenced in the small print of the software license agreement.
- RAT: No, a RAT isn’t some new supercharged version of the standard computer mouse — it stands for “Remote Access Tool.” Remote Access Tools are programs that…you guessed it, allow remote access to a computer. Most Remote Access Tools are either legitimate software programs or built directly into the operating system, and can be used to provide technical support or access to your home computer while you’re on the road for work. However, these tools can also be abused by the bad guys, which is obviously not something you’d want. When the tool in question is malware installed without the owner’s knowledge, you’ll often see the same acronym expanded as “Remote Access Trojan.”
Alright, that’s it! Now, let’s see if we can use some of our newfound knowledge to make sense of that technobabble from earlier in the episode. So what exactly does “Most recently, the headlines were focused on a major DDoS attack coming from a botnet of IoT devices that took down the DNS servers controlling the internet” mean?
First, let’s expand those acronyms: “…a major Distributed Denial-of-Service attack coming from a botnet of Internet of Things devices that took down the Domain Name System servers controlling the internet.”
Ok, so basically a bunch of malware-infected “smart” devices were actively working together to block access to a key component of the internet. See? When you’re familiar with the underlying terminology and acronyms used in computer security reporting, it all makes a lot more sense!