(also zero-day, zero-hour) A vulnerability, previously unknown to a manufacturer, used to exploit weaknesses in a system's attack surface.
A vulnerability, known to the manufacturer, that is still waiting for a patch. The number grows the longer the vulnerability waits for its patch.
(Advanced Persistent Threat) Tooling usually attributed to major cyber actors. These may be state-operated campaigns with a broad range of targets that change over time. APT attacks require a high degree of covertness over the duration of the campaign.
Also known as TDSS, a Trojan and bootkit designed to steal data by intercepting a system's network traffic and searching for usernames, passwords, and bank card data. It led to BSOD problems on 32-bit Windows when MS10-015 was released.
The abuse.ch Malware Database, discontinued 2012-03-17. Replaced by Palevo.
(also Gamarue) A worm originally spread via removable drives, with a convoluted method of creating a .DLL that replicates the worm onto any new removable drives attached to the system.
Proxy software aimed at masking a user's point of origin on the net. There are multiple reasons for doing this, and multiple tools and types to choose from; common examples are Tor and I2P.
A network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers. Because the receivers share one destination address, more than one node may end up receiving the datagram.
Attack Surface
The sum of the different points (attack vectors) where an unauthorized user can try to enter data to or extract data from an environment.
Attack Vector
Available methods of attack used by an attacker to compromise a system.
Banking Trojan
A trojan aimed at gathering banking related information. See: DRIDEX, Feodo, Trojan
Blackhole EK
(Blackhole Exploit Kit) The most infamous EK of 2012, responsible for 29% of all web threats that year. The kit allows its users and maintainers to gather information on victims and keep records of past and present victims. Blackhole EK was sold as a licensed product to anyone that had the money, with no oversight on deployment. The kit leverages compromised websites and landing pages as well as malspam sent by the attackers. One of the alleged creators of Blackhole was arrested by Russian authorities in October 2013. Soon after, Blackhole saw its demise, opening the way to new, improved and more advanced EKs.
A bogon is a prefix route that should never appear in the Internet routing table. A packet routed over the public Internet (excluding VPN and similar traffic) should never have a source address in the bogon range. These are often found as the source addresses of DDoS attacks.
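The check described above, as an added example written for this entry (not code from the glossary or from any vendor's filter): source addresses of inbound packets are tested against a bogon prefix list. The prefix list is a constructed subset of well-known bogon ranges, and the packet records are constructed too; a real border filter would pull a maintained list that also covers unallocated space.

```python
# Added example (not part of the glossary): dropping packets whose source
# address lies in a bogon prefix. The prefix list is a constructed subset of
# well-known bogon ranges; packet records below are constructed as well.
import ipaddress

BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (carrier-grade NAT)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918 private
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
)]

def is_bogon(address: str) -> bool:
    """True if the address falls inside any listed bogon prefix."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in BOGON_PREFIXES)

def filter_ingress(packets):
    """packets: (src, dst, nbytes) tuples arriving from the Internet.
    Only the SOURCE is checked; the destination is our own address and is
    never a reason to drop. Returns (accepted, dropped)."""
    accepted, dropped = [], []
    for pkt in packets:
        (dropped if is_bogon(pkt[0]) else accepted).append(pkt)
    return accepted, dropped

def bogon_bytes(packets) -> int:
    """Total bytes from bogon sources: a sudden jump is a useful DDoS signal."""
    return sum(n for src, _, n in packets if is_bogon(src))

# Constructed sample traffic toward a server we run (a documentation address
# stands in for a public one; only the source column is evaluated).
SAMPLE_PACKETS = [
    ("8.8.8.8", "203.0.113.10", 512),
    ("10.1.2.3", "203.0.113.10", 1400),    # private source on the public Internet: bogon
    ("192.0.2.77", "203.0.113.10", 1400),  # documentation range: bogon
    ("1.1.1.1", "203.0.113.10", 64),
]

if __name__ == "__main__":
    accepted, dropped = filter_ingress(SAMPLE_PACKETS)
    print(f"accepted={len(accepted)} dropped={len(dropped)} bogon_bytes={bogon_bytes(SAMPLE_PACKETS)}")
```

Counting bogon-sourced bytes over time, rather than only dropping them, is what turns the filter into the DDoS indicator the entry mentions.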
A number of Internet-connected computers under the command of a remote host used to complete repetitive tasks. This can be benign, even beneficial, for projects that use distributed computing to good ends (provided the user has agreed to host this style of program, such as Folding@home, or Distributed.net). Conversely, malware infected machines may be part of a botnet that can be used for malicious purposes, such as DDoS attacks.
The technique of automatically generating clicks on a revenue source (such as video advertisements). This is typically in violation of the spirit of revenue-generating schemes like advertising. By generating views without actual viewers, advertisers pay out money without receiving the increase in business normally gained by getting more eyeballs in front of their advertisement, thus defrauding the advertiser of revenue.
(Canonical Name) A Domain Name System (DNS) record entry used as an alias for another domain.
(C&C, C2) The nerve center of a botnet. Command and Control systems are the central point that attackers use to control the behavior of a piece of malware. These can take several forms, and can be difficult to track down for a number of reasons (located in the darknet, DGA, other forms of obfuscation). Shutting down communication between the malware and the C&C will prevent the malware from exfiltrating data to the operator of the C&C. It will also prevent other operations from being executed (such as using botnets to perform DDoS attacks, or even applying updates/upgrades to existing malware).
(Common Vulnerabilities and Exposures) A reference method for publicly known information security issues. Maintained by the MITRE Corporation.
(aka Downup, Downadup, and Kido) A computer worm that targeted Windows. First detected in 2008, it uses dictionary attacks and forms a botnet. When first discovered its purpose was unknown; it simply replicated between systems.
Content Delivery Network
(CDN) A system of proxy servers distributed through multiple data centers across geographical regions that mirror content from a central server. This has several advantages in allowing content to be distributed to end users expeditiously due to the closer physical proximity of the client (user) to the proxied host (server).
Ransomware targeted at Windows-based systems. It encrypts certain types of files stored locally and on network-mounted drives with RSA cryptography, then displays a message offering to decrypt the files if payment is received via Bitcoin or pre-paid cash voucher. Upwards of 41% of victims are believed to have paid the ransom, and not all of them received decryption keys. As an interesting note, the original demand was for $400 or 3 Bitcoins; as the market rate for Bitcoin surged, the ransomers reduced the amount demanded, down to as low as 0.3 Bitcoin. Also of interest: due to its ubiquity, the name has become synonymous with ransomware.
A form of malware in which ransomware meets worms. In previous forms of ransomware the attack was delivered via a drive-by attack, watering-hole attack, trojan, or other relatively concentrated method. With cryptoworms, the malware continues to move laterally, seeking vulnerable machines through multiple different attack surfaces, such as USB to bridge air gaps, email, and network vulnerabilities. Once a vulnerable system is found the worm infects it, replicates itself to continue the spread, and then encrypts sensitive data on the device. All of this happens without the user performing a specific action (for example, installing a program) to trigger the attack.
Botnet active since around 2007, mostly involved in spam, typically installed on Windows systems by the Pushdo Trojan. Also known as '0bulk Psyche Evolution'.
Dictionary attack
An attack against weak passwords on a computer (usually aimed at the root/admin account) using known commonly used password strings.
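From the defender's side, a dictionary attack shows up as a burst of failed logins against one account from one source. The following is an added example (not from the glossary) that detects that pattern in constructed sshd-style log lines; the threshold, window, and log format are illustrative assumptions.

```python
# Added example for the dictionary-attack entry: detecting the pattern in
# authentication logs. Log lines are constructed in an sshd-like format;
# the threshold and window are illustrative assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]

def detect_dictionary_attacks(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: (max_failures_in_window, distinct_usernames)} for
    every source that produced at least `threshold` failures inside any
    sliding window of length `window`. Many failures against one privileged
    account (root/admin) from one source is the classic signature."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, 0))[0]:
                users = {u for _, u in events[start:end + 1]}
                flagged[ip] = (count, len(users))
    return flagged

# Constructed log excerpt: one source hammering root/admin, one legitimate typo.
SAMPLE_LOG = """\
2024-05-01T12:00:00 sshd[4101]: Failed password for root from 198.51.100.23 port 50212 ssh2
2024-05-01T12:00:10 sshd[4102]: Failed password for root from 198.51.100.23 port 50213 ssh2
2024-05-01T12:00:20 sshd[4103]: Failed password for root from 198.51.100.23 port 50214 ssh2
2024-05-01T12:00:30 sshd[4104]: Failed password for invalid user admin from 198.51.100.23 port 50215 ssh2
2024-05-01T12:00:40 sshd[4105]: Failed password for root from 198.51.100.23 port 50216 ssh2
2024-05-01T12:00:50 sshd[4106]: Failed password for root from 198.51.100.23 port 50217 ssh2
2024-05-01T12:01:00 sshd[4107]: Failed password for alice from 203.0.113.5 port 61000 ssh2
2024-05-01T12:01:05 sshd[4108]: Accepted publickey for alice from 203.0.113.5 port 61001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (count, users) in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures against {users} account(s) within 2 minutes")
```

The sliding window matters: a slow attacker spreading attempts over hours stays under a per-minute threshold, so the window and threshold should be tuned to the observed baseline rather than fixed.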
(DNS-based Blackhole List) A list of known possible spam hosts on the net. Devices referencing these lists ignore traffic from these IP addresses, effectively placing communications with the IP into a blackhole.
A trojan that specialized in redirecting a target computer's DNS settings to servers run by the trojan's creators. Rove Digital created it so that their advertising banners could be pushed to unsuspecting users.
(Domain Generation Algorithm) An algorithm seen in various malware samples, used to periodically generate a large number of domain names that serve as rendezvous points with C&C systems.
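Because a DGA host tries many generated names that nobody has registered, it produces a burst of NXDOMAIN answers for random-looking labels. The following is an added example (not from the glossary) of a first-pass heuristic over constructed resolver log lines; the thresholds, log format, and the single-label public-suffix assumption are all constructed for the illustration.

```python
# Added example for the DGA entry: a first-pass heuristic for spotting
# algorithmically generated names in resolver logs. Thresholds and the log
# format are constructed assumptions, not a published detector.
import math
import re
from collections import Counter, defaultdict

MIN_LEN, MIN_ENTROPY, MAX_VOWEL_RATIO = 10, 3.3, 0.25

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(name: str) -> str:
    # Assumption: single-label public suffixes only (".com", ".net", ...).
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(name: str) -> bool:
    """Long, high-entropy, vowel-poor labels look machine-generated.
    Real words (stackoverflow) pass because of their vowel ratio."""
    label = re.sub(r"[^a-z0-9]", "", registrable_label(name))
    if len(label) < MIN_LEN:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= MIN_ENTROPY and vowels / len(label) <= MAX_VOWEL_RATIO

LOG_RE = re.compile(r"client (?P<client>\S+) query (?P<qname>\S+) rcode (?P<rcode>\S+)")

def suspicious_clients(lines, min_hits=3):
    """{client_ip: count} for clients whose NXDOMAIN responses include at
    least `min_hits` DGA-looking names: a host cycling through unregistered
    rendezvous domains produces exactly this burst."""
    hits = defaultdict(int)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["rcode"] == "NXDOMAIN" and is_dga_like(m["qname"]):
            hits[m["client"]] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}

# Constructed resolver log: 10.0.0.5 cycles through random names, 10.0.0.9 is normal.
SAMPLE_LOG = """\
2024-05-01T09:00:01 client 10.0.0.5 query xkqjwzvbtpmcyd.com rcode NXDOMAIN
2024-05-01T09:00:02 client 10.0.0.5 query a7k2p9x4m1q8z3.net rcode NXDOMAIN
2024-05-01T09:00:03 client 10.0.0.5 query qzvnrtlbxwkm.org rcode NXDOMAIN
2024-05-01T09:00:04 client 10.0.0.5 query mail.google.com rcode NOERROR
2024-05-01T09:00:05 client 10.0.0.9 query stackoverflow.com rcode NOERROR
2024-05-01T09:00:06 client 10.0.0.9 query typoed-hostnam.example rcode NXDOMAIN
""".splitlines()

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

Character statistics alone misfire on CDN and cloud hostnames that are legitimately random, so in practice the NXDOMAIN burst per client is the stronger signal and the label heuristic only narrows which names to look at.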
Domain Name System
(DNS) A hierarchical distributed naming system for computers, services and other resources attached to the Internet (or a private network that is using DNS). Associates various information with domain names assigned to each participating device. Most commonly known for translating between IP addresses and human-readable/friendly names.
(Denial of Service) An attack against a target aimed at disruption (or denial) of service by flooding the victim's bandwidth with excess communications. This can be as simple as issuing a flood of pings to a computer with a slow uplink, or as large as having hundreds or thousands of zombie computers sending data to a high-speed host.
(Distributed Denial of Service) A DoS attack using multiple attacking systems to flood the victim's bandwidth and systems.
DDoS Amplification
Many network services can be made to act as reflectors. By spoofing the source IP address of requests sent to these services (so that it is the target's address), the reflector machines return responses to the target that may be large, numerous, or both, depending on the service.
A compromised computer that is acting as part of a botnet.
Malware targeted at stealing an end user's online banking data. Its primary difference from CRIDEX is its delivery method, relying on spam to deliver Microsoft Word documents containing the code. Successor to Feodo and CRIDEX.
A stage of an attack that acts as a carrier, containing other malicious code. When launched it “drops” (installs) the contained file, and executes it.
(Exploit Kit) Malware deployed on web servers with the intent of discovering vulnerabilities in network clients, including the ability to upload and execute malicious code on user systems. Designs are typically modular, allowing a variety of vulnerabilities to be targeted and blocked exploits to be swapped out for working ones. Interfaces may be provided for metrics on successful infections, ease of maintenance, and other features. When a working exploit is found, a drive-by attack is launched, downloading and installing malware on the client machine. Well-known EKs include: Neutrino, Nuclear, RIG, Magnitude, MPack, Phoenix, Blackhole, Crimepack, and Angler.
(also Cridex and Bugat) A MITB attack that worked to intercept a user's banking information. Has not been active for some time.
Game Over ZeuS
(GOZ) The successor to ZeuS. Uses encrypted P2P (based on Kademlia) to communicate with its C&C.
A security bug disclosed in April 2014 that affected OpenSSL's crypto library.
(Internationalized Domain Names) An Internet domain name that contains non-ASCII characters.
(Indicator of Compromise) An observed remnant of a compromise discovered in a network or operating system that indicates, with high confidence, that a security breach has taken place. Examples include unusual IPs (or unusual access times from trusted IPs), domains, mutexes, etc.
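IDNs are stored on the wire in an ASCII "xn--" (Punycode) form, and the security concern is a label that mixes scripts so that a Cyrillic or Greek letter impersonates a Latin one. The following is an added example (not from the glossary) using Python's built-in IDNA codec to convert both ways and to flag mixed-script labels; the sample names are constructed.

```python
# Added example for the IDN entry: converting between Unicode and Punycode
# ("xn--") forms and flagging labels that mix scripts, the classic homograph
# trick (Cyrillic "а" in place of Latin "a"). Sample names are constructed.
import unicodedata

def to_ascii(name: str) -> str:
    """Unicode name -> ACE form with xn-- labels (Python's built-in IDNA codec)."""
    return name.encode("idna").decode("ascii")

def to_unicode(name: str) -> str:
    """ACE or Unicode name -> Unicode form; ASCII-only names pass through."""
    return name.encode("idna").decode("idna")

def scripts_in_label(label: str) -> set:
    """Script names (first word of the Unicode character name) used by the
    letters of a label; digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue
        if ch.isascii():
            scripts.add("LATIN")
        else:
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def is_mixed_script(name: str) -> bool:
    """True if any label of the (decoded) name mixes two or more scripts."""
    return any(len(scripts_in_label(lbl)) > 1 for lbl in to_unicode(name).split("."))

def homograph_report(names):
    """[(unicode_form, ace_form, mixed_script_flag), ...] for a batch of names."""
    return [(to_unicode(n), to_ascii(n), is_mixed_script(n)) for n in names]

# Constructed inputs: plain ASCII, a Latin name with one Cyrillic "а" (U+0430),
# and a Greek omicron (U+03BF) replacing the Latin "o".
SAMPLES = ["example.com", "\u0430pple.com", "g\u03bfogle.com"]

if __name__ == "__main__":
    for uni, ace, mixed in homograph_report(SAMPLES):
        print(f"{uni!s:<14} {ace:<22} mixed_script={mixed}")
```

Browsers apply similar script-mixing rules to decide whether to display the Unicode form or fall back to the raw "xn--" label; a log pipeline that only ever sees the ACE form needs the decode step before any such check.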
Magnitude EK
(Magnitude Exploit Kit): An exploit kit delivered by a drive-by malware dropper. First noted in October 2013, when it was used as an attack on visitors to PHP.net.
A botnet targeted at IoT devices. Internet connected devices are attacked and infected with the Mirai malware. This allows the device to be used as part of a collective of devices to perform DDoS attacks against victim computers.
(Man-In-The-Middle) A type of attack where a third party server (for instance a router between a client and host) is compromised to capture data and spoof the output to fool the network under attack into revealing its secrets.
Successor to Blackhole EK.
(Open Virtualization Archive) A single appliance packaged to meet OVF standards.
(Open Virtualization Format) A standard for packaging and distributing “virtual appliances” (software) or virtual machines. Effectively timeshares a single piece of hardware's resources across one or more virtual computers hosted by that hardware.
A worm spread through instant messaging, P2P networks, and removable drives. Also known as Rimecud, Butterfly bot, and Pilleuz. Currently tracked by Palevo Tracker.
(packet capture) A file format used for packet analysis. Monitoring software (such as Wireshark) interfaces with the pcap library to capture all data crossing the selected network interface, so that the analysis program can log the data and analysis can begin after the capture period is closed.
An attempt to gain sensitive information through misrepresentation (the bait). Usually conducted by pretending to be an authority and catching unsavvy Internet users (the fish). Typically carried out through email spoofing, though occasionally via Instant Messaging.
Trojan component of the Cutwail botnet, and possibly part of the Pandex botnet. This is a spam botnet that has been around since 2007 and survived several attempts to shut it down after being discovered in 2010. It was also recorded performing DDoS attacks against websites using SSL encryption: the botnet sends malformed SSL connections to port 443 (SSL), flooding the connection.
A type of malware that encrypts user data and demands payment to release that data.
(Remote Administration Tool or Remote Access Trojan): A Trojan used to open a hole in a victim's attack surface and allow for the remote access and administration of a victim's systems.
(Response Policy Zone) A mechanism for use by Domain Name System recursive resolvers to allow customized handling of the resolution of collections of domain name information (zones).
(Security Information and Event Management) Software aimed at combining Security Information and Security Event Management. Allows for real-time analysis of security alerts provided by network hardware and applications, giving System Administrators a chance at an active response to threats. ThreatSTOP leverages SIEM information in order to provide automated threat protection, while simultaneously providing alerts to potential threat activity.
A group of volunteer security specialists from around the world that compile threat information and disseminate it to help improve Internet security.
A DNS server (sinkhole) that deliberately returns false information, used to prevent clients from reaching a website whose name the server handles. The higher up the resolver hierarchy the sinkholed server sits, the more computers it blocks.
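The RPZ entry above describes the mechanism and the sinkhole entry describes its effect; the following added example (not from the glossary, and not any resolver's real implementation) is a toy resolver front-end that applies RPZ-style QNAME triggers. The rule table and the "upstream" answers are constructed; the action encodings (CNAME ".", CNAME "*.", CNAME "rpz-passthru.", CNAME "rpz-drop.", or local data) follow the RPZ convention.

```python
# Added example for the RPZ and DNS-sinkhole entries: a toy resolver front-end
# applying RPZ-style QNAME triggers. The rule table and the "upstream" answers
# are constructed; the action encodings follow the RPZ convention.
UPSTREAM = {                      # pretend real answers from the Internet
    "www.example": "198.51.100.9",
    "malware.example": "198.51.100.66",
    "evil.malware.example": "198.51.100.67",
    "allowed.malware.example": "198.51.100.4",
    "ads.example": "198.51.100.7",
    "c2.example": "198.51.100.99",
    "noisy.example": "198.51.100.13",
}

RPZ_RULES = {                     # owner name -> policy RDATA
    "malware.example": "CNAME .",                       # NXDOMAIN
    "*.malware.example": "CNAME .",                     # NXDOMAIN for every subdomain
    "allowed.malware.example": "CNAME rpz-passthru.",   # exact name wins: exempt
    "ads.example": "CNAME *.",                          # NODATA (name exists, no records)
    "c2.example": "A 192.0.2.1",                        # local data: sinkhole / walled garden
    "noisy.example": "CNAME rpz-drop.",                 # no response at all
}

def match_rule(qname: str):
    """Exact owner first, then wildcard parents from most to least specific."""
    if qname in RPZ_RULES:
        return RPZ_RULES[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in RPZ_RULES:
            return RPZ_RULES[wildcard]
    return None

def resolve(qname: str):
    """Return (rcode_or_action, answer) after applying policy."""
    qname = qname.rstrip(".").lower()
    rule = match_rule(qname)
    if rule == "CNAME .":
        return "NXDOMAIN", None
    if rule == "CNAME *.":
        return "NODATA", None
    if rule == "CNAME rpz-drop.":
        return "DROP", None
    if rule and rule != "CNAME rpz-passthru.":
        _rtype, rdata = rule.split(" ", 1)
        return "NOERROR", rdata            # answer comes from the policy zone itself
    # passthru or no matching rule: ordinary resolution
    answer = UPSTREAM.get(qname)
    return ("NOERROR", answer) if answer else ("NXDOMAIN", None)

if __name__ == "__main__":
    for q in ("www.example", "malware.example", "deep.evil.malware.example",
              "allowed.malware.example", "ads.example", "c2.example", "noisy.example"):
        print(f"{q:<28} -> {resolve(q)}")
```

The "A 192.0.2.1" rule is the sinkhole case: pointing infected clients at an address you control lets you log which hosts are still trying to reach the C&C, which an NXDOMAIN answer would not reveal.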
Spear Phishing
The use of highly targeted attacks against individuals in a company (or entire companies, depending on the size of the campaign) that are determined to be of particular merit. Standard phishing attacks work by targeting an entire group, casting a net if you will, and emailing an attack to the entire organization, always with the goal of recovering sensitive information, often with the intent of gaining access to a network. Spear phishing operates in the same manner, but targets specific companies or individuals within a company that are suspected (or known) by the attacker to have escalated privileges in a network, or a greater than average net worth to the attacker's campaign.
(Simple Service Discovery Protocol) Part of Universal Plug and Play (UPnP), the SSDP service allows a new network device to be added to an existing or new network quickly and simply. SSDP is vulnerable to amplification attacks through malformed packets being sent out to devices.
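The DDoS Amplification entry and the SSDP entry above describe the same reflection mechanism from two angles. As an added example (not from the glossary), the code below computes the bandwidth amplification factor of a reflector and, on the defender's side, spots a reflection flood in flow records: UDP replies from well-known amplifier ports arriving at a host that never sent the matching request. All byte counts and flow records are constructed.

```python
# Added example for the DDoS Amplification and SSDP entries: (1) the bandwidth
# amplification factor (BAF) of a reflector, and (2) spotting a reflection
# flood in flow records. Byte counts and flows are constructed.
from collections import defaultdict

AMP_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

def baf(request_bytes: int, response_bytes: list) -> float:
    """Bytes delivered to the target per byte the attacker had to send."""
    return sum(response_bytes) / request_bytes

def reflected_traffic(flows, min_reflectors=3):
    """flows: (proto, src, sport, dst, dport, nbytes). Returns
    {victim: {"reflectors": n, "bytes": total}} for hosts receiving UDP
    replies from >= min_reflectors amplifier ports without an outbound
    request to that server/port."""
    requested = {(src, dst, dport)
                 for proto, src, sport, dst, dport, _ in flows if proto == "udp"}
    seen = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp" or sport not in AMP_PORTS:
            continue
        if (dst, src, sport) in requested:     # the host really did ask this server
            continue
        seen[dst]["reflectors"].add(src)
        seen[dst]["bytes"] += nbytes
    return {v: {"reflectors": len(d["reflectors"]), "bytes": d["bytes"]}
            for v, d in seen.items() if len(d["reflectors"]) >= min_reflectors}

# Constructed flow records around host 198.51.100.20.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.5", 1900, "198.51.100.20", 4444, 320),   # SSDP reply, unsolicited
    ("udp", "203.0.113.6", 1900, "198.51.100.20", 4444, 310),   # SSDP reply, unsolicited
    ("udp", "203.0.113.7", 53,   "198.51.100.20", 4444, 3000),  # large DNS reply, unsolicited
    ("udp", "198.51.100.20", 5353, "8.8.8.8", 53, 60),           # the host's own query...
    ("udp", "8.8.8.8", 53, "198.51.100.20", 5353, 120),          # ...and its legitimate answer
    ("tcp", "203.0.113.8", 443, "198.51.100.20", 50000, 1500),   # TCP: not a reflection vector
]

if __name__ == "__main__":
    print("BAF for a constructed 100-byte request:", baf(100, [1500, 1580]))
    print(reflected_traffic(SAMPLE_FLOWS))
```

The "no matching outbound request" test is what separates a reflection flood from the victim's own heavy DNS or NTP usage; the amplifier-port list is a starting point and should be extended with whatever UDP services the local network actually exposes.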
(Structured Threat Information eXpression) A language for describing cyber threat information in a standardized and structured manner.
(The Onion Router) An anonymization service based on research created by the US Navy to help obfuscate traffic being generated by end-users under oppressive governments. It also is used by less upstanding citizens to conduct questionable business.
As in horse, this is a type of malware that carries a payload intended to pilfer personal data and report to a C&C, or to create out-of-tolerance behavior on a system with the intention of causing disruption of service and/or damage.
(Transaction Signature) A computer networking protocol defined in RFC 2845. Part of DNSSEC. Used primarily by the Domain Name System (DNS) to provide a means of authenticating updates to a DNS database.
Two-factor Auth
(2FA) A login scheme using two different forms of identification to log in to a device. For example, an account password, plus a randomly generated number from a device that has been synchronized with the login server.
A large botnet that targets Windows. Known for MITB attacks, and was used by CryptoLocker. The creator claims to have retired, but this is considered misdirection by three-letter agencies.