Glossary

ActiveX control
A software component of Microsoft Windows that can be used to create and distribute small applications through Internet Explorer. ActiveX controls can be developed and used by software to perform functions that would otherwise not be available using normal Internet Explorer capabilities. Because ActiveX controls can be used to perform a wide variety of functions, including downloading and running programs, vulnerabilities discovered in them may be exploited by malware. In addition, cybercriminals may also develop their own ActiveX controls, which can damage a computer when you visit a webpage that contains the malicious ActiveX control.

Adware
A program that displays an advertisement that is out of context.

Alert level
An alert level is assigned to particular malware by an analyst when adding detection. It is based on a calculation that takes into account the malware's ability to spread and potential to cause damage. The different alert levels are explained on separate webpages.

Alias
An alternative detection name for particular malware. Generally this refers to detections of the same malware by other antivirus vendors; however, it may also refer to an alternative Microsoft detection of the same malware. For rogue software, this may refer to the name it uses for its fake antivirus program.

API
Stands for "Application Programming Interface". A set of routines that an application uses to interface to lower-level services. APIs allow standard access to low-level programming functions, separating high-level programs from the need to understand the low-level programming required for each piece of hardware or service.

Authenticated user
Refers to a user who is logged in, with the correct credentials, anywhere within a network.

Authentication bypass
A vulnerability in which attackers can bypass certain authentication mechanisms of the application, thereby possibly gaining access to the application without the proper credentials.

Backdoor trojan
A type of trojan that provides attackers with remote unauthorized access and control of infected computers. Bots are a subcategory of backdoor trojans (see botnet).

Behavior
A type of signature created based on certain file behaviors that are often associated with malicious activity.

Blackhat SEO (search engine optimization)
A form of SEO in which entities manipulate a webpage for search engine optimization in such a way as to be deceitful or against industry best practices. Search engines usually respond to blackhat SEO by removing the webpage from the search results. Blackhat SEO has been used to increase the visibility of webpages containing malicious content, such as websites distributing malware or phishing sites.

Bitcoins
A form of digital currency that is generated through a decentralized peer-to-peer system also known as Bitcoin. People who obtain bitcoins can purchase various items online, as well as transfer bitcoins to other users and exchange them for real-world currencies. Through the Bitcoin system, all transactions made using bitcoins are tracked and stored publicly in records available for all users to see, and similar to real-world currencies, the value of bitcoins fluctuates regularly.

Bitcoin mining
Bitcoin mining is the term used to describe the means by which bitcoins are generated by the Bitcoin system. Any user participating in the Bitcoin system can mine for bitcoins, which consists of running special software on a computer that performs complex calculations, using the computer's processing power, on transactions that occur throughout the Bitcoin system. Every bitcoin transaction that occurs is transmitted to all users that participate in the Bitcoin system, and users running bitcoin mining software solve a mathematical problem associated with the transactions that helps to validate the transaction. The user that successfully solves this mathematical problem is awarded a certain amount of bitcoins. This is how new bitcoins are created. Bitcoin mining software utilizes extensive processing power and may impact the performance of the computer that's trying to solve these mathematical problems.

Bot
A malicious program installed on a computer that is part of a bot network (botnet). Bots are generally backdoor trojans that allow unauthorized access and control of an affected computer. They are often controlled via IRC from a centralized location (although other models of command and control exist). See also botnet.

Botnet
A set of computers controlled by a "command and control" computer to execute commands as directed. The "command and control" computer can issue commands directly (often through Internet Relay Chat, or IRC) or by using a decentralized mechanism, like peer-to-peer (P2P) networking.

Browser helper object
A Browser Helper Object or BHO is a DLL file that acts as a plugin for Internet Explorer. A BHO may have a visible presence in the browser, such as a toolbar. A corresponding CLSID is assigned to each BHO under the "Browser Helper Objects" subkey in the registry; deleting the CLSID key prevents the BHO from loading.

Browser modifier
A program that makes browser modifications without adequate consent from you.

Brute force
A type of attack in which the attacker attempts to gain access to your computer by guessing a correct set of credentials; this is usually done in an automated fashion using an application or an algorithm.

Buffer overflow
An error in an application in which the data written into a buffer exceeds the current capacity of that buffer, thus overwriting adjacent memory. Because memory is overwritten, this may result in unreliable program behavior, and in certain cases, allow arbitrary code to run.

CAPTCHA
Stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". A CAPTCHA is a challenge meant to be easily solvable by humans, while remaining too hard to be economically solved by computers. An example of CAPTCHA seen widely on websites is a distorted image of letters and numbers. You are required to interpret the image and type the response.

Cavity infection
A cavity-infecting virus is a virus that infects files by inserting its code into space that does not appear to be used within the targeted host file. In this way, it is able to infect files without increasing the affected file's size, thus you are less likely to notice it. By looking for space that appears to be unused within the targeted host file, and inserting its own code into this space, the cavity infection (in comparison to other parasitic infections) minimizes modification to a host file structure (mainly the file's size), and thus may avoid suspicion. This method of file infection, as with parasitic infections in general, is less common in the wild today than it was in the past. By inadvertently overwriting spaces which are in use, cavity-infecting viruses, as with other parasitic file infectors, may irretrievably corrupt files when attempting to infect them.

Clean
To remove malware or potentially unwanted software from your computer. A single cleaning can involve multiple disinfections.

Clean file
A file that has been determined to be neither malicious, nor potentially unwanted.

Cookie
An HTTP cookie, also called a tracking cookie, is a piece of text sent by an accessed server to the accessing browser. From then on, every time the browser accesses the server again, that particular cookie is sent back, in a way to "identify" the browser and its past behavior. Cookies are often used by online shopping sites to keep track of the browser's (and therefore potentially your) shopping habits and to better suggest items that you might also be interested in purchasing. Depending on which server the cookie belongs to, a cookie may contain sensitive information. However, cookies may be read (and the information stored in them "stolen") by malware.

Cross-site request forgery (CSRF or XSRF)
A website exploit in which unauthorized commands from an attacker are executed by a website under the guise that the attacker is in fact a trusted user. It involves websites that rely on your credentials, and in which an attacker exploits a website's trust in those credentials.

Cross-site scripting
An attack technique wherein an attacker inserts malicious HTML and JavaScript into a vulnerable webpage, often in an effort to distribute malware or to steal sensitive information from the website or its visitors. Despite the name, cross-site scripting (XSS) does not necessarily involve multiple websites. Persistent cross-site scripting involves inserting malicious code into a database used by a web application, potentially causing the code to be displayed for large numbers of visitors.

Cryptor
A tool that may be used, legitimately, or illegitimately, to protect an application from being reverse-engineered, or otherwise analyzed. These tools use encryption to obfuscate the content of an application, often for the purposes of avoiding detection and hindering analysis.

Cybersquatting
The act of registering, trafficking in, or using a domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else. Also known as "typosquatting".

DDoS
Stands for Distributed Denial of Service – see Denial of Service. Considerable resources may be required to exhaust a target computer and cause it to fail to respond. Often multiple computers are used to perform these types of malicious attack and increase the attack's chances of success. This can occur, for example, when a number of compromised computers, such as those that comprise a botnet, are commandeered and ordered to access a target network or server over and over again within a small period of time.

Definition
A set of signatures that can be used to identify malware using antivirus or antispyware products. Other vendors may refer to definitions as DAT files, pattern files, identity files, or antivirus databases.

Dialer
A program that makes unauthorized telephone calls. These calls may be charged at a premium rate and attract an unexpectedly high cost to the user.

Disinfect
To remove malware or potentially unwanted software from a computer, or to restore functionality to an infected program. Compare to Clean.

Domain authentication
An action by which you are checked and verified to be a member of a specific domain that you are trying to access.

DoS
Stands for Denial of Service. A condition that occurs when the resources of a target computer are deliberately exhausted, effectively overwhelming the computer and causing it to fail to respond or function for its intended users. There are a number of different types of attack that may be used to result in a denial of service condition, utilizing different types of flood, or malformed network traffic.

Double-free condition
Occurs when a program frees up memory twice on the same address before that memory has been reused. This can lead to modifying certain memory locations, and thus unpredictable program behavior and in some instances may allow an attacker to gain control of the program.

Downloader
A type of trojan that downloads other files, which are usually detected as other malware, onto the computer. The downloader needs to connect to a remote host to download files, compared to a dropper, which already contains the files in its malware package. See Trojan downloader/dropper.

Drive-by download
Refers to the unintentional download of certain programs from the Internet. This may be because of a lack of user understanding (such as agreeing to EULAs without reading through them), or an automated download of certain programs in accordance with the program developer's design. In the wild, malware has been observed to exploit certain browser vulnerabilities to perform drive-by downloading of arbitrary files.

Dropper
A type of trojan that drops other files, which are usually detected as other malware, onto the computer. The file to be dropped is included as part of the dropper package, compared to a downloader, which needs to connect to the Internet to download files. See Trojan downloader/dropper.

EICAR
Acronym for "European Institute for Computer Antivirus Research". EICAR.COM is a test file that is used to see if antivirus software is installed and functioning properly. For additional information about EICAR, please visit the EICAR website.

Encryption
Encryption is the method of transforming readable data into unreadable data for the purposes of secrecy. Once encrypted, such data cannot be interpreted (either by humans or machines) until it is decrypted. Encryption is performed using an encryption algorithm and a secret value called a 'key'. Encrypted data generally cannot be decrypted without knowledge of the secret 'key' or substantial resources. Malware may use encryption to obfuscate its code (make its code unreadable), thus hoping to hinder its detection and removal from the affected computer. A common and simple encryption technique used by malware is XORing, in which the Exclusive Or (XOR) computational operation is applied to each bit according to a given key. Malware may use cryptors to encrypt its code.
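The XOR technique described under Encryption (and the purpose of a Cryptor), together with the checks an analyst runs against it, as an added example in C that is not code from this glossary or from Microsoft: a repeating-key XOR routine, a single-byte key search keyed on the "MZ" executable signature, and known-plaintext recovery of a longer key. The sample payload, the keys and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a hidden Windows executable: the "MZ" signature,
 * a few header bytes and the DOS-stub text found near the start of a PE. */
static const uint8_t sample_plain[] =
    "MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode.";
#define SAMPLE_LEN (sizeof sample_plain - 1)

/* Apply key[i mod key_len] to every byte. Because (x ^ k) ^ k == x, one
 * routine both obfuscates and restores; malware relies on that symmetry. */
void xor_repeating(uint8_t *buf, size_t len, const uint8_t *key, size_t key_len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % key_len];
}

/* Analyst check 1: a single key byte is the most common case. All 256 values
 * are tried; the one that turns the first two bytes into "MZ" is returned,
 * or -1 if none does (not a XORed executable, or the key is longer). */
int find_single_byte_key(const uint8_t *cipher, size_t len)
{
    if (len < 2) return -1;
    for (int k = 0; k < 256; k++)
        if ((cipher[0] ^ k) == 'M' && (cipher[1] ^ k) == 'Z')
            return k;
    return -1;
}

/* Analyst check 2: for a guessed key length, XORing the first key_len cipher
 * bytes with the known plaintext yields the key; the remaining known bytes
 * then verify it, since a wrong length guess will not decode them.
 * Returns 1 and fills key_out when consistent, 0 otherwise. */
int recover_repeating_key(const uint8_t *cipher, size_t len,
                          const uint8_t *known, size_t known_len,
                          size_t key_len, uint8_t *key_out)
{
    if (key_len == 0 || known_len < key_len || len < known_len) return 0;
    for (size_t i = 0; i < key_len; i++)
        key_out[i] = cipher[i] ^ known[i];
    for (size_t i = key_len; i < known_len; i++)
        if ((cipher[i] ^ key_out[i % key_len]) != known[i])
            return 0;
    return 1;
}

/* Obfuscate with a 3-byte key and restore; returns 1 if the round trip holds. */
int demo_roundtrip(void)
{
    uint8_t buf[SAMPLE_LEN];
    const uint8_t key[] = { 0x13, 0x37, 0xAB };
    memcpy(buf, sample_plain, SAMPLE_LEN);
    xor_repeating(buf, SAMPLE_LEN, key, sizeof key);
    int changed = memcmp(buf, sample_plain, SAMPLE_LEN) != 0;
    xor_repeating(buf, SAMPLE_LEN, key, sizeof key);
    return changed && memcmp(buf, sample_plain, SAMPLE_LEN) == 0;
}

/* Obfuscate with key byte 0x5A and recover it from the "MZ" signature. */
int demo_single_byte_key(void)
{
    uint8_t buf[SAMPLE_LEN];
    const uint8_t key = 0x5A;
    memcpy(buf, sample_plain, SAMPLE_LEN);
    xor_repeating(buf, SAMPLE_LEN, &key, 1);
    return find_single_byte_key(buf, SAMPLE_LEN);
}

/* Recover the 3-byte key from 8 known header bytes; a length guess of 2 fails. */
int demo_repeating_key(void)
{
    uint8_t buf[SAMPLE_LEN], key_out[4];
    const uint8_t key[] = { 0x13, 0x37, 0xAB };
    memcpy(buf, sample_plain, SAMPLE_LEN);
    xor_repeating(buf, SAMPLE_LEN, key, sizeof key);
    int ok3 = recover_repeating_key(buf, SAMPLE_LEN, sample_plain, 8, 3, key_out)
              && memcmp(key_out, key, 3) == 0;
    int ok2 = recover_repeating_key(buf, SAMPLE_LEN, sample_plain, 8, 2, key_out);
    return ok3 && !ok2;
}

int main(void)
{
    printf("round trip ok: %d\n", demo_roundtrip());
    printf("single-byte key: 0x%02X\n", demo_single_byte_key());
    printf("3-byte key recovered and 2-byte guess rejected: %d\n", demo_repeating_key());
    return 0;
}
```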

Exploit
Malicious code that attempts to exploit vulnerabilities in applications or operating systems.

Firewall
A program or device that monitors and regulates traffic between two points, such as a single computer and the network server, or one server to another.

Form grabbing
Form grabbing is the hooking of web browser APIs to intercept webform data, with the intent to steal authentication information or alter web content that’s presented to you.

Generic
A type of signature capable of detecting a large variety of malware samples from a specific family, or of a specific type.

Heap overflow
A type of buffer overflow in which the overflow occurs in the heap data area. Memory in the heap is dynamically allocated; therefore successfully causing a heap overflow may overwrite internal structures, such as pointers.

Heap spraying
A technique used by exploit code to execute arbitrary code; in heap spraying, code attempts to reserve a certain chunk of memory and fill it with a predetermined sequence of bytes, which may compose malicious code.

Heuristics
A tool or technique that enhances the ability to identify certain, and potentially common, code patterns. This is useful for making, for example, generic detections for a malware family.

Hijacking
A vulnerability in which a communication channel is taken over by an attacker; an example is when an attacker gains access to the user's browsing session.

Hoax
An email that warns users about imaginary malware (that is, that does not exist in reality). Hoaxes tend to follow a fairly standard pattern - they are generally written in highly technical and emotive language and often describe highly destructive, irreversible payloads (that may be physically impossible). Hoaxes also often appear to quote industry experts to claim legitimacy and they generally ask users to forward the message to as many people as possible.

Hosts file
A Hosts file is a file that maps host names to IP addresses. It is used by a computer to resolve what IP address to go to when you attempt to go to a certain URL. While this action can be done for legitimate purposes, such as blocking non-authorized websites in a corporate environment, the Hosts file can also be edited for malicious purposes. Certain malware edits the Hosts file so that when you attempt to access a certain legitimate website, the browser is instead redirected to a malware site.
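A check for the kind of Hosts file edit described above, as an added example in C that is not code from this glossary or from Microsoft: it walks the file line by line and reports every name mapped to an address other than loopback or 0.0.0.0, which blocks a name rather than redirecting it. The sample file contents, the domain names and the 198.51.100.23 address are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a hosts file: the usual loopback lines, a sinkhole
 * entry of the kind used to block a site, and one redirect entry of the kind
 * malware adds to send a legitimate name to a server it controls. */
static const char sample_hosts[] =
    "# constructed sample, not a real hosts file\n"
    "\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "0.0.0.0         ads.example.test\n"
    "198.51.100.23   www.example-bank.test   # constructed redirect entry\n";

/* Addresses a benign hosts entry normally points at: loopback or "nowhere".
 * Mapping a name to one of these blocks it; mapping it anywhere else redirects it. */
int is_sinkhole_addr(const char *ip)
{
    return strcmp(ip, "127.0.0.1") == 0 || strcmp(ip, "::1") == 0
        || strcmp(ip, "0.0.0.0") == 0;
}

/* Walk the text line by line. Comments (#) and blank lines are skipped; each
 * remaining line is "<address> <name> [<name> ...]". Every name mapped to a
 * non-sinkhole address is reported as a redirect. Returns the number of such
 * names; up to max_found "name->address" strings are written into found. */
int find_redirects(const char *text, char found[][128], int max_found)
{
    char line[512];
    int n = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);

        char *hash = strchr(line, '#');          /* drop trailing comment */
        if (hash) *hash = '\0';
        char *ip = strtok(line, " \t\r");
        if (!ip) continue;                       /* blank or comment-only line */
        int redirect = !is_sinkhole_addr(ip);
        for (char *name = strtok(NULL, " \t\r"); name; name = strtok(NULL, " \t\r")) {
            if (!redirect) continue;
            if (n < max_found)
                snprintf(found[n], 128, "%s->%s", name, ip);
            n++;
        }
    }
    return n;
}

int main(void)
{
    char found[8][128];
    int n = find_redirects(sample_hosts, found, 8);
    printf("%d redirecting entries\n", n);
    for (int i = 0; i < n && i < 8; i++)
        printf("  %s\n", found[i]);
    return 0;
}
```

On a real system the text would be read from %SystemRoot%\System32\drivers\etc\hosts, and a reviewer would still confirm each flagged entry by hand, since administrators also add legitimate non-loopback mappings.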

IFrames
Short for inline frame, an iFrame is an HTML document that is embedded in another HTML document. Because the iFrame links to another webpage, it can be used by cybercriminals to place malicious HTML content into non-malicious HTML pages, for example in the form of a JavaScript advertisement placed in a trusted website that downloads and installs potentially unwanted software.

Improper authentication
Occurs when an application does not sufficiently validate that a user is who they say they are.

Improper authorization
Occurs when an application does not sufficiently validate your privileges or permissions when you attempt to access a resource or perform a certain action.

Improper error handling
Occurs when an application does not properly handle errors encountered when it runs; this includes the application failing, the application performing an unexpected action, disclosing information because of the error, and so on.

Improper input validation
Occurs when an input to a form is not properly validated or sanitized, or is in a form that the application is not fit to handle correctly; this is a potential vulnerability if the improper validation allows unintentional actions to occur.

In-the-wild
Malware that is currently detected in active computers connected to the Internet, as compared to those confined to internal test networks, malware research laboratories, or malware sample lists.

Incorrect detection
A type of detection in which a legitimate program may have been mistakenly classified as malware or potentially unwanted software. If you would like to report an incorrect detection, you can use the Incorrect Detection Report Form or you can submit a sample - be sure to indicate that you believe the submission should not be detected as malware by using the check box and adding a note in the comment box.

Infection
The act by a virus of inserting or adding its code to a file, thus enabling the file to spread virus code.

Information disclosure
A vulnerability in which information is made available, often inadvertently, by an application, either to users to whom the information should not be made available, or in a situation in which the information is not relevant.

Insufficient bounds
A condition which may lead to a buffer overflow; this occurs when the boundaries for a container are too small for the data being written into it.

Insufficient validation
A condition in which the type of data written into a container is not checked properly, thus possibly causing errors in the program.

Integer overflow
Occurs when an integer value is expanded by an application until it becomes a value too large to fit in the current representation; this may be a problem when the integer value is used to determine the next step in the application, stores data, or is used to compute a certain location in memory.
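An added C example, not code from this glossary or from Microsoft, tying together Buffer overflow, Insufficient bounds and Integer overflow: a length byte copied without checking it against its 16-byte container, and a wrapping size computation that makes the heap allocation smaller than the data written into it, each beside its bounds-checked form. The record format, NAME_MAX and all function names are constructed; the two vulnerable functions are shown for contrast and are never called.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define NAME_MAX 16   /* constructed record: 1 length byte, then that many name bytes */

/* Insufficient bounds: the length byte ranges 0..255 but the container holds
 * 16 bytes, and nothing checks one against the other before memcpy writes. */
int parse_name_unchecked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX])
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    memcpy(out, msg + 1, len);   /* stack buffer overflow when len > NAME_MAX */
    out[len] = '\0';             /* this terminator write overflows too */
    return 0;
}

/* Hardened: reject a length that does not fit (leaving room for the
 * terminator) and one that exceeds what the message actually carries. */
int parse_name_checked(const uint8_t *msg, size_t msg_len, char out[NAME_MAX])
{
    if (msg_len < 1) return -1;
    size_t len = msg[0];
    if (len >= NAME_MAX) return -1;      /* would overflow the container */
    if (len > msg_len - 1) return -1;    /* truncated message: would over-read */
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return 0;
}

/* Wrapper with its own buffer so callers can check the verdict alone. */
int parse_ok(const uint8_t *msg, size_t msg_len)
{
    char out[NAME_MAX];
    return parse_name_checked(msg, msg_len, out);
}

/* Integer overflow: the byte count is computed in 32-bit arithmetic. For
 * count = 0x40000001 the product 0x100000004 wraps to 4, so malloc returns a
 * 4-byte block and the fill loop writes far past it (a heap overflow). */
uint32_t table_bytes_wrapping(uint32_t count)
{
    return count * (uint32_t)sizeof(uint32_t);   /* unsigned: wraps silently */
}

uint32_t *alloc_table_overflowing(uint32_t count)
{
    uint32_t *t = malloc(table_bytes_wrapping(count));
    if (!t) return NULL;
    for (uint32_t i = 0; i < count; i++) t[i] = 0;   /* heap overflow */
    return t;
}

/* Hardened: prove the multiplication cannot wrap before relying on it
 * (calloc in modern C libraries checks this product as well). */
uint32_t *alloc_table_checked(uint32_t count)
{
    if (count == 0 || count > UINT32_MAX / sizeof(uint32_t)) return NULL;
    return calloc(count, sizeof(uint32_t));
}

int main(void)
{
    uint8_t big[201];                 /* constructed: length byte 200, then 200 'A's */
    memset(big, 'A', sizeof big);
    big[0] = 200;
    printf("checked parser on a 200-byte name: %d (rejected)\n", parse_ok(big, sizeof big));
    printf("bytes for 0x40000001 entries: %u (wrapped)\n", table_bytes_wrapping(0x40000001u));
    printf("checked allocator: %s\n", alloc_table_checked(0x40000001u) ? "allocated" : "rejected");
    return 0;
}
```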

Joke program
A program that pretends to do something malicious but actually does nothing harmful (for example, pretending to delete files or format disks).

Keylogger
See password stealer.

Kill bit
A specific value for the Compatibility Flags DWORD value for the ActiveX control in the registry that, when set, means that the control is no longer called by Internet Explorer at all unless the "Initialize and script ActiveX controls not marked as safe" option is enabled in Internet Explorer.

Least-privilege user account (LUA)
A user account that normally runs with minimal privileges. See also: User Account Control.

Macro virus
A type of virus written as a macro for an application (such as Microsoft Word or Excel). A macro virus infects a file by replicating itself as a macro for that file, ensuring that when the file is opened, the virus is run.

Malformed input
A type of input that is not well-formed; that is, it is not of the expected format or contains invalid data.

Malware
Malicious software or potentially unwanted software installed without adequate user consent.

Malware creation tool
A malware creation tool is a program that is used by attackers to generate malware. Such programs may be able to automatically produce malware files according to specifications provided by the attacker.

Misleading
The program makes misleading and/or fraudulent claims about files, registry entries and/or other items on the system.

Man-in-the-browser (MITB) attack
A type of web-based threat in which a malicious program has the ability to modify webpages and transactions, or insert additional transactions, all without your and your host's knowledge.

Man-in-the-middle (MITM) attack
A form of eavesdropping in which the attacker positions themselves figuratively in the middle of two parties. These parties are under the assumption that they are communicating with each other when in fact the attacker is relaying messages from one party to another without their knowledge. This gives the attacker an opportunity to manipulate or gather the messages as they see fit.

Memory reallocation
A condition in which memory is reused and overwritten before the previous data written into it was used; if the new data is unexpected, this may cause errors in the program.

Memory resident
A threat is termed "memory resident" if it continues to run and the space it occupies in memory is not freed for use by another program. A memory-resident threat persists in memory and usually cannot be stopped unless the computer is restarted.

Microsoft Word global template
An add-in that stores macros, AutoText entries, and custom toolbar, menu, and shortcut key settings that you can use while you work with documents based on any template. By default, the Normal template is a global template.

Monitoring tool
A program that monitors activity such as keystrokes, or captures screen images.

Mutex
Stands for Mutual Exclusion Object, a programming object that may be created by malware to signify that it is currently running in the computer. This can be used as an infection 'marker' in order to prevent multiple instances of the malware from running in the infected computer, thus possibly arousing suspicion.

Network packet
A unit of data carried over a network; it typically has two parts – control and payload – the former which serves to identify the manner in which the latter is delivered.

Non-persistent XSS
A type of cross-site scripting in which the server does not properly sanitize certain characters supplied in a client's input and renders them back to the browser in the HTTP response.

NTFS file system
An advanced file system designed for use specifically with the Windows NT operating system. It supports long file names, full security access control, file system recovery, extremely large storage media, and various features for the Windows NT POSIX subsystem. It also supports object-oriented applications by treating all files as objects with user-defined and system-defined attributes.

NTLDR
Also known as NT loader; it is the boot loader for the Windows NT operating system. It is usually run from the primary hard disk drive, but can also be run from portable devices.

Obfuscate
To obfuscate means to hide or make unclear. Some malware hides its code to make it harder for security software to detect or remove it. We call this type of malware an “Obfuscator”.

Obfuscator
An obfuscator is a type of malware that hides its code and purpose to make it more difficult for security software to detect or remove it.

Packer
A program that allows a user to package or bundle a file. This may be used by malware authors to obfuscate the structure of a malware file and thus avoid detection, as packing a single file using different packers results in different packages.

Password stealer
A password stealer (PWS) is malware that is specifically used to transmit personal information, such as user names and passwords. A PWS often works in conjunction with a keylogger, which collects and sends key strokes and/or screenshots to an attacker.

Payload
The malware's purpose other than propagation (in the case of viruses and worms). The actions conducted by a piece of malware for which it was created. This can include, but is not limited to, downloading files, changing computer settings, displaying messages, logging keystrokes, and so on.

Persistent XSS
A type of cross-site scripting in which the malicious script is stored in a server and is rendered when the application is called or the webpage in which it is hosted is browsed to.

Phishing
A method of identity theft that tricks you into revealing personal or financial information online. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands to steal personally identifiable information (PII), such as user names, passwords, credit card numbers, and identification numbers.

Pipe
A conceptual channel that facilitates the feeding of the input from one process into another.

Polymorphic
A polymorphic virus is a virus that can mutate its structure to avoid detection by antivirus programs. It can mutate usually by changing a variable or variables in its code without changing its overall algorithm.

Potentially unwanted software
A program with potentially unwanted behavior that is brought to your attention for review. This behavior may impact your privacy, security, or computing experience.

Privilege elevation
A vulnerability in which a user is able to perform tasks beyond the scope of the credentials with which they are logged in.

Proof-of-Concept (PoC) code
Proof-of-Concept (PoC) code is code that is developed to demonstrate the viability of a particular method of attack. This can include code that is created to illustrate how a particular software vulnerability can be exploited, or even malware created to illustrate how a particular platform can be utilized, or a particular file format infected.

Proxy server
A proxy server is a type of server that facilitates requests to other servers on behalf of the client. A proxy server can be configured to alter the client's request, or the server's response. Proxy servers can be used to filter content, store content in a cache for frequent requests, anonymize the client from which the request is coming, and so on.

Ransomware
Ransomware is a type of malware that prevents use of a computer or access to the data that it contains until you pay a certain amount to a remote attacker (the "ransom"). Computers that have ransomware installed usually display a screen containing information on how to pay the "ransom". You cannot usually access anything on the computer beyond the screen. Please see the ransomware article for more information.

Reinfection
When a computer becomes infected after having previously been cleaned or disinfected. Reinfection typically occurs when a user repeats usage patterns without completely updating the computer's antimalware protection during the disinfection process. Please see the reinfection troubleshooting article for more information.

Remote code execution (RCE)
A situation in which an attacker is able to execute arbitrary code without having physical access to the target computer.

Remote control software
A program that provides access to a computer from a remote location. These programs are often installed by the computer owner or administrator, and are only a risk if unexpected.

Remote procedure call (RPC)
An interprocess communication mechanism that enables data exchange and invocation of functionality residing in a different process; that process can be on the same computer, on the local network, or on the Internet.

Resident
Malware is resident if it continuously runs in the computer. Malware may make itself, or a copy of itself, resident by making computer changes that automatically set it to run when the computer starts up.

Rogue security software
Software that appears to be beneficial from a security perspective but which provides limited or no security capabilities, generates a significant number of erroneous or misleading alerts, or which may attempt to socially engineer the user into participating in a fraudulent transaction. If you would like to confirm if a program is a rogue, you can submit a sample to the MMPC for analysis.

Rootkit
A program whose main purpose is to perform certain functions that cannot be easily detected or undone by a system administrator, such as hide itself or other malware. Please see the rootkit article for more information.

Script (malware)
A type of malware that is written using a scripting language. Common forms of scripting language include JavaScript, HTML, and Visual Basic.

SEO
Search engine optimization.

Tool
A Tool detection is used for software that may have a legitimate purpose, but which may be abused by malware authors or attackers. A Hacktool detection is used for tools that have been designed more explicitly with malware authors or attackers in mind. A Virtool detection is used mostly for malware components, or tools that perform malware-related actions, such as rootkits.

Unchecked buffer
A condition in which the data written into a buffer is not validated; this may cause errors in the program when the data in the buffer is read.

Virtual machine
A computer within a computer, implemented in software. A virtual machine emulates a complete hardware system, from processor to network card, in a self-contained, isolated software environment, enabling the simultaneous operation of otherwise incompatible operating systems. Each operating system runs in its own isolated software partition.

WildList
A list of malware that is used for testing antimalware products.

XLStart
A folder, usually located in "%AppData%\Local\Microsoft\Excel\XLStart", into which you can place worksheets that you would like to automatically open when you start Excel.