DDOS ATTACKS & ATTACK TOOLS

1.1 General Description

During the last few years, in their increasing effort to raise havoc, the world wide community of hackers (also known as "crackers") started developing attack platforms for lunching global Internet scale coordinated DDoS attacks.
Most of these tools were designed using client-server (master and slave) architecture. The attack network consists of large quantities of attack daemons, small software agents, capable of receiving command and generating different kind of packets (usually simulating some sort of attack). Those daemons are centrally controlled by a single or few master applications, servers capable of generating the required attack commands thus controlling the attack and the targets.
The attacker can use the server application to order the attack.

1.2 Command Distribution Methods
1.2.1 Peer to Peer Distribution

In this architecture the master is aware (has knowledge) of all available daemons. Either through lists of infected intermediate hosts constructed and administrated by hackers which installed them or by "keep alive" messages sent by the daemons upon installation to a predefined location.
When distributing an attack command the master connects all the required daemons by sending them command packets.

1.2.2 Broadcast or Multicast Distribution

In this architecture the master uses some sort of broadcast mechanism to connect and distribute attack commands.
Due to broadcast packets filtering done by edge and core routers the most popular method for broadcasting commands is using an application based protocol which provides multicast features, such as IRC protocol (used mainly for chat applications).
In this case when the intermediate host connects to the Internet and becomes on line. The daemon connects to a predefined IRC channel. The attacker then can connect to the IRC channel using some sort of chat application and simply type the necessary commands. IRC protocol takes the commands and distributes it to all the connected daemons.

1.3 Frequently Used Attack Tools
1.3.1 Trinoo

This distributed attack tool is installed on intermediate host using a buffer overrun bug in the popular programs: "statd", "cmsd" and others. The daemon's code was compiled on Linux and Solaris operating systems. The daemons and masters are installed on root accounts privileges.
The basic trinoo daemon is cable of generating a UDP packets attack. The following packets parameters are controllable: destination address, packets sizes, attack duration.
The attack is generated against random UDP ports on the victim's host. The contents of the packets are randomly generated from the intermediary host memory, thus packets sent from a certain daemon will have the same payload but different daemons generate different payloads. The daemon is cable of attacking multiple targets at once.

1.3.2 TFN (Tribe Flood Network)

TFN installation procedure is similar to that of Trinoo and is based on buffer overrun bug.
These tools use the same master-daemon architecture, and are capable of launching ICMP floods, UDP floods, SYN attacks, Smurf attacks and a raw TCP packet generator. The daemon's source code was compiled on Linux and Solaris operating systems. The daemons and masters are installed on root accounts privileges.
Commands used by TFN are over ICMP protocol packets using fixed packet length (17 bytes).

1.3.3 Stacheldraht ("barbed wire")

Stacheldraht is a DDoS tool that started to appear in the late summer of 1999 and combines features of trinoo and TFN. The possible attacks generated by the daemons of this tool are similar to those of TFN, namely, ICMP flood, SYN flood, UDP flood, and SMURF attacks. It does not provide an on demand root TCP port (that TFN provides).
Stacheldraht also provides some advanced features, such as encrypted attacker-master communication (which makes detection and overtaking of daemon-master communication harder) and automated daemons updates which enables changes of the attack network with no re-deployment of daemon or masters.
Stacheldraht daemon is capable of producing ICMP, UDP and TCP-SYN packets of sizes up to 1024 bytes against multiple victim hosts. TCP-SYN packets are generated against random ports taken from selected range of port numbers.

1.3.4 Trinity

Trinity is capable of launching several types of flooding attacks on a victim host, including UDP, fragmentation, SYN, RST, ACK, and other floods. Communication from the master to the daemon is accomplished via Internet Relay Chat (IRC) or AOL's ICQ.
IRC attack daemon (including Trinity) will go online by connecting to a predefined IRC server and join a predefined IRC chat room. There it will await incoming commands. IRC chat relays are used in this matter to broadcast and distribute attack commands.
The following attack parameters are controllable: packet size (possibly random), ports (possibly random).

1.3.5 TFN2K

TFN2K is a complex variant of the original TFN with features designed specifically to make TFN2K traffic difficult to recognize and filter, remotely execute commands, hide the true source of the attack using IP address spoofing, and transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP.
TFN2K attacks include flooding (as in TFN) and those designed to crash or introduce instabilities in systems by sending malformed or invalid packets, such as those found in the Teardrop and Land attacks.
Commands sent between masters and daemons are sent using UDP, ICMP and TCP (or all three in random).
TFN2K generated traffic includes the following signatures: TCP and UDP header checksum contains errors, TCP header length is zero.

1.3.6 Shaft

A Shaft network looks conceptually similar to a trinoo. It provides the ability to generate TCP, UDP and ICMP (or all three combined) floods.
The attacker may control the following parameters: packet sizes, attack type, duration of the attack, list of targeted victims.
Shaft daemons also provide statistics on the attack (mainly packets generation rates) which enables the master to refine the list of targets.

1.3.7 MStream

The mstream uses spoofed TCP packets with the ACK flag set to attack the target. Communication between masters and daemons is not encrypted and is performed through UDP packets, masters are controlled by TCP packets.
MStream is in early stages of development, which means it can be used for generating a limited number of attacks.
The following attack parameters are controllable: victims IP addresses, duration of the attack.

Bibliography

1. The DoS Project's "trinoo" distributed denial of service attack tool, David Dittrich University of Washington - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
2. CERT® Incident Note IN-99-07 - Distributed Denial of Service Tools http://www.cert.org/incident_notes/IN-99-07.html
3. CERT® Advisory CA-1996-01 UDP Port Denial-of-Service Attack

Trinoo and TFN

4. National Infrastructure Protection Center - TRINOO/Tribal Flood Net/tfn2k http://www.nipc.gov/warnings/alerts/1999/trinoo.htm
5. SANS Institute - Distributed Denial of Service Attack Tools: trinoo and wintrinoo http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
6. Advanced Networking Management Lab (ANML), Distributed Denial of Service Attacks(DDoS) Resources - http://www.anml.iu.edu/ddos/tools.html
7. ISS Security Alert, December 7, 1999, Denial of Service Attack using the trin00 and Tribe Flood Network programs - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise40
8. The "stacheldraht" distributed denial of service attack tool, David Dittrich, University of Washington - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt

General attack tools exploits
9. CERT® Incident Note IN-99-04 Similar Attacks Using Various RPC Services - http://www.cert.org/incident_notes/IN-99-04.html

10. CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd - http://www.cert.org/advisories/CA-99-08-cmsd.html
11. CA-99-05 - Vulnerability in statd exposes vulnerability in automountd - http://www.cert.org/advisories/CA-99-05-statd-automountd.html
12. CA-98.11 - Vulnerability in ToolTalk RPC Service - http://www.cert.org/advisories/CA-98.11.tooltalk.html

Trinity
13. SANS Institute - "Trinity" Distributed Denil of Service Attack Tool, Michael Marchesseau - http://rr.sans.org/malicious/trinity.php
14. CERT Incident Note IN-2000-08. "Chat Clients and Network Security." CERT. 21 June 2000 - http://www.cert.org/incident_notes/IN-2000-08.html
15. X-Force. "Internet Security Systems Security Alert." Internet Security Systems. 05 September 2000 - http://xforce.iss.net/alerts/advise59.php
TFN2K
16. Axent releases a full TFN2K Analysis - http://www.securiteam.com/securitynews/5YP0G000FS.html
Shaft
17. Analyzing Distributed Denial Of Service Tools: The Shaft Case; Sven Dietrich – NASA Goddard Space Flight Center, Neil Long – Oxford University, David Dittrich – University of Washington - http://home.adelphi.edu/~spock/lisa2000-shaft.pdf
18. SANS Institute - An Analysis of the "Shaft" Distributed Denial of Service Tool - http://www.sans.org/y2k/shaft.htm

Mstream
19. The "mstream" distributed denial of service attack tool, David Dittrich, University of Washington - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt
20. Nation Infrastructure Protection Center, ADVISORY 00-044 "MStream Distributed Denial of Service Tool" - http://www.nipc.gov/warnings/advisories/2000/00-044.htm

Firefox Addon

Firefox Addon

This will be a basic guide to some common and basic hacking tools. This is intended mainly for those who have no prior knowledge of such and aren't sure where to begin. With some tweaking and common sense, you should be able to apply these to some of the missions on this site. I use the Firefox web browser(also known simply as FF) due to it's collection of add-ons, and will be referencing it throughout this tutorial. It doesnt mean that some of the things mentioned in here cant be done with other browsers, you just may need to find another way of doing it. I will suggest downloading Firefox as well as the following add-ons/tools:
Firefox:
Click here for Firefox
Go here and search for the add-ons but don't limit yourself to just these:
https://addons.mozilla.org/en-US/firefox
Web Developer
Firebug
RefControl
Live HTTP headers
Tamperdata
user agent switcher
FoxyProxy

Get acquainted with these terms:
Click for cookie info
Click for cache Clearing.

Basic Unix Commands

Basic Unix Commands


This is one of a series of handouts describing Solaris and Linux, the operating systems used on the Sun and other computers in the Rutgers University New Brunswick Division of Computer and Information Sciences. This handout contains a description of the most basic commands. It assumes that you know how to get to the system and to login. If you don't please see "Getting Started".

CONTENTS

* Typing Commands
o Delete
o Summary of special characters
* Setting things up
* Files and Commands that Deal with Files
o Common Commands Dealing with Files
o Printing
o Disk quotas
o More about Directories and "cd"
o More About Specifying Other Files Belonging to Other Users
o Some Useful Details: Ownership and Privacy
* The Shell
o Job control
* Using the Documentation and Help Facilities
o Man Pages
o Full Documentation
* Editors: Creating and Changing Files
o EMACS
* Related documents

Typing Commands
You will talk to Unix using your terminal's keyboard. Unix talks to you through your terminal's CRT screen. Notice that the keyboard looks much like a standard typewriter. In particular, many keys are labelled as they are on a typewriter.

There are a number of additional keys. Depending upon the type of terminal or workstation you are using, there may be "special function" keys above your keyboard, with labels like "F2", special keys to the left with labels like "L1" or "STOP", and special keys to the right with various special labels. More about them later.

The most important additional key is the Control key. This is located to the left of the normal letters, and is labelled "Control" or "Ctrl". It acts like a shift key, in that you hold it down and then type something else. For example, if you hold down Control and hit a C, that's called Control-C. When characters are printed, an uparrow is normally used, so Control-C would be printed as ^C. In different documentation, you'll see it called ^C, Control-C, Ctrl-C, or even C-c. Control-C is an important character to know about, but you can use it to interrupt programs. Suppose you are testing a program and it gets into an infinite loop. If you type ^C, the program will be killed. (This assumes that the program is a fairly simple one, like most of those you will write for assignments. It is possible for programs to block ^C, or to redirect their control to someplace unexpected. It also assumes that you type ^C in the window where the program is running.)

When you're typing a command, nothing will happen until you hit the "return" key. That gives you a chance to fix typos and look carefully at the command before you hit "return".

Unix is "case sensitive". That is, there's a difference between upper and lower case characters. The command "ls" will list all files in your directory. If you try to type it as "LS", you'll get an error message. Some commands use upper-case letters in the name, e.g. "Mosaic". In this case, you must use the upper-case letter exactly as shown. More commonly, some command options use upper case. For example, the "ls" command has an option called "-R". It must be typed in upper case. If a sentence begins with a command name, we'll violate the rules of English, and give you the command name as it really is: "ls" is the most common Unix command. However a lot of manuals will stick with English rules: "Ls" is the most common Unix command. The command is still "ls". It won't work if you type it as "Ls".

The same thing is true with file names. If you use both upper and lower case letters in a file name, you'll always have to type it that way. Some people use VeRy OdD CaPiTaLiZaTiOn in their file names. That's fine, but they'll have to remember to type the names that way all the time.

Delete
The most common key for fixing typos is "delete". This key deletes the most recent character you typed, and in most cases removes it from the screen. Unfortunately this key is the most complex, because there is confusion about which key and ASCII code should be used.

Our computers are configured to use the ASCII DEL character (decimal 127) to delete. Most keyboards now are set up with a key called "Backspace", which generates a different code (ASCII BS, which is the same as ^H, decimal 8). Some of our software will recognize either key, but not all of it. Thus you will either want to adjust our software to accept a backspace, or make sure that your keyboard generates a delete. Here's some advice, depending upon the type of keyboard you use:

Sun Workstations:
The newer Sun workstations have backspace keys. There is a delete key, but it's to the right, in a place that you probably wouldn't want to use regularly. If this is your normal workstation, I recommend putting the following command into the file .xinitrc in your home directory:

xmodmap -e "keysym BackSpace = Delete"

Micros at home:
PC keyboards generally have a backspace key, with delete being fairly convenient to get to. However most of the communications programs you would use from home have configuration options that let you set the backspace key to generate a delete. We recommend using that option.

If for some reason you prefer using a backspace rather than a delete, you'll need to tell Unix to treat the backspace character as delete. To do this, put the following command into the file .cshrc in your home directory:

stty erase "^h"

The disadvantage of this is that the editor emacs does not work well with this setting. So we only recommend this if you use a different editor (e.g. vi).

Summary of special characters
^C and delete are the most important special characters. Here's a summary of all the ones you'll want to use as a beginner:

^C
kill the current process
^D
end of file
^U
kill the whole line
^W
kill the previous word
delete
kill the previous character

There is one more character that we'll talk about later: ^Z. You should not use this unless you know about job control. It can get you into states that you won't know about to get out of.

^D is the end of file character. It's not used very often. However sometimes a program will open the terminal as if it were a file. In this case, what you type will become input to the program. There needs to be some way to tell the program when you're finished giving it input. ^D is it. (It corresponds to ^Z in MS/DOS.)

Setting things up
In order to help you to tell Unix about yourself, we have created a command called "newuser". The first time you log in, this will be run for you.

It does 3 things:

* It sets things up so the system will ask you what terminal type you are using, if it doesn't already know. If this happens, you'll see the line

Terminal type:

when you log in. It's looking for a terminal model name. These days the name "vt100" will work most of the time. (Don't type the quotes.)
* It will set things up so that you get the prompt "name> " instead of "% " when the system is waiting for a command -- where name is the name of the computer you're using. We recommend using the system name as a prompt so that you always know what system you are talking to. We do so much with networks around here that it is easy to forget. Also, the prompt will change to "topaz 2> " if you are talking to a subsidiary command parser. This will help you realize that you are in an unusual context.
* It will run programs that ask you for various information. Much of this is personal information. This is used to help other people find you, so that they can send email to you, etc. Supplying this information is voluntary. On some systems you may also be asked for a default printer and printer bin number.

This program creates some files for you, e.g. .cshrc and .login. You may want to adjust these files yourself. For help in doing so, see the handout "Tailoring Your Setup: .cshrc".
Files and Commands that Deal with Files
Most programs and data you use will be stored in "files". A file is an area of storage to which you assign a name. You can put anything you want into a file: a program, a set of data, or a paper you are writing. You usually decide what you want to call a file when you first create it and start putting data into it. However you can change the name later if you want to (with "mv").

Each file has a name. Normally the person who creates the file chooses the name. Names are from 1 to 255 characters, normally letters, digits, and some special characters such as "." and "_". There is a naming convention that you will do well to follow. Although it is not strictly necessary, it will help the system programs to figure out what you are doing. Under this convention, file names have at most one "." in them. The part of the name after the "." is called the "extension". It is used to describe what sort of thing is in the file. For example, "prog.p" is probably a Pascal source program, since ".p" is the extension normally used for Pascal. Similarly "prog.o" is probably a relocatable binary file, produced by compiling prog.p. Normally executable programs are given names without dots at all.

A collection of files belonging to a particular user, is called a "directory". The login procedure puts you in your own directory. When you refer to file names with no special qualification, you will get a file by that name in your directory. In order to refer to a file in another directory, you must specify the directory name in front of the file name. Directory names normally have "/"'s around them. For example, the file name "project.p" would be a file in your own directory. "/bin/rm" is a file in the directory "/bin". "/usr/ucb/mail" is a file in the directory "/usr/ucb". Normally you will be using files only in your own directory, except for systems programs that you run.

Most commands let you specify more than one file at a time. For example, to remove files "x" and "y", you could say "rm x y". ("rm" is the "remove" command.) There is also a shorthand that makes it easier for you to specify several files. The characters "*" and "?" in a filename act as "wildcards". A filename that includes one of them is actually a pattern. It expands to include a list of all files that match the pattern. For example, "rm *.s" would remove all files whose name ends in ".s". That's because * matches any character or sequence of characters. There can be more than one * in a name. E.g. "*pro*" will match all files with "pro" somewhere in their name. Since * will match the null string, this includes names that begin or end with "pro". The character "?" is used less often. It match any one character. So "rm ?.s" matches only files whose names have exactly 3 characters, the last of which are ".s"

In Unix, everything on the system is considered to be a file. The things that aren't really files are typically allocated pseudo-filenames in the directory "/dev". Thus your terminal is "/dev/tty", and the tape drive "/dev/mt0".

Common Commands Dealing with Files
Here are the most common commands that deal with files. Note that the following list does not show how to create or edit a file. This is done with an editor, which is the subject of a separate section.

cp oldfile newfile
CoPy a file
diff file1 file2
shows the DIFFerences between 2 files
du
shows the Disk Usage on the current directory. Note that Newer versions of Unix display usage in 512-byte units. Most users prefer to see Kbytes. To do that, use the command "du -k". If you want this all the time, put "alias du du -k" in .cshrc.
grep string files
search all the specified files for the specified string. (Actually, you can specify a fairly complicated search pattern, but you will have to do "man grep" for details on that.)
lpr file
print file on the Line Printer - Solaris
ls
LiSt all the files in your directory
more file
show a file on the terminal, stopping when the screen is full. Hit the space bar to get it to continue. (It is called "more" because when the screen is full, it says "more: " to tell you there is more to come.) This is the way that most people look at files.
mv oldfile newname
MoVe a file (i.e. give it a new name)
rm files
ReMove files

In order to keep things simple, we have not shown you the options for most of the commands. You should use the "man" command to find out the details. However the "ls" and print commands are used so much that it is worth taking a bit of time to explain them in more detail.

If you just type "ls", it will list all of the files in your directory.

The first option you have is to give it a filename to look for. "ls *.p" will show you all files than end in ".p". "ls /bin/a*" will show you all files starting with "a" in directory /bin.

So far all you will have seen are lists of filenames. It is also possible to ask "ls" to give you more information about a file. That's where the options come in. Options give extra details about how you want the command to be executed. Normally the options come right after the name of the command, with a hyphen in front of it. For example, "ls -l" will give you a "long-form" directory listing. For each file, this will show its size, creation date, owner, etc. If you wanted to see this information for all files ending in ".p", you would put the option before the file names, i.e. "ls -l *.p". If you want to specify more than one option, put all of the letters after the hyphen, e.g. "ls -lt" will give you a long-form listing, sorted by creation time. This is useful for reviewing the files you have created recently, since those will show up first. Here are the most common options for ls:

-a
all files [normally files starting . not shown]
-l
long form - give lots of information
-t
time-sorted - most recent first
-R
Recursively look into directories

The "-a" option requires some explanation. Filenames starting with "." are for files that you don't normally want to see. These include .login and .logout, which list commands that get done automatically every time you log in or out, and files giving default options for various other programs. The designers of Unix figured you would want to set up these options and then forget about them. Thus a normal "ls" will not show files whose names start with ".". "ls -a" will show all files, including those that start with ".".

Printing
In order to print a file on a printer, you need to know two things: the name of the printer, and what kind of file you're printing. There are so many printers that we're not going to list them here. In general, you should find a printer near where you're working, and ask the staff what its name is. However you can only print if the printer is attached to the network and will accept printouts from Unix. The RUCS public facilities all have such printers. So do many departments. On our Suns, the command "printers" will list printers that are valid on your machine.

Now for file type: Most files you deal with will be plain text files. These are files that you create or edit in a text editor such as emacs. You can print files like this without any special precautions. However when your file comes out of a program, you need to be a bit careful. If you want to see whether a file is printable, look at it using "more" or "emacs". If it looks normal in more, you can print it. You can also print Postscript files. They start with a line like this:

%!PS-Adobe-2.0

Many files can't be printed on a printer at all. For example, the output of a compiler is a binary executable file. It makes no sense to print it. It would come out as junk. In other cases, the file can be printed, but it requires a special program. The most common examples are the output of TeX or LaTeX, and graphics files such as .GIF files or files produced by the Island tools.

In these cases, you need a program that understands the file and can convert it into printable output. At Rutgers, you normally want the printable output in a format called "Postscript". Postscript is a special language that can be used to describe graphics, special effects such as boldface or italics, etc. There are "filters" to convert just about everything conceivable into Postscript format.

It used to be that we tried to do file conversion automatically as part of the print program. This has turned out to be a bad idea. If you look at the printer documentation, you'll find that options to do this are still around. However they don't always work well, and we will probably be removing some of them in the future. Now if you want to print something that needs conversion, we recommend that you run the converter program yourself. In many cases, the converter program can print the file automatically. The most command case is TeX and LaTeX (languages used for document processing). They produce output in a special format called DVI. We use a converter called "dvips" to convert this into Postscript.

Once you know the printer name, and any conversions needed, you can issue the print command. If the file is plain text or it's already been converted to Postscript, you can issue a simple print command, e.g.

lpr -P printer filename


If your file needs conversion, there are two possibilities. Some of the converter programs will issue the print command for you. dvips is an example of this. So to print a DVI file you could use the command

dvips -P printer filename

In other cases, the converter is a "filter". This means that it puts the converted output to "standard out". Filters are designed to be stuck together with the print command using "|" (the "pipe" character). For example, "ras2ps" is a converter that takes a Sun rasterfile (which is produced by certain programs that make a copy of your screen) and produces Postscript on standard output. So to print a raster file, you would use

ras2ps filename | lp -d printer

The man page should tell you whether the program sends the file to the printer itself, puts the output into a file, or puts it to standard output. If the program sends the file to the printer itself, that's all you need. If it puts the output into a file, then you'll need to use lp or lpr to print the file. If it puts the output to standard output, then you'll need to use "| lp" or "| lpr" after the program.

lp and lpr have many options. You should look at the man page to see what they are.

Disk quotas
In order to prevent one user from using hogging all the space, we have disk quotas on many of our systems. You are not allowed to use more space on a given file system than your. To find out what your quota is, type the command "quota -v". (Quota with no argument only prints something if you are over quota. It's suitable for use in .login.) Here is an example of what you will see:

Disk quotas for hedrick (uid 103):
Filesystem usage quota limit timeleft files quota limit
/ug/u1 69 1 3500 7.0 days 0 0 0
/ug/u2 0 1000 5000 0 0 0

Filesystem:
Files are stored in "file systems", for administrative convenience. Normally all your file will be in one file system, so you'll only see one line. However some users have two different places they can put files, on different file systems.
Usage:
is the amount of disk space you are using now, in KBytes (1024 bytes). It should be roughly the sum of the file sizes shown by "ls -l". However files are allocated in units of 2 KBytes, so there will be some rounding up.
Quota:
is the amount of disk space you are supposed to use. Whenever your current usage goes over this number, you will get a message such as "WARNING: disk quota (/ug/u1) exceeded". We realize that you often need more space than your quota temporarily, so this is just a warning. Your program will continue.
Limit:
is your absolute limit. If you go over that you will get a message like "DISK LIMIT REACHED (/ug/u1) - WRITE FAILED". Your program will probably blow up at this point. The limit is normally larger than the quota.
Timeleft:
will be explained below.

The second set of numbers (starting with files) refers to a separate quota on the number of files you can create. We do not use this, so those quotas and limits will always be 0.

In order to keep people honest, we have to make sure that you don't stay over your quota too much. The idea is that you are supposed to get your usage down to the quota when you log out. In login, this is checked. If you are over quota when you log in, you will get a warning message. It will say something like "Over disk quota on /ug/u1, remove 1K within 7.0 days". If you use the quota command, you will now see 7.0 days in the timeleft column. If you do not get within quota by that time, the system will conclude that you are a hopeless pig, and prevent you from creating any more files until you fix the problem. At that point, you will have to delete enough files to bring your usage down to the quota. You will then have to log out and log in again.

There is a possible problem with quotas. Current usage refers to all files that you own. That is, all files that show your name in the owner column when you do "ls -l". You own every file that you created. You also own your own mail file. So if someone sends you a lot of mail, this can put you over your quota. Also, if you copy a file into someone else's directory, you still own it, and it is still counted against your quota. If you want to give someone else a file, you should let them copy it. Note that current usage also counts files that have not yet been closed. If a program is still running, it may be using disk space that does not show in an "ls -l" command.

************ NOTE ***************

The following sections give more details about files and about using commands. On your first reading, you may want to skip to Using the Documentation and Help Facilities.

More about Directories and "cd"
Every user has a "home directory". This is a directory that is associated with the user name. Normally it has the same name as the user name, although there may be another directory or two above it. For example, the user hedrick might have a home directory "/u2/hedrick".

Most users end up with so many files that it is hard to keep track of them all. They end up wanting to create more directories. For example, they may have separate directories for each course they are working on. Normally these additional directories are put within the user's home directory. Thus if hedrick is taking courses 431 and 435, he might create directories /u2/hedrick/cs431 and /u2/hedrick/cs435.

To create a directory, use the command "mkdir". For example, "mkdir /u2/hedrick/cs435". As with file names, you often will not bother to type out the entire directory name. If you are currently in /u2/hedrick, it would be easier to type just "mkdir cs435".

At any moment you are always in some directory. In various documentation this is called your "current directory" or your "working directory". (To my embarrassment, some of our documentation calls it your "connected directory". This terminology is from TOPS-20, our previous operating system. It does not apply to Unix.) If you mention a file name but don't specify a directory, it refers to this current directory. That is, if you in "/u2/hedrick", then the filename "prog.p" means "/u2/hedrick/prog.p". You change current directories using the command "cd". The full form would involve naming the whole directory, e.g. "cd /u2/hedrick/cs431". As usual, you will often not bother to do this. For example, if you were already in /u2/hedrick, then "cd cs431" would change your directory to "/u2/hedrick/cs431".

The "pwd" command prints the current directory, in case you have forgotten. (pwd stands for Print Working Directory.)

Be sure you know where you are before you do mkdir. Otherwise you can have unintended effects. For example, suppose you were in /u2/hedrick/cs435 and you did "mkdir cs431". You would end up with /u2/hedrick/cs435/cs431. That's probably not what you intended. Of course if you want to be safe, you can use the full form: "mkdir /u2/hedrick/cs431".

The abbreviation ".." means the directory above the current one. This can be handy for getting back up to your home directory. If you were in /u2/hedrick/cs431, then "cd .." would get you to /u2/hedrick. You can use .. with other things, e.g. "cd ../cs435" would take you up to /u2/hedrick and then back down to /u2/hedrick/cs435.

The abbreviation "." means the current directory. This isn't normally needed, since this is the default. However a few commands require you to specify a directory names, and "." can be useful then.

More About Specifying Other Files Belonging to Other Users
It would be nice if the way to access Smith's files was always to give a file name starting with /smith. Unfortunately, things are not so pleasant. For efficiency reasons, Unix system managers do not generally put everything on the same file system. Thus you are likely to find two more levels of directory than you would expect. Typically users' directories have names like /ug/u1/smith and /grad/u2/jones. The top level directories represent separate file systems. These may be separate disk drives, or at least separate at least separate physical parts of the same disk drive. On most large Unix systems, there are at least 3 file systems: /, /usr, and at least one more file system for user directories. None of this matters particularly to you, except that it makes it harder for you to figure out where to look for a given user's files. For this reason, there is a special syntax: ~user. ~jones means the home directory for the user named "jones". It expands to /ug/u1/jones, /ug/u2/jones, or whereever jones may happen to be. So to refer to the file prog.p on hedrick's directory, you would type "~hedrick/prog.p".

Some Useful Details: Ownership and Privacy
Unix allows you to control who can access your files. If you don't do anything special, anyone on the system can read or execute any of your files. However you can do things to exercize more control over file access.

You can control access at two levels: the individual file, or the whole directory. In order to get to one of your files, someone else must have the authorization to look in your directory. If he can't look in your directory, then nothing else matters. Once he can look into your directory, then each individual file has its own code to say what he can do. So you can lock out users from individual files by changing the file permissions. Or you can lock them out from the whole directory by changing the directory's permissions. (In some of our documentation, the term "protection" is used rather than "permission". The proper Unix term is "permission.")

Some aspects of file protection depend upon "groups". A group is a set of users. It has a group id, which is a number, and a group name. The groups are set up by the system administrator. Normally they represent classes and research projects. So there is a group "cs431-a", which contains all students in Computer Science 431, section A. There is also a group "vlsi-design", which contains all users in the VLSI design project. One of the things you can do is to say that everyone in a certain group can access your files. If you find that you need a group that is not already defined, you should contact your system administrator, by sending email to the pseudo-user "help". The groups are listed in the file /etc/group.

In order to provide you with maximum flexibility, Unix allows each file to have three attributes that affect who can access it.

owner:
this person can normally delete or modify the file, and can change its protection and the group that is associated with it. The owner is normally the user that created the file. This means that if someone else puts a file into your directory, he owns it! (As a special convenience, you can always delete a file that is in your directory, even if its permissions would not normally allow you to.)
group:
different files can have different groups associated with them. You would normally choose a group that you want to have more access to the file than the rest of the world. For example, you might decide that members of your research project should be able to change the file, and everybody else should just be able to read it. Then you would set the group to your project's group. If you don't specify a group, it defaults to the group associated with the directory. The owner can change a file to any group that he belongs to.
mode:
the mode is a number that controls who can do what. It has separate fields for the owner, the group, and others. Thus the owner could allow himself to change the file, members of his group to read it, an other to do nothing at all. Or any other combination...

The commands "chown", "chgrp", and "chmod" are used to change the owner, group, and mode of a file. (However only a superuser can use chown.)

Although the mode is actually a number, you normally look at it by using the "ls -l" command. It displays the mode in a form that looks like the first line below.

-rwxr-x---
xxx owner
xxx group
xxx others
r read
w write
x execute (search for directory)

There are three groups of three letters. The first group applies to the owner, the second to the group, and the third to all others. The letters mean read, write, and execute. So the code "-rwxr-x---" means that the owner can do anything; others in his group can read or execute the program, but not change it; and others can't do anything with it at all.

As mentioned above, in order to be able to access one of your files, a user must have the appropriate permission in the file mode, but he must also have access to the directory itself. The protection bits have a slightly different meaning for directories. Read allows the user to read the directory as a file. In practice, this controls whether he can do wildcard operations such as listing all the files in the directory. Write controls whether he can do operations that involve changing the directory, i.e. create or remove files. Execute controls whether he can open existing files. If execute is missing, the user cannot open any file in the directory, even if the files themselves have permissions that would allow him to do so. If the execute bit is on, then the user can do operations on individual files according to their permissions.

Typically directories are set up to have modes "-rwxr-xr-x", which means that the owner can do anything, and everyone else can access files according to their individual modes. The "r-x" allows other users to look into the directory and at the files in the directory. Because "w" is missing, the other users can't create new files in the directory. If you wanted to have a totally private directory, you would use "-rwx------". In this case, no one else could look at anything in it. If you wanted members of your group to be able to create files in your directory, you might use "-rwxrwxr-x".

In Unix, file names and files are conceptually separate. It is perfectly possible to have two different names for the same file. In that case, there are simply two different directory entries that point to the same file. In order to avoid confusion, the term "i-node" is used to refer to the file as a physical entity. So we would say that a file with two names is an "i-node" having two directory entries that point to it. We refer to the connection between a directory entry and an i-node as a "link".

The "ln" command can be used to link a new name to an i-node. The format is "ln old-name new-name". Note that it is perfectly possible for the two names to be in different directories. So you and your friend could share a file by using the "ln" command to create a second link to it. Note that the ownership information is part of the i-node. So the one that created the file initially would still own it. But it would appear identically in both of your directories. The file will continue to exist until both of you delete it. That is, the "rm" command really only removes the link from a name to an i-node. The i-node goes away when there are no more links to it.

There is an additional kind of link, a "symbolic link". This is a link from one name to another name, instead of from a name directly to an i-node. Suppose you wanted to make "myprog" in your directory point to your friend's version: "~smith/myprog". You could of course say "ln ~smith/myprog myprog". However if your friend ever deleted myprog and created a new one, your link would continue to point to the same i-node, namely the old file. So you might prefer to use a symbolic link: "ln -s ~smith/myprog myprog". This says that myprog in your directory is linked to ~smith/myprog, whatever it may happen to be at the moment. That is, instead of being linked to a particular physical file, it is linked to the name. Most people do not use symbolic links. A normal link (technically called a "hard link") will normally do the right thing. There are special provisions in the editors so that when you edit a file that has more than one link, all of the links are maintained. But there are some situations where a symbolic link may make sense.

Unless you are a super-user, you can't create a hard link between two directories. So one of the more common uses of symbolic links is for directories. Suppose you have a friend who is working with you on files in the directory /ug/u2/smith/cs431/source. You may not want to type all of that every time you want to access one of his files. So you might do "ln -s /ug/u2/smith/cs431/source smith". Then if you refer to "smith/foo" you will really get "/u2/smith/cs431/source/foo".

The Shell
The commands that you type to the system are processed by a program called the "shell". The shell reads your command, and then calls a program to execute it. The shell can't do very much on its own. But it is an expert at coordinating other programs. There are several different shells used on Unix. They all understand the same basic commands, but they have different additional features. The shell that we use at Rutgers is an extended version of the C Shell, called tcsh. Users from Bell Labs or ATT may be used to the Bourne shell, or an extended version called ksh. If you want to use that, you can use the command "chsh yourname /bin/sh". chsh changes your default shell.

You will normally be talking to the "top-level" shell, that is the shell that is created when you log in. However some programs have commands that create another shell. You would normally use one of these commands if you are in the middle of something and suddenly need to do an "ls" or some other command. When you are in one of these subsidiary shells, the "exit" command will get you back to the program that called the shell. If you have not set ignoreeof, ^D will also exit from a shell.

Normally what you type to the shell is the name of a program followed by arguments. For example, when you type the command "rm *.p" (which deletes all files ending in .p), this is really a request to run the program "rm". Normally, the shell looks on your own directory first to see whether you have a program called "rm". If not, it then looks on a set of system directories where commands are normally kept. That allows you to create your own version of commands, which you will get instead of the normal ones. If you want to execute a program from someone else's directory, you can give a name that specifies the directory, e.g. "/fac/u1/hedrick/rm *.p" would run a program from the directory "/fac/u1/hedrick". The exact list of directories where the shell looks is defined by a variable called your "path". To change it, you can use a command such as

set path = (. /usr/local/bin /usr/ucb /usr/bin /bin /etc)

"." means the current directory.

The shell processes the wildcards, * and ?. So if you type a command such as "rm *.p", the shell looks in your directory for all files ending in ".p". It then run the program "rm", passing it an actual list of files, such as "lastprog.p prog1.p prog2.p". Thus means that individual programs don't have to have special provisions to deal with wildcards.

You can tell the shell to direct a program's primary input and output to something other than the terminal. This can be useful in case you want to put output in a file. For example, suppose you want to put a list of your files into "filelist". You could use the command

ls >filelist

The ">filelist" tells the shell to redirect the output from the "ls" program to the file "filelist". You can also redirect input, by using <. You can direct one program's primary output directly into another program's primary input. (The device used for doing this is called a "pipe".) For example, suppose you have so many files that the "ls" command fills up your screen 3 times. You might do the following: ls | more This directs the output from "ls" into the program "more". More is a program that prints its input, stopping every N lines (where N is the length of your terminal screen). You can construct long chains of programs in this way, e.g. ls | sort | more which passes output from "ls" through "sort", and then to "more". Many commands let you specify options. Normally options begin with a "-". For example, the "ls" command has options "-l" (long form listing) and "-t" (sort in order of creation time). You normally put options before any other arguments. Thus the following commands would be legal: ls -l ls -l *.p There are two different ways of specifying more than one option. Either you can specify the options separately, e.g. "-l -t", or you can combine them into a single option "-lt". Many commands accept either one. However you may run into occasional commands that require one or the other syntax. The documentation for each command describes the exact syntax that it is prepared to accept. The following sections describe some more sophisticated features of the C shell. You may not want to read them the first time through. If not, skip to the next chapter. Job control The C shell allows you to run and keep track of more than one process at a time. For reasons known only to the folks at Berkeley, the processes running under control of the shell are known as "jobs". This terminology is potentially confusing, since the term job is more commonly used to refer to an entire session, i.e. to everything that you are doing. When you type a normal command, the shell starts the program you have requested, and waits until it is finished. If this were the only tool available to you, you could only do one thing at a time. You can interrupt a process by typing ^C, but this kills the process. So this still doesn't let you do more than one thing at a time. The first, and most common, way to do more than one thing is to put a "&" at the end of a command. E.g. suppose you want to get a list of all the files on your directories, and you don't want to wait for this to finish. You might type ls -R >files &

The & specifies that the shell should start the command but not wait for it to finish. You can now issue more commands, and forget that the "ls" is still happening. A program that is running this way is "in the background". That is, it does not interfere with anything else you might be doing.

There is some question about what should happen to the terminal when a background job is running. In the example I just showed, the "ls" command sent its output to a file. But suppose you did "ls -R &". This command would still run in the background, and you could still proceed to do other things, but all the output from the command would come to the terminal. Since "ls" produces output continuously, it wouldn't be very practical for you to try to do anything else while it was running. The situation is even more interesting if the program reads from the terminal. Suppose a background program tries to read from the terminal at the same time that the shell is waiting for a command. You would have no way to know where your input is going to go. For this reason, the system will normally stop a background program when it tries to read from the terminal. The assumption is that you will eventually notice that the program is waiting for input, and will continue it as a normal "foreground" program.

The other way to get more than one thing happening at a time is the ^Z command. This stops the currently running job. But unlike ^C, it leaves the job around. You will be able to continue it later. Suppose you are typing a mail message and realize that you have to look something up in order to include it in the message. You can type ^Z. This will stop the mail program, but leave it around. You then look at whatever you need. You can come back to the mail program by typing "%mail". You can also continue a job in the background by doing "%name &". In the case of mail that wouldn't be too useful, since mail is going to need input from the terminal. But some programs ask a few questions and then go off and compute. In that case, you might run the program, answer the questions, and then type ^Z followed by "%name &" to get it into the background.

Before you can really use all of these commands, you need to know how to refer to a job. To get the terminology straight, let's start by looking at the output of the command "jobs":

geneva> jobs
[1] Running ls -R /
[2] - Stopped mail hedrick
[3] + Stopped emacs

Here we see a situation where there are 2 jobs stopped by ^Z and one running in the background. (It must be in the background, since otherwise I couldn't ever have typed the "jobs" command.) There are four different ways to refer to one of these jobs:

by job number:
in this case %1, %2 or %3. A % is always used to indicate this type of notation.
by job name:
This is the name of the program that is running, again with a %. So the job names would be %ls, %mail, and %emacs.
by system-wide process id:
You would have to do a "ps" command to find out the pid for these processes. Even then, it wouldn't be all that useful, since only certain commands (most commonly, the "kill" command) take pids as arguments.
by default:
Some of the commands default to the "current job". This is the one with the + next to it. The - is the previous job. This would become current if the current one finishes.

There are actually two different ways to continue a job. You can simply use the job name as a command, e.g. "%3" or "%emacs". Or you can use the "fg" or "bg" commands, which continue a specified job in the foreground or the background. "fg" and "bg" default to the current job. If you have just stopped a job, "fg" is probably the most convenient way to continue it, since you don't have to think about what to call it. But if you want to continue some previous job, it is probably easier to type a command like "%emacs", rather than "fg %emacs".

Two other useful commands commands that deal with processes are "kill" and "stop". Both of these allow either %name or %number. Kill also allows a system-wide pid. In general, kill is equivalent to ^C. That is, it gets rid of a job permanently. You would normally use it to kill a job that is stopped or running in the background. (If the job is running normally, you would just type ^C.) Some programs will trap the kill command. If you want to get rid of them, you have to use "kill -9", e.g. "kill -9 %emacs". This can be slightly dangerous. Normally processes trap a kill because they want to be able to clean up after themselves. If you use kill -9, they may leave temporary files lying around, etc.

The stop command is equivalent to ^Z. You would normally use it for a job that is running in the background. (It wouldn't make any sense for a job that is already stopped, and for a normal job, you would just type ^Z.)

Using the Documentation and Help Facilities
Man Pages
Unix has fairly complete documentation online. That is, for each command or program, there is supposed to be a "manual page" that describes it. To access these manual pages, you use the "man" command. For example, "man ls" prints the manual page describing the "ls" command.

In order to use the man command, there are some things you should know. First, for substantial programs, the manual pages are not complete. The intent is that they should tell you how to run things, but they should be short enough to read on your terminal. So "man pascal" will tell you how to run the Pascal compiler, and list all of the options. But it will not print out a complete Pascal language reference manual. There are separate manuals for the languages, the mail system, the document processors, and certain other complex pieces of software. Generally the manual page will refer to this separate documentation if it exists. Larger documents are normally put in the directory /usr/doc.

Second, the manual pages are organized into chapters. It is sometimes helpful to know what the chapters mean. For example if you ask "apropos" what documentation there is on "unlink" it will offer you man pages from sections 2 and 3. It is useful to know that section 2 is system calls and section 3 is subroutines. So if you were looking for the Fortran subroutine, you would want the one in section 3. Here are the chapters:

1:
Commands
2:
System calls
3:
Subroutines
4:
File formats and conventions
5:
Miscellaneous documentation
6:
Games and demos
7:
Special files (i.e. devices)
8:
Items of interest to system managers (under Solaris this is in section 1m)
9:
Device drivers (Solaris only)

So if you are looking for commands and programs, you will only be interested in documentation from section 1.

Note that Berkeley and System V used different numbering conventions, and this difference has carried over to Solaris. Solaris has additional suffixes for sections 1, 3, 4, 7, and 9. For example, section 1 has the following subsections under Solaris:

1b:
Berkeley compatibility commands
1c:
commands related to UUCP
1f:
commands related to FMLI
1m:
administrative commands
1s:
system development commands (seems to contain only "make")

Section 3 has many subsections. Here are some of the more useful:

3f:
Fortran library
3m:
Math library
3n:
Internet network library
3s:
C standard I/O routines
3x:
other libraries

If you want to get an overview of what is in a given section, you can use a command like "man 3 intro", which will print the introduction to chapter 3.

You can get an overview of one of these subsections by typing a command like "man 3f intro".

The "man" command is useful for finding a description when you know what something is called. But suppose you want to remove a file, but you can't remember the name of the command that does that. The "man" command can't help you, because you don't know what to look up. "apropos" is designed for these situations. apropos searches an index containing the titles of all the man pages. It prints all title lines containing its argument. So "apropos remove" would print all title lines that contain the word "remove". Generally the title lines are written so that they contain most of the keywords people would use for looking them up. Of course you do still need to know something about Unix terminology. (E.g. you have to know to look for "remove" instead of "delete".)

By a judicious combination of "apropos" and "man", you should be able to find anything you want to about the system. What these will not do is give you overall system conventions, and the context you need to make sense out of these pages. (That is what this document is for.)

Full Documentation
The man pages are intended to be fairly brief documents, that can be read on a terminal. There are also full-scale reference manuals describing the system and most of its software.

Many people it helpful to buy books about Unix or some Unix programs. Several local bookstores now carry a good collection of computer books (e.g. Borders). The publisher O'Reilly is particularly known for producing good books about Unix and Unix-related topics. If you want to learn how to write programs for X, their books are almost essential. They also publish detailed manuals about many topics related to system administration. However we don't know of anything that's good for just teaching you how to use Unix and debug programs. (That's why I've spent the time to write these handouts.) This set of online documents, plus the man pages, may be all you need as a general introduction. For complete novices, we sometimes recommend "Unix for Dummies". However it spends much of its time describing files and other basic concepts. People who have gone through the first semester computer science course shouldn't need it.

Editors: Creating and Changing Files
When you want to create a new program or change an existing one, you will use an editor. An editor is a program that reads in a file, lets you modify it, and then writes out an updated copy of it. The editors that we use are "full-screen" editors. This means that they display a piece of your file on the screen. In order to change or add to the file, you move the cursor around the screen until it is pointing to the place where you want to make the change. Then you use editor commands to delete and/or insert things. The changes that you make show up immediately on the screen. Of course it is also possible to move the "window", i.e. to change which portion of the file is showing on your screen.

When you are in an editor, you are actually working with a copy of the file. That is, the changes that you make do not show up in the file itself, but rather in a copy of that file that the editor maintains in memory. When you are satisfied with your changes, you instruct the editor to make the changes in the permanent copy of the file. Sometimes something horrible will happen while you are editing. If you want to forget all of your changes, you can exit from the editor without writing the changes back into the file. In this case, the file will not be changed at all.

Editors are very different in their commands from the rest of Unix. In most programs, commands are words or abbreviations. They are designed to be easy to remember and read. However in an editor, commands are usually single characters. Initially, this makes most editors look somewhat cryptic. However there is a good reason. You will be using the editor so much that you would quickly become tired of long commands. For example, if you want to move the cursor down 4 lines, it is very easy to hit the downarrow key 4 times. How would you like to have to type the word "down" 4 times? Normally commands are typed "in the dark". That is, you don't see the command on the screen as you are typing. Instead, you see its effect. For example, when you type a delete command, the character you are deleting disappears from the screen. You don't see the delete command itself.

Most of our users will use the editor EMACS. So the following section describes it in more detail. There are several other text editors available on the system. You can use any of them that you prefer. One advantage of EMACS is that it is available on almost every system at the University. It is also available for most common PC operating systems.

EMACS
To edit a file using EMACS, just type "emacs filename". This works whether the file exists or not. If the file does not exist, it will be created the first time you use a command that updates the file.

You may get an error message "emacs: terminal "xxx" isn't powerful enough to run Emacs." Normally this means that the system does not know what kind of terminal you are using, or the type you have specified is not known. This probably means that you specified the wrong thing when you logged in. Try the command "echo $TERM" to see what the system thinks your terminal type is. You can change it to another type by using "set term", e.g. "set term = vt100".

The best introduction to EMACS is the EMACS tutorial program, "teach-emacs". To enter the tutorial, type the command "teach-emacs" from Unix command level. The following sections will give you a quick introduction, which should be enough to let you do some useful work.

In EMACS, there is no distinction between "command mode" and "insert mode", as there is in most editors. Whenever you type a normal printable character, it is inserted in the file immediately. The commands are all control characters or something equally unusual. Since you normally don't want to put control characters into your text, it is easy enough to tell what things are commands and what are text that you want to go into your file. So in EMACS, to add some new text, you just get to the right place and start typing. To execute a command, just type it.

As it turns out, there weren't enough different control characters to satisfy the designers of EMACS. They wanted more commands. So there are also some prefix characters that are used to make up 2-character commands. The most common ones are "escape" and "^x". "escape" following by anything is a command. So is "^x" followed by anything. (Escape is a special key, normally labelled "ESCAPE" or "ESC". On some older terminals it is labelled "ALTMODE" or "ALT".) Actually escape has one other use: escape followed by a number sets up a count for the next command. For example, "^d" deletes the next character. "escape 5 ^d" deletes the next 5 characters. [It's hard to write these key sequences. "escape 5 ^d" represents three keypresses: escape, 5, and control-d.]

The most common commands are put on a separate "keypad". This is a special set of keys to the right of the normal keyboard. On most of our terminals, the keys are labelled with the digits, and look like the keyboard of a desk calculator. When you use them in EMACS, you should ignore the labels. The most important keys are used to move the cursor around the screen.

what they do how they are labelled

up 8

left right 4 6

down 2

Here are enough other commands to get you started doing useful work.

^v
move forward a screenful
escape v
move back a screenful
^s
search for a specified string; asks for string
^d
delete a character
rubout
delete previous character
^k
kill (delete) the rest of the current line
^a
go to the beginning of the line
^e
go to the end of the line
escape < go to the beginning of the file escape >
go to the end of the file
^o
open up a new line
^y
put back the most recently deleted lines
^x^s
make the changes in the file
^x^c
exit

It is probably useful to give some additional information about some of these commands. There are two reasonable ways to add a new line. One is to go to the end of the line before the place where you want to put it and hit the carriage return to create the new line. The other is to go to the beginning of the line after it and hit "^o". In either case, the cursor will be left on the new line, ready for you to type in new text.

^k has a somewhat odd but useful definition. If you are in the middle of a line, it deletes the rest of the line. If you are at the end of the line, it deletes the newline at the end. That is, it joins the next line to the end of the current one. If you want to kill the whole line, this means that you should get to the beginning of it and do "^k" twice. The first time clears the line. The second time gets rid of the newline at the end.

^k can be used with ^y to move text around. When you kill lines with ^k, they are remembered in a "kill buffer". You can then to somewhere else and do ^y. This will cause the lines that you killed to be resurrected at the current location. You can put the same lines several places by doing ^y in several places. NB: If you do a few ^k's, then move the cursor, then do a few more ^k's, only the last set of lines killed will be in the kill buffer. Of course if you know how many lines you want to move, it is easier to do "escape 5 ^k" than ^k 10 times. (10 times because you have to type ^k twice to kill a single line.)

To exit from EMACS, first write out the updated version of the file by typing "^x^s", and then leave by typing "^x^c".

EMACS protects you against various kinds of disaster by keeping backup copies of your file. These have the same name as the original file, with .BCK or .CKP added to the end. If may find it a good idea to do "rm *.BCK *.CKP" now and then.

20 Killer Perl Programming Tips for Beginners on UNIX / Linux OS

20 Killer Perl Programming Tips for Beginners on UNIX / Linux OS

If you are a Linux sysadmin who writes occasional perl code (or) a developer who wants to learn perl program language, these 20 basic perl programming tips and tricks explained in this article will give you a jumpstart.


1. List all Installed Perl Modules from Unix Command Line

Get a list of all installed perl modules as shown below.

$ perl -MFile::Find=find -MFile::Spec::Functions -Tlw -e 'find { wanted => sub { print canonpath $_ if /\.pm\z/ }, no_chdir => 1 }, @INC'

/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/Filter.pm
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/LinkExtor.pm
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/PullParser.pm
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/Parser.pm
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/TokeParser.pm
.....
In the above example,

File::Find and File::Spec::Functions module are used to list all installed modules.
-M option loads the module. It executes use module before executing the script
-T option enables taint checking, which instructs perl to keep track of data from the user and avoid doing anything insecure with it. Here this option is used to avoid taking the current directory name from the @INC variable and listing the available .pm files from the directory recursively.
-l option enables automatic line-ending processing in the output. Print statements will have the new line separator (\n) added at the end of each line.
-w option prints any warning messages.
-e option indicates that the following string is to be interpreted as a perl script (i.e., sequence of commands).
2. List all Installed Perl Modules from a perl script (Using ExtUtils::Installed package)

Use the following perl code snippet to get a list of installed perl modules.

my $Inst = ExtUtils::Installed->new();
my @Modules = $Inst->modules();
print "Current List of Installed PERL Modules:\n\n";
foreach my $mod(@Modules){
print "$mod\n";
}
Note: The module ExtUtils::Installed is not pre-installed with perl program. So you should install it from cpan.

3. List Perl Modules Using Perldoc Command

perldoc perlmodlib lists all the modules that comes pre-installed with the perl program.

$ perldoc perlmodlib

Attribute::Handlers Simpler definition of attribute handlers
AutoLoader Load subroutines only on demand
.........
Note: You can also use ‘perldoc perllocal’ command to identify additional perl modules that are installed.

$ perldoc perllocal
perldoc perllocal command lists all optional modules installed in the system with the following information:

Installation date
Directory location of where the perl module is installed
Perl Module version number
etc.,
4. View Perl Documentation From Unix Command Line

You can use either perldoc or man command to get help about a particular perl module as shown below.

$ perldoc Regexp::Common

(or)

$ man Regexp::Common
If the perl document is not enough, use perldoc option -m, to view both source code and unformatted pod documentation of the specified perl module.

$ perldoc -m Regexp::Common
To view documentation on a specific perl function, use the option -f, as shown below.

$ perldoc -f splice
5. View Online Perl Documentation (or Download it for Offline Use)

Lot of excellent perl tutorials are available online at Perl programming documentation.

From this website, you can also download the HTML or PDF version of the perl documentation for offline viewing.

Full version (contains HTML and PDF files) – perldoc.tar.gz
Lite version (contains HTML files only) – perldoc-html.tar.gz
6. Read Perl Documentation Using Podbrowser

Download the podbrowser. You can browse the installed perl modules, functions, and perl documentation visually from the podbrowser. From their website:

PodBrowser is a documentation browser for Perl.
You can view, search and print documentation for Perl's
builtin functions, its "perldoc" pages, pragmatic modules
and the default and user-installed modules.
Note: You can also use Vim editor as Perl-IDE as we discussed earlier.

7. Modify CPAN Module Configuration Manually

To install the perl modules from Linux command line, use CPAN. We discussed earlier about how to install perl modules — both manually and using CPAN command.

The first time you use the Perl module CPAN ( perl -MCPAN ), a script is executed to configure several options. For example, it configures the location of tar, gzip and unzip files, the cache size for the build directory, source file location etc.,

To reconfigure CPAN module configuration files manually you can edit one of the following files.

~/.cpan/CPAN/MyConfig.pm – User specific Perl CPAN Configuration file
/etc/perl/CPAN/Config.pm – System-wide Perl CPAN Configuration file is stored somewhere in the perl module directory tree.
$ vim ~/.cpan/CPAN/MyConfig.pm

(and / or)

$ vim /etc/perl/CPAN/Config.pm
8. Modify CPAN Module Configurations Interactively

Launch the cpan shell as shown below and execute o conf init, which will ask “are you ready for manual configure”, give your option ( Yes / No ) to continue. This will list all the configuration parameters along with it’s value.

$ perl -MCPAN -e shell

cpan> o conf init

cpan> o conf
9. Verify if a Perl Module is Installed

If you like to know whether a perl module (for example, Regexp::Common) is installed, execute the following command. If you get “1″ as the output, then the specified perl module is installed. If not, you’ll get the error message as shown below.

$ perl -MRegexp::Common -le 'print 1'

Can't locate Regexp/Common.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .).
Note: You can also check if perl module is installed using perldoc or man command. If the perl module is installed the manual page of the module will open successfully. If not, it will say “no manual / documentation found for this module”

$ perldoc Regexp::Common

$ man Regexp::Common
10. List the Directories Where Perl Modules are Located

The perl array @INC contains the list of places that the ‘do EXPR’, ‘require’, or ‘use’ constructs look for their library files. The following one-liner shows the contents of the @INC perl array:

$ perl -e 'foreach $folder (@INC) { print "$folder\n";}'
11. Check the Version of an Installed Perl Module

To check the version number of a module use the following command.

#-- check the version number of CGI module
$ perl -MCGI -e 'print "$CGI::VERSION \n"'

#-- check the version number of Regexp::Common module
$ perl -MRegexp::Common -e 'print "$Regexp::Common::VERSION \n"'
Note: Also, make sure to read our review about the Perl Best Practices book.

12. Specify the Minimum Perl Module Version to Use

Sometimes you might want to use a specific version of a perl module in your program. To avoid using earlier version of that module, append the minimum version number you want in the use ‘module’ statement as shown below.

#-- Use version 5.8 of later of module LWP
use LWP 5.8
Note: Your perl program will exit with an appropriate error message if the installed module version is lower than the version you specified in the use command.

13. Useful Perl Modules to Develop Web Applications

If you are developing web application, you might want to consider using the following perl modules.

CGI – General purpose module for creating web pages
Template – Template Toolkit to generating dynamic web content
LWP – LWP is used to fetch web contents
WWW::Mechanize – Use this to automate interaction with a website
14. Determine the Operating System the Perl Script is Running Under

The name of the underlying operating system is stored in the variable $^O. Following are some of the common $^O value

linux – Linux
MSWin32 – Windows
aix – AIX
solaris – Solaris
Note: The value stored in $^O contains only the name of the operating system, not the release number. To determine the release number, consider using POSIX::uname() from POSIX package.

15. Define Constant Values Inside Perl Script

The best way to define constant values is to use Perl Readonly or Constant module as shown below.

use Readonly;
Readonly my $PI => 3.1415926535;

(or)

use Constant PI => 3.1415926535;
Please note the following:

Using Readonly module you can define Readonly scalars, hashes and arrays.
If you try to modify a Readonly variable, the program will die.
16. Determine the OS User and/or OS Group Running a Perl Script

Use the following predefined variables to get the user and group information of the current process:

$< – real user id (uid); unique value $> – effective user id (euid); unique value
$( – real group id (gid); list (separated by spaces) of groups
$) – effective group id (egid); list (separated by spaces) of groups
Please note the following:

This information applies only to Unix systems
The values that theses variables hold are integers.
To get the user and group names, use ‘(getpwuid($<))[0]‘ (for user information) and ‘getgrgid($()’ (for groups). 17. Executing External Commands There are many ways to execute external commands from Perl as explained below. system() – you want to execute a command and don’t want to capture its output exec – you don’t want to return to the calling perl script backticks – you want to capture the output of the command open - you want to pipe the command (as input or output) to your perl script 18. Parse Plain Messy Perl Script Using B::Deparse Got a chunk of obfuscated or just plain messy and hard to read Perl code? The B::Deparse module may be able to help. It compiles, then decompiles the program it is given, expanding it out and formatting it nicely. It removes the comment lines written in the perl program. To run it at the command line, type “perl -MO=Deparse prog.pl”. Here is an example of its usage, First create the input program: $ cat scary.pl for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&& (tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X; /(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1."); Pass the perl script scary.pl to the Deparse module $ perl -MO=Deparse scary.pl foreach $_ (74, 117, 115, 116) { $a .= chr $_; } ; $_ .= 'qwertyui' and tr/eiqrtuwy/nr oteah/ foreach ($b); foreach $_ ($c) { $_ .= $^X; /(p.{2}l)/; $_ = $1; } $b =~ /(..)$/; print "$a$b $c hack$1."; scary.pl syntax OK 19. List Installed DBI Drivers DBI is the standard database interface module for Perl. The following Perl program prints a list of all installed DBI drivers. use strict; use warnings; use DBI; print map "$_\n",DBI->available_drivers;
Example output of the above program:

DBM
ExampleP
File
Proxy
Sponge
mysql
If the driver you require is not installed, use CPAN to find the right DBD (database driver) module.

20. Regular expression special variable

One of the most useful feature or the most powerful string manipulation facility in perl is regular expression.

At heart of this is the regular expression which is shared by many other UNIX utilities.
Perl has a host of special variables that get filled after every m// or s/// regex match.

$1, $2, $3, etc. hold the backreferences.
$+ holds the last (highest-numbered) backreference.
$& (dollar ampersand) holds the entire regex match.
$’ (dollar followed by an apostrophe or single quote) holds the part of the string after (to the right of) the regex match.
$` (dollar backtick) holds the part of the string before (to the left of) the regex match.
Using these variables is not recommended in perl scripts when performance matters, as it causes Perl to slow down all regex matches in your entire perl script.

All these variables are read-only, and persist until the next regex match is attempted.
Example

$string = "This is the geek stuff article for perl learner";
$string =~ /the (g.*) stuff(.*) /;
print "Matched String=>$&\nBefore Match=>$`\nAfter Match=>$'\nLast Paren=>$+\nFirst Paren=>$1\n";
Output of the above example :

Matched String=>the geek stuff article for perl
Before Match=>This is
After Match=>learner
Last Paren=> article for perl
First Paren=>geek

Gmail Account Hacking Tool

A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Deacon hackers’ conference in Las Vegas.
Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.
When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.
Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.
The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks. Todd Mumford, from the SEO Company called SEO Visions Inc, states “This can be a serious problem for Internet Marketers who travel often and use their wireless laptops and Gmail services often and do not always have access to a secure connection”
Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”
If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.

Glossary of Computer Threat Terms

A B C D E F G H I J K L M N O P R S T U V W Z


This suffix is often attached to a virus' name to indicate the virus is a slow mailer. An important distinction, in terms of threat assessment, is made between slow mailers (which send one 'infected' message at a time or occasionally send small batches of infected messages) and mass mailers.

This suffix is often attached to a virus' name to indicate a virus that distributes itself from victim machines via mass mailing. An important distinction, in terms of threat assessment, is made between mass mailers (which send large numbers of infected messages at once) and slow mailers (also see @m).
Return to top


A

Adware or Ad ware
Software that downloads and displays advertisements. This kind of software is often bundled with Freeware. The software license may say that by installing the software you agree to accept advertising. See also Spy ware or Spyware.
Alias
Unfortunately, there is no one standard, accepted rule for naming viruses. Hence, even though informal groups, such as CARO, have discussed conventions for virus naming, differences still exist between antivirus software companies and research organizations. Thus where the term ‘alias’ or ‘also known as’ occurs, it refers to different names that the same virus may be given by other sources.
Annoyance
Any trojan that does not cause damage other than to annoy a user, such as by turning the text on the screen upside down, or making mouse motions erratic.
ANSI Bomb
Character sequences that reprogram specific keys on the keyboard. If ANSI.SYS is loaded, some bombs will display colorful messages, or have interesting (but unwanted) graphical effects.
Anti-antivirus Virus
Another term for a retro-virus.
Anti-emulation
To reliably detect polymorphic viruses, scanners include code emulators to simulate the running of executable code and check whether it decrypts to a known virus. An emulator must stop emulating a program once it is no longer necessary to continue doing so and for performance reasons many emulators have simple rules for quickly determining a stopping point. Some polymorphic viruses include tricks attempting to defeat these code emulators by fooling them into quitting the emulation before the decryption code has finished its work. Such methods are commonly called anti-emulation techniques.
Anti-heuristic
Efforts by virus writers to avoid having their code detected as a possible new virus by heuristic detection are known as anti-heuristic techniques. What works depends on the heuristics approach of different scanners, but some code obfuscation techniques seem to clearly be anti-heuristic.
Antivirus Virus
The idea of making an antivirus program itself viral so it can propagate to where it is most needed is a very old one. Such a program would be an antivirus virus. It is universally agreed among reputable antivirus researchers to be a very bad - even dangerous - idea, and should be avoided at all costs.
AOL Pest
Any password stealer, exploit, DoS attack, or ICQ hack aimed at users of AOL. ICQ is an instant messenger service from mirabilis.com, now AOL. ICQ is a favorite service among hackers, and ICQ features are built into many trojans (such as stealing user's passwords, UINs, or notifying the hacker). Users of ICQ are warned "By using the ICQ service and software... you may be subject to various risks, including... Spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, 'imposturing', electronic trespassing, tampering, hacking, nuking, system contamination including without limitation use of viruses, worms and Trojan horses causing unauthorized, damaging or harmful access and/or retrieval of information and data on your computer and other forms of activity that may even be considered unlawful."
Appender
A virus that inserts a copy of its code at the end of its victim file is known as an appender or appending virus. (c.f. Cavity Infector, Companion Virus, Overwriter, Prepender)
Armored Virus
Viruses that use special tricks to make tracing them in a debugger and/or disassembling them difficult are said to be 'armored'. The purpose of armoring is primarily to hinder virus analysts reaching a complete understanding of the virus' code. An early example of an armored virus is Whale.
AV Killer
Any hacker tool intended to disable a user's anti-virus software to help elude detection. Some will also disable personal firewalls.
AVED
AntiVirus Emergency Discussion list.
A mailing list for professional antivirus researchers allowing them to alert other researchers to emerging or ongoing 'crisis' or 'emergency' virus events. These may be localized to a geographic or language-based region or known to be approaching a wordlwide scale. It also acts as a forum for these researchers to discuss such events, what precursors count as sufficient grounds to make posting alerts to users about a newly discovered virus and at what point involving the news media seems appropriate. Aside from the discussion list, another list facilitates the secure distribution of emergency samples and members of the list are expected to send samples of any viruses the organizations they work for consider worthy of raising public warnings about. Senior Computer Associates virus analysis staff are represented on the AVED mailing lists and board. (c.f. REVS)
Return to top


B

Backdoor (1)

A program that surreptitiously allows access to a computer's resources (files, network connections, configuration information, etc) via a network connection is known as a backdoor or remote access trojan. Note that such functionality is often included in legitimate software designed and intended to allow such access. For example, software that allows remote administration of workstations on a company network, or that allows helpdesk staff to 'take over' a machine to remotely demonstrate how a user can achieve some desired result, are genuinely useful tools (and even desirable in many settings). The difference between backdoors or remote access Trojans and remote administration tools is that the latter are designed into a system and installed and used with the knowledge and support of the system administrator's and the other support staff they involve.
Remote access trojans generally consist of two parts; a client component and a server component. In order for the trojan to function as a backdoor, the server component needs to be installed on the victim's machine. This may be accomplished by disguising the program in such a way as to entice victims into running it. It could masquerade as another program altogether (such as a game or a patch), or it could be packaged with a hacked, legitimate program that installs the trojan when the host program is executed.
Once the server file has been installed on a victims machine, often accompanied by changes to the registry to ensure that the trojan is reactivated whenever the machine is restarted, the program opens a port so that the hacker can connect. The hacker can then utilise the trojan via this connection to issue commands to the victim's computer. Some remote access trojans even provide a message system, where the hacker is notified every time their victim logs onto the Internet.
Here's an abbreviated list of things that a hacker can accomplish while controlling a victim's computer via a backdoor:
• Upload/download files
• Make changes to the registry
• Delete files
• Steal passwords and other confidential information
• Log keystrokes
• Rename files
• Display images or message boxes
• Disable the keyboard or mouse
• Hide the taskbar, start button or desktop icons
• Shutdown the computer or reboot the computer
• Print
• Run applications or terminate the currently running applications
• Detect and initialise capture devices such as web cams or microphones
• Disable antivirus or firewall software
• Start an FTP server on the victim's machine that could make it accessible to other unauthorised intruders
Backdoor (2)

The term ‘backdoor’ is also frequently used as a synonym for a method for accessing a computer system or application that its maintainers or users are usually not aware of. Normally the term is used when the presence of this 'feature' is a secret. Such a feature whose presence is widely known - even if some arcane access method needs to be known to use it and remains a closely guarded secret - is unlikely to be referred to as a 'backdoor' unless its existence was uncovered by chance. Such surreptitious access mechanisms may be included by the developers without the knowledge of the system or application designer, or may be designed-in but kept from the customers or end users. This meaning of backdoor is of little immediate interest or relevance in the antivirus field.
Bait File

See the first meaning of Goat File.
Bimorphic Virus

An encrypted virus that has two forms of the decryption code, usually randomly selecting between them when writing its decryptor to a new replicant. (See Polymorphic Virus for more details; also see Oligomorphic Virus.)
Binder

A tool that combines two or more files into a single file, usually for the purpose of hiding one of them. A binder compiles the list of files that you select into one host file, which you can rename. A host file is a simple custom compiled program that will decompress and launch the source programs. When you start the host, the embedded files in it are automatically decompressed and launched. When a trojan is bound with Notepad, for instance, the result will appear to be Notepad, and appear to run like Notepad, but the Trojan will also be run.
BIOS

Basic Input/Output System. The program in a PC providing the lowest level of interface with the hardware. A PC's BIOS is also responsible for initiating the operating system bootstrap process by loading the boot sector of a diskette or the master boot record of a hard drive and passing control to it.
Under CPM, DOS and Windows 3.x, BIOS interfaces to the hardware were paramount to the proper operation of the machine. Specialized hardware that standard BIOSes were not written to recognize and handle had to either include a BIOS extension on its adaptor card or provide device drivers allowing access to the device (or both) if they were to be used other than by proprietary software written to their hardware interface. More advanced OSes for the PC - such as the various Unixes written for it, NT, Linux, Windows 95 and so on - only depend on the BIOS for its OS bootstrapping function, providing their own (or vendor-supplied) protected mode drivers for all the hardware devices they can use. (Windows 9x allows a degree of real mode compatibility so it can be used on older machines with 'odd' hardware that is not supported by native drivers, but there are performance overheads.)
Traditionally, the BIOS was supplied in a ROM chip plugged into a socket on the PC's mainboard. This arrangement allowed for the replacement of the BIOS, should that ever be necessary to accommodate new hardware requirements (or to supply bug fixes). More recently it has become standard practice to supply the BIOS in a flash memory (or flash ROM) chip, allowing updates to be written directly to the chip via software.
The BIOS should not be confused with the CMOS storage area that is used to store BIOS and mainboard configuration options and data.
Boot Code

The program recorded in a boot sector is known as boot code. Boot sectors usually contain boot code because these small programs have the job of starting to load a PC's operating system once the BIOS completes its POST checks, although some types of boot sector seldom, if ever, contain boot code. Good examples of boot sectors that do not normally contain boot code are those at the head of extended partitions - under DOS and Windows OSes, such partitions cannot be made bootable so those OSes usually only place a partition table (which they do require) in such boot sectors.
Thus, the system boot sectors of diskettes and partitions (logical drives) on hard drives, and the MBRs of hard drives, normally all contain boot code of some kind. It is this code, or at least the room reserved for it, that boot viruses target. Once the BIOS completes its hardware checks, it simply reads the appropriate boot sector (depending on which device it is set to boot from first and whether that device is ready) without doing any 'sanity checking' on its contents.
Boot Infector

See Boot Sector Infector.
Boot Record

The program recorded in the Boot Sector. All floppies have a boot record, whether or not the disk is actually bootable. Whenever you start or reset your computer with a disk in the A: drive, DOS reads the boot record from that diskette. If a boot virus has infected the floppy, the computer first reads the virus code (because the boot virus placed its code in the boot sector), then jumps to whatever sector the virus tells the drive to read, where the virus has stored the original boot record.
Boot Sector

A generic term encompassing system boot sectors and master boot records. Technically, this means the first logical sector of any drive (what DOS or Windows would consider to be sector 1 of that drive) and the MBR (sector 0,0,1 in CHS notation) of hard drives. As floppy disks do not have partitions, the logical drive and physical drive map sector for sector and their first logical sector is also 0,0,1. On hard drives, there is a boot sector for each logical drive (or partition, such as C: and D:) plus one for the MBR. (The 'root' entries of any extended partitions may or may not be counted - if so, the total number of boot sectors is higher than the preceding description suggests, with the final count depending on the number and nesting of extended partitions.)

Most boot sectors contain boot code, which (under DOS and Windows) is usually created by FORMAT or SYS if the boot code is in a system boot sector, or by FDISK if in the master boot record of a hard drive. Sometimes the term 'boot sector' is ambiguously used to also refer to only the boot sectors of logical drives. This usage is avoided as far as possible in this glossary and the rarely used term 'system boot sector' used when this distinction needs to be made.
Boot Sector Infector

Every logical drive, both hard disk and floppy, contains a boot sector. This is true even of disks that are not bootable. These boot sectors usually contain specific information relating to the formatting of the disk (see BPB) and a small program - the boot code (which starts loading the system files of the active OS on that drive). The boot code is what displays the 'Non-system Disk or Disk Error' message familiar to those who have left a 'non-bootable' diskette in the A: drive of a PC when it booted.
As well as these system boot sectors, hard drives also have a special boot sector known as a master boot sector or master boot record. As the boot code is a program, it can also be infected by a computer virus. Boot sector infections normally start from leaving an infected diskette in a PC's floppy drive and rebooting the machine. When the viral boot code is read from the boot sector and executed, the virus copies itself to a 'safe' place in memory, hooks disk I/O functions, infects the hard drive and remains resident, lying in wait for uninfected boot sectors to present themselves (these will usually be on diskettes accessed in the floppy drives).
The safe memory location used by most boot viruses (and many file infectors too) is at the 'top of memory'. Brain - the first PC virus - was also the first PC boot sector infector. Although Brain was limited to diskette boot sectors, most boot viruses since typically infect the system boot sectors of floppy disks and the MBRs of hard drives. Perhaps the main advantage of this strategy is that the virus' code will always be the first to run, whichever drive type is booted from. Stoned was the first virus to implement this and in many ways remains the classic example of the technique.

A few boot viruses, such as Form (which is perhaps most notable for its perseverance), infect the system boot sectors of both diskettes and hard drives. Some multipartite viruses have boot sector components that only infect MBRs while others have boot sector parts that only infect diskette or hard drive system boot sectors. Boot viruses can be polymorphic (for example, the boot component of the complexly multipartite Win95/Fono, can employ stealth techniques (Brain and many more since), and use many of the other techniques from the usual arsenal of virus tricks.

In the early history of virus development, boot infectors were most commonly responsible for actual infections and featured prominently in the WildList. This was because of the high incidence of diskette sharing, that being by far the most common method of transferring data before connecting PCs to LANs and WANs became popular. Multipartite viruses with diskette boot sector components were the next most common viruses at that time, with Junkie probably being the best-known and most prevalent example. Straight file infectors barely showed in the WildList in those days. These patterns were entirely overturned as macro viruses embedded in documents became common and network (and particularly Internet) connectivity increased.
Boot Virus

A virus that infects boot sectors. Refer to Boot Sector Infector for more details.

BPB

BIOS Parameter Block. A data table in the system boot sector of all FAT format logical drives, containing information about the formatting of the drive. This includes details such as the number tracks, the number of sectors per track, the size of the sectors and the number of sectors per logical cluster, which are critical to reading the drive properly.
Browser Helper Object

(BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.
BSI

Boot Sector Infector.
Return to top


C

CARO

Computer Antivirus Research Organization. An informal group of professional antivirus researchers committed to improving the state of the art.
Cavity Infector

A virus that searches for a 'hole' in the infection target and inserts its code there is known as a cavity infector. This infection technique has the advantage of not increasing the size of the target - a common telltale of viral infection that can giveaway the virus' presence to observant victims. Many programs have pre-initialized arrays (usually filled with null characters) and/or stack space filled with common patterns and viruses can easily search for areas matching these patterns. If a cavity infector finds a suitably sized 'hole', it copies itself into that hole then patches the program's entry point so the virus code runs first (or makes whatever other change to the host to gain control). This gives the virus a chance to copy itself elsewhere in memory or just run and be done with before the host program possibly uses the data area overwritten by the virus. Although cavity infection is a rarely used technique, one of the first parasitic file infectors Lehigh, was a cavity virus. See also Multiple Cavity Infector; c.f. Appender, Companion Virus, Overwriter, Prepender.

CHS

Cylinder, Head, Sector. The notation by which the location of a disk sector is supplied to some disk access routines. In this usage, the term 'track' is analogous to cylinder and 'side' (or occasionally 'surface') is analogous to head, but CHS/Cylinder, Head, Sector has the advantage of being non-ambiguous.
Its significance in antivirus work is that boot sector viruses (particulalry MBR infectors) commonly make a 'safe' copy of the original contents of the sector they infect, and this is often located by a fixed CHS address. Thus, you may see descriptions of such viruses saying something like 'the original MBR is saved to 0,0,7' meaning, in this case, that the original MBR was saved to the seventh sector on head (or 'side') zero of cylinder (or 'track') zero.
Class Infector
A class infector is a macro virus whose code resides in one or more class modules. Class infectors became popular among macro virus writers shortly after the SR-1 (Service Release 1) version of Word 97 became available. With that version of Word, Microsoft introduced an undocumented antivirus feature that prevented the successful replication of most existing Word macro viruses. Under that version of Word, the most that earlier viruses can do is infect the normal template. They are not able to spread from there to documents. (This feature is present in all later versions of Word, including Word 98 for the Macintosh). Class infection, per se, was not necessary to subvert the SR-1 measures, but the first virus writer who realized what was happening coincidentally moved to infecting the default document class object.
Cluster Virus
Apart from directly infecting host files as appenders and prependers do, there are other ways to intercept calls to an executable file and have some other code run instead of, or before, the code from the intended file. One such method is cluster infection, used by a small number of DOS viruses.
On a FAT file system this method usually involves saving the virus' code to the hard drive then altering the directory entry of an 'infected' file. The required directory entry change is to set the field that points to the first cluster of the file to the cluster holding the virus code and record the original initial cluster of the infected file in an unused field in the directory entry. When the user tries to execute an infected program, the operating system reads the virus from the apparent first cluster of the executable file and runs it. The virus does whatever else it is designed to do then loads and executes the original file, using the correct first cluster information it saved during the infection process. Dir-II was the first cluster virus and in the wild for some time.
Because the cluster infection technique interferes with the linking of cluster chains apparently assigned to a file, these viruses are occasionally referred to as 'link viruses', although this usage should be avoided.
CMOS

Complementary Metal Oxide Semiconductor: The battery backed RAM used in AT and later PCs to store hardware configuration information uses CMOS technology. As this memory is not in the CPU address space, but addressed via I/O port reads and writes, its contents cannot be directly executed. This means that viruses cannot reside in nor infect the CMOS RAM. Some viruses alter the contents of the CMOS RAM as a payload, either scrambling them or removing the reference to the floppy drive so the hard drive's (infected) MBR will always run first during boot-up.
Collection Virus
See Zoo Virus (c.f. In the Wild).
Commercial RAT

Any commercial product that is normally used for remote administration, but which might be exploited to do this without user consent or awareness.
Companion Virus

There are other methods of infecting a system other than the most commonly used one of modifying an existing file (see Parasitic Virus. Given the way command-line interpreters (or shells) of several operating systems work, a virus can copy itself onto the system as an entire program yet be sure that much of the time, attempts to invoke a program will result in the virus' code being run first. Such programs are known as companion viruses and there are several forms of this infection method.
For example, under DOS (and at least from the command-line or 'Command Prompt' of its Windows relatives), if the shell is given a command that does not begin with a fully-specified filename, it searches the current directory, then each directory in the PATH environment variable (in the order they are listed), for a COM file matching the command name, then an EXE file and then a BAT file. Thus, a companion virus can 'infect' an EXE file by copying itself to the same directory as that file and using its filename but with a COM extension. (Similarly a BAT file could be 'infected' by copying the virus code to either an EXE or COM with the same filename.) Once the virus has done its work, it loads and executes the original program file. If the virus acts quickly the user is unlikely to notice the short delay this introduces and the fact the target runs 'normally' also reduces the likelihood of user suspicion. This infection technique is known as the program execution order companion method or the execution precedence companion method.
Another companion infection method should be obvious from the preceding description of DOS' command interpretation process. Known as the path order companion method or the path precedence companion method, it depends on a copy of the virus being made in a directory earlier in the path than the directory housing the target. The virus file is given the same name as the target file (although it need not have the same extension - any executable extension will do) so the virus program will be found and executed instead of its target. As with execution order companions, path companions must take steps to ensure the original program runs after the virus has done its thing. Unlike execution order companions, path companions should also be successful on operating systems that do not depend on filename extensions to determine whether a file is 'executable', so long as they have something akin to the concept of a PATH variable.
Yet another companion infection method involves renaming the target program to a non-executable extension then copying the virus to the same location, filename and extension as the target. When the user calls the program, instead of the intended one running, the virus is executed. Again, to avoid immediate detection, such renaming companion viruses must load and execute the original program. This approach has the advantage of being more likely to work under GUI shells (such as the Windows desktop) because such environments usually record full path and filenames when configuring desktop and menu shortcuts and the like. Under such an environment, path and execution order companions will have little effect as they leave the original program intact. Of course, replacing the original program as a renaming companion virus must, makes them much more visible to integrity checking methods.
Although quite simple (because they are not required to alter existing executable files), companion viruses have been rarely seen until recently, when another companion infection technique started to become popular. Windows 95 and NT introduced (or, more correctly, promoted) more complex techniques for controlling how the usual operating system shell (normally Windows Explorer) handles files. Complex inter-relationships between file extensions and more finely described file types exist in the registry. For example, handling of EXE files is defined through a series of values in HKEY_CLASSES_ROOT. This sequence includes a handler for the 'opening' of EXE files. Normally the shell just loads and executes EXE files, much as earlier versions of Windows and DOS did. However, this can be usurped by altering the appropriate registry values so another program runs. So long as the introduced handler launches the original EXE 'as normal', the user will not become suspicious.
Companion infection methods that do not involve replacing the target program defeat simple integrity checkers that only look for modifications to existing programs. For this reason, good integrity checkers also monitor the addition of new program files to a system. (c.f. Appender, Cavity Infector, Overwriter, Prepender)
Constructor Kit
Some virus writers are not content with writing their own viruses and have wondered about bringing the 'opportunity' of becoming a virus writer to the masses. The solution to this is usually some form of 'construction kit' - a program even a non-programmer can run, feed some parameters into and then produce a virus. Many have been produced over the years covering simple COM and/or EXE infectors, polymorphics, batch, macro and script viruses. Perhaps the best-known of the early ones were the Virus Construction Laboratory (VCL) and Phalcon/Skism Mass-Produced Code Generator (MS-MPC).
Cracking Misc

Any document and/or tool that provides guidance on how to remove copy protection.
Cracking Tool

Any software designed to modify other software for the purpose of removing usage restrictions. An example is a 'patcher' or 'patch generator', that will replace bytes at specified locations in a file, rendering it a licensed version. A music file ripper is a program that enables the user to digitally copy songs from a CD into many different formats such as MP3, WAV, or AIFC.
Return to top


D

Data Diddlers
This is a popular name for a virus that contains a data modifying payload. This type of virus may, for example, change 0's to 9's in an Excel spreadsheet or, like Jal.A, it may replace certain words. Unfortunately, the changes made by some of these viruses may be almost unnoticable in large amounts of data. Hence, users may not realize that they are infected for quite some time, necessitating possibly lengthy and costly clean-up procedures.
DDoS, DDOS
Distributed Denial of Service. Attempts to DoS large sites using most forms of resource exhaustion attack, and particularly network bandwidth wasting strategies, are often impossible for a single attacking machine because of the sheer scale of resources available to the attacked site. One solution to this is the distributed denial of service approach, whereby a number of machines with 'attack services' installed on them are simultaneously commanded to attack a target system. Each of these DDoS 'agents' contributes part of the total 'load' that eventually topples the attacked service or server, or each agent contributes part of the bandwidth necessary to clog the network connections to the attacked server. See also Denial of Service.

By late 1999, code from several DDoS systems had been captured from compromised machines. These were mostly the agents (the part that implements the attack service), but a few examples of masters - the component that keeps track of the agents availability and sends the commands to begin and end an attack - were also captured. At the time, some networks of these DDoS agents were discovered to contain several hundred active agents. Although most of these systems have been designed and written for Unix (and particularly Linux) machines, some implementations for PCs also exist. (Refer to the DDoS entry in the virus encyclopedia for more details.)
Decoy File

See the first meaning of Goat File.
Denial of Service

An attack on a computer system intended to reduce, or entirely block, the level of service that 'legitimate clients' can receive from that system. These range in scope from network bandwidth wasting and/or swamping through exhausting various machine resources (memory, disk space, thread or process handles, etc) required by the process(es) providing the service. They usually work by exploiting vulnerabilities that eventually crash the service process or the underlying system. Although not commonly associated with viruses, denial of service components are included in some viral payload routines. (Also see DDoS.)
Destructiveness
This is measured based on the amount of damage that a malicious program can possibly achieve once a computer has been infected. These metrics can include attacks to important operating system files, triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, compromising security settings, and the ease with which the damage may be fixed. CA uses this metric to measure the potential damage that a malware's payload can deliver. This metric is given the least weight, in combination with Wild and Pervasiveness metric, to calculate the overall threat assessment.
Dialer

Software that dials a phone number. Some dialers connect to local Internet Service Providers and are beneficial as configured. Others connect to toll numbers without user awareness or permission.
Direct Action

A virus that attempts to locate and infect one or more targets when it is run, and then exits is referred to as direct action virus. In single-tasking operating systems such as DOS, direct action viruses usually only infect a small number of targets during each run, as the 'find then infect' process slows the normal execution of the infected host from which the virus is running and significant slowing of a machine is likely to warn its user of the presence of something 'untoward'. (c.f. Resident)
DOS (DoS)

1. Disk Operating System - most famously, MS DOS and IBM DOS, but also DR DOS and others.
2. Denial of Service (although the acronym DoS is somewhat preferable here to avoid confusion).
Downloader

A downloader is a program that automatically downloads and runs and/or installs other software without the user's knowledge or permission.
In addition to downloading and installing other software, it may download updated versions of itself.
A downloader may install itself in a manner that allows it to constantly check for updated files. For example, it may add an entry to the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Dropper

A program that installs a virus, but is not, itself, infected is known as a dropper. These are not very common and probably most are for installing boot viruses.
Return to top


E

EEPROM
Electrically Erasable and Programmable Read-Only Memory.
A type of ROM whose contents are non-volatile but modifiable through the application of appropriate chip reprogramming voltages. EEPROM was an advance on EPROM technology, replacing the requirement for a source of ultra-violet light with a purely electronic mechanism to erase a chip's contents. Some early 'updateable BIOSes' were shipped on EEPROM chips, but flash memory has become the preferred non-volatile memory technology for holding BIOSes in recent years.
EICAR

European Institute for Computer Antivirus Research.
A group of academics, researchers, law enforcement specialists and other technologists united against 'writing and proliferation of malicious code like computer viruses or Trojan Horses, and, against computer crime, fraud and the misuse of computers or networks' (to quote from the mission statement on the EICAR web site).
E-mail Worm

A commonly used misnomer for mass mailing viruses
Embedded tags or cross site scripting
This vulnerability occurs when a web server performs inadequate checks on content provided by third parties. A remote attacker may be able to embed a script in a piece of text which is then reproduced onto a web site. Legitimate users of the system may then inadvertently run the script when the innocently connect to the attackers information.
Emulator

A commonly used method for detecting polymorphic viruses is to simulate running part of a program's code in an emulator. The purpose is to see if the code decrypts known virus code. There are several essentially irresolvable issues with emulator design. For example, ensuring they don't run for 'too long' on each file thus slowing the scanner down, and making them complex enough to include sufficient aspects of the environment they simulate that anti-emulation and emulation detection techniques employed in some viruses do not reduce their usefulness.
Encrypted Virus

An early attempt at evading scan string driven virus detectors was self-encryption with a variable key. Cascade was the first example of an encrypting virus, but this approach was not much of a challenge to scanners as the decryption code of such viruses is constant across replicants and thus can be used as a scan string. Of course, if another virus or program uses the same decryption routine, precise identification of each would require reliably detecting more than just the common decryption code. Extending the idea of an encrypting virus so as to beat the limitation of scanners detecting just the decryption code resulted in the development of polymorphic viruses.
Encryption Tool

Any software that can be used to scramble documents, software, or systems so that only those possessing a valid key are able to unscramble it. Encryption tools are used to secure information; sometimes unauthorized use of encryption tools in an organization is a cause for concern.
Entry Point Obscuring Virus
One technique virus writers have tried to make it more difficult for a scanner to detect a virus is entry point obscuration. Simple parasitic viruses alter the code at the entry point of their hosts in some way. Some alter the fields in the executable's header so the pointer to the start of the program's code points to where the virus' code has been inserted or added to the file. Others leave the header alone, but alter the original program code at the entry point itself, either inserting the virus there, or inserting or overwriting code to jump to the virus' code elsewhere in the executable. These approaches pose no problems for virus scanners as most scanners adopted entry point tracing techniques long ago to speed up their scanning. Entry point tracing meant that instead of grunt scanning a whole executable file, only the parts of an executable that were likely to contain a virus' code were scanned.
Entry point obscuring (EPO) viruses employ various methods in attempts to complicate entry point tracing, by inserting the virus' code elsewhere in the target executable than at the entry point of the host program's code. Several approaches have been used. The crudest is randomly inserting the virus' code into the target and 'hoping' both that this does not corrupt the program and that execution branches through the code at the insertion point often enough to give the virus a chance to replicate. More sophisticated methods involve disassembling the host looking for a suitable code sequence (such as an interrupt call or a long jump) to replace with a call to the virus. A minor variation on this, but easier to implement, is to simply scan the host for a suitable byte sequence. However, this involves the risk that the target sequence may be found somewhere that it does not represent the intended machine code sequence and thus infection will corrupt the executable. The first viruses to use EPO techniques were Omud and Lucretia.
EPO
Entry Point Obscuring.
EPROM

Erasable and Programmable Read-Only Memory.
A type of ROM whose contents are non-volatile but modifiable through the application of appropriate chip reprogramming voltages. Before reprogramming an EPROM, it has to be exposed to source of ultra-violet light. Some early 'updateable BIOSes' were shipped on EPROM chips, but EEPROMs became more popular. More recently, flash memory has become the preferred non-volatile memory technology for holding BIOSes.
Error Hijacker

Any software that resets your browser's settings to display a new error page when a requested URL is not found. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
Exploit

A way of breaking into a system. An exploit takes advantage of a weakness in a system in order to hack it. Exploits are the root of the hacker culture. Hackers gain fame by discovering an exploit. Others gain fame by writing scripts for it. Legions of script-kiddies apply the exploit to millions of systems, whether it makes sense or not. Since people make the same mistakes over-and-over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, directory climbing, defaults, Denial of Service.
Return to top


F

False Positive, False Negative

These terms derive from their use in statistics. If it is claimed that a file or boot sector is infected by a virus when in reality it is clean, a false positive (or Type-I) error is said to have occurred. Conversely, if a file or boot sector that is infected is claimed to not be infected, a false negative (or Type-II) error has been made. From an antivirus perspective, false negatives probably seem more serious than false positives, but both are undesirable. False positives can cause a great deal of down-time and lost productivity because proving a program cannot replicate under some condition or other is generally much more time consuming than discovering the conditions under which a viral program will replicate.
With good known-virus scanners, false positives are rare. However, they can arise if the scan string for a virus is poorly chosen, say because it is also present in some benign programs. False negatives are a more common problem with virus scanners because known-virus scanners tend to miss completely new or heavily modified viruses. False positives have, historically, been quite a problem for scanners that make heavy use of heuristic detection mechanisms.
Another related, serious problem is the situation where a scanner detects a virus, but incorrectly identifies which. Such misdiagnosed positives can lead to terrible problems if the scanner, or its user, then engages in a virus-specific disinfection routine based on detailed knowledge of the 'detected' virus' characteristics. 'Generic disinfection' procedures are not entirely immune from such problems either.
Fast Infector

When programs infected with common file infectors (such as Jerusalem in days of yore, and many others since) are run, the virus code usually gets control first. It then checks it has not already gone resident, copies itself into memory, and hooks a system interrupt or event handler associated with the host platform's 'load and execute' function. When that function is subsequently called, the virus' infection routine runs, checking whether the program that is about to run has been infected already, and infecting it if not.
In contrast, a fast infector not only infects programs as they are executed, but even those that are just opened. Even more aggressive fast infectors will infect suitable targets as they are accessed in the most peripheral of ways, such as by reading their directory information as happens during a 'DIR' listing under DOS, or Explorer accessing a directory to display its contents under Windows. Thus, if a fast infector is active in memory, running a virus scanner or integrity checker can result in all of the virus' potential victim files being infected. Early examples were the Dark Avenger and Frodo viruses and more recently CIH became very widespread, partly as a result of being a fast infector. (c.f. Slow Infector)
Note that, technically, most macro viruses are fast infectors. For example, Word macro viruses tend to infect the Word application environment (by deliberately targeting one or more global templates) so they are always present in the Word environment following initial infection. Also, most utilize some form of auto or system macros, or standard event handlers, which are normally triggered during the opening, closing or other user-initiated processing of document files (saving, for example) within the Word application environment. However, unlike executable infectors, such macro viruses are not spread by normal virus scanners, as the finding and opening of files occasioned by the use of a scanner happens outside the host application's environment (i.e. it is the operating system's file processing functions being used, not those of Word, Excel, etc and thus the viral macros are not invoked during this processing of the files).
Also note that residency is associated with fast infection. This was a poorly chosen term, as it was settled on before multi-threaded or multi-process operating systems were targeted by viruses. A virus can be written for such systems to run as a separate process from its host, staying loaded as long as it takes it to find and infect all potential victim files, then exit (this has been done, for example by Libertine.31672.). As this results in the near-immediate infection of all hosts, the term 'fast infector' probably seems a good description for such a virus despite it being a direct action infector. However, the term 'fast infector' is intended for resident viruses that infect on most file accesses - the development of such viruses resulted in the addition of memory scanning to on-demand virus scanners.
Fast Mailer

Another term for Mass Mailer.
FAT

File Allocation Table.
A crucial part of the standard file systems employed in all versions of DOS and Windows 9x. The FAT records the chaining of disk clusters and the final cluster in a file. A file's first cluster is stored in its directory entry and also acts as an offset into the FAT's chaining table so the rest of the file can be located.
FAT16 file systems were limited to logical drives with a maximum of 65,536 clusters. Thus, as drives got larger, slack space wastage increased as the cluster size had to be increased to keep the cluster count at or under 65,536. FAT32 file systems, introduced in the OEM Service Release 2 (OSR2) version of Windows 95 and supported by Windows 98, ME and Windows 2000, extend the FAT file system to support huge drives (up to 2 Terabytes) and allow much larger drives to retain relatively efficient, smaller cluster sizes, reducing slack space wastage.
Technically, most so-called FAT hard drive partitions are actually FAT16 partitions, but the number is usually assumed. Standard sized 'DOS format diskettes' still use the original FAT12 standard, which has always been used on DOS diskettes.
Field Sample, Field Virus

See In the Field.
File Infector

These are viruses that attach themselves to (or replace; see Companion Virus) .COM and .EXE files, although in some cases they will infect files with other extensions such as .SYS, .DRV, .BIN, .OVL, .CPL, .DLL, .SCR and others. The most common file viruses are resident viruses, loading into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional program files as they are run or even just accessed. But there are many non-resident viruses, too, which simply infect one or more files whenever an infected file is run.
File race condition

Some applications store information in unsecured files and folders like the temp directory. A file race condition occurs where an attacker has the chance to modify these files before the original application has finished with them. If the attacker successfully monitors, attacks and edits these temp files the original application will then process them as if they were legitimate. The name of this kind of attack is from the attackers 'race to edit the file'.
File System Virus

A synonym for cluster virus.
Firewall Killer

Any hacker tool intended to disable a user's personal firewall. Some will also disable resident anti-virus software.
Flash Memory

Flash memory became of interest to antivirus researchers when the full measure of CIH's payload was decoded. Because the BIOS of most Pentium-class and later PCs is shipped on a flash memory chip and most mainboard and system designs result in write-mode for that memory being readily enabled, the BIOS of a PC can no longer be considered 'carved in stone'.
Fortunately, some BIOSes are write-protected, requiring special measures be taken to allow flash write enabling to be activated (such as opening the case and setting jumpers or switches). However, testing reveals in many systems that appear to have such a feature, it often does not work. To date, viruses that attempt to re-flash a victim's BIOS and 'succeed' (in that the contents of the BIOS change) all result in the 'trashing' of the BIOS, rendering the victim machine unbootable. That is, unbootable as in you cannot put a special recovery diskette in the floppy, bootup and run a program to re-flash a good copy of the BIOS program back into the flash memory chip. That is, unbootable as in all that happens is the power supply and CPU cooling fans, and the hard drives, spin up because that's what they do when power is applied. Specialist equipment is needed to re-program the flash chip once it is removed from the mainboard, and as more mainboard designs move to surface-mount flash chips rather than socketed ones, that option is not available for an increasing number of machines.
Flooder

A program that overloads a connection by any mechanism, such as fast pinging, causing a DoS attack.
FTP Server

When installed without user awareness, an FTP server allows an attacker to download any file in the user's machine, to upload new files to that machine, and to replace any existing file with an uploaded file.
Return to top


G

Generator Kit
See Constructor Kit.
Germ
A first generation sample of a virus. Technically, the term is reserved for forms of the virus that are in some way 'special', such that another sample the same as the one being referred to could not be produced as the result of a normal infection event. Examples include the initial, unencrypted form of encrypted or polymorphic viruses and 'virus code only' samples of simple prependers and appenders, as would be produced by compiling their source code. Germ samples are infective but not themselves the result of a natural infection incident.
Ghost Positive

This is a specific form of false positive, in which the error is due to 'leftover pieces' or 'remnants' of a virus that are incorrectly detected and reported as an infection. As the virus is not present, no longer present (in the sense that it cannot be activated through normal actions of the user or system), or present but inactive, it is erroneous for a scanner to report an (active) infection. (Usually only part of the virus will be present anyway.)
For example, under DOS or Windows, accessing a diskette to obtain a listing of its root directory causes the diskette's system boot sector to be read because details from the BPB must be obtained to correctly access the rest of the disk's contents. Imagine a diskette that had previously been infected with a boot virus and disinfected by writing a very short boot program that simply displays a message warning the diskette is not a functional system diskette. Such a short program could easily leave a couple of hundred bytes of the virus' boot sector code intact if the disinfecting program did not overwrite the rest of the boot sector. Some scanners may see this part of the virus' code and consequently report the virus' presence. (See also Slack Space.)
In the early days of scanner development, some scanners would false alarm on other scanners, or report viruses in memory after another scanner had run. This was usually a form of ghost positive caused by one scanner 'seeing' the scan strings of another scanner. The simple solution to this was to not store scan strings in plain text, but to cipher them in some way. Of course, once this was done, the scanner had to work with them ciphered, as deciphering them even just in memory could still lead to their detection in-memory on a subsequent scanning run.
Global Template

Although many applications have mechanisms for their users to extend the default functionality and/or appearance of the application, some allow this (partially) via template files. Originally used as a means to provide standard document, spreadsheet, etc formatting, the template files of some applications (like the document files on which they are based) have been extended to hold all manner of customizations (such as keyboard shortcuts and personalized menu layouts) and macros (that add functionality by automating routine processes and the like). Some products, such as Word and Excel, have gone a couple of steps further and provide for one or more specially named template files and/or directories to be automatically loaded as the application starts up and also allow 'Add-In' functionality to be implemented in templates.
For example, Word for Windows looks for the file 'Normal.dot' in certain directories (while the Macintosh version looks for a file of Word Template type named 'Normal' in matching folders) and loads it into its environment without warning. Should a normal template contain any auto macros that should run when such a template is loaded, they are run, any menu or shortcut customizations it contains are applied, and any system macros or standard event handler macros in the template will become active, running when the corresponding Word command or event occurs. Word and Excel both support a 'startup' directory, although in slightly different ways. Word will open and integrate any template files stored in its startup directory into its runtime environment, just as it integrates the contents of the normal template. Excel opens and integrates any standard Excel file type stored in its startup directory into its runtime environment. Registered Add-Ins are also loaded when the application starts and if they are templates, will be loaded from wherever they are registered. Thus, for Word, the normal template, any templates in its startup folder and any Add-Ins loaded as templates are all 'global templates', with any customizations and macros they contain becoming available throughout the Word environment.
Infection of global templates is thus an attractive proposition to macro viruses written for such application environments, as it provides a simple form of 'residency'. This will improve its likelihood of infecting more documents and thus improve its chances to spread.
The term 'global template' is also often, but incorrectly, used to mean 'Word's normal template'. This is almost certainly a carryover from earlier versions of Word's macro language, where the normal template could often be referred to via the referent 'Global:', rather than by its full path and name. Even in many of those versions of Word, this usage was, at best, sloppy because of the possibility (if not the actuality) of other 'global' templates.
Globbing

Globbing is the use of wildcard characters or arguments to greatly increase the amount of data requested. An example is Dir *.* in DOS, this command is asking for all file names with all file extensions (everything) in the current directory. By making globbing requests to a web server it is sometimes possible to cause a Denial of Service attack as the the server is too busy to deal with legitimate requests.
Goat File
1. Some generic approaches to virus detection create 'dummy' program files which are written to the drives of the machines being monitored. These files are regularly checked for modification, or created, checked and then deleted. Such files are sometimes called 'goat files', 'decoy files' or 'bait files' because they are not intended to be run for any practicable purpose, and act solely as 'bait' to trap and detect the presence of an active virus.
2. Goat file is also widely used to refer to the 'standard' files antivirus researchers commonly use to replicate viruses onto. Such files can make it easier to analyze the virus, because the researchers know what parts of the infected files they are dealing with are part of the original 'goats', and thus can readily ignore that code during their analysis of the virus. Different researchers generally use different goats.
Return to top


H

Hardware Damage

There has been much debate about whether viruses, or any other software, can cause physical harm or 'damage' to computer hardware. Most claims that such is possible turn out to be one of three kinds - appeals to ancient and usually badly documented stories of hardware destroyed by software shenanigans, accelerated wear and tear, and misunderstanding the difference between damaging hardware and trashing software stored in some form of (semi-)permanent storage. Dealing with each briefly...
There are several reports of ancient hard drives that (reputedly) had no sanity checking in their control mechanisms. The usual claim is that such drives could be taken out of service (even 'destroyed') by directing the drive to seek for a cylinder (track) past the last physical cylinder location. Stories also persist about early PC monitors that could have internal electronic components 'fried' (even setting the monitor on fire if left long enough) by programming the display adapter to use out of specification frequencies for the monitor. A variation on the latter is the 'blow up a monitor by stopping the guns from scanning so they bombard a continuous beam at one tightly focussed spot' claim.
Similar stories and speculation exist about 'overusing' a device. These include claims that certain (usually unspecified and ancient) monitors could be damaged by various means or rendered 'practically unusable' via accelerated phosphor burn and the like. Notions of wearing disks out quickly by repeatedly seeking back and forward between the very first and last cylinders and repeatedly updating the contents of CMOS RAM or EEPROMs or Flash memory are also common.
These first two kinds of stories are pretty much relegated to the scrap heaps of history now, but another type of claim has recently had quite an airing. The CIH virus renders a PC unusable by re-flashing the flash memory chip holding the BIOS. The routine in CIH effectively trashes the BIOS. However, although it leaves the machine unusable (and often leaves the mainboard effectively irreparable) this is not an example of software damaging hardware. The hardware is all still fully functional, but just happens to be built into a bad design that prevents the (economical) return of the system to a working state. For the user faced with a mainboard replacement because a virus payload triggered, this may seem like splitting hairs, but there is a clear technical distinction between the CIH virus rendering a poorly designed system board irreparable and software damaging hardware.
Heuristic Detection
Apart from precise identification of known viruses, scanners can (and do) employ various forms of less-precise detection. The essential idea behind such heuristic detection mechanisms is to relax the detection rules somewhat, detecting code that is almost bound to be indicative of virus infection (or other forms of malware functionality) and at the same time very unlikely to be seen in 'innocent' programs.
For example, various kinds of unusual settings in the headers of PE (Windows 32-bit executable) files may be strongly indicative of virus-related 'tampering'. If it is also known that such 'odd' headers are never produced by any PE compiler/linker combinations, detecting such things and flagging the files to the user as 'suspicious' may be a good heuristic for detecting certain kinds of new PE infecting virus that the scanner does not yet detect as a known virus.
Similarly, code analysis of a VBA macro can, in most cases, quickly and reliably determine whether the macro has code that copies itself to other documents and templates. However, that alone is not sufficient as a macro virus heuristic as it is common for legitimate macro programs to have installation routines that are themselves macros that copy other macros around. The designer of a good heuristic macro virus detector will attempt to prevent raising false positive alarms on such macro installation packages by requiring the heuristic detector to find more than just code that copies a macro to a global template (the usual installation location for such macro programs). Careful tuning of the importance (or 'weight') attached to various virus-like features can greatly reduce the rate of such false positives. An approach that combines positive and negative heuristics is generally considered best. A positive heuristic is a programmatic feature the scanner considers increases the likelihood it is looking at a virus and a negative heuristic is a feature that reduces that likelihood.
Often scanners that include heuristic detection capabilities have these disabled by default. This can be because they add extra overhead to the scanning process, but it can also be because the heuristics are fairly 'liberal'. Particularly in the latter case, you should only enable the scanner's heuristic detection if a new virus is suspected, as it's results may further focus your attention on the likely affected files. Heuristics should also be enabled and set to their highest levels on e-mail gateway scanners and other 'interception points' if there is an unavoidable business need to allow infectible file types into an organization. Some scanners with heuristic detection abilities allow the user to set the 'sensitivity' of the heuristics and again, these should be set to highest sensitivity for e-mail gateway scanners.
Heuristics

Heuristics means 'rule based'. Normally, for an Anti-Virus product to detect a virus, the virus must have been seen before, analyzed and detection added to the signature update files. Heuristics are used as there are some families of viruses that continually change their appearance and it is not possible to detect every variant. Heuristics allow us to set up some rules so if it smells like a virus, and it acts like a virus we can detect it, even if we have never seen the virus before.
Hijacker

Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
Hoax

A hoax is a message, typically distributed via E-mail or newsgroups, which is written to deliberately spread fear, uncertainty and doubt. Just like the viruses they purport to describe, they are sent from user to user/s, slowing network and Internet traffic and causing damage 'per se', by wasting users time and by prompting well meaning, (albeit unnecessary) clean up procedures. These messages may be regarding completely fictitious viruses and trojans, or they may be misleadingly warning users about legitimate programs (a common target of past hoaxes was screensavers and more recently, Windows utilities). Hoaxes prey on the lack of technical knowledge and the goodwill of all those that receive a hoax. Generally, hoaxes are warnings about threats to your computer. They tend to follow a standard pattern, and should you receive an e-mail that contains the following characteristics, view it with doubt, if not downright suspicion.
• Reports of a virus that can do massive damage to your pc - many even going so far as to say that critical hardware will be destroyed.
• May sound unnecessarily technical (although often meaningless), thus taking advantage of many users fears of technology/the unknown.
• May quote bogus announcements from Antivirus Industry experts, some even going so far as to provide a correct link to an AV site (which strangely enough, if visited, will most likely tell you that it's a hoax).
• The message may be written in emotive language. That is, the message may be colored with upper case text and contain large numbers of exclamation marks (in order to emphasize the severity of the perceived threat and make the user more likely to forward the message).
• Asks that you forward the message to as many people as possible. This is the most obvious line in a hoax. Warnings from reputable expert sources do not ask you to forward their notifications. It is this part of the text of the message in particular, that should immediately make wary users skeptical.
Homepage Hijacker

Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.
Hostile ActiveX

An ActiveX control is essentially a Windows program that can be distributed from a web page. These controls can do literally anything a Windows program can do. A Hostile ActiveX program does something that its user did not intend for it to do, such as erasing a hard drive, dropping a virus or trojan into your machine, or scanning your drive for tax records or documents. As with other Trojans, a Hostile ActiveX control will normally appear to have some other function than what it actually has.
Hostile Java

Browsers include a ""virtual machine"" that encapsulates the Java program and prevents it from accessing your local machine. The theory behind this is that a Java ""applet"" is really content -- like graphics -- rather than full application software. However, as of July, 2000, all known browsers have had bugs in their Java virtual machines that would allow hostile applets to ""break out"" of this ""sandbox"" and access other parts of the system. Most security experts browse with Java disabled on their computers, or encapsulate it with further sandboxes/virtual-machines.
Hostile Script

A script is a text file with a .VBS, .WSH, .JS, .HTA, .JSE, .VBE extension that is executed by Microsoft WScript or Microsoft Scripting Host Application, interpreting the instructions in the script and acting on them. A hostile script performs unwanted actions.
HTTP Server

When installed without user awareness, an HTTP server allows an attacker to use a web browser to view and thus retrieve information collected by other software placed in the user's machine.
Return to top


I

Immediate Acting
Usually of payloads; code that runs when the virus or Trojan carrying it first runs. For example, one of the reasons the mass mailing viruses W97M/Melissa and VBS/LoveLetter spread so far and so fast was because their mass mailing code runs the first time the virus' macro (Melissa) or script (LoveLetter) is run. Whether that functionality is disabled so as to not execute on subsequent runs of the virus or Trojan is immaterial. (c.f. Logic Bomb)
Impact
The extent to which an attacker may gain access to a system and the severity of it on the organization. For example:
• 1, 2, 3 Info Gathering:
Little or no chance of an attacker gaining access to a system
• 4, 5, 6, 7 User Access:
Attackers can gain limited user or network level access
• 8, 9, 10 Privileged access or Denial of Service:
Attackers can gain root or superuser access or severely impact system operation.
In the Field

Sometimes viruses are said to be 'in the field' or 'reported from the field'. This may be loose usage of the term, or it may be to draw the distinction between viruses that have been seen in a small number of real-world infection incidents ('in the field') and those that have reached the top half of the WildList ('in the wild'; see next item).
IRC War

Any tool that uses Internet Relay Chat for spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, 'imposturing', electronic trespassing, tampering, hacking, nuking, system contamination including without limitation use of viruses, worms and Trojan horses causing unauthorized, damaging or harmful access and/or retrieval of information and data on your computer and other forms of activity that may even be considered unlawful.
ITW, ItW

In the Wild.
Return to top


J

Joiner

Loosely a joiner is a program that takes two or more files and 'sticks them together'. In antivirus and malware circles it is typically used in reference to utilities that join two or more files together with one or more of these being executables. The joiner itself supplies a 'stub' - a small executable that actually gains control when the resulting executable file is run. The stub breaks the two (or more) original files off either into predestined files or temporary files and performs various actions with them, as defined by the person who joined the files together. For example, if two executables were joined, each may be run with one of them set to do so in a hidden window so its presence is not obvious to the user (victim) of the joined file. Joiners are particularly popular with the mass spreaders of common remote access Trojans, where a successful ploy has been joining a small harmless joke or fun program or popular utility with the server installer of a RAT.
Joke Program
There is no firm definition of a joke program, but, there are many programs about that are so classified. In general, they aim to entertain either the recipient or the supplier of the program, although it is probably the case that the joke is usually at the expense of the recipient. Human nature seems to turn many of these recipients into senders though, once they realize the program did no obvious harm beyond briefly increasing their personal anxiety levels (which was, in fact, the purpose of the person who sent the program to them).
So, what is a joke program? Joke programs are usually seen as programs that do no real damage but in some way attempt to raise the program user's concern for the contents of their computer. A classic example is a program that suggests the user's hard drive is about to be reformatted unless they click the 'Cancel' button in time and then starts a ten-second countdown - when the user tries to click the 'Cancel' button, the button jumps away from the cursor. If left to run until the countdown completes, a message is displayed explaining that it was dangerous to run a program sent via e-mail. Although such programs do not perpetrate any direct harm against the user, they can represent a serious risk. The problem that many such 'harmless' joke programs introduce is that some users panic and, decide that rather than risking the loss of their files, they would be better off turning their machine off. In so doing, they will lose any unsaved changes to current work and may corrupt the file system on their machine, causing even greater losses.
Return to top


K

Key Generator

Any tool designed to break software copy protection by extracting internally-stored keys, which can then be entered into the program to convince it that the user is an authorized purchaser.
Key Logger (1)

A variant of the Key Logger that captures passwords as they are entered or transmitted. Some password capture trojans impersonate the login prompt, asking the user to provide their password.
Key Logger (2)

Any program that records keystrokes is, technically, a key logger. The term tends to be used in malware circles for programs that surreptitiously record keystrokes and then make the log of keyboard activity available to someone other than the logged user(s). Commonly these log files are e-mailed to the person who planted the logging software, but on public access machines (in cyber-cafes, school and university computer labs, etc) that level of sophistication is not necessary as the 'attacker' can simply access the log file from the compromised machine at a later date, revealing usernames and passwords for accessing other systems and other potentially sensitive information. Although more common in Trojan Horse programs and remote access Trojans, key loggers are sometimes used in the payloads of viruses.
Return to top


L

Link Virus

A synonym for cluster virus which should not be used to avoid confusion with the use of the term 'link virus' to mean file infectors on Amiga computers.
Loader

Any program designed to load another program.
Logic Bomb
Usually of payloads; code that only runs when particular logical conditions are met while executing the virus or Trojan carrying it. For example, many viruses have payloads that only run on a certain date or between two dates or times, whereas others have payloads that only run after a specific number of files or boot sectors have been infected, and yet others check for any number and manner of other conditions.

Logic bombs that depend on date, time or elapsed time triggers are often called time bombs. Those that will normally run when a virus or Trojan first executes are referred to as immediate acting.
Return to top


M

Macro Virus
Macro viruses consist of instructions in Word Basic, Visual Basic for Applications and other application macro languages. They often reside in documents or other file types that are traditionally thought of as 'just data', and although that is not critical to determining whether something is a macro virus or not, it has been a crucial factor in the relative success of certain kinds of macro viruses. Another factor contributing to the success of macro viruses in the popular Microsoft Office application suite and related products (such as Microsoft Project) is that not only can the document files of these applications carry macro code, those macros can automatically run when certain basic events (such as opening and closing documents) occur and/or when the user expects that standard functions within the application should occur (such as selecting the Save item from the File menu).
While few users tend to think of 'documents' as capable of being infected, any application which supports document-bound macros that automatically execute or usurp standard application functions is a potentially welcoming platform for macro viruses. By the late 1990s, documents had become much more widely shared than diskettes (assisted by the extensive adoption of networking technologies and particularly Internet e-mail) and document-based viruses dominated prevalence statistics. This seems likely to continue for the early years of the 21st century.
Mail Bomber

Software that will flood a victim's inbox with hundreds or thousands of pieces of mail. Such mail generally does not correctly reveal its source.
Mailer

A program that creates and sends email with forged headers, so that the source of the mail it sends cannot be traced.
Malware
Malicious software.
A catch-all term for 'programs that do bad or unwanted things'. Generally, viruses, worms and Trojans will all be classed as malware, but several other types of programs may also be included under the term. One example of a good use for the term is where the best classification of a program as a worm or a virus may be unclear, you could still refer to it as 'a piece of malware'.
Mass Mailer
A virus that distributes itself via e-mail to multiple addressees at once is known as a mass mailer. Probably the first mass mailer was the CHRISTMA EXEC worm of December 1987 (and a couple of copycats in succeeding years), but the technique then all but disappeared until the Melissa outbreak of 1999. There have, however, been many mass mailers since Melissa.
An important distinction between mass mailers and slow mailers, at least in terms of threat assessment, is the scale or rate at which they send infective messages. In sending a large number of messages (and hence copies of themselves) at once, mass mailers aim to achieve rapid, widespread distribution. Presumably their writers hope enough recipients of these messages will be lulled into running the attachments (or simply opening the messages in the case of HTML-embedded script viruses) to ensure the virus' distribution outstrips spread of news about the outbreak and/or updates to virus scanners and other countermeasures. With the apparently ever-growing number of people on the Internet through the late 1990s, there was a continuous supply of fresh, very naïve, inexperienced users to be fooled into double-clicking what they should not. Through the use of 'obvious' social engineering tricks, viruses such as VBS/VBSWG.J had a fair shot at their fifteen minutes of fame.
Mass mailers often have the '@mm' suffix to their names, making the additional threat they may pose readily identifiable to the informed (although Computer Associates do not generally use this naming convention). Mass mailers are often referred to as 'worms', but this usage is not entirely accepted, and as 'e-mail worms' (perhaps to distinguish them from 'real worms').
Master Boot Record
The boot sector at the beginning of a hard drive (sector location 0,0,1 in CHS notation) is known as the master boot sector or, more commonly, the master boot record. Boot code in this disk sector is loaded by the BIOS, should it attempt to boot from the hard drive. Normally, the MBR's boot code checks the MBR's partition table to determine which partition to load an OS from. It then loads the contents of the boot partition's system boot sector (the first sector in the partition) and transfers control to that load location. This should be the beginning of the boot code of that partition and it is up to that code to 'know' how to boot the OS on that partition.
The master boot record is usually referred to as such or as the MBR, sometimes as the master boot sector (or MBS) and occasionally, but incorrectly, as the partition table (which is actually just a part of the contents of the MBR). Normally the master boot record of a DOS or Windows machine is created when partitioning the drive with FDISK, although all manner of third-party partitioning and boot management tools may also write to the partition table and/or the MBR's boot code.
Because the MBR contains a program (the boot code) it can be infected by a suitably crafted virus. The details of this are covered in more detail in the Boot Sector Infector item.
Master Boot Record Infector
A virus that infects master boot records. In reality, a virus that only infected MBRs would not be very successful because its chances of replicating would be very limited as new hard drives are seldom added to systems. Its chances of spreading would be even more limited as it is even rarer for hard drives to be moved from machine to machine. MBR infectors usually also infect other boot sectors (particularly those on diskettes) or are multipartite, infecting program files and MBRs (and possibly other boot sectors as well). For a detailed consideration of general boot sector infection issues, see the Boot Sector Infector item.
Master Boot Sector

See Master Boot Record.
MBR
Master Boot Record.
MBS

Master Boot Sector - a synonym for Master Boot Record.
Middle Infector

This is not a widely used term, but generally refers to an entry point obscuring (EPO) virus. Due to design considerations in some scanners, some non-EPO viruses are referred to as middle infectors and may require special handling.
Misc

Anything (other than a document) not in another category, perhaps because it falls into mulitple categories, such as a tool suite.
Multipartite Virus
A virus that infects two or more different target types is generally referred to as a multipartite virus. Early multipartite viruses infected boot sectors and DOS executables, but more esoteric combinations have been seen.
Multiple Cavity Infector

An extension of the cavity infection technique, a multiple cavity infector is able to break its code into two or more pieces, placing each piece in a suitable-sized 'hole' in the infection target. As with the standard cavity infection technique, this has the advantage of not increasing the size of the target, but adds the flexibility of infecting files that do not have a single 'hole' large enough for the virus' entire code. This is a very rare infection technique and made famous by the first multiple cavity virus - CIH (although Commander_Bomber can lay claim to using much the same technique, it made its own cavities, moving pieces of the original executable image around to accommodate slivers of its code).
Mutex

MUTual EXclusion object. Mutex is a program object that allows multiple threads to share the same resource. Any thread that needs the resource must lock the mutex from other threads while it is using the resource. The mutex is unlocked when it is no longer needed or the thread is terminated. The difference between mutex and semaphore is that a mutex is owned by the thread which locked it (that is, only the process which locked the mutex can unlock it). Whereas a semaphore can be changed by another thread or process.
Return to top


N

Network Creeper
Viruses that spread to new hosts by finding writable network drives (or 'shares') and copying themselves there or infecting files on those shares are sometimes referred to as network creepers. Note that a distinction is made between network creepers and other viruses that just happen to infect files on network shares because they infect files on all local and mapped drives. To be a network creeper, a virus has to specifically search for shared network resources, and will find ones that are not currently in use by its host machine. VBS/Netlog has shown how surprisingly successful this technique can be when depending solely on Microsoft Networking and open shares (ones with write-access but no password).
Some antivirus researchers consider network creepers to be worms
Notifier

Any tool designed for stealth notification of an attacker that a victim has installed and run some pest. Such notification might be done by FTP, SMS, SMTP, or other method, and might contain a variety of information. Often used in combination with a Packer, a Binder and a Downloader.
Nuker
Now a generic term for several TCP/IP DoS attacks, but originally made (in)famous by the WinNuke DoS attack which crashed Windows machines that had not been suitably patched or firewalled.
Return to top


O

Oligomorphic Virus
An encrypted virus that has several forms of its decryption code, selecting between them (usually randomly) when writing its decryptor to a new replicant. (See Polymorphic Virus for more details.) ,
Overwriter
In general, the simplest form of virus is a program that just copies itself over the top of other programs. Such viruses are known as overwriters and are commonly the first types of viruses written for newly 'virused' platforms (e.g. Phage, the first PalmOS virus, discovered in late 2000, was a simple overwriter). Because they do not preserve the functionality of their host programs, overwriters tend to be very obvious and thus not very 'successful'. (c.f. Parasitic Virus)
Return to top


P

P2P

Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox. In an organization, can degrade network performance and consume vast amounts of storage. May create security issues as outsiders are granted access to internal files. Often bundled with Adware or Spyware.
Packer

A utility which compresses a file, encrypting it in the process. It adds a header that automatically expands the file in memory, when it is executed, and then transfers control to that file. Some packers can unpack without starting the packed file. Packers are ""useful"" for trojan authors as they make their work undetectable by anti-virus products.
Parasitic Virus
Parasitic viruses are those that modify some existing code resource to effect replication. The major distinction here is that companion viruses are not parasitic, and the standalone 'worms' (such the mass mailers and network creepers) tend not to be parasitic. Overwriters tend not to be considered parasitic either. Although macro virus infection necessitates the modification of document files, it has been common for macro viruses to remove pre-existing macros, making them more akin to overwriters. Thus, usually only those macro viruses with a replication method that retains (some of) the pre-existing macros from a target are considered parasitic. Some researchers consider such viruses parasitic only if macros within a module used by the virus are retained.
Partition Boot Sector
A confusing term, at best. It seems to mainly be used to mean the system boot sector of the active partition. Unfortunately, without some additional context, it seems likely this term would easily be mistaken to be a reference to the master boot sector because this houses the partition table.
Partition Table

Partition tables are a crucial part of how DOS and related operating systems understand the layout of partitions (or logical drives) on hard disks. For the sake of interoperability, most OSes that run on PCs also follow the dictates of these fundamental partition information resources.
A partition table is a 64 byte data array located at offset 1BEh of master boot records and the boot sectors of extended partitions. Each table has space for only four 16 byte partition definition entries. Each such entry records such data as the beginning and ending sector of the partition, a partition type indicator byte and whether the partition is marked 'active' (or 'bootable'). Beginning and ending sector locations are recorded in absolute CHS terms (relative to any drive geometry translation the BIOS may be set to use).
As the partition table, per se, is just data it cannot be infected. Occasionally the term 'partition virus' or 'partition table virus' is seen or heard. It is a misconception and what is meant is usually a boot virus that infects MBRs.
Password Cracker

A tool to decrypt a password or password file. PestPatrol uses the term both for programs that take an algorithmic approach to cracking, as well as those that use brute force with a password cracking word list. Password crackers have legitimate uses by security administrators, who want to find weak passwords in order to change them and improve system security.
Password Cracking Word List

A list of words that a brute force password cracker can use to muscle its way into a system.
Payload

If a virus has any damaging routines (other than apparently unintended side-effects or bugs), they are known as payloads or warheads. The term is drawn by analogy with military rocket and munitions talk, where the virus is seen as the 'delivery vehicle' and the damage routine the payload or warhead. We also borrow the term trigger from this analogy.
Pervasiveness
Pervasiveness refers to a virus' potential to spread. Hence, a worm that has the ability to send itself out to a large number of victims is given a high pervasiveness rating, while a boot sector virus that spreads via 'sneakernet' (i.e. - by the manual sharing of floppy disks), is given a low pervasiveness rating. Varying pervasiveness ratings are often allocated to specific types of malware. CA uses this metric to measure a malware's potential to spread to other computers. This metric is given the second highest weight, in combination with Wild and Destructiveness metric, to calculate the overall threat assessment.

There are four levels of pervasiveness that can be allocated to a virus in the Encyclopedia:
• None
• Low
• Medium
• High
None
This rating is given to trojans, hoaxes and in some cases, viruses that may not function as intended (and fail to replicate). Trojans and hoaxes must be maliciously or otherwise sent to potential victims. They do not have the ability to self-replicate; and generally appear in the encyclopedia with a pervasiveness rating of 'N/A' (i.e. - this characteristic is not applicable). Examples include Win32.Butano, W97M/MadCow.A:intended and the Good Times hoax.
Please Note: 'N/A' may also used in encyclopedia entries where a virus' pervasiveness rating is unavailable.
Low
This rating is often given to 'traditional viruses'. This type encompasses the majority of macro viruses and boot sector viruses. These viruses have the capacity to replicate by themselves and require no further human intervention to spread from file to file in an infected PC. However, in order to spread from PC to PC, they hide in floppy disk boot sectors and office files such as documents and spreadsheets that may be shared among users. The limitation that they must be manually sent out or shared in order to infect other PCs, means that they will generally be given a 'low' pervasiveness rating. Examples of such viruses include W97M/Bablas.A, WM/Concept.A and Michelangelo.
Medium
This rating is given to viruses, such as mailers (or slow mailers) that use one or more of the following techniques for distribution:
• Send only one 'infected' message at a time
• Occasionally send small batches of infected messages (for example, sends itself out to the first 10 addresses in the Microsoft Outlook address book)
• The virus may have the capacity to spread out to many users, but utilizes a very specific channel (such as IRC) which will limit its potential for distribution
• Runs its distribution mechanism only once (as opposed to, say, each time the PC is started)
• Has the ability to spread to large numbers of users at one time, but the infection process is so obvious to even the most naïve of users, that it will rarely run without being interrupted
Examples include Win32.Funso, Win32.SQL and Win32.Annoying.
High
This rating is given to viruses that can distribute themselves with either great speed or, from a virus writer's perspective- success. This category of pervasiveness is often given to worms and mass-mailing viruses. Malware with a high pervasiveness rating often use one or more of the following techniques:
• Utilizes more than one method of distribution (say by sending itself to all addresses in the Outlook address book, and by spreading through open network shares)
• Performs its distribution process repeatedly (every time the PC is rebooted or at a specific time every day)
• Performs its distribution process in a way that is completely hidden from the user and therefore more likely to run repeatedly without being detected
• Uses 'social engineering' tricks successfully to prompt users to run infected attachments
• Exploits either one or more vulnerabilities in widely distributed software applications (for example - Microsoft Windows)
Phreaking Tool

Any executable that assists in hacking the phone system, such as by using a sound card to imitate various audible tones.
POC
See Proof of Concept.
Polymorphic Virus
In a sense, polymorphic viruses were an extension of the simpler idea of encrypted viruses. Although the replicants of encrypted viruses vary, they can still be detected (albeit imprecisely identified) by simple string scanning because they have a constant decryptor. The development of polymorphism was an attempt to overcome that shortcoming of encrypted viruses.
The simplest approach to not having a constant decryptor was for the virus writer to produce several implementations of the decryption algorithm and slot just one of those forms into the small unencrypted area of each replicant. A very similar method was to have several different encryptor/decryptor pairs, randomly selecting among them at infection time. The very simplest form of this approach employs just two forms of the decryption code or two encryption/decryption pairs and thus is sometimes referred to as bimorphism. More complex variations on this approach involve more than two forms, but still a number fixed by the fact that the code for each decryptor or encrypt/decryptor pair is present in the virus' code. Whale was the first example of this approach, carrying 30 encryptor/decryptor pairs in its code. Aside from adding some overhead to analyzing the virus, such approaches were still not difficult for scanners to deal with - all the scanner developers had to do was add a scan string for each decryptor.
True polymorphism, however, requires more complexity than simply selecting from a group of constant encryptor/decryptor pairs. Viruses in the V2Px family were the first truly polymorphic viruses, employing such techniques as inserting a variable number of 'do nothing' or 'noise' instructions between the 'viral' instructions, interchanging equivalent but different instructions, and swapping code blocks where the order of execution of the blocks was not important to the overall effect of the code. Such code permutations could be applied to all of a virus' code or just to the decryption routine of an encrypting virus.
One of the most sophisticated forms of polymorphism at the time, in some ways setting the standard against which subsequent polymorphs were judged, was the 'Mutation Engine' (or MtE). It was distributed in the form of an object module which could be linked to the code of a virus body (the code responsible for replication), making that virus polymorphic. More recently, polymorphic viruses have 'benefited' from the advance of 32-bit computing, with some polymorphic engines theoretically capable of reproducing their host virus into 4 billion different forms. Scanning technology has obviously had to evolve well past simple string scanning to deal with such complexity while not labeling every other 'innocent' executable a virus too.
Popularity
Describes the existing or potential frequency of exploitation of the vulnerability. For example:
• 1, 2, 3 Not Popular:
Exploit techniques for the particular vulnerability are not widely known, detailed knowledge of vulnerable systems must be known, or circumstances under which the attack may be successfully exploited are very rare.
• 4, 5, 6, 7 Semi-Popular:
Exploit techniques are fairly well known, and the circumstances under which the attack may be successfully exploited are somewhat common.
• 8, 9, 10 Very Popular:
Exploit techniques are well known, and the circumstances under which the attack may occur are very common.
Port Scanner

In hacker reconnaissance, a port scan attempts to connect to all 65536 ports on a machine in order to see if anybody is listening on those ports. Ports scans are not illegal in many places, in part because they don't actually compromise the system, in part because they can easily be spoofed, so it is hard to prove guilt, and in part because virtually any machine on the Internet can be induced to scan another machine. Many people think that port scanning is an overt hostile act and should be made illegal. An attacker will often sweep thousands (or millions) of machines rather than a single machine looking for any system that might be vulnerable. Port scans are always automated through tools called Port Scanners.
POST
Power On Self Test.
When a PC is powered up or restarted, the first thing the BIOS does is perform some basic tests for the existence and/or functionality of various hardware components (e.g. whether there is enough RAM to run the rest of the BIOS code, whether there is functional display adaptor with text-mode capabilities, etc). Should any of these tests fail, the BIOS simply beeps to indicate the error, and stops - the machine just freezes. The number of beeps describes which of the sub-system tests failed. Unfortunately, there is no explicit standard between manufacturers (and even between models) for these error codes, so you need to contact technical support or the manufacturers web site to obtain this information.
Prepender
A virus that inserts a copy of its code at the beginning of the code of its victim file is known as a prepender or prepending virus. (c.f. Appender, Cavity Infector, Companion Virus, Overwriter)
Probe Tool

A tool that explores another system, looking for vulnerabilities. While these can be used by security managers, wishing to shore up their security, the tools are as likely used by attackers to evaluate where to start an attack. An example is an NT Security Scanner.
Proof of Concept
A term broadly applied to mean the first implementation of an idea that had previously only been discussed as a theoretical possibility or concept. In antivirus circles it is commonly used to describe a virus that is the first to infect a given platform or implement a given infection technique. Employed thus, it often has a pejorative connotation, particularly if used in a phrase such as 'It is just a proof of concept' which usually means the virus is very simplistic and possibly quite obvious or buggy (or both), and thus unlikely to pose a real-world threat itself.
Return to top


R

RAM

Random Access Memory.
The memory transient programs are loaded into so they can be executed. It is also the memory that must be used for revisable data storage, regardless of the location of the program manipulating the data (e.g. a PC's interrupt table is stored at a fixed location in system RAM even though it is initialized and used by the BIOS, because the OS and user programs need to be able to alter interrupts). Viruses must use some of this for themselves if they are to remain active on a machine (i.e. if they are to go resident). Thus, scanners check memory, at least for signs of known memory-resident viruses.
In the early days of virus scanner development, many scanners would declare that a virus was active simply when it is found in RAM. This could, and often did, cause a particular type of false positive known as ghost positives through the 'detection' of part of a virus' code that was, for example, left over in a buffer area of RAM rather than truly being active. (c.f. ROM)
RAT
1. Remote Access Trojan (occasionally Remote Access Trapdoor).
2. Remote Administration Tool. There are legitimate remote administration tools included with many network management products, with helpdesk and other support software, and the like. These are installed with the system administrator's knowledge and consent (although not necessarily with that of the end-users). Many programs that are clearly designed to harass, annoy and spy on unsuspecting users who are fooled into running their server part (that is, programs that better fit the first expansion of this acronym) are referred to as 'remote administration tools' in an attempt (usually by their writers, resellers, agents, etc) to legitimize them. Such tools that have 'silent' installation modes and such useful administration functions as the ability to repeatedly open and close the CD-ROM tray of the 'administered' machine are perhaps better thought of as 'remote antagonism tools' and should be treated as such
Registry
The registry is a database used by the Windows32 operating system (Win9x/ME/NT/2000/XP) to store configuration settings. The Registry is broken down into several major sections, for example; HKEY_Current_User (where all the preferences for the current user are stored) or HKEY_Local_Machine (where settings are stored for hardware, installed applications and the operating system).

Many Windows applications write data to the Registry. The Registry can be edited, although extreme caution must be used when doing so. Actions such as altering registry settings, deleting files from system areas and modifying the content of system files are difficult and potentially dangerous operations that SHOULD NOT be undertaken unless users are aware of the risks involved.
Experimenting with registry settings is likely to result in lost files and/or unusable programs and can even cause the operating system to become corrupted.
Microsoft defines the registry thus:
"In Windows 32-bit operating systems, the tree-structured hierarchical database where general system hardware and software settings are stored."
(quoted from http://www.microsoft.com/hwdev/GLOSSARY1.HTM#R 23/11/2001)

Remnant
There are many approaches to disinfecting virus-infected objects. As a result, some people are surprised to learn that not all products remove all traces of a virus when disinfecting. Should this happen, the remaining virus code will not be 'active' - it will not be able to gain control in the flow of execution - so the disinfected object is still 'safe'. These snippets of leftover code are sometimes referred to as remnants.
Because this does happen and not all scanners use the same methods to detect any given virus (just as they do not all use the same methods to disinfect), these remnants may be detected by some scanners. If this happens, it may cause them to raise an alert that the original virus is still present or that a new variant of that virus may have been detected. This is a special form of false positive known as a ghost positive.
Remote Access Trojan
A program that surreptitiously allows access to a computer's resources (files, network connections, configuration information, etc) via a network connection is known as a remote access Trojan, or RAT. Note that such functionality is often included in legitimate software designed and intended to allow such access. For example, software that allows remote administration of workstations on a company network, or that allows helpdesk staff to 'take over' a machine to remotely demonstrate how a user can achieve some desired result, are genuinely useful tools (and even desirable in many settings). The difference between remote access Trojans and remote administration tools is that the latter are designed into a system and installed and used with the knowledge and support of the system administrator's and the other support staff they involve. Remote access Trojans are also commonly referred to as remote access trapdoors and backdoors, although the terms trapdoor and backdoor tend to have their own specialized and slightly different meanings.
Resident
A property of most common computer viruses. A resident virus is one which is normally running and active in the environment in which it is infective. Thus, resident DOS executable infectors load into memory, hook one or more interrupts and remain in memory, waiting for some trigger event such as a file being opened. When the trigger event occurs, the virus' infection code runs, attempting to infect one or more suitable targets (usually the file(s) being processed by the system or function call they have hooked). As boot code is only executed at the very beginning of the boot process, boot viruses have to be resident to have a chance to infect any other targets. The more common macro viruses are also resident, for example, installing themselves into global templates in Word and Excel. (c.f. Direct Action)
Retro-virus
Loosely based on the biological concept with the same name, computer viruses that attack antivirus products are sometimes referred to as retro-viruses. Examples range from including code that is known to cause code emulators to exit early, through disabling loading of well-known antivirus products and disabling resident antivirus products by patching them in memory to deleting the checksum data files of products offering such features.
REVS
Rapid Exchange of Virus Samples list.
A mailing list for antivirus companies, allowing their virus analysis staff to securely send samples of 'emergency' viruses to other antivirus developers and for the lab staff to discuss emerging 'virus emergencies'. REVS member companies are expected to send samples of any 'urgent' viruses they isolate to the mailing list no later than the time they make press releases or other public announcements about such viruses.
Computer Associates is represented on the REVS lists. (c.f. AVED)
ROM
Read-Only Memory.
Apart from its contents normally not being modifiable, ROM is usually also non-volatile. This type of memory is traditionally used to hold a PC's BIOS and little else, although various kinds of 'modifiable ROM' memory technologies, such as EPROM, EEPROM and flash memory, have been used through the years, with flash memory being preferred in recent years.
Return to top


S

Search Hijacker

Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.
Simplicity

The amount of effort required to exploit a vulnerability. Some attacks against systems can be more difficult to exploit than others. Some exploits merely require inputting a command string, while others involve compiling code and executing the resulting program under an explicit set of conditions. For example:
• 1, 2, 3 Complex:
Detailed computer security knowledge and experience is required, and exploit techniques are difficult to obtain or execute.
• 4, 5, 6, 7 Simple:
General computer security knowledge is required, and exploit techniques are easily obtained and executed.
• 8, 9, 10 Extremely Simple:
Unskilled attackers can easily obtain and execute exploit techniques. Typically, compiled binaries or GUI exploit tools are readily available.
Slack Space
In more general usage, slack space is the disk space 'wasted' by the difference between a file's real size and the minimum storage unit of the file system storing it. For example, on a FAT32 file system under Windows 9x, disk cluster size may be 4KB (4096 bytes). What this means is that regardless of their actual sizes, all files from 1 to 4096 bytes will remove 4096 bytes of free disk space from the drive as the file system cannot allocate drive space in units smaller than a cluster. Thus, if you created ten one byte files, despite having only stored ten bytes of data, you will have used 40960 bytes of disk space. In a sense this is a waste of 40950 bytes of disk space, which is said to be 'slack space'. (There are solutions to this 'problem' of wasting disk space, such as sub-block allocation methods and the like, and these are employed in more advanced file systems.)
An important thing to be aware of is that few popular operating systems overwrite this unused space between the end of a file and the end of the last cluster the file occupies. Thus, pieces of 'inert' virus code can be found in various kinds of 'slack space'. Whilst this is unlikely to be seen when scanning files, such code may be detected in memory and incorrectly reported as an active infection once the contents of (cluster-sized) disk buffers are copied elsewhere (see Ghost Positive for an example with boot sectors).
There are, however, other kinds of slack space that can be of more significance to virus writers. For example, the internal format of Win32 portable executables (the PE format) is section based, with files consisting of a header and one or more sections containing code, data resources and the like. Each section, including the header, is 'padded out' to the nearest whole multiple of the file alignment size (which is specified in the header). This arrangement means that PE files can contain sections that do not completely fill the last section assigned to them in the file, just as the final cluster assigned to a file may not be filled. Some viruses have taken advantage of this section slack space, perhaps most notably CIH (see also Multiple Cavity Infector).
Slow Infector
Most resident viruses attempt to maximize their hit rate by infecting at least the commonly used programs on a system. Some go so far as to attempt to infect all possible targets (see Fast Infector). However, infecting many targets tends to increase the likelihood of being detected so some resident viruses only infect files as they are modified or created. This beats integrity checking methods, as the addition of a new file or modification of an existing one reported by an integrity checker would normally be expected so the user will ignore the reported change, assuming it to be entirely due to (legitimate) reasons for the file's creation or modification. An early example is the Darth Vader virus. A related, though different, technique for reducing the likelihood of detection is that of the sparse infector.
Slow Mailer

A slow mailer is a virus that distributes itself from victim machines via e-mail but not in the 'explosive' manner attributed to mass mailers. Ska (aka Happy99) and Kak are classic examples of slow mailers, respectively sending itself once to each addressee the victim sends e-mail to or embedding itself in all outgoing HTML messages the victim sends. Despite the mass mailers such as Melissa and LoveLetter hogging the media spotlight, Ska and Kak are also excellent examples of how slow mailers 'last the distance'. For example, several sources of prevalence statistics show roughly twice as many Kak incidents in 2000 as LoveLetter incidents, with the explosive nature of LoveLetter - then the most prevalent virus in history - seen in the fact that most LoveLetter incidents were recorded in a single month (May).
Slow mailers often have the '@m' suffix to their names, making the additional threat they may pose readily identifiable to the informed.
Slow Polymorphism
A term occasionally applied to polymorphic viruses that only morph their code 'occasionally' rather than each time they replicate, as is more common. This is an 'anti-antivirus research' technique.
Sneakernet
The network of inter-personal contacts that existed before ethernet made LANs commonplace and long before the Internet as we know it today existed. The name is a play on 'sneaker' and 'ethernet' and refers to the sharing patterns seen when data files and programs were mainly distributed and copied between workmates, other professional colleagues and friends via diskette. As all diskettes have boot sectors and most PCs will attempt to boot from a diskette left in a floppy drive, boot sector infectors were the most prevalent viruses when sneakernet was the predominant sharing mechanism.
Sniffer

A wiretap that eavesdrops on computer networks. The attacker must be between the sender and the receiver in order to sniff traffic. This is easy in corporations using shared media. Sniffers are frequently used as part of automated programs to sift information off the wire, such as clear-text passwords, and sometimes password hashes (to be cracked).
Social Engineering

1. There are two main ways to obtain technical or administrative information about a computer system. The first is from the machines and systems themselves and the second is from the administrators and users of the machines. Surreptitious or unauthorized attempts to obtain such system information are known as hacking or cracking if the attempt involves obtaining the information from the machines and as social engineering if they involve manipulating or 'tricking' a person into divulging the information.
2. By extension of the previous meaning, the term social engineering is often used to describe the 'tricks' used by mass mailing viruses to entice recipients messages with viral attachments to run (or 'view') those attachments.
SOCKS Proxy
Socks (or "SOCKS") is an IETF standard protocol for TCP/IP-based networking applications. A proxy server (a server that sits between a client application and a real server) can use SOCKS to accept requests from clients so that they can be forwarded across the Internet. Socks uses sockets to represent and keep track of individual connections.
SOCKS proxy servers are widespread, and used legitimately for improving system performance, caching web pages and filtering client requests. Unfortunately, SOCKS proxy servers can also be used for undermining system security; attackers can hide their IP address by "bouncing" their requests off a victim’s computer with an open SOCKS proxy.
SPAM Tool

Any software designed to extract email addresses from web sites and other sources, remove ""dangerous"" or ""illegal"" addresses, and/or efficiently send unsolicited (and perhaps untraceable) mail to these addresses.
Sparse Infector

Although not an approach to beat integrity checking, like slow infection methods, sparse infection is also an approach to reduce the chances of early detection. The main idea is to replicate only occasionally; for example, only infecting one in every 100 programs that are executed. Another approach a sparse infector may take to deciding which files to infect is to only target files that meet certain criteria such as having a size divisible by a particular value or with a creation date of a certain day of the month and so on.
Spoofer

To spoof is to forge your identity. Attackers use spoofers to forge their IP address (IP spoofing). The most common use of spoofing today is smurf and fraggle attacks. These attacks use spoofed packets against amplifiers in order to overload the victim's connection. This is done by sending a single packet to a broadcast address with the victim as the source address. All the machines within the broadcast domain then respond back to the victim, overloading the victim's Internet connection. Since smurfing accounts for more than half the traffic on some backbones, ISPs are starting to take spoofing seriously and have started implementing measures within their routers that verify valid source addresses before passing the packets.
Spyware Cookie

Any cookie that is shared among two or more unrelated sites for the purpose of gathering and sharing private user information.
Spyware or Spy Ware
A program that gathers information and can be 'silently' installed and run in 'stealth' mode. This kind of software is used to gather information from a user's machine, such as recorded keystrokes (passwords), a list of websites visited by the user, applications installed on the machine, the version of operating system, registry settings, etc.
SR-1
Service Release 1.
A Service Release is an incremental update and/or bug-fix version of an application, similar to the better-known term Service Pack (or SP). SR-1 is usually of significance in antivirus issues when talking about Word 97 SR-1, as this release introduced some subtle changes to Word's VBA environment that had implications for the replication mechanisms of most Word macro viruses written prior to its release. (See also Class Infector.)
Stealth Virus
Aside from infecting seldom (see Slow Infector and Sparse Infector), some viruses take other steps to make themselves difficult to detect. For example, stealth boot viruses intercept attempts to read the boot sector (where they reside) and return copies of the original boot sector so it is seen as it was prior to infection - the first PC virus, Brain, is an example of this. More sophisticated boot sector stealth also intercepts write functions, preventing the viral code being overwritten and perhaps redirecting such writes to the 'safe' copy of the original boot sector. Stealth file infectors typically hide any file size increases they are responsible for when a file's properties are read from the disk - Number of the Beast and Frodo were early examples. Macro viruses have also attempted many stealth techniques, such as replacing the standard list of macros with a list from which the virus' macros are missing, and preventing users from accessing the Visual Basic Editor. For their stealth functions to work, a virus must be 'resident'.
With executable viruses, this residency means the virus' modifications go undetected by antivirus programs as well as preventing the user from noticing changes (such as in file sizes and the like). However, with macro viruses, such stealth mechanisms only help prevent the user noticing or reporting changes because virus scanners look directly at the document files containing the viruses and are not dependent on internal functions of Word - the only functions a macro virus can usurp - in order to detect these viruses.
In general, to counter stealth mechanisms you must be able to re-establish a 'clean' environment. With boot and program stealth, restarting from a clean system is necessary to ensure there is no possibility of the normal system functions being interfered with. With stealth macro viruses a clean user environment is needed. This can be attained by assuring that all global templates and other code resources that may be loaded during the host application's startup phase, and as a result of loading a (potentially) infected document, do not get a chance to run.
Surveillance

Any software designed to use a webcam, microphone, screen capture, or other approaches to monitor and capture information. Some such software will transmit this captured information to a remote source. See also Key Logger.
SYN Flood Attack

In the normal course of a TCP connection, a SYN (TCP connection request) is sent to a target computer. When the target computer receives the SYN, it sends a SYN_RECEIVED message back to the machine that sent the SYN (reading the IP source address of the originating packet). The target computer then waits for the machine that originated the request to send back a SYN_ACK upon receipt of its SYN_RECEIVED message (this SYN-RECEIVED state is saved in a buffer either until the ACK is received or until the request has been waiting for a particular finite period of time and is then purged). When this "three-way" handshake is completed, data can travel freely between the two computers.
During a SYN Flood Attack, a SYN is sent to the target computer, however the source IP address is spoofed. The target computer attempts to send its SYN_RECEIVED message back to the originating IP address of the SYN, however, because the address is spoofed, this message will either be sent to an IP address that does not exist or to a computer that did not send the original SYN (and therefore will ignore this message). When this occurs, the target machine may send several more SYN_RECEIVED messages, and wait for a finite time for a SYN_ACK that will never come, storing this information in a buffer. The more of these spoofed packets that are sent to the target computer, the more system resources that are used on the target computer. Once the limit is reached for a given TCP port, the target computer responds by resetting all further connection requests until system resources are freed. The result of this attack is a Denial of Service.
System Boot Sector

A seldom used term denoting the boot sectors at the beginning of disk partitions and other logical drives such as floppies and some other removable drives. This term is used in the glossary to denote the set of boot sectors excluding master boot records.

Return to top


T

Telnet Server

Software that allows a remote user of a Telnet client to connect as a remote terminal from anywhere on the Internet and control a computer in which the server software is running.
Time Bomb

A logic bomb with its trigger condition(s) based on absolute or elapsed date or time conditions.
TOM

Top Of Memory. The end of a PC's conventional memory, which, as a matter of architectural design, was limited to 640KB on most PCs and is always a multiple of 64KB. Early PCs were seldom fully populated with RAM, with 64KB, 128KB and 512KB being common values for very early models.
During startup, the BIOS initializes a value in the BIOS Data Area (BDA) noting, in kilobytes, how much conventional memory it found. Boot sector viruses typically read this value, copy their code to just below the memory location it represents and then decrease the value in the BDA. This means the virus' resident code ends up above the TOM subsequently reported to the operating system or to any programs (boot viruses load before the OS). With OSes such as DOS, this ensures the virus' code is not overwritten, but with some more complex OSes this may not be the case. Monitoring the TOM value in the BDA for unexpected changes can help detect a virus, but there are legitimate reasons for it to change.
It is a common misconception that PCs reporting less than 640KB of conventional memory necessarily have a virus. While it is the case that boot viruses (and many simple DOS executable infectors) steal RAM from the TOM, this is far from the only explanation for less than 640KB being reported. For example, many expansion cards that have their own BIOSes and other common BIOS extensions (such as on SCSI controllers embedded in a PC's main logic board) liberate a small amount of conventional RAM from the TOM for their own purposes (1KB, 2KB and 4KB are common amounts for this). Similarly, many system BIOSes have an option to move the Extended DIOS Data Area (EBDA) to the TOM, accounting for 1KB of RAM if enabled. Further, the various startup modes of Windows 9x and ways of getting to a DOS prompt to discover the TOM setting of a machine can also affect what is reported (for example, a machine in the current author's test network variously reports 640KB, 639KB and 636KB depending whether a straight DOS boot is made, the DOS prompt is accessed from inside Windows and whether safe mode is used or not).
Toolbar

A group of buttons which perform common tasks. A toolbar for Internet Explorer is normally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.
Tracking Cookie

Any cookie that is shared among two or more web pages for the purpose of tracking a user's surfing history.
Trigger
The condition that determines the launching of a virus' or Trojan's payload is usually called the trigger or trigger condition. Trigger is also used as a verb to indicate the activation of a payload. (See also Logic Bomb, Time Bomb; c.f. Immediate Acting.)
Trojan

By analogy to the wooden horse the Greeks reputedly used to break the siege of Troy, the term Trojan is applied to programs that do something their programmers intended but that the user would not approve of if he knew about it. As with so many central terms in this field, there is considerable debate about phrasing an adequate, operational definition.
In the context of Computer Associates AntiVirus solutions and most of the greater AntiVirus industry, the defining feature of a trojan is that it is a malicious program that is unable to spread of its own accord.
Trojan Creation Tool

A program designed to create Trojans. Some of these tools merely wrap existing Trojans, to make them harder to detect. Others add a trojan to an existing product (such as RegEdit.exe), making it a Dropper.
Trojan Source

Source code is written by a programmer in a high-level language and readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Trojan Source can be compiled to create working trojans, or modified and compiled by programmers to make new working trojans.
TSR
Terminate but Stay Resident.
This term is properly used of DOS programs that stay loaded in memory and functional, but allow the user to return to DOS and continue using the PC for other purposes. It is a type of poor person's multi-tasking and in the early days of DOS was very much a black art as several important details of undocumented DOS internals had to be understood before a reliable TSR could be written, and many stability problems were attributed to TSRs. The DOS MEM utility (with the '/C' parameter), and many third-party utilities, can display a list of what TSRs are loaded and have 'followed the rules'.
Return to top


U

Usage Tracks

Usage tracks permit any user (or their software agent) with access to your computer to see what you've been doing. Such tracks benefit you if you have left the tracks, but might benefit another user as well.
Return to top


V

Virus

A computer virus is a self-replicating program that explicitly copies itself and that can infect other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus. Note that 'program' takes a fairly liberal interpretation here, involving much more than the 'obvious' application programs (executables) in a typical computer system. Almost any code that is executed or interpreted may be 'virusable' so long as, when running in its normal execution context, that code has write access to some other executable object (note this need not be the same kind of executable object!).
Some not immediately obvious targets for viruses include the boot code in the system boot sectors and MBRs of PC disks and hard drives. These are clearly programs, but are often overlooked because they do not reside in files and thus are not readily accessible to the user, or even 'visible'. Other less than obvious programs include scripting facilities built into applications, either in the form of sophisticated macro languages such as Visual Basic for Applications (VBA), or the simpler procedural languages for automating many applications such as the scripting feature of popular Windows IRC clients like mIRC and Pirch.
Another important feature of viruses is that, unlike their biological namesakes, they need not be parasitic. Various companion infection methods exist and mechanisms that involve altering the behavior of the host program's environment, rather than altering the program itself, can be sufficient to classify a program as viral (so long as it is also self-replicating).
Worms are, in some ways, similar to viruses in that they make copies of themselves. However, there is a deal of disagreement between researchers over how to classify worms. See the worm entry for more discussion of this issue.
When discussing viruses, it is common to hear talk about obvious symptoms and damaging payloads. Some viruses display symptoms, and some cause damage to files in a system they have infected, but neither symptoms nor damage are essential in the definition of a virus. A non-damaging virus is still a virus, not a prank.
There are no 'good' viruses. Viruses are seldom intentionally installed. Users (and, more importantly in corporate settings, system administrators) must be able to control their computers. This requires that they have the power to install and remove software, and that no software is installed, modified, or removed without their knowledge or permission. As viruses are usually surreptitiously self-installed and modify other software in the system without user or administrator awareness, they break these requirements of system administration. Further, their removal can be difficult and costly and viruses will occupy drive space and space on backup media and use CPU cycles and RAM that has not been budgeted for.
Many viruses cause intentional damage. But many more cause damage that may not have been intended by the virus' writer. For instance, when a virus finds itself in a very different environment from that for which it was written, a non-destructive virus can suddenly become very destructive. A good case in point are many common (or formerly common) boot viruses: while a particular boot virus might not contain any code to damage computers running Windows NT, booting an NT machine with such a virus is likely to result in system repairs the user or system administrator may not have been prepared for.
Even if a virus causes no direct damage to a computer, the user's or administrator's inexperience with viruses can mean that damage occurs during the 'clean up' process. Many organizations have shredded floppies, deleted files, and done low-level formats of hard disks in their efforts to remove viruses. Even when removal is done perfectly, with no damage to the infected system or files, it is not normally done when the machine is first infected, and the virus in that machine has had a few weeks to spread. The social costs of infection include a loss of reputation and good will which in a business setting can be significant.
Virus Creation Tool

A program designed to generate viruses. Even early virus creation tools were able to generate hundreds or thousands of different, functioning viruses, which were initially undetectable by current scanners.
Virus Source

Source code is written by a programmer in a high-level language and readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Virus Source can be compiled to create working viruses, or modified and compiled by programmers to make new working viruses.
Virus Tutorial

We don't think there is much need for viruses in today's offices, so we don't think there is much need to learn how to create them. Virus Tutorials explain 'how to'.
Return to top


W

War Dialer

(demon-dialing, carrier-scanning) War-dialing was popularized in the 1983 movie War Games. It is the process of dialing all the numbers in a range in order to find any machine that answers. Many corporations have desktop computers with attached modems; attackers can dial in order to break into the desktop, and thereafter the corporation. Similarly, many companies have servers with attached modems that aren't considered as part of the general security scheme. Since most security emphasis these days is on Internet-related attacks, war-dialing represents the ""soft underbelly"" of the security infrastructure that can be exploited.
Warhead
Another term for Payload.
Web Bug (1)

A Web Bug is a device used in html web pages and e-mail that is used to monitor who is reading the web page or e-mail. The name "Bug" is used as, just like a bug in a spy movie, these are small, hidden, difficult to detect eavesdropping devices. Most of the time, you will not even be aware that these bugs exist, as they hide within 1 by 1 pixel html image tags, although any graphic on a web page or in an e-mail can be configured to act as a Web bug. This is not to say that all invisible gifs on web pages are web bugs; some invisible gif files are used for alignment and design purposes.
When you view a page or e-mail that contains a Web Bug, the following information is sent to the Bug's owner:
• Your IP address
• Information regarding the browser you are using
• The time the page or e-mail is viewed
• The URL of the page that the bug is on
• Cookie values
Web bugs can be used by advertising networks to gather and store information on user's personal profiles. They are also used to count the numbers of people visiting particular sites, and to gather information regarding browser usage.
Web Bug (2)

A Web Bug is a device in html web pages and e-mail that is used to monitor who is reading the web page or e-mail. The name "Bug" is used as, just like a bug in a spy movie, these are small, hidden, difficult to detect eavesdropping devices. Most of the time, you will not even be aware that these bugs exist, as they hide within 1 by 1 pixel html image tags, although any graphic on a web page or in an e-mail can be configured to act as a Web bug. This is not to say that all invisible gifs on web pages are web bugs; some invisible gif files are used for alignment and design purposes.
When you view a page or e-mail that contains a Web Bug, the following information is sent to the Bug's owner:
• Your IP address
• Information regarding the browser you are using
• The time the page or e-mail is viewed
• The URL of the page that the bug is on
• Cookie values
Web bugs can be used by advertising networks to gather and store information on user's personal profiles. They are also used to count the numbers of people visiting particular sites, and to gather information regarding browser usage.
Wild
Also referred to as 'in-the-wild'.
A term that indicates a virus has been found infecting systems in several organizations around the world. Ideally, the term is reserved for viruses that currently are (or, that have been) in the 'top half' of the WildList. This contrasts the virus with those that have only been reported by antivirus researchers, and which are sometimes referred to as 'zoo viruses' or 'collection viruses'. Despite popular hype, most viruses are not 'in the wild' and are unlikely ever to be. (c.f. In the Field, Zoo Virus) CA uses this as a metric to measure the degree of real world spread of a malware threat. This metric, in combination with the Pervasiveness and Destructiveness metric is given the most weight when calculating the overall threat assessment.
Wild Virus

See In the Wild.
WildList
Although there are many thousands of known viruses, few actually cause any real-world concern, and those that do are often said to be 'in the wild'. However, the term 'in the wild' has been used in many different contexts and with many different shades of meaning. In an attempt to clear this situation up, as it regards computer viruses, antivirus researcher Joe Wells instigated what he called the WildList. Its purpose was to provide a listing of viruses that could (or should) be considered 'in the wild' by set criteria.
The approach chosen was quite simple - from a reasonably sized and distributed group of reporters (comprised of antivirus researchers and other IT professionals working in, or closely with, the antivirus community), collate monthly reports of virus infection incidents that have been verified by the reporter receiving a sample of the virus involved. The criteria applied to counting these reports were equally simple - if two or more reporters claimed to have received two or more independent, sample-verified reports of infection by the same virus, that virus would be listed on the WildList.
In reality, the WildList consists of two parts. Those viruses currently reported and meeting these criteria are listed first (in what is sometimes called 'the top-half of the list'). That is the WildList and such viruses can be said to be 'in the wild'. However, as an indication of viruses that may be 'bubbling under', all viruses reported to have met the 'two or more independent, sample-verified reports' criterion by only one WildList reporter are also listed. This is often referred to as 'the bottom-half of the list' and such viruses can be said to have been 'reported from the field'.
The WildList has been used as a 'reference standard' by many antivirus testing organizations that require 100% detection of acknowledged 'in the wild' viruses for tested products to attain various, 'desirable' certification levels. The list has not, however, been without its critics and it must be acknowledged that the WildList does not list all viruses that have been seen 'in the field'. That it should be such a list is a common expectation of those with different backgrounds where the term is also used (for example, the general computer security community uses the term 'in the wild' and members of that community are accustomed to the term meaning 'an exploit of a security hole has been seen used in a real-world attack').
An archive of the WildLists and details about the organization that compiles and maintains it are available from http://www.wildlist.org.

Worm

The term 'worm' does not have a firm definition, although there is less disagreement over the claim that the 'Internet Worm' (or 'Morris Worm') of 1988 was one of the first and the best-known (at least until W97M/Melissa - see below). Some people use the term 'classic worm' (and a few 'real worm') to distinguish such self-contained programs that break into a system via remotely exploitable security flaws (such as buffer overflows) and self-instantiate (i.e. their replication mechanism, per se, is directly responsible for their code running on new target host systems, rather than requiring some external action such as a user running a program or restarting the system as with viruses). The Ramen and Lion (or '1i0n') Linux worms (that were enjoying some success in April 2001) are 'classic worms', as just described.
However, since the late-1990s the term 'worm' has been widely adopted within antivirus circles as meaning something like 'a virus that spreads via network connections'. However, an immediately obvious weakness of this definition is that most file infectors blithely infect files on any drive available to them, including any on mapped network drives. Thus, given an environment where client machines commonly map network drives (i.e. most corporate LANs), most file infecting viruses would be worms. As the point of the late-1990s adoption of the term 'worm' was to emphasize the additional threat posed by mass mailing viruses, this informal definition was changed to something like 'a virus that overtly spreads via network connections' or 'a virus that overtly spreads via external network connections'.
Worms, under this definition, really came to the fore with the release and widespread distribution of W97M/Melissa.A in late March 1999. In fact, accepting this definition of 'worm', the most common type of worm seen to date is the co-called 'e-mail worm' or mass mailing virus.
Aside from e-mail worms, the open share, or network creeper attack is another form of 'network copying virus' worm. This was probably first successfully implemented in VBS/Netlog. Netlog's attack takes the simple expedient of randomly selecting tracts of the IP network address-space then attempting to connect to a Microsoft Network share named 'C' on whatever machine (if any) happens to be on each of the IP addresses in the chosen network address range. A variation on this is network creeper attack, as seen in ExploreZip and some later 'worms', uses Windows' network enumeration API to find all the machines the host explicitly knows on the network and these are then attacked, thus saving time of not having to try many unknown addresses to find potentially exploitable machines.
Worm Creation Tool

A program designed to generate worms. Worm creation tools can often generate hundreds or thousands of different, functioning worms, most of which are initially undetectable by current scanners.
Return to top


Z

Zoo Virus

Those viruses not known to have accounted for any real-world infection incident, or that have been bypassed by computing developments, perhaps despite having once been common, are known as zoo viruses.
Many thousands of trivial, uninteresting viruses are held in antivirus developer virus collections and are widely considered to pose little, if any, real threat. However, they are kept closely guarded to prevent whatever consequences may befall their victims, should they ever be released. As these viruses are not known to have occurred outside such collections, they are likened to rare and exotic animals that are seldom or ever seen other than in nature parks and zoos. The term 'collection virus' is a synonym. (c.f. In the Wild)
Other viruses that are often referred to as zoo viruses are those left behind by technological advances. A classic example is Brain - widely regarded as the first PC virus. It only infected diskette boot sectors, and only those of 360 KB diskettes at that. These days, that probably seems a most unusual design decision, but given the computing milieu of the time, it made sense. The main (in fact, all but only) means of software or data exchange between PCs at the time was via diskette (see Sneakernet). With hard drives being very expensive and most software running on single floppy systems (and running well on dual-floppy systems), users were accustomed to booting from a system diskette, swapping the disk in the A: drive for a program disk and putting their data disks in the B: drive. Thus, booting from and swapping diskettes was common practice (in fact, booting from diskette was 'normal').

Return to top