Information Security Management Chapter 6


advertising that is integrated into software. It can result in pop-up ads or redirection of a browser to a commercial site.

attack kit

set of tools for generating new malware automatically using a variety of supplied propagation and payload mechanisms.


any mechanism that bypasses a normal security check. It may allow unauthorized access to functionality in a program, or onto a compromised system.

blended attack

uses multiple methods of infection or propagation, to maximize the speed of contagion and the severity of the attack. Some malware even support an update mechanism that allows it to change the range of propagation and payload mechanisms utilized once it i

boot-sector infector

infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus.


zombie or drone that secretly takes over another Internet-attached computer and then uses the computer to launch or manage attacks that are difficult to trace to the ____'s creator.


a collection of bots that is capable of acting in a coordinated manner.


an attack using code in a compromised Web site that exploits a browser vulnerability to attack a client system when the site is viewed.


captures keystrokes on a compromised system.

logic bomb

Code inserted into malware by an intruder. Lies dormant until a predefined condition is met, the code then triggers an unauthorized act.


malware that encrypts the user's data and demands payment in order to access the key needed to recover this information.


set of hacker tools used after attacker has broken into a computer system and gained root-level access


also known as malicious software. A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system or otherwise annoying or


a computer program that can run independently and can propagate a complete working version of itself onto other hosts on a network, usually by exploiting software vulnerabilities in the target system.


malware that, when executed, tries to replicate itself into other executable machine or script code. when it succeeds, the code is said to be infected. When the code is executed, the ____also executes.


software that collects information from a computer and transmits it to another system by monitoring keystrokes, screen data, and/or network traffic; or by scanning files on the system for sensitive information.


a secret entry point into a program that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures.

Trojan horse

a useful, or apparently useful, program or utility containing hidden code that, when invoked, performs some unwanted or harmful function. Can be used to accomplish functions indirectly that the attacker could not accomplish directly.


social engineering attack when a spam e-mail directs a user to a fake Web site controlled by the attacker, or to complete some enclosed form and return to an e-mail accessible to the attacker, which is used to gather a range of private, personal, informat


a variant of phishing in which e-mail claiming to be from a trusted source. Recipients are carefully researched by the attacker and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them

metamorphic virus

virus that mutates with every infection. Rewrites itself completely at each iteration (new version of a piece of computer hardware or software), increasing the difficulty of detection. It may change behavior as well as appearance.

polymorphic virus

a virus that mutates with every infection, making detection by the "signature" of the virus possible.

stealth virus

a form of virus explicitly designed to hide itself from detection by anti-virus software. The entire virus is hidden. May use both code mutation and rootkit techniques to achieve this.


code that installs other items on a machine that is under attack. It is normally included in the malware code first inserted on to a compromised system to then import a larger malware package.

macro virus

a type of virus that uses macro or scripting code, typically embedded in a document, and triggered when the document is viewed or edited, to run and replicate itself into other such documents.


program activated on an infected machine that is activated to launch attacks on other machines.


first function in propagation phase for a network worm in which it searches for other systems to infect.

mobile code

programs (e.g. macro, script, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and execute with identical semantics. It is transmitted from a remote system to a local system and then executed on the l

zero-day exploit

to achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched.

e-mail virus

virus that could be activated merely by opening an e-mail that contains the virus or by opening an attachment in an e-mail. User on a vulnerable host opens an infected e-mail attachment.

behavior-blocking software

integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. It then blocks potentially malicious actions before they have a chance to affect the system. Monitored behaviors can include attempts

digital immune system

comprehensive approach to virus protection developed by IBM. The system expands on the use of program emulation and provides a general-purpose emulation and malware detection system. Objective: provide rapid response time so that malware can be stamped ou


scanner that requires a malware signature to identify the malware. Such signature-specific scanners are limited to the detection of known malware.


scanner that does not relay on a specific signature. Rather, the scanner uses heuristic rules to search for probable malware instances. One class of such scanners looks for fragments of code that are often associated with malware.


scanners that are memory-resident programs that identify malware by its actions rather than its structure in an infected system. It is not necessary to develop signatures and heuristics for a range of malware. Only need to identify the small set of action


scanners that are packages consisting of a variety of anti-virus techniques used in encryption. These include scanning and activity trap components. In addition, it includes access control capability, which limits ability of malware to penetrate a system