Glossary - Malwarebytes

A
Abandonware
Abandonware is software that is shelved by its developer. As such, it is no longer

updated nor supported so it may be rife with vulnerabilities.
Account harvesting
Account harvesting is the process of gathering user accounts from a system, service, or
database using a variety of methods, such as malware or phishing.
Account hijacking
Account hijacking is the process of taking over user online accounts, such as email and
social media accounts.
Ad blocker
An ad blocker is software that blocks advertisements, including pop-ups, when a user

visits websites.
Ad fraud
Ad fraud happens when advertisers pay for ads with false impressions. For more
information, see this blog post on the difference between adware and ad fraud.
Synonym: invalid traffic
Ad rotator
An ad rotator allows two or more ads to alternately show in the same place on a
website. The rotator triggers whenever a user refreshes or revisits a site.
Add-in
An add-in is software that gives additional functionality to a device or another software.
Address bar
An address bar is the text box in your web browser that displays the web page URL or
IP address. At times, it functions as a search bar if the user entered text that is an
invalid URL.
Address bar spoofing
Address bar spoofing is a technique where the legitimate URL on a browser address
bar is replaced with a rogue one. This then leads to potential data or financial theft.
Adware
Adware is a form of malicious software which displays unwanted advertising on your

computer. For more information, see this blog post on adware delivery methods.
Air gap
Air gap refers to computers that are incapable of physically connecting to a network or
another computer that is connected to the internet. Air-gapped systems were believed
to be more secure until Stuxnet disproved this.
Other forms: Air gapping
Always-On
An always-on device, software, or network denotes that it is constantly accessible.

Analog
In computing, analog is usually used as the opposite of digital. Analog signals are
continuous and can reach any value between two given extremes. Consider this
analogy: If digital can be black or white, then analog can also be any of the gray shades
in between.
Android
Android is Google’s flagship operating system for smartphones and tablets.

Manufacturers have adapted Android in televisions, smart-watches, cars, and many
other electronic devices.
Android app
An Android app is a program designed for the Android OS.
Annoybot
Annoybot is software that repeats an annoying task. IRC bots, for example, are
annoybots that send out unsolicited messages to participants in a channel.
Annoyware
Annoyware is software that continuously shows reminders or pop-up windows to remind

users to perform a particular action, such as registering or buying software.
Synonyms: Nagware, Begware
Anomaly detection solution
An anomaly detection solution is any next-generation firewall or IDS/IPS in an

enterprise network. It is used to monitor, alert, and block potentially malicious or
suspicious network traffic.
Anonymization
Anonymization is the action or an attempt to disable the ability to track back information
or actions to a specific user.
Other forms: Anonymize
Anonymizer
An anonymizer is a tool that minimizes the amount of tracking done during surfing in an
attempt to hide the true identity of the user.
Synonyms: Anonymous proxy
Anonymous
Anonymous, in computing, is to keep one’s true name and identity concealed online
with the use of various applications.
Other forms: Anonymity
Anti-ransomware
Anti-ransomware is software specifically designed to combat ransomware. Such

software could make use of specific techniques that general security tools don’t deploy.
Applet
An applet is a piece of software that usually performs one specific task. Applets are
often part of a more complex program.
Application security
Are the countermeasures taken to secure an application. This starts during the design
and development of the application but broadens to the host and network the
application is deployed on. This has to be done to defend against threats and attacks
from the outside that will attempt to exploit the application.
APT
Stands for Advanced Persistent Threat, which is a prolonged, aimed attack on a specific
target with the intention of compromising their system and gaining information from or
about the target. For more information, see this blog post.
ARP
Stands for Address Resolution Protocol, which is used to find a physical address that
belongs to an IP address.
The normal procedure is to send an ARP request over the network and the machine
that has the requested IP will answer with an ARP reply. This procedure then
associates a physical machine with an IP address. Attackers can abuse this protocol by
ARP spoofing, broadcasting an IP address so that the traffic meant for that IP address
can be intercepted by the attacker.
ARPANET
ARPANET stands for Advanced Research Projects Agency Network. ARPANET is the
basis for the internet.
Artificial Intelligence
Is sometimes shortened to AI. It describes the science that works on intelligence in

machinery (computers/robots). The first discussion being what we define as intelligence
and whether we can describe human intelligence close enough to reproduce and
recognize it in machines. The main pillars are defined as the abilities to learn, reason,
and self-correct. There are several disputed tests that are used to determine intelligence
in machines, important ones are those by Turing and Hintze.
ASCII
Is short for American Standard Code for Information Interchange. ASCII tables
represent a seven-bit encoding standard for text files. Later, a 8-bit encoding was
introduced called the extended ASCII (EASCII), which included the original 128
characters plus additional characters.
Astroturfing
Is the masking of initiatives by corporations, governments, or political parties to make

the campaign appear to be spontaneous or initiated by civilian groups. Sometimes
masking the origin makes the campaign more effective or less controversial.
Attack vector
Is the technique used to obtain unauthorized access to a system or network. It is an

important part of vulnerability research to know which attack vector is or might be used.
Examples of attack vectors are:
 phishing
 watering holes
 malicious email attachments
 exploit kits
Attribution
Attribution is the practice of taking forensic artifacts of a cyberattack and matching them
to known threats against targets with a profile matching a particular organization. Or in
other words, trying to figure out the threat actor based on the methods used and who
the target was (or might have been). More in-depth information can be found in these
blog posts: Attribution, and when you should care: Part 1 and Attribution Part II: Don’t
overthink it.
Augmented Reality
Is sometimes shortened as AR. Augmented reality is a cross between the physical

world and virtual reality. It adds images, sounds, motion sense, and even smell to the
physical reality.
Authentication
In computing, it is the process of verifying the identity of a user or process. Usually this
is done to check whether the user or process has sufficient rights for access or to make
modifications. You can find more information in these blog posts:
 Understanding the basics of two-factor authentication

 The Password and You
Autonomous system
An autonomous system is a group of networks managed by one large entity to ensure

there’s a reliable routing policy to the internet.
AV killer
Is malicious code that disables the users antivirus software to avoid detection. The term
AV killer is also used sometimes for malware that disables firewalls. Also
see retroviruses.
Backdoor
Typically a type of Trojan malware that allows its creator or proponent to gain access to
a system by bypassing its security. The term “backdoor” can also refer to the method of
gaining access to user systems undetected; should not be mistaken for exploits.
Other form/s: backdooring
Bad sector
A sector on a computer’s disk or flash drive that is already unusable. This is usually
caused by physical damage.
Banking Trojan
A Banking Trojan is a type of Trojan specifically created to harvest credentials and other
sensitive financial and personal information stored and processed through online
banking systems.
Behavior
In the context of computer malware, behavior refers to the actions malware performs on
an affected system once executed.
Binary
Is a numerical system with only two different values: 0 and 1, or True and False.
Compare the decimal system which uses 10 different values (or numerals): o to 9.
Binary is popular in electronics and therefore in computing because 0 can be regarded
as OFF and 1 as ON.
Biohacking
In computing, it is a form of hacking that refers to the application of IT concepts to

biological systems, usually the human body. These are usually done as DIY IT projects.
Biohacking can include the modification of the human body, such as introducing
implants and other wearable computing tech.
Biometrics
Is the measurement and statistical analysis of people’s physical and behavioral

characteristics. In biometrics authentication, this means personally identifiable and
unique features are stored in order to give the holder access to certain resources.
Consider for example a fingerprint reader to log on to a computer.
Bitcoin
Is a cryptocurrency, a payment medium that relies on cryptography rather than on
banks or governments. It is very popular among internet criminals as it’s readily
exchangeable for other physical currencies and is practically untraceable.
Black Friday
The Friday after U.S. Thanksgiving when retailers make numerous special offers.
Because of this, consumers go online or in-store to shop.
Black Friday is regarded as the unofficial start of the Christmas shopping season.
Blacklist
In computing, it usually refers to a list of domains and/or IP adresses. Blacklists are long
lists of known or suspected malicious servers and/or domains. These lists are used to
protect users from receiving mail from these servers or from browsing to sites that are
on these domains/IP addresses.
Blended threat
A blended threat is an attack that makes use of multiple vectors to gain leverage on a
target. This could include malware, phishing, social engineering and more.
Blue Screen of Death
Abbreviated as BSOD. This occurs on Windows systems where a blue screen is

splashed to the user after encountering a fatal error.
Bluejacking
Is the act of sending messages between mobile devices via Bluetooth wireless
connection.
Bluesnarfing
Refers to the unauthorized access and theft of information through
a Bluetooth connection. Mobile devices, such as smartphones, laptops, and tablets, that
are Bluetooth-enabled can easily be affected by this.
Bluetooth
Is a wireless technology mainly used for short distance connections between devices.
Communication is done at a band around 2.45 GHz. To avoid interference between
devices, they use a low power signal, which is what makes it a short range connection,
but it does not need a line of sight to establish a connection.
Boot
In computing, to boot a system is to turn the device or machine on and load

the operating system into random access memory. The boot-up process is made up out
of different stages, depending on the setup of the system and the operating system that
has to be loaded. For most cases, these stages are important parts of them:
 The BIOS or UEFI are powered up and do the Power-On Self Test (POST)
 The bootloader loads the operating system
 Once all the operating systems files have been loaded, control is given to the
OS.
Boot sector
Is a part of a physical information carrier (usually a hard drive) that contains the code
that has to be loaded in a systems RAM memory first, to start the actual boot process
and load the operating system. The boot sector is created when a volume is formatted.
Boot sector virus
Is malware that infects the boot sector of a drive or other storage device. During
a boot, this sector is automatically located and loaded into memory. This makes boot
sector viruses harder to remove as they will load before normal removal software.
Bootkit
Is a type of rootkit that alters or replaces the bootloader of the affected system in order
to take over control. To remove a bootkit, one will need a bootable medium, which has
the necessary tools to undo the changes made by the bootkit.
Bot
A derivative of the word “robot.” It usually pertains to (1) one or more compromised
machines controlled by a bot master or herder for the purpose of spamming or
launching DDoS attacks, and (2) an automated program coded with certain instructions
to follow, which includes interacting with websites and humans via the use of Web
interfaces (e.g. IMs). A collective of bots is called a botnet.
Synonym: zombie machine
Bot herder
Also known as botnet herder, this are threat actor who controls and maintains a botnet.
Botnet
A collection of bots. The term also refers to the malware run on a connected device to
turn it into a bot.
Also known as zombie network.
Breadcrumbs
In computing, breadcrumbs are navigation aids that tell users where exactly they are
while surfing on a site or in a set of folders. It shows the hierarchy of links on a site or
the steps in the folder structure. Consider, for example, the address bar in a Windows
explorer window.
Bricking
Refers to the practice or act of rendering an electronic computing device—often a

smartphone—useless or inoperable. Bricking usually happens by accident, such as
when a firmware update gets interrupted.
Bring your own device
Abbreviated as BYOD. Sometimes called “bring your own technology” (BYOT), this is a
trend wherein employees bring their personal computing devices, usually a smartphone,
to be used in the workplace. These devices are connected to the company’s network.
Browlock
Is a contraction of browser and lock. The term is used to describe the state of the
internet browser in response to certain sites where the user is unable to perform any of
the actions below:
 close the open tab or window

 blocks access to the desktop of the system
 stops you from navigating to another site
The term is also used in cases where malware opens a browser window for the above
purposes without the user actively using the browser. The browser controls can be
hidden so the user would not recognize it as such.
The objectives for this behavior can be numerous, but it in essence the threat
actor wants the user to do something he normally wouldn’t have done, i.e. call a tech
support scam number, pay a ransom, or install an extension. You can find more
information about browser lockers in our blog post, Regaining Control Over Edge.
Browser helper object
Abbreviated as BHO. This is a DLL component of Internet Explorer that provides added
functionality to the said browser.
Buffer
In computing, a buffer refers to the amount of data stored and shared between
applications to compensate for the difference in speed with which these can handle the
data. Consider, for example, your browser buffering (part of) a movie while downloading
it and, at the same time, while your movie player plays it.
Buffer overflow
Also known as buffer overrun. It’s a computer anomaly wherein a program writes to a
block of memory (or buffer) more than what it is allocated to hold.
Bug bounty
A rewards program through which individuals can receive monetary compensation

and/or recognition for finding flaws or vulnerabilities on a company’s software or system.
Bundler
Usually refers to a single installation file containing two or more programs. Many of
them are found in freeware download sites. Although in some cases, these “free”
software are actually trial versions of applications one commonly pays for.
Bundlers bank on the names of popular programs users generally want to install onto
their systems, and those who aren’t familiar with bundlers may welcome the additional
free programs. Unfortunately, a majority of these are categorized as unwanted software,
such as adware and browser toolbars.
A bundler also refers to software that is pre-installed in newly purchased hardware (e.g.
PC, laptop, smartphone).
Synonyms: bundleware, bloatware, bundled software, crapware, pre-installed software
Burn
In computing, this refers to the act of writing data to a drive with a recordable disc (CD,
DVD). The data is written onto the disc using a laser and, until the invention of
rewritable discs (RW), this was considered a one-time only process.
C&C
Stands for command and control, which may pertain to a a centralized server or
computer that online criminals use to issue commands to control malware and bots and
to receive reports from them.
Other forms: command & control, C2
Cache
In computing, a cache is a temporary storage that is used to speed up future requests.

For example, a browser cache stores contents of websites, so they can be displayed
faster the next time the user visits them. For information about DNS cache poisoning,
have a look at the blog post, DNS Hijacks: What to Look For.
CAD
Stands for Computer-Aided Design. This is the use of computer technology to help with
the design of two- or three-dimensional objects. This specialized type of software helps
to design, modify, analyze, optimize, and even create objects in many fields, including
architecture, mechanics, engineering, and art.
Click fraud
Also known as pay-per-click fraud. It is the practice of artificially inflating statistics of

online advertisements by using automated clicking programs or hitbots.
Also see: Adfraud
Clickbait
Clickbait is content (especially a headline) that uses exaggeration and sensationalism to

entice you into clicking on a link to a particular web page. Clickbait often leads to
content of questionable value.
Cloud computing
Refers to the delivery of services that are hosted over the internet to computers and
other computing devices.
Also see Anything-as-a-Service (XaaS)

Cloud phishing
Refers to a phishing trend that uses the guise of cloud computing services to get users
to click on malicious links. Campaigns of this kind usually start off in emails and social
media posts. Some examples of cloud computing services that phishers have used in
the past are Dropbox and Google Drive.
Cold boot
In computing, cold boot happens when the system gets booted from a shut down or
powerless state. Sometimes used in cases to specify that the power to the system was
unplugged and then plugged in again to remedy a certain problem. A reboot executed
from the OS is called a warm boot.
Companion virus
Is a type of virus that uses two typical Windows properties:
 Windows does not require file extensions to run a requested file.

 When more than one file qualify for a command, Windows chooses the one that
comes first alphabetically.
To illustrate, let’s say you want to run ipconfig from the command prompt. If you do not
specify the extension, this normally runs the file ipconfig.exe. However, if there is a file
(companion virus) in the same path that is called ipconfig.com, this is executed as,
alphabetically, it comes first before ipconfig.exe.
Compromised
Compromised sites (or servers) are otherwise legitimate sites that are being used by
hackers without the owner’s knowledge. Compromised sites are often used to house
and spread malware.
Computer ethics
Is a set of moral principles that describe how decisions in the field of computing should
be made. Examples would be rules for disclosing of compromised information and
vulnerabilities, copying of electronic content, and the impact of computers (artificial
intelligence) on human lives.
Computer science
Is a multi-disciplinary collection of studies in the fields that are related to digital

information. Computer systems, the internet, programming, data storage, and artificial
intelligence are some of the best known fields.
Consumer fraud protection
A law designed to shield consumers against goods and services that didn’t perform as
advertised. Consumers are also protected against unfair trade (overcharging) and
fraudulent credit practices.
Crack
This could either mean:
1. a piece of software used to figure out passwords using a dictionary attack. It can
also be a piece of software or tool used to illegally bypass certain software
security features, such as copy protection. This is usually done by individuals
who pirate software.
2. the act of breaking into a secured computer system. The person doing the crack
is called a cracker. Some argue that there are distinctions between a cracker and
a hacker.
Crypter
In malware research, this refers to a program that makes malware hard to read by
researchers. The crudest technique for crypters is usually called obfuscation. A more
elaborate blog post on that is Obfuscation: Malware’s best friend.
Obfuscation is also used often in scripts, like JavaScript and VBScript. But most of the
time, these are not difficult to bypass or de-obfuscate. More complex methods use
actual encryption. More information about this and related subjects can be found in our
blog post, Explained: Packer, Crypter, and Protector
Cryptocurrency
Cryptocurrency is a decentralized digital currency. It is the preferred payment method of

ransomware authors, and it can be generated by mining scripts embedded on websites.
Cryptography
Is the knowledge of sending and storing data encrypted. This is done so the data can
only be read by the person encrypting the data and the person(s) for whom the
information is intended. But encryption techniques are also used
by malware called ransomware. Ransomware encrypts a users’ data without his
consent and offers to provide him with the key for a certain compensation. More
information can be found in our blog post, How to encrypt files and folders.
Cryptomining
Also called cryptocurrency mining.
This is the process of adding new transactions to a public ledger of previous

transactions (called the blockchain) and introducing new cryptocurrencies into the
system. Mining is, by default, resource-intensive.
Related blog post(s):
 Ransomware puts your system to work mining Bitcoins

 Fake Flash Player wants to go mining
 Drive-by mining and ads: The Wild Wild West
Cybercrime
Is the term for crimes that are related to computers and networks, including traditional
crimes like fraud, blackmail, identity theft (to name a few) that are being done over the
Internet or by using computing devices. Cybercrime has rapidly become a serious
problem because of the growth of computer users and the fact that it knows no borders,
which makes finding and punishing cyber criminals difficult.
D
Data exfiltration
An act of retrieving, copying, and transferring data, such as user credentials, about
individuals and/or organizations without authorization.
Synonym: siphoning
Data mining
Is the process of sifting through large data sets in order to identify patterns and/or
generate new information.
DDoS
DDoS stands for Distributed Denial of Service. It is a network attack that involves
attackers forcing numerous systems (usually infected with malware) to send network
communication requests to one specific web server. The result is the receiving server
being overloaded by nonsense requests and either crashing the server and/or
distracting the server enough that normal users are unable to create a connection
between their system and the server. This attack has been popularized in many
“Hacktivism” attacks by numerous hacker groups as well as state-sponsored attacks
conducted by governments against each other.
Decryptor
A tool used to transform unreadable data back to its original, unencrypted form. This is
normally used by those affected by ransomware to restore their files.
Defragment
Is the short term for defragmentation. It is the process of reorganizing a file system so
that those that were split up when saved and changed are put back together again. This
removes pointers to and from the fragments and optimizes the speed with which these
files can be used. It also frees up space on the drive.
Dialer
Also spelled dialler can have several definitions when it comes to computing. All of them
involve connections to a telephone or ISDN (Integrated Services Digital Network) line.
 A program or app that initiates the best connection for the number chosen by the
user
 A program that connects a system to the internet over a telephone or ISDN line
 Malware that connects a system to a network or number with fraudulent intent
Dictionary attack
The act of penetrating password-protected computer systems or servers using large

sets of words in a dictionary as password. This attack usually works as many users still
use normal words for their passwords.
DNS
DNS stands for Domain Name Service. It is an internet protocol that allows user
systems to use domain names/URLs to identify a web server rather than inputting the
actual IP address of the server. For example, the IP address for Malwarebytes.com is
104.72.35.176, but rather than typing that into your browser, you just type
‘malwarebytes.com’ and your system reaches out to a ‘DNS Server’ which has a list of
all domain names and their corresponding IP address, delivering that upon request to
the user system. Unfortunately, if a popular DNS server is taken down or in some way
disrupted, many users are unable to reach their favorite websites because without the
IP address of the web server, your system cannot find the site.
DNSSEC
Is short for Domain Name System Security Extensions. It is a set of extensions that add
extra security to the DNS protocol. This is done by enabling the validation of DNS
requests, which is specifically effective against DNS spoofing attacks. DNSSEC
provides the DNS records with a digital signature, so the resolver can check if the
content is authentic. More information can be found in the blog post, DNSSEC: why do
we need it?
Domain
In computer security related terminology domain refers to either:
1. A group of computers that are under the control of a common operator and
administered as one unit, or
2. The name of a Web resource following the rules of the Domain Name System
(DNS), which translates the Domain Name into an IP address
Domain administrator privileges
Refers to administrator access to all machines within a network.
Downloader
A downloader, or Trojan-downloader, is malware with the sole intention to download

other programs—usually more malware—to the affected system as soon as an Internet
connection is available.
Drive-by download
Pertains to (1) the unintended download of one or more files, malicious or not, onto the
user’s system without their consent or knowledge. This usually happens when a user
visits a website or views an email on HTML format. It may also describe the download
and installation of files bundled with a program that users didn’t sign up for. These files
can be adware, spyware, or PUPs; (2) the general term used for files that were
downloaded unintentionally; i.e. “drive-by downloads.”
Drive-by mining
A term coined to describe a method in which a piece of JavaScript code is embedded

into a Web page to perform cryptocurrency mining on user machines that visit this page.
This happens in the background and without user consent.
 Drive-by mining and ads: The Wild Wild West

Dropper
Also called Trojan dropper is a type of malware that installs other malware on the
affected system. The other malware is part of the same executable, which is usually in
compressed form.
Dwell time
Refers to the amount of time passed from when malware has initially infiltrated a system
to when it has been detected and removed.
Encryption
Is the process of changing data in a way that can not (easily) be undone (decrypted) by
parties that don’t have the decryption key. Users encrypt information or messages so
they can’t be read by anyone. Ransomware encrypts files so the victim can no longer
use them, unless he pays the ransom. More information about encryption can be found
in the blog post, Encryption: types of secure communication and storage.
End user
Is the person that a certain product is designed, developed, and created for. For this
intended user, the product should be suitable (ease of use), and it should be a finished
product. Even if a product can be developed further, this should not hinder the end user
from using it.
eSports
Also known as electronic sports are basically video games competitions. Any computer-
or console-game that has a multi-player competition qualifies as an eSport. Most of
them fall in the genre of fighting, be it shooters, strategy or battle arena, but other types
of games can fall into this category. Professional players participate in many of them.
Exploit
Exploits are a type of malware that takes advantage of bugs and vulnerabilities in a
system in order to allow the exploit’s creator to take control.
Exploit Kit
A collection of exploits which are packaged up for use by criminal gangs in spreading
malware.
Family
In computer security, a family refers to a group of malware variants that all exhibit base
characteristics associated only with them.
FAQ
Stands for Frequently Asked Questions. These are lists drawn up around a certain
subject of commonly asked questions and the answers to those questions. These lists
are often a first line of support for may products and answer many of the questions that
users may have.
File type
This is a name given to a specific kind of file. For example, a Microsoft Excel document
and a Python script file. These files are associated with certain applications. Standard
file types, such as rich text format (RTF) files and MP3 audio files, can be opened using
multiple programs that support it.
File-based attack
Refers to an attack where threat actors use certain file types, usually those bearing
document file extensions like .DOCX and .PDF, to entice users to open them. The file in
question has been embedded with a malicious code (malcode); thus, once opened, this
code is also executed. Usually, the malcode delivers an equally malicious payload.
Below are other file types used in malicious attacks:
 Binary executables: EXE, DLL, MSI

 Scripts: JS, VBS, PowerShell
Fingerprinting
Refers to the process of gathering information about a system at first contact. The
information often concerns location, installed operating system, and installed software.
Fingerprinting is often used by malware to determine whether the system is vulnerable
to certain attacks and to assess whether it is a desirable victim.
Foothold expansion
An act of a threat actor creating backdoors that are used to re-enter a network after
initially infiltrating it.
Fraud
Fraudulent websites appear to be one thing, like a tech support site, a dating site, or a
shopping site with illegal products or great deals, but they’re really scams to try to steal
your information or credit card details.
Freeware
Freeware is software that comes without a cost. Some freeware may give the option of
voluntary payments to the developer, which is typically be called donationware.
FUD
Stands for fear, uncertainty, and doubt.
FUD is a disinformation strategy that is used as a weapon against competitors. This

could also mean the spreading of false or harmful information to influence perception
and appeal to their fear.
In hacking, FUD could also mean fully undetected. This either means (1) data that has
been made to appear like random noise due to encryption, or (2) a piece of software
that cannot be detected by AV tools and scanners.
GUI
Stands for Graphical User Interface. This is a type of interaction that helps a system
user to control and manipulate software. The alternative are command line programs
that are usually perceived as hard to understand and hard to learn, where a well-
designed GUI can make or break the success of programs.
H
Hacker
Is a person that has a profound understanding of particular systems or processes. His

knowledge enables him to use those subjects for other goals than they were designed
for. This is done by finding flaws or loopholes in them. There is a distinction
between white hat hackers that report the flaws they find without abusing them and
gray or black hat hackers that use the flaws they find, for personal gain at the expense
of others.
Hacktivism
Hacktivism is a portmanteau of “hacking” and “activism”. Hacktivism is the defacement

of a website where the compromise isn’t as significant as the statement the hackers
make through it.
Hibernation
Is a state of inactivity to save energy. In computing this expression is used for powering
down a computer while preserving the state it is in. The content of the RAM (Random
Access Memory) is saved to a drive (usually the main hard disk of the system) and will
be restored in RAM as soon as the system is brought back out of hibernation. Not to be
confused with sleep mode, which is another energy saving method that uses a little
energy to keep the data in RAM. The advantage of sleep mode is that the system is
ready for use almost instantaneously where waking from hibernation takes some time.
Hijacker
A hijacker is a type of that malware that modifies a web browser’s settings without
users’ permission, usually to inject unwanted ads into the browser or redirect to scam
sites.
HIPS
Stands for Host Intrusion Prevention System, which describes a software package that
monitors for suspicious activities occurring within a host machine. This helps keeps a
system secure, without depending on a specific threat to be added to a detection
update. For more information, see the article HIPS.
Hoax
A hoax is the term we use to generally describe a fake or false warning. Hoaxes
did start out as emails, but nowadays they are most active on social media, especially
on Facebook. This has considerably increased the speed with which they spread. For
more information, see the article hoax.
Homograph
Is by definition a word of the same written form as another but of different meaning and
usually origin, whether pronounced the same way or not. But in cyber-security this is
expanded to include words that look the same. This can be achieved by using numbers
that looks the same as a letter or characters from another characterset that look the
same to humans, but computers see the difference. For example the letter Omicron
from the Greek alphabet looks exactly the same as the “Latin” O, but they have a
different code in the Unicode table.
Homograph attacks
Also known as homoglypth attacks, script spoofing, and homograph domain name
spoofing.
A homograph attack is a method of deception wherein a threat actor leverages on the

similarities of character scripts to create and register phony domains of existing ones to
fool users and lure them into visiting.
 Out of character: Homograph attacks explained
Host-based solution
Refers to software that is installed in end-point systems as opposed to a centralized

solution.
I
I/O
Is short for Input/Output, the expression is used to describe any information exchange
between a computer system and the outside, in both directions. Usually this expression
is used, but not limited to for the traffic between the system and peripheral devices.
IDN
Short for internationalized domain name. It is a domain name containing at least one
non-ASCII character.
IDNs enable Internet users from all over the world can create and register domain
names using their own native language. IDNs can only be used by applications that
were designed for them. Fortunately, all modern browsers and email programs support
them.
Incident scope
In a malware attack against enterprises, an incident scope generally refers to the extent
of damage against the organization, how much data has been stolen, what the attack
surface is, and how much it’d cost them to resolve the attack and prevent it from
happening again in the future.
Intellectual property
Refers to creations of the mind, whether they are inventions, art, designs, names, or
commercial images. Laws on intellectual property differ from one country to the other,
but they usually protect the rights of the person or company that first successfully claims
coming up with the creation.
Intranet
Is a (large) network with restricted access. Usually set up by or for a company or other
organization and with access limited to the staff or members of the organization.
IOC
In computing IOC stands for indicator of compromise. These indicators can be found
after a system intrusion and tell the investigators something about the sort of attack or
security breach. These indicators can be IP addresses, domains, hashes of malware
files, virus signatures, and similar artifacts. They can lead the investigators to the
vulnerabilities that may have been used, possible prevention methods, and
sometimes even help in attribution.
IoT
Stands for Internet of Things. It represents a host of internet connected devices that do
not require direct human input. You can think of refrigerators, cars, security camera’s,
but also pacemakers and other biochip transponders. The device has to have a unique
identifier and the ability to connect to a network to qualify as a part of the IoT. Many
concerns have surfaced about some of these devices due to the weak or complete lack
of implemented security in these connected devices.
IP address
An IP address is a number assigned to each system that is participating in a network

using the Internet Protocol, such as the World Wide Web.
There are two standards in use: IPv4 and IPv6, but every computer that has an IP
address has at least an IPv4 address. An IPv4 address consist of 4 elements each
ranging from 0 to 255. A well-known example is the IP-address 127.0.0.1, which points
back at the computer that sends the query.
IPS
Is short for Intrusion Prevention System. These systems monitor network traffic to
determine whether a security breach or malware infection has taken place. When
applicable they can intervene in such cases as pre-determined by the network
administrator to avoid further damage. In general, a complete Intrusion Prevention
System can include components like firewalls and anti-virus software.
IT
Is short for Information Technology. Describes the study or the use of systems
(especially computers and telecommunications) for storing, retrieving, and sending
information. Often used to describe the department that focuses on the success of
computer operations and other information technologies needs, within an organization.
Keygen
Is short for key generator. This is a piece of software that generates random keys,
usually software product keys, for the purpose of letting the user activate and operate a
program without them actually purchasing it.
Keylogger
In the context of malware, a keylogger is a type of Trojan spyware that is capable of

stealing or recording user keystrokes.
Other forms: key logger, keylogging

Synonyms: keystroke logger, system monitor
Keystroke
Is one stroke of any key on a machine operated by a keyboard, as a typewriter,

computer terminal, and so on. Sometimes keystrokes per hour (KSPH) or keystrokes
per minute (KSPM) are used as a standard of typing speed. And the efficiency of
programs is sometimes measured by how little keystrokes it takes to get a job done.
L
LAN
Stands for Local Area Network. It is a network of computers and other devices spread
over a relatively small space, e.g. a building or group of buildings. Usually, these
devices all connect to a server or group of servers by ethernet or Wi-Fi. Sometimes,
they are connected to other LANs and together they form a WAN (Wide Area Network).
Latency
In computing, it generally means a time delay from system input to desired output. This
can be defined differently, depending on context. There are several types:
 Network latency
 Internet latency
 Interrupt latency
 WAN latency
 Operational latency
 Mechanical latency
 Computer and OS latency
Lateral movement
Refers to various techniques and/or tactics that threat actors use that allows them to
move through a network to access or search for key assets and data within a network.
At times, they employ this to control remote systems. Remote administration tools
(RATs) are usually used in performing lateral movement.
Linux
Is a favorite and most used free, open-sourced OS to date. This term also denotes a
family of OS distributions (or distro) built around the Linux kernel.
A distro is an OS made from a collection of software, which is based on the Linux
kernel. An example of a distro is Ubuntu.
Unlike Microsoft Windows and Apple OSX, which are compiled, Linux isn’t. As such,
humans can easily understand its code.
Local administrator privileges
Refers to administrator access to a specific machine within a network, allowing an

owner to make system configurations, install and uninstall software, and use other
privileged OS components. The owner of the machine is usually (and by default) the
administrator.
localhost
On any given system localhost refers to “this computer”, the one . It uses the IP
address 127.0.0.1 to use the loopback function in order to reach the resources
stored on the system itself.
LSP
Stands for Layered Service Provider. A Layered Service Provider is a file (.dll) using the
Winsock API to insert itself into the TCP/IP stack. There it can intercept, filter, and even
modify all the traffic between the internet and a system’s applications. More detailed
information can be found in the blogpost Changes in the LSP stack. An example of an
LSP hijacker can be found in the blogpost Fake Adblocker Bylekh is an LSP Hijacker.
Malicious/Destructive payload
Simply known as payload, this refers to a portion of malware that performs its malicious
activity. A payload can be as benign as changing an affected system’s desktop
screensaver or as destructive as deleting key operating system (OS) files.
MalSpam
Malware which is delivered by email messages. For more information,

see https://blog.malwarebytes.com/threats/malspam/
Malvertising
Malvertising, or “malicious advertising,” is the use of online advertising to distribute

malware with little to no user interaction required. More information can be found in our
blogs: What is malvertising? and Truth in malvertising: How to beat bad ads.
Malware
Malware, or “malicious software,” is an umbrella term that refers to any malicious

program or code that is harmful to systems.
Man-in-the-Middle (MitM)
In cybersecurity, a man-in-the-middle attack happens when a threat actor manages to

intercept and forward the traffic between two entities without either of them noticing. To
pull this off, the attacker should not only be convincing in their impersonation but be
able to follow and influence the conversation between two or more parties. A MitM
attack can be done between browser and internet, for example, or between a Wi-Fi
hotspot and an internet user.
Mass malware/Opportunistic attack
In contrast to a targeted attack, an opportunistic attack involves malware that is being

distributed in large numbers for anyone to download or injected into websites for anyone
to access. Any victim is welcomed. Well-known methods are email and exploit kits.
MBR
Stands for Master Boot Record. Typically, the MBR is the first sector on a startup drive
(or other partitioned media). It contains the boot loader, which basically is a piece of
executable code that starts the loading of the Operating System, or the boot-loader on a
system that has more than one operating system installed. More information can be
found in the blogpost Meet the Master Boot Record.
Memory dump
A memory dump is the content of the systems RAM (Random Access Memory) created
at a specific point in time. Usually this is done at the moment of a program crash or
system failure and used to diagnose the problem. But they can also be made manually,
for the purpose of memory forensics like the investigation of advanced (e.g. fileless)
malware.
Metadata
Are basically data about data. Metadata gives background information about data
that gives the user of the data information about the origin, the relevance and the
creation. Examples are geotags in photographs (where was the photograph taken)
and the file information of documents ( who created it, when was the last change, size,
etc.).
MFA
Stands for Multi-factor authentication. The most well-known version of MFA is 2FA (Two
factor authentication). Both represent the combination of more than one method of
getting access to a resource (logging in). For more information see this blog-
post Understanding the basics of Two-Factor Authentication.
Miner
Also known as cryptocurrency miner. This is a form of malware that uses the resources
of an infected system to mine a cryptocurrency (e.g. Bitcoins) for the threat-actor.
Mitigation
In computing, this is the process or act of containing the impact and/or risk borne from
an attack. Remediation usually follows mitigation.
MMS
Is short for Multimedia Messaging Service. This service is an enhancement of the Short
Message Service (SMS) and allows the user to send longer messages (SMS is limited
to 160 characters), accompanied with pictures, short videos, and audio over a cellular
network.
Multiplatform
Or cross-platform, is an expression to describe software that has been developed to

work on multiple operating systems.
Mumblehard malware
Is a type of malware that specifically targets Linux and BSD servers. It uses spambots
to compromise systems. It has derived its name from spam being “mumbled” out of
affected systems and servers.
Network
In computing the definition of a network is a group of two or more computers systems

linked together. Consider for example your home network or a LAN (Local Area
Network). A prime property of networks is their topology. The main topologies are:
 mesh
 star
 bus
 ring
 tree
Network perimeter
Refers to the boundary between a private network and a public network, such as the
World Wide Web.
NewTab
NewTab is software that changes the default page of a new tab on the browser.
This can result in similar negative effects and behavior like browser toolbars or browser
hijackers. NewTab can manipulate browser(s) to change their home page or search
provider in order to hijack internet traffic and inject advertisements.
OS
In computing this stands for Operating System. The most well-known operating systems
are Microsoft Windows, Linux, Apple’s MacOS, Android, and Google’s Chrome OS.
Most of these can be divided in more specific operating systems (e.g. Windows 8.1) or
grouped into more general clusters of operating systems (e.g. Chrome OS is based on
the Linux kernel)
OSI
Is short for Open Systems Interconnection. This is a model that defines a networking
framework to implement protocols in seven layers:
1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application
This model was designed by ISO (International Organization for Standardization) as a

design template for building network systems. The lower layers deal with electrical
signals, chunks of binary data, and routing of these data across networks. Higher levels
cover network requests and responses, representation of data, and network protocols
as seen from a user’s point of view.
Packer
Is usually short for runtime packers. It is also known as self-extracting archives, which
is software that unpacks itself in memory when the “packed file” is
executed. Sometimes, this technique is also called executable compression.
This type of compression is invented to make files smaller, so users wouldn’t have to
unpack them manually before they could be executed. However, given the current size
of portable media and internet speeds, the need for smaller files is not that urgent
anymore. So when you see some packers being used nowadays, it is almost always for
malicious purposes. In essence, to make reverse engineering more difficult, with the
added benefit of a smaller footprint on the infected machine. For more information about
this subject, have a look at the blog post, Explained: Packer, Crypter, and Protector
Passcode
Is essentially a short and simple password. Consider for example the 4 digit numerical
code to unlock a smartphone.
Passphrase
Is essentially a complex password made up of a sequence of words. The differences
with a regular password are the presence of spaces and the length that makes a
passphrase more complex.
Password
Is a method of authentication that has become popular due to its ease of use. The
growing need for complex and longer passwords has diminished that ease of use a bit.
More information can be found in our blogpost The Password and You.
Payload
In computing and telecommunications, a payload is part of transmitted data that is the

actual intended message. In malware research, a payload is the malware that the threat
actor wants to deliver to the victim. For example, if the threat actor sent out a document
with a malicious Macro as an email attachment and the victim gets infected with
ransomware, then the ransomware is the payload. The threat actor did use the email,
document, or the packer, crypter or protector to avoid detection.
Peer-to-peer
Is abbreviated as P2P. In computing, this involves the sharing of files and/or resources
between two computers connected to each other through a network. Each of these
computers become a file server to the other.
Penetration Testing
Penetration Testing (or “pen testing”) is the practice of running controlled attacks on a
computer system (network, application, Web app, etc.) in an attempt to find unpatched
vulnerabilities or flaws. By performing pen tests, an organization can find ways to
harden their systems against possible future real attacks, and thus to make them less
exploitable.
Peopleware
Is the term used to refer to the role of humans/people in information technology, such as
the creation of hardware and software.
Pharma
Pharma is short for “pharmacy.” In cybersecurity, the expression refers to spam or

websites that traffic in fake or illegal medication. These sites may also sell legal
medication, but in violation of local laws.
Phishing
Phishing scams attempt to obtain your information by presenting themselves as

legitimate websites, then asking for your password, credit card details, or other sensitive
information.
Phreaking
Is a term to describe hacking anything to do with telephone systems. The term is a

contraction of the words phone and freaks and goes back to the time when the
telephone structure was still gaining popularity and was by far not as secure as it is
now. At the time phreaking was more driven by curiosity than pursuing illegal activity.
PII
Is short for Personally Identifiable Information. This phrase is used for data that could be
tracked back to one specific user. You will see it used in Privacy Policies and other
privacy statements. Examples of PII are names, social security numbers, biometrics,
and other data that, in combination with other data, could be enough to identify a user.
Platform
See OS.
Polymorphism
In computer science this describes the ability to use a variable or function in more than
one way. The applied use depends on the context in the program. The easiest example
is the use of “+” (which is in fact a very basic function). In most programming
languages, when used with numbers it will calculate the sum, but when a string variable
is involved, it will join the strings together.
Power User
In computer science is a user that uses a system or software with more than average
skills, knowledge, and demands. Often they will use a system that is equipped for
special tasks the Power User often needs it to perform. People can easily be Power
Users in one field and be regular users in others.
Privilege escalation
An act or event that occurs when a threat actor or unauthorized user achieves full
access to normally restricted resources on a computing device’s operating system
(OS) it has gained access to. Currently, there are two kinds: horizontal escalation, in
which the actor assumes the identity of another user to gain his/her level of
privilege; vertical escalation, in which the actor grants himself a higher access privilege
by manipulating the system or taking advantage of its flaws.
Proof of concept
A proof of concept (PoC) is a demonstration that a certain idea or method works. In

computer security this often means that hackers show that they have been able to make
use of a security flaw in software or hardware. For example, in 2015, a team of software
developers have proven that malware can indeed hide on graphic card chips.
Protector
In malware research, a protector is software intended to prevent tampering and reverse

engineering of programs. The methods used can—and usually will—include both
packing and encrypting. This combination, plus added features, makes what is usually
referred to as a protector. Researchers are then faced with protective layers around the
payload, making reverse engineering difficult.
A completely different approach, which also falls under the umbrella of protectors, is
code virtualization, which uses a customized and different virtual instruction set every
time you use it to protect your application. Of these protectors, there are professional
versions that are used in the gaming industry against piracy. More information about
this and related subjects can be found in our blog post, Explained: Packer, Crypter, and
Protector
Proxy
In general, it is the act of performing an action for someone else. In computing, this
translates as approaching a resource (like the internet) through a different (proxy)
server. This server can act as a simple gateway, but it can also add functionality to the
requests it receives and sends. The most well-known proxies are the ones that allow
access to resources that are restricted. For example, sites that are only open to visitors
from a certain country, or the opposite, sites that are not a allowed at a certain location
(work, school).
Pseudocode
Pronounced as soo-doh-kohd. It is a detailed human-readable yet detailed description

of what a computer program or algorithm is supposed to do. Pseudocode is often used
in developing a program. It also provides programmers a template to follow in writing
their code.
 Using ILSpy to analyze a small adware file
PUM
Stands for potentially unwanted modification. This is an alteration made to a computer’s

registry (or other settings), which either damages the computer or changes its
behaviour, without knowledge of the user. Such unwanted alterations can be done by
legitimate software, malware, grayware, or PUP.
Punycode
Is a method of encoding that converts Unicode to ASCII. This is especially helpful when
representing non-Latin or foreign characters that are used in Internet host names.
Internationalized domain names (IDNs) are usually converted to Punycode. For
example, the pretend site, bücher.co.uk, is transcoded in Punycode to xn--bcher-
kva.co.uk. Here’s a breakdown of that output so we can explain each part:
 bcher-kva
o This label is the transcoded form of bücher. It’s called a Letter-Digit-
Hyphen (LDH) as such forms follow this syntax.
 xn--
o This is called an ASCII Compatible Encoding (ACE) prefix, which is placed
before the LDH. This is prepended by default to prevent confusing IDNs
with hyphens from those that were converted to Punycode.
 .co.uk
o This is the TLD of a domain name.
PUP
PUPs, or Potentially Unwanted Programs, are programs that may include advertising,
toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs often
come bundled with other software that you installed.
QR Code
Is a 2-dimensional barcode. They are squares filled with black and white blocks
invented to keep track of cars during manufacturing. Because of the speed with which
they can be read and the amount of data they can store, they are rapidly becoming
popular in a growing range of fields.
Quarantine
Is by origin a medical term which means keeping infected persons or animals away from
healthy ones, to minimize the chances of spreading a contagious disease. This term
was picked up by the AV-industry, that uses the term for files they have moved to a safe
location on a system, because they were identified as malware. In quarantine the files
can no longer be executed, but the user can restore them if he feels the detection was
false.
Ransomware
Ransomware is a form of malware that locks you out of your device and/or encrypts
your files, then forces you to pay a ransom to get them back.
Ransomware-as-a-service
Is abbreviated as RaaS. This is a form of software-as-a-service (SaaS) catered

by underground vendors to threat actors by providing them a ransomware platform tool.
Because of this, even non-technical internet users can create, distribute, and cash in
from ransomware attacks.
See: Anything-as-a-Service
RAR
RAR files, like other archives, are essentially data containers where one or more files
are stored in compressed form. WinRAR is the software typically used to compress
these files. RAR files use the .rarextension.
Recon
Is short for reconnaissance, which (in the context of information security) describes an
act of a threat actorusing remote access tools (RAT) to gain access to a target system
to assess items of value and map the network landscape.
Remediation
In computing, this is the process or method of correcting system changes, regardless of

severity, on the affected system. Mitigation usually precedes remediation.
Remote access
Is controlling a computer system from another location. There are many programs that
enable this method of working. Very convenient if you want to work on your office
computer from home. Unfortunately, it is also a tool of choice for Tech Support
Scammers.
Remote administration tool (RAT)
A software program that allows users to control another system as if they have physical
access to it.
Remote user
Is someone who operates or accesses a computing device from an off-site location.
Retroviruses
Are also referred to as anti-anti-virus viruses. Which means that it tries to attack and
disable any anti-virus, or other protective software, on the system they are trying to
infect, so it won’t get detected.
Riskware
Riskware, or “risky software,” describes legitimate software programs that contain

loopholes or vulnerabilities that can be exploited by hackers for malicious purposes.
Rootkit
Is software, generally classified as malware, that provides the attacker with
administrator privileges on the infected system and actively hides from the normal
computer user. They also hide from other software on the system, often even from
the operating system.
RunPE Technique
A common technique malware uses: running the original executable, suspending it,
unmapping from the memory, mapping the payload on its place, and running it again.
Safe Mode
It’s a boot option that loads only the most basic drivers needed for Windows to run.
There are different sets of drivers that can be loaded, depending on the kind of “Safe
Mode” the user selects. For more information, see the article safe mode.
Sandbox solution
A type of solution wherein IT administers run a program in a controlled environment to

determine whether it is safe to deploy within their network or not.
Scam
In cybersecurity, scams are attempts to obtain money or something else of value

through dishonest means, mostly over the Internet, though sometimes with a phone call.
Seed
In computer security related terminology a seed is one of the factors used to create (a
series of) seemingly random numbers or strings. Consider for example Domain
Generating Algorithms or encryption keys that are created on the fly. In the combination
of factors, the seed is the constant that is the same for one set of random items. For
example, the seed for the file encryption used on one victim, can be unique for that
victim and for all his files. The seed for one series of generated domains is generally the
same until the author switches to a new variant of the malware using the domains.
SEO
Is short for search engine optimization. This is a set of marketing techniques aimed at
raising the popularity of a website. The goal is to have your site high up in the search
results when a user searches for certain relevant keywords. This brings more visitors to
the site and bring in more business.
Sextortion
Is a form of blackmail in which the victim is forced to perform sexual favors for the
blackmailer. This is often done by threatening to make embarrassing pictures public that
were obtained under false pretenses over the internet.
SIEM
Stands for Security information and event management. SIEM systems are designed to
provide SOCs or other security managers with information about the entire system’s
infrastructure to support detection and help with incident response and prevention.
Smart home
Also called smart house or building. This is an establishment that incorporates

advanced automated systems that enable users to remotely control an array of
electronic devices. For example, a user living in a smart home is capable of controlling
appliances, room temperature, lighting, and the security system by issuing commands
to a computing device.
SOC
Stands for Security Operations Center and is a centralized unit of personnel, processes
and technology that guard the security and investigate security breaches for a bigger
entity, usually a company or a network. A SOC does not necessarily have to be part of
an organization, they can be hired externally.
Social engineering
In cybersecurity, social engineering is the description of methods that attackers use to

get the victims to breach security protocol or give up private information. There are
many tactics that lead to this goal, and they rely on psychological manipulation, such as
seducing the victims by playing to their greed, vanity, or their willingness to help
someone.
Software delivery layer
Refers to a method for network administrators to push out and manage software on the
systems they are responsible for.
Software vulnerability
Refers to a weakness or flaw in software, which leaves it open to be exploited by threat

actors.
Spam
Spam is an undesired communication, often an email or call, that gets sent out in bulk.
Spam wastes time and resources, so many communication tools have built-in ways of
minimizing it.
Spambot
A program designed to build mailing lists to send unsolicited emails to by harvesting

email addresses from websites, newsgroups, and even chat room conversations.
Spear phishing
Is a method of deceiving users with any sort of on-line messages, but usually email, into
giving up important data. Spear phishing attacks are phishing attacks that are targeted
at a particular user or group of users (e.g. employees of one company). The intended
victim(s) will be asked to fill out data or lured into installing data gathering malware on
his system. Learn more about phishing in our blog post, Phishing 101: Part 1.
Spyware
Spyware is a type of malware that gathers information on a device and sends it to a

third-party actor or organization that wouldn’t normally have access. In the past, this
term was also used for adware and cookies.
Steganography
Is the science of hiding information. In cyber-security this usually comes down to hiding
the malicious information behind seemingly harmless messages. Consider for
example malvertising where the code is hidden in images. Or malware where the threat
actors used Twitter as their C&C infrastructure.
Supply-chain attack
A type of attack that targets the weakest or most vulnerable element in a business’s or
organization’s supply chain network. There are several ways this can be done: one,
cybercriminals can continuously attack the system through hacking; another is by
embedding malware into a manufacturer’s software. However this is done, the purpose
of a supply chain attack is to gain access to sensitive data repositories and damage the
company.
 Stuxnet: new light through old windows

 Revealed: POS malware used in Target attack
 Petya-esque ransomware is spreading across the world
 Infected CCleaner downloads from official servers
Suspicious activity
In our Malwarebytes product, “possible suspicious activity” encompasses a variety of
behaviors that are commonly attributed to technical support scams, cryptojacking,
browser hijacking, and other types of harmful or potentially unwanted programs.
System optimizer
This type of software combines some or all of the below functionalities:
 Registry cleaner
 Driver Updater
 Temp file cleaner
 Disk optimizer (disk defragmenter)
 Report system errors
Since all these functionalities are offered by free tools built into the Windows operating
system, many system optimizers are considered Potentially Unwanted Programs
(PUPs), especially if they exaggerate the seriousness of possible improvements that
can be made on user system.
Targeted attack
Refers to an attack aimed at a certain person or group of people. The attackers can be
an organization or people that work in a certain field.
Third party
Is a term used to describe an entity that is involved in a deal, but not directly as one of
the entities that close the deal. In privacy policies, the term is often used to avoid being
blamed, as the publisher, for something any third party might do to the user. For
example, additional software that is included in a bundler, will usually be referred to as
“third-party software”.
Threat actor
In cybersecurity, a threat actor is a group or person behind a malicious incident. As it is

sometimes unclear whether an attack was done by one person or whether there is a
group or organization involved, we use this as a general term to describe the
responsible entity.
TLD
Is short for Top Level Domain. This is the right hand part of a domain name. Examples
are .com, .gov, and . info. In the hierarchical structure of the DNS system these are at
the highest level, hence the name. A complete list of valid TLDs can be found at the
ICANN.org site.
Token
In information security, a token is a small hardware device that, together with what a
user knows—such as a PIN—gives him/her authorized access to a computing system
or network. A smart card and a key fob are examples of security tokens.
Trojan
Trojans are programs that claim to perform one function but actually do another,
typically malicious. Trojans can take the form of attachments, downloads, and fake
videos/programs and, once active on a system, may do a number of things, including
stealing sensitive data or taking control of the device.
Troubleshooting
Is a systematical approach to finding the cause of a malfunction or other problem. With

computers this usually starts with studying logs, some of which may have been created
specifically for the problem at hand, others may be error logs or even memory dumps.
Typosquatting
Typosquatting is the practice of deliberately registering a domain name which is similar
to an existing popular name, in the hope of getting traffic by people who mis-type the
URL of the popular domain. For more information, see the article typosquatting.
Ubuntu
Pronounced as oo-boon-too. It is a Linux distro that is based on the Debian architecture.

It was designed for use on personal computers; however, it can be used on network
servers as well. In fact, it is the most used OS in hosted environments, i.e., the cloud,
and it’s also arguably the most famous distro.
Unicode
Is a global standard for character encoding. It provides a unique number to every

character in existence, which comprises of scripts and symbols. As such, it simplifies
the localization of software and supports multilingual text processing.
The Unicode Consortium maintains, develops, and promotes the use of the Unicode
standard.
External link(s):
 The Unicode Standard
URL
Stands for Uniform Resource Locator and is a method to find resources located on the
World Wide Web. A URL consists of (at least) a protocol (i.e. HTTP) and either a
domain or an IP address. They can also include a path on the server to point to a
particular file or site.
USB attack
Refers to an attack where threat actors use a USB drive to spread malware. In a
targeted attack, infected USB drives are deliberately dropped in public locations, such
as parking lots, to entice victims to picking it up and opening it using their computers.
User interface
In information technology, a UI is the visual part of an operating system or software that

allows users to interact with a computing system, an application, or a website via input
devices. There are three (3) known types of UI: command language, menu,
and graphical user interface (GUI).
Vaporware
In computer slang, it is a non-existent hardware or software that is publicly announced

and actively promoted.
A vaporware announcement may be a marketing strategy to gauge user interests in a

particular product.
Variant
Often refers to closely related malware strains or types of malware that are in the same
family. Usually, it is a version of an existing malware family with modifications.
Virtual machine
A software computer or application environment that runs on another computer or OS.
User experience with virtual machines is the same as they would have on dedicated
hardware.
Virtual memory
Is a memory management technique in use by the Windows operating system to

enlarge the address space. It uses a part of the hard drive to store pages and copy
them into the RAM memory when they are needed. This method is slower then using
RAM only, but it enables the user to run programs even if his RAM memory is already
all in use.
Virus
A virus is malware attached to another program (such as a document) which can

replicate and spread after an initial execution on a target system where human
interaction is required. Many viruses are harmful and can destroy data, slow down
system resources, and log keystrokes.
Virus hoax
A false message warning users of having a computer virus. It comes in many forms,
some are emails and some are pop-up windows.
Vishing
Short for voice phishing. It is a phishing tactic that uses voice, either via VoIP or phone,
to steal information from call recipients.
See also:
 Something’s phishy: How to detect phishing attempts
Visual spoofing
Is a type of threat vector where the similarities of characters and letters from different
languages are used (deliberately or accidentally) to confuse and/or trick users.
According to Chris Weber, a cybersecurity expert, there are several possible
scenarios where visual spoofing can be used to give threat actors the advantage:
 Domain name spoofing
 Fraudulent vanity URLs
 User interface and dialog spoofing
 Malvertising
 Internationalized email forging
 Profanity filter bypassing
VLAN
Is short for Virtual Local Access Network. It describes a network of systems that are
simulating to be on the same network. They are bound at OSI Layer 2 (the datalink
layer) which means they can communicate as if connected by wire while they can in fact
be on different LAN‘s and be physically far apart. VLAN’s are often used to divide LANs
into subsets that are allowed to share certain information and devices. Or to create a
group of systems around the world that belong to a certain group in the
same organization.
VLAN
Short for Virtual Local Area Network (LAN).
It’s a group of devices on different physical LANs that are configured to communicate
with each other as if they are connected to the same wire. If set up right, a VLAN can
significantly improve the overall performance of a network.
VM-aware
A capability of malware to detect and identify that the environment it resides on is

a virtual machine (VM). Some methods of determining a VM are simple while others are
not. Once the malware is aware that it’s on a VM, it usually ceases functioning as its
supposed to.
 A look at malware with virtual machine detection

Voice authentication
Sometimes called voice ID. It is a type of biometric verification wherein a user’s

voiceprint is applied to confirm his or her identity. This relies on the fact that vocal
characteristics are as unique as fingerprints and iris patterns of each individual.
VoIP
Stands for Voice over Internet Protocol.
VoIP is a technology that allows users to make voice calls over an Internet broadband
connection instead of an analog connection, which is used by a regular phone line. In
short, it’s a phone service over the Internet.
VPN
Is short for virtual private network. This is a virtual extension of a private network over
the internet. It is often used to allow employees that are not in the physical office to
connect to resources on the intranetas if they were in the office. But there are also
commercial VPNs that can be used to anonymize your internet traffic. You can find
more information about those in our blog post, One VPN To Rule Them All!
VR
Is short for Virtual Reality. It’s a computer generated simulation of an environment,

using images, sound, and sometimes other sensations like for example “force feedback”
to give the users the illusion that they are in that environment and can interact with the
objects in that environment. VR is primarily used in medicine, military training and video
games.
W
Walled garden
This term is used in a lot of ways in computing and technology. Generally, this is an
environment that limits user access to certain content and services.
WAN
Stands for wide area network. It is a private telecommunications network that

interconnects multiple LANs and metro area networks (MANs).
A WAN covers a wide geographical area. A router is typically used to connect a LAN to
a WAN.
WAP
Stands for Wireless Application Protocol. This is a standardized set of communication

protocols that allows wireless devices (usually mobile devices, two-way radios,
smartphones, and pagers) to securely access the Internet. WAP supports most wireless
networks and is supported by all operating systems.
Warez
Is an internet slang that means software that has been illegally copied and made
available to users.
This shouldn’t be confused with shareware or freeware.
Warm boot
In computing, this is also called a soft boot. It restore the system to its initial state
without shutting it down completely. It is often used when applications are hanging or
frozen, or after installing software. In Windows ,for example, this can be achieved by
choosing “Restart” in the shutdown menu. Also see cold boot.
Warm standby
It is a redundancy method involving two systems running simultaneously: the primary
system at the foreground and a secondary or backup system at the background.
WASP
Short for wireless application service provider. These are services similar to regular
application service providers (ASP) but are accessible via wireless devices, such as
smartphones and personal digital assistants (PDAs).
Wayback Machine
This is a website that allows Internet users to see what certain websites look like at
some point in the past. These sites are archived and are currently inaccessible outside
the Wayback Machine.
The Wayback Machine is created by the Internet Archive.
Wearable computer
Also known as body-borne computers or wearables. An electronic computing device

that can either be strapped on or carried around on (like being incorporated in clothing
and personal accessories) a user’s body. This is also capable of storing, processing,
and transmitting data.
Wearable device
See: Wearable computer
Web
Pertains to the World Wide Web (W3). Although many define the Web as “the internet”,
they are not synonymous. The Web is a way of accessing information that is on the
internet. It’s an information-sharing model. The internet, on the other hand, is a massive
global network infrastructure comprising of millions of computers.
Web application security

This deals with the security of websites, Web applications, and Web services. It aims to
address and/or fulfill the four principles of security, which are confidentiality, integrity,
availability, and nonrepudiation.
Web scraping
Also known as screen scraping, Web data extraction, and Web harvesting among
others. This is an automated technique used in extracting large amounts of data from
websites to be saved locally in a computer as a file or a database (in spreadsheet
format). Web scraping is usually done with the aid of software.
Web-enabled
A product or service is called “Web-enabled” if it can be used in conjunction with or

through the World Wide Web.
This was once a famous buzzword; nowadays, it’s rare to find products or services that
don’t use the Web.
Wetware
A slang term pertaining to the human element of an IT architecture. An IT system is

comprised of hardware (or the physical computers), software (or the applications
installed on the computers), and wetware (or the people using and maintaining the
computers).
Whack-a-mole
In IT, this is a term used to describe a situation where a problem keeps recurring after it
is supposedly fixed. The term was inspired by the arcade game, Whac-A-Mole.
An example of a whack-a-mole situation is when one cleans a malware-ridden computer

only to find it re-infected again.
Whaling
Also known as whale phishing. It’s a type of fraud or phishing scheme that targets high-
profile end-users, usually C-level businessmen, politicians, and celebrities. Fraudsters
behind whaling campaigns aim to trick targets into giving out their personal information
and/or business credentials. Whaling is usually done through social engineering efforts.
White hat hacker
A term most commonly used within the computer security circle to describe a
type hacker who uses their knowledge and skills to help improve the security of a
product and/or service by identifying their weak points before threat actors take
advantage of them.
Whitelist
In computing, it is a list of resources and destinations that we decided to trust.

Application whitelisting is a method that allows only specific software and applications to
run in order to maintain security. This is more restrictive than blacklisting processes,
which has pros and cons. Whitelisting is more secure yet time-consuming to manage.
WHOIS
Pronounced “who is”. This is not an abbreviation; however, it stands for “Who is
responsible for this domain name?”
It’s an internet service used to look up information about domain names.
Wi-Fi
Is a trademarked phrase for connections compliant with the IEEE 802.11 standard. This
is a wireless technology used to provide internet and other WLAN connections. Wi-Fi-
certified products are interoperable with each other. The IEEE 802.11 is often combined
with a letter to indicate the radio frequency band the products use.
Winsock
Is short for Windows Sockets API. It is a standard that specifies how Windows
networking software should deal with TCP/IP traffic. One of the features of Winsock 2 is
the LSP (Layered Service Provider). A method to insert a file (usually a DLL) into the
TCP/IP stack and intercept and modify inbound and outbound Internet traffic. You can
read more about LSP hijackers in our blog post, Changes in the LSP stack.
Wireless
Is the name for any means of transferring information or power over a distance without
the need of an electrical conductor (wire).
Wiretap Trojan
A program capable of secretly recording VoIP calls and IM conversations. This malware
usually comes with a backdoor, which allows a threat actor to retrieve the recordings.
WLAN
Stands for Wireless Local Area Network. This is also referred to as LAWN or Local Area
Wireless Network.
This is a type of network connection that uses high-frequency radio waves rather than
wires to communicate. As it’s wireless, users connected to a WLAN are free to move
around provided they stay within the coverage area.
Also see Wi-Fi.
Worm
Worms are a type of malware similar to viruses, but they do not need to be attached to
another program in order to spread.
WoT
Stands for the Web of Things. This is considered as a subset of IoT that focuses on
software standards and frameworks. One can think of them as everyday objects
capable of communicating with Web services.
WPA
Is short for Wi-Fi Protected Access. WPA and WPA2 are security protocols designed for
the secure access of Wi-Fi. WPA was intended as an easy upgrade from WEP, but that
turned out to be less straightforward than expected. Later WPA2 replaced WPA
and supports CCMP, an encryption mode with strong security.
See also WPA2 and WPA-PSK.
WPA-PSK
Short for Wi-Fi Protected Access Pre-Shared Key. Also known as WPA Personal. This
is a security method that uses Pre-Shared Key (PSK) authentication, which is designed
for homes, to validate users over a wireless internet. WPA-PSK is a variation of
the WPA protocol.
See also WPA2.
WPA2
Short for Wi-Fi Protected Access II or Wi-Fi Protected Access 2. This is a security
standard for computers connected to the internet over a wireless network. Its purpose is
to achieve complete compliance with the IEEE802, an IEEE standard for LANs and
MANs.
WPA2 generally doesn’t work with old network cards.
See also WPA and WPA-PSK.
WPAN
Stands for Wireless Personal Area Network. This is a network for various
interconnected devices within the circumference of an individual’s workspace. The
connection among these devices is usually wireless, and the area of coverage is no
greater than 10 meters. An example of a WPAN technology that permits this short-
range communication is Bluetooth.
See also WPA2.
Write protection
The ability of a physical, hardware device or software to prevent old information from
being overwritten and new data from being written.
Write protection features are normally found in computers and devices that can carry or
store information.
WSoD
Short for White screen of death, o.therwise known as White Death.
This is an error in the OS, particularly Mac OS and Linux, causing it to display a white
screen. A WSoD also happens when an application, such as a Web page, locks up or
freezes.
Sometimes, a WSoD also happens on Windows.
WYSIWYG
WYSIWYG, pronounced “wiz-ee-wig”, stands for What You See Is What You Get. In
computing, it refers to an editor or tool that allows the developer to see the changes
they make on what they’re creating in real time.
XaaS
XaaS is the abbreviated form of Anything-as-a-Service. XaaS is a catch-all term

referring to all available services provided online instead of locally or on-premise.
Synonym: Everything-as-a-Service, Cloud computing

Y
Y2K
Stands for “year 2000”. This abbreviation is well known today because of the term “the
Y2K problem” or “the millennium bug”. The Y2K problem stemmed from fears of
computer programs that store year values as two-digits figures—”97″ to mean the year
1997, for example—would cause problems as the year 2000 rolls in.
Zero Administration for Windows
Abbreviated as ZAW. This refers to an initiative led by Microsoft that allows

administrators to install, update, and manage Windows from a central server to LAN-
connected machines. Microsoft has aimed to decrease the amount of time it takes for
administrators to perform these tasks and to reduce the cost of maintaining PCs in
large corporations.
Zero-day
A zero-day vulnerability is an exploitable vulnerability in software that has not been

disclosed yet. Zero days sarcastically stands for the time the software creator has then
left to patch the vulnerability. More information can be found in our blog post, What is a
Zero-Day?
Zombie
Is the description for systems that have been infected by a Trojan that added the
system to a botnet. The term is used because the system is taken out of control of its
owner, and now obeys the botherder like a zombie. You can read more about these
botnets in our blog post, The Facts about Botnets.
Zombie network
See botnet.
Zombie process
Also known as defunct process. It’s what you call a process in its terminated state.
In programs with parent-child functions, a child usually sends an exit status message to
its parent after executing. Unless the parent receives and acknowledges this message,
the child is in a ‘zombie’ state. This means that it has executed but hasn’t exited.

Glossary - Malwarebytes

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

Glossary - Malwarebytes

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Glossary - Malwarebytes

Uploaded by

Copyright:

Available Formats

A

Abandonware is software that is shelved by its developer. As such, it is no longer

An ad blocker is software that blocks advertisements, including pop-ups, when a user

Synonym: invalid traffic

An add-in is software that gives additional functionality to a device or another software.

Address bar spoofing

Adware is a form of malicious software which displays unwanted advertising on your

Other forms: Air gapping

An always-on device, software, or network denotes that it is constantly accessible.

Android is Google’s flagship operating system for smartphones and tablets.

An Android app is a program designed for the Android OS.

Annoyware is software that continuously shows reminders or pop-up windows to remind

Synonyms: Nagware, Begware

Anomaly detection solution

An anomaly detection solution is any next-generation firewall or IDS/IPS in an

Other forms: Anonymize

Synonyms: Anonymous proxy

Other forms: Anonymity

Anti-ransomware is software specifically designed to combat ransomware. Such

Is sometimes shortened to AI. It describes the science that works on intelligence in

Is the masking of initiatives by corporations, governments, or political parties to make

Is the technique used to obtain unauthorized access to a system or network. It is an

Is sometimes shortened as AR. Augmented reality is a cross between the physical

 Understanding the basics of two-factor authentication

An autonomous system is a group of networks managed by one large entity to ensure

Other form/s: backdooring

In computing, it is a form of hacking that refers to the application of IT concepts to

Is the measurement and statistical analysis of people’s physical and behavioral

Blue Screen of Death

Abbreviated as BSOD. This occurs on Windows systems where a blue screen is

In computing, to boot a system is to turn the device or machine on and load

Boot sector virus

Synonym: zombie machine

Also known as zombie network.

Refers to the practice or act of rendering an electronic computing device—often a

 close the open tab or window

Browser helper object

A rewards program through which individuals can receive monetary compensation

Synonyms: bundleware, bloatware, bundled software, crapware, pre-installed software

Other forms: command & control, C2

In computing, a cache is a temporary storage that is used to speed up future requests.

Also known as pay-per-click fraud. It is the practice of artificially inflating statistics of

Also see: Adfraud

Clickbait is content (especially a headline) that uses exaggeration and sensationalism to

Also see Anything-as-a-Service (XaaS)

Is a type of virus that uses two typical Windows properties:

 Windows does not require file extensions to run a requested file.

Is a multi-disciplinary collection of studies in the fields that are related to digital

Consumer fraud protection

This could either mean:

Cryptocurrency is a decentralized digital currency. It is the preferred payment method of

Also called cryptocurrency mining.

This is the process of adding new transactions to a public ledger of previous

Related blog post(s):

 Ransomware puts your system to work mining Bitcoins

The act of penetrating password-protected computer systems or servers using large

In computer security related terminology domain refers to either:

Domain administrator privileges