Adware : Adware programs facilitate the delivery of advertising content to the user and in some cases gather information from the user's computer, including information related to Internet browser usage or other computer habits. They can take up your computer's resources and are largely responsible for the countless popup ads you receive on the web. Adware is often bundled with or embedded within freeware programs such as clocks, messengers, alerts, weather, and so on, and software such as screensavers, cartoon cursors, backgrounds, sounds, etc.
Annoyance : Any trojan
that does not cause damage other than to annoy a user,
such as by turning the text on the screen upside down,
or making mouse motions erratic.
ANSI Bomb : Character
sequences that reprogram specific keys on the keyboard.
If ANSI.SYS is loaded, some bombs will display colorful
messages, or have interesting (but unwanted) graphical
effects.
AOL Pest : Any password stealer, exploit, DoS attack, or ICQ hack aimed at users of AOL. ICQ is an instant messenger service from mirabilis.com, now AOL. ICQ is a favorite service among hackers, and ICQ features are built into many trojans (such as stealing users' passwords or UINs, or notifying the hacker). Users of ICQ are warned: "By using the ICQ service and software... you may be subject to various risks, including... Spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, 'imposturing', electronic trespassing, tampering, hacking, nuking, system contamination including without limitation use of viruses, worms and Trojan horses causing unauthorized, damaging or harmful access and/or retrieval of information and data on your computer and other forms of activity that may even be considered unlawful."
AV Killer : Any hacker
tool intended to disable a user's anti-virus software
to help elude detection. Some will also disable personal
firewalls.
Backdoor : A Backdoor
is a software program that gives an attacker unauthorized
access to a machine and the means for remotely controlling
the machine without the user's knowledge. A Backdoor
compromises system integrity by making changes to the
system that allow it to be used by the attacker for
malicious purposes unknown to the user.
Badjoke : Software
that is designed to mimic the actions of a virus but
is not malicious and does not harm the machine. Although
some Low Risk Software programs may track online habits
-- as provided for in a privacy policy or End User License
Agreement (EULA) -- or display advertising within the
applications themselves, these programs have only vague,
minimal or negligible effects on your privacy.
Binder : A tool that
combines two or more files into a single file, usually
for the purpose of hiding one of them. A binder compiles
the list of files that you select into one host file,
which you can rename. A host file is a simple custom
compiled program that will decompress and launch the
source programs. When you start the host, the embedded
files in it are automatically decompressed and launched.
When a trojan is bound with Notepad, for instance, the
result will appear to be Notepad, and appear to run
like Notepad, but the Trojan will also be run.
Browser Helper Object (BHO) : A BHO is an application that extends Internet Explorer and acts as a plug-in. Spyware as well as browser hijackers often use BHOs to display ads or redirect the browser to alternate sites and alternate search results. A BHO does not necessarily need your permission to install, and BHOs can be used for malicious purposes like gathering information on your surfing habits and search data to facilitate targeted, contextual advertising.
Clicker : This family of Trojans redirects victim machines to specified websites or other Internet resources. Clickers either send the necessary commands to the browser or replace system files where standard Internet URLs are stored (e.g. the 'hosts' file in MS Windows).
Clickers are used:
1. To raise the hit-count of a specific site for advertising purposes
2. To organize a DoS attack on a specified server or site
3. To lead the victim to an infected resource where the machine will be attacked by other malware (viruses or Trojans).
Commercial RAT : Any
commercial product that is normally used for remote
administration, but which might be exploited to do this
without user consent or awareness.
Constructor : Virus writers use constructor utilities to create new malicious programs and Trojans. Constructors for creating macro viruses and viruses for Windows are known to exist. Constructors can be used to generate virus source code, object modules and infected files. Some constructors come with a user interface where the virus type, objects to attack, encryption options, protection against debuggers and disassemblers, text strings, multimedia effects etc. can be chosen from a menu. Less complex constructors have no interface, and read information about the type of virus to be built from a configuration file.
Cracking Misc : Any
document and/or tool that provides guidance on how to
remove copy protection.
Cracking Tool : Any
software designed to modify other software for the purpose
of removing usage restrictions. An example is a 'patcher'
or 'patch generator', that will replace bytes at specified
locations in a file, rendering it a licensed version.
A music file ripper is a program that enables the user
to digitally copy songs from a CD into many different
formats such as MP3, WAV, or AIFC.
DDoS : A Distributed Denial of Service (DDoS) attack is one that pits many machines against a single victim. An example is the attacks of February 2000 against some of the biggest websites. Even though these websites have a theoretical bandwidth of a gigabit/second, distributing many agents throughout the Internet flooding them with traffic can bring them down. The Internet is defenseless against these attacks. The best defense is for users everywhere to run PestPatrol, and remove DDoS clients when they are found, so that their machines are not used as attack tools. Another approach is for ISPs to do "egress filtering": prevent packets from going outbound that do not originate from IP addresses assigned to the ISP. This cuts down on the problem of spoofed IP addresses.
Dialer : A Dialer is a program that
uses the computer's modem to dial telephone numbers,
often without the user's knowledge and consent. A Dialer
can connect to a toll number that adds long distance
charges to the telephone bill without the user's knowledge
or permission. Dialers may be downloaded through exploits
and installed without notice and consent.
DoS : A DoS trojan is a Denial of Service trojan. The one described here is a DDoS (Distributed Denial of Service) Trojan: it conducts a SYN Flood attack on a number of servers in the bootcom.com domain and works under Windows NT. When launched, it creates a service named Secure transactions provider, which covertly starts each time the system boots up. The service launches five threads, each of which sends TCP packets with the SYN flag set at high frequency to one of the servers under attack. This will cause the network to slow noticeably. Always run in DOS mode.
Downloader : Downloader is a program
typically installed through an exploit or some other
deceptive means and that facilitates the download and
installation of other malware and unwanted software
onto a victim's PC. Downloader may download adware,
spyware or other malware from multiple servers or sources
on the internet.
DNSChanger : The DNSChanger trojan is usually a small file (about 1.5 kilobytes) that is designed to change the 'NameServer' Registry key value to a custom IP address. This IP address is usually encrypted in the body of the trojan. As a result of this change, the victim's computer will contact the newly assigned DNS server to resolve the names of different web servers, and some of the resolved names will not point to legitimate websites: they will point to fake websites that look like the real ones but are created to steal sensitive information (like credit card numbers, logins and passwords).
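The Clicker and DNSChanger entries both describe tampering with local name resolution: the hosts file and the 'NameServer' registry value. The following check is an added example written for this glossary, not code from its source; the hosts file text, watched names, internal networks, approved resolvers and the NameServer string are all constructed sample data, and the hypothetical names used are .test domains.

```python
"""Name-resolution tamper check covering the Clicker (hosts file) and
DNSChanger (NameServer registry value) entries.  Added example, not code from
the glossary; every address, name and network below is constructed."""
import ipaddress

# Constructed: addresses a hosts file may legitimately map names to.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0", "255.255.255.255"}
# Constructed: address blocks used by this organisation's own internal hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: names that should always resolve via DNS, never via hosts.
WATCHED_NAMES = {"www.example-bank.test", "update.example-av.test"}
# Constructed: the resolvers the organisation actually operates.
APPROVED_RESOLVERS = {"192.168.1.1", "192.168.1.2"}

# Constructed sample hosts file with two pharming-style entries added.
SAMPLE_HOSTS = """# hosts file (constructed sample)
127.0.0.1    localhost
::1          localhost
192.0.2.10   www.example-bank.test   # login page silently redirected
192.0.2.10   update.example-av.test  # AV update server hijacked
10.0.0.5     intranet.corp.test      # legitimate internal entry
198.51.100.7 www.example-shop.test
this-line-is-malformed
"""


def parse_hosts(text):
    """Return a list of (ip, [names]) for each active hosts-file line.
    Comments from '#' to end of line, blank lines and lines that do not
    start with a valid IP address are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        entries.append((ip, [name.lower() for name in parts[1:]]))
    return entries


def suspicious_hosts_entries(text):
    """Flag hosts entries of the kind a Clicker or pharming trojan adds: a
    watched name pinned to any fixed address, or any name pinned to an
    address that is neither benign nor inside the internal networks.
    Returns a list of (name, ip, reason)."""
    findings = []
    for ip, names in parse_hosts(text):
        if ip in BENIGN_TARGETS:
            continue          # loopback/null pins block a name, they do not redirect it
        addr = ipaddress.ip_address(ip)
        internal = any(addr in net for net in INTERNAL_NETS)
        for name in names:
            if name in WATCHED_NAMES:
                findings.append((name, ip, "watched name pinned in hosts file"))
            elif not internal:
                findings.append((name, ip, "name pinned to an external address"))
    return findings


def parse_nameserver_value(value):
    """Split a Windows 'NameServer' registry string (assumed here to be a
    comma- or space-separated list of resolver addresses) into its parts."""
    return value.replace(",", " ").split()


def unexpected_resolvers(configured, approved=APPROVED_RESOLVERS):
    """DNSChanger check: configured resolver addresses that are not in the
    approved set.  Values that do not parse as an address are reported too,
    since garbage in that setting is itself a sign of tampering."""
    approved_set = {str(ipaddress.ip_address(a)) for a in approved}
    bad = []
    for value in configured:
        try:
            ip = str(ipaddress.ip_address(value))
        except ValueError:
            bad.append(value)
            continue
        if ip not in approved_set:
            bad.append(value)
    return bad


def audit(hosts_text, nameserver_value):
    """Run both checks and return the findings as a dict."""
    return {"hosts": suspicious_hosts_entries(hosts_text),
            "resolvers": unexpected_resolvers(parse_nameserver_value(nameserver_value))}


if __name__ == "__main__":
    # Constructed NameServer string: one approved resolver and one rogue one.
    for key, value in audit(SAMPLE_HOSTS, "192.168.1.1,192.0.2.53").items():
        print(key, value)
```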
Dropper : A spyware dropper, when run, installs spyware. In other words, a dropper is a carrier for malicious or spying software. Finding one on your computer means that your computer is infected with a Dropper and crucial data could be endangered or even lost.
Encryption Tool : Any
software that can be used to scramble documents, software,
or systems so that only those possessing a valid key
are able to unscramble it. Encryption tools are used
to secure information; sometimes unauthorized use of
encryption tools in an organization is a cause for concern.
Error Hijacker : Any
software that resets your browser's settings to display
a new error page when a requested URL is not found.
Hijacks may reroute your info and address requests through
an unseen site, capturing that info. In such hijacks,
your browser may behave normally, but be slower.
Exploit : Exploits use vulnerabilities in operating systems and applications to achieve their effect. In other words, this is a type of malware consisting of a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur in computer software. This frequently includes such things as gaining control of a computer system, privilege escalation, or a denial of service attack.
Fake Anti Spyware : A Fake Anti Spyware is software that purports to scan for and detect malware or other problems on the computer, but which attempts to dupe or badger users into purchasing the program by presenting the user with intrusive, deceptive warnings and/or false, misleading scan results. They spuriously warn users that their computers have been infected with spyware, directing them to purchase programs which do not actually remove spyware or, worse, may add more spyware of their own. It typically uses aggressive, deceptive advertising and may be installed without adequate notice and consent, often through exploits.
Firewall Killer : A program that alters or bypasses a security system that uses rules to block or allow connections and data transmission between your computer and the Internet.
Flooder : A program
that overloads a connection by any mechanism, such as
fast pinging, causing a DoS attack. An E-Mail Flooder
is a program used to send mass e-mail to flood or disrupt
a PC or network.
FTP Server : When
installed without user awareness, an FTP server allows
an attacker to download any file in the user's machine,
to upload new files to that machine, and to replace
any existing file with an uploaded file.
HackTool : A HackTool is a utility designed to penetrate remote computers. These types of malware connect to the remote machines and use them as zombies without giving any prior information to the owner. Many hacktools download malicious programs onto the victim machines.
Hacking Tutorial :
A Hacking Tutorial explains how to break into systems.
Hijacker : Hijackers
are software programs that modify users' default browser
home page, search settings, error page settings, or
desktop wallpaper without adequate notice, disclosure,
or user consent. When the default home page is hijacked,
the browser opens to the web page set by the hijacker
instead of the user's designated home page.
In some cases, the hijacker may block users from restoring
their desired home page.
Hoax : Not a pest, not a virus, not a worm, not a trojan. A hoax is a worrisome warning, usually transmitted by e-mail. An example of a hoax: "If you receive an e-mail that has a subject line of X, then ... This is a very bad thing, and blah blah blah... Please pass this on to everyone in your address book." Before following the instructions in the e-mail, do a simple internet search for the subject line, the file name, etc. to see if others regard this as a hoax. Hoaxes are not detected by PestPatrol, but some are included in our Pest Encyclopedia for your information.
Homepage Hijacker :
Any software that changes your browser's home page to
some other site. Hijacks may reroute your info and address
requests through an unseen site, capturing that info.
In such hijacks, your browser may behave normally, but
be slower.
Hostile ActiveX : An
ActiveX control is essentially a Windows program that
can be distributed from a web page. These controls can
do literally anything a Windows program can do. A Hostile
ActiveX program does something that its user did not
intend for it to do, such as erasing a hard drive, dropping
a virus or trojan into your machine, or scanning your
drive for tax records or documents. As with other Trojans,
a Hostile ActiveX control will normally appear to have
some other function than what it actually has.
Hostile Java : Browsers include a "virtual machine" that encapsulates the Java program and prevents it from accessing your local machine. The theory behind this is that a Java "applet" is really content (like graphics) rather than full application software. However, as of July 2000, all known browsers have had bugs in their Java virtual machines that would allow hostile applets to "break out" of this "sandbox" and access other parts of the system. Most security experts browse with Java disabled on their computers, or encapsulate it with further sandboxes/virtual machines.
Hostile Script : A script is a text
file with a .VBS, .WSH, .JS, .HTA, .JSE, .VBE extension
that is executed by Microsoft WScript or Microsoft Scripting
Host Application, interpreting the instructions in the
script and acting on them. A hostile script performs
unwanted actions.
HTTP Server : When installed without
user awareness, an HTTP server allows an attacker to
use a web browser to view and thus retrieve information
collected by other software placed in the user's machine.
Installer : A utility that copies system software or an application from floppy disks or a CD-ROM to your hard disk. An Installer may also decompress the new files, remove obsolete files, place extensions and control panels in their proper folders, and/or create new folders. A Spyware Installer installs spyware which is bundled with the installer.
IRC War : Any
tool that uses Internet Relay Chat for spoofing, eavesdropping,
sniffing, spamming, breaking passwords, harassment,
fraud, forgery, 'imposturing', electronic trespassing,
tampering, hacking, nuking, system contamination including
without limitation use of viruses, worms and Trojan
horses causing unauthorized, damaging or harmful access
and/or retrieval of information and data on your computer
and other forms of activity that may even be considered
unlawful.
Joke Program : A Joke
Program is software that is designed to mimic the actions
of a virus but is not malicious and does not harm the
machine. Although some Low Risk Software programs may
track online habits -- as provided for in a privacy
policy or End User License Agreement (EULA) -- or display
advertising within the applications themselves, these
programs have only vague, minimal or negligible effects
on your privacy.
Key Generator : Any
tool designed to break software copy protection by extracting
internally-stored keys, which can then be entered into
the program to convince it that the user is an authorized
purchaser.
Key Logger (Keystroke Logger): A key
logger is a program that captures and logs keystrokes
on the computer without the user's knowledge and consent.
The logged data may be encrypted and is typically sent
to a remote attacker. The key logger is usually hidden
from the user and may use cloaking (rootkit) technology
to hide from other software in order to evade detection
by anti-malware applications.
KillAV : KillAV is a Trojan that tries to terminate and/or remove any antivirus software that is running on the computer.
Loader : Any
program designed to load another program.
Mail Bomber : Software
that will flood a victim's inbox with hundreds or thousands
of pieces of mail. Such mail generally does not correctly
reveal its source.
Mailer : A program
that creates and sends email with forged headers, so
that the source of the mail it sends cannot be traced.
Malware : Malware is a category of malicious code that includes viruses, worms, and Trojan horses. Destructive malware will utilize popular communication tools to spread, including worms sent through email and instant messages, Trojan horses dropped from web sites, and virus-infected files downloaded from peer-to-peer connections. Malware will also seek to exploit existing vulnerabilities on systems, making its entry quiet and easy.
Mass Mailer : A mass mailer can spread through email by sending copies of itself to everyone in the user's address book. A mass mailer may consume a large amount of system resources and cause the machine to become noticeably sluggish and unreliable.
Misc Tool : Any tool
that might be used in planning an attack on a system,
developing tools for such an attack, or performing it.
Notifier : Any tool designed for stealth
notification of an attacker that a victim has installed
and run some pest. Such notification might be done by
FTP, SMS, SMTP, or other method, and might contain a
variety of information. Often used in combination with
a Packer, a Binder and a Downloader.
Nuker : Nuker is a generic term for
several TCP/IP DoS attacks. In some cases, it selects
some folders and deletes them. Through TCP/IP it sends
packets to targeted computers containing malicious programs
which may destroy some specified data.
P2P (Peer-to-peer):
Peer-to-peer (P2P) is a method of file sharing over
a network in which individual computers are linked via
the Internet or a private network to share programs/files,
often illegally. Many P2P programs bundle third-party
advertising programs, and are currently the second largest
source of virus, Trojan and data mining infections.
Packer : A utility which compresses a file, encrypting it in the process. It adds a header that automatically expands the file in memory when it is executed, and then transfers control to that file. Some packers can unpack without starting the packed file. Packers are "useful" for trojan authors as they make their work undetectable by anti-virus products.
Password Capture : A variant of the
Key Logger that captures passwords as they are entered
or transmitted. Some password capture trojans impersonate
the login prompt, asking the user to provide their password.
Password Cracker : A tool to decrypt
a password or password file. PestPatrol uses the term
both for programs that take an algorithmic approach
to cracking, as well as those that use brute force with
a password cracking word list. Password crackers have
legitimate uses by security administrators, who want
to find weak passwords in order to change them and improve
system security.
Password Cracking Word List : A list of words that a brute force password cracker can use to muscle its way into a system.
Phreaking Tool : Any
executable that assists in hacking the phone system,
such as by using a sound card to imitate various audible
tones.
Pornware : Pornware is the generic term used to describe malware-related programs that either use the computer's modem to connect to pornographic pay-to-view services, or download pornographic content from the web, without the consent of the user.
Port Scanner : In hacker reconnaissance, a port scan attempts to connect to all 65536 ports on a machine in order to see if anybody is listening on those ports. Port scans are not illegal in many places, in part because they don't actually compromise the system, in part because they can easily be spoofed, so it is hard to prove guilt, and in part because virtually any machine on the Internet can be induced to scan another machine. Many people think that port scanning is an overt hostile act and should be made illegal. An attacker will often sweep thousands (or millions) of machines rather than a single machine, looking for any system that might be vulnerable. Port scans are always automated through tools called Port Scanners.
Probe Tool : A tool that explores another system, looking for vulnerabilities. While these can be used by security managers wishing to shore up their security, the tools are as likely to be used by attackers to evaluate where to start an attack. An example is an NT Security Scanner.
Proxy : Proxy Trojans turn the victim's computer into a proxy server. This gives the attacker the opportunity to do everything from your computer, including the possibility of conducting credit card fraud and other illegal activities, or even using your system to launch malicious attacks against other networks.
Normally, it:
1. Connects to some proxy site
2. Has proxy-related information in it
3. Sends mail via this proxy (so it has mail-related information, or uses the SMTP port)
4. Sends data out (SYN_SENT)
5. Does some mail-related activity
PSW: This family of
Trojans steals passwords, normally system passwords
from victim machines. They search for system files,
which contain confidential information such as passwords
and Internet access telephone numbers and then send
this information to an email address coded into the
body of the Trojan. The ‘master’ or user
of the illegal program will then retrieve and misuse
this information.
Most common behavior:
1. Ask for password using fake window
2. Change ICQ, MSN, AOL configuration
3. Get cached Windows passwords
PUP : PUP (or PUPs) is a term used to describe unwanted programs such as Trojans, spyware and adware, along with other malware which may compromise your privacy. The term PUP was first used by people at McAfee's Avert research lab to avoid any legal issues that may arise from calling these types of applications "spyware".
RAT : A Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed on a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker, who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
Search Hijacker: Any
software that resets your browser's settings to point
to other sites when you perform a search. Hijacks may
reroute your info and address requests through an unseen
site, capturing that info. In such hijacks, your browser
may behave normally, but be slower. Search results when
such a hijacker is running will sometimes differ from
non-hijacked results.
Sniffer : A program and/or device that monitors data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network's security because they are virtually impossible to detect and can be inserted almost anywhere. This makes them a favorite weapon in the hacker's arsenal. A sniffer may be able to read the data in the packet as well as the source and destination addresses.
SpamTool : This program is designed to send spam to email addresses harvested from the victim computer. In addition to wasting people's time with unwanted e-mail, spam also eats up a lot of network bandwidth. When sending spam e-mails, the Trojan can generate fake sender e-mail addresses automatically. It is remotely controlled and can upgrade its file from the Internet.
Spoofer : To spoof
is to forge your identity. Attackers use spoofers to
forge their IP address (IP spoofing). The most common
use of spoofing today is smurf and fraggle attacks.
These attacks use spoofed packets against amplifiers
in order to overload the victim's connection. This is
done by sending a single packet to a broadcast address
with the victim as the source address. All the machines
within the broadcast domain then respond back to the
victim, overloading the victim's Internet connection.
Since smurfing accounts for more than half the traffic
on some backbones, ISPs are starting to take spoofing
seriously and have started implementing measures within
their routers that verify valid source addresses before
passing the packets.
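The DDoS entry's "egress filtering" and the Spoofer entry's source-address verification are the same control: a router at the ISP edge forwards an outbound packet only if its source address belongs to a prefix the ISP assigned. The following model of that filter is an added example, not code from the glossary or from any router vendor; the assigned prefixes, the attached subnet and the packets are constructed. It also includes the companion check on the amplifier side, refusing packets addressed to the broadcast address of an attached subnet, which the glossary does not describe.

```python
"""Source-address validation (egress filtering) and directed-broadcast
refusal, modelled after the DDoS and Spoofer entries.  Added example; all
prefixes and packets below are constructed sample data."""
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "src dst")

# Constructed: address blocks this ISP has assigned to its customers.
ASSIGNED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/25")]
# Constructed: a subnet directly attached to the router.  Forwarding packets
# to its broadcast address would let it serve as a smurf amplifier.
ATTACHED_SUBNETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed outbound traffic as seen at the ISP edge.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "203.0.113.17"),      # normal customer traffic
    Packet("198.51.100.5", "203.0.113.17"),    # normal customer traffic
    Packet("10.9.8.7", "203.0.113.17"),        # forged source (not assigned)
    Packet("192.0.2.10", "203.0.113.255"),     # valid source, broadcast dest
    Packet("198.51.100.200", "203.0.113.17"),  # outside the /25: forged
    Packet("172.16.0.1", "203.0.113.255"),     # smurf pattern: forged + bcast
    Packet("not-an-address", "203.0.113.17"),  # unparseable header
]


def source_is_assigned(src, prefixes=ASSIGNED_PREFIXES):
    """True when src lies inside a prefix assigned to this ISP, i.e. the
    packet could legitimately have originated on this network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def is_directed_broadcast(dst, subnets=ATTACHED_SUBNETS):
    """True when dst is the broadcast address of an attached subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in subnets)


def filter_packets(packets, prefixes=ASSIGNED_PREFIXES, subnets=ATTACHED_SUBNETS):
    """Classify packets.  Returns (forwarded, dropped); each dropped item is
    (packet, reason).  Source validation runs first, so a smurf packet with
    a forged victim source is dropped as spoofed before the broadcast check."""
    forwarded, dropped = [], []
    for pkt in packets:
        try:
            if not source_is_assigned(pkt.src, prefixes):
                dropped.append((pkt, "spoofed source: not an assigned address"))
            elif is_directed_broadcast(pkt.dst, subnets):
                dropped.append((pkt, "directed broadcast: possible amplifier use"))
            else:
                forwarded.append(pkt)
        except ValueError:
            dropped.append((pkt, "malformed address"))
    return forwarded, dropped


def drop_summary(dropped):
    """Counts per drop reason; a burst of spoofed-source drops from one
    customer is the signal that a DDoS agent is running there."""
    return Counter(reason for _, reason in dropped)


if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", len(fwd), "dropped:", dict(drop_summary(drp)))
```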
Spyware: Any software
that covertly gathers user information through the user's
Internet connection without his or her knowledge, usually
for advertising purposes. Spyware applications are typically
bundled as a hidden component of freeware or shareware
programs that can be downloaded from the Internet. Once
installed, the spyware monitors user activity on the
Internet and transmits that information in the background
to someone else. Spyware can also gather information
about e-mail addresses and even passwords and credit
card numbers.
StartPage: This Trojan
modifies the configuration of Microsoft Internet Explorer
without the knowledge or consent of the user.
Surveillance : Any
software designed to use a webcam, microphone, screen
capture, or other approaches to monitor and capture
information. Some such software will transmit this captured
information to a remote source.
Telnet Server : Software
that allows a remote user of a Telnet client to connect
as a remote terminal from anywhere on the Internet and
control a computer in which the server software is running.
Toolbar : A Toolbar
is a type of browser plug-in that adds a third-party
utility bar to the web browser, usually just below or
next to the browser's address bar. A Toolbar typically
has a search function and provides search results for
paid advertisers.
Tracking Cookies :
Tracking cookies allow multiple web sites to store and
access records that may contain personal information
(including surfing habits, user names and passwords,
areas of interest, etc.), and subsequently share this
information with other web sites and marketing firms.
Trackware : Programs
that track system activity, gather system information,
or track user habits and relay this information to third-party
organizations.
Trojan : A destructive
program that masquerades as a benign application. Unlike
viruses, Trojan horses do not replicate themselves but
they can be just as destructive. One of the most insidious
types of Trojan horse is a program that claims to rid
your computer of viruses but instead introduces viruses
onto your computer.
Trojan Creation Tool :
A program designed to create Trojans. Some of these
tools merely wrap existing Trojans, to make them harder
to detect. Others add a trojan to an existing product
(such as RegEdit.exe), making it a Dropper.
Trojan Horse : A Trojan
Horse portrays itself as something other than what it
is at the point of execution. While it may advertise
its activity after launching, this information is not
apparent to the user beforehand. A Trojan Horse neither
replicates nor copies itself, but causes damage or compromises
the security of the computer. A Trojan Horse must be
sent by someone or carried by another program and may
arrive in the form of a joke program or software of
some sort. The malicious functionality of a Trojan Horse
may be anything undesirable for a computer user, including
data destruction or compromising a system by providing
a means for another computer to gain access, thus bypassing
normal access controls.
Trojan Source : Source
code is written by a programmer in a high-level language
and readable by people but not computers. Source code
must be converted to object code or machine language
before a computer can read or execute the program. Trojan
Source can be compiled to create working trojans, or
modified and compiled by programmers to make new working
trojans.
Usage Track : Usage
tracks permit any user (or their software agent) with
access to your computer to see what you've been doing.
Such tracks benefit you if you have left the tracks,
but might benefit another user as well.
Virus Creation Tool : A
program designed to generate viruses. Even early virus
creation tools were able to generate hundreds or thousands
of different, functioning viruses, which were initially
undetectable by current scanners.
Virus Source : Source code is written
by a programmer in a high-level language and readable
by people but not computers. Source code must be converted
to object code or machine language before a computer
can read or execute the program. Virus Source can be
compiled to create working viruses, or modified and
compiled by programmers to make new working viruses.
Virus Tutorial : We
don't think there is much need for viruses in today's
offices, so we don't think there is much need to learn
how to create them. Virus Tutorials explain 'how to'.
War Dialer : (demon-dialing, carrier-scanning) War-dialing was popularized in the 1983 movie War Games. It is the process of dialing all the numbers in a range in order to find any machine that answers. Many corporations have desktop computers with attached modems; attackers can dial in order to break into the desktop, and thereafter the corporation. Similarly, many companies have servers with attached modems that aren't considered part of the general security scheme. Since most security emphasis these days is on Internet-related attacks, war-dialing represents the "soft underbelly" of the security infrastructure that can be exploited.
Worm : A Worm is a malicious program that spreads itself without any user intervention. Worms are self-replicating. Worms spread without attaching to or infecting other programs and files. A Worm can spread across computer networks via security holes on vulnerable machines connected to the network. Worms can also spread through email by sending copies of themselves to everyone in the user's address book. A Worm may consume a large amount of system resources and cause the machine to become noticeably sluggish and unreliable.
Worm Creation Tool :
A program designed to generate worms. Worm creation
tools can often generate hundreds or thousands of different,
functioning worms, most of which are initially undetectable
by current scanners.