Vocabulary terms and definitions from the COMP3650 Malware Analysis Basics lecture notes, covering malware types, virus phases, analysis stages, and file identification.
Malware
Malicious software intended to disrupt, damage, steal information, or gain unauthorized access to a system.
Confidentiality
Protecting data from unauthorized access or disclosure.
Integrity
Protecting data and systems from unauthorized modification or corruption.
Availability
Keeping systems and data accessible when authorized users need them.
Payload
The action the malware performs besides spreading, such as stealing data, encrypting files, or damaging systems.
Trigger
The event or condition that activates a payload, such as a date, user action, system event, or logic condition.
Infection vector
The method malware uses to spread or reach a victim, such as email attachments, vulnerabilities, USB drives, or social engineering.
Social engineering
Tricking a user into helping the attack, such as opening a malicious attachment or entering credentials into a fake login page.
Virus
Malware that attaches to a host file/program and replicates when the host executes.
Worm
Standalone malware that can run independently and spread complete copies of itself to other hosts.
Trojan horse
A program that appears useful or harmless but hides malicious functionality.
Backdoor / trapdoor
A way to bypass normal security checks and gain unauthorized access.
Downloader
Malware that downloads and installs additional malware after initial compromise.
Rootkit
Malware or tools designed to hide malicious activity, often by concealing files, processes, registry entries, or network connections.
Bot / zombie
An infected computer controlled by an attacker.
Botnet
A group of infected machines controlled together.
Command-and-Control (C&C) server
Attacker-controlled infrastructure that sends commands to infected machines.
Spyware
Software that secretly collects information from a computer and sends it elsewhere.
Keylogger
Malware or tool that records keystrokes.
Logic bomb
Code that stays dormant until a specific condition is met, then triggers a payload.
Macro virus
A virus that uses document macro or scripting features to execute and spread.
Adware
Software that displays ads or redirects the browser, sometimes unwanted or malicious.
Attack kit
A toolkit that helps attackers generate or deploy malware using built-in exploits and payloads.
Drive-by download
Malware infection caused by visiting a compromised website that exploits a browser or plugin vulnerability.
Exploit
Code that targets a specific software vulnerability.
Flooder / DoS client
Malware that generates large traffic volumes for denial-of-service attacks.
Scareware
Malware or deceptive software that frightens users into paying for fake help or fake security tools.
APT
Advanced persistent threat: a well-resourced, targeted, long-term intrusion effort, often against business or political targets.
Dormant phase
The stage where a virus is idle until some activation event occurs.
Propagation phase
The stage where the virus copies itself into other programs or system areas.
Triggering phase
The stage where the virus is activated by a specific condition or event.
Execution phase
The stage where the virus performs its intended function or payload.
Boot sector infector
A virus that infects the master boot record or boot record.
File infector
A virus that infects executable files.
Multipartite virus
A virus that infects in multiple ways, such as boot sectors and files.
Polymorphic virus
A virus that changes its appearance with each infection, typically by encrypting its body with a different key and varying the decryption routine, so the functional code stays the same while the stored byte pattern differs.
Metamorphic virus
A virus that rewrites its own code more completely on each infection (for example reordering instructions or substituting equivalent ones), sometimes changing behavior as well as appearance, so no constant byte pattern exists to match.
Random scanning
The process where a worm probes random IP addresses to find vulnerable machines.
Hit-list scanning
Scanning where an attacker starts with a prepared list of vulnerable targets, making early spread very fast.
Topological scanning
The process where a worm uses information on the infected host, such as address books, to find new targets.
WannaCry
Ransomware with worm-like spread that encrypted files and demanded Bitcoin payment in 2017.
Ploutus
ATM malware used for jackpotting, allowing unauthorized ATM cash dispensing.
CIH / Chernobyl
Destructive virus known for overwriting hard drive data and damaging or corrupting BIOS firmware.
Stuxnet
Example of a highly targeted malware/APT-style attack against industrial control systems.
Static analysis
Analyzing malware without running it, using tools like hashes, strings, and disassemblers.
Dynamic analysis
Running malware in a controlled environment, such as a VM or sandbox, and monitoring its behavior.
Signature
A pattern or artifact used to detect malware or infection.
IOC
Indicator of Compromise: evidence that a system may be infected or attacked, such as hashes or malicious IPs.
False positive
A benign file or activity that is incorrectly flagged as malicious.
False negative
A malicious file or activity that is incorrectly missed or classified as safe.
Snapshot
A saved VM state that allows analysts to restore a clean system after testing malware.
Magic number
The first few bytes of a file used to identify the file type, such as MZ (0x4D 0x5A) for DOS/Windows executables; more reliable than the file extension, which can simply be renamed.
Hash
A fixed-length fingerprint generated from data or a file, used for integrity and identification.
MD5
A 128-bit hash; useful for quickly identifying a known sample, but cryptographically broken because attackers can craft two different files with the same MD5, so it should not be relied on for integrity checks.
SHA-256
A 256-bit hash from the SHA-2 family that is a stronger modern choice for security.
Avalanche effect
A property where a small change in input causes a large, unpredictable change in the hash output.
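The following is an added example, not code from the lecture notes, that ties the file-identification terms together: it identifies a file by magic number, flags a mismatch between extension and content, computes MD5 and SHA-256, extracts printable strings as a first static-analysis step, and measures the avalanche effect by flipping one bit. The magic-number table holds well-known values; the sample byte strings and the extension map are constructed for the demo.

```python
import hashlib
import re

# Well-known magic numbers (file signatures), longest checked first.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy DOC/XLS, common macro carrier)",
    b"PK\x03\x04": "ZIP archive (also DOCX/XLSX/JAR)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"MZ": "DOS/Windows PE executable",
}

# Constructed map of what the extension claims the content should be.
EXPECTED_BY_EXT = {
    ".exe": "DOS/Windows PE executable",
    ".dll": "DOS/Windows PE executable",
    ".pdf": "PDF document",
    ".docx": "ZIP archive (also DOCX/XLSX/JAR)",
    ".doc": "OLE2 compound document (legacy DOC/XLS, common macro carrier)",
}


def identify(data: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for magic, name in sorted(MAGIC.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type the magic number contradicts."""
    dot = filename.rfind(".")
    expected = EXPECTED_BY_EXT.get(filename[dot:].lower()) if dot != -1 else None
    return expected is not None and identify(data) != expected


def hashes(data: bytes) -> dict:
    """MD5 for quick lookup against old sample sets, SHA-256 as the trusted ID."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def avalanche_bits(data: bytes) -> int:
    """Flip one input bit and count how many of the 256 SHA-256 output bits change."""
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    a = hashlib.sha256(data).digest()
    b = hashlib.sha256(bytes(flipped)).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed sample: a PE-style header fragment, not a runnable executable,
# saved under a name that claims to be a PDF.
SAMPLE_NAME = "invoice.pdf"
SAMPLE_DATA = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00cmd.exe /c start\x00ab\x00"

if __name__ == "__main__":
    print(SAMPLE_NAME, "->", identify(SAMPLE_DATA))
    print("extension mismatch:", extension_mismatch(SAMPLE_NAME, SAMPLE_DATA))
    print(hashes(SAMPLE_DATA))
    print("strings:", strings(SAMPLE_DATA))
    print("bits changed by a 1-bit flip:", avalanche_bits(SAMPLE_DATA), "of 256")
```

The mismatch check is the practical payoff of magic numbers: a "PDF" whose first two bytes are MZ is an executable wearing a disguise. The avalanche count lands near 128 of 256 bits for any input, which is why a hash identifies one exact file and cannot be used to find "similar" samples.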