Glossary of Terms



Description

Last Updated

Note that encyclopedia descriptions are updated periodically, and impact levels adjusted according to the latest data. However, as fast as events can occur, a threat may rapidly become widespread or quickly die off in prevalence before a description's next update occurs.

Date Discovered

The date a virus is first discovered is subjective and may be difficult to identify precisely, inasmuch as it may be relative to other antivirus software vendors. When applying a date of discovery, Fortinet will always attempt to present the date closest to when it discovers a threat.

First Detected in FortiGate DB Version

At any point in time, Fortinet may provide antivirus and NIDS database updates for up to three FortiOS (Fortinet Operating System) versions. Up until the end of its life, each FortiOS version will in turn support the most recently available antivirus database update. Based on the FortiOS your unit has installed, "First Detected in FortiGate DB Version" will convey to a FortiGate user the minimum antivirus database update required to detect a virus.

Impact Level

At the time of the writing of each description, the categories - damage, prevalence, how widespread a threat is, its vector, the number of possible targets, and potential rate of infection/spread - are taken into account when assigning an averaged impact level.

According to this scale, the greater the impact of a threat, the greater the threat's impact level. Explained elsewhere in this document are various examples of how a threat might receive a particular level of impact.

Length

Known threats sometimes have definite sizes associated with the arriving file(s). When a threat has a definite static file size, that size is always given in the description. If a threat does not have the same static file size, an encyclopedia description may indicate the size of the threat varies. "Varies" indicates that, while a threat may not vary in appearance or internal functional code, it varies in file size. "Variable" indicates the file size changes because the threat is (for example) polymorphic. In this case, the appearance, the internal functional code of the threat, and its size are variable.

Class

Threats fall into various classes or major categories. These categories include Apple Macintosh virus, Application, Attack, Backdoor, Batch file virus, Boot virus, Exploit, File virus, Linux virus, Macro virus, Multipartite or Tripartite virus, Script virus, Trojan horse, Worm or File virus/Worm hybrid.

Affects

Which operating system(s) does this threat affect? Most viruses will affect more than one operating system. For example, most 32-bit viruses will function under MS Windows 98, Me, 2000, NT and XP. Other threats may not function at all under any Microsoft operating system because the threat is native to Linux.

Known Alias(es)

Not all antivirus vendors will call the same threat by the same name. Sometimes differences are minimal, sometimes the names are very different. Whenever possible, Fortinet will also list the name or names by which other antivirus products identify threats.

Adware

Adware is not necessarily malicious, but will typically display advertising content to the user. This advertising content may take many forms, typically in the form of Internet browser pop-up advertisements. Under most circumstances a user is not aware of the Adware component being installed on the local machine. That is, an Adware component may be surreptitiously installed along with a desired piece of software, perhaps even masked as an upgrade for additional functionality in one's web browsing software.

Riskware

Any software installed that is considered a potentially unwanted application or creates a potential security risk is considered Riskware. This includes software and modules such as Browser Helper Objects (BHO), Hacker Tools, Remote Administration Tools, and Toolbars. This software may not have an immediate impact but could lead to further software downloads and/or malicious action being taken.



Level of Impact -- Considerations

Attackers test your computer's operating system and underlying application software for weaknesses and attempt to exploit them in order to gain access to your system. The options of attackers are limited only by their abilities and level of access to the system.

Computer viruses exploit certain functions of operating system and application software in ways that allow them to spread to other computers. While most simply attach themselves to executable files, playing the part of nothing more than a form of digital graffiti, there are viruses capable of erasing or modifying programs and data, or transmitting password lists and other confidential bits of information.

Some of the most successful viruses in years past have attempted to keep themselves hidden from visual observation. The intention of this concealment was to allow for the virus to spread itself to many systems before the inevitable detection.

In more recent years, the modus operandi of virus writers has been to write viruses that spread themselves at an extremely fast rate. They do not appear to care whether the virus is detected or not, but rather seem to rely on the possibility that it will fully saturate computers connected to the Internet with copies of itself.

At the time of the writing of each description, each category stated below - damage, prevalence, how widespread the threat is, its vector, the number of possible targets, and potential rate of infection/spread - is taken into account when assigning an averaged impact level to the threat.

According to this scale, the greater the impact of a threat, the greater the threat's impact level. Threats are rated on a scale of 1-5, as described below. Also explained below are various examples of how a threat might receive its level of impact.

Damage

Each threat varies in degree and type of damage inflicted. Viruses such as Form or W32/HLLP.Hantaner modify executable code in a predictable manner. There are others, such as nearly any variant found within the VBS/LoveLetter-mm family, that completely overwrite a file with their own code, making recovery possible only from backup. Some hackers expose your customer-base credit card database while others have nothing more than a quick look around.

In some instances damage from an attack is reversible. In other instances the damage is not reversible.



Prevalence

How often a threat is identified as being found in the wild by Fortinet antivirus researchers, and other antivirus research professionals in the community. Manually initiated attacks are far less prevalent compared to the number of automated infections a single computer virus can produce. Prevalence ratings for manually initiated attacks are therefore scaled accordingly.

The higher the prevalence, the greater the chance that you will encounter the virus.



Widespread

How widespread is the threat? If a threat is able to propagate at a fast enough rate (i.e. it has a high prevalence) then it is also likely to become widespread.

Common today is the rapid achievement of an Internet-wide outbreak. When a threat becomes widespread quickly it is very difficult to then completely stomp out its existence -- even over time. For just as with wildfire, as one flare is being put down, another will almost certainly pop up to take its place.

When looking at a description, note the threat may be on its way to becoming widespread, or it may have already reached its height and is now dying off.



Prevalence vs. a threat that is Widespread

A threat may have a high prevalence, but that does not always indicate that it is widespread. In other words, you may find the threat existing within the walls of your domain on a daily basis. Even one instance of a virus may begin yet again a cycle resulting in hundreds of infections. In such a case, the virus has a high prevalence.

However, this does not mean that it is widespread. For example, the threat may exist only in one region of the world, because it has a language dependency. A good example of such a virus is WM/TWNO.A:Tw.



Vector of infection

What is the vector of infection? How common and efficient the vector is has a bearing on the classification.

Email is a good example of an efficient vector of infection. Many people have email. Internet-borne mass-mailer virus/worms exploit the open services and natural abilities of email applications to spread themselves. Email is thus a vector of infection.

W32/Bady.C (Code Red II -- a virus/intrusion hybrid) relies on a flaw in a specific version of Microsoft IIS to propagate. At the time of its initial outbreak, there were a huge number of computers running the flawed version of IIS. For the Code Red exploit, IIS was a highly efficient vector.

Threats like Nimda exploit multiple vectors of infection simultaneously. This increases the odds that at least one of their methods of transmission will be successful in finding its way to the next computer.

Another vector of infection is by means of web content. Just as with email attachments, URLs can link to downloads of infected files which, when launched by the user, may automatically execute and cause infection. In addition, the HTTP protocol is feature rich, and can carry executable content (JavaScript, etc.) that can execute without requiring any action by the user after a web link is accessed. Simply clicking on a malicious link can load a virus, worm or trojan that can execute without further user action. Thus, while the fastest spreading techniques will often use email or some other mechanism to spread, web traffic provides a very efficient means for launching an attack, enabling the threat to get a foothold in the user's environment and then spread via other means.

A large population of susceptible targets along with the proper method of vectoring the threat to the objective will give the threat a greater chance of becoming widespread.



Potential rate of infection/spread:

Taking into account whether the scope of the threat is limited (i.e. the threat's impact clearly falls below level 2, as described below), and whether this is a known or unknown factor at the time of the writing of the description, is the spread of the threat slow or fast?



Number of potential targets

A threat may have an efficient method of self-propagation, but if there are no computers to travel to, it probably won't become very successful -- that is if success is to be judged in terms of how widespread it becomes. The threat has to find the next computer to attack.

This outbreak datum is an estimate made at the time of outbreak. Complete accuracy cannot be assured, but is greatly enhanced by past experiences with the threat itself, or similar threat types.



Impact Level


Impact level: Level 1

Includes zoo viruses and exploits (i.e. those threats that are not found on actual systems and are not being actively reported by individuals or antivirus vendors) or any ineffective threat that is flawed and therefore will not effectively spread. This level may also apply to viruses reported to Fortinet researchers with a very low frequency (for example, when only one report of a virus arrives to Fortinet).

Impact level: Level 2

Threats reported to Fortinet researchers as spreading receive an impact level of 2. These threats use known-efficient infection vectors (i.e. internet-borne viruses, network-aware and P2P worms), and are designed to spread or distribute themselves massively.

Impact level: Level 3

Threats reported as spreading and attaining a measurable degree of prevalence receive an impact level of 3. Such threats are not, however, currently at outbreak level at the time of writing of the description.

Impact level: Level 4

Threats that have already become widespread (but may now be dying off) receive an impact level of 4. Threats falling into this category may no longer fall in the 'outbreak' category, but are still very much in the wild.

Impact level: Level 5

This type of threat has usually been discovered within the last 24-48 hours. Due to several of the aforementioned characteristic considerations (mass mailer, etc), this threat is quickly becoming or has already become extremely widespread.



Popularity

Popularity profiles the global adoption of an application. Applications are classified as either popular or not popular, based on how widely the general public and customers have adopted them. FortiGuard worldwide intelligence systems are used in combination with real-time public data derived from demand to classify the popularity of an application.



Risk

The risk level of an application defines the potential security risk of a particular application. While almost any application may have the possibility of being host to an attack vector, the risk level provides an estimate of the likelihood of a threat taking place. To gauge this, several factors are considered such as known vulnerabilities, their various risk levels, and frequency over a relevant period of time.



Technology

Technology describes the way an application was designed to function and communicate - its structure. As examples, applications may use peer-to-peer communication, Web browsers and Web technology, or primarily be based on a client-server architecture. The category of the application will further define how the technology is used.



Threat Level Indicators


The malware, vulnerability and spam threat levels are calculated as the ratio of threat activity in the previous 6-hour period (number of detections for malware and vulnerability, percentage of spam emails for spam) compared to the average of activity recorded in the same period and day of week for the past 10 out of 12 weeks (with the highest and lowest activity weeks removed). This is designed to accommodate the natural fluctuation in threat activities during the week. The ratio is then converted into one of the four threat levels as follows:

Threat Level    Ratio
Normal          <=100
Elevated        100-150
High            150-250
Severe          >250
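
The threat level calculation described above, worked through as an added example (this is not Fortinet's code). It assumes the ratio is a percentage of the baseline, that each upper bound in the table is inclusive, and that a zero baseline with any current activity counts as Severe; the 12-week history is constructed sample data.

```python
from statistics import mean

# Thresholds from the table. Treating the ratio as a percentage and each upper
# bound as inclusive is an assumption (the table's ranges meet at 150 and 250).
LEVELS = [(100.0, "Normal"), (150.0, "Elevated"), (250.0, "High")]


def baseline(weekly_counts):
    """Average of the same 6-hour slot over 12 weeks, minus the highest and lowest week."""
    if len(weekly_counts) != 12:
        raise ValueError("expected 12 weekly samples for the same slot and weekday")
    trimmed = sorted(weekly_counts)[1:-1]  # 10 of the 12 weeks remain
    return mean(trimmed)


def threat_ratio(current, weekly_counts):
    """Activity in the latest 6-hour period as a percentage of the trimmed baseline."""
    base = baseline(weekly_counts)
    if base == 0:
        # Assumption: with no historical activity, any detection is off the scale.
        return 0.0 if current == 0 else float("inf")
    return 100.0 * current / base


def threat_level(ratio):
    """Map a ratio to one of the four threat levels."""
    for upper, name in LEVELS:
        if ratio <= upper:
            return name
    return "Severe"


# Constructed sample: detections in one 6-hour slot on the same weekday for 12 weeks.
# 2900 (a past outbreak week) and 12 (a sensor outage) are the weeks that get dropped.
HISTORY = [410, 395, 420, 2900, 405, 388, 412, 399, 12, 401, 415, 407]


def classify(current, history=HISTORY):
    """Return (ratio, level) for the current period against the given history."""
    ratio = threat_ratio(current, history)
    return ratio, threat_level(ratio)


if __name__ == "__main__":
    for count in (300, 500, 810, 1200):
        ratio, level = classify(count)
        print(f"{count:5d} detections -> ratio {ratio:6.1f} -> {level}")
```

With the two outlier weeks left in, the plain 12-week average for this sample would be about 580, and 810 detections would rate Elevated instead of High.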