Page tree


RAM Scrape (Memory-Scraping): The process of scanning or (coloquially, scraping) random access memory (RAM) to recover data. In the case of malware it's looking for sensitive data to send back home to it's C&C system. This is fruitful because data is traditionally stored in RAM in cleartext. This opportunity usually only exists for a very small fraction of a second (miliseconds), during which time the malware snags the data and stores it for later exfiltration

Ransomware : A type of malware that encrypts user data and demands payment to release that data.

RBL (Real-time Blackhole List): See: DNSBL

Registrar : An organization that manages the reservation of Domain Names.

RR Type CodeRR Type
HINFOHost INFOrmation
MXMail eXchanger
NSName Server
SOAStart Of Authority
WKSWell-Known Services
AFSDBAndrew FileSystem DataBase
ISDNIntegrated Services Digital Network address
RPResponsible Person
RTRoute Through
X25X.25 address
PXPointer to X.400/RFC 822 mapping information
AAAAIPv6 Address
SRVlocate SeRVices
NAPTRNaming Authority PoinTeR

Remote Administration Tool / Remote Access Trojan
(RAT): A Trojan used to open a hole in a victim's attack surface and allow for the remote access and administration of a victim's systems.

Resource Record : The basic informational building block of DNS. Resources records contain information that associate FQDNs with IP addresses, and break this information up across several service types. These types are defined in RFCs: 1035 , 1183 , 1664 2782 , 2915 , and 3596 but a brief listing of the type codes, and the associated type, is provided to the right. DNS servers refresh the records for their particular type throughout the day, this helps to account for changes in IP addresses associated with given FQDNs, in addition servers are dedicated to particular record types, this helps to alleviate traffic congestion–caused by server requests–that can slow down network traffic.

Record entries all contain the data in the table below, with additional fields defined based on the record type.

FieldDescriptionLength (octets)
NAMENode name provided by the recordVariable
TYPENumerical representation of the type of RR (e.g. 1 for A RRs)2
CLASSThe class code of an RR2
TTLNumber of seconds the RR stays valid (Max is 231-1 or 68 years)4
RDLENGTHHow long the RDATA field is2
RDATAAny RR-specific data that compliments the above.Variable, per RDLENGTH

RFC1918 : IP Addresses designated as a reserved range for internal networks (Class C networks: - Internal IP addresses cannot be used as an address in ThreatSTOP.

Rootkit : A piece of software that hides on a machine and gives a remote user (in control of a C&C system) root/admin privileges on a compromised computer.

Response Policy Zone (RPZ): A mechanism for use by Domain Name System recursive resolvers to allow customized handling of the resolution of collections of domain name information (zones).

Round-robin DNS : A technique of load distribution, balancing, or fault-tolerance using multiple redundant IP service hosts. The order IP addresses from the list are returned is the basis for the term. With each DNS response, the IP address is permuted.

Russian Business Network (RBN): A cybercrime organization specializing in personal identity theft. Originated as an ISP for child porn, phishing, spam, and malware distribution based out of St. Petersburg (Russia). Behind Malware Alarm, and Malware Wiper.