An iframe is an element in an HTML document that allows one page to be embedded as a component of another page (known as the parent page). Despite known usability issues, iframes continue to be a popular way to display related information on a single page.
In terms of security, an iframe is not itself a security risk; it may however inadvertently serve as a channel for malicious code if the page being referred to is compromised, or if a malicious script running in the iframe is able to affect the parent page.
A script or code that scans for and infects webservers running Microsoft Internet Information Server (IIS) software.
The worm's attack code is usually an HTTP request that exploits a vulnerability in the IIS software and forces the server to run arbitrary binary code. If successful, the IIS worm can make a few changes to the system to allow a hacker to gain unauthorized access.
For example, the CodeRed IIS worm copied the command interpreter to the scripts folder of an IIS server; an attacker would then be able to call that file from a remote computer to gain full access to the infected webserver. Some IIS worms also change the startup pages of the IIS servers they infect.
Some IIS worms do not exist in file form; instead, they exist only as a process in memory. Disinfection of such worms is quite easy: the relevant patches need to be installed for the IIS software and the server has to be rebooted.
A form of real-time communication between two or more parties, based on typed text that is transmitted over a network, such as the Internet or a company intranet.
A variety of applications, collectively referred to as Instant Messaging (IM) clients, allow connected users to send messages. Many also allow files, audio and video to be transmitted.
Due to their extreme popularity, extensive reach and file transfer capabilities, IM clients and networks are popular targets for malware authors attempting to distribute their malicious wares to as wide an audience as possible. The most common such malware are IM-Worms.
A form of real-time communication, based on typed text transmitted over a network, such as the Internet or a company intranet.
Though similar to Instant Messaging (IM), Internet Relay Chat (IRC) differs in that it is geared primarily towards group communication, organized into forums known as channels. Like IM however, IRC allows one-to-one conversations, as well as data transfers.
Also like IM, IRC client software and networks are popular targets for malware authors attempting to distribute their products.
IRC & Malware
In addition to being a distribution vector, IRC is used by malware specifically designed to exploit IRC channels for its own purposes. The most common type is the IRC-backdoor, which after being installed on a victim machine will connect to a (restricted) IRC channel to receive further instructions from the attacker.
A company that provides its clients with the infrastructure and technology needed to connect to the Internet. The technology provided runs the gamut from simple dial-up programs to broadband wireless or cable Internet services.
Some major Internet Service Providers (ISPs), particularly national telecommunications companies, may be responsible for maintaining the necessary physical infrastructure and licensing its usage to smaller ISPs.
Many, but not all, ISPs also provide related services, such as website hosting, e-mail hosting and so on.
In computer programming, an integer overflow is a type of arithmetic error in which a calculation produces a numeric value too large for the available storage space.
If data validation measures are not in place, the overflowed value may be silently ignored or written to unexpected places, leading to significant calculation errors and, not infrequently, system crashes.
In systems that are business or even life critical – i.e. for air traffic control or hospital medical equipment – the potential repercussions of a crash from an integer overflow can be severe, and there have been a number of cases where such errors have led to major disasters or tragedies.
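As an added illustration that is not part of the original glossary, the following C code shows a size calculation that wraps around silently next to a validated version that detects the overflow before it happens; the function names (unchecked_total_bytes, mul_would_overflow, checked_total_bytes) and the input values are constructed for this example.

```c
/* Added example, not from the original glossary. Function names and the
 * sample input are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive form: the product wraps modulo 2^32 once it exceeds UINT32_MAX, so a
 * buffer sized from this result would be far smaller than the caller expects. */
uint32_t unchecked_total_bytes(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* silently wraps around */
}

/* Data validation: report whether count * elem_size fits in 32 bits,
 * without performing the multiplication that would overflow. */
bool mul_would_overflow(uint32_t count, uint32_t elem_size)
{
    return elem_size != 0 && count > UINT32_MAX / elem_size;
}

/* Validated form: the result is written only when it is representable;
 * the caller must refuse the operation when false is returned. */
bool checked_total_bytes(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (mul_would_overflow(count, elem_size))
        return false;
    *out = count * elem_size;
    return true;
}

int main(void)
{
    uint32_t total;
    /* Constructed input: 0x10000001 elements of 16 bytes is 2^32 + 16 bytes,
     * which the unchecked version reports as just 16 bytes. */
    printf("unchecked: %u bytes\n", unchecked_total_bytes(0x10000001u, 16u));
    if (!checked_total_bytes(0x10000001u, 16u, &total))
        printf("checked: overflow detected, allocation refused\n");
    return 0;
}
```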
This term refers to instances of threats reported infecting a user's system in the real world, as opposed to Proof of Concept (POC) code from a known source or researcher, or samples seen only in a contained environment.
An Intrusion Detection System (IDS) is a network security device (either a hardware appliance or software) that monitors network activity for suspicious activity.
An Intrusion Detection System is very similar to an Intrusion Prevention System (IPS), except that the latter is capable of reacting to the suspicious activity by blocking it.
Nowadays, a number of products provide intrusion detection and intrusion prevention as two complementary services, or merge the two functionalities into one system.
An IDS/IPS can be either host-based, in that it resides and acts on only a single IP address, such as a single computer, or network-based, where it resides on one host but can still take action on behalf of other hosts.
Though useful, an IDS/IPS must be carefully configured to ensure that it does not generate an unacceptably high level of false positives, while still being sufficiently sensitive to detect any dangerous activity.
An Internet Protocol (IP) address is an identifier assigned to all unique resources (computers, servers, etc) connected to a network, which acts as that resource's 'name tag' during machine-to-machine communications.
IP addresses are written in the following format:
Much like a real name tag, a resource's assigned IP address isn't always permanent, and can be changed depending on need. For example, an FTP server on a company network that must be constantly accessible can have its IP address configured to be static, so that it rarely or never changes. On the other hand, a workstation may be assigned a dynamic IP address that changes with each session. Each configuration has its own security considerations.
Though IP addresses are crucial to the way machines communicate with each other, users typically do not work with them directly; instead, the average user will remember and use the resource's domain name (for example, 'www.f-secure.com'). The domain name is strictly a human convenience, as most users have difficulty remembering IP addresses off-hand. The computer system itself, however, uses the resource's IP address to find and connect to it.
IP address & Security
IP addresses can be a security issue in cases of:
Denial-of-Service attacks, in which large amounts of data are sent using spoofed or forged origin IP addresses.
Messages or files sent with forged IP addresses as their origin, thereby confusing both the recipient and the supposed 'sender'. This tactic is generally used to obscure the true sender's location.
A type of worm that uses Internet Relay Chat (IRC) networks to spread copies of itself to new victim machines.
The simplest way for an IRC-worm to propagate is by establishing a connection to an IRC server and directly offering infected copies of itself to other users, usually in deceptively named files. This simple method is however largely unused today, as it is easily spotted and avoided by alert IRC users.
Most IRC-worms are designed to propagate more circumspectly. On infecting a machine with an IRC client installed, the worm drops an INI file (containing a script) into the IRC client's folder on the system. The script causes the IRC client to automatically send a copy of the worm's executable file to every other user whenever the infected client connects to an IRC server and joins any channel.
An IRC-Worm may or may not have a payload. Some IRC-worms may have backdoor- or trojan-like capabilities.