Sandbox
In computer security, a sandbox generally refers to a tightly controlled virtual environment that replicates a normal computer system.
In this isolated environment, security researchers and malware analysts are able to execute and examine suspect, untested or malicious code without risking damage to their actual systems.
Script
A script is a small program or piece of code used to automate minor tasks. Scripts can be used in applications or on websites to add extra functionality.
Search Engine Optimization (SEO) Attack
A type of attack that involves poisoning a website's listing in a search engine's search results, in order to redirect visitors to a malicious website.
SEO attacks are becoming increasingly common. They are often timed to take advantage of major holidays, political dramas or entertainment events, such as New Year's, presidential elections or celebrity deaths. The sites affected by these attacks have ranged from major corporations (both online and brick-and-mortar businesses) to personal sites.
How Search Engine Optimization (SEO) Attacks Are Done
Also known as SEO poisoning, this type of attack undermines one of the most relied-upon services on the Internet - the search engines that help visitors find the website they want. Most websites try to gain more traffic by carefully crafting their webpages so that search engines are likely to display them more prominently in the search engine results, where they are more likely to be viewed by the reader.
Attackers exploit this engine-website-reader relationship by 'poisoning' the site's ranking in the search results. Visitors who click on the affected site's listing in the search results are instead redirected to an unwanted site, which will often perform drive-by downloads on the visitor's system.
Attackers can poison the website's ranking either by cross-site scripting (XSS), or more commonly by using an iframe exploit to inject a redirect script into the site. The site's actual contents may or may not be affected. An SEO attack can also be carried out using the collective resources of a botnet.
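The following is an added example, not part of the original glossary: a defender-side scan of a page's HTML for the two artefacts an SEO poisoning injection typically leaves behind, a hidden or zero-size iframe and a script that redirects the visitor. The sample page, the `bad.example` host and the `scan_html` helper are constructed for the example.

```python
# Added example (not part of the original glossary): scan a page's HTML for a hidden
# or zero-size iframe and for a script that redirects the visitor, the artefacts an
# SEO poisoning injection leaves in the site. The sample HTML below is constructed.
import re
from html.parser import HTMLParser

REDIRECT_RE = re.compile(r"\b(window|document|top|self)\.location(\.href)?\s*=", re.I)


class InjectedRedirectScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            # An iframe the visitor cannot see has no legitimate reason to be there.
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style
            if tiny or hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; flag any that rewrite the browser location.
        if self._in_script and REDIRECT_RE.search(data):
            self.findings.append(("redirect-script", data.strip()[:60]))


def scan_html(html: str) -> list:
    """Return (kind, detail) findings for one HTML document; empty when clean."""
    parser = InjectedRedirectScanner()
    parser.feed(html)
    return parser.findings


# Constructed page: the site's own content plus an injected iframe and redirect.
SAMPLE_PAGE = """<html><body><h1>Welcome to our site</h1>
<iframe src="http://bad.example/landing" width="0" height="0"></iframe>
<script>window.location = 'http://bad.example/';</script>
</body></html>"""
```

Run `scan_html` over pages fetched from your own site and diff the findings against a known-clean copy; a single new hidden iframe is the usual first sign of this kind of compromise.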
Shell
A small program used to provide an interface for users, which is then often used to control or manipulate an operating system or a process. A shell is also known as a "command shell".
Creating a shell on a target machine is often the objective of shellcode (a piece of code used to insert or start the command shell) and is associated with the exploitation of a vulnerability.
SMS
A communication protocol for transmitting short text messages between mobile devices connected to a telecommunications network.
The Short Message Service (SMS) is one of the most heavily used data services in the world today, with close to 2.5 billion regular users.
Like many popular services, SMS is also used by hackers to engage in various undesired activities, such as:
- SMS Hoaxes
Much like e-mail hoaxes, unsolicited SMS messages may be sent to generate misinformation, fear or doubt.
- SMS Spam
Much like e-mail spam, unsolicited SMS messages sent out in bulk can be a serious annoyance to recipients. Depending on the jurisdiction, this activity may be legal, illegal or simply unregulated.
- Worm payload
A number of worms such as Worm:SymbOS/Yxe and Worm:SymbOS/HatiHati will send out high volumes of SMS messages to persons listed on the phone's Contact List, resulting in high SMS usage charges.
- SMS Spoofing
An SMS message sender tampers with the address information to impersonate another sender.
- Malicious links
SMS messages may also contain links to, or direct users to, a website that may be harmful.
Signature
A sufficiently unique section of code that can be used by an antivirus application as a program's identifying marker. Depending on the antivirus in question, a signature may also be known as a "detection" or "definition".
How Signatures Work
Signatures are commonly used by antivirus programs to find and identify malware. To define a signature, an Anti-Malware Analyst must first analyze a malicious program and determine the appropriate section of code to use as the program's signature; for certain simple malware, this may also be done automatically.
To use it, an antivirus program must first have a signature listed in its signature database. Then, each time the antivirus scans a computer system's files, it searches for code matching the signatures in its database; any file found with matching code is automatically flagged as a security risk.
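As an added illustration of the scanning step just described (this is example code, not any antivirus product's engine), the scanner below keeps a small signature database of byte patterns, with `??` standing for a wildcard byte, and reports every file whose contents contain one of them. The signature names, patterns and sample files are all constructed.

```python
# Added example (not part of the original glossary): a minimal signature scanner.
# Each entry is a byte pattern chosen to identify one family; '??' matches any one
# byte so a pattern can skip fields that vary between samples. Everything is constructed.
import re

# Constructed signature database: detection name -> hex pattern.
SIGNATURES = {
    "Example.Dropper.A": "4d 5a 90 00 ?? ?? 00 00 de ad be ef",
    "Example.Script.B": "65 76 61 6c 28 75 6e 65 73 63 61 70 65 28",  # 'eval(unescape('
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'de ad ?? ef' into a bytes regex so wildcards are honoured."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list:
    """Return the names of every signature found in one file's contents."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(data))


def scan_files(files: dict) -> dict:
    """Scan a {path: contents} mapping; only flagged files appear in the result."""
    hits = {}
    for path, data in files.items():
        found = scan_bytes(data)
        if found:
            hits[path] = found
    return hits


# Constructed sample files: two that match a signature and one clean text file.
SAMPLE_FILES = {
    "dropper.exe": b"MZ\x90\x00\x03\x00\x00\x00\xde\xad\xbe\xef" + b"\x00" * 16,
    "page.js": b"var x = 1;\neval(unescape('%41'));",
    "notes.txt": b"just a text file",
}

if __name__ == "__main__":
    for path, names in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(names)}")
```

Note that a file is only ever flagged if a matching pattern is already in `SIGNATURES`, which is exactly the limitation the next section discusses.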
Why Signatures Are Important
As new malware is found every day, an antivirus program's signature database should be kept up to date to ensure the computer is protected against the latest threats.
This type of signature-based detection is effective if the malware is previously known; it does not work against new, unknown malware, which has not yet been analyzed and identified with a signature. Instead, many antivirus programs now incorporate heuristic analysis technology to detect new, unknown malware.
SMTP
A protocol used for transmitting e-mail messages over a TCP/IP network. It is one of three protocols (the others are IMAP and POP3) commonly used for e-mail transmissions.
SMTP is capable of sending e-mail messages, but has limited capability for receiving them, resulting in the common practice of using SMTP for sending messages, and another protocol for receiving messages.
Many worms include an SMTP-based engine in their own code dedicated to sending out copies of the infectious worm code.
Social Engineering
A general term used to describe attacks that leverage psychological or social pressures to dupe an unsuspecting victim into providing sensitive information such as passwords, account details and so on.
Social engineering attacks can take place both online and offline. Online social engineering attacks usually take the form of phishing or pharming attempts, which present unsuspecting users with legitimate-looking e-mails or websites in order to convince them to part with important information or money.
Another form of online social engineering involves convincing a user to download a file, usually in the guise of a security or application update, game or other desired program. Once downloaded and run however, the file turns out to be something entirely different, and almost always malicious.
Social engineering is also possible in the offline, 'real world' environment. Usually, these attacks are done for the same reason - to obtain information or money - but differ in that there tends to be more direct, sometimes physical interaction. Examples of offline attacks include:
- Pretending to be a surveyor and asking people to provide their passwords in return for a prize;
- Calling a company and pretending to be an employee to gain access to the company intranet;
- Leaving an infected disk in a position where someone is likely to pick it up and use it, thereby infecting their system.
Despite the simplicity of many social engineering attacks, they tend to be consistently effective, as they exploit natural human tendencies based on trust, desire or curiosity.
Source Code
The human-readable form of a program's code.
A programmer or team of programmers will typically write a program's source code in a programming language (e.g., C or Python). The programmer(s) then use a separate compiler program to transform it into an executable form known as binary code that only a computer system can 'read' to execute the commands.
Spam
A communication that is unsolicited and sent out in massive amounts. A more formal term for this material is 'junk mail' or 'unsolicited bulk mail'.
Spam is mainly used for commercial promotion. The products or services typically being offered tend to be of a somewhat dubious nature. Spam may also be used as a mass communication channel, generally seeking credulous participants willing to take part in activities that may turn out to be fraudulent or criminal. Spam may also be used to distribute malware, or to direct users to sites that host malware.
Spam is often considered a nuisance as it clogs up communications networks and requires time and effort to deal with. It may also have a significant financial or personal impact, through malware infection of a company network or loss of personal data or money through fraud.
The act of sending spam is legally a 'grey area' in many countries; there is usually insufficient legislation or police enforcement to prevent it. In some countries, spam operations have been successfully shut down and prosecuted; in others, these operations can operate with practical impunity.
How Spam is Sent
At one time, the most common way to send spam was through a 'spammer', a standalone utility that allows the user to efficiently send massive amounts of e-mail to a mailing list (the term 'spammer' may also be used to describe the person who sends out spam).
Typically, a spammer program will use fake e-mail message headers and anonymous SMTP servers to send the e-mails, making it significantly more difficult for investigating authorities to trace back the source of the unsolicited e-mails.
These programs are not destructive, but the consequences of their usage can be seriously damaging. The legitimacy of these programs depends on jurisdiction. In several countries, spammer usage is illegal.
Nowadays, spam is more commonly sent out by botnets, which can generate thousands, if not millions of e-mails every day. The botnet may be created specifically for this purpose but increasingly, spam operations are simply renting use of these botnets from other (presumably criminal) organizations.
Types of Spam
The term 'spam' is most commonly used to describe unwanted e-mail messages, but spam can also describe unwanted messages transmitted over fax, posted on online or offline message boards, sent through SMS or MMS and so on:
- SMS spam
Typically, these messages are commercial promotions sent out by businesses. Telecommunications providers may or may not provide their users with an option to 'opt out' of receiving these communications. More malicious messages may include hoaxes, intended to frighten recipients or spread misinformation.
- MMS spam
Similar to SMS spam, but potentially more dangerous, as MMS spam can include active links to websites. If clicked, the recipient may be taken to a malicious website.
- IM spam
Unwanted messages sent through Instant Messaging (IM) are a common propagation tactic for worms and other malware. The messages typically contain an infected file or a link to a malicious website.
- Forum and comment spam
Unwanted messages added to website forums, weblog comments and other locations where other users will see the message. These messages may or may not include malicious links or files.
A more modern twist on this is to include these spam messages or links on online video-sharing websites.
Spoofing
The act of falsifying characteristics or data, usually in order to conduct a malicious activity. For example, if a spam e-mail's header is replaced with a false sender address in order to hide the actual source of the spam, the e-mail header is said to be "spoofed".
An attack can also involve elements of spoofing, as it prevents or complicates the process of identifying the correct source of the attack. There are many kinds of such "spoofing attacks": e-mail spoofing, Internet Protocol spoofing, URL spoofing and so on.
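As an added example (not part of the original glossary) covering both the spoofed e-mail header described here and the fake headers spammer programs use, the check below parses a raw message, compares the visible From: domain with the envelope sender in Return-Path:, and walks the Received: chain from the receiving server back towards the first relay. The message, addresses and hostnames are constructed placeholders.

```python
# Added example (not part of the original glossary): spot a spoofed sender by
# comparing the From: domain with the Return-Path: domain and listing the relay
# chain recorded in the Received: headers. The raw message below is constructed.
import re
from email import message_from_string
from email.utils import parseaddr

RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx.example.com with ESMTP; Mon, 01 Jan 2024 10:00:03 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby relay.example.net with SMTP; Mon, 01 Jan 2024 09:59:58 +0000
From: "Accounts" <accounts@bank.example.com>
To: victim@example.com
Subject: Your account

Please log in to confirm your details.
"""


def sender_domains(raw: str) -> tuple:
    """Return (From domain, Return-Path domain), lower-cased, '' when absent."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    rp_addr = parseaddr(msg.get("Return-Path", ""))[1]
    return (from_addr.rpartition("@")[2].lower(), rp_addr.rpartition("@")[2].lower())


def received_hops(raw: str) -> list:
    """Return the 'from' host of each Received: header, receiving server's hop first."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)", hdr)
        hops.append(m.group(1) if m else "?")
    return hops


def looks_spoofed(raw: str) -> bool:
    """Flag the message when the visible From domain differs from the envelope sender."""
    frm, rp = sender_domains(raw)
    return bool(frm) and frm != rp


if __name__ == "__main__":
    print("From/Return-Path:", sender_domains(RAW_MESSAGE))
    print("Received chain:", " -> ".join(received_hops(RAW_MESSAGE)))
    print("spoofed sender:", looks_spoofed(RAW_MESSAGE))
```

A From/Return-Path mismatch is also normal for mailing lists and bulk senders, so treat it as a signal to combine with SPF/DKIM results rather than a verdict on its own.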
Spyware
A program that may compromise a user's personal or confidential information. Spyware may be installed on a system without a user's authorization or knowledge.
Spyware can vary widely in the kinds of actions it performs. Some common actions include displaying unsolicited pop-ups, hijacking a browser's home or search pages, redirecting browsing results and monitoring user activities. Depending on the context, these actions may be considered borderline or outright malicious.
Spyware is sometimes considered a "gray" area in terms of ethics and legality. Depending on the specific action, context of use and applicable laws, spyware may be legal and acceptable; dubious but unlegislated; or outright illegal and unethical.
Complicating the issue is that some spyware is not intentionally designed as such. Instead, programming errors may result in a program performing actions that would class it as spyware. Once the flaws are corrected, the program may then be reclassified.
Another common issue is if a program's uninstaller is not included, or nonfunctional. A legitimate program with a nonfunctional uninstaller may be classified as 'spyware' until the issue is resolved.
In addition, programs previously identified as spyware may be renamed and redistributed as a new product.
SQL Injection
A type of attack that exploits poor user-input filtering to inject and run commands in improperly configured Structured Query Language (SQL) databases. Technically, a few types of SQL injection attacks are possible, but the end result of all successful SQL injection attacks is that an attacker can manipulate or even gain total control over the database.
SQL databases are a common feature of many applications. Often, companies will use such databases for vital operations such as payrolls and customer records. The most commonly reported attacks however are usually launched against databases that can be accessed via a website, simply because these databases are much easier for a hacker to reach. SQL databases are commonly used on websites with dynamic content, making them popular targets for hackers.
SQL injection attacks only work against databases that don't sanitize user input properly. Whenever a user interacts with a database, for example by trying to log into the Members Only section of a website, any input they provide should be 'sanitized', or checked to make sure it doesn't contain invalid characters. Poor or improper checking of input data can expose programming errors, which an alert or malicious user can then further exploit.
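The input-handling flaw described above, as an added example that is not part of the original glossary: the same login lookup written twice against an in-memory SQLite table, once by splicing user input into the SQL text and once with a parameterised query, so that the database never interprets user input as SQL. The table, the `alice` account and the inputs are constructed.

```python
# Added example (not part of the original glossary): the same login query built
# unsafely by string concatenation and safely with bound parameters. The table,
# the account and the test inputs are constructed for the example.
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")


def login_vulnerable(username: str, password: str) -> bool:
    """Unsafe: user input becomes part of the SQL text, so a quote changes the query."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(username: str, password: str) -> bool:
    """Safe: placeholders bind the values as data; the query text never changes."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# A tautology input: the leading quote closes the string literal and the rest is
# read as SQL by the vulnerable version, but stays an ordinary value in the safe one.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    print("valid password, vulnerable:", login_vulnerable("alice", "correct horse battery staple"))
    print("tautology input, vulnerable:", login_vulnerable("alice", TAUTOLOGY))
    print("tautology input, safe:", login_safe("alice", TAUTOLOGY))
```

Parameter binding is the fix to reach for first; character filtering of the kind the glossary entry describes is a weaker second layer because the set of 'invalid' characters depends on the database and the query.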
Stealth Virus
Any virus that attempts to keep its presence undetected can be classed as a 'stealth virus'.
A virus can hide its presence and/or actions from antivirus programs or system security processes using a variety of techniques. The most common tactic is to display a clean 'image' or copy of an infected file or directory when the file is being scanned, fooling the security program into believing the file or directory is clean. A more sophisticated technique involves temporarily 'uninfecting' a file during scans and reinfecting it once a scan is completed.
Another common trick is to disguise changes in the file size or header information.
SymbOS
The platform designator for the popular Symbian operating system (OS) used to run data-enabled phones (also known as smartphones).
Created by Symbian Ltd., this OS supports Java, Bluetooth connectivity, GPRS data transmission, and computer synchronization.