Types of Attacks and Malicious Software


1 Types of Attacks and Malicious Software
Chapter 15

2 Objectives Describe various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing. Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits. Explain how social engineering can be used as a means to gain access to computers and networks. Describe the importance of auditing and what should be audited. Attacks can be made against virtually any layer or level of software, from network protocols to applications. When an attacker finds a vulnerability in a system, he exploits the weakness to attack the system. The effect of an attack depends on the attacker's intent and can range from minor to severe. An attack may also not be visible on the user's own system, because it is actually carried out against a different system the user depends on: the attacker compromises the first system in order to manipulate the data the second system obtains from it. For example, poisoning a DNS cache affects every client and process that relies on that resolver, usually without any warning to the user.

3 Key Terms
Backdoor – This is a hidden method used to gain access to a computer system, network, or application. Often used by software developers to ensure unrestricted access to the systems they create. Synonymous with trapdoor.
Birthday attack – This is a form of attack that succeeds by matching any one of a set of items rather than one specific item, which takes far fewer attempts than matching a specific item.
Botnet – This is a collection of software robots, or bots, that runs autonomously and automatically and commonly invisibly in the background. The term is most often associated with malicious software, but it can also refer to the network of computers using distributed computing software.
Buffer overflow – This is a specific type of software coding error that enables user input to overflow the allocated storage area and corrupt a running program.
Denial-of-service (DoS) attack – This is an attack in which actions are taken to deprive authorized individuals from accessing a system, its resources, the data it stores or processes, or the network to which it is connected.
Distributed denial-of-service (DDoS) attack – A special type of DoS attack in which the attacker elicits the generally unwilling support of other systems to launch a many-against-one attack.
DNS kiting – This is the use of a domain name during the registration payment grace period without ever paying for it (registering it, dropping it before the grace period ends, and registering it again).
Drive-by download attack – An attack on an innocent victim machine where content is downloaded without the user's knowledge.
Man-in-the-middle attack – This is any attack that attempts to use a network node as the intermediary between two other nodes. Each of the endpoint nodes thinks it is talking directly to the other, but each is actually talking to the intermediary.
Null session – This is how Microsoft Windows represents an unauthenticated connection.
Pharming – This is the use of a fake website to socially engineer someone out of credentials.
Phishing – This is the use of social engineering to trick a user into responding to something, such as an email, in order to initiate a malware-based attack.
Ping sweep – This is the use of a series of ICMP ping messages to map out a network.
Port scan – This is the examination of TCP and UDP ports to determine which are open and what services are running.

4 Key Terms (continued)
Replay attack – This is an attack where captured data is replayed through a system to reproduce a series of transactions.
Sequence number – This is a number within a TCP packet used to maintain TCP connections and conversation integrity.
Smurf attack – This is a method of generating significant numbers of packets for a DoS attack by sending spoofed echo requests to a broadcast address.
Sniffing – This is the observation of network traffic as it passes through a network on shared broadcast media, using a software or hardware device called a sniffer.
Spear phishing – This is a form of targeted phishing where specific information is included to convince the recipient that the communication is genuine.
Spoofing – This is making data appear to have originated from another source so as to hide the true origin from the recipient.
Spyware – This is software that "spies" on users, recording and reporting on their activities. Typically installed without user knowledge, spyware can do a wide range of activities.
SYN flood – This is a method of performing DoS by exhausting TCP connection resources through partially opening connections and letting them time out.

5 Avenues of Attack Specific targets
Chosen based on attacker’s motivation Not reliant on target system’s hardware and software Targets of opportunity Systems with hardware or software vulnerable to a specific exploit Often lacking current security patches Generally, computer systems are attacked either as specific targets or merely as targets of opportunity. An attacker’s motivation in specifically targeting a system may be political, monetary, or other. In these instances the choice to attack does not rely on the exact hardware and software being used in the targeted system, but rather proceeds in spite of these details. Target of opportunity attacks succeed when systems are found which have not been updated with the most current security patches and are therefore vulnerable to specific exploits.

6 The Steps in an Attack Conducting reconnaissance Scanning
Researching vulnerabilities Performing the attack Creating a backdoor Covering tracks Hacking a computer system is a multi-step, fairly complicated process, and over time a "standard" method has emerged. This is an agenda slide for the next six slides, which introduce the six steps that occur in a typical attack.

7 Conducting Reconnaissance
Gather as much information as possible about the target system and organization. Use the Internet. Explore government records. Use tools such as Whois.Net. Don't worry yet whether the information being gathered is relevant or not. The first step of an attack is to gather as much information as possible about the system or organization being targeted. Key data would include names, phone numbers, IP addresses, physical addresses, networks maintained by the organization, and even the organizational structure or hierarchy. This information can be gathered through open source Internet searches of the group's web pages and FTP sites through Google or another search engine. Information can also be acquired using resources such as the SEC's EDGAR website, which provides numerous financial reports. Additional information can be gathered using tools such as Whois.Net to link registrants and IP addresses. At this point it may not be clear what information will be needed to make the attack successful. Do not worry about what data is being collected; just gather as much as can be found using as many sources as possible. As the attack moves forward through the scanning and vulnerability research phases, some of the information may prove more valuable than originally thought.

8 Scanning Identify target systems that are active and accessible.
Ping sweep Port scan Identify the operating system and other specific application programs running on system. Analyzing packet response The next step in the attack process is scanning to determine which target systems are active and accessible on the target network. First, a broad ping sweep is used to identify which machines on the target network are reachable. Next, a port scan is used to identify open ports and, from the banners or responses returned, the services listening on the systems previously found. Once the active and accessible systems have been identified, additional scanning can be performed to determine the operating system and any other specific application programs running on the target system. This is accomplished by sending specifically formatted packets to the target system and then analyzing the response, since different operating systems and versions answer unusual or malformed packets in characteristically different ways. Note that a ping sweep only finds hosts that answer ICMP echo requests; a host whose firewall drops ICMP is still up and can still be found by a port scan.

9 Researching Vulnerabilities
Wealth of information available through the World Wide Web Lists of vulnerabilities in specified OS and application programs Tools created to exploit vulnerabilities Once the software running on the target system has been determined, an attacker can then use the Internet to research vulnerabilities previously identified within the software and hardware of the target system. There are many web sites that provide both information about vulnerabilities and tools that can be downloaded and used to exploit those vulnerabilities. System administrators may also find these types of web sites valuable in their efforts to stay abreast of new vulnerabilities that they must secure within their systems.

10 Performing the Attack Matching an attack to an identified vulnerability Once vulnerabilities have been identified within the target systems, they can be attacked in a variety of ways depending on the attacker's objective. The possible outcomes are as diverse as the avenues for executing the attack; some examples include crashing the system, theft of information, and defacement of a website. The key is to match the chosen attack to the vulnerability identified through reconnaissance and scanning.

11 Creating a Backdoor Provides future access to the attacker
May create "authorization" for themselves Could install an agent As part of the attack, an attacker may wish to create a way to regain access to the target system more easily in the future. This is done by creating a backdoor into the system that will give the attacker access to the previously compromised system. Whether it is done simply by adding themselves to the list of authorized users, or with more effort by writing code or installing an agent that will initiate contact with the attacker at some future point, the key for the attacker is to capitalize on their current success by ensuring access in the future.

12 Covering Their Tracks In an effort to remain undetected, attackers endeavor to cover their tracks: Erase pertinent log files from the system. Change file time stamps to appear unaltered. Exam Tip: A good defense against a hacker modifying or erasing log files is to maintain them on a separate, remote log server with restricted access, so that an attacker who has compromised a host cannot rewrite the record of how they did it. If an attacker has succeeded in gaining access to the target system, carrying out the attack, and creating a backdoor into the system, they will typically then try to cover their tracks to avoid detection. This is the final step in the attack process. One method used to avoid discovery is to erase the log files that record the attacker's actions. Another is to reset file time stamps so that the files do not appear to have been altered by the attacker.

13 Minimizing Possible Avenues of Attack
Ensure all patches are installed and current. Limit the services being run on the system. Limits possible avenues of attack Reduces number of services the administrator must continually patch Limit the amount of publicly available data about the system and organization. In order to minimize the possibility of an attack, an administrator should limit the exposure of their systems. This can be done in three steps: ensure all patches are installed and up to date; limit the services being run on the system, which both limits the possible avenues of attack and reduces the number of services the administrator must continually patch; and limit the amount of publicly available data about the system and organization.

14 Attacking Computer Systems and Networks
An attack is an attempt by an unauthorized person to: Gain access to or modify information Assume control of an authorized session Disrupt the availability of service to authorized users An attack can be defined as an attempt by an unauthorized individual to gain access to or modify information without proper permission, to assume control of an authorized session, or to disrupt the availability of a service or system resources to authorized users.

15 Attacking Computer Systems and Networks (continued)
Variety of methods used to carry out attacks Attacks on specific software Rely on code flaws or software bugs Indicates lack of thorough code testing Attacks on a specific protocol or service Take advantage of or use a service or protocol in an unintended manner There are many different methods employed in attacking networks and computer systems. Generally, network and computer system attacks can be grouped into two categories. The first category is an attack on specific software, such as an application or the operating system. These software-specific attacks rely on flaws within the program's code or a bug in the overall operation of the software to succeed. These flaws should have been identified and corrected during the testing phase of the software development lifecycle. The second category is an attack on a specific protocol or service. These attacks exploit a specific protocol or service, either by using it in a manner different from its intended purpose or by taking advantage of a specific feature of the protocol or service.

16 Types of Attacks Denial-of-service Backdoors/Trapdoors Null sessions
Sniffing Spoofing Man-in-the-middle Replay TCP/IP hijacking Drive-by downloads Phishing/pharming Attacks on encryption Address system attacks Password guessing Hybrid attack Birthday attack This is an agenda slide for the next 15 slides – to illustrate the different types of common attacks

17 Denial-of-Service Attack
Exploit known identified vulnerabilities Purpose is to prevent normal system operations for authorized users Can be accomplished in multiple ways Take the system offline Overwhelm the system with requests Security + Objective 2.1g DOS attacks A denial-of-service (DoS) attack can exploit a previously identified vulnerability within a specific application or a weakness in a specific protocol. The purpose of the DoS attack is to prevent a system from normal operations by denying authorized users access to system resources or the network in general. There are multiple ways that a DoS attack can be carried out, depending on the desired outcome and the tools available to the attacker. One way to deny authorized users access to the system is to take the system offline, for example by crashing it. Another is to overwhelm the system with so many requests that authorized users' legitimate requests are unable to get through.

18 SYN Flood Attack An example of a DoS attack targeting a specific protocol or service Illustrates basic principles of most DoS attacks Exploit a weakness inherent to the function of the TCP/IP protocol Uses TCP three-way handshake to flood a system with faked connection requests Security + Objective 2.1g DOS attacks One example of a DoS attack that exploits a weakness in the operation of a specific protocol is a SYN flood attack. A study of how a SYN flood attack works illustrates the basic principles of how any DoS attack works. A SYN flood attack takes advantage of the way that TCP/IP networks were designed to function. SYN flooding uses the TCP three-way handshake that establishes a connection between two systems.

19 TCP Three-Way Handshake
System 1 sends SYN packet to System 2. System 2 responds with SYN/ACK packet. System 1 sends ACK packet to System 2 and communications can then proceed. First, System 1 sends a SYN packet to System 2 indicating a desire to communicate with the system. Then System 2 responds to System 1 with a single packet that has both the SYN and ACK flags set (the SYN/ACK), indicating its willingness to accept communications. Once System 1 receives the SYN/ACK packet, it responds with an ACK packet and the connection is established between the systems. System 2 must remember every connection for which it has sent a SYN/ACK but not yet received the ACK; these half-open connections are the resource a SYN flood exhausts.

20 Steps of a SYN Flood Attack
Communication request sent to target system. Target responds to faked IP address. Target waits for non-existent system response. Request eventually times out. If the attacks outpace the requests timing-out, then systems resources will be exhausted. Security + Objective 2.1g DOS attacks First, an attacker sends a connection request (SYN) to a target system, but with a forged source IP address. The target system then responds to the request, but directs its SYN/ACK to the forged IP address. Next the target system waits in vain for an acknowledgement from the non-existent system at the forged address. That acknowledgement never comes, and the half-open connection eventually times out. However, if the attacker is able to send these forged requests faster than the target times them out, the backlog of half-open connections fills the target's connection table to the point where it can no longer accept new connection requests, including legitimate ones.

21 SYN Flood Attack This illustration shows a SYN flood attack as described in the previous slide.

22 Distributed Denial-of-Service Attack (DDoS)
Goal is to deny access or service to authorized users Uses resources of many systems combined into an attack network Overwhelms target system or network With enough attack agents, even simple web traffic can quickly affect a large website Security + Objective 2.1h DDoS attacks Similar to a DoS attack, a Distributed Denial of Service (DDoS) attack has a goal of denying service to authorized users. The difference between a DoS and DDoS attack centers on the ability of the DDoS to use the combined resources of many systems. An entire network of attack agents can be commandeered and controlled by an attacker. The combined systems can then overwhelm the target with traffic under the direction of the attacker. If the attack network is large enough, even simple web traffic can quickly overwhelm even the largest web sites.

23 Denial-of-Service Attack
Security + Objective 2.1h DDoS attacks This illustration shows a DDoS attack as described in the previous slide.

24 Ping of Death (POD) Another example of a DoS attack.
Illustrates an attack targeting a specific application. Attacker sends ICMP ping packet > 64KB. This ping packet size should not occur naturally. ICMP packet will crash certain systems unable to handle it. A Ping of Death attack (POD) is an example of a DoS attack which targets a specific protocol or operating system. Attacker sends an Internet Control Message Protocol (ICMP) ping packet equal to or greater than 64KB. This type of packet should not occur naturally. Some systems cannot handle the packet and will hang or crash.

25 Preventing DoS & DDoS Attacks
Ensure necessary patches and upgrades remain current. Change time-out period for TCP connections. Distribute workload across several systems. Block external ICMP packets at border. The first method to prevent DoS and DDoS attacks is to keep all necessary system patches and upgrades current. Attackers are typically quick to exploit newly discovered vulnerabilities, so administrators usually have only a small window of opportunity in which to patch their systems. Another method is to reduce the time-out period for half-open TCP connections so that unanswered SYN/ACKs are dropped more quickly, which makes a SYN flood harder to sustain; most current operating systems also implement SYN cookies, which let the server avoid keeping any state for a connection until the client's final ACK arrives. To help prevent or at least minimize a DDoS attack, the workload can be distributed across several systems. Distributing the workload forces attackers to target multiple hosts simultaneously to succeed in disrupting service. A final method is to block external ICMP packets at the border. As many attacks rely on ICMP, blocking these packets, or at least specific forms of ICMP such as echo requests to broadcast addresses, can help prevent attacks; blocking ICMP entirely, however, also breaks legitimate functions such as path MTU discovery, so selective filtering is preferable.

26 Trapdoors and Backdoors
Hard-coded access built into the program Ensures access should normal access methods fail Creates vulnerability in systems using the software Backdoor Ensures continued unrestricted access in the future Attackers implant them in compromised systems Can be installed inadvertently with a Trojan horse Security + Objective 2.5c backdoors In the beginning, backdoors referred to efforts by software developers to ensure access to a program that bypassed the normal access methods. Over time, this practice has come to be known as creating a trapdoor into a program. One problem with a trapdoor is that since it is hard-coded into the program, it can be very difficult if not impossible to remove. A benefit to software developers and system administrators alike in using a trapdoor is that it ensures access to a program even if the normal access methods fail. However, this benefit is far outweighed by the vulnerability the trapdoor creates within each system running the affected software: once the hard-coded credential or access method is discovered, it works against every installation. The trapdoor offers full access into the system, where an attacker could cause serious harm. More recently, a backdoor has come to refer to the programs or code introduced by an attacker who has compromised a system. A few common backdoor programs are NetBus and Back Orifice, which both allow remote access to unauthorized system users. The purpose of the backdoor is to grant the attacker future access to the system even if the original vulnerability used to attack the system has been rectified. Usually, backdoors are installed on systems by unauthorized users or attackers. However, they can also be installed by authorized users who inadvertently run a Trojan horse program on their machine which then installs the backdoor as well. Similar to the backdoor, another method employed by attackers is to install a rootkit on a system that ensures continued root access for the attacker while hiding the attacker's files and processes.

27 Null Sessions A connection to a Windows inter-process communication share (IPC$) Systems prior to XP and Server 2003 are vulnerable. Used by a variety of exploit tools and malware. No patch is available. Options to counter the vulnerability Upgrade systems to Windows XP or newer version Only allow trusted hosts access to TCP ports 139 and 445 Security + Objective 2.1c null sessions A null session is an unauthenticated connection to a Windows inter-process communication share (IPC$). A weakness in the Server Message Block (SMB) implementation of Microsoft Windows systems prior to XP and Server 2003 allows anonymous users to establish a null session and enumerate information such as user names and shares. Microsoft Windows systems beginning with XP and Server 2003 restrict anonymous access by default and are not vulnerable. A wide range of tools and malware use this weakness to achieve their aims; systems running earlier versions of Windows remain vulnerable, and there is no patch that removes the behavior. There are a few ways to limit exposure to null sessions. One is to upgrade the systems to Windows XP, Server 2003, or a newer version. Another is to restrict access to TCP ports 139 and 445 so that only trusted hosts can reach them.

28 Sniffing Attacker observes all network traffic.
Software, hardware, or combination of the two Ability to target specific protocol, service, string of characters, etc. May be able to modify some or all traffic in route Network administrators can use to monitor and troubleshoot network performance. TCP/IP protocols were originally developed to operate in a friendly environment where each system connected to the network used the protocols as they were designed. However, as time went on, the protocols began to be abused, as is illustrated by network-traffic sniffing programs, sometimes referred to as sniffers. Sniffing occurs when an attacker examines all network traffic as it passes their NIC, whether or not the traffic is addressed to them (the NIC is placed in promiscuous mode so that it stops discarding frames addressed to other hosts). Network sniffing can be accomplished with a software application, a hardware device, or a combination of the two. Sniffing can be used to view all network traffic, or it can target a specific protocol, service, or even string of characters such as a login or password. Some network sniffers are designed not just to observe traffic but to modify some or all of it in transit as well. On a switched network the switch only forwards a frame to the port of its destination host, so an attacker must first arrange to see the traffic, for instance through a mirror port or by poisoning ARP caches. Network administrators may also use sniffers to analyze network traffic, identify bandwidth issues, and troubleshoot other network issues.
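What a sniffer does with the frames once it has them, as an added example that is not from the book: decode Ethernet/IPv4/TCP headers and pull clear-text FTP credentials out of traffic to the control port, the "target a specific protocol, service, or string of characters" case above. No live capture is performed; the frames, addresses and the alice/hunter2 login are constructed in the block and fed to the parser exactly as frames read from a NIC in promiscuous mode would be.

```python
"""Added example: decoding captured Ethernet/IPv4/TCP frames and harvesting
clear-text FTP credentials, the way a protocol-targeting sniffer does.

Not from the book. No live capture: the frames are built in build_frame()
from constructed addresses and payloads, then parsed as a sniffer would
parse frames read from the NIC.
"""
import socket
import struct

ETH_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum; a valid IPv4 header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble Ethernet + IPv4 + TCP (no options) around `payload`."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000,
                      (5 << 12) | 0x018,        # data offset 5 words, PSH|ACK
                      65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip_wo_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                            64, PROTO_TCP, 0,
                            socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip_wo_sum[:10] + struct.pack("!H", ip_checksum(ip_wo_sum)) + ip_wo_sum[12:]
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4)  # constructed MACs
    return eth + ip + tcp


def parse_frame(frame: bytes):
    """Return the TCP endpoints and payload, or None for anything that is not
    well-formed IPv4/TCP (frames whose IP checksum fails are discarded too)."""
    if len(frame) < 14 + 20 + 20 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ver_ihl = ip[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ip_checksum(ip[:ihl]) != 0:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


def harvest_ftp_logins(frames, ftp_port: int = 21):
    """Keep only traffic to the FTP control port and pull USER/PASS lines."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["dport"] != ftp_port:
            continue
        for line in pkt["payload"].split(b"\r\n"):
            for verb in (b"USER ", b"PASS "):
                if line.startswith(verb):
                    found.append((pkt["src"], pkt["dst"], verb.strip().decode(),
                                  line[len(verb):].decode(errors="replace")))
    return found


def sample_capture():
    """Constructed traffic mix: a web request, an FTP login, and a corrupted frame."""
    frames = [
        build_frame("10.0.0.5", "10.0.0.80", 51000, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
        build_frame("10.0.0.5", "10.0.0.9", 51001, 21, b"USER alice\r\n"),
        build_frame("10.0.0.9", "10.0.0.5", 21, 51001, b"331 Password required\r\n"),
        build_frame("10.0.0.5", "10.0.0.9", 51001, 21, b"PASS hunter2\r\n"),
    ]
    damaged = bytearray(build_frame("10.0.0.6", "10.0.0.9", 51002, 21, b"USER bob\r\n"))
    damaged[14 + 8] ^= 0x01      # flip a bit in the TTL: the IP checksum no longer verifies
    frames.append(bytes(damaged))
    return frames


if __name__ == "__main__":
    for src, dst, verb, value in harvest_ftp_logins(sample_capture()):
        print(f"{src} -> {dst}  {verb} {value}")
```

The same skeleton, with a different port and prefix, harvests Telnet, POP3 or HTTP Basic credentials; what defeats it is not hiding the traffic but encrypting it, which is why the sniffing defence in practice is moving those services to TLS or SSH rather than trusting that nobody is listening.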

29 Sniffing (continued) Physical security is key in preventing introduction of sniffers on the internal network. This illustration depicts an internal attacker with the ability to observe all network traffic. Fortunately, for network sniffers to be most effective, they need to be on the internal network, which generally means that the chances for outsiders to use them against you are extremely limited. This is another reason that physical security is an important part of information security in today’s environment.

30 Spoofing True source of data is disguised:
Commonly accomplished by altering packet header information with false information Can be used for a variety of purposes Email Spoofing From address differs from sending system Recipients rarely question authenticity of the email Security + Objective 2.1d spoofing When data appears to be coming from a different source than it actually is, the data source is being spoofed. An attacker's goal in spoofing may be to manipulate return packets in the case of ping sweeps, provide anonymity for emails, or perform some other action without the target system's knowledge. Spoofing is accomplished by altering a packet's header information to deceive the receiver as to the true origin of the packet. When a packet is sent from one system to another, it includes not only the destination IP address and port but the source IP address as well. Systems normally fill in their own address as the source, but an attacker with raw socket access can fill in another system's address instead. Email Spoofing In email spoofing, a message is sent with a From address that differs from that of the sending system. This can be easily accomplished in several different ways using several programs, because SMTP by itself does not verify the From address. Recipients can use several methods to determine whether an email message was actually sent by the source it claims to have come from, but most users do not question their email and will accept a message as authentic based on where it appears to have originated.

31 IP Address Spoofing Security + Objective 2.1d spoofing
In a specific DoS attack known as a smurf attack, the attacker sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network. In the smurf attack, the packet sent by the attacker to the broadcast address is an echo request with the From address forged so that it appears that another system (the target system) has made the echo request. The normal response of a system to an echo request is an echo reply, and it is used in the ping utility to let a user know whether a remote system is reachable and is responding. In this illustration, the attacker has sent one packet and has been able to generate as many as 254 responses aimed at the target. Should the attacker send several of these spoofed requests, or send them to several different networks, the target can quickly become overwhelmed with the volume of echo replies it receives.

32 Spoofing and Trusted Relationships
Security + Objective 2.1d spoofing Spoofing can also take advantage of a trusted relationship between two systems. If two systems are configured to accept the authentication accomplished by each other, an individual logged onto one system might not be forced to go through an authentication process again to access the other system. An attacker can take advantage of this arrangement by sending a packet to one system that appears to have come from the trusted system. Since the trusted relationship is in place, the targeted system may perform the requested task without authentication. Since a reply will often be sent once a packet is received, the system being impersonated could interfere with the attack: it would receive a SYN/ACK for a connection it never requested and would normally answer with a TCP reset, tearing the connection down. The attacker will therefore often first launch a DoS attack (such as a SYN flood) against the spoofed system to silence it for the period of time the attacker is exploiting the trusted relationship. Once the attack is completed, the DoS attack on the spoofed system is terminated, and the system administrators, apart from having had a temporarily nonresponsive system, might never notice that the attack occurred. The figure in this slide illustrates a spoofing attack that includes a SYN flooding attack. Because of this type of attack, administrators are encouraged to strictly limit any trusted relationships between hosts. Firewalls should also be configured to discard any packets arriving from outside the firewall whose source addresses indicate they originated from inside the network (a situation that should not occur normally and that indicates spoofing is being attempted); the complementary egress filter, discarding outbound packets whose source is not an internal address, keeps the site's own hosts from being used as a spoofing or smurf source.
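The border-filter advice from the last two slides (drop outside packets with inside source addresses, and drop the directed-broadcast echo requests that drive a smurf attack) as an added example, not from the book: the filter decision written as a function and run over constructed packets. The interface names "wan" and "lan", the site prefix 192.0.2.0/24 and every address in the sample traffic are assumed values from the documentation ranges; a real deployment expresses the same rules in the firewall's own language.

```python
"""Added example: the two spoofing defences the slides recommend, expressed as
a packet-filter decision and run over constructed packets.

Not from the book. The interface names ("wan", "lan"), the internal prefix
192.0.2.0/24 (a documentation range) and the sample packets are all assumed.
"""
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")      # assumed site prefix
DIRECTED_BROADCAST = INTERNAL.broadcast_address      # 192.0.2.255
# Source addresses that never legitimately arrive from the outside.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
ICMP_ECHO_REQUEST = 8


def verdict(pkt: dict) -> str:
    """Return "accept" or "drop:<reason>" for one packet seen at the border."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["iface"] == "wan":
        # Ingress filter: an outside packet claiming an inside source is forged.
        if src in INTERNAL:
            return "drop:spoofed-internal-source"
        if any(src in net for net in BOGONS):
            return "drop:bogon-source"
        # Smurf amplification: echo requests aimed at our directed broadcast.
        if (pkt["proto"] == "icmp" and pkt.get("type") == ICMP_ECHO_REQUEST
                and dst == DIRECTED_BROADCAST):
            return "drop:directed-broadcast-echo"
        return "accept"
    if pkt["iface"] == "lan":
        # Egress filter (BCP 38 / RFC 2827): our hosts may only source our
        # prefix, so they cannot spoof others or serve as a smurf "From" address.
        if src not in INTERNAL:
            return "drop:spoofed-egress-source"
        return "accept"
    return "drop:unknown-interface"


def sample_packets():
    """Constructed border traffic; all addresses are from documentation ranges."""
    return [
        {"iface": "wan", "src": "203.0.113.10", "dst": "192.0.2.10", "proto": "tcp"},
        {"iface": "wan", "src": "192.0.2.5", "dst": "192.0.2.10", "proto": "tcp"},
        {"iface": "wan", "src": "127.0.0.1", "dst": "192.0.2.10", "proto": "udp"},
        {"iface": "wan", "src": "198.51.100.7", "dst": "192.0.2.255", "proto": "icmp", "type": 8},
        {"iface": "wan", "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "icmp", "type": 8},
        {"iface": "lan", "src": "192.0.2.20", "dst": "203.0.113.10", "proto": "tcp"},
        {"iface": "lan", "src": "198.51.100.9", "dst": "203.0.113.10", "proto": "tcp"},
    ]


def filter_all(packets):
    """Apply verdict() to each packet, preserving order."""
    return [verdict(p) for p in packets]


if __name__ == "__main__":
    for p, v in zip(sample_packets(), filter_all(sample_packets())):
        print(f"{p['iface']:3} {p['src']:>14} -> {p['dst']:<14} {v}")
```

Only the fourth packet is dropped as a smurf trigger; the ordinary echo request to a single host in the fifth packet passes, which is the selective ICMP filtering the DoS-prevention slide prefers over blocking ICMP wholesale.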

33 Sequence Numbers SYN packets include an original sequence number.
Sequence numbers are incremented by 1 and sent back with ACK packets. Security + Objective 2.1d spoofing In the TCP three-way handshake, two sets of sequence numbers are created. The first system chooses an initial sequence number to send with the original SYN packet. When the second host responds with its own SYN, it generates its own initial sequence number. In the same packet it also acknowledges the first host's SYN: the acknowledgement number it sends is the first host's sequence number incremented by 1. The first host receives the SYN/ACK carrying both numbers, increments the second host's sequence number by one, and sends it back as the acknowledgement number in its ACK. This final acknowledgement number is what the server checks before it considers the connection established, and it is the value an attacker impersonating the client must supply.

34 Spoofing and Sequence Numbers
Attacker must use correct sequence number: TCP packet sequence numbers are 32-bit. Sequence numbers are incremented by 1. Very difficult to guess. Insider attacks vs. external attacks Security + Objective 2.1d spoofing How complicated the spoofing is depends heavily on several factors, including whether the traffic is encrypted and where the attacker is located relative to the target. An external attacker has a much harder time forging packets that carry the correct 32-bit sequence number associated with a TCP connection. Packets are not always received in order, so the sequence number is used to reorder packets as they arrive and to recognize missing ones. Spoofing attacks from inside a network are typically easier than attacks from outside, because an attacker inside can observe the traffic and so do a better job of formulating the necessary packets. If the attacker is inside the network and can observe the traffic with which the target host responds, the attacker can simply read the sequence number the system creates and respond with the correct acknowledgement. If the attacker is external to the network and never sees the sequence number the target generates, it is next to impossible to provide the final ACK with the correct number, provided the target chooses its initial sequence numbers unpredictably. Early TCP implementations incremented the initial sequence number in a predictable way, which made blind spoofing practical; modern stacks randomize it for exactly this reason.
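Slides 20 (SYN flood) and 33 to 34 (sequence numbers and spoofing) describe the same piece of server state from two sides, so here is one added example, not from the book, that models it: a listener with a bounded half-open table, random initial sequence numbers and a timeout. The flood scenario shows the table filling only when forged SYNs arrive faster than BACKLOG divided by SYN_TIMEOUT, and the spoofing scenario shows the final ACK succeeding only when the attacker saw the SYN/ACK. BACKLOG and SYN_TIMEOUT are assumed toy values (real stacks hold far more entries and retransmit the SYN/ACK for about a minute); the clock is injected so the scenarios are deterministic.

```python
"""Added example (not from the book): a TCP listener's half-open connection
table, used to show why a SYN flood that outpaces the SYN timeout exhausts
the backlog and why a spoofed handshake's final ACK only works when the
attacker has seen the server's SYN/ACK.  BACKLOG and SYN_TIMEOUT are assumed
toy values; the clock is injected so every scenario is deterministic.
"""
import secrets
from dataclasses import dataclass

BACKLOG = 4          # half-open entries the listener will hold (assumed)
SYN_TIMEOUT = 3.0    # seconds before an unanswered SYN/ACK is forgotten (assumed)
SEQ_MASK = 0xFFFFFFFF


@dataclass
class Segment:
    src: str
    sport: int
    flags: str        # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class Listener:
    """The passive side of the three-way handshake, state table included."""

    def __init__(self, clock):
        self.clock = clock
        self.half_open = {}       # (src, sport) -> (server ISN, expiry time)
        self.established = set()
        self.dropped_syns = 0

    def _expire(self):
        now = self.clock.now
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}

    def receive(self, seg):
        self._expire()
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if len(self.half_open) >= BACKLOG:
                self.dropped_syns += 1     # table full: the SYN is silently lost
                return None
            isn = secrets.randbits(32)     # unpredictable ISN, as modern stacks use
            self.half_open[key] = (isn, self.clock.now + SYN_TIMEOUT)
            return Segment("server", 0, "SYN/ACK", isn, (seg.seq + 1) & SEQ_MASK)
        if seg.flags == "ACK":
            entry = self.half_open.get(key)
            if entry is None:
                return None                # no handshake pending (a real stack sends RST)
            if seg.ack != (entry[0] + 1) & SEQ_MASK:
                return None                # wrong acknowledgement number: rejected
            del self.half_open[key]
            self.established.add(key)
            return "ESTABLISHED"
        return None


def handshake(listener, src="10.0.0.7", sport=40000):
    """A well-behaved client: SYN, read the SYN/ACK, answer with the right ACK."""
    client_isn = secrets.randbits(32)
    synack = listener.receive(Segment(src, sport, "SYN", client_isn))
    if synack is None:
        return None                        # our SYN was dropped
    return listener.receive(Segment(src, sport, "ACK", (client_isn + 1) & SEQ_MASK,
                                    (synack.seq + 1) & SEQ_MASK))


def syn_flood(listener, clock, count, per_second):
    """SYNs from forged sources that will never answer the SYN/ACK."""
    for i in range(count):
        listener.receive(Segment(f"198.51.100.{i % 250 + 1}", 1024 + i, "SYN",
                                 secrets.randbits(32)))
        clock.advance(1.0 / per_second)


def flood_scenario(per_second, count=20):
    """Returns (legitimate client blocked?, recovered after timeout?, SYNs dropped).
    The flood only bites while per_second * SYN_TIMEOUT exceeds BACKLOG."""
    clock = FakeClock()
    listener = Listener(clock)
    syn_flood(listener, clock, count, per_second)
    blocked = handshake(listener) is None
    clock.advance(SYN_TIMEOUT + 0.1)       # let the forged half-opens expire
    recovered = handshake(listener) == "ESTABLISHED"
    return blocked, recovered, listener.dropped_syns


def spoofed_handshake(attacker_can_sniff):
    """Attacker impersonates trusted host 10.0.0.9, which never sees the SYN/ACK."""
    listener = Listener(FakeClock())
    synack = listener.receive(Segment("10.0.0.9", 5555, "SYN", 7))
    if attacker_can_sniff:
        ack = (synack.seq + 1) & SEQ_MASK   # inside the network: read it off the wire
    else:
        ack = secrets.randbits(32)          # off-path: a 1-in-2**32 guess
    return listener.receive(Segment("10.0.0.9", 5555, "ACK", 8, ack)) == "ESTABLISHED"


if __name__ == "__main__":
    print("10 SYN/s flood:", flood_scenario(10))
    print(" 1 SYN/s flood:", flood_scenario(1))
    print("on-path spoof:", spoofed_handshake(True), " off-path spoof:", spoofed_handshake(False))
```

At 10 forged SYNs per second the four slots fill in under half a second and the legitimate client's SYN is dropped until the entries age out; at 1 per second the table never holds more than three entries and the client gets through. SYN cookies remove the table entirely by encoding the server's state in its choice of ISN, which is why they are the standard mitigation today.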

35 Man-in-the-Middle Attack
Attacker is positioned between two target hosts: Typically accomplished through router manipulation Traffic redirected to attacker, then forwarded on Benefits: Attacker can intercept, modify, and/or block traffic Communication appears normal to target hosts Limitation: Useful data collection reduced if traffic is encrypted Security + Objective 2.1e Man in the middle attacks When an attacker successfully inserts themselves into the communications between two other hosts by spoofing addresses, it is referred to as a man-in-the-middle attack. A man-in-the-middle attack is usually accomplished by manipulating a router to alter the path of the traffic; on a local network the same effect is commonly achieved by ARP spoofing, which makes both hosts send their frames to the attacker's MAC address. The traffic is sent to the attacker rather than the intended target and then relayed on to the target host. Benefits: This enables the attacker to observe the traffic from each target host in transit and may even allow the attacker to modify or block certain messages. Since all expected replies are received by the target hosts, it can appear to them that communications are occurring normally. Limit: If the data being intercepted from the target hosts is encrypted, the attacker may only be able to glean a limited amount of information, unless the hosts can be tricked into accepting the attacker's key or certificate.

36 Man-in-the-Middle Attack (continued)
Security + Objective 2.1e Man in the middle attacks This diagram illustrates a Man-in-the-Middle attack as described in the previous slide.

37 Replay Attack
Attacker intercepts part of an exchange between two hosts and retransmits the message later.
Often used to bypass authentication mechanisms
Prevented by encrypting traffic, cryptographic authentication, and time-stamping messages.

Security + Objective 2.1f replay attacks
A replay attack occurs when an attacker captures a portion of a communication between two hosts and then retransmits the captured message at a later time. Replay attacks are often used to circumvent authentication mechanisms. Systems can prevent falling victim to a replay attack by encrypting traffic, providing cryptographic authentication, and including a time stamp with each portion of the message.
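The three defences the slide lists (cryptographic authentication, a time stamp on each message, and rejecting repeats) can be combined in one receiver-side check. The following is an added example, not code from the presentation: the sender attaches a timestamp and a fresh nonce and authenticates all of it with an HMAC; the receiver verifies the MAC, rejects messages outside an assumed 30-second window, and remembers nonces seen inside that window so a captured message cannot be accepted twice. The shared key and the message contents are constructed sample values.

```python
import hmac
import hashlib
import secrets
import time

# Constructed sample secret shared by the two hosts (assumption for this example).
SHARED_KEY = b"example-shared-key-not-a-real-secret"
MAX_SKEW_SECONDS = 30  # assumed acceptance window for message timestamps


def _mac(key, ts, nonce, payload):
    # The MAC covers timestamp, nonce and payload so none of them can be altered.
    return hmac.new(key, f"{ts}|{nonce}|".encode() + payload, hashlib.sha256).hexdigest()


def sign_message(payload, key=SHARED_KEY, now=None):
    """Sender side: attach a timestamp and a fresh random nonce, then authenticate."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    return {"payload": payload, "ts": ts, "nonce": nonce, "mac": _mac(key, ts, nonce, payload)}


class ReplayGuard:
    """Receiver side: verifies the MAC, timestamp freshness and nonce uniqueness."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, kept only for the length of the window

    def _purge(self, now):
        # Nonces older than the window can be forgotten: a replay that old is
        # already rejected by the timestamp check below.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}

    def accept(self, msg, now=None):
        now = now if now is not None else time.time()
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["payload"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return (False, "bad mac")  # forged or tampered message
        if abs(now - msg["ts"]) > self.max_skew:
            return (False, "stale timestamp")  # captured long ago, or clock skew
        self._purge(now)
        if msg["nonce"] in self.seen:
            return (False, "replayed nonce")  # same capture retransmitted
        self.seen[msg["nonce"]] = msg["ts"]
        return (True, "ok")


def demo():
    """Constructed exchange: one legitimate message, then three things an attacker might try."""
    t0 = 1_700_000_000
    guard = ReplayGuard()
    msg = sign_message(b"transfer 100 to account 42", now=t0)
    first = guard.accept(msg, now=t0 + 1)                      # legitimate delivery
    replay = guard.accept(msg, now=t0 + 5)                     # same capture sent again
    late = guard.accept(sign_message(b"x", now=t0), now=t0 + 600)  # outside the window
    tampered = dict(msg, payload=b"transfer 999 to account 42")
    forged = guard.accept(tampered, now=t0 + 2)                # payload changed, MAC no longer matches
    return first, replay, late, forged


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified first so that an unauthenticated sender cannot influence the nonce cache, and the timestamp check is what allows the receiver to forget old nonces without opening a window for very old replays.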

38 TCP/IP Hijacking
Assume control of an already existing session:
Attacker circumvents authentication.
Can be disguised with a DoS attack.
Typically used against web and Telnet sessions.

Security + Objective 2.1b TCP/IP hijacking
TCP/IP hijacking and session hijacking are terms used to refer to the process of taking control of an already existing session between a client and a server. The advantage to an attacker of hijacking over attempting to penetrate a computer system or network is that the attacker doesn't have to circumvent any authentication mechanisms. To prevent the user from noticing anything unusual, the attacker may target the user's system with a DoS attack, taking it down so that the user, and the system, will not notice the extra traffic that is taking place. Hijack attacks generally are used against web and Telnet sessions.

39 Drive-by Download Attack
Unsolicited malware downloads
May be hidden in legitimate ads or hosted from web sites that prey on unaware users

Browsers are used to navigate the Internet, using HTTP and other protocols to bring files to users' computers. Some of these files are images, some are scripts, and some are text based, and together they form the web pages that we see. Users don't ask for each component; it is the job of the browser to identify the needed files and fetch them. A new type of attack called a drive-by download attack takes advantage of this process by initiating downloads of malware, whether a user clicks it or not. Drive-by downloads can occur from a couple of different mechanisms. It is possible for an ad that is rotated into content on a reputable site to contain a drive-by download. Users don't have control over what ads are presented. A second, more common method is a website that the user gets to either by mistyping a URL or by following a search link without vetting where they are clicking first. Just like cities can have bad neighborhoods, so too does the Internet, and surfing in a bad neighborhood can result in bad outcomes.

40 Phishing and Pharming
Phishing
Fraudulent e-mails designed to trick users into divulging confidential information
Pharming
Fake web sites created to elicit authentic user credentials

Phishing and pharming are two tools used for identity theft and are common attack methods used to steal credentials. Phishing is the use of fraudulent e-mails or instant messages that appear to be genuine but are designed to trick users. The goal of a phishing attack is to obtain from the user information that can be used in an attack, such as login credentials or other critical information. When the attacker includes information that should be known only to the entity that they are impersonating, the attack is called spear phishing. Pharming is the impersonation of a website in an effort to deceive a user into entering their credentials. The Anti-Phishing Working Group (APWG) is "an industry association focused on eliminating the identity theft and fraud that result from the growing problem of phishing and spoofing." APWG is located at

41 Attacks on Encryption
Cryptanalysis attempts to crack encryption
Common methods
Weak keys
Exhaustive search of key space
Indirect attacks

Cryptographic systems can be compromised in various ways.

Weak Keys – Certain encryption algorithms may have specific keys that yield poor, or easily decrypted, ciphertext. Imagine an encryption algorithm that consists solely of a single XOR function (an exclusive OR function where two bits are compared and a 1 is returned if either of the original bits, but not both, is a 1), where the key is repeatedly used to XOR with the plaintext. A key where all bits are 0's, for example, would result in ciphertext that is the same as the original plaintext. This would obviously be a weak key for this encryption algorithm. In fact, any key with long strings of 0's would yield portions of the ciphertext that were the same as the plaintext. In this simple example, many keys could be considered weak. Encryption algorithms used in computer systems and networks are much more complicated than a simple, single XOR function, but some algorithms have still been found to have weak keys that make cryptanalysis easier.

Exhaustive Search of Key Space – Even if the specific algorithm used to encrypt a message is complicated and has not been shown to have weak keys, the key length will still play a significant role in how easy it is to attack the method of encryption. Generally speaking, the longer a key, the harder it will be to attack. Thus, a 40-bit encryption scheme will be easier to attack using a brute-force technique (which tests all possible keys, one by one) than a 256-bit scheme. This is easily demonstrated by imagining a scheme that employs a 2-bit key. Even if the resulting ciphertext were completely unreadable, performing a brute-force attack until one key is found that can decrypt the ciphertext would not take long, since only four keys are possible. Every bit that is added to the length of a key doubles the number of keys that have to be tested in a brute-force attack on the encryption. It is easy to understand why a scheme utilizing a 40-bit key would be much easier to attack than a scheme that utilizes a 256-bit key. The bottom line is simple: an exhaustive search of the keyspace will decrypt the message. The strength of the encryption method is related to the sheer size of the keyspace, which with modern algorithms is large enough to provide significant time constraints when using this method to break an encrypted message. Algorithmic complexity is also an issue with respect to brute force, and you cannot immediately compare different key lengths from different algorithms and assume relative strength.

Indirect Attacks – One of the most common ways of attacking an encryption system is to find weaknesses in the mechanisms surrounding the cryptography. Examples include poor random-number generators, unprotected key exchanges, keys stored on hard drives without sufficient protection, and other general programmatic errors, such as buffer overflows. In attacks that target these types of weaknesses, it is not the cryptographic algorithm itself that is being attacked, but rather the implementation of that algorithm in the real world.
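The weak-key discussion above is easy to make concrete with the toy cipher the slide describes. The block below is an added example, not code from the presentation: it implements the repeating-key XOR scheme, shows that an all-zero key leaves the plaintext unchanged and that any zero byte in the key leaks the corresponding plaintext positions, and gives the kind of weak-key check a defender would want the key-generation step to perform before such a key is ever used. The plaintext and keys are constructed sample values.

```python
from itertools import cycle


def xor_cipher(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR, the scheme the slide uses to illustrate weak keys.
    Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def leaked_positions(plaintext: bytes, key: bytes):
    """Byte positions where the ciphertext equals the plaintext.
    For XOR this happens exactly where the key byte in use is 0."""
    ct = xor_cipher(plaintext, key)
    return [i for i, (p, c) in enumerate(zip(plaintext, ct)) if p == c]


def is_weak_key(key: bytes, max_zero_fraction: float = 0.0) -> bool:
    """Weak-key check for this toy cipher: a zero key byte passes plaintext
    through unchanged, so any key containing zero bytes (beyond a tolerated
    fraction, 0 by default) is rejected before it is used."""
    if not key:
        return True
    return key.count(0) / len(key) > max_zero_fraction


def demo():
    """Constructed demonstration of the slide's two observations."""
    pt = b"attack at dawn"
    identity = xor_cipher(pt, b"\x00\x00\x00\x00") == pt   # all-zero key: ciphertext == plaintext
    partial = leaked_positions(pt, b"\x00\x00Z")            # two of every three bytes leak
    return identity, partial, is_weak_key(b"\x00\x00Z"), is_weak_key(b"k3y")


if __name__ == "__main__":
    print(demo())
```

The check is specific to this toy scheme; real algorithms with known weak keys (the slide notes they exist) need algorithm-specific tests, but the principle is the same: reject weak keys at generation time rather than discovering them after a message has been exposed.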

42 Password Attacks
Most common user authentication is a combination of user ID and password.
A compromised password typically indicates a failure to adhere to good password procedures.

Security + Objective 2.5b weak passwords
The combination of a user ID and a password is the most common form of system authentication. When this combination fails, it is typically the result of users failing to adhere to good password procedures.

43 Password Attacks (continued)
Password attack methods
Guess
Dictionary
Brute force
Hybrid
Birthday

There are multiple ways to attack passwords, as the following list illustrates:

Guessing – It is surprising how often this simple method works, and the reason it does is because people are notorious for picking poor passwords. Even if the person doesn't use some personal detail as her password, the attacker may still get lucky, since many people use a common word for their password. Attackers can use the Internet to find many lists of common passwords to try.

Dictionary attack – The dictionary words can be used by themselves, or two or more smaller words can be combined to form a single possible password. A number of commercial and public-domain password-cracking programs employ a variety of methods to crack passwords, including using variations on the user ID.

Brute-force attack – A password-cracking program that attempts all possible character combinations. The length of the password and the size of the set of possible characters in the password will greatly affect the time a brute-force attack will take. A few years ago, this method of attack was very time consuming, since it took considerable time to generate all possible combinations. With the increase in computer speed, however, generating password combinations is much faster, making it more feasible to launch brute-force attacks against certain computer systems and networks. A brute-force attack on a password can take place at two levels: The attacker can use a password-cracking program to attempt to guess the password directly at a login prompt, or the attacker can first steal a password file, use a password-cracking program to compile a list of possible passwords based on the list of password hashes contained in the password file (offline), and then use that narrower list to attempt to guess the password at the login prompt. The first attack can be made more difficult if the account locks after a few failed login attempts. The second attack can be thwarted if the password file is securely maintained so that others cannot obtain a copy of it.

Hybrid attack – A password attack that combines the dictionary and brute-force methods. Most password-cracking tools operate in this manner by first attempting a dictionary attack and then moving on to brute-force methods. The programs often permit the attacker to create various rules that tell the program how to combine words to form new possible passwords. Users commonly substitute certain numbers for specific letters. If the user wanted to use the word secret as a base for a password, for example, she could replace the letter e with the number 3, yielding s3cr3t. This password will not be found in the dictionary, so a pure dictionary attack would not crack it, but the password is still easy for the user to remember. If the attacker created a rule that instructed the program to try all words in the dictionary and then try the same words substituting the number 3 for the letter e, however, the password would be cracked.

Birthday attack – A special type of brute-force attack that gets its name from something known as the birthday paradox, which states that in a group of at least 23 people, the chance that two individuals will have the same birthday is greater than 50 percent. Mathematically, the equation is 1.25 × k^(1/2) (that is, 1.25 × √k), where k equals the size of the set of possible values, which in the birthday paradox is 365 (the number of possible birthdays). This same phenomenon applies to passwords, with k (number of passwords) being quite a bit larger.
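The hybrid-attack rule described above (dictionary word, then the same word with 3 substituted for e, and so on) is exactly what a password policy check should enumerate on the defender's side, so that a password like s3cr3t is rejected at the time it is chosen rather than cracked later. The following is an added example, not code from the presentation: it expands each dictionary word through a small, assumed set of substitution rules and common suffixes and reports whether a candidate password falls inside that expanded set. The word list and rule set are constructed for the example; a real deployment would load a full wordlist file.

```python
import itertools

# Constructed mini-dictionary for the example; a real check would load a wordlist file.
DICTIONARY = ["secret", "password", "welcome", "dragon", "letmein"]

# Assumed substitution rules of the kind the slide describes (3 for e, 0 for o, ...).
SUBSTITUTIONS = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

# Assumed suffixes users commonly append to satisfy length or digit requirements.
COMMON_SUFFIXES = ["", "1", "123", "!", "2024"]


def hybrid_variants(word: str):
    """Yield every variant of `word` reachable by applying any combination of the
    substitution rules, each with every common suffix. A cracking tool's rule
    engine enumerates this set, so the policy check must enumerate it too."""
    per_char_options = []
    for ch in word.lower():
        alternatives = [ch]
        if ch in SUBSTITUTIONS:
            alternatives.extend(SUBSTITUTIONS[ch])
        per_char_options.append(alternatives)
    for combo in itertools.product(*per_char_options):
        base = "".join(combo)
        for suffix in COMMON_SUFFIXES:
            yield base + suffix


def is_hybrid_weak(candidate: str, dictionary=DICTIONARY) -> bool:
    """True if the candidate is a dictionary word or one of its hybrid variants.
    Comparison is case-insensitive, since cracking rules toggle case as well."""
    target = candidate.lower()
    return any(target == variant for word in dictionary for variant in hybrid_variants(word))


def demo():
    """Constructed candidates: the slide's s3cr3t, a suffixed word, a heavily
    substituted word, and a passphrase that no rule in this set reaches."""
    return {
        "s3cr3t": is_hybrid_weak("s3cr3t"),
        "Secret123": is_hybrid_weak("Secret123"),
        "p@$$w0rd!": is_hybrid_weak("p@$$w0rd!"),
        "correct horse battery": is_hybrid_weak("correct horse battery"),
    }


if __name__ == "__main__":
    for pw, weak in demo().items():
        print(f"{pw!r}: {'REJECT (hybrid-weak)' if weak else 'accept'}")
```

The number of variants grows multiplicatively with the substitutable characters in a word, which is the same reason these rules are cheap for a cracker: a single dictionary entry expands into hundreds of guesses for almost no extra effort.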
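The birthday figure quoted above (1.25 × √k, giving 23 for k = 365) can be checked directly. The block below is an added example, not from the presentation: it computes the exact collision probability by multiplying the chance that each successive value avoids all earlier ones, finds the smallest group size that pushes that probability past 50 percent, and compares it with the slide's rule of thumb. It also applies the same functions to a constructed password space of 2^16 values to show that the square-root behaviour, not the size of k itself, is what makes collisions cheap.

```python
import math


def p_collision(n: int, k: int = 365) -> float:
    """Exact probability that among n values drawn uniformly from k possibilities
    at least two are equal: 1 - prod_{i=0}^{n-1} (k - i) / k."""
    if n > k:
        return 1.0  # pigeonhole: more draws than values guarantees a collision
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def smallest_n_over_half(k: int = 365) -> int:
    """Smallest number of draws for which a collision is more likely than not."""
    n = 1
    while p_collision(n, k) <= 0.5:
        n += 1
    return n


def birthday_estimate(k: int) -> float:
    """The slide's rule of thumb: about 1.25 * sqrt(k) draws before a collision is likely."""
    return 1.25 * math.sqrt(k)


def demo():
    """Constructed comparison for birthdays (k = 365) and a 16-bit password space."""
    return {
        "birthdays_exact_n": smallest_n_over_half(365),
        "birthdays_rule_of_thumb": round(birthday_estimate(365), 1),
        "p_collision_23": round(p_collision(23), 3),
        "space_2^16_exact_n": smallest_n_over_half(2 ** 16),
        "space_2^16_rule_of_thumb": round(birthday_estimate(2 ** 16), 1),
    }


if __name__ == "__main__":
    print(demo())
```

For 2^16 possible values, a collision becomes likely after only a few hundred draws, not tens of thousands; this is why the attack needs to match one of a set of items rather than a specific item, as the key term "birthday attack" in this chapter defines it.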

44 Software Exploitation
Take advantage of software bugs/weaknesses
Results from poor design, inadequate testing, or inferior code practices.
Buffer overflow attack
Most common example of software exploitation
Program receives more input than it can handle.
Program may abort, crash the entire system, or allow attacker to execute malicious commands

Security + Objective 1.4e buffer overflow
Software exploitation encompasses attacks which take advantage of software bugs or weaknesses. These bugs and weaknesses may be the result of poor design, inadequate testing, or inferior coding practices. They may also come from additional features built into the program to assist in development and then forgotten. One example of software being exploited is a buffer overflow attack, where a program receives more input data than it is designed to handle. Historically, buffer overflows have been one of the most common software vulnerabilities, but recent efforts to raise awareness of the problem have helped to greatly reduce their occurrence in new software. Improperly configured programs cannot handle the buffer overflow, and the extra characters continue to fill memory and eventually begin to overwrite other portions of the program. A buffer overflow can cause a program to abort, the entire system to crash, or even allow an attacker to execute a command within the program.

45 Malicious Code
Viruses
Trojan horses
Spyware
Logic bombs
Rootkits
Worms
Zombies and botnets

This is an agenda slide for the next seven slides, which illustrate different types of malicious code. The difference between the types of malicious code is typically a combination of how the code is installed and its end goal. In general, malicious code or malware is software designed to attack vulnerabilities in an OS or programs for nefarious reasons. For instance, the code may have a goal of causing system damage by deleting files or be structured to create a backdoor for unauthorized users to gain access to a system.

46 Viruses
Replicate and attach to executable code
Best-known malicious code
Common types:
Boot sector virus
Program virus
Macro virus
Stealth virus
Polymorphic virus

Security + Objective 1.1b virus
A virus is the best-known malicious code and works by replicating and attaching itself to another piece of executable code. Then, when the executable code is run, the virus runs as well, infecting additional files and performing whatever else it was designed to do. Some common types of viruses are:

Boot Sector Virus – A boot sector virus infects the boot sector portion of a hard drive. When a computer is powered on, a small portion of the operating system is initially loaded from hardware. This small operating system then attempts to load the rest of the operating system from a specific sector on the hard drive. A boot sector virus infects this portion of the drive.

Program Virus – A second type of virus is the program virus, which attaches itself to executable files so that it is executed before the program executes. Most program viruses also hide a nefarious purpose, such as deleting the hard drive data. Like other types of viruses, program viruses are often not detected until after they execute their malicious payload. One method that has been used to detect this sort of virus before it has an opportunity to damage a system is to calculate checksums for commonly used programs or utilities. Should the checksum for an executable ever change, it is quite likely that it is due to a virus infection.

Macro Virus – The proliferation of software that includes macro-programming languages has resulted in a new breed of virus: the macro virus. This type of virus now accounts for the majority of viruses and is most commonly transmitted through e-mail attachments. This type of virus is so common today that it is considered a security best practice to advise users never to open a document attached to an e-mail if it seems at all suspicious. Many organizations now routinely have their mail servers eliminate any attachments containing certain macros.

Stealth Virus – The stealth virus is a newer creation which attempts to hide from antivirus programs and the operating system in order to avoid detection and eradication.

Polymorphic Virus – Like the stealth virus, the polymorphic virus also tries to avoid detection and eradication. However, rather than hiding, polymorphic viruses continually evolve, making it difficult to identify and track them across the system.

System administrators and users alike must take precautions to avoid becoming infected with a virus. First, users should always exercise caution when executing a program or opening an attachment sent through e-mail. Another security best practice for protecting against virus infection is to install and run an antivirus program. Since these programs typically only offer protection against known viruses, it is imperative that the programs be consistently updated with the most current virus signature libraries. New stealth and polymorphic viruses attempt to evade detection by hiding or constantly evolving so that antivirus programs will have difficulty in recognizing and taking action against the viruses.
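The checksum technique mentioned under Program Virus (record a checksum for each commonly used program, and treat any later change as a likely infection) is a file-integrity baseline. The following is an added example, not code from the presentation: it hashes a set of files with SHA-256 into a baseline, then re-checks the files and reports each one as unchanged, modified or missing. The files are constructed stand-ins for system utilities, created in a temporary directory, and one of them is modified the way a program virus would modify its host.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large executables are hashed without
    loading them fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record the known-good hash of every monitored file."""
    return {p: sha256_of(p) for p in paths}


def check_baseline(baseline: dict) -> dict:
    """Re-hash every file in the baseline and classify it as 'ok', 'modified' or 'missing'."""
    result = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif sha256_of(path) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def demo() -> dict:
    """Constructed scenario: two stand-in 'programs' are baselined, then one is
    altered the way a program virus alters its host (code prepended so it runs first)."""
    workdir = tempfile.mkdtemp()
    ls_path = os.path.join(workdir, "ls")
    cat_path = os.path.join(workdir, "cat")
    with open(ls_path, "wb") as f:
        f.write(b"#!/bin/sh\necho original ls\n")
    with open(cat_path, "wb") as f:
        f.write(b"#!/bin/sh\necho original cat\n")

    baseline = build_baseline([ls_path, cat_path])

    # Simulated infection of one host program: extra code inserted before the original body.
    with open(ls_path, "wb") as f:
        f.write(b"#!/bin/sh\necho simulated payload\necho original ls\n")

    statuses = check_baseline(baseline)
    return {os.path.basename(p): s for p, s in statuses.items()}


if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored somewhere the malware cannot rewrite it (read-only media, a separate host, or a signed file), and the check has to run from a trusted environment; the stealth virus described further down exists precisely to defeat on-host checks like this one by intercepting the read of the infected file.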

47 Trojan Horses
Software that appears to do one thing but contains hidden functionality
Standalone program that must be installed by user
Disguised well enough to entice user
Delivers payload without user's knowledge
Prevention
Never run software of unknown origin or integrity.
Keep virus-checking program running continuously.

Security + Objective 1.1d Trojan horse attack
A Trojan horse is software that appears to do one thing but includes some hidden functionality. Unlike a virus, which reproduces by attaching itself to other files or programs, a Trojan is a standalone program that must be copied and installed by an authorized user. Since an attacker must entice the user to copy and run the program, they must disguise it as something that the user would want to run. Once the Trojan is installed on the target system, its hidden functions execute, often unbeknownst to the users. Prevention: The best method to prevent Trojan horse software is to never run software if its origin, security, or integrity cannot be verified. Another way to prevent a Trojan horse is to keep a virus-checking program running on the system.

48 Spyware
Software capable of recording and reporting a user's actions:
Typically installed unbeknownst to users
Monitors software and system use
Can steal information through keylogging
Many states have banned spyware and other unauthorized software:
Organizations circumvent with complex EULAs

Software capable of recording and reporting on the activity conducted on a system is called spyware. This software is usually installed without user knowledge. It can monitor the system and software use. Spyware can also steal data through keylogging and other similar activities. While some uses of spyware may seem innocent in the beginning, it can quickly be abused. For this reason, the majority of states have passed legislation banning the unauthorized installation of software such as spyware. However, many of the organizations which use spyware have been able to circumvent this legislation using complex and confusing EULAs.

49 Logic Bombs
Malicious code dormant until triggered by a specified future event:
Usually installed by authorized user
Reinforces need for backups
A time bomb is similar to the logic bomb, but delivers its payload at a predetermined time/date.

Security + Objective 1.1j logic bombs
Logic bombs are malicious code that sit dormant until triggered by a future event, such as a specified user being fired by the organization. Logic bombs are usually placed into software by an authorized user. The destruction that can be caused by a logic bomb reinforces the need for an organization to ensure systems are being consistently backed up. A time bomb is similar to a logic bomb, but releases its malicious payload at a specific time and date rather than being triggered by an event.

50 Rootkits
Modifies OS kernel or other process on system
Originally designed to grant root access
Designed to avoid being detected and deleted
Support a variety of malware
Often operating unbeknownst to user
Found in OS kernel, application level, firmware, etc.

Security + Objective 1.1h rootkits
A rootkit is malware that modifies the operating system kernel and supporting functions, which affects how the operating system performs. Rootkits were originally designed to allow an attacker to assume root access to the system. They are usually designed to avoid detection by the operating system as well as antivirus and antispyware programs. This functionality allows rootkits to hide other processes and files. Currently, rootkits are commonly used to support a variety of different malware applications. Because of the subversive nature of the rootkit, it is usually running on a system without the user or other applications being aware of its actions. Different types of rootkits have been found, such as those that reside in the OS kernel, at the application level, and even in firmware. Once a rootkit is detected, it needs to be removed and cleaned up. Because of rootkits' invasive nature, and the fact that many aspects of rootkits are not easily detectable, most system administrators don't even attempt to clean up or remove a rootkit. It is far easier to use a previously captured clean system image and reimage the machine than to attempt to determine the depth and breadth of the damage and fix individual files.

51 Types of Rootkits
Firmware
Virtual
Kernel
Library
Application level

Security + Objective 1.1h rootkits
There are five main types of rootkits, as listed below:
Firmware – Attacks firmware on a system
Virtual – Attacks at the virtual machine level
Kernel – Attacks the kernel of the OS
Library – Attacks libraries used on a system
Application level – Attacks specific applications

52 Worms
Code that penetrates and replicates on systems
Doesn't need to attach to other files or code
Spread by a variety of methods such as e-mail, infected web sites, and P2P sharing networks
Examples
Morris worm, Love Bug, Code Red, and Samy worm

Security + Objective 1.1c Worms
Worms are programming code which attempts to penetrate a target computer system or network. Upon successful penetration, the worm then copies itself onto the target system. Unlike a virus, which requires attachment to a system file or code, a worm propagates itself throughout the network and does not rely on something else for its survival. Worms can be spread through a variety of means. In recent years they have been sent by e-mail, picked up while browsing infected web sites, conveyed through social networking web sites, passed through open network shares, and even through backdoors left by previous worms and viruses. There have been many infamous worms in the last 25 years. A few examples would be the Morris worm, Love Bug, Blaster, Code Red, ILOVEYOU, and the MySpace or Samy worm. There are short descriptions of a few of these worms below. Morris, Love Bug and Code Red were discussed in chapter 1.

Samy Worm (The MySpace Worm) – MySpace is a popular social networking site with a feature that allows people to list other users as friends. In 2005, a clever MySpace user looking to expand his friends list created the first self-propagating cross-site scripting (XSS) worm. In less than a day, the worm had gone viral and user Samy had amassed more than 1 million friends on the popular online community. The worm's code, now posted at used a fairly sophisticated JavaScript script. Fortunately the script was written for fun and didn't try to take advantage of unpatched security holes in Internet Explorer to create a massive MySpace botnet. MySpace was taken down because the worm replicated too efficiently, eventually surpassing several thousand replications per second.

53 Worms (continued)
Key steps in preventing worms:
Install all patches.
Use firewalls.
Implement an intrusion detection system.
Eliminate unnecessary services.
Use extreme caution with attachments.

Security + Objective 1.1c Worms
The method used to protect a system or network from worms varies somewhat with the type of worm. Similar to those used in defending against a human attacker, there are some common security measures that should be enforced to prevent worms. These include: not opening files or running attachments without being able to verify their origin and integrity, installing patches, eliminating unused and unnecessary services, regulating network traffic with firewalls, and monitoring the system with an intrusion detection system.

54 Zombies and Botnets
Malware installed on machines creates zombies under the control of the attacker.
Large networks of zombies are called botnets.
Some attackers' botnets have 1,000,000+ zombies.
Botnets are responsible for millions of spam messages daily.

Security + Objective 1.1i botnets
Attackers can install malware on machines, unbeknownst to most users, creating a zombie under the control of the attacker. Large networks of these zombies are called botnets and can be used to conduct spam, malware, and other such attacks. There are some attackers who have amassed botnets with 1,000,000+ zombies under their control. Botnets are responsible for millions of spam messages on a daily basis.

55 Malware Defense
Attacks typically exploit multiple vulnerabilities
Network, OS, application, and user level
Steps to prevent malware
Use an antivirus program.
Ensure all software is up-to-date.

Attacks against a system can occur at the network level, operating system level, application level, or user level, as in social engineering. Early malware attack patterns targeted networks, but most of today's sophisticated malware attacks target a combination of network, OS, and application vulnerabilities. There are a few simple steps that, when applied, can defend against all forms of malware. These steps are: The first step in both preventing and dealing with malware is to use an effective antivirus program. The majority of antivirus suites are designed to catch most widespread forms of malware. However, there are many new threats being developed and deployed on a daily basis. Therefore the key to an effective antivirus solution is to ensure its library of threats is continually updated. Another key step in avoiding malware is to keep all system software up-to-date. Many forms of malware achieve their objectives through exploitation of vulnerabilities in software, both in the operating system and applications. Although operating system vulnerabilities were once the main source of problems, today application-level vulnerabilities pose the greatest risk. The majority of attacks that occur happen within the application level, as this is the level where the target data resides. Unfortunately, while operating system vendors are becoming more and more responsive to patching, most application vendors are not.

56 War-dialing and War-driving
War-dialing attempts to find unprotected modem connections to a system over phone lines.
New telephone firewalls restrict access.
War-driving involves traveling around an area in search of vulnerable wireless networks.

Security + Objective 2.7b war-driving
War-dialing is an attempt by an attacker to find unprotected modem connections to an organization's computer systems and networks. Success is often the result of authorized individuals connecting unauthorized or rogue modems to the network. The authorized user's intent is not usually malicious, but the results can be. In recent years, advances in telephone firewalls have severely restricted unauthorized connections while also increasing the security of authorized modems. The term war-driving refers to attackers wandering around an area (often in a car), searching for available wireless network connections. There are security measures built into both the hardware and software tasked with maintaining a wireless access point, but they will only operate as well as they are configured.

57 Social Engineering
Manipulating authorized users into providing access to an attacker
Applies to both virtual and physical access

Sometimes attackers prefer to gain information through people rather than by technically hacking into a system. This can be accomplished by manipulating authorized users into providing access or divulging confidential information to an attacker through lies or misrepresentation. Social engineering can apply to efforts to gain either virtual or physical access to a system.

58 Security Auditing
Should be conducted on a regular basis
May be mandated depending on the industry
Can be contracted out to another party
Focus on
Security perimeter
Policies, procedures, and guidelines governing security
Employee training

Security+ Objective 4.1 Risk assessments
Security+ Objective 4.7a, b, c Auditing
Audits are the method used to assess the overall security of an organization in comparison to an established standard. Audits also measure how effective deployed countermeasures actually are in mitigating previously identified risks.
Security audits:
Should be conducted on a regular basis
May be mandated depending on the industry
Can be contracted out to another party
The focus of a security audit should be on:
The security perimeter of the organization and the system
All of an organization's policies, procedures, and guidelines governing security
The training of all employees that will be involved with the system

59 Chapter Summary Describe various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing. Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits. Explain how social engineering can be used to gain access to computers and networks. Describe the importance of auditing and what should be audited.

