Types of Attacks and Malicious Software. Chapter 15. Objectives. Describe various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Chosen based on attacker’s motivation
Not reliant on target system’s hardware and software
Targets of opportunity
Systems with hardware or software vulnerable to a specific exploit
Often lacking current security patches
Performing the attack
Creating a backdoor
Gather as much information as possible about the target system and organization.
Use the Internet.
Explore government records.
Use tools such as Whois.Net.
Don’t worry yet whether the information being gathered is relevant or not.
Identify target systems that are active and accessible.
Identify the operating system and other specific application programs running on system.
Analyzing packet response
Wealth of information available through the World Wide Web
Lists of vulnerabilities in specified OS and application programs
Tools created to exploit vulnerabilities
Matching an attack to an indentified vulnerability
Provides future access to the attacker
May create “authorization” for themselves
Could install an agent
In an effort to remain undetected, attackers endeavor to cover their tracks:
Erase pertinent log files from the system.
Change file time stamps to appear unaltered.
Ensure all patches are installed and current.
Limit the services being run on the system.
Limits possible avenues of attack
Reduces number of services the administrator must continually patch
Limit the amount of publicly available data about the system and organization.
An attack is an attempt by an unauthorized person to:
Gain access to or modify information
Assume control of an authorized session
Disrupt the availability of service to authorized users
Variety of methods used to carry out attacks
Attacks on specific software
Rely on code flaws or software bugs
Indicates lack of thorough code testing
Attacks on a specific protocol or service
Take advantage of or use a service or protocol in an unintended manner
Exploit known identified vulnerabilities
Purpose is to prevent normal system operations for authorized users
Can be accomplished in multiple ways
Take the system offline
Overwhelm the system with requests
An example of a DoS attack targeting a specific protocol or service
Illustrates basic principles of most DoS attacks
Exploit a weakness inherent to the function of the TCP/IP protocol
Uses TCP three-way handshake to flood a system with faked connection requests
System 1 sends SYN packet to System 2.
System 2 responds with SYN/ACK packet.
System 1 sends ACK packet to System 2 and communications can then proceed.
Communication request sent to target system.
Target responds to faked IP address.
Target waits for non-existent system response.
Request eventually times out.
If the attacks outpace the requests timing-out, then systems resources will be exhausted.
Goal is to deny access or service to authorized users
Uses resources of many systems combined into an attack network
Overwhelms target system or network
With enough attack agents, even simple web traffic can quickly affect a large website
Another example of a DoS attack.
Illustrates an attack targeting a specific application.
Attacker sends ICMP ping packet > 64KB.
This ping packet size should not occur naturally.
ICMP packet will crash certain systems unable to handle it.
Ensure necessary patches and upgrades remain current.
Change time-out period for TCP connections.
Distribute workload across several systems.
Block external ICMP packets at border.
Hard-coded access built into the program
Ensures access should normal access methods fail
Creates vulnerability in systems using the software
Ensures continued unrestricted access in the future
Attackers implant them in compromised systems
Can be installed inadvertently with a Trojan horse
A connection to a Windows inter-process communication share (IPC$)
Systems prior to XP and Server 2003 are vulnerable.
Used by a variety of exploit tools and malware.
No patch is available.
Options to counter the vulnerability
Upgrade systems to Windows XP or newer version
Only allow trusted users access to TCP ports 139 and 445
Attacker observes all network traffic.
Software, hardware, or combination of the two
Ability to target specific protocol, service, string of characters, etc.
May be able to modify some or all traffic in route
Network administrators can use to monitor and troubleshoot network performance.
True source of data is disguised:
Commonly accomplished by altering packet header information with false information
Can be used for a variety of purposes
From address differs from sending system
Recipients rarely question authenticity of the e-mail
SYN packets include an original sequence number.
Sequence numbers are incremented by 1 and sent back with ACK packets.
Attacker is positioned between two target hosts:
Typically accomplished through router manipulation
Traffic redirected to attacker, then forwarded on
Attacker can intercept, modify, and/or block traffic
Communication appears normal to target hosts
Useful data collection reduced if traffic is encrypted
Attacker intercepts part of an exchange between two hosts and retransmits message later.
Often used to bypass authentication mechanisms
Prevented by encrypting traffic, cryptographic authentication, and time-stamping messages.
Assume control of an already existing session:
Attacker circumvents authentication.
Can be disguised with a DoS attack.
Typically used against web and Telnet sessions.
Unsolicited malware downloads
May be hidden in legitimate ads or hosted from web sites that prey on unaware users
Fraudulent e-mails designed to trick users into divulging confidential information
Fake web sites created to elicit authentic user credentials
Cryptanalysis attempts to crack encryption
Exhaustive search of key space
Most common user authentication is combination of user ID and password.
A compromised password typically indicates a failure to adhere to good password procedures.
Password attack methods
Take advantage of software bugs/weaknesses
Results from poor design, inadequate testing, or inferior code practices.
Buffer overflow attack
Most common example of software exploitation
Program receives more input than it can handle.
Program may abort, crash the entire system, or allow attacker to execute malicious commands
Zombies and botnets
Replicate and attach to executable code
Best-known malicious code
Boot Sector virus
Software that appears to do one thing but contains hidden functionality
Standalone program that must be installed by user
Disguised well enough to entice user
Delivers payload without user’s knowledge
Never run software of unknown origin or integrity.
Keep virus-checking program running continuously.
Software capable of recording and reporting a users actions:
Typically installed unbeknownst to users
Monitors software and system use
Can steal information through keylogging
Many states have banned spyware and other unauthorized software:
Organizations circumvent with complex EULAs
Malicious code dormant until triggered by a specified future event:
Usually installed by authorized user
Reinforces need for backups
A time bomb is similar to the logic bomb, but delivers payload at a predetermined time/date.
Modifies OS kernel or other process on system
Originally designed to grant root access
Designed to avoid being detected and deleted
Support a variety of malware
Often operating unbeknownst to user
Found in OS kernel, application level, firmware, etc.
Code that penetrates and replicates on systems
Doesn’t need to attach to other files or code
Spread by a variety of methods such as e-mail, infected web sites, and P2P sharing networks
Morris worm, Love Bug, Code Red, and Samy worm
Key steps in preventing worms:
Install all patches.
Implement an intrusion detection system.
Eliminate unnecessary services.
Use extreme caution with e-mail attachments.
Malware installed on machines creates zombies under the control of the attacker.
Large networks of zombies are called botnets.
Some attacker’s botnets have 1,000,000+ zombies.
Botnets are responsible for millions of spam messages daily.
Attacks typically exploit multiple vulnerabilities
Network, OS, application, and user level
Steps to prevent malware
Use an antivirus program.
Ensure all software is up-to-date.
War-dialing attempts to find unprotected modem connections to a system over phone lines.
New telephone firewalls restrict access.
War-driving involves traveling around an area in search of vulnerable wireless networks.
Manipulating authorized users into providing access to an attacker
Applies to both virtual and physical access
Should be conducted on a regular basis
May be mandated depending on the industry
Can be contracted out to a another party
Policies, procedures, and guidelines governing security