Types of Attacks and Malicious Software

PowerPoint Slideshow about 'Types of Attacks and Malicious Software' - blythe

Chapter 15

Objectives
  • Describe various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing.

  • Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits.

  • Explain how social engineering can be used as a means to gain access to computers and networks.

  • Describe the importance of auditing and what should be audited.

Key Terms

  • Drive-by download attack

  • Man-in-the-middle attack

  • Null session

  • Pharming

  • Phishing

  • Ping sweep

  • Port scan

  • Backdoor

  • Birthday attack

  • Botnet

  • Buffer overflow

  • Denial-of-service (DoS) attack

  • Distributed denial-of-service (DDoS) attack

  • DNS kiting

Key Terms (continued)

  • Replay attack

  • Sequence number

  • Smurf attack

  • Sniffing

  • Spear phishing

  • Spoofing

  • Spyware

  • SYN flood

Avenues of Attack

Specific targets

Chosen based on attacker’s motivation

Not reliant on target system’s hardware and software

Targets of opportunity

Systems with hardware or software vulnerable to a specific exploit

Often lacking current security patches

The Steps in an Attack

Conducting reconnaissance

Researching vulnerabilities

Performing the attack

Creating a backdoor

Covering tracks

Conducting Reconnaissance

Gather as much information as possible about the target system and organization.

Use the Internet.

Explore government records.

Use tools such as Whois.Net.

Don’t worry yet about whether the information being gathered is relevant.

Identify target systems that are active and accessible.

Ping sweep

Port scan

Identify the operating system and the specific application programs running on the system.

Analyzing packet responses

Researching Vulnerabilities

Wealth of information available through the World Wide Web

Lists of vulnerabilities in specified OS and application programs

Tools created to exploit vulnerabilities

Performing the Attack

Matching an attack to an identified vulnerability

Creating a Backdoor

Provides future access to the attacker

May create “authorization” for themselves

Could install an agent

Covering Their Tracks

In an effort to remain undetected, attackers endeavor to cover their tracks:

Erase pertinent log files from the system.

Change file time stamps to appear unaltered.

Minimizing Possible Avenues of Attack

Ensure all patches are installed and current.

Limit the services being run on the system.

Limits possible avenues of attack

Reduces number of services the administrator must continually patch

Limit the amount of publicly available data about the system and organization.

Attacking Computer Systems and Networks

An attack is an attempt by an unauthorized person to:

Gain access to or modify information

Assume control of an authorized session

Disrupt the availability of service to authorized users

Attacking Computer Systems and Networks (continued)

Variety of methods used to carry out attacks

Attacks on specific software

Rely on code flaws or software bugs

Indicates lack of thorough code testing

Attacks on a specific protocol or service

Take advantage of or use a service or protocol in an unintended manner

Types of Attacks

  • Null sessions

  • TCP/IP hijacking

  • Drive-by downloads

  • Phishing/pharming

  • Attacks on encryption

  • Address system attacks

  • Password guessing

  • Hybrid attack

  • Birthday attack

Denial-of-Service Attack

Exploit known identified vulnerabilities

Purpose is to prevent normal system operations for authorized users

Can be accomplished in multiple ways

Take the system offline

Overwhelm the system with requests

SYN Flood Attack

An example of a DoS attack targeting a specific protocol or service

Illustrates basic principles of most DoS attacks

Exploits a weakness inherent in how the TCP/IP protocol establishes connections

Uses the TCP three-way handshake to flood a system with faked connection requests

TCP Three-Way Handshake

System 1 sends SYN packet to System 2.

System 2 responds with SYN/ACK packet.

System 1 sends ACK packet to System 2 and communications can then proceed.

Steps of a SYN Flood Attack

Communication request sent to target system.

Target responds to faked IP address.

Target waits for non-existent system response.

Request eventually times out.

If new attack requests arrive faster than the pending ones time out, the system’s resources will be exhausted.

Distributed Denial-of-Service Attack (DDoS)

Goal is to deny access or service to authorized users

Uses resources of many systems combined into an attack network

Overwhelms target system or network

With enough attack agents, even simple web traffic can quickly affect a large website

Ping of Death (POD)

Another example of a DoS attack.

Illustrates an attack targeting a specific application.

Attacker sends ICMP ping packet > 64KB.

This ping packet size should not occur naturally.

ICMP packet will crash certain systems unable to handle it.
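The check that stops a Ping of Death is a bound on reassembly: a fragment whose data would end past the 65,535-byte IPv4 maximum must be dropped before it is copied into the reassembly buffer. The reassembler below is an added example, not code from the deck; it models the buffer as payload-only (header sizes are ignored as an assumption) and uses constructed fragments.

```python
MAX_IPV4_DATAGRAM = 65535   # largest value the IPv4 total-length field can hold


class FragmentReassembler:
    """Reassembles one IPv4 datagram from its fragments, refusing any fragment
    whose data would land beyond the 64 KB maximum.  `offset` is in 8-byte
    units, as on the wire; `more=False` marks the final fragment.
    Assumption: offsets are relative to the payload buffer (headers ignored)."""

    def __init__(self):
        self.buf = bytearray(MAX_IPV4_DATAGRAM)
        self.covered = []        # (start, end) byte ranges received so far
        self.total = None        # datagram length, known once the last fragment arrives

    def add(self, offset, data, more):
        start = offset * 8
        end = start + len(data)
        if end > MAX_IPV4_DATAGRAM:
            # Ping-of-Death case: copying this would overrun a 64 KB buffer.
            return "dropped: fragment exceeds 64 KB limit"
        self.buf[start:end] = data
        self.covered.append((start, end))
        if not more:
            self.total = end
        return "complete" if self._complete() else "waiting"

    def _complete(self):
        """True when the final fragment is known and bytes 0..total are all covered."""
        if self.total is None:
            return False
        pos = 0
        for s, e in sorted(self.covered):
            if s > pos:          # gap: a fragment is still missing
                return False
            pos = max(pos, e)
        return pos >= self.total

    def datagram(self):
        return bytes(self.buf[: self.total]) if self._complete() else None


if __name__ == "__main__":
    r = FragmentReassembler()
    print(r.add(0, b"a" * 1480, True))            # waiting
    print(r.add(8190, b"x" * 100, False))         # dropped: 65520 + 100 > 65535
```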

Preventing DoS & DDoS Attacks

Ensure necessary patches and upgrades remain current.

Change time-out period for TCP connections.

Distribute workload across several systems.

Block external ICMP packets at border.
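The SYN flood steps and the time-out countermeasure above can be worked through with a small model of the listener's half-open table. This is an added example, not from the deck: it assumes a fixed backlog of slots, a constant rate of spoofed SYNs, and one legitimate client per second, and shows that the table's steady-state occupancy is arrival rate times time-out, so shortening the time-out is what keeps slots free for real clients.

```python
def simulate_syn_flood(spoofed_per_sec, timeout, backlog, seconds):
    """Deterministic second-by-second model of a listener's half-open
    (SYN_RECV) table during a SYN flood.

    Each second `spoofed_per_sec` SYNs arrive from faked addresses, followed
    by one legitimate client.  A faked entry never receives its ACK, so it
    holds a slot until `timeout` seconds pass; a legitimate entry completes
    the three-way handshake and leaves the table one second later.
    Returns (legit_ok, legit_dropped, peak_half_open).
    """
    half_open = []                      # expiry times of entries in the table
    legit_ok = legit_dropped = peak = 0
    for now in range(seconds):
        half_open = [exp for exp in half_open if exp > now]   # timed-out entries leave
        for _ in range(spoofed_per_sec):
            if len(half_open) < backlog:
                half_open.append(now + timeout)   # waits for an ACK that never comes
        if len(half_open) < backlog:
            half_open.append(now + 1)             # real client completes next second
            legit_ok += 1
        else:
            legit_dropped += 1                    # backlog exhausted: service denied
        peak = max(peak, len(half_open))
    return legit_ok, legit_dropped, peak


def steady_state_half_open(spoofed_per_sec, timeout):
    """Slots the flood holds once it reaches equilibrium: arrival rate x lifetime."""
    return spoofed_per_sec * timeout


def max_timeout_for_backlog(spoofed_per_sec, backlog):
    """Largest half-open time-out (seconds) at which a flood of the given rate
    still leaves at least one backlog slot free."""
    return (backlog - 1) // spoofed_per_sec


if __name__ == "__main__":
    # Constructed scenario: 10 spoofed SYNs/s against a 256-slot backlog.
    print(simulate_syn_flood(10, 75, 256, 120))   # long time-out: clients starve
    print(simulate_syn_flood(10, 20, 256, 120))   # short time-out: all clients served
    print(max_timeout_for_backlog(10, 256))
```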

Trapdoors and Backdoors

Trapdoor:

Hard-coded access built into the program

Ensures access should normal access methods fail

Creates vulnerability in systems using the software

Backdoor:

Ensures continued unrestricted access in the future

Attackers implant them in compromised systems

Can be installed inadvertently with a Trojan horse

Null Sessions

A connection to the Windows inter-process communication share (IPC$) made without supplying credentials

Systems prior to XP and Server 2003 are vulnerable.

Used by a variety of exploit tools and malware.

No patch is available.

Options to counter the vulnerability

Upgrade systems to Windows XP or newer version

Only allow trusted users access to TCP ports 139 and 445

Sniffing

Attacker observes all network traffic.

Software, hardware, or combination of the two

Ability to target specific protocol, service, string of characters, etc.

May be able to modify some or all traffic en route

Network administrators can use to monitor and troubleshoot network performance.

Sniffing (continued)

  • Physical security is key in preventing introduction of sniffers on the internal network.

Spoofing

True source of data is disguised:

Commonly accomplished by altering packet header information with false information

Can be used for a variety of purposes

Spoofing e-mail:

From address differs from sending system

Recipients rarely question authenticity of the e-mail

Sequence Numbers

SYN packets carry an initial sequence number.

The receiver increments that sequence number by 1 and sends it back as the acknowledgment number in the ACK packet.

Spoofing and Sequence Numbers

  • Attacker must use correct sequence number:

  • TCP packet sequence numbers are 32-bit.

  • Sequence numbers are incremented by 1.

  • Very difficult to guess.

  • Insider attacks vs. external attacks

Man-in-the-Middle Attack

Attacker is positioned between two target hosts:

Typically accomplished through router manipulation

Traffic redirected to attacker, then forwarded on

Attacker can intercept, modify, and/or block traffic

Communication appears normal to target hosts

Useful data collection reduced if traffic is encrypted

Replay Attack

Attacker intercepts part of an exchange between two hosts and retransmits the message later.

Often used to bypass authentication mechanisms

Prevented by encrypting traffic, cryptographic authentication, and time-stamping messages.
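Two of the three countermeasures listed, cryptographic authentication and time-stamping, can be shown working together. The receiver below is an added example, not from the deck: it assumes a shared HMAC-SHA256 key, a 30-second clock-skew window, and a per-message nonce (an addition beyond the slide, because a timestamp alone still admits a replay inside the window), and uses constructed messages.

```python
import hashlib
import hmac
import secrets


def make_message(key, body, ts, nonce=None):
    """Sender side: bind body, timestamp and nonce together with an HMAC."""
    nonce = nonce or secrets.token_hex(8)
    tag = hmac.new(key, f"{ts}|{nonce}|{body}".encode(), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "body": body, "mac": tag}


class ReplayProtectedReceiver:
    def __init__(self, key, window=30):
        self.key = key
        self.window = window      # seconds of clock skew tolerated (assumption)
        self.seen = {}            # nonce -> timestamp for messages accepted in-window

    def verify(self, msg, now):
        data = f"{msg['ts']}|{msg['nonce']}|{msg['body']}".encode()
        expected = hmac.new(self.key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad MAC"             # forged or tampered message
        if abs(now - msg["ts"]) > self.window:
            return "rejected: stale timestamp"     # too old to be a live exchange
        # Forget nonces whose timestamps are now stale; they can no longer replay.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.window}
        if msg["nonce"] in self.seen:
            return "rejected: replay"              # same fresh message seen twice
        self.seen[msg["nonce"]] = msg["ts"]
        return "accepted"


if __name__ == "__main__":
    key = b"constructed-shared-key"
    rx = ReplayProtectedReceiver(key)
    m = make_message(key, "transfer 100", ts=1000, nonce="n1")
    print(rx.verify(m, now=1005))   # accepted
    print(rx.verify(m, now=1010))   # rejected: replay
```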

TCP/IP Hijacking

Assume control of an already existing session:

Attacker circumvents authentication.

Can be disguised with a DoS attack.

Typically used against web and Telnet sessions.

Drive-by Download Attack

Unsolicited malware downloads

May be hidden in legitimate ads or hosted from web sites that prey on unaware users

Phishing and Pharming

Phishing: fraudulent e-mails designed to trick users into divulging confidential information

Pharming: fake web sites created to elicit authentic user credentials

Attacks on Encryption

Cryptanalysis attempts to crack encryption

Common methods

Weak keys

Exhaustive search of key space

Indirect attacks

Password Attacks

Most common user authentication is combination of user ID and password.

A compromised password typically indicates a failure to adhere to good password procedures.

Password Attacks (continued)

Password attack methods

Brute force
Software Exploitation

Take advantage of software bugs/weaknesses

Results from poor design, inadequate testing, or inferior code practices.

Buffer overflow attack

Most common example of software exploitation

Program receives more input than it can handle.

Program may abort, crash the entire system, or allow attacker to execute malicious commands

Malicious Code

Trojan horses

Logic bombs

Zombies and botnets

Viruses

Replicate and attach to executable code

Best-known malicious code

Common types:

Boot Sector virus

Program virus

Macro virus

Stealth virus

Polymorphic virus

Trojan Horses

Software that appears to do one thing but contains hidden functionality

Standalone program that must be installed by user

Disguised well enough to entice user

Delivers payload without user’s knowledge

Prevention:

Never run software of unknown origin or integrity.

Keep virus-checking program running continuously.

Spyware

Software capable of recording and reporting a user’s actions:

Typically installed unbeknownst to users

Monitors software and system use

Can steal information through keylogging

Many states have banned spyware and other unauthorized software:

Organizations circumvent with complex EULAs

Logic Bombs

Malicious code dormant until triggered by a specified future event:

Usually installed by authorized user

Reinforces need for backups

A time bomb is similar to the logic bomb, but delivers its payload at a predetermined time/date.

Rootkits

Modifies the OS kernel or another process on the system

Originally designed to grant root access

Designed to avoid being detected and deleted

Support a variety of malware

Often operating unbeknownst to user

Found in OS kernel, application level, firmware, etc.

Types of Rootkits

Application level


Worms

Code that penetrates and replicates on systems

Doesn’t need to attach to other files or code

Spread by a variety of methods such as e-mail, infected web sites, and P2P sharing networks


Examples: Morris worm, Love Bug, Code Red, and Samy worm

Worms (continued)

Key steps in preventing worms:

Install all patches.

Use firewalls.

Implement an intrusion detection system.

Eliminate unnecessary services.

Use extreme caution with e-mail attachments.

Zombies and Botnets

Malware installed on machines creates zombies under the control of the attacker.

Large networks of zombies are called botnets.

Some attackers’ botnets have 1,000,000+ zombies.

Botnets are responsible for millions of spam messages daily.

Malware Defense

Attacks typically exploit multiple vulnerabilities

Network, OS, application, and user level

Steps to prevent malware

Use an antivirus program.

Ensure all software is up-to-date.

War-dialing and War-driving

War-dialing attempts to find unprotected modem connections to a system over phone lines.

New telephone firewalls restrict access.

War-driving involves traveling around an area in search of vulnerable wireless networks.

Social Engineering

Manipulating authorized users into providing access to an attacker

Applies to both virtual and physical access

Security Auditing

Should be conducted on a regular basis

May be mandated depending on the industry

Can be contracted out to another party

Focus on

Security perimeter

Policies, procedures, and guidelines governing security

Employee training

Chapter Summary

  • Describe various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing.

  • Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits.

  • Explain how social engineering can be used to gain access to computers and networks.

  • Describe the importance of auditing and what should be audited.