WEEK 10-11
Attacks and Malware
Attack Overview
• According to RFC 2828, an attack is defined as
“An assault on system security that derives
from an intelligent threat; that is, an
intelligent act that is a deliberate attempt
(especially in the sense of a method or
technique) to evade security services and
violate the security policy of a system.”
• An attack is a threat that is carried out (threat
action) and, if successful, leads to an
undesirable violation of security, or threat
consequence.
• The agent carrying out the attack is referred to
as an attacker, or threat agent.
• We can distinguish two types of attacks:
• Active attack: An attempt to alter system
resources or affect their operation.
• Passive attack: An attempt to learn or make use
of information from the system that does not
affect system resources.
• We can classify attacks based on the origin of the
attack:
• Inside attack: Initiated by an entity inside the
security perimeter (“an insider”).
• The insider is authorized to access system
resources but uses them in a way not approved
by those who granted the authorization.
• Outside attack: Initiated from outside the
perimeter, by an unauthorized or illegitimate
user of the system (“an outsider”).
• On the Internet, potential outside attackers
range from amateur pranksters to organized
criminals, international terrorists, and hostile
governments.
Denial of Service (DoS) Attack
• DoS is a form of attack on the availability of some
service.
• In the context of computer and communications
security, the focus is generally on network services
that are attacked over their network connections.
• We distinguish this form of attack on availability
from other attacks, such as the classic act of God,
that cause damage or destruction of IT
infrastructure and consequent loss of service.
DoS as Defined by NIST
• A denial of service (DoS) is an action that
prevents or impairs the authorized use of
networks, systems, or applications by
exhausting resources such as central
processing units (CPU), memory, bandwidth,
and disk space.
Targets for DoS
• From the definition in the previous section,
you can see that there are several categories
of resources that could be attacked:
• Network bandwidth
• System resources
• Application resources
• In a DoS attack, the vast majority of traffic
directed at the target server is malicious,
generated either directly or indirectly by the
attacker.
• This traffic overwhelms any legitimate traffic,
effectively denying legitimate users access to
the server.
• A DoS attack targeting system resources typically
aims to overload or crash its network handling
software.
• Specific types of packets are sent that consume
the limited resources available on the system.
• These include temporary buffers used to hold
arriving packets, tables of open connections, and
similar memory data structures.
• The SYN spoofing attack is of this type.
• It targets the table of TCP connections on the
server.
• Another form of system resource attack uses
packets whose structure triggers a bug in the
system’s network handling software, causing it
to crash.
• This means the system can no longer
communicate over the network until this
software is reloaded, generally by rebooting the
target system.
• This is known as a poison packet.
• An attack on a specific application, such as a Web
server, typically involves a number of valid
requests, each of which consumes significant
resources.
• This then limits the ability of the server to
respond to requests from other users.
• For example, a Web server might include the
ability to make database queries.
• If a large, costly query can be constructed, then
an attacker could generate a large number of
these that severely load the server.
• This limits the ability to respond to valid
requests from other users.
• This type of attack is known as cyberslam.
• Another alternative is to construct a request
that triggers a bug in the server program,
causing it to crash.
• This means the server is no longer able to
respond to requests until it is restarted.
Denial-of-Service (DoS)
 a form of attack on the availability of some service
 categories of resources that could be attacked are:
 network bandwidth: relates to the capacity of the network links connecting a server to the Internet; for most organizations this is their connection to their Internet Service Provider (ISP)
 system resources: aims to overload or crash the network handling software
 application resources: typically involves a number of valid requests, each of which consumes significant resources, thus limiting the ability of the server to respond to requests from other users
Classic Denial-of-Service Attacks
flooding ping command
 aim of this attack is to overwhelm the capacity of the
network connection to the target organization
 traffic can be handled by higher capacity links on the path,
but packets are discarded as capacity decreases
 source of the attack is clearly identified unless a spoofed
address is used
 network performance is noticeably affected
Source Address Spoofing
 use forged source addresses
 usually via the raw socket interface on operating
systems
 makes attacking systems harder to identify
 attacker generates large volumes of packets that
have the target system as the destination address
 congestion would result in the router connected
to the final, lower capacity link
 requires network engineers to specifically query
flow information from their routers
 backscatter traffic
 advertise routes to unused IP addresses to monitor
attack traffic
SYN Spoofing
common DoS attack
attacks the ability of a server to respond to
future connection requests by overflowing the
tables used to manage them
thus legitimate users are denied access to the
server
hence an attack on system resources,
specifically the network handling code in the
operating system
[Figure: TCP Connection Handshake; TCP SYN Spoofing Attack]
Flooding Attacks
 classified based on network protocol used
 intent is to overload the network capacity on some link to a server
 virtually any type of network packet can be used
ICMP flood
• ping flood using ICMP echo request packets
• traditionally network administrators allow such packets into their
networks because ping is a useful network diagnostic tool
UDP flood
• uses UDP packets directed to some port number on the target
system
TCP SYN flood
• sends TCP packets to the target system
• total volume of packets is the aim of the attack rather than the
system code
DoS Attack Prevention
block spoofed source addresses
on routers as close to source as possible
 filters may be used to ensure path back to the claimed source
address is the one being used by the current packet
filters must be applied to traffic before it leaves the
ISP’s network or at the point of entry to their network
use modified TCP connection handling code
cryptographically encode critical information in a
cookie that is sent as the server’s initial sequence
number
 legitimate client responds with an ACK packet containing
the incremented sequence number cookie
drop an entry for an incomplete connection from the
TCP connections table when it overflows
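As an added example (not from the slides), the SYN-cookie idea in the bullets above written out in Python: the server's initial sequence number carries a minute counter, an MSS index and a keyed MAC over the connection's addresses and ports, so no entry goes into the TCP connection table until a client's ACK proves it actually received the SYN-ACK, which defeats the SYN spoofing attack described earlier. The secret key, the 4-entry MSS table and the 5/3/24-bit layout are assumptions made for this demo.

```python
import hashlib
import hmac

# Assumed for the demo (not from the slides): a server secret, a 4-entry MSS
# table and the classic 5/3/24-bit layout (minute counter, MSS index, MAC).
SECRET = b"constructed-demo-secret-rotate-in-production"
MSS_TABLE = (536, 1220, 1460, 4460)   # the index, not the MSS itself, fits in the cookie
MAX_AGE_MINUTES = 1                    # cookies older than this are rejected


def _mac24(four_tuple, client_isn, t, secret):
    """24-bit keyed MAC over the connection identity, the client's ISN and the
    minute counter; the only server-side state it needs is the secret key."""
    src_ip, src_port, dst_ip, dst_port = four_tuple
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{t}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(four_tuple, client_isn, client_mss, minute, secret=SECRET):
    """Server ISN for the SYN-ACK. Nothing is added to the TCP connection
    table here, so a flood of spoofed SYNs cannot overflow it."""
    usable = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss] or [0]
    t = minute % 32
    return (t << 27) | (usable[-1] << 24) | _mac24(four_tuple, client_isn, t, secret)


def check_syn_cookie(four_tuple, ack_seq, ack_ack, minute, secret=SECRET):
    """Validate the handshake's final ACK. Returns the MSS to use for the new
    connection, or None if the ACK does not carry a fresh, authentic cookie."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF      # client acknowledges our ISN + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF  # its sequence number is its ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if (minute - t) % 32 > MAX_AGE_MINUTES or mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(four_tuple, client_isn, t, secret)
    # Constant-time comparison of the 3-byte MAC fields.
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"),
                               expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    conn = ("198.51.100.7", 40001, "203.0.113.10", 443)   # constructed addresses
    isn = make_syn_cookie(conn, client_isn=0x12345678, client_mss=1460, minute=10)
    # A real client echoes isn + 1; a spoofed SYN never produces this ACK.
    print(hex(isn), check_syn_cookie(conn, 0x12345679, isn + 1, minute=10))
```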
DoS Attack Prevention
block IP directed broadcasts
block suspicious services and combinations
manage application attacks with a form of
graphical puzzle (captcha) to distinguish
legitimate human requests
good general system security practices
use mirrored and replicated servers when
high performance and reliability are required
Responding to DoS Attacks
Good Incident Response Plan
• details on how to contact technical personnel at the ISP
• needed to impose traffic filtering upstream
• details of how to respond to the attack
antispoofing, directed broadcast, and rate
limiting filters should have been implemented
ideally have network monitors and IDS to
detect and notify abnormal traffic patterns
Responding to DoS Attacks
 identify type of attack
 capture and analyze packets
 design filters to block attack traffic upstream
 or identify and correct system/application bug
 have ISP trace packet flow back to source
 may be difficult and time consuming
 necessary if planning legal action
 implement contingency plan
 switch to alternate backup servers
 commission new servers at a new site with new
addresses
 update incident response plan
 analyze the attack and the response for future
handling
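The "identify type of attack / capture and analyze packets" steps above, and the ICMP, UDP and TCP SYN flood classes from the Flooding Attacks slide, as an added example that is not part of the original slides: a small Python classifier over raw IPv4 packets that reports which flood class dominates a capture and how many distinct sources it came from. The packets are constructed inline (minimal headers, checksums left at zero) so the code runs offline; the threshold is an assumption.

```python
import struct
from collections import Counter


def build_ipv4(proto, src, dst, l4):
    """Constructed 20-byte IPv4 header (no options, checksum 0) plus an L4 payload."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip(src), ip(dst))
    return hdr + l4


def tcp_segment(flags):
    """20-byte TCP header; the flags byte lands at offset 13."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, flags, 65535, 0, 0)


ICMP_ECHO_REQ = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # type 8 = echo request (ping)
UDP_DGRAM = struct.pack("!HHHH", 40000, 53, 8, 0)


def classify(packet):
    """Return (source_ip, flood_class) for one raw IPv4 packet, using the
    classes from the slide: icmp_echo, udp, tcp_syn (plus tcp_other / other)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    l4 = packet[ihl:]
    if proto == 1 and l4[0] == 8:
        return src, "icmp_echo"
    if proto == 17:
        return src, "udp"
    if proto == 6:
        syn, ack = l4[13] & 0x02, l4[13] & 0x10
        return src, "tcp_syn" if syn and not ack else "tcp_other"
    return src, "other"


def detect_floods(packets, threshold):
    """Summarise a capture per flood class as {class: (packets, distinct_sources)}.
    Only classes at or above `threshold` are reported. A SYN class with many
    sources and almost no matching ACKs points at spoofed addresses, so the
    upstream filter to ask the ISP for is on destination/protocol, not sources."""
    counts, sources = Counter(), {}
    for pkt in packets:
        src, kind = classify(pkt)
        counts[kind] += 1
        sources.setdefault(kind, set()).add(src)
    return {k: (n, len(sources[k])) for k, n in counts.items() if n >= threshold}


def sample_capture():
    """Constructed capture: a SYN flood from six sources plus a little normal noise."""
    target = "203.0.113.10"
    pkts = [build_ipv4(6, f"198.51.100.{i}", target, tcp_segment(0x02)) for i in range(1, 7)]
    pkts.append(build_ipv4(6, target, "198.51.100.1", tcp_segment(0x12)))   # SYN-ACK reply
    pkts.append(build_ipv4(1, "192.0.2.5", target, ICMP_ECHO_REQ))
    pkts.append(build_ipv4(1, "192.0.2.6", target, ICMP_ECHO_REQ))
    pkts.append(build_ipv4(17, "192.0.2.7", target, UDP_DGRAM))
    return pkts


if __name__ == "__main__":
    print(detect_floods(sample_capture(), threshold=5))   # {'tcp_syn': (6, 6)}
```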
Packet Sniffing
• A packet sniffer is a passive device (as
opposed to port or vulnerability scanners,
which by their nature are “active” systems).
• Packet sniffers are more formally known as
network analyzers and protocol analyzers.
• The name network analyzer is justified by the
fact that you can use a packet sniffer to
localize a problem in a network.
• As an example, suppose that a packet sniffer
says that the packets are indeed being put on
the wire by the different hosts.
• If the network interface on a particular host is
not seeing the packets, you can be a bit more
certain that the problem may be with the
network interface in question.
• The name protocol analyzer is justified by the
fact that a packet sniffer can look inside the
packets for a given service (especially the
packets exchanged during handshaking and
other such negotiations) and make sure that
the packet composition is as specified in the
RFC document for that service protocol.
• Using the information captured by the packet
sniffer an administrator can identify erroneous
packets and use the data to pinpoint
bottlenecks and help maintain efficient
network data transmission.
• What makes packet sniffing such a potent tool
is that a majority of LANs are based on the
shared Ethernet notion.
• In a shared Ethernet, you can think of all of
the computers in a LAN as being plugged into
the same wire (notwithstanding appearances
to the contrary).
Packet Sniffing with Wireshark (formerly Ethereal)
• Wireshark is a packet sniffer that, as far as the
packet sniffing is concerned, works pretty much
the same way as tcpdump.
• (It also uses the pcap library.)
• What makes wireshark special is its GUI front
end that makes it extremely easy to analyze
the packets.
Social Engineering
• Any network, no matter how secure it is from a
purely engineering perspective, can be
compromised through what is now commonly
referred to as “social engineering.”
• I would now like to present a summary of the
different steps/facets of a classic social
engineering attack.
• This listing is taken from
http://www.fsecure.com/weblog/archives/00001638.html:
• 1. You receive a spoofed e-mail with an attachment
• 2. The e-mail appears to come from someone you know
• 3. The contents make sense and talk about real things (and in your
language)
• 4. The attachment is a PDF, DOC, PPT or XLS
• 5. When you open up the attachment, you get a document on your
screen that makes sense, but you also get exploited at the same
time
• 6. The exploit drops a hidden remote access trojan, typically a
Poison Ivy or Gh0st Rat variant
• 7. You are the only one in your organization who receives such an
email
• 8. You work for a government, a defense contractor or an NGO
War Dialling
• What is war dialing?
• War dialing uses a software program to
automatically call large numbers of telephone
numbers in a defined range to search for ones
that have a modem attached.
• The hacker simply enters an area code and the
three digit exchange of a phone number.
• The war dialer will then call all numbers having
that area code and starting with that exchange.
• Corporations are particularly vulnerable to this
type of attack because each of their locations is
typically assigned phone numbers having the
same area code and exchange.
• Armed with a log of phone numbers of the
modems that answered, the hacker may then
attempt to gain unauthorized access to the
computer system attached to the modems.
• Some of these programs can also determine
which operating system is running on the
computer and perform automated penetration
testing.
• To do the latter, the war dialer runs through a list
of common user names and passwords in order
to gain access to the computer.
War Dialing Example
• The following is an example of war dialing, albeit
benign.
• Peter Shipley is a computer consultant in the San
Francisco Bay area.
• In the late nineties he spent several years
completing a study in which he dialed every
telephone number in the 508, 415, 510, 650, and
708 exchanges.
• His goal was to find the number of modems that
represented a security risk to their owners.
• He wanted to use this number to make the public
more aware of the threat that unprotected
modems present.
• Shipley found dial-ups to many vulnerable
personal computers, as well as to hotels and even
banks.
• He had potential access to such sensitive
information as medical records and fire
department dispatch computers.
• His work did help to bring media attention to the
issue.
War Dialing Products
• Unfortunately, network vulnerability scanners overlook the threat
presented by unprotected modems, so phone scanning software
must be used.
• Phone scanning software falls into two types: freeware and
commercial.
• Starting with the freeware type can help the novice to become
more familiar with the features of a phone scanner and to
determine which features are important to him or her.
• Another advantage of using the freeware type of scanner is that
this type of software is more likely to be used by an unauthorized
scanner.
• THC-Scan (with THC standing for The Hacker's Choice) is one of the
more popular freeware scanners, and is available at
http://www.thehackerschoice.com/releases.php.
• In contrast, commercial phone scanners are more
appropriate for large companies having strict
security requirements.
• Commercial software provides more robust
feature sets, as well as wider vendor support and
hardware capabilities.
• One of the big advantages that commercial
phone scanners have over freeware scanners is
that they can make multiple calls in parallel, on
multiple phone lines.
• Two of the better-known commercial phone
scanners available are Telesweep Secure from
SecureLogix and PhoneSweep, put out by
Sandstorm Enterprise, Inc.
War Driving
• What is War Driving?
• War driving is one of the latest hacker fads, and is
closely related to war dialing.
• Both involve scanning, in order to gain unauthorized
access to computers and networks.
• War dialing, however, involves using software and a
stationary computer to scan for unprotected modems.
• War driving, on the other hand, involves driving around
and scanning in search of unprotected 802.11 wireless
networks.
• The 802.11 access points and cards currently
on the market use WEP (Wired Equivalent
Protocol) for security.
• WEP is supposed to make it hard to eavesdrop
on a wireless network or gain access to one
without authorization.
• Researchers at University of California at
Berkeley, however, have recently discovered a
number of problems with the WEP algorithm.
• The following is a list of the types of attacks they
discovered:
• Passive attacks to decrypt traffic based on statistical
analysis.
• Active attack to inject new traffic from unauthorized
mobile stations, based on known plaintext.
• Active attacks to decrypt traffic, based on tricking the
access point.
• Dictionary-building attack that, after analysis of about
a day's worth of traffic, allows real-time automated
decryption of all traffic.
• Despite its reported flaws, using WEP should
still be better than using nothing for security,
yet many wireless installations don't even use
WEP.
• Those that do may still be open to attack if
they have the encryption key set to one of the
commonly known defaults.
War Driving Example
• The following example of benign war driving involves another study
by Peter Shipley.
• It follows the formula: "laptop + wireless + GPS + car = war driving."
• Using special monitoring software on a laptop that is connected
to a GPS receiver and a Lucent antenna on the roof of his car, Peter
Shipley is "war driving" the streets of Oakland, San Francisco and
parts of Silicon Valley, scanning for unprotected 802.11 wireless
networks.
• His goal is to create a database that maps the location of open
802.11 wireless networks.
• His intent is not to help bad guys, and he won't be publishing the
raw data.
War Driving Tools
• Tools to aid in war driving are starting to become
available. The following is a partial list of such
tools:
• A Perl script by Peter Shipley to pull stats from
FreeBSD's wicontrol and lat/long from a GPS unit.
• http://lists.bawug.org/pipermail/wireless/2001April/000679.html
• Two Perl scripts by frisco@blackant.net, which he
used to map around Ann Arbor, MI (supposedly
there are some bugs in this so beware).
• http://blackant.net/other/wireless.php
• A Windows application by Marius Milner
<mariusm@pacbell.net> called NetStumbler.
• He hasn't released it yet, but you can get a copy
for evaluation by emailing him.
• You can see his announce message on BAWUG
and see a screenshot of it in action
• http://lists.bawug.org/pipermail/wireless/2001May/000999.html
• http://home.pacbell.net/mariusm/netstumbler.jpg
Malware
[NIST05] defines malware as:
“a program that is inserted into a system, usually
covertly, with the intent of compromising the
confidentiality, integrity, or availability of the victim’s
data, applications, or operating system or otherwise
annoying or disrupting the victim.”
Classification of Malware
classified into two broad categories:
• based first on how it spreads or propagates to reach the desired targets
• then on the actions or payloads it performs once a target is reached
also classified by:
• those that need a host program (parasitic code such as viruses)
• those that are independent, self-contained programs (worms, trojans, and bots)
• malware that does not replicate (trojans and spam e-mail)
• malware that does replicate (viruses and worms)
[Figure: Worm Propagation Model]
Types of Malicious Software (Malware)
propagation mechanisms include:
• infection of existing content by viruses that is subsequently spread to
other systems
• exploit of software vulnerabilities by worms or drive-by-downloads to
allow the malware to replicate
• social engineering attacks that convince users to bypass security
mechanisms to install Trojans or to respond to phishing attacks
payload actions performed by malware once it
reaches a target system can include:
• corruption of system or data files
• theft of service/make the system a zombie agent of attack as
part of a botnet
• theft of information from the system/keylogging
• stealthing/hiding its presence on the system
Viruses
• piece of software that infects programs
– modifies them to include a copy of the virus
– replicates and goes on to infect other content
– easily spread through network environments
• when attached to an executable program a virus can
do anything that the program is permitted to do
– executes secretly when the host program is run
• specific to operating system and hardware
– takes advantage of their details and weaknesses
Virus Components
infection mechanism
• means by which a virus spreads or propagates
• also referred to as the infection vector
trigger
• event or condition that determines when the payload is activated
or delivered
• sometimes known as a logic bomb
payload
• what the virus does (besides spreading)
• may involve damage or benign but noticeable activity