White Paper: Type of Attacks
Author: Mr. Mayank Lau
Consultant Security-Practices
DATA SECURITY COUNCIL OF INDIA
Niryat Bhawan, 3rd Floor, Rao Tula Ram
Marg, New Delhi – 110057
P: +91-11-26155071 | W: www.dsci.in
A NASSCOM® Initiative
Type of Attacks
EXECUTIVE SUMMARY
As business is digitized worldwide and interaction goes mobile, IT security specialists and white hats are finding it difficult to guard against an ever-growing catalogue of threats. This catalogue is dynamic in nature and needs continuous attention. We need to understand how to make our working and social environments safe from these threats, and the first step we can take is to understand how they function and behave. With this in mind, this white paper consolidates nearly all threat definitions at the macro level. It serves anyone who needs to understand the definitions of these attacks and the symptoms associated with them. Since both the endpoint and the wider cyber world are relevant to every organization, the types of threats affecting both disciplines are covered.
The last decade has witnessed a paradigm shift in how hackers look to exploit vulnerabilities within organizational and national infrastructure. To counter this, we all have to change our outlook on how we view security around the globe. This white paper discusses the latest exploits and trends and what we can learn from them.
Shedding light on the nature and behavior of infection vectors, and keeping this paper up to date, will require a collaborative effort from all of us.
Contents
1. DoS Attacks
2. Ping Flood
3. Ping of Death
4. Port Scanning
5. ARP Spoofing
6. ACK Flood
7. FTP Bounce Attack
8. TCP Session Hijacking
9. Man-In-The-Middle Attack
10. Social Engineering Attacks
11. OS Finger Printing
12. Stealth Scan
13. Key-Loggers
14. ICMP Tunneling
15. LOKI Attack
16. TCP Sequence Attack
17. CAM Table Overflow
18. WEB APPLICATION ATTACKS
19. Virus
20. Worm
21. Malware
22. Adware
23. Spyware
24. Trojan
25. Root kit
REFERENCES
1. DoS Attacks:
In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate
users from accessing information or services.
The most common and obvious type of DoS attack occurs when an attacker
"floods" a network with information. When you type a URL for a particular website
into your browser, you are sending a request to that site's computer server to
view the page. The server can only process a certain number of requests at
once, so if an attacker overloads the server with requests, it can't process your
request. This is a "denial of service" because you can't access that site.
Tools generally used are Hping, Nemesis and other packet-crafting tools.
Symptoms:
- unusually slow network performance (opening files or accessing websites)
- unavailability of a particular website
- inability to access any website
- dramatic increase in the amount of spam you receive in your account
Examples: On December 8, 2010, a group calling themselves "Anonymous" launched orchestrated DDoS attacks on organizations such as Mastercard.com, PayPal, Visa.com and PostFinance as part of the ongoing "Operation Payback" campaign, which originally targeted anti-piracy organizations, in support of the whistleblowing site WikiLeaks and its founder, Julian Assange. The attack successfully brought down the Mastercard, PostFinance and Visa websites by deploying 3 versions of the Denial of Service tool.
On November 28, 2010, the whistleblower site wikileaks.org experienced a DDoS attack. This was presumably related to the pending release of many thousands of secret diplomatic cables.
Types of DoS Attack:
1. ICMP Flood Attack
2. Tear Drop Attack
3. Smurf Attack
4. SYN Flood
5. Land Attack
6. Jolt DoS Attack
7. Fraggle DoS Attack
Tear Drop Attack:
A series of fragmented packets is sent to the target computer with overlapping offset values and oversized payloads. As a result, the target computer is unable to reassemble these packets and is forced to crash, hang or even reboot.
Example
Around September 2009, a vulnerability in Windows Vista was referred to as a "teardrop attack", but that attack targeted SMB2, which is a higher layer than the TCP packets the original teardrop used.
Land Attack:
The attacker sends a spoofed TCP SYN packet in which the IP address of
the target is filled in both the source and destination fields. On receiving the
spoofed packet, the target gets confused and goes into a frozen state.
Note: These types of attacks are detected by anti-virus software these days.
Example
This security flaw was actually first discovered in 1997 by someone using the
alias "m3lt", and has resurfaced many years later in operating systems such as
Windows Server 2003 and Windows XP SP2.
Jolt DoS Attack:
An attacker fragments an ICMP packet in such a way that the target cannot reassemble it. Consequently, CPU usage climbs until the target crashes.
Example:
In 2009 Jolt DoS attacks were used against Twitter in a series of electronic attacks that targeted large web hosts and domain registrars. The attacks knocked Twitter offline for some time, with both Netcraft and Pingdom reporting about three hours of downtime. Twitter co-founder Biz Stone confirmed that the outage was caused by a denial of service attack (Jolt in this case), which affected both the Twitter web site and the services that access Twitter data via API calls, according to Twitter.
Smurf Attack:
The attacker sends a large number of ICMP echo requests to an IP broadcast address. These requests carry the spoofed source address of the intended victim, so if the routing device delivering traffic to that broadcast address forwards the IP broadcast to all hosts, most of them send an echo reply to the victim. On a multi-access broadcast network, hundreds of computers might reply to each packet, and the target network is overwhelmed by all the messages sent simultaneously, so it is unable to work normally.
Example
In July and August 2010, the Irish government Central Applications Office
server was hit by a denial of service attack on four separate occasions, causing
difficulties for thousands of Second Level students who are required to use the
CAO to apply for University and College places.
Fraggle DoS Attack:
The attacker sends a large amount of UDP echo request traffic to an IP broadcast address. These UDP packets carry the spoofed source address of the intended victim, so if the routing device delivering traffic to that broadcast address forwards the IP broadcast to all hosts, most of them send an echo reply to the victim. On a multi-access broadcast network, hundreds of computers might reply to each packet, and the target network is overwhelmed by all the messages sent simultaneously, so it is unable to work normally.
Example
Using Fraggle UDP requests, hackers were able to expose over 100,000 AT&T customers' iPad records. In June, a cybercriminal organization named "Goatse" was able to exploit a security flaw through an AT&T Web application. The breach exposed the email addresses of iPad 3G users. Many high-ranking media, government and military members of Apple's early adopter program were on the list, and numerous members of the U.S. Department of Defense's advanced research team had their information exposed. Websense believes that Apple will continue to be a choice attack target as the consumerization of its products quickly flourishes in many work environments.
SYN Flood:
A SYN flood sends a flood of TCP SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK packet and waiting for a response from the sender address. Because the sender address is forged, the response never comes. These half-open connections saturate the number of connections the server is able to hold open, keeping it from responding to legitimate requests until the attack ends.
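The half-open connection pattern described above can be read straight off a server's connection table. The following is an added example (not code from this paper) that parses constructed netstat-style rows and flags the SYN flood signature; the thresholds are assumptions to tune per site.

```python
"""Added example: spotting a SYN flood from a connection table snapshot.

Constructed netstat-style rows, not output from a real host or from the paper.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed snapshot: columns proto recv-q send-q local remote state
FLOOD_SNAPSHOT = """
tcp 0 0 10.0.0.5:80 203.0.113.10:51522 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.11:49877 ESTABLISHED
tcp 0 0 10.0.0.5:80 198.51.100.7:40001 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.19:40002 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.23:40003 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.88:40004 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.120:40005 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.201:40006 SYN_RECV
tcp 0 0 10.0.0.5:22 203.0.113.10:51600 ESTABLISHED
"""

QUIET_SNAPSHOT = """
tcp 0 0 10.0.0.5:80 203.0.113.10:51522 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.11:49877 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.12:49901 SYN_RECV
"""

Row = Tuple[str, str, str]  # (local, remote, state)


def parse_snapshot(text: str) -> List[Row]:
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp"):
            rows.append((parts[3], parts[4], parts[5]))
    return rows


def half_open_report(rows: List[Row], local_port: int) -> Dict[str, float]:
    """Summarise half-open (SYN_RECV) connections on one listening port."""
    on_port = [r for r in rows if r[0].endswith(f":{local_port}")]
    half_open = [r for r in on_port if r[2] == "SYN_RECV"]
    # Each forged source usually shows up once, so per-source counts stay at 1:
    # blocking individual sources does not help, which is why backlog limits and
    # SYN cookies are the usual server-side mitigations.
    sources = Counter(remote.rsplit(":", 1)[0] for _, remote, _ in half_open)
    return {
        "connections": len(on_port),
        "half_open": len(half_open),
        "half_open_ratio": len(half_open) / len(on_port) if on_port else 0.0,
        "distinct_half_open_sources": len(sources),
        "max_per_source": max(sources.values(), default=0),
    }


def is_syn_flood(report: Dict[str, float], min_half_open: int = 5, min_ratio: float = 0.5) -> bool:
    """Alert when half-open entries are both numerous and dominate the table."""
    return report["half_open"] >= min_half_open and report["half_open_ratio"] >= min_ratio


if __name__ == "__main__":
    for label, snap in (("flood", FLOOD_SNAPSHOT), ("quiet", QUIET_SNAPSHOT)):
        rep = half_open_report(parse_snapshot(snap), 80)
        print(label, rep, "SYN flood" if is_syn_flood(rep) else "normal")
```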
2. Ping Flood:
A ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping" command from UNIX-like hosts (the -t flag on Windows systems has a far less malignant function). It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.
Example
On August 6, 2009, several social networking sites, including Twitter, Facebook, LiveJournal and Google blogging pages, were hit by ping flood attacks, apparently aimed at Georgian blogger "Cyxymu". This brought downtime for some of these social networking sites.
3. Ping of Death:
The attacker sends an ICMP packet larger than 65,536 bytes. Since the OS does not know how to handle such a large packet, it either freezes or crashes while reassembling it. Nowadays operating systems discard such packets themselves.
Example
This was affecting every one of us on a daily basis, as Microsoft recently plugged a 1990s-era 'Ping of Death' and patched IE9 and the Windows DNS service. Microsoft issued 13 security updates that patched 22 vulnerabilities in Internet Explorer, Windows, Office and other software, including one that harked back two decades to something dubbed "Ping of Death."
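The Tear Drop, Jolt and Ping of Death attacks above all abuse IP fragment reassembly. The following added example (not code from this paper) runs the checks a reassembly queue should apply before accepting a datagram's fragments, on constructed fragment sets; offsets are given in bytes for readability.

```python
"""Added example: sanity checks on the fragments of one IP datagram before reassembly.

Constructed data only; not code from the DSCI paper. Offsets are given in bytes here
(on the wire the IP fragment offset field counts 8-byte units).
"""
from dataclasses import dataclass
from typing import List

MAX_IP_DATAGRAM = 65535  # largest total length an IPv4 datagram may have


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field, shared by all fragments of one datagram
    offset: int   # byte offset of this fragment's payload within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True when further fragments follow


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return findings for one datagram's fragments; an empty list means they look sane."""
    findings: List[str] = []
    if not frags:
        return findings
    ordered = sorted(frags, key=lambda f: f.offset)
    if len({f.ident for f in ordered}) != 1:
        findings.append("fragments carry different IP identification values")
    covered_end = 0   # end of the region reassembled so far
    hole = False
    for f in ordered:
        if f.offset < covered_end:
            # A later fragment claims bytes already covered: the teardrop/jolt pattern.
            findings.append(f"overlapping fragment at offset {f.offset} (teardrop pattern)")
        elif f.offset > covered_end:
            hole = True
        covered_end = max(covered_end, f.offset + f.length)
    if covered_end > MAX_IP_DATAGRAM:
        # Reassembled size above the IPv4 limit: the ping-of-death pattern.
        findings.append(
            f"reassembled length {covered_end} exceeds {MAX_IP_DATAGRAM} (ping of death pattern)"
        )
    if ordered[-1].more:
        findings.append("last fragment still has MF set; datagram incomplete")
    elif hole:
        findings.append("holes between fragments; datagram cannot be reassembled")
    return findings


# Constructed fragment sets (ident 0x1234), each modelling one of the patterns above.
NORMAL = [
    Fragment(0x1234, 0, 1480, True),
    Fragment(0x1234, 1480, 1480, True),
    Fragment(0x1234, 2960, 540, False),
]
TEARDROP = [
    Fragment(0x1234, 0, 1480, True),
    Fragment(0x1234, 1000, 200, False),    # starts inside the first fragment
]
PING_OF_DEATH = [
    Fragment(0x1234, 0, 1480, True),
    Fragment(0x1234, 65120, 1480, False),  # 65120 + 1480 = 66600 bytes in total
]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH)):
        print(name, check_fragments(frags) or ["ok"])
```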
Distributed Denial of Service (DDoS):
In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is "distributed" because the attacker is using multiple computers, including yours, to launch the denial-of-service attack. Tools used are TFN (Tribe Flood Network), TFN2K, Trin00, Trinity, Stacheldraht, Shaft and MStream.
Example
In July and August 2010, the Irish Central Applications Office server was hit by a denial of service attack on four separate occasions, causing difficulties for thousands of Second Level students who are required to use the CAO to apply for University and College places. The attack is currently subject to a Garda investigation.
Prevention:
1. Applying router filtering
2. Blocking undesired IP addresses
3. Permitting network access only to desired traffic
4. Disabling unneeded network services
5. Updating antivirus regularly
6. Having a very good password policy
7. Limiting the amount of network bandwidth
8. Using network ingress filtering
4. Port Scanning:
Port scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. All machines connected to a Local Area Network (LAN) or the Internet run many services that listen on well-known and not-so-well-known ports. A port scan helps the attacker find which ports are open (i.e., which service might be listening on a port).
Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed further for weakness.
- Well Known Ports (0 - 1023)
- Registered Ports (1024 - 49151)
- Dynamic and/or Private Ports (49152 - 65535)
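Because a scan touches many ports from one source in a short time, it stands out in firewall logs. The following added example (not code from this paper) detects that pattern over constructed log lines in an assumed `t= src= dst= dport= flags=` format and classifies the probed ports using the three ranges listed above.

```python
"""Added example: flagging port scans in firewall connection logs.

Constructed log lines, not from the paper. Port classes follow the IANA ranges listed above.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"t=(?P<t>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)"
)


def port_class(port: int) -> str:
    """Classify a TCP/UDP port into the three ranges named in the text."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a port number: {port}")


def detect_port_scans(lines: List[str], threshold: int = 10, window: int = 60) -> Dict[Tuple[str, str], List[int]]:
    """Return {(src, dst): all probed ports} for pairs that hit >= threshold distinct ports within window seconds."""
    events: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            events[(m["src"], m["dst"])].append((int(m["t"]), int(m["dport"])))
    alerts: Dict[Tuple[str, str], List[int]] = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward in time
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= threshold:
                alerts[pair] = sorted({p for _, p in evs})   # report everything the pair probed
                break
    return alerts


# Constructed: one host sweeps a dozen ports in 12 seconds; a normal client only uses 80 and 443.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = [
    f"t={i} src=198.51.100.7 dst=10.0.0.5 dport={p} flags=S" for i, p in enumerate(SCAN_PORTS)
] + [
    f"t={t} src=203.0.113.10 dst=10.0.0.5 dport={p} flags=S" for t, p in ((3, 80), (9, 443), (40, 80), (55, 443))
]

if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        classes = sorted({port_class(p) for p in ports})
        print(f"{src} -> {dst}: {len(ports)} ports ({', '.join(classes)})")
```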
5. ARP Spoofing:
ARP spoofing, also known as ARP Poison Routing (APR), is a technique used to attack a wired or wireless Ethernet network. ARP spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack can only be used on networks that actually make use of ARP and not another method of address resolution.
Detection: Reverse ARP (RARP) is a protocol used to query the IP address
associated with a given MAC address. If more than one IP address is returned,
MAC cloning is present.
Tools: Arpoison, Cain and Abel, and Ettercap
Example
One ARP Spoofing packet sniffer obtained data for about 5,000 Dave & Buster's
customers in Islandia, New York, causing losses of at least $600,000 to the card
issuing banks. While the defendants successfully penetrated a terminal at an
Arundel, Maryland, location in April 2007, their packet sniffer did not work, so
they were unable to gain access to any credit card data. Improved versions of
their program successfully logged the information, but a bug caused the software
to be deactivated each time the point-of-sale servers were rebooted.
MAC Flood Attack: In a typical MAC flooding attack, a switch is flooded with packets, each containing a different source MAC address. The intention is to consume the limited memory set aside in the switch to store the MAC-address-to-physical-port translation table.
Tools: XArp
The result of this attack is that the switch enters a state called fail-open mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as in normal operation. A malicious user could then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords, e-mail and instant messaging conversations), which would not be accessible were the switch operating normally.
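Both layer-2 attacks above leave traces in tables a defender already has: ARP spoofing shows up as one IP answered by two MACs (or one MAC holding several IPs, the MAC cloning that the RARP check in the text looks for), and MAC flooding shows up as a single switch port learning hundreds of addresses. The following added example (not code from this paper) runs both checks over constructed observations.

```python
"""Added example: two layer-2 checks, an ARP consistency check (the RARP/MAC-cloning
test described above) and a per-port learned-MAC count for MAC flooding.

Constructed observations, not data from the paper.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed (ip, mac) pairs as seen in ARP replies on one segment.
ARP_OBSERVATIONS: List[Tuple[str, str]] = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # the real gateway
    ("10.0.0.20", "00:11:22:33:44:20"),
    ("10.0.0.21", "00:11:22:33:44:99"),
    ("10.0.0.1", "00:11:22:33:44:99"),   # a second MAC also claims the gateway's IP
]


def arp_conflicts(observations: List[Tuple[str, str]]) -> Dict[str, Dict[str, List[str]]]:
    """Report IPs claimed by several MACs and MACs claiming several IPs."""
    ip_to_macs: Dict[str, Set[str]] = defaultdict(set)
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in observations:
        ip_to_macs[ip].add(mac.lower())
        mac_to_ips[mac.lower()].add(ip)
    return {
        # Two MACs answering for one IP is the direct sign of a spoofed ARP reply.
        "ip_with_multiple_macs": {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1},
        # One MAC holding several IPs is what the RARP check in the text calls MAC cloning.
        "mac_with_multiple_ips": {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1},
    }


def build_mac_table() -> List[Tuple[str, str]]:
    """Constructed switch MAC table: two normal ports and one port learning 200 addresses."""
    table = [("Gi0/1", "00:11:22:33:44:01"), ("Gi0/2", "00:11:22:33:44:20")]
    table += [("Gi0/7", f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}") for i in range(200)]
    return table


def mac_flood_ports(mac_table: List[Tuple[str, str]], threshold: int = 50) -> Dict[str, int]:
    """Ports whose learned-MAC count exceeds threshold; an access port normally has a handful."""
    per_port: Dict[str, Set[str]] = defaultdict(set)
    for port, mac in mac_table:
        per_port[port].add(mac.lower())
    return {port: len(macs) for port, macs in per_port.items() if len(macs) > threshold}


if __name__ == "__main__":
    print(arp_conflicts(ARP_OBSERVATIONS))
    print(mac_flood_ports(build_mac_table()))
```

Port-security style limits on learned MACs per access port are the switch-side counterpart of the second check.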
Example
Anti-Spyware 2011, a MAC flood which attacks Windows 9x, 2000, XP, Vista and Windows 7, poses as an anti-spyware program. It actually disables security-related processes of anti-virus programs, while also blocking access to the Internet, which prevents updates.
DNS cache poisoning:
This is a maliciously created or unintended situation that provides data to a
caching name server that did not originate from authoritative Domain Name
System (DNS) sources. This can happen through improper software design,
misconfiguration of name servers, and maliciously designed scenarios exploiting
the traditionally open architecture of the DNS system. Once a DNS server has
received such non-authentic data and caches it for future performance increase,
it is considered poisoned, supplying the non-authentic data to the clients of the
server.
Example
In July 2009 Symantec discovered the Daprosy worm, which used DNS cache poisoning. This Trojan worm is intended to steal online-game passwords in internet cafes. It could, in fact, intercept all keystrokes and send them to its author, which makes it a particularly dangerous worm to infect B2B (business-to-business) systems.
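A caching resolver keeps non-authentic data out of its cache by checking each reply against the query it is waiting for and by discarding records for names outside the zone it asked about. The following added example (not code from this paper or any resolver) applies those checks to constructed DNS messages; the `PendingQuery` and `Response` records are simplified stand-ins for parsed packets.

```python
"""Added example: resolver-side checks that stop a forged or out-of-bailiwick DNS reply
from entering the cache. Constructed messages, not data from the paper.
"""
from dataclasses import dataclass
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, type, rdata)


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    qname: str
    qtype: str
    server: Tuple[str, int]   # address and port the query was sent to
    client_port: int          # our randomised source port; the reply must return to it
    zone: str                 # zone the queried server is authoritative for (its bailiwick)


@dataclass(frozen=True)
class Response:
    txid: int
    qname: str
    qtype: str
    src: Tuple[str, int]
    dst_port: int
    records: List[Record]     # answer, authority and additional records, flattened


def in_bailiwick(name: str, zone: str) -> bool:
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def process_response(pending: PendingQuery, resp: Response) -> Tuple[List[Record], List[str]]:
    """Return (records safe to cache, reasons). A hard mismatch caches nothing."""
    hard: List[str] = []
    if resp.txid != pending.txid:
        hard.append("transaction id mismatch")
    if resp.src != pending.server:
        hard.append("reply from unexpected server address/port")
    if resp.dst_port != pending.client_port:
        hard.append("reply sent to a port we did not query from")
    if (resp.qname.lower(), resp.qtype) != (pending.qname.lower(), pending.qtype):
        hard.append("question section does not match the query")
    if hard:
        return [], hard
    accepted: List[Record] = []
    dropped: List[str] = []
    for name, rtype, data in resp.records:
        # Records for names outside the queried zone are the classic poisoning payload.
        if in_bailiwick(name, pending.zone):
            accepted.append((name, rtype, data))
        else:
            dropped.append(f"dropped out-of-bailiwick record {name} {rtype} {data}")
    return accepted, dropped


# Constructed exchange: we asked ns1 of example.com (192.0.2.53) for www.example.com/A.
PENDING = PendingQuery(0x4A1B, "www.example.com", "A", ("192.0.2.53", 53), 40123, "example.com")
GENUINE = Response(0x4A1B, "www.example.com", "A", ("192.0.2.53", 53), 40123, [
    ("www.example.com", "A", "192.0.2.10"),
    ("example.com", "NS", "ns1.example.com"),
    ("www.bank.example.net", "A", "198.51.100.66"),   # unrelated name slipped into the additional section
])
FORGED = Response(0x0001, "www.example.com", "A", ("192.0.2.53", 53), 40123, [
    ("www.example.com", "A", "198.51.100.66"),        # guessed txid does not match
])

if __name__ == "__main__":
    print(process_response(PENDING, GENUINE))
    print(process_response(PENDING, FORGED))
```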
IP Spoofing:
IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged
source IP address, called spoofing, with the purpose of concealing the identity of
the sender or impersonating another computing system.
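Forged source addresses are what make Smurf, Fraggle and many DDoS floods work, and network ingress filtering (item 8 under Prevention) is the edge control against them. The following added example (not code from this paper) models an edge filter for constructed site prefixes: it drops packets whose source cannot legitimately arrive on that interface and drops directed broadcasts from outside, which removes the amplification path.

```python
"""Added example: an edge-router style filter combining network ingress/egress filtering
(the anti-spoofing control listed under Prevention) with a directed-broadcast drop
(the Smurf/Fraggle amplification control). Constructed prefixes, not from the paper.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the site's own subnets, with eth0 facing the Internet and eth1 facing the LAN.
SITE_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "10.0.1.0/24", "192.168.1.0/24")]
EXTERNAL_IF, INTERNAL_IF = "eth0", "eth1"


def is_site_address(ip) -> bool:
    return any(ip in net for net in SITE_SUBNETS)


def edge_filter(iface: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Decide accept/drop for a packet entering on iface; returns (verdict, reason)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop", "bogon source address"
    if iface == EXTERNAL_IF and is_site_address(src):
        # Ingress filtering: nobody outside may claim one of our addresses.
        return "drop", "our own address arriving from the Internet (spoofed source)"
    if iface == INTERNAL_IF and not is_site_address(src):
        # Egress filtering: our hosts may not send with foreign sources either,
        # so an infected machine inside cannot take part in a spoofed flood.
        return "drop", "foreign source address leaving the site"
    if iface == EXTERNAL_IF and any(dst == net.broadcast_address for net in SITE_SUBNETS):
        # Echo requests to a subnet broadcast from outside are the Smurf/Fraggle pattern.
        return "drop", "directed broadcast from the Internet (amplification pattern)"
    return "accept", ""


# Constructed packets: (interface, source, destination)
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("eth0", "203.0.113.9", "10.0.0.7"),       # ordinary inbound packet
    ("eth0", "10.0.0.5", "10.0.0.7"),          # spoofed: claims an internal source from outside
    ("eth0", "203.0.113.9", "10.0.0.255"),     # directed broadcast: reflector attempt
    ("eth1", "10.0.1.44", "203.0.113.9"),      # ordinary outbound packet
    ("eth1", "198.51.100.3", "203.0.113.9"),   # inside host sending with a foreign source
]


def filter_summary(packets: List[Tuple[str, str, str]] = SAMPLE_PACKETS) -> Dict[str, int]:
    verdicts = [edge_filter(*p)[0] for p in packets]
    return {"accept": verdicts.count("accept"), "drop": verdicts.count("drop")}


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, "->", edge_filter(*p))
```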
6. ACK flood:
This is a technique of sending TCP ACK packets to the target, often with a forged IP address. It is very similar to a TCP SYN flood attack.
7. FTP Bounce Attack:
The attacker connects to an FTP server and uses the PORT command to have the server send a file to another machine on a specified port, so the FTP server tries to reach that machine and reveals whether the port is open. It is obvious that FTP transfers would be allowed through the firewalls. These days almost all FTP servers are deployed with the PORT command disabled.
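The server-side fix that closed this hole is a check on the PORT command itself: the data connection may only go back to the host that holds the control connection. The following added example (hypothetical helper code, not from this paper or any FTP server) decodes `PORT h1,h2,h3,h4,p1,p2` and applies that check, using the conventional 200/500/501 reply codes.

```python
"""Added example: the server-side PORT command check that closes the FTP bounce hole.
Hypothetical helpers (not from any FTP server or from the paper); reply codes follow
the FTP convention of 200 for success and 500/501 for rejected commands.
"""
import re
from typing import Dict, Tuple

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.IGNORECASE
)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port) where port = p1*256 + p2."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PORT octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def evaluate_port_command(line: str, control_peer_ip: str) -> Tuple[str, str]:
    """Return the (reply code, text) the server should send for this PORT command."""
    try:
        ip, port = parse_port_command(line)
    except ValueError as err:
        return "501", str(err)
    if ip != control_peer_ip:
        # The bounce: the client asks the server to open a data connection to a third host.
        return "500", "Illegal PORT command: address differs from control connection peer"
    if port < 1024:
        # Even towards the client itself, refuse privileged ports so the server is not
        # used to relay data into the client's own services.
        return "500", "Illegal PORT command: privileged port"
    return "200", f"PORT command successful ({ip}:{port})"


# Constructed session: the control connection comes from 203.0.113.10.
CLIENT_IP = "203.0.113.10"
EXAMPLES: Dict[str, str] = {
    "legitimate": "PORT 203,0,113,10,195,80",   # 195*256 + 80 = 50000, back to the client
    "bounce":     "PORT 10,0,0,25,0,25",        # a third host, port 25
    "privileged": "PORT 203,0,113,10,0,22",     # the client itself, but port 22
    "malformed":  "PORT 203,0,113",
}

if __name__ == "__main__":
    for label, cmd in EXAMPLES.items():
        print(label, evaluate_port_command(cmd, CLIENT_IP))
```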
8. TCP Session Hijacking:
This is the case where the hacker takes over an existing TCP session already established between two parties. Since most TCP session authentication occurs at the beginning of the session, hackers are able to make this attack possible.
9. Man-In-The-Middle Attack:
It is also called a Janus attack and abbreviated MITM. It occurs when the hacker sits between two legitimate parties and sniffs the communication to get valuable data like passwords, usernames or even certificates/keys to use later. MITM is active eavesdropping.
Example
Using Janus attack techniques: Oklahoma Tax Commission Site Compromised
Attack Date: 01/29/2010
Attack Details: Websense Security Labs and the Websense ThreatSeeker Network discovered that the home page of the Oklahoma Tax Commission website had been compromised with malicious script code. After the page was loaded, the browser executed the injected script in the background. The injected script code would go through a series of de-obfuscation techniques that ultimately took the victim computer to an attack website without the victim's consent or knowledge.
10. Social Engineering Attacks:
A social engineering attack is one in which the intended victim is somehow tricked into doing the attacker's bidding. Examples include replying to an email sent by the attacker, or an attacker impersonating a legitimate user or colleague over the phone so that confidential data is revealed.
Example
World Cup Targeted by Malicious Spam Campaign using social engineering techniques in June 2010
Attack Details: Websense Security Labs and the Websense ThreatSeeker Network detected a new wave of interesting malicious emails. At the dawn of the eagerly anticipated World Cup tournament we expected to be inundated with suitably themed spam. The sample we encountered was a little different from the usual, because the technique used may not raise suspicion. We saw over 80,000 email messages in this new campaign, which used an HTML attachment with embedded JavaScript. Upon execution, this script led to a malicious website.
11. OS Finger Printing:
Each operating system has its own distinctive TCP/IP stack implementation. During a port scan, scanners usually analyze this distinctive stack behavior and try to match the fingerprint against their database.
Inverse Mapping:
Inverse mapping is a stealth-approach network scanning method that gathers
information about inactive IP addresses on a network to try to determine which IP
addresses are associated with active hosts.
12. Stealth Scan:
Port scans carried out in a way that evades filtering or blocking devices (IPS, IDS, firewall) using their own techniques (SYN scan, ACK scan, FIN scan, Null scan). The delay between packets sent to the target and packet fragmentation also matter when it comes to a stealth scan.
13. Key-Loggers:
Two types of key loggers are available: software and hardware key loggers.
Software Key loggers:
These are installed on the comput.er and programmed to run in the background so that the user will not be able to find or sense that they are running. The purpose is to 'log' all keystrokes, take snapshots of the OS and even record mouse clicks, and they can be configured to send this information to a pre-defined e-mail address. These are called 'spyware'.
Example
In 2011 the Pentagon revealed that 24,000 files had been stolen in a cyber-attack. Penetrations of defense industry computer networks have targeted a wide swath of military hardware, including missile tracking systems and drone aircraft.
Hardware Key loggers:
These can be plugged into a computer (PS/2 connector). When the user types something, the keystrokes are intercepted by the key logger first and stored in its internal memory; only then does the IRQ go to the CPU for processing. Otherwise it is very similar to the software key logger.
Ping Sweep:
Ping Sweep is a technique used to determine which of a range of IP addresses
map to live hosts. It consists of ICMP ECHO requests sent to multiple hosts. If a
given address is live, it will return an ICMP ECHO reply.
14. ICMP Tunneling:
Tunneling is often used to bypass firewalls that do not block ICMP packets, or to establish a hard-to-trace, encrypted communication channel between two computers without direct network interaction. An ICMP tunnel establishes a covert connection between two remote computers (a client and a proxy) using ICMP echo request and reply packets. An example of this technique is tunneling complete TCP traffic over ping requests and replies.
15. LOKI Attack:
LOKI is a client/server program published in the online publication Phrack. This
program is a working proof-of-concept to demonstrate that data can be
transmitted somewhat secretly across a network by hiding it in traffic that
normally does not contain payloads. For example, the code can tunnel the
equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping)
packets or UDP traffic to the DNS port. This is used as a back door into a Unix
system after root access has been compromised. Presence of LOKI on a system
is evidence that the system has been compromised in the past.
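An ICMP tunnel of the kind described under ICMP Tunneling and LOKI differs from ordinary ping traffic in measurable ways: payload sizes that are not the 32/56-byte defaults, high-entropy payloads, replies whose data does not echo the request, and far more bytes per echo flow than a ping would ever carry. The following added example (not code from this paper or from LOKI) scores constructed echo packets on those heuristics; the thresholds are assumptions.

```python
"""Added example: heuristics for ICMP tunnels such as the ones described under ICMP
Tunneling and LOKI. Constructed packets, not captures from the paper.
"""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # 32-byte default ping data
COMMON_PING_SIZES = {32, 56}        # Windows and Linux default echo payload sizes
ENTROPY_THRESHOLD = 6.0             # bits per byte; ping padding sits far below this
VOLUME_THRESHOLD = 4096             # payload bytes in one echo flow before it looks like a transfer


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_icmp(packets: List[IcmpPacket]) -> Dict[Tuple[str, str, int], List[str]]:
    """Findings per echo flow (requester, responder, id); an empty dict means nothing suspicious."""
    findings: Dict[Tuple[str, str, int], List[str]] = defaultdict(list)
    requests: Dict[Tuple[str, str, int, int], bytes] = {}
    volume: Counter = Counter()
    for p in packets:
        flow = (p.src, p.dst, p.ident) if p.icmp_type == ECHO_REQUEST else (p.dst, p.src, p.ident)
        volume[flow] += len(p.payload)
        if len(p.payload) not in COMMON_PING_SIZES:
            findings[flow].append(f"seq {p.seq}: unusual payload size {len(p.payload)}")
        if shannon_entropy(p.payload) > ENTROPY_THRESHOLD:
            findings[flow].append(f"seq {p.seq}: high-entropy payload")
        if p.icmp_type == ECHO_REQUEST:
            requests[(p.src, p.dst, p.ident, p.seq)] = p.payload
        elif p.icmp_type == ECHO_REPLY:
            # A reply must echo the request's data; a tunnel's "reply" carries new data instead.
            req = requests.get((p.dst, p.src, p.ident, p.seq))
            if req is not None and req != p.payload:
                findings[flow].append(f"seq {p.seq}: reply payload differs from request")
    for flow, total in volume.items():
        if total > VOLUME_THRESHOLD:
            findings[flow].append(f"{total} payload bytes carried in one echo flow")
    return dict(findings)


def pseudo_random(seed: str, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted tunnel data (constructed)."""
    out, block = b"", seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def constructed_ping(count: int = 4) -> List[IcmpPacket]:
    """A normal Windows-style ping exchange: replies echo the request payload."""
    pkts = []
    for seq in range(count):
        pkts.append(IcmpPacket("10.0.0.20", "10.0.0.1", ECHO_REQUEST, 1, seq, WINDOWS_PING_PAYLOAD))
        pkts.append(IcmpPacket("10.0.0.1", "10.0.0.20", ECHO_REPLY, 1, seq, WINDOWS_PING_PAYLOAD))
    return pkts


def constructed_tunnel(count: int = 6) -> List[IcmpPacket]:
    """A tunnel-like exchange: 1 KiB of opaque data each way, replies carry fresh data."""
    pkts = []
    for seq in range(count):
        pkts.append(IcmpPacket("10.0.0.30", "198.51.100.5", ECHO_REQUEST, 777, seq, pseudo_random(f"c{seq}", 1024)))
        pkts.append(IcmpPacket("198.51.100.5", "10.0.0.30", ECHO_REPLY, 777, seq, pseudo_random(f"s{seq}", 1024)))
    return pkts


if __name__ == "__main__":
    print("ping:", analyse_icmp(constructed_ping()))
    for flow, notes in analyse_icmp(constructed_tunnel()).items():
        print("tunnel flow", flow, "->", len(notes), "findings")
```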
Example
Using LOKI attack techniques a virus was introduced: Office.Microsoft.Com search results can lead to rogue antivirus. Websense Security Labs and the Websense ThreatSeeker Network detected that search results on office.microsoft.com can lead users to a rogue AV page. Users looking for information related to help with Office products on Microsoft's own site are being targeted. Users may be unaware that when they type in search queries on the site, Microsoft scours its own website for results but also pulls in results from the broader Web. Since the URL for the search results begins with http://office.microsoft.com, this is particularly troubling for users who trust sites simply because of their reputation. The malicious URL served as a redirect to a very real-looking virus scan and warning page presented by a rogue AV. At the time of discovery, the executable used in the exploit was only recognized by one of the 41 AV engines on VirusTotal.
16. TCP Sequence Attack:
A TCP sequence prediction attack is an attempt to predict the sequence number
used to identify the packets in a TCP connection, which can be used to duplicate
packets leading to session hijacking.
17. CAM Table Overflow:
A switch's CAM table contains network information such as the MAC addresses available on physical switch ports and the associated VLAN parameters. A CAM table overflow occurs when a flood of MAC address entries is written into the table and the table's capacity threshold is reached. This causes the switch to act like a hub, flooding the network with traffic out of all ports. The flooding caused by a CAM table overflow is limited to the source VLAN and thus does not affect other VLANs on the network.
ICMP Redirect Attacks:
ICMP redirect messages are used to redirect a source host to use a different
gateway that may be closer to the destination. These redirect messages are sent
by the receiving gateway and the source host should adapt its forwarding
accordingly when receiving this message. ICMP Redirects are most often used in
source routing environments where the source host calculates routing paths to all
destinations itself. ICMP redirects may also be used to amplify SMURF or
FRAGGLE attacks or to set up Man-in-the-Middle attacks.
Example
In June 2009 the P2P site The Pirate Bay was rendered inaccessible due to an ICMP Redirect attack. This was most likely provoked by the recent sellout to Global Gaming Factory X AB, which was seen as a "take the money and run" solution to the website's legal issues. In the end, due to the buyer's financial troubles, the site was not sold.
DNS Zone Transfer Attack:
A Zone Transfer request to a DNS server returns a complete list of hostnames
and IP addresses in the domain. Ordinarily, zone transfers should only occur
between authoritative DNS servers for a domain. Attackers may query DNS
servers to compile a list of possible hosts to attack. This signature detects
attempted zone transfers from sources other than DNS servers.
18. WEB APPLICATION ATTACKS:
SQL Injection:
It is also called an SQL insertion attack; it lets the hacker execute code due to the presence of a vulnerability at the database layer of the application. Consequently, the code can obtain confidential data or even compromise the application itself.
Example
In June 2011, the group Anonymous claimed to have hacked NATO using a "simple SQL injection."
On 8 November 2010 the British Royal Navy website was compromised by TinKode using SQL injection.
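The database-layer vulnerability the text refers to is, in the common case, SQL text assembled from user input. The following added example (not code from this paper) shows the same login lookup written that way and with bound parameters, against a constructed in-memory SQLite table, so the difference in what each returns for the same input is visible.

```python
"""Added example: the same login lookup written the vulnerable way (SQL text built from
input) and the safe way (bound parameters). Constructed in-memory SQLite data, not from
the paper.
"""
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "h-alice", "admin"), ("bob", "h-bob", "user")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> List[Tuple[str, str]]:
    # Input is pasted into the statement text, so quotes in it change the query's logic.
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password_hash: str) -> List[Tuple[str, str]]:
    # Bound parameters travel separately from the statement; input can only ever be a value.
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


def demo() -> Dict[str, List[Tuple[str, str]]]:
    conn = make_db()
    tautology = "' OR '1'='1"   # textbook input: closes the quote and adds an always-true clause
    return {
        "legit_safe": login_safe(conn, "alice", "h-alice"),
        "vulnerable": login_vulnerable(conn, tautology, tautology),   # every row comes back
        "safe": login_safe(conn, tautology, tautology),               # no such user: empty
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```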
Cross-Site Scripting:
Cross-site scripting holes are web application vulnerabilities that allow attackers
to bypass client-side security mechanisms normally imposed on web content by
modern browsers. By finding ways of injecting malicious scripts into web pages,
an attacker can gain elevated access privileges to sensitive page content,
session cookies, and a variety of other information maintained by the browser on
behalf of the user. Cross-site scripting attacks are therefore a special case of
code injection.
Example
TJX Companies, owner of T.J. Maxx, Marshalls, Winners, HomeGoods, A.J. Wright and Bob's Stores, fell prey to one of the worst web hacking incidents to date. On 17 January 2008, the company disclosed that 40 million of its customers' credit and debit card details had been stolen. In parallel, the federal credit union SEFCU published a similar warning that the personal details of 10,000 of its customers had been compromised in the web hacking attack.
Cross-Site Request Forgery:
Cross-site request forgery, also known as a one-click attack or session riding and
abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a
website whereby unauthorized commands are transmitted from a user that the
website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user
has for a particular site, CSRF exploits the trust that a site has in a user's
browser.
Example
In June 2011 Google discovered that a number of Gmail user names and passwords of personal accounts belonging to senior government officials, activists and journalists had been compromised. The hack appears to have originated from Jinan, China, although Google did not accuse any individuals or governments of orchestrating the attack. Chinese Foreign Affairs Minister Hong Le denied being the source. Similar spear phishing attempts were also discovered in Hotmail and Yahoo Mail.
Cookie Poisoning Attack:
Cookie Poisoning attacks involve the modification of the contents of a cookie
(personal information stored in a Web user's computer) in order to bypass
security mechanisms. Using cookie poisoning attacks, attackers can gain
unauthorized information about another user and steal their identity.
Cookie Stealing:
These attacks are carried out by client-side scripts such as JavaScript. When the user clicks a link, the script looks through the cookies stored in the computer's memory for all active cookies and sends (apparently e-mails) them to the attacker.
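The two cookie attacks above have complementary server-side answers: a cookie whose contents are covered by an HMAC cannot be poisoned without detection, and the HttpOnly and Secure attributes keep client-side script and plain HTTP away from it. The following added example (hypothetical helper names, not code from this paper) issues and verifies such a cookie with a constructed key, and shows a tampered copy being rejected.

```python
"""Added example: a tamper-evident session cookie (HMAC over the payload) plus the
Set-Cookie attributes that keep scripts and plain HTTP away from it. Constructed key
and hypothetical helper names, not from the paper.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

SERVER_KEY = b"constructed-demo-key"   # constructed; a real deployment loads this from a secret store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: Dict[str, str]) -> str:
    return _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())


def _sign(payload: str) -> str:
    return _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())


def issue_session_cookie(claims: Dict[str, str]) -> str:
    """Encode the claims and append an HMAC so any edit to them is detectable."""
    payload = _encode_claims(claims)
    return f"{payload}.{_sign(payload)}"


def read_session_cookie(value: str) -> Optional[Dict[str, str]]:
    """Return the claims only if the signature checks out; None means poisoned or malformed."""
    if "." not in value:
        return None
    payload, sig = value.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(payload)):   # constant-time comparison
        return None
    return json.loads(_unb64(payload))


def set_cookie_header(value: str) -> str:
    # HttpOnly: document.cookie cannot read it, which defeats script-based cookie stealing.
    # Secure: never sent over plain HTTP. SameSite=Strict: not attached to cross-site requests.
    return f"Set-Cookie: session={value}; Path=/; HttpOnly; Secure; SameSite=Strict"


def tampered_copy(cookie: str) -> str:
    """Constructed poisoning attempt: edit the role claim but keep the original signature."""
    payload, sig = cookie.rsplit(".", 1)
    claims = json.loads(_unb64(payload))
    claims["role"] = "admin"
    return f"{_encode_claims(claims)}.{sig}"


if __name__ == "__main__":
    cookie = issue_session_cookie({"user": "bob", "role": "user"})
    print(set_cookie_header(cookie))
    print("genuine ->", read_session_cookie(cookie))
    print("tampered ->", read_session_cookie(tampered_copy(cookie)))
```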
Phishing Attacks:
Phishing is the criminally fraudulent process of attempting to acquire sensitive
information such as usernames, passwords and credit card details by
masquerading as a trustworthy entity in an electronic communication.
Web Defacement Attack:
Website defacement is an attack on a website that changes the visual
appearance of the site. These are typically the work of system crackers, who
break into a web server and replace the hosted website with one of their own.
Most probably, these kinds of attacks are done intentionally to spoil the
reputation of the company that has hosted this website.
Buffer Overflow:
Buffer overflow, or buffer overrun, is an anomaly where a process stores data in
a buffer outside the memory the programmer set aside for it. The extra data
overwrites adjacent memory, which may contain other data, including program
variables and program flow control data. This may result in memory access
errors, incorrect results, program termination, or a breach of system security.
This vulnerability is entirely a programmer's mistake.
Forced Browsing:
Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application but are still accessible. For example, directories like config, backup and logs, when accessible, can reveal a lot of information about the application itself, passwords, activities etc.
Example
Over a period of 4 hours on Wednesday April 27, 2011, an automated SQL injection attack occurred on the Broadband Reports website that was able to extract 8% of the username/password pairs: 8,000 random accounts of the 9,000 active and 90,000 old or inactive accounts.
HTTP Response Splitting:
An attacker passes malicious data to a vulnerable application, and the
application includes the data in an HTTP response header. This attack itself
does not cause any harm but it would lead to other sensitive attacks like XSS.
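A redirect whose Location header is built from user input is the classic sink for this attack. The following added example (not code from this paper) shows the splittable version beside one that validates the header value before use, on a constructed input, and counts how many responses a client would see on the wire in each case.

```python
"""Added example: building a redirect from user input, first the splittable way the text
warns about and then with header-value validation. Constructed input, not from the paper.
"""
import re
from typing import List, Set, Tuple
from urllib.parse import urlparse

CTL_RE = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value: str) -> bool:
    """Header values must not contain CR, LF or NUL; those are what split a response."""
    return CTL_RE.search(value) is None


def naive_redirect(location: str) -> str:
    # Vulnerable: user input concatenated straight into the header block.
    return "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\nContent-Length: 0\r\n\r\n"


def count_responses(raw: str) -> int:
    """How many HTTP responses a client would parse out of this byte stream."""
    return raw.count("HTTP/1.1 ")


def redirect_or_reject(location: str, allowed_hosts: Set[str]) -> Tuple[str, List[str]]:
    """Return ('ok', header lines) or ('rejected', [reason])."""
    if not is_safe_header_value(location):
        return "rejected", ["control characters in Location value"]
    target = urlparse(location)
    if target.netloc and target.netloc not in allowed_hosts:
        return "rejected", ["redirect target host not allowed"]   # also closes open redirects
    return "ok", ["HTTP/1.1 302 Found", f"Location: {location}", "Content-Length: 0", ""]


# Constructed splitting input: ends the redirect early and appends a second, attacker-authored response.
SPLIT_INPUT = (
    "/home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 26\r\n\r\n"
    "<p>attacker-controlled</p>"
)

if __name__ == "__main__":
    print("naive:", count_responses(naive_redirect(SPLIT_INPUT)), "responses on the wire")
    print("checked:", redirect_or_reject(SPLIT_INPUT, {"www.example.com"}))
    print("checked:", redirect_or_reject("/account", {"www.example.com"}))
```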
Example
A hacker infiltrated a massive database from the University of California, Los
Angeles, containing personal information (including social security numbers,
dates of birth, home addresses and contact information) on 800,000 people in
one of the worst computer breaches ever at a US university.
Injection Flaws:
Injection flaws allow attackers to relay malicious code through a web application
to another system. These attacks include calls to the operating system via
system calls, the use of external programs via shell commands, as well as calls
to backend databases via SQL (i.e., SQL injection). Whole scripts written in Perl,
Python, and other languages can be injected into poorly designed web
applications and executed. Any time a web application uses an interpreter of any
type there is a danger of an injection attack.
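The SQL case, as an added example that is not part of the white paper: a login check that builds its query by string formatting lets the database interpreter read user input as SQL, while the parameterised form binds the same input as data. The in-memory table and account values are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with made-up accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> int:
    """Query built by string formatting: the interpreter (SQLite) cannot tell
    the user's input from the programmer's SQL, so input can rewrite the logic."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0]


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> int:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0]


def demo() -> dict:
    """Count matching rows for a valid password and for a crafted one that
    closes the quote and appends a tautology (constructed input)."""
    conn = make_db()
    crafted = "' OR '1'='1"
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_safe": login_safe(conn, "alice", "s3cret"),
        "crafted_vulnerable": login_vulnerable(conn, "alice", crafted),
        "crafted_safe": login_safe(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} matching row(s)")
```

The vulnerable query matches every row because the WHERE clause has become `... AND pw = '' OR '1'='1'`; the parameterised query matches none, since the crafted string is compared literally against the stored password.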
Example
On December 4 2010, a group calling itself the Pakistan Cyber Army hacked the
website of India's top investigating agency, the Central Bureau of Investigation
(CBI).
In 2010, a clickjacking worm that forced hundreds of thousands of unsuspecting
Facebook users to unknowingly post spam messages on their profiles, rapidly
spread through the social networking website over the weekend. The worm used
catchy news headlines to lure its victims.
19. Virus:
A computer virus is a computer program that can copy itself and infect a
computer. The term "virus" is also commonly but erroneously used to refer to
other types of malware, including but not limited to adware and spyware
programs that do not have the reproductive ability. A true virus can spread from
one computer to another (in some form of executable code) when its host is
taken to the target computer; for instance because a user sent it over a network
or the Internet, or carried it on a removable medium such as a floppy disk, CD,
DVD, or USB drive.
Examples
Intramar, the French Navy computer network, was infected with Conficker on 15
January 2009. The network was subsequently quarantined, forcing aircraft at
several airbases to be grounded because their flight plans could not be
downloaded.
In January 2010, the Greater Manchester Police computer network was infected,
leading to its disconnection for three days from the Police National Computer as
a precautionary measure; during that time, officers had to ask other forces to run
routine checks on vehicles and people.
20. Worm:
A computer worm is a self-replicating malware computer program. It uses a
computer network to send copies of itself to other nodes (computers on the
network) and it may do so without any user intervention. This is due to security
shortcomings on the target computer. Unlike a virus, it does not need to attach
itself to an existing program. Worms almost always cause at least some harm to
the network, for example by consuming bandwidth, whereas viruses almost always
corrupt or modify files on a targeted computer.
Example:
Stuxnet is a computer worm which affected Iran's Bushehr nuclear power plant in
September 2010. Designed to target weaknesses in Siemens electronic
industrial systems, it is thought to be capable of seizing control of industrial
plants and to be the first 'worm' created for this purpose. The complexity of its
design and targeted purpose left Western computer experts suggesting it could
only have been the product of a "nation state". Mahmoud Liayi, from Iran's
Ministry of Industries, is quoted as saying, "an electronic war has been launched
against Iran". As well as targeting nuclear power stations, it is also capable of
attacking systems which manage water supplies, oil rigs and other utilities.
21. Malware:
Malware is short for malicious software. Malware is not the same as
defective software, that is, software that has a legitimate purpose but contains
harmful bugs. Malware includes computer viruses, worms, trojan horses,
spyware, dishonest adware, crimeware, most root kits, and other malicious and
unwanted software.
Example
On January 13, 2010, Google Inc. announced that operators, from within China,
had hacked into their Google China operation, stealing intellectual property and,
in particular, accessing the email accounts of human rights activists. The attack
was thought to have been part of a more widespread cyber attack on companies
within China which has become known as Operation Aurora. Intruders were
thought to have launched a zero-day attack, exploiting a weakness in the
Microsoft Internet Explorer browser, the malware used being a modification of the
Trojan Hydraq. Concerned about the possibility of hackers taking advantage of
this previously unknown weakness in Internet Explorer, the Government of
Germany, then France, issued warnings not to use the browser.
22. Adware:
Adware, or advertising-supported software, is any software package which
automatically plays, displays, or downloads advertisements to a computer after
the software is installed on it or while the application is being used. Advertising
functions are integrated into or bundled with the software, which is often
designed to note what Internet sites the user visits and to present advertising
pertinent to the types of goods or services featured there.
23. Spyware:
Spyware is a type of malware that is installed on computers and collects little bits
of information at a time about users without their knowledge. The presence of
spyware is typically hidden from the user, and can be difficult to detect. Typically,
spyware is secretly installed on the user's personal computer. Sometimes,
however, spyware such as keyloggers is installed by the owner of a shared,
corporate, or public computer on purpose in order to secretly monitor other users.
Example
WordPress Attacks
Blog platforms have always been vulnerable to attacks due to newly developed
spyware. Research shows that 56 percent of all compromised blogs are
attacked more than once. WordPress (used by more than 13.9 million blogs), the
world's most commonly used blogging software platform, was hacked numerous
times throughout 2010.
Numerous vulnerabilities were known to exist during the height of the attacks.
GoDaddy (hosts 43 million domains) and other hosting sites saw persistent attacks
in 2010. Something else worth noting is that when celebrity blogs are hacked,
many people assume this means public defacement or an attempt to defame
celebrity status. Although this happens on occasion, most attacks target financial
gain.
24. Trojan:
A Trojan, sometimes referred to as a Trojan horse, is non-self-replicating
malware that appears to perform a desirable function for the user but instead
facilitates unauthorized access to the user's computer system.
Example
According to a survey conducted by BitDefender from January to June 2009,
"Trojan-type malware is on the rise, accounting for 83-percent of the global
malware detected in the world". This virus is related to worms, as it spreads
with their help and travels across the internet with them.
On February 18, 2010, Microsoft announced that a BSoD problem on some Windows
machines, triggered by a batch of Patch Tuesday updates, was caused by the
Alureon Trojan.
25. Root kit:
A root kit is a type of software that is designed to gain administrator-level control
over a computer system without being detected. In virtually all cases, the
purpose and motive is to perform malicious operations on a target host
computing system at a later date without the knowledge of the administrators or
users of that system. Root kits can be installed in hardware or software targeting
the BIOS, hypervisor, boot loader, kernel or less commonly, libraries or
applications.
Example
According to the Associated Press, in 2010 Spanish police arrested three
ringleaders behind the Mariposa root kit, which infected 12.7 million PCs, stealing
credit card and banking information. Infected computers were found at more than half
of the Fortune 1,000 companies and 40 major banks. The Mariposa root kit was
one of the world's largest and appears to be more sophisticated than the root kit
that was used to hack Google Inc.
DATA SECURITY COUNCIL OF INDIA
Statement of confidentiality
This document contains information that is proprietary and confidential to DATA SECURITY COUNCIL OF INDIA (DSCI), and shall not be disclosed outside, transmitted, or duplicated, used in whole or in part for any purpose other than its intended purpose. Any use or disclosure in whole or in part of this information without explicit written permission of Data Security Council of India is prohibited.
© 2011 DSCI. All rights reserved.