Chapter 15: Types of Attacks and Malicious Software

Objectives
• Describe various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing.
• Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits.
• Explain how social engineering can be used as a means to gain access to computers and networks.
• Describe the importance of auditing and what should be audited.

Key Terms
• Backdoor
• Birthday attack
• Botnet
• Buffer overflow
• Denial-of-service (DoS) attack
• Distributed denial-of-service (DDoS) attack
• DNS kiting
• Drive-by download attack
• Man-in-the-middle attack
• Null session
• Pharming
• Phishing
• Ping sweep
• Port scan
• Replay attack
• Sequence number
• Smurf attack
• Sniffing
• Spear phishing
• Spoofing
• Spyware
• SYN flood

Avenues of Attack
• Specific targets
  • Chosen based on the attacker’s motivation
  • Not reliant on the target system’s hardware and software
• Targets of opportunity
  • Systems with hardware or software vulnerable to a specific exploit
  • Often lacking current security patches

The Steps in an Attack
• Conducting reconnaissance
• Scanning
• Researching vulnerabilities
• Performing the attack
• Creating a backdoor
• Covering tracks

Conducting Reconnaissance
• Gather as much information as possible about the target system and organization.
• Use the Internet.
• Explore government records.
• Use tools such as Whois.Net.
• Don’t worry yet whether the information being gathered is relevant or not.

Scanning
• Identify target systems that are active and accessible:
  • Ping sweep
  • Port scan
• Identify the operating system and other specific application programs running on the system by analyzing packet responses.
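From the defender’s side, a ping sweep or port scan leaves a recognizable trace in firewall or host logs: one source touching many ports on a single host, or many hosts with ICMP, inside a short window. The following Python detector is an added example for this slide, not code from the chapter or from any product; the log format, the sample lines and the thresholds are all constructed or assumed for the example.

```python
"""Added example: flag port-scan and ping-sweep patterns in firewall log lines.

The log format here is a constructed simplification (not any real firewall's):
    <ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port or ->
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; a defender tunes these to the network's normal behaviour.
PORT_SCAN_THRESHOLD = 10      # distinct ports probed on one host within WINDOW
PING_SWEEP_THRESHOLD = 8      # distinct hosts pinged within WINDOW
WINDOW = timedelta(seconds=60)

# Constructed sample log: 10.0.0.5 probes 12 ports on one host (port scan),
# 10.0.0.9 pings eight consecutive hosts (ping sweep), 10.0.0.7 is ordinary HTTPS.
SAMPLE_LOG = (
    [f"2024-01-01T10:00:0{i % 2} 10.0.0.5 192.168.1.10 tcp {port}"
     for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + [f"2024-01-01T10:05:{i:02d} 10.0.0.9 192.168.1.{i + 1} icmp -" for i in range(8)]
    + [f"2024-01-01T10:{10 + i:02d}:00 10.0.0.7 192.168.1.{20 + i} tcp 443" for i in range(3)]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, proto, port); ICMP has no port."""
    ts, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, None if port == "-" else int(port)


def detect_scans(lines, window=WINDOW):
    """Return {"port_scan": {src: [dst, ...]}, "ping_sweep": [src, ...]}.

    For every source, slide a window over its events in time order and count
    distinct TCP/UDP ports per destination and distinct ICMP destinations.
    """
    by_src = defaultdict(list)
    for event in sorted(map(parse_line, lines), key=lambda e: e[0]):
        by_src[event[1]].append(event)

    port_scans, sweeps = defaultdict(set), set()
    for src, events in by_src.items():
        for i, (start, *_) in enumerate(events):
            ports_per_host, icmp_hosts = defaultdict(set), set()
            for ts, _, dst, proto, port in events[i:]:
                if ts - start > window:
                    break
                if proto == "icmp":
                    icmp_hosts.add(dst)
                elif port is not None:
                    ports_per_host[dst].add(port)
            for dst, ports in ports_per_host.items():
                if len(ports) >= PORT_SCAN_THRESHOLD:
                    port_scans[src].add(dst)
            if len(icmp_hosts) >= PING_SWEEP_THRESHOLD:
                sweeps.add(src)

    return {"port_scan": {s: sorted(d) for s, d in port_scans.items()},
            "ping_sweep": sorted(sweeps)}


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

The window-based count is what separates a scan from a normal client: 10.0.0.7 also contacts several hosts, but on one port and minutes apart, so it is never flagged. Real logs add noise (load balancers, monitoring probes), which is why the thresholds are exposed as constants rather than hard-coded.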
Researching Vulnerabilities
• Wealth of information available through the World Wide Web
• Lists of vulnerabilities in specified OS and application programs
• Tools created to exploit vulnerabilities

Performing the Attack
• Matching an attack to an identified vulnerability

Creating a Backdoor
• Provides future access to the attacker
• May create “authorization” for themselves
• Could install an agent

Covering Their Tracks
• In an effort to remain undetected, attackers endeavor to cover their tracks:
  • Erase pertinent log files from the system.
  • Change file time stamps to appear unaltered.

Minimizing Possible Avenues of Attack
• Ensure all patches are installed and current.
• Limit the services being run on the system:
  • Limits possible avenues of attack
  • Reduces the number of services the administrator must continually patch
• Limit the amount of publicly available data about the system and organization.

Attacking Computer Systems and Networks
• An attack is an attempt by an unauthorized person to:
  • Gain access to or modify information
  • Assume control of an authorized session
  • Disrupt the availability of service to authorized users
• A variety of methods is used to carry out attacks:
  • Attacks on specific software
    • Rely on code flaws or software bugs
    • Indicate a lack of thorough code testing
  • Attacks on a specific protocol or service
    • Take advantage of or use a service or protocol in an unintended manner

Types of Attacks
• Denial-of-service
• Backdoors/Trapdoors
• Null sessions
• Sniffing
• Spoofing
• Man-in-the-middle
• Replay
• TCP/IP hijacking
• Drive-by downloads
• Phishing/pharming
• Attacks on encryption
• Address system attacks
• Password guessing
• Hybrid attack
• Birthday attack

Denial-of-Service Attack
• Exploits known, identified vulnerabilities
• Purpose is to prevent normal system operations for authorized users
• Can be accomplished in multiple ways:
  • Take the system offline
  • Overwhelm the system with requests

SYN Flood Attack
• An example of a DoS attack targeting a specific protocol or service
• Illustrates the basic principles of most DoS attacks
• Exploits a weakness inherent to the function of the TCP/IP protocol
• Uses the TCP three-way handshake to flood a system with faked connection requests

TCP Three-Way Handshake
• System 1 sends a SYN packet to System 2.
• System 2 responds with a SYN/ACK packet.
• System 1 sends an ACK packet to System 2, and communications can then proceed.

Steps of a SYN Flood Attack
• A communication request is sent to the target system from a faked IP address.
• The target responds to the faked IP address.
• The target waits for the non-existent system’s response.
• The request eventually times out.
• If the attacks outpace the requests timing out, then system resources will be exhausted.
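Two things a practitioner wants from these steps: a way to recognize the condition on a host (the socket table fills with half-open connections from peers that never answer) and a feel for why the time-out matters. The Python below is an added example written for this section, not code from the chapter. The socket-table rows imitate the column order of `ss -tan` but are constructed, and the backlog model and the “ten half-open per established” heuristic are assumptions chosen to make the point, not measured values.

```python
"""Added example: spot a SYN flood in the socket table and model why it works.

Rows below imitate the columns of `ss -tan` (State, Recv-Q, Send-Q, Local, Peer)
but are constructed for this example, not captured from a real host.
"""
from collections import defaultdict, deque

SS_SAMPLE = (
    [f"ESTAB 0 0 192.168.1.10:80 198.51.100.{i}:{51000 + i}" for i in range(1, 4)]
    # 30 half-open connections on port 80 from 30 different, never-answering peers
    + [f"SYN-RECV 0 0 192.168.1.10:80 203.0.113.{i}:{40000 + i}" for i in range(1, 31)]
    + ["ESTAB 0 0 192.168.1.10:443 198.51.100.9:52000",
       "SYN-RECV 0 0 192.168.1.10:443 198.51.100.12:52001",
       "SYN-RECV 0 0 192.168.1.10:443 198.51.100.13:52002"]
)


def half_open_summary(rows):
    """Per local port: half-open vs. established counts and distinct half-open peers."""
    summary = defaultdict(lambda: {"syn_recv": 0, "established": 0, "peers": set()})
    for row in rows:
        state, _, _, local, peer = row.split()
        entry = summary[local.rsplit(":", 1)[1]]
        if state == "SYN-RECV":
            entry["syn_recv"] += 1
            entry["peers"].add(peer.rsplit(":", 1)[0])
        elif state == "ESTAB":
            entry["established"] += 1
    return {port: {"syn_recv": e["syn_recv"], "established": e["established"],
                   "distinct_half_open_peers": len(e["peers"])}
            for port, e in summary.items()}


def looks_like_syn_flood(entry, ratio=10):
    """Assumed heuristic: half-open entries dwarf completed handshakes on the port."""
    return entry["syn_recv"] >= ratio * max(1, entry["established"])


def simulate_backlog(syn_per_second, timeout_seconds, backlog_size, duration_seconds):
    """Model a fixed-size half-open backlog fed by spoofed SYNs that never complete.

    Each entry occupies a slot until it times out; when the backlog is full, new
    SYNs (legitimate ones included) are refused. Returns (peak_occupancy,
    seconds_saturated): exhaustion happens when arrivals outpace time-outs,
    and a shorter time-out lowers the steady-state occupancy (rate x timeout).
    """
    pending = deque()   # expiry second of each half-open entry, oldest first
    peak = saturated = 0
    for now in range(duration_seconds):
        while pending and pending[0] <= now:
            pending.popleft()               # request timed out, slot freed
        for _ in range(syn_per_second):
            if len(pending) < backlog_size:
                pending.append(now + timeout_seconds)
        peak = max(peak, len(pending))
        if len(pending) >= backlog_size:
            saturated += 1
    return peak, saturated


if __name__ == "__main__":
    print(half_open_summary(SS_SAMPLE))
    print("60 s time-out:", simulate_backlog(100, 60, 1024, 120))
    print(" 5 s time-out:", simulate_backlog(100, 5, 1024, 120))
```

With 100 spoofed SYNs per second and a 60-second time-out the steady state would be 6,000 half-open entries, so a 1,024-slot backlog saturates within ten seconds and stays that way; cutting the time-out to 5 seconds keeps occupancy near 500 and the port never refuses a legitimate client. That is the quantitative basis for the “change the time-out period” countermeasure on the prevention slide.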
Distributed Denial-of-Service Attack (DDoS)
• Goal is to deny access or service to authorized users
• Uses the resources of many systems combined into an attack network
• Overwhelms the target system or network
• With enough attack agents, even simple web traffic can quickly affect a large website

Ping of Death (POD)
• Another example of a DoS attack
• Illustrates an attack targeting a specific application
• Attacker sends an ICMP ping packet > 64KB.
• This ping packet size should not occur naturally.
• The ICMP packet will crash certain systems unable to handle it.
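The reason such a ping “should not occur naturally” is that an IPv4 datagram is limited to 65,535 bytes by its 16-bit Total Length field, so an oversized ping has to arrive as fragments whose last piece claims an offset plus length beyond that limit. A filter can check that per fragment without reassembling anything. The Python below is an added example for this slide, not code from the chapter; the packets are constructed with `struct` rather than captured.

```python
"""Added example: detect IP fragments that would reassemble past the 65,535-byte limit.

Packets are constructed here for illustration; the check itself needs only the
fragment offset and payload length from each IPv4 header.
"""
import socket
import struct

MAX_IPV4_DATAGRAM = 65535          # 16-bit Total Length field (RFC 791)
IP_HEADER = "!BBHHHBBH4s4s"        # fixed 20-byte IPv4 header without options


def build_fragment(src, dst, ident, offset_units, more_fragments, payload_len, proto=1):
    """Construct a minimal IPv4 fragment (proto 1 = ICMP) carrying a zeroed payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    header = struct.pack(IP_HEADER, 0x45, 0, 20 + payload_len, ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + bytes(payload_len)


def parse_ipv4(packet):
    """Pull the fields needed for the check out of an IPv4 header."""
    vihl, _, total_len, ident, flags_frag, _, proto, _, src, _ = struct.unpack(IP_HEADER, packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "id": ident, "proto": proto,
            "offset": (flags_frag & 0x1FFF) * 8,       # fragment offset is in 8-byte units
            "more": bool(flags_frag & 0x2000),
            "payload_len": total_len - ihl}


def oversized_fragment(packet):
    """True when this fragment's data would land beyond byte 65,535 of the datagram."""
    f = parse_ipv4(packet)
    return f["offset"] + f["payload_len"] > MAX_IPV4_DATAGRAM


def flag_oversized(packets):
    """Return (src, id) of every fragment that violates the limit, for logging or dropping."""
    hits = []
    for pkt in packets:
        if oversized_fragment(pkt):
            f = parse_ipv4(pkt)
            hits.append((f["src"], f["id"]))
    return hits


# Constructed traffic: a normal 64-byte ping, a large but legal fragmented ping
# (its last fragment ends at byte 65,480), and a final fragment that overruns the limit.
SAMPLE_PACKETS = [
    build_fragment("10.0.0.2", "10.0.0.1", 1, 0, False, 64),
    build_fragment("10.0.0.3", "10.0.0.1", 2, 0, True, 1480),
    build_fragment("10.0.0.3", "10.0.0.1", 2, 8000, False, 1480),
    build_fragment("10.0.0.4", "10.0.0.1", 3, 8189, False, 32),
]

if __name__ == "__main__":
    print(flag_oversized(SAMPLE_PACKETS))
```

The check is stateless on purpose: the vulnerable code in the original Ping of Death was the reassembly buffer, so a defence that has to reassemble first inherits the same exposure. Modern stacks reject such fragments, but the same offset-plus-length test remains a useful sanity check in any packet parser.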
Preventing DoS & DDoS Attacks
• Ensure necessary patches and upgrades remain current.
• Change the time-out period for TCP connections.
• Distribute the workload across several systems.
• Block external ICMP packets at the border.

Trapdoors and Backdoors
• Trapdoor
  • Hard-coded access built into the program
  • Ensures access should normal access methods fail
  • Creates a vulnerability in systems using the software
• Backdoor
  • Ensures continued unrestricted access in the future
  • Attackers implant them in compromised systems
  • Can be installed inadvertently with a Trojan horse

Null Sessions
• A connection to a Windows inter-process communication share (IPC$)
• Systems prior to XP and Server 2003 are vulnerable.
• Used by a variety of exploit tools and malware.
• No patch is available.
• Options to counter the vulnerability:
  • Upgrade systems to Windows XP or a newer version.
  • Only allow trusted users access to TCP ports 139 and 445.

Sniffing
• Attacker observes all network traffic.
• Software, hardware, or a combination of the two
• Ability to target a specific protocol, service, string of characters, etc.
• May be able to modify some or all traffic en route
• Network administrators can use sniffers to monitor and troubleshoot network performance.
• Physical security is key in preventing the introduction of sniffers on the internal network.

Spoofing
• The true source of data is disguised:
  • Commonly accomplished by altering packet header information with false information
  • Can be used for a variety of purposes
• Spoofing e-mail:
  • From address differs from the sending system
  • Recipients rarely question the authenticity of the e-mail

Sequence Numbers
• SYN packets include an original sequence number.
• Sequence numbers are incremented by 1 and sent back with ACK packets.

Spoofing and Sequence Numbers
• Attacker must use the correct sequence number:
  • TCP packet sequence numbers are 32-bit.
  • Sequence numbers are incremented by 1.
  • Very difficult to guess.
• Insider attacks vs. external attacks

Man-in-the-Middle Attack
• Attacker is positioned between two target hosts:
  • Typically accomplished through router manipulation
  • Traffic redirected to the attacker, then forwarded on
• Benefits (to the attacker):
  • Attacker can intercept, modify, and/or block traffic
  • Communication appears normal to the target hosts
• Limitation:
  • Useful data collection is reduced if traffic is encrypted

Replay Attack
• Attacker intercepts part of an exchange between two hosts and retransmits the message later.
• Often used to bypass authentication mechanisms
• Prevented by encrypting traffic, cryptographic authentication, and time-stamping messages.
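The three countermeasures on this slide work together: cryptographic authentication (a MAC over the whole message) stops tampering, a timestamp bounds how long a captured message stays valid, and a per-message nonce closes the remaining gap, a replay inside the freshness window. The Python below is an added example written for this slide, not code from the chapter; the shared key, the freshness window and the messages are constructed for the example, and a real deployment would provision the key out of band.

```python
"""Added example: reject replayed messages with a MAC, a timestamp and a nonce.

The key and messages are constructed for the example. The MAC covers the
timestamp and the nonce as well as the body, so a captured message cannot be
"freshened" by editing its timestamp.
"""
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-shared-secret-for-example"   # would be provisioned out of band
FRESHNESS_SECONDS = 30                                 # assumed clock skew + transit allowance


def _canonical(fields):
    # Stable byte encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_message(key, body, now, nonce=None):
    """Sender side: body, timestamp and a random nonce, all covered by the HMAC."""
    fields = {"body": body, "ts": int(now), "nonce": nonce or secrets.token_hex(8)}
    fields["mac"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


class Receiver:
    def __init__(self, key, freshness=FRESHNESS_SECONDS):
        self.key = key
        self.freshness = freshness
        self.seen = {}   # nonce -> timestamp, kept only for the freshness window

    def accept(self, msg, now):
        """Return "ok", or the reason for rejection: bad_mac, stale or replay."""
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        if not {"body", "ts", "nonce"}.issubset(unsigned):
            return "bad_mac"
        expected = hmac.new(self.key, _canonical(unsigned), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(str(msg.get("mac", "")), expected):
            return "bad_mac"                       # forged or tampered (body, ts or nonce)
        if abs(now - msg["ts"]) > self.freshness:
            return "stale"                         # outside the time window
        # Forget nonces older than the window; anything that old is refused as stale anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.freshness}
        if msg["nonce"] in self.seen:
            return "replay"                        # same message seen again inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


if __name__ == "__main__":
    receiver = Receiver(SHARED_KEY)
    msg = make_message(SHARED_KEY, "transfer 100", now=1000)
    print(receiver.accept(msg, now=1001), receiver.accept(msg, now=1005))
```

Order matters in `accept`: the MAC is verified before anything else so an attacker cannot probe the nonce cache with forged messages, and the freshness check runs before the cache lookup so the cache only has to remember nonces from the last window. Encrypting the channel (the slide’s first countermeasure) hides the contents; it is the MAC plus timestamp plus nonce that makes retransmission detectable.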
TCP/IP Hijacking
• Assume control of an already existing session:
  • Attacker circumvents authentication.
  • Can be disguised with a DoS attack.
  • Typically used against web and Telnet sessions.

Drive-by Download Attack
• Unsolicited malware downloads
• May be hidden in legitimate ads or hosted from web sites that prey on unaware users

Phishing and Pharming
• Phishing
  • Fraudulent e-mails designed to trick users into divulging confidential information
• Pharming
  • Fake web sites created to elicit authentic user credentials

Attacks on Encryption
• Cryptanalysis attempts to crack encryption
• Common methods:
  • Weak keys
  • Exhaustive search of the key space
  • Indirect attacks

Password Attacks
• The most common user authentication is a combination of user ID and password.
• A compromised password typically indicates a failure to adhere to good password procedures.
• Password attack methods:
  • Guess
  • Dictionary
  • Brute force
  • Hybrid
  • Birthday
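The brute-force and birthday entries here, and the “exhaustive search of the key space” on the encryption slide, are all questions of how much work an attacker faces, so the defender’s job is to size passwords and digests so that the work is out of reach. The Python below is an added example for both slides, not material from the chapter: it carries the birthday bound through exactly and with the usual approximation, and puts a keyspace size against an assumed guessing rate. The guessing rate and the character-set sizes are illustrative inputs, not measurements.

```python
"""Added example: size the work behind brute-force and birthday attacks.

Exhaustive search scales with the key or password space; a birthday attack on
an n-bit digest needs only about 2**(n/2) samples. All inputs are illustrative.
"""
import math


def exact_collision_probability(bits, samples):
    """P(at least one collision) among `samples` uniform draws from 2**bits values.

    Exact product form prod_{i<n} (1 - i/N), summed in log space to avoid underflow.
    """
    space = 2 ** bits
    if samples > space:
        return 1.0                     # pigeonhole: a collision is certain
    log_no_collision = sum(math.log1p(-i / space) for i in range(samples))
    return -math.expm1(log_no_collision)          # 1 - exp(log P(no collision))


def approx_collision_probability(bits, samples):
    """Standard approximation 1 - exp(-n(n-1)/2N), accurate while n is far below N."""
    return -math.expm1(-samples * (samples - 1) / (2 * 2 ** bits))


def samples_for_collision(bits, probability=0.5):
    """Samples needed to reach the given collision probability, about 2**(bits/2)."""
    return math.ceil(math.sqrt(2 * 2 ** bits * math.log(1 / (1 - probability))))


def keyspace(charset_size, length):
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def expected_search_seconds(space, guesses_per_second):
    """Expected time to hit one key by exhaustive search: half the space on average."""
    return space / (2 * guesses_per_second)


if __name__ == "__main__":
    print("16-bit digest, 302 samples:", round(exact_collision_probability(16, 302), 4))
    print("32-bit digest, samples for 50% collision:", samples_for_collision(32))
    eight_char = keyspace(95, 8)       # 95 printable ASCII characters, length 8
    print("8-char space:", eight_char, "days at 1e9/s:",
          round(expected_search_seconds(eight_char, 1e9) / 86400, 1))
```

The two probability functions agree to well under a percent at the 50% point, which is why the square-root rule of thumb is safe to use when choosing a digest length: a 32-bit value collides after roughly 77,000 samples, so anything used as a collision-resistant identifier needs far more bits than that. The keyspace figure is the same arithmetic applied to passwords; lengthening a password multiplies the search by the character-set size per added character, which is why length beats complexity rules.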
Software Exploitation
• Takes advantage of software bugs/weaknesses
• Results from poor design, inadequate testing, or inferior code practices
• Buffer overflow attack
  • Most common example of software exploitation
  • Program receives more input than it can handle.
  • Program may abort, crash the entire system, or allow the attacker to execute malicious commands.

Malicious Code
• Viruses
• Trojan horses
• Spyware
• Logic bombs
• Rootkits
• Worms
• Zombies and botnets

Viruses
• Replicate and attach to executable code
• Best-known malicious code
• Common types:
  • Boot sector virus
  • Program virus
  • Macro virus
  • Stealth virus
  • Polymorphic virus

Trojan Horses
• Software that appears to do one thing but contains hidden functionality
• Standalone program that must be installed by the user
• Disguised well enough to entice the user
• Delivers its payload without the user’s knowledge
• Prevention:
  • Never run software of unknown origin or integrity.
  • Keep a virus-checking program running continuously.

Spyware
• Software capable of recording and reporting a user’s actions:
  • Typically installed unbeknownst to users
  • Monitors software and system use
  • Can steal information through keylogging
• Many states have banned spyware and other unauthorized software:
  • Organizations circumvent this with complex EULAs

Logic Bombs
• Malicious code dormant until triggered by a specified future event:
  • Usually installed by an authorized user
  • Reinforces the need for backups
• A time bomb is similar to the logic bomb, but delivers its payload at a predetermined time/date.

Rootkits
• Modify the OS kernel or other processes on the system
• Originally designed to grant root access
• Designed to avoid being detected and deleted
• Support a variety of malware
• Often operate unbeknownst to the user
• Found in the OS kernel, at the application level, in firmware, etc.