Attacks Flashcards

1
Q

IP Flooding

A
  • simple DoS attack
  • many coordinated attackers ping arbitrary machines with a spoofed source IP address that belongs to the victim
  • all those machines send their responses (ICMP echo replies) to the victim, flooding its bandwidth
  • a Smurf attack is an example of IP flooding in which the pings are sent to a network's broadcast address, so every host on that network replies to the victim
2
Q

TCP Attacks

A
  • TCP packets are not secured in any way. Most header fields can be guessed and forged.
  • An attacker on a machine that the packets are routed through can easily interfere with them in any way.
  • An attacker who can only observe packets on the wire can inject new ones, but can't intercept (block or modify) the original traffic.
3
Q

Denial of Service (DoS)

A
  • asymmetry of resources is key: the attacker spends relatively few resources but causes high-cost damage to the target
  • defend using firewalls (filtering/scrubbing) and CDNs
4
Q

SUID Vulnerabilities

A
  • SUID bit: the process runs with the file owner's UID on execution
  • SGID bit: the process runs with the file's group GID on execution
  • SUID allows a process to run with an EUID that has more privileges than the real UID (i.e. more privileges than those assigned to the user)
5
Q

What happens if you can modify $PATH for a SUID program?

A

If the SUID program invokes another program by a relative name (looked up via $PATH), you can make the privileged program execute your own program with those high privileges, and the program you write can then do something malicious with them. Defense: SUID programs should use absolute paths and sanitize their environment.

6
Q

File Descriptor Vulnerabilities

A

Example:
1) SUID program opens a file only readable by root.
2) Program forks a user-controlled, unprivileged process.
3) The child inherits the open file descriptor!
Defense: close privileged file descriptors (or mark them close-on-exec) before forking or exec'ing unprivileged code.

7
Q

Cross-Site Scripting (XSS)

A
  • XSS allows an attacker to inject code into a vulnerable web page. Victims visiting the page inadvertently run code from an untrusted origin.
  • Injected code runs in the vulnerable site's context, so it can access all of that site's data without violating the same-origin policy (SOP)!
8
Q

Reflected XSS

A

1) Attacker includes code in a malicious link.
2) Attacker tricks the victim into clicking on the link.
3) The server reflects the code into the response, and it runs in the visited page.

9
Q

Stored XSS

A

1) Attacker submits code to the server.
2) Server persists the code to storage.
3) Victim accesses a page that includes and runs the stored code.

10
Q

Cross-Site Request Forgery (CSRF)

A
  • allows an attacker to perform actions on behalf of a legitimate, authenticated user of a web application
  • delivered via social engineering or phishing, or by injecting a CSRF payload into a page so that the attack triggers automatically
  • the attacker doesn't need to steal the cookie because the browser automatically includes the session cookie, which authenticates and authorizes the action
  • defend using a CSRF token: add a secret to the request so the attacker cannot predict the value needed to trigger a sensitive action
11
Q

Confused Deputy Problem & CSRF

A
  • A confused deputy is tricked into performing a malicious action that it had permission to perform, but should not have performed!
  • CSRF is an example of the confused deputy problem.
  • The web browser is the deputy.
  • It is confused into misusing the user's legitimate authority under the attacker's control.
12
Q

XSS vs CSRF

A

In XSS, the client's trust in the server is violated.
In CSRF, the server's trust in the client is violated.

13
Q

Black Hats

A

Bad guys.
Break into systems for fun/profit.

14
Q

White Hats

A

Good guys.
Ethical hackers.
Try to protect systems and advance security.

15
Q

Gray Hats

A

"Chaotic good" guys: often good intent, but legal/ethical trouble.
Break things first, then ask questions.

16
Q

Virus

A
  • malware that infects other host files and lives inside them
  • can infect the boot sector on disk, data files, executable files, etc.
  • trade-off between propagation success and detection risk
17
Q

Worms

A
  • self-propagates over the network by exploiting vulnerable services
  • self-contained program, no infection of host files
  • fully automated, no need for user interaction
18
Q

Trojans

A
  • malicious software pretending to be benign
  • self-contained program, no infection of host files
  • tricks users into thinking it is a benign application and interacting with it
19
Q

Rootkits

A
  • live inside the kernel, modules, drivers, etc.
  • can easily hide from anti-virus
  • since the TCB can no longer be trusted, throw your computer out the window (i.e. rebuild the machine from scratch)
20
Q

Botnets

A
  • overlay of compromised hosts (bots, zombies)
  • easy to monetize
  • remote command and control
  • distributed command execution
  • botmaster: controls network, issues commands through C&C server(s)
21
Q

Domain Generation Algorithms (DGA)

A
  • many bots use DNS to locate the C&C server
  • if a single name is used, it is easy to take down the botnet by blocklisting that name
  • solution: generate many names, and the botnet rotates between them
  • fast flux: rapidly changing the IP addresses that a DNS record maps to, used to prevent IP blocklisting
22
Q

Botnet Defenses

A
  • sinkholes and blocklisting (may need to reverse engineer the DGA)
  • identify C&C traffic by looking for periodic behavior
  • identify crowd behavior: all bot-infected hosts in a network will receive and react to a command in the same way
23
Q

Ransomware

A
  • encrypts files, locks the screen, asks for a ransom
  • solution: back up your files
24
Q

Advanced Persistent Threats (APT)

A
  • attackers may have advanced capabilities
  • persistent: covert activity over a long period of time
  • threat: capability + intent
  • targeted malware is a more useful term!
25
Q

Catching Malware

A
  • traditional technique: static signatures (analysts extract patterns from known malware; anti-virus software checks for these patterns)
  • heuristics: generic signatures, involving dynamic behavioral analysis at runtime
  • signatures are not very sophisticated and don't protect against unknown variations of malware
  • behavioral analysis is prone to false positives -> BAD
26
Q

Avoiding Static Analysis (reverse engineering malware)

A
  • packed executables (hide code)
  • obfuscation: polymorphism and metamorphism
27
Q

Polymorphic Malware

A
  • encrypt the malware with a new key (maybe after each infection) -> signatures don't match
  • key and decryptor loop are embedded within the malware
  • same code, but it looks different (different registers, equivalent but different instructions, added dead code)
28
Q

Metamorphic Malware

A
  • similar to polymorphic, but without encryption
  • the entire malware is mutated/rewritten
  • every generation looks different in binary but behaves the same way
29
Q

Dynamic Analysis

A
  • run the malware and see what it does (network endpoints contacted, files accessed, registry keys changed, order of operations, ...)
  • create fingerprints and cluster samples into malware families
  • sandboxes are used as the execution environment; highly automated, can catch brand new malware
  • obfuscation does not work against sandboxes!
30
Q

Evasive Malware

A
  • goal: prevent the malware analyst from understanding what the code does by trying to detect whether it is running in a sandbox
  • if in a sandbox, don't run
  • relies on fingerprinting the sandbox environment through various artifacts
31
Q

Name issues with dynamic and static analysis

A
  1. Dynamic analysis is vulnerable to evasive malware
  2. Static analysis is vulnerable to obfuscation
32
Q

Process of reversing software

A
  • extract code from the binary representation
  • extract data from the binary representation
  • recover control-flow abstractions
  • recover program semantics