Chapter 8 (Lecture 7) Flashcards
What is the major difference between a virus and a worm?
Viruses and worms both travel from system to system attempting to deliver their malicious payloads to as many machines as possible.
However, viruses require some sort of human intervention, such as sharing a file, network resource, or email message, to propagate.
Worms, on the other hand, seek out vulnerabilities and spread from system to system under their own power, thereby greatly magnifying their reproductive capability, especially in a well-connected network.
Explain the four propagation methods used by Robert Tappan Morris’s Internet Worm.
The Internet Worm used four propagation techniques.
First, it exploited a bug in the sendmail utility that allowed it to spread itself by sending a specially crafted email message that contained its code to the sendmail program on a remote system.
Second, it used a dictionary-based password attack to attempt to gain access to remote systems by utilizing the username and password of a valid system user.
Third, it exploited a buffer overflow vulnerability in the finger program to infect systems.
Fourth, it analyzed any existing trust relationships with other systems on the network and attempted to spread itself to those systems through the trusted path.
What are the actions an antivirus software package might take when it discovers an infected file?
If possible, antivirus software may try to disinfect an infected file, removing the virus’s malicious code.
If that fails, it might either quarantine the file for manual review or automatically delete it to prevent further infection.
Explain how a data integrity assurance package like Tripwire provides some secondary virus detection capabilities.
Data integrity assurance packages like Tripwire compute hash values for each file stored on a protected system.
If a file infector virus strikes the system, this would result in a change in the affected file’s hash value and would, therefore, trigger a file integrity alert.
- What is the most commonly used technique to protect against virus attacks?
A. Signature detection
B. Heuristic detection
C. Data integrity assurance
D. Automated reconstruction
- A. Signature detection mechanisms use known descriptions of viruses to identify malicious code resident on a system.
- You are the security administrator for an e-commerce company and are placing a new web server into production. What network zone should you use?
A. Internet
B. DMZ
C. Intranet
D. Sandbox
- B. The DMZ (demilitarized zone) is designed to house systems like web servers that must be accessible from both the internal and external networks.
- Which one of the following types of attacks relies upon the difference between the timing of two events?
A. Smurf
B. TOCTTOU
C. Land
D. Fraggle
- B. The time-of-check-to-time-of-use (TOCTTOU) attack relies upon the timing of the execution of two events.
- Which of the following techniques requires that administrators identify appropriate applications for an environment?
A. Sandboxing
B. Control signing
C. Integrity monitoring
D. Whitelisting
- D. Application whitelisting requires that administrators specify approved applications and then the operating system uses this list to allow only known good applications to run.
- What advanced virus technique modifies the malicious code of a virus on each system it infects?
A. Polymorphism
B. Stealth
C. Encryption
D. Multipartitism
- A. In an attempt to avoid detection by signature-based antivirus software packages, polymorphic viruses modify their own code each time they infect a system.
- Which one of the following tools provides a solution to the problem of users forgetting complex passwords?
A. LastPass
B. Crack
C. Shadow password files
D. Tripwire
- A. LastPass is a tool that allows users to create unique, strong passwords for each service they use without the burden of memorizing them all.
- What type of application vulnerability most directly allows an attacker to modify the contents of a system’s memory?
A. Rootkit
B. Back door
C. TOC/TOU
D. Buffer overflow
- D. Buffer overflow attacks allow an attacker to modify the contents of a system’s memory by writing beyond the space allocated for a variable.
- Which one of the following passwords is least likely to be compromised during a dictionary attack?
A. mike
B. elppa
C. dayorange
D. fsasoalg
- D. Apart from option D, the choices are forms of common words that might be found during a dictionary attack. mike is a name and would be easily detected. elppa is simply apple spelled backwards, and dayorange combines two dictionary words. Crack and other utilities can easily see through these “sneaky” techniques. Option D is simply a random string of characters that a dictionary attack would not uncover.
- What file is instrumental in preventing dictionary attacks against UNIX systems?
A. /etc/passwd
B. /etc/shadow
C. /etc/security
D. /etc/pwlog
- B. Shadow password files move encrypted password information from the publicly readable /etc/passwd file to the protected /etc/shadow file.
- What character should always be treated carefully when encountered as user input on a web form?
A. !
B. &
C. *
D. '
- D. The single quote character (') is used in SQL queries and must be handled carefully on web forms to protect against SQL injection attacks.
- What database technology, if implemented for web forms, can limit the potential for SQL injection attacks?
A. Triggers
B. Stored procedures
C. Column encryption
D. Concurrency control
- B. Developers of web applications should leverage database stored procedures to limit the application’s ability to execute arbitrary code. With stored procedures, the SQL statement resides on the database server and may only be modified by database administrators.
- What type of reconnaissance attack provides attackers with useful information about the services running on a system?
A. Session hijacking
B. Port scan
C. Dumpster diving
D. IP sweep
- B. Port scans reveal the ports associated with services running on a machine and available to the public.
- What condition is necessary on a web page for it to be used in a cross-site scripting attack?
A. Reflected input
B. Database-driven content
C. .NET technology
D. CGI scripts
- A. Cross-site scripting attacks are successful only against web applications that include reflected input.
- What type of virus utilizes more than one propagation technique to maximize the number of penetrated systems?
A. Stealth virus
B. Companion virus
C. Polymorphic virus
D. Multipartite virus
- D. Multipartite viruses use two or more propagation techniques (for example, file infection and boot sector infection) to maximize their reach.
- What is the most effective defense against cross-site scripting attacks?
A. Limiting account privileges
B. Input validation
C. User authentication
D. Encryption
- B. Input validation prevents cross-site scripting attacks by limiting user input to a predefined range. This prevents the attacker from including the HTML SCRIPT tag in the input.
- What worm was the first to cause major physical damage to a facility?
A. Stuxnet
B. Code Red
C. Melissa
D. rtm
- A. Stuxnet was a highly sophisticated worm designed to destroy nuclear enrichment centrifuges attached to Siemens controllers.
- Ben’s system was infected by malicious code that modified the operating system to allow the malicious code author to gain access to his files. What type of exploit did this attacker engage in?
A. Escalation of privilege
B. Back door
C. Rootkit
D. Buffer overflow
- B. Back doors are undocumented command sequences that allow individuals with knowledge of the back door to bypass normal access restrictions.
- What technology does the Java language use to minimize the threat posed by applets?
A. Confidentiality
B. Encryption
C. Stealth
D. Sandbox
- D. The Java sandbox isolates applets and allows them to run within a protected environment, limiting the effect they may have on the rest of the system.
- What HTML tag is often used as part of a cross-site scripting (XSS) attack?
A. “H1”
B. “HEAD”
C. “XSS”
D. “SCRIPT”
- D. The SCRIPT tag is used to indicate the beginning of an executable client-side script and is used in reflected input to create a cross-site scripting attack.
- When designing firewall rules to prevent IP spoofing, which of the following principles should you follow?
A. Packets with internal source IP addresses don’t enter the network from the outside.
B. Packets with internal source IP addresses don’t exit the network from the inside.
C. Packets with public IP addresses don’t pass through the router in either direction.
D. Packets with external source IP addresses don’t enter the network from the outside.
- A. Packets with internal source IP addresses should not be allowed to enter the network from the outside because they are likely spoofed.
Virus propagation techniques
- Macro virus
- MBR virus
- File infector virus
What is a Macro virus?
Many common software applications implement some sort of scripting functionality to assist with the automation of repetitive tasks (like VBA)
Macro viruses first appeared in the mid-1990s, and infected documents created in the popular Microsoft Word environment
Although they were relatively unsophisticated, these viruses spread rapidly because the antivirus community didn’t anticipate them
What is a Master Boot Record (MBR) virus?
A master boot record virus (or MBR virus) attacks the MBR, the portion of bootable media (e.g., hard drive) that the computer uses to load the operating system during the boot process
The virus stores most of its code on another portion of the media
When the system reads the infected MBR, the virus instructs it to read and execute the code stored in the alternate location
What is a File infector virus?
A file infector virus infects different types of executable files and triggers when the operating system attempts to execute them
Example: .exe and .com files in Windows-based systems
Easily detectable by comparing file hashes (as described for Tripwire above)
What are the Main Virus Technologies?
- Multipartite
- Stealth
- Polymorphic
- Encrypted
What is a Multipartite Virus?
Multipartite viruses use more than one propagation technique in an attempt to penetrate systems that defend against only one method
For example, a virus may infect both executable files and the MBR
What is a Stealth Virus?
Stealth viruses hide themselves by tampering with the operating system
For example, a stealth MBR virus might infect the system’s MBR and also modify the operating system’s file access functionality to cover its tracks
When the antivirus requests a copy of the MBR, the modified operating system code provides it with a clean version of the MBR
However, when the system boots, it reads the infected MBR and loads the virus into memory
What is a Polymorphic Virus?
Polymorphic viruses modify their code as they move from system to system
The signature of the virus is therefore different each time it infects a new system
In theory, this constantly changing signature should render signature-based antivirus packages useless
However, current antivirus packages are able to detect known polymorphic viruses
What is an Encrypted Virus?
Encrypted viruses use cryptographic techniques to avoid detection
As with polymorphic viruses, each infected system has a virus with a different signature
However, encrypted viruses generate these different signatures by encrypting their code with different cryptographic keys
Encrypted viruses use a decryption routine, which contains the cryptographic information necessary to load and decrypt the main virus code
This routine often contains signatures that render it vulnerable to antivirus software
What are Logic Bombs?
Logic bombs are malicious code objects that infect a system and lie dormant until they are triggered by the occurrence of one or more conditions
What are Trojan Horses?
Trojans differ very widely in functionality
Some are fairly innocuous
Some will destroy all the data stored on a system in an attempt to cause a large amount of damage in a short time frame
Example: in 2002, Trojans circulated as programs that claimed to run Xbox on a PC
When users ran these programs, they simply didn’t work
However, they inserted a value into the Windows Registry that caused a specific web page to open each time the computer booted
How do Worms Work?
Worms pose a significant risk to network security
They contain the same destructive potential as other malicious code objects, but they can also propagate without requiring any human intervention
What is Spyware?
Spyware monitors your actions and transmits important details to a remote system that spies on your activity
What is Adware?
Adware is quite similar to spyware in form, but has a different purpose
It uses a variety of techniques to display advertisements on infected computers
Name 5 types of Attacks
- Denial-of-Service Attacks
- Distributed DoS Toolkits
- Smurf Attacks
- DNS Amplification Attacks
- Teardrop
- Land Attack
- Ping of Death
- Buffer Overflows
- Time-of-Check-to-Time-of-Use
- Trap Doors
- Rootkits
DoS attacks
DoS attacks prevent legitimate users from accessing resources
In some attacks, a brute-force approach is used, simply overwhelming a targeted system with many requests
Others include elegantly crafted commands that cause vulnerable systems to crash or hang indefinitely
Classes of DoS Attacks
- SYN Flood
- Distributed DoS Toolkits
- Smurf
- DNS Amplification Attacks
- Teardrop
- Land
- DNS Poisoning
- Ping of Death
Distributed DoS Toolkits
Distributed denial-of-service (DDoS) attacks allow attackers to harness the power of many third-party systems to attack the target
Trinoo and Tribe Flood Network (TFN) are two commonly used DDoS toolkits
Smurf Attacks
The smurf attack is a distributed reflective denial-of-service (DRDoS) attack
Attacks are amplified using one or more third-party networks
DNS Amplification Attacks
DNS amplification attacks cause flooding similar to a smurf attack
An attacker tricks unwitting participants into sending unwanted traffic to a third party
Teardrop Attack
A teardrop attack is a fragmentation attack (a DoS attack)
Fragmentation attacks exploit vulnerabilities in the fragment reassembly functionality of the TCP/IP protocol stack
System administrators can configure the maximum size allowed for TCP/IP packets on each network
When a network receives a packet larger than its maximum allowable size, it breaks it up into two or more fragments
These fragments are each assigned a size and an offset
In the teardrop attack, attackers use software that sends out packet fragments that do not conform to the protocol specification
Specifically, they send two or more overlapping fragments
When the receiving system tries to reassemble the fragmented packet, it doesn’t know how to handle the fragments and freezes or crashes
Land Attack
The land denial-of-service attack causes many older operating systems to freeze and behave in an unpredictable manner
Ping Of Death
The largest permissible ICMP packet is 65,536 bytes
Many early OS developers relied upon the assumption that the protocol stack of sending machines would never exceed this value and did not build in error-handling routines to monitor for packets exceeding this limit
Buffer Overflow
Buffer overflow vulnerabilities exist when a developer does not properly validate user input to ensure that it is of an appropriate size
User data can overwrite system commands
Buffer-overflow vulnerabilities are especially prevalent in code developed rapidly for the Web using CGI or other languages
Time-of-Check-to-Time-of-Use (TOCTTOU)
TOCTTOU is a timing vulnerability that occurs when a program checks access permissions too far in advance of a resource use
Rootkits
Rootkits are specialized software packages that allow attackers to gain expanded access to a system
Trap doors (or back doors)
Trap doors are undocumented access mechanisms that allow software developers to bypass normal access restrictions
What is Cross-site Scripting (XSS)?
Cross-site scripting (XSS) is a security vulnerability typically found in Web applications
It enables attackers to leverage some type of reflected input to inject client-side scripts into web pages viewed by other users
What is SQL Injection?
SQL injection attacks allow a malicious individual to directly perform SQL transactions against the underlying database
How do IP Probes Work?
IP probes (aka IP sweeps or ping sweeps) are often the first type of network reconnaissance carried out against a target system
- Automated tools simply attempt to ping each address in a range
- Systems that respond to the ping request are logged for further analysis
- Addresses that do not produce a response are assumed to be unused and are ignored
Disabling responses to ping helps defend against this
How do Port Scans Work?
After performing an IP probe, attackers have a list of active systems on a network
The next step is to select one or more systems to target with additional attacks
Often, attackers have a type of target in mind, such as a web server or other servers supporting critical operations
Vulnerability Scans
Once the attacker determines a specific system to target, they need to discover a specific vulnerability that can be exploited
Vulnerability scanners are highly automated tools
They can probe an entire network for any exploitable weaknesses
Dumpster Diving
Dumpster diving consists of analyzing discarded material to gain intelligence that might help launch an attack