Lecture 21: Malware and attacks

Question 1

What are some examples of what can occur in malware and cyber attacks?

Answer 1

export, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset

Question 2

What are some of the goals of malware and cyber attacks?

Answer 2

1) disabling the target computer or knocking it offline

2) getting access to the target computer’s data and perhaps gaining admin privileges on it

Question 3

What are some of the attack methods for malware and cyber attacks?

Answer 3

social engineering
hacking and cracking
viruses and worms
trojan horses
denial of service (DoS) attacks
rootkits
blended treats
zero-day attacks
bots and botnets
buffer overflow

Question 4

What is social engineering?

Answer 4

persuading someone to do something

Question 5

What is hacking and cracking?

Answer 5

guessing, corrupting or stealing info

Question 6

What is a viruses i.t.o malware?

Answer 6

propagates by inserting a copy of itself into and becoming part of another programme e.g. Melissa, CryptoMix

executable piece of code

Question 7

What is a worm i.t.o malware?

Answer 7

replicates functional copies of itself but does not require a host program’s help to propagate e.g. WannaCry, Code-Red, Nimda, Slammer

Question 8

What is a Trojan horse?

Answer 8

harmful piece of software that looks legitimate –> backdoor trojan, downloader trojan, ransom trojan

normally waiting to be downloaded or installed by a user and then executing attack e.g. email attachment

Question 9

What are network layer attacks?

Answer 9

IP spoofing (masquerading), sequencing number prediction, TCP hijacking

Question 10

What are web-based attacks?

Answer 10

cross-site scripting, cooking poisoning, SQL injection

Question 11

What are examples of DoS operating system attacks?

Answer 11

Ping of Death, Tear Drop, Land, Snork

Question 12

What are examples of DoS network attacks?

Answer 12

SYN flood, TCP fin/rst, Smurf, Coke

Question 13

What are examples of DoS distributed Dos attacks?

Answer 13

Cayosin, TCP Flood, Reflection

Question 14

What is are some examples of social engineering attacks?

Answer 14

1) phishing attacks on bank customers
2) inviting someone to log into a bogus website –> spoofed bank website
3) impersonating a new employee who has forgotten user ID and/or password
4) impersonating a technician support staff member and requesting a user to “check” accounts

Question 15

What do social engineering attacks commonly persuade someone to do?

Answer 15

run/install malicious or subverted software

Question 16

Outline what a spear phishing attack involves

Answer 16

1) email appearing to be from an individual or business that users know
2) looking for credit card and bank account numbers, passwords, and other financial information

Question 17

What type of attack is a spear phishing attack?

Answer 17

social engineering attack

Question 18

Outline hacking and cracking

Answer 18

password discovery by trying default passwords e.g. “guest”

password cracking tools, readily available from the internet for a wide range of password protection systems

Question 19

What are the password attacks?

Answer 19

1) brute force attacks

2) dictionary attacks

Question 20

What is a brute force password attack?

Answer 20

try every combo for a password with few characters

Question 21

What is a dictionary attack?

Answer 21

for real-word passwords, use database of passwords

Question 22

What tools can be used for doing password attacks?

Answer 22

CRACK, L0phtcrack, John the Ripper

Question 23

What are one-time passwords (OTPs)? Why is it valuable?

Answer 23

an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session.

An OTP is more secure than a static password, especially a user-created password, which can be weak and/or reused across multiple accounts.

Question 24

How do viruses travel and spread?

Answer 24

attaching itself to legitimate executable programs

Question 25

What do viruses cause?

Answer 25

some unexpected and usually undesirable behaviour

Question 26

Give an example of how viruses can automatically spread to other computer users?

Answer 26

tranfering infected files via email attachments

Question 27

Do worms run independently ?

Answer 27

yes

Question 28

How can a worm propagate a complete working version of itself onto other host on a network?

Answer 28

usually by exploiting software vulnerabilities in the target system

Question 29

Do trojan horses use infected files or propagation?

Answer 29

no

Question 30

What does installing a trojan horse allow the attacker to access?

Answer 30

user's machine remotely via the internet

Question 31

What are the components of a trojan horse?

Answer 31

1) client application run on the attacker's computer | 2) server application run on the victim's computer

Question 32

Once a trojan horse is install/downloaded by the victim, what is the next step in the attack?

Answer 32

Computers on network are scanned to locate any with a trojan installed, creating a botnet

Question 33

What is botnet short for?

Answer 33

Robot network

Question 34

Outline the Zeus trojan horse attack

Answer 34

Stealing banking information by keystroke logging Spreading through drive-by downloads and phishing schemes Compromising thousands of accounts on websites of companies largest botnet on the Internet --> million of compromised computers (3.6 million in USA)

Question 35

What is the intention of a DoS attack?

Answer 35

Making network services unavailable to users | rather than gaining illegal access

Question 36

How does a DoS attack make the network unavailable?

Answer 36

Flooding attacks overload servers

Question 37

What are some examples of DoS attacks?

Answer 37

Ping o’ Death, SYN flood, ICMP redirect | messages

Question 38

What does a DoS attacker threaten the victim with?

Answer 38

Financial incentive and extorsion

Question 39

Is there a solution to prevent DoS attacks?

Answer 39

No magic solution 1) Sharing services across different servers 2) Using a properly configured firewall

Question 40

Explain the process of a normal TCP connection setup

Answer 40

TCP SYN-ACK sequence: client: "may I have a connection?" server: "I'll set aside one just for you" client: "great, I'll take it"

Question 41

Explain the process of an abnormal TCP connection setup

Answer 41

TCP SYN-ACK sequence: client: "may I have a connection?" server: "I'll set aside one just for you" server: "do you still want this connection?"

Question 42

Explain the process of an organised DoS attack

Answer 42

TCP SYN-ACK sequence: client: "may I have a connection?" server: "I'll set aside one just for you" server: "do you still want this connection?" REPEATED to all clients Over time, other requests will not be serviced (too busy with pending requests) System locks up, does not really die (just impaired)

Question 43

What are rootkits?

Answer 43

Collection of programs that hackers use to mask intrusion | and obtain admin access

Question 44

What must an intruder obtain before installing a rootkit?

Answer 44

after obtaining user-level | access

Question 45

How can an intruder obtainer user-level access in order to install a rootkit?

Answer 45

By exploiting known vulnerability or cracking password

Question 46

What is the goal of a rootkit attack?

Answer 46

Collecting user IDs and passwords to other machines on | the network --> Thus giving the hacker root/privilege access

Question 47

What are the utilitises of rootkits?

Answer 47

1) Monitoring traffic and keystrokes 2) Creating a “backdoor” into the system for hacker’s use 3) Altering log files 4) Attacking other machines on the network 5) Altering existing system tools to circumvent detection

Question 48

Comment on the availability of rootkits on operating systems

Answer 48

Available for a number of operating systems.

Question 49

Comment on rootkits' detectivity

Answer 49

Increasingly difficult to detect on any network

Question 50

What is a blended threats attack?

Answer 50

Software exploit that involves a combination of attacks against different vulnerabilities

Question 51

What vulnerabilities can blended threats attack involve?

Answer 51

1) Worms dropping parasitic viruses 2) Destructive trojan horses 3) Password stealers 4) Remote access trojans (RATs) 5) Trojanised applications replacing legitimate system tools 6) Multiplatform attacks - -> I Payloads affecting multiple platforms - -> I Linux worms with drop.exe trojans 7) Advanced persistent threats (APTs)

Question 52

What is a RAT?

Answer 52

remote access trojans Malware threat

Question 53

What were RATs previously used in? Where are they used now?

Answer 53

attacks against energy sectors Now aimed at organizations using/developing industrial applications and machines

Question 54

What is Havex?

Answer 54

Distributed new version of a RAT

Question 55

Briefly outline Havex

Answer 55

Discovered in 2013 by F-Secure Hacking into websites of industrial control system (ICS) manufacturers and poisoning their software downloads

Question 56

What does APT stand for?

Answer 56

Advanced persistent threats

Question 57

What are APTs?

Answer 57

Set of stealthy and continuous computer hacking processes. Involving humans in real-time Sophisticated techniques using malware to exploit vulnerabilities in systems External command and control, continuously monitoring and extracting data off a specific target

Question 58

What do APTs target? Why?

Answer 58

organizations for business motives and nations | for political motives

Question 59

What do APTs require?

Answer 59

a high degree of covertness over a long period | of time

Question 60

What are examples of APTs?

Answer 60

Stuxnet, Duqu, Sandworm, BlackEnergy

Question 61

Outline what zero-day attacks take advantage of

Answer 61

1) software vulnerabilities for which there is no available fix 2) flaws before software makers can fix them

Question 62

What do zero-day attacks emphasise?

Answer 62

e importance of safe configuration policies | and good incident reporting systems

Question 63

Explain the blaster worm zero-day attack

Answer 63

One of the most virulent ever Hitting the Internet barely one month after Microsoft released a patch for the flaw it exploited

Question 64

Explain the nachi worm zero-day attack

Answer 64

A variant of Blaster worm Carrying a dangerous payload. Hitting users less than a week later

Question 65

Comment on the timelines of zero-day attacks

Answer 65

collapsing --> Only a matter of time before users see attacks against flaws not yet discovered or for which no patches are available

Question 66

Explain the diagram on slide 27 of set 22 about the zero-day attacks getting closer

Answer 66

TODO

Question 67

Give an overview of a bot

Answer 67

Derived from the word “robot” Also called webcrawler Software agent interacting with other network services intended for people as if it were a real person Typical use is gathering information

Question 68

Give an overview of a botnet

Answer 68

Collection of software bots, running autonomously Usually a collection of compromised machines running worms, trojans or backdoors

Question 69

What is the buffer overflow attack used for?

Answer 69

to gain remote execution on host

Question 70

What does the buffer overflow attack take advantage of?

Answer 70

inadequate buffer boundary checking in applications/services

Question 71

What does a buffer attack often involve?

Answer 71

overwriting return addresses on the stack sending executable code as binary data within the attack data stream --> Usually carefully crafted to be located at specific position within a buffer

Question 72

What type of attack is the heartbleed bug?

Answer 72

buffer overflow attack

Question 73

Outline what the heartbleed bug is

Answer 73

Bug in the OpenSSL’s implementation of the SSL/TLS heartbeat extension When exploited, it leads to the leak of memory contents from the server to the client and from the client to the server

Question 74

Comment on the scale of the heartbleed attack

Answer 74

Well-known bug in SSL/TLS

Question 75

What is the heartbleed bug exploited for?

Answer 75

to access memory - -> Secret cryptographic keys - -> User names, passwords, their contents

Question 76

Is the heartbeat bug public knowledge?

Answer 76

yes --> Supposed to exist at least 2 years before discovery