Lecture 21: Malware and attacks Flashcards
What are some examples of what can occur in malware and cyber attacks?
export, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an asset
What are some of the goals of malware and cyber attacks?
1) disabling the target computer or knocking it offline
2) getting access to the target computer’s data and perhaps gaining admin privileges on it
What are some of the attack methods for malware and cyber attacks?
social engineering, hacking and cracking, viruses and worms, trojan horses, denial of service (DoS) attacks, rootkits, blended threats, zero-day attacks, bots and botnets, buffer overflow
What is social engineering?
persuading someone to do something
What is hacking and cracking?
guessing, corrupting or stealing info
What is a virus i.t.o. malware?
propagates by inserting a copy of itself into and becoming part of another programme e.g. Melissa, CryptoMix
executable piece of code
What is a worm i.t.o. malware?
replicates functional copies of itself but does not require a host program’s help to propagate e.g. WannaCry, Code-Red, Nimda, Slammer
What is a Trojan horse?
harmful piece of software that looks legitimate –> backdoor trojan, downloader trojan, ransom trojan
normally waiting to be downloaded or installed by a user and then executing attack e.g. email attachment
What are network layer attacks?
IP spoofing (masquerading), sequence number prediction, TCP hijacking
What are web-based attacks?
cross-site scripting, cookie poisoning, SQL injection
What are examples of DoS operating system attacks?
Ping of Death, Tear Drop, Land, Snork
What are examples of DoS network attacks?
SYN flood, TCP FIN/RST, Smurf, Coke
What are examples of distributed DoS (DDoS) attacks?
Cayosin, TCP Flood, Reflection
What are some examples of social engineering attacks?
1) phishing attacks on bank customers
2) inviting someone to log into a bogus website –> spoofed bank website
3) impersonating a new employee who has forgotten user ID and/or password
4) impersonating a technician support staff member and requesting a user to “check” accounts
What do social engineering attacks commonly persuade someone to do?
run/install malicious or subverted software
Outline what a spear phishing attack involves
1) email appearing to be from an individual or business that users know
2) looking for credit card and bank account numbers, passwords, and other financial information
What type of attack is a spear phishing attack?
social engineering attack
Outline hacking and cracking
password discovery by trying default passwords e.g. “guest”
password cracking tools, readily available from the internet for a wide range of password protection systems
What are the password attacks?
1) brute force attacks
2) dictionary attacks
What is a brute force password attack?
try every combo for a password with few characters
What is a dictionary attack?
for real-word passwords, use database of passwords
What tools can be used for doing password attacks?
CRACK, L0phtcrack, John the Ripper
What are one-time passwords (OTPs)? Why are they valuable?
an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session.
An OTP is more secure than a static password, especially a user-created password, which can be weak and/or reused across multiple accounts.
How do viruses travel and spread?
attaching itself to legitimate executable programs
What do viruses cause?
some unexpected and usually undesirable behaviour
Give an example of how viruses can automatically spread to other computer users?
transferring infected files via email attachments
Do worms run independently?
yes
How can a worm propagate a complete working version of itself onto other hosts on a network?
usually by exploiting software vulnerabilities in the target system
Do trojan horses use infected files or propagation?
no
What does installing a trojan horse allow the attacker to access?
user’s machine remotely via the internet
What are the components of a trojan horse?
1) client application run on the attacker’s computer
2) server application run on the victim’s computer
Once a trojan horse is installed/downloaded by the victim, what is the next step in the attack?
Computers on network are scanned to locate any with a trojan installed, creating a botnet
What is botnet short for?
Robot network
Outline the Zeus trojan horse attack
Stealing banking information by keystroke logging
Spreading through drive-by downloads and phishing schemes
Compromising thousands of accounts on websites of companies
Largest botnet on the Internet –> millions of compromised computers (3.6 million in USA)
What is the intention of a DoS attack?
Making network services unavailable to users rather than gaining illegal access
How does a DoS attack make the network unavailable?
Flooding attacks overload servers
What are some examples of DoS attacks?
Ping o’ Death, SYN flood, ICMP redirect messages
What does a DoS attacker threaten the victim with?
Financial incentive and extortion
Is there a solution to prevent DoS attacks?
No magic solution
1) Sharing services across different servers
2) Using a properly configured firewall
Explain the process of a normal TCP connection setup
TCP SYN-ACK sequence:
client: “may I have a connection?”
server: “I’ll set aside one just for you”
client: “great, I’ll take it”
Explain the process of an abnormal TCP connection setup
TCP SYN-ACK sequence:
client: “may I have a connection?”
server: “I’ll set aside one just for you”
server: “do you still want this connection?”
Explain the process of an organised DoS attack
TCP SYN-ACK sequence:
client: “may I have a connection?”
server: “I’ll set aside one just for you”
server: “do you still want this connection?” REPEATED to all clients
Over time, other requests will not be serviced (too busy with pending requests)
System locks up, does not really die (just impaired)
What are rootkits?
Collection of programs that hackers use to mask intrusion and obtain admin access
What must an intruder obtain before installing a rootkit?
user-level access (the rootkit is installed after obtaining it)
How can an intruder obtain user-level access in order to install a rootkit?
By exploiting known vulnerability or cracking password
What is the goal of a rootkit attack?
Collecting user IDs and passwords to other machines on the network –> thus giving the hacker root/privileged access
What are the utilities of rootkits?
1) Monitoring traffic and keystrokes
2) Creating a “backdoor” into the system for hacker’s use
3) Altering log files
4) Attacking other machines on the network
5) Altering existing system tools to circumvent detection
Comment on the availability of rootkits on operating systems
Available for a number of operating systems.
Comment on rootkits’ detectability
Increasingly difficult to detect on any network
What is a blended threat attack?
Software exploit that involves a combination of attacks against different vulnerabilities
What can a blended threat attack involve?
1) Worms dropping parasitic viruses
2) Destructive trojan horses
3) Password stealers
4) Remote access trojans (RATs)
5) Trojanised applications replacing legitimate system tools
6) Multiplatform attacks
–> Payloads affecting multiple platforms
–> Linux worms with drop.exe trojans
7) Advanced persistent threats (APTs)
What is a RAT?
remote access trojan (a malware threat)
What were RATs previously used in? Where are they used now?
Previously: attacks against energy sectors
Now aimed at organizations using/developing industrial applications and machines
What is Havex?
Distributed new version of a RAT
Briefly outline Havex
Discovered in 2013 by F-Secure
Hacking into websites of industrial control system (ICS) manufacturers and poisoning their software downloads
What does APT stand for?
Advanced persistent threats
What are APTs?
Set of stealthy and continuous computer hacking processes, involving humans in real-time
Sophisticated techniques using malware to exploit vulnerabilities in systems
External command and control, continuously monitoring and extracting data off a specific target
What do APTs target? Why?
organizations for business motives and nations for political motives
What do APTs require?
a high degree of covertness over a long period of time
What are examples of APTs?
Stuxnet, Duqu, Sandworm, BlackEnergy
Outline what zero-day attacks take advantage of
1) software vulnerabilities for which there is no available fix
2) flaws before software makers can fix them
What do zero-day attacks emphasise?
the importance of safe configuration policies and good incident reporting systems
Explain the Blaster worm zero-day attack
One of the most virulent ever
Hitting the Internet barely one month after Microsoft released a patch for the flaw it exploited
Explain the Nachi worm zero-day attack
A variant of the Blaster worm
Carrying a dangerous payload
Hitting users less than a week later
Comment on the timelines of zero-day attacks
collapsing –> Only a matter of time before users see attacks against flaws not yet discovered or for which no patches are available
Explain the diagram on slide 27 of set 22 about the zero-day attacks getting closer
TODO
Give an overview of a bot
Derived from the word “robot”
Also called webcrawler
Software agent interacting with other network services intended for people as if it were a real person
Typical use is gathering information
Give an overview of a botnet
Collection of software bots, running autonomously
Usually a collection of compromised machines running worms, trojans or backdoors
What is the buffer overflow attack used for?
to gain remote execution on host
What does the buffer overflow attack take advantage of?
inadequate buffer boundary checking in applications/services
What does a buffer overflow attack often involve?
overwriting return addresses on the stack
sending executable code as binary data within the attack data stream –> usually carefully crafted to be located at a specific position within a buffer
What type of attack is the heartbleed bug?
buffer overflow attack
Outline what the heartbleed bug is
Bug in OpenSSL’s implementation of the SSL/TLS heartbeat extension
When exploited, it leads to the leak of memory contents from the server to the client and from the client to the server
Comment on the scale of the heartbleed attack
Well-known bug in SSL/TLS
What is the heartbleed bug exploited for?
to access memory
–> Secret cryptographic keys
–> User names, passwords, their contents
Is the heartbleed bug public knowledge?
yes –> believed to have existed at least 2 years before discovery