Module 6 - Tools and Targets

Question 1

Cyber Attack Outcome

Answer 1

tools and targets vary

• Function as an effective “first strike”
• Deny access to communication and information

Question 2

Tools / Methods (Name 6)

Answer 2

• Spam and Phishing Attacks
• DDoS
• Botnets
• Fast Flux
• Domain Generation Algorithm
• Disclosing Information (method?)

Question 3

Spam and Phishing Attacks

Answer 3

• Avg. click-through rate on these e-mails is approx. 10% ( 2010-2011)
• Individuals not real targets. (Unless spear phishing or whaling campaign.)
• For targeted, e-mails aren’t broadcasted to everyone. Particular domain accounts, e.g., usernames@osd.mil. Customers of a particular organization, e.g., a broad, sweeping e-mail labeled as Bank of America.
• Modern attacks route resulting info through victim so 1 IP

Question 4

DDoS

Answer 4

• commoditized through tools such as LOIC.

Question 5

Botnets

Answer 5

Hlux / Kelihos botnet - most in US (reliable)

Question 6

Modified Botnets

Answer 6

• move away from single C2 server (centralized) to hybrid P2P (servant bots and client bots)

Question 7

Botnets (Name 6)

Answer 7

• Zeus (3,600,000)
• BredoLab (30,000,000)
• Conficker (10,500,000)
• Mariposa (12,000,000)
• Coreflood (2,300,000)
• Cutwail (1,500,000)

Question 8

Zeus

Answer 8

3,600,000 infections in US

• 10/2010 FBI arrested > 100 bank fraud and money laundering
• stole $70
• May 2011 source code made public

Question 9

BredoLab

Answer 9

• 30,000,000 infections

- November 2011 Dutch seized 143 C2 servers

Question 10

Conficker

Answer 10

10,500,000 infections

- July 2010 - suspected creator of “Butterfly bot” arrested.

Question 11

Coreflood

Answer 11

• April 2011 - FBI had court-order issued for server shutdowns

Question 12

Botnets for Hire

Answer 12

• Target: US Banking
• Weapon: Botnet zombie, HTTP and UDP requests
• Source: Infected UK website, Izz ad-Din al-Qassam Cyber Fighters (Iran?)
• Motive: film trailer mocking prophet Muhammad on YouTube (failure to remove)

Question 13

Fast Flux (define)

Answer 13

Numerous IP addresses associated with a single, fully qualified domain name
IP addresses are swapped in and out with extremely high frequency, through changing DNS records

single & double

Question 14

Single-flux vs double-flux

Answer 14

Single: Multiple individual nodes within the network registering and de-registering their addresses as part of the DNS A (address) record list for a single DNS name.
Round-robin with short TTL

Double: Multiple nodes within the network registering and de-registering their addresses as part of the DNS Name Server record list for the DNS zone

Question 15

Domain Generation Algorithm

Answer 15

• used to periodically generate a large # of domain names to be used as rendezvous points with botnet controllers.
• makes it difficult to track and effectively shut down botnets as infected computers will attempt to contact some of these domain names every day to receive updates or commands.
  Use of public key cryptography makes it impossible to mimic commands from the malware controllers
  Examples:
  Conficker, Murofet, BankPatch, Baboons

Question 16

Domain Generation Algoritm (4 examples)

Answer 16

Conficker,
Murofet,
BankPatch,
Baboons

Question 17

Disclosing Information

Answer 17

Purpose of Sharing;

• Cause embarrassment
• Inform fellow activists without direct communication
• Hope that someone – anyone – else will follow-up

Question 18

Doxing

Answer 18

Act of publishing private information about individuals or organizations on the Internet

Question 19

Traditional Targets (Name 4 with goal)

Answer 19

- Government websites 
      Show the security as being weak
      Publish its own message
      Obtain news coverage
- Defense systems – military advantage
- Financial systems
- Corporations with trade secrets

Question 20

Banks as Targets - Changing Trends

Answer 20

Attacks on banks are not limited to DDoS
Percentage of attacks on U.S. banks, which resulted in funds transfers:
2009: 70%
2011: 12%
Q1 & Q2 2012: 9%
Tools: Trojans & Phishing attacks
Corporate customers targeted:
2.1/1000 in Q1 & Q2 2012
3.4/1000 in 2011

Question 21

Non-Traditional Targets (2)

Answer 21

• SCADA

- power

Question 22

SCADA

Answer 22

Supervisory Control and Data Acquisition systems
Used to control and monitor system processes
Industrial
Infrastructure
Facilities

Question 23

Power industries (3)

Answer 23

Electrical
Atomic
Petrochemical (oil and gas)

Question 24

Large Scale Assault Option

Answer 24

New missile emits microwaves to overload computers and electrical systems
Cost: $38 million