Module III-Tools and Methods Used in Cybercrime

Introduction to Cyber Security 22ETC151

MODULE III
Tools and Methods Used in Cybercrime
The basic stages of an attack are described in the following section to understand how an attacker can compromise a network:

1. Initial uncovering: Two steps are involved here. In the first step, called reconnaissance, the attacker gathers as much information as possible about the target by legitimate means: searching for information about the target on the Internet, on social networking websites and on people-finder websites.
In the second step, the attacker uncovers as much information as possible about the company's internal network, such as the Internet domain, machine names and the company's Internet Protocol (IP) address ranges.
2. Network probe: At the network probe stage, the attacker uses more invasive techniques to scan for information. Usually, a "ping sweep" of the network IP addresses is performed to seek out potential targets, and then a "port scanning" tool is used to discover exactly which services are running on the target system. At this point, the attacker has still not done anything that would be considered abnormal activity on the network or anything that can be classified as an intrusion.
3. Crossing the line toward electronic crime (E-crime): Now the attacker moves toward committing what is technically a "computer crime." He/she does this by exploiting possible holes on the target system. The attacker usually goes through several stages of exploits to gain access to the system. Once the attackers are able to access a user account without many privileges, they will attempt further exploits to get administrator or "root" access. Root access is a Unix term and is associated with the system privileges required to run all services and access all files on the system.
4. Capturing the network: At this stage, the attacker attempts to "own" the network. The attacker gains a foothold in the internal network quickly and easily by compromising low-priority target systems. The next step is to remove any evidence of the attack. The attacker will usually install a set of tools that replace existing files and services with Trojan files and services that have a backdoor password.
5. Grab the data: Now that the attacker has "captured the network," he/she takes advantage of this position to steal confidential data and customer credit card information, deface webpages, alter processes and even launch attacks at other sites from your network, causing a potentially expensive and embarrassing situation for an individual and/or for an organization.
6. Covering tracks: This is the last step in any cyberattack, and refers to the activities undertaken by the attacker to extend misuse of the system without being detected. The attacker can remain undetected or use this phase either to start a fresh reconnaissance of a related target system or resources, removing evidence of hacking, avoiding legal action, etc.
Tools used to cover attacks
1. ELSave: It is a tool to save and/or clear an NT event log. ELSave is written by Jesper Lauritsen. The executable is available on the web link, but source code is not available.
2. WinZapper: This tool enables erasing event records selectively from the security log in Windows NT 4.0 and Windows 2000.
3. Evidence Eliminator: It is a simple and top-quality professional PC cleaning program that is capable of defeating all known investigative techniques, so that forensic analysis becomes impossible.
4. Traceless: It is a privacy cleaner for Internet Explorer that can delete common Internet tracks, including history, cache, typed URLs, cookies, etc.
5. Tracks Eraser Pro: It deletes the following history data:
* Delete address bar history of IE, Netscape, AOL, Opera.
* Delete cookies of IE, Netscape, AOL, Opera.
* Delete Internet cache (temporary Internet files).
* Delete Internet history files.

Proxy Servers and Anonymizers
A proxy server is a computer on a network which acts as an intermediary for connections with other computers on that network.
A proxy server has the following purposes:
1. Keep the systems behind the curtain (mainly for security reasons).
2. Speed up access to a resource (through "caching"). It is usually used to cache the webpages from a web server.
3. Specialized proxy servers are used to filter unwanted content such as advertisements.
4. A proxy server can be used as an IP address multiplexer to enable a number of computers to connect to the Internet whenever one has only one IP address.
An advantage of a proxy server is that its cache memory can serve all users. If one or more websites are requested frequently, maybe by different users, they are likely to be in the proxy's cache memory, which will improve user response time.
Listed are a few websites where free proxy servers can be found:
1. http://www.proxy4free.com
2. http://www.publicproxyservers.com
3. http://www.proxz.com
An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information. Anonymizers are services used to make Web surfing anonymous by utilizing a website that acts as a proxy server for the web client. In 1997 the first anonymizer software tool was created by Lance Cottrell, developed by Anonymizer.com. The anonymizer hides/removes all the identifying information from a user's computer while the user surfs on the Internet, which ensures the privacy of the user.
Listed are a few websites where more information about anonymizers can be found:
1. http://www.anonymizer.com
2. http://www.browzar.com
3. http://www.anonymize.net

Phishing
Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

How Phishing Works
Phishers work in the following ways:

1. Planning: Criminals, usually called phishers, decide the target and determine how to get the E-Mail addresses of that target or of the customers of that business. Phishers often use the same mass mailing and address collection techniques as spammers.
2. Setup: Once phishers know which business/business house to spoof and who their victims are, they will create methods for delivering the message and for collecting the data about the target. Most often this involves E-Mail addresses and a webpage.
3. Attack: This is the step people are most familiar with: the phisher sends a phony message that appears to be from a reputable source.
4. Collection: Phishers record the information victims enter into webpages or pop-up windows.
5. Identity theft and fraud: Phishers use the information that they have gathered to make illegal purchases or commit fraud.
Password Cracking
A password is like a key to get entry into computerized systems, like a lock. Password cracking is a process of recovering passwords from data that have been stored in or transmitted by a computer system.
The purpose of password cracking is as follows:
1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily crackable passwords.
3. To gain unauthorized access to a system.
Manual password cracking is to attempt to log on with different passwords. The attacker follows the following steps:
1. find a valid user account such as Administrator or Guest;
2. create a list of possible passwords;
3. rank the passwords from high to low probability;
4. key in each password;
5. try again until a successful password is found.
Examples of guessable passwords include:
1. blank (none);
2. words like "password," "passcode" and "admin";
3. series of letters from the "QWERTY" keyboard, for example, qwerty, asdf or qwertyuiop;
4. user's name or login name;
5. name of user's friend/relative/pet;
6. user's birthplace or date of birth, or a relative's or a friend's;
7. user's vehicle number, office number, residence number or mobile number;
8. name of a celebrity who is considered to be an idol (e.g., actors, actresses, spiritual gurus) by the user;
9. simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the

Password cracking tools

1. Default password(s): Network devices such as switches, hubs and routers are equipped with "default passwords" and usually these passwords are not changed after commissioning these devices into the network (i.e., into the LAN).
2. Cain & Abel: This password recovery tool is typically used for Microsoft Operating Systems (OSs). It allows cracking passwords by sniffing the network, cracking encrypted passwords using dictionary and brute force attacks, decoding scrambled passwords and recovering wireless network keys.
3. John the Ripper: This is free and open-source software, a fast password cracker compatible with many OSs like different flavors of Unix, Windows, DOS, BeOS and OpenVMS. Its primary purpose is to detect weak Unix passwords.
4. THC-Hydra: It is a very fast network logon cracker which supports many different services.
5. Aircrack-ng: It is a set of tools used for wireless networks. This tool is used for 802.11a/b/g Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) cracking.
6. SolarWinds: It is a plethora of network discovery/monitoring/attack tools and has created dozens of special-purpose tools targeted at systems administrators.
7. Pwdump: It is a Windows password recovery tool. Pwdump is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available.
8. RainbowCrack: It is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute force cracker tries all possible plain texts one by one, which can be time-consuming for complex passwords.
9. Brutus: It is one of the fastest, most flexible remote password crackers available for free. It is available for Windows 9x, NT and 2000.

Password cracking attacks can be classified under three categories as follows:

1. Online attacks
2. Offline attacks
3. Non-electronic attacks (e.g., social engineering, shoulder surfing and dumpster diving)

Online Attacks
The most popular online attack is the man-in-the-middle (MITM) attack, also termed the "bucket-brigade attack" or sometimes the "Janus attack." When a victim client connects to the fraudulent server, the MITM server intercepts the call, hashes the password and passes the connection to the victim server. This type of attack is used to obtain the passwords for E-Mail accounts on public websites such as Yahoo, Hotmail and Gmail, and can also be used to get the passwords for financial websites by those who would like to gain access to banking websites.
Offline Attacks
Mostly, offline attacks are performed from a location other than the target (i.e., either a computer system or while on the network) where these passwords reside or are used. Offline attacks usually require physical access to the computer and copying the password file from the system onto removable media.
Different types of password cracking attacks:
* Dictionary attack: Attempts to match all the words from the dictionary to get the password.
* Hybrid attack: Substitutes numbers and symbols to get the password.
* Brute force attack: Attempts all possible permutations and combinations of letters, numbers and special characters.
Strong, Weak and Random Passwords
A weak password is one which could be easily guessed: short, common, or a system default password that could be easily found by executing a brute force attack. Passwords that can be easily guessed by acquaintances of the netizen (such as date of birth, pet's name and spouse's name) are considered to be very weak.
Here are some of the examples of "weak passwords":
1. Susan: common personal name;
2. aaaa: repeated letters, can be guessed;
3. rover: common name for a pet, also a dictionary word;
4. abc123: can be easily guessed;
5. admin: can be easily guessed;
6. 1234: can be easily guessed;
7. QWERTY: a sequence of adjacent letters on many keyboards;
8. 12/3/75: date, possibly of personal importance;
9. nbusr123: probably a username, and if so, can be very easily guessed;
10. p@$$\/\/Ord: simple letter substitutions are preprogrammed into password cracking tools;
11. password: used very often; trivially guessed;
12. December12: using the date of a forced password change is very common.

A strong password is long enough, random or otherwise difficult to guess, producible only by the user who chooses it.
Here are some examples of strong passwords:

1. Convert_£100toEuros!: Such phrases are long, memorable and contain an extended symbol to increase the strength of the password.
2. 382465304H: It is a mix of numbers and a letter at the end, usually used on mass user accounts; such passwords can be generated randomly, for example, in schools and businesses.
3. 4pReelai@3: It is not a dictionary word; however, it has both cases of alpha along with numeric and punctuation characters.
4. MoOo0fin245679: It is long with both alphabets and numerals.
5. t3wahSetyeT4: It is not a dictionary word; however, it has both alphabets and numerals.
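
The weak and strong examples above can be separated mechanically by the kind of rule list the module's password policy guidelines call for (minimum eight alphanumeric characters, letter/number sequences, character repetition, common words and names, dates, the login name). The following Python checker is an added illustration, not part of the module; its tiny wordlist and the leet substitution table are constructed stand-ins for the dictionary and rule files a real policy engine would load.

```python
import re

# Constructed stand-in for the "common words and standard names" list that a
# real policy engine would load from a wordlist file; deliberately tiny.
COMMON_WORDS = {
    "password", "passcode", "admin", "susan", "rover", "welcome", "letmein",
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december",
}

# Letter, number and QWERTY-row sequences, checked forwards and reversed.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Symbol substitutions that cracking tools undo automatically (weak example 10).
LEET = {"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a",
        "5": "s", "7": "t", "!": "i", "+": "t"}

DATE_RE = re.compile(r"^\d{1,4}[/.\-]\d{1,2}[/.\-]\d{2,4}$")
DIGITS = "0123456789"


def undo_leet(password):
    r"""Lowercase and undo common substitutions (@->a, $->s, \/\/->w, 0->o, ...)."""
    s = password.lower().replace("\\/\\/", "w")
    return "".join(LEET.get(c, c) for c in s)


def check_password(password, username=None):
    """Return the list of policy rules the password violates (empty list = accepted)."""
    reasons = []
    lower = password.lower()
    if len(password) < 8:
        reasons.append("shorter than eight characters")
    if not (re.search(r"[a-z]", lower) and re.search(r"\d", lower)):
        reasons.append("not alphanumeric (needs both letters and digits)")
    if re.search(r"(.)\1\1", password):
        reasons.append("same character repeated three or more times")
    if DATE_RE.match(password):
        reasons.append("looks like a date")
    # Sequence test: every letter or digit run of 3+ characters lies inside a
    # known sequence (abc123, 1234, QWERTY), so the password is just sequences.
    runs = [r for r in re.findall(r"[a-z]+|\d+", lower) if len(r) >= 3]
    if runs and all(any(r in s or r in s[::-1] for s in SEQUENCES) for r in runs):
        reasons.append("keyboard, alphabet or number sequence")
    # Dictionary test on the whole password with leading/trailing digits
    # stripped (December12), on its de-leeted form (p@$$\/\/Ord), and on the
    # reversed forms of both (guessable password 9: suffixed digit, reversal).
    candidates = {lower.strip(DIGITS), undo_leet(password).strip(DIGITS)}
    candidates |= {c[::-1] for c in candidates}
    if candidates & COMMON_WORDS:
        reasons.append("common word or name, possibly disguised by substitution or reversal")
    if username and username.lower() in lower:
        reasons.append("contains the login name")
    return reasons


if __name__ == "__main__":
    for pw in ["Susan", "p@$$\\/\\/Ord", "December12", "Convert_£100toEuros!", "t3wahSetyeT4"]:
        print(pw, "->", check_password(pw) or "accepted")
```

The whole-password dictionary test deliberately does not flag words embedded inside a longer phrase, so passphrases such as Convert_£100toEuros! are accepted while every weak example above is rejected.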

Random Passwords
Forcing users to use system-created random passwords ensures that the password will have no connection with that user and should not be found in any dictionary. Several OSs have included such a feature. Almost all the OSs also include password aging; the users are required to choose new passwords regularly, usually after 30 or 45 days. Many users dislike these measures, particularly when they have not been taken through security awareness training.
The imposition of strong random passwords may encourage the users to write down passwords, store them in personal digital assistants (PDAs) or cell phones and share them with others against memory failure, increasing the risk of disclosure.

The general guidelines applicable to the password policies, which can be implemented organization-wide, are as follows:

1. Passwords and user logon identities (IDs) should be unique to each authorized user.
2. Passwords should consist of a minimum of eight alphanumeric characters (no common names or phrases).
3. There should be computer-controlled lists of prescribed password rules and periodic testing (e.g., letter and number sequences, character repetition, initials, common words and standard names) to identify any password weaknesses.
4. Passwords should be kept private, that is, not shared with friends, colleagues, etc. They shall not be coded into programs or noted down anywhere.
5. Passwords shall be changed every 30/45 days or less. Most operating systems (OSs) can enforce a password with an automatic expiration and prevent repeated or reused passwords.
6. User accounts should be frozen after five failed logon attempts. All erroneous password entries should be recorded in an audit log for later inspection and action, as necessary.
7. Sessions should be suspended after 15 minutes (or other specified period) of inactivity and require the passwords to be re-entered.
8. Successful logons should display the date and time of the last logon and logoff.
9. Logon IDs and passwords should be suspended after a specified period of non-use.
10. For high-risk systems, after excessive violations, the system should generate an alarm and be able to simulate a continuing session (with dummy data) for the failed user (to keep this user connected while personnel attempt to investigate the incoming connection).
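
Guidelines 6, 8 and 10 describe behaviour the logon service itself has to implement. The Python below, added here as an illustration and not part of the module, replays a constructed authentication log: it freezes an account after five consecutive failures, records every erroneous entry for audit, remembers the last successful logon for display at the next one, and raises an alarm once a total-violation threshold is crossed. The log format and the alarm threshold of eight are assumptions made for the example.

```python
import re
from collections import defaultdict

MAX_FAILURES = 5      # guideline 6: freeze the account after five failed logons
ALARM_FAILURES = 8    # guideline 10: "excessive violations" (assumed value for this example)

# Constructed sample audit log; the line format is invented for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:04 user=bob result=FAIL src=10.0.0.9
2024-03-01T09:00:07 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:09 user=bob result=OK src=10.0.0.9
2024-03-01T09:00:11 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:14 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:18 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:21 user=alice result=OK src=10.0.0.5
2024-03-01T09:00:25 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:28 user=alice result=FAIL src=10.0.0.5
2024-03-01T09:00:31 user=alice result=FAIL src=10.0.0.5
2024-03-02T08:30:00 user=bob result=OK src=10.0.0.9
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(OK|FAIL) src=(\S+)$")


def process_log(text, max_failures=MAX_FAILURES, alarm_failures=ALARM_FAILURES):
    """Replay an authentication log and return the resulting account state.

    The returned dict holds:
      locked     - accounts frozen after max_failures consecutive failures (guideline 6)
      audit      - every erroneous entry, kept for later inspection (guideline 6)
      last_logon - user -> timestamp of the latest successful logon (guideline 8)
      alarms     - (timestamp, user) pairs where total violations hit alarm_failures
    """
    consecutive = defaultdict(int)   # reset by a successful logon
    violations = defaultdict(int)    # never reset; drives the alarm
    state = {"locked": set(), "audit": [], "last_logon": {}, "alarms": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore malformed lines instead of crashing
        ts, user, result, src = m.groups()
        if user in state["locked"]:
            # A frozen account stays frozen: even a correct password is only logged.
            violations[user] += 1
            state["audit"].append(f"{ts} {user} attempt on frozen account from {src}")
        elif result == "FAIL":
            consecutive[user] += 1
            violations[user] += 1
            state["audit"].append(f"{ts} {user} failed logon #{consecutive[user]} from {src}")
            if consecutive[user] >= max_failures:
                state["locked"].add(user)
        else:
            consecutive[user] = 0
            previous = state["last_logon"].get(user)
            state["last_logon"][user] = ts
            # Guideline 8: what the logon banner shows the user.
            print(f"{user}: last successful logon was {previous or 'never'}")
        if violations[user] == alarm_failures:
            state["alarms"].append((ts, user))
    return state


if __name__ == "__main__":
    s = process_log(SAMPLE_LOG)
    print("frozen accounts:", sorted(s["locked"]))
    print("alarms:", s["alarms"])
    for entry in s["audit"]:
        print(entry)
```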

Netizens should practice password guidelines to avoid becoming victims of getting their personal E-Mail accounts hacked/attacked by attackers.
1. Passwords used for business E-Mail accounts, personal E-Mail accounts (Yahoo/Hotmail/Gmail) and banking/financial user accounts (e.g., online banking/securities trading accounts) should be kept separate.
2. Passwords should be of minimum eight alphanumeric characters (common names or phrases should be avoided).
3. Passwords should be changed every 30/45 days.
4. Passwords should not be shared with relatives and/or friends.
5. Passwords used previously should not be reused while renewing the password.
6. Passwords of personal E-Mail accounts (Yahoo/Hotmail/Gmail) and banking/financial user accounts (e.g., online banking/securities trading accounts) should be changed from a secured system within a couple of days, if these accounts have been accessed from public Internet facilities such as cybercafes/hotels/libraries.
7. Passwords should not be stored on mobile phones/PDAs, as these devices are also prone to cyber attacks.
8. In the case of receipt of an E-Mail from banking/financial institutions instructing to change the passwords, the legitimacy of the E-Mail should be ensured before clicking the weblinks displayed in the E-Mail, to avoid being a victim of phishing attacks.
9. Similarly, in case of receipt of an SMS from banking/financial institutions instructing to change the passwords, the legitimacy of the SMS should be ensured to avoid being a victim of smishing attacks.
10. In case E-Mail accounts/user accounts have been hacked, the respective agencies/institutes should be contacted immediately.

Keyloggers and Spywares
Keystroke logging, often called keylogging, is the practice of noting (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that such actions are being monitored. It can be classified as software keylogger and hardware keylogger.

Software Keyloggers
Software keyloggers are software programs installed on the computer systems which usually are located between the OS and the keyboard hardware, and every keystroke is recorded. Software keyloggers are installed on a computer system by Trojans or viruses without the knowledge of the user. Cybercriminals always install such tools on the insecure computer systems available in public places and can obtain the required information about the victim very easily.
A keylogger usually consists of two files that get installed in the same directory: a dynamic link library (DLL) file and an EXEcutable (EXE) file that installs the DLL file and triggers it to work. The DLL does all the recording of keystrokes.

Software keyloggers
1. SC-KeyLog PRO: It allows secretly recording computer user activities such as E-Mails, chat conversations, visited websites, clipboard usage, etc. in a protected logfile. SC-KeyLog PRO also captures Windows user logon passwords.
2. Spytech SpyAgent Stealth: It provides a large variety of essential computer monitoring features as well as website and application filtering, chat blocking and remote delivery of logs via E-Mail or FTP.
3. All In One Keylogger: It is an invisible keystrokes recorder and a spy software tool that registers every activity on the PC to encrypted logs. This keylogger allows secret tracking of all activities from all computer users and automatically receiving logs to a desired E-Mail/FTP account.
4. Stealth Keylogger: It is computer monitoring software that generates an activity log report where the entire PC keyboard activity is registered either at a specific time or hourly on a daily basis. The entire log reports are generated either in text or HTML file format as defined by the user.
5. Perfect Keylogger: It has advanced keyword detection and notification. The user can create a list of "on alert" words or phrases and the keylogger will continually monitor keyboard typing, URLs and webpages for these words or phrases. When a keyword is detected, Perfect Keylogger makes a screenshot and sends an E-Mail notification to the user.

Hardware Keyloggers
Hardware keyloggers are small hardware devices. These are connected to the PC and/or to the keyboard and save every keystroke into a file or in the memory of the hardware device. Cybercriminals install such devices on ATM machines to capture ATM cards' PINs. Each keypress on the keyboard of the ATM gets registered by these keyloggers.
Listed are a few websites where more information about hardware keyloggers can be found:
1. http://www.keyghost.com
2. http://www.keelog.com
3. http://www.keydevil.com
4. http://www.keykatcher.com

Antikeylogger
An antikeylogger is a tool that can detect a keylogger installed on the computer system and also can remove the tool.
Advantages of using an antikeylogger are as follows:
1. Firewalls cannot detect the installation of keyloggers on the systems; hence, antikeyloggers are needed to detect installations of keyloggers.
2. This software does not require regular updates of signature bases to work effectively, unlike other antivirus and antispy programs which, if not updated, do not serve their purpose and leave users at risk.
3. It prevents Internet banking frauds. Passwords can be easily gained with the help of installed keyloggers.
4. It prevents ID theft.
5. It secures E-Mail and instant messaging/chatting.

Spywares
Spyware is a type of malware that is installed on computers and collects information about users without their knowledge.

It is clearly understood from the term Spyware that it secretly monitors the user. The features and functions of such Spywares are beyond simple monitoring. Spyware programs collect personal information about the victim, such as the Internet surfing habits/patterns and websites visited. The Spyware can also redirect Internet surfing activities by installing another stealth utility on the user's computer system.
Spyware may also have the ability to change computer settings, which may result in slowing of the Internet connection speed and slowing of response time, which may lead the user to complain about the Internet connection speed to the Internet Service Provider (ISP).
To overcome the emergence of Spywares that proved to be troublesome for the normal user, anti-Spyware tools are available in the market. Installation of anti-Spyware software has become a common element nowadays from a computer security practices perspective.

Spyware Tools

1. 007 Spy: It has the following key features:
* Capability of overriding "antispy" programs like "Ad-aware"
* record all website URLs visited on the Internet;
* powerful keylogger engine to capture all passwords;
* view logs remotely from anywhere at any time;
* export log report in HTML format to view it in the browser;
* automatically clean up outdated logs;
* password protection.
2. Spector Pro: It has the following key features:
* Captures and reviews all chats and instant messages
* captures E-Mails (read, sent and received)
* captures websites visited
* captures activities performed on social networking sites such as MySpace and Facebook
3. eBlaster: Besides keylogger and website watcher, it also records E-Mails sent and received, files uploaded/downloaded, logs users' activities, records online searches, records MySpace and Facebook activities and any other program activity.
4. Remotespy: Besides remote computer monitoring, silently and invisibly, it also monitors and records users' PCs without any need for physical access. Moreover, it records keystrokes (keylogger), screenshots, E-Mail, passwords, chats, instant messenger conversations and websites visited.
5. Stealth Recorder Pro: It is a new type of utility that enables recording a variety of sounds and transferring them automatically through the Internet without being noticed at the original location or source. It has the following features:
* Real-time MP3 recording via microphone, CD, line-in and stereo mixer as MP3, WMA or WAV formatted files
* transferring the recorded files via E-Mail or FTP to a user-defined E-Mail address or FTP automatically
* controlling from a remote location
* voicemail: records and sends the voice messages.
6. Stealth Website Logger: It records all accessed websites and a detailed report can be made available on a specified E-Mail address. It has the following key features:
* Monitor visited websites
* reports sent to an E-Mail address
* daily log
* global log for a specified period
* log deletion after a specified period
* hotkey and password protection
* not visible in add/remove programs or task manager.
7. Flexispy: It is a tool that can be installed on a cell/mobile phone. After installation, Flexispy secretly records conversations that happen on the phone and sends this information to a specified E-Mail address.
8. Wiretap Professional: It is an application for monitoring and capturing all activities on the system. It can capture the entire Internet activity. This spy software can monitor and record E-Mail, chat messages and websites visited. In addition, it helps in monitoring and recording of keystrokes, passwords entered and all documents, pictures and folders viewed.
9. PC PhoneHome: It is software that tracks and locates lost or stolen laptop and desktop computers. Every time a computer system on which PC PhoneHome has been installed connects to the Internet, a stealth E-Mail is sent to a specified E-Mail address of the user's choice and to the PC PhoneHome product company.
10. SpyArsenal Print Monitor Pro: It has the following features:
* Keep track of printer/plotter usage
* record every document printed
* find out who printed certain papers, and when, with your hardware.

Virus and Worms
A computer virus passes from computer to computer in a similar manner as a biological virus passes from person to person. Viruses may also contain malicious instructions that may cause damage or annoyance; the combination of possibly Malicious Code with the ability to spread is what makes viruses a considerable concern. Viruses can often spread without any readily visible symptoms. A virus can start on event-driven effects (e.g., triggered after a specific number of executions), time-driven effects (e.g., triggered on a specific date, such as Friday the 13th) or can occur at random.
Viruses can take some typical actions:
1. Display a message to prompt an action which may set off the virus
2. delete files inside the system into which viruses enter
3. scramble data on a hard disk
4. cause erratic screen behavior
5. halt the system (PC)
6. just replicate themselves to propagate further harm

Figures 4.1-4.3 explain how viruses spread
(a) through the Internet,
(b) through a stand-alone computer system and
(c) through local networks.

Difference between computer virus and worm

Facet: Different types
Virus: Stealth virus, self-modified virus, encryption with variable key virus, polymorphic code virus, metamorphic code virus.
Worm: E-Mail worms, instant messaging worms, Internet worms, IRC worms, file-sharing network worms.

Facet: Spread mode
Virus: Needs a host program to spread.
Worm: Self, without user intervention.

Facet: What is it?
Virus: A computer virus is a software program that can copy itself and infect the data or information, without the users' knowledge. However, to spread to another computer, it needs a host program that carries the virus.
Worm: A computer worm is a software program, self-replicating in nature, which spreads through a network. It can send copies through the network with or without user intervention.

Facet: Inception
Virus: The Creeper virus was considered as the first known virus. It was spread through ARPANET in the early 1970s.
Worm: The name worm originated from The Shockwave Rider, a science fiction novel published in 1975 by John Brunner. Later, researchers John F. Shoch and Jon A. Hupp at Xerox PARC published a paper in 1982, "The Worm Programs", and after that the name was adopted.

Facet: Prevalence
Virus: Over 100,000 known computer viruses have been there, though not all have attacked computers.
Worm: Prevalence for virus is very high as against moderate prevalence for a worm.

Types of Viruses

1. Boot sector viruses: It infects the storage media on which the OS is stored (e.g., floppy diskettes and hard drives) and which is used to start the computer system. The entire data/programs are stored on the floppy disks and hard drives in smaller sections called sectors. The first sector is called the BOOT sector and it carries the master boot record (MBR). The MBR's function is to read and load the OS, that is, it enables the computer system to start through the OS. Hence, if a virus attacks an MBR or infects the boot record of a disk, such a floppy disk infects the victim's hard drive when he/she reboots the system while the infected disk is in the drive. Once the victim's hard drive is infected, all the floppy diskettes that are being used in the system will be infected.
2. Program viruses: These viruses become active when the program file (usually with extensions .bin, .com, .exe, .ovl, .drv) is executed (i.e., opened; the program is started). Once these program files get infected, the virus makes copies of itself and infects the other programs on the computer system.
3. Multipartite viruses: It is a hybrid of boot sector and program viruses. It infects program files along with the boot record when the infected program is active.
4. Stealth viruses: It camouflages and/or masks itself and so detecting this type of virus is very difficult. It can disguise itself in such a way that antivirus software cannot detect it, and so cannot prevent it from spreading into the computer system. It alters its file size and conceals itself in the computer memory to remain in the system undetected. The first computer virus, named Brain, was a stealth virus. A good antivirus detects a stealth virus lurking on the victim's system by checking the areas the virus must have infected by leaving evidence in memory.
5. Polymorphic viruses: It acts like a "chameleon" that changes its virus signature (i.e., binary pattern) every time it spreads through the system (i.e., multiplies and infects a new file). Hence, it is always difficult to detect a polymorphic virus with the help of an antivirus program. Polymorphic generators are the routines (i.e., small programs) that can be linked with existing viruses. These generators are not viruses, but the purpose of these generators is to hide actual viruses under the cloak of polymorphism.
6. Macro viruses: Many applications, such as Microsoft Word and Microsoft Excel, support MACROs (i.e., macro languages). These macros are programmed as a macro embedded in a document. Once a macro virus gets onto a victim's computer, then every document he/she produces will become infected. This type of virus is relatively new and may slip by the antivirus software if the user does not have the most recent version installed on his/her system.
7. Active X and Java Control: All the web browsers have settings about Active X and Java Controls. A little awareness is needed about managing and controlling these settings of a web browser to prohibit and allow certain functions to work, such as enabling or disabling pop-ups, downloading files and sound, which otherwise invites the threat of the computer system being targeted by unwanted software floating in cyberspace.

The world's worst virus attacks

1. Conficker: The name Conficker is blended from the English term “configure” and the
German word “Ficker,” which means “to have sex with” or “to mess with” in colloquial
German. It is also known as Downup, Downadup and Kido. It targets the Microsoft Windows
OS and was first detected in November 2008.
2. INF/AutoRun: AutoRun and the companion feature AutoPlay are components of the
Microsoft Windows OS that dictate what actions the system takes when a drive is mounted.
This is the most common threat that infects a PC by creating an “autorun.inf” file. The file
contains information about programs meant to run automatically when removable devices
are connected to the computer.
3. Win32/PSW.OnLineGames: It is a dangerous virus that replicates itself like other viruses and
spreads from one computer system to another carrying a payload of destruction. It can
infect several computers within a few minutes.
4. Win32/Agent: This virus is also termed as a Trojan. It copies itself into temporary locations
and steals information from the infected system. It adds entries into the registry, creating
several files at different places in the system folder, allowing it to run on every start-up,
which enables it to gather complete information about the infected system, which is then
transferred to the intruder's system.
5. Win32/FlyStudio: It is known as a Trojan with the characteristics of a backdoor. This virus does not
replicate itself, but spreads only when the circumstances are beneficial. It is called a
backdoor because the information stolen from a system is sent back to the intruder.
6. Win32/Pacex.Gen: This threat designates a wide range of malware that makes use of an
obfuscation layer to steal passwords and other information from the infected system.
7. Win32/Qhost: This virus copies itself to the System32 folder of the Windows directory,
giving control of the computer to the attacker. The attacker then modifies the Domain Name
Server/System (DNS) settings, redirecting the computer to other domains.
8. WMA/TrojanDownloader: This threat, with the suffix .GetCodec, modifies the audio files
present on the system to .wma format and adds a URL header that points to the location of a
new codec. This means that the end-user will download the new codec believing that
something new might happen, whereas the malicious code runs in the background causing
harm to the host computer.
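The following is an added example (not from the course notes) of how a defender can inspect an autorun.inf file of the kind INF/AutoRun drops on removable media: it parses the [autorun] section leniently and reports the directives that would launch a program when the drive is mounted. Both sample files are constructed for the example; the hidden path and the junk line stand in for what such files typically contain.

```python
# Added example (not from the course notes): a defender-side parser that inspects an
# autorun.inf file and reports the directives that would run or offer a program when
# the drive is mounted. Sample files below are constructed, not real malware.
import re

# [autorun] directives that launch a program directly.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... adds a context-menu verb that runs a program.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Parse an autorun.inf body into {section_name: [(key, value), ...]}.

    Deliberately lenient: section names and keys are lower-cased, duplicate keys
    are kept, and lines that are not 'key=value' are ignored, because malicious
    files pad the section with junk lines to confuse naive parsers.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def suspicious_directives(text: str) -> list:
    """Return the (key, value) pairs from [autorun] that would execute a program."""
    autorun = parse_autorun(text).get("autorun", [])
    return [(k, v) for k, v in autorun if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def is_suspicious(text: str) -> bool:
    """True when the file would launch a program rather than only set an icon or label."""
    return bool(suspicious_directives(text))


# Constructed sample 1: a legitimate file that only sets an icon and a volume label.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Photos
"""

# Constructed sample 2: launches a hidden executable through three different directives.
MALICIOUS_INF = """[AutoRun]
; junk lines like the next one are common obfuscation against simple parsers
xjkd39dk
open=hidden\\update.exe
shellexecute=hidden\\update.exe
shell\\Open\\command=hidden\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_INF), ("malicious", MALICIOUS_INF)):
        print(name, "->", suspicious_directives(body))
```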

The world's worst virus and worm attacks

1. Morris Worm: It is also known as “Great Worm” or Internet Worm. It was written by a
student, Robert Tappan Morris, at Cornell University and launched on 2 November 1988
from MIT. It was reported that around 6,000 major Unix machines were infected by the
Morris worm and the total cost of the damage calculated was US$ 10-100 millions.
2. ILOVEYOU: It is also known as VBS/Loveletter or Love Bug Worm. It successfully
attacked tens of millions of Windows computers in 2000. The E-Mail was sent with the
subject line “ILOVEYOU” and an attachment “LOVE-LETTER-FOR-YOU.TXT.vbs.”
3. Code Red: This computer worm was observed on the Internet on 13 July 2001. It
attacked computers running Microsoft's IIS web server. The Code Red worm was first
discovered and researched by eEye Digital Security employees, Marc Maiffret and Ryan
Permeh. They named the worm Code Red because they were drinking Pepsi's “Mountain
Dew Code Red” over the weekend.
4. Melissa: It is also known as “Melissa,” “Simpsons,” “Kwyjibo” or “Kwejeebo.” It is a
mass-mailing macro worm. Melissa was written by David L. Smith in Aberdeen
Township, New Jersey, who named it after a lap dancer he met in Florida. The worm was
in a file called “List.DOC” which had passwords that allow access into 80
pornographic websites. This worm in the original form was sent through an E-Mail to
many Internet users. Melissa spread on Microsoft Word 97, Word 2000 and also on
Microsoft Excel 97, 2000 and 2003.
5. MSBlast (The Blaster Worm): It is also known as Lovsan or Lovesan, found during
August 2003, which spread across the systems running on Microsoft Windows XP and
Windows 2000. The worm also creates an entry under the OS registry to launch the worm
every time Windows starts.
6. Sobig: This worm, found during August 2003, infected millions of Internet-connected
computers that were running on Microsoft Windows. It was written in Microsoft Visual
C++ and compressed using a data compression tool, “tElock.” This worm not only
replicates by itself but is also a Trojan Horse in that it masquerades as something other than
malware.
7. Storm Worm: This worm, found on 17 January 2007, is also known as a backdoor
Trojan Horse that affects the systems running on Microsoft OSs. The Storm worm
infected thousands of computer systems in Europe and in the US on Friday, 19 January
2007, through an E-Mail with a subject line about a recent weather disaster, “230 dead as
storm batters Europe.”
8. Michelangelo: It is a worm discovered in April 1991 in New Zealand. This worm was
designed primarily to infect the systems that were running on disk operating system
(DOS) systems. Like other boot sector viruses, Michelangelo operated at the BIOS level
and remained dormant until 6 March, the birthday of the artist “Michelangelo di Lodovico
Buonarroti Simoni” — an Italian Renaissance painter, sculptor, architect and poet.
9. Jerusalem: This worm is also known as “BlackBox.” Jerusalem infected the files residing
on DOS and was detected in Jerusalem, Israel, in October 1987. It becomes memory
resident (using 2 KB of memory). Once the system gets infected then it infects every
executable file, except “COMMAND.COM.” “.COM” files grow by 1,813 bytes when
infected by Jerusalem and are not reinfected.

A typical definition of computer virus/worms might have various aspects:

1. A virus attacks specific file types (or files).
2. A virus manipulates a program to execute tasks unintentionally.
3. An infected program produces more viruses.
4. An infected program may run without error for a long time.
5. Viruses can modify themselves and may possibly escape detection this way.

Trojan Horses and Backdoors
A Trojan Horse is a program in which malicious or harmful code is contained inside apparently
harmless programming or data in such a way that it can get control and cause harm, for example,
ruining the file allocation table on the hard disk.

Some typical examples of threats by Trojans are as follows:

1. They erase, overwrite or corrupt data on a computer.
2. They help to spread other malware such as viruses (by a dropper Trojan).
3. They deactivate or interfere with antivirus and firewall programs.
4. They allow remote access to your computer (by a remote access Trojan).
5. They upload and download files without your knowledge.
6. They gather E-Mail addresses and use them for Spam.
7. They log keystrokes to steal information such as passwords and credit card numbers.
8. They copy fake links to false websites, display porno sites, play sounds/videos and display
images.
9. They slow down, restart or shut down the system.
10. They reinstall themselves after being disabled.
11. They disable the task manager.
12. They disable the control panel.

Backdoor

A backdoor is a means of access to a computer program that bypasses security mechanisms. A
programmer may sometimes install a backdoor so that the program can be accessed for
troubleshooting or other purposes. However, attackers often use backdoors that they detect or
install themselves as part of an exploit. In some cases, a worm is designed to take advantage of a
backdoor created by an earlier attack.

Following are some functions of a backdoor:

1. It allows an attacker to create, delete, rename, copy or edit any file; execute various
commands; change any system settings; alter the Windows registry; run, control and
terminate applications.
2. It allows an attacker to control computer hardware devices, modify related settings,
shut down or restart a computer without asking for user permission.
3. It steals sensitive personal information, valuable documents, passwords, login names, ID
details; logs user activity and tracks web browsing habits.
4. It records keystrokes that a user types on a computer's keyboard and captures screenshots.
5. It sends all gathered data to a predefined E-Mail address, uploads it to a predetermined
FTP server or transfers it through a background Internet connection to a remote host.
6. It infects files, corrupts installed applications and damages the entire system.
7. It distributes infected files to remote computers with certain security vulnerabilities and
performs attacks against hacker-defined remote hosts.
8. It installs a hidden FTP server that can be used by malicious persons for various illegal
purposes.
9. It degrades Internet connection speed and overall system performance, decreases system
security and causes software instability. Some parasites are badly programmed as they
waste too many computer resources and conflict with installed applications.
10. It provides no uninstall feature, and hides processes, files and other objects to complicate
its removal as much as possible.

Following are a few examples of backdoor Trojans:

1. Back Orifice: It is a well-known example of a backdoor Trojan designed for remote system
administration. It enables a user to control a computer running the Microsoft Windows
OS from a remote location.
2. Bifrost: It is another backdoor Trojan that can infect Windows 95 through Vista. It uses
the typical server, server builder and client backdoor program configuration to allow a
remote attacker, who uses the client, to execute arbitrary code on the compromised machine.
3. SAP backdoors: SAP is an Enterprise Resource Planning (ERP) system and nowadays
ERP is the heart of the business technological platform. These systems handle the key
business processes of the organization, such as procurement, invoicing, human resources
management, billing, stock management and financial planning. Backdoors can be present
in the SAP User Master, which supports the authentication mechanism when a user connects
to SAP, and in ABAP Program Modules, which support SAP Business Objects.
4. Onapsis Bizploit: It is the open-source ERP penetration testing framework developed by
the Onapsis Research Labs. Bizploit assists security professionals in the discovery,
exploration, vulnerability assessment and exploitation phases of specialized ERP
penetration tests.

How to Protect from Trojan Horses and Backdoors

1. Stay away from suspect websites/weblinks: Avoid downloading free/pirated software
that often gets infected by Trojans, worms, viruses and other things. We have addressed
“how to determine a legitimate website.”
2. Surf on the Web cautiously: Avoid connecting with and/or downloading any
information from peer-to-peer (P2P) networks, which are the most dangerous networks for
spreading Trojan Horses and other threats. P2P networks create files packed with malicious
software, and then rename them to files matching the criteria of common searches that are used
while surfing for information on the Web.
3. Install antivirus/Trojan remover software: Nowadays antivirus software has a built-in
feature for protecting the system not only from viruses and worms but also from
malware such as Trojan Horses. Free Trojan remover programs are also available on the
Web and some of them are really good.

3.8 Steganography
Steganography is a Greek word that means “sheltered writing.” It is a method that
attempts to hide the existence of a message or communication. The word “steganography”
comes from the two Greek words: steganos meaning “covered” and graphein meaning “to
write,” that is, “concealed writing.” This idea of data hiding is not a novelty; it has
been used for centuries all across the world under different regimes. The practice dates
back to ancient Rome and Greece where the messages were etched into wooden tablets
and then covered with wax, or when messages were passed by shaving a messenger's head
and then tattooing a secret message on it, letting his hair grow back and then shaving it
again after he arrived at the receiving party to reveal the message.

The term “cover” or “cover medium” is used to describe the original, innocent message,
data, audio, still, video and so on. It is the medium that hides the secret message (see Fig.
4.4). It must have parts that can be altered or used without damaging or noticeably
changing the cover media. If the cover media are digital, these alterable parts are called
“redundant bits.” These bits or a subset can be replaced with the message that is intended
to be hidden. Interestingly, steganography in digital media is very similar to “digital
watermarking.” In other words, when steganography is used to place a hidden
“trademark” in images, music and software, the result is a technique referred to as
“watermarking.”

Steganography tools:

1. DiSi-Steganograph: It is a very small, DOS-based steganographic program that
embeds data in PCX images.
2. Invisible Folders: It has the ability to make any file or folder invisible to anyone using
your PC, even on a network.
3. Invisible Secrets: It not only encrypts the data and files for safe-keeping or for secure
transfer across the Net but also hides them in places such as picture or sound files or
webpages. These types of files are a perfect disguise for sensitive information.
4. Stealth Files: It hides any type of file in almost any other type of file. Using a
steganography technique, Stealth Files compresses, encrypts and then hides any type
of file inside various types of files (including EXE, DLL, OCX, COM, JPG, GIF,
ART, MP3, AVI, WAV, DOC, BMP) and other types of video, image and executable
files.
5. Hermetic Stego: It is a steganography program that allows you to encrypt and
hide the contents of any data file in another file so that the addition of the data to
the container file will not noticeably change the appearance of that file.
6. DriveCrypt Plus (DCPP): It has the following features:
a. It allows secure hiding of an entire OS inside the free space of another OS.
b. Full-disk encryption (encrypts parts or 100% of your hard disk including the OS).
c. Preboot authentication (before the machine boots, a password is requested to decrypt
the disk and start your machine).
7. MP3Stego: It hides information in MP3 files during the compression process. The data is
first compressed, encrypted and then hidden in the MP3 bit stream.
8. MSU StegoVideo: It allows hiding any file in a video sequence. Main features are as
follows:
* Small video distortions after hiding information.
* It is possible to extract information after video compression.
* Information is protected with a password.

Steganalysis
Steganalysis is the art and science of detecting messages that are hidden in images, audio/video
files using steganography. The goal of steganalysis is to identify suspected packages and to
determine whether or not they have a payload encoded into them, and if possible recover it.
Automated tools are used to detect such steganographed data/information hidden in image,
audio and/or video files.

Steganalysis tools

1. StegAlyzerAS: It is a digital forensic analysis tool designed to scan “suspect media” or
“forensic images” of suspect media for known artifacts of steganography applications.
2. StegAlyzerSS: It is a digital forensic analysis tool designed to scan “suspect media” or
“forensic images” of suspect media for uniquely identifiable hexadecimal byte patterns, or
known signatures, left inside files when particular steganography applications are used
to embed hidden information within them.
3. StegSpy: It is a program that is always in progress and the latest version includes
identification of a “steganized” file. It detects steganography and the program used to hide the
message.
4. Stegdetect: It is an automated tool for detecting steganographic content in images. It
is capable of detecting several different steganographic methods used to embed hidden
information in JPEG images.
5. Stegsecret: It is a steganalysis open-source project that makes detection of hidden
information possible in different digital media. It is a Java-based multiplatform
steganalysis tool that allows the detection of information hidden using the most well-known
steganographic methods.
6. Virtual Steganographic Laboratory (VSL): It is a graphical block-diagramming tool that
allows complex use, testing and adjusting of methods both for image steganography and
steganalysis.
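The following added example (not from the course notes) puts the “redundant bits” idea and the goal of steganalysis into code: it replaces the least significant bit of each byte of a constructed cover with payload bits, recovers the payload, and then applies a simple pairs-of-values statistic of the kind statistical steganalysis tools use, showing how full LSB embedding flattens the cover's histogram pairs. The cover (a repeating ramp of mostly even values) and the payload (pseudo-random bytes standing in for ciphertext) are both constructed for the example.

```python
# Added example (not from the course notes): LSB embedding into a cover's redundant bits,
# extraction, and a pairs-of-values statistic that exposes the embedding.
import random


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Hide payload by overwriting the least significant bit of each cover byte (MSB first)."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in the cover's redundant bits")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes, nbytes: int) -> bytes:
    """Reassemble nbytes of payload from the LSBs of the first nbytes*8 stego bytes."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for b in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)


def pov_imbalance(data: bytes) -> float:
    """Pairs-of-values statistic: sum over k of |h(2k) - h(2k+1)|, divided by the length.

    LSB replacement only moves samples between the two values of a pair (2k, 2k+1), so
    a payload with random-looking bits (e.g., ciphertext) pushes the two counts towards
    equality and the statistic towards 0. Unmodified covers usually keep a visible imbalance.
    """
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    return sum(abs(hist[2 * k] - hist[2 * k + 1]) for k in range(128)) / len(data)


def make_cover(n: int = 4096) -> bytes:
    """Constructed cover: a repeating ramp of sample values, odd only at every 7th position,
    standing in for pixel data whose LSB plane is not uniformly random."""
    return bytes(2 * (20 + i % 80) + (1 if i % 7 == 0 else 0) for i in range(n))


def make_payload(nbytes: int, seed: int = 7) -> bytes:
    """Constructed payload: seeded pseudo-random bytes standing in for an encrypted message."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def demo() -> dict:
    """Embed a payload that fills every redundant bit, recover it, and compare statistics."""
    cover = make_cover()
    payload = make_payload(len(cover) // 8)
    stego = embed_lsb(cover, payload)
    return {
        "recovered_ok": extract_lsb(stego, len(payload)) == payload,
        "changed_bytes": sum(a != b for a, b in zip(cover, stego)),   # about half
        "imbalance_cover": pov_imbalance(cover),                      # clearly above 0.5
        "imbalance_stego": pov_imbalance(stego),                      # close to 0
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```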

DoS and DDoS Attacks

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an
attempt to make a computer resource (i.e., information systems) unavailable to its intended users.

DoS Attacks

In this type of criminal act, the attacker floods the bandwidth of the victim's network or fills his
E-Mail box with Spam mail, depriving him of the services he is entitled to access or provide.
Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally
consists of the concerted efforts of a person or people to prevent an Internet site or service from
functioning efficiently or at all, temporarily or indefinitely. The attackers typically target sites or
services hosted on high-profile web servers such as banks, credit card payment gateways, mobile
phone networks and even root name servers (i.e., domain name

The United States Computer Emergency Response Team defines symptoms of DoS attacks to include:

1. Unusually slow network performance (opening files or accessing websites).
2. Inability to access any website.
3. Unavailability of a particular website.
4. Dramatic increase in the number of Spam E-Mails received (this type of DoS attack is termed as
an E-Mail bomb).

The goal of DoS is not to gain unauthorized access to systems or data, but to prevent the intended users
(i.e., legitimate users) of a service from using it. A DoS attack may do the following:

1. Flood a network with traffic, thereby preventing legitimate network traffic.
2. Disrupt connections between two systems, thereby preventing access to a service.
3. Prevent a particular individual from accessing a service.
4. Disrupt service to a specific system or person.

Classification of DoS Attacks

1. Bandwidth attacks: Loading any website takes a certain time. Loading means the complete
webpage (i.e., with the entire content of the webpage — text along with images) appearing on
the screen and the system awaiting the user's input. This “loading” consumes some amount of
memory. Every site is given a particular amount of bandwidth for its hosting, say for
example, 50 GB. Now if visitors consume all 50 GB of bandwidth then the host can ban this
site. The attacker does the same — he/she opens 100 pages of a site
and keeps on refreshing and consuming all the bandwidth; thus, the site goes out of
service.
2. Logic attacks: These kinds of attacks can exploit vulnerabilities in network software such
as a web server or TCP/IP stack.
3. Protocol attacks: Protocols here are rules that are to be followed to send data over a
network. These kinds of attacks exploit a specific feature or implementation bug of some
protocol installed at the victim's system to consume excess amounts of its resources.
4. Unintentional DoS: This is a scenario where a website ends up denied not due to a
deliberate attack by a single individual or group of individuals, but simply due to a
sudden enormous spike in popularity. This can happen when an extremely popular
website posts a prominent link to a second, less well-prepared site, for example, as part of a
news story. The result is that a significant proportion of the primary site's regular users,
potentially hundreds of thousands of people, click that link within a few hours and have
the same effect on the target website as a DDoS attack.

Types or Levels of DoS Attacks

1. Flood attack: This is the earliest form of DoS attack and is also known as ping flood. It is
based on an attacker simply sending the victim an overwhelming number of ping packets,
usually by using the “ping” command, which results in more traffic than the victim can
handle. This requires the attacker to have a faster network connection than the victim (i.e.,
access to greater bandwidth than the victim). It is very simple to launch, but to prevent it
completely is the most difficult.
2. Ping of death attack: The ping of death attack sends oversized Internet Control Message
Protocol (ICMP) packets to the victim. ICMP is one of the core protocols of the IP suite; it is
mainly used by the OSs of networked computers to send error messages (e.g., that a requested
service is not available or that a host or router could not be reached) as datagrams
encapsulated in IP packets.
3. SYN attack: It is also termed as TCP SYN Flooding. In the Transmission Control
Protocol (TCP), handshaking of network connections is done with SYN and ACK
messages. An attacker initiates a TCP connection to the server with a SYN (using a
legitimate or spoofed source address).
4. Teardrop attack: The teardrop attack is an attack where fragmented packets are forged
to overlap each other when the receiving host tries to reassemble them. IP's packet
fragmentation algorithm is used to send corrupted packets to confuse the victim and may
hang the system. This attack can crash various OSs due to a bug in their TCP/IP
fragmentation reassembly code.
5. Smurf attack: It is a way of generating significant computer network traffic on a victim
network. This is a type of DoS attack that floods a target system via spoofed broadcast
ping messages.
6. Nuke: Nuke is an old DoS attack against computer networks consisting of fragmented or
otherwise invalid ICMP packets sent to the target. It is achieved by using a modified ping
utility to repeatedly send this corrupt data, thus slowing down the affected computer until
it comes to a complete stop.
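As an added example (not from the course notes), the reassembly checks below show how a receiving host or an IDS can recognise the two malformed-packet attacks above before handing data to the stack: a ping of death (reassembled datagram longer than the 16-bit IP Total Length field allows) and a teardrop fragment set (a fragment offset falling inside data an earlier fragment already covered). The fragment sets are constructed for the example, not captured traffic.

```python
# Added example (not from the course notes): sanity checks over a set of IPv4 fragments
# that flag the ping of death and teardrop conditions. Fragment sets below are constructed.
from dataclasses import dataclass

IP_MAX_TOTAL_LENGTH = 65535   # 16-bit Total Length field: largest legal datagram, header included
IP_HEADER_LENGTH = 20         # minimum IPv4 header


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload (Fragment Offset field * 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # More Fragments (MF) flag


def check_fragments(frags: list) -> list:
    """Return a list of findings for one fragment set; an empty list means it looks sane."""
    if not frags:
        return ["malformed: no fragments"]
    findings = []
    ordered = sorted(frags, key=lambda f: f.offset)

    # Ping of death: the reassembled datagram would exceed the IPv4 length limit.
    end = max(f.offset + f.length for f in ordered)
    if end + IP_HEADER_LENGTH > IP_MAX_TOTAL_LENGTH:
        findings.append(f"ping of death: reassembled length {end + IP_HEADER_LENGTH} "
                        f"exceeds {IP_MAX_TOTAL_LENGTH}")

    # Teardrop: a fragment starts inside data already claimed by an earlier fragment.
    covered_to = 0
    for f in ordered:
        if f.offset < covered_to:
            findings.append(f"teardrop: fragment at offset {f.offset} overlaps data "
                            f"already covered up to {covered_to}")
        covered_to = max(covered_to, f.offset + f.length)

    # Exactly one final fragment (MF clear), and it must carry the highest offset.
    finals = [f for f in ordered if not f.more]
    if len(finals) != 1 or finals[0] is not ordered[-1]:
        findings.append("malformed: final fragment missing, duplicated or not last")
    return findings


def is_malformed(frags: list) -> bool:
    return bool(check_fragments(frags))


# Constructed fragment sets (not captured traffic); offsets are multiples of 8 as on the wire.
NORMAL_PING = [Fragment(0, 1480, True), Fragment(1480, 28, False)]
# Second fragment claims bytes 1000..1500, inside the first fragment's 0..1480 range.
TEARDROP = [Fragment(0, 1480, True), Fragment(1000, 500, False)]
# 44 full-size fragments plus a final one: 65528 payload bytes + 20 header > 65535.
PING_OF_DEATH = ([Fragment(off, 1480, True) for off in range(0, 65120, 1480)]
                 + [Fragment(65120, 408, False)])

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL_PING), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)):
        print(name, "->", check_fragments(frags) or "ok")
```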

Tools Used to Launch DoS Attack

Various tools (see Table 4.13) use different types of traffic to flood a victim, but the
objective behind the attack and the result is the same: A service on the system or the
entire system (i.e., application/website/network) is unavailable to a user because it is kept
busy trying to respond to an exorbitant number of requests. A DoS attack is usually an
attack of last resort because it is considered to be an unsophisticated attack as the attacker
does not gain access to any information but rather annoys the target and interrupts the
service.

1. Jolt2: A major vulnerability has been discovered in Windows' networking code. The
vulnerability allows remote attackers to cause a DoS attack against Windows-based
machines — the attack causes the target machine to consume 100% of the CPU time on
processing of illegal packets.
2. Nemesy: This program generates random packets with spoofed source IPs to enable the
attacker to launch a DoS attack.
3. Targa: It is a program that can be used to run eight different DoS attacks. The attacker has
the option to launch either individual attacks or try all the attacks until one is successful.
4. CrazyPinger: This tool could send large ICMP packets to a remote target network.
5. SomeTrouble: It is a remote flooder and bomber. It is developed in Delphi.

DDoS Attacks

In a DDoS attack, an attacker may use your computer to attack another computer. By
taking advantage of security vulnerabilities or weaknesses, an attacker could take control
of your computer. He/she could then force your computer to send huge amounts of data to
a website or send Spam to particular E-Mail addresses. The attack is “distributed”
because the attacker is using multiple computers, including yours, to launch the
DoS attack.

Tools used to launch DDoS attack

1. Trinoo: It is a set of computer programs to conduct a DDoS attack. It is believed
that Trinoo networks have been set up on thousands of systems on the Internet
that have been compromised by remote buffer overrun exploits.
2. Tribe Flood Network (TFN): It is a set of computer programs to conduct various DDoS attacks
such as ICMP flood, SYN flood, UDP flood and Smurf attack.
3. Stacheldraht: It is written by Random for Linux and Solaris systems, which acts as a
DDoS agent. It combines features of Trinoo with TFN and adds encryption.
4. Shaft: This network looks conceptually similar to a Trinoo; it is a packet flooding
attack and the client controls the size of the flooding packets and the duration of the attack.
5. MStream: It uses spoofed TCP packets with the ACK flag set to attack the
target. Communication is not encrypted and is performed through TCP and
UDP packets. Access to the handler is password protected. This program has a feature
not found in other DDoS tools. It informs all connected users of access, successful
or not, to the handler(s) by competing parties.

How to Protect from DoS/DDoS Attacks

1. Implement router filters. This will lessen your exposure to certain DoS attacks.
2. If such filters are available for your system, install patches to guard against TCP SYN
flooding.
3. Disable any unused or inessential network service. This can limit the ability of an
attacker to take advantage of these services to execute a DoS attack.
4. Enable quota systems on your OS if they are available.
5. Observe your system's performance and establish baselines for ordinary activity. Use
the baseline to gauge unusual levels of disk activity, central processing unit (CPU) usage
or network traffic.
6. Routinely examine your physical security with regard to your current needs.
7. Use Tripwire or a similar tool to detect changes in configuration information or other
files.
8. Invest in and maintain “hot spares” — machines that can be placed into service quickly if a
similar machine is disabled.
9. Invest in redundant and fault-tolerant network configurations.
10. Establish and maintain regular backup schedules and policies, particularly for
important configuration information.
11. Establish and maintain appropriate password policies, especially access to highly
privileged accounts such as Unix root or Microsoft Windows NT Administrator.
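Item 5 (baselines) and the SYN attack described earlier are combined in this added example (not from the course notes): it parses `ss -tan`-style connection listings, builds a baseline of half-open (SYN-RECV) connections from quiet snapshots, and flags a snapshot whose half-open count exceeds the baseline, telling a single-source flood from a distributed or spoofed-source one by how concentrated the peers are. The snapshots are constructed, the peer addresses are from the documentation ranges, and the column layout assumed is that of `ss -tan`.

```python
# Added example (not from the course notes): baseline-based detection of TCP SYN flooding
# from 'ss -tan'-style listings of the victim's connection table. All snapshots are constructed.
import statistics
from collections import Counter


def parse_ss(text: str) -> list:
    """Parse 'ss -tan'-style output into (state, peer_ip) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]   # drop the peer port
        rows.append((fields[0], peer_ip))
    return rows


def half_open_by_peer(rows: list) -> Counter:
    """Count half-open connections (SYN received, handshake never completed) per peer."""
    return Counter(ip for state, ip in rows if state == "SYN-RECV")


def baseline(totals: list) -> tuple:
    """Mean and population standard deviation of half-open totals from quiet snapshots."""
    return statistics.mean(totals), statistics.pstdev(totals)


def assess(rows: list, mean: float, stdev: float, sigma: float = 3.0, min_excess: int = 20) -> dict:
    """Compare one snapshot against the baseline. min_excess keeps a tiny baseline from
    turning a handful of slow clients into an alert."""
    counts = half_open_by_peer(rows)
    total = sum(counts.values())
    threshold = max(mean + sigma * stdev, mean + min_excess)
    result = {"alert": total > threshold, "total": total, "threshold": threshold,
              "kind": None, "top_sources": counts.most_common(3)}
    if result["alert"]:
        top_share = counts.most_common(1)[0][1] / total
        result["kind"] = ("single-source SYN flood" if top_share > 0.5
                          else "distributed or spoofed-source SYN flood")
    return result


def make_snapshot(half_open_peers: list, established: int = 30) -> str:
    """Construct an 'ss -tan'-style listing for a web server at 10.0.0.5:443."""
    lines = ["State    Recv-Q Send-Q Local Address:Port  Peer Address:Port"]
    for i in range(established):
        lines.append(f"ESTAB    0      0      10.0.0.5:443        203.0.113.{i % 250 + 1}:{50000 + i}")
    for i, ip in enumerate(half_open_peers):
        lines.append(f"SYN-RECV 0      0      10.0.0.5:443        {ip}:{40000 + i}")
    return "\n".join(lines)


def demo() -> dict:
    """Baseline from five quiet snapshots, then assess a quiet, a single-source and a
    distributed flood snapshot (constructed)."""
    quiet = [make_snapshot([f"203.0.113.{j + 1}" for j in range(n)]) for n in (3, 5, 4, 6, 2)]
    mean, stdev = baseline([sum(half_open_by_peer(parse_ss(s)).values()) for s in quiet])
    single = make_snapshot(["198.51.100.7"] * 400)                       # one flooding source
    distributed = make_snapshot([f"192.0.2.{i % 200 + 1}" for i in range(400)])  # 200 peers
    return {
        "quiet": assess(parse_ss(quiet[0]), mean, stdev),
        "single": assess(parse_ss(single), mean, stdev),
        "distributed": assess(parse_ss(distributed), mean, stdev),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```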

4.12 Attacks on Wireless Networks

In the yesteryears, “working” meant leaving home, commuting to the workplace,
spending those typical 9 a.m. to 6 p.m. hours in the office and then shutting down the work and
commuting back home or wherever one wished to be after office hours. “Working” and
“away from work” were cleanly delineated, distinct states that one could be
in. Gone are those days and now we are in the era of computing anywhere, anytime!
There is no doubt that workforce “mobility” is on the rise.

The following are different types of “mobile workers”:

1. Tethered/remote worker: This is considered to be an employee who generally remains
at a single point of work, but is remote to the central company systems. This includes
home workers, tele-cottagers and, in some cases, branch workers.
2. Roaming user: This is either an employee who works in an environment (e.g.,
warehousing, shop floor, etc.) or in multiple areas (e.g., meeting rooms).
3. Nomad: This category covers employees requiring solutions in hotel rooms and other
semi-tethered environments where modem use is still prevalent, along with the increasing use
of multiple wireless technologies and devices.
4. Road warrior: This is the ultimate mobile user and spends little time in the office;
however, he/she requires regular access to data and collaborative functionality while on
the move, in transit or in hotels. This type includes the sales and field forces.

Wireless technologies have become increasingly popular in day-to-day business and personal
lives. Hand-held devices such as PDAs allow individuals to access calendars, E-Mail
addresses, phone number lists and the Internet. Wireless networks extend the range of traditional
wired networks by using radio waves to transmit data to wireless-enabled devices such as laptops and
PDAs.

Wireless networks are generally composed of two basic elements: (a) access points (APs) and (b) other
wireless-enabled devices, such as laptops, which use radio transmitters and receivers to communicate or
“connect” with each other.

Wireless technology is no more a buzzword in today's world. Let us understand the important
components of a wireless network, apart from components such as modems, routers, hubs and
firewalls, which are an integral part of any wired network as well as a wireless network.
1. 802.11 networking standards: Institute of Electrical and Electronics Engineers
(IEEE) 802.11 is a family of standards for wireless local area networks (WLAN),
stating the specifications and/or requirements for computer communication in the 2.4,
3.6 and 5 GHz frequency bands.
a. 802.11: It is applicable to WLANs and provides 1 or 2 Mbps transmission in
the 2.4 GHz band using either frequency-hopping spread spectrum (FHSS) or
direct sequence spread spectrum (DSSS).
b. 802.11a: It provides 54 Mbps transmission in the 5 GHz band and uses
orthogonal frequency division multiplexing (OFDM), which is a more efficient
coding technique compared with FHSS and DSSS.
c. 802.11b: It provides 11 Mbps transmission in the 2.4 GHz band and uses
complementary code keying (CCK) modulation to improve speeds. In 1999, a
ratification was made to the original 802.11 standard, and was termed as 802.11b,
which allowed wireless functionality comparable to Ethernet. Although it was the slowest
standard, at the same time being the least expensive, the evolution led to the
rapid acceptance of 802.11b across the world as the definitive WLAN technology, known
as the “Wi-Fi standard.”
d. 802.11g: It provides 54 Mbps transmission in the 2.4 GHz band and the same
OFDM coding as 802.11a, hence it is a lot faster than 802.11a and 802.11b.
e. 802.11n: It is the newest standard available widely and uses multiple-input
multiple-output (MIMO), which enabled it to improve the speed and range
significantly. For example, although 802.11g provides 54 Mbps transmission
theoretically, it can only achieve 24 Mbps of speed because of
network traffic congestion. However, 802.11n can achieve speeds as high
as 140 Mbps.
2. Access points: It is also termed as AP. It is a hardware device and/or a software that
acts as a central transmitter and receiver of WLAN radio signals. Users of wireless
devices, such as laptops/PDAs, get connected with these APs, which in turn get
connected with the wired LAN. An AP acts as a communication hub for users to
connect with the wired LAN.
3. Wi-Fi hotspots: A hotspot is a site that offers Internet access by using Wi-Fi
technology over a WLAN. Hotspots are found in public areas.
a. Free Wi-Fi hotspots: Wireless Internet service is offered in public areas, free
of cost and that too without any authentication. The users will have to enable the
wireless on their devices, search for such hotspots and will have to say (click)
connect. The Internet facility is made available to the user. As the
authentication mechanism on the router is disabled, the user gets connected to the
WLAN and cybercriminals get their prey. As access to free hotspots cannot be
controlled, cybersecurity is always questioned.
b. Commercial hotspots: The users are redirected to authentication and online
payment to avail the wireless Internet service in public areas. The payment can be
made using a credit/debit card through payment gateways such as PayPal. Major
airports and business hotels usually charge to avail wireless Internet
service.
4. Service set identifier (SSID): It is the name of an 802.11 WLAN and all wireless
devices on a WLAN must use the same SSID to communicate with each other. While
setting up a WLAN, the user (or WLAN administrator) sets the SSID, which can be up
to 32 characters long, so that only the users who know the SSID will be able to connect to the
WLAN. It is always advised to turn OFF the broadcast of the SSID, which results
in the detected network displaying as an unnamed network, and the user would need to
manually enter the correct SSID to connect to the network.
5. Wired equivalent privacy (WEP): Wireless transmission is susceptible to
eavesdropping and, to provide confidentiality, WEP was introduced as part of the
original 802.11i protocol in 1997. It is always termed as a deprecated security algorithm
for IEEE 802.11 WLANs. SSID along with WEP delivers a fair amount of secured
wireless network.
6. Wi-Fi protected access (WPA and WPA2): During 2001, a serious weakness in WEP
was identified that resulted in WEP cracking software being made available to enable
cybercriminals to intrude into WLANs. WPA was introduced as an interim standard to
replace WEP to improve upon the security features of WEP.
7. Media access control (MAC): It is a unique identifier of each node (i.e., each
network interface) of the network and it is assigned by the manufacturer of a network
interface card (NIC) and stored in its hardware. MAC address filtering allows only the
devices with specific MAC addresses to access the network. The router should be
configured stating which addresses are allowed.

Tools used for hacking wireless networks
1. NetStumbler: This tool is based on the Windows OS and easily identifies wireless signals
being broadcast within range. It also has the ability to determine signal/noise that can be
used for site surveys.
2. Kismet: This tool detects and displays SSIDs that are not being broadcast, which is
very critical in finding wireless networks. NetStumbler does not have this key functional
element — the ability to display wireless networks that are not broadcasting their SSID.
3. Airsnort: This tool is very easy and is usually used to sniff and crack WEP
keys (http://airsnort.shmoo.com/).
4. CowPatty: This tool is used as a brute force tool for cracking WPA-PSK, which
is considered to be the “New WEP” for home wireless security. This program simply tries
a bunch of different options from a dictionary file to see if one ends up matching what is
defined as the preshared key.
5. Wireshark (formerly Ethereal): Ethereal can scan wireless and Ethernet data and comes
with some robust filtering capabilities. It can also be used to sniff out 802.11
management Beacons and probes, and subsequently could be used as a tool to sniff out
non-broadcast SSIDs.

Traditional Techniques of Attacks on Wireless Networks

In security breaches, penetration of a wireless network through unauthorized access is termed
wireless cracking. The various methods once demanded a high level of technological skill and
knowledge, but the availability of numerous software tools has made it less sophisticated, so
that WLANs can be cracked with minimal technological skill.

1. Sniffing: It is eavesdropping on the network and is the simplest of all attacks. Sniffing is
the simple process of intercepting wireless data that is being broadcast on an unsecured
network. Also termed a reconnaissance technique, it gathers the required information
about the active/available Wi-Fi networks. The attacker usually installs the sniffers
remotely on the victim's system and conducts activities such as:
o passive scanning of the wireless network
o detection of the SSID
o collecting the MAC address
o collecting the frames to crack WEP
2. Spoofing: The primary objective of this attack is to successfully masquerade an identity
by falsifying data and thereby gain an illegitimate advantage. The attacker often
launches an attack on a wireless network by simply creating a new network with a
stronger wireless signal and a copied SSID in the same area as a legitimate network. The
attacker can conduct this activity easily because, while setting up a wireless network, the
computers no longer need to be informed to access the network; rather, they access it
automatically as soon as they move within the signal range. This convenient feature is
always exploited by the attacker.
MAC address spoofing: It is a technique of changing an assigned media access
control (MAC) address of a networked device to a different one. This allows the
attacker to bypass the access control lists on servers or routers by either hiding a
computer on a network or allowing it to impersonate another network device.

IP spoofing: It is a process of creating IP packets with a forged source IP address,
with the purpose of concealing the identity of the sender or impersonating another
computing system. To engage in IP spoofing, the attacker uses a variety of techniques
to find the IP address of a trusted host and then modifies the packet headers so that
it appears that the packets are coming from that host, that is, a legitimate sender.

Frame spoofing: The attacker injects frames whose content is carefully spoofed
and which are valid as per 802.11 specifications. Frames themselves are not
authenticated in 802.11 networks and hence, when a frame has a spoofed source
address, it cannot be detected unless the address is entirely faked/bogus.

3. Denial of service (DoS): A website is accessed massively and repeatedly from
different locations, preventing legitimate visitors from accessing the website. When a
DoS attack is launched from different locations in a coordinated fashion, it is often
referred to as a distributed denial of service (DDoS) attack.
4. Man-in-the-middle attack (MITM): It refers to the scenario wherein an attacker on host A
inserts A into all communications between hosts X and Y without the knowledge of X
and Y. All messages sent by X do reach Y, but through A, and vice versa.
5. Encryption cracking: It is always advised that the first step to protect wireless networks
is to use WPA encryption. The attackers always devise new tools and techniques to
deconstruct the older encryption technology, which is quite easy for attackers due to
continuous research in this field. Hence, the second step is to use a long and highly
randomized encryption key; this is very important. It is a little painful to remember a long
random encryption key; however, at the same time these keys are much harder to crack.

Theft of Internet Hours and Wi-Fi-based Frauds and Misuses

Information communication technology (ICT) is within reach of people nowadays, and most of
the new systems (i.e., computers) are equipped for wireless Internet access as more and more
people are opting for Wi-Fi in their homes. A wireless network in the home is becoming a common
necessity because of lifestyle and the availability of inexpensive broadband routers that can be
configured easily, or that need no configuration at all because of the plug-and-play
feature.

Cybercriminals know that they should not steal Internet hours purchased by others, but somehow
they want to get their work done without paying for the Internet connection, and they also want to know
whether anyone can find out who they are stealing it from. Here is what they are most likely
to do:
(a) they find out the IP address of the router that you are using;
(b) open up a command prompt (go to Start, click on Run, type cmd and press Enter); and
(c) at the command prompt, type the command ipconfig /all and press Enter.

How to Secure the Wireless Networks

Nowadays, the security features of Wi-Fi networking products are not that time-consuming or
non-intuitive; however, they are still ignored, especially by home users. The following
summarized steps will help to improve and strengthen the security of a wireless network.

1. Change the default settings of all the equipment/components of the wireless network (e.g., IP
address, user IDs, administrator passwords, etc.).
2. Enable WPA/WEP encryption.
3. Change the default SSID.
4. Enable MAC address filtering.
5. Disable remote login.
6. Disable SSID broadcast.
7. Disable the features that are not used in the AP (e.g., printing/music support).
8. Avoid giving the network a name which can be easily identified (e.g., My_Home_Wifi).
9. Connect only to secured wireless networks (i.e., do not auto-connect to open Wi-Fi hotspots).
10. Upgrade the router's firmware periodically.
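Steps 2 and 3 of the checklist, and the "long and highly randomized encryption key" advice under Encryption cracking above, share one technical root: a WPA/WPA2-PSK network turns the passphrase into its 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 iterations (IEEE 802.11i). A short or dictionary passphrase can therefore be guessed offline from one captured handshake, and a vendor-default SSID lets an attacker reuse tables precomputed for that salt. The following checker, an added example that is not part of the course notes, derives the PMK the way a supplicant does and flags weak passphrase/SSID pairs; the word list and default-SSID list are constructed stand-ins for real ones, and the 60-bit entropy threshold is an assumed policy value.

```python
"""WPA/WPA2-PSK passphrase and SSID checker (added example, not from the course notes)."""
import hashlib
import math
import string

# Constructed mini word list standing in for a real dictionary file.
COMMON_WORDS = {"password", "letmein", "qwerty", "12345678", "wireless"}
# Constructed list of vendor-default SSIDs; real lists are far longer.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "dlink", "TP-LINK"}
MIN_ENTROPY_BITS = 60  # assumed local policy, not a standard value


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK exactly as a WPA2-PSK supplicant computes it:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8-63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def entropy_bits(passphrase: str) -> float:
    """Rough upper-bound entropy estimate: log2(charset size) per character,
    where the charset is the union of the character classes actually used."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    charset = sum(len(p) for p in pools if any(c in p for c in passphrase))
    if charset == 0:
        return 0.0
    return len(passphrase) * math.log2(charset)


def assess(passphrase: str, ssid: str) -> dict:
    """Classify a passphrase/SSID pair and return the findings a defender can act on."""
    findings = []
    if passphrase.lower() in COMMON_WORDS:
        findings.append("passphrase is a dictionary word")
    bits = entropy_bits(passphrase)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS}")
    if ssid in DEFAULT_SSIDS:
        # Same passphrase + same SSID = same PMK, so default SSIDs make
        # precomputed PMK tables reusable across many networks.
        findings.append("default SSID allows precomputed PMK tables")
    verdict = "weak" if findings else "ok"
    return {"verdict": verdict, "entropy_bits": round(bits, 1), "findings": findings}


if __name__ == "__main__":
    for pw, ssid in [("password", "linksys"), ("k8#Qz2!mVw7$Lp4r", "HomeNet-7f3a")]:
        print(ssid, pw, assess(pw, ssid), derive_pmk(pw, ssid).hex()[:16] + "...")
```

The derivation is deliberately the same one the access point and client run, so the script shows why changing only the SSID changes the PMK even when the passphrase stays the same; the strength heuristic is a coarse estimate and should be treated as a floor, not a guarantee.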

Tools to protect wireless networks

1. Zamzom Wireless Network Tool: This freeware tool helps to protect wireless networks
and maintain computer security. It detects all computer names, MAC and IP addresses
utilizing a single wireless network, and reveals all computers, both authorized and
unauthorized, that have access to any given wireless network.
2. AirDefense Guard: The tool provides advanced intrusion detection for wireless LANs and is
based on signature analysis, policy deviation, protocol assessment and
statistically anomalous behavior. AirDefense detects and responds to:
o denial-of-service (DoS) attacks;
o man-in-the-middle attacks;
o identity theft.
3. Wireless Intrusion Detection System (WIDZ): This is an intrusion detection system for
802.11 wireless LANs. It guards APs and monitors local frequencies for potentially malevolent
activity. It can detect scans, association floods and bogus APs, and it can easily be
integrated with other products such as Snort or RealSecure.
4. BSD-Airtools: This tool provides a complete toolset for wireless auditing (802.11b).
It contains an AP detection application, Dstumbler, similar to NetStumbler. It can be used to
detect wireless access points and connected nodes, view signal-to-noise graphs, and
interactively scroll through scanned APs and view statistics for each.
5. Google Secure Access: Google Wi-Fi is a free wireless Internet service offered to the city
of Mountain View (California, USA). With a Wi-Fi-enabled device and a Google
Account, one can go online for free by accessing the network name "Google Wi-Fi,"
which is secured by Google's virtual private network (VPN).
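The detection tools listed above (AirDefense's DoS and identity-theft signatures, WIDZ's bogus-AP and association-flood checks) work on the same management frames that the spoofing and DoS attacks in the Traditional Techniques section abuse: beacons advertising a copied SSID from an unknown BSSID, association requests from stations that should not be on the network, and bursts of deauthentication frames. The following minimal wireless IDS, an added example that is not code from any of the products named, applies those three checks to a constructed frame record format (one line per frame: time in seconds, subtype, source MAC, BSSID, SSID or "-"); the authorized-AP inventory, station allow list, and the flood threshold are assumed local policy values.

```python
"""Minimal wireless IDS over 802.11 management-frame records (added example, not from the notes)."""
from collections import defaultdict, deque

# Constructed inventory: the BSSIDs our own APs legitimately use for each SSID.
AUTHORIZED_APS = {"CorpNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
# Constructed station allow list (the MAC address filtering step of the checklist).
ALLOWED_STATIONS = {"10:20:30:40:50:61", "10:20:30:40:50:62"}
DEAUTH_LIMIT = 5   # assumed policy: more than this many deauths per window is a flood
WINDOW_S = 2.0     # assumed sliding-window length in seconds

# Constructed frame records, not a real capture. The deauth burst carries the
# AP's own BSSID as source, exactly as a frame-spoofing attacker would send it.
FRAMES = """\
0.00 beacon aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 CorpNet
0.10 beacon aa:bb:cc:00:00:02 aa:bb:cc:00:00:02 CorpNet
0.20 beacon de:ad:be:ef:00:01 de:ad:be:ef:00:01 CorpNet
0.30 assoc_req 10:20:30:40:50:61 aa:bb:cc:00:00:01 -
0.40 assoc_req 66:77:88:99:aa:bb aa:bb:cc:00:00:01 -
1.00 deauth aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 -
1.10 deauth aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 -
1.20 deauth aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 -
1.30 deauth aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 -
1.40 deauth aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 -
1.50 deauth aa:bb:cc:00:00:01 aa:bb:cc:00:00:01 -
9.00 deauth aa:bb:cc:00:00:02 aa:bb:cc:00:00:02 -
"""


def parse(line: str) -> dict:
    """Split one constructed record into its fields; '-' means no SSID element."""
    t, subtype, src, bssid, ssid = line.split()
    return {"t": float(t), "subtype": subtype, "src": src, "bssid": bssid,
            "ssid": None if ssid == "-" else ssid}


def analyze(text: str) -> list:
    """Return (alert_type, subject, detail) tuples, one per distinct finding."""
    alerts = []
    seen_twins = set()
    deauth_times = defaultdict(deque)   # bssid -> timestamps inside the window
    flood_reported = set()
    for line in text.strip().splitlines():
        f = parse(line)
        if f["subtype"] == "beacon" and f["ssid"] in AUTHORIZED_APS:
            # Evil twin / bogus AP: our SSID advertised by a BSSID we do not own.
            if f["bssid"] not in AUTHORIZED_APS[f["ssid"]] and f["bssid"] not in seen_twins:
                seen_twins.add(f["bssid"])
                alerts.append(("evil_twin", f["bssid"], f["ssid"]))
        elif f["subtype"] == "assoc_req" and f["src"] not in ALLOWED_STATIONS:
            # Station MAC not on the allow list trying to join an AP.
            alerts.append(("unauthorized_station", f["src"], f["bssid"]))
        elif f["subtype"] == "deauth":
            # Rate-based DoS check: addresses are unauthenticated, so count, not origin, is the signal.
            q = deauth_times[f["bssid"]]
            q.append(f["t"])
            while q and f["t"] - q[0] > WINDOW_S:
                q.popleft()
            if len(q) > DEAUTH_LIMIT and f["bssid"] not in flood_reported:
                flood_reported.add(f["bssid"])
                alerts.append(("deauth_flood", f["bssid"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(FRAMES):
        print(*alert)
```

The deauth check is rate-based on purpose: as the frame-spoofing paragraph notes, 802.11 management frames are not authenticated, so a spoofed deauth carrying the real AP's address is indistinguishable from a genuine one at the address level, and only its volume gives it away. The standards-level fix is Protected Management Frames (802.11w), which authenticates deauthentication and disassociation frames so that spoofed ones are dropped by the client rather than merely noticed by a monitor.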
