Tools and Methods Used in Cybercrime


15-10-2024 11:30:46 1

Topics
• Introduction
• Proxy Servers and Anonymizers
• Phishing
• Password Cracking, Keyloggers and Spywares
• Virus and Worms
• Trojan-horses and Backdoors
• Steganography
• DoS and DDoS Attacks
• SQL Injection
Introduction
• Attackers use a wide range of tools, techniques and elaborate
methodologies to launch attacks against a target.
• This chapter gives an insight into these techniques so that the
reader can understand how the computer is an indispensable tool
for almost all cybercrimes.
• Because the Internet and computer networks are integral parts of
information systems, attackers either already have in-depth knowledge
of the technology or take the trouble to acquire it.
• The basic stages of an attack are described here to show how an
attacker compromises a network:
1. Initial uncovering
2. Network probe
3. Crossing the line toward electronic crime
4. Capturing the network
5. Grab the data
6. Covering attacks
1. Initial uncovering:
Two steps are involved here.
• In the first step, called reconnaissance, the attacker gathers as
much information as possible about the target by legitimate means:
searching for the target on the Internet, on social networking
websites and on people-finder websites.
• If the target is an organization or institute, information can also
be gathered by browsing its public websites and searching news
articles and press releases.
• In the second step, the attacker uncovers as much information as
possible about the company's internal network, such as its Internet
domain, machine names and IP address ranges. From a prevention
perspective it is practically impossible to detect the attacker at
this stage, because nothing illegal has been done yet and the
information requests look legitimate.
2. Network probe:
• At the network probe stage, the attacker uses more invasive
techniques to scan for information.
• Usually a "ping sweep" of the network's IP address range is
performed to find live hosts, and then a port-scanning tool is used
to discover exactly which services are running on each target.
• At this point the attacker has still not done anything that most
networks would treat as abnormal activity or classify as an
intrusion, although a sweep or scan is noisy enough that an IDS or a
review of firewall logs can pick it up.
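As an added example (not part of the original slides), the following Python script shows the defender's side of the network probe stage: it reads a handful of constructed, iptables-style firewall log lines and flags a source that pings many hosts inside a short window (a ping sweep) or touches many ports on one host (a port scan). The log line format, the addresses and the thresholds are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (simplified iptables style):
# "<ISO time> SRC=<ip> DST=<ip> PROTO=<proto> [DPT=<port>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: DPT=(?P<dpt>\d+))?$"
)

# Constructed sample lines, not captured traffic. 203.0.113.7 sweeps six hosts
# with ICMP and then probes six ports on one of them; 198.51.100.5 is a normal client.
SAMPLE_LOG = [
    "2024-10-15T11:30:00 SRC=203.0.113.7 DST=192.0.2.10 PROTO=ICMP",
    "2024-10-15T11:30:00 SRC=203.0.113.7 DST=192.0.2.11 PROTO=ICMP",
    "2024-10-15T11:30:01 SRC=203.0.113.7 DST=192.0.2.12 PROTO=ICMP",
    "2024-10-15T11:30:01 SRC=203.0.113.7 DST=192.0.2.13 PROTO=ICMP",
    "2024-10-15T11:30:02 SRC=203.0.113.7 DST=192.0.2.14 PROTO=ICMP",
    "2024-10-15T11:30:02 SRC=203.0.113.7 DST=192.0.2.15 PROTO=ICMP",
    "2024-10-15T11:30:10 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21",
    "2024-10-15T11:30:10 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "2024-10-15T11:30:11 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23",
    "2024-10-15T11:30:11 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25",
    "2024-10-15T11:30:12 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80",
    "2024-10-15T11:30:12 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443",
    "2024-10-15T11:30:05 SRC=198.51.100.5 DST=192.0.2.10 PROTO=ICMP",
    "2024-10-15T11:30:06 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443",
    "2024-10-15T11:30:40 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def detect_scans(lines, window=timedelta(seconds=60), host_threshold=5, port_threshold=5):
    """Return {src: {"ping_sweep": set_of_hosts, "port_scan": {dst: set_of_ports}}}.

    A source is reported when, inside any window, it sends ICMP to at least
    host_threshold distinct hosts or connects to at least port_threshold distinct
    ports on one host. Thresholds are illustrative; tune them to your network.
    """
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        sweep_hosts, scanned = set(), {}
        for i, first in enumerate(recs):          # slide the window start over each event
            icmp_hosts, ports_per_dst = set(), defaultdict(set)
            for rec in recs[i:]:
                if rec["ts"] - first["ts"] > window:
                    break
                if rec["proto"] == "ICMP":
                    icmp_hosts.add(rec["dst"])
                elif rec["dpt"] is not None:
                    ports_per_dst[rec["dst"]].add(rec["dpt"])
            if len(icmp_hosts) >= host_threshold:
                sweep_hosts |= icmp_hosts
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold:
                    scanned.setdefault(dst, set()).update(ports)
        if sweep_hosts or scanned:
            findings[src] = {"ping_sweep": sweep_hosts, "port_scan": scanned}
    return findings


if __name__ == "__main__":
    for src, f in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: swept {len(f['ping_sweep'])} hosts; "
              f"port-scanned {[(d, sorted(p)) for d, p in f['port_scan'].items()]}")
```

A scan only looks legitimate when nobody correlates the log lines; the same sliding-window logic, fed from real firewall or NetFlow exports, turns the "nothing abnormal yet" stage into the first alert.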
3. Crossing the line toward electronic crime:
• Now the attacker crosses the line by exploiting possible holes in the
target system, usually going through several stages of exploits to
gain access. Certain programming errors can be used by attackers to
compromise a system and are quite common in practice.
• Exploits usually target vulnerabilities in common gateway interface
(CGI) scripts or well-known buffer-overflow holes, but the easiest way
to gain entry is to check for default login accounts with easily
guessable (or empty) passwords.
• Once the attacker is able to access a user account with few
privileges, he/she attempts further exploits to obtain administrator
or "root" access.
• "Root" is the administrator or super-user account; it grants the
privilege to do anything on the system.
4. Capturing the network:
• At this stage, the attacker attempts to own the network. A foothold
in the internal network is gained quickly and easily by compromising
low-priority target systems.
• The next step is to remove any evidence of the attack. The attacker
will usually install a set of tools (a rootkit) that replace existing
files and services with Trojan files and services that have a
backdoor password.
• There are a number of hacking tools which can clean up log files and
remove any trace of an intrusion.
• Once the attacker has gained access to one system, he/she repeats the
process, using that system as a stepping stone to reach other systems
deeper within the network.
5. Grab the data:
• Now that the attacker has captured the network, he/she takes
advantage of this position to steal confidential data and customer
credit information, deface webpages, alter processes and even launch
attacks at other sites from your network, causing a potentially
expensive and embarrassing situation for an individual and/or an
organization.
6. Covering attacks:
• This is the last step in any cyberattack; it refers to the activities
undertaken by the attacker to extend misuse of the system without
being detected.
• The attacker can remain undetected for long periods and use this
phase either to start fresh reconnaissance against a related target
system or to continue using the resources, removing evidence of the
hack and avoiding legal action.
• Throughout the entire process, the attacker takes great care to hide
his/her identity, from the very first step.
Proxy servers and Anonymizers
• A proxy server is a computer on a network which acts as an
intermediary for connections with other computers on that network.
• A client connects to the proxy server and requests some service
(such as a file, webpage, connection or other resource) available
from a different server. The proxy server evaluates the request and
provides the resource, either by establishing the connection to the
respective server itself or by requesting the required service on
behalf of the client.
• An attacker first connects to a proxy server and then establishes the
connection with the target system through that existing connection,
so the target sees the proxy's IP address rather than the attacker's.
Using a proxy server thus allows an attacker to hide his/her identity;
only the proxy (and its logs) knows the real source.
A proxy server has the following purposes:
• Keep the systems behind it hidden ("behind the curtain").
• Speed up access to a resource through caching; it is usually used to
cache webpages from a web server.
• Specialized proxy servers are used to filter unwanted content such as
advertisements.
• A proxy server can act as an IP address multiplexer, enabling a number
of computers to connect to the Internet when only one public IP
address is available.
• One advantage of a proxy server is that its cache can serve all users.
If a website is requested frequently, possibly by different users, it
is likely to be in the proxy's cache, which improves user response
time. In fact there are special servers available known as cache
servers.
• A proxy can also do logging.
• Listed below are a few websites where free proxy servers can be found:
• http://www.proxy4free.com
• http://www.publicproxyservers.com
• http://www.proxz.com
• http://www.anonymitychecker.com
• http://www.surf24h.com
• http://www.hidemyass.com
• An anonymizer or anonymous proxy is a tool that attempts to make
activity on the Internet untraceable.
• It accesses the Internet on the user's behalf, protecting personal
information by hiding the source computer's identifying information.
• Anonymizers are services used to make web surfing anonymous by
utilizing a website that acts as a proxy server for the web client.
In 1997 the first anonymizer software tool was created by Lance
Cottrell and developed by Anonymizer.com.
• Listed below are a few websites where more information about
anonymizers can be found:
• www.anonymizer.com
• www.browzar.com
• www.anonymize.net
• www.anonymouse.ws
• www.anonymousindex.com
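What a proxy actually hides from the target is decided by the HTTP headers the proxy adds, which is what the "anonymity checker" sites above test. The following Python is an added example, not code from the slides or from any of the listed services: a checker-side function that looks at the peer address and request headers the target server receives and grades the proxy as transparent (real client address forwarded), anonymous (proxy admits it is a proxy) or elite (no trace of a proxy). The sample requests, addresses and header lists are constructed for illustration.

```python
# Headers by which a proxy may reveal the real client's address to the target
CLIENT_REVEALING = ("x-forwarded-for", "x-real-ip", "forwarded", "client-ip", "x-client-ip")
# Headers by which a proxy reveals its own presence (even if it hides the client)
PROXY_REVEALING = ("via", "x-forwarded-for", "forwarded", "x-proxy-id", "proxy-connection")

REAL_CLIENT = "198.51.100.23"   # constructed: the address the checker page already knows
PROXY_IP = "203.0.113.5"        # constructed proxy address

# Constructed requests as the checker server would see them: (TCP peer address, headers)
SAMPLE_REQUESTS = {
    "direct":      (REAL_CLIENT, {"Host": "check.example", "User-Agent": "curl/8.0"}),
    "transparent": (PROXY_IP, {"Host": "check.example", "Via": "1.1 squid",
                               "X-Forwarded-For": REAL_CLIENT}),
    "anonymous":   (PROXY_IP, {"Host": "check.example", "Via": "1.1 squid"}),
    "elite":       (PROXY_IP, {"Host": "check.example", "User-Agent": "curl/8.0"}),
}


def classify_proxy(peer_addr, headers, real_client_ip):
    """Grade the anonymity of the path between a known client and this server.

    peer_addr      : the address of the TCP peer (the proxy, if one is in use)
    headers        : the HTTP request headers as received
    real_client_ip : the client's true address, known to the checker out of band
    Returns "none", "transparent", "anonymous" or "elite".
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    leaked = any(real_client_ip in hdrs.get(h, "") for h in CLIENT_REVEALING)
    if peer_addr == real_client_ip and not leaked:
        return "none"            # no proxy in the path at all
    if leaked:
        return "transparent"     # the proxy forwards the real client address
    if any(h in hdrs for h in PROXY_REVEALING):
        return "anonymous"       # client hidden, but the proxy announces itself
    return "elite"               # target cannot tell that a proxy is in use


def forwarded_chain(headers):
    """Return the address chain a transparent proxy exposes in X-Forwarded-For:
    the first entry is the original client, later entries are intermediate proxies."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    return [p.strip() for p in hdrs.get("x-forwarded-for", "").split(",") if p.strip()]


def check_all(samples=SAMPLE_REQUESTS, real_client_ip=REAL_CLIENT):
    """Classify every sample request; returns {name: grade}."""
    return {name: classify_proxy(peer, hdrs, real_client_ip)
            for name, (peer, hdrs) in samples.items()}


if __name__ == "__main__":
    for name, grade in check_all().items():
        print(f"{name:12s} -> {grade}")
```

Two caveats for practitioners: an "elite" grade only means the target cannot see the proxy; the proxy operator still has the real source address (and usually logs it), and a web anonymizer hides nothing from the user's own ISP. Conversely, a server that trusts X-Forwarded-For for access control or logging can be fed any address the client chooses, so the chain returned by forwarded_chain is evidence, not proof.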
Phishing
• Most people associate phishing with E-Mail messages that spoof or
mimic banks, credit card companies or other businesses such as Amazon
and eBay.
• These messages look authentic and attempt to get users to reveal
their personal information. "Phishing" is believed to be an
alternative spelling of "fishing," as in "to fish for."
• Phishing works in the following way:
• Planning: Criminals, usually called phishers, decide on the target
and determine how to get the E-Mail addresses of that target or of the
customers of that business. Phishers often use the same mass mailing
and address collection techniques as spammers.
• Setup: Once phishers know which business to spoof and who their
victims are, they create the methods for delivering the message and
for collecting the data from the targets. Most often this involves
E-Mail addresses and a webpage.
• Attack: This is the step people are most familiar with: the phisher
sends a phony message that appears to be from a reputable source.
• Collection: Phishers record the information victims enter into the
webpages or pop-up windows.
• Identity theft and fraud: Phishers use the information they have
gathered to make illegal purchases or commit fraud.
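The "looks authentic" part of the attack step usually rests on one trick: the link text shows the real bank's address while the href points somewhere else. The Python below is an added example, not from the slides: it parses a constructed HTML message with the standard library and reports every anchor whose visible text names a different registrable domain than its real destination (including the brand-as-subdomain trick), or whose destination is a bare IP address. The message and domains are made up for illustration; the two-label domain rule is a simplification noted in the code.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (documentation domains, not a real phish).
SAMPLE_MAIL = """\
<p>Dear customer, your ExampleBank account needs verification.</p>
<p>Log in at <a href="http://examplebank.com.secure-login.example/verify">https://www.examplebank.com/login</a>
to keep your account active.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a>.</p>
<p>Or <a href="http://203.0.113.9/verify">click here</a>.</p>
"""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Enough for these examples; real code
    should consult the Public Suffix List so that e.g. bank.co.uk is handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """Return the hostname named by link text such as 'www.bank.com/login' or a
    full URL, or None when the text is just words ('click here')."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host if host and "." in host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return [(visible_text, href, reason)] for links that mislead the reader
    about where they go."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname
        if not real_host:
            continue
        shown_host = host_in_text(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append((text, href, f"text names {shown_host} but link goes to {real_host}"))
        elif real_host.replace(".", "").isdigit():
            findings.append((text, href, "destination is a bare IP address, not a domain"))
    return findings


if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_MAIL):
        print(f"{reason}\n   text: {text!r}\n   href: {href}")
```

The same comparison is what a user should do by hand before clicking: hover, read the real destination, and compare its registrable domain (the part just before the top-level domain) with the one the text claims. Everything to the left of that part is under the attacker's control.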
Password Cracking
• Password cracking is done for the following purposes:
1. To recover a forgotten password.
2. As a preventive measure by system administrators, to check for
easily crackable passwords.
3. To gain unauthorized access to a system.
• Manual password cracking is the attempt to log on with different
passwords. The attacker follows these steps:
1. Find a valid user account such as Administrator or Guest;
2. Create a list of possible passwords;
3. Rank the passwords from high to low probability;
4. Key in each password;
5. Try again until a successful password is found.
• Passwords can sometimes be guessed with knowledge of the user's
personal information. Examples of guessable passwords include:
1. Blank (none);
2. Words like "password", "passcode" and "admin";
3. Series of letters from the "QWERTY" keyboard, e.g., qwerty, asdf or qwertyuiop;
4. User's name or login name;
5. Name of user's friend/relative/pet;
6. User's birthplace or date of birth, or a relative's or a friend's;
7. User's vehicle number, office number, residence number or mobile number;
8. Name of a celebrity who is considered an idol (e.g., actors, actresses,
spiritual gurus) by the user;
9. Simple modification of one of the preceding, such as suffixing a digit,
particularly 1, or reversing the order of letters.
• An attacker can also create a script file (i.e., an automated program)
which will be executed to try each password in a list.
• This is still considered manual cracking; it is time-consuming and
not usually effective.
• Passwords are stored in a database, and a password verification
process is built into the system which runs when a user attempts to
log in or access a restricted resource.
• To ensure confidentiality of passwords, the password verification data
is usually not stored in clear text but as a (salted) one-way hash; the
system hashes the password the user types and compares it with the
stored value.
• Password cracking attacks can be classified into three categories:
1. Online attacks
2. Offline attacks
3. Non-electronic attacks (e.g., social engineering, shoulder surfing,
dumpster diving)
1. Online attacks:
• An attacker can create a script file (i.e., an automated program)
that will be executed to try each password in a list against the live
login; when one matches, the attacker gains access to the system.
• The most popular online attack is the man-in-the-middle (MITM)
attack, also termed the "bucket-brigade attack" or sometimes the
"Janus attack".
• When a victim client connects to the fraudulent server, the MITM
server intercepts the connection, captures the password (or its hash)
and passes the connection on to the real server, so the victim
notices nothing.
• This type of attack is used to obtain passwords for E-Mail accounts
on public websites such as Yahoo, Hotmail and Gmail, and can also be
used to obtain passwords for financial websites by attackers who want
access to online banking.
2. Offline attacks:
• These are performed from a location other than the target (i.e., the
computer system or network) where the passwords reside or are used:
the attacker works on a copy of the password hashes at leisure, with
no lockout or logging on the target to slow him/her down.
• Offline attacks usually require physical access to the computer and
copying the password file from the system onto removable media.
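The following Python is an added example (not the slides' own code) that ties the guessable-password list above to the offline attack just described. It builds a constructed "password file" of salted PBKDF2 hashes, then runs a dictionary attack that applies the slide's own variations (capitalisation, a suffixed digit, reversed letters) to a tiny wordlist and compares the hashes, with no login service involved. The usernames, salts, wordlist and the deliberately low iteration count are assumptions of the example; the chosen plaintexts come from the slide's categories (pet name, first name plus "1", reversed dictionary word) plus one of its strong examples.

```python
import hashlib
import hmac

ITERATIONS = 1000   # deliberately low so the demo runs in about a second


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256: what the system stores instead of the clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def make_shadow():
    """Build a constructed password file {user: (salt, hash)}. The plaintexts are
    chosen from the slide's guessable categories: a pet name, a first name with
    the digit 1 suffixed, a reversed dictionary word, and one strong password."""
    chosen = {"alice": "rover", "bob": "Susan1", "carol": "drowssap", "dave": "4pRte!ai@3"}
    return {u: (f"salt-{u}", hash_password(p, f"salt-{u}")) for u, p in chosen.items()}


# Constructed, tiny wordlist; real attacks use millions of entries.
WORDLIST = ["password", "admin", "qwerty", "rover", "susan", "letmein"]


def candidates(word):
    """Generate guesses from one wordlist entry using the slide's variations:
    as-is, capitalised, upper-cased, reversed letters, and a single digit suffix."""
    base = {word, word.capitalize(), word.upper()}
    out = set(base)
    for b in base:
        out.add(b[::-1])
        for d in "0123456789":
            out.add(b + d)
    return out


def crack(shadow, wordlist=WORDLIST, iterations=ITERATIONS):
    """Offline dictionary attack: hash every candidate with each user's own salt
    and compare with the stored hash. Returns {user: recovered_password}.
    The per-user salt is why the work cannot be shared across users."""
    found = {}
    for user, (salt, stored) in shadow.items():
        for word in wordlist:
            for guess in candidates(word):
                if hmac.compare_digest(hash_password(guess, salt, iterations), stored):
                    found[user] = guess
                    break
            if user in found:
                break
    return found


if __name__ == "__main__":
    for user, pw in crack(make_shadow()).items():
        print(f"{user}: {pw}")
    # dave's strong password is not in the wordlist's reach and stays uncracked
```

Three of the four accounts fall to a six-word list because the "variations" are exactly the ones the slide says users apply. What protects the fourth is not the salt (the attacker has it) but the fact that the password is not derivable from any wordlist; what slows the whole attack is the cost of the hash, which is why real systems use a high iteration count or a memory-hard function such as bcrypt, scrypt or Argon2 rather than the 1000 iterations used here.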
Strong, Weak and Random Passwords
• A weak password is one which could be easily guessed: short, common
or a system default, and which could be found by a brute force attack
using only a subset of all possible passwords, such as words in the
dictionary, proper names, words based on the username or common
variations on these themes.
• Passwords that can be easily guessed by acquaintances of the netizen
(such as date of birth, pet's name and spouse's name) are considered
very weak.
• Here are some examples of "weak passwords":
1. Susan: common personal name;
2. aaaa: repeated letters, can be guessed;
3. rover: common name for a pet, also a dictionary word;
4. abc123: can be easily guessed;
5. admin: can be easily guessed;
6. 1234: can be easily guessed;
7. QWERTY: a sequence of adjacent letters on many keyboards;
8. 12/3/75: a date, possibly of personal importance;
9. nbusr123: probably a username, and if so, can be very easily guessed;
10. p@$$\/\/0rd: simple letter substitutions are preprogrammed into password cracking tools;
11. password: used very often, trivially guessed;
12. December12: using the date of a forced password change is very common.
• A strong password is long enough, random or otherwise difficult to
guess; producible only by the user who chooses it.
• The length of time deemed "too long" to crack will vary with the
attacker, the attacker's resources, the ease with which a password can
be tried and the value of the password to the attacker.
• E.g., a password controlling access to a large bank's electronic
money transfer system.
• Here are some examples of strong passwords:
1. Convert_£100 to Euros!: such phrases are long, memorable and contain
an extended symbol to increase the strength of the password.
2. 382465304H: a mix of numbers with a letter at the end; such passwords
are usually used on mass user accounts and can be generated randomly,
for example in schools and businesses.
3. 4pRte!ai@3: not a dictionary word; it mixes upper and lower case
letters with numeric and punctuation characters.
4. MoOoOfIn245679: long, with both letters and numerals.
5. t3wahSetyeT4: not a dictionary word; it has both letters and numerals.
Random Passwords
• A password is stronger if it includes a mix of upper and lower case
letters, numbers and other symbols, when allowed, for the same number
of characters.
• The difficulty of remembering such a password increases the chance
that the user will write it down, which makes it vulnerable to a
different attack.
• A password can, at first sight, look random, but on closer
examination it is just a pattern. One such password is 26845: it is
just the four direction keys on the square number pad plus the five
in the middle.
• The imposition of strong random passwords may encourage users to
write down passwords or store them in personal digital assistants,
increasing the risk of disclosure.
• The general guidelines applicable to password policies, which can be
implemented organization-wide, are as follows:
1. Passwords and user logon identities (IDs) should be unique to each
authorized user.
2. Passwords should consist of a minimum of eight alphanumeric characters
(no common names or phrases).
3. There should be computer-controlled lists of prescribed password rules
and periodic testing (e.g., for letter and number sequences, character
repetition, initials, common words and standard names) to identify any
password weaknesses.
4. Passwords should be kept private, that is, not shared with friends,
colleagues, etc. They shall not be coded into programs or noted down
anywhere.
5. Passwords shall be changed every 30/45 days or less. Most operating
systems (OSs) can enforce password expiration automatically and prevent
repeated or reused passwords. (Note that current guidance such as NIST
SP 800-63B no longer recommends forced periodic changes unless there is
evidence of compromise, precisely because they push users toward
predictable variations like December12.)
6. User accounts should be frozen after five failed logon attempts. All
erroneous password entries should be recorded in an audit log for later
inspection and action, as necessary.
7. Sessions should be suspended after 15 minutes (or another specified
period) of inactivity and require the password to be re-entered.
8. Successful logons should display the date and time of the last logon
and logoff.
9. Logon IDs and passwords should be suspended after a specified period
of non-use.
10. For high-risk systems, after excessive violations, the system should
generate an alarm and be able to simulate a continuing session (with
dummy data) for the failed user.
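Rules 2 and 3 above (minimum eight alphanumeric characters; testing for sequences, repetition, common words and names) can be mechanised. The Python below is an added example, not from the slides: a policy check that applies those rules, including the leet-speak normalisation that cracking tools perform (weak example 10), and runs it over the slides' own weak and strong examples. The word and sequence lists are constructed and tiny; a real check would use a full cracking wordlist. One design choice is visible in the tests: character repetition is checked case-sensitively so that MoOoOfIn245679, which the slide rates strong, is not rejected.

```python
import re

# The examples from the slides above, used here as test data.
WEAK_EXAMPLES = ["Susan", "aaaa", "rover", "abc123", "admin", "1234", "QWERTY",
                 "12/3/75", "nbusr123", "p@$$\\/\\/0rd", "password", "December12"]
STRONG_EXAMPLES = ["Convert_£100 to Euros!", "382465304H", "4pRte!ai@3",
                   "MoOoOfIn245679", "t3wahSetyeT4"]

# Constructed, tiny lists; a real policy check uses a large cracking wordlist.
COMMON_WORDS = ("password", "passcode", "admin", "letmein", "welcome", "login",
                "secret", "rover", "susan", "december", "qwerty")
KEYBOARD_RUNS = ("qwerty", "asdfg", "zxcv", "1234", "123", "abc")
# Substitutions that cracking tools apply automatically (weak example 10)
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})


def normalize(pw):
    """Undo leet-speak so that 'p@$$\\/\\/0rd' is compared as 'password'."""
    return pw.replace("\\/\\/", "w").replace("\\/", "v").translate(LEET).lower()


def weaknesses(pw):
    """Return the list of policy rules the password breaks (empty means acceptable)."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        reasons.append("not a mix of letters and digits")
    if any(w in normalize(pw) for w in COMMON_WORDS):
        reasons.append("contains a common word or name")
    if any(k in pw.lower() for k in KEYBOARD_RUNS):
        reasons.append("contains a keyboard or counting sequence")
    if re.search(r"(.)\1\1", pw):                 # case-sensitive: aaa, 111, not oOoO
        reasons.append("repeats one character three or more times")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}", pw):     # Susan1, nbusr123, December12
        reasons.append("a word followed by a short number")
    if re.fullmatch(r"\d{1,2}/\d{1,2}/\d{2,4}", pw):
        reasons.append("looks like a date")
    return reasons


def is_acceptable(pw):
    """True when the password passes every rule in weaknesses()."""
    return not weaknesses(pw)


if __name__ == "__main__":
    for pw in WEAK_EXAMPLES + STRONG_EXAMPLES:
        verdict = "OK" if is_acceptable(pw) else "; ".join(weaknesses(pw))
        print(f"{pw!r}: {verdict}")
```

Run at password-change time, a check like this enforces rule 3 before the password is stored; run periodically against the hash file with a cracking tool, it is the "periodic testing" the rule also asks for. Note that it returns every broken rule rather than stopping at the first, so the user learns what to fix.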
• Similarly, netizens should follow password guidelines to avoid having
their personal E-Mail accounts hacked:
1. Passwords used for business E-Mail accounts, personal E-Mail accounts
(Yahoo/Hotmail/Gmail) and banking/financial user accounts (e.g., online
banking/securities trading accounts) should be kept separate.
2. Passwords should be of minimum eight alphanumeric characters (common
names or phrases should be avoided).
3. Passwords should be changed every 30/45 days.
4. Passwords should not be shared with relatives and/or friends.
5. A password used previously should not be reused when renewing the
password.
6. Passwords of personal E-Mail accounts (Yahoo/Hotmail/Gmail) and
banking/financial user accounts (e.g., online banking/securities trading
accounts) should be changed from a secured system within a couple of
days if these accounts have been accessed from public Internet
facilities such as cybercafes/hotels/libraries.
7. Passwords should not be stored on mobile phones/PDAs, as these devices
are also prone to cyberattacks.
8. On receipt of an E-Mail from a banking/financial institution
instructing you to change your password, the legitimacy of the E-Mail
should be verified before clicking the weblinks displayed in it, to
avoid becoming a victim of a phishing attack.
9. Similarly, on receipt of an SMS from a banking/financial institution
instructing you to change your password, the legitimacy of the SMS
should be verified to avoid becoming a victim of a smishing attack.
10. In case E-Mail accounts/user accounts have been hacked, the
respective agencies/institutes should be contacted immediately.
Keyloggers and Spywares
• Keystroke logging, often called keylogging, is the practice of noting the
keys struck on a keyboard, typically in a covert manner so that the
person using the keyboard is unaware that such actions are being
monitored.

• Keyloggers can be classified as:
1. software keyloggers
2. hardware keyloggers.
Software keyloggers
• These are software programs installed on the computer system, usually
located between the OS and the keyboard hardware, so that every
keystroke is recorded.
• They are installed on a computer system by Trojans or viruses without
the knowledge of the user.
• A keylogger usually consists of two files that get installed in the
same directory: a dynamic link library (DLL) file and an executable
file that installs the DLL file and triggers it to work. The DLL does
all the recording of keystrokes.
Hardware keyloggers
• To install these keyloggers, physical access to the computer system is
required. Hardware keyloggers are small hardware devices.
• These are connected to the PC and/or to the keyboard and save every
keystroke into a file or in the memory of the hardware device.
• Cybercriminals install such devices on ATM machines to capture ATM
card PINs.
Antikeylogger
• An antikeylogger is a tool that can detect a keylogger installed on
the computer system and can also remove it.
• Advantages of using an antikeylogger are as follows:
1. Firewalls cannot detect the installation of keyloggers on a system;
antikeyloggers can.
2. Unlike antivirus and antispyware programs, this software does not
depend on regular updates of a signature base to work effectively; a
signature-based product that is not updated does not serve its purpose,
which puts users at risk.
3. It prevents Internet banking frauds: passwords can easily be stolen
by installing keyloggers.
4. It prevents ID theft.
5. It secures E-Mail and instant messaging/chatting.
Spywares
• Spyware is a type of malware that is installed on computers and
collects information about users without their knowledge.
• The presence of spyware is typically hidden from the user; it is
secretly installed on the user's personal computer.
• Sometimes, however, spyware such as a keylogger is installed on
purpose by the owner of a shared, corporate or public computer to
secretly monitor other users.
• The features and functions of such spyware go beyond simple
monitoring. Spyware programs collect personal information about the
victim, such as Internet surfing habits/patterns and websites visited.
• Spyware can also redirect Internet surfing activity by installing
another stealth utility on the user's computer system.
• Spyware may also be able to change computer settings, which may
result in slower Internet connection speeds and slower response time.
• Various spyware programs are in circulation, and installing
anti-spyware software has become a common element of computer security
practice.
Viruses and Worms
• Computer virus is a program that can “infect” legitimate programs by modifying
them to include a possibly “evolved” copy of itself.
• Viruses spread themselves, without the knowledge or permission of the users, to
potentially large numbers of programs on many machines.
• A computer virus passes from computer to computer in a similar manner as a
biological virus passes from person to person.
• Viruses may also contain malicious instructions that may cause damage or
annoyance; the combination of possibly Malicious Code with the ability to spread
is what makes viruses a considerable concern.
• Viruses can often spread without any readily visible symptoms.
• A virus can start from event-driven effects (e.g., triggered after a
specific number of executions), time-driven effects (e.g., triggered
on a specific date, such as Friday the 13th) or at random.
• Viruses can take some typical actions:
1. Display a message to prompt an action which may set off the virus;
2. Delete files inside the system into which the virus has entered;
3. Scramble data on a hard disk;
4. Cause erratic screen behaviour;
5. Halt the system;
6. Just replicate themselves to propagate further harm.
• Figures 4.1–4.3 explain how viruses spread (a) through the Internet,
(b) through a stand-alone computer system and (c) through local
networks.
• A computer virus has the ability to copy itself and infect the system.
• The term "virus" is also commonly but erroneously used to refer to
other types of malware, adware and spyware programs that do not have
reproductive ability; it is sometimes used as a catch-all phrase for
all of them.
• A true virus can only spread from one system to another (in some form
of executable code) when its host is taken to the target computer; for
instance, when a user sends it over the Internet or a network, or
carries it on removable media such as a CD, DVD or USB drive.
• Viruses can increase their chances of spreading to other systems by
infecting files on a network file system or a file system that is
accessed by another system.
• Viruses are sometimes confused with computer worms and Trojan Horses,
which are technically different.
Differences between Computer Viruses and Worms
• (The comparison table of the original slides is not reproduced here.)
The essential difference: a virus attaches itself to a host program or
file and needs that host to be executed or carried to a new machine in
order to spread, whereas a worm is a stand-alone program that
replicates itself across a network on its own, by exploiting a service
or mailing copies of itself, without a host file and without user
action.
Types of Viruses
• Boot sector viruses
• Program viruses
• Multipartite viruses
• Stealth viruses
• Polymorphic viruses
• Macroviruses
• ActiveX and Java controls
Boot sector viruses:
• A boot sector virus infects the storage media on which the OS is
stored and which is used to start the computer system.
• All data/programs are stored on floppy disks and hard drives in small
sections called sectors. The first sector is called the boot sector
and it carries the master boot record (MBR).
• The MBR's function is to read and load the OS, that is, it enables the
computer system to start the OS.
• Once the victim's hard drive is infected, all the floppy diskettes
used in the system will be infected.
• Boot sector viruses often spread to other systems when shared infected
disks and pirated software are used.
• Program viruses:
• These viruses become active when the program file (usually with
extension .bin, .com, .exe, .ovl or .drv) is executed (i.e., opened or
started).
• Once a program file is infected, the virus makes copies of itself and
infects the other programs on the computer system.
• Multipartite viruses:
• A multipartite virus is a hybrid of a boot sector and a program virus.
• It infects program files along with the boot record when the infected
program is active.
• When the victim starts the computer system next time, it will infect
the local drive and other programs on the victim's computer system.
• Stealth viruses:
• A stealth virus camouflages and/or masks itself, so detecting this
type of virus is very difficult.
• It can disguise itself in such a way that even antivirus software
cannot detect it, which allows it to keep spreading through the
computer system.
• It hides the change in file size and conceals itself in the computer's
memory to remain in the system undetected.
• The first PC virus, named Brain, was a stealth virus.
• Polymorphic viruses:
• A polymorphic virus acts like a "chameleon": it changes its virus
signature (i.e., its binary pattern) every time it spreads (i.e.,
multiplies and infects a new file), typically by encrypting its body
under a new key and varying the small decryption routine.
• Hence it is always difficult to detect a polymorphic virus with a
signature-based antivirus program. Polymorphic generators are routines
(i.e., small programs) that can be linked with existing viruses.
• These generators are not viruses themselves; their purpose is to hide
actual viruses under the cloak of polymorphism.
• The first all-purpose polymorphic generator was the Mutation Engine
(MtE), published in 1991.
• Other known polymorphic generators are Dark Angel's Multiple Encryptor
(DAME), Darwinian Genetic Mutation Engine (DGME), Dark Slayer Mutation
Engine (DSME), MutaGen, Guns'n'Roses Polymorphic Engine (GPE) and Dark
Slayer Confusion Engine (DSCE).
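Added example, not from the slides: a toy in Python that shows why signature scanning fails against polymorphism and what emulation buys back. The "virus body" is a harmless constructed byte string; mutate() plays the polymorphic engine (XOR-encrypting the body under a fresh random key behind a small stub, the way the generators above wrap a virus), scan() is a plain signature scanner, and emulate_decryptor() is the scanner's countermeasure. Nothing in it executes code; it only transforms bytes. The stub layout and the magic marker are assumptions of this example.

```python
import os

# Constructed stand-in for a virus body (kept printable so it is easy to read).
BODY = b"PAYLOAD: copy self into every .exe then show message"
# The byte pattern a signature database would hold for this body.
SIGNATURE = b"copy self into every .exe"

STUB_MAGIC = b"\xde\xc0"     # marks the toy "decryptor stub"; layout: MAGIC | key | 3 junk bytes
STUB_LEN = len(STUB_MAGIC) + 1 + 3


def scan(data, signature=SIGNATURE):
    """Plain signature scan: True if the known byte pattern appears in the file."""
    return signature in data


def mutate(body=BODY):
    """Polymorphic engine: XOR the body with a random non-zero key and prepend a
    stub carrying the key plus random junk, so every generated copy differs."""
    key = os.urandom(1)[0] or 0x5A          # key 0 would leave the body in clear
    junk = os.urandom(3)                    # stands in for variable junk instructions
    encrypted = bytes(b ^ key for b in body)
    return STUB_MAGIC + bytes([key]) + junk + encrypted


def emulate_decryptor(sample):
    """What an emulating scanner does: recognise the stub, run its decryption loop
    and hand back the constant body underneath. Unpacked input is returned as-is."""
    if not sample.startswith(STUB_MAGIC):
        return sample
    key = sample[len(STUB_MAGIC)]
    return bytes(b ^ key for b in sample[STUB_LEN:])


def decrypt_and_scan(sample, signature=SIGNATURE):
    """Signature scan applied after emulating the decryptor."""
    return scan(emulate_decryptor(sample), signature)


def demo(generations=5):
    """Generate several infections and count what each scanning strategy catches."""
    samples = [mutate() for _ in range(generations)]
    return {
        "all_distinct": len(set(samples)) == generations,
        "static_scan_hits": sum(scan(s) for s in samples),
        "emulated_scan_hits": sum(decrypt_and_scan(s) for s in samples),
    }


if __name__ == "__main__":
    print(demo())
```

The static scanner misses every generation because the only constant bytes are the tiny stub, while the emulated scan recovers the body and matches all of them. In practice the stub marker used here would itself become a signature, which is why real polymorphic engines also permute and pad the decryptor, and why antivirus products moved to emulation and behavioural heuristics rather than byte patterns alone.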
• Macroviruses:
• Many applications, such as MS Word and MS Excel, support macros. A
macrovirus is programmed as a macro embedded in a document.
• Once a macrovirus gets onto a victim's computer, every document he/she
produces will become infected.
• This type of virus is relatively new and may slip past antivirus
software if the user does not have the most recent version installed.
• ActiveX and Java controls:
• All web browsers have settings for ActiveX and Java controls.
• A little awareness is needed about managing these browser settings,
which prohibit or allow certain functions (such as pop-ups, file
downloads and sound); leaving them open invites threats from unwanted
software floating in cyberspace.
• Almost every day new viruses/worms are created and become a new threat
to netizens.
• In summary, across different platforms (i.e., OS and/or applications),
a typical definition of a computer virus/worm covers various aspects
[21] such as:
1. A virus attacks specific file types (or files).
2. A virus manipulates a program to execute tasks unintentionally.
3. An infected program produces more viruses.
4. An infected program may run without error for a long time.
5. Viruses can modify themselves and may possibly escape detection this
way.
Trojan Horses and Backdoors
• A Trojan Horse is a program in which malicious or harmful code is
contained inside apparently harmless programming or data in such a way
that it can get control and cause harm, for example by ruining the file
allocation table on the hard disk.
• A Trojan Horse may get widely redistributed as part of a computer virus.
• The term Trojan Horse comes from the Greek myth of the Trojan War.
• Like spyware and adware, Trojans can get into the system in a number
of ways, including from a web browser, via E-Mail or bundled with other
software downloaded from the Internet.
• It is also possible to inadvertently transfer malware through a USB
flash drive or other portable media, and one may be forced to reformat
the drive or device to eliminate the infection and avoid transferring
it to other machines.
• Unlike viruses or worms, Trojans do not replicate themselves, but they
can be equally destructive.
• On the surface, Trojans appear benign and harmless, but once the
infected code is executed, the Trojan kicks in and performs malicious
functions that harm the computer system without the user's knowledge.
• For example, waterfalls.scr is a waterfall screen saver, as originally
claimed by its author; however, it can be bundled with malware and
become a Trojan that unloads hidden programs and allows unauthorized
access to the user's PC.
• Some typical examples of threats by Trojans are as follows:
1. They erase, overwrite or corrupt data on a computer.
2. They help to spread other malware such as viruses (by a dropper Trojan).
3. They deactivate or interfere with antivirus and firewall programs.
4. They allow remote access to your computer (by a remote access Trojan).
5. They upload and download files without your knowledge.
6. They gather E-Mail addresses and use them for Spam.
7. They log keystrokes to steal information such as passwords and credit card numbers.
8. They copy fake links to false websites, display porno sites, play sounds/videos and display
images.
9. They slow down, restart or shutdown the system.
10. They reinstall themselves after being disabled.
11. They disable the task manager.
12. They disable the control panel.
Trojan Horses and Backdoors
Backdoors
• A means of access to a computer program that bypasses security
mechanisms. A programmer may sometimes install a backdoor so that
the program can be accessed for troubleshooting or other purposes.
• A backdoor works in the background and hides from the user.
• Most backdoors are autonomous malicious programs that must be
somehow installed on a computer.
• Some parasites do not require installation, as their parts are already
integrated into particular software running on a remote host.
Trojan Horses and Backdoors
What does a Backdoor do?
• It allows an attacker to create, delete, rename, copy or edit any
file, execute various commands; change any system settings; alter
the Windows registry; run, control and terminate applications;
install arbitrary software and parasites.
• It allows an attacker to control computer hardware devices,
modify related settings, shutdown or restart a computer without
asking for user permission.
Trojan Horses and Backdoors
What does a Backdoor do? (Cont…)
• It steals sensitive personal information, valuable documents,
passwords, login names, ID details; logs user activity and tracks web
browsing habits.
• It records keystrokes that a user types on a computer’s keyboard
and captures screenshots.
• It sends all gathered data to a predefined E-Mail address, uploads it
to a predetermined FTP server or transfers it through a background
Internet connection to a remote host.
Trojan Horses and Backdoors
What does a Backdoor do? (Cont…)
• It infects files, corrupts installed applications and damages
the entire system.
• It distributes infected files to remote computers with certain
security vulnerabilities and performs attacks against hacker-
defined remote hosts.
• It installs a hidden FTP server that can be used by malicious
persons for various illegal purposes.
Trojan Horses and Backdoors
What does a Backdoor do? (Cont…)
• It degrades Internet connection speed and overall system
performance, decreases system security and causes
software instability. Some parasites are badly programmed
as they waste too many computer resources and conflict
with installed applications.
• It provides no uninstall feature, and hides processes, files
and other objects to complicate its removal as much as
possible.
Trojan Horses and Backdoors
Two examples of backdoor Trojans
• Back Orifice: It is a well-known example of backdoor Trojan designed
for remote system administration. It enables a user to control a
computer running the MS Windows OS from a remote location. The
name is a word play on MS BackOffice Server software.
• Bifrost: It is another backdoor Trojan that can infect Windows 95
through Vista. It uses the typical server, server builder and client
backdoor program configuration to allow a remote attacker, who uses the
client, to execute arbitrary code on the compromised machine.
Trojan Horses and Backdoors
How to protect from Trojan Horses and Backdoors
1. Stay away from suspect websites/weblinks: Avoid downloading free/pirated
software that is often infected by Trojans, worms, viruses and other things.
2. Surf on the Web cautiously: Avoid connecting to and/or downloading any
information from P2P networks, which are among the most dangerous networks for spreading
Trojan Horses and other threats. P2P networks create files packed with
malicious software, and then rename them to match the common
search terms that are used while looking for information on the Web.
3. Install antivirus/Trojan remover software: Free Trojan remover programs are
also available on the Web and some of them are really good.
Steganography
• Steganography is the art and science of writing hidden messages in
such a way that no one apart from the intended recipient knows
the existence of the message;
• That is in contrast to cryptography, where the existence of the
message itself is not disguised, but the content is obscured.
• The word “steganography” comes from the two Greek words:
steganos meaning “covered” and graphein meaning “to write” that
means “concealed writing.”
Steganography
• For example, in a digital image the least significant bit of each
word can be used to carry a message without causing any
significant change in the image.
• Steganography can be used to make a digital watermark to detect
illegal copying of digital images. Thus, it aids confidentiality and
integrity of the data.
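The least-significant-bit technique described above, as an added example that is not part of the original slides. The cover is a constructed list of 8-bit grayscale pixel values rather than a real image file, and the 32-bit length header is a convention chosen here so the extractor knows where the payload ends.

```python
# Added example: LSB embedding into a constructed list of 8-bit pixel values.
# Not from the original slides; a real image would be read with an imaging
# library, which is omitted so the block runs offline.

# Constructed 512-pixel grayscale cover (any list of byte values works).
COVER = [(i * 37 + 11) % 256 for i in range(512)]
LENGTH_BITS = 32  # constructed convention: big-endian payload length header


def iter_bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: list, message: bytes) -> list:
    """Return a copy of cover whose least significant bits carry
    a 32-bit length header followed by the message bytes."""
    payload = len(message).to_bytes(LENGTH_BITS // 8, "big") + message
    if 8 * len(payload) > len(cover):
        raise ValueError("cover has too few redundant bits for this message")
    stego = list(cover)
    for idx, bit in enumerate(iter_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit  # clear the LSB, then set it
    return stego


def read_int(lsbs: list, start: int, nbits: int) -> int:
    """Reassemble nbits consecutive LSBs (MSB first) into an integer."""
    value = 0
    for bit in lsbs[start:start + nbits]:
        value = (value << 1) | bit
    return value


def extract(stego: list) -> bytes:
    """Recover the message: read the length header, then that many bytes."""
    lsbs = [v & 1 for v in stego]
    length = read_int(lsbs, 0, LENGTH_BITS)
    return bytes(read_int(lsbs, LENGTH_BITS + 8 * i, 8) for i in range(length))


def max_pixel_change(cover: list, stego: list) -> int:
    """Largest per-pixel difference; LSB replacement never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    hidden = embed(COVER, b"meet at dawn")
    print(extract(hidden), max_pixel_change(COVER, hidden))
```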
Steganography
• Interestingly, steganography in digital media is very similar
to “digital watermarking”. In other words, when
steganography is used to place a hidden “trademark” in
images, music and software, the result is a technique
referred to as “watermarking”.
• The term “cover” or “cover medium” is used to describe
the original, innocent message, data, audio, still, video and
so on. It is the medium that hides the secret message.
Steganography
• It must have parts that can be altered or used without
damaging or noticeably changing the cover media. If the
cover media are digital, these alterable parts are called
“redundant bits.”
• These bits or a subset can be replaced with the message
that is intended to be hidden.
Steganography

Steganalysis
• Steganalysis is the art and science of detecting messages that are hidden in images,
audio/video files using steganography. The goal is to identify suspected
packages and to determine whether or not they have a payload encoded
into them, and if possible recover it.
DoS Attacks
• In this type of criminal act, the attacker floods the bandwidth of the
victim’s network or fills his E-Mail box with Spam mail depriving him of
the services he is entitled to access or provide.
• It generally consists of the concerted efforts of a person or people to
prevent the Internet site or service from functioning efficiently or at all,
temporarily or indefinitely.
• The attackers typically target sites or services hosted on high-profile web
servers such as banks, credit card payment gateways, mobile phone
networks and even root name servers.
DoS Attacks
• A buffer overflow technique is employed to commit this kind of
criminal attack, known as Spoofing.
• The attacker spoofs the IP address and floods the network of the
victim with repeated requests.
• As the IP address is fake, the victim machine keeps waiting for a
response from the attacker’s machine for each request.
• This consumes the bandwidth of the network, which then fails to
serve the legitimate requests.
DoS Attacks
• The United States Computer Emergency Response Team
defines symptoms of DoS attacks to include:
• Unusually slow network performance (opening files or accessing
websites);
• Unavailability of a particular website;
• Inability to access any website;
• Dramatic increase in the number of Spam E-Mails received (this
type of DoS attack is termed as E-Mail Bomb).
DoS Attacks
• A DoS attack may do the following:
• Flood a network with traffic, thereby preventing legitimate
network traffic.
• Disrupt connections between two systems, thereby preventing
access to a service.
• Prevent a particular individual from accessing a service.
• Disrupt service to a specific system or person.
DoS Attacks
• Classification of DoS Attacks:
DoS Attacks
• Classification of DoS Attacks (Cont…)
Tools Used to Launch DoS Attack
DDoS Attacks
• It is a distributed DoS wherein a large number of zombie systems are
synchronized to attack a particular system. The zombie systems are called
secondary victims and the main target is called primary victim.
• Malware can carry DDoS attack mechanisms; one of the better-known
examples of this is MyDoom.
• Typically, the DoS mechanism is triggered on a specific date and time. This type
of DDoS attack involves hardcoding the target IP address prior to release
of the malware, hence no further interaction is necessary to launch the
attack.
DDoS Attacks

• A system may also be compromised with a
Trojan, allowing the attacker to download a
zombie agent. Nowadays, Botnet is the popular
medium to launch DoS/DDoS attacks.
DDoS Attacks
How to protect from DoS/DDoS Attacks
The Computer Emergency Response Team Coordination Center offers many preventive measures against
becoming a victim of a DoS attack:
1. Implement router filters. This will lessen your exposure to certain DoS attacks.
2. If such filters are available for your system, install patches to guard against TCP SYN flooding.
3. Disable any unused or inessential network service. This can limit the ability of an attacker to
take advantage of these services to execute a DoS attack.
4. Enable quota systems on your OS if they are available.
5. Observe your system’s performance and establish baselines for ordinary activity. Use the
baseline to gauge unusual levels of disk activity, CPU usage or network traffic.
6. Routinely examine your physical security with regard to your current needs.
DDoS Attacks
How to protect from DoS/DDoS Attacks
7. Use Tripwire or a similar tool to detect changes in configuration
information or other files.
8. Invest in redundant and fault-tolerant network configurations.
9. Invest in and maintain “hot spares” – machines that can be placed into
service quickly if a similar machine is disabled.
10. Establish and maintain regular backup schedules and policies, particularly
for important configuration information.
11. Establish and maintain appropriate password policies, especially access to
highly privileged accounts such as Unix root or MS Windows NT
Administrator.
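Step 5 above (establish a baseline and gauge unusual levels against it) applied to the half-open TCP connections a SYN flood leaves behind, as an added example that is not part of the original slides. The input is constructed text in the style of a `netstat -ant` listing; the baseline value and the alert factor are assumptions you would replace with measurements from your own system.

```python
# Added example: baseline check for half-open TCP connections (not from
# the slides). Input is constructed text in the style of a `netstat -ant`
# listing; SYN_RECV is the Linux state name for a half-open connection.
from collections import Counter

# Constructed listing: two normal entries plus eight half-open ones from
# distinct remote addresses, which is how a flood with spoofed sources looks.
SAMPLE_LISTING = """\
tcp 0 0 10.0.0.5:443 203.0.113.7:51234 ESTABLISHED
tcp 0 0 10.0.0.5:443 203.0.113.8:51240 TIME_WAIT
tcp 0 0 10.0.0.5:443 198.51.100.1:40001 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.2:40002 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.3:40003 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.4:40004 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.5:40005 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.6:40006 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.7:40007 SYN_RECV
tcp 0 0 10.0.0.5:443 198.51.100.8:40008 SYN_RECV
"""


def half_open_by_source(listing: str) -> Counter:
    """Count SYN_RECV entries per remote IP address."""
    counts = Counter()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[5] != "SYN_RECV":
            continue
        remote_ip = parts[4].rsplit(":", 1)[0]  # strip the port
        counts[remote_ip] += 1
    return counts


def assess(listing: str, baseline_half_open: int, factor: float = 3.0) -> dict:
    """Compare the current half-open total with the baseline measured
    during ordinary activity; baseline and factor are assumed values."""
    per_source = half_open_by_source(listing)
    total = sum(per_source.values())
    return {
        "total": total,
        "distinct_sources": len(per_source),
        # Spoofed sources each appear once, so a per-source threshold
        # misses the flood; the total against the baseline is the signal.
        "alert": total >= factor * max(baseline_half_open, 1),
        "top_sources": per_source.most_common(3),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LISTING, baseline_half_open=2))
```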
SQL Injection (SQL Insertion)
• Structured Query Language (SQL) is a database computer language
designed for managing data in RDBMS.
• SQL injection is a code injection technique that exploits a security
vulnerability occurring in the database layer of an application.
• The vulnerability is present when user input is either filtered incorrectly for
string literal escape characters embedded in SQL statements or user input is
not strongly typed and thereby unexpectedly executed.
• It is an instance of a more general class of vulnerabilities that can occur
whenever one programming or scripting language is embedded inside
another.
SQL Injection (SQL Insertion)
• The prime objective behind SQL injection attack is to obtain the information while
accessing a database table that may contain personal information such as credit
card numbers, social security numbers or passwords.
• Just as a legitimate user enters queries and additions to the SQL database via a
web form, the attacker can insert commands to the SQL server through the same
web form field.
• The attacker determines whether a database and the tables residing in it are
vulnerable before launching an attack. Many webpages take parameters from the
web user and make an SQL query to the database. With SQL injection, it is possible
for an attacker to send a crafted username and/or password field that will change
the SQL query.
SQL Injection (SQL Insertion)
Steps for SQL Injection attack
1. The attacker looks for the webpages that allow submitting data, that is, login page,
search page, feedback, etc. The attacker also looks for the webpages that display the
HTML commands such as POST or GET by checking the site’s source code.
2. To check the source code of any website, right click on the webpage and click on “view
source” (if you are using IE); the source code is displayed in Notepad. The attacker
checks the source code of the HTML and looks for the “FORM” tag in the HTML code.
Everything between <FORM> and </FORM> has potential parameters that might
be useful to find the vulnerabilities.
<FORM action=search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>
SQL Injection (SQL Insertion)
Steps for SQL Injection attack
3. The attacker inputs a single quote in the text box provided on the
webpage to accept the username and password. This checks whether
the user-input variable is sanitized or interpreted literally by the server.
If the response is an error message such as use “a”=“a” (or something
similar), then the website is found to be susceptible to an SQL injection
attack.
4. The attacker uses SQL commands such as SELECT statement command
to retrieve data from the database or INSERT statement to add
information to the database.
SQL Injection (SQL Insertion)
In summary, using SQL injections, attackers can:
1. Obtain some basic information if the purpose of the attack is
reconnaissance
2. May gain access to the database by obtaining username and
their password
3. Add new data to the database
4. Modify data currently in the database
SQL Injection (SQL Insertion)
How to prevent SQL Injection Attacks
SQL injection attacks occur due to poor website administration and coding. The
following steps can be taken to prevent SQL injection:
1. Input validation
• Replace all single quotes with two single quotes.
• Sanitize the input: User input needs to be checked and cleaned of any
characters or strings that could possibly be used maliciously. For example, character
sequences such as ;, --, select, insert and xp_ can be used to perform an SQL
injection attack.
• Numeric values should be checked while accepting a query string value.
Function – IsNumeric() for Active Server Pages should be used to check these
numeric values.
• Keep all text boxes and form fields as short as possible to limit the length of
user input.
SQL Injection (SQL Insertion)
How to prevent SQL Injection Attacks
2. Modify error reports: SQL errors should not be displayed to outside users and, to avoid
this, the developer should handle or configure the error reports very carefully. These
errors sometimes display the full query, pointing to the syntax error involved, and the
attacker can use it for further attacks.
3. Other preventions:
1. The default system accounts for SQL server should never be used.
2. Isolate database server and web server. Both should reside on different machines.
3. Most often, attackers make use of several extended stored procedures such as
xp_cmdshell and xp_grantlogin in SQL injection attacks. Where such extended
stored procedures are not needed, they, along with any unused functions, triggers,
stored procedures, user-defined functions, etc., should be moved to an
isolated server.
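The single-quote probe from step 3 of the attack steps and the input-validation rules above, shown side by side on a concatenated query and its parameterized replacement. This is an added example, not code from the original slides; it uses an in-memory SQLite table with one constructed account, and the quote-doubling helper is included only to contrast it with query parameters.

```python
# Added example (not from the slides): the same login lookup written with
# string concatenation and with query parameters, against an in-memory
# SQLite table holding one constructed user.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with a single account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'constructed-secret')")
    return con


def login_vulnerable(con, username: str, password: str):
    """Concatenates user input into the statement. A single quote in the
    input ends the string literal, so the rest of the input is read as SQL
    and an attacker-supplied condition changes the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()


def login_parameterized(con, username: str, password: str):
    """Uses placeholders: the values travel separately from the SQL text,
    so quotes in the input stay data. This is the preferred fix."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()


def double_quotes(text: str) -> str:
    """The slide's first rule (replace ' with ''), for comparison. It only
    protects quoted string literals, not numeric or identifier positions."""
    return text.replace("'", "''")


def probe_is_error(con) -> bool:
    """The single-quote probe from step 3: a lone ' breaks the syntax of the
    concatenated query. A site that shows this error leaks that fact."""
    try:
        login_vulnerable(con, "'", "x")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "' OR 'a'='a"))     # row returned
    print(login_parameterized(db, "alice", "' OR 'a'='a"))  # None
```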
