Module 4: Tools and Methods Used in Cybercrime

Syllabus:
Module 4: Tools and Methods used in Cybercrime: Introduction, Proxy servers and anonymizers, Phishing, Password cracking.
SLT: Virus and Worms
Introduction:
• The basic stages of an attack are:
1. Initial Uncovering
2. Network Probe
3. Crossing the line toward electronic crime (E-Crime)
4. Capturing the network
5. Grab the data
6. Covering Tracks
1. Initial Uncovering:
• Reconnaissance
• Uncovers information about the target.

2. Network Probe:
• Uses more invasive techniques to scan the target for information, such as:
• Ping sweep
• Port scanning tool
3. Crossing the line towards electronic crime (E-Crime):
• Make use of all possible holes on the target system.
• Weaknesses in common gateway interface (CGI) scripts are a common way in.
• The easiest way to gain an entry is by checking for default login accounts or empty passwords.

4. Capturing the network:
• At this stage, the attacker attempts to “own” the network.
• The attacker quickly and easily gains a foothold in the internal network of the target system.
• The next step is to remove any evidence of the attack. There are a number of hacking tools that the attacker will install to clean up log files and remove any trace of an intrusion.
5. Grab the data:
• Attacker has “captured the network”.
• Steal the confidential data, customer credit card information etc.
• Launch attacks at other sites from victim’s network.

6. Covering Tracks:
• This refers to the activities undertaken by the attacker to extend misuse of the system without being detected.
• The attacker can remain undetected for long periods.

• Throughout all six stages, the attacker takes optimum care to hide his/her identity, from the first step onwards.
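The Network Probe stage above (ping sweeps and port scans) is the first point at which the attacker's activity is visible in a defender's own logs. The script below is an added example, not part of the module: it parses a constructed, simplified firewall log format (ISO timestamp, src, dst, proto, dport; not any real firewall's output) and flags a source that touches many distinct ports on one host within a time window (port scan) or sends ICMP to many hosts (ping sweep). The thresholds and window are assumptions a defender would tune to their own network.

```python
"""Spotting the "Network Probe" stage (ping sweep / port scan) in firewall logs.

Added example: constructed log format and constructed sample data; the
thresholds are assumptions, not values from any product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\S+)$"
)


def build_sample_log():
    """Constructed sample: 10.0.0.5 scans 30 ports on one server and pings 25
    hosts; 10.0.0.7 does ordinary mail and web traffic to one server."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(30):  # port scan: 30 ports on one target within 10 s
        ts = (t0 + timedelta(seconds=i // 3)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=192.168.1.10 proto=tcp dport={20 + i}")
    for i in range(25):  # ping sweep: one ICMP echo to each of 25 hosts
        ts = (t0 + timedelta(seconds=15 + i // 5)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=192.168.1.{i + 1} proto=icmp dport=-")
    for i in range(10):  # normal client: SMTP and HTTPS to one server
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        port = 443 if i % 2 else 25
        lines.append(f"{ts} src=10.0.0.7 dst=192.168.1.20 proto=tcp dport={port}")
    return lines


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_probes(lines, window_seconds=60, port_threshold=15, host_threshold=10):
    """Group events per (source, time window); flag sources touching many distinct
    ports on one host (port scan) or many hosts over ICMP (ping sweep)."""
    tcp_ports = defaultdict(lambda: defaultdict(set))  # (src, bucket) -> dst -> ports
    icmp_hosts = defaultdict(set)                       # (src, bucket) -> hosts
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than trusted
        bucket = int(rec["ts"].timestamp() // window_seconds)
        key = (rec["src"], bucket)
        if rec["proto"] == "tcp":
            tcp_ports[key][rec["dst"]].add(rec["dport"])
        elif rec["proto"] == "icmp":
            icmp_hosts[key].add(rec["dst"])
    findings = []
    for (src, _), per_dst in tcp_ports.items():
        for dst, ports in per_dst.items():
            if len(ports) >= port_threshold:
                findings.append({"type": "port_scan", "src": src, "dst": dst, "count": len(ports)})
    for (src, _), hosts in icmp_hosts.items():
        if len(hosts) >= host_threshold:
            findings.append({"type": "ping_sweep", "src": src, "count": len(hosts)})
    return findings


if __name__ == "__main__":
    for finding in detect_probes(build_sample_log()):
        print(finding)
```

Running it reports one port scan and one ping sweep, both from 10.0.0.5, and nothing for the normal client; in a real deployment the same counting would be fed by the firewall's own log export rather than the constructed lines here.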
Proxy Servers and Anonymizers:
• A proxy server is a computer on the network which acts as an intermediary for connections with other computers on that network.
• The attacker first connects to a proxy server and then establishes the connection with the target system through it.
• This enables an attacker to surf the web anonymously and hide the attack.
Example: A client connects to the proxy server and requests some
services available from a different server.
The proxy server evaluates the request and provides the resource by
establishing the connection to the respective server and requests the
required service on behalf of the client.
• A proxy server can allow an attacker to hide their identity.
• A proxy server has the following purposes:
1. Keep the systems behind it hidden from the outside.
2. Speed up access to a resource (through “caching”). It is usually used to cache the webpages from a web server.
3. Specialized proxy servers are used to filter unwanted content such as advertisements.
4. A proxy server can be used as an IP address multiplexer, enabling a number of computers to connect to the internet when only one IP address is available.

• Advantage of a proxy server: its cache memory can serve all users.
• An anonymizer or an anonymous proxy is a tool that attempts to make activity on the internet untraceable.
• It accesses the internet on the user’s behalf, protecting personal information by hiding the source computer’s identifying information.
• In 1997, the first anonymizer software tool was created by Lance Cottrell and developed by Anonymizer.com.
• The anonymizer hides/removes all the identifying information from a user’s computer while the user surfs the Internet, which ensures the privacy of the user.
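To make the four purposes above concrete, here is an added in-memory model of a caching proxy (not part of the module and not any real proxy product). It shows the origin server recording only the proxy's outbound address, repeated requests being answered from cache, an ad path being filtered, and three clients sharing one outbound IP. All hosts, paths and addresses are constructed.

```python
"""In-memory model of a caching proxy standing between clients and a web server.

Added example: a simulation of the behaviour described in the bullets above,
with constructed hosts, paths and addresses.
"""


class OriginServer:
    """Stands in for the web server. It logs the source address of each request,
    which is how we can see that it never learns the clients' own addresses."""

    def __init__(self, pages):
        self.pages = pages           # path -> body
        self.requests_seen = []      # (source_ip, path)

    def get(self, source_ip, path):
        self.requests_seen.append((source_ip, path))
        return self.pages.get(path, "404 Not Found")


class ProxyServer:
    """Evaluates each client request, serves it from cache when it can, and
    otherwise fetches from the origin on the client's behalf using its own
    address (one outbound IP shared by many clients)."""

    def __init__(self, outbound_ip, origins, blocked_paths=()):
        self.outbound_ip = outbound_ip
        self.origins = origins               # host -> OriginServer
        self.blocked = set(blocked_paths)    # content filtering (e.g. ad paths)
        self.cache = {}                      # (host, path) -> body
        self.cache_hits = 0

    def request(self, client_ip, host, path):
        if path in self.blocked:
            return "403 blocked by proxy policy"
        key = (host, path)
        if key in self.cache:
            self.cache_hits += 1
            return self.cache[key]
        origin = self.origins.get(host)
        if origin is None:
            return "502 unknown upstream"
        body = origin.get(self.outbound_ip, path)   # origin sees the proxy's IP, not client_ip
        self.cache[key] = body
        return body


def run_demo():
    """Three internal clients fetch the same page and one requests an ad script."""
    origin = OriginServer({"/index.html": "<h1>Welcome</h1>", "/ads.js": "tracker"})
    proxy = ProxyServer("203.0.113.9", {"www.example.com": origin}, blocked_paths=["/ads.js"])
    clients = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    bodies = [proxy.request(ip, "www.example.com", "/index.html") for ip in clients]
    blocked = proxy.request(clients[0], "www.example.com", "/ads.js")
    return {
        "bodies": bodies,
        "blocked": blocked,
        "origin_requests": list(origin.requests_seen),
        "cache_hits": proxy.cache_hits,
        "source_ips_seen_by_origin": sorted({ip for ip, _ in origin.requests_seen}),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The origin's request log ends up with a single entry from 203.0.113.9, even though three different machines asked for the page: that single entry is exactly why a proxy hides the client and why a defender's server-side logs cannot by themselves identify who sat behind it.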
Phishing:
• Phishing is a process of stealing personal and financial data; it can also infect systems with viruses, and in many cases it is a method of online identity (ID) theft.
Example: While checking E-Mail one day, a user finds a message from the bank threatening to close the bank account if he/she does not reply immediately.
Although the message seems suspicious from its contents, it is difficult to conclude that it is a false/fake E-Mail.
• Most people associate phishing with E-Mail messages that spoof or mimic banks, credit card companies or other businesses such as Amazon.
• These messages look authentic and attempt to get users to reveal their
personal information.
• How phishing works:
1. Planning
2. Setup
3. Attack
4. Collection
5. Identity theft and Fraud
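The bank example above is hard to judge by reading alone, but several of its traits can be checked mechanically. The script below is an added example, not part of the module: it parses an e-mail with Python's standard library and scores three signs of phishing, a display name that claims a brand while the sender's domain is different, urgency phrases in the body, and a link whose visible text names one domain while its href points elsewhere. Both messages are constructed (reserved example domains and addresses), and the phrase list, brand table and last-two-labels domain extraction are simplifying assumptions of this example.

```python
"""Heuristic scoring of an e-mail for common phishing traits.

Added example: constructed messages, constructed brand table and phrase
list; domain_of() is a simplification (no public-suffix list).
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be closed",
                   "suspended", "verify now")

# Brand a message may claim in its display name -> domain that brand really uses (constructed).
KNOWN_BRANDS = {"example bank": "example.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Crude registrable domain of a URL or hostname: its last two labels."""
    host = urlparse(value).hostname if "://" in value else value
    labels = (host or "").lower().strip().split(".")
    return ".".join(labels[-2:])


def message_body(msg):
    """First text/html or text/plain part, decoded to str."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def score_message(raw_message, brands=KNOWN_BRANDS):
    """Return (score, reasons); every suspicious trait found adds one point."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address.split("@")[-1]) if "@" in address else ""
    reasons = []
    for brand, real_domain in brands.items():
        if brand in display_name.lower() and sender_domain != real_domain:
            reasons.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")
    body = message_body(msg)
    for phrase in URGENCY_PHRASES:
        if phrase in body.lower():
            reasons.append(f"urgency phrase {phrase!r}")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if "." in text and domain_of(text) != domain_of(href):
            reasons.append(f"link text {text!r} actually points to {domain_of(href)!r}")
    return len(reasons), reasons


# Constructed sample messages (reserved example domains and documentation addresses).
PHISHING_MAIL = """\
From: "Example Bank Security" <alerts@example-bank-alerts.net>
To: customer@example.org
Subject: Action required on your account
Content-Type: text/html

<html><body>
<p>Dear customer, we could not verify your details. Reply immediately or
your account will be closed within 24 hours.</p>
<p>Sign in at <a href="http://198.51.100.23/login">www.example.com</a>.</p>
</body></html>
"""

LEGITIMATE_MAIL = """\
From: "Example Bank" <notices@example.com>
To: customer@example.org
Subject: Your April statement is ready
Content-Type: text/html

<html><body><p>Your statement is available in online banking at
<a href="https://www.example.com/statements">www.example.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, mail in (("phishing", PHISHING_MAIL), ("legitimate", LEGITIMATE_MAIL)):
        print(name, score_message(mail))
```

The phishing sample scores 5 (brand mismatch, three urgency phrases, one misleading link) and the legitimate one scores 0. A score is a triage aid, not proof: a careful attacker can avoid all three traits, and a genuine bank notice can trip an urgency phrase, so the reasons list matters more than the number.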
Password Cracking:
• A password is like a key: it opens the lock that guards entry into a computerized system.
• Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system.
• Usually, an attacker follows a common approach: repeatedly making guesses for the password.
• The purpose of password cracking is as follows:
1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily
crackable passwords.
3. To gain unauthorized access to a system.
• Manual password cracking means attempting to log on with different passwords.
• The attacker follows the following steps:
1. Find a valid user account such as an Administrator or Guest;
2. Create a list of possible passwords;
3. Rank the passwords from high to low probability;
4. Key-in each password;
5. Try again until a successful password is found.

• Passwords can sometimes be guessed with knowledge of the user’s personal information.
Example: User’s DOB, vehicle number, mobile number etc.
• An attacker can also create a script file (i.e., an automated program) which will be executed to try each password in a list.
• Passwords are stored in a database, and a password verification process is built into the system for when a user attempts to log in or access a restricted resource.
• To ensure confidentiality of passwords, the password verification data is usually not stored in clear text format.
Example: A one-way function (either an encryption function or a cryptographic hash) is applied to the password.
The most commonly used hash functions can be computed rapidly, and the attacker can test these hashes with the help of password cracking tools to get the plain text password.
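The last point above is the defender's lever: if the stored verification data is a fast, unsalted hash, every guess is cheap and identical passwords produce identical hashes, so one precomputed table serves every account. The added example below (not the module's code) shows the alternative using only Python's standard library, a per-user random salt and a deliberately slow PBKDF2 derivation verified with a constant-time comparison. The iteration count and record format are this example's own choices.

```python
"""Storing password verification data as a salted, slow one-way hash.

Added example built on hashlib.pbkdf2_hmac and hmac.compare_digest; the
iteration count and the record layout are choices of this example.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 300_000  # work factor: raises the cost of testing each guess


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def fast_unsalted_hash(password):
    """What NOT to store: a fast, unsalted digest. Equal passwords give equal
    hashes, so one precomputed table cracks every account sharing a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


class UserStore:
    """Keeps only the verification record, never the clear-text password."""

    def __init__(self):
        self._records = {}

    def register(self, username, password):
        self._records[username] = hash_password(password)

    def login(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Hash against a dummy salt so unknown users cost the same time as known ones.
            hash_password(password, salt=b"\x00" * 16)
            return False
        return verify_password(password, record)

    def record_for(self, username):
        return self._records.get(username)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "Convert_$100 to Euros!")
    print(store.record_for("alice"))
    print(store.login("alice", "Convert_$100 to Euros!"), store.login("alice", "December12"))
```

Two registrations of the same password give two different records because the salt differs, whereas fast_unsalted_hash() gives the same digest every time; that difference is what forces a cracker to attack each account separately and to pay the full work factor per guess.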
Password Cracking Tools:
• Password cracking attacks can be classified under three categories as
follows:
1. Online attacks
2. Offline attacks
3. Non-electronic attacks
1. Online Attacks:
• An attacker can create a script file that will be executed to try each password in a list; when one matches, the attacker can gain access to the system.
• The most popular online attack is the “man-in-the-middle (MITM) attack”, also termed the ‘bucket-brigade attack’ or sometimes the ‘Janus attack’.
• An MITM attack is a form of active eavesdropping in which the attacker places itself between a victim and the server to which the victim is connected, relaying the traffic between them.
• When a victim client connects to the fraudulent server, the MITM server intercepts the call, hashes the password and passes the connection on to the server the victim intended to reach.
• This type of attack is used to obtain the password for E-Mail accounts on public websites such as Yahoo, Hotmail, and Gmail, and can also be used to get the passwords for financial websites in order to gain access to banking websites.
2. Offline Attacks:
• Offline attacks are performed from a location other than the target where
these passwords reside or are used.
• Offline attacks usually require physical access to the computer and copying
the password file from the system onto removable media.
• Different types of offline password attacks:

Type of Attack          Description                                                 Example of a Password
1. Dictionary attack    Attempts to match all the words from the dictionary          Administrator
                        to get the password.
2. Hybrid attack        Substitutes numbers and symbols to get the password.         AdmInIstrator
3. Brute force attack   Attempts all possible permutation-combinations of            Adm!n@09
                        letters, numbers, and special characters.
3. Strong, Weak, and Random Passwords:
• A weak password is one that can be easily guessed: short, common, or a system default, and one that could be found by a brute force attack that tries only a subset of all possible passwords.
• Passwords that can be easily guessed by acquaintances of the netizen (such as DOB, pet’s name) are considered to be very weak.
Examples of weak passwords are:
1. Susan: Common personal name;
2. aaaa: Repeated letters, can be guessed;
3. Abc123: can be easily guessed;
4. Admin: can be easily guessed;
5. 12/3/75: date, possibly of personal importance;
6. December12
• A strong password is long enough, random or otherwise difficult to guess, and producible only by the user who chose it.
• The length of time deemed to be too long will vary with the attacker, the attacker’s resources, the ease with which a password can be tried and the value of the password to the attacker.
• A password controlling access to a large bank’s electronic money transfer system might be worth many weeks of computer time to crack.
Examples of strong passwords:
1. Convert_$100 to Euros!
2. 382456390H
3. 4pRtelai@3
4. MoOoOfln245679
5. t3wahSetyeT4
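The offline-attack table (dictionary, hybrid, brute force) and the weak/strong lists above describe the same thing from two sides: each attack type corresponds to a property a password policy can check before the password is accepted. The added example below (not the module's code) implements such a checker: it strips digits and symbols to look for a dictionary word, undoes the substitutions a hybrid attack would try, looks for personal facts, and estimates the brute-force search space from the character classes used. The word list, substitution table, personal facts and the 48-bit threshold are this example's own constructed assumptions; the passwords it is run on are the module's examples.

```python
"""Password strength assessment mirroring dictionary, hybrid and brute-force attacks.

Added example: the word list, substitution table, personal facts and the
48-bit threshold are constructed assumptions of this example.
"""
import math

# Tiny constructed word list; a real policy would use a full dictionary and breach lists.
WORDLIST = {"susan", "admin", "administrator", "password", "december", "welcome",
            "letmein", "qwerty", "monkey", "dragon"}

# Substitutions a hybrid attack would try; undoing them exposes the dictionary word.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8
MIN_BITS = 48  # a brute-force space below 2**48 is treated as too small here


def letters_only(s):
    return "".join(ch for ch in s if ch.isalpha()).lower()


def search_space_bits(password):
    """log2 of the brute-force space: (size of the character classes used) ** length."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII symbols, space included
    return len(password) * math.log2(charset) if charset else 0.0


def assess(password, wordlist=WORDLIST, personal_facts=()):
    """Return (verdict, reasons, bits); verdict is 'weak' or 'strong'."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) == 1:
        reasons.append("single repeated character")
    plain = letters_only(password)
    if plain in wordlist:
        reasons.append(f"dictionary word {plain!r} (digits/symbols stripped)")
    desubstituted = letters_only(password.translate(LEET))
    if desubstituted != plain and desubstituted in wordlist:
        reasons.append(f"hybrid substitution of dictionary word {desubstituted!r}")
    for fact in personal_facts:
        if fact and fact.lower() in password.lower():
            reasons.append(f"contains personal information {fact!r}")
    bits = search_space_bits(password)
    if not reasons and bits < MIN_BITS:
        reasons.append(f"brute-force space only about 2**{bits:.0f}")
    return ("weak" if reasons else "strong"), reasons, bits


if __name__ == "__main__":
    facts = ("12/3/75", "KA01AB1234", "9876543210")  # constructed DOB, vehicle and mobile numbers
    for pw in ("Susan", "aaaa", "Abc123", "Admin", "12/3/75", "December12",
               "Convert_$100 to Euros!", "382456390H", "4pRtelai@3",
               "MoOoOfln245679", "t3wahSetyeT4", "AdmInIstrator", "Adm1n1str4tor"):
        verdict, reasons, bits = assess(pw, personal_facts=facts)
        print(f"{pw!r:26} {verdict:6} {bits:6.1f} bits  {reasons}")
```

Run as written, all six weak examples come out "weak" and all five strong examples "strong"; the table's hybrid example AdmInIstrator is caught as the plain dictionary word administrator, and a constructed variant such as Adm1n1str4tor is caught only after the substitutions are undone, which is the difference between the dictionary and hybrid rows of the table.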
4. Random Passwords:
• A password is stronger if it includes a mix of upper- and lower-case letters, numbers and other symbols, when allowed, for the same number of characters.
• The difficulty in remembering such a password increases the chance that
the user will write down the password, which makes it more vulnerable to
a different attack.
• A password can, at first sight, be random, but if we really examine it, it is
just a pattern. One of these types of passwords is 26845. Although short, it
is not easily guessed.
• Forcing the users to use system-created random passwords ensures that
the password will have no connection with that user and should not be
found in any dictionary.
• Almost all operating systems include password aging.
The general guidelines applicable to password policies, which can be implemented organization-wide, are as follows:
Netizens should practice password guidelines to avoid becoming victims of having their personal E-Mail accounts hacked/attacked by attackers.
Virus and Worms:
• Computer virus is a program that can “infect” legitimate programs by
modifying them to include a possibly “evolved” copy of itself.
• Viruses spread themselves, without the knowledge or permission of the
users, to potentially large numbers of programs on many machines.
• A computer virus passes from computer to computer.
• Viruses may also contain malicious instructions that may cause damage or
annoyance.
• Viruses can often spread without any readily visible symptoms.
• A virus can be triggered by event-driven effects, time-driven effects, or can trigger at random.
• Viruses can take some typical actions:
1. Display a message to prompt an action which may set off the virus;
2. Delete files inside the system into which viruses enter;
3. Scramble data on a hard disk;
4. Cause erratic screen behavior;
5. Halt the system (PC);
6. Just replicate themselves to propagate further harm.
• Difference between Computer virus and worm:
Types of Viruses:
1. Boot Sector viruses
2. Program viruses
3. Multipartite viruses
4. Stealth viruses
5. Polymorphic viruses
6. Macro viruses
7. Active X and Java Control
1. Boot Sector Viruses:
• These infect the storage media on which the operating system is stored (e.g., floppy diskettes and hard drives) and which is used to start the computer system.
• All data and programs are stored on floppy disks and hard drives in smaller sections called sectors.
• The first sector is called the BOOT sector and it carries the master boot record (MBR).
• The MBR’s function is to read and load the OS, that is, it enables the computer system to start through the OS.
• Hence, if a virus attacks an MBR or infects the boot record of a floppy disk, that floppy disk infects the victim’s hard drive when he or she reboots the system while the infected disk is in the drive.
• Once the victim’s hard drive is infected, all the floppy diskettes subsequently used in the system will be infected.
2. Program Viruses:
• These viruses become active when the infected program file is executed.
• Once these program files (usually with extensions .bin, .com, .exe) get infected, the virus makes copies of itself and infects the other programs on the computer system.
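Because a program virus works by modifying executable files, the defender's counterpart is an integrity baseline: record a digest of every program file on a known-clean system and later compare. The script below is an added example, not the module's code; the program files are constructed in a temporary directory so it runs offline (in practice the baseline is taken from a clean build and kept on read-only media), and the "tampering" it detects is simply bytes appended after the baseline was taken.

```python
"""Baseline-and-compare integrity check for program files.

Added example: constructed files in a temporary directory; the extension
filter (.exe, .com, .bin) follows the list given in the text above.
"""
import hashlib
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root, extensions=(".exe", ".com", ".bin")):
    """Map each program file (path relative to root, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = file_digest(full)
    return baseline


def compare(baseline, current):
    """Classify differences. A changed digest on an executable that nobody
    updated is the kind of evidence an appending program virus leaves behind."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Create constructed program files, baseline them, alter some, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/app.exe": b"MZ app", "bin/tool.com": b"tool", "readme.txt": b"not a program"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = take_baseline(root)
        # Changes after the baseline: one executable grows, a new executable
        # appears, and a text file changes (ignored by the program-file filter).
        with open(os.path.join(root, "bin", "app.exe"), "ab") as f:
            f.write(b" + unexpected trailing bytes")
        with open(os.path.join(root, "bin", "dropped.exe"), "wb") as f:
            f.write(b"MZ new")
        with open(os.path.join(root, "readme.txt"), "ab") as f:
            f.write(b" edited")
        return compare(before, take_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The comparison reports bin/app.exe as modified and bin/dropped.exe as added while saying nothing about readme.txt. The check only tells you that something changed, not what; the point is that a legitimate software update and an infection look the same to it, so every reported change needs an explanation.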

3. Multipartite Viruses:
• A multipartite virus is a hybrid of a boot sector virus and a program virus.
• It infects program files along with the boot record when the infected program is active.
• When the victim starts the computer system the next time, it will infect the local drive and other programs on the victim’s computer system.
4. Stealth Viruses:
• It camouflages and/or masks itself, so detecting this type of virus is very difficult.
• It can disguise itself in such a way that antivirus software also cannot detect it, which prevents the software from stopping its spread through the computer system.
• It alters its file size and conceals itself in the computer memory to remain in the system undetected.
• The first computer virus, named BRAIN, was a stealth virus.
• A good antivirus detects a stealth virus lurking on the victim’s system by checking the areas the virus must have infected, since it leaves evidence in memory.
5. Polymorphic Viruses:
• It acts like a ‘chameleon’ that changes its virus signature every time it spreads through the system.
• Hence, it is always difficult to detect a polymorphic virus with the help of an antivirus program.
• Polymorphic generators are routines (i.e., small programs) that can be linked with existing viruses.
• The first all-purpose polymorphic generator was the mutation engine (MTE) published in 1991.
6. Macro Viruses:
• Many applications, such as Microsoft Word and Microsoft Excel, support macros.
• A macro virus is programmed as a macro embedded in a document.
• Once a macro virus gets onto a victim’s computer, every document he/she produces will be infected.
• This type of virus is relatively new and may slip past the antivirus software if the user does not have the most recent version installed on his/her system.
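Whether a document carries macros at all can be checked without opening it in the application, which is a useful triage step for mail attachments. The added example below (not the module's code) inspects Office Open XML documents, which are zip containers: a Word document with a VBA project carries it as the entry word/vbaProject.bin (xl/ and ppt/ for Excel and PowerPoint), so the check looks at the container's contents rather than trusting the file extension. The two documents it runs on are constructed in memory as minimal containers, not real Word files.

```python
"""Detecting embedded VBA macro projects in Office Open XML documents.

Added example: the documents are constructed minimal zip containers; the
entry names checked are the ones OOXML uses for a VBA project.
"""
import io
import zipfile

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def macro_status(data):
    """True if the OOXML container holds a VBA project, False if it does not,
    None if the bytes are not a zip container at all (e.g. a legacy binary .doc)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    return any(part in names for part in MACRO_PARTS)


def build_document(with_macros):
    """Construct a minimal document container for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"placeholder vba project bytes")
    return buf.getvalue()


def triage(attachments):
    """attachments: {filename: bytes} -> {filename: 'macros' | 'clean' | 'not-ooxml'}"""
    labels = {True: "macros", False: "clean", None: "not-ooxml"}
    return {name: labels[macro_status(data)] for name, data in attachments.items()}


if __name__ == "__main__":
    sample = {
        "invoice.docm": build_document(True),
        "report.docx": build_document(False),
        "renamed.docx": build_document(True),   # extension says .docx, contents carry macros
        "old.doc": b"\xd0\xcf\x11\xe0 legacy binary format",
    }
    print(triage(sample))
```

A file labelled "macros" is not automatically malicious, and "not-ooxml" only means the legacy binary format needs a different parser; the value of the check is that it is cheap, runs before the document is opened, and is not fooled by a renamed extension.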
7. Active X and Java Control:
• All web browsers have settings for Active X and Java controls.
• A little awareness is needed about managing and controlling these browser settings, which prohibit or allow certain functions to work, such as enabling or disabling pop-ups, downloading files and sound. Leaving them open invites the threat of the computer system being targeted by unwanted software floating in cyberspace.