
Methods Used in Cyber Crime

The document discusses various tools and methods used for cybercrime, including password cracking. It describes how proxy servers and anonymizers can be used to hide an attacker's identity online. Password cracking methods like brute force attacks, dictionary attacks, and rainbow tables are explained. The document provides advice for creating strong passwords to help prevent cracking, such as using longer random passwords with a mix of uppercase, lowercase, numbers and symbols. It also warns against password reuse and storing passwords in web browsers or cloud services where they could be compromised.

Uploaded by

Mrs.Divya S J

Tools and Methods used in Cybercrime
UNIT 3
Unit 3: Learning Objectives

• Proxy servers and anonymizers
• Password cracking
• Keyloggers and spywares
• Overview of virus and worms
• Trojan horses and backdoors
• Steganography
• DoS and DDoS attacks
Stages of an attack on network

1. Initial covering: two stages
   1. Reconnaissance - social networking websites
   2. Uncovers information on company’s IP
2. Network probe:
   1. Ping sweep - seek out potential targets
   2. Port scanning
3. Crossing the line toward electronic crime:
   1. Commits computer crime by exploiting possible holes on the target system
Stages of an attack on network
4. Capturing the network:
- attacker attempts to own the network
- uses tools to remove any evidence of the attack
- trojan horses, backdoors
5. Grab the data:
- attacker has captured the network
- steal confidential data, customer CC information, deface webpages…
6. Covering the attack:
- extend misuse of the attack without being detected.
- start a fresh reconnaissance to a related target system
- continue use of resources
- remove evidence of hacking
Various tools used for the attack
• Proxy servers and Anonymizers
• Phishing
• Password cracking
• Keyloggers and spywares
• Virus and Worms
• Trojan horses and Backdoors
• Steganography
• SQL injection
• DoS and DDoS attack tools
• Buffer overflow
1. Proxy servers and Anonymizers
• A proxy server is a dedicated computer or a software
system running on a computer that acts as an intermediary
between an endpoint device, such as a computer, and
another server from which a user or client is requesting a
service.
• A client connects to the proxy server, requesting some
service, such as a file, connection, web page, or other
resource available from a different server and the proxy
server evaluates the request as a way to simplify and
control its complexity.
Purpose of a proxy server

• Improve Performance:
• Filter Requests
• Keep system behind the curtain
• Used as IP address multiplexer
• Its Cache memory can serve all users
Attack on this: the attacker first connects to a proxy
server, then establishes a connection with the target through
the existing connection with the proxy.
An Anonymizer
• An anonymizer or an anonymous proxy is a tool that attempts to
make activity on the Internet untraceable.
• It is a proxy server computer that acts as an intermediary and
privacy shield between a client computer and the rest of the
Internet.
• It accesses the Internet on the user's behalf, protecting personal
information by hiding the client computer's identifying information.
• For example, large news outlets such as CNN target the viewers
according to region and give different information to different
populations
2. Phishing

• Stealing personal and financial data
• Also can infect systems with viruses
• A method of online ID theft
How Phishing works?

1. Planning: use mass mailing and address collection techniques - spammers
2. Setup : E-Mail / webpage to collect data about the
target
3. Attack : send a phony message to the target
4. Collection: record the information obtained
5. Identity theft and fraud: use information to commit
fraud or illegal purchases
3. Password Cracking
• Password cracking is the process of recovering
passwords from data that have been stored in or
transmitted by a computer system.
• A common approach (brute-force attack) is to try guesses
repeatedly for the password and check them against an
available cryptographic hash of the password.
The purpose of password cracking
• help a user recover a forgotten password
• to gain unauthorized access to a system,
• or as a preventive measure by System
Administrators to check for easily crackable
passwords
Manual Password Cracking Algorithm
• Find a valid user
• Create a list of possible passwords
• Rank the passwords from high probability to low
• Key in each password
• If the system allows you in - Success
• Else try till success
Examples of guessable passwords
• Blank
• Words like “passcode”, “password”, “admin”
• Series of letters “QWERTY”
• User’s name or login name
• Name of the user’s friend/relative/pet
• User’s birth place, DOB
• Vehicle number, office number ..
• Name of celebrity
• Simple modification of one of the preceding, e.g. suffixing 1 …
Categories of password cracking attacks:
• Online attacks
• Offline attacks
• Non-electronic attacks
• Social engineering
• Shoulder surfing
• Dumpster diving
Online attacks

• An attacker may create a script (an automated program) to try each password
• Most popular online attack: man-in-the-middle attack or bucket-brigade attack
• Used to obtain passwords for E-mail accounts on
public websites like gmail, yahoomail
• Also to get passwords for financial websites
Offline attacks

• Are performed from a location other than the target
where these passwords reside or are used
• Require physical access to the computer and
copying the password
Types of Password Attacks

• Password Guessing
  • Attackers can guess passwords locally or remotely using either a manual or automated approach
• Dictionary attacks
  • Work on the assumption that most passwords consist of whole words, dates, or numbers taken from a dictionary.
• Hybrid password
  • Assume that network administrators push users to make their passwords at least slightly different from a word that appears in a dictionary.
Weak passwords
• The password contains less than eight characters
• The password is a word found in a dictionary (English or foreign)
• The password is a common usage word such as:
• Names of family, pets, friends, co-workers, fantasy characters, etc.
• Computer terms and names, commands, sites, companies, hardware, software.
• The words "<Company Name>", "sanjose", "sanfran" or any derivation.
• Birthdays and other personal information such as addresses and phone numbers.
• Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
• Any of the above spelled backwards.
• Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
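The weak-password criteria above can be checked mechanically, which is the preventive use of password checking by administrators mentioned earlier. The following is an added example, not part of the original slides; the function names and the small word list are assumptions made for illustration.

```python
# Constructed sample word list; a real audit would load a full dictionary
# plus organisation-specific terms (company name, site names, usernames).
SAMPLE_WORDS = {"password", "passcode", "admin", "secret", "qwerty",
                "sanjose", "sanfran"}

# Character sequences used to spot keyboard and alphabet runs.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz")


def _is_pattern(s):
    """Detect simple patterns such as aaabbb, qwerty, zyxwvuts, 123321."""
    if len(s) < 4:
        return False
    if len(set(s)) <= 2:          # few distinct characters: aaabbb, 111111
        return True
    if s == s[::-1]:              # palindromes: 123321
        return True
    # Runs along the alphabet or a keyboard row, forwards or backwards.
    return any(s in seq or s in seq[::-1] for seq in SEQUENCES)


def audit_password(password, personal_terms=(), words=SAMPLE_WORDS):
    """Return the list of weak-password criteria that `password` matches.

    personal_terms: names, birthdays and similar facts known about the user.
    An empty result means none of the listed criteria matched; it does not
    prove the password is strong.
    """
    findings = []
    lowered = password.lower()
    if len(password) < 8:
        findings.append("shorter than eight characters")

    # Remove digits placed before or after a base word (secret1, 1secret).
    core = lowered.strip("0123456789")
    affixed = core != lowered

    vocabulary = set(words) | {t.lower() for t in personal_terms}
    for candidate, backwards in ((core, False), (core[::-1], True)):
        if candidate and candidate in vocabulary:
            label = "dictionary or personal word"
            if backwards:
                label += ", spelled backwards"
            if affixed:
                label += ", with digits added"
            findings.append(label)
            break

    if _is_pattern(lowered) or _is_pattern(core):
        findings.append("word or number pattern")
    return findings


if __name__ == "__main__":
    for pw in ("secret1", "drowssap", "123321", "TmB1w2R!"):
        print(pw, "->", audit_password(pw) or "no listed weakness matched")
```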
Strong Passwords
• Contain both upper and lower case characters (e.g., a-z, A-Z)
• Have digits and punctuation characters as well as letters (e.g., 0-9, @#$%^&*()_+|~-=\`{}[]:";'<>?,./)
• Are at least eight alphanumeric characters long.
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
• Passwords should never be written down or stored on-line.
• Try to create passwords that can be easily remembered.
• One way to do this is create a password based on a song title, affirmation, or other
phrase.
• For example, the phrase might be: "This May Be One Way To Remember"
• and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
Random passwords

• Secure Password Generator
• Password Length:
• Include Symbols: ( e.g. @#$% )
• Include Numbers: ( e.g. 123456 )
• Include Lowercase Characters: ( e.g. abcdefgh )
• Include Uppercase Characters: ( e.g. ABCDEFGH )
• Exclude Similar Characters: ( e.g. i, l, 1, L, o, 0, O )
• Exclude Ambiguous Characters: ( {}[]()/\'"`~,;:.<> )
• Generate On The Client Side: ( do NOT send across the Internet )
• Auto-Select: ( select the password automatically )
• Save My Preference: ( save all the settings above for later use )
• Load My Settings Anywhere: URL to load my settings on other computers quickly
Contd..
• To prevent your passwords from being hacked by social engineering, brute force or dictionary attack methods, you should note that:
1. Do not use the same password for multiple important accounts.
2. Use a password that has at least 16 characters, use at least one number, one uppercase letter, one lowercase letter and one special symbol.
3. Do not use the names of your families, friends or pets in your passwords.
4. Do not use postcodes, house numbers, phone numbers, birthdates, ID card numbers, social security numbers, and so on in your passwords.
5. Do not use any dictionary word in your passwords.
6. Do not use something that can be cloned (but that you can't change) as your passwords, such as your fingerprints.
7. Do not let your Web browsers (FireFox, Chrome, Safari, Opera, IE) store your passwords, since all passwords saved in Web browsers can be revealed easily.
8. Do not log in to important accounts on the computers of others, or when connected to a public Wi-Fi hotspot, Tor, free VPN or web proxy.
9. Do not send sensitive information online via HTTP or FTP connections, because messages in these connections can be sniffed with very little effort. You should use encrypted connections such as HTTPS and SFTP whenever possible.
10. When travelling, you can encrypt your Internet connections before they leave your laptop, tablet, mobile phone or router. For example, you can set up a private VPN on your own server (home computer, dedicated server or VPS) and connect to it. Alternatively, you can set up an encrypted SSH tunnel between your router and your home computer (or a remote server of your own) with PuTTY and connect your programs (e.g. FireFox) to PuTTY. Then even if somebody captures your data as it is transmitted between your device (e.g. laptop, iPhone, iPad) and your server with a packet sniffer, he won't be able to steal your data and passwords from the encrypted streaming data.
11. How secure is my password? Perhaps you believe that your passwords are very strong, difficult to hack. But if a hacker has stolen your username and the MD5 hash value of your password from a company's server, and the rainbow table of the hacker contains this MD5 hash, then your password will be cracked quickly.
    To check the strength of your passwords and know whether they're inside the popular rainbow tables, you can convert your passwords to MD5 hashes with an MD5 hash generator, then decrypt your passwords by submitting these hashes to an online MD5 decryption service. For instance, if your password is "0123456789A", it may take a computer almost one year to crack it using the brute-force method, but if you decrypt it by submitting its MD5 hash ( C8E7279CD035B23BB9C0F1F954DFF5B3 ) to an MD5 decryption website, how long will it take to crack it? You can perform the test yourself.
12. It's recommended to change your passwords every 10 weeks.
13. It's recommended that you remember a few master passwords, store other passwords in a plain text file and encrypt this file with 7-Zip, GPG or a disk encryption software such as BitLocker, or manage your passwords with a password management software.
14. Encrypt and back up your passwords to different locations, then if you lose access to your computer or account, you can retrieve your passwords quickly.
15. Turn on 2-step authentication whenever possible.
16. Do not store your critical passwords in the cloud.
17. Access important websites (e.g. Paypal) from bookmarks directly, otherwise please check its domain name carefully. It's a good idea to check the popularity of a website with Alexa toolbar to ensure that it's not a phishing site before entering your password.
18. Protect your computer with firewall and antivirus software, download software from reputable sites only, and verify the MD5 or SHA1 checksum of the installation package whenever possible.
19. Be careful when using online paste tools and screen capture tools, do not let them upload your passwords to the cloud.
20. If there are important files on your computer, and it can be accessed by others, check if there are hardware keyloggers (e.g. wireless keyboard sniffer), software keyloggers and hidden cameras when you feel it's necessary.
21. If you're a webmaster, do not store the users' passwords in the database, you should store the salted hash values of passwords instead.
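Tips 11 and 21 describe the same storage problem from both sides: an unsalted MD5 hash is identical for every account that uses the same password, so one precomputed table serves against all of them, while a per-user salt forces separate work per record. The code below is an added example, not part of the original slides; it swaps in PBKDF2-HMAC-SHA256 from the Python standard library as the salted scheme, and the record format, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; choose it for your own hardware.
ITERATIONS = 600_000


def md5_unsalted(password):
    """The weak scheme from tip 11: the same password always yields the
    same hash, so a table computed once applies to every stolen record."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Build a storable record: scheme, work factor, random salt, derived key."""
    salt = os.urandom(16)  # fresh salt per user defeats precomputed tables
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), key.hex())


def verify_password(password, record):
    """Recompute the key with the stored salt and compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(key_hex)
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(key, expected)


if __name__ == "__main__":
    pw = "0123456789A"  # the sample password used in tip 11
    # Two users choosing the same password: MD5 collides, salted records do not.
    print("md5 equal:   ", md5_unsalted(pw) == md5_unsalted(pw))
    alice, bob = hash_password(pw), hash_password(pw)
    print("salted equal:", alice == bob)
    print("verify ok:   ", verify_password(pw, alice))
    print("verify wrong:", verify_password(pw + "x", alice))
```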
4. Keyloggers

• Keystroke logging, often referred to as keylogging or
keyboard capturing, is the action of recording (or
logging) the keys struck on a keyboard, typically in a
covert manner so that the person using the keyboard is
unaware that their actions are being monitored.
• It has uses in the study of human–computer interaction.
• There are numerous keylogging methods, ranging from
hardware and software-based approaches to acoustic
analysis.
Software-based keyloggers

• Software-based keyloggers use the target computer’s
operating system in various ways, including: imitating a
virtual machine, acting as the keyboard driver (kernel-based),
using the application programming interface to
watch keyboard strokes (API-based), recording
information submitted on web-based forms (Form Grabber
based) or capturing network traffic associated with HTTP
POST events to steal passwords (Packet analyzers).
• Usually consists of two files: a DLL and an EXE
Hardware keyloggers

• Installing a hardware circuit between the keyboard
and the computer that logs keyboard stroke activity
(keyboard hardware).
• Target- ATMs
Acoustic keylogging

• Acoustic keylogging monitors the sound created by
each individual keystroke and uses the subtly
different acoustic signature that each key emits to
analyze and determine what the target computer’s
user is typing.
AntiKeylogger

• An anti-keylogger (or anti–keystroke logger) is a
type of software specifically designed for the
detection of keystroke logger software; often, such
software will also incorporate the ability to delete
or at least immobilize hidden keystroke logger
software on your computer.
Benefits of Antikeyloggers
Spywares

• Spyware is software that aims to gather
information about a person or organization without
their knowledge and that may send such
information to another entity without the
consumer's consent, or that asserts control over a
computer without the consumer's knowledge
5. Virus and Worms

• A computer virus is a malware program that, when
executed, replicates by inserting copies of itself
(possibly modified) into other computer programs,
data files, or the boot sector of the hard drive; when
this replication succeeds, the affected areas are then
said to be "infected".
Some typical virus actions

• Display a message to prompt an action
• Delete files in the system
• Scramble data on a hard disk
• Cause erratic screen behavior
• Halt the system
• Replicate themselves to propagate further harm
Virus spread through

• The internet
• A stand alone PC
• Local networks
Difference between virus and worm
Types of viruses

• Boot sector viruses
• Program viruses
• Multipartite viruses
• Stealth viruses
• Polymorphic viruses
• Macroviruses
• ActiveX and Java control
Boot sector viruses
• A boot sector virus is a computer virus that infects a storage device's master boot
record (MBR).
• It is not mandatory that a boot sector virus successfully boot the victim's PC to
infect it.
• As a result, even non-bootable media can trigger the spread of boot sector viruses.
• These viruses copy their infected code either to the floppy disk's boot sector or to
the hard disk's partition table. During start-up, the virus gets loaded to the
computer's memory. As soon as the virus is saved to the memory, it infects the
non-infected disks used by the system.
• The propagation of boot sector viruses has become very rare since the decline of
floppy disks. Also, present-day operating systems include boot-sector safeguards
that make it difficult for boot sector viruses to infect them.
Program viruses

• A program virus becomes active when the program
file (usually with extensions .BIN, .COM, .EXE, .OVL, .DRV)
carrying the virus is opened.
• Once active, the virus will make copies of itself
and will infect other programs on the computer.
Multipartite viruses
• A multipartite virus is a fast-moving virus that uses file infectors or boot infectors
to attack the boot sector and executable files simultaneously.
• Most viruses either affect the boot sector, the system or the program files.
• The multipartite virus can affect both the boot sector and the program files at the
same time, thus causing more damage than any other kind of virus.
• When the boot sector is infected, simply turning on the computer will trigger a
boot sector virus because it latches on to the hard drive that contains the data that is
needed to start the computer. Once the virus has been triggered, destructive
payloads are launched throughout the program files.
• A multipartite virus infects computer systems multiple times and at different times.
In order for it to be eradicated, the entire virus must be removed from the system.
• A multipartite virus is also known as a hybrid virus.
Stealth viruses

• A stealth virus is a hidden computer virus that
attacks operating system processes and averts
typical anti-virus or anti-malware scans. Stealth
viruses hide in files, partitions and boot sectors and
are adept at deliberately avoiding detection.
• Stealth virus eradication requires advanced anti-virus
software or a clean system reboot.
Polymorphic viruses
• A polymorphic virus is a complicated computer virus that affects data
types and functions.
• It is a self-encrypted virus designed to avoid detection by a scanner.
• Upon infection, the polymorphic virus duplicates itself by creating
usable, albeit slightly modified, copies of itself.

• Polymorphism, in computing terms, means that a single definition
can be used with varying amounts of data. In order for scanners to
detect this type of virus, brute-force programs must be written to
combat and detect the polymorphic virus with novel variant
configurations.
Macroviruses

• A macro virus is a computer virus that "infects"
a Microsoft Word or similar application and
causes a sequence of actions to be performed
automatically when the application is started or
something else triggers it.
ActiveX and Java control
• ActiveX and Java were created for web page designers to
incorporate a wide array of impressive effects on web pages, giving
movement and added dimension to the previously "flat" web pages.
• To operate properly, these ActiveX controls and Java applets need
to gain access to your hard disk. Insufficient memory and
bandwidth problems necessitate this approach. Although this
desktop access provides a wealth of beneficial applications of these
controls and applets, malicious code developers have the same
access. They are now using it to read and delete or corrupt files,
access RAM, and even access files on computers attached via a
LAN.
6. Trojan horses and Backdoors

• A Trojan horse, or Trojan, in computing is
generally a non-self-replicating type of malware
program containing malicious code that, when
executed, carries out actions determined by the
nature of the Trojan, typically causing loss or theft
of data, and possible system harm
Examples of threats by Trojans
• Erase, overwrite or corrupt data on a computer
• Help to spread other malware such as viruses- dropper trojan
• Deactivate or interfere with antivirus and firewall programs
• Allow remote access to your computer- remote access trojan
• Upload and download files
• Gather E-mail address and use for spam
• Log keystrokes to steal information – pwds, CC numbers
• Copy fake links to false websites
• Slow down, restart or shut down the system
• Disable task manager
• Disable the control panel
Backdoors
• A backdoor in a computer system is a method of
bypassing normal authentication, securing unauthorized
remote access to a computer, obtaining access to
plaintext, and so on, while attempting to remain
undetected.
• Also called a trapdoor. An undocumented way of
gaining access to a program, online service or an entire
computer system.
• The backdoor is written by the programmer who creates
the code for the program. It is often only known by the
programmer. A backdoor is a potential security risk.
Functions of backdoors

Allows an attacker to
• create, delete, rename, copy or edit any file
• Execute commands to change system settings
• Alter the windows registry
• Run, control and terminate applications
• Install arbitrary software and parasites
• Control computer hardware devices
• Shut down or restart computer
Functions of backdoors
• Steals sensitive personal information, valuable documents, passwords,
login name…
• Records keystrokes, captures screenshots
• Sends gathered data to predefined E-mail addresses
• Infects files, corrupts installed apps, damages entire system
• Distributes infected files to remote computers
• Installs hidden FTP server
• Degrades internet connection and overall system performance
• Decreases system security
• Provides no uninstall feature, hides processes, files and other objects
Examples of Backdoor trojans
• Back Orifice : for remote system administration
• Bifrost : can infect Win95 through Vista, execute
arbitrary code
• SAP backdoors : infects SAP business objects
• Onapsis Bizploit: Onapsis Bizploit is an SAP
penetration testing framework to assist security
professionals in the discovery, exploration, vulnerability
assessment and exploitation phases of specialized SAP
security assessment
How to protect from Trojan Horses and backdoors
• Stay away from suspect websites/links
• Surf on the web cautiously: avoid P2P networks
• Install antivirus/Trojan remover software
7. Steganography

• Steganography (from Greek steganos, or "covered," and
graphie, or "writing") is the hiding of a secret message
within an ordinary message and the extraction of it at its
destination.
• Steganography takes cryptography a step farther by hiding
an encrypted message so that no one suspects it exists.
Ideally, anyone scanning your data will fail to know it
contains encrypted data.
• Other names: data hiding, information hiding, digital
watermarking
Digital watermarking
• Digital watermarking is the act of hiding a message (trademark)
related to a digital signal (i.e. an image, song, video) within the
signal itself.
• It is a concept closely related to steganography, in that they both
hide a message inside a digital signal.
• However, what separates them is their goal.
• Watermarking tries to hide a message related to the actual content
of the digital signal,
• while in steganography the digital signal has no relation to the
message, and it is merely used as a cover to hide its existence.
Difference between steganography and cryptography
• Cryptography is the study of hiding information, while Steganography deals
with composing hidden messages so that only the sender and the receiver know
that the message even exists.
• In Steganography, only the sender and the receiver know the existence of the
message, whereas in cryptography the existence of the encrypted message is
visible to the world.
• Due to this, Steganography removes the unwanted attention coming to the
hidden message.
• Cryptographic methods try to protect the content of a message, while
Steganography uses methods that would hide both the message as well as the
content.
• By combining Steganography and Cryptography one can achieve better security.
Steganalysis

• Steganalysis is the study of detecting messages
hidden using steganography;
• The goal of steganalysis is to identify suspected
packages, determine whether or not they have a
payload encoded into them, and, if possible,
recover that payload.
8. DoS and DDoS attacks

• In computing, a denial-of-service (DoS) or
distributed denial-of-service (DDoS) attack is an
attempt to make a machine or network resource
unavailable to its intended users.
• A DoS attack generally consists of efforts to
temporarily or indefinitely interrupt or suspend
services of a host connected to the Internet.
Symptoms of DoS attacks

• Slow network performance
• Unavailability of a particular website
• Inability to access any website
• Dramatic increase in number of Spam E-mails
received
A DoS attack may do the following
• Flood a network with traffic, thereby preventing legitimate network traffic
• Disrupt connections between two systems-
preventing access to service
• Prevent a particular individual from accessing a
service
• Disrupt service to a specific system or person
Classification of DoS

• Bandwidth attacks
• Logic attacks
• Protocol attacks
• Unintentional DoS attack
Bandwidth attacks

• The most common DoS attacks target the computer's network
bandwidth or connectivity.
• Bandwidth attacks flood the network with such a
high volume of traffic, that all available network
resources are consumed and legitimate user
requests can not get through.
Logic attacks
• An attacker sends more requests to a server than it can handle,
usually in a relentless manner, until the server buckles and gives in
to the attacker. Once this type of attack ends, the server can return
to normal operation.
• Generally, a logic attack requires your server to have a
discoverable weakness that the attacker can locate and then use
against it.
• Because of this prerequisite, it is usually easy to prevent by
keeping your server software and hardware up-to-date with the
latest security patches and firmware respectively
Protocol attacks

• Denial of service attacks may take advantage of certain standard
protocol features.
• Several attacks capitalize on the fact that IP source addresses can
be spoofed.
• In addition, connection depletion attacks take advantage of the
fact that many connection-oriented protocols require servers to
maintain state information after a connection request is made but
before the connection is fully established.
• The most common connection depletion attack is SYN flooding
Unintentional DoS attack

• This describes a situation where a website ends up
denied, not due to a deliberate attack by a single
individual or group of individuals, but simply due
to a sudden enormous spike in popularity.
• This can happen when an extremely popular
website posts a prominent link to a second, less
well-prepared site, for example, as part of a news
story.
Types or levels of DoS attacks

• Flood attack
• Ping of death attack
• SYN attack
• Teardrop attack
• Smurf attack
• Nuke
Flood attack

• Flooding is a Denial of Service (DoS) attack that is
designed to bring a network or service down by flooding
it with large amounts of traffic.
• Flood attacks occur when a network or service becomes
so weighed down with packets initiating incomplete
connection requests that it can no longer process genuine
connection requests.
• By flooding a server or host with connections that cannot
be completed, the flood attack eventually fills the host's
memory buffer. Once this buffer is full no further
connections can be made, and the result is a Denial of
Service.
Ping of death attack

• Ping of death is a denial of service (DoS) attack
caused by an attacker deliberately sending an IP
packet larger than the 65,536 bytes allowed by the
IP protocol.
SYN attack
• A SYN flood occurs when a host sends a flood of TCP/SYN
packets, often with a forged sender address.
• Each of these packets is handled like a connection request,
causing the server to spawn a half-open connection, by sending
back a TCP/SYN-ACK packet (Acknowledge), and waiting for a
packet in response from the sender address (response to the ACK
Packet).
• However, because the sender address is forged, the response never
comes. These half-open connections saturate the number of
available connections the server can make, keeping it from
responding to legitimate requests until after the attack ends
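A defender can measure the condition described above directly by counting connections that sent a SYN but never completed the handshake. Because the sender addresses are forged, the count is kept per listening service rather than per source. This is an added example, not part of the original slides; the class name, threshold, timeout and the sample events (documentation address ranges, times in milliseconds) are constructed assumptions.

```python
from collections import OrderedDict


class HalfOpenTracker:
    """Tracks connections to one listening service that have sent SYN
    (and been answered with SYN-ACK) but have not yet sent the final ACK."""

    def __init__(self, threshold=5, timeout_ms=30000):
        self.threshold = threshold      # alert level for half-open entries
        self.timeout_ms = timeout_ms    # how long the server keeps waiting
        self.pending = OrderedDict()    # (src_ip, src_port, dst_port) -> SYN time

    def _expire(self, now):
        # Entries are in arrival order, so stop at the first one still fresh.
        while self.pending:
            key, seen = next(iter(self.pending.items()))
            if now - seen < self.timeout_ms:
                break
            self.pending.popitem(last=False)

    def observe(self, ts, src_ip, src_port, dst_port, flags):
        """Feed one inbound segment. Returns True while the number of
        half-open connections is at or above the threshold."""
        self._expire(ts)
        key = (src_ip, src_port, dst_port)
        if flags == "SYN":
            self.pending.pop(key, None)   # a retransmitted SYN restarts the timer
            self.pending[key] = ts
        elif flags in ("ACK", "RST"):
            self.pending.pop(key, None)   # handshake completed or aborted
        return len(self.pending) >= self.threshold


def first_alert(events, threshold=5, timeout_ms=30000):
    """Return the timestamp of the first event that trips the threshold, or None."""
    tracker = HalfOpenTracker(threshold, timeout_ms)
    for ts, src_ip, src_port, dst_port, flags in events:
        if tracker.observe(ts, src_ip, src_port, dst_port, flags):
            return ts
    return None


# Constructed sample: two clients that complete the handshake, followed by a
# burst of SYNs from eight different addresses that never send the final ACK.
SAMPLE_EVENTS = [
    (0, "192.0.2.10", 40001, 443, "SYN"),
    (100, "192.0.2.10", 40001, 443, "ACK"),
    (1000, "192.0.2.11", 40002, 443, "SYN"),
    (1200, "192.0.2.11", 40002, 443, "ACK"),
] + [(2000 + i * 10, "198.51.100.%d" % i, 1024 + i, 443, "SYN")
     for i in range(1, 9)]

if __name__ == "__main__":
    print("first alert at (ms):", first_alert(SAMPLE_EVENTS))
```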
SYN attack
Teardrop attack

• A teardrop attack is a denial of service (DoS) attack
conducted by targeting TCP/IP fragmentation reassembly
codes.
• This attack causes fragmented packets to overlap one
another on the host receipt;
• the host attempts to reconstruct them during the process
but fails.
• Gigantic payloads are sent to the machine that is being
targeted, causing system crashes.
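Both the ping of death and the teardrop attack depend on fragments that a receiver should refuse before reassembly: a set whose reassembled size exceeds what an IP datagram can carry, or fragments whose byte ranges overlap. The check below is an added example, not part of the original slides; the function names, the record layout and the sample fragments (documentation addresses) are constructed assumptions, and the header is assumed to carry no options.

```python
from collections import defaultdict

MAX_DATAGRAM = 65535   # largest value of the 16-bit IPv4 total-length field
HEADER_LEN = 20        # assumption: IPv4 header without options


def check_datagram(fragments, header_len=HEADER_LEN):
    """fragments: iterable of (offset_units, payload_len) for one datagram,
    with the offset in 8-byte units as carried in the IPv4 header.
    Returns a sorted list drawn from 'overlap' and 'oversize'.
    Exact duplicate fragments are also reported as overlap."""
    findings = set()
    spans = sorted((off * 8, off * 8 + length) for off, length in fragments)
    covered_to = 0
    for start, end in spans:
        if start < covered_to:
            findings.add("overlap")     # teardrop-style overlapping ranges
        if header_len + end > MAX_DATAGRAM:
            findings.add("oversize")    # ping-of-death-style reassembled size
        covered_to = max(covered_to, end)
    return sorted(findings)


def inspect(packets):
    """Group fragment records by (src, dst, id) and return only the
    datagrams that should be dropped instead of reassembled."""
    groups = defaultdict(list)
    for p in packets:
        groups[(p["src"], p["dst"], p["id"])].append((p["offset"], p["length"]))
    report = {}
    for key, frags in groups.items():
        findings = check_datagram(frags)
        if findings:
            report[key] = findings
    return report


def _frag(ident, offset, length):
    # Helper for the constructed sample below.
    return {"src": "198.51.100.7", "dst": "192.0.2.1",
            "id": ident, "offset": offset, "length": length}


# Constructed sample fragments for three datagrams.
SAMPLE_PACKETS = [
    # id 1: an ordinary 4000-byte payload split into three fragments
    _frag(1, 0, 1480), _frag(1, 185, 1480), _frag(1, 370, 1040),
    # id 2: second fragment starts inside the range covered by the first
    _frag(2, 0, 36), _frag(2, 3, 4),
    # id 3: last fragment ends beyond the maximum datagram size
    _frag(3, 0, 1480), _frag(3, 8189, 1000),
]

if __name__ == "__main__":
    for key, findings in inspect(SAMPLE_PACKETS).items():
        print(key, findings)
```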
Smurf attack

• A smurf attack is a type of denial of service attack
in which a system is flooded with spoofed ping
messages.
• This creates high computer network traffic on the
victim’s network, which often renders it
unresponsive.
Nuke

• A Nuke is an old denial-of-service attack against
computer networks consisting of fragmented or
otherwise invalid ICMP packets sent to the target,
achieved by using a modified ping utility to
repeatedly send this corrupt data, thus slowing
down the affected computer until it comes to a
complete stop.
DDoS attack

• A Distributed Denial of Service (DDoS) attack is
an attempt to make an online service unavailable
by overwhelming it with traffic from multiple
sources.
• They target a wide variety of important resources,
from banks to news websites, and present a major
challenge to making sure people can publish and
access important information.
How to prevent DoS/DDoS attacks

• Filtering: Routers at the edge of the network can be
trained to spot and drop DDOS connections, preventing
them from slowing the network or the server.
• Moving: If the attack is pointed at a specific IP address,
the site’s IP can be changed.
• Blackholing: A host may simply “blackhole” a site that
is being DDOSed, directing all traffic to it to an address
that doesn’t exist. This is normally a last resort.
