MODULE 3: Chapter 4

Tools and Methods Used in Cybercrime

⦿ Introduction
⦿ Proxy Servers and Anonymizers
⦿ Phishing
⦿ Password Cracking
⦿ Keyloggers and Spywares
⦿ Virus and Worms
⦿ Trojan Horses and Backdoors
⦿ Steganography
⦿ DoS and DDoS Attacks
⦿ SQL Injection
⦿ Buffer Overflow
⦿ Attacks on Wireless Networks
⦿ Various tools and techniques used to launch attacks against the target:
• Scareware
• Malvertising
• Clickjacking
• Ransomware
⦿ The basic stages of an attack are described here to show how an attacker can compromise a network:

1. Initial uncovering:
🞄 Two steps are involved: 1) reconnaissance, 2) the attacker uncovers information
2. Network probe
3. Crossing the line toward E-crime
4. Capturing the network
5. Grabbing the data
6. Covering tracks
⦿ A proxy server is a computer on a network which acts as an intermediary for connections with other computers on that network
⦿ First, the attacker connects to the proxy server
⦿ A proxy server can allow an attacker to hide their identity
⦿ Purpose of a proxy server:
• Keep the system behind the curtain
• Speed up access to resources
• Specialized proxy servers are used to filter unwanted content such as advertisements
• A proxy server can be used as an IP address multiplexer to enable a number of computers to connect to the Internet
⦿ An anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet untraceable
⦿ It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information
⦿ Introduced in 1996
⦿ Fake E-Mail using another reputed company's or individual's identity
⦿ People associate phishing with E-Mail messages that spoof or mimic banks, credit card companies or other businesses such as Amazon and eBay
Phishers work as follows:
⦿ Planning: decide the target and determine how to get E-Mail addresses
⦿ Setup: create methods for delivering the message and for collecting the data about the target
⦿ Attack: send a phony message that appears to be from a reputable source
⦿ Collection: record the information victims enter into web pages or pop-up windows
⦿ Identity theft and fraud: use the information gathered to make illegal purchases and commit fraud
⦿ A computer virus is a program that can “infect” legitimate programs by modifying them to include a possibly “evolved” copy of itself.
⦿ Viruses spread themselves without the knowledge or permission of the users
⦿ Contains malicious instructions
⦿ A virus can start on event-driven effects
⦿ Viruses can take some actions:
• Display a message prompting an action through which the virus enters
• Scramble data on the hard disk
• Delete files inside the system
• Cause erratic screen behavior
• Halt the PC
• Replicate themselves
⦿ A true virus can only spread from one system to another
⦿ A worm spreads itself automatically to other computers through networks by exploiting security vulnerabilities
Viruses are categorized based on the element of the system they attack:

⦿ Boot sector viruses:
• Infect the storage media on which the OS is stored and which is used to start the computer system
• Spread to other systems when shared infected disks and pirated software are used
⦿ Program viruses:
• Active when a program file (usually with extensions .bin, .com, .exe, .ovl, .drv) is executed
• Make a copy of themselves
⦿ Multipartite viruses:
• Hybrid of boot sector and program viruses
⦿ Stealth viruses:
• Mask themselves
• Antivirus S/W also cannot detect them
• Alter the file system and hide in computer memory to remain in the system undetected
• The first computer virus, named Brain
⦿ Polymorphic viruses:
• Like a “chameleon” that changes its virus signature (i.e., binary pattern) every time it spreads through the system (i.e., multiplies and infects a new file)
• Polymorphic generators are routines that can be linked with existing viruses
• Generators are not viruses themselves, but serve to hide actual viruses under the cloak of polymorphism
⦿ Macro viruses:
• Infect documents produced on the victim's computer
⦿ ActiveX and Java controls:

⦿ A Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause harm
⦿ Gets into the system in a number of ways, including the web browser, via E-Mail, or with S/W downloaded from the Internet
⦿ Trojans do not replicate themselves, but they can be equally destructive
⦿ Examples of threats by Trojans:
• Erase, overwrite or corrupt data on the computer
• Help to spread other malware
• Deactivate or interfere with antivirus and firewall
• Allow remote access to your computer
• Upload and download files without the user's knowledge
• Gather E-Mail addresses and use them for spam
• Slow down, restart or shut down the system
• Reinstall themselves after being disabled
• Disable task manager or control panel
• Copy fake links to false websites, display porn sites, play sounds/videos and display images
• Log keystrokes to steal info such as passwords or credit card numbers
⦿ A backdoor is a means of access to a computer program that bypasses security mechanisms
⦿ Programmers use it for troubleshooting
⦿ Attackers often use backdoors that they detect or install themselves as part of an exploit
⦿ Works in the background and hides from the user
⦿ Most dangerous parasite, as it allows a malicious person to perform any possible action
⦿ Programmers sometimes leave such backdoors in their software for diagnostic and troubleshooting purposes. Attackers discover these undocumented features and use them
⦿ Allows an attacker to create, delete, rename, copy or edit any file; change any system setting, alter the Windows registry; run, control and terminate applications; install arbitrary software
⦿ Controls computer hardware devices, modifies related settings, shuts down or restarts the computer without asking for user permission
⦿ Steals sensitive personal information, logs user activity, tracks web browsing habits
⦿ Records keystrokes
⦿ Sends all gathered data to a predefined E-Mail address
⦿ Infects files, corrupts installed apps and damages the entire system
⦿ Distributes infected files to remote computers and performs attacks against hacker-defined remote hosts
⦿ Installs a hidden FTP server that can be used by a malicious person
⦿ Degrades Internet connection speed and overall system performance
⦿ Provides no uninstall feature and hides processes, files and other objects to complicate its removal as much as possible
⦿ Back Orifice:
• Enables a user to control a computer running the Microsoft Windows OS from a remote location
⦿ Bifrost:
• Infects Windows 95 through Vista
⦿ SAP backdoors
⦿ Onapsis Bizploit
⦿ Stay away from suspect web sites/web links
⦿ Surf the web cautiously
⦿ Install antivirus/Trojan remover software
⦿ Greek word that means “sheltered writing”
⦿ Comes from two Greek words:
• Steganos means “covered”
• Graphein means “to write”; together, “concealed writing”
⦿ Steganalysis:
• Detecting messages that are hidden in images, audio/video files using steganography
⦿ An attempt to make a computer's resources unavailable to its intended users
⦿ DoS attack:
• The attacker floods the BW of the victim's N/W or fills his E-Mail box with spam mail, depriving him of the services he is entitled to access or provide
• Attackers typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, mobile phone networks and even root name servers
⦿ A buffer overflow technique may be employed to commit such a criminal attack
⦿ The attacker spoofs the IP address and floods the N/W of the victim with repeated requests
⦿ As the IP address is fake, the victim machine keeps waiting for a response from the attacker's machine for each request
⦿ This consumes the BW of the N/W, which then fails to serve legitimate requests and ultimately breaks down
⦿ The US Computer Emergency Response Team defines it by these symptoms:
• Unusually slow n/w performance (opening files or accessing websites)
• Unavailability of a particular web site
• Inability to access any website
• Dramatic increase in the number of spam E-Mails received
⦿ The goal of DoS is not to gain unauthorized access to systems or data, but to prevent intended users of a service from using it.
⦿ Activities done by DoS:
• Flood a n/w with traffic
• Disrupt the connection between two systems
• Prevent a particular individual from accessing a service
• Disrupt service to a specific system or person
⦿ Bandwidth attacks
• Consuming all the bandwidth of a site
⦿ Logic attacks
• Exploit vulnerabilities in n/w s/w such as the web server or TCP/IP stack
⦿ Protocol attacks
• Exploit a specific feature or implementation bug of some protocol installed at the victim's system to consume an excessive amount of its resources
⦿ Unintentional DoS attack
1. Flood attack (ping flood):
• The attacker sends a large number of ping packets, using the “ping” command, which results in more traffic than the victim can handle
• This requires the attacker to have a faster n/w connection than the victim
• Prevention is difficult
2. Ping of death attack:
• Sends oversized ICMP packets
• On receiving this packet, the system will crash, freeze or reboot
3. SYN attack (TCP SYN flooding)
4. Teardrop attack:
• Attack where fragmented packets are forged to overlap each other when the receiving host tries to reassemble them
• IP's packet fragmentation algorithm is used to send corrupted packets to confuse the victim and may hang the system
• Windows 3.1x, 95 and NT, and Linux versions 2.0.32 and 2.1.63 are vulnerable to this attack
5. Smurf attack:
• Generating significant computer n/w traffic on the victim n/w, using floods via spoofed broadcast ping messages
• The attack consists of a host sending an ICMP echo request to the n/w broadcast address
• Every host receives this packet and sends back an ICMP echo response
• Internet Relay Chat (IRC) servers are the primary victims of smurf attacks
6. Nuke:
• An old DoS attack against computer n/ws consisting of fragmented or otherwise invalid ICMP packets sent to the target
• Achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop
• E.g., WinNuke, which exploited a vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock up and display the Blue Screen Of Death (BSOD)
⦿ Jolt2: attack against Windows-based machines; consumes 100% of CPU time on processing of illegal packets
⦿ Nemesy: generates random packets with spoofed source IPs
⦿ Targa: used to run 8 different DoS attacks
⦿ Crazy Pinger: sends large ICMP packets
⦿ SomeTrouble: remote flooder and bomber, developed in Delphi
⦿ It is a more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat
⦿ Uses server and Internet vulnerabilities to initiate, transmit and thereafter spread the attack
⦿ Characteristics:
• Causes harm to the infected system or n/w
• Propagates using multiple methods, as the attack may come from multiple points
• Exploits vulnerabilities
⦿ Serves multiple attacks in one payload
⦿ Uses multiple modes of transport
⦿ Rather than a specific attack on predetermined “.exe” files, it could do multiple malicious acts, such as modifying your “.exe” files, HTML files and registry keys
⦿ Damages a system so badly that it requires replacement or reinstallation of h/w
⦿ Pure h/w sabotage
⦿ PhlashDance is a tool created by Rich Smith, who detected and demonstrated PDoS
⦿ The attacker uses your computer to attack another computer
⦿ By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer, then force your computer to send huge amounts of data to a website or send spam to particular E-Mail addresses
⦿ The attack is “distributed” because the attacker is using multiple computers to launch the DoS attack
⦿ A large number of zombie systems are synchronized to attack a particular system. Zombie systems are called “secondary victims” and the main target is called the “primary victim”
⦿ Implement router filters
⦿ If such filters are available for your system, install patches to guard against TCP SYN flooding
⦿ Disable any unused or inessential n/w services
⦿ Observe your system performance and establish baselines for ordinary activity
⦿ Routinely examine your physical security
⦿ Use tools to detect changes in configuration info or other files
⦿ Invest in and maintain “hot spares”
⦿ Invest in redundant and fault-tolerant n/w configurations
⦿ Establish and maintain regular backup schedules and policies
⦿ Establish and maintain appropriate password policies
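The SYN flood described above (spoofed sources, the victim left waiting for handshakes that never complete) can be spotted from the victim's side by comparing SYN activity against an ordinary-activity baseline, as the prevention list recommends. This is an added defender-side example, not code from the slides; the event format, the sample traffic and the threshold of three times the baseline are all constructed assumptions.

```python
from collections import Counter


def build_sample_events():
    """Constructed sample of TCP flag observations seen by the victim:
    (time in seconds, flag, source IP). Uses RFC 5737 documentation ranges."""
    events = []
    # One legitimate client: each SYN is followed by its handshake ACK.
    for t in (0, 5):
        events.append((t, "SYN", "198.51.100.7"))
        events.append((t + 1, "ACK", "198.51.100.7"))
    # Spoofed SYN flood: 40 SYNs in 4 s from 8 rotating fake sources,
    # none of which ever completes the handshake (the victim keeps waiting).
    for i in range(40):
        events.append((i // 10, "SYN", f"203.0.113.{i % 8}"))
    return events


def analyse_window(events, baseline_syn_per_sec, window_seconds=10):
    """Compare SYN activity in one window against the established baseline
    and list sources that left connections half-open (SYN with no ACK)."""
    in_window = [e for e in events if 0 <= e[0] < window_seconds]
    syns = Counter(src for _, flag, src in in_window if flag == "SYN")
    acks = Counter(src for _, flag, src in in_window if flag == "ACK")
    total_syn = sum(syns.values())
    syn_rate = total_syn / window_seconds
    # Sources with more SYNs than ACKs left handshakes incomplete.
    half_open = {src: n - acks.get(src, 0)
                 for src, n in syns.items() if n > acks.get(src, 0)}
    return {
        "syn_rate": syn_rate,
        # Assumed rule: a rate several times the baseline counts as a flood.
        "flood": syn_rate > 3 * baseline_syn_per_sec,
        "half_open_ratio": sum(half_open.values()) / max(total_syn, 1),
        "suspect_sources": sorted(half_open),
    }


if __name__ == "__main__":
    report = analyse_window(build_sample_events(), baseline_syn_per_sec=0.5)
    print(report)
```

The suspect-source list is what a router filter from the prevention list would be fed; because the flood sources are spoofed, the rate and half-open ratio are the more reliable signals.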
⦿ It is a code injection technique that exploits a security vulnerability occurring in the DB layer of an application
⦿ Also known as SQL insertion attacks
⦿ Targets SQL servers
⦿ Objective: “to obtain the info while accessing a DB table that may contain personal info”
⦿ Malicious code is inserted into a web form field or the website's code to make a system execute a command shell or other arbitrary commands
⦿ The attacker looks for web pages that allow submitting data, that is, login pages, search or feedback pages etc. Also looks for HTML commands such as POST and GET by checking the site's source code
⦿ Checks the HTML source code and looks for the “FORM” tag
⦿ Inputs a single quote in the textbox provided on the webpage to accept the username and password. This checks whether the user-input variable is sanitized or interpreted literally by the server. If the response is an error message, the website is found to be susceptible to SQL injection
⦿ Uses SQL commands such as SELECT or INSERT
⦿ Using SQL injection, an attacker can:
• Obtain some basic info if the purpose of the attack is reconnaissance
🞄 To get a directory listing
🞄 To ping an IP address
• Gain access to the DB by obtaining usernames and passwords
🞄 To get a user listing: SELECT * FROM users WHERE name = '' OR '1'='1'
• Add new data to the DB
🞄 Execute an INSERT command
• Modify data currently in the DB
🞄 Execute an UPDATE command
⦿ It is used when a web application is vulnerable to SQL injection but the results of the injection are not visible to the attacker
⦿ Attacks occur due to poor web site administration and coding
⦿ Steps to prevent the attack:
1) Input validation:
🞄 Replace all single quotes with two single quotes
🞄 Sanitize the input: user inputs need to be checked and cleaned of any characters or strings that could possibly be used maliciously
🞄 Numeric values should be checked
🞄 Keep all text boxes and form fields as short as possible to limit the length of user input
2) Modify error reports
🞄 SQL errors should not be displayed to outside users
3) Other preventions
🞄 SQL Server 2000 should never be used
🞄 Isolate the DB server and web server. Both should reside on different machines
🞄 Extended stored procedures should not be used; if there are unused triggers, stored procedures, user-defined functions etc., these should be moved to an isolated server
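The single-quote probe, the '1'='1' user listing and prevention step 1 above can all be reproduced against a throwaway database. This added example (not code from the slides) uses SQLite and a constructed three-row users table; it puts the string-concatenated login next to the quote-doubling fix the slides describe and next to a parameterised query, and shows why leaked SQL errors (prevention step 2) matter.

```python
import sqlite3

# Constructed sample user table (hypothetical data, not from the slides).
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55w0rd")]

# The slide's tautology payload, used as both username and password.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string concatenation, so user input is parsed
    as SQL. This is the flaw the slides describe."""
    sql = ("SELECT name FROM users WHERE name='" + name
           + "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def double_quotes(value):
    """Prevention step 1: replace every single quote with two single quotes."""
    return value.replace("'", "''")


def login_escaped(conn, name, password):
    """Same concatenation, but with the slide's quote-doubling applied first.
    Closes the quote-based hole shown here; still weaker than placeholders."""
    return login_vulnerable(conn, double_quotes(name), double_quotes(password))


def login_parameterised(conn, name, password):
    """Placeholders hand the values to the DB engine separately from the
    statement text, so a quote in the input can never end the literal."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def single_quote_probe_errors(conn, login):
    """The slide's susceptibility test: does a lone single quote make the
    login raise a DB error? Showing that error to outside users is what
    prevention step 2 (modify error reports) is meant to stop."""
    try:
        login(conn, "'", "x")
    except sqlite3.Error:
        return True
    return False
```

With the concatenated query the tautology returns every row, because the injected condition is evaluated as `name='' OR '1'='1' AND password='' OR '1'='1'`; the escaped and parameterised versions return nothing for the same input.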
⦿ Buffer overflow, or buffer overrun, is an anomaly (irregularity) where a process stores data in a buffer outside the memory the programmer has set aside for it
⦿ The extra data may result in erratic program behavior, including memory access errors, incorrect results, program termination, or a breach of system security
⦿ It can be triggered by inputs that are designed to execute code or alter the way the program operates
⦿ Programming languages associated with it include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory
⦿ Security attack on data integrity
⦿ Stack-based buffer overflow:
• Occurs when a program writes to a memory address on the program's call stack outside the intended data structure, usually a fixed-length buffer
• Characteristics of stack-based programming:
🞄 The “stack” is a memory space in which automatic variables are allocated
🞄 Function parameters are allocated on the stack and are not automatically initialized by the system
🞄 Once a function has completed its cycle, the reference to the variable in the stack is removed
⦿ Stack-based buffer overflow:
• The attacker may exploit stack-based buffer overflows to manipulate the program in various ways by overwriting:
🞄 A local variable that is near the buffer in memory on the stack, to change the behavior of the program in a way that may benefit the attacker
🞄 The return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually the input-filled buffer
🞄 A function pointer, or exception handler, which is subsequently executed
• Factors that make such exploits harder to carry out:
🞄 Null bytes in addresses
🞄 Variability in the location of shellcode
🞄 Differences between environments
⦿ NOPs:
• An assembly language instruction/command that effectively does nothing at all
• NOPs allow code to execute when the exact value of the instruction pointer is indeterminate
• They help with locating the exact address of the buffer by effectively increasing the size of the target stack buffer area
• The attacker can increase the odds of finding the right memory address by padding his/her code with NOP operations
• To do this, much larger sections of the stack are corrupted with NOOP machine instructions
• At the end of the attacker-supplied data, after the NOOPs, an instruction is placed to perform a relative jump to the top of the buffer where the shellcode is located
⦿ Heap buffer overflow:
• Occurs in the heap data area and may be introduced accidentally by an application programmer or it may result from a deliberate exploit
⦿ Manual assessment of secure code
⦿ Disable stack execution
⦿ Compiler tools
⦿ Dynamic run-time checks
⦿ Various tools are used to detect/defend against buffer overflow, e.g. StackGuard, ProPolice, LibSafe
⦿ In security breaches, penetration of a wireless network through unauthorized access is termed wireless cracking
⦿ Traditional techniques:
• Sniffing
• Spoofing
• DoS
• Man-in-the-middle attack
• Encryption cracking
⦿ Change the default settings of all the equipment/components of the wireless network
⦿ Enable WPA/WEP encryption
⦿ Change the default SSID
⦿ Enable MAC address filtering
⦿ Disable remote login
⦿ Disable SSID broadcast
⦿ Disable the features that are not used in the AP
⦿ Avoid giving the n/w a name which can be easily identified
⦿ Connect only to secured wireless n/ws
⦿ Upgrade the router's firmware periodically
⦿ Assign static IP addresses to devices
⦿ Enable firewalls on each computer and on the router
⦿ Position the router or AP safely
⦿ Turn off the n/w during extended periods when not in use
⦿ Periodically and regularly monitor wireless n/w security
