2.1. System and Boot Record Infectors
System and boot record infectors were the most common type of virus until the mid 1990s. These viruses infect system areas of a computer such as the Master Boot Record (MBR) on hard disks and the DOS boot record on floppy disks. By installing itself into a boot record, the virus runs every time the computer is booted. Floppy disks were a frequent carrier because users tended to leave a disk in the drive: if a disk is left in the floppy drive, the computer may boot from it on the next restart, and the virus gets its chance to execute. These viruses were very common in the early days of personal computing. However, with the introduction of more modern operating systems, and with boot-sector virus checks enabled in the Basic Input Output System (BIOS), few of these viruses are being created today. New means of propagation, such as the Internet, are also much more attractive to virus creators.
Hackers can be career criminals. They are competent and highly skilled at using computers. Once they analyze a target system and discover a weak point, they find ways to access and attack the system. They can use various kinds of attacks or even develop their own ways to attack the computer system. For example, they may access a system and create bogus information or try to create an information flood. They can also break into Web servers to access or steal information.
Network eavesdropping, or network sniffing, is a network-layer attack that consists of capturing packets transmitted by other computers on the network and reading their data content in search of sensitive information such as passwords, session tokens, or any other kind of confidential information.
The attack is carried out with tools called network sniffers. These tools collect packets on the network and, depending on the quality of the tool, offer analysis features such as protocol decoding or stream reassembly.
A Computer Virus is a small program designed to cause some kind of damage in the infected computer, by deleting data, capturing information, or by altering the normal operation of the machine.
In general there are 3 main types of computer virus:
- Boot Virus – Stays in the boot sector of the floppy and in the Master Boot Record (MBR) of hard disks.
- Macro Virus – The most common and most easily created virus, but less harmful. A macro virus uses the macro language of the application (such as Visual Basic or VBScript) to infect and duplicate documents and templates. They can attack any platform, but are generally written for Microsoft Office, using Microsoft's programming environment to carry the macro virus code. When an infected document is opened, the virus runs, infects the user's application templates, and can insert words, numbers or phrases in documents or change command functions. Once a macro virus infects a user's machine, it can attach itself to every document that the application creates in the future.
- Program Virus – Normally carried in files with the extensions .com, .exe and .bat, and activated only when the user runs them. Many of them are sent by e-mail or instant message.
- Crypto Virus – A hybrid method of infection that uses asymmetric cryptography and is not detectable by generic antivirus software.
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user before it is run or installed, but (perhaps in addition to the expected function) steals information or harms the system. The term is derived from the Trojan Horse story in Greek mythology.
Phishing is misrepresentation where the criminal uses social engineering to appear as a trusted identity. They leverage the trust to gain valuable information; usually details of accounts, or enough information to open accounts, obtain loans, or buy goods through e-commerce sites.
Up to 5% of users seem to be lured into these attacks, so it can be quite profitable for scammers – many of whom send millions of scam e-mails a day.
The basic phishing attack follows one or more of these patterns:
- Delivered via web site, e-mail or instant message, the attack asks users to click on a link to “re-validate” or “re-activate” their account. The link displays a believable facsimile of your site and brand to con users into submitting private details.
- Sends a threatening e-mail telling the user that they have attacked the sender. There’s a link in the e-mail which asks users to provide personal details.
- Installs spyware that watches for certain bank URLs to be typed, and when typed, up pops a believable form that asks the users for their private details.
- Installs spyware (such as Berbew) that watches for POST data, such as usernames and passwords, which is then sent onto a third party system.
- Installs spyware (such as AgoBot) that dredges the host PC for information from caches and cookies.
- “Urgent” messages that the user’s account has been compromised, and they need to take some sort of action to “clear it up”.
- Messages from the “Security” section asking the victim to check their account as someone illegally accessed it on this date. Just click this trusty link…
- Worms have been known to send phishing e-mails, such as MiMail, so delivery mechanisms constantly evolve. Phishing gangs (aka organized crime) often use malicious software like Sasser or SubSeven to install and control zombie PCs to hide their actions, provide many hosts to receive phishing information, and evade the shutdown of one or two hosts.
- Sites that are not phished today are not immune from phishing tomorrow. Phishers have a variety of uses for stolen accounts — any kind of e-commerce is usable. For example:
  - Bank accounts: Steal money. But other uses: Money laundering. If they cannot convert the money to cash, then just keep it moving. Just because you don’t have anything of value sitting in the account does not mean that the account has no value. Many bank accounts are linked. So compromising one will likely compromise many others. Bank accounts can lead to social security numbers and other account numbers. (Do you pay bills using an auto-pay system? Those account numbers are also accessible. Same with direct deposit.)
  - PayPal: All the benefits of a bank without being a bank. No FDIC paper trail.
  - eBay: Laundering.
  - Western Union: “Cashing out”. Converting stolen money to cash.
  - Online music and other e-commerce stores: Laundering. Sometimes goods (e.g., music) are more desirable than money. Cashing out takes significant resources. Just getting music (downloadable, instant, non-returnable) is easy. And easy is sometimes desirable.
  - ISP accounts: Spamming, compromising web servers, virus distribution, etc. Could also lead to bank accounts. For example, if you use auto-pay from your bank to your ISP, then the ISP account usually leads to the bank account number.
  - Physical utilities (phone, gas, electricity, water): directly lead to identity theft.
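The first pattern above relies on a link whose visible text looks like the genuine site while its real target is elsewhere. The following added example (not part of the original text) is a mail-gateway style check for such links: it flags a displayed host that differs from the actual host, a brand name appearing on a foreign domain, bare IP targets, plain-http credential forms and "re-validate" style urgency wording. The brand domain, the URLs and the crude two-label approximation of a registrable domain are assumptions for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Wording typical of account re-validation lures (assumption: a small starter list).
URGENCY = re.compile(r"re-?validate|re-?activate|compromised|verify your account|suspended", re.I)

def host_of(url: str) -> str:
    """Hostname of a URL or bare host string, lower-cased."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def registrable(host: str) -> str:
    """Approximate the registrable domain by its last two labels
    (assumption: no public-suffix list, so co.uk-style names are not handled)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def assess_link(display_text: str, href: str, brand_domains, body: str = "") -> list:
    """Return the reasons a link in a message looks like a phishing lure ([] if none)."""
    reasons = []
    href_host = host_of(href)
    if is_ip_literal(href_host):
        reasons.append("link target is a bare IP address")
    shown = host_of(display_text) if "." in display_text else ""
    if shown and registrable(shown) != registrable(href_host):
        reasons.append(f"displayed host {shown} differs from actual host {href_host}")
    for brand in brand_domains:
        name = brand.split(".")[0]
        if name in href_host and registrable(href_host) != registrable(brand):
            reasons.append(f"brand name '{name}' used on non-brand domain {href_host}")
    if urlparse(href).scheme == "http":
        reasons.append("form would submit credentials over plain http")
    if URGENCY.search(body):
        reasons.append("urgency wording typical of account re-validation lures")
    return reasons
```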
2.8. IP Spoofing Attacks
In computer networking, the term IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system.
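The standard defence against forged source addresses is source address validation at the network edge (BCP 38 ingress filtering): a packet is dropped when its source address could not legitimately have arrived on that interface. The following added example (not from the original text) implements that check for a two-interface border router; the interface names, the inside prefix and the sample packets are constructed assumptions, and only IPv4 is handled.

```python
import ipaddress

# Constructed sample topology (assumption): the inside interface serves
# 192.0.2.0/24, the outside interface faces the rest of the Internet.
INSIDE_IFACE = "eth0"
OUTSIDE_IFACE = "eth1"
INSIDE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that must never arrive from the outside: our own
# prefixes plus private, loopback and "this network" ranges.
NEVER_FROM_OUTSIDE = INSIDE_PREFIXES + [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]

def in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)

def ingress_verdict(iface: str, src: str) -> str:
    """Return 'accept' or 'drop:<reason>' for a packet that arrived on iface
    claiming source address src."""
    addr = ipaddress.ip_address(src)
    if iface == INSIDE_IFACE:
        # Egress side of BCP 38: inside hosts may only use addresses we own,
        # so spoofed packets never leave our network.
        if not in_any(addr, INSIDE_PREFIXES):
            return "drop:inside host claims a source address we do not own"
        return "accept"
    if iface == OUTSIDE_IFACE:
        # Ingress side: nobody outside may impersonate an inside or reserved address.
        if in_any(addr, NEVER_FROM_OUTSIDE):
            return "drop:outside packet claims an internal or reserved source"
        return "accept"
    return "drop:unknown interface"

def dropped(packets) -> list:
    """packets: iterable of (iface, src, dst); returns (src, verdict) for every drop."""
    out = []
    for iface, src, _dst in packets:
        verdict = ingress_verdict(iface, src)
        if verdict != "accept":
            out.append((src, verdict))
    return out
```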
2.9. Denial of Service
A Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose for which it was designed. There are many ways to make a service unavailable to legitimate users: manipulating network packets, or exploiting programming, logic or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may stop providing service to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or if the way the service handles its resources is abused.
Sometimes the attacker can inject and execute arbitrary code while performing a DoS attack in order to access critical information or execute commands on the server. Denial-of-service attacks significantly degrade the service quality experienced by legitimate users. They introduce large response delays, excessive losses, and service interruptions, resulting in a direct impact on availability.
Unlike a password-based attack, the denial-of-service attack prevents normal use of your computer or network by valid users.
After gaining access to your network, the attacker can do any of the following:
- Divert the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
- Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
- Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
- Block traffic, which results in a loss of access to network resources by authorized users.
2.10. Password-Based Attacks
A common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password.
Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.
When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.
After gaining access to your network with a valid account, an attacker can do any of the following:
- Obtain lists of valid user and computer names and network information.
- Modify server and network configurations, including access controls and routing tables.
- Modify, reroute, or delete your data.
2.11. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data.
Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack is capable of the same damage as an application-layer attack, described later in this section.
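The exchange described above, where neither computer can tell whom it is really talking to, is easiest to see with an unauthenticated key agreement. The following added example (not part of the original text) simulates a Diffie-Hellman exchange between Alice and Bob, once directly and once through an attacker who substitutes their own public value, and then shows that authenticating the exchanged values (here with an HMAC under a pre-shared authentication key; real protocols use certificates or signatures) makes both sides reject the substituted values. The prime, generator and key names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption): a small Mersenne prime, far too weak for real use,
# but large enough that random public values never collide in this demo.
P = 2**61 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv: int, other_pub: int) -> str:
    return hashlib.sha256(str(pow(other_pub, priv, P)).encode()).hexdigest()

def tag(auth_key: bytes, pub: int) -> bytes:
    """Authenticate a public value; the attacker cannot forge this without auth_key."""
    return hmac.new(auth_key, str(pub).encode(), hashlib.sha256).digest()

def exchange(intercept: bool, auth_key=None) -> dict:
    """Run one key agreement. With intercept=True an active attacker replaces
    each public value in transit, replying to each side as the other."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    pub_seen_by_bob = m_pub if intercept else a_pub
    pub_seen_by_alice = m_pub if intercept else b_pub
    result = {"rejected": False}
    if auth_key is not None:
        # The genuine tags travel with the values; a substituted value no longer matches.
        ok_bob = hmac.compare_digest(tag(auth_key, a_pub), tag(auth_key, pub_seen_by_bob))
        ok_alice = hmac.compare_digest(tag(auth_key, b_pub), tag(auth_key, pub_seen_by_alice))
        if not (ok_bob and ok_alice):
            result["rejected"] = True
            return result
    result["alice_key"] = shared_key(a_priv, pub_seen_by_alice)
    result["bob_key"] = shared_key(b_priv, pub_seen_by_bob)
    # Without authentication the attacker shares a key with each side separately.
    result["mitm_knows_alice_key"] = intercept and shared_key(m_priv, a_pub) == result["alice_key"]
    return result
```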
2.12. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.
An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.
2.13. Sniffer Attack
A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.
Using a sniffer, an attacker can do any of the following:
- Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
- Read your communications.
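Both the network eavesdropping passage earlier and this section make the same point: whatever a sniffer captures is readable unless it is encrypted. The following added example (not from the original text) is the defender's view of that: it walks a constructed Ethernet/IPv4/TCP frame down to the TCP payload and reports credential fields that an HTTP POST is carrying in the clear, which is the check a network monitor would use to find applications still sending passwords unencrypted. The frame builder, addresses and form fields are constructed; checksums are left zero because nothing here validates them.

```python
import re
import struct

def build_frame(payload: bytes, src="192.0.2.10", dst="203.0.113.5", dport=80) -> bytes:
    """Construct a sample Ethernet/IPv4/TCP frame carrying payload (checksums left 0)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def tcp_payload(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP headers; return (src, dst, dport, payload) or None."""
    if frame[12:14] != b"\x08\x00":
        return None                      # not IPv4
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    if frame[23] != 6:
        return None                      # not TCP
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    data_off = (frame[tcp + 12] >> 4) * 4   # TCP header length in bytes
    return src, dst, dport, frame[tcp + data_off:]

# Form field names worth flagging when they travel unencrypted (assumption: starter list).
CRED = re.compile(rb"(?:^|&)(user(?:name)?|pass(?:word|wd)?|session|token)=([^&\r\n]*)", re.I)

def find_cleartext_credentials(frame: bytes) -> list:
    """Names of credential fields visible in an unencrypted HTTP POST body, else []."""
    parsed = tcp_payload(frame)
    if parsed is None:
        return []
    _src, _dst, dport, payload = parsed
    if dport == 443:
        return []                        # TLS: the payload is ciphertext, nothing to read
    if not payload.startswith(b"POST "):
        return []
    _headers, _, body = payload.partition(b"\r\n\r\n")
    return [m.group(1).decode().lower() for m in CRED.finditer(body)]

# Constructed sample login request.
LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              b"username=alice&password=hunter2&remember=1")
```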
2.14. Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in a server’s operating system or applications. This results in the attacker gaining the ability to bypass normal access controls. The attacker takes advantage of this situation, gaining control of your application, system, or network, and can do any of the following:
- Read, add, delete, or modify your data or operating system.
- Introduce a virus program that uses your computers and software applications to copy viruses throughout your network.
- Introduce a sniffer program to analyze your network and gain information that can eventually be used to crash or to corrupt your systems and network.
- Abnormally terminate your data applications or operating systems.
- Disable other security controls to enable future attacks.
2.15. Email Bombing and Spamming
Email bombing is characterised by abusers repeatedly sending an identical email message to a particular address. Email spamming is a variant of bombing; it refers to sending email to hundreds or thousands of users. Email spamming can be made worse if recipients reply to the email, causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to a mailing list without realizing that the list explodes to thousands of users, or as a result of an incorrectly set-up auto-responder message. Email bombing and spamming may be combined with email spoofing, making it more difficult to determine where the email is actually coming from. If your email system looks slow or email doesn’t appear to be sent or received, the reason may be that your mailer is trying to process a large number of messages. When large amounts of email are directed to or through a single site, the site may suffer a denial of service through loss of network connectivity, system crashes, or failure of a service because of overloaded network connections, exhaustion of all available system resources, and a full disk caused by the multiple postings and the resulting syslog entries.
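Both behaviours described above leave a recognisable pattern in a mail server's delivery log: bombing is one sender repeating the same message to one recipient, spamming is one message fanning out to many recipients. The following added example (not from the original text) runs a sliding-window detector over constructed log entries; the log format, the window and the thresholds are assumptions and would be tuned to a real MTA's log and traffic levels.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption, not a real MTA's): one delivery per line,
# with msg= holding a digest of the message body so identical copies share it.
LINE = re.compile(r"^(\S+) from=(\S+) to=(\S+) msg=(\S+)$")

def parse(lines):
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events

def detect(lines, window=timedelta(minutes=5), bomb_threshold=5, spam_threshold=3):
    """Return sorted alerts: ('bomb', sender, recipient) when one sender repeats the
    same message to one recipient, ('spam', sender, msg) when one message reaches
    many recipients, each counted within the sliding window."""
    alerts = set()
    recent = defaultdict(list)    # (sender, recipient, msg) -> delivery times in window
    fanout = defaultdict(dict)    # (sender, msg) -> {recipient: last delivery time}
    for ts, sender, rcpt, msg in sorted(parse(lines)):
        key = (sender, rcpt, msg)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= bomb_threshold:
            alerts.add(("bomb", sender, rcpt))
        fanout[(sender, msg)][rcpt] = ts
        live = [r for r, t in fanout[(sender, msg)].items() if ts - t <= window]
        if len(live) >= spam_threshold:
            alerts.add(("spam", sender, msg))
    return sorted(alerts)

SAMPLE_LOG = [  # constructed sample entries
    "2024-05-01T10:00:00 from=bomber@attacker.example to=ceo@corp.example msg=h1",
    "2024-05-01T10:00:01 from=bomber@attacker.example to=ceo@corp.example msg=h1",
    "2024-05-01T10:00:02 from=bomber@attacker.example to=ceo@corp.example msg=h1",
    "2024-05-01T10:00:03 from=bomber@attacker.example to=ceo@corp.example msg=h1",
    "2024-05-01T10:00:04 from=bomber@attacker.example to=ceo@corp.example msg=h1",
    "2024-05-01T10:10:00 from=list@corp.example to=a@corp.example msg=h2",
    "2024-05-01T10:10:01 from=list@corp.example to=b@corp.example msg=h2",
    "2024-05-01T10:10:02 from=list@corp.example to=c@corp.example msg=h2",
    "2024-05-01T11:00:00 from=alice@corp.example to=bob@corp.example msg=h3",
]
```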