17. Malware and Cyber Attacks

Methods

Many different methods to gain access to a target computer:

• Social engineering: persuading an authorized user to do something
• Hacking/cracking: guessing, corrupting or stealing information
• Viruses/worms
  • Virus:
    • Attaches itself to legitimate programs
    • Often causes undesirable behavior
    • Automatically spreads to other computers (e.g. through email attachments)
  • Worm:
    • Runs independently
    • Replicates complete copies of itself onto other hosts on a network, often using system vulnerabilities (e.g. WannaCry)
• Trojan horse:
  • Harmful piece of software that appears benign and legitimate
  • Do not infect files and does not necessarily self-propagate
  • Gives attacker remote access to a machine
  • Network can be scanned by the attacker’s servers to locate infected machines, forming a botnet:
    • Bot: software agent interacting with a service intended for people.
    • Botnet: collection of bots running autonomously; usually a collection of compromised machines (e.g. services exposed to the internet using default usernames/passwords) running trojans, worms or backdoors.
  • e.g. Zeus:
    • Stole bank information through a keylogger
    • Spread through drive-by-downloads and phishing attacks
• Network-layer attacks:
  • IP spoofing, sequence number predicition, TCP jacking
• Web-based attacks:
  • XSS, SQL injection, session hijacking
• Denial of Service (DoS)
  • Operating system attacks:
    • Ping of death, tear drop, land, snork
  • Network attacks:
    • SYN flood, TCP fin/rst
  • Distributed DoS:
    • TCP flood, reflection

Social Engineering

Persuading an authorized user to disclose sensitive information:

• Inviting user to log into fake website
• Impersonating employee that has forgotten their user ID and/password
• Impersonating technical support staff and requesting that they login to ‘check’ their account
• Persuading a user to install malicious software

Spear phishing:

• Email appearing to be from an individual or business you know
• Attempts to gain access to sensitive information such as credit card/bank account numbers, passwords etc.

Hacking/Cracking

Password discovery: default passwords.

Password cracking tools also readily available for many systems (e.g. zip files, Windows password files).

Password attacks:

• Brute force: all possible permutations of characters
• Dictionary attacks: real-world passwords or permutations of them
• Tools such as L0phtcrack, John the Ripper available

Denial of Service Attacks

Makes network services unavailable to users by overloading servers.

Financial incentive (DOS for hire services) and/or for extortion (stop attack when ransom paid).

No magic solution: use a properly-configured firewall to filter out illegitimate requests, and add more servers.

e.g. TCP SYN-ACK flood:

• Normal SYN-ACK sequence: client asks for connection (SYN), server allocates resources (SYN-ACK), client responds with ACK
• Attack can spoof sender IP address and flood target server with SYN connections; won’t receive response from the server, but forces it to allocate resources for the connection

Rootkits

Collection of programs used to mask intrusion and obtain admin access.

After gaining user-level access to a target system, attacker can install rootkits through known vulnerabilities, password cracking etc.

They may collect user IDs and passwords from other machines on the network. e.g.

Once installed they may:

• Monitor traffic and keystrokes
• Add backdoors
• Alter log files
• Attack other machines on the network
• Alter system tools to circumvent detection

Blended Threats

Combination of attacks using different vulnerabilities:

• Worms dropping viruses
• Destructive trojans horses
• Password stealers
• Remote access trojans (RATs)
  • Previously used against energy sectors
  • Now aimed at organizations using/making industrial machines/systems
  • 2013, Flavex: hacked into websites of manufacturers of industrial control systems and poisoned their software download files
• Trojanized applications that replace system tools
• Multi-platform attacks
• Advanced persistent threats (APTs)
  • Stealthy and continuous hacking processes: humans involved in real-time
  • Attacking organizations or nation-states
  • Requires high degree of covertness over a long period of time
  • External command-and-control, continuous monitoring and data extraction

Zero Day Attacks

Taking advantages of software vulnerabilities before the manufacturer can release a patch/fix.

Blaster worm (Windows 2000):

• Extremely virulent
• Optional patch released one month prior to release

Nachi worm:

• Variant of Blaster
• Carried dangerous payload
• Released two days after patch released

Time available to install updates shrinks over time and may be negative in some cases.

Attack Methods

Buffer Overflow

Exploits inadequate buffer boundary checking.

It often involves overwriting return addresses on the stack, making the machine run attacker-controlled code. However, it could also leak memory contents to the attacker.

Heartbleed was an example of the latter:

• https://xkcd.com/1354/
• Bug existed for over two years
• Leaked private keys, user details
• More than 300,000 attacks in a single day