System Attack Methods


Attackers develop new methods as fast as new products and technologies are introduced to be attacked. It seems as though as soon as something new and cool comes out, only days later we learn that someone has found a way to attack it.

Malicious code

As soon as data found a way to move easily from computer to computer, a creative individual with a bad attitude figured out that he could include something that would play a not-so-practical joke, like delete or alter files on someone else’s computer.

Unfortunately, several types of malicious code are out there; we define the most interesting ones here.

Viruses

The main purpose of a computer virus, a (usually) small program, is to replicate itself. Early computer viruses attached themselves to floppy disk boot sectors or to executables (such as .COM or .EXE files). Boot sector viruses spread if the PC was booted with an infected diskette. Viruses attached to executable files would spread when those executable files were run. Multipartite viruses spread by using both the boot sector and executable files.

Today, viruses spread in some new ways, including macros found in Microsoft Word and Excel documents, as well as in image files and ActiveX controls. We’ve also seen viruses spread through cross-site scripting vulnerabilities in Web sites and through instant messaging software. Virus writers - known as VXers - are always seeking new ways to propagate viruses and other malicious code.

Strictly speaking, a virus spreads by making (usually) identical copies of itself on files that are likely to be transported to other computers. Other types of malicious code such as worms and Trojan horses are often mistakenly called viruses.

If you find this topic fascinating (we sure do), you might consider picking up a copy of Computer Viruses For Dummies (Wiley Publishing, Inc.; yes, one of us wrote that book).

Worms

A worm is very similar to a virus: Both are designed to replicate quickly, but worms don’t attach themselves to programs like viruses do. Instead, worms propagate by attacking known weaknesses on computer systems. On those systems where a weakness is found, the worm is able to successfully break in and enter. Whatever the weakness happens to be, the result is the same: The worm is able to assume enough control of the system (or just of the application whose weakness it exploited) to use that system as a base to launch attacks against more systems. And in the meantime, the worm may also have some destructive characteristics as well: It could change or delete data on the system.

Some of the most successful malicious code events (NIMDA and Code Red) were worms.

Trojan horses

A Trojan horse, like its storybook namesake, is an object that claims to be something but turns out to be something far different (and not very nice).

Technical Stuff: The Morris Worm

In 1988, computer researcher Robert Tappan Morris developed and released what is now known as The Internet Worm. This was the first widely successful worm in terms of the extent of its propagation and impact on the Internet. It exploited vulnerabilities in several UNIX utilities, and also exploited the transitive trust that existed between networks at that time. A report called “The Internet Worm Incident” gives a lucid description of the worm’s composition and propagation techniques. You should be able to find this report by using your favorite search engine or online encyclopedia. The worm used techniques still in use today to exploit known vulnerabilities; understanding it gives the reader insight into present-day malicious code.


Trojan horses generally don’t spread by replicating themselves, but they can be equally damaging nonetheless. Trojan horses became prevalent with the rise of the Internet and e-mail. A typical Trojan horse arrives in the payload of an e-mail message, usually an attached executable file or a file with macros. The text portion of the e-mail message may read something like “Viagra without a prescription, click here” or “See Britney Spears naked!!” or some other enticing message designed to lure people into executing the Trojan horse and aiding in its sword-wielding propagation through Cyberspace.

Hoaxes

As the popularity of e-mail increased, viruses rode the rails and propagated themselves via e-mail. Conscientious people everywhere, learning of real viruses, would write up warning messages and send them to their friends and colleagues. But chip-on-their-shoulder virus writers decided to attack on another front: creating phony virus warning messages in order to instill panic and occasionally to get naive users to unwittingly do harmful things. Such false warnings, like their offline predecessors, are called hoaxes.

Typically, a virus hoax will arrive via e-mail, making a plea like Please watch your inbox and DO NOT OPEN any message that has "Pictures for you" in the subject line. Whatever you do, do not open the message or your entire hard drive will be reformatted. I know - it happened to me two weeks ago, and I just got my computer back today.

Even hoaxes serve a purpose: They can account for millions of productivity hours lost in companies around the world. Sometimes hoax messages clog e-mail systems, which is often one of the intentions of the perpetrator of the hoax.

Logic bombs

A logic bomb is a program designed to cause damage when some event has occurred. For instance, a logic bomb could destroy files when the user invokes a certain program such as a text editor. Logic bombs don’t replicate themselves, but viruses or worms can leave them behind.

A common logic bomb is malicious code that will activate on a certain date. Disgruntled programmers sometimes plant logic bombs that activate and destroy data long after they have left their jobs. Nice parting gift, eh? This doozy alone justifies the use of code reviews and controls that prevent unauthorized changes from being inserted into software and systems.

Malicious applets

ActiveX and Java applets have been known to carry malicious code and wreak havoc on users’ computers. Strictly speaking, writing destructive ActiveX applets is easier because the applets have unfettered access to the entire computer. Destructive Java applets are far more difficult to write because they must exploit some weakness in the Java “sandbox” in order to break out of it and do whatever damaging deed they were designed to do. For more, read the earlier section “Applets.”

Trap doors

A trap door is a type of logic bomb that functions as part of a program. The trap door performs an undocumented function when certain conditions are met. Often these functions are designed to bypass security and other control mechanisms. An example trap door that we saw many years ago was planted in the /bin/login program on a UNIX system. When any ordinary user logged in to the system, the login program performed by the book. But when a special password was typed in (the publisher won’t let me tell you what it is), the login program would log the person in as root; further, the login program, which usually logs the session to an audit file, would conveniently forget to log the trap door session. The login program was hard to detect because its date, size, and checksum were the same as the original login program. It was a great - and terrible - logic bomb.
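The trojaned login program above survived a date, size and checksum comparison. This added example (not from the book) contrasts that weak check with a SHA-256 baseline that should be stored read-only off the host; the two byte strings are constructed stand-ins for the original and modified program, not real binaries.

```python
import hashlib
from dataclasses import dataclass


def additive_checksum(data: bytes) -> int:
    """A weak 16-bit additive checksum of the kind early integrity tools used."""
    return sum(data) & 0xFFFF


@dataclass(frozen=True)
class Baseline:
    size: int
    checksum: int
    sha256: str


def take_baseline(data: bytes) -> Baseline:
    """Record size, weak checksum and SHA-256 of a trusted copy of the file."""
    return Baseline(len(data), additive_checksum(data), hashlib.sha256(data).hexdigest())


def weak_check_passes(baseline: Baseline, data: bytes) -> bool:
    """Size-plus-checksum comparison, as fooled by the trojaned login binary."""
    return len(data) == baseline.size and additive_checksum(data) == baseline.checksum


def strong_check_passes(baseline: Baseline, data: bytes) -> bool:
    """Cryptographic hash comparison; any byte change yields a different digest."""
    return hashlib.sha256(data).hexdigest() == baseline.sha256


# Constructed stand-ins for the original and the trojaned program (not real binaries).
ORIGINAL = b"login: check password against passwd; log session"
# Reordering bytes keeps length and byte sum identical, so the weak check still passes.
TROJANED = b"login: check password against passwd; session log"

if __name__ == "__main__":
    base = take_baseline(ORIGINAL)
    print("weak check passes on modified file:", weak_check_passes(base, TROJANED))
    print("sha256 check passes on modified file:", strong_check_passes(base, TROJANED))
```

The file date offers even less than the checksum, since a modification time is trivially reset after the swap.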

Hidden code

If an attacker is able to modify or replace programs on the target system, he may elect to install hidden code. Hidden code is a set of computer instructions hiding inside another program that carries out some usually malicious act. An example of hidden code might be an application’s reporting program that also happens to erase certain audit trail entries.

An alteration of authorized code is an attack similar to a trap door, in which a program with specified privileges (for instance, the system’s administrator account or an application’s master user account) is modified to carry out some illicit functions of the attacker’s choosing.

Bot armies: The power of one

Computer researchers and engineers are familiar with the fact that large communities of computers are very powerful if they can be easily managed and controlled. The bad guys haven’t overlooked this fact. On the contrary, there is a respectable degree of sophistication on the part of those on the dark side. Here’s how it works: Many viruses and Trojan horses are designed to turn your PC into a remotely controlled zombie, or bot (short for robot). When a PC is infected with a bot, the bot software communicates back to a server, usually via an IRC (Internet Relay Chat protocol) channel, and registers itself.

The person behind this activity is called a bot herder. He or she has software on a server that can be used to control hundreds, thousands, even hundreds of thousands of these bots - called bot armies - to do their bidding, usually by sending or relaying large volumes of spam, hosting phishing Web sites, or performing DDOS attacks on businesses, governments, or universities.


Denial of Service

The Denial of Service (DOS) attack is an interesting one because the attacker never does gain entry into the targeted computer system - then again, he isn’t trying to get in. Instead, he floods the victim system with such a large number of network packets that legitimate users of the system are unable to reach it. The most successful DOS attacks not only slow down the system, but actually cause it to crash. This is because some methods of DOS attacks, such as the SYN attack, exhaust the system’s resources to the point that it can no longer function. True, SYN attacks are old hat, but they’re still interesting because they reveal a little bit about the creative thinking of the black hats out there.

A form of DOS attack, called Distributed Denial of Service (DDOS), occurs when an attacker uses hundreds, or even thousands or tens of thousands, of systems to attack a target simultaneously.

Dictionary attacks

The dictionary attack is a method used to crack computer account passwords by using common words found in a dictionary.

Most commonly, a dictionary attack tool acquires a copy of the UNIX password or shadow file, or the Windows SAM file. The hacker then loads the file on his local system and runs a password-cracking program to attempt to discover account passwords by guessing dictionary words and combinations of dictionary words and numbers: for example, 4food.

This type of attack has prompted companies to require their employees and customers to pick good passwords - that is, passwords that consist of random letters interspersed with numbers and special characters: !@#)(*&^%;[]{}:’”><. So rather than an easily guessed password like Alexis, a user would use a more difficult-to-guess password like Al3x1s*. Such a good password is practically impossible to break with a dictionary attack.
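As an added example (not from the book), here is a password-policy check that rejects the dictionary-based passwords this section describes; it goes one step beyond the book’s Al3x1s* example by also undoing common digit-for-letter substitutions, because password-cracking rule sets try those too. The word list is a constructed stand-in for a real dictionary file.

```python
import re

# Constructed sample word list standing in for a real dictionary file (assumption).
DICTIONARY = {"food", "alexis", "password", "welcome", "summer", "dragon"}

# Digit/symbol-for-letter swaps that cracking rule sets routinely undo.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def candidate_words(password: str) -> set:
    """Return the dictionary-like core words hidden inside a password.

    Mirrors what a dictionary attack tries: the plain word, the word with digits
    and symbols stripped from either end (4food, food99), and the word with
    common substitutions undone (Al3x1s* -> alexis).
    """
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET_MAP)}
    for form in list(forms):
        forms.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", form))
    return {f for f in forms if f}


def is_dictionary_based(password: str) -> bool:
    return any(word in DICTIONARY for word in candidate_words(password))


def check_password(password: str, min_len: int = 12) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        problems.append("uses fewer than three character classes")
    if is_dictionary_based(password):
        problems.append("built on a dictionary word")
    return problems


if __name__ == "__main__":
    for pw in ("Alexis", "4food", "Al3x1s*", "Tr0ub4dor&3xtra!"):
        print(pw, "->", check_password(pw) or "ok")
```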

Spoofing

In a spoofing attack, the attacker uses some way to change the network identity of a computer or program in order to trick the targeted system into granting access to the attacker. For instance, a targeted computer may only accept Telnet requests from systems with specific IP addresses. Knowing this, the attacker can send spoofed TCP/IP packets to the system in an attempt to fool the target system and break in.

Social engineering

Social engineering is an attack against people as a way of getting access to targeted systems. The classic case of social engineering occurs when a hacker makes a number of telephone calls to various people in an organization and gets a tidbit of information from each one. For instance, he can get modem access numbers from one person, IP addresses and system names from another, a userid from another, and get a password reset from a help-desk employee. And voilà, the attacker puts these pieces together to log into the company’s system by using its established remote access facilities.

Another common social engineering ploy is one where the attacker, posing as the system or security administrator, tells people to change their passwords to a specified value. The attacker then tries to log into the system by using that account to see whether any suckers did what he asked them to.

Remember: A social engineer preys on the human characteristic of the desire to help others. When you receive a phone call from someone who is pleading for help, you empathize with the person and want to help. Doesn’t it make you feel better to know that you’ve done your good deed for the day? Social engineers know this and use it to their advantage.

Pseudo flaw

A pseudo flaw attack is a special form of social engineering in which an attacker, posing as a system or security administrator or vendor, tells unsuspecting users that a security flaw has been discovered on their system and that they should install a certain patch, which is usually a Trojan horse.

Remote maintenance

Organizations need to be especially wary of vendors who need to connect via modem or through the Internet to one’s systems or networks in order to troubleshoot a problem or perform maintenance. If the vendor’s employee is dishonest, he may perform any number of acts that would constitute abuse at best and hacking at worst. This person may steal information or services, insert trap doors or logic bombs, or use his customer’s system to attack other systems in the enterprise.

In all fairness, most vendors have honest intentions when they have a legitimate need to connect to a customer’s computer in order to try and fix a problem. But a few dishonest employees in these vendor organizations have made this an activity that you should think twice about. Vendors should only be able to connect to your systems upon your request, and only for a defined period of time. The privileges given to the vendor should be the minimum needed for them to quickly get in and get out.

Maintenance hooks

Legitimate remote maintenance is one thing, but it’s quite another for a software developer to bury illicit hooks in software code that permit a program to expose features, functions, or data inappropriately. For instance, a program could drop into “maintenance mode” or “debug mode,” thereby exposing system internal information, if the user enters certain values in data fields.

Tip: Maintenance hooks are trouble when they are undocumented and deliberately buried in software code to intentionally evade detection.

Sniffing and eavesdropping

An intruder (or employee) may devise some means for listening to traffic on the organization’s internal network by using a sniffer program. Sniffer programs can listen for and capture login sessions, recording userids and passwords. Systems that encrypt the login password on the wire aren’t necessarily better off in the case of sniffers. Hacking tools are available that can capture the encrypted password and later on perform a dictionary or brute force attack against it to discover the password. This can, however, take months or even years, so you should think of encrypted passwords over the network as being substantially safer than cleartext.

Eavesdropping isn’t limited to the high-tech approach. One can listen in on conversations in airports, restaurants, and other public places. An intruder can install listening devices in conference rooms, telephone lines, or in gifts given to the intended victim. “Here, have this large attractive lapel pin.”

Traffic analysis and inference

An attacker can analyze network traffic patterns and other types of transmissions in order to make inferences about something that he wants to know more about. In this type of attack, the attacker doesn’t have access to the contents of the transmissions - only their patterns. For instance, the attacker could be in a position to know the workload on a network, and thus infer that the network’s high utilization from 10 p.m.–1 a.m. is the organization performing backups over the network. The attacker can use this information to his advantage by attempting to sabotage systems shortly before 10 p.m. in order to prevent a backup from occurring. Usually, traffic analysis and inference isn’t an end in itself, but part of a bigger plan.

Brute force

The brute force attack is the most time consuming and is used as a last resort when more clever methods fail. Whatever the target, in a brute force attack the perpetrator repeatedly hits his target, making small changes each time, hoping that he’ll eventually get in.

Brute force attacks are most often seen in the form of an attacker trying to log in with some userid and trying every possible password until the right one is found. Most newer computer systems are designed to repel this sort of attack by locking out accounts that have had too many unsuccessful login attempts. Honest users see this sometimes when they try to log into their account at work, only to be locked out until they remember that they changed their password the day before and were using their old password to try to log in. D’oh!
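The account lockout described above, as an added example that is not from the book: failures are counted per account within a sliding window, and once the limit is hit the account is refused for a lockout period even if the correct password is then supplied. The `now` parameter is an injectable clock (an assumption for testability); `verify` stands in for the real credential check.

```python
import time
from collections import defaultdict


class LockoutPolicy:
    """Lock an account after `max_failures` bad logins within `window` seconds.

    Failures are tracked per account rather than per source address, so a
    brute-force run spread across many addresses still trips the lock.
    """

    def __init__(self, max_failures=5, window=300.0, lockout=900.0, now=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._now = now
        self._failures = defaultdict(list)  # account -> timestamps of recent failures
        self._locked_until = {}             # account -> time the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._now() >= until:            # lock expired: clear state
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed attempt; return True if this attempt locked the account."""
        now = self._now()
        recent = [t for t in self._failures[account] if now - t <= self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(policy: LockoutPolicy, account: str, password: str, verify) -> str:
    """Return 'locked', 'ok' or 'denied'; `verify(account, password)` is the real check."""
    if policy.is_locked(account):
        return "locked"                     # refuse without even checking the password
    if verify(account, password):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "denied"
```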




CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242