DOCSLIB.ORG

Cyber Risk – Common Threats Part 1 of 2

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Cyber Risk – Common Threats Part 1 of 2 Table of Contents Threats to Information Systems ..................................................................................................... 2 Malware .......................................................................................................................................... 4 Viruses ............................................................................................................................................. 5 Virus Examples ................................................................................................................................ 6 Worms ............................................................................................................................................. 8 Brief Virus and Worm History ......................................................................................................... 9 Downloaders ................................................................................................................................. 11 Attack Scripts ................................................................................................................................ 13 Botnet -1 ....................................................................................................................................... 15 Botnet -2 ....................................................................................................................................... 17 IRCBotnet Example ....................................................................................................................... 19 Trojans........................................................................................................................................... 20 Denial of Service ( DoS ) ................................................................................................................ 23 Rootkits ......................................................................................................................................... 25 Notices .......................................................................................................................................... 26 Page 1 of 26 Threats to Information Systems Threats to Information Systems Networks face a multitude of threats every day. • Some are direct: malicious code, direct exploits. • Some target users: spearphishing, steganography. http://news.softpedia.com/news/PDF-Based-Targeted-Attack- http://datalossdb.org/ Against-Military-Contractors-Spotted-212139.shtml http://www.computerworlduk.com/news/security/3288274/microsoft- warns-rootkit-infection-requires-windows-reinstall/?olo=rss http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html 4 **004 So some of the common threats. You probably can't read an article online or go through a news report without something related to cyber; cyber attack, denial of service, phishing attack, I mean, they're all over the place. It's very, very common. If you operate some type of network you are experiencing this stuff on a daily basis. Whether you see it or not is a totally different story, but I guarantee that if you're operating a network you're seeing this type of garbage. You're seeing scareware here. You're seeing data leakage, or data loss reports. You're seeing exploits and documents that come embedded with things to take advantage of computers. Page 2 of 26 You look at the cyber threat landscape, and it's huge. There are so many possible things that can wrong. So many ways that you can be taken advantage of if you operate a network. Why do people even bother? Why do we have networks? Why do we have computers? Student: Convenience. Chris Evans: Convenience, absolutely. Can you imagine doing anything now without your Smartphone, a laptop or a computer? I don't know how people lived 50 years ago. My laptop's attached to me at the hip. I've got it right here. If that ever goes away I start to shake. I go into withdrawal. So your networks really face a multitude of threats every day, but you put up with it because you need the networks. You need those computer systems. You need that connectivity. So you might face direct attacks where people are attacking your systems or your users directly like direct exploits, or SQL injection, or something like that, steganography attacks, or phishing attacks. Phishing is probably the number one attack that you will see. It's cheap, it's easy and it works, which is why it's so prevalent. Page 3 of 26 Malware Malware aka Malicious Code or Malicious Software Hostile, intrusive code designed to infiltrate a computer without users knowledge or consent Examples • Viruses • Worms • Trojans • Downloaders • Attack Scripts • Botnets 5 **005 You'll see a lot on malware. Malware is malicious code or malicious software. It is designed to do something hostile to you, take advantage of something, steal data, provide access to a computer, and generally wreck havoc with computer systems, hopefully without you knowing it as a user. That's what malware's intended to do. And so there are some different categories of malware; viruses, worms, Trojans, downloaders or dropper programs, there's all sorts of malware out there that you can be taken advantage of with, and we'll kind of step through all of these. Page 4 of 26 Viruses Viruses Self-replicating programs that require user intervention to spread Most spread through email, removable media drives, and commonly used files like Microsoft Office or Adobe documents Usually have two parts • Replication Element • Payload 6 **006 So viruses are self-replicating programs. You used to hear a lot about this in the '90s and early parts of the '00 decade. You don't really hear a whole lot about this anymore, because viruses, what were they intended to do? They were for notoriety. People wrote viruses because they wanted their name out there. "Hey, I wrote the Melissa something or another," or "I did this particular virus." Most viruses were spread through e-mail, removable media, or CDs, or USB drives, or something like that. It took advantage a lot of Microsoft Office files because you'd have Word documents with viruses embedded in them. Page 5 of 26 Usually they have two parts. They have a replication element, which tells the virus how it's going to spread to other computer systems, and it has a payload. What is a payload? A payload is what the virus actually does. Does it delete files? Does it shut off the computer? Does it popup annoying boxes on your computer screen? That's what a payload is. It's what the virus actually is intended to do. Virus Examples Virus Examples Chernobyl • First virus known to have the power to damage computer hardware • Attempts to erase the hard drive and overwrite the systems BIOS Melissa • A fast-spreading virus distributed as an e-mail attachment that, when opened, disables safeguards in Word 97 or Word 2000 • If Microsoft Outlook is used, the virus sends itself to addresses in the user's address books EICAR – a test virus • Not a virus, does not include any fragments of viral code • The file is a legitimate program, and produces sensible (non- malicious) results when run (it prints the message "EICAR- STANDARD-ANTIVIRUS-TEST-FILE!") 7 **007 Some interesting examples of viruses here. You have Chernobyl, which was interesting in and of itself because it was the first virus to actually damage hardware. So it tried to erase the hard Page 6 of 26 drive, overwrite the BIOS, or otherwise cause physical damage or physical manifestation of some type of malicious activity. It tried to attack the computer system itself, not just the information on it. Melissa was a really superfast spreading virus that came out through Word documents and that sort of thing. If you had Microsoft Outlook, so this ran rampant through corporations who had exchange with Outlook. So you would get this e-mail in your inbox. You would click on it, and it would exploit your computer, and then send itself to everybody in your address book. So you figure that companies with global address books where you've got six thousand people in the company, now you've got for each person who clicks on the message six thousand messages are going out. And so what you would see is one person would get it, six thousand people would get it, and then everybody would be sending it to each other and you'd crash the exchange server or whatever your mail program was. So this was a great virus to show how quickly these things can spread. And then the EICAR is a test virus. It doesn't actually do any damage, but it's good for testing virus scanners, testing your detection and your response procedures. So as you're going through, and if you determine that, let's say, viruses are a risk to you, how could you mitigate the risk of that? Well, come up with some processes and then test them with this, the EICAR virus. Page 7 of 26 Worms Worms Worms, in contrast, are self-replicating programs that do not require user intervention to spread, rather, they take advantage of vulnerabilities in operating systems and applications to spread. Examples Morris 1988, first worm to spread extensively in the wild; prompted establishment of the CERT/CC Storm 2007, added infected hosts to the Storm Botnet Conficker 2008/9, prompted the Conficker Working Group, but morphing code thwarted attempts to stop it Stuxnet 2010, first worm to target SCADA Morto 2011, targeted Remote Desktop Windows machines with a password dictionary 8 **008 Worms, so
Recommended publications
  • Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic,
  • A the Hacker

    A the Hacker

    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • ITEE Journal

    ITEE Journal

    Volume 3, Issue 6 ISSN: - 2306-708X December 201 4 ITEE Jo urnal Information Technology & Electrical Engineering ©2012-14 International Journal of Information Technology and Electrical Engineering Malware Contaminated Website Detection by Scanning Page Links 1 Mehdi Dadkhah, 2 Amin Dadkhah, 3 Jie Deng 1 Lecturer of Tiran Branch, Islamic Azad University, Isfahan, Iran. 2 Student of Tiran Branch, Islamic Azad University, Isfahan, Iran. 3 Queen Mary University London, London, UK. E-mail: [email protected], [email protected], 3 [email protected] ABSTRACT With increasing growth of communication networks, social interactions and financial transactions have been migrate to virtual environments. Internet is one of the most substantial platform for most people's social interactions and transactions. However, the notable challenge in online transactions is security in cyber environments and to understand the hazards accompanied with this communication platform. Because of the increased use of Internet and virtual environments in daily affairs such as financial transactions, this platform has become the focus of attackers and swindlers, for example the stealing of users' passwords. In this paper, we introduce main methods which attackers use to contaminate websites by malware. Even though several articles have been written on the subject, our main goal is introducing the advanced type of these frauds conducted by professional attackers which includes contaminating websites by any kind of malware like using phishing attacks, security vulnerability in web, social engineering and click hijacking. Finally we present our approach for confronting frauds conducted by installing spyware by contaminated websites attack and malware behavior. Keywords: Online fraud, cyber environment, phishing, web vulnerability, spyware.
  • The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics

    The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics

    Security Response The Downadup Codex A comprehensive guide to the threat’s mechanics. Edition 2.0 Introduction Contents Introduction.............................................................1 Since its appearance in late-2008, the Downadup worm has become Editor’s Note............................................................5 one of the most wide-spread threats to hit the Internet for a number of Increase in exploit attempts against MS08-067.....6 years. A complex piece of malicious code, this threat was able to jump W32.Downadup infection statistics.........................8 certain network hurdles, hide in the shadows of network traffic, and New variants of W32.Downadup.B find new ways to propagate.........................................10 defend itself against attack with a deftness not often seen in today’s W32.Downadup and W32.Downadup.B threat landscape. Yet it contained few previously unseen features. What statistics................................................................12 set it apart was the sheer number of tricks it held up its sleeve. Peer-to-peer payload distribution...........................15 Geo-location, fingerprinting, and piracy...............17 It all started in late-October of 2008, we began to receive reports of A lock with no key..................................................19 Small improvements yield big returns..................21 targeted attacks taking advantage of an as-yet unknown vulnerability Attempts at smart network scanning...................23 in Window’s remote procedure call (RPC) service. Microsoft quickly Playing with Universal Plug and Play...................24 released an out-of-band security patch (MS08-067), going so far as to Locking itself out.................................................27 classify the update as “critical” for some operating systems—the high- A new Downadup variant?......................................29 Advanced crypto protection.................................30 est designation for a Microsoft Security Bulletin.
  • Protecting Against the Top 5 Attack Vectors Stay Secure from the Most Common Threats Seen by Arctic Wolf’S Security Team

    Protecting Against the Top 5 Attack Vectors Stay Secure from the Most Common Threats Seen by Arctic Wolf’S Security Team

    Protecting Against the Top 5 Attack Vectors Stay secure from the most common threats seen by Arctic Wolf’s security team ©2019 Arctic Wolf Networks, Inc. All rights reserved. | Public PERSONAL | PREDICTABLE | PROTECTION CONTENTS Major Cyberattacks in the News ......................................................................................................................................3 The Top 5 Attack Vectors ...................................................................................................................................................4 The Cyber Kill Chain .............................................................................................................................................................7 Protecting Against the Top 5 Attacks Malware/Ransomware ....................................................................................................................................8 Phishing Attack ...................................................................................................................................................9 PUP/Adware ..................................................................................................................................................... 10 Account Hijacking ........................................................................................................................................... 11 Unpatched/Outdated Software .................................................................................................................
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
  • SQL Injection Authored By: Stephanie Reetz, SOC Analyst

    SQL Injection Authored By: Stephanie Reetz, SOC Analyst

    TLP: WHITE Technical White Paper January 2013 SQL Injection Authored by: Stephanie Reetz, SOC Analyst INTRODUCTION Web applications are everywhere on the Internet. Almost everything you do online is done through a web application whether you know it or not. They come in the form of web-based email, forums, bulletin boards, bill payment, recruitment systems, health benefit and payroll systems. It is important to understand that these types of websites are all database driven. Databases are an essential element of web applications because they are able to store user preferences, personal identifiable information, and other sensitive user information Web applications interact with databases to dynamically build customized content for each user. The web application communicates with the database using Structured Query Language (SQL). SQL is a programming language for managing databases that allows you to read and manipulate data in MySQL, SQL Server, Access, Oracle, DB2, and other database systems. The relationship between the web application and the database is commonly abused by attackers through SQL injection. SQL injection is a type of injection attack in which SQL commands are supplied in user-input variables, such as a web form entry field, in an attempt to trick the web application into executing the attacker's code on the database. SQL injection was one of the primary attack vectors responsible for many of 2011’s high profile compromises including Sony Pictures, HBGary, and PBS. It was also responsible for the more recent Adobe data breach in which names, email addresses, and password hashes were stolen from one of their customer databases.
  • The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
  • CONTENTS in THIS ISSUE Fighting Malware and Spam

    CONTENTS in THIS ISSUE Fighting Malware and Spam

    MARCH 2008 Fighting malware and spam CONTENTS IN THIS ISSUE 2 COMMENT EVASIVE ACTION Home (page) renovations Pandex has attracted very little attention from the media and generated little 3 NEWS discussion between malware Botherders herded researchers and among the 29A folds general populace. Chandra Prakash and Adam Thomas provide an overview of the Pandex operation and take an in-depth look at VIRUS PREVALENCE TABLE 3 the underlying code that has allowed this malware to evade detection for so long. 4 MALWARE ANALYSIS page 4 Pandex: the botnet that could PACKING A PUNCH In the fi nal part of the series on exepacker 9 FEATURE blacklisting, Robert Neumann takes a look at how all the processing and analysis techniques are put Exepacker blacklisting part 3 into practice in a real-life situation. page 9 15 CONFERENCE REPORT AVG TURNS 8 Black Hat DC and CCC 24C3 John Hawes gets his hands on a preview version of the latest offering from AVG. 18 PRODUCT REVIEW page 18 AVG Internet Security 8 22 END NOTES & NEWS This month: anti-spam news and events, and Ken Simpson considers the implications of rising spam volume despite increasing accuracy of content fi lters. ISSN 1749-7027 COMMENT ‘It is hoped that within all sizes of business. It is hoped that the comment facility will promote discussion among visitors and that the comment facility in some cases the more knowledgeable of VB’s readers will promote will be able to guide and assist those less well versed in discussion among the complexities of anti-malware technologies.
  • Blindfolded SQL Injection

    Blindfolded SQL Injection

    Blindfolded SQL Injection Written By: Ofer Maor Amichai Shulman Table of Contents Overview ......................................................................................................................3 Identifying Injections ................................................................................................5 Recognizing Errors ...........................................................................................................................5 Locating Errors............................................................................................................................... ...6 Identifying SQL Injection Vulnerable Parameters ........................................................................6 Performing the Injection ..........................................................................................8 Getting the Syntax Right..................................................................................................................8 Identifying the Database ..................................................................................................................9 Exploiting the Injection ...................................................................................................................10 UNION SELECT Injections ....................................................................................11 Counting the Columns....................................................................................................................11 Identifying Columns Types
  • Bibliography

    Bibliography

    Bibliography [1] M Aamir Ali, B Arief, M Emms, A van Moorsel, “Does the Online Card Payment Landscape Unwittingly Facilitate Fraud?” IEEE Security & Pri- vacy Magazine (2017) [2] M Abadi, RM Needham, “Prudent Engineering Practice for Cryptographic Protocols”, IEEE Transactions on Software Engineering v 22 no 1 (Jan 96) pp 6–15; also as DEC SRC Research Report no 125 (June 1 1994) [3] A Abbasi, HC Chen, “Visualizing Authorship for Identification”, in ISI 2006, LNCS 3975 pp 60–71 [4] H Abelson, RJ Anderson, SM Bellovin, J Benaloh, M Blaze, W Diffie, J Gilmore, PG Neumann, RL Rivest, JI Schiller, B Schneier, “The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption”, in World Wide Web Journal v 2 no 3 (Summer 1997) pp 241–257 [5] H Abelson, RJ Anderson, SM Bellovin, J Benaloh, M Blaze, W Diffie, J Gilmore, M Green, PG Neumann, RL Rivest, JI Schiller, B Schneier, M Specter, D Weizmann, “Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications”, MIT CSAIL Tech Report 2015-026 (July 6, 2015); abridged version in Communications of the ACM v 58 no 10 (Oct 2015) [6] M Abrahms, “What Terrorists Really Want”,International Security v 32 no 4 (2008) pp 78–105 [7] M Abrahms, J Weiss, “Malicious Control System Cyber Security Attack Case Study – Maroochy Water Services, Australia”, ACSAC 2008 [8] A Abulafia, S Brown, S Abramovich-Bar, “A Fraudulent Case Involving Novel Ink Eradication Methods”, in Journal of Forensic Sciences v41(1996) pp 300-302 [9] DG Abraham, GM Dolan, GP Double, JV Stevens,
  • Bots and Botnets: Risks, Issues and Prevention

    Bots and Botnets: Risks, Issues and Prevention

    EMEA MSSD The Journey, So Far: Trends, Graphs and Statistics Martin Overton, IBM UK 20th September 2007 | Author: Martin Overton © 2007 IBM Corporation EMEA MSSD Agenda . The ‘First’ IBM PC Virus . Statistics, 80’s . Statistics, 90’s . Statistics, 00’s . Malware Myth-busting . Putting it all Together . Conclusions . Questions The Journey, So Far: Trends, Graphs and Statistics | Martin Overton © 2007 IBM Corporation EMEA MSSD Disclaimer . Products or services mentioned in this presentation are included for information only. Products and/or services listed, mentioned or referenced in any way do not constitute any form of recommendation or endorsement by IBM or the presenter. All trademarks and copyrights are acknowledged. The Journey, So Far: Trends, Graphs and Statistics | Martin Overton © 2007 IBM Corporation EMEA MSSD Brain . The very first malware written for the IBM PC [and clones] used ‘stealth’ to hide its presence[1]: . Here is a short extract from the description of Brain from F-Secure explaining how the stealth function it used works: . “The Brain virus tries to hide from detection by hooking into INT 13. When an attempt is made to read an infected boot sector, Brain will just show you the original boot sector instead. This means that if you look at the boot sector using DEBUG or any similar program, everything will look normal, if the virus is active in memory. This means the virus is the first "stealth" virus as well.” [1] Source : http://www.research.ibm.com/antivirus/timeline.htm [2] More data can be found here : http://www.f-secure.com/v-descs/brain.shtml