DOCSLIB.ORG

Common Internet Threats What an Attacker Might Do Once They Have

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Common Internet Threats What an Attacker Might Do Once They Have What an attacker might do once they have access. • Steal password file, credit card numbers, personal data. Common Internet Threats • Create new user accounts and back doors. • Replace existing libraries and application with malware. Tom Chothia Intro. to Computer Security, • Log key strokes. Lecture 19 • Send Spam. • Performs DoS attacks. • Install RootKit. RootKit Man in the Browser Attacks • Malware installed on Machines • Rootkits can be set to attack the browser. • Typically: – Gives repeated, root access to machine. • In this case all certificates can be faked. – Often installs other payloads – Hard to detect • Anything that looks like a credit card no. or bank log in can be collected. • E.g. Mebroot which alters the Master Boot Record of a machine to load • TLS and web defense can’t stop this. before the OS. Botnets Botnet Command and Control • Most attackers are in it to make money. C&C • A single credit card number or spam e- 131.253.18.12 mail isn’t worth very much. • Networks of hacked computers (bots) are organised into large networks Bot Bot Bot Bot Bot Bot (botnets). Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot 1 Denial-of-service attack Fast Flux • With this many computers it’s easy to • Instead of using a IP address bots look over load some web site. for a URL. • Easiest type of attack uses (rents) a • To stop the IPs getting blocked new IP botnet to perform a distributed denial-of- addresses are registered every few service attack. mins. • Often used to blackmail companies, or • Makes it impossible to go after the for political reasons. hosts. Botnet Command and Control Zeus • Zeus is one of the large botnets. C&C – Uses Fast Flux www.ealo.net – Many C&C servers – Spreads mainly via Trojans. – Man-in-the-browser (form grabbing) – Sends Spam, Phishing. Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot Bot • Code is available for sale on black Bot Bot Bot markets. Domain Flux Conflicker • Bots continuously generates new URLs. • Computer Worm that installs a botnet – E.g. based on a hash of the date and a – more than 10 million infections. secret value. – first version would not infect computers • Botmasters know and register the URL with Ukrainian keyboard layout. – spreads NetBIOS buffer overflows and in advance. guessing admin passwords. • Even if all C&C is shut down, bots will – uses Domain Flux and P2P switch to a new URL in a few days. • Largely contained by security researchers • We can try to block all future URLs who have blocked tens of thousands of (hard) domain names. 2 P2P Torpig/Mebroot • More recent malware sets itself up as a • Mebroot is a root kit, that writes itself P2P network. into the Master Boot Record. – Executes before OS loads • Malware connects to C&C and other – Very hard to detect. bots. • Spreads via drive by downloads. • Downloads and installs other payloads. • If the main C&C goes down botmasters can connect to any bot and update them • Torpig is a botnet downloaded and all with a new C&C. installed by Mebroot. Torpig Botnet take over paper In 2009 a team from the University of It took 10 days for California, Santa Barbara reverse Mebroot to replace engineered Torpig’s domain flux algorithm. Torpig with a new payload. Looking ahead they noticed that some For 10-days they had Torpig URLs weren't registered. complete control of the botnet and saw all data. So they decided to register the addresses themselves. Underground Markets Roles Market places 1. Attacker that steals the data (e.g. via • Internet Relay Channel (IRC) botnet’s, phishing etc). – Anyone can connect and live chat 2. Cashiers: take credit cards and bank accounts and removes cash. • Web forums, less common now. 3. Drops: people who provide a place to send goods. • Tor Hidden services, growing fast 4. Service sellers: bot masters rent – Although attacked by FBI in the last few botnets for spam, DDoS, phishing. months. 5. Based on web forums and IRC 3 Bitcoin Electronic Currency Other Payment Methods • Based on partial SHA hash collisions: • “Webmoney” online payment based in – If you can find a partial collision you have Russia minted a bitcoin. • Western Union money transfer • Passed from one person to another by signing an entry in a public database. • Closed down: – E-Gold another digital currency: trading • Only the person with the signing key shut down in 2009 due to crime can pass it on. – Liberty Reserve based in Costa Rica, taken down in May. Typical Transaction 1: Typical Transaction 1: • Hacker steals 1000 fullz (credit card • Cashiers meets “drops” in Internet chat number, CVV, name, address, etc.) rooms who agree to receive goods. • Sells them on forum for 10 bitcoins • Cashiers orders goods online and has (£4300) them sent to the “drops” • Buyer sells then in groups of 20 to • Drops sell goods and send half the cashiers for £300 in “Webmoney” money to the Cashiers via Western Union. Typical Transaction 2: Reading • Bot master offers network for DDoS attack at £200 a day. • The Symantec Internet Security Threat Report, 2014. • Attacker hires the botnet to attack small – what happened in cyber security last year company, bring down their site. • http://www.symantec.com/ • Attacker anonymously contacts the security_response/publications/ company and asks for £10,000 in threatreport.jsp bitcoins to stop. 4 .
Load more

Recommended publications
  • Identifying Threats Associated with Man-In-The-Middle Attacks During Communication Between a Mobile Device and the Back End Server in Mobile Banking Applications
    IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 2, Ver. IX (Mar-Apr. 2014), PP 35-42 www.iosrjournals.org Identifying Threats Associated With Man-In-The-Middle Attacks during Communication between a Mobile Device and the Back End Server in Mobile Banking Applications Anthony Luvanda1,*Dr Stephen Kimani1 Dr Micheal Kimwele1 1. School of Computing and Information Technology, Jomo Kenyatta University of Agriculture and Technology, PO Box 62000-00200 Nairobi Kenya Abstract: Mobile banking, sometimes referred to as M-Banking, Mbanking or SMS Banking, is a term used for performing balance checks, account transactions, payments, credit applications and other banking transactions through a mobile device such as a mobile phone or Personal Digital Assistant (PDA). Mobile banking has until recently most often been performed via SMS or the Mobile Web. Apple's initial success with iPhone and the rapid growth of phones based on Google's Android (operating system) have led to increasing use of special client programs, called apps, downloaded to the mobile device hence increasing the number of banking applications that can be made available on mobile phones . This in turn has increased the popularity of mobile device use in regards to personal banking activities. Due to the characteristics of wireless medium, limited protection of the nodes, nature of connectivity and lack of centralized managing point, wireless networks tend to be highly vulnerable and more often than not they become subjects of attack. This paper proposes to identify potential threats associated with communication between a mobile device and the back end server in mobile banking applications.
    [Show full text]
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G
    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
    [Show full text]
  • MALWARE ACTIVITY DETECTION THROUGH BROWSER EXTENSION Jayanth Betha1, Prakash Andavolu2, Mariyala V V Gupta3 Department of Computer Science and Engineering, St
    MALWARE ACTIVITY DETECTION THROUGH BROWSER EXTENSION Jayanth Betha1, Prakash Andavolu2, Mariyala V V Gupta3 Department of Computer Science and Engineering, St. Martin’s Engineering College, India. Abstract stretch out beyond the contaminated PC. A The drastic growth in Internet users and Malware infection may aim to damage the files Digital assets worldwide has created on storage devices; however, a keylogger is opportunities for cybercriminals to break utilized to take individual data, such as email into systems. The massive increase in ID's or passwords. While there are numerous malware and cybercrime is seen all over the approaches used to secure against keyloggers, globe; people have become more dependent this study mainly focuses on the detection of on the web environment. Malware (Malicious keyloggers. This research report will provide an Software), is a software that opens the door in-depth study on types of secretly monitoring for cybercriminals to access sensitive malware (keyloggers). A browser based solution information from the computing devices. In (browser extension) is needed to detect and alert the current technology-dependent world, the user about the keyloggers. attacks upon sensitive user information have In today’s technology-dependent world, continued to grow over time steadily. A attacks upon sensitive user information have common threat to data security is Malware. continued to evolve steadily over time. A Symantec discovered more than 430 million common threat to data security is Malware. new unique pieces of malware in 2015, up 36 According to (Symantec’s 2016 Internet percent from the year before. The objective of Security Threat Report. (n.d.).
    [Show full text]
  • Miscellaneous: Malware Cont'd & Start on Bitcoin
    Miscellaneous: Malware cont’d & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates By infecting Propagates automatically other programs By copying itself to target systems Usually inserted into A standalone program host code (not a standalone program) Another type of virus: Rootkits Rootkit is a ”stealthy” program designed to give access to a machine to an attacker while actively hiding its presence Q: How can it hide itself? n Create a hidden directory w /dev/.liB, /usr/src/.poop and similar w Often use invisiBle characters in directory name n Install hacked Binaries for system programs such as netstat, ps, ls, du, login Q: Why does it Become hard to detect attacker’s process? A: Can’t detect attacker’s processes, files or network connections By running standard UNIX commands! slide 3 Sony BMG copy protection rootkit scandal (2005) • Sony BMG puBlished CDs that apparently had copy protection (for DRM). • They essentially installed a rootkit which limited user’s access to the CD. • It hid processes that started with $sys$ so a user cannot disaBle them. A software engineer discovered the rootkit, it turned into a Big scandal Because it made computers more vulneraBle to malware Q: Why? A: Malware would choose names starting with $sys$ so it is hidden from antivirus programs Sony BMG pushed a patch … But that one introduced yet another vulneraBility So they recalled the CDs in the end Detecting Rootkit’s
    [Show full text]
  • Malware Analysis and Antivirus Technologies: Kernel Malware & A
    Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware Today Protecting the irreplaceable | f-secure.com Copyright F-Secure 2010. All rights reserved. 2 06 April, 2011 © F-Secure Confidential Brain • Brain is the first known PC virus • Discovered in 1986 • Boot sector virus • First versions only infected 360k floppies • Stealth features • Hides infected boot sector by hooking sector read interrupt • Marks sectors in FAT bad • … but after all hiding efforts, some variants change floppy label to “© Brain” 3 06 April, 2011 © F-Secure Brain: Boot Sector Before Infection 4 06 April, 2011 © F-Secure Brain: Infected Boot Sector 5 06 April, 2011 © F-Secure Demo: Brain PUBLIC 7 06 April, 2011 © F-Secure Confidential 8 06 April, 2011 © F-Secure Confidential 9 06 April, 2011 © F-Secure Confidential Definition “Kernel malware is malicious software that runs fully or partially at the most privileged execution level, ring 0, having full access to memory, all CPU instructions, and all hardware.” • Can be divided into two subcategories • Full-Kernel malware • Semi-Kernel malware Copyright F-Secure 2010. All rights reserved. History • Kernel malware is not new – it has just been rare • WinNT/Infis • Discovered in November 1999 • Full-Kernel malware • Payload – PE EXE file infector • Virus.Win32.Chatter • Discovered in January 2003 • Semi-Kernel malware • Payload – PE SYS file infector • Mostly proof of concepts Copyright F-Secure 2010. All rights reserved. Increase of Kernel-Mode Malware Unique malicious drivers 37000 32000 15500
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • An Introduction to Malware
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 An Introduction to Malware Sharp, Robin Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Sharp, R. (2017). An Introduction to Malware. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. An Introduction to Malware Robin Sharp DTU Compute Spring 2017 Abstract These notes, written for use in DTU course 02233 on Network Security, give a short introduction to the topic of malware. The most important types of malware are described, together with their basic principles of operation and dissemination, and defenses against malware are discussed. Contents 1 Some Definitions............................2 2 Classification of Malware........................2 3 Vira..................................3 4 Worms................................
    [Show full text]
  • Generation of an Iot Botnet Dataset in a Medium-Sized Iot Network
    MedBIoT: Generation of an IoT Botnet Dataset in a Medium-sized IoT Network Alejandro Guerra-Manzanares a, Jorge Medina-Galindo, Hayretdin Bahsi b and Sven Nomm˜ c Department of Software Science, Tallinn University of Technology, Tallinn, Estonia falejandro.guerra, hayretdin.bahsi, [email protected], [email protected] Keywords: Botnet, Internet of Things, Dataset, Intrusion Detection, Anomaly Detection, IoT. Abstract: The exponential growth of the Internet of Things in conjunction with the traditional lack of security mecha- nisms and resource constraints associated with these devices have posed new risks and challenges to security in networks. IoT devices are compromised and used as amplification platforms by cyber-attackers, such as DDoS attacks. Machine learning-based intrusion detection systems aim to overcome network security lim- itations relying heavily on data quantity and quality. In the case of IoT networks these data are scarce and limited to small-sized networks. This research addresses this issue by providing a labelled behavioral IoT data set, which includes normal and actual botnet malicious network traffic, in a medium-sized IoT network infrastructure (83 IoT devices). Three prominent botnet malware are deployed and data from botnet infec- tion, propagation and communication with C&C stages are collected (Mirai, BashLite and Torii). Binary and multi-class machine learning classification models are run on the acquired data demonstrating the suitability and reliability of the generated data set for machine learning-based botnet detection IDS testing, design and deployment. The generated IoT behavioral data set is released publicly available as MedBIoT data set∗. 1 INTRODUCTION lam, 2017; Bosche et al., 2018; Pratt, 2019).
    [Show full text]
  • Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust
    ipTrust Botnet / Malware Dictionary This list shows the most common botnet and malware variants tracked by ipTrust. This is not intended to be an exhaustive list, since new threat intelligence is always being added into our global Reputation Engine. NAME DESCRIPTION Conficker A/B Conficker A/B is a downloader worm that is used to propagate additional malware. The original malware it was after was rogue AV - but the army's current focus is undefined. At this point it has no other purpose but to spread. Propagation methods include a Microsoft server service vulnerability (MS08-067) - weakly protected network shares - and removable devices like USB keys. Once on a machine, it will attach itself to current processes such as explorer.exe and search for other vulnerable machines across the network. Using a list of passwords and actively searching for legitimate usernames - the ... Mariposa Mariposa was first observed in May 2009 as an emerging botnet. Since then it has infected an ever- growing number of systems; currently, in the millions. Mariposa works by installing itself in a hidden location on the compromised system and injecting code into the critical process ͞ĞdžƉůŽƌĞƌ͘ĞdžĞ͘͟/ƚŝƐknown to affect all modern Windows versions, editing the registry to allow it to automatically start upon login. Additionally, there is a guard that prevents deletion while running, and it automatically restarts upon crash/restart of explorer.exe. In essence, Mariposa opens a backdoor on the compromised computer, which grants full shell access to ... Unknown A botnet is designated 'unknown' when it is first being tracked, or before it is given a publicly- known common name.
    [Show full text]
  • Common Threats to Cyber Security Part 1 of 2
    Common Threats to Cyber Security Part 1 of 2 Table of Contents Malware .......................................................................................................................................... 2 Viruses ............................................................................................................................................. 3 Worms ............................................................................................................................................. 4 Downloaders ................................................................................................................................... 6 Attack Scripts .................................................................................................................................. 8 Botnet ........................................................................................................................................... 10 IRCBotnet Example ....................................................................................................................... 12 Trojans (Backdoor) ........................................................................................................................ 14 Denial of Service ........................................................................................................................... 18 Rootkits ......................................................................................................................................... 20 Notices .........................................................................................................................................
    [Show full text]
  • Building an Intrusion Detection System (IDS) to Neutralize Botnet Attacks
    International Journal of Computer Applications Technology and Research Volume 4– Issue 2, 103 - 107, 2015, ISSN:- 2319–8656 Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Botnet Attacks R. Kannan A.V.Ramani Department of Computer Science Department of Computer Science Sri Ramakrishna Mission Vidyalaya Sri Ramakrishna Mission Vidyalaya College of Arts and Science College of Arts and Science Coimbatore ,Tamilnadu,India. Coimbatore ,Tamilnadu,India Abstract: Among the various forms of malware attacks such as Denial of service, Sniffer, Buffer overflows are the most dreaded threats to computer networks. These attacks are known as botnet attacks and self-propagating in nature and act as an agent or user interface to control the computers which they attack. In the process of controlling a malware, Bot header(s) use a program to control remote systems through internet with the help of zombie systems. Botnets are collection of compromised computers (Bots) which are remotely controlled by its originator (Bot-Master) under a common Command-and-Control (C&C) structure. A server commands to the bot and botnet and receives the reports from the bot. The bots use Trojan horses and subsequently communicate with a central server using IRC. Botnet employs different techniques like Honeypot, communication protocols (e.g. HTTP and DNS) to intrude in new systems in different stages of their lifecycle. Therefore, identifying the botnets has become very challenging; because the botnets are upgrading their methods periodically for affecting the networks. Here, the focus on addressing the botnet detection problem in an Enterprise Network This research introduces novel Solution to mitigate the malicious activities of Botnet attacks through the Principle of component analysis of each traffic data, measurement and countermeasure selection mechanism called Malware Hunter.
    [Show full text]