
Chapter 3 Network and Computer Attacks

Objectives
After reading this chapter and completing the exercises, you will be able to:
- Describe the different types of malicious software and what damage they can do
- Describe methods of protecting against malware attacks
- Describe the types of network attacks
- Identify physical security attacks and vulnerabilities

Introduction
As an IT security professional, you need to be aware of attacks an intruder can make on your network. Attacks include unauthorized attempts to access network resources or systems, attempts to destroy or corrupt information, and attempts to prevent authorized users from accessing resources. You must have a good understanding of both network security and computer security.
Hands-On Ethical Hacking and Network Defense, Second Edition

Malicious Software (Malware)
- Network attacks prevent a business from operating
- Malicious software (malware)
  - Virus
  - Worm
  - Trojan program
- Goals
  - Destroy data
  - Corrupt data
  - Shut down a network or system
  - Make money

Viruses
- Virus attaches itself to a file or program
  - Needs host to replicate
  - Does not stand on its own
- No foolproof prevention method
- Antivirus programs
  - Detection based on virus signatures
  - Signatures are kept in virus signature file
  - Must update periodically
  - Some offer automatic update feature

Table 3-1 Common computer viruses

Macro Viruses
- Virus encoded as a macro (a single instruction that expands automatically into a set of instructions to perform a particular task)
- Programs that support a macro programming language (e.g., Visual Basic for Applications)
  - Lists of commands
  - Can be used in destructive ways
- Example: Melissa
  - Appeared in 1999
- Even nonprogrammers can create macro viruses
  - Instructions posted on Web sites
- Security professionals learn from thinking like attackers

Worms
- Replicates and propagates without a host
- Infamous examples:
  - Code Red
  - Nimda
- Theoretically can infect every computer in the world over a short period
- Cyber attacks against ATMs are a serious concern for the banking industry and law enforcement agencies worldwide
  - Examples: Slammer and Nachi ATM worm attacks

Table 3-2 Common computer worms


Trojan Programs
- Insidious attack against networks and computers
- Disguise themselves as useful programs
- Allow attackers remote access
- Can install backdoors and rootkits
  - Backdoors or rootkits are programs that give attackers a means of regaining access to the attacked computer later.
  - A rootkit is a type of malicious software that is activated each time your system boots up.
  - Rootkits are difficult to detect because they are activated before your system's operating system has completely booted up.
  - A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the system's OS.

Trojan Programs
Back Orifice is one of the most common Trojan programs used today. It allows attackers to take full control of the attacked computer, like Windows XP Remote Desktop functions, except that Back Orifice works without the user’s knowledge. A good software or hardware firewall would most likely identify traffic that’s using unfamiliar ports. But Trojan programs that use common ports, such as TCP port 80 (HTTP) or UDP port 53 (DNS), are more difficult to detect. Also, many home users and small businesses don’t use software or hardware firewalls.

Table 3-3 Trojan programs and ports

Spyware
- Sends information from infected computer to attacker
  - Confidential financial data
  - Passwords
  - PINs
  - Any other stored data
- Can register each keystroke entered
- Prevalent technology
- Educate users about spyware

Figure 3-2 A spyware initiation program

Adware
- Similar to spyware
  - Installed without users being aware
- Sometimes displays a banner
- Main purpose
  - Determine user’s purchasing habits so that Web browsers can display advertisements tailored to this user
- Main problem
  - Slows down computers

Protecting Against Malware Attacks
- Difficult task
  - New viruses, worms, and Trojan programs appear daily
- Antivirus programs
  - Detect many malware programs
- Educate users about these attacks
  - Users who aren’t trained thoroughly can open holes into a network that no technology can protect against

Figure 3-3 Detecting a virus

Educating Your Users
- Structural training
  - Includes all employees and management
  - Monthly security updates
- Recommend virus signature database updating
  - Activate automatic updates
- SpyBot and Ad-Aware
  - Two most popular spyware and adware removal programs
  - Help protect against spyware and adware
- Firewalls
  - Software (personal) and hardware (enterprise)

Avoiding Fear Tactics
- Avoid scaring users into complying with security measures
  - Sometimes used by unethical security testers
  - Against the OSSTMM’s Rules of Engagement
- Promote awareness rather than instilling fear
  - Users should be aware of potential threats
- Build on users’ knowledge
  - Makes training easier

Intruder Attacks on Networks and Computers
- Attack
  - Any attempt by an unauthorized person to access, damage, or use network resources
- Network security
  - Concerned with security of network infrastructure
- Computer security
  - Concerned with security of a stand-alone computer
  - Not part of a network infrastructure
- Computer crime
  - Fastest growing type of crime worldwide

Denial-of-Service Attacks
- Denial-of-service (DoS) attack
  - Prevents legitimate users from accessing network resources
  - Some forms do not involve computers
    - For example, intentionally looping a document on a fax machine by taping two pages together can use up reams of paper on the destination fax machine, thus preventing others from using it

Denial-of-Service Attacks
- DoS attacks do not attempt to access information, but:
  - Cripple (disturb) the network
  - Make it vulnerable to other attacks
- Installing an attack yourself is not wise
  - Only explain how the attack could happen

Distributed Denial-of-Service Attacks
- Distributed denial-of-service (DDoS) attack
  - Attack on host from multiple servers or workstations
  - Network could be flooded with billions of packets
    - Loss of bandwidth
    - Degradation or loss of speed
  - Often participants are not aware they are part of the attack
    - They, too, have been attacked


Distributed Denial-of-Service Attacks
DDoS attacks are difficult to stop because owners of the compromised computers, referred to as zombies, are unaware that their systems are sending malicious packets to a victim thousands of miles away. These compromised computers are usually part of a botnet (a network of “robot” computers) following instructions from a central location or system. For more information, do a search on “Estonia DDoS.”

Buffer Overflow Attacks
- Vulnerability in poorly written code
  - Doesn’t check the amount of memory space used
- For example, if a program defines a buffer size of 100 MB (the total amount of memory the program is supposed to use), and the program writes data over the 100 MB mark without triggering an error or preventing this occurrence, you have a buffer overflow.

Buffer Overflow Attacks
- Attacker writes code that overflows buffer
  - The trick is to not fill the overflow buffer with meaningless data, but fill it with executable program code. That way, the OS runs the code, and the attacker’s program does something harmful.
  - Usually, the code elevates the attacker’s permissions to an administrator’s level or gives the attacker the same privileges as the program’s owner or creator
- Train programmers in developing applications with security in mind
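The missing size check described on the two slides above, next to a copy routine that performs it. This is an added example, not code from the slides or the textbook; the record layout, the 16-byte buffer and the function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* constructed buffer size for this example */

/* A buffer followed by a privilege flag, to show what an overflow damages. */
struct record {
    char name[NAME_BUF];
    int  is_admin;
};

/* Unchecked copy: the defect the slides describe. strcpy() writes
 * strlen(input) + 1 bytes no matter how small the destination is, so
 * long input runs past name[] into whatever follows it. Shown for
 * comparison only; nothing in this file calls it. */
void store_name_unchecked(struct record *r, const char *input)
{
    strcpy(r->name, input);
}

/* Checked copy: measures the input against the buffer before writing.
 * Returns 0 on success, -1 if the input (plus its NUL) does not fit. */
int store_name_checked(struct record *r, const char *input)
{
    size_t len = 0;

    if (r == NULL || input == NULL)
        return -1;
    while (len < NAME_BUF && input[len] != '\0')   /* bounded length scan */
        len++;
    if (len >= NAME_BUF) {        /* no room left for the terminator */
        r->name[0] = '\0';        /* reject and leave an empty string */
        return -1;
    }
    memcpy(r->name, input, len + 1);
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed oversized input */

    printf("short input : %d\n", store_name_checked(&r, "alice"));
    printf("long input  : %d\n", store_name_checked(&r, too_long));
    printf("is_admin    : %d\n", r.is_admin);   /* untouched by the rejected copy */
    return 0;
}
```
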


Table 3-4 Buffer overflow vulnerabilities

Ping of Death Attacks
- Type of DoS attack
- Not as common as during the late 1990s
- How it works
  - Attacker creates a large ICMP packet
    - More than the allowed 65,535 bytes
  - Large packet is fragmented into small packets
    - Reassembled at destination
  - Destination point cannot handle reassembled oversize packet
    - Causes it to crash or freeze
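The receiver-side check that closes this hole: before a fragment is placed in a reassembly buffer, confirm that its offset plus its length cannot exceed 65,535 bytes. This is an added example, not code from the slides; the function names and the sample headers are constructed, and it assumes every fragment carries the same IPv4 header length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u   /* largest legal IPv4 datagram, header included */

enum frag_verdict { FRAG_OK = 0, FRAG_MALFORMED = -1, FRAG_OVERSIZE = -2 };

/* Decide whether one IPv4 fragment could push the reassembled datagram
 * past 65,535 bytes. hdr points at the IPv4 header in network byte order. */
enum frag_verdict check_fragment(const uint8_t *hdr, size_t len)
{
    unsigned version, ihl, tot_len, frag_off;

    if (hdr == NULL || len < 20)
        return FRAG_MALFORMED;
    version  = hdr[0] >> 4;
    ihl      = (hdr[0] & 0x0Fu) * 4u;                  /* header length in bytes */
    tot_len  = ((unsigned)hdr[2] << 8) | hdr[3];       /* length of this fragment */
    /* fragment offset: 13 bits, counted in 8-byte units */
    frag_off = ((((unsigned)hdr[6] & 0x1Fu) << 8) | hdr[7]) * 8u;
    if (version != 4 || ihl < 20 || ihl > len || tot_len < ihl)
        return FRAG_MALFORMED;
    /* reassembled size = ihl + frag_off + (tot_len - ihl) = frag_off + tot_len */
    if (frag_off + tot_len > IP_MAX_DATAGRAM)
        return FRAG_OVERSIZE;     /* drop before any reassembly buffer is touched */
    return FRAG_OK;
}

/* Build a constructed 20-byte header in memory for the checks below. */
void make_header(uint8_t h[20], unsigned tot_len, unsigned off_units, int more_frags)
{
    memset(h, 0, 20);
    h[0] = 0x45;                                   /* IPv4, 20-byte header */
    h[2] = (uint8_t)(tot_len >> 8);
    h[3] = (uint8_t)(tot_len & 0xFFu);
    h[6] = (uint8_t)((more_frags ? 0x20u : 0u) | ((off_units >> 8) & 0x1Fu));
    h[7] = (uint8_t)(off_units & 0xFFu);
    h[9] = 1;                                      /* protocol 1 = ICMP */
}

int main(void)
{
    uint8_t h[20];

    make_header(h, 84, 0, 0);        /* ordinary unfragmented echo request */
    printf("normal ping   : %d\n", check_fragment(h, sizeof h));
    make_header(h, 1020, 8189, 0);   /* last fragment ending at byte 66,532 */
    printf("oversize frag : %d\n", check_fragment(h, sizeof h));
    return 0;
}
```
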

Session Hijacking
- Enables attacker to join a TCP session
- Attacker makes both parties think he or she is the other party
- Complex attack
  - Beyond the scope of this book

Addressing Physical Security
Protecting a network from attacks is not always a software issue. You should have some basic skills in protecting a network from physical attacks as well.
- Inside attacks
  - More likely than outside attacks

Keyloggers
- Used to capture keystrokes on a computer
- Software
  - Loaded onto computer
  - Behaves like Trojan programs
- Hardware
  - Small and easy to install device
  - Goes between keyboard and computer
  - Examples: KeyKatcher and KeyGhost
- Available as software (spyware)
  - Transfers information

Figure 3-4 A message captured by KeyKatcher

Figure 3-5 The KeyGhost menu

Behind Locked Doors
As a security professional, you should be aware of the types of locks used to secure a company’s assets. If an intruder gets physical access to a server, whether it’s running Linux or Windows, it doesn’t matter how good your firewall or IDS is. Encryption or public key infrastructure (PKI) enforcements don’t help in this situation, either. If intruders can sit in front of your server, they can hack it. Simply put, lock up your server.

Behind Locked Doors (Solution)
- Lock up servers
  - Average person
    - Can pick deadbolt lock in less than five minutes
    - After only a week or two of practice
  - Experienced hackers
    - Can pick deadbolt lock in under 30 seconds
- Rotary locks are harder to pick
  - Require pushing in a sequence of numbered bars
- Keep a record of who enters and leaves the room
  - Security cards can be used for better security

Summary
- Be aware of attacks
  - Network infrastructures and standalone computers
  - Can be perpetrated by insiders or outside attackers
- Malicious software
  - Viruses
  - Worms
  - Trojan programs
  - Spyware
  - Adware

Summary (cont’d.)
- Attacks
  - Denial-of-Service (DoS)
  - Distributed Denial-of-Service (DDoS)
  - Buffer overflow
  - Ping of Death
  - Session hijacking
- Keyloggers
  - Monitor computer system
- Physical security
  - Everyone’s responsibility