4. Malware
“Malware (for "malicious software") is any program or file that is harmful to a computer user. Thus, malware includes computer viruses, worms, Trojan horses, and also spyware, programming that gathers information about a computer user without permission.”
CyBerwar and Intelligence
5. Virus
“A virus is a program or programming code that replicates by being copied or initiating its copying to another program, computer boot sector or document. Viruses can be transmitted as attachments to an e-mail note or in a downloaded file, or be present on a CD. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are benign or playful in intent and effect and some can be quite harmful, erasing data or causing your hard disk to require reformatting.”
6. Worms
“Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.”
7. Trojan
“It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system.
Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an e-mail attachment or downloading and running a file from the Internet.”
8. Bot
“Bot” is derived from the word “robot” and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites.
Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or “botnet”.
9. Denial of Service (DoS) Attack
“An attempt to make a computer resource run out and make it unavailable to its intended users.”
10. DDoS Attack
DoS attack: the attacker mounts the attack from a single host.
DDoS attack: the attacker uses many systems to simultaneously launch attacks against a remote host.
11. Zombie Computer
A computer connected to the Internet that has been compromised by a cracker, a computer virus or a Trojan horse, and can be used to perform malicious tasks of one sort or another under remote direction.
With zombies the attack is amplified in:
• the rate of packets
• the size of packets
• the difficulty of tracing the attack back to the initiating attacker
13. General Attack Classification
Bandwidth attack: intended to overflow and consume the resources available to the victim.
Logic attack: attempts to exploit a software program design flaw.
Protocol attack: takes advantage of a protocol's inherent design.
15. Smurf Attack
The attacker sends a huge amount of ICMP Echo Requests to the directed-broadcast address of an intermediary network, with the source address spoofed to the victim's address, so that every host on that network answers the victim with an ICMP Echo Reply.
Once network links become overloaded, all legitimate traffic will be slowed or stopped.
Uses bandwidth consumption to disable a victim's network resources by amplifying the attacker's bandwidth: one spoofed request produces as many replies as there are responding hosts.
16. The Fraggle
Similar concept to ICMP flooding, but uses UDP: spoofed datagrams are sent to the broadcast address on the UDP echo (port 7) or chargen (port 19) services.
The network is slowed to the point where all valid connections are stopped.
Achieves a smaller amplification factor, because fewer hosts run the UDP echo and chargen services than answer ICMP Echo Requests.
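As an added worked example (not part of the lecture slides), the following Python script classifies packet summaries as Smurf or Fraggle amplification requests and estimates the reply load a spoofed victim receives. The amplifier network 192.0.2.0/24, the packet records and the responder counts are constructed sample data; the two checks it applies are the ones the slides imply: the destination is the network's directed-broadcast address, and the source address does not belong to that network (it has been spoofed to the victim). The smaller responder count for UDP is what makes the Fraggle amplification factor lower.

```python
"""Classify packet summaries for Smurf / Fraggle amplification traffic.

Constructed sample data, not a real capture.  Each record is
(src_ip, dst_ip, proto, detail) where detail is the ICMP type for ICMP
or the destination port for UDP.
"""
import ipaddress
from collections import Counter

# Hypothetical LAN acting as the amplifier network.
AMPLIFIER_NET = ipaddress.ip_network("192.0.2.0/24")
UDP_AMPLIFIER_PORTS = {7, 19}  # UDP echo and chargen

# Constructed records: (src, dst, proto, detail).
SAMPLE = [
    ("198.51.100.9", "192.0.2.255", "icmp", "echo-request"),  # Smurf, src spoofed to victim
    ("198.51.100.9", "192.0.2.255", "icmp", "echo-request"),
    ("198.51.100.9", "192.0.2.255", "udp", 7),                # Fraggle, src spoofed to victim
    ("192.0.2.10", "192.0.2.255", "icmp", "echo-request"),    # local host pinging its own broadcast
    ("192.0.2.11", "203.0.113.5", "icmp", "echo-request"),    # ordinary unicast ping
    ("198.51.100.9", "192.0.2.77", "udp", 53),                # unicast UDP, not an amplifier request
]


def is_directed_broadcast(dst: str, net: ipaddress.IPv4Network) -> bool:
    """True when dst is the subnet's directed-broadcast address."""
    return ipaddress.ip_address(dst) == net.broadcast_address


def classify(record, net=AMPLIFIER_NET):
    """Return 'smurf', 'fraggle', or None for one packet summary."""
    src, dst, proto, detail = record
    if not is_directed_broadcast(dst, net):
        return None
    # A broadcast request whose source lies outside the LAN cannot have
    # originated locally: the source has been spoofed to the victim.
    if ipaddress.ip_address(src) in net:
        return None
    if proto == "icmp" and detail == "echo-request":
        return "smurf"
    if proto == "udp" and detail in UDP_AMPLIFIER_PORTS:
        return "fraggle"
    return None


def reply_load(records, responders, net=AMPLIFIER_NET):
    """Estimate how many replies each spoofed victim address receives.

    responders maps 'smurf' / 'fraggle' to the number of LAN hosts that
    answer that kind of broadcast request; every spoofed request is
    amplified by that factor and lands on the spoofed source.
    Returns {victim_ip: reply_count}.
    """
    load = Counter()
    for rec in records:
        kind = classify(rec, net)
        if kind:
            load[rec[0]] += responders[kind]
    return dict(load)


if __name__ == "__main__":
    # 200 hosts answer ICMP echo, only 20 run UDP echo/chargen (assumed).
    print(reply_load(SAMPLE, {"smurf": 200, "fraggle": 20}))
```

Running it with the assumed responder counts shows three attacker packets turning into 420 replies at the victim; the same filter logic (drop broadcast-addressed requests from off-net sources) is what disables a network as an amplifier.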
17. SYN Flood
Normal TCP three-way handshake:
• the client sends a SYN packet to the server
• the server sends a SYN-ACK back to the client
• the client sends an ACK back to the server to complete the three-way handshake and establish the TCP connection
18. SYN Flood
• The attack occurs by the attacker initiating a TCP connection to the server with a SYN (using a legitimate or spoofed source address).
• The server replies with a SYN-ACK.
• The client then doesn't send back an ACK, causing the server to allocate memory for the pending connection and wait.
• The half-open connections buffer on the victim server will eventually fill.
• The system will be unable to accept any new incoming connections until the buffer is emptied out.
• There is a timeout associated with a pending connection, so the half-open connections will eventually expire.
• The attacking system can continue sending connection requests, asking for new connections faster than the victim system can expire the pending ones.
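As an added worked example (not from the slides), the following Python model puts numbers on the last two points: a half-open backlog of fixed size whose entries expire after a timeout, an attacker that never completes the handshake, and legitimate clients that are refused whenever the backlog is full. The backlog size, timeout and rates are hypothetical parameters.

```python
"""Discrete-time model of a SYN flood against a fixed-size half-open backlog.

Assumptions (hypothetical parameters, not taken from the slides): the server
keeps at most `backlog` half-open connections; each entry expires `timeout`
seconds after the SYN-ACK if no ACK arrives; the attacker never sends the ACK;
a legitimate client's SYN is refused if the backlog is full when it arrives.
"""
from collections import deque


def backlog_saturates(attack_rate, timeout, backlog):
    """Steady-state check: every attacker entry lives `timeout` seconds, so the
    sustained occupancy is attack_rate * timeout; the backlog stays full
    whenever that exceeds its capacity."""
    return attack_rate * timeout > backlog


def simulate_syn_flood(attack_rate, timeout, backlog, duration, legit_rate=1):
    """Simulate `duration` one-second ticks and return (t_full, dropped, total).

    attack_rate : attacker SYNs per second (never completed)
    timeout     : seconds a half-open entry lives before the server expires it
    backlog     : maximum number of half-open entries
    legit_rate  : legitimate SYNs per second; these complete at once and so
                  only need a free slot at the moment they arrive
    t_full      : first tick at which the backlog was full (None if never)
    dropped     : legitimate SYNs refused because the backlog was full
    total       : legitimate SYNs that arrived during the run
    """
    half_open = deque()          # expiry time of each pending attacker entry (FIFO)
    t_full = None
    dropped = total = 0
    for t in range(duration):
        # The server expires entries whose timeout has elapsed ...
        while half_open and half_open[0] <= t:
            half_open.popleft()
        # ... and the attacker immediately refills whatever space that freed.
        for _ in range(attack_rate):
            if len(half_open) < backlog:
                half_open.append(t + timeout)
        if t_full is None and len(half_open) >= backlog:
            t_full = t
        # Legitimate clients arriving now find no free slot.
        total += legit_rate
        if len(half_open) >= backlog:
            dropped += legit_rate
    return t_full, dropped, total


if __name__ == "__main__":
    print(simulate_syn_flood(attack_rate=100, timeout=60, backlog=1024, duration=120))
    print(simulate_syn_flood(attack_rate=10, timeout=60, backlog=1024, duration=120))
```

With 100 SYN/s and a 60 s timeout the sustained occupancy would be 6000 entries against a 1024-entry backlog, so it fills at tick 10 and every legitimate SYN from then on is refused; at 10 SYN/s occupancy peaks at 600 and nothing is dropped. The condition attack_rate × timeout > backlog is the quantitative form of "faster than the victim can expire the pending connections", and it shows the two knobs the defender has in this model: a larger backlog and a shorter timeout.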
20. How it works
The attacker recruits multiple zombie machines.
Zombie computers send the attack packets and recruit other machines.
The identity of each subverted machine is hidden by spoofing the source address field in the attack packets.
21. TrinOO
• Affects Windows and many Unix OSs.
• Attacker scans for exploits, gains root, and downloads the Trin00 programs.
• Attacker -> Master -> Daemon hierarchy (One -> More -> Many).
• Attacker can telnet into a Master to initiate commands, which are distributed amongst its Daemons.
• Communication between Master and Daemon goes through a password-protected cleartext UDP-based protocol.
• Daemons attack the target with a UDP or TCP packet bombardment.
22. Other attacks
TFN and TFN2k:
• Smurf attack
• The Fraggle
• SYN flood
• All three at once
Stacheldraht:
• Smurf attack
• The Fraggle
• SYN flood
• Encrypted communication between the attacker and the Masters
• The Agents can upgrade their code automatically
24. General Victim Classification
Application: exploit some feature of a specific application in order to make the use of the resource impossible.
Host: access to the target machine is impossible because its communication mechanisms are overloaded or disabled.
Network: the incoming bandwidth of the target network is consumed.
Infrastructure: target some distributed service that is crucial for global Internet operation or for the operation of a subnetwork.
25. Symptoms
Unusually slow network performance
Unavailability of a particular web site
Inability to access any web site
Dramatic increase in the number of spam emails
27. Damage
Disruptive: deny the victim's service to its clients. In the case of recoverable attacks, the victim can recover as soon as the influx of the attack is stopped, but if it is non-recoverable it requires some human intervention.
Degrade: degrade some portion of a victim's resources. Since this kind of attack doesn't lead to total service disruption, it could remain undetected for a significant period of time.
29. Estonia
Dispute with Russia over the removal of a Soviet-era war memorial, a giant bronze soldier statue, from the center of Tallinn.
The botnet fooled Estonian network routers into continuously resending useless packets of information to one another, rapidly flooding the infrastructure used to conduct all online business in the country.
• Bank websites became unreachable, paralyzing most of Estonia's financial activity.
• Press sites also came under attack, in an attempt to disable news sources.
• ISPs were overwhelmed, blacking out internet access for significant portions of the population.
• NATO established the alliance's cyber defense research center in Tallinn in 2008.
• Motivated Estonia to call on the European Union to make cyber attacks a criminal offense.
30. Georgia
In the weeks leading up to the five-day 2008 South Ossetia war, a DDoS attack was directed first at the website of the Georgian president.
Several Russian blogs, forums, and websites spread a Microsoft Windows batch script that was designed to attack Georgian websites.
The effect was that Georgians could not connect to any outside news or information sources and could not send email out of the country. The aim of the attack was to prevent Georgians from learning what was going on.
Georgia's banking operations were paralyzed. Credit card systems shut down, followed by the mobile phone system.
32. Main Problem: Zombie Computers
Patches for software defects that were reported and fixed months ago are never installed.
Anti-virus tools are not kept up to date.
Computer owners give away control of their computers by indiscriminately running unknown programs.
33. Local Solutions
Local filtering
The victim can try to stop the infiltrating IP packets on the local router by installing a filter to detect them.
Changing IPs
System administrators must make a series of changes to lead the traffic to the new IP address; once the IP change is completed, all Internet routers will have been informed and edge routers will drop the attacking packets.
Creating client bottlenecks
The aim is to create a bottleneck process on the zombie computers, such as solving a puzzle or answering a random question before the attacking computer is allowed to establish the connection. In this way the attacking ability is limited, because those strategies consume computational power, limiting the attacker in the number of connection requests it can make at the same time.
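As an added worked example of the client-bottleneck idea (not from the slides), the following Python code implements a hash-based client puzzle: before the server commits resources to a connection it hands the client a nonce and a difficulty, the client must find a value whose SHA-256 hash with the nonce starts with the required number of zero bits (about 2^bits hashes of work), and the server checks the answer with a single hash. The protocol, the HMAC-derived nonce, the difficulty and the client address are assumptions made for the example.

```python
"""Hash-based client puzzle: the 'client bottleneck' from the slide.

Added illustration; the protocol, parameters and addresses are assumptions.
The client does ~2**bits SHA-256 computations per connection attempt, the
server does one HMAC and one SHA-256 to verify, so an attacker's connection
rate is bounded by its own CPU rather than by the server's backlog.
"""
import hashlib
import hmac
import os
import struct

SERVER_SECRET = os.urandom(32)  # server-side key; a real server rotates it


def issue_puzzle(client_addr: str, bits: int) -> bytes:
    """Return the 16-byte nonce for this client address and difficulty.

    Deriving it with an HMAC over address and difficulty means the server
    keeps no per-client state, and a solution cannot be replayed from another
    address or presented at a lower difficulty than it was issued for."""
    msg = f"{client_addr}|{bits}".encode()
    return hmac.new(SERVER_SECRET, msg, "sha256").digest()[:16]


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(nonce: bytes, bits: int) -> int:
    """Client side: brute-force the smallest x whose hash clears `bits`."""
    x = 0
    while True:
        d = hashlib.sha256(nonce + struct.pack(">Q", x)).digest()
        if _leading_zero_bits(d) >= bits:
            return x
        x += 1


def verify_solution(client_addr: str, bits: int, nonce: bytes, x: int) -> bool:
    """Server side: constant cost regardless of `bits`."""
    if not hmac.compare_digest(nonce, issue_puzzle(client_addr, bits)):
        return False  # nonce was not issued to this address at this difficulty
    d = hashlib.sha256(nonce + struct.pack(">Q", x)).digest()
    return _leading_zero_bits(d) >= bits


if __name__ == "__main__":
    addr, bits = "203.0.113.7", 12  # constructed client address and difficulty
    nonce = issue_puzzle(addr, bits)
    x = solve_puzzle(nonce, bits)
    print(f"solution x={x}, accepted={verify_solution(addr, bits, nonce, x)}")
```

Raising `bits` by one doubles the client's expected work while the server's verification cost stays the same, which is the asymmetry that limits how many connection requests a zombie can make at once; in a deployment the difficulty would be raised only while an attack is detected, so ordinary clients pay almost nothing.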
34. Global Solutions
Improving the security of the entire Internet
Using globally coordinated filters
To prevent the accumulation of a critical mass of attacking packets in time. A victim can send information that it has detected an attack, and the filters can stop attacking packets earlier, preventing them from spreading.
Tracing the source IP address
To trace the intruders' path back to the zombie computers and stop their attacks.