
TYPES OF COMPUTER ATTACKS

Overview of Computer Attacks

In its broadest definition, a computer attack is any malicious activity directed at a computer system or the services it provides. Examples of computer attacks are viruses, use of a system by an unauthorized individual, denial of service by exploitation of a bug or abuse of a feature, probing of a system to gather information, or a physical attack against computer hardware. A subset of the possible types of computer attack was included in the 1998 DARPA intrusion detection system evaluation: (1) attacks that allow an intruder to operate on a system with more privileges than are allowed by the system security policy, (2) attacks that deny someone else access to some service that a system provides, and (3) attempts to probe a system to find potential weaknesses.

The following paragraphs provide some examples of the many ways that an attacker can either gain access to a system or deny legitimate access by others.

Social Engineering:

An attacker can gain access to a system by fooling an authorized user into providing information that can be used to break into the system. For example, an attacker can telephone an individual while impersonating a network administrator, in an attempt to convince the individual to reveal confidential information (passwords, file names, details about security policies). Or an attacker can deliver to a user a piece of software that is actually a Trojan horse containing malicious code that gives the attacker access to the system.

Implementation Bug:

Bugs in trusted programs can be exploited by an attacker to gain unauthorized access to a computer system. Specific examples of implementation bugs are buffer overflows, race conditions, and mishandling of temporary files.
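The temporary-file case is the easiest of the three to show end to end. The Python below is an added example, not code from the page: it stages the classic symlink race in a throwaway directory, so the file names (app.tmp, important.conf) and the helper names are this example's own, and it needs a POSIX host that allows unprivileged symlinks.

```python
"""Mishandled temporary files: a predictable name lets an attacker pre-plant
a symlink so the program overwrites a file it never meant to touch.
Added example (not code from the page); runs inside a private scratch
directory so nothing outside it is modified.  Requires a POSIX host with
symlink support."""
import os
import shutil
import tempfile


def attacker_plants_symlink(predictable_path: str, victim_file: str) -> None:
    """The attacker wins the race: the link exists before the program opens the path."""
    os.symlink(victim_file, predictable_path)


def insecure_write(predictable_path: str, data: bytes) -> None:
    """The bug: a fixed name under a shared directory, opened with plain open(),
    which follows symlinks and truncates whatever the link points at."""
    with open(predictable_path, "wb") as fh:
        fh.write(data)


def safe_write(predictable_path: str, data: bytes) -> bool:
    """Hardened: O_CREAT|O_EXCL fails with EEXIST if anything (file or symlink)
    already sits at the path, so a planted link is never followed.
    Returns True if we created and wrote the file, False if the path was taken."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(predictable_path, flags, 0o600)
    except OSError:          # FileExistsError on the planted symlink
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def safest_write(directory: str, data: bytes) -> str:
    """Best practice: let mkstemp pick an unpredictable name and open it with
    O_EXCL atomically; the attacker cannot guess the name to plant a link."""
    fd, path = tempfile.mkstemp(dir=directory, prefix="app-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Stage the race against a constructed victim file and report the outcome."""
    scratch = tempfile.mkdtemp(prefix="tmpfile-demo-")
    try:
        victim = os.path.join(scratch, "important.conf")
        original = b"original contents\n"
        with open(victim, "wb") as fh:
            fh.write(original)
        link = os.path.join(scratch, "app.tmp")        # the predictable name

        attacker_plants_symlink(link, victim)
        insecure_write(link, b"attacker controlled\n")
        with open(victim, "rb") as fh:
            clobbered = fh.read() != original

        with open(victim, "wb") as fh:                  # reset the victim
            fh.write(original)
        safe_wrote = safe_write(link, b"attacker controlled\n")
        with open(victim, "rb") as fh:
            intact = fh.read() == original

        path = safest_write(scratch, b"private data\n")
        return {
            "insecure_clobbered_victim": clobbered,
            "safe_write_refused": not safe_wrote,
            "victim_intact_after_safe_write": intact,
            "mkstemp_gave_regular_file": os.path.isfile(path) and not os.path.islink(path),
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The point of the O_EXCL variant is that the check and the create are one system call; a separate "does the path exist" test followed by open() reopens the race, because the attacker can plant the link between the two.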

Abuse of Feature:

There are legitimate actions that one can perform that, when taken to the extreme, can lead to system failure. Examples include opening hundreds of telnet connections to a machine to fill its process table, or filling up a mail spool with junk e-mail.

System Misconfiguration:

An attacker can gain access because of an error in the configuration of a system. For example, the default configuration of some systems includes a "guest" account that is not protected with a password.

Masquerading:

In some cases it is possible to fool a system into giving access by misrepresenting oneself. An example is sending a TCP packet that has a forged source address that makes the packet appear to come from a trusted host.
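Forging a source address takes nothing more than writing it into the header, which is why the defense has to live at the receiver or at the network border. The Python below is an added example, not from the page or any product it mentions: it builds a TCP/IP packet with an arbitrary source address in memory, parses it back, and applies the two checks a border device can make: the self-addressed packet that the IP spoofing entry later on this page describes (the "land" attack), and RFC 2827 ingress filtering for packets that claim an inside source address while arriving on the outside interface. The addresses, the 10.0.0.0/8 "internal" network and the function names are assumptions of the example.

```python
"""Forged-source TCP/IP packet construction and the checks that catch it.
Added example, not code from the page.  The packet bytes are built here
from scratch (no raw socket is opened), then parsed back the way a border
filter would see them.  The TCP checksum is left at zero to keep the
example short; a real sender fills it over the pseudo-header."""
import ipaddress
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int = 0x02) -> bytes:
    """IPv4 header (no options) + TCP header (no options, SYN by default).
    The sender writes any source address it likes into the header: that is
    the spoof.  Nothing in IP itself verifies it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip_no_csum = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed,
    )
    csum = ip_checksum(ip_no_csum)
    return ip_no_csum[:10] + struct.pack("!H", csum) + ip_no_csum[12:] + tcp


def parse_packet(raw: bytes) -> dict:
    """Decode the IPv4/TCP headers; reject a corrupted header outright."""
    ihl = (raw[0] & 0x0F) * 4
    if ip_checksum(raw[:ihl]) != 0:         # a valid header sums to zero
        raise ValueError("bad IP header checksum")
    (_, _, _, _, _, _, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    info = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "proto": proto}
    if proto == 6:
        info["sport"], info["dport"] = struct.unpack("!HH", raw[ihl:ihl + 4])
    return info


def classify(info: dict, internal_net: str, arrived_on_external: bool) -> list:
    """Two cheap checks a border device can apply to a spoofed packet:
    - 'land': source and destination are the same host and port, the
      self-addressed packet that crashed some older operating systems;
    - 'spoofed-internal-source': a packet claiming an inside source address
      arriving on the outside interface, which ingress filtering (RFC 2827)
      drops because a trusted inside host cannot legitimately appear there."""
    findings = []
    if info["src"] == info["dst"] and info.get("sport") == info.get("dport"):
        findings.append("land")
    if arrived_on_external and ipaddress.ip_address(info["src"]) in ipaddress.ip_network(internal_net):
        findings.append("spoofed-internal-source")
    return findings


if __name__ == "__main__":
    # A packet to the rlogin port that claims to come from a "trusted" neighbour.
    pkt = build_packet("10.0.0.7", "10.0.0.5", 40000, 513)
    print(classify(parse_packet(pkt), "10.0.0.0/8", arrived_on_external=True))
```

The ingress check is the one that actually defeats the "trusted host" trick in the paragraph above: a service that trusts by address (rlogin-style hosts.equiv, address-based firewall rules) cannot tell a forged header from a real one, but the border router can, because a packet with an inside source address has no business arriving from outside.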

Hackers are individuals or programs that attempt to gain access to your system without your permission or your knowledge. Some of this activity is automated: programs that search for details inside your computer in order to improve targeted advertising. Other hackers are individuals searching for private information such as financial account access data.

Viruses are one of the most common methods of computer attack. Some viruses in circulation are programmed to destroy your computer, and a virus can sometimes corrupt an entire network. Frequently, viruses arrive attached to an e-mail in the form of an executable file.

Computer viruses have a long history. A virus attempts to install itself on a user's system and to spread directly to other files on that system, with the aim that these infected files will be transferred to another machine. The payload of a virus can range from 'comical' pranks to destruction of the system itself.

A virus relies on users to spread it by sharing infected files, either directly or via e-mail. Once launched, a virus is completely independent of its creator.

Although the most common threat to security, the traditional virus does not attack other systems directly and so is unlikely to be detected by a honeypot such as KFSensor, which only sees traffic aimed at it.

Preparing to do Battle

In general, how do viruses work? First, the author has to write the executable code required to carry out the virus's activation process. What does the author want the virus to accomplish? Should it reformat your hard drive? Delete JPG files? Mail copies of itself to your friends and coworkers? Making any of this happen requires executable code of some kind. Second, in order for this code to execute, the virus needs to be activated. The usual way a virus's executable code is run is the direct method: some unwary user receives an e-mail attachment called "Double-Click Here for Some Real Fun.exe" or something equally enticing, double-clicks it, and the virus is unleashed.

As easily avoided as this seems to be (it still works far more often than it should), virus writers have discovered a number of other, less obvious techniques for getting a virus to take over your computer. Let's take a look at some of these techniques, beginning with the question of what constitutes executable code; then I'll move on to examine several sneaky activation methods. These activation methods are particularly important, as unhooking them is how you regain control of your system following an infection.

A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access to the user's computer system. "It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems", as Cisco describes.[1] The term is derived from the Trojan Horse story in Greek mythology.

Trojan horses may allow a hacker remote access to a target computer system. Once a Trojan horse has been installed on a target computer system, a hacker may have access to the computer remotely and perform various operations, limited by the user privileges on the target computer system and the design of the Trojan horse.

Operations that could be performed by a hacker on a target computer system include:

• Use of the machine as part of a botnet (e.g. to perform automated spamming or to distribute denial-of-service attacks)
• Data theft (e.g. retrieving passwords or credit card information)
• Installation of software, including third-party malware
• Downloading or uploading of files on the user's computer
• Modification or deletion of files
• Keystroke logging
• Watching the user's screen
• Crashing the computer

Trojan horses in this way require interaction with a hacker to fulfill their purpose, though the hacker need not be the individual responsible for distributing the Trojan horse. It is possible for individual hackers to scan computers on a network using a port scanner in the hope of finding one with a malicious Trojan horse installed, which the hacker can then use to control the target computer.

Trojans take their name from the Trojan horse of Greek mythology, and computer Trojans work in the same way. A game, screen saver or cracked piece of commercial software is given to a victim. The software may appear to work as normal, but its real purpose is to deliver a payload, such as a virus or a rootkit.

Trojan horses are malware that arrives on your computer by innocent-looking means. Often you are lured to a Trojan-infected website through a deceptive popup or e-mail advertisement. Another common way to receive a Trojan is by downloading free software. Publishers can make money from their "free" software by bundling advertisers' programs, which behave like a Trojan horse. Certainly not all free software is rigged with malicious content, but it is difficult to tell when the software is truly free and when you will pay for it with loss of choice or loss of privacy.

One type of Trojan, the browser hijacker, changes your homepage and search engine preference in order to lead you to the sender's webpage, which artificially inflates visitor numbers and adds to the hijacker's advertising revenues. Hijackers also hope you will eventually buy products from their advertisers, since you will be stuck looking at their webpages so frequently. A Trojan horse is like a rude taxi driver who takes you where he wants to go instead of where you want to go, then charges you double fare.

Worms are similar to viruses but do not attach themselves to a file or a program. A worm runs as its own process in memory and copies itself to spread throughout your system or network; mass-mailing worms work their way across the Internet by attaching invisible copies of themselves to outgoing e-mail. Many worms also carry a backdoor: once installed, they open ports that give the hacker direct access to the computer or network.

A worm is very similar to a virus. The key difference is that a worm attempts to propagate itself without any user involvement. It typically scans other computers for vulnerabilities which it is designed to exploit. When such a machine is identified, the worm attacks that machine, copying over its files and installing itself, so that the process can continue.

KFSensor excels at detecting worms, as they scan and attempt to attack very large numbers of systems at random.

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications. Typically, a hacker installs a rootkit on a computer after first obtaining root or administrator access, either by exploiting a known vulnerability or by cracking a password. Once a rootkit is installed, it allows the attacker to mask the active intrusion and to retain privileged access to the computer by circumventing normal authentication and authorization mechanisms. Although rootkits can serve a variety of ends, they have gained notoriety primarily as malware, appropriating computing resources or stealing passwords without the knowledge of administrators and users of affected systems. Rootkits can target firmware, a hypervisor, the kernel or, most commonly, user-mode applications.

The term rootkit is a concatenation of the "root" user account in Unix operating systems and the word "kit", which refers to the software components that implement the tool. The term has negative connotations through its association with malware.

The term root kit is also used loosely for backdoor programs: software that, once installed on a victim's machine, opens up a port to allow a hacker to communicate with it and take full control of the system. Some such backdoors give a hacker even more control of a machine than the victim has themselves.

SubSeven, a remote-access Trojan of this kind, allows an attacker to turn off a victim's monitor, move the mouse and even turn on an installed web cam and watch the victim without their knowledge. Strictly, SubSeven is a backdoor Trojan rather than a rootkit in the sense above: it provides remote control, but hiding from the operating system is not its defining feature.

Rootkits go deeper into systems than typical Trojans. On Windows they typically anchor themselves in the registry and hook operating system functions; once a rootkit is tied into the system this way, it becomes much harder to detect and remove. Some rootkits allow a hacker to take control of system devices, even web cams. Rootkits also have the ability to erase log files, letting the hacker cloak his actions so that you cannot see what he has been up to on your system. If the rootkit came as a backdoor worm, it will also allow the hacker to access your system again and again.

Hybrids are combinations of different kinds of malware. A hybrid takes on the characteristics of viruses, worms and Trojans and harms software applications and computer systems. If you do not remove every component of a hybrid from your system, the part left behind reinfects it, and each reinfection can make the hybrid harder to remove.

Malware is often such a hybrid, combining the features of the different classifications described above. SubSeven, for example, is delivered and classified as a Trojan even though it is commonly called a root kit.

Scanners are tools used by hackers to detect your computer's vulnerabilities; they are often built into worms. The scanner checks your ports looking for an open one through which to gain access to your system. Defenders run the same scanners against their own firewalls to find open ports and close them before they are breached.

Some people assume viruses also come in the form of cookies, but this is not accurate: a cookie is data, not code, and cannot run on your computer. Cookies can still be used against you, however. Cookies are small packets of data that are created when you visit a website; they are set by the vendor but stored on your computer. Each time you revisit the website the cookie is read by the vendor. Cookies are the vendor's way to store information about you and your previous visits to their website so that they can customize your visit. Cookies can also store your mailing address and credit card information to make online transactions with the vendor one step easier.

Some cookies take this a step further and are used to watch your internet surfing habits for marketing purposes: a tracking cookie set by an advertising network is read on every site that carries that network's ads, so it can follow your online movements. Such tracking cookies are often lumped together with spyware, since they watch your actions.

Adware uses the same tracking cookies to target you with ads. Though cookies do not damage your computer, they can compromise your privacy. This is a good reason to consider a firewall program that allows you to monitor and block inbound and outbound cookies.

All these computer attacks are common, but many people do not realize this until after they have become victims themselves. That is why it is important for you to be prepared with a good firewall whenever you browse the Internet.

Advanced firewall programs give you extra protection through cookie control, spyware control, adware control and software application control.

Scanners are tools designed to interrogate machines on the Internet to elicit information about the types and versions of the services that they are running. There are a variety of scanners: some just ping for the presence of a machine, others look for open ports, while others are more specialized, looking for vulnerabilities of a particular type of service or for the presence of a rootkit. Scanners are often incorporated into other malware such as worms.

Scanners are a favorite tool of the hacker, but are just as useful to security professionals trying to detect and close down system vulnerabilities. KFSensor detects scanners and is effective at misleading them.
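What a honeypot or firewall log makes visible is the pattern rather than the tool: many ports on one host (a port scan), one port across many hosts (a worm sweeping for a vulnerable service), or many connections to one service in a short time (the telnet connection pile-up described under Abuse of Feature above). The Python below is an added example, not KFSensor code or output; its log format, addresses and thresholds are constructed for illustration.

```python
"""Scan, sweep and flood detection over honeypot/firewall connection logs.
Added example, not KFSensor's code or output.  The log format
("<ISO time> <src>:<sport> -> <dst>:<dport> <flags>"), the addresses and the
thresholds are constructed assumptions.  A port scan is one source touching
many ports on one host, a worm-style sweep is one source touching one port on
many hosts, and a flood (abuse of feature) is one source opening many
connections to a single service inside the window."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$")


def parse_line(line: str):
    """One log line -> dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group(2), "sport": int(m.group(3)),
        "dst": m.group(4), "dport": int(m.group(5)), "flags": m.group(6),
    }


def detect(lines, window=timedelta(seconds=60), scan_ports=10, sweep_hosts=10, flood_conns=50):
    """Slide a time window over each source's connections and report
    (source, kind, target) triples; every threshold is counted per window."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)
    findings = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:   # drop events older than the window
                start += 1
            ports_per_host, hosts_per_port, conns = defaultdict(set), defaultdict(set), Counter()
            for w in evs[start:end + 1]:
                ports_per_host[w["dst"]].add(w["dport"])
                hosts_per_port[w["dport"]].add(w["dst"])
                conns[(w["dst"], w["dport"])] += 1
            for host, ports in ports_per_host.items():
                if len(ports) >= scan_ports:
                    findings.add((src, "port-scan", host))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= sweep_hosts:
                    findings.add((src, "worm-sweep", "port %d" % port))
            for (host, port), n in conns.items():
                if n >= flood_conns:
                    findings.add((src, "connection-flood", "%s:%d" % (host, port)))
    return sorted(findings)


def sample_log():
    """Constructed log: one scanner, one worm-like sweep, one telnet flood, one benign client."""
    t0 = datetime(2024, 3, 2, 10, 15, 0)

    def line(sec, src, sport, dst, dport):
        stamp = (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return "%s %s:%d -> %s:%d SYN" % (stamp, src, sport, dst, dport)

    lines = [line(i, "203.0.113.5", 40000 + i, "10.0.0.9", 21 + i) for i in range(15)]          # vertical scan
    lines += [line(i, "198.51.100.7", 1025, "10.0.0.%d" % (1 + i), 445) for i in range(12)]   # sweep on 445
    lines += [line(i // 2, "192.0.2.44", 50000 + i, "10.0.0.9", 23) for i in range(60)]       # telnet flood
    lines += [line(100 * i, "203.0.113.200", 51000 + i, "10.0.0.9", 80) for i in range(3)]    # benign
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for finding in detect(sample_log()):
        print(*finding)
```

The thresholds are the tuning knobs: a honeypot can afford very low ones because nothing legitimate should touch it at all, while the same logic on a busy firewall needs higher values and a whitelist for monitoring systems that scan on purpose.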


Hacker, H4x0r5, crackers and black hats are all terms for
those individuals that KFSensor is ultimately designed to detect
and offer protection from. The term hacker is used in this
manual to cover all such individuals.

Direct, or manual, actions by a hacker are much rarer than the attacks launched by the tools described above. Hackers usually only attack a system directly once it has been identified as vulnerable or has already been exploited by an automated tool.

I use the term "hacker attacks" to indicate hacker attacks that are not automated by programs such as viruses, worms, or Trojan horse programs. There are various forms that exploit weaknesses in security. Many of these may cause loss of service or system crashes.

• IP spoofing - An attacker may fake their IP address so the receiver thinks the packet is sent from a location it is not actually from. There are various forms and results of this attack.
  o The attack may be directed at a specific computer, addressed as though it is from that same computer. This may make the computer think that it is talking to itself, which caused some operating systems such as Windows to crash or lock up (the "land" attack).
• Gaining access through source routing - Hackers may be able to break through other friendly but less secure networks and gain access to your network using this method.
• Man in the middle attack -
  o Session hijacking - An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, then use IP spoofing to claim to be the client who was just authenticated and steal the session. This attack can be prevented if the two legitimate systems share a secret which is checked periodically during the session.
• Server spoofing - The C2MYAZZ utility can be run on Windows 95 stations to request LANMAN (cleartext) authentication from the client. The attacker runs this utility, posing as the server, while the user attempts to log in. If the client is tricked into sending LANMAN authentication, the attacker can read their username and password from the network packets sent.
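The shared-secret countermeasure named under session hijacking above can be made concrete with a per-message HMAC and a sequence number, checked on every frame rather than only periodically. The Python below is an added example, not from the page; generating the session key with secrets.token_bytes stands in for whatever the real authentication exchange would derive, and the frame layout is this example's own.

```python
"""Session integrity with a shared secret: the countermeasure to session
hijacking.  Added example, not code from the page.  Both ends hold a
per-session key agreed at authentication time (here simply generated with
secrets.token_bytes, an assumption; a real protocol derives it from the
login exchange).  Every frame carries a sequence number and an HMAC over
session id, sequence and payload, so an attacker who has disabled the
client and spoofed its address cannot forge, alter or replay frames
without the key."""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32          # HMAC-SHA256 output length
SEQ_LEN = 8           # 64-bit big-endian sequence number


class SessionEndpoint:
    def __init__(self, session_id: bytes, key: bytes):
        self.session_id, self.key = session_id, key
        self.send_seq = 0          # next sequence number we emit
        self.recv_seq = 0          # next sequence number we accept

    def _tag(self, seq: int, payload: bytes) -> bytes:
        msg = self.session_id + struct.pack("!Q", seq) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def send(self, payload: bytes) -> bytes:
        """frame = seq || payload || HMAC(key, session_id || seq || payload)"""
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        return struct.pack("!Q", seq) + payload + self._tag(seq, payload)

    def receive(self, frame: bytes) -> bytes:
        """Verify the tag in constant time before trusting anything else,
        then enforce strict ordering so a captured frame cannot be replayed."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        seq = struct.unpack("!Q", frame[:SEQ_LEN])[0]
        payload, tag = frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(seq, payload)):
            raise ValueError("bad tag: frame was not produced by the peer")
        if seq != self.recv_seq:
            raise ValueError("replayed or out-of-order frame")
        self.recv_seq += 1
        return payload


def demo() -> dict:
    """Legitimate traffic, then the three things a hijacker can try."""
    sid, key = secrets.token_bytes(16), secrets.token_bytes(32)
    client, server = SessionEndpoint(sid, key), SessionEndpoint(sid, key)

    first = client.send(b"GET /report")
    results = {"legit_accepted": server.receive(first) == b"GET /report"}

    def rejected(frame: bytes) -> bool:
        try:
            server.receive(frame)
            return False
        except ValueError:
            return True

    # 1. Hijacker spoofs the client's address and forges a frame with a guessed key;
    #    even using the sequence number the server expects does not help.
    impostor = SessionEndpoint(sid, secrets.token_bytes(32))
    impostor.send_seq = server.recv_seq
    results["forged_frame_rejected"] = rejected(impostor.send(b"DELETE /report"))
    # 2. Hijacker replays the captured, genuinely-tagged first frame.
    results["replay_rejected"] = rejected(first)
    # 3. Hijacker flips a byte in the captured frame's payload.
    tampered = bytearray(first)
    tampered[SEQ_LEN] ^= 0x01
    results["tampered_frame_rejected"] = rejected(bytes(tampered))
    # The legitimate client still works afterwards, at the sequence the server expects.
    results["next_legit_accepted"] = server.receive(client.send(b"GET /status")) == b"GET /status"
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The tag is checked before the sequence number so that an attacker learns nothing from the order of failures, and hmac.compare_digest is used rather than == so that the comparison time does not leak how many bytes of a forged tag were right. Confidentiality is a separate concern: this scheme proves who sent a frame and that it is fresh, but does not hide its contents.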
