ECS401: Cryptography and Network Security: Module 5: Malicious Software
Network Security
Cyber Threat Map (from https://norse-corp.com/map/)
Attacks (Practical view)
• Application level attacks: these attacks happen at the application level, in the sense that the attacker attempts to access, modify or prevent access to the information of a particular application.
Application level attacks
Example
Network level attacks
Example
Cross site scripting: it is a type of attack in which the user enters the right URL of a website, and the hacker on the other side redirects the user to his own website and steals the user's credentials.
Programs that attack
• Virus
• Worms
• Trojan Horse
• Applets & ActiveX Controls
• Cookies
Virus
Definition:
It is a piece of program code that attaches itself to legitimate program code and causes damage to the computer system or to the network. It can then infect other programs in that computer or programs that are in other computers but on the same network.
After deleting all the files from the current user's computer, the virus self-propagates by sending its code to all users whose email addresses are stored in the current user's address book.
Lifecycle of a Virus
• Dormant phase: here, the virus is idle. It gets activated based on a certain action or event (e.g. the user typing a certain key, or a certain date or time being reached). This is an optional phase.
• Propagation phase: in this phase, a virus copies itself, and each copy starts creating more copies of itself, thus propagating the virus.
• Triggering phase: a dormant virus moves into this phase when the action/event for which it was waiting is initiated.
• Execution phase: this is the actual work of the virus, which could be harmless (display some message on the screen) or destructive (delete a file on the disk).
Note: A virus is transferred to another computer through e-mail, file transfers, and instant messaging.
Types of Viruses
• Parasitic virus: attaches itself to executable files and replicates. When the infected program is executed, it looks for other executables to infect.
Types of Viruses (contd..)
• Stealth virus: designed to hide itself from detection by anti-virus software.
Worm
• Similar in concept to a virus, a worm is actually different in implementation.
• A worm, however, does not modify a program. Instead, it replicates itself again and again. The replication grows so much that ultimately the computer or the network on which the worm resides becomes very slow, ultimately coming to a halt.
• A worm attack attempts to make the computer or the network under attack unusable by eating all its resources.
• A worm differs from a virus in that it does not need to attach itself to a program to infect the host.
• A worm does not perform any destructive actions; instead, it only consumes system resources to bring the system down.
Worm (functioning)
Trojan Horse
• The name (Trojan horse) comes from the epic poem Iliad.
Working:
Cookies (contd..)
Cookies Misuse
1. An advertising agency (say My Ads) contacts major web sites and places banner ads for its corporate clients' products on their pages. It pays some fees to the site owners for this.
2. Instead of providing an actual image that can be embedded by the respective web sites in their pages directly, it provides a link (URL) to add to each page.
3. Each URL contains a unique number in the file part. For example, HTTP://www.myads.com/5726740919.jpg
4. When a user visits a page for the first time, the browser fetches the advertisement image from My Ads along with the main HTML page for the site it is visiting.
5. When the user visits the main site (e.g. the news site), My Ads sends a cookie to the browser containing a unique user ID and records the relationship between this user ID and the file name.
6. Later, when the same user visits another page, the browser sees another reference to My Ads.
7. The browser sends the previous cookie to My Ads and also fetches the current image from My Ads as before.
8. My Ads knows that the same user has visited another web page now.
9. It adds a reference to its database.
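The nine steps above, run as a small simulation. This is an added example, not code from the course: the ad server host "myads.example", the page hosts "news.example" and "shop.example", and the second image file name are constructed (the first image name is the one quoted on the slide). It shows both why the scheme works (the browser returns My Ads' cookie from every site that embeds a banner) and what the usual browser-side defence changes (refusing to store or send cookies for a third-party host).

```python
"""Toy model of cross-site tracking through a third-party cookie.

Added example, not course code. Hosts, image file names and IDs are constructed.
"""
import itertools
from urllib.parse import urlsplit


class AdServer:
    """Hypothetical My Ads server: serves banner images and logs who asked."""

    def __init__(self, host="myads.example"):
        self.host = host
        self._next_id = itertools.count(1000)
        self.log = []  # (user_id, embedding site, image file): the database of step 9

    def handle(self, image_path, referer, cookies):
        """Serve one ad request. Returns a Set-Cookie (name, value) pair or None."""
        uid = cookies.get("uid")
        set_cookie = None
        if uid is None:                      # first visit: issue a unique ID (step 5)
            uid = str(next(self._next_id))
            set_cookie = ("uid", uid)
        self.log.append((uid, urlsplit(referer).hostname, image_path))
        return set_cookie

    def sites_seen_for(self, uid):
        """The cross-site profile My Ads can build for one user ID (step 8)."""
        return sorted({site for u, site, _ in self.log if u == uid})


class Browser:
    """Cookie jar keyed by host; optionally refuses third-party cookies."""

    def __init__(self, ad_server, block_third_party=False):
        self.ad = ad_server
        self.block_third_party = block_third_party
        self.jar = {}  # host -> {cookie name: value}

    def visit(self, page_url, image_path):
        """Load a first-party page that embeds one banner from the ad server (step 4)."""
        page_host = urlsplit(page_url).hostname
        third_party = page_host != self.ad.host
        refused = third_party and self.block_third_party
        # Steps 6-7: the browser attaches whatever cookies it holds for the ad host.
        sent = {} if refused else dict(self.jar.get(self.ad.host, {}))
        set_cookie = self.ad.handle(image_path, page_url, sent)
        if set_cookie is not None and not refused:
            self.jar.setdefault(self.ad.host, {})[set_cookie[0]] = set_cookie[1]


def simulate(block_third_party):
    """Visit two unrelated sites with one browser.

    Returns (number of distinct IDs the ad server recorded,
             sites linked to the first ID it issued).
    """
    ad = AdServer()
    browser = Browser(ad, block_third_party=block_third_party)
    browser.visit("https://news.example/front-page", "/5726740919.jpg")
    browser.visit("https://shop.example/cart", "/8812003477.jpg")
    ids = [uid for uid, _, _ in ad.log]
    return len(set(ids)), ad.sites_seen_for(ids[0])


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))  # (1, ['news.example', 'shop.example'])
    print("third-party cookies blocked:", simulate(True))   # (2, ['news.example'])
```

With third-party cookies allowed, both visits arrive at My Ads carrying the same ID, so the two sites are joined in one profile. With them blocked, My Ads issues a fresh ID per visit and cannot tell the two visitors apart. The unique number in the image file name (step 3) is what tells My Ads which first-party page the request came from, so it is logged alongside the ID.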
Dealing with Viruses
Preventing viruses is the best option. However, in today's world it is almost impossible to achieve cent per cent security, given that the world is connected to the Internet all the time.
The activity of removing all traces of the virus and restoring the affected programs/files to their original states is carried out by anti-virus software.
Dealing with Viruses (contd..)
Anti-virus software is classified into four generations.
Fourth generation: consists of a variety of anti-virus techniques used in conjunction.
Behavior-blocking software integrates with the operating system of the computer and keeps a watch on virus-like behavior in real time.
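A toy behavior-blocking monitor, added here as an example and not taken from the course or any product. Real behavior-blocking software hooks the operating system and judges actions as they happen; here the "operating system" is a constructed list of file-system events, and the monitor applies two rules of the kind such software uses: a process that writes into several different executable files is treated as a parasitic infector, and a process that writes to an autostart location is treated as planting persistence. Process names, paths, the autostart markers and the threshold are all constructed for the example.

```python
"""Toy behavior-blocking monitor over a constructed event stream (added example)."""
from collections import defaultdict

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")
AUTOSTART_MARKERS = ("\\currentversion\\run\\", "/etc/rc.local")  # constructed markers
EXE_WRITE_THRESHOLD = 3  # distinct executables a process may write before it is stopped


class BehaviorMonitor:
    def __init__(self, threshold=EXE_WRITE_THRESHOLD):
        self.threshold = threshold
        self.exe_writes = defaultdict(set)  # pid -> executables it has modified
        self.alerts = []                    # (pid, process name, reason)
        self.blocked = set()                # pids whose later actions are denied

    def observe(self, event):
        """Judge one event: 'allow', 'alert' (pid is blocked from now on) or 'blocked'."""
        pid, name = event["pid"], event["name"]
        action, target = event["action"], event["target"]
        if pid in self.blocked:
            return "blocked"
        if action != "write":
            return "allow"                  # only writes are judged by these two rules
        low = target.lower()
        if any(marker in low for marker in AUTOSTART_MARKERS):
            return self._alert(pid, name, f"wrote autostart entry {target}")
        if low.endswith(EXECUTABLE_SUFFIXES):
            self.exe_writes[pid].add(low)
            if len(self.exe_writes[pid]) >= self.threshold:
                return self._alert(pid, name, f"modified {len(self.exe_writes[pid])} executables")
        return "allow"

    def _alert(self, pid, name, reason):
        self.alerts.append((pid, name, reason))
        self.blocked.add(pid)
        return "alert"


def run(events):
    """Feed every event through one monitor; returns (monitor, list of verdicts)."""
    monitor = BehaviorMonitor()
    verdicts = [monitor.observe(e) for e in events]
    return monitor, verdicts


# Constructed event stream: a word processor, an installer, an infector and a
# program that registers itself to start at login.
SAMPLE_EVENTS = [
    {"pid": 101, "name": "winword.exe", "action": "write", "target": "C:\\Users\\alice\\report.docx"},
    {"pid": 202, "name": "setup.exe",   "action": "write", "target": "C:\\Program Files\\App\\app.exe"},
    {"pid": 202, "name": "setup.exe",   "action": "write", "target": "C:\\Program Files\\App\\helper.dll"},
    {"pid": 303, "name": "invoice.exe", "action": "read",  "target": "C:\\Windows\\notepad.exe"},
    {"pid": 303, "name": "invoice.exe", "action": "write", "target": "C:\\Windows\\notepad.exe"},
    {"pid": 303, "name": "invoice.exe", "action": "write", "target": "C:\\Windows\\calc.exe"},
    {"pid": 303, "name": "invoice.exe", "action": "write", "target": "C:\\Windows\\mspaint.exe"},
    {"pid": 303, "name": "invoice.exe", "action": "write", "target": "C:\\Users\\alice\\notes.txt"},
    {"pid": 404, "name": "update.exe",  "action": "write",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
]

if __name__ == "__main__":
    monitor, verdicts = run(SAMPLE_EVENTS)
    for event, verdict in zip(SAMPLE_EVENTS, verdicts):
        print(f"{verdict:8} pid={event['pid']} {event['action']} {event['target']}")
    for alert in monitor.alerts:
        print("ALERT", alert)
```

The installer writes two executables and stays under the threshold; the infector is stopped at its third and its later write to a text file is refused outright. The same rule would also stop a compiler or a legitimate installer that writes many executables, which is why real behavior blockers combine such rules with allow-lists of known programs rather than acting on a single rule alone.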
Other Specific Attacks
• Sniffing
• Spoofing
• Phishing
Sniffing
On the Internet, computers exchange messages with each other in the form of small groups of data, called packets. A packet, like a postal envelope, contains the actual data to be sent and the addressing information. Attackers target these packets as they travel from the source computer to the destination computer over the Internet.
These attacks take two main forms: (a) packet sniffing (also called snooping), and (b) packet spoofing.
Packet sniffing is a passive attack on an ongoing conversation. An attacker need not hijack a conversation, but instead can simply observe (i.e. sniff) packets as they pass by.
Spoofing
In this technique, an attacker sends packets with an incorrect source address. When this happens, the receiver (i.e. the party who receives these packets containing false addresses) would inadvertently send replies back to this forged address (called the spoofed address), and not to the attacker.
• The attacker can intercept the reply: if the attacker is between the destination and the forged source, the attacker can see the reply and use that information for hijacking attacks.
• The attacker need not see the reply: if the attacker's intention was a Denial of Service (DoS) attack, the attacker need not bother about the reply.
• The attacker does not want the reply: the attacker could simply be angry with the host, so it may put that host's address as the forged source address and send the packet to the destination. The attacker does not want a reply from the destination, as it wants the host with the forged address to receive it and get confused.
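The standard network-edge defence against the three cases above is source-address validation (ingress filtering): a router that knows which address blocks sit behind each of its interfaces refuses to forward a packet whose source address does not belong there, so the packet never reaches the destination and no reply is sent to the forged source. The following is an added example, not from the course; the interface names, prefixes and packet list are constructed.

```python
"""Source-address validation (ingress filtering) at a constructed network edge.

Added example, not course code. Topology and packets are constructed.
"""
import ipaddress

# Constructed topology: the prefixes legitimately sourced behind each interface.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "lan1": [ipaddress.ip_network("198.51.100.0/24")],
}


def ingress_check(interface, src_ip, prefixes=INTERFACE_PREFIXES):
    """Return (accepted, reason) for a packet with src_ip arriving on interface."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "unparseable source address"
    # Addresses that can never be a legitimate source on the wire.
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return False, "bogon source address"
    if any(addr in net for net in prefixes.get(interface, [])):
        return True, "source matches interface prefix"
    return False, f"source {src_ip} not expected on {interface}"


def filter_packets(packets, prefixes=INTERFACE_PREFIXES):
    """Split (interface, src, dst) packets into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        ok, reason = ingress_check(iface, src, prefixes)
        (forwarded if ok else dropped).append(((iface, src, dst), reason))
    return forwarded, dropped


# Constructed packets: two genuine, two with forged sources, one bogon.
SAMPLE_PACKETS = [
    ("lan0", "192.0.2.10",   "203.0.113.5"),   # genuine host behind lan0
    ("lan0", "203.0.113.5",  "192.0.2.10"),    # forged external source: reply would go elsewhere
    ("lan1", "198.51.100.4", "192.0.2.10"),    # genuine host behind lan1
    ("lan1", "192.0.2.10",   "198.51.100.4"),  # lan1 host forging a lan0 address so that host gets the reply
    ("lan0", "127.0.0.1",    "192.0.2.1"),     # loopback source, never valid on the wire
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    for pkt, reason in fwd:
        print("FORWARD", pkt, reason)
    for pkt, reason in drop:
        print("DROP   ", pkt, reason)
```

The check only works as well as the router's knowledge of its own topology, and it cannot catch a host forging the address of a neighbour inside the same prefix; that is why it is applied as close to the source network as possible, where prefixes are smallest.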
Phishing
The attacker decides to create his/her own Web site, which looks identical to a real Web site. For example, the attacker can clone Citibank's Web site. The cloning is so clever that the human eye will not be able to distinguish between the real (Citibank's) and the fake (attacker's) site.
Phishing (contd..)
Pharming (DNS Spoofing)
The DNS spoofing attack works as follows:
Suppose that there is a merchant (Bob) whose site's domain name is www.bob.com, and the IP address is 100.10.10.20. Therefore, the DNS entry for Bob in all the DNS servers is maintained as follows:
www.bob.com 100.10.10.20
The attacker (say, Trudy) manages to hack and replace the IP address of Bob with her own (say 100.20.20.20) in the DNS server maintained by the ISP of a user, say Alice. Therefore, the DNS server maintained by the ISP of Alice now has the following entry:
www.bob.com 100.20.20.20
Thus, the contents of the hypothetical DNS table maintained by the ISP would be changed.
Pharming (DNS Spoofing) (contd..)
When Alice wants to communicate with Bob's site, her Web browser queries the DNS server maintained by her ISP for Bob's IP address, providing it the domain name (i.e. www.bob.com). Alice gets the replaced (i.e. Trudy's) IP address, which is 100.20.20.20.
Now, Alice starts communicating with Trudy, believing that she is communicating with Bob!
Such DNS spoofing attacks are quite common, and cause a lot of havoc. Even worse, the attacker (Trudy) does not have to listen to the conversation on the wire! She simply has to be able to hack the DNS server of the ISP and replace a single IP address with her own!
A protocol called DNSSEC (Secure DNS) is being used to thwart such attacks.
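The Bob/Trudy/Alice scenario above as a small simulation, added here as an example and not taken from the course. The ISP's DNS table is a dictionary; Trudy overwrites Bob's entry and Alice's lookup returns Trudy's address. A validating resolver accepts a record only if its authentication tag verifies under the key it trusts for Bob's zone. Real DNSSEC uses public-key signatures (RRSIG records checked along a chain of trust from the root); this example stands in for that with an HMAC under a shared key, a simplification chosen to stay within the standard library, and the keys themselves are constructed.

```python
"""Pharming against a plain resolver versus a validating one (added example).

Keys, names and addresses other than those on the slide are constructed; the
HMAC tag is a stand-in for a DNSSEC signature, not real DNSSEC.
"""
import hashlib
import hmac

BOB_ZONE_KEY = b"constructed key held by Bob's zone and trusted by validators"


def sign_record(name, ip, key):
    """Authentication tag over one name/address record (stand-in for an RRSIG)."""
    return hmac.new(key, f"{name}={ip}".encode(), hashlib.sha256).hexdigest()


class Resolver:
    def __init__(self, validate, trusted_key=BOB_ZONE_KEY):
        self.validate = validate
        self.trusted_key = trusted_key
        self.table = {}  # the "DNS table maintained by the ISP"

    def install(self, name, ip, tag=None):
        """Add or replace a record. A validating resolver rejects bad or missing tags."""
        if self.validate:
            expected = sign_record(name, ip, self.trusted_key)
            if tag is None or not hmac.compare_digest(tag, expected):
                return False
        self.table[name] = ip
        return True

    def lookup(self, name):
        return self.table.get(name)


def scenario(validate):
    """Returns (whether Trudy's replacement was accepted, what Alice resolves)."""
    isp = Resolver(validate)
    # Bob's genuine record, tagged with Bob's zone key.
    isp.install("www.bob.com", "100.10.10.20",
                sign_record("www.bob.com", "100.10.10.20", BOB_ZONE_KEY))
    # Trudy does not hold Bob's key; the best she can do is tag the record with her own.
    trudy_key = b"constructed key known only to Trudy"
    accepted = isp.install("www.bob.com", "100.20.20.20",
                           sign_record("www.bob.com", "100.20.20.20", trudy_key))
    return accepted, isp.lookup("www.bob.com")


if __name__ == "__main__":
    print("plain resolver:     ", scenario(validate=False))  # (True, '100.20.20.20')
    print("validating resolver:", scenario(validate=True))   # (False, '100.10.10.20')
```

The validation has to run somewhere Trudy does not control: if she has taken over the ISP's server outright, the check must be done by Alice's own stub resolver or by a validating resolver Alice trusts, otherwise the forged entry is simply served back to her as before.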
Thank you