MALWARE

In the previous article we examined the Denial of Service attack, a very common attack and one that is easy to perpetrate. In this article you will continue your examination of security threats by learning about several other types of attack. First, you will learn about virus outbreaks. Our discussion will focus on how and why virus attacks work, including their deployment through Trojan horses. This article is not a “how to create your own virus” tutorial, but rather an introduction to the concepts underlying these attacks as well as an examination of some specific case studies.

This article will also explore buffer overflow attacks, spyware and several other forms of malware. Each of these brings a unique approach to an attack, and each needs to be considered when defending a system. Your ability to defend against such attacks will be enhanced by expanding your knowledge of how they work.

Viruses

By definition, a computer virus is a self-replicating program. Generally, a virus will also have some other unpleasant function, but self-replication and rapid spread are the hallmarks of a virus. Often this growth, in and of itself, can be a problem for an affected network. The previous article discussed the Slammer virus and the effects of its rapid, high-volume scanning. A rapidly spreading virus reduces the functionality and responsiveness of a network. Simply by exceeding the traffic load the network was designed to carry, the virus may render the network temporarily non-functional.

How A Virus Spreads

Usually, a virus will spread primarily in one of two ways. The first is to simply scan your computer for connections to a network and then copy itself to other machines on the network to which your computer has access. This is an efficient way to spread a virus, but it requires more programming skill. The more common method is to read your e-mail address book and e-mail itself to everyone in it. Programming this is a trivial task, which explains why it is so common.

The latter method is by far the most common method of virus propagation, and Microsoft Outlook may be the e-mail program most often hit by such attacks. The reason is not a security flaw in Outlook but the fact that Outlook is easy to work with. Microsoft products are designed so that a programmer can get deep access to an application and integrate it with the other applications in the Microsoft Office suite. For example, a programmer could write an application that accesses a Word document, imports an Excel spreadsheet, and then uses Outlook to automatically e-mail the resulting document to interested parties. Microsoft did a good job of making this easy; usually very little programming is needed to finish the work. It takes less than five lines of code to reference Outlook and send out an e-mail. This means a program can literally cause Outlook itself to send e-mail, unbeknownst to the user. There are several code samples on the Internet showing how to do this, free for the taking, so no programmer is needed to access your Outlook address book and automatically send e-mail. Essentially, the ease of programming Outlook is why so many virus attacks target it.

While the overwhelming majority of virus attacks spread by attaching themselves to the victim’s existing e-mail software, some recent virus outbreaks have used other methods of propagation. The most common alternative is to simply copy itself across the network. Virus outbreaks that spread via multiple routes are becoming more common.

Delivering the payload is easy, and it depends on the carelessness of the end user rather than on the skill of the virus programmer. Enticing users to visit Web sites or open files they should not is a common method for delivering a virus, and one that requires no programming skill at all. Regardless of how a virus arrives at your doorstep, once it is on your system it can do anything that any legitimate program can do. That means it could potentially delete files, change system settings or cause other harm.

Recent Virus Examples

The threat from virus attacks cannot be overstated. While there are many Web pages that give virus information, in my opinion, there are only a handful of Web pages that consistently give the latest, most reliable, most detailed information on virus outbreaks. Any security professional will want to consult these sites on a regular basis. You can read about any virus, past or current, at the following websites:

·       www.f-secure.com/virus-info/virus-news/

·       www.cert.org/nav/index_red.html

·       Securityresponse.symantec.com/

·       Vil.nai.com/vil/

The sections below will look at a few recent virus outbreaks and review how they operated and what they did.

The Sobig Virus

The virus that received the most media attention, and perhaps caused the most harm, in 2003 was clearly the Sobig virus. The first interesting thing about this virus was how it spread. It used a multi-modal approach, meaning it used more than one mechanism to spread and infect new machines. It would copy itself to any shared drives on your network, and it would e-mail itself to everyone in your address book. For these reasons, this virus was particularly virulent.

FYI: Virulent Virus

 

The term virulent means basically the same thing with respect to a computer virus as it does with a biological virus. It is a measure of how rapidly the infection spreads and how easily it infects new targets.

In the case of Sobig, if one person on a network was unfortunate enough to open an e-mail containing the virus, not only would his machine be infected, but so would every shared drive on that network to which that person had access. However, Sobig, like most e-mail-distributed viruses, had a tell-tale sign in the e-mail subject line that could be used to identify the message as infected. The e-mail would have some enticing subject such as “here is the sample” or “the document” to make you curious enough to open the attached file. The virus would then copy itself into the Windows system directory.

This particular virus spread so far and infected so many networks that simply making multiple copies of itself was enough to shut some networks down. It did not destroy files or damage the system, but it generated a great deal of traffic that bogged down the networks it infected. The virus itself was of moderate sophistication. Once the first outbreak was over, however, many variants began to emerge, complicating the situation further. One side effect of some Sobig variants was downloading files from the Internet that then caused printing problems; some network printers simply started printing garbage. The Sobig.E variant would even write to the Windows registry so that it ran at startup (F-Secure, 2003). These characteristics indicate that the creator knew how to access the Windows registry, access shared drives, alter the Windows startup and access Outlook.

This brings up the issue of virus variants and how they occur. In the case of a biological virus, mutations in the genetic code cause new strains to appear, and the pressures of natural selection allow some of these strains to evolve into entirely new species. Obviously, that is not what occurs with a computer virus. Instead, some intrepid programmer with malicious intent gets a copy of a virus (perhaps her own machine becomes infected) and reverse-engineers it. Since many virus attacks take the form of a script attached to an e-mail, unlike traditionally compiled programs, the source code of these attacks is readily readable and alterable. The programmer in question simply takes the original virus code, introduces some change, and re-releases the variant. Frequently, the people who are caught for virus creation are actually the developers of a variant, who lacked the skill of the original virus writer and were therefore easily caught.

The Mimail Virus

The Mimail virus did not receive as much media attention as Sobig, but it had its own intriguing characteristics. This virus collected e-mail addresses not only from your address book but also from other documents on your machine (Gudmundsson, 2004). Thus, if you had a Word document on your hard drive containing an e-mail address, Mimail would find it. This strategy meant that Mimail would spread farther than many other viruses. Mimail also had its own built-in e-mail engine, so it did not have to “piggyback” on your e-mail client. It could spread regardless of what e-mail software you used.

These two departures from most virus attacks made Mimail interesting to people who study computer viruses. There are a variety of techniques that allow one to programmatically open and process files on a computer; however, most virus attacks do not employ them. Scanning documents for e-mail addresses indicates a certain level of skill and creativity on the part of the virus writer. In this author’s opinion, Mimail was not the work of an amateur, but rather of a person with professional-level programming skill.

The Bagle Virus

Another virus that spread rapidly in the fourth quarter of 2003 was the Bagle virus. The e-mail it sent claimed to be from your system administrator. It would tell you that your e-mail account had been infected by a virus and that you should open the attached file for instructions. Once you opened the attached file, your system was infected. This virus was particularly interesting for several reasons. To begin with, it spread both through e-mail and by copying itself to shared folders. Secondly, it could also scan files on your PC looking for e-mail addresses. Finally, this virus took out your computer’s “immune system”: it disabled antivirus scanners. Disabling virus scanners was a new twist that indicates at least moderate programming skill on the part of the virus creator.

A Non – Virus Virus

Another new type of virus has been gaining popularity in the past few years: the “non-virus virus”, or put simply, a hoax. Rather than actually writing a virus, a hacker sends an e-mail to every address he has. The e-mail claims to be from some well-known antivirus center and warns of a new virus that is circulating. It instructs people to delete some file from their computer to get rid of the virus. However, the file is not a virus at all but part of the operating system. The jdbgmgr.exe virus hoax used this scheme (Vmyths.com, 2002). It encouraged the reader to delete a file that the system actually needed. Surprisingly, a number of people followed this advice and not only deleted the file, but promptly e-mailed their friends and colleagues to warn them to delete the file from their machines as well.

FYI: The Morris Internet Worm

 

The Morris worm was one of the first computer worms ever distributed over the Internet, and it was certainly the first to gain significant media attention.

Robert Tappan Morris, Jr., then a graduate student at Cornell University, wrote this worm and launched it from an MIT system on 2 November 1988. Morris did not intend the worm to cause any damage; instead, he wanted it to reveal bugs in the programs he exploited to spread it. However, bugs in the worm’s own code allowed an individual computer to be infected multiple times, and the worm became a menace. Every additional infection spawned a new process on the infected system. At a certain point the high number of processes running on an infected system slowed the computer down to the point of being unusable. At least 5000 Unix machines were infected with this worm.

Morris was convicted of violating the 1986 Computer Fraud and Abuse Act and was sentenced to a $10,000 fine, three years’ probation and 400 hours of community service. But perhaps the greatest impact of this worm was that it led to the creation of the Computer Emergency Response Team (CERT).

Rules for Avoiding Viruses

You should notice a common theme with all virus attacks (except the hoax), which is that they want you to open some kind of attachment. The most common way for a virus to spread is as an e-mail attachment. A few simple rules go a long way:

     §  Use a virus scanner. McAfee and Norton are two of the most widely accepted and used virus scanners. Each costs about $30 per year to keep updated. Do it.

     §  If you are not sure about an attachment, do not open it.

     §  Do not believe “security alerts” that are sent to you by e-mail. Microsoft does not send out alerts in this manner. Check the Microsoft Web site regularly, as well as one of the antivirus Web sites listed above.

These rules will not make your system 100% virus proof, but they will go a long way towards protecting your system.
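The tell-tale signs mentioned above, an enticing subject line and an attachment that runs as a program when opened, can be checked mechanically before a message ever reaches a user. The C program below is an added example, not code from this article or from any mail product: it reads a message’s raw headers, extracts the Subject and the attachment file name from Content-Disposition, and scores the message. The extension lists, the lure subjects and the two sample messages are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed lists: extensions Windows runs on double-click, document extensions users trust,
 * and lure subjects of the kind described above for Sobig and Bagle. */
static const char *EXECUTABLE_EXT[] = { "exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js", NULL };
static const char *DOCUMENT_EXT[]   = { "doc", "xls", "txt", "pdf", "jpg", NULL };
static const char *LURE_SUBJECT[]   = { "here is the sample", "the document", "your account", NULL };

/* Verdict bits: runs as a program / document name hiding an executable extension / known lure */
enum { RISK_EXECUTABLE = 1, RISK_DOUBLE_EXT = 2, RISK_SUBJECT = 4 };

/* ASCII case-insensitive compare of n characters (both strings must hold at least n). */
static int ieqn(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

static int in_list(const char *s, const char *const *list) {
    size_t n = strlen(s);
    for (; *list; list++)
        if (strlen(*list) == n && ieqn(s, *list, n)) return 1;
    return 0;
}

/* Copies the value of header `name` into out (bounded); returns 0 if absent.
 * One header per line; folded continuation lines are not handled. */
static int header_value(const char *headers, const char *name, char *out, size_t cap) {
    size_t nlen = strlen(name);
    for (const char *p = headers; p && *p; p = strchr(p, '\n') ? strchr(p, '\n') + 1 : NULL) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len <= nlen || p[nlen] != ':' || !ieqn(p, name, nlen)) continue;
        const char *v = p + nlen + 1;
        while (v < p + len && (*v == ' ' || *v == '\t')) v++;
        size_t vlen = (size_t)(p + len - v);
        if (vlen && v[vlen - 1] == '\r') vlen--;   /* drop the CR of a CRLF line */
        if (vlen >= cap) vlen = cap - 1;           /* truncate, never overrun */
        memcpy(out, v, vlen);
        out[vlen] = '\0';
        return 1;
    }
    out[0] = '\0';
    return 0;
}

/* Pulls filename="..." (quoted or bare) out of a Content-Disposition value. */
static int attachment_name(const char *disp, char *out, size_t cap) {
    const char *key = "filename=";
    size_t klen = strlen(key), dlen = strlen(disp);
    for (size_t i = 0; i + klen <= dlen; i++) {
        if (!ieqn(disp + i, key, klen)) continue;
        const char *v = disp + i + klen, *end;
        if (*v == '"') {                            /* quoted: up to the closing quote */
            end = strchr(++v, '"');
            if (!end) end = v + strlen(v);
        } else {                                    /* bare token: up to ';' or blank */
            for (end = v; *end && *end != ';' && *end != ' '; end++) ;
        }
        size_t n = (size_t)(end - v);
        if (n >= cap) n = cap - 1;
        memcpy(out, v, n);
        out[n] = '\0';
        return 1;
    }
    out[0] = '\0';
    return 0;
}

/* Scores one message's raw headers; returns a bitmask of RISK_* flags. */
int attachment_risk(const char *headers) {
    char subject[256], disp[256], name[128];
    int risk = 0;
    if (header_value(headers, "Subject", subject, sizeof subject) && in_list(subject, LURE_SUBJECT))
        risk |= RISK_SUBJECT;
    if (header_value(headers, "Content-Disposition", disp, sizeof disp) &&
        attachment_name(disp, name, sizeof name)) {
        char *last = strrchr(name, '.');
        if (last && in_list(last + 1, EXECUTABLE_EXT)) {
            risk |= RISK_EXECUTABLE;
            *last = '\0';                           /* now inspect the extension before it */
            char *prev = strrchr(name, '.');
            if (prev && in_list(prev + 1, DOCUMENT_EXT)) risk |= RISK_DOUBLE_EXT;
        }
    }
    return risk;
}

/* Constructed messages, not real captures. */
const char *SAMPLE_LURE =
    "Subject: the document\r\n"
    "Content-Disposition: attachment; filename=\"document.doc.pif\"\r\n";
const char *SAMPLE_BENIGN =
    "Subject: Q3 numbers\r\n"
    "Content-Disposition: attachment; filename=q3.xls\r\n";

int main(void) {
    printf("lure risk = %d, benign risk = %d\n", attachment_risk(SAMPLE_LURE), attachment_risk(SAMPLE_BENIGN));
    return 0;
}
```

The lure message scores on all three counts (an executable extension, a document name in front of it, and a known subject line); the benign message scores zero. A mail gateway would treat RISK_EXECUTABLE alone as enough to quarantine, since an attachment that runs as a program has no business arriving by e-mail unannounced, and the other bits mainly help explain the verdict to whoever reviews the quarantine.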

Trojan Horses

Trojan horse is the term for a program that looks benign but actually has a malicious purpose. You might receive or download a program that appears to be a harmless business utility or game. More likely, the Trojan horse is just a script attached to a benign-looking e-mail. When you run the program or open the attachment, it does something other than, or in addition to, what you expected. It might:

  §  Download harmful software from a Web site.

  §  Install a key logger or other spyware on your machine.

  §  Delete files.

  §  Open a backdoor for a hacker to use.

It is common to find combination virus plus Trojan horse attacks, in which the Trojan horse spreads like a virus. The MyDoom virus opened a port on your machine that a later virus, Doomjuice, would exploit, making MyDoom a combination virus and Trojan horse.

A Trojan horse could also be crafted especially for an individual. If a hacker wished to spy on a certain individual, such as the company accountant, she could craft a program specifically to attract that person’s attention. For example, if she knew the accountant was an avid golfer, she could write a small program about golf courses. She would post that program on a free Web server and then e-mail a number of people, including the accountant, telling them about the free software. The software, once installed, could check the name of the currently logged-on user. If the logged-on name matched the accountant’s, the software could then, unknown to the user, download a key logger or other monitoring application. If the software did not damage files or replicate itself, it would probably go undetected for quite a long time.

FYI: Virus or Worm?

 

There is disagreement among experts as to the distinction between a virus and a worm. Some experts would call MyDoom a worm because it spread without human intervention. For the purposes of this text, such malware will be referred to as viruses.

Such a program would be within the skill set of virtually any moderately competent programmer. This is one reason that many organizations have rules against downloading ANY software onto company machines. I am unaware of any actual incident of a Trojan horse being custom-tailored in this fashion. However, it is important to remember that those creating virus attacks tend to be innovative people.

Another scenario to consider is one that would be quite devastating. Without divulging programming details, the basic premise will be outlined here to illustrate the grave dangers of Trojan horses. Imagine a small application that displays a series of unflattering pictures of Osama Bin Laden. This application would probably be popular with many people in the United States of America, particularly people in the military, intelligence community or defense-related industries. Now assume that this application simply sits dormant on the machine for a period of time. It need not replicate like a virus because the computer user will probably send it to many of his associates. On a certain date and time, the software connects to any drive it can, including network drives and begins deleting all files. If such a Trojan horse were released “in the wild”, within 30 days it would probably be shipped to thousands, perhaps millions, of people. Imagine the devastation when thousands of computers begin deleting files and folders.

This scenario is mentioned precisely to frighten you a little. Computer users, including professionals who should know better, routinely download all sorts of things from the Internet, such as amusing Flash videos and cute games. Every time an employee downloads something of this nature, there is a chance of downloading a Trojan horse. One need not be a statistician to realise that if employees continue that practice long enough, they will eventually download a Trojan horse onto a company machine. If so, hopefully it will not be as vicious as the theoretical one just outlined here.

The Buffer Overflow Attack

You have become knowledgeable about a number of ways to attack a target system: Denial of Service, viruses and Trojan horses. While these attacks are probably the most common, they are not the only methods. Another method of attacking a system is called a buffer overflow (or buffer overrun) attack. A buffer overflow happens when one tries to put more data into a buffer than it was designed to hold (searchSecurity.com, 2004a). Any program that communicates with the Internet or a private network must take in some data. This data is stored, at least temporarily, in a space in memory called a buffer. If the programmer who wrote the application was careful, an attempt to place too much information into a buffer is either simply truncated or rejected outright. Given the number of applications that might be running on a target system and the number of buffers in each application, the chances of having at least one buffer that was not written properly are significant enough to cause any prudent person some concern.

Someone who is moderately skilled in programming can write a program that purposely writes more into a buffer than it can hold. For example, if the buffer can hold 1024 bytes of data and you send it 2048 bytes, the extra 1024 bytes are written past the end of the buffer into whatever happens to be adjacent in memory. If the overwritten memory includes something the program later relies on, such as a saved return address or a function pointer, and the extra data is actually malicious code, then that code has just been loaded into memory and can be made to run on the target system. Or perhaps the perpetrator simply wants to flood the target machine’s memory, overwriting other items that are currently in memory and causing the program to crash. Either way, the buffer overflow is a very serious attack.

Fortunately, buffer overflow attacks are a bit harder to execute than a DoS or a simple Microsoft Outlook script virus. To create a buffer overflow attack, you need a good working knowledge of some programming language (C or C++ is often chosen) and must understand the target operating system or application well enough to know whether it has a buffer overflow weakness and how that weakness might be exploited.
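The following C program is an added illustration, not code from this article or from any real product, of the difference between a careless and a careful receive routine. The layout, the names and the 1024-byte size are constructed for the example: a fixed buffer is followed in memory by a privilege flag, the attacker’s message is four bytes longer than the buffer, and the unchecked copy lets those four bytes land on the flag, while the rejecting and truncating versions leave it untouched.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024

/* Constructed layout: a fixed-size input buffer followed by a field the program
 * trusts. In real code the neighbour might be a saved return address or a
 * function pointer; here it is a privilege flag so the effect is easy to see. */
struct request {
    char     buffer[BUF_SIZE];
    uint32_t is_admin;             /* expected to stay 0 for an ordinary user */
};

/* Vulnerable: copies as many bytes as the sender claims to have sent. The
 * destination goes through a volatile pointer only so that compiler bounds
 * analysis (FORTIFY_SOURCE) cannot turn the demonstration into an abort;
 * the bug is the missing comparison against BUF_SIZE. */
static void receive_unchecked(struct request *r, const char *data, size_t len) {
    char *volatile dst = r->buffer;
    memcpy(dst, data, len);
}

/* Careful, variant 1: refuse anything that does not fit. */
static int receive_rejecting(struct request *r, const char *data, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(r->buffer, data, len);
    return 0;
}

/* Careful, variant 2: keep the first BUF_SIZE bytes and drop the rest. */
static size_t receive_truncating(struct request *r, const char *data, size_t len) {
    size_t n = len > BUF_SIZE ? BUF_SIZE : len;
    memcpy(r->buffer, data, n);
    return n;                      /* bytes actually stored */
}

/* Attacker's message: BUF_SIZE bytes of filler followed by the value 1, sized
 * so that the last four bytes land exactly on is_admin. */
#define ATTACK_LEN (BUF_SIZE + sizeof(uint32_t))

static void build_attack_message(char *out) {
    uint32_t one = 1;
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &one, sizeof one);   /* endian-neutral copy of the flag value */
}

/* Each helper reports what is_admin (or the status) looks like after the
 * corresponding receive routine has processed the attacker's message. */
uint32_t flag_after_unchecked(void) {
    struct request r = {{0}, 0};
    char msg[ATTACK_LEN];
    build_attack_message(msg);
    receive_unchecked(&r, msg, sizeof msg);
    return r.is_admin;             /* 1: the overrun flipped the flag */
}

int status_rejecting(void) {
    struct request r = {{0}, 0};
    char msg[ATTACK_LEN];
    build_attack_message(msg);
    return receive_rejecting(&r, msg, sizeof msg);   /* -1: message refused */
}

uint32_t flag_after_truncating(void) {
    struct request r = {{0}, 0};
    char msg[ATTACK_LEN];
    build_attack_message(msg);
    receive_truncating(&r, msg, sizeof msg);
    return r.is_admin;             /* 0: only BUF_SIZE bytes were stored */
}

int main(void) {
    printf("unchecked : is_admin = %" PRIu32 "\n", flag_after_unchecked());
    printf("rejecting : status   = %d\n", status_rejecting());
    printf("truncating: is_admin = %" PRIu32 "\n", flag_after_truncating());
    return 0;
}
```

Compile with any C compiler and run; the unchecked variant reports is_admin = 1. Whether to reject or to truncate is a design choice: rejecting is safer for a protocol message, where a truncated request may still be parsed and acted on, while truncation is acceptable for free-form text such as a log line. What matters is that the length the sender supplies is never used as the length of the copy.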

The Sasser Virus

In 2004, several major new virus outbreaks took place, most notably the Sasser virus. Sasser is a combination attack in that the virus (or worm) spreads by exploiting a buffer overrun.

The Sasser virus spreads by exploiting a known flaw in a Windows system program. Sasser copies itself to the Windows directory as avserve.exe and creates a registry key to load itself at startup. In that way, once your machine is infected, you start the virus every time you start the machine. The virus scans random IP addresses, using successive TCP ports starting at 1068, for exploitable systems, that is, systems that have not been patched to fix this flaw. When one is found, the worm exploits it by overflowing a buffer in LSASS.EXE, a built-in system file that is part of the Windows operating system. Sasser also acts as an FTP server on TCP port 5554 and creates a remote shell on TCP port 9996. Next, Sasser creates an FTP script named cmd.ftp on the remote host and executes it. This script instructs the victim to download and execute the worm from the infected host, which accepts the FTP traffic on TCP port 5554. The worm also creates a file named win.log on the C: drive containing the IP address of the local host. Copies of the virus are created in the Windows System directory as #_up.exe, where # is a number. Examples are shown here:

            ·       C:\WINDOWS\system32\12553_up.exe

            ·       C:\WINDOWS\system32\17923_up.exe

            ·       C:\WINDOWS\system32\29679_up.exe

A side effect of this virus is that it causes your machine to reboot, because the overflowed LSASS.EXE crashes. A machine that is repeatedly rebooting without any other known cause may well be infected with the Sasser virus.

This is another case in which the infection can easily be prevented by several means. First, if you update your system on a regular basis, it should not be vulnerable to this flaw. Secondly, if your network’s routers or firewall block inbound traffic on the ports mentioned (5554 and 9996), you will prevent most of Sasser’s damage; note that the initial exploit itself arrives over the Windows file-sharing port, TCP 445, so that port must be filtered at the perimeter as well. Your firewall should only allow in traffic on specified ports; all others should be closed. In short, if you as the network administrator are aware of security issues and take prudent steps to protect the network, your network will be far less exposed. The fact that so many networks were affected by this virus indicates that not enough administrators are properly trained in computer security.

Spyware

Spyware was mentioned earlier as one of the threats to computer security. Using spyware, however, requires a great deal more technical knowledge on the part of the perpetrator than some other forms of malware. The perpetrator must be able to develop spyware for the particular situation, or customize existing spyware for his needs, and must then be able to get the spyware onto the target machine.

Spyware can be as simple as a cookie used by a Web site to record a few brief facts about your visit, or it can be of a more insidious type, such as a key logger. A key logger records every keystroke you make on your keyboard and logs it to a file for the spy. The most common use of a key logger is to capture usernames and passwords. However, this method captures every username and password you enter, every document you type and anything else you might type. This data can be stored in a small file hidden on your system for later extraction, or sent out in TCP packets to some predetermined address. In some cases, the software is set to wait until after hours to upload the data to a server, or to use your own e-mail software to send it to an anonymous address. Other spyware periodically takes screen shots from your system, revealing anything that is open on your computer. Whatever the specific mode of operation, spyware is software that literally spies on your activities on a particular computer.

Legal Uses of Spyware

There are some perfectly legal uses for spyware. Some employers have embraced it as a means of monitoring employee use of company technology. Many companies have elected to monitor phone, e-mail or Web traffic within the organization. Keep in mind that the computer, network and phone system are the property of the company or organization, not of the employees. These technologies are supposedly used only for work purposes; therefore, company monitoring might not constitute any invasion of privacy. While courts have upheld such monitoring as a company’s right, it is critical to consult an attorney before initiating this level of monitoring, and to consider its effect on employee morale.

Parents can also elect to use this type of software on their home computer to monitor their children’s activities on the Internet. The goal is usually a laudable one: protecting their children from online predators. Yet, as with employees in a company, the practice may elicit a strong negative reaction from the parties being spied upon, namely their children. Parents have to weigh the risk to their children against what might be viewed as a breach of trust.

How is Spyware Delivered to a Target System?

Clearly, spyware programs can track all activity on a computer, and that information can be retrieved by another party via a number of different methods. The real question is this: how does spyware get onto a computer system in the first place? The most common method is a Trojan horse. It is also possible that, when you visit a certain Web site, spyware downloads in the background while you are simply perusing the site. Of course, if an employer (or parent) is installing the spyware, it can be installed openly, in the same way the organization would install any other application.

Obtaining Spyware Software

Given the many other utilities and tools that have been mentioned as available from the Internet, you probably will not be surprised to learn that you can obtain many spyware products for free, or at very low cost, on the Internet. You can check the Counterexploitation Web site (www.sungi.org) for a lengthy list of known spyware products circulating on the Internet and for information about methods one can use to remove them. The Spyware Guide Web site (SpywareGuide, 2004) (www.spywareguide.com) lists spyware that you can get right off the Internet, should you feel some compelling reason to spy on someone’s computer activities. Several key logger applications are listed on this site, including well-known key loggers such as Absolute Keylogger, Tiny Keylogger and TypO. Most can be downloaded for free or for a nominal charge.

Some well-known Trojan horses are also listed at this site, such as the 2nd Thought application, which downloads to a person’s personal computer (PC) and then blasts it with advertisements. This particular piece of spyware downloads to your PC when you visit certain Web sites. It is benign in that it causes no direct harm to your system or files, nor does it gather sensitive information from your PC. However, it is incredibly annoying, as it inundates your machine with unwanted ads. This sort of software is often referred to as adware. Frequently, these ads cannot be stopped by normal pop-up blockers, because the pop-up windows are not generated by a Web site you visit but by rogue software running on your machine. Pop-up blockers only stop sites you visit from opening new windows: Web sites use well-known scripting techniques to cause your browser to open a window, and pop-up blockers recognize these techniques and prevent the ad window from opening. If the adware launches a new browser instance itself, it bypasses the pop-up blocker’s function.

 

 

HOW TO DEFEND AGAINST DOS ATTACKS

 

There is no guaranteed way to prevent all DoS attacks, just as there is no sure way to prevent any hacking attack. However, there are steps you can take to minimize the danger. Some methods, such as SYN cookies and RST cookies, have already been mentioned. In this section, a few of the steps you can take to make your system less susceptible to a DoS attack will be examined.

One of the first things to consider is how these attacks are perpetrated. They may be executed via ICMP packets, which are used to send error messages on the Internet and are sent by the ping and traceroute utilities. You must have a firewall, and you must configure it to drop ICMP packets that originate from outside the network. Since DoS/DDoS attacks can be executed via a wide variety of protocols, you can also configure your firewall to deny all unsolicited incoming traffic, regardless of protocol or port. This step may seem radical, and it is only an option for a network that offers no public services, but it is certainly a secure one.

It is also possible to detect some threats from certain DoS tools, such as TFN2K, by using information tools such as netstat. Many of these tools can be configured to look for connections in the SYN_RECEIVED state (SYN_RECV on Linux); a large number of them could indicate a SYN flood attack.
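Two of the checks described on this page, the Sasser listeners on TCP 5554 and 9996 from the previous section and the count of SYN_RECEIVED connections here, can both be run over the output of netstat -an. The C program below is an added example, not from the article or any tool: it parses the Windows netstat -an column layout (Linux output has extra queue columns and different state names and would need a small adjustment), tallies the two indicators, and reports on them. The sample output and the threshold of 3 are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sasser's listeners, from the description above. */
#define SASSER_FTP_PORT   5554
#define SASSER_SHELL_PORT 9996

struct netstat_summary {
    int tcp_lines;      /* TCP connection lines parsed */
    int syn_received;   /* inbound connections stuck half-open */
    int listen_5554;    /* something listening on Sasser's FTP port */
    int listen_9996;    /* something listening on Sasser's remote-shell port */
};

/* Port number from "a.b.c.d:port" or "[v6addr]:port"; -1 if none. */
static int port_of(const char *addr) {
    const char *colon = strrchr(addr, ':');
    char *end;
    if (!colon || colon[1] == '\0') return -1;
    long p = strtol(colon + 1, &end, 10);
    return (*end == '\0' && p >= 0 && p <= 65535) ? (int)p : -1;
}

/* Splits one line into the four netstat -an columns; 0 if it is not a TCP line. */
static int parse_line(const char *line, char *proto, char *local, char *foreign, char *state) {
    /* width limits keep sscanf from overrunning the column buffers */
    int n = sscanf(line, "%15s %63s %63s %31s", proto, local, foreign, state);
    return n == 4 && strcmp(proto, "TCP") == 0;
}

/* Walks netstat -an output line by line and tallies the indicators. */
void summarize_netstat(const char *text, struct netstat_summary *s) {
    memset(s, 0, sizeof *s);
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[256], proto[16], local[64], foreign[64], state[32];
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate, never overrun */
        memcpy(line, text, len);
        line[len] = '\0';
        if (parse_line(line, proto, local, foreign, state)) {
            int port = port_of(local);
            int listening = strcmp(state, "LISTENING") == 0;
            s->tcp_lines++;
            if (strcmp(state, "SYN_RECEIVED") == 0) s->syn_received++;
            if (listening && port == SASSER_FTP_PORT) s->listen_5554 = 1;
            if (listening && port == SASSER_SHELL_PORT) s->listen_9996 = 1;
        }
        if (!nl) break;
        text = nl + 1;
    }
}

/* Both Sasser ports open at once is the indicator worth paging someone over. */
int looks_like_sasser(const struct netstat_summary *s) {
    return s->listen_5554 && s->listen_9996;
}

/* Half-open connections at or above the threshold suggest a SYN flood. */
int syn_flood_suspected(const struct netstat_summary *s, int threshold) {
    return s->syn_received >= threshold;
}

/* Constructed sample in the Windows netstat -an layout; not a real capture. */
const char *SAMPLE_NETSTAT =
    "Active Connections\n"
    "\n"
    "  Proto  Local Address          Foreign Address        State\n"
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING\n"
    "  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING\n"
    "  TCP    192.168.1.20:80        203.0.113.5:40211      SYN_RECEIVED\n"
    "  TCP    192.168.1.20:80        203.0.113.9:40212      SYN_RECEIVED\n"
    "  TCP    192.168.1.20:80        203.0.113.17:40213     SYN_RECEIVED\n"
    "  TCP    192.168.1.20:3389      192.168.1.7:51022      ESTABLISHED\n"
    "  UDP    0.0.0.0:500            *:*\n";

/* Convenience wrappers over the constructed sample. */
int sample_syn_received(void) { struct netstat_summary s; summarize_netstat(SAMPLE_NETSTAT, &s); return s.syn_received; }
int sample_looks_like_sasser(void) { struct netstat_summary s; summarize_netstat(SAMPLE_NETSTAT, &s); return looks_like_sasser(&s); }
int sample_syn_flood(int threshold) { struct netstat_summary s; summarize_netstat(SAMPLE_NETSTAT, &s); return syn_flood_suspected(&s, threshold); }

int main(void) {
    struct netstat_summary s;
    summarize_netstat(SAMPLE_NETSTAT, &s);
    printf("TCP lines: %d, SYN_RECEIVED: %d, Sasser ports open: %s, SYN flood: %s\n",
           s.tcp_lines, s.syn_received, looks_like_sasser(&s) ? "yes" : "no",
           syn_flood_suspected(&s, 3) ? "suspected" : "no");
    return 0;
}
```

On a live host, save the output of netstat -an to a file and pass its contents to summarize_netstat. A listener on both Sasser ports is a strong indicator on its own; the SYN_RECEIVED threshold, by contrast, has to be tuned to the normal load of the server, since a busy Web server legitimately carries some half-open connections at any moment.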

FYI: Blocking ICMP Packet

 

There are very few legitimate reasons (and, some would argue, no good reasons) for an ICMP packet from outside your network to enter your network. Thus, blocking such packets is very often used as one part of a strategy to defend against DoS attacks. Block selectively, however: dropping every ICMP type, rather than just echo requests and redirects, also discards the “fragmentation needed” messages (type 3, code 4) that Path MTU Discovery relies on, and connections through your firewall can then stall.

 

If your network is large enough to have internal routers, you can configure those routers to disallow any traffic that does not originate within your network. In that way, should packets make it past your firewall, they will not be propagated throughout the network. You should also consider disabling directed IP broadcast packets to all machines on the network, which stops many DoS attacks. Additionally, you can install a filter on the router to verify that packets arriving from outside actually have external source IP addresses and that packets leaving have internal source IP addresses; this is known as ingress and egress filtering.

Because many distributed DoS attacks depend on “unwitting” computers being used as launch points, one way to reduce such attacks is to protect your own computers against viruses and Trojan horses. It is important that you remember the following three things:

Ø  Always use virus-scanning software and keep it updated.

Ø  Always keep operating system and software patches updated.

Ø  Have an organizational policy stating that employees cannot download anything onto their machines unless the download has been cleared by the IT staff.

As previously stated, none of these steps will make your network totally secure from either being the victim of a DoS attack or being the launch point for one, but they will help reduce the chances of either occurring. A good resource for this topic is the SANS Institute Web site, at www.sans.org/dosstep/.

 

DISTRIBUTED DENIAL OF SERVICE (DDOS)

 

Another form of trickery is the Distributed Denial of Service attack (DDoS). As with all such denial attacks, the goal is to overwhelm the target; what makes it distributed is that the hacker gets a number of machines to attack the target at once. One way the hacker accomplishes this is to trick Internet routers into attacking the target. Another form of DDoS relies on compromised (zombie) hosts that simultaneously attack a given target with a large number of packets.

Recall from the earlier discussion that many of the routers on the Internet backbone communicate on port 179 (Gibson, 2002). This attack takes advantage of that communication channel and recruits routers to attack the target system. What makes this attack particularly wicked is that it does not require the router in question to be compromised in any way. Instead, a hacker sends the routers packets that have been altered so that they appear to come from the target system’s IP address. The routers respond by starting a connection with the target system. What happens next is a flood of connections from multiple routers, all aimed at the same target. The effect of this flood is to make the system inaccessible.

Real – World Example

A good deal of time has been spent discussing the basics of how various DoS attacks are conducted. By now, you should have a firm grasp of what a DoS attack is and a basic understanding of how it works. It is now time to begin discussing specific, real-world examples of such attacks. This section will take the theoretical knowledge you have gained and give you real-world examples of its application.

MyDoom

One of the most widely publicized DoS attacks was the MyDoom attack. This threat was a classic distributed DoS attack. The virus/worm would e-mail itself to everyone in your address book and then, at a preset time, all infected machines would begin a coordinated attack on www.sco.com (Delio, 2004). Estimates put the number of infected machines between 500,000 and 1 million. This attack was successful and promptly shut down the SCO Web site. It should be noted that well before the day the DoS attack was actually executed, network administrators and home users were well aware of what MyDoom would do. There were also several tools available free of charge on the Internet for removing the virus/worm. However, it appears that many people did not take the steps necessary to clean their machines of it.

What makes this attack so interesting is that it is clearly an example of domestic cyber terrorism (although it is certain that the creators of MyDoom would see it differently). For those readers who do not know the story, it will be examined here briefly. The Santa Cruz Operation (SCO) makes a version of Unix that is copyright protected. Several months before this attack, SCO began accusing certain Linux distributions of containing segments of SCO Unix code. SCO sent demand letters to many Linux users demanding license fees. Many people in the Linux community viewed this request as simply an attempt to undermine the growing popularity of Linux, an open-source operating system. SCO went even further and filed suit against major companies that were distributing Linux (SCO/Linux, 2003). This claim by SCO seemed unfounded to many legal and technology analysts. It was also viewed with great suspicion because SCO had close ties to Microsoft, which had been trying desperately to stop the growing popularity of Linux.

Many analysts feel that the MyDoom virus/worm was created by some individual (or group of individuals) who felt that the Santa Cruz Operation's tactics were unacceptable. The hackers wished to cause economic harm to SCO and damage its public image. This probable motive makes this case clearly one of domestic economic terrorism: one group attacks the technological assets of another group based on an ideological difference. Prior to this virus/worm, there were numerous Web site defacements and other small-scale attacks that were part of ideological conflicts. However, this virus/worm was the first such attack to be so widespread and successful. This incident began a new trend in information warfare. As technology becomes less expensive and the tactics more readily available, you can expect to see an increase in this sort of attack in the coming years.

Slammer

Another virus/worm responsible for DoS attacks was the Slammer virus/worm. Some experts rate Slammer as the fastest-spreading virus/worm ever to hit the Internet (Moore, 2004). This virus/worm achieved its DoS simply by spreading so fast that it clogged up networks. It began spreading on January 25, 2003. It would scan a network for any computers running the Microsoft SQL Server Desktop Engine. It then used a flaw in that application to infect the target machine. It would continually scan every computer connected to the infected machine, seeking one with Microsoft SQL Server Desktop Engine. At its peak, it performed millions of scans per second. This activity resulted in a tremendous number of packets going across infected networks. That flood of scanning packets brought many systems down.

This particular attack was interesting for two reasons. First, what defines this virus as also being a worm is its method of propagation. It was able to spread without anyone downloading it or opening an e-mail attachment. Instead, it would randomly scan IP addresses, looking for any machine it could infect. This method meant that it spread much faster than many previous virus/worm attacks had. The second interesting fact about this attack is that it was totally preventable. Microsoft had released a patch for this flaw weeks before the attack took place. This story should illustrate the critical need to frequently update your machine's software. You must make certain that you have all the latest patches installed on your machine.

 

DoS ATTACKS


As you can see, the basic concept for perpetrating a DoS is not complicated. The actual problem for the attacker is performing the attack without being caught. We will now examine a few specific types of DoS attacks and look at specific case studies. This information will give you a deeper understanding of the dangers of the Internet.

TCP SYN Flood Attack

The SYN flood is one of the most popular forms of DoS. These attacks depend on the hacker's knowledge of how connections are made to a server. When a session is established between a client and a server over TCP, the server must set aside buffer space in memory for the proper exchange of messages. The SYN field is included in the session-establishing packet to identify the sequence in which messages will be exchanged. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply that is sent back by the server, or he can supply a spoofed (forged) IP address. In other words, he requests connections and then never follows through with the rest of the connection sequence. This process has the effect of leaving connections on the server half open, and the buffer memory allocated for them is reserved and not available to other applications. Although the packet in the buffer is dropped after a certain period of time (usually about three minutes) without a reply, the effect of many of these false connection requests is to make it difficult for legitimate requests for a session to get established.

There have been a number of well-known SYN flood attacks on Web servers. Because all machines connected to the Internet engage in TCP communications, any machine that communicates over TCP is in danger of this attack, and such communication is obviously the entire reason for a Web server.

FYI: Flood Attacks

In a flood attack, the attacker overwhelms a target system by sending a continuous flood of traffic designed to consume

There are, however, several methods and techniques you can implement to protect against these attacks. The basic defensive techniques are:

Ø  SYN cookies

Ø  RST cookies

Ø  Stack tweaking

Some of these methods require more technical sophistication than others. They will be discussed here only in general terms. When you are tasked with defending a system against this form of attack, you should select the method most appropriate for your network and examine it in more detail at that time. Which method you implement depends on the operating system your Web server uses. You will need to consult your operating system's documentation or appropriate Web sites in order to find explicit instructions on how to implement these methods.

SYN Cookies

As the name suggests, this method uses cookies, not unlike the standard cookies used on many Web sites. With SYN cookies, the system does not immediately create buffer space in memory for the handshaking process. Instead, the SYN-ACK carries a carefully constructed cookie that encodes the IP address, port number, and other information about the client requesting the connection. When the client responds with a normal ACK (acknowledgement), the information from that cookie is included, and the server verifies it. Thus, the system does not fully allocate any memory until the third stage of the handshaking process. This enables the system to keep performing its functions, although one side effect is that large TCP windows are disabled. However, the cryptographic hashing used in SYN cookies is fairly resource intensive; therefore, system administrators who expect a great deal of incoming connections may choose not to use this defensive technique.

FYI: Hashing

A hash value is a number generated from a string of text. The hash is significantly smaller than the text itself and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value. Hashing plays a role in security when it is used to ensure that transmitted messages have not been tampered with. To do this, the sending machine generates a hash of the message, encrypts it, and sends it along with the message itself. The receiving machine decrypts the hash, creates a second hash from the received message, and compares the two. If they do not match, there is a big problem.
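As an added example (not from the original article), the following Python code shows the server side of the SYN cookie mechanism described above, using the keyed hashing from the FYI box: the 32-bit initial sequence number sent in the SYN-ACK encodes a time counter, an MSS index and a keyed hash of the connection, so nothing is stored until the client's final ACK proves it is real. The secret, the MSS table, the bit layout and the addresses are constructed for the demonstration; a real kernel uses random per-boot secrets and its own layout.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo secret; a real kernel uses random per-boot secrets.
SECRET = b"constructed-demo-secret"
# MSS values the server can encode in the cookie's 3-bit MSS index (demo table).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64  # seconds per tick of the 5-bit time counter


def _hash24(saddr, sport, daddr, dport, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = struct.pack("!4sH4sHII", ipaddress.ip_address(saddr).packed, sport,
                      ipaddress.ip_address(daddr).packed, dport, client_isn, counter)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, mss, now):
    """On SYN: build the ISN for the SYN-ACK without allocating connection state.
    Layout (32 bits): 5-bit time counter | 3-bit MSS index | 24-bit keyed hash."""
    counter = int(now) // COUNTER_PERIOD
    # Largest table entry not exceeding the MSS the client advertised.
    mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | _hash24(
        saddr, sport, daddr, dport, client_isn, counter)


def check_syn_cookie(saddr, sport, daddr, dport, ack_seq, ack_num, now):
    """On the final ACK: return the encoded MSS if the cookie is genuine, else None.
    ack_seq is the ACK segment's sequence number (client ISN + 1) and ack_num its
    acknowledgement number (our cookie + 1); both are read straight off the packet."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    t, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now) // COUNTER_PERIOD
    # Accept the current counter value and the previous one; older cookies expire.
    for counter in (current, max(current - 1, 0)):
        if counter & 0x1F != t or mss_idx >= len(MSS_TABLE):
            continue
        expected = _hash24(saddr, sport, daddr, dport, client_isn, counter)
        if hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:80.
    c = make_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, 1000, 1460, now=1_000_000)
    # A genuine third ACK arriving 10 s later verifies; a forged ack number does not.
    print(check_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, 1001, c + 1, now=1_000_010))
    print(check_syn_cookie("198.51.100.7", 40000, "203.0.113.10", 80, 1001, c + 2, now=1_000_010))
```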

 

RST Cookies

Another easy method for defending against SYN floods is the RST cookie. The server deliberately sends the client a wrong reply, and the client should respond by generating an RST packet. Because the client sends back a packet notifying the server of the error, the server now knows the client's request is legitimate and can accept incoming connections from that client in the normal fashion. This method has two disadvantages: it might cause problems with Windows 95 machines, and with machines that are communicating from behind firewalls.

Stack Tweaking

The stack tweaking procedure involves changing the TCP stack on the server so that it takes less time to time out when the SYN connection is incomplete. Unfortunately, this precaution only makes it more difficult to perform a SYN flood against the target; for a determined hacker, an attack is still possible.

FYI: Stack Tweaking

Stack tweaking is complicated, and the details vary by operating system. The operating system's documentation offers little help on this subject. For these reasons, this method is usually used only by very advanced network administrators.

Smurf IP Attack

The Smurf attack is a very popular version of the DoS attack. An ICMP (Internet Control Message Protocol) packet is sent out to the broadcast address of the network. Because it is a broadcast, every host on the network responds by echoing the packet, and those echoes are sent to the forged source address. The forged source address need not be on the local subnet; it can be anywhere on the Internet. If the hacker can continually send such packets, she will cause the network itself to perform a DoS attack on one or more of its member servers. This attack is clever and rather simple. The only problem for the hacker is getting the packets started on the target network. This task can be accomplished via some software, such as a virus or Trojan horse, that begins sending the packets.

In a Smurf attack, three parties/systems are involved: the attacker, the intermediary (which can also be a victim), and the victim. The attacker first sends the ICMP echo request packet to the intermediary's IP broadcast address. Since this is sent to the IP broadcast address, many of the machines on the intermediary's network will receive the request packet and send an ICMP echo reply packet back. If enough machines on the network respond to the request, the network suffers an outage.

The attacker impacts the third party—the intended victim—by creating forged packets that contain the spoofed source address of the victim. Therefore, when all the machines on the intermediary's network start replying to the echo request, those replies flood the victim's network. Thus, the victim's network becomes congested and unusable.

The Smurf attack is an example of the creativity that some malicious parties can employ. It is sometimes viewed as the digital equivalent of the biological process in an auto-immune disorder. With such disorders, the immune system attacks the patient's own body. In a Smurf attack, the network performs a DoS attack on one of its own systems. This method's cleverness illustrates why it is important that you attempt to work creatively and in a forward-thinking manner if you are responsible for system security in your network. The perpetrators of computer attacks are inventive and always coming up with new techniques. If your defense is less creative and clever than the attackers' methods, then it is simply a matter of time before your system is compromised.

There are several ways to protect your system against this problem. One is to guard against Trojan horses. Having policies that prohibit employees from downloading applications will help, and having adequate virus scanners can go a long way toward protecting your system from a Trojan horse and thus from a Smurf attack. It is also imperative that you use a proxy server, which was explained in a previous article. If the internal IP addresses of your network are not known, then it is more difficult to target one in a Smurf attack. Probably the best way to protect your system is to combine these defenses with prohibiting directed broadcasts and patching the hosts to refuse to reply to any directed broadcasts.

UDP Flood Attack

UDP, as you will recall, is a connectionless protocol that does not require any connection setup procedure prior to transferring data. In a UDP flood attack, the attacker sends a UDP packet to a random port on a target system. When the target system receives a UDP packet, it automatically determines what application is waiting on the destination port. When no application is waiting on that port, the target system generates an ICMP "destination unreachable" packet and attempts to send it back to the forged source address. If enough UDP packets are delivered to ports on the target, the system becomes overloaded trying to determine the awaiting applications (which do not exist) and then generating and sending packets back.

ICMP Flood Attack

There are two basic types of ICMP flood attacks: floods and nukes. An ICMP flood is usually accomplished by broadcasting a large number of either pings or UDP packets. Like other flood attacks, the idea is to send so much data to the target system that it slows down. If it can be forced to slow down enough, the target will time out (not send replies fast enough) and be disconnected from the Internet. ICMP nukes exploit known bugs in specific operating systems. The attacker sends a packet of information that he knows the operating system on the target system cannot handle. In many cases, this will cause the target system to lock up completely.

The Ping of Death (PoD)

TCP packets are of limited size. In some cases, simply sending a packet that is too large can shut down a target machine. This action is referred to as the Ping of Death (PoD). It works simply by overloading the target system. The hacker sends merely a single ping, but he does so with a very large packet and thus can shut down some machines.

This attack is quite similar to the classroom example discussed in the previous article. The aim in both cases is to overload the target system and cause it to quit responding. PoD compromises systems that cannot deal with extremely large packet sizes. If successful, the server will actually shut down completely. It can, of course, be rebooted.

The only real safeguard against PoD is to ensure that all operating systems and software are routinely patched. This attack relies on vulnerabilities in the way a particular operating system (or application) handles abnormally large TCP packets. When such vulnerabilities are discovered, it is customary for the vendor to release a patch. The possibility of PoD is one reason, among many, why you must keep patches updated on all of your systems.

Teardrop Attack

In a teardrop attack, the attacker sends a fragmented message. The two fragments overlap in ways that make it impossible to reassemble them properly without destroying the individual packet headers. Therefore, when the victim attempts to reconstruct the message, the message is destroyed. This causes the target system to halt or crash. There are a number of variations on the basic teardrop attack, such as TearDrop2, Boink, targa, Nestea Boink, NewTear, and SYNdrop.
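As an added example, not from the original article, here is a defensive IPv4 fragment reassembler in Python that rejects the two malformed inputs described in the Ping of Death and teardrop sections: a fragment set that would grow the datagram beyond the 65,535-byte IPv4 maximum, and fragments whose byte ranges overlap. The fragment tuples in the demonstration are constructed; offsets are in 8-byte units, as they appear in the IP header.

```python
MAX_DATAGRAM = 65535  # largest IPv4 datagram (RFC 791), header included
IP_HEADER_LEN = 20    # minimal IPv4 header; fragment offsets count from its end


class FragmentError(ValueError):
    """A malformed fragment set; a careful stack discards the whole datagram."""


def reassemble(fragments):
    """Reassemble IPv4 fragments given as (offset_units, more_fragments, payload).
    offset_units is the 13-bit fragment offset in 8-byte units as carried on the
    wire.  Instead of trusting the offsets, the checks reject a datagram whose
    fragments add up to more than 65,535 bytes (Ping of Death) and fragments
    whose byte ranges overlap (teardrop)."""
    if not fragments:
        raise FragmentError("no fragments")
    pieces = []
    for offset_units, more, payload in fragments:
        start = offset_units * 8
        end = start + len(payload)
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            raise FragmentError(
                f"datagram would be {IP_HEADER_LEN + end} bytes, over {MAX_DATAGRAM}")
        pieces.append((start, end, more, payload))
    pieces.sort(key=lambda p: p[0])
    buf, expected = bytearray(), 0
    for i, (start, end, more, payload) in enumerate(pieces):
        if start < expected:
            raise FragmentError(f"fragment at byte {start} overlaps data ending at {expected}")
        if start > expected:
            raise FragmentError(f"gap between bytes {expected} and {start}")
        if not more and i != len(pieces) - 1:
            raise FragmentError("more-fragments flag clear on a non-final fragment")
        buf += payload
        expected = end
    if pieces[-1][2]:
        raise FragmentError("final fragment (more-fragments flag clear) is missing")
    return bytes(buf)


def verdict(fragments):
    """Return the reassembled payload, or the reason the set was rejected."""
    try:
        return reassemble(fragments)
    except FragmentError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed fragment sets: a normal two-piece datagram, a teardrop-style pair
    # whose second offset falls inside the first piece, and an oversized last piece.
    print(verdict([(0, True, b"A" * 16), (2, False, b"B" * 5)]))
    print(verdict([(0, True, b"X" * 24), (1, False, b"Y" * 4)]))
    print(verdict([(0, True, b"P" * 8), (8191, False, b"Q" * 8)]))
```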

Land Attack

A land attack is probably the simplest in concept. The attacker sends a forged packet with the same source IP address and destination IP address (the target’s IP address). The method is to drive the target system “crazy” by having it attempt to send messages to and from itself. The victim system will often be confused and will crash or reboot.
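The following Python filter is an added example, not part of the original article, showing the router-side defenses named in the Smurf and Land sections (refusing directed broadcasts and packets whose source equals their destination) together with a host-side check that ignores echo requests sent to a broadcast address. It goes a step beyond the text by also dropping packets whose source address does not belong to the side they arrive from, which keeps your own network from being the launch point for forged packets. The subnets and packets are constructed for the demonstration.

```python
import ipaddress

# Constructed topology: the subnets behind this router; everything else is outside.
INTERNAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]
ICMP_ECHO_REQUEST = 8


def classify(pkt):
    """Router-side decision for one packet given as a dict with keys src, dst
    (dotted IPv4 strings) and iface ("inside" or "outside"). Returns (action, reason)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    # Land attack: no legitimate packet is addressed from a host to itself.
    if src == dst:
        return "drop", "land: source equals destination"
    # Smurf intermediary defense: refuse directed broadcasts to any internal subnet,
    # the equivalent of disabling directed broadcasts on the router interface.
    for net in INTERNAL_SUBNETS:
        if dst == net.broadcast_address:
            return "drop", f"directed broadcast to {net}"
    # Anti-spoofing (a step beyond the text): the source must match the side the
    # packet came from, so forged packets can neither enter nor leave through here.
    internal_src = any(src in net for net in INTERNAL_SUBNETS)
    if pkt["iface"] == "outside" and internal_src:
        return "drop", "spoofed: internal source arriving from outside"
    if pkt["iface"] == "inside" and not internal_src:
        return "drop", "spoofed: external source leaving our network"
    return "accept", "ok"


def host_replies_to_echo(pkt, host_ip):
    """Host-side counterpart of the patch the text recommends: answer ICMP echo
    requests addressed to this host only, never ones sent to a broadcast address
    (on Linux this is what net.ipv4.icmp_echo_ignore_broadcasts=1 enforces)."""
    if pkt.get("proto") != "icmp" or pkt.get("icmp_type") != ICMP_ECHO_REQUEST:
        return False
    return ipaddress.ip_address(pkt["dst"]) == ipaddress.ip_address(host_ip)


if __name__ == "__main__":
    # Constructed traffic: a Smurf trigger aimed at our broadcast address with the
    # victim's (outside) address forged as source, a Land packet, and normal traffic.
    samples = [
        {"src": "203.0.113.5", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8, "iface": "outside"},
        {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp", "iface": "inside"},
        {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "iface": "outside"},
    ]
    for pkt in samples:
        print(pkt["src"], "->", pkt["dst"], classify(pkt))
    print(host_replies_to_echo(samples[0], "192.0.2.10"))  # False: broadcast is ignored
```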

Echo / Chargen Attack

The character generator (chargen) service was designed primarily for testing purposes. It simply generates a stream of characters. In an echo/chargen attack, this service is abused by attackers to exhaust the target system's resources. The attacker accomplishes this by creating a spoofed network session that appears to come from the local system's echo service and is pointed at the chargen service, forming a "loop". This session causes huge amounts of data to be passed back and forth endlessly, and the constant looping places a heavy load on the system. Alternately, if the spoofed session is pointed at another system's echo service, it causes heavy network traffic that slows down the target's network.
