Cybercrime Tools & Methods PDF

Document Details


Uploaded by RestoredOcean2821

Dayananda Sagar Academy of Technology and Management

Tags

cybercrime cybersecurity computer science information security

Summary

This document discusses various tools and methods used in cybercrime, including proxy servers and anonymizers, phishing, viruses, worms, Trojan horses, backdoors and steganography. It also covers DoS and DDoS attacks (including SYN flooding, ping of death, teardrop and smurf attacks) and attacks on wireless networks. The document is the transcript of a lecture slide deck (Module 3) from a course at Dayananda Sagar Academy of Technology and Management.

Full Transcript


MODULE 3: TOOLS AND METHODS USED IN CYBERCRIME
Dayananda Sagar Academy of Technology & Management

COURSE CONTENTS
- Introduction
- Proxy Servers and Anonymizers
- Phishing
- Password Cracking
- Keyloggers and Spyware
- Viruses and Worms
- Trojan Horses and Backdoors
- Steganography
- DoS and DDoS Attacks
- SQL Injection
- Buffer Overflow
- Attacks on Wireless Networks

Introduction
Various tools and techniques are used to launch attacks against a target, for example:
- Scareware
- Malvertising
- Clickjacking
- Ransomware

The basic stages of an attack, which show how an attacker compromises a network:
1. Initial uncovering, in two steps: (i) reconnaissance; (ii) the attacker uncovers information about the target
2. Network probe
3. Crossing the line toward e-crime
4. Capturing the network
5. Grabbing the data
6. Covering tracks

Proxy Servers and Anonymizers
- A proxy server is a computer on a network that acts as an intermediary for connections with other computers on that network.
- The attacker first connects to the proxy server, and the proxy makes the onward connection, so the target sees the proxy's address rather than the attacker's. This lets the attacker hide their identity.

Purposes of a proxy server:
- Keep the system "behind the curtain": the client's address and details are not exposed to the remote server.
- Speed up access to resources (by caching).
- Specialized proxy servers filter unwanted content such as advertisements.
- A proxy server can act as an IP-address multiplexer, letting a number of computers reach the Internet through a single address.

Anonymizer
- An anonymizer, or anonymous proxy, is a tool that attempts to make activity on the Internet untraceable.
- It accesses the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying information.

Phishing
- The term dates from around 1996.
- Fake e-mail that borrows the identity of a reputed company or individual.
- People associate phishing with e-mail messages that spoof or mimic banks, credit card companies, or other businesses such as Amazon and eBay.

How phishing works:
1. Planning: decide on the target and determine how to obtain e-mail addresses.
2. Setup: create the methods for delivering the message and for collecting data from the target.
3. Attack: send a phony message that appears to be from a reputable source.
4. Collection: record the information victims enter into web pages or pop-up windows.
5. Identity theft and fraud: use the gathered information to make illegal purchases and commit fraud.

Viruses and Worms
- A computer virus is a program that can "infect" legitimate programs by modifying them to include a possibly "evolved" copy of itself.
- Viruses spread themselves without the knowledge or permission of users.
- A virus contains malicious instructions.
- A virus's effects can be event-driven, time-driven, or random.
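The phishing workflow above ends with the victim typing data into a page the attacker controls; the receiving side can usually catch such a mail earlier from inconsistencies between its headers and its links. The following is an added example, not part of the original slides: a small Python checker run over a constructed sample message. The trusted domain examplebank.com, the two messages, and the lookalike-domain heuristic are all assumptions made for the demo.

```python
"""Phishing indicator check over constructed e-mails (added example)."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Assumed: the brand whose name the recipient trusts.
TRUSTED_DOMAINS = {"examplebank.com"}

# Constructed phishing sample: the From header is forged to the trusted brand,
# while Return-Path / Reply-To point at a lookalike ("1" for "l") and the
# visible link text differs from the real href.
SAMPLE_MAIL = b"""\
Return-Path: <bounce@mail-examp1ebank.com>
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@mail-examp1ebank.com
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Please <a href="http://examplebank.com.login-verify.example/secure">
https://www.examplebank.com/login</a> to confirm your identity.</p>
</body></html>
"""

# Constructed legitimate sample for contrast.
CLEAN_MAIL = b"""\
Return-Path: <bounce@examplebank.com>
From: "Example Bank" <alerts@examplebank.com>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in at <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a>.</p></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)


def registrable_domain(host):
    """Crude 'last two labels' heuristic; enough for this demo."""
    parts = (host or "").lower().strip().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def addr_domain(header_value):
    """Domain of the first address in a header value, or None."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return registrable_domain(m.group(1)) if m else None


def looks_alike(domain, trusted):
    """Visually similar to a trusted domain but not equal (assumed heuristic)."""
    if domain == trusted:
        return False
    norm = domain.replace("1", "l").replace("0", "o").replace("-", "").replace("rn", "m")
    return trusted in norm


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom = addr_domain(msg["From"])
    other = {hdr: addr_domain(msg[hdr]) for hdr in ("Return-Path", "Reply-To")}
    # 1. Envelope / reply domains that do not match the displayed sender.
    for hdr, dom in other.items():
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # 2. Any sender-side domain that merely resembles a trusted one.
    for trusted in TRUSTED_DOMAINS:
        for dom in {from_dom, *other.values()}:
            if dom and looks_alike(dom, trusted):
                findings.append(f"lookalike domain {dom} resembles {trusted}")
    # 3. Links whose visible text and real destination disagree, or that bury
    #    the trusted name inside a foreign host.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        shown = URL_RE.search(text)
        if shown:
            shown_dom = registrable_domain(urlparse(shown.group(0)).hostname)
            if shown_dom != registrable_domain(host):
                findings.append(f"link text shows {shown_dom} but href goes to {registrable_domain(host)}")
        for trusted in TRUSTED_DOMAINS:
            if host != trusted and not host.endswith("." + trusted) and trusted in host:
                findings.append(f"trusted name {trusted} embedded in foreign host {host}")
    return findings


if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_MAIL), ("clean", CLEAN_MAIL)):
        print(name, phishing_indicators(mail))
```

The checks mirror the setup and attack steps: the attacker must deliver from infrastructure they control (hence the mismatched Return-Path and Reply-To) and must route the victim to a collection page (hence the href that does not match the displayed URL). None of this replaces SPF/DKIM/DMARC verification, which the example does not perform.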
Actions a virus can take:
- Display a message to prompt an action that lets the virus in
- Scramble data on the hard disk
- Delete files on the system
- Cause erratic screen behavior
- Halt the PC
- Replicate itself

How viruses spread (figure slides; no text in the transcript)

- A true virus can only spread from one system to another when its infected host (a file or disk) is carried to the target, for example by a user sending it or moving it on removable media.
- A worm spreads itself automatically to other computers through networks by exploiting security vulnerabilities.

Difference between viruses and worms (table slide; no text in the transcript)

Types of viruses, categorized by the element of the system they attack:
1. Boot sector viruses: infect the storage media on which the OS is stored and which is used to start the computer. They spread to other systems when shared infected disks and pirated software are used.
2. Program viruses: become active when the program file (usually with extension .bin, .com, .exe, .ovl or .drv) is executed, and make copies of themselves.
3. Multipartite viruses: a hybrid of boot sector and program viruses.
4. Stealth viruses: mask themselves so that antivirus software cannot detect them; they alter file-system information and hide in computer memory to remain on the system undetected. Brain, generally regarded as the first PC virus, was a stealth boot-sector virus.
5. Polymorphic viruses: like a "chameleon", they change their virus signature (i.e. binary pattern) every time they spread (i.e. multiply and infect a new file). Polymorphic generators are routines that can be linked with existing viruses; the generators are not viruses themselves, but their purpose is to hide actual viruses under the cloak of polymorphism.
6. Macro viruses: infect documents produced on the victim's computer.
7. ActiveX and Java controls

Trojan Horses
- A Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data, in such a way that it can get control and cause harm.
- Trojans get into a system in a number of ways, including through the web browser, via e-mail, or with software downloaded from the Internet.
- Trojans do not replicate themselves, but they can be equally destructive.

Examples of threats posed by Trojans:
- Erase, overwrite or corrupt data on the computer
- Help spread other malware
- Deactivate or interfere with antivirus and firewall software
- Allow remote access to the computer
- Upload and download files without the user's knowledge
- Gather e-mail addresses and use them for spam
- Slow down, restart or shut down the system
- Reinstall themselves after being disabled
- Disable the Task Manager or Control Panel
- Copy fake links to false websites, display pornographic sites, play sounds/videos and display images
- Log keystrokes to steal information such as passwords or credit card numbers

Backdoors
- A backdoor is a means of access to a computer program that bypasses security mechanisms.
- Programmers sometimes leave a backdoor in their software for diagnostic and troubleshooting purposes; attackers discover these undocumented features and use them.
- Attackers also install backdoors themselves as part of an exploit.
- A backdoor works in the background and hides from the user.
- It is among the most dangerous parasites, as it allows a malicious person to perform any possible action on the machine.

What a backdoor does:
- Allows the attacker to create, delete, rename, copy or edit any file; change any system setting; alter the Windows registry; run, control and terminate applications; install arbitrary software
- Controls hardware devices, modifies their settings, and shuts down or restarts the computer without asking for user permission
- Steals sensitive personal information, logs user activity, tracks web browsing habits
- Records keystrokes
- Sends all gathered data to a predefined e-mail address
- Infects files, corrupts installed applications and damages the entire system
- Distributes infected files to remote computers and performs attacks against attacker-defined remote hosts
- Installs a hidden FTP server that can be used by the malicious person
- Degrades Internet connection speed and overall system performance
- Provides no uninstall feature, and hides processes, files and other objects to complicate its removal as much as possible

Examples of backdoor Trojans:
- Back Orifice: enables a user to control a computer running the Microsoft Windows OS from a remote location
- Bifrost: infects Windows 95 through Windows Vista
- SAP backdoors, e.g. those demonstrated with Onapsis Bizploit (an SAP penetration-testing framework)

How to protect against backdoors and Trojan horses:
- Stay away from suspect websites and web links
- Surf the web cautiously
- Install antivirus / Trojan remover software

Steganography
- From two Greek words: steganos, "covered", and graphein, "to write"; literally "covered writing", i.e. concealed writing. The aim is to hide the existence of a message, typically inside an image, audio or video file.
- Steganalysis: detecting messages that are hidden in images, audio or video files.

DoS and DDoS Attacks
- A denial-of-service (DoS) attack is an attempt to make a computer resource unavailable to its intended users.
- DoS attack: the attacker floods the bandwidth of the victim's network, or fills the victim's mailbox with spam, depriving the victim of the services they are entitled to access or provide.
- Attackers typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, mobile phone networks and even root name servers.

DoS attack mechanism
- A DoS can be committed by crashing a service (the buffer overflow technique is one way) or by flooding it.
- In a flooding attack, the attacker spoofs the source IP address and floods the victim's network with repeated requests.
- Because the source address is fake, the victim machine keeps waiting for a response from the (non-existent) sender for each request, holding resources for each one.
- This consumes the network's bandwidth and the server's resources; the server can no longer serve legitimate requests and ultimately breaks down.

Symptoms of a DoS attack (as defined by US-CERT):
- Unusually slow network performance (opening files or accessing websites)
- Unavailability of a particular website
- Inability to access any website
- Dramatic increase in the number of spam e-mails received

What a DoS attack does:
- The goal of DoS is not to gain unauthorized access to systems or data, but to prevent intended users of a service from using it.
- Activities of a DoS attack: flood a network with traffic; disrupt the connection between two systems; prevent a particular individual from accessing a service; disrupt service to a specific system or person.

Classification of DoS attacks:
- Bandwidth attacks: consume all the bandwidth of the site.
- Logic attacks: exploit vulnerabilities in network software such as a web server or the TCP/IP stack.
- Protocol attacks: exploit a specific feature or implementation bug of some protocol installed on the victim's system to consume an excessive amount of its resources.
- Unintentional DoS attacks

Types or levels of DoS attack:
1. Flood attack (ping flood): the attacker sends a huge number of ping packets, using the "ping" command, resulting in more traffic than the victim can handle. This requires the attacker to have a faster network connection than the victim. Prevention is difficult.
2. Ping of death: sends oversized ICMP packets (larger than the 65,535-byte maximum IP datagram size, delivered as fragments). On receiving and reassembling such a packet, a vulnerable system crashes, freezes or reboots.
3. SYN attack (TCP SYN flooding): the spoofed-request mechanism described under "DoS attack mechanism" above, applied to the TCP handshake; the victim keeps half-open connections waiting for replies that never arrive.
4. Teardrop attack: fragmented packets are forged to overlap each other when the receiving host tries to reassemble them. The IP packet fragmentation algorithm is abused to send corrupted packets that confuse the victim and may hang the system. Windows 3.1x, 95 and NT, and Linux versions prior to 2.0.32 and 2.1.63, were vulnerable to this attack.
5. Smurf attack: generates significant traffic on the victim's network using floods of spoofed broadcast ping messages. The attacker sends ICMP echo requests to a network's broadcast address with the victim's address as the spoofed source; every host on that network replies with an ICMP echo response, and all the replies go to the victim. Internet Relay Chat (IRC) servers were the primary victims of smurf attacks.
6. Nuke: an old DoS attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, slowing the affected computer down until it comes to a complete stop. Example: WinNuke, which exploited a vulnerability in the NetBIOS handler in Windows 95: a string of out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock up and display the Blue Screen of Death (BSOD).

Tools used to launch DoS attacks:
- Jolt2: attack against Windows-based machines; consumes 100% of CPU time processing illegal packets
- Nemesy: generates random packets with spoofed source IP addresses
- Targa: used to run 8 different DoS attacks
- Crazy Pinger: sends large ICMP packets
- SomeTrouble: remote flooder and bomber, developed in Delphi

Blended Threats
- A more sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one single threat.
- Uses server and Internet vulnerabilities to initiate, transmit and then spread the attack.
- Characteristics:
  1. Causes harm to the infected system or network
  2. Propagates using multiple methods, so the attack may come from multiple points
  3. Exploits vulnerabilities
  4. Serves multiple attacks in one payload
  5. Uses multiple modes of transport
- Rather than a specific attack on predetermined ".exe" files, it can perform multiple malicious acts, such as modifying your ".exe" files, HTML files and registry keys.

Permanent DoS (PDoS) attacks
- Damages a system so badly that it requires replacement or reinstallation of hardware: pure hardware sabotage, for example by flashing corrupt firmware ("phlashing").
- PhlashDance is a tool created by Rich Smith, who discovered and demonstrated PDoS.

DDoS attacks
- The attacker uses your computer to attack another computer.
- By taking advantage of security vulnerabilities or weaknesses, an attacker can take control of your computer and then force it to send huge amounts of data to a website, or to send spam to particular e-mail addresses.
- The attack is "distributed" because the attacker uses multiple computers to launch the DoS attack.
- A large number of zombie systems are synchronized to attack a particular system. The zombie systems are called "secondary victims" and the main target is called the "primary victim".

How to protect against DoS and DDoS attacks:
- Implement router filters (ingress/egress filtering that drops packets with spoofed source addresses).
- If such filters are available for your system, install patches to guard against TCP SYN flooding.
- Disable any unused or inessential network services.
- Observe your system performance and establish baselines for ordinary activity, so that floods stand out.
- Routinely examine your physical security.
- Use tools to detect changes in configuration information or other files.
- Invest in and maintain "hot spares" (standby machines that can be brought into service quickly).
- Invest in redundant and fault-tolerant network configurations.
- Establish and maintain regular backup schedules and policies.
- Establish and maintain appropriate password policies.

Attacks on Wireless Networks
- In security breaches, penetration of a wireless network through unauthorized access is termed wireless cracking.
- Traditional techniques: sniffing, spoofing, DoS, man-in-the-middle attacks, encryption cracking.

How to secure wireless networks:
- Change the default settings of all equipment/components of the wireless network.
- Enable encryption. The slide says WPA/WEP; in practice use WPA2 or WPA3, since WEP (and WPA with TKIP) is cryptographically broken and its key can be recovered from captured traffic in minutes.
- Change the default SSID, and avoid giving the network a name that can be easily linked to your organisation or equipment.
- Enable MAC address filtering. (Caveat: MAC addresses are transmitted in the clear and are trivially spoofed, so this only stops casual access.)
- Disable remote login to the access point.
- Disable SSID broadcast. (Caveat: a hidden SSID is still revealed by the probe and association frames of legitimate clients, so treat this as obscurity, not security.)
- Disable the features of the AP that are not used.
- Connect only to secured wireless networks.
- Upgrade the router's firmware periodically.
- Assign static IP addresses to devices.
- Enable firewalls on each computer and on the router.
- Position the router or AP safely, to limit the signal's reach outside the premises.
- Turn off the network during extended periods when it is not in use.
- Monitor wireless network security periodically and regularly.
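The Steganography slide above names both halves of the problem, hiding a message and detecting one (steganalysis), without showing either. The block below is an added example, not from the original slides: least-significant-bit embedding into a constructed 8-bit grayscale image, extraction, and the pairs-of-values chi-square statistic that steganalysis uses to tell a touched LSB plane from an untouched one. The cover image, the key used to whiten the payload, and the thresholds are assumptions of the demo.

```python
"""LSB image steganography and a pairs-of-values steganalysis check (added example)."""
import hashlib
import struct

WIDTH, HEIGHT = 64, 64
KEY = b"demo-key"   # assumed shared secret; only whitens the payload, it is not real encryption


def make_cover():
    """Constructed cover: a 16-level texture whose low bit is almost always 0,
    as a coarsely quantised sensor would produce. Real covers are noisier,
    but their LSB plane is likewise structured rather than random."""
    px = bytearray()
    for i in range(WIDTH * HEIGHT):
        px.append(((i * 5) % 16) * 2 | (1 if i % 8 == 0 else 0))
    return bytes(px)


def keystream(n):
    """Deterministic whitening stream: SHA-256 in counter mode over KEY."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(KEY + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def embed(cover, message):
    """Write a 2-byte length prefix plus the whitened message into the LSBs."""
    payload = struct.pack(">H", len(message)) + message
    payload = bytes(p ^ k for p, k in zip(payload, keystream(len(payload))))
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract(stego):
    """Inverse of embed(): read the LSBs, unwhiten, honour the length prefix."""
    def read(start_byte, n):
        out = bytearray()
        for b in range(n):
            v = 0
            for k in range(8):
                v = (v << 1) | (stego[8 * (start_byte + b) + k] & 1)
            out.append(v)
        return bytes(out)
    head = bytes(a ^ b for a, b in zip(read(0, 2), keystream(2)))
    (length,) = struct.unpack(">H", head)
    ks = keystream(2 + length)[2:]
    return bytes(a ^ b for a, b in zip(read(2, length), ks))


def lsb_ones_ratio(samples):
    """Fraction of samples whose LSB is 1; near 0.5 after embedding random-looking data."""
    return sum(s & 1 for s in samples) / len(samples)


def chi_square_pairs(samples):
    """Westfeld-Pfitzmann pairs-of-values statistic. LSB embedding only moves
    a sample between the values 2k and 2k+1, so the histogram counts of each
    pair converge and the statistic collapses compared with the cover."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return stat


def demo(secret=b"Meet at the old mill at dawn."):
    """Embed, extract, and compare both steganalysis measures over the
    region of the image that actually carries payload bits."""
    cover = make_cover()
    stego = embed(cover, secret)
    region = 8 * (2 + len(secret))
    return {
        "recovered": extract(stego),
        "cover_ratio": lsb_ones_ratio(cover[:region]),
        "stego_ratio": lsb_ones_ratio(stego[:region]),
        "cover_chi2": chi_square_pairs(cover[:region]),
        "stego_chi2": chi_square_pairs(stego[:region]),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the whitening step: without it the payload's own structure (ASCII bytes always have a 0 top bit) leaks into the LSB plane and is itself a steganalysis signal, which is why real tools compress and encrypt before embedding. The chi-square test only works over the part of the image that was actually written to, so a sequential embedder is caught by sliding the window, while one that scatters bits pseudo-randomly with a key defeats this particular statistic.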
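Items 2 and 4 of the "Types or levels of DoS attack" list above (ping of death and teardrop) are both abuses of IPv4 fragmentation, and a reassembler that validates fragments before accepting them stops both. The following is an added example, not from the original slides: a Python fragment checker over constructed IPv4 headers. The addresses and fragment sizes are assumptions; the header layout (13-bit offset in 8-byte units, MF flag, 65,535-byte maximum datagram) is the real IPv4 format.

```python
"""IPv4 fragment sanity checks for ping of death and teardrop (added example)."""
import struct

IPV4_MAX_LEN = 65535          # largest datagram the 16-bit total-length field allows
HDR = "!BBHHHBBH4s4s"         # minimal IPv4 header, no options (20 bytes)


def build_fragment(ident, offset, more, payload_len):
    """Constructed IPv4 header for one fragment of datagram `ident`.
    The fragment offset field is 13 bits in units of 8 bytes; MF is bit 13."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack(HDR, 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def parse_fragment(pkt):
    """Decode the fields a reassembler needs from a raw IPv4 header."""
    ver_ihl, _, total_len, ident, flags_frag, _, _, _, _, _ = struct.unpack(HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "offset": (flags_frag & 0x1FFF) * 8,
            "more": bool(flags_frag & 0x2000), "len": total_len - ihl}


def check_fragments(frags):
    """Return the anomalies found in the fragments of one datagram.
    Overlap is the teardrop signature; a reassembled size above 65,535
    bytes is the ping-of-death signature."""
    if len({f["id"] for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    issues = []
    end = 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] < end:
            issues.append(f"teardrop: fragment at offset {f['offset']} overlaps data up to {end}")
        end = max(end, f["offset"] + f["len"])
    if end + 20 > IPV4_MAX_LEN:
        issues.append(f"ping of death: reassembled datagram would be {end + 20} bytes (> {IPV4_MAX_LEN})")
    return issues


def sample_datagrams():
    """Constructed fragment sets: a normal 3000-byte ICMP echo split at a
    1500-byte MTU, a teardrop pair, and a ping of death whose final
    fragment pushes the reassembled size past 65,535 bytes."""
    normal = [build_fragment(1, 0, True, 1480), build_fragment(1, 1480, True, 1480),
              build_fragment(1, 2960, False, 40)]
    teardrop = [build_fragment(2, 0, True, 1480), build_fragment(2, 1400, False, 200)]
    pod = [build_fragment(3, i * 1480, True, 1480) for i in range(44)]      # up to offset 65120
    pod += [build_fragment(3, 65120, True, 408), build_fragment(3, 65528, False, 16)]
    return {"normal": normal, "teardrop": teardrop, "ping_of_death": pod}


def analyse_all():
    return {name: check_fragments([parse_fragment(p) for p in pkts])
            for name, pkts in sample_datagrams().items()}


if __name__ == "__main__":
    for name, issues in analyse_all().items():
        print(name, issues or "ok")
```

A production stack additionally bounds the time and memory spent on incomplete reassembly, because an attacker can also exhaust a reassembler simply by never sending the last fragment.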
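The "DoS attack mechanism", SYN-flood and smurf items above describe traffic patterns, and the first two protection bullets (router filters against spoofed sources, and baselines for ordinary activity) describe how to act on them. The block below is an added example, not from the original slides, that runs those checks over constructed traffic records as a border router might see them: half-open SYN counting per destination, echo requests aimed at the broadcast address, and ingress/egress source-address filtering. The local prefix, the record format and the thresholds are assumptions; in practice the thresholds come from the measured baseline the slide recommends.

```python
"""SYN-flood, smurf and spoofed-source detection over constructed traffic (added example)."""
import ipaddress
from collections import Counter, defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed: the prefix behind our router
BROADCAST = LOCAL_NET.broadcast_address
HALF_OPEN_LIMIT = 50     # assumed thresholds; set them from a measured baseline
SMURF_LIMIT = 10


def synthetic_traffic():
    """Constructed records: (t, src, dst, direction, proto, info).
    direction is 'in' or 'out' relative to our border; info holds TCP
    flags ('S', 'SA', 'A') or the ICMP type."""
    recs = []
    for i in range(5):                       # five legitimate, completed handshakes
        c = f"198.51.100.{i + 1}"
        recs += [(i, c, "192.0.2.10", "in", "tcp", "S"),
                 (i + 0.1, "192.0.2.10", c, "out", "tcp", "SA"),
                 (i + 0.2, c, "192.0.2.10", "in", "tcp", "A")]
    for i in range(200):                     # SYN flood from spoofed sources, never completed
        recs.append((10 + i * 0.01, f"203.0.113.{i % 254 + 1}", "192.0.2.10", "in", "tcp", "S"))
    for i in range(30):                      # smurf: echo requests to our broadcast, forged source
        recs.append((20 + i * 0.1, "198.51.100.77", str(BROADCAST), "in", "icmp", "echo-request"))
    for i in range(10):                      # one of our hosts emitting packets with a foreign source
        recs.append((30 + i, "203.0.113.9", "198.51.100.5", "out", "tcp", "S"))
    for i in range(5):                       # packets arriving from outside that claim an inside source
        recs.append((40 + i, "192.0.2.50", "192.0.2.10", "in", "tcp", "S"))
    return recs


def analyse(records):
    """Apply the router filter first (drop and count spoofed sources), then
    track half-open TCP connections per destination and broadcast pings."""
    pending = defaultdict(set)     # dst -> sources that sent SYN but no ACK yet
    smurf = Counter()              # forged source (the real victim) -> broadcast echo requests
    spoofed = {"ingress": 0, "egress": 0}
    for _, src, dst, direction, proto, info in records:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if direction == "in" and s in LOCAL_NET:       # ingress filter: outside claims to be inside
            spoofed["ingress"] += 1
            continue
        if direction == "out" and s not in LOCAL_NET:  # egress filter: inside claims a foreign address
            spoofed["egress"] += 1
            continue
        if proto == "tcp" and direction == "in":
            if info == "S":
                pending[dst].add(src)
            elif "A" in info:                          # handshake completed (or reset) by the client
                pending[dst].discard(src)
        elif proto == "icmp" and info == "echo-request" and d == BROADCAST:
            smurf[src] += 1
    return {
        "syn_flood": {dst: len(srcs) for dst, srcs in pending.items() if len(srcs) > HALF_OPEN_LIMIT},
        "smurf_victims": {src: n for src, n in smurf.items() if n >= SMURF_LIMIT},
        "spoofed": spoofed,
    }


if __name__ == "__main__":
    print(analyse(synthetic_traffic()))
```

The egress filter is the one that protects other people: if every network refused to emit packets with a source address it does not own, neither the SYN flood nor the smurf amplification in this sample could be launched with forged addresses in the first place. The half-open counter is a detection only; the usual mitigations on the host are SYN cookies and a larger backlog, which the protection slide's "patches to guard against TCP SYN flooding" refers to.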
