4. Cyberattack 1 – Attack Classification

Cyberattack 1:
Attack Classification

CITS3004
Alvaro Monsalve

Agenda

1. Attack trends
2. Classification
   2.1. Social engineering
   2.2. Cracking
   2.3. Malware
   2.4. Zero-day

How did it all start?

• Before the Internet, the only way to conduct a "cyberattack" was via physical access
– But the computing power at the time was limited, and machines did not store much worth stealing
• TCP/IP was designed in the early 1980s
– IPv4
• Today, TCP/IP is used everywhere
– LAN, MAN, WAN, etc.
– Various applications (voice, multimedia, etc.)

1. Attack Trends

There are many events that contribute toward attack trends:
– More people using the Internet
– Increase in software complexity
– Availability of attacking tools
– Dependence on cyberspace
– Lack of security implementation/deployment/adoption

Attack Trends

Source: NIST: US Department of Commerce

Attack Trends

Howard Lipson. Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues. CERT Coordination Center. Nov. 2002

Attack Trends

Sophos 2021 Threat Report: https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf

Attack Trends

The 2021 CrowdStrike Global Threat Report: https://www.crowdstrike.com/

(Chart slides; only the source references are reproduced here.)

Attack Trends

• Attacks are evolving with time
– Deepfakes
• Deepfake images, voice, etc.
– AI-powered cyberattacks
– Disinformation in social media
– Vehicle cyberattacks
– Cloud jacking
– Etc.

Source: https://us.norton.com/internetsecurity-emerging-threats-cyberthreat-trends-cybersecurity-threat-review.html

Attack Trends

What issues do cyberattacks bring?
A. Technological
B. Economic
C. Sociological
D. Psychological
E. Legal

Attack Trends

Why do people carry out cyberattacks?
A. Status and fame
B. Illegal financial gain
C. Espionage
D. Political and social reasons

Attack Trends

• For example, ransomware:
– CryptoWall made over $130 million USD
– WannaCry made $130,000 USD (June 2017)

Main techniques used are (but not limited to):
– Port-based
– Malicious email
– Buffer overflow
– Malicious web-based
– (Distributed) Denial of Service

2. Attack Classification

Attacks can be classified into:
1. Social Engineering
2. Cracking
3. Malware
4. Network Layer Attacks
5. Web-based Attacks
6. (Distributed) Denial of Service Attacks
7. Zero-day

(Slide annotations: This week / Next week / The week after)

You can of course use other classification methods.

2.1. Social Engineering

A persuasion-type attack that gets the victim to disclose sensitive information
– E.g., phishing attack
– Persuading the victim to install/execute malicious software
– Links to bogus websites (e.g., a spoofed bank website)
– Impersonating a legitimate user to retrieve credentials
– Impersonating a technical support member

Social Engineering

Is it effective?
– Given a 0.1% success rate, sending the phishing email to 1 million users -> 1000 users compromised
– 91% of cyberattacks start with a phishing email*
– Stuxnet and the RSA breach both started with a phishing email

*https://cofense.com/enterprise-phishing-susceptibility-report

Phishing

A phishing attack is a mass distribution of spoofed emails
– They appear to come from well-known organisations
• Such as banks, insurers, retailers, credit card companies, etc.
– Looks legitimate, but leads to fake or bogus sites
– Asks for personal credentials
– They are evolving!
• Fewer grammar/spelling mistakes
• More in context
• Target-oriented content
• Focused targeting is called "Spear Phishing"

Phishing

(Example phishing emails shown as images: a "not so good one", and two "Real or Fake?" examples; see https://www.mailguard.com.au/blog/new-year-new-phishing-ato-email-scam)

Pharming

• An attack that redirects a website's traffic to another website
• The browser may still display the web address you wanted, but the content may not be correct
• DNS tampering redirects the traffic to a different website without users knowing
• What you are viewing is fake, even though it looks real

Pharming

• The DNS server can be manipulated
Or
• The DNS lookup table on the user's computer can be manipulated

(Diagram with steps 1–5 involving: Attacker, User, DNS, Legitimate Site, Fake Site)
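The second pharming variant above tampers with the lookup table on the user's own machine (the hosts file on most systems). The following is an added defensive example, not code from the slides: it parses a constructed hosts-file sample and flags entries that pin a watched domain to an address other than the expected one, plus any public-looking name that has been pinned locally at all. The domain names, addresses and local suffix list are all assumed, constructed values.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample of a local lookup table in hosts-file format; this is not
# taken from any real machine. The last three lines are the tampered entries.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan
203.0.113.45    www.examplebank.com      # pinned to a server the bank does not own
203.0.113.45    online.examplebank.com   # pinned to a server the bank does not own
203.0.113.45    mail.example.org         # not on the watch list, still odd
"""

# Watch list (assumed values): names the defender cares about and the
# addresses they are expected to resolve to.
EXPECTED: Dict[str, Set[str]] = {
    "www.examplebank.com": {"198.51.100.20"},
    "online.examplebank.com": {"198.51.100.21"},
}

# Suffixes that legitimately live in a local table (assumed list).
LOCAL_SUFFIXES = (".lan", ".local", ".localdomain", ".home", ".internal")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, skipping comments, blanks and junk."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a valid address, ignore the line
        for name in names:
            pairs.append((addr, name.lower()))
    return pairs


def find_tampering(text: str, expected: Dict[str, Set[str]] = EXPECTED) -> List[dict]:
    """Flag entries that redirect a watched name, or pin any public-looking
    name, in the local lookup table."""
    findings = []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if name in expected:
            if addr not in expected[name]:
                findings.append({"host": name, "address": addr,
                                 "reason": "watched name pinned to unexpected address"})
            continue
        # Loopback pins are a common ad-blocking technique; everything else that
        # looks like a public name should not be in a local table at all.
        if ipaddress.ip_address(addr).is_loopback:
            continue
        if "." in name and not name.endswith(LOCAL_SUFFIXES):
            findings.append({"host": name, "address": addr,
                             "reason": "public-looking name pinned in local table"})
    return findings


if __name__ == "__main__":
    for f in find_tampering(SAMPLE_HOSTS):
        print(f"{f['host']:28} {f['address']:16} {f['reason']}")
```

Run on a real endpoint, the same check would read the actual hosts file and compare against the organisation's own watch list; the check catches the local-table variant only, and does nothing against a tampered upstream resolver.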

Offensive USB

• Microchips can be embedded in USB cables
• When plugged in, they are detected by the OS as a human interface device (HID)
– E.g., mouse, keyboard, etc.
• Those malicious USB cables can be controlled via WiFi!

Link to the video in additional materials

Phishing in the physical domain

Social Engineering – Mitigation

• Establishing frameworks
• Asset management
• Security protocol implementation and evaluation
• Security education
• Security review
• Trust establishment

2.2. Cracking

• Conducting malicious activities to guess, corrupt or steal information
• "Unethically exploits the highly sensitive information and uses the flaws in the security systems"*

*https://www.educba.com/hackers-vs-crackers/

Cracker – Uses the flaws in the security systems
Hacker – Finds and exploits flaws in the security systems

Cracking

• Password guessing or using password cracking tools
– Brute force and dictionary attacks
– Use of tools such as
• CRACK – www.pwcrack.com
• L0phtCrack – www.l0phtcrack.com
• John the Ripper – www.openwall.com/john/
• Other password (and a bunch of other security) tools – www.securityfocus.com/tools/

Cracking

• Packet sniffers
– Packet sniffing tools are widely used, legitimate tools for network analysis
• E.g., Microsoft Protocol Analyser
• E.g., Wireshark
– Can also be used illegitimately
– Usually for monitoring IP packets

Cracking – Mitigation

• Ensure your password is strong
– https://howsecureismypassword.net/
• Store a salted hash of the password
• Close unused ports
• Ensure secure programming
• Enforce encryption
• Security education
• Multi-factor authentication

2.3. Malware

• Short for malicious software
• Includes
– Viruses
– Worms
– Spyware
– Trojan Horses
– Rootkits
– Ransomware
– Etc.

Virus

• A malicious program that spreads through the network by infecting various files
• Infected files execute the malicious program first, without the user knowing, and then run the normal program
• Viruses also replicate themselves by attaching the malicious program to other executable files
• Many viruses spread through file sharing
– E.g., email attachments, USB sharing, FTP, downloads, etc.
– Requires the infected files to be transferred to other hosts

Virus

• Viruses come in many forms:
– File infector viruses
– Boot sector viruses
• System area, memory area, or both
– Macro viruses
• Viruses mutate:
– Oligomorphic – uses multiple decryptors. E.g., Whale
– Polymorphic – mutates certain parts of itself. E.g., Virut
– Metamorphic – rewrites all (or most) of itself. E.g., Zmist, Virlock

Virus – Mutation (diagrams)

Oligomorphic virus: the same body under Encryption/Decryption 1, 2 and 3 (a small fixed set of decryptors); the body is labelled "Same" and the diagram ends in "Detection".

Polymorphic virus: the body under Encryption/Decryption 1, 2 and 3 shows "Some difference" after each "Mutation".

Metamorphic virus: after "Mutation" the body itself is rewritten and labelled "Different!".

Virus – Silex

• A new version of Silex was released in 2019 targeting IoT devices
– So far, it has bricked over 2000 IoT devices
• What does it do?
– Removes storage
– Removes iptables
– Removes network configurations
Halting the device!

Virus – Silex

• Steps taken in the attack
1. Enumerate accessible IP addresses
2. Identify all Unix-like systems
3. Attempt default login credentials
4. Access all disk partitions via fdisk -l
5. Then delete network config
6. Next, run rm -rf / to delete everything else
7. Finally, flush all iptables and add DROP rules for all connections.

Virus – Protection

• Antivirus
– Scanning email attachments
– Checking for virus activity (signatures and/or anomaly detection)
– Examples include Norton, McAfee, Trend Micro, Symantec, Sophos, etc.
– Incorporate sandboxing, AI, data mining, machine learning, etc.
• Access restriction
– Remote access control
– Firewalls
– Email filtering

Worm

• Focuses on spreading through the network
• Exploits various network vulnerabilities to spread itself
– Unprotected shared drives
– FTP vulnerabilities (typically buffer overflows)
– E.g., Ramen, Lion, Code Red, Conficker
• May also release viruses upon opening
– E.g., MyDoom.A -> backdoor and DoS
– E.g., MyDoom.B -> MyDoom.A + blocks access to antivirus sites

Worm vs Virus

• "Virus does not intentionally try to spread itself from that computer to other computers. In most cases, that's where humans come in"
• "Worm is a program that is designed to copy itself from one computer to another over a network (e.g., by using e-mail). The worm spreads itself to many computers over a network"

Source: http://www.symantec.com/avcenter/reference/worm.vs.virus.pdf

Worm – Slammer

Slammer worm
– Aliases: SQL Slammer, Sapphire, W32.SQLExp.Worm
– January 25 2003, approx. 5.30am (GMT)
– Infected 75,000 victims
– Spread world-wide in under 10 minutes
– Doubled infections every 8.5 seconds
– 376 bytes long
– Buffer overflow in Microsoft SQL Server and Desktop Engine products
– DoS on some Internet hosts, general Internet slowdown
– Patch was released 6 months before the worm, but many had not applied it

Worm – Slammer

• Propagation technique
– A single UDP packet (only a 376-byte payload)
– Target port 1434 (Microsoft SQL monitor)
– Keeps sending itself to random IP addresses
– Once a host is identified running an unpatched MS SQL server, it is infected immediately

Worm – Slammer

(Map of the infection spread: in 30 minutes!)
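The propagation technique above has a very recognisable network signature: one source firing the same small UDP datagram at port 1434 towards many random destinations in a short time. As an added detection example (not code from the slides), the following scores sources in a set of constructed flow records by the number of distinct destinations they hit with a matching packet inside a sliding time window, which separates a scanning worm from a legitimate client that talks to one SQL server. The `Flow` record layout, the sample traffic and the thresholds are assumptions for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One packet-level record (constructed fields, not a real sensor format)."""
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    dport: int
    size: int      # payload bytes


def detect_scanning_worm(flows: List[Flow], port: int = 1434, proto: str = "udp",
                         payload_len: int = 376, window: float = 10.0,
                         min_targets: int = 20) -> Dict[str, int]:
    """Return {src: peak distinct destinations inside any `window` seconds} for
    sources that sent the matching packet to at least min_targets distinct hosts."""
    by_src = defaultdict(list)
    for f in flows:
        if f.proto == proto and f.dport == port and f.size == payload_len:
            by_src[f.src].append((f.ts, f.dst))
    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()   # destination -> packets currently in the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:   # drop events that fell out of the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed traffic: one infected host spraying 30 different targets in
    3 seconds, one legitimate client talking to a single SQL server, and one
    unrelated TCP connection."""
    flows = []
    for i in range(30):
        flows.append(Flow(100.0 + i * 0.1, "10.0.0.5", f"192.0.2.{i + 1}", "udp", 1434, 376))
    for t in (100.0, 101.0, 102.0):
        flows.append(Flow(t, "10.0.0.7", "10.0.0.20", "udp", 1434, 376))
    flows.append(Flow(100.5, "10.0.0.9", "10.0.0.20", "tcp", 1433, 512))
    return flows


if __name__ == "__main__":
    print(detect_scanning_worm(sample_flows()))   # {'10.0.0.5': 30}
```

The payload-length filter is what makes this specific to the Slammer pattern; dropping it turns the same function into a generic UDP port-scan detector for any port.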

Worm – Protection

• Keep patching up-to-date
– Applications and operating systems
• Security education
– Do not click suspicious links or run unknown executable files or programs
• Antivirus and anti-spyware software
• Firewall

Malvertising

• Malicious advertising
• Spread of malware through advertising
• Sometimes, just viewing an ad can affect your system
• About 10 billion ads were malvertisements in 2012*
• In 2017, Google blocked 79 million ads with redirection and removed 48 million ads trying to install unwanted software#

*Online Trust Alliance (2012-07-29). "Anti-Malvertising Resources". Online Trust Alliance. Retrieved 2013-05-25. https://otalliance.org/resources/malvertising.html
#https://www.csoonline.com/article/3373647/what-is-malvertising-and-how-you-can-protect-against-it.html

Malvertising

• Many different ways they can get in:
– Pop-up ads
– Web widgets
– Hidden iframes
– Malicious banners
– Third-party advertisements
– Etc.

Malvertising

(Diagram)
1. User visits a site. Can be legitimate or bogus.
2. The site hosts an ad from a 3rd party to generate revenue
3. The 3rd party sends the ad, but it contains malware
4. The malvertisement is viewed by the user

Malvertising can be "hidden" from the user by creating invisible boxes

Malvertising – Protection

• Keeping software and OS up-to-date
• Antivirus and other malware protection methods
• Browser extensions alerting on malvertising campaigns
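The "invisible boxes" and "hidden iframes" mentioned above can be checked for directly in page markup, which is roughly what a browser extension that warns about malvertising has to do. The following is an added example, not code from the slides or from any real extension: it walks a constructed HTML page with the standard library's `html.parser`, records every iframe, notes whether it is sized or styled so the user cannot see it, and whether it comes from an origin other than the page's own. The page host, hostnames and the set of hiding tricks checked are assumptions for illustration.

```python
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed page: one visible ad slot the publisher intended, plus three
# frames the user would never see. None of these hosts are real sites.
SAMPLE_PAGE = """\
<html><body>
<h1>News site (constructed sample)</h1>
<iframe src="https://ads.example/slot1" width="300" height="250"></iframe>
<iframe src="https://malvertiser.example/x.html" width="0" height="0"></iframe>
<iframe src="https://malvertiser.example/y.html" style="display:none;"></iframe>
<iframe src="/local/widget.html" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""


class IframeAuditor(HTMLParser):
    """Records every iframe with the reasons (if any) a user could not see it."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.iframes: List[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}            # attribute names are already lower-case
        style = a.get("style", "").replace(" ", "").lower()
        hidden = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            hidden.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            hidden.append("hidden by style")
        if "left:-" in style or "top:-" in style:
            hidden.append("positioned off-screen")
        src = a.get("src", "")
        host = urlparse(src).hostname
        self.iframes.append({
            "src": src,
            "hidden_reasons": hidden,
            "third_party": bool(host) and host.lower() != self.page_host,
        })


def audit_iframes(html: str, page_host: str) -> List[dict]:
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.iframes


def suspicious_iframes(html: str, page_host: str) -> List[dict]:
    """Only the frames a user could not see; a visible third-party ad slot is
    expected on an ad-funded site, an invisible one is not."""
    return [f for f in audit_iframes(html, page_host) if f["hidden_reasons"]]


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_PAGE, "news.example"):
        origin = "third-party" if f["third_party"] else "same-origin"
        print(f"{f['src']:40} {origin:12} {', '.join(f['hidden_reasons'])}")
```

A static check like this sees only what is in the served markup; frames injected later by script need the same test run against the live DOM, which is why such checks sit in the browser rather than in a crawler.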

Spyware

• Has a variety of meanings, including key loggers, unsolicited commercial software, scumware, Trojan horses, etc.

Spyware – Key Loggers

• Actions on the computer are monitored and captured by adversaries
• Can be software or hardware
• Strong passwords are no longer effective
• Use:
– Anti-keyloggers, antivirus, anti-spyware
– Monitor malicious network traffic
– Security tokens
– Automatic form fillers, etc.

Spyware – Unsolicited Software

• Unsolicited commercial software is installed without the user's intention
– E.g., piggyback software
• May contain spyware to snoop on user activities
• Always check what you are agreeing to install

Spyware – Scumware

• Refers to any malicious code that entered the system without the user's consent or permission
• Scumware can significantly change the appearance and functions of websites without permission
– Guiding to bogus websites for further malware infection
• Use anti-spyware and network filtering

Harvesting Personal Information

(Diagram: Name, Address/geography, Place of work, Name of bank, eBay/PayPal, Family information, Friend information -> a highly focused, customised social engineering attack)

Harvesting Personal Information

• We just trust them too much
– Chrome Incognito mode still allows third parties to collect data: https://www.wired.co.uk/article/google-chrome-incognito-mode-privacy
– Facebook listening in on user conversations (up to very recently): https://www.scmp.com/news/world/united-states-canada/article/3022682/facebook-admits-listening-transcribing-users
– Microsoft listening in on Skype calls: https://www.scmp.com/news/world/united-states-canada/article/3021896/microsoft-admits-its-workers-listen-your-skype
– Apps collect your data even if you deny permissions: https://www.cnet.com/news/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/

Q: Is this okay or not?

Trojan

• A Trojan, or Trojan Horse, is different from viruses and worms
– Does not infect files
– Does not spread
• Allows attackers to access the user's device remotely
• Has client and server applications
• Users can unintentionally download and install it on the system
– E.g., email attachments, file sharing, free software online, etc.
• Attackers can also install it directly
– E.g., physical access

Trojan

• Example: Zeus (2009)
– Stole banking information using a keylogger
– Affected systems through downloads and phishing
– Compromised over 74,000 FTP accounts on websites of companies (June 2009)
• Such as Bank of America (BoA), NASA, Oracle, Cisco, Amazon, etc.
– The Zeus botnet was estimated at millions of compromised computers
• Largest botnet on the Internet
– Also used for installing CryptoLocker ransomware

Trojan – Mitigation

• The best defence is safe computing practices
– Don't trust what you get from the Internet
• Trojan Horses can come as unsolicited executable e-mail attachments from recognised senders
– Do not open if you are not sure
• Use file integrity monitoring systems
– E.g., Tripwire
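File integrity monitoring, as the Tripwire mention above suggests, works by recording a baseline of every file's hash and metadata and later diffing the live tree against it. The following is an added example of that idea, not Tripwire's code nor code from the slides: it builds a baseline of a throwaway directory, simulates a Trojan replacing a binary with one of identical size, dropping a new file and deleting a log, and reports what changed. The file names and contents are constructed; the baseline is written to a separate location because a baseline stored on the monitored host can be edited by the same intruder.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Snapshot hash, size and permission bits of every file under root."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
        }
    return baseline


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Report what appeared, vanished or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """End-to-end run on a throwaway tree (constructed files, not real system files)."""
    with tempfile.TemporaryDirectory() as tree, tempfile.TemporaryDirectory() as store:
        root = Path(tree)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original daemon bytes")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "var.log").write_text("boot ok\n")

        # Baseline kept outside the monitored tree (ideally offline / read-only).
        baseline_file = Path(store) / "baseline.json"
        baseline_file.write_text(json.dumps(build_baseline(root), sort_keys=True, indent=2))

        # Simulated compromise: the replacement has the same size as the original,
        # so a size-only check would miss it; the hash does not.
        (root / "bin" / "sshd").write_bytes(b"trojaned daemon bytes")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF constructed stub")
        (root / "var.log").unlink()

        baseline = json.loads(baseline_file.read_text())
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())  # {'added': ['bin/backdoor'], 'removed': ['var.log'], 'modified': ['bin/sshd']}
```

In practice the baseline is re-taken after every legitimate package update, otherwise patching itself shows up as a flood of "modified" entries and the real change is lost in the noise.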

Rootkits

• Looks legitimate, but conducts malicious behaviour
• Used to obtain root privilege
– But also hides its elements, such as processes, files, and network connections
• Has access to modify existing software
– Including tools to remove it
• Rootkit types include:
– Firmware (persistent) – hides in firmware
– Kernel-mode – hides from the kernel's list of active processes
– User-mode – runs alongside other applications

Rootkits – Mitigation

• Possible to hide spyware or a virus so that it will not be detected by traditional antivirus products
• F-Secure BlackLight Rootkit Eliminator
– www.f-secure.com/blacklight
– www.sysinternals.com
• Published rootkits
– www.rootkit.com, e.g., AFX, Vanquish, HackerDefender

Botnet

• A bot is an application that runs automated tasks over the Internet
– E.g., web crawlers
• A botnet is a collection of connected devices that run one or more bots
• A botnet can deploy various types of attacks
– E.g., DDoS, spamming
– But also stealing data and accessing bots

Botnet

1. A botnet operator infects users
2. The bot on the infected PC communicates back to the command-and-control server
3. A spammer purchases the services of the botnet from the operator
4. (a) The spammer provides the spam messages to the operator
(b) The botnet operator uses bots to send out the spam messages

Source: https://commons.wikimedia.org/wiki/File:Botnet.svg

2.4. Zero-day

• Zero-day attacks take advantage of software vulnerabilities for which there are no available fixes
• Attacks take advantage of flaws before software makers can fix them
• Has become a significant issue from 2008 on
• Emphasises the importance of safe configuration policies and good incident reporting systems

Zero-day

• Attackers are getting faster at discovering and exploiting flaws
• For example: the Blaster worm (2003)
– Released August 2003, patch released January 2004
– Used a buffer overflow, and also launched a DDoS against windowsupdate.com (but not very successfully, as it was redirected to windowsupdate.microsoft.com)

Zero-day

(Zero-day vulnerability life-cycle and timeline figures)
http://securityaffairs.co/wordpress/wp-content/uploads/2013/12/zero-day-vulnerability-life-cycle.jpg
http://securityaffairs.co/wordpress/wp-content/uploads/2012/10/TimeLineZeroDay.jpg

Zero-day

(Chart: Number of disclosed zero-day vulnerabilities, from Internet Security Threat Report – Symantec (2015))

Zero-day

• According to the Zero Day Initiative, 135 vulnerabilities were discovered in Adobe products during the first 11 months of 2016 and 76 in Microsoft products. Meanwhile, the number of zero-day flaws in Apple products doubled over the previous year, to 50 from 25.

Source: https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2017

Zero-day: detection

• A few techniques exist to detect zero-day attacks:
– Statistical-based:
• This approach to detecting zero-day exploits in real time relies on attack profiles built from historical data.
– Behaviour-based:
• This model of defence is based on the analysis of the exploit's interaction with the target.
– Hybrid-based:
• As the name suggests, this approach is a blending of different approaches.

Symantec "Guide to zero-day exploits" 2017 – https://www.websecurity.symantec.com/content/dam/websitesecurity/digitalassets/desktop/pdfs/datasheet/Guide_to_Zero_Day_Exploits.pdf
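The statistical-based approach above builds a profile from historical data and then scores live observations against it; because it compares against what is normal rather than against a known signature, it can fire on an exploit nobody has seen before. The following is an added example, not code from the slides or the Symantec guide: it profiles two constructed telemetry features (hourly outbound connections and new processes on one server) by median and median absolute deviation, then flags an observation whose modified z-score exceeds the usual 3.5 cut-off. The baseline values, feature names and threshold are assumptions for illustration.

```python
import statistics
from typing import Dict, Sequence

# Constructed baseline: 30 hourly observations per feature from a quiet period.
# Generated deterministically here; they stand in for real telemetry.
BASELINE: Dict[str, list] = {
    "outbound_conns": [100 + (i * 7) % 15 for i in range(30)],   # values 100..114
    "new_processes": [5 + i % 3 for i in range(30)],             # values 5, 6, 7
}

THRESHOLD = 3.5   # Iglewicz-Hoaglin cut-off for the modified z-score


def build_profile(history: Dict[str, Sequence[float]]) -> Dict[str, dict]:
    """Summarise each feature by median and median absolute deviation (MAD).
    Both are robust: a few past spikes inside the baseline barely move them,
    whereas mean and standard deviation would be dragged towards the spikes."""
    profile = {}
    for feature, values in history.items():
        med = statistics.median(values)
        deviations = [abs(v - med) for v in values]
        profile[feature] = {
            "median": med,
            "mad": statistics.median(deviations),
            "mean_ad": statistics.fmean(deviations),   # fallback when MAD is 0
        }
    return profile


def modified_z(value: float, stats: dict) -> float:
    """Modified z-score; 0.6745 and 1.2533 rescale MAD / mean-AD to sigma units."""
    dev = value - stats["median"]
    if stats["mad"] > 0:
        return 0.6745 * dev / stats["mad"]
    if stats["mean_ad"] > 0:
        return dev / (1.2533 * stats["mean_ad"])
    return float("inf") if dev != 0 else 0.0   # constant baseline: any change is new


def score_observation(profile: Dict[str, dict], observation: Dict[str, float],
                      threshold: float = THRESHOLD) -> Dict[str, dict]:
    """Score each observed feature against its profile; unknown features are skipped."""
    result = {}
    for feature, value in observation.items():
        if feature not in profile:
            continue   # no history for this feature, nothing to compare against
        z = modified_z(value, profile[feature])
        result[feature] = {"score": round(z, 2), "anomalous": abs(z) > threshold}
    return result


if __name__ == "__main__":
    prof = build_profile(BASELINE)
    # A server that suddenly opens thousands of connections while its process churn looks normal.
    print(score_observation(prof, {"outbound_conns": 2400, "new_processes": 6}))
```

The price of this approach is the one the slide's wording hints at: the profile only knows what was in the historical window, so a legitimate change in workload (a new batch job, a traffic campaign) scores exactly like an attack until the baseline is refreshed, which is why statistical detection is usually paired with the behaviour-based checks listed next.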

Keeping Up-to-Date

• www.cert.org (main index by year)
• www.securityfocus.com (bugtraq)
• www.symantec.com
• www.caida.org (analysis of propagation, etc.)
• technet.microsoft.com/en-us/security/bulletin

CERT

• Computer Emergency Response Teams
– www.auscert.org.au (Australia)
– www.nzcert.org.nz (New Zealand)
– www.apcert.org (Asia-Pacific)
– www.cert.org/advisories (US)
– www.singcert.org.sg (Singapore)
– www.hkcert.org (Hong Kong)
– www.krcert.or.kr/english_www/ (South Korea)
– www.ccert.edu.cn/about_us/index_en.htm (China)
– www.jpcert.or.jp/english (Japan)

Additional Items

• Common Attack Pattern Enumeration and Classification
– https://capec.mitre.org/index.html
• USB hacking video
– https://twitter.com/i/status/1094389042685259776
• Virus timeline
– https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms#2010%E2%80%93present
• 8 famous viruses
– https://uk.norton.com/norton-blog/2016/02/the_8_most_famousco.html
• Zeus phishing email
– http://www.salisbury.edu/helpdesk/security/latest/phishing_attempt__4122012_VariousZeusbot.html
• Analyzing Malicious Documents Cheat Sheet
– https://zeltser.com/analyzing-malicious-documents/?fbclid=IwAR3d2de5lJfacOaHBtR5RbtPCW7QFccv18LOjAHGAPW4N99PubT951EGRSc