With so many government, commercial, defence and private systems connected to the ubiquitous Internet, cyber threats are becoming a major concern. It is important for everyone to know about various types of cyber threats in order to safeguard the confidentiality, integrity, authenticity, reliability and availability of data transmitted over the interconnected networks. Here is an overview.
Dr Rajiv Kumar Singh
The use of information technology (IT) has changed our lives dramatically. Nearly all our basic societal activities and daily routines like financial transactions, ticketing, hotel booking, communication with others and working of any organisation depend on the functionality of the digitally operated and interconnected computer world.
This digital world, with or without the use of interconnected networks, is threatened by cyber criminals who try to steal important data about the user (such as credit card numbers, bank account information, user IDs and passwords). Besides, they can damage information on the user’s computer, install unwanted software without the user’s consent, allow someone else to control the user’s computer remotely, use the user’s computer resources (such as hard disk space, a fast processor and an Internet connection) to attack other computers on the Internet, etc. In some cases, intruders take advantage of a particular vulnerability in one of the programs installed on the computer to gain access.
Given these risks, it is very important for everyone to have knowledge about cyber threats in order to safeguard the confidentiality, integrity, authenticity, reliability and availability of data transmitted over interconnected networks.
Cyber threats are usually classified as passive and active attacks. Passive attacks try to eavesdrop in order to learn the contents of, or make use of information from, the system without affecting its contents or resources. Passive attacks are thus used for release of message contents and for traffic analysis (observing the pattern of messages, traffic flows, etc).
Active attacks, on the other hand, attempt to alter system resources or affect their operation. Besides modifying content, an active attacker may take part in a communication in order to impersonate legitimate users (masquerade), replay or retransmit captured messages, modify content in transit, or launch denial-of-service (DoS) attacks (Fig. 1).
Every computer on a network operates on the seven-layer architecture of the Open Systems Interconnection (OSI) model developed by the International Telecommunication Union (ITU). The specific functions of each layer and the possible cyber attacks against it are shown in Fig. 2. It is noteworthy here that the entire security system is only as secure as its single weakest layer.
ITU-T recommendation X.800—security architecture for the OSI model—defines a systematic approach to assessing and providing security. In reality, however, security is often overlooked, and the use of security measures in networks is not growing as fast as the number and size of networks. That’s why cyber attacks are becoming so common and easy.
Cyber threat tools are discussed below.
A computer virus is a program that spreads from one computer to another by making copies of itself on a computer, or by inserting a piece of computer code into program or operating system files. It has the capability to replicate itself. Virus attacks can be of the active or passive type, since a virus may damage files and/or degrade a computer’s performance and stability. A very common way for a virus to infect a computer or spread is when the user opens an infected e-mail attachment.
Some e-mail viruses send confidential information in messages when spreading. Others do nothing beyond reproducing themselves. A computer virus may also send a Web address link as an instant message to all the contacts on an infected computer. As soon as this Web address link is accessed, the virus hosted at the link infects the new computer.
John von Neumann, considered the theoretical father of computer virology, designed the world’s first self-reproducing computer program in 1949. Before the proliferation of computer networks, most viruses were only able to spread via removable media, particularly floppy disks. Traditional viruses emerged with the growth of computer networks. In a networked system, viruses can increase their chances of replication and spreading to other systems by infecting files on a network file system that is accessed by other computers.
There is no single indicator of a virus infection, but some of the more common symptoms include poor computer performance, pop-up ads displaying even when a pop-up blocker is turned on, or the Internet getting disconnected.
File-infecting viruses. File-infecting viruses are the most common viruses. They attach themselves to executable files, i.e., inject code into them, in order to infect other programs and files. As soon as the user runs the infected file, the virus executes its own code to attach itself to other executable files on the user’s computer. Obviously, the virus goes along for the ride when the user transfers infected files to another computer, and infects more files on the new computer.
Non-resident viruses. Non-resident viruses, when executed, immediately search for other hosts to infect, and ultimately transfer control to the application program they infected. Such viruses consist of a finder module to search for new files and a replication module to infect these new files.
Resident viruses. Resident viruses consist of a replication module that they load into memory on execution; they do not search for hosts when they are executed. Instead, these viruses ensure that the replication module runs each time the operating system is called upon to perform a certain task. Upon execution, such viruses transfer control to the host program and remain active in the background, infecting new hosts when those files are accessed by other application programs or by the operating system itself.
Depending on the rate at which the infection spreads, resident viruses are roughly divided into two categories: fast and slow infectors. As the name suggests, slow infectors are deliberately designed to infect hosts infrequently, so that detection by anti-virus programs becomes very hard. Fast infectors, on the other hand, infect as many hosts (including the anti-virus software program) as possible at a very fast pace. They can thus piggy-back on the anti-virus program itself and in this way infect all the files that are scanned. Detection of such viruses is easy because they heavily affect computer performance and perform several suspicious actions.
Cavity viruses. Cavity viruses take advantage of unused areas of portable executable files, overwriting these areas with their own small code without increasing the size of, or damaging, the executable files.
Boot-sector viruses. Boot-sector viruses install themselves into the boot sector of a floppy disk or the master boot record of a hard disk by overwriting the original boot code with their own code. Boot-sector viruses are especially dangerous because they are executed when the user boots the computer from the disk. A boot-sector virus in the master boot record is very harmful because on each start-up of the computer it is loaded into memory, from where it can spread to other parts of the hard disk and result in a complete system crash. In such cases, the user’s computer becomes unable to start up or even find its hard drive.
Macro viruses. Macro viruses are written in the macro/scripting languages provided with many applications such as MS Office. These viruses spread easily because they travel in documents and spreadsheets. Through sharing of infected files, they can spread from a computer running one operating system (Windows) to a computer running a different operating system (Macintosh). Most macro viruses have the ability to replicate themselves by sending infected e-mails to everyone they find in the user’s contacts.
Stealth viruses. Stealth viruses intercept read requests to the operating system. They keep the operating system unaware of the infection by modifying and forging the results of calls to functions in the infected file, so the system believes it is reading the original file. Such interception is achieved by injecting malicious code into the operating system files that would normally handle the read request. The result is that the read request is either denied or served with an uninfected version of the file.
These viruses can also trick antivirus software by intercepting its read request to the operating system, handling the request themselves, and returning an uninfected version of the file to the antivirus software. In this way, stealth viruses can sometimes fool the antivirus software into concluding that the system is free from viruses. Such viruses even go to great lengths to hide the fact that they are consuming memory.
Self-modifying viruses. Generally, most antivirus software searches the files to be scanned for a virus signature, which is nothing but a particular sequence of bytes or a string. Upon detection of such a pattern or string, the antivirus software reports that the file is infected with a virus. Self-modifying viruses are cleverly designed to modify their sequence of bytes on each infection. Thus detection of such viruses becomes difficult for antivirus software programs that rely on virus signatures only.
Encrypted viruses. Encrypted viruses make use of a variable key to encipher their code and also contain a small decrypting module. Due to the use of a variable key for encryption of the virus body, it becomes difficult for antivirus software to detect such viruses. The only thing that may look suspicious to antivirus software is the decrypting module.
Polymorphic viruses. Similar to encrypted viruses, polymorphic viruses use an encrypted copy of themselves. In addition, polymorphic viruses modify the decryption module on each infection. Such viruses pose serious problems for antivirus software by changing their signature every time they infect a new host. Thus it becomes very difficult to detect such viruses using signatures. However, these viruses can be detected using statistical pattern analysis.
Metamorphic viruses. A metamorphic virus attempts to defeat antivirus software by rewriting itself completely each time it infects a new executable file. For this purpose, a metamorphic engine consisting of a large body of code is used.
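The two detection approaches described above, a fixed byte-sequence signature and the statistical check that still catches an encrypted body whose decrypting module stays constant, can be shown side by side in a small scanner. This is an added example written for this overview, not code from the article; the signature bytes and the sample files are constructed and stand for nothing real.

```python
import math
from collections import Counter

# Constructed, made-up byte patterns standing in for entries in a scanner's
# signature database. They are not real malware signatures.
SIGNATURES = {
    "plain-body":     b"\x90\x10\x90\x20\x90\x30",
    "decryptor-stub": b"\xaa\xbb\xcc\xdd",
}


def signature_matches(data: bytes) -> list:
    """Names of all signatures whose exact byte sequence occurs in data.
    This is the plain signature scan: a fixed sequence is present or not."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution in bits per byte (0.0 to 8.0).
    Ordinary code or text usually stays well below 6; encrypted or compressed
    content approaches 8, which is the statistical pattern a scanner can use."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(data: bytes, entropy_limit: float = 7.0) -> dict:
    """Combine both checks: signature hits plus a flag for a high-entropy
    region. When the virus body changes on every infection, the constant
    decrypting module and the near-uniform byte distribution are what remain."""
    entropy = byte_entropy(data)
    return {
        "signatures": signature_matches(data),
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= entropy_limit,
    }


# Constructed sample inputs.
CLEAN_FILE = b"ordinary program text and data " * 8
PLAIN_INFECTED = CLEAN_FILE + SIGNATURES["plain-body"] + b"\x00" * 20
# An encrypted body keeps its decryptor stub unchanged and is followed by
# bytes with a nearly uniform distribution; bytes(range(256)) is used here as
# a constructed stand-in for such a high-entropy region.
ENCRYPTED_INFECTED = SIGNATURES["decryptor-stub"] + bytes(range(256))

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_FILE), ("plain", PLAIN_INFECTED),
                          ("encrypted", ENCRYPTED_INFECTED)]:
        print(label, scan(sample))
```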
A computer worm is a self-replicating standalone program that spreads independently, without attaching itself to an existing program. Worms often use a computer network to spread very rapidly and cause a lot of damage (Fig. 2). Some worms only spread themselves, causing no direct harm to the systems they pass through, but even then consume a large amount of bandwidth.
Some worms, depending on the type of payload they carry, can encrypt files or send important information via e-mail. Such a worm scans the infected computer for files such as address books and temporary webpages that contain e-mail addresses. It then uses these addresses to send infected e-mail, often spoofing the address line in subsequent e-mail messages so that the infected messages appear to come from someone known.
Many worms are used to install backdoor programs on the targeted machines in order to take control of these machines for sending malicious mail or spam. In this way, attackers hide behind such groups of networked machines, called ‘botnets’.
Computer worms can also be used for good purposes, such as fixing vulnerabilities in the host system by exploiting the same vulnerability to download and install patches from the legitimate software manufacturer. Many worms take advantage of a vulnerability in the operating system to spread. If the vulnerability is disclosed and patched by the vendor before an attack, a zero-day cyber attack is possible.
A Trojan horse, or Trojan, is a malicious software program that does not replicate itself and is technically not a virus. It is spread by viruses, worms or downloaded software. It enters a computer by hiding inside a legitimate program—often a game, a screen saver or a utility. It then plants malicious code in the operating system, which enables the attacker to gain access to, or control of, the compromised computer.
Some Trojan horses may be used by the attacker/hacker to spy on the user’s activities. The attacker can use the machine as part of a botnet and send spam e-mail, distribute pornography, launch distributed denial-of-service attacks, install third-party malware, download/upload files on the machine, log keystrokes, modify or delete files, steal important data, crash the machine, etc.
Hackers use port scanners to find compromised machines on the network and, once found, install malicious programs on them to use these networked machines as a botnet. Due to the popularity of botnets among hackers, Trojan horse malware is on the rise, accounting for the largest percentage of malware detected worldwide.
Backdoors in a computer system are remote administration programs that allow hackers to access and control the user’s computer while attempting to remain undetected. Common examples of backdoors are Back Orifice, NetBus and SubSeven. Some backdoors rewrite the compiler and piggy-back on the compilation process: such a compromised compiler inserts the backdoor into the compiled output while leaving the source code of the program intact.
A phishing attack is a way to trick computer users into divulging personal authentication data such as usernames, passwords and credit card numbers through a fraudulent e-mail message or website. These attacks involve mass distribution of spoofed e-mail messages that carry links to fraudulent websites and seem to come from a trusted source, such as a bank, a large reputed merchant or a trusted service provider. When the recipient visits them, these fraudulent websites ask for personal information, which is later used for identity theft.
Cross-site scripting attacks
Security of the Web is partly based on the same origin policy, which states that “if it is learnt that content from a trusted website is granted permission to access resources on a user’s system, then any content from that website will share the same resources, while content from some other website will have to get permission separately to access the resources.”
Hackers/attackers make use of some known vulnerability—like cross-site scripting—in a Web-based application to bypass access controls such as the same origin policy, launching attacks by injecting client-side script into webpages viewed by other users. Thus, through cross-site scripting, an attacker gains elevated access to sensitive page contents, session cookies, etc.
Attacks associated with cookies
Cookies are small text files that are created when the user visits a website. The website uses the cookie to remember who the user is and what activity has been performed by the user recently. The website retrieves the cookie from the hard disk the next time the user visits the same website. In this way, cookies are very helpful as the user doesn’t have to type the same information every time.
However, a vulnerability in the browser may allow hackers to access important information stored in these cookies, which they may use to their advantage.
All kinds of software that arrive on a user’s computer without the user’s permission or awareness, or sometimes with the user’s permission, are known as invasive software. Typical forms of invasive software are adware, spyware, scareware, scumware, theftware and drug dealerware. Such software may clutter the user’s screen with ads and pop-ups, send out user information, slow down the user’s computer or even cause a system crash.
Adware. Adware is designed to advertise a commercial offering. It is commonly acquired when a user downloads freeware or shareware such as games. To download the software, the user has to click through a page of unintelligible legal text that includes some kind of copyright notice and, usually, permission to install adware along with the software. After downloading the software, the user may start noticing more pop-up windows than usual.
Spyware. Spyware is software that engages in antisocial activities such as sending personal information like passwords, credit card numbers and other confidential corporate information to its creators. Spyware installs itself without the user’s permission and often hides so that it is difficult to find and eradicate from the system.
One of the threats of spyware is key logging, which enables it to record anything that the user types, including passwords, credit card numbers, e-mail messages, chat messages, etc. Some spyware can even spy on the user through the user’s own webcam.
Scareware. Scareware is software that creates fear in users by asking them to perform some kind of activity while threatening them with the adverse effects of not following its instructions. Scareware can install malicious software that may steal information, make the system unstable or even crash it.
Other malware. Some other kinds of malware (malicious software) include scumware, drug dealerware and theftware. Scumware is designed to steal traffic and revenue from legitimate websites. Drug dealerware offers free software and then shuts down and demands payment months later, when one has presumably become used to it. Theftware hijacks ad space on webpages, replacing it with its own ads.
Spam is unsolicited junk e-mail that can take the form of advertisements, chain mail, bulk e-mail, threatening or abusive e-mail, etc. Spammers often use tools called ‘harvesters’ that scan the Internet and newsgroups to collect e-mail addresses. Spammers may also buy a list of e-mail addresses from a website that holds user information in its database.
Most spam is used for fraudulent advertisements like won-lottery-jackpot announcements, get-rich-quick business opportunities, free gifts and work-at-home schemes. Such spam may carry viruses or try to lure the user into providing personal and financial information including user ID, password, credit card number, etc.
Some dangerous spam comes from worms, not spammers. These worms generate infected e-mail from the systems of unsuspecting hosts. Some spam is circulated unknowingly by ordinary users who pass on chain letters, devotional messages, pleas for medical help, etc. Such chain letters often promise a large return for a small effort and threaten bad luck if one breaks the chain.
A denial-of-service (DoS) attack, as the name suggests, is a kind of cyber attack that makes a system, network resource, network component, website, or a service hosted on a reputed and important webserver unavailable temporarily or permanently.
Generally, there are two forms of DoS attack: those that crash services and those that flood services. In its simplest form, a DoS attack sends a large number of communication requests to a targeted resource in order to keep it busy, saturate it or overflow it, so that it becomes unavailable for a certain period of time or responds so slowly as to be rendered essentially unavailable. Such attacks may consume system resources (such as bandwidth, memory and processor time), disrupt configuration information (such as routing information), disrupt physical network components or even force systems to reset, so as to make the system unavailable to its intended users.
Moreover, a DoS attack may involve execution of malicious software. Attackers frequently use compromised systems to form a botnet. These compromised systems (bots) are then used as the launch pad for attacking other systems. This kind of attack is known as a distributed denial-of-service (DDoS) attack.
Often intruders install an ‘agent’ on several compromised systems, which awaits commands from the intruder. A single ‘handler’ then instructs all such compromised systems to launch the attack on another system. If such an attack is conducted on a sufficiently large scale, it may cause a serious network security event that is problematic for users, service providers and law enforcement agencies.
Variants of DoS include the smurf attack, ping flood, ping of death, SYN flood, teardrop, spoofed/reflected attack and unintentional attack (Fig. 2).
In a smurf attack, a misconfigured network component allows packets to be sent to all systems on a particular network via the broadcast address of the network.
In a ping flood attack, a large number of ping packets are sent to the targeted system, usually using the ‘ping’ command.
In a ping-of-death attack, a malformed ping packet that can crash the system is sent to the victim.
In a SYN flood, the attacker sends a flood of TCP SYN packets with forged source addresses. Because the source addresses are forged, the victim’s computer keeps waiting for responses that never arrive, and ultimately becomes unavailable to its intended users.
A teardrop attack sends IP fragments with overlapping and over-sized payloads.
A spoofed or reflected attack involves setting the source address of requests to that of the targeted system, so that a large number of replies from several computers converge on the target. Sometimes an unintentional denial-of-service event occurs on a poorly equipped website when a sudden enormous spike in its popularity brings access requests from a huge number of people.
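Several of the variants above leave a recognisable trace in captured traffic that a defender can check for: overlapping or over-sized fragments (teardrop, ping of death), many SYNs from distinct sources that never complete the handshake (SYN flood), and echo requests aimed at a broadcast address (smurf). The checks below are an added example written for this overview, not code from the article; the fragment offsets, addresses (RFC 5737 documentation ranges) and flags are constructed sample data.

```python
from collections import defaultdict

IPV4_MAX_LENGTH = 65535  # largest datagram IPv4 can describe; a reassembled
                         # ping larger than this is the ping-of-death case


def check_fragments(fragments):
    """fragments: (offset_in_bytes, payload_length) pairs of one datagram.
    Returns the set of findings: 'overlap' for teardrop-style fragments and
    'oversize' when the reassembled datagram would exceed IPV4_MAX_LENGTH."""
    findings = set()
    end_so_far = 0
    for offset, length in sorted(fragments):
        if offset < end_so_far:          # this fragment re-covers earlier bytes
            findings.add("overlap")
        end_so_far = max(end_so_far, offset + length)
    if end_so_far > IPV4_MAX_LENGTH:
        findings.add("oversize")
    return findings


def half_open_per_target(tcp_events, threshold):
    """tcp_events: (src, dst, flag) summaries, flag 'S' for a SYN and 'A' for
    the client's final handshake ACK. A SYN whose source never sends that ACK
    leaves a half-open connection; a flood from forged sources shows up as many
    distinct sources stuck in that state for one destination."""
    pending = defaultdict(set)
    for src, dst, flag in tcp_events:
        if flag == "S":
            pending[dst].add(src)
        elif flag == "A":
            pending[dst].discard(src)
    return {dst: len(srcs) for dst, srcs in pending.items() if len(srcs) >= threshold}


def smurf_candidates(icmp_events, broadcast_addresses):
    """icmp_events: (src, dst, kind). Echo requests aimed at a broadcast
    address are the trigger of a smurf attack; src is the spoofed victim."""
    return [(src, dst) for src, dst, kind in icmp_events
            if kind == "echo-request" and dst in broadcast_addresses]


# Constructed sample data.
TEARDROP = [(0, 1480), (1000, 1480)]                   # second fragment overlaps the first
PING_OF_DEATH = [(i * 1480, 1480) for i in range(45)]  # 45 * 1480 = 66600 > 65535
NORMAL = [(0, 1480), (1480, 1480), (2960, 100)]
TCP = [("198.51.100.%d" % i, "192.0.2.10", "S") for i in range(1, 6)] + \
      [("203.0.113.7", "192.0.2.10", "S"), ("203.0.113.7", "192.0.2.10", "A")]
ICMP = [("192.0.2.10", "192.0.2.255", "echo-request"),
        ("203.0.113.7", "192.0.2.10", "echo-request")]

if __name__ == "__main__":
    print("teardrop:", check_fragments(TEARDROP))
    print("ping of death:", check_fragments(PING_OF_DEATH))
    print("half-open SYNs per target:", half_open_per_target(TCP, 3))
    print("smurf triggers:", smurf_candidates(ICMP, {"192.0.2.255"}))
```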
To sum up
Defending against cyber threats typically involves a combination of attack detection, traffic classification, prevention and recovery from a security attack. Many defensive techniques exist. Keeping all application software and the operating system updated, changing passwords frequently, using firewalls, antivirus and antispyware software, cryptographic tools, intrusion detection systems and software/hardware/physical controls, and above all educating people on security, solves many problems.
The author is working with Bharat Sanchar Nigam Limited as a junior telecom officer and is currently posted at Ludhiana, Punjab. He holds a PhD degree in electronics engineering from Indian Institute of Technology-BHU, Varanasi, and has authored and co-authored more than 25 research papers in peer-reviewed national/international journals including IEEE and conference proceedings.