
Bugbear (June 2003)

Infects systems with unpatched Outlook Express servers.

Can infect even when the user is simply previewing the message.
It harvests the emails from the user's email system and sends itself to the new
Copies itself into the startup group.
Searches for weakly protected network shares and closes the antivirus.
Drops and activates a keylogger program with the intent to capture passwords.
Sends the captured keylogs and cached dial-up passwords to one of the 10 predefined
Lastly, opens a backdoor at port 1080 so that the attacker can manipulate and delete
any file.

Email worms
An email worm is a curious intersection between social engineering and automation.
It appears as emails from friends, companies, etc.
It is very popular because it is hard to track.
Modifies the system in such a way that it is always loaded into memory.
Can use Microsoft's MAPI (Messaging Application Programming Interface) or
the registry to find the physical location of the email address file.
Sends itself to one or more email addresses.
Forges the sender address with one of the found addresses.
E-mail worms can use a preexisting SMTP server or use their own SMTP engine.

Trojan horse programs, or Trojans, work by posing as legitimate programs that are activated by an unsuspecting user. After execution, the Trojan may attempt to continue to pose as the other legitimate program (such as a screensaver) while doing its malicious actions in the background. Many people are infected by Trojans for months and years without it. If the Trojan simply starts its malicious actions and doesn't pretend to be a program, it's called a direct-action Trojan. Direct-action Trojans don't spread well because the victims notice the compromise and are unlikely, or unable, to spread the program to unsuspecting users.
An example of a direct-action Trojan is JS.ExitW.


RAT stands for remote access Trojan.

It is a very popular and powerful tool in attacker circles.
Once installed, it acts as a backdoor which allows the attacker to do anything with
the compromised PC.
It can delete or damage a file, download content, manipulate the input and output
devices, and capture keystrokes and the screen.
Keystrokes and screenshots allow the attacker to track what a user is doing.
RATs have even been known to record video and audio from the host computer's web
camera and microphone.
It comes in two parts: client and server.
The client is responsible for creating the server executables which are meant to be
installed in the client machines, and the server is installed
in the attacker's system.
Once the client is executed, it installs itself in the background and opens a port and
waits for the attacker, or sends a mail to the attacker.
Then the attacker can send a myriad of commands.

APT (Advanced Persistent Threat)

The use of sophisticated malware for targeted cyber crime is known as an APT.

APTs are intentionally stealthy and hard to find and remove.
They can stay in the organisation's network without doing anything for months and
respond only when called by the remote controller.
An APT takes place in a series of phases (3 phases).
First phase
It begins with a simple malware attack known as spear-phishing,
i.e. targeting an individual or a small group of people .......

Manual attack
- Typical scenario
1. Port scanning (scan open ports)
2. Fingerprinting
OS fingerprinting - nmap or xprobe
Banner grabbing - connecting to an open port and capturing any initial info
(service and version)
3. Compromise the system in such a way as to get the highest privileges
4. Copy more hacking tools and close the hole which let them in.

Network layer
- packet sniffing
- packet anomaly exploit

Application layer attack (any attack directed at the application layer)

- Content attack
  - SQL injection attacks
  - Unauthorized access of network shares
  - File-system traversals
- buffer overflow
- password cracking attempt


- Network authentication system based on the usage of tickets.

1. The client enters the password.

2. The client sends the user data along with an authenticator (timestamp encrypted with the user password) and a
plain copy of the timestamp.
3. The KDC checks the timestamp against its own. If it exceeds the allowed skew, the request is rejected.
4. The KDC uses the user password and the timestamp to encrypt and then compares the result with the authenticator.
If they match, it grants the TGT.
5. The client sends the TGT to the KDC with a fresh authenticator,
6. The KDC identifies the TGT as it was encrypted using .............
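The KDC-side check of the timestamped authenticator described above, as an added example that is not part of the original notes. It assumes HMAC-SHA256 as a stand-in for encrypting the timestamp, PBKDF2 as a stand-in for deriving the user key from the password, and a 300-second skew limit; the principal name and password are constructed.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds; assumed tolerance, not a value from the notes

def string_to_key(password, principal):
    # Stand-in key derivation: PBKDF2 salted with the principal name.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def make_authenticator(key, timestamp):
    # Stand-in for "timestamp encrypted with the user password": a keyed MAC over it.
    return hmac.new(key, str(timestamp).encode(), hashlib.sha256).digest()

def client_request(principal, password, now):
    # The client sends the authenticator plus a plain copy of the timestamp.
    key = string_to_key(password, principal)
    return {"principal": principal, "timestamp": now,
            "authenticator": make_authenticator(key, now)}

def kdc_check(request, user_keys, kdc_now, max_skew=MAX_SKEW):
    """Return (accepted, reason) for one authentication request."""
    key = user_keys.get(request["principal"])
    if key is None:
        return False, "unknown principal"
    # Compare the plain timestamp with the KDC clock before any key work.
    if abs(kdc_now - request["timestamp"]) > max_skew:
        return False, "clock skew too great"
    # Recompute the authenticator from the stored key and compare in constant time.
    expected = make_authenticator(key, request["timestamp"])
    if not hmac.compare_digest(expected, request["authenticator"]):
        return False, "authenticator mismatch"
    return True, "issue TGT"

# Constructed sample data: one enrolled user and a fixed reference time.
ALICE = "alice@EXAMPLE.TEST"
USER_KEYS = {ALICE: string_to_key("correct horse", ALICE)}
T0 = 1_700_000_000

def demo():
    good = client_request(ALICE, "correct horse", T0)
    wrong = client_request(ALICE, "guess123", T0)
    return [
        kdc_check(good, USER_KEYS, T0 + 30),    # clocks 30 s apart
        kdc_check(good, USER_KEYS, T0 + 900),   # same request seen 15 min later
        kdc_check(wrong, USER_KEYS, T0 + 30),   # wrong password
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second case is why the skew limit matters to defenders: a captured request stops being accepted once it is older than the tolerance, and hosts with drifting clocks fail authentication for the same reason.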


Sequential key
- The user enters a passphrase and the number of passwords that can be generated in the server
- The server generates a new code each time a request is made
- The generator on the client side generates the same code when the passphrase is
- Since both systems know the passphrase and are set to a specific number of
times, they can generate the code independently

Time based
- A hardware or software generator is used
- The authenticator generates the same passwords
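A sequence-based one-time password scheme of the kind listed above, as an added example that is not part of the original notes. It uses a Lamport-style hash chain over SHA-256, and goes one step beyond the notes in that the server keeps only the last accepted value rather than the passphrase; the class and function names, seed and passphrase are constructed.

```python
import hashlib
import hmac

def h(data):
    return hashlib.sha256(data).digest()

def chain(passphrase, seed, n):
    # Apply the hash n times to seed + passphrase.
    value = (seed + passphrase).encode()
    for _ in range(n):
        value = h(value)
    return value

def client_otp(passphrase, seed, index):
    # Client-side generator: index 0 would expose the unhashed secret.
    if index < 1:
        raise ValueError("sequence exhausted")
    return chain(passphrase, seed, index)

class Server:
    def __init__(self, passphrase, seed, count):
        self.seed = seed
        self.remaining = count                           # passwords still usable
        self.last = chain(passphrase, seed, count + 1)   # passphrase is not stored

    def challenge(self):
        return self.seed, self.remaining                 # index the client must use

    def verify(self, otp):
        if self.remaining <= 0:
            return False                                 # exhausted: re-enrol needed
        if not hmac.compare_digest(h(otp), self.last):
            return False                                 # wrong or replayed password
        self.last = otp                                  # next OTP must hash to this
        self.remaining -= 1
        return True

def demo():
    server = Server("open sesame", "seed01", 3)          # constructed enrolment
    seed, idx = server.challenge()
    first = client_otp("open sesame", seed, idx)
    results = [server.verify(first),                     # valid login
               server.verify(first),                     # replay of the same code
               server.verify(client_otp("wrong", seed, server.challenge()[1]))]
    for _ in range(2):                                   # use the two remaining codes
        seed, idx = server.challenge()
        results.append(server.verify(client_otp("open sesame", seed, idx)))
    results.append(server.verify(first))                 # sequence now exhausted
    return results

if __name__ == "__main__":
    print(demo())
```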

Two systems that use certificates for authentication are as follows

- Smart cards

Cross certification

Cross certification can be obtained by issuing and exchanging the cross
certifications between the different hierarchies.

Network protocol attack

Flag exploit
Fragmentation and reassembling attack

Application Attacks
Content Obfuscation
Data Normalization

- file integrity HIDS
- behavior-monitoring