
Computer Malware

Worm, DDoS, Buffer Overflow, Session Hijacking, DNS Spoofing, Anonymisers
Computer Worm
• Standalone computer program that replicates itself and uses the network
to spread to other computers
• Relies on a security failure on the target computer to gain access. The
failure could be in any of:
• Hardware
• System software (operating system) and/or
• Application programs (browser, MS Word, MS Excel, …)
Impact of worms
• Once it infects a machine, the machine is compromised
• If the worm is intended only to run and spread it is called "payload
free". Its cost is primarily memory and network bandwidth
• More malicious worms (referred to as worms with a "payload") are
capable of damaging the computer they have infected:
• deleting files, stealing confidential information or spreading erroneous information
• installing a "backdoor" on the infected computer, which lets it be controlled
remotely; such a remotely controlled machine is called a "zombie" host
• A network of zombie hosts is referred to as a botnet. Botnets are typically used to
send spam and to mount denial-of-service attacks
How to protect from worms?
• Always apply the latest security patches. This includes both hardware
(e.g. microcode) and system software bug fixes. Typically Intel and
Microsoft make their patches available to both the computer vendor and
individual users.
• Use anti-virus and anti-spyware software.
• Carefully designed firewalls:
• ACLs in routers and switches
• Packet filters
• TCP wrapper / ACL-enabled network service daemons
• Null-routing (black-holing) traffic from known-bad addresses
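The firewall, ACL and null-route controls listed above, as an added example that is not code from the slides: a first-match packet filter in Python that evaluates a constructed rule set against sample packets and reports rules that an earlier rule makes unreachable. The addresses (documentation and private ranges), the port numbers and the rule set itself are assumptions chosen for illustration.

```python
"""Added example (not from the slides): a first-match packet filter / ACL
evaluator of the kind applied by a firewall, a router ACL or a TCP wrapper,
plus a check for rules that an earlier rule makes unreachable.
Rule set, addresses and ports are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR the source address must fall inside
    proto: Optional[str] = None  # "tcp", "udp", "icmp"; None matches any
    dport: Optional[int] = None  # destination port; None matches any


@dataclass
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None


# Constructed rule set. First match wins, and anything unmatched is dropped
# (default deny), so the order of the rules is part of the policy.
RULES = [
    Rule("deny", "203.0.113.0/24"),            # null-routed: a known-bad range (assumed)
    Rule("deny", "0.0.0.0/0", "tcp", 445),     # SMB is a classic worm vector: block it even internally
    Rule("allow", "10.0.0.0/8", "tcp"),        # any TCP service from the internal network
    Rule("allow", "0.0.0.0/0", "tcp", 443),    # HTTPS from anywhere
    Rule("allow", "10.0.0.0/8", "icmp"),       # ping from inside only
]

# The same intent with the SMB deny placed after a broad allow: the deny can
# never fire, and a worm inside 10.0.0.0/8 reaches port 445 unhindered.
MISORDERED = [
    Rule("allow", "0.0.0.0/0", "tcp"),
    Rule("deny", "0.0.0.0/0", "tcp", 445),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, index of the matching rule); -1 means the implicit default deny."""
    addr = ipaddress.ip_address(pkt.src)
    for i, r in enumerate(rules):
        if addr not in ipaddress.ip_network(r.src):
            continue
        if r.proto is not None and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, i
    return "deny", -1


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already
    covers every packet they would match (a common firewall design error)."""
    out = []
    for j, rj in enumerate(rules):
        net_j = ipaddress.ip_network(rj.src)
        for ri in rules[:j]:
            if (ipaddress.ip_network(ri.src).supernet_of(net_j)
                    and ri.proto in (None, rj.proto)
                    and ri.dport in (None, rj.dport)):
                out.append(j)
                break
    return out


def main() -> None:
    samples = [
        Packet("10.1.2.3", "tcp", 445),        # internal host probing SMB: denied by rule 1
        Packet("10.1.2.3", "tcp", 22),         # internal SSH: allowed by rule 2
        Packet("198.51.100.7", "tcp", 443),    # external HTTPS: allowed by rule 3
        Packet("203.0.113.9", "tcp", 443),     # null-routed range: denied by rule 0
        Packet("198.51.100.7", "udp", 53),     # nothing matches: default deny
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
    print("shadowed rules in RULES:", shadowed(RULES))
    print("shadowed rules in MISORDERED:", shadowed(MISORDERED))
    print("SMB from inside under MISORDERED:", evaluate(MISORDERED, samples[0]))


if __name__ == "__main__":
    main()
```

The point of the second rule set is the "carefully designed" part of the bullet: a deny that sits behind a broader allow is dead policy, and the shadowing check catches that before a worm does.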
Stuxnet – worm used to sabotage the Iranian nuclear programme (widely attributed to Israel and the US)
Stuxnet attack sequence (figure; reconstructed from the slide's step labels):
Step 1: Record steady-state snapshots (30 days)
Step 2: Wait for attack
Step 3: Secondary centrifuge valves
Step 4: Pressure reading
Step 5: Wait for pressure change (2 hours)
Step 6: Auxiliary valves
Step 7: Wait 6 minutes
Step 8: Delete footprint
DDoS – Distributed Denial of Service

• A concentrated attack on a system or service that uses zombies and
botnets to disrupt or deny access to the target
• Example: mail-bombing the target server with voluminous email
• Zombies and botnets are other systems that have been compromised by
payload-carrying worms (or other malware)
• They are typically used in large batches, without the owners of the zombies
and bots being aware that their machines are the source of the attack
• The primary objective is to disable the target system without gaining
access to it
DDoS – how does it work?
• Volumetric attacks
• Overwhelm the target's network bandwidth with a flood of bogus traffic, often
spread across every open port on the target device
• UDP and ICMP floods are the most commonly used methods
• Application-layer attacks
• Use HTTP, HTTPS, DNS and SMTP requests to exhaust the target server
• Hard to detect, because each request is well-formed and looks like legitimate
traffic; only the volume gives it away
• Protocol attacks
• Exploit weaknesses in the protocol itself. The classic case is the TCP SYN flood:
SYN packets, usually with spoofed source addresses (or deliberately malformed),
leave half-open connections that exhaust the server's connection table and slow
it down
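Detection logic for the three attack classes above, as an added example that is not code from the slides: it builds a constructed packet capture containing legitimate traffic plus one flood of each type, then applies the check that singles out each class. Addresses, traffic volumes and thresholds are assumptions chosen so the floods stand out; a real deployment would tune them to the link and the service.

```python
"""Added example (not from the slides): detection logic for volumetric,
application-layer and protocol (SYN flood) DDoS traffic, run over a
constructed capture. Addresses, volumes and thresholds are assumptions."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Pkt(NamedTuple):
    t: float      # seconds since the start of the capture
    proto: str    # "tcp", "udp", or "http" for a request seen by the web server
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # client TCP flags: "S" = SYN, "A" = ACK; "" otherwise
    length: int   # bytes on the wire


def constructed_capture() -> List[Pkt]:
    """Synthetic traffic to 10.0.0.5: legitimate clients plus one flood per class."""
    pkts = []
    # 20 legitimate HTTPS clients: SYN, ACK (handshake done), then two requests
    for i in range(20):
        c, t = f"192.0.2.{i + 1}", 0.05 * i
        pkts.append(Pkt(t, "tcp", c, 50000 + i, "10.0.0.5", 443, "S", 60))
        pkts.append(Pkt(t + 0.005, "tcp", c, 50000 + i, "10.0.0.5", 443, "A", 52))
        pkts.append(Pkt(t + 0.010, "http", c, 50000 + i, "10.0.0.5", 443, "", 400))
        pkts.append(Pkt(t + 0.020, "http", c, 50000 + i, "10.0.0.5", 443, "", 400))
    # 10 legitimate DNS queries
    for i in range(10):
        pkts.append(Pkt(0.1 * i, "udp", f"192.0.2.{i + 1}", 40000 + i, "10.0.0.5", 53, "", 80))
    # Protocol attack: 500 SYNs from spoofed sources that never complete the handshake
    for i in range(500):
        pkts.append(Pkt(1.0 + 0.002 * i, "tcp", f"203.0.113.{i % 254 + 1}", 1024 + i,
                        "10.0.0.5", 443, "S", 60))
    # Volumetric attack: 2000 large UDP datagrams at port 53 within one second
    for i in range(2000):
        pkts.append(Pkt(2.0 + 0.0005 * i, "udp", f"198.18.{i // 256}.{i % 256}", 4000,
                        "10.0.0.5", 53, "", 1400))
    # Application-layer attack: one client issuing 300 well-formed requests in one second
    for i in range(300):
        pkts.append(Pkt(4.0 + i / 300, "http", "192.0.2.50", 60000, "10.0.0.5", 443, "", 400))
    return sorted(pkts)


def syn_flood(pkts: List[Pkt], threshold: int = 100) -> Dict[Tuple[str, int], Tuple[int, int]]:
    """Protocol attack: per listening socket, count SYNs never followed by the
    client's ACK (half-open connections) and how many distinct sources sent them.
    Spoofed floods spread over many addresses, so the signal is per socket, not
    per source. Returns {(dst, dport): (half_open, distinct_sources)} above threshold."""
    pending = {}  # (src, sport, dst, dport) -> True until the client's ACK arrives
    for p in pkts:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending[key] = True
        elif p.flags == "A":
            pending.pop(key, None)  # handshake completed; not half-open
    half_open = defaultdict(set)
    for src, sport, dst, dport in pending:
        half_open[(dst, dport)].add((src, sport))
    return {sock: (len(conns), len({s for s, _ in conns}))
            for sock, conns in half_open.items() if len(conns) > threshold}


def udp_flood(pkts: List[Pkt], bps_threshold: int = 10_000_000) -> List[Tuple[str, int, int, int]]:
    """Volumetric attack: bits per one-second bucket per destination socket.
    Returns [(dst, dport, second, bits)] for buckets above threshold."""
    bits = Counter()
    for p in pkts:
        if p.proto == "udp":
            bits[(p.dst, p.dport, int(p.t))] += p.length * 8
    return sorted((dst, dport, sec, b) for (dst, dport, sec), b in bits.items()
                  if b > bps_threshold)


def app_layer_flood(pkts: List[Pkt], rps_threshold: int = 50) -> Dict[str, int]:
    """Application-layer attack: requests per second per client. Every request
    is well-formed, so the rate is the only thing that gives the client away.
    Returns {src: peak requests per second} for clients above threshold."""
    rps = Counter()
    for p in pkts:
        if p.proto == "http":
            rps[(p.src, int(p.t))] += 1
    worst: Dict[str, int] = {}
    for (src, _sec), n in rps.items():
        if n > rps_threshold:
            worst[src] = max(worst.get(src, 0), n)
    return worst


def main() -> None:
    cap = constructed_capture()
    print("half-open connections per socket:", syn_flood(cap))
    print("UDP bandwidth spikes:", udp_flood(cap))
    print("application-layer offenders:", app_layer_flood(cap))


if __name__ == "__main__":
    main()
```

Note the different keys: the SYN-flood check counts half-open connections per listening socket, because the 500 SYNs arrive from 254 distinct spoofed addresses and a per-source rate limit would see two or three packets each; the application-layer check keys on the client, since there the attacker's address is real and the request rate is the only anomaly.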
Impact of DDoS

• The target server alone is brought down, while the wider Internet is
unaffected apart from the increased traffic load
• Motives range from personal (a disgruntled employee) to political
• At different points in time many leading organizations have been
hit – Amazon, Yahoo, eBay, …
Modus operandi of DDoS
How to mitigate / handle DDoS?
• Cannot be eliminated entirely, because the attack sources are not known until the attack is under way.
• It takes a multi-level protection strategy to keep a DDoS attack from harming the
system.
• Defence mechanisms include a combination of firewalls, VPN, anti-spam, content filtering and load
balancing
• Have a well-planned response team to handle a DDoS attack. Early warnings of a DDoS
attack include network slowdown, spotty connectivity and intermittent website outages
• Systems checklist – filtering tools, both hardware and software, should always be ready.
• A strong network architecture is very important. For example, geographically distributed servers
have two advantages:
• When one server is attacked, the other servers continue to operate
• It is difficult for attackers to hit all the distributed servers at the same time
• Consider using the cloud, especially for MSMEs (micro, small and medium enterprises) that cannot afford a big budget for network security.
• Major cloud service providers are better equipped to absorb these attacks
• Consider DDoS protection as a service (a third-party scrubbing service). It combines in-house hosting with
third-party hosting that filters the attack traffic before it reaches the target
