Technical attacks and some methods for avoiding them
This lecture will give an overview of terminology that is related to malware and cyber-attacks. We will briefly cover the following topics: different types of malware, botnets, denial of service attacks, man-in-the-middle attacks, spoofing attacks, different types of vulnerabilities. In addition, we will see whether cyber attacks can lead to a "cyber war" or if such a thing could even exist on its own. Finally, we will briefly describe how antivirus software and firewalls work and how useful they are in real life for preventing infections.
Malware
Malicious software or malware is a program that is written with malicious intent. Malware may use its functionalities to attack the infected computer (e.g., to collect personal information) or direct the attack against other computers in the local network or on the Internet (e.g., sending spam / phishing emails). The properties of the malware allow to classify them into different categories. The following are some of the well-known malware categories.
Viruses and worms are trying to replicate and thus distribute the malware over the network. Viruses replicate by inserting themselves into existing files. When a file that is infected with a virus is executed, then the virus will usually try to infect other files on the same computer. Therefore, viruses needed the help of the users in order to spread. Contrarily to viruses, worms do not need the help of the user to spread; they are actively trying to distribute themselves. Worms might automatically copy themselves to USB sticks or to available shared folders, but they might also spread through emails. The most well known worms are I love you and Stuxnet.
Trojan horse or trojan is malware that hides its true purpose in order to trick the user into installing it. Usually, a trojan is advertised as a useful and harmless program in order to gain the trust of the users. Once the trojan is installed, it either infects the computer or creates a backdoor for the attacker. The backdoor might be a service that allows remote access to certain people, but it might also be a vulnerability designed into the software on purpose. Using the backdoor, the attacker may take full control over the computer. A famous example of a trojan is Zeus.
Rootkit is malware that tries to get privileged access to some parts of the system that are usually protected. Rootkits try to hide their tracks in order to stay hidden, but they might also hide some other malicious software. Rootkits are usually not seen in the process table of the operating system, and they may also delete logs in order to prevent detection. Usually, it is difficult to get rid of a rootkit even when it is found. In case a rootkit is found, and the corresponding program is closed or deleted, then most rootkits are still able to restart themselves. Some of the well known rootkits are the Sony rootkit and the rootkit from the Greek wiretapping case in 2004-2005: brief overview in Wikipedia, detailed description of the The Athens Affair (2007).
Ransomware is a type of malware that attacks the availability of the infected system. For example, ransomware might encrypt all the documents that are saved on the infected computer and ask the owner of the computer to pay for unlocking (i.e. decrypting) the documents. In recent years this type of ransomware has been quite widespread. The well known ransomware examples are Reveton, CryptoLocker, WannaCry, Petya / NotPetya. Interestingly, in many cases, attackers behind the ransomware really restore access to the encrypted documents after the payment is made. Once people get their documents back, they tend advertise their success, and so other people and companies are more likely to also pay to the attackers. It appears that the attackers have chosen a business model that is based on positive feedback. However, this is not always the case, as sometimes attackers have other motivations. Ransomware can be used as a part of a cyberweapon to destroy data and take down information systems. This was the case with NotPetya, which was created in 2017 by Russia in order to attack Ukraine. NotPetya was malware that was designed to disrupt and create chaos. Thus, it did not even have a functionality that would decrypt the data. The cyber attack became well known as it quickly spread outside of Ukraine and infected the systems of private companies, including large corporations like Maersk. NotPetya almost halted the business of Maersk, which caused significant monetary loss for the company. There is a good article giving a broad overview of how Maersk was affected by NotPetya: The Untold Story of NotPetya, the Most Devastating Cyberattack in History (autumn of 2018). The previous article contained an estimate that the total damages due to NotPetya could be around 10 billion US dollars.
Writing malware might not be extremely difficult, but the question is how the result is distributed. It is known that malware can also be distributed by hardware - e.g., as described in here: Mouse Trap: Exploiting Firmware Updates in USB Peripherals. However, there are also very practical tools, which can be legally bought for testing, like the malicious USB cable.
Cyberattacks
MITM
Man-in-the-middle attack is an active attack where the attacker listens to the communication and is able to modify the messages of the communicating parties. Victims of MiTM think that they are communicating privately or securely, but actually messages are intercepted by an attacker who might change them, delete them or insert new messages.
MiTM is possible only when the communicating parties have not done mutual authentication. Therefore, in order to be protected against MiTM, one would have to use a separate channel for exchanging authentication information. Thus, the end-user is usually not able to do much in order to protect against MiTM attack, and the defense against MiTM attack should be provided by the software or service.
MiTM can be applied if the attacker is in an advantageous position in the network. E.g., a MiTM attack could be quite easy if the attacker controls a router / switch / ISP / VPN server. MiTM attack could be done on an open Wifi network. Man-in-the-browser attack is a special form of the MiTM attack where the attacker has taken control over the user's browser. STARTTLS stripping is done by using the MiTM attack, an overview of the STARTTLS weakness is given in the following article: Neither Snow Nor Rain Nor MITM ... An Empirical Analysis of Email Delivery Security.
Man-in-the-middle attack, source.
Botnet
Botnet has gotten its name from the bots used in the IRC servers. However, the IRC bots were not malicious as they were designed to help the administrator of the chatroom.
Internet Relay Chat (IRC) is a protocol that allows running chatrooms in the Internet. The user of an IRC client can connect to an IRC server and then join the chatrooms (channels) that are available on the given server. IRC bots are members of the chatroom that are designed to automatically do some specific tasks like giving special privileges to higher ranking chatroom members. The IRC bots were usually distributed to several computers in order to avoid problems when the computer running the bot would lose its Internet connection. Such IRC bots formed a botnet that was actually not malicious. A malicious botnet works in a similar way, but in this case, the computers of the victims join the botnet without the victim noticing it.
One could say that a botnet is composed of a large number of computer programs (botnet clients) that are connected over the Internet and are fulfilling a given task. The botnet client needs to contact the command & control server in order to get instructions. If the computer programs in the botnet are installed without the users' permissions then they are most likely part of a malicious botnet, and in this case, usually the instructions given by the command & control server are also malicious.
Botnet manager controls the command & control server and can use it to give tasks to the infected computers. Therefore, a botnet could be used for:
- sending spam in a distributed manner which is difficult to block
- doing a distributed denial of service attack
- spreading malware
- computations that require a significant amount of processing power - cracking password hashes, mining bitcoin
- collecting information about the users of the infected computers - passwords, credit card numbers, confidential documents, pictures, etc.
Some of these functionalities can be resold as a service, and this is illustrated in the following picture:
According to Wikipedia the largest botnets have consisted of millions of computers. However, it is possible to cause significant damage with a much smaller botnet.
Zeus is one of the most well-known malware that has been used for creating botnets. Zeus is a trojan that works on Windows operating system and uses sophisticated methods to hide itself. Therefore, it was quite difficult to find out if the computer was infected. Zeus was developed as a simple tool that could be bought by cybercriminals. The business model of the creators of Zeus was to licence the malware for the people who were not able to write their own malware. However, in 2011 the source code of Zeus leaked, which caused the outbreak of many similar trojans that were built on top of the same source code. More information about Zeus can be found from: GameOver Zeus P2P Malware.
Managing a botnet has become a business, and therefore the tools for managing botnets have become quite user friendly. A good example was the admin panel of a Zeus derivative named Citadel, which allowed to control and get an overview of the infected computers. Screenshots from the admin panel of Citadel can be seen from: Inside Citadel 1.3.4.5 C & C & Builder - Botnet Control Panel. As seen from the two previous links, the user interface of Citadel admin panel was similar to a content management system, which shows that the management of the botnet is designed so that even people without specific knowledge would be able to use it.
DoS / DDoS
Denial of service attacks allow to overload a website or a service so that it would not be able to serve the users requests. Such attacks can be divided into two categories: a denial of service attack that originates from one source and a denial of service attack that originates from several sources. The latter is called a distributed denial of service attack (DDoS). A DDoS attack can be launched by using computers that are controlled by a botnet. However, if the attacker does not have his own botnet, then he could buy a service from the botnet owners. Usually, the aim of a DDoS attack is to briefly take down a website, and thus it is not a very sophisticated attack. However, media often reports that a website was hacked when actually just a simple DDoS was used.
In 2007 Estonian websites were the target of a massive DDoS attack. That attack was more sophisticated as it tried to take down several important services at the same time. In 2015 a massive DDoS was directed at the popular code hosting website GitHub as it was hosting a website that described how to bypass the Chinese censorship in Internet. More information about the GitHub attack can be found from the following article: DDoS attacks that crippled GitHub linked to Great Firewall of China (2015).
One idea to protect a website from DDoS attacks is to use cloud-based mitigation. Usually, the cloud service providers do not have problems with limited bandwidth, and they may also have special hardware that is more resistant to huge amount of requests. DDoS protection for websites and businesses is provided by several companies; one of them is Cloudflare. Google provides such service for free in order to protect the freedom of speech: Project Shield. However, the Project Shield is mainly aimed at organizations that provide news, information about elections or human rights content. An example from 2016 - after a massive DDoS attack the blog of Brian Krebs is now hosted by Project Shield.
DDoS protection is often built by using a reverse proxy. A reverse proxy receives the connections that are targeted to the client and forwards them to the server that has the requested resource. The proxy servers are hosted by the DDoS protection provider (in the previous examples, Cloudflare, Google). The problem with such approach is that it breaks TLS connection. By using Cloudflare or other similar DDoS protection services the TLS connection is done in two parts, first tunnel is created from the client browser to the reverse proxy and the second TLS tunnel is created from the reverse proxy to the webpage / service. Thus, the DDoS provider can read the contents of the packets as they are decrypted in the proxy. Therefore, Cloudflare is not suitable for banks or other companies & institutions who transmit confidential data. There has been some discussion about the negative side of the DDoS protection:
- My TLS conundrum and why I decided to leave CloudFlare (2014)
- Blog post -CloudFlare, We Have A Problem (2016)
In addition to Cloudflare, the HTTPS connection can be broken also by companies who want to monitor the network activity of their employees. This can be done by creating a local CA whose certificate is set to be trusted in the computers of the employees. Then the company can generate fake certificates for domains in real time by using its local CA. This allows to intercept the communication as the TLS tunnel is initially created by the fake certificate, which allows the company's proxy server to decrypt the information and then initiate a real TLS tunnel to the target server. Some antivirus software is behaving in a similar manner to make it possible to analyse the data that is sent over HTTPS. In principle, the proxy software is doing a MiTM attack. To get an overview of the problem, read the following article:
Estonian cyber security assessments
The Estonian Information System's Authority has composed multiple yearly reports regarding the state of cyber security in Estonia since 2013. These reports, both in English and in Estonian, can be found from the this link.
Cyber attacks and cyber warfare
There is still discussion about the term of cyber warfare and therefore different people have different opinions when talking about cyber war. There is the question of how to define that a cyber war has started. Is a single cyber attack already a sign of a cyber war or how many cyber attacks would constitute a cyber war. Many security researchers are saying that there hasn't been a single cyber war and that we have only seen countries exchanging cyber attacks.
A real cyber war might involve attacks against the information systems, communication systems, transport systems, power plants, water purification plants, factories, etc. It is well known fact that the machines in factories are very badly secured. There have been estimates that a large amount of the SCADA systems could be remotely controlled by the attackers and the attacker might be nation states. In 2015, Forbes wrote about the insecurity of the SCADA systems: Want Some Nuclear Power Plant 'Zero-Day' Vulnerabilities? Yours For Just $8,000. It might be quite realistic to assume that so called "cyber war" would involve attacks against factories or power plants. We will discuss the zero-day vulnerabilities while describing Stuxnet.
Cyber attacks are means for:
- espionage and collecting confidential information
- politically motivated sabotage
- sabotage that will support a conventional military conflict
- politically motivated denial of service attack
High-value targets:
- energetics and power plants
- factories
- water purification plants
- communication networks
- transport
- services provided by the government
- military systems (communication, control, navigation, etc.)
Examples of cyber attacks against nation states:
- 2007 - DDoS attacks against Estonian websites, banks
- 2008 - cyber attacks were used in the war between Russia and Georiga
- 2010 - Iran's nuclear facilities were attacked by Stuxnet
- 2015 - Attacks against Ukraine's electricity grid
- 2022, 2023, 2024 - Attacks against Ukraine
The Grugq gave a good overview on the topic of cyber war when presenting at Black Hat Asia 2018:
Stuxnet and zero-days
Stuxnet was the first example of cyber sabotage, it was detected in the July of 2010. Stuxnet was a highly sophisticated worm that was created for a specific target. The target for Stuxnet was the uranium enrichment facility in Iran. More specifically, Stuxnet was designed to sabotage the centrifuges in a classified nuclear facility and it was known that the hardware that had to be sabotaged was not even connected to the Internet. Therefore, Stuxnet used USB sticks to replicate itself and this allowed it to move to the networks that were not in Internet. The attack code inside of Stuxnet was set to run only on specific Siemens hardware that was present only in the Iranian nuclear facilities and therefore Stuxnet did not do any harm to other infected devices.
How was it possible for Stuxnet to infect a highly secured nuclear facility where the important devices where not connected to Internet? It has been suggested that the infection was intended to spread indirectly to the nuclear facility and the carriers of infection were the contractors who did maintenance in the facility. As a first step the computers of four maintenance companies were infected and the employees carried Stuxnet into the nuclear facility via their computers or USB sticks. Once Stuxnet found out that it is in the nuclear facility it started to slowly sabotage the centrifuges but it did this in a cleaver way by faking the diagnostics and showing to the employees that everything was working correctly.
Stuxnet managed to spread and stay undetected by using at least four zero-day vulnerabilities. Zero-day vulnerabilities are very valuable as they are not known to the public and can therefore be used to breach computers and networks. Therefore, antivirus software is not able to detect malware that is based on zero-day vulnerabilities and therefore such malware can stay undetected. Zero-day vulnerabilities are sold both on the black market but also legally to companies and governments. It is thought that governments are one of the biggest buyers of zero-days. You will find more information about this from the report created by RAND: Zero Days, Thousands of Nights - The Life and Times of Zero-Day Vulnerabilities and Their Exploits (2017). A presentation about the findings of the report was given in the 2017 Black Hat Europe. Another great source for information about the zero day market was provided in a BlueHat 2023 presentation by Mark Dowd: Inside the Zero Day Market. There is also a podcast that focuses on this presentation: Zero Day Markets with Mark Dowd (June 2024).
Who are using zero-days? (Source: _A Year in Review of Zero-Days Exploited In-the-Wild in 2023_, Google. PDF.
It is not exactly known when Stuxnet started the sabotage of the centrifuges but it is known that in June 2009 Stuxnet was detected in several locations over the globe. It managed to sabotage the centrifuges for about a year before it was detected. During that period it was able to destroy about 1000 uranium enrichment centrifuges, which set back the Iranian nuclear program by several years.
A good overview of Stuxnet is given in the following article: An Unprecedented Look at Stuxnet, the World’s First Digital Weapon. The following book covers Stuxnet in more detail: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon.
Mikko Hyppönen predicted in 2011 that such complex attacks will become more common but this has not happened. The reason for that might lay in the cost and complexity of building so advanced attacks. It is not reasonable to use a very expensive attack against mid-level targets as one can use the surprise effect of the new malware only once. In addition, it is dangerous to attack powerful states as they might retaliate with similar kind of attacks and the situation might escalate.
How to defend against attacks
Penetration testing
Penetration testing or pentesting is a method for imitating a real attack on the system in order to check if the security is up to date and in order to find new vulnerabilities. Penetration testing is often required as a part of the auditing and certification of the system.
Conditions for the penetration test are negotiated beforehand such that both parties know which approach is allowed. Which systems are tested and which are off limits? Is it allowed to use social engineering? The regular employees of the company might not be aware of the penetration test and they might be a target for social engineering to check if they follow the security policy. The other option is that the employees are aware and are trying to prevent an attack.
Most of the penetration testing is done in front of the computer but in some cases the client might also ask for the review of physical security. This is shown in the following video (non-standard approach):
Ports and firewall
Ports
Port is the endpoint of the communication and it is associated with the IP address, protocol and port number. A port number is a two-byte number, i.e., a number from 0 to 216. Ports are used by the transport protocols TCP and UDP. The headers of TCP, UDP packets contain both the number of the source port and the number of the destination port. These port numbers are used by the operating system to direct the packet into a correct port, i.e., to the intended application.
Ports can be divided into well-known ports (0 to 1023), registered ports (1024 to 49151), and the dynamic ports (49152 to 65535). Ports from the registered port range can be registered for a certain service but they can also be used by normal users. Ports from the dynamic range can not be reserved, they are meant to be used according to the need for temporary services.
Ports in the well-known ports range are used by processes which provide common network services. These ports are reserved for the most frequently used services. Servers use the well-known ports in order to listen to the requests from the clients.
Examples:
- 80: HTTP (web server)
- 443: HTTPS (web server)
- 21: FTP
- 22: SSH
- 53: DNS
Web browsers use ports 80 and 443 in order to connect to the web servers, i.e., either by using HTTP or HTTPS protocol. If the browser want to create a connection with a web server then the operating system assigns a source port to the browser and the destination port is either 80 or 443. The source port is required as the web server has to be able to send back data to the browser and the operating system has to know where the incoming data packets have to be sent, i.e., which application is waiting for the corresponding incoming connection.
Some links:
Firewall
Firewall is something that analyzes both the incoming and outgoing traffic and filters it according to the rules. Firewall can be either software based or hardware based. Firewalls use different parameters to filter the traffic, e.g., IP, port number, protocol, application.
Firewall, source
The main goal of the firewall is to protect the inner network for the insecure outer network. Therefore, some ISP-s by default provide the Internet connection with closed ports in order to increase the security level of their clients. If the ports are closed then applications from outer network are not able to connect with the client's devices as the ISP filters requests to some ports. Actually, the open ports by itself are not the cause of the security problem, the real problem is with the vulnerable software that listens to the open ports. If the software that listens to an open port is vulnerable then attackers can abuse its vulnerabilities by sending specially crafted packets to the open port.
The second goal of the firewall is to filter the outgoing traffic. By filtering outgoing traffic it might be possible to stop the spreading of malware and spam or the leakage of classified information. In addition to filtering incoming and outgoing traffic the firewall can also log the incoming and outgoing connections. Creating logs is very important as they could be used to find out what has happened in the network. Thus, logs might help to detect an attack or they might help to find out what the attacker did in the network.
Windows firewall
To configure the Windows firewall navigate to: “Control Panel -> System and Security -> Windows Firewall -> Advanced Settings”
Mac OS X firewall
To configure the Mac OS X firewall navigate to: “System Preferences -> Security & Privacy -> Firewall -> Firewall Options.”
Antivirus software
Antivirus software is meant to protect the computer from all kinds of malicious programs. Although the name contains the term "virus" it does not mean that the software will only protect against viruses. Actually, viruses are not widespread anymore and therefore a more suitable term could contain the word malware as it describes all kinds of malicious programs.
How is malware detected
Antivirus software usually detects malware by using two main methods. First, the antivirus software developers have a database of signatures of malicious files. The files could be described in the database with hash values. The antivirus software gets daily of weekly updates which update the malicious file database and help the antivirus software to detect new malicious files.
Unfortunately, the attackers are usually one step ahead of the antivirus developers and this means that the antivirus company has to first detect the new malware and create an update before the antivirus software is able to detect it. Thus, it is important that the antivirus software would get updates as frequently as possible. But even this won't protect the computer from new threats that have not yet been detected by the antivirus software developers. In order to somehow lessen the problem antivirus software developers have added a second method for detecting malware. The antivirus software could also use heuristic methods to detect suspiciously behaving programs. The heuristics tries to detect the malware by monitoring the behavior of programs. However, it is not a trivial task to do and therefore most antivirus programs are either too passive or too active and when the antivirus software is too active and creates lots of false positives then the user might start to ignore it and disable the antivirus. Still, even the good heuristic measures are not able to detect all malicious programs as the malicious programs could mimic the functionalities of valid program. Thus, there is also the possibility that the antivirus software will execute the suspicious program in an isolated environment called sandbox to find out if the program does something malicious.
Real-time defense
Most of the antivirus programs works constantly in the background and they are automatically started when the operating systems starts running. This allows the antivirus software to scan the threats in real-time, e.g., to scan Internet traffic, contents of emails and the contents of USB sticks. However, scanning for threats in real-time might use a lot of resources and make the computer work slower.
The weaknesses and dangers of antivirus software:
- Antivirus software could give the false sense of security as people wrongly assume that antivirus software is able to detect all attacks. People are not aware that antivirus software just helps to protect against the common threats and not against new sophisticated malware.
- When malware is found then often the user has to decide what to do with the infected file and it is not trivial to make such decision.
- Antivirus programs which work in real-time make the system slow as they scan for all executed files and network traffic.
- Antivirus software which uses heuristic detection methods can make wrong decisions. It is possible that real malware get undetected (false negative) and that a non-malicious program gets detected as malware (false positive).
- Antivirus software has to be run in administrative permissions but this creates new opportunity for attacks, e.g., by spreading fake anti-virus software. Antivirus software works in administrative rights and is often configured to get automatic software updates. Thus, some people wonder if the antivirus companies and their products could be used during a "cyber war" as attack vectors.
How to choose a suitable antivirus software?
You will have to run an antivirus software in the Windows operating system as most malware is still created for Windows! Well known antivirus companies are for example F-Secure, Symantec, Kaspersky and ESET. In the autumn of 2017 Kaspersky received accusations of malicious behavior. The accusation were about the possibility of cooperating with the Russian government to get access to classified documents, but it was not clear whether the classified documents were uploaded on purpose. However, the threat could be real in case of a (cyber)war as then the government could force the local antivirus software vendor to cooperate and add a malicious piece of code into the next software update. Usually antivirus software runs in administrative rights and therefore it would be the perfect attack vector - the software is trusted and gets regular updates.
There are also some free antivirus programs which usually provide limited protection. These are for example AVG, Avira and Avast. However, one has to understand that the companies behind the free antivirus software are still trying to make a profit and therefore the EULA of the free antivirus might say that the company is selling the clients personal information like browsing history as it happened with AVG: AVG can sell your browsing and search history to advertisers (2015).
One useful tool for checking files for infections is VirusTotal. VirusTotal scans the uploaded file with different antivirus software and other detection tools.
Since Windows XP Microsoft provides a tool called Microsoft Security Essentials, which gives some protection against malware. Since Windows 8, Microsoft Security Essentials is incorporated into Windows Defender and comes preinstalled.
Further reading
- Attackers:
- Reports
- Cyber attacks / cyber warfare / interesting malware infections
- Hackers attacked the U.S. energy grid 79 times this year (2014)
- German nuclear plant infected with computer viruses, operator says (2016)
- Technical Report about the Malware used in the Cyberespionage against RUAG (2016)
- Hackers Make the First-Ever Ransomware for Smart Thermostats (2016)
- Wickedly Clever USB Stick Installs a Backdoor on Locked PCs (2016)
- How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World (2016)
- Unpatchable Flaw Affects Most of Today's Modern Cars (2017)
- Lessons from TV5Monde 2015 Hack (2017)
- Why the Equifax breach is very possibly the worst leak of personal info ever (2017)
- Billions of devices imperiled by new clickless Bluetooth attack (2017)
- Collection of links to IoT attack
- Understanding the Mirai Botnet (Usenix 2017)
- The Untold Story of NotPetya, the Most Devastating Cyberattack in History (2018)
- What You Need to Know About the SolarWinds Supply-Chain Attack (2020)
- A dying man, a therapist and the ransom raid that shook the world (2020)
- Colonial Pipeline attack: Everything you need to know (2021)
- Updated Kaseya ransomware attack FAQ: What we know now (2021)
- Defending Ukraine: Early Lessons from the Cyber War (2022)
- Fog of war: how the Ukraine conflict transformed the cyber threat landscape (2023)
- The Biggest Hack of 2023 Keeps Getting Bigger (2023)
- Other links: