UNIT 6
SOFTWARE FLAWS AND MALWARE
- Programmers are human beings, not ‘robots’, and occasionally make mistakes unintentionally. Some of these mistakes cause damage to the program, e.g. spelling mistakes. However, certain mistakes, if they go unnoticed, can have serious negative implications for the program. Three such common non-malicious programming errors are:
Buffer Overflow:
- It occurs when a memory reference falls beyond the declared boundary of a variable. When an array or string is declared, a finite amount of memory is reserved for that variable, e.g. int arr[5] reserves five memory slots.
- Some compilers check for such errors at run time while some don’t (e.g. the C compiler).
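The following is an added example, not code from the unit notes: it models the int arr[5] case above in C, where the compiler performs no run-time bounds check. Instead of writing past the end of the array (which the C language does not stop), the helpers arr_store and str_copy_checked (constructed names) carry the buffer length and refuse any reference outside the declared boundary, which is the check a programmer must add by hand in C.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the unit notes: arr[5] reserves exactly five
 * slots, indices 0..4. The C compiler does not check the index at run
 * time, so arr[5] = x would silently write past the end of the array. */
#define ARR_LEN 5

/* Checked write: refuses any index outside the declared boundary.
 * Returns 0 on success, -1 when the reference would overflow. */
int arr_store(int *arr, size_t len, size_t idx, int value)
{
    if (idx >= len) {
        return -1;              /* out-of-bounds reference rejected */
    }
    arr[idx] = value;
    return 0;
}

/* Checked string copy: the same idea for character buffers. strcpy()
 * keeps writing until it meets the '\0' that ends src, however long
 * src is; this version first checks that src (plus '\0') fits in dst. */
int str_copy_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) {
        return -1;              /* would overflow dst */
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Drives both helpers with constructed input and returns how many
 * writes were rejected: the sixth index (arr[5]) and the five-letter
 * string that needs six bytes. */
int demo(void)
{
    int arr[ARR_LEN] = {0};
    char name[ARR_LEN];
    int rejected = 0;
    size_t i;

    for (i = 0; i <= ARR_LEN; i++) {          /* note <=: one index too many */
        if (arr_store(arr, ARR_LEN, i, (int)i) != 0) rejected++;
    }
    if (str_copy_checked(name, sizeof name, "abcd") != 0) rejected++;   /* fits */
    if (str_copy_checked(name, sizeof name, "abcde") != 0) rejected++;  /* too long */
    return rejected;
}
```

demo() returns 2: the loop deliberately runs one index past the array and the second copy needs six bytes for a five-byte buffer, and both are refused instead of corrupting whatever lies next to the buffer in memory.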
Incomplete Mediation:
- Very often secret or private data gets exposed because the input supplied by a user is not completely checked (mediated) by the server.
- Considering a URL generated by a user’s browser to access a server: https://www.things.com/order/final&custID=101&part=555A&qy=10&price=10&ship=boat&shipcost=5&total=105
- Instead, the user can edit the URL to read: https://www.things.com/order/final&custID=101&part=555A&qy=10&price=1&ship=boat&shipcost=5&total=15
- A forged URL is thus used to access the server.
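The added example below is not from the unit notes; it shows what complete mediation of the order URL above looks like on the server side. The catalogue, shipping table, parameter limits and function names (parse_query, server_total, order_tampered) are constructed for illustration. The server never uses the price, shipcost or total fields sent by the client: it recomputes the total from part, qy and ship against its own data, and treats a disagreement with the client's figures as a forged request.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not from the unit notes. Catalogue, shipping table and
 * limits are constructed. Input is the part of the URL after "final&". */
#define MAX_PARAMS 16
#define MAX_QTY 1000

struct param { char key[16]; char value[32]; };

/* Splits "k1=v1&k2=v2..." into pairs. Returns the count, or -1 if the
 * query is too long, malformed, or has more pairs than fit. */
int parse_query(const char *query, struct param *out, int max_params)
{
    char buf[256];
    char *tok;
    int n = 0;
    if (strlen(query) >= sizeof buf) return -1;
    strcpy(buf, query);                      /* length checked above */
    for (tok = strtok(buf, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL || n >= max_params) return -1;
        *eq = '\0';
        if (strlen(tok) >= sizeof out[n].key ||
            strlen(eq + 1) >= sizeof out[n].value) return -1;
        strcpy(out[n].key, tok);
        strcpy(out[n].value, eq + 1);
        n++;
    }
    return n;
}

/* Returns the value sent for key, or NULL if the client omitted it. */
const char *lookup(const struct param *p, int n, const char *key)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(p[i].key, key) == 0) return p[i].value;
    return NULL;
}

/* Authoritative data the server trusts instead of the URL (constructed). */
struct price { const char *part; int unit_price; };
static const struct price catalogue[] = { {"555A", 10}, {"777B", 25} };
struct ship  { const char *method; int cost; };
static const struct ship shipping[] = { {"boat", 5}, {"air", 20} };

int server_price(const char *part)
{
    size_t i;
    for (i = 0; i < sizeof catalogue / sizeof catalogue[0]; i++)
        if (strcmp(catalogue[i].part, part) == 0) return catalogue[i].unit_price;
    return -1;                               /* unknown part */
}

int server_shipcost(const char *method)
{
    size_t i;
    for (i = 0; i < sizeof shipping / sizeof shipping[0]; i++)
        if (strcmp(shipping[i].method, method) == 0) return shipping[i].cost;
    return -1;                               /* unknown method */
}

/* Complete mediation: the total is recomputed from part, qy and ship
 * only. Returns the server's total, or -1 if the order is invalid. */
int server_total(const char *query)
{
    struct param p[MAX_PARAMS];
    int n = parse_query(query, p, MAX_PARAMS);
    const char *part, *qy, *ship;
    int unit, shipcost, qty;
    if (n < 0) return -1;
    part = lookup(p, n, "part");
    qy   = lookup(p, n, "qy");
    ship = lookup(p, n, "ship");
    if (part == NULL || qy == NULL || ship == NULL) return -1;
    unit = server_price(part);
    shipcost = server_shipcost(ship);
    qty = atoi(qy);
    if (unit < 0 || shipcost < 0 || qty <= 0 || qty > MAX_QTY) return -1;
    return qty * unit + shipcost;
}

/* Detection: 1 if the client's price or total disagree with the
 * server's figures (a forged URL), 0 if consistent, -1 if invalid. */
int order_tampered(const char *query)
{
    struct param p[MAX_PARAMS];
    int n = parse_query(query, p, MAX_PARAMS);
    const char *price, *total;
    int st = server_total(query);
    if (n < 0 || st < 0) return -1;
    price = lookup(p, n, "price");
    total = lookup(p, n, "total");
    if (price == NULL || total == NULL) return -1;
    return (atoi(price) != server_price(lookup(p, n, "part")) ||
            atoi(total) != st) ? 1 : 0;
}
```

For the honest URL from the text server_total gives 10 × 10 + 5 = 105 and order_tampered returns 0; for the edited URL the server still computes 105, so the claimed total of 15 is flagged and the order can be rejected and logged.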
Time-of-Check to Time-of-Use errors:
- Program data that is not static is bound to change as time passes.
- In an OS/DBMS scenario, transaction values need to be synchronized. If they are not synchronized properly, improper values will enter the system.
- E.g. X = Rs 1000 → A reads X = 1000 and adds Rs 500 (X = 1000 + 500) → B reads X = 1000 and adds Rs 200 → A writes 1500 → B writes 1200 (the actual value should have been Rs 1700).
- An attacker can exploit this to manipulate bank accounts and move the lost money to his personal account.
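Added example, not from the unit notes: a single-threaded replay of the schedule above (X = 1000, A adds 500, B adds 200) in C. The version stamp on the account and the function names read_account, write_blind and write_if_unchanged are constructed for illustration. The point is the time-of-use re-check: a write is only applied if the account has not changed since the caller checked it, so B's stale write is refused and B must re-read and retry.

```c
/* Added example, not from the unit notes: replays the interleaving from
 * the text. Amounts are plain ints (rupees). */
struct account  { int balance; unsigned version; };
struct snapshot { int balance; unsigned version; };

/* Time of check: read the balance together with a version stamp that
 * changes on every write. */
struct snapshot read_account(const struct account *a)
{
    struct snapshot s;
    s.balance = a->balance;
    s.version = a->version;
    return s;
}

/* Unsafe time of use: stores whatever the caller computed from its
 * snapshot, even if the account changed in between. */
void write_blind(struct account *a, int new_balance)
{
    a->balance = new_balance;
    a->version++;
}

/* Safe time of use: re-checks that the account is still as it was at
 * the time of check. Returns 1 if the write was applied, 0 if the
 * snapshot was stale and the caller must re-read and retry. */
int write_if_unchanged(struct account *a, struct snapshot s, int new_balance)
{
    if (a->version != s.version) return 0;
    a->balance = new_balance;
    a->version++;
    return 1;
}

/* The schedule from the text with blind writes: B's stale value wins. */
int lost_update(void)
{
    struct account x = {1000, 0};
    struct snapshot a = read_account(&x);   /* A reads X = 1000 */
    struct snapshot b = read_account(&x);   /* B reads X = 1000 */
    write_blind(&x, a.balance + 500);       /* A writes 1500 */
    write_blind(&x, b.balance + 200);       /* B writes 1200 */
    return x.balance;                       /* 1200: Rs 500 lost */
}

/* The same schedule with the re-check: B's first write is refused,
 * B re-reads 1500 and retries, so nothing is lost. */
int checked_update(void)
{
    struct account x = {1000, 0};
    struct snapshot a = read_account(&x);
    struct snapshot b = read_account(&x);
    write_if_unchanged(&x, a, a.balance + 500);        /* applied: 1500 */
    while (!write_if_unchanged(&x, b, b.balance + 200))
        b = read_account(&x);                            /* stale: re-read, retry */
    return x.balance;                                    /* 1700 */
}
```

lost_update() returns 1200 and checked_update() returns 1700. A real DBMS gets the same effect with row locks or optimistic concurrency (a version or timestamp column compared in the UPDATE's WHERE clause); the simulation only makes the two outcomes visible side by side.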
Malware, or malicious software, is a program or file that is harmful to a computer user. Types of malware include computer viruses, worms, Trojan horses and spyware. These malicious programs can perform a variety of different functions such as stealing, encrypting or deleting sensitive data, altering or hijacking core computing functions and monitoring users' computer activity without their permission.
How malware works
Malware authors use various physical and virtual means to spread malware that infects devices and networks. For example, malicious programs can be delivered to a system on a USB drive or can spread over the internet through drive-by downloads.
Phishing attacks are another type of malware delivery where emails disguised as legitimate messages contain malicious links or attachments that can deliver the malware executable to unsuspecting users.
Sophisticated malware attacks often feature the use of a command-and-control server that allows threat actors to communicate with the infected systems, exfiltrate sensitive data and even remotely control the compromised device or server.
Different types of malware contain unique traits and characteristics. Types of malware include:
- A virus is the most common type of malware; it can execute itself and spread by infecting other programs or files.
- A worm can self-replicate without a host program and typically spreads without any human interaction or directives from the malware authors.
- A Trojan horse is designed to appear as a legitimate program in order to gain access to a system. Once activated following installation, Trojans can execute their malicious functions.
- Spyware is made to collect information and data on the device user and observe their activity without their knowledge.
- Ransomware is designed to infect a user's system and encrypt the data. Cybercriminals then demand a ransom payment from the victim in exchange for decrypting the system's data.
- A rootkit is created to obtain administrator-level access to the victim's system. Once installed, the program gives threat actors root or privileged access to the system.
- A backdoor virus or remote access Trojan (RAT) secretly creates a backdoor into an infected system that allows threat actors to remotely access it without alerting the user or the system's security programs.
- Adware is used to track a user’s browser and download history with the intent to display pop-up or banner advertisements that lure the user into making a purchase. For example, an advertiser might use cookies to track the web pages a user visits to better target advertising.
- Keyloggers, also called system monitors, are used to see nearly everything a user does on their computer. This includes emails, web pages opened, programs run and keystrokes.
Software Exploitation and Buffer Overflows
Here, a chunk of data or a sequence of commands takes advantage of a vulnerability in order to cause unintended behaviour in computer software or hardware. Normally it is a flaw in the programming of the software that creates bugs within it. One of the most common bugs is buffer overflow, where the programmer has allocated a small, fixed amount of memory to store a specific amount of data. When the volume of data written to the storage area exceeds the space allocated, a buffer overflow occurs, which can crash the system and leave it open to an intruder.
Spoofing
A spoofing attack is a situation in which an individual or a program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage. A router only needs the destination address to forward a packet; the source address is used only when the destination responds to the packet. A hacker takes advantage of this weakness in the network and forges (spoofs) the source address. MITM is an example of spoofing.
MITM Attack
In a MITM attack, the attacker intercepts messages in a public key exchange and then retransmits them, substituting the attacker's own public key for the requested one, so that the two parties still appear to be communicating with each other. Since the attack takes place during transmission, several methods are used to authenticate this process. The most common is to send encrypted secondary data that must be verified before a transaction can take place. Some online businesses have adopted methods such as secret keys to verify the genuineness of a customer before processing an order.
Replay Attacks
A breach of security in which information is captured and stored without authorisation and then retransmitted to trick the receiver into unauthorised operations such as false identification or authentication, or a duplicate transaction. For example, messages from an authorised user may be captured and resent the next day. Though the attacker cannot read the encrypted message, it can get into the network using this retransmission. This attack can be prevented by attaching a hash to the message.
TCP/IP Hijacking
It is also called session hijacking. Session hijacking is a security attack, carried out by an intruder, that attempts to insert commands into an active login session. The most common method of session hijacking is IP spoofing, in which the attacker uses source-routed IP packets to insert commands into an active transmission between two nodes on a network. In this way the attacker masquerades as one of the authenticated users.
Wardialing
Wardialing is the use of a communication device such as a modem to find electronic devices, including systems, that are connected to an accessible network. Wardialing can be very troublesome for someone with a single line, as it ties up the system. Wardialers typically hang up after two rings, when a person answers, or when the call is rejected as uninteresting. If an organisation has numerous phone connections, all of them will start ringing simultaneously.
Social Engineering
In computer security, social engineering is a term that describes a non-technical intrusion that relies heavily on human interaction and often involves tricking individuals into breaking normal security procedures.
Shoulder Surfing
Shoulder surfing refers to direct observation, such as looking over an individual’s shoulder to see whatever they are entering into a form, an ATM machine or a password field.
Dumpster Diving
It is the practice of sifting through commercial or residential trash to find items that have been discarded by their owners but which may be useful to the dumpster diver. Information such as a phone list, calendar or organisational chart can be used to assist an attacker using social engineering techniques.
For more information on Social Engineering refer chapter 2 Operational Organisational Security.
Passive Attacks
In a passive attack the hacker attempts to steal information stored in a system by eavesdropping. The attacker only reads the information rather than modifying, deleting or replacing it. This type of attack is mostly used in cryptanalysis.
Vulnerability Scanning
Vulnerability scanning is important to hackers as well as to those who protect a network. Hackers use a scanner to identify weaknesses in a system; a security administrator uses it to detect flaws in the network and fix them.
Sniffing
Eavesdropping on a network is called sniffing. A sniffer illegitimately captures data transmitted on a network. Sniffer software can also be used legitimately to monitor and analyze network traffic, detecting bottlenecks and problems. Tcpdump is the most common UNIX sniffing tool and is available with most Linux distributions.
Password Attacks
Password attacks are very common, as they are easy to perform and frequently lead to a successful intrusion. There are two types of password guessing attack: brute force attacks and dictionary-based attacks.
Brute Force Attacks
This attack consists of trying every possible code, combination or password until the right one is revealed. The number of characters used in a password is estimated to be between 4 and 16. If 100 different values can be used for each character of a password, there are only 100^4 to 100^16 password combinations. Though the number of combinations is large, it is still vulnerable to brute force attack.
To increase security against brute force attacks:
- Increase the length of the password
- The password should contain characters other than numbers, such as * or #
- Impose a 30 second delay between failed authentication attempts
- Add policies for locking the account after five failed authentication attempts
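Added example, not from the unit notes: the last two measures above (a 30 second delay between failed attempts and a lockout after five failures) implemented as an authentication front end in C. The account record, the user name and password, and the function names authenticate and guesses_evaluated_before_lock are constructed for illustration; the string comparison stands in for a real credential check, and the current time is passed in as a number of seconds so the policy can be exercised without waiting.

```c
#include <string.h>

/* Added example, not from the unit notes. Constructed account store
 * with one user; time is supplied by the caller in seconds. */
#define DELAY_SECONDS 30
#define MAX_FAILURES 5

enum auth_result { AUTH_OK, AUTH_BAD_PASSWORD, AUTH_TOO_SOON, AUTH_LOCKED };

struct account {
    const char *user;
    const char *password;   /* stands in for a stored password hash */
    int failures;           /* consecutive failed attempts */
    long last_failure;      /* time of the most recent failure */
    int locked;
};

/* Compares every byte instead of stopping at the first mismatch, so the
 * response time does not reveal how many leading characters matched. */
static int same_secret(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb, i;
    unsigned char diff = (unsigned char)(la != lb);
    for (i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Applies the policy: locked accounts are refused outright, an attempt
 * within DELAY_SECONDS of the last failure is not even evaluated, and
 * the MAX_FAILURES-th consecutive failure locks the account. */
enum auth_result authenticate(struct account *acct, const char *attempt, long now)
{
    if (acct->locked) return AUTH_LOCKED;
    if (acct->failures > 0 && now - acct->last_failure < DELAY_SECONDS)
        return AUTH_TOO_SOON;                 /* delay: guess not checked */
    if (same_secret(acct->password, attempt)) {
        acct->failures = 0;                   /* success resets the counter */
        return AUTH_OK;
    }
    acct->failures++;
    acct->last_failure = now;
    if (acct->failures >= MAX_FAILURES) {
        acct->locked = 1;
        return AUTH_LOCKED;
    }
    return AUTH_BAD_PASSWORD;
}

/* Simulates a guesser that sends a wrong password every 5 seconds to a
 * constructed account. Returns how many guesses were actually evaluated
 * before the account locked (the rest were dropped by the delay). */
int guesses_evaluated_before_lock(void)
{
    struct account acct = {"alice", "c0rrect-h0rse", 0, 0, 0};
    int evaluated = 0;
    long t;
    for (t = 0; t < 1000; t += 5) {
        int was_locked = acct.locked;
        enum auth_result r = authenticate(&acct, "wrong", t);
        if (r != AUTH_TOO_SOON && !was_locked) evaluated++;
        if (acct.locked) break;
    }
    return evaluated;
}
```

In the simulation only 5 of the guesser's attempts are ever checked, spread over two minutes, after which the account is locked; the same delay applies to the legitimate user after a typo, which is the usability cost of the policy.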
Dictionary-Based Attacks
A dictionary-based attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as the password. This attack is not feasible against systems that require multiple words or additional characters in the password. These attacks are also used by spammers.
Malicious Code Attacks
Malicious code is a threat that is hard for antivirus software to block. Malicious code consists of auto-executing applications. It can take the form of Java applets, ActiveX controls, plug-ins, pushed content, scripting languages or a number of newer programming languages designed to enhance web pages and e-mail. Usually the victim is unaware of the malicious code attack, making it virtually impossible to recognise an assault until it is too late. Protection against malicious code attacks should be proactive and frequently updated for new kinds of attack. The most dangerous malicious code attempts to access and delete, steal, alter or execute unauthorised files. Such an attack can steal passwords, files or other confidential data. Malicious code can also delete, encrypt or modify files on a disk.
In a system, malicious code hides in specific areas. Some areas where malicious code hides are as follows:
- Web content
- Legitimate sites
- File downloads
- Pushed content
Cryptographic Attacks
Cryptographic attacks are methods of evading the security of a cryptographic system by finding weaknesses in areas such as the codes, ciphers, cryptographic protocols or key management scheme of the cryptographic algorithm. Such attacks include backdoors, viruses, trojans, worms, software exploitation and weak keys.
Malware
It is software designed to infiltrate a computer system without the consent of the owner. Malware includes computer viruses, worms, trojan horses and spyware.
Viruses
A virus is a program or piece of code that is loaded onto a computer without the knowledge of the user and runs against the user’s wishes. Viruses can transmit themselves by attaching to a file or email, or via a CD or external memory.
Spyware
Spyware is a type of malware that is installed on systems and collects small amounts of information at a time about the users without their knowledge. Spyware is Internet terminology for advertising-supported software such as adware. Not all adware is spyware: there are also products that display advertising but do not install any tracking mechanism on the system. Spyware programs can collect various types of personal information, such as Internet surfing habits and websites that have been visited. It can also interfere with the user’s control of the system, for example by installing additional software and redirecting web browser activity. Updated anti-spyware software is used to protect the system from spyware.
References:
Text Book:
- Information Security: Principles and Practice by Mark Stamp, Wiley.
Reference Books:
- Introduction to Computer Security by Bishop and Venkatramanayya, Pearson Education.
- Cryptography and Network Security: Principles and Practice by Stallings, PHI.