Uploaded by adhikya03
Unit-3

⦿ Tools and Methods Used in Cybercrime:

Introduction, Proxy Servers and Anonymizers, Phishing, Password Cracking, Keyloggers and Spywares, Virus and Worms, Trojan Horse and Backdoors, Steganography, DoS and DDoS attacks, Injection Attacks, SQL Injection, Ransomware, Cross-Site Scripting Attacks, ARP Spoofing Attacks, SYN Floods and detecting SYN Scans.

⦿ Various tools and techniques used to launch attacks against the target:

• Scareware
• Malvertising
• Clickjacking
• Ransomware
⦿ The basic stages of an attack are described here to understand how an attacker can compromise a network:
1. Initial uncovering:
• Two steps are involved: 1) Reconnaissance; 2) The attacker uncovers information
2. Network probe
3. Crossing the line toward E-crime
4. Capturing the network
5. Grab the data
6. Covering tracks
⦿ A proxy server is a computer on a network that acts as an intermediary for connections with other computers on that network
⦿ The attacker first connects to the proxy server
⦿ A proxy server can allow an attacker to hide their identity
⦿ Purpose of a proxy server:
• Keep the system behind the curtain
• Speed up access to resources
• Specialized proxy servers are used to filter unwanted content such as advertisements
• A proxy server can be used as an IP address multiplexer, enabling a number of computers to connect to the Internet through it
⦿ An anonymizer or anonymous proxy is a tool that attempts to make activity on the Internet untraceable
⦿ It accesses the Internet on the user’s behalf, protecting personal information by hiding the source computer’s identifying information
⦿ Introduced in 1996
⦿ Phishing: fake E-Mail using another reputed company’s or individual’s identity
⦿ People associate phishing with E-Mail messages that spoof or mimic banks, credit card companies or other businesses such as Amazon and eBay
Phishers work as follows:
⦿ Planning: decide the target and determine how to get E-Mail addresses
⦿ Setup: create methods for delivering the message and for collecting data about the target
⦿ Attack: send a phony message that appears to be from a reputable source
⦿ Collection: record the information victims enter into web pages or pop-up windows
⦿ Identity theft and fraud: use the information gathered to make illegal purchases and commit fraud
⦿ A computer virus is a program that can “infect” legitimate programs by modifying them to include a possibly “evolved” copy of itself.
⦿ Viruses spread themselves without the knowledge or permission of the users
⦿ Contains malicious instructions
⦿ A virus can start on event-driven effects, time-driven effects, or can occur at random.
⦿ Viruses can take some actions:
• Display a message to prompt an action through which the virus enters
• Scramble data on the hard disk
• Delete files inside the system
• Cause erratic screen behavior
• Halt the PC
• Replicate themselves
⦿ A true virus can only spread from one system to another
⦿ A worm spreads itself automatically to other computers through networks by exploiting security vulnerabilities
Viruses are categorized based on the element of the system they attack:
⦿ Boot sector viruses:
• Infect the storage media on which the OS is stored and which is used to start the computer system
• Spread to other systems when shared infected disks and pirated software are used
⦿ Program viruses:
• Active when a program file (usually with extension .bin, .com, .exe, .ovl, .drv) is executed
• Make a copy of themselves
⦿ Multipartite viruses:
• Hybrid of boot sector and program viruses
⦿ Stealth viruses:
• Mask themselves
• Antivirus S/W also cannot detect them
• Alter the file system and hide in computer memory to remain in the system undetected
• The first computer virus, named Brain, was of this type
⦿ Polymorphic viruses:
• Like a “chameleon” that changes its virus signature (i.e., binary pattern) every time it spreads through the system (i.e., multiplies and infects a new file)
• Polymorphic generators are routines that can be linked with existing viruses
• Generators are not viruses themselves; their purpose is to hide actual viruses under the cloak of polymorphism
⦿ Macro viruses:
• Infect documents produced on the victim’s computer
⦿ ActiveX and Java controls:
⦿ A Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause harm
⦿ Gets into a system in a number of ways, including via the web browser, E-Mail, or software downloaded from the Internet
⦿ Trojans do not replicate themselves, but they can be equally destructive
⦿ Examples of threats by Trojans:
• Erase, overwrite or corrupt data on the computer
• Help to spread other malware
• Deactivate or interfere with antivirus and firewall
• Allow remote access to your computer
• Upload and download files without the user’s knowledge
• Gather E-Mail addresses and use them for spam
• Slow down, restart or shut down the system
• Reinstall themselves after being disabled
• Disable Task Manager or Control Panel
• Copy fake links to false websites, display pornographic sites, play sounds/videos and display images
• Log keystrokes to steal information such as passwords or credit card numbers
⦿ A backdoor is a means of access to a computer program that bypasses security mechanisms
⦿ Programmers use it for troubleshooting
⦿ Attackers often use backdoors that they detect or install themselves as part of an exploit
⦿ Works in the background and hides from the user
⦿ Most dangerous parasite, as it allows a malicious person to perform any possible action
⦿ Programmers sometimes leave such backdoors in their software for diagnostic and troubleshooting purposes; attackers discover these undocumented features and use them
⦿ Allows an attacker to create, delete, rename, copy or edit any file; change any system setting; alter the Windows registry; run, control and terminate applications; install arbitrary software
⦿ Control computer hardware devices, modify related settings, shut down or restart the computer without asking for user permission
⦿ Steals sensitive personal information, logs user activity, tracks web browsing habits
⦿ Records keystrokes
⦿ Sends all gathered data to a predefined E-Mail address
⦿ Infects files, corrupts installed applications and damages the entire system
⦿ Distributes infected files to remote computers and performs attacks against hacker-defined remote hosts
⦿ Installs a hidden FTP server that can be used by a malicious person
⦿ Degrades Internet connection speed and overall system performance
⦿ Provides no uninstall feature and hides processes, files and other objects to complicate its removal as much as possible
⦿ Back Orifice:
• Enables a user to control a computer running the Microsoft Windows OS from a remote location
⦿ Bifrost:
• Infects Windows 95 through Vista
⦿ SAP backdoors
⦿ Onapsis Bizploit
⦿ Stay away from suspect websites/web links
⦿ Surf the web cautiously
⦿ Install antivirus/Trojan remover software
⦿ Steganography is a Greek word that means “sheltered writing”
⦿ It comes from 2 Greek words:
• Steganos, meaning “covered”
• Graphein, meaning “to write”; together, “concealed writing”
⦿ Steganalysis:
• Detecting messages hidden in images or audio/video files using steganography
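As an added example (not part of the original slides), the following Python shows LSB steganography on a raw grayscale byte buffer together with the pairs-of-values chi-square check that steganalysis uses to detect it; the cover, the payload and the function names are constructed for this illustration.

```python
import random

PAYLOAD = bytes(range(256)) * 2  # constructed 512-byte message, every bit balanced


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide `message` one bit per cover byte by overwriting each byte's LSB."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes, length: int) -> bytes:
    """Recover `length` bytes from the LSB plane (inverse of embed_lsb)."""
    out = bytearray()
    for i in range(length):
        byte = 0
        for b in stego[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (b & 1)
        out.append(byte)
    return bytes(out)


def pov_chi_square(data: bytes) -> float:
    """Pairs-of-values steganalysis: Pearson chi-square per degree of freedom
    over the 128 value pairs (2k, 2k+1). LSB embedding of random-looking bits
    equalises the counts within each pair, so a fully embedded buffer scores
    about 1.0, while an untouched cover with uneven pairs scores well above."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:
            stat += (a - b) ** 2 / (a + b)
            dof += 1
    return stat / max(dof, 1)


def make_cover(n: int, seed: int = 7) -> bytes:
    """Constructed cover: even values twice as likely as odd, so pairs differ."""
    rng = random.Random(seed)
    return bytes(2 * rng.randrange(128) + int(rng.random() < 1 / 3) for _ in range(n))
```

A real image is analysed the same way by feeding it the raw pixel bytes; a score near 1.0 is the signal a steganalyst looks for.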
⦿ A DoS attack is an attempt to make a computer resource unavailable to its intended users
⦿ DoS attack:
• The attacker floods the BW of the victim’s N/W or fills his E-Mail box with Spam mail, depriving him of the services he is entitled to access or provide
• Attackers typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, mobile phone networks and even root name servers
⦿ The buffer overflow technique is employed to commit this kind of criminal attack
⦿ The attacker spoofs the IP address and floods the victim’s N/W with repeated requests
⦿ As the IP address is fake, the victim machine keeps waiting for a response from the attacker’s machine for each request
⦿ This consumes the BW of the N/W, which then fails to serve legitimate requests and ultimately breaks down
⦿ The US Computer Emergency Response Team (US-CERT) defines the symptoms as:
• Unusually slow n/w performance (opening files or accessing websites)
• Unavailability of a particular website
• Inability to access any website
• Dramatic increase in the no. of Spam E-Mails received
⦿ The goal of DoS is not to gain unauthorized access to systems or data, but to prevent intended users of a service from using it.
⦿ Activities carried out in a DoS attack:
• Flood a n/w with traffic
• Disrupt the connection between 2 systems
• Prevent a particular individual from accessing a service
• Disrupt service to a specific system or person
⦿ Bandwidth attacks
• Consume all the bandwidth of the site
⦿ Logic attacks
• Exploit vulnerabilities in n/w s/w such as the web server or TCP/IP stack
⦿ Protocol attacks
• Exploit a specific feature or implementation bug of some protocol installed at the victim’s system to consume an excess amount of its resources
⦿ Unintentional DoS attacks
1. Flood attack (Ping flood):
• The attacker sends a large number of ping packets, using the “ping” command, resulting in more traffic than the victim can handle
• This requires the attacker to have a faster n/w connection than the victim
• Prevention is difficult
2. Ping of death attack:
• Sends oversized ICMP packets
• Receiving such a packet will crash, freeze or reboot the system
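As an added example that is not part of the slides, the following Python implements detection logic for the two attacks above over constructed ICMP echo-request records: a sliding-window rate check for ping floods and a reassembly-extent check for ping of death; the record format, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

IPV4_MAX_LEN = 65535  # largest datagram the IPv4 total-length field can express


@dataclass(frozen=True)
class Echo:
    """One ICMP echo-request fragment as a sensor might log it (constructed)."""
    ts: float      # arrival time in seconds
    src: str       # source IP
    ip_id: int     # IP identification field shared by fragments of one datagram
    offset: int    # fragment offset in bytes (0 for the first/only fragment)
    length: int    # payload bytes carried by this fragment


def ping_flood_sources(records, window=1.0, max_per_window=100):
    """Map each source to its peak echo-request count inside any sliding
    `window` seconds, keeping only sources that exceed `max_per_window`."""
    stamps_by_src = defaultdict(list)
    for r in records:
        if r.offset == 0:  # count each datagram once, by its first fragment
            stamps_by_src[r.src].append(r.ts)
    flagged = {}
    for src, stamps in stamps_by_src.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > max_per_window:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def ping_of_death(records):
    """Return (src, ip_id) of datagrams whose fragments reassemble past 65535 bytes."""
    extent = defaultdict(int)
    for r in records:
        key = (r.src, r.ip_id)
        extent[key] = max(extent[key], r.offset + r.length)
    return sorted(k for k, end in extent.items() if end > IPV4_MAX_LEN)


def build_sample():
    """Constructed traffic: a benign pinger, a flooder, and one oversized datagram."""
    recs = [Echo(float(i), "10.0.0.5", 100 + i, 0, 56) for i in range(5)]
    recs += [Echo(i * 0.003, "203.0.113.9", 500 + i, 0, 56) for i in range(150)]
    recs += [Echo(9.0, "198.51.100.4", 0x1234, n * 1480, 1480) for n in range(45)]
    return recs
```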
