At COE Security, our constant effort has been to protect the integrity of an enterprise's valuable information.
Our research labs have given us the knowledge needed to identify and combat both known and unknown threats that plague a product. Known threats are identified by signatures, files copied onto the hard drive upon installation, registry keys, protocol analysis and other indicators; unknown threats we identify by studying the product's behaviour over a period of time.
The following is a description of a few of these threats:
REVERSE TROJAN (Server-to-Client)
The most dangerous and malicious program, where the server is active and the client passive. This kind of attack can bypass firewalls, IDSs, anti-virus software, spyware removal tools, etc.
When a PC has been infected by a reverse trojan, it starts to continuously send confirmation messages to a server located outside the organization's trusted network. It keeps messaging the server until a request is present on the server. Once a request has been found, the trojan fetches it and performs the requested tasks. These tasks can vary from transferring data to formatting a drive.
This trojan cannot be blocked by a firewall or IDS because the request is 'fetched' from within the network rather than being pushed in from outside.
How can a Reverse Trojan enter your system?
1) It can be injected directly by somebody who has access to the PC or Network.
2) It can be sent in mail disguised as an innocuous discount offer or some other advertisement (Mail Attachments).
3) It can be injected in a product that has either been downloaded or bought from the market or even developed in-house. This product, when installed on the PC, will also deploy the Reverse Trojan. This kind of poisoning of a software product can be done by a competitor or attacker or a disgruntled employee.
4) It can enter by way of file sharing (peer to peer).
Impact
1) Possibility of injection of other malicious code like Virus, Worms, etc.
2) Disclosure of sensitive information like intellectual property, usernames and passwords, financial information, encryption keys, etc. to an unauthorised user.
3) Possibility of unauthorised remote access.
4) Possibility of complete system and even network compromise.
5) Loss of information integrity.
6) Loss of revenue.
7) Loss of goodwill, brand value and credibility.
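The polling behaviour described above is also the defender's handle on it: the implant connects out at a steady cadence, so regularity of outbound connections is the signal to look for. The script below is an added example, not COE Security's own code; its log format, addresses and thresholds are constructed for illustration.

```python
"""Beacon detection over constructed outbound-connection log lines.

A reverse trojan polls an outside server from inside the network at a
steady cadence.  We group outbound connections by (source, destination),
measure the gaps between successive connections, and flag pairs whose
gaps are many and nearly identical.  The log format, hosts and
thresholds are assumptions constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <src_ip> <dst_ip>:<port>" per line.
# 10.0.0.5 polls 203.0.113.10:443 every 60 s; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2024-01-01T09:00:00 10.0.0.5 203.0.113.10:443
2024-01-01T09:00:03 10.0.0.7 198.51.100.20:443
2024-01-01T09:01:00 10.0.0.5 203.0.113.10:443
2024-01-01T09:01:41 10.0.0.7 198.51.100.21:80
2024-01-01T09:02:00 10.0.0.5 203.0.113.10:443
2024-01-01T09:02:09 10.0.0.7 198.51.100.20:443
2024-01-01T09:03:00 10.0.0.5 203.0.113.10:443
2024-01-01T09:03:52 10.0.0.7 198.51.100.22:443
2024-01-01T09:04:00 10.0.0.5 203.0.113.10:443
2024-01-01T09:04:30 10.0.0.7 198.51.100.20:443
2024-01-01T09:05:00 10.0.0.5 203.0.113.10:443
"""


def parse_log(text):
    """Return {(src, dst): [timestamps]} for every outbound pair seen."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        pairs[(src, dst)].append(datetime.fromisoformat(ts))
    return pairs


def find_beacons(pairs, min_connections=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    max_jitter is the coefficient of variation (stdev / mean of the gaps)
    above which a pair is treated as irregular, i.e. probably a human.
    Returns a sorted list of (src, dst, mean_gap_seconds).
    """
    hits = []
    for (src, dst), times in pairs.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((src, dst, avg))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, gap in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every {gap:.0f}s")
```

Real implants often randomise their polling interval, so in practice max_jitter is tuned upward and the result is triaged against known-good services (update checks, monitoring agents) that also poll regularly.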
TIME BOMB
A dangerous logic in an application which gets activated only on a certain predetermined date and time.
Often used by disgruntled and dishonest employees who find out they're to be fired or by dishonest consultants who put unauthorized time-outs into their programs without notifying their clients. Time bombs are Trojan horse programs that activate at a certain time or date.
How can a Time Bomb enter your system?
1) It can be injected directly by somebody who has access to the PC or Network.
2) It can be sent in mail disguised as an innocuous discount offer or some other advertisement (Mail Attachments).
3) It can be injected in a product that has either been downloaded or bought from the market or even developed in-house. This product, when installed on the PC, will also deploy the Time Bomb. This kind of poisoning of a software product can be done by a competitor or attacker or a disgruntled employee.
4) It can enter by way of file sharing (peer to peer).
Impact
1) It can impact in many ways depending on the kind of threat that gets activated at the predetermined time and date.
2) It can range from disclosure of confidential information to complete system compromise.
BOTS
A snippet of malicious code that can use your PC as a front for sending unsolicited advertisement emails or chat messages, or even for launching DoS attacks on remote servers and/or networks.
When a PC is infected by a bot, it inadvertently starts sending spam or random emails or chat messages containing advertisements to unsuspecting users. The bot slyly downloads promotional content from its parent server and uses your PC's resources and network bandwidth to send that content out. Moreover, all this unwanted traffic appears to come from your email or IRC (chat client) address.
Types
Spam Bots
These bots, like the name suggests, read email addresses from your address book and send spam emails masquerading them as coming from you.
IRC AD Bots
Popular chat servers are targeted by these bots. They, under the guise of the host PC, enter random chat rooms and start sending unsolicited and obscene chat messages to both users in the chat room and users on the chat client’s list of contacts.
DoS Bots
The most dangerous of all. These bots can launch a Denial of Service attack on a remote PC, server or network from your PC. This enables the actual attacker to remain hidden as he uses your credentials to perform his dirty work.
Impact
1) Loss of productivity due to slowed down system and network performance.
2) Impact on revenue owing to unnecessary consumption of valuable bandwidth.
3) Can lead to system crash and in turn loss of valuable data.
4) Loss of goodwill and brand value among customers and friends.
LOGIC BOMB
Another component designed to activate under certain conditions.
A logic bomb is a piece of code intentionally inserted into a software system that sets off a malicious function when specified conditions are met.
How can a Logic Bomb enter your system?
1) It can be injected directly by somebody who has access to the PC or Network.
2) It can be sent in mail disguised as an innocuous discount offer or some other advertisement (Mail Attachments).
3) It can be injected in a product that has either been downloaded or bought from the market or even developed in-house. This product, when installed on the PC, will also deploy the Logic Bomb. This kind of poisoning of a software product can be done by a competitor or attacker or a disgruntled employee.
4) It can enter by way of file sharing (peer to peer).
Impact
1) Can crash the system leading to data loss.
2) Can give a remote user access to the system.
3) Loss of productivity.
4) Loss of revenue owing to data loss and subsequent recovery.
KEY LOGGERS
Malicious programs that secretly capture or log all keyboard input, take screenshots, capture stored passwords and transfer or mail them to attackers located outside the trusted local network.
Types
Type 1 (Basic): The most basic form of keylogger available. They secretly capture all the keystrokes on a machine and store them in a file on the local machine itself. These are primarily used to spy on other users of the same PC.
Type 2 (Standard): Apart from logging all the keystrokes on a PC, Type 2 keyloggers go a step further and transfer the keystroke file by email to a source (attacker) sitting outside the trusted network.
Type 3 (Advanced): A sophisticated version of Type 2 keyloggers. While a Type 2 keylogger can be blocked from sending emails by a firewall or an IDS, a Type 3 keylogger uses more advanced techniques like browser injection to transmit data.
Type 4 (Sophisticated): These capture not just keystrokes but screenshots of all activity on the PC. Screenshots are taken at regular intervals, compressed and transferred to an unauthorised user (the owner of the keylogger).
The most sophisticated form of Keylogger can be called Spyware.
How can a Keylogger enter your system?
1) It can be injected directly by somebody who has access to the PC or Network.
2) It can be sent in mail disguised as an innocuous discount offer or some other advertisement (Mail Attachments).
3) It can be injected in a product that has either been downloaded or bought from the market or even developed in-house. This product, when installed on the PC, will also deploy the keylogger. This kind of poisoning of a software product can be done by a competitor or attacker or a disgruntled employee.
Impact
1) Disclosure of confidential information like intellectual property, usernames and passwords, financial information, encryption keys, etc. to unauthorised parties.
2) Loss of revenue.
3) Loss of goodwill and brand value.
SNIFFERS
As the name suggests, a packet sniffer can sniff traffic travelling over the network and decode its content. The content might be anything from usernames and passwords to confidential emails.
This content after being decoded can be transmitted to unauthorised people outside the organization.
Types
Portable Sniffers: Portable sniffers are stand-alone software that can be installed on a PC. They capture data in real time and store it for later retrieval.
Distributed Sniffers: Distributed sniffers have two parts: a Monitoring Probe, which is a software program deployed at various points in the network, and a Console, which is a software package installed on a central machine such as a server to monitor all the probes.
Attackers commonly use Portable Sniffers to perform their activities as using Distributed Sniffers requires unlimited access to network resources.
How can a Sniffer enter your system?
1) It can be injected directly by somebody who has access to the PC or Network.
2) It can be sent in mail disguised as an innocuous discount offer or some other advertisement (Mail Attachments).
3) It can be injected in a product that has either been downloaded or bought from the market or even developed in-house. This product, when installed on the PC, will also deploy the Sniffer. This kind of poisoning of a software product can be done by a competitor or attacker or a disgruntled employee.
Impact
1) Disclosure of sensitive information like usernames and passwords, business email, financial information, etc. to an unauthorised user.
2) Hogging of network bandwidth and slowing down of network performance.
3) Loss of productivity.
BACKDOORS
Developers usually put some access points in the software they develop for easy navigation during development and testing. Backdoors / trapdoors are such system access points that are inadvertently left available even after software release.
A backdoor can also be used by a hacker, who installs it on the victim's computer to allow access to the system at a later time. The goal of the backdoor is to remove the evidence of the initial entry from the system's logs. An efficient backdoor allows a hacker to retain access to a machine he has penetrated even if the intrusion has in the meantime been detected by the system administrator.
The main purpose of a backdoor is to get around the security measures installed to protect a computer system and allow remote access into the system. One of the most popular methods of opening backdoors is Trojan horses.
Impact
- Allows unauthorized access to the machine by a remote user.
- Confidential information can be stolen or destroyed by the attacker.
- The attacker can access servers on the network and take complete control of them.
- Can insert viruses, worms and spyware into the computer.
- Can crash a single computer or multiple computers on the network.
- Can send hundreds of requests to a network server that the server cannot respond to, which can bring down a corporate web site if the site is hosted on that server.
ROOTKITS
They are a set of tools that enable the intruder to maintain his stealth after gaining access to the system. In other words, the intruder uses rootkits in order to maintain access to the remote system without the owner’s knowledge.
Types
File or User Level Rootkits: These kits operate at application level and intercept standard user-mode APIs, affecting users with lower privileges. They can replace legitimate programs with trojaned versions of login, ls, ps, find, etc. They usually target files that are commonly used by administrators.
Kernel Level Rootkits: These kits are more advanced than user-level kits and are therefore more difficult to detect. They operate at kernel level, masquerading as device drivers. Further, they do not modify system files, in order to avoid detection by integrity checkers. Attackers use these kits to intercept system calls, as they operate at lower levels of the Windows architecture.
Process Hijacking: These are a kind of rootkit that sits inside a legitimate process. They are extremely difficult to detect, but they do not survive a system reboot.
How can a Rootkit enter your system?
Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. Attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques, to manually install rootkits. Or, in some cases, rootkits can be installed automatically upon execution of a virus or worm or simply even by browsing to a malicious website.
Impact
1) Disclosure of sensitive information like intellectual property, usernames and passwords, financial information, encryption keys, etc. to an unauthorised user.
2) Possibility of unauthorised remote access.
3) Possibility of complete system and even network compromise.
4) Can cause a system crash and in turn loss of valuable data.
5) Loss of information integrity.
6) Loss of revenue.
7) Loss of goodwill, brand value and credibility.
VIRUS
Malicious software that causes damage to a computer system. The damage can range from repeatedly displaying a pop-up message to crashing the system and losing important data. It duplicates itself within a computer system, potentially attaching itself to every software application.
Types
Boot viruses: These viruses infect floppy disk boot records or master boot records on hard disks. They replace the boot record program, copying it elsewhere on the disk or overwriting it. Boot viruses load into memory if the computer tries to read the disk while it is booting.
Examples: Form, Disk Killer, Michelangelo, and Stone virus
Program viruses: These infect executable program files, such as those with extensions like .BIN, .COM, .EXE, .OVL, .DRV (driver) and .SYS (device driver). These programs are loaded in memory during execution, taking the virus with them. The virus becomes active in memory, making copies of itself and infecting files on disk.
Examples: Sunday, Cascade
Multipartite viruses: A hybrid of Boot and Program viruses. They infect program files and when the infected program is executed, these viruses infect the boot record. Examples: Invader, Flip, and Tequila
Stealth viruses: These viruses use certain techniques to avoid detection. They may either redirect the disk head to read another sector instead of the one in which they reside or they may alter the reading of the infected file’s size shown in the directory listing.
Examples: Frodo, Joshi, Whale
Polymorphic viruses: A virus that can encrypt its code in different ways so that it appears differently in each infection. These viruses are more difficult to detect.
Examples: Involuntary, Stimulate, Cascade, Phoenix, Evil, Proud, Virus 101
Macro Viruses: A macro virus is a new type of computer virus that infects the macros within a document or template. When you open a word processing or spreadsheet document, the macro virus is activated and it infects the normal template.
Examples: DMV, Nuclear, Word Concept.
ActiveX: ActiveX and Java controls will soon be the scourge of computing. Most people do not know how to control their web browser to enable or disable the various functions like playing sound or video and so, by default, leave a nice big hole in their security by allowing applets a free run on their machine.
These are just a few broad categories. There are many more specialized types.
How can a Virus enter your system?
1) It can be injected directly by somebody who has access to the PC or Network.
2) It can be sent in mail disguised as an innocuous discount offer or some other advertisement (Mail Attachments).
3) It can be injected in a product that has either been downloaded or bought from the market or even developed in-house. This product, when installed on the PC, will also deploy the Virus. This kind of poisoning of a software product can be done by a competitor or attacker or a disgruntled employee.
4) It can enter by way of file sharing (peer to peer).
Impact
1. Damage to expensive hardware, software and files.
2. Waste of time and money in recovery.
3. Loss of employee productivity (affects the entire organization).
4. Hogging of network bandwidth.
5. Can cause a system crash and lead to complete data loss.
6. Tarnished reputation and in turn loss of goodwill and brand value.
7. Loss of revenue.
8. Sometimes the virus spreads rapidly, causing devastating impact on millions of computer users in thousands upon thousands of companies worldwide.
SPYWARE
It is a broad category of malicious software which intercepts or takes partial control of a computer's operation without the informed consent of that machine's owner or legitimate user.
Spyware covertly gathers a user's information through the Internet connection without his or her knowledge. Spyware applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet. Once installed, the spyware monitors user activity on the Internet and transmits that information in the background to someone else. Most of the more advanced spy programs run completely hidden.
Types
Web Bugs are ActiveX controls or cookies that track what the user is doing on web sites so that the web site can then display targeted advertising banners and popups.
Advertiser software (adware) is software installed with certain ad-supported programs which tracks what the user does online in order to send targeted advertising in the form of popups and other often annoying methods.
Stand-Alone Computer Monitoring/Surveillance software is software for use by bosses, spouses, private investigators, identity thieves, X's and others for one purpose: to record everything people do on their computers...SILENTLY. These include URL recorders, keyloggers, chat monitors, screen recorders, program loggers and more!
How can a Spyware enter your system?
1) It can be injected directly by somebody who has access to the PC or Network.
2) It can be sent in mail disguised as an innocuous discount offer or some other advertisement (Mail Attachments).
3) It can be injected in a product that has either been downloaded or bought from the market or even developed in-house. This product, when installed on the PC, will also deploy the Spyware. This kind of poisoning of a software product can be done by a competitor or attacker or a disgruntled employee.
4) It can enter by way of file sharing (peer to peer).
5) From unscrupulous websites.
Impact
1) Spy software makes it easy for anybody to get vital financial information, credit card numbers, intellectual property, business communication (emails), website passwords, etc.
2) Loss of confidential information.
3) Loss of the organization's information integrity.
4) Loss of brand value and goodwill.
5) Loss of revenue due to recovery and loss of information.
WORM
Propagates through a network thus hogging the bandwidth and slowing down the network considerably.
In other words, Worms are reproducing programs that run independently and travel across network connections.
Types
Email Worms: They spread through email messages as an attachment or as a link to an infected website.
Instant Messaging Worms: They spread through instant messaging applications, sending links to infected websites to everyone on the local contact list.
Internet Worms: These worms scan all available network resources using local operating system services and/or scan for vulnerable machines on the Internet. On finding a vulnerable machine, the worm sends data packets or requests that install the worm there.
IRC Worms: These worms target chat channels, spreading by sending links to infected websites.
File-sharing Network Worms: This type of worm copies itself into a shared folder on the local machine under a harmless name. It then spreads the infected file via the peer-to-peer network.
Impact
1) Loss of productivity due to slowed down system and network performance.
2) Impact on revenue.
3) Can lead to system crash and in turn loss of valuable data.
TROJAN HORSE
Same as Virus or Worm, but also sometimes used to send confidential information like username and passwords, back to the perpetrator.
A Trojan horse is used to enter a victim's computer undetected, granting the attacker unrestricted access to the data stored on that computer and causing great damage to the victim. A Trojan can be a hidden program that runs on the computer without the owner's knowledge, or it can be 'wrapped' into a legitimate program and therefore have hidden functions that the user is not aware of.
Types
Remote access Trojans: With the help of these, the attacker takes total control of the victim's machine. Examples are the Back Orifice and Netbus Trojans.
Data-sending Trojans (passwords, keystrokes etc.): The purpose of these Trojans is to send data back to the hacker, such as passwords (ICQ, IRC, FTP, HTTP) or confidential information such as credit card details, chat logs, address lists, etc.
An example of this is the Badtrans.B email virus (released in the wild in December 2001).
Destructive Trojans: The only function of these Trojans is to destroy and delete files (for example .dll, .ini or .exe files, and possibly others) on your machine.
Denial of service (DoS) attack Trojans: These Trojans give the attacker the power to start a distributed denial of service (DDoS) attack if there are enough victims.
Proxy Trojans: These Trojans turn the victim's computer into a proxy server, making it available to the whole world or to the attacker alone. It is used for anonymous Telnet, ICQ, IRC, etc., to make purchases with stolen credit cards, and for other such illegal activities.
FTP Trojans: These Trojans open an FTP server on the victim’s machine that might store and serve illegal software and/or sensitive data, and allow attackers to connect to your machine via FTP.
Security software disablers: These are special Trojans, designed to stop/kill programs such as anti-virus software, firewalls, etc. Once these programs are disabled, the hacker is able to attack your machine more easily.
How can a Trojan enter your system?
1) It can be injected directly by somebody who has access to the PC or Network.
2) It can be sent in mail disguised as an innocuous discount offer or some other advertisement (Mail Attachments).
3) It can be injected in a product that has either been downloaded or bought from the market or even developed in-house. This product, when installed on the PC, will also deploy the Trojan. This kind of poisoning of a software product can be done by a competitor or attacker or a disgruntled employee.
4) It can enter by way of file sharing (peer to peer).
Impact
1) Private and sensitive information like credit card information, financial data, confidential documents can be stolen.
2) Compromising the computer and using it for illegal purposes such as to hack, scan or infiltrate other machines on the network or internet.
3) Important files can be destroyed. (Loss of data integrity).
4) Possibility of complete system and even network compromise.
5) Loss of revenue.
6) Loss of goodwill, brand value and credibility.
Software Malfunction
Malfunction in the operation of the software due to faulty code or data.
Hardware Malfunction
Faulty hardware.