Security Academy – Course 105 : Botnets Part 2

In part two of this course, we will talk about the types of attack that can be launched from a computer infected with a bot.

Types of attacks

Distributed Denial of Service (DDoS) is the most common one: the whole zombie army tries to bring a published service down by sending millions of requests, for example with Ping of Death packets or with ICMP traffic bounced through a reflector (Smurf attack).

Another technique is called Teardrop: bots send fragments of a malformed packet, and the victim system crashes when it tries to reassemble them.

A mailbomb, on the other hand, is when bots send massive amounts of e-mail, crashing e-mail servers.

Botmasters nowadays rent their zombie army to other people for a certain amount of money, to send spam e-mails and advertisements or even to run DDoS attacks.

Even worse, botmasters may use the botnet to run phishing attacks or install keylogging programs that steal your credit card information and passwords.

One of the most interesting uses of a botnet is manipulating internet poll results or performing click fraud. Click fraud refers to setting up a botnet to repeatedly click on a particular link. Sometimes crackers commit click fraud by targeting advertisers on their own web sites: since web advertisers usually pay sites a certain amount of money per click an ad receives, the botmaster stands to earn quite a few dollars from fraudulent site visits.

It becomes far more dangerous when it comes to identity theft, or to unknowingly participating in an attack on an important web site.

How to prevent your computer from becoming one

Prevention is the name of the game here. Below you can find some tips to keep your computers from becoming bots:

  • Install a good antivirus.
  • Keep your systems patched all the time.
  • Implement a strong firewall.
  • Use very complex passwords that are hard to guess.
  • Do not open e-mails or attachments from people you do not trust.

Sadly, if your computer is already a bot, your options are minimal. Your best shot is to erase everything and reformat the box.

Check out this YouTube link http://www.youtube.com/watch?v=RTCpCy_FFXc

Security Academy – Course 105 : Botnets Part 1

Imagine that the internet is a city. It would be the most crowded city in the world, but it would also be incredibly seedy and dangerous: you can find all types of criminals out there waiting to infect you with malware.

Inside this city, you would also discover that not everyone is who they seem to be – even yourself. You might find out that you’ve been misbehaving, although you don’t remember it. You discover you’ve been doing someone else’s bidding, and you have no idea how to stop it.

An attacker can infect a computer, turning it into a zombie computer, and use it for illegal activities. The user generally remains unaware that his computer has been taken over; he can still use it, though it might slow down considerably. As his computer begins to send out massive amounts of spam or attack web pages, he becomes the focal point of any investigation into his computer's suspicious activities.

Moving to a New Blog Platform

This post has now moved to my new blog platform at https://blog.ahasayen.com. To continue reading this blog post, follow the link below:

https://blog.ahasayen.com/malware-and-malicious-programs/

Security Academy – Course 104 : Malware Part 3

This is part three of the Malware course. In part one, we identified malware as the umbrella term, a big catchall phrase that covers all sorts of software with nasty intent. In part two, we talked about how malware reaches you [Delivery Methods]. In this part, we will talk about some of the [Actions] malware takes once you get infected. This is the interesting part!

Spyware: Steals Your Information

Spyware is a malicious computer program that does exactly what its name implies, i.e., it spies on you. After downloading itself onto your computer, through an e-mail you opened, a website you visited or a program you downloaded, spyware scans your hard drive for personal information and your internet browsing habits.

Some spyware programs contain keyloggers that record personal data you enter into websites, such as your logon usernames and passwords, e-mail addresses, browsing history, online buying habits, your computer's hardware and software configuration, your name, age and sex, as well as sensitive banking and credit information.

Some spyware can interfere with your computer’s system settings, which can result in a slower internet connection.

Since spyware is primarily meant to make money at your expense, it doesn't usually kill your PC; in fact, many people have spyware running without even realizing it. But generally those who have one spyware application installed also have a dozen more, and once you have that many pieces of software spying on you, your PC is going to become slow.

Scareware: Holds Your PC for Ransom !!

Sometimes it is called ransomware.

Lately this has become a very popular way for internet criminals to make money. This malware alters your system in such a way that you are unable to get into it normally. It then displays some kind of screen that demands some form of payment to have the computer unlocked. Access to your computer is literally ransomed by the cyber-criminal.

Sometimes the user is tricked into downloading what appears to be an antivirus application, which then proceeds to tell you that your PC is infected with hundreds of viruses and can only be cleaned if you pay for a full license. Of course, these scareware applications are nothing more than malware that holds your PC hostage until you pay the ransom; in most cases, you can't even use the PC.

Ransomware can be of the lock-screen type (it locks your computer until you pay) or the encryption type, which encrypts your files with a password until you pay.

The most famous malware of this type is the "FBI MoneyPak". It locks your screen, claiming that you broke some copyright laws or visited unauthorized pages and need to pay the FBI money to unlock your PC. Really smart!!

Adware: We will get you some Advertisements

Adware is any software that, once installed on your computer, tracks your internet browsing habits and sends you popups containing advertisements related to the sites and topics you have visited. While this type of software may sound innocent, and even helpful, it consumes your computer's processor and slows down your internet connection. Additionally, some adware has keyloggers and spyware built in, leading to greater damage to your computer and possible invasion of your private data.

Security Academy – Course 104 : Malware Part 2

In part one, we identified malware as the umbrella term, a big catchall phrase that covers all sorts of software with nasty intent. In this post, we will talk about how malware reaches you [Delivery Methods].

Virus: Breaks Stuff

[Key thing to remember] They need the first click from the user!!!

A virus is a type of malware: nothing but a piece of code. Some viruses are designed to render your PC completely inoperable, while others simply delete or corrupt your files; the general point is that a virus is designed to cause havoc and break stuff.

Often viruses are disguised as games, images, e-mail attachments, website URLs, shared files, or links or files in instant messages.

Spread:

Viruses can sometimes spread to other machines, but usually they spread slowly and most of the time rely on the user to transfer the infected file. You can have viruses on your computer, but they sit there doing nothing until you click on the executable they have attached themselves to. So they need a human action and don't propagate by themselves. Infected USB drives are a famous way of moving a virus around.

An interesting type of virus is the macro virus. A macro is a piece of code that can be embedded in a data file. In most respects, macro viruses are like all other viruses; the main difference is that they attach to data files (i.e., documents) rather than executable programs.

Effect:

A virus infects files and programs and usually destroys files. It can also interfere with computer operations by multiplying itself to fill up disk space or memory, secretly infecting your computer.

Worm: Copies Itself <massive effect>

[Key thing to remember] They don't need the first user click or any action. They can propagate on their own using your network.

Some consider them a subclass of viruses, but the key difference is that they don't need the first user click or any action; they propagate on their own.

It is called a worm because it can move around on its own. You can think of worms as viruses that are self-contained and go around searching for other machines to infect.

Effect:

Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding.

Examples

Some of the most famous worms include the ILOVEYOU worm, transmitted as an e-mail attachment, which cost businesses upwards of 5.5 billion dollars in damage. The Code Red worm defaced 359,000 web sites, SQL Slammer slowed down the entire internet for a brief period of time (75,000 infections in the first 10 minutes!), and the Blaster worm would force your PC to reboot repeatedly.

Spread

Worms are standalone software and do not require a host program or human help to propagate. They spread by exploiting a vulnerability, or by using social engineering to trick the user into spreading them.

Worms rely on the network to spread. One example would be a worm that sends a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself to everyone listed in each receiver's address book, and the chain continues on down the line.

Trojan Horses: Install a Backdoor

In simple words, a Trojan horse is software that you thought was going to be one thing but turns out to be something bad.

Do you remember that story you had to read in high school about the big wooden horse that turned out to be full of guys with spears? This is the computer equivalent.


It is a program that either pretends to have, or is described as having, a set of useful or desirable features but actually contains damaging code.

Generally, you receive Trojan horses through e-mails, infected web pages, instant messages, or download services for games, movies and apps. True Trojan horses are not technically viruses, since they do not replicate; however, many viruses and worms use Trojan horse tactics to initially infiltrate a system. So although Trojans are not technically viruses, they can be just as destructive.

Security Academy – Course 104 : Malware Part 1

The point of today's lesson is to help you teach your friends and family more about the different types of malware, and to debunk a few of the common myths about viruses. Who knows, maybe you'll learn a thing or two as well.

The meaning of these words has changed over time, and people may use one meaning for the other. In this academy, I will present my own perspective by dividing this topic into [How you get infected] and [Type of actions] once infected. This will make it easier for you to digest.

Why should I care to know this stuff in the first place??

Why is it good practice to know these terms and distinguish between them, someone may ask? Well, if you know that you got infected by a worm, you should panic more than if you got hit by a virus, because of the speed of spread. It is also nice to read one of those terms in the news and say "Oh, I know what this means!"

Another important thing: when you purchase antivirus software, check with the supplier what kinds of malware it can detect. Sometimes antivirus software protects you against some but not all of those bad guys. So pay attention!!

You will hear a lot about vulnerability and Exploit

Funny thing about software: it's written by humans. Humans are fallible and sometimes make mistakes. Sometimes those mistakes create strange behavior in programs, and sometimes that strange behavior can be used to create a hole that malware or hackers can use to get into your machine more easily. That hole is otherwise known as a vulnerability.

Triggering the strange behavior that opens a hole for hackers or malware generally requires someone to use a particular sequence of actions or text to cause the right (or is that wrong?) conditions. To be usable by malware (or, on a larger scale, by hackers), this needs to be put into code form, which is called exploit code.

It is all Malware

The word malware is a combination of two words, "malicious" and "software". Malware is the big umbrella term: it covers viruses, worms and Trojans, and even exploit code, but not vulnerabilities or buggy code, or products whose business practices you don't necessarily agree with.

The difference between malware and vulnerabilities is like the difference between something and the absence of something. Yeah, okay, that’s a bit confusing. What I mean is malware is a something. You can see it, interact with it, and analyze it. A vulnerability is a weakness in innocent software that a something (like malware or a hacker) can go through.

If you recall from previous Security Academy courses, we talked about types of attack. Well, some kinds of malware can be considered Denial of Service (DoS) attacks, because they usually do nasty stuff to your files or consume your bandwidth, memory or disk space, preventing you from using corporate resources.

Sometimes you’ll hear the term “rootkit” or “bootkit” used to describe a certain type of malware. Generally, this refers to methods that the malware uses to hide itself deep inside the inner workings of Windows so as to avoid detection.

Security Academy – Course 103 : Why in the heck do I get attacked?

Come on guys!! You should have asked yourself the WHY question by now!! So this course is about asking WHY?

Forget for a moment about attacks and how to protect your network, and ask the original question: "Why do I get hacked?" And who are those crazy people? You may also ask yourself, "Well, I didn't do anything bad to anyone, and I was a good boy." Knowing the WHY helps you add more logic to the equation.

Many of the people who are causing damage in our networks today are best compared to the people who spray-paint highway overpasses. They are in it for the sheer joy of destruction.

They may not be out to attack you specifically; as long as they ruin someone's day, that is sufficient. In some cases, they may not actually be after you at all. They may be after the vendor from whom you purchased your software or hardware: by causing damage to you, they discredit the vendor by making it seem as if the vendor's products are more insecure or cause more problems than some other vendor's system.

The people you really have to worry about are the ones who are directly targeting you. In some cases, they are attacking you actively only because you use some technology that they know how to take advantage of, and taking advantage of it will earn them money, fame, or prestige in the community of like-minded deviants.

In other cases, they are after you because you have something they want, customer accounts for example, or they are angry employees who got fired.

It really doesn't matter what organization or business you are running; there is always something that is of value to someone else. As a security expert, you need to consider what those things are, how much they are worth, and how much money to spend protecting them.

Finally, always keep in mind that the value of technology is not the technology itself; it is what you do with it. Technology is replaceable, but the services and data you use it for are not. If your systems are down, the services they would have rendered while they were down are lost forever.

As I always say: THERE IS ALWAYS SOMEONE OUT THERE WHO IS REALLY TARGETING YOU.

References: sessions and theories from Steve Riley and Jesper Johansson

Security Academy – Course 102: Types of Network Damage

I am under attack!!! Bad for you, but what damage can I expect from getting attacked? Let me talk from my experience and from a lot of theory that I have read in the past years.

Since we have four types of network attacks, we also have four types of network damage:

1. Denial of Service (DoS): the simplest and most obvious type of damage, where the attacker slows down or completely disrupts the services of your infrastructure or a portion of it. In some cases, this means crashing or destroying a system, or simply flooding your network and IP ranges with so much data that they are incapable of servicing legitimate requests.

In a flooding scenario, it usually comes down to a matter of bandwidth or speed: whoever has the fattest pipe or fastest computers usually wins. In a simple automated attack, moving the computers or the service to a different IP address can mitigate the attack.

Do not ever underestimate DoS attacks. No matter how secure you think your network is, an attacker from his home can flood your external IP ranges and bring all your published services down. Some attackers simply flood your public DNS IP ranges, making them inaccessible to legitimate requests and thus bringing all your published services down, since everything depends on DNS.

Even more, nowadays DoS attacks are offered as a paid service per hour!! So a determined attacker can ask one of those companies that sell this service to flood your public IP ranges for a certain amount of money! Funny, right?

We can also see DoS attacks in the form of distributed DoS attacks. The idea is pretty simple: an attacker tells all the computers in his botnet to contact a specific server or web site repeatedly. Attackers nowadays use zombie armies and bots. Check out future courses in this academy to learn about botnets and zombie armies.

2. Data Destruction: an attack with more serious consequences than DoS. In this type of attack, you cannot access your resources because they have been destroyed; this can be corrupted database files or a corrupted operating system. This type of attack can be mitigated by maintaining backup copies of your data.


3. Information Disclosure: this damage can be more serious than data destruction, because your public reputation can be affected. This happened to Microsoft in 2004, when someone posted portions of the Microsoft Windows source code on the internet; this attack involved portions of intellectual property. Even more, in a more sophisticated attack the victim may not know for years whether any data was disclosed. This is exactly the objective of government spies: to steal information so that they gain an advantage while the enemy is unaware of what is happening.

Think of confidential trade secrets that can be used to undermine market share, to cause embarrassment, or to obtain access to money.

Some people argue that information disclosure is more serious than data destruction (which can be mitigated by going back to backups). After all, ask victims of identity theft whether they would rather have had the criminal destroy their bank data than steal it.


4. Data Modification: this can cause the most serious damage of all. The reason, as in the case of information disclosure, is that it is very difficult to detect. Suppose that an attacker added himself to your payroll; how long would it take you to detect that? It depends on the company size.

Conclusion

I read once that a big company forces all its employees to come and pick up their paychecks instead of getting them automatically deposited. Apparently, several fake employees were discovered in the process!!!

When the Microsoft source code was discovered on the internet, the immediate concern was whether the attackers had also been able to insert a back door into the source code.

This type of damage can be very serious. Consider, for example, what would happen if attackers modified the patient blood type data in a medical database, or the tax information in an accounting database.

To learn more about these types of damage, just watch the news or browse the internet for such stories, and you will be amazed.
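The flooding damage described above, and the botnet DDoS in Course 105 Part 2, both show up in a web server's access log as a burst of requests to one resource. As an added example that is not part of the Security Academy posts, the detector below counts requests per ten-second window and per path and separates a single-source flood from a distributed one (many bots hitting the same page). The log lines, IP addresses and thresholds are all constructed for the example.

```python
"""Flag request floods in web-server access logs (added example).

Sliding-window counter: requests are bucketed by (10-second window, path).
A bucket over the request threshold is an alert; the number of distinct
source addresses decides whether it looks distributed (botnet) or like a
single source. All sample data below is constructed, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def detect_floods(lines, window_s=10, max_requests=20, distributed_min_sources=10):
    """Return one alert per (window, path) whose request count exceeds max_requests.

    Thresholds are assumptions for the example; tune them to your baseline traffic.
    """
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip unparseable lines instead of crashing
            continue
        window = int(rec["ts"].timestamp()) // window_s
        bucket = buckets[(window, rec["path"])]
        bucket["count"] += 1
        bucket["sources"].add(rec["ip"])

    alerts = []
    for (window, path), info in sorted(buckets.items()):
        if info["count"] <= max_requests:
            continue
        kind = "distributed" if len(info["sources"]) >= distributed_min_sources else "single-source"
        alerts.append({"window_start": window * window_s, "path": path,
                       "requests": info["count"], "sources": len(info["sources"]),
                       "kind": kind})
    return alerts


def _line(ip, second, path):
    """Build a constructed log line inside minute 13:55 of a fixed day."""
    return f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: normal traffic (seconds 01-05), then 40 distinct
# bot addresses hammering /login (seconds 10-19), then one address hammering
# /search (seconds 20-29). Minute boundaries always align to 10 s windows.
SAMPLE_LOG = (
    [_line(f"192.0.2.{i}", i, "/index.html") for i in range(1, 6)]
    + [_line(f"10.0.0.{i}", 10 + i % 10, "/login") for i in range(1, 41)]
    + [_line("198.51.100.7", 20 + i % 10, "/search") for i in range(30)]
)

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

Run on a real log, the same function reads the file line by line; only the thresholds and window need adjusting to the site's normal traffic.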

Security Academy – Course 101: Know Your Enemy

I decided to start the course with the most fundamental stuff: "Know your enemy"!! So this post is about the first thing that you need to know, which is: what are the types of network attacks?

Don't underestimate this knowledge, as knowing what you are facing is the first step towards protecting your network.

Network attacks can be divided into:

  1. Passive Attacks: simply listening to your network traffic, possibly capturing sensitive information, or scanning your IP ranges without taking any action.
  2. Active Attacks: an attacker actively goes after your protected resources and tries to get access to them, by modifying or injecting traffic.

We can also divide attacks into two categories:

  1. Automated Attacks: nowadays we have automated attacks. The vast majority of attacks that we hear about are automated, where the attacker creates a tool that attacks the network by itself. Those tools can get quite intelligent. To give a simple example, worms are the most famous type of automated attack. Automated attacks use a vulnerability in a system, so the best defenses against them are patching your systems and monitoring your network for suspicious events.
  2. Manual Attacks: the attacker actively analyzes your network and acts accordingly. These types of attacks are much rarer and the most dangerous.

References: sessions and theories from Steve Riley and Jesper Johansson

Security Academy – Registration Is Open

Hi everyone, and welcome to the opening of the Security Academy. Let me tell you more about this easy-to-register academy.

IT security is a hot topic nowadays, and we always hear about big organizations getting attacked by cyber criminals. Moreover, have a look at your home computer and tell me if you are sure it does not host malware.

Security awareness and best practices are not something that many IT people possess or know about. So I thought that we could establish a small academy that introduces the simplest security principles in a structured way.

Let us jump to the cost. The cost of this academy is five minutes of your time per blog post. Posts are short, simple to learn and straight to the point.

To find courses, just filter this blog by the (Security Academy) tag or category and you will get a list of the available courses in this academy.

The first course is (Course 100), which introduces the basic terms and concepts that you need to know in IT security. Courses are numbered Course 101, Course 102, etc.

Courses will become available online every couple of days. Take your time reading them and enjoy.

Here is the link to your first course (Course 101 : http://wp.me/p1eUZH-cj)