Day and night, good and evil, angel and devil: there are two sides to
everything. Even IT has a positive and a negative side, and ironically the first
traces of this negative side appeared long before computers, and for a totally
different set of reasons. Many consider that the theory behind the first virus
came from mathematician John von Neumann's theory of cellular automata, or
self-replication. Von Neumann devised this theory before computers existed, on
pen and paper. Later, other mathematicians presented their views on automated
self-replication, and finally Frederick Stahl reproduced the theory in machine
code on an IBM machine. The rest, as they say, is history. While these
scientists developed such theories for the good of mankind, others put them to
malicious use, thus forming the dark side of IT. Presented here is that dark
side, which has prevailed for many decades and continues to grow along with the
positive side of IT. We follow it up with where this dark side is heading in
the future.
Today there are many facets to the dark side of IT. Things have moved far
beyond viruses and worms into many other forms of attack, some of them far more
damaging. Presented here are some of the most dreaded attacks of the past,
followed by what's brewing for the future.
Buffer Overflow attacks
Buffer overflows were first documented in 1972, and the first widely known
exploitation of one was by the Morris worm in 1988, which overflowed a buffer
in the BSD fingerd daemon to spread from host to host. According to the U.S.
Government Accountability Office, the damage done by the Morris worm was
estimated at anywhere from $10 million to $100 million. Its creator, Robert
Tappan Morris, was a student at Cornell University at the time, and claimed to
have written the worm to gauge the size of the Internet. Whatever the case, it
paved the way for many other worms that exploited buffer overflow
vulnerabilities in programs. Two names worth remembering for the damage they
caused are Code Red and SQL Slammer.
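The kind of bug these worms exploited, as an added example (this is not code from the article): a record with a fixed-size name buffer followed by a privilege flag, an unbounded copy that runs off the end of the buffer into the flag, and a bounds-checked replacement. The struct, the function names and the attacker input are all constructed for this demonstration.

```c
/* Added example, not code from the original article: a textbook buffer
 * overflow of the kind the Morris worm, Code Red and SQL Slammer exploited,
 * beside a bounds-checked version. The struct, function names and the input
 * string are all constructed for this demonstration. */
#include <stdio.h>
#include <string.h>

struct login_record {
    char name[16];   /* fixed-size buffer for the user name */
    int  is_admin;   /* laid out directly after name[] in memory */
};

/* Vulnerable: copies bytes until the NUL terminator with no bound, so any
 * name longer than 15 characters runs off the end of name[] and overwrites
 * is_admin. The volatile pointer keeps the compiler from eliding the stores. */
void set_name_unsafe(struct login_record *rec, const char *input)
{
    volatile char *dst = rec->name;
    size_t i = 0;
    do {
        dst[i] = input[i];
    } while (input[i++] != '\0');
}

/* Hardened: refuse input that does not fit (including its NUL), then copy a
 * bounded number of bytes. Returns 0 on success, -1 if the name is too long. */
int set_name_safe(struct login_record *rec, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof rec->name)
        return -1;
    memcpy(rec->name, input, len + 1);   /* len + 1 <= sizeof rec->name */
    return 0;
}

/* Constructed attacker input: 16 'A's fill name[], the 'B' lands in the first
 * byte of is_admin and the terminator in the second. */
static const char LONG_NAME[] = "AAAAAAAAAAAAAAAAB";

/* Returns the privilege flag after the unsafe copy: nonzero means the
 * overflow turned an ordinary user into an administrator. */
int admin_after_unsafe(void)
{
    struct login_record rec = { "", 0 };
    set_name_unsafe(&rec, LONG_NAME);
    return *(volatile int *)&rec.is_admin;
}

/* Returns 1 when the safe version rejected the input and left the flag at 0. */
int admin_after_safe(void)
{
    struct login_record rec = { "", 0 };
    int rc = set_name_safe(&rec, LONG_NAME);
    return rc == -1 && rec.is_admin == 0;
}

int main(void)
{
    printf("unsafe copy: is_admin = %d\n", admin_after_unsafe());
    printf("safe copy: rejected with flag intact = %d\n", admin_after_safe());
    return 0;
}
```

Here the overwritten neighbour is a flag inside the same struct, which keeps the result deterministic. On a real stack the bytes past the buffer reach the saved frame pointer and return address, and that is how the Morris worm's fingerd exploit turned an over-long request into code execution.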
Bruteforce attacks
Originally, a brute-force attack was a way of breaking a cryptographic scheme
by systematically trying a large number of keys until the right one was found.
Dictionary attacks, which try words from a prepared list instead of every
possible combination, are a variant of brute force. Besides cryptanalysis,
brute-force attacks are also used to break passwords.
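How the two variants differ in practice, as an added example (not code from the article): an exhaustive search over every 4-digit PIN beside a dictionary attack over a word list, both run against a salted hash. The hash is 32-bit FNV-1a standing in for a real password hash, and the salt, PIN, word list and function names are all constructed for this demonstration.

```c
/* Added example, not code from the original article: exhaustive (brute-force)
 * search and a dictionary attack against a salted password hash. The hash is
 * 32-bit FNV-1a, used only as a stand-in for a real password hash; the salt,
 * PIN, word list and function names are all constructed for this demo. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Toy hash: FNV-1a over salt followed by password. Not for real use. */
uint32_t hash_password(const char *salt, const char *password)
{
    uint32_t h = 2166136261u;
    const char *parts[2] = { salt, password };
    for (int p = 0; p < 2; p++)
        for (const char *c = parts[p]; *c; c++) {
            h ^= (unsigned char)*c;
            h *= 16777619u;
        }
    return h;
}

/* Brute force: try every 4-digit PIN in order. Copies the match into found
 * (at least 5 bytes) and returns the number of guesses needed, or -1. */
long brute_force_pin(uint32_t target, const char *salt, char *found)
{
    char guess[5];
    for (int n = 0; n < 10000; n++) {
        snprintf(guess, sizeof guess, "%04d", n);
        if (hash_password(salt, guess) == target) {
            memcpy(found, guess, sizeof guess);
            return n + 1;
        }
    }
    return -1;
}

/* Dictionary attack: try only the words in a list. Returns the number of
 * guesses needed, or -1 when the password is not in the list, which is the
 * blind spot of this variant. */
long dictionary_attack(uint32_t target, const char *salt,
                       const char *const *words, size_t nwords,
                       const char **found)
{
    for (size_t i = 0; i < nwords; i++)
        if (hash_password(salt, words[i]) == target) {
            *found = words[i];
            return (long)i + 1;
        }
    return -1;
}

/* Constructed word list and salt standing in for a real dictionary and a
 * per-user salt stored beside the hash. */
static const char *const WORDS[] = { "password", "123456", "letmein", "qwerty" };
#define NWORDS (sizeof WORDS / sizeof WORDS[0])
static const char SALT[] = "s4lt";

static char recovered_pin[5];          /* filled by demo_brute_force */
static const char *recovered_word;     /* set by demo_dictionary_hit */

/* Scenario 1: the secret is the PIN "7391"; the search tries 0000 through
 * 7391, so it succeeds on guess number 7392. */
long demo_brute_force(void)
{
    return brute_force_pin(hash_password(SALT, "7391"), SALT, recovered_pin);
}
const char *demo_recovered_pin(void) { return recovered_pin; }

/* Scenario 2: the secret is "letmein", third word in the list: 3 guesses. */
long demo_dictionary_hit(void)
{
    return dictionary_attack(hash_password(SALT, "letmein"), SALT,
                             WORDS, NWORDS, &recovered_word);
}
const char *demo_recovered_word(void) { return recovered_word; }

/* Scenario 3: a password absent from the list defeats the dictionary attack. */
long demo_dictionary_miss(void)
{
    const char *found = NULL;
    return dictionary_attack(hash_password(SALT, "Tr0ub4dor&3"), SALT,
                             WORDS, NWORDS, &found);
}

int main(void)
{
    long tries = demo_brute_force();
    printf("brute force: PIN %s after %ld guesses\n", demo_recovered_pin(), tries);
    tries = demo_dictionary_hit();
    printf("dictionary: \"%s\" after %ld guesses\n", demo_recovered_word(), tries);
    printf("dictionary on an unlisted password: %ld\n", demo_dictionary_miss());
    return 0;
}
```

The trade-off is visible in the return values: exhaustive search always finds a 4-digit PIN but its cost grows with the size of the keyspace, while the dictionary attack is cheap but returns -1 for anything not on the list. Real password hashes are deliberately slow and salted per user precisely to raise the cost of each guess and to stop a table computed for one salt from being reused against another.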
[Sidebar: A Brief History of Viruses & Worms. Early 1970s: Creeper virus.]
Botnets
A botnet is a collection of compromised, remotely controlled "zombie" systems
running the attacker's bot software. Botnets are used for DoS attacks,
spamming, spyware distribution, click fraud and more. Most botnets use IRC to
communicate with their owners. The most recent is the Storm botnet, which
appeared in January 2007 and has infected at least 1,000,000 machines. Botnets
have also led to the rise of honeypots and honeynets: a honeypot is a
deliberately exposed decoy system used to monitor attackers and the bots and
other malicious tools they deploy.
Denial of Service
It's hard to say when the first DoS attack took place. Some say DoS attacks
such as ping floods and UDP floods on IRC have existed since 1988, but it was
not until July 1999 that the Trinoo attack tool launched a Distributed Denial
of Service (DDoS) attack on a University of Minnesota system. Then in February
2000 came the now-famous week of DDoS attacks, when Yahoo, CNN, eBay and many
others felt the heat. After that we saw worms such as Blaster that launched
DDoS attacks, and seven years later, in February 2007, a DNS backbone DDoS
attack was back in the news. In a DNS backbone DDoS attack the DNS root servers
are targeted, because they sit at the top of the hierarchy that resolves domain
names to IP addresses. Bringing down root name servers can make many websites
unreachable at once, whereas a DDoS attack on a single site brings down only
that site.
Man in the Middle (MITM) attacks
One of the oldest kinds of attack, and still very popular. In an MITM attack,
the attacker sits between two communicating parties, captures the information
they exchange and sometimes even modifies it. The most common form is packet
sniffing, using tools that, interestingly, were originally meant for network
troubleshooting. To counter MITM attacks, encryption solutions such as SSL/TLS
and SSH were introduced to secure communication. Encryption alone is not
enough, though: unless each party also authenticates the other, an active
attacker can simply negotiate a separate encrypted session with each side,
which is why certificate and host-key checks matter.
Reverse Engineering
Reverse engineering was originally a way to find out how software behaves under
particular conditions and to improve its performance by understanding the
program's logic. But it soon became a way of breaking software protection and
using programs without paying for them, and became one of the main contributors
to the piracy industry. To stop this, techniques such as packing and encrypting
program binaries and obfuscating their code appeared, but they had little
impact, and piracy remains one of the major problems for vendors.
Social Engineering
This technique was in use even before computers came into existence, but in
computing terms it is a collection of techniques for tricking people into
performing certain actions or giving up critical information. Also known as
socio-technical attacks, these exploit the fact that humans are the weakest
link in security. Pretexting, mostly performed over the phone, is the most
widely used social engineering technique. Others include dumpster diving and
shoulder surfing.
Phishing
Phishing was first talked about in 1987, and almost nine years later the first
phishing attack was detected, in January 1996, on Usenet newsgroups. But it was
not until 2004-2005 that it caused its heaviest losses, estimated at $929
million.
Open Source malware
Not to be confused with malware for open source software, this is malware
created the open source way, i.e. with its source code made publicly available.
Most of you will remember Agobot/Sdbot, which were released under the GPL and
developed as modules. Open source malware gives anonymity to the original
malware authors, since many developers contribute to the code. It also became
the first choice of script kiddies, who could easily add new features to the
malware without having to write them from scratch.
Zero Day attacks
Whenever the underground hacker community learns of a flaw in an application,
it starts creating an exploit for it. The period between the appearance of the
exploit and the public availability of a patch is called the zero-day period,
and any attack during this period is called a zero-day attack (ZDA). The name
reflects that the vendor has had zero days to prepare a fix before the exploit
is in use.
With so many different types of attack already in existence, it's not
difficult to predict the future: expect many more, and more malicious, forms of
attack.
In fact, the days of unintentional or 'just for fun and curiosity' attacks are
numbered. In future, expect most attacks to be carried out with malicious
intent.
Most of you will remember the news of Paris Hilton's missing phone and the
posting of its address book online. That is no laughing matter, because with
the exponential growth in cellphones and laptops, the number of thefts of these
devices is also growing.
If a petty thief steals a phone or laptop and sells it for a paltry amount,
the owner can consider themselves lucky. But what if the thief threatens to
hand over important information from it to others (maybe the competition)?
Just the thought of such a thing happening is enough to give anyone
nightmares.
Equipment theft needs no IT skills, but it does affect the IT community, and we
must guard against it.
Increase in mobile malware
The fact that smart phones are getting cheaper and people store critical data
on them is reason enough for crackers to target these devices. According to
one report, at least 370 samples of smart-phone malware have been detected.
Anti-virus vendors are already coming out with anti-virus products for mobile
phones, so we may see a serious mobile malware outbreak soon.
There are various ways in which smart phones can be infected; one of the most
common, as with PCs, is the Internet.
Smart phones can also catch infections when synchronized with an infected
computer, and a compromised smart phone can in turn infect other smart phones
over wireless personal area networks.
An example of such an attack is the Cabir proof-of-concept worm, which used
Bluetooth to spread to other smart phones. The concept of mobile botnets was
also presented some time ago at a Black Hat conference but has yet to turn into
reality.
Another demonstration by a security researcher exploited a buffer overflow
through an MMS message carrying malicious code. In future we are likely to see
more attacks of this kind.
VoIP attacks
Almost everybody is aware of sniffing attacks on VoIP traffic. While many
steps have been taken to reduce such man-in-the-middle attacks on VoIP, other
threats are emerging. One doing the rounds is VoIP spam, also known as vamming
or SPIT (Spam over Internet Telephony).
Vendors are gearing up to deal with VoIP spam. NEC has announced anti-spam
VoIP software called VoIP Seal, scheduled for release in 2008.
Another, related threat is VoIP phishing. These attacks can be more convincing
and harder to detect than email phishing. So far they originate only through
emails that contain a number to call instead of the conventional link. The
number usually belongs to a PBX with an auto-attendant, so that it appears to
belong to a legitimate company, tricking users into entering private
information.
In another form of VoIP phishing you get a call from a bot, with the caller ID
spoofed to appear to come from a known source. Here again the bot pretends to
be authentic and asks the user to provide confidential information.
Virtual world threats
Over the past few years, MMOGs (massively multiplayer online games) have
gained considerable popularity. One of the first threats to persistent virtual
worlds (PVWs) came in the form of CopyBot, which replicated objects and avatars
in Second Life without permission.
Another threat to PVWs is software that claims to improve the performance of
the virtual world or to automate tasks, but stealthily runs malicious code that
can steal information from players. Other possibilities include spamming and
phishing attacks on virtual-world users.
Virtualization threats
The advantages of virtualization are many, and as more companies deploy it,
attackers are going to look for ways to exploit it.
One of the most talked-about security threats in virtualization is danger to
the hypervisor. It has been claimed that if the hypervisor can be compromised,
attackers gain access to every virtual machine it hosts. There is also talk of
hypervisor rootkits and malware.
One example of such an attack is Blue Pill, a proof-of-concept rootkit that
used the processor's hardware virtualization extensions to slip a thin
hypervisor underneath a running operating system, moving it into a virtual
machine without its knowledge and thereby taking complete control of it. You
can find more details about this attack on the researchers' website at
http://www.invisiblethings.org/.