Cyber Security Unit-3 Notes


Unit-3

Tools and Methods Used in Cybercrime

The basic stages of an attack are described in the following section to understand how an attacker can compromise a
network:

1. Initial uncovering: Two steps are involved here. In the first step, called reconnaissance, the attacker gathers as much
information as possible about the target by legitimate means: searching for information about the target on the Internet,
on social networking websites and on people finder websites.

In the second step, the attacker uncovers as much information as possible about the company's internal network, such as
the Internet domain, machine names and the company's Internet Protocol (IP) address ranges.

2. Network probe: At the network probe stage, the attacker uses more invasive techniques to scan for information.
Usually, a "ping sweep" of the network IP addresses is performed to seek out potential targets, and then a "port
scanning" tool is used to discover exactly which services are running on the target system. At this point, the attacker
has still not done anything that would be considered abnormal activity on the network or anything that can be
classified as an intrusion.

3. Crossing the line toward electronic crime (E-crime): Now the attacker moves toward committing what is technically a
"computer crime." He/she does this by exploiting possible holes on the target system. The attacker usually goes through
several stages of exploits to gain access to the system. Once the attackers are able to access a user account without
many privileges, they will attempt further exploits to get administrator or "root" access. Root access is a Unix term
and is associated with the system privileges required to run all services and access all files on the system.

4. Capturing the network: At this stage, the attacker attempts to "own" the network. The attacker gains a foothold in
the internal network quickly and easily, by compromising low-priority target systems. The next step is to remove any
evidence of the attack. The attacker will usually install a set of tools that replace existing files and services with
Trojan files and services that have a backdoor password.

5. Grab the data: Now that the attacker has "captured the network," he/she takes advantage of his/her position to steal
confidential data, customer credit card information, deface web pages, alter processes and even launch attacks at other
sites from your network, causing a potentially expensive and embarrassing situation for an individual and/or for an
organization.

6. Covering tracks: This is the last step in any cyber attack, and it refers to the activities undertaken by the attacker
to extend misuse of the system without being detected. The attacker can remain undetected for long periods or use this
phase either to start a fresh reconnaissance of a related target system or resources, to remove evidence of hacking,
to avoid legal action, etc.

Tools used to cover attacks

ELSave: It is a tool to save and/or clear an NT event log. ELSave is written by Jesper Lauritsen. The executable is
available on the weblink, but the source code is not available.

WinZapper: This tool enables erasing event records selectively from the security log in Windows NT 4.0 and
Windows 2000.

Evidence Eliminator: It is a simple and top-quality professional PC cleaning program that is capable of defeating all
known investigative forensic analysis, so that forensic analysis becomes impossible.

Traceless: It is a privacy cleaner for Internet Explorer that can delete common Internet tracks, including history,
cache, typed URLs, cookies, etc.

Tracks Eraser Pro: It deletes the following history data:

* Delete address bar history of IE, Netscape, AOL, Opera.
* Delete cookies of IE, Netscape, AOL, Opera.
* Delete Internet cache (temporary Internet files).
* Delete Internet history files.

Proxy Servers and Anonymizers

A proxy server is a computer on a network which acts as an intermediary for connections with other computers on
that network.

A proxy server has the following purposes:

1. Keep the systems behind the curtain (mainly for security reasons).

2. Speed up access to a resource (through "caching"). It is usually used to cache the web pages from a web server.

3. Specialized proxy servers are used to filter unwanted content such as advertisements.

4. A proxy server can be used as an IP address multiplexer to enable a number of computers to connect to the
Internet when one has only one IP address.

An advantage of a proxy server is that its cache memory can serve all users. If one or more websites are requested
frequently, maybe by different users, they are likely to be in the proxy's cache memory, which will improve user
response time.
Listed are a few websites where free proxy servers can be found:

1. http://www.proxy4free.com
2. http://www.publicproxyservers.com
3. http://www.proxz.com

An anonymizer or an anonymous proxy is a tool that attempts to make activity on the Internet untraceable. It accesses
the Internet on the user's behalf, protecting personal information by hiding the source computer's identifying
information. Anonymizers are services used to make Web surfing anonymous by utilizing a website that acts as a proxy
server for the web client. In 1997 the first anonymizer software tool was created by Lance Cottrell, developed by
Anonymizer.com. The anonymizer hides/removes all the identifying information from a user's computer while the user
surfs on the Internet, which ensures the privacy of the user.

Listed are a few websites where more information about anonymizers can be found:

1. http://www.anonymizer.com
2. http://www.browzar.com
3. http://www.anonymize.net

Phishing

Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in
order to induce individuals to reveal personal information, such as passwords and credit card numbers.

How Phishing Works

Phishers work in the following ways:

1. Planning: Criminals, usually called phishers, decide the target and determine how to get the E-Mail addresses of
that target or of the customers of that business. Phishers often use the same mass mailing and address collection
techniques as spammers.

2. Setup: Once phishers know which business/business house to spoof and who their victims are, they create methods
for delivering the message and for collecting the data about the target. Most often this involves E-Mail addresses
and a webpage.

3. Attack: This is the step people are most familiar with: the phisher sends a phony message that appears to be from
a reputable source.

4. Collection: Phishers record the information victims enter into web pages or pop-up windows.

5. Identity theft and fraud: Phishers use the information that they have gathered to make illegal purchases or
commit fraud.

Password Cracking

A password is like a key to get entry into computerized systems, like a lock. Password cracking is the process of
recovering passwords from data that have been stored in or transmitted by a computer system.

The purposes of password cracking are as follows:

1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily crackable passwords.
3. To gain unauthorized access to a system.


Manual password cracking is to attempt to log on with different passwords. The attacker follows these steps:

1. Find a valid user account such as Administrator or Guest.
2. Create a list of possible passwords.
3. Rank the passwords from high to low probability.
4. Key in each password.
5. Try again until a successful password is found.


Examples of guessable passwords include:

1. Blank (none).
2. Words like "password," "passcode" and "admin".
3. Series of letters from the "QWERTY" keyboard, for example, qwerty, asdf or qwertyuiop.
4. User's name or login name.
5. Name of user's friend/relative/pet.
6. User's birthplace or date of birth, or a relative's or a friend's.
7. User's vehicle number, office number, residence number or mobile number.
8. Name of a celebrity who is considered to be an idol (e.g., actors, actresses, spiritual gurus) by the user.
9. Simple modification of one of the preceding, such as suffixing a digit, particularly 1, or reversing the order of
letters.

Password cracking tools

1. Default password(s): Network devices such as switches, hubs and routers are equipped with "default passwords" and
usually these passwords are not changed after commissioning these devices into the network (i.e., into the LAN).

2. Cain & Abel: This password recovery tool is typically used for Microsoft Operating Systems (OSs). It allows
cracking passwords by sniffing the network, cracking encrypted passwords using dictionary and brute force attacks,
decoding scrambled passwords and recovering wireless network keys.

3. John the Ripper: This is a free and open-source fast password cracker, compatible with many OSs like different
flavors of Unix, Windows, DOS, BeOS and OpenVMS. Its primary purpose is to detect weak Unix passwords.

4. THC-Hydra: It is a very fast network logon cracker which supports many different services.

5. Aircrack-ng: It is a set of tools used for wireless networks. This tool is used for 802.11a/b/g Wired Equivalent
Privacy (WEP) and Wi-Fi Protected Access (WPA) cracking.

6. SolarWinds: It is a plethora of network discovery/monitoring/attack tools and has created dozens of
special-purpose tools targeted at systems administrators.

7. Pwdump: It is a Windows password recovery tool. Pwdump is able to extract NTLM and LanMan hashes from a Windows
target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are
available.

8. RainbowCrack: It is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute
force cracker tries all possible plain texts one by one, which can be time-consuming for complex passwords.

9. Brutus: It is one of the fastest, most flexible remote password crackers available for free. It is available for
Windows 9x, NT and 2000.

Password cracking attacks can be classified under three categories as follows:

1. Online attacks
2. Offline attacks
3. Non-electronic attacks (e.g., social engineering, shoulder surfing and dumpster diving)

1. Online Attacks

The most popular online attack is the man-in-the-middle (MITM) attack, also termed the "bucket-brigade attack" or
sometimes the "Janus attack". When a victim client connects to the fraudulent server, the MITM server intercepts the
call, hashes the password and passes the connection to the victim server. This type of attack is used to obtain the
passwords for E-Mail accounts on public websites such as Yahoo, Hotmail and Gmail and can also be used to get the
passwords for financial websites by those who would like to gain access to banking websites.

2. Offline Attacks

Mostly, offline attacks are performed from a location other than the target (i.e., either a computer system or the
network) where these passwords reside or are used. Offline attacks usually require physical access to the computer
and copying the password file from the system onto removable media. The different types of password cracking attacks
are:

Dictionary attack: Attempts to match all the words from the dictionary to get the password.

Hybrid attack: Substitutes numbers and symbols to get the password.

Brute force attack: Attempts all possible permutations and combinations of letters, numbers and special characters.

Strong, Weak and Random Passwords

A weak password is one which could be easily guessed: short, common, or a system default password that could be
easily found by executing a brute force attack. Passwords that can be easily guessed by acquaintances of the netizen
(such as date of birth, pet's name and spouse's name) are considered to be very weak.

Here are some examples of "weak passwords":

1. Susan: common personal name;
2. aaaa: repeated letters, can be guessed;
3. rover: common name for a pet, also a dictionary word;
4. abc123: can be easily guessed;
5. admin: can be easily guessed;
6. 1234: can be easily guessed;
7. QWERTY: a sequence of adjacent letters on many keyboards;
8. 12/3/75: date, possibly of personal importance;
9. nbusr123: probably a username, and if so, can be very easily guessed;
10. p@$$Word: simple letter substitutions are preprogrammed into password cracking tools;
11. password: used very often, trivially guessed;
12. December12: using the date of a forced password change is very common.

A strong password is long enough, random or otherwise difficult to guess, producible only by the user who chooses it.

Here are some examples of strong passwords:

1. Convert £100 to Euros!: Such phrases are long, memorable and contain an extended symbol to increase the strength
of the password.
2. 382465304H: It is a mix of numbers and a letter at the end, usually used on mass user accounts; such passwords
can be generated randomly, for example, in schools and businesses.
3. 4pReelai@3: It is not a dictionary word; however, it has mixed-case letters along with numeric and punctuation
characters.
4. Mo0o0fin245679: It is long, with both letters and numerals.
5. 13wahSetyeT4: It is not a dictionary word; however, it has both letters and numerals.
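The guessable-password list and the weak and strong examples above describe patterns rather than a procedure. The following Python check, added here and not part of the notes, encodes those patterns (dictionary words and names, repeated characters, keyboard or alphabet runs, dates, a short digit suffix, and the letter substitutions that cracking tools have preprogrammed) together with the eight-character minimum the notes' password policy requires, and is tuned so that every weak example above is flagged while the strong ones pass. The word list is a constructed stand-in for a real dictionary.

```python
import re

# Constructed stand-in for the word list a cracking tool loads: the names and words
# used in the notes' weak-password examples plus month names. A real check would
# load a large dictionary; the logic does not change.
COMMON_WORDS = {
    "password", "passcode", "admin", "susan", "rover", "welcome", "letmein",
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# Undo the letter substitutions cracking tools have preprogrammed (p@$$Word -> password).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "5": "s", "7": "t", "!": "i"})
MIN_LENGTH = 8  # the notes' policy: a minimum of eight alphanumeric characters

# The notes' own examples, used to show that the checks separate them.
WEAK_EXAMPLES = ["Susan", "aaaa", "rover", "abc123", "admin", "1234", "QWERTY",
                 "12/3/75", "nbusr123", "p@$$Word", "password", "December12"]
STRONG_EXAMPLES = ["Convert £100 to Euros!", "382465304H", "4pReelai@3",
                   "Mo0o0fin245679", "13wahSetyeT4"]


def _is_sequence(s):
    """True if s (3+ characters) runs along a keyboard row or the alphabet, in either direction."""
    s = s.lower()
    if len(s) < 3:
        return False
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS + (ALPHABET,))


def _is_date(s):
    """Matches values such as 12/3/75, 12-03-1975 or 120375."""
    return bool(re.fullmatch(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", s)
                or re.fullmatch(r"\d{6,8}", s))


def weaknesses(password):
    """Return the reasons a password matches the notes' guessable patterns (empty list = none found)."""
    reasons = []
    stripped = password.strip("_ -.!?")        # "_password" -> "password"
    core = stripped.lower().translate(LEET)     # "p@$$Word" -> "password"
    base = re.sub(r"\d{1,3}$", "", stripped)    # "December12" -> "December", "abc123" -> "abc"

    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if core in COMMON_WORDS or base.lower() in COMMON_WORDS:
        reasons.append("dictionary word, common name or simple substitution of one")
    if re.search(r"(.)\1{2,}", password):
        reasons.append("repeated characters")
    if _is_sequence(stripped) or (base != stripped and _is_sequence(base)):
        reasons.append("keyboard or alphabet sequence")
    if _is_date(stripped):
        reasons.append("looks like a date")
    if re.fullmatch(r"[A-Za-z]+\d{1,3}", stripped):
        reasons.append("word or username with a short digit suffix")
    return reasons


if __name__ == "__main__":
    for pw in WEAK_EXAMPLES + STRONG_EXAMPLES:
        print("%-24s %s" % (pw, ", ".join(weaknesses(pw)) or "no weakness found"))
```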

Random Passwords

Forcing users to use system-created random passwords ensures that the password will have no connection with that
user and should not be found in any dictionary. Several OSs have included such a feature. Almost all OSs also include
password aging; the users are required to choose new passwords regularly, usually after 30 or 45 days. Many users
dislike these measures, particularly when they have not been taken through security awareness training. The
imposition of strong random passwords may encourage users to write down passwords, store them in personal digital
assistants (PDAs) or cell phones and share them with others against memory failure, increasing the risk of
disclosure.

The general guidelines applicable to password policies, which can be implemented organization-wide, are as follows:

1. Passwords and user logon identities (IDs) should be unique to each authorized user.
2. Passwords should consist of a minimum of eight alphanumeric characters (no common names or phrases).
3. There should be computer-controlled lists of prescribed password rules and periodic testing (e.g., letter and
number sequences, character repetition, initials, common words and standard names) to identify any password
weaknesses.
4. Passwords should be kept private, that is, not shared with friends, colleagues, etc. They shall not be coded into
programs or noted down anywhere.
5. Passwords shall be changed every 30/45 days or less. Most operating systems (OSs) can enforce a password with an
automatic expiration and prevent repeated or reused passwords.
6. User accounts should be frozen after five failed login attempts. All erroneous password entries should be recorded
in an audit log for later inspection and action, as necessary.
7. Sessions should be suspended after 15 minutes (or another specified period) of inactivity and require the password
to be re-entered.
8. Successful logons should display the date and time of the last logon and logoff.
9. Logon IDs and passwords should be suspended after a specified period of non-use.
10. For high-risk systems, after excessive violations, the system should generate an alarm and be able to simulate a
continuing session (with dummy data) for the failed user (to keep this user connected while personnel attempt to
investigate the incoming connection).
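Guidelines 6 to 9 are controls a login service can enforce mechanically. The following Python sketch, added here and not taken from the notes, implements them: a freeze after five failed attempts with every bad entry written to an audit log, a 15-minute inactivity timeout, display of the previous logon and logoff on success, and suspension of accounts unused for a period (90 days is an assumption, since the notes leave the period unspecified). FakeClock and the user "alice" are constructed for the demonstration; guideline 10's decoy session is not implemented.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                 # guideline 6
IDLE_TIMEOUT = timedelta(minutes=15)    # guideline 7
NON_USE_LIMIT = timedelta(days=90)      # guideline 9 leaves the period open; 90 days is an assumption


class FakeClock:
    """Adjustable clock so lockout and timeout behaviour can be exercised without waiting."""
    def __init__(self):
        self.t = datetime(2024, 1, 1, 9, 0)
    def now(self):
        return self.t
    def advance(self, **kwargs):
        self.t += timedelta(**kwargs)


class Account:
    def __init__(self, salt, pw_hash):
        self.salt, self.pw_hash = salt, pw_hash
        self.failed_attempts = 0
        self.frozen = False
        self.last_logon: Optional[datetime] = None
        self.last_logoff: Optional[datetime] = None


class AuthGateway:
    def __init__(self, now):
        self._now = now          # callable returning the current time (datetime.now in production)
        self.accounts = {}
        self.sessions = {}       # user -> time of last activity
        self.audit_log = []      # (time, event, user); every erroneous entry is recorded (guideline 6)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(salt, password))

    def _audit(self, event, user):
        self.audit_log.append((self._now(), event, user))

    def login(self, user, password):
        """Return (ok, message); on success the message carries the previous logon/logoff (guideline 8)."""
        now, acct = self._now(), self.accounts.get(user)
        if acct is None:
            self._audit("unknown-user", user)
            return False, "login failed"      # same wording as a bad password: no user enumeration
        if acct.frozen:
            self._audit("attempt-on-frozen-account", user)
            return False, "account frozen; contact the administrator"
        if acct.last_logon is not None and now - acct.last_logon > NON_USE_LIMIT:
            acct.frozen = True
            self._audit("suspended-for-non-use", user)
            return False, "account suspended after a period of non-use"
        if not hmac.compare_digest(self._hash(acct.salt, password), acct.pw_hash):
            acct.failed_attempts += 1
            self._audit("bad-password", user)
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.frozen = True
                self._audit("account-frozen", user)
            return False, "login failed"
        message = "last logon: %s, last logoff: %s" % (acct.last_logon, acct.last_logoff)
        acct.failed_attempts = 0
        acct.last_logon = now
        self.sessions[user] = now
        return True, message

    def activity(self, user):
        """Call on each request. Returns False (and ends the session) after 15 minutes of inactivity."""
        last = self.sessions.get(user)
        if last is None:
            return False
        if self._now() - last > IDLE_TIMEOUT:
            self.logoff(user)
            self._audit("session-expired", user)
            return False
        self.sessions[user] = self._now()
        return True

    def logoff(self, user):
        self.sessions.pop(user, None)
        self.accounts[user].last_logoff = self._now()


if __name__ == "__main__":
    clock = FakeClock()
    gw = AuthGateway(clock.now)
    gw.add_user("alice", "Convert £100 to Euros!")
    print(gw.login("alice", "Convert £100 to Euros!"))
    clock.advance(minutes=16)
    print("still active:", gw.activity("alice"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        gw.login("alice", "wrong")
    print(gw.login("alice", "Convert £100 to Euros!"))
    for entry in gw.audit_log:
        print(entry)
```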

Netizens should practice the following password guidelines to avoid becoming victims of getting their personal
E-Mail accounts hacked/attacked by attackers.

1. Passwords used for business E-Mail accounts, personal E-Mail accounts (Yahoo/Hotmail/Gmail) and
banking/financial user accounts (e.g., online banking/securities trading accounts) should be kept separate.
2. Passwords should be of a minimum of eight alphanumeric characters (no common names or phrases).
3. Passwords should be changed every 30/45 days.
4. Passwords should not be shared with relatives and/or friends.
5. A password used previously should not be reused while renewing the password.
6. Passwords of personal E-Mail accounts (Yahoo/Hotmail/Gmail) and banking/financial user accounts (e.g., online
banking/securities trading accounts) should be changed from a secured system, within a couple of days, if these
accounts have been accessed from public Internet facilities such as cybercafes/hotels/libraries.
7. Passwords should not be stored on mobile phones/PDAs, as these devices are also prone to cyber attacks.
8. In the case of receipt of an E-Mail from banking/financial institutions instructing to change the passwords, the
legitimacy of the E-Mail should be ensured before clicking the weblinks displayed in the E-Mail, to avoid being a
victim of phishing attacks.
9. Similarly, in case of receipt of an SMS from banking/financial institutions instructing to change the passwords,
the legitimacy of the SMS should be ensured to avoid being a victim of smishing attacks.
10. In case E-Mail accounts/user accounts have been hacked, the respective agencies/institutes should be contacted
immediately.

Keyloggers and Spywares

Keystroke logging, often called keylogging, is the practice of noting (or logging) the keys struck on a keyboard,
typically in a covert manner so that the person using the keyboard is unaware that such actions are being monitored.
Keyloggers can be classified as software keyloggers and hardware keyloggers.

1. Software Keyloggers

Software keyloggers are software programs installed on the computer system which usually are located between the OS
and the keyboard hardware, so that every keystroke is recorded. Software keyloggers are installed on a computer system
by Trojans or viruses without the knowledge of the user. Cybercriminals always install such tools on the insecure
computer systems available in public places and can obtain the required information about the victim very easily.

A keylogger usually consists of two files that get installed in the same directory: a dynamic link library (DLL) file
and an executable (EXE) file that installs the DLL file and triggers it to work. The DLL does all the recording of
keystrokes.

Software keyloggers

* SC-KeyLog PRO: It allows secretly recording computer user activities such as E-Mails, chat conversations, visited
websites, clipboard usage, etc. in a protected log file. SC-KeyLog PRO also captures Windows user logon passwords.
* Spytech SpyAgent Stealth: It provides a large variety of essential computer monitoring features as well as website
and application filtering, chat blocking and remote delivery of logs via E-Mail or FTP.
* All In One Keylogger: It is an invisible keystroke recorder and a spy software tool that registers every activity
on the PC to encrypted logs. This keylogger allows secretly tracking all activities of all computer users and
automatically receiving the logs at a desired E-Mail/FTP account.
* Stealth Keylogger: It is computer monitoring software that produces an activity log report in which the entire PC
keyboard activity is registered either at a specific time or hourly on a daily basis. The entire log reports are
generated either in text or HTML file format as defined by the user.
* Perfect Keylogger: It has advanced keyword detection and notification. The user can create a list of "on alert"
words or phrases and the keylogger will continually monitor keyboard typing, URLs and web pages for these words or
phrases. When a keyword is detected, Perfect Keylogger takes a screenshot and sends an E-Mail notification to the
user.

2. Hardware Keyloggers

Hardware keyloggers are small hardware devices. These are connected to the PC and/or to the keyboard and save every
keystroke into a file or in the memory of the hardware device. Cybercriminals install such devices on ATM machines
to capture ATM cards' PINs. Each key press on the keyboard of the ATM gets registered by these keyloggers.

Listed are a few websites where more information about hardware keyloggers can be found:

http://www.keyghost.com
http://www.keelog.com
http://www.keydevil.com
http://www.keykatcher.com

Antikeylogger

An antikeylogger is a tool that can detect a keylogger installed on the computer system and can also remove the tool.

The advantages of using an antikeylogger are as follows:

1. Firewalls cannot detect the installation of keyloggers on systems; antikeyloggers, however, can detect keylogger
installations.
2. This software does not require regular updates of signature bases to work effectively, unlike other antivirus
and antispyware programs, which do not serve their purpose if not updated, leaving users at risk.
3. It prevents Internet banking frauds, as passwords can easily be obtained by installing keyloggers.
4. It prevents ID theft.
5. It secures E-Mail and instant messaging/chatting.

Spywares

Spyware is a type of malware that is installed on computers and collects information about users without their
knowledge. It is clearly understood from the term Spyware that it secretly monitors the user. The features and
functions of such Spywares go beyond simple monitoring. Spyware programs collect personal information about the
victim, such as Internet surfing habits/patterns and websites visited.

The Spyware can also redirect Internet surfing activities by installing another stealth utility on the user's
computer system.

Spyware may also have the ability to change computer settings, which may result in slowing of the Internet
connection speed and slowing of response time, and may result in the user complaining about the Internet connection
speed to the Internet Service Provider (ISP).

To overcome the emergence of Spywares that have proved troublesome for the normal user, anti-Spyware programs are
available in the market. Installation of anti-Spyware software has nowadays become a common element of computer
security practice.

Spyware Tools

1. Spector Pro: It has the following key features:

* Captures and reviews all chats and instant messages
* Captures E-Mails (read, sent and received)
* Captures websites visited
* Captures activities performed on social networking sites such as MySpace and Facebook

2. eBlaster: Besides being a keylogger and website watcher, it also records E-Mails sent and received, files
uploaded/downloaded, users' activities, online searches, MySpace and Facebook activities and any other program
activity.

3. RemoteSpy: Besides remote computer monitoring, silently and invisibly, it also monitors and records users' PCs
without any need for physical access. Moreover, it records keystrokes (keylogger), screenshots, E-Mail, passwords,
chats, instant messenger conversations and websites visited.

4. Stealth Recorder Pro: It is a new type of utility that enables recording a variety of sounds and transferring them
automatically through the Internet without notification at the original location or source. It has the following
features:

* Real-time MP3 recording via microphone, CD, line-in and stereo mixer as MP3, WMA or WAV formatted files
* Transferring the recorded files via E-Mail or FTP to a user-defined E-Mail address or FTP server, automatically
controlled from a remote location
* Voice mail: records and sends voice messages

5. Stealth Website Logger: It records all accessed websites, and a detailed report can be made available at a
specified E-Mail address. It has the following key features:

* Monitoring of visited websites, with reports sent to an E-Mail address
* Daily log
* Global log for a specified period
* Log deletion after a specified period
* Hotkey and password protection
* Not visible in Add/Remove Programs or Task Manager

6. Flexispy: It is a tool that can be installed on a cell/mobile phone. After installation, Flexispy secretly records
conversations that happen on the phone and sends this information to a specified E-Mail address.

7. Wiretap Professional: It is an application for monitoring and capturing all activities on the system. It can
capture the entire Internet activity. This spy software can monitor and record E-Mail, chat messages and websites
visited. In addition, it helps in monitoring and recording keystrokes, passwords entered and all documents, pictures
and folders viewed.

8. PC PhoneHome: It is software that tracks and locates lost or stolen laptop and desktop computers. Every time a
computer system on which PC PhoneHome has been installed connects to the Internet, a stealth E-Mail is sent to a
specified E-Mail address of the user's choice and to the PC PhoneHome product company.

9. SpyArsenal Print Monitor Pro: It has the following features:

* Keeps track of printer/plotter usage
* Records every document printed
* Finds out who printed certain papers with your hardware and when

Virus and Worms

A computer virus passes from computer to computer in a similar manner as a biological virus passes from person to
person. Viruses may also contain malicious instructions that may cause damage or annoyance; the combination of
possibly malicious code with the ability to spread is what makes viruses a considerable concern. Viruses can often
spread without any readily visible symptoms. A virus can start on event-driven effects (e.g., triggered after a
specific number of executions), time-driven effects (e.g., triggered on a specific date, such as Friday the 13th) or
can occur at random.

Viruses can take some typical actions:

1. Display a message to prompt an action which may set off the virus
2. Delete files inside the system into which the virus enters
3. Scramble data on a hard disk
4. Cause erratic screen behavior
5. Halt the system (PC)
6. Just replicate themselves to propagate further harm

Types of Viruses

1. Boot sector viruses: These infect the storage media on which the OS is stored (e.g., floppy diskettes and hard
drives) and which is used to start the computer system. All data/programs are stored on floppy disks and hard drives
in smaller sections called sectors. The first sector is called the BOOT sector and it carries the master boot record
(MBR). The MBR's function is to read and load the OS, that is, it enables the computer system to start through the
OS. Hence, if a virus attacks an MBR or infects the boot record of a disk, such a floppy disk infects the victim's
hard drive when he/she reboots the system while the infected disk is in the drive. Once the victim's hard drive is
infected, all the floppy diskettes that are used in the system will be infected.

2. Program viruses: These viruses become active when the program file (usually with extensions .bin, .com, .exe,
.ovl, .drv) is executed (i.e., opened or the program is started). Once these program files get infected, the virus
makes copies of itself and infects the other programs on the computer system.

3. Multipartite viruses: This is a hybrid of boot sector and program viruses. It infects program files along with the
boot record when the infected program is active.

4. Stealth viruses: This camouflages and/or masks itself, and so detecting this type of virus is very difficult. It
can disguise itself in such a way that antivirus software also cannot detect it, and thereby cannot prevent it
spreading into the computer system. It alters its file size and conceals itself in the computer memory to remain in
the system undetected. The first computer virus, named Brain, was a stealth virus. A good antivirus detects a stealth
virus lurking on the victim's system by checking the areas the virus must have infected by leaving evidence in
memory.

5. Polymorphic viruses: This acts like a "chameleon" that changes its virus signature (i.e., binary pattern) every
time it spreads through the system (i.e., multiplies and infects a new file). Hence, it is always difficult to detect
a polymorphic virus with the help of an antivirus program. Polymorphic generators are routines (i.e., small programs)
that can be linked with existing viruses. These generators are not viruses, but their purpose is to hide actual
viruses under the cloak of polymorphism.

6. Macro viruses: Many applications, such as Microsoft Word and Microsoft Excel, support macros (i.e., macro
languages). These viruses are programmed as a macro embedded in a document. Once a macro virus gets onto a victim's
computer, every document he/she produces will become infected. This type of virus is relatively new and may slip by
the antivirus software if the user does not have the most recent version installed on his/her system.

7. ActiveX and Java controls: All web browsers have settings for ActiveX and Java controls. A little awareness is
needed about managing and controlling these settings of a web browser to prohibit and allow certain functions to
work, such as enabling or disabling pop-ups, downloading files and sound, which otherwise invites the threat of the
computer system being targeted by unwanted software floating in cyberspace.

The world's worst virus attacks

1. Conficker: The name Conficker is blended from the English term "configure" and the German word "Ficker," which
means "to have sex with" or "to mess with" in colloquial German. It is also known as Downup, Downadup and Kido. It
targets the Microsoft Windows OS and was first detected in November 2008.

2. INF/AutoRun: AutoRun and the companion feature AutoPlay are components of the Microsoft Windows OS that dictate
what actions the system takes when a drive is mounted. This is the most common threat that infects a PC by creating
an "autorun.inf" file. The file contains information about programs meant to run automatically when removable
devices are connected to the computer.

3. Win32/PSW.OnlineGames: It is a dangerous virus that replicates itself like other viruses and spreads from one
computer system to another carrying a payload of destruction. It can infect several computers within a few minutes.

4. Win32/Agent: This virus is also termed a Trojan. It copies itself into temporary locations and steals information
from the infected system. It adds entries into the registry, creating several files at different places in the
system folder, allowing it to run on every start-up, which enables it to gather complete information about the
infected system and then transfer it to the intruder's system.

5. Win32/FlyStudio: It is known as a Trojan with the characteristics of a backdoor. This virus does not replicate
itself, but spreads only when the circumstances are beneficial. It is called a backdoor because the information
stolen from a system is sent back to the intruder.

6. Win32/Pacex.Gen: This threat designates a wide range of malware that makes use of an obfuscation layer to steal
passwords and other information from the infected system.

7. Win32/Qhost: This virus copies itself to the System32 folder of the Windows directory, giving control of the
computer to the attacker. The attacker then modifies the Domain Name Server/System (DNS) settings, redirecting the
computer to other domains.

8. WMA/TrojanDownloader: This threat, with the suffix .GetCodec, modifies the audio files present on the system to
.wma format and adds a URL header that points to the location of a new codec. This means that the end-user will
download the new codec believing that something new might happen, whereas the malicious code runs in the background
causing harm to the host computer.
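Item 2 above says the whole INF/AutoRun infection hinges on a small text file, autorun.inf, that names a program to run when the drive is mounted. The following Python scanner, added here and not part of the notes, parses that INI-style file and reports every directive that would execute code (the open, shellexecute and shell\<verb>\command keys, and a shell= default-verb override) or that dresses the drive up as a folder (an action= text copying Windows' own "Open folder" prompt). The two embedded autorun.inf samples are constructed for the demonstration, not real malware.

```python
import re

# Directives in the [autorun] section that cause a program to run when the drive is mounted.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")   # shell\<verb>\command=...

# Constructed samples (not real malware): a vendor disc that only sets an icon and a label,
# and a removable drive whose autorun.inf runs a program and presents itself as a folder.
BENIGN_INF = """[autorun]
icon=product.ico
label=Vendor Install Disc
"""
SUSPICIOUS_INF = """\ufeff[AutoRun]
open=RECYCLER\\example.exe          ; constructed path
shellexecute=RECYCLER\\example.exe
shell\\open\\command=RECYCLER\\example.exe
shell=open
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""


def parse_autorun(text):
    """Parse autorun.inf text into {section: [(key, value), ...]}, keys lowercased, comments dropped."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():   # tolerate a UTF-8 BOM
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment in INF files
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()     # section names are case-insensitive
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def assess_autorun(text):
    """Return a finding for every [autorun] directive that would run code or mislead the user."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in EXEC_KEYS or SHELL_COMMAND.match(key):
            findings.append("%s runs a program: %s" % (key, value))
        elif key == "shell":
            findings.append("default verb overridden: shell=%s" % value)
        elif key == "action" and value.lower().startswith("open folder"):
            findings.append("action text imitates Windows' own prompt: %s" % value)
    return findings


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(name, assess_autorun(text) or ["no execution directives"])
```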

The world's worst virus and worm attacks

1. Morris Worm: It is also known as "Great Worm" or Internet Worm. It was written by at student,
Robert Tappan Morris, at Cornell University and launched on 2 November 1988 from MIT, It was
reported that around 6,000 major Unix machines were infected by the Morris worm and the total cost of
the damage calculated was USS 10-100 millions.
2. ILOVEYOU: It is also known as VBS/Loveletter or Love Bug Worm. It successfully attacked tens of
millions of Windows computers in 2000. The E-Mail was sent with the subject line "ILOVEYOU" and
an attachment "LOVE-LETTER-FOR-YOU.TXT.vbs."
3. Code Red: This computer worm was observed on the Internet on 13 July 2001. It attacked computers
running on Microsoft's IIS web server. The Code Red worm was first discovered and researched by eEye
Digital Security employees, Marc Maiffret and Ryan Permeh. They named the worm Code Red because
they were drinking Pepsi's "Mountain Dew Code Red" over the weekend.

4. Melissa: It is also known as "Melissa," "Simpsons," "Kwyjibo" or "Kwejeebo." It is a mass-mailing
macro worm. Melissa was written by David L. Smith in Aberdeen Township, New Jersey, who named it
after a lap dancer he met in Florida. The worm was in a file called "List.DOC" which had passwords that
allowed access to 80 pornographic websites. This worm in its original form was sent through an E-Mail to
many Internet users. Melissa spread on Microsoft Word 97, Word 2000 and also on Microsoft Excel 97,
2000 and 2003.

5. MSBlast (the Blaster Worm): It is also known as Lovsan or Lovesan. It was found during August 2003 and
spread across systems running Microsoft Windows XP and Windows 2000. The worm also creates an
entry in the OS registry to launch the worm every time Windows starts.
6. Sobig: This worm, found during August 2003, infected millions of Internet-connected computers that were
running Microsoft Windows. It was written in Microsoft Visual C++ and compressed using a data
compression tool, "tElock." This worm not only replicates by itself but is also a Trojan Horse, in that it
masquerades as something other than malware.

7. Storm Worm: This worm, found on 17 January 2007, is also known as a backdoor Trojan Horse that
affects the systems running on Microsoft OSs. The Storm worm infected thousands of computer systems in
Europe and in the US on Friday, 19 January 2007, through an E-Mail with a subject line about a recent
weather disaster, “230 dead as storm batters Europe”.
8. Michelangelo: It is a worm discovered in April 1991 in New Zealand. This worm was designed primarily
to infect systems that were running the disk operating system (DOS). Like other boot sector
viruses, Michelangelo operated at the BIOS level and remained dormant until 6 March, the birthday of the
artist "Michelangelo di Lodovico Buonarroti Simoni," an Italian Renaissance painter, sculptor, architect and
poet.
9. Jerusalem: This worm is also known as "BlackBox." Jerusalem infected files residing on DOS and was
detected in Jerusalem, Israel, in October 1987. It becomes memory resident (using 2 KB of memory). Once
the system gets infected, it infects every executable file, except "COMMAND.COM." ".COM" files grow
by 1,813 bytes when infected by Jerusalem and are not reinfected.

A typical definition of computer virus/worms might have various aspects

1. A virus attacks specific file types (or files).

2. A virus manipulates a program to execute tasks unintentionally.

3. An infected program produces more viruses.

4. An infected program may run without error for a long time.

5. Viruses can modify themselves and may possibly escape detection this way.

Worm
A worm is a type of malware or malicious software that can replicate rapidly and spread across devices within a
network. As it spreads, a worm consumes bandwidth, overloading infected systems and making them unreliable or
unavailable. Worms can also change and delete files or introduce other malware.

Trojan Horses and Backdoors

Trojan Horse is a program in which malicious or harmful code is contained inside apparently harmless
programming or data in such a way that it can get control and cause harm, for example, ruining the file
allocation table on the hard disk.
Some typical examples of threats by Trojans are as follows:

1. They erase, overwrite or corrupt data on a computer.
2. They help to spread other malware such as viruses (by a dropper Trojan).
3. They deactivate or interfere with antivirus and firewall programs.
4. They allow remote access to your computer (by a remote access Trojan).
5. They upload and download files without your knowledge.
6. They gather E-Mail addresses and use them for Spam.
7. They log keystrokes to steal information such as passwords and credit card numbers.
8. They copy fake links to false websites, display porno sites, play sounds/videos and display images.
9. They slow down, restart or shutdown the system.
10. They reinstall themselves after being disabled.
11. They disable the task manager.
12. They disable the control panel.

Backdoor

A backdoor is a means of access to a computer program that bypasses security mechanisms. A programmer
may sometimes install a backdoor so that the program can be accessed for troubleshooting or other
purposes. However, attackers often use backdoors that they detect or install themselves as part of an exploit.
In some cases, a worm is designed to take advantage of a backdoor created by an earlier attack.

Following are some functions of a backdoor:

1. It allows an attacker to create, delete, rename, copy or edit any file, execute various commands,
change any system settings; alter the Windows registry; run, control and terminate applications
2. It allows an attacker to control computer hardware devices, modify related settings, shutdown or
restart a computer without asking for user permission.
3. It steals sensitive personal information, valuable documents, passwords, login names, ID details; logs user
activity and tracks web browsing habits.
4. It records keystrokes that a user types on a computer's keyboard and captures screenshots.
5. It sends all gathered data to a predefined E-Mail address, uploads it to a predetermined FTP server or
transfers it through a background Internet connection to a remote host.
6. It infects files, corrupts installed applications and damages the entire system.
7. It distributes infected files to remote computers with certain security vulnerabilities and performs attacks
against hacker-defined remote hosts.

8. It installs a hidden FTP server that can be used by malicious persons for various illegal purposes.
9. It degrades Internet connection speed and overall system performance, decreases system security and
causes software instability. Some parasites are badly programmed as they waste too many computer
resources and conflict with installed applications.
10. It provides no uninstall feature, and hides processes, files and other objects to complicate its removal as
much as possible.

Following are a few examples of backdoor Trojans:

1. Back Orifice: It is a well-known example of a backdoor Trojan designed for remote system
administration. It enables a user to control a computer running the Microsoft Windows OS from a
remote location.

2. Bifrost: It is another backdoor Trojan that can infect Windows 95 through Vista. It uses the typical
server, server builder and client backdoor program configuration to allow a remote attacker, who uses the
client, to execute arbitrary code on the compromised machine.
3. SAP backdoors: SAP is an Enterprise Resource Planning (ERP) system and nowadays ERP is the
heart of the business technological platform. These systems handle the key business processes of the
organization, such as procurement, invoicing, human resources management, billing, stock
management and financial planning. Backdoors can be present in the SAP User Master, which supports
the authentication mechanism when a user connects to access SAP, and in ABAP Program Modules,
which support SAP Business Objects.
4. Onapsis Bizploit: It is the open-source ERP penetration testing framework developed by the
Onapsis Research Labs. Bizploit assists security professionals in the discovery, exploration,
vulnerability assessment and exploitation phases of specialized ERP penetration tests.

How to Protect from Trojan Horses and Backdoors

1. Stay away from suspect websites/weblinks: Avoid downloading free/pirated software that often
comes infected with Trojans, worms, viruses and other things. We have addressed "how to determine a
legitimate website."
2. Surf on the Web cautiously: Avoid connecting with and/or downloading any information from
peer-to-peer (P2P) networks, which are the most dangerous networks for spreading Trojan Horses and other
threats. On P2P networks, files packed with malicious software are created and then renamed to match
the common search criteria that users type while looking for information on the Web.

3. Install antivirus/Trojan remover software: Nowadays antivirus software(s) have built-in features
for protecting the system not only from viruses and worms but also from malware such as Trojan
Horses. Free Trojan remover programs are also available on the Web and some of them are really
good.

Steganography
Steganography is a Greek word that means "sheltered writing." It is a method that attempts to hide the
existence of a message or communication. The word "steganography" comes from the two Greek words:
steganos meaning "covered" and graphein meaning "to write" that means "concealed writing." This idea of
data hiding is not a novelty; it has been used for centuries all across the world under different regimes. The
practice dates back to ancient Rome and Greece where the messages were etched into wooden tablets and
then covered with wax, or when messages were passed by shaving a messenger's head and then tattooing a
secret message on it, letting his hair grow back and then shaving it again after he arrived at the receiving
party to reveal the message.

The term "cover" or "cover medium" is used to describe the original, innocent message, data, audio, still
image, video and so on. It is the medium that hides the secret message. It must have parts that can be altered or
used without damaging or noticeably changing the cover media. If the cover media are digital, these
alterable parts are called "redundant bits." These bits or a subset of them can be replaced with the message that is
intended to be hidden. Interestingly, steganography in digital media is very similar to "digital
watermarking." In other words, when steganography is used to place a hidden "trademark" in images, music and
software, the result is a technique referred to as "watermarking".
Steganography tools:

1. DiSi-Steganograph: It is a very small, DOS-based steganographic program that embeds data in PCX
images.
2. Invisible Folders: It has the ability to make any file or folder invisible to anyone using your PC even on
a network.

3. Invisible Secrets: It not only encrypts the data and files for safe-keeping or for secure transfer across the
Net but also hides them in places such as picture or sound files or web pages. These types of files are a
perfect disguise for sensitive information.
4. Stealth Files: It hides any type of file in almost any other type of file. Using steganography technique,
Stealth Files compresses, encrypts and then hides any type of file inside various types of files (including
EXE, DLL, OCX, COM, JPG, GIF, ART, MP3, AVI, WAV, DOC, BMP) and other types of video, image
and executable files.
5. Hermetic Stego: It is a steganography program that allows one to encrypt and hide the contents of any data file in
another file so that the addition of the data to the container file will not noticeably change the appearance of
that file.
6. DriveCrypt Plus (DCPP): It has the following features:
a. It allows secure hiding of an entire OS inside the free space of another OS.
b. Full-disk encryption (encrypts parts or 100% of your hard disk including the OS).
c. Preboot authentication (before the machine boots, a password is requested to decrypt the disk and start
your machine).
7. MP3Stego: It hides information in MP3 files during the compression process. The data is first compressed,
encrypted and then hidden in the MP3 bit stream.
8. MSU StegoVideo: It allows hiding any file in a video sequence. Main features are as follows:
* Small video distortions after hiding information.
* It is possible to extract information after video compression.
* Information is protected with a password.

Steganalysis

Steganalysis is the art and science of detecting messages that are hidden in images and audio/video files using
steganography. The goal of steganalysis is to identify suspected packages and to determine whether or not they
have a payload encoded into them, and if possible recover it. Automated tools are used to detect such
steganographed data/information hidden in image, audio and/or video files.
Steganalysis tools:
1. StegAlyzerAS: It is a digital forensic analysis tool designed to scan “suspect media" or "forensic
images" of suspect media for known artifacts of steganography applications.
2. StegAlyzerSS: It is a digital forensic analysis tool designed to scan “suspect media" or "forensic images"
of suspect media for uniquely identifiable hexadecimal byte patterns, or known signatures, left inside files
when particular steganography applications are used to embed hidden information within them.
3. StegSpy: It is a program that is always in progress and the latest version includes identification of a
"steganized" file. It detects steganography and the program used to hide the message.
4. Stegdetect: It is an automated tool for detecting steganographic content in the images. It is capable of
detecting several different steganographic methods to embed hidden information in JPEG images.
5. Stegsecret: It is a steganalysis open-source project that makes detection of hidden information possible
in different digital media. It is a JAVA-based multiplatform steganalysis tool that allows the detection of
hidden information by using the most known steganographic methods.
6. Virtual Steganographic Laboratory (VSL): It is a graphical block diagramming tool that allows
complex use, testing and adjustment of methods both for image steganography and steganalysis.
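The redundant-bit replacement described above, together with the pairs-of-values check that steganalysis tools apply to it, as an added example (not code from these notes or from any tool listed); the grayscale image, the payload and the one-bit-per-pixel scheme are constructed assumptions:

```python
"""LSB steganography on a constructed grayscale image, plus a pairs-of-values
steganalysis check. Added example; the image is a flat list of 8-bit pixel
values constructed below, not output of any tool named on this page."""
import random

HEADER_BITS = 32   # payload length in bytes, stored first as a 32-bit big-endian integer


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(cover: list[int]) -> int:
    """Bytes of payload the cover can hold at one bit per pixel, after the header."""
    return (len(cover) - HEADER_BITS) // 8


def embed(cover: list[int], payload: bytes) -> list[int]:
    """Replace the least significant ("redundant") bit of successive pixels
    with the header and payload bits; every other bit of the cover is untouched."""
    if len(payload) > capacity(cover):
        raise ValueError(f"payload of {len(payload)} B exceeds capacity {capacity(cover)} B")
    stream = len(payload).to_bytes(HEADER_BITS // 8, "big") + payload
    stego = list(cover)
    for i, bit in enumerate(_bits(stream)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract(stego: list[int]) -> bytes:
    """Read the LSB plane back: first the length header, then that many bytes."""
    lsb = [p & 1 for p in stego]

    def take(offset: int, nbits: int) -> bytes:
        out = bytearray()
        for i in range(offset, offset + nbits, 8):
            byte = 0
            for b in lsb[i:i + 8]:
                byte = (byte << 1) | b
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(take(0, HEADER_BITS), "big")
    return take(HEADER_BITS, length * 8)


def pov_chi_square(pixels: list[int]) -> float:
    """Pairs-of-values statistic (Westfeld and Pfitzmann). LSB embedding only
    moves a pixel between the two members of a pair (2k, 2k+1), so a fully
    embedded image has nearly equal counts in each pair and a small statistic;
    an untouched image normally has unequal pairs and a large one."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        expected = (a + b) / 2
        if expected:
            chi += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
    return chi


def constructed_cover(n_pixels: int = 4096) -> list[int]:
    """Constructed cover: a repeating ramp of even values only, so every
    pair (2k, 2k+1) is lopsided before embedding (an exaggerated clean image)."""
    return [((i * 7) % 128) * 2 for i in range(n_pixels)]


def random_payload(n_bytes: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random payload, standing in for encrypted data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


if __name__ == "__main__":
    cover = constructed_cover()
    stego = embed(cover, b"meet at the usual place")
    print(extract(stego))
    full = embed(cover, random_payload(capacity(cover)))
    print(f"chi-square clean={pov_chi_square(cover):.0f} full={pov_chi_square(full):.0f}")
```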

DoS and DDoS Attacks

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make
a computer resource (i.e., information systems) unavailable to its intended users.

DoS Attacks

In this type of criminal act, the attacker floods the bandwidth of the victim's network or fills his E-Mail
box with Spam mail, depriving him of the services he is entitled to access or provide. Although the means to carry
out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or
people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. The
attackers typically target sites or services hosted on high-profile web servers such as banks, credit card payment
gateways, mobile phone networks and even root name servers.
The United States Computer Emergency Response Team defines symptoms of DoS attacks to include
1. Unusually slow network performance (opening files or accessing websites)
2. Inability to access any website
3. Unavailability of a particular website
4. Dramatic increase in the number of Spam E-Mails received (this type of DoS attack is termed as an E-Mail
bomb).
The goal of DoS is not to gain unauthorized access to systems or data, but to prevent the intended users (i.e.,
legitimate users) of a service from using it. A DoS attack may do the following:

1. Flood a network with traffic, thereby preventing legitimate network traffic.
2. Disrupt connections between two systems, thereby preventing access to a service.
3. Prevent a particular individual from accessing a service.
4. Disrupt service to a specific system or person.

Classification of DoS Attacks

1. Bandwidth attacks: Loading any website takes a certain time. Loading means the complete webpage (i.e., with
the entire content of the webpage, text along with images) appearing on the screen and the system awaiting the user's
input. This "loading" consumes some amount of memory. Every site is given a particular amount of
bandwidth for its hosting, say for example, 50 GB. Now if visitors consume all 50 GB of bandwidth then
the host of the site can ban the site. The attacker does the same: he/she opens 100 pages of a site and
keeps on refreshing, consuming all the bandwidth; thus, the site becomes out of service.
2. Logic attacks: These kinds of attacks can exploit vulnerabilities in network software such as a web
server or the TCP/IP stack.
3. Protocol attacks: Protocols here are rules that are to be followed to send data over a network. These kinds of
attacks exploit a specific feature or implementation bug of some protocol installed at the victim's system to
consume excess amounts of its resources.
4. Unintentional DoS: This is a scenario where a website ends up denied not due to a deliberate
attack by a single individual or group of individuals, but simply due to a sudden enormous spike in
popularity. This can happen when an extremely popular website posts a prominent link to a second, less
well-prepared site, for example, as part of a news story. The result is that a significant proportion of the
primary site's regular users, potentially hundreds of thousands of people, click that link within a few hours
and have the same effect on the target website as a DDoS attack.
Types or Levels of DoS Attacks

1. Flood attack: This is the earliest form of DoS attack and is also known as ping flood. It is based on an
attacker simply sending the victim an overwhelming number of ping packets, usually by using the "ping"
command, which results in more traffic than the victim can handle. This requires the attacker to have a
faster network connection than the victim (i.e., access to greater bandwidth than the victim). It is very
simple to launch, but it is the most difficult to prevent completely.
2. Ping of death attack: The ping of death attack sends oversized Internet Control Message Protocol
(ICMP) packets to the victim. ICMP is one of the core protocols of the IP suite; it is mainly used by networked
computers' OSs to send error messages (e.g., indicating that a requested service is not available or that a
host or router could not be reached) as datagrams encapsulated in IP packets.
3. SYN attack: It is also termed as TCP SYN Flooding. In the Transmission Control Protocol (TCP),
handshaking of network connections is done with SYN and ACK messages. An attacker initiates a TCP
connection to the server with a SYN (using a legitimate or spoofed source address).
4. Teardrop attack: The teardrop attack is an attack where fragmented packets are forged to overlap
each other when the receiving host tries to reassemble them. IP's packet fragmentation algorithm is used
to send corrupted packets to confuse the victim and may hang the system. This attack can crash various
OSs due to a bug in their TCP/IP fragmentation reassembly code.
5. Smurf attack: It is a way of generating significant computer network traffic on a victim
network. This is a type of DoS attack that floods a target system via spoofed broadcast ping messages.
6. Nuke: Nuke is an old DoS attack against computer networks consisting of fragmented or otherwise invalid
ICMP packets sent to the target. It is achieved by using a modified ping utility to repeatedly send this
corrupt data, thus slowing down the affected computer until it comes to a complete stop.

Tools Used to Launch DoS Attack

Various tools use different types of traffic to flood a victim, but the objective behind the attack and
the result is the same: A service on the system or the entire system (i.e., application/website/network)
is unavailable to a user because it is kept busy trying to respond to an exorbitant number of requests.
A DoS attack is usually an attack of last resort because it is considered to be an unsophisticated attack as
the attacker does not gain access to any information but rather annoys the target and interrupts the
service.
1. Jolt2- A major vulnerability has been discovered in Windows' networking code. The
vulnerability allows remote attackers to cause a DoS attack against Windows-based machines — the
attack causes the target machine to consume 100% of the CPU time on processing of illegal packets.
2. Nemesy- This program generates random packets with a spoofed source IP to enable the attacker to
launch a DoS attack.
3. Targa- It is a program that can be used to run eight different DoS attacks. The attacker has the
option to launch either individual attacks or try all the attacks until one is successful.
4. Crazy Pinger- This tool can send large ICMP packets to a remote target network.
5. SomeTrouble- It is a remote flooder and bomber. It is developed in Delphi.

DDoS Attacks

In a DDoS attack, an attacker may use your computer to attack another computer. By taking
advantage of security vulnerabilities or weaknesses, an attacker could take control of your
computer. He/she could then force your computer to send huge amounts of data to a website or
send Spam to particular E-Mail addresses. The attack is "distributed" because the attacker is using
multiple computers, including yours, to launch the DoS attack.

Tools used to launch DDoS attack

1. Trinoo: It is a set of computer programs to conduct a DDoS attack. It is believed that Trinoo
networks have been set up on thousands of systems on the Internet that have been compromised by
remote buffer overrun exploits.
2. Tribe Flood Network (TFN): It is a set of computer programs to conduct various DDoS attacks such as ICMP
flood, SYN flood, UDP flood and Smurf attack.
3. Stacheldraht: It is written by Random for Linux and Solaris systems, and acts as a DDoS agent. It combines
features of Trinoo with TFN and adds encryption.
4. Shaft: This network looks conceptually similar to Trinoo; it is a packet flooding attack and the
client controls the size of the flooding packets and the duration of the attack.
5. MStream: It uses spoofed TCP packets with the ACK flag set to attack the target. Communication
is not encrypted and is performed through TCP and UDP packets. Access to the handler is password
protected. This program has a feature not found in other DDoS tools: it informs all connected users of
access, successful or not, to the handler(s) by competing parties.

How to Protect from DoS/DDoS Attacks

1. Implement router filters. This will lessen your exposure to certain DoS attacks.
2. If patches are available for your system, install them to guard against TCP SYN flooding.
3. Disable any unused or inessential network service. This can limit the ability of an attacker
to take advantage of these services to execute a DoS attack.
4. Enable quota systems on your OS if they are available.
5. Observe your system's performance and establish baselines for ordinary activity. Use the
baseline to gauge unusual levels of disk activity, central processing unit (CPU) usage or network
traffic.
6. Routinely examine your physical security with regard to your current needs.
7. Use Tripwire or a similar tool to detect changes in configuration information or other files.
8. Invest in and maintain "hot spares" - machines that can be placed into service quickly if a similar
machine is disabled.
9. Invest in redundant and fault-tolerant network configurations.
10. Establish and maintain regular backup schedules and policies, particularly for important
configuration information.
11. Establish and maintain appropriate password policies, especially access to highly privileged
accounts such as Unix root or Microsoft Windows NT Administrator.
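One way to put item 5 (baselines for ordinary activity) to work against the SYN attack described earlier: count half-open connections per time window and compare them with a baseline measured on ordinary traffic. This is an added example, not from these notes or from US-CERT; the log format and the traffic are constructed.

```python
"""Half-open connection counting as a SYN flood detector, measured against a
baseline of ordinary activity. Added example; the log format and the traffic
below are constructed, not a real capture or any vendor's format."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed client-side TCP event format: flags=S is a SYN, flags=A is the
# client's final handshake ACK. A SYN that never gets one is "half-open".
LINE_RE = re.compile(r"ts=(\d+) src=(\S+) dst=(\S+) dport=(\d+) flags=([SA]+)")


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    dport: int
    flags: str


def parse(lines) -> list[Event]:
    """Parse log lines in the constructed format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append(Event(int(m[1]), m[2], m[3], int(m[4]), m[5]))
    return events


def half_open_syns(events: list[Event]) -> list[Event]:
    """SYNs from a (src, dst, dport) that never sent the completing ACK; the
    server keeps a queue slot for each, which is what a SYN flood exhausts."""
    completed = {(e.src, e.dst, e.dport) for e in events if "A" in e.flags}
    return [e for e in events if e.flags == "S" and (e.src, e.dst, e.dport) not in completed]


def half_open_by_window(events: list[Event], window: int = 10) -> Counter:
    """Half-open SYN count per time window, keyed by the window's start time."""
    counts = Counter()
    for e in half_open_syns(events):
        counts[e.ts // window * window] += 1
    return counts


def measure_baseline(events: list[Event], window: int = 10) -> float:
    """Mean half-open SYNs per window over traffic known to be ordinary."""
    if not events:
        return 0.0
    span = (max(e.ts for e in events) - min(e.ts for e in events)) // window + 1
    return sum(half_open_by_window(events, window).values()) / span


def detect_syn_flood(events, baseline: float, factor: float = 10, window: int = 10) -> dict:
    """Windows whose half-open count exceeds factor x baseline, with their counts."""
    return {start: n for start, n in sorted(half_open_by_window(events, window).items())
            if n > baseline * factor}


def constructed_log() -> list[str]:
    """Constructed sample: 20 normal handshakes and 2 clients that timed out,
    then 500 SYNs from spoofed sources that never complete the handshake."""
    lines = []
    for i in range(20):
        src, ts = f"10.0.0.{i + 1}", 1000 + i % 10
        lines.append(f"ts={ts} src={src} dst=192.0.2.10 dport=80 flags=S")
        lines.append(f"ts={ts} src={src} dst=192.0.2.10 dport=80 flags=A")
    for i in range(2):
        lines.append(f"ts=1003 src=10.0.1.{i + 1} dst=192.0.2.10 dport=80 flags=S")
    for i in range(500):
        src, ts = f"203.0.113.{i % 250 + 1}", 1010 + i % 10
        lines.append(f"ts={ts} src={src} dst=192.0.2.10 dport=80 flags=S")
    return lines


if __name__ == "__main__":
    lines = constructed_log()
    baseline = measure_baseline(parse(lines[:42]))   # the ordinary part only
    print(f"baseline={baseline} alerts={detect_syn_flood(parse(lines), baseline)}")
```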

SQL Injection:
* SQL injection is a code injection technique that exploits a security vulnerability occurring in the
database layer of an application.
* The vulnerability is present when user input is either filtered incorrectly for string literal escape
characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly
executed.
* Attackers target the SQL servers – common database servers used by many organizations to store
confidential data.
* During an SQL injection attack, Malicious Code is inserted into a web form field or the website's code
to make a system execute a command shell or other arbitrary commands.
* Just as a legitimate user enters queries and additions to the SQL database via a web form, the attacker
can insert commands to the SQL server through the same web form field.

Blind SQL Injection

* Blind SQL injection is used when a web application is vulnerable to an SQL injection but the results of
the injection are not visible to the attacker.
* The page with the vulnerability may not be the one that displays data; however, it will display
differently depending on the results of a logical statement injected into the legitimate SQL statement
called for that page.

Using SQL injections, attackers can:

1. Obtain some basic information if the purpose of the attack is reconnaissance.
2. Gain access to the database by obtaining usernames and their passwords.
3. Add new data to the database.
4. Modify data currently in the database.
How to Prevent SQL Injection Attacks
SQL injection attacks occur due to poor website administration and coding. The following steps can be
taken to prevent SQL injection.
1. Input validation
2. Modify error reports
3. Other preventions
* The default system accounts for SQL Server 2000 should never be used.
* Isolate the database server and web server. Both should reside on different machines.
* Attackers most often make use of extended stored procedures such as xp_cmdshell and
xp_grantlogin in SQL injection attacks. If such extended stored procedures are not used, or there are
unused triggers, stored procedures, user-defined functions, etc., then these should be moved to an
isolated server.
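The vulnerable web-form login beside its hardened form (input validation, a parameterized query and a generic error report, i.e. prevention steps 1 and 2 above), as an added example not from these notes; it uses Python's sqlite3 module and a constructed users table.

```python
"""Vulnerable string-built login query beside the hardened version: input
validation, a parameterized query and generic error reporting. Added example
using Python's sqlite3 module; the users table and its rows are constructed."""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # allow-list for the username field


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash_of_alice_pw"), ("bob", "hash_of_bob_pw")])
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    """The flaw the notes describe: form input is spliced into the SQL text, so a
    quote in the input ends the string literal and the rest is parsed as SQL. The
    True/False outcome is the kind of visible difference blind injection reads."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password_hash: str) -> bool:
    """Hardened: (1) input validation rejects characters outside the allow-list,
    (2) placeholders pass the values as data, never as SQL, and (3) engine errors
    become a generic failure instead of being echoed to the client."""
    if not USERNAME_RE.match(username):
        return False
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE username = ? AND password_hash = ?",
            (username, password_hash),
        ).fetchone()
    except sqlite3.Error:
        return False   # log the detail server-side; the user sees only "login failed"
    return row is not None


def demo() -> dict:
    """Run both versions against the textbook tautology input and return the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "hash_of_alice_pw"),
        "vuln_tautology": login_vulnerable(conn, "alice", tautology),   # bypass: True
        "safe_valid": login_safe(conn, "alice", "hash_of_alice_pw"),
        "safe_tautology": login_safe(conn, "alice", tautology),          # False
        "safe_bad_username": login_safe(conn, "alice' --", "x"),         # rejected by validation
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```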

Buffer Overflow
* Buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data
storage area) than it was intended to hold.
* As buffers are created to contain a finite amount of data, the extra information can overflow into
adjacent buffers, corrupting or overwriting the valid data held in them.
* Although it may occur accidentally through programming error, buffer overflow is an increasingly
common type of security attack on data integrity.
Types of Buffer Overflow
Stack-Based Buffer Overflow
* Stack buffer overflow occurs when a program writes to a memory address on the program's call stack
outside the intended data structure – usually a fixed length buffer.
* The attacker may exploit stack-based buffer overflows to manipulate the program in various ways by
overwriting.
NOPs
* NOP or NOOP (no operation or no operation performed) is an assembly language instruction which enables
the developer to force memory alignment or to act as a place holder to be replaced by active instructions later
on in program development.
* The NOP opcode can be used to form a NOP slide, which allows code to execute when the exact value of
the instruction pointer is indeterminate.

Heap Buffer Overflow

* Heap buffer overflow occurs in the heap data area when an application copies more data into a buffer
than the buffer was designed to contain.

How to Minimize Buffer Overflow

The following methods will definitely help to minimize such attacks:
1. Assessment of secure code manually
2. Disable stack execution
3. Compiler tools
4. Dynamic run-time checks
5. Various tools are used to detect/defend buffer overflow

Attacks on Wireless Networks

In the yesteryears, "working" meant leaving home, commuting to the workplace, spending those
typical 9 a.m.- 6 p.m. in the office and then shutting down the work and commuting back home or
wherever that one wished to be after office hours. The "working" and "away from work" were
cleanly delineated distinct states that one could be in. Gone are those days and now we are in the
era of computing anywhere, anytime! There is no doubt that workforce "mobility" is on the rise.
The following are different types of "mobile workers":

1. Tethered/remote worker: This is considered to be an employee who generally remains at a
single point of work, but is remote to the central company systems. This includes home workers,
tele-cottagers and, in some cases, branch workers.

2. Roaming user: This is either an employee who works in an environment (e.g., warehousing, shop
floor, etc.) or in multiple areas (e.g., meeting rooms).

3. Nomad: This category covers employees requiring solutions in hotel rooms and other semi-tethered
environments where modem use is still prevalent, along with the increasing use of multiple wireless
technologies and devices.

4. Road warrior: This is the ultimate mobile user and spends little time in the office; however, he/she
requires regular access to data and collaborative functionality while on the move, in transit or in hotels.
This type includes the sales and field forces.

Wireless technologies have become increasingly popular in day-to-day business and personal lives. Hand-held
devices such as the PDAs allow individuals to access calendars, E-Mail addresses, phone number lists and the
Internet. Wireless networks extend the range of traditional wired networks by using radio waves to transmit data
to wireless-enabled devices such as laptops and PDAs.

Wireless networks are generally composed of two basic elements: (a) access points (APs) and (b) other wireless-
enabled devices, such as laptops, which use radio transmitters and receivers to communicate or "connect" with each other.

Wireless technology is no longer a buzzword in today's world. Let us understand the important components of a wireless
network, apart from components such as modems, routers, hubs and firewalls, which are an integral part of any wired
network as well as a wireless network.
1. 802.11 networking standards: Institute of Electrical and Electronics Engineers (IEEE) 802.11 is a
family of standards for wireless local area networks (WLANs), stating the specifications and/or
requirements for computer communication in the 2.4, 3.6 and 5 GHz frequency bands.
a. 802.11: It is applicable to WLANs and provides 1 or 2 Mbps transmission in the 2.4 GHz
band using either frequency-hopping spread spectrum (FHSS) or direct sequence spread
spectrum (DSSS).
b. 802.11a: It provides 54 Mbps transmission in the 5 GHz band and uses orthogonal
frequency division multiplexing (OFDM), which is a more efficient coding technique compared
with FHSS and DSSS.
c. 802.11b: It provides 11 Mbps transmission in the 2.4 GHz band and uses complementary
code keying (CCK) modulation to improve speeds. In 1999, a ratification was made to the original
802.11 standard, termed 802.11b, which allowed wireless functionality
comparable to Ethernet. Although it was the slowest standard, it was at the same time the
least expensive, and this led to the rapid acceptance of 802.11b across the world as the
definitive WLAN technology, known as the "Wi-Fi standard."
d. 802.11g: It provides 54 Mbps transmission in the 2.4 GHz band and the same OFDM coding as 802.11a,
hence it is a lot faster than 802.11a and 802.11b.
e. 802.11n: It is the newest standard available widely and uses multiple-input multiple-output (MIMO), which
improves the speed and range significantly. For example, although 802.11g provides 54 Mbps
transmission theoretically, it can only achieve 24 Mbps because of network traffic
congestion, whereas 802.11n can achieve speeds as high as 140 Mbps.
2. Access points: It is also termed as AP. It is a hardware device and/or a software that acts as a central
transmitter and receiver of WLAN radio signals. Users of wireless device, such as laptop/PDAs get connected
with these APs, which in turn get connected with the wired LAN. An AP acts as a communication hub for
users to connect with the wired LAN.
3. Wi-Fi hotspots: A hotspot is a site that offers Internet access by using Wi-Fi technology over a WLAN.
Hotspots are found in public areas.
a. Free Wi-Fi hotspots: Wireless Internet service is offered in public areas, free of cost and that too
without any authentication. The users will have to enable the wireless on their devices, search for
such hotspots and click connect. The Internet facility is then made available to the user.
As the authentication mechanism on the router is disabled, the user gets connected to the WLAN and
cybercriminals get their prey. As access to free hotspots cannot be controlled, cyber security is
always questioned.
b. Commercial hotspots: The users are redirected to authentication and online payment to avail the
wireless Internet service in public areas. The payment can be made using credit/debit card through
payment gateways such as PayPal. Major airports and business hotels usually charge to avail
wireless Internet service.
4. Service set identifier (SSID): It is the name of an 802.11 WLAN, and all wireless devices on a WLAN must
use the same SSID to communicate with each other. While setting up the WLAN, the user (or WLAN
administrator) sets the SSID, which can be up to 32 characters long, so that only the users who know the SSID
will be able to connect to the WLAN. It is always advised to turn OFF the broadcast of the SSID, which results
in the detected network displaying as an unnamed network, and the user would need to manually enter the
correct SSID to connect to the network.
5. Wired equivalent privacy (WEP): Wireless transmission is susceptible to eavesdropping, and to provide
confidentiality, WEP was introduced as part of the original 802.11 protocol in 1997. It is now regarded as a
deprecated security algorithm for IEEE 802.11 WLANs. SSID along with WEP delivers only a fair amount of
security for a wireless network.
6. Wi-Fi protected access (WPA and WPA2): During 2001, serious weaknesses in WEP were identified, which
resulted in WEP cracking software being made available that enabled cybercriminals to intrude into WLANs.
WPA was introduced as an interim standard to replace WEP and improve upon the security features of WEP.
7. Media access control (MAC): It is a unique identifier of each node (i.e., each network interface) of the
network; it is assigned by the manufacturer of the network interface card (NIC) and stored in its hardware. MAC
address filtering allows only the devices with specific MAC addresses to access the network. The router must
be configured stating which addresses are allowed.

Tools used for hacking wireless networks


1. NetStumbler: This tool is based on Windows OS and easily identifies wireless signals being
broadcast within range. It also has the ability to determine the signal/noise ratio, which can be used for site surveys.
2. Kismet: This tool detects and displays SSIDs that are not being broadcast, which is very critical in
finding wireless networks; NetStumbler does not have this key functional element, the ability to display
wireless networks that are not broadcasting their SSID.
3. Airsnort: This tool is very easy to use and is usually used to sniff and crack WEP keys
(http://airsnort.shmoo.com/).
4. CowPatty: This tool is used as a brute force tool for cracking WPA-PSK, which is considered to be the
"new WEP" for home wireless security. This program simply tries a bunch of different options from a
dictionary file to see if one ends up matching what is defined as the preshared key.
5. Wireshark (formerly Ethereal): Ethereal can scan wireless and Ethernet data and comes with some
robust filtering capabilities. It can also be used to sniff out 802.11 management beacons and probes,
and subsequently could be used as a tool to sniff out non-broadcast SSIDs.
Traditional Techniques of Attacks on Wireless Networks

In security breaches, penetration of a wireless network through unauthorized access is termed wireless
cracking. The various methods once demanded a high level of technological skill and knowledge, but the
availability of numerous software tools has made it less sophisticated, so that WLANs can now be cracked
with minimal technological skill.

1. Sniffing: It is eavesdropping on the network and is the simplest of all attacks. Sniffing is the simple
process of intercepting wireless data that is being broadcast on an unsecured network. Also termed a
reconnaissance technique, it gathers the required information about the active/available Wi-Fi networks.
The attacker usually installs the sniffers remotely on the victim's system and conducts activities such as:
a. passive scanning of the wireless network;
b. detection of the SSID;
c. collecting the MAC addresses;
d. collecting the frames to crack WEP.
2. Spoofing: The primary objective of this attack is to successfully masquerade an identity by falsifying
data and thereby gain an illegitimate advantage. The attacker often launches an attack on a wireless
network by simply creating a new network with a stronger wireless signal and a copied SSID in the same
area as a legitimate network. The attacker can conduct this activity easily because, once a
wireless network is set up, the computers no longer need to be told to access the network; rather, they access it
automatically as soon as they move within the signal range. This convenient feature is always exploited by
the attacker.

MAC address spoofing: It is a technique of changing the assigned Media Access Control
(MAC) address of a networked device to a different one. This allows the attacker to bypass the access
control lists on servers or routers by either hiding a computer on a network or allowing it to impersonate
another network device.

IP spoofing: It is a process of creating IP packets with a forged source IP address, with the purpose
of concealing the identity of the sender or impersonating another computing system. To engage in
IP spoofing, the attacker uses a variety of techniques to find the IP address of a trusted host and
then modifies the packet headers so that it appears that the packets are coming from that host, that
is, from a legitimate sender.

Frame Spoofing: The attacker injects the frames whose content is carefully spoofed and
which are valid as per 802.11 specifications. Frames themselves are not authenticated in 802.11
networks and hence when a frame has a spoofed source address, it cannot be detected unless the
address is entirely faked/bogus.

3. Denial of service (DoS): It occurs when a website is accessed massively and repeatedly from different locations,
preventing legitimate visitors from accessing the website. When a DoS attack is launched from different
locations in a coordinated fashion, it is often referred to as a distributed denial of service (DDoS) attack.
4. Man-in-the-middle attack (MITM): It refers to the scenario wherein an attacker on host A inserts A
between all communications between hosts X and Y without the knowledge of X and Y. All messages sent by
X do reach Y, but through A, and vice versa.
5. Encryption cracking: It is always advised that the first step to protect wireless networks is to use
WPA encryption. The attackers always devise new tools and techniques to deconstruct the older
encryption technology, which is quite easy for attackers due to continuous research in this field.
Hence, the second step is to use a long and highly randomized encryption key; this is very important. It is a
little pain to remember a long random encryption key; however, at the same time these keys are much harder to
crack.
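The copied-SSID (stronger-signal) scenario described under Spoofing is something a defender can watch for. The check below is an added example, not code from the notes: it compares a constructed site-survey result (the kind of beacon list Kismet or NetStumbler produce) against an inventory of authorised APs and flags any beacon that advertises one of our SSIDs from a BSSID that is not in the inventory. The inventory, scan records and field names are all assumptions.

```python
# Constructed inventory: the BSSIDs (AP radio MAC addresses) authorised to serve each SSID we operate.
KNOWN_APS = {
    "CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}

# Constructed site-survey result, in the shape a scanner reports beacons (signal in dBm).
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:55", "channel": 6,  "signal": -60, "security": "WPA2"},
    {"ssid": "CorpWiFi", "bssid": "AA:BB:CC:DD:EE:FF", "channel": 11, "signal": -35, "security": "WPA2"},
    {"ssid": "CorpWiFi", "bssid": "AA:BB:CC:DD:EE:01", "channel": 1,  "signal": -50, "security": "OPEN"},
    {"ssid": "CafeFree", "bssid": "12:34:56:78:9A:BC", "channel": 1,  "signal": -70, "security": "OPEN"},
]


def find_rogue_aps(scan, known):
    """Flag beacons that advertise one of our SSIDs from a BSSID that is not in the inventory."""
    known = {ssid: {b.lower() for b in bssids} for ssid, bssids in known.items()}
    # Strongest signal observed from an authorised AP, per SSID, for the 'louder twin' check.
    best_legit = {}
    for r in scan:
        if r["bssid"].lower() in known.get(r["ssid"], set()):
            best_legit[r["ssid"]] = max(best_legit.get(r["ssid"], -999), r["signal"])
    alerts = []
    for r in scan:
        ssid, bssid = r["ssid"], r["bssid"].lower()
        if ssid not in known or bssid in known[ssid]:
            continue  # either not a network we operate, or an authorised radio
        reasons = ["BSSID not in inventory"]
        if r["security"] == "OPEN":
            reasons.append("advertises no encryption (downgrade bait)")
        if r["signal"] > best_legit.get(ssid, -999):
            reasons.append("stronger than any authorised AP in range")
        alerts.append({"ssid": ssid, "bssid": bssid, "channel": r["channel"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_rogue_aps(SCAN, KNOWN_APS):
        print("ROGUE AP %s on channel %d for SSID %s: %s"
              % (a["bssid"], a["channel"], a["ssid"], "; ".join(a["reasons"])))
```

Run periodically against fresh survey data, a new BSSID for a known SSID is the signature of the copied-network attack above, and an OPEN twin of a WPA network is the variant that lures auto-connecting clients.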

Theft of Internet Hours and Wi-Fi-based Frauds and Misuses

Information communication technology (ICT) is within reach of people nowadays and most of the
new systems (i.e., computers) are equipped for wireless Internet access, as more and more people are opting for
Wi-Fi in their homes. Wireless networking in homes is becoming a common necessity because of lifestyle and the
availability of inexpensive broadband routers that can be configured easily, or need not be configured at all
because of their plug-and-play feature.
Cybercriminals know that they should not steal Internet hours purchased by others, but somehow they
want to get their work done without paying for the Internet connection, and they also want to know whether
anyone can find out whom they are stealing it from. Here is what they are most likely to do:
(a) find out the IP address of the router that you are using;
(b) open a command prompt (go to Start, click Run, type cmd and press Enter);
(c) type the command ipconfig/all and press Enter.

How to Secure the Wireless Networks

Nowadays, the security features of Wi-Fi networking products are not that time-consuming or non-intuitive
to configure; however, they are still ignored, especially by home users. The following summarized steps will help to
improve and strengthen the security of a wireless network.
1. Change the default settings of all the equipment/components of the wireless network (e.g., IP address/user
IDs/administrator passwords, etc.).
2. Enable WPA/WEP encryption.
3. Change the default SSID.
4. Enable MAC address filtering.
5. Disable remote login.
6. Disable SSID broadcast.
7. Disable the features that are not used in the AP (e.g., printing/music support).
8. Avoid providing the network a name which can be easily identified (e.g., My_Home_Wifi).
9. Connect only to secured wireless networks (i.e., do not auto-connect to open Wi-Fi hotspots).
10. Upgrade the router's firmware periodically.

Tools to protect wireless network

1. Zamzom Wireless Network Tool: This freeware tool helps to protect wireless networks and maintain
computer security; it detects all computer names, MAC and IP addresses utilizing a single wireless network and
reveals all computers, both authorized and unauthorized, that have access to any given wireless network.
2. AirDefense Guard: The tool provides advanced intrusion detection for wireless LANs and is based on
signature analysis, policy deviation, protocol assessment and statistically anomalous
behavior. AirDefense detects and responds to:
a. denial-of-service (DoS) attacks;
b. man-in-the-middle attacks;
c. identity theft.
3. Wireless Intrusion Detection System (WIDZ): This is an intrusion detection system for 802.11 wireless
LANs. It guards APs and monitors local frequencies for potentially malevolent activity. It can detect
scans, association floods and bogus APs, and it can easily be integrated with other products such as
SNORT or RealSecure.

Phishing and Identity Theft: Introduction to Phishing


Phishing is a method of identity theft that relies on individuals unwittingly volunteering personal details or
information that can then be used for nefarious purposes. It is often carried out through the creation of a
fraudulent website, email, or text appearing to represent a legitimate firm.
The following highlights signs of phishing, and how to protect yourself:

1. Exceptionally good deals or offers: If an email touts offers that are too good to be true, they probably are. For
example, an email claiming you've won the lottery or some other lavish prize may be luring you in to get you to
click a link or relay sensitive personal information.
2. Unknown or unusual senders: Though phishing emails may look like they originate from someone you know, if
anything seems out of the ordinary, be cautious. When in doubt, hover over the email address of the sender to
ensure the email address matches the email address you expect. Place a phone call to the company if you are
unsure of an email or website. Don't respond to emails with any personal information. (See the image below for an
example of an unusual sender's email address).
3. Hyperlinks and attachments: These are particularly concerning if received from an unknown sender. Never open
links or attachments unless you are confident they are from a safe sender. Type in the link address rather than
clicking the link.
4. Incorrect spelling in the web address: Phishing sites often use web addresses that look similar to the correct site,
but contain a simple misspelling, like replacing a "1" for an "l".
5. Immediate pop-ups: Be wary of websites that immediately display pop-up windows, especially those asking for
your username and password. Use two-factor authentication, a browser with anti-phishing detection, and keep
security on your systems up-to-date.
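Signs 2 and 4 above (a sender or link address that does not quite match, a web address with a look-alike misspelling such as "1" for "l") can be checked mechanically before anyone clicks. This added example, not code from the notes, classifies a link or sender domain as trusted, a look-alike of a trusted domain (confusable characters, a one-character misspelling, or the trusted brand buried as a subdomain), or unknown. The trusted-domain list and the confusable map are constructed, and the two-label "registrable domain" rule is a simplification.

```python
from urllib.parse import urlparse

# Constructed allowlist of domains the user genuinely expects links or mail from.
TRUSTED = {"paypal.com", "examplebank.com"}

# Digits and glyphs that phishing domains substitute for the letters they resemble.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})


def hostname(url):
    """Lower-cased host of a URL (a bare domain without a scheme is accepted too)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def registrable(host):
    """Last two labels, e.g. www.paypal.com -> paypal.com (ignores suffixes like co.uk)."""
    return ".".join(host.split(".")[-2:])


def normalise(domain):
    """Undo common look-alike substitutions so 'paypa1.corn' compares as 'paypal.com'."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings such as 'paypall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """'trusted', 'unknown', or 'lookalike of <domain>: <why>' for a link or sender domain."""
    host = hostname(url)
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if brand in host.split(".")[:-2]:          # paypal.com.evil.example
            return "lookalike of %s: brand used as a subdomain of %s" % (trusted, domain)
        if normalise(domain) == trusted:            # paypa1.com, paypal.corn
            return "lookalike of %s: confusable characters" % trusted
        if edit_distance(normalise(domain).split(".")[0], brand) <= 1:
            return "lookalike of %s: one-character misspelling" % trusted
    return "unknown"
```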

Identity Theft (ID Theft):


Identity theft is a crime in which an attacker uses fraud or deception to obtain personal or sensitive information from
a victim and misuses it to act in the victim’s name. Usually, perpetrators of such crime are motivated by their own
economic gain.
Identity thieves usually obtain personal information such as passwords, ID numbers, credit card numbers or social
security numbers, and misuse them to act fraudulently in the victim’s name. These sensitive details can be used for
various illegal purposes including applying for loans, making online purchases, or accessing victim’s medical and
financial data.

How to protect yourself from identity theft:

• Secure your connection: If you are going to use your personal information online, make sure you do so only when
your connection is secure, preferably via a home or corporate network or cellular data. If possible, avoid public Wi-Fi
with no password protection. Should you have no other choice, use a virtual private network (VPN) that will
encrypt all your communication and thus protect you from eavesdropping criminals.
• Keep your devices secure: Protect your laptop, smartphone and tablet from malicious software and attackers by
using a reliable, multi-layered, up-to-date security solution.
