Cyber Attack Taxonomy – (unfinished draft)
script kiddies, newbies, novices
This is the least sophisticated category of adversaries, consisting of individuals with limited programming skills. They are new to hacking and rely on pre-written scripts known as ‘toolkits’ in their exploits; examples of these include NeoSploit, WebAttacker, and IcePack (Westervelt, 2007). The primary motivation of these adversaries is boredom and thrill-seeking; they are often young and eager for acceptance from the hacker subculture. Though they are attracted to deviant behavior, their overall maliciousness tends to be low because of their limited skills. With the increasing sophistication of the available toolkits, their ability to pull off larger-scale attacks is on the rise, as in the case of the denial-of-service attacks perpetrated by ‘Mafia Boy’ in Canada (Rogers, 2006).
hacktivists, political activists
These adversaries differ from the other classes in that they are motivated by a political cause rather than a form of personal gain. Their attacks consist primarily of denial of service and defacement attacks against the sites of rival organizations, though they have also been known to employ worms and viruses (Denning, 2001). Their maliciousness is highly focused against the targeted organizations, though it can still have broad-reaching consequences. Some examples of hacktivism include the ‘virtual sit-ins’ perpetrated by Electronic Disturbance Theater against the Pentagon and other agencies, in protest of perceived civil rights violations; email bombs used by the Internet Black Tigers throughout Sri Lanka to gain publicity for the Tamil Tigers; and worm propagation by WANK (Worms Against Nuclear Killers) on computers in NASA’s Goddard Space Flight Center, protesting an upcoming launch (Denning, 2001).
cyber punks, crashers, thugs
Adversaries in this class have similar motivations but greater skills than those in the novice category. They are capable of writing their own (limited) scripts and engaging in malicious acts such as spamming, defacing, and identity theft. These hackers seek attention and prestige and are most likely to be featured in the media, often because they pick high-profile targets and come under the notice of authorities (Rogers, 2006). Occasionally such adversaries will go on to become internet security consultants, as in the case of Kevin Mitnick, who combined his hacking skills with social engineering to gain access to restricted systems (Mitnick, 2002; Rogers, 2006).
insiders, user malcontents
This group of adversaries represents arguably the greatest risk to companies, and yet is often the least publicized (Rogers, 2006; Gelles et al., 2008). Insiders are most frequently motivated by revenge, usually in response to a negative work-related event; this frustration leads them to deliberately attack their own company (Kowalski et al., 2008). The scope of insider damage can be extremely large, as these individuals are often very familiar with the systems that they are attacking and often hold elevated access privileges. Insiders often seek to sabotage systems, as in the case of Michael Lauffenberger, who planted a logic bomb to delete data in a system that he designed and envisioned subsequently coming to ‘rescue’ his company (Shaw et al., 1998).
coders, writers
Adversaries in this category are primarily involved in writing the code and exploits that are used by others, especially those in the novice category. Their motivation is power and prestige: they see themselves as mentors to the younger hackers and like feeling important (Rogers, 2006). There is a continuum of ability among individuals in this category, and it has been suggested that many such writers eventually ‘age out’ of this behavior (Gordon, 2006). In general, such writers can be quite dangerous, as their software can be widely distributed and acquire a life of its own.
white hat hackers, old guard, sneakers
Individuals in this category consider themselves ‘purists’ and subscribe to the flavor of hacking initially popularized at MIT in the early days of computers. They are not malicious hackers and do not wish to cause damage, though they often show a lack of regard for personal privacy (Rogers, 2006). White hat hackers are primarily motivated by the intellectual challenge of testing security systems and writing new programs. They are often hired as security analysts, paid to test a company’s defenses by trying to break into its systems and assessing the response (Barber, 2001). The National Security Agency even offers certification in such ‘ethical hacking’ activities (Taylor et al., 2006). Although these individuals probably should not be considered “adversaries,” we include them in our treatment for the sake of completeness.
black hat hackers, professionals, elite
The adversaries in this category are professional criminals who use their technical skills in pursuit of their criminal activities. Like criminals outside the cyber domain, they are motivated by money and greed. Rather than seeking fame, they prefer to lie low and evade authorities (Rogers, 2006). These hackers are both rare and very dangerous, as they have strong technical skills and are often able to support themselves through their criminal exploits. Such adversaries are often employed by organized crime, and can be described as ‘guns for hire’. Although this is one of the most dangerous types of cyber adversaries, it is also the one about which the least is known (Rogers, 2006).
cyber terrorists
The most dangerous and skilled of all cyber adversary classes, cyber terrorists engage in state-sponsored information technology warfare. Their job is to conduct attacks that destabilize, disrupt, and destroy the cyber assets and data of an enemy nation or government organization (Rogers, 2006). Attacks by cyber terrorists are typically well-funded and highly secretive; individuals engaging in such activities have extremely high skills and are motivated by ideology. One of the best known examples of such terrorism occurred in Estonia in 2007, following the removal of a Russian World War II monument; a massive denial of service attack crippled the websites of Parliament, several national newspapers, and the central bank (Landler & Markoff, 2007). A similarly crippling DDoS attack preceded the conflict between Russia and the Republic of Georgia in 2008 (Markoff, 2008). Such attacks are hard to prosecute, which makes them even more dangerous, and guarding against these attacks has become a top national priority.
viruses
A computer virus is a program that can copy itself and infect system files without the knowledge of the user. Viruses are transferred when their host is connected with the target system, either via a computer network, the internet, or a form of removable media. The spread of viruses depends on user interaction, in particular the execution of the corresponding virus code; for this reason many viruses are attached to legitimate program executables. The term ‘computer virus’ was first used in 1983 by Frederick Cohen, who likened the spread of the program to a biological system (Highland, 1997). Possibly the most destructive virus to date is the ILOVEYOU virus, a Visual Basic Script virus that originated in the Philippines and caused 10 to 15 billion dollars of damage worldwide in the year 2000 (Jones, 2006).
File Infectors
File infector viruses infect files on the victim’s computer by inserting themselves into a file. Usually the file is an executable file, such as a .EXE or .COM in Windows. When the infected file is run, the virus executes as well.
The Infector Virus is an example of a file infector virus obtained from [65]. The Infector Virus infects .COM files on Windows-based systems by attaching itself to the end of the target file. Infection occurs when the infected file is run, with the virus selecting one .COM file in the current directory as the target file.
System and Boot Record Infectors
System and boot record infectors were the most common type of virus until the mid 1990s. These types of viruses infect system areas of a computer such as the Master Boot Record (MBR) on hard disks and the DOS boot record on floppy disks. By installing itself into boot records, the virus can run itself every time the computer is booted up. Floppy disks are often infected as users tend to leave floppy disks in the floppy drive. If left in the floppy drive, on reboot the computer may boot from the floppy disk. Thus, the virus has a chance to execute. These types of viruses were very common in the early days of personal computing. However, with the introduction of more modern operating systems, and virus checks being enabled in the Basic Input Output System (BIOS), few of these viruses are being created today. New means of propagation, such as the Internet, are also much more attractive to virus creators.
Macro Viruses
Macro viruses are simply malicious macros for popular programs such as Microsoft Word. For example, they may delete information from a document or insert phrases into it. Propagation is usually through the infected files. If a user opens a document that is infected, the virus may install itself so that any subsequent documents are also infected. Some macro viruses propagate via email, such as the Melissa virus covered in the next section. Often the macro virus will be attached as an apparently benign file to fool the user into infecting themselves.
The Melissa virus is the best known macro virus. It was released in March 1999, and targeted Microsoft Word 97 and 2000. The virus worked by emailing a victim with an email that appeared to come from an acquaintance. The email contained a Microsoft Word document as an attachment that, if opened, would infect Microsoft Word; if the victim used the Microsoft Outlook 97 or 98 email client, the virus would be forwarded to the first 50 contacts in the victim’s address book. Melissa caused a significant amount of damage, as the email sent by the virus flooded email servers. ICSA estimated that Melissa could have caused damage as high as USD $385 million. The classification of Melissa is interesting. Some consider it a virus, others consider it a worm. Under the proposed taxonomy in Chapter 4, Melissa is considered to be a mass-mailing worm with a viral payload.
Virus Properties
Viruses often have additional properties beyond being a file infector or macro virus. A virus may also be multi-partite, stealth, encrypted or polymorphic. Multi-partite viruses are hybrid viruses that infect both files and system and/or boot records. This means multi-partite viruses have the potential to be more damaging and more resistant, which makes them a type of blended attack. A stealth virus is one that attempts to hide its presence. This may involve attaching itself to files that are not usually seen by the user. Viruses can use encryption to hide their payload. A virus using encryption will know how to decrypt itself to run. As the bulk of the virus is encrypted, it is harder to detect and analyze. Some viruses have the ability to change themselves either as time goes by or when they replicate. Such viruses are called polymorphic viruses. Polymorphic viruses can usually avoid being eradicated longer than other types of viruses, as their signature changes.
worms
A computer worm is a self-replicating program that uses a host network to send copies of itself to other computers on the network. As opposed to viruses, worms do not need to attach themselves to existing programs and can spread without any user interaction; moreover, they seek to infect the network infrastructure rather than individual files. Worms spread primarily by exploiting vulnerabilities in operating systems, most often striking systems that have not applied a major security patch. Commonly, worms install a ‘backdoor’ on infected systems to allow remote control; using this, the Sobig worms were able to create a massive ‘botnet’ of systems dedicated to sending spam (Levy, 2003). Worms can spread very quickly, as in the case of SQL Slammer, which shut down all of South Korea’s online capacity for 12 hours after its launch in 2003 (Jones, 2006).
Mass-Mailing Worms
Mass-mailing worms are an interesting category, as many attacks in this category could quite easily be classified as a worm, a virus or both. For the purpose of this research and the taxonomy, a mass-mailing worm is a worm that spreads through email. Once the email has reached its target it may have a payload in the form of a virus or trojan. Email, although it may become a file on its journey, is more abstract than a file. Therefore, while some attacks may use email attachments to send viruses, the attack vector is still email. A case could be made that a mass-mailing virus category would be more appropriate, but the proposed taxonomy attempts to use the attack vector as the first means of classification. Therefore, an attack such as Melissa should be classified first as a mass-mailing worm.
Network-Aware Worms
Network-aware worms are a major problem for the Internet. Worms such as SQL Slammer have shown that the Internet can be degraded by a well-written worm. Network-aware worms generally follow a four stage propagation model. Although this is a generalization, most network-aware worms will fit into this model. The four stages of network worm propagation are:
1. Target selection: the compromised host targets a host.
2. Exploitation: the compromised host then attempts to gain access to the target host by exploitation. For example, the SQL Slammer worm exploited a known vulnerability in Microsoft SQL Server 2000 and Microsoft Desktop Engine.
3. Infection: once the worm has access to the target host, it can infect it. Infection may include loading trojans onto the target host, creating back doors or modifying files.
4. Propagation: once infection is complete, the target host is now compromised and can be used by the worm to continue propagation.
trojans
Much like the mythical Trojan horse, trojan attacks function by concealing their malicious intent. They masquerade as a piece of software that performs a desired function, while secretly executing malicious content. Users are fooled into installing the trojan via one of many vectors, most often online downloads or email links. The most common types of trojans install a ‘backdoor’ on infected systems to allow remote access, or engage in data destruction. As opposed to viruses and worms, trojans do not self-replicate and rely entirely on the distribution of their host program to propagate. The earliest trojan horse dates back to 1975, when the computer game ANIMAL housed the subroutine PERVADE, which copied itself into every directory to which the user had access (Walker, 1996). More recently, in 2008 the Chinese password-collecting trojan Mocmex was found housed in digital photo frames (Soper, 2008).
buffer overflows
In programming, a buffer overflow occurs when a program writes more information into the buffer (temporary memory storage) than the space allocated to it in memory. During a buffer overflow attack, malicious users exploit this property by forcing a buffer overflow to overwrite local variables and alter program execution, forcing the process to execute malicious code introduced by the user. Such techniques are well-documented and most often used to gain control of host systems (Levy, 1996).
This buffer overflow technique may be used as a method of enabling other attacks, such as worms, to be executed on a system. This method was used in both the Code Red and SQL Slammer worms, which exploited overflow vulnerabilities in Microsoft’s Internet Information Services and SQL Server respectively (Chen & Robert, 2004).
denial of service
A denial of service attack functions by making a computer network or resource inaccessible to legitimate users. Most often this is accomplished by “flooding” the target with data, so that it is overloaded with such requests. Common targets of these attacks include network routers (resulting in very slow network performance), DNS servers (resulting in an inability to access websites), and email accounts (resulting in a “mail bomb” deluge of spam). In a distributed denial of service attack, multiple systems combine to flood the bandwidth and resources of the target. The first widely publicized distributed attack occurred in 2000, when numerous high-profile websites (including Amazon.com, Yahoo, eBay, and CNN) were crippled for several hours (Garber, 2000). Such attacks can also have political overtones, as in the bombardment of Georgian government websites shortly preceding conflict with Russia (Markoff, 2008).
Buffer Overflows
Buffer overflows are probably the most widely used means of attacking a computer or network. They are rarely launched on their own, and are usually part of a blended attack. Buffer overflows exploit flawed programming in which buffers are allowed to be overfilled. If a buffer is filled beyond its capacity, the data filling it can overflow into the adjacent memory, where it can either corrupt data or be used to change the execution of the program. The two main types of buffer overflow are described below.
Stack Buffer Overflow
A stack is an area of memory that a process uses to store data such as local variables, method parameters and return addresses. Often buffers are declared at the start of a program and so are stored on the stack. Each process has its own stack, and its own heap (as explained in the next section). Stack overflows are the most common form of buffer overflow. Overflowing a stack buffer was one of the first types of buffer overflow and is one that is commonly used to gain control of a process. In this type of buffer overflow, a buffer is declared with a certain size.
If the process controlling the buffer does not make adequate checks, an attacker can attempt to put in data that is larger than the buffer. Once the buffer is full, the remaining data overflows it and overwrites the adjacent memory. An attacker may place malicious code in the buffer. Part of the adjacent memory will often contain the pointer to the next code to execute (the saved return address). The overflow can overwrite this pointer so that it points to the beginning of the buffer, and hence to the beginning of the malicious code. In this way a stack buffer overflow can give an attacker control of the process.
Heap Overflows
Heap overflows are similar to stack overflows but are generally more difficult to create. The heap is similar to the stack, but stores dynamically allocated data. The difference between stack allocated data and heap allocated data is shown below:
#include <stdlib.h>   /* malloc() and free() */

int main(){
    char stack_buffer[256];                                   /* lives on the stack; released automatically on return */
    char *heap_buffer = (char *) malloc(256 * sizeof(char));  /* lives on the heap; released only by free() */
    free(heap_buffer);
    return 0;
}
The heap does not usually contain return addresses like the stack, so it is harder to gain control over a process than if the stack is used. However, the heap contains pointers to data and to functions. A successful buffer overflow will allow the attacker to manipulate the process’s execution. An example would be to overflow a string buffer containing a filename, so that the filename is now an important system file. The attacker could then use the process to overwrite the system file (if the process has the correct privileges).
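As an added example (not code from this draft), the unchecked copy pattern that both the stack and heap overflow descriptions above rely on, beside a bounds-checked replacement; the struct record, its field sizes and the sample values are constructed for the illustration:

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32

/* Constructed record, not code from the draft: a fixed-size name buffer sits
   directly before a filename field, like the heap layout described above
   (on the stack the neighbour could be a saved return address instead). */
struct record {
    char name[NAME_LEN];
    char filename[NAME_LEN];
};

/* The flawed pattern the text describes: strcpy() performs no length check,
   so input longer than NAME_LEN - 1 bytes runs past name[] into whatever is
   adjacent in memory. Shown for contrast only. */
void set_name_unchecked(struct record *r, const char *input) {
    strcpy(r->name, input);
}

/* Hardened version: measure the input against the buffer first, refuse what
   does not fit (leaving the record untouched) and always NUL-terminate.
   Returns 0 on success, -1 if the copy would have overflowed. */
int set_name_checked(struct record *r, const char *input) {
    size_t len = 0;
    while (len < NAME_LEN && input[len] != '\0')   /* bounded scan, no strlen() past the buffer size */
        len++;
    if (len >= NAME_LEN)                            /* no room for the terminating NUL */
        return -1;
    memcpy(r->name, input, len + 1);
    return 0;
}

/* Demonstration: returns 1 when the checked copy rejects a 39-byte name,
   leaves the name and the neighbouring filename untouched, and still
   accepts a short name; 0 otherwise. */
int checked_copy_demo(void) {
    struct record r;
    char oversized[NAME_LEN + 8];
    memset(oversized, 'A', sizeof oversized - 1);   /* 39 'A's plus NUL: too long for name[] */
    oversized[sizeof oversized - 1] = '\0';
    strcpy(r.filename, "/tmp/notes.txt");           /* constructed value, fits the field */
    set_name_unchecked(&r, "bob");                  /* short, trusted input: no overflow */
    if (set_name_checked(&r, oversized) != -1) return 0;
    if (strcmp(r.name, "bob") != 0) return 0;        /* rejected input left name[] alone */
    if (strcmp(r.filename, "/tmp/notes.txt") != 0) return 0;
    if (set_name_checked(&r, "alice") != 0) return 0;
    return strcmp(r.name, "alice") == 0;
}

int main(void) {
    printf("checked copy behaves as expected: %s\n", checked_copy_demo() ? "yes" : "no");
    return 0;
}
```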
Denial of Service Attacks
Denial of Service (DoS) attacks, sometimes known as nuke attacks, are designed to deny legitimate users of a system from accessing or using the system in a satisfactory manner. DoS attacks usually disrupt the service of a network or a computer, so that it is either impossible to use, or its performance is seriously degraded. There are three main types of DoS attacks: host based, network based and distributed.
Host Based
Host based DoS attacks aim at attacking computers. A vulnerability in the operating system, the application software or the configuration of the host is targeted.
Resource Hog
Some host based DoS attacks are designed to use up (hog) resources on a computer. Resources such as CPU time and memory are the most common targets. For example, a trivial resource hog is the fork bomb. A fork bomb simply spawns child processes continually, so over time more and more resources are taken up by the bomb and its children. A Unix based fork bomb, written in C, is shown below (when run on a Gentoo Linux 1.4 box, this fork bomb caused an almost instantaneous lock up):
#include <unistd.h>   /* fork() */

int main(){
    while(1){
        fork();       /* parent and child both keep forking, so the process count grows exponentially */
    }
    return 0;
}
Fork bombs, while very effective, are usually easily detected, either through the marked increase in processes or through logging. They can also be easily prevented by configuring the operating system correctly. Another type of resource hog accesses memory in certain patterns so that thrashing occurs: more memory pages are accessed than fit in physical memory, so pages are repeatedly written to and read from the hard disk, which slows the system down significantly. CPU hogs such as Snork exploit vulnerabilities in the operating system. The Snork attack consumes 100% of the target’s CPU time. Snork also has a network based DoS component that allows it to reduce network bandwidth for legitimate users by continuously bouncing packets between hosts on the network.
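The operating-system configuration that stops a fork bomb, as an added example rather than code from the draft: it sets RLIMIT_NPROC (the per-user process cap behind ulimit -u) on the running process and then shows fork() failing with EAGAIN once the cap is reached. The limit value of 16 and the attempt cap of 50 are assumptions; how many forks succeed depends on how many processes the user already has and on whether the process holds CAP_SYS_RESOURCE or CAP_SYS_ADMIN, which bypass the limit.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ATTEMPTS 50   /* hard cap on forks in this demo, so it never becomes a bomb itself */

/* Lower RLIMIT_NPROC, the per-user process cap a fork bomb runs into once it is
   configured. The hard limit can only be lowered, so the request is clamped to the
   current hard limit. Returns 0 on success, -1 on failure. */
int apply_process_limit(rlim_t limit) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0) return -1;
    if (rl.rlim_max < limit) limit = rl.rlim_max;
    rl.rlim_cur = limit;
    rl.rlim_max = limit;
    return setrlimit(RLIMIT_NPROC, &rl);
}

/* Fork up to max_attempts children (each just sleeps until killed) and stop at the
   first failure; then kill and reap every child created. Returns the number of
   children created and stores the failing fork()'s errno in *fail_errno
   (0 if the cap was never hit). */
int fork_until_limit(int max_attempts, int *fail_errno) {
    pid_t pids[MAX_ATTEMPTS];
    int created = 0;
    *fail_errno = 0;
    if (max_attempts > MAX_ATTEMPTS) max_attempts = MAX_ATTEMPTS;
    fflush(stdout);                                  /* don't duplicate buffered output into children */
    while (created < max_attempts) {
        pid_t pid = fork();
        if (pid < 0) { *fail_errno = errno; break; } /* EAGAIN once RLIMIT_NPROC is reached */
        if (pid == 0) { pause(); _exit(0); }         /* child: wait to be killed */
        pids[created++] = pid;
    }
    for (int i = 0; i < created; i++) {
        kill(pids[i], SIGKILL);
        waitpid(pids[i], NULL, 0);
    }
    return created;
}

/* Demo: cap this user at 16 processes (assumed value), then try to fork 50.
   Returns how many forks succeeded (0..50), or -1 if the limit could not be set. */
int limit_demo(void) {
    int err;
    if (apply_process_limit(16) != 0) return -1;
    int created = fork_until_limit(MAX_ATTEMPTS, &err);
    printf("%d children created; fork() then failed with: %s\n", created,
           err ? strerror(err) : "(never failed: limit not enforced for this user)");
    return created;
}

int main(void) { return limit_demo() < 0 ? 1 : 0; }
```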
Crashers
Crashers are a form of host based DoS that are simply designed to crash the host system, so that it must be restarted. Crashers usually target a vulnerability in the host’s operating system. Many crashers work by exploiting the implementation of network protocols by various operating systems. Some operating systems cannot handle certain packets, which, if received, cause the operating system to hang or crash. Some examples of crashers include Land, Teardrop, and the Ping o’ Death.
Network Based
Network based DoS attacks target network resources in an attempt to disrupt legitimate use. Network based DoS attacks usually flood the network and the target with packets. To succeed in flooding, more packets than the target can handle must be sent, or, if the attacker is attacking the network, enough packets must be flooded so that the bandwidth left for legitimate users is severely reduced.
Three main methods of flooding have been identified in:
TCP Floods: TCP packets are streamed to the target.
ICMP Echo Request/Reply: ICMP packets are streamed to the target, essentially “pinging” it.
UDP Floods: UDP packets are streamed to the target.
In addition to a high volume of packets, packets often have certain flags set to make them more difficult to process. If the target is the network, the broadcast address of the network is often targeted. One simple way of reducing network bandwidth is through a ping flood. Ping floods can be created by sending ICMP request packets of a large size to a large number of addresses (perhaps through the broadcast address) at a fast rate. On most modern operating systems, root access is required to run the ping utility in that way.
Distributed
The last type of DoS attack is perhaps the most interesting. Distributed DoS (DDoS) attacks are a recent development in computer and network attack methodologies. The DDoS attack methodology was first seen in 1999 with the introduction of attack tools such as The DoS Project’s Trinoo, The Tribe Flood Network and Stacheldraht. Between February 7 and 11, 2000, DDoS attacks were put into the spotlight when DDoS attacks were launched at a number of high-profile websites, including eBay.com, Amazon.com, Yahoo.com and CNN.com. The DDoS attacks were effective enough to disrupt the websites’ operation for several hours. DDoS attacks work by using a large number of attack hosts to direct a simultaneous attack on a target or targets. A number of master nodes are used to control a larger number of daemon nodes, which launch the attack on the target. The master nodes order all daemon nodes under them to launch the attack, and the daemon nodes then attack the target simultaneously, causing a denial of service. With enough daemon nodes, even a simple web page request will stop the target from serving legitimate user requests.
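Detection logic for the flooding and DDoS patterns described above, as an added example that is not part of the draft: it walks constructed “timestamp proto src dst” packet lines one second at a time and distinguishes a single-host flood (including one aimed at the broadcast address) from the same volume arriving from many daemon nodes at once. The thresholds, the 10.0.0.0/24 network and the log format are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC 64
#define RATE_THRESHOLD 100      /* packets/second that counts as a flood (assumed policy) */
#define DDOS_MIN_SOURCES 10     /* senders in one second that make a flood "distributed" (assumed) */
#define BROADCAST "10.0.0.255"  /* broadcast address of the constructed 10.0.0.0/24 network */

enum verdict { NORMAL = 0, FLOOD = 1, DISTRIBUTED_FLOOD = 2 };
/* One-second window: packets, distinct senders, busiest sender's count, packets to broadcast. */
struct second_stats { int total, nsrc, top_src, to_broadcast; char src[MAX_SRC][32]; int cnt[MAX_SRC]; };

/* Count one packet from src to dst into the window. */
static void account(struct second_stats *s, const char *src, const char *dst) {
    int i;
    s->total++;
    if (strcmp(dst, BROADCAST) == 0) s->to_broadcast++;
    for (i = 0; i < s->nsrc && strcmp(s->src[i], src) != 0; i++) ;
    if (i == s->nsrc) {                      /* first packet from this sender */
        if (s->nsrc == MAX_SRC) return;      /* sender table full: stop tracking new senders */
        snprintf(s->src[i], sizeof s->src[i], "%s", src);
        s->cnt[i] = 0;
        s->nsrc++;
    }
    if (++s->cnt[i] > s->top_src) s->top_src = s->cnt[i];
}

/* Scan "timestamp proto src dst" lines and gather the packets sent during second ts. */
int stats_for_second(const char *log, long ts, struct second_stats *out) {
    memset(out, 0, sizeof *out);
    for (const char *line = log; *line; ) {
        long t; char src[32], dst[32];
        if (sscanf(line, "%ld %*s %31s %31s", &t, src, dst) == 3 && t == ts)
            account(out, src, dst);
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    return out->total;
}

/* One sender above the threshold is a plain flood (e.g. a ping flood); the same
   volume spread over many senders at once is the DDoS master/daemon pattern. */
enum verdict classify(const struct second_stats *s) {
    if (s->total < RATE_THRESHOLD) return NORMAL;
    if (s->nsrc >= DDOS_MIN_SOURCES && s->top_src < RATE_THRESHOLD) return DISTRIBUTED_FLOOD;
    return FLOOD;
}

enum verdict verdict_for_second(const char *log, long ts) {
    struct second_stats s;
    stats_for_second(log, ts, &s);
    return classify(&s);
}

/* Constructed sample log, not real traffic: second 1 is quiet, second 2 is a ping flood
   from one host at the broadcast address, second 3 is the same volume from twelve hosts. */
const char *sample_log(void) {
    static char buf[16384];
    size_t off = 0;
    for (int i = 0; i < 5; i++)   off += snprintf(buf + off, sizeof buf - off, "1 TCP 10.0.0.%d 10.0.0.1\n", 2 + i % 3);
    for (int i = 0; i < 150; i++) off += snprintf(buf + off, sizeof buf - off, "2 ICMP 10.0.0.7 %s\n", BROADCAST);
    for (int i = 0; i < 180; i++) off += snprintf(buf + off, sizeof buf - off, "3 UDP 10.0.0.%d 10.0.0.1\n", 20 + i % 12);
    return buf;
}

int main(void) {
    struct second_stats s;
    for (long ts = 1; ts <= 3; ts++) {
        stats_for_second(sample_log(), ts, &s);
        printf("second %ld: %d packets, %d senders, %d to broadcast, verdict %d\n",
               ts, s.total, s.nsrc, s.to_broadcast, (int)classify(&s));
    }
    return 0;
}
```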