CYBER SECURITY

MODULE-III

Tools and Methods used in Cyber crime

Proxy servers and Anonymizer, Classification of

Password cracking attacks, Keyloggers and
Spywares, Types of Virus, Types of Worms,
TrojanHorses and Backdoors, DOS & DDOS
attacks, SQL injection.
 Proxy Server
• It is a server (a computer system or an application) that acts as an
intermediary for requests from clients seeking resources from other
servers.

• A client connects to the proxy server, requesting some service, such

as a file, connection, web page, or other resource available from a
different server and the proxy server evaluates the request as a way
to simplify and control its complexity.

• Proxies were invented to add structure and encapsulation to

distributed systems.

• Today, most proxies are web proxies, facilitating access to content

on the World Wide Web and providing anonymity.
 Purposes of Proxy Server
• Keep the system behind the curtain(mainly for security reason).

• Speedup access to a resource(through caching). It is usually used to

cache the web page from a web server.

• Specialized proxy server are used to filter unwanted content such as

advertisement.

• Proxy server can be used as IP address multiplexer to enable to

connect number of computers on the internet whenever one has
only one IP address.
 Advantage of Proxy Server
• Its cache memory can serve all users.

• If one or more websites are requested frequently may be by

different users it is likely to be in proxy’s cache memory, which will
improve user response time.

• There are special servers available known as cache server.

 Types of proxy

• A proxy server may reside on the user’s local computer, or at

various points between the user’s computer and destination servers
on the Internet.
• A proxy server that passes requests and responses unmodified is
usually called a gateway or sometimes a tunneling proxy.

• A forward proxy is an Internet-facing proxy used to retrieve from a

wide range of sources (in most cases anywhere on the Internet).

• A reverse proxy is usually an Internet-facing proxy used as a front-

end to control and protect access to a server on a private network.
A reverse proxy commonly also performs tasks such as load-
balancing, authentication, decryption or caching.
 Open proxies
• An open proxy is a forwarding proxy server that is accessible by any
Internet user.

• Gordon Lyon estimates there are “hundreds of thousands” of open

proxies on the Internet.

• An anonymous open proxy allows users to conceal their IP address

while browsing the Web or using other Internet services.

• There are varying degrees of anonymity however, as well as a

number of methods of ‘tricking’ the client into revealing itself
regardless of the proxy being used.
 Reverse proxies
• A reverse proxy (or surrogate) is a proxy server that appears to clients to be an ordinary
server.

• Requests are forwarded to one or more proxy servers which handle the request.

• The response from the proxy server is returned as if it came directly from the original
server, leaving the client no knowledge of the origin servers.

• Reverse proxies are installed in the neighborhood of one or more web servers.

• All traffic coming from the Internet and with a destination of one of the neighborhood’s
web servers goes through the proxy server.

• The use of “reverse” originates in its counterpart “forward proxy” since the reverse
proxy sits closer to the web server and serves only a restricted set of websites.
 Anonymizer
• An anonymizer or an anonymous proxy is a tool that attempts to
make activity on the Internet untraceable.

• It is a proxy server computer that acts as an intermediary and

privacy shield between a client computer and the rest of the
Internet.

• It accesses the Internet on the user’s behalf, protecting personal

information by hiding the client computer’s identifying information.
 Use of Anonymizer

• It helps to minimize the risk.

• It can be used to prevent identity theft, or to protect search

histories from public disclosure.
Types of Anonymizer
 Protocol specific anonymizers
• Sometimes anonymizers are implemented to work only with one
particular protocol.
• The advantage is that no extra software is needed.
• The operation occurs in this manner:
• A connection is made by the user to the anonymizer.
• Commands to the anonymizer are included inside a typical
message.
• The anonymizer then makes a connection to the resource specified
by the inbound command and relays the message with the
command stripped out.
• An example of a protocol-specific anonymizer is an anonymous
remailer for e-mail.
• Also of note are web proxies, and bouncers for FTP and IRC.
Protocol independent anonymizers
• Protocol independence can be achieved by creating a tunnel to an
anonymizer.

• The technology to do so varies.

• Protocols used by anonymizer services may include SOCKS, PPTP, or

OpenVPN.

• In this case either the desired application must support the tunneling
protocol, or a piece of software must be installed to force all connections
through the tunnel.

• Web browsers, FTP and IRC clients often support SOCKS for example,
unlike telnet.
Classification of Password Cracking Attacks
• Password is like a key to get an entry into computerized systems like a
lock.
• Password cracking is a process of recovering passwords from data that
have been stored in or transmitted by a computer system.
• Usually, an attacker follows a common approach-repeatedly making
guesses for the password.
• The purpose of password cracking is as follows:
– To recover a forgotten password.
– As a preventive measure by system administrators to check for easily
crackable passwords.
– To gain unauthorized access to a system.
• Manual password cracking is to attempt to logon with different
passwords.
• The attacker follows the following steps:
– Find a valid user account such as an Administrator or Guest
– Create a list of possible passwords;
– Rank the passwords from high to low probability;
– Key-in each password;
– Try again until a successful password is found.
• Passwords can be guessed sometimes with knowledge of the user's
personal information. Examples of guessable passwords include:
– The words like "password," "passcode" and "admin";
– Series of letters from the "QWERTY" keyboard, for example, qwerty,
asdf or qwertyuiop;
– User's name or login name;
– Name of user's friend/relative/pet;
– User's birthplace or date of birth, or a relative's or a friend's;
– User's vehicle number, office number, residence number or mobile
number
– Name of a celebrity who is considered to be an idol (e.g, actors,
actress, spiritual gurus) by the user;
– Simple modification of one of the preceding, such as suffixing a digit,
particularly 1, or reversing the order of letters.
• An attacker can also create a script file (i.e, automated program)
which will be executed to try each password in a list. This is still
considered manual cracking, is time-consuming and not usually
effective.
• Passwords are stored in a database and password verification
process is established into the system when a user attempts to
login or access a restricted resource. To ensure confidentiality of
passwords, the password verification data is usually not stored in a
clear text format. For example, one-way function is applied to the
password, possibly in combination with other data, and the
resulting value is stored. When an user attempts to login to the
system by entering the password, the same function is applied to
the entered value and the result is compared with the stored value.
If they match, user gains the access; this process is called
authentication.
• Password cracking attacks can be classified
under three categories as follows:
– Online attacks;
– Offline attacks;
– Non-electronic attacks
 Online Attacks
• An attacker can create a text file(automated program) that will be
executed to try each password in a list and when matches, an attacker gain
the access to the system.
• The most popular online attack is man-in-the-middle(MITM) attack.
 Man In The Middle Attack
• A man-in-the-middle (MiTM) attack is a type of cyber attack in
which the attacker secretly intercepts and relays messages between
two parties who believe they are communicating directly with each
other. The attack is a type of eavesdropping in which the attacker
intercepts and then controls the entire conversation.

• MiTM cyber attacks pose a serious threat to online security because

they give the attacker the ability to capture and manipulate
sensitive personal information -- such as login credentials, account
details or credit card numbers -- in real time.
 How do MitM attacks work?
• During MiTM attacks, cybercriminals insert themselves in the
middle of data transactions or online communication.
• Through the distribution of malware, the attacker gains easy access
to the user's web browser and the data it sends and receives during
transactions.
• Online banking and e-commerce sites, which require secure
authentication with a public key and a private key, are the prime
targets of MiTM attacks as they enable attackers to capture login
credentials and other confidential information.
 Offline Attack
• Mostly offline attacks are performed from a
location other than the target (i.e., either a
computer system or while on the network)
where these passwords reside or are used.
• Offline attacks usually require physical access
to the computer and copying the password file
from the system onto removable media.
Different types of offline password attacks are
described in below table.
Type of attack Description Example of Password
Dictionary Attack Attempts to match all the Administrator
words from the
dictionary to get the
password
Hybrid Attack Substitutes numbers and Administrator
symbols to get the
password
Brute Force Attack Attempts all possible Admin@09
permutation
combinations of letter
numbers and special
characters
 Weak Password
A weak password is short, common, a system default, or something that
could be rapidly guessed by executing a brute force attack using a subset
of all possible passwords, such as words in the dictionary, proper names,
words based on the user name or common variations on these themes.
Example:
 Any word that can be found in a dictionary, in any language (e.g.,
airplane or aeroplano).
 A dictionary word with some letters simply replaced by numbers
(e.g., a1rplan3 or aer0plan0).
 A repeated character or a series of characters (e.g., AAAAA or
12345).
 A keyboard series of characters (e.g., qwerty or poiuy).
 Personal information (e.g., birthdays, names of pets or friends,
Social Security number, addresses).
 Strong Password
A password that is hard to detect both by humans and by the computer.
Two things make a password stronger: (1) a larger number of characters,
and (2) mixing numeric digits, upper and lower case letters and special
characters ($, #, etc.)
Example:
.Susan53
jelly22fi$h
a11Black$
 Random Password
Random passwords use a combination of
letters, numbers, cases, and symbols to form
an unpredictable string of characters that
doesn't resemble words or names.
Keyloggers
• A keylogger or keystroke logger/keyboard capturing is a form
of malware or hardware that keeps track of and records your
keystrokes as you type. It takes the information and sends it to a
hacker using a command-and-control (C&C) server. The hacker then
analyzes the keystrokes to locate usernames and passwords and
uses them to hack
• Types of Keyloggers
– Software Keylogers
– Hardware Keyloggers
– Antikeylogger
 Software Keylogers
• Software keyloggers consist of applications that have to be installed on a
computer to steal keystroke data. They are the most common method
hackers use to access a user’s keystrokes.
• A software keylogger is put on a computer when the user downloads an
infected application. Once installed, the keylogger monitors the keystrokes
on the operating system you are using, checking the paths each keystroke
goes through. In this way, a software keylogger can keep track of your
keystrokes and record each one.
• After the keystrokes have been recorded, they are then automatically
transferred to the hacker that set up the keylogger. This is done using a
remote server that both the keylogger software and the hacker are
connected to. The hacker retrieves the data gathered by the keylogger and
then uses it to figure out the unsuspecting user’s passwords.
• The passwords stolen using the key logger may include email accounts,
bank or investment accounts, or those that the target uses to access
websites where their personal information can be seen. Therefore, the
hacker's end goal may not be to get into the account for which the
password is used. Rather, gaining access to one or more accounts may
pave the way for the theft of other data.
 Hardware Keyloggers
• A hardware keylogger works much like its software counterpart.
The biggest difference is hardware keyloggers have to be physically
connected to the target computer to record the user's keystrokes.
For this reason, it is important for an organization to carefully
monitor who has access to the network and the devices connected
to it.
• If an unauthorized individual is allowed to use a device on the
network, they could install a hardware keylogger that may run
undetected until it has already collected sensitive information. After
hardware keystroke loggers have finished keylogging, they store the
data, which the hacker has to download from the device.
• The downloading has to be performed only after the keylogger has
finished logging keystrokes. This is because it is not possible for the
hacker to get the data while the key logger is working. In some
cases, the hacker may make the keylogging device accessible via
Wi-Fi. This way, they do not have to physically walk up to the
hacked computer to get the device and retrieve the data.
 Antikeylogger
• Anti-keylogger is software that is designed in such a manner, that it
can detect any keylogger present in the system.
• It has the capacity to stop any keylogger activity from taking place.
• It is specifically designed to prevent the activity of the keylogger.
• It protects the user from the keystrokes getting captured by the
keylogger.
• So using Anti-keylogger the user’s confidential or sensitive or
personal details can be saved from the attacker.
• This is used by companies and more to stop the keylogger activity
from taking place.
Spywares
• Spyware is malicious software that enters a user's computer,
gathers data from the device and user, and sends it to third parties
without their consent.
• Spyware is a breach of cyber security as they usually get into the
laptop/ computer system when a user unintentionally clicks on a
random unknown link or opens an unknown attachment, which
downloads the spyware alongside the attachment.
• Spyware is a type of software that unethically without proper
permissions or authorization steals a user’s personal or business
information and sends it to a third party.
• Spywares perform the function of maliciously tracking a user’s
activity, having access to data, or even resulting in the crashing of
the computer/ laptop system.
• Spyware in many cases runs as a background process and slows
down the normal functioning of the computer system.
 Spyware enters the laptop/computer system through the below-listed
ways:

• Phishing: It is a form of a security breach where spyware enters the

system when a suspicious link is clicked or an unknown dangerous
attachment is downloaded.

• Spoofing: It goes alongside phishing and makes the unauthorized emails

appear to come from legitimate users or business units.

• Free Softwares or Shared Softwares: It gets into the system when a user
installs software that is free of cost but has additional spyware added to
them.

• Misleading software: This is advertised as very beneficial for the system

and would boost up the speed of the system but lead to stealing
confidential information from the system.
 Types of Spywares
• Adware: It is a type of Spyware that keeps track of the user’s activity and
gives advertisements based on the tracked activity of the user.
• Tracking Cookies: It is a type of Spyware that tracks a user’s activity and
supplies the same to third parties.
• Trojans: It is a type of Spyware that is the most dangerous. It aims to steal
confidential user information such as bank details, passwords and
transfers it to a third party to perform illegal transactions or frauds.
• Keyloggers: It is a type of Spyware that keeps a track of all the keystrokes
that the user enters through the keyboard. It is dangerous as it contributes
bro cyber fraud where sensitive passwords can be stolen by keeping an
eye on the user who entered the information.
• Stalkerware: It is a type of Spyware that is installed on mobile phones to
stalk the user. It tracks the movement of the user and sends the same to
the third party.
• System Monitor: It is a type of Spyware that monitors and keep a track of
the entire system including users activity, sensitive information,
keystrokes, calls, and chats. It is extremely dangerous to user privacy.
 How Spyware Infects Devices?
• Spyware gets attached to websites and downloads without going much
into the notice of the user.
• There are many software’s that get downloaded without any warning
alongside the needed software and are very dangerous for our computer
system.
• Another way of spyware, entering our systems is when the user clicks
unverified links or downloads malicious contents on the computer system.
• When spyware enters the computer system it unethically accesses the
information that it is not authorized to view.
• In most cases, it also supplies this information to third-party users leading
to data leaks. Sensitive information such as passwords and bank
information are at much risk if spyware enters the computer system.
• Data leak, stealing of sensitive information, tracking user’s activity/
preferences, making the system slow down, and even crashing the
computer system are the effects that can be caused when spyware enters
the computer system without the user’s consent.
 How to Prevent Spyware?
• Installing Antivirus/ Antispyware
• Beware of Cookie Settings
• Beware of the Pop-ups on Websites
• Never Install Free Software
• Always read Terms & Conditions
Virus
• A computer program that can copy itself
and infect a computer without permission or
knowledge of the user.
• A virus might corrupt or delete data on a
computer, use e-mail programs to spread itself
to other computers, or even erase everything
on a hard disk.
 Types of Virus
• File Virus
– This type of virus infects the system by appending
itself to the end of a file.
– It changes the start of a program so that the
control jumps to its code.
– After the execution of its code, the control returns
back to the main program.
– Its execution is not even noticed.
– It is also called a Parasitic virus because it leaves
no file intact but also leaves the host functional.
• Boot sector Virus
– It infects the boot sector of the system, executing
every time system is booted and before the
operating system is loaded.
– It infects other bootable media like floppy disks.
– These are also known as memory viruses as they
do not infect the file systems.
• Macro Virus
– Unlike most viruses which are written in a low-
level language(like C or assembly language), these
are written in a high-level language like Visual
Basic.
– These viruses are triggered when a program
capable of executing a macro.
– For example, the macro viruses can be contained
in spreadsheet files.
• Source code Virus
It looks for source code and modifies it to
include virus and to help spread it.
• Polymorphic Virus
– A virus signature is a pattern that can identify a
virus(a series of bytes that make up virus code).
– So in order to avoid detection by antivirus a
polymorphic virus changes each time it is
installed.
– The functionality of the virus remains the same
but its signature is changed.
• Encrypted Virus
– In order to avoid detection by antivirus, this type
of virus exists in encrypted form.
– It carries a decryption algorithm along with it.
– So the virus first decrypts and then executes.
• Stealth Virus
– It is a very tricky virus as it changes the code that
can be used to detect it.
– Hence, the detection of viruses becomes very
difficult.
– For example, it can change the read system call
such that whenever the user asks to read a code
modified by a virus, the original form of code is
shown rather than infected code.
Tunneling Virus
– This virus attempts to bypass detection by
antivirus scanner by installing itself in the
interrupt handler chain.
– Interception programs, which remain in the
background of an operating system and catch
viruses, become disabled during the course of a
tunneling virus. Similar viruses install themselves
in device drivers.
• Multipartite Virus

This type of virus is able to infect multiple

parts of a system including the boot sector,
memory, and files. This makes it difficult to
detect and contain.
• Armored Virus
– An armored virus is coded to make it difficult for
antivirus to unravel and understand.
– It uses a variety of techniques to do so like fooling
antivirus to believe that it lies somewhere else
than its real location or using compression to
complicate its code.
• Browser Hijacker
– As the name suggests this virus is coded to target
the user’s browser and can alter the browser
settings.
– It is also called the browser redirect virus because
it redirects your browser to other malicious sites
that can harm your computer system.
• Memory Resident Virus
– Resident viruses installation store for your RAM
and meddle together along with your device
operations.
– They behave in a very secret and dishonest way
that they can even connect themselves for the
anti-virus software program files.
• Direct Action Virus
– The main perspective of this virus is to replicate
and take action when it is executed.
– When a particular condition is met the virus will
get into action and infect files in the
directory that are specified in the AUTOEXEC.BAT
file path.
Worms
• A worm is a type of malware or malicious
software that can replicate rapidly and spread
across devices within a network.

• As it spreads, a worm consumes

bandwidth, overloading infected systems and
making them unreliable or unavailable.
• Bandwidth is consumed and servers are overloaded that causes harm to the
network.
• Also rather than spreading and destroying the network, codes are written inside
the worm so that the systems are destroyed with these codes. These codes steal
data or create backdoors so that other systems can control the system.
• The codes also called payloads to destroy the system in a way that the infected
systems are used to spread spams and destroy the entire network.
• Computer worms need no assistance and also they replicate by themselves.
• The worms use the contacts of the infected system to send mails through which
other systems are infected by opening those emails.
• Once the mail is opened, the worm is downloaded and it does its work for some
time without any further actions.
• Only after the system is infected, the user will know about the worm.
• Computer worms need not be attached to any software. They spread to other
systems by all means.
• Worms either modify or delete the files of the system thereby overloading the
system and hence the network.
• The worm creates space for a hacker to enter the system and destroy the entire network.
• Computer worms destroy the data worth years and are very malicious. Protecting our data
from worms is very important.
• Security features are mostly exploited by the worms.
• Some worms also try to change the system settings.
• Examples of worms include Morris Worm, Storm Worm, SQL Slammer and so on.
• Morris developed a few lines of code to know how vast the internet is but the codes had
bugs that destroyed the host systems and caused damage worth millions.
• Storm worm, as the name suggests sends mails of a news report regarding the storm. Once
opened the system is affected and other contacts are also sent emails. This worm was
created in 2007. Many believe that the systems are still affected by this worm which the user
does not know.
• SQL Slammer created many IP addresses that were not protected with any security. This
worm affected many major websites and hence the vulnerabilities of the system were
exposed.
• Automatic updates should be done for all the applications to avoid potential attacks from
worms.
• Most worms are identified with the help of antiviruses but since many worms are created on
a daily basis, some are not detected.
• Stuxnet is a famous computer worm that was intended to destroy Iran’s nuclear plans.
 Types of Worms
• Email Worms: Email Worms spread through malicious email as an
attachment or a link of a malicious website.

• Instant Messaging Worms: Instant Messaging Worms spread by

sending links to the contact list of instant messaging applications
such as Messenger, WhatsApp, Skype, etc.

• Internet Worms: Internet worm searches all available network

resources using local operating system services and/or scans
compromised computers over the Internet.

• IRC Worms: IRC Worms spread through Internet Relay Chat (IRC)
chat channels, sending infected files or links to infected websites.

• File sharing Worms: File sharing Worms place a copy of them in a

shared folder and distribute them via Peer To Peer network.
Trojan Horse
• A Trojan Horse Virus is a type of malware that
downloads onto a computer disguised as a legitimate
program. The delivery method typically sees an
attacker use social engineering to hide malicious code
within legitimate software to try and gain users' system
access with their software.

• A simple way to answer the question "what is Trojan" is

it is a type of malware that typically gets hidden as an
attachment in an email or a free-to-download file, then
transfers onto the user’s device. Once downloaded, the
malicious code will execute the task the attacker
designed it for, such as gain backdoor access to
corporate systems, spy on users’ online activity, or steal
sensitive data.
How Do Trojans Work?
• Unlike computer viruses, a Trojan horse cannot manifest by itself, so it
needs a user to download the server side of the application for it to work.
This means the executable (.exe) file should be implemented and the
program installed for the Trojan to attack a device’s system.
• A Trojan virus spreads through legitimate-looking emails and files attached
to emails, which are spammed to reach the inboxes of as many people as
possible. When the email is opened and the malicious attachment is
downloaded, the Trojan server will install and automatically run every
time the infected device is turned on.
• Devices can also be infected by a Trojan through social engineering tactics,
which cyber criminals use to force the users to download a malicious
application. The malicious file could be hidden in banner advertisements,
pop-up advertisements, or links on websites.
• A computer infected by Trojan malware can also spread it to other
computers. A cyber criminal turns the device into a zombie computer,
which means they have remote control of it without the user knowing.
Hackers can then use the zombie computer to continue sharing malware
across a network of devices, known as a botnet.
• For example, a user might receive an email from someone they
know, which includes an attachment that also looks legitimate.
However, the attachment contains malicious code that executes
and installs the Trojan on their device. The user often will not know
anything untoward has occurred, as their computer may continue
to work normally with no signs of it having been infected.
• The malware will reside undetected until the user takes a certain
action, such as visiting a certain website or banking app. This will
activate the malicious code, and the Trojan will carry out the
hacker’s desired action. Depending on the type of Trojan and how it
was created, the malware may delete itself, return to being
dormant, or remain active on the device.
• Trojans can also attack and infect smart phones and tablets using a
strand of mobile malware. This could occur through the attacker
redirecting traffic to a device connected to a Wi-Fi network and
then using it to launch cyberattacks.
Most Common Types of Trojan Malware
• Backdoor Trojan: A backdoor Trojan enables an attacker to
gain remote access to a computer and take control of it
using a backdoor. This enables the malicious actor to do
whatever they want on the device, such as deleting files,
rebooting the computer, stealing data, or uploading
malware. A backdoor Trojan is frequently used to create a
botnet through a network of zombie computers.
• Banker Trojan: A banker Trojan is designed to target users’
banking accounts and financial information. It attempts to
steal account data for credit and debit cards, e-payment
systems, and online banking systems.
• Distributed denial-of-service (DDoS) Trojan: These Trojan
programs carry out attacks that overload a network with
traffic. It will send multiple requests from a computer or a
group of computers to overwhelm a target web address
and cause a denial of service.
• Downloader Trojan: A downloader Trojan targets a computer that
has already been infected by malware, then downloads and installs
more malicious programs to it. This could be additional Trojans or
other types of malware like adware.
• Exploit Trojan: An exploit malware program contains code or data
that takes advantage of specific vulnerabilities within an application
or computer system. The cyber criminal will target users through a
method like a phishing attack, then use the code in the program to
exploit a known vulnerability.
• Fake antivirus Trojan: A fake antivirus Trojan simulates the actions
of legitimate antivirus software. The Trojan is designed to detect
and remove threats like a regular antivirus program, then extort
money from users for removing threats that may be nonexistent.
• Game-thief Trojan: A game-thief Trojan is specifically designed to
steal user account information from people playing online games.
• Instant messaging (IM) Trojan: This type of Trojan
targets IM services to steal users’ logins and
passwords. It targets popular messaging platforms such
as AOL Instant Messenger, ICQ, MSN Messenger,
Skype, and Yahoo Pager.
• Infostealer Trojan: This malware can either be used to
install Trojans or prevent the user from detecting the
existence of a malicious program. The components of
infostealer Trojans can make it difficult for antivirus
systems to discover them in scans.
• Mailfinder Trojan: A mailfinder Trojan aims to harvest
and steal email addresses that have been stored on a
computer.
• Ransom Trojan: Ransom Trojans seek to impair a
computer’s performance or block data on the device so
that the user can no longer access or use it. The attacker
will then hold the user or organization ransom until they
pay a ransom fee to undo the device damage or unlock the
affected data.
• Remote access Trojan: Similar to a backdoor Trojan, this
strand of malware gives the attacker full control of a user’s
computer. The cyber criminal maintains access to the
device through a remote network connection, which they
use to steal information or spy on a user.
• Rootkit Trojan: A rootkit is a type of malware that conceals
itself on a user’s computer. Its purpose is to stop malicious
programs from being detected, which enables malware to
remain active on an infected computer for a longer period.
• Short message service (SMS) Trojan: An SMS
Trojan infects mobile devices and is capable of
sending and intercepting text messages. This
includes sending messages to premium-rate
phone numbers, which increases the costs on a
user’s phone bill.
• Spy Trojan: Spy Trojans are designed to sit on a
user’s computer and spy on their activity. This
includes logging their keyboard actions, taking
screenshots, accessing the applications they use,
and tracking login data.
 Virus vs. Worm
A Virus is a malicious executable code
attached to another executable file
which can be harmless or can modify or
delete data.
The main objective of viruses is to modify The main objective of worms is to eat the
the information.
A Worm is a form of malware that
replicates itself and can spread to
different computers via Network.
system resources. It consumes system
resources such as memory and
bandwidth and made the system slow in
speed to such an extent that it stops
responding.
Backdoor Attack
In cybersecurity, a backdoor is a means of
bypassing an organization’s existing security
systems. While a company may have various
security solutions in place, there may be
mechanisms in place that allow a legitimate
user or attacker to evade them. If an attacker
can identify and access these backdoors, they
can gain access to corporate systems without
detection.
 What is a backdoor attack?
• A backdoor attack occurs when threat actors
create or use a backdoor to gain remote
access to a system.
• These attacks let attackers gain control of
system resources, perform network
reconnaissance and install different types of
malware.
• In some cases, attackers design
a worm or virus to take advantage of an
existing backdoor created by the original
developers or from an earlier attack.
The malicious actions threat actors perform
once they access a system include the
following
– stealing sensitive information;
– performing fraudulent transactions;
– installing spyware, keyloggers and Trojan horses;
– using rootkits;
– launching denial of service (DoS) attacks;
– hijacking servers;
– defacing websites.
 Consequences of a backdoor attack
• They can be immediate and severe and
result in a data breach that harms customers
and the business.

• In other cases, the effect shows up later, as

the attacker uses the backdoor first for
reconnaissance and returns later to execute a
series of direct attacks.
How do backdoors work
• backdoors are hidden mechanisms attackers use
to access a system without authentication.
• vendors sometimes create backdoors for
legitimate purposes, such as restoring a user's
lost password.
• Developers sometimes use backdoors during the
development process and don't remove them,
leaving them as a potential vulnerability point.
• In some cases, malware is a first-line backdoor,
where it provides a staging platform for
downloading other malware modules that
perform an actual attack.
 Types of backdoor attacks
• Cryptojacking occurs when a victim's computing resources are
hijacked to mine crypto currency. Cryptojacking attacks target all
sorts of devices and systems.
• DoS attacks overwhelm servers, systems and networks with
unauthorized traffic so that legitimate users can't access them.
• Ransom ware is malware that prevents users from accessing a
system and the files it contains. Attackers usually demand payment
of a ransom for the resources to be unlocked.
• Spyware is malware that steals sensitive information and relays it to
other users without the information owner's knowledge. It can steal
credit card numbers, account login data and location information.
Keyloggers are a form of spyware used to record a user's keystrokes
and steal passwords and other sensitive data.
• Trojan horse is a malicious program that's often installed through a
backdoor and appears harmless. A backdoor Trojan includes a
backdoor that enables remote administrative control of a targeted
system.
• Federated learning. This decentralized method of machine learning trains models
locally on edge devices, as opposed to collecting data and training it in a
centralized location. Edge devices have limited communication with the
centralized servers. This lets threat actors poison a training data set and embed a
backdoor on the central server when it does communicate with the edge device.
• Hardware. Attackers use modified chips, processors, hard drives and USBs to
create backdoors.
• Internet of things (IoT). Components of these systems, such as security cameras,
drones and smart thermostats, can act as backdoors and turn into security
vulnerabilities. IoT devices often come equipped with default passwords that
function as a backdoor. Administrators often don't change them, and hackers can
easily guess them.
• Island hopping. These types of attacks target an organization's third-party business
partners to gain unauthorized access to the larger organization being targeted.
Supply chains can be compromised using island hopping.
• Phishing. Seemingly legitimate emails are used to trick users into giving hackers
sensitive information and can be used to install backdoor malware.
• Steganography. Malware is concealed in the bitmap of an image file. These files
would normally not be considered a security threat, but steganography turns them
into one.
 Detection and prevention
• Antimalware. Some antimalware software can detect and prevent a backdoor
from being installed.
• Firewalls. Ensure a firewall protects every device on a network. Application
firewalls and web application firewalls can help prevent backdoor attacks by
limiting the traffic that can flow across open ports.
• Honeypots. These security mechanisms lure attackers to a fake
target. Honeypots are used to protect the real network and study the behavior of
an attacker without their knowledge.
• Network monitoring. IT professionals use a protocol monitoring tool or network
analyzer to inspect network packets. Malicious traffic can contain signatures that
indicate the presence of a backdoor, and abnormal spikes in traffic can signal
suspicious activity.
• Security best practices. Standard security measures and a layered cyber security
strategy help prevent attackers from creating backdoors. If a backdoor is created
for a legitimate purpose, its attack surface should be minimized. It also must be
monitored and removed once its legitimate use is finished.
• Allowlisting. Use allowlisting to avoid un trusted software and only allow trusted
user access with proper authentication. Choose applications and plug-in with
caution, as cybercriminals often hide backdoors in free applications and plug-in.
 Famous backdoor attacks
• SolarWinds
• Zyxel
• Back Orifice
 Denial of Service(DoS) Attack
• A Denial-of-Service (DoS) attack is an attack meant to shut
down a machine or network, making it inaccessible to its
intended users.
• DoS attacks accomplish this by flooding the target with
traffic, or sending it information that triggers a crash.
• In both instances, the DoS attack deprives legitimate users
(i.e. employees, members, or account holders) of the
service or resource they expected.
• Victims of DoS attacks often target web servers of high-
profile organizations such as banking, commerce, and
media companies, or government and trade organizations.
• Though DoS attacks do not typically result in the theft or
loss of significant information or other assets, they can cost
the victim a great deal of time and money to handle.
 Types of DoS attack
• Flood attack: Attacker simply sending the victim overwhelming
number of ping packets usually by sending ping command, which result
into more traffic than the victim can handle.
• Ping of death attack : A Ping of death (PoD) attack is a denial-
of-service (DoS) attack, in which the attacker aims to disrupt a targeted
machine by sending a packet larger than the maximum allowable size,
causing the target machine to freeze or crash
• SYN attack: In TCP handshaking of network connections is done
with SYN and ACK message. An attacker initiates server replies with an
SYN-ACK message. The client then does not send back an ACK causing
the server to allocate memory for the pending connection and wait.
This fills up the buffer space for SYN messages on the target system,
preventing other system on the network from communicating with the
target system.
• Teardrop attack: A teardrop attack is a denial-of-service (DoS)
attack that involves sending fragmented packets to a target machine.
Since the machine receiving such packets cannot reassemble them due to
a bug in TCP/IP fragmentation reassembly, the packets overlap one
another, crashing the target network device.
 Permanent Denial of Service:
• PDoS (Permanent Denial of Service) is a form of
Denial of Service that involves causing harm to
the computer hardware/ peripheral devices.
• This mechanism adopted by PDoS (Permanent
Denial of Service) of physical damage to the
hardware is termed ‘phlashing’.
• Permanent Denial of Service is an extremely
dangerous type of cyber attack as the damage to
the hardware is so risky that it causes loss of
information and also hampers the hardware
device permanently.
What Makes PDoS (Permanent Denial
of Service) Cyberattacks Risky?
• Permanent Denial of Service is relatively easy to adopt by
cybercriminals, as data is directly harmed by causing harm to the
hardware.
• The cyber attackers find Permanent Denial of Service easy as it
requires less time and effort to carry out this form of cybercrime.
• Organizations depending largely on hardware for their day-to-day
daily work are at extreme risk with this form of cyberattack, as
information loss is the easiest through them by PDoS.
• In Permanent Denial of Service, the hardware is damaged to such
an extent that the person/organization has no option left to recover
the data.
• The organizations are then forced to forcefully repair or purchase
new hardware for their organization to replace the old systems.
 Methods to Prevent PDoS (Permanent Denial of
Service) Cyber attacks

• Keep a close watch on the accessibility of your

hardware devices.
• Hardware devices should not be easily accessible
for attack by unauthorized people/
cybercriminals.
• Make sure that the most important and critical
hardware devices are in a safe and secure place.
Always update/ upgrade your devices regularly.
 Distributed Denial-of-Service (DDoS)
Attack
• In DDoS attack an attacker may use your
computer to attack another computer.
• By taking security weakness attacker could take
control of your computer.
• Then force your computer to send huge amounts
of data to a website or send spam to particular E-
Mail address.
• This attack is distributed because the attacker is
using multiple computers including yours to
launch the DoS attack.
 SQL Injection
• SQL injection (SQLi) is a web security vulnerability
that allows an attacker to interfere with the
queries that an application makes to its database.
• This can allow an attacker to view data that they
are not normally able to retrieve.
• This might include data that belongs to other
users, or any other data that the application can
access.
• In many cases, an attacker can modify or delete
this data, causing persistent changes to the
application's content or behavior.
 What is the impact of a successful
SQL injection attack?
A successful SQL injection attack can result in
unauthorized access to sensitive data, such as:

• Passwords.
• Credit card details.
• Personal user information.
 Example of SQLI
• SQL Injection Based on 1=1 is Always True
• If there is nothing to prevent a user from entering "wrong"
input, the user can enter some "smart" input like this:
• UserId: 125 OR 1=1

• Then, the SQL statement will look like this:

• SELECT * FROM Users WHERE UserId = 125 OR 1=1;

• The SQL above is valid and will return ALL rows from the
"Users" table, since OR 1=1 is always TRUE.

• Does the example above look dangerous? What if the

"Users" table contains names and passwords?
 How to prevent SQL Injection attack
• Input Validation
– Replace all single quotes(escape quotes) to single
quotes.
– The developer must sanitize all input, not only web
form inputs such as login forms.
– Numeric value values should be checked while
accepting a query string value.
• Modify error reports
– SQL errors should not be displayed to outside users
and to avoid this the developer should handle or
configure the error reports very carefuly.
Thank you