UNIT-IV: Tools and Methods Used in Cybercrime
Introduction
The different forms of attack through which attackers target computer systems are as follows:
1. Initial uncovering:
Two steps are involved here.
In the first step, called reconnaissance, the attacker gathers information about the
target from websites on the Internet.
In the second step, the attacker finds the company's internal network details, such as its
Internet domain, machine names and Internet Protocol (IP) address ranges, in order to
steal the data.
2. Network probe (investigation):
A "port scanning" tool is then used to discover exactly which services are running on
the target system.
At this point, the attacker has still not done anything that would be considered
abnormal activity on the network or anything that can be classified as an intrusion.
3. Crossing the line toward electronic crime (E-crime):
Once the attackers are able to access a user account, they attempt further exploits to
get administrator or "root" access.
"Root" is basically administrator or super-user access and grants them the privileges
to do anything on the system.
4. Capturing the network:
At this stage, the attacker attempts to “own” the network.
The attacker will usually install a set of tools that replace existing files and services
with Trojan files and services that have a backdoor password.
5. Grab the data:
Now that the attacker has "captured the network," he/she takes advantage of his/her
position to steal confidential data.
6. Covering tracks:
During this entire process, the attacker takes optimum care to hide his/her identity
(ID) from the first step itself.
Proxy Servers and Anonymizers
A proxy server is a computer on a network which acts as an intermediary for
connections with other computers on that network.
A client connects to the proxy server and requests some services (such as a file,
webpage) available from a different server.
The proxy server evaluates the request and provides the resource by establishing the
connection to the respective server and/or requests the required service on behalf of
the client.
An anonymizer or an anonymous proxy is a tool that attempts to make activity on the
Internet untraceable. It accesses the Internet on the user’s behalf, protecting personal
information by hiding the source computer’s identifying information.
4.3 Phishing
"Phishing" refers to an attack using mail programs to deceive Internet users into
disclosing confidential information that can then be exploited for illegal purposes.
In addition to stealing personal and financial data, phishing can infect systems with
viruses; it is also a method of online ID theft in various cases.
How Phishing Works
1. Planning: Criminals, usually called phishers, decide on the target.
2. Setup: Once phishers know which business/business house to spoof and who their
victims are.
3. Attack: the phisher sends a phony message that appears to be from a reputable source.
4. Collection: Phishers record the information that victims enter into webpages or
pop-up windows.
5. Identity theft and fraud: Phishers use the information that they have gathered to
make illegal purchases or commit fraud.
4.4 Password Cracking
A password is like a key that opens the lock guarding entry into a computerized system.
Usually, an attacker follows a common approach: repeatedly making guesses for the
password.
The purposes of password cracking are as follows:
1. To recover a forgotten password.
2. As a preventive measure by system administrators to check for easily crackable
passwords.
3. To gain unauthorized access to a system.
Passwords can be guessed sometimes with knowledge of the user’s personal
information. Examples of guessable passwords include:
1. Blank (none);
2. words like "password," "passcode" and "admin";
3. series of letters from the “QWERTY” keyboard, for example, qwerty, asdf or
qwertyuiop;
4. user’s name or login name;
5. name of user’s friend/relative/pet;
6. user’s birthplace or date of birth, or a relative’s or a friend’s;
7. user’s vehicle number, office number, residence number or mobile number;
8. name of a celebrity who is considered to be an idol (e.g., actors, actresses, spiritual
gurus) by the user.
Password cracking attacks can be classified under three categories as follows:
1. Online attacks;
2. Offline attacks;
3. Non-electronic attacks (e.g., social engineering, shoulder surfing and dumpster diving).
1. Online Attacks
An attacker can create a script file that will be executed to try each password in a list,
and when one matches, the attacker gains access to the system.
When a victim client connects to the fraudulent server, the MITM server intercepts the
call, hashes the password and passes the connection to the victim server (e.g., an
attacker within reception range of an unencrypted Wi-Fi wireless access point can
insert himself as a man-in-the-middle).
2. Offline Attacks
Offline attacks usually require physical access to the computer and copying the
password file from the system onto removable media.
Password Guidelines
1. Passwords used for business E-Mail accounts, personal E-Mail accounts and
banking/financial user accounts should be kept separate.
2. Passwords should be of minimum eight alphanumeric characters (common names or
phrases should be avoided).
3. Passwords should be changed every 30/45 days.
4. Passwords should not be shared with relatives and/or friends.
5. A password used previously should not be reused when renewing the password.
6. Passwords of personal E-Mail accounts and banking/financial user accounts should be
changed from a secured system within a couple of days if these accounts have been
accessed from public Internet facilities such as cybercafes/hotels/libraries.
7. Passwords should not be stored on mobile phones/PDAs, as these devices are also
prone to cyberattacks.
8. In case E-Mail accounts/user accounts have been hacked, the respective
agencies/institutes should be contacted immediately.
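As an added illustration (not part of the original notes), the following Python function applies the guessable-password categories listed above and guidelines 2 and 5 to a candidate password before it is accepted; the profile fields, keyboard rows and the sample user are assumptions made for the example.

```python
import re
from datetime import date

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
COMMON_WORDS = {"password", "passcode", "admin"}

def keyboard_sequence(pw, min_len=4):
    """True if pw contains a run of min_len or more adjacent keys from one keyboard row."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            if row[start:start + min_len] in p:
                return True
    return False

def check_password(pw, profile, previous=()):
    """Return the list of reasons pw is weak for this user; an empty list means it passes."""
    if not pw:
        return ["blank password"]
    reasons = []
    low = pw.lower()
    if low in COMMON_WORDS:
        reasons.append("common word such as password/passcode/admin")
    if keyboard_sequence(pw):
        reasons.append("keyboard sequence (qwerty, asdf, ...)")
    # Personal information: name, login name, friend/relative/pet, birthplace, idol.
    for label in ("name", "login", "friend", "pet", "birthplace", "idol"):
        value = profile.get(label, "").lower()
        if value and value in low:
            reasons.append(f"contains user's {label}")
    # Vehicle/office/residence/mobile numbers: any run of 4+ digits taken from them.
    known_digits = [re.sub(r"\D", "", profile.get(k, ""))
                    for k in ("vehicle", "office", "residence", "mobile")]
    for run in re.findall(r"\d{4,}", pw):
        if any(run in d for d in known_digits if d):
            reasons.append("contains one of the user's phone/vehicle numbers")
            break
    # Date of birth in the common day-month-year spellings.
    dob = profile.get("dob")
    if dob and any(dob.strftime(f) in pw for f in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d%m")):
        reasons.append("contains date of birth")
    # Guideline 2: at least eight characters, mixing letters and digits.
    if len(pw) < 8 or not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        reasons.append("fewer than eight alphanumeric characters")
    # Guideline 5: a previously used password must not be reused.
    if pw in previous:
        reasons.append("reuse of a previous password")
    return reasons

# Constructed sample user; in practice these fields come from the account profile.
SAMPLE_PROFILE = {
    "name": "Ramesh", "login": "ramesh.k", "pet": "Bruno", "birthplace": "Pune",
    "idol": "Sachin", "mobile": "+91 98765 43210", "vehicle": "MH12AB4321",
    "dob": date(1990, 7, 14),
}

if __name__ == "__main__":
    for candidate in ("", "password", "qwerty123", "Bruno2024", "Tr7vb!kx92Lp"):
        print(repr(candidate), "->", check_password(candidate, SAMPLE_PROFILE) or "ok")
```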
4.5 Keyloggers and Spywares
Keystroke logging, often called keylogging, is the practice of noting (or logging) the
keys struck on a keyboard, typically in a covert manner so that the person using the
keyboard is unaware that such actions are being monitored.
Keyloggers can be classified as software keyloggers and hardware keyloggers.
Software Keyloggers
Software keyloggers are programs installed on a computer system, usually positioned
between the OS and the keyboard hardware, so that every keystroke is recorded.
Software keyloggers are installed on a computer system by Trojans or viruses
without the knowledge of the user.
Cybercriminals always install such tools on the insecure computer systems available in
public places (e.g., cybercafés) and can obtain the required information about the
victim very easily.
A keylogger usually consists of two files that get installed in the same directory: a
dynamic link library (DLL) file and an EXEcutable (EXE) file that installs the DLL
file and triggers it to work. The DLL does all the recording of keystrokes.
Hardware Keyloggers
Hardware keyloggers are small hardware devices.
These are connected to the PC and/or to the keyboard and save every keystroke into
a file or in the memory of the hardware device.
Cybercriminals install such devices on ATMs to capture ATM card PINs.
Each keypress on the keyboard of the ATM gets registered by these keyloggers.
Antikeylogger
An antikeylogger is a tool that can detect a keylogger installed on a computer system
and can also remove it.
The advantages of using an antikeylogger are as follows:
1. Firewalls cannot detect the installation of keyloggers on a system, whereas
antikeyloggers can.
2. Unlike antivirus and antispyware programs, this software does not require regular
updates of its signature base to work effectively; those programs do not serve their
purpose if not updated, which puts users at risk.
3. It prevents ID theft.
4. It secures E-Mail and instant messaging/chatting.
Virus: Attached to an executable file and infects the system when the file is opened.
Available on the Internet and spread through mails and removable disks.
Trojans: Steal sensitive data such as passwords and e-mails and give access to
unauthorized users (social networks).
Ransomware: Locks the computer, files or data and demands a ransom to release the data.
Worms: Replicate themselves and infect multiple computers on a network, causing damage.
These are standalone programs and do not require humans to spread; viruses, in
contrast, need human help to spread.
Spyware: Secretly gathers Internet activity using keylogger software.
Botnet: A network of computers infected with malware. The infected machines are called
bots or zombies, and a master controls them. Spread through Trojans.
Spywares
Spyware is a type of malware (i.e., malicious software) that is installed on computers and
collects information about users without their knowledge.
The presence of spyware is typically hidden from the user; it is secretly installed on the
user's personal computer.
Spyware such as keyloggers is installed by the owner of a shared, corporate or public
computer on purpose to secretly monitor other users.
Malware can be classified as follows:
1. Viruses and worms
2. Trojan Horses
3. Rootkits
4. Backdoors
5. Spyware
6. Botnets
7. Keystroke loggers
4.6 Virus and Worms
A computer virus is a program that can "infect" legitimate programs by modifying
them to include a possibly “evolved” copy of itself.
Viruses spread themselves, without the knowledge or permission of the users, to
potentially large numbers of programs on many machines.
A computer virus passes from computer to computer in a similar manner as a
biological virus passes from person to person.
Viruses can take some typical actions:
1. delete files inside the system into which viruses enter;
2. scramble data on a hard disk;
3. cause erratic screen behavior;
4. halt the system (PC);
5. just replicate themselves to propagate further harm.
Types of Viruses
1. Boot sector viruses: These infect the storage media on which the OS is stored (e.g., hard
drives) and which is used to start the computer system.
2. Program viruses: These viruses become active when the program file (usually with
extensions .bin, .com, .exe, .ovl, .drv) is executed.
3. Multipartite viruses: A hybrid of boot sector and program viruses. They infect program
files along with the boot record when the infected program is active.
4. Stealth viruses: These hide themselves and so are very difficult to detect. They can hide
in such a way that antivirus software also cannot detect them. An example of a stealth
virus is the "Brain" virus.
5. Polymorphic viruses: These act like a "chameleon", changing the virus signature (i.e.,
binary pattern) every time they spread through the system (i.e., multiply and infect a new
file). Hence, it is always difficult to detect a polymorphic virus with the help of an
antivirus program.
6. Macro viruses: Many applications, such as Microsoft Word and Microsoft Excel, support
MACROs (i.e., macro languages). These viruses are programmed as a macro embedded in a
document. Once a macro virus gets onto a victim's computer, every document he/she
produces will become infected.
7. ActiveX and Java controls: All web browsers have settings for ActiveX and Java controls.
4.7 Trojan Horses and Backdoors
Trojan Horse is a program in which malicious or harmful code is contained inside
apparently harmless programming or data in such a way that it can get control and
cause harm, for example, ruining the file allocation table on the hard disk.
The term Trojan Horse comes from Greek mythology about the Trojan War.
Like spyware and adware, Trojans can get into the system in a number of ways,
including from a web browser or via E-Mail.
Some typical examples of threats by Trojans are as follows:
1. They erase, overwrite or corrupt data on a computer.
2. They help to spread other malware such as viruses (by a dropper Trojan).
3. They deactivate or interfere with antivirus and firewall programs.
4. They allow remote access to your computer (by a remote access Trojan).
5. They gather E-Mail addresses and use them for Spam.
6. They upload and download files without your knowledge.
7. They log keystrokes to steal information such as passwords and credit card numbers.
8. They copy fake links to false websites, display pornographic sites, play sounds/videos
and display images.
9. They slow down, restart or shutdown the system.
10. They reinstall themselves after being disabled.
11. They disable the task manager.
4.7.1 Backdoor
A backdoor is one of the most dangerous parasites, as it allows a malicious person to
perform any possible action on a compromised system.
Following are some functions of backdoor:
1. It allows an attacker to create, delete, rename, copy or edit any file, execute various
commands; change any system settings; alter the Windows registry; run, control and
terminate applications; install arbitrary software and parasites.
2. It allows an attacker to control computer hardware devices, modify related settings,
shutdown or restart a computer without asking for user permission.
3. It steals sensitive personal information, valuable documents, passwords, login names,
ID details; logs user activity and tracks web browsing habits.
4. It records keystrokes that a user types on a computer’s keyboard and captures
screenshots.
5. It sends all gathered data to a predefined E-Mail address, uploads it to a predetermined
FTP server or transfers it through a background Internet connection to a remote host.
6. It infects files, corrupts installed applications and damages the entire system.
4.8 Steganography
Steganography is the practice of concealing (hiding) a file, message, image or video
within another file, message, image or video.
The different names for steganography are data hiding, information hiding and digital
watermarking.
Digital watermarking is the process of possibly irreversibly embedding information
into a digital signal.
The Digital signal may be, for example, audio, pictures or video.
If the signal is copied then the information is also carried in the copy.
In other words, when steganography is used to place a hidden "trademark" in
images, music and software, the result is a technique referred to as "watermarking".
Steganalysis
Steganalysis is the art and science of detecting messages that are hidden in images or
audio/video files using steganography.
The goal of steganalysis is to identify suspected packages and to determine whether
or not they have a payload encoded into them, and if possible recover it.
Automated tools are used to detect such steganographically hidden data/information in
image, audio and/or video files.
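Added illustration, not from the original notes: a toy least-significant-bit (LSB) embedding into a constructed grayscale image, the matching extraction, and a crude steganalysis check on the LSB plane that covers both the hiding and the detection described above. LSB replacement, the 16-bit length prefix and the 0.3 to 0.7 detection cutoff are assumptions made for the example; real steganalysis tools rely on statistical tests rather than such a fixed cutoff.

```python
def _bits(data):
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed(cover, message):
    """Hide message in the least significant bit of successive pixels. A 16-bit
    big-endian length prefix tells the extractor how many bytes to read back."""
    payload = len(message).to_bytes(2, "big") + message
    bits = list(_bits(payload))
    if len(bits) > len(cover):
        raise ValueError("message does not fit in the cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # replace the LSB, keep the upper 7 bits
    return bytes(stego)

def extract(stego):
    """Recover the message: read the length prefix, then that many bytes."""
    def read_byte(offset):
        return sum((stego[offset + k] & 1) << (7 - k) for k in range(8))
    length = (read_byte(0) << 8) | read_byte(8)
    return bytes(read_byte(16 + 8 * n) for n in range(length))

def lsb_ones_ratio(pixels, count):
    """Fraction of 1 bits in the LSB plane of the first `count` pixels."""
    return sum(p & 1 for p in pixels[:count]) / count

def looks_embedded(pixels, count=256, low=0.3, high=0.7):
    """Crude steganalysis check. The constructed cover below has a strongly biased
    LSB plane, while embedded text pushes the share of 1 bits towards 0.5, so a
    ratio inside [low, high] is flagged. Real tools use statistical tests such as
    the chi-square test on pairs of pixel values instead of a fixed cutoff."""
    return low <= lsb_ones_ratio(pixels, count) <= high

# Constructed cover: a smooth gradient in which every pixel value is even, so the
# LSB plane is all zeros (deliberately exaggerated to make the effect easy to see).
COVER = bytes((i * 2) % 256 for i in range(1024))
SECRET = b"meet at the usual place, 0900"   # constructed sample payload

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("recovered:", extract(stego))
    print("cover flagged:", looks_embedded(COVER), "/ stego flagged:", looks_embedded(stego))
```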
4.9 DoS and DDoS Attacks
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS
attack) is an attempt to make a computer resource (i.e., information systems)
unavailable to its intended users.
In this type of criminal act, the attacker floods the bandwidth of the victim’s
network or fills his E-Mail box with Spam mail depriving him of the services he is
entitled to access or provide.
The attackers typically target sites or services hosted on high-profile web servers such
as those of banks, credit card payment gateways, mobile phone networks and even root
name servers.
The buffer overflow technique is employed to commit this kind of criminal attack,
known as spoofing.
A DoS attack may do the following:
1. Flood a network with traffic, thereby preventing legitimate network traffic.
2. Disrupt connections between two systems, thereby preventing access to a service.
3. Prevent a particular individual from accessing a service.
4. Disrupt service to a specific system or person.
Classification of DoS Attacks
1. Bandwidth attacks: Loading any website takes a certain time. Loading means the
complete webpage appearing on the screen and the system awaiting the user's input.
2. Logic attacks: These kinds of attacks can exploit vulnerabilities in network software
such as a web server or the TCP/IP stack.
3. Protocol attacks: Protocols here are the rules that are to be followed to send data over
a network.
4. Unintentional DoS attack: This is a scenario where a website ends up denied not due to
an attack by a single individual or group of individuals, but simply due to a sudden
enormous spike in popularity.
Tools Used to Launch DoS Attacks
1. Jolt2: The vulnerability allows remote attackers to cause a DoS attack against
Windows-based machines; the attack causes the target machine to consume its CPU time
on processing illegal packets.
2. Nemesy: This program generates random packets with spoofed source IPs to enable the
attacker to launch a DoS attack.
3. Targa: It is a program that can be used to run eight different DoS attacks. The attacker
has the option to launch either individual attacks or try all the attacks until one is
successful.
4. Crazy Pinger: This tool can send large ICMP (Internet Control Message Protocol)
packets to a remote target network.
5. SomeTrouble: It is a remote flooder and bomber, developed in Delphi.
DDoS Attacks
In a DDoS attack, an attacker may use your computer to attack another computer.
By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of
your computer.
He/she could then force your computer to send huge amounts of data to a website or send
Spam to particular E-Mail addresses.
The attack is “distributed” because the attacker is using multiple computers, including yours, to
launch the DoS attack.
A DDoS attack is a distributed DoS wherein a large number of zombie systems are
synchronized to attack a particular system.
The zombie systems are called “secondary victims” and the main target is called “primary
victim.”
Malware can carry DDoS attack mechanisms – one of the better-known examples of this is
MyDoom.
A botnet is the popular medium to launch DoS/DDoS attacks.
Attackers can also break into systems using automated tools that exploit flaws in programs that
listen for connections from remote hosts.
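Added illustration, not from the original notes: rate-based flood detection over constructed web-server log lines, showing why a per-source threshold catches a single-host DoS flood but misses a DDoS in which every zombie stays below the limit and only the aggregate rate is abnormal. The log format, IP addresses, window size and thresholds are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample log, one request per line: "<epoch-second> <source-ip> <request>".
LOG = []
for sec in range(10):                                            # seconds 0-9
    LOG.append(f"{1700000000 + sec} 203.0.113.7 GET /")           # one ordinary client
    LOG += [f"{1700000000 + sec} 198.51.100.9 GET /login"] * 80  # one host flooding
for sec in range(10, 20):                                        # seconds 10-19
    for z in range(50):                                          # 50 zombies, 6 req/s each
        LOG += [f"{1700000000 + sec} 192.0.2.{z + 1} GET /search"] * 6

def parse(line):
    """Split a log line into (timestamp, source ip); the request text is ignored."""
    ts, ip, _request = line.split(" ", 2)
    return int(ts), ip

def detect_floods(lines, window=5, per_ip_limit=100, total_limit=1000):
    """Count requests per source in fixed windows of `window` seconds and return
    a list of (window_start, kind, detail) alerts:
      'dos'  - a single source sent more than per_ip_limit requests;
      'ddos' - no source crossed that limit, yet the aggregate exceeded total_limit,
               which is exactly what a per-IP rule on its own would miss."""
    by_window = defaultdict(Counter)
    for line in lines:
        ts, ip = parse(line)
        by_window[ts - ts % window][ip] += 1
    alerts = []
    for start in sorted(by_window):
        counts = by_window[start]
        heavy = sorted(ip for ip, n in counts.items() if n > per_ip_limit)
        total = sum(counts.values())
        if heavy:
            alerts.append((start, "dos", heavy))
        elif total > total_limit:
            alerts.append((start, "ddos", f"{total} requests from {len(counts)} sources"))
    return alerts

if __name__ == "__main__":
    for start, kind, detail in detect_floods(LOG):
        print(start, kind.upper(), detail)
```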
4.10 SQL Injection
Structured Query Language (SQL) is a database computer language designed for
managing data in relational database management systems (RDBMS).
SQL injection is a code injection technique that exploits a security vulnerability
occurring in the database layer of an application.
SQL injection attacks are also known as SQL insertion attacks.
Attackers target the SQL servers – common database servers used by many
organizations to store confidential data.
The prime objective behind an SQL injection attack is to obtain information while
accessing a database table that may contain personal information such as credit card
numbers, social security numbers or passwords.
For example, when a user logs in with a username and password, an SQL query is sent
to the database to check if the user has a valid name and password.
With SQL injection, it is possible for an attacker to send a crafted username and/or
password field that will change the SQL query.
Steps for SQL Injection Attack
Following are some steps for an SQL injection attack:
1. The attacker looks for webpages that allow submitting data, that is, the login page,
search page or feedback page.
2. To check the source code of any website, right click on the webpage and click on "view
source"; the source code is displayed in Notepad. The attacker checks the HTML source
code and looks for the "FORM" tag.
3. The attacker inputs a single quote in the text box provided on the webpage to accept the
username and password. This checks whether the user-input variable is interpreted
literally by the server. If the response is an error message such as use "a" = "a", then the
website is found to be susceptible to an SQL injection attack.
4. The attacker uses SQL commands such as the SELECT statement to retrieve data from
the database or the INSERT statement to add information to the database.
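Added illustration, not from the original notes: the login query described above written first with string concatenation (the vulnerable form) and then with placeholders (the hardened form), plus the single-quote probe from step 3 seen from the server side. It uses Python's sqlite3 module with a constructed users table; the table layout and credentials are assumptions made for the example.

```python
import sqlite3

def make_db():
    """Constructed users table. Passwords are stored in plain text only to keep the
    example short; a real system stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn

def login_vulnerable(conn, username, password):
    """The query text is built by pasting the user's input into the SQL string, so a
    quote character in the input changes the query's structure instead of being data."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] == 1

def login_safe(conn, username, password):
    """The SQL text is fixed and the values travel separately as parameters, so the
    database compares whatever was typed literally; the query cannot be altered."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] == 1

def probe_single_quote(login):
    """Step 3 of the notes: submit a lone single quote and report whether the
    database raised a syntax error (the tell-tale sign that user input reaches the
    SQL text unescaped) or simply treated it as an ordinary, failed login."""
    conn = make_db()
    try:
        login(conn, "'", "x")
        return "handled"
    except sqlite3.OperationalError as err:
        return f"error: {err}"

if __name__ == "__main__":
    conn = make_db()
    print("valid login:", login_safe(conn, "alice", "s3cret"))
    print("vulnerable version, quote probe:", probe_single_quote(login_vulnerable))
    print("hardened version, quote probe:  ", probe_single_quote(login_safe))
```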
Blind SQL Injection
Blind SQL injection is used when a web application is vulnerable to an SQL
injection but the results of the injection are not visible to the attacker.
The page with the vulnerability may not be the one that displays data; however, it
will display differently depending on the results of a logical statement injected into
the legitimate SQL statement called for that page.
This type of attack can become time-intensive because a new statement must be
crafted for each bit recovered.
There are several tools that can automate these attacks once the location of the
vulnerability and the target information have been established.
Buffer Overflow
Buffer overflow, or buffer overrun, is an anomaly where a process stores data in a
buffer outside the memory the programmer has set aside for it.
This may result in unreliable program behavior, including memory access errors,
incorrect results, program termination (a crash) or a breach of system security.
Programming languages commonly associated with buffer overflows include C and
C++, which provide no built-in protection against accessing or overwriting data in
any part of memory and do not automatically check data written to an array.
Buffer overflow occurs when a program or process tries to store more data in a
buffer (temporary data storage area) than it was intended to hold.
Types of Buffer Overflow
1. Stack-based buffer overflow
2. Heap buffer overflow