Computer infiltration means the unauthorised introduction of program code into a computer system in order to perform undesired (often concealed) activities. Currently there are about 80,000 types of infiltration (according to AEC), with 500 to 800 new types appearing every month. The problem is that classification is not unified, and types are difficult to differentiate from mutations of the same type. Based on behaviour and program code construction we can differentiate the types of infiltration below.
A Trojan horse is usually an interesting or otherwise useful program which, in addition to the useful code, contains code performing undesired activities, characterised as follows:
- does not replicate its code and is not able to spread
- harmful activities involve eavesdropping (Internet activity monitoring, password monitoring) as well as destruction (erasing data, disc formatting, erasing a random hard drive sector etc.)
- harmful activities are launched by a pre-defined impulse unknown to the user (number of launches of a programme, system date etc.)
In the past two years Trojans have been spread as part of other infiltrations (worms). Based on their activities, Trojans can be classified as:
- Spyware/Adware – programs performing concealed monitoring of the Internet sites visited and consequently launching targeted advertising based on the client profile
- Key logger (password thief) – monitoring the output codes of the keyboard driver and providing remote access to sensitive data (access passwords, code keys, PINs etc.)
- Remote Access Trojan (RAT) – providing remote access to the infected system
- BOT – a program reacting to commands from a control server (robot), enabling DDoS attacks
A worm is an independent program (set of programs) requiring no host code, with the following features:
- an active worm is able to replicate and spread its functional copies to other computer systems via the Internet without human assistance, using known weak points in applications and the OS (e-mail, IRC, WWW etc.); recently it has also taken on the functions of a BOT
- an I-worm is spread in the form of an e-mail attachment and usually uses “social engineering” and weak points of mail clients to con users into activating it (e.g. by renaming the .exe file to .pif, .scr or .lnk, or doubling the extension to .txt.vbs, jpg.exe or .zip.exe and changing the .exe file icon to the WinZip icon etc.)
- launched automatically upon OS start-up (modifies the Registry and *.ini files)
- usually uses its own SMTP routine to spread itself, extracting the addresses of its victims from the attacked hard drive: the Windows Address Book, personal address book, temporary Internet files, ICQ database and other files
- often able to attack files in shared file systems on a local network, unless access to them is sufficiently secured, or in peer-to-peer networks operated over the Internet
- the range of destructive activities is very wide, often involving eavesdropping on sensitive data via the Internet
- very common
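The double-extension and padded-name tricks listed above are the ones a mail gateway or a help desk can check mechanically. The following is an added example (not code from the original article) that triages attachment file names into deceptive, plainly executable and benign; the extension lists and the sample names are constructed for the example.

```python
"""Added example: triage attachment file names for the double-extension trick.
Extension lists and sample names are constructed for this example."""
import re

# Extensions Windows runs directly when double-clicked (constructed list).
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "lnk", "vbs", "bat", "cmd", "com", "js"}
# Extensions users expect to be harmless documents, images or archives (constructed list).
BENIGN_EXTENSIONS = {"txt", "jpg", "jpeg", "png", "gif", "pdf", "doc", "zip"}


def classify_attachment(name: str) -> str:
    """Return "deceptive", "executable" or "benign" for one attachment name.

    "deceptive": the file runs as code but is dressed up as something harmless,
    either by a benign extension in front of the real one ("photo.jpg.exe",
    "jpg.exe") or by padding spaces that push the real extension out of view
    in a narrow mail-client column ("invoice.txt          .exe").
    "executable": a plain executable ("setup.exe").
    "benign": anything else.
    """
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return "benign"
    final = parts[-1].strip()
    if final not in EXECUTABLE_EXTENSIONS:
        return "benign"
    preceding = parts[-2]
    # A benign-looking extension or a run of padding spaces in front of the
    # real extension is the hallmark of the trick described in the text.
    if preceding.strip() in BENIGN_EXTENSIONS or re.search(r"\s{2,}", preceding):
        return "deceptive"
    return "executable"


def triage(names):
    """Group a batch of attachment names by verdict; returns a dict of lists."""
    verdicts = {"deceptive": [], "executable": [], "benign": []}
    for name in names:
        verdicts[classify_attachment(name)].append(name)
    return verdicts


# Constructed sample attachment names, not taken from any real message.
SAMPLE_NAMES = [
    "holiday.jpg.exe",
    "readme.txt.vbs",
    "jpg.exe",
    "invoice.txt                .exe",
    "setup.exe",
    "notes.txt",
    "README",
]

if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_NAMES).items():
        print(f"{verdict}: {names}")
```

The check deliberately looks only at the file name, which is what the user sees in the mail client; the icon-swapping trick mentioned above can only be caught by inspecting the file contents, so a gateway would combine this name check with type detection on the attachment itself.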
A virus is dependent program code attached to a host executable unit which is a desired part of a computer system (program, script, command file, macro, OS installer etc.). Launching this executable unit also executes the virus code, which has the following features:
- infects other available executable units by inserting its replica (mutation) into them
- able to spread to other computer systems
- performs destructive activities (optional feature)
Hoaxes are fake alarm e-mails using “social engineering” (fraud, lies, moral blackmail) to get the recipient to send the message on to all available addresses. They have the following features:
- reporting shocking news (e.g. on a “new” infiltration), or appealing to humanitarian considerations (helping the seriously ill, helping in connection with an actual humanitarian crisis etc.)
- referring to reputable IT companies (IBM, Microsoft, etc.) as a trustworthy reference
- requiring instant action, i.e. sending to all potentially affected people
- sent consciously by people whom the addressee knows
Reasons for creating hoaxes:
- bothering addressees to confuse them and decrease their attention, causing them to ignore actual alarm messages
- damaging the user’s system by convincing the user to perform a destructive action (e.g. destroying a part of the OS by “removing the infiltration”)
Protection is based on monitoring hoax databases, e.g. at www.mcafee.com
Spam is an unsolicited mail message offering goods or services, often with immoral content. It is sent via infiltrated systems connected to the Internet (BOTs) with forged headers, making it difficult to track the actual sender and to block the respective SMTP communication. E-mail addresses are gathered, e.g. as part of a prior infiltration of an intermediary system by a worm, or from public databases (ICQ).
The motive is “cheap” marketing, as laws in many countries restrict unsolicited electronic advertising (in the Czech Republic it is the Certain Information Society Services Act No. 480/2004 Coll., the “Antispam Act”).
Phishing is based on fake e-mail messages using “social engineering” and technological tricks (redirected URL links, keylogger infiltration) to convince the user to disclose personal data and sensitive banking details (Internet banking access password, bank account data, credit card data, etc.). Pharming is a similar type of attack that redirects the user to fake Internet banking sites, typically by compromising DNS.
One of the activities aimed against such attacks is the Anti-Phishing Working Group (APWG), which recorded an immense increase in the number of fake sites in February 2005 (see http://www.antiphishing.org).
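The “redirected URL link” trick in phishing mail is visible in the message itself: the text of a link names the bank, while the href points somewhere else. The following is an added example (not code from the original article or the APWG) that scans an HTML body for three such patterns: a displayed domain that differs from the real host, a user-info part in front of the real host, and a bare IP address as host. The sample body and every domain in it are constructed for this example; pharming, which happens in DNS rather than in the message, is outside what a body scan can detect.

```python
"""Added example: flag link-redirection tricks in an HTML e-mail body.
The sample body and all domains are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A visible label that looks like a host name, e.g. "www.bank.example".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(shown: str, host: str) -> bool:
    """True if the displayed domain and the real host belong to the same site."""
    return host == shown or host.endswith("." + shown) or shown.endswith("." + host)


def suspicious_links(html: str) -> list:
    """Return (href, reason) pairs for anchors that misdirect the reader:
    the visible text names one domain while the href leads to another, the
    href hides the real host behind a user-info part ("bank.example@..."),
    or the host is a bare IP address."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reason = None
        if parts.username is not None:
            reason = "user-info before host hides the real destination"
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reason = "bare IP address as host"
        else:
            shown = DOMAIN_RE.search(text)
            if host and shown and not _same_site(shown.group(1).lower(), host):
                reason = f"text shows {shown.group(1)} but link goes to {host}"
        if reason:
            findings.append((href, reason))
    return findings


# Constructed phishing-style body; every domain here is a documentation name.
SAMPLE_BODY = """
<p>Dear customer, please confirm your account details:</p>
<a href="http://bank.example.attacker.test/login">https://www.bank.example/login</a>
<a href="https://bank.example@203.0.113.5/">Internet banking</a>
<a href="http://203.0.113.9/verify">verify now</a>
<a href="https://www.bank.example/help">Help</a>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_BODY):
        print(f"{href}: {reason}")
```

The same-site test accepts a subdomain on either side, so a link labelled www.bank.example that really goes to login.bank.example is not reported; a stricter deployment would compare registrable domains against a list of the bank's own hosts.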
Author: Jirka Dvořák