UNIT-1

Virus
• A computer virus is a type of malicious software (malware) designed
to attach itself to a legitimate file or program in order to spread from
one system to another. Much like a biological virus, it needs a host to
survive and replicate.
Key Characteristics of a Computer Virus

 Requires Human Action: A virus cannot spread by itself. It needs the user to run the infected program or
file (for example, opening a malicious email attachment or executing an infected application) for it to
activate and start infecting the system.

 Attaches to Host Files: Viruses embed themselves into other executable files, documents, or system files.
When the infected file is run, the virus activates.

 Spreads Locally or Through Devices: Viruses often spread through USB drives, shared files, infected
downloads, or email attachments. They are less likely to spread rapidly over a network compared to worms.

 Can Cause Damage: Depending on its purpose, a virus can:

o Delete or corrupt files
o Slow down system performance
o Display unwanted messages
Types of Computer Viruses

 File Infector Virus: Attaches to executable files (.exe or .dll).

 Macro Virus: Infects documents like Word or Excel by exploiting
macros.
 Boot Sector Virus: Targets the boot sector of hard drives or USBs.
 Polymorphic Virus: Changes its code each time it spreads, making it
hard to detect.
Worms
• Worms are similar to a virus but it does not modify the program. A
computer worm is a type of malware that can replicate itself and
spread across computers and networks without needing a host file or
any user interaction. It is self-contained, meaning it doesn’t require
attachment to other programs or files to function. Worms can be
controlled by remote. The primary objective of worms is to consume
the system’s resources.
Key Characteristics of a Computer Worm

 Self-Replicating: Unlike a virus, a worm can duplicate itself automatically. Once it infects one
system, it scans for other vulnerable systems and spreads to them.
 No User Action Needed: Worms exploit system vulnerabilities or network protocols to spread.
Users do not need to click, open, or download anything for a worm to infect a system.
 Spreads Through Networks: Worms are designed to move quickly across networks, email
systems, and the internet. They often cause large-scale disruptions in a short amount of time.
 Can Carry a Payload: Although the primary function of a worm is to spread, many worms also
carry harmful code called a payload that:
o Installs backdoors for hackers.
o Deletes or steals files.
o Launches denial-of-service (DoS) attacks.
Difference Between Worms and Viruses
Difference Between Worms and Viruses
Difference Between Worms and Viruses
Difference Between Worms and Viruses
Trojan Horse
• A Trojan Horse attack is a malware program that takes, in front of
most of the targets, a mask of legitimate software so that users, in
turn, install malware on their devices. Unlike worms or viruses,
Trojans do not self-replicate. Instead, they hook up with social
engineering means of proliferation underhandedly, appearing mostly
as useful applications or enticing downloads and even innocent email
attachments.
Impact of Trojan Horse Attack

1. Data Theft: The stealing of sensitive information from a system, including login passwords, financial data,
and personal information, leading later to cases of fraud or identity theft.

2. Financial loss: Companies can experience direct financial loss from theft, ransom, or expenses related to
system recovery and brand reputation management.

3. Operational Disruption: Trojans have some power to destroy critical systems, erase files, or make
computers inoperable, which invariably enforces frustratingly extended periods of downtime and loss of
productivity.

4. Brand Equity and Loss of Consumer Confidence: An organization that becomes a victim of a Trojan may
have its brand diminished or its credibility in the minds of the customers affected back down to the
promise or total confidence.

5. Compliance Violations: Among regulated industries, such an attack would likely lead to data breaches that
evoke a lack of compliance with data protection regulations, with the possibility of high fines and/or legal
actions.
Most Common Types of Trojan Malware:

1. Backdoor Trojans: This type of malicious software creates a backdoor in the infected system,
giving remote access to attackers through hidden points. Therefore, such attacks can be
conducted discreetly—meaning they won’t be detected by the existing security measures taken
on the computer. These backdoors can be utilized to install malicious programs further, steal
data, or manipulate the system secretly.
2. Downloader Trojans: As the name would imply, their purpose is basically to download additional
malware on an infected host.
3. Infostealer Trojans: These are malware that mainly focus on sensitive information from the
infected system. They might target specific information, like passwords, credit card numbers, or
even cryptocurrency wallet information. In such circumstances, the most commonly used
technique to execute infostealer Trojans is keylogging and screen capture.
4. DDoS Trojans: This class of Trojans turns compromised computers into “zombies.” These can
then be remotely controlled to participate in a DDoS attack against a target server or network.
How Does the Trojan Horse Work?

• Distribution: Most of the time, what would appear to be very legitimate channels, such
as email attachments, software downloads from compromised websites, or even
legitimate software that has been tampered with, are used to distribute the Trojans.
• Installation: Upon execution by the user, the program automatically installs on the
system. This sometimes involves the creation of hidden files or modifications in system
settings for the automatic execution of the Trojan and to get the Trojan to remain
undetected. Some advanced Trojans even exploit system vulnerabilities to get escalated
to privileged levels upon installation.
• Activation: After installation, the Trojan gets itself ready to work by dropping its payload
behavior. This can be many things, such as starting to gather data, or building a way back
using any one of numerous tactics, then going quiet and remaining dormant until all
conditions are right.
How Does the Trojan Horse Work?

• Execution of Malware Activities: Based on the accessed type, thereafter, the Trojan will
perform the intended activities—data theft, remote access, or malware downloading.
• Persistence: A good number of Trojans apply methods to keep themselves within the
system after reboots or attempts to delete them. It could be in the form of manipulation
in the system start-up processes, the addition of scheduled tasks, or the use of rootkit
techniques for distraction.
• Changing startup settings, so they launch every time the system turns on.
• Creating scheduled tasks that run the malware at certain times.
• Using rootkits, which are special tools that hide the malware from antivirus programs.
• Propagation: Trojans do not self-replicate, whereas viruses do. However, some do have
capabilities to propagate to other systems over the network.
Backdoor
• “A backdoor refers to any method by which authorized and
unauthorized users can get around normal security measures and
gain high-level user access (aka root access) on a computer system,
network, or software application.”
Dangers of Backdoors in Cybersecurity

Hackers can use a backdoor to install all manner of malware on your computer.
 Spyware is a type of malware that, once deployed on your system, collects information
about you, the sites you visit on the Internet, the things you download, the files you
open, usernames, passwords, and anything else of value.
 Ransomware is a type of malware designed to encrypt your files and lock down your
computer.
 Use your computer in a DDoS attack. Using the backdoor to get super user access on
your system, cybercriminals can take command of your computer remotely, enlisting it
in a network of hacked computers, aka a botnet.
 Cryptojacking malware is designed to use your system’s resources to mine
cryptocurrency.
Protecting Your System from Backdoors

• Change your default passwords. The hardworking people in your company’s IT department never
intended for your actual password to be “guest” or “12345.” If you leave that default password in
place, you’ve unwittingly created a backdoor. Change it as soon as possible and enable multi-
factor authentication (MFA) while you’re at it.
• Monitor network activity. Any weird data spikes could mean someone is using a backdoor on
your system. To stop this, use firewalls to track inbound and outbound activity from the various
applications installed on your computer.
• Choose applications and plugins carefully. As we’ve covered, cybercriminals like to hide
backdoors inside of seemingly benign free apps and plugins. The best defense here is to make
sure whatever apps and plugins you choose come from a reputable source.
• Use a good cybersecurity solution. Any good anti-malware solution should be able to stop
cybercriminals from deploying the Trojans and rootkits used to open up those pesky backdoors.
Steganography
• Steganography is the practice of concealing information within another
message or physical object to avoid detection. Steganography can be used
to hide virtually any type of digital content, including text, image, video, or
audio content. That hidden data is then extracted at its destination.
• Content concealed through steganography is encrypted before being
hidden within another file format.
• Steganography is relevant to cybersecurity because ransomware gangs and
other threat actors often hide information when attacking a target. For
example, they might hide data, conceal a malicious tool, or send
instructions for command-and-control servers. They could place all this
information within innocuous-seeming image, video, sound, or text files.
Types of steganography

• Text steganography

• Text steganography involves hiding information inside text files. This includes changing the format of existing
text, changing words within a text, using context-free grammars to generate readable texts, or generating
random character sequences.

• Image steganography

• This involves hiding information within image files. In digital steganography, images are often used to
conceal information because there are a large number of elements within the digital representation of an
image, and there are various ways to hide information inside an image.

• Audio steganography

• Audio steganography involves secret messages being embedded into an audio signal which alters the binary
sequence of the corresponding audio file. Hiding secret messages in digital sound is a more difficult process
compared to others.
Types of steganography
• Video steganography

• This is where data is concealed within digital video formats. Video steganography allows large
amounts of data to be hidden within a moving stream of images and sounds.

• Network steganography

• Network steganography, sometimes known as protocol steganography, is the technique of

embedding information within network control protocols used in data transmission such TCP,
UDP, ICMP, etc.
Uses of steganography

 Avoiding censorship: Using it to send news information without it being

censored and without fear of the messages being traced back to their
sender.
 Digital watermarking: Using it to create invisible watermarks that do not
distort the image, while being able to track if it has been used without
authorization.
 Securing information: Used by law enforcement and government agencies
to send highly sensitive information to other parties without attracting
suspicion.
Mitigating steganography-based attacks

 Cybersecurity training can raise awareness of the risks involved in downloading media from untrusted
sources.

 Organizations should implement web filtering for safer browsing and should also stay up to date with the
latest security patches when updates are available.

 Companies should use modern endpoint protection technologies that go beyond static checks, basic
signatures, and other outdated components as code hidden in images and other forms of obfuscation are
more likely to be detected dynamically by a behavioral engine.

 Companies should also use threat intelligence from multiple sources to keep updated with trends, including
cyber attacks affecting their industry where steganography has been observed.

 Using a comprehensive antivirus solution will help to detect, quarantine, and delete malicious code from
your devices. Modern antivirus products update themselves automatically, to provide protection against
the latest viruses and other types of malware.
Denial of Service Attack
• A DOS (Denial of Service) attack is a type of cyberattack where one
internet-connected computer floods a different computer with traffic
especially a server to instigate a crash. It always floods the server with
requests which will cause it to either crash or be unavailable to users of
the website in question. DOS attacks specifically appear when targeted at
a website, making the site unavailable and causing a major disruption of
online services.
• Key Characteristics of a DOS Attack:
• Single Source: It is started from one system
• Traffic Volume: The Turnover is high, however, it is a single point of call
Turnover.
• Traceability: As the attack originates from a particular system it is
traceable as compared to the case of the distributed one.
• Blockability: It is more easily blocked since ALL of the traffic comes from
one source as opposed to a DDOS attack.
Distributed Denial of Service attack

• A DDOS Which is a short form of Distributed Denial of Service

attack works on similar lines as the DOS attack but is more
complicated in that the attack is launched with the help of
several systems located in different places.
• An inherent advantage of a distributed attack is that it is difficult
to track the origin and, therefore, put a stop to it.
Distributed Denial of Service attack

Key Characteristics of a DDOS Attack

• Multiple Sources: The attack is initiated from the different
systems; at times, originated from different environments.
• Traffic Volume: It has multiple sources and the volume of traffic
is much higher and for this reason it is much more devastating.
• Difficulty in Tracing: This is because the attack is launched in
several instances of computers at different locations, hence it is
difficult to track its origin.
• Complexity in Blocking: It is even more challenging to block a
DDOS attack because the attack originates from many different
places.
Difference Between DoS and DDoS
Attacks
Difference Between DoS and DDoS
Attacks
DoS and DDoS Attacks
• DoS and DDoS attacks can take many forms and be used for various
means. It can be to make a company lose business, to cripple a
competitor, to distract from other attacks, or simply to cause trouble
or make a statement.
Types Of DoS Attacks And DDoS Attacks

• Teardrop attack

• A teardrop attack is a DoS attack that sends countless Internet Protocol (IP) data fragments to a network. When the network tries to recompile the
fragments into their original packets, it is unable to.

• For example, the attacker may take very large data packets and break them down into multiple fragments for the targeted system to reassemble.
However, the attacker changes how the packet is disassembled to confuse the targeted system, which is then unable to reassemble the fragments into
the original packets.

• Flooding attack

• A flooding attack is a DoS attack that sends multiple connection requests to a server but then does not respond to complete the handshake.

• For example, the attacker may send various requests to connect as a client, but when the server tries to communicate back to verify the connection,
the attacker refuses to respond. After repeating the process countless times, the server becomes so inundated with pending requests that real clients
cannot connect, and the server becomes “busy” or even crashes.

• IP fragmentation attack

• An IP fragmentation attack is a type of DoS attack that delivers altered network packets that the receiving network cannot reassemble. The network
becomes bogged down with bulky unassembled packets, using up all its resources.
Types Of DoS Attacks And DDoS Attacks

• Protocol attack
• A protocol attack is a type of DDoS attack that exploits weaknesses in Layers 3 and 4 of
the OSI model. For example, the attacker may exploit the TCP connection sequence,
sending requests but either not answering as expected or responding with another
request using a spoofed source IP address. Unanswered requests use up the resources of
the network until it becomes unavailable.
• Application-based attack
• An application-based attack is a type of DDoS attack that targets Layer 7 of the OSI
model. An example is a Slowloris attack, in which the attacker sends partial Hypertext
Transfer Protocol (HTTP) requests but does not complete them. HTTP headers are
periodically sent for each request, resulting in the network resources becoming tied up.
SQL injection

• SQL injection (SQLi) is a web security vulnerability that allows an

attacker to interfere with the queries that an application makes to its
database. This can allow an attacker to view data that they are not
normally able to retrieve. This might include data that belongs to
other users, or any other data that the application can access. In
many cases, an attacker can modify or delete this data, causing
persistent changes to the application's content or behavior.
• In some situations, an attacker can escalate a SQL injection attack to
compromise the underlying server or other back-end infrastructure.
Impact of a successful SQL injection attack
• A successful SQL injection attack can result in unauthorized access to
sensitive data, such as:
o Passwords.
o Credit card details.
o Personal user information.
• SQL injection attacks have been used in many high-profile data breaches
over the years. These have caused reputational damage and regulatory
fines. In some cases, an attacker can obtain a persistent backdoor into an
organization's systems, leading to a long-term compromise that can go
unnoticed for an extended period.
What is a Buffer Overflow?
• A buffer overflow happens when more data is written to the buffer
than it can hold.The extra data overflows into adjacent memory,
potentially overwriting critical information (like return addresses or
variables).
How Does Buffer Overflow Work?
#include <stdio.h>
#include <string.h>

int main() {
char buffer[8];
gets(buffer); // No length check
printf("You entered: %s\n", buffer);
}
• If the user inputs more than 8 characters, the memory beyond buffer
gets overwritten.If crafted carefully, this can overwrite the return
address on the stack and redirect program execution.
Types of Buffer Overflow
What Can an Attacker Do with a Buffer Overflow?

• Crash the program (Denial of Service)

• Execute arbitrary code (e.g., open a backdoor)
• Escalate privileges (gain root/admin access)
Preventing Buffer Overflows
What is the cyber kill chain?

• The cyber kill chain (CKC) is a classic cybersecurity model

developed by the computer security incident response team
(CSIRT) at Lockheed Martin. The purpose of the model is to better
understand the stages required to execute an attack, and to help
security teams stop an attack at each of its stages.
• The CKC model describes an attack by an external attacker
attempting to gain access to data or assets inside the security
perimeter. The attacker performs reconnaissance, intrusion of the
security perimeter, exploitation of vulnerabilities, gains and escalates
privileges, moves laterallyt to gain access to more valuable targets,
attempts to obfuscate their activity, and finally, exfiltrates data from
the organization.
8 phases of the cyber kill chain

• 1. Reconnaissance
• At the reconnaissance stage, the attacker gathers information about the
target organization. They can use automated scanners to find
vulnerabilities and weak points that may be able to be penetrated.
Attackers will try to identify and investigate security systems that are in
place, such as firewalls, intrusion prevention systems, and authentication
mechanisms.
• 2. Intrusion
• At the intrusion stage, attackers are attempting to get inside the security
perimeter. Attackers commonly inject malware into a system to get a
foothold. Malware could be delivered by social engineering emails, a
compromised system or account, an “open door” representing a gap in
security — such as an open port or unsecured endpoint — or an insider
accomplice.
8 phases of the cyber kill chain

• 3. Exploitation
• At the exploitation stage, attackers seek additional vulnerabilities or
weak points they can exploit inside the organization’s systems. For
example, from the outside, the attacker may have no access to an
organization’s databases, but after the intrusion, they can see that a
database uses an old version and is exposed to a well-known
vulnerability.
• 4. Privilege Escalation
• In the privilege escalation stage, the goal of the attacker is to gain
privileges to additional systems or accounts. Attackers may attempt
brute force attacks, look for unsecured repositories of credentials,
monitor unencrypted network traffic to identify credentials, or change
permissions on existing compromised accounts.
8 phases of the cyber kill chain

• 5. Lateral Movement
• In the lateral movement stage, attackers connect to additional
systems and attempt to find the organization’s most valuable assets.
Attackers move laterally from one system to another to gain access
to privileged accounts, sensitive data, or critical assets. Lateral
movement is a coordinated effort that may span multiple user
accounts and IT systems.
• 6. Obfuscation
• At the obfuscation stage, the attacker tries to cover their tracks. They may
try to delete or modify logs, falsify timestamps, tamper with security
systems, and take other actions to hide previous stages in the CKC and
make it appear that sensitive data or systems were not touched.
8 phases of the cyber kill chain

• 7. Denial of Service
• At the denial of service (DoS) stage, attackers attempt to disrupt an organization’s
operations. Usually the aim is to distract security and operational staff, enabling
the malicious actorsto achieve their real goal, which is data exfiltration. DoS can
be waged against networks and production systems, including websites, email
servers, or customer-facing applications.
• 8. Exfiltration
• At the exfiltration stage, an advanced attacker finally hits home, getting
their hands on the organization’s most sensitive data. Attackers will find a
mechanism — typically some sort of protocol tunneling — to copy the data
outside the organization. Then, they can sell it, use it for additional attacks
(for example, in the case of customer personal data or payment details), or
openly distribute it to damage the organization.
Security controls you can use to stop the
cyber kill chain
• Detect – Determine attempts to scan or penetrate the
organization.
• Deny – Stop attacks as they happen.
• Disrupt -Intercept data communications carried out by the
attacker and interrupt them.
• Degrade – Create measures that will limit the effectiveness of
an attack.
• Deceive – Mislead an attacker by providing false information or
setting up decoy assets.
What is Authentication, Authorization, and
Accounting (AAA)?
• Authentication, Authorization, and Accounting (AAA) is a three-
process framework used to manage user access, enforce user
policies and privileges, and measure the consumption of
network resources.
• The AAA system works in three chronological and dependent
steps, where one must take place before the next can begin.
These AAA protocols are typically run on a server that performs
all three functions automatically. This enables IT management
teams to easily maintain network security and ensure that users
have the resource access they need to perform their jobs.
What is Authentication, Authorization, and
Accounting (AAA)?

• Authentication
• Authentication is the process of identifying a user and granting
them access to the network. Most of the time, this is done
through traditional username and password credentials.
However, users could also use passwordless
authentication methods, including biometrics like eye scans or
fingerprints, and hardware such as hardware tokens or smart
cards.
• The server evaluates the credential data submitted by the user
compared to the ones stored in the network's database. Active
Directory is used as the database for many enterprises to store
and analyze those credentials.
What is Authentication, Authorization, and
Accounting (AAA)?

• Authorization
• After authentication, the authorization process enforces the network
policies, granular access control, and user privileges. The
cybersecurity AAA protocol determines which specific network
resources the user has permission to access, such as a particular
application, database, or online service. It also establishes the tasks
and activities that users can perform within those authorized
resources.
• For example, after the system grants access to the network, a user
who works in sales may only be able to use the customer
relationship management (CRM) software and not the human
resources or enterprise resource planning systems. Additionally,
within the CRM, they might only be allowed to view and edit data and
not manage other users. It's the authorization process that would
enforce all of these network rules.
What is Authentication, Authorization, and
Accounting (AAA)?

• Accounting
• Accounting, the final process in the framework, is all about
measuring what's happening within the network. As part of the
protocol, it will collect and log data on user sessions, such as
length of time, type of session, and resource usage. The value
here is that it offers a clear audit trail for compliance and
business purposes.
• Accounting helps in both security and operational evaluations.
For instance, network administrators can look at user access
privileges to specific resources to see about any changes. They
could also adjust capacity based on the resources most
frequently used and common activity trends.
The AAA Framework

• The AAA security model applies to numerous use cases, such as

accessing a private corporate network remotely, using a wireless
hotspot for the internet, and enforcing network segmentation for Zero
Trust Network Access (ZTNA)—all for security purposes. Security
teams can prevent unauthorized access by having control and
visibility over network and resource access, privileges, and user
activity.
• The framework uses a client/server model to deploy and run the
protocol. The client—the device seeking access—is first stopped by
an enforcement point requiring authentication credentials. Next, the
user submits the credentials such as a username, password, piece
of hardware, or biometric. The device could also present its digital
certificates through public-key infrastructure (PKI) procedures.
The AAA Framework

• Upon submission, the AAA server reviews the credential data

with information stored in the database and determines if it's a
match. Once authenticated, the user has the right to perform
certain actions and access specific data or resources per what's
configured automatically or by a network administrator. During
the user's session, all operations and activities get recorded.
AAA Benefits

• Improves Network Security: The framework requires all users and

devices to undergo credential-based authentication before receiving
network access and enforces the principle of least privilege,
preventing malicious or negligent-based behavior that could cause
data theft, deletion, or compromise.
• Centralizes Protocol Management: The security model gives
system administrators a single source of truth and helps standardize
protocols for AAA access control across the whole organization.
• Allows Granular Control and Flexibility: Deploying an AAA system
lets network-security teams and administrators enforce detailed rules
about network resources users can access along with their functional
limitations.
AAA Benefits

• Provides Scalable Access Management: Standardizing

network access protocols using AAA functionality gives IT
teams the capacity to manage new devices, users, and
resources added to a network—even as they quickly grow.
• Enables Information-Based Decision Making: Logging
activity and session information allow administrators to make
user-resource authorization, capacity planning, and resource
adjustments based on collected data rather than gut feelings.