Attackers lurk almost everywhere. If you have computer systems, you can’t escape them. However, you can be proactive in identifying the different types of attacks and take steps to prevent them, or at least limit their effectiveness. If you’re planning to take the SY0-501 version of the Security+ exam, you should have a good understanding of common and advanced types of attacks launched against systems and networks.
For example, can you answer this practice test question?
Q. An attacker recently attacked a web server hosted by your company. After investigation, security professionals determined that the attacker used a previously unknown application exploit. Which of the following BEST identifies this attack?
A. Buffer overflow
B. Zero-day attack
C. Man-in-the-browser
D. Session hijacking
More important, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Domain Hijacking
In a domain hijacking attack, an attacker changes the registration of a domain name without permission from the owner. Attackers often do so with social engineering techniques to gain unauthorized access to the domain owner’s email account.
As an example, imagine that Homer sets up a domain named homersimpson.com. He uses his Gmail account as the email address when he registers it, though he rarely checks his Gmail account anymore.
Attackers watch his Facebook page and notice that he often adds simple comments like “Doh!” Later, they try to log on to his Gmail account with a brute force attempt. They try the password Doh!Doh! and get in. They then go to the domain name registrar and use the Forgot Password feature. It sends a link to Homer’s Gmail account to reset the password. After resetting the password at the domain name registrar site, the attackers change the domain ownership. They also delete all the emails tracking what they did. Later, Homer notices his web site is completely changed and he no longer has access to it.
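The scenario above ends with the registration record itself being changed, which is something the legitimate owner can watch for. The following is an added example, not code from the study guide: it assumes you periodically capture the registration record for each domain you own (from your registrar’s portal or a WHOIS/RDAP lookup) and store it as a dictionary, then diff the newest snapshot against the last known-good one. The two records, the watched fields, and the use of the clientTransferProhibited registrar lock as a signal are this example’s constructed sample data and design choices.

```python
"""Diff two registration snapshots for a domain and flag hijacking signs.

Added example for the domain hijacking section; not from the study guide.
The snapshots below are constructed sample data, not real WHOIS output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fields whose change most often means ownership or control moved.
# Choosing exactly these fields is this example's assumption.
WATCHED_FIELDS = ("registrant_email", "registrar", "nameservers", "status")
TRANSFER_LOCK = "clientTransferProhibited"   # standard EPP status code


@dataclass
class DomainAlert:
    domain: str
    field: str
    before: object
    after: object


def _normalize(value):
    """Lists (nameservers, status codes) are compared order-insensitively."""
    if isinstance(value, list):
        return tuple(sorted(value))
    return value


def diff_registration(previous: Dict, current: Dict) -> List[DomainAlert]:
    """Return one alert per watched field that differs between snapshots."""
    domain = current.get("domain") or previous.get("domain") or "?"
    alerts: List[DomainAlert] = []
    for name in WATCHED_FIELDS:
        before, after = _normalize(previous.get(name)), _normalize(current.get(name))
        if before != after:
            alerts.append(DomainAlert(domain, name, before, after))
    # A removed transfer lock gets its own alert: it is the usual step
    # just before a domain is moved to another registrar.
    if TRANSFER_LOCK in (previous.get("status") or []) and \
       TRANSFER_LOCK not in (current.get("status") or []):
        alerts.append(DomainAlert(domain, "transfer_lock", "locked", "unlocked"))
    return alerts


def severity(alerts: List[DomainAlert]) -> str:
    """Rank the finding: a changed registrant, registrar or nameserver set
    means control of the domain may already be gone."""
    fields = {a.field for a in alerts}
    if fields & {"registrant_email", "registrar", "nameservers"}:
        return "critical"
    if fields:
        return "warning"
    return "ok"


# Constructed baseline: what Homer's record looked like after he registered it.
BASELINE = {
    "domain": "homersimpson.com",
    "registrant_email": "homer@example.invalid",
    "registrar": "Example Registrar LLC",
    "nameservers": ["ns1.example-host.invalid", "ns2.example-host.invalid"],
    "status": [TRANSFER_LOCK, "ok"],
}

# Constructed snapshot taken after the attackers reset the registrar password.
AFTER_HIJACK = {
    "domain": "homersimpson.com",
    "registrant_email": "new-owner@example.invalid",
    "registrar": "Example Registrar LLC",
    "nameservers": ["ns1.other-dns.invalid", "ns2.other-dns.invalid"],
    "status": ["ok"],
}


if __name__ == "__main__":
    found = diff_registration(BASELINE, AFTER_HIJACK)
    print(f"{AFTER_HIJACK['domain']}: severity={severity(found)}")
    for alert in found:
        print(f"  {alert.field}: {alert.before!r} -> {alert.after!r}")
```

In practice the previous snapshot would come from your own store and the current one from a scheduled lookup; the point of keeping the comparison order-insensitive is that nameserver and status lists are frequently returned in varying order and should not trigger alerts on their own.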
Man-in-the-Browser
A man-in-the-browser is a type of proxy Trojan horse that infects vulnerable web browsers. Successful man-in-the-browser attacks can capture browser session data. This includes keystrokes captured by a keylogger, along with all data sent to and from the web browser.
As an example, Zeus is a Trojan horse that has used man-in-the-browser techniques after infecting systems. Zeus includes keystroke logging and form grabbing. Once the attackers collect logon information for a user’s bank, they use it to log on and transfer money to offshore accounts.
Driver Manipulation
Operating systems use drivers to interact with hardware devices or software components. For example, when you print a page using Microsoft Word, Word accesses the appropriate print driver via the Windows operating system. Similarly, if you access encrypted data on your system, the operating system typically accesses a software driver to decrypt the data so that you can view it.
Occasionally, an application needs to support an older driver. For example, Windows 10 needed to be compatible with drivers used in Windows 8, but not all of those drivers were compatible at first. Shimming provides the solution that makes it appear that the older drivers are compatible.
A driver shim is additional code that can be run instead of the original driver. When an application attempts to call an older driver, the operating system intercepts the call and redirects it to run the shim code instead. Refactoring code is the process of rewriting the internal processing of the code, without changing its external behavior. It is usually done to correct problems related to software design.
Developers have a choice when a driver is no longer compatible. They can write a shim to provide compatibility or they can completely rewrite the driver to refactor the relevant code. If the code is clunky, it’s appropriate to rewrite the driver.
Attackers with strong programming skills can use their knowledge to manipulate drivers by either creating shims, or by rewriting the internal code. If the attackers can fool the operating system into using a manipulated driver, they can cause it to run malicious code contained within the manipulated driver.
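The following added example (mine, not the study guide’s and not Windows code) models the shim mechanism described above in plain Python: an application calls an old driver interface, a loader standing in for the operating system intercepts the call, and a shim adapts it to the new driver. The loader also refuses to install a shim whose code fingerprint is not on an allow-list; that integrity check is this example’s own mitigation for the manipulated-driver case and is not something the page describes. Refactoring (rewriting the driver’s internals while keeping its interface) is deliberately not shown, since it would look like just another driver.

```python
"""Driver shim model with an allow-listed loader.

Added example for the driver manipulation section; not from the study
guide or any real operating system. Driver and shim names are made up.
"""
import hashlib
import marshal
from typing import Callable, Dict, Set


# --- The driver interface the application was written against.
def print_driver_v1(text: str, copies: int) -> str:
    """Old driver: positional arguments, returns a spool line."""
    return f"v1 spool: {copies}x '{text}'"


# --- The replacement driver, whose interface changed.
def print_driver_v2(job: Dict[str, object]) -> str:
    """New driver: takes a job dict and supports duplex printing."""
    duplex = "duplex" if job.get("duplex") else "simplex"
    return f"v2 spool: {job['copies']}x '{job['text']}' ({duplex})"


# --- The shim: runs instead of v1 and translates the old call into a v2 job.
def print_driver_v1_shim(text: str, copies: int) -> str:
    return print_driver_v2({"text": text, "copies": copies, "duplex": False})


class DriverLoader:
    """Stand-in for the OS: intercepts calls to a named driver and redirects
    them to an installed shim. Shims must be approved first; the fingerprint
    allow-list is this example's assumption, not a feature of the page."""

    def __init__(self) -> None:
        self._drivers: Dict[str, Callable] = {}
        self._shims: Dict[str, Callable] = {}
        self._approved: Set[str] = set()

    @staticmethod
    def fingerprint(fn: Callable) -> str:
        # Hash the compiled code object, so a shim with different logic
        # (not just a different name) gets a different fingerprint.
        return hashlib.sha256(marshal.dumps(fn.__code__)).hexdigest()

    def register_driver(self, name: str, fn: Callable) -> None:
        self._drivers[name] = fn

    def approve_shim(self, fn: Callable) -> None:
        """Record a known-good shim (the vendor-supplied one)."""
        self._approved.add(self.fingerprint(fn))

    def install_shim(self, name: str, fn: Callable) -> None:
        """Redirect calls to `name` to `fn`, only if `fn` is approved."""
        if self.fingerprint(fn) not in self._approved:
            raise PermissionError(f"shim for {name!r} is not on the allow-list")
        self._shims[name] = fn

    def call(self, name: str, *args):
        """What the application sees as 'calling the driver'."""
        target = self._shims.get(name) or self._drivers[name]
        return target(*args)


def build_loader() -> DriverLoader:
    """Loader with the v1 driver registered and the vendor shim installed."""
    loader = DriverLoader()
    loader.register_driver("print", print_driver_v1)
    loader.approve_shim(print_driver_v1_shim)
    loader.install_shim("print", print_driver_v1_shim)
    return loader


if __name__ == "__main__":
    loader = build_loader()
    # The application still makes the old v1-style call; the shim answers.
    print(loader.call("print", "quarterly report", 2))

    def unapproved_shim(text: str, copies: int) -> str:
        return "something else entirely"

    try:
        loader.install_shim("print", unapproved_shim)
    except PermissionError as exc:
        print(f"rejected: {exc}")
```

Without an installed shim, `call` falls through to the original driver, so the application’s behaviour depends entirely on which code the loader agrees to redirect to; that is why the decision to install a shim is the step worth gating.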
Zero-Day Attacks
A zero-day vulnerability is a weakness or bug that is unknown to trusted sources, such as operating system and antivirus vendors. A zero-day attack exploits an undocumented vulnerability. Many times, the vendor isn’t aware of the issue. At some point, the vendor learns of the vulnerability and begins to write and test a patch to eliminate it. However, until the vendor releases the patch, the vulnerability is still a zero-day vulnerability.
In most cases, a zero-day vulnerability is a new threat. However, there have been zero-day vulnerabilities that have existed for years.
Both attackers and security experts are constantly looking for new threats, such as zero-day vulnerabilities. Attackers want to learn about them so that they can exploit them. Most security experts want to know about them so that they can help ensure that vendors patch them before they cause damage to users.
Remember this
Zero-day exploits are undocumented and unknown to the public. The vendor might know about the vulnerability but has not yet released a patch to address it.
Q. An attacker recently attacked a web server hosted by your company. After investigation, security professionals determined that the attacker used a previously unknown application exploit. Which of the following BEST identifies this attack?
A. Buffer overflow
B. Zero-day attack
C. Man-in-the-browser
D. Session hijacking
The answer is B. A zero-day attack takes advantage of an undocumented exploit or an exploit that is unknown to the public.
A buffer overflow attack sends unexpected data to a system to access system memory or cause it to crash. Although some buffer overflow attacks are unknown, others are known. If the server isn’t kept up to date with patches, it can be attacked with a known buffer overflow attack.
A man-in-the-browser attack is a type of proxy Trojan horse that takes advantage of vulnerabilities in web browsers, not web servers.
Session hijacking takes over a user’s session and isn’t related to an attack on a server.
See Chapter 7 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on advanced attacks.