UNIT-4

Trojans Horses
 Trojans and backdoors are types of malware used to infect and compromise
computer systems
 A Trojan horse is a program with an overt effect and a covert effect.
 An overt channel is the normal and legitimate way that programs communicate
within a computer system or network.
 A covert channel uses programs or communications paths in ways that were not
intended.
 Trojans can use covert channels to communicate. Some client Trojans use covert
channels to send instructions to the server component on the compromised system.
 Trojan horses can make copies of themselves a propagating Trojan horse
 Trojan horse hides in an independent program that performs a useful or appealing
function or appears to perform that function.
 Along with the apparent function, however, the program performs some other
unauthorized operation
 A typical Trojan horse tricks a user into running a program, often an attractive or
helpful one. When the unsuspecting user runs the program, it does indeed perform
the expected function.
 But its real purpose is often to penetrate the defenses of the system by usurping the
user’s legitimate privileges and thus obtaining information that the penetrator isn’t
authorized to access.
 An example of this would be the modern rootkit, which is a script that controls a
small suite of programs that create an administrative level account on the targeted
system, and then create a backdoor.
 Backdoor is an unmonitored entrance way that evades the security mechanisms,
through which the attacker can later gain convenient access.
Backdoors
 Backdoor is a program or a set of related programs that a hacker installs on a target
system to allow access to the system at a later time.
 A backdoor can be embedded in a malicious Trojan.
 The objective of installing a backdoor on a system is to give hackers access into the
system at a time of their choosing.
  The key is that the hacker knows how to get into the backdoor undetected and is
able to use it to hack the system further and look for important information.

WORKING OF TROJAN HORSE -

Unlike computer viruses, a Trojan horse cannot manifest by itself, so it needs a user to
download the server side of the application for it to work. This means the executable (.exe)
file should be implemented and the program installed for the Trojan to attack a device’s
system. 
A Trojan virus spreads through legitimate-looking emails and files attached to emails, which
are spammed to reach the inboxes of as many people as possible. When the email is opened
and the malicious attachment is downloaded, the Trojan server will install and automatically
run every time the infected device is turned on. 
Devices can also be infected by a Trojan through social engineering tactics, which cyber
criminals use to coerce users into downloading a malicious application. The malicious file
could be hidden in banner advertisements, pop-up advertisements, or links on websites. 
A computer infected by Trojan malware can also spread it to other computers. A cyber
criminal turns the device into a zombie computer, which means they have remote control of
it without the user knowing. Hackers can then use the zombie computer to continue sharing
malware across a network of devices, known as a botnet.
For example, a user might receive an email from someone they know, which includes an
attachment that also looks legitimate. However, the attachment contains malicious code
that executes and installs the Trojan on their device. The user often will not know anything
untoward has occurred, as their computer may continue to work normally with no signs of it
having been infected. 
The malware will reside undetected until the user takes a certain action, such as visiting a
certain website or banking app. This will activate the malicious code, and the Trojan will
carry out the hacker’s desired action. Depending on the type of Trojan and how it was
created, the malware may delete itself, return to being dormant, or remain active on the
device.
Trojans can also attack and infect smartphones and tablets using a strand of mobile
malware. This could occur through the attacker redirecting traffic to a device connected to a
Wi-Fi network and then using it to launch cyberattacks.

TYPES OF TROJANS:
1.Remote Access Trojans -
A remote access Trojan (RAT) is a malware program that opens a backdoor, enabling
administrative control over the victim’s computer. RATs are typically downloaded together
with a seemingly legitimate program, like a game, or are sent to the target as an email
attachment. Once the attacker compromises the host’s system, they can use it to distribute
RATs to additional vulnerable computers, establishing a botnet.
RAT can be deployed as a malicious payload using exploit toolkits such as Metasploit. After a
successful installation, RAT achieves direct connectivity to the command-and-control (C&C)
server, controlled by the attackers. The attackers accomplish this using the predefined
open TCP port on the compromised device.
Because RAT provides administrative control, the attacker can do almost anything on the
victim’s computer, for example:
 Monitor user behavior via spyware or keyloggers
 Access sensitive details, including social security numbers and credit card
 Activate a system’s recording video and webcam
 Take screenshots
 Distribute malware and viruses
 Format drives
 Download, alter, or delete files and file systems

2. Data Sending Trojans –

A data-sending Trojan is a kind of Trojan virus that relays sensitive information back to its
owner. This type of Trojan can be used to retrieve sensitive data, including credit card
information, email addresses, passwords, instant messaging contact lists, log files and so on.
Some data-sending Trojans are not used for malicious acts, but they still relay information.
Usually, this is to serve ads to the user. Hackers use data-sending Trojans to gain data about
user activity on the Web, such as the sites visited and the ads or other icons clicked. Using
this information, the Trojans serve the relevant ads to the user.
Sometimes, data-sending Trojans will install key loggers on a computer so that all key
strokes are recorded and sent back to the hacker. Then another program parses the data
and separates it into readable words.
Data-sending Trojans are quite annoying, even though some are only used to present ads to
a user. However, these ads may arrive irregularly and can be cunning if they advertise
something like virus removal when in fact the Trojan pushing the ad for a product to remove
itself from the user’s computer.

3. Destructive Trojans –
A destructive Trojan is a virus designed to destroy or delete files. Destructive Trojans have
more typical virus characteristics than other types of Trojans but do not always result in
data theft.
Destructive Trojans may not be detected by antivirus software. Once a destructive Trojan
infects a computer system, it randomly deletes files, folders, and registry entries, often
resulting in OS failures. A destructive Trojan is usually in program form or manipulated to
strike like a logic bomb programmed and specified by the attacker.
Destructive Trojans are viruses, but they do not self-replicate like other viruses or worms.
Destructive Trojans are written as simple crude batch files with commands like "DEL,"
"DELTREE" or "FORMAT." This code is usually compiled as ".exe" or ".com" files, such as
BAT2COM. Thus, it is difficult to determine if a computer system infection is caused by a
destructive Trojan.
Computing platforms that are susceptible to destructive Trojans include:
 Windows: Commonly attacked platform
 Linux: Increased attacks have been reported.
Apple firmware has been attacked by destructive compiled AppleScript Trojans that invade
privacy and compromise security. Additionally, personal digital assistants (PDA) reportedly
have been attacked by destructive and data-stealing Trojans.
Certain tools help prevent destructive Trojans, including rollback software, antivirus
software and anti-Trojan software.

4. Proxy Trojans –
A proxy Trojan is a virus which hijacks and turns the host computer into a proxy
server, part of a botnet, from which an attacker can stage anonymous activities
and attacks.
The whole point of a proxy Trojan is to hide the attacker, making it harder to
trace the true origin of an attack since the attacks will look like they are coming
from random and multiple directions because of the proxy bots.
A proxy Trojan, as the name suggests, is a kind of Trojan malware which
creates proxy servers out of infected computers for staging anonymous
attacks.
Like all Trojans, the proxy is spread disguised as legitimate software downloads
and attachments or piggy-backing on legitimate downloads and attachments.
This Trojan gives the attacker a lot of opportunity to do malicious activities
such as credit card fraud, hacking and other illegal activities since it masks the
true location of the attacker.
Aside from that, it can collect information from the host computer and send it
to the attacker.
5. FTP Trojans –
An FTP Trojan is a special type of Trojan allowing the attacker to access a machine using the
FTP Protocol.
Generally, a Trojan is a type of virus entering a system in an undetected manner and
accessing all confidential data, thereby causing trouble by compromising or exposing data.
One of the ways a Trojan can manifest itself is in the form of a genuine program performing
malicious functions.
An FTP Trojan installs an FTP server on the victim’s machine allowing the attacker to gain
access to sensitive data through the FTP Protocol. The Trojan opens port 21 and makes it
accessible to the attacker or a group of individuals. Some password attacks can also be
employed where only the attacker gains access to the system. The system tries to download
and upload files from the victim system.
The types of information affected include:
Credit card information
All types of username and password information
Confidential data
Email addresses to propagate
Using the victim’s computer as a source for propagating other attacks

6. Security Software Diasblers Trojan –

A Security Software Disabler Trojan is specifically designed to affect the overall working of
an antivirus program of a system. It aims at disabling the Firewall and antivirus software and
works in packages with other trojans as payloads. 
Once the security walls of a system are stopped it gives an easy way to the hackers to attack
the PC. Individual machines are the main targets of a Security Software Disabler trojan, it is
less applicable to the corporate devices.
To explain the working of this malicious malware in a simple language , it disables the
security system of a device without the user knowing to conduct cyber attacks. 

VIRUSES AND WORMS-

1. Worms : 
Worms are similar to a virus but it does not modify the program. It replicates itself more and
more to cause slow down the computer system. Worms can be controlled by remote. The
main objective of worms is to eat the system resources. The WannaCry ransomware worm
in 2000 exploits the Windows Server Message Block (SMBv1) which is a resource-sharing
protocol.
2. Virus : 
A virus is a malicious executable code attached to another executable file that can be
harmless or can modify or delete data. When the computer program runs attached with a
virus it performs some action such as deleting a file from the computer system. Viruses can’t
be controlled by remote. The ILOVEYOU virus spreads through email attachments. 

Sr.No Basis of
. Comparison WORMS VIRUS

A Virus is a malicious executable

code attached to another
A Worm is a form of malware that executable file which can be
replicates itself and can spread to harmless or can modify or delete
1. Definition different computers via Network. data. 

The main objective of worms is to eat the

system resources. It consumes system
resources such as memory and bandwidth
and made the system slow in speed to The main objective of viruses is to
2. Objective such an extent that it stops responding.  modify the information.

It doesn’t need a host to replicate from It requires a host is needed for

3. Host one computer to another. spreading.

4. Harmful It is less harmful as compared. It is more harmful.

Detection
and Worms can be detected and removed by Antivirus software is used for
5. Protection the Antivirus and firewall. protection against viruses.

Viruses can’t be controlled by

6. Controlled by Worms can be controlled by remote. remote.

Worms are executed via weaknesses in Viruses are executed via

7. Execution the system. executable files.

Worms generally comes from the

downloaded files or through a network Viruses generally comes from the
8. Comes from connection. shared or downloaded files.
  Hampering computer performance
by slowing down it
 Pop-up windows linking to
 Automatic opening and running of malicious websites
programs
 Hampering computer
 Sending of emails without your performance by slowing
knowledge down it
 Affected the performance of web  After booting, starting of
browser unknown programs.
 Error messages concerning to  Passwords get changed
9. Symptoms system and operating system without your knowledge

 Installation of Antivirus
software
 Never open email
attachments
 Keep your operating system and
 Avoid usage of pirated
system in updated state
software
 Avoid clicking on links from
 Keep your operating
untrusted or unknown websites
system updated
 Avoid opening emails from
 Keep your browser
unknown sources
updated as old versions
 Use antivirus software and a are vulnerable to linking
10. Prevention firewall to malicious websites

Boot sector virus, Direct Action

Internet worms, Instant messaging worms, virus, Polymorphic virus, Macro
Email worms, File sharing worms, Internet virus, Overwrite virus, File
relay chat (IRC) worms are different types Infector virus are different types
11. Types of worms. of viruses

Examples of worms include Morris worm, Examples of viruses include

12. Examples storm worm, etc. Creeper, Blaster, Slammer, etc.

It does not need human action to It needs human action to

13. Interface replicate. replicate.
Computer viruses have four phases (inspired by biologists’ classification of a real-life virus’s
life cycle).
 Dormant phase: This is when the virus is hidden on your system, lying in wait.
 Propagation phase: This is the viral stage, when the virus begins to self-replicate,
stashing copies of itself in files, programs, or other parts of your disk. The clones may
be slightly altered in an attempt to avoid detection, and these copies will also self-
replicate, creating more clones that continue to copy and spread.
 Triggering phase: A specific action is generally required to trigger or activate the
virus. This could be a user action, like clicking an icon or opening an app. Other
viruses are programmed to come to life after a certain amount of time, such as
a logic bomb designed to trigger after your computer has rebooted a certain number
of times (this is done to obfuscate the origin of the virus).
 Execution phase: Now the virus’s program is executed and releases its payload, the
malicious code that harms your device.

SNIFFING -
Sniffing is the process of monitoring and capturing all the packets passing through a given
network using sniffing tools. It is a form of “tapping phone wires” and get to know about the
conversation. It is also called wiretapping applied to the computer networks.
There is so much possibility that if a set of enterprise switch ports is open, then one of their
employees can sniff the whole traffic of the network. Anyone in the same physical location
can plug into the network using Ethernet cable or connect wirelessly to that network and
sniff the total traffic.
In other words, Sniffing allows you to see all sorts of traffic, both protected and
unprotected. In the right conditions and with the right protocols in place, an attacking party
may be able to gather information that can be used for further attacks or to cause other
issues for the network or system owner.
What can be sniffed?
One can sniff the following sensitive information from a network −
 Email traffic
 FTP passwords
 Web traffics
 Telnet passwords
 Router configuration
 Chat sessions
 DNS traffic
How it works
A sniffer normally turns the NIC of the system to the promiscuous mode so that it listens to
all the data transmitted on its segment.
Promiscuous mode refers to the unique way of Ethernet hardware, in particular, network
interface cards (NICs), that allows an NIC to receive all traffic on the network, even if it is not
addressed to this NIC. By default, a NIC ignores all traffic that is not addressed to it, which is
done by comparing the destination address of the Ethernet packet with the hardware
address (a.k.a. MAC) of the device. While this makes perfect sense for networking, non-
promiscuous mode makes it difficult to use network monitoring and analysis software for
diagnosing connectivity issues or traffic accounting.

A sniffer can continuously monitor all the traffic to a computer through the NIC by decoding
the information encapsulated in the data packets.
Types of Sniffing
Sniffing can be either Active or Passive in nature.
Passive Sniffing - In passive sniffing, the traffic is locked but it is not altered in any way.
Passive sniffing allows listening only. It works with Hub devices. On a hub device, the traffic
is sent to all the ports. In a network that uses hubs to connect systems, all hosts on the
network can see the traffic. Therefore, an attacker can easily capture traffic going through.
Active Sniffing - In active sniffing, the traffic is not only locked and monitored, but it may
also be altered in some way as determined by the attack. Active sniffing is used to sniff a
switch-based network. It involves injecting address resolution packets (ARP) into a target
network to flood on the switch content addressable memory (CAM) table. CAM keeps track
of which host is connected to which port.
PHISING – Phishing is a fraud technique where a malicious actor sends messages
impersonating a legitimate individual or organization, usually via email or other messaging
system. Many cyber attackers distribute malicious attachments and links through phishing
emails to trick unsuspecting users into downloading malware.
In most phishing attacks, attackers extract sensitive information from the victim, such as
user credentials and account details. Exploiting human weaknesses to bypass security
controls is often easier than breaking through digital defenses. Many people easily mistake
phishing emails for legitimate messages.

1. Too Good To Be True - Lucrative offers and eye-catching or attention-grabbing

statements are designed to attract people’s attention immediately. For instance,
many claim that you have won an iPhone, a lottery, or some other lavish prize.
Just don't click on any suspicious emails. Remember that if it seems to good to be
true, it probably is!
2. Sense of Urgency - A favorite tactic amongst cybercriminals is to ask you to act fast
because the super deals are only for a limited time. Some of them will even tell you
that you have only a few minutes to respond. When you come across these kinds of
emails, it's best to just ignore them. Sometimes, they will tell you that your account
will be suspended unless you update your personal details immediately. Most
reliable organizations give ample time before they terminate an account and they
never ask patrons to update personal details over the Internet. When in doubt, visit
the source directly rather than clicking a link in an email.
3. Hyperlinks - A link may not be all it appears to be. Hovering over a link shows you
the actual URL where you will be directed upon clicking on it. It could be completely
different or it could be a popular website with a misspelling, for instance
www.bankofarnerica.com - the 'm' is actually an 'r' and an 'n', so look carefully.
4. Attachments - If you see an attachment in an email you weren't expecting or that
doesn't make sense, don't open it! They often contain payloads like ransomware or
other viruses. The only file type that is always safe to click on is a .txt file.
5. Unusual Sender - Whether it looks like it's from someone you don't know or
someone you do know, if anything seems out of the ordinary, unexpected, out of
character or just suspicious in general don't click on it!
TYPES OF PHISHING -

 Spear phishing- involves targeting a specific individual in an organization to try to

steal their login credentials. The attacker often first gathers information about the
person before starting the attack, such as their name, position, and contact details.
Example of Spear Phishing- An attacker tried to target an employee of NTL World, which is a
part of the Virgin Media company, using spear phishing. The attacker claimed that the victim
needed to sign a new employee handbook. This was designed to lure them into clicking a
link where they would have been asked to submit private information.

 Vishing, which is short for "voice phishing," is when someone uses the phone to try
to steal information. The attacker may pretend to be a trusted friend or relative or to
represent them.
Example of Vishing- In 2019, there was a vishing campaign that targeted members of the
UK’s parliament and their staffers. The attack was part of an assault that involved at least 21
million spam emails targeting UK lawmakers.

 Email Phishing- In an email phishing scam, the attacker sends an email that looks
legitimate, designed to trick the recipient into entering information in reply or on a
site that the hacker can use to steal or sell their data.
Example of Email Phishing- Hackers used LinkedIn to grab contact information from
employees at Sony and targeted them with an email phishing campaign. They got away with
over 100 terabytes of data.

 An HTTPS phishing attack is carried out by sending the victim an email with a link to
a fake website. The site may then be used to fool the victim into entering their
private information.
Example of HTTPS Phishing- Hacker group Scarlet Widow searches for the employee emails
of companies and then targets them with HTTPS phishing. When the user gets a mostly
empty email, they click on the little link that is there, taking the first step into Scarlet
Widow's web.

 Pop-up phishing often uses a pop-up about a problem with your computer’s security
or some other issue to trick you into clicking. You are then directed to download a
file, which ends up being malware, or to call what is supposed to be a support
center.
Example of Pop-up Phishing- Users have sometimes received pop-ups saying they can
qualify for AppleCare renewal, which would supposedly avail them of extended protection
for their Apple devices. However, the offer is fake.

 Whaling- A whaling attack is a phishing attack that targets a senior executive. These
individuals often have deep access to sensitive areas of the network, so a successful
attack can result in access to valuable info.
Example of Whaling- A founder of Levitas, an Australian hedge fund was the target of a
whaling attack that led the individual to a fake connection using a fraudulent Zoom link.
After following the link, they had malware installed on their system, and the company lost
$800.000.

 Clone Phishing- A clone phishing attack involves a hacker making an identical copy of
a message the recipient already received. They may include something like
“resending this” and put a malicious link in the email.
Example of Clone Phishing- In a recent attack, a hacker copied the information from a
previous email and used the same name as a legitimate contact that had messaged the
victim about a deal. The hacker pretended to be a CEO named Giles Garcia and referenced
the email Mr. Garcia had previously sent. The hacker then proceeded to pretend to carry on
the previous conversation with the target, as if they really were Giles Garcia.

 Smishing is phishing through some form of a text message or SMS.

Example of Smishing- Hackers pretended to be from American Express and sent text
messages to their victims telling them they needed to tend to their accounts. The message
said it was urgent, and if the victim clicked, they would be taken to a fake site where they
would enter their personal information.

 Image phishing uses images with malicious files in them meant to help a hacker steal
your account info or infect your computer.
Example of Image Phishing- Hackers have made use of AdGholas to hide malicious code
written in JavaScript inside images and HTML files. When someone clicked on an image
generated by AdGholas, malware would be downloaded onto their computer that could be
used to phish for their personal information

 Search Engine Phishing- A search engine phishing attack involves an attacker making
fake products that look attractive. When these pop up in a search engine, the target
is asked to enter sensitive information before purchasing, which then goes to a
hacker.
Example of Search Engine Phishing- In 2020, Google said that they found 25 billion spam
pages every day, like the one put up by hackers pretending to be from the travel company
Booking.com. An ad would pop up in users’ search results that looked like it was from
booking.com and included the site’s address and the kind of wording users would expect
from a real ad by the company. After users clicked, they were prompted to enter sensitive
login information that was then transmitted to hackers.

 Man-in-the-Middle (MTM) Attacks- With a man-in-the-middle attack, the hacker

gets in “the middle” of two parties and tries to steal information exchanged between
them, such as account credentials.
Example of Man-in-the-Middle-Attack- In 2017, Equifax, the popular credit score company,
was targeted by man-in-the-middle attacks that victimized users who used the Equifax app
without using HTTPS, which is a secure way to browse the internet. As the users accessed
their accounts, the hackers intercepted their transmissions, stealing their login credentials.

 Deceptive Phishing- Deceptive phishers use deceptive technology to pretend they

are with a real company to inform the targets they are already experiencing a
cyberattack. The users then click on a malicious link, infecting their computer.
Example of Deceptive Phishing- Users were sent emails that came from the address
[email protected] and had “Apple Support” in the sender information. The message
claimed that the victim’s Apple ID had been blocked. They were then prompted to validate
their accounts by entering information the hacker would use to crack it.

 Website Spoofing- With website spoofing, a hacker creates a fake website that looks
legitimate. When you use the site to log in to an account, your info is collected by
the attacker.
Example of Website Spoofing- Hackers made a fake Amazon website that looked nearly
identical to the real Amazon.com but had a different Uniform Resource Locator (URL). All
other details, including fonts and images, looked legitimate. Attackers were hoping that
users would put in their username and password.

 Domain Spoofing- Domain spoofing, also referred to as DNS spoofing, is when a

hacker imitates the domain of a company—either using email or a fake website—to
lure people into entering sensitive information. To prevent domain spoofing, you
should double-check the source of every link and email.
Example of Domain Spoofing
An attacker would execute a domain spoofing attack by creating a fraudulent domain made
to look like a real LinkedIn site, for example. When users go to the site and enter any
information, it is sent straight to hackers who could use it or sell it to someone else.

#MALWARE BASED PHISHING -

Email Attachments
You get an email that looks like it’s coming from a well-known company, a charity organization,

government, or someone you know ( like your friends, relatives, boss, neighbors, colleagues, vendors,

etc.). Hackers try to sound as genuine as possible. They attach malware in email attachments such as 

PDF files, Microsoft Office files, folders, images, etc. When you download such an attachment, the

malware gets installed on your device.

Password Protected Attachments

Hackers send you attachments that are password protected and provide the password for
you to access them. As these attachments are coming from a person/entity you trust, you
would be tempted to open them. You may be wondering why the document is password
protected—that’s a sneaky little trick to get the attachment past virus scanners on email
servers. They encrypt and password-protect the document so the virus scanner can’t see
what’s inside it!
Use of Social Media
For malware-based phishing, hackers use social media as well. They hack a person’s social
media profile and send a malware-infected attachment to the victim’s contact list. It is
understandable that if you receive a private message from your friend, relative, or
colleagues, you are going to take it seriously and open it.
Trojan Horse
Sometimes hackers make a malicious program which is known as a trojan horse and use
phishing techniques to deliver it. The minus point for trojans is that they can’t work until
users download and install them and also provide them all the necessary permissions.
Trojans can’t automatically get installed and corrupt the system like viruses.
SMS Phishing
Just like emails, hackers use SMS to distribute malware. You think the SMS is coming from a
legit company or person, but when you click on the given link or attachment, the malware
gets installed on your phone.

CROSS-SITE SCRIPTING
Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker
to compromise the interactions that users have with a vulnerable application. It allows an
attacker to circumvent the same origin policy, which is designed to segregate different
websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to
masquerade as a victim user, to carry out any actions that the user is able to perform, and
to access any of the user's data. If the victim user has privileged access within the
application, then the attacker might be able to gain full control over all of the application's
functionality and data.
WORKING- Cross-site scripting works by manipulating a vulnerable web site so that it
returns malicious JavaScript to users. When the malicious code executes inside a victim's
browser, the attacker can fully compromise their interaction with the application.
There are three main types of XSS attacks. These are:
 Reflected XSS, where the malicious script comes from the current HTTP request.
 Stored XSS, where the malicious script comes from the website's database.
 DOM-based XSS, where the vulnerability exists in client-side code rather than server-
side code.

SQL injection (SQLi)

SQL injection (SQLi) is a cyberattack that injects malicious SQL code into an
application, allowing the attacker to view or modify a database. According to the
Open Web Application Security Project, injection attacks, which include SQL
injections, were the third most serious web application security risk in 2021 . In
the applications they tested, there were 274,000 occurrences of injection.
To protect against SQL injection attacks, it is essential to understand what their
impact is and how they happen so you can follow best practices, test for
vulnerabilities, and consider investing in software that actively prevents attacks.

Consequences of a Successful SQL Injection Attack

SQL injection attacks can have a significant negative impact on an organization.

Organizations have access to sensitive company data and private customer
information, and SQL injection attacks often target that confidential information.
When a malicious user successfully completes an SQL injection attack, it can
have any of the following impacts:

 Exposes Sensitive Company Data: Using SQL injection, attackers can

retrieve and alter data, which risks exposing sensitive company data stored
on the SQL server.
 Compromise Users’ Privacy: Depending on the data stored on the SQL
server, an attack can expose private user data, such as credit card numbers.
 Give an attacker administrative access to your system: If a database user
has administrative privileges, an attacker can gain access to the system using
malicious code. To protect against this kind of vulnerability, create a database
user with the least possible privileges.
 Give an Attacker General Access to Your System: If you use weak SQL
commands to check user names and passwords, an attacker could gain
access to your system without knowing a user’s credentials. With general
access to your system, an attacker can cause additional damage accessing
and manipulating sensitive information.
 Compromise the Integrity of Your Data: Using SQL injection, attackers can
make changes to or delete information from your system.

Distributed Denial of Service (DDoS)

Distributed Network Attacks are often referred to as Distributed Denial of Service (DDoS)
attacks. This type of attack takes advantage of the specific capacity limits that apply to any
network resources – such as the infrastructure that enables a company’s website. The DDoS
attack will send multiple requests to the attacked web resource – with the aim of exceeding
the website’s capacity to handle multiple requests… and prevent the website from
functioning correctly.
Typical targets for DDoS attacks include:
 Internet shopping sites
 Online casinos
 Any business or organisation that depends on providing online services
How a DDoS attack works
Network resources – such as web servers – have a finite limit to the number of requests that
they can service simultaneously. In addition to the capacity limit of the server, the channel
that connects the server to the Internet will also have a finite bandwidth / capacity.
Whenever the number of requests exceeds the capacity limits of any component of the
infrastructure, the level of service is likely to suffer in one of the following ways:
 The response to requests will be much slower than normal.
 Some – or all – users’ requests may be totally ignored.
Usually, the attacker’s ultimate aim is the total prevention of the web resource’s normal
functioning – a total ‘denial of service’. The attacker may also request payment for stopping
the attack. In some cases, a DDoS attack may even be an attempt to discredit or damage a
competitor’s business.

SMURF ATTACK
A Smurf attack is a distributed denial-of-service (DDoS) attack in which an attacker floods a
victim’s server with spoofed Internet Protocol (IP) and Internet Control Message Protocol
(ICMP) packets. As a result, the target’s system is rendered inoperable. This type of attack
gets its name from a DDoS. Smurf malware tool that was widely used in the 1990s. The small
ICMP packet generated by the malware tool can cause significant damage to a victim’s
system, hence the name Smurf.
How Does a Smurf Attack Work?
Smurf attacks are similar to a form of denial-of-service (DoS) attacks called ping floods, since
they’re accomplished by flooding a victim’s computer with ICMP Echo Requests. The steps in
a Smurf attack are as follows:
1. Attacker locates the target’s IP address: An attacker identifies the target victim’s IP
address.
2. Attacker creates spoofed data packet: Smurf malware is used to create a spoofed
data packet, or ICMP Echo Request, that has its source address set to the real IP
address of the victim.
3. Attacker sends ICMP Echo Requests: The attacker deploys ICMP Echo Requests to
the victim’s network, causing all connected devices within the network to respond to
the ping via ICMP Echo Reply packets.
4. Victim is flooded with ICMP replies: The victim then receives a flood of ICMP Echo
Reply packets, resulting in a denial-of-service to legitimate traffic.
5. Victim’s server becomes overloaded: With enough ICMP Reply packets forwarded,
the victim’s server is overloaded and potentially rendered inoperable.
Buffer Overflow Attack - A buffer is a temporary area for data storage. When more data
(than was originally allocated to be stored) gets placed by a program or system process, the
extra data overflows. It causes some of that data to leak out into other buffers, which can
corrupt or overwrite whatever data they were holding.
In a buffer-overflow attack, the extra data sometimes holds specific instructions for actions
intended by a hacker or malicious user; for example, the data could trigger a response that
damages files, changes data or unveils private information.
Attacker would use a buffer-overflow exploit to take advantage of a program that is waiting
on a user’s input. There are two types of buffer overflows: stack-based and heap-based.
Heap-based, which are difficult to execute and the least common of the two, attack an
application by flooding the memory space reserved for a program. Stack-based buffer
overflows, which are more common among attackers, exploit applications and programs by
using what is known as a stack memory space used to store user input.

PING OF DEATH ATTACK

A Ping of Death (PoD) attack is a form of DDoS attack in which an attacker sends the
recipient device simple ping requests as fragmented IP packets that are oversized or
malformed. These packets do not adhere to the IP packet format when reassembled,
leading to heap/memory errors and system crashes.
Internet Control Message Protocol (ICMP) ping requests are used to check for connectivity
and the health of networking devices. In a legitimate ICMP ping, the recipient device replies
to an ICMP echo request. The response indicates the health of the recipient. Sending a ping
request with a header larger than 65,535 bytes violates the Internet Protocol.
How does a Ping of Death Attack work?
Once the ping request (with its fragmented IP packets) is reassembled by the recipient
device, it may result in an IP request size exceeding 65,535 bytes which can lead to system
crashes. The crashes are caused by heap/memory errors due to overflow of buffers
allocated to reassemble the IP headers and body.
Although PoD is a legacy DDoS attack and ICMP flood attacks are more commonly used, PoD
can still impact unpatched systems. Vulnerabilities to PoD have been uncovered as recently
as 2018 in Apple devices which were using an unpatched XNU kernel. This resulted in heap
overflows and made them susceptible to remote execution of code.

TEARDROP ATTACK
A teardrop attack is a type of denial-of-service (DoS) attack (an attack that attempts to make
a computer resource unavailable by flooding a network or server with requests and data.)
The attacker sends fragmented packets to the target server, and in some cases where
there’s a TCP/IP vulnerability, the server is unable to reassemble the packet, causing
overload.
TCP/IP implementations differ slightly from platform to platform. Some operating systems—
especially older versions of Windows and Linux— contain a TCP/IP fragmentation
reassembly bug. Teardrop attacks are designed to exploit this weakness. In a teardrop
attack, the client sends an intentionally fragmented information packet to a target device.
Since the packets overlap, an error occurs when the device tries to reassemble the packet.
The attack takes advantage of that error to cause a fatal crash in the operating system or
application that handles the packet.

What is a SYN Attack?

SYN flood attack, also known as the half-open attack, is a protocol attack, which exploits the
vulnerabilities in the network communication to make the victim’s server unavailable to
legitimate requests. By consuming all the server resources, this type of attack can bring
down even high-capacity components capable of handling millions of connections.
How Does the SYN Flood Attack Work?
As SYN flood DDoS attacks exploit TCP three-way handshake connection and its limitation in
handling half-open connections, let’s begin with how normal TCP handshake mechanism
works and proceed to how SYN attack disturbs the connection.
 When a client system wants to start a TCP connection, it sends the SYN (synchronize)
message as a request to the server.
 The server responds to this request by sending SYN-ACK to the client.
 Then, the client answers the SYN-ACK with an ACK to the server. After completion of
this sequence of packets sending and receiving, the TCP connection is open for
communication.

In the SYN flooding attack, the hacker, pretending as a client, sends the TCP SYN connection
requests at a higher rate than the victim machine can process. It is a kind of resource
exhausting DoS attack. The hackers can do the SYN flood attack in three different ways:
1.     Direct SYN Flood Attack
In this method, the hacker initiates the attack using his own IP address. He sends multiple
SYN requests to the server. However, when the server responds with SYN-ACK, as an
acknowledgment, he doesn’t respond with ACK but keeps sending the new SYN request to
the victim server.
While the server waits for ACK, the arrival of SYN packets preserves the Server resources
with a half-open connection session for a certain time, which eventually makes the server
unable to operate normally and deny the requests from the legitimate client.

In this direct attack method, to ensure the SYN/ACK packets are ignored, the hacker
configures the firewall accordingly or restricts the traffic to outgoing SYN requests. Since the
hackers use their own IP addresses, the attackers are more vulnerable to detect. This attack
is rarely used.
 
2.     SYN Spoofed Attack
As an alternative to avoid being detected, the malicious attack sends the SYN packets from
spoofed/forged IP addresses. Upon receiving the SYN request, the server sends the SYN-ACK
to the forged IP address and waits for a response. Since the spoofed source didn’t send the
packets, they don’t respond.
For this kind of SYN flood attack, the attackers choose the IP addresses, which are not in use,
which ensures the system never responds back to the SYN-ACK response.
3.     DDoS (Distributed Denial of Service) SYN attack
In this variant of SYN flood attack, the victim server receives SYN packets simultaneously
from several infected computers under the control of the attacker. This combination of
hijacked machines is called a botnet.

SESSION HIJACKING
Session hijacking is a technique used by hackers to gain access to a target’s computer or
online accounts. In a session hijacking attack, a hacker takes control of a user’s browsing
session to gain access to their personal information and passwords. This article will explain
what session hijacking is, how it works, and how to prevent it from happening.
How Does Session Hijacking Work?
A session hijacker can take control of a user’s session in several ways. One common method
is to use a packet sniffer to intercept the communication between the user and the server,
which allows the hacker to see what information is being sent and received. They can then
use this information to log in to the account or access sensitive data.
Session hijacking can also be performed by deploying malware to infect the user’s
computer. This gives the hacker direct access to the machine, enabling them to then hijack
any active sessions.

SPOOFING VS HIJACKING
In spoofing hackers’ main goal is to win the trust of the target (Victim) by convincing him
that they are interacting with a trusted source. After winning trust, hackers can easily enter
the target system, spread the malicious code of the malware, and steal useful information
such as passwords, PINs, etc., that the target stores in the system. In spoofing, the hacker’s
main objective is to psychologically manipulate the target and win their trust. For example,
hackers create a clone of a banking website that completely appears to be legal but when
the target enters sensitive information then the whole information is sent to the hacker,
which the hacker can use for their own benefit or for other purposes.
In Hijacking, a hacker can take complete control of a target computer system or hijack a
network connection. Once hijacked, the hacker can take control of the target user’s
computer system and even easily read and modify the transmitted data or messages. In
hijacking, the main goal of a hacker is to take control of a target computer system or
network connection to steal information without getting known to the target that they are
getting hacked or hijacked. For example, hackers take all the control of the target Computer
System and use its camera to gather sensitive information and spy.

Topics to
Discuss  Spoofing Hijacking

The main objective of hackers in hijacking is to

The main objective of hacker in
take control over the target computer system
spoofing is to psychologically
Objective or network connections to steal information
manipulate the target and win
without getting known to the target that they
their trust by convincing him.
are getting hacked or hijacked.

hacker technical Knowledge is

Requirement required but coding is not that Technical Knowledge and Coding are Required.
much important.

Malicious software may or may not be required

Software The Malicious software needs
to download on the victim’s computer. As
to be downloaded to the
Requirements Hackers, , other security suites do different
victim’s computer.
types of attacks for hijacking.

Types Browser hijacking, session hijacking, domain

IP Spoofing, Email Spoofing,
hijacking, domain name system (DNS) hijacking,
Topics to
Discuss  Spoofing Hijacking

Internet Protocol (IP) hijacking, page hijacking

URL Spoofing etc.
etc.

TCP/IP Hijacking:
TCP/IP hijacking is a man-in-the-middle network attack. This is a network attack where an
authorized user can gain access to another user’s or client’s authorized network connection.
After hijacking a TCP/IP session, an attacker is able to easily read and modify the transferred
packets and the hacker is also able to send its own requests to the user. For TCP/IP
hijacking, attackers use DOS attacks and IP spoofing.
TCP/IP Hijacking Process:
The first major goal of an attacker is to obtain the IPs of two devices that communicate
using the same network or connection. To do this, the attacker monitors the data
transmission on the network until the IP of the device is obtained.
After successfully grabbing the user IP. Hackers can easily attack the connection.
In order to gain access to the connection, the hacker put down the connection of another
user through a DOS attack, and the user’s connection waits for reconnection.
By spoofing the disconnected user’s IP, hackers can easily restore communication.

CAPTCHA
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is
a type of security measure known as challenge-response authentication. CAPTCHA helps
protect you from spam and password decryption by asking you to complete a simple test
that proves you are human and not a computer trying to break into a password protected
account.
A CAPTCHA test is made up of two simple parts: a randomly generated sequence of letters
and/or numbers that appear as a distorted image, and a text box. To pass a the test and
prove your human identity, simply type the characters you see in the image into the text
box.
Working of Captcha :
Quite simply, CAPTCHA works by asking end users to perform some task that a
software bot cannot do. If the user can do the task correctly, it provides authentication to
the service that the user is a human being and not a spambot and allows the user to
continue.
Tests often involve JPEG or GIF images because while bots can identify the existence of an
image by reading source code, they cannot tell what the image depicts.
Because some CAPTCHA images are difficult to interpret, human users are usually given the
option to request a new CAPTCHA test.