
RE: On classifying attacks



Ok, so let's split them like this:

1. Simple
  1.1 Remote
  1.2 Local
2. Compound
  2.1 Social engineered
  2.2 Technical
  2.3 Local


remote with no victim intervention - "Simple remote attack"

logged in with a valid local account (shell access), no victim intervention (no
remote attack involved) - "Simple local attack".

remote with victim intervention - "Compound social engineered attacks", also
called "Stupid attack" :D

remote with tiny victim intervention (like reading the e-mail body, without
running any script/executable) to trigger the attack - "Compound technical
attack".

logged in with a valid local account (shell access), with victim intervention
- "Compound local attack".


Uhm.. suppose somebody attacks a webserver with a remote exploit. If it is
successful, in the "worst" case he gets a shell of the httpd user. Then he
uses a vulnerability in the kernel to obtain root privilege. The attacks
are one simple remote and one simple local.

If, say .. the kernel vuln needed a restart .. and the victim (not the hacker)
restarts the server... that makes the attacks .. one simple remote and one
"compound local attack".

Basically, compound attacks need the victim's intervention. If the victim is
the same person as the hacker.. there are only simple attacks :D. But there are
always two people involved. If the victim does anything to make the attack
possible.. even touching one key .. that attack is compound.

Let's see .. if you download a trojaned sshd binary and execute
it .. it is compound because .. err .. you're the victim. If you download it
and execute it on your friend's computer ... it is simple .. because he didn't
do anything to make the attack possible...

If you e-mail it to your friend - and type in the body: "DO NOT OPEN THIS
IS A VIRUS!" - it is "compound social engineered". If you craft a special email
which exploits Outlook and runs it, it is "compound technical".

Phtiu !
Does this make sense to anyone ?!




-----Original Message-----
From: Crispin Cowan [mailto:crispin@xxxxxxxxxx] 
Sent: Sunday, July 24, 2005 2:47 PM
To: Technica Forensis
Cc: Black, Michael; James Longstreet; Derek Martin;
bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: On classifying attacks

Technica Forensis wrote:
> This really depends on the situation.  Say I write an exploit that
> when run as a user spawns a listening ssh service with root priv.  I
> get on the system however I do, download this file and exec it.  I
> think everyone would agree that is a local exploit.
> I send that same file as an email attachment to some dolt and peer
> pressure him into running it.  Just because I downloaded the file by
> emailing it to said dolt doesn't change the exploit from local to
> remote. It potentially changes it from 'exploit' to trojan, but it is
> still being executed locally.
>   
That sounds like a compound attack with 2 stages:

    * a social engineering attack to get the victim to run the code
          o can be very simple like "please run this code"
          o can be very sophisticated, like phishing attacks carefully
            crafted to resemble legitimate mail to get the user to click
            on something
    * a local attack that happens when you run the malware

What makes this compound attack "remote" is that the social engineering
attack is remote.

This makes most common viruses compound remote/local attacks with a
remote social engineering attack to somehow induce the user to run a
local attack. The exception to this is e-mail viruses that require no
social engineering because they can exploit some flaw in the preview
pane or such like so that the user only has to browse the mail to run
the malware.

Crispin
-- 
Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
Director of Software Engineering, Novell  http://novell.com



-- 
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/