Malicious Activity and Code

The Latin root word “mal” means, simply, “bad”. Malicious activity is thus characterized by the intent to do harm. In hacking, that harm might take the form of the theft of money, property, or reputation. It may also simply amount to sabotage for its own sake or to serve some other cause. Because so many vital systems are now digitized, interconnected, and online, hackers have the potential to do damage on small and large scales.

Denial-of-Service Attacks

When we see somebody on the street, whether friend or stranger, that we wish to speak to, we typically don’t just walk up to them and begin speaking about whatever topic is on our mind. The general protocol for human communication is to first execute some sort of greeting. One might say “hello” (or some variant) and say the person’s name, and perhaps give a quick handshake; then, when the other party responds, the conversation begins. The same sort of procedure is expected when initiating a telephone call, in which case it serves more of a practical purpose because both participants in the conversation generally want to be sure that they know with whom they are speaking. The first few words in the conversation serve to acknowledge the identity of both parties. This protocol is also used in computer network communications. Rather than simply blasting out requests, commands, or data haphazardly, one node in a network will attempt to first acknowledge the presence and readiness of the node with which it is attempting to communicate.


In normal network conversation, typically through the TCP protocol, a three-way handshake procedure is expected to occur. During this handshake, a synchronization (SYN) packet is first sent from the initiator of the conversation to the receiver. This packet contains the IP address of the sender, and a flag within the packet indicates to the receiver that it is indeed a SYN packet. If the SYN packet is successfully delivered, and the recipient is ready for communication, it will send an acknowledgment (ACK) packet back to the sender containing its own IP address as well as a flag indicating that it is an ACK packet. Finally, the original sender will send an ACK packet to the recipient, and then normal communication can commence. Sometimes, packets are lost in delivery between network nodes for one reason or another. This can occur because of high traffic, because of malfunctions in the network hardware, because of electrical or electromagnetic interference, and for other reasons. Therefore, if a sender does not receive an ACK packet from the intended recipient within a prescribed period of time, it will send out another synchronization request. Likewise, a recipient will continue to transmit an ACK packet indefinitely until it receives an acknowledgment from the original sender. A normal handshake, without the interruptions that result from lost packets, is summarized as follows:

1) Sender: SYN → Recipient

2) Recipient: ACK → Sender

3) Sender: ACK → Recipient

4) Sender ⇄ Recipient

Any given network node only has the capacity to communicate with a finite number of other nodes. When a hacker is able to disrupt the handshake process by causing the repeated transmission of SYN and ACK packets, legitimate communication can be significantly slowed down or even stopped entirely. This type of attack is known as a denial-of-service (DoS) attack.

Basic DoS

The essential idea behind a denial-of-service attack is to forge the flags within an IP packet header in order to trick a server into transmitting repeated ACK requests. The simplest way to do this is to disrupt the traditional handshake process between steps two and three above. When the recipient sends an ACK request back to the original sender, it is expecting another ACK packet in return so that communication can commence. However, if the sender responds with another SYN request, the recipient is forced to respond with another ACK packet. If this back-and-forth continues, it ties up network resources and ports on the server machine. The situation is analogous to a “knock-knock” joke that never ends (“knock-knock”, “who’s there?”, “knock-knock”, “who’s there?”, “knock-knock”, “who’s there?”, etc.). This type of simple DoS attack is known as SYN flooding. There are multiple methods of executing a DoS attack, most of which take advantage of vulnerabilities within the TCP/IP protocol itself.
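The resource exhaustion described above can be made concrete with a small model of a listening socket whose table of half-open connections has a fixed capacity. This is an added illustration, not code from the chapter: the peer names, backlog size and timeout are constructed, and the second handshake message that the text calls an ACK is TCP’s SYN-ACK. It also shows the standard mitigation of expiring half-open entries after a timeout, so that a legitimate client can connect once the flood stops.

```python
"""Added illustration of TCP backlog exhaustion by SYN flooding; this is not
code from the chapter. TCP's second handshake message is a SYN-ACK (the text
above calls it an ACK). Time is a simulated float in seconds."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    """A listening socket with a finite table of half-open connections."""
    backlog: int          # capacity for SYN-received, not-yet-ACKed peers
    timeout: float        # seconds before a stale half-open entry is reaped
    half_open: dict = field(default_factory=dict)  # peer -> time SYN arrived
    established: set = field(default_factory=set)
    dropped: int = 0      # SYNs refused because the table was full

    def reap(self, now: float) -> None:
        """Mitigation: expire half-open entries older than the timeout."""
        for peer in [p for p, t in self.half_open.items() if now - t >= self.timeout]:
            del self.half_open[peer]

    def on_syn(self, peer: str, now: float) -> bool:
        """Steps 1-2: reserve a slot and answer SYN-ACK; False if the table is full."""
        self.reap(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[peer] = now
        return True

    def on_ack(self, peer: str) -> bool:
        """Step 3: the peer's ACK promotes the entry to an established connection."""
        if peer not in self.half_open:
            return False
        del self.half_open[peer]
        self.established.add(peer)
        return True


def simulate(backlog: int, timeout: float, flood: int) -> dict:
    """Constructed scenario: `flood` spoofed SYNs never send step 3, so each
    one pins a slot until reaped; a legitimate client then tries to connect."""
    srv = Listener(backlog, timeout)
    for i in range(flood):
        srv.on_syn(f"spoofed-{i}", now=0.0)       # no ACK will ever follow
    during = srv.on_syn("legit", now=1.0) and srv.on_ack("legit")
    after = srv.on_syn("legit", now=timeout + 1.0) and srv.on_ack("legit")
    return {"legit_during_flood": during, "legit_after_timeout": after,
            "syns_dropped": srv.dropped, "half_open_peak": min(flood, backlog)}
```

A spike in half-open entries relative to completed handshakes is the signal a defender watches for; real kernels add further protections such as SYN cookies, which this model omits.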

Distributed DoS

A distributed denial-of-service (DDoS) attack is one in which a hacker or a group of hackers is able to execute a coordinated DoS attack from a large number of machines. Working together, the machines transmitting the attack packets can simply overwhelm a target system to the point where the server is unreachable by legitimate users, or so slow in response to user requests that it is virtually unusable. In most cases, the machines that are transmitting the attack-related packets are not even in the possession of the hackers that are executing the attack. When hackers are preparing for a large DDoS attack, they implant malicious code on as many machines as possible that belong to users who are not knowing participants in the attack. Often, these machines are spread out over a large geographic area and multiple networks, sometimes even worldwide, making it difficult for authorities or the security personnel of a victimized system to cut off the attack.

Malware

The word malware is a portmanteau describing malicious software. The term covers many different kinds of software that might be implanted on a target machine by hackers to either cause damage or seize control of all or a part of the target. Malware is a widespread and serious problem throughout the internet. There are myriad ways in which malware can behave once activated on a host machine. Some are designed to spread themselves to other machines, and others remain covertly on a host machine to either gather confidential information for the hacker, tie up computer resources, or cause damage to the system. Sometimes malware is placed on a machine in order to later control that machine for use in attacks, such as DDoS, in coordination with other machines that have been taken over en masse.

Viruses

Viruses are the oldest and most commonly known type of malware. Like their biological namesakes, viruses are designed to spread from machine to machine, infecting large numbers of users, and sometimes entire self-contained networks, in the process. These malicious devices are segments of code that attach themselves (just like biological viruses) to other programs that have otherwise legitimate purposes. When the legitimate program is activated by an unsuspecting user, the virus code is executed and can run without ever being noticed. When a virus is activated, it makes a copy of itself and attempts to attach itself to other legitimate programs within the system or domain to which it has access. This allows the virus to spread throughout an individual node and also to other nodes on the network. A virus is not usually written by a hacker to simply spread itself around, however. Typically, the hacker has a specific task in mind for the virus to complete when it reaches its destination.

Since it is designed to remain hidden, a virus can perform any number of actions on its host machine. It can collect personal and financial information and covertly use the computer’s own communications capabilities to relay the information back to the hacker. Other viruses are designed to delete information or cause disruptions in a computer’s operation or communication. A virus can even be written to cause physical damage to a computer system. For example, one particular virus that was widespread in the 1990s was designed to cause the motor-controlled armature on the host’s optical hard drive to rapidly move back and forth until the motor failed. This sort of virus can do a great deal of damage to computer-controlled machinery that has network connectivity.

Worms

Worms are similar to viruses in that they are designed to replicate and spread throughout a system or network. However, since viruses are part of larger programs, they must be downloaded by the user and their host program must be launched before the malicious code can be executed. Conversely, a worm is its own self-contained program. Worms also differ from viruses in that they do not require a user to open another program in order for them to execute. Once a worm infects a machine, it can replicate itself and then spread to another system through the network.

Rather than causing damage or gaining access to systems, the purpose of a worm is normally to consume system and network resources in order to slow down or halt that system’s operation by occupying memory and network bandwidth. Occasionally, a worm may be used to gather information as well.

Beware of “Geeks” Bearing Gifts

Legend has it that the epic war between the Achaeans (ancient Greeks) and the Trojans ended when the crafty hero Odysseus fashioned a giant wooden horse and left it at the gates of Troy as an apparent offering to the city. Unbeknownst to the grateful Trojans, who wheeled the large gift into their city and behind their notoriously secure walls, there was a contingent of Greek soldiers hiding inside the hollow belly of the horse. The soldiers emerged that night under cover of darkness to open the gates for the rest of the Achaean army, who entered and subsequently sacked the city. For thousands of years, whether true or not, this story has served as a cautionary tale, reminding us to be vigilant and that sometimes things which might seem harmless or innocent can lead to our downfall. In computer hacking, a Trojan horse is a piece of malware that appears to be legitimate or desirable software. It may even function normally in whatever purpose for which the user downloaded it. The typical purpose of a Trojan horse, often just called a “Trojan”, is to give a hacker remote access and control of the target system. Any malware that is written to give a hacker surreptitious control over the processes of a user’s machine is known as a rootkit.

Viruses, worms, and Trojans, as well as the various payloads that they deliver to target systems, take a good deal of programming skill to create successfully. Computer security professionals, as well as antimalware products, focus a great deal of effort on thwarting these malicious programs. Hackers that deal in malware are constantly honing their skills, and their creations are evolving in complexity.