RE: On classifying attacks

From: Forte Systems - Iosif Peterfi (toto_at_fortesys.ro)
Date: 07/29/05

    To: "'Crispin Cowan'" <crispin@novell.com>, "'Technica Forensis'" <forensis.technica@gmail.com>
    Date: Fri, 29 Jul 2005 10:33:35 +0300
    
    

    Ok, so let's split them like this:

    1. Simple
      1.1 Remote
      1.2 Local
    2. Compound
      2.1 Social engineered
      2.2 Technical
      2.3 Local

    remote with no victim intervention - "Simple remote attack"

    logged in with a valid local account (shell access), no victim intervention (no
    remote attack involved) - "Simple local attack".

    remote with victim intervention - "Compound social engineered attacks", also
    called "Stupid attack" :D

    remote with tiny victim intervention (like reading the e-mail body, without
    running any script/executable) to trigger the attack - "Compound technical
    attack".

    logged in with a valid local account (shell access), with victim intervention
    - "Compound local attack".

    Uhm.. suppose somebody attacks a webserver with a remote exploit. If it is
    successful, in the "worst" case he gets a shell of the httpd user. Then he
    uses a vulnerability in the kernel to obtain root privilege. The attacks
    are one simple remote and one simple local.

    If say .. the kernel vuln needed a restart .. and the victim (not the hacker)
    restarts the server... that makes the attacks .. one simple remote and one
    "compound local attack".

    Basically, compound attacks need the victim's intervention. If the victim is
    the same person as the hacker.. there are only simple attacks :D. But there are
    always two people involved. If the victim does anything to make the attack
    possible.. even touching one key .. that attack is compound.

    Let's see .. if you download a trojaned sshd binary and execute
    it .. it is compound because .. err .. you're the victim. If you download it
    and execute it on your friend's computer ... it is simple .. because he didn't
    do anything to make the attack possible...

    If you e-mail it to your friend - and type in the body: "DO NOT OPEN THIS
    IS A VIRUS!" - it is "compound social engineered". If you craft a special email
    which exploits Outlook and runs it, it is "compound technical".

    Phtiu!
    Does this make sense to anyone?!

    -----Original Message-----
    From: Crispin Cowan [mailto:crispin@novell.com]
    Sent: Sunday, July 24, 2005 2:47 PM
    To: Technica Forensis
    Cc: Black, Michael; James Longstreet; Derek Martin;
    bugtraq@securityfocus.com
    Subject: Re: On classifying attacks

    Technica Forensis wrote:
    > This really depends on the situation. Say I write an exploit that
    > when run as a user spawns a listening ssh service with root priv. I
    > get on the system however I do, download this file and exec it. I
    > think everyone would agree that is a local exploit.
    > I send that same file as an email attachment to some dolt and peer
    > pressure him into running it. Just because I downloaded the file by
    > emailing it to said dolt doesn't change the exploit from local to
    > remote. It potentially changes it from 'exploit' to trojan, but it is
    > still being executed locally.
    >
    That sounds like a compound attack with 2 stages:

        * a social engineering attack to get the victim to run the code
              o can be very simple like "please run this code"
              o can be very sophisticated, like phishing attacks carefully
                crafted to resemble legitimate mail to get the user to click
                on something
        * a local attack that happens when you run the malware

    What makes this compound attack "remote" is that the social engineering
    attack is remote.

    This makes most common viruses compound remote/local attacks with a
    remote social engineering attack to somehow induce the user to run a
    local attack. The exception to this is e-mail viruses that require no
    social engineering because they can exploit some flaw in the preview
    pane or such like so that the user only has to browse the mail to run
    the malware.

    Crispin

    -- 
    Crispin Cowan, Ph.D.                      http://immunix.com/~crispin/
    Director of Software Engineering, Novell  http://novell.com
    -- 
    This message was scanned for spam and viruses by BitDefender.
    For more information please visit http://linux.bitdefender.com/
