Ok, so let's split them like this:

1. Simple
   1.1 Remote
   1.2 Local
2. Compound
   2.1 Social engineered
   2.2 Technical
   2.3 Local

- remote with no victim intervention - "Simple remote attack"
- logged in with a valid local account (shell access), no victim intervention (no remote attack involved) - "Simple local attack"
- remote with victim intervention - "Compound social engineered attack", also called "Stupid attack" :D
- remote with tiny victim intervention (like reading the e-mail body, without running any script/executable) to trigger the attack - "Compound technical attack"
- logged in with a valid local account (shell access), with victim intervention - "Compound local attack"

Uhm.. suppose somebody attacks a webserver with a remote exploit. If it is successful, in the "worst" case he gets a shell as the httpd user. Then he uses a vulnerability in the kernel to obtain root privilege. The attacks are one simple remote and one simple local. If, say, the kernel vuln needed a restart, and the victim (not the hacker) restarts the server, that makes the attacks one simple remote and one "compound local attack".

Basically, compound attacks need the victim's intervention. If the victim is the same person as the hacker, there are only simple attacks :D. But there are always two people involved. If the victim does anything to make the attack possible, even touching one key, that attack is compound.

Let's see.. if you download a trojaned sshd binary and execute it, it is compound because.. err.. you're the victim. If you download it and execute it on your friend's computer, it is simple, because he didn't do anything to make the attack possible. If you e-mail it to your friend and type in the body "DO NOT OPEN THIS IS A VIRUS!", it is "compound social engineered". If you craft a special email which exploits Outlook and runs it, it is "compound technical".

Phtiu! Does this make sense to anyone?!
-----Original Message-----
From: Crispin Cowan [mailto:crispin@xxxxxxxxxx]
Sent: Sunday, July 24, 2005 2:47 PM
To: Technica Forensis
Cc: Black, Michael; James Longstreet; Derek Martin; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: On classifying attacks

Technica Forensis wrote:
> This really depends on the situation. Say I write an exploit that
> when run as a user spawns a listening ssh service with root priv. I
> get on the system however I do, download this file and exec it. I
> think everyone would agree that is a local exploit.
> I send that same file as an email attachment to some dolt and peer
> pressure him into running it. Just because I downloaded the file by
> emailing it to said dolt doesn't change the exploit from local to
> remote. It potentially changes it from 'exploit' to trojan, but it is
> still being executed locally.
>
That sounds like a compound attack with 2 stages:

* a social engineering attack to get the victim to run the code
  o can be very simple like "please run this code"
  o can be very sophisticated, like phishing attacks carefully crafted to resemble legitimate mail to get the user to click on something
* a local attack that happens when you run the malware

What makes this compound attack "remote" is that the social engineering attack is remote. This makes most common viruses compound remote/local attacks with a remote social engineering attack to somehow induce the user to run a local attack. The exception to this is e-mail viruses that require no social engineering because they can exploit some flaw in the preview pane or such like so that the user only has to browse the mail to run the malware.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Director of Software Engineering, Novell http://novell.com

--
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/