Lab 8 Summary - ECE Users Pages

Lab 8 Summary
Worms, Viruses, WEP
Group 15
Matt Peter
Pranav Sawjiany
Group 17
Neha Jain
Ayaz Lalani
Outline

• Worms
  • SQL Slammer: SPOC worm
  • Real World worm: AnnaKournikova
• Viruses
• Worm Generator
• Wireless Security
  • Wired Equivalent Privacy (WEP)
  • Aircrack
Worms
“A computer worm is a self-replicating computer
program that propagates copies of itself via a
network. A worm is self-contained and does not
need to be part of another program to propagate
itself. They are often designed to exploit the file
transmission capabilities found on many computers.
A worm uses a network to send copies of itself to
other systems and it does so without any
intervention. Worms harm the network and consume
bandwidth.” - Wikipedia
Worms

SPOC Worm
• Uses “vuln_service”
• Opens a TCP socket on port 3333
• Propagates using a buffer overflow vulnerability
• Infected machine begins scanning the network
Worms

How do you detect the presence of such worms?
• CPU usage jumps to nearly 100%
• Run a honeypot using a dummy service
• Network analyzer / antivirus / firewall

How could the worm bypass detection?
• Use a “common port” such as port 80

What is the growth rate of the SPOC worm given a network with many copies of the vulnerable service running?
• Exponential!
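To show what “Exponential!” looks like in numbers, here is an added model, my code rather than anything from the lab: a random-scanning worm like SPOC, where every infected host probes random addresses each tick. The address space (a /16), the number of vulnerable services and the probe rate are assumed values chosen for illustration; the recurrence is the standard SI epidemic model.

```c
#include <stdio.h>

/* Discrete-time SI model of a random-scanning worm (my model, not the
 * lab's). Each infected host sends `probes` probes per tick to random
 * addresses; a probe lands on a still-clean vulnerable host with
 * probability (vulnerable - infected) / space. Fills trace[0..ticks]
 * with the expected infected count per tick and returns the first tick
 * at which at least half of the vulnerable hosts are infected. */
int simulate_worm(double space, double vulnerable, double probes,
                  int ticks, double *trace)
{
    double infected = 1.0;            /* patient zero */
    int half_tick = -1;
    trace[0] = infected;
    for (int t = 1; t <= ticks; t++) {
        double new_hits = probes * infected * (vulnerable - infected) / space;
        infected += new_hits;         /* while few hosts are infected this is
                                         a constant factor per tick: exponential */
        if (infected > vulnerable)
            infected = vulnerable;    /* nothing left to infect: saturation */
        trace[t] = infected;
        if (half_tick < 0 && infected >= vulnerable / 2.0)
            half_tick = t;
    }
    return half_tick;
}

/* Assumed scenario for the demo: a /16 of 65,536 addresses holding 1,000
 * copies of vuln_service, 100 probes per infected host per tick. */
double demo_infected_at(int t) { double tr[31]; simulate_worm(65536.0, 1000.0, 100.0, 30, tr); return tr[t]; }
int demo_half_tick(void)        { double tr[31]; return simulate_worm(65536.0, 1000.0, 100.0, 30, tr); }

int main(void)
{
    for (int t = 0; t <= 10; t++)
        printf("tick %2d: %7.1f infected\n", t, demo_infected_at(t));
    printf("half of the vulnerable hosts infected at tick %d\n", demo_half_tick());
    return 0;
}
```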
Worms

Rule for Snort that will detect the worm:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"vuln_serve Attempt"; sid:1000001; rev:1;)

What do you do if you are responsible for the server?
• Disconnect from the network
• Check the AIDE database
• Use a rootkit detection tool to detect the presence of any rootkits
Worms

// sockfd is a socket file descriptor to a client
void svcHandle(int sockfd)
{
    char userinput[BUFFER_SIZE];   /* fixed-size stack buffer, as implied by the bzero() below */
    ..
    bzero(userinput, BUFFER_SIZE);
    printf("1- Input:%s(%d)\n", userinput, strlen(userinput));
    printf("please input a 16 character string:\n");
    gets(userinput);               /* Vulnerability to buffer overflow!! gets() has no length limit */
    printf("2- Input:(%d)\n", strlen(userinput));
}

What’s the fix?
Use fgets and the buffer size
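As an added example (my code, not the lab's vuln_service), here is the bounded replacement for that gets() call: fgets() with the buffer size, plus handling of the over-long line that fgets() leaves unread. read_bounded() and check_hardening() are names I chose, and BUFFER_SIZE is assumed to be 16 from the prompt text.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 16   /* assumed: the lab's "16 character string" buffer */

/* Bounded replacement for the gets() call in svcHandle(): stores at most
 * size-1 characters, strips the newline, and drains the rest of an
 * over-long line so leftover bytes cannot be handed to the next read.
 * Returns characters stored, or -1 on EOF/error; sets *truncated when
 * input had to be discarded. (Function name and flag are mine.) */
int read_bounded(FILE *in, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';               /* whole line fit: drop the newline */
    } else {
        int c, dropped = 0;              /* no newline: the line was too long */
        while ((c = fgetc(in)) != EOF && c != '\n')
            dropped++;
        *truncated = dropped > 0;
    }
    return (int)len;
}

/* Constructed demo input: a 40-byte line (the kind that overflows gets())
 * followed by a short one. Returns 1 if the bounded reader keeps only 15
 * bytes, flags the truncation, then reads "short" cleanly, else 0. */
int check_hardening(void)
{
    char userinput[BUFFER_SIZE];
    int truncated, n, ok = 1;
    FILE *in = tmpfile();
    if (in == NULL) return 0;
    for (int i = 0; i < 40; i++) fputc('A', in);
    fputs("\nshort\n", in);
    rewind(in);
    n = read_bounded(in, userinput, sizeof userinput, &truncated);
    ok &= (n == BUFFER_SIZE - 1 && truncated == 1);
    n = read_bounded(in, userinput, sizeof userinput, &truncated);
    ok &= (n == 5 && strcmp(userinput, "short") == 0 && truncated == 0);
    n = read_bounded(in, userinput, sizeof userinput, &truncated);
    ok &= (n == -1);                     /* nothing left: EOF */
    fclose(in);
    return ok;
}
```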
AnnaKournikova Worm

• Pictures of Anna Kournikova are amongst the most popular on the internet
• Launches a viral Visual Basic Script that forwards itself to everybody in your Microsoft Outlook address book.
• On January 26th it connects to https://www.dynabyte.nl
• Clogs mail servers
Removal:
• Requires a system reboot to kill the running worm
• Removal of the e-mail message and its attachment
• Removal of the AnnaKournikova.jpg.vbs file in the windows directory
• Removal of the registry key: HKCU\software\OnTheFly\mailed
Defend Against Worms

• Close any unused network services
• Patch your system!
• Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected
• Scan each attachment for viruses and worms before opening
Viruses
“A virus is a self-replicating program that
spreads by inserting copies of itself into other
executable code or documents. A computer
virus behaves in a way similar to a biological
virus, which spreads by inserting itself into
living cells. Extending the analogy, the
insertion of a virus into the program is termed
as an "infection", and the infected file is called
a "host". Generally computer viruses cannot
directly damage hardware, but only software.”
- Wikipedia
Viruses

Vscr2.c

/* this is the new close() that replaces the one in the stdio.h
 * library, as can be seen it executes the virus functionality
 * before it closes the file
 */
int close(int fd)
{
    virfunc();          /* execute virus */
    return Close(fd);   /* close the file */
}

This exploit puts a hacked copy of stdio.h in /usr/local/include, which the compiler searches (if it exists) before the copy in /usr/include/stdio.h.
Viruses

test_virus.c

#include <stdio.h>

• References the stdio.h file in /usr/local/include
• Once test_virus.c is compiled it is affected
• Any new host that runs this file will be infected by the virus because of stdio.h
Viruses

Which source code is malicious, Vscr2.c or test_virus.c?
• Vscr2.c

Why is the second Linux machine infected by a virus?
• Propagated through test_virus

If you use a Linux machine, download the file test_virus, and run it, will your system be infected?
• Yes

How do you prevent computer viruses?
• Use software from trusted sources
• Test new/suspicious items on an isolated machine
• Employ and update virus detectors

What are some notable differences between worms and viruses in respect to how they infect a system?
• Virus: Requires human interaction to spread; damage can be severe
• Worms: Can travel without the help of a person; generally for annoyance
Worm Generator

Ssiwg.exe – Senna Spy Internet Worm Generator
• Outlook and network compatible
• Windows 95, 98, NT, 2000, XP
• Generates VB script code

Similarity to AnnaKournikova – How does it spread?
• Both use OUTLOOK to spread
• “CreateObject (“Outlook.application”)”

Prevention techniques:
• Scan your computer for viruses regularly!!
• Do not open unknown email attachments!!
802.11 Overview

IEEE 802.11 denotes a set of wireless standards defined by IEEE
• Most popular include 802.11a/b/g
• 802.11a is in the 5GHz band, b/g is in the 2.4GHz band
• 802.11i is intended to improve security
Wireless Network Security

• Service Set Identifier (SSID)
  • Need to turn off SSID broadcast
  • Most people keep it on default mode
• MAC address filtering
  • Allows only a set list of network cards to connect
  • Can be bypassed using MAC spoofing
• WEP - Wired Equivalent Privacy
Router Scan

• Use NmapFE to scan the router
• Determine the type of router
• The default login/password for a D-Link router is:
  • Login: admin
  • Password: blank (nothing)
• Advantage HACKER!!!
Unencrypted Traffic

• Used Ethereal to sniff unencrypted packets

Prevention?
• Difficult to detect the actual attacker
• Use secure protocols - SFTP, SSH
• VPN solution for a secure connection between two points

Disadvantage of leaving traffic unencrypted
• Information can be read and intercepted by any legitimate or illegitimate user on the network
MAC Address filtering

• Access allowed to trusted MAC addresses ONLY
• With MAC filtering the attacker cannot connect to the network
• However, this can be easily exploited using MAC spoofing
MAC Address filtering

• Used Kismet to see active MAC addresses on the network
  • Kismet works passively
  • Does not send any loggable packets
  • Detects wireless APs and wireless clients, and associates them to each other
  • Can sort the networks by the SSID
• Checked for the wireless_ece4112 network
MAC Address Spoofing

• Obtained MAC addresses from Kismet
• Changed the attacker's MAC & IP to gain access
• Why both?
  • Keeps MAC-IP pairing intact
  • Can bypass ArpWatch alarms
  • Perform Man-in-the-middle attacks
WEP

• Uses stream cipher RC4 for confidentiality
• Uses CRC-32 checksum for integrity
• Has 2 key sizes: 40 bit and 104 bit + (24 bit) IV
• The same traffic key must never be used twice
  • The purpose of an IV, which is transmitted as plaintext, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network.
• Two generic weaknesses:
  • WEP usage was optional
  • Relies on a single shared key
Breaking WEP

• Airodump collects packets
• Aircrack is used on the output file from Airodump
• It uses “interesting” IVs to break the WEP key
• ~88,000 unique IVs and Aircrack broke the key
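To put numbers on the 24-bit IV problem from the WEP slide and on the ~88,000 IVs captured here, this added example (my code, not from the lab or from the aircrack project) works the birthday bound for WEP's IV space: how many packets until an IV, and with it an RC4 keystream, is reused. It assumes IVs are drawn uniformly at random; the function and constant names are mine.

```c
#include <stdio.h>

#define WEP_IV_SPACE 16777216.0   /* 2^24 possible values of the 24-bit IV */

/* Probability that at least one IV repeats among n packets when every
 * packet's IV is drawn uniformly at random (the birthday bound), computed
 * exactly as 1 - prod_{i=1}^{n-1} (1 - i/N) so no libm is required. */
double iv_repeat_probability(unsigned long n)
{
    double no_repeat = 1.0;
    for (unsigned long i = 1; i < n; i++) {
        if ((double)i >= WEP_IV_SPACE)
            return 1.0;                /* more packets than IVs: certain */
        no_repeat *= 1.0 - (double)i / WEP_IV_SPACE;
    }
    return 1.0 - no_repeat;
}

/* Smallest number of packets at which the repeat probability reaches p. */
unsigned long packets_for_repeat_probability(double p)
{
    double no_repeat = 1.0;
    unsigned long n = 1;
    while (1.0 - no_repeat < p && (double)n < WEP_IV_SPACE) {
        no_repeat *= 1.0 - (double)n / WEP_IV_SPACE;
        n++;
    }
    return n;
}

/* Expected number of IV (hence RC4 keystream) reuses among n packets:
 * n(n-1)/(2N), the number of packet pairs times the chance a pair collides. */
double expected_iv_reuses(unsigned long n)
{
    return (double)n * (double)(n - 1) / (2.0 * WEP_IV_SPACE);
}

int main(void)
{
    printf("packets for a 50%% chance of at least one IV repeat: %lu\n",
           packets_for_repeat_probability(0.5));
    printf("expected IV reuses among ~88,000 captured packets: %.0f\n",
           expected_iv_reuses(88000));
    printf("P(at least one repeat) at 88,000 packets: %.6f\n",
           iv_repeat_probability(88000));
    return 0;
}
```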
Aircrack

Why is Aircrack so effective?
• Vulnerability in the security protocol itself
• Combines FMS with KoreK attacks
• Makes it the fastest and most effective attack

Preventing Aircrack attacks?
• Greater key lengths
  • Only stalls hackers for longer
• WPA
Fake Access Point

• The tool we used allowed us to set up our wireless card as an access point
• “Deauthenticated” a client from his AP
• Client connects to our fake AP
• By forging a web page we can potentially steal important login information
• This attack is very hard for the victim to realize until it is far too late

How can we prevent this?
• Verisign, SSL logos
• Check the URL to make sure it is what you expect