Computer Networking Part 2

1
Computer Networking Part 2
When Good Computers Go Bad!
2
Overview

• Viruss
• Worms
• Script kiddies
• Denial of Service
• Logic bombs
• Hackers
• Crackers
• Trojans
• Back doors
• Zombies
• Spam
• Hoaxes/chain letters
• Phishing
• Adware
• Spyware

3

• To err is human to make real mess, you need a
  computer

4
The Joys of Computing in 2004

• 65,336 PC viruses discovered to date
• 4,129 IT vulnerabilities in 2002
  http//www.bullguard.com/antivirus/news_184.aspx
  
• 40 Critical Microsoft Vulnerabilities by Oct.
• Billions Reported in Damage Last Year Due to
  Viruses
• MSBlast Continues to Spread
• Sobig.C The Tip of the Iceberg
• IE users defenceless to trojan attack
• Broadband severely increases security risk

5
Virus

• Viruses being named after biological counterpart,
  are segments of code, that attach them selves to
  existing programs to perform some predetermined
  malicious activities.
• Always remember viruses are not stand alone
  programs. They need a host application or an
  operating system for activation. Once activated
  they search operating systems for other
  executable programs.
• Viruses dont infect data files in operating
  systems. Or do they???

6
Viruses

• Famous representatives
• Michelangelo
• In 1992, hysteria swept over the planet as the
  media proclaimed that on March 6 up to 1/4 of all
  hard drives would be completely erased
• Anti-virus software sales skyrocketed
• When March 6 came, the virus struck only about
  10,000 computers
• Author never caught!

Viruses, hackers and fraud Walking on the thin
ice of Internet security
McMenemy Seminars 12/3/2003 Evangelos Kotsovinos
7
Symptoms of Virus Attack

• Computer runs slower then usual
• Computer no longer boots up
• Screen sometimes flicker
• PC speaker beeps periodically
• System crashes for no reason
• Files/directories sometimes disappear

8
Worms

• What is a worm?

worm

• Arrives to the victims computer usually as an
  email attachment
• When executed, it searches the occupied computer
  for other potential victims addresses
• Attacks them by email/telnet/etc.
• Similar to viruses, but do not infect other files
  worms are stand-alone programs that spread
  through the network.
• Much like an Internet-era kind of viruses
• Usually depend more on user naivety

Computer 1
3
2
4
9
Worms

• Famous representatives
• Robert Morris (1988)
• Exploited debugging code in UNIX sendmail, caused
  over 6,000 Internet servers to become so busy
  that they were no longer able to be accessed by
  their legitimate users until reset
• Sentenced to three years of probation, 400 hours
  of community service, a fine of 10,050, and the
  costs of his supervision.
• The federal Computer Emergency Response Team
  formed in response.
• Now an assistant professor at MIT!

10
Macro

• Specific to certain applications
• Comprise a high percentage of the viruses
• Usually made in WordBasic and Visual Basic for
  Applications (VBA)
• Microsoft shipped Concept, the first macro
  virus, on a CD ROM called "Windows 95 Software
  Compatibility Test" in 1995

11
Macro

• Melissa
• requires WSL, Outlook or Outlook Express Word 97
  SR1 or Office 2000
• 105 lines of code (original variant)
• received either as an infected template or email
  attachment
• lowers computer defenses to future macro virus
  attacks
• may cause DoS
• infects template files with its own macro code
• 80 of of the 150 Fortune 1000 companies were
  affected

12
LoveLetter

• The I Love You Virus hit in May, 2000.
• It started with an innocent letter, appealing to
  lonely email readers (social engineering). The
  subject was I Love You, and the payload was a
  VBS script that, when executed, quickly spread in
  email to all the users in your address book, and
  wormed its way through fileshares, destroying
  image files
• At least 82 variants of this worm were discovered

13
Blaster

• History The Blaster virus came out in August
  2003.
• It used a recent exploit announced (DCOM RPC) by
  Microsoft.
• It also looked for open TFTP shares.
• This virus used common ports that Microsoft also
  uses for filesharing.
• It also attempted a Denial of Service against
  Microsoft.
• It tried to download a trojan and install it.
• Several variations on the theme followed.

14
TROJANS, BACKDOORS ZOMBIES

• Definition These spread as viruses and worms,
  and include hidden code that will allow a remote
  user to access the computer or use the computer
  to attack another.
• Some will use your computer as a launching point
  in a multi-layered attack against another target.
  They can use you as a zombie in a Distributed
  Denial of Service (DDoS) attack.

15
Trojan Horse

• Back Orifice
• Discovery Date 10/15/1998
• Origin Pro-hacker Website
• Length 124,928
• Type Trojan
• SubType Remote Access
• Risk Assessment Low
• Category Stealth

16
Trojan Horse

• About Back Orifice
• requires Windows to work
• distributed by Cult of the Dead Cow
• similar to PC Anywhere, Carbon Copy software
• allows remote access and control of other
  computers
• install a reference in the registry
• once infected, runs in the background
• by default uses UDP port 54320
• TCP port 54321
• In Australia 72 of 92 ISP surveyed were infected
  with Back Orifice

17
Trojan Horse

• Features of Back Orifice
• pings and query servers
• reboot or lock up the system
• list cached and screen saver password
• display system information
• logs keystrokes
• edit registry
• server control
• receive and send files
• display a message box

18
Denial Of Service

• What is it?
• An attack in which the primary goal is to deny
  the victim access to a particular resource
• Effectively, overload the victim by forcing it to
  consume all its computational strength in doing
  useless things

19
Denial of Service

• How it works
• TCP handshake

Client
Server
SYN
Processing time
ACK
SYNACK
20
Denial of Service

• How it works
• Generates massive amount of SYN packets

Attacker
Victim
SYN
Processing time
Processor busy
21
SPYWARE/ADWARE

• History These are annoying and often you dont
  even know they are running, or what they are
  reporting.
• They can include hidden programs to spy on your
  activities.
• They can be simple marketing gimmicks
  (gator.exe),
• Or they can be annoying and alter your browser
  and cause pop-ups.
• They can even be used to steal passwords.
• Sometimes these get installed when you download a
  free program off the Internet. Always be careful
  what you download and what you click on. You may
  agree to install something by clicking on the
  EULA without realizing it.

22
SPAM

• History
• SPAM is annoying, unsolicited email.
• Often the spammer generates a subject that looks
  legitimate, or a FROM address that looks like
  someone you might know. It might say MOM or
  JOHN, and may refer to something that looks like
  you already discussed in a previous email.
• Sometimes they try to use the Authority card, and
  pose as an update from Microsoft or Dell.
• Most people report over a third of their email is
  now SPAM (and growing!)
• SPAM costs businesses an estimated 11.9B/year in
  2003.

23
FROMBARRISTER FRANKLIN TIMOTHY ESQ. TIMOTHY
CO ATTORNEYS/LEGAL PRACTITIONER
NIGERIA WE NEED YOUR ASSISTANCE. DEAR
FRIEND, COMPLIMENTS OF THE SEASON. GRACE AND
PEACE AND LOVE FROM THIS PART OF THE ATLANTIC TO
YOU. I HOPE MY LETTER DOES NOT CAUSE YOU TOO
MUCH EMBARRASSMENT AS I WRITE TO YOU IN GOOD
FAITH BASED ON THE CONTACT ADDRESS GIVEN TO ME
BY A FRIEND WHO WORKS AT THE NIGERIAN EMBASSY IN
YOUR COUNTRY. PLEASE EXCUSE MY INTRUSION INTO
YOUR PRIVATE LIFE. I AM BARRISTER FRANKLIN
TIMOTHY ESQ. I REPRESENT MOHAMMED ABACHA, SON
OF THE LATE GEN.SANI ABACHA, WHO WAS THE FORMER
MILITARY HEAD OF STATE IN NIGERIA. HE DIED IN
1998. SINCE HIS DEATH, THE FAMILY HAS BEEN
LOSING A LOT OF MONEY DUE TO VINDICTIVE
GOVERNMENT OFFICIALS WHO ARE BENT ON DEALING
WITH THE FAMILY. BASED ON THIS THEREFORE, THE
FAMILY HAS ASKED ME TO SEEK FOR A FOREIGN
PARTNER WHO CAN WORK WITH US AS TO MOVE OUT
THE TOTAL SUM OF US75,000,000.00 ( SEVENTY FIVE
MILLION UNITED STATES DOLLARS ), PRESENTLY IN
THEIR POSSESSION. THIS MONEY WAS OF COURSE,
ACQUIRED BY THE LATE PRESIDENT AND IS NOW KEPT
SECRETLY BY THE FAMILY. THE SWISS
GOVERNMENT HAS ALREADY FROZEN ALL THE ACCOUNTS OF
THE FAMILY IN SWITZERLAND, AND SOME OTHER
COUNTRIES WOULD SOON FOLLOW TO DO THE SAME. THIS
BID BY SOME GOVERNMENT OFFICIALS TO DEAL WITH
THIS FAMILY HAS MADE IT NECESSARY THAT WE SEEK
YOUR ASSISITANCE IN RECEIVING THIS MONEY AND IN
INVESTING IT ON BEHALF OFTHE FAMILY.
24
HOAXES CHAIN LETTERS

• Definition Hoaxes and Chain letters are
  sometimes just jokes, sometimes annoying, and
  sometimes dangerous
• Social Engineering Often these email messages
  are a great waste of time and bandwidth, with
  people sending them to all of their friends.
  Sometimes, they convince the user to actually
  delete files (like the JBDGMGR teddy bear
  hoax).
• With a misconfigured email system, the confusion
  alone can cause many replies which then route to
  all the users on a mailing list, and the noise
  can take days to die down.
• Some antivirus programs treat these like viruses
  and quarantine them.

25

• I found the little bear in my machine because of
  that I am sending this message in order for you
  to find it in your machine. The procedure is very
  simple
• The objective of this e-mail is to warn all
  Hotmail users about a new virus that is spreading
  by MSN Messenger. The name of this virus is
  jdbgmgr.exe and it is sent automatically by the
  Messenger and by the address book too. The virus
  is not detected by McAfee or Norton and it stays
  quiet for 14 days before damaging the system.
• The virus can be cleaned before it deletes the
  files from your system. In order to eliminate it,
  it is just necessary to do the following steps
• 1. Go to Start, click "Search"
• 2.- In the "Files or Folders option" write the
  name jdbgmgr.exe
• 3.- Be sure that you are searching in the drive
  "C"
• 4.- Click "find now"
• 5.- If the virus is there (it has a little
  bear-like icon with the name of jdbgmgr.exe DO
  NOT OPEN IT FOR ANY REASON
• 6.- Right click and delete it (it will go to the
  Recycle bin)
• 7.- Go to the recycle bin and delete it or empty
  the recycle bin.
• IF YOU FIND THE VIRUS IN ALL OF YOUR SYSTEMS SEND
  THIS MESSAGE TO ALL OF YOUR CONTACTS LOCATED IN
  YOUR ADDRESS BOOK BEFORE IT CAN CAUSE ANY DAMAGE.

26
Hackers/crackers

• What is a hacker?
• A person who enjoys exploring the details of
  systems and how to stretch their capabilities
  (i.e. tries to gain unauthorized access to remote
  machines)
• Usually inventive, has significant knowledge and
  expertise, and doesnt cause damage
• And a cracker?
• A malicious meddler who tries to discover
  sensitive information by breaking into remote
  systems
• Uses off-the-shelf tools, typically a schoolboy

27
Script Kiddie

• The typical script kiddy uses existing and
  frequently well-known and easy-to-find techniques
  and programs or scripts to search for and exploit
  weaknesses in other computers on the Internet -
  often randomly and with little regard or perhaps
  even understanding of the potentially harmful
  consequences.
• Hackers view script kiddies with alarm and
  contempt since they do nothing to advance the
  "art" of hacking but sometimes unleashing the
  wrath of authority on the entire hacker
  community.
• While a hacker will take pride in the quality of
  an attack - leaving no trace of an intrusion, for
  example - a script kiddy may aim at quantity,
  seeing the number of attacks that can be mounted
  as a way to obtain attention and notoriety.
• Script kiddies are sometimes portrayed in media
  as bored, lonely teenagers seeking recognition
  from their peers.

28
Phishing

• A scam where the perpetrator sends out
  legitimate-looking e-mails appearing to come from
  some of the Web's biggest sites, including eBay,
  PayPal, MSN, Yahoo, BestBuy, and America Online,
  in an effort to phish (prounounced "fish") for
  personal and financial information from the
  recipient.
• Takes advantage of any number of different social
  engineering and e-mail spoofing ploys to try to
  trick their victims.
• In a recent case before the Federal Trade
  Commission (FTC), a 17-year-old male sent out
  messages purporting to be from America Online
  that said there had been a billing problem with
  recipients' AOL accounts. The perpetrator's
  e-mail used AOL logos and contained legitimate
  links. If recipients clicked on the "AOL Billing
  Center" link, however, they were taken to a
  spoofed AOL Web page that asked for personal
  information, including credit card numbers,
  personal identification numbers (PINs), social
  security numbers, banking numbers, and passwords.

29
SPAM Fighting

• How you might fight the SPAM
• Dont open anything from anyone you dont know.
• Dont answer SPAM it tells them that you exist.
• At home, buy a spam filtering program and update
  it.
• At work, or ask your ISP to install spam
  filtering. Content filtering can block certain
  adult material, as well as messages that appear
  suspicious. (This can also destroy legitimate
  emails.)
• At work, use a web proxy to avoid downloading
  web bugs.
• At work, subscribe to a Black Hole List.
• Register online for FTC No Spam Registry. (legal?)

30
SPAM Resources

• Realtime Blackhole Listhttp//www.mail-abuse.org/
  rbl
• Boycott Internet Spamhttp//spam.abuse.net
• Network Abuse Clearinghousehttp//www.abuse.net
• Forum for Responsible and Ethical
  Emailhttp//www.spamfree.org

31
The Corporate Threat

• Game Plan
• Defense in Depth!
• Firewalls
• DMZ for Internet exposed applications
• Web Proxy
• Content Filtering (web, smtp, ftp)
• Client Antivirus, Email Antivirus, SMTP Gateway
  Antivirus
• Intrusion Detection
• Access Controls on Remote Access/Wireless
• Security Awareness
• A Good Security Team!
• Documentation and tested response

32
Hackers/crackers

• Solutions
• Firewall
• Careful system administration
• Hard-to-guess passwords

33
On the Homefront

• Be extra careful if you have children and/or
  broadband.
• Fork over the money and buy ANTIVIRUS!
• Keep your antivirus UPDATED!
• Keep your computer patched!
• Get SPAM filtering software / Pop-up blocking
• If youre on broadband, you should have a
  firewall too.

34

• Virus Protection
• - BUY a copy of a good antivirus program (like
  Symantec, McAfee, Trend, Panda...)Available for
  all platforms. If you like the online scanner
  below, you can purchase a commercial version from
  their site for around 30 with a 1- year
  subscription.
• - Keep it updated AT LEAST once a week. Try to
  set it to autocheck at a convenient time so you
  don't forget. The paid subscription lets you
  auto-update. If you don't pay after it expires,
  you can still get virus updates manually from the
  vendor website, in most cases.
• - Here are some links to FREE ONLINE resources
  for scanning your PC.
• Symantec (PC)
• http//security.symantec.com/sscv6/home.asp?j1la
  ngidievenidsym
• (you can perform a virus scan, or check for
  vulnerabilities)
• Trend Micro (PC) http//housecall.trendmicro.c
  om/
• Panda (PC)
• http//www.pandasoftware.com/activescan/com/active
  scan_principal.htm
• McAfee (PC) http//us.mcafee.com/root/mfs/defa
  ult.asp

35
On the Homefront

• SPAM
• McAfee/Spamkiller (PC, 30)
  http//us.mcafee.com/root/package.asp?pkgid156
• Matterform/Spamfire (Mac only for now,
  25/40) http//www.matterform.com/
• CoffeeCup PC - haven't tried, but good
  reviews, 30) http//www.tucows.com/preview/295
  552.html
• SpamWeed for POP3(bayesian spam filter, should
  learn and improve over time - haven't tried but
  looks good, 30) http//www.tucows.com/p
  review/318216.html

36

• Ad-Ware
• Dealing with Ad-Ware/Malware (the stuff that
  gets installed when you download another program
  or visit a website that reports on what you do)
• - This is primarily a PC problem, so these tools
  are
• exclusively for the PC.
• - Here are links to a couple FREE software
  packages that you
• can use to scan for any adware that
  might be installed on
• your system (i.e. Gator, etc.)
• Ad-aware (PC, FREE)
• http//www.lavasoft.de/support/download/
  
• Spybot (PC, FREE) http//www.safer-netw
  orking.org/

37

• Pop-up Blocking
• There are several vendors that have tools to
  block pop-ups. Always be careful that you don't
  install spyware in the process of downloading a
  neat toolbar to block pop-ups. Here are some I
  like. They may also have additional
  functionality, like Google searching, etc.
  (Mozilla might be the only pop-up blocker for
  classic MacOS users.)
• Google Toolbar (PC, FREE) http//toolbar.googl
  e.com/
• You might also try running Mozilla, instead of
  Internet Explorer http//www.mozilla.org/
• On MacOS X, use Safari, it will block pop-ups
  
• http//www.apple.com/safari/
• CoffeeCup Pop-up Blocker (20)
• http//www.tucows.com/preview/289024.htm
  l

38

• Vulnerability Patching
• It is vital that your PC remain patched from
  critical security vulnerabilities. This Windows
  site will check your computer for missing
  patches, you should keep the security patches
  updated, but may decide not to install other
  large patches that are not "critical security
  patches".
• Note Most new operating systems offer the
  ability to auto-patch your system, you may decide
  this is your best option, and that way you won't
  forget.
• FOR MAC USERS You can also use the control panel
  to look for "software updates" on the Mac... this
  site is for the savvy MacOS X user. In general,
  the Mac is much less vulnerable to viruses than
  the PC.
• Some of the recent "blended" threats, like
  Blaster, will infect ANY unpatched computer that
  is vulnerable if left long enough on the
  Internet. Even if you have the latest antivirus.
  Remember that antivirus is NOT a 100 solution
  anymore.
• Microsoft(PC) http//windowsupdate.microsof
  t.com/
• Apple(MacOS X) Security Updates
• http//docs.info.apple.com/article.html?
  artnum61798

39
The Future

• In the future, the Internet will extend its reach
  into your home and every aspect of your life.
• Viruses and threats will become commonplace.
• Vendors will need to ship computers with default
  deny, instead of default allow.
• If you keep updated and practice safe
  computing,you will probably stay safe and keep
  your data in the chaos.

40
RESOURCES

• CERT http//www.cert.org/other_sources/viruses.ht
  ml
• VMyths http//www.vmyths.com/
• Computer Secutiry Institute http//www.gocsi.com/
  
• Johns Security Page http//www.cybermaze.com/sec
  urity/index2.html
• A Virus Tutorial http//www.cknow.com/vtutor/
• NIST http//cs-www.ncsl.nist.gov/virus/
• X-Force (ISS) http//xforce.iss.net/
• Microsoft Updates http//windowsupdate.microsoft.
  com
• You may also go to a good online software site,
  like http//www.tucows.com/ and go under your
  operating system (Windows, Mac, Linux) and then
  click on Internet to pull up tons of freeware and
  software titles if you don't find something that
  you like in my list above.