Lab 8 Summary Worms, Viruses, WEP Group 15 Matt Peter Pranav Sawjiany Group 17 Neha Jain Ayaz...

Post on 30-Dec-2015


Lab 8 Summary: Worms, Viruses, WEP

Group 15: Matt Peter, Pranav Sawjiany
Group 17: Neha Jain, Ayaz Lalani

Outline
• Worms
• SQL Slammer: SPOC worm
• Real World worm: AnnaKournikova
• Viruses
• Worm Generator
• Wireless Security
• Wired Equivalent Privacy (WEP)
• Aircrack

Worms

“A computer worm is a self-replicating computer program that propagates copies of itself via a network. A worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers. A worm uses a network to send copies of itself to other systems and it does so without any intervention. Worms harm the network and consume bandwidth.” - Wikipedia

Worms: SPOC Worm
• Uses “vuln_service”
• Opens TCP socket on port 3333
• Propagates using a buffer overflow vulnerability
• Infected machine begins scanning the network

Worms

How do you detect the presence of such worms?
• CPU usage jumps to nearly 100%
• Run a honeypot using a dummy service
• Network analyzer / antivirus / firewall

How could the worm bypass detection? Use a “common port” such as port 80

What is the growth rate of the SPOC worm given a network with many copies of the vulnerable service running? Exponential!

Worms

Rule for Snort that will detect the worm:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"vuln_serve Attempt"; sid:1000001; rev:1;)

(sid is a placeholder in the local-rule range; Snort expects every rule to carry one)

What do you do if you are responsible for the server?
• Disconnect from the network
• Check the AIDE database
• Use a rootkit detection tool to detect the presence of any rootkits

Worms

    // sockfd is a socket file descriptor to a client
    void svcHandle(int sockfd) {
        ...
        bzero(userinput, BUFFER_SIZE);
        printf("1- Input:%s(%d)\n", userinput, strlen(userinput));
        printf("please input a 16 character string:\n");
        gets(userinput);                /* unbounded read into a fixed-size buffer */
        printf("2- Input:(%d)\n", strlen(userinput));
    }

Vulnerability to buffer overflow!!

What’s the fix? Use fgets and the buffer size
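The fix the slide names, written out as an added example that is not part of the lab's code: the read is bounded by the buffer size with fgets, and the leftover part of an over-long line is drained so it cannot leak into the next request. The 17-byte buffer (16 characters plus NUL) and the prompt strings are assumed to match the lab's handler.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 17   /* 16 characters plus the terminating NUL (assumed) */

/* Bounded replacement for the gets() call in svcHandle(): fgets() reads at
 * most size-1 bytes, so the buffer cannot overflow. The newline is stripped;
 * if the client sent more than fits, the rest of that line is discarded so it
 * is not handed to the next read. Returns bytes kept, or -1 on EOF/error. */
int read_bounded_line(char *userinput, size_t size, FILE *in) {
    if (fgets(userinput, (int)size, in) == NULL) {
        userinput[0] = '\0';
        return -1;
    }
    size_t len = strlen(userinput);
    if (len > 0 && userinput[len - 1] == '\n') {
        userinput[--len] = '\0';        /* whole line fit in the buffer */
    } else {
        int c;                          /* line was truncated: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Helper: run two bounded reads on a constructed input, as the service would
 * for two consecutive requests; uses tmpfile() so no socket is needed.
 * Returns the number of reads that succeeded (0..2). */
int run_two_reads(const char *input, char *first, char *second, size_t size) {
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(input, f);
    rewind(f);
    int ok = 0;
    if (read_bounded_line(first, size, f) >= 0) ok++;
    if (read_bounded_line(second, size, f) >= 0) ok++;
    fclose(f);
    return ok;
}

int main(void) {
    char userinput[BUFFER_SIZE];
    printf("please input a 16 character string:\n");
    int n = read_bounded_line(userinput, sizeof userinput, stdin);
    printf("2- Input:(%d)\n", n);      /* same output format as the lab handler */
    return 0;
}
```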

AnnaKournikova Worm
• Pictures of Anna Kournikova are amongst the most popular on the internet
• Launches a viral Visual Basic Script that forwards itself to everybody in your Microsoft Outlook address book
• On January 26th it connects to https://www.dynabyte.nl
• Clogs mail servers

Removal:
• Requires a system reboot to kill the running worm
• Removal of the e-mail message and its attachment
• Removal of the AnnaKournikova.jpg.vbs file in the Windows directory
• Removal of the registry key: HKCU\software\OnTheFly\mailed

Defend Against Worms
• Close any unused network services
• Patch your system!
• Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected
• Scan each attachment for viruses and worms before opening

Viruses

“A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an "infection", and the infected file is called a "host". Generally computer viruses cannot directly damage hardware, but only software.” - Wikipedia

Viruses: Vscr2.c

    /* this is the new close() that replaces the one in the stdio.h
     * library, as can be seen it executes the virus functionality
     * before it closes the file */
    int close(int fd) {
        virfunc();          /* execute virus */
        return Close(fd);   /* close the file */
    }

This exploit puts a hacked copy of stdio.h in /usr/local/include, which (if it exists) is used in preference to the copy in /usr/include/stdio.h.

Viruses: test_virus.c

    #include <stdio.h>

• References the stdio.h file in /usr/local/include
• Once test_virus.c is compiled it is affected
• Any new host that runs this file will be infected by the virus because of stdio.h

Viruses

Which source code is malicious, Vscr2.c or test_virus.c? Vscr2.c
Why is the second Linux machine infected by a virus? Propagated through test_virus
If you use a Linux machine, download the file test_virus, and run it, will your system be infected? Yes

How do you prevent computer viruses?
• Use software from trusted sources
• Test new/suspicious items on an isolated machine
• Employ and update virus detectors

What are some notable differences between worms and viruses in respect to how they infect a system?
• Virus: Requires human interaction to spread; damage can be severe
• Worms: Can travel without the help of a person; generally for annoyance

Worm Generator
• Ssiwg.exe – Senna Spy Internet Worm Generator
• Outlook and network compatible
• Windows 95, 98, NT, 2000, XP
• Generates VB script code

Similarity to AnnaKournikova – How does it spread? Both use OUTLOOK to spread: CreateObject("Outlook.Application")

Prevention techniques:
• Scan your computer for viruses regularly!!
• Do not open unknown email attachments!!

802.11 Overview
• IEEE 802.11 denotes a set of wireless standards defined by IEEE
• The most popular include 802.11a/b/g
• 802.11a is in the 5 GHz band, b/g are in the 2.4 GHz band
• 802.11i is intended to improve security

Wireless Network Security
• Service Set Identifier (SSID): need to turn off SSID broadcast; most people keep it in default mode
• MAC address filtering: allows only a set list of network cards to connect; can be bypassed using MAC spoofing
• WEP - Wired Equivalent Privacy

Router Scan
• Use NmapFE to scan the router
• Determine the type of router
• The default login/password for a D-Link router is: Login: admin, Password: blank (nothing)

Advantage HACKER!!!

Unencrypted Traffic
• Used Ethereal to sniff unencrypted packets

Prevention?
• Difficult to detect the actual attacker
• Use secure protocols - SFTP, SSH
• VPN solution for a secure connection between two points

Disadvantage of leaving traffic unencrypted: information can be read and intercepted by any legitimate or illegitimate user on the network

MAC Address Filtering
• Access allowed to trusted MAC addresses ONLY
• With MAC filtering an attacker cannot connect to the network
• However, this can be easily exploited using MAC spoofing

MAC Address Filtering
• Used Kismet to see active MAC addresses on the network
• Kismet works passively: does not send any loggable packets
• Detects wireless APs and wireless clients, and associates them to each other
• Can sort the networks by SSID
• Checked for the wireless_ece4112 network

MAC Address Spoofing
• Obtained MAC addresses from Kismet
• Changed the attacker's MAC & IP to gain access
• Why both? Keeps the MAC-IP pairing intact; can bypass ArpWatch alarms
• Perform man-in-the-middle attacks

WEP
• Uses the stream cipher RC4 for confidentiality
• Uses a CRC-32 checksum for integrity
• Has 2 key sizes: 40 bit and 104 bit, + a 24-bit IV
• The same traffic key must never be used twice
• The purpose of an IV, which is transmitted as plaintext, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network.

Two generic weaknesses:
• WEP usage was optional
• Relies on a single shared key
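An added example (not from the lab) that puts a number on "a 24-bit IV is not long enough": the birthday bound on a repeated IV when IVs are picked at random, and how quickly a counter-based IV wraps; the 500 frames/s rate in main is an assumed figure for a busy access point.

```c
#include <stdio.h>
#include <stdint.h>

#define WEP_IV_BITS  24
#define WEP_IV_SPACE ((double)(1u << WEP_IV_BITS))   /* 16,777,216 possible IVs */

/* Probability that at least one 24-bit IV repeats among n packets whose IVs
 * are chosen uniformly at random (the birthday bound):
 *   1 - prod_{i=1}^{n-1} (1 - i/N),  N = 2^24.
 * The product is taken directly, so no math library is needed. */
double iv_collision_probability(uint64_t n) {
    if (n > (uint64_t)WEP_IV_SPACE)
        return 1.0;                     /* pigeonhole: a repeat is certain */
    double p_no_repeat = 1.0;
    for (uint64_t i = 1; i < n; i++)
        p_no_repeat *= 1.0 - (double)i / WEP_IV_SPACE;
    return 1.0 - p_no_repeat;
}

/* Smallest packet count at which the repeat probability reaches target
 * (0 < target < 1), found by extending the same running product. */
uint64_t packets_until_repeat_probability(double target) {
    double p_no_repeat = 1.0;           /* no-repeat probability for n packets */
    uint64_t n = 1;
    while (1.0 - p_no_repeat < target) {
        p_no_repeat *= 1.0 - (double)n / WEP_IV_SPACE;
        n++;
    }
    return n;
}

/* A card that never reuses an IV by accident (a plain counter) still wraps
 * after 2^24 frames; this is how long that takes at a given frame rate. */
double seconds_to_exhaust_iv_space(double frames_per_second) {
    return WEP_IV_SPACE / frames_per_second;
}

int main(void) {
    printf("50%% chance of a repeated IV after %llu random-IV packets\n",
           (unsigned long long)packets_until_repeat_probability(0.5));
    printf("counter IVs wrap after %.1f hours at 500 frames/s (assumed rate)\n",
           seconds_to_exhaust_iv_space(500.0) / 3600.0);
    return 0;
}
```

With random IVs the odds of a repeat pass one half after a few thousand frames, far below the ~88,000 IVs the lab needed to recover the key.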

Breaking WEP
• Airodump collects packets
• Aircrack is used on the output file from Airodump
• It uses “interesting” IVs to break the WEP key
• ~88,000 unique IVs and Aircrack broke the key

Aircrack

Why is Aircrack so effective?
• Vulnerability in the security protocol itself
• Combines FMS with KoreK attacks
• Makes it the fastest and most effective attack

Preventing Aircrack attacks?
• Greater key lengths: only stall hackers for longer
• WPA

Fake Access Point
• The tool we used allowed us to set up our wireless card as an access point
• “Deauthenticated” a client from his AP; the client connects to our fake AP
• By forging a web page we can potentially steal important login information
• This attack is very hard for the victim to realize until it is far too late

How can we prevent this?
• Verisign, SSL logos
• Check the URL to make sure it is what you expect