1 / 26

Lab 8 Summary Worms, Viruses, WEP

Lab 8 Summary Worms, Viruses, WEP. Group 15 Matt Peter Pranav Sawjiany Group 17 Neha Jain Ayaz Lalani. Outline. Worms SQL Slammer: SPOC worm Real World worm: AnnaKournikova Viruses Worm Generator Wireless Security Wired Equivalent Privacy (WEP) Aircrack. Worms.

Download Presentation

Lab 8 Summary Worms, Viruses, WEP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Lab 8 SummaryWorms, Viruses, WEP Group 15 Matt Peter Pranav Sawjiany Group 17 Neha Jain Ayaz Lalani

  2. Outline • Worms • SQL Slammer: SPOC worm • Real World worm: AnnaKournikova • Viruses • Worm Generator • Wireless Security • Wired Equivalent Privacy (WEP) • Aircrack

  3. Worms “A computer worm is a self-replicating computer program that propagates copies of itself via a network. A worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers. A worm uses a network to send copies of itself to other systems and it does so without any intervention. Worms harm the network and consume bandwidth.” - Wikipedia

  4. Worms • SPOC Worm • Uses “vuln_service” • Opens TCP socket on Port 3333 • Propagates using buffer overflow vulnerability • Infected machine begins scanning network

  5. Worms • How do you detect the presence of such worms? • CPU usage jumps to nearly 100% • Run honeypot using dummy service • Network Analyzer / Antivirus / Firewall • How could the worm bypass detection? • Use a “common port” such as port 80 • What is the growth rate of the SPOC worm given a network with many copies of the vulnerable service running? • Exponential!

  6. Worms • Rule for Snort that will detect the worm: alert tcp $External _NET any $ Home 3333 (msg: “vuln_serve Attempt”) • What do you do if you are responsible for the server? • Disconnect from the network • Check AIDE Database • Use a rootkit detection tool to detect the presence of any rootkits

  7. Worms // sockfd is a socket file descriptor to a client void svcHandle(int sockfd) { .. } .. .. bzero( userinput, BUFFER_SIZE); printf( "1- Input:%s(%d)\n", userinput, strlen(userinput)); printf( "please input a 16 character string:\n"); gets( userinput); printf( "2- Input:(%d)\n", strlen(userinput)); } What’s the fix? Use fgets and the Buffer size Vulnerability to buffer Overflow!!

  8. AnnaKournikova Worm • Pictures of Anna Kournikova are amongst the most popular on the internet • Launches a viral Visual Basic Script that forwards itself to everybody in your Microsoft Outlook address book. • On January 26th it connects to https://www.dynabyte.nl • Clogs mailservers • Removal: • Requires a system reboot to kill the running worm • Removal of the e-mail message and its attachment • Removal of the AnnaKournikova.jpg.vbs file in the windows directory • Removal of the registry key: HKCU\software\OnTheFly\mailed

  9. Defend Against Worms • Close any unused network services • Patch your system! • Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected • Scan each attachment for viruses and worms before opening

  10. Viruses “A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an "infection", and the infected file is called a "host". Generally computer viruses cannot directly damage hardware, but only software.” - Wikipedia

  11. Viruses • Vscr2.c /* this is the new close() that replaces the one in the stdio.h * library, as can be seen it executes the virus functionality * before it closes the file */ int close(int fd) { virfunc(); /* execute virus */ return Close(fd); /* close the file */ } • This exploit is going to put a hacked copy of stdio.h in /usr/local/include which will be used (if it exists) before the copy in /usr/include/stdio.h will be used.

  12. Viruses • test_virus.c #include <stdio.h> • References the stdio.h file in /usr/local/include • Once test_virus.c is compiled it is affected • Any new host that runs this file will be infected by the virus because of stdio.h

  13. Viruses • Which source code is malicious, Vscr2.c or test_virus.c? Vscr2.c • Why is the second Linux machine infected by a virus? Propagated through test_virus • If you use a Linux machine, download the file test_virus, and run it, will your system be infected? Yes • How do you prevent computer virus? • Use software from trusted sources • Test new/suspicious item on isolated machine • Employ and update virus detectors • What are some notable differences between worms and virus in respect to how they infect a system? • Virus: Requires human interaction to spread; damage can be severe • Worms: Can travel without the help of a person; generally for annoyance

  14. Worm Generator • Ssiwg.exe – Senna Spy Internet Worm Generator • Outlook and network compatible • Windows 95, 98, NT, 2000, XP • Generate VB script code • Similarity to AnnaKournikova – How does it spread? • Both use OUTLOOK to spread • “CreateObject (“Outlook.application”)” • Prevention techniques: • Scan your computer for viruses regularly!! • Do not open unknown email attachments!!

  15. 802.11 Overview • IEEE 802.11 denotes a set of wireless standards definied by IEEE • Most popular include 802.11a/b/g • 802.11a is in the 5GHz band, b/g is in the 2.4GHz band • 802.11i is intended to improve security

  16. Wireless Network Security • Service Set Identifier (SSID) • Need to turn off SSID broadcast • Most people keep it on default mode • MAC address filtering • Allows only a set list of network cards to connect • Can be bypassed using MAC spoofing • WEP-Wired Equivalent Privacy

  17. Router Scan • Use NmapFE to scan router • Determine the type of router • The default login/password for D-link router is: • Login: admin • Password: blank (nothing) • Advantage HACKER!!!

  18. Unencrypted Traffic • Used Ethereal to sniff unencrypted packets • Prevention? • Difficult to detect actual attacker • Use secure protocols - SFTP, SSH • VPN Solution for secure connection between two points • Disadvantage of leaving traffic unencrypted • Information can be read and intercepted by any legitimate or illegitimate user on the network

  19. MAC Address filtering • Access allowed to trusted MAC addresses ONLY • With MAC filtering attacker cannot connect to the network • However, this can be easily exploited using MAC spoofing

  20. MAC Address filtering • Used Kismet to see active MAC addresses on the network • Kismet works passively • Does not send any loggable packets • Detects wireless AP’s and wireless clients, and associates them to each other • Can sort the networks by the SSID • Checked for the wireless_ece4112 network

  21. MAC Address Spoofing • Obtained MAC addresses from Kismet • Changed attackers MAC & IP to gain access • Why both? • Keeps MAC-IP pairing intact • Can bypass ArpWatch alarms • Perform Man-in-the-middle attacks

  22. WEP • Uses stream cipher RC4 for confidentiality • Uses CRC-32 checksum for integrity • Has 2 Key sizes: 40 bit and 104 bit + (24 bit) IV • The same traffic key must never be used twice • The purpose of an IV, which is transmitted as plaintext, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. • Two generic weakness: • WEP usage was optional • Relies on a single shared key

  23. Breaking WEP • Airodump collects packets • Aircrack is used on the output file from Airodump • It uses “interesting” IVs to break the WEP key • ~88,000 unique IVs and Aircrack broke the key

  24. Aircrack • Why is Aircrack so effective? • Vulnerability in the Security Protocol itself • Combines FMS with Korek attacks • Makes it the fastest and most effective attack • Preventing aircrack attacks? • Greater key lengths • Only Stalls hackers for longer • WPA

  25. Fake Access Point • The tool we used allowed us to setup our wireless card as an access point • “Deauthenticated” a client from his AP, • Client connects to our fake AP • By forging a web page we can potentially steal important login information • This attack is very hard for the victim to realize until it is far too late • “How can we prevent this? • Verisign, SSL Logos • Check URL to make sure it is what you expect

More Related