Lab 8 Summary Worms, Viruses, WEP


Group 15

Matt Peter

Pranav Sawjiany

Group 17

Neha Jain

Ayaz Lalani

Outline
  • Worms
    • SQL Slammer: SPOC worm
    • Real World worm: AnnaKournikova
  • Viruses
  • Worm Generator
  • Wireless Security
  • Wired Equivalent Privacy (WEP)
    • Aircrack

Worms
“A computer worm is a self-replicating computer program that propagates copies of itself via a network. A worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers. A worm uses a network to send copies of itself to other systems and it does so without any intervention. Worms harm the network and consume bandwidth.” - Wikipedia

  • SPOC Worm
    • Uses “vuln_service”
    • Opens TCP socket on Port 3333
    • Propagates using buffer overflow vulnerability
    • Infected machine begins scanning network
  • How do you detect the presence of such worms?
    • CPU usage jumps to nearly 100%
    • Run honeypot using dummy service
    • Network Analyzer / Antivirus / Firewall
  • How could the worm bypass detection?
    • Use a “common port” such as port 80
  • What is the growth rate of the SPOC worm given a network with many copies of the vulnerable service running?
    • Exponential!
  • Rule for Snort that will detect the worm:

# sid taken from the local rule range (1000000+); the slide's rule omitted it
alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"vuln_serve Attempt"; sid:1000001; rev:1;)

  • What do you do if you are responsible for the server?
    • Disconnect from the network
    • Check AIDE Database
    • Use a rootkit detection tool to detect the presence of any rootkits
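As an added illustration (not from the slides) of why the answer above is “exponential”, the standard random-scanning worm model applies directly to SPOC: let $N$ be the number of vulnerable copies of vuln_service on the network, $I(t)$ the number already infected, and $\beta$ the rate at which one infected host finds and exploits one particular vulnerable host. Each infected host keeps scanning, so new infections arrive in proportion to both the infected and the still-vulnerable population:

$$\frac{dI}{dt} = \beta\, I(t)\,\bigl(N - I(t)\bigr), \qquad I(t) = \frac{N}{1 + \left(\dfrac{N}{I_0} - 1\right) e^{-\beta N t}}$$

While $I(t) \ll N$ the bracket is roughly $N$ and the solution reduces to $I(t) \approx I_0\, e^{\beta N t}$: exponential growth, with the doubling time $\ln 2 / (\beta N)$ shrinking as more vulnerable services exist. Only when most hosts are infected does the curve flatten into the S-shape that ends at $I = N$. The CPU-usage and scan-traffic symptoms listed above are what make the steep middle of this curve visible to a defender.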

// sockfd is a socket file descriptor to a client
// (BUFFER_SIZE is defined elsewhere in vuln_service)
#include <stdio.h>
#include <string.h>
#include <strings.h>

void svcHandle(int sockfd)
{
    char userinput[BUFFER_SIZE];     /* fixed-size stack buffer */
    /* ... */
    bzero(userinput, BUFFER_SIZE);
    printf("1- Input:%s(%d)\n", userinput, (int)strlen(userinput));
    printf("please input a 16 character string:\n");
    gets(userinput);                 /* no length limit: longer input overruns userinput */
    printf("2- Input:(%d)\n", (int)strlen(userinput));
    /* ... */
}


What’s the fix?
  • Use fgets and the buffer size
Vulnerability to buffer overflow!!
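The fix the slide names, worked through as an added example (this is not the lab's vuln_service code): the gets() call is replaced by a bounded fgets() read. Two details matter beyond just calling fgets: the trailing newline has to be stripped, and when a line is longer than the buffer the leftover bytes must be drained, or the next read would treat them as a fresh request. BUFFER_SIZE = 16, the function names, and the over-long sample line are all constructed here; the handler takes stdio streams instead of the slide's raw sockfd so it can be exercised offline (on a real socket you would wrap the descriptor with fdopen()).

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 16   /* constructed: the slide does not show the real value */

/* Bounded replacement for the slide's gets(userinput).
 * Reads at most bufsize-1 characters of one line from `in`, NUL-terminates,
 * strips the trailing newline, and drains the rest of an over-long line so
 * the leftover bytes cannot be mistaken for the next request.
 * Returns the stored length, or -1 on EOF/error; *truncated is set to 1
 * when the line had to be cut. */
int read_line_bounded(FILE *in, char *buf, size_t bufsize, int *truncated)
{
    *truncated = 0;
    if (bufsize == 0 || fgets(buf, (int)bufsize, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                 /* whole line fit: drop the newline */
    } else {
        int c;                             /* line did not fit (or hit EOF): drain it */
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;
    }
    return (int)len;
}

/* Hardened shape of the slide's svcHandle(): same prompts, bounded read.
 * Returns the number of bytes stored, or -1 when no input arrived. */
int svc_handle_fixed(FILE *in, FILE *out)
{
    char userinput[BUFFER_SIZE];
    int truncated = 0;
    memset(userinput, 0, sizeof userinput);
    fprintf(out, "please input a 16 character string:\n");
    int n = read_line_bounded(in, userinput, sizeof userinput, &truncated);
    if (n < 0) {
        fprintf(out, "no input\n");
        return -1;
    }
    fprintf(out, "2- Input:(%d)%s\n", n, truncated ? " [truncated]" : "");
    return n;
}

/* Constructed demo: a 48-byte line (three times the buffer) followed by a
 * short one, written to a tmpfile() that stands in for the client socket.
 * Returns the length stored for the first line; *first_truncated reports
 * whether it was cut, and `second` receives the line read after it. */
int demo_overlong_line(int *first_truncated, char *second, size_t secondsize)
{
    static const char constructed[] =
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nshort\n";
    FILE *in = tmpfile();
    if (in == NULL)
        return -1;
    fwrite(constructed, 1, sizeof constructed - 1, in);
    rewind(in);

    char buf[BUFFER_SIZE];
    int trunc2 = 0;
    int n1 = read_line_bounded(in, buf, sizeof buf, first_truncated);
    if (read_line_bounded(in, second, secondsize, &trunc2) < 0)
        second[0] = '\0';
    fclose(in);
    return n1;
}

int main(void)
{
    int truncated = 0;
    char second[BUFFER_SIZE];
    int n = demo_overlong_line(&truncated, second, sizeof second);
    printf("first line: stored %d bytes, truncated=%d; next line read: \"%s\"\n",
           n, truncated, second);
    return 0;
}
```

With gets(), the 48-byte line would have written 33 bytes past the end of userinput and into the saved frame pointer and return address; with the bounded read the handler stores 15 bytes, reports the truncation, and the following request is still parsed from the right place.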

AnnaKournikova Worm
  • Pictures of Anna Kournikova are amongst the most popular on the internet
  • Launches a viral Visual Basic Script that forwards itself to everybody in your Microsoft Outlook address book.
  • On January 26th it connects to
  • Clogs mailservers
  • Removal:
    • Requires a system reboot to kill the running worm
    • Removal of the e-mail message and its attachment
    • Removal of the AnnaKournikova.jpg.vbs file in the Windows directory
    • Removal of the registry key: HKCU\software\OnTheFly\mailed
Defend Against Worms
  • Close any unused network services
  • Patch your system!
  • Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected
  • Scan each attachment for viruses and worms before opening

Viruses
“A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an "infection", and the infected file is called a "host". Generally computer viruses cannot directly damage hardware, but only software.” - Wikipedia

  • Vscr2.c

/* this is the new close() that replaces the one in the stdio.h
 * library, as can be seen it executes the virus functionality
 * before it closes the file */
int close(int fd)
{
    virfunc();          /* execute virus */
    return Close(fd);   /* close the file */
}


  • This exploit puts a hacked copy of stdio.h in /usr/local/include; the compiler searches that directory before /usr/include, so the hacked copy (if it exists) is used in place of /usr/include/stdio.h.
  • test_virus.c

#include <stdio.h>

  • References the stdio.h file in /usr/local/include
  • Once test_virus.c is compiled, the resulting binary carries the virus
  • Any new host that runs this file will be infected by the virus because of stdio.h
  • Which source code is malicious, Vscr2.c or test_virus.c?


  • Why is the second Linux machine infected by a virus?
    • Propagated through test_virus

  • If you use a Linux machine, download the file test_virus, and run it, will your system be infected?


  • How do you prevent computer viruses?
    • Use software from trusted sources
    • Test new/suspicious item on isolated machine
    • Employ and update virus detectors
  • What are some notable differences between worms and viruses in respect to how they infect a system?
    • Viruses: require human interaction to spread; damage can be severe
    • Worms: can travel without the help of a person; generally for annoyance
Worm Generator
  • Ssiwg.exe – Senna Spy Internet Worm Generator
    • Outlook and network compatible
    • Windows 95, 98, NT, 2000, XP
    • Generate VB script code
  • Similarity to AnnaKournikova – How does it spread?
    • Both use OUTLOOK to spread
    • CreateObject("Outlook.application")
  • Prevention techniques:
    • Scan your computer for viruses regularly!!
    • Do not open unknown email attachments!!
802.11 Overview
  • IEEE 802.11 denotes a set of wireless standards defined by IEEE
  • Most popular include 802.11a/b/g
  • 802.11a is in the 5 GHz band; b/g are in the 2.4 GHz band
  • 802.11i is intended to improve security
Wireless Network Security
  • Service Set Identifier (SSID)
    • Need to turn off SSID broadcast
    • Most people keep it on default mode
  • MAC address filtering
    • Allows only a set list of network cards to connect
    • Can be bypassed using MAC spoofing
  • WEP: Wired Equivalent Privacy
Router Scan
  • Use NmapFE to scan router
  • Determine the type of router
  • The default login/password for D-link router is:
    • Login: admin
    • Password: blank (nothing)
  • Advantage HACKER!!!
Unencrypted Traffic
  • Used Ethereal to sniff unencrypted packets
  • Prevention?
    • Difficult to detect actual attacker
    • Use secure protocols - SFTP, SSH
    • VPN Solution for secure connection between two points
  • Disadvantage of leaving traffic unencrypted
    • Information can be read and intercepted by any legitimate or illegitimate user on the network
MAC Address filtering
  • Access allowed to trusted MAC addresses ONLY
  • With MAC filtering attacker cannot connect to the network
  • However, this can be easily exploited using MAC spoofing
MAC Address filtering
  • Used Kismet to see active MAC addresses on the network
    • Kismet works passively
    • Does not send any loggable packets
    • Detects wireless APs and wireless clients, and associates them to each other
  • Can sort the networks by the SSID
  • Checked for the wireless_ece4112 network
MAC Address Spoofing
  • Obtained MAC addresses from Kismet
  • Changed the attacker's MAC & IP to gain access
    • Why both?
      • Keeps MAC-IP pairing intact
      • Can bypass ArpWatch alarms
      • Perform Man-in-the-middle attacks
Wired Equivalent Privacy (WEP)
  • Uses the stream cipher RC4 for confidentiality
  • Uses a CRC-32 checksum for integrity
  • Has two key sizes, 40-bit and 104-bit, each combined with a 24-bit IV
  • The same traffic key must never be used twice
    • The purpose of the IV, which is transmitted as plaintext, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network.
  • Two generic weaknesses:
    • WEP usage was optional
    • Relies on a single shared key
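The two WEP points above, "the same traffic key must never be used twice" and "a 24-bit IV is not long enough", worked through as an added example (this is not code from the lab or from the Aircrack project, and it is not the FMS/KoreK key-recovery attack that Aircrack uses). The block implements RC4, builds the WEP per-frame key as IV || shared key, and shows that two frames sent under the same IV share a keystream, so an observer who knows one frame's plaintext reads the other without ever learning the key. It also computes the birthday bound for a 24-bit IV space. The 40-bit key, the two IVs and the two 16-byte frames are constructed; real WEP drivers usually use a sequential IV counter that restarts at zero, which makes repeats certain rather than probabilistic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal RC4 (KSA + PRGA), the stream cipher WEP relies on. */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_t;

static void rc4_init(rc4_t *st, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) st->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->s[k] + key[k % keylen]);
        uint8_t t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

/* XOR n bytes of keystream onto in[] (encryption and decryption are the same op). */
static void rc4_xor(rc4_t *st, const uint8_t *in, uint8_t *out, size_t n)
{
    for (size_t k = 0; k < n; k++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->s[st->i]);
        uint8_t t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
        out[k] = in[k] ^ st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
    }
}

/* Known-answer check: RC4 with key "Key" over "Plaintext" gives BBF316E8D940AF0AD3. */
int rc4_selftest(void)
{
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t out[9];
    rc4_t st;
    rc4_init(&st, (const uint8_t *)"Key", 3);
    rc4_xor(&st, (const uint8_t *)"Plaintext", out, 9);
    return memcmp(out, expect, 9) == 0;
}

/* WEP per-frame key = 24-bit IV || shared key (40- or 104-bit).
 * The IV travels in the clear in the frame header; only the shared key is secret. */
void wep_xor(const uint8_t iv[3], const uint8_t *key, size_t keylen,
             const uint8_t *in, uint8_t *out, size_t n)
{
    uint8_t frame_key[3 + 13];              /* enough for the 104-bit key size */
    if (keylen > 13) keylen = 13;
    memcpy(frame_key, iv, 3);
    memcpy(frame_key + 3, key, keylen);
    rc4_t st;
    rc4_init(&st, frame_key, 3 + keylen);
    rc4_xor(&st, in, out, n);
}

/* Two frames under one IV share a keystream, so c1 XOR c2 = p1 XOR p2; with p1
 * known (a predictable protocol header, say) p2 = c1 XOR c2 XOR p1 falls out
 * with no knowledge of the key. Returns 1 when the recovered bytes equal p2.
 * With reuse_iv == 0 the second frame gets a fresh IV and the trick fails. */
int keystream_reuse_recovers_p2(int reuse_iv)
{
    static const uint8_t key[5] = {0x01,0x02,0x03,0x04,0x05};     /* constructed 40-bit key */
    static const uint8_t iv1[3] = {0x0A,0x0B,0x0C}, iv2[3] = {0x0A,0x0B,0x0D};
    const uint8_t *p1 = (const uint8_t *)"GET /index.html ";    /* known plaintext, 16 bytes */
    const uint8_t *p2 = (const uint8_t *)"passwd=s3cret!!!";    /* secret frame, 16 bytes */
    uint8_t c1[16], c2[16], guess[16];
    wep_xor(iv1, key, 5, p1, c1, 16);
    wep_xor(reuse_iv ? iv1 : iv2, key, 5, p2, c2, 16);
    for (int k = 0; k < 16; k++) guess[k] = c1[k] ^ c2[k] ^ p1[k];
    return memcmp(guess, p2, 16) == 0;
}

/* Probability that at least two of n frames share an IV when IVs are drawn
 * uniformly from the 2^24 space: 1 - prod_{k<n} (1 - k/2^24) (birthday bound). */
double iv_collision_probability(unsigned long n)
{
    const double space = 16777216.0;
    double no_collision = 1.0;
    for (unsigned long k = 1; k < n; k++)
        no_collision *= 1.0 - (double)k / space;
    return 1.0 - no_collision;
}

int main(void)
{
    printf("RC4 self-test: %s\n", rc4_selftest() ? "ok" : "FAIL");
    printf("same IV  -> p2 recovered from c1^c2^p1: %d\n", keystream_reuse_recovers_p2(1));
    printf("fresh IV -> p2 recovered from c1^c2^p1: %d\n", keystream_reuse_recovers_p2(0));
    printf("P(some IV repeats) after 5000 random frames: %.3f\n", iv_collision_probability(5000));
    return 0;
}
```

Even with perfectly random IVs the collision probability passes one half after about 5,000 frames, which a busy access point sends in seconds; that is the quantitative content of "not long enough to ensure this on a busy network", and it holds for the 104-bit key just as much as for the 40-bit one, since the IV length is the same.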
Breaking WEP
  • Airodump collects packets
  • Aircrack is used on the output file from Airodump
  • It uses “interesting” IVs to break the WEP key
  • ~88,000 unique IVs and Aircrack broke the key
  • Why is Aircrack so effective?
    • Vulnerability in the Security Protocol itself
    • Combines FMS with Korek attacks
    • Makes it the fastest and most effective attack
  • Preventing aircrack attacks?
    • Greater key lengths
      • Only stalls hackers for longer
    • WPA
Fake Access Point
  • The tool we used allowed us to setup our wireless card as an access point
  • “Deauthenticated” a client from his AP
  • Client connects to our fake AP
  • By forging a web page we can potentially steal important login information
  • This attack is very hard for the victim to realize until it is far too late
    • How can we prevent this?
      • Verisign, SSL Logos
      • Check URL to make sure it is what you expect