Lab 8 Summary Worms, Viruses, WEP - PowerPoint PPT Presentation

Lab 8 Summary: Worms, Viruses, WEP

Group 15

Matt Peter

Pranav Sawjiany

Group 17

Neha Jain

Ayaz Lalani


Outline

  • Worms

    • SQL Slammer: SPOC worm

    • Real World worm: AnnaKournikova

  • Viruses

  • Worm Generator

  • Wireless Security

  • Wired Equivalent Privacy (WEP)

    • Aircrack


Worms

“A computer worm is a self-replicating computer program that propagates copies of itself via a network. A worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers. A worm uses a network to send copies of itself to other systems and it does so without any intervention. Worms harm the network and consume bandwidth.” - Wikipedia


  • SPOC Worm

    • Uses “vuln_service”

    • Opens TCP socket on Port 3333

    • Propagates using buffer overflow vulnerability

    • Infected machine begins scanning network


  • How do you detect the presence of such worms?

    • CPU usage jumps to nearly 100%

    • Run honeypot using dummy service

    • Network Analyzer / Antivirus / Firewall

  • How could the worm bypass detection?

    • Use a “common port” such as port 80

  • What is the growth rate of the SPOC worm given a network with many copies of the vulnerable service running?

    • Exponential!


  • Rule for Snort that will detect the worm:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"vuln_service Attempt"; sid:1000001;)

    (Snort needs the direction operator, the standard $EXTERNAL_NET / $HOME_NET variable names, and a sid so the rule loads; the original slide had these garbled.)

  • What do you do if you are responsible for the server?

    • Disconnect from the network

    • Check AIDE Database

    • Use a rootkit detection tool to detect the presence of any rootkits
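The Snort rule above only sees connections from outside to port 3333; once a machine is infected, the "begins scanning network" behaviour shows up as one internal host contacting many neighbours on that port. The following added example (my own code, not part of the lab) runs both checks over constructed connection-log lines of the form "src dst dport". The home network prefix 10.0.0. stands in for Snort's $HOME_NET, the external address 203.0.113.50 and all flows are constructed, and the fan-out threshold is an assumption a real deployment would tune.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 16
#define MAX_SEEN 64
#define HOME_PREFIX "10.0.0."      /* stands in for Snort's $HOME_NET (assumption) */
#define VULN_PORT 3333             /* port vuln_service / the SPOC worm listens on */

/* Constructed connection-log lines, not captured in the lab: "src dst dport". */
const char *const SAMPLE_FLOWS[] = {
    "203.0.113.50 10.0.0.7 3333",   /* external host probes the vulnerable service */
    "203.0.113.50 10.0.0.7 80",     /* ordinary web request, must not alert */
    "10.0.0.7 10.0.0.8 3333",       /* 10.0.0.7 now scans its neighbours on 3333 */
    "10.0.0.7 10.0.0.9 3333",
    "10.0.0.7 10.0.0.10 3333",
    "10.0.0.7 10.0.0.11 3333",
    "10.0.0.7 10.0.0.11 3333",      /* retry to the same host: not a new target */
    "10.0.0.3 10.0.0.4 3333",       /* one legitimate internal client of the service */
    "10.0.0.3 10.0.0.4 22",
};

int sample_flow_count(void)
{
    return (int)(sizeof SAMPLE_FLOWS / sizeof SAMPLE_FLOWS[0]);
}

struct flow { char src[ADDR_LEN]; char dst[ADDR_LEN]; int dport; };

/* Parse one "src dst dport" line; %15s keeps each address inside ADDR_LEN. */
static int parse_flow(const char *line, struct flow *f)
{
    return sscanf(line, "%15s %15s %d", f->src, f->dst, &f->dport) == 3;
}

static int is_home(const char *addr)
{
    return strncmp(addr, HOME_PREFIX, strlen(HOME_PREFIX)) == 0;
}

/* What the Snort rule sees: external -> $HOME_NET on port 3333. */
int count_external_vuln_attempts(const char *const *lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        struct flow f;
        if (!parse_flow(lines[i], &f)) continue;
        if (f.dport == VULN_PORT && !is_home(f.src) && is_home(f.dst)) hits++;
    }
    return hits;
}

/* What the Snort rule misses: an already-infected internal host scanning the
 * rest of the network. Counts the distinct destinations `src` contacted on 3333. */
int vuln_port_fanout(const char *const *lines, int n, const char *src)
{
    char seen[MAX_SEEN][ADDR_LEN];
    int nseen = 0;
    for (int i = 0; i < n && nseen < MAX_SEEN; i++) {
        struct flow f;
        if (!parse_flow(lines[i], &f)) continue;
        if (f.dport != VULN_PORT || strcmp(f.src, src) != 0) continue;
        int dup = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(seen[j], f.dst) == 0) { dup = 1; break; }
        if (!dup) strcpy(seen[nseen++], f.dst);
    }
    return nseen;
}

/* Fan-out of at least `threshold` distinct hosts is the scanning signature. */
int is_scanning(const char *const *lines, int n, const char *src, int threshold)
{
    return vuln_port_fanout(lines, n, src) >= threshold;
}

int main(void)
{
    int n = sample_flow_count();
    printf("external attempts on %d: %d\n", VULN_PORT,
           count_external_vuln_attempts(SAMPLE_FLOWS, n));
    printf("10.0.0.7 fan-out: %d (scanning: %d)\n",
           vuln_port_fanout(SAMPLE_FLOWS, n, "10.0.0.7"),
           is_scanning(SAMPLE_FLOWS, n, "10.0.0.7", 3));
    return 0;
}
```

On the sample, the rule-equivalent check fires once (the external probe) while the fan-out check singles out 10.0.0.7, which has touched four different hosts on 3333; the legitimate client 10.0.0.3 stays below the threshold.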


    #include <stdio.h>
    #include <string.h>
    #include <strings.h>   /* bzero */

    #define BUFFER_SIZE 16

    // sockfd is a socket file descriptor to a client
    void svcHandle(int sockfd)
    {
        char userinput[BUFFER_SIZE];
        /* ... */
        bzero(userinput, BUFFER_SIZE);
        printf("1- Input:%s(%d)\n", userinput, (int)strlen(userinput));
        printf("please input a 16 character string:\n");
        gets(userinput);   /* no length limit: anything longer than 16 bytes overflows userinput */
        printf("2- Input:(%d)\n", (int)strlen(userinput));
        /* ... */
    }


Vulnerability to buffer overflow!! gets() copies the whole input line into the 16-byte userinput array without checking its length.

What’s the fix?

Use fgets and pass the buffer size, so at most BUFFER_SIZE - 1 bytes are ever written into userinput.
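An added example (my own code, not the lab's vuln_service) of the fix the slide names. The bounded reader below replaces the gets() call: it reads with fgets() and the real buffer size, always NUL-terminates, strips the newline that fgets keeps, and drains the rest of an over-long line so the excess can never be written past the buffer or misread as the next request. The fmemopen() helpers feed constructed input through it so the behaviour can be checked offline.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the demo helpers */
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 16   /* same buffer size the lab's service used */

/* Bounded replacement for gets(userinput) in svcHandle().
 * Stores at most bufsize-1 bytes, always NUL-terminates, strips the trailing
 * newline, and discards the remainder of an over-long line.
 * Returns the number of bytes stored, or -1 on EOF/error. */
int read_line_bounded(FILE *in, char *buf, size_t bufsize)
{
    if (bufsize == 0 || fgets(buf, (int)bufsize, in) == NULL) {
        if (bufsize > 0) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';                 /* complete line: drop the newline */
    } else {
        int c;                             /* line longer than the buffer: */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                              /* drain it instead of overflowing */
    }
    return (int)len;
}

/* Demo helper: stored length of the first line of a constructed input stream. */
int first_line_len(const char *constructed_input)
{
    char buf[BUFFER_SIZE];
    FILE *in = fmemopen((void *)constructed_input, strlen(constructed_input), "r");
    if (in == NULL) return -1;
    int n = read_line_bounded(in, buf, sizeof buf);
    fclose(in);
    return n;
}

/* Demo helper: how many requests a handler would process from the stream.
 * Because over-long lines are drained, a 32-byte "request" counts once rather
 * than being split into several bogus follow-up requests. */
int request_count(const char *constructed_input)
{
    char buf[BUFFER_SIZE];
    int count = 0;
    FILE *in = fmemopen((void *)constructed_input, strlen(constructed_input), "r");
    if (in == NULL) return -1;
    while (read_line_bounded(in, buf, sizeof buf) >= 0) count++;
    fclose(in);
    return count;
}

int main(void)
{
    printf("short line stores %d bytes\n", first_line_len("hello\n"));
    printf("32-byte line stores %d bytes (capped at %d)\n",
           first_line_len("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"), BUFFER_SIZE - 1);
    printf("over-long line followed by one more counts as %d requests\n",
           request_count("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nls\n"));
    return 0;
}
```

The point of the drain loop is the part the slide's one-line answer leaves out: fgets alone is memory-safe, but without discarding the leftover bytes the next call would silently return the tail of the oversized line as a fresh request.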

AnnaKournikova Worm

  • Pictures of Anna Kournikova are amongst the most popular on the internet

  • Launches a viral Visual Basic Script that forwards itself to everybody in your Microsoft Outlook address book.

  • On January 26th it connects to

  • Clogs mailservers

  • Removal:

    • Requires a system reboot to kill the running worm

    • Removal of the e-mail message and its attachment

    • Removal of the AnnaKournikova.jpg.vbs file in the Windows directory

    • Removal of the registry key: HKCU\software\OnTheFly\mailed

Defend Against Worms

  • Close any unused network services

  • Patch your system!

  • Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected

  • Scan each attachment for viruses and worms before opening


Viruses

“A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an "infection", and the infected file is called a "host". Generally computer viruses cannot directly damage hardware, but only software.” - Wikipedia


  • Vscr2.c

    /* this is the new close() that replaces the one in the stdio.h
     * library, as can be seen it executes the virus functionality
     * before it closes the file */
    int close(int fd)
    {
        virfunc();          /* execute virus */
        return Close(fd);   /* close the file */
    }


  • This exploit puts a hacked copy of stdio.h in /usr/local/include; if that file exists, the compiler finds it before /usr/include/stdio.h, because /usr/local/include comes first in the default system include search path.


  • test_virus.c

    #include <stdio.h>

  • This resolves to the stdio.h in /usr/local/include, i.e. the hacked copy

  • Once test_virus.c is compiled, the resulting binary is infected

  • Any new host that runs this binary is infected by the virus carried in from stdio.h


  • Which source code is malicious, Vscr2.c or test_virus.c?


  • Why is the second Linux machine infected by a virus?

    Propagated through test_virus

  • If you use a Linux machine, download the file test_virus, and run it, will your system be infected?


  • How do you prevent computer virus?

    • Use software from trusted sources

    • Test new/suspicious item on isolated machine

    • Employ and update virus detectors

  • What are some notable differences between worms and viruses in how they infect a system?

    • Virus: requires human interaction to spread; damage can be severe

    • Worms: can travel without the help of a person; generally for annoyance

Worm Generator

  • Ssiwg.exe – Senna Spy Internet Worm Generator

    • Outlook and network compatible

    • Windows 95, 98, NT, 2000, XP

    • Generate VB script code

  • Similarity to AnnaKournikova – How does it spread?

    • Both use OUTLOOK to spread

    • CreateObject("Outlook.Application")

  • Prevention techniques:

    • Scan your computer for viruses regularly!!

    • Do not open unknown email attachments!!

802.11 Overview

  • IEEE 802.11 denotes a set of wireless standards defined by the IEEE

  • Most popular include 802.11a/b/g

  • 802.11a is in the 5 GHz band, b/g are in the 2.4 GHz band

  • 802.11i is intended to improve security

Wireless Network Security

  • Service Set Identifier (SSID)

    • Need to turn off SSID broadcast

    • Most people keep it on default mode

  • MAC address filtering

    • Allows only a set list of network cards to connect

    • Can be bypassed using MAC spoofing

  • WEP-Wired Equivalent Privacy

Router Scan

  • Use NmapFE to scan router

  • Determine the type of router

  • The default login/password for the D-Link router is:

    • Login: admin

    • Password: blank (nothing)

  • Advantage HACKER!!!

Unencrypted Traffic

  • Used Ethereal to sniff unencrypted packets

  • Prevention?

    • Difficult to detect actual attacker

    • Use secure protocols - SFTP, SSH

    • VPN Solution for secure connection between two points

  • Disadvantage of leaving traffic unencrypted

    • Information can be read and intercepted by any legitimate or illegitimate user on the network

MAC Address Filtering

  • Access allowed to trusted MAC addresses ONLY

  • With MAC filtering an attacker cannot connect to the network directly

  • However, this can be easily exploited using MAC spoofing

MAC Address Filtering (continued)

  • Used Kismet to see active MAC addresses on the network

    • Kismet works passively

    • Does not send any loggable packets

    • Detects wireless APs and wireless clients, and associates them with each other

  • Can sort the networks by the SSID

  • Checked for the wireless_ece4112 network

MAC Address Spoofing

  • Obtained MAC addresses from Kismet

  • Changed the attacker's MAC & IP to gain access

    • Why both?

      • Keeps MAC-IP pairing intact

      • Can bypass ArpWatch alarms

      • Perform Man-in-the-middle attacks

Wired Equivalent Privacy (WEP)

  • Uses stream cipher RC4 for confidentiality

  • Uses CRC-32 checksum for integrity

  • Has two key sizes, 40-bit and 104-bit, each combined with a 24-bit IV to form the per-packet RC4 key

  • The same traffic key must never be used twice

    • The purpose of an IV, which is transmitted as plaintext, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network.

  • Two generic weaknesses:

    • WEP usage was optional

    • Relies on a single shared key
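The "same traffic key must never be used twice" point above is worth seeing in code. The added example below (my own code, not from the lab) builds WEP-style encryption from a minimal RC4 with the per-packet key IV || shared key, then shows that two packets sent under the same IV leak the XOR of their plaintexts to a passive listener without any knowledge of the key, while a fresh IV does not. It also computes the birthday-bound probability that an IV value repeats among n packets when IVs are drawn at random from the 24-bit space (cards that simply count upward wrap after exactly 2^24 packets instead). The key, the IVs and the two packet payloads are constructed demo values.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define IV_LEN 3            /* WEP's 24-bit per-packet IV, sent in the clear */
#define WEP_KEY_LEN 5       /* 40-bit shared key; 104-bit behaves the same */
#define MAX_PKT 64
#define IV_SPACE (1UL << 24)

/* Minimal RC4 (key scheduling + keystream generation), demo use only. */
static void rc4_keystream(const uint8_t *key, size_t keylen, uint8_t *out, size_t n)
{
    uint8_t S[256];
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    int i = 0, j = 0;
    for (size_t k = 0; k < n; k++) {
        i = (i + 1) & 0xff;
        j = (j + S[i]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = S[(S[i] + S[j]) & 0xff];
    }
}

/* WEP-style framing: per-packet RC4 key = IV || shared key, C = P xor keystream. */
static void wep_encrypt(const uint8_t iv[IV_LEN], const uint8_t *key, size_t keylen,
                        const uint8_t *pt, uint8_t *ct, size_t n)
{
    uint8_t perpacket[IV_LEN + 13];
    uint8_t ks[MAX_PKT];
    memcpy(perpacket, iv, IV_LEN);
    memcpy(perpacket + IV_LEN, key, keylen);
    rc4_keystream(perpacket, IV_LEN + keylen, ks, n);
    for (size_t k = 0; k < n; k++) ct[k] = pt[k] ^ ks[k];
}

/* Returns 1 if C1 xor C2 == P1 xor P2 for every byte: the two packets shared a
 * keystream and an eavesdropper learns P1 xor P2 without the shared key. */
int keystream_reuse_leaks(const uint8_t iv1[IV_LEN], const uint8_t iv2[IV_LEN])
{
    static const uint8_t key[WEP_KEY_LEN] = {0x1f, 0x2e, 0x3d, 0x4c, 0x5b}; /* constructed */
    static const uint8_t p1[] = "GET /login HTTP/1.0";   /* constructed packet 1 */
    static const uint8_t p2[] = "POST /data HTTP/1.0";   /* constructed packet 2, same length */
    size_t n = strlen((const char *)p1);
    uint8_t c1[MAX_PKT], c2[MAX_PKT];
    wep_encrypt(iv1, key, WEP_KEY_LEN, p1, c1, n);
    wep_encrypt(iv2, key, WEP_KEY_LEN, p2, c2, n);
    for (size_t k = 0; k < n; k++)
        if ((c1[k] ^ c2[k]) != (p1[k] ^ p2[k])) return 0;
    return 1;
}

int demo_same_iv(void)                       /* IV reused: expected 1 */
{
    static const uint8_t iv[IV_LEN] = {0x0a, 0x0b, 0x0c};
    return keystream_reuse_leaks(iv, iv);
}

int demo_fresh_iv(void)                      /* IV changed by one byte: expected 0 */
{
    static const uint8_t iv1[IV_LEN] = {0x0a, 0x0b, 0x0c};
    static const uint8_t iv2[IV_LEN] = {0x0a, 0x0b, 0x0d};
    return keystream_reuse_leaks(iv1, iv2);
}

/* Birthday bound: probability that at least one IV repeats among n packets whose
 * IVs are drawn uniformly from the 2^24 space (exact product form, no libm). */
double iv_collision_probability(long n)
{
    double no_repeat = 1.0;
    for (long i = 0; i < n; i++) no_repeat *= 1.0 - (double)i / (double)IV_SPACE;
    return 1.0 - no_repeat;
}

int main(void)
{
    printf("same IV leaks P1^P2: %d, fresh IV leaks P1^P2: %d\n", demo_same_iv(), demo_fresh_iv());
    printf("P(IV repeat after 5000 random packets) = %.3f\n", iv_collision_probability(5000));
    return 0;
}
```

With random IVs a repeat is more likely than not after only about 5000 packets, which on a busy access point is a matter of seconds; that is the sense in which "a 24-bit IV is not long enough".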

Breaking WEP

  • Airodump collects packets

  • Aircrack is used on the output file from Airodump

  • It uses “interesting” IVs to break the WEP key

  • With ~88,000 unique IVs collected, Aircrack broke the key


  • Why is Aircrack so effective?

    • Vulnerability in the Security Protocol itself

    • Combines FMS with Korek attacks

    • Makes it the fastest and most effective attack

  • Preventing aircrack attacks?

    • Greater key lengths

      • Only stalls hackers for longer

    • WPA

Fake Access Point

  • The tool we used allowed us to setup our wireless card as an access point

  • “Deauthenticated” a client from his AP

  • Client connects to our fake AP

  • By forging a web page we can potentially steal important login information

  • This attack is very hard for the victim to realize until it is far too late

    • How can we prevent this?

      • Verisign, SSL Logos

      • Check URL to make sure it is what you expect