lab 8 summary worms viruses wep n.
Skip this Video
Loading SlideShow in 5 Seconds..
Lab 8 Summary Worms, Viruses, WEP PowerPoint Presentation
Download Presentation
Lab 8 Summary Worms, Viruses, WEP

Lab 8 Summary Worms, Viruses, WEP

168 Views Download Presentation
Download Presentation

Lab 8 Summary Worms, Viruses, WEP

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Lab 8 SummaryWorms, Viruses, WEP Group 15 Matt Peter Pranav Sawjiany Group 17 Neha Jain Ayaz Lalani

  2. Outline • Worms • SQL Slammer: SPOC worm • Real World worm: AnnaKournikova • Viruses • Worm Generator • Wireless Security • Wired Equivalent Privacy (WEP) • Aircrack

  3. Worms “A computer worm is a self-replicating computer program that propagates copies of itself via a network. A worm is self-contained and does not need to be part of another program to propagate itself. They are often designed to exploit the file transmission capabilities found on many computers. A worm uses a network to send copies of itself to other systems and it does so without any intervention. Worms harm the network and consume bandwidth.” - Wikipedia

  4. Worms • SPOC Worm • Uses “vuln_service” • Opens TCP socket on Port 3333 • Propagates using buffer overflow vulnerability • Infected machine begins scanning network

  5. Worms • How do you detect the presence of such worms? • CPU usage jumps to nearly 100% • Run honeypot using dummy service • Network Analyzer / Antivirus / Firewall • How could the worm bypass detection? • Use a “common port” such as port 80 • What is the growth rate of the SPOC worm given a network with many copies of the vulnerable service running? • Exponential!

  6. Worms • Rule for Snort that will detect the worm: alert tcp $External _NET any $ Home 3333 (msg: “vuln_serve Attempt”) • What do you do if you are responsible for the server? • Disconnect from the network • Check AIDE Database • Use a rootkit detection tool to detect the presence of any rootkits

  7. Worms // sockfd is a socket file descriptor to a client void svcHandle(int sockfd) { .. } .. .. bzero( userinput, BUFFER_SIZE); printf( "1- Input:%s(%d)\n", userinput, strlen(userinput)); printf( "please input a 16 character string:\n"); gets( userinput); printf( "2- Input:(%d)\n", strlen(userinput)); } What’s the fix? Use fgets and the Buffer size Vulnerability to buffer Overflow!!

  8. AnnaKournikova Worm • Pictures of Anna Kournikova are amongst the most popular on the internet • Launches a viral Visual Basic Script that forwards itself to everybody in your Microsoft Outlook address book. • On January 26th it connects to • Clogs mailservers • Removal: • Requires a system reboot to kill the running worm • Removal of the e-mail message and its attachment • Removal of the AnnaKournikova.jpg.vbs file in the windows directory • Removal of the registry key: HKCU\software\OnTheFly\mailed

  9. Defend Against Worms • Close any unused network services • Patch your system! • Use a properly configured firewall to help protect your system and help isolate the worm once your system is infected • Scan each attachment for viruses and worms before opening

  10. Viruses “A virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of a virus into the program is termed as an "infection", and the infected file is called a "host". Generally computer viruses cannot directly damage hardware, but only software.” - Wikipedia

  11. Viruses • Vscr2.c /* this is the new close() that replaces the one in the stdio.h * library, as can be seen it executes the virus functionality * before it closes the file */ int close(int fd) { virfunc(); /* execute virus */ return Close(fd); /* close the file */ } • This exploit is going to put a hacked copy of stdio.h in /usr/local/include which will be used (if it exists) before the copy in /usr/include/stdio.h will be used.

  12. Viruses • test_virus.c #include <stdio.h> • References the stdio.h file in /usr/local/include • Once test_virus.c is compiled it is affected • Any new host that runs this file will be infected by the virus because of stdio.h

  13. Viruses • Which source code is malicious, Vscr2.c or test_virus.c? Vscr2.c • Why is the second Linux machine infected by a virus? Propagated through test_virus • If you use a Linux machine, download the file test_virus, and run it, will your system be infected? Yes • How do you prevent computer virus? • Use software from trusted sources • Test new/suspicious item on isolated machine • Employ and update virus detectors • What are some notable differences between worms and virus in respect to how they infect a system? • Virus: Requires human interaction to spread; damage can be severe • Worms: Can travel without the help of a person; generally for annoyance

  14. Worm Generator • Ssiwg.exe – Senna Spy Internet Worm Generator • Outlook and network compatible • Windows 95, 98, NT, 2000, XP • Generate VB script code • Similarity to AnnaKournikova – How does it spread? • Both use OUTLOOK to spread • “CreateObject (“Outlook.application”)” • Prevention techniques: • Scan your computer for viruses regularly!! • Do not open unknown email attachments!!

  15. 802.11 Overview • IEEE 802.11 denotes a set of wireless standards definied by IEEE • Most popular include 802.11a/b/g • 802.11a is in the 5GHz band, b/g is in the 2.4GHz band • 802.11i is intended to improve security

  16. Wireless Network Security • Service Set Identifier (SSID) • Need to turn off SSID broadcast • Most people keep it on default mode • MAC address filtering • Allows only a set list of network cards to connect • Can be bypassed using MAC spoofing • WEP-Wired Equivalent Privacy

  17. Router Scan • Use NmapFE to scan router • Determine the type of router • The default login/password for D-link router is: • Login: admin • Password: blank (nothing) • Advantage HACKER!!!

  18. Unencrypted Traffic • Used Ethereal to sniff unencrypted packets • Prevention? • Difficult to detect actual attacker • Use secure protocols - SFTP, SSH • VPN Solution for secure connection between two points • Disadvantage of leaving traffic unencrypted • Information can be read and intercepted by any legitimate or illegitimate user on the network

  19. MAC Address filtering • Access allowed to trusted MAC addresses ONLY • With MAC filtering attacker cannot connect to the network • However, this can be easily exploited using MAC spoofing

  20. MAC Address filtering • Used Kismet to see active MAC addresses on the network • Kismet works passively • Does not send any loggable packets • Detects wireless AP’s and wireless clients, and associates them to each other • Can sort the networks by the SSID • Checked for the wireless_ece4112 network

  21. MAC Address Spoofing • Obtained MAC addresses from Kismet • Changed attackers MAC & IP to gain access • Why both? • Keeps MAC-IP pairing intact • Can bypass ArpWatch alarms • Perform Man-in-the-middle attacks

  22. WEP • Uses stream cipher RC4 for confidentiality • Uses CRC-32 checksum for integrity • Has 2 Key sizes: 40 bit and 104 bit + (24 bit) IV • The same traffic key must never be used twice • The purpose of an IV, which is transmitted as plaintext, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. • Two generic weakness: • WEP usage was optional • Relies on a single shared key

  23. Breaking WEP • Airodump collects packets • Aircrack is used on the output file from Airodump • It uses “interesting” IVs to break the WEP key • ~88,000 unique IVs and Aircrack broke the key

  24. Aircrack • Why is Aircrack so effective? • Vulnerability in the Security Protocol itself • Combines FMS with Korek attacks • Makes it the fastest and most effective attack • Preventing aircrack attacks? • Greater key lengths • Only Stalls hackers for longer • WPA

  25. Fake Access Point • The tool we used allowed us to setup our wireless card as an access point • “Deauthenticated” a client from his AP, • Client connects to our fake AP • By forging a web page we can potentially steal important login information • This attack is very hard for the victim to realize until it is far too late • “How can we prevent this? • Verisign, SSL Logos • Check URL to make sure it is what you expect