Understanding Network Attacks

  

Any computer that is on the Internet is susceptible to attack. The attack may not succeed, but it is an attack nevertheless. Attackers may continually probe a system for vulnerabilities and keep track of the weaknesses they find. It is up to the organization, and to the individual, to watch those attackers just as diligently, so as to judge where attacks have occurred and where they are headed.

If an organization does not monitor its networks and systems, it can be attacked without ever knowing it, and a company that does not know it has been attacked may discover that its private information has become public only after it is too late. Any anomaly on a network should be investigated to ensure that security has not been breached. Many companies spend a great deal of money checking the integrity of their networks; some have rooms full of network engineers watching the packets on them.

Network monitoring terms

Network monitoring software is easy to obtain, and the traffic on any network segment an attacker can reach (from a compromised host on that segment, a tap, or a router along the path) can be sniffed. Sniffing a network means observing the protocol packets as they pass. Anyone who understands the socket Application Programming Interface (API), or a raw packet capture interface, can write specialized sniffers and redirectors. By sniffing packets, the hacker can decode the frame data, and the frame may include plaintext passwords. Once the packets on the network are understood, they can be used for impersonation or redirection. Figure 2-3 demonstrates the sniffer technique.

Figure 2-3: Network sniffing
Note  

The Socket API is supported on multiple systems and languages and is used to support network programming. However, it can also be misused for attacks.

Sniffing the network for a host

Many network programs and applications are described as sniffers; a simple search-engine query provides a list, and one site is www.sniffer.com . The purpose of a sniffer application is to provide packet and statistics information for the protocol packets being transmitted on a network. Some sniffers are programs run on a host; others are hardware that is plugged into the network. An example of a sniffer that doesn't require a host computer is the Fluke LanMeter, which I helped develop. If the frame being sniffed is Ethernet, it contains the destination and source hardware (MAC) addresses, a type field identifying the protocol carried (for instance, 0800h for IP), the data payload, and a cyclic redundancy check; the synchronization preamble that precedes each frame on the wire is consumed by the adapter and is not normally captured. If there is any plaintext information in the payload, such as a password, it can be observed. Firewalls filter on the source and destination addresses and ports carried inside the frame, and on the TCP flags (such as SYN) that mark the start of a connection. Once the hacker knows what the firewall accepts, he can forge those fields so that the firewall believes the packet came from a trusted location.

Some operating systems ship with the protocol utilities mentioned below for examining the network; on those that do not, the utilities can be downloaded as separate packages. A starting point for learning about services and ports is your own machine. Files commonly searched for information are /etc/services , /etc/hosts , /etc/networks , and /etc/protocols . The /etc/services file contains entries that map a port number and protocol type (tcp or udp) to a service name. Listing 2-1 shows the entries for the File Transfer Protocol (FTP).

Tip  

Because hackers are familiar with the Request for Comments (RFCs) and explore the weaknesses in the protocols they define, you should be at least familiar with the RFCs too. The site www.ietf.org provides network protocol information and specifications.

Listing 2-1: FTP entries
start example
 ftp-data           20/tcp                        # FTP, data
 ftp                21/tcp                        # FTP, control
end example
 

Listing 2-1 shows that FTP data is carried over TCP at port 20 and that the FTP control connection is at port 21. This is valuable information for a hacker: the file does not say what a particular host is running, but it tells him which service conventionally lives behind each port that a scan finds open.

Caution  

Some applications use the hosts and services files to establish their connectivity, so tampering with these files can redirect a service to a different port or host and allow a hacker to impersonate the service.

For Java sockets, the InetAddress class has the getByName() method, which hands the name to the platform's resolver; on most systems that resolver consults the /etc/hosts file first and performs a DNS lookup only if the name is not found there, according to how DNS is set up on the machine. Changing the hosts file therefore changes which host an application using this method connects to.

Tip  

Java sockets do not support the getservbyname() functionality for retrieving information from the services file.

The hacker's arsenal of utilities

Some of the hacker's arsenal includes the whois utility, the ping utility, and the traceroute utility. The whois utility queries the public registration records for a domain name or address block: the registrant, its contacts, and the name servers, which in turn reveal the hosts an organization has made publicly visible through the Domain Name System (DNS). The ping utility is used to see whether a computer is active on the network and reports the round-trip time to the target host and back. The traceroute utility does one better and gives hop information, which is the IP address of each device between the source and the target host. These utilities use common network protocols, can be picked up almost anywhere, and are used to find the target computer and the computers surrounding it. Finding a nearby host with less security helps hackers launch their attacks: they can attack from the nearby machine and check back on it occasionally when they think it is safe.

Cross-Reference  

See Chapter 21 for more information on ping and network security.

The uninvited "guest"

Other utilities used by hackers include telnet and FTP. A typical example of what a hacker can do is log in to firewalls and routers over the telnet protocol with a "guest" account, if one is enabled. The login process often produces screen output that is useful to the hacker, such as the type of device and the software version. The hacker can then try a password cracker to guess a valid username and password.

FTP provides a means to copy files to and from network devices. For that to become an avenue of attack, the device's FTP service and file permissions must be misconfigured, but sometimes the hacker gets lucky and the system wasn't set up correctly. Firewalls and routers are complicated network devices to set up, and network administrators need years of training and experience to configure them correctly. The hacker's advantage is that he may be more experienced with the device and with the holes found in it; holes in network devices are published on hacker sites and in books. Many network devices also expose their routing tables and firewall rules, and some of those tables allow read access to every member of the organization. By reading a routing table, a hacker can learn how the organization's networks are configured. Figure 2-4 demonstrates an attack on a target machine from a nearby machine.

Figure 2-4: Attacks from a nearby local machine
Note  

The closer a hacker's position on the network is to a machine, the more he can focus an attack on that particular machine. For instance, if the hacker has access to a machine in the same subnet as the target, the attack is easier because he is already past the security measures established to protect the subnet from outside.

Password crackers

If the password and other vital information are not visible in packets from the network traffic, a hacker may use a password cracker. Password crackers use dictionary attacks and brute-force attacks. A dictionary attack takes a list of likely passwords and tries every word in it; a brute-force attack tries every possible combination of characters up to some length.

Many systems that fear this attack will disable a user's account after some number of incorrect passwords. Once the account is disabled, the user can no longer log in, so a lockout policy is itself a lever for a denial of service attack: an attacker who deliberately fails logins against every account can lock everyone out. If the entire user set, including the administrator users, is denied login, the system cannot be accessed again unless there is a backdoor. A backdoor is a login that bypasses most of the enforced security mechanisms.

Note  

In a brute-force attack the attacker tries every candidate, such as all possible combinations of six letters; a dictionary attack tries only the words in a list, which is far fewer guesses. Because passwords are small (by cryptographic standards), they can be determined in a very short period of time (days, hours, or even seconds), depending on the skill of the attacker, the system, and the password itself.
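The following Python is an added example, not code from the chapter, showing both sides of the preceding paragraphs: an offline dictionary attack and an exhaustive brute-force search against a captured salted hash, and an online login service whose lockout rule stops the guessing but lets the same guesses lock a victim out. The credential store, salt scheme (SHA-256 over salt and password), user names and word list are all constructed for the example.

```python
"""Dictionary and brute-force cracking of a captured salted hash, and the
account-lockout rule that turns online guessing into a denial of service.
Added example; the store, salts, users and word list are constructed."""
import hashlib
import hmac
import itertools


def pw_hash(salt: bytes, password: str) -> bytes:
    """Constructed hash scheme for the example: SHA-256(salt || password)."""
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed "stolen" credential store: {user: (salt, hash)}.
STOLEN = {
    "alice": (b"n1", pw_hash(b"n1", "dragon")),
    "bob":   (b"n2", pw_hash(b"n2", "Tr0ub4dor&3")),
    "carol": (b"n3", pw_hash(b"n3", "zap")),
}
DICTIONARY = ["password", "123456", "letmein", "dragon", "qwerty"]


def dictionary_attack(salt: bytes, target: bytes, words):
    """Offline: hash each candidate with the stored salt and compare.
    Runs at CPU speed on the attacker's machine; no lockout applies."""
    for word in words:
        if hmac.compare_digest(pw_hash(salt, word), target):
            return word
    return None


def brute_force(salt: bytes, target: bytes, alphabet: str, max_len: int):
    """Exhaustive search, what the Note calls 'all combinations of six
    letters'; cost grows as len(alphabet) ** length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hmac.compare_digest(pw_hash(salt, candidate), target):
                return candidate
    return None


class LoginService:
    """Online side: lock an account after `limit` failures. This defeats
    online guessing, but anyone who guesses wrong on purpose can lock
    the real user out (denial of service)."""

    def __init__(self, store: dict, limit: int = 5):
        self.store, self.limit = store, limit
        self.failures = {user: 0 for user in store}
        self.locked = set()

    def login(self, user: str, password: str) -> str:
        if user not in self.store:
            return "no such user"
        if user in self.locked:
            return "locked"
        salt, target = self.store[user]
        if hmac.compare_digest(pw_hash(salt, password), target):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.limit:
            self.locked.add(user)
            return "locked"
        return "bad password"


def online_attack(service: LoginService, user: str, words) -> list:
    """Feed the dictionary through the login API; the result list shows
    where the lockout cuts the attack off."""
    return [service.login(user, word) for word in words]


if __name__ == "__main__":
    salt, digest = STOLEN["alice"]
    print("offline dictionary:", dictionary_attack(salt, digest, DICTIONARY))
    salt, digest = STOLEN["carol"]
    print("offline brute force:", brute_force(salt, digest, "abcdefghijklmnopqrstuvwxyz", 3))
    service = LoginService(STOLEN, limit=3)
    print("online dictionary:", online_attack(service, "alice", DICTIONARY))
    print("victim with correct password:", service.login("alice", "dragon"))
```

The offline attack succeeds for alice because "dragon" is in the list and fails for bob because his password is not; the online attack against alice is cut off after three failures, after which alice's own correct password is also refused, which is the denial of service the text describes.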

Another useful utility in the hacker's arsenal is the port scanner. The port scanner probes the ports on a remote machine to see which are listening. If port 20 and port 21 are open, the hacker can consult the file in Listing 2-1 and infer that the remote computer is running an FTP service. The /etc/services file lists the ports that services conventionally use, and administrators rarely deviate from it: a non-FTP service placed on port 20 or 21 will have problems, because FTP clients on the Internet will try to connect to those ports. The port number is only a convention, though, so a careful hacker confirms what is listening by connecting and reading the banner. Once access is granted on a machine, even as a guest, files can be read, the running processes determined, and the locally logged-on users observed. The netstat utility shows which ports are currently in use by services, and the ps utility shows the other processes running on the machine. Even a guest has access to many of these utilities.
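As an added example (not code from the chapter), the following Python does what the paragraph above describes: it parses a services table in the /etc/services format of Listing 2-1, performs a TCP connect() scan, and labels each open port with its conventional service name. The services text is a constructed excerpt; the demonstration scans the loopback interface, against a listener the script itself opens, so that it runs offline.

```python
"""Connect() port scan with /etc/services labelling. Added example, not
from the chapter; SERVICES_TEXT is a constructed excerpt in the format
of Listing 2-1, and the scan targets a listener this script opens."""
import socket

SERVICES_TEXT = """\
# constructed excerpt in /etc/services format
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
domain          53/udp
http            80/tcp
"""


def parse_services(text: str) -> dict:
    """Return {(port, proto): name}; comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(int(port), proto)] = name
    return table


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect() scan: a completed handshake means a listener is there.
    Returns {port: True if open, False otherwise}."""
    result = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            result[port] = sock.connect_ex((host, port)) == 0
    return result


def label(scan: dict, services: dict, proto: str = "tcp") -> dict:
    """Attach the conventional service name to each open port. The name is
    only a convention; what is really behind the port has to be confirmed
    by talking to it (a banner grab), not assumed from the number."""
    return {port: services.get((port, proto), "unknown")
            for port, is_open in scan.items() if is_open}


def demo_on_loopback() -> dict:
    """Open one listener on an ephemeral port, pick a second port that was
    just released (so it is closed), scan both, and label the result."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                       # nothing listens here now
    try:
        scan = connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open": open_port, "closed": closed_port, "scan": scan,
            "labels": label(scan, parse_services(SERVICES_TEXT))}


if __name__ == "__main__":
    print(demo_on_loopback())
```

The ephemeral listener is labelled "unknown" because no services entry covers its port, which is exactly the case where the scanner's inference from port number alone breaks down.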

Other information about access can be found at Web sites, such as e-mail addresses for contacts, information about the founders of the organization, and where the organization is located. Social engineering can be used in conjunction with some of this information. For example, if the IT department is listed on the Web site, the hacker can call and complain about not being able to log in to his account. If the hacker is believable, the IT department may be helpful.

IT impersonations

Another method is for the hacker to contact a salesperson and act as if he is from the IT department. This works best when the salesperson is telecommuting. The hacker tells the salesperson that there is a software upgrade or new software that must be installed and provides an FTP address from which to download the file; the file can be tainted for the hacker's use. Or the hacker can say there is an issue with the salesperson's computer and that he (the hacker) needs to log in to fix it. Once a hacker has access to a system, he can use FTP or e-mail to transfer files to his own machine, and if the files are writable, he can transfer his own versions back to overwrite key files.

Sniffing tools provide packet information. Some of the first sniffers were hardware sniffers from companies such as Network General; now sniffers can easily be run on ordinary hosts. Listing 2-2 gives a fragment of sniffer output for a telnet packet.

Note  

The following screen dump was made by the "analyzer" product, a free sniffer found at http://analyzer.polito.it/ . Another free, open-source sniffer is Ethereal, at http://www.ethereal.com/ . For more powerful port scanners and protocol sniffers, I recommend visiting http://www.tigertools.net .

Listing 2-2: Sniffer output example
start example
 ----- General -----
 Item number 1, position in logfile 1%
 Timestamp: 14h:23m:00s:367000us
 ----- Description -----
 Item type: Partial frame, 62 bytes available
 Frame size is 62 (3E hex) bytes
 ----- MAC Header ----- [0-13]
 Destination = Computer 004854-0133F7 (Universal; Vendor: ???) - [0-5]
 Source = Computer 004854-013412 (Universal; Vendor: ???) - [6-11]
 Ethertype = 0800h (DOD IP) - [12-13]
 ----- IP v4 Header ----- [14-33]
 Version = 4 - {14-14}
 Header length = 5 bytes - {14-14}
 Type of service = 00h - [15-15]
   000. .... = priority 0 - {15-15}
   ...0 .... = normal delay - {15-15}
   .... 0... = normal throughput - {15-15}
   .... .0.. = normal reliability - {15-15}
 Total length = 48 bytes - [16-17]
 Identification = 8193 - [18-19]
 Flags = 4h - {20-20}
   0... .... = must be 0 - {20-20}
   .1.. .... = do not fragment - {20-20}
   ..0. .... = last fragment - {20-20}
 Fragment offset = 0 bytes - {20-20}
 Time to live = 128 seconds/hops - [22-22]
 Protocol = 6 (TCP [Transmission Control Protocol]) - [23-23]
 Header checksum = C6C4h - [24-25]
 Source address = [10.0.0.2] - [26-29]
 Destination address = [10.0.0.1] - [30-33]
 No IP options
 ----- TCP Header ----- - [34-61]
 Source port = 1037 (???) - [34-35]
 Destination port = 23 (telnet) - [36-37]
 Sequence number = 742731 - [38-41]
 Acknowledgement number = 0 - [42-45]
 Header length = 28 bytes - {46-46}
 Flags = 02h - [47-47]
   ..0. .... = No urgent pointer - {47-47}
   ...0 .... = No acknowledgement - {47-47}
   .... 0... = No push - {47-47}
   .... .0.. = No reset - {47-47}
   .... ..1. = SYN - {47-47}
   .... ...0 = No FIN - {47-47}
 Window = 8192 - [48-49]
 Checksum = F5A2h - [50-51]
 Urgent pointer = 0 - [52-53]
 Options = 8 bytes - [54-61]
   Code = 204 (MSS)
   Required MSS: 1029
   Other Options
 Next Protocol: Unsupported (s:1037,d:23) - [34-37]
 ----- Telnet ----- [0 byte(s) of data]
 ==========================================================================
 * 00 48 54 01  33 F7 00 48  54 01 34 12  08 00 45 00 [.HT.3..HT.4...E.]
 * 00 30 20 01  40 00 80 06  C6 C4 0A 00  00 02 0A 00 [.0 .@...........]
 * 00 01 04 0D  00 17 00 0B  55 4B 00 00  00 00 70 02 [........UK....p.]
 * 20 00 F5 A2  00 00 02 04  05 B4 01 01  04 02       [ .............]
end example
 

Listing 2-2 shows a decoded telnet packet: the Ethernet (MAC) header, the IP header, the TCP header, and the raw bytes of the frame. As you can see, the destination port is 23, the telnet port, and the packet is the opening SYN of a connection, so it carries no data yet; the login exchange that follows travels over the same connection and can be captured the same way. Knowing what is transmitted into and out of a computer is useful for gaining access to it.
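The following Python is an added example, not the analyzer tool's code or output: it decodes the 62 bytes from the hex dump at the bottom of Listing 2-2 (Ethernet, then IPv4, then TCP) and verifies both the IP header checksum and the TCP checksum, which requires the IP pseudo-header. Both verify, confirming the dump is an intact capture. The decoder also reads the MSS option straight from the bytes: 05 B4 encodes 1460, so the analyzer's "Required MSS: 1029" line does not agree with its own dump. The small service table and the set of plaintext-login ports are constructed for the example.

```python
"""Decode the 62-byte telnet SYN frame whose hex dump closes Listing 2-2
and verify its IPv4 and TCP checksums. Added example; the service table
below is constructed and not the real /etc/services file."""
import struct

# The four hex lines at the bottom of Listing 2-2, copied byte for byte.
FRAME_HEX = (
    "00485401 33F70048 54013412 08004500"
    "00302001 40008006 C6C40A00 00020A00"
    "0001040D 0017000B 554B0000 00007002"
    "2000F5A2 00000204 05B40101 0402"
)
FRAME = bytes.fromhex(FRAME_HEX.replace(" ", ""))

# Constructed lookup of the well-known ports this chapter discusses.
SERVICES = {20: "ftp-data", 21: "ftp", 23: "telnet"}
PLAINTEXT_LOGIN_PORTS = {21, 23}       # credentials cross the wire in clear


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words. A header whose own
    checksum field is included sums to 0xFFFF when it is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def mac(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_tcp_options(opts: bytes) -> dict:
    """Kind 0 = end, 1 = NOP, 2 = MSS, 4 = SACK permitted; others kept raw."""
    out, i = {}, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            out["nop"] = out.get("nop", 0) + 1
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            out["mss"] = struct.unpack("!H", body)[0]
        elif kind == 4:
            out["sack_permitted"] = True
        else:
            out["kind_%d" % kind] = body
        i += length
    return out


def parse_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> TCP; returns the fields a sniffer reports."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _ipsum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4            # IHL counts 32-bit words
    ip_hdr, segment = ip[:ihl], ip[ihl:total_len]
    if proto != 6:
        raise ValueError("not TCP: protocol %d" % proto)
    sport, dport, seq, ack, off_flags, window, _tcpsum, _urg = \
        struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    flag_names = [name for name, bit in (("FIN", 1), ("SYN", 2), ("RST", 4),
                                         ("PSH", 8), ("ACK", 16), ("URG", 32))
                  if off_flags & bit]
    # The TCP checksum also covers a pseudo-header: addresses, protocol, length.
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, proto, len(segment))
    return {
        "dst_mac": mac(dst), "src_mac": mac(src),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
        "ttl": ttl, "id": ident, "dont_fragment": bool(flags_frag & 0x4000),
        "ip_checksum_ok": checksum(ip_hdr) == 0xFFFF,
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": flag_names, "window": window,
        "options": parse_tcp_options(segment[20:data_off]),
        "tcp_checksum_ok": checksum(pseudo + segment) == 0xFFFF,
        "service": SERVICES.get(dport, "unknown"),
        "plaintext_login": dport in PLAINTEXT_LOGIN_PORTS,
        "payload": segment[data_off:],
    }


if __name__ == "__main__":
    for key, value in parse_frame(FRAME).items():
        print("%-16s %s" % (key, value))
```

A sniffer that flags every segment to port 21 or 23 in this way is the simplest detector for the plaintext-password exposure the text goes on to describe; the same decoder, applied to the later packets of the session, would hand back the typed username and password in the payload field.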

The packet is from a telnet session. If a secure shell (SSH) or other encryption is not used to shield the password, the plaintext password can be seen crossing the session, and a hacker can replay it to log in at a later time. The hacker can also use a port scanner rather than a packet sniffer to see which protocols a host supports. If no telnet server is running on the host, a hacker could even start one there and impersonate a telnet server.

A hacker has to give people a reason to log in to the telnet session, such as announcing that there is a new machine on which to deposit source code. Just knowing that a telnet server is available is reason enough to look for telnet packets on the network. Some telnet servers have a "guest" or "anonymous" user active, which gives a hacker some access to start with. Some telnet servers also have known bugs and issues, such as backdoors, that hackers can use to gain access.

Once inside the computer, it is important to understand the operating system. Just as it is important to understand the network for reaching and impersonating a connection, it is important to understand the operating system to impersonate processes.

Sniffing the system computer

Understanding the security of the operating system is important for impersonating secure processes or embedding a process into the operating system. Also, it is important to understand the security that is used for accessing file systems and device drivers. The file system is a type of device driver for accessing files. To have access to everything on the computer, the current user must be set to the system or administrator user.

Device drivers and system daemons normally have to be installed and managed by the system administrator. Even though a user might have minimal access on a computer, some of the daemon services and device drivers that are running in the background are running as the system user at all times. The daemon services and device drivers have to run as a system user to access some of the operating system resources. For this reason, anyone who has administration privileges on a machine may take over the machine because he has write permission to all system files on that machine. Other users may have access to read the system and the files but are very limited on write access.

A gold mine for hackers

In the Microsoft Windows operating systems, one gold mine for the hackers is the registry entries. The registry describes the operation and setup to the devices and many of the processes. The registry database can be protected from read and write access. Sometimes administrators may not set this up correctly, or the hacker might have somehow cracked the registry. If the hacker accesses the registry, the computer can be mapped out for further hacks. If write access is granted to the hacker, the hacker can replace device drivers and system services with his own.

The UNIX operating system differs in that configuration is held in environment settings and files, and the file system has a hierarchical layout prescribing where files belong, such as /dev for device nodes. The hacker can apply the same approach: modify the user's shell startup scripts (such as .profile or .cshrc) to redirect to his own processes and device drivers. The other difference is that on UNIX those startup scripts normally live under the user's home directory and run with the user's privileges.

The file system is a common place for most hacks. The file system is implemented by a device driver, such as NTFS (the Windows NT File System), and is tightly integrated with the operating system. If the driver is subverted or overwritten, it is possible to read and write every file on a device; however, that hack is very complicated and requires complete administrative access. A more passive hack is simply to read any files that are accessible, for information-gathering purposes.

Cracks to common encryption

Many users now encrypt their files using Microsoft Word or other applications, but cracks for some of these applications exist on hacker sites. When gathering information, a hacker looks for passwords for databases stored in files, or even e-mail files saved to the hard disk. Many users do not restrict read access on these files, and if others can read them, hackers may copy them to a different location to be cracked at a later time. A waiting hacker might also pick up any log files that an application leaves around. Log files usually give detailed information on how the application is behaving and sometimes on how it connects to other applications.

Among the files that are susceptible in J2EE applications are setup files that contain database credentials and deployment descriptors that describe the security of the application components. If any such file is readable by a user less privileged than the administrator, the hacker will probably target that user to get at the file. Once the hacker retrieves a database username and password and has access to the database, he can gain control of it and implement backdoor passwords. Then the chase for the hacker moves from the system administrator to the database administrator.

JSP cookies

Other J2EE artifacts used for information are the cookies set by Java Server Pages (JSP) and servlets. Cookies are small records saved on the user's machine to retain session state for a Web site. Some cookies store usernames and passwords that can be read straight out of the cookie file; others retain personal information used when logging on to the Web site. Cookies are kept per Web site visited, so a hacker who understands cookies and gains access to the cookie store on a machine can at a minimum learn which Web sites the user has visited. Knowing those sites, the hacker can start at one of them and try to impersonate the user, for instance by presenting a stolen session cookie.

A more active hack is to replace application setup files and deployment descriptors with the hacker's own version. The objective is to change the behavior of the application server. A hacker could only replace these files if he were granted write access to them. If the files were overwritten with the hacker's own files, he could create an identical server which would forward the credit card numbers to the hacker's private account. A hack like this would require a lot of skill and patience, but it can happen if requirements for the proper security on the files and file systems are not mapped out and enforced. Simply put, changing files on the system can change the behavior of the system.

Caution  

As you may already know, some of the most pervasive viruses live in the boot sector of the disk, ahead of the file system, and from there they can infect the files that the file system manages.

Unsafe memory

The file system is not the only part of the operating system that is susceptible to hackers. Memory, either cached or shared, is also a possible target in the operating system.

Note  

Shared memory is a block of memory that more than one process can read and write directly. Many operating systems support shared memory through the system's native language, such as C.

A hacker who has detailed knowledge of the memory system can peruse the memory allocation blocks and try to determine what is being loaded into memory. A person who has detailed knowledge of the operating system and its devices, such as NTFS, could use shared memory routines to try to rewrite a section of memory. Very few people can accomplish a hack like this one, and the operating system is prone to crash when something is written to a protected memory location.

Protected memory is memory that the operating system guards: a write without the required access permissions raises an operating system exception. In Windows NT, an unhandled exception in the system itself produces what is called a BSOD, or Blue Screen of Death. Ordinary programs are not part of the operating system and run in their own, separately protected address spaces. These programs can also be changed in memory, but doing so requires a detailed knowledge of the operating system and of assembly code.

Note  

Java doesn't use shared memory for interprocess communication and so doesn't have some of these security holes that can be exploited programmatically.

Debugging past and present

Because understanding the file system and operating system usually requires great skill, some hackers will instead try to change a system process by using the registry and the debug commands that are part of the operating system or application. When MS-DOS was prevalent, many users would simply use the DEBUG command to change how a program operated. Many operating systems still ship a debugger for examining an executable. With a debugger, the hacker can interrupt the normal operation of an executable, and Java applications are not immune to this.

Java uses the jdb utility for its debugging. Debuggers can attach to a process that is already running, or to the address space of a running application. Some of the most pervasive hacks that I have witnessed in my career were accomplished by a person knowledgeable about machine or assembly language who went into an application and changed its byte code or assembly code. In older operating systems, a person could use the DEBUG utility to change the behavior of running applications. These techniques require detailed knowledge of the operating system. A simpler method is to impersonate a server to get information about a company.

Impersonating hosts

When I want to log in to a Web site, I enter a Uniform Resource Locator (URL) in the browser, such as "www.somesite.com". The local machine resolves the name using the name servers configured on it. The Domain Name System (DNS) provides the logical mapping of names to IP addresses. Before asking DNS, the local resolver consults the /etc/hosts file, a static table of name-to-address mappings kept on the machine itself; the /etc/resolv.conf file lists the DNS servers the resolver queries for any name the hosts file does not contain. DNS spoofing is easier than IP spoofing in that only the logical mapping is redirected to a different server.

Tip  

RFC 1034 and RFC 1035 describe the DNS system; RFC 1033 is the domain administrators' operations guide.

The configured name server answers from its own cache or zone data, and if it is not authoritative for the name it follows the delegation chain: it asks a root server, then the server for the top-level domain (com), then the authoritative server for somesite.com, which holds the record for "www.somesite.com" if the host is valid. The name finally resolves to the IP address the browser connects to.

The idea behind DNS spoofing is to resolve the host's name to the hacker's address for a set of users. When those users log in to the hacker's Web site or server, they believe they are logging in to the valid one, and the hacker captures the keystrokes of the username and password. The hacker now has access to one of the user's Web sites. The same idea applies to other network protocols such as FTP and telnet. To accomplish this, the hacker has to change either the DNS server the user consults, the answers that server returns, or the hosts table on the user's own machine. Figure 2-5 demonstrates host impersonation.
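The hosts-file variant of the attack, as an added example that is not part of the chapter: a resolver that checks the hosts file before DNS, a poisoned hosts file that sends "www.somesite.com" to the hacker's address, and the check a practitioner would run to spot it, comparing every non-loopback hosts entry with what DNS says. No real lookups are made; the hosts-file contents, the stub DNS table and all addresses (taken from the RFC 5737 documentation ranges) are constructed.

```python
"""Hosts-file precedence over DNS, a poisoned entry, and an audit that
flags it. Added example; the hosts text, stub DNS table and addresses
are constructed and no real name resolution is performed."""
import ipaddress


def parse_hosts(text: str) -> dict:
    """/etc/hosts format: an address followed by one or more names;
    '#' begins a comment. The first entry for a name wins, as in resolvers."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name: str, hosts: dict, dns: dict):
    """Lookup order used by most systems: hosts file first, then DNS.
    Returns (address, source) so the caller can see which one answered."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name], "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "nxdomain"


def audit_hosts(hosts: dict, dns: dict) -> list:
    """Return (name, hosts_address, dns_address) for every hosts entry that
    overrides a public name with a different address. Loopback lines are
    normal and skipped; anything else is a candidate spoofing entry."""
    suspicious = []
    for name, addr in hosts.items():
        if ipaddress.ip_address(addr).is_loopback:
            continue
        if name in dns and dns[name] != addr:
            suspicious.append((name, addr, dns[name]))
    return suspicious


# Constructed data. Public addresses come from RFC 5737 documentation ranges.
CLEAN_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
"""
POISONED_HOSTS = CLEAN_HOSTS + "203.0.113.66   www.somesite.com   # added by attacker\n"
STUB_DNS = {"www.somesite.com": "198.51.100.10", "www.richware.com": "198.51.100.20"}

if __name__ == "__main__":
    print("clean   :", resolve("www.somesite.com", parse_hosts(CLEAN_HOSTS), STUB_DNS))
    print("poisoned:", resolve("www.somesite.com", parse_hosts(POISONED_HOSTS), STUB_DNS))
    print("audit   :", audit_hosts(parse_hosts(POISONED_HOSTS), STUB_DNS))
```

With the clean file the name is answered by DNS; with the poisoned file the hosts entry answers first and DNS is never consulted, which is why the browser, and Java's InetAddress.getByName(), would connect to the hacker's server without any network-level attack at all.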

Figure 2-5: Host impersonation

IP spoofing attacks

Many firewalls and other network security mechanisms give access to the host if the source of the connection comes from a trusted network or host. For example, the application server may only accept connections coming from the Web server at www.richware.com . The application server will look for the source address in the TCP/IP packet to verify that connection originated at the Web server. IP spoofing is the ability to fake the trusted network source.

To use a fake source address, the hacker must make sure it does not conflict with an active host on the network, because the real host would receive the application server's replies and reset the connection. The first step, then, is to take down or block the host being impersonated: the hacker disconnects or interrupts the trusted Web server for a short period and accesses the application as if the traffic came from the Web server. The Web server might even be down for scheduled maintenance without the application server being aware of it, in which case the hacker wouldn't have to arrange the disconnect himself.

The concept of IP spoofing is to impersonate the trusted source of a trusted connection. After sniffing the packets across the network and learning what the application server expects (including the TCP sequence numbers it will acknowledge), the hacker forges matching packets for the application server. Figure 2-6 demonstrates IP spoofing.

Figure 2-6: IP spoofing
Cross-Reference  

See Chapter 21 for more information on firewalls and network security.

Operating system active attacks

The passive attacks on operating systems have been discussed, but there are many more ways to corrupt an operating system. Attacks whose aim is to bring the operating system down are active attacks. These attacks may not be totally malicious; they may be a way for a hacker to get recognition by painting a message on your screen such as "You have been hacked." Such hacks may not be aimed at any one organization. They might be aimed at any consumer who buys a specific software product, or at anyone who answers through a specific newsgroup or opens a certain e-mail. I have seen hacks like these geared toward people who copy specific software packages onto other software packages in their systems. Hacks of that kind might not be done by someone just learning a system, but by a competitor of a software package or for some other business reason.

Backing up: the best defense

The first active hack that I was a victim of occurred when I pulled down a compiler from a Bulletin Board System (BBS) using a modem and a local number. The result was that my screen looked like it was raining and system files started deleting themselves. For those very reasons I kept a backup of everything, but it was a lot easier to reload a 128-megabyte hard drive. The damage that active hacks cause can run into the millions and can bring an organization down for days.

The jarsigner utility: a defense up to a point

One of the most significant additions to Java is the jarsigner utility. jarsigner signs a Java Archive (JAR) with the private key of a principal held in the local keystore, so that anyone holding the matching certificate can verify that the JAR's contents have not changed since it was signed. Signing does not stop a file from being modified, but a modified entry no longer verifies. The JAR may contain Java applications or Java components. The limitation is that many JARs and Java components still rely on the operating system's native libraries, file system, and network stack, and those remain susceptible to hackers.

Even though Java provides a lot of security functionality as part of its basic foundation, the limitations of the operating system, file system, and network system can still affect Java applications. If the operating system could enforce Java security down to the device driver and operating system levels, I believe many of these attacks could be avoided by using the jarsigner utility. However, at this point there is no Java operating system. A Java operating system, with Java libraries and device drivers, could fully use the jarsigner utility and take advantage of its security features right down to the device level. One possible way this could work is to have the entire operating system signed in a JAR file, which could not be replaced without the private key in the keystore that matches the signature. The operating system would then be as secure as the protection of that keystore.
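To show concretely what "a modified entry no longer verifies" means, here is an added example (not jarsigner's code, and not from the chapter) that reproduces the first layer of what jarsigner -verify does: a signed JAR's manifest carries a digest of every entry, and verification recomputes each digest and compares. The JAR is built in memory from constructed entries; the example does not check the signature file or the signer's certificate, which are the layers that bind the manifest to a keystore principal.

```python
"""Manifest digest verification, the first layer of `jarsigner -verify`.
Added example, not jarsigner's own code; the JAR is constructed in memory
and the signature-file and certificate layers are not modelled."""
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_jar(entries: dict) -> bytes:
    """Constructed JAR whose manifest has a per-entry SHA-256-Digest
    section, the form a signed JAR's manifest takes."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += ["Name: " + name, "SHA-256-Digest: " + b64_sha256(data), ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, "\r\n".join(lines) + "\r\n")
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Return {entry name: base64 digest} from the manifest's Name sections."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
        elif not line.strip():
            name = None                     # blank line ends a section
    return digests


def verify_digests(jar_bytes: bytes) -> dict:
    """Return {entry: True | False | 'unsigned'}. False means the entry no
    longer matches the digest recorded when the JAR was signed."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        digests = parse_manifest(jar.read(MANIFEST).decode())
        for info in jar.infolist():
            if info.filename == MANIFEST or info.filename.endswith("/"):
                continue
            expected = digests.get(info.filename)
            if expected is None:
                report[info.filename] = "unsigned"
            else:
                report[info.filename] = b64_sha256(jar.read(info.filename)) == expected
    return report


def tamper(jar_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Rewrite one entry without touching the manifest, which is what an
    attacker with write access to the JAR file can do."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


# Constructed entries: a stand-in class file and a deployment-style config.
GOOD = build_jar({"com/example/App.class": b"\xca\xfe\xba\xbe original",
                  "config.properties": b"db.host=localhost\n"})
BAD = tamper(GOOD, "config.properties", b"db.host=attacker.example\n")

if __name__ == "__main__":
    print("signed JAR  :", verify_digests(GOOD))
    print("tampered JAR:", verify_digests(BAD))
```

An attacker who can write to the JAR can of course also rewrite the manifest, which is why jarsigner additionally signs a digest of the manifest with the keystore's private key; without that key the rewritten manifest fails the signature check instead.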

Tip  

Because the operating system, at this point, does not enforce Java security, if you are the victim of an attack and suspect the operating system rather than the JAR, you can check your suspicion by moving the JAR to another operating system and seeing whether the attack still occurs there.

Virus attacks

The most common active attack on an operating system is the virus. There are more than 69,000 known computer viruses. The purpose of a digital virus is to infect a host and replicate. Digital viruses, very much like the biological forms, will attack their hosts, disrupting the normal operation of the host. Just as a person slows down and becomes disrupted when they catch a virus, so does the host computer.

Biological and digital viruses: a frightening similarity

Biological viruses infect human cells by replicating thousands of the viruses and infecting the system. The digital virus replicates itself as well on the Internet or through the host computer systems. The virus may try to hide itself in the disk format or operating system of a specific system, surfacing occasionally to infect other systems. The biological virus takes on the same form by hiding itself in the human subsystem.

Like the biological virus, the computer virus can usually replicate itself to spread to other systems that it comes into contact with through a connection. The virus incubates in a particular system or set of systems and, once it believes it can spread, it tries. When a virus lies waiting for a chance to spread, it is in its dormant phase. Once the virus has what it needs to spread, it enters a replication phase in which it reproduces. The digital virus replicates itself in programs and disk sectors, as the biological form replicates through the bloodstream.

When a computer program contains a virus, it usually contains an exact clone of the virus. After the virus has reproduced enough, or senses it is about to be caught, it may judge itself strong enough to attack the host system. An attack on the computer host can take many forms, from changing the screen to deleting files. If the computer host has the correct anti-virus software, like antibodies against a biological virus, the virus can be fought and destroyed. If it does not, the computer host can be destroyed.

Types of viruses

The virus is meant to hide in the host's operating system through a variety of means. Boot sector viruses go live when the operating system boots up, in the hope of being started before any anti-virus software; the objective is to destroy the anti-virus software when it starts. Stealth viruses are built specifically to hide from anti-virus software. Parasitic viruses attach themselves to programs, so that destroying the virus also destroys the program it is attached to. Macro viruses can only be executed by Microsoft Word or Microsoft Outlook and are started when those programs start. Polymorphic viruses change every time they reproduce, creating a mutant virus that the anti-virus software does not recognize. There are many more types of viruses. Studying them all, and their variations, is just as complex and overwhelming as studying biological viruses.

There are so many types of viruses now that knowing a programming language is not even required. Viral kits can be used from different hacking sites to create different types of viruses. The viral kit normally asks the creator a set of questions about how they would like their virus to behave. One of the questions might be "Should it delete system files?"

One thing that all digital viruses have in common is that they need a way to enter the system and they need a process to start them. The process could be an operating system call, a device driver call, or even the startup of a system service by the operating system. Just as easily as a network can be sniffed by hackers to find useful information, the user of the host computer can see what information is traveling to that system. The user of the host machine can monitor the operating system of the host machine just as easily as a hacker can. The best defense against a virus is to know your host machine and network. Something as simple as setting Microsoft Outlook's security to its highest level and not opening an attachment until the user knows what it is for goes a long way toward preventing macro viruses alone. Equal steps must be taken for other viruses.

The cost of combatting a virus

One of the most difficult viruses that I had to track down happened almost ten years ago when I was installing a network operating system. The virus would infect the boot sector of the normal operating system, and it would occasionally spread itself to other operating systems. It turned out that the virus was on a floppy to which a person had copied the setup from the original disks for installation. The virus hid itself in the File Allocation Table (FAT) partition of the floppy. Copying new files to the floppy disk did not get rid of the virus. I eventually just bought a new box of floppies and went back to the original disks. Time and money were spent to destroy the virus.

The difficulty in finding this virus was that any virus protection software was always installed after the network operating system installation, and when the virus protection software was installed, the virus would prevent it from looking for the virus. This scenario is an example of the complexities of finding viruses. The prevention was simply not to use copied disks. Constantly monitoring processes and transmissions goes a long way in preventing viruses. There are many anti-virus programs that can check for viruses whenever new software is brought onto the machine.
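The text's advice to know your host machine, and its description of parasitic viruses attaching themselves to programs, can be turned into a concrete check: hash a trusted set of program files once, re-hash later, and flag anything modified, added or removed. This is an added example, not code from the book; the directory layout and file names are constructed.

```python
# Added example (not from the book): hash a set of trusted program files,
# re-hash later, and flag anything modified, added or removed.
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large binaries stay memory-friendly."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def baseline(root):
    """Map each file under root (by relative path) to its digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests

def compare(before, after):
    """A parasitic virus changes a program's bytes; a dropped file shows up as 'added'."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }

def demo():
    """Constructed scenario in a temp dir: one program altered, one new, one gone."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.mkdir(bin_dir)
        for name in ("editor.exe", "ftp.exe", "setup.exe"):
            with open(os.path.join(bin_dir, name), "wb") as f:
                f.write(b"ORIGINAL PROGRAM BYTES: " + name.encode())
        known_good = baseline(root)  # taken right after a trusted install
        with open(os.path.join(bin_dir, "ftp.exe"), "ab") as f:
            f.write(b"\x00" * 64)  # constructed: bytes appended to a trusted program
        with open(os.path.join(bin_dir, "unknown.exe"), "wb") as f:
            f.write(b"NOT IN THE BASELINE")
        os.remove(os.path.join(bin_dir, "setup.exe"))
        return compare(known_good, baseline(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the machine (or on read-only media), since a virus that can alter programs can also alter a baseline kept beside them.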

Backdoors and logic bombs

Many programs have backdoors or even Easter eggs that never try to do anything malicious. With Easter eggs, when a certain combination of keys is pressed you get a surprise. For example, with the new Space Invaders games, if certain keys are pressed the old Space Invaders game can be played. Many games have Easter eggs and so do many programs. Most of the Easter eggs in some of my applications simply list the authors and contributors to the programs. Easter eggs are fun, but they can produce bugs just like any other code. If the Easter egg is not part of the test plan, which it usually is not, it might not be fully tested, and bugs can arise that hackers take advantage of. For instance, if the authors of the program come up when a key combination is pushed, a similar combination could cause a security breach.

A developer or tester usually leaves a backdoor in order to bypass the main security to test or recover the system. Developers and testers use the backdoor to perform quick tests or debug the programs without having to go through the normal security, in order to save time in their testing. The developer may also want a backdoor in case the normal security authentication breaks, so there is an alternative way to enter the system to fix the issues. There have been incidents in some older operating systems, such as Multics, where backdoors were not planned at all but were a side effect of a bug. A tiger team, which is an offsite team that tests the system as a hacker would by using the same tools and techniques, later found the bug.

A logic bomb is a more malicious program. A logic bomb is code embedded in the application that is set to "explode" when certain conditions are met. The bomb could be set to go off on a certain date or when certain keys are pressed in sequence. Once it explodes, it damages the system by deleting data, forcing the machine to crash, or taking some other damaging action. The software could also be set to go off if the system doesn't receive a certain combination of keys every week. Disgruntled employees or contractors may implement logic bombs that must be re-armed by entering a key sequence into the organization's system at certain intervals. If they don't get paid or if they get laid off, they no longer enter the sequence. When the sequence is not entered, the bomb explodes and damages the system.

Trojan horses and worms

A Trojan horse is a seemingly useful program or utility that can be downloaded off a Web site, but when started on the machine it damages the system. The damage that it does may not be apparent at first, such as changing the access to files on the local machine. The program may even work and appear useful, but the idea is for the user to download and install it so the hacker can get entry into the user's computer. Another example is downloading an FTP client that, when used, keeps a running log of the keystrokes and passes them to the hacker. It is difficult to detect Trojan horses because they act as normal programs, and they usually give no warning that something malicious is taking place. The idea of the Trojan horse is to masquerade a hacker utility as a legitimate program and to attack while the user is executing the program. A backdoor would be considered a Trojan horse if the purpose of distributing the application is to plant a backdoor in the user's system.

Worms are viruses or Trojan horses that crawl from system to system. Unlike viruses, the worm depends on a network connection to spread. A worm will search for weaknesses in protocols in order to spread. Worms may be created to infect a particular protocol, such as e-mail, or a list of protocols, such as e-mail, FTP, TELNET, and RLOGIN. After a worm gets through a network protocol, it replicates itself on the remote machine and continues to spread in the same manner. The Internet worm attack of 1988 is the most famous example of a worm attack. The worm spread by sending new code to the finger daemon, exploiting logic errors in how the daemon retrieved data. The Internet worm of 1988 clogged the networks and brought down many machines that it encountered on the network. This worm brought a lot of organizations' systems down until they deleted the worm.


Java Security Solutions
ISBN: 0764549286
Year: 2001
Pages: 222