Viruses and Worms

Apply Your Knowledge

As an ethical hacker, it is important to be able to find vulnerabilities before attackers do. One tool that can help you accomplish this goal is the vulnerability scanner. Vulnerability scanners are effective at finding known vulnerabilities and buffer overflows.

Exercises

11.1. Locating Known Buffer Overflows and Security Holes

In this exercise, you run a well-known vulnerability scanner to search for known buffer overflows and security holes.

Estimated Time: 15 minutes.

  1. Download a copy of the SAINT vulnerability scanner from www.saintcorporation.com/download.html. SAINT references the Common Vulnerabilities and Exposures database to check for known buffer overflows and security holes.
  2. Instructions for installing SAINT onto a Linux system are provided on the download page. Once installed, you can start SAINT by entering the saint-5.9.3 directory and executing ./saint.
  3. After you have started, you will want to configure SAINT to scan a single host. SAINT has several tabs that can be used to configure the vulnerability scanner. These tabs include

    The Sessions tab: Create a session or open an existing session.

    The Scan Setup tab: Select targets and set up a scan to run now or later.

    The Data Analysis tab: View results and generate reports.

    The Configuration tab: Change the scanning policy, process control, network information, and other options.

    The Schedule tab: View the current scan schedule and delete unneeded jobs.

    The Documentation tab: Introduction, frequently asked questions, vulnerability information, and reference information.

  4. Under the Scan Setup tab, you will need to configure the IP address you would like to scan. Remember to only scan computers that you own. Do not scan other individuals' systems without prior permission.
  5. As you scroll down the Scan Setup tab, you will notice several settings under the scanning level section. Choose the "Top 20" setting. This allows you to scan for the 20 most dangerous vulnerabilities. This Top 20 list is important in that these are the most commonly exploited vulnerable services in Windows, UNIX, and Linux systems. Although there are thousands of security incidents each year affecting operating systems, the overwhelming majority of successful attacks target one or more of these 20 vulnerable services.
  6. Leave all other settings at their default and choose Scan Now.
  7. After the scan is complete, review the results. Notice that SAINT uses the CVE database. This makes it easy to perform further research and locate patches and updates.

Exam Prep Questions

1.

Which of the following is an example of a multipartite virus or worm?

A. Brain

B. Nimda

C. Sasser

D. Staog

2.

Buffer overflows can be a serious problem. Which of the following C/C++ functions perform bound checks?

A. gets()

B. memcpy()

C. strcpy()

D. strncat()

3.

Which of the following is not considered an optional part of a virus program?

A. Infection routine

B. Payload routine

C. Anti-detection routine

D. Trigger routine

4.

Which piece of malicious code was written with the VBS worm generator?

A. Melissa

B. Anna Kournikova

C. Code Red

D. Klez

5.

The functionality of Tripwire could best be compared to which of the following?

A. Stack guard program

B. Heuristic scanning

C. Integrity verifier

D. Signature scanning

6.

Which of the following describes the stack mechanism that computers use to pass arguments to functions and reference local variables?

A. FIFO

B. Push

C. LIFO

D. Pop

7.

Heap-based buffer overflows are different from stack-based buffer overflows because stack-based buffer overflows are dependent on overflowing what?

A. A buffer

B. A buffer that is placed on the lower part of the heap

C. A fixed length buffer

D. A buffer that is placed on the upper part of the heap

8.

Which of the following is not a defense against buffer overflows?

A. Enable stack execution

B. Safer C library support

C. Better compiler techniques

D. Manual auditing of code

9.

Jon has written a virus that is executed when opened in Word or Excel. Which of the following best describes this type of virus?

A. MBR infector

B. Macro infector

C. File infector

D. Mass mailer

10.

Which malicious program exploited a vulnerability in the Local Security Authority Subsystem Service (LSASS)? LSASS is used by Windows computers to verify a user logging in to a Windows domain or computer.

A. Sasser

B. Sobig

C. Netsky

D. Code Red

11.

You are visiting a client site and have noticed a sheep dip system. What is it used for?

A. A sheep dip system is used for integrity checking.

B. A sheep dip system is another name for a honeypot.

C. A sheep dip system is used for virus checking.

D. A sheep dip system is used to find buffer overflows.

12.

Which of the following is Melissa considered?

A. MBR infector

B. Macro infector

C. File infector

D. True worm

13.

Which type of virus or worm has the capability to infect a system in more than one way?

A. Appenders

B. Polymorphic

C. Prependers

D. Multipartite

14.

Which portion of the virus is responsible for copying the virus and attaching it to a suitable host?

A. Infection routine

B. Search routine

C. Anti-detection routine

D. Trigger routine

15.

In the Intel architecture, which of the following instructions is one byte long and is represented in assembly language by the hex value 0X90?

A. Add

B. Mov

C. NOP

D. Sub

Answers to Exam Questions

A1:

1. B. Nimda had the capability to infect in many different ways, including a malformed MIME header and IFrame exploit used in email propagation, placing an infected riched20.dll alongside a document, prepending itself to target executable files, and attempting to connect to open shares and copy itself to those locations. Answer A is incorrect, as the Brain virus is an MBR virus. Answer C is incorrect, as Sasser exploited a buffer overflow, and answer D is incorrect because Staog was a single-infector Linux virus.

A2:

2. D. The strncat function accepts a length value as a parameter, which should be no larger than the size of the destination buffer. Answers A, B, and C are incorrect as gets, memcpy, and strcpy do not perform automatic bounds checking and should be avoided.

A3:

3. A. Virus programs have two required components, which include search routines and infection routines. The infection routine is the portion of the virus responsible for copying the virus and attaching it to a suitable host. Answers B, C, and D are incorrect because the payload routine, anti-detection routine, and trigger routine are all considered optional.

A4:

4. B. Anna Kournikova was created in only a few hours using a tool called the VBS Worm Generator. Answers A, C, and D are incorrect because they were not created with the VBS Worm Generator.

A5:

5. C. Tripwire provides integrity assurance. Tripwire looks for changes that may have occurred from hackers or malicious software. By monitoring attributes of files that typically do not change, such as binary signatures, size, changes in size, or integrity scans, Tripwire can be useful for detecting intrusions, attacks, and the corruption of data. Answer A is incorrect because Tripwire is not used to guard the stack against buffer overflow. Answer B is incorrect, as heuristic scanning looks for actions that programs or applications would not typically perform. Answer D is incorrect, as signature scanning is performed to look for known signatures of viruses and worms.

A6:

6. C. The stack is a last in first out (LIFO) mechanism that computers use to pass arguments to functions as well as reference local variables. Answer A is incorrect, as a first in first out mechanism is useful for buffering a stream of data between a sender and a receiver that are not synchronized, but it is not used in stack operations. Answers B and D are incorrect because push refers to the act of pushing elements onto the stack, whereas pop refers to removing elements off the stack.

A7:

7. C. Heap-based buffer overflows are different from stack-based buffer overflows in that stack-based buffer overflows are dependent on overflowing a fixed-length buffer. This makes answers A, B, and D incorrect. In heap-based buffer overflow attacks, the attacker overflows a buffer that is placed in the lower part of the heap.
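Answers 2 and 7 both come down to the same point: a fixed-length stack buffer filled by a function that never looks at the destination's size. The following C listing is an added example, not code from the book, and every name in it (NAME_LEN, copy_name_unsafe, copy_name_safe, append_safe, demo_bounded_copy) is invented for illustration. It shows the strcpy() pattern the answer key says to avoid beside a bounded copy that rejects oversized input, and it spells out the check the answer to question 2 leaves implicit: strncat() only bounds the write if its length argument is the space that actually remains in the destination, not the buffer's total size.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical fixed-length stack buffer, as in question 7 */

/* "Before": the pattern answer 2 says to avoid. strcpy() stops only at the
 * source's terminating NUL, so a source longer than NAME_LEN - 1 bytes writes
 * past the end of the fixed-length buffer on the stack. Kept as the vulnerable
 * reference; it is only ever called with input that fits below. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);                 /* no bounds check at all */
}

/* "After": the caller passes the destination capacity. Input that does not
 * fit is rejected (return -1) instead of silently truncated, and dst is left
 * as an empty NUL-terminated string so later string calls stay in bounds. */
int copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {              /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);          /* bounded copy, NUL included */
    return 0;
}

/* strncat() is bounded only when its length argument is the space remaining
 * in dst, i.e. dst_size - strlen(dst) - 1. Passing sizeof(dst) instead is a
 * common mistake that brings the overflow straight back. */
int append_safe(char *dst, size_t dst_size, const char *src)
{
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL)                  /* dst is not NUL-terminated: refuse */
        return -1;
    size_t used = (size_t)(end - dst);
    size_t room = dst_size - used - 1;
    if (strlen(src) > room)           /* would not fit: refuse, do not truncate */
        return -1;
    strncat(dst, src, room);
    return 0;
}

/* Runs the calls above on constructed input; returns 1 if every check
 * behaved as expected, 0 otherwise. */
int demo_bounded_copy(void)
{
    char name[NAME_LEN];
    int ok = 1;

    copy_name_unsafe(name, "bob");                 /* fits: 4 bytes into 16 */
    ok &= strcmp(name, "bob") == 0;
    ok &= copy_name_safe(name, sizeof name, "alice") == 0;
    ok &= strcmp(name, "alice") == 0;
    /* 34 bytes cannot fit in 16: rejected, buffer reset to "" */
    ok &= copy_name_safe(name, sizeof name, "a name much longer than the buffer") == -1;
    ok &= name[0] == '\0';
    ok &= append_safe(name, sizeof name, "0123456789") == 0;   /* 10 used */
    ok &= append_safe(name, sizeof name, "abcde") == 0;        /* 15 used */
    ok &= strcmp(name, "0123456789abcde") == 0;
    ok &= append_safe(name, sizeof name, "x") == -1;           /* no room left */
    return ok;
}

int main(void)
{
    printf("bounded copy checks %s\n", demo_bounded_copy() ? "passed" : "FAILED");
    return 0;
}
```

Rejecting oversized input rather than truncating is a deliberate choice: silent truncation keeps the memory safe but can still corrupt a filename, a hostname, or a policy string in ways that are hard to detect later.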

A8:

8. A. Answers B, C, and D are incorrect because the question asks which of the following is not a defense, and each of those items is a defense. Defenses against buffer overflows include manual auditing of code, disabling stack execution, safer C library support, and better compiler techniques. Answer A is the correct choice, as enabling stack execution is something you would not want to do.

A9:

9. B. A macro virus is designed to be embedded in a document. After being embedded, the virus writer can have the macro execute each time the document is opened. Many applications, such as Microsoft Word and Excel, support powerful macro languages. Answer A is incorrect, as an MBR infector targets the boot sector of a disk. Answer C is incorrect, as a file infector typically targets files or applications and can append or prepend itself to the infected item. Answer D is incorrect because a mass mailer is a type of virus or worm that sends itself to many or all of the individuals listed in your address book.

A10:

10. A. The Sasser worm targets a security issue with the Local Security Authority Subsystem Service. Answer B is incorrect because Sobig does not exploit LSASS. Sobig activates from infected emails when a victim clicks on the infected attachment. After this, the worm will install itself and start to spread further. Answer C is incorrect because Netsky spreads via email as a .pif or .zip attachment. Answer D is incorrect, as Code Red exploits an idq.dll buffer overflow.

A11:

11. C. A sheep dip system is used for checking media, files, diskettes, or CD-ROMs for viruses and malicious code before they are used in a secure network or computer. Answers A, B, and D are incorrect because a sheep dip system is not specifically an integrity checker, a honeypot, or a tool to detect buffer overflows.

A12:

12. B. Melissa is a good example of a macro infector. Answer A is incorrect, as Melissa is not an MBR infector. Answer C is incorrect because Melissa is not a file infector. Answer D is incorrect, as a true worm requires no interaction from the end user, whereas Melissa required interaction from a user: Melissa needed to trick the victim into opening an attachment to execute its payload.

A13:

13. D. A multipartite virus can use more than one propagation method. Answer A is incorrect because an appender is a virus that adds its code to the end of a file. Answer B is incorrect, as a polymorphic virus is one that has the capability to mutate. Answer C is incorrect, as a prepender is a virus that adds its code to the beginning of a file.

A14:

14. A. The infection routine is the portion of the virus responsible for copying the virus and attaching it to a suitable host. Answers B, C, and D are incorrect, as the search routine is responsible for locating new files, disk space, or RAM to infect. The anti-detection routine is designed to make the virus stealthier and help it avoid detection. The trigger routine's purpose is to launch the payload at a given date and time.

A15:

15. C. NOP, which stands for no operation, is a one-byte-long instruction and is represented in assembly language by the hex value 0x90. Answer A is incorrect, as Add is 03 hex. Answer B is incorrect, as Mov is 8B; and answer D is incorrect because Sub is 2B.
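The reason an exam on buffer overflows cares about 0x90 is that long runs of single-byte NOPs are one of the oldest byte-level signatures a defender can look for in captured payloads. The listing below is an added example, not code from the book: a small scanner that measures the longest consecutive run of 0x90 bytes in a buffer and flags it above a threshold. The function names (longest_nop_run, flag_nop_run, demo_nop_scan) and the two sample buffers are constructed for illustration and are not real traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define X86_NOP 0x90   /* the one-byte NOP from question 15 */

/* Length of the longest run of consecutive 0x90 bytes in buf[0..len). */
size_t longest_nop_run(const uint8_t *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == X86_NOP) {
            cur++;
            if (cur > best)
                best = cur;
        } else {
            cur = 0;                  /* run broken by any other byte */
        }
    }
    return best;
}

/* Returns 1 when buf holds a NOP run of at least `threshold` bytes.
 * A threshold of 0 is treated as "never flag" so a misconfigured rule
 * cannot alert on every packet. */
int flag_nop_run(const uint8_t *buf, size_t len, size_t threshold)
{
    return threshold > 0 && longest_nop_run(buf, len) >= threshold;
}

/* Constructed sample inputs (hypothetical, not captured traffic). */
static const uint8_t sample_suspicious[] = {
    'U', 'S', 'E', 'R', ' ',
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90,   /* 12 consecutive NOPs */
    0x41, 0x41, 0x41, 0x41
};
static const uint8_t sample_benign[] = {
    'U', 'S', 'E', 'R', ' ', 'a', 'l', 'i', 'c', 'e',
    0x90,                                 /* a lone 0x90 inside normal data */
    '\r', '\n'
};

/* Scans both samples at a threshold of 8 and returns how many were
 * flagged; only the first sample should trip the rule. */
int demo_nop_scan(void)
{
    int flagged = 0;
    flagged += flag_nop_run(sample_suspicious, sizeof sample_suspicious, 8);
    flagged += flag_nop_run(sample_benign, sizeof sample_benign, 8);
    return flagged;
}

int main(void)
{
    printf("longest NOP run in suspicious sample: %zu\n",
           longest_nop_run(sample_suspicious, sizeof sample_suspicious));
    printf("longest NOP run in benign sample:     %zu\n",
           longest_nop_run(sample_benign, sizeof sample_benign));
    printf("samples flagged at threshold 8: %d\n", demo_nop_scan());
    return 0;
}
```

The threshold matters: a single 0x90 occurs naturally in binary data, so a rule that fires on a short run produces constant false positives, while a very high threshold misses short padding. Treat a hit as a reason to inspect the payload, not as proof of an attack on its own.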

Suggested Reading and Resources

www.l0t3k.org/programming/docs/b0f - Buffer overflow information

www.insecure.org/stf/smashstack.txt - Smashing the stack for fun and profit

http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1046472,00.html?bucket=ETA - How buffer overflows work

http://en.tldp.org/HOWTO/Secure-Programs-HOWTO - Secure programming

www.phrack.org/phrack/56/p56-0x05 - Limitations of Stackguard and other buffer overflow protections

www.exn.ca/nerds/20000504-55.cfm - The history of viruses

www.ntsecrets.com/info/nimda.htm - How Nimda works

www.iwriteiam.nl/Ha_iloveyou.html - Analysis of the I Love You virus

www.extremetech.com/article2/0,1697,325439,00.asp - How antivirus works

www.madchat.org/vxdevl/vdat/epheurs1.htm - Heuristic scanning

http://vx.netlux.org - Virus toolkits and virus writing information
