Read: Spyware If you do a search on the keyword "spyware" you'll be bombarded with hundreds of links. Some simply tout spyware removal, but some install spy ware on a computer when the user clicks the Yes button in a dialog box asking whether the computer should be checked for spyware (see Figure 3-2). When you click the “Yes” button, the spyware installation begins. Figure 3-2 A spyware initiation program A spyware program sends information from the infected computer to the person who initiated the spyware program on your computer. This information could be confidential financial data, passwords, PINs—just about any data stored on your computer. You need to make sure your users understand that this information collection is possible and that spyware programs can register each keystroke entered. It's that simple. This type of technology not only exists, but is prevalent It can be used to record and send everything a user enters to an unknown person located halfway around the world Tell your users they shouldn't assume that just because they're sitting in an office with the doors and windows locked, they're safe from an intruder. I. Activity 3-4: Identifying Spyware Time Required: 30 minutes Objective: Examine prevalent spyware programs. Description: Network security professionals know that spyware is one of the worst types of malicious attacks on corporate networks. Spyware can be installed on any computer through various means; the most common approach is installing spyware automatically after a user clicks a hyperlink or runs a program without verifying its authenticity. You should be aware of any new spyware programs as well as software that can remove spyware from a computer. 1. Start your Web browser, type http://www.google.com in the Address text box, and then press Enter. 2. Type spyware in the Search box and press Enter. 3. List some of your search results. 4. Write a description of spyware based on one of the sites you listed in Step 3. 5. In your Web browser, enter www.spywareguide.com/, and press Enter. 6. On. the home page, click the List of Products link. 7. Click one of the links you found in Step 6, and write a brief description of the spyware. (Note: The list is in alphabetical order; you can scroll it with the arrow keys.) Required: (1). Screen print only 8. Close your Web browser. Read only: Buffer Overflow Attacks A number of buffer overflow attacks have taken place on many different OSs over the years. In a buffer overflow attack, a programmer finds a vulnerability in poorly written code that doesn't check for a defined amount of space utilization. For example, if a program defines a buffer size of 100 MB (the total amount of memory the program is supposed to use), and the program writes data over the 100 MB mark without triggering an error or preventing this occurrence, you have a buffer overflow. Basically, the attacker writes code that overflows the buffer; this is possible because the buffer capacity hasn't been defined correctly in the program. The trick is to not fill the overflow buffer with meaningless data, but to fill it with executable program code. That way, the OS runs the code and the attacker's program does something harmful. Usually, the code elevates the attacker's permissions to that of an administrator or gives the attacker the same privileges as the owner or creator of the poorly written program. Table 3-4 describes some current buffer overflow vulnerabilities. In defense of computer programmers, many are not trained to write programs with computer security in mind. In the past, programs were written for ease of use and to create efficient executable code that ran quickly and used as few computer resources as possible. Today, the trend is to make sure programmers are aware of how their code might be vulnerable to attack, but it's going to take a while before checking for security vulnerabilities becomes standard practice. Most Universities do not offer courses on writing computer programs with security in mind. At Microsoft, computer programmers are now rewarded for writing code that doesn't show up later as vulnerability in the system. In Activity 3-5, you take a look at some Microsoft programs that overlooked the security factor in their program design. II. Activity 3-5: Identifying Microsoft Buffer Overflow Vulnerabilities Time Required: 30 minutes Objective: Examine Microsoft buffer overflow vulnerabilities. Description: As a network security professional conducting a security test on a customer's network, you need to investigate any vulnerabilities that might be used. After discovering vulnerabilities that might affect a client's network, you must create documentation of your findings and make recommendations to correct the problem. In this activity, you examine buffer overflow vulnerabilities of Microsoft programs and learn what solutions or recommendations you might give to customers. 1. Start your Web browser, type www. microsoft.com in the Address text box, and then press Enter. 2. In the Search Microsoft.com for text box, type MS03-041 and press Enter. 3. Click the Microsoft Security Bulletin MS03-041 link. 4. Scroll down the document and click to expand the Technical Details option. 5. If the user who activated the ActiveX control from the attacked workstation was logged on as Administrator, what rights would you, the attacker, have? 6. What recommendations would you give a customer running Microsoft Windows 2000, Service Pack 2? 7. On the Microsoft Security Bulletin page, type MS03-042 in the Search text box and press Enter. 8. On the search page, click the Microsoft Security Bulletin MS03-042 link. 9. Scroll down the document and click to expand the Technical Details option. 10. Which ActiveX control has a buffer overflow vulnerability? 11. If the customer is running Microsoft Windows XP, what recommendation would you give? 12. Close your Web browser. The previous activity gives you insight into how buffer overflows are used to exploit an OS. Usually, a buffer overflow's main purpose is to insert code into the overwritten area of memory that elevates the attacker's permissions to that of the user. Read only! Ping of Death Attacks The Ping of Death attack, a type of DoS attack, is not as common as it was during the late 1990s. The attacker simply creates an ICMP packet, that's larger than the maximum allowed 65,535 bytes. The large packet is fragmented into smaller packets and reassembled at its destination. The user's system at the destination point can't handle the reassembled oversized packet, thereby causing the system to crash or freeze. Session Hijacking Session hijacking enables an attacker to join a TCP session and make both parties think he or she is the other party. Macro Viruses A macro virus is a computer virus encoded as a macro in programs that support a macro language, such as Visual Basic Application (VBA). For example, you can write a macro, which is basically a list of commands, in MicrosoftWord that highlights the contents of a document (Ctrl+A), copies the selected data (Ctri+C), and then pastes the information into a different part of the document (Ctrl+V) Macro language commands that open and close files, however, can be used in destructive ways. These commands can be set to run automatically as soon as a data file is opened or clicked on, as in an e-mail attachment. The most infamous macro virus is Melissa, which appeared in 1999. The virus was initiated after a user opened an infected document; the virus then sent an e-mail message to the first 50 entries it located in the infected computer's address book. In the past, viruses were created by computer programmers who found the challenge of creating a destructive program rewarding. Today, even nonprogrammers can easily create macro viruses. In fact, anyone with Internet access can go to many Web sites to learn how to create a macro virus step by step. This adds to the problems you must deal with as a security professional. It's helpful to put yourself in the computer criminal's frame of mind. You have to begin thinking like the bad guys and, like an FBI profiler, understand the perverse mind of a computer criminal A good place to start is visiting Web sites of virus creators and seeing what die have to say. For example, a search for "Macro Virus tutorial" at www.google.com LOW directs you to many different Web sites. The following excerpt was taken from the site http://web.textfiles.com/virus/mactut.txt: The rest of the document was deleted because of space constraints. However, you can see that finding information on creating a macro virus is all too easy. III. Activity 3-2: Identifying Macro Viruses Time Required: 30 minutes Objective: Examine macro viruses that are current threats to computer users. Description: Many antivirus programs detect macro viruses, so you need to know how to turn off the feature that enables macros to run automatically without prompting the user first. You should also be aware of new macro viruses. Again, the Internet is an excellent resource. 1. Start yourWeb browser, type http://www.google.com in the Address text box, and then press Enter. 2. On the search page, enter macro virus in the Search box. 3. List some of the current macro virus threats your search returned. 4. Select one of the macro viruses you listed in Step 3. Use the name of the macro to search for more information about the virus. Are any fixes available? 5. Begin a new Google query by entering macro virus tutorial in the Search box and clicking Search. Did you locate any sites with instructions on creating a macro virus? If not, attempt the search again with a different search engine. 6. Read the tutorial information on a site you discovered in Step 5. Does creating a macro virus seem difficult or easy? 7. Close your Web browser. Worms A worm is a computer program that replicates and propagates itself without having to attach itself to a host (unlike a virus, -which needs to attach itself to a computer program or host). The most infamous worms are Code Red (covered in Activity 3-3) and Nimda. Theoretically, a worm that replicates itself multiple times to every user it infects can infect every computer in the world over a short period. This result is unlikely, but as with many pyramid schemes, it's easy to see how a worm can propagate throughout an entire network and even across the Internet.