Dalia Solomon
Trojan Horse Attacks
Smurf Attack
Port Scan
Buffer Overflow
FTP Exploits
Ethereal Exploit
Worm
Virus
Password Cracker
DNS Spoofing
A computer becomes vulnerable to this attack when the user downloads and installs a file onto their system.
This opens a port without the user's knowledge, and the open port gives a remote user access to the computer.
NetBus is a tool that allows a remote user to gain administrative privileges.
NetBus consists of two programs: a server and a client.
To infect a computer, NetBus disguises itself as an ICQ executable file that a naive user installs on their computer.
NetBus server – This application opens a backdoor on the target computer. It can be configured to be either invisible or visible to the user.
NetBus client – This application connects to a computer that is running the NetBus server. It allows the hacker to spy on and take control of the infected computer.
A Smurf Attack occurs when a packet such as an ICMP echo request (in this application) is sent to a group of machines.
The source address of the packet is replaced by the IP address of the target computer or network. This causes a flurry of echo responses to be sent to the target machine, which can overwhelm it.
Here we are attacking our computer.
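As an added example, not from the slides, the two filters a router or host applies to defeat the attack just described: one stops the network from acting as the amplifier, the other stops spoofed echo requests from leaving it. The packet struct, the 192.0.2.0/24 subnet and the sample packets are constructed for the example.

```c
/* Added example (not from the slides): the two packet filters that defeat a
 * Smurf attack, applied to a hypothetical minimal IPv4/ICMP packet struct.
 * Rule 1 (amplifier side): drop ICMP echo requests sent to the subnet's
 * directed-broadcast address. Rule 2 (source side): drop outbound packets
 * whose source address is not in the local subnet (spoofed). */
#include <stdint.h>
#include <stdio.h>

#define ICMP_PROTO    1
#define ICMP_ECHO_REQ 8

struct pkt {
    uint32_t src, dst;     /* IPv4 addresses, host byte order */
    uint8_t  proto;        /* IP protocol number */
    uint8_t  icmp_type;    /* meaningful only when proto == ICMP_PROTO */
};

#define NET  0xC0000200u   /* local subnet 192.0.2.0/24 (constructed) */
#define MASK 0xFFFFFF00u

uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Rule 1: echo request whose destination is our broadcast address. */
int is_directed_broadcast_ping(const struct pkt *p) {
    return p->proto == ICMP_PROTO && p->icmp_type == ICMP_ECHO_REQ
        && p->dst == (NET | ~MASK);
}

/* Rule 2: packet leaving our network with a source address we do not own. */
int is_spoofed_egress(const struct pkt *p) {
    return (p->src & MASK) != NET;
}

/* Returns 1 to forward, 0 to drop; 'outbound' is 1 for the egress direction. */
int filter(const struct pkt *p, int outbound) {
    if (!outbound && is_directed_broadcast_ping(p)) return 0;
    if (outbound && is_spoofed_egress(p)) return 0;
    return 1;
}

int main(void) {
    /* Constructed packets: a Smurf trigger from outside carrying the victim
     * 198.51.100.7 as spoofed source, and a normal ping to a single host. */
    struct pkt smurf  = { ip4(198,51,100,7), ip4(192,0,2,255), ICMP_PROTO, ICMP_ECHO_REQ };
    struct pkt normal = { ip4(198,51,100,7), ip4(192,0,2,10),  ICMP_PROTO, ICMP_ECHO_REQ };
    printf("smurf trigger forwarded: %d\n", filter(&smurf, 0));   /* 0 */
    printf("normal ping forwarded  : %d\n", filter(&normal, 0));  /* 1 */
    return 0;
}
```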
This program allows the hacker to scan a target computer to detect open ports.
It is primarily used to detect vulnerable applications listening on certain ports on the target computer.
Buffer Overflow
• Most common form of exploit
• Occurs when more data is put into a buffer than it can hold
• Occurs if bounds are not checked by the program
• The purpose of a buffer overflow exploit is to execute code and gain elevated privileges
This exploit shows how it is possible for somebody to get a shell (command prompt) from the Serv-U FTP server.
The exploit causes a buffer overflow in Serv-U FTP when it parses the MDTM command.
The exploit requires that the user have login access to the server.
This shows how the hacker gains shell access to the target machine.
Here is a segment of the code that causes the buffer overflow.
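The bug class behind the MDTM overflow and the unchecked bounds described in the Buffer Overflow bullets, as an added example in C that is neither the slides' code nor Serv-U's: a hypothetical FTP-style command handler, with the unchecked copy beside its bounded replacement. The function names, the 32-byte limit and the sample command lines are all assumed for the example.

```c
/* Added example (not from the slides or from Serv-U): the bug class behind
 * the MDTM overflow, shown on a hypothetical FTP-style command handler. Each
 * function takes a line such as "MDTM <path>" and copies the argument into a
 * fixed 32-byte buffer; only the bounded version checks that it fits. */
#include <stdio.h>
#include <string.h>

#define ARG_MAX 32

/* Vulnerable: strcpy() trusts the client-supplied length, so an argument of
 * ARG_MAX or more bytes writes past 'arg' into whatever follows on the stack. */
int parse_mdtm_unsafe(const char *line) {
    char arg[ARG_MAX];
    const char *sp = strchr(line, ' ');
    if (sp == NULL)
        return -1;                        /* no argument present */
    strcpy(arg, sp + 1);                  /* no bounds check */
    return (int)strlen(arg);
}

/* Hardened: measure first, refuse anything that does not fit including the
 * terminating NUL, then copy exactly that many bytes. */
int copy_arg_bounded(const char *line, char *arg, size_t arg_sz) {
    const char *sp = strchr(line, ' ');
    if (sp == NULL || arg_sz == 0)
        return -1;                        /* no argument, or no room at all */
    size_t n = strlen(sp + 1);
    if (n >= arg_sz)
        return -2;                        /* bounds check: too long, rejected */
    memcpy(arg, sp + 1, n + 1);           /* n + 1 copies the NUL as well */
    return (int)n;
}

/* Same interface as the unsafe handler, built on the bounded copy. Returns
 * the argument length, -1 for a missing argument, -2 for an oversized one. */
int parse_mdtm(const char *line) {
    char arg[ARG_MAX];
    return copy_arg_bounded(line, arg, sizeof arg);
}

int main(void) {
    /* Constructed inputs: a normal path and a 200-byte argument. */
    char big[256] = "MDTM ";              /* bytes after the prefix start as 0 */
    memset(big + 5, 'A', 200);
    printf("normal   : %d\n", parse_mdtm("MDTM /pub/readme.txt"));  /* 15 */
    printf("oversized: %d\n", parse_mdtm(big));                     /* -2 */
    /* parse_mdtm_unsafe(big) would corrupt the stack and is not called. */
    return 0;
}
```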
Vulnerabilities exist in Ethereal. By sending carefully crafted packets onto the sniffed wire, or by convincing someone to load a malicious packet capture file into Ethereal, an attacker can overflow a buffer and execute malicious code.
• The vulnerabilities exist in the handling of the following protocols: BGP, EIGRP, IGAP, IRDA, ISUP, NetFlow, PGM, TCAP and UCP.
Ethereal IGAP message
• This exploits a vulnerability in Ethereal when handling IGAP messages
• Works on Ethereal 0.10.0 to Ethereal 0.10.2
• Will either crash Ethereal or open a port that allows a user to gain root privileges
This code creates a malformed IGAP header that, when sent, causes the Ethereal application to crash because of its vulnerability in handling IGAP packets.
A worm is a program that makes copies of itself and can cause major damage to files, software, and data.
Methods of replication include:
• File sharing
W32/Bugbear-A
• A network worm that spreads by emailing attachments of itself
• It creates a thread which attempts to terminate anti-virus and security programs
• The worm logs keystrokes and sends this information when the user is connected online
• The worm opens port 80 on the infected computer
http://www.sophos.com/virusinfo/analyses/w32bugbeara.html
W32/MyDoom-A is a worm which spreads by email.
When the infected attachment is launched, the worm harvests email addresses from address books and from files with the following extensions: WAB, TXT, HTM, SHT, PHP, ASP, DBX, TBB, ADB and PL.
Attached files will have an extension of BAT, CMD, EXE, PIF, SCR or ZIP.
The worm will attempt a denial-of-service attack against www.sco.com, sending numerous GET requests to the web server.
It drops a file named shimgapi.dll into the temp or system folder. This is a backdoor program loaded by the worm that allows outsiders to connect to TCP port 3127.
http://www.sophos.com/virusinfo/analyses/w32mydooma.html
A virus is a program that infects operating systems and applications.
Replication methods
• Application files (Word documents)
• Hard drive or boot record (boot disk)
• Scripts (batch files)
W97M/Marker Virus is a Word macro virus.
It collects user information from Word and sends the information through FTP.
It adds a log at the end of the virus body for every infected user.
• This log contains the system time and date and the user's name and address
When you open a document file it will display a message.
Depending on the user's response, the user will get one of these messages.
Some applications and web pages are vulnerable to remote password cracker tools.
Applications such as HTTP, FTP and telnet servers that don't handle logins properly and allow short passwords are vulnerable to brute-force password cracker tools.
Brutus is a remote password cracker tool; against an older Serv-U v2.5 server it can crack a password by sequentially sending every possible password combination.
DNS spoofing is a DNS attack that involves intercepting a request and sending a fake DNS response to the user.
This attack forwards the user to a different address than the one they wanted to reach.
WinDNSSpoof
• Spoofs DNS packets
• http://www.securesphere.net/download/papers/dnsspoof.htm
Zodiac is a robust DNS protocol monitoring and spoofing program.
Features:
• Captures and decodes DNS packets
• DNS local spoofing
• DNS ID spoofing, exploiting a weakness within the DNS protocol itself
• Etc. See http://teso.scene.at/projects/zodiac/
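As an added example, not from the slides or from either tool above, the checks a resolver applies before accepting a reply, which is what DNS spoofing (local or by ID guessing) has to get past. The query and reply structs, the nameserver address 192.0.2.53 and the sample values are constructed for the example.

```c
/* Added example (not from the slides, WinDNSSpoof or Zodiac): the checks a
 * stub resolver applies before accepting a reply, on a hypothetical simplified
 * view of the query it sent and the datagram that came back. A spoofed reply
 * succeeds only if every check passes; matching the 16-bit ID alone leaves a
 * blind attacker 65536 guesses (the protocol weakness the slide refers to),
 * so a random source port is checked as well (about 2^32 combinations). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct dns_query {          /* what the resolver remembers about a query */
    uint16_t id;            /* transaction ID, must be unpredictable */
    uint16_t sport;         /* UDP source port, should be random too */
    uint32_t server;        /* nameserver the query went to */
    char     qname[64];
    uint16_t qtype;
};

struct dns_reply {          /* fields recovered from an incoming datagram */
    uint16_t id;
    uint16_t dport;         /* UDP destination port on our side */
    uint32_t src;           /* address the datagram arrived from */
    char     qname[64];
    uint16_t qtype;
    int      qr;            /* QR header flag: 1 = this is a response */
};

enum { ACCEPT = 0, REJ_NOT_RESPONSE, REJ_SOURCE, REJ_PORT, REJ_ID, REJ_QUESTION };

/* Returns ACCEPT or the first reason the reply is discarded. */
int validate_reply(const struct dns_query *q, const struct dns_reply *r) {
    if (!r->qr)               return REJ_NOT_RESPONSE;
    if (r->src != q->server)  return REJ_SOURCE;
    if (r->dport != q->sport) return REJ_PORT;
    if (r->id != q->id)       return REJ_ID;
    if (r->qtype != q->qtype || strcmp(r->qname, q->qname) != 0)
        return REJ_QUESTION;
    return ACCEPT;
}

int main(void) {
    /* Constructed data: one outstanding query, a genuine reply, and a forged
     * reply that got the source, port and question right but guessed the ID. */
    struct dns_query q = { 0x1F2A, 53211, 0xC0000235u, "www.example.com", 1 };
    struct dns_reply good   = { 0x1F2A, 53211, 0xC0000235u, "www.example.com", 1, 1 };
    struct dns_reply forged = { 0x0001, 53211, 0xC0000235u, "www.example.com", 1, 1 };
    printf("genuine reply: %d\n", validate_reply(&q, &good));   /* 0 (ACCEPT) */
    printf("forged reply : %d\n", validate_reply(&q, &forged)); /* 4 (REJ_ID) */
    return 0;
}
```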