GT ECE 4112 - Lab 8: Viruses, Worms, and Wireless

ECE 4112: Internetwork Security
Lab 8: Viruses, Worms, and Wireless

Group Number: _______________
Member Names: _________________________ _________________________
Date Assigned: March 3, 2009
Date Due: March 10, 2009
Last Edited: November 5, 2007

Please read the entire lab and any extra materials carefully before starting. Be sure to start early enough so that you will have time to complete the lab. Answer ALL questions and be sure you turn in ALL materials listed in the Turn-in Checklist ON or BEFORE the Date Due.

NOTE: The wireless lab section requires you to reserve slots to use the equipment. The signup sheets will be posted on the lab door. The equipment you need to sign up for will not be available at the last minute. PLAN AHEAD.

Part 1: Viruses and Worms

Goal: The goal of this lab is to come to a better understanding of viruses and worms by experimenting with them in a safe environment.

Summary: In this lab we will first look at two worms, one designed as a learning tool and one actual worm that has infected computers. Then we will look at a virus. In all three cases we will actually infect our computer to see how it is done and what happens to our computer; then we will completely remove the malicious program.

Background and Theory: A worm is any program that propagates copies of itself via a network. Worms come in many varieties, from simple e-mail worms to those that attack network services, such as Code Red and SQL Slammer. We are going to analyze a simple version of the latter. This worm, dubbed the SPOC Worm (Simple Proof Of Concept), propagates itself through a buffer overflow in a network service known as "vuln_service". This is a service created for this lab. It opens a TCP socket on port 3333 that accepts a connection and can be easily compromised. The program simply reads any data sent to it, but it uses a weak command (see question 1.6) that allows its buffer to be overflowed. Any other network service with a buffer overflow vulnerability could be targeted instead, but "vuln_service" is particularly easy to study because of its simplicity.

The SPOC Worm first scans all LANs it is connected to and tries to connect to port 3333 (the port that "vuln_service" runs on). Upon finding an open port, it connects, sends a special string formatted to overflow the buffer, and executes a copy of the worm on the target. After finishing, it begins scanning random IP addresses looking for more vulnerable services. Detailed information about this worm may be found in the paper "Design and Implementation of a Research Worm" [on the class web site].

In 2001, there was a worm called "AnnaKournikova" that propagated by being sent as an e-mail attachment with the subject "Here you have, ;o)" and a body of "Hi:" "Check This!". Opening the attachment ran a VBScript file that sent a duplicate e-mail to every entry in the Microsoft Outlook Address Book. In order to run, this worm required a Windows machine with the Windows Scripting Host and Microsoft Outlook installed. This worm did not damage any files, but it clogged up many mail servers. The AnnaKournikova worm VBScript file and its unencrypted source code can be downloaded from this site: http://www.packetstormsecurity.org/viral-db/

Viruses work in a different way: they infect files but do not spread until a user moves an infected file to another computer.

Prelab Questions: None.

Lab Scenario: You will be using the RedHat WS 4 Physical Machine, the RedHat 7.2 Virtual Machine, and later a Windows XP Virtual Machine in the last part of the lab. The setup you will be implementing for Section 1 is shown below:

[Diagram: RH WS4 Physical Machine (Attacker, 57.35.6.a) connected to RH7.2 Virtual Machine (Server, 57.35.6.b)]

In the above diagram, 57.35.6.a corresponds to the IP of your RH WS4 Physical Machine and 57.35.6.b corresponds to the IP of one of your RH7.2 Virtual Machines. These can be checked with:

#ifconfig

After you copy what you need from the NAS, to be safe, make sure your network cable is unplugged; this will ensure your worms do not try to infect another group's machine. When you unplug your network cable, your host network card will not work even to talk to a virtual machine. To get around this, use a "crossover plug" that the TAs have and plug it into your Ethernet card to trick your computer into leaving the network interface running.

Copy the following files from the NAS, Lab8/Attacker folder, to your RedHat WS4 Physical Machine (Attacker) directory /home/lab8: worm.c, worm (an executable file), Vsrc2.c, test_virus.c.

Copy the following files from the NAS, Lab8/Server folder, to your RedHat 7.2 Virtual Machine (Server) directory /home/lab8: stackinfo.h, vuln_server.c, vuln_server (an executable file).

Copy the following file from the NAS, Lab8/AnnaWorm folder, to your Windows XP Copy Virtual Machine into a desktop folder "anna": AnnaKournikova.jpg.vbs.txt.

Note: This lab also requires the use of Snort on your RedHat 7.2 Virtual Machine (Server). You should have this installed from a previous lab, but if not, the appropriate files are also on the NAS in the Lab8 folder: libpcap-0.7.2.tar.gz and snort-1.9.1.tar.gz. To install them (from the directory on your hard drive you copied the tar files to):

#tar -xzvf libpcap-0.7.2.tar.gz
#tar -xzvf snort-1.9.1.tar.gz
#cd libpcap-0.7.2
#./configure
#make
#make install
#cd ../snort-1.9.1
#./configure
#make
#make install

Section 1: Worms

On the RedHat 7.2 Virtual Machine (Server), you have vuln_server.c and the executable vuln_server in /home/lab8. You do not need to compile the code; it was provided only so you could see what the program is intended to do. You will also find this source code in Appendix A.
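The LAN sweep of port 3333 and the oversized overflow string described in the Background section leave a traffic pattern that the Snort box on the Server side (or any connection log) can be checked for. The following is an added example for this write-up, not part of the lab's own worm or server code: it flags sources that fan out to many hosts on TCP/3333 within a short window and connections that carry an unusually large payload to that port. The connection records, the window length, the target count and the payload limit are all constructed assumptions.

```python
"""Flag SPOC-style worm behaviour in connection records: one source fanning out
to many hosts on TCP/3333 (the worm's LAN sweep), and oversized payloads sent to
that port. Added example for this lab write-up, not the lab's own code; the
thresholds and sample data below are assumptions/constructed."""
from collections import defaultdict, deque

VULN_PORT = 3333  # port vuln_service listens on, from the lab text

# Constructed sample records: (seconds, src_ip, dst_ip, dst_port, payload_bytes)
SAMPLE_CONNECTIONS = [
    (0.0, "57.35.6.10", "57.35.6.11", 3333, 1100),  # oversized payload
    (0.2, "57.35.6.10", "57.35.6.12", 3333, 0),
    (0.3, "57.35.6.10", "57.35.6.13", 3333, 0),
    (0.5, "57.35.6.10", "57.35.6.14", 3333, 0),
    (0.6, "57.35.6.10", "57.35.6.15", 3333, 0),
    (1.0, "57.35.6.20", "57.35.6.11", 22, 80),      # ordinary SSH session
    (1.5, "57.35.6.21", "57.35.6.11", 3333, 40),    # single legitimate client
    (90.0, "57.35.6.10", "57.35.6.30", 3333, 0),    # outside the 60 s window
]


def find_scanners(records, port=VULN_PORT, window_s=60.0, min_targets=5):
    """Return the sources that contacted at least min_targets distinct hosts on
    `port` within any window_s-second span (assumed thresholds)."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    flagged = set()
    for t, src, dst, dport, _ in sorted(records):
        if dport != port:
            continue
        q = recent[src]
        q.append((t, dst))
        while t - q[0][0] > window_s:  # expire records older than the window
            q.popleft()
        if len({d for _, d in q}) >= min_targets:
            flagged.add(src)
    return flagged


def find_oversized(records, port=VULN_PORT, max_payload=256):
    """Return (src, dst, bytes) for payloads to `port` larger than max_payload
    (assumed limit): a service that just reads a line should never see this."""
    return [(src, dst, n) for _, src, dst, dport, n in records
            if dport == port and n > max_payload]


if __name__ == "__main__":
    print("scanning sources:", sorted(find_scanners(SAMPLE_CONNECTIONS)))
    print("oversized payloads:", find_oversized(SAMPLE_CONNECTIONS))
```

The single legitimate client and the SSH session are not flagged, and the late record at 90 s falls outside the window, so only the sweeping host is reported.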
We can watch "vuln_service" executing by logging into the RedHat 7.2 Virtual Machine (Server) and typing:

#cd /home/lab8
#strace ./vuln_service

Strace is a program which allows us to watch what a program is doing by printing each system call that the program makes. We should see a lot of output go by and then see it settle on a call to accept. Accept makes the program wait until it receives a connection from the network.

Now run Ethereal on the RedHat WS4 Physical Machine (Attacker) and have it begin capturing packets: RedHat -> Internet -> Ethereal Network Analyzer, then Capture -> Options, then Start (OK).

To get more acquainted with strace, let's watch what happens

