
CST 232 JOURNAL
CHAPTER 3

Activity 3-1: Identify New Computer Viruses

CERT® Advisory CA-2003-28 Buffer Overflow in Windows Workstation Service

Systems Affected:
* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
* Microsoft Windows XP
* Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition

Description:
A buffer overflow vulnerability exists in Microsoft's Windows Workstation Service (WKSSVC.DLL).
A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.

Solution:
Apply a patch from your vendor
Apply the appropriate patch as specified in Microsoft Security Bulletin MS03-049.


Name               Detected   Protected*
Trojan.Mespam      02-09-2007 02-10-2007
W32.Fujacks.AW     02-08-2007 02-08-2007
W32.Annew.A        02-08-2007 02-09-2007
W32.Surubat.A@mm   02-07-2007 02-07-2007
Trojan.Mdropper.Y  02-07-2007 02-08-2007


Trojan.Mdropper.Y:

When the Trojan is executed, it creates the following files:

* %Temp%\top10.exe
* %System%\wuanserv.dll
It attempts to exploit the Microsoft Office Malformed String Remote Code Execution Vulnerability (BID 22383) in Microsoft Excel and drop additional threats on the compromised computer.
The dropped .exe files are a variant of the Backdoor.Bias family.

The following instructions pertain to all current and recent Symantec antivirus products, including the
Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.

 


Activity 3-2: Identifying Macro Viruses

Launch Google search site.
#1 - Search for "macro virus"
What are the various definitions?
A=W97M.Melissa Word Macro Virus
XM.Delta
WM.Helper

WM.Helper is a virus first reported in the United States when several users noticed that their files were mysteriously password-protected.

WM.Helper resides in one macro:
o AutoClose
The NORMAL.DOT global template file is initially infected when the user closes an infected document. This copies the AutoClose macro from the infected document to the global template. After that, all documents that are not already infected become infected when they are closed.

On the 10th of each month, WM.Helper sets the file-saving options to always save files with the password "help".

Recommendations:

 1. Turn off and remove unneeded services.

 2. Always keep your patch levels up to date.

 3. Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

 4. Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

 5. Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

 6. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

How many tutorials did you find?

  • Could you easily create a macro virus?

A= Yes, there were many different sites showing how to create a macro virus.
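Recommendation 4 above says to block mail attachments by extension. The following Python filter is an added example (mine, not code from the page, from Symantec or from any mail product): it applies the page's list (.vbs, .bat, .exe, .pif, .scr) and also catches the disguises a naive "endswith" check misses: double extensions, trailing dots and spaces that Windows strips before execution, full-width Unicode letters, bidirectional-override characters, and a declared MIME type that contradicts the filename. The extra blocked extensions, the quarantine of macro-capable Office formats (the subject of Activity 3-2) and the sample filenames are my additions and assumptions, not the page's.

```python
import posixpath
import re
import unicodedata
from typing import Optional

# Extensions named in recommendation 4 on this page.
PAGE_BLOCKED = {"vbs", "bat", "exe", "pif", "scr"}
# Further directly-executable types commonly blocked for the same reason
# (my addition to the page's list, not something the page states).
EXTRA_BLOCKED = {"com", "cmd", "js", "jse", "vbe", "wsf", "wsh", "hta", "lnk", "reg", "msi"}
BLOCKED_EXTENSIONS = PAGE_BLOCKED | EXTRA_BLOCKED

# Office formats that can carry VBA macros; routed to quarantine rather than
# rejected so a human can release legitimate documents.
MACRO_CAPABLE = {"doc", "dot", "xls", "xlt", "xla", "ppt", "pot",
                 "docm", "dotm", "xlsm", "xltm", "pptm"}

# MIME types that declare executable content whatever the filename says.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/hta"}

# Unicode bidirectional controls used to make "fdp.exe" render as "exe.pdf".
BIDI_CONTROLS = re.compile(r"[\u200e\u200f\u202a-\u202e\u2066-\u2069]")


def normalize_filename(name: str) -> str:
    """Reduce a filename to the form the receiving Windows host would actually use."""
    name = unicodedata.normalize("NFKC", name)      # full-width "ｅｘｅ" -> "exe"
    name = BIDI_CONTROLS.sub("", name)              # drop display-reversing controls
    name = name.replace("\\", "/")                  # accept Windows or POSIX paths
    name = posixpath.basename(name)                 # keep only the final path component
    name = re.sub(r"\s+", " ", name).strip()        # collapse space padding before ".exe"
    name = name.rstrip(". ")                        # Windows ignores trailing dots/spaces
    return name.lower()


def attachment_verdict(filename: str, content_type: Optional[str] = None) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    if content_type:
        declared = content_type.split(";")[0].strip().lower()
        if declared in EXECUTABLE_TYPES:
            return "block"                          # never trust a friendly filename
    norm = normalize_filename(filename)
    if "." not in norm:
        return "allow"
    ext = norm.rsplit(".", 1)[1].strip()            # the last extension is what Windows runs
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in MACRO_CAPABLE:
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    # Constructed sample names (not real attachments), including the usual disguises.
    for name in ["readme.txt", "Invoice.PDF.exe", "report.txt" + " " * 40 + ".exe",
                 "virus.scr.", "C:\\Users\\bob\\run.bat", "game.ｅｘｅ", "budget.xls"]:
        print(f"{attachment_verdict(name):10s} {name!r}")
```

The filter deliberately decides on the last extension after normalization, because that is the one Windows uses when the user double-clicks; a filename such as "setup.exe.txt" is therefore allowed, while "report.txt" followed by forty spaces and ".exe" is blocked.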

 



Activity 3-3: Identifying the Code Red Worm
Launch the Google search site.
 #1 - search on "code red"
 #2 - What did you find?


A = The "Code Red" worm is self-replicating malicious code that exploits a known vulnerability in Microsoft IIS servers: a remotely exploitable buffer overflow in the Indexing Service used by Microsoft IIS 4.0 and IIS 5.0.


#3 - What vulnerability did the Code Red worm use to propagate itself?
A= A remotely exploitable buffer overflow in the Indexing Service used by IIS 4.0 and IIS 5.0.


#4 - What port did Code Red use to connect to the attacked server?
A = Code Red connects to TCP port 80, the HTTP port the IIS web server listens on.


#5 - Did the worm deface or destroy any web pages?
A = It defaced rather than destroyed them: hosts with a default language of English experienced the following defacement on all pages requested from the server: "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!"


#6 - What solutions were offered for infected computers?
A= Since the worm resides entirely in memory, a reboot of the machine will purge it from the
system. However, patching the system for the underlying vulnerability remains imperative since
the likelihood of re-infection is quite high due to the rapid propagation of the worm.
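Because the worm arrives as an ordinary HTTP request on TCP port 80 (answers #3 and #4 above), its attempts show up in the web server's own logs. The following Python scanner is an added example, not code from the page or from CERT: it reads IIS W3C extended log lines and flags Code Red-style requests. The signature it uses (a GET for /default.ida, the Indexing Service's .ida handler, whose query string is a long run of a single filler byte, "N" for Code Red and "X" for Code Red II, followed by %u-encoded machine code) follows the public CERT write-ups CA-2001-19 and CA-2001-23. The log field order (date, time, client IP, method, URI stem, URI query, server port, status) is an assumption about how the server was configured, and the log lines themselves are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Request signature distilled from the public CERT analyses of the worm
# (CA-2001-19 for Code Red, CA-2001-23 for Code Red II): a GET for
# /default.ida whose query is a long run of one filler byte ("N" or "X")
# followed by %uXXXX-encoded machine code.
IDA_STEM = re.compile(r"^/default\.ida$", re.IGNORECASE)
FILLER_RUN = re.compile(r"^([NX])\1{200,}")                # > 200 repeats of the same filler
UNICODE_ESCAPES = re.compile(r"(?:%u[0-9a-fA-F]{4}){4,}")  # run of %u-encoded words


@dataclass
class Hit:
    timestamp: str
    client: str
    port: int
    variant: str


def classify_request(stem: str, query: str) -> Optional[str]:
    """'CodeRed', 'CodeRedII', 'ida-probe', or None for an unrelated request."""
    if not IDA_STEM.match(stem):
        return None
    m = FILLER_RUN.match(query)
    if m and UNICODE_ESCAPES.search(query):
        return "CodeRed" if m.group(1) == "N" else "CodeRedII"
    return "ida-probe"   # any other hit on the .ida handler still deserves a look


def scan_iis_log(lines) -> List[Hit]:
    """Scan IIS W3C extended log lines; the field order is the one assumed in SAMPLE_LOG."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):      # skip blank lines and #Fields directives
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        date, time, client, method, stem, query, port, _status = fields[:8]
        if method.upper() != "GET":
            continue
        variant = classify_request(stem, "" if query == "-" else query)
        if variant:
            hits.append(Hit(f"{date} {time}", client, int(port), variant))
    return hits


# %u-encoded payload prefix as reproduced in the CERT advisory.
SHELLCODE = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
             "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed sample log using RFC 5737 documentation addresses; not a real capture.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port sc-status",
    "2001-07-19 10:32:11 192.0.2.10 GET /index.htm - 80 200",
    "2001-07-19 10:32:14 198.51.100.7 GET /default.ida " + "N" * 224 + SHELLCODE + " 80 200",
    "2001-08-04 03:15:42 203.0.113.5 GET /default.ida " + "X" * 224 + SHELLCODE + " 80 200",
    "2001-08-04 03:16:01 192.0.2.44 GET /default.ida - 80 404",
    "2001-08-04 03:17:22 192.0.2.10 POST /cgi/upload.asp - 80 200",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit.timestamp}  {hit.client:15s}  tcp/{hit.port}  {hit.variant}")
```

A 200 status on a flagged line means the .ida handler was mapped and the request was processed, which is exactly the condition the worm needed; a bare request for /default.ida with no payload is reported as a probe so that scanning hosts can be blocked before the exploit attempt arrives.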



Activity 3-4: Identifying Spyware
Launch Google search engine.
#1 - Search for spyware.
#2 - List some of your search results.
1-Spyware - Wikipedia, the free encyclopedia
2-Protect your computer
3-What is spyware?

#3 - Write a description of spyware based on one of the sites you listed in step 2.
- A Word Definition From the Webopedia Computer ... description of spyware:
Any software that covertly gathers user information through the user's Internet connection without his or her knowledge.
#4 - Go to the site http://www.spywareguide.com
#5 - Click the list of products link.
#6 - Choose a product from the list, and write a brief description of the spyware.
List of product description:
Advanced KEYLOGGER can capture passwords and logins, keep track of all keystrokes, record all Internet activity, keep screen visual statistics, watch everything opened, typed and saved, monitor instant messaging software, keep tabs on all e-mail clients, send reports secretly to your e-mail address, and reveal others' secrets.



Activity 3-5: Identifying MS Buffer Overflow Vulnerabilities


Launch the site: www.microsoft.com

#1 - Search for "MS03-041"

#2 - Review the vulnerability.

#3 - If you were logged on as Administrator, or equivalent, what rights would the ActiveX control have over the computer?

A= The control runs with the rights of the logged-on user, so an attacker would have full (administrator-level) control of the computer.

#4 - What recommendations would you give to a customer running Windows 2000, service pack 2?

A= Apply the patch included with Microsoft Security Bulletin MS03-040 and install the Outlook E-mail Security Update.

#5 - Search the Microsoft site for "MS03-042"

#6 - Which ActiveX control has a buffer overflow vulnerability?
 

A= A security vulnerability exists in the Microsoft Local Troubleshooter ActiveX control.


#7 - If a customer has Windows XP, what recommendations would you give?

A= None; this bulletin affects only Windows 2000.