Destructive Devices

 Destructive devices are software programs or techniques that accomplish either of the following objectives:

- Harassment

- Destruction of data

These devices are all relatively low-level tools and techniques, more likely to be employed by immature users, disgruntled employees, or kids. Such tools and techniques are an embarrassment to the serious computing community, but they exist nonetheless. It is important that new system administrators (and indeed, average users) know about such destructive devices, so we have included them here even though they are not front-line security issues for most networks.

 The use of these devices is becoming widespread. With the rise of the GUI (and the increased availability of programming tools and languages to the general populace), this trend can only be expected to continue.

 It should be noted that destructive devices can be a security risk for small networks or single servers. If your box is hooked up via Ethernet with a fast connection and you have only one mail server, an e-mail bomb attack on one of your users could temporarily grind your machine to a halt.

 We have chosen to highlight four key utilities within the destructive device class:

- E-mail bombs and list linking

- Flash bombs and war scripts

- Denial-of-service tools

- Viruses

 Of these items, only the last two (denial-of-service tools and viruses) are of any real consequence. They have the potential for real damage or, equally dangerous, serious breach of a server's security. The first two, in contrast, have been briefly dealt with in previous chapters. Here, I take a more comprehensive look at these innocuous but irritating tidbits.

 The E-mail Bomb

We cannot say for certain when the first user "e-mail bombed" another. However, I imagine it wasn't long after e-mail became available. (Old-timers adamantly dispute this, explaining that they were far too responsible for such primitive activity. Hmmm.) In any event, in this section you will find the key utilities being distributed for this purpose.

 Up Yours

The Up Yours mail-bombing program is probably the most popular bomber out there. It uses minimal resources, does a superb job, has a simple user interface, and attempts to obscure the attacker's source address. Features of the program include being able to specify times of day to start and stop as well as the number of messages with which it will hammer the target.

 KaBoom

KaBoom differs significantly from Up Yours. For one thing, KaBoom has increased functionality. For example, traveling from the opening screen (see Figure 14.2) to the main program, you find a list-linking utility. Using this function, you can subscribe your target to hundreds of e-mail lists.

 Avalanche

The Avalanche e-mail bombing utility works smoothly and is well designed. The list groups are displayed in a drop-down combo box, and their individual lists are displayed in a list box. Three clicks of a mouse and your target is in hot water.

 Unabomber

The Unabomber utility is a rudimentary tool, but one must give the author credit for humor. As you can see in Figure 14.4, Unabomber offers no list-linking capabilities. It is essentially a flat e-mail bomber and does no more than send messages over and over. One interesting element is that Unabomber comes with a help function.

 eXtreme Mail

eXtreme Mail is well programmed. It has all the basic features of a commercial application, including an interactive installation process. The installation process performs all the routine checks for disk space, resources, and so forth. It also observes proper registry conventions and is easily uninstalled. This is a relatively new mail bomber, and apparently, the name eXtreme is also the name of the group that produced the software.

 Homicide

The Homicide utility was written by a youngster with the moniker Frys and was discontinued in 1996. The author claims that he wrote the utility because Up Yours 2.0 was inadequate as an e-mail bombing tool. However, with the release of Up Yours 3.0, Frys apparently decided to discontinue any further releases.

 The UNIX MailBomb

This UNIX e-mail bomber is reportedly written by CyberGoat, an anonymous cracker out in the void. The programming is so-so. In fact, the author made no provision for the case where the originating server restricts the number of processes a user may run.
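The risk noted earlier is that a bomb against a single user can grind a small mail server to a halt, so the practical defence is to notice the burst early. The following is an added example (not code from the book or from any of the tools above) that flags recipients receiving an abnormal number of messages inside a sliding time window; it groups by recipient rather than sender because, as described above, bombers forge the source address. The log format and addresses are constructed for the example, not a real MTA's format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, simplified mail-log format (not a real MTA's format), one
# delivery per line in chronological order:
#   <ISO timestamp> from=<sender> to=<recipient>
LINE_RE = re.compile(r"^(\S+) from=<([^>]*)> to=<([^>]+)>$")


def parse_line(line):
    """Return (timestamp, sender, recipient), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3).lower()


def detect_bombs(lines, window_seconds=60, threshold=20):
    """Flag recipients that receive more than `threshold` messages within any
    sliding window of `window_seconds`. Returns {recipient: peak count}.
    Keyed on the recipient: a bomber's sender address cannot be trusted."""
    windows = defaultdict(deque)  # recipient -> timestamps inside current window
    flagged = {}                  # recipient -> largest in-window count observed
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _sender, rcpt = parsed
        q = windows[rcpt]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop deliveries that fell out of the window
        if len(q) > threshold:
            flagged[rcpt] = max(flagged.get(rcpt, 0), len(q))
    return flagged


# Constructed sample log: normal traffic to bob, plus a 25-message burst to
# victim within 24 seconds, each message carrying a different forged sender.
SAMPLE_LOG = [
    "2001-06-01T09:00:00 from=<alice@example.org> to=<bob@example.com>",
    "2001-06-01T09:00:45 from=<carol@example.net> to=<bob@example.com>",
] + [
    f"2001-06-01T09:01:{i:02d} from=<fake{i}@nowhere.invalid> to=<victim@example.com>"
    for i in range(25)
] + [
    "2001-06-01T09:10:00 from=<dave@example.org> to=<bob@example.com>",
]

if __name__ == "__main__":
    print(detect_bombs(SAMPLE_LOG))  # {'victim@example.com': 25}
```

Tune the window and threshold to the site's normal peak per-recipient rate; a hit is a cue to rate-limit or quarantine delivery to that mailbox rather than let the queue swamp the host.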

 IRC: Flash Bombs and War Scripts

 Flash utilities (also referred to as flash bombs) belong to a class of munitions that are used on Internet Relay Chat (IRC). IRC is the last free frontier because it is spontaneous and uncontrollable. It consists of people chatting endlessly, from virtual channel to virtual channel. There is no time for advertisements, really, and even if you tried to push your product there, you would likely be blown off the channel before you had a chance to say much of anything.

In this respect, IRC is different from any other networked service on the Internet. IRC is grass-roots and revolutionary Internet at its best (and worst), and in all likelihood, it will remain that way forever.

 IRC was developed in Finland in the late 1980s. Some suggest that its purpose was to replace other networking tools of a similar ilk (for example, the talk service in UNIX). Talk is a system whereby two individuals can communicate on text-based terminals. The screens of both users split into two parts, one for received text and one for sent text. In this respect, talk operates a lot like a direct link between machines using any of the popular communications packages available on the market (Qmodem and ProComm Plus are good examples). The major difference is that talk occurs over the Internet; the connection is bound by e-mail address. For example, to converse with another party via talk, you issue a command as follows:

 talk person@provider.com

 This causes the local talk program to contact the remote talk daemon. If the person is available (and hasn't disabled incoming connections via talk), the screen soon splits and the conversation begins.

 IRC differs from talk in that many people can converse at the same time. This was a major innovation, and IRC chatting has become one of the most popular methods of communication on the Net.

 crash.irc

 Although not originally designed for it, crash.irc will blow a Netcom target out of IRC. In other words, an attacker uses this utility to force a Netcom user from a channel (Netcom is a very large ISP located in northern California).

 botkill2.irc

 The botkill2.irc script kills bots. Bots are other automated scripts that run in the IRC environment.

 ACME

 ACME is a typical "war" script. Its features include flooding (where you fill the channel with garbage, thereby denying others the ability to communicate) and the ability to auto-kick someone from a channel.

 Denial-of-Service Tools

We examine denial-of-service attacks in a more comprehensive manner elsewhere in this book. Here, we will refrain from discussing how such attacks are implemented, but will tell you what tools are out there to do so.

 Ancient Chinese "Ping of Death" Technique

This technique for killing a Windows NT 3.51 server has, on more than one occasion, been given this name. (It is more commonly called simply "Ping of Death.") It is not a program, but a simple technique that involves sending abnormally large ping packets. When the target receives (or in certain instances, sends) these large packets, it dies. The result is a blue screen with error messages from which the machine does not recover.

 Syn_Flooder

 Syn_Flooder is a small utility, distributed in C source, that when used against a UNIX server will temporarily render that server inoperable. It utilizes a standard technique of flooding the machine with half-open connection requests. The source is available on the Net, but I will refrain from printing it here. This is a powerful tool and, other than its research value, it is of no benefit to the Internet community. Using such a tool is, by the way, a violation of federal law, punishable by a term of imprisonment. The utility runs on any UNIX machine, but was written on the Linux platform by a well-known hacker in California.

 DNSKiller

 DNSKiller is a C program written and intended for execution on the Linux platform. It is designed to kill the DNS server of a Windows NT 4.0 box.

 cbcb.c

cbcb.c is the filename for Cancelbot, written in C. This utility can be used to target the Usenet news postings of others. It generates cancel control messages for each message fitting your criteria. Using this utility, you can make thousands of Usenet news messages disappear. Although this is not traditionally viewed as a denial-of-service attack, I have included it here simply because it denies the target Usenet service or, more directly, denies him his right to self-expression (no matter how obnoxious his opinion might seem to others).

 win95ping.c

 The win95ping.c file is C source code and a program to reproduce and implement a form of the Ping of Death attack from a UNIX box. It can be used to blow a machine off the Net temporarily (using the oversized Ping packet technique). There are two versions: one for Linux, the other for BSD 4.4 systems.

Other resources exist, but most of them are shell scripts written for use on the UNIX platform. Nevertheless, I would expect that within a few months, GUI tools for Windows and Mac will crop up. Denial-of-service (DoS) attacks are infantile and represent only a slightly higher level of sophistication than e-mail bombing. The only benefit that comes from DoS attacks is that they will ultimately provide sufficient incentive for the programming community to completely eliminate the holes that allowed such attacks in the first place.

Virus

A COMPUTER VIRUS, in Fred Cohen's definition, is a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself. Note that a program does not have to perform outright damage (such as deleting or corrupting files) in order to be called a "virus". However, Cohen uses the terms within his definition (e.g. "program" and "modify") a bit differently from the way most anti-virus researchers use them, and classifies as viruses some things which most of us would not consider viruses.

Top 20 viruses*

1. W32.Magistr@mm
2. W32.BadTrans.A@MM
3. W32.Hybris
4. VBS.LoveLetter Family
5. W95.MTX
6. W32.Qaz
7. W32.Funlove
8. W32.Navidad
9. VBS.Haptime@MM
10. W95.CIH
11. VBS.KakWorm
12. O97M.Tristate
13. VBS.VBSWG.X@mm
14. VBS.VBSWG.Z@MM aka VBS.Mawanella.@mm
15. X97M.Laroux
16. X97M.Divi
17. W97M.Marker Family
18. W97M.Melissa.BG
19. W97M.Thursday Family
20. W97M.Ethan Family

*Source: http://securityportal.com/research/research.top20.html

As always, it is recommended that you avoid opening e-mail attachments, regularly update antivirus software, use an on-access scanner, and back up important work often. For more assistance, e-mail the experts, get antivirus tips, and subscribe to the mailing lists that announce new viruses.

 Destructive devices are of significant concern not only to those running Internet information servers, but to all users. Many people find it hard to fathom why anyone would create such programs, especially because data is now so heavily relied on. This is a question that only virus writers can answer. In any event, every user (particularly those who use the Internet) should obtain a basic education in destructive devices. If you are now using the Internet, it is very likely that you will eventually encounter such a device. For this reason, you must observe one of the most important commandments of computer use: back up frequently. If you fail to observe this, you may later suffer serious consequences.