Abstract

ly, a port specifies the endpoint of a connection on a networked device. Ports are identified as numbers. Many port numbers are standardized[14] and denote a specific network or application protocol (e.g. port number 80 for HTTP or 23 for Telnet). A lot of the software components serving the respective protocols contain well-known and well-documented vulnerabilities or weaknesses (for instance, a system with anonymous login enabled). Thus, it is only a matter of finding computers that make use of those vulnerable protocols in order to try and attack the affected systems.

This search can be automated using a number of tools. One famous example is SATAN (Security Administrator Tool for Analyzing Networks). SATAN is downloadable at no charge and comes with an easy-to-use HTML-based user interface. The tool automatically and efficiently scans any given host (or the respective subnet) for a number of known vulnerabilities and produces a clear and readable report. This report can then be used as a basis to look for actual vulnerabilities.[15]

2.3. How to Write a Computer Virus

Computer viruses and worms are a common way of accessing computer systems without authorization. The effects differ: some viruses merely cause annoyance and inconvenience; others affect the functionality and stability of computing environments or compromise the confidentiality or integrity of (sometimes valuable) information. Three major aspects are important if someone wants to write their own computer virus:

● Payload. What does the virus do once it has infected a system? The amount of damage to be caused by the virus is arbitrary and can be freely specified by the author;
● Delivery and Propagation. How does the virus reach the target systems? And, in case of a (self-propagating) worm, how does the worm automatically spread to other computer systems?
● Execution. How is the virus payload executed on the target machine? Computer viruses are not dangerous as long as they are not executed.

There are two generic methods of ensuring that a virus is executed: (1) The virus can be programmed to exploit one of the countless vulnerabilities that exist in many of today’s mail clients or operating system components. Consequently, these types of viruses are executed without any form of user interaction; (2) Alternatively, the virus can rely on user interaction, in which case the virus is typically delivered as a simple e-mail attachment with a subject heading and content that invites people to open the attachment. The virus is executed as soon as the attachment is opened.

Short Analysis of the ILOVEYOU Worm

This section gives a short overview of the infamous ILOVEYOU worm by exploring each of the three aspects identified above. The goal is to give some insights into the internals of a virus (or worm) and show how easy it is to create this digital germ.

● Payload: The ILOVEYOU worm is written in Visual Basic Script, an easy-to-learn and powerful programming language by Microsoft, which is often used in (dynamic) web pages or e-mails. The complete payload of the ILOVEYOU worm serves the purpose of self-propagation exclusively, and no further damage is done. Among other activities,[16] the worm searches for certain types of files on the target machine and modifies those files depending on the type of file. It will, for instance, replace all occurrences of JPEG files (a commonly used image format) with a copy of itself and add the .vbs extension (denoting a Visual Basic Script file). If the user later tries to open one of the modified JPEG files, he or she will not see the image but rather (re-)activate the worm. The respective excerpt from the worm’s source code is given in Figure 2:[17]
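Added defensive example, not from the paper and not the worm's source: a triage scan for the artifact described above, files whose name carries a JPEG extension followed by .vbs. It goes one step beyond the text by clustering the hits on their SHA-256, since many byte-identical scripts under image names are what "a copy of itself" leaves behind; the names `is_masquerading`, `scan_tree` and `DECOY_EXTS` are this example's own.

```python
import hashlib
import os
from collections import defaultdict

# Assumption: decoy extensions to look for in front of ".vbs". The text only
# names JPEG; extend the set to match your environment.
DECOY_EXTS = {".jpg", ".jpeg"}
SCRIPT_EXT = ".vbs"


def is_masquerading(name):
    """True for names like 'photo.jpg.vbs' (decoy extension + .vbs)."""
    stem, ext = os.path.splitext(name.lower())
    return ext == SCRIPT_EXT and os.path.splitext(stem)[1] in DECOY_EXTS


def scan_tree(root):
    """Walk root and return clusters of byte-identical masquerading scripts.

    Each cluster holds the SHA-256 of the content, the matching paths, and
    how many of them have no surviving original beside them
    (e.g. 'photo.jpg.vbs' present but 'photo.jpg' gone).
    """
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_masquerading(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            by_hash[digest].append(path)

    clusters = []
    for digest, paths in by_hash.items():
        # Strip the trailing ".vbs" to get the name the original image had.
        orphaned = sum(1 for p in paths
                       if not os.path.exists(p[:-len(SCRIPT_EXT)]))
        clusters.append({"sha256": digest, "paths": sorted(paths),
                         "orphaned": orphaned})
    # Largest clusters first: many identical copies is the strongest signal.
    return sorted(clusters, key=lambda c: len(c["paths"]), reverse=True)
```

A cluster with several paths and a high `orphaned` count means the images themselves are gone, so recovery has to come from backups rather than from renaming the files.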
