JavaScript Botnets
Anybody who has had even a slight brush with the security industry would have heard of botnets at least once. Botnets are a group of computers compromised and controlled by an attacker; these computers, or zombies, perform any actions that the attacker commands. Botnets are usually created by compromising the victims' systems with some remote code execution exploit and then installing backdoors on them. The attackers must keep working on exploits for 0-days or newly discovered vulnerabilities to be able to infect more victims. Even then they are usually restricted to only one platform unless they have exploits and backdoors for the different platforms out there. There is another type of remote code execution that is far easier to perform: JavaScript in web pages. Executing JavaScript on someone's system does not require any 0-days or exploits but simply requires the person to visit a website. Moreover, the same piece of JavaScript works across all OSs and platforms (desktops, tablets, mobiles etc.). Every time a user clicks on a link he is giving a remote website an opportunity to execute code (JavaScript) on his machine. This window of opportunity is widened by tabbed browsing. Most users have multiple open tabs and most tabs remain open throughout the browsing session, which could stretch for hours. This enables an external entity to utilize the user's processing power and bandwidth for its malicious needs. Spammers, especially on sites like Twitter, have been able to get thousands of users to click on their links in very short durations. JavaScript is believed to be handicapped by performance constraints and the restrictions enforced by the browser sandbox. This however is a misconception, as JavaScript engines have become extremely fast over recent years. Moreover, HTML5 introduces WebWorkers, a threading model for JavaScript. This lets any website start a background JavaScript thread unknown to the user and execute code without slowing down the browser or making it unresponsive.
2) Extending execution lifetime: Once a victim visits the attacker-controlled page it is essential to keep this page open in the victim's browser for as long as possible. This can be done by using a combination of Clickjacking and Tabnabbing. When the page is loaded, it contains an invisible link with the target attribute set to _blank. This link is always placed under the mouse pointer using the document.onmousemove event handler. This way, when the victim clicks anywhere on the page a new tab opens and grabs the victim's attention. With multiple tabs open the likelihood of the victim coming back to the main tab and closing it is reduced. To add to this effect, Tabnabbing can be used to refresh the page after the user leaves it, updating the favicon and appearance to resemble popular websites like YouTube, Google or Facebook so that the page blends in with the other tabs the victim would usually have open. There is a working demo[http://www.andlabs.org/hacks/xtend_life.html] for this available on the Attack and Defense Labs website.
1) Application-level DDoS attack: Application-level DDoS is an effective type of DDoS attack that has affected even sites like Twitter. Usually these attacks involve a large number of HTTP requests to specific sections of the website that could potentially be resource intensive for the server to process. Background JavaScript threads started using WebWorkers can send cross-domain XMLHttpRequests even though the remote website does not support it: the Cross Origin Request security restriction applies only to reading the response. A website that does not support Cross Origin requests will still process these requests, thereby creating load on the server. A simple request like http://www.target.site/search_product.php?product_id=% when sent in large numbers can create severe performance issues on the server. A browser can send a surprisingly large number of GET requests to a remote website using COR from WebWorkers. During tests it was found that around 10,000 requests/minute can be sent from a single browser. With even a very small botnet of just 600 zombies we would be sending around 100,000 requests/sec; depending on the nature of the page being requested, this could be enough to bring a website down. After I wrote about DDoS attacks with COR a very smart person[http://shellex.info] showed me that similar numbers could also be achieved by using the img tag to request remote resources. Ben Schmidt has gone one step further by creating a malicious URL shortening service called d0z.me[http://d0z.me/]. d0z.me seems to work like any other URL shortening service but it actually shows the destination page in an iframe while performing DoS attacks on a target website from the victim's browser. It executes this so well that it is extremely unlikely that the user will even sense that he is part of a DDoS attack.

2) Email Spam: Spam mails are largely sent using open-relay mail servers and botnet zombies. Though it would not be possible to use a regular open-relay mail server from JavaScript, it would still be possible to send such spam mails through the web equivalent of open-relay mail servers. Many websites have feedback sections which ask the user to enter their name, email ID, subject and feedback. Once these are entered and the form is submitted, the server crafts this into an email, with hardcoded from and to mail addresses, and sends it to the internal mail server. Poorly designed websites contain the from and to mail addresses in hidden form fields in the browser, and by overwriting them with external addresses it should be possible to send mails with spoofed addresses if the company's mail server is also configured to operate in open-relay mode. Since only GET requests can be sent through COR, the feedback form should either be sending all data in the QueryString or it should not be differentiating between QueryString and POST parameters. Alternatively, if it is a JSP page then HTTP Parameter Pollution can be used to submit forms over GET.

3) Distributed password cracking: Password cracking has always been a task assigned to programs written in native code, with performance enhanced by writing some sections in Assembly. With its relatively slower execution rate JavaScript has never been considered for performing such resource-intensive tasks. Things however have changed: JavaScript engines in modern browsers are becoming increasingly fast and the concept of WebWorkers allows creation of dedicated background threads for the purpose of password cracking. During our tests it has been possible to observe password guessing rates of 100,000 MD5 hashes/second in JavaScript. This figure is still slow compared to native code, which can easily loop through a few million MD5 hashes/second on a machine of similar configuration. The JavaScript approach has been found to be on average about 100-115 times slower than native code, but it more than makes up for this in scalability. ~110 machines running the JavaScript password cracking program can match the cracking rate of one machine running a similar program written in native code. As shown in the previous sections it would be very easy to build a botnet of a few thousand zombies executing our JavaScript password cracker in the background. Even with 1100 zombies our cracking rate would be equivalent to that of 10 machines of similar configuration running a password cracker written in native code. An effective botnet creation effort could potentially get hundreds of thousands of such zombies to crack password hashes, providing unimaginable computing capability. I have built Ravan[http://www.andlabs.org/tools/ravan.html], a JavaScript distributed hash cracking system which is an implementation of this concept, designed to be used for legitimate needs.
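Seen from the targeted server, the application-level flood described in section 1) shows up in the access log as a handful of client IPs hammering one resource-intensive path, all carrying the Referer of the page that hosts the script. The following is an added example, not part of the original article or of any tool it mentions: it parses combined-format access-log lines (constructed sample data, with made-up IPs and a placeholder hosting page), finds clients whose peak per-minute rate to the watched path exceeds a threshold, and lists third-party Referer hosts shared by several distinct clients. Paths, hosts and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; the Referer field is what ties many
# victim browsers back to the single page that is driving them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TIME_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def peak_rate_per_ip(records, window_seconds=60):
    """Peak number of requests from each client IP inside any sliding window."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for rec in sorted(records, key=lambda r: r["ts"]):
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return dict(peak)


def foreign_referers(records, own_hosts):
    """Distinct client IPs per third-party Referer host (browsers send the hosting page's URL)."""
    ips_by_host = defaultdict(set)
    for rec in records:
        ref = rec["referer"]
        if not ref or ref == "-":
            continue
        host = ref.split("/")[2] if "://" in ref else ref
        if host not in own_hosts:
            ips_by_host[host].add(rec["ip"])
    return {h: len(ips) for h, ips in ips_by_host.items()}


def find_floods(lines, watched_paths, own_hosts, rate_threshold=100, referer_threshold=3):
    """Return (flooding IPs -> peak rate, foreign Referer hosts -> distinct client count)."""
    records = [r for r in map(parse_line, lines) if r and r["path"] in watched_paths]
    rates = peak_rate_per_ip(records)
    flooding_ips = {ip: n for ip, n in rates.items() if n >= rate_threshold}
    hosting = foreign_referers(records, own_hosts)
    hosting_pages = {h: n for h, n in hosting.items() if n >= referer_threshold}
    return flooding_ips, hosting_pages


def build_sample_log():
    """Constructed sample: three browsers each send 150 requests in 60 s to the
    search page, all referred by one external page; 20 ordinary visitors arrive
    from the site's own catalogue page. Hostnames and IPs are made up."""
    t0 = datetime(2010, 12, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{ref}" "Mozilla/5.0"'
    lines = []
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        for n in range(150):
            ts = t0 + timedelta(milliseconds=400 * n + i)
            lines.append(fmt.format(ip=ip, ts=ts.strftime(TIME_FMT),
                                    path="/search_product.php?product_id=%",
                                    ref="http://hosting-page.example/index.html"))
    for n in range(20):
        ts = t0 + timedelta(seconds=3 * n)
        lines.append(fmt.format(ip="198.51.100.%d" % (n + 1), ts=ts.strftime(TIME_FMT),
                                path="/search_product.php?product_id=42",
                                ref="http://www.target.site/catalog.html"))
    return lines


if __name__ == "__main__":
    ips, pages = find_floods(build_sample_log(), {"/search_product.php"}, {"www.target.site"})
    print("flooding clients:", ips)
    print("external pages shared by flooding clients:", pages)
```

The per-IP rate catches a single aggressive browser; the shared foreign Referer is what distinguishes many ordinary users from many browsers being driven by one page.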
Installation of Ourmon
Ourmon can be downloaded from http://sourceforge.net/projects/ourmon/. The latest version is ourmon29.tar.gz. Installation of Ourmon is a bit tricky because it depends on many things: the OS you are using, the web server that is running and some specific libraries. The following libraries need to be installed before installing Ourmon:
- libpcap-devel
- pcre
- pcre-devel
- rrdtool
- rrdtool-perl
You can use "yum install" or "zypper install", whichever suits you best. Also make sure that all these libraries and devel tools are compatible with the version of your OS. You also need to install a web server for the GUI display of results. For this article, we have used Fedora as the OS. Here is the screen print of the installation.
---------------------------------------------------
[root@localhost mrourmon]# ./makeclean.sh
[root@localhost mrourmon]# ./configure.pl
configuration script to install ourmon.
note: default is suggested like so: [default]
note: just hit carriage-return for default actions
-------------------------------
Would you like to install the ourmon probe? [y] y
Front-end configuration phase started ####################
Would you like to compile/install ourmon? [y] y
ourmon build: using make -f Makefile.linux
cc -I. -I/usr/local/include -O4 -DLINUX -DDAEMON -c ourmon.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ipanalyze.c
cc -I. -I/usr/local/include -O4 -DLINUX -c machdep.c
cc -I. -I/usr/local/include -O4 -DLINUX -c util.c
cc -I. -I/usr/local/include -O4 -DLINUX -c interfaces.c
cc -I. -I/usr/local/include -O4 -DLINUX -c filter.c
filter.c: In function write_report:
filter.c:1324: warning: passing argument 7 of print_icmplist makes integer from pointer without a cast
hashicmp.h:62: note: expected int but argument is of type int *
filter.c:1324: warning: passing argument 8 of print_icmplist from incompatible pointer type
hashicmp.h:62: note: expected char * but argument is of type char (*)[1024]
cc -I. -I/usr/local/include -O4 -DLINUX -c monconfig.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashsort.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashport.c
cc -O4 -DLINUX -c signal.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashsyn.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashicmp.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashscan.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ircscan.c
cc -I. -I/usr/local/include -O4 -DLINUX -c trigger.c
cc -I. -I/usr/local/include -O4 -DLINUX -c cprogram.c
cc -I. -I/usr/local/include -O4 -DLINUX -c nonipanalyze.c
cc -I. -I/usr/local/include -O4 -DLINUX -c patmatch.c
cc -O4 -DLINUX -c spinlock.c
cc -O4 -DLINUX -c sync.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ourpcap.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashblist.c
cc -O4 -DLINUX -c thread.c
cc -I. -I/usr/local/include -O4 -DLINUX -c stringstore.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashdns.c
cc -O4 -DLINUX -c pktlinux.c
cc -O4 -o ourmon ourmon.o ipanalyze.o machdep.o util.o interfaces.o filter.o monconfig.o hashsort.o hashport.o signal.o hashsyn.o hashicmp.o hashscan.o ircscan.o trigger.o cprogram.o nonipanalyze.o patmatch.o spinlock.o sync.o ourpcap.o hashblist.o thread.o stringstore.o hashdns.o pktlinux.o -lpcre -lpcap /usr/lib/libJudy.a
Next we determine the ourmon config/filter file to use.
By default, we use the local /opt/ourmon/mrourmon/etc/ourmon.conf to provide input filters to ourmon.
WARNING: you should read/edit/understand ourmon.conf!
Do you want to use another ourmon.conf file in some other directory than /opt/ourmon/mrourmon/etc? [n] n
Next we suggest one modification to the ourmon.conf file.
If this is a default install, you should change the following config directive:
topn_syn_homeip network/netmask
and set it to your home network and mask (A.B.C.D/maskbits style)
Do you want to change the topn_syn home network address? [y] y
note: the home net address may be a subnet or host address (/32).
enter a home net address and mask. [127.0.0.1/32] 192.168.0.17/24
netmask: 192.168.0.17/24
Do you want to install the ourmon startup script in the ourmon bin? [y] y
WARNING: the default for the interface may not be what you want.
WARNING: use #ifconfig -a to determine interfaces.
Please enter the input interface name to sniff from: [eth0] eth0
input interface is eth0
Please enter directory for probe output files (mon.lite, etc.): [/opt/ourmon/mrourmon/tmp] /opt/ourmon/mrourmon/tmp
probe output directory name is: /opt/ourmon/mrourmon/tmp
Creating bin/ourmon.sh driver for startup of ourmon.
ourmon.sh placed in ourmon bin for ourmon front-end/probe startup
./ourmon.sh start
WARNING: this is a gross guess and it may be best handled by you yourself!
WARNING: linux has at least two major variations in distributions in this area!
install the startup script (bin/ourmon.sh) in /etc somewhere for boot startup? [y] y
ourmon front-end install complete
ourmon front-end build worked
You should now run /opt/ourmon/mrourmon/bin/ourmon.sh to start ourmon
e.g., # /opt/ourmon/mrourmon/bin/ourmon.sh start
You can use ourmon.sh stop to stop ourmon
part 2: install the back-end, omupdate.pl, etc. (web part)? [y] y
Back-end configuration phase started ################################
We need a local web directory for generated web output.
hint: the webpath given here is a guess: give the CORRECT base web directory with /ourmon at the end
enter absolute web server web path directory: [/var/www/apache2default/ourmon] /var/www/html/ourmon
your output web path is: /var/www/html/ourmon
Do you want to create the web directory for ourmon? HINT: good idea if it doesn't exist. [y] y
mkdir: cannot create directory `/var/www/html/ourmon': File exists
cp bard/* /var/www/html/ourmon/bard
cp batchip.sh batchipall.sh omupdate.sh /opt/ourmon/mrourmon/bin
cp *.pl /opt/ourmon/mrourmon/bin
cp mklogdir.sh /opt/ourmon/mrourmon/bin
chmod +x /opt/ourmon/mrourmon/bin/*.sh
chmod +x /opt/ourmon/mrourmon/bin/*.pl
INFO only: also setting up logging directory (if needed)
creating log rrddata tmp dirs, if necessary, in /opt/ourmon/mrourmon
hit CR to continue:
If different, enter front-end output file directory absolute path: [/opt/ourmon/mrourmon/tmp]
probe output file path (back-end input/s) is /opt/ourmon/mrourmon/tmp
Now we copy supplied .html files to the web directory for later editing
do you want to copy base web files to the web directory? [y] y
INFO only: setting up local rrdbase directory at /opt/ourmon/mrourmon/rrddata
your runtime rrds get stored in this directory, along with the rrd error log file
if you create new BPF filters, check rrdbase/ourmon.log for errors.
hit CR to continue:
We need a UDP weight threshold for UDP scan alerts
what should be the weight (default is given): [10000000]
Install backend crontab commands in /etc/crontab (default answer y)?: [y] y
ourmon system config complete
see INSTALL for post-config sanity checking
[root@localhost mrourmon]# ls
ACKS CHANGES dumps INSTALL makeclean.sh README.bsd README.openbsd scripts tmp ubuntudep.sh VERSION bin configure.pl etc logs README README.linux rrddata src TODO uninstall.txt web.pages
[root@localhost mrourmon]# cd bin/
[root@localhost bin]# ls
batchipall.sh daily.pl logbackup.pl mklogdir.sh ombatchip.pl ombatchsyn.pl omupdate.sh ourmon.sh ssh.pl udpreport.pl batchip.sh irc.pl makebar.pl monbackup.pl ombatchipsrc.pl omupdate.pl ourmon sshdb.pl tcpworm.pl wormtolog.pl
[root@localhost bin]#
---------------------------------------------------
When in doubt, read the supplied INSTALL file under mrourmon/ as shown above. We can detect botnets from the GUI screen of Ourmon, which runs continuously. Reports are generated on a daily, weekly, monthly and yearly basis. Here are some screenshots of the results. Note that we are showing screenshots of a private network; in a real-world scenario the screenshots will be different, but the installation procedure and the way results are viewed remain the same.
[Screenshots, not reproduced here: DNS RRDs; UDP Summarizations]
It is a huge tool and it can be used for multiple purposes. Users are encouraged to go through the tool carefully and discover its many interesting features. We can also see the evil channel sorts, which show us all four types of IRC messages (PINGs, PONGs, JOINs and PRIVMSGs). An IRC channel having more than a few clients with high maxworm values can be a potential botnet channel. Also, non-scanning hosts in an evil channel could be botnet servers.
Further Reading
1. "Ourmon and Network Monitoring Performance", James Binkley, Bart Massey, April 2005 Freenix/USENIX paper.
2. "Anomaly-based Botnet Server Detection", James R. Binkley, Computer Science, PSU, FLOCON CERT/SEI, Vancouver WA, October 2006.
3. "Traffic Analysis of UDP-based flows in Ourmon", Jim Binkley and Divya Parkeh, FLOCON CERT/SEI 2009, Phoenix, Arizona.
Documentation
1. http://sourceforge.net/projects/ourmon/
2. http://ourmon.sourceforge.net/
Malware is any malicious computer program which intentionally or unintentionally causes harmful, irritating or unrecoverable damage to one's computer systems. There are various types into which malware can be categorised, viz.:
- Viruses: file infectors, inserting/appending code into the original code, which executes when the file is accessed.
- Worms: self-replicating programs which propagate through networks.
- Trojans: programs which disguise themselves as normal programs but steal/sniff the victim's data and send it to the attackers/infectors.
- Rootkits: a sophisticated malware category, stealthy enough to evade detection and designed to perform maximum damage.
- Spyware: fake copies of original programs, which are not harmful in themselves but are disguised to open backdoors into the system for further attacks.
- Ransomware: normally termed as spyware, but specifically used for money laundering and economic fraud.
And of course, the newly evolving technique of Bots/Botnets.
The Botmaster tries to install the malicious code on the user's system by wooing them into accessing/downloading a fake file. Once the system is infected with the code, it tries to infect other systems connected to it. The infected systems are known as Zombies. Thus the infection spreads exponentially through computer systems and an army of zombies is created. All the Zombies are connected to the attacker by a Command and Control Center (C&C). Using this, the attacker can send any commands to all systems to which the connection has been established. All this happens with absolutely no knowledge of the user.

When a botnet is being considered, some of the important aspects involved are Botnet Control Methodology, Zombie Control Techniques, Propagation Techniques, Target Exploit Techniques, File Delivery, and the Deception and Attack Strategies used. All the above points define the architecture of a Botnet.

Botnet Control Methodology: When an attacker writes code to deploy a botnet, the attacker first needs a control mechanism to find his victims, deploy the botnet and have control over the infected systems. When botnets were first deployed, the only mechanism used was IRC (Internet Relay Chat) servers. IRC servers were one of the most vulnerable and easy-to-use control mechanisms used by attackers to start a botnet. Attackers used to set up an IRC server and woo users into joining it. Once a user joined, attackers infected his/her system and deployed their stub for the botnet. Thus the infected system is turned into a Zombie. Most of the botnets analyzed to date used an IRC-based C&C mechanism, e.g., SDBot, Agobot, etc. But to create more sophisticated botnets attackers have already slowly moved on to P2P services, Dynamic DNS services, HTTP C&C, etc. One of the major advantages of these is that many organizations may not allow IRC connections into their network, but almost all allow services like HTTP.

Zombie Control Mechanism: To control the zombies, the attacker decides his own commands and protocols. Using these, attackers control the infected systems (zombies). Many known bots have their own set of commands to change passwords, download a file to the victim's computer, upload the victim's logs and gather the victim's sensitive information. Attackers change the passwords or deploy a backdoor so that access can be maintained the next time. Attackers disable the antivirus software in order to avoid detection/removal from the system.

Propagation Techniques: As mentioned earlier, once a system gets infected with the botnet, it can itself infect other machines connected to it. For example, if one system gets infected, it tries to infect other systems connected to it, so there are now two systems spreading the botnet. Thus the botnet spreads exponentially. (Remember the movie scene where a snake-like thing spirals out from nowhere.) Attackers use different mechanisms for propagation. Attackers send emails to users and ask them to click on a malicious URL or to download a greeting/joke file. Automated code tries to perform a vertical or horizontal scan to find open ports on a single address or a range of addresses.

Deception and Attack Strategies: For a long time IRC-based bots could be used in a botnet without any hindrance. But with the increase in awareness among people about botnets, it has become easier to detect compromised machines. Hence attackers have started to come up with more and more sophisticated techniques to avoid detection. Common methods used are:
- disabling any AV programs found on the systems,
- disguising as a legitimate program,
- deleting system logs, etc.
Now attackers are even trying to hide in a system using rootkit technology. Rootkits are the most stealthy and undetectable malware. Attackers have been trying to incorporate this kind of technology to avoid detection.

Most of the systems which fall prey to botnets are often unpatched systems. Attackers try to exploit known vulnerabilities of a system. A specific botnet can be designed to exploit a specific vulnerability. In such cases, the attacker only makes changes to the malware it drops onto the victim's system. These kinds of botnets have the same basic architecture and hence are variants of their predecessors.

File Delivery: By now it is quite clear that every botnet involves some kind of malware which is deployed onto the victim machine. When a system has been compromised, the attacker acquires sufficient rights and sends/downloads malware onto the victim machine. The attacker may use utilities provided by the IRC server for download/upload purposes. The attacker may also use HTTP/FTP protocols to send/receive files depending upon the system vulnerabilities.
Botnets cause a significant amount of loss to an organization plagued by one. Once a system/network gets infected by a botnet it no longer belongs to the user/owner. The attacker can have full control of the system and can perform all kinds of malicious activities using it. If the current scenario of terrorism is taken into consideration, botnets can be an important weapon to affect a country's stability and infrastructure. According to recent observations, around 10,000 bot nodes are created per hour. Also, as stated in the Wikipedia page for Botnet, up to one quarter of all personal computers connected to the internet may be part of some botnet. There have been many attempts to bring down as many botnets as possible. But as the old saying goes, prevention is better than cure: it is always better to avoid getting infected than to detect and remove the infection afterwards. You never know how much damage has been done by the time of detection. Standard methods of computer security should be strictly followed in an organization. Keep users well acquainted with the best security practices to follow at the workplace. Even though content security products like AVs, IDS and IPS may not be able to detect newly emerging threats, it is still best practice to keep them updated.
From Cybercrime to Information Warfare, through Industrial Espionage

...world's top experts on RBN, the infamous Russian Business Network we used to hear about. Besides being a wonderful person and a highly skilled professional, Jart belongs to an international network of experts, closely working with Law Enforcement and the IT Industry while fighting cybercrime every day. Summing up our backgrounds, we have been able to develop this very first presentation on such topics, bridging both experiences and contacts, in order to build something new, aiming to bring a totally new approach to the subject. Given the amount and nature of feedback, both on-site (after my talk) and in the emails I've received, I may definitely say that we've been able to reach our goals :)

...for hacking resources to be hired, with specific goals. At the beginning, the US Government was informally seeking hackers, in order to attack and/or infiltrate the Al Qaeda communication network. I do remember requests related to hacking into Thuraya (http://www.thuraya.com/), a Middle-East based satellite operator. Intelligence gossip at that time was claiming that Al-Qaeda's members were seen using Thuraya phones, and obviously this may have led IAs to imagine a scenario in which, if somebody had been able to obtain both CDRs and satellite information of specific Thuraya users, then by analyzing and correlating those data, the war against one of the main actors in worldwide terrorism could have been won. Then time passed by, and no more requests for on-demand hacking of Thuraya's network were made to the world's most notorious old-school hackers, at least as far as I know. During 2002 and 2003 though, those guys witnessed a huge escalation of different requests, this time coming from US- and Israel-based IAs. These agencies were asking for 0-days, probably to be used in specific scenarios. Also, a few people got softly detailed requests to run black operations (hacking attacks for Intelligence purposes). 2005 saw the official claim of attacks pointing to China as their source, and the very big issue of the Source of the Attack, or Attack Source Attribution, popped up; it is still pending today. Finally, from 2008 up to now we started being aware of National Critical Infrastructures (NCIs) and the issues in trying to secure them, summed up to the very deep link with SCADA and Industrial Automation (IA) security.

Deep links do exist between Cybercrime and the concept itself of Information Warfare. This happens because today's information is digitally stored, parked on hard drives rather than on-line, from virtual hard drives to social networks, passing by the Cloud. So, we just said that this information is digital. This means, besides the media where it is stored, that it stays in a file: it could be an email file, an Excel or Word document, a PDF or a PowerPoint presentation, an Open Office document, a simple text (txt) note. But it's still a file, whose security relies on the operating system of the computer storing it, rather than the whole context and scenario around it: server farm rather than home users, so to speak. This is one of the main reasons why Industrial Espionage incidents have risen drastically in the last 20 years, thanks to the Digital Revolution and IT and TLC resources and chances. In both cases we found instruments like botnets, DDoS tools, 0-days and so on that, depending on the scenario itself, can be labeled as cybercrime tools or e-weapons. While the Underground Economy business model is indeed a wonderful and exciting study, it's my opinion that what we should learn and apply to our needs and scenarios from the cybercrime environment is mostly the technical-related part. Analysing the life of botnets, rather than reverse engineering the latest malware and 0-day exploited vulnerabilities, may lead us to a totally new world and perspectives, where the concept of electronic weapons to be applied and used in Information Warfare scenarios becomes totally true. We will witness an escalation of digital attacks, where some of them will become public while others will not. The recent NATO interest shown in Lisbon a few weeks ago is an important sign: in case of cyberattacks on a NATO Member, the other Members should support and help the State under attack. This means really a lot, and automatically includes perspectives such as Information Sharing, CERT (Gov and Mil ones, mainly) involvement, Incident Management, a Coordination Center, and establishing defined Points of Contact among all the Members, as well as defining the Chain of Cyber Command and how it will interlink and interact with the outside. Because the threat is global, just as cybercrime is borderless. What's already happening? Former Duma speaker Nikolai Kuryanovich, back in 2007, made a very strong but visionary statement: "In the very near future, many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers... This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces." Nowadays many States have already begun, through their Ministries of Defence, to work on topics such as an Official Cyber Doctrine, Cyberwarfare Training, Cyberwarfare exercises and simulations, building an IT roadmap (from a military and National Security point of view), working as well with the IT industry and technical universities (see Malaysia, China and many others), establishing Information Warfare units and, obviously, starting to keep records of hacking activities on other Nations. It's not a futuristic scenario; here we are talking about something that already happened a long time ago. It was in the middle of the 80s when CCC members Hagbard and Pengo used to hack into Government and Military contractors, as well as centers and research labs, in the USA, giving the results of their hacks back to the KGB and receiving money and facilities from them. Hagbard was found dead, hanged from a tree outside the town he was living in, and burned. The Vodafone Head of Network Design, possibly involved in the 2005 Vodafone Greece affair, was found to have committed suicide. The same for Adamo Bove, working on Telecom Italia's Lawful Interception System. And the same recently happened to Majid Shahriari in Iran, and everything seems to be related to the Stuxnet worm (http://www.debka.com/article/20406/).

So, during the very next years we will hear about a few new terms, such as Next Generation Cybercrime (NGC) and Next Generation Warfare (NGW), along with the evergreen Cyberwar and Information Warfare.
The Law

Case Study: Siddarth, a skilled programmer, creates malicious code and releases it on the internet. It compromises a vast number of computers and causes a loss worth millions of dollars.

Applicable Sections: Sections 43, 66 and 66(A) of the Information Technology Act and Section 426 of the Indian Penal Code.

Sec. 43: If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network, (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; he shall be liable to pay damages by way of compensation to the person so affected. Explanation: for the purposes of this section, (i) "Computer Contaminant" means any set of computer instructions that are designed (a) to modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network.

Sec. 66: Any person who dishonestly or fraudulently (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network shall be liable for imprisonment which may extend up to 3 years and a fine up to Rs. 5 lakh. For the purpose of this Section, the word "dishonestly" shall have the meaning assigned to it in Section 24 of the Indian Penal Code, i.e.: whoever does anything with the intention of causing wrongful gain to one person or wrongful loss to another person is said to do that thing "dishonestly". The word "fraudulently" shall have the meaning assigned to it in Section 25 of the Indian Penal Code, i.e.: a person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise.

Sec. 66A: Any person who sends, by means of a computer resource or a communication device, (a) any information that is grossly offensive or has menacing character; or (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device; or (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

Sec. 426 of the Indian Penal Code, Punishment for mischief: Whoever commits mischief shall be punished with imprisonment of either description for a term which may extend to three months, or with fine, or with both.

Additionally, provisions are also made in Sec. 66F (Cyber terrorism) and Sec. 69B (Power to authorise to monitor and collect traffic data or information through any computer resource for cyber security) regarding the introduction, intrusion and spread of Computer Contaminants.
Windows
Although again we are dividing this article into Windows vs Linux subsections, remember most of the commands work on both OSs. All you have to be careful about is the additional tools you use to filter results. To start with, we'll see on how many ports my machine is listening for a connection:
C:\> netstat -na | find /i "Listening"
This will give you a list of ports on your machine which are in listening mode. Make sure you check the reason behind each, to be sure which application has opened that port. You may want to use the -o switch to see the PID of the process which has opened the port:
C:\> netstat -noa | find /i "Listening"
Now how can you check which application that PID belongs to? For that use WMIC.
This will tell you the process with your chosen PID. You may also try the other switches of netstat:
-b = display the executable name responsible for the connection
-p = specific protocol
-o = display process ID
-a = display all
-n = display IP only and not the FQDN
But the most interesting thing you'll find is using a continuous netstat to keep looking at the results:
C:\> netstat -na 5
This will keep checking the result of netstat -na every 5 seconds. You may choose your own time interval and make a script out of it. For more work on netstat there is an interesting but more difficult way in Microsoft PowerShell, but we'll keep that out of this article.
Linux
For Linux more or less all the parameters are the same. You may want to try the same commands on Linux too. Remember the parameters for netstat are the same, not those of the other executables. So the first example on Linux will become:
# netstat -na | grep -i "listen"
Aah! I hate & love the case sensitivity of the Linux environment. And that's why we use -i to ignore case while searching and use only "listen" in the filter, as it may differ among various Linux flavors. I know Linux users are geeks themselves, so this article was just a reminder: don't forget your friend netstat, keep using it.
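The "netstat -na 5" loop above leaves it to your eyes to notice when a new port starts listening. As an added example (not part of the original column), the script below parses both layouts the column uses, Windows "netstat -noa" and Linux "netstat -na", matching "listen" case-insensitively as the column recommends, and reports listeners that appear or vanish between a baseline and a later snapshot. The two Windows snapshots and the Linux snapshot are constructed sample output with made-up addresses and PIDs.

```python
import os
import subprocess
import time

# Constructed sample: Windows "netstat -noa" output, the baseline.
WINDOWS_BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.17:49152     10.0.0.5:443           ESTABLISHED     2210
  UDP    0.0.0.0:500            *:*                                    1104
"""

# Same machine a few seconds later: a new listener on 6667 (IRC's default port) has appeared.
WINDOWS_LATER = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       3388
  TCP    192.168.0.17:49152     10.0.0.5:443           ESTABLISHED     2210
  UDP    0.0.0.0:500            *:*                                    1104
"""

# Constructed sample: Linux "netstat -na" output (no PID column without -p).
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.17:22         192.168.0.5:50122       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""


def listening_sockets(netstat_output):
    """Map (proto, local address, port) -> PID (or None) for every listening socket.

    "listen" matched case-insensitively covers Windows' LISTENING and Linux's
    LISTEN. In both layouts the local address is the column two places before
    State; a PID column, if present, follows State (Windows -o gives a bare PID,
    Linux -p gives "PID/name").
    """
    sockets = {}
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        state_idx = next((i for i, c in enumerate(cols) if "listen" in c.lower()), None)
        if state_idx is None:
            continue
        addr, _, port = cols[state_idx - 2].rpartition(":")
        pid = None
        if len(cols) > state_idx + 1:
            candidate = cols[state_idx + 1].split("/", 1)[0]
            pid = int(candidate) if candidate.isdigit() else None
        sockets[(cols[0].lower(), addr, int(port))] = pid
    return sockets


def diff_listeners(baseline, current):
    """Return (appeared, disappeared) listening sockets relative to the baseline."""
    appeared = {k: v for k, v in current.items() if k not in baseline}
    disappeared = {k: v for k, v in baseline.items() if k not in current}
    return appeared, disappeared


def snapshot():
    """Run the platform's netstat the way the column does and return its output."""
    cmd = ["netstat", "-noa"] if os.name == "nt" else ["netstat", "-na"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def watch(interval=5, rounds=None):
    """Re-run netstat every `interval` seconds and print listeners that appear or vanish."""
    baseline = listening_sockets(snapshot())
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = listening_sockets(snapshot())
        appeared, disappeared = diff_listeners(baseline, current)
        for (proto, addr, port), pid in appeared.items():
            print("NEW listener %s %s:%d pid=%s" % (proto, addr, port, pid))
        for (proto, addr, port), pid in disappeared.items():
            print("GONE listener %s %s:%d pid=%s" % (proto, addr, port, pid))
        baseline = current
        done += 1


if __name__ == "__main__":
    new, gone = diff_listeners(listening_sockets(WINDOWS_BASELINE),
                               listening_sockets(WINDOWS_LATER))
    print("sample diff, appeared:", new, "disappeared:", gone)
    watch(rounds=3)  # live run against this machine's netstat
```

On Windows the reported PID can then be fed to WMIC as the column suggests; on Linux run netstat with -p to get the "PID/name" column the parser also understands.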