ch08.htm

Maximum Security (First Edition) 网络安全 英文版

	and <TT>PKZ300B.ZIP</TT>. CIAC verified the following warning from PKWARE:</P>
	<P>&quot;Some joker out there is distributing a file called <TT>PKZ300B.EXE</TT>
	and <TT>PKZ300B.ZIP</TT>. This is NOT a version of PKZIP and will try to erase your
	hard drive if you use it. The most recent version is 2.04G. Please tell all your
	friends and favorite BBS stops about this hack.</P>
	<P>&quot;<TT>PKZ300B.EXE</TT> appears to be a self extracting archive, but actually
	attempts to format your hard drive. <TT>PKZ300B.ZIP</TT> is an archive, but the extracted
	executable also attempts to format your hard drive. While PKWARE indicated the trojan
	is real, we have not talked to anyone who has actually touched it. We have no reports
	of it being seen anywhere in the DOE.

</BLOCKQUOTE>


<DL>
	<DD>&quot;According to PKWARE, the only released versions of PKZIP are 1.10, 1.93,
	2.04c, 2.04e and 2.04g. All other versions currently circulating on BBSs are hacks
	or fakes. The current version of PKZIP and PKUNZIP is 2.04g.&quot;
</DL>

<P>That advisory was issued very quickly after the first evidence of the malicious
code was discovered. At about the same time, a rather unsophisticated (but nevertheless
destructive) virus called Caibua was released on the Internet. Many users were infected.
The virus, under certain conditions, would overwrite the default boot drive.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Virus attacks and defenses
	against them are discussed in Chapter 14, &quot;Destructive Devices.&quot; However,
	I highly recommend that all readers bookmark <A HREF="http://ciac.llnl.gov/ciac/CIACVirusDatabase.html"><B>http://ciac.llnl.gov/ciac/CIACVirusDatabase.html</B></A>.
	This site is one of the most comprehensive virus databases on the Internet and an
	excellent resource for learning about various viruses that can affect your platform.
	
<HR>


</BLOCKQUOTE>

<P>Here's an interesting bit of trivia: If you want to be virus-free, use UNIX as
your platform. According to the CIAC, there has only been one recorded instance of
a UNIX virus, and it was created purely for research purposes. It was called the
<I>AT&amp;T Attack Virus</I>.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>If you want to see an
	<I>excellent</I> discussion about UNIX and viruses, check out &quot;The Plausibility
	of UNIX Virus Attacks&quot; by Peter V. Radatti at <A HREF="http://www.cyber.com/papers/plausibility.html"><B>http://www.cyber.com/papers/plausibility.html</B></A>.
	
<HR>


</BLOCKQUOTE>

<P>Radatti makes a strong argument for the plausibility of a UNIX virus. However,
it should be noted that virus authors deem UNIX a poor target platform because of
access-control restrictions. It is felt that such access-control restrictions prevent
the easy and fluid spread of the virus, containing it in certain sectors of the system.
Therefore, for the moment anyway, UNIX platforms have little to fear from virus authors
around the world.</P>
<P>Nonetheless, as I discuss in Chapter 14, at least one virus for Linux has been
confirmed. This virus is called <I>Bliss</I>. Reports on Bliss at the time of this
writing are sketchy. There is some argument on the Internet as to whether Bliss qualifies
more as a trojan, but the majority of reports suggest otherwise. Furthermore, it
is reported that it compiles cleanly on other UNIX platforms.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The only known system
	tool that checks for Bliss infection was written by Alfred Huger and is located at
	<A HREF="ftp://ftp.secnet.com/pub/tools/abliss.tar.gz"><B>ftp://ftp.secnet.com/pub/tools/abliss.tar.gz</B></A>.<BR>
	
<HR>

<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>There is some truth to the assertion
	that many viruses are written overseas. The rationale for this is as follows: Many
	authorities feel that authors overseas may not be compensated as generously for their
	work and they therefore feel disenfranchised. Do you believe it? I think it's possible.
	
<HR>


</BLOCKQUOTE>

<P>In any event, all materials downloaded from a nontrusted source should be scanned
for viruses. The best protection is a virus scanner; there are many for all personal
computer platforms. Even though this subject is covered extensively later, Table
8.1 shows a few.
<H4><FONT COLOR="#000077"><B>Table 8.1. Virus scanners by platform.</B></FONT></H4>
<P>
<TABLE BORDER="1">
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Platform</I></TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Virus</I></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Windows/DOS</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Thunderbyte, F-PROT, McAfee's Virus Scan, TBAV</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Windows 95</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">McAfee's Virus Scan, Thunderbyte, Dr. Antivirus</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Windows NT</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Norton Antivirus, Sweep, NTAV, NT ViruScan, McAfee's Virus Scan</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Macintosh</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Gatekeeper, Disinfectant, McAfee's Virus Scan</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">OS/2</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">McAfee's Virus Scan</TD>
	</TR>
</TABLE>
</P>
<P>Malicious code is slightly different from a virus, but I want to mention it briefly
(even though I cover malicious code extensively in Chapter 14). Malicious code can
be defined as any programming code that is not a virus but that can do some harm,
however insignificant, to a user's software.</P>
<P>Today, the most popular form of malicious code involves the use of <I>black widow
apps</I>,<I> </I>or small, portable applications in use on the WWW that can crash
or otherwise incapacitate your WWW browser. These are invariably written in scripting
languages like JavaScript or VBScript. These tiny applications are embedded within
the HTML code that creates any Web page. In general, they are fairly harmless and
do little more than force you to reload your browser. However, there is some serious
talk on the Net of such applications being capable of:</P>

<UL>
	<LI>Circumventing security and stealing passwords
	<LI>Formatting hard disk drives
	<LI>Creating a denial-of-service situation
</UL>

<P>These claims are not fictional. The programming expertise required to wreak this
havoc is uncommon in prankster circles. However, implementing such apps is difficult
and risky because their origin can be easily traced in most instances. Moreover,
evidence of their existence is easily obtained simply by viewing the source code
of the host Web page. However, if such applications were employed, they would be
employed more likely with Java, or some other compiled language.</P>
<P>In any event, such applications do exist. They pose more serious risks to those
using networked operating systems, particularly if the user is browsing the Web while
logged into an account that has special privileges (such as root, supervisor, or
administrator). These privileges give one great power to read, write, alter, list,
delete, or otherwise tamper with special files. In these instances, if the code bypasses
the browser and executes commands, the commands will be executed with the same privileges
as the user. This could be critical and perhaps fatal to the system administrator.
(Not physically fatal, of course. That would be some incredible code!)
<H3><FONT COLOR="#000077"><B>Cracking</B></FONT></H3>
<P>Cracking an individual is such a broad subject that I really cannot cover it here.
Individuals use all kinds of platforms, and to insert a &quot;cracking the individual&quot;
passage here would defeat the purpose of this book (or rather, the whole book would
have to appear in this chapter). I say this because throughout this book, I discuss
cracking different platforms with different techniques and so on. However, I will
make a general statement here:</P>
<P>Users who surf using any form of networked operating system<I> are</I> viable
targets. So there is no misunderstanding, let me identify those operating systems:</P>

<UL>
	<LI>Windows 95
	<LI>Windows NT
	<LI>Novell NetWare
	<LI><I>Any</I> form of UNIX
	<LI>Some versions of AS/400
	<LI>VAX/VMS
</UL>

<P>If you are connected to the Net with such an operating system, you are a potential
target of an online crack. Much depends on what services you are running, but be
assured: If you are running TCP/IP as a protocol, you are a target. Equally, those
Windows 95 users who share out directories are also targets. (I discuss this in detail
in Chapter 16, &quot;Microsoft,&quot; but briefly, <I>shared out</I> <I>directories</I>
are those that allow file sharing across a network.)
<H2><FONT COLOR="#000077"><B>The Public and Corporations</B></FONT></H2>
<P>This section starts with the general public. The general public is often a target
of Internet warfare, though most Internet users may remain unaware of this. Attacks
against the general public most often occur on the Usenet news network. I want to
briefly describe what Usenet is, for many users fail to discover Usenet news even
after more than a year of Internet use. In that respect, Usenet news is much like
IRC. It is a more obscure area of the Internet, accessible through browsers, but
more commonly accessed through newsreaders. Some common newsreaders for various platforms
are shown in Table 8.2.
<H4><FONT COLOR="#000077"><B>Table 8.2. Newsreaders by platform.</B></FONT></H4>
<P>
<TABLE BORDER="1">
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Platform</I></TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Newsreader</I></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Windows</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Free Agent, WinVn, Smart Newsreader, Virtual Access, 32 bit News, SB Newsbot, News
			Xpress, Microsoft News</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">UNIX</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">TRN, TIN, Pine, Xnews, Netscape Navigator, INN</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Windows 95</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Free Agent, WinVn, Smart Newsreader, Virtual Access, 32 bit News, SB Newsbot, News
			Xpress, Microsoft News</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Windows NT</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Free Agent, WinVn, Smart Newsreader, Virtual Access, 32 bit News, SB Newsbot, News
			Xpress, Microsoft News</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Macintosh</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Netscape Navigator, NewsWatcher, Cyberdog, Internews, Nuntius,</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">OS/2</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Newsbeat, Postroad,</TD>
	</TR>
</TABLE>
</P>
<P>The interface of a typical browser includes a listing of newsgroup messages currently
posted to the selected newsgroup. These messages are displayed for examination in
the newsreader. For example, examine Figure 8.5, which shows a Free Agent Usenet