Malicious programs, Types of malicious programs, Example intrusions – ZyXEL Communications ZyXEL ZyWALL IDP 10 User Manual


ZyWALL IDP10 User’s Guide

A-4

Introduction to Intrusions

A TCP connect() call is used to open a connection to every interesting port on the machine. If the port
is listening, connect() will succeed, otherwise the port isn't reachable.

SYN scanning (half-open scanning) does not open a full TCP connection. A SYN packet is sent, as if
to open a genuine connection, and the scanner waits for a response. A SYN/ACK indicates that the
port is listening. If a SYN/ACK is received, a RST is sent to tear down the half-open connection
before the handshake completes.

The port scanner Nmap uses raw IP packets to determine which hosts are available on the network,
which services (ports) they offer, which operating system (and OS version) they are running,
what type of packet filters/firewalls are in use, and other characteristics.

After a target has been found, a layer-7 scanner such as Nikto (web vulnerability scanner) can be used
to exploit vulnerabilities.

A.5 Malicious Programs

A computer virus is a small program designed to corrupt and/or alter the operation of other legitimate
programs. The effect of a virus attack varies from doing so little damage that you are unaware your
computer is infected to wiping out the entire contents of a hard drive to rendering your computer
inoperable.

A.5.1 Types of Malicious Programs

The following table describes some of the common malicious programs.

Table A-2 Common Malicious Programs

TYPE: DESCRIPTION

File Infector: A small program that embeds itself in a legitimate program. A file infector is able to
copy and attach itself to other programs that are executed on an infected computer.

Boot Sector Virus: This type of virus infects the area of a hard drive that a computer reads and executes
during startup. The virus causes computer crashes and to some extent renders the infected
computer inoperable.

Macro Virus: Macros are small programs that are created to perform repetitive actions. Macros run
automatically when a file to which they are attached is opened. Macro viruses spread more
rapidly than other types of viruses because data files are often shared on a network.

Trojan Horse: A Trojan horse is a harmful program that is hidden inside apparently harmless programs or
data.

Worm: A worm is a program that is designed to copy itself from one computer to another on a
network. A worm’s uncontrolled replication consumes system resources, thus slowing or
stopping other tasks.

E-mail Virus: E-mail viruses are malicious programs that spread through e-mail. These can infect your
computer even if you do not read the e-mail messages.

A.6 Example Intrusions

A.6.1 SQL Slammer Worm

W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000, as well as
Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port 1434, the SQL Server
Resolution Service port. The worm has the unintended payload of performing a Denial of Service attack due to
the large number of packets it sends. Refer to Microsoft Security Bulletin MS02-039 and Microsoft Security
Bulletin MS02-061 for the Microsoft SQL Server 2000 and MSDE 2000 vulnerabilities it exploits.
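As an added illustration that is not part of the ZyXEL guide, the following script shows how a sensor could turn two of the descriptions above into detections: the half-open scan heuristic from the SYN scanning paragraph (a source that probes many ports of one host but never completes a handshake) and a simple signature for W32.SQLExp.Worm (UDP datagram to port 1434 carrying 376 bytes). The Packet record, the port-count threshold and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # minimal packet record (assumed format, not the IDP's own)
    src: str
    dst: str
    proto: str           # "tcp" or "udp"
    dport: int
    flags: str = ""      # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK, "R" RST
    length: int = 0      # UDP payload length in bytes

SLAMMER_PORT, SLAMMER_LEN = 1434, 376   # values the guide gives for W32.SQLExp.Worm

def is_slammer_like(p):
    """Signature match: UDP to the SQL Server Resolution Service port with a 376-byte payload."""
    return p.proto == "udp" and p.dport == SLAMMER_PORT and p.length == SLAMMER_LEN

def detect_syn_scans(packets, threshold=5):
    """Half-open scan heuristic: a source sends SYNs to many distinct ports of one host but
    never sends the final handshake ACK (a scanner answers SYN/ACK with RST instead).
    Returns {(src, dst): [ports probed but never completed]} for pairs over the threshold."""
    syn_ports = defaultdict(set)   # (src, dst) -> ports that received a bare SYN
    ack_ports = defaultdict(set)   # (src, dst) -> ports where the client later sent ACK
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syn_ports[(p.src, p.dst)].add(p.dport)
        elif p.flags == "A":
            ack_ports[(p.src, p.dst)].add(p.dport)
    return {key: sorted(ports - ack_ports[key])
            for key, ports in syn_ports.items()
            if len(ports - ack_ports[key]) >= threshold}

def analyze(packets):
    return {"slammer_sources": sorted({p.src for p in packets if is_slammer_like(p)}),
            "syn_scans": detect_syn_scans(packets)}

# Constructed sample traffic: a half-open scan of six ports (two open, each answered with RST),
# one legitimate completed connection, one Slammer-sized datagram and one benign 1-byte UDP query.
SAMPLE = [Packet("10.0.0.5", "10.0.0.10", "tcp", port, "S") for port in (21, 22, 23, 25, 80, 110)]
SAMPLE += [Packet("10.0.0.10", "10.0.0.5", "tcp", 40000, "SA"), Packet("10.0.0.5", "10.0.0.10", "tcp", 22, "R"),
           Packet("10.0.0.10", "10.0.0.5", "tcp", 40001, "SA"), Packet("10.0.0.5", "10.0.0.10", "tcp", 80, "R"),
           Packet("10.0.0.7", "10.0.0.10", "tcp", 80, "S"), Packet("10.0.0.10", "10.0.0.7", "tcp", 40002, "SA"),
           Packet("10.0.0.7", "10.0.0.10", "tcp", 80, "A"),
           Packet("10.0.0.9", "10.0.0.10", "udp", 1434, "", 376),
           Packet("10.0.0.8", "10.0.0.10", "udp", 1434, "", 1)]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The legitimate client 10.0.0.7 is not reported because its SYN to port 80 is followed by its own ACK, and the 1-byte query to port 1434 does not match the signature.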
