Eli M. Dow 42474 Tuesday, April 6, 2004
Graduate Networks Projects: An Email Virus Let Loose*
* Well, sort of. It was let loose onto the following simulated Internet in the manner described in detail in this document.
To begin, let us look at the network we used to simulate this virus in the wild. The network consisted of 4 computers connected together via a hub. The machines are all physically the same, yet run a gambit of operating systems. It is important to note these machines were in NO WAY connected to any external network at any time.
The 4 machines were obtained and networked together via a DHCP serving hub. Each was then formatted in turn, in order to accept a fresh operating system installation. The machines were names Alpha, Beta, Gamma, and Delta. The topology is presented below with operating system annotation:
Once the network topology was set up, and the operating systems were running smoothly, it was time to begin the actual experiment. Upon the recommendation of another participant in the course, I chose to research a virus that propagated via email. These types of virus are widespread in both reality on the Internet, and in their coverage by popular media. There is little doubt that you, the reader, may have experience the bombardment of emails from persons with infected machines, or even been the unknowing victim of such a virus yourself!
In order to simulate such a virus in the wild, each machine will need to be set up with an email client. Since the most common form of email is obtained via pop and sent via smtp we have chosen to set up one of the machines as a server for that purpose. An email account was created on the server for each machine in the simulation {alpha@fakedomain.com, beta@fakedomain.com, gamma@fakedomain.com, and delta@fakedomain.com}. The passwords were set for simplicity to be of the form "$HOSTNAME_pass". To limit the number of machines required for this simulation, one of the computers running Linux (gamma) was configured as a pop3 and SMTP server. This was done using applications called courier-pop3d and postfix.
The client setup varied from machine to machine because of the different mail clients bundled with the operating systems we chose. All machines were set up with "addressbooks" containing each of the other email accounts in the simulation.
The relationships in the addressbooks are as follows:
Alpha's Contacts:
bunsen@192.168.1.1
beaker@192.168.1.1
Beta's Contacts:
fozzie@192.168.1.1
ralph@192.168.1.1
kermit@192.168.1.1
Delta's Contacts:
gonzo@192.168.1.1
piggy@192.168.1.1
Gamma's Contacts:
scooter@192.168.1.1
skeeter@192.168.1.1
rizzo@192.168.1.1
Note: Even though no clients were configure to check the mail of fozzie, ralph, kermit, gonzo, or piggie, accounts had to be created on the mail server for them. This was done to prevent needless "bounce" messages from cluttering the ethereal trace. The accounts were confirmed working by sending mail from the client machines to each contact, then inspecting the mail servers directories for mail files.
Ethereal was installed on both machines running the windows operating systems (although, any 2 machines would have been an appropriate choice). Logging will be enabled on both machines in order to ensure proper logging has taken place, should one machine fail.
At this time additional configuration was done to Delta to provide ftp services. These services will be part of a test to compromise security via a password cracking utility. The ftp server chosen was serv-U. Serv-U was configured with anonymous accounts enabled, as well as 2 real accounts. The actual accounts configured had the usernames "statler", and "waldorf", with passwords of "jim", and "henson" respectively. Serv-U was configured to start automatically at boot as a service as was all mail services from Gamma.
At that point the stage was set to begin the trace. The next phase of the simulation was to inject the virus into the system. This could have been done in several ways, but the method chosen was to manually place the virus (BugBear_4836.doc) as an email attachment from one of the Linux mail clients and send it to one of the windows hosts.
The virus used in this particular trace was obtained from
http://www.treachery.net/~jdyson/trojans/
There is a decent listing of recent virus executables with their MD5 checksums.
An interesting facet about virus research is that I was initially unsure if I had the correct virus. The only obvious way to determine what virus I had was to execute it and either watch it be caught by anti-virus software, or observe the signature it produces manually.
A more risky method was to place the virus on a machine in the hopes that antivirus software would identify, and hopefully confirm our understanding of, the virus we obtained. Extreme caution should be taken to ensure this is done safely. The windows email worm was stored only on Linux machines while being studied and compared. The antivirus software was installed on a remote machine and all virus definitions were updated to their newest packages. The virus chosen was certainly not cutting edge.
Figure 1 is the confirmation received when viewing the contents of a destroyable piece of media (a floppy disk which was physically destroyed after all experiments had been run) after it had been written under Linux and evaluated with the antivirus equipped station.
Figure 1
I had confirmed the virus was installed but no activity was present with the mail system. It occurred to me at this point that the actions expected to occur as a result of the virus, might become active upon the machines next boot. I once again restarted the trace to keep it short and easy to follow.
This virus proved to be much more interesting. It did indeed provide us with noteworthy ethereal traces.
