Information Security Threats and Attacks

Module 04
Information Security Threats and Attacks
Ethical Hacking Associate

• Define Threat, Vulnerability, and Exploit
• Study Various Types of Internal Attacks and Their Countermeasures
  o Sniffing
  o ARP Spoofing
• Study Various Types of External Attacks and Their Countermeasures
  o Malware
  o Scanning
  o Social Engineering
  o DoS and DDoS
  o Spamming
  o Spoofing
  o TCP Session Hijacking
  o Eavesdropping
  o Corporate Espionage
  o Password Cracking

Module 04 Page 90 Ethical Hacking Associate Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Understanding Threat, Vulnerability and Exploit

Threat
A threat is a potential occurrence of an undesired event that can eventually damage and
interrupt the operational and functional activities of an organization. A threat can affect
the integrity and availability of an organization's assets. The impact of threats is very high,
and it can affect the existence of the physical IT assets in an organization. The existence
of threats may be accidental, intentional, or due to the impact of some other action.

Vulnerability
A vulnerability is the existence of a weakness or a design or implementation error that,
when exploited, leads to an unexpected and undesired event compromising the security of
the system. Simply put, a vulnerability is a security loophole that allows an attacker to
enter the system by bypassing user authentication.

Exploit
An exploit is a breach of IT system security through vulnerabilities, in the context of an
attack on a system or network. It also refers to malicious software or commands that cause
unanticipated behavior in legitimate software or hardware when attackers take advantage of
those vulnerabilities.

Internal Threats
Internal threats are threats from an individual or group within an organization. They occur
when a legitimate user tries to illegitimately access network resources. Most corporate
security funds are spent on deterring external threats (access breaches by persons who are
not authorized users on the network). As external security breaches are often highly
publicized, companies focus their efforts on fighting external access attempts. Workstation
users often have free access to attack the servers, because an organization's servers and
workstations commonly reside on the same network behind the firewall.

The effect of internal attacks on a company can range from a small inconvenience to permanent
damage. For example, suppose the attacker is someone involved with the systems on the network,
such as a system administrator. A well-planned attack will involve the theft of items such as
backup tapes, system software, and possibly even hardware. The simplest and most dangerous
thing the attacker can do is format the hard disks. This makes it impossible to load the
operating system or access the data stored on the hard disks.
At this point the attack is complete: the data has been lost, and the backups, operating system
media, and application media are missing. The company has now suffered a potentially deadly
attack.
An internal threat can come from a disgruntled former or current employee or contractor who
seeks to profit from archived records by selling health and financial information, or who harms
the organization by:
• Deleting valuable corporate data.
• Publishing or distributing private corporate data.
• Changing administrative policy settings or passwords.
• Disrupting the corporate network.
• Sending offensive e-mail messages from the corporate messaging system.
An internal user may attack a system for any number of reasons, including the following:
• Data theft
• Espionage
• Sabotage
• General malice

• One of the major internal threats is "sniffing".
• According to uninet.net, "sniffing is the process of reading the packets that are being
  transmitted on a network".
• TELNET, FTP, and SMTP (email) packets, if unencrypted, can be successfully sniffed.
  For example: passwords, credit card numbers.

Sniffing
According to http://Webopedia.com/, a "Sniffer is a program and/or device that monitors data
traveling over a network". Sniffers can be used for legitimate work, i.e. network management,
as well as for illegitimate work, i.e. stealing information on the network. They are available
for several platforms, in both commercial and open-source variants.
Some of the simplest packages use a command line interface and dump captured data to the
screen, while sophisticated ones use a GUI, graph traffic statistics, track multiple sessions,
and offer several configuration options. Network utilization and monitoring programs often use
sniffers to gather the data necessary for metrics and analysis. It is to be noted that sniffers
do not intercept or alter the data captured. The most common way of networking computers is
through Ethernet.
One of the major internal threats is "sniffing". According to www.uni.net, "Sniffing is the
process of reading the packets that are being transmitted on a network".
Sniffing uses a packet sniffer to capture data from the information packets as they travel over
the network. The data may include user names, passwords, sensitive information, and
proprietary information that travel within the network in clear text. Typical services that
are sniffed are TELNET, FTP, and SMTP (e-mail) packets, if unencrypted. Installing a packet
sniffer does not require any great knowledge of networks or hacking, and the programs can be
downloaded from the Internet free of charge. Nor does installing a packet sniffer necessarily
require administrator-level access; as a result, organizations of all sizes are at risk.

Sniffing can be used both for legitimate network management functions and for stealing
information on a network. Unauthorized sniffers can be dangerous to a network's security
because they are virtually impossible to detect and can be inserted almost anywhere. This
makes them a favorite weapon in the attacker's arsenal.

Sniffing Countermeasures
Listed below are some of the countermeasures to be followed to defend against sniffing:
• Restrict physical access to the network media to ensure that a packet sniffer cannot be
  installed.
• Use end-to-end encryption to protect confidential information.
• Permanently add the MAC address of the gateway to the ARP cache.
• Use static IP addresses and ARP tables to prevent attackers from adding spoofed ARP
  entries for machines in the network.
• Turn off network identification broadcasts and, if possible, restrict the network to
  authorized users in order to protect the network from being discovered with sniffing
  tools.
• Use IPv6 instead of the IPv4 protocol.
• Use encrypted sessions such as SSH instead of Telnet, Secure Copy (SCP) instead of FTP,
  SSL for email connections, etc. to protect wireless network users against sniffing
  attacks.
• Use HTTPS instead of HTTP to protect usernames and passwords.
• Use a switch instead of a hub, as a switch delivers data only to the intended recipient.
• Use Secure File Transfer Protocol (SFTP) instead of FTP for secure transfer of files.
• Use PGP and S/MIME, VPN, IPSec, SSL/TLS, Secure Shell (SSH), and one-time passwords
  (OTP).
• Always encrypt wireless traffic with a strong encryption protocol such as WPA and WPA2.
• Retrieve the MAC address directly from the NIC instead of the OS; this prevents MAC
  address spoofing.
• Use tools to determine if any NICs are running in promiscuous mode.
• Use an Access Control List (ACL) to allow access only to a fixed range of trusted IP
  addresses in a network.
• Change default passwords to complex passwords.
• Avoid broadcasting the SSID (Service Set Identifier).
• Implement a MAC filtering mechanism on your router.
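
As an added illustration of the "check whether any NIC is running in promiscuous mode" countermeasure above (example code written for this edit, not EC-Council's material or any tool's own code), the script below decodes the interface flag word that Linux exposes under /sys/class/net/<iface>/flags and lists the interfaces with IFF_PROMISC set. SAMPLE_FLAGS is constructed input so the check also runs where sysfs is unavailable.

```python
import os
from typing import Dict, List

# Interface flag bits as defined in <linux/if.h>. The kernel exposes each interface's flag
# word as a hex string (for example "0x1003\n") in /sys/class/net/<iface>/flags.
IFF_PROMISC = 0x100  # the NIC accepts every frame on the wire, not only frames addressed to it


def is_promiscuous(flags_hex: str) -> bool:
    """Decode one flags word and report whether IFF_PROMISC is set."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface: Dict[str, str]) -> List[str]:
    """Return, sorted, the names of the interfaces whose flag word has IFF_PROMISC set."""
    return sorted(name for name, flags in flags_by_iface.items() if is_promiscuous(flags))


def read_sysfs_flags(root: str = "/sys/class/net") -> Dict[str, str]:
    """Read the flags file of every interface on a Linux host; returns {} where sysfs is absent."""
    try:
        names = os.listdir(root)
    except OSError:
        return {}
    flags: Dict[str, str] = {}
    for name in names:
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            continue  # an entry without a readable flags file
    return flags


# Constructed sample (not from the page): eth0 is UP|BROADCAST|RUNNING|MULTICAST (0x1003)
# with PROMISC (0x100) added, lo is UP|LOOPBACK (0x9), wlan0 is a normal active interface.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1103\n", "wlan0": "0x1003\n"}

if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE_FLAGS
    print("interfaces in promiscuous mode:", promiscuous_interfaces(live))
```

The check only inspects the host it runs on, so it belongs in the inventory job run across managed hosts; `ip link` reports the same bit as PROMISC in its flag list.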

• ARP is the Address Resolution Protocol. It is used to map network layer IP addresses to
  data link layer MAC addresses.
• To learn the MAC address of another host on the network, ARP broadcasts a message
  requesting the MAC address.
• The hosts on the network reply with their MAC addresses. ARP stores the MAC address in
  its cache for future data transfer.
• ARP spoofing involves constructing a large number of forged ARP request and reply packets
  to overload a switch.
• The switch is set in 'forwarding mode' after the ARP table is flooded with spoofed ARP
  replies, and attackers can sniff all the network packets.
• Attackers flood a target computer's ARP cache with forged entries, which is also known as
  poisoning.

ARP Spoofing
ARP resolves IP addresses to the MAC (hardware) address of the interface to which data is sent.
ARP packets can be forged to send data to the attacker's machine. ARP spoofing involves
constructing a large number of forged ARP request and reply packets to overload a switch. When
a machine sends an ARP request, it assumes that the ARP reply comes from the right machine; ARP
provides no means of verifying the authenticity of the responding device. Even systems that
have not made an ARP request will accept an ARP reply coming from other devices. Attackers use
this flaw in ARP to create malformed ARP replies containing spoofed IP and MAC addresses.
Assuming it to be a legitimate ARP reply, the victim's computer blindly accepts the entry into
its ARP table. Once the ARP table is flooded with spoofed ARP replies, the attacker sets the
switch in forwarding mode and intercepts all the data that flows from the victim machine,
without the victim being aware of the attack. Flooding a target computer's ARP cache with
forged entries is also known as poisoning. ARP spoofing is an intermediary step for attacks
such as DoS, MITM, and session hijacking.
How Does ARP Spoofing Work?
ARP spoofing is a method of attacking an Ethernet LAN. When a legitimate user initiates a
session with another user in the same Layer 2 broadcast domain, the switch broadcasts an ARP
request using the recipient's IP address, while the sender waits for the recipient to respond
with a MAC address. An attacker eavesdropping on this unprotected Layer 2 broadcast domain can
answer the broadcast ARP request, replying to the sender while spoofing the intended
recipient's IP address. The attacker runs a sniffer and turns the machine's NIC adapter to
promiscuous mode.
ARP spoofing succeeds by changing the IP address of the attacker's computer to the IP address
of the target computer. A forged ARP request and reply packet find a place in the target's ARP
cache in this process. As the ARP reply has been forged, the destination computer (target)
sends frames to the attacker's computer, where the attacker can modify the frames before
sending them on to the source machine (User A) in an MITM attack. In addition, the attacker can
launch a DoS attack by associating a nonexistent MAC address with the IP address of the
gateway, or may sniff the traffic passively and then forward it to the target destination.

ARP Spoofing Countermeasures
For small networks, the use of static IP addresses and static ARP tables can help prevent ARP
spoofing. Using CLI commands such as "ipconfig /all" in Windows or "ifconfig" in UNIX, the IP
address and MAC address of every system in the network can be determined. Then, using the
"arp -s" command, static ARP entries for all the known devices can be added. Static addressing
prevents attackers from adding spoofed ARP entries for machines in the network. A login script
can also be created that adds these static entries to the systems as they boot. However, static
ARP entries are hard to maintain in small networks and impossible in large networks, because
every device added to the network must be manually added to the ARP script or entered into
each machine's ARP table.
For large networks, enable the network switch "Port Security" feature. "Port Security" forces
the switch to allow only one MAC address for each physical port on the switch. This feature
prevents attackers from changing the MAC address of their machine or from trying to map more
than one MAC address to their machine. It can often help prevent ARP-based man-in-the-middle
attacks. ARPwatch is a tool that monitors Ethernet activity and keeps a database of
Ethernet/IP address pairings. It also reports certain changes via e-mail. It uses libpcap, a
system-independent interface for user-level packet capture.
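
The following added example (written for this edit; it is neither ARPwatch's code nor part of the course material) shows the core of what ARPwatch-style monitoring does for the "How Does ARP Spoofing Work?" passage and the countermeasures above: it parses raw Ethernet/ARP frames, keeps a table of IP-to-MAC pairings seeded with a pinned gateway entry, and raises an alert on the two tell-tale signs of poisoning, an IP whose MAC suddenly changes and a reply whose ARP sender field disagrees with the Ethernet source. All addresses and frames are constructed test data built in-process; nothing is captured from or sent to a real network.

```python
import struct
from typing import Dict, List, Optional

# Wire formats in network byte order: the Ethernet header, then the ARP body.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode one Ethernet frame; return its ARP fields, or None if it is not IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Keeps IP-to-MAC pairings, as ARPwatch does, and reports the signs of ARP poisoning."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None):
        # Pairings learned so far, pre-seeded with trusted entries such as the gateway.
        self.table: Dict[str, str] = dict(pinned or {})
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        """Feed one captured frame; return an alert string if it looks forged, else None."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        alert = None
        if arp["sha"] != arp["eth_src"]:
            # A real stack writes its own MAC in both places; a mismatch means a crafted packet.
            alert = f"crafted ARP: sender {arp['sha']} differs from frame source {arp['eth_src']} for {arp['spa']}"
        elif arp["op"] == ARP_REPLY:
            known = self.table.get(arp["spa"])
            if known is None:
                self.table[arp["spa"]] = arp["sha"]  # first sighting: learn the pairing
            elif known != arp["sha"]:
                # Same IP, new MAC: the "flip flop" ARPwatch reports. The old pairing is kept
                # deliberately so that every further forged reply is reported as well.
                alert = f"flip flop: {arp['spa']} moved from {known} to {arp['sha']}"
        if alert:
            self.alerts.append(alert)
        return alert


def _mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def _test_frame(op: int, sha: str, spa: str, tha: str, tpa: str,
                eth_src: Optional[str] = None) -> bytes:
    """Pack one ARP frame as constructed sample input for the monitor; nothing is transmitted."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else _mac_bytes(tha)
    return (ETH_HDR.pack(eth_dst, _mac_bytes(eth_src or sha), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, _mac_bytes(sha), _ip_bytes(spa),
                           _mac_bytes(tha), _ip_bytes(tpa)))


def demo() -> List[str]:
    """Replay a constructed sequence: a normal exchange, then the two kinds of forged reply."""
    gw_ip, gw_mac = "192.168.1.1", "00:11:22:33:44:01"      # constructed addresses
    host_ip, host_mac = "192.168.1.10", "00:11:22:33:44:0a"
    rogue_mac = "de:ad:be:ef:00:01"
    mon = ArpMonitor(pinned={gw_ip: gw_mac})
    frames = [
        _test_frame(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip),  # who has the gateway?
        _test_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),                  # genuine answer
        _test_frame(ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip),               # gateway IP, rogue MAC
        _test_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, eth_src=rogue_mac),  # body MAC lies
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In production the frames would come from a libpcap capture (e.g. via a pcap reader) on a span or mirror port, and the pinned table would hold the gateway and other static entries from the countermeasures above.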

• External threats are threats from outside the organization, from parties who have no
  legitimate rights to corporate systems or information.

External Threats
These originate from outside the organization, from parties that do not have authorized access
to its computer systems or network. They usually work their way into a network from the
Internet or through dial-up access servers.
An external attack originates from outside a network's firewall. Depending on the location of
your servers in the network architecture and the configuration of the firewalls at your
network entry points, your servers may be vulnerable to attack from users who are not located
on the trusted networks under your control. The firewall separates your internal, private
network from the external, public world: the Internet. In theory, users on the public networks
know less about the configuration of your network and servers, so they would seem to be less
of a threat; however, poor security can allow them to collect system and network information
and create their own map of your systems.
Examples of external threats include the following:
• Malware Attacks
  o Virus
  o Worms
  o Trojan
• Social Engineering
  o Identity Theft
  o Phishing
• Spamming
• Eavesdropping
• Password Cracking
• Scanning
• Denial-of-Service (DoS)
• Distributed DoS (DDoS)
• Spoofing
  o IP Spoofing
  o Man-in-the-Middle attack (MITM)
• TCP Session Hijacking
• Corporate Espionage
• Accidental Security Breach
• Automated Computer Attacks

Malware Attacks
Malware is malicious software that damages or disables computer systems and gives limited or
full control of the systems to its creator for theft or fraud. Malware includes viruses,
worms, trojans, rootkits, backdoors, botnets, ransomware, spyware, adware, scareware,
crapware, roughware, crypters, keyloggers, etc. These may delete files, slow down computers,
steal personal information, send spam, and commit fraud. Malware can perform various
malicious activities that range from simple email advertising to complex identity theft and
password stealing. Malware programmers develop and use it to:
• Attack browsers and track websites visited
• Affect system performance, making it very slow
• Cause hardware failure, rendering computers inoperable
• Steal personal information, including contacts
• Erase valuable information, resulting in substantial data losses
• Attack additional computer systems directly from a compromised system
• Spam inboxes with advertising emails

Introduction to Virus
Viruses are the scourge of modern computing. Computer viruses have the potential to wreak
havoc on both business and personal computers. The lifetime of a virus depends on its ability
to reproduce itself. Therefore, attackers design every virus in such a manner that it
replicates itself as many times as possible.
A computer virus is a self-replicating program that propagates its code by attaching copies of
itself to other executable code and operates without the knowledge or desire of the user. Like
a biological virus, a computer virus is contagious and can contaminate other files; however,
viruses can infect outside machines only with the assistance of computer users. Some viruses
affect computers as soon as their code is executed; other viruses lie dormant until a
pre-determined logical condition is met. Viruses infect a variety of files, such as overlay
files (.OVL) and executable files (.EXE, .SYS, .COM, or .BAT). Viruses are transmitted through
file downloads, infected disk/flash drives, and email attachments.
Characteristics of Viruses
The performance of the computer is affected by a virus infection. This infection can lead to
data loss, system crashes, and file corruption. The following are some of the characteristics
of a virus:
• Infects other programs
• Transforms itself
• Encrypts itself
• Corrupts data, files, and programs
• Self-replication
Purpose of Creating Viruses
Attackers create viruses with disreputable motives. Criminals create viruses to destroy a
company's data, as an act of vandalism, or to destroy a company's products; however, in some
cases, viruses aid the system.
Some of the significant purposes for which an attacker creates a virus are listed below:
• Inflict damage to competitors
• Financial benefits
• Vandalism
• Play a prank
• Research projects
• Cyberterrorism
• Distribute political messages
• Damage networks or computers
• Gain remote access to the victim's computer

Year of Discovery   Virus Name
1981                Apple II Virus - first virus in the wild
1983                First documented virus
1986                Brain, PC-Write Trojan, and Virdem
1989                AIDS Trojan
1995                Concept
1998                Strange Brew and Back Orifice
1999                Melissa, Corner, Tristate, and Bubbleboy
2000                I Love You
2001                Nimda, Badtrans, Code Red
2002                Klez, Yaha, Bugbear
2003                Slammer, Sobig, Lovgate, Fizzer, Blaster/Welchia/Mimail
2004                I-Worm.NetSky.r, I-Worm.Bagle.au, Mydoom
2005                Email-Worm.Win32.Zafi.d, Net-Worm.Win32.Mytob.t
2006                Dropper.UN
2007                Downloader.MDW, MaliciousP, Rebooter.J
2008                AdsRevenue, Conficker.C, Bagle.RP
2009                Autorun.ITA, Lineage.KOT
2010                Here you have
2011                Morto worm
2012                Shamoon

Virus History
The first virus was discovered in 1981. Later, many new viruses kept popping up. The list of
viruses and the respective years in which they emerged is as follows:
• 1981 — The Senior Most Virus!!
  o The first virus in the wild predated the experimental work that defined current-day
    viruses.
  o It was spread on Apple II floppy disks that contained the operating system, and is
    presumed to have spread from Texas A&M.
  o This virus, called Elk Cloner, showcased the following six-liner:
    It will get on all your disks.
    It will infiltrate your chips.
    Yes it's Cloner!
    It will stick to you like glue.
    It will modify RAM too.
• 1983 — The First Documented Experimental Virus
  o In the seminal paper, "Computer Virus—Theory and Experiments," Fred Cohen writes about
    viruses, ranging from their definition to an experimental description that demonstrates
    how computer viruses could theoretically be generated.
• 1986 — Brain, PC-Write Trojan, and Virdem
  o Reportedly, the "Pakistani Brothers" succeeded in corrupting the boot sector of the
    floppy disk with a virus called "Brain." It diffused into the then-popular MS-DOS PCs
    and, hence, is considered to be the first virus, even though Cohen's experiments and
    the Apple II virus predated it.
  o The first file virus, Virdem, was also discovered in 1986.
• 1987 — File Infectors, Lehigh, and Christmas Worm
  o A virus called "Lehigh Virus" was the first virus to infect command.com.
  o Another fast-spreading worm, the "IBM Christmas Worm," with a rate of 500,000
    replications per hour, hit IBM mainframes this year.
• 1988 — MacMag, Scores, and Internet Worm
  o The first Macintosh virus was MacMag. A HyperCard stack virus and the Scores virus were
    the sources of the first major Macintosh outbreak.
  o The Internet Worm, created by Robert Morris, caused the first Internet crisis and shut
    down many computers this year.
• 1989 — AIDS Trojan
  o The AIDS Trojan is well known for locking up the user's data, also referred to as
    holding data hostage. The Trojan was sent out under the pretext of an AIDS information
    program. When run, it encrypted the user's hard drive and demanded payment for
    revealing the decryption key.

• 1990 — VX BBS and Little Black Book (AT&T Attack)
  o The first virus exchange (VX) BBS went online in Bulgaria. Here, virus authors could
    trade code and exchange ideas.
  o During this year, AT&T found proof of attackers suspected of taking down its
    long-distance switching system.
• 1991 — Tequila
  o Tequila was the first polymorphic virus, which changed itself in an attempt to avoid
    detection. It originated in Switzerland.
• 1992 — Michelangelo, DAME, and VCL
  o Michelangelo was the first popular, worldwide alert about a virus that was expected to
    be deployed for massive damage. However, it did not affect much.
  o The Dark Avenger Mutation Engine (DAME) was the first toolkit that turns any virus into
    a polymorphic virus.
  o The Virus Creation Laboratory (VCL) became the first actual virus creation kit during
    the same year. It had drop-down menus and optional payloads.
• 1996 — Boza, Laroux, and Staog
  o Boza was the first virus designed specifically for Windows 95 files.
  o Laroux and Staog were the first Excel macro virus and the first Linux virus,
    respectively.
• 1998 — Strange Brew and Back Orifice
  o The first virus based on Java, Strange Brew, was found in the wild.
  o Back Orifice, the first Trojan designed to be a remote administration tool, permitting
    others to access a remote computer via the Internet, was also found the same year.
• 1999 — Melissa, Corner, Tristate, and Bubbleboy
  o Melissa, the first combination of a Word macro virus and a worm, used the Outlook and
    Outlook Express address books to send itself to others via email.
  o Corner was the first virus that infected MS Project files.
  o Tristate, the first multi-program macro virus, corrupts Word, Excel, and PowerPoint
    files.
  o Bubbleboy, the first worm to activate when a user merely opened an email message in a
    Microsoft email client, was also found this year.
• 2000 — Love Letter, Timofonica, Liberty (Palm), Streams, and Pirus

  o Love Letter, a worm that appeared in May, was the fastest-spreading worm to date and had
    the capability of shutting down all email systems globally.
  o The first attack against a telephone system was in June 2000, when the Visual Basic
    Script worm called Timofonica sent messages to Internet-enabled phones in the Spanish
    telephone network.
  o Liberty was the first Trojan developed for the Palm PDA, in August 2000. This Trojan was
    developed as un-installation software and was given to some people who could trace those
    who might steal the program.
  o Pirus was malware programmed in the PHP scripting language. Pirus tried to add itself to
    HTML or PHP files. It was discovered on November 9, 2000.
• 2001 — Gnuman, Winux Windows/Linux Virus, LogoLogic-A Worm, AplS/Simpsons Worm,
  PeachyPDF-A, and Nimda
  o The Gnuman worm was found in the wild at the end of February. This worm masked itself
    within the Gnutella file-sharing system and acted as if it were an MP3 file to download.
  o In March, the Winux virus, a cross between both Windows and Linux, was designed to
    infect both operating systems.
  o The LogoLogic-A worm was spread via mIRC chat and email.
  o The first AppleScript worm was found in May. It used Outlook Express or Entourage on
    the Macintosh to spread via email to address book entries.
  o The first worm programmed to spread using Adobe's PDF software, PeachyPDF, was found in
    August.
  o In September, the Nimda worm demonstrated significant flexibility in its ability to
    spread, displaying several firsts.
• 2002 — LFM-926, Donut, Sharp A, SQLSpider, Benjamin, Perrun, and Scalper
  o The LFM-926 virus infected Shockwave Flash (.SWF) files. It displayed the message
    "Loading.Flash.Movie..." while it infected.
  o Donut came up as the first worm directed at .NET services. The first worm called
    Sharp-A aimed to infect Microsoft's .NET platform. Sharp-A was written in C# and
    released in March.
  o The JavaScript worm SQLSpider made its appearance in May. It was unique because it
    preyed upon installations running Microsoft SQL Server (and programs that use SQL
    Server technology).
  o Benjamin, which used the peer-to-peer network KaZaA to spread, was also released.

  o The Perrun virus attached itself to JPEG image files.
  o In the same year, the Scalper worm compromised FreeBSD/Apache web servers.
• 2003 — Sobig, Slammer, Lovgate, Fizzer, and Blaster/Welchia/Mimail
  o The Sobig worm made its appearance in 2003. It had its own SMTP mail program and used
    the Windows network.
  o The Slammer worm took advantage of vulnerabilities in Microsoft's SQL 2000 servers.
  o Lovgate is a unique combination of a Trojan and a worm.
