
1|Page Please provide references. Dont ignore PLAGIARISM, avoid it!

Department of Computer Science and Computer Engineering



NSW Assignment Stage 05 (Prac 05)
Individual Submission: Hard copy/ Soft copy shown to the tutor/lecturer
Deadline: End of this lab session
Worth: 1% for lab work + 0.5% BONUS for at least 1 hour attendance
Objectives:
(1) To understand and learn more about computer and IT security based on lecture
notes and internet sources.
Exercise 1
1. Answer the following questions about the virus and its working:
i. What is a computer virus?
ii. Explain the 4 phases of how a virus behaves.
iii. Explain the typical structure of a virus with the help of any programming
language.
iv. How does a worm differ from a virus?


Answer:
i) Viruses are malicious software that need a host program to attach themselves to
and that can replicate themselves (copy themselves into other host programs).
When the user runs the host program, the virus executes secretly. Once a virus is executing,
it can perform any function, such as erasing files and programs. Viruses are designed
for a specific operating system and sometimes for specific hardware.
ii) Four phases of virus lifecycle:
Dormant phase: The virus is idle and waiting to be activated by some event, such
as a date, the presence of another program or file or hardware. Not all viruses have
this stage.
Propagation phase: The virus places an identical copy of itself into other programs
or into certain system areas on the disk. Each infected program will now contain a
clone of the virus, which will itself enter a propagation phase.

Triggering phase: The virus leaves the dormant phase when it is activated by some
event and is ready to perform the task for which it was designed.
Execution phase: The virus performs its actual function. It can erase files,
change system configuration, cause hardware to operate incorrectly and many other
things. It may also be harmless, just showing some message.

iii) Example in C++

The program V below follows the textbook structure of a virus: an entry point that
jumps to main, an infection routine that marks infected files with the line 1234 so
they are not infected twice, a trigger, and a payload. The disk is simulated with an
in-memory list so that the skeleton compiles; a real virus would search the disk and
copy its own code into the executable.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Program V: execution starts at main() (the textbook's "goto main").
const std::string MARKER = "1234";   // first line of an already-infected file

struct File { std::string name; std::string first_line; };
std::vector<File> files = { {"a.exe", MARKER}, {"b.exe", "MZ"} };  // simulated disk

void infect()
{
    for (File& f : files)             // search for a file
    {
        if (f.first_line == MARKER)   // already infected: keep searching
            continue;
        f.first_line = MARKER;        // infect file with V (marker stands in for the copied code)
        std::cout << "infected " << f.name << '\n';
        break;                        // one new victim per run
    }
}

bool trigger()
{
    // certain condition met, e.g. a date, a counter or the presence of a file
    return false;
}

void do_damage()
{
    /* code for doing damage (the payload) */
}

int main()
{
    infect();
    if (trigger())
        do_damage();
}
```


main is the entry point of virus program V. main first calls infect, which looks for another
file to infect; before infecting it, infect checks whether the file is already infected (its
first line is the marker 1234). main then checks the trigger condition; if it is true,
do_damage is called to perform the actual damage (the payload).


iv) Viruses require a host program to carry them, whereas worms are independent programs
that propagate copies of themselves across a network without attaching to a host program.



2. Based on your understanding of firewalls answer the following questions:
i. What is a firewall? Explain types of firewalls based on (1) filters at various OSI
layers, (2) hosting.
ii. What are the limitations of firewalls?


i. A firewall is a choke point in a network, commonly placed at the interface between the
internal network and the Internet to control and monitor the traffic passing between them.

Firewalls can be classified by the OSI layer at which they filter:
At Layer 3 (IP, network layer)
A packet-filtering router examines each IP packet in isolation (no context; just header
fields such as source and destination addresses, protocol and, for TCP/UDP, port numbers)
and permits or denies it according to a set of rules, with a default policy (usually deny)
for packets that no rule matches.
At Layer 4 (TCP, transport layer)
A circuit-level gateway relays two TCP connections, one between itself and an inside TCP
user, and the other between itself and a TCP user on an outside host. Once the two
connections are established, it relays TCP data from one connection to the other without
examining its contents. The security function consists of determining which connections
will be allowed. It is typically used when internal users are trusted to decide what
external services to access.
At Layer 7 (application layer)
An application-level gateway (proxy) understands a specific application protocol (for
example HTTP or SMTP) and only relays traffic for the applications it has a proxy for, so
it can inspect and filter the content of the exchange, not just the addresses.
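As an added example (not part of the lab sheet), the following C program simulates a
stateless layer-3/4 packet filter of the kind described above: every packet is judged on its
own header fields, the rule list is searched top to bottom, the first match decides, and
anything no rule matches is denied. The rule set, the inside network 10.0.0.0/8 and the
addresses used in main are all constructed for the demonstration. The third rule shows the
"no context" limitation: because a stateless filter has no record of which connections
exist, the only way it can admit replies to outbound connections is by their ACK flag, so a
forged packet with ACK set reaches any inside port.

```c
#include <stdint.h>
#include <stdio.h>

enum { DENY = 0, PERMIT = 1 };

typedef struct {
    uint32_t src, dst;      /* IPv4 addresses as 32-bit integers */
    uint16_t sport, dport;  /* TCP ports */
    int ack;                /* TCP ACK flag set: packet claims to belong to an existing connection */
} packet_t;

typedef struct {
    uint32_t src, src_mask; /* mask 0 = any host */
    uint32_t dst, dst_mask;
    uint16_t dport;         /* 0 = any port */
    int need_ack;           /* 1 = only packets with ACK set match */
    int action;
} rule_t;

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return a << 24 | b << 16 | c << 8 | d;
}

#define NET_10_0  0x0A000000u, 0xFF000000u   /* 10.0.0.0/8: the constructed inside network */
#define ANY       0u, 0u

/* Constructed rule set, evaluated top to bottom; the first match wins. */
static const rule_t RULES[] = {
    /* 1. anyone may open a connection to the inside web server port (80)  */
    { ANY,      NET_10_0, 80, 0, PERMIT },
    /* 2. inside hosts may connect anywhere                                */
    { NET_10_0, ANY,       0, 0, PERMIT },
    /* 3. replies to those outbound connections come back to high ports the
          filter cannot know in advance, so it admits them by "ACK set" only */
    { ANY,      NET_10_0,  0, 1, PERMIT },
};

static int match(const rule_t *r, const packet_t *p)
{
    if ((p->src & r->src_mask) != (r->src & r->src_mask)) return 0;
    if ((p->dst & r->dst_mask) != (r->dst & r->dst_mask)) return 0;
    if (r->dport && r->dport != p->dport) return 0;
    if (r->need_ack && !p->ack) return 0;
    return 1;
}

/* Stateless decision: header fields of this one packet against the rule list. */
int decide(const packet_t *p)
{
    size_t n = sizeof RULES / sizeof RULES[0];
    for (size_t i = 0; i < n; i++)
        if (match(&RULES[i], p))
            return RULES[i].action;
    return DENY;   /* default deny: anything no rule mentions is dropped */
}

packet_t mkpkt(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport, int ack)
{
    packet_t p = { src, dst, sport, dport, ack };
    return p;
}

static void show(const char *what, packet_t p)
{
    printf("%-42s -> %s\n", what, decide(&p) == PERMIT ? "PERMIT" : "DENY");
}

int main(void)
{
    uint32_t outside = ip4(203, 0, 113, 7), inside = ip4(10, 0, 0, 5);  /* constructed hosts */
    show("outside SYN to inside :80 (web)",       mkpkt(outside, inside, 40000, 80, 0));
    show("outside SYN to inside :22 (ssh)",       mkpkt(outside, inside, 40001, 22, 0));
    show("inside SYN to outside :443",            mkpkt(inside, outside, 50000, 443, 0));
    show("outside ACK to inside :50000 (reply)",  mkpkt(outside, inside, 443, 50000, 1));
    show("outside forged ACK to inside :22",      mkpkt(outside, inside, 40002, 22, 1));
    return 0;
}
```

The last case is the one to note: the forged ACK to port 22 is permitted although no
connection exists, which is exactly what an ACK scan relies on. A stateful filter or a
circuit-level gateway, which keeps a table of established connections, would drop it.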


Firewalls can also be classified by where they are hosted:

Bastion host
A hardened, dedicated machine running a common operating system such as UNIX or Linux,
used as the platform for an application-level or circuit-level gateway. Firewall
functionality can also be implemented as a software module in a router or LAN switch.
Host-based firewall (server machines)
A firewall installed on an individual server, with filtering rules tailored to that host's
environment. Protection is provided independently of the network topology and adds a
layer of protection on top of the network firewall.
Personal firewall (individual user machines)
Software on a PC/workstation that controls traffic between that machine and the Internet
or the enterprise network.

Exercise 2

Here you are to experiment and see how malicious software, such as a computer virus,
operates. As discussed in Question 1 of Exercise 1 of this tutorial, virus code generally
consists of 3 components:
(1) Infection Mechanism
(2) Trigger
(3) Payload
and so its activity can be considered as the 4 parts below:
(1) Infect the executable (memory) -> (2) Trigger -> (3) Do Damage (Payload) -> (4) Exit.

For reverse-engineering purposes, the following demo already contains inserted malicious
code (DontCallThisFunction()) and involves manual manipulation of the memory stack that is
otherwise performed by the virus.
Now, please follow the steps below:
1. Visit http://nsfsecurity.pr.erau.edu/bom/Smasher.html
2. Observe the program on the left hand side of the applet and try to summarize the
working of the program based on your understanding.
3. First, to simulate the original program that is not infected yet, click on Step Forward
one at a time (or Play if impatient!), read the explanations shown at the bottom of
the demo screen and carefully study the memory stack (the grid shown on the right-
hand side).
4. When prompted, enter an input of at most 10 characters and Step Forward/Play.
Note your observations.
5. Next, let us try to understand the operations of a computer virus.
Observe the location of the virus in the memory grid.
What is the Hexadecimal value of the location of the virus? What is its corresponding
ASCII value?
6. Click on Reset, and simulate the program until it prompts you to enter something.
7. Now enter 11 characters: 10 random characters, with the 11th character being the ASCII
character whose value is the memory location of the virus, and continue the program.
Note your observation.
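The following C program is an added example, not the applet's code, that reproduces the
mechanics of steps 4 and 7 on a simulated memory grid: a 10-cell input buffer with the saved
return address in the cell immediately after it, an unchecked copy routine that writes every
input character regardless of the buffer's size, and a "return" that jumps to whatever the
saved-address cell now holds. The code addresses (0x20 for the caller, 0x58 = 'X' for
DontCallThisFunction()) are assumed values chosen so that the virus address is a printable
character; the real value must be read off the applet's grid. The bounded copy beside it
shows what removes the bug.

```c
#include <stdio.h>
#include <string.h>

#define BUF_CELLS  10          /* the applet's prompt allows 10 characters */
#define RET_CELL   BUF_CELLS   /* the saved return address sits in the cell right after the buffer */
#define GRID_SIZE  16          /* size of the simulated memory grid */

/* Code addresses in the simulated memory (assumed values, see lead-in). */
enum { ADDR_CALLER = 0x20, ADDR_VIRUS = 0x58 };   /* 0x58 is ASCII 'X' */

typedef struct { unsigned char cell[GRID_SIZE]; } frame_t;

/* The bug: an unchecked copy in the style of gets()/strcpy(). It never looks at the
 * buffer's size, so the 11th character lands in RET_CELL. The only bound is the grid
 * itself, which keeps the simulation within defined behaviour. */
static void read_input_unchecked(frame_t *f, const char *input)
{
    size_t n = strlen(input);
    for (size_t i = 0; i < n && i < GRID_SIZE; i++)
        f->cell[i] = (unsigned char)input[i];
}

/* The fix: a bounded copy that can never write past the 10 buffer cells. */
static void read_input_checked(frame_t *f, const char *input)
{
    size_t n = strlen(input);
    if (n > BUF_CELLS)
        n = BUF_CELLS;         /* truncate; a stricter program would reject the input */
    memcpy(f->cell, input, n);
}

/* The "ret" instruction: control goes wherever the saved return address points. */
const char *resume(const frame_t *f)
{
    switch (f->cell[RET_CELL]) {
    case ADDR_CALLER: return "main continues normally";
    case ADDR_VIRUS:  return "DontCallThisFunction() runs";
    default:          return "crash: jump to a garbage address";
    }
}

/* One run of the demo: fresh frame, saved return address in place, then the input. */
const char *experiment(const char *input, int bounded)
{
    frame_t f = {{0}};
    f.cell[RET_CELL] = ADDR_CALLER;
    if (bounded)
        read_input_checked(&f, input);
    else
        read_input_unchecked(&f, input);
    return resume(&f);
}

/* Prints the buffer cells and the return-address cell after an unchecked copy. */
static void dump(const char *input)
{
    frame_t f = {{0}};
    f.cell[RET_CELL] = ADDR_CALLER;
    read_input_unchecked(&f, input);
    printf("%-12s grid:", input);
    for (int i = 0; i <= RET_CELL; i++)
        printf(" %02x", f.cell[i]);
    printf("   ret=0x%02x -> %s\n", f.cell[RET_CELL], resume(&f));
}

int main(void)
{
    dump("abcdefghij");    /* step 4: at most 10 characters, return address untouched */
    dump("abcdefghijX");   /* step 7: 10 characters + 'X' (0x58), the assumed virus address */
    dump("abcdefghijQ");   /* an 11th character that is not a code address */
    printf("%-12s bounded copy -> %s\n", "abcdefghijX", experiment("abcdefghijX", 1));
    return 0;
}
```

The dump lines show the 11th character overwriting the cell at offset 10, which is why the
demo asks for the virus location's ASCII character in exactly that position: the program
never checks the length of what it copies, so the input itself chooses where execution
resumes.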






Based on the above observation:
a) Summarise your understanding of the working of this virus program and try to map
the functioning of the program with the 3 components of the virus in less than half a
page.
b) Is this demo/program also an illustration of Buffer Overflow Attack? Explain.

Could not run it on my PC. Java is running, but Java blocked the application as it is untrusted.
