Stratford University WMAL Tech Talk May 20, 2000

Tech Talk Radio
Sponsored by Stratford University

May 20, 2000 Show

Home Network Rundown
  How do you Set up a Network?
  How do you Share an Internet Connection?
  How do you Share a Printer?
LoveBug Code Revealed
  Variants of the LoveBug
  What Can You Do?
  How did Tech Talk Open this Code?
  Overview of Program Flow
  Detailed Description of Program Code
IT Career Opportunities

Top of Page

Home Networking Rundown
You have heard of the problem before. There are multiple computers in the home and only one printer and one Internet connection. Some way to share these resources must be found. Attaching your computers to a home network and enabling resource sharing will permit such sharing. Accomplishing this task is a three step process.

First, you need to connect the computers to a network. Each computer needs a Network Interface Card (NIC). The NIC must be connected to a communication medium (either wireless or wired).
Second, you must install a proxy service (which may also be a firewall) on the the computer connected to the Internet. This proxy service will share the single Internet connection.
Third, you must install peer-to-peer resource sharing to share the printer.

How do you set up the network? Top of Page
     The computers can either be connected with wires or with wireless broadcasting.
     There are several wireless standards groups (Wireless Ethernet, HomeRF, Bluetooth, and BRAN). Wireless Ethernet (802.11b) and HomeRF are currently shipping wireless hardware. Bluetooth Wireless standards are designed to connect peripherals to a computer (like a digital camera or printer) and are not designed for networking and are still in development. Broadband Radio Access Networking (BRAN) standards (802.11a) will provide high bandwidth wireless connection and are still in development. BRAN will be the technology of the future. Tech Talk recommends Wireless Ethernet as today's best wireless technology.
     The two wired standards that are available are Home Phoneline and Category 5 Cabling. In an existing home, Tech Talk recommends Home Phoneline cabling, since it uses existing phone wiring in the home. In new construction, Tech Talk recommends installing Category 5 cabling with the regular telephone cabling.
     All of these wired and wireless standards are shown below.

Wireless Ethernet Compatibility Alliance
Speed: 11Mbps
Frequency band: 2.4Ghz
Supports IEEE 802.11b High Rate Standard
Configuration: Multiple clients per access point
Markets: Both home and business
Range: 50 to 300 feet
Frequency Sharing (Direct Sequence spread spectrum)
Backers: Cisco, Lucent, 3Com
Status: Shipping (many vendors, including 3Com)
Cost: Medium
Wireless Ethernet Compatibility Alliance (www.wirelessethernet.com)

HomeRF Wireless
Speed: 1, 2Mbps now. 10Mbps in the future
Frequency band: 2.4Ghz
May support 802.11b as a second generation standard
Configuration: Point-to-point or multiple devices per access point
Market: Strictly for the home
Range: 150 feet
Frequency sharing: Wideband frequency hopping
Backers: Apple, Compaq, Dell, Intel, Motorola, Proxim
Status: In development
Cost: Low
Home RF Working Group (www.homerf.org)

Bluetooth Wireless (for peripherals only)
Speed: 30-400Kbps
Frequency band: 2.4Ghz
Configuration: Point-to-point or multiple devices per access point. Will be used primarily for peripheral connections to computer (like printers, keyboards, cell phones, digital cameras, etc.)
Range: 30 feet
Frequency sharing: Narrowband frequency hopping
Backers: Ericsson, Motorola, Nokia
Status: In development
Cost: Very low
Bluetooth Special Interest Group (www.bluetooth.com)

Home Phoneline Networking Alliance
Speed: 10 Mbps
Wiring: Uses existing phone wiring. Excellent choice.
Frequency: uses frequency space above phone baseband
Configuration: point-to-point or multiple devices per access point
Range: one contiguous phone line wiring system
Backers: 3Com, AMD, AT&T, HP, IBM, Intel, Lucent, Compaq, Epigram, Conexant, Tut Systems
Cost: Medium to Low
Status: Now shipping (3Com)
HPNA (www.homepna.org)

Broadband Radio Access Network (the next generation)
Speed: 54Mbps
Frequency: 5Ghz band
Support IEEE 802.11a Standard and HiperLan2 Standard
Configuration: point-to-point or multiple devices per access point. Will be designed to unify wireless networking and telecommunications standards. Will be compatible with WECA.
Range: TBD
Backers: Most cell phone companies
Status: In early development. 2001 release
BRAN (webapp.etsi.org/tbhomepage)

10baseT or 100baseT Wiring
Requires unshielded twisted pair
Use Category 5 cabling (do not use phone grade wires)
Makes sense for new construction
All wiring connected to a central point
Cost: Medium for new construction
Locate a hub or switch at this central point
Status: Mature technology

How can you share an Internet Connection? Top of Page
You must use a proxy server because you have multiple computers but only one Internet connection and IP address. If the proxy server also provides port filtering, it is called a firewall. Three excellent software packages are available.

WinProxy (www.winproxy.com) Reasonable firewall
BlackIce Firewall (www.networkice.com) Excellent firewall
Zone Alarm Firewall (www.zonelabs.com) Excellent firewall (and free)
Internet Connection Sharing (ICS) Very easy to use (and free)

Included in Windows 98 Second Edition (www.microsoft.com)
Uses Network Address Translation (NAT)
Does not provide firewall protection

After setting your network, you will want to check vulnerability to attack from the outside. Go the Gibson Research (www.grc.com) and clicking on Shields Up. This site will perform a port scan of your system and give you a security report.

How can you share a printer? Top of Page
Most secure way is to use a network printer, but that is expensive and complicated. You can use peer-to-peer sharing. First attach the printer to one of the computers on the network and install the local printer driver as you normally would. Next install Microsoft NetBEUI (NetBios Extended User Interface) Protocol under Networks in the Control Panel. On the same Network panel, press the File and Print Sharing button. Select Printer Sharing, but not File Sharing. Sharing only needs to be selected on the computer with the printer. Then select Printer Properties by highlighting the Printer icon in the Printer window and clicking the right mouse button. Select sharing for everyone. Then go to the other computers, and install NetBEUI on each. Make certain that each computer has a different NetBEUI name. Finally install a new Network (not local) printer on the other computers in the network. Now all computers can share one printer, as long as the computer with the printer is on turned on.

Top of Page

LoveBug Code Revealed
In order to cut through all the hype, we have gotten a copy of the LoveBug code, analyzed it, and will talk about the system vulnerabilities that it exploits. The latest variants have been developed by changing just a few lines of the original code.
The LoveBug worm program is a file that has been attached to an e-mail. The program is written in Visual Basic Script (VBScript). The program has a filename extension of vbs. The program uses the Windows Scripting Host (WSH) to execute the commands. The extension (vbs) tells Windows to send the contents of the file to the WSH. The program contains the line "On Error Resume Next." This means that it will continue running even if it encounters a runtime error.

Variants of the LoveBug Top of Page
     The first mutations simply changed a few lines of code and renamed the attachment and the subject of the e-mail All other features were the same, see CERT Advisory 2000-04 (www.cert.org/advisories/CA-2000-04.html)
     The latest mutation (VBS/NewLove.A) is far more damaging. It removes the "if, end if lines" in the infectfiles() subroutine so that ALL files on the hard drive are replaced. It also replaces the subject with a file from the Recent Documents lists in Windows. If Recent Documents is empty, it replaces the Subject with the last infected file. The subject line is "FW: Filename."   The attachment is "Filename.vbs." See FBI NIPC Alert (www.fbi.gov/nipc/alert00-043.htm)
     BubbleBoy (www.fbi.gov/nipc/bubbleboy.htm) is a harmless VBScript shell that is contained in the body of an HTML e-mail It is activated without opening an attachment as soon as the e-mail is show in the View Pane of Outlook. This is very dangerous. Tech Talk expects variants of the LoveBug script to be placed in this shell.
     Now that the cat is out of the bag. Expect variations to be written in JavaScript. Then both Microsoft and Netscape e-mail systems will be affected. None of this type have been encountered yet.
    Microsoft has announced that it will soon release a patch to prevent scripts from automatically transmitting e-mail to addresses in the Outlook address book. Information about this patch is available from Microsoft. This new patch will prevent users from accessing certain types of attachments (like vbs), requires permission to read address books, requires permission to send e-mail, and increases level of default security settings.

What Can You Do? Top of Page
First -- Install the latest patch for your antivirus software.
Second -- Install latest patches from Microsoft. (www.microsoft.com)
Third-- Deactivate the Windows Scripting Host until Microsoft can get suitable protection in place.
If you need the Host for specific automated tasks, simply turn it on for those tasks. Then remove it when finished. It takes less than a minute to activate and deactivate WSH.
To turn off the Windows Scripting Host, take the following steps for Windows.

Go to "Start/Settings/Control Panel" on Windows
In the Control Panel, select Add/Remove Programs"
In Add/Remove, select "Windows Startup" tab at top
In Windows Startup, double click on "Accessories"
In Accessories, scroll to bottom and unclick "Windows Scripting Host"
Click OK twice to exit and save your selection.
Repeat the process to verify that WSH is indeed unclicked

See May 6th and May 13th shows for further discussion.

How did Tech Talk Open this Code Safely? Top of Page
We first deactivated the Windows Scripting Host. Then we saved the attachment as file with a txt extension (making certain to delete the vbs extension that it came with). Finally, we opened the text file with WordPad and printed it.

Overview of Program Flow Top of Page
      We have decided not to include a copy of the program on this site. Rather we will give a quick description of how it works. The program contains the main program and eleven subroutines or functions. It includes 230 lines of code (some quite long).   It appears that more than one person wrote the code. Some routines are not as well written as others. A complete program printout uses six sheets of paper. One of the functions is never used (function folderexist).
     Program LoveLetter identifies the authors, provides an e-mail address, initializes a few variables, and then call the Subroutine Main().
     Subroutine Main() copies the virus to three locations on the hard drive and then calls four subroutines -- Regruns(), HTML(), Spreadtoemail(), and Listadrive().
     Subroutine Regruns() changes the startup page of Internet Explorer to one of four locations that contain a Trojan horse program that captures passwords. Regruns() then adjusts the registry to ensure that the virus will run the each time the computer started.
     Subroutine HTML() creates a web page for transmission to all members on the mIRC buddy list using a script created by Subroutine Infectfiles(). This web page transfers and saves copies of the virus on the hard drive of the targeted machine.
     Subroutine Spreadtoemail() creates an e-mail titled "ILOVEYOU," with a copy of the virus attached, and then sends it to every address in the Outlook address books.
     Subroutine Listadrive() locates all drives on the computer, calls Subroutine Folderlist() for each drive. Subroutine Folderlist() cycles through each folder of the drive and calls Subroutine Infectfiles() for each folder. Subroutine Infectiles overwrites files which have specific filename extensions. This is where the real damage occurs. Infectiles then writes an mIRC script that sends the page created by Subroutine HTML() to each name on the mIRC buddy list.
     The flow between subroutines is shown below.

Program Loveletter calls Main()
Subroutine Main calls Regruns, HTML, Spreadtoemail, Lisadrive
- Subrountine Reguns calls Regcreate, Regget, Fileexist

Subroutine Regcreate()
Function Regget()
Function Fileexist()

Subroutine HTML()
Subroutine Spreadtoemail()
Subroutine Lisadrive calls Folderlist
- Subroutine Folderlist call Infectfiles
  - Subroutine Infectfiles()

Detailed Summary of Program Code Top of Page
Program Loveletter
     9 lines of code
     Comment "barok-loveletter.vbe <I hate go to school>"
     Comment "by: spyder / ispyder@mail.com"
     Comment "@GRAMMERSoft Group / Manila, Philipines"
     Initializes variables (fso, file)
     Calls subroutine main()

Subroutine Main()
     19 lines of code
     Changes Windows Scripting Host timeout parameter
     Copies itself to three new files on the hard drive
         MSKernel32.vbs
         Win32DLL.vbs
         Love-Letter-for-You.Txt.vbs
     Calls four subroutines
         Regruns()
         Html()
         Spreadtoemail()
         Listadriv()

Subroutine Regruns()
     28 lines of code
     Changes registry so MSKernel32.vbs and Win32DLL.vbs will run.
     Changes Internet Explorer Startpage to one of four URLs
         www.skynet.net/~youngls
         www.skynet.net/~angelcat
         www.skynet.net/~koichi
         www.skynet.net/~chu
     Each URL asks for download of WIN-BUGSFix.exe program.
     WIN-BUGFix.exe is a password collection program.

Subroutine Listadrive()
     11 lines of code
     Locates all hard drives on system
     Calls folderlist() for each drive

Subroutine Infectfiles()
     57 lines of code
     Replaces selected files with copies of itself.
     Replaced files have the following extensions:
         vbs, vbe
         js, jse, css, ssh, sct, hta
         jpg, jpeg
         mp2, mp3
     Adds vbs extension to all replaced files (except vbs, vbe files).
     Hides originals of mp3, mp2 and destroys all other replaced files.
     All replaced files keep same name (except for added extension).
     Uses a simple if, else if, end if construct to select files destroyed.
     Creates script.ini file for mIRC
         Script send LOVE-LETTER-FOR-YOU.htm web page
         Receipients include the mIRC buddylist.

Subroutinge Folderslist()
    10 lines of code
     Scans all folders and subfolders on all hard drive
     Calls Infectfiles() for each subfolder

Subroutine Regcreate()
4 lines of code
Creates objects for editing the registry

Function Regget()
     4 lines of code
     Creates objects for reading registry
     Returns regget value

Function Fileexist()
     10 lines of code
     Tests for existence of file
      Returns value (0 or 1)

Function Folderexist()
    10 lines of code
     Never used or called
     Tests for existence of folder
     Returns value (0 or 1)

Subroutine Spreadtoemail()
     33 lines of code
     Reads all Outlook address books
     Reads all addresses in each book
     Send email to every found adresses
         Email Subject: ILOVEYOU
         Email Body: kindly check the attached loveletter coming from me
         Email attachment: LOVE-LETTER-FOR-YOU.TXT.vbs
     Interesting fact : Spells mail as male when defining objects.

Subroutine Html()
     36 lines of code
     Creates web page called "LOVE-LETTER-FOR-YOU.htm"
           Contains JScript program to control window
           Contains VBScript program which transfers and saves virus
           Places copies of virus in two files on target harddrive
               MSKernel32.vbs
               Win32DLL.vbs
           Page Descriptive Data -- "simple but i think this is good"
     Web page sent to mIRC buddy list
    Tech Talk Note: mIRC is an Internet Relay Chat client

Top of Page

IT Career Opportunities      Information technology careers span a wide range of activities. In total these jobs are designed to permit companies to use information to increase productivity and profits. Since this technology has been so effective at achieving both, business leaders recognize the value of these activities and that recognition is reflected in the salaries.
     The jobs can be divided generally into those that support the Communication Infrastructure (Network Management, Telecommunications) and those that support the Information Infrastructure (Application development, Application deployment). In addition, the emergence of the Internet as a communication standard has created many jobs in the areas web site development and maintenance. See Career Advice (an ongoing topic on this site) for additional information.
     These various categories of career opportunites can be summarized in the following way.

Enterprise Network Management Job Areas

Infrastructure and Routers & Switches

Enterprise Network Design and Optimization
Network Troubleshooting
Cisco Router/Switch Configuration for WAN
Telecommunications Technology

Security

Firewalls
Security Policy
Packet Filtering and VLANs
Intrusion Methods and Techniques for the Administrator

Network Operation and Services

Server Troubleshooting
Multiple Operating Systems (Microsoft, Novell, Unix)
Directory Services
Email and Messaging Architecture
Web Server Installation and Management

Computer Programming Job Area

Conventional Programming (C,C++, Unix, Visual Basic)

C, C++
Visual Basic
Unix

Web Programming

HTML
Dynamic Web Page Development
Graphics Design
Java, Javascript, ASP, XML
ActiveX, Linking to a Database

Distributed Databases and Application Development

Database Design using PL/SQL
Oracle Application Development
Oracle operating system optimization
Managing oracle database server , including backup
Integrating Oracle 8i into the Internet

Home Page

Top of Page