Preparing for and Detecting Attacks: Honey Pots, Spyware, Backing Up and Restoring
Sai Kiran S. Kovvuri, Venkat Kalvala and Shanmugarajan Rathinakumar
Abstract—Attacks on computer systems have become an area of serious concern. Honey pots (sand boxes) are being used to divert attackers and study their behavior. Attacks using Trojans and other networking tools can be detected and studied using honey pots. The use of anti-spyware tools and the importance of backup and recovery are also discussed in this document.
Index Terms—Anti-Spyware, Honeypots, Intrusions, Trojans, Remote Access.
I. INTRODUCTION
This document is about the importance and use of honey pots, anti-spyware tools and backup and recovery tools. The document is divided into five parts; each part discusses the working of different tools. The tools include KFSensor, NetBus, Internet Explorer, Microsoft Anti-Spyware, HijackThis and NTBackup. Various features and capabilities are brought to light in the document, and illustrations and examples make it easier to understand the working of the tools.
KFSensor is a Windows based honeypot Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and Trojans. By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. KFSensor is designed for use in a Windows based corporate environment and contains many innovative and unique features such as remote management, a Snort compatible signature engine and emulations of Windows networking protocols. With its GUI based management console, extensive documentation and low maintenance, KFSensor provides a cost effective way of improving an organization's network security. [1]
NetBus is one of the popular Trojans of 1998 and has been very controversial because of its potential to be used as a backdoor. Its client-server architecture has two components. The server must be installed and run on the computer that is to be remotely controlled. It was a .exe file with a file size of almost 500 KB. The name and icon varied a lot from version to version; common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup. The server is a faceless process listening for connections on port 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks.
The client was a separate program presenting a graphical user interface that allowed the user to perform a number of activities on the remote computer. Examples of its capabilities:
• Keystroke logging
• Keystroke injection
• Screen captures
• Program launching
• File browsing
• Shutting down the system
• Opening / closing the CD tray
• Tunneling NetBus connections through a number of systems
The NetBus client was designed to support the following operating system versions:
• Windows 95
• Windows 98
• Windows NT 4.0
II. TROJANS
These are Windows applications designed to allow other people to access your machine (generally for malicious purposes) over the Internet.
In order for anyone to use a Trojan on your machine, the server side of the application has to be installed on the victim's computer. This is normally done by getting the victim to download an application, or by sending the server EXE to the victim in an e-mail message and hoping the victim executes it. This is why it is called a Trojan horse -- the victim has to consciously or unconsciously run the EXE to install the server -- it does not propagate itself like a virus. Once the server EXE is executed, the server is installed and will start running automatically every time the victim's computer starts.
With the server installed, an evil-doer can run the Trojan client program and control the victim's computer remotely, running programs, erasing files and so on. Obviously, this is not a good thing. It is easy to detect popular Trojans like NetBus and Back Orifice either manually or with software.
III. KFSENSOR HONEY POT
KFSensor is a system installed in a network in order to divert and study an attacker's behavior. This is a new technique that is very effective in detecting attacks. The main feature of KFSensor is that every connection it receives is suspect, so it results in very few false alerts.
At the heart of KFSensor sits a powerful internet daemon service that is built to handle multiple ports and IP addresses. It is written to resist denial of service and buffer overflow attacks. Building on this flexibility, KFSensor can respond to connections in a variety of ways, from simple port listening and basic services (such as echo) to complex simulations of standard system services. For the HTTP protocol KFSensor accurately simulates the way Microsoft's web server (IIS) responds to both valid and invalid requests. As well as being able to host a website it also handles complexities such as range requests and client side cache negotiations. This makes it extremely difficult for an attacker to fingerprint, or identify, KFSensor as a honeypot. [1]
KFSensor simulates the system services in the top level of the OSI layers. Hence it makes good use of the Windows security and network libraries present. It acts as another server on any network it is installed on.
KFSensor's effectiveness is evident from the immediate response it gives when an attack is detected. The type and quantity of attack are stated by KFSensor so clearly that anyone can understand the nature of the attack. KFSensor does not rely on the signatures of older attacks, hence it can detect newer attacks and alerts even while the attack is in progress.
The architecture of KFSensor can be extended by writing our own scripts and customizing the actions taken by the honeypot. Various scenarios can be defined according to our needs.
"KFSensor appears to be the only virtual honeypot in this review with a clear sense of what it takes to appear to be a Windows host."
"This functionality puts KFSensor in the top echelon of Windows honeypots."
"If you want a feature-packed Windows honeypot that's easy to install and use, KFSensor is the clear choice for you." [2]
IV. ANTI-SPYWARE
Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
First let us look at what malware is; that helps us clearly differentiate between the different types of malware and spyware. The best way to differentiate between malware and spyware is to define them.
Malware (a portmanteau of "malicious software") is a type of software designed to take over and/or damage a computer user's operating system without his or her knowledge or approval. Once installed, it is often very difficult to remove, and depending on the severity of the program installed, its handiwork can range from the slightly annoying (such as unwanted pop-up ads while a user is performing regular computing tasks on or offline) to irreparable damage requiring the reformatting of one's hard drive, since much malware is poorly written. Examples of malware include viruses and Trojan horses.
In computer security technology, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed infection, and the infected file (or executable code that is not part of a file) is called a host. Viruses are one of several types of malware or malicious software. In common parlance, the term virus is often extended to refer to computer worms and other sorts of malware. This can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be, compared to other forms of malware such as worms. This confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. However, a basic rule is that computer viruses cannot directly damage hardware, but only software.
While viruses can be intentionally destructive (for example, by destroying data), many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, which is sometimes called a bomb. For example, a virus might display a message on a specific day or wait until it has infected a certain number of hosts. A time bomb goes off on a particular date or time, and a logic bomb goes off when the user of a computer takes an action that triggers the bomb. However, the predominant negative effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer resources.
Computer worms are similar to viruses but are stand-alone software and thus do not require host files (or other types of host code) to spread themselves. They do modify their host operating system, however, at least to the extent that they are started as part of the boot process. To spread, worms either exploit some vulnerability of the target system or use some kind of social engineering to trick users into executing them.
Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware by design exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.
After getting familiar with terms such as spyware, Trojans and worms, we now turn to how we deal with the problem of spyware getting installed on our system without our consent. We use Microsoft Anti-Spyware to remove these things, which, if not taken care of, are going to seriously affect the system's performance.
We concentrate on explaining how effectively Microsoft Anti-Spyware removes spyware and other forms of malware, restoring your system to the point where it was perfect, without any viruses. For this we download the HijackThisBrowser software onto the system, which, apart from performing many other functions, also does a system scan and creates a log file that lists all the processes running on our system. We are going to make use of this log file to explain how effectively Microsoft Anti-Spyware helps in removing them.
There are three steps to doing this. First we do a system scan and save the log file using HijackThisBrowser's "Do a system scan and save a log file" option. Then, as the second step, we open several web pages which we think can download spyware. Now we do a system scan again and save the log file. Comparing the first and second saved log files, we notice that there are more processes running in the second log file than in the first one. This indicates that spyware has been downloaded onto the system and is running more processes than usual.
As the third operation we run the Anti-Spyware. After the initial scan is done we get a list of all the threats, their names and the severity of each threat. We then remove all of them. After we remove all of them we do a system scan again and compare the third log file with the first one; what we notice is that the Anti-Spyware restores the system, bringing it back to a safe state.
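The three-step log comparison just described, as an added example (not code from the report or from HijackThis): it parses two constructed HijackThis-style logs, lists the processes and O-entries that appeared after the browsing step, flags those that sit in persistence sections, and checks that the post-cleanup scan matches the baseline again. The log layout, the paths, the CLSID/GUID placeholders and the section-code meanings are assumptions made for illustration.

```python
"""Compare HijackThis-style scan logs taken before and after the browsing step,
and check whether the post-cleanup scan matches the baseline again.

Added example, not from the original report. The logs below are constructed
samples in the general shape of a HijackThis log (a "Running processes:" list
followed by numbered O-entries); paths, names and identifiers are made up.
"""
from dataclasses import dataclass

BASELINE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\system32\\ctfmon.exe

O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CONSTRUCTED-GUID}: NameServer = 192.168.1.1
"""

# Second scan, after visiting pages that dropped a toolbar and an "updater"
# that registers itself to run at logon (constructed scenario).
AFTER_BROWSING_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\system32\\ctfmon.exe
C:\\Program Files\\Bundled Toolbar\\tbhelper.exe
C:\\WINDOWS\\system32\\adupdate.exe

O2 - BHO: Bundled Toolbar Helper - {CONSTRUCTED-CLSID} - C:\\Program Files\\Bundled Toolbar\\tbhelper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [adupdate] C:\\WINDOWS\\system32\\adupdate.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{CONSTRUCTED-GUID}: NameServer = 192.168.1.1
"""

# Third scan, after Anti-Spyware removed the findings: identical to the
# baseline in this constructed scenario.
AFTER_CLEANUP_LOG = BASELINE_LOG

# Section codes that describe a foothold surviving a reboot (assumed meanings:
# O2 browser helper objects, O3 toolbars, O4 autostart entries, O23 services).
PERSISTENCE_CODES = {"O2", "O3", "O4", "O23"}


@dataclass
class Snapshot:
    processes: frozenset   # lower-cased image paths from "Running processes:"
    entries: frozenset     # (section code, entry text) pairs


def parse_log(text):
    """Split a log into its running-process list and its O-entries."""
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())   # NTFS paths compare case-insensitively
            continue
        code, sep, rest = line.partition(" - ")
        if sep and code.startswith("O") and code[1:].isdigit():
            entries.add((code, rest))
    return Snapshot(frozenset(processes), frozenset(entries))


def compare(before, after):
    """Everything present in `after` but not in `before`, and vice versa."""
    return {
        "new_processes": sorted(after.processes - before.processes),
        "gone_processes": sorted(before.processes - after.processes),
        "new_entries": sorted(after.entries - before.entries),
        "gone_entries": sorted(before.entries - after.entries),
    }


def persistence_findings(report):
    """New entries in sections that would re-launch the software at next logon."""
    return [(code, text) for code, text in report["new_entries"]
            if code in PERSISTENCE_CODES]


def is_back_to_baseline(baseline_text, cleaned_text):
    """Step three: the post-cleanup scan should add nothing to the baseline;
    leftover processes or entries mean the removal was incomplete."""
    report = compare(parse_log(baseline_text), parse_log(cleaned_text))
    return not report["new_processes"] and not report["new_entries"]


def run_comparison():
    return compare(parse_log(BASELINE_LOG), parse_log(AFTER_BROWSING_LOG))


if __name__ == "__main__":
    report = run_comparison()
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
    print("persistence:", persistence_findings(report))
    print("clean again:", is_back_to_baseline(BASELINE_LOG, AFTER_CLEANUP_LOG))
```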
V. BACKING UP AND RECOVERY IN WINDOWS
Backing up data is one of the most important security measures that you can implement. Disasters may happen even with an expertly configured firewall, up-to-date virus signatures, and intrusion detection systems running. If the data is destroyed or corrupted, the only hope you have of retrieving the data is from a properly configured backup. A backup job is an instruction to the computer that identifies the date, time, and files designated to be backed up. Files will be backed up to the backup media. This can be a network share, a tape device, or some other drive of appropriate size.
Since data on a computer will change quite often depending on the purpose and use of the computer system, the backup files may become out of date. For this reason, a backup should be performed on a regular basis.
There are several types of backups that can be performed: normal, differential, and incremental. Each type of backup has some advantage or disadvantage with backing up and restoring (restoring is the process of retrieving data from a backup). A normal backup, also known as a full backup, will copy all the designated files. This type of backup takes the longest to complete, but is the quickest to restore. Since there is usually only one medium that contains the full backup, only one is needed to restore, and as such it is the quickest to restore. A differential backup will copy all of the files that have changed since the last full backup. This takes less time to back up, since not all of the files are being copied, but takes longer to restore since there will be two media to restore: the full backup medium and the differential medium. It is important to note that with each day that passes between full backups, the differential backup will take longer and longer, since the changes in data are accumulating.
An incremental backup backs up the data changed since the last backup, whether full or incremental. This means that if you did an incremental backup each day, you would only back up the files changed that day. As a result the backup times are usually short. However, restoring can take much longer. Depending on how many incremental backups were done since the last full backup, the restore process will take longer and be more tedious.
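A small simulation of the three backup types, added here as an example (not code from the report or from NTBackup): it models the archive attribute that Windows Backup uses to select files, runs a constructed week of edits under a differential and an incremental schedule, and reports how many files each job copies and how many media a restore needs. It goes slightly beyond the text in that the restore-chain rule also covers schedules that mix differential and incremental jobs.

```python
"""Model the three backup types (normal/full, differential, incremental):
what each job copies and which media a restore needs.

Added example, not from the original report. It mimics the archive attribute
Windows Backup uses to decide what a job selects: a write sets the bit, normal
and incremental jobs clear it, a differential job leaves it alone. The file
set and the daily edits are constructed.
"""
from dataclasses import dataclass

NORMAL, DIFFERENTIAL, INCREMENTAL = "normal", "differential", "incremental"


@dataclass
class BackupJob:
    day: int
    kind: str
    copied: dict    # path -> content written to this job's media


class BackupSimulator:
    def __init__(self):
        self.files = {}       # path -> current content on the live system
        self.archive = set()  # paths whose archive attribute is set
        self.jobs = []        # every job run so far, in order

    def write(self, path, content):
        """A file is created or modified; Windows sets its archive bit."""
        self.files[path] = content
        self.archive.add(path)

    def backup(self, day, kind):
        """Run one job and return it; only differential leaves the bit set."""
        if kind == NORMAL:
            selected = set(self.files)            # everything designated
        elif kind in (DIFFERENTIAL, INCREMENTAL):
            selected = set(self.archive)          # changed since bit last cleared
        else:
            raise ValueError(f"unknown backup type: {kind}")
        if kind != DIFFERENTIAL:
            self.archive.clear()
        job = BackupJob(day, kind, {p: self.files[p] for p in sorted(selected)})
        self.jobs.append(job)
        return job

    def restore_chain(self, job):
        """Media needed, in restore order, to rebuild the file set as of `job`:
        the last normal backup, every incremental after it up to `job`, and
        `job` itself if it is a differential (a differential taken after
        incrementals only holds changes since the last one, so those stay in)."""
        end = self.jobs.index(job)
        start = max(i for i in range(end + 1) if self.jobs[i].kind == NORMAL)
        chain = [self.jobs[start]]
        chain += [j for j in self.jobs[start + 1:end + 1] if j.kind == INCREMENTAL]
        if job.kind == DIFFERENTIAL:
            chain.append(job)
        return chain

    @staticmethod
    def restore(chain):
        """Apply media oldest first with "Replace the files on my computer",
        the option the report switches on for the differential restore."""
        state = {}
        for job in chain:
            state.update(job.copied)
        return state


def simulate_week(kind):
    """Normal backup on day 0, then `kind` on days 1-3, with constructed edits.
    Returns (files copied per job, media in the last job's restore chain,
    whether restoring that chain reproduces the live file set)."""
    sim = BackupSimulator()
    for path in ("report.doc", "budget.xls", "notes.txt"):
        sim.write(path, "v1")
    sim.backup(0, NORMAL)
    sim.write("report.doc", "v2")
    sim.backup(1, kind)
    sim.write("budget.xls", "v2")
    sim.backup(2, kind)
    sim.write("report.doc", "v3")
    sim.write("memo.txt", "v1")       # new file created on day 3
    last = sim.backup(3, kind)
    chain = sim.restore_chain(last)
    copied = [len(job.copied) for job in sim.jobs]
    return copied, len(chain), sim.restore(chain) == sim.files


if __name__ == "__main__":
    for kind in (DIFFERENTIAL, INCREMENTAL):
        copied, media, ok = simulate_week(kind)
        print(f"{kind:12s} files per job {copied}  restore media {media}  exact {ok}")
```

The differential run copies 1, 2 and 3 files on successive days (the changes accumulate) but restores from two media; the incremental run copies only each day's changes but needs four media to restore.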
Backing up files is an important skill, but restoring files is equally important. The time to test out the restore process is not during a disaster recovery incident. Horror stories abound of administrators who backed up regularly but came to find out after disaster hit that some key data was not being saved or that the restore process was improperly configured. Also, it is always important to remember to write-protect the media when restoring the data. You would not want to inadvertently erase data when you are in a data recovery situation. As backups are insurance against data loss, they should also be stored in a remote location to protect them from fire and other local environment issues near the computer.
Now that we know a fair amount about backups and their importance in cases of disaster (system crashes etc.), we move on to backing up and restoring on the Windows XP platform. We begin by creating a shared network drive for storing all the backup files. Select the Tools option in the folder and select Map Network Drive; a window pops up showing all the options for selecting the name of the shared drive and the folder. After this you click Finish, which will create a network drive.
Then you create a folder that stores all the files that are to be backed up. Then we go to Start and in the Run box we type ntbackup. This will open the Windows Backup Utility window, where you select the Backup tab. Explore the folder and check all the files that are to be backed up, then give the name of the backup file. Now press the Start Backup button, which opens a window showing advanced options. Select the advanced options, then select the type of backup to be Normal and press OK. We now have a full backup file stored in the network share drive.
For the differential backup we modify some of the files and then perform the differential backup with the same set of steps, but in the advanced options of the Start Backup window we select the type of backup to be Differential; this will create a differential backup file in the network share drive. Now we replicate the system crash by deleting all the files from the folder containing the files that need to be backed up.
Restoring the files from the backup files is pretty interesting and different from backing up. First we will restore the full backup file and then do the differential restore. For this we need to go to the Restore and Manage Media tab in the Backup Utility window and then select from the list of files on the left. Before selecting the Start Restore button, make sure that the files are to be restored to the original location. On the Confirm Restore screen, click OK. On the Confirm Name/Location dialog box, click OK. On the Check Backup File Location screen, ensure that the correct path of the file is selected. After the restore completes, go to the folder and we can see that the files as of the first point are restored.
Differential restore is slightly different from full restore. On the Restore and Manage Media tab select the differential backup on the left and check the checkbox on the right. Click Tools, Options. Select the Restore tab. We notice that the selection is "Do not replace the file on my computer." This should be changed to the other option, "Replace the files on my computer", which will enable the backup utility to restore the files to the point when the crash occurred. Now on the Confirm Restore screen, click OK. After the restore process is complete we can see that the files are restored to the state before the crash.
PROBLEMS ENCOUNTERED
As we were working in a firewall'ed network there were not many problems that could stop us from performing our experiments. But as this experiment was done on Windows XP SP2, the built-in firewall caused minor problems. Also, Microsoft AntiSpyware unexpectedly removed the Trojan as it has malicious content. So AntiSpyware had to be removed for the experiment and the firewall was turned off. Also, as a suggested measure while using the ServerEdit component of the NetBus Trojan, do not set the server.exe to "invisible" as it then becomes hard to find or remove the server component after the experiment. Nevertheless, there are tools available today on the internet that can gracefully remove the NetBus Trojan from the infected system.
FUTURE WORK
Future work can be done on this project using this report, either by enhancing the work and/or adding more security related issues, through discussing the anatomy of any malicious software and how to secure a system infected by the same.
ACKNOWLEDGMENTS
We would like to thank Dr. Leszek Lilien for the lab manual and also for guiding us in completing this project successfully. Also we thank the SCST team of WMU for providing us with the required environment, safely firewall'ed from other networks.
REFERENCES
[1] Computer Security Lab Manual by Nestler Vincent J., Conklin Wm. Arthur, White Gregory B. and Hirsch Matthew P.
[2] Video Demo. Available: http://www.cs.wmich.edu/~llilien/teaching/Fall2005/cs5950-6030/index.html
[3] KFSensor Honey Pot. Available: http://www.keyfocus.net/kfsensor/
[4] Microsoft Antispyware. Available: http://ww.microsoft.com/downloads
[5] More information on related terms. Available: http://www.howstuffworks.com and http://en.wikipedia.org/wiki.
4

More Related Content

What's hot

Malicious software
Malicious softwareMalicious software
Malicious softwarerajakhurram
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious softwarerajakhurram
 
Computer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan ChakravarthyComputer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan ChakravarthyDipayan Sarkar
 
Malicious Software Identification
Malicious Software IdentificationMalicious Software Identification
Malicious Software Identificationsandeep shergill
 
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand...
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand..."Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand...
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand...eLiberatica
 
Program security
Program securityProgram security
Program securityG Prachi
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitAnurag Srivastava
 
Virus detection system
Virus detection systemVirus detection system
Virus detection systemAkshay Surve
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareshubaira
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajaliwebhostingguy
 
Malicious Software and Virus
Malicious Software and Virus Malicious Software and Virus
Malicious Software and Virus Tasif Tanzim
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 

What's hot (20)

Logic bomb virus
Logic bomb virusLogic bomb virus
Logic bomb virus
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
 
Computer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan ChakravarthyComputer Viruses- B S Kalyan Chakravarthy
Computer Viruses- B S Kalyan Chakravarthy
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Mitppt
MitpptMitppt
Mitppt
 
Malicious Software Identification
Malicious Software IdentificationMalicious Software Identification
Malicious Software Identification
 
Malicious software
Malicious softwareMalicious software
Malicious software
 
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand...
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand..."Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand...
"Viruses Exploits Rootkits the Dilemma of a Linux Product Manager" by Alexand...
 
Program security
Program securityProgram security
Program security
 
Metasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With MetasploitMetasploit (Module-1) - Getting Started With Metasploit
Metasploit (Module-1) - Getting Started With Metasploit
 
Malicious
MaliciousMalicious
Malicious
 
Virus detection system
Virus detection systemVirus detection system
Virus detection system
 
Talk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomwareTalk of the hour, the wanna crypt ransomware
Talk of the hour, the wanna crypt ransomware
 
Presentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad AlmajaliPresentation Prepared By: Mohamad Almajali
Presentation Prepared By: Mohamad Almajali
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
Viruses And Hacking
Viruses And HackingViruses And Hacking
Viruses And Hacking
 
Malicious Software and Virus
Malicious Software and Virus Malicious Software and Virus
Malicious Software and Virus
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 

Similar to Report_Honeypots_Trojans_Spyware

Software security
Software securitySoftware security
Software securityjes_d
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Security threats explained
Security threats explained Security threats explained
Security threats explained Abhijeet Karve
 
Presentation2
Presentation2Presentation2
Presentation2Jeslynn
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES Sagilasagi1
 
Final Project _Smart Utilities
Final Project _Smart UtilitiesFinal Project _Smart Utilities
Final Project _Smart UtilitiesPasan Alagiyawanna
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5CAS
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackEMC
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threatsKishore Kumar
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksDiane M. Metcalf
 
Security measures for networking
Security measures for networkingSecurity measures for networking
Security measures for networkingShyam Kumar Singh
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection systemMaulana Arif
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection systemDuwinowo NT
 
Virus, Worms And Antivirus
Virus, Worms And AntivirusVirus, Worms And Antivirus
Virus, Worms And AntivirusLokesh Kumar N
 

Similar to Report_Honeypots_Trojans_Spyware (20)

Computer Introduction-Lecture04
Computer Introduction-Lecture04Computer Introduction-Lecture04
Computer Introduction-Lecture04
 
Software security
Software securitySoftware security
Software security
 
Safe Computing At Home And Work
Safe Computing At Home And WorkSafe Computing At Home And Work
Safe Computing At Home And Work
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Security threats explained
Security threats explained Security threats explained
Security threats explained
 
Presentation2
Presentation2Presentation2
Presentation2
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
 
Attacking antivirus
Attacking antivirusAttacking antivirus
Attacking antivirus
 
Final Project _Smart Utilities
Final Project _Smart UtilitiesFinal Project _Smart Utilities
Final Project _Smart Utilities
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
 
Recognizing security threats
Recognizing security threatsRecognizing security threats
Recognizing security threats
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise Networks
 
Security measures for networking
Security measures for networkingSecurity measures for networking
Security measures for networking
 
virus
virusvirus
virus
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
 
Network intrusi detection system
Network intrusi detection systemNetwork intrusi detection system
Network intrusi detection system
 
Virus, Worms And Antivirus
Virus, Worms And AntivirusVirus, Worms And Antivirus
Virus, Worms And Antivirus
 

Report_Honeypots_Trojans_Spyware

  • 1. Abstract—Attacks on a computer system has become an area of serious concern these days. Honey pots (sand boxes) are being used to divert and study the behavior of an attacker. Attacks using Trojans and other networking tools can be detected and studied using hone pots. The use of anti-spyware tools and the importance of backup and recovery is also discussed in this document. Index Terms—Anti-Spyware, Honeypots, Intrusions, Trojans, Remote Access. I.INTRODUCTION HIS document is about the importance and use of Honey pots, Anti-Spyware tools and the Backup and recovery tools. The document has been divided into five parts. In each part we have discussed about the working of different tools. The tools include KF Sensor, NetBus, Internet Explorer, Microsoft Anti-Spyware, Hijackthis and NTBackup. Various features and capabilities have been brought to light in the document. Illustrations and examples make it easier to understand the working of the tools. T KFSensor is a Windows based honeypot Intrusion Detection System (IDS).It acts as a honeypot to attract and detect hackers and worms by simulating vulnerable system services and trojans. By acting as a decoy server it can divert attacks from critical systems and provide a higher level of information than can be achieved by using firewalls and NIDS alone. KFSensor is designed for use in a Windows based corporate environment and contains many innovative and unique features such as remote management, a Snort compatible signature engine and emulations of Windows networking protocols. With its GUI based management console, extensive documentation and low maintenance, KFSensor provides a cost effective way of improving an organization's network security. [1] Netbus is among those popular Trojans of 1998 and has been very controversial for its potential of being used as a backdoor. There are two components to the client-server architecture. 
The server must be installed and run on the computer that should be remotely controlled. It was a .exe file with a file size of almost 500 KB. The name and icon varied a lot from version to version. Common names were "Patch.exe" and "SysEdit.exe". When started for the first time, the server would install itself on the host computer, including modifying the Windows registry so that it starts automatically on each system startup. The server is a faceless process listening for connections on port 12345 (in some versions, the port number can be adjusted). Port 12346 is used for some tasks. The client was a separate program presenting a graphical user interface that allowed the user to perform a number of  activities on the remote computer. Examples of its capabilities: • Keystroke logging • Keystroke injection • Screen captures • Program launching • File browsing • Shutting down the system • Opening / closing CD-tray • Tunneling a NetBus connections through a number of systems The NetBus client was designed to support the following operating system versions: • Windows 95 • Windows 98 • Windows NT 4.0 II.TROJANS These are Windows applications designed to allow other people to access your machine (generally for malicious purposes) over the Internet. In order for anyone to use a Trojan on your machine, the server side of the application is to be installed on victim’s computer. This is normally done by getting the victim to download an application or by sending the server EXE to the victim in an e-mail message and hoping to execute it. This is why it is called a Trojan horse -- victim has to consciously or unconsciously run the EXE to install the server -- it does not propagate itself like a virus. Once the server EXE is executed, the server is installed and will start running automatically every time victim’s computer starts. 
With the server installed, an attacker can run the Trojan client program and control the victim's computer remotely: running programs, erasing files and so on. Obviously this is not a good thing. Popular Trojans such as NetBus and Back Orifice are easy to detect, either manually (a listener on the known port, an unexpected autostart entry) or with software.

III. KFSENSOR HONEY POT

KFSensor is a system installed in a network in order to divert an attacker and study the attacker's behavior. It is a technique that is very effective in detecting attacks. The main feature of a honeypot is that it has no production purpose, so every connection it receives is suspect; this is why KFSensor produces very few false alerts.

At the heart of KFSensor sits a powerful internet daemon service that is built to handle multiple ports and IP addresses. It is written to resist denial of service and buffer overflow attacks. Building on this flexibility, KFSensor can respond to connections in a variety of ways, from simple port listening and basic services (such as echo) to complex simulations of standard system services. For the HTTP protocol KFSensor accurately simulates the way Microsoft's web server (IIS) responds to both valid and invalid requests. As well as being able to host a website, it also handles complexities such as range requests and client side cache negotiation. This makes it extremely difficult for an attacker to fingerprint KFSensor, that is, to identify it as a honeypot. [1]

KFSensor simulates system services at the application layer, the top of the OSI model, and so makes good use of the Windows security and network libraries already present. It appears as just another server on any network it is installed on. KFSensor's effectiveness is evident from the immediate response it gives when an attack is detected: the type and quantity of the attack are stated clearly enough that anyone can understand its nature. KFSensor does not rely only on signatures of older attacks, so it can detect newer attacks and alert while an attack is still in progress. The architecture of KFSensor can be extended by writing our own scripts to customize the actions taken by the honeypot, and various scenarios can be defined according to our needs.

"KFSensor appears to be the only virtual honeypot in this review with a clear sense of what it takes to appear to be a Windows host." "This functionality puts KFSensor in the top echelon of Windows honeypots." "If you want a feature-packed Windows honeypot that's easy to install and use, KFSensor is the clear choice for you." [2]

Preparing for and Detecting Attacks: Honey Pots, Spyware, Backing Up and Restoring
Sai Kiran S. Kovvuri, Venkat Kalvala and Shanmugarajan Rathinakumar

IV. ANTI-SPYWARE

Spyware covers a broad category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
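Returning to the honeypot design of Section III: the core of it (listen on decoy ports, treat every connection as suspect, answer with an emulated service so the attacker keeps talking, and log an event with a severity) fits in a short program. The following is an added example written for this page, not KFSensor's code. The IIS-style response headers, the NetBus banner text and the severity rules are assumptions for illustration, and port 8080 stands in for 80 in the demonstration because binding port 80 needs privileges.

```python
"""A minimal decoy server in the spirit of KFSensor (added example, not KFSensor code).

Every connection to a decoy port is logged as an event; the payload only decides
how severe the event is. The emulated responses are illustrative assumptions.
"""
import socketserver
import threading
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Event:
    time: str
    peer: str
    service: str
    severity: str        # low / medium / high
    description: str
    data: bytes


EVENTS = []              # in-memory event log; KFSensor writes these to its console/log


def classify(service, data):
    """Severity of a connection. Rules are assumptions, not KFSensor's signature set."""
    first = data.split(b"\r\n", 1)[0]
    if service == "netbus":
        return "high", "connection to emulated NetBus trojan port"
    if service == "http":
        if not data:
            return "low", "connect with no request (port scan or probe)"
        if b"../" in data or b"%2e%2e" in data.lower():
            return "high", "directory traversal in HTTP request"
        if len(first) > 1024:
            return "high", "oversized request line (possible overflow attempt)"
        return "medium", "HTTP request to decoy server: " + first.decode("latin-1", "replace")
    return "medium", "connection to decoy port"


def emulate_http(request):
    """Answer the way an IIS 5.0 host might (assumed header set) so a scanner
    sees a plausible web server rather than a bare socket."""
    line = request.split(b"\r\n", 1)[0].split(b" ")
    method = line[0] if line else b""
    if method not in (b"GET", b"HEAD"):
        status, body = b"405 Method Not Allowed", b"<h1>Method not allowed</h1>"
    elif line[1:2] == [b"/"]:
        status, body = b"200 OK", b"<html><body>Under Construction</body></html>"
    else:
        status, body = b"404 Object Not Found", b"<h1>The page cannot be found</h1>"
    headers = (b"HTTP/1.1 " + status + b"\r\n"
               b"Server: Microsoft-IIS/5.0\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + (b"" if method == b"HEAD" else body)


def emulate_netbus(request):
    """NetBus 1.x servers greeted clients with a version banner; text assumed here."""
    return b"NetBus 1.70 (emulated)\r"


EMULATORS = {"http": emulate_http, "netbus": emulate_netbus}


class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        service = self.server.service
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(4096)
        except OSError:              # timeout or reset: still worth logging
            data = b""
        severity, description = classify(service, data)
        EVENTS.append(Event(datetime.now(timezone.utc).isoformat(),
                            self.client_address[0], service, severity, description, data))
        print(f"[{severity}] {self.client_address[0]} -> {service}: {description}")
        try:
            self.request.sendall(EMULATORS[service](data))
        except OSError:
            pass


class Decoy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, port, service):
        self.service = service       # which emulation this listener presents
        super().__init__(("127.0.0.1", port), Handler)


def serve(port, service):
    """Start a decoy listener in a background thread and return the server."""
    srv = Decoy(port, service)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    servers = [serve(8080, "http"), serve(12345, "netbus")]
    print("decoys listening on 127.0.0.1:8080 (http) and :12345 (netbus); Ctrl-C stops")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        for s in servers:
            s.shutdown()
        print(len(EVENTS), "events logged")
```

Point a browser or a port scanner at the two ports and each connection shows up as an event. The classification is deliberately crude: the value of a honeypot comes from the fact that nobody legitimate should be talking to it at all, so even the "low" events are worth reviewing, which is the property the text credits for KFSensor's low false-alert rate.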
First let us look at what malware is; that helps in clearly differentiating between the different types of malware and spyware. The best way to differentiate between malware and spyware is to define them.

Malware (a portmanteau of "malicious software") is software designed to take over and/or damage a computer user's operating system without his or her knowledge or approval. Once installed, it is often very difficult to remove, and depending on the severity of the program installed, its handiwork can range from the slightly annoying (such as unwanted pop-up ads while a user is performing regular computing tasks on or offline) to irreparable damage requiring the reformatting of one's hard drive, since much malware is poorly written. Examples of malware include viruses and Trojan horses.

In computer security, a virus is a self-replicating program that spreads by inserting copies of itself into other executable code or documents. A computer virus behaves in a way similar to a biological virus, which spreads by inserting itself into living cells. Extending the analogy, the insertion of the virus into a program is termed infection, and the infected file (or executable code that is not part of a file) is called a host. Viruses are one of several types of malware. In common parlance the term virus is often extended to refer to computer worms and other sorts of malware. This can confuse computer users, since viruses in the narrow sense of the word are less common than they used to be compared to other forms of malware such as worms. The confusion can have serious consequences, because it may lead to a focus on preventing one genre of malware over another, potentially leaving computers vulnerable to future damage. As a rule, computer viruses damage software rather than hardware directly.
While viruses can be intentionally destructive (for example, by destroying data), many other viruses are fairly benign or merely annoying. Some viruses have a delayed payload, sometimes called a bomb. For example, a virus might display a message on a specific day or wait until it has infected a certain number of hosts. A time bomb triggers on a particular date or time, and a logic bomb triggers when the user of a computer takes a particular action. However, the predominant negative effect of viruses is their uncontrolled self-reproduction, which wastes or overwhelms computer resources.

Computer worms are similar to viruses but are stand-alone software and thus do not require host files (or other types of host code) to spread. They do modify their host operating system, however, at least to the extent that they are started as part of the boot process. To spread, worms either exploit some vulnerability of the target system or use some kind of social engineering to trick users into executing them.

Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware by design exploits infected computers for commercial gain. Typical tactics include delivery of unsolicited pop-up advertisements; theft of personal information (including financial information such as credit card numbers); monitoring of Web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.

Having become familiar with terms such as spyware, Trojans and worms, we now turn to how we deal with spyware that gets installed on our system without our consent. We use Microsoft AntiSpyware to remove it; if not taken care of, spyware will seriously affect the system's performance.
We concentrate on explaining how effectively Microsoft AntiSpyware removes spyware and other forms of malware, restoring the system to the clean state it was in before. For this we download HijackThis onto the system; apart from performing many other functions, it scans the system and creates a log file that lists all the running processes together with the browser settings and autostart entries it found. We use this log file to show how effectively Microsoft AntiSpyware removes the spyware.

There are three steps. First we do a system scan and save the log file using HijackThis's "Do a system scan and save a logfile" option. Second, we open several web pages that we think may download spyware, then do a system scan again and save the log file. Comparing the first and second saved log files, we notice that there are more processes running in the second log than in the first; this indicates that spyware has been downloaded onto the system and is running more processes than usual. Third, we run the Anti-Spyware. After the initial scan is done we get a list of all the threats, their names and the severity of each threat, and we remove all of them. Then we do a system scan again and compare the third log file with the first: the Anti-Spyware has restored the system to its original clean state. (A larger process count is only a hint. The lines that matter are the added process paths and the new R, O2 and O4 entries, since a new process can be legitimate, and spyware can also replace an existing entry such as the home page without adding a process at all.)

V. BACKING UP AND RECOVERY IN WINDOWS

Backing up data is one of the most important security measures that you can implement. Disasters may happen even with an expertly configured firewall, up-to-date virus signatures and intrusion detection systems running. If the data is destroyed or corrupted, the only hope you have of retrieving it is from a properly configured backup. A backup job is an instruction to the computer that identifies the date, time and files designated to be backed up. Files are backed up to the backup media, which can be a network share, a tape device or some other drive of appropriate size.
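Back to the log comparison in the anti-spyware procedure above: the script below is an added example (not from the paper and not part of HijackThis) that parses logs in the HijackThis v1.99 layout and reports what changed between two scans, both in the process list and in the R/O entries. The three logs are constructed for the example; "SearchBar", its CLSID and its file paths are invented placeholders, not a real spyware family.

```python
"""Diff HijackThis-style logs to see what a browsing session added and whether
the cleanup removed it again.

Added example for this page; not part of HijackThis or the paper. The logs are
constructed in the HijackThis v1.99 layout; "SearchBar", its CLSID and its
paths are invented placeholders.
"""
import re

BASELINE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:15:32 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Constructed second scan: a new process, a hijacked start page, a BHO and an autostart.
AFTER_BROWSING_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:41:07 AM, on 11/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SearchBar\sbar.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.net/
O2 - BHO: SearchBar Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\SearchBar\sbhelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [sbar] C:\Program Files\SearchBar\sbar.exe
"""

# Constructed third scan, after removal: identical to the baseline except the timestamp.
AFTER_CLEANUP_LOG = BASELINE_LOG.replace("10:15:32 AM", "11:05:40 AM")

# R0/R1 browser settings, F* ini entries, N* Netscape/Mozilla, O2 BHOs, O4 autostarts, ...
ENTRY_RE = re.compile(r"[RFNO]\d+ - ")


def parse_hjt(text):
    """Return (set of running process paths, set of R/F/N/O entry lines)."""
    processes, entries = set(), set()
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                        # blank line ends the process list
                in_procs = False
            else:
                processes.add(line.lower())     # Windows paths are case-insensitive
            continue
        if ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_logs(before, after):
    """What appeared and what disappeared between two scans."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "new_processes": sorted(p1 - p0),
        "removed_processes": sorted(p0 - p1),
        "new_entries": sorted(e1 - e0),
        "removed_entries": sorted(e0 - e1),
    }


def report(title, diff):
    print("==", title)
    for key, lines in diff.items():
        for line in lines:
            print(f"  {key:18} {line}")
    if not any(diff.values()):
        print("  no differences")


if __name__ == "__main__":
    report("after browsing vs baseline", diff_logs(BASELINE_LOG, AFTER_BROWSING_LOG))
    report("after cleanup vs baseline", diff_logs(BASELINE_LOG, AFTER_CLEANUP_LOG))
```

The second comparison is the real test of the cleanup: an empty diff against the first scan means every process, autostart entry and browser setting is back to its baseline value, which is a stronger statement than "the process count went down again". A changed R0 line shows up as one removed and one new entry, which is how the hijacked start page is caught even though it adds no process.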
Since data on a computer changes quite often, depending on the purpose and use of the computer system, the backup files may become out of date. For this reason, a backup should be performed on a regular basis. There are several types of backups that can be performed: normal, differential and incremental. Each type has advantages and disadvantages for backing up and restoring (restoring is the process of retrieving data from a backup). Windows keeps track of which files have changed with the archive attribute: a normal or incremental backup clears it, while a differential backup leaves it set.

A normal backup, also known as a full backup, copies all the designated files. This type of backup takes the longest to complete but is the quickest to restore: since there is usually only one medium that contains the full backup, only one is needed to restore.

A differential backup copies all of the files that have changed since the last full backup. This takes less time to back up, since not all of the files are being copied, but takes longer to restore, since there are two media to restore: the full backup medium and the latest differential medium. It is important to note that with each day that passes between full backups, the differential backup takes longer and longer, since the changes in data accumulate.

An incremental backup backs up the data changed since the last backup, whether full or incremental. This means that if you did an incremental backup each day, you would only back up the files changed that day. As a result, the backup times are usually short. However, restoring can take much longer: the full backup and every incremental backup taken since it must be restored, in order, so the more incremental backups there are since the last full backup, the longer and more tedious the restore.

Backing up files is an important skill, but restoring files is equally important. The time to test the restore process is not during a disaster recovery incident.
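The following model, an added example and not Windows or NTBackup code, shows how the three backup types and their restore chains behave on a small set of constructed files. It tracks the archive bit the way NTBackup does (normal and incremental clear it, differential leaves it set), and its replace flag mirrors the Backup Utility's restore option "Do not replace the file on my computer" versus "Always replace the file on my computer": with replace off, a file that already exists on disk is skipped. The file names, contents and day-by-day schedule are made up for the example.

```python
"""Normal, differential and incremental backups modelled with the archive bit.

Added example for this page, not Windows or NTBackup code. File names, contents
and the schedule are constructed. replace=False models the restore option
"Do not replace the file on my computer": existing files are skipped.
"""


class Volume:
    """A folder being backed up: path -> content, plus the set of archive bits."""

    def __init__(self):
        self.files = {}
        self.archive = set()      # paths changed since the last normal/incremental backup

    def write(self, path, content):
        self.files[path] = content
        self.archive.add(path)    # Windows sets the archive attribute on every write

    def wipe(self):
        """The simulated crash: everything in the folder is lost."""
        self.files.clear()
        self.archive.clear()


def backup(vol, kind):
    """Take one backup set. Normal copies everything; differential and incremental
    copy files whose archive bit is set; only normal and incremental clear the bit."""
    if kind == "normal":
        selected = set(vol.files)
    elif kind in ("differential", "incremental"):
        selected = {p for p in vol.archive if p in vol.files}
    else:
        raise ValueError(kind)
    if kind != "differential":
        vol.archive -= selected
    return {"kind": kind, "files": {p: vol.files[p] for p in selected}}


def restore(vol, backup_set, replace=True):
    """Write a backup set back. With replace=False, files already present are skipped."""
    for path, content in backup_set["files"].items():
        if replace or path not in vol.files:
            vol.files[path] = content


def restore_chain(sets):
    """Sets needed, in order, to reach the latest point in time: the last full backup,
    then either the latest differential or every incremental taken since it."""
    last_full = max(i for i, s in enumerate(sets) if s["kind"] == "normal")
    chain = [sets[last_full]]
    tail = sets[last_full + 1:]
    if tail and tail[-1]["kind"] == "differential":
        chain.append(tail[-1])
    else:
        chain.extend(s for s in tail if s["kind"] == "incremental")
    return chain


def run(kind, replace=True):
    """Full backup on day 0, two backups of the given kind on days 1 and 2, a crash,
    then a restore along the chain. Returns set sizes, chain length and whether the
    restored folder matches the folder as it was just before the crash."""
    vol = Volume()
    for p in ("a.txt", "b.txt", "c.txt"):
        vol.write(p, p + " v0")
    sets = [backup(vol, "normal")]                       # day 0: full backup
    vol.write("a.txt", "a.txt v1")
    sets.append(backup(vol, kind))                       # day 1: one file changed
    vol.write("b.txt", "b.txt v1")
    vol.write("d.txt", "d.txt v0")
    sets.append(backup(vol, kind))                       # day 2: one changed, one new
    expected = dict(vol.files)
    vol.wipe()                                           # the crash
    chain = restore_chain(sets)
    for s in chain:
        restore(vol, s, replace)
    return {"set_sizes": [len(s["files"]) for s in sets],
            "chain_len": len(chain),
            "restored_ok": vol.files == expected,
            "restored": dict(vol.files)}


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, run(kind))
    print("differential, do-not-replace", run("differential", replace=False))
```

Running it shows the trade-off in numbers: the differential sets grow (1 file, then 3) but the restore needs only two sets, while the incremental sets stay small (1, then 2) and the restore needs all three, in order. The third run is the pitfall from the restore procedure later in this section: restoring the differential set with "do not replace" leaves a.txt and b.txt at the versions from the full backup, so the folder is not back to its pre-crash state even though the restore reported no errors.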
Horror stories abound of administrators who backed up regularly but found out after disaster struck that some key data was not being saved or that the restore process was improperly configured. It is also important to remember to write-protect the media when restoring data; you would not want to inadvertently erase data when you are in a data recovery situation. As backups are insurance against data loss, they should also be stored in a remote location to protect them from fire and other local environmental problems near the computer.

Now that we know the importance of backups in case of disasters (system crashes and so on), we move on to backing up and restoring on the Windows XP platform. We begin by creating a shared network drive for storing all the backup files: select Tools in the folder window and then Map Network Drive; a window pops up with the options for choosing the drive letter and the shared folder. Click Finish, which creates the network drive. Then create a folder containing the files that are to be backed up.

Next go to Start, select Run and type ntbackup. This opens the Windows Backup Utility window, where you select the Backup tab. Expand the folder and check all the files that are to be backed up, and give the name of the backup file. Now press the Start Backup button, which opens a window with an Advanced button. Select Advanced, set the type of backup to Normal and press OK. This creates a full backup file stored on the network share. For the differential backup we modify some of the files and then perform the backup with the same steps, but in the advanced options of the Start Backup window we select Differential as the backup type; this creates a differential backup file on the network share.
Now we replicate the system crash by deleting all the files from the folder that was backed up. Restoring the files from the backup files is quite interesting and different from backing up. First we restore the full backup, then the differential. For this go to the Restore and Manage Media tab in the Backup Utility window and select the full backup from the list of files on the left. Before clicking the Start Restore button, make sure that the files are to be restored to the original location. On the Confirm Restore screen, click OK. On the Confirm Name/Location dialog box, click OK. On the Check Backup File Location screen, ensure that the correct path of the file is selected. After the restore completes, open the folder and we can see that the files as of the first backup are restored.

A differential restore is slightly different from a full restore. On the Restore and Manage Media tab select the differential backup on the left and check the check box on the right. Click Tools, then Options, and select the Restore tab. Notice that the default selection is "Do not replace the file on my computer". This must be changed to "Always replace the file on my computer", which lets the Backup Utility overwrite the files just restored from the full backup with the newer versions from the differential backup and brings the folder to the point when the crash occurred. Now on the Confirm Restore screen, click OK. After the restore process is complete we can see that the files are restored to the state before the crash.

PROBLEMS ENCOUNTERED

As we were working in a firewalled network there were not many problems that could stop us from performing our experiments. But as this experiment was done on Windows XP SP2, the built-in firewall caused minor problems. Also, Microsoft AntiSpyware unexpectedly removed the Trojan, as it has malicious content. So AntiSpyware had to be removed for the experiment and the firewall was turned off. Also, as a precaution, while using the ServerEdit component of the NetBus Trojan, do not set the server.exe to "invisible", as this makes it hard to find or remove the server component after the experiment. Nevertheless there are tools available today on the Internet that can gracefully remove the NetBus Trojan from an infected system.
FUTURE WORK

Future work can be done on this project, using this report, either by enhancing the work and/or adding more security related issues, for instance by discussing the anatomy of a particular piece of malicious software and how to secure a system infected by it.

ACKNOWLEDGMENTS

We would like to thank Dr. Leszek Lilien for the lab manual and for guiding us in completing this project successfully. We also thank the SCST team of WMU for providing us with the required environment, safely firewalled from the other network.

REFERENCES

[1] V. J. Nestler, W. A. Conklin, G. B. White and M. P. Hirsch, Computer Security Lab Manual.
[2] Video Demo. Available: http://www.cs.wmich.edu/~llilien/teaching/Fall2005/cs5950-6030/index.html
[3] KFSensor Honeypot. Available: http://www.keyfocus.net/kfsensor/
[4] Microsoft AntiSpyware. Available: http://ww.microsoft.com/downloads
[5] More information on related terms: http://www.howstuffworks.com and http://en.wikipedia.org/wiki