OS/400 Alert: Spoofing and Demonstrations
January 14, 2004 Shannon O'Donnell
In this issue of “OS/400 Alert,” I’ll alert you to the concept of spoofing and offer suggestions on how to protect yourself from it. In addition, I’ll tell you about some useful technology demonstrations made available by IBM for the iSeries Navigator tool. If you have been wanting to learn how to use iSeries Navigator for your operation but were not sure what it could offer you, you won’t want to miss out on these great demos. Finally, I’ll tell you about the viruses that are causing this week’s worries.
HAVE YOU BEEN SPOOFED?
Spoofing in our Internet-connected world has taken on many meanings. In the context of Internet browsing, spoofing means that the Web site you think you are visiting is in actuality a completely different Web site. Malicious Web masters use the technique of spoofing to lure you into their sites for a variety of reasons, not the least of which is to trick you into giving them personal information such as credit card numbers. E-mail spoofing means that the sender of an e-mail has modified the TCP/IP datagrams, or packets, that make up the header portion of the e-mail so that the sender’s actual e-mail address is swapped with a different one. There are other forms of spoofing as well:
- Man in the Middle: A TCP/IP packet sniffer captures the data between the sender and its destination and poses as one end or the other of the conversation.
- Routing Redirect: Packets are rerouted from the original host to a new host.
- Source Routing: In the course of normal Internet traffic (say, for instance, when sending an e-mail to someone), as the TCP/IP packets that make up the mail are sent across the Web, various routers examine the packet header information and decide how best to route it to its ultimate destination. In source routing spoofing, the sender makes all these decisions. In this manner, a hacker can send e-mail so that it becomes untraceable, because, for example, it started on a private computer, one not directly accessible to the Internet, and is therefore invisible to tracing programs.
- Blind Spoofing: This type of spoofing predicts responses from the host, allowing commands to be sent, but not allowing immediate feedback. In other words, blind spoofing allows a malicious host to route data to your computer, but you cannot get back to that host.
- Flooding: This form of spoofing, used extensively in denial-of-service attacks, modifies the packet headers of e-mails and forwards those e-mails to various e-mail servers, flooding them with so much incoming mail that they eventually overload and shut down. When combined with a virus program that automatically responds to these e-mails, you end up with a very dangerous and devastating program.
So what can you do to protect yourself from spoofing? With e-mail spoofing, the answer is “not much.” About the most you can do is not respond to e-mail from unknown senders and not open e-mail attachments from anyone without first talking to that person to verify that he sent the e-mail and is aware that it contains an attachment.
To protect yourself from Web site spoofing while browsing, there are a few things you can do to mitigate the danger. First, do not click links provided in e-mails. The link text shown in an e-mail can point to a URL that differs from the one displayed. Instead, type the URL directly into your browser’s Address bar. This will not give you 100 percent protection, as the Web site itself could be spoofed, but it will prevent your browser from being hijacked when you click an e-mail link that points to an unknown URL. Also, make sure that the browser’s status line and the Address bar are both visible when surfing. This will prevent someone from forwarding you from one Web page to another without your being aware of it. If the Address bar or the status bar is not shown, you can re-enable it through the Internet Options settings: in Internet Explorer, click the Tools menu, then click Internet Options. For other browsers, refer to that browser’s documentation to see how to enable and disable features such as the status bar. Finally, you can always right-click a Web page, click the Properties context menu item, and view that page’s actual URL. If it does not match what you expect it to be, chances are you’re being spoofed.
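The first tip above, that the link text shown in an e-mail can point somewhere else, is something you can check mechanically. The following Python script is an added example, not part of the original column: it parses a constructed sample HTML e-mail body and reports every link whose visible text names one host while its href actually goes to a different one. The sample message and host names are made up for illustration.

```python
"""Flag e-mail links whose visible text shows one host but whose href
points at another (the link-text mismatch the column warns about)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body; the hosts are placeholders.
SAMPLE_MAIL = """
<p>Your account needs attention.</p>
<a href="http://198.51.100.7/login">http://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">www.example-bank.com/help</a>
<a href="https://news.example.org/story">Read the story</a>
"""

def host_of(text):
    """Return the host named in a URL-looking string, lowercased, or None
    when the string is plain words (e.g. 'Read the story')."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text          # treat 'www.host/path' as a URL
    host = urlparse(text).hostname
    return host if host and "." in host else None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:       # only text inside an <a> counts
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def find_mismatched_links(html):
    """Return [(shown_host, real_host)] for links whose visible text names
    a host different from the host the href really leads to."""
    parser = LinkCollector()
    parser.feed(html)
    return [(shown, real)
            for href, text in parser.links
            for shown, real in [(host_of(text), host_of(href))]
            if shown is not None and real is not None and shown != real]

if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_MAIL):
        print(f"link shows {shown} but actually goes to {real}")
```

Links whose text is ordinary words (such as "Read the story") are not flagged, because there is nothing displayed for the href to disagree with; those still deserve the "type the URL yourself" habit.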
IBM DEMONSTRATIONS FOR ISERIES NAVIGATOR
Sometimes the best way to learn something is by having an example to follow or watching a technology in action. IBM Rochester’s iSeries Navigator team has put together a Web site full of demonstrations of iSeries Navigator functions and features that you can download and run on your PC. These executable files are either Lotus ScreenCam files (which automatically start playing once you download them to your PC) or Flash animation files (which require a Flash viewer).
What kind of demonstrations are available? Check out this partial list for iSeries Navigator:
- System monitors: real-time graphical performance monitors
- System monitors: graph history
- Fixes: managing
- Fixes: compare and update
- Users and groups: create
- Users and groups: edit
- Run commands
- Inventory tracking of hardware, software, fixes, users and groups, and system values
- Work management
- Disk management
- LPAR management
If iSeries Navigator for Wireless is your thing, check out these demonstrations:
- System monitors
- File monitors
- Run commands
- Work with jobs and messages
- Manage integrated servers
For more information, including the complete list of available demonstrations, go to IBM’s Web site.
THIS WEEK’S NASTY WINDOWS WORRIES
Trojan.Xombe–Not every Windows security update warning you get should be acted upon. Case in point, the Trojan.Xombe virus, which pretends to be a Windows security update but is, in fact, a piece of malicious code that comes in two parts: a downloader utility and the virus files it downloads, if you are unlucky enough to open it.
Backdoor.Sdbot.S is a virus that uses an Internet Chat Relay (IRC) to gain access to an infected computer. You can check for the existence of this virus by searching your computer for a file named ntspcv.exe.
W32.Opaserv.AE.Worm–If you have mapped network drives to your iSeries or Windows PC, you may be vulnerable to becoming infected by this virus, which is network-aware.
W32.Mimail.P@mm–Do not open e-mail with the subject line “GREAT NEW YEAR OFFER FROM PAYPAL!” It will be the W32.Mimail.P@mm virus and will wreak all kinds of havoc on your PC such as installing files, modifying the Windows Registry, and capturing data from your hard drive and sending it to the virus creator.
W32.HLLW.Gaboot.FL is another network-aware virus that spreads itself across mapped drives and network shares.
W32.Bitzen is a fairly innocuous virus but is annoying because it will modify the Internet Explorer home page and add unwanted URLs to your “Favorites” list.