MIS 4850 Systems Security
In-Class Exercise 1
E1 Tuesday 1/19/2010
Student Name: ___________________________________
Visit the www.sophos.com web site in order to gather information about a malware called W32/Zafi-B (or just Zafi-B) and answer the following two questions.
1) Using bullets, list five specific malicious things that Zafi-B could do to potentially damage or disturb a computer system.
2) What other names (or alias) does Zafi-B use?
3) What kind of malware is Zafi-B?
a) A Trojan horse
b) A spyware
c) A worm
d) None of the above
4) Use the following questionnaire (see below) to assess the potential risk posed by W32/Zafi-B.
The expected risk should be the average of your responses using the Likert scale provided in
the questionnaire. The average score must be converted into a severity index (i.e. a number
between 1 and 100) that represents the extent of the loss/damage caused by the malware to
the security of a computer system. Your assignment should include the completed
Based on the type of malicious actions that Zafi-B could take to potentially damage or disturb a computer system, give your assessment of the potential loss or damage that could be caused by that malware. Circle the number that represents your assessment with 1 being low loss/damage and 10 being high loss/damage.
1. Degree to which Zafi-B could modify critical corporate information:                     1 2 3 4 5 6 7 8 9 10
2. Degree to which Zafi-B could delete critical corporate information:                     1 2 3 4 5 6 7 8 9 10
3. Degree to which Zafi-B could allow intruders to access confidential info.:              1 2 3 4 5 6 7 8 9 10
4. Degree to which Zafi-B could allow misdirection of critical corporate info.:            1 2 3 4 5 6 7 8 9 10
5. Degree to which Zafi-B could allow the alteration of messages being transmitted:        1 2 3 4 5 6 7 8 9 10
6. Degree to which Zafi-B could lead to loss of customers’ private information:            1 2 3 4 5 6 7 8 9 10
7. Degree to which Zafi-B could lead to violation of employees’ private information:       1 2 3 4 5 6 7 8 9 10
8. Degree to which Zafi-B could slow down network services:                                1 2 3 4 5 6 7 8 9 10
9. Degree to which Zafi-B could shut down network services:                                1 2 3 4 5 6 7 8 9 10
10. Degree to which Zafi-B could lead to loss of customers’ faith and trust:               1 2 3 4 5 6 7 8 9 10
Use the Windows Calculator (Start/Accessories/Calculator) to compute the average score (a
number between 1 and 10), and then convert that score into a severity index.
Average score: _______
Severity index: _______
5) Table 1 shows a severity analysis framework based on a survey conducted in 2006 to collect data for assessing the potential damage caused by any of the top-10 malware of the year 2006.
Table 1: Severity Analysis Framework
Malware Severity Index    Average System Downtime    Average Cost for Restoring Infected System
Between 1 and 20          3 hours                    $1800.00
Between 21 and 40         7 hours                    $2300.00
Between 41 and 60         10 hours                   $3000.00
Between 61 and 80         15 hours                   $3500.00
Between 81 and 100        20 hours                   $5000.00
The following box defines the concept of system availability and explains how to compute the
availability of a system or a network device.
Availability: probability that a particular system or its components will be available during a fixed time period. Availability is a function of:
– Mean time between failures, or MTBF (given by the manufacturer or generated from past performance)
– Mean time to repair, or MTTR (found in studies or in our archives)
The MTBF is the average time a device or system will operate before it fails.
The MTTR is the average time necessary to repair a failure.
Standard equation for calculating Availability:
A(t) = a/(a+b) + (b/(a+b)) × e^(-(a+b)·t)
in which: a = 1/MTTR
b = 1/MTBF
e = the base of the natural logarithm (so e^(-(a+b)·t) is the exponential term)
t = the time interval
Approximation equation for calculating Availability:
Availability% = (Total available time – Downtime)/Total available time
Example: A component has been operating continuously for three months. During
that time, it has failed twice, resulting in downtime of 4.5 hours. Calculate the
availability of the component during that three-month period using the
Total available time = 3 months = 3 x 30 x 24 = 2160 hours
Downtime = 4.5 hours
Availability% = (2160 – 4.5) / 2160 = 99%
Assume that the average system downtime mentioned in Table 1 above is the typical duration of a network’s downtime (or unavailability) during a 7-day week. Use the Approximation equation to calculate the availability of a network that has been affected by Zafi-B during a typical 7-day week.
Availability% = ________________________________________________________.
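The box above gives both availability equations and Table 1 gives the downtime per severity band, but question 5 asks you to chain them together: questionnaire average, severity index, Table 1 row, then the approximation equation over a 168-hour week. The following Python script, added here as an example and not part of the exercise, does that chain end to end; the questionnaire responses in it are constructed, and the "average × 10" conversion to a severity index is an assumption, since the page only says the index lies between 1 and 100. It also implements the standard (time-dependent) equation so the two formulas can be compared.

```python
import math

# Hours in the 7-day week that question 5 asks about.
HOURS_PER_WEEK = 7 * 24  # 168


def availability_exact(mtbf_hours: float, mttr_hours: float, t_hours: float) -> float:
    """Standard equation from the box: A(t) = a/(a+b) + b/(a+b) * e^(-(a+b)t),
    with a = 1/MTTR and b = 1/MTBF. Starts at 1.0 (t = 0) and settles towards
    the steady-state value MTBF / (MTBF + MTTR) as t grows."""
    a = 1.0 / mttr_hours
    b = 1.0 / mtbf_hours
    return a / (a + b) + b / (a + b) * math.exp(-(a + b) * t_hours)


def availability_approx(total_hours: float, downtime_hours: float) -> float:
    """Approximation equation: (Total available time - Downtime) / Total available time.
    The box's example, 3 months = 2160 h with 4.5 h of downtime, gives 2155.5/2160."""
    if total_hours <= 0 or downtime_hours < 0 or downtime_hours > total_hours:
        raise ValueError("downtime must lie between 0 and the observation period")
    return (total_hours - downtime_hours) / total_hours


# Table 1 from the page: (index low, index high, average downtime hours, restore cost in USD).
SEVERITY_TABLE = [
    (1, 20, 3, 1800.00),
    (21, 40, 7, 2300.00),
    (41, 60, 10, 3000.00),
    (61, 80, 15, 3500.00),
    (81, 100, 20, 5000.00),
]


def severity_index(likert_scores) -> int:
    """Average the ten 1..10 questionnaire responses and scale the result to 1..100.
    Assumption: the page does not state the conversion rule, so a linear
    'average x 10' is used here."""
    scores = list(likert_scores)
    if len(scores) != 10 or any(not 1 <= s <= 10 for s in scores):
        raise ValueError("expected ten scores, each between 1 and 10")
    return round(sum(scores) / len(scores) * 10)


def severity_band(index: int):
    """Look up the Table 1 row for a severity index; returns (downtime hours, restore cost)."""
    for low, high, downtime, cost in SEVERITY_TABLE:
        if low <= index <= high:
            return downtime, cost
    raise ValueError("severity index must be between 1 and 100")


def weekly_availability(index: int) -> float:
    """Question 5: treat the Table 1 downtime as the downtime of one 7-day week
    and apply the approximation equation."""
    downtime, _cost = severity_band(index)
    return availability_approx(HOURS_PER_WEEK, downtime)


if __name__ == "__main__":
    # Constructed questionnaire responses, not an assessment of Zafi-B itself.
    sample_scores = [6, 7, 4, 5, 5, 6, 6, 8, 7, 6]
    idx = severity_index(sample_scores)
    hours, cost = severity_band(idx)
    print(f"severity index {idx}: about {hours} h downtime, ${cost:,.2f} to restore")
    print(f"weekly availability: {weekly_availability(idx):.2%}")
    print(f"box example (2160 h, 4.5 h down): {availability_approx(2160, 4.5):.2%}")
    print(f"exact model, MTBF=1000 h, MTTR=10 h, t=100 h: "
          f"{availability_exact(1000, 10, 100):.4f}")
```

With the constructed responses the average is 6.0, the index is 60, which falls in the 41 to 60 band (10 hours, $3000.00), and the weekly availability is 158/168, roughly 94.0%. Note that the approximation equation needs only observed downtime, whereas the standard equation needs MTBF and MTTR estimates; the two agree only once t is long enough for the exponential term to vanish.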
6) You have received an email on your Hotmail email account. In the email, the sender claims to be in China. How could you check the TCP/IP headers of the email message to determine whether or not the claim is true? Visit http://aruljohn.com/info/howtofindipaddress and explain, in detail, the steps you would go through to check the TCP/IP headers and determine the source IP address of the computer used to send the message you received. Write your answer in the following text box. Be concise.
7) Open your EIU email account and select the messages you have received from the class
instructor with Security 1 in the Subject field. Then, do the following:
a. Display the TCP/IP headers of the selected message. Select the message headers, then copy and paste the selected headers into the following text box. You may need to adjust the size of the text box so that all of the pasted headers are visible. Make sure the formatting of the headers (line breaks, etc.) looks like the headers in the EIU email window you copied them from.
Paste the TCP/IP headers in the box below
b. Provide the following information based on your reading of the TCP/IP headers.
IP address of the computer used to send the message: __________________
IP address of your email server (i.e. the server that received the
Domain name of your email server (i.e. the server that received the message):
c. Determine the location of the computer used to send the message by providing the
name of the city, state, and country. You can use any web-based IP locator to
answer this question. City: _____________________________________
8) Examine the printout provided in the Appendix of this assignment and determine the sender’s IP address, as well as the host/domain name of the sender’s email server and its corresponding IP address.
Sender’s IP address___________________________
Server’s host name: ______________________________________
Server’s IP Address: __________________________
9) The sender of the email shown in the Appendix claims to be in North Korea when he sent the message. Use the Internet and your investigative knowledge to determine the city and the country where the computer used to send the message is located.
Appendix: email header printout
Received: from barracuda.eiu.edu (barracuda1.eiu.edu [188.8.131.52]) by cupertino.eiu.edu (Postfix) with ESMTP id C20BF1773E23
    for <email@example.com>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
X-ASG-Debug-ID: 1198030560-3f7900540000-XywefX
X-Barracuda-URL: http://184.108.40.206:8000/cgi-bin/mark.cgi
Received: from ismtp1.eiu.edu (localhost [127.0.0.1])
    by barracuda.eiu.edu (Spam Firewall) with ESMTP id 35570E44C0F
    for <firstname.lastname@example.org>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
Received: from ismtp1.eiu.edu (ismtp1.eiu.edu [220.127.116.11]) by
    barracuda.eiu.edu with ESMTP id rc74OtLhd0eTaawT for <email@example.com>; Tue,
    18 Dec 2007 20:16:00 -0600 (CST)
X-IronPort-Anti-Spam-Result: AgAAAHINaEdEjslTn2dsb2JhbACCb40QAQEBAQcEBgkgmRk
Received: from web82702.mail.mud.yahoo.com ([18.104.22.168])
    by ismtp1.eiu.edu with SMTP; 18 Dec 2007 20:15:59 -0600
Received: (qmail 20044 invoked by uid 60001); 19 Dec 2007 02:15:59 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
Received: from [22.214.171.124] by web82702.mail.mud.yahoo.com via HTTP;
    Tue, 18 Dec 2007 18:15:59 PST
Date: Tue, 18 Dec 2007 18:15:59 -0800 (PST)
From: Mohan Rao <firstname.lastname@example.org>
X-ASG-Orig-Subj: Re: Thank you for the phone interview -- MIS position
Subject: Re: Thank you for the phone interview -- MIS position
To: Abdou Illia <email@example.com>
In-Reply-To: <15490567.635261198001935544.JavaMail.firstname.lastname@example.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1431303504-
X-Barracuda-Virus-Scanned: by Barracuda Spam Firewall at eiu.edu
X-Barracuda-Spam-Score: 0.45
X-Barracuda-Spam-Status: No, SCORE=0.45 using per-user scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=HTML_FONT_FACE_BAD, HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.1, rules version 3.1.37025
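Questions 6 to 9 ask you to read the Received: chain by hand: each mail server that handles the message adds its own Received: line at the top, so the bottom-most line is the first hop (the sender's computer talking to its own mail server) and the top-most line is the last hop (your mail server). The following Python script, added here as an example and not part of the exercise or the Appendix printout, automates that reading. Its input is a constructed header set that mirrors the Appendix's hop structure (webmail host, campus relay, spam firewall, final server) but uses RFC 5737 documentation addresses, example.edu/example.net host names and made-up queue ids.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample, not the Appendix printout: same hop structure, documentation-only
# IP addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and made-up ids.
SAMPLE_HEADERS = """\
Received: from barracuda.example.edu (barracuda1.example.edu [192.0.2.10])
    by cupertino.example.edu (Postfix) with ESMTP id 0000AAAA0001
    for <recipient@example.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
Received: from ismtp1.example.edu (localhost [127.0.0.1])
    by barracuda.example.edu (Spam Firewall) with ESMTP id 0000BBBB0002
    for <recipient@example.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
Received: from ismtp1.example.edu (ismtp1.example.edu [192.0.2.20])
    by barracuda.example.edu with ESMTP id 0000CCCC0003
    for <recipient@example.edu>; Tue, 18 Dec 2007 20:16:00 -0600 (CST)
Received: from webmail.example.net ([198.51.100.7])
    by ismtp1.example.edu with SMTP; 18 Dec 2007 20:15:59 -0600
Received: (qmail 20044 invoked by uid 60001); 19 Dec 2007 02:15:59 -0000
Received: from [203.0.113.45] by webmail.example.net via HTTP;
    Tue, 18 Dec 2007 18:15:59 PST
Date: Tue, 18 Dec 2007 18:15:59 -0800 (PST)
From: Sender Name <sender@example.net>
Subject: Re: constructed sample
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # IPv4 literal in square brackets
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
COMMENT_RE = re.compile(r"\([^()]*\)")                  # (parenthesised comments)

# Hops that can never be the Internet origin: loopback, RFC 1918 and link-local.
# (ipaddress.is_global is not used because it also rejects the documentation ranges
# that this sample relies on.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def unfold_headers(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto the previous header line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """One dict per Received: header, in header order (index 0 = last relay, the receiving server)."""
    hops = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep != ":" or name.strip().lower() != "received":
            continue
        value = value.strip()
        stripped = COMMENT_RE.sub("", value).strip()   # keep 'from'/'by' out of comments
        from_m, by_m, ip_m = FROM_RE.search(stripped), BY_RE.search(stripped), IP_RE.search(value)
        hops.append({"from": from_m.group(1) if from_m else None,
                     "by": by_m.group(1) if by_m else None,
                     "ip": ip_m.group(1) if ip_m else None,
                     "raw": value})
    return hops


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True   # malformed literal: never treat it as the origin
    return any(addr in net for net in INTERNAL_NETS)


def origin_hop(hops: List[Dict[str, Optional[str]]]) -> Optional[Dict[str, Optional[str]]]:
    """Walk from the earliest hop (bottom of the chain) upward and return the first hop
    whose 'from' address is routable; localhost and private handoffs are skipped."""
    for hop in reversed(hops):
        if hop["ip"] is not None and not is_internal(hop["ip"]):
            return hop
    return None


def summarize(raw: str) -> Dict[str, Optional[str]]:
    """The four facts questions 7b and 8 ask for, read from the Received: chain."""
    hops = parse_received(unfold_headers(raw))
    origin = origin_hop(hops)
    result: Dict[str, Optional[str]] = {
        "receiving_server": hops[0]["by"] if hops else None,
        "sender_ip": None, "sender_server": None, "sender_server_ip": None}
    if origin is None:
        return result
    result["sender_ip"] = origin["ip"]
    result["sender_server"] = origin["by"]
    # The sender's server appears as the 'from' host of the next relay up the chain,
    # which is where its own IP address was recorded by the receiving side.
    for hop in hops:
        if hop["from"] and origin["by"] and hop["from"].lower() == origin["by"].lower():
            result["sender_server_ip"] = hop["ip"]
            break
    return result


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports 203.0.113.45 as the sender's IP, webmail.example.net (198.51.100.7) as the sender's server and cupertino.example.edu as the receiving server, which is exactly the reading you are asked to make of the Appendix. One caveat a practitioner applies when answering question 9: only the Received: lines added by servers you control (here, the campus relay and everything above it) are trustworthy, since anything below them was handed over by the outside world and could have been written by the sender; so confirm that the hop you identify as the origin is the one your own relay says it accepted the message from before feeding its address to an IP locator.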