Hacked PC : I Don't Care attitude!!!!

If you feel that you are safe even with a hacked PC at home or office... because you think you don't have any thing to loose from your PC...or you feel that u simply share unclassified info on your PC..so even if it is lost there is nothing to worry.....please see this brief presentation....

  Hacked PC : I don't care by Anupam Tiwari

Operation b70 : Microsoft Disrupts the Emerging Nitol Botnet Being Spread through an Unsecure Supply Chain

In continuation with the last post, here is more from Microsoft.Please go through this brave but honest confession from Microsoft.......ummmm!!!!I would not say confession but actually Microsoft's attempt to save millions of innocent users...must read for info at

http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

9TH JULY 2012 : R u a Victim?

1. All the fuss about 9th July that says about the risk of "DNSChanger" malware, which will result in your computer getting disconnected from the Web on July 9 if you don't clean it up. You won't be able to go online, and you'll need to contact your service service provider for help getting the malware deleted before you can reconnect to the Internet....strange it may sound...but it is true...even the FBI has given a warning sort at its link here at https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

2.  Just to check if u r a likely victim,McAfee has created a link at www.mcafee.com/dnscheck for you to find out if u r a likely victim or not ? I checked out the same on my PC....it showed the following screen shot.....

3.   Do check out urs....and rectify if need be....

FLAME : The new'EST Threat bigger then STUXNET

1.         Off late there has been the much talked FLAME Virus in the IT Sec community.Few clean shots about FLAME in a point wise crisp format :

 -          Flame was first detected back in 2010 by Kaspersky Labs completely by accident.

-           Flame is terribly complex for a piece of malware. 20 times bigger than Stuxnet.

-           Its about 20MB package and is still being analyzed.

-           The Stuxnet  attack that damaged Iranian nuclear facilities last year is barebones by 

comparison.

-           Kaspersky assumes it was built by government scientists, but no one knows which government.

-           Flame gathers a huge amount of data from infected systems, but it has been hard to sort out where it is all going.

-           Dozens of control servers have been located, but the domains associated with them are registered with fake identities.

-           Flame steals hard drive contents, screenshots, and keystrokes.

-           Can also use the system microphone and Bluetooth radio to suck in more data.

-           To save on bandwidth, Flame may delete itself from systems that have been fully exploited. This is part of what made the infection hard to detect.

-          

-           Has incredible abilities to monitor in-boxes, take screen grabs, even record audio of conversations happening near the computer.

-           The entire virus had been pieced together like a LEGO creation, one part building on another. Things could actually be added onto the spyware after it was already on an infected computer, giving the developer enormous freedom to tinker at will.

-           One specific example is with a Bluetooth module, which allowed the spyware to be spread to other devices.

-           The two most popular ways are to send you an e-mail with an attachment, and a Web-based or drive by download that gets you to a malware website.

-           Another favourite way to get you is through social media websites. Attackers are so savvy that they now troll your "friends" list and generate an e-mail that looks like it's coming from you, so what friend wouldn't click on it, right?

-           Microsoft has revealed that the virus gained a foothold by spoofing one of its own security certificates.

-           The computer virus is on the loose in Iran and other parts of the Middle East, infecting PCs and stealing sensitive data.

-           Flame is basically a backdoor and a Trojan with worm-like features.

-           Consider this: It took several months to analyze the 500K code of Stuxnet. It will probably take year to fully understand the 20MB of code of Flame.

2.Thanks http://news.cnet.com

The Brain Virus : Some thing I missed.....

This is about BRAIN virus...a name heard in the late 80S and early 90S and recognized as the first computer virus for MS-DOS that infects the boot sector of storage media formatted with the DOS File Allocation Table (FAT) file system....This was written by two brothers, Basit Farooq Alvi and Amjad Farooq Alvi who were from Lahore, Pakistan......so what makes a mention here is that I was recently watching a TED Video wherein the speaker Mikko Hypponen shares his interesting piece of interaction with these two brothers...do watch it...worth it for inviting a smile...

BACTERIA in COMPUTERS

1.  I had heard for so long about Virus'es,worms,trojans................but never heard and read about BACTERIA till recently.....even googled...could not find much except at http://docstore.mik.ua/orelly/networking/

2. Few points about BACTERIA :

- Makes copies of themselves to overwhelm a computer system's resources.

- Also known as rabbits, are programs that do not explicitly damage any files.

- Sole purpose is to replicate themselves.

- May do nothing more than execute two copies of itself simultaneously both of which may copy themselves twice, and so on.

- Reproduce exponentially, eventually taking up all the processor capacity, memory, or disk space, denying the user access to those resources.

- One of the oldest forms of programmed threats.

KOOBFACE guys CAUGHT : FACEBOOK

1. Koobface is not something new for the cybercrime followers.....some thing in brief for those reading about this first timehere :

- is a computer worm that targets users of the Facebook.

- koob is book spelled backwards, making the name koobface an anagram for the word Facebook.

- Koobface targets Facebook users via fake friend messages that encourages people to click on links that installs a malicious worm

- Messages like, "you look funny in this video" or "you look so stupid in this pic" are used to persuade somone to click on the link attached. Once the user clicks on them it takes you to a video which doesn't play and they ask you to download certain codecs which can be a fake 'flash_player.exe' file.

- If this file is downloaded, your computer becomes open to Koobface malware.

- It downloads a file 'tinyproxy.exe' which hijacks your PC.

- It even alters search results from Google, Yahoo etc and redirects to websites selling malicious softwares.

- Kaspersky Labs has estimated the network includes 400,000 to 800,000 PCs worldwide at its height in 2010.

- Victims are often unaware their machines have been compromised.

2. Facebook two days back unmasked the team behind the notorious Koobface virus that hit the social network for two years beginning in 2008.

ABOUT THE GANG

- Five men believed to be responsible for spreading this notorious computer worm on Facebook.

- Have pocketed several million dollars from online schemes.

- Are likely hiding in plain sight in St. Petersburg, Russia, according to investigators at Facebook.

- One member of the group has regularly broadcast the coordinates of its offices by checking in on Foursquare, a location-based social network, and posting the news to Twitter.

- Photographs on Foursquare also show other suspected members of the group working on Macs in a loftlike room that looks like offices used by tech start-ups in cities around the world.

- Ultimately, the Koobface gang was identified by the researchers as Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk, and Stanislav Avdeik.

3. Thanks http://www.pcmag.com

THE GOOD VIRUS : "CYBER WEAPON" BY FUJITSU,JAPAN

1.   Have u seen the epic movie SHOLAY.....where bad guys are hired to kill bad guys by the good people...its a must watch for those who have not seen this...on the same lines recently Japanese government has done some homework to counter cyber crime.....Outsourcing and working with Fujitsu to fight cyber crime with the help of developing a CYBER wEAPON VIRUS that automatically seeks out and destroys enemy viruses.Cyber Weapon almost acts like a human immune system tracking down and weeding out invading viruses. Systems like these are needed when facing the latest advanced threats.Few additional It is the culmination of a $2.3 million, three-year project to develop a virus and equipment to monitor and analyze attacks.  It is reported U.S and china have already put so-called cyber weapons into practical use.

2.   Tracing the source of cyber-attacks is notoriously difficult, mainly because attackers routinely hide behind botnets and anonymous proxies to launch attacks, such as denial of service assaults.Getting this right is a far from trivial process and the potential for collateral damage, even before hackers develop countermeasures, appears to be considerable. Few more points here about this good VIRUS :

- Currently, the virus is being tested in a “closed environment” to examine its applicable patterns. 

- The project is actually outsourced to Fujitsu Ltd. 

- It is capable to disable the incoming attack and record forensics data.

3.   It would actaully be interesting to know how would this be able to trace the source of cyber-attacks as claimed at times like today when the botnets and anonymous proxies are getting better and stronger by the day.

4.  Thanks http://www.airdemon.net/news2.html

DUQU's MICROSOFT LINK!!!

1.   While as on date the security and anti virus teams and experts across the globe are racing to find and unlock the details on DUQU,some useful information on the subject bug has been released by Microsoft,which says that hackers exploited a previously unknown bug in its Windows operating system to infect computers with the Duqu virus."We are working diligently to address this issue and will release a security update for customers," Microsoft said.But on the other hand the odds are that Microsoft won't patch the Windows kernel bug next week that the Duqu remote-access Trojan exploits to plant itself on targeted PCs.

2.   Meanwhile,Symantec researchers said they consider hackers sent the virus to targeted victims via emails with infected Microsoft Word documents attached. If a recipient opened the Word document and infected the PC, the attacker could take control of the machine and reach into an organization's network to propagate itself and hunt for data, Symantec researcher Kevin Haley told Reuters. 

3. Thanks http://itknowledgeexchange.techtarget.com and http://www.computerworld.com

SOME MORE ON DUQU

Some more good info and FAQs on DUQU.....AT
http://www.secureworks.com/research/threats/duqu/

DUQU : FROM THE GEN STUXNET????

1.  Do u remember the gr8 STUXNET...who hit the cyber theatres about a year back?....i call it gr8 since that was the first piece of trojan which the experts called with words like marvelous,the world's first 'open source weapon'.....the code which shocked the experts...though it was meant to target Siemens industrial software and equipment running Microsoft Windows....but the percentage affected was enough to do the early damage and show the trailor of what  can come ahead....now comes another in the offering which Researchers from Symantec say is likely written by the same authors and based on the same code.This is known as DUQU.....also coming to be known as “Son of Stuxnet” and a “precursor to a future Stuxnet-like attack.”

2. But another analyses by security researchers from Dell suggest Duqu and Stuxnet may not be closely related after all. That’s not to say Duqu isn’t serious, as attacks have been reported in Sudan and Iran. But Duqu may be an entirely new breed, with an ultimate objective that is still unknown.“Both Duqu and Stuxnet are highly complex programs with multiple components,” Dell says. “All of the similarities from a software point of view are in the ‘injection’ component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. 

3. The security vendor Bitdefender has also cast doubt on the supposed Duqu/Stuxnet link in its Malwarecity blog. “We believe that the team behind the Duqu incident are not related to the ones that released Stuxnet in 2010, for a number of reasons,” BitDefender’s Bogdan Botezatu writes. While a rootkit driver used in Duqu is similar to one identified in Stuxnet, that doesn’t mean it’s based on the Stuxnet source code.

4. Now till date,DUQU was reportedly seen infecting machines in and around IRAN......but now the Symantec version reported is that a server machine in aamchi Mumbai is effected by this new VIRUS!!!!!!!Indian authorities seized computer equipment from a data center in Mumbai as part of an investigation into the Duqu malicious software that some security experts warned could be the next big cyber threat. Two workers at a web-hosting company called Web Werks told Reuters that officials from India's Department of Information Technology last week took several hard drives and other components from a server that security firm Symantec Corp told them was communicating with computers infected with Duqu. 

5. So DUQU is here in INDIA.......and I m sure with the high percentage of pirated software users in India....we r the most vulnerable to such kinds of threat.....be updated...buy genuine....keep taking updates to avoid being EXPLOITED by EXPLOITS..................

6. Thanks http://arstechnica.com 

FLIRT BOTS

1.   I am sure most of you at at some point of time in your cyber surfing would have come across chat/messenging softwares like MSN or yahoo to mention a few....now although pretty old for the regular security guys, but thought of mentioning it here in my blog of how many of us succumb to the meanly desires of hackers via FLIRT BOTS.....u heard it correctly they are known as FLIRT BOTS.... 

2.  Here's how Flirt Bots work:

- The Bot strikes up a conversation in a chat room

- The Bots use a series of easily configurable "dialogue scenarios" with pre-programmed questions and discussion topics to compile a report on every person it meets

E.g.: ilovyou@yahoo.com says: "hey, whats up?" and further to this conversation they are invited to visit a website which could be used for any variety of malicious activity.

E.g.: ilovyou@yahoo.com says: "Ok go to http://??????.??/?????? and accept the invite on the page baby"

3.   In this case the victim is sent to a website "?????????.com" and is asked to provide personal information including credit card details in order to view the "webcam."

4.   The site can be used for many things - to host malicious downloads, or to try to sell you Fake AntiVirus software. The URL can do and host whatever the "bot master" specifies it to be .Frequently cyber-criminals collect a database of personal information and sell it to the highest bidder or anyone who will pay

5.   These "Flirt Bots", were first reported as a proof of concept(Evidence that demonstrates that a business model or idea is feasible.) by PC Tools in 2007.Thanks http://www.pctools.com

VIRUS in Boot Sector in Hard Disk fresh from OEM!!!!

Have recently heard of this in reputed makes and model of Top list hard disks OEMs.Would like to know if some has ever encountered this or has any form of info on this?

CaaS : CRIME WARE AS A SERVICE at offer now

1. Bhaigiri...Supari..khokha...and similar terms have been till date used in reference with the crime world...now come to terms like Software as a Service(SaaS), Hardware as a service(HaaS) ,Platform as a service(PaaS) etc and the list is all set to become endless with cloud computing...whats the relation here?????..it goes 2 merge these two separate worldsie CRIME & IT....the earlier terms mentioned pertain to the world of crime and the later once refer to the vast possibilities and power knocking the users....thus refers to Crimeware as a Service(CaaS)

2. The controverting side is the world of hackers & cyber criminals who seem to exploit their technical tools to great effect. However, even for newbie hackers eager to join this world don’t need to possess the required levels of technological expertise. CaaS (Crimeware-as-a-Service) pulled out of some distant Cloud can provision the necessary tools, be they Virus/Worm Creation Kits, Denial of Service (DoS) applications or more simply estabilishing a botnet.A recent research proved they can be just a mouse click away! Kits were easily located to build a variant of ‘Indra’ Malware, as well as a manifestation of Badboy , providing the user with the power to create their own version to send on to their targets.

3. Granted these are not examples of cutting-edge malware, but they do however still pose a threat to the unprepared and unsuspecting organisation. As amazing as it may seem, even today there are large organisations who permit access to sites, and allow the download of Malware Construction Kits – and even more worrying, there are still pockets of companies who do not maintain their anti-virus or patches in an up-to-dtate condition.

4. Crime is going to be a inherent part in the cyber world and the cause of worry is that unlike army and mil est in the real world...no concrete effort and source is there to resist these evil forces.We are still acting to a situtaion when need of the hour is to be more then PROACTIVE.....

5. Thanks http://www.infosecurity-magazine.com/

Root Kits : Hidden Undetected Threats

1. Malwares,trojans,adwares,spywares,virus,wormwares etc etc....protection vide Internet security editions by so many OEMs...and now rootkits(its not actually a recent development....)...has been in the threat making for about 10-12 years..but now the term is getting serious....so what actually are rootkits?

2. Rootkit is the term given to a group of utilities that hackers can misrepresent to keep access into a computer system once they have hacked into it. It gives them admission rights to find out usernames and passwords, allow strike against remote systems, remain hidden by erasing history from the system logs, and overabundance of various surreptitious tools.Rootkit is a combination of two words, “root” and “kit”. Root means supreme & Kit means a group of programs or utilities providing access to a user to retain a constant root-level contact to a terminal. The presence of rootkit ideally remains untraceable.

3. So more simply,they are a set of programs that can hide not only themselves but also other viruses, spyware, keyloggers and network traffic from normal antivirus and spyware removal software! Yes, a rootkit can infect your computer and take full control of it! You look inside a folder which contains rootkit files but you will see nothing. Why? Because the rootkit has told it to tell the user there are no files here. That is why, they are so dangerous and hard to detect......

4. BlackLight,RKDetector 2.0,RootkitBuster 1.6,RootkitRevealer 1.71 & Rootkit Unhooker 3.0A are few of the rootkit removal tools available...google for further details

5. Thanks http://www.rootkitonline.com/

SALAAMI ATTACK

1. Ever seen your account with minute details of each and every penny/cent/paise in your account...I m sure many of you wouldn't have....how does it matter if its Rs 22323.45 or Rs 22322.12.....a difference of some paise ...we generally account for it against rounding off....but now on be ware...u may just be a salaami target....better known as Saalami Attack

2. An example of this also known as penny shaving, is the mal practice of stealing money repeatedly in extremely small quantities, usually by taking advantage of rounding off to the nearest money unit viz cent or paisa in financial transactions. It would be done by always rounding down, and putting the fractions of a cent into another account. The idea is to make the change small enough that any single transaction will go undetected.

3. IT comes with a whole lot of things...u get some,u loose some.....be ware.For more info click here, here and here.

4. Thanks http://www.cyberpolicebangalore.nic.in and http://en.wikipedia.org

Securelist.com : Informative attempt by Kaspersky Labs

1. Kaspersky has come up with the launch of a veri informative site on IT security with lots of articles and updates on various types of viruses/malwares etc.You can access the same by clicking here.

2. One interesting section by the name of "Internal threats" is available which should prove popular in future and also "Kaspersky Security Bulletin".

SVCHOST.EXE vs SCVHOST.EXE

1. Two approximately similar names but with poles apart function and reason to exist.If ever you have tried cleaning or accessing an infected pen drive you must have come across these names in the file names list.I would just try and make the difference clear in brief below.

2. SCVHOST.EXE is a process which is registered as W32/Agobot-S virus. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

3. SVCHOST.EXE is located in the System32 folder and is an built-in part of Windows OS. It cannot be stopped or restarted manually. This process manages 32-bit DLLs and other services. At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load. Under normal conditions, multiple instances of Svchost.exe will be running simultaneously. Each Svchost.exe session can contain a grouping of services, so that many services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

4. I hope this amply makes the difference clear

How to avoid an infected USB/PEN Drive?

1. The most common way for a virus to infect a healthy PC is through USB/Flash drives. Common viruses such as 'Ravmon' , 'New Folder.exe', etc spread through USB/flash drives . Invariably, anti virus programs are unable to detect them and even if they do, in most cases they are unable to delete the file, only quarantine it. Following are a step by step easy to do instruction

(a) A window appears similar to the one shown below…

(b) Don't click on Ok , just choose 'Cancel'.

(c) Open the Command Prompt by typing 'cmd' in the run box.

(d) In the command prompt type the drive letter: and press enter . Now type dir /w/a and press enter.

(e) This will display a list of the files in the Flash drive or Hardisk. Check whether the following files are there or not

(i) Autorun.inf

(ii) Ravmon.exe

(iii) New Folder.exe

(iv) svchost.exe

(v) Heap41a

(vi) or any other .exe which may be suspicious.

(f) If any of the above files are there, then probably the USB drive is infected.

(g) In command prompt type attrib -r -a -s -h *.* and press enter. This will remove the Read Only, Archive, System and hidden file attribute from all the files.

(h) Now just delete the files using the command del filename. example del Ravmon.exe. Delete all the files that are suspicious. To be on a safer side, just scan the USB drive with a latest anti-virus program like McAfee or TrendMicro's PCCillin to check whether it is free of virus or not. Now remove the drive and plug it again. In most of the cases, the real culprit turns out to be the "Autorun.inf" file which mostly gets executed when someone clicks Ok in the dialog window which appears above. Thus the infections invariably spreads...but not if u take these precautions as mentioned above.

2. Thanks http://www.howtodothings.com