Sunday, December 20, 2009
Thursday, December 10, 2009
ESET NOD32 Tricks
NOD32 provides well balanced, state-of-the-art protection against threats endangering your PC and enterprise systems running various platforms from Microsoft Windows through a number of UNIX/Linux, Novell, MS DOS operating systems to Microsoft Exchange Server, Lotus Domino and other mail servers.
The thing I like most about NOD32 is its powerful heuristics-based scanning, which sometimes detects zero-day malware. It doesn't rely heavily on signature-based detection, which was the usual approach in the past.
Now a question arises: what are heuristic and signature-based detection?
1) Signature-Based Scan:
Traditionally, AV solutions have relied heavily on signature-based scanning, also referred to as scan-string-based technology. In signature-based scanning the antivirus program searches the given files for the presence of certain strings (sometimes only in certain regions of the file). If these predefined strings are found, the antivirus reports a threat.
According to McAfee Labs, approximately 250 viruses are released every day, so it is very difficult to catch all of them with signatures alone; heuristic-based detection, explained below, is used to detect unknown threats. Run-time packing is a technique malware writers use to defeat signature-based detection of known malware. To handle this, the AV must first unpack the file and then scan it.
2) Heuristic-Based Scan:
Heuristic (hyu-ˈris-tik) is an adjective for methods that help in problem solving. The first heuristic engines were introduced to detect DOS viruses in 1989.
A heuristic scan is used to detect new, unknown viruses on your system that have not yet been identified. Only some antivirus products can do this type of scan; the majority are only able to detect known viruses.
In this kind of scanning, the antivirus program searches a file for instructions or commands that are not found in typical benign application programs, for example if a file's binary code contains an instruction such as "Don't show hidden files". As a result, a heuristic engine is able to detect potentially malicious files and report them as a virus (in the case of NOD32, as "a variant").
ThreatSense® Technology:-
In this technology the heuristic approach is also used, but when a certain file performs suspicious activity on the computer, the AV program does not take any action and keeps an eye on that file. Next, when you update your antivirus, these files are sent to the security experts of the antivirus vendor you are using. Sometimes you have to submit the files manually by selecting the suspicious files and clicking "Submit". Malware analysts analyze the file and, if it is a virus, they create its signature. In this way a virus is caught within 3-4 days and less damage is done.
Antivirus products using these techniques:-
ESET NOD32 (I think all versions)
Bitdefender 10
Norton Antivirus 2009
Installation :
During installation, don't forget to enable this option!
Updates:-
NOD32 updates are very small in size. The first time you update NOD32 after installation, it takes a little while to update its virus database, but after that only 45 KB to 100 KB updates are downloaded on a daily basis. Look at the update size, soooooooo small!
Update files:
The NOD32 updates are stored in "C:\Program Files\ESET\ESET NOD32 Antivirus\" with the extension .DAT. Take a look at the image.
Save these files to some other location, and every time after installing NOD32, instead of updating for a long time, just copy these files to the installation folder and reboot. The reboot is necessary for the change to take effect.
Programming of NOD32:-
Root Directory: C:\Program Files\ESET\ESET NOD32 Antivirus\
Deep Scan: Yes
All files below sit in the root directory; each line gives the compiler signature reported by the scanner and the number of matches.
callmsi.exe: Microsoft Visual C++ 8 (matches: 6)
ecls.exe: Microsoft Visual C++ 8 (matches: 6)
ecmd.exe: Microsoft Visual C++ 8 (matches: 6)
egui.exe: Microsoft Visual C++ 8 (matches: 6)
eguiAmon.dll: no match found (matches: 0)
eguiEmon.dll: no match found (matches: 0)
eguiEpfw.dll: no match found (matches: 0)
eguiScan.dll: no match found (matches: 0)
eguiUpdate.dll: no match found (matches: 0)
EHttpSrv.exe: Free Pascal v1.06 (matches: 7)
ekrn.exe: Microsoft Visual C++ 8 (matches: 6)
ekrnAmon.dll: no match found (matches: 0)
ekrnEmon.dll: no match found (matches: 0)
ekrnMailPlugins.dll: no match found (matches: 0)
ekrnScan.dll: no match found (matches: 0)
ekrnUpdate.dll: no match found (matches: 0)
eplgHooks.dll: no match found (matches: 0)
eplgOE.dll: no match found (matches: 0)
eplgOutlook.dll: no match found (matches: 0)
eplgOutlookEmon.dll: no match found (matches: 0)
http_dll.dll: no match found (matches: 0)
mfc80.dll: no match found (matches: 0)
mfc80u.dll: no match found (matches: 0)
shellExt.dll: no match found (matches: 0)
updater.dll: Microsoft Visual C++ v6.0 (matches: 18)
But ESET says NOD32 is mostly programmed in assembly language, whereas the analysis tool shows the results above (a compiler signature identifies the compiler and runtime an executable was linked with, not the language of every module inside it).
But one thing I must say: it has a very fast scanning speed and uses very few CPU resources.
Submit Samples:
NOD32 also has a feature to submit suspicious files for analysis manually. If you find a suspicious file on your PC, just do this. Most people (malware writers) don't like this. LOL
Just right-click on the file and click Submit. That's it. Click the image to see it clearly.
ESET SysInspector :-
ESET SysInspector is a free, state-of-the-art diagnostic tool for Windows systems. It peers into your operating system and captures details such as running processes, registry content, startup items and network connections. Once a snapshot of the system is made, ESET SysInspector applies heuristics to assign a risk level to each object logged. ESET SysInspector is a convenient utility for the toolbox of every IT expert and first responder.
SysInspector was first produced as an individual product, but later on it was integrated into NOD32 version 4.xx. It is a very nice and free product. The SysInspector product manager was Zdeno Hlinka, who is also a developer.
Images of SysInspector:-
http://i49.tinypic.com/5yceah.jpg
Size: 2.4 MB
License: Freeware
Download SysInspector
ESET NOD32 is a true malware-fighting product.
Thursday, December 3, 2009
Riskiest Domains According to McAfee
You may want to think twice if you hit a site with a .cm extension. That belongs to Cameroon, pegged by McAfee as the world's riskiest domain.
McAfee's third annual "Mapping the Mal Web" report, released Wednesday, looks at riskiest and safest domains across the globe. The small nation on the west coast of Africa reached the top spot this year with 36.7 percent of its sites posing a security risk. Because .cm is often a typo for .com, McAfee said, cybercrooks like to use that domain to set up typo-squatted sites to hit you with malware.
The generic and widely used .com domain itself isn't much safer, according to McAfee, jumping from ninth last year to second this year in riskiness, with 32.2 percent of its sites potentially hazardous to your PC's health. "This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer," Mike Gallagher, chief technology officer for McAfee Labs, said in a statement. "Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught."
Overall, looking at 27 million Web sites and 104 top-level domains, McAfee found that 1.5 million sites, or 5.8 percent, were risky. That's up from 4.1 percent from the past two years, although the comparison is not direct since McAfee said it changed its rating methodology since then.
McAfee noted that cybercriminals who create domains to scam people prefer registrars with very low prices, volume discounts, and hefty refund policies. Crooks also like registrars with a "no questions asked" policy that act slowly or not at all when informed of malicious domains.
Sunday, November 29, 2009
Burning Software Problem
Nowadays the most popular CD/DVD burning software is Nero. The latest version, Nero 9.4, is approx. 204.2 MB in size and it also requires the .NET Framework. Software that is huge in size drags down the speed of your computer. But today I'm going to tell you about a burning program of just 9 MB which will do everything you can imagine.
It will burn CDs/DVDs and even Blu-ray, make images and also burn images. It's also free and I made it portable. I have been using it for many months and I hope you will also enjoy it. Now you don't need a huge program that wastes your time on installation and makes your PC crawl like a turtle.
Features:
- Multi-disc file backup and restore on CDs, DVDs and Blu-ray discs.
- Create compressed backup archives with powerful password protection.
- Split archives automatically across multiple CDs, DVDs or Blu-ray discs.
- Restore archive contents to their original locations.
- Integrated Audio CD ripper – store your audio tracks as MP3, WMA or WAV files
- New option for setting the number of copies you want to burn (available for all disc formats).
- Discs can now be verified immediately without being ejected first (if the drive supports this feature).
- Numerous other small improvements that make the program easier to use and more effective.
Monday, October 19, 2009
Unlock System Volume Information Folder
Caution: Beware, don't delete important files!
In the following image you can see the System volume information folder.
Procedure:-
This folder is super-hidden, so you cannot see what is in it. To make it visible go to "Folder Options", click the "View" tab, and uncheck the option "Hide protected operating system files (Recommended)". If after all this your computer still does not show that folder, your PC might be infected.
Normally, after unhiding this folder you can't open it because it is locked, and you see this error.
Now I will tell you how to unlock it, place some files in it and then lock it again so that an ordinary user can't see them.
The second interesting thing about this folder is its properties.
As you can see, its size is zero and it contains zero files and folders. But that is not actually the case.
Let's unlock it and see what is in it.
Open cmd, or make a batch file, and paste this. Here I'm unlocking the D:\ drive. Keep in mind that
"Administrator" here is the current username; change it if you don't have an Administrator account.
Unlock:-
cacls "D:\System Volume Information" /E /G "Administrator":F
Now you can see the files in System Volume Information. See this image.
And now it also shows its properties.
The last step is to lock that folder again: paste this code in the command prompt or make a batch file.
Lock:
cacls "D:\System Volume Information" /E /R "Administrator"
Now S.V.I. is restored to its default state and is again inaccessible.
Thursday, October 1, 2009
'State of the Internet' assessed
Among the 201 countries now seen as the source of malware and other Internet threats, the U.S., China, and South Korea accounted for more than half of the attacks in the second quarter.
Hey!! Where is Pakistan?
Blaming the majority of the assaults on the Conficker worm, Akamai discovered attacks on 4,100 unique ports, with 10 specific ports hit in about 90 percent of the cases. One port in particular, 445, used for Microsoft Directory Services, has proven especially vulnerable and was compromised in 68 percent of the attacks, allowing hackers to invade computers with this port open, Akamai said.
The report also examined connection speeds.
Several countries saw their connection speeds drop from the previous quarter, with the overall global average falling 11 percent to 1.5Mbps. Only 19 percent of the connections throughout the globe managed speeds greater than 5Mbps, a slight decline from the prior quarter.
Among all countries, South Korea came in first place with an average speed of 11Mbps, while Eritrea was last at 42Kbps. The U.S. was 18th on the global list, reaching average connection speeds of 4.2Mbps.
Akamai found that within the U.S., many states also saw connection speeds fall. Arizona's average speed dropped 27 percent from the first quarter. New Hampshire enjoyed the fastest connection in the country at 6.4Mbps, while Delaware fell to second place at 6.3Mbps, down from 7.2Mbps in the prior quarter. Overall, the East Coast led the nation with the fastest speeds of any region.
Akamai caches Internet content for its customers, allowing it to monitor traffic through the Net. The company uses the data from its Internet monitoring to compile its quarterly reports.
Thursday, September 24, 2009
Malware Growth Rate [Updated]
(Larger image here.)
Their speed is very rapid!
Keep your anti-virus updated to become immune to most of them.
- Now see this graph:
- Number and types of malware in the U.S.: a huge amount of trojans.
Sunday, September 20, 2009
History of Cyber Criminals
Melissa was written by David L. Smith, a 30-year-old man in Aberdeen Township, New Jersey, and named after a lap dancer he encountered in Florida.
Melissa can spread on word processors Microsoft Word 97 and Word 2000 and also Microsoft Excel 97, 2000 and 2003. It can mass-mail itself from e-mail client Microsoft Outlook 97 or Outlook 98.
Punishment:-
Federal Judge Joseph Greenaway sentenced Smith to serve 20 months in federal prison for releasing the virus and causing millions of dollars of damage.
Kevin David Mitnick (born August 6, 1963) is a computer security consultant and author. He was a world-famous controversial computer hacker in the late 20th century, who was, at the time of his arrest, the most wanted computer criminal in United States history.
Mitnick gained unauthorized access to his first computer network in 1979, at the age of sixteen, when a friend gave him the phone number for the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software. He broke into DEC's computer network and copied DEC's software, a crime he was charged and convicted for in 1988. He was sentenced to twelve months in prison followed by a three year period of supervised release.
Near the end of his supervised release, Mitnick hacked into Pacific Bell voice mail computers. Mitnick fled after a warrant was issued for his arrest, becoming a fugitive for the next two and a half years.
In 1999, Mitnick confessed to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication, as part of a plea agreement before the United States District Court for the Central District of California in Los Angeles. He was sentenced to 46 months in prison in addition to 22 months for violating the terms of his 1989 supervised release sentence for computer fraud.
According to the U.S. Department of Justice, Mitnick gained unauthorized access to dozens of computer networks while he was a fugitive. He used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country’s largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail.
He also wrote a book, The Art of Deception. In his book, Mitnick states that he compromised computers solely by using passwords and codes that he gained by social engineering. He claims he did not use software programs or hacking tools for cracking passwords or otherwise exploiting computer or phone security.
To Download "The Art of Deception" click here
Robert Morris (born November 8, 1965) is an associate professor at the Massachusetts Institute of Technology, in the Institute's department of Electrical Engineering and Computer Science. He is best known for creating the Morris Worm in 1988, considered the first computer worm on the Internet.
However, Morris believed that some administrators might try to defeat his worm by instructing the computer to report a false positive.
"I've met Robert. He's a nice guy, and he's a really brilliant professor," says Eric Allman, chief science officer at Sendmail and author of the send mail Internet e-mail routing software that Morris exploited with his worm. "He tries to keep a low profile. I do feel kind of sorry for the guy."
Punishment:
Ultimately, Morris was sentenced to three years of probation, ordered to pay a $10,000 fine and to perform 400 hours of community service for his violation of the federal Computer Fraud and Abuse Act of 1986.
A 28-year-old Miami man who made millions breaking into computer networks and stealing credit card numbers pleaded guilty on Friday and agreed to forfeit more than $2.7 million in restitution, as well as a condo, jewelry, and a car.
Albert Gonzalez, a former federal government informant and the alleged ringleader of one of the largest known identity theft cases in U.S. history, pleaded guilty (as expected) to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud, and aggravated identity theft related to theft of credit and debit card data from TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, among other retailers.
Gonzalez, along with 10 others from the U.S., Eastern Europe, and China, were accused in August 2008 of breaking into retail credit card payment systems using wardriving (searching for unsecured wireless networks while driving by with a laptop), and installing sniffer programs to capture data.
He also pleaded guilty to one count of conspiracy to commit wire fraud related to hacks into the network of the Dave & Buster's restaurant chain. He was indicted on that charge in New York in May 2008.
Gonzalez still faces charges in New Jersey of conspiring to steal credit card numbers from Heartland Payment Systems, 7-Eleven, and supermarket chain Hannaford Brothers following an indictment handed down against him and two unnamed Russians last month.
Punishment:
Under the terms of the plea agreements, Gonzalez faces up to 25 years in prison for the Boston charges and up to 20 years on the New York charges and will serve the terms concurrently. He also faces fines of at least $500,000.
Ehud Tenenbaum (born August 29, 1979), also known as The Analyzer, is an Israeli cracker from Hod HaSharon, Israel.
Tenenbaum became known in 1998 at the age of 19 when he was caught by the FBI and identified as the leader of a gang that hacked into computer systems belonging to the Pentagon, NASA, the U.S. Air Force and Navy, the Israeli Parliament, the Presidency, Hamas, MIT, and other U.S. and Israeli universities.
His white-hat hacker status didn't last long, as in September 2008 Tenenbaum was arrested by the Canadian police in Montreal and charged with six counts of credit card fraud, in the sum of approx. US$1.5 million.
Punishment:
Tenenbaum received one year of probation, a two-year suspended prison sentence which would be enforced if he committed another computer crime within three years, and an $18,000 fine.
- Jeffrey Lee Parson
Like the original Blaster, his worm was designed to launch an attack on a Microsoft Web site that housed patches to fix flaws in software. The idea was that if enough computers could be accessed and commanded to flood the Web site, it would collapse under the traffic load.
The worm contains two messages hidden in strings. The first:
I just want to say LOVE YOU SAN!!
That is why the worm is sometimes called the Lovesan worm. The second:
billy gates why do you make this possible ? Stop making money
and fix your software!!
This shows that the boy was in love with a girl. That's called intense love. The worm also creates the following registry entry so that it is launched every time Windows starts.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update = msblast.exe
Punishments:
A federal judge gave Jeffrey Lee Parson the minimum sentence of 18 months in prison today for releasing a version of the Blaster computer worm into the Internet in 2003.
Wednesday, September 16, 2009
How to Run .exe Files in Linux?
A long time ago, when I used Linux, I came to know that Linux doesn't run .exe files. But later on someone told me that with the help of a piece of software you can do that. The name of that software is
"WINE". It's not for drinking; it's for executing .exe files in Linux.
First of all you have to download it; to download it click here or Google it. Some Linux distributions have Wine built in. Ubuntu is the most used OS after MS Windows. Then take a look at this video, which will tell you how to install WINE in Ubuntu.
Watch Video
Here I have some images of how to run Mozilla Thunderbird in Linux.
But on the other hand, WINE doesn't execute every .exe file: when I ran Regmon by Sysinternals it showed an error and terminated.
Saturday, September 12, 2009
Google Chrome
Google Chrome is an open source web browser and was named Chrome since the project started under the name 'Chromium'. Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier. Here are a few great features of Google Chrome.
Main Look:-
Very simple but beautiful.
Protection:-
Chrome automatically detects fraudulent, phishing and other reported malware-spreading websites and warns users if they are about to view such websites.
Incognito:
There is an option named 'Incognito' where the user can browse without history being stored or cookies being kept. You could also call it "private browsing".
Speed:
Google's benchmark results show that Chrome is 42.6 times faster than IE7 and 9.7 times faster than Firefox 3. Chrome uses the open source WebKit rendering engine and has its own JavaScript engine called "V8" for running scripts faster.
Crash Control:
Every tab you're using is run independently in the browser, so if one app crashes it won't take anything else down, just like Task Manager in Windows.
Popularity:-
Within 48 hours of its launch, Google Chrome took 1% of the browser market. So far IE has 70%, Firefox 22% and Apple's Safari 7% market share.
Download Portable Google Chrome 4.0
Friday, September 4, 2009
How to Encrypt a Batch File?
Batch "encryption" is basically done to obfuscate the code so that another person can't understand it. Let's take an example. Take the following sentence:
The monkey does not know he is a monkey, he thinks that you are the monkey.
What if we replace the word “monkey” with “%”?
The % does not know he is a %, he thinks that you are the %.
The sentence has fewer characters, but unless you know our “algorithm” you won’t know what the sentence means.
How about “The * does not know he is a *, he thinks that you are the *.”
Since I have not told you what the “*” replaces you don’t know if now I am talking about cats, pigs, aliens, or what.
Here is an encrypted batch code.
@echo off
set l!1azl=a
set l!1bzl=b
set l!1czl=c
set l!1dzl=d
set l!1ezl=e
set l!1fzl=f
set l!1gzl=g
set l!1hzl=h
set l!1izl=i
set l!1jzl=j
set l!1kzl=k
set l!1lzl=l
set l!1mzl=m
set l!1nzl=n
set l!1ozl=o
set l!1pzl=p
set l!1qzl=q
set l!1rzl=r
set l!1szl=s
set l!1tzl=t
set l!1uzl=u
set l!1vzl=v
set l!1wzl=w
set l!1xzl=x
set l!1yzl=y
set l!1zzl=z
set l!10zl=0
set l!11zl=1
set l!12zl=2
set l!13zl=3
set l!14zl=4
set l!15zl=5
set l!16zl=6
set l!17zl=7
set l!18zl=8
set l!19zl=9
rem the value here is a single space; the quoted form keeps it from being lost
set "l!1 zl= "
set l!1!zl=!
set l!1?zl=?
set l!1+zl=+
set l!1.zl=.
set l!1:zl=:
set l!1;zl=;
set l!1/zl=/
set l!1\zl=\
set l!1"zl="
set l!1'zl='
set l!1-zl=-
set l!1_zl=_
set l!1(zl=(
set l!1)zl=)
set l!1[zl=[
set l!1]zl=]
set l!1{zl={
set l!1}zl=}
set l!1@zl=@
set l!1#zl=#
set l!1~zl=~
set l!1*zl=*
set l!1$zl=$
set l!1£zl=£
%l!1@zl%%l!1ezl%%l!1czl%%l!1hzl%%l!1ozl%%l!1 zl%%l!1ozl%%l!1fzl%%l!1fzl%
%l!1czl%%l!1dzl%%l!1\zl%
%l!1dzl%%l!1izl%%l!1rzl%%l!1 zl%%l!1Czl%%l!1:zl%%l!1\zl%%l!1 zl%>>%l!1 zl%%l!1Dzl%%l!1:zl%%l!1\zl%%l!1lzl%%l!1ozl%%l!1gzl%%l!1.zl%%l!1tzl%%l!1xzl%%l!1tzl%
%l!1ezl%%l!1xzl%%l!1izl%%l!1tzl%
It's a little bit difficult for new users to understand.
Now search for the words in this batch. Click the image to see it clearly. The underlines in the image show you the original words.
Scanned Image:-
Now arrange all these words in sequence and you will get this. Here is the original code.
@echo off
cd\
dir C:\ >> D:\log.txt
exit
This will run dir on the C:\ drive and save the results on the D:\ drive under the name log.txt.
This is just an example. You can also create your own complex algorithms.
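Recovering the plaintext from a script obfuscated this way is mechanical, which is why analysts do not treat it as encryption. The Python below is an added example, not code from the post or from the batchcrypt site: it parses every set line into a table and expands the %name% references the way cmd.exe does inside a batch file (names are case-insensitive, undefined names expand to nothing); the embedded sample is constructed in the post's scheme.

```python
import re

# One `set NAME=VALUE` line. The quoted form set "NAME=VALUE" keeps a value
# that is only whitespace (the single-space entry) from being lost.
SET_RE = re.compile(
    r'^\s*set\s+(?:"(?P<qname>[^=]+)=(?P<qval>[^"]*)"\s*|(?P<name>[^=]+)=(?P<val>.*))$',
    re.IGNORECASE,
)
# One %NAME% reference; the name may contain spaces, punctuation and '!'.
REF_RE = re.compile(r'%([^%]+)%')


def parse_table(lines):
    """Build the substitution table from every `set` line of the script."""
    table = {}
    for line in lines:
        m = SET_RE.match(line)
        if not m:
            continue
        if m.group('qname') is not None:
            name, value = m.group('qname'), m.group('qval')
        else:
            name, value = m.group('name'), m.group('val')
        key = name.lower()          # cmd.exe variable names are case-insensitive
        if value == '':
            table.pop(key, None)    # `set NAME=` with nothing after '=' deletes NAME
        else:
            table[key] = value
    return table


def expand(line, table):
    """Replace every %NAME% with its value; an undefined name expands to
    nothing, exactly as it does while a batch file is running."""
    return REF_RE.sub(lambda m: table.get(m.group(1).lower(), ''), line)


def deobfuscate(script):
    """Return the plaintext commands hidden in an obfuscated batch script:
    the lookup table is dropped and every remaining line is expanded."""
    lines = script.splitlines()
    table = parse_table(lines)
    return '\n'.join(expand(l, table) for l in lines if not SET_RE.match(l))


# Constructed sample in the post's scheme, trimmed to the characters it uses.
# Note the quoted single-space entry and the uppercase C/D references, which
# resolve to the lowercase entries because names are case-insensitive.
SAMPLE = '\n'.join([
    '@echo off',
    *(f'set l!1{ch}zl={ch}' for ch in 'cdirlogtxe.:\\'),
    'set "l!1 zl= "',
    '%l!1czl%%l!1dzl%%l!1\\zl%',
    '%l!1dzl%%l!1izl%%l!1rzl%%l!1 zl%%l!1Czl%%l!1:zl%%l!1\\zl%'
    '%l!1 zl%>>%l!1 zl%%l!1Dzl%%l!1:zl%%l!1\\zl%'
    '%l!1lzl%%l!1ozl%%l!1gzl%%l!1.zl%%l!1tzl%%l!1xzl%%l!1tzl%',
    '%l!1ezl%%l!1xzl%%l!1izl%%l!1tzl%',
])

if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```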
Website:-
There is a site which will encrypt your batch code for free, up to 10 lines.
http://batchcrypt.110mb.com/
I always try to give excellent knowledge about security and programming, because I believe " In the race of excellence, there is NO finish Line"
Wednesday, September 2, 2009
Defeat KeyLoggers
What is KeyLogger?
A program used to capture the keystrokes entered on the keyboard.
These keystrokes are then saved in a log file, anywhere on your hard disk. After that, the log file is sent back to the author of the keylogger.
Why are they programmed?
They are basically programmed to get a user's sensitive passwords or credit card numbers, through which the attacker can achieve their goal or get money. Sensitive passwords for me are PayPal, Ziddu or online banking, etc.
Just think for a moment that you are doing online banking and someone steals your password; you are in big trouble. He/she will transfer money or start shopping online.
How to defeat them?
Here you have to use an on-screen keyboard. You enter the keys by clicking with the mouse, so these keys are not logged by the keylogger. Windows XP has a built-in On-Screen Keyboard.
1. Click on start
2. Click on all programs
3. Click on accessories
4. Click on accessibility
5. Click on on-screen keyboard.
Or, if you want, you can use another virtual keyboard which will do the same trick.
Here is a Picture of Virtual KeyBoard.
| Freeware | 230 KB | Zip | Portable |
Download
Link1--Link2
Friday, August 21, 2009
W32/Conficker: A General Analysis [Updated]
Damage:-
By January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. The worm uses a combination of advanced malware techniques which has made it difficult to counter, and it has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.
After the infection I observed different things; let's discuss those.
Aliases
* Worm:Win32/Conficker.A (Microsoft)
* Crypt.AVL (AVG)
* Mal/Conficker-A (Sophos)
* Trojan.Win32.Pakes.lxf (F-Secure)
* Trojan.Win32.Pakes.lxf (Kaspersky)
* W32.Downadup (Symantec)
* Worm:Win32/Conficker.B (Microsoft)
* WORM_DOWNAD.A (Trend Micro)
Symptoms of Conficker infection include the following:
- Access to security-related sites is blocked
- Users are locked out of the directory
- Traffic is sent through port 445 on non-Directory Service (DS) servers
- Access to administrator shared drives is denied
- Autorun.inf files are placed in the recycled directory, or trash bin.
- The first interesting thing I observed about Conficker is that it restricts access to security sites without modifying the hosts file.
- It injects itself into SVCHOST.exe, a running process, so terminating and deleting this file is very difficult for users.
- The autorun.inf file structure used by the Conficker worm was very different from a traditional autorun.inf because a lot of garbage code was added.
- The option "Open folder to view files" -- Publisher not specified was added by the worm. This window opens whenever the pen drive is inserted.
- The extension of the file I observed was vmx. Click the image to see it clearly.
- If your pen drive is infected with Conficker, it will infect your PC simply by being plugged in before you start your PC. This is my personal experience, because my computer was being infected again and again after cleaning the worm, as my pen drive always remained plugged into my PC. Then I formatted my pen drive and rescanned my whole PC, and the problem was solved.
- It isolates itself in locations of this type on each drive, I:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665, to make detection by the user difficult.
- The first variant of the Conficker worm downloads a GeoIP file from a third-party website in order to determine the language of the operating system. When the owner of the website removed that file, the worm had a much tougher time determining the OS. In the second variant, seen on 28 December 2008, the author of the worm solved the GeoIP file problem by embedding the data in the new variant.
- It changes the PC's settings so the PC won't show hidden files. It opens a port in the firewall and disables automatic updates.
- A deep scan of the worm file shows in which language it is programmed. [Results of file scan]
File name: jwgkvsq.vmx
Number of matching signatures: 7
Deep scan: Yes
Best match: Microsoft Visual C++ 6.0 DLL
All matches:
  Microsoft Visual C++ 6.0 DLL (matches: 63)
  Microsoft Visual C++ 6.0 (matches: 18)
  Microsoft Visual C++ 6.0 DLL (Debug) (matches: 18)
  Armadillo v1.xx - v2.xx (matches: 17)
  Microsoft Visual C++ v6.0 DLL (matches: 11)
- On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe.
- Heuristically identified capability of spreading across the following weakly restricted network shares: C$, D$, E$, IPC$
- The network replication uses a dictionary attack, probing credentials from the following list:
000000, 00000000, 111111, 11111111, 123123, 12345, 123456, 1234567, 12345678, 123456789, 1234qwer, 123abc,
123asd, 123qwe, 54321, 654321, 88888888, abc123, academia, admin, admin$, admin123, administrator, admins,
america, anchor, anything, april, arrow, artist, asdfgh, basic, changeme, cluster, codeword, coffee,
compaq, cookie, country, dirty, discovery, drive, edition, england, english, forever, france, freedom,
french, ghost, guest, ihavenopass, india, input, japan, julie, killer, letmein, logout, macintosh,
master, modem, monday, mouse, mypass, mypc123, network, nobody, pass123, password1, password123, phone,
phrase, printer, private, pw123, record, right, saturday, script, simple, slave, student, superuser,
switch, target, temp123, test123, thailand, user1, video, virus, xxxxx, xxxxxx, xxxxxxxx, xxxxxxxxx
- It terminates the processes whose names contain any of the following strings:
unlocker, tcpview, sysclean, scct_, regmon, procmon, procexp, ms08-06, mrtstub, mrt., mbsa., klwk, kido, kb958, kb890, hotfix, gmer, filemon, downad, confick, avenger, autoruns
- In order to block users' access to security-related domains, it prevents network access to any domain that contains one of the following strings:
wilderssecurity, virus, virscan, trojan, trendmicro, threatexpert, threat, technet, symantec, sunbelt,
spyware, spamhaus, sophos, secureworks, securecomputing, safety.live, rootkit, rising, removal, quickheal,
ptsecurity, prevx, pctools, panda, onecare, norton, norman, nod32, networkassociates, mtc.sri,
msmvps, msftncsi, mirage, microsoft, mcafee, malware, kaspersky, k7computing, jotti, ikarus,
hauri, hacksoft, hackerwatch, grisoft, gdata, freeav, free-av, fortinet, f-secure, f-prot,
ewido, etrust, eset, esafe, emsisoft, dslreports, drweb, defender, cyber-ta, cpsecure,
conficker, computerassociates, comodo, clamav, centralcommand, ccollomb, castlecops, bothunter, avira, avgate,
avast, arcabit, antivir, anti-, ahnlab, agnitum
- Scheduled tasks have been seen to be created on the system to re-activate the worm.
- Message during decompiling with OllyDbg 1.10
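As an added example (not part of the original analysis), the Python below applies the two substring lists above the way the worm does, so a defender can see which of their own security hosts an infected machine could no longer reach and which tools it would kill; the hostnames, process names and reachability results are constructed sample data.

```python
"""Exposure check against the Conficker behaviour documented in the post
(example code added here, not part of the original analysis).

The worm matches by plain substring: a process whose image name contains one
of KILLED_PROCESS_STRINGS is terminated, and a hostname containing one of
BLOCKED_DOMAIN_STRINGS becomes unreachable. Running the same match over your
own tooling and update servers shows what an infected host would lose; a host
that reaches everything except security vendors is the classic symptom."""

# Both lists are copied from the post; matching is done on lowercased names.
KILLED_PROCESS_STRINGS = (
    'unlocker', 'tcpview', 'sysclean', 'scct_', 'regmon', 'procmon', 'procexp',
    'ms08-06', 'mrtstub', 'mrt.', 'mbsa.', 'klwk', 'kido', 'kb958', 'kb890',
    'hotfix', 'gmer', 'filemon', 'downad', 'confick', 'avenger', 'autoruns',
)

BLOCKED_DOMAIN_STRINGS = (
    'wilderssecurity', 'virus', 'virscan', 'trojan', 'trendmicro', 'threatexpert',
    'threat', 'technet', 'symantec', 'sunbelt', 'spyware', 'spamhaus', 'sophos',
    'secureworks', 'securecomputing', 'safety.live', 'rootkit', 'rising',
    'removal', 'quickheal', 'ptsecurity', 'prevx', 'pctools', 'panda', 'onecare',
    'norton', 'norman', 'nod32', 'networkassociates', 'mtc.sri', 'msmvps',
    'msftncsi', 'mirage', 'microsoft', 'mcafee', 'malware', 'kaspersky',
    'k7computing', 'jotti', 'ikarus', 'hauri', 'hacksoft', 'hackerwatch',
    'grisoft', 'gdata', 'freeav', 'free-av', 'fortinet', 'f-secure', 'f-prot',
    'ewido', 'etrust', 'eset', 'esafe', 'emsisoft', 'dslreports', 'drweb',
    'defender', 'cyber-ta', 'cpsecure', 'conficker', 'computerassociates',
    'comodo', 'clamav', 'centralcommand', 'ccollomb', 'castlecops', 'bothunter',
    'avira', 'avgate', 'avast', 'arcabit', 'antivir', 'anti-', 'ahnlab', 'agnitum',
)


def matching_strings(value, patterns):
    """Return the indicator strings that occur in value (case-insensitive)."""
    lowered = value.lower()
    return [p for p in patterns if p in lowered]


def would_be_killed(process_name):
    return bool(matching_strings(process_name, KILLED_PROCESS_STRINGS))


def would_be_blocked(hostname):
    return bool(matching_strings(hostname, BLOCKED_DOMAIN_STRINGS))


def exposure_report(hostnames, process_names):
    """Map each affected host/process to the indicator strings that hit it.
    Anything not listed would keep working on an infected machine."""
    return {
        'blocked_hosts': {h: matching_strings(h, BLOCKED_DOMAIN_STRINGS)
                          for h in hostnames if would_be_blocked(h)},
        'killed_processes': {p: matching_strings(p, KILLED_PROCESS_STRINGS)
                             for p in process_names if would_be_killed(p)},
    }


def infection_hint(reachability):
    """reachability maps hostname -> True/False from a connectivity check.
    True when every host matching the block list failed while at least one
    unrelated host succeeded: the worm's filter rather than a dead network."""
    blocked = [ok for h, ok in reachability.items() if would_be_blocked(h)]
    others = [ok for h, ok in reachability.items() if not would_be_blocked(h)]
    return bool(blocked) and not any(blocked) and any(others)


# Constructed sample data; 'antispam.example.com' shows the filter is literal
# (the worm string is 'anti-', with the hyphen), so it is not blocked.
SAMPLE_HOSTS = ('update.microsoft.com', 'www.eset.com', 'mail.example.com',
                'antispam.example.com', 'cdn.example.net')
SAMPLE_PROCESSES = ('procexp.exe', 'MRT.exe', 'explorer.exe', 'notepad.exe',
                    'Autoruns64.exe')

if __name__ == '__main__':
    import json
    print(json.dumps(exposure_report(SAMPLE_HOSTS, SAMPLE_PROCESSES), indent=2))
```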
Removal:-
Thanks to the Microsoft removal tools, which solved that problem. For further info see my post "Malware removal tools".
-----
ExtremeVoltages
"We start from there, where other ends."