Brainfoldb4u's Blog

Just another WordPress.com weblog

Archive for the ‘Hacking’ Category

iPhone hack ban

Posted by brainfoldb4u on February 17, 2010

I guess Apple has found that its iPhone OS is now frequently hacked. Much like Windows, Apple is struggling against sophisticated hacks, and weekly patches are not enough to protect the OS, so Apple seems to have come up with a defensive idea: locking the hackers' accounts. Just days after a scrappy young iPhone hacker discovered an unlock exploit for OS 3.1.3 with baseband 05.12.01, Sherif Hashim received an ominous message on his iPhone after attempting to log in to iTunes: “This Apple ID has been disabled for security reasons.” Proving that this is not an isolated incident, fellow hacker iH8sn0w responded to Hashim to let him know the very same thing had happened to him after he released an exploit known as XEMN. Perhaps most puzzling, however, is the fact that Hashim’s exploit was never publicly released, having only been given to the iPhone Dev-Team, who plan to incorporate it into their next release. Obviously Apple could claim that its actions were a response to the violation of its intellectual property as well as a breach of the iPhone’s end-user license agreement, but one has to wonder just how far a notoriously heavy-handed company like Apple might go in the future if it is unable to gain the upper hand over hackers like Hashim.

iPhone developer and hacker Sherif Hashim claims to have received a warning showing he had been denied access to the App Store for “security reasons” (see the screenshot above).
The move sparked concerns that Apple might ban all jailbroken iPhones from accessing the App Store. However, such a move would prevent Apple’s application developers from selling to the millions of users of jailbroken devices, and it would be especially bad politics following the launch of the Wholesale Applications Community at the Mobile World Congress conference earlier this week.

This looks like a strong message that known iPhone hackers may get into trouble. At the same time there is no indication that Apple is refusing App Store access to anyone who merely uses available software to jailbreak or unlock their iPhone or iPod Touch. The message is clear: publicly release an exploit for the iPhone OS and expect to lose your App Store privileges.

Posted in Hacking, Information Security, iPhone

Zeus, IM threats

Posted by brainfoldb4u on January 25, 2010

A new threat to instant messaging (IM) has been identified: the well-known Trojan Zeus is attacking users of AOL Instant Messenger (AIM) and stealing passwords. Zeus is one of the best-selling Trojan kits on the black market today and has become the popular choice among cybercriminals because it is easy to set up and control and can be used for a variety of purposes. And, like popular commercial software, Zeus comes in a standard version (costing a minimum of $1000) and a professional version with extra features such as a large library of target templates.

So what is Zeus?

Zeus network of affected computers

Zeus, also known as Zbot, is a threat run by an army of attackers who pay thousands for the latest Zeus builder (the kit that generates the bot) to make sure they distribute the most up-to-date, undetectable bot builds. Older builders and builds are also available for free on various black-market and file-sharing web sites.

Zeus/Zbot samples are distributed every day at an alarming rate. Multiple modifications of the bot are produced in the wild, then packed and encrypted with all sorts of packers, including modified, hacked or private packer builds. Before release, every newly generated and protected bot is uploaded to popular multi-AV scanner services to make sure no antivirus vendor detects it. Hence it is quite a problem in terms of its distribution scale.

The latest generation of Zeus is capable of using rootkit techniques to hide its presence on the victim's machine.

The bot uses covert methods to inject additional fields into online banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites and added to remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds. The money-laundering groups anonymously hire real people to withdraw money through their personal accounts; in the criminal world these people are called “drops” and their accounts “drop accounts”.

Current Threat to Instant Messengers (IM)

Users of the popular instant-messaging platform receive an email message announcing an update and are prompted to click through to download what appears to be a legitimate file, aimupdate_7.1.6.475.exe. However, the so-called update is actually the Zeus installer, and the page can push it onto the victim’s machine whether or not the AIM user clicks the link to download the executable.

“It opens an IFRAME to a site that attempts to use vulnerable versions of Adobe Reader to push the Zeus keylogger down to the victim’s computer, then executes it within a few moments of the page loading. The fake web page to which victims are brought appears to be an AOL site, but a close look reveals inconsistencies with an authentic web page. Notably,

  • a true AIM installer has a digital signature from parent company AOL attached. This one does not contain that signature.
  • Further, the URL used for the download begins with a legitimate-seeming address, “update.aol.com”, but that is followed by a six- to seven-random-character word followed by .com.pl.

“The exploit opens, in an IFRAME, a page hosted on the IP address in the Vishclub network, which in turn loads a fairly large (15,628 byte) blob of obfuscated JavaScript,” according to the Webroot blog post. “The script invokes the browser to load Adobe Reader, then pushes a file called ‘pdf.pdf’ down to the Reader. That file is built to attack the Collab overflow exploit, the util.printf overflow exploit, and the getIcon exploit in order to force the operating system to download and execute files.”

Webroot's advice
Webroot advises that, to avoid this particular exploit aimed at AIM users, users turn off Adobe Reader’s embedded JavaScript. “There’s almost no circumstance where JavaScript is required,” Brandt said. Turning it off means Reader shows an extra prompt when a PDF tries to run JavaScript, at which point the user can make a choice.

Brandt also recommends that web surfers use the Firefox browser with the NoScript extension.

Known facts about Zeus:

  • The Zeus Trojan commonly uses file names like the ones below, so search your PCs for files with these names (nn stands for two digits):
  1. NTOS.EXE
  2. SDRA64.EXE
  3. LD08.EXE
  4. LD12.EXE
  5. PP06.EXE
  6. PP08.EXE
  7. LDnn.EXE
  8. PPnn.EXE
  • A typical Zeus sample is between 40 KB and 150 KB in size.
  • Additionally look for a folder named WSNPOEM; this is also a common sign of a Zeus infection.
  • Finally, check the Registry for Run keys referencing any of these names.
  • Do not assume that because your antivirus or internet security suite shows no sign of infection your PC is free of Zeus.
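A triage script for the indicators listed above, added here as an example (it is not from the original post or from any vendor). It works over an inventory already collected from the suspect machine, a list of file paths with sizes plus the values found under the autostart registry keys, so it runs offline; the inventory embedded below is constructed for illustration. The Winlogon\Userinit entry goes beyond the list above: Zeus builds of this era were widely reported to append their dropper to that value, so it is checked alongside the Run keys.

```python
"""Offline triage for the Zeus/Zbot indicators in the list above.

Added example; not from the original post. Input is an inventory collected
from the suspect host (file paths with sizes, and autostart registry values),
so nothing here touches a live system. The sample inventory is constructed.
"""
import re
from dataclasses import dataclass

# File names from the list above; "nn" means two digits, so LDnn/PPnn is a regex.
ZEUS_NAME_PATTERNS = [
    re.compile(r"^ntos\.exe$", re.IGNORECASE),
    re.compile(r"^sdra64\.exe$", re.IGNORECASE),
    re.compile(r"^(ld|pp)\d{2}\.exe$", re.IGNORECASE),  # covers LD08, LD12, PP06, PP08, ...
]
ZEUS_FOLDER = "wsnpoem"
SIZE_MIN, SIZE_MAX = 40 * 1024, 150 * 1024   # typical dropper size range given above


@dataclass(frozen=True)
class Hit:
    kind: str       # "file", "folder" or "autostart"
    location: str
    detail: str


def _split(path):
    return path.replace("/", "\\").split("\\")


def _is_zeus_name(name):
    return any(p.match(name) for p in ZEUS_NAME_PATTERNS)


def find_zeus_indicators(files, autostart_values):
    """files: iterable of (path, size_bytes).
    autostart_values: iterable of (registry_key, value_name, data) for the Run keys
    and, as an addition to the post's list, Winlogon\\Userinit, which Zeus builds
    of this era were widely reported to append their dropper to."""
    hits, seen_folders = [], set()
    for path, size in files:
        parts = _split(path)
        for i, part in enumerate(parts[:-1]):
            if part.lower() == ZEUS_FOLDER:
                folder = "\\".join(parts[: i + 1])
                if folder.lower() not in seen_folders:
                    seen_folders.add(folder.lower())
                    hits.append(Hit("folder", folder, "WSNPOEM folder present"))
        if _is_zeus_name(parts[-1]):
            detail = "known Zeus file name"
            if not SIZE_MIN <= size <= SIZE_MAX:
                detail += f" (size {size} bytes is outside the typical 40-150 KB range)"
            hits.append(Hit("file", path, detail))
    for key, value_name, data in autostart_values:
        # Userinit is a comma-separated list; Run values may quote paths or carry arguments.
        for token in re.split(r'[,;"\s]+', data):
            name = _split(token)[-1]
            if name and _is_zeus_name(name):
                hits.append(Hit("autostart", f"{key}\\{value_name}", f"references {name}"))
                break
    return hits


# Constructed inventory: one infected-looking host.
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\ntos.exe", 91_648),
    (r"C:\WINDOWS\system32\wsnpoem\audio.dll", 2_304),
    (r"C:\WINDOWS\system32\wsnpoem\video.dll", 10_752),
    (r"C:\WINDOWS\system32\kernel32.dll", 989_696),
    (r"C:\WINDOWS\system32\ld08.exe", 4_096),          # right name, suspiciously small
]
SAMPLE_AUTOSTART = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "System",
     r'"C:\WINDOWS\system32\ntos.exe"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit",
     r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"),
]

if __name__ == "__main__":
    for hit in find_zeus_indicators(SAMPLE_FILES, SAMPLE_AUTOSTART):
        print(f"[{hit.kind:9}] {hit.location}: {hit.detail}")
```

A name match with a size outside the 40-150 KB range is still reported, only flagged, because the size is a heuristic and packers vary; the WSNPOEM folder is reported once however many files it holds. On a real host, feed it a directory walk of %SystemRoot%\system32 and an export of the Run and Winlogon keys.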

Sample Zeus infection diagram from Trend Micro

Ways to remove the Trojan manually

I found this information on Spyware Techie’s blog as a manual removal method for technically minded computer users. Manual removal of an unknown Trojan can be difficult and time consuming, and there is no guarantee that it will be removed completely, so read the removal steps carefully and good luck.

Before you start: close all programs and Internet browsers and back up your computer in case something goes wrong.

  1. Uninstall the Unknown Trojan program
    Click Start > Settings > Control Panel > double-click Add/Remove Programs. Search for and uninstall Unknown Trojan if found.
  2. Stop Unknown Trojan processes
    Go to Start > Run > type taskmgr. Then click the Processes tab and you will see a list of running processes.
    Search for and stop these Unknown Trojan processes:
    No specific process names are listed; look for the file names given in the list above.
    For each unwanted process, right-click it and select “End task”.
  3. Unregister Unknown Trojan DLLs
    Search for and unregister these Unknown Trojan DLLs: no specific DLLs are listed.

    To locate a DLL path, go to Start > Search > All Files or Folders. Type the file name and in the “Look in:” box select either My Computer or Local Hard Drives. Click the Search button.
    Once you have the DLL path, go to Start and then click Run. In the Run command box, type cmd, and then click OK.
    To get to the DLL's directory, type cd followed by the path to change the current directory. To display the contents of the directory, use the dir command. To unregister the DLL, type regsvr32 /u FILENAME.dll (FILENAME is the name of the file you want to unregister).

  4. Remove Unknown Trojan registry keys
    Go to Start > Run > type regedit > press OK.
    To inspect a value in the right pane, right-click it and select Modify; to remove it, right-click it and select Delete.
    Search for and delete these Unknown Trojan registry keys:
    No specific keys are listed; look for Run entries referencing the file names given above.
  5. If your home page has been changed, go to Start > Control Panel > Internet Options > click the General tab > click Use Default under Home Page, or type your desired home page, then click Apply > OK. Open a new browser window to check that you have your desired home page.
  6. Remove Unknown Trojan directories.
    To find Unknown Trojan directories, go to Start > My Computer > Local Disk (C:) > Program Files > Show the contents of this folder.
    Search for and delete the following Unknown Trojan directories:
    No specific directories are listed; the WSNPOEM folder mentioned above is the known indicator.

    Right-click the Unknown Trojan folder and select Delete. A message will appear saying ‘Are you sure you want to remove the folder Unknown Trojan and move all its contents to the Recycle Bin?’; click Yes.
    Another message will appear saying ‘Renaming, moving or deleting Unknown Trojan could make some programs not work. Are you sure you want to do this?’; click Yes.

  7. To remove Unknown Trojan icons from your Desktop, drag and drop them to the Recycle Bin.

Posted in Exploit, Hacking, Information Security, Passwords

Google Chrome Forensics

Posted by brainfoldb4u on January 22, 2010

This post was originally published on the SANS Computer Forensics blog by Kristinn under Browser Forensics, Computer Forensics. It is pretty useful information about Google Chrome, so I am linking it here.

Google Chrome stores the browser history in a SQLite database, not unlike Firefox.  Yet the structure of the database file is quite different.

Chrome stores its files in the following locations:

  • Linux: /home/$USER/.config/google-chrome/
  • Linux: /home/$USER/.config/chromium/
  • Windows Vista (and Windows 7): C:\Users\[USERNAME]\AppData\Local\Google\Chrome
  • Windows XP: C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Google\Chrome

There are two different versions of Google Chrome for Linux: the official packages distributed by Google, which store their data in the google-chrome directory, and the Linux distributions' version, Chromium, which uses the chromium directory.

The database file that contains the browsing history is stored under the Default folder as “History” and can be examined using any SQLite client (such as sqlite3). The available tables are:

  • downloads
  • presentation
  • urls
  • keyword_search_terms
  • segment_usage
  • visits
  • meta
  • segments

The most relevant tables for browsing history are the “urls” table, which contains all the visited URLs; the “visits” table, which contains, among other information, the type of visit and the timestamps; and finally the “downloads” table, which contains a list of downloaded files.

If we examine the urls table for instance by using sqlite3 we can see:

sqlite> .schema urls
CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,
typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,
favicon_id INTEGER DEFAULT 0 NOT NULL);
CREATE INDEX urls_favicon_id_INDEX ON urls (favicon_id);
CREATE INDEX urls_url_index ON urls (url);

And the visits table

sqlite> .schema visits
CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN);
CREATE INDEX visits_from_index ON visits (from_visit);
CREATE INDEX visits_time_index ON visits (visit_time);
CREATE INDEX visits_url_index ON visits (url);

So we can construct a SQL statement to get some information about the user's browsing habits:

SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition
FROM urls, visits
WHERE
 urls.id = visits.url

This SQL statement extracts all the URLs the user visited alongside the visit count, type and timestamps.

If we examine the timestamp information from the visits table we can see it is not in Epoch format. The timestamp in the visits table is the number of microseconds since midnight UTC on 1 January 1601, which others have noticed as well, such as firefoxforensics.

If we take a look at the schema of the downloads table (.schema downloads) we see

CREATE TABLE downloads (id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,
start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state

If we examine the timestamp there (start_time) we can see that it is stored in Epoch format.

There is one more interesting thing to mention in the “visits” table: the column “transition”. This value describes how the URL was loaded in the browser. For full documentation see the source code of page_transition_types; in short, the core parameters are the following:

  • LINK. User go to the page by clicking a link.
  • TYPED. User typed the URL in the URL bar.
  • AUTO_BOOKMARK. User got to this page through a suggestion in the UI, for example, through the destinations page
  • AUTO_SUBFRAME. Any content that is automatically loaded in a non-toplevel frame. User might not realize this is a separate frame so he might not know he browsed there.
  • MANUAL_SUBFRAME. For subframe navigations that are explicitly requested by the user and generate new navigation entries in the back/forward list.
  • GENERATED. User got to this page by typing in the URL bar and selecting an entry that did not look like a URL.
  • START_PAGE. The user’s start page or home page or URL passed along the command line (Chrome started with this URL from the command line)
  • FORM_SUBMIT. The user filled out values in a form and submitted it.
  • RELOAD.  The user reloaded the page, whether by hitting reload, enter in the URL bar or by restoring a session.
  • KEYWORD. The url was generated from a replaceable keyword other than the default search provider
  • KEYWORD_GENERATED. Corresponds to a visit generated for a keyword.

The transition variable contains more information than just the core parameters.  It also stores so called qualifiers such as whether or not this was a client or server redirect and if this a beginning or an end of a navigation chain.

When reading the transition from the database and extracting just the core parameter, the value found in the database has to be ANDed with CORE_MASK:

CORE_MASK = 0xFF,
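The join query, the two timestamp formats and the transition decoding described above, put together in one script. This is an added example, not code from the SANS post or from log2timeline. It builds a throwaway History database using the schema shown above (the downloads schema is cut off after “state” in the post, so “state INTEGER NOT NULL” is assumed), fills it with rows constructed from the two visits in the log2timeline output, and queries it. The qualifier bit values are taken from Chromium's page_transition_types source; the post names them but does not list the numbers. The download row (example.org URL, path, sizes) is made up.

```python
"""Read a Chrome "History" SQLite database: urls/visits join, both timestamp
formats, and the transition field. Added example, not from the SANS post."""
import sqlite3
from datetime import datetime, timedelta, timezone

# visits.visit_time and urls.last_visit_time: microseconds since 1601-01-01 00:00 UTC
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WEBKIT_TO_UNIX_OFFSET = 11_644_473_600       # seconds between 1601-01-01 and 1970-01-01

# Core transition types, in the order listed above (list index = numeric value)
CORE_TYPES = ["LINK", "TYPED", "AUTO_BOOKMARK", "AUTO_SUBFRAME", "MANUAL_SUBFRAME",
              "GENERATED", "START_PAGE", "FORM_SUBMIT", "RELOAD", "KEYWORD",
              "KEYWORD_GENERATED"]
CORE_MASK = 0xFF
# Qualifier bits; numeric values from Chromium's page_transition_types, not from the post
QUALIFIERS = [(0x10000000, "CHAIN_START"), (0x20000000, "CHAIN_END"),
              (0x40000000, "CLIENT_REDIRECT"), (0x80000000, "SERVER_REDIRECT")]

SCHEMA = """
CREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,
  visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,
  last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,
  favicon_id INTEGER DEFAULT 0 NOT NULL);
CREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,
  from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,is_indexed BOOLEAN);
CREATE TABLE downloads(id INTEGER PRIMARY KEY,full_path LONGVARCHAR NOT NULL,url LONGVARCHAR NOT NULL,
  start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,
  state INTEGER NOT NULL);
"""


def unix_to_webkit(seconds):
    return (seconds + WEBKIT_TO_UNIX_OFFSET) * 1_000_000


def webkit_to_datetime(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def epoch_to_datetime(seconds):
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def decode_transition(value):
    """Split a transition value into (core type name, [qualifier names])."""
    core = value & CORE_MASK
    name = CORE_TYPES[core] if core < len(CORE_TYPES) else f"UNKNOWN({core})"
    return name, [q for bit, q in QUALIFIERS if value & bit]


# Constructed rows; the visit times are the two Unix timestamps from the
# log2timeline output above, re-encoded in WebKit format.
T_WELCOME, T_ISC = unix_to_webkit(1261044829), unix_to_webkit(1261044989)
SAMPLE_URLS = [
    (1, "http://tools.google.com/chrome/intl/en/welcome.html", "Get started with Google Chrome", 1, 0, T_WELCOME, 0, 0),
    (2, "http://isc.sans.org/", "SANS Internet Storm Center", 1, 1, T_ISC, 0, 0),
]
SAMPLE_VISITS = [
    (1, 1, T_WELCOME, 0, 0x30000006, None, 0),   # START_PAGE | CHAIN_START | CHAIN_END
    (2, 2, T_ISC, 0, 0x30000001, None, 0),       # TYPED | CHAIN_START | CHAIN_END
]
SAMPLE_DOWNLOADS = [   # made-up download; start_time is plain Unix seconds
    (1, "/home/user/Downloads/report.pdf", "http://example.org/report.pdf", 1261045000, 20480, 20480, 1),
]


def build_sample_history():
    """In-memory stand-in for a copy of the suspect's History file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?,?)", SAMPLE_URLS)
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?,?)", SAMPLE_VISITS)
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?)", SAMPLE_DOWNLOADS)
    return conn


def visited_urls(conn):
    """The join from the post, with timestamps and transitions made readable."""
    query = """SELECT urls.url, urls.title, urls.visit_count, urls.typed_count,
                      visits.visit_time, visits.from_visit, visits.transition
               FROM urls JOIN visits ON urls.id = visits.url
               ORDER BY visits.visit_time"""
    result = []
    for url, title, count, typed, vtime, from_visit, transition in conn.execute(query):
        core, quals = decode_transition(transition)
        result.append({"url": url, "title": title, "visit_count": count, "typed_count": typed,
                       "visited_utc": webkit_to_datetime(vtime).strftime("%Y-%m-%d %H:%M:%S"),
                       "from_visit": from_visit, "transition": core, "qualifiers": quals})
    return result


def download_list(conn):
    """downloads.start_time is Unix epoch seconds, unlike the visits table."""
    query = "SELECT full_path, url, start_time, received_bytes, total_bytes FROM downloads"
    return [{"path": p, "url": u, "started_utc": epoch_to_datetime(t).strftime("%Y-%m-%d %H:%M:%S"),
             "complete": rb == tb} for p, u, t, rb, tb in conn.execute(query)]


if __name__ == "__main__":
    db = build_sample_history()   # for a real case: sqlite3.connect("file:History?mode=ro", uri=True)
    for row in visited_urls(db):
        print(row["visited_utc"], row["transition"], row["qualifiers"], row["url"])
    for row in download_list(db):
        print(row["started_utc"], row["url"], "->", row["path"], "complete" if row["complete"] else "partial")
```

Two things worth noticing when running it: the constructed visit times decode to 10:13:49 and 10:16:29 UTC on 17 December 2009, matching the mactime CSV above (so that author's local zone was UTC), and a transition such as 0xA0000000 decodes to LINK with CHAIN_END and SERVER_REDIRECT, which a plain `transition & 0xFF` would silently drop.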

I’ve created an input module to log2timeline to make things a little bit easier by automating this.  At this time the input module is only available in the nightly builds, but it will be released in version 0.41 of the framework.

An example usage of the script is the following:

log2timeline -f chrome -z local History
0|[Chrome] User: kristinng URL visited: http://tools.google.com/chrome/intl/en/welcome.html (Get started with Google Chrome) [count: 1] Host: tools.google.com type: [START_PAGE - The start page of the browser] (URL not typed directly)|0|0|0|0|0|1261044829|1261044829|1261044829|1261044829

0|[Chrome] User: kristinng URL visited: http://isc.sans.org/ (SANS Internet Storm Center; Cooperative Network Security Community - Internet Security) [count: 1] Host: isc.sans.org type: [TYPED - User typed the URL in the URL bar] (directly typed)|0|0|0|0|0|1261044989|1261044989|1261044989|1261044989
The script reads the user name from the directory path in which the History file was found, then reads the database structure from the History file and prints the information in a human-readable form (this output is in mactime body-file format). To convert the information to CSV using mactime:

log2timeline -f chrome -z local History > bodyfile
mactime -b bodyfile -d > body.csv

And the same lines in the CSV file are then:
Thu Dec 17 2009 10:13:49,0,macb,0,0,0,0,[Chrome] User: kristinng URL visited: http://tools.google.com/chrome/intl/en/welcome.html (Get started with Google Chrome) [count: 1] Host: tools.google.com type: [START_PAGE - The start page of the browser] (URL not typed directly)
Thu Dec 17 2009 10:16:29,0,macb,0,0,0,0,[Chrome] User: kristinng URL visited: http://isc.sans.org/ (SANS Internet Storm Center; Cooperative Network Security Community - Internet Security) [count: 1] Host: isc.sans.org type: [TYPED - User typed the URL in the URL bar] (directly typed)
The original post is on the SANS Computer Forensics blog.

Posted in Auditing, Browser Security, Hacking

Researcher Rates Mac OS X Vulnerability 'High'

Posted by brainfoldb4u on January 12, 2010

Flaw in versions 10.5 and 10.6 can be exploited by a remote attacker, says SecurityReason

The proof of concept merely triggers a memory access error, but such buffer overflow conditions can sometimes be exploited to run arbitrary code.

Although the issue has apparently been fixed in FreeBSD and OpenBSD, the researchers imply that the changes have not filtered through to Mac OS X, where it is said to be present in Leopard (10.5) and Snow Leopard (10.6).

The issue is also said to have been present in NetBSD, Google Chrome, Firefox and other Mozilla projects, Opera, MatLab, and other pieces of software.

SecurityReason’s advisory describes a flaw in the libc/gdtoa code in OpenBSD, NetBSD, FreeBSD, and MacOS X, as well as Google Chrome, Mozilla Firefox and other Mozilla software, Opera, KDE, and K-Meleon. SecurityReason’s advisory rates the vulnerability’s risk as “high” and claims that the flaw can be exploited by a remote attacker.

SecurityReason has published an advisory and a proof of concept.

Posted in Hacking, Information Security, Vulnerability

Adobe blacklisting framework

Posted by brainfoldb4u on January 11, 2010

As Adobe said, it is not practical to disable the whole of JavaScript in Adobe Reader, so it introduced a feature called blacklisting. This allows users to put any specific JavaScript API on a blacklist, after which it is not allowed to be called. Say a vulnerability is found in DocMedia.newPlayer: you can add it to the blacklist and thereby safeguard your system.
Once it is on the blacklist, any PDF document that attempts to call that API has the call denied. This denies valid calls as well as malicious calls that try to corrupt the call in order to create a crash. Individual users can do this, and administrators of managed desktop environments can also roll out the change as a registry key using Group Policy objects. The video below demonstrates how to add a JavaScript function to the blacklist.

Given that Adobe currently has no automatic updates in place, my question is how a normal user will get to know what needs to be blacklisted. This fix may help technical users, but average users will have to wait for Adobe’s next major update, which is likely to be within the next three months.

Posted in Exploit, Hacking, Information Security, Vulnerability

D-Link routers with HNAP vulnerability

Posted by brainfoldb4u on January 11, 2010

A flawed implementation of the Home Network Administration Protocol (HNAP) reportedly allows attackers to gain unauthorised admin access to numerous D-Link router models.

SourceSec Security Research claims to have found a flaw in D-Link’s CAPTCHA implementation, or rather a way around it: D-Link router settings can be viewed and edited without any administrative credentials.

Simply put, D-Link routers have a second administrative interface, which uses the Home Network Administration Protocol. While HNAP does require basic authentication, the mere existence of HNAP on D-Link routers allows attackers and malware to bypass the CAPTCHA “security”. Further, HNAP authentication is not properly implemented, allowing anyone to view and edit administrative settings on the router.

SourceSec has published a detailed vulnerability summary as a PDF.

Posted in Exploit, Hacking, Information Security, Vulnerability

4 Quick Sites That Let You Check if Links Are Safe

Posted by brainfoldb4u on January 10, 2010

Whether you’re accessing popular social networking sites or other communication apps such as your webmail portal and IM clients, links let you dive into a world of new information. With one click, you may end up enjoying a great story or, unfortunately, trying to crawl your way out of a potentially harmful website.

You may have anti-virus and malware removal tools installed, but they will not prevent you from clicking any of those potentially harmful but interesting-looking Twitter, Facebook or email links. Even if you have security toolbars and add-ons installed, the following online tools may help you find out whether a website really is safe, especially if you would like a second opinion (e.g. you suspect the site’s review has not been updated) or if you decide that you do not need more add-ons slowing your browser down. Click the link below to read the article on makeuseof.com.

4 Quick Sites That Let You Check if Links Are Safe


Posted in Browser Security, Hacking, Information Security, Security tools

Phishing: how to stay safe!

Posted by brainfoldb4u on January 6, 2010

In response to a comment I received from a reader: how do we differentiate a legitimate email or website from a fake one? Here are some tips to share.

Basically, phishing is an attempt, either by email or by sending you to a web page, to trick people into revealing personal details like usernames, passwords, bank details, credit card details or other sensitive information by pretending to be a bank or some other legitimate entity. A phishing email will typically include a link to a website that looks exactly like your bank’s legitimate site and asks you for information with some tricky questions, or an attachment to fill out. Some recent examples of phishing attacks are:

  • A legitimate-looking Facebook email asks people to give information to help the social network update its log-in system. Clicking the “update” button in the e-mail takes users to a fake Facebook log-in screen where the user name is already filled in and visitors are prompted to give their password. When the password is typed in, people end up on a page that offers an “Update Tool”, which is actually the Zeus banking Trojan.
  • A recent e-mail scam asks PayPal customers to give more information or risk having their account deleted because of changes in the service agreement. Recipients are urged to click a hyperlink that says “Get Verified!”

Let’s look at an example of how a fake PayPal page may look. It’s actually very similar to the original one.

Let’s take eBay as another example. Attackers can be more tricky and sneaky: they hide the address bar in a pop-up and reproduce a fake address bar showing the correct eBay website address.

phishing eBay 1

As we can see, our URL box has been tricked into displaying some other address, so let’s manually enable the real address bar. To do so, go to View > Toolbars > Address Bar.

phishing eBay 2

After examining carefully, we are not on signin.ebay.com (legitimate); we are on sing-in-sec.com (as per the first screenshot, a fake page).

Phishers are also increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail about swine flu asked people to give their name, address, phone number and other information as part of a survey on the illness. Users of social networks are becoming popular targets too: in many instances users of sites like MySpace, Facebook and Twitter have been directed to fake log-in pages. Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a live chat was launched via the browser; the scammer communicated with victims through the chat window, pretending to be from a bank and asking for more information.

Identifying Phishing

  • Check the sender information for legitimacy. There cannot be two addresses under the same name, so there has to be some catch in the address, for instance “alerts@Paypal.co.uk”. Legitimate PayPal messages in the U.S. come from “Service@paypal.com” and include a key icon. Most phishing e-mails come from outside the U.S., so an address ending in “.uk” or something other than “.com” could indicate a phishing attempt.
  • Legitimate companies’ emails are more targeted than the generic emails hackers send. Legitimate companies tend to use the customer’s name or user name in the email, and may also include part of the account number, whereas a fake email will be more generic, like “Dear Yahoo user”.
  • Look closely at the hyperlinks inside the body of the email. In many cases words in the links are misspelled, and they tend to use subdomains, or letters or numbers before the company name. Mouse over the link and you can see the real destination at the bottom of the web browser.
  • If you are unsure about the legitimacy of a link you are about to click, go to the company website and compare the address listed there. Check the full email header to see the real sender address and other information.
  • Deceptive website URLs: secure websites start with https. Always confirm that the website URL is correct. It is always a good idea to type the website URL directly into the browser and avoid following links from email. Checking that the beginning of the web address in your browser’s address bar shows “https://” rather than just “http://” makes sure that you are using an encrypted connection. A small padlock will also show in your browser when you are on a secure website.

WARNING: Phishers can get you to enter their own website and create a “secure link” for you to give them all the information they need. They can also spoof the browser window to show exactly what they want by putting one window on top of another, covering the real URL.

  • Sense of urgency: phishing emails generally use scare tactics. These emails try to force customers into taking action by stating that the account is about to be closed if account information is not verified. Always be suspicious of an email that tries to create a sense of urgency.
  • If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so that it executes when opened.
  • Do not be fooled by the look of the web site you are directed to. The web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page, or it could be a legitimate page with a phishing pop-up window on top.
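A small link checker that applies the URL advice above (real destination, https, brand buried in the host), added here as an example rather than taken from the original post. It contrasts the check a glance at the address bar performs (is the brand name somewhere in the address?) with a check on the parsed hostname, using two lures from this page: the update.aol.com.<random>.com.pl download URL from the Zeus post and sing-in-sec.com posing as signin.ebay.com. The expected domains, the random token a8kd3x and the 203.0.113.5 address are constructed for illustration.

```python
"""Tell a lookalike link from the real thing by comparing hostnames, not prefixes.
Added example; not from the original post. Sample links are constructed."""
from urllib.parse import urlsplit


def brand_appears_in_address(url, brand_domain):
    """What a glance at the address bar does: is the brand somewhere before the first slash?"""
    authority = url.split("/", 3)[2] if url.count("/") >= 2 else url
    return brand_domain.lower() in authority.lower()


def hostname_belongs_to(url, registrable_domain):
    """True only if the parsed host is the domain itself or a subdomain of it."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_link(url, registrable_domain):
    """Return ("ok", []) or ("suspicious", [reasons]) for a link claiming to be registrable_domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if not hostname_belongs_to(url, registrable_domain):
        reasons.append(f"host '{host}' is not under {registrable_domain}")
    if parts.username is not None or parts.password is not None:
        # "http://www.paypal.com@evil/" : the brand is a username, the real host follows the @
        reasons.append("credentials embedded in URL (brand@real-host trick)")
    if "xn--" in host:
        reasons.append("punycode hostname (possible lookalike characters)")
    return ("ok", []) if not reasons else ("suspicious", reasons)


# Constructed samples: the legitimate domain each link claims, and the link itself.
SAMPLE_LINKS = [
    ("ebay.com", "https://signin.ebay.com/"),
    ("ebay.com", "https://sing-in-sec.com/"),                          # the fake from the screenshots above
    ("aol.com", "http://update.aol.com.a8kd3x.com.pl/aimupdate_7.1.6.475.exe"),
    ("paypal.com", "http://www.paypal.com@203.0.113.5/"),
]

if __name__ == "__main__":
    for domain, link in SAMPLE_LINKS:
        status, reasons = classify_link(link, domain)
        print(f"{status:10} brand-visible={brand_appears_in_address(link, domain)!s:5} {link}")
        for reason in reasons:
            print("           -", reason)
```

The aol.com.pl and paypal.com@ links both pass the "brand is visible" test and both fail the hostname test, which is exactly the trick the bullets above describe; the hostname test is what the browser itself uses when it decides which site a certificate or a cookie belongs to, so it is the one to trust.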

Avoiding Phishing

  • Regarding emails: DO NOT trust emails urgently requesting personal financial information!
  • Be sure not to call any number or use any link in the suspected email, as this may put you in the hands of those responsible for the phishing attack. Note: using Trojan horse spyware, phishers can change your HOSTS file, which redirects specific URLs to a page of their choosing. They could copy your bank’s web page and redirect you to their fake bank page even if you typed the exact correct address into the address field. This means you MUST have control over your HOSTS file.
  • Be suspicious of impersonal emails.
  • NEVER fill out forms in email messages that ask for personal financial information.
  • Be suspicious of email links. Never trust them! There are ways to spoof them!
  • Always make sure that you are using a secure website when submitting credit card or other sensitive information via your web browser.
  • Regularly log in to your online accounts.
  • Ensure that your browser is up to date and security patches are applied.

Posted in Information Security, Phishing

Conficker computer worm

Posted by brainfoldb4u on January 3, 2010

The decade’s biggest innovation by hackers was bots, and the biggest among them was Conficker. Conficker was predicted by the mainstream press as the worm that would destroy the internet. Though it did not destroy the internet, with its state-of-the-art encryption and sophisticated peer-to-peer update mechanism Conficker tantalized security researchers and resisted attempts at eradication, inhabiting at its peak as many as 15 million unpatched Windows boxes, mostly in China and Brazil.

The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction. Experts think it is the work of an organized team of coders, and there are hints that it originated in Ukraine. And like most of the hacking out of Eastern Europe, the software has a profit motive: it has been seen sending spam and serving victims a fake anti-virus product that offers to remove malware for $49.95. Dude. It used to be about the mayhem.

Here is some information worth knowing to stay safe from the Downadup worm. I found it on the Norton website and thought it worth sharing.

The Conficker worm, sometimes called Downadup or Kido, has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January 2009. If you are unable to reach your security suite’s web site, you may be infected. In that case you will need to get to a computer that is not infected, download a specialized Conficker removal tool and run it on the infected machine before installing new antivirus software. Symantec has a detailed technical analysis of the threat.

What does the Conficker worm do?

The Conficker worm has created a secure infrastructure for cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send spam, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?

The Downadup worm tries to take advantage of a problem in Windows (a vulnerability) known as MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Who is at risk?

Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up-to-date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are also at high risk, since pirated systems usually cannot get Microsoft updates and patches.

What to do if you are infected

If you are reading this page, your computer is probably not infected with Conficker as the worm blocks access to most security web sites.

If you have a computer that is infected, you will need to use an uninfected computer to download a specialized Conficker removal tool (Symantec provides one) and carry it over to the infected machine.

Or, you can restore access to security web sites on an infected machine by taking the following steps:

  1. Click Start > Run.
  2. In the Run box, type the following: cmd
  3. Click OK.
  4. Type the following and then press Enter. cd..
  5. Repeat the previous step until you get to the root level, or C:\>. Note that if your root drive is not C, the letter will be different.
  6. At C:\> type the following: net stop dnscache
  7. Press Enter. This disables the domain-blocking feature of Conficker and you should now be able to reach security web sites, including Norton’s, and download the Conficker removal tool.

Posted in Botnet, Hacking, Information Security, Worms

The Decade’s 10 Most Dastardly Cyber crimes

Posted by brainfoldb4u on January 3, 2010

It was the decade of the mega-heist, when stolen credit card magstripe tracks became the pork bellies of a new underground marketplace, Eastern European hackers turned malware writing into an art, and a nasty new crop of purpose-driven computer worms struck dread in the heart of America.

Now that the zero days are behind us, it’s time to reflect on the most ingenious, destructive or groundbreaking cybercrimes of the first 10 years of the new millennium.

Read the complete article by Kevin Poulsen at Wired magazine.

Posted in Hacking