<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/">
	<channel>
		<title><![CDATA[Souq Al-Arab | Arab Security Institute | Job Vacancies - Information Security in English]]></title>
		<link>http://www.secarab.com/</link>
		<description><![CDATA[Souq Al-Arab | Arab Security Institute | Job Vacancies - http://www.secarab.com]]></description>
		<pubDate>Thu, 09 Apr 2026 01:32:18 +0000</pubDate>
		<generator>MyBB</generator>
		<item>
			<title><![CDATA[Traveling? 10 tips to protect your laptop from theft]]></title>
			<link>http://www.secarab.com/thread-3739.html</link>
			<pubDate>Sat, 04 Jun 2011 21:07:36 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3739.html</guid>
			<description><![CDATA[<span style="font-size: large;">Traveling? 10 tips to protect your laptop from theft<br />
<br />
<br />
These days, it seems that just about everybody uses a laptop or notebook computer to get work done away from the office or on the road. Unfortunately, the pervasiveness of laptop computing has made portable systems an easy target for theft. If your laptop computer is stolen, or if someone gains access to your files while your back is turned, your company information—not to mention your personal and financial data—can be exposed.<br />
<br />
Looking for information about security features you can use on your laptop to keep your data safe while you travel? This article covers some of the most pertinent. If you’d like more general security suggestions (whether on the road or at the office), check out 10 ways to work more securely.<br />
<br />
Use these 10 tips to learn how you can help protect your laptop from theft when you're on the road.<br />
1. Avoid using computer bags<br />
<br />
Computer bags can make it obvious that you're carrying a laptop. Instead, try toting your laptop in something more common, like a padded briefcase or suitcase.<br />
2. Use strong passwords, and do not keep them in your laptop bag<br />
<br />
Strong passwords that are difficult to break or guess can thwart unauthorized access to individual files and even to the entire operating system. Learn how to create strong passwords:<br />
<br />
    Windows 7<br />
<br />
    Windows Vista<br />
<br />
    Windows XP<br />
<br />
You can also check the strength of your password by typing it into a password checker like this free one offered by Microsoft Security.<br />
<br />
Learn how to password-protect your files:<br />
<br />
    Office 2010<br />
<br />
    Office 2007<br />
<br />
    Office 2003<br />
<br />
Of course, the strongest password in the world won’t help if you give it away to a thief. Keeping your password with your laptop is like leaving your keys in the car. Without your password or important access numbers, it will be more difficult for a thief to access your personal and corporate information.<br />
3. Encrypt your data<br />
<br />
If someone should get your laptop and gain access to your files, encryption can give you another layer of protection. With the Windows operating system, you can choose to encrypt files and folders. Then, even if someone gains access to an important file, they can't decrypt it and see your information. Learn more about how to encrypt your data:<br />
<br />
    Windows 7<br />
<br />
    Windows Vista<br />
<br />
    Windows XP<br />
<br />
4. Use a screen guard<br />
<br />
These guards help prevent someone from seeing your screen—even if he or she peeks over your shoulder. They can be very useful if you need to work on sensitive information in a public place, and they are especially helpful when you're traveling or need to work in a crowded area. The screen guard from Secure-It is just one example of a screen guard you could use.<br />
5. Carry your laptop with you<br />
<br />
Always take your laptop on the plane or train rather than checking it with your luggage. It's easy to lose luggage and it's just as easy to lose your laptop. If you're traveling by car, keep your laptop out of sight. For example, lock it in the trunk when you're not using it.<br />
6. Keep your eye on your laptop<br />
<br />
When you go through airport security, don't lose sight of your bag. Hold your bag until the person in front of you has gone through the screening process. Many bags look alike, and yours can easily be lost in the shuffle.<br />
7. Avoid setting your laptop on the floor<br />
<br />
Putting your laptop on the floor is an easy way to forget or lose track of it as you talk at a ticket counter or order your latte. If you have to set it down, try to place it between your feet or leaning against your leg, so you're always aware of it.<br />
8. Buy a laptop security device or program<br />
<br />
If you need to leave your laptop in a room or at your desk, use a laptop security cable to securely attach it to a heavy chair, table, or desk. The cable makes it more difficult for someone to take your laptop. There are also programs and devices that will report the location of a stolen laptop. These work when the laptop connects to the Internet and can report the laptop's exact physical location. Absolute Software’s LoJack and its line of Computrace products, for example, offer physical location tracing in addition to capabilities for remotely disabling a missing computer, retrieving or deleting data, and more. Search for more computer tracking and recovery solutions.<br />
9. Try not to leave your laptop in your hotel room<br />
<br />
Too many things have been lost in hotel rooms. These rooms may not be completely secure. If you must leave your laptop in your room, put the "Do not disturb" sign on the door to keep hotel staff out. Don’t leave your laptop at the front desk, either.<br />
10. Affix your name and contact info to the laptop<br />
<br />
Security experts advise that you affix your name and contact information, along with a promise of a "Reward if lost or stolen—no questions asked," on the computer. These can help improve your odds of getting the computer back in the event of theft or a simple mix-up.<br />
What to do if your laptop is stolen<br />
<br />
    Change your network password to help secure access to corporate servers.<br />
<br />
    Report the theft to local authorities (such as the police) and to your company's IT department.<br />
<br />
    If customer data was on the laptop, contact your account representative, legal representative, or appropriate person at your company so they can take the necessary actions.</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Use Encryption to Safeguard Your Data]]></title>
			<link>http://www.secarab.com/thread-3738.html</link>
			<pubDate>Sat, 04 Jun 2011 21:04:42 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3738.html</guid>
			<description><![CDATA[<span style="font-size: large;">Use Encryption to Safeguard Your Data<br />
<br />
<br />
Encrypting your hard disk to protect your data doesn’t have to be a daunting task, thanks to a large number of practical tools.<br />
<br />
By Robert Lemos, PCWorld    Nov 13, 2008 10:00 pm<br />
<br />
A discreetly tucked-away folder that contains your résumé, your tax returns, and other important files may be convenient for you, but it's also a gold mine for online crooks who steal and sell digital data on a thriving black market.<br />
<br />
Even though encrypting data unquestionably helps protect it from thieves, many users in the past felt that using encryption programs wasn't worth the trouble. But times change: In the second half of 2007, thefts of laptops, hard drives, and computers accounted for 57 percent of sensitive data losses reported by companies, according to Symantec.<br />
<br />
Luckily, as data theft has become more common, encryption has gotten easier to use. An array of options today--both free and paid--can keep your information safe even if someone walks off with your laptop or breaks into your PC.<br />
Encrypting Everything<br />
<br />
Full-disk encryption protects everything on a hard drive--even if the drive departs in someone else's pocket.<br />
<br />
BitLocker, a utility built in to Vista Enterprise and Vista Ultimate, provides such protection. You'll find it in the Windows Security Control Panel.<br />
<br />
Other Windows users--and Mac and Linux aficionados--have options as well. TrueCrypt is a free, easy-to-use open-source encryption product maintained by an active development community. If you feel more comfortable working with commercially supported, full-featured software, consider PGP Desktop ($99). For encrypting USB thumb drives, Windows users can nab the free Rohos Mini Drive download.<br />
<br />
File encryption protects only the files and folders you specify, of course. Typically you'll set up a folder or virtual drive to encrypt any files saved inside it automatically; as long as you haven't left the relevant folder or files open, the person won't be able to access the protected data. In contrast, if you set up your PC with full disk encryption enabled, you have no protection once you log in and unlock the drive.<br />
<br />
File encryption can also protect against doh! moments such as accidentally sharing more than you meant to with a misconfigured file-sharing program, for example. The drawback, compared with full-disk protection, is that if you unthinkingly save a sensitive file outside an encrypted folder, it's fair game. If you want maximum protection, you can use both full-disk and file encryption on the same drive.<br />
Setting It All Up<br />
<br />
To set up file or folder encryption with a program like TrueCrypt or PGP Desktop, first open the program and elect to create a virtual disk (which gets its own drive letter in Explorer) or an encrypted folder. You'll have to choose a good password and a type of encryption (the default is usually fine).<br />
<br />
After creating the virtual drive or folder, you can access it whenever you want: Simply double-click it, supply the password, and save data to it as if it were any other drive folder.<br />
<br />
Mac OS X users can use the built-in FileVault to encrypt the home directory through the Security component of System Preferences. In addition, FileVault can also create encrypted virtual disks (which can be moved to a USB key or other storage device) via the Mac's Disk Utility.<br />
<br />
BitLocker doesn't allow file encryption; but a file encrypted with third-party software in one operating system can be decrypted in others--convenient if your workplace runs multiple OSs.<br />
<br />
E-mail encryption isn't widely used outside specific industries. It involves an extra key-exchange step with recipients. Both PGP and the open-source Gnu Privacy Guard project can handle e-mail encryption.<br />
No Slowdown, But Drawbacks<br />
<br />
A fast computer today can handle encryption and decryption processing without suffering a noticeable slowdown. But protecting data with encryption does require you to remember yet another crucial password, and losing the key is like losing the combination to an unbreakable safe: You may never recover the encrypted data.<br />
<br />
Another vulnerability arises if you copy or save unencrypted files to a USB drive or other backup media, and you don't encrypt your backup drive.<br />
"A lot of us have drives beyond the computer," says John Dasher, a marketing director for encryption firm PGP. "It doesn't make much sense to encrypt your main drive, if all your important files are sitting on a USB thumb drive sitting in your desk drawer."<br />
<br />
Finally, even the best encryption system doesn't protect against all data-theft threats. If an online intruder infects your PC with a keylogger, the malware can steal online banking data and passwords as you type, or even capture and transmit screen shots, regardless of how that data is saved or sent (though it wouldn't be able to get to your encrypted files without that password). Use a good antivirus program and keep all of your software--not just your OS--up-to-date to protect against malware threats.<br />
<br />
Robert Lemos is a freelance technology and science journalist and acts as managing editor for SecurityFocus.com, a security news and information site.<br />
</span>]]></description>
		</item>
		<item>
			<title><![CDATA[How to protect the sensitive files on your computer]]></title>
			<link>http://www.secarab.com/thread-3735.html</link>
			<pubDate>Sat, 04 Jun 2011 20:25:42 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3735.html</guid>
			<description><![CDATA[<span style="font-size: large;">How to protect the sensitive files on your computer<br />
<br />
<br />
Unauthorised access to the information on your computer or portable storage devices can be carried out remotely, if the 'intruder' is able to read or modify your data over the Internet; or physically, if he manages to get hold of your hardware. You can protect yourself against either type of threat by improving the physical and network security of your data, as discussed in Chapter 1: How to protect your computer from malware and hackers and Chapter 2: How to protect your information from physical threats. It is always best to have several layers of defence, however, which is why you should also protect the files themselves. That way, your sensitive information is likely to remain safe even if your other security efforts prove inadequate.<br />
<br />
There are two general approaches to the challenge of securing your data in this way. You can encrypt your files, making them unreadable to anyone but you, or you can hide them in the hope that an intruder will be unable to find your sensitive information. There are tools to help you with either approach, including a FOSS application called TrueCrypt, which can both encrypt and hide your files.<br />
Background scenario<br />
<br />
Claudia and Pablo work with a human rights NGO in a South American country. They have spent several months collecting testimonies from witnesses to the human rights violations that have been committed by the military in their region. If the details of who provided these testimonies were to become known, it would endanger both the courageous people who testified and members of the organisation in that region. This information is currently stored in a spreadsheet on the NGO's Windows XP computer, which is connected to the Internet. Being security conscious, Claudia has made sure to store a backup of the data on a CD, which she keeps outside the office.<br />
What you can learn from this chapter<br />
<br />
    How to encrypt information on your computer<br />
    What risks you might face by keeping your data encrypted<br />
    How to protect data on USB memory sticks, in case they are lost or stolen<br />
    What steps you can take to hide information from physical or remote intruders<br />
<br />
Encrypting your information<br />
<br />
Pablo: But my computer is already protected by the Windows login password! Isn't that good enough?<br />
<br />
Claudia: Actually, Windows login passwords are usually quite easy to break. Plus, anybody who gets his hands on your computer for long enough to restart it with a LiveCD in the drive can copy your data without even having to worry about the password. If they manage to take it away for a while, then you're in even worse trouble. It's not just Windows passwords you need to worry about, either. You shouldn't trust Microsoft Word or Adobe Acrobat passwords either.<br />
<br />
Encrypting your information is a bit like keeping it in a locked safe. Only those who have a key or know the lock's combination (an encryption key or password, in this case) can access it. The analogy is particularly appropriate for TrueCrypt and tools like it, which create secure containers called 'encrypted volumes' rather than simply protecting one file at a time. You can put a large number of files into an encrypted volume, but these tools will not protect anything that is stored elsewhere on your computer or USB memory stick.<br />
<br />
Hands-on: Get started with the TrueCrypt Guide<br />
<br />
While other software can provide encryption that is equally strong, TrueCrypt was designed specifically to make this kind of secure file storage as simple as possible. Furthermore, its support for carrying encrypted volumes on portable storage devices, the fact that it is a FOSS tool, and the 'deniability' features described in the Hiding your sensitive information section below, give TrueCrypt a distinct advantage over many built-in proprietary encryption tools, such as Windows XP's 'bitlocker'.<br />
<br />
Pablo: Alright, now you have me worried. What about other users on the same computer? Does this mean they can read files in the 'My Documents' folder?<br />
<br />
Claudia: I like the way you're thinking! If your Windows password doesn't protect you from intruders, how can it protect you from other people with accounts on the same computer? In fact, your My Documents folder is normally visible to anybody, so other users wouldn't even have to do anything clever to read your unencrypted files. You're right, though, even if the folder is made 'private,' you're still not safe unless you use some kind of encryption.<br />
Tips on using file encryption safely<br />
<br />
Storing confidential data can be a risk for you and for the people you work with. Encryption reduces this risk but does not eliminate it. The first step to protecting sensitive information is to reduce how much of it you keep around. Unless you have a good reason to store a particular file, or a particular category of information within a file, you should simply delete it (see Chapter 6: How to destroy sensitive information for more information about how to do this securely). The second step is to use a good file encryption tool, such as TrueCrypt.<br />
<br />
Claudia: Well, maybe we don't actually need to store information that could identify the people who gave us these testimonies. What do you think?<br />
<br />
Pablo: Agreed. We should probably write down as little of that as possible. Plus, we should think up a simple code we can use to protect names and locations that we absolutely have to record.<br />
<br />
Returning to the analogy of a locked safe, there are a few things you should bear in mind when using TrueCrypt and tools like it. No matter how sturdy your safe is, it won't do you a whole lot of good if you leave the door open. When your TrueCrypt volume is 'mounted' (whenever you can access the contents yourself), your data may be vulnerable, so you should keep it closed except when you are actually reading or modifying the files inside it.<br />
<br />
There are a few situations when it is especially important that you remember not to leave your encrypted volumes mounted:<br />
<br />
    Disconnect them when you walk away from your computer for any length of time. Even if you typically leave your computer running overnight, you need to ensure that you do not leave your sensitive files accessible to physical or remote intruders while you are gone.<br />
    Disconnect them before putting your computer to sleep. This applies to both 'suspend' and 'hibernation' features, which are typically used with laptops but may be present on desktop computers as well.<br />
    Disconnect them before allowing someone else to handle your computer. When taking a laptop through a security checkpoint or border crossing, it is important that you disconnect all encrypted volumes and shut your computer down completely.<br />
    Disconnect them before inserting an untrusted USB memory stick or other external storage device, including those belonging to friends and colleagues.<br />
    If you keep an encrypted volume on a USB memory stick, remember that just removing the device may not immediately disconnect the volume. Even if you need to secure your files in a hurry, you have to dismount the volume properly, then disconnect the external drive or memory stick, then remove the device. You might want to practice until you find the quickest way to do all of these things.<br />
<br />
If you decide to keep your TrueCrypt volume on a USB memory stick, you can also keep a copy of the TrueCrypt program with it. This will allow you to access your data on other people's computers. The usual rules still apply, however: if you don't trust the machine to be free of malware, you probably shouldn't be typing in your passwords or accessing your sensitive data.<br />
Hiding your sensitive information<br />
<br />
One issue with keeping a safe in your home or office, to say nothing of carrying one in your pocket, is that it tends to be quite obvious. Many people have reasonable concerns about incriminating themselves by using encryption. Just because the legitimate reasons to encrypt data outnumber the illegitimate ones does not make this threat any less real. Essentially, there are two reasons why you might shy away from using a tool like TrueCrypt: the risk of self-incrimination and the risk of clearly identifying the location of your most sensitive information.<br />
Considering the risk of self-incrimination<br />
<br />
Encryption is illegal in some countries, which means that downloading, installing or using software of this sort might be a crime in its own right. And, if the police, military or intelligence services are among those groups from whom you are seeking to protect your information, then violating these laws can provide a pretext under which your activities might be investigated or your organisation might be persecuted. In fact, however, threats like this may have nothing to do with the legality of the tools in question. Any time that merely being associated with encryption software would be enough to expose you to accusations of criminal activity or espionage (regardless of what is actually inside your encrypted volumes), then you will have to think carefully about whether or not such tools are appropriate for your situation.<br />
<br />
If that is the case, you have a few options:<br />
<br />
    You can avoid using data security software entirely, which would require that you store only non-confidential information or invent a system of code words to protect key elements of your sensitive files.<br />
    You can rely on a technique called steganography to hide your sensitive information, rather than encrypting it. There are tools that can help with this, but using them properly requires very careful preparation, and you still risk incriminating yourself in the eyes of anyone who learns what tool you have used.<br />
    You can try to store all of your sensitive information in a secure webmail account, but this demands a reliable network connection and a relatively sophisticated understanding of computers and Internet services. This technique also assumes that network encryption is less incriminating than file encryption and that you can avoid accidentally copying sensitive data onto your hard drive and leaving it there.<br />
    You can keep sensitive information off your computer by storing it on a USB memory stick or portable hard drive. However, such devices are typically even more vulnerable than computers to loss and confiscation, so carrying around sensitive, unencrypted information on them is usually a very bad idea.<br />
<br />
If necessary, you can employ a range of such tactics. However, even in circumstances where you are concerned about self-incrimination, it may be safest to use TrueCrypt anyway, while attempting to disguise your encrypted volume as best you can.<br />
<br />
If you want to make your encrypted volume less conspicuous, you can rename it to look like a different type of file. Using the '.iso' file extension, to disguise it as a CD image, is one option that works well for large volumes of around 700 MB. Other extensions would be more realistic for smaller volumes. This is a bit like hiding your safe behind a painting on the wall of your office. It might not hold up under close inspection, but it will offer some protection. You can also rename the TrueCrypt program itself, assuming you have stored it as you would a regular file on your hard drive or USB memory stick, rather than installing it as a program. The TrueCrypt Guide explains how to do this.<br />
Considering the risk of identifying your sensitive information<br />
<br />
Often, you may be less concerned about the consequences of 'getting caught' with encryption software on your computer or USB memory stick and more concerned that your encrypted volume will indicate precisely where you store the information that you most wish to protect. While it may be true that no one else can read it, an intruder will know that it is there, and that you have taken steps to protect it. This exposes you to various non-technical methods through which that intruder might attempt to gain access, such as intimidation, blackmail, interrogation and torture. It is in this context that TrueCrypt's deniability feature, which is discussed in more detail below, comes into play.<br />
<br />
TrueCrypt's deniability feature is one of the ways in which it goes beyond what is typically offered by file encryption tools. This feature can be thought of as a peculiar form of steganography that disguises your most sensitive information as other, less sensitive, hidden data. It is analogous to installing a subtle 'false bottom' inside that not-so-subtle office safe. If an intruder steals your key, or intimidates you into giving her the safe's combination, she will find some convincing 'decoy' material, but not the information that you truly care about protecting.<br />
<br />
Only you know that your safe contains a hidden compartment in the back. This allows you to 'deny' that you are keeping any secrets beyond what you have already given to the intruder, and might help protect you in situations where you must reveal a password for some reason. Such reasons might include legal or physical threats to your own safety, or that of your colleagues, associates, friends and family members. The purpose of deniability is to give you a chance of escaping from a potentially dangerous situation even if you choose to continue protecting your data. As discussed in the Considering the risk of self-incrimination section, however, this feature is much less useful if merely being caught with a safe in your office is enough to bring about unacceptable consequences.<br />
<br />
TrueCrypt's deniability feature works by storing a 'hidden volume' inside your regular encrypted volume. You open this hidden volume by providing an alternate password that is different from the one you would normally use. Even if a technically sophisticated intruder gains access to the standard volume, he will be unable to prove that a hidden one exists. Of course, he may very well know that TrueCrypt is capable of hiding information in this way, so there is no guarantee that the threat will disappear as soon as you reveal your decoy password. Plenty of people use TrueCrypt without enabling its deniability feature, however, and it is generally considered impossible to determine, through analysis, whether or not a given encrypted volume contains this kind of 'false bottom'. That said, it is your job to make sure that you do not reveal your hidden volume through less technical means, such as leaving it open or allowing other applications to create shortcuts to the files that it contains. The Further reading section, below, can point you to more information about this.<br />
<br />
Claudia: Alright, so let's toss some junk into the standard volume, and then we can move all our testimonies into the hidden one. Do you have some old PDFs or something we can use?<br />
<br />
Pablo: Well, I was thinking about that. I mean, the idea is for us to give up the decoy password if we have no other choice, right? But, for that to be convincing, we need to make sure those files look kind of important, don't you think? Otherwise, why would we bother to encrypt them? Maybe we should use some unrelated financial documents or a list of website passwords or something.</span>]]></description>
		</item>
		<item>
			<title><![CDATA[ASSET PROTECTION]]></title>
			<link>http://www.secarab.com/thread-3728.html</link>
			<pubDate>Fri, 03 Jun 2011 21:19:32 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3728.html</guid>
			<description><![CDATA[<span style="font-size: large;">ASSET PROTECTION<br />
<br />
Intel® Anti-Theft Technology (Intel® AT) for Laptop Security<br />
What is it?<br />
Intel® Anti-Theft Technology<br />
<br />
Intel® Anti-Theft Technology is an intelligent way for you to help secure the mobile assets of your workforce. This intelligent laptop security technology is built into select 2nd generation Intel® Core™ and 2nd generation Intel® Core™ vPro™ processor families. If a laptop is lost or stolen when the user is out of the office, the PC will be shut down and useless to thieves. It not only helps protect the intellectual property of your company at the pre-boot level, but also allows for fast reinstatement of a laptop without damage to information, should the laptop be recovered. Intel AT is available on select 2nd generation Intel Core and 2nd generation Intel Core vPro processor family–based laptops when activated with a service subscription from an Intel AT-enabled service.<br />
Why it matters.<br />
<br />
Laptop theft costs corporate America over USD 5.4 billion each year.[1] In everyday life, this amounts to 12,000 laptops disappearing every week from U.S. airports alone, and a laptop being stolen every 53 seconds.[1] The problem of data security becomes increasingly significant as employees are more mobile. Add to this the daunting challenges of healthcare privacy laws, and asset security can have a significant impact on your business.<br />
How it works.<br />
<br />
Protection for laptop users.<br />
<br />
Intel Anti-Theft Technology (Intel AT) is built into the processor of your laptop, so it is active as soon as your machine is switched on—even before startup. If your laptop is lost or stolen, a local or remote “poison pill” can be activated that renders the PC inoperable by blocking the boot process. This means that predators cannot hack into your system at startup. It works even without Internet access and, unlike many other solutions, is hardware-based, so it is tamper-resistant.<br />
Laptop Security for your company.<br />
<br />
Intel® AT is designed to give IT administrators maximum flexibility and secure control of network assets. Since it is built in at the processor level, the IT administrator has a range of options to help secure mobile assets, such as:<br />
<br />
    Disable access to encrypted data by deleting essential elements of the cryptographic materials that are required to access the encrypted data on the hard drive.<br />
    Disable the PC using a “poison pill” to block the boot process, even if the boot order is changed or the hard drive is replaced or reformatted. Regardless of the PC’s state, as soon as it starts to wake up it will check for any poison pill that has been sent, including one sent via text message.<br />
    Customizable “Theft Mode” message allows the IT administrator to send a message to whoever starts up the laptop to notify them that it has been reported stolen.<br />
    Excessive login attempts trigger PC disable after an administrator-defined number of failed attempts. At this point, the Intel AT trigger is tripped and the system locks itself down.<br />
    Failure to check in with the central server can trigger PC disable when a check-in time is missed. The IT administrator can set system check-in intervals. Upon a missed check-in time, the system is locked down until the user or IT administrator reactivates the system.<br />
<br />
Businesses now have built-in client-side intelligence to secure sensitive data, regardless of the state of the operating system, hard drive, boot order, or network connectivity. This hardware-based technology provides compelling tamper resistance and increased protection to extend your security capabilities anywhere, anytime—on or off the network.<br />
<br />
For more detailed information on the advantages of Intel AT, and the full range of security features it offers to both the user and administrator, </span>]]></description>
		</item>
		<item>
			<title><![CDATA[Rootkit:W32/Zxshell.B]]></title>
			<link>http://www.secarab.com/thread-3425.html</link>
			<pubDate>Thu, 19 May 2011 22:21:28 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3425.html</guid>
			<description><![CDATA[<span style="font-size: large;">Rootkit:W32/Zxshell.B<br />
<br />
<br />
	<br />
Name : 	Rootkit:W32/Zxshell.B<br />
Category:	Malware<br />
Type:	Rootkit<br />
Platform:	INF<br />
Summary<br />
Rootkit:W32/Zxshell.B is dropped by Backdoor:W32/Zxshell.A and basically functions as a protection mechanism for its main payload file.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
Rootkit:W32/Zxshell.B tries to protect the main payload DLL file by:<br />
<br />
    Hiding files whose names contain an underscore ("_") by installing hooks in the file system driver<br />
    Attempting to hide TCP port 443<br />
    Detecting whether any of the following security products is present:<br />
<br />
    NOD32<br />
    AVP<br />
    360Safe<br />
    AVG<br />
    Avast<br />
    AhnSD<br />
    McShield<br />
    IceSword<br />
<br />
The driver can easily crash the system when it fails in its attempt to hook kernel drivers such as ntfs.sys and tcpip.sys.<br />
</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Packed:W32/PeCan.A]]></title>
			<link>http://www.secarab.com/thread-3424.html</link>
			<pubDate>Thu, 19 May 2011 22:19:48 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3424.html</guid>
			<description><![CDATA[<span style="font-size: large;">Packed:W32/PeCan.A<br />
<br />
<br />
Name : 	Packed:W32/PeCan.A<br />
Category:	Malware<br />
Type:	Packed<br />
Platform:	W32<br />
Summary<br />
This program is packed using a packer program associated with numerous other malware.<br />
Additional Details<br />
This program has been packed by the PeCancer packer program (hence the name of the detection).<br />
<br />
Samples identified by the same detection perform one or more of the following activities:<br />
<br />
    Drop suspicious files or a copy of itself onto the system.<br />
    Set launch points to itself, or to the files it drops.<br />
    Some samples attempt to connect to and download from suspicious/malicious websites, for example:<br />
<br />
    - hxxp://downxml.[..].cn/iepop/list/[..]<br />
    - hxxp://downxml.[..].cn/iepop/update/[..]<br />
    - hxxp://soft.jajaca.com/[..]<br />
    - hxxp://news.huigezi.net/[..]</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Rogue:W32/SystemTool]]></title>
			<link>http://www.secarab.com/thread-3423.html</link>
			<pubDate>Thu, 19 May 2011 21:24:58 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3423.html</guid>
			<description><![CDATA[<span style="font-size: large;">Rogue:W32/SystemTool<br />
<br />
<br />
	<br />
Name : 	Rogue:W32/SystemTool<br />
Detection Names : 	Gen.Variant.Kazy<br />
Category:	Malware<br />
Type:	Rogue<br />
Platform:	W32<br />
Summary<br />
This detection identifies a malicious rogueware program, typically used to deceive users into purchasing a fake application.<br />
Disinfection<br />
Manual Disinfection<br />
<br />
- Boot into safe mode.<br />
- Locate and delete the files below:<br />
<br />
    %appdata%\[random]\[random].exe<br />
    %appdata%\[random]\[random]<br />
<br />
- Reboot and run "Full System Scan" with F-Secure Antivirus to make sure the system is clean.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
This malware may also be detected by generic detections using the following naming format:<br />
<br />
    gen.variant.kazy.[####]<br />
<br />
Where [####] can be any number.<br />
<br />
<br />
Activity<br />
<br />
On execution, the malware hijacks the desktop and displays the wallpaper below:<br />
<br />
<img src="http://www.f-secure.com/virus-info/v-pics/rogue_w32_systemtool_wallpaper.jpg" border="0" alt="[Attached image: rogue_w32_systemtool_wallpaper.jpg]" /><br />
<br />
<br />
<br />
<br />
It then displays a fake scanner program (System Tool) that displays bogus virus/trojan/spyware detections.<br />
<br />
<img src="http://www.f-secure.com/virus-info/v-pics/rogue_w32_systemtool_scan.jpg" border="0" alt="[Attached image: rogue_w32_systemtool_scan.jpg]" /><br />
These actions are done to frighten the user into buying the fake application.<br />
<br />
The malware also blocks execution of any other application. This disables tools such as the command prompt, regedit and Task Manager (including when it is opened with Ctrl+Alt+Del).<br />
<br />
<br />
<br />
Installation<br />
<br />
During installation, the malware adds the following files:<br />
<br />
    %appdata%\[random]\[random].exe - (malware executable)<br />
    %appdata%\[random]\[random] - (Data file)<br />
<br />
<br />
<br />
Registry Changes<br />
<br />
Launch point registry entry:<br />
<br />
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce<br />
    [random] = %appdata%\[random]\[random].exe<br />
</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Backdoor:W32/Spyrat.D]]></title>
			<link>http://www.secarab.com/thread-3422.html</link>
			<pubDate>Thu, 19 May 2011 21:21:13 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3422.html</guid>
			<description><![CDATA[<span style="font-size: large;">Backdoor:W32/Spyrat.D<br />
<br />
<br />
	<br />
Name : 	Backdoor:W32/Spyrat.D<br />
Detection Names : 	Backdoor:W32/Spyrat.D<br />
Category:	Malware<br />
Type:	Backdoor<br />
Platform:	W32<br />
Summary<br />
A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.<br />
Additional Details<br />
<br />
Installation<br />
<br />
The malware creates a dummy winlogon.exe process in which it runs its malicious threads, and drops the following copy of itself:<br />
<br />
    %appdata%\Winlogon\winlogon.exe<br />
<br />
<br />
<br />
It also places a copy of the legitimate winlogon.exe at %windir%\system32\install\Windows.exe.<br />
<br />
<br />
Registry<br />
<br />
The malware creates the following registry launch point:<br />
<br />
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run<br />
    %path_of_executed_file% = %appdata%\Winlogon\winlogon.exe<br />
<br />
<br />
<br />
The following registry entries are also created:<br />
<br />
    HKEY_CURRENT_USER\Software\chuck norris<br />
    FirstExecution = %date_time%<br />
    NewIdentification = "chuck norris"<br />
    NewGroup = 2<br />
<br />
<br />
<br />
<br />
Backdoor Functionality<br />
<br />
The malware is a reverse-connection remote administration tool. It connects to chucknorris.zapto.org on port 150 to receive its commands.</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Adware:W32/ClickPotato.A]]></title>
			<link>http://www.secarab.com/thread-3421.html</link>
			<pubDate>Thu, 19 May 2011 20:46:53 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3421.html</guid>
			<description><![CDATA[<span style="font-size: large;">Adware:W32/ClickPotato.A<br />
<br />
<br />
	<br />
Name : 	Adware:W32/ClickPotato.A<br />
Aliases : 	Application.Generic.344399<br />
Application.Generic.346725<br />
Application.Generic.346219<br />
WebToolbar.Win32.Zango<br />
Category:	Spyware<br />
Type:	Adware<br />
Platform:	W32<br />
Summary<br />
This program delivers advertising content to the user. It is usually annoying but harmless, unless it is combined with spyware or trackware.<br />
Additional Details<br />
ClickPotato is an adware program that will display pop-up advertisements based on the user's browsing activities or habits. It is distributed by Pinball Corporation via its free online streaming video.<br />
<br />
The adware components are bundled with open source software, e.g., VLC media player and Xvid codec.<br />
<br />
Upon execution, the adware attempts to connect to the following websites:<br />
<br />
    hxxp://tei.clickpotato.tv<br />
    hxxp://cfgi.clickpotato.tv<br />
    hxxp://softparade.freelandmedia.com<br />
</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Worm:ACAD/Kenilfe.A]]></title>
			<link>http://www.secarab.com/thread-3420.html</link>
			<pubDate>Thu, 19 May 2011 20:45:00 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3420.html</guid>
			<description><![CDATA[<span style="font-size: large;">Worm:ACAD/Kenilfe.A<br />
<br />
<br />
	<br />
Name : 	Worm:ACAD/Kenilfe.A<br />
Detection Names : 	Worm:ACAD/Kenilfe.A<br />
Kenife<br />
Kenilfe.A<br />
Aliases : 	Worm.Acad.Kenilfe.A<br />
AutoCAD.Kenilfe<br />
AL/Kenilfe<br />
Category:	Malware<br />
Type:	Worm<br />
Platform:	ACAD<br />
Summary<br />
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
The worm is a malicious AutoCAD program that propagates via removable drives. It also attempts to download Visual Basic Scripts from remote servers, if certain conditions are met.<br />
<br />
Installation<br />
<br />
During installation, the malware creates the following registry entries:<br />
<br />
    HKEY_CURRENT_USER\Software\KenFiles\settings<br />
    TMN = %Random Name% or "Temp"<br />
    TMNL = %Random Name% or "TMNL"<br />
    SHXN = %Random Name% or "isoshfr"<br />
    CXBB = 102<br />
    GXBZ = 103<br />
    pth0 = %IP Address of updatebd.8800.org% (or "221223921023103" if the host cannot be pinged)<br />
    pth3 = %Current Date%<br />
    pth4 = %Current Date%<br />
    pth5 = %Current Date%<br />
    basepth = %User Support Folder%<br />
    fontpth = %AutoCAD Fonts Folder%<br />
<br />
It then creates copies of itself in the following locations:<br />
<br />
    %Folder of Current Drawing%\acad.fas<br />
    %User Support Folder%\acad.fas<br />
    %AutoCAD Fonts Folder%\%SHXN%.shx<br />
<br />
Where %SHXN% is the same as the SHXN value found in the registry entry (above).<br />
<br />
It also creates the following files:<br />
<br />
    %Windows Folder%\DivX.fin - possibly an infection marker<br />
    %Windows Folder%\system32\%TMN%.cmd - contains commands that will create copies of the malware (same as those mentioned earlier)<br />
<br />
Where %TMN% is also the same as the TMN value found in the registry entry.<br />
<br />
It enables the Windows Script Host by creating the following registry value:<br />
<br />
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings<br />
    Enabled = 1<br />
<br />
<br />
Then deletes the registry key:<br />
<br />
    "HKEY_CURRENT_USER\Software\FileKen\settings"<br />
<br />
It also deletes the following files:<br />
<br />
    isohztxt.shx<br />
    acad.fas1<br />
    logo.gif<br />
    isomianyi.shx<br />
<br />
<br />
<br />
Payload<br />
<br />
Once installed, Kenilfe downloads and executes Visual Basic Scripts based on the following conditions:<br />
<br />
    <a href="http://www.cadgs.com/" target="_blank">http://www.cadgs.com/</a>[...]/gxcx.[...] - if the 3rd octet of the IP address of updatebd.8800.org &gt; 102<br />
    <a href="http://www.cadgs.com/" target="_blank">http://www.cadgs.com/</a>[...]/gxmz.[...] - if the 4th octet of the IP address of updatebd.8800.org &gt; 103<br />
<br />
Example: if the IP address of updatebd.8800.org is 221.239.103.104, both Visual Basic Scripts will be downloaded and executed.<br />
<br />
These thresholds are the CXBB and GXBZ registry values listed above, respectively.<br />
<br />
<br />
Propagation<br />
<br />
The malware enumerates all folders in all removable drives. If it finds the file acad.fas, it replaces the file with a copy of<br />
<br />
    %AutoCAD Fonts Folder%\isomianyi.shx.<br />
<br />
Alternatively, if the folder contains a drawing (.dwg) file, it will create the file acad.fas (which is really a copy of isomianyi.shx).<br />
<br />
It then creates a file named pagefile in the same drive location, to mark the drive as already infected.<br />
<br />
During the enumeration process, the malware also renames the following files to append a "_bak" in their filenames:<br />
<br />
    acad.lsp<br />
    acad.sys<br />
    acad.vlx<br />
    acadapp.lsp<br />
    acadappp.lsp<br />
    acadapq.lsp<br />
    acadiso.lsp<br />
    acadsmu.fas<br />
    dwgrun.bat<br />
    isohztxt.shx<br />
    lcm.fas<br />
    winfas.ini<br />
<br />
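As an added example (not F-Secure's or the forum's code), the following Python models the two parts of the behaviour above that a responder would want to reproduce: the octet comparison that decides which script is fetched, and a scan of a removable drive for the traces left by propagation (the pagefile marker, acad.fas next to .dwg files, the "_bak" renames, and byte-identical acad.fas copies). The drive layout it builds is constructed sample data; the assumptions that the marker sits at the drive root and that "_bak" is appended as a plain suffix (acad.lsp becoming acad.lsp_bak) are noted in the code.<br />

```python
"""Two pieces of Worm:ACAD/Kenilfe.A behaviour, as an added example (not
F-Secure's or the forum's code): the DNS-answer gating of its payload
downloads, and a scanner for the traces it leaves on a removable drive.
The drive layout built by build_sample_drive() is constructed sample data."""
import hashlib
import os
import tempfile

# Files the worm renames with "_bak" during propagation (list from the description).
RENAMED_BY_WORM = {
    "acad.lsp", "acad.sys", "acad.vlx", "acadapp.lsp", "acadappp.lsp",
    "acadapq.lsp", "acadiso.lsp", "acadsmu.fas", "dwgrun.bat",
    "isohztxt.shx", "lcm.fas", "winfas.ini",
}


def payload_selection(resolved_ip: str, cxbb: int = 102, gxbz: int = 103):
    """Which scripts the worm fetches for a given resolved IP of updatebd.8800.org.
    Thresholds are the CXBB / GXBZ registry values from the description:
    3rd octet > CXBB selects gxcx.*, 4th octet > GXBZ selects gxmz.*."""
    octets = [int(o) for o in resolved_ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % resolved_ip)
    selected = []
    if octets[2] > cxbb:
        selected.append("gxcx")
    if octets[3] > gxbz:
        selected.append("gxmz")
    return selected


def _sha256(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_drive(root: str):
    """Return (indicator, relative path) pairs for Kenilfe traces under root."""
    findings = []
    # Assumption: the pagefile marker is written at the drive root.
    if os.path.isfile(os.path.join(root, "pagefile")):
        findings.append(("infection-marker", "pagefile"))
    fas_by_hash = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic walk order
        rel = os.path.relpath(dirpath, root)
        by_lower = {f.lower(): f for f in filenames}
        has_drawing = any(n.endswith(".dwg") for n in by_lower)
        if "acad.fas" in by_lower:
            fas = os.path.join(rel, by_lower["acad.fas"])
            digest = _sha256(os.path.join(dirpath, by_lower["acad.fas"]))
            fas_by_hash.setdefault(digest, []).append(fas)
            if has_drawing:
                findings.append(("acad.fas beside drawing", fas))
        for n in by_lower:
            # Assumption: "_bak" appended as a plain suffix, e.g. acad.lsp -> acad.lsp_bak
            if "_bak" in n and n.replace("_bak", "", 1) in RENAMED_BY_WORM:
                findings.append(("renamed startup file", os.path.join(rel, by_lower[n])))
    # A self-copying worm leaves byte-identical acad.fas files in several folders.
    for paths in fas_by_hash.values():
        if len(paths) > 1:
            findings.append(("identical acad.fas in multiple folders", ", ".join(sorted(paths))))
    return findings


def build_sample_drive(root: str):
    """Constructed layout of an infected removable drive (sample data, not real malware)."""
    fas_body = b"(constructed stand-in for the worm's acad.fas body)"
    files = {
        "pagefile": b"",
        os.path.join("projA", "plan.dwg"): b"AC1024 constructed drawing stub",
        os.path.join("projA", "acad.fas"): fas_body,
        os.path.join("projB", "site.dwg"): b"AC1024 constructed drawing stub",
        os.path.join("projB", "acad.fas"): fas_body,
        os.path.join("projB", "acad.lsp_bak"): b"(defun s::startup () (princ))",
        os.path.join("docs", "notes.txt"): b"clean folder without drawings",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


def demo():
    """Build the sample drive in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return scan_drive(tmp)


if __name__ == "__main__":
    print("221.239.103.104 ->", payload_selection("221.239.103.104"))
    for kind, where in demo():
        print(kind, ":", where)
```

With the page's thresholds of 102 and 103, the DNS answer for updatebd.8800.org acts as a remote on/off switch for the two downloads without any change to the worm itself, which is why blocking or sinkholing that name at the resolver is an effective control here. The scanner only reads files; acad.fas hashes are collected so that a byte-identical copy in two drawing folders stands out even though the file name itself is a legitimate AutoCAD name.<br />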
</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Trojan:W32/AntiAV]]></title>
			<link>http://www.secarab.com/thread-3419.html</link>
			<pubDate>Thu, 19 May 2011 20:42:45 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3419.html</guid>
			<description><![CDATA[<span style="font-size: large;">Trojan:W32/AntiAV<br />
<br />
<br />
	<br />
Detection Names : 	Gen:Trojan.Heur.RP.Mq0@ayDoNAeb<br />
Trojan.Win32.AntiAV.iup<br />
Category:	Malware<br />
Type:	Trojan<br />
Platform:	W32<br />
Summary<br />
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
This malware is distributed in a RAR archive file attached to an e-mail message.<br />
<br />
The archive file contains an executable file which may be detected as either Gen:Trojan.Heur.RP.Mq0@ayDoNAeb or Trojan.Win32.AntiAV.iup.<br />
<br />
<br />
Installation<br />
<br />
The executable file uses the icon of a Microsoft Word document to appear legitimate. On execution, the malware will drop a clean Word document and open it for viewing, to further deceive the user.<br />
<br />
Meanwhile, the malware creates a registry launch point so that its file is run automatically at every Windows startup:<br />
<br />
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run<br />
    common = (path of the malware)<br />
<br />
<br />
Network connections<br />
<br />
Once its file is active, the malware will attempt to connect to:<br />
<br />
    tokyonews.edns.biz<br />
    tokyoIP.freewww.info<br />
<br />
The malware may also send information to an external party by a POST to an info.php page on a remote server.<br />
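The three launch points described on this page (Rogue:W32/SystemTool's HKCU RunOnce value, Backdoor:W32/Spyrat.D's HKCU Run value, and the HKLM Run value named "common" above) can be checked in one pass over a registry export. The Python below is an added example, not code from F-Secure or from this forum; the .reg text it parses is constructed sample data, and the file paths, the user name and the random-looking string kHs9QwE2 in it are made up for illustration.<br />

```python
r"""Triage of Run/RunOnce launch points from a .reg export.

Added example (not F-Secure's or the forum's code). The heuristics encode the
three persistence patterns described on this page: Rogue:W32/SystemTool
(HKCU RunOnce, %appdata%\[random]\[random].exe), Backdoor:W32/Spyrat.D
(HKCU Run, value name is a file path, target %appdata%\Winlogon\winlogon.exe)
and Trojan:W32/AntiAV (HKLM Run value named "common"). SAMPLE_REG is
constructed sample data, not a real export."""
import re

# Constructed sample: what "reg export" of the Run/RunOnce keys might look like
# on a machine carrying all three persistence entries plus two benign ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"C:\\Users\\alice\\Downloads\\invoice.exe"="C:\\Users\\alice\\AppData\\Roaming\\Winlogon\\winlogon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"kHs9QwE2"="C:\\Users\\alice\\AppData\\Roaming\\kHs9QwE2\\kHs9QwE2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"common"="C:\\ProgramData\\common.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

KEY_LINE = re.compile(r'^\[(.+)\]$')
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
QUOTED = re.compile(r'^"((?:[^"\\]|\\.)*)"$')
EXE_PATH = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)


def unescape(s: str) -> str:
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str):
    """Return (key, value_name, data) for every REG_SZ value in the export.
    Non-string values (dword:, hex:) are skipped; they cannot be launch commands."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        q = QUOTED.match(m.group(2).strip())
        if q:
            entries.append((key, unescape(m.group(1)), unescape(q.group(1))))
    return entries


def triage_launchpoints(entries):
    """Apply the page's IOC patterns to each Run/RunOnce value."""
    findings = []
    for key, name, data in entries:
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        m = EXE_PATH.match(data)
        target = m.group(1) if m else data
        low = target.lower()
        parts = target.split("\\")
        reasons = []
        # SystemTool: %appdata%\[random]\[random].exe, value name is the same random string
        if "\\appdata\\roaming\\" in low and len(parts) >= 2 and low.endswith(".exe"):
            stem = parts[-1][:-4]
            if stem.lower() == parts[-2].lower() == name.lower():
                reasons.append("dir, exe and value name share one random-looking string (SystemTool pattern)")
        # Spyrat.D: a winlogon.exe that is not the real one, registered under the dropper's path
        if low.endswith("\\winlogon.exe") and "\\system32\\" not in low:
            reasons.append("winlogon.exe outside System32 (Spyrat.D pattern)")
        if re.match(r"^[a-z]:\\", name, re.IGNORECASE):
            reasons.append("value name is itself a file path (Spyrat.D pattern)")
        # AntiAV: HKLM Run value literally named "common"
        if key.upper().startswith("HKEY_LOCAL_MACHINE") and name.lower() == "common":
            reasons.append("HKLM Run value named 'common' (AntiAV IOC)")
        # Weak on its own: plenty of legitimate updaters also live under AppData
        if any(p in low for p in ("\\appdata\\", "\\programdata\\", "\\temp\\")):
            reasons.append("target in a user-writable location (weak signal)")
        if reasons:
            strong = [r for r in reasons if "weak signal" not in r]
            findings.append({"key": key, "name": name, "target": target,
                             "reasons": reasons, "severity": "high" if strong else "info"})
    return findings


if __name__ == "__main__":
    for f in triage_launchpoints(parse_reg_export(SAMPLE_REG)):
        print(f["severity"].upper(), f["name"], "->", f["target"])
        for r in f["reasons"]:
            print("   ", r)
```

To run it against a real machine, export the keys with reg export (the output is usually UTF-16 encoded, so decode it before passing the text in). The location rule is deliberately weak: on its own it would also flag the OneDrive entry in the sample, which is why it only sets severity "info" unless one of the stronger patterns also matches.<br />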
</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Exploit:W32/D-Encrypted.Gen]]></title>
			<link>http://www.secarab.com/thread-3418.html</link>
			<pubDate>Thu, 19 May 2011 20:41:13 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3418.html</guid>
			<description><![CDATA[<span style="font-size: large;">Exploit:W32/D-Encrypted.Gen<br />
<br />
<br />
	<br />
Name : 	Exploit:W32/D-Encrypted.Gen<br />
Detection Names : 	Exploit.D-Encrypted.Gen<br />
Category:	Malware<br />
Type:	Exploit<br />
Platform:	W32<br />
Summary<br />
A program or technique that takes advantage of a vulnerability to remotely access or attack a program, computer or server.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
This malware is distributed as a malicious Microsoft Excel document attached to an e-mail message. The malicious Excel file itself is detected with the Generic Detection Exploit.D-Encrypted.Gen.<br />
<br />
The Excel file contains an embedded encrypted executable file. It also contains an embedded Flash (.swf) file maliciously modified to exploit a known vulnerability (CVE-2011-0609) in certain older, unpatched versions of Adobe Flash Player.<br />
<br />
The Flash file decrypts the embedded executable file (detected as Trojan.Agent.ARKJ), which is the real payload for this malware.<br />
<br />
Once decrypted, the trojan attempts to connect to and download additional files from:<br />
<br />
    http: // 12.40.112.141<br />
<br />
At the time of writing, the malware appears unable to find the target files.<br />
<br />
<br />
More<br />
<br />
Further information on the exploit used is available at:<br />
<br />
    Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat: <a href="http://www.adobe.com/support/security/advisories/apsa11-01.html" target="_blank">http://www.adobe.com/support/security/ad...11-01.html</a><br />
<br />
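Both this description and Packed:W32/PeCan.A above come down to the same triage question: does a file carry an embedded Flash object, an embedded executable, or sections whose bytes look encrypted or packed? The Python below is an added example, not code from F-Secure or this forum. It carves SWF headers and PE images out of a blob and scores each PE section by Shannon entropy; the page gives nothing PeCancer-specific, so the packed heuristic is the generic one (entropy above 7 bits per byte, or writable-and-executable sections). The container it builds is constructed data, not the Excel file described here.<br />

```python
# Added example (not F-Secure's or the forum's code): carve embedded SWF and PE
# objects out of a blob and score PE sections by entropy. build_sample_blob()
# returns constructed data; nothing here is specific to PeCancer.
import math
import random
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")          # uncompressed, zlib, LZMA
WX = 0x20000000 | 0x80000000                   # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
SECTION_HDR = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_swf(blob: bytes):
    """(offset, version, declared length) for every plausible SWF header."""
    hits = []
    for magic in SWF_MAGICS:
        i = blob.find(magic)
        while i != -1:
            if i + 8 <= len(blob):
                version, length = blob[i + 3], struct.unpack_from("<I", blob, i + 4)[0]
                if 1 <= version <= 60 and 8 <= length <= 64 * 1024 * 1024:
                    hits.append((i, version, length))
            i = blob.find(magic, i + 1)
    return sorted(hits)


def parse_pe_sections(blob: bytes, base: int):
    """Section table of the PE image starting at blob[base], or [] if there is none."""
    if blob[base:base + 2] != b"MZ" or base + 0x40 > len(blob):
        return []
    pe = base + struct.unpack_from("<I", blob, base + 0x3C)[0]       # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(blob):
        return []
    nsections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    sec, out = pe + 24 + opt_size, []
    for _ in range(nsections):
        if sec + 40 > len(blob):
            break
        name, _vs, _va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, blob, sec)
        data = blob[base + rawptr:base + rawptr + rawsize]
        out.append({"name": name.rstrip(b"\0").decode("latin-1"), "raw_size": rawsize,
                    "entropy": round(shannon_entropy(data), 2), "wx": (chars & WX) == WX})
        sec += 40
    return out


def find_pe(blob: bytes):
    """Every embedded PE image with its sections; packed_hint flags high-entropy or W+X sections."""
    found, i = [], blob.find(b"MZ")
    while i != -1:
        sections = parse_pe_sections(blob, i)
        if sections:
            found.append({"offset": i, "sections": sections,
                          "packed_hint": any(s["entropy"] > 7.0 or s["wx"] for s in sections)})
        i = blob.find(b"MZ", i + 1)
    return found


def triage(blob: bytes):
    return {"swf": find_swf(blob), "pe": find_pe(blob)}


def build_sample_blob() -> bytes:
    """Constructed container: filler, a zlib-compressed SWF header, and a two-section
    PE whose .text is pseudo-random bytes standing in for packed or encrypted code."""
    rng, packed = random.Random(2011), bytearray()
    while len(packed) < 4096:
        b = rng.getrandbits(8)
        if not 0x41 <= b <= 0x5A:            # no uppercase, so no accidental MZ/FWS/CWS/ZWS
            packed.append(b)
    plain = b"Hello from a plain data section. " * 64
    opt_size = 224                            # PE32 optional header
    raw0 = (0x40 + 24 + opt_size + 2 * 40 + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    text = struct.pack(SECTION_HDR, b".text", 4096, 0x1000, 4096, raw0, 0, 0, 0, 0, 0xE0000020)
    data = struct.pack(SECTION_HDR, b".data", len(plain), 0x3000, len(plain), raw0 + 4096, 0, 0, 0, 0, 0xC0000040)
    image = dos + coff + b"\0" * opt_size + text + data
    image += b"\0" * (raw0 - len(image)) + bytes(packed) + plain
    filler = b"(constructed filler standing in for workbook stream data) " * 20
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 2000) + b"\0" * 32
    return filler + swf + filler + image + filler


if __name__ == "__main__":
    for key, value in triage(build_sample_blob()).items():
        print(key, value)
```

Entropy above about 7 bits per byte in a code section is not proof of packing, but it is rare in compiler output and usual for packed, compressed or encrypted sections, which is what both an encrypted embedded payload and a packed executable show. For real Office files, note that the binary .xls format is an OLE compound file whose streams are stored as-is, while .xlsx is a ZIP archive, so the carver has to be run over the extracted streams rather than the raw file when the container compresses them.<br />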
</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Exploit:W32/MSWord6.Gen]]></title>
			<link>http://www.secarab.com/thread-3417.html</link>
			<pubDate>Thu, 19 May 2011 20:39:32 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3417.html</guid>
			<description><![CDATA[<span style="font-size: large;">Exploit:W32/MSWord6.Gen<br />
<br />
	<br />
Name : 	Exploit:W32/MSWord6.Gen<br />
Detection Names : 	Exploit.msword.gen.6<br />
Category:	Malware<br />
Type:	Trojan<br />
Platform:	W32<br />
Summary<br />
The Generic Detection Exploit.msword.gen.6 identifies a Microsoft Word document that has been modified to perform an unauthorized, malicious action.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
Execution<br />
<br />
Upon execution, the malware creates malicious executables in the following directories on the infected system:<br />
<br />
    %temp%\[random].exe<br />
    %windir%\system32\[name].exe<br />
<br />
The malware also attempts to connect to the following remote sites:<br />
<br />
    yahoo.onedumb.com<br />
    yahoo.servebbs.com<br />
    218.23.30.99<br />
    218.20.188.170<br />
    googleupdate2011.dyndns.org<br />
</span>]]></description>
			<content:encoded><![CDATA[<span style="font-size: large;">Exploit:W32/MSWord6.Gen<br />
<br />
	<br />
Name : 	Exploit:W32/MSWord6.Gen<br />
Detection Names : 	Exploit.msword.gen.6<br />
Category:	Malware<br />
Type:	Trojan<br />
Platform:	W32<br />
Summary<br />
The Generic Detection Exploit.msword.gen.6 identifies a Microsoft Word document that has been modified to perform an unauthorized, malicious action.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
Execution<br />
<br />
Upon execution, the malware creates malicious executables in the following directories on the infected system:<br />
<br />
    %temp%\[random].exe<br />
    %windir%\system32\[name].exe<br />
<br />
The malware also attempts to connect to the following remote sites:<br />
<br />
    yahoo.onedumb.com<br />
    yahoo.servebbs.com<br />
    218.23.30.99<br />
    218.20.188.170<br />
    googleupdate2011.dyndns.org<br />
</span>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Trojan-Downloader:W32/KDV-176347]]></title>
			<link>http://www.secarab.com/thread-3416.html</link>
			<pubDate>Thu, 19 May 2011 20:37:58 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3416.html</guid>
			<description><![CDATA[<span style="font-size: large;">Trojan-Downloader:W32/KDV-176347<br />
<br />
<br />
	<br />
Name : 	Trojan-Downloader:W32/KDV-176347<br />
Detection Names : 	Trojan.generic.kdv.176347<br />
Trojan-Downloader.Win32.Agent.gctp<br />
Category:	Malware<br />
Type:	Trojan-Downloader<br />
Platform:	W32<br />
Summary<br />
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
<br />
This trojan is disguised as a DOC file. Upon executing the trojan, it will download a document from a remote site (hxxp://www.epof.ru/[...]/document.doc) and display it, furthering the deception that the trojan is legitimate. Below is a screenshot of the document displayed:<br />
<br />
<img src="http://www.f-secure.com/virus-info/v-pics/trojan_downloader_kdv_176347.jpg" border="0" alt="[Attached image: trojan_downloader_kdv_176347.jpg]" /><br />
<br />
In the meantime, the trojan will attempt to download malicious files from a series of URLs on the same remote site (www.epof.ru).<br />
<br />
At the time of writing, the domain contacted by the malware is blocked by the Browsing Protection feature of our product.</span>]]></description>
			<content:encoded><![CDATA[<span style="font-size: large;">Trojan-Downloader:W32/KDV-176347<br />
<br />
<br />
	<br />
Name : 	Trojan-Downloader:W32/KDV-176347<br />
Detection Names : 	Trojan.generic.kdv.176347<br />
Trojan-Downloader.Win32.Agent.gctp<br />
Category:	Malware<br />
Type:	Trojan-Downloader<br />
Platform:	W32<br />
Summary<br />
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
<br />
This trojan is disguised as a DOC file. Upon executing the trojan, it will download a document from a remote site (hxxp://www.epof.ru/[...]/document.doc) and display it, furthering the deception that the trojan is legitimate. Below is a screenshot of the document displayed:<br />
<br />
<img src="http://www.f-secure.com/virus-info/v-pics/trojan_downloader_kdv_176347.jpg" border="0" alt="[Attached image: trojan_downloader_kdv_176347.jpg]" /><br />
<br />
In the meantime, the trojan will attempt to download malicious files from a series of URLs on the same remote site (www.epof.ru).<br />
<br />
At the time of writing, the domain contacted by the malware is blocked by the Browsing Protection feature of our product.</span>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Trojan-Downloader:W32/Kazy-17907]]></title>
			<link>http://www.secarab.com/thread-3415.html</link>
			<pubDate>Thu, 19 May 2011 20:35:31 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3415.html</guid>
			<description><![CDATA[<span style="font-size: large;">Trojan-Downloader:W32/Kazy-17907<br />
<br />
<br />
Name : 	Trojan-Downloader:W32/Kazy-17907<br />
Detection Names : 	Gen:variant.kazy.17907<br />
Category:	Malware<br />
Type:	Trojan-Downloader<br />
Platform:	W32<br />
Summary<br />
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
<br />
This trojan-downloader appears to be related to a distribution of spam e-mails currently under way as of 5 April 2011, as hundreds of samples were submitted to our analysis systems in the last 24 hrs.<br />
<br />
The spammed e-mail uses a social engineering attack to lure the recipient into clicking on an attached executable file. This attachment is actually the trojan-downloader, disguised as a legitimate document. The attachment uses a PDF file icon and the filename 'dhl.exe' to further disguise itself.<br />
<br />
On clicking the file, the trojan-downloader is executed and creates a dummy svchost.exe process. It then injects a thread that downloads and executes a file from:<br />
<br />
    h t t p : / / puskovayaustanovka.ru/pusk[...].exe<br />
<br />
At the time of writing, the domain is blocked by the Browsing Protection feature of our product.<br />
</span>]]></description>
			<content:encoded><![CDATA[<span style="font-size: large;">Trojan-Downloader:W32/Kazy-17907<br />
<br />
<br />
Name : 	Trojan-Downloader:W32/Kazy-17907<br />
Detection Names : 	Gen:variant.kazy.17907<br />
Category:	Malware<br />
Type:	Trojan-Downloader<br />
Platform:	W32<br />
Summary<br />
This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
<br />
This trojan-downloader appears to be related to a distribution of spam e-mails currently under way as of 5 April 2011, as hundreds of samples were submitted to our analysis systems in the last 24 hrs.<br />
<br />
The spammed e-mail uses a social engineering attack to lure the recipient into clicking on an attached executable file. This attachment is actually the trojan-downloader, disguised as a legitimate document. The attachment uses a PDF file icon and the filename 'dhl.exe' to further disguise itself.<br />
<br />
On clicking the file, the trojan-downloader is executed and creates a dummy svchost.exe process. It then injects a thread that downloads and executes a file from:<br />
<br />
    h t t p : / / puskovayaustanovka.ru/pusk[...].exe<br />
<br />
At the time of writing, the domain is blocked by the Browsing Protection feature of our product.<br />
</span>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Backdoor:W32/Knockex.A]]></title>
			<link>http://www.secarab.com/thread-3376.html</link>
			<pubDate>Wed, 18 May 2011 22:31:12 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3376.html</guid>
			<description><![CDATA[<span style="font-size: large;">Backdoor:W32/Knockex.A<br />
<br />
	<br />
Name: 	Backdoor:W32/Knockex.A<br />
Detection Names : 	Spyware.14597<br />
Dropped:Spyware.14597<br />
Trojan-Dropper:W32/Knockex.A<br />
Trojan-Downloader:W32/Knockex.A<br />
Gen:Variant.Kazy.17250<br />
Backdoor:W32/Knockex.A<br />
Trojan.Generic.KDV.171682<br />
Rootkit:W32/Knockex.A<br />
Trojan.Downloader.Agent.ZBU<br />
Spyware:W32/Inet.B<br />
Adware:W32/MyWebSearch.AG<br />
Adware:W32/MyWebSearch.AF<br />
Adware:W32/MyWebSearch.AH<br />
Spyware:W32/Inet.A<br />
Adware:W32/Zwangi.O<br />
Category:	Malware<br />
Type:	Backdoor<br />
Platform:	W32<br />
Summary<br />
A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.<br />
Disinfection<br />
<br />
To remove the backdoor program and the other malware, allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
<br />
To remove the installed adware, uninstall the following programs from the Windows 'Add/Remove Programs' menu:<br />
<br />
    "Homepage Protection Service" - uninstaller of MYCLEARSEARCH-SETUP.EXE<br />
    "Inet Support Services" - uninstaller of INET.EXE<br />
    "BrowserSeek 1.0 build 171 powered by FIRST SEARCHBAR" - uninstaller of BRAND.EXE (as of this writing)<br />
<br />
Additional Details<br />
<br />
Backdoor:W32/Knockex.A is a backdoor program dropped as part of the payload of a Nullsoft installer (NSIS) program detected as Trojan-Dropper:W32/Knockex.A.<br />
<br />
The Nullsoft installer contains the following sub-installers:<br />
<br />
    OfferApp-2529.exe - detected either as Trojan-Downloader:W32/Knockex.A or Gen:Variant.Kazy.17250<br />
    OfferApp-2526.exe - detected as Spyware:W32/Inet.B<br />
<br />
These installers will themselves install multiple installers, which in turn install malware, adware and spyware programs. Among the installed programs is Backdoor:W32/Knockex.A.<br />
<br />
 <br />
First Installer Dropped - OfferApp-2529.exe<br />
<br />
As of this writing, the first installer dropped by Trojan-Dropper:W32/Knockex.A, OfferApp-2529.exe, downloads and executes a backdoor with rootkit capabilities. The backdoor is detected either as Backdoor:W32/Knockex.A or Trojan.Generic.KDV.171682.<br />
<br />
Upon execution, the backdoor program drops the following files:<br />
<br />
    %systemdir%\cssrss.exe<br />
    A copy of the downloaded backdoor program.<br />
    %systemdir%\nso12k.sys<br />
    A rootkit driver (detected either as Rootkit:W32/Knockex.A or Trojan.Downloader.Agent.ZBU) that hides the backdoor program.<br />
<br />
The backdoor program uses the following launch points:<br />
<br />
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br />
    "WMDM PMSP Service" = %systemdir%\cssrss.exe<br />
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver - service launch point of nso12k.sys<br />
<br />
<br />
Second Installer Dropped - OfferApp-2526.exe<br />
<br />
 <br />
<br />
At the same time the OfferApp-2529.exe file is downloading and executing the backdoor, the second installer file, OfferApp-2526.exe, is executing the following installers:<br />
<br />
    myclearsearch-setup.exe<br />
    Installer of MyWebSearch/CreativeToolbar Adware<br />
    Detected as Adware:W32/MyWebSearch.AG<br />
    inet.exe<br />
    Installer of iNetMedia Adware<br />
    Detected either as Spyware:W32/Inet.A or Spyware.14597<br />
    brand.exe<br />
    Web Installer/downloader of BrowserSeek/Zwangi Adware<br />
    Detected as Adware:W32/Zwangi.O<br />
<br />
When the installers listed are executed, their payloads are installed as separate, independent programs.<br />
<br />
Second level of installers from OfferApp-2526.exe<br />
<br />
    myclearsearch-setup.exe<br />
    The myclearsearch-setup.exe file drops the following components:<br />
        %programdir%\MyClearSearch\MyClearSearchSvc.exe - detected as Adware:W32/MyWebSearch.AF<br />
        %programdir%\MyClearSearch\ShowMsg.exe - detected as Adware:W32/MyWebSearch.AH<br />
        %programdir%\MyClearSearch\uninstall.exe - uninstaller component.<br />
<br />
    The myclearsearch-setup.exe file then creates the following service launch point:<br />
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyClearSearch Helper Service<br />
<br />
    And also creates the following registry keys:<br />
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\MyClearSearch<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service<br />
<br />
    During installation, the program will also modify the start page for the Internet Explorer web browser:<br />
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main<br />
        "Start Page" = "http://myclearsearch.com/"<br />
<br />
    inet.exe<br />
<br />
    When OfferApp-2526.exe is executed, it instructs the inet.exe file installer to download a file from a remote site and install it to the path "C:\Program". During this process, the installer creates the following service launch point:<br />
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetUpServ<br />
<br />
    It will also create a (functional) uninstallation setting:<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\inet<br />
<br />
    Brand.exe<br />
<br />
    Brand.exe is an installer that downloads its own components from a remote site. At the time of writing, the file downloads the following components:<br />
        %programdir%\BrowserSeek\browserseek.dll<br />
        %programdir%\BrowserSeek\browserseek.exe<br />
        %programdir%\BrowserSeek\uninstall.exe<br />
<br />
    It creates the following service launch point:<br />
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowserSeek Service<br />
<br />
    And also creates the following registry keys:<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\BrowserSeek<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowserSeek</span>]]></description>
			<content:encoded><![CDATA[<span style="font-size: large;">Backdoor:W32/Knockex.A<br />
<br />
	<br />
Name: 	Backdoor:W32/Knockex.A<br />
Detection Names : 	Spyware.14597<br />
Dropped:Spyware.14597<br />
Trojan-Dropper:W32/Knockex.A<br />
Trojan-Downloader:W32/Knockex.A<br />
Gen:Variant.Kazy.17250<br />
Backdoor:W32/Knockex.A<br />
Trojan.Generic.KDV.171682<br />
Rootkit:W32/Knockex.A<br />
Trojan.Downloader.Agent.ZBU<br />
Spyware:W32/Inet.B<br />
Adware:W32/MyWebSearch.AG<br />
Adware:W32/MyWebSearch.AF<br />
Adware:W32/MyWebSearch.AH<br />
Spyware:W32/Inet.A<br />
Adware:W32/Zwangi.O<br />
Category:	Malware<br />
Type:	Backdoor<br />
Platform:	W32<br />
Summary<br />
A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.<br />
Disinfection<br />
<br />
To remove the backdoor program and the other malware, allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
<br />
To remove the installed adware, uninstall the following programs from the Windows 'Add/Remove Programs' menu:<br />
<br />
    "Homepage Protection Service" - uninstaller of MYCLEARSEARCH-SETUP.EXE<br />
    "Inet Support Services" - uninstaller of INET.EXE<br />
    "BrowserSeek 1.0 build 171 powered by FIRST SEARCHBAR" - uninstaller of BRAND.EXE (as of this writing)<br />
<br />
Additional Details<br />
<br />
Backdoor:W32/Knockex.A is a backdoor program dropped as part of the payload of a Nullsoft installer (NSIS) program detected as Trojan-Dropper:W32/Knockex.A.<br />
<br />
The Nullsoft installer contains the following sub-installers:<br />
<br />
    OfferApp-2529.exe - detected either as Trojan-Downloader:W32/Knockex.A or Gen:Variant.Kazy.17250<br />
    OfferApp-2526.exe - detected as Spyware:W32/Inet.B<br />
<br />
These installers will themselves install multiple installers, which in turn install malware, adware and spyware programs. Among the installed programs is Backdoor:W32/Knockex.A.<br />
<br />
 <br />
First Installer Dropped - OfferApp-2529.exe<br />
<br />
As of this writing, the first installer dropped by Trojan-Dropper:W32/Knockex.A, OfferApp-2529.exe, downloads and executes a backdoor with rootkit capabilities. The backdoor is detected either as Backdoor:W32/Knockex.A or Trojan.Generic.KDV.171682.<br />
<br />
Upon execution, the backdoor program drops the following files:<br />
<br />
    %systemdir%\cssrss.exe<br />
    A copy of the downloaded backdoor program.<br />
    %systemdir%\nso12k.sys<br />
    A rootkit driver (detected either as Rootkit:W32/Knockex.A or Trojan.Downloader.Agent.ZBU) that hides the backdoor program.<br />
<br />
The backdoor program uses the following launch points:<br />
<br />
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br />
    "WMDM PMSP Service" = %systemdir%\cssrss.exe<br />
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Driver - service launch point of nso12k.sys<br />
<br />
<br />
Second Installer Dropped - OfferApp-2526.exe<br />
<br />
 <br />
<br />
At the same time the OfferApp-2529.exe file is downloading and executing the backdoor, the second installer file, OfferApp-2526.exe, is executing the following installers:<br />
<br />
    myclearsearch-setup.exe<br />
    Installer of MyWebSearch/CreativeToolbar Adware<br />
    Detected as Adware:W32/MyWebSearch.AG<br />
    inet.exe<br />
    Installer of iNetMedia Adware<br />
    Detected either as Spyware:W32/Inet.A or Spyware.14597<br />
    brand.exe<br />
    Web Installer/downloader of BrowserSeek/Zwangi Adware<br />
    Detected as Adware:W32/Zwangi.O<br />
<br />
When the installers listed are executed, their payloads are installed as separate, independent programs.<br />
<br />
Second level of installers from OfferApp-2526.exe<br />
<br />
    myclearsearch-setup.exe<br />
    The myclearsearch-setup.exe file drops the following components:<br />
        %programdir%\MyClearSearch\MyClearSearchSvc.exe - detected as Adware:W32/MyWebSearch.AF<br />
        %programdir%\MyClearSearch\ShowMsg.exe - detected as Adware:W32/MyWebSearch.AH<br />
        %programdir%\MyClearSearch\uninstall.exe - uninstaller component.<br />
<br />
    The myclearsearch-setup.exe file then creates the following service launch point:<br />
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyClearSearch Helper Service<br />
<br />
    And also creates the following registry keys:<br />
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\MyClearSearch<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Homepage Protection Service<br />
<br />
    During installation, the program will also modify the start page for the Internet Explorer web browser:<br />
        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main<br />
        "Start Page" = "http://myclearsearch.com/"<br />
<br />
    inet.exe<br />
<br />
    When OfferApp-2526.exe is executed, it instructs the inet.exe file installer to download a file from a remote site and install it to the path "C:\Program". During this process, the installer creates the following service launch point:<br />
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetUpServ<br />
<br />
    It will also create a (functional) uninstallation setting:<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\inet<br />
<br />
    Brand.exe<br />
<br />
    Brand.exe is an installer that downloads its own components from a remote site. At the time of writing, the file downloads the following components:<br />
        %programdir%\BrowserSeek\browserseek.dll<br />
        %programdir%\BrowserSeek\browserseek.exe<br />
        %programdir%\BrowserSeek\uninstall.exe<br />
<br />
    It creates the following service launch point:<br />
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrowserSeek Service<br />
<br />
    And also creates the following registry keys:<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\BrowserSeek<br />
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowserSeek</span>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Virus:W32/Ramnit.N]]></title>
			<link>http://www.secarab.com/thread-3375.html</link>
			<pubDate>Wed, 18 May 2011 22:23:54 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3375.html</guid>
			<description><![CDATA[<span style="font-size: large;">Virus:W32/Ramnit.N<br />
<br />
	<br />
Name : 	Virus:W32/Ramnit.N<br />
Detection Names : 	Win32.Ramnit.N<br />
Virus:Win32/Ramnit.I<br />
Category:	Malware<br />
Type:	Virus<br />
Platform:	W32<br />
Summary<br />
A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
<br />
Virus:W32/Ramnit.N is distributed in infected EXE, DLL and HTML files; it can also be distributed via removable drives.<br />
<br />
Once active, the virus infects EXE, DLL and HTML files found on the computer. It will also drop a malicious file that attempts to connect to and download other files from a remote server.<br />
<br />
 <br />
Installation<br />
<br />
 <br />
<br />
When a Ramnit.N-infected file is first executed, it will drop a copy of itself to the following location:<br />
<br />
    %programfiles%\Microsoft\WaterMark.exe<br />
<br />
It then creates the following mutex, which is used to ensure that only a single instance of the virus copy is running on the machine at any time:<br />
<br />
    {061D056A-EC07-92FD-CF39-0A93F1F304E3}<br />
<br />
In order to automatically execute itself if the system is rebooted, the virus also creates the following registry launchpoint:<br />
<br />
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit<br />
    = c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe<br />
<br />
 <br />
Infection<br />
<br />
 <br />
<br />
Before proceeding to infect other files on the machine, the malware first determines whether a previous instance of its process is already running by checking for its unique mutex in this format:<br />
<br />
    {"8_hex_digits"-"4_hex_digits"-"4_hex_digits"-"4_hex_digits"-"4_hex_digits"-"8_hex_digits""4_hex_digits"}<br />
<br />
If the mutex is not present, the virus will spawn a new process (a copy of itself) in the following folder:<br />
<br />
    %programfiles%\Microsoft\[infector].exe<br />
<br />
The dropped process will then spawn other hidden processes (either the default web browser process or svchost.exe). The infection routine is injected into these new processes via a hook on Windows Native System Services, for example: ntdll.ZwWriteVirtualMemory.<br />
<br />
Once the injection is done, the process started from %programfiles%\microsoft\[infector].exe terminates, leaving the injected infection routine running in the background.<br />
<br />
 <br />
Payload<br />
<br />
 <br />
<br />
Ramnit.N modifies EXE, DLL and HTML files by appending its own malicious code to the end of the file.<br />
<br />
When the infected file is run, it drops another malicious file to the same directory where it was executed. The dropped file will be named using the format, "[original_filename]mgr.exe".<br />
<br />
The dropped file might connect to and download other malicious files from a remote server.<br />
<br />
 <br />
Others<br />
<br />
 <br />
<br />
The malware writer also provides a method to protect a machine from infection, by setting the following registry key and value (this feature was probably needed during development of the file infector):<br />
<br />
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WASAntidot]<br />
    "disable" = "1"<br />
</span>]]></description>
			<content:encoded><![CDATA[<span style="font-size: large;">Virus:W32/Ramnit.N<br />
<br />
	<br />
Name : 	Virus:W32/Ramnit.N<br />
Detection Names : 	Win32.Ramnit.N<br />
Virus:Win32/Ramnit.I<br />
Category:	Malware<br />
Type:	Virus<br />
Platform:	W32<br />
Summary<br />
A program that secretly and maliciously integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.<br />
Disinfection<br />
Allow F-Secure Anti-Virus to disinfect the relevant files.<br />
<br />
For more general information on disinfection, please see Removal Instructions.<br />
Additional Details<br />
<br />
Virus:W32/Ramnit.N is distributed in infected EXE, DLL and HTML files; it can also be distributed via removable drives.<br />
<br />
Once active, the virus infects EXE, DLL and HTML files found on the computer. It will also drop a malicious file that attempts to connect to and download other files from a remote server.<br />
<br />
 <br />
Installation<br />
<br />
 <br />
<br />
When a Ramnit.N-infected file is first executed, it will drop a copy of itself to the following location:<br />
<br />
    %programfiles%\Microsoft\WaterMark.exe<br />
<br />
It then creates the following mutex, which is used to ensure that only a single instance of the virus copy is running on the machine at any time:<br />
<br />
    {061D056A-EC07-92FD-CF39-0A93F1F304E3}<br />
<br />
In order to automatically execute itself if the system is rebooted, the virus also creates the following registry launchpoint:<br />
<br />
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit<br />
    = c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe<br />
<br />
 <br />
Infection<br />
<br />
 <br />
<br />
Before proceeding to infect other files on the machine, the malware first determines whether a previous instance of its process is already running by checking for its unique mutex in this format:<br />
<br />
    {"8_hex_digits"-"4_hex_digits"-"4_hex_digits"-"4_hex_digits"-"4_hex_digits"-"8_hex_digits""4_hex_digits"}<br />
<br />
If the mutex is not present, the virus will spawn a new process (a copy of itself) in the following folder:<br />
<br />
    %programfiles%\Microsoft\[infector].exe<br />
<br />
The dropped process will then spawn other hidden processes (either the default web browser process or svchost.exe). The infection routine is injected into these new processes via a hook on Windows Native System Services, for example: ntdll.ZwWriteVirtualMemory.<br />
<br />
Once the injection is done, the process started from %programfiles%\microsoft\[infector].exe terminates, leaving the injected infection routine running in the background.<br />
<br />
 <br />
Payload<br />
<br />
 <br />
<br />
Ramnit.N modifies EXE, DLL and HTML files by appending its own malicious code to the end of the file.<br />
<br />
When the infected file is run, it drops another malicious file to the same directory where it was executed. The dropped file will be named using the format, "[original_filename]mgr.exe".<br />
<br />
The dropped file might connect to and download other malicious files from a remote server.<br />
<br />
 <br />
Others<br />
<br />
 <br />
<br />
The malware writer also provides a method to protect a machine from infection, by setting the following registry key and value (this feature was probably needed during development of the file infector):<br />
<br />
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WASAntidot]<br />
    "disable" = "1"<br />
</span>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Data theft from firms topped a trillion dollars in 2008: study]]></title>
			<link>http://www.secarab.com/thread-3373.html</link>
			<pubDate>Wed, 18 May 2011 21:36:46 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3373.html</guid>
			<description><![CDATA[<span style="font-size: large;">Data theft from firms topped a trillion dollars in 2008: study<br />
<br />
SAN FRANCISCO (AFP) — Workers turned "cyber moles" and crime syndicates armed with malicious software are looting digital data from businesses as losses reportedly topped a trillion dollars in 2008.<br />
<br />
California computer security firm McAfee presented the findings Thursday at the World Economic Forum in Davos, Switzerland, with a warning that the world's dismal financial straits are exacerbating data theft woes.<br />
<br />
"Based on the survey findings McAfee conservatively estimates that the global damage from data loss to top one trillion dollars," said McAfee chief executive Dave DeWalt.<br />
<br />
"This report is a wake-up call because the current economic crisis is poised to create a global meltdown in vital information."<br />
<br />
Insights for the first-ever worldwide study "on the security of information economies" were gathered from more than 800 chief information officers in Japan, China, India, Brazil, Britain, Dubai, Germany and the United States.<br />
<br />
The companies surveyed estimated they lost a combined 4.6 billion dollars worth of intellectual property last year, and spent approximately 600 million dollars repairing damage from data breaches.<br />
<br />
"Companies are grossly underestimating the loss, and value, of their intellectual property," said Eugene Spafford, a US university computer science professor who is executive director of The Center for Education and Research in Information Assurance and Security (CERIAS).<br />
<br />
"Just like gold, diamonds or crude oil, intellectual property is a form of currency that is traded internationally, and can have serious economic impact if it is stolen."<br />
<br />
Pressure on firms to cut costs is resulting in weakened computer security measures, making them more tempting targets for information thieves, according to CERIAS, which analyzed responses in the study.<br />
<br />
Thirty-nine percent of the CIOs in the study said they believe vital company information is more vulnerable because of current economic conditions.<br />
<br />
There has been an increase in "cyber mafia gangs" breaking into corporate databases, according to the study.<br />
<br />
"Cybercriminals are increasingly targeting executives using sophisticated phishing techniques," the study states.<br />
<br />
"Phishing" refers to deceptive emails or other online ruses that trick people into revealing passwords, account numbers, or other sensitive information.<br />
<br />
Such attacks customized to harpoon specific powerful executives are often referred to as "whaling."<br />
<br />
The dour economy also raises the chances of companies being looted by employees out to supplement shrinking paychecks or improve job prospects with future employers.<br />
<br />
"An increasing number of financially challenged employees are using their corporate data access to steal vital information," the study contends.<br />
<br />
"As the global recession continues and legitimate work disappears, desperate job seekers or 'cyber moles' are stealing valuable corporate data to make themselves more valuable in the job market."<br />
<br />
The study also pinpointed China, Pakistan, and Russia as data theft "trouble zones" because of legal, cultural or economic factors.</span>]]></description>
		</item>
		<item>
			<title><![CDATA[Malware]]></title>
			<link>http://www.secarab.com/thread-3367.html</link>
			<pubDate>Wed, 18 May 2011 19:32:28 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3367.html</guid>
			<description><![CDATA[<span style="font-size: large;">Malware<br />
<br />
Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.[1] The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[2]<br />
<br />
Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious and unwanted software or programs. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U.S. states, including California and West Virginia.[3][4]<br />
<br />
Preliminary results from Symantec published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications."[5] According to F-Secure, "As much malware [was] produced in 2007 as in the previous 20 years altogether."[6] Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the World Wide Web.[7]<br />
<br />
The prevalence of malware as a vehicle for organized Internet crime, along with the general inability of traditional anti-malware protection platforms (products) to protect against the continuous stream of unique and newly produced malware, has seen the adoption of a new mindset for businesses operating on the Internet: the acknowledgment that some sizable percentage of Internet customers will always be infected for some reason or another, and that they need to continue doing business with infected customers. The result is a greater emphasis on back-office systems designed to spot fraudulent activities associated with advanced malware operating on customers' computers.[8]<br />
<br />
On March 29, 2010, Symantec Corporation named Shaoxing, China, as the world's malware capital.[9]<br />
<br />
Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful bugs. Sometimes, malware is disguised as genuine software, and may come from an official site. Therefore, some security programs, such as McAfee, may call malware "potentially unwanted programs" or "PUP". Though a computer virus is malware that can reproduce itself, the term is often used erroneously to refer to the entire category.<br />
<br />
Many early infectious programs, including the first Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks. They were generally intended to be harmless or merely annoying, rather than to cause serious damage to computer systems. In some cases, the perpetrator did not realize how much harm his or her creations would do. Young programmers learning about viruses and their techniques wrote them simply for practice, or to see how far they could spread. As late as 1999, widespread viruses such as the Melissa virus and the David virus appear to have been written chiefly as pranks. The first mobile phone virus, Cabir, appeared in 2004.<br />
<br />
Hostile intent related to vandalism can be found in programs designed to cause harm or data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the file system by writing invalid data to it. Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, such worms may seem like the online equivalent of graffiti tagging, with the author's alias or affinity group appearing everywhere the worm goes.<br />
<br />
Since the rise of widespread broadband Internet access, malicious software has been designed for profit, for example forced advertising. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation.[10] Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography,[11] or to engage in distributed denial-of-service attacks as a form of extortion.[12]<br />
<br />
Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are, in general, installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications.<br />
<br />
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virus is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. Viruses may also contain a payload that performs other actions, often malicious. On the other hand, a worm is a program that actively transmits itself over a network to infect other computers. It too may carry a payload.<br />
<br />
These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads itself automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms.<br />
<br />
Some writers in the trade and popular press misunderstand this distinction and use the terms interchangeably.<br />
<br />
Capsule history of viruses and worms<br />
<br />
Before Internet access became widespread, viruses spread on personal computers by infecting the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever a program is run or the disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or bootable floppies, so they spread rapidly in computer hobbyist circles.<br />
<br />
The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes (vulnerabilities) in network server programs and started itself running as a separate process. This same behaviour is used by today's worms as well.<br />
<br />
With the rise of the Microsoft Windows platform in the 1990s, and the flexible macros of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications (executables), but rely on the fact that macros in a Word document are a form of executable code.<br />
<br />
Today, worms are most commonly written for the Windows OS, although a few like Mare-D[13] and the Lion worm[14] are also written for Linux and Unix systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network and leverage vulnerable computers to replicate. Because they need no human intervention, worms can spread with incredible speed. The SQL Slammer infected thousands of computers in a few minutes.[15]<br />
<br />
Trojan horses<br />
<br />
For a malicious program to accomplish its goals, it must be able to run without being shut down, or deleted by the user or administrator of the computer system on which it is running. Concealment can also help get the malware installed in the first place. When a malicious program is disguised as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or trojan.<br />
<br />
In broad terms, a Trojan horse is any program that invites the user to run it, concealing a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting the user's files or further installing malicious or undesirable software. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local network.<br />
<br />
One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement that states the behavior of the spyware in loose terms, which the users are unlikely to read or understand.<br />
Rootkits<br />
<br />
Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection and disinfection. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host's operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system, allowing the attacker to gain administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program.<br />
<br />
Some malicious programs contain routines to defend against removal, not merely to hide themselves, but to repel attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V time sharing system:<br />
<br />
    Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.[16]<br />
<br />
Similar techniques are used by some modern malware, wherein the malware starts a number of processes that monitor and restore one another as needed. In the event a user running Microsoft Windows is infected with such malware, if they wish to manually stop it, they could use Task Manager's 'Processes' tab to find the main process (the one that spawned the "resurrector process(es)"), and use the 'End Process Tree' function, which would kill not only the main process, but the "resurrector(s)" as well, since they were started by the main process. Some malware programs use other techniques, such as naming the infected file similarly to a legitimate or trustworthy file (expl0rer.exe vs. explorer.exe).<br />
Backdoors<br />
<br />
A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed in order to allow easier access in the future. Backdoors may also be installed prior to malicious software, to allow attackers entry.<br />
<br />
The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods.<br />
<br />
Dialer<br />
<br />
During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank. More recently, the greater share of malware programs has been written with a profit motive (financial or otherwise) in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.<br />
<br />
Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate marketing codes so that revenue is redirected to the spyware creator rather than the intended recipient.<br />
<br />
Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement that purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.<br />
<br />
Another way that financially motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. The infected computers are used as proxies to send out spam messages. A computer left in this state is often known as a zombie computer. The advantage to spammers of using infected computers is they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks.<br />
<br />
In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to antivirus software or other security measures.<br />
<br />
It is possible for a malware creator to profit by stealing sensitive information from a victim. Some malware programs install a key logger, which intercepts the user's keystrokes when entering a password, credit card number, or other information that may be exploited. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games, allowing the creator to steal accounts or virtual items.<br />
<br />
Another way of stealing money from the infected PC owner is to take control of a dial-up modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leaves the line open, charging the toll to the infected user.<br />
<br />
</span>]]></description>
			<content:encoded><![CDATA[<span style="font-size: large;">Malware<br />
<br />
Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.[1] The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[2]<br />
<br />
Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious and unwanted software or programs. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several U.S. states, including California and West Virginia.[3][4]<br />
<br />
Preliminary results from Symantec published in 2008 suggested that "the release rate of malicious code and other unwanted programs may be exceeding that of legitimate software applications."[5] According to F-Secure, "As much malware [was] produced in 2007 as in the previous 20 years altogether."[6] Malware's most common pathway from criminals to users is through the Internet: primarily by e-mail and the World Wide Web.[7]<br />
<br />
The prevalence of malware as a vehicle for organized Internet crime, along with the general inability of traditional anti-malware protection platforms (products) to protect against the continuous stream of unique and newly produced malware, has seen the adoption of a new mindset for businesses operating on the Internet: the acknowledgment that some sizable percentage of Internet customers will always be infected for some reason or another, and that they need to continue doing business with infected customers. The result is a greater emphasis on back-office systems designed to spot fraudulent activities associated with advanced malware operating on customers' computers.[8]<br />
<br />
On March 29, 2010, Symantec Corporation named Shaoxing, China, as the world's malware capital.[9]<br />
<br />
Malware is not the same as defective software, that is, software that has a legitimate purpose but contains harmful bugs. Sometimes, malware is disguised as genuine software, and may come from an official site. Therefore, some security programs, such as McAfee, may call malware "potentially unwanted programs" or "PUP". Though a computer virus is malware that can reproduce itself, the term is often used erroneously to refer to the entire category.<br />
<br />
Many early infectious programs, including the first Internet Worm and a number of MS-DOS viruses, were written as experiments or pranks. They were generally intended to be harmless or merely annoying, rather than to cause serious damage to computer systems. In some cases, the perpetrator did not realize how much harm his or her creations would do. Young programmers learning about viruses and their techniques wrote them simply for practice, or to see how far they could spread. As late as 1999, widespread viruses such as the Melissa virus and the David virus appear to have been written chiefly as pranks. The first mobile phone virus, Cabir, appeared in 2004.<br />
<br />
Hostile intent related to vandalism can be found in programs designed to cause harm or data loss. Many DOS viruses, and the Windows ExploreZip worm, were designed to destroy files on a hard disk, or to corrupt the file system by writing invalid data to it. Network-borne worms such as the 2001 Code Red worm or the Ramen worm fall into the same category. Designed to vandalize web pages, such worms may seem like the online equivalent of graffiti tagging, with the author's alias or affinity group appearing everywhere the worm goes.<br />
<br />
Since the rise of widespread broadband Internet access, malicious software has been designed for profit, for example forced advertising. For instance, since 2003, the majority of widespread viruses and worms have been designed to take control of users' computers for black-market exploitation.[10] Infected "zombie computers" are used to send email spam, to host contraband data such as child pornography,[11] or to engage in distributed denial-of-service attacks as a form of extortion.[12]<br />
<br />
Another strictly for-profit category of malware has emerged in spyware -- programs designed to monitor users' web browsing, display unsolicited advertisements, or redirect affiliate marketing revenues to the spyware creator. Spyware programs do not spread like viruses; they are, in general, installed by exploiting security holes or are packaged with user-installed software, such as peer-to-peer applications.<br />
<br />
The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virus is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. Viruses may also contain a payload that performs other actions, often malicious. On the other hand, a worm is a program that actively transmits itself over a network to infect other computers. It too may carry a payload.<br />
<br />
These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads itself automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms.<br />
<br />
Some writers in the trade and popular press misunderstand this distinction and use the terms interchangeably.<br />
<br />
Capsule history of viruses and worms<br />
<br />
Before Internet access became widespread, viruses spread on personal computers by infecting the executable boot sectors of floppy disks. By inserting a copy of itself into the machine code instructions in these executables, a virus causes itself to be run whenever a program is run or the disk is booted. Early computer viruses were written for the Apple II and Macintosh, but they became more widespread with the dominance of the IBM PC and MS-DOS system. Executable-infecting viruses are dependent on users exchanging software or bootable floppies, so they spread rapidly in computer hobbyist circles.<br />
<br />
The first worms, network-borne infectious programs, originated not on personal computers, but on multitasking Unix systems. The first well-known worm was the Internet Worm of 1988, which infected SunOS and VAX BSD systems. Unlike a virus, this worm did not insert itself into other programs. Instead, it exploited security holes (vulnerabilities) in network server programs and started itself running as a separate process. This same behaviour is used by today's worms as well.<br />
<br />
With the rise of the Microsoft Windows platform in the 1990s, and the flexible macros of its applications, it became possible to write infectious code in the macro language of Microsoft Word and similar programs. These macro viruses infect documents and templates rather than applications (executables), but rely on the fact that macros in a Word document are a form of executable code.<br />
<br />
Today, worms are most commonly written for the Windows OS, although a few like Mare-D[13] and the Lion worm[14] are also written for Linux and Unix systems. Worms today work in the same basic way as 1988's Internet Worm: they scan the network and leverage vulnerable computers to replicate. Because they need no human intervention, worms can spread with incredible speed. The SQL Slammer infected thousands of computers in a few minutes.[15]<br />
<br />
Trojan horses<br />
<br />
For a malicious program to accomplish its goals, it must be able to run without being shut down, or deleted by the user or administrator of the computer system on which it is running. Concealment can also help get the malware installed in the first place. When a malicious program is disguised as something innocuous or desirable, users may be tempted to install it without knowing what it does. This is the technique of the Trojan horse or trojan.<br />
<br />
In broad terms, a Trojan horse is any program that invites the user to run it, concealing a harmful or malicious payload. The payload may take effect immediately and can lead to many undesirable effects, such as deleting the user's files or further installing malicious or undesirable software. Trojan horses known as droppers are used to start off a worm outbreak, by injecting the worm into users' local network.<br />
<br />
One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads from the Internet. When the user installs the software, the spyware is installed alongside. Spyware authors who attempt to act in a legal fashion may include an end-user license agreement that states the behavior of the spyware in loose terms, which the users are unlikely to read or understand.<br />
Rootkits<br />
<br />
Once a malicious program is installed on a system, it is essential that it stays concealed, to avoid detection and disinfection. The same is true when a human attacker breaks into a computer directly. Techniques known as rootkits allow this concealment, by modifying the host's operating system so that the malware is hidden from the user. Rootkits can prevent a malicious process from being visible in the system's list of processes, or keep its files from being read. Originally, a rootkit was a set of tools installed by a human attacker on a Unix system, allowing the attacker to gain administrator (root) access. Today, the term is used more generally for concealment routines in a malicious program.<br />
<br />
Some malicious programs contain routines to defend against removal, not merely to hide themselves, but to repel attempts to remove them. An early example of this behavior is recorded in the Jargon File tale of a pair of programs infesting a Xerox CP-V time sharing system:<br />
<br />
    Each ghost-job would detect the fact that the other had been killed, and would start a new copy of the recently slain program within a few milliseconds. The only way to kill both ghosts was to kill them simultaneously (very difficult) or to deliberately crash the system.[16]<br />
<br />
Similar techniques are used by some modern malware, wherein the malware starts a number of processes that monitor and restore one another as needed. In the event a user running Microsoft Windows is infected with such malware, if they wish to manually stop it, they could use Task Manager's 'Processes' tab to find the main process (the one that spawned the "resurrector process(es)"), and use the 'End Process Tree' function, which would kill not only the main process, but the "resurrector(s)" as well, since they were started by the main process. Some malware programs use other techniques, such as naming the infected file similarly to a legitimate or trustworthy file (expl0rer.exe vs. explorer.exe).<br />
Backdoors<br />
<br />
A backdoor is a method of bypassing normal authentication procedures. Once a system has been compromised (by one of the above methods, or in some other way), one or more backdoors may be installed in order to allow easier access in the future. Backdoors may also be installed prior to malicious software, to allow attackers entry.<br />
<br />
The idea has often been suggested that computer manufacturers preinstall backdoors on their systems to provide technical support for customers, but this has never been reliably verified. Crackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors crackers may use Trojan horses, worms, or other methods.<br />
<br />
Dialer<br />
<br />
During the 1980s and 1990s, it was usually taken for granted that malicious programs were created as a form of vandalism or prank. More recently, the greater share of malware programs have been written with a profit motive (financial or otherwise) in mind. This can be taken as the malware authors' choice to monetize their control over infected systems: to turn that control into a source of revenue.<br />
<br />
Spyware programs are commercially produced for the purpose of gathering information about computer users, showing them pop-up ads, or altering web-browser behavior for the financial benefit of the spyware creator. For instance, some spyware programs redirect search engine results to paid advertisements. Others, often called "stealware" by the media, overwrite affiliate marketing codes so that revenue is redirected to the spyware creator rather than the intended recipient.<br />
<br />
Spyware programs are sometimes installed as Trojan horses of one sort or another. They differ in that their creators present themselves openly as businesses, for instance by selling advertising space on the pop-ups created by the malware. Most such programs present the user with an end-user license agreement that purportedly protects the creator from prosecution under computer contaminant laws. However, spyware EULAs have not yet been upheld in court.<br />
<br />
Another way that financially motivated malware creators can profit from their infections is to directly use the infected computers to do work for the creator. The infected computers are used as proxies to send out spam messages. A computer left in this state is often known as a zombie computer. The advantage to spammers of using infected computers is they provide anonymity, protecting the spammer from prosecution. Spammers have also used infected PCs to target anti-spam organizations with distributed denial-of-service attacks.<br />
<br />
In order to coordinate the activity of many infected computers, attackers have used coordinating systems known as botnets. In a botnet, the malware or malbot logs in to an Internet Relay Chat channel or other chat system. The attacker can then give instructions to all the infected systems simultaneously. Botnets can also be used to push upgraded malware to the infected systems, keeping them resistant to antivirus software or other security measures.<br />
<br />
It is possible for a malware creator to profit by stealing sensitive information from a victim. Some malware programs install a key logger, which intercepts the user's keystrokes when entering a password, credit card number, or other information that may be exploited. This is then transmitted to the malware creator automatically, enabling credit card fraud and other theft. Similarly, malware may copy the CD key or password for online games, allowing the creator to steal accounts or virtual items.<br />
<br />
Another way of stealing money from the infected PC owner is to take control of a dial-up modem and dial an expensive toll call. Dialer (or porn dialer) software dials up a premium-rate telephone number such as a U.S. "900 number" and leaves the line open, charging the toll to the infected user.<br />
<br />
</span>]]></content:encoded>
		</item>
		<item>
			<title><![CDATA[Top 10 Security Nightmares of the Decade ]]></title>
			<link>http://www.secarab.com/thread-3365.html</link>
			<pubDate>Wed, 18 May 2011 19:11:12 +0000</pubDate>
			<guid isPermaLink="false">http://www.secarab.com/thread-3365.html</guid>
			<description><![CDATA[<span style="font-size: large;">Peace be upon you, and the mercy and blessings of God:<br />
<br />
Top 10 Security Nightmares of the Decade <br />
<br />
<br />
1. Cyberwar<br />
<br />
What started out small ended up pretty big. Back in February 2000, a Canadian teenager named Mafiaboy used automated floods of incomplete Internet traffic to cause several sites--including Amazon, CNN, Dell, eBay, and Yahoo--to grind to a halt, in what is called a distributed denial of service (DDoS) attack. <br />
<br />
Michael Calce, aka Mafiaboy, pleaded guilty to 55 of 66 counts of mischief and was sentenced to eight months' detention. Calce later wrote a book about his experience, entitled Mafiaboy: How I Cracked the Internet and Why It's Still Broken. Some experts say that all security threats progress through a cycle that moves from fun to profit to politics, and DDoS attacks were no different: Opportunist criminals next started using DDoS to hold various gambling sites for ransom.<br />
<br />
In May 2007, DDoS attacks turned political, with hundreds of online Russian sympathizers blocking Estonian government Websites, all because a World War II memorial had been relocated. The attacks continued through the summer until Computer Emergency Response Teams (CERT) from various nations mitigated them. The following year, Russian organized crime targeted the government of Georgia with a DDoS attack.<br />
<br />
While some people think the United States might not be ready for the upcoming cyberwars, experts from CERT are now advising the U.S. government on how better to protect its infrastructure based on the attacks we've seen thus far.<br />
<br />
2. Malware Makes Strange Bedfellows<br />
<br />
Viruses and worms have always been around, but in the summer of 2001 one aggressive worm threatened to shut down the official White House Website. Code Red, so named because the discoverer was drinking "Code Red" cola from Mountain Dew at the time, warranted an unprecedented joint press conference with the FBI's National Infrastructure Protection Center, the U.S. CERT, the Federal Computer Incident Response Center (FedCIRC), the Information Technology Association of America (ITAA), the SANS Institute, and Microsoft.<br />
<br />
Two years later, Microsoft again teamed with the U.S. Secret Service, the FBI, and later Interpol to offer a &#36;250,000 reward for information leading to the arrest of those responsible for SoBig, MSBlast, and other major viruses at the time.<br />
<br />
Such public-private cooperation is rare, but it happened again in early 2009 when Conficker was poised to wreak havoc on the Internet at midnight on April 1. That didn't happen, thanks in part to a unique coalition of rival antivirus companies that collaborated with government agencies under the Conficker Working Group name. To this day, this group continues to monitor the worm. Organizations are stronger when they team up against a common enemy, and even security companies can put aside their differences for the common good. <br />
<br />
3. MySpace, Facebook, and Twitter Attacks<br />
<br />
At the beginning of the decade, security experts at businesses had to struggle with employees' use of instant messaging from AOL, Webmail from Yahoo, and peer-to-peer networks. These applications poked holes in corporate firewalls, opening various ports that created new vectors for malware.<br />
<br />
The battle initially focused on server port 80; but by the end of the decade, the top concerns were Facebook, Twitter, and other Web 2.0 applications.<br />
<br />
In 2005, a teenager authored the Samy worm on MySpace, which highlighted a central problem of Web 2.0--that user-contributed content could contain malware. Even as Facebook endured a few privacy snafus, it also had its own worm, called Koobface. <br />
<br />
In 2009, Twitter came of age, too, attracting its own malware and highlighting the dangers of shortened URLs--with them, you can't see what's waiting on the other side. Twitter also suffered from spam...or did Guy Kawasaki really send you that porn link?<br />
<br />
4. Organized Viruses and Organized Crime<br />
<br />
After the Melissa virus struck in 1999, e-mail-borne viruses peaked the following year with ILOVEYOU, which clogged e-mail servers worldwide within 5 hours. (See "The World's Worst Viruses" for more about a clutch of the decade's early offenders.)<br />
<br />
As e-mail spam filters improved to block bulk mailings, malicious coders looked elsewhere, turning to self-propagating worms like MSBlast, which exploited a flaw in Remote Procedure Call messages, and Sasser, which exploited a flaw in Internet Information Services (IIS). About this time, viruses and worms began using Simple Mail Transfer Protocol (SMTP) to bypass e-mail filters so that the compromised machines could spew pharmaceutical spam to random addresses on the Net.<br />
<br />
Shortly after Microsoft's Reward program netted Sven Jaschen, author of Netsky and Sasser, in 2004, the image of a single author creating viruses in a parents' basement fell out of favor, replaced by organized crime operations with financial ties to porn and bulk pharmaceutical companies. (In 2005, PCWorld wrote a series on the problem, "Web of Crime.") Groups such as the Russian Business Network (RBN) ran sophisticated spam campaigns, including pump-and-dump penny-stock spam.<br />
<br />
5. Botnets<br />
<br />
With the financial backing of organized crime syndicates came widespread and clever innovations in malware.<br />
<br />
In 2007, the Storm worm--which began like any other virus--started talking to other Storm-compromised computers, forming a network of compromised computers all using the Overnet peer-to-peer protocol. This protocol allowed the operator to send out a spam campaign or to use the compromised computers to launch a DDoS attack.<br />
<br />
Storm was not alone. Nugache, another virus, was building a botnet, too. And there were others. Today, botnets have spread to the Mac OS and Linux operating systems. The chances are approaching 50/50 that you might have at least one bot on one of your computers now.<br />
<br />
6. Albert Gonzalez<br />
<br />
It wasn't organized crime but rather a confederacy of criminals that caused some of the largest data breaches over the last few years--attacks that victimized Dave &amp; Busters, Hannaford Brothers, Heartland Payment Systems, and TJX, to name just a few. One man, Albert Gonzalez, pleaded guilty to most of these heists, and was implicated in others. Gonzalez and his crew entered malicious code through the Web-facing sites of these major companies. In turn, the malware infiltrated the internal network, where it could look for unencrypted credit card data. <br />
<br />
To combat such data breaches, in 2005 the Payment Card Industry (PCI) produced 12 requirements that all of its member merchants must follow; the PCI Security Council updates those requirements every two years. What lies ahead is end-to-end encryption of the credit card data, so that your personal information is never in the clear from cash register to card brand.<br />
<br />
7. Gone Phishing<br />
<br />
More effective than spam, yet short of a full-blown data breach, is phishing. The idea here is that a creatively designed e-mail can lure you into visiting a believable-looking site designed solely to steal your personal information. Often these sites use "fast flux," the ability to switch domains quickly so that you can't lead law enforcement back to the site.<br />
<br />
Using logos and designs from banks and e-commerce sites, some phishing sites seem entirely realistic, a vast improvement over the crude pages full of misspellings of a few years ago. The best defense? Don't click!<br />
<br />
8. Old Protocol, New Problem<br />
<br />
Behind the Internet are protocols, some of which today perform functions far beyond what they were originally designed to do. Perhaps the most well-known of the overextended protocols is the Domain Name System (DNS), which, as IOActive researcher Dan Kaminsky explained in 2008, could be vulnerable to various forms of attack, including DNS cache poisoning.<br />
<br />
DNS converts a Website's common name (for example, <a href="http://www.pcworld.com" target="_blank">http://www.pcworld.com</a>) into its numerical server address (for example, 123.12.123.123). Cache poisoning means that the stored address for a common name could be incorrect, thus leading a user to a compromised site rather than to the intended site--and the user has no way to know. Kaminsky managed to keep the flaw known to a limited group of companies for about six months, and then rolled out a coordinated series of patches that seemed to address many of the more serious vulnerabilities.<br />
<br />
Similarly, researcher Marsh Ray of PhoneFactor discovered a hole within SSL/TLS, one that allows for man-in-the-middle attacks while authenticating the two parties. This wasn't a vendor-specific problem, but a protocol-level flaw. Ray, like Kaminsky, also set about coordinating a patch among affected vendors. However, a second researcher stumbled upon roughly the same thing, so Ray felt compelled to come forward with his vulnerability, even though some of the patches are still to come.<br />
<br />
Disclosures such as these have hastened the move to newer standards, such as DNSSEC, which authenticates data in the DNS system, and a newer version of SSL/TLS. Look for the replacement of existing protocols to continue in the coming years.<br />
<br />
9. Microsoft Patch Tuesdays<br />
<br />
A decade ago, Microsoft released its patches only as needed. Sometimes that was late on a Friday afternoon, which meant that bad guys had all weekend to reverse-engineer the patch and exploit the vulnerability before system administrators showed up for work on Monday.<br />
<br />
Starting in the fall of 2003, Microsoft released its patches on a simple schedule: the second Tuesday of every month. What has become known as "Patch Tuesday" has, over the last six years, produced a crop of fresh patches every month, except for four. Oracle patches quarterly, and Adobe recently announced that it would patch quarterly, on or near Microsoft's Patch Tuesday. Apple remains the only major vendor that doesn't adhere to a regular cycle for its patches. <br />
<br />
10. Paid Vulnerability Disclosure<br />
<br />
Independent researchers have debated for years whether to go public with a newly found flaw or to stay with the vendor until a patch is created. In some cases the vendor doesn't get back to the researcher, or doesn't make publication of the flaw enough of a priority, so the researcher goes public. On the other side of the fence, criminals certainly don't go public, knowing that such vulnerability information is worth serious money on the black market.<br />
<br />
After years of back and forth, in recent times one or two security companies have decided to pay researchers to stay quiet; in exchange, the company works with the necessary vendor to see that the patch is produced in a timely fashion and that clients of the company get details of the flaw sooner than the general public.<br />
<br />
For instance, at the CanSecWest Applied Security Conference, Tipping Point Technologies annually awards &#36;10,000 to the researcher who can hack a given system. And payment-for-vulnerabilities programs have matured in recent years. For example, in Microsoft's December 2009 Patch Tuesday release, all five of the Internet Explorer vulnerabilities patched can be attributed to the iDefense Zero Day Initiative program.<br />
<br />
Robert Vamosi is an award-winning computer-virus and security columnist, and a security analyst. </span>]]></description>
		</item>
	</channel>
</rss>