<?xml version='1.0' encoding='UTF-8'?><rss xmlns:atom='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' version='2.0'><channel><atom:id>tag:blogger.com,1999:blog-5074766823662728299</atom:id><lastBuildDate>Sat, 19 Dec 2009 05:40:55 +0000</lastBuildDate><title>NETWORK SECURITY AND THREATS</title><description></description><link>http://networksecurity2008.blogspot.com/</link><managingEditor>firazahmed@gmail.com (SHEIK FIRAZ)</managingEditor><generator>Blogger</generator><openSearch:totalResults>57</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-4137441741059773018</guid><pubDate>Sat, 28 Feb 2009 18:13:00 +0000</pubDate><atom:updated>2009-03-28T10:16:12.620-07:00</atom:updated><title>GHOST ADWARE</title><description>&lt;h3&gt;Name: Adware.Win32.Ghost Keylogger&lt;/h3&gt; &lt;p&gt;&lt;b&gt;Risk level:&lt;/b&gt; Severe Risk&lt;/p&gt; &lt;p&gt;&lt;b&gt;Company:&lt;/b&gt; Sureshot Software - http://keylogger.net/&lt;/p&gt; &lt;p&gt;&lt;b&gt;Description:&lt;/b&gt;&lt;/p&gt; &lt;p&gt;Ghost Keylogger is an invisible keylogger that records every keystroke. 
It monitors Internet activity by logging the addresses of visited homepages.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Characteristics:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;It is an invisible keylogger that records every keystroke.&lt;/li&gt;&lt;li&gt;It monitors Internet activity by logging the addresses of visited homepages.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;b&gt;Installation:&lt;/b&gt; Installed through EXE&lt;/p&gt; &lt;b&gt;Process:&lt;/b&gt; syncconfig.exe&lt;br /&gt;&lt;p&gt;&lt;b&gt;Used folders:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\agent&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;b&gt;Used files:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\manual.html&lt;br /&gt;[30026 Bytes] HTML Document&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\agent\syncagent.exe&lt;br /&gt;[626688 Bytes] Application&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\agent\syncagent.dll&lt;br /&gt;[258048 Bytes] Application Extension&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\syncconfig.exe&lt;br /&gt;[663552 Bytes] Application&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\faq.html&lt;br /&gt;[29722 Bytes] HTML Document&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\agent\syncagent.cfg&lt;br /&gt;[2641 Bytes] Microsoft Office Outlook Configuration File&lt;/li&gt;&lt;/ul&gt;
</description><link>http://networksecurity2008.blogspot.com/2009/02/ghost-adware.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-7964213090690319830</guid><pubDate>Wed, 25 Feb 2009 07:55:00 +0000</pubDate><atom:updated>2009-02-07T08:49:23.854-08:00</atom:updated><title>PRESENT SITUATION</title><description>PRESENT SITUATION&lt;br /&gt;&lt;br /&gt;As the volume of financial and other data transactions increases over the Internet, the potential for harm from network threats also increases. As a consequence, complex security measures that were once required only by Fortune 500 companies, such as regular security audits, are increasingly a necessity even for the smallest of companies.&lt;br /&gt;&lt;br /&gt;As we continue to become an ever more networked society, the financial benefits attainable by hacking a network increase. As a result, it should come as no surprise that the number of attacks and the creativity spent in trying to breach a network continue to increase. 
Consequently, those tasked with defending networks must continue to educate themselves and their workforce on the newest types of attacks and make the necessary preparations to protect against them.</description><link>http://networksecurity2008.blogspot.com/2009/01/conclusion.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-4504801116659496262</guid><pubDate>Wed, 25 Feb 2009 07:54:00 +0000</pubDate><atom:updated>2009-02-21T02:02:25.933-08:00</atom:updated><title>ZOMBIE COMPUTERS AND BOTNETS</title><description>Zombie Computers and Botnets&lt;br /&gt;If you've ever wondered who is sitting around sending out all those spam emails, the answer may be you. A recent New York Times article estimates that as much as 80 percent of spam messages are sent out by the computers of ordinary individuals who have no idea their computers have been converted into 'zombies'. A 'zombie' computer is simply a computer infected with malware that causes it to act as a tool of a spammer by silently sending out thousands of emails from the owner's email address.&lt;br /&gt;&lt;br /&gt;Infected 'zombie' computers are organized by spammers into small groups called 'botnets'. These 'botnets' then send out spam that may include phishing attempts, viruses and worms. 
Unfortunately for network managers and business owners, the 'zombie' malware threat is expected to continue to grow both in number and variety over the next few years. Currently, 'zombies' are used to carry out the following types of attacks:&lt;br /&gt;&lt;br /&gt;Spamming and phishing attacks. This classic use of 'zombie' computers is still the most common.&lt;br /&gt;&lt;br /&gt;Click fraud in advertising networks. Using a hidden program, zombie computers emulate human clicking on ads at a website or weblog. While Google said in Dec 2006 that click fraud for their AdSense contextual ad network is less than 2 percent, some advertisers have much higher estimates. Whatever the actual figure, creating click fraud zombies is currently a multi-million dollar industry, so do not expect it to stop soon.&lt;br /&gt;&lt;br /&gt;DoS attacks. Your company may have malicious competitors or spiteful former employees who will stoop to any level to bring your company down. In this instance, your enemy might launch a Denial-of-Service (DoS) attack, which is an attack designed to make the hosted pages of a website or network unavailable to customers or employees. For instance, a spiteful former employee may launch a DoS attack on your biggest selling day of the year. Consequently, your company will lose all the business it might have had that day as customers are unable to access your Web site.&lt;br /&gt;&lt;br /&gt;Pump and dump stock schemes. In this scheme, spammers buy up a large block of a penny stock (especially sub-$1 per share), then use their 'zombies' to spam millions of people with emails about the stock in the hopes that a few fools will take the bait and buy a few thousand shares, thus raising the price. 
After the price spike, the spammer then sells off his holdings and makes a quick buck.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Because ‘botnets’ typically work silently on ‘zombie’ computers and are often enabled by the secret installation of Trojan horses, it is very difficult to tell whether a computer has been infected. Preventing ‘botnets’ from turning your network computers into 'zombies' requires that you educate your employees to keep all forms of security software up to date, and to run a virus scan regularly, preferably nightly. In addition to nightly scanning, train your employees to look for sudden unusual behavior of your computer(s), such as persistent slowdowns or crashing, as a sign that they may be infected. If, despite your best efforts, a network computer becomes infected, treatment can vary wildly, from simply scanning for and deleting the botnet malware to reformatting the computer's hard drive.</description><link>http://networksecurity2008.blogspot.com/2009/01/10-zombie-computers-and-botnets.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-8119620069827700424</guid><pubDate>Wed, 25 Feb 2009 07:54:00 +0000</pubDate><atom:updated>2009-02-21T02:35:22.242-08:00</atom:updated><title>SHARED COMPUTERS</title><description>Shared Computers&lt;br /&gt;In 
the IT community, it is often said that shared computers are like public bathrooms: they may appear clean, but are usually chock full of viruses. Thankfully, the danger of shared computers is one network threat that you can largely render harmless by limiting the activities that you and your employees perform.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;If you or your employees use public computers, don't permit them to log into important online accounts, especially those containing financial details. You never know when a keylogger might be lying in wait, ready to steal your password and then your company’s money. Beyond avoiding access to sensitive data through public computers, forbid your employees, if you can, from logging into any network accounts at all on any public computer. While enforcement of this policy is difficult, simply educating your staff on the dangers of using public computers is often sufficient to eliminate most of these incidents.</description><link>http://networksecurity2008.blogspot.com/2009/01/9-shared-computers.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-7691688095493387112</guid><pubDate>Wed, 25 Feb 2009 07:53:00 +0000</pubDate><atom:updated>2009-02-21T02:30:25.452-08:00</atom:updated><title>HARDWARE LOSS AND 
RESIDUAL DATA FRAGMENTS</title><description>Hardware Loss and Residual Data Fragments&lt;br /&gt;&lt;br /&gt;Over the past few months, a number of government laptops have been stolen and the story has made national news. The government is concerned not because of the cost of replacing a few laptops, but because of the network vulnerabilities that the loss of this hardware threatens to cause. In fact, hardware loss is a large cause of the more than 10 million cases of identity theft suffered by Americans each year.&lt;br /&gt;&lt;br /&gt;These types of problems are not what we commonly think of as network security threats, but stolen or sold laptops and computers pose one of the biggest threats for networks. Businesses often sell older computers without completely wiping the drives clean of data, including system passwords. Just as with stolen computers, this information can then be easily used to gain access to the network and compromise the security of the entire system.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Thankfully, the threat of hardware loss and residual data fragments can be minimized by taking a few rather straightforward steps:&lt;br /&gt;Encrypt sensitive company data, especially the laptops and files of executives who are most likely to be targeted. When traveling through foreign airports the problem can be especially acute, as laptops of prominent individuals are sometimes taken aside under the guise of "security", and their hard drives are quickly mirrored and used to blackmail the company. Despite the obvious benefits of securing data, a recent survey found that although 64 percent of companies were more concerned about data loss than the cost of replacing hardware, only 12 percent were actually using encryption.&lt;br /&gt;&lt;br /&gt;Wipe/shred files on old hard drives before they leave your organization. This is as much an issue of data compliance regulations as it is of network security. 
No matter what your motivation, however, failing to clean discarded hardware can leave your entire network vulnerable.&lt;br /&gt;&lt;br /&gt;Develop a policy for keeping track of employees' use of smartphones and USB memory cards around sensitive data. Simply letting employees know that you have such a policy and are monitoring the use of these devices will go a long way to preventing their misuse and protecting the network.&lt;br /&gt;&lt;br /&gt;Use an RFID-based Asset Management system for computers, laptops, and other sensitive hardware to keep tabs on their whereabouts in your premises.</description><link>http://networksecurity2008.blogspot.com/2009/01/8-hardware-loss-and-residual-data.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-6691622541667919032</guid><pubDate>Wed, 25 Feb 2009 07:52:00 +0000</pubDate><atom:updated>2009-04-08T04:54:01.303-07:00</atom:updated><title>PASSWORD ATTACKS</title><description>Password Protection&lt;br /&gt;Passwords are undeniably a huge part of your online security. You'll find that almost every website you visit that deals with online transactions, emailing, and shopping uses passwords to verify that you are who you say you are. 
This means that you not only need to choose a password that cannot easily be figured out, but you should also keep it safe and secure and not share it with anyone. Do not use the same password for all of your accounts, and try to come up with a password that contains letters, numbers, and special characters.&lt;br /&gt;&lt;br /&gt;Password Attacks&lt;br /&gt;&lt;br /&gt;A 'Password Attack' is a general term that describes a variety of techniques used to steal passwords to accounts.&lt;br /&gt;&lt;br /&gt;Brute-force. One of the most labor-intensive and unsophisticated methods hackers use to steal passwords is to try to guess a password by repeatedly entering new combinations of words and phrases compiled from a dictionary. This 'dictionary attack' can also be used to try to guess usernames, so developing difficult-to-guess usernames and passwords is increasingly vital to network security.&lt;br /&gt;&lt;br /&gt;Packet sniffers. As discussed above, packet sniffers glean data electronically from a compromised network.&lt;br /&gt;&lt;br /&gt;IP-spoofing. Similar to 'Honeypots', this attack involves the interception of data packets by a computer successfully pretending to be a trusted server/resource.&lt;br /&gt;&lt;br /&gt;Trojans. Trojans are actually invasive, as discussed above, and of these methods, are the most likely to be successful, especially if they install keyloggers.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Automated testing (e.g., dictionary scanning), human behavior (e.g., lack of diversity in usernames and passwords), and other security flaws make it easier for password attackers to succeed. 
Unfortunately, there is no single method to prevent password attacks, though combining network traffic analysis with the old stalwarts of email scanning, virus protection, firewalls and an educated work force can form a strong defense for any network.</description><link>http://networksecurity2008.blogspot.com/2009/01/7-password-attacks.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-8579592248745406160</guid><pubDate>Wed, 25 Feb 2009 07:52:00 +0000</pubDate><atom:updated>2009-02-21T02:39:23.896-08:00</atom:updated><title>MALICIOUSLY CODED WEB SITES</title><description>Maliciously-Coded Web sites&lt;br /&gt;&lt;br /&gt;Maliciously-coded Web sites can take many different forms, from installing Trojan horses to redirecting you to an unrequested site. But one of the most threatening forms of maliciously-coded websites, those that are designed to steal passwords, is on the rise [4]. A very common form of these Web sites takes advantage of people's charitable instincts by setting up traps in what appear to be sites that allow you to make donations to victims of natural disasters such as Hurricane Katrina. 
Hackers set up a fake sign-in page, and then encourage unsuspecting victims to enter their credit card number and other personal information.&lt;br /&gt;&lt;br /&gt;In addition to stealing personal information, maliciously-coded websites are also often designed for the following purposes:&lt;br /&gt;installation of keyloggers&lt;br /&gt;adware/spyware/reading cookies&lt;br /&gt;drive-by downloads&lt;br /&gt;XSS - cross-site scripting to utilize web browser flaws for other purposes.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;In order to protect your network, you should encourage your employees to purchase information only from security-certified sites, and to use PayPal instead of a credit card whenever possible, since by doing so they will not have to reveal their credit card information to another site. In addition to limiting the number of times credit card information is typed into a website, paying by PayPal is also helpful because maliciously-coded sites are less likely to accept PayPal payments since the owners of that PayPal account are easier to trace to an address or bank account.&lt;br /&gt;&lt;br /&gt;Further, you should instruct your employees to never sign up for new Web 2.0 applications without using a different username and password than they ordinarily use for sensitive data. Creating a regular browser patch and plugin update schedule will also ensure that your virus and email protections are up to date. Finally, you should systematically set the browser security settings of all your network computers to a higher than default setting. 
While this step will not eliminate the possibility that your employees will stumble upon maliciously-coded sites, it will reduce how often that occurs.</description><link>http://networksecurity2008.blogspot.com/2009/01/6-maliciously-coded-web-sites.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-1581614793030630320</guid><pubDate>Wed, 25 Feb 2009 07:50:00 +0000</pubDate><atom:updated>2009-02-21T02:40:47.039-08:00</atom:updated><title>PACKET SNIFFERS</title><description>Packet Sniffers&lt;br /&gt;&lt;br /&gt;Packet sniffers capture data streams over a network, thus allowing for the capture of sensitive data like usernames, passwords and credit card numbers. The result, unsurprisingly, is the loss of data, trade secrets, or online account balances. 
For network managers specifically, even bigger losses can come from lawsuits due to noncompliance with data protection regulations.&lt;br /&gt;&lt;br /&gt;While packet sniffers have been used in rather harmless ways, such as by law enforcement and by corporations for data protection compliance purposes (HIPAA, SOX/Sarbox, Gramm-Leach-Bliley Act), the real concern for network owners is the more malicious uses of packet sniffers.&lt;br /&gt;&lt;br /&gt;Packet sniffers work by monitoring and recording all the information that comes from and goes to your computer over a compromised network. So in order to be effective, the packet sniffer must first have access to the network you are using. The most common way to do this is through something called honeypots. Honeypots are simply unsecured wifi access points that hackers set up to trap people into using them. Typically, these honeypots are set up in public places such as airports, and the wifi network is titled something like "Free Public Wi-Fi". Unsuspecting individuals then sign onto the corrupted network and the packet sniffer then grabs their personal information when they enter things like their credit card info into a site.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Education is simply the best policy to deal with the threat of packet sniffers. Once your employees know to never access the internet through an unsecured connection, and are made aware of the fact that packet sniffers exist, they are much less likely to fall victim to this hacking technique. Because a single employee falling victim to packet sniffing can compromise sensitive network data, it is important that everyone learn how to identify honeypots and how to secure their own home wifi networks. In addition, make sure that your employees use a variety of different sign-on names and passwords to access various levels of network security. 
That way, if login information is compromised, the damage can at least be limited in scope.</description><link>http://networksecurity2008.blogspot.com/2009/01/5-packet-sniffers.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-8931954838694278995</guid><pubDate>Wed, 25 Feb 2009 07:50:00 +0000</pubDate><atom:updated>2009-03-07T08:36:50.859-08:00</atom:updated><title>PHISHING</title><description>Phishing&lt;br /&gt;&lt;br /&gt;Anyone who has ever used PayPal or does their banking online has probably received dozens of emails with titles such as, "URGENT: Update Account Status". These emails are all attempts by a spammer to "phish" your account information. Phishing refers to spam emails designed to trick recipients into clicking on a link to an insecure website. Typically, phishing attempts are executed to steal account information for e-commerce sites such as eBay, payment processors such as PayPal, or regular financial institutions' websites. A phishing email supplies you with a link to click on, which will take you to a page where you can re-enter all your account details, including credit card number(s) and/or passwords. 
Of course, these sites aren't the actual bank's site, even though they look like it.&lt;br /&gt;&lt;br /&gt;Your company's mobile phones may not be safe either, as SMS messaging is now frequently used for a new type of phishing called SMiShing. Once the SMiShing is successful, other malware such as Trojans are sometimes released onto the mobile phone. These Trojans then silently send high-cost text messages, which go onto the sender's bill.&lt;br /&gt;&lt;br /&gt;Some criminals are also using VoIP or VoIM software to send vishing messages. These try to confuse people into calling the provided number - usually an automated VoIP Call-In number - and revealing credit card details, which are recorded in audio form.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Phishing in all its varieties is a huge and growing problem for network security managers and business owners. As we all become more interconnected and access more and more personal information through networks, there are more and more opportunities for phishers to attack. To protect your network, it is becoming increasingly vital that you educate your employees about the most common ways in which hackers try to phish your account information. Even though simplistic phishing attempts like the PayPal scam now seem obvious to regular internet users, a single phishing attack can compromise an entire network's security if the employee is tricked into giving his network account information. 
Even after educating your work force, you should consider adding a header to your network browser that reminds users never to enter personal information solicited through an email, and you should certainly use a sophisticated email filter to limit the number of phishing attacks that your employees must navigate around.</description><link>http://networksecurity2008.blogspot.com/2009/01/4-phishing.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-6847004085949497183</guid><pubDate>Wed, 25 Feb 2009 07:49:00 +0000</pubDate><atom:updated>2009-03-07T08:39:44.181-08:00</atom:updated><title>SPAM</title><description>Spam&lt;br /&gt;&lt;br /&gt;Depending on the source cited, spam makes up 70 to 84 percent of daily emails sent throughout the world. All that spam results in billions of dollars in lost productivity and creates an ever increasing need for IT resources to filter out this irritating and potentially malicious menace.&lt;br /&gt;&lt;br /&gt;Spam email takes a variety of forms, ranging from unsolicited emails promoting products like Viagra, to coordinated spam attacks designed to take up so much bandwidth on a network that it crashes. 
A more recent trend is image spam, which eats up even more bandwidth than its textual cousin, and often circumvents contextual spam filters, which analyze the message text to look for indications that the email is spam. Another brand new technique that spammers are using is called "news service" spam, which uses legitimate headlines such as "Howard Stern Earns $83M Bonus" to trick recipients into opening spam emails that are filled with spammy drug advertisements. These and other new spam trends constantly threaten the productivity of email and the security of IT networks.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Fortunately, a great deal of spam can be filtered out by a good email filter. And much of what slips through can be avoided by staying current on the latest techniques that spammers use. In addition, you should protect your network from email spam by requiring your employees to use separate accounts for their personal internet use, and demand that company accounts not be used to sign up for any online service or freebie. 
In addition, when creating company email accounts make sure to use a naming system which is not easily guessable (unlike, e.g., JSmith@domain.com), as spammers are increasingly going through common name lists in order to harvest emails to spam.</description><link>http://networksecurity2008.blogspot.com/2009/01/3-spam.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-1527942744294331516</guid><pubDate>Wed, 25 Feb 2009 07:47:00 +0000</pubDate><atom:updated>2009-04-07T00:58:55.961-07:00</atom:updated><title>TROJAN HORSES</title><description>Trojan Horses&lt;br /&gt;&lt;br /&gt;A Trojan horse is a malware attack that disguises itself as something innocent, such as a computer game, or a YouTube search results page. A recent example of a devastating Trojan horse used an email with a link that supposedly connected the reader to a video of the Saddam Hussein hanging, but instead just infected them with malware. Once installed on a computer, the 'Saddam' Trojan horse then downloaded and installed a keylogger onto the infected computer. 
This keylogger was used to record every keystroke by a computer’s user, thus stealing financial account information and passwords.&lt;br /&gt;&lt;br /&gt;The 'Saddam' Trojan horse is noteworthy only because it was so successful, but the actual methods that it used to infect computer networks are not unique. In fact, Trojans are particularly dangerous because they all appear so innocuous on the surface. Often Trojans embed themselves on a particular website (usually adult, gaming, or gambling), hide in downloaded free software, or, as with the "Saddam" Trojan horse, infect a person who clicks on a link sent to them in an email.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Because hackers are so creative in coming up with new and different types of Trojan horses, training employees on what to look for will not prevent Trojan horses from infecting your network. Instead, you may want to consider blocking users from downloading freeware, blocking links embedded in emails, and using a whitelist to create a list of approved websites that employees may visit. Because Trojans are much easier to prevent than they are to cure, with an infected computer sometimes requiring a complete reformatting of the hard drive, taking these drastic preventative measures may be warranted for some companies. The methods for dealing with Trojans are generally the same as those for dealing with viruses. Most virus scanners attempt to deal with some of the common Trojans with varying degrees of success; there are also specific "anti-Trojan" scanners available, and your best weapon is common sense yet again. Score another point for safe computing!&lt;br /&gt;&lt;br /&gt;A Trojan Horse meets the definition of virus that most people use, in the sense that it attempts to infiltrate a computer without the user’s knowledge or consent. A Trojan horse, similar to its Greek mythological counterpart, often presents itself as one form while it is actually another. 
A recent example of malware acting as a Trojan horse is the e-mail version of the “Swen” virus, which falsely claimed to be a Microsoft update application.&lt;br /&gt;Trojans typically do one of two things: they either destroy or modify data the moment they launch, such as erasing a hard drive, or they attempt to ferret out and steal passwords, credit card numbers, and other such confidential information.&lt;br /&gt;&lt;br /&gt;Trojan Horses can be a bigger problem than other types of viruses as they are designed to be destructive or disruptive, as opposed to viruses and worms where the coder may not intend to do any harm at all. Essentially this distinction does not matter in the real world. You can lump viruses, Trojans and worms together as "things I don't want on my computer or my network".</description><link>http://networksecurity2008.blogspot.com/2009/01/2-trojan-horses.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-3658874451160396059</guid><pubDate>Sat, 21 Feb 2009 17:15:00 +0000</pubDate><atom:updated>2009-04-25T02:48:40.227-07:00</atom:updated><title>GAME.EXE</title><description>game.exe (Game Dialler) - Details&lt;br /&gt;&lt;br /&gt;The game.exe process will take over your modem and attempt to 'dial out' to (potentially overseas or toll-rate) 
telephone numbers in order to download adult content and store it on your computer.&lt;br /&gt;&lt;br /&gt;game.exe is considered to be a security risk, not only because antivirus programs flag Game Dialler as a virus, but also because a number of users have complained about its performance.&lt;br /&gt;&lt;br /&gt;Game Dialler is likely a virus and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of game.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information to websites.&lt;br /&gt;&lt;br /&gt;game.exe is considered to be a security risk, not only because spyware removal programs flag Game Dialler as spyware, but also because a number of users have complained about its performance.&lt;br /&gt;&lt;br /&gt;game.exe is considered to be a security risk, not only because Adware Removal programs flag Game Dialler as Adware, but also because there can be privacy issues associated with this product.&lt;br /&gt;&lt;br /&gt;Game Dialler is likely adware and as such, presents an unnecessary risk which should be eliminated! Removing game.exe may cause a number of problems, such as slow performance, loss of data or leaking private information.&lt;br /&gt;&lt;br /&gt;Removing Game Dialler may be difficult.&lt;br /&gt;&lt;br /&gt;game.exe is related to aconti.exe, arr.exe, dvdkeyauth.exe, fastdown.exe, infus.exe, movieplace.exe, sws.exe, win32us.exe.&lt;br /&gt;&lt;br /&gt;You should visit our Anonymous Surfing section to make sure your system is not giving away information like that of game.exe.&lt;br /&gt;GAME.EXE - Disclaimer&lt;br /&gt;&lt;br /&gt;Every attempt has been made to provide you with the correct information for game.exe or GAME DIALLER. Many spyware / malware programs use filenames of usual, non-malware programs. 
If we have included information about game.exe that is inaccurate, we would greatly appreciate your help by updating the Process Information database and we will do our best to correct it.&lt;br /&gt;&lt;br /&gt;You should verify the accuracy of information we provided about game.exe. Game Dialler may have had a status change since this page was published.</description><link>http://networksecurity2008.blogspot.com/2009/04/gameexe.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-2589693345408220140</guid><pubDate>Thu, 19 Feb 2009 11:03:00 +0000</pubDate><atom:updated>2009-05-19T03:05:09.877-07:00</atom:updated><title>HACKING IN LINUX</title><description>&lt;h1&gt; Hack attacks on Linux on the rise&lt;/h1&gt; &lt;b&gt; Hackers are increasingly targeting Web servers based on the Linux operating system, while the number of successful attacks on Windows systems decreases, according to a new report from a U.K. systems integrator. &lt;/b&gt; &lt;p&gt; The study by &lt;a href="http://mi2g.com/"&gt;Mi2g&lt;/a&gt; also found that successful attacks on U.K. and U.S. government sites have decreased, which may be due to tougher laws and improved security. 
&lt;/p&gt;&lt;p&gt; In the past, hackers and virus writers have largely focused their efforts on the Windows platform, as its dominance on desktop PCs makes it a ready target. However, Linux has a large share of the Web server market, and Linux server applications are often vulnerable to attack because of mismanagement, according to the study. &lt;/p&gt;&lt;p&gt; Mi2g has recorded 7,630 successful attacks on Linux systems in the first six months of this year, up sharply from last year's 5,736 attacks. In the meantime, successful attacks on Windows systems running Microsoft's Internet Information Server (IIS) have fallen by 20 percent from 11,828 in the first half of 2001 to 9,404 in the first half of this year. &lt;/p&gt;&lt;p&gt; The total number of successful attacks for the first six months of the year rose by 27 percent, from 16,007 in 2001 to 20,371 in 2002. &lt;/p&gt;&lt;p&gt; The information is based on Mi2g's own research, which includes information on more than 6,000 hacker groups and records of more than 60,000 hacking events since 1995. The database includes the Computer Security Issues and Trends Survey from the Computer Security Institute and the FBI. &lt;/p&gt;&lt;p&gt; The firm urged Linux system administrators to be more vigilant about patching known security bugs. "A quick response in addressing all weaknesses as soon as they are known has now become critical," D.K. Matai, Mi2g's chairman and chief executive, said in a statement. &lt;/p&gt;&lt;p&gt;Mi2g said that successful attacks on U.S. government systems were down sharply, from 204 in the first half of last year to 54 in the first half of 2002. In the United Kingdom, government sites were hit 12 times in the first half of this year, compared with 38 times for the first six months of 2001. 
&lt;/p&gt;&lt;p&gt; The security firm attributed this drop partly to improved security in the wake of last September's terrorist attacks and partly to an amendment to the Cyber Security Enhancement Act passed in February 2002. The amendment gives a life imprisonment sentence to hackers who put lives at risk. &lt;/p&gt;&lt;p&gt; Mi2g is a systems integrator focused on security. The firm is based in London and mostly deals with companies in the banking and insurance sectors. &lt;/p&gt;&lt;p&gt; &lt;i&gt;ZDNet U.K.'s Matthew Broersma reported from &lt;a href="http://news.zdnet.co.uk/"&gt;London&lt;/a&gt;&lt;/i&gt;. &lt;/p&gt;</description><link>http://networksecurity2008.blogspot.com/2009/02/hacking-in-linux.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-7326445545522231240</guid><pubDate>Thu, 19 Feb 2009 10:54:00 +0000</pubDate><atom:updated>2009-05-19T03:03:18.733-07:00</atom:updated><title>ATTACKS IN LINUX</title><description>&lt;h1&gt;Attacker attempts to plant Trojan in Linux&lt;/h1&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel, which is stored in a publicly accessible database.&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Security features of the 
source-code repository, known as BitKeeper, detected the illicit change within 24 hours, and the public database was shut down, a key developer said on Thursday. The public database was used only to provide the latest beta, or test version, of the Linux kernel to users of the Concurrent Versions System (CVS), which is a program designed to manage source code.&lt;/p&gt;          &lt;p&gt;The changes, which would have introduced a security flaw to the kernel, never became a part of the Linux code and, thus, were never a threat, said Larry McVoy, founder of software company BitMover and primary architect of the source-code database BitKeeper.&lt;/p&gt;          &lt;p&gt;"This never got close to the development tree," he said. "BitKeeper is really paranoid about integrity, and it turns out that was key to finding this Trojan horse."&lt;/p&gt;          &lt;p&gt;Linus Torvalds, the original creator of Linux and the lead developer of the kernel, uses BitKeeper to keep track of changes in the core software for the operating system. On a daily basis, the software exports those changes to public and private databases other developers use.&lt;/p&gt;          &lt;p&gt;An intruder apparently compromised one server earlier, and the attacker used his access to make a small change to one of the source code files, McVoy said. The change created a flaw that could have elevated a person's privileges on any Linux machine that runs a kernel compiled with the modified source code. However, only developers who used that database were affected -- and only during a 24-hour period, he added.&lt;/p&gt;          &lt;p&gt;"The first thing we did was fix the difference," he said. "It took me five minutes to find the change."&lt;/p&gt;          &lt;p&gt;When BitKeeper exports the source code to other servers, it checks the integrity of every file, matching a digital fingerprint of its official version of the file with the version on the remote machine. 
That comparison caught the change to the code stored on the server.&lt;/p&gt;          &lt;p&gt;The changes looked like they were made by another developer, but that programmer said he hadn't submitted them, McVoy said.&lt;/p&gt;          &lt;p&gt;The recent incident raises questions about the security of open-source development methods, particularly how well a development team can guarantee that any changes are not introducing intentional security flaws. While Microsoft code has had similar problems, closed development is widely considered to be harder to exploit in that way.&lt;/p&gt;          &lt;p&gt;Linus Torvalds addressed the issue in a post to the Linux kernel mailing list.&lt;/p&gt;          &lt;p&gt;"A few things do make the current system fairly secure," he stated. "One of them is that if somebody were to actually access the (BitKeeper) trees (software repositories) directly, that would be noticed immediately."&lt;/p&gt;          &lt;p&gt;A critical security flaw was found in CVS in January, but it's unknown whether the attacker used the vulnerability to gain access to the CVS database.&lt;/p&gt;          &lt;p&gt;BitKeeper's McVoy hopes the current incident will quash objections raised by some members of the development who don't want to add a new feature that would require all changes to be digitally signed.&lt;/p&gt;          &lt;p&gt;Even so, he said, the open-source development model is likely to have quickly turned up any security flaws.&lt;/p&gt;          &lt;p&gt;"A Trojan horse is just a bug that a person has put into the system deliberately," he said. "The open-source security model is that everyone is using this stuff, so bugs get found and get fixed. That's one of the reasons that you are not hearing me freak about this."&lt;/p&gt;          &lt;p&gt;McVoy said the disk from the compromised server has been saved for later analysis, but any decision to contact law enforcement belongs to Torvalds and others. 
Torvalds could not be immediately reached for comment.&lt;/p&gt;</description><link>http://networksecurity2008.blogspot.com/2009/02/attacks-in-linux.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-5597383618702272492</guid><pubDate>Thu, 19 Feb 2009 10:46:00 +0000</pubDate><atom:updated>2009-11-22T11:12:22.399-08:00</atom:updated><title>KHATRA.EXE</title><description>&lt;h2&gt;Khatra.exe (Khatra) Trojan Virus File Information&lt;/h2&gt;&lt;table border="0" style="text-align: left;"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;th&gt;&lt;a href="http://www.virusremovalguru.com/wp-content/uploads/2008/12/smaller.jpg"&gt;&lt;img alt="Danger" class="size-full wp-image-776" height="52" src="http://www.virusremovalguru.com/wp-content/uploads/2008/12/smaller.jpg" title="smaller" width="59" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/th&gt; &lt;th&gt;Khatra.exe is a dangerous file which creates activities on a user’s computer which may be highly undesirable. 
This file is unsafe.&lt;br /&gt;&lt;/th&gt; &lt;/tr&gt;&lt;/tbody&gt; &lt;/table&gt;Type: Trojan Virus&lt;br /&gt;Location: C:\WINDOWS\system32\khatra.exe&lt;br /&gt;Risk Level: Moderate&lt;br /&gt;It can make unexpected changes to your system.&lt;br /&gt;It can disable Control Panel and creates a file in each folder of your drive.&lt;br /&gt;This file may be 600 KB in size, thus filling half of your hard disk.&lt;br /&gt;It also runs in your Task Manager and uses your memory.&lt;br /&gt;It spreads mainly through pen drives.&lt;br /&gt;&lt;br /&gt;It is recommended that you remove any malicious software such as Khatra.exe from your computer immediately.&lt;br /&gt;&lt;br /&gt;The file "khatra.exe" is known to be created under the following filenames: &lt;br /&gt;&lt;table cellpadding="10" cellspacing="0" class="frame"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;table cellpadding="5" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%AllUsersProfile%\desktop.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%AllUsersProfile%\favorites.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%AppData%\microsoft\cd burning\khatra.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%CommonDesktopDir%\desktop.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%CommonFavorites%\favorites.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%DesktopDir%\desktop.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%System%\khatra.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%UserProfile%\desktop.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%Windir%\khatarnakh.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%Windir%\system\ghost.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%Windir%\xplorer.exe&lt;br 
/&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;c:\inetpub.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;c:\inetpub\inetpub.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;c:\inetpub\wwwroot\wwwroot.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;c:\khatra.exe&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Notes:&lt;/strong&gt;         &lt;br /&gt;&lt;ul&gt;&lt;li&gt;%AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).&lt;/li&gt;&lt;li&gt;%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.&lt;/li&gt;&lt;li&gt;%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).&lt;/li&gt;&lt;li&gt;%CommonFavorites% is a variable that refers to the file system directory that serves as a common repository for all users' favorite items. A typical path is C:\Documents and Settings\All Users\Favorites (Windows NT/2000/XP).&lt;/li&gt;&lt;li&gt;%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.&lt;/li&gt;&lt;li&gt;%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).&lt;/li&gt;&lt;li&gt;%UserProfile% is a variable that specifies the current user's profile folder. 
By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).&lt;/li&gt;&lt;li&gt;%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.&lt;/li&gt;&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="2" cellspacing="0" style="width: 790px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;img alt="" src="http://www.threatexpert.com/resources/gd.gif" style="border: medium none;" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="0" cellspacing="0" class="frame"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="color: #505050; font-size: small; font-weight: bold; padding: 5px 0px 5px 10px;"&gt;The file "khatra.exe" has the following possible country of origin:&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="10" cellspacing="0" class="frame"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;table cellpadding="5" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td colspan="2"&gt;&lt;strong&gt;Origin&lt;/strong&gt;&lt;br /&gt;&lt;/td&gt;&lt;td style="width: 200px;"&gt;&lt;strong&gt;Number of Incidents&lt;/strong&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td style="width: 16px;"&gt;&lt;img alt="" src="http://www.threatexpert.com/resources/small_flags/united_kingdom.gif" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;td&gt;United Kingdom&lt;br /&gt;&lt;/td&gt;&lt;td&gt;63&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="2" cellspacing="0" style="width: 790px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;img alt="" src="http://www.threatexpert.com/resources/gd.gif" style="border: medium none;" /&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="0" cellspacing="0" class="frame"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="color: #505050; font-size: small; 
font-weight: bold; padding: 5px 0px 5px 10px;"&gt;The following threats are known to be associated with the file "khatra.exe":&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="5" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Threat Alias&lt;/strong&gt;&lt;br /&gt;&lt;/td&gt;&lt;td style="width: 200px;"&gt;&lt;strong&gt;Number of Incidents&lt;/strong&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Generic.dx [McAfee]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;60&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Trojan-Dropper.Win32.Autoit.k [Kaspersky Lab]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;60&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Trojan-Dropper.Win32.Autoit [Ikarus]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;42&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;W32.SillyFDC [Symantec]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;21&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Virus.Win32.Sality [Ikarus]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;15&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Trojan Horse [Symantec]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;12&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;W32/Autoit-BP [Sophos]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;12&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Email-Worm.Win32.Agent.kd [Kaspersky Lab]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;9&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Trojan:Win32/Malagent [Microsoft]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;9&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;W32.Harakit [Symantec]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;9&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Mal/Generic-A [Sophos]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;6&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Email-Worm.Agent!sd6 [PC Tools]&lt;br 
/&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Email-Worm.Win32.Runouce.b [Kaspersky Lab]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Mal/Inet-Fam [Sophos]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;PE_Chir.B [Trend Micro]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Trojan-Dropper.Autoit!sd6 [PC Tools]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Virus.Win32.VB.bb [Ikarus]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Virus:Win32/Virut.L [Microsoft]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;W32/Chir.b@MM [McAfee]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;W32/Chir-B [Sophos]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Win32.Virut.Gen.5 [PC Tools]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Win32/ChiHack.6652 [AhnLab]&lt;br /&gt;&lt;/td&gt;&lt;td&gt;3&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;a href="http://www.oral8.cn/viruscom/viruscom_59050.html" style="color: #cc3300;"&gt;How to remove KHATRA.EXE&lt;/a&gt;&lt;br /&gt;&lt;h1 class="style11"&gt;&lt;a href="http://www.oral8.cn/viruscom/viruscom_59050.html" style="color: #cc3300;"&gt;KHATRA.EXE removal&lt;/a&gt;&lt;/h1&gt;KHATRA.EXE  and detail of &lt;a href="http://www.oral8.cn/viruscom/viruscom_59050.html" style="color: #cc3300;"&gt;KHATRA.EXE&lt;/a&gt;:&lt;br /&gt;KHATRA.EXE description :The filename KHATRA.EXE was last seen on 02.13.2009, and it is considered unsafe. 
This threat is associated with the malware group Win32.Autoit.BP.&lt;br /&gt;Threat name: Win32.Autoit.BP&lt;br /&gt;Filename: [System32Root]\khatra.exe&lt;br /&gt;Filesize: Unknown&lt;br /&gt;Last seen: 02.13.2009&lt;br /&gt;Status: Known to RemoveIT Pro as unsafe.&lt;br /&gt;This file can perform the following behavior:&lt;br /&gt;- File is created as a process on the disk.&lt;br /&gt;- This process can create, delete or modify files on the disk.&lt;br /&gt;KHATRA.EXE removal instructions&lt;br /&gt;1. Temporarily disable System Restore and reboot the computer in Safe Mode.&lt;br /&gt;2. Locate the KHATRA.EXE virus files and uninstall the KHATRA.EXE program. Follow the step-by-step on-screen instructions to complete the uninstallation of KHATRA.EXE.&lt;br /&gt;3. Delete or modify any values added to the registry that are related to KHATRA.EXE, exit the registry editor and restart the computer.&lt;br /&gt;4. Clean or delete all KHATRA.EXE-infected files (KHATRA.EXE and related files), or rename the KHATRA.EXE virus files.&lt;br /&gt;5. Delete all your IE temp files with KHATRA.EXE manually, then run a whole scan with an antivirus program.&lt;br /&gt;Enable the 'show all hidden files..' option in the Windows Explorer View menu, and then:&lt;br /&gt;6. Search all your hard drive files and folders for '*.exe' with size &amp;lt; 1 MB and delete only the '&amp;lt;folder&amp;gt;.exe' files that have the folder symbol (those named after the folder).&lt;br /&gt;Then format your OS drive. Use NOD32 or Avast for better results.&lt;br /&gt;&lt;div class="style13 style17 style13"&gt;Need help removing KHATRA.EXE? Post your problem on the &lt;strong&gt;&lt;a href="http://help.antiviruses123.com/" style="color: #cc3300;"&gt;Free Virus Remove Help forum&lt;/a&gt; URL: &lt;a href="http://help.antiviruses123.com/" style="color: #cc3300;"&gt;http://help.antiviruses123.com&lt;/a&gt;&lt;/strong&gt;. &lt;br /&gt;&lt;/div&gt;</description><link>http://networksecurity2008.blogspot.com/2009/02/khatraexe.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-6624453598512496416</guid><pubDate>Wed, 18 Feb 2009 16:30:00 +0000</pubDate><atom:updated>2009-02-18T08:30:53.566-08:00</atom:updated><title>HOAXES</title><description>&lt;table id="enciclo_tabla" border="0" cellpadding="0" cellspacing="0" width="100%"&gt;&lt;tbody&gt;&lt;tr class="encabeza"&gt;&lt;td&gt;&lt;strong&gt;Hoax&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Brief description&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000121&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;PIN1234&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000121&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting the existence of a trick...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000119&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Xato100&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000119&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000118&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Ericsson&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000118&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It tries to get users to forward the message with the false promise...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000117&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Copa del Mundo 2006&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000117&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000116&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Invitacion&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000116&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false 
alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000114&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Hoax/Tsunami in South Asia&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000114&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It appeals to well-meaning users trying to get them to forward the...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000115&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;ICE hoax&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000115&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting the existence of threats...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000112&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Athens2004&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000112&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000108&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Llamadas Perdidas&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000108&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that several telecom...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000106&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Frog and Fish warnings&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000106&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that there are two jokes...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000096&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Bonsai Kittens&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000096&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It attempts to trick users into forwarding the message to as many...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000095&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Girls of Playboy&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000095&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;a 
href="http://secure.bidvertiser.com/performance/bdv_rss_rd.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;click=1&amp;rsrc=3" target="_blank"&gt;&lt;img src="http://bdv.bidvertiser.com/BidVertiser.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;rssimage=1&amp;rsrc=3" border="0"/&gt;&lt;/a&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5074766823662728299-6624453598512496416?l=networksecurity2008.blogspot.com' alt='' /&gt;&lt;/div&gt;</description><link>http://networksecurity2008.blogspot.com/2009/02/hoaxes.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-8311705274959397313</guid><pubDate>Tue, 17 Feb 2009 16:38:00 +0000</pubDate><atom:updated>2009-02-17T08:40:08.440-08:00</atom:updated><title>W32 THREATS</title><description>&lt;span style="font-family:arial;"&gt;W32.HLLW.Cebe: This worm spreads through the KaZaa and iMesh file-sharing networks.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;W32.Swen.A@mm: This mass-mailing worm uses its own SMTP engine to spread.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;W32.Sobig.A@mm: This worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;W32.Blaster.Worm: This worm exploits a DCOM RPC vulnerability using TCP port 135.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;a href="http://secure.bidvertiser.com/performance/bdv_rss_rd.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;click=1&amp;rsrc=3" target="_blank"&gt;&lt;img src="http://bdv.bidvertiser.com/BidVertiser.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;rssimage=1&amp;rsrc=3" border="0"/&gt;&lt;/a&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/5074766823662728299-8311705274959397313?l=networksecurity2008.blogspot.com' alt='' /&gt;&lt;/div&gt;</description><link>http://networksecurity2008.blogspot.com/2009/02/w32-threats.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-4230283633172154978</guid><pubDate>Mon, 16 Feb 2009 16:18:00 +0000</pubDate><atom:updated>2009-03-07T09:26:06.620-08:00</atom:updated><title>INSIDE THREATS</title><description>&lt;span style="font-family:arial;"&gt;Security threats that originate from inside a network can be more harmful than outside threats. Inside threats are especially dangerous and can often be overlooked by network administrators. Computers that reside on the inside network typically have a high degree of access to inside resources. Also, employees and trusted users are likely to have critical information about the network, including passwords.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;High-profile inside threats include disloyal and disgruntled employees who use their inside access to destroy, steal, or tamper with data. It is not possible to protect completely against these types of attacks. However, well-defined security policies can minimize the risks from this type of threat. For example, organizations should avoid using just a handful of passwords to protect all computer resources. Large companies should establish clear procedures for removing employee accounts and passwords in the event that an employee leaves the company.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The most harmful inside threat is a typical end user of a network.
Unaware end users can crash a network by carelessly opening e-mail attachments, installing unauthorized software, mounting disks from home, or even browsing the web. The typical cause of inside attacks is an end user who opens an e-mail attachment only to copy a virus to the computer. Many viruses thrive on the corporate network. E-mail viruses typically mail themselves to accounts listed in e-mail address books. Many corporations keep staff e-mail lists loaded on every computer, where a virus can quickly spread to all members of a company. Viruses can also seek out and infect shared files and folders, which are common on corporate networks.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;A growing problem for corporate networks is the widespread popularity of instant messaging and peer-to-peer file sharing. Employees may download instant messaging software, such as Microsoft Messenger or America Online (AOL) Instant Messenger. The instant messaging software is used to chat in real time with co-workers, friends, and family. Other users may download peer-to-peer file sharing software based on Gnutella or some other technology. Both instant messaging and peer-to-peer file sharing programs can be used to transfer virus-infected files to the local computer. Both of these types of programs listen for connections originating from the Internet. Chat and file sharing applications may be vulnerable to other forms of exploitation.
&lt;/span&gt;</description><link>http://networksecurity2008.blogspot.com/2009/02/inside-threats.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-3816397583329659409</guid><pubDate>Sun, 15 Feb 2009 10:43:00 +0000</pubDate><atom:updated>2009-03-15T03:02:25.188-07:00</atom:updated><title>PICTURES</title><description>&lt;a href="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzSI3GBlPI/AAAAAAAAAEI/FE164jZBj3I/s1600-h/securnoc_diagram_large.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352710060348658" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 286px; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzSI3GBlPI/AAAAAAAAAEI/FE164jZBj3I/s320/securnoc_diagram_large.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_Q92aoloWYdM/SbzSIs247uI/AAAAAAAAAEA/5iJ9rZqqHy8/s1600-h/outsourced_network_security_services_clip_image002.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352707312512738" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 298px; CURSOR: hand; HEIGHT: 320px; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_Q92aoloWYdM/SbzSIs247uI/AAAAAAAAAEA/5iJ9rZqqHy8/s320/outsourced_network_security_services_clip_image002.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br 
/&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzR4qc_PSI/AAAAAAAAAD4/fOYcNw6Inic/s1600-h/MALWARE.bmp"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352431789096226" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 216px; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzR4qc_PSI/AAAAAAAAAD4/fOYcNw6Inic/s320/MALWARE.bmp" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzR4UYnz5I/AAAAAAAAADw/e_tgLe55Nb4/s1600-h/FIREWALL.bmp"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352425865203602" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 246px; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzR4UYnz5I/AAAAAAAAADw/e_tgLe55Nb4/s320/FIREWALL.bmp" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzR3hGOE_I/AAAAAAAAADo/M_4PvvgDHdI/s1600-h/FIRE.bmp"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352412097811442" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 240px; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzR3hGOE_I/AAAAAAAAADo/M_4PvvgDHdI/s320/FIRE.bmp" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzOVhRTyTI/AAAAAAAAADQ/cFygh0Q-8iA/s1600-h/network-security-small.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348529493887282" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 234px; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzOVhRTyTI/AAAAAAAAADQ/cFygh0Q-8iA/s320/network-security-small.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a 
href="http://2.bp.blogspot.com/_Q92aoloWYdM/SbzOVfl2uZI/AAAAAAAAADI/WAvoe6OgUKU/s1600-h/network-centric_security_processes.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348529043192210" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 240px; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_Q92aoloWYdM/SbzOVfl2uZI/AAAAAAAAADI/WAvoe6OgUKU/s320/network-centric_security_processes.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_Q92aoloWYdM/SbzOVH-GjlI/AAAAAAAAADA/rJjjUPGBjac/s1600-h/firewall_env.gif"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348522702442066" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 192px; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_Q92aoloWYdM/SbzOVH-GjlI/AAAAAAAAADA/rJjjUPGBjac/s320/firewall_env.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzOUrqn6YI/AAAAAAAAAC4/jnfPofqf_K8/s1600-h/elements1.gif"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348515104549250" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 202px; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzOUrqn6YI/AAAAAAAAAC4/jnfPofqf_K8/s320/elements1.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzOUNOs_lI/AAAAAAAAACw/D1XhC6Q_bOY/s1600-h/diagram_network_security.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348506934378066" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 243px; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzOUNOs_lI/AAAAAAAAACw/D1XhC6Q_bOY/s320/diagram_network_security.jpg" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;a href="http://secure.bidvertiser.com/performance/bdv_rss_rd.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;click=1&amp;rsrc=3" target="_blank"&gt;&lt;img src="http://bdv.bidvertiser.com/BidVertiser.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;rssimage=1&amp;rsrc=3" border="0"/&gt;&lt;/a&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5074766823662728299-3816397583329659409?l=networksecurity2008.blogspot.com' alt='' /&gt;&lt;/div&gt;</description><link>http://networksecurity2008.blogspot.com/2009/03/pictures.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_Q92aoloWYdM/SbzSI3GBlPI/AAAAAAAAAEI/FE164jZBj3I/s72-c/securnoc_diagram_large.jpg' height='72' width='72'/><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-9040338087358021457</guid><pubDate>Fri, 13 Feb 2009 19:31:00 +0000</pubDate><atom:updated>2009-05-03T23:21:49.354-07:00</atom:updated><title>SPYWARE</title><description>&lt;div align="left"&gt;&lt;span&gt;Spyware&lt;br /&gt;Threat                Type           First appeared&lt;br /&gt;1  Gator               Adware       Sep 11, 2003&lt;br /&gt;2  Virtumonde    Spyware     Oct 08, 2004&lt;br /&gt;3  SaveNow         Adware       Sep 11, 2003&lt;br /&gt;4  ClientMan       Spyware     Jul 27, 2004&lt;br /&gt;5  WUpd              Adware      Sep 03, 2004&lt;br /&gt;6  ActiveSearch  Adware      Oct 28, 2004&lt;br /&gt;7  BaiduBar         Adware      May 02, 2005&lt;br /&gt;8  MarketScore  
Spyware    Sep 17, 2004&lt;/span&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;SPYWARE EXPLOITS USER INFORMATION&lt;br /&gt;The spyware problem is an invasion of privacy, although different from cookies, technically speaking. Spyware is a program that runs on your computer and, again, tracks your habits, uses these patterns to tailor advertisements, and so on. Because it is a computer program, rather than just a bit of text in a cookie, spyware can also do some nasty things to ensure that it keeps running and keeps influencing what you see.&lt;br /&gt;&lt;br /&gt;HOW DO I KNOW IF SPYWARE IS RUNNING ON THE COMPUTER?&lt;br /&gt;You can use detection programs such as Ad-Aware and others. Similar to anti-virus software, these programs compare a list of known spyware with files on your computer and can remove any that they detect, but again, what some consider unacceptable is perfectly acceptable to others.&lt;br /&gt;&lt;br /&gt;HOW DOES SPYWARE INSTALL ITSELF ON COMPUTERS?&lt;br /&gt;Common tactics for surreptitious installation include rolling up advertising programs into "free" shareware program downloads. Once the spyware is installed, it can download advertisements 24 hours a day and overlay them on Web sites and programs you are using. Anti-spyware programs can help prevent spyware from being installed, but the best strategy is to be selective about what you choose to download and install.&lt;br /&gt;&lt;br /&gt;CAN SPYWARE SEND TRACKED INFORMATION TO OTHER PEOPLE?&lt;br /&gt;Some forms of spyware monitor a target’s Web use or even general computer use and send this information back to the spyware program's authors for use as they see fit. To fight this kind of problem, a spyware removal tool is obviously helpful, as is a firewall that monitors outgoing connections from your computer.
Other forms of spyware take over parts of your Web browsing interface, forcing you to use their own search engines where they can track your browsing habits and send pop-up advertisements to you at will.&lt;br /&gt;The biggest concern regarding spyware is that most of it is poorly written or designed. Many people first realize their computer is running spyware when it noticeably slows down or stops responding, especially when doing certain tasks such as browsing Web sites or retrieving email. In addition, poorly written spyware can often cause your computer to function incorrectly even after it has been removed.&lt;br /&gt;&lt;span class="art_title"&gt;&lt;br /&gt;Are Spyware Threats Taking Over Your Computer?&lt;br /&gt;&lt;/span&gt;&lt;div id="body"&gt;&lt;p&gt;Are you fed up with the amount of spyware that roams onto your computer? Most of the time you can't really do anything about the threats but deal with them. Furthermore, most people do not realize that most of the simple things they do on their computer are what cause it to become infected with various spyware threats.&lt;/p&gt;&lt;p&gt;For instance, have you ever downloaded a program off the internet, whether from a secured website or from another person? Most of the time people may not know that when they download something of interest off the internet, whether it is free or paid for, it may include spyware threats that are attached within the program. Usually, when spyware threats are included in these programs, they are stated within the license agreement that most people are too lazy to read. They are so quick to install the program that they don't take the time to read the license agreement to find out if any type of threat will be included with the program.&lt;/p&gt;&lt;p&gt;If you are a big fan of downloading off of the internet then you may have some experience with spyware threats being on your computer from some files that you may have downloaded.
Have you ever experienced those continuous pop-ups that may appear while you are on the internet? Again, your computer has been infected with spyware. This can be very frustrating to deal with because as you surf the internet the pop-ups just keep on rolling and rolling whenever you click on something new.&lt;/p&gt;&lt;p&gt;Spyware threats can be a pain to deal with and they just make your computer slower and slower to the point where you don't even want to get onto your computer anymore. Most people compensate for this problem by shelling out hundreds of dollars just to get their computer cleaned.&lt;/p&gt;&lt;/div&gt;&lt;br /&gt;&lt;span class="art_title"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;</description><link>http://networksecurity2008.blogspot.com/2009/01/spyware-threat-type-first-appeared-1.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-727927122126241335</guid><pubDate>Fri, 13 Feb 2009 19:23:00 +0000</pubDate><atom:updated>2009-03-07T09:28:46.346-08:00</atom:updated><title>MOST ACTIVE VIRUSES</title><description>&lt;div align="left"&gt;&lt;table id="enciclo_tabla" border="0" cellpadding="0" cellspacing="0" width="100%"&gt;&lt;tbody&gt;&lt;tr class="encabeza"&gt;&lt;td&gt;&lt;strong&gt;Virus&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;PCs 
infected&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Threat Level&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;First appeared&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=173377&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1    MaliciousP&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=173377&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;7.34%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=173377&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="Low Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=173377&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Sep 06, 2007&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;2    Conficker.C&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;5.39%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_2.gif" title="Moderate Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Dec 31, 2008&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205240&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3    Lineage.KMF&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205240&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3.69%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205240&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_2.gif" title="Moderate Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205240&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jan 29, 2009&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189792&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;4    AdsRevenue&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189792&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3.57%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189792&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="1" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189792&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Mar 10, 2008&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=53087&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;5    Virtumonde&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=53087&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3.14%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=53087&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_2.gif" title="Moderate Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=53087&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Oct 08, 2004&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=40682&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;6    MyWay&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=40682&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;2.34%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=40682&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="1" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=40682&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Sep 11, 2003&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143883&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;7    Downloader.MDW&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143883&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;2.32%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143883&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_3.gif" title="High Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143883&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jan 02, 2007&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=194318&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;8    Xor-encoded.A&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=194318&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1.76%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=194318&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="1" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=194318&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jun 02, 2008&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143979&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;9    Lineage.BZE&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143979&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1.59%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143979&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_2.gif" title="Moderate Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143979&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jan 02, 2007&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205474&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;10    Autorun.INF&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205474&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1.47%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205474&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="Low Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205474&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 04, 2009&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;span&gt;&lt;br /&gt;Most Active Viruses&lt;br /&gt;Virus                               PCs infected      First appeared&lt;br /&gt;1  AdsRevenue               5.91%                  Mar 10, 2008&lt;br /&gt;2  Virtumonde                5.14%                  Oct 08, 2004&lt;br /&gt;3  AutoRun.DJ               1.52%                  Oct 24, 2007&lt;br /&gt;4  Downloader.MDW    1.34%                  Jan 02, 2007&lt;br /&gt;5  Xor-encoded.A          1.30%                 Jun 02, 2008&lt;br /&gt;6  Antivirus2009          1.24%                 Jul 19, 2008&lt;/span&gt;&lt;span&gt;&lt;br /&gt;7  GetaCodec.A             0.96%                 Nov 06, 2008&lt;br /&gt;8  HideWindow.S          0.88%                Jun 25, 2006&lt;br /&gt;9  MaliciousP                0.85%                Sep 06, 2007&lt;br /&gt;10  Lineage.BZE          0.84%                Jan 02, 2007&lt;/span&gt;&lt;/div&gt;</description><link>http://networksecurity2008.blogspot.com/2009/01/most-active-viruses-virus-pcsinfected.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid
isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-6417848559487727578</guid><pubDate>Fri, 13 Feb 2009 19:00:00 +0000</pubDate><atom:updated>2009-02-21T09:09:28.676-08:00</atom:updated><title>LATEST THREATS</title><description>&lt;div align="left"&gt;&lt;table id="enciclo_tabla" cellspacing="0" cellpadding="0" width="100%" border="0"&gt;&lt;tbody&gt;&lt;tr class="encabeza"&gt;&lt;td&gt;&lt;strong&gt;Threat&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Type&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Threat level&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;First appeared&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205738&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1 MS09-005&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VULNERA')&amp;quot;"&gt;Vulnerability&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205738&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205738&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 11, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205737&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;2 MS09-004&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VULNERA')&amp;quot;"&gt;Vulnerability&lt;/a&gt;&lt;/td&gt;&lt;td 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205737&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205737&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 11, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205736&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3 MS09-003&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VULNERA')&amp;quot;"&gt;Vulnerability&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205736&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205736&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 11, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205735&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;4 MS09-002&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VULNERA')&amp;quot;"&gt;Vulnerability&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205735&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" 
src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205735&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 11, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205692&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;5 Waledac.J&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#GUSANO')&amp;quot;"&gt;Worm&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205692&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205692&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 10, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205603&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;6 NoVideo.A&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#TROYANO')&amp;quot;"&gt;Trojan&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205603&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205603&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 08, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205546&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;7 Autorun.INJ&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#GUSANO')&amp;quot;"&gt;Worm&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205546&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205546&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 06, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205521&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;8 Sinowal.VZR&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#TROYANO')&amp;quot;"&gt;Trojan&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205521&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205521&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 05, 
2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205500&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;9 Sality.AO&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VIRUS')&amp;quot;"&gt;Virus&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205500&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205500&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 05, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205289&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;10 MSNWorm.FU&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#GUSANO')&amp;quot;"&gt;Worm&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205289&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205289&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jan 30, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;br /&gt;&lt;span style="font-size:0;"&gt;&lt;br 
/&gt;&lt;/span&gt; &lt;/div&gt;</description><link>http://networksecurity2008.blogspot.com/2009/01/latest-threats-threat-type-first_13.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-3864256381271853587</guid><pubDate>Sun, 08 Feb 2009 12:58:00 +0000</pubDate><atom:updated>2009-04-08T04:59:32.757-07:00</atom:updated><title>PACKET ATTACK</title><description>The Packet Fragmentation Attack&lt;br /&gt;Packet fragmentation can be utilized to get around blocking rules on some firewalls.&lt;br /&gt;This is done by cheating with the value of the Fragment Offset. The trick is to set the value of the Fragment Offset on the second packet so low that instead of appending the second packet to the first packet, it actually overwrites the data and part of the TCP header of the first packet.&lt;br /&gt;Let's say you want to `telnet` into a network where TCP port 23 is blocked by a packet filtering firewall.
However, SMTP port 25 is allowed into that network.&lt;br /&gt;You would send two packets:&lt;br /&gt;The first packet would:&lt;br /&gt;• Have a Fragment Offset of 0. &lt;br /&gt;• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 1 to mean "More Fragments." &lt;br /&gt;• Have a Destination Port in the TCP header of 25. TCP port 25 is allowed, so the firewall would allow that packet to enter the network. &lt;br /&gt;The second packet would:&lt;br /&gt;• Have a Fragment Offset of 1. This means that the second packet would actually overwrite everything but the first 8 bits of the first packet. &lt;br /&gt;• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 0 to mean "Last Fragment." &lt;br /&gt;• Have a Destination Port in the TCP header of 23. This would normally be blocked, but will not be in this case! &lt;br /&gt;The packet filtering firewall will see that the Fragment Offset is greater than zero on the second packet. From this data, it will deduce that the second packet is a fragment of another packet and it will not check the second packet against the rule set.&lt;br /&gt;When the two packets arrive at the target host, they will be reassembled.
The second packet will overwrite most of the first packet and the contents of the combined packet will go to port 23.</description><link>http://networksecurity2008.blogspot.com/2009/02/packet-attack.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-5739301262266993511</guid><pubDate>Sun, 08 Feb 2009 12:57:00 +0000</pubDate><atom:updated>2009-04-08T04:58:13.741-07:00</atom:updated><title>TCP ATTACKS</title><description>The TCP Sequence Prediction Attack&lt;br /&gt;TCP is a reliable connection-oriented layer 4 (Transport Layer) protocol. Packet transfer between hosts is accomplished by the layers below layer 4 and TCP takes responsibility for making certain the packets are delivered to higher layers in the protocol stack in the correct order. To accomplish this reordering task, TCP uses the sequence number field.&lt;br /&gt;To successfully mount a TCP sequence prediction attack, you must first listen to communications between two systems, one of which is your target system. Then, you issue packets from your system to the target system with the source IP address of the trusted system that is communicating with the target system.&lt;br /&gt;The packets you issue must have the sequence numbers that the target system is expecting.
In addition, your packets must arrive before the packets from the trusted system whose connection you are hijacking. To accomplish this, it is often necessary to flood the trusted system off the network with some form of denial of service attack.&lt;br /&gt;Once you have taken over the connection, you can send data to allow you to access the target host using a normal TCP/IP connection. The simplest way to do this is:&lt;br /&gt;echo "+ +" &gt; /.rhosts &lt;br /&gt;This specific technique relies upon inherent weaknesses in the BSD Unix `r` services. However, SunRPC, NFS, X-Windows, and many other services which rely upon IP address authentication can be exploited with a TCP sequence prediction attack.&lt;br /&gt;Why are TCP Sequence Prediction Attacks Possible?&lt;br /&gt;An excerpt from RFC 793 (Transmission Control Protocol) concerning the generation of TCP sequence numbers:&lt;br /&gt;When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32 bit ISN. The generator is bound to a (possibly fictitious) 32 bit clock whose low order bit is incremented roughly every 4 microseconds. Thus, the ISN cycles approximately every 4.55 hours. Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours we can reasonably assume that ISN's will be unique.&lt;br /&gt;The developers of the BSD Unix TCP/IP stack did not follow these recommendations. TCP/IP stacks based upon BSD Unix increase the sequence number by 128,000 every second and by 64,000 for every new TCP connection.
This is significantly more predictable than the algorithm specified in the RFC.&lt;br /&gt;Defending Against TCP Sequence Prediction Attacks&lt;br /&gt;TCP sequence prediction attacks can be effectively stopped by any router or firewall that is configured not to allow packets from an internal IP address to originate from an external interface.&lt;br /&gt;This does not fix the TCP sequence prediction vulnerability; it simply prevents TCP sequence prediction attacks from being able to reach their targets.&lt;br /&gt;Diagram of the TCP Header&lt;br /&gt;                        TCP Header Format&lt;br /&gt;                        -----------------&lt;br /&gt;&lt;br /&gt; 0                   1                   2                   3&lt;br /&gt; 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|          Source Port          |       Destination Port        |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|                        Sequence Number                        |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|                    Acknowledgment Number                      |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|  Data |           |U|A|P|R|S|F|                               |&lt;br /&gt;| Offset| Reserved  |R|C|S|S|Y|I|            Window             |&lt;br /&gt;|       |           |G|K|H|T|N|N|                               |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|           Checksum            |         Urgent Pointer        |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|                    Options                    |    Padding    |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|                  
           data                              |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;Every packet-based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet which that network can transmit.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Packets larger than the allowable MTU must be divided into multiple smaller packets, or fragments, to enable them to traverse the network.&lt;br /&gt;Network Standard MTU&lt;br /&gt;Ethernet 1500&lt;br /&gt;Token Ring 4096</description><link>http://networksecurity2008.blogspot.com/2009/02/tcp-attacks.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item><item><guid isPermaLink='false'>tag:blogger.com,1999:blog-5074766823662728299.post-723310137921413726</guid><pubDate>Sun, 08 Feb 2009 12:51:00 +0000</pubDate><atom:updated>2009-04-08T04:52:23.555-07:00</atom:updated><title>DOS ATTACKS</title><description>Types of Denial of Service (DoS) attacks&lt;br /&gt;These are a few of the classic denial of service attacks. Most of these rely upon weaknesses in the TCP/IP protocol. Vendor patches and proper network configuration have made most of these denial of service attacks difficult or impossible to accomplish.&lt;br /&gt;Flood Attack&lt;br /&gt;The earliest form of denial of service attack was the flood attack.
The attacker simply sends more traffic than the victim can handle. This requires the attacker to have a faster network connection than the victim. This is the lowest-tech of the denial of service attacks, and also the most difficult to completely prevent.&lt;br /&gt;Ping of Death Attack&lt;br /&gt;The Ping of Death attack relied on a bug in the Berkeley TCP/IP stack which also existed on most systems which copied the Berkeley network code. The ping of death consisted of simply sending ping packets larger than 65,535 bytes to the victim. This denial of service attack was as simple as:&lt;br /&gt;ping -l 86600 victim.org&lt;br /&gt;SYN Attack&lt;br /&gt;In the TCP protocol, handshaking of network connections is done with SYN and ACK messages. The system that wishes to communicate sends a SYN message to the target system. The target system then responds with an ACK message. In a SYN attack, the attacker floods the target with SYN messages spoofed to appear to be from unreachable Internet addresses. This fills up the buffer space for SYN messages on the target machine, preventing other systems on the network from communicating with the target machine.&lt;br /&gt;Teardrop Attack&lt;br /&gt;The Teardrop Attack uses IP's packet fragmentation algorithm to send corrupted packets to the victim machine. This confuses the victim machine and may hang it.&lt;br /&gt;Smurf Attack&lt;br /&gt;In the Smurf Attack, the attacker sends a ping request to a broadcast address at a third party on the network. This ping request is spoofed to appear to come from the victim's network address.
Every system within the broadcast domain of the third party will then send ping responses to the victim.&lt;br /&gt;&lt;br /&gt;Distributed Denial of Service (DDoS) attacks&lt;br /&gt;A Distributed Denial of Service (DDoS) attack is a denial of service attack which is mounted from a large number of locations across the network.&lt;br /&gt;DDoS attacks are usually mounted from a large number of compromised systems. These systems may have been compromised by a trojan horse or a worm, or they might have been compromised by being hacked manually.&lt;br /&gt;These compromised systems are usually controlled with a fairly sophisticated piece of client-server software such as Trinoo, Tribe Flood Network, Stacheldraht, TFN2K, Shaft, and Mstream.&lt;br /&gt;The Mydoom worm attempted DDoS attacks against SCO and Microsoft from the systems which it infected.&lt;br /&gt;DDoS attacks can be very difficult to defend against.&lt;br /&gt;IP address spoofing denotes the action of generating IP packets with fake source IP addresses in order to impersonate other systems or to protect the identity of the sender.
Spoofing can also refer to forging or using fake headers on emails or netnews, again to protect the identity of the sender and to mislead the receiver or the network as to the origin and validity of sent data.</description><link>http://networksecurity2008.blogspot.com/2009/02/dos-attacks.html</link><author>firazahmed@gmail.com (SHEIK FIRAZ)</author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></item></channel></rss>