<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5074766823662728299</id><updated>2012-02-15T22:50:00.067-08:00</updated><title type='text'>NETWORK SECURITY AND THREATS</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>58</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-2577759458444124502</id><published>2009-02-28T18:25:00.000-08:00</published><updated>2011-08-10T06:26:16.973-07:00</updated><title type='text'>HOW TO FIND AN INFECTED COMPUTER</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&amp;nbsp; Here are the symptoms of an infected computer:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;span 
class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;slow system starting&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;high CPU usage&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;high RAM usage&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;system hangs&lt;/span&gt;&lt;/li&gt;&lt;/ol&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;The first thing you should do is open the Task Manager. You can open it by right-clicking the taskbar and selecting it, or by pressing Ctrl+Alt+Del.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;In the Task Manager you can see performance, processes, etc.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;My XP task manager looks like this&lt;/span&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-LXF_Yiey2KY/TkDZsrU_WHI/AAAAAAAAAz4/v4JIVXNlnqQ/s1600/untitled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://2.bp.blogspot.com/-LXF_Yiey2KY/TkDZsrU_WHI/AAAAAAAAAz4/v4JIVXNlnqQ/s320/untitled.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-2RmvoaH2QDA/TkDaBFbZqMI/AAAAAAAAAz8/IVjsgtGQ9lU/s1600/untitled+2.jpg" imageanchor="1" style="margin-left: 
1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://4.bp.blogspot.com/-2RmvoaH2QDA/TkDaBFbZqMI/AAAAAAAAAz8/IVjsgtGQ9lU/s320/untitled+2.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Now you can see the CPU and RAM usage.&amp;nbsp;Initially&amp;nbsp;XP has low CPU usage. The RAM usage is only 200 MB. If the CPU usage is constantly 100% or the RAM usage is high, then the computer is infected.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;We can find the virus easily by checking the processes. If any process is using high CPU or RAM, then that is a virus.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Sometimes svchost.exe may be using high CPU and RAM. This is not a virus.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Some common processes in XP are csrss.exe, 
ctfmon.exe, explorer.&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;exe, lsass.&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;exe,&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;services.&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;exe, smss.exe, spoolsv.exe, svchost.&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;exe, System, System Idle Process, taskmgr.exe,&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;winlogon.&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;exe.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;If we start an application, then its process also runs, e.g. chrome.exe, firefox.exe, hitman.exe, etc.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Any process other than these that is using high CPU or RAM can be a virus.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: 
left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;We can end this process by right-clicking it. A warning message will open; select Yes.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;After this we have to stop the virus from running at startup. For this, click Start -&amp;gt; Run and type msconfig.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-3OmG_BAVRv0/TkKEVdiC7rI/AAAAAAAAA0A/W-Jv7w_sKxE/s1600/untitled.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://4.bp.blogspot.com/-3OmG_BAVRv0/TkKEVdiC7rI/AAAAAAAAA0A/W-Jv7w_sKxE/s320/untitled.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, 
Helvetica, sans-serif;"&gt;Search for the process that is the virus. Disable it by clicking it, then click OK. Restart your system.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;If this does not stop the virus, we have to find the virus file. It is located in the C:\ or system drive.&lt;/span&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: left;"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;In&amp;nbsp;C:\WINDOWS or C:\WINDOWS\system32 we can find the virus file.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/2577759458444124502/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=2577759458444124502' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2577759458444124502'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2577759458444124502'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2011/08/how-to-find-infected-computer.html' title='HOW TO FIND AN INFECTED COMPUTER'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-LXF_Yiey2KY/TkDZsrU_WHI/AAAAAAAAAz4/v4JIVXNlnqQ/s72-c/untitled.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-4137441741059773018</id><published>2009-02-28T10:13:00.000-08:00</published><updated>2009-03-28T10:16:12.620-07:00</updated><title type='text'>GHOST ADWARE</title><content type='html'>&lt;h3&gt;Name: Adware.Win32.Ghost Keylogger&lt;/h3&gt; &lt;p&gt;&lt;b&gt;Risk level:&lt;/b&gt; Severe Risk&lt;/p&gt; &lt;p&gt;&lt;b&gt;Company:&lt;/b&gt; Sureshot Software - http://keylogger.net/&lt;/p&gt; &lt;p&gt;&lt;b&gt;Description:&lt;/b&gt;&lt;/p&gt; &lt;p&gt;Ghost Keylogger is an invisible keylogger that records every keystroke. 
It monitors Internet activity by logging the addresses of visited homepages.&lt;/p&gt; &lt;p&gt;&lt;b&gt;Characteristics:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;It is an invisible keylogger that records every keystroke.&lt;/li&gt;&lt;li&gt;It monitors Internet activity by logging the addresses of visited homepages.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;b&gt;Installation:&lt;/b&gt; Installed through EXE&lt;/p&gt; &lt;b&gt;Process:&lt;/b&gt; syncconfig.exe&lt;br /&gt;&lt;p&gt;&lt;b&gt;Used folders:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\agent&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;b&gt;Used files:&lt;/b&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\manual.html&lt;br /&gt;[30026 Bytes] HTML Document&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\agent\syncagent.exe&lt;br /&gt;[626688 Bytes] Application&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\agent\syncagent.dll&lt;br /&gt;[258048 Bytes] Application Extension&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\syncconfig.exe&lt;br /&gt;[663552 Bytes] Application&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\faq.html&lt;br /&gt;[29722 Bytes] HTML Document&lt;/li&gt;&lt;li&gt;C:\Program Files\Sync Manager Demo\agent\syncagent.cfg&lt;br /&gt;[2641 Bytes] Microsoft Office Outlook Configuration File&lt;/li&gt;&lt;/ul&gt;
</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/4137441741059773018/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=4137441741059773018' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4137441741059773018'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4137441741059773018'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/ghost-adware.html' title='GHOST ADWARE'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-7964213090690319830</id><published>2009-02-24T23:55:00.000-08:00</published><updated>2009-02-07T08:49:23.854-08:00</updated><title type='text'>PRESENT SITUATION</title><content type='html'>PRESENT SITUATION&lt;br /&gt;&lt;br /&gt;As the volume of financial and other data transactions increases over the Internet, the potential for harm from network threats also increases. 
As a consequence, complex security measures such as regular security audits, once required only by Fortune 500 companies, are increasingly a necessity even for the smallest of companies.&lt;br /&gt;&lt;br /&gt;As we continue to become an ever more networked society, the financial benefits attainable by hacking a network increase. As a result, it should come as no surprise that the number of attacks and the creativity spent in trying to breach a network continue to increase. Consequently, those who are tasked with defending networks must continue to educate themselves and their workforce on the newest types of attacks and make the necessary preparations to protect against them.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/7964213090690319830/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=7964213090690319830' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/7964213090690319830'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/7964213090690319830'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/conclusion.html' title='PRESENT SITUATION'/><author><name>SHEIK 
FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-4504801116659496262</id><published>2009-02-24T23:54:00.001-08:00</published><updated>2009-02-21T02:02:25.933-08:00</updated><title type='text'>ZOMBIE COMPUTERS AND BOTNETS</title><content type='html'>Zombie Computers and Botnets&lt;br /&gt;If you've ever wondered who is sitting around sending out all those spam emails, the answer may be you. A recent New York Times article estimates that as much as 80 percent of spam messages are sent out by the computers of ordinary individuals who have no idea their computers have been converted into 'zombies'. A 'zombie' computer is simply a computer infected with malware that causes it to act as a tool of a spammer by silently sending out thousands of emails from the owner's email address.&lt;br /&gt;&lt;br /&gt;Infected 'zombie' computers are organized by spammers into small groups called 'botnets'. These 'botnets' then send out spam that may include phishing attempts, viruses and worms. Unfortunately for network managers and business owners, the 'zombie' malware threat is expected to continue to grow both in number and variety over the next few years. Currently, 'zombies' are used to send out the following types of malware:&lt;br /&gt;&lt;br /&gt;Spamming and phishing attacks. This classic form of 'Zombie' computers is still the most common.&lt;br /&gt;&lt;br /&gt;Click fraud in advertising networks. Using a hidden program, zombie computers emulate human clicking on ads at a website or weblog. 
While Google said in Dec 2006 that click fraud for their AdSense contextual ad network is less than 2 percent, some advertisers have much higher estimates. Whatever the actual figure, creating click fraud zombies is currently a multi-million dollar industry, so do not expect it to stop soon.&lt;br /&gt;&lt;br /&gt;DoS attacks. Your company may have malicious competitors, or spiteful former employees who will stoop to any level to bring your company down. In this instance, your enemy might launch a Denial-of-Service (DoS) attack, which is an attack designed to make the hosted pages of a website or network become unavailable to customers or employees. For instance, a spiteful former employee may launch a DoS attack on your biggest selling day of the year. Consequently, your company will lose all the business it might have had that day as customers are unable to access your Web site.&lt;br /&gt;&lt;br /&gt;Pump and dump stock schemes. In this scheme, spammers buy up a large block of a penny stock (especially sub-$1 per share), then use their 'Zombies' to spam millions of people with emails about the stock in the hopes that a few fools will take the bait and buy a few thousand shares, thus raising the price. After the price spike, the spammer then sells off his holdings and makes a quick buck.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Because ‘botnets’ typically work silently on ‘zombie’ computers and are often enabled by the secret installation of Trojan horses, it is very difficult to tell whether a computer has been infected. Preventing ‘botnets’ from turning your network computers into 'zombies' requires that you educate your employees to keep all forms of security software up to date, and to run a virus scan regularly, preferably nightly. In addition to nightly scanning, train your employees to look for sudden unusual behavior of your computer(s), such as persistent slowdowns or crashing, as a sign that they may be infected. 
If, despite your best efforts, a network computer becomes infected, treatment can vary wildly, from simply scanning for and deleting the botnet to reformatting the computer's hard drive.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/4504801116659496262/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=4504801116659496262' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4504801116659496262'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4504801116659496262'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/10-zombie-computers-and-botnets.html' title='ZOMBIE COMPUTERS AND BOTNETS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' 
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-8119620069827700424</id><published>2009-02-24T23:54:00.000-08:00</published><updated>2009-02-21T02:35:22.242-08:00</updated><title type='text'>SHARED COMPUTERS</title><content type='html'>Shared Computers&lt;br /&gt;In the IT community, it is often said that shared computers are like public bathrooms: they may appear clean, but are usually chock full of viruses. Thankfully, the danger of shared computers is one network threat that you can largely render harmless by limiting the activities that you and your employees perform.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;If you or your employees use public computers, don't permit them to log into important online accounts, especially those containing financial details. You never know when a keylogger might be lying in wait, ready to steal your password and then your company’s money. Going beyond just avoiding accessing sensitive data through public computers, if you can avoid it, forbid your employees from logging into any network accounts at all on any public computers. 
While enforcement of this policy is difficult, simply educating your staff on the dangers of using public computers is often sufficient to eliminate most of these incidents.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/8119620069827700424/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=8119620069827700424' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8119620069827700424'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8119620069827700424'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/9-shared-computers.html' title='SHARED COMPUTERS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-7691688095493387112</id><published>2009-02-24T23:53:00.000-08:00</published><updated>2011-08-28T04:52:22.571-07:00</updated><title 
type='text'>HARDWARE LOSS AND RESIDUAL DATA FRAGMENTS</title><content type='html'>Hardware Loss and Residual Data Fragments&lt;br /&gt;&lt;br /&gt;&amp;nbsp; &amp;nbsp;Over the past few months, a number of government laptops have been stolen and the story has made national news. The government is concerned not because of the cost of replacing a few laptops, but because of the network vulnerabilities that the loss of this hardware threatens to cause. In fact, hardware loss is a large cause of the more than 10 million cases of identity theft suffered by Americans each year.&lt;br /&gt;&lt;br /&gt;&amp;nbsp; &amp;nbsp;These types of problems are not what we commonly think of as network security threats, but stolen or sold laptops and computers pose one of the biggest threats for networks. Businesses often sell older computers without completely wiping the drives clean of data, including system passwords. Just as with stolen computers, this information can then be easily used to gain access to the network and compromise the security of the entire system.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;Thankfully, the threat of hardware loss and residual data fragments can be minimized by taking a few rather straightforward steps:&lt;br /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;Encrypt sensitive company data, especially the laptops and files of executives who are most likely to be targeted. When traveling through foreign airports the problem can be especially acute, as laptops of prominent individuals are sometimes taken aside under the guise of "security", and their hard drives are quickly mirrored and used to blackmail the company. 
Despite the obvious benefits of securing data, a recent survey found that although 64 percent of companies were more concerned about data loss than the cost of replacing hardware, only 12 percent were actually using encryption.&lt;br /&gt;&lt;br /&gt;&amp;nbsp; &amp;nbsp; Wipe/shred files on old hard drives before they leave your organization. This is as much an issue of data compliance regulations as it is of network security. No matter what your motivation, however, failing to clean discarded hardware can leave your entire network vulnerable.&lt;br /&gt;&lt;br /&gt;&amp;nbsp; &amp;nbsp; Develop a policy for keeping track of employees' use of smartphones and USB memory cards around sensitive data. Simply letting employees know that you have such a policy and are monitoring the use of these devices will go a long way to preventing their misuse and protecting the network.&lt;br /&gt;&lt;br /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;Use an RFID-based Asset Management system for computers, laptops, and other sensitive hardware to keep tabs on their whereabouts in your premises.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/7691688095493387112/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=7691688095493387112' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/7691688095493387112'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/7691688095493387112'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/8-hardware-loss-and-residual-data.html' title='HARDWARE LOSS AND RESIDUAL DATA FRAGMENTS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-6691622541667919032</id><published>2009-02-24T23:52:00.001-08:00</published><updated>2009-04-08T04:54:01.303-07:00</updated><title type='text'>PASSWORD ATTACKS</title><content type='html'>Password Protection&lt;br /&gt;Passwords are undeniably a huge part of your online security. You'll find that almost every website you visit that deals with online transactions, emailing, and shopping uses passwords to verify you are who you say you are. This means that you not only need to choose a password that cannot easily be figured out, but you should also keep it safe and secure and not share it with anyone. Do not use the same password for all of your accounts, and attempt to come up with a password that contains letters, numbers, and special characters.&lt;br /&gt;&lt;br /&gt;Password Attacks&lt;br /&gt;&lt;br /&gt;A 'Password Attack' is a general term that describes a variety of techniques used to steal passwords to accounts.&lt;br /&gt;&lt;br /&gt;Brute-force. 
One of the most labor-intensive and unsophisticated methods hackers use to steal passwords is to try to guess a password by repeatedly entering new combinations of words and phrases compiled from a dictionary. This 'dictionary attack' can also be used to try to guess usernames, so developing difficult-to-guess usernames and passwords is increasingly vital to network security.&lt;br /&gt;&lt;br /&gt;Packet sniffers. As discussed above, packet sniffers glean data electronically from a compromised network.&lt;br /&gt;&lt;br /&gt;IP-spoofing. Similar to 'Honeypots', this attack involves the interception of data packets by a computer successfully pretending to be a trusted server/resource.&lt;br /&gt;&lt;br /&gt;Trojans. Trojans are actually invasive, as discussed above, and of these methods, are the most likely to be successful, especially if they install keyloggers.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Automated testing (e.g., dictionary scanning), human behavior (e.g., lack of diversity in usernames and passwords), and other security flaws make it easier for password attackers to succeed. 
Unfortunately, there is no single method to prevent password attacks, though combining network traffic analysis with the old stalwarts of email scanning, virus protection, firewalls and an educated work force can form a strong defense for any network.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/6691622541667919032/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=6691622541667919032' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6691622541667919032'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6691622541667919032'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/7-password-attacks.html' title='PASSWORD ATTACKS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' 
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-8579592248745406160</id><published>2009-02-24T23:52:00.000-08:00</published><updated>2011-08-28T04:50:22.691-07:00</updated><title type='text'>MALICIOUSLY CODED WEB SITES</title><content type='html'>Maliciously-Coded Web sites&lt;br /&gt;&lt;br /&gt;&lt;div style="text-align: left;"&gt;&amp;nbsp; &amp;nbsp; Maliciously-coded Web sites can take many different forms, from installing Trojan horses to redirecting you to an unrequested site. But one of the most threatening forms of maliciously-coded websites, those that are designed to steal passwords, is on the rise [4]. A very common form of these Web sites takes advantage of people's charitable instincts by setting up traps in what appear to be sites that allow you to make donations to victims of natural disasters such as Hurricane Katrina. Hackers set up a fake sign-in page, and then encourage unsuspecting victims to enter their credit card number and other personal information.&lt;/div&gt;&lt;br /&gt;&amp;nbsp; &amp;nbsp;In addition to stealing personal information, maliciously-coded websites are also often designed for the following purposes:&lt;br /&gt;installation of keyloggers&lt;br /&gt;adware/spyware/reading cookies&lt;br /&gt;drive-by downloads&lt;br /&gt;XSS - cross-site scripting to utilize web browser flaws for other intentions.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;In order to protect your network, you should encourage your employees to purchase information only from security-certified sites, and to use PayPal instead of a credit card whenever possible, since by doing so they will not have to reveal their credit card information to another site. 
In addition to limiting the number of times credit card information is typed into a website, paying by PayPal is also helpful because maliciously-coded sites are less likely to accept PayPal payments since the owners of that PayPal account are easier to trace to an address or bank account.&lt;br /&gt;&lt;br /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp;Further, you should instruct your employees to never sign up for new Web 2.0 applications without using a different username and password than they ordinarily use for sensitive data. Creating a regular browser patch and plugin update schedule will also ensure that your virus and email protections are up to date. Finally, you should systematically set the browser security settings of all your network computers to a higher than default setting. While this step will not eliminate the possibility that your employees will stumble upon maliciously-coded sites, it will reduce the incidence of that occurrence.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/8579592248745406160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=8579592248745406160' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8579592248745406160'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8579592248745406160'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/6-maliciously-coded-web-sites.html' title='MALICIOUSLY CODED WEB SITES'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1581614793030630320</id><published>2009-02-24T23:50:00.001-08:00</published><updated>2009-02-21T02:40:47.039-08:00</updated><title type='text'>PACKET SNIFFERS</title><content type='html'>Packet Sniffers&lt;br /&gt;&lt;br /&gt;Packet sniffers capture data streams over a network, thus allowing for the capture of sensitive data like usernames, passwords and credit card numbers. The result, unsurprisingly, is the loss of data, trade secrets, or online account balances. For network managers specifically, even bigger losses can come from lawsuits due to noncompliance with data protection regulations.&lt;br /&gt;&lt;br /&gt;While packet sniffers have been used in rather harmless ways, such as by law enforcement and by corporations for data protection compliance purposes (HIPAA, SOX/Sarbox, Gramm-Leach-Bliley Act), the real concern for network owners is packet sniffers' more malicious forms.&lt;br /&gt;&lt;br /&gt;Packet sniffers work by monitoring and recording all the information that comes from and goes to your computer over a compromised network. So in order to be effective, the packet sniffer must first have access to the network you are using. The most common way to do this is by using something called honeypots. 
Honeypots are simply unsecured wifi access points that hackers set up to trap people into using them. Typically, these honeypots are set up in public places such as airports, and the wifi network is titled something like "Free Public Wi-Fi". Unsuspecting individuals then sign onto the corrupted network and the packet sniffer then grabs their personal information when they enter things like their credit card info into a site.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Education is simply the best policy to deal with the threat of packet sniffers. Once your employees know to never access the internet through an unsecured connection, and are made aware of the fact that packet sniffers exist, they are much less likely to fall victim to this hacking technique. Because a single employee falling victim to packet sniffing can compromise sensitive network data, it is important that everyone learn how to identify honeypots and how to secure their own home wifi networks. In addition, make sure that your employees use a variety of different sign-on names and passwords to access various levels of network security. 
That way, if login information is compromised, the damage can at least be limited in scope.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1581614793030630320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1581614793030630320' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1581614793030630320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1581614793030630320'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/5-packet-sniffers.html' title='PACKET SNIFFERS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-8931954838694278995</id><published>2009-02-24T23:50:00.000-08:00</published><updated>2009-03-07T08:36:50.859-08:00</updated><title type='text'>PHISHING</title><content type='html'>Phishing&lt;br /&gt;&lt;br 
/&gt;Anyone who has ever used PayPal or does their banking online has probably received dozens of emails with titles such as, "URGENT: Update Account Status". These emails are all attempts by a spammer to "phish" your account information. Phishing refers to spam emails designed to trick recipients into clicking on a link to an insecure website. Typically, phishing attempts are executed to steal account information for e-commerce sites such as eBay, payments processors such as PayPal, or regular financial institutions' websites. A phishing email supplies you with a link to click on, which will take you to a page where you can re-enter all your account details, including credit card number(s) and/or passwords. Of course, these sites aren't the actual bank's site, even though they look like it.&lt;br /&gt;&lt;br /&gt;Your company's mobile phones may not be safe either, as SMS messaging is now frequently used as a new type of phishing called SMiShing. Once the SMiShing is successful, other malware such as Trojans are sometimes released onto the mobile phone. These Trojans then silently send high-cost text messages, which go onto the sender's bill.&lt;br /&gt;&lt;br /&gt;Some criminals are also using VoIP or VoIM software to send vishing messages. These try to confuse people into calling the provided number - usually an automated VoIP Call-In number - and revealing credit card details, which are recorded in audio form.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Phishing in all its varieties is a huge and growing problem for network security managers and business owners. As we all become more interconnected and access more and more personal information through networks, there are more and more opportunities for phishers to attack. To protect one's network, it is becoming increasingly vital that you educate your employees about the most common ways in which hackers try to phish your account information. 
Even though simplistic phishing attempts like the PayPal scam now seem obvious to regular internet users, a single phishing attack can compromise an entire network's security if an employee is tricked into giving up his network account information. Even after educating your work force, you should consider adding a header to your network browser that reminds users never to enter personal information solicited through an email, and you should certainly use a sophisticated email filter to limit the number of phishing attacks that your employees must navigate around.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/8931954838694278995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=8931954838694278995' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8931954838694278995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8931954838694278995'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/4-phishing.html' title='PHISHING'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-6847004085949497183</id><published>2009-02-24T23:49:00.000-08:00</published><updated>2009-03-07T08:39:44.181-08:00</updated><title type='text'>SPAM</title><content type='html'>Spam&lt;br /&gt;&lt;br /&gt;Depending on the source cited, spam makes up 70 to 84 percent of daily emails sent throughout the world. All that spam results in billions of dollars in lost productivity and creates an ever-increasing need for IT resources to filter out this irritating and potentially malicious menace.&lt;br /&gt;&lt;br /&gt;Spam email takes a variety of forms, ranging from unsolicited emails promoting products like Viagra, to coordinated spam attacks designed to take up so much bandwidth on a network that it crashes. A more recent trend is image spam, which eats up even more bandwidth than its textual cousin, and often circumvents contextual spam filters which analyze the message text to look for indications that the email is spam. Another brand new technique that spammers are using is called "news service" spam, which uses legitimate headlines such as "Howard Stern Earns $83M Bonus" to trick recipients into opening spam emails that are filled with spammy drug advertisements. These and other new spam trends constantly threaten the productivity of email and the security of IT networks.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;When it comes to fighting spam, fortunately, a great deal of spam can be filtered out by a good email filter. And much of what slips through can be avoided by staying current on the latest techniques that spammers use. 
In addition, however, you should protect your network from email spam by requiring your employees to use separate accounts for their personal internet use, and demand that company accounts not be used to sign up for any online service or freebie. In addition, when creating company email accounts make sure to use a naming system which is not easily guessable (e.g., JSmith@domain.com), as spammers are increasingly going through common name lists in order to harvest emails to spam.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/6847004085949497183/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=6847004085949497183' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6847004085949497183'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6847004085949497183'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/3-spam.html' title='SPAM'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' 
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1527942744294331516</id><published>2009-02-24T23:47:00.000-08:00</published><updated>2009-04-07T00:58:55.961-07:00</updated><title type='text'>TROJAN HORSES</title><content type='html'>Trojan Horses&lt;br /&gt;&lt;br /&gt;A Trojan horse is a malware attack that disguises itself as something innocent, such as a computer game, or a YouTube search results page. A recent example of a devastating Trojan horse used an email with a link that supposedly connected the reader to a video of the Saddam Hussein hanging, but instead just infected them with malware. Once installed on a computer, the 'Saddam' Trojan horse then downloaded and installed a keylogger onto the infected computer. This keylogger was used to record every keystroke by a computer’s user, thus stealing financial account information and passwords.&lt;br /&gt;&lt;br /&gt;The 'Saddam' Trojan horse is noteworthy only because it was so successful, but the actual methods that it used to infect computer networks are not unique. In fact, Trojans are particularly dangerous because they all appear so innocuous on the surface. Often Trojans embed themselves on a particular website (usually adult, gaming, or gambling), hide in downloaded free software, or, as with the "Saddam" Trojan horse, infect a person who clicks on a link sent to them in an email.&lt;br /&gt;&lt;br /&gt;Prevention&lt;br /&gt;Because hackers are so creative in coming up with new and different types of Trojan horses, training employees on what to look for will not prevent Trojan horses from infecting your network. Instead, you may want to consider blocking users from downloading freeware, blocking links embedded in emails, and using a whitelist to create a list of approved websites that employees may visit. 
Because Trojans are much easier to prevent than they are to cure, with an infected computer sometimes requiring a complete reformatting of the hard drive, taking these drastic preventative measures may be warranted for some companies. The methods for dealing with Trojans are generally the same as those for dealing with viruses. Most virus scanners attempt to deal with some of the common Trojans, with varying degrees of success; there are also specific "anti-Trojan" scanners available, and your best weapon is common sense yet again. Score another point for safe computing!&lt;br /&gt;&lt;br /&gt;A Trojan Horse meets the definition of virus that most people use, in the sense that it attempts to infiltrate a computer without the user’s knowledge or consent. A Trojan horse, similar to its Greek mythological counterpart, often presents itself as one form while it is actually another. A recent example of malware acting as a Trojan horse is the e-mail version of the “Swen” virus, which falsely claimed to be a Microsoft update application.&lt;br /&gt;Trojans typically do one of two things: they either destroy or modify data the moment they launch, such as by erasing a hard drive, or they attempt to ferret out and steal passwords, credit card numbers, and other such confidential information.&lt;br /&gt;&lt;br /&gt;Trojan Horses can be a bigger problem than other types of viruses as they are designed to be destructive or disruptive, as opposed to viruses and worms where the coder may not intend to do any harm at all. Essentially this distinction does not matter in the real world. 
You can lump viruses, Trojans and worms together as "things I don't want on my computer or my network".</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1527942744294331516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1527942744294331516' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1527942744294331516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1527942744294331516'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/2-trojan-horses.html' title='TROJAN HORSES'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-3658874451160396059</id><published>2009-02-21T09:15:00.000-08:00</published><updated>2009-04-25T02:48:40.227-07:00</updated><title type='text'>GAME.EXE</title><content type='html'>game.exe (Game Dialler) - 
Details&lt;br /&gt;&lt;br /&gt;The game.exe process will take over your modem and attempt to 'dial out' to (potentially overseas or toll-rate) telephone numbers in order to download adult content and store it on your computer.&lt;br /&gt;&lt;br /&gt;game.exe is considered to be a security risk, not only because antivirus programs flag Game Dialler as a virus, but also because a number of users have complained about its performance.&lt;br /&gt;&lt;br /&gt;Game Dialler is likely a virus and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of game.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information to websites.&lt;br /&gt;&lt;br /&gt;game.exe is considered to be a security risk, not only because spyware removal programs flag Game Dialler as spyware, but also because a number of users have complained about its performance.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;game.exe is considered to be a security risk, not only because Adware Removal programs flag Game Dialler as Adware, but also because there can be privacy issues associated with this product.&lt;br /&gt;&lt;br /&gt;Game Dialler is likely adware and as such, presents an unnecessary risk which should be eliminated! 
Removing game.exe may cause a number of problems, such as slow performance, loss of data or leaking private information.&lt;br /&gt;&lt;br /&gt;Removing Game Dialler may be difficult.&lt;br /&gt;&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;game.exe is related to aconti.exe, arr.exe, dvdkeyauth.exe, fastdown.exe, infus.exe, movieplace.exe, sws.exe, win32us.exe,&lt;br /&gt;&lt;br /&gt;You should visit our Anonymous Surfing section to make sure your system is not giving away information like that of game.exe.&lt;br /&gt;GAME.EXE - Disclaimer&lt;br /&gt;&lt;br /&gt;Every attempt has been made to provide you with the correct information for game.exe or GAME DIALLER. Many spyware / malware programs use filenames of usual, non-malware programs. If we have included information about game.exe that is inaccurate, we would greatly appreciate your help by updating the Process Information database and we will do our best to correct it.&lt;br /&gt;&lt;br /&gt;You should verify the accuracy of information we provided about game.exe. 
Game Dialler may have had a status change since this page was published.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/3658874451160396059/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=3658874451160396059' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3658874451160396059'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3658874451160396059'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/04/gameexe.html' title='GAME.EXE'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-2589693345408220140</id><published>2009-02-19T03:03:00.000-08:00</published><updated>2009-05-19T03:05:09.877-07:00</updated><title type='text'>HACKING IN LINUX</title><content type='html'>&lt;h1&gt; Hack attacks on Linux on the rise&lt;/h1&gt; 
 &lt;b&gt; Hackers are increasingly targeting Web servers based on the Linux operating system, while the number of successful attacks on Windows systems decreases, according to a new report from a U.K. systems integrator. &lt;/b&gt; &lt;p&gt; The study by &lt;a href="http://mi2g.com/"&gt;Mi2g&lt;/a&gt; also found that successful attacks on U.K. and U.S. government sites have decreased, which may be due to tougher laws and improved security. &lt;/p&gt;&lt;p&gt; In the past, hackers and virus writers have largely focused their efforts on the Windows platform, as its dominance on desktop PCs makes it a ready target. However, Linux has a large share of the Web server market, and Linux server applications are often vulnerable to attack because of mismanagement, according to the study. &lt;/p&gt;&lt;p&gt; Mi2g has recorded 7,630 successful attacks on Linux systems in the first six months of this year, up sharply from last year's 5,736 attacks. In the meantime, successful attacks on Windows systems running Microsoft's Internet Information Server (IIS) have fallen by 20 percent from 11,828 in the first half of 2001 to 9,404 in the first half of this year. &lt;/p&gt;&lt;p&gt; The total number of successful attacks for the first six months of the year rose by 27 percent, from 16,007 in 2001 to 20,371 in 2002. &lt;/p&gt;&lt;p&gt; The information is based on Mi2g's own research, which includes information on more than 6,000 hacker groups and records of more than 60,000 hacking events since 1995. The database includes the Computer Security Issues and Trends Survey from the Computer Security Institute and the FBI. &lt;/p&gt;&lt;p&gt; The firm urged Linux system administrators to be more vigilant about patching known security bugs. "A quick response in addressing all weaknesses as soon as they are known has now become critical," D.K. Matai, Mi2g's chairman and chief executive, said in a statement. &lt;/p&gt;&lt;p&gt;Mi2g said that successful attacks on U.S. 
government systems were down sharply, from 204 in the first half of last year to 54 in the first half of 2002. In the United Kingdom, government sites were hit 12 times in the first half of this year, compared with 38 times for the first six months of 2001. &lt;/p&gt;&lt;p&gt; The security firm attributed this drop partly to improved security in the wake of last September's terrorist attacks and partly to an amendment to the Cyber Security Enhancement Act passed in February 2002. The amendment gives a life imprisonment sentence to hackers who put lives at risk. &lt;/p&gt;&lt;p&gt; Mi2g is a systems integrator focused on security. The firm is based in London and mostly deals with companies in the banking and insurance sectors. &lt;/p&gt;&lt;p&gt; &lt;i&gt;ZDNet U.K.'s Matthew Broersma reported from &lt;a href="http://news.zdnet.co.uk/"&gt;London&lt;/a&gt;&lt;/i&gt;.        &lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/2589693345408220140/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=2589693345408220140' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2589693345408220140'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2589693345408220140'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/hacking-in-linux.html' title='HACKING IN LINUX'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-7326445545522231240</id><published>2009-02-19T02:54:00.000-08:00</published><updated>2009-05-19T03:03:18.733-07:00</updated><title type='text'>ATTACKS IN LINUX</title><content type='html'>&lt;h1&gt;Attacker attempts to plant Trojan in Linux&lt;/h1&gt;&lt;br /&gt;&lt;p&gt;&lt;strong&gt;An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel, which is stored in a publicly accessible database.&lt;/strong&gt;&lt;/p&gt;         &lt;p&gt;Security features of the source-code repository, known as BitKeeper, detected the illicit change within 24 hours, and the public database was shut down, a key developer said on Thursday. The public database was used only to provide the latest beta, or test version, of the Linux kernel to users of the Concurrent Versions System (CVS), which is a program designed to manage source code.&lt;/p&gt;          &lt;p&gt;The changes, which would have introduced a security flaw to the kernel, never became a part of the Linux code and, thus, were never a threat, said Larry McVoy, founder of software company BitMover and primary architect of the source-code database BitKeeper.&lt;/p&gt;          &lt;p&gt;"This never got close to the development tree," he said. 
"BitKeeper is really paranoid about integrity, and it turns out that was key to finding this Trojan horse."&lt;/p&gt;          &lt;p&gt;Linus Torvalds, the original creator of Linux and the lead developer of the kernel, uses BitKeeper to keep track of changes in the core software for the operating system. On a daily basis, the software exports those changes to public and private databases other developers use.&lt;/p&gt;          &lt;p&gt;An intruder apparently compromised one server earlier, and the attacker used his access to make a small change to one of the source code files, McVoy said. The change created a flaw that could have elevated a person's privileges on any Linux machine that runs a kernel compiled with the modified source code. However, only developers who used that database were affected -- and only during a 24-hour period, he added.&lt;/p&gt;          &lt;p&gt;"The first thing we did was fix the difference," he said. "It took me five minutes to find the change."&lt;/p&gt;          &lt;p&gt;When BitKeeper exports the source code to other servers, it checks the integrity of every file, matching a digital fingerprint of its official version of the file with the version on the remote machine. That comparison caught the change to the code stored on the server.&lt;/p&gt;          &lt;p&gt;The changes looked like they were made by another developer, but that programmer said he hadn't submitted them, McVoy said.&lt;/p&gt;          &lt;p&gt;The recent incident raises questions about the security of open-source development methods, particularly how well a development team can guarantee that any changes are not introducing intentional security flaws. 
While Microsoft code has had similar problems, closed development is widely considered to be harder to exploit in that way.&lt;/p&gt;          &lt;p&gt;Linus Torvalds addressed the issue in a post to the Linux kernel mailing list.&lt;/p&gt;          &lt;p&gt;"A few things do make the current system fairly secure," he stated. "One of them is that if somebody were to actually access the (BitKeeper) trees (software repositories) directly, that would be noticed immediately."&lt;/p&gt;          &lt;p&gt;A critical security flaw was found in CVS in January, but it's unknown whether the attacker used the vulnerability to gain access to the CVS database.&lt;/p&gt;          &lt;p&gt;BitKeeper's McVoy hopes the current incident will quash objections raised by some members of the development who don't want to add a new feature that would require all changes to be digitally signed.&lt;/p&gt;          &lt;p&gt;Even so, he said, the open-source development model is likely to have quickly turned up any security flaws.&lt;/p&gt;          &lt;p&gt;"A Trojan horse is just a bug that a person has put into the system deliberately," he said. "The open-source security model is that everyone is using this stuff, so bugs get found and get fixed. That's one of the reasons that you are not hearing me freak about this."&lt;/p&gt;          &lt;p&gt;McVoy said the disk from the compromised server has been saved for later analysis, but any decision to contact law enforcement belongs to Torvalds and others. 
Torvalds could not be immediately reached for comment.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/7326445545522231240/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=7326445545522231240' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/7326445545522231240'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/7326445545522231240'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/attacks-in-linux.html' title='ATTACKS IN LINUX'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-5597383618702272492</id><published>2009-02-19T02:46:00.000-08:00</published><updated>2011-08-28T04:43:41.737-07:00</updated><title type='text'>KHATRA.EXE</title><content type='html'>&lt;h2&gt;Khatra.exe (Khatra) Trojan Virus File 
Information&lt;/h2&gt;&lt;table border="0" style="text-align: left;"&gt;&lt;tbody&gt;&lt;tr&gt; &lt;th&gt;&lt;a href="http://www.virusremovalguru.com/wp-content/uploads/2008/12/smaller.jpg"&gt;&lt;img alt="Danger" class="size-full wp-image-776" height="52" src="http://www.virusremovalguru.com/wp-content/uploads/2008/12/smaller.jpg" title="smaller" width="59" /&gt;&lt;/a&gt;&lt;/th&gt; &lt;th&gt;Khatra.exe is a dangerous file which creates activities on a user’s computer which may be highly undesirable. This file is unsafe.&lt;/th&gt; &lt;/tr&gt;&lt;/tbody&gt; &lt;/table&gt;Type: Trojan Virus&lt;br /&gt;Location: C:\WINDOWS\system32\khatra.exe&lt;br /&gt;Risk Level: Moderate&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;IT CAN MAKE UNEXPECTED CHANGES TO YOUR SYSTEM.&lt;/li&gt;&lt;li&gt;IT CAN DISABLE CONTROL PANEL AND CREATE A FILE IN EACH FOLDER OF YOUR DRIVE.&lt;/li&gt;&lt;li&gt;THIS FILE MAY BE 600 KB IN SIZE, THUS FILLING HALF OF YOUR HARD DISK.&lt;/li&gt;&lt;li&gt;IT ALSO RUNS IN YOUR TASK MANAGER AND USES YOUR MEMORY.&lt;/li&gt;&lt;li&gt;IT SPREADS MAINLY THROUGH PEN DRIVES.&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;It is recommended that you remove any malicious software such as Khatra.exe from your computer immediately.&lt;br /&gt;&lt;br /&gt;The file "khatra.exe" is known to be created under the following filenames:          &lt;br /&gt;&lt;table cellpadding="10" cellspacing="0" class="frame"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;table cellpadding="5" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%AllUsersProfile%\desktop.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%AllUsersProfile%\favorites.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%AppData%\microsoft\cd burning\khatra.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%CommonDesktopDir%\desktop.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: 
#f3f3f3;"&gt;&lt;td&gt;%CommonFavorites%\favorites.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%DesktopDir%\desktop.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%System%\khatra.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%UserProfile%\desktop.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%Windir%\khatarnakh.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;%Windir%\system\ghost.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;%Windir%\xplorer.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;c:\inetpub.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;c:\inetpub\inetpub.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;c:\inetpub\wwwroot\wwwroot.exe&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;c:\khatra.exe&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Notes:&lt;/strong&gt;         &lt;br /&gt;&lt;ul&gt;&lt;li&gt;%AllUsersProfile% is a variable that specifies the all users' profile folder. By default, this is C:\Documents and Settings\All Users (Windows NT/2000/XP).&lt;/li&gt;&lt;li&gt;%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.&lt;/li&gt;&lt;li&gt;%CommonDesktopDir% is a variable that refers to the file system directory that contains files and folders that appear on the desktop for all users. A typical path is C:\Documents and Settings\All Users\Desktop (Windows NT/2000/XP).&lt;/li&gt;&lt;li&gt;%CommonFavorites% is a variable that refers to the file system directory that serves as a common repository for all users' favorite items. 
A typical path is C:\Documents and Settings\All Users\Favorites (Windows NT/2000/XP).&lt;/li&gt;&lt;li&gt;%DesktopDir% is a variable that refers to the file system directory used to physically store file objects on the desktop. A typical path is C:\Documents and Settings\[UserName]\Desktop.&lt;/li&gt;&lt;li&gt;%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).&lt;/li&gt;&lt;li&gt;%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).&lt;/li&gt;&lt;li&gt;%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.&lt;/li&gt;&lt;/ul&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="2" cellspacing="0" style="width: 790px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;img alt="" src="http://www.threatexpert.com/resources/gd.gif" style="border: medium none;" /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="0" cellspacing="0" class="frame"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="color: #505050; font-size: small; font-weight: bold; padding: 5px 0px 5px 10px;"&gt;The file "khatra.exe" has the following possible country of origin:&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="10" cellspacing="0" class="frame"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;table cellpadding="5" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td colspan="2"&gt;&lt;strong&gt;Origin&lt;/strong&gt;&lt;/td&gt;&lt;td style="width: 200px;"&gt;&lt;strong&gt;Number of Incidents&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td style="width: 16px;"&gt;&lt;img alt="" src="http://www.threatexpert.com/resources/small_flags/united_kingdom.gif" /&gt;&lt;/td&gt;&lt;td&gt;United 
Kingdom&lt;/td&gt;&lt;td&gt;63&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;table cellpadding="2" cellspacing="0" style="width: 790px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;img alt="" src="http://www.threatexpert.com/resources/gd.gif" style="border: medium none;" /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="0" cellspacing="0" class="frame"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="color: #505050; font-size: small; font-weight: bold; padding: 5px 0px 5px 10px;"&gt;The following threats are known to be associated with the file "khatra.exe":&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table cellpadding="5" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;strong&gt;Threat Alias&lt;/strong&gt;&lt;/td&gt;&lt;td style="width: 200px;"&gt;&lt;strong&gt;Number of Incidents&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Generic.dx [McAfee]&lt;/td&gt;&lt;td&gt;60&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Trojan-Dropper.Win32.Autoit.k [Kaspersky Lab]&lt;/td&gt;&lt;td&gt;60&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Trojan-Dropper.Win32.Autoit [Ikarus]&lt;/td&gt;&lt;td&gt;42&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;W32.SillyFDC [Symantec]&lt;/td&gt;&lt;td&gt;21&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Virus.Win32.Sality [Ikarus]&lt;/td&gt;&lt;td&gt;15&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Trojan Horse [Symantec]&lt;/td&gt;&lt;td&gt;12&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;W32/Autoit-BP [Sophos]&lt;/td&gt;&lt;td&gt;12&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Email-Worm.Win32.Agent.kd [Kaspersky Lab]&lt;/td&gt;&lt;td&gt;9&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Trojan:Win32/Malagent [Microsoft]&lt;/td&gt;&lt;td&gt;9&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;W32.Harakit [Symantec]&lt;/td&gt;&lt;td&gt;9&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Mal/Generic-A [Sophos]&lt;/td&gt;&lt;td&gt;6&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Email-Worm.Agent!sd6 [PC Tools]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Email-Worm.Win32.Runouce.b [Kaspersky Lab]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Mal/Inet-Fam [Sophos]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;PE_Chir.B [Trend Micro]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Trojan-Dropper.Autoit!sd6 [PC Tools]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Virus.Win32.VB.bb [Ikarus]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Virus:Win32/Virut.L [Microsoft]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;W32/Chir.b@MM [McAfee]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;W32/Chir-B [Sophos]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr style="background-color: #f3f3f3;"&gt;&lt;td&gt;Win32.Virut.Gen.5 [PC Tools]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Win32/ChiHack.6652 [AhnLab]&lt;/td&gt;&lt;td&gt;3&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;a href="http://www.oral8.cn/viruscom/viruscom_59050.html" style="color: #cc3300;"&gt;How to remove KHATRA.EXE&lt;/a&gt;&lt;br /&gt;&lt;h1 class="style11"&gt;&lt;a href="http://www.oral8.cn/viruscom/viruscom_59050.html" style="color: #cc3300;"&gt;KHATRA.EXE removal&lt;/a&gt;&lt;/h1&gt;KHATRA.EXE  and detail of &lt;a href="http://www.oral8.cn/viruscom/viruscom_59050.html" style="color: #cc3300;"&gt;KHATRA.EXE&lt;/a&gt;:&lt;br /&gt;KHATRA.EXE description :The filename KHATRA.EXE was last seen on 02.13.2009, and it is considered unsafe. 
This threat is associated with the malware group Win32.Autoit.BP.&lt;br /&gt;Threat name: Win32.Autoit.BP&lt;br /&gt;Filename: [System32Root]\khatra.exe&lt;br /&gt;Filesize: Unknown&lt;br /&gt;Last seen: 02.13.2009&lt;br /&gt;Status: Known to RemoveIT Pro as unsafe.&lt;br /&gt;This file can perform the following behavior:&lt;br /&gt;- The file is created as a process on the disk.&lt;br /&gt;- This process can create, delete or modify files on the disk.&lt;br /&gt;KHATRA.EXE removal instructions&lt;br /&gt;1. Temporarily disable System Restore and reboot the computer in Safe Mode.&lt;br /&gt;&lt;br /&gt;2. Locate the KHATRA.EXE virus files and uninstall the KHATRA.EXE program. Follow the step-by-step on-screen instructions to complete the uninstallation of KHATRA.EXE.&lt;br /&gt;&lt;br /&gt;3. Delete or modify any values added to the registry that are related to KHATRA.EXE, exit the registry editor and restart the computer.&lt;br /&gt;&lt;br /&gt;4. Clean or delete all files infected by KHATRA.EXE (KHATRA.EXE and related files), or rename the KHATRA.EXE virus files.&lt;br /&gt;&lt;br /&gt;5. Manually delete all your IE temp files related to KHATRA.EXE, then run a full scan with an antivirus program.&lt;br /&gt;Enable the 'show all hidden files..' option in the Windows Explorer view menu, and&lt;br /&gt;&lt;br /&gt;6. Search all your hard drive files and folders for '*.exe' with size&amp;lt;1mb and delete only the '&amp;lt;folder&amp;gt;.exe' files that have the folder symbol (and the name of the folder).&amp;nbsp;&lt;br /&gt;&lt;br /&gt;THEN FORMAT YOUR OS DRIVE. USE NOD32 OR AVAST FOR BETTER RESULTS.&lt;br /&gt;&lt;div class="style13 style17 style13"&gt;&lt;br /&gt;Need help removing KHATRA.EXE? Post your problem on the&lt;strong&gt;&lt;a href="http://help.antiviruses123.com/" style="color: #cc3300;"&gt; Free Virus Remove Help forum&lt;/a&gt; URL:&lt;a href="http://help.antiviruses123.com/" style="color: #cc3300;"&gt;http://help.antiviruses123.com&lt;/a&gt;&lt;/strong&gt;. 
 &lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/5597383618702272492/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=5597383618702272492' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5597383618702272492'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5597383618702272492'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/khatraexe.html' title='KHATRA.EXE'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-6624453598512496416</id><published>2009-02-18T08:30:00.001-08:00</published><updated>2009-02-18T08:30:53.566-08:00</updated><title type='text'>HOAXES</title><content type='html'>&lt;table id="enciclo_tabla" border="0" cellpadding="0" cellspacing="0" width="100%"&gt;&lt;tbody&gt;&lt;tr 
class="encabeza"&gt;&lt;td&gt;&lt;strong&gt;Hoax&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Brief description&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000121&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;PIN1234&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000121&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting the existence of a trick...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000119&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Xato100&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000119&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000118&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Ericsson&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000118&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It tries to get users to forward the message with the false promise...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000117&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Copa del Mundo 2006&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000117&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000116&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Invitacion&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000116&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000114&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Hoax/Tsunami in South Asia&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000114&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It appeals to well-meaning users trying to get them to forward the...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000115&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;ICE hoax&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000115&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting the existence of threats...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000112&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Athens2004&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000112&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000108&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Llamadas Perdidas&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000108&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that several telecom...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000106&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Frog and Fish warnings&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000106&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that there are two jokes...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000096&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Bonsai Kittens&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000096&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It attempts to 
trick users into forwarding the message to as many...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt; &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000095&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Girls of Playboy&lt;/a&gt;&lt;/td&gt;&lt;td align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=1000095&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;It generates a false alarm by reporting that a virus that does not...&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/6624453598512496416/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=6624453598512496416' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6624453598512496416'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6624453598512496416'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/hoaxes.html' title='HOAXES'/><author><name>SHEIK 
FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-8311705274959397313</id><published>2009-02-17T08:38:00.000-08:00</published><updated>2009-02-17T08:40:08.440-08:00</updated><title type='text'>W32 THREATS</title><content type='html'>&lt;span style="font-family:arial;"&gt;W32.HLLW.Cebe: This worm spreads through the KaZaa and iMesh file-sharing networks.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;W32.Swen.A@mm: This mass-mailing worm uses its own SMTP engine to spread.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;W32.Sobig.A@mm: This worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;W32.Blaster.Worm: This worm exploits a DCOM RPC vulnerability using TCP port 135.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/8311705274959397313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=8311705274959397313' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8311705274959397313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8311705274959397313'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/w32-threats.html' title='W32 THREATS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-4230283633172154978</id><published>2009-02-16T08:18:00.000-08:00</published><updated>2009-03-07T09:26:06.620-08:00</updated><title type='text'>INSIDE THREATS</title><content type='html'>&lt;span style="font-family:arial;"&gt;      Security threats that originate from inside a network can be more harmful than outside threats. Inside threats are especially dangerous and can often be overlooked by network administrators. Computers that reside on the inside network typically have a high degree of access to inside resources. Also, employees and trusted users are likely to have critical information about the network, including passwords.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;High profile inside threats include disloyal and disgruntled employees who use their inside access to destroy, steal, or tamper with data. These types of attacks cannot be completely protected against. However, well defined security policies can minimize the risks from this type of threat. 
For example, organizations should avoid using just a handful of passwords to protect all computer resources. Large companies should establish clear procedures for removing employee accounts and passwords in the event that an employee leaves the company.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;The most harmful inside threat is a typical end user of a network. Unaware end users can crash a network by carelessly opening e-mail attachments, installing unauthorized software, mounting disks from home, or even browsing the web. The typical cause of inside attacks is an end user who opens an e-mail attachment only to copy a virus to the computer. Many viruses thrive on the corporate network. E-mail viruses typically mail themselves to accounts listed in e-mail address books. Many corporations keep staff e-mail lists loaded on every computer, where a virus can quickly spread to all members of a company. Viruses can also seek out and infect shared files and folders, which are common on corporate networks.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;A growing problem for corporate networks is the widespread popularity of instant messaging and peer-to-peer file sharing. Employees may download instant messaging software, such as Microsoft Messenger or America Online (AOL) Instant Messenger. The instant messaging software is used to chat in real time with co-workers, friends, and family. Other users may download peer-to-peer file sharing software based on Gnutella or some other technology. Both instant messaging and peer-to-peer file sharing programs can be used to transfer virus-infected files to the local computer. Both of these types of programs listen for connections originating from the Internet. Chat and file sharing applications may be vulnerable to other forms of exploitation. 
&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/4230283633172154978/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=4230283633172154978' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4230283633172154978'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4230283633172154978'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/inside-threats.html' title='INSIDE THREATS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-3816397583329659409</id><published>2009-02-15T02:43:00.000-08:00</published><updated>2009-03-15T03:02:25.188-07:00</updated><title type='text'>PICTURES</title><content type='html'>&lt;a 
href="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzSI3GBlPI/AAAAAAAAAEI/FE164jZBj3I/s1600-h/securnoc_diagram_large.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352710060348658" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 286px; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzSI3GBlPI/AAAAAAAAAEI/FE164jZBj3I/s320/securnoc_diagram_large.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_Q92aoloWYdM/SbzSIs247uI/AAAAAAAAAEA/5iJ9rZqqHy8/s1600-h/outsourced_network_security_services_clip_image002.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352707312512738" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 298px; CURSOR: hand; HEIGHT: 320px; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_Q92aoloWYdM/SbzSIs247uI/AAAAAAAAAEA/5iJ9rZqqHy8/s320/outsourced_network_security_services_clip_image002.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzR4qc_PSI/AAAAAAAAAD4/fOYcNw6Inic/s1600-h/MALWARE.bmp"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352431789096226" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 216px; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzR4qc_PSI/AAAAAAAAAD4/fOYcNw6Inic/s320/MALWARE.bmp" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzR4UYnz5I/AAAAAAAAADw/e_tgLe55Nb4/s1600-h/FIREWALL.bmp"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313352425865203602" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 246px; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzR4UYnz5I/AAAAAAAAADw/e_tgLe55Nb4/s320/FIREWALL.bmp" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzR3hGOE_I/AAAAAAAAADo/M_4PvvgDHdI/s1600-h/FIRE.bmp"&gt;&lt;img 
id="BLOGGER_PHOTO_ID_5313352412097811442" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 240px; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzR3hGOE_I/AAAAAAAAADo/M_4PvvgDHdI/s320/FIRE.bmp" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzOVhRTyTI/AAAAAAAAADQ/cFygh0Q-8iA/s1600-h/network-security-small.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348529493887282" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 234px; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzOVhRTyTI/AAAAAAAAADQ/cFygh0Q-8iA/s320/network-security-small.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://2.bp.blogspot.com/_Q92aoloWYdM/SbzOVfl2uZI/AAAAAAAAADI/WAvoe6OgUKU/s1600-h/network-centric_security_processes.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348529043192210" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 240px; TEXT-ALIGN: center" alt="" src="http://2.bp.blogspot.com/_Q92aoloWYdM/SbzOVfl2uZI/AAAAAAAAADI/WAvoe6OgUKU/s320/network-centric_security_processes.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://1.bp.blogspot.com/_Q92aoloWYdM/SbzOVH-GjlI/AAAAAAAAADA/rJjjUPGBjac/s1600-h/firewall_env.gif"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348522702442066" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 192px; TEXT-ALIGN: center" alt="" src="http://1.bp.blogspot.com/_Q92aoloWYdM/SbzOVH-GjlI/AAAAAAAAADA/rJjjUPGBjac/s320/firewall_env.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a 
href="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzOUrqn6YI/AAAAAAAAAC4/jnfPofqf_K8/s1600-h/elements1.gif"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348515104549250" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 202px; TEXT-ALIGN: center" alt="" src="http://4.bp.blogspot.com/_Q92aoloWYdM/SbzOUrqn6YI/AAAAAAAAAC4/jnfPofqf_K8/s320/elements1.gif" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;a href="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzOUNOs_lI/AAAAAAAAACw/D1XhC6Q_bOY/s1600-h/diagram_network_security.jpg"&gt;&lt;img id="BLOGGER_PHOTO_ID_5313348506934378066" style="DISPLAY: block; MARGIN: 0px auto 10px; WIDTH: 320px; CURSOR: hand; HEIGHT: 243px; TEXT-ALIGN: center" alt="" src="http://3.bp.blogspot.com/_Q92aoloWYdM/SbzOUNOs_lI/AAAAAAAAACw/D1XhC6Q_bOY/s320/diagram_network_security.jpg" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;a href="http://secure.bidvertiser.com/performance/bdv_rss_rd.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;click=1&amp;rsrc=3" target="_blank"&gt;&lt;img src="http://bdv.bidvertiser.com/BidVertiser.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;rssimage=1&amp;rsrc=3" border="0"/&gt;&lt;/a&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5074766823662728299-3816397583329659409?l=networksecurity2008.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/3816397583329659409/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=3816397583329659409' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3816397583329659409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3816397583329659409'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/03/pictures.html' title='PICTURES'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_Q92aoloWYdM/SbzSI3GBlPI/AAAAAAAAAEI/FE164jZBj3I/s72-c/securnoc_diagram_large.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-9040338087358021457</id><published>2009-02-13T11:31:00.000-08:00</published><updated>2009-05-03T23:21:49.354-07:00</updated><title type='text'>SPYWARE</title><content type='html'>&lt;div align="left"&gt;&lt;span&gt;Spyware&lt;br /&gt;Threat                Type           First appeared&lt;br /&gt;1  Gator               Adware       Sep 11, 2003&lt;br /&gt;2  Virtumonde    Spyware     Oct 08, 2004&lt;br /&gt;3  SaveNow         Adware       Sep 11, 2003&lt;br /&gt;4  ClientMan       Spyware     Jul 27, 2004&lt;br /&gt;5  WUpd              Adware      Sep 03, 2004&lt;br /&gt;6  ActiveSearch  Adware      Oct 28, 2004&lt;br /&gt;7  BaiduBar         Adware      May 02, 2005&lt;br /&gt;8  MarketScore  Spyware    Sep 17, 2004&lt;/span&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;SPYWARE EXPLOIT USER INFORMATION&lt;br /&gt;The spyware 
problem is an invasion of privacy, although technically different from cookies. Spyware is a program that runs on your computer and, again, tracks your habits, uses these patterns to tailor advertisements, etc. Because it is a computer program, rather than just a bit of text in a cookie, spyware can also do some nasty things to ensure that it keeps running and keeps influencing what you see.&lt;br /&gt;&lt;br /&gt;HOW DO I KNOW IF SPYWARE IS RUNNING ON THE COMPUTER?&lt;br /&gt;You can use detection programs such as Ad-Aware and others. Similar to anti-virus software, these programs compare a list of known spyware with files on your computer and can remove any that they detect, but again, what some consider unacceptable is perfectly acceptable to others.&lt;br /&gt;&lt;br /&gt;HOW DOES SPYWARE INSTALL ITSELF ON COMPUTERS?&lt;br /&gt;Common tactics for surreptitious installation include rolling up advertising programs into "free" shareware program downloads. Once the spyware is installed, it can download advertisements 24 hours a day and overlay them on Web sites and programs you are using. Anti-spyware programs can help stop spyware from being installed, but the best strategy is to be selective about what you choose to download and install.&lt;br /&gt;&lt;br /&gt;CAN SPYWARE SEND TRACKED INFORMATION TO OTHER PEOPLE?&lt;br /&gt;Some forms of spyware monitor a target’s Web use or even general computer use and send this information back to the spyware program's authors for use as they see fit. To fight this kind of problem, a spyware removal tool is obviously helpful, as is a firewall that monitors outgoing connections from your computer. Other forms of spyware take over parts of your Web browsing interface, forcing you to use their own search engines where they can track your browsing habits and send pop-up advertisements to you at will.&lt;br /&gt;The biggest concern regarding spyware is that most of it is poorly written or designed. 
Many people first realize their computer is running spyware when it noticeably slows down or stops responding, especially when doing certain tasks such as browsing Web sites or retrieving email. In addition, poorly written spyware can often cause your computer to function incorrectly even after it has been removed.&lt;br /&gt;&lt;span class="art_title"&gt;&lt;br /&gt;Are Spyware Threats Taking Over Your Computer?&lt;br /&gt;&lt;/span&gt;&lt;div id="body"&gt;&lt;p&gt;Are you fed up with the amount of spyware that roams onto your computer? Most of the time you can't really do anything about the threats but deal with them. Furthermore, most people do not realize that most of the simple things they do while on their computer are what cause their computer to become affected by various spyware threats.&lt;/p&gt;&lt;p&gt;For instance, have you ever downloaded a type of program off the internet, whether it was from a secured website or from another person? Most of the time people may not know that when they download something of interest off the internet, whether it is free or paid for, it may include spyware threats that are attached within the program. Usually, when the spyware threats are included in these programs they are stated within the license agreement that most people are too lazy to read. They are so quick to install the program that they don't take the time to read the license agreement to find out if any type of threat will be included with the program.&lt;/p&gt;&lt;p&gt;If you are a big fan of downloading off of the internet then you may have some experience with spyware threats being on your computer from some files that you may have downloaded. Have you ever experienced those continuous pop-ups that may appear while you are on the internet? Again, your computer has been infected with spyware. 
This can be very frustrating to deal with because as you surf the internet the pop-ups just keep on rolling and rolling whenever you click on something new.&lt;/p&gt;&lt;p&gt;Spyware threats can be a pain to deal with and they just make your computer slower and slower to the point where you don't even want to get onto your computer anymore. Most people compensate for this problem by shelling out hundreds of dollars just to get their computer cleaned.&lt;/p&gt;&lt;/div&gt;&lt;br /&gt;&lt;span class="art_title"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/9040338087358021457/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=9040338087358021457' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/9040338087358021457'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/9040338087358021457'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/spyware-threat-type-first-appeared-1.html' title='SPYWARE'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-727927122126241335</id><published>2009-02-13T11:23:00.000-08:00</published><updated>2009-03-07T09:28:46.346-08:00</updated><title type='text'>MOST ACTIVE VIRUSES</title><content type='html'>&lt;div align="left"&gt;&lt;table id="enciclo_tabla" border="0" cellpadding="0" cellspacing="0" width="100%"&gt;&lt;tbody&gt;&lt;tr class="encabeza"&gt;&lt;td&gt;&lt;strong&gt;Virus&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;PCs infected&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Threat Level&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;First appeared&lt;/strong&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=173377&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1    MaliciousP&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=173377&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;7.34%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=173377&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="Low Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=173377&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Sep 06, 2007&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;2    Conficker.C&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;5.39%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_2.gif" title="Moderate Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=204292&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Dec 31, 2008&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205240&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3    Lineage.KMF&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205240&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3.69%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205240&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_2.gif" title="Moderate Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205240&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jan 29, 2009&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189792&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;4    AdsRevenue&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189792&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3.57%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189792&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="1" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=189792&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Mar 10, 2008&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=53087&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;5    Virtumonde&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=53087&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3.14%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=53087&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_2.gif" title="Moderate Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=53087&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Oct 08, 2004&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=40682&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;6    MyWay&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=40682&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;2.34%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=40682&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="1" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=40682&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Sep 11, 2003&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143883&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;7    Downloader.MDW&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143883&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;2.32%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143883&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_3.gif" title="High Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143883&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jan 02, 2007&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=194318&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;8    Xor-encoded.A&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=194318&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1.76%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=194318&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="1" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=194318&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jun 02, 2008&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;    &lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143979&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;9    Lineage.BZE&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143979&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1.59%    &lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143979&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_2.gif" title="Moderate Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143979&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jan 02, 2007&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td class="confondo"&gt;    &lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205474&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;10    Autorun.INF&lt;/a&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205474&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1.47%    &lt;/a&gt;&lt;/td&gt;&lt;td class="confondo" href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205474&amp;amp;sind=0"&gt;&lt;img src="http://www.pandasecurity.com/img/puntos_1.gif" title="Low Threat" height="13" width="34" /&gt;&lt;/td&gt;&lt;td class="confondo"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=205474&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 04, 2009&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;&lt;span&gt;&lt;br /&gt;Most Active Viruses&lt;br /&gt;Virus                               PCsinfected      First appeared&lt;br /&gt;1  AdsRevenue               5.91%                  Mar 10, 2008&lt;br /&gt;2  Virtumonde                5.14%                  Oct 08, 2004&lt;br /&gt;3  AutoRun.DJ               1.52%                  Oct 24, 2007&lt;br /&gt;4  Downloader.MDW    1.34%                  Jan 02, 2007&lt;br /&gt;5  Xor-encoded.A          1.30%                 Jun 02, 2008&lt;br /&gt;6  Antivirus2009          1.24%                 Jul 19, 2008&lt;/span&gt;&lt;span&gt;&lt;br /&gt;7  GetaCodec.A             0.96%                 Nov 06, 2008&lt;br /&gt;8  HideWindow.S          0.88%                Jun 25, 2006&lt;br /&gt;9  MaliciousP                0.85%                Sep 06, 2007&lt;br /&gt;10  Lineage.BZE          0.84%                Jan 02, 2007&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;a 
href="http://secure.bidvertiser.com/performance/bdv_rss_rd.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;click=1&amp;rsrc=3" target="_blank"&gt;&lt;img src="http://bdv.bidvertiser.com/BidVertiser.dbm?pid=228683&amp;bid=559670&amp;PHS=228683559670&amp;rssimage=1&amp;rsrc=3" border="0"/&gt;&lt;/a&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5074766823662728299-727927122126241335?l=networksecurity2008.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/727927122126241335/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=727927122126241335' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/727927122126241335'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/727927122126241335'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/most-active-viruses-virus-pcsinfected.html' title='MOST ACTIVE VIRUSES'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-6417848559487727578</id><published>2009-02-13T11:00:00.000-08:00</published><updated>2009-02-21T09:09:28.676-08:00</updated><title type='text'>LATEST THREATS</title><content type='html'>&lt;div align="left"&gt;&lt;table id="enciclo_tabla" cellspacing="0" cellpadding="0" width="100%" border="0"&gt;&lt;tbody&gt;&lt;tr 
class="encabeza"&gt;&lt;td&gt;&lt;strong&gt;Threat&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Type&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;Threat level&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;strong&gt;First appeared&lt;/strong&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205738&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;1 MS09-005&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VULNERA')&amp;quot;"&gt;Vulnerability&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205738&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205738&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 11, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205737&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;2 MS09-004&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VULNERA')&amp;quot;"&gt;Vulnerability&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205737&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205737&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 11, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205736&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;3 MS09-003&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VULNERA')&amp;quot;"&gt;Vulnerability&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205736&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205736&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 11, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205735&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;4 MS09-002&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VULNERA')&amp;quot;"&gt;Vulnerability&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205735&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205735&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 11, 
2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205692&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;5 Waledac.J&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#GUSANO')&amp;quot;"&gt;Worm&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205692&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205692&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 10, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205603&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;6 NoVideo.A&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#TROYANO')&amp;quot;"&gt;Trojan&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205603&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205603&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 08, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a 
href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205546&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;7 Autorun.INJ&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#GUSANO')&amp;quot;"&gt;Worm&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205546&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205546&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 06, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205521&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;8 Sinowal.VZR&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#TROYANO')&amp;quot;"&gt;Trojan&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205521&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205521&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 05, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205500&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;9 
Sality.AO&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#VIRUS')&amp;quot;"&gt;Virus&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205500&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205500&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Feb 05, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr class="confondo"&gt;&lt;td&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205289&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;10 MSNWorm.FU&lt;/a&gt;&lt;/td&gt;&lt;td valign="top" align="left" width="100"&gt;&lt;a href="javascript:abre(" entorno="0#GUSANO')&amp;quot;"&gt;Worm&lt;/a&gt;&lt;/td&gt;&lt;td href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205289&amp;amp;sind=0"&gt;&lt;img title="Low Threat" height="13" src="http://www.pandasecurity.com/img/puntos_1.gif" width="34" /&gt;&lt;/td&gt;&lt;td valign="top" align="left"&gt;&lt;a href="http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?IdVirus=205289&amp;amp;sind=0&amp;amp;sitepanda=particulares"&gt;Jan 30, 2009&lt;/a&gt;&lt;/td&gt;&lt;td&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/div&gt;&lt;div align="justify"&gt;&lt;br /&gt;&lt;span style="font-size:0;"&gt;&lt;br /&gt;&lt;/span&gt; &lt;/div&gt;&lt;div align="left"&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;span 
style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;div align="left"&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/6417848559487727578/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=6417848559487727578' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6417848559487727578'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6417848559487727578'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/latest-threats-threat-type-first_13.html' title='LATEST THREATS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-3864256381271853587</id><published>2009-02-08T04:58:00.000-08:00</published><updated>2009-04-08T04:59:32.757-07:00</updated><title type='text'>PACKET ATTACK</title><content type='html'>The Packet 
Fragmentation Attack&lt;br /&gt;Packet fragmentation can be utilized to get around blocking rules on some firewalls.&lt;br /&gt;This is done by cheating with the value of the Fragment Offset. The trick is to set the value of the Fragment Offset on the second packet so low that instead of appending the second packet to the first packet, it actually overwrites the data and part of the TCP header of the first packet.&lt;br /&gt;Let's say you want to `telnet` into a network where TCP port 23 is blocked by a packet filtering firewall. However, SMTP port 25 is allowed into that network.&lt;br /&gt;What you would do is to send two packets:&lt;br /&gt;The first packet would:&lt;br /&gt;• Have a Fragmentation Offset of 0. &lt;br /&gt;• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 1 to mean "More Fragments." &lt;br /&gt;• Have a Destination Port in the TCP header of 25. TCP port 25 is allowed, so the firewall would allow that packet to enter the network. &lt;br /&gt;The second packet would:&lt;br /&gt;• Have a Fragmentation Offset of 1. This means that the second packet would actually overwrite everything but the first 8 bits of the first packet. &lt;br /&gt;• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 0 to mean "Last Fragment." &lt;br /&gt;• Have a Destination Port in the TCP header of 23. This would normally be blocked, but will not be in this case! &lt;br /&gt;The packet filtering firewall will see that the Fragment Offset is greater than zero on the second packet. From this data, it will deduce that the second packet is a fragment of another packet and it will not check the second packet against the rule set.&lt;br /&gt;When the two packets arrive at the target host, they will be reassembled. 
The second packet will overwrite most of the first packet and the contents of the combined packet will go to port 23.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/3864256381271853587/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=3864256381271853587' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3864256381271853587'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3864256381271853587'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/packet-attack.html' title='PACKET ATTACK'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-5739301262266993511</id><published>2009-02-08T04:57:00.000-08:00</published><updated>2009-04-08T04:58:13.741-07:00</updated><title type='text'>TCP ATTACKS</title><content type='html'>The TCP 
Sequence Prediction Attack&lt;br /&gt;TCP is a reliable connection-oriented layer 4 (Transport Layer) protocol. Packet transfer between hosts is accomplished by the layers below layer 4, and TCP takes responsibility for making certain the packets are delivered to higher layers in the protocol stack in the correct order. To accomplish this reordering task, TCP uses the sequence number field.&lt;br /&gt;To successfully mount a TCP sequence prediction attack, you must first listen to communications between two systems, one of which is your target system. Then, you issue packets from your system to the target system with the source IP address of the trusted system that is communicating with the target system.&lt;br /&gt;The packets you issue must have the sequence numbers that the target system is expecting. In addition, your packets must arrive before the packets from the trusted system whose connection you are hijacking. To accomplish this, it is often necessary to flood the trusted system off the network with some form of denial of service attack.&lt;br /&gt;Once you have taken over the connection, you can send data to allow you to access the target host using a normal TCP/IP connection. The simplest way to do this is:&lt;br /&gt;echo "+ +" &gt; /.rhosts &lt;br /&gt;This specific technique relies upon inherent weaknesses in the BSD Unix `r` services. However, SunRPC, NFS, X-Windows, and many other services which rely upon IP address authentication can be exploited with a TCP sequence prediction attack.&lt;br /&gt;Why are TCP Sequence Prediction Attacks Possible?&lt;br /&gt;An excerpt from RFC 793 (Transmission Control Protocol) concerning the generation of TCP sequence numbers:&lt;br /&gt;When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32 bit ISN. The generator is bound to a (possibly fictitious) 32 bit clock whose low order bit is incremented roughly every 4 microseconds. 
Thus, the ISN cycles approximately every 4.55 hours. Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours we can reasonably assume that ISN's will be unique.&lt;br /&gt;The developers of the BSD Unix TCP/IP stack did not follow these recommendations. TCP/IP stacks based upon BSD Unix increase the sequence number by 128,000 every second and by 64,000 for every new TCP connection. This is significantly more predictable than the algorithm specified in the RFC.&lt;br /&gt;Defending Against TCP Sequence Prediction Attacks&lt;br /&gt;TCP sequence prediction attacks can be effectively stopped by any router or firewall that is configured to reject packets that arrive on an external interface but carry an internal source IP address.&lt;br /&gt;This does not fix the TCP sequence prediction vulnerability; it simply prevents TCP sequence prediction attacks from reaching their targets.&lt;br /&gt;Diagram of the TCP Header&lt;br /&gt;                        TCP Header Format&lt;br /&gt;                        -----------------&lt;br /&gt;&lt;br /&gt; 0                   1                   2                   3&lt;br /&gt; 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|          Source Port          |       Destination Port        |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|                        Sequence Number                        |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|                    Acknowledgment Number                      |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|  Data |           |U|A|P|R|S|F|                               |&lt;br /&gt;| Offset| Reserved  |R|C|S|S|Y|I|            Window             |&lt;br /&gt;|       
|           |G|K|H|T|N|N|                               |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|           Checksum            |         Urgent Pointer        |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|                    Options                    |    Padding    |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;|                             data                              |&lt;br /&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;br /&gt;Every packet-based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet which that network can transmit.&lt;br /&gt;Packets larger than the allowable MTU must be divided into multiple smaller packets, or fragments, to enable them to traverse the network.&lt;br /&gt;Network: Standard MTU&lt;br /&gt;Ethernet: 1500&lt;br /&gt;Token Ring: 4096</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/5739301262266993511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=5739301262266993511' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5739301262266993511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5739301262266993511'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/tcp-attacks.html' title='TCP ATTACKS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-723310137921413726</id><published>2009-02-08T04:51:00.000-08:00</published><updated>2009-04-08T04:52:23.555-07:00</updated><title type='text'>DOS ATTACKS</title><content type='html'>Types of Denial of Service (DoS) attacks&lt;br /&gt;These are a few of the classic denial of service attacks. Most of these rely upon weaknesses in the TCP/IP protocol. Vendor patches and proper network configuration have made most of these denial of service attacks difficult or impossible to accomplish.&lt;br /&gt;Flood Attack&lt;br /&gt;The earliest form of denial of service attack was the flood attack. The attacker simply sends more traffic than the victim could handle. This requires the attacker to have a faster network connection than the victim. This is the lowest-tech of the denial of service attacks, and also the most difficult to completely prevent.&lt;br /&gt;Ping of Death Attack&lt;br /&gt;The Ping of Death attack relied on a bug in the Berkeley TCP/IP stack which also existed on most systems which copied the Berkeley network code. The ping of death was simply sending ping packets larger than 65,535 bytes to the victim. 
This denial of service attack was as simple as:&lt;br /&gt;ping -l 86600 victim.org&lt;br /&gt;SYN Attack&lt;br /&gt;In the TCP protocol, handshaking of network connections is done with SYN and ACK messages. The system that wishes to communicate sends a SYN message to the target system. The target system then responds with an ACK message. In a SYN attack, the attacker floods the target with SYN messages spoofed to appear to be from unreachable Internet addresses. This fills up the buffer space for SYN messages on the target machine, preventing other systems on the network from communicating with the target machine.&lt;br /&gt;Teardrop Attack&lt;br /&gt;The Teardrop Attack uses IP's packet fragmentation algorithm to send corrupted packets to the victim machine. This confuses the victim machine and may hang it.&lt;br /&gt;Smurf Attack&lt;br /&gt;In the Smurf Attack, the attacker sends a ping request to a broadcast address at a third party on the network. This ping request is spoofed to appear to come from the victim's network address. Every system within the broadcast domain of the third party will then send ping responses to the victim.&lt;br /&gt;&lt;br /&gt;Distributed Denial of Service (DDoS) attacks&lt;br /&gt;A Distributed Denial of Service (DDoS) attack is a denial of service attack which is mounted from a large number of locations across the network.&lt;br /&gt;DDoS attacks are usually mounted from a large number of compromised systems. 
These systems may have been compromised by a trojan horse or a worm, or they might have been compromised by being hacked manually.&lt;br /&gt;These compromised systems are usually controlled with a fairly sophisticated piece of client-server software such as Trinoo, Tribe Flood Network, Stacheldraht, TFN2K, Shaft, and Mstream.&lt;br /&gt;The Mydoom worm attempted DDoS attacks against SCO and Microsoft from the systems which it infected.&lt;br /&gt;DDoS attacks can be very difficult to defend against.&lt;br /&gt;IP address spoofing denotes the action of generating IP packets with fake source IP addresses in order to impersonate other systems or to protect the identity of the sender. Spoofing can also refer to forging or using fake headers on emails or netnews to, again, protect the identity of the sender and to mislead the receiver or the network as to the origin and validity of sent data.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/723310137921413726/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=723310137921413726' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/723310137921413726'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/723310137921413726'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/dos-attacks.html' title='DOS ATTACKS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-8259113066351281963</id><published>2009-02-08T04:47:00.000-08:00</published><updated>2009-04-08T04:49:19.038-07:00</updated><title type='text'>POP UP MALWARE</title><content type='html'>Dirty tricks&lt;br /&gt;Imagine this: You visit a website and up pops a message, "Your computer is not secure -- click here for a free spyware scan." Anxious, if not alarmed, you click the link. You approve a "small download", the program starts, and you're told you have 87 spyware programs on your computer.&lt;br /&gt;Little do you know that it's a scammer's dirty trick -- the download included spyware that now reports everything you do on your computer, including account numbers and passwords that you enter. To top it off, there is an offer to remove the 87 infected items for just $39.95. That's just one example of the kind of scams you run into on the Internet these days.&lt;br /&gt;Blocking popups&lt;br /&gt;Just clicking the "No" button, or even the "X" in the upper-right corner of some popups can trigger an attack. The easiest and safest way to close unwanted popups is by using "Ctrl-W". [Hold down the "Ctrl" key and then press the "W" key]. That should close the popup safely. The best thing to do is block them in the first place though. :-)&lt;br /&gt;The Firefox popup blocker does a superb job blocking undesired popups. 
It also allows the ones you want in response to links that you click. The latest version of Internet Explorer in SP2 for Windows XP does nearly as well as Firefox. Pop-Up Sentry is a very effective stand-alone popup blocker. &lt;br /&gt;More online&lt;br /&gt;Test your popup blocker, as well as find links to free popup software. (Which you won't need if you switch to Firefox.) If you like to play, turn off your popup blocker and experience how bad popups can be. The tests are brought to you by WebAttack -- now called SnapFiles.&lt;br /&gt;PC Today has a comprehensive and easy to read report on popup blockers, including the blockers that are included in Firefox and Internet Explorer.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/8259113066351281963/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=8259113066351281963' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8259113066351281963'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8259113066351281963'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/pop-up-malware.html' title='POP UP MALWARE'/><author><name>SHEIK 
FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-3858340402619457356</id><published>2009-02-08T04:45:00.000-08:00</published><updated>2009-04-08T04:46:27.318-07:00</updated><title type='text'>HACKERS</title><content type='html'>Hackers&lt;br /&gt;To hack (maliciously) is to use your skill and knowledge to trespass in other computers. Hackers have easy access to hacking tools and heuristic methods from the Internet underground. They often use "social engineering" rather than technology to insinuate their way into computers and computer networks.&lt;br /&gt;Social engineering is the skill of getting passwords or other information about systems from people who should know better. The hacker poses as someone with a legitimate purpose for getting in and many people fall for it.&lt;br /&gt;Hacking is largely a social malignancy -- not a technical problem. Don Parker, a seasoned security expert put it this way: &lt;br /&gt;"Remote computing freed criminals from the historic requirement of proximity to their crimes. Anonymity and freedom from personal victim confrontation increased the emotional ease of crime, i.e., the victim was only an inanimate computer, not a real person or enterprise. Timid people could become criminals..."&lt;br /&gt;The most common hacks&lt;br /&gt;"The majority of the successful operating system attacks come from only a few software vulnerabilities. This can be attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools." 
-- quote from SANS Institute&lt;br /&gt;You're exposed to hackers every time you're on the Internet. When you're online your PC has an Internet address assigned to it. Crackers can easily find your PC and break in. They do that while you're busy surfing, or reading your e-mail.&lt;br /&gt;You wouldn't know they're trying and probably won't know if they succeed until later, if ever. For example, they might make off with your bank account number and PIN. You wouldn't know until the money was gone. Your bank would be dubious about your protest though.&lt;br /&gt;Most hackers aren't out to get you personally. They want to use your computer for their own nefarious purposes, but they'll usually go away if yours is well protected. Some of the things they want your computer for:&lt;br /&gt;1. Hide their intrusion into sensitive computers by going through yours. &lt;br /&gt;2. Store and distribute spam, porn, pirated music, and warez (bogus software). &lt;br /&gt;3. Attack their enemies.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/3858340402619457356/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=3858340402619457356' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3858340402619457356'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3858340402619457356'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/hackers.html' title='HACKERS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1658739769907883285</id><published>2009-02-08T04:41:00.000-08:00</published><updated>2009-04-08T04:43:06.437-07:00</updated><title type='text'>DOWNLOADING SAFELY</title><content type='html'>How to Download Software (Safely)&lt;br /&gt;There are two kinds of people who download software -- those who have picked up a virus or other computer infection, and those who will. You need to be very careful to put it off as long as possible. I've downloaded and installed scores of programs but so far none have bit me. &lt;br /&gt;First things first: software categories&lt;br /&gt;Commercial: Mainstream software offered for download by big companies. Some is even free or free for home use. Most of it is priced in the "boxed software" range. The same software is usually available in stores as well as online.&lt;br /&gt;Freeware: Some freeware rivals the capability of commercial software, but usually it's smaller programs developed by individuals or shareware developers. Warning: freeware can be addictive -- it's free -- easy to download -- often excellent -- and there are thousands of programs to try. :-)&lt;br /&gt;Many freeware programs are superb, but a few are written poorly. Freeware can also conceal "spyware", viruses or Trojans and other parasites. 
Avoid problems by using your common sense and by following the rules for safe downloading listed below.&lt;br /&gt;Shareware: Usually modestly priced, intermediate in size and closer to commercial software in features. Some shareware is the best software written. The usual price range is $10 to $30. Often there's both a freeware and shareware version of the same software. The freeware version may run ads and/or limit functions. Shareware can often be used for 30 days or so on a free trial basis. After that time it will shut down unless you buy a registration code to keep it working.&lt;br /&gt;Updates &amp; Extensions: "Filters", "codecs", "modules", updates, etc., that augment or revise the capabilities of Windows and other programs, mostly browsers. They're usually free, and they are often offered when you click a link that won't work without the new software. They're often needed by Multimedia programs like Windows Media Player and RealPlayer. Be very sure the site is trustworthy before you proceed though.&lt;br /&gt;Imperatives for downloading :-)&lt;br /&gt;1. Use your common sense: Be very, very suspicious of any unsolicited invitation to download something wonderful or urgently important. These offers often appear as a flashy ad or popup window. Some will arrive as spam, some of it very clever, and often with an attachment. &lt;br /&gt;2. Never download a file -- including pictures and music -- unless you know the source is trustworthy. Download software only from well-known companies (Microsoft, Symantec, Intuit, etc.) or from other trustworthy sources, such as those listed in the section below. &lt;br /&gt;3. Never download a file via BitTorrent or other file-sharing networks. Period. &lt;br /&gt;4. "Google" it: Let's say the program is called Spyban. Go to Google and enter "Spyban spyware" (without the quotes) and see what you get. &lt;br /&gt;5. Read the description and recommendations at the download site, or at the program's website. 
You don't want to install something that won't be compatible with your needs or your computer. &lt;br /&gt;6. Before you install any software you download, make sure that you have a current backup of your documents and system. &lt;br /&gt;7. Take precautions against viruses, Trojans, adware and the like. It's no longer a sure thing, but it's still good practice to scan files for viruses, worms and other malware before you open them -- no matter what the source. [see handling files safely] &lt;br /&gt;Safe places to download software from&lt;br /&gt;SiteAdvisor is a new service that checks websites for suspicious activity. SiteAdvisor helps protect you from all kinds of Web-based security threats -- spyware, adware, spam, viruses, browser-based attacks, phishing, online fraud and identity theft. Note: SiteAdvisor does not protect against Phishing, as that is a different kind of attack.&lt;br /&gt;These major download sources are trustworthy. They usually have ratings of the programs (often written by the supplier, however). Check with a couple of them to compare notes. &lt;br /&gt;Tucows :: MajorGeeks.com :: WebAttack :: NoNags :: Jumbo! :: Pricelessware :: WinPlanet :: ZDNet Downloads :: CNET&lt;br /&gt;Gizmo's community-based (I'm an editor there) Best-ever Freeware Utilities site features the "best of the best" freeware. Gizmo also maintains a list of the best freeware/shareware download sites.&lt;br /&gt;I created some special search engines that you can use to find programs at trustworthy sources.&lt;br /&gt;You'll find over 5000 programs at Microsoft's Free Downloads Center. Lots of games, but many other programs as well. The Ultimate List of Windows Software from Microsoft may make it easier to find what you want.&lt;br /&gt;Download managers&lt;br /&gt;Warning: Download managers, Zip programs, and of all things, anti-spyware programs are often used as bait for adware and spyware. 
Don't forget the "rules to download by" when you're considering one of them.&lt;br /&gt;I no longer use a special download manager. Firefox has a built-in download manager. It lets you save the files where you want (set up in options), download multiple files at the same time, and easily pause and resume any download. That's good enough for me. :-) I also follow a process to keep my downloads well organized. ;-)&lt;br /&gt;Ed Bott suggests a simple but effective way to keep track of not only downloads, but the essential information that goes with them.&lt;br /&gt;http://www.edbott.com/weblog/?p=693 -- getting them organized&lt;br /&gt;http://www.edbott.com/weblog/?p=1254 -- keeping them organized&lt;br /&gt;If you do a lot of downloading, especially on dial-up, you might appreciate a download manager. They let you pause downloads, and resume interrupted ones without losing the part you've already downloaded. They'll also help you keep track of the files you download.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1658739769907883285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1658739769907883285' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1658739769907883285'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1658739769907883285'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/downloading-safely.html' title='DOWNLOADING SAFELY'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-3414144447386125205</id><published>2009-02-08T04:39:00.000-08:00</published><updated>2009-04-08T04:41:10.590-07:00</updated><title type='text'>EMAIL ATTACHMENTS</title><content type='html'>The Perils of Email Attachments&lt;br /&gt;Synopsis&lt;br /&gt;Email attachments are one of the easiest ways to vandalize or invade a computer. The human element is often the weakest part of the system. Amazingly, many previous victims continue to open dodgy attachments. &lt;br /&gt;1. Be suspicious of any attachment you were not expecting -- even though it's from someone you know. &lt;br /&gt;2. Be doubly suspicious of attachments that have been forwarded to you -- even by someone you know. &lt;br /&gt;3. Be paranoid about attachments from anyone you don't know. &lt;br /&gt;A worm could have sent the message in the first case. Here's how: The message came from an infected PC -- one belonging to them or someone who has their address. Your friend's address was used in the "From:" field to disarm you. In the 2nd case, you clearly have no idea where the file came from originally. In the 3rd case, it's spam or more likely an attack.&lt;br /&gt;Attachments, and the messages that carry them, get more diabolical all the time. Finding new ways to fool people is a collective obsession. 
Even seasoned computer users get taken in. Now there are even ways to include hostile code in digital music, images or videos.&lt;br /&gt;Examples&lt;br /&gt;1. A reasonable sounding message informs you that your computer is infected with the latest worm in the news, and offers to remove it. When you open the attachment, it disables your antivirus program and firewall. Then it installs the worm it claimed to be scanning for. Finally it reports that your computer is free of the worm. Now the worm uses your computer to send bogus messages to more victims. Nice!&lt;br /&gt;2. Your friend emails you a cute attachment with the file name "kitty.exe". In their message, they tell you they've tried it themselves, it's really cute, and it's "OK to open". You check with your friend, and yes indeed, he or she did send it, and they assure you "it doesn't have a virus."&lt;br /&gt;Trouble is, it contains a delayed action Trojan-horse along with the cute kitty. When you open it, the kitty does something cute, but the Trojan is installed on your computer too. You and your friend will not find out about the Trojan until later, if ever.&lt;br /&gt;3. An email arrives that appears to come from Microsoft. The Microsoft heading and icons are genuine. The message contains a sincere and urgent plea for you to patch your copy of Windows immediately. The patch is conveniently attached to the message.&lt;br /&gt;Trouble is, the attachment terminates your antivirus program and firewall, and does other things so that you can't remove it. Now you have a nice new Trojan horse in your PC. Microsoft provides a guideline for determining if a message "from" Microsoft is genuine.&lt;br /&gt;4. Attackers often disguise malicious attachments by using double extensions, for example, "message.txt.lnk" or "picture.gif.vbe". Unless you've changed your Windows configuration though, *.lnk, *.vbe and several other extensions are always hidden. 
The file names that you see are just "message.txt" or "picture.gif".&lt;br /&gt;Those files -- *.txt and *.gif files -- seem safe enough. Windows knows they are *.lnk or *.vbe files though, not text or picture files at all. When you "open" them though, Windows blindly does exactly what the attacker had in mind, and the damage is done.&lt;br /&gt;5. Demonstration: It's a myth that non-executable files are always safe. It's easy to hide malicious content in music or video files. Download and run example.mp3 to see a convincing but perfectly safe demonstration of this. (*.mp3 is a popular music file format.) That is... if you trust me.&lt;br /&gt;Nothing dramatic happens, but there's more going on than just the music, eh? You'll need to have Windows Media Player installed, and be online to see the results. This is just an example. I'm sure there's a lot of brigands and bandits figuring out how to plant hostile content in more file types.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/3414144447386125205/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=3414144447386125205' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3414144447386125205'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3414144447386125205'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/email-attachments.html' title='EMAIL ATTACHMENTS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-8104575188170689771</id><published>2009-02-08T04:35:00.000-08:00</published><updated>2009-04-08T04:36:50.284-07:00</updated><title type='text'>FAKE EMAILS</title><content type='html'>Key facts about fake email messages&lt;br /&gt;1. A sensible business will *never* ask you to reply to an email with your date of birth, credit card data, password, or other personal data. Never reply to one that does. If an email provides a link to a Web site to supply the information, don't use it. Open your browser and go there by your usual route.&lt;br /&gt;2. Almost anything in the headers of an email message can be "spoofed", including the "From" and "Reply To" addresses. A bogus message may appear to come from a legitimate business, or from someone you know. Be a little paranoid about any message you wouldn't have expected to see.&lt;br /&gt;3. You will never get email warnings about viruses and worms unless you have subscribed to an alert service or a newsletter. Bogus warnings often direct you to do something that damages your computer. Others have attachments that are supposed to protect you against the threat, but install Trojan-horses instead.&lt;br /&gt;4. 
Many bogus email messages are disguised as solutions to problems that are plausible or in the news -- charge account problems, investigations, loss of benefits, identity theft, anthrax, computer viruses, etc. They usually call for urgent action. Of course, they don't have your best interest in mind.&lt;br /&gt;&lt;br /&gt;Master counterfeiters&lt;br /&gt;Criminals have adopted the tricks of spammers and worm writers. In some cases they have joined with spammers directly. It's easy to send out millions of fake email messages using that technology. They try to make the messages look just like one you'd expect.&lt;br /&gt;The "From" address is invariably "spoofed". That's trivially easy to do. You can probably do it yourself. The messages are sometimes very skillfully written. Stealing the graphics and images from a real webpage, say Homeland Security, and composing a message in HTML format can produce an even more convincing counterfeit. It looks just like what you'd expect.&lt;br /&gt;It's very hard to tell some fake email messages from real ones. But your instincts, along with safe email practices, can help.&lt;br /&gt;Email defense&lt;br /&gt;1. Configure your email client correctly. &lt;br /&gt;2. Know what to watch out for. Especially phish hooks. &lt;br /&gt;3. Never click a link in a spam message -- even to "opt-out" of future email. &lt;br /&gt;4. Handle your email safely. &lt;br /&gt;5. 
Install anti-virus and anti-malware software.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/8104575188170689771/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=8104575188170689771' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8104575188170689771'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8104575188170689771'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/fake-emails.html' title='FAKE EMAILS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-6249728660655821704</id><published>2009-02-08T04:29:00.000-08:00</published><updated>2009-04-08T04:33:55.736-07:00</updated><title type='text'>MALWARE IN MUSIC OR VIDEO FILES</title><content type='html'>There's a simple way to include malicious content in music or video 
files. The file can then be simply linked from a webpage. The link can even be hidden. To see a demo, download and run example.mp3 -- you can trust me, I'm a grandfather -- to see a convincing but perfectly safe demonstration. (*.mp3 is a popular compressed file format used for music.)&lt;br /&gt;You'll need Windows Media Player to play the sound and see the results. In addition to the music, three more browser windows will open -- unless you have your security settings set too high. These windows will just display some perfectly safe content. If this little file can do that, just imagine what a crook or malcontent could do with a file they concoct.&lt;br /&gt;&lt;br /&gt;McAfee is warning file-sharers that they may be at risk due to a Trojan horse posing as an MP3 or MPEG file.&lt;br /&gt;&lt;br /&gt;The security firm said Tuesday that it had detected a half million instances of the malware, dubbed "Downloader-UA.h," since Friday. It is calling the incident the most significant malware outbreak in three years.&lt;br /&gt;A check of McAfee's virus map showed the majority of infections have occurred in the US during the past 24 hours, although high rates of infection are being reported in Mexico, Venezuela, Brazil, Australia, and much of Western Europe.&lt;br /&gt;&lt;br /&gt;It appears as if the files are located on Gnutella and Limewire under a variety of names. When loaded, the file redirects through the player to a download of a file called PLAY_MP3.exe.&lt;br /&gt;&lt;br /&gt;Once this file loads, it displays a EULA, and if it is accepted, the files "FBrowsingAdvisor" and "SurfingEnhancer" are installed. 
The file PlayMP3.exe is also installed, but instead of it being an actual local MP3 player, the application loads up a webpage with the Wimpy Flash MP3 player with several dozen songs available.&lt;br /&gt;&lt;br /&gt;The two previous files are believed to load some type of adware, which, instead of blocking popups as the EULA claims, delivers them to the end user.&lt;br /&gt;&lt;br /&gt;McAfee rated the issue a "medium" risk, the first time it has given any piece of malware such a high rating since 2005.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/6249728660655821704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=6249728660655821704' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6249728660655821704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6249728660655821704'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/04/malware-in-music-or-video-files.html' title='MALWARE IN MUSIC OR VIDEO FILES'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1939352318832697254</id><published>2009-02-08T04:22:00.000-08:00</published><updated>2009-04-08T04:22:40.163-07:00</updated><title type='text'>FEW TIPS</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception locked="false" priority="0" semihidden="false" unhidewhenused="false" qformat="true" name="Normal"&gt;   &lt;w:lsdexception locked="false" priority="9" semihidden="false" unhidewhenused="false" qformat="true" name="heading 1"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 2"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 3"&gt;   &lt;w:lsdexception locked="false" priority="0" qformat="true" name="heading 4"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 5"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 6"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 7"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 8"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 9"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 1"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 2"&gt;   &lt;w:lsdexception locked="false" priority="39" 
name="toc 3"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 4"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 5"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 6"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 7"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 8"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 9"&gt;   &lt;w:lsdexception locked="false" priority="35" qformat="true" name="caption"&gt;   &lt;w:lsdexception locked="false" priority="10" semihidden="false" unhidewhenused="false" qformat="true" name="Title"&gt;   &lt;w:lsdexception locked="false" priority="1" name="Default Paragraph Font"&gt;   &lt;w:lsdexception locked="false" priority="11" semihidden="false" unhidewhenused="false" qformat="true" name="Subtitle"&gt;   &lt;w:lsdexception locked="false" priority="0" name="Hyperlink"&gt;   &lt;w:lsdexception locked="false" priority="22" semihidden="false" unhidewhenused="false" qformat="true" name="Strong"&gt;   &lt;w:lsdexception locked="false" priority="20" semihidden="false" unhidewhenused="false" qformat="true" name="Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="0" name="Normal (Web)"&gt;   &lt;w:lsdexception locked="false" priority="59" semihidden="false" unhidewhenused="false" name="Table Grid"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Placeholder Text"&gt;   &lt;w:lsdexception locked="false" priority="1" semihidden="false" unhidewhenused="false" qformat="true" name="No Spacing"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" 
name="Medium Shading 1"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;  &lt;h4 style="margin: 3.75pt 0in;"&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,&amp;quot;sans-serif&amp;quot;;"&gt;Don't get 
hooked&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/h4&gt;  &lt;p class="MsoNormal" style="margin-bottom: 6pt; margin-left: 27pt; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-size: 10pt; font-family: Symbol; color: rgb(17, 17, 17);"&gt;&lt;span style=""&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: rgb(17, 17, 17);"&gt;A sensible business should never send a message asking for personal details. Never follow links in an email message that directs you to take some action -- even if the message looks perfectly legitimate. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom: 6pt; margin-left: 27pt; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-size: 10pt; font-family: Symbol; color: rgb(17, 17, 17);"&gt;&lt;span style=""&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: rgb(17, 17, 17);"&gt;If the message has a general salutation like "Dear Valued Customer" or "Please Confirm" instead of being specifically addressed to you by name, do not click any links. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom: 6pt; margin-left: 27pt; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-size: 10pt; font-family: Symbol; color: rgb(17, 17, 17);"&gt;&lt;span style=""&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: rgb(17, 17, 17);"&gt;If there are spelling or grammar mistakes -- if the email just doesn't look professional, do not click any links. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom: 6pt; margin-left: 27pt; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-size: 10pt; font-family: Symbol; color: rgb(17, 17, 17);"&gt;&lt;span style=""&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: rgb(17, 17, 17);"&gt;Hover your mouse pointer over links in the body of the email. The real destination of the links should be displayed. If the address looks strange or unlikely, do not click any of the links. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal" style="margin-bottom: 6pt; margin-left: 27pt; text-indent: -0.25in;"&gt;&lt;!--[if !supportLists]--&gt;&lt;span style="font-size: 10pt; font-family: Symbol; color: rgb(17, 17, 17);"&gt;&lt;span style=""&gt;·&lt;span style="font-family: &amp;quot;Times New Roman&amp;quot;; font-style: normal; font-variant: normal; font-weight: normal; font-size: 7pt; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;         &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;!--[endif]--&gt;&lt;span style="font-family: &amp;quot;Trebuchet MS&amp;quot;,&amp;quot;sans-serif&amp;quot;; color: rgb(17, 17, 17);"&gt;If you just can't resist checking out an urgent request or warning, use your browser to go directly to the purported Web site, or contact the organization by phone.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1939352318832697254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1939352318832697254' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1939352318832697254'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1939352318832697254'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/few-tips.html' title='FEW TIPS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1482284452466052667</id><published>2009-02-08T03:35:00.000-08:00</published><updated>2009-04-08T03:42:57.406-07:00</updated><title type='text'>FAKERY</title><content type='html'>&lt;meta equiv="Content-Type" content="text/html; charset=utf-8"&gt;&lt;meta name="ProgId" content="Word.Document"&gt;&lt;meta name="Generator" content="Microsoft Word 12"&gt;&lt;meta name="Originator" content="Microsoft Word 12"&gt;&lt;link rel="File-List" href="file:///C:%5CDOCUME%7E1%5CFIROZ%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_filelist.xml"&gt;&lt;o:smarttagtype namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"&gt;&lt;/o:smarttagtype&gt;&lt;link rel="themeData" href="file:///C:%5CDOCUME%7E1%5CFIROZ%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_themedata.thmx"&gt;&lt;link rel="colorSchemeMapping" href="file:///C:%5CDOCUME%7E1%5CFIROZ%5CLOCALS%7E1%5CTemp%5Cmsohtmlclip1%5C01%5Cclip_colorschememapping.xml"&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:worddocument&gt;   &lt;w:view&gt;Normal&lt;/w:View&gt;   &lt;w:zoom&gt;0&lt;/w:Zoom&gt;   &lt;w:trackmoves/&gt;   &lt;w:trackformatting/&gt;   &lt;w:punctuationkerning/&gt;   &lt;w:validateagainstschemas/&gt;   &lt;w:saveifxmlinvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;   &lt;w:ignoremixedcontent&gt;false&lt;/w:IgnoreMixedContent&gt;   
&lt;w:alwaysshowplaceholdertext&gt;false&lt;/w:AlwaysShowPlaceholderText&gt;   &lt;w:donotpromoteqf/&gt;   &lt;w:lidthemeother&gt;EN-US&lt;/w:LidThemeOther&gt;   &lt;w:lidthemeasian&gt;X-NONE&lt;/w:LidThemeAsian&gt;   &lt;w:lidthemecomplexscript&gt;X-NONE&lt;/w:LidThemeComplexScript&gt;   &lt;w:compatibility&gt;    &lt;w:breakwrappedtables/&gt;    &lt;w:snaptogridincell/&gt;    &lt;w:wraptextwithpunct/&gt;    &lt;w:useasianbreakrules/&gt;    &lt;w:dontgrowautofit/&gt;    &lt;w:splitpgbreakandparamark/&gt;    &lt;w:dontvertaligncellwithsp/&gt;    &lt;w:dontbreakconstrainedforcedtables/&gt;    &lt;w:dontvertalignintxbx/&gt;    &lt;w:word11kerningpairs/&gt;    &lt;w:cachedcolbalance/&gt;   &lt;/w:Compatibility&gt;   &lt;w:browserlevel&gt;MicrosoftInternetExplorer4&lt;/w:BrowserLevel&gt;   &lt;m:mathpr&gt;    &lt;m:mathfont val="Cambria Math"&gt;    &lt;m:brkbin val="before"&gt;    &lt;m:brkbinsub val="--"&gt;    &lt;m:smallfrac val="off"&gt;    &lt;m:dispdef/&gt;    &lt;m:lmargin val="0"&gt;    &lt;m:rmargin val="0"&gt;    &lt;m:defjc val="centerGroup"&gt;    &lt;m:wrapindent val="1440"&gt;    &lt;m:intlim val="subSup"&gt;    &lt;m:narylim val="undOvr"&gt;   &lt;/m:mathPr&gt;&lt;/w:WordDocument&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception locked="false" priority="0" semihidden="false" unhidewhenused="false" qformat="true" name="Normal"&gt;   &lt;w:lsdexception locked="false" priority="9" semihidden="false" unhidewhenused="false" qformat="true" name="heading 1"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 2"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 3"&gt;   &lt;w:lsdexception locked="false" priority="0" qformat="true" name="heading 4"&gt;   &lt;w:lsdexception locked="false" priority="9" 
qformat="true" name="heading 5"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 6"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 7"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 8"&gt;   &lt;w:lsdexception locked="false" priority="9" qformat="true" name="heading 9"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 1"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 2"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 3"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 4"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 5"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 6"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 7"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 8"&gt;   &lt;w:lsdexception locked="false" priority="39" name="toc 9"&gt;   &lt;w:lsdexception locked="false" priority="35" qformat="true" name="caption"&gt;   &lt;w:lsdexception locked="false" priority="10" semihidden="false" unhidewhenused="false" qformat="true" name="Title"&gt;   &lt;w:lsdexception locked="false" priority="1" name="Default Paragraph Font"&gt;   &lt;w:lsdexception locked="false" priority="11" semihidden="false" unhidewhenused="false" qformat="true" name="Subtitle"&gt;   &lt;w:lsdexception locked="false" priority="0" name="Hyperlink"&gt;   &lt;w:lsdexception locked="false" priority="22" semihidden="false" unhidewhenused="false" qformat="true" name="Strong"&gt;   &lt;w:lsdexception locked="false" priority="20" semihidden="false" unhidewhenused="false" qformat="true" name="Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="0" name="Normal (Web)"&gt;   &lt;w:lsdexception locked="false" priority="59" semihidden="false" unhidewhenused="false" name="Table Grid"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Placeholder Text"&gt;   
&lt;w:lsdexception locked="false" priority="1" semihidden="false" unhidewhenused="false" qformat="true" name="No Spacing"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List 
Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" unhidewhenused="false" name="Revision"&gt;   &lt;w:lsdexception locked="false" priority="34" semihidden="false" unhidewhenused="false" qformat="true" name="List Paragraph"&gt;   &lt;w:lsdexception locked="false" priority="29" semihidden="false" unhidewhenused="false" qformat="true" name="Quote"&gt;   &lt;w:lsdexception locked="false" priority="30" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Quote"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 1"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 1"&gt;   
&lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 2"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List 
Accent 3"&gt;   &lt;w:lsdexception locked="false" priority="67" 
semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;  &lt;h4&gt;&lt;span style=";font-family:&amp;quot;;" &gt;Fakery&lt;/span&gt;&lt;/h4&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=";font-family:&amp;quot;;" &gt;It's easy to get used to taking email at face value. Much of the spam you see is obviously of no value. However, well-designed counterfeit email looks very legitimate. Almost anything about an email message can be faked: who it's "To:", who it's "From:", where it originated, the "Reply To:" address, etc.&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style=";font-family:&amp;quot;;" &gt;Usually the Subject, To, and From addresses and the content are plausible.&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style=";font-family:&amp;quot;;" &gt;Some worms even generate convincing fake messages automatically. Most of the time there is something slightly "off" about the message. The subject may not match what you'd expect from the sender, for example. 
But some of them will fool you.&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style=";font-family:&amp;quot;;" &gt;[&lt;a href="http://www.michaelhorowitz.com/bademails.html"&gt;"bad" email messages&lt;/a&gt;]&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style=";font-family:&amp;quot;;" &gt;You can learn more about rip-offs at the &lt;a href="http://cybercoyote.org/security/av-email.shtml"&gt;counterfeit email&lt;/a&gt; and &lt;a href="http://cybercoyote.org/security/av-web.shtml"&gt;bogus website&lt;/a&gt; pages. You're up against organized criminals and skillful con artists, who know all the tricks of the trade. You'll need to be more astute than they are cunning.&lt;/span&gt;&lt;/p&gt;  &lt;h4&gt;&lt;span style=";font-family:&amp;quot;;" &gt;Examples&lt;/span&gt;&lt;/h4&gt;  &lt;p&gt;&lt;span style=";font-family:&amp;quot;;" &gt;"Toll free" scams are vicious. A bogus message announces an unclaimed prize, a vacation offer or whatnot. All you need to do to take advantage of it is to call what looks like a toll free number. Trouble is, it's not really a toll-free number. The call goes to an offshore location, and can cost hundreds if not thousands of dollars in just a few minutes.&lt;/span&gt;&lt;/p&gt;  &lt;p&gt;&lt;span style=";font-family:&amp;quot;;" &gt;The "&lt;a href="http://www.consumerwebwatch.org/news/Barrett/419fraud.htm"&gt;Nigerian&lt;/a&gt;" scam is both amusing and a serious ripoff. This and other "419" scams have fleeced victims of more than $150 Million so far. Update: The perpetrator, or at least one perpetrator of this scam was recently nabbed in Southeast Asia. 
[&lt;a href="http://www.snopes.com/inboxer/scams/nigeria.htm"&gt;more&lt;/a&gt;]&lt;/span&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1482284452466052667/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1482284452466052667' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1482284452466052667'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1482284452466052667'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/fakery.html' title='FAKERY'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1732226900662256049</id><published>2009-02-07T11:16:00.000-08:00</published><updated>2009-06-07T11:20:30.777-07:00</updated><title type='text'>SECURITY IN WIRELESS NETWORK</title><content 
type='html'>Computer users looking for convenience and mobility switch to &lt;a title="high speed internet" href="http://www.satelliteinternetfamily.com/" target="_blank"&gt;high speed Internet&lt;/a&gt;. This includes going wireless, which allows business travelers to use wireless BlackBerries to check their emails, vacationers to upload snapshots on their wireless laptops to show friends at home, consumers to make online payments from the comfort of their bed, and much more.&lt;p&gt;A wireless network can link up computers in different parts of your home without the need for a cord or other physical medium. To find out what you need to go wireless, read our article &lt;a href="http://www.spamlaws.com/wc-networking.html"&gt;What is Wireless Network?&lt;/a&gt;&lt;/p&gt; &lt;p&gt;Although accessing the Internet wirelessly is convenient, it also has the downside of being susceptible to hackers, particularly if you don't take steps to secure your wireless network. So, learn some easy and quick steps to &lt;a href="http://www.spamlaws.com/secure-wireless.html"&gt;secure your network&lt;/a&gt; and about &lt;a title="information systems security" href="http://www.isc2.org/"&gt;information systems security&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;With the convenience of wireless Internet, &lt;a title="satellite internet" href="http://www.high-speed-internet-access-guide.com/" target="_blank"&gt;satellite Internet&lt;/a&gt; or any Internet connection for your family comes the issue of &lt;a href="http://www.spamlaws.com/children.html"&gt;child security&lt;/a&gt;. 
Make sure you know what websites your children are accessing, to keep them safe from predators lurking in chat rooms and on social networking sites, and to prevent them from surfing sites with adult content.&lt;/p&gt;&lt;h1&gt;10 Tips for Wireless Home Network Security&lt;/h1&gt;&lt;p&gt;Many folks setting up wireless home networks rush through the job to get their Internet connectivity working as quickly as possible. That's totally understandable. It's also quite risky, as numerous security problems can result. Today's &lt;a href="http://compnetworking.about.com/cs/wireless80211/g/bldef_wifi.htm"&gt;Wi-Fi&lt;/a&gt; networking products don't always help the situation, as configuring their security features can be time-consuming and non-intuitive. The recommendations below summarize the steps you should take to improve the security of your home wireless network.&lt;/p&gt;&lt;h3&gt;1. &lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/adminpassword.htm"&gt;Change Default Administrator Passwords (and Usernames)&lt;/a&gt;&lt;/h3&gt;At the core of most Wi-Fi home networks is an access point or router. To set up these pieces of equipment, manufacturers provide Web pages that allow owners to enter their network address and account information. These Web tools are protected with a login screen (username and password) so that only the rightful owner can do this. However, for any given piece of equipment, the logins provided are simple and very well-known to hackers on the Internet. Change these settings immediately.&lt;div class="lsItm"&gt;&lt;h3&gt;2. &lt;a href="http://compnetworking.about.com/cs/winxpnetworking/ht/wpainwindowsxp.htm"&gt;Turn on (Compatible) WPA / WEP Encryption&lt;/a&gt;&lt;/h3&gt;All Wi-Fi equipment supports some form of &lt;i&gt;encryption&lt;/i&gt;. Encryption technology scrambles messages sent over wireless networks so that they cannot be easily read by humans. Several encryption technologies exist for Wi-Fi today. 
Naturally you will want to pick the strongest form of encryption that works with your wireless network. However, because of the way these technologies work, all Wi-Fi devices on your network must share identical encryption settings. Therefore you may need to find a "lowest common denominator" setting.&lt;div class="lsLks"&gt;&lt;a href="http://compnetworking.about.com/cs/winxpnetworking/ht/wpainwindowsxp.htm"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="lsItm"&gt;&lt;h3&gt;3. &lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/changessid.htm"&gt;Change the Default SSID&lt;/a&gt;&lt;/h3&gt;Access points and routers all use a network name called the &lt;a href="http://compnetworking.about.com/cs/wireless/g/bldef_ssid.htm"&gt;SSID&lt;/a&gt;. Manufacturers normally ship their products with the same SSID set. For example, the SSID for Linksys devices is normally "linksys." True, knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. Change the default SSID immediately when configuring wireless security on your network.&lt;div class="lsLks"&gt;&lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/changessid.htm"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="lsItm"&gt;&lt;h3&gt;4. &lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm"&gt;Enable MAC Address Filtering&lt;/a&gt;&lt;/h3&gt;Each piece of Wi-Fi gear possesses a unique identifier called the &lt;i&gt;physical address&lt;/i&gt; or &lt;i&gt;MAC address&lt;/i&gt;. Access points and routers keep track of the MAC addresses of all devices that connect to them. Many such products offer the owner an option to key in the MAC addresses of their home equipment, which restricts the network to only allow connections from those devices. 
Do this, but also know that the feature is not so powerful as it may seem. Hackers and their software programs can fake MAC addresses easily.&lt;div class="lsLks"&gt;&lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="lsItm"&gt;&lt;h3&gt;5. &lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/disablessidcast.htm"&gt;Disable SSID Broadcast&lt;/a&gt;&lt;/h3&gt;In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. In the home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.&lt;div class="lsLks"&gt;&lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/disablessidcast.htm"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="lsItm"&gt;&lt;h3&gt;6. &lt;a href="http://compnetworking.about.com/od/wirelesshotspots/qt/noautoconnect.htm"&gt;Do Not Auto-Connect to Open Wi-Fi Networks&lt;/a&gt;&lt;/h3&gt;Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks. Although not normally enabled, most computers have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.&lt;div class="lsLks"&gt;&lt;a href="http://compnetworking.about.com/od/wirelesshotspots/qt/noautoconnect.htm"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="lsItm"&gt;&lt;h3&gt;7. 
&lt;a href="http://compnetworking.about.com/od/workingwithipaddresses/qt/staticipaddress.htm"&gt;Assign Static IP Addresses to Devices&lt;/a&gt;&lt;/h3&gt;Most home networkers gravitate toward using &lt;i&gt;dynamic IP addresses&lt;/i&gt;. &lt;a href="http://compnetworking.about.com/cs/protocolsdhcp/g/bldef_dhcp.htm"&gt;DHCP&lt;/a&gt; technology is indeed easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead, then configure each connected device to match. Use a &lt;i&gt;private IP address range&lt;/i&gt; (like 10.0.0.x) to prevent computers from being directly reached from the Internet.&lt;div class="lsLks"&gt;&lt;a href="http://compnetworking.about.com/od/workingwithipaddresses/qt/staticipaddress.htm"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="lsItm"&gt;&lt;h3&gt;8. &lt;a href="http://compnetworking.about.com/od/firewalls/tp/homefirewalls.htm"&gt;Enable Firewalls On Each Computer and the Router&lt;/a&gt;&lt;/h3&gt;Modern network routers contain built-in firewall capability, but the option also exists to disable them. Ensure that your router's firewall is turned on. For extra protection, consider installing and running &lt;i&gt;personal firewall software&lt;/i&gt; on each computer connected to the router.&lt;div class="lsLks"&gt;&lt;a href="http://compnetworking.about.com/od/firewalls/tp/homefirewalls.htm"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="lsItm"&gt;&lt;h3&gt;9. &lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/locate_aprouter.htm"&gt;Position the Router or Access Point Safely&lt;/a&gt;&lt;/h3&gt;Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. 
Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.&lt;div class="lsLks"&gt;&lt;a href="http://compnetworking.about.com/cs/wirelessproducts/qt/locate_aprouter.htm"&gt;&lt;br /&gt;&lt;/a&gt;&lt;/div&gt;&lt;/div&gt;&lt;h3&gt;10. &lt;a href="http://compnetworking.about.com/od/homenetworking/f/poweroffnetwork.htm"&gt;Turn Off the Network During Extended Periods of Non-Use&lt;/a&gt;&lt;/h3&gt;The ultimate in wireless security measures, shutting down your network will most certainly prevent outside hackers from breaking in! While impractical to turn off and on the devices frequently, at least consider doing so during travel or extended periods offline. Computer disk drives have been known to suffer from power cycle wear-and-tear, but this is a secondary concern for broadband modems and routers.&lt;br /&gt;&lt;br /&gt;If you own a wireless router but are only using it for wired (Ethernet) connections, you can also sometimes &lt;a href="http://compnetworking.about.com/od/wirelessfaqs/f/router-wifi-off.htm"&gt;turn off Wi-Fi on a broadband router&lt;/a&gt; without powering down the entire network.</content><link rel='replies' type='application/atom+xml' 
href='http://networksecurity2008.blogspot.com/feeds/1732226900662256049/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1732226900662256049' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1732226900662256049'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1732226900662256049'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/06/security-in-wireless-network.html' title='SECURITY IN WIRELESS NETWORK'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1294592626187101600</id><published>2009-02-07T11:14:00.000-08:00</published><updated>2009-06-07T11:15:01.516-07:00</updated><title type='text'>FIRST VIRUS IN LINUX</title><content type='html'>&lt;h1&gt;&lt;strong&gt;The First Linux Virus&lt;/strong&gt;&lt;/h1&gt; &lt;p&gt;From the outside looking in, one would believe that viruses were an equal threat to all computer users. While this is true in a sense, some users are much more vulnerable than others. For years, Linux has been known as the more secure option for an operating system. 
Although the &lt;a title="windows" href="http://www.spamlaws.com/vista.html"&gt;Windows platform &lt;/a&gt;is designed with many useful features, Linux was designed with security in mind, making the system superior in the minds of its users.&lt;/p&gt;&lt;p&gt;Even though Linux isn't a prime target for malicious coders, it has been successfully exploited by a few computer infections. Staog was the first virus ever scripted for the Linux operating system. It was initially detected in the fall of 1996, with the exploited vulnerabilities being discovered shortly thereafter. Considering the system's strong design, experts in the software security industry were stunned.&lt;/p&gt; &lt;p&gt;Staog was able to exploit Linux despite the system's design, which calls for users and applications to log in before any questionable operations can occur. The virus functioned by exploiting vulnerabilities in the kernel, which enabled it to stay resident in the memory. From there, it infected executable binary files. Because it mainly relied on bugs, software upgrades made the system immune to the virus. This factor, along with its weak method of distributing itself, made Staog fairly easy to manage.&lt;/p&gt; &lt;p&gt;Staog was written by VLAD, a well-known group from the hacking community. This Australian-based group is also responsible for scripting Boza, the first virus written for Windows 95. The first Linux virus has not been listed in the wild since the initial outbreak. Despite that brief threat of Staog, viruses typically have limited ability to change or severely impact the system.&lt;/p&gt; &lt;h2&gt;&lt;strong&gt;The Truth about Linux Viruses&lt;/strong&gt;&lt;/h2&gt; &lt;p&gt;One of the biggest vulnerabilities of the Linux system is the users who have the misconception that it cannot be infected by &lt;a title="computer virus" href="http://www.spamlaws.com/virus-comtypes.html"&gt;computer viruses&lt;/a&gt;. 
Several people believe that any non-Windows system is secure and doesn't need the aid of additional software to ward off viruses. This is far from the truth and a major reason why more viruses are being written for the system.&lt;/p&gt; &lt;p&gt;Many security experts believe that the growth in Linux malware is the result of its evolution and popularity, particularly as a desktop system. Shane Coursen, a senior technical consultant for Kaspersky Lab, believes that more users are turning to Linux because of the interest in learning how to write malware for the system.&lt;/p&gt; &lt;p&gt;Most viruses written for Linux pose a potential, yet minimal, threat to the system. If a virus-infected binary file is run, the entire system could be infected. The distribution of the infection depends on which particular user, with what level of privileges, executed the binary. A binary run under the system's root account would have the ability to infect the entire system.&lt;/p&gt; &lt;p&gt;There are many solutions for protecting Linux other than anti-virus software. For instance, software repositories greatly reduce the chance of viruses and other malware. These repositories are thoroughly checked before distribution to ensure that they are malware free.&lt;/p&gt; &lt;p&gt;Just like with any system, the best protection against common threats is prevention. 
This includes carefully surfing the web and handling emails on your Linux computer.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1294592626187101600/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1294592626187101600' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1294592626187101600'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1294592626187101600'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/first-virus-in-linux.html' title='FIRST VIRUS IN LINUX'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-6498613218179388774</id><published>2009-02-07T11:10:00.000-08:00</published><updated>2009-06-07T11:12:25.929-07:00</updated><title type='text'>GOOD VIRUSES</title><content type='html'>&lt;h1 
style="text-align: right;"&gt;&lt;strong&gt;Good Computer Viruses&lt;/strong&gt;: The Future?&lt;/h1&gt;&lt;div&gt; &lt;/div&gt;&lt;p style="text-align: left;"&gt;Even with all the damage viruses have inflicted over the years, a handful of experts believe that &lt;a title="computer virus" href="http://spamlaws.com/computer-virus.html"&gt;computer viruses&lt;/a&gt; could actually be used for good one day. How is this possible? Similar to the ethical worm, these viruses would mainly be used to distribute network patches to repair vulnerabilities. Here is a bit more on the theory.&lt;/p&gt;&lt;div style="text-align: left;"&gt; &lt;/div&gt;&lt;h2 style="text-align: left;"&gt;The Function of a "Good" Computer Virus&lt;/h2&gt;&lt;p style="text-align: left;"&gt;First of all, the virus would have to exclude the primary function of a typical virus, which is running on a victimized machine without authorization. The propagation would be similar to the one used for malicious purposes, but would instead deliver a good payload, as opposed to one that is destructive. Because of this, experts believe that anyone found guilty of distributing a good virus should be charged with the same offense as someone distributing malicious code, though with reduced penalties, as the damage is liable to be not as severe.&lt;/p&gt;&lt;div style="text-align: left;"&gt; &lt;/div&gt;&lt;div style="text-align: left;"&gt; &lt;/div&gt;&lt;p style="text-align: left;"&gt;However, this supposed good virus would not only spread and execute itself without permission, but also consume bandwidth, disk space, memory and processor cycles. 
All of these factors could possibly result in the denial of those resources to system administrators, a condition more commonly termed a DoS (denial-of-service) attack.&lt;/p&gt;&lt;div style="text-align: left;"&gt; &lt;/div&gt;&lt;h2 style="text-align: left;"&gt;Good vs. Malicious Viruses&lt;br /&gt;&lt;/h2&gt;&lt;div style="text-align: left;"&gt; &lt;/div&gt;&lt;p style="text-align: left;"&gt;Another problem would be distinguishing the good virus from malicious programs. While identifying a known virus is fairly easy with the right technology, separating it from the unknown good code may be difficult. Since a good number of legitimate programs have been known to damage and mistakenly remove files, this ability alone isn't enough to truly identify malware.  Perhaps this good virus would be limited to removing programs, as it can combine its code with an individual program. However, this would certainly be an inconvenience for those developing self-extracting archive software. Assuming this as the major obstacle, how would a good virus distinguish another from a malicious program?  Both would behave similarly with the tendency to damage or destroy other files. One would only hope that creators of these viruses carefully script their codes to identify other good variants, a task that seems difficult or next to impossible when considering polymorphism.&lt;/p&gt;&lt;div style="text-align: left;"&gt; &lt;/div&gt;&lt;p style="text-align: left;"&gt;Good viruses would have to be written to near perfection for a number of reasons. If they happen to mistakenly delete software and operating system patches, they would essentially be just as much trouble as malicious viruses. There is also the strong possibility of unscrupulous characters mutating the good virus with evil strains. 
These new strains are likely to be identified as good viruses, even though they contain a destructive payload, one capable of destroying all other identifiable good viruses.&lt;/p&gt;&lt;div style="text-align: left;"&gt; &lt;/div&gt;&lt;p style="text-align: left;"&gt;With so much still in the air, we may find ourselves reflecting on the day when good viruses first invaded our systems, strengthening the malicious epidemic. If these viruses of the future aren't written properly, they could inevitably improve the breed of destructive programs just before being wiped out by variants of their own code. While this is certainly a hot topic, many security experts believe that &lt;a title="spreading virus" href="http://spamlaws.com/spread-virus.html"&gt;spreading good viruses&lt;/a&gt; could eventually end up causing more harm than good.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/6498613218179388774/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=6498613218179388774' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6498613218179388774'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6498613218179388774'/><link
rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/good-viruses.html' title='GOOD VIRUSES'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-2785922238296689248</id><published>2009-02-07T11:08:00.000-08:00</published><updated>2009-06-07T11:13:16.114-07:00</updated><title type='text'>TYPES OF VIRUS</title><content type='html'>&lt;h2&gt;Types of Viruses&lt;/h2&gt; &lt;p&gt;But what are the types of computer viruses and worms that your computer can come into contact with? The list of viruses is quite long and complex. So, we simplified the list by mentioning a few broad categories of viruses that can put your computer, and all the personal data on it, in danger. These computer viruses include:&lt;/p&gt; &lt;p&gt; &lt;/p&gt; &lt;h2&gt;Computer Viruses&lt;/h2&gt; &lt;p&gt;&lt;strong&gt;Boot Sector viruses: &lt;/strong&gt; A boot sector virus infects diskettes and hard drives. All disks and hard drives contain smaller sections called sectors. The first sector is called the boot sector. The boot sector carries the Master Boot Record (MBR). The MBR functions to read and load the operating system. So, if a virus infects the boot sector or MBR of a disk, such as a floppy disk, your hard drive can become infected if you re-boot your computer while the infected disk is in the drive. Once your hard drive is infected, all diskettes that you use in your computer will be infected. Boot sector viruses often spread to other computers by the use of shared infected disks and pirated software applications.
The best way to disinfect your computer of the boot sector virus is by using antivirus software.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Program viruses: &lt;/strong&gt; A program virus becomes active when the program file (usually with extensions .BIN, .COM, .EXE, .OVL, .DRV) carrying the virus is opened. Once active, the virus will make copies of itself and will infect other programs on the computer.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Multipartite viruses: &lt;/strong&gt; A multipartite virus is a hybrid of Boot Sector and Program viruses. It infects program files, and when the infected program is active it will affect the boot record. So the next time you start up your computer it'll infect your local drive and other programs on your computer.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Stealth viruses: &lt;/strong&gt; A stealth virus can disguise itself by using certain tactics to prevent being detected by antivirus software. These tactics include altering its file size, concealing itself in memory, and so on. This type of virus is nothing new; in fact, the first computer virus, dubbed Brain, was a stealth virus. A good antivirus should be able to detect a stealth virus lurking on your hard drive by checking the areas the virus infected and evidence in memory.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Polymorphic viruses: &lt;/strong&gt; A polymorphic virus acts like a chameleon, changing its virus signature (also known as binary pattern) every time it multiplies and infects a new file. By changing binary patterns, a polymorphic virus becomes hard to detect by an antivirus program.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Macro Viruses: &lt;/strong&gt; A macro virus is programmed as a macro embedded in a document. Many applications, such as Microsoft Word and Excel, support macro languages. Once a macro virus gets on to your computer, every document you produce will become infected.
This type of virus is relatively new and may slip by your antivirus software if you don't have the most recent version installed on your computer.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Active X and Java Control: &lt;/strong&gt; Some users do not know how to manage and control their web browser to allow or prohibit certain functions to work, such as enabling or disabling sound, pop ups, and so on. This leaves your computer in danger of being targeted by unwanted software or adware floating in cyberspace.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/2785922238296689248/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=2785922238296689248' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2785922238296689248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2785922238296689248'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/06/types-of-virus.html' title='TYPES OF VIRUS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32'
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-2324444873424395982</id><published>2009-02-07T09:51:00.000-08:00</published><updated>2009-03-07T09:53:01.742-08:00</updated><title type='text'>COMMON THREATS</title><content type='html'>&lt;p style="font-family: arial;" align="justify"&gt;&lt;u&gt;&lt;b&gt;Common Threats:&lt;/b&gt;&lt;/u&gt;&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Viruses&lt;/b&gt;: A virus is a software program which attaches  itself to another piece of software.  The virus inserts its code into a  file which when executed, runs the virus.  A boot virus is a program which  runs when the computer starts.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Spyware&lt;/b&gt;: Spyware is software which works in the  background to gather a user's information and behavior.  This information  is then transmitted to another party.  Spyware works in the background  without a user's knowledge.  Some of the information can include the  operating system of the computer, the type of browser, the computer IP address  and where a user browses to.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Trojan&lt;/b&gt;: A Trojan is a software program which runs in a  computer as a secret agent of the attacker.  Trojans do not replicate  themselves like worms or viruses.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Worm&lt;/b&gt;: A worm is a program which replaces files.   They can be as destructive as viruses, and like a virus can replicate itself.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Browser Hijacking&lt;/b&gt;: A browser hijacking occurs when a  browser gets set to a website which is not the user's choosing.  
Sometimes information gets rerouted to another site without the user's knowledge and makes the Internet connection run slower. Hijacks can change a user's homepage.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Spoofing&lt;/b&gt;: Spoofing is when an identity gets forged. The attackers forge their IP address with that of the person they want to attack, overloading the victim's Internet connection.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Phishing&lt;/b&gt;: Phishing happens when a person sends out email masquerading as a trusted company or person. Typically the email states the user's account information needs to be updated and provides a link to do so. The link redirects the person to a webpage which looks legitimate, but is not, and actually captures confidential information such as credit card numbers, bank accounts and social security numbers.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Adware&lt;/b&gt;: Adware is software which directs specific ads to your computer. This typically happens after you consent to loading some free software program or browser helper. Some Adware also tracks your Internet browsing and reports this information back to a central server.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Popup&lt;/b&gt;: A popup happens when a new browser window opens up on its own. Sometimes so many popup windows can open that it renders the computer useless.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Hoax&lt;/b&gt;: A hoax is an email stating something untrue. Common hoaxes include virus hoaxes which have the user delete an important file located on their computer.&lt;/p&gt;  &lt;p style="font-family: arial;" align="justify"&gt;&lt;b&gt;Spam&lt;/b&gt;: Junk email which is usually unsolicited, typically sent to hundreds or thousands of people.
It usually attempts to sell items such as drugs or contains pornographic material.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/2324444873424395982/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=2324444873424395982' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2324444873424395982'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2324444873424395982'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/common-threats.html' title='COMMON THREATS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-7350756187777034244</id><published>2009-02-07T08:11:00.000-08:00</published><updated>2009-03-07T08:30:49.651-08:00</updated><title type='text'>REGSVR VIRUS</title><content type='html'>&lt;h1  style="text-align:
left;font-family:arial;"&gt;&lt;span style="font-weight: normal;color:black;" &gt;&lt;a href="http://amiworks.co.in/talk/how-to-remove-new-folderexe-or-regsvrexr-or-autoruninf-virus/"&gt;&lt;span style="text-decoration: none;color:black;" &gt;How to remove new folder exe or regsvr exe or autorun inf virus&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;/h1&gt;&lt;div style="text-align: left;"&gt;  &lt;/div&gt;&lt;p style="font-family: arial; text-align: left;" class="MsoNormal"&gt;This virus is popularly known as the regsvr.exe virus or the new folder.exe virus, and most people identify it by seeing an autorun.inf file on their pen drives, but Trend Micro identified it as &lt;a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDELF%2EFKZ&amp;amp;VSect=Sn" title="worm_delf"&gt;WORM_DELF.FKZ&lt;/a&gt;. It spreads mostly using pen drives as the medium.&lt;/p&gt;&lt;div style="text-align: left;"&gt;  &lt;/div&gt;&lt;ol style="font-family: arial; text-align: left;" start="1" type="1"&gt;&lt;li class="MsoNormal"&gt;&lt;strong&gt;Cut The Supply Line&lt;/strong&gt;&lt;/li&gt;&lt;ol start="1" type="a"&gt;&lt;li class="MsoNormal"&gt;Search for the &lt;em&gt;autorun.inf file&lt;/em&gt;.
It is a read-only file, so you will have to change it to normal by right clicking the file, selecting properties and &lt;em&gt;un-checking the read only option&lt;/em&gt;.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Open the file in notepad, delete everything and save the file.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Now change the file &lt;em&gt;status back to read only&lt;/em&gt; mode so that the virus cannot get access again.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Click &lt;em&gt;start-&gt;run and type msconfig&lt;/em&gt; and click OK.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Go to the startup tab, look for &lt;em&gt;regsvr and uncheck the option&lt;/em&gt;, then click OK.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Click on &lt;em&gt;Exit without Restart&lt;/em&gt;, because there are still a few things we need to do before we can restart the PC.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Now go to &lt;em&gt;control panel -&gt; scheduled tasks&lt;/em&gt;, and &lt;em&gt;delete the At1 task&lt;/em&gt; listed there.&lt;/li&gt;&lt;/ol&gt;&lt;li class="MsoNormal"&gt;&lt;strong&gt;Open The Gates Of Castle&lt;/strong&gt;&lt;/li&gt;&lt;ol start="1" type="a"&gt;&lt;li class="MsoNormal"&gt;Click on &lt;em&gt;start -&gt; run and type gpedit.msc&lt;/em&gt; and click OK.&lt;/li&gt;&lt;li class="MsoNormal"&gt;If you are a Windows XP Home Edition user you might not have gpedit.msc; in that case download and install it from &lt;a href="http://bogdan.org.ua/2007/11/15/windows-xp-he-home-edition-gpedit-msc-group-policy-editing-via-registry.html" title="Windows XP Home Edition: gpedit.msc"&gt;Windows XP Home Edition: gpedit.msc&lt;/a&gt; and then follow these steps.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Go to &lt;em&gt;users configuration-&gt;Administrative templates-&gt;system&lt;/em&gt;&lt;/li&gt;&lt;li class="MsoNormal"&gt;Find
“&lt;em&gt;prevent access to registry editing tools&lt;/em&gt;” and change the option to &lt;em&gt;disable&lt;/em&gt;.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Once you do this you have registry access back.&lt;/li&gt;&lt;/ol&gt;&lt;li class="MsoNormal"&gt;&lt;strong&gt;Launch The Attack At Heart Of Castle&lt;/strong&gt;&lt;/li&gt;&lt;ol start="1" type="a"&gt;&lt;li class="MsoNormal"&gt;Click on &lt;em&gt;start-&gt;run and type regedit&lt;/em&gt; and click OK.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Go to &lt;em&gt;edit-&gt;find and start the search for regsvr.exe&lt;/em&gt;.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Delete all the occurrences of regsvr.exe; remember to &lt;em&gt;take a backup before deleting&lt;/em&gt;. KEEP IN MIND &lt;strong&gt;regsvr32.exe is not to be deleted. &lt;/strong&gt;&lt;em&gt;Delete regsvr.exe occurrences only&lt;/em&gt;.&lt;/li&gt;&lt;li class="MsoNormal"&gt;In one or two places you will find it after explorer.exe; in these cases delete only the regsvr.exe part and not the whole entry. E.g.
&lt;strong&gt;Shell = “Explorer.exe regsvr.exe”&lt;/strong&gt;: here, just delete the regsvr.exe and leave the explorer.exe.&lt;/li&gt;&lt;/ol&gt;&lt;li class="MsoNormal"&gt;&lt;strong&gt;Seek And Destroy the enemy soldiers&lt;/strong&gt;, no one should be left behind&lt;/li&gt;&lt;ol start="1" type="a"&gt;&lt;li class="MsoNormal"&gt;Click on &lt;em&gt;start-&gt;search-&gt;for files and folders&lt;/em&gt;.&lt;/li&gt;&lt;li class="MsoNormal"&gt;There, &lt;em&gt;click all files and folders&lt;/em&gt;.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Type “&lt;em&gt;*.exe&lt;/em&gt;” as the filename to search for.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Click on the ‘&lt;em&gt;when was it modified&lt;/em&gt;’ option and &lt;em&gt;select the specify date&lt;/em&gt; option.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Type the &lt;em&gt;from date&lt;/em&gt; as 1/31/2008 and also type the &lt;em&gt;To date&lt;/em&gt; as 1/31/2008.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Now hit search and wait for all the exe’s to show up.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Once the search is over, &lt;em&gt;select all the exe files and shift+delete&lt;/em&gt; the files; &lt;strong&gt;caution&lt;/strong&gt; must be taken so that you don’t delete any legitimate exe files that you installed on 31&lt;sup&gt;st&lt;/sup&gt; January.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Also, selecting a lot of files together might make your computer unresponsive, so delete them in small bunches.&lt;/li&gt;&lt;li class="MsoNormal"&gt;Also find and delete regsvr.exe and svchost .exe (notice the extra space between svchost and .exe).&lt;/li&gt;&lt;/ol&gt;&lt;li class="MsoNormal"&gt;&lt;strong&gt;Time For Celebrations&lt;/strong&gt;&lt;/li&gt;&lt;/ol&gt;&lt;div style="text-align: left;"&gt;  &lt;/div&gt;&lt;p class="MsoNormal"  style="margin-left: 1in; text-indent: -0.25in; text-align: left;font-family:arial;"&gt;1. Now do a cold reboot (i.e. press the reboot button instead) and you are done.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/7350756187777034244/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=7350756187777034244' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/7350756187777034244'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/7350756187777034244'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/03/regsvr-virus.html' title='REGSVR VIRUS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-3378082411434197134</id><published>2009-02-07T03:14:00.000-08:00</published><updated>2009-08-07T03:16:15.294-07:00</updated><title type='text'>XPLORER.EXE</title><content type='html'>&lt;b&gt;XPLORER.EXE&lt;br /&gt;xplorer.exe&lt;/b&gt; Xplorer.exe is W32.Romariory@mm.&lt;br /&gt;W32.Romariory@mm is a mass-mailing worm that spreads through removable devices
and network shares. It masquerades as the Super Mario Brothers game.&lt;br /&gt;Related files:&lt;br /&gt;%Windir%\winlogon.exe&lt;br /&gt;%System%\msvbvm60.dll.exe&lt;br /&gt;C:\explorer.exe&lt;br /&gt;%UserProfile%\Application Data\Emma.exe&lt;br /&gt;%UserProfile%\Application Data\Alisa.exe&lt;br /&gt;%UserProfile%\My Documents\Mario Bross.exe&lt;br /&gt;%UserProfile%\My Documents\Solitaire Card.exe&lt;br /&gt;%UserProfile%\My Documents\Minesweeper.exe&lt;br /&gt;%System%\PANGKALP1NANG.EXE&lt;br /&gt;%System%\SMUNSA_PKP_GAME.EXE&lt;br /&gt;C:\Documents and Settings\All Users\Documents\Bola Pantul.exe&lt;br /&gt;C:\Documents and Settings\All Users\Documents\MyHearts.exe&lt;br /&gt;C:\Documents and Settings\All Users\Documents\FreeCard.exe&lt;br /&gt;%SystemDrive%\Game\Minesweeper.exe&lt;br /&gt;%SystemDrive%\Game\My Heart.exe&lt;br /&gt;%SystemDrive%\Game\Bola.exe&lt;br /&gt;%SystemDrive%\Game\Kartu.exe&lt;br /&gt;%SystemDrive%\Game\Legend.exe&lt;br /&gt;%SystemDrive%\Game\Smart.exe&lt;br /&gt;%SystemDrive%\Game\Crazy Mouse.exe&lt;br /&gt;%SystemDrive%\Game\Text Animation.exe&lt;br /&gt;%SystemDrive%\Game\Pink Panther.exe&lt;br /&gt;%SystemDrive%\Game\Start Hide.exe&lt;br /&gt;%SystemDrive%\Game\XP Button.exe&lt;br /&gt;%SystemDrive%\Game\Goncang.exe&lt;br /&gt;%SystemDrive%\Game\Kelap Kelip.exe&lt;br /&gt;%SystemDrive%\Game\Layar Jatuh.exe&lt;br /&gt;%SystemDrive%\Game\Dark Screen.exe&lt;br /&gt;%SystemDrive%\Mario.exe&lt;br /&gt;%UserProfile%\Application Data\Emira.ini&lt;br /&gt;%UserProfile%\Application Data\Aliciana.htt&lt;br /&gt;%Windir%\Tasks\At1.job (a scheduled task to run the worm everyday at a specified time)&lt;br /&gt;%Temp%\inf[RANDOM].tmp (a clean copy of the Super Mario Brothers game)&lt;br /&gt;C:\Program Files\mario.exe (clean copy of the Super Mario Brothers game)&lt;br /&gt;%SystemDrive%\xplorer.exe&lt;br /&gt;%SystemDrive%\desktop.ini&lt;br /&gt;%SystemDrive%\Alicia.htt&lt;br /&gt;Read more: &lt;a 
href="http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-080101-4437-99&amp;amp;tabid=2" target="_blank"&gt;http://www.symantec.com/enterprise/secur...&lt;/a&gt;&lt;br /&gt;Kill the process xplorer.exe and remove xplorer.exe from Windows startup using RegRun Reanimator.&lt;br /&gt;&lt;a href="http://www.regrun.com/" target="_blank"&gt;http://www.regrun.com&lt;/a&gt; &lt;p&gt; Removal: xplorer.exe is removed by RegRun. &lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/3378082411434197134/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=3378082411434197134' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3378082411434197134'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/3378082411434197134'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/xplorerexe.html' title='XPLORER.EXE'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32'
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-384094103930264010</id><published>2009-02-07T00:53:00.000-08:00</published><updated>2009-04-07T00:58:19.485-07:00</updated><title type='text'>PREVENTING WORM INFECTIONS</title><content type='html'>&lt;h2&gt;Preventing Worm Infections&lt;br /&gt;&lt;/h2&gt; &lt;p&gt;In order to prevent the infection of worms, viruses and other malicious programs, we strongly suggest following the tips below:&lt;/p&gt; &lt;p&gt;- Avoid opening emails originating from unknown senders. Beware of emails containing holiday themes, relating to money or any of your accounts.&lt;/p&gt; &lt;p&gt;- Never click on links in an email message, even if they appear to come from a reliable source. Your best bet would be to copy and paste them into your address bar.&lt;/p&gt; &lt;p&gt;- Never open email attachments from unknown senders.&lt;/p&gt; &lt;p&gt;- Be careful of the sites you visit online, as many of them are designed to deliver malware.&lt;/p&gt; &lt;p&gt;- Install a firewall application to prevent intruders from loading malicious content on your computer.&lt;/p&gt; &lt;p&gt;- Defend your computer with &lt;a title="malware software" href="http://www.spamlaws.com/anti-virus-software-reviews.html"&gt;security software&lt;/a&gt; with the ability to detect known and evolving strains of malware.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/384094103930264010/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=384094103930264010' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/384094103930264010'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/384094103930264010'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/04/preventing-worm-infections.html' title='PREVENTING WORM INFECTIONS'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-4255580020111450361</id><published>2009-02-07T00:50:00.000-08:00</published><updated>2009-04-07T00:59:50.016-07:00</updated><title type='text'>VALENTIN E WORM</title><content type='html'>&lt;h2&gt;Valentin E Worm&lt;br /&gt;&lt;/h2&gt; &lt;p&gt;Similar to the Nuwar Worm, Valentin E is distributed via email. It contains subjects like "True Love," "Searching for True Love," and "Love Of My Life." The worm also includes an attached file titled "FRIENDS4U." When the targeted user opens the attachment, a copy of the worm is downloaded onto their computer. Its malicious code is installed onto the machine as a file with an SCR extension. 
If the user runs the file, Valentin E. displays a new desktop background to distract them, all while it propagates itself on the host machine. It then distributes email messages with copies of itself attached to further spread the infection to other computers.&lt;/p&gt; &lt;p&gt;Both Nuwar and Valentin E are basically employing the same techniques used in many forms of malware, particularly worms and viruses. They send emails with attractive subjects, colorful Valentine's Day e-Cards, romantic desktop themes and more. This is all done to bait the user into running the attachment and unknowingly launching malware onto their systems.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/4255580020111450361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=4255580020111450361' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4255580020111450361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4255580020111450361'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/04/valentin-e-worm.html' title='VALENTIN E WORM'/><author><name>SHEIK 
FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1026840400536319962</id><published>2009-02-07T00:48:00.000-08:00</published><updated>2009-04-07T01:00:32.833-07:00</updated><title type='text'>NUWAR OL WORM</title><content type='html'>&lt;h2&gt;Nuwar OL Worm&lt;/h2&gt;&lt;br /&gt;Nuwar OL is delivered to a user's inbox with subjects like "You Are In My Dreams," "I Love You So Much," "Inside My Heart Is You," etc. The message contains a website link, which downloads the malicious code when accessed. To disguise its activity, the worm redirects you to a simple web page with the theme of a romantic greeting card. Once the computer is infected, the infection spreads by sending messages to names in the user's contact folder. The most severe impact of Nuwar OL is slowing down the performance of a single computer or a network. 
Once detected, it is generally easy to remove.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1026840400536319962/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1026840400536319962' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1026840400536319962'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1026840400536319962'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/04/nuwar-ol-worm.html' title='NUWAR OL WORM'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-5352723963371396647</id><published>2009-02-07T00:33:00.000-08:00</published><updated>2009-04-07T00:55:44.762-07:00</updated><title type='text'>AUTORUN.INF</title><content type='html'>&lt;table width="95%" align="center" border="0" cellpadding="0" cellspacing="0"&gt;   
            &lt;tbody&gt;&lt;tr&gt;                 &lt;td&gt; &lt;!-- #BeginEditable "title" --&gt;                   &lt;h1&gt; Autorun.inf, What is it?                     &lt;hr size="1" noshade="noshade"&gt;                   &lt;/h1&gt;                   &lt;!-- #EndEditable --&gt; &lt;/td&gt;               &lt;/tr&gt;               &lt;tr&gt;                 &lt;td&gt;&lt;!-- #BeginEditable "body" --&gt;                   &lt;p&gt;Autorun.inf is the primary instruction file associated with                     the Autorun function. Autorun.inf itself is a simple text-based                     configuration file that tells the operating system which executable                     to start, which icon to use, and which additional menu commands                     to make available. In other words, autorun.inf tells Windows                     how to open the presentation and treat the contents of                     the CD. &lt;/p&gt;                   &lt;p&gt;The entire sequence is initiated when the "disk change notification"                     polling discovers a new disk in the CD or DVD ROM drive. Then,                     if the "Auto insert notification" feature is enabled (it is                     by default), Windows checks in the new disk's root directory                     for the existence of an "autorun.inf" file. If found, Windows                     then reads and follows the specific instructions this file                     defines. If no autorun.inf file is found, then Windows refers                     to the new disk by its serial number and executes the default                     actions associated with the (data or audio) content on the                     disk.                   
&lt;/p&gt;&lt;p&gt;&lt;b class="bigBlue"&gt;The Autorun.inf file defines the following:&lt;/b&gt;                   &lt;/p&gt;                   &lt;table width="90%" align="center" border="0" cellpadding="5" cellspacing="0"&gt;                     &lt;tbody&gt;&lt;tr&gt;                       &lt;td valign="top" align="center"&gt;&lt;img src="http://autorun.moonvalley.com/images/bullet.gif" alt="Autorun.inf Defines the following:" width="8" height="13" /&gt;&lt;/td&gt;                       &lt;td&gt;The process or application that will automatically run                         when a disk is inserted&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td valign="top" align="center"&gt;&lt;img src="http://autorun.moonvalley.com/images/bullet.gif" alt="Automatically run when CD is inserted" width="8" height="13" /&gt;&lt;/td&gt;                       &lt;td&gt;Optionally, one can define the process or application                         that will run for specific Operating environments.&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td valign="top" align="center"&gt;&lt;img src="http://autorun.moonvalley.com/images/bullet.gif" alt="Icon Representing CD or DVD" width="8" height="13" /&gt;&lt;/td&gt;                       &lt;td&gt;The icon that will represent your application's CD or                         DVD when the drive is viewed with My Computer or Explorer.                       
&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td valign="top" align="center"&gt;&lt;img src="http://autorun.moonvalley.com/images/bullet.gif" alt="Menu Commands when CD-ROM is clicked" width="8" height="13" /&gt;&lt;/td&gt;                       &lt;td&gt;Menu commands displayed when the user right-clicks the                         CD-ROM icon from My Computer or Explorer.&lt;/td&gt;                     &lt;/tr&gt;                   &lt;/tbody&gt;&lt;/table&gt;                                              &lt;table width="95%" align="center" border="0" cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;                 &lt;td&gt; &lt;!-- #BeginEditable "title" --&gt;                   &lt;h1&gt;How to Test Autorun.inf Without Burning to a CD                     &lt;hr size="1" noshade="noshade"&gt;                   &lt;/h1&gt;                   &lt;!-- #EndEditable --&gt; &lt;/td&gt;               &lt;/tr&gt;               &lt;tr&gt;                 &lt;td&gt;&lt;!-- #BeginEditable "body" --&gt;                   &lt;p&gt;It is possible to test an Autorun.inf file without burning                     all the necessary files onto CD-ROM, as long as the computer                     has autorun enabled on at least one of its removable devices.                     More information on such procedures to enable autorun can                     be found &lt;a href="http://autorun.moonvalley.com/enable.htm"&gt;here&lt;/a&gt;.&lt;/p&gt;                   &lt;p&gt;By utilizing the following methods, constant refining of                     the Autorun.inf file is possible without the need to burn                     multiple CDs.&lt;/p&gt;                   &lt;p&gt;                   &lt;/p&gt;&lt;h2&gt;&lt;b&gt;Using removable media (Floppy/Zip/etc...)&lt;/b&gt;&lt;/h2&gt;                   &lt;p&gt;1. 
&lt;a href="http://autorun.moonvalley.com/enable.htm#autoFloppy"&gt;Enable&lt;/a&gt; autorun on                     the desired removable media drive.&lt;/p&gt;                   &lt;p&gt;2. Copy the autorun.inf and all dependent files onto the                     removable media.&lt;/p&gt;                   &lt;p&gt;3. Remove and reinsert the media.&lt;/p&gt;                   &lt;p&gt;                   &lt;/p&gt;&lt;h2&gt;&lt;b&gt;Using a Virtual Drive&lt;/b&gt;&lt;/h2&gt;                    &lt;p&gt;1. Download and install a virtual CD/DVD-ROM emulator, such                     as the tool available from &lt;a href="http://www.daemon-tools.cc/portal/download.php"&gt;Daemon-Tools&lt;/a&gt;.                   &lt;/p&gt;                   &lt;p&gt;2. Using CD-Burning software, such as that provided by &lt;a href="http://www.nero.com/"&gt;Nero&lt;/a&gt;                     or &lt;a href="http://www.roxio.com/en/products/ecdc/index.jhtml"&gt;Roxio&lt;/a&gt;,                     create a CD project with the Autorun.inf file inserted into                     the root directory of the CD.&lt;/p&gt;                   &lt;p&gt;3. Save the project to a CD project file, usually with a                     .bin or .iso or .cdi extension, with the CD-Burning software.&lt;/p&gt;                   &lt;p&gt;4. Using the CD/DVD-ROM emulator, load the project file into                     the virtual drive. 
This has the same effect as physically                     inserting the CD with the Autorun.inf into the CD/DVD-ROM.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;             &lt;br /&gt;                &lt;table width="100%" border="0" cellpadding="3" cellspacing="0"&gt;                     &lt;tbody&gt;&lt;tr&gt;                       &lt;td colspan="2" bgcolor="#e1e3ea"&gt;&lt;b&gt;A simple Autorun.inf                         example:&lt;/b&gt;&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr align="center"&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;[autorun]                       &lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;open=autorun.exe&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;icon=autorun.ico&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td colspan="2" bgcolor="#e1e3ea"&gt;&lt;b&gt;A complex Autorun.inf                         example:&lt;/b&gt;&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td colspan="2" align="left" bgcolor="#ffffff"&gt;&lt;i&gt;This example                         is used in the following 
section for complete definition                         and descriptions. &lt;/i&gt;&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt; [autorun]                       &lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt; open=filename.exe                         /argument1&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;icon=\foldername\filename.dll,5&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;[autorun.mips]&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;open=filenam2.exe&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;icon=filename.ico&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt; 
[autorun.alpha]&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;open=filenam3.exe&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;icon=filename.ico&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt; [autorun.ppc]&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;open=filenam4.exe&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;icon=filename.ico&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;shell\install                         = &amp;amp;Install&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;shell\install\command                         = setup.exe&lt;/td&gt;                     &lt;/tr&gt;    
                 &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;shell\uninstall                         = &amp;amp;UnInstall&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;shell\uninstall\command                         = Uninstall.exe&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;shell\readme                         = &amp;amp;Read Me&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;shell\readme\command                         = notepad readme.txt&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;shell\help                         = &amp;amp;Help&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr&gt;                       &lt;td width="11%" align="left" bgcolor="#ffffff"&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td width="89%" align="left" bgcolor="#ffffff"&gt;shell\help\command                         = helpfilename.hlp&lt;/td&gt;                     &lt;/tr&gt;                   &lt;/tbody&gt;&lt;/table&gt;                   &lt;hr size="1" noshade="noshade"&gt;                   &lt;b&gt;This section describes 
the configuration of the Autorun.inf                   file and each of the potential items.&lt;/b&gt;&lt;br /&gt;             &lt;br /&gt;                &lt;table width="100%" border="0" cellpadding="3" cellspacing="0"&gt;                     &lt;tbody&gt;&lt;tr valign="top" align="left" bgcolor="#e1e3ea"&gt;                       &lt;td width="40%"&gt;&lt;b&gt;Example Autorun File:&lt;/b&gt;&lt;/td&gt;                       &lt;td width="60%"&gt;&lt;b&gt;Description:&lt;/b&gt;&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="40%"&gt;[autorun]&lt;/td&gt;                       &lt;td width="60%" bgcolor="#f9f9fb"&gt;&lt;b&gt;[autorun]&lt;/b&gt; is the                         primary, required section name.&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td rowspan="3" width="40%"&gt;open=filename.exe /argument1&lt;/td&gt;                       &lt;td bgcolor="#ffffff"&gt;                         &lt;p&gt;&lt;b&gt;Open&lt;/b&gt; is the keyword to determine what action                           to take upon insert notification.&lt;/p&gt;                       &lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td bgcolor="#ffffff"&gt;&lt;b&gt;filename.exe&lt;/b&gt; is the value defining                         the application that will be automatically started.&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td bgcolor="#ffffff"&gt;&lt;b&gt;/argument1&lt;/b&gt; is the argument,                         parameter or switch passed to the application being run.                         
Logically, any command line parameters used must be supported                         by the application.&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td rowspan="3" width="40%"&gt;icon=\foldername\filename.dll,5&lt;/td&gt;                       &lt;td bgcolor="#f9f9fb"&gt;                         &lt;p&gt;&lt;b&gt;Icon&lt;/b&gt; is the keyword to determine the icon used                           for the disk.&lt;/p&gt;                       &lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td bgcolor="#f9f9fb"&gt;&lt;b&gt;filename.dll&lt;/b&gt; is the value defining                         the file containing the icon.&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td bgcolor="#f9f9fb"&gt;&lt;b&gt;,5 &lt;/b&gt;is the argument to the icon                         resource defining which icon to display.&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td colspan="2" bgcolor="#ffffff"&gt;                         &lt;p&gt;&lt;b&gt;Note: &lt;/b&gt;By default, the system looks for the file                           in the root directory of the inserted disk. If you want                           to access a file located in a specific folder or subdirectory,                           specify a path relative to the root. &lt;/p&gt;                         &lt;p&gt;Example: open = foldername\filename.exe This will not                           change the current directory.&lt;/p&gt;                         &lt;p&gt;Although AutoPlay is the default menu item, you can                           define a different command to be the default by including                           the following line. 
shell = verb&lt;/p&gt;                         &lt;p&gt;When the user double-clicks on the icon, the command                           associated with this entry will be carried out. &lt;/p&gt;                         &lt;p&gt;&lt;b&gt;Note:&lt;/b&gt; A more common method of defining the icon                           resource is an explicit reference to a .ico file. Example:                           icon=autorun.ico&lt;/p&gt;                         &lt;p&gt;&lt;b&gt;Note:&lt;/b&gt; The icon defined representing your application's                           CD or DVD is the drive icon as viewed with My Computer                           or Explorer. Valid file types containing icons include                           .ICO, .BMP, .EXE and .DLL. If the file includes more than one                           icon, by default, the second icon in the file's icon                           resource will be displayed. &lt;/p&gt;                       &lt;/td&gt;                     &lt;/tr&gt;                   &lt;/tbody&gt;&lt;/table&gt;                   &lt;p align="center"&gt; &lt;/p&gt;                   &lt;table width="100%" border="0" cellpadding="4" cellspacing="1"&gt;                     &lt;tbody&gt;&lt;tr valign="top" align="left" bgcolor="#e1e3ea"&gt;                       &lt;td width="225"&gt;&lt;b&gt;Example Autorun File:&lt;/b&gt;&lt;/td&gt;                       &lt;td colspan="2" width="317"&gt;&lt;b&gt;Description:&lt;/b&gt;&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;[autorun.mips]&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;Defining the                         autorun items for a MIPS machine&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;open=filenam2.exe&lt;/td&gt;                       
&lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;The platform                         specific application to run&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;icon=filename2.ico&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;The platform                         specific autorun icon&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#f5f7fa" height="21"&gt;[autorun.alpha]&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#ebedf3" height="21"&gt;Defining                         the autorun items for a DEC Alpha machine&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#f5f7fa"&gt;open=filenam3.exe&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#ebedf3"&gt;The platform                         specific application to run&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#f5f7fa"&gt;icon=filename3.ico&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#ebedf3"&gt;The platform                         specific autorun icon&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;[autorun.ppc]&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;Defining the                         autorun items for a Power PC&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;open=filenam4.exe&lt;/td&gt;                       
&lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;The platform                         specific application to run&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;icon=filename4.ico&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;The platform                         specific autorun icon&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#f5f7fa"&gt;shell\install = &amp;amp;Install&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#ebedf3"&gt;The Keyword                         defining a menu item and the Hot key for that item&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;shell\install\command                         = setup.exe&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;The keyword                         defining the operation to perform when the user selects                         this item&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#f5f7fa"&gt;shell\uninstall = &amp;amp;UnInstall                       &lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#ebedf3"&gt;Additional                         menu item example&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;shell\uninstall\command                         = Uninstall.exe &lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;Additional                         menu item example&lt;/td&gt;                     
&lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#f5f7fa"&gt;shell\readme = &amp;amp;Read                         Me &lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#ebedf3"&gt;Additional                         menu item example&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;shell\readme\command =                         notepad readme.txt&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;Additional                         menu item example&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#f5f7fa"&gt;shell\help = &amp;amp;Help&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#ebedf3"&gt;Additional                         menu item example&lt;/td&gt;                     &lt;/tr&gt;                     &lt;tr valign="top" align="left"&gt;                       &lt;td width="225" bgcolor="#ffffff"&gt;shell\help\command = helpfilename.hlp&lt;br /&gt;&lt;br /&gt;&lt;/td&gt;                       &lt;td colspan="2" width="317" bgcolor="#f5f7fa"&gt;Additional                         menu item example&lt;/td&gt;                     &lt;/tr&gt;                   &lt;/tbody&gt;&lt;/table&gt;                   &lt;!-- #EndEditable --&gt;&lt;/td&gt;               &lt;/tr&gt;             &lt;/tbody&gt;&lt;/table&gt;             &lt;p&gt; &lt;/p&gt;
</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/5352723963371396647/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=5352723963371396647' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5352723963371396647'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5352723963371396647'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/04/autoruninf.html' title='AUTORUN.INF'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-6105691089358317601</id><published>2009-02-03T23:09:00.000-08:00</published><updated>2009-05-03T23:12:18.585-07:00</updated><title type='text'>KEYLOGGER</title><content type='html'>Remote Keylogger - Is Your Computer Completely Safe?&lt;br /&gt; Attention! Your computer may not be as safe as you think it is at this moment. There are programs out there designed to keep track of what you do on your computer and access confidential information that you have entered on your computer. 
These programs are referred to as remote keyloggers, and they are usually sent through e-mail with an executable file attached.&lt;br /&gt;&lt;br /&gt;When the receiver of one of these executable attachments runs the .exe file, the keylogger is released into the computer just like that, and now you basically have no privacy on your computer. The sender of this keylogger can now monitor your activities and just about anything that you do on your computer.&lt;br /&gt;&lt;br /&gt;They can monitor anything from internet activity, documents you have viewed and online chats to any information that you enter in your computer and the applications that you run. Sometimes you are not able to detect when a keylogger enters your computer and voilà! Just like that you could be giving away any confidential information or documents that you may have.&lt;br /&gt;&lt;br /&gt;Once one of these suckers hits your computer you really can't keep anything confidential anymore. If you find that someone has been logging or viewing your private information then you should seek to have your computer swept and cleaned immediately. If your anti-virus/spyware software does not detect the material then you should have your computer cleaned and back up any important files that you may need in the future.&lt;br /&gt;&lt;br /&gt;There are people out there looking for a way to make a quick dollar, and they will sometimes do whatever it takes to make it. Even if it means hacking into your computer system and stealing any information that you may have. 
Whether it is a credit card number or a bank account.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/6105691089358317601/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=6105691089358317601' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6105691089358317601'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/6105691089358317601'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/keylogger.html' title='KEYLOGGER'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1567767212467673898</id><published>2009-02-03T22:45:00.000-08:00</published><updated>2009-05-03T22:48:24.593-07:00</updated><title type='text'>WINDOWS VISTA PROTECTION</title><content type='html'>&lt;span style="font-weight:bold;"&gt;Tips to Protect Windows Vista 
Operating System&lt;/span&gt;&lt;br /&gt; So far, Windows Vista can be considered the safest operating system, but not a perfect one. In its initial configuration, Vista still leaves open the possibility of the user's data leaking out to the Internet through Windows Firewall, or of bots changing settings without letting you know.&lt;br /&gt;&lt;br /&gt;Consult the WINDOWS SECURITY CENTER&lt;br /&gt;&lt;br /&gt;To get an overview of your security settings, go to Windows Security Center, where you can see the status of the firewall, automatic updating, malware protection and other security settings. Press "Start" - "Control Panel" - "Security Center", or simply click the shield-shaped icon on the taskbar.&lt;br /&gt;&lt;br /&gt;If there are any red or yellow entries, it means that you are not completely protected. If you have not installed antivirus software, for example, or the existing antivirus program has expired, the "Malware" entry in Security Center will be marked yellow. Windows does not include any antivirus software, so you have to install one yourself.&lt;br /&gt;&lt;br /&gt;Use WINDOWS DEFENDER as a diagnostic tool&lt;br /&gt;&lt;br /&gt;The Malware entry in Security Center is also supposed to report on anti-spyware capability, and Vista depends on Windows Defender to do this job. Although the anti-spyware capability of security or anti-virus utilities is usually better than that of Windows, there are some good reasons to keep Windows Defender. One of those is that each anti-spyware utility uses different definitions to identify spyware. Therefore, redundant protection sometimes brings a practical benefit.&lt;br /&gt;&lt;br /&gt;Another reason to keep Windows Defender on standby is its diagnostic capability. Click "Tools", select "Software Explorer". 
Here you will find a list of all programs by category: Currently Running Programs, Network Connected Programs and Winsock Service Providers, but Startup Programs seems to be the most useful. Click any name in the left pane and the full details are displayed on the right. By checking any listed program, you can uninstall, deactivate or reactivate it.&lt;br /&gt;&lt;br /&gt;Deactivate the Start Up&lt;br /&gt;&lt;br /&gt;Windows Vista keeps track of the documents and programs you open and lists them in the Start menu. This is convenient for some users, but on the other hand, it can be harmful to your privacy if the computer is shared in an office or family. Fortunately, Windows Vista provides a simple way to change this setting. The steps are as follows:&lt;br /&gt;&lt;br /&gt;Right-click the taskbar and select Properties, then select "Start Menu" tab&lt;br /&gt;Uncheck "Store and Display a list of recently opened files"&lt;br /&gt;Uncheck "Store and Display a list of recently opened programs"&lt;br /&gt;Press OK.&lt;br /&gt;&lt;br /&gt;2-way Firewall&lt;br /&gt;&lt;br /&gt;Almost every PC is currently equipped with firewall software. However, even when Security Center states that you are protected, you might not be protected at all.&lt;br /&gt;&lt;br /&gt;The Windows Firewall in Vista is able to block any inbound data which could endanger the system, and that is really a good thing. Nevertheless, filtering of outbound traffic is not activated by default, which can be dangerous if some new harmful software finds a way to break into your PC.&lt;br /&gt;&lt;br /&gt;Microsoft has equipped Windows Vista with tools to deploy a 2-way firewall, but finding these settings is a little complicated. To activate the 2-way firewall feature of Windows Vista, press "Start", select "Run", type "wf.msc", then press "Enter". Click the icon of "Windows Firewall with Advanced Security". 
This interface displays the rules for monitoring the system's inbound and outbound traffic. Select "Windows Firewall Properties". You will see a dialog box containing several tabs. For each of the profiles (Domain, Private and Public), change the setting to "Block", then press "OK".&lt;br /&gt;&lt;br /&gt;However, activating the 2-way firewall can prevent all applications from connecting to the Internet. Therefore, before leaving "Windows Firewall with Advanced Security", scroll down, select "Outbound Rules" and then "New Rule" at the top right of the screen. Select "Program" on the next screen. Then select the path for Internet Explorer, iTunes or any other application that needs to connect to the Internet. For each program, on the next screen, select "Allow the Connection", then name the rule you have created. You will have to set a new rule for every application that needs access to the Internet.&lt;br /&gt;&lt;br /&gt;Alternatively, you can use a third-party firewall utility such as Comodo Firewall Pro or ZoneAlarm, which are free and offer other features in addition to the firewall.&lt;br /&gt;&lt;br /&gt;Close the doors to unexpected guests&lt;br /&gt;&lt;br /&gt;If you share your computer with others (and even if you don't), Windows Vista provides a good way to prevent unexpected guests from guessing the password of your admin account. When you create a new user and assign someone to be admin (with full rights and authority), Windows Vista allows other users to guess the password you selected. 
The following steps keep strangers from getting in this way:&lt;br /&gt;&lt;br /&gt;Select "Start", type "Local Security Policy".&lt;br /&gt;Press "Account Lockout Policy"&lt;br /&gt;Select "Account Lockout Threshold"&lt;br /&gt;At the prompt, enter the maximum number of invalid log-on attempts allowed (e.g. 3).&lt;br /&gt;Press "OK" and close the window.&lt;br /&gt;&lt;br /&gt;Verify the attackers&lt;br /&gt;&lt;br /&gt;With a proper Account Lockout policy in place, you can also turn on auditing of attempts to attack your account. To start auditing invalid log-ons, the steps are as follows:&lt;br /&gt;&lt;br /&gt;Select "Start", type "secpol.msc", click the "secpol" icon.&lt;br /&gt;Press "Local Policies", then press "Audit Policy".&lt;br /&gt;Right-click the "Audit account logon events" policy option and select "Properties".&lt;br /&gt;Check the "Failure" box and press OK.&lt;br /&gt;Close the "Local Security Policy" window.&lt;br /&gt;Now you can use Event Viewer (by typing the command: eventvwr.msc) to view the log-on history recorded under Windows Logs, in Security.&lt;br /&gt;&lt;br /&gt;INTERNET EXPLORER settings security&lt;br /&gt;&lt;br /&gt;Windows Security Center also reports whether the security status of Internet Explorer 7 and Internet Explorer 8 is as required. If the status is marked red, you should promptly modify the IE settings:&lt;br /&gt;&lt;br /&gt;In the menu, select Tools, then select Internet Options&lt;br /&gt;Select Security tab&lt;br /&gt;Select Custom Level&lt;br /&gt;&lt;br /&gt;Now you will see a window containing all the options relating to IE's security. If any options are set lower than required (some malware can change them), they will be marked red. To modify a setting, click the corresponding one. To restore the original settings, press the "Reset" button at the bottom of the tab. 
If you want, you can change the general security level of the browser from Medium-High (the default) to High or Medium as required. Press "OK" to save these changes.&lt;br /&gt;&lt;br /&gt;Use OPEN DNS&lt;br /&gt;&lt;br /&gt;DNS (Domain Name System) servers play the role of a telephone directory. When you type a domain name (dantri.com.vn, for example) in the address bar, Internet Explorer sends a request for that domain name to the DNS servers of your ISP, and these servers translate the character sequence into a string of numbers, that is, an IP address. DNS servers have been attacked over the past few years, as hackers have tried every possible way to redirect ordinary DNS queries to servers which they can control. A solution to prevent this abuse is to use OpenDNS.&lt;br /&gt;&lt;br /&gt;Click "Start" - "Control Panel" - "Network and Internet"&lt;br /&gt;Select "Network and Sharing Center". Under the tasks listed on the left, select "Manage Network Connections". In the "Manage Network Connections" window, follow these steps:&lt;br /&gt;Right-click the icon of your network card&lt;br /&gt;Select Properties.&lt;br /&gt;Then select "Internet Protocol Version 4".&lt;br /&gt;Click "Properties" in the next displayed screen.&lt;br /&gt;Select "Use the following DNS server addresses".&lt;br /&gt;Input 208.67.222.222 into the primary address&lt;br /&gt;Input 208.67.220.220 into the secondary address&lt;br /&gt;Press OK&lt;br /&gt;&lt;br /&gt;Cohabit with USER ACCOUNT CONTROL&lt;br /&gt;&lt;br /&gt;There is one setting that some users actually want to see marked red: Vista's User Account Control (UAC), the controversial security function of the Vista operating system.&lt;br /&gt;&lt;br /&gt;Designed to prevent remote malware/spyware from automatically installing itself or modifying system settings, UAC also tends to block legitimate installations by stopping the ongoing process with unnecessary error messages. 
In Windows 7, you can set up UAC as you want. Until then, you have some other options.&lt;br /&gt;&lt;br /&gt;There is an option to disable UAC. However, you should think twice about this risky choice, because UAC can warn you of potential dangers. Instead, install TweakUAC - a free utility that allows you to turn UAC on or off and also provides an intermediate "quiet" mode (this mode keeps UAC on but suppresses administrator elevation prompts). With TweakUAC in "quiet" mode, UAC seems to be turned off for those who use administrator accounts, but those who use standard accounts will still receive the warning messages.&lt;br /&gt;&lt;br /&gt;Verify the results&lt;br /&gt;&lt;br /&gt;Having modified the security settings of Windows Vista, you can now monitor the safety of the system via the System Health Report. This diagnostic tool takes input data from the Performance and Reliability Monitor and turns it into a report with general information. To some extent, this report can provide you with information on potential security issues.&lt;br /&gt;&lt;br /&gt;Open Control Panel.&lt;br /&gt;Click System.&lt;br /&gt;In Tasks list, select Performance (near the bottom of the list).&lt;br /&gt;In resulting Tasks list, click Advanced tools (near the top of the list).&lt;br /&gt;Click the last item on the resulting Task list: Generate a system health report.&lt;br /&gt;This report lists any missing drivers which can cause errors, and tells you whether antivirus protection is installed and whether UAC is on or off. 
To keep your PC in the best condition, run this report monthly.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1567767212467673898/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1567767212467673898' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1567767212467673898'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1567767212467673898'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/05/windows-vista-protection.html' title='WINDOWS VISTA PROTECTION'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1804853433994153945</id><published>2009-02-02T23:10:00.000-08:00</published><updated>2009-08-07T03:16:49.940-07:00</updated><title type='text'>SVRCHOST.EXE</title><content type='html'>Summary :    
Trojan.SVRCHost/SystemSavior.Process&lt;br /&gt;  &lt;br /&gt;Description :  Trojan.SVRCHost/SystemSavior.Process&lt;br /&gt;&lt;br /&gt;Trojans are programs that can appear to serve a legitimate purpose but actually have an unwanted or harmful effect.&lt;br /&gt;&lt;br /&gt;A large segment of trojan programs download other harmful software components to a user's PC without his/her knowledge.&lt;br /&gt;&lt;br /&gt;This application is most likely downloaded and installed by another application that is considered to be adware or spyware.&lt;br /&gt;  &lt;br /&gt;Company :  Unknown&lt;br /&gt;  &lt;br /&gt;Threat Level :  Threat Level : 8&lt;br /&gt;Category :  TROJAN&lt;br /&gt;&lt;br /&gt;The following threats are known to be associated with the file "svrchost.exe":&lt;br /&gt;Threat Alias Number of Incidents&lt;br /&gt;Mal/Generic-A [Sophos] 2&lt;br /&gt;W32.Imaut.CN [Symantec] 2&lt;br /&gt;W32/YahLover.worm [McAfee] 2&lt;br /&gt;Worm.AutoIt.s [PC Tools] 2&lt;br /&gt;Worm.Win32.AutoIt [Ikarus] 2&lt;br /&gt;Worm.Win32.AutoIt.bh [Kaspersky Lab] 2&lt;br /&gt;WORM_IMAUT.AT [Trend Micro] 2&lt;br /&gt;  &lt;br /&gt;Processes :  SVRCHOST.EXE</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1804853433994153945/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1804853433994153945' 
title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1804853433994153945'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1804853433994153945'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/svrchostexe.html' title='SVRCHOST.EXE'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-5508741754753592101</id><published>2009-02-02T02:29:00.000-08:00</published><updated>2009-04-08T04:45:18.004-07:00</updated><title type='text'>IP SPOOFING ATTACKS: DESCRIPTION</title><content type='html'>The first vulnerability, spoofing IP packets, allows an intruder on the Internet to effectively impersonate a local system's IP address. If other local systems perform session authentication based on the IP address of a connection (e.g. rlogin with .rhosts or /etc/hosts.equiv files under Unix), they will believe incoming connections from the intruder actually originate from a local "trusted host" and will not require a password. 
This technique is especially damaging when root connections are permitted with no password.&lt;br /&gt;Services that are vulnerable to forged IP packets include:&lt;br /&gt;• SunRPC &amp; NFS&lt;br /&gt;• BSD Unix "r" commands, including rlogin&lt;br /&gt;• Services secured by TCP Wrappers using source address access control&lt;br /&gt;• X Windows&lt;br /&gt;&lt;br /&gt;It is possible for forged packets to penetrate firewalls based on filtering routers if the router is not configured to block incoming packets with source addresses in the local domain. It is important to note that this attack is possible even if no session packets can be routed back to the attacker. Note also that this attack is not based on the source routing option of the IP protocol.&lt;br /&gt;How did they get my address?&lt;br /&gt;Most spammers get your address by buying lists from other spammers. But how did someone get it in the first place? Often it happens when you give your address to websites that you visit. Some of these sites pass your address on to other sites, who pass it on in turn. More often, your address is "scraped" from the webpage where it appears, for example in your user profile. If you can see it online, so can the spammers.&lt;br /&gt;They can also get it by harvesting your address from chain messages -- you know -- the ones that have Fw: Fwd: Cute Joke (or whatever) as their Subject. Some people don't know how to forward messages without sending the whole "To:" list to everybody on the list. Eventually one of those messages lands in the web (pun intended) of some spammer. Ask your friend to take you off their humor distribution list, or at least to follow the advice below:&lt;br /&gt;"If you want to forward jokes and stuff properly, put all the "Fwd" addresses in the "Blind Copy" (BCC) line, not in the "To" line so that each recipient gets their own private message, with none of the other addresses in it. 
Also, it would be polite to edit the original message so that all the previous addresses are removed." See the tutorial by Somewhere in Time to learn more about how to "forward" properly using "BCC".&lt;br /&gt;Spammers also simply guess email addresses. How hard would it be to guess Robert87639@aol.com? It simply follows Robert 87638. Spammers can easily try all these common combinations. It doesn't take much effort with high speed computers doing the work. If you respond in anger, or even to "unsubscribe", they know they've hooked a live one.&lt;br /&gt;Some spam doesn't even need your email address. This spam uses the Messenger "service" in Windows (not to be confused with Windows Messenger). It just pops up without warning in the middle of what you're doing. You can use a firewall to stop Messenger spam in Windows 98, or you can reconfigure your NetBIOS networking -- something you should do for security anyway. You can disable Windows Messenger in Windows XP, 2000 and NT to stop it.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/5508741754753592101/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=5508741754753592101' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5508741754753592101'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5508741754753592101'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/ip-spoofing-attacks-description.html' title='IP SPOOFING ATTACKS: DESCRIPTION'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-4039320975723255544</id><published>2009-02-02T02:25:00.000-08:00</published><updated>2009-02-02T02:28:10.565-08:00</updated><title type='text'>PACKET FILTER:</title><content type='html'>A packet-filtering firewall is a router or computer running software that has been configured to screen incoming and outgoing packets. A packet-filtering firewall accepts or denies packets based on information contained in the packets' TCP and IP headers. For example, most packet-filtering firewalls can accept or deny a packet based on the packet's full association, which consists of the following:&lt;br /&gt;• Source address&lt;br /&gt;• Destination address&lt;br /&gt;• Application or protocol&lt;br /&gt;• Source port number&lt;br /&gt;• Destination port number&lt;br /&gt;A packet-filtering firewall scans its rules until it finds one that matches the information in a packet's full association. If the firewall encounters a packet that does not match any of the rules, the firewall will apply the default rule. 
A default rule should be explicitly defined in the firewall's table and, for strict security, should instruct the firewall to drop a packet that meets none of the other rules.&lt;br /&gt;&lt;br /&gt;The primary advantage of using a packet-filtering firewall is that it provides some measure of protection for relatively low cost and causes little to no delay in network performance. If you already have an IP router with packet-filtering capabilities, setting up a packet-filtering firewall will cost no more than the time it takes to create packet-filtering rules. Most IP routers, including those manufactured by Novell, Cisco Systems, and Bay Networks, can filter incoming and outgoing packets.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/4039320975723255544/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=4039320975723255544' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4039320975723255544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4039320975723255544'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/packet-filter.html' title='PACKET FILTER:'/><author><name>SHEIK 
FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-1627010284004334763</id><published>2009-02-02T02:21:00.000-08:00</published><updated>2009-02-02T02:29:24.329-08:00</updated><title type='text'>FIREWALL:</title><content type='html'>A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.&lt;br /&gt;There are several types of firewall techniques:&lt;br /&gt;• Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules.&lt;br /&gt;Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.&lt;br /&gt;• Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can degrade performance.&lt;br /&gt;• Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established.&lt;br /&gt;Once the connection has been made, packets can flow between the hosts without further checking.&lt;br /&gt;• Proxy server: Intercepts all messages entering and leaving the network. 
The proxy server effectively hides the true network addresses.&lt;br /&gt;&lt;br /&gt;  Network security usually is thought of in terms of securing your network against threats that originate from the Internet. Attacks that come from the Internet are common and relatively easy. The Internet was designed to be an open, free-flowing system that encourages the unrestricted exchange of information. The Internet was not designed as a secure system that regulates information exchange. On top of the security problem inherent to the Internet is the fact that most TCP/IP-based services are also not designed to provide their own security. In order to secure Internet services such as FTP or HTTP, administrators must put into place additional security methods. Despite these risks, the Internet is not the most common source for network attacks. The widespread distribution of hacking information on the Internet has allowed disgruntled or malicious employees to exploit the same vulnerabilities mentioned above on their own networks with little or no security in their way. That's the bad news. The good news is that the same methods used to protect your network from the Internet can be used to protect your network from itself. Implementing multiple DMZs, strong authentication and digital certificates can help you protect your network (from within and without) as well as provide a more secure opportunity to increase your level of service. With strong authentication, for example, you can make sure that a user authentication attempt originates from a valid source. This also gives you a more secure opportunity to offer remote access into your network from business partners and/or remote employees. The first step toward network security starts with a firewall. After the firewall has been properly installed, other security measures can be more suitably put into place. There are no guarantees in any type of security (network or otherwise).
So, if you have extremely sensitive information to protect, then the system storing that information should not be connected to any network (a pair of wire cutters is your best bet for network security). In all other cases, implementing a firewall (or multiple firewalls) is essential to protecting your network. In non-computer industries, a firewall is a specially designed wall that controls the spreading of a fire. In networking, a firewall could be described as a specially designed device that controls the spreading of a network threat. The most commonly talked about source of network threats is the Internet. The Internet is the home of many unknown people that we cannot trust. There are hackers on the Internet that may want to do our networks harm. We can use a firewall to impede an untrusted person from doing damage to our networks.&lt;br /&gt;A more textbook definition of a computer firewall is that it is a method or device that regulates the level of trust between two or more networks. A firewall can consist of software, hardware or a combination of both. A firewall can protect your network from the Internet as well as regulate the traffic between networks within the same company.&lt;br /&gt;&lt;br /&gt;For instance, a firewall can allow the legal department's network to have access to the marketing file server but the marketing department can be refused access to legal. In this example the firewall is positioned between the marketing and legal networks so that all communication must pass through the firewall. The firewall is then able to ensure that only authorized packets are allowed.&lt;br /&gt;&lt;br /&gt;STATEFUL INSPECTION FIREWALL&lt;br /&gt;                    A stateful inspection firewall combines aspects of a packet-filtering firewall, a circuit-level gateway, and an application-level gateway. 
Like a packet-filtering firewall, a stateful inspection firewall operates at the network layer of the OSI model, filtering all incoming and outgoing packets based on source and destination IP addresses and port numbers. A stateful inspection firewall also functions as a circuit-level gateway, determining whether the packets in a session are appropriate. For example, a stateful inspection firewall verifies that SYN and ACK flags and sequence numbers are logical.&lt;br /&gt;&lt;br /&gt;Stateful inspection firewalls, like all firewalls, are not 100 percent effective. So why bother implementing a firewall at all? You should implement a firewall for the same reason you protect your home by locking your doors, despite the fact that this safety measure does not guarantee that an intruder cannot enter your house. Leaving an Internet or intranet connection without a firewall is a careless, open invitation to would-be intruders.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/1627010284004334763/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=1627010284004334763' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1627010284004334763'/><link rel='self' type='application/atom+xml'
href='http://www.blogger.com/feeds/5074766823662728299/posts/default/1627010284004334763'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/firewall.html' title='FIREWALL:'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-9180200035899617692</id><published>2009-02-02T02:18:00.001-08:00</published><updated>2009-02-02T02:18:39.169-08:00</updated><title type='text'>COOKIES</title><content type='html'>A cookie is just a bit of text in a file on your computer, containing a small amount of information that identifies you to a particular Web site, along with whatever information that site wanted to retain about you while you were visiting.&lt;br /&gt;Cookies are a legitimate tool used by many Web sites to track visitor information. As an example, one might go to an online computer store and place an item in the basket, but decide not to buy it right away because he/she wants to compare prices. The store can choose to put the information about what products he/she put into the basket in a cookie stored on the computer. This is an example of a good use of cookies to help the user experience.&lt;br /&gt;&lt;br /&gt;The only Web sites that are supposed to be able to retrieve the information stored in a cookie are the Web sites that wrote the information in that particular cookie.
This should ensure your privacy by stopping anyone other than the site you are visiting from being able to read any cookies left by that site.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/9180200035899617692/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=9180200035899617692' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/9180200035899617692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/9180200035899617692'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/cookies.html' title='COOKIES'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-5963420407855208053</id><published>2009-02-02T02:06:00.001-08:00</published><updated>2009-02-03T22:25:44.117-08:00</updated><title type='text'>ANTIVIRUS SOFTWARE</title><content
type='html'>&lt;p&gt;&lt;span style="font-family:arial;"&gt;Top 20 Antivirus rankings. Tested using 174,770 virus samples.&lt;br /&gt;&lt;br /&gt;This is the list of the top 20 antivirus applications&lt;br /&gt;&lt;br /&gt;To download any of this software, type the name of the antivirus into Google and you will find it.&lt;br /&gt;&lt;br /&gt;1. Kaspersky version 7.0.0.43 beta - 99.23%&lt;br /&gt;2. Kaspersky version 6.0.2.614 - 99.13%&lt;br /&gt;3. Active Virus Shield by AOL version 6.0.0.308 - 99.13%&lt;br /&gt;4. ZoneAlarm with KAV Antivirus version 7.0.337.000 - 99.13%&lt;br /&gt;5. F-Secure 2007 version 7.01.128 - 98.56%&lt;br /&gt;6. BitDefender Professional version 10 - 97.70%&lt;br /&gt;7. BullGuard version 7.0.0.23 - 96.59%&lt;br /&gt;8. Ashampoo version 1.30 - 95.80%&lt;br /&gt;9. eScan version 8.0.671.1 - 94.43%&lt;br /&gt;10. Nod32 version 2.70.32 - 94.00%&lt;br /&gt;11. CyberScrub version 1.0 - 93.27%&lt;br /&gt;12. Avast Professional version 4.7.986 - 92.82%&lt;br /&gt;13. AVG Anti-Malware version 7.5.465 - 92.14%&lt;br /&gt;14. F-Prot version 6.0.6.4 - 91.35%&lt;br /&gt;15. McAfee Enterprise version 8.5.0i+AntiSpyware module - 90.65%&lt;br /&gt;16. Panda 2007 version 2.01.00 - 90.06%&lt;br /&gt;17. Norman version 5.90.37 - 88.47%&lt;br /&gt;18. ArcaVir 2007 - 88.24%&lt;br /&gt;19. McAfee version 11.0.213 - 86.13%&lt;br /&gt;20. Norton Professional 2007 - 86.08%&lt;br /&gt;&lt;br /&gt;Followed by:&lt;br /&gt;21. Rising AV version 19.19.42 - 85.46%&lt;br /&gt;22. Dr. Web version 4.33.2 - 85.09%&lt;br /&gt;23. PC-Cillin 2007 version 15.00.1450 - 84.96%&lt;br /&gt;24. Iolo version 1.1.8 - 83.35%&lt;br /&gt;25. Virus Chaser version 5.0a - 79.51%&lt;br /&gt;26. VBA32 version 3.11.4 - 77.66%&lt;br /&gt;27. Sophos Sweep version 6.5.1 - 69.79%&lt;br /&gt;28. ViRobot Expert version 5.0 - 69.53%&lt;br /&gt;29. Antiy Ghostbusters version 5.2.1 - 65.95%&lt;br /&gt;30. Zondex Guard version 5.4.2 - 63.79%&lt;br /&gt;31.
Vexira 2006 version 5.002.62 - 60.07%&lt;br /&gt;32. V3 Internet Security version 2007.04.21.00 - 55.09%&lt;br /&gt;33. Comodo version 2.0.12.47 beta - 53.94%&lt;br /&gt;34. Comodo version 1.1.0.3 - 53.39%&lt;br /&gt;35. A-Squared Anti-Malware version 2.1 - 52.69%&lt;br /&gt;36. Ikarus version 5.19 - 50.56%&lt;br /&gt;37. Digital Patrol version 5.00.37 - 49.80%&lt;br /&gt;38. ClamWin version 0.90.1 - 47.95%&lt;br /&gt;39. Quick Heal version 9.00 - 38.64%&lt;br /&gt;40. Solo version 5.1 build 5.7.3 - 34.52%&lt;br /&gt;41. Protector Plus version 8.0.A02 - 33.13%&lt;br /&gt;42. PcClear version 1.0.4.3 - 27.14%&lt;br /&gt;43. AntiTrojan Shield version 2.1.0.14 - 20.25%&lt;br /&gt;44. PC Door Guard version 4.2.0.35 - 19.95%&lt;br /&gt;45. Trojan Hunter version 4.6.930 - 19.20%&lt;br /&gt;46. VirIT version 6.1.75 - 18.78%&lt;br /&gt;47. E-Trust PestPatrol version 8.0.0.6 - 11.80%&lt;br /&gt;48. Trojan Remover version 6.6.0 - 10.44%&lt;br /&gt;49. The Cleaner version 4.2.4319 - 7.26%&lt;br /&gt;50. True Sword version 4.2 - 2.20%&lt;br /&gt;51. Hacker Eliminator version 1.2 - 1.43%&lt;br /&gt;52. Abacre version 1.4 - 0.00%&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;      Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).&lt;br /&gt;&lt;/p&gt;Antivirus software typically uses two different techniques to accomplish this:&lt;br /&gt;• Examining (scanning) files to look for known viruses matching definitions in a virus dictionary&lt;br /&gt;• Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.&lt;br /&gt;Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.&lt;br /&gt;The term antivirus has also been used for benign computer viruses that spread and combated malicious viruses.
This was common on the Amiga computer platform.&lt;br /&gt;&lt;br /&gt;There are competing claims for the innovator of the first antivirus product. Perhaps the first publicly known neutralization of a wild PC virus was performed by European Bernt Fix (also Bernd) in early 1987. Fix neutralized an infection of the Vienna virus. The first edition of the Polish antivirus software mks_vir started in 1987. The program was only available in a Polish-language version. Fall 1988 also saw antivirus software Dr. Solomon's Anti-Virus Toolkit released by Briton Alan Solomon. By December 1990 the market had matured to the point of nineteen separate antivirus products being on sale including Norton AntiVirus and ViruScan from McAfee.&lt;br /&gt;Tippett made a number of contributions to the budding field of virus detection. He was an emergency room doctor who also ran a computer software company. He had read an article about the Lehigh virus, one of the first viruses to be developed, and he questioned whether such viruses would have similar characteristics to viruses that attack humans. From an epidemiological viewpoint, he was able to determine how these viruses were affecting systems within the computer (the boot-sector was affected by the Brain virus, the .com files were affected by the Lehigh virus, and both .com and .exe files were affected by the Jerusalem virus). Tippett’s company Certus International Corp. then began to create anti-virus software programs. The company was sold in 1992 to Symantec Corp, and Tippett went to work for them, incorporating the software he had developed into Symantec’s product, Norton AntiVirus.&lt;br /&gt;&lt;br /&gt;Some antivirus software uses other types of heuristic analysis. For example, it could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable.
If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. However, this method could result in a lot of false positives.&lt;br /&gt;Yet another detection method involves using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans. Also, this method may fail because viruses can be nondeterministic, taking different actions or no action at all when run, so it will be impossible to detect them from one run.&lt;br /&gt;An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this default-deny approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since modern enterprise organizations have large quantities of trusted applications, the limitations of adopting this technique rest with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. As such, viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.&lt;br /&gt;&lt;br /&gt;• User education can effectively supplement antivirus software.
Simply training users in safe computing practices (such as not downloading and executing unknown programs from the Internet) would slow the spread of viruses and obviate the need of much antivirus software. The ongoing writing and spreading of viruses and of panic about them gives the vendors of commercial antivirus software a financial interest in the ongoing existence of viruses. Some theorize that antivirus companies have financial ties to virus writers, to generate their own market, though there is currently no evidence for this. Some antivirus software can considerably reduce performance. Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection the antivirus software needs to be enabled all the time — often at the cost of slower performance (see also software bloat).&lt;br /&gt;• It is important to note that one should not have more than one antivirus software installed on a single computer at any given time. This can seriously cripple the computer and cause further damage. This is not always obviously stated in terms of usage for these programs.&lt;br /&gt;• It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Having antivirus protection running at the same time as installing a major update may prevent the update installing properly or at all.&lt;br /&gt;• When purchasing antivirus software, the agreement may include a clause that your subscription will be automatically renewed, and your credit card automatically billed at the renewal time without your approval. For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription, yet it does not provide phone access nor a way to unsubscribe directly through their website. 
In that case, the subscriber's recourse is to contest the charges with the credit card issuer.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/5963420407855208053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=5963420407855208053' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5963420407855208053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/5963420407855208053'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/antivirus-software.html' title='ANTIVIRUS SOFTWARE'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-8551943722271087767</id><published>2009-02-02T02:05:00.000-08:00</published><updated>2009-02-21T02:51:37.615-08:00</updated><title type='text'>PREVENT A VIRUS FROM INFECTING MY COMPUTER.</title><content
type='html'>&lt;span style="font-family:arial;"&gt;A virus scanner is the most common tool for prevention. This utility attempts to scan a computer program before it runs, and if it recognizes the signature of malicious code, it shuts it down. Many scanners also evaluate programs to determine whether they contain any virus-related characteristics.&lt;br /&gt;&lt;br /&gt;The best way to stop viruses is to use common sense. If an executable computer program is attached to your e-mail and you are unsure of the source, then it should be deleted immediately. Do not download any applications or executable files from unknown sources, and be careful when trading files with other users.&lt;br /&gt;&lt;br /&gt;• Two of the biggest concerns for computer users today are viruses and spyware. In both cases, we have seen that while these can be a problem you can defend yourself against them easily enough with just a little bit of planning:&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;• Keep your computer’s software patched and current. Both your operating system and your anti-virus application must be updated on a regular basis.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;• Only download updates from reputable sources. For Windows operating systems, always go to http://windowsupdate.microsoft.com and for other software always use the legitimate Web sites of the company or person who produces it.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;• Always think before you install something, weigh the risks and benefits, and be aware of the fine print. Does the lengthy license agreement that you don’t want to read conceal a warning that you are about to install spyware?&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;• Install and use a firewall.
If you are running Windows XP you can use the built-in software firewall under Control Panel, and there are free versions of firewalls that work on all versions of Windows.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;• Prevention is always better than cure.&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/8551943722271087767/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=8551943722271087767' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8551943722271087767'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/8551943722271087767'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/prevent-virus-from-infecting-my.html' title='PREVENT A VIRUS FROM INFECTING MY COMPUTER.'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32'
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-513619933160753569</id><published>2009-02-02T02:04:00.000-08:00</published><updated>2009-02-02T02:09:24.671-08:00</updated><title type='text'>WHAT EXACTLY IS A VIRUS? IS A “WORM” ALSO A VIRUS?</title><content type='html'>Viruses are computer programs or scripts that attempt to spread from one file to another on a single computer and/or from one computer to another, using a variety of methods, without the knowledge and consent of the computer user. A worm is a specific type of virus that propagates itself across many computers, usually by creating copies of itself in each computer’s memory.&lt;br /&gt;Many users define viruses simply as trick programs designed to delete or move hard drive data, which, strictly speaking, is not correct. From a technical viewpoint, what makes a virus a virus is that it spreads itself. The damage it does is often incidental when making a diagnosis.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Obviously, any incidental damage is important, even when authors do not intend to create problems with their viruses; they can still cause harm unintentionally because the author did not anticipate the full effect or unintentional side effects. The most common method used for spreading a virus is through e-mail attachment. Sending a virus, even if designed to be harmless, can cause unforeseen damage.&lt;br /&gt;&lt;br /&gt;Viruses and Worms &lt;br /&gt;&lt;br /&gt;The term virus has long been used generically to describe any computer threat, but in actuality it refers specifically to malware that inserts malicious code into existing documents or programs, and then spreads itself by various means. 
&lt;br /&gt;&lt;br /&gt;The reason people often call every computer threat a "virus" is that viruses are the original type of malware, actually predating the public Internet. Today, viruses are still by far the most common type of network security threat, and over 90 percent of viruses are spread through attachments on emails. Often the attacker will combine a virus with a "zombie" attack (discussed below) so that you will receive an email with an attachment from a friend that actually contains a virus. &lt;br /&gt;&lt;br /&gt;Prevention &lt;br /&gt;The good news about viruses is that they require a user action to insert themselves onto your computer. So, training your office staff to never open an email attachment that they weren't expecting, no matter who the sender is, will go a very long way toward keeping your network free of viruses. Unfortunately, educating your staff about what attachments to open will do little to stop worms from infecting your network. That is because although worms are also often initially delivered in email, they don't need a host file (i.e., no attachment is needed for an email to be infected) and they can propagate themselves. Worms, unlike viruses, spread on their own. So once a computer is infected, the worm can often make quick copies of itself and infect an entire network within a few hours. Because of this unique opportunity to multiply themselves quickly across a network, worms are responsible for a good number of companies’ widespread network failures. &lt;br /&gt;&lt;br /&gt;Both viruses and worms often work to open up new holes in your network security in order to allow even more dangerous security threats to infect your network.
Consequently, it should be an essential priority of every company and individual to use virus protection software to limit the incoming malware, and then to educate employees to make sure those worms and viruses that slip through never get opened.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/513619933160753569/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=513619933160753569' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/513619933160753569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/513619933160753569'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/what-exactly-is-virus-is-worm-also.html' title='WHAT EXACTLY IS A VIRUS?
IS A “WORM” ALSO A VIRUS?'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-4006020487274274294</id><published>2009-02-02T02:03:00.000-08:00</published><updated>2009-02-02T02:15:56.469-08:00</updated><title type='text'>MALWARE</title><content type='html'>"Malware" is short for malicious software and is typically used as a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network, whether it's a virus, spyware, etc.&lt;br /&gt;&lt;br /&gt;Malware, a portmanteau from the words malicious and software, is software designed to infiltrate or damage a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[1] The term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, including true viruses.&lt;br /&gt;&lt;br /&gt;Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. 
In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several American states, including California and West Virginia.[2] [3]&lt;br /&gt;&lt;br /&gt;Malware is not the same as defective software, that is, software which has a legitimate purpose but contains harmful bugs.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/4006020487274274294/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=4006020487274274294' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4006020487274274294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4006020487274274294'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/malware-viruses-spyware-and-cookies.html' title='MALWARE'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32'
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-2891029103261246328</id><published>2009-02-02T01:58:00.000-08:00</published><updated>2009-02-02T02:03:43.860-08:00</updated><title type='text'>NETWORK SECURITY</title><content type='html'>Computer security protects your computer and everything related to it and, most importantly, the information you have stored in your system. That's why computer security is sometimes called "information security" or network security. It is defined as the protection of network resources against unauthorized users; if proper security is not provided, any user on the network can access, modify or destroy the data. In a network, data is safe only when restrictions are placed on unauthorized access.&lt;br /&gt;&lt;br /&gt;Information kept in the computer, under the operating system's control, can be protected efficiently. Usually, physically securing the computer system, providing authentication mechanisms for log-ins and managing resource access based on authentication is enough when there is just one computer. But in the world of networks, multi-vendor configurations and open systems, information is increasingly on the move and being shared by different users on different systems. Information that's protected securely by an operating system becomes much more vulnerable when it is being transmitted and shared via network connections. Instead of being available to only a relatively small population of users within your own organization, your computer system is potentially open to attack by anyone. 
The number of possible users, the ease of access from remote and sometimes anonymous locations and the opportunity for error introduced by the increasing complexity of networked systems all contribute to this vulnerability.</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/2891029103261246328/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=2891029103261246328' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2891029103261246328'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/2891029103261246328'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/02/network-security.html' title='NETWORK SECURITY'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' 
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5074766823662728299.post-4798272190131259447</id><published>2009-02-01T05:50:00.000-08:00</published><updated>2009-04-08T04:39:25.723-07:00</updated><title type='text'>IE SECURITY THREAT</title><content type='html'>&lt;p&gt;&lt;strong&gt;Gopher Attacks Are Latest IE Security Threat&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;The Gopher protocol has been forced underground since the advent of the World Wide Web. But the original Internet surfing technology can still put a nasty bite on users of Microsoft's Internet Explorer browser, a security researcher warned today.&lt;br /&gt;&lt;br /&gt;A Gopher client nestled in the darkest corners of IE's code contains an exploitable buffer overflow bug that could allow a malicious server to run arbitrary code on a victim's computer, according to an advisory issued today by Jouko Pynnonen of Finland's Online Solutions.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;strong&gt;The Web's Latest Threat: Smarter 'Zombies'&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;As if zombie PCs -- computers taken over by hackers and used to distribute spam and malware -- weren't already bad enough, they are now harder to prevent than ever before.&lt;br /&gt;&lt;br /&gt;That's because they're getting smarter and harder to track down, according to security software vendor Commtouch. 
New zombies now routinely request new IP addresses from their ISPs, so anti-spam software that works by blocking spam based on the originating IP addresses can no longer effectively halt them, the company said in its most recent quarterly Internet Threats Trend Report.&lt;br /&gt;&lt;br /&gt;While some ISPs deny their request to change IP address, others accede, giving them new IP addresses in real time, Amir Lev, chief technology officer at Commtouch (NASDAQ: CTCH), told InternetNews.com. 
The result is that zombies can change addresses much faster than most security services and software can respond, which means their users are not protected, Lev said.&lt;br /&gt;&lt;br /&gt;Commtouch's findings signal the latest setbacks in the war on spam and botnets -- networks of zombie PCs. Spam and botnet activity fell sharply late last year after major spam host McColo was shut down in November.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksecurity2008.blogspot.com/feeds/4798272190131259447/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5074766823662728299&amp;postID=4798272190131259447' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4798272190131259447'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5074766823662728299/posts/default/4798272190131259447'/><link rel='alternate' type='text/html' href='http://networksecurity2008.blogspot.com/2009/01/latest-news.html' title='IE SECURITY THREAT'/><author><name>SHEIK FIRAZ</name><uri>http://www.blogger.com/profile/14448254799592431757</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='27' height='32' 
src='http://2.bp.blogspot.com/_Q92aoloWYdM/TIcsklwuy8I/AAAAAAAAAPg/IKPnqEOIP6U/S220/shahid_kapoor1.jpg'/></author><thr:total>0</thr:total></entry></feed>
