Feb 28, 2009

Ghost Adware

Name: Adware.Win32.Ghost Keylogger

Risklevel: Severe Risk
Company: Sureshot Software - http://keylogger.net/

Characteristics:
  • It is an invisible keylogger that records every keystroke.
  • It monitors Internet activity by logging the addresses of visited web pages.
Installation: Installed through EXE
Process: syncconfig.exe
Used folders:
  • C:\Program Files\Sync Manager Demo\agent
  • C:\Program Files\Sync Manager Demo
Used files:
  • C:\Program Files\Sync Manager Demo\manual.html
    [30026 Bytes] HTML Document
  • C:\Program Files\Sync Manager Demo\agent\syncagent.exe
    [626688 Bytes] Application
  • C:\Program Files\Sync Manager Demo\agent\syncagent.dll
    [258048 Bytes] Application Extension
  • C:\Program Files\Sync Manager Demo\syncconfig.exe
    [663552 Bytes] Application
  • C:\Program Files\Sync Manager Demo\faq.html
    [29722 Bytes] HTML Document
  • C:\Program Files\Sync Manager Demo\agent\syncagent.cfg
    [2641 Bytes] Microsoft Office Outlook Configuration File

Feb 24, 2009

Current Scenario


As the volume of financial and other data transactions over the Internet increases, the potential for harm from network threats increases with it. As a consequence, complex security measures that were once required only by Fortune 500 companies, such as regular security audits, are increasingly a necessity even for the smallest of companies.

As we continue to become an ever more networked society, the financial benefits attainable by hacking a network increase. As a result, it should come as no surprise that the number of attacks, and the creativity spent in trying to breach a network, continue to increase. Consequently, those who are tasked with defending networks must continue to educate themselves and their workforce on the newest types of attacks and make the necessary preparations to defend against them.

Zombie Computers and Botnets


If you've ever wondered who is sitting around sending out all those spam emails, the answer may be you. A recent New York Times article estimates that as much as 80 percent of spam messages are sent out by the computers of ordinary individuals who have no idea their computers have been converted into 'zombies'. A 'zombie' computer is simply a computer infected with malware that causes it to act as a tool of a spammer, silently sending out thousands of emails through the owner's Internet connection, usually with forged sender addresses.

Infected 'zombie' computers are organized by their controllers into groups called 'botnets', often numbering in the thousands. These 'botnets' then send out spam that may carry phishing attempts, viruses and worms. Unfortunately for network managers and business owners, the 'zombie' malware threat is expected to continue to grow both in number and variety over the next few years. Currently, 'zombies' are used for the following kinds of attacks:

Spamming and phishing attacks:- This classic use of 'zombie' computers is still the most common.

Click fraud:- Using a hidden program, zombie computers emulate a human clicking on ads at a website or weblog. While Google said in Dec 2006 that click fraud for its AdSense contextual ad network is less than 2 percent, some advertisers have much higher estimates. Whatever the actual figure, creating click fraud zombies is currently a multi-million dollar industry, so do not expect it to stop soon.

DoS attacks:- Your company may have malicious competitors, or spiteful former employees who will stoop to any level to bring your company down. In this instance, your enemy might launch a Denial-of-Service (DoS) attack, designed to make the hosted pages of a website or network unavailable to customers or employees; when the traffic comes from many zombies at once it is a distributed DoS (DDoS). For instance, a spiteful former employee may launch a DoS attack on your biggest selling day of the year, and your company will lose all the business it might have had that day as customers are unable to reach your Web site.

Pump and dump stock schemes:- In this scheme, spammers buy up a large block of a penny stock (especially sub-$1 per share), then use their 'Zombies' to spam millions of people with emails about the stock in the hopes that a few fools will take the bait and buy a few thousand shares, thus raising the price. After the price spike, the spammer then sells off his holdings and makes a quick buck.

Prevention
Because ‘botnets’ typically work silently on ‘zombie’ computers and are often enabled by the secret installation of Trojan horses, it is very difficult to tell whether a computer has been infected. Preventing ‘botnets’ from turning your network computers into 'zombies' requires that you educate your employees to keep all forms of security software up to date and to run a virus scan regularly, preferably nightly. In addition to nightly scanning, train your employees to treat sudden unusual behavior of their computer(s), such as persistent slowdowns or crashes, as a sign that it may be infected; unexplained outbound mail traffic from a workstation is another common indicator. If, despite your best efforts, a network computer becomes infected, treatment can vary wildly, from scanning for and deleting the bot malware to reformatting the computer's hard drive.

Security in shared computers


In the IT community, it is often said that shared computers are like public bathrooms, they may appear clean, but are usually chock full of viruses. Thankfully, the danger of shared computers is one network threat that you can largely render harmless by limiting the activities that you and your employees perform.

Prevention
If you or your employees use public computers, don't permit them to log into important online accounts, especially those containing financial details. You never know when a keylogger might be lying in wait, ready to steal your password and then your company’s money. Going beyond just avoiding accessing sensitive data through public computers, if you can avoid it, forbid your employees from logging into any network accounts at all on any public computers. While enforcement of this policy is difficult, simply educating your staff on the dangers of using public computers is often sufficient to eliminate most of these incidents.

Hardware Loss and Residual Data Fragments


   Over the past few months, a number of government laptops have been stolen and the story has made national news. The government is so concerned, not because of the cost of replacing a few laptops, but from the network vulnerabilities that the loss of this hardware threatens to cause. In fact, hardware loss is a large cause of the more than 10 million cases of identity theft suffered by Americans each year.

   These types of problems are not what we commonly think of as network security threats, but stolen or sold laptops and computers pose one of the biggest threats for networks. Businesses often sell older computers without completely wiping the drives clean of data, including system passwords. Just as with stolen computers, this information can then be easily used to gain access to the network and compromise the security of the entire system.

Prevention
     Thankfully, the threat of hardware loss and residual data fragments can be minimized by taking a few rather straightforward steps:
Encrypt sensitive company data, especially the laptops and files of executives, who are the most likely to be targeted. Full-disk encryption protects a laptop that is lost or stolen while powered off; encrypting individual files leaves copies in temporary files, swap space and caches exposed. When traveling through foreign airports the problem can be especially acute, as laptops of prominent individuals are sometimes taken aside under the guise of "security", and their hard drives are quickly mirrored and used to blackmail the company. Despite the obvious benefits of securing data, a recent survey found that while 64 percent of companies were more concerned about data loss than about the cost of replacing hardware, only 12 percent were actually using encryption.

Wipe/shred old hard drives before they leave your organization. Deleting files or reformatting does not remove the data; the drive must be overwritten in full or physically destroyed. This is as much an issue of data compliance regulations as it is of network security. No matter what your motivation, however, failing to clean discarded hardware can leave your entire network vulnerable.

Develop a policy for keeping track of employees' use of smartphones and USB memory cards around sensitive data. Simply letting employees know that you have such a policy and are monitoring the use of these devices will go a long way toward preventing their misuse and protecting the network.

     Use an RFID-based Asset Management system for computers, laptops, and other sensitive hardware to keep tabs on their whereabouts in your premises.

Password Attacks

Password Protection
Passwords are undeniably a huge part of your online security. Almost every website you visit that deals with online transactions, email and shopping uses a password to verify you. This means that you not only need to choose a password that cannot easily be guessed, but you should also keep it safe and secure and not share it with anyone. Do not use the same password for all of your accounts, and choose passwords that contain letters, numbers and special characters.

Password Attacks

A 'Password Attack' is a general term that describes a variety of techniques used to steal passwords to accounts.

Brute-force:- The most labor intensive and least sophisticated method: the attacker simply keeps trying candidate passwords until one works. A pure brute-force attack tries every combination of characters; a 'dictionary attack' narrows the search to words and phrases from a wordlist, usually with common variations (capitalization, appended digits or years, symbol substitutions). The same technique can be used to guess usernames, so hard-to-guess usernames and passwords, combined with lockout or rate limiting after repeated failed logins, are increasingly vital to network security.

Packet sniffers:- Packet sniffers capture passwords as they cross a network the attacker has access to. Any protocol that sends credentials in cleartext, such as unencrypted HTTP, FTP, Telnet or POP3, hands them to anyone listening.

IP-spoofing:- The attacker forges the source address of packets so that they appear to come from a trusted machine. Combined with impersonation of a trusted server or resource, much as the rogue access points described under Packet Sniffers below impersonate a legitimate network, this lets the attacker intercept data packets, including credentials, that victims believe they are sending to the real system.

Trojans:- Trojans are the most invasive of these methods and the most likely to succeed, especially when they install keyloggers, since a keylogger captures the password as it is typed, however strong it is.

Prevention
Automated testing (e.g., dictionary scanning), human behavior (e.g., lack of diversity in usernames and passwords) and other security flaws make it easier for password attackers to succeed. Unfortunately, there is no single method to protect against password attacks, though combining network traffic analysis with the old stalwarts of email scanning, virus protection, firewalls and an educated workforce can together form a strong defense for any network.
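The following is an added example (not code from the original article) that makes the dictionary-attack point above concrete. It takes a constructed set of unsalted SHA-1 password hashes, of the kind found in a leaked credential database, and runs a tiny wordlist through the common mangling rules attackers use. One of the fictional passwords, "Summer2009!", satisfies the "letters, numbers and special characters" advice and still falls, because it is a dictionary word with a predictable suffix. The defender side shows what takes the shortcut away: a random per-user salt and a deliberately slow hash (PBKDF2), so that each guess has to be computed per user and costs far more. Accounts, passwords and the wordlist are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample: unsalted SHA-1 hashes as an attacker might find them in a
# leaked credential database. Accounts and passwords are fictional.
LEAKED_HASHES = {
    "jsmith": hashlib.sha1(b"password1").hexdigest(),
    "mjones": hashlib.sha1(b"Summer2009!").hexdigest(),
    "rlee":   hashlib.sha1(b"xT9#kq2!vLm8").hexdigest(),
}

# A tiny constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = ["password", "summer", "letmein", "welcome", "monkey"]

SUFFIXES = ("", "1", "123", "!", "2009", "2009!")


def mangle(word):
    """Yield the variations a dictionary attack tries for one base word:
    capitalisation changes, common suffixes and 'leet' substitutions."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        leet = base.replace("a", "@").replace("o", "0").replace("s", "$")
        for stem in (base, leet):
            for suffix in SUFFIXES:
                candidate = stem + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def dictionary_attack(hashes, wordlist):
    """Return ({user: password}, attempts) for every unsalted hash that a
    mangled wordlist entry reproduces. Because the hashes are unsalted, one
    SHA-1 computation tests the candidate against every user at once."""
    by_hash = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            digest = hashlib.sha1(candidate.encode()).hexdigest()
            for user in by_hash.get(digest, ()):
                cracked[user] = candidate
    return cracked, attempts


def store_password(password, iterations=100_000):
    """Defender side: a random per-user salt and a slow key derivation.
    Returns (salt, digest); both are stored, the salt is not secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt; constant-time compare avoids leaking
    how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    cracked, attempts = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"{attempts} guesses cracked {len(cracked)} of {len(LEAKED_HASHES)}: {cracked}")
    salt, digest = store_password("Summer2009!")
    print("salted PBKDF2 verify:", verify_password("Summer2009!", salt, digest))
```

With salting, the attacker can no longer hash "Summer2009!" once and compare it against every account; the same wordlist has to be re-run per salt, and each PBKDF2 evaluation is roughly a hundred thousand times more expensive than a bare SHA-1. Note that neither measure helps a user whose password is already in the wordlist and who is attacked individually; length and unpredictability still matter.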

Maliciously-Coded Web sites


Maliciously-coded Web sites can take many different forms, from installing Trojan horses to redirecting you to a site you did not request. One of the most threatening forms, and one that is on the rise, is the site designed to steal passwords and payment details. A very common variant takes advantage of people's charitable instincts by setting up traps in what appear to be sites that allow you to make donations to victims of natural disasters such as Hurricane Katrina. Hackers set up a fake sign-in page and then encourage unsuspecting victims to enter their credit card number and other personal information.

   In addition to stealing personal information, maliciously-coded websites are also often designed for the following purposes:

  1. Installation of keyloggers
  2. Adware/ spyware/ reading cookies
  3. Drive-by downloads
  4. XSS - cross-site scripting, which injects attacker-controlled script into a trusted site so that it runs in the victim's browser with that site's privileges.

Prevention
In order to protect your network, you should encourage your employees to purchase only from sites that serve their checkout pages over HTTPS with a valid certificate, and to use PayPal instead of a credit card whenever possible, since by doing so they will not have to reveal their credit card information to another site. In addition to limiting the number of times credit card information is typed into a website, paying by PayPal is also helpful because maliciously-coded sites are less likely to accept PayPal payments, since the owners of a PayPal account are easier to trace to an address or bank account.

Further, you should instruct your employees never to sign up for new Web 2.0 applications with the username and password they ordinarily use for sensitive data. A regular browser patch and plugin update schedule closes the browser and plugin flaws that drive-by downloads rely on, and your virus and email protections should be kept current on the same schedule. Finally, you should systematically set the browser security settings of all your network computers to a higher than default setting. While this step will not eliminate the possibility that your employees will stumble upon maliciously-coded sites, it will reduce the incidence of that occurrence.

Packet Sniffers


Packet sniffers capture data streams over a network, thus allowing for the capture of sensitive data like usernames, passwords and credit card numbers. The result, unsurprisingly, is the loss of data, trade secrets, or online account balances. For network managers specifically, even bigger losses can come from lawsuits due to noncompliance of data protection regulations.

While packet sniffers have been used in rather harmless ways, such as by law enforcement and by corporations for data protection compliance purposes (HIPAA, SOX/Sarbox, Gramm-Leach-Bliley Act), the real concern for network owners is packet sniffers' more malicious forms.

Packet sniffers work by monitoring and recording all the information that comes from and goes to your computer over a compromised network. So in order to be effective, the packet sniffer must first have access to the network you are using. The most common way to get it is to set up a rogue access point: an unsecured Wi-Fi access point that the attacker controls and lures people into using. (Such access points are often loosely called 'honeypots'; in security usage a honeypot is a decoy system run by defenders, so 'rogue' or 'evil twin' access point is the more precise term.) Typically these are set up in public places such as airports, and the network is named something like "Free Public Wi-Fi". Unsuspecting individuals then connect to the attacker's network, and because every packet passes through hardware the attacker controls, the sniffer grabs their personal information when they enter things like credit card details into a site that does not use encryption.

Prevention
Education is simply the best policy for dealing with the threat of packet sniffers. Once your employees know never to access the Internet through an unsecured connection, and are made aware that packet sniffers exist, they are much less likely to fall victim to this technique. Because a single sniffed session from any employee can compromise sensitive network data, it is important that everyone learn how to identify rogue access points (the 'honeypots' described above) and how to secure their own home Wi-Fi networks. When a public network is unavoidable, a VPN, or at a minimum HTTPS-only browsing, keeps the captured traffic unreadable. In addition, make sure that your employees use a variety of different sign-on names and passwords for the various levels of network access, so that if one set of login details is compromised, the damage is at least limited in scope.
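To show what a passive sniffer on a rogue access point actually recovers, here is an added example (not from the original article) that parses the application-layer bytes of one reassembled TCP stream. The stream is constructed for the example: a cleartext HTTP login that carries both an HTTP Basic Authorization header and a form body, for a fictional site and account. A second constructed stream stands in for the same login over TLS, where only the record header is visible and the parser finds nothing. In practice the bytes would come from a capture tool; the parsing and the lesson are the same.

```python
import base64
from urllib.parse import parse_qs

# Constructed capture: the application-layer bytes of one TCP stream as a
# sniffer on an open Wi-Fi network would reassemble them. Site, account and
# card number are fictional (4111... is a well-known test card number).
CLEARTEXT_STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"jsmith:letmein") + b"\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 54\r\n"
    b"\r\n"
    b"username=jsmith&password=letmein&card=4111111111111111"
)

# Constructed stand-in for the same login over TLS: a TLS 1.2 record header
# (content type 0x16 = handshake, version 3.3) followed by opaque bytes.
TLS_STREAM = b"\x16\x03\x03\x00\x10" + bytes(range(16))

# Form field names a sniffer would single out (heuristic list for the example).
SENSITIVE_FIELDS = ("username", "user", "login", "password", "passwd", "pass", "card")


def is_tls(stream):
    """TLS records start with a content type byte (0x14-0x17) and major version 3."""
    return len(stream) >= 3 and stream[0] in (0x14, 0x15, 0x16, 0x17) and stream[1] == 0x03


def extract_credentials(stream):
    """Return what a passive observer can read from one request: nothing for
    TLS, and for cleartext HTTP the host, request line, Basic-auth credentials
    and any sensitive form fields."""
    if is_tls(stream):
        return {}                       # ciphertext only; no session keys, no plaintext
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()

    found = {"host": headers.get("host", ""),
             "request": lines[0].decode("latin-1")}

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Basic auth is base64, not encryption: it decodes to "user:password".
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        found["basic_auth"] = (user, password)

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body.decode("latin-1")).items():
            if field.lower() in SENSITIVE_FIELDS:
                found[field] = values[0]
    return found


if __name__ == "__main__":
    print("cleartext:", extract_credentials(CLEARTEXT_STREAM))
    print("tls:      ", extract_credentials(TLS_STREAM))
```

The point of the two streams side by side: the sniffer's position on the network is identical in both cases, and the only thing that decides whether it walks away with a username, password and card number is whether the site used HTTPS. Basic authentication in particular is often mistaken for protection; it is a reversible encoding.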

PHISHING

Phishing

Anyone who has ever used PayPal or does their banking online has probably received dozens of emails with titles such as, "URGENT: Update Account Status". These emails are all attempts by a spammer to "phish" your account information. Phishing refers to spam emails designed to trick recipients into clicking on a link to an insecure website. Typically, phishing attempts are executed to steal account information for e-commerce sites such as eBay, payments processors such as PayPal, or regular financial institutions' websites. A phishing email supplies you with a link to click on, which will take you to a page where you can re-enter all your account details, including credit card number(s) and/or passwords. Of course, these sites aren't the actual bank's site, even though they look like it.

Your company's mobile phones may not be safe either, as SMS messaging is now frequently used for a newer type of phishing called SMiShing. Once the SMiShing is successful, other malware such as Trojans is sometimes loaded onto the mobile phone. These Trojans then silently send high-cost text messages, which end up on the victim's bill.

Some criminals are also using VoIP or VoIM software to send vishing messages. These try to confuse people into calling the provided number - usually an automated VoIP Call-In number - and revealing credit card details, which are recorded in audio form.

Prevention
Phishing in all its varieties is a huge and growing problem for network security managers and business owners. As we all become more interconnected and access more and more personal information through networks, there are more and more opportunities for phishers to attack. To protect one's network, it is becoming increasingly vital that you educate your employees about the most common ways in which hackers try to phish account information. Even though simplistic phishing attempts like the PayPal scam now seem obvious to regular Internet users, a single phishing attack can compromise an entire network's security if an employee is tricked into giving up network account credentials. Even after educating your workforce, you should consider adding a standing reminder on the browser start page that users must never enter personal information solicited through an email, and you should certainly use a sophisticated email filter to limit the number of phishing attacks that your employees must navigate around.
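As an added example (not part of the original article), the following code applies the checks an email filter or a cautious reader would make to the links in a phishing message: does the link use HTTPS, does the visible text show one site while the href goes to another, is the bank's name only a subdomain of some other registered domain, is the host a raw IP address, a punycode (homograph) name, or hidden behind a "user@host" trick. The sample message is constructed for the example, with PayPal as the impersonated brand because the article uses that scam; the hostnames are fictional. The registered-domain helper is a deliberate simplification (last two labels); production code should use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name. Simplification for the example: a real
    implementation consults the Public Suffix List so 'shop.co.uk' is not
    reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_warnings(href, text, expected_domains):
    """Return the reasons this link looks like a phishing lure; an empty list
    means none of the checks fired."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:          # e.g. https://bank.example@evil.example/
        reasons.append("user@host trick: real host is " + host)
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address")
    if "xn--" in host:
        reasons.append("punycode (possible homograph) host")
    if reg not in expected_domains:
        if any(d in host for d in expected_domains):
            reasons.append("expected brand appears only as a subdomain of " + reg)
        else:
            reasons.append("unexpected domain " + reg)
    # Visible text that looks like a URL but points to a different site.
    if "." in text and " " not in text:
        shown = (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()
        if shown and registered_domain(shown) != reg:
            reasons.append("text shows %s but link goes to %s" % (shown, host))
    return reasons


def analyze_message(html, expected_domains):
    """Return [(href, text, warnings)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, link_warnings(href, text, expected_domains))
            for href, text in parser.links]


# Constructed sample message (fictional hosts); only the third link is genuine.
SAMPLE_HTML = """
<p>URGENT: Update Account Status</p>
<a href="http://www.paypal.com.account-verify.example/login">https://www.paypal.com/</a>
<a href="https://192.0.2.10/update">Update Account Status</a>
<a href="https://www.paypal.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for href, text, warnings in analyze_message(SAMPLE_HTML, {"paypal.com"}):
        print(href, "->", warnings or "ok")
```

The subdomain check is the one that catches the classic lure: "www.paypal.com.account-verify.example" contains the brand, but the domain that was actually registered, and that the browser will connect to, is "account-verify.example". A user reading the start of the address bar sees only the brand.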

SPAM

Spam

Depending on the source cited, spam makes up 70 to 84 percent of daily emails sent throughout the world. All that spam results in billions of dollars in lost productivity and creates an ever increasing need for IT resources to filter out this irritating and potentially malicious menace.

Spam email takes a variety of forms, ranging from unsolicited emails promoting products like Viagra, to coordinated spam attacks designed to take up so much bandwidth on a network so as to cause it to crash. A more recent trend is image spam, which eats up even more bandwidth than its textual cousin, and often circumvents contextual spam filters which analyze the message text to look for indications that the email is spam. Another brand new technique that spammers are using is called "news service" spam, which uses legitimate headlines such as "Howard Stern Earns $83M Bonus" to trick recipients into opening spam emails that are filled with spammy drug advertisements. These and other new spam trends constantly threaten the productivity of email and the security of IT networks.

Prevention
When it comes to fighting spam, fortunately, a great deal of it can be filtered out by a good email filter, and much of what slips through can be avoided by staying current on the latest techniques that spammers use. In addition, you should protect your network from email spam by requiring your employees to use separate accounts for their personal Internet use, and by insisting that company accounts not be used to sign up for any online service or freebie. Finally, when creating company email accounts, use a naming system that is not easily guessable; patterns such as JSmith@domain.com are the first thing spammers try, as they increasingly run through common name lists in order to harvest addresses to spam.

Trojan Horses


A Trojan horse is a malware attack that disguises itself as something innocent, such as a computer game, or a YouTube search results page. A recent example of a devastating Trojan horse used an email with a link that supposedly connected the reader to a video of the Saddam Hussein hanging, but instead just infected them with malware. Once installed on a computer, the 'Saddam' Trojan horse then downloaded and installed a keylogger onto the infected computer. This keylogger was used to record every keystroke by a computer’s user, thus stealing financial account information and passwords.

The 'Saddam' Trojan horse is noteworthy only because it was so successful; the actual methods it used to infect computer networks are not unique. In fact, Trojans are particularly dangerous because they all appear so innocuous on the surface. Often Trojans embed themselves in a particular website (usually adult, gaming or gambling), hide in downloaded free software, or, as with the 'Saddam' Trojan horse, infect a person who clicks on a link sent to them in an email.

A Trojan horse meets the definition of a virus that most people use, in the sense that it attempts to infiltrate a computer without the user’s knowledge or consent. A Trojan horse, like its Greek mythological counterpart, presents itself as one thing while actually being another. A recent example of malware acting as a Trojan horse is the e-mail version of the “Swen” worm, which falsely claimed to be a Microsoft update application.

Trojans typically do one of two things: they either destroy or modify data the moment they launch, such as erase a hard drive, or they attempt to ferret out and steal passwords, credit card numbers, and other such confidential information.

Trojan horses can be a bigger problem than other types of malware because they are designed to be destructive or disruptive, whereas the coder of a virus or worm may not intend to do any harm at all. In practice this distinction does not matter: you can lump viruses, Trojans and worms together as "things I don't want on my computer or my network".

Prevention
Because hackers are so creative in coming up with new and different types of Trojan horses, training employees on what to look for will not by itself prevent Trojan horses from infecting your network. Instead, you may want to consider blocking users from downloading freeware, blocking links embedded in emails, and using a whitelist of approved websites that employees may visit. Because Trojans are much easier to prevent than they are to cure, with an infected computer sometimes requiring a complete reformatting of the hard drive, these drastic preventive measures may be warranted for some companies. The methods for dealing with Trojans are generally the same as those for dealing with viruses. Most virus scanners attempt to deal with the common Trojans with varying degrees of success, there are also specific "anti-Trojan" scanners available, and your best weapon is common sense yet again. Score another point for safe computing!


Feb 21, 2009

GAME.EXE

game.exe (Game Dialler) - Details

The game.exe process (Game Dialler) takes over your modem and attempts to 'dial out' to telephone numbers, potentially overseas or premium-rate, in order to download adult content and store it on your computer. The call charges end up on the victim's telephone bill.

game.exe is considered a security risk: antivirus, anti-spyware and adware removal programs all flag Game Dialler as malicious, a number of users have complained about its effect on system performance, and there are privacy issues associated with the product.

Game Dialler is most likely a virus or adware and as such presents a serious, unnecessary risk that should be eliminated immediately. Delaying the removal of game.exe may cause serious harm to your system and is likely to cause problems such as slow performance, loss of data or leaking of private information to websites.

Removing Game Dialler may be difficult.



game.exe is related to aconti.exe, arr.exe, dvdkeyauth.exe, fastdown.exe, infus.exe, movieplace.exe, sws.exe and win32us.exe.

GAME.EXE - Disclaimer

Every attempt has been made to provide you with the correct information for game.exe or GAME DIALLER. Many spyware / malware programs use filenames of usual, non-malware programs. If we have included information about game.exe that is inaccurate, we would greatly appreciate your help by updating the Process Information database and we will do our best to correct it.

You should verify the accuracy of information we provided about game.exe. Game Dialler may have had a status change since this page was published.

Feb 19, 2009

HACKING IN LINUX

Hack attacks on Linux on the rise

Hackers are increasingly targeting Web servers based on the Linux operating system, while the number of successful attacks on Windows systems decreases, according to a new report from a U.K. systems integrator.

The study by Mi2g also found that successful attacks on U.K. and U.S. government sites have decreased, which may be due to tougher laws and improved security.

In the past, hackers and virus writers have largely focused their efforts on the Windows platform, as its dominance on desktop PCs makes it a ready target. However, Linux has a large share of the Web server market, and Linux server applications are often vulnerable to attack because of mismanagement, according to the study.

Mi2g has recorded 7,630 successful attacks on Linux systems in the first six months of this year, up sharply from last year's 5,736 attacks. In the meantime, successful attacks on Windows systems running Microsoft's Internet Information Server (IIS) have fallen by 20 percent from 11,828 in the first half of 2001 to 9,404 in the first half of this year.

The total number of successful attacks for the first six months of the year rose by 27 percent, from 16,007 in 2001 to 20,371 in 2002.

The information is based on Mi2g's own research, which includes information on more than 6,000 hacker groups and records of more than 60,000 hacking events since 1995. The database includes the Computer Security Issues and Trends Survey from the Computer Security Institute and the FBI.

The firm urged Linux system administrators to be more vigilant about patching known security bugs. "A quick response in addressing all weaknesses as soon as they are known has now become critical," D.K. Matai, Mi2g's chairman and chief executive, said in a statement.

Mi2g said that successful attacks on U.S. government systems were down sharply, from 204 in the first half of last year to 54 in the first half of 2002. In the United Kingdom, government sites were hit 12 times in the first half of this year, compared with 38 times for the first six months of 2001.

The security firm attributed this drop partly to improved security in the wake of last September's terrorist attacks and partly to an amendment to the Cyber Security Enhancement Act passed in February 2002. The amendment gives a life imprisonment sentence to hackers who put lives at risk.

Mi2g is a systems integrator focused on security. The firm is based in London and mostly deals with companies in the banking and insurance sectors.

ZDNet U.K.'s Matthew Broersma reported from London.

ATTACKS IN LINUX

Attacker attempts to plant Trojan in Linux


An unknown intruder attempted to insert a Trojan horse program into the code of the next version of the Linux kernel, which is stored in a publicly accessible database.

Security features of the source-code repository, known as BitKeeper, detected the illicit change within 24 hours, and the public database was shut down, a key developer said on Thursday. The public database was used only to provide the latest beta, or test version, of the Linux kernel to users of the Concurrent Versions System (CVS), which is a program designed to manage source code.

The changes, which would have introduced a security flaw to the kernel, never became a part of the Linux code and, thus, were never a threat, said Larry McVoy, founder of software company BitMover and primary architect of the source-code database BitKeeper.

"This never got close to the development tree," he said. "BitKeeper is really paranoid about integrity, and it turns out that was key to finding this Trojan horse."

Linus Torvalds, the original creator of Linux and the lead developer of the kernel, uses BitKeeper to keep track of changes in the core software for the operating system. On a daily basis, the software exports those changes to public and private databases other developers use.

An intruder apparently compromised one server earlier, and the attacker used his access to make a small change to one of the source code files, McVoy said. The change created a flaw that could have elevated a person's privileges on any Linux machine that runs a kernel compiled with the modified source code. However, only developers who used that database were affected -- and only during a 24-hour period, he added.

"The first thing we did was fix the difference," he said. "It took me five minutes to find the change."

When BitKeeper exports the source code to other servers, it checks the integrity of every file, matching a digital fingerprint of its official version of the file with the version on the remote machine. That comparison caught the change to the code stored on the server.
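The integrity check described above, fingerprinting every file in the official copy and comparing against the mirror, is what caught the change. Here is an added example (not BitKeeper's code, and not related to the real incident beyond the technique) that does the same thing with SHA-256 over two directory trees. The trees, file names and the one-line tampering are all constructed inside the example so that it runs offline.

```python
import hashlib
import os
import tempfile


def fingerprint_tree(root):
    """Return {relative_path: sha256 hex digest} for every file under root."""
    fingerprints = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                fingerprints[rel] = hashlib.sha256(f.read()).hexdigest()
    return fingerprints


def compare_trees(trusted, mirror):
    """Classify every difference between the trusted fingerprints and the
    mirror's: content changed, file missing from mirror, file added to mirror."""
    return {
        "modified": sorted(p for p in trusted if p in mirror and trusted[p] != mirror[p]),
        "missing": sorted(p for p in trusted if p not in mirror),
        "added": sorted(p for p in mirror if p not in trusted),
    }


def demo():
    """Constructed scenario: an official tree and a public mirror of it in which
    one source file has been altered and one stray file dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted_root = os.path.join(tmp, "trusted")
        mirror_root = os.path.join(tmp, "mirror")
        files = {
            "src/main.c": b"int main(void) { return 0; }\n",
            "src/util.c": b"int helper(int x) { return x + 1; }\n",
            "README": b"constructed sample tree\n",
        }
        for root in (trusted_root, mirror_root):
            for rel, data in files.items():
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        # Tamper with the mirror only: a one-line change and an extra file.
        with open(os.path.join(mirror_root, "src", "util.c"), "ab") as f:
            f.write(b"/* constructed one-line change */\n")
        with open(os.path.join(mirror_root, "stray.patch"), "wb") as f:
            f.write(b"constructed\n")
        return compare_trees(fingerprint_tree(trusted_root), fingerprint_tree(mirror_root))


if __name__ == "__main__":
    print(demo())
```

Two things make this check trustworthy in practice. The trusted fingerprints must come from a copy the attacker could not reach (the exporting side, as in the article, or a signed manifest kept off the mirror); a comparison run entirely on the compromised host proves nothing, since the attacker can edit the manifest too. And it must run automatically on every export, not occasionally, so that the window between tampering and detection stays as short as the 24 hours described here.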

The changes looked like they were made by another developer, but that programmer said he hadn't submitted them, McVoy said.

The recent incident raises questions about the security of open-source development methods, particularly how well a development team can guarantee that any changes are not introducing intentional security flaws. While Microsoft code has had similar problems, closed development is widely considered to be harder to exploit in that way.

Linus Torvalds addressed the issue in a post to the Linux kernel mailing list.

"A few things do make the current system fairly secure," he stated. "One of them is that if somebody were to actually access the (BitKeeper) trees (software repositories) directly, that would be noticed immediately."

A critical security flaw was found in CVS in January, but it's unknown whether the attacker used the vulnerability to gain access to the CVS database.

BitKeeper's McVoy hopes the current incident will quash objections raised by some members of the development community who don't want to add a new feature that would require all changes to be digitally signed.

Even so, he said, the open-source development model is likely to have quickly turned up any security flaws.

"A Trojan horse is just a bug that a person has put into the system deliberately," he said. "The open-source security model is that everyone is using this stuff, so bugs get found and get fixed. That's one of the reasons that you are not hearing me freak about this."

McVoy said the disk from the compromised server has been saved for later analysis, but any decision to contact law enforcement belongs to Torvalds and others. Torvalds could not be immediately reached for comment.

Malware - Khatra.exe

Khatra.exe (Khatra) Trojan Virus File Information

Danger: Khatra.exe is a dangerous file that performs highly undesirable activities on a user’s computer. This file is unsafe.
Type: Trojan Virus
Location: C:\WINDOWS\system32\khatra.exe
Threat name Win32.Autoit.BP 
Filename [System32Root]\khatra.exe 
Filesize : Unknown
The filename KHATRA.EXE was last seen on 02.13.2009, and it is considered unsafe. This threat is associated with the malware group Win32.Autoit.BP.

Characteristics 

1.     It can make unexpected changes to your system.
2.     It can disable the Control Panel, and it drops a copy of itself, named after the folder, into each folder of your drive.
3.     Each copy is about 600 KB, so the copies can consume a large part of your hard disk.
4.     It also runs as a process and consumes CPU and memory.
5.     It spreads mainly through pen/USB/flash drives.

It is recommended that you remove any malicious software such as Khatra.exe from your computer immediately.

The file "khatra.exe" is known to be created under the following filenames:
AllUsersProfile:- C:\Users\HP\desktop.exe
AllUsersProfile:- C:\Users\HP\favorites.exe
C:\Users\HP\AppData\microsoft\cd burning\khatra.exe
C:\Users\HP\Desktop\desktop.exe
C:\Users\HP\Favorites\favorites.exe
C:\Windows\khatarnakh.exe or khatra.exe
C:\Windows\system\ghost.exe
C:\Windows\xplorer.exe
C:\inetpub.exe
C:\inetpub\inetpub.exe
C:\inetpub\wwwroot\wwwroot.exe
C:\khatra.exe
Here C:\ is the drive in which OS is installed. HP is the user name.
Origin              Number of Incidents
United Kingdom      63

The following threats are known to be associated with the file "khatra.exe":
Threat Alias                                     Number of Incidents
Generic.dx [McAfee]                              60
Trojan-Dropper.Win32.Autoit.k [Kaspersky Lab]    60
Trojan-Dropper.Win32.Autoit [Ikarus]             42
W32.SillyFDC [Symantec]                          21
Virus.Win32.Sality [Ikarus]                      15
Trojan Horse [Symantec]                          12
W32/Autoit-BP [Sophos]                           12

How to remove Khatra.exe ?

Usually, when your computer is infected with khatra.exe you will not be able to perform any normal operations. In this situation the only option is to format your OS drive. After reinstalling the OS, install a good antivirus and perform a full scan. I would recommend Nod32. Be careful not to double-click any file that carries a folder's name; it is most likely a virus file created by khatra.exe.
Please follow these instructions:

1. Reboot computer in SafeMode.

2.  Delete any values added to the registry related with KHATRA.EXE.

3. Clean/delete all KHATRA.EXE related file(s).

4. Please delete all your IE temp files with KHATRA.EXE manually and run a whole scan with antivirus program.

5. Enable the 'show all hidden files...' option in the Windows Explorer View menu. Search all your hard drive files and folders for '*.exe' with a size of less than 1 MB and delete only those '.exe' files that carry a folder's name and show a folder icon. Their file type will be shown as Application.
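Step 5 can be automated. The script below is an added example (not part of the original write-up): it walks a directory tree and flags, first, any file whose name is on the list of dropped names given above and, second, any .exe under the write-up's 1 MB limit whose name equals the name of the folder it sits in (the favorites.exe-in-Favorites pattern). The sample tree it builds in a temporary directory is constructed demo data; the known-name set comes from the paths listed above.

```python
import os
import tempfile

# File names listed in the write-up above (taken from the page, not invented).
KNOWN_NAMES = {"khatra.exe", "khatarnakh.exe", "ghost.exe", "xplorer.exe", "inetpub.exe"}
# The write-up's "less than 1 MB" threshold for the folder-named copies.
SIZE_LIMIT = 1024 * 1024


def is_folder_named_exe(path):
    """True when the file is an .exe whose name matches the folder it sits in,
    e.g. ...\\Favorites\\favorites.exe (the dropper's per-folder copies)."""
    parent = os.path.basename(os.path.dirname(path))
    stem, ext = os.path.splitext(os.path.basename(path))
    return ext.lower() == ".exe" and stem.lower() == parent.lower()


def find_suspects(root):
    """Walk `root` and return sorted (relative path, reason) pairs for files that
    match either a known dropped name or the folder-named-exe pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            reason = None
            if name.lower() in KNOWN_NAMES:
                reason = "known dropped name"
            elif is_folder_named_exe(full) and size < SIZE_LIMIT:
                reason = "exe named after its folder"
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, reason))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree mimicking the paths listed above (demo data only)."""
    root = tempfile.mkdtemp(prefix="khatra_demo_")
    layout = {
        "Users/HP/Favorites/favorites.exe": b"MZ" + b"\0" * 600,
        "Users/HP/Desktop/desktop.exe": b"MZ" + b"\0" * 600,
        "Users/HP/Desktop/notes.txt": b"harmless text",
        "Windows/system/ghost.exe": b"MZ",
        # A legitimate folder-named exe above the size threshold is not flagged.
        "Program Files/Tools/tools.exe": b"MZ" + b"\0" * (2 * 1024 * 1024),
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, why in find_suspects(build_sample_tree()):
        print(f"{why:28} {path}")
```

Run it against a real drive root only after the reboot into Safe Mode described in step 1, and treat the output as a review list rather than deleting blindly: the size and name heuristics are exactly the ones the write-up gives, so a legitimate small tool that happens to be named after its folder would show up too.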

Feb 17, 2009

W32 THREATS

W32.HLLW.Cebe: This worm spreads through the KaZaa and iMesh file-sharing networks.

W32.Swen.A@mm: This mass-mailing worm uses its own SMTP engine to spread.

W32.Sobig.A@mm: This worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files.

W32.Blaster.Worm: This worm exploits a DCOM RPC vulnerability using TCP port 135.

Feb 16, 2009

Inside Threats

Security threats that originate from inside a network can be more harmful than outside threats. Inside threats are especially dangerous and can often be overlooked by network administrators. Computers that reside on the inside network typically have a high degree of access to inside resources. Also, employees and trusted users are likely to have critical information about the network, including passwords.

High profile inside threats include disloyal and disgruntled employees who use their inside access to destroy, steal, or tamper with data. These types of attacks cannot be completely protected against. However, well defined security policies can minimize the risks from this type of threat. For example, organizations should avoid using just a handful of passwords to protect all computer resources. Large companies should establish clear procedures for removing employee accounts and passwords in the event that an employee leaves the company.

The most harmful inside threat is a typical end user of a network. Unaware end users can crash a network by carelessly opening e-mail attachments, installing unauthorized software, mounting disks from home, or even browsing the web. The typical cause of inside attacks is an end user who opens an e-mail attachment only to copy a virus to the computer. Many viruses thrive on the corporate network. E-mail viruses typically mail themselves to accounts listed in e-mail address books. Many corporations keep staff e-mail lists loaded on every computer, where a virus can quickly spread to all members of a company. Viruses can also seek out and infect shared files and folders, which are common on corporate networks.

A growing problem for corporate networks is the widespread popularity of instant messaging and peer-to-peer file sharing. Employees may download instant message software, such as Microsoft Messenger or America Online (AOL) Instant Messenger. The instant message software is used to chat in real time with co-workers, friends, and family. Other users may download peer-to-peer file sharing software based on Gnutella or some other technology. Both instant messaging and peer-to-peer file sharing programs can be used to transfer virus-infected files to the local computer. Both of these types of programs listen for connections originating from the Internet. Chat and file sharing applications may be vulnerable to other forms of exploitation.

Feb 13, 2009

SPYWARE

Spyware
    Threat         Type       First appeared
1   Gator          Adware     Sep 11, 2003
2   Virtumonde     Spyware    Oct 08, 2004
3   SaveNow        Adware     Sep 11, 2003
4   ClientMan      Spyware    Jul 27, 2004
5   WUpd           Adware     Sep 03, 2004
6   ActiveSearch   Adware     Oct 28, 2004
7   BaiduBar       Adware     May 02, 2005
8   MarketScore    Spyware    Sep 17, 2004



SPYWARE EXPLOIT USER INFORMATION
The spyware problem is an invasion of privacy, although different from cookies, technically speaking. Spyware is a program that runs on your computer and again, tracks your habits, tailors these patterns for advertisements, etc. Because it is a computer program, rather than just a bit of text in a cookie, spyware can also do some nasty things to ensure that the spyware keeps running and keeps influencing what you see.

HOW DO I KNOW IF SPYWARE IS RUNNING ON THE COMPUTER?
You can use detection programs such as Ad-Aware and others. Similar to anti-virus software, these programs compare a list of known spyware with the files on your computer and can remove any that they detect, but again, what some consider unacceptable is perfectly acceptable to others.

HOW DOES SPYWARE INSTALL ITSELF ON COMPUTERS?
Common tactics for surreptitious installation include rolling up advertising programs into "free" shareware program downloads, and once the spyware is installed it can download advertisements 24 hours a day and overlay them on Web sites and programs you are using. Anti-spyware programs can combat spyware from being installed, but the best strategy is to discriminate what you choose to download and install.

CAN SPYWARE SEND TRACKED INFORMATION TO OTHER PEOPLE?
Some forms of spyware monitor a target's Web use or even general computer use and send this information back to the spyware program's authors for use as they see fit. To fight this kind of problem, a spyware removal tool is obviously helpful, as is a firewall that monitors outgoing connections from your computer. Other forms of spyware take over parts of your Web browsing interface, forcing you to use their own search engines, where they can track your browsing habits and send pop-up advertisements to you at will.
The biggest concern regarding spyware is that most of it is poorly written or designed. Many people first realize their computer is running spyware when it noticeably slows down or stops responding, especially when doing certain tasks such as browsing Web sites or retrieving email. In addition, poorly written spyware can often cause your computer to function incorrectly even after it has been removed.

Are Spyware Threats Taking Over Your Computer?

Are you fed up with the amount of spyware that finds its way onto your computer? Most of the time you can't really do anything about the threats but deal with them. Furthermore, most people do not realize that the simple things they do while on their computer are what gets it infected with various spyware threats.

For instance, have you ever downloaded a program off the internet, whether from a secured website or from another person? Most people do not know that when they download something of interest off the internet, whether it is free or paid for, it may include spyware threats bundled inside the program. Usually, when spyware threats are included in these programs they are stated within the license agreement that most people are too lazy to read. They are quicker to install the program than to take the time to read the license agreement and find out whether any type of threat will be included with it.

If you are a big fan of downloading off the internet then you may have some experience with spyware threats arriving on your computer through files you have downloaded. Have you ever experienced those continuous pop-ups that appear while you are on the internet? Again, your computer has been infected with spyware. This can be very frustrating to deal with, because as you surf the internet the pop-ups just keep on rolling whenever you click on something new.

Spyware threats can be a pain to deal with, and they make your computer slower and slower to the point where you don't even want to get onto it anymore. Most people compensate for this problem by shelling out hundreds of dollars just to get their computer cleaned.



Feb 8, 2009

Packet Attack

The Packet Fragmentation Attack
Packet fragmentation can be used to get around blocking rules on some firewalls.
This is done by cheating with the value of the Fragment Offset. The trick is to set the Fragment Offset of the second packet so low that, instead of being appended to the first packet, it actually overwrites the data and part of the TCP header of the first packet.
Let's say you want to `telnet` into a network where TCP port 23 is blocked by a packet filtering firewall, but SMTP port 25 is allowed into that network. What you would do is send two packets:

The first packet would:
• Have a Fragmentation Offset of 0.
• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 1 to mean "More Fragments."
• Have a Destination Port in the TCP header of 25. TCP port 25 is allowed, so the firewall would allow that packet to enter the network.

The second packet would:
• Have a Fragmentation Offset of 1. This means that the second packet would actually overwrite everything but the first 8 bits of the first packet.
• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 0 to mean "Last Fragment."
• Have a Destination Port in the TCP header of 23. This would normally be blocked, but will not be in this case!

The packet filtering firewall will see that the Fragment Offset is greater than zero on the second packet. From this data, it will deduce that the second packet is a fragment of another packet and it will not check the second packet against the rule set.
When the two packets arrive at the target host, they will be reassembled. The second packet will overwrite most of the first packet and the contents of the combined packet will go to port 23.
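The defence against this trick is the pair of checks from RFC 1858: drop a first fragment (offset 0, More Fragments set) that is too short to carry a complete TCP header, and drop any fragment with offset 1, because the IP Fragment Offset field counts 8-octet units, so an offset of 1 lands at byte 8 of the transport data and overwrites the port numbers the first fragment was inspected on. The code below is an added example, not from the original post: it decodes raw IPv4 headers and applies both rules to a set of constructed packets that reproduce the two-packet sequence described above (IP checksums are left at zero, and the 20-byte minimum is this example's own choice).

```python
import struct

TCP = 6
# Minimum bytes of TCP header a first fragment must carry before it is let
# through. A full TCP header is 20 bytes; the exact threshold is this
# example's assumption, RFC 1858 leaves it to the implementer.
TMIN = 20


def parse_ipv4(pkt):
    """Decode the IPv4 header fields needed for the fragment checks."""
    ver_ihl, _tos, total_len, ident, frag_field, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "id": ident,
        "proto": proto,
        "mf": bool(frag_field & 0x2000),      # More Fragments flag
        "offset": frag_field & 0x1FFF,        # in units of 8 octets
        "transport_len": total_len - ihl,     # bytes following the IP header
        "payload": pkt[ihl:total_len],
    }


def rfc1858_verdict(pkt):
    """Return ("drop", reason) or ("pass", reason) for one IPv4 packet."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != TCP:
        return "pass", "not TCP"
    if ip["offset"] == 0 and ip["mf"] and ip["transport_len"] < TMIN:
        return "drop", "tiny first fragment: TCP header incomplete"
    if ip["offset"] == 1:
        return "drop", "offset-1 fragment would overwrite the TCP ports"
    if ip["offset"] == 0:
        dport = struct.unpack("!H", ip["payload"][2:4])[0]
        return "pass", f"first fragment, TCP dst port {dport}"
    return "pass", "later fragment; ports were checked on the first fragment"


# --- constructed sample packets (not captured traffic) -----------------------

def build_ipv4(frag_offset, mf, payload, proto=TCP, ident=0x1234):
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,  # checksum left 0 for the demo
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header (sequence, ack and window are demo values)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


SAMPLES = {
    "first fragment, port 25": build_ipv4(0, True, build_tcp(40000, 25)),
    "second fragment, offset 1, port 23": build_ipv4(1, False, build_tcp(40000, 23)),
    "tiny first fragment": build_ipv4(0, True, build_tcp(40000, 25)[:8]),
    "ordinary later fragment": build_ipv4(100, False, b"A" * 64),
    "unfragmented": build_ipv4(0, False, build_tcp(40000, 80)),
}


def check_samples():
    """Verdict per sample name, e.g. {"unfragmented": "pass", ...}."""
    return {name: rfc1858_verdict(pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:38} -> {rfc1858_verdict(pkt)}")
```

The first fragment of the attack passes on its own, exactly as the text says a port-25 packet would; it is the offset-1 second fragment that the rule catches. A stateful firewall that reassembles fragments before filtering closes the hole more completely, but these two stateless checks are what made the classic overlap attack stop working.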

TCP Attacks

TCP Sequence Prediction Attack
TCP is a reliable, connection-oriented layer 4 (Transport Layer) protocol. Packet transfer between hosts is accomplished by the layers below layer 4, and TCP takes responsibility for making certain that the packets are delivered to the higher layers in the protocol stack in the correct order. To accomplish this reordering task, TCP uses the sequence number field.

To successfully mount a TCP sequence prediction attack, you must first listen to communications between two systems, one of which is your target system. Then, you issue packets from your system to the target system with the source IP address of the trusted system that is communicating with the target system.

The packets you issue must have the sequence numbers that the target system is expecting. In addition, your packets must arrive before the packets from the trusted system whose connection you are hijacking. To accomplish this, it is often necessary to flood the trusted system off of the network with some form of denial of service attack.
Once you have taken over the connection, you can send data that lets you access the target host over a normal TCP/IP connection. The simplest way to do this is:
> echo "+ +" > /.rhosts 

This specific technique relies upon inherent weaknesses in the BSD Unix `r` services. However, SunRPC, NFS, X-Windows, and many other services which rely upon IP address authentication can be exploited with a TCP sequence prediction attack.


Why are TCP Sequence Prediction Attacks Possible?

An excerpt from RFC 793 (Transmission Control Protocol) concerning the generation of TCP sequence numbers:
When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32 bit ISN. The generator is bound to a (possibly fictitious) 32 bit clock whose low order bit is incremented roughly every 4 microseconds. Thus, the ISN cycles approximately every 4.55 hours. Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours we can reasonably assume that ISN's will be unique.

The developers of the BSD Unix TCP/IP stack did not follow these recommendations. 

TCP/IP stacks based upon BSD Unix increase the sequence number by 128,000 every second and by 64,000 for every new TCP connection. This is significantly more predictable than the algorithm specified in the RFC.
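To see why the BSD scheme is weak and what replaced it, here is an added example (not from the original post) that models both generators with the constants given above: one advances 128,000 per second and 64,000 per connection, the other follows the RFC 1948 idea of adding a hash of the connection's addresses, ports and a host secret to the clock. An observer who has seen one ISN and guesses "same increment again" for the next connection is right every time against the first generator and essentially never against the second. The addresses, secret and trial counts are constructed demo values.

```python
import hashlib
import os
import random

# Constants from the description above: the BSD-style ISN advances 128,000
# per second and 64,000 per new connection, modulo 2^32.
PER_SECOND = 128_000
PER_CONNECTION = 64_000
MOD = 2 ** 32


class BsdStyleIsn:
    """Models the predictable generator described above."""

    def __init__(self, start=0):
        self.counter = start

    def new_connection(self, elapsed_seconds):
        self.counter = (self.counter + PER_SECOND * elapsed_seconds + PER_CONNECTION) % MOD
        return self.counter


def naive_guess(observed_isn, elapsed_seconds):
    """An observer's model: the next ISN is the last one plus the fixed increments."""
    return (observed_isn + PER_SECOND * elapsed_seconds + PER_CONNECTION) % MOD


class HashedIsn:
    """RFC 1948-style generator: ISN = clock + F(local addr/port, remote addr/port, secret).
    The clock still advances as above, but the per-connection term depends on a
    secret the observer does not have, so one ISN reveals nothing about another."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
        self.clock = 0

    def new_connection(self, elapsed_seconds, src, sport, dst, dport):
        self.clock = (self.clock + PER_SECOND * elapsed_seconds) % MOD
        material = f"{src}:{sport}-{dst}:{dport}".encode() + self.secret
        offset = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
        return (self.clock + offset) % MOD


def prediction_hits(generator_kind, trials=200, seed=1):
    """Fraction of trials in which an observer, seeing the ISN handed to one
    client, correctly guesses the ISN handed to the next client one second later."""
    rng = random.Random(seed)
    bsd = BsdStyleIsn()
    hashed = HashedIsn(secret=b"demo-secret-not-for-production")
    hits = 0
    for _ in range(trials):
        if generator_kind == "bsd":
            seen = bsd.new_connection(1)
            guess = naive_guess(seen, 1)
            actual = bsd.new_connection(1)
        else:
            sport = rng.randrange(1024, 65000)
            seen = hashed.new_connection(1, "192.0.2.10", sport, "192.0.2.1", 23)
            guess = naive_guess(seen, 1)  # the only model an outside observer has
            actual = hashed.new_connection(1, "192.0.2.20", sport + 1, "192.0.2.1", 23)
        hits += (guess == actual)
    return hits / trials


if __name__ == "__main__":
    print("BSD-style generator, guess correct:", prediction_hits("bsd"))
    print("hashed generator,    guess correct:", prediction_hits("hashed"))
```

Modern stacks go further than RFC 1948 (RFC 6528 is the current recommendation), but the property that matters is already visible here: the hashed term makes the ISN of one connection independent of the ISN of another, which is what an audit tool's "sequence predictability" score is measuring.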


Defending Against TCP Sequence Prediction Attacks
TCP sequence prediction attacks can be effectively stopped by any router or firewall that is configured not to accept packets carrying an internal source IP address on an external interface.
This does not fix the TCP sequence prediction vulnerability; it simply prevents TCP sequence prediction attacks from reaching their targets.
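The rule just described is plain ingress filtering (with its egress twin, which stops your own hosts from sourcing spoofed packets). As an added example that is not part of the original post, the function below applies it to constructed packet records for a firewall with an "outside" and an "inside" interface; the internal prefixes and sample addresses are assumptions for the demo.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the text): prefixes that live
# behind the firewall's inside interface.
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
# Sources that must never arrive on the outside interface: our own prefixes
# plus loopback and the "this network" block.
NEVER_EXTERNAL = INTERNAL_PREFIXES + [ip_network("127.0.0.0/8"), ip_network("0.0.0.0/8")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_PREFIXES)


def anti_spoof_verdict(iface, src):
    """Ingress filter on the outside interface, egress filter on the inside one.
    Returns ("drop", reason) or ("accept", reason)."""
    src = ip_address(src)
    if iface == "outside":
        if any(src in net for net in NEVER_EXTERNAL):
            return "drop", "internal or local source address arriving from outside"
        return "accept", "external source on outside interface"
    if iface == "inside":
        if not is_internal(src):
            return "drop", "non-internal source leaving the network (egress filter)"
        return "accept", "internal source on inside interface"
    return "drop", f"unknown interface {iface!r}"


# Constructed sample packets: (interface they arrived on, source address).
SAMPLES = [
    ("outside", "203.0.113.7"),    # ordinary Internet client
    ("outside", "10.1.2.3"),       # spoofed: claims to be a trusted internal host
    ("outside", "127.0.0.1"),      # spoofed loopback
    ("inside", "192.168.1.50"),    # normal outbound traffic
    ("inside", "198.51.100.9"),    # one of our hosts spoofing someone else
]


def filter_samples():
    """(interface, source, verdict) for every sample packet."""
    return [(iface, src, anti_spoof_verdict(iface, src)[0]) for iface, src in SAMPLES]


if __name__ == "__main__":
    for iface, src, verdict in filter_samples():
        print(f"{iface:8} {src:16} {verdict}")
```

The second sample is the spoofed packet a sequence prediction attack depends on: it claims a trusted internal source but shows up on the outside interface, so it never reaches the target regardless of how good the guessed sequence number is.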
Diagram of the TCP Header
TCP Header Format
-----------------

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Every packet-based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet which that network can transmit. Packets larger than the allowable MTU must be divided into multiple smaller packets, or fragments, to enable them to traverse the network.

Network       Standard MTU
Ethernet      1500
Token Ring    4096

DOS ATTACKS

Types of Denial of Service (DoS) attacks
These are a few of the classic denial of service attacks. Most of these rely upon weaknesses in the TCP/IP protocol. Vendor patches and proper network configuration have made most of these denial of service attacks difficult or impossible to accomplish.
Flood Attack
The earliest form of denial of service attack was the flood attack. The attacker simply sends more traffic than the victim can handle. This requires the attacker to have a faster network connection than the victim. This is the lowest-tech of the denial of service attacks, and also the most difficult to prevent completely.
Ping of Death Attack
The Ping of Death attack relied on a bug in the Berkeley TCP/IP stack which also existed on most systems which copied the Berkeley network code. The ping of death was simply sending ping packets larger than 65,535 bytes to the victim. This denial of service attack was as simple as:
ping -l 86600 victim.org
SYN Attack
In the TCP protocol, handshaking of network connections is done with SYN and ACK messages. The system that wishes to communicate sends a SYN message to the target system. The target system then responds with an ACK message. In a SYN attack, the attacker floods the target with SYN messages spoofed to appear to be from unreachable Internet addresses. This fills up the buffer space for SYN messages on the target machine, preventing other systems on the network from communicating with the target machine.
Teardrop Attack
The Teardrop Attack uses IP's packet fragmentation algorithm to send corrupted packets to the victim machine. This confuses the victim machine and may hang it.
Smurf Attack
In the Smurf Attack, the attacker sends a ping request to a broadcast address on a third-party network. This ping request is spoofed to appear to come from the victim's network address. Every system within the broadcast domain of the third party will then send ping responses to the victim.
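The SYN attack above leaves a signature a monitor can count: SYNs that are never followed by the client's ACK (or an RST), piling up against one destination from many sources. Here is an added example, not from the original post, of a half-open connection tracker run over constructed flow records; the addresses, timestamps, 10-second window and threshold of 5 sources are demo assumptions.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed flow records (not captured traffic): (time, src, dst, dport, flags).
# A normal handshake shows a client SYN followed by the client's ACK.
SAMPLE_EVENTS = [
    (0.00, "198.51.100.5", "192.0.2.10", 80, SYN),   # legitimate client ...
    (0.10, "198.51.100.5", "192.0.2.10", 80, ACK),   # ... completes the handshake
    (0.50, "198.51.100.6", "192.0.2.10", 80, SYN),   # client that gave up ...
    (0.60, "198.51.100.6", "192.0.2.10", 80, RST),   # ... and tore it down
    (0.70, "198.51.100.7", "192.0.2.11", 443, SYN),  # two stray half-opens on a
    (0.80, "198.51.100.8", "192.0.2.11", 443, SYN),  # second host: below threshold
]
# The flood: eight SYNs from eight different (unreachable, spoofed) sources,
# none of which ever completes.
SAMPLE_EVENTS += [(1.0 + i / 10, f"203.0.113.{i + 1}", "192.0.2.10", 80, SYN)
                  for i in range(8)]


def half_open_report(events, window=10.0, threshold=5):
    """Replay flow records in time order and return {dst: distinct sources} for
    destinations holding at least `threshold` half-open connections opened
    within the last `window` seconds."""
    pending = {}  # (src, dst, dport) -> time the SYN was seen
    for ts, src, dst, dport, flags in sorted(events):
        key = (src, dst, dport)
        if flags & SYN and not flags & ACK:
            pending[key] = ts                 # new half-open connection
        elif flags & (ACK | RST):
            pending.pop(key, None)            # completed or aborted
        # Expire entries older than the window so a slow trickle is not counted.
        for stale in [k for k, t in pending.items() if ts - t > window]:
            del pending[stale]
    per_dst = defaultdict(set)
    for (src, dst, _dport) in pending:
        per_dst[dst].add(src)
    return {dst: len(srcs) for dst, srcs in per_dst.items() if len(srcs) >= threshold}


if __name__ == "__main__":
    for dst, n in half_open_report(SAMPLE_EVENTS).items():
        print(f"possible SYN flood against {dst}: {n} sources with half-open connections")
```

Counting distinct sources rather than raw SYNs is deliberate: a single misbehaving client retrying looks nothing like the spoofed many-source pattern the text describes, and the window keeps ordinary slow handshakes from accumulating.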

Distributed Denial of Service (DDoS) attacks
A Distributed Denial of Service (DDoS) attack is a denial of service attack which is mounted from a large number of locations across the network.
DDoS attacks are usually mounted from a large number of compromised systems. These systems may have been compromised by a trojan horse or a worm, or they might have been compromised by being hacked manually.
These compromised systems are usually controlled with a fairly sophisticated piece of client-server software such as Trinoo, Tribe Flood Network, Stacheldraht, TFN2K, Shaft, and Mstream.
The Mydoom worm attempted DDoS attacks against SCO and Microsoft from the systems which it infected.
DDoS attacks can be very difficult to defend against.
IP address spoofing denotes the action of generating IP packets with fake source IP addresses in order to impersonate other systems or to protect the identity of the sender. Spoofing can also refer to forging or using fake headers on emails or netnews to - again - protect the identity of the sender and to mislead the receiver or the network as to the origin and validity of sent data.

POP UP MALWARE

Dirty tricks
Imagine this: You visit a website and up pops a message, "Your computer is not secure -- click here for a free spyware scan." Anxious, if not alarmed, you click the link. You approve a "small download", the program starts, and you're told you have 87 spyware programs on your computer.
Little do you know that it's a scammer's dirty trick -- the download included spyware that now reports everything you do on your computer, including account numbers and passwords that you enter. To top it off, there is an offer to remove the 87 infected items for just $39.95. That's just one example of the kind of scams you run into on the Internet these days.
Blocking popups
Just clicking the "No" button, or even the "X" in the upper-right corner of some popups can trigger an attack. The easiest and safest way to close unwanted popups is by using "Ctrl-W". [Hold down the "Ctrl" key and then press the "W" key]. That should close the popup safely. The best thing to do is block them in the first place though. :-)
The Firefox popup blocker does a superb job blocking undesired popups. It also allows the ones you want in response to links that you click. The latest version of Internet Explorer in SP2 for Windows XP does nearly as well as Firefox. Pop-Up Sentry is a very effective stand-alone popup blocker.
More online
Test your popup blocker, as well as find links to free popup software. (Which you won't need if you switch to Firefox.) If you like to play, turn off your popup blocker and experience how bad popups can be. The tests are brought to you by WebAttack -- now called SnapFiles.
PC Today has a comprehensive and easy to read report on popup blockers, including the blockers that are included in Firefox and Internet Explorer.

HACKERS

Hackers
To hack (maliciously) is to use your skill and knowledge to trespass in other computers. Hackers have easy access to hacking tools and heuristic methods from the Internet underground. They often use "social engineering" rather than technology to insinuate their way into computers and computer networks.
Social engineering is the skill of getting passwords or other information about systems from people who should know better. The hacker poses as someone with a legitimate purpose for getting in and many people fall for it.
Hacking is largely a social malignancy -- not a technical problem. Don Parker, a seasoned security expert put it this way:
"Remote computing freed criminals from the historic requirement of proximity to their crimes. Anonymity and freedom from personal victim confrontation increased the emotional ease of crime, i.e., the victim was only an inanimate computer, not a real person or enterprise. Timid people could become criminals..."
The most common hacks
"The majority of the successful operating system attacks come from only a few software vulnerabilities. This can be attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools." -- quote from SANS Institute
You're exposed to hackers every time you're on the Internet. When you're online your PC has an Internet address assigned to it. Crackers can easily find your PC and break in. They do that while you're busy surfing or reading your e-mail.
You wouldn't know they're trying and probably won't know if they succeed until later if ever. For example, they might make off with your bank account number and PIN. You wouldn't know until the money was gone. Your bank would be dubious about your protest though.
Most hackers aren't out to get you personally. They want to use your computer for their own nefarious purposes, but they'll usually go away if yours is well protected. Some of the things they want your computer for:
1. Hide their intrusion to sensitive computers by going through yours.
2. Store and distribute spam, porn, pirated music, and warez (bogus software).
3. Attack their enemies.

DOWNLOADING SAFELY

How to Download Software (Safely)
There are two kinds of people who download software -- those who have picked up a virus or other computer infection, and those who will. You need to be very careful to put it off as long as possible. I've downloaded and installed scores of programs but so far none have bitten me.
First things first: software categories
Commercial: Mainstream software offered for download by big companies. Some is even free or free for home use. Most of it is priced in the "boxed software" range. The same software is usually available in stores as well as online.
Freeware: Some freeware rivals the capability of commercial software, but usually it's smaller programs developed by individuals or shareware developers. Warning: freeware can be addictive -- it's free -- easy to download -- often excellent -- and there are thousands of programs to try. :-)
Many freeware programs are superb, but a few are written poorly. Freeware can also conceal "spyware", viruses or Trojans and other parasites. Avoid problems by using your common sense and by following the rules for safe downloading listed below.
Shareware: Usually modestly priced, intermediate in size and closer to commercial software in features. Some shareware is the best software written. The usual price range is $10 to $30. Often there's both a freeware and shareware version of the same software. The freeware version may run ads and/or limit functions. Shareware can often be used for 30 days or so on a free trial basis. After that time it will shut down unless you buy a registration code to keep it working.
Updates & Extensions: "Filters", "codecs", "modules", updates, etc., that augment or revise the capabilities of Windows and other programs, mostly browsers. They're usually free, and they are often offered when you click a link that won't work without the new software. They're often needed by Multimedia programs like Windows Media Player and RealPlayer. Be very sure the site is trustworthy before you proceed though.
Imperatives for downloading :-)
1. Use your common sense: Be very, very suspicious of any unsolicited invitation to download something wonderful or urgently important. These offers often appear as a flashy ad or popup window. Some will arrive as spam, some of it very clever, and often with an attachment.
2. Never download a file -- including pictures and music -- unless you know the source is trustworthy. Download software only from well-known companies (Microsoft, Symantec, Intuit, etc.) or from other trustworthy sources, such as those listed in the section below.
3. Never download a file via BitTorrent or other file-sharing networks. Period.
4. "Google" it: Let's say the program is called Spyban. Go to Google and enter "Spyban spyware" (without the quotes) and see what you get.
5. Read the description and recommendations at the download site, or at the program's website. You don't want to install something that won't be compatible with your needs or your computer.
6. Before you install any software you download, make sure that you have a current backup of your documents and system.
7. Take precautions against viruses, Trojans, adware and the like. It's no longer a sure thing, but it's still good practice to scan files for viruses, worms and other malware before you open them -- no matter what the source. [see handling files safely]
Safe places to download software from
SiteAdvisor is a new service that checks websites for suspicious activity. SiteAdvisor helps protect you from all kinds of Web-based security threats -- spyware, adware, spam, viruses, browser-based attacks, phishing, online fraud and identity theft. Note: SiteAdvisor does not protect against Phishing, as that is a different kind of attack.
These major download sources are trustworthy. They usually have ratings of the programs (often written by the supplier, however). Check with a couple of them to compare notes.
Tucows :: MajorGeeks.com :: WebAttack :: NoNags :: Jumbo! :: Pricelessware :: WinPlanet :: ZDNet Downloads :: CNET
Gizmo's community-based (I'm an editor there) Best-ever Freeware Utilities site features the "best of the best" freeware. Gizmo also maintains a list of the best freeware/shareware download sites.
I created some special search engines that you can use to find programs at trustworthy sources.
You'll find over 5000 programs at Microsoft's Free Downloads Center. Lots of games, but many other programs as well. The Ultimate List of Windows Software from Microsoft may make it easier to find what you want.
Download managers
Warning: Download managers, Zip programs, and of all things, anti-spyware programs are often used as bait for adware and spyware. Don't forget the "rules to download by" when you're considering one of them.
I no longer use a special download manager. Firefox has a built-in download manager. It lets you save the files where you want (set up in options), download multiple files at the same time, and easily pause and resume any download. That's good enough for me. :-) I also follow a process to keep my downloads well organized. ;-)
Ed Bott suggests a simple but effective way to keep track of not only downloads, but the essential information that goes with them.
http://www.edbott.com/weblog/?p=693 -- getting them organized
http://www.edbott.com/weblog/?p=1254 -- keeping them organized
If you do a lot of downloading, especially on dial-up, you might appreciate a download manager. They let you pause downloads, and resume interrupted ones without losing the part you've already downloaded. They'll also help you keep track of the files you download.

EMAIL ATTACHMENTS

The Perils of Email Attachments
Synopsis
Email attachments are one of the easiest ways to vandalize or invade a computer. The human element is often the weakest part of the system. Amazingly, many previous victims continue to open dodgy attachments.
1. Be suspicious of any attachment you were not expecting -- even though it's from someone you know.
2. Be doubly suspicious of attachments that have been forwarded to you -- even by someone you know.
3. Be paranoid about attachments from anyone you don't know.
A worm could have sent the message in the first case. Here's how: The message came from an infected PC -- one belonging to them or someone who has their address. Your friend's address was used in the "From:" field to disarm you. In the 2nd case, you clearly have no idea where the file came from originally. In the 3rd case, it's spam or more likely an attack.
Attachments, and the messages that carry them, get more diabolical all the time. Finding new ways to fool people is a collective obsession. Even seasoned computer users get taken in. Now there are even ways to include hostile code in digital music, images or videos.
Examples
1. A reasonable sounding message informs you that your computer is infected with the latest worm in the news, and offers to remove it. When you open the attachment, it disables your antivirus program and firewall. Then it installs the worm it claimed to be scanning for. Finally it reports that your computer is free of the worm. Now the worm uses your computer to send bogus messages to more victims. Nice!
2. Your friend emails you a cute attachment with the file name "kitty.exe". In their message, they tell you they've tried it themselves, it's really cute, and it's "OK to open". You check with your friend, and yes indeed, he or she did send it, and they assure you "it doesn't have a virus."
Trouble is, it contains a delayed action Trojan-horse along with the cute kitty. When you open it, the kitty does something cute, but the Trojan is installed on your computer too. You and your friend will not find out about the Trojan until later, if ever.
3. An email arrives that appears to come from Microsoft. The Microsoft heading and icons are genuine. The message contains a sincere and urgent plea for you to patch your copy of Windows immediately. The patch is conveniently attached to the message.
Trouble is, the attachment terminates your antivirus program and firewall, and does other things so that you can't remove it. Now you have a nice new Trojan horse in your PC. Microsoft provides a guideline for determining if a message "from" Microsoft is genuine.
4. Attackers often disguise malicious attachments by using double extensions, for example, "message.txt.lnk" or "picture.gif.vbe". Unless you've changed your Windows configuration though, *.lnk, *.vbe and several other extensions are always hidden. The file names that you see are just "message.txt" or "picture.gif".
Those files -- *.txt and *.gif files -- seem safe enough. Windows knows they are *.lnk or *.vbe files though, not text or picture files at all. When you "open" them though, Windows blindly does exactly what the attacker had in mind, and the damage is done.
5. Demonstration: It's a myth that non-executable files are always safe. It's easy to hide malicious content in music or video files. Download and run example.mp3 to see a convincing but perfectly safe demonstration of this. (*.mp3 is a popular music file format.) That is... if you trust me.
Nothing dramatic happens, but there's more going on than just the music, eh? You'll need to have Windows Media Player installed, and be online to see the results. This is just an example. I'm sure there's a lot of brigands and bandits figuring out how to plant hostile content in more file types.
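Example 4 above, the double-extension trick, is something a mail gateway or a cautious user can check mechanically. The function below is an added example (not from the original post): it takes an attachment's file name, works out the extension Windows will actually act on, reports what Explorer would display with its default "hide extensions for known file types" setting, and flags the decoy-plus-executable pattern. The extension lists are a representative selection and the display model is a simplification, both assumptions of this example.

```python
# Extensions Windows runs directly or hands to a script host (assumption: a
# representative list, not an exhaustive one).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".lnk"}
# Extensions an attacker prepends so the name looks like a document or picture.
DECOY_EXTS = {".txt", ".gif", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".mp3"}
# Extensions Explorer hides even when extension hiding is switched off (the text
# above names .lnk and .vbe; treating both this way is this example's assumption).
ALWAYS_HIDDEN = {".lnk", ".vbe"}


def split_name(filename):
    """'picture.gif.vbe' -> ('picture', ['.gif', '.vbe'])"""
    parts = filename.split(".")
    if len(parts) == 1:
        return filename, []
    return parts[0], ["." + p.lower() for p in parts[1:]]


def displayed_name(filename, hide_known_extensions=True):
    """Approximate what Explorer shows: the final extension is dropped when the
    user has the default hide-extensions setting, or always for ALWAYS_HIDDEN."""
    stem, exts = split_name(filename)
    if not exts:
        return filename
    if hide_known_extensions or exts[-1] in ALWAYS_HIDDEN:
        exts = exts[:-1]
    return stem + "".join(exts)


def assess_attachment(filename):
    """Return a dict with the real type, what the user would see, and why it is risky."""
    _stem, exts = split_name(filename)
    real = exts[-1] if exts else ""
    reasons = []
    if real in EXECUTABLE_EXTS:
        reasons.append(f"real type {real} is executable or a script")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and real in EXECUTABLE_EXTS:
        reasons.append(f"double extension: looks like {exts[-2]} but opens as {real}")
    shown = displayed_name(filename)
    if shown != filename and real in EXECUTABLE_EXTS:
        reasons.append(f"Explorer would show it as {shown!r}")
    return {
        "filename": filename,
        "displayed_as": shown,
        "risk": "high" if real in EXECUTABLE_EXTS else "low",
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name in ["message.txt.lnk", "picture.gif.vbe", "kitty.exe", "holiday.jpg.exe", "report.pdf"]:
        r = assess_attachment(name)
        print(f"{name:18} shown as {r['displayed_as']:14} risk={r['risk']}  {'; '.join(r['reasons'])}")
```

The check is only as good as the name it is given, which is the point of example 5: a file that really is an .mp3 can still carry content the player acts on, so the name check belongs alongside an antivirus scan and a "did I expect this?" moment, not instead of them.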