Wednesday, October 6, 2010

D [KHATRA] VIRUS**

khatra.exe is a worm.It Make a lot of files ,links and folder in infected system
as below:
--------------------------------------------
Creates copies of itself in addresses below by different names (I suppose windows
is installed in C:\):

C:\KHATRA.exe
C:\Windows\K.Backup
C:\Windows\KHATARNAKH.exe
C:\Windows\Xplorer.exe
C:\Windows\inf\Autoplay.inF
C:\Windows\system\gHost.exe
C:\Windows\Tasks\At1.job
C:\Windows\Tasks\At2.job
C:\Windows\System32\KHATRA.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\KHATRA.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\New Folder(3).exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\winxp.exe
C:\Documents and Settings\{user name}\Local Settings\Application Data\Microsoft\CD Burning\AUTORUN.inF
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\(Empty).LNK
--------------------------------------------

It adds keys below in registry:

HKEY_CURRENT_USER\Software\Nico Mak Computing
HKEY_LOCAL_MACHINE\SOFTWARE\KHATRA

Makes entries below on registry (for automatic startup any time system starts):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = "%System%\KHATRA.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\R
un
G_Host = "%Windows%\system\gHost.exe" /Reproduce"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Xplorer = "%Windows%\Xplorer.exe" /Windows"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = "%System%\KHATRA.exe"

--------------------------------------------
And make changes in many places of registry for example:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title = "Internet Exploiter"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
AtTaskMaxHours = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Fir
ewallPolicy\StandardProfile\Author

izedApplications\
List
%System%\KHATRA.exe = "%System%\KHATRA.exe:*:Enabled:System"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = "dword:000000ff"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ExplorerAdvanced\Fo
lder\Hidden\SHOWALL
CheckedValue = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
------------------------------------------------

It scans the folders in removable drives, then drop copies of itself using the file names of
the folders located, as {folder name}.exe.

It drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The said .INF file contains the following strings:

[Autorun]
Open=KHATRA.exe /OpenDrive
ShellExecute=KHATRA.exe /OpenDrive
Shell\Open\Command=KHATRA.exe /OpenDrive
Shell\Open\Default=1
Shell\Explore\Command=KHATRA.exe /ExploreDrive
Shell\Scan for viruses=KHATRA.exe
Shell=Open

----------------------------------------
Cleaning the infected system by user is a litle bit difficult but any way you can do as below:


_ Disable System Restore in your computer.


_ Boot by 3rd party tool and Delete files i said above.

_ Delelet the entries made by worm in registry.

_ Change the changed registry values to difult value.

Tuesday, October 5, 2010

D ZERO-DAY ATTACK & Exploits!!


A zero day attack, also known as a zero hour attack, takes advantage of computer vulnerabilities that do not currently have a solution. Typically, a software company will discover a bug or problem with a piece of software after it has been released and will offer a patch — another piece of software meant to fix the original issue. A zero day attack will take advantage of that problem before a patch has been created. It is named zero day because it occurs before the first day the vulnerability is known.
A zero day exploit is a piece of malicious code which takes advantage of a vulnerability in a piece of software which has not yet been discovered by the vendor. This code can do a great deal of damage before the vendor realizes the problem and develops a patch or a new version of the software, and many vendors test their programs rigorously before release with zero day exploits in mind. Because this type of malicious code relies on vulnerabilities which aren't widely known yet, it can be difficult for computer users to protect themselves from it.
In a simple example of a zero day exploit, a hacker might realize that the new version of an Internet browser has a security flaw which could potentially allow a hacker to insert malicious software onto the user's computer. He or she would write the code to install the software, and plant it on websites or in email, so that when users came into contact with the code, they would be infected with it. Eventually, the software vendor would realize that there was a problem, and issue a patch to fix the problem and address the zero day exploit.
The general rule of thumb in the computing community is that if someone notices a security vulnerability or flaw which could be an issue, he or she should report it to the vendor. Most ethical computer scientists and people who work with computers do just that. However,hackers, producers of malware, and other less friendly members of the community usually do not, because they want to take advantage of the vulnerability before the vendor realizes it exists. In fact, some people specialize in uncovering vulnerabilities and selling them.
From a hacker's point of view, the best zero day exploit is deployed before the vendor sees a problem. In other cases, the exploit may be released during the vulnerability window, the period of time between the discovery of the issue and the development of a patch to address it. Vulnerability windows can vary in length, depending on the vendor, the program, and the nature of the problem. The term "zero day exploit" references the idea that the code is released on "day zero," before the vendor has recognized an issue

Wednesday, October 7, 2009

Cyber crime generates more money than drug trafficking


Bangalore: With more and more people going online and social networking becoming pervasive, cyber crime now generates more money than drug trafficking, says global cyber security solutions provider Symantec."Cyber crime has surpassed drug trafficking as a criminal money-maker. Every three seconds, an identity is stolen worldwide," Symantec Consumer Business Unit Vice-President for Asia-Pacific David Freer told IANS. Cyber crime is perpetrated by hackers through a spate of attacks in the form of malware, spam, virus and bots when computers are connected to the Internet.Hackers use spyware, fake anti-virus applications, e-mail and phishing to trick netizens into parting with their personal data and even money."Phony e-mails, fake websites and online advertisements trick netizens into divulging personal data such as social security and credit card numbers," Freer said at a demo of Symantec's Norton anti-virus 2010 product here.The company's latest Internet security product equips computers to fight cyber crime with new detection technology.Symantec's data showed cyber criminals not only steal personal information such as identity, profile and credit card numbers but also sell it to the highest bidder on the online black market.During the beta testing of Norton 2010, Symantec detected and blocked a whopping 245 million attempted malicious code attacks every month the world over in 2008."The increasing use of Internet and web for a plethora of services and applications has made computers vulnerable to malicious attacks," Freer said.Convergence of information and communication technologies (ICT), globalisation and exponential growth of information have enabled transacting goods and services in the form of e-commerce and mobile commerce."The phenomenal growth of Internet traffic for mailing, surfing, browsing, social networking, buying or selling expose netizens to online thieves who will stop at nothing to steal anything, be it money, identity, signature and even names," Symantec Marketing Head in Asia-Pacific David Hall said

Wednesday, September 16, 2009

Mobile & Network Security Tips!!








*SECURITY TIPS !!
How to achieve smartphone, mobile security in the enterprise
ttWriteMboxDiv('searchSecurityUK_Tip_Content_Body');
ttWriteMboxContent('searchSecurityUK_Tip_Content_Body');


Smartphones have quickly become yet another indispensable part of modern business. Features such as wireless email, Web browsing, personal information management and network access to corporate resources allow for quicker and better decision making and greater productivity.
However, according to a 2008 survey conducted by marketing research provider Decipher Inc., 70% of respondents said they accessed sensitive information on their smartphone device when away from the office, and therefore outside the confines of their organisation's secure environment.
This latest extension of the enterprise IT infrastructure has quickly turned from asset to risk. To make the most of the smartphone's undoubted benefits, it is important to address smartphone and mobile security, safeguarding the information stored on any mobile device, just as you would with a laptop.
The essentials of a smartphone, mobile security policyThis means your mobile security policy needs to mandate:
Device passwords with a minimum length, complexity and update frequency.
Data encryption, depending on its sensitivity or classification level.
Password-protected inactivity timeouts.
No access to read-only parameters.
Limited access to riskier features, such as Bluetooth and instant messaging.
I would also recommend only allowing voice calls on any device that is locked. And before allowing smartphones within the enterprise, ensure they can be wiped remotely if lost or stolen.
And if you're concerned about shoulder surfers figuring out access PINs by watching which keys are pressed, consider using an authentication technology like PINoptic, which offers a picture-based passcode claimed to be 37 times more secure than a four-digit PIN.
How to secure enterprise instant messaging
IM in the enterprise is more popular than ever. Michael Cobb reviews the best ways to keep instant messaging under control.
Although the actual number of software-based attacks on smartphones and PDAs is still low, the total is likely to change as the user base grows. Interestingly, the relatively few vulnerabilities discovered on smartphone operating systems have all been fixed very quickly. At the time of this writing, mobile OSes such as Symbian, iPhone, RIM's BlackBerry, Windows Mobile, Linux, Palm WebOS and Android have all been patched according to Secunia's vulnerability reports. (This may be due to the intense competition amongst vendors in the enterprise market where device security is a key issue.)
It's not just the smartphone OS that can be attacked, however. Running only IT-vetted applications is key to avoiding mobile malware. Security products aimed at the enterprise smartphone can therefore play a vital role in mobile security policy, letting organisations control custom and third-party applications installed on the device and the resources they are permitted to access.
For example, an application could be permitted to reach internal and/or external domains, or prohibited from using Bluetooth or GPS. Controls like these can dramatically reduce risk.
For organisations that need to control a variety of smartphones, there are now products that provide consolidated reporting across different mobile OSes on the status and the compliance posture of all monitored devices. GuardianEdge Technologies Inc.'s Smartphone Protection, for example, supports the Apple iPhone, Windows Mobile and Palm OS devices. It can prevent untrusted applications from being installed or used while allowing trusted applications to run and access encrypted data.
There are plenty of smartphone and mobile security products for large and small business smartphone users, such as the eWallet from Ilium Software Inc., Splash Data Inc.'s SplashID, mSafe from smartphone software developer MotionApps, Symantec Corp.'s Norton Smartphone Security and Mobile Anti-Virus from F-Secure Corp.
Don't miss need-to-know info!
Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.co.uk and you'll never be behind the curve!
However, overloading devices with too many security tools can drain the batteries very quickly and strain CPU performance. It's important, therefore, to maintain some sense of balance between mobile security and usability –-- always consider how difficult it will be for users to follow your security procedures; otherwise they'll try to find ways to circumvent them.
One area that has been seen as frustrating and complex by users and administrators alike has been setting up a VPN connection on a smartphone. End-to-end encryption from the smartphone, over the transport medium, to corporate resources is essential to prevent over-the-air data leakage, and thankfully vendors are upgrading products to make the whole process far easier.
Network security company Astaro Corp. claims its users can now set up and use the iPhone's IPsec VPN capabilities with no technical knowledge, while SSL VPNs from SonicWALL Inc. offer clientless remote access for smartphones.
The Mobile VPN in Microsoft's System Center Mobile Device Manager also adds additional protection by authenticating both the device and user. If your mobile users, however, only need to access the odd application, such as Pocket Outlook and Microsoft Exchange, then you could look at encrypting the communication by sending POP and SMTP mail protocols over TLS without a full-blown VPN.
Depending on the nature of your mobile workers' voice calls, you may want to consider using devices developed for the National Security Agency's Secure Mobile Environment Portable Electronic Device (SME PED) program, like Sectéra Edge, a combination phone-PDA. Such devices are certified to protect wireless voice communications classified "Top Secret," as well as restrict access to "Secret" email and websites. If this type of product is beyond your budget, Cellcrypt Mobile, from voice security provider Cellcrypt Ltd., offers end-to-end real-time encryption for BlackBerry smartphones without the need for specialised equipment. It operates on all major wireless networks, including 2G, 3G and Wi-Fi.
The key to a strong smartphone and mobile security policy is to make sure that any sensitive data that is accessed is protected in all forms. There are many places where it might be intercepted, so you need to have them all covered.
If data is encrypted on your database server, does it remain encrypted when it is transmitted to a smartphone, either through synchronisation, email or a Web app? If the user makes a call to discuss the data, does the conversation need to be encrypted? Can you execute a remote wipe if the device and its data are lost or stolen?
Smartphones are here to stay, so you have to commit to endpoint data protection. The mobile devices may be small, but they're still Internet-connected computers, so don't let them become a double-edged sword.

Thursday, September 3, 2009

B@ware of PhlashingAttacks!!


A new type of security attacks, codenamed phlashing, could bring more damages than any other attack launched over the web: the need of hardware replacement.
google_protectAndRun("ads_core.google_render_ad", google_handleError, google_render_ad);
According to various sources, security researchers have found that phlashing attacks, which could hit the hardware components of computers, may damage them and force owners to replace them. Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, has already demonstrated such an attack at EUSecWest, a security conference which took place in London, The Register informs.The attacks, which are also named permanent denial-of-service (PDOS) attacks, are said to be more efficient yet cheaper than the traditional attacks in which hackers attempt to drop malware on certain computers, mostly thanks to the fact that it does not require botnets or other expensive resources."We aren't seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today," Rich Smith told Dark Reading. "Phlashing attacks can achieve the goal of disrupting service without ongoing expense to the attacker; once the firmware has been corrupted, no further action is required for the DOS condition to continue."However, there are many reasons to hope that such attacks won't become too popular among hackers, especially thanks to the fact that attackers are usually interested in getting some revenues, no matter if we're talking about money or data access. For instance, attackers who attempt to drop malware on vulnerable computers sometimes look for private financial information which could be then re-sold or used for their own illegal activities.

Wednesday, September 2, 2009

PinOptics-TheLatestInnovation!


What is PINoptic
How PINoptic Works
Instead of having a PIN or password, you have a series of pictures or icons that make up your 'picture story password'. When you come to enter your picture story password, multiple pictures or icons are displayed beside discrete symbols (alphanumeric characters for instance). You enter the symbols that are related to your picture story password to gain access. Each time you are asked for your picture story password the pictures, icons or symbols will be in a different place meaning that you will be entering a one-time-password each time. This means that you are protected from hacking and/or 'shoulder surfing'.
By increasing the number of symbols required for entry, security can be radically increased. For example a military grade application would require five sets of symbols to be entered.
Initial research and confirmation of concept has been completed by cognitive psychologists at the University of Sunderland which suggests very little additional cognitive load is placed on the end-user over existing alpha-numeric PIN and password systems.

Monday, August 31, 2009