Wednesday, October 30, 2013

Why they are using Hello world program?

 When you enroll yourself to any modern computer programming classes. They will taught you a program which gives the result as "Hello World"! (program result in the displaying the text as hello world).
why it show, is it any tradition to do so.

 Its all start with a book in 1970's on C program. Yes, 'THE C PROGRAMMING LANGUAGE', one of the bible of c program language. In that book, lot of example programs to describe the programming concepts and illustration on 'C', they used 'hello, world' in most of the time. That's the point in time where HELLO WORLD is become traditional in programming world.

(the authors of the book-Dennis Ritchie and Brian Kernighan)

Let see some of the hello world examples in popular programming language:

// in c program
        printf("hello, world");

//in c++ program
main ()
  cout << "Hello World!";

//in java program
 public class HelloWorld {
        public static void main(String [] args) {
            System.out.println("Hello World!");

//in python
   print("Hello World!")

//in java script
console.log("Hello world!");

//in ruby
 puts "Hello World!"

//in c#
 System.Console.WriteLine("Hello World!");

Plan to see more on programmings in general as well as deeper in upcoming posts.

Post made by

Monday, October 28, 2013

phishing banker by Changing the proxy config Url!

Malware sample which i came across recently. Its phising banker category.
Details of my research as follows:
Malware sample:
MD5: 466688E7B5849F4BED92F98B4F99042A
SHA1: 46167CBB9D1C37497B1C0CF87877D945D9D26C83
VT results for the file-

This malware change the automatic proxy config url withoutuser consent in all browsers (IE9, Firefox latest version, google chrome,etc.). HXXP://

The link is not active. But previously visited recordsstates that script which redirect to fake banking site instead of legit one (sitesmentioned in the script).

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings "AutoConfigURL"

Post made by

My session on sinowal!

Long back i prepared a presentation sinowal trojan from pdf files found in the net.
It will be more interesting to share this to you all!


•Researchers had an idea that it was theoretically possible but there were no solutions seen yet. But in 2005, researchers Derek Soeder and Ryan Permeh of eEye Digital Security showed the idea was possible by producing proof-of-concept code, called “BootRoot”•
Before 2005 there were no known rootkits for Windows (any 32 bit version of that operation system) which infected the master boot record (MBR).

   Sinowal (also known as Mebroot or Torpig) trojan
•It was first reported in 2006 as harmless Bootkit•Bootkit means “A kernel-mode rootkit variant called a bootkit “. bootkit replaces the legitimate boot loader with one controlled by an attacker.•its own modifications which•makes this trojan dangerous for a common user. •Sinowal steals bank credentials, credit and debit card details
•New wave of news about Sinowal shocks the world (of course there were news about this trojan and its modifications throughout 2006-2008 period but now they have made a huge discovery on the stolen data). According to the RSA FraudAction Research Laboratory, this trojan has stolen and compromised login credentials from about 500,000 online bank accounts and credit and debit cards over the course of nearly three years
   Detailed analysis of Sinowal trojan
•Sinowal is the combination of bootkit and backdoor.•bootkit which makes this trojan almost invisible on your system.•backdoor which attempts to steal as much user data as possible (most effort done on collecting user data to a range of online banking systems).

•The hardest part for trojan here is to gain access to MBR. According to Microsoft, Sinowal is trying to modify MBR using the CreateFile API attempting to open “\Device\Harddisk0\DR0” for write access.•Using the CreateFile API in this way (for direct/raw disk access) requires administrative privileges.
•when this trojan succeeds in infecting the MBR, instructions pass control to the main part of the rootkit which is placed on several hard disk sectors and which is not represented as files in the system. This part monitors the already loaded Windows operating system and when reading, it hides the infected MBR and the “dirty” sectors by presenting clean ones instead. It does this by intercepting and substituting system functions.
Figure 2: Infected (with Sinowal) system startup

•In addition to hiding its presence in the system, the malicious code installs a backdoor in Windows. Upon execution, it drops some files into the system•• %programfiles%\common files\microsoft shared\web folders•\ibm<5-digit randrom number>.dll -•• %programfiles%\common files\microsoft shared\web folders•\ibm<5-digit randrom number>.dll -•• %windir%\temp\$_2341233.tmp•• %windir%\temp\$_2341234.tmp•• %windir%\temp\$_2341235.tmp•• %windir%\temp\$b17a2e8.tmp
•It installs itself as a service and adds this Registry key launch point•Key:HKLM\System\ControlSet001\Services\gb•File: %programfiles%\common files\microsoft shared\web folders•\ibm<5-digit random number>.dll
•This trojan steals system and account information.•Stolen information may be :•IMAP/POP3/SMTP username, passwords, server information from mail clients•Bookmarks•E-mail addresses from the Windows Address Book•Passwords and other data stored from FTP clients
•It also monitors web browser such as Internet Explorer, Firefox, Opera for online banking information upon access on the banking sites.•While user accessing on the banking site, it will redirect to fake page and collects the information.
Figure 3: Sinowal modifications since its first version

Figure 4: Number of stolen bank accounts since first version of Sinowal

Information Stealing Activity

•        This Trojan family steals information from browsers,immediately uploading data to a remote server.
•        VeriSign iDefense attempted to prompt the Trojan tosteal information and play man in the middle to get
•        additional data by infecting a lab computer andvisiting several sites.
•        This Trojan does target multiple ABN ANBRO servers forinformation theft. In limited lab tests, VeriSign
•        iDefense confirmed that the Trojan does attempt tocommunicate with a remote command and control
•        (C&C) server, but did not perform anyman-in-the-middle phishing attacks when attempting to log on with
•        invalid credentials to the banking site. A list oftrigger strings found in the configuration files does not
•        contain ABN AMRO strings. However, multiple domainsaffiliated with ABN AMRO do exist in the
•        configuration file for the Trojan. It is likely thatthe Trojan is designed to steal information or interact with a
•        legitimate session following authentication to thesite.
•        A decryption of the Trojan configuration files showsthe following targeted ABN AMRO and subsidiary sites:
•        1.
•        2.
•        3.
•        4.
•        5.
•        6.
•        7.
•        8.
•        9.
•        10. abnamro
•        11.
•        12.
•        13.
•        14.
•        15. lasallefederal
•        16.
•        17.
•        18.
•        19.
•        20.
•        21. cashproweb
•        The Trojan contains several strings related topotential trigger words for information theft:
•        • login
•        • pswd
•        • userid
•        • accountnumber
•        • passwd
•        • username
•        • pop3


•        1. Mebroot proves to be a tough rootkit to crack. [WWW]
•        2. RSA Unravels Sinowal Trojan. [WWW]
•        3. Sinowal Trojan Stealing Banking Information. [WWW]
•        18302/sinowal-trojan-stealing-banking-information
•        4. – Malware evolution: January – March2008. [WWW]
•        5. Anti-Malware Engineering Team : MBR rootkit:VirTool:WinNT/Sinowal.A report. [WWW]
•        aspx
•        6. Russian Business Network Study. / David Bizeul [WWW]
•        7. F-Secure Malware Information Pages:Trojan-PSW:W32/Sinowal.CP. [WWW] http://www.fsecure.
•        com/v-descs/trojan-psw_w32_sinowal_cp.shtml

Thanks to the authors of pdf where refered it!
Faculty of Information Technology
Department of Computer Science
Chair of Network Software-
Student: Konstantin Saveljev
Student code: 030548IAPM
Supervisor: Toomas Lepik)
(Ken Dunham, Director of the Rapid Response Team              

 Post made by

Small write up on Worm-KoobFace:

Koobface is the anagram of facebook. Koobface is a computer worm which targets facebook user and the infection leads to gain the access code of users FTP, facebook , but not any banking details! Using the infected computer as botnet, i.e. act as peer to peer fashion to get the instruction from other compromised or infected computer. In addition, it do browser hijack to display ads on search queries. It was first detected in 2008. Symantec mentioned that recent variants found on august of 2012.
worm- koobface spreads through facebook messages to people. From the facebook friend’s compromised computer sending that message. Once the message reaches the user, he certainly opens the message of the facebook friend. Once the opens the message, it redirects to other compromised computer that leads to download of executable file. After that executable gets executed, now koobface starts redirect your search queries to ads and infected sites which lead to make your computer as part of the koobface connection. It become like a host computer.
Variants and detection naming by antivirus vendor:
Net-Worm.Win32.Koobface.b [Kaspersky], W32/Koobface.worm [McAfee], Boface.A [Panda Software], WORM_KOOBFACE.V [Trend], W32/Koobface-AS [Sophos], W32/Koobface-AL [Sophos], W32/Koobface-AD [Sophos], Koobface.GQ [Panda Software], Koobface.FU [Panda Software], W32/Koobface-N [Sophos], WORM_KOOBFACE.JG [Trend], WORM_KOOBFACE.EX [Trend], WORM_KOOBFACE.EY [Trend], WORM_KOOBFACE.BX [Trend], W32/Koobface.CZ [F-Secure], WORM_KOOBFACE.AZ [Trend], Net-Worm:W32/Koobface.ES [F-Secure], Win32/Koobface.AC [Computer Associates], W32/Koobface.CY [F-Secure], W32/Koobface.BM [F-Secure], WORM_KOOBFACE.F [Trend], WORM_KOOBFACE.E [Trend], Kbface [Panda Software], WORM_KOOBFACE.D [Trend], Troj/Mdrop-CMW [Sophos]

Let we see a sample of worm-koobface:
I executed this file in secured environment:
File found self-deleted or rootkit and in process explorer showing a file “ld08.exe – from c:\windows\”. Yeah, my target file is copy itself in windows folder and running. Ld08.exe is our target file. I saved the memory strings of our target file.

It creates the run entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sysldtray"
Type: REG_SZ
Data: c:\windows\ld08.exe
If you search that run entry in google: you found tons of results stating that it belongs to koobface:
Memory strings:
%s%sm/ 23441235gfht22ssg%d
REM 4sdff4
del "%s"
%s "%s" goto TG3
del "%s"
if exist
tion: close
Us%sent: Mozilla/4.0 (compatible; MSIE 7.0; %s; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Unknown OS
Windows NT %d.%d.%d %s
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 00 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 00 /f
Software\Microsoft\Windows\CurrentVersion\Internet Settings
These memory strings give you the idea what koobface is doing. The batch file found the root drive contains :
REM ********
del "c:\windows\temp\********.exe"
if exist "c:\windows\temp\******.exe" goto *****
del "c:\ 34dfg45434.bat"

This batch doesn’t much just deleting the target file and deleting itself. The strings shows how it redirects the search.
Koobface warning:
Using the name of the koobface, hoax warning messages are designed for the users to believe and spread the messages as post. These messages are to fool the facebook users and make them bit worried about the security in online.
Still, people thinks that hackers in our friendlist might indulge in such activities, but it is not true. Spreading of these hoax messages create panic in the people mind and they might deactivate their account. In recent studies says people of UK, deactivating their FB accounts due to this hoax message that their account might be compromised. In this digital age, people need to learn about the security risk in cyber world is a must one.
The following image taken from Sophos blog:

This image shows how the koobface-actors works .

Format of Hoax message on koobface:
“ Message spreading via Facebook warns about a "Trojan worm" called Knob Face and advisers recipients to avoid adding a user called "Smartgirl 15". It also warns users to watch out for links labelled "Barack Obama Clinton scandal". “
In nutshell, users get confused of these kinds of message.
Nowadays, most of the social networking sites improved their security by knowing the malicious traits and overcome them. But, still people need to be skeptic and more sense when accessing the social network sites.

Practical Joke:
Few weeks back, one of a group in facebook shared a fancy image and claimed that type “like**” and type your facebook password in the comment. It will show your password as ******. This is really a magic. I opened the comment section and checked what it is. I seen plenty of users typed “like**” and their password. I can’t control my laugh that plenty of idiots living in this planet  :lol::lol::lol:


Some of the pictures were got from top av write ups...  


Its my own analysis of worm koobface.

Practical Joke:

Based on my real experience

(Note: Worm Koobface is not an active one now days. These are bit older)

Post made by


How to hide the files in the folder using commands in windows:

Hiding the files in windows easy by selecting the option as hide the file in its properties.  But we can see the files by selecting the option: show hidden files

There is one more way to hide the folder. So files insides the folder also not visible even if you select the show hidden file option.

Steps to follow:

- create a folder which you want to hide it. copy the files in to that folder which you want to hide.
- open command window
- Go to the folder directory.
- type attrib +s +h <folder name> and press enter
(that's it, folder gets hidden now. ) If you know the exact path, then you can open it in windows explorer or by using run window. 

- if you want reverse the hidden folder to be shown: 
then, type attrib -s -h <folder name> and press enter. That's all.
In these image, i used the folder dev-cpp to be hidden using command and again changed the hidden status using the cmd. I copied that folder in 'c:\' directory. So, i m directly go for the command. But suppose if i copied that folder in some other location, then i have to go for that location in command prompt and then only we have use these commands to hide the folder which we want to do.

I copied the same dev-cpp folder in to system32 location. Then i open the cmd: C:\cd windows (press enter)
C:\windows\cd system 32 (press enter)
now we are in the system 32 location. Now go and type attrib +s +h <folder name which i want to hide>

I hope this information is useful. If you really like the post, please share with your friends- post it in your walls: share it in any social network sites. And moreover, you can follow my blog for interesting post. Even you can request me to post which you really want to know... Feedback and comments are welcome :)

Post by

One of the good animation which i watched recently!

I hope there is nothing harm in sharing this good animation video to my blog readers...

The video is named as Warriors dream! It was about dream fight between Donnie yen and Bruce Lee.

Lets watch this video :

Enjoy the show :)

Post by

Steps to overcome failure:

Remember one thing in life:
If you didn't had any failure, you didn't try anything new in life.

Remember the above quotes:
Yes, it will make you to feel the failure in different dimension.

All successful personalities in the history of mankind have faced so many failures.

Well, after reading the above statements the readers perspective over life and failure might changed a bit. The famous saying- Failure is the stepping stone of the success. But it is wrong. Failure is the stepping stone success only who assess the cause for the failure and redo the things in spectacular way, for them failure is stepping stone of the success. I can go on to give you 100's of people in the history who made it with failure and go on to become successful person in the history of man kind. Believe me, the list is very long and hard.

One of the greatest icon who influenced more than any one else in the history is none other than Bruce Lee.

Just imagine, he acted in 4 chinese movies and 1 hollywood movie as lead actor. He died at the age of 32, but achieved the greatest feet in movie world and martial arts. He made several guest appearance in TV serials and movies, but no ready to take risk by putting him as lead. Because in those days, orientals are shown in bad ways (hollywood movies). It is tough for him after so lot of failure to exploit the hollywood screen but he never lost his hope. Finally, he got one big project- which is Enter the Dragon (Greatest martial artist movie ever made).
He made it out of nothing. Imagine your obstacles with bruce lee's situation. He came from Hong Kong to USA. Being a minority, he made himself very popular with his powerful willpower. Just substitute yourself in that situation. Can i do like that? Some people felt scary. But truth is, our conditions are not worse like Bruce faced.

So take a deep breath and get relaxed... start your journey to success...

Post made by,

what is 64 bit?

Processors which have 64 bit word size is referred as 64 bits. In other terms, the processor have the size of the address is 64 bits or 8 octets or 2^64 bytes. In early 2000's, 64 bits personal computers started lining up in the market. But 64 bit machines are existed in the early 70's, i.e. during super computers dawn. In recent times, even 64 bit based smart phones going to be hit in the market. It is already initiated by apple for its latest iphone series (good move).

If you calculate the value 2^64= 18446744073709551616.
i.e.   18 quintillion 446 quadrillion 744 trillions 73 billions 709 millions 551 thousands 616

64 bit - That is the value. Seems very huge.
Check out my other post on 32 bit and 64 bit

Posted by

How to find the windows file is 32 bit pe file or 64 pe file?

32 bit based system and 64 bit based system :
 I want to share you that how to find the file is 32 bit or 64 bit file.

You need any of these tools to find out this:


Open the file with this tool, you will find the tab as PE Header: then you will find term as Magic in the list. It might be '010B' or '020B'.

010B is 32 bit file.
020B is 64 bit file.

(010B is 32 bit file)

This is the easiest way to find this difference. will see lot in the future!

Post by newworld

Sunday, October 27, 2013

10 for 10 publisher stories: Northlight Images develops a successful photography business!

Meet Keith Cooper, a commercial photographer based in Leicester, England. He runs Northlight Images, a site that was originally intended to promote his business, but which has grown to include hundreds of photography-related articles and reviews. The site has now become one of the world’s top 40 photography sites, receiving over five million unique visitors a year.

Keith signed up for AdSense in 2005 after exploring a number of options. The income from the program has enabled him to focus on the areas of photography he’s interested in. “AdSense is solid and dependable,” he says, “and it earns me 80 to 90 percent of my advertising revenue.”

To maximize the site’s effectiveness, Keith also uses a variety of other Google products. “Google+ is the one that really does it,” he says. “It brings in people who are interested in the topic and looking for specific information, so they spend more time on the site and ultimately increase my revenue.”

If you’d like to read more of Keith’s story after watching the video above, check out the full case study. There’s only one more post left in our ‘10 for 10’ series -- be sure to join us back here next week for our final story!

Posted by Arlene Lee - Inside AdSense Team


Saturday, October 26, 2013

Who is billionaire?

Who is billionaire?

First of all, we need to understand who is billionaire?!
Because, play the game after you clear with the rules...!

The person who have the wealth or business which values more or equal to 1000 million USD or 1 billion USD or 100 crore American Dollar (Not 1 billion Zimbabwe dollar).

If you read forbes list of billionaires and their wealth... you will get the idea about how their business and how they earned such a name as billionaire!

They don't store their money in locker or save their money in savings account. They are the people who don't allow their money to sleep in the locker and they made it to work for them!

Thanks to the inflation. In the past decade, we seen the billionaire list is growing! Half decade before, it was just 600-700 billionaires in our planet!
But now, it was 1K billionaries!
In next post, we will see about some bench mark billionaires!

- Newworld
Posted by

Think like a billionaire!

 What it means…! If you want to become an billionaire, you first need to think like them!

How to think like a billionaire?
Simple, you need to think about the future and think every moment as opportunity. There is no rule like everyone can’t be a billionaire, but people never tried.
In a TV show, anchor posted a question as follows:
If God comes before you and ask a wish then what will be your wish?
80 percentage of People replied: I will ask him $10k to 50k.
Remaining people said: luxury cars and houses.
If you asked the same question to a billionaire:
They will reply: Give me a thousand wishes. Pretty cool !
And even some asks market predicators of the future or future prices for all the stocks for next 50 years.

Now you might understand my point. Billionaires think differently, and not like ordinary. Suppose if an ordinary person start think like a billionaire… He would ask the price list of stocks for the future and invested successfully- which leads him billionaire status easily!
Billionaires always make themselves in positive approach. They are always looking every moment as opportunity. (Please try to think like them, you will find new ways in the path).
In the coming posts, I will give you the details about the approach called “Think outside the box”.
Post by- Newworld

Setting up breakpoints in VirtualAlloc and VirtualProtect during malware analysis:

 Malware analysts add breakpoints in functions like `VirtualProtect` and `VirtualAlloc` for several key reasons: Understanding Malware Behav...