When you enroll yourself to any modern computer programming classes. They will taught you a program which gives the result as "Hello World"! (program result in the displaying the text as hello world).
why it show, is it any tradition to do so.
Its all start with a book in 1970's on C program. Yes, 'THE C PROGRAMMING LANGUAGE', one of the bible of c program language. In that book, lot of example programs to describe the programming concepts and illustration on 'C', they used 'hello, world' in most of the time. That's the point in time where HELLO WORLD is become traditional in programming world.
(the authors of the book-Dennis Ritchie and Brian Kernighan)
This
malware change the automatic proxy config url withoutuser consent in
all browsers (IE9, Firefox latest version, google chrome,etc.). HXXP://micro.asfsecure.com/kb971033.php
The
link is not active. But previously visited recordsstates that script
which redirect to fake banking site instead of legit one (sitesmentioned
in the script).
Long back i prepared a presentation sinowal trojan from pdf files found in the net.
It will be more interesting to share this to you all!
Sinowal
Introduction
•Researchers
had an idea that it was theoretically possible but there were no
solutions seen yet. But in 2005, researchers Derek Soeder and Ryan
Permeh of eEye Digital Security showed the idea was possible by
producing proof-of-concept code, called “BootRoot”•
Before 2005
there were no known rootkits for Windows (any 32 bit version of that
operation system) which infected the master boot record (MBR).
Sinowal (also known as Mebroot or Torpig) trojan
•It
was first reported in 2006 as harmless Bootkit•Bootkit means “A
kernel-mode rootkit variant called a bootkit “. bootkit replaces the
legitimate boot loader with one controlled by an attacker.•its own
modifications which•makes this trojan dangerous for a common user.
•Sinowal steals bank credentials, credit and debit card details
•New
wave of news about Sinowal shocks the world (of course there were news
about this trojan and its modifications throughout 2006-2008 period but
now they have made a huge discovery on the stolen data). According to
the RSA FraudAction Research Laboratory, this trojan has stolen and
compromised login credentials from about 500,000 online bank accounts
and credit and debit cards over the course of nearly three years Detailed analysis of Sinowal trojan
•Sinowal
is the combination of bootkit and backdoor.•bootkit which makes this
trojan almost invisible on your system.•backdoor which attempts to steal
as much user data as possible (most effort done on collecting user data
to a range of online banking systems). Bootkit
•The
hardest part for trojan here is to gain access to MBR. According to
Microsoft, Sinowal is trying to modify MBR using the CreateFile API
attempting to open “\Device\Harddisk0\DR0” for write access.•Using the
CreateFile API in this way (for direct/raw disk access) requires
administrative privileges.
•when this trojan succeeds in infecting
the MBR, instructions pass control to the main part of the rootkit
which is placed on several hard disk sectors and which is not
represented as files in the system. This part monitors the already
loaded Windows operating system and when reading, it hides the infected
MBR and the “dirty” sectors by presenting clean ones instead. It does
this by intercepting and substituting system functions. Figure 2: Infected (with Sinowal) system startup Backdoor
•In
addition to hiding its presence in the system, the malicious code
installs a backdoor in Windows. Upon execution, it drops some files into
the system•• %programfiles%\common files\microsoft shared\web
folders•\ibm<5-digit randrom number>.dll -
Trojan-PSW.Win32.Sinowal.co•• %programfiles%\common files\microsoft
shared\web folders•\ibm<5-digit randrom number>.dll -
Trojan-PSW.Win32.Sinowal.co•• %windir%\temp\$_2341233.tmp••
%windir%\temp\$_2341234.tmp•• %windir%\temp\$_2341235.tmp••
%windir%\temp\$b17a2e8.tmp
•It installs itself as a service and
adds this Registry key launch
point•Key:HKLM\System\ControlSet001\Services\gb•File:
%programfiles%\common files\microsoft shared\web folders•\ibm<5-digit
random number>.dll
•This trojan steals system and account
information.•Stolen information may be :•IMAP/POP3/SMTP username,
passwords, server information from mail clients•Bookmarks•E-mail
addresses from the Windows Address Book•Passwords and other data stored
from FTP clients
•It also monitors web browser such as Internet
Explorer, Firefox, Opera for online banking information upon access on
the banking sites.•While user accessing on the banking site, it will
redirect to fake page and collects the information. Figure 3: Sinowal modifications since its first version Figure 4: Number of stolen bank accounts since first version of Sinowal Information Stealing Activity
• This Trojan family steals information from browsers,immediately uploading data to a remote server.
• VeriSign iDefense attempted to prompt the Trojan tosteal information and play man in the middle to get
• additional data by infecting a lab computer andvisiting several sites.
• This Trojan does target multiple ABN ANBRO servers forinformation theft. In limited lab tests, VeriSign
• iDefense confirmed that the Trojan does attempt tocommunicate with a remote command and control
• (C&C) server, but did not perform anyman-in-the-middle phishing attacks when attempting to log on with
• invalid credentials to the banking site. A list oftrigger strings found in the configuration files does not
• contain ABN AMRO strings. However, multiple domainsaffiliated with ABN AMRO do exist in the
• configuration file for the Trojan. It is likely thatthe Trojan is designed to steal information or interact with a
• legitimate session following authentication to thesite.
• A decryption of the Trojan configuration files showsthe following targeted ABN AMRO and subsidiary sites:
• 1. abnamro.an
• 2. abnamro.be
• 3. abnamro.ch
• 4. abnamro.com
• 5. abnamro.com.sg
• 6. abnamro.lu
• 7. abnamro.nl
• 8. abnamroprivatebanking.com
• 9. www.singapore.insight.abnamroprivatebanking.com
• 10. abnamro
• 11. abnamro.com
• 12. lasallebank.com
• 13. vip.lasallebank.com
• 14. onlinebanking.lasallebank.com
• 15. lasallefederal
• 16. mybank.bybank.it
• 17. wwws.bancoreal.com.br
• 18. bancoreal.com.br
• 19. cashproweb.com
• 20. cashproweb.com
• 21. cashproweb
• The Trojan contains several strings related topotential trigger words for information theft:
• • login
• • pswd
• • userid
• • accountnumber
• • passwd
• • username
• • pop3
Bibliography
• 1. Mebroot proves to be a tough rootkit to crack. [WWW]http://www.computerworld.com/action/
• article.do?command=viewArticleBasic&articleId=9066585
• 2. RSA Unravels Sinowal Trojan. [WWW]
• http://www.enterpriseitplanet.com/security/news/article.php/3783641
• 3. Sinowal Trojan Stealing Banking Information. [WWW]http://news.digitaltrends.com/newsarticle/
• 18302/sinowal-trojan-stealing-banking-information
• 4. Viruslist.com – Malware evolution: January – March2008. [WWW]
• http://www.viruslist.com/en/analysis?pubid=204792002
• 5. Anti-Malware Engineering Team : MBR rootkit:VirTool:WinNT/Sinowal.A report. [WWW]
• http://blogs.technet.com/antimalware/archive/2008/01/10/mbr-rootkit-virtool-winnt-sinowal-areport.
• aspx
• 6. Russian Business Network Study. / David Bizeul [WWW]
• http://www.bizeul.org/files/RBN_study.pdf
• 7. F-Secure Malware Information Pages:Trojan-PSW:W32/Sinowal.CP. [WWW] http://www.fsecure.
• com/v-descs/trojan-psw_w32_sinowal_cp.shtml
Thanks to the authors of pdf where refered it!
(TALLINN UNIVERSITY OF TECHNOLOGY
Faculty of Information Technology
Department of Computer Science
Chair of Network Software-
Student: Konstantin Saveljev
Student code: 030548IAPM
Supervisor: Toomas Lepik)
(Ken Dunham, Director of the Rapid Response Team
kdunham@verisign.com)
Koobface is the anagram of facebook.
Koobface is a computer worm which targets facebook user and the
infection leads to gain the access code of users FTP, facebook , but not
any banking details! Using the infected computer as botnet, i.e. act as
peer to peer fashion to get the instruction from other compromised or
infected computer. In addition, it do browser hijack to display ads on
search queries. It was first detected in 2008. Symantec mentioned that
recent variants found on august of 2012.
Infection:
worm-
koobface spreads through facebook messages to people. From the facebook
friend’s compromised computer sending that message. Once the message
reaches the user, he certainly opens the message of the facebook friend.
Once the opens the message, it redirects to other compromised computer
that leads to download of executable file. After that executable gets
executed, now koobface starts redirect your search queries to ads and
infected sites which lead to make your computer as part of the koobface
connection. It become like a host computer.
Variants and detection naming by antivirus vendor:
Net-Worm.Win32.Koobface.b
[Kaspersky], W32/Koobface.worm [McAfee], Boface.A [Panda Software],
WORM_KOOBFACE.V [Trend], W32/Koobface-AS [Sophos], W32/Koobface-AL
[Sophos], W32/Koobface-AD [Sophos], Koobface.GQ [Panda Software],
Koobface.FU [Panda Software], W32/Koobface-N [Sophos], WORM_KOOBFACE.JG
[Trend], WORM_KOOBFACE.EX [Trend], WORM_KOOBFACE.EY [Trend],
WORM_KOOBFACE.BX [Trend], W32/Koobface.CZ [F-Secure], WORM_KOOBFACE.AZ
[Trend], Net-Worm:W32/Koobface.ES [F-Secure], Win32/Koobface.AC
[Computer Associates], W32/Koobface.CY [F-Secure], W32/Koobface.BM
[F-Secure], WORM_KOOBFACE.F [Trend], WORM_KOOBFACE.E [Trend], Kbface
[Panda Software], WORM_KOOBFACE.D [Trend], Troj/Mdrop-CMW [Sophos]
Let we see a sample of worm-koobface: https://www.virustotal.com/en/file/31e594913eb8a3bd0f94dd73d8aaea33190724d4b06fefd5352c754616882a53/analysis/
I executed this file in secured environment:
File
found self-deleted or rootkit and in process explorer showing a file
“ld08.exe – from c:\windows\”. Yeah, my target file is copy itself in
windows folder and running. Ld08.exe is our target file. I saved the
memory strings of our target file.
It creates the run entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sysldtray"
Type: REG_SZ
Data: c:\windows\ld08.exe
If you search that run entry in google: you found tons of results stating that it belongs to koobface: http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Worm%3aWin32%2fKoobface.I
Memory strings:
ADVAPI32.dll
%s%so%som
etl
e%sil
t%s%scom
agg
m%s%som/
yspac
%s%sm/
bo.co 23441235gfht22ssg%d
c:\dfd555ff.thd
%sa%sse260320%som
stshan
s%ss%s0090%som
uper
earch2
wn%s40%sm
ames1
%sm0%s09.biz
%sn%s9.info
s6mar0
%s%s009.biz
REM 4sdff4
del "%s"
%s "%s" goto TG3
del "%s"
if exist
c:\353454543.bat
POST
coded
urlen
w-form-
on/x-ww
ati
appl
ent
%s%ld
tent-Length:
Con
tion: close
Connec
Us%sent: Mozilla/4.0 (compatible; MSIE 7.0; %s; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
er-Ag
Host:
HTTP
http://%s%s
sdfs23r32r
s%set
ock
%s%sd
WS%s2.DLL
Unknown OS
Windows NT %d.%d.%d %s
234234g34dsdfg
%sc%sok.com/
%s%sw.g%som
oogle.c
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 00 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 00 /f
google
www.google.com
GET
ProxyServer
Software\Microsoft\Windows\CurrentVersion\Internet Settings
AC%sK
%s%seck.php
chch
%st%srlA
ernetCrackU
%s%st
nine
c:\34dfg45434.bat
These memory strings give you the idea what koobface is doing. The batch file found the root drive contains :
REM ********
*****
del "c:\windows\temp\********.exe"
if exist "c:\windows\temp\******.exe" goto *****
del "c:\ 34dfg45434.bat"
This batch doesn’t much just deleting the target file and deleting itself. The strings shows how it redirects the search.
Koobface warning:
Using
the name of the koobface, hoax warning messages are designed for the
users to believe and spread the messages as post. These messages are to
fool the facebook users and make them bit worried about the security in
online.
Still, people thinks that hackers in our friendlist might
indulge in such activities, but it is not true. Spreading of these hoax
messages create panic in the people mind and they might deactivate their
account. In recent studies says people of UK, deactivating their FB
accounts due to this hoax message that their account might be
compromised. In this digital age, people need to learn about the
security risk in cyber world is a must one.
The following image taken from Sophos blog:
This image shows how the koobface-actors works .
Format of Hoax message on koobface:
“
Message spreading via Facebook warns about a "Trojan worm" called Knob
Face and advisers recipients to avoid adding a user called "Smartgirl
15". It also warns users to watch out for links labelled "Barack Obama
Clinton scandal". “
In nutshell, users get confused of these kinds of message.
Conclusion:
Nowadays,
most of the social networking sites improved their security by knowing
the malicious traits and overcome them. But, still people need to be
skeptic and more sense when accessing the social network sites.
Practical Joke:
Few
weeks back, one of a group in facebook shared a fancy image and claimed
that type “like**” and type your facebook password in the comment. It
will show your password as ******. This is really a magic. I opened the
comment section and checked what it is. I seen plenty of users typed
“like**” and their password. I can’t control my laugh that plenty of
idiots living in this planet
Reference:
Some of the pictures were got from top av write ups...
Analysis:
Its my own analysis of worm koobface.
Practical Joke:
Based on my real experience
(Note: Worm Koobface is not an active one now days. These are bit older)
Hiding the files in windows easy by selecting the option as hide the file in its properties. But we can see the files by selecting the option: show hidden files
There is one more way to hide the folder. So files insides the folder also not visible even if you select the show hidden file option.
Steps to follow:
- create a folder which you want to hide it. copy the files in to that folder which you want to hide. - open command window - Go to the folder directory. - type attrib +s +h <folder name> and press enter (that's it, folder gets hidden now. ) If you know the exact path, then you can open it in windows explorer or by using run window.
- if you want reverse the hidden folder to be shown: then, type attrib -s -h <folder name> and press enter. That's all.
In these image, i used the folder dev-cpp to be hidden using command and again changed the hidden status using the cmd. I copied that folder in 'c:\' directory. So, i m directly go for the command. But suppose if i copied that folder in some other location, then i have to go for that location in command prompt and then only we have use these commands to hide the folder which we want to do.
Eg:
I copied the same dev-cpp folder in to system32 location. Then i open the cmd: C:\cd windows (press enter)
C:\windows\cd system 32 (press enter)
now we are in the system 32 location. Now go and type attrib +s +h <folder name which i want to hide>
I hope this information is useful. If you really like the post, please share with your friends- post it in your walls: share it in any social network sites. And moreover, you can follow my blog for interesting post. Even you can request me to post which you really want to know... Feedback and comments are welcome :)
Remember one thing in life: If you didn't had any failure, you didn't try anything new in life.
Remember the above quotes:
Yes, it will make you to feel the failure in different dimension.
Think: All successful personalities in the history of mankind have faced so many failures.
Well, after reading the above statements the readers perspective over life and failure might changed a bit. The famous saying- Failure is the stepping stone of the success. But it is wrong. Failure is the stepping stone success only who assess the cause for the failure and redo the things in spectacular way, for them failure is stepping stone of the success. I can go on to give you 100's of people in the history who made it with failure and go on to become successful person in the history of man kind. Believe me, the list is very long and hard.
One of the greatest icon who influenced more than any one else in the history is none other than Bruce Lee.
Just imagine, he acted in 4 chinese movies and 1 hollywood movie as lead actor. He died at the age of 32, but achieved the greatest feet in movie world and martial arts. He made several guest appearance in TV serials and movies, but no ready to take risk by putting him as lead. Because in those days, orientals are shown in bad ways (hollywood movies). It is tough for him after so lot of failure to exploit the hollywood screen but he never lost his hope. Finally, he got one big project- which is Enter the Dragon (Greatest martial artist movie ever made).
He made it out of nothing. Imagine your obstacles with bruce lee's situation. He came from Hong Kong to USA. Being a minority, he made himself very popular with his powerful willpower. Just substitute yourself in that situation. Can i do like that? Some people felt scary. But truth is, our conditions are not worse like Bruce faced.
So take a deep breath and get relaxed... start your journey to success...
Processors which have 64 bit word size is referred as 64 bits. In other terms, the processor have the size of the address is 64 bits or 8 octets or 2^64 bytes. In early 2000's, 64 bits personal computers started lining up in the market. But 64 bit machines are existed in the early 70's, i.e. during super computers dawn. In recent times, even 64 bit based smart phones going to be hit in the market. It is already initiated by apple for its latest iphone series (good move).
32 bit based system and 64 bit based system :
I want to share you that how to find the file is 32 bit or 64 bit file.
You need any of these tools to find out this:
*Filealyzer:
Open the file with this tool, you will find the tab as PE Header: then you will find term as Magic in the list. It might be '010B' or '020B'.
Meet Keith Cooper, a commercial photographer based in Leicester, England. He runs Northlight Images,
a site that was originally intended to promote his business, but which
has grown to include hundreds of photography-related articles and
reviews. The site has now become one of the world’s top 40 photography
sites, receiving over five million unique visitors a year.
Keith signed up for AdSense in 2005 after exploring a number of options.
The income from the program has enabled him to focus on the areas of
photography he’s interested in. “AdSense is solid and dependable,” he
says, “and it earns me 80 to 90 percent of my advertising revenue.”
To maximize the site’s effectiveness, Keith also uses a variety of other
Google products. “Google+ is the one that really does it,” he says. “It
brings in people who are interested in the topic and looking for
specific information, so they spend more time on the site and ultimately
increase my revenue.”
If you’d like to read more of Keith’s story after watching the video above, check out the full case study. There’s only one more post left in our ‘10 for 10’ series -- be sure to join us back here next week for our final story!
If you read forbes list of billionaires and their wealth... you will get
the idea about how their business and how they earned such a name as billionaire!
They don't store their money in locker or save their money in savings
account. They are the people who don't allow their money to sleep in the
locker and they made it to work for them!
Thanks to the inflation. In the past decade, we seen the billionaire
list is growing! Half decade before, it was just 600-700 billionaires in
our planet!
But now, it was 1K billionaries!
In next post, we will see about some bench mark billionaires!
Simple, you need to think about the future and think every
moment as opportunity. There is no rule like everyone can’t be a billionaire,
but people never tried.
In a TV show, anchor posted a question as follows:
If God comes before
you and ask a wish then what will be your wish?
80 percentage of People replied: I will ask him $10k to 50k.
They will reply: Give me a thousand wishes. Pretty cool !
And even some asks market predicators of the future or
future prices for all the stocks for next 50 years.
Now you might understand my point. Billionaires think
differently, and not like ordinary. Suppose if an ordinary person start think
like a billionaire… He would ask the price list of stocks for the future and
invested successfully- which leads him billionaire status easily!
Billionaires always make themselves in positive approach.
They are always looking every moment as opportunity. (Please try to think like
them, you will find new ways in the path).
In the coming posts, I will give you the details about the
approach called “Think outside the box”.
