June 29, 2007

BRONTOK - Computer Worm



It affects computers running the Windows operating system. It is also known as a mass-mailing e-mail worm. It spreads via e-mail attachments, file transfers, USB and flash drives, etc.

Attacks:

When the infected e-mail attachment is opened, the worm may use various methods to run automatically each time Windows starts. Automatic startup methods that the worm employs may include:
  • Placing a copy of itself in the user's startup folder, i.e. %homepath%\Start Menu\Programs\Startup\Empty.pif
  • Adding a scheduled task to run %homepath%\Templates\A.kotnorB.com each day at 5:08 p.m.
  • Adding registry value: "Tok-Cirrhatus"
    with data: <path to Win32/Brontok worm>
    in subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Adding registry value: "Bron-Spizaetus"
    with data: <path to Win32/Brontok worm>
    in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • Adding registry value: Shell
    with data: "explorer.exe " <path to Win32/Brontok worm>
    in subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
  • Modifying registry value: AlternateShell
    with data: <Win32/Brontok file name>
    in subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    Note: the default setting for this value is "AlternateShell"="cmd.exe"
Brontok may attempt to lower security settings by making the following changes:
  • Prevents the user from accessing the Registry Editor by making the following registry edit:
    Adds value: DisableRegistryTools
    With data: 1
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • Prevents the display of files and folders with the 'hidden' attribute set:
    Adds value: Hidden
    With data: 0
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Prevents the display of Windows system files:
    Adds value: ShowSuperHidden
    With data: 0
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Prevents the display of executable file extensions:
    Adds value: HideFileExt
    With data: 1
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Prevents access to the Folder Options menu:
    Adds value: NoFolderOptions
    With data: 1
    In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • Modifies the Windows HOSTS file to prevent access to certain Internet sites, the majority of which are antivirus or security-related.
  • Attempts ping attacks against certain Web sites, presumably to launch a form of denial of service (DoS) attack.
  • Terminates applications or restarts Windows when the title of the active window contains certain strings, many of which may be representative of antivirus or system tools that might ordinarily be used to detect or remove the worm.
  • Overwrites the autoexec.bat file with the word "pause", causing systems that employ the autoexec.bat file to pause on bootup. Some variants of Win32/Brontok may modify the autoexec.bat in order to display a message during bootup.
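The persistence points and the security-lowering values listed above are all things a defender can check directly. The following PowerShell script is an added example, not part of the original post: it audits those registry values, the two dropped files, the scheduled task and the HOSTS file, read-only, and reports anything that matches what the worm sets. Registry paths, value names and file names come from the post; the Windows defaults it compares against (Shell = explorer.exe, AlternateShell = cmd.exe, ShowSuperHidden = 0, HideFileExt = 1) and the use of [Environment]::GetFolderPath to resolve the real Startup and Templates folders are the example's own assumptions. Run it from an elevated prompt so the HKLM keys are readable.

```powershell
# Added example (not from the original post): read-only audit of the
# Brontok persistence points and policy/Explorer values listed above.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BrontokIndicators {
    $findings = @()

    # Each Test script block receives the current value and returns $true
    # when it matches what the worm would leave behind.
    $checks = @(
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='Tok-Cirrhatus'
           Test={ param($v) $null -ne $v }; Severity='High'; Why='worm Run value present' }
        @{ Path='HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='Bron-Spizaetus'
           Test={ param($v) $null -ne $v }; Severity='High'; Why='worm Run value present' }
        @{ Path='HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell'
           Test={ param($v) $null -ne $v -and $v.Trim() -ne 'explorer.exe' }
           Severity='High'; Why='Winlogon Shell is not plain explorer.exe (assumed default)' }
        @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name='AlternateShell'
           Test={ param($v) $null -ne $v -and $v -ne 'cmd.exe' }
           Severity='High'; Why='Safe Mode shell changed from default cmd.exe' }
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools'
           Test={ param($v) $v -eq 1 }; Severity='High'; Why='Registry Editor disabled by policy' }
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoFolderOptions'
           Test={ param($v) $v -eq 1 }; Severity='High'; Why='Folder Options menu disabled by policy' }
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='Hidden'
           Test={ param($v) $v -eq 0 }; Severity='Medium'; Why='Hidden=0 is not a value Explorer itself writes (1=show, 2=hide)' }
        # These two coincide with the assumed Windows defaults, so alone they prove nothing.
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden'
           Test={ param($v) $v -eq 0 }; Severity='Low'; Why='protected OS files hidden (also the default)' }
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='HideFileExt'
           Test={ param($v) $v -eq 1 }; Severity='Low'; Why='known extensions hidden (also the default)' }
    )
    foreach ($c in $checks) {
        $value = Get-RegValue -Path $c.Path -Name $c.Name
        if (& $c.Test $value) {
            $findings += [pscustomobject]@{ Severity=$c.Severity; Where="$($c.Path)\$($c.Name)"; Value=$value; Why=$c.Why }
        }
    }

    # File drops. The post gives %homepath%-relative paths; the special-folder
    # lookup resolves the real Startup and Templates folders for this profile.
    $files = @(
        (Join-Path ([Environment]::GetFolderPath('Startup'))   'Empty.pif'),
        (Join-Path ([Environment]::GetFolderPath('Templates')) 'A.kotnorB.com')
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Severity='High'; Where=$f; Value='exists'; Why='worm file drop present' }
        }
    }

    # Scheduled task whose action is the dropped file (schtasks.exe is present on XP and later).
    $tasks = @(schtasks.exe /Query /FO LIST /V 2>$null) -match 'A\.kotnorB\.com'
    if ($tasks) {
        $findings += [pscustomobject]@{ Severity='High'; Where='schtasks'; Value=($tasks -join '; '); Why='scheduled task runs worm file' }
    }

    # HOSTS file: the worm redirects security-vendor sites here, so list every
    # active IPv4 entry other than the standard localhost line for review.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path -LiteralPath $hosts) {
        $extra = Get-Content -LiteralPath $hosts |
            Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost\b' }
        foreach ($line in $extra) {
            $findings += [pscustomobject]@{ Severity='Medium'; Where=$hosts; Value=$line.Trim(); Why='non-default HOSTS entry' }
        }
    }
    return $findings
}

$result = Test-BrontokIndicators
if ($result) { $result | Format-Table -AutoSize } else { 'No Brontok indicators found.' }
```

A single Low finding is expected on a clean machine, since ShowSuperHidden=0 and HideFileExt=1 are what Windows ships with; the signal is the combination of High findings (the Run values, a modified Shell or AlternateShell, the dropped files or the task) together with the policy values that lock the user out of regedit and Folder Options.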

Countermeasures:
  • Patch and update your operating system on a daily basis
  • Enable firewall protection
  • Don't download unauthorized e-mail attachments
  • Scan downloaded attachments, USB pen drives, CDs and floppies before use
  • Use antivirus software and update it on a daily basis

June 28, 2007

Computer Ports

There are two types of ports in the computer world.
(1) Physical ports: these are hardware ports, located on the back of your CPU (computer tower). For example: the keyboard, mouse, COM1 and COM2 ports, etc.
(2) Virtual ports: also known as software ports, these are virtual pipes through which information flows. Every open software port has a service or daemon running on it; "service" or "daemon" is the term used for the software listening on a port. Ports are like doors into the system. They are classified as follows.
  • Well-known Ports: Port number 0 to 1023
  • Registered Ports: Port number 1024 to 49151
  • Dynamic/Private Ports: Port number 49152 to 65535
Some popular ports are described as follows.

Port   Protocol   Description
0      TCP/UDP    Reserved
1      TCP/UDP    TCPMUX
5      TCP/UDP    RJE (Remote Job Entry)
7      TCP/UDP    ECHO Protocol
9      TCP/UDP    DISCARD Protocol
11     TCP/UDP    SYSTAT Protocol
13     TCP/UDP    DAYTIME Protocol
17     TCP/UDP    QOTD (Quote of the Day) Protocol
18     TCP/UDP    Message Send Protocol
19     TCP/UDP    CHARGEN (Character Generator) Protocol
20     TCP        FTP data port
21     TCP        FTP control (command) port
22     TCP/UDP    SSH (Secure Shell), secure logins
23     TCP/UDP    TELNET Protocol
25     TCP/UDP    SMTP (Simple Mail Transfer Protocol)
26     TCP/UDP    RSFTP (simple FTP)
35     TCP/UDP    QMS Magicolor printer
37     TCP/UDP    TIME Protocol
38     TCP/UDP    Route Access Protocol
39     TCP/UDP    Resource Location Protocol
41     TCP/UDP    Graphics
42     TCP/UDP    Host Name Server
43     TCP        WHOIS Protocol
53     TCP/UDP    DNS (Domain Name System)
57     TCP        MTP (Mail Transfer Protocol)
69     UDP        TFTP (Trivial File Transfer Protocol)
70     TCP        Gopher Protocol
79     TCP        Finger Protocol
80     TCP        HTTP (Hypertext Transfer Protocol)
109    TCP        POP2 (Post Office Protocol version 2)
110    TCP        POP3 (Post Office Protocol version 3)
118    TCP        SQL Services
143    TCP/UDP    IMAP4 (Internet Message Access Protocol 4)
156    TCP/UDP    SQL Service
194    TCP        IRC (Internet Relay Chat)
401    TCP/UDP    UPS (Uninterruptible Power Supply)
443    TCP        HTTPS (HTTP over TLS/SSL, encrypted transmission)
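The point of the classification above is practical: on a running machine every listening port has a process behind it, and a defender wants to know which process, whether the port falls in the well-known, registered or dynamic range, and whether it is reachable from the network or only from loopback. The following PowerShell is an added example, not part of the original post. It assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 and later, PowerShell 3 or newer); on older systems netstat -ano gives the same raw data. The short service-name map is taken from the table above and is only used to label the output.

```powershell
# Added example (not from the original post): inventory of listening TCP
# ports, the owning process, the IANA range class and network exposure.

function Get-PortClass {
    param([int]$Port)
    # IANA ranges as listed in the post.
    if ($Port -lt 0 -or $Port -gt 65535) { throw "port out of range: $Port" }
    if ($Port -le 1023)  { return 'Well-known' }
    if ($Port -le 49151) { return 'Registered' }
    return 'Dynamic/Private'
}

# A few TCP names from the table above, used only to label output rows.
$knownTcp = @{ 21='FTP control'; 22='SSH'; 23='TELNET'; 25='SMTP'; 53='DNS'
               80='HTTP'; 110='POP3'; 143='IMAP4'; 443='HTTPS' }

function Get-ListeningInventory {
    # One row per listening socket: the "service or daemon" on each open port.
    # Requires Get-NetTCPConnection (Windows 8 / Server 2012 or later).
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $port = [int]$_.LocalPort
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $port
            Class        = Get-PortClass -Port $port
            Service      = if ($knownTcp.ContainsKey($port)) { $knownTcp[$port] } else { '' }
            Process      = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            # Bound to the wildcard address means reachable from the network,
            # not just from this host.
            Exposed      = ($_.LocalAddress -eq '0.0.0.0' -or $_.LocalAddress -eq '::')
        }
    } | Sort-Object Port
}

Get-ListeningInventory | Format-Table -AutoSize
```

Rows with Exposed = True and an unfamiliar process name are the ones to look at first; a listener in the well-known range that is not owned by the service the table leads you to expect is worth the same attention.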

June 27, 2007

Viruses_Worms_Trojans

Viruses, worms and Trojans are all malicious programs (software) that can crash or damage your computer.

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but cannot infect it unless you run or open the malicious program. It is important to note that a virus cannot spread without a human action (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infected files or sending e-mails with viruses as attachments.


A worm is similar to a virus by design and is considered a sub-class of virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allow it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each recipient's address book, and the chain continues on down the line. Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding. In more recent worm attacks, such as the much talked about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.


A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening it because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop or adding silly active desktop icons), while others can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate.

June 23, 2007

TCP/IP 3-way handshake connection

There are two important words in the Internet Protocol suite: Transmission Control Protocol and Internet Protocol, known together as TCP/IP. The TCP/IP suite deals with five layers, where data is transferred from one layer to the other.

Fun_Mailer