Friday, May 30, 2008

Tools you need to protect yourself..........

Before I begin, allow me to share a few of my thoughts with you (This is simply my opinion and nothing more...)

1 - There is no such thing as a secure OS (operating system) or web browser. If you want true security (I read something like this somewhere at some time): disconnect your network card, turn off/unplug your computer, take out the hard drive and smash it to bits, take the computer to a construction site and ask the bulldozer operator to run over it.

2 - In the real world, Windows operating systems are less secure than the newest versions of Linux (distro) and Mac OS X. We'll leave the argument over why that is and the advantages of one OS over another to internet forums/discussion boards.

3 - A fully patched Windows XP and, to a lesser degree, Windows 2000 are the only non-server Microsoft OSes that are even remotely secure. If you care about security you shouldn't be running any other Microsoft OS. If you have machines on your home network that run anything less than a fully patched XP, 2000, Linux (distro) or OS X, then the security of every machine on your network is lessened.

To give you a feel for how dangerous some of these threats can be, let us talk about port scans. A "port" is the doorway by which computers communicate with each other. A "port scan" is usually carried out with programs called "port scanners". Crackers use port scanners to identify open ports on your system. Once an open port is found, they attempt to enter your system to collect data or place malicious programs on it. Scary, isn't it? But is this threat real or imagined? DShield.org tracks port scans in real time. Reports on attempted port scans from participating companies and individuals are sent to DShield on a real-time basis. At the time of writing, the number of reported entry attempts is averaging over 1.1 BILLION attempts per month. Remember that this represents only a small percentage of the actual number of port scan attacks: those that are reported by participants.
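As an added example (not part of the original post), here is a small detector a defender could run over their own firewall log lines to spot a port scan of the kind DShield collects reports about: it flags any source address that probes more than a threshold of distinct destination ports within a short time window. The log line format, the sample lines, the threshold and the window are constructed assumptions for this example, not DShield's format.

```python
"""Port-scan detection over firewall log lines (added example, constructed data).

Each log line is assumed to look like:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>
A source is reported as a scanner when it touches at least PORT_THRESHOLD
distinct destination ports within WINDOW_SECONDS.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host probing ten ports in a few seconds,
# one ordinary web client, and a single late probe from the scanner.
SAMPLE_LOG = """\
2008-05-30T10:00:01 203.0.113.5 192.168.1.10 21 DROP
2008-05-30T10:00:02 203.0.113.5 192.168.1.10 22 DROP
2008-05-30T10:00:02 203.0.113.5 192.168.1.10 23 DROP
2008-05-30T10:00:03 203.0.113.5 192.168.1.10 25 DROP
2008-05-30T10:00:03 203.0.113.5 192.168.1.10 80 ACCEPT
2008-05-30T10:00:04 203.0.113.5 192.168.1.10 135 DROP
2008-05-30T10:00:04 203.0.113.5 192.168.1.10 139 DROP
2008-05-30T10:00:05 203.0.113.5 192.168.1.10 445 DROP
2008-05-30T10:00:05 203.0.113.5 192.168.1.10 1433 DROP
2008-05-30T10:00:06 203.0.113.5 192.168.1.10 3389 DROP
2008-05-30T10:00:07 198.51.100.7 192.168.1.10 80 ACCEPT
2008-05-30T10:00:09 198.51.100.7 192.168.1.10 80 ACCEPT
2008-05-30T10:05:00 203.0.113.5 192.168.1.10 8080 DROP
"""

PORT_THRESHOLD = 8    # distinct destination ports from one source ...
WINDOW_SECONDS = 60   # ... within this many seconds counts as a scan


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scans(log_text, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: sorted distinct ports} for every source that, inside
    some window of `window` seconds, hit at least `threshold` distinct ports.
    The port list reported is the largest set seen in any single window."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, port, _action = parse_line(line)
        events[src].append((ts, port))

    span = timedelta(seconds=window)
    scanners = {}
    for src, hits in events.items():
        hits.sort()                      # order by time, then port
        best = set()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within `span`.
            while hits[end][0] - hits[start][0] > span:
                start += 1
            ports_in_window = {p for _, p in hits[start:end + 1]}
            if len(ports_in_window) > len(best):
                best = ports_in_window
        if len(best) >= threshold:
            scanners[src] = sorted(best)
    return scanners


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print("possible port scan from %s: %d ports %s" % (src, len(ports), ports))
```

The sliding window matters: a source that touches eight ports spread over an hour is probably not a scanner, while eight ports in six seconds almost certainly is. Tune the threshold and window to your own traffic, and note that a scan spread across many source addresses (a distributed scan) will not trip a per-source rule like this one.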

In fact, the current "survival time" (the average time for an unprotected system to be attacked and compromised) is only 27 minutes. This means that a newly installed unprotected operating system connecting to the Internet for the first time will, on average, be attacked within 27 minutes and compromised in some way. That further implies that there is insufficient time for a new system to connect to the Windows Update site and download the latest security and critical updates from Microsoft before the system is attacked and compromised. Yes, the Internet is a dangerous place for the unwary.


Let us describe another, far more subtle form of attack. Recently it was discovered that viruses, Trojans and other executable files could be embedded within a simple .jpg (picture) file. If an infected .jpg is downloaded by your browser or email client, the embedded executable could run and install a Trojan or virus. Microsoft and other software and anti-virus developers have been working hard to close this vulnerability.


Another, more recent and far more dangerous threat is crackers' use of "rootkits", "dll injection" and "global hooks" to take over systems "invisibly". These threats are difficult to prevent and detect, and almost impossible to remove once they have successfully been deployed on your system. Prevention is the best way to stop these threats, as removal tools are only now being developed to clean a system after infection by one of these new threats. Removal tools for this type of threat are in their infancy and cannot be relied upon to clean a system once it has been compromised. Once infected, the only way to dependably remove one of these threats is either to restore a backup known to have been made prior to infection, or to completely reformat all your hard drives and reinstall your operating system and software.


You cannot depend on others to protect your system and valuable data. It is our responsibility to make our systems as resistant as possible to these kinds of threats. That requires a combination of protections. At a minimum, we recommend the following protective measures be taken by all users who connect to the Internet for any purpose:

  1. Protect the gateway to your systems with a good hardware firewall/router with at least port blocking (stealthing is even better) and Stateful Packet Inspection ("SPI").
  2. Install a good software firewall on your system. At a minimum a good software firewall should have application control, i.e., the ability to set permissions for Internet access on a program-by-program basis.
  3. Install a good Anti-Virus package.
  4. Install a good Anti-Spyware package, or two or more, if they are compatible and handle spyware in different ways.
  5. Install protective software that prevents the execution of unknown software on your system, and requires user permission (at the administrative level) to install services and drivers, global hooks, and dll injections.
  6. Install a web filtering package.

Note: I strongly recommend that these protections be in place before a newly installed operating system connects to the Internet for the first time.

Tools you need to protect yourself:

1. Security Tool (Microsoft Baseline Security Analyzer 2.0):

MBSA is a software tool released by Microsoft to help analyze security problems in Microsoft products, namely Windows, Windows components such as the IIS web server, Microsoft SQL Server, and Microsoft Office. One example of an issue might be that permissions on one of the directories in the wwwroot folder of IIS are set too loosely, allowing unwanted modification of files by outsiders.

2. Browser (Firefox):

Firefox includes many features designed to improve security. Key features include a sandbox security model, same origin policy, external protocol whitelisting, a phishing detector, and an option to clear all private data, such as browser history and cookies.

Firefox is open source software, and thus its source code is visible to everyone. This allows anyone to review the code for security vulnerabilities, whether their intentions are good or malicious.

3. Anti-Spyware (Ad-Aware 2008 Free):

  • Improved Threat Detection
  • Spyware, Adware, Trojans & Hijackers
  • Fraud Tools & Rogue Applications
  • Password Stealers & Keyloggers
  • Enhanced Rootkit removal system
  • Faster Updates & Faster Scans
  • Less Resource Usage for optimal computer performance
  • Easy to Download, Install and Use
  • Lavasoft ThreatWork submission tool
  • Compatible with Windows Vista (32- and 64-bit)

4. Personal Firewall (ZoneAlarm Free):

ZoneAlarm Free Firewall blocks hackers from infiltrating your home PC by hiding your computer from unsolicited network traffic. By detecting and preventing intrusions, ZoneAlarm Free Firewall keeps your PC free from viruses that slow down performance, and spyware that steals your personal information, passwords, and financial data.

  • Essential firewall protection
  • Be invisible to others online
  • New interface makes it even easier—smaller size keeps it light

5. Anti-Virus (McAfee/Symantec/Trend Micro):

This is critical. Virus and Trojan outbreaks are a daily occurrence, and statistics show that an unprotected system will become infected by a virus or Trojan in an average of 16 minutes. So spending a reasonable Rs 1500/- to protect your PC is not a big amount; after all, you are getting the tools listed above for free.

You can purchase anti-virus software from local software/IT security vendors like MIEL e-Security Pvt Ltd.

6. Web Filtering (K9 Web Protection Free):

Blue Coat® K9 Web Protection is a content filtering solution for your home computer. Its job is to provide you with a family-safe Internet experience, where YOU control the Internet content that enters your home. K9 Web Protection implements the same enterprise-class Web filtering technology used by Blue Coat's Fortune 500 customers around the world, wrapped in simple, friendly, and reliable software for your Windows 2000, Windows XP or Windows Vista computer.

Please leave your feedback.

Sunday, May 25, 2008

RSS Feed hijacking

As the name implies, this evolving technology is a method of getting "Really Simple Syndication." Web pages can update their contents, and their RSS subscribers will get the updates as soon as they are published, by means of an RSS feed client that frequently checks for new content. The easy way to take advantage of the popularity of this rising technology is to hijack the already-configured feed clients so that they automatically download new copies of worms and other threats to the infected computers. This is accomplished by pointing the already-configured client to different, malicious web content. The attack would work by checking whether the system has any automatic feed download configured; if it does, it would add a new feed or change an existing one to point to the malicious web site. This kind of attack would have two direct outcomes:

1. It would serve as a passive download point, starting connections from a legitimate point. Since the source of the connection is already "allowed," it would bypass personal firewalls and other barriers.

2. The download would keep working even if the worm is detected and deleted. To get rid of it properly, there would have to be a cleaning tool that deletes the configuration in the feed client.

As a mitigating factor, there is no standard in the current use of these programs, so the attack would have to target specific software. This form of attack is not highly dangerous right now. However, all this may change when the new Internet Explorer 7 is finally released. Microsoft is already announcing that the new version of the popular browser will have built-in support for RSS feeds. This will open some interesting possibilities to worm creators.

To fight this, companies should deploy, if they haven't already, a method to scan HTTP traffic, as this will likely be a very popular method of spreading near-future malware.
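As an added example, not from the original post, here are two defensive checks in Python for the hijack described above. The first audits a feed client's subscription list against an allowlist of feed hosts the user actually subscribed to, so an added or rewritten feed entry stands out; the second inspects a fetched RSS document for enclosures or links that would deliver an executable rather than content, which is the kind of check a proxy scanning HTTP traffic could apply. OPML is assumed as the export format of the subscription list because most feed readers can produce one; the OPML and RSS documents, the allowlist and the host names are all constructed for the example.

```python
"""Feed hijack checks: subscription-list audit and executable-enclosure scan.

Added example with constructed data. Assumptions: the feed client can export
its subscriptions as OPML (xmlUrl attribute per feed), and the defender keeps
an allowlist of feed hosts taken from a known-good export.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed OPML subscription list; the third entry is the "hijacked" one,
# added with a title copied from a legitimate feed so it looks familiar.
SAMPLE_OPML = """<?xml version="1.0"?>
<opml version="1.0">
  <body>
    <outline text="Vendor advisories" type="rss"
             xmlUrl="http://feeds.example.com/advisories.xml"/>
    <outline text="News" type="rss"
             xmlUrl="http://news.example.org/rss"/>
    <outline text="News" type="rss"
             xmlUrl="http://updates.example.net/feed.xml"/>
  </body>
</opml>
"""

# Hosts the user really subscribed to (constructed baseline).
ALLOWED_FEED_HOSTS = {"feeds.example.com", "news.example.org"}

# Constructed RSS document: one ordinary item, one whose enclosure is a
# Windows executable.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Updates</title>
    <item>
      <title>Release notes</title>
      <link>http://updates.example.net/notes.html</link>
    </item>
    <item>
      <title>Important update</title>
      <link>http://updates.example.net/update.html</link>
      <enclosure url="http://updates.example.net/update.exe"
                 type="application/x-msdownload" length="123456"/>
    </item>
  </channel>
</rss>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                       ".vbs", ".js", ".msi")
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-msdos-program",
                   "application/octet-stream"}


def audit_subscriptions(opml_text, allowed_hosts=ALLOWED_FEED_HOSTS):
    """Return feed URLs whose host is not on the allowlist (possible hijack)."""
    root = ET.fromstring(opml_text)
    suspicious = []
    for outline in root.iter("outline"):
        url = outline.get("xmlUrl")
        if not url:
            continue                      # folder node, not a feed
        host = (urlparse(url).hostname or "").lower()
        if host not in allowed_hosts:
            suspicious.append(url)
    return suspicious


def looks_executable(url, mime_type=None):
    """True when the URL path or the declared MIME type indicates a program."""
    path = urlparse(url).path.lower()
    return path.endswith(EXECUTABLE_SUFFIXES) or \
        (mime_type or "").lower() in EXECUTABLE_MIME


def audit_feed_items(rss_text):
    """Return (item title, URL) pairs whose link or enclosure would fetch an executable."""
    root = ET.fromstring(rss_text)
    findings = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        link = item.findtext("link")
        if link and looks_executable(link):
            findings.append((title, link))
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            if looks_executable(url, enc.get("type")):
                findings.append((title, url))
    return findings


if __name__ == "__main__":
    for url in audit_subscriptions(SAMPLE_OPML):
        print("feed not on allowlist:", url)
    for title, url in audit_feed_items(SAMPLE_RSS):
        print("executable delivered via feed item %r: %s" % (title, url))
```

The subscription audit is the check that survives removal of the worm itself, which is the second outcome the post describes: as long as the rewritten feed entry stays in the client, re-infection is one poll away. Treating `application/octet-stream` as executable is deliberately conservative and will also flag archives; loosen it if your feeds legitimately carry binary attachments.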

Saturday, May 24, 2008

Future of Bot Worms

The current trend in worms seems to go the bot route. Bots—programs that operate as an agent for a user or another program—are most often seen as malware and keep attacking unsuspecting users in surprisingly high numbers. Nowadays all bot worms are built in a modular fashion. This means that the creator of the program can choose among a number of different attack methods, including vulnerability exploitation, mass-mailing and P2P (peer-to-peer) propagation. The result is an ad hoc worm, specially engineered to accomplish its objectives: stealing information and keeping control of the infected computer.

The idea of modularity in these types of worms has been confirmed in WORM_RBOT.CBQ and WORM_ZOTOB, two network worms that grabbed headlines globally. Network vulnerabilities can be used as a propagation method as soon as the exploit is available. When a piece of code is written to exploit a certain vulnerability in an operating system and is published on the Internet, the creators of these worms can just attach it to the old code of the worm, recompile it and voilà—a new dangerous worm is ready to be unleashed.

Thus, this means shorter times to achieve network exploitation in the very near future. Below is a list of network vulnerability exploitation times for some prominent worms:

WORM_NIMDA: 366 days
WORM_SLAMMER: 185 days
WORM_BLASTER: 26 days
WORM_SASSER: 18 days
WORM_ZOTOB: 4 days

The end result: Because worms nowadays can be created at such rapid speeds, PC users worldwide face even greater threats. The possible ways we can fight against this are:

1. Patching home systems immediately as updates are made available on the Microsoft web site. Automatic updates are no longer optional. The security of our home systems is at stake simply by being connected to the Internet.

2. In corporate settings, deploying software and hardware systems that specifically defend against these threats. Detecting and blocking the network packets that the worm uses to exploit the vulnerability is by far the best way to avoid being hit by this kind of malware. Such systems include IDS (intrusion detection systems) and specific network anti-virus systems like Network VirusWall or a personal firewall, which can block the reception of shellcode packets even if the underlying system is still vulnerable.

Virus History

Virus Timeline

1949
Theories for self-replicating programs are first developed.

1981
Apple Viruses 1, 2, and 3 are some of the first viruses "in the wild" or public domain. Found on the Apple II operating system, the viruses spread through Texas A&M via pirated computer games.

1983
Fred Cohen, while working on his dissertation, formally defines a computer virus as "a computer program that can affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself". The name 'virus' was thought of by Len Adleman.

1986
"Brain" & "PC-Write Trojan": The common story is that two brothers from Pakistan named Basit and Amjad analysed the boot sector of a floppy disk and developed a method of infecting it with a virus dubbed "Brain" (the origin is generally accepted but not absolute). Because it spread widely on the popular MS-DOS PC system, this is typically called the first computer virus, even though it was predated by Cohen's experiments and the Apple II virus. That same year the first PC-based Trojan was released in the form of the popular shareware program PC-Write.

1987
"Stoned" is the first virus to infect the master boot record preventing it from starting up.

1988
One of the most common viruses, "Jerusalem", is unleashed. Activated every Friday the 13th, the virus affects both .EXE and .COM files and deletes any programs run on that day. An Indonesian programmer releases the first anti-virus software, for the Brain virus. The "Internet Worm" is released and crashes 5000 computers.

1989
IBM releases the first commercial anti-virus products. Intensive anti-virus research commences. The "Dark Avenger" virus appears.

1990
Symantec launches Norton AntiVirus, one of the first anti-virus programs developed by a large company. Bulletin Boards (BBS) become a common way for virus writers to share code.

1991
"Tequila" is the first widespread polymorphic virus found in the wild. Polymorphic viruses make detection difficult for virus scanners by changing their appearance with each new infection. Virus construction kits can be downloaded from virus bulletin boards, enabling almost anyone to write a virus. In early 1991, 9% reported they had experienced a virus attack; by the end of the year that figure had increased to 63%.

1992
1300 viruses are in existence, an increase of 420% from December of 1990. The Michelangelo scare predicts 5 million computers will crash on March 6. Only 5,000-10,000 actually go down.

1994
The Good Times email hoax tears through the computer community. The hoax warns of a malicious virus that will erase an entire hard drive just by opening an email with the subject line "Good Times". Though disproved, the hoax resurfaces every six to twelve months. In England, the writer of the "Pathogen" virus is found by Scotland Yard and sentenced to 18 months in jail. This is the first prosecution.

1995
The "Concept" macro virus appears. Written in Microsoft's WordBasic it can run on PCs and Macs running Microsoft Word. Being so easy to write, macro viruses become extensively widespread.

1998
Currently harmless and yet to be found in the wild, StrangeBrew is the first virus to infect Java files. The virus modifies CLASS files to contain a copy of itself within the middle of the file's code and to begin execution from the virus section.

1999
The Melissa virus, W97M/Melissa, executes a macro in a document attached to an email, which forwards the document to 50 people in the user's Outlook address book. The virus also infects other Word documents and subsequently mails them out as attachments. Melissa spread faster than any other previous virus and infected hundreds of thousands of PCs.

The "Chernobyl" virus hits in April, making the hard drive inaccessible and causing widespread damage.

Tristate is the first multi-program macro virus; it infects Word, Excel, and PowerPoint files.

Bubbleboy is the first worm that activates when a user simply opens an e-mail message in Microsoft Outlook (or previews the message in Outlook Express). No attachment is necessary. Bubbleboy was the proof of concept; Kak spread widely using this technique.

2000
The "Love Bug", also known as the "ILoveYou" and "LoveLetter" virus, sends itself out via Outlook, much like Melissa. From the Philippines, the virus comes as a VBS attachment and deletes files, including MP3, MP2, and JPG files. It also sends usernames and passwords to the virus's author. "LoveLetter" spread over the US and Europe in 6 hours and infected 2.5 million PCs, causing an estimated $8.7 billion in damage.

"W97M.Resume.A", a new variation of the "Melissa" virus, is determined to be in the wild. The "resume" virus acts much like "Melissa", using a Word macro to infect Outlook and spread itself.

The "Stages" virus, disguised as a joke email about the stages of life, spreads across the Internet. Unlike previous viruses, "Stages" is hidden in an attachment with a false ".txt" extension, making it easier to lure recipients into opening it. Until then, it had generally been safe to assume that text files were safe.

August 2000 saw the first Trojan developed for the Palm PDA. Called "Liberty" and developed by Aaron Ardiri, the co-developer of the Palm Game Boy emulator Liberty, the Trojan was developed as an uninstall program and was distributed to a few people to help foil those who would steal the actual software. When it was accidentally released to the wider public, Ardiri helped contain its spread.

2001
The Anna Kournikova virus, also known as VBS/SST, which masquerades as a picture of Tennis Star Anna Kournikova, operates in a similar manner to Melissa and The Love Bug. It spreads by sending copies of itself to the entire address book in Microsoft Outlook. It is believed that this virus was created with a so-called virus creation kit, a program which can enable even a novice programmer to create these malicious programs.

In May, the HomePage email virus hit no more than 10,000 users of Microsoft Outlook. When opened, the virus redirected users to sexually explicit Web pages. Technically known as VBSWG.X, the virus spread quickly through Asia and Europe, but was mostly prevented in the U.S. because of lessons learned in earlier time zones. The author of the virus is said to live in Argentina, and have authored the Kournikova virus earlier in the year.

The Code Red I and II worms attacked computer networks in July and August. According to Computer Economics they affected over 700,000 computers and caused upwards of 2 billion in damages. A worm spreads through external and (then) internal computer networks, as opposed to a virus, which infects computers via email and certain websites. Code Red took advantage of a vulnerability in Microsoft's Windows 2000 and Windows NT server software. Microsoft developed a patch to protect networks against the worm, and admitted that they too were attacked. Other major companies affected included AT&T and the AP.

On July 25, W32/Sircam Malicious Code appears, spreading through e-mail and unprotected network shares. The code affects both the infected computer as well as all those in its e-mail address book.

The W32/Nimda worm, taking advantage of back doors left behind by the Code Red II worm, is the first to propagate itself via several methods, including e-mail, network shares and an infected Web site. The worm spreads from client to Web server by scanning for back doors.

Computer Associates International, Inc. (CA), the world's leading provider of eBusiness management solutions, released its "2001 Top 10 Virus Threats" list. The list is based on reports tracked by the company's eTrust Global Antivirus Research Centers. The list, in order of frequency, is as follows:

1. Win32.Badtrans.B, 2. Win32.Sircam.137216, 3. Win32.Magistr, 4. Win32.Badtrans.13312, 5. Win32.Magistr.B, 6. Win32.Hybris.B, 7. Win95.MTX, 8. Win32.Nimda.A, 9. VBS.VBSWG.Generic, 10. Win32.Goner.A

2002
The Klez worm infects executables by creating a hidden copy of the original host file and then overwriting the original file with itself. The hidden copy is encrypted, but contains no viral data. The name of the hidden file is the same as the original file, but with a random extension.

Nimda is a mass-mailing worm that utilizes multiple methods to spread itself. The name of the virus came from the reversed spelling of "admin". The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.

2003

After it infects a PC, the Bugbear virus searches the machine for e-mail addresses and sends a message to each address, with a copy of itself attached. Bugbear also grabs a random address from those found in the e-mail program on the computer and uses it in the "From:" line of the messages it sends, disguising where the e-mails are actually coming from. It masquerades as someone else known to the user of the computer, causing great confusion to innocent, virus-free users.

The Klez.H virus randomly chooses a document from an infected computer and attaches it to the e-mails it sends out to spread itself. In addition, Klez.H spoofs the sender's address to make it look like a random person from the infected PC's address book is actually sending the email. Nasty! It was extremely prolific throughout the entire year. The Klez worm has been pushed to second place on the infamous list, causing $13.9 billion worth of damage. The Love Bug is now in the third position, accounting for $8.75 billion in damages.

Sobig is a mass-mailing worm incorporating its own SMTP engine. It arrives from the e-mail address "big@boss.com". Sobig has become the most damaging virus on record, overtaking malicious rivals Klez, Love Bug and Yaha.

In August 2003, viruses, along with overt and covert hacker attacks, caused $32.8 billion in economic damages, according to a report from mi2g, a digital risk assessment company based in London. Mi2g also notes that the Sobig virus alone accounted for $29.7 billion of economic damages worldwide.

Blaster worm - The flaw is in a component of the operating system that allows other computers to request that the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use the computer's printer. Over a 12-hour period, Symantec detected from 420 to nearly 4,000 infections per hour, with an average of about 2,500 new computers compromised hourly. Federal law enforcement got on the trail of Blaster-B's author by tracking down ownership of an Internet domain, t33kid.com, that the Blaster-B worm used to download instructions and report on infected hosts. That chase led from a San Diego wholesale ISP to a small Web hosting provider in Watauga, Texas, and, from there, to ISP Time Warner Cable, which provided Parson's father's home broadband account in Minnesota. Federal agents raided that home on Aug. 19, seizing seven computers from the house. Blaster-A first appeared on Aug. 11 and exploited a widespread vulnerability in Microsoft's Windows operating system.

2004

MyDoom: The speed with which MyDoom spread across the world was what made it so destructive. In a matter of a few hours, the MyDoom worm spread so rapidly that antivirus companies rated it as a 'high' outbreak risk. It was rated as the first serious outbreak of 2004, and within a few days had surpassed the damage caused by Sobig.F and Welchia. MyDoom.A accounted for approximately 30 percent of all e-mail traffic globally and generated in excess of 100 million infected e-mails in its first 36 hours, blocking networks and overloading servers. Only two days after MyDoom was released, a second version of the virus, MyDoom.B, was spreading across the world. MyDoom.B released distributed denial of service (DDoS) attacks on the SCO and Microsoft Web sites, and also prevented machines infected with MyDoom.A from accessing antivirus sites.

Friday, May 23, 2008

MS Office Deployment using BigFix

  1. Open the BigFix console.

  2. Click on Wizards → Windows Software Distribution Wizard.

  3. Type a task name.

  4. Select the folder (enable “Include Subfolders”).

  5. Select the required operating system.

  6. Leave the next window at its defaults and click Next.

  7. Type the following command for silent installation (replace the PIDKEY placeholder with your own product key, without hyphens):

setup.exe /qb PIDKEY="<product key without hyphens>" ALLUSERS="1" COMPANYNAME="Test" INSTALLLOCATION="c:\program files\MS OFFICE" USERNAME="Test"

* Note: the /qb switch displays progress windows during installation; if you want the setup to run in the background, use the /qn switch instead.

  8. Click Next.

  9. Click Create.

Once the package is created you can find the task under “Task → Custom Task” and deploy it to the required clients.

*Note: Clients may take some time to download the files from the BES server, as the package will be more than 300 MB, and the installation folder should be on the BES server.

What is Malware/Virus/Worm ?

What is Malware?

Malware is a program that performs unexpected or unauthorized, but always malicious, actions. It is a general term used to refer to viruses, Trojans, and worms. Malware, depending on its type, may or may not include replicating and non-replicating malicious code.

Due to the many facets of malicious code or a malicious program, referring to it as malware helps to avoid confusion. For example, a virus that also has Trojan-like capabilities may be called malware.


What is a virus?

A computer virus is a program – a piece of executable code – that has the unique ability to replicate. Like biological viruses, computer viruses can spread quickly and are often difficult to eradicate. They can attach themselves to just about any type of executable file and are spread as files that are copied and sent from individual to individual.

In addition to replication, some computer viruses share another commonality: a damage routine that delivers the virus payload. While payloads may only display messages or images, they can also destroy files, reformat your hard drive, or cause other damage. If the virus does not contain a damage routine, it can cause trouble by consuming storage space and memory, and degrading the overall performance of your computer.


What is a Trojan?

A Trojan is malware that performs a malicious action but has no replication abilities. Named after the Trojan horse of Greek mythology, a Trojan may arrive as a seemingly harmless file or application, but actually has some hidden malicious intent within its code.

Trojan malware usually has a payload. When a Trojan is executed, you may experience unwanted system problems in operation, and sometimes loss of valuable data.


What is a worm?

A computer worm is a self-contained program (or set of programs) that is able to spread functional copies of itself or its segments to other computer systems. The propagation usually takes place via network connections or email attachments.

More recent worms have also discovered ways to propagate using Instant Messengers, via file sharing applications, and by collaborating with other malware such as Trojans or other worm variants. WORM_BAGLE.BE, for example, forms a vicious worm-Trojan cycle with TROJ_BAGLE.BE, in which the worm mass-mails copies of the Trojan, and the Trojan downloads copies of the worm. Additionally, the FATSO family is a family of worms that propagate via an instant messaging application and a popular peer-to-peer file sharing application.

Some worms may have an additional payload, such as preventing a user from accessing antivirus Web sites, or stealing the licenses of installed games and applications.

Mcafee CMD Scanning

Are you facing issues with a virus or worm and do not have an anti-virus program?

Well, the solution is to use the McAfee SDAT (SuperDAT) package to completely scan your machine. This is not an active (real-time) anti-virus scanner, but it can be used in critical scenarios.

How To:

1. Create a folder “cmdscan” in C:\ and download the latest SDAT (SDATXXXX.exe) to that folder from the URL given below.
http://www.mcafee.com/apps/downloads/security_updates/superdat.asp?region=us&segment=enterprise

2. Extract SDATXXXX.exe (here sdat5258.exe) using the following command from the command prompt. Leave it for 2-3 minutes to extract fully; there should be around 19 files in the folder.
sdat5258.exe /e

3. Now create a batch file scan.bat in the same folder, add the following command (scan all local drives and all files, look inside archives, clean what is found and write an HTML report) and save the file.
scan /adl /all /unzip /clean /report rep.html

4. Now restart the machine in safe mode and run “scan.bat” from the folder.

5. You can view the report after the scan; to do so, go to “C:\cmdscan” and open the “rep.html” file.

This will solve most virus/worm issues...

All the Best.