Tuesday, December 29, 2009

Linux

The Linux Login Process



After the system boots, at serial terminals or virtual terminals, the user will see a login prompt similar to:

machinename login:

This prompt is generated by a program, usually getty or mingetty, which init respawns every time a user ends a session on the console. The getty program calls login, and login, if the password check succeeds, starts the user's shell. The steps of the process are:

  1. The init process spawns the getty process.
  2. The getty process invokes the login process when the user enters their name, passing the user name to login.
  3. The login process prompts the user for a password and checks it; on success, the user's shell is started. On failure the program displays an error message and exits, and init respawns getty.
  4. The user runs their session and eventually logs out. On logout, the shell exits and we return to step 1.

Note: This is what happens for runlevel 3; runlevel 5 uses different programs to perform the equivalent functions. These X programs are called X clients.

The init process revisited

Recall that in /etc/inittab file there were lines like this:

1:2345:respawn:/sbin/mingetty tty1

These lines cause init to spawn the mingetty process on runlevels 2 through 5 for tty1 and the other terminals. To do this, init uses the fork function to make a new copy of itself and then an exec function to run the mingetty program in that copy. mingetty waits for the user and reads the username, then invokes login with the user's name as an argument. If the password entered does not match the user's, login exits and init loads and runs mingetty again. If the login is successful, login uses the exec function to run the user's shell program. When the shell exits through the logout command, init loads and runs the mingetty program again; this is the reason for the "respawn" action in the /etc/inittab file. The file "/etc/passwd" determines the shell to be used for the user who is logging in.

This version of Linux uses the mingetty program, which is a minimal getty for virtual terminals. Traditional Unix systems normally use the getty program, which has more capabilities. In this section the getty program is described, but you should be aware that many of the special features of getty do not apply to mingetty.

Note that network logins are handled differently from console logins, since it is impractical to provide a getty for each potential network login. Network logins are normally handled through the Internet super daemon, inetd, using either the telnet or rlogin protocol. The telnet daemon invokes the login program when a session starts; if the login succeeds, login invokes the user's shell.

Getty

Getty performs the following functions:

  1. Open tty lines and set their modes
  2. Print the login prompt and get the user's name
  3. Begin a login process for the user

A detailed analysis:

  1. At startup, it parses its command line, then reads its defaults file, usually "/etc/conf.getty", to determine runtime values. After setting up the "line" (or virtual line), getty outputs the contents of the "/etc/issue" file. Then getty reads the user's name and invokes login with the user's name as an argument. While reading the user's name, getty attempts to adapt the system to the speed of the terminal being used, and also sets certain terminal parameters to conform with the user's login procedure. See the termio man page.
  2. The tty device used by getty is determined by the argument on the command line, which is normally taken from the entry in /etc/inittab. The speed argument is a label for an entry in the "/etc/gettydefs" file. This entry defines the initial speed and tty settings, the login prompt to be used, the final speed and tty settings, and a pointer to another entry to try if the user indicates that the speed is not correct; the user indicates this by sending a break character.
  3. Getty scans the gettydefs file looking for an entry matching the speed. The first entry is used if no speed was given or no match was found.
  4. The type argument names the type of terminal attached to the line, such as 3101. The type should be a valid name listed in the termcap database. Getty uses this value to determine how to clear the video display and sets the environment variable "TERM" to this value. On most Linux systems, this value will be "linux".
  5. The lined argument describes the line discipline to use on the line. The default is "LDISC0".

During its startup, getty looks for the file "/etc/conf.getty.line" or "/etc/conf.getty" and reads it for lines of the form "NAME=value". The name strings are listed below:

  • SYSTEM=name - Sets the nodename value. The default is the value returned by uname(3) which returns your system information, usually "Linux".
  • VERSION=string - Sets the @V parameter to the value of the string or the contents of the file (if the string begins with "/") pointed to by the string.
  • LOGIN=name - The name of the login program to be run when the user enters their name. The default is /bin/login.
  • INIT=string - A string used to initialize the line before it is used by getty.
  • ISSUE=string - This string is typed rather than the contents of the /etc/issue file.
  • CLEAR=value
  • HANGUP=value
  • WAITCHAR=value
  • DELAY=seconds
  • TIMEOUT=number
  • CONNECT=string
  • WAITFOR=string
  • ALTLOCK=line
  • ALTLINE=line
  • RINGBACK=value
  • SCHED=range1 range2 range3
  • OFF=string
  • FIDO=string
  • EMSI=value

These settings are explained more fully in the getty(1m) man page.

Login

The login program will prompt for the user name if no argument is given on the command line.

If the file "/etc/nologin" exists and the user is not root, the contents of "/etc/nologin" are printed to the screen and the login is terminated. If special access restrictions are specified for the user logging in in the file "/etc/usertty", the restrictions must be met or the login will be denied and the attempt logged through syslog. If the user is root, the login must be on a terminal listed in the file "/etc/securetty".

If the above conditions are met, the user's password is requested and then checked (if a password is required for this username). After three unsuccessful attempts the response gets very slow, and after 10 attempts login dies. As usual, all login failures are reported by the syslog facility. If the file ".hushlogin" exists in the user's home directory, a "quiet" login is performed, which disables the checking of mail and the printing of the last login time and the message of the day. Otherwise, if the file "/var/log/lastlog" exists, the last login time is printed and then the current login is recorded in this file. Is the current login recorded in this file if it does not already exist or if the file ".hushlogin" exists? I think it is, but I have found no documentation that says so.

At this point the login program will perform standard administrative tasks. These include:

  1. Setting the UID and GID of the tty
  2. Preserving the TERM environment variable if it exists.
  3. Preserving other environment variables if the -p option is used.
  4. The HOME, PATH, SHELL, TERM, MAIL, and LOGNAME environment variables are set.
  5. The default path is set to "/usr/local/bin:/bin:/usr/bin:." for normal users and "/sbin:/bin:/usr/sbin" for root.
  6. If this is not a "quiet" login, the message of the day is printed and the file with the user's name in "/usr/spool/mail" will be checked and a message will be printed if it has non-zero length.
  7. The user's shell is started. The shell is specified in the file "/etc/passwd"; if none is specified, login uses "/bin/sh" as the default shell. The shell runs with the user's privileges rather than the root privileges with which login was run.
  8. If there is no directory specified for the user in "/etc/passwd", login will use "/" by default for the user's home directory.

Another function that login performs is updating the user accounting files, "/var/run/utmp" and "/var/log/wtmp", which record when users logged on and off and hence how long they have been on the system. The init program and getty may also write to these files.

How login uses the /etc/passwd file:

Once the user has successfully logged in, the login program will invoke the user's shell. The login program will look in the /etc/passwd file to determine which shell program to run. The /etc/passwd file contains entries containing the complete path of the shell. A sample /etc/passwd file is listed below:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
xfs:x:100:101:X Font Server:/etc/X11/fs:/bin/false
gdm:x:42:42::/home/gdm:/bin/bash
postgres:x:40:233:PostgreSQL Server:/var/lib/pgsql:/bin/bash
squid:x:23:23::/var/spool/squid:/dev/null
mark:x:500:500::/home/mark:/bin/bash
george:x:501:501::/home/george:/bin/bash

The syntax is:

account:password:UID:GID:GECOS:directory:shell

where the fields are defined as:

  • account - The user's name.
  • password - The user's encrypted password, or a placeholder character if the system is using shadow passwords and storing the password in the /etc/shadow file, which is readable only by root.
  • UID - The user's numerical identification.
  • GID - The number of the primary group for the user.
  • GECOS - Usually has the full user name. This field is only for information purposes and is optional. This information is sometimes called the user's finger information.
  • directory - The full path of the user's home directory.
  • shell - The full path and filename of the user's shell. If no value is here /bin/sh is assumed. This value can be changed with the chsh command.

The login program uses the account field to find the username and hence the UID of the user. Login also uses the password field (or the /etc/shadow file) to check that the entered password matches. Login looks up the user's home directory and uses it to set the $HOME environment variable, and uses the shell field to determine which shell program (such as bash, sh, tsh, etc.) to run for that user. Then login passes program control to the shell program. There is an important difference in the control passed at this point, however: the shell program runs with the user's privileges and not with root privileges. The programs up to this point (init, getty, login) have all run with root privileges.
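As an added example (not code from the original post or from the login program), the following Python parses /etc/passwd records exactly as described above, applies login's defaults for an empty shell or directory field, and flags the conditions an administrator reviewing the file would check. The sample rows are a subset of the listing above plus two constructed rows; the UID-500 boundary for "system accounts" is an assumption taken from that sample file.

```python
"""Parse /etc/passwd records as login reads them and audit the result.
Example code, not part of the original post or of the login program."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: rows copied from the page's /etc/passwd listing plus two
# made-up rows ("backup", a second UID-0 account, and "guest", an account with
# an empty password, directory and shell field) to exercise the checks.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
sync:x:5:0:sync:/sbin:/bin/sync
xfs:x:100:101:X Font Server:/etc/X11/fs:/bin/false
squid:x:23:23::/var/spool/squid:/dev/null
mark:x:500:500::/home/mark:/bin/bash
backup:x:0:0:made-up second root account:/var/backups:/bin/bash
guest::600:600:made-up password-less account::
"""

# Assumption taken from the sample file: ordinary users start at UID 500.
FIRST_USER_UID = 500
# Shells that cannot run an interactive session.
NON_LOGIN_SHELLS = {"/bin/false", "/dev/null", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class PasswdEntry:
    account: str
    password: str
    uid: int
    gid: int
    gecos: str
    directory: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one account:password:UID:GID:GECOS:directory:shell record.
    An empty shell field means /bin/sh and an empty directory field means /,
    the same defaults login applies before starting the session."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}: {line!r}")
    account, password, uid, gid, gecos, directory, shell = fields
    return PasswdEntry(account, password, int(uid), int(gid), gecos,
                       directory or "/", shell or "/bin/sh")


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse a whole file into a mapping keyed by account name."""
    entries = [parse_passwd_line(ln) for ln in text.splitlines() if ln.strip()]
    return {e.account: e for e in entries}


def audit(entries: Dict[str, PasswdEntry]) -> Dict[str, List[str]]:
    """Report what a reviewer of the file would want flagged:
    - any UID-0 account other than root (it *is* root, whatever its name)
    - accounts with an empty password field (no password is required)
    - system accounts that end up with a usable shell, including those that
      get /bin/sh only because the shell field was left empty"""
    return {
        "uid0": sorted(a for a, e in entries.items() if e.uid == 0 and a != "root"),
        "no_password": sorted(a for a, e in entries.items() if e.password == ""),
        "system_with_shell": sorted(
            a for a, e in entries.items()
            if 0 < e.uid < FIRST_USER_UID and e.shell not in NON_LOGIN_SHELLS),
    }


def unsafe_path_components(path: str) -> List[str]:
    """Components of a PATH that resolve relative to the current directory
    ('.' or an empty component). The default user PATH quoted above ends in
    '.', so a file named like a common command in any directory the user
    happens to be in would be run in place of the real command."""
    return [c for c in path.split(":") if not c.startswith("/")]
```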

Files used by the login program:

  • /etc/nologin - This file is used to prevent users who are not root from logging into the system.
  • /etc/usertty - This file is used to impose special access restrictions on users.
  • /etc/securetty - Controls the terminals that the root user can login on.
  • .hushlogin - When this file exists in the user's home directory, it suppresses the check for mail, the printing of the last login time, and the message of the day when the user logs in.
  • /var/log/lastlog - Contains information about the last time a login was done on the system.
  • /etc/passwd - Contains information about the user including the ID, name, home directory, and the path to the preferred shell program. If not using shadow passwords, this file may also contain user passwords.

Thursday, December 24, 2009

Mobile Phone


Methods of Hacking GSM Network

Note: This document is provided only for educational use and for a better understanding of GSM security concerns. Do not use this information for any unlawful activity.

Introduction to GSM Security

The GSM standard was designed to be a secure mobile phone system with strong subscriber authentication and encryption. The security model and algorithms were developed in secrecy and were never published. Eventually some of the algorithms and specifications were found out using reverse engineering. The algorithms have been studied since and critical errors have been found. Thus, after a closer look at the GSM standard, one can see that the security model is not all that good. An attacker can go through the security model or even around it, and attack other parts of a GSM network, instead of the actual phone call. Although the GSM standard was supposed to prevent phone cloning and over-the-air eavesdropping, both of these are possible with little additional work compared to the analog mobile phone systems and can be implemented through various attacks.

Weaknesses of GSM

  • The authentication process in GSM is one-sided: the Mobile Station has to prove that it is permitted to access the network, but there is no verification of the Base Station.
  • A Mobile Station must transmit its current location to the Base Station at short intervals. This can be abused to track and record the movement profile of a subscriber.
  • GSM was designed to be only as secure as the fixed network to which it connects.
  • GSM provides only access security; the fixed-network portion is not protected.
  • In GSM there is no explicit confirmation to the home network that authentication has been properly performed when a customer roams in a different network.
  • Lack of confidence in the cryptographic algorithms.
    Example:
    The GSM encryption ciphers were kept secret until 1999, when Marc Briceno of the University of California at Berkeley managed to reconstruct the algorithms used.
    Researchers at the Technion-Israel Institute of Technology in Haifa found a way to defeat the GSM security system (A5/2), exploiting a flaw in the way the encryption is applied.

GSM Security Model

The GSM security model is based on a shared secret between the subscriber's home network's HLR and the subscriber's SIM. The shared secret, called Ki, is a 128-bit key used to generate a 32-bit signed response, called SRES, to a random challenge, called RAND, issued by the MSC, and a 64-bit session key, called Kc, used for the encryption of the over-the-air channel. When an MS first signs on to a network, the HLR provides the MSC with five triples, each containing a RAND, the SRES to that particular RAND based on the Ki, and a Kc based again on the same Ki. Each triple is used for one authentication of the specific MS. When all triples have been used, the HLR provides a new set of five triples to the MSC.

When the MS first comes into the area of a particular MSC, the MSC sends the challenge of the first triple to the MS. The MS calculates an SRES with the A3 algorithm using the given challenge and the Ki residing in the SIM. The MS then sends the SRES to the MSC, which can confirm that the SRES really corresponds to the challenge sent by comparing the SRES from the MS with the SRES in the triple from the HLR. Thus the MS has authenticated itself to the MSC. The MS then generates a session key, Kc, with the A8 algorithm using, again, the challenge from the MSC and the Ki from the SIM. The BTS, which is used to communicate with the MS, receives the same Kc from the MSC, which has received it in the triple from the HLR. Now the over-the-air channel between the BTS and the MS can be encrypted. Each frame in the over-the-air traffic is encrypted with a different keystream. This keystream is generated with the A5 algorithm, which is initialized with the Kc and the number of the frame to be encrypted, thus generating a different keystream for every frame.

This means that one call can be decrypted when the attacker knows the Kc and the frame numbers. The frame numbers are generated implicitly, which means that anybody can find out the frame number at hand. The same Kc is used as long as the MSC does not authenticate the MS again, at which point a new Kc is generated. In practice, the same Kc may be in use for days. Only the over-the-air traffic is encrypted in a GSM network. Once the frames have been received by the BTS, it decrypts them and sends them in plaintext to the operator's backbone network.
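The exchange described above, as an added example that is not part of the original post. A3, A8 and A5 are the operators' secret algorithms and are not implemented here: HMAC-SHA256 truncated to the GSM field widths (128-bit Ki and RAND, 32-bit SRES, 64-bit Kc) stands in for them, so the code exercises the message flow, the five-triple batches and the per-frame keystream rather than the real ciphers. The class and function names are this example's own.

```python
"""Model of GSM subscriber authentication and over-the-air encryption.
Added example; the real A3/A8/A5 algorithms are replaced by labelled stand-ins."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

KI_BYTES, RAND_BYTES, SRES_BYTES, KC_BYTES = 16, 16, 4, 8   # 128/128/32/64 bits
TRIPLES_PER_BATCH = 5


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit signed response from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_BYTES]


def a8_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit session key Kc from the same Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_BYTES]


def a5_keystream_stand_in(kc: bytes, frame_number: int, length: int) -> bytes:
    """Stand-in for A5: the keystream is a function of Kc and the frame number
    only, so anyone holding Kc can regenerate it for every frame."""
    out = b""
    block = 0
    while len(out) < length:
        msg = b"A5" + frame_number.to_bytes(4, "big") + block.to_bytes(2, "big")
        out += hmac.new(kc, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


Triple = Tuple[bytes, bytes, bytes]   # (RAND, SRES, Kc)


class HLR:
    """Home Location Register: the only network element that holds Ki."""
    def __init__(self, subscribers: Dict[str, bytes]):
        self.subscribers = subscribers          # IMSI -> Ki

    def make_triples(self, imsi: str) -> List[Triple]:
        ki = self.subscribers[imsi]
        triples = []
        for _ in range(TRIPLES_PER_BATCH):
            rand = os.urandom(RAND_BYTES)
            triples.append((rand, a3_stand_in(ki, rand), a8_stand_in(ki, rand)))
        return triples


class SIM:
    """Subscriber side. Ki never leaves this object."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        """Receives only RAND. Nothing here lets the MS verify who sent it:
        this is the one-sided authentication listed under the weaknesses."""
        return a3_stand_in(self.ki, rand), a8_stand_in(self.ki, rand)


class MSC:
    """Mobile Switching Centre: consumes one triple per authentication."""
    def __init__(self, hlr: HLR):
        self.hlr = hlr
        self.unused: Dict[str, List[Triple]] = {}

    def authenticate(self, sim: SIM) -> Optional[bytes]:
        """Returns Kc to hand to the BTS on success, None on failure."""
        if not self.unused.get(sim.imsi):        # batch exhausted: ask the HLR
            self.unused[sim.imsi] = self.hlr.make_triples(sim.imsi)
        rand, expected_sres, kc = self.unused[sim.imsi].pop(0)
        sres, _ = sim.respond(rand)
        return kc if hmac.compare_digest(sres, expected_sres) else None

    def triples_left(self, imsi: str) -> int:
        return len(self.unused.get(imsi, []))


def encrypt_frame(kc: bytes, frame_number: int, data: bytes) -> bytes:
    """XOR one frame with its keystream; the same call decrypts it."""
    ks = a5_keystream_stand_in(kc, frame_number, len(data))
    return bytes(p ^ k for p, k in zip(data, ks))
```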

Hacking The Signalling Network

The air waves between the MS and the BTS are not the only vulnerable point in the GSM system. As stated earlier, the transmissions are encrypted only between the MS and the BTS. After the BTS, the traffic is transmitted in plain text within the operator's network. This opens up new possibilities. If the attacker can access the operator's signalling network, he will be able to listen to everything that is transmitted, including the actual phone call as well as the RAND, SRES and Kc.

Accessing the signalling network is not very difficult. Although the BTSs are usually connected to the BSC through a cable, some of them are connected to the BSC through a microwave link. Such a link would be relatively easy to access with the right kind of equipment. The microwave link might be encrypted, however, depending on the hardware manufacturer, which makes it slightly more difficult to monitor. It is really a question of whether the attacker wants to crack the A5 encryption protecting the session of a specific MS, or the encryption between the BTS and the BSC, thereby gaining access to the backbone network. The ability to tap into the data transmitted between the BTS and the BSC would enable the attacker either to monitor the call by eavesdropping on the channel throughout the call, or to retrieve the session key, Kc, by monitoring the channel, intercept the call over the air and decrypt it on the fly.

Read this link for more info about GSM A5 encryption algorithm
http://jya.com/crack-a5.htm

Hacking a Mobile Phone User Through an IMSI-catcher

The GSM specification requires the handset to authenticate to the network, but does NOT require the network to authenticate to the handset. This well-known security hole can be exploited by an IMSI-catcher. Even the service provider cannot notice the use of an IMSI-catcher.
An IMSI-catcher is a device for forcing the transmission of the IMSI and intercepting GSM mobile phone calls. The IMSI-catcher acts as a base station and logs the IMSI numbers of all the mobile stations in the area as they attempt to attach to it. It allows forcing the mobile phone connected to it to use no call encryption (A5/0 mode), making the call data easy to intercept and convert to audio.

IMSI catcher

Working of an IMSI-catcher

The basic principle of GSM is that a mobile station always connects to the base station which provides the best reception. An attacker can easily enforce this kind of setting, i.e., make a victim device connect to him instead of a real base station, by drowning out the real base stations that are present and sending his own beacons with higher transmitting power.
Thus the IMSI-catcher creates the same scenario and acts as a fake base station, so the victim's mobile attaches to the attacker's IMSI-catcher, assuming it is the real base station.
During the connection setup the attacker sends the security capabilities of the victim mobile station to the attached visited network.
The attacker sends the TMSI of the victim mobile station, which he obtained during the connection setup, to the visited network. If the current TMSI is unknown to the attacker, he sends a faked TMSI.
If the network cannot resolve the fake TMSI, it sends an identity request to the attacker. The attacker replies with the IMSI of the victim.
The visited network requests the authentication information about the victim device from its home network. The home network provides the authentication information to the visited network. The network sends RAND and AUTN to the attacker. The attacker disconnects from the visited network. Thus the attacker obtains an authentication token.


Read this article about tracking a suspect by mobile phone.
http://news.bbc.co.uk/2/hi/technology/4738219.stm

Friday, December 18, 2009

Keyloggers

Keyloggers: How they work and how to detect them...




In February 2005, Joe Lopez, a businessman from Florida, filed a suit against Bank of America after unknown hackers stole $90,000 from his Bank of America account. The money had been transferred to Latvia.

An investigation showed that Mr. Lopez’s computer was infected with a malicious program, Backdoor.Coreflood, which records every keystroke and sends this information to malicious users via the Internet. This is how the hackers got hold of Joe Lopez’s user name and password, since Mr. Lopez often used the Internet to manage his Bank of America account.

However the court did not rule in favor of the plaintiff, saying that Mr. Lopez had neglected to take basic precautions when managing his bank account on the Internet: a signature for the malicious code that was found on his system had been added to nearly all antivirus product databases back in 2003.

Joe Lopez’s losses were caused by a combination of overall carelessness and an ordinary keylogging program.

About Keyloggers

The term ‘keylogger’ itself is neutral, and the word describes the program’s function. Most sources define a keylogger as a software program designed to secretly monitor and log all keystrokes. This definition is not altogether correct, since a keylogger doesn’t have to be software – it can also be a device. Keylogging devices are much rarer than keylogging software, but it is important to keep their existence in mind when thinking about information security.

Legitimate programs may have a keylogging function which can be used to call certain program functions using “hotkeys,” or to toggle between keyboard layouts (e.g. Keyboard Ninja). There is a lot of legitimate software which is designed to allow administrators to track what employees do throughout the day, or to allow users to track the activity of third parties on their computers. However, the ethical boundary between justified monitoring and espionage is a fine line. Legitimate software is often used deliberately to steal confidential user information such as passwords.

Most modern keyloggers are considered to be legitimate software or hardware and are sold on the open market. Developers and vendors offer a long list of cases in which it would be legal and appropriate to use keyloggers, including:

  • Parental control: parents can track what their children do on the Internet, and can opt to be notified if there are any attempts to access websites containing adult or otherwise inappropriate content;
  • Jealous spouses or partners can use a keylogger to track the actions of their better half on the Internet if they suspect them of “virtual cheating”;
  • Company security: tracking the use of computers for non-work-related purposes, or the use of workstations after hours;
  • Company security: using keyloggers to track the input of key words and phrases associated with commercial information which could damage the company (materially or otherwise) if disclosed;
  • Other security (e.g. law enforcement): using keylogger records to analyze and track incidents linked to the use of personal computers;
  • Other reasons.

However, the justifications listed above are more subjective than objective; the situations can all be resolved using other methods. Additionally, any legitimate keylogging program can still be used with malicious or criminal intent. Today, keyloggers are mainly used to steal user data relating to various online payment systems, and virus writers are constantly writing new keylogger Trojans for this very purpose.

Furthermore, many keyloggers hide themselves in the system (i.e. they have rootkit functionality), which makes them fully-fledged Trojan programs.

As such programs are extensively used by cyber criminals, detecting them is a priority for antivirus companies. Kaspersky Lab’s malware classification system has a dedicated category for malicious programs with keylogging functionality: Trojan-Spy. Trojan-Spy programs, as the name suggests, track user activity, save the information to the user’s hard disk and then forward it to the author or ‘master’ of the Trojan. The information collected includes keystrokes and screen-shots, used in the theft of banking data to support online fraud.

Why keyloggers are a threat

Unlike other types of malicious program, keyloggers present no threat to the system itself. Nevertheless, they can pose a serious threat to users, as they can be used to intercept passwords and other confidential information entered via the keyboard. As a result, cyber criminals can get PIN codes and account numbers for e-payment systems, passwords to online gaming accounts, email addresses, user names, email passwords etc.

Once a cyber criminal has got hold of confidential user data, s/he can easily transfer money from the user’s account or access the user’s online gaming account. Unfortunately access to confidential data can sometimes have consequences which are far more serious than an individual’s loss of a few dollars. Keyloggers can be used as tools in both industrial and political espionage, accessing data which may include proprietary commercial information and classified government material which could compromise the security of commercial and state-owned organizations (for example, by stealing private encryption keys).

Keyloggers, phishing and social engineering (see 'Computers, Networks and Theft') are currently the main methods being used in cyber fraud. Users who are aware of security issues can easily protect themselves against phishing by ignoring phishing emails and by not entering any personal information on suspicious websites. It is more difficult, however, for users to combat keyloggers; the only possible method is to use an appropriate security solution, as it is usually impossible for a user to tell that a keylogger has been installed on his/her machine.

According to Cristine Hoepers, the manager of Brazil’s Computer Emergency Response Team, which works under the aegis of the country’s Internet Steering Committee, keyloggers have pushed phishing out of first place as the most-used method in the theft of confidential information. What’s more, keyloggers are becoming more sophisticated – they track websites visited by the user and only log keystrokes entered on websites of particular interest to the cyber criminal.

In recent years, we have seen a considerable increase in the number of different kinds of malicious programs which have keylogging functionality. No Internet user is immune to cyber criminals, no matter where in the world s/he is located and no matter what organization s/he works for.

How cyber criminals use keyloggers

One of the most publicized keylogging incidents recently was the theft of over $1 million from client accounts at the major Scandinavian bank Nordea. In August 2006 Nordea clients started to receive emails, allegedly from the bank, suggesting that they install an antispam product, which was supposedly attached to the message. When a user opened the file and downloaded it to his/her computer, the machine would be infected with a well-known Trojan called Haxdoor. This would be activated when the victim registered at Nordea's online service, and the Trojan would display an error notification with a request to re-enter the registration information. The keylogger incorporated in the Trojan would record data entered by the bank's clients, and later send this data to the cyber criminals' server. This was how cyber criminals were able to access client accounts and transfer money from them. According to Haxdoor's author, the Trojan has also been used in attacks against Australian banks and many others.

On January 24, 2004 the notorious Mydoom worm caused a major epidemic. MyDoom broke the record previously set by Sobig, provoking the largest epidemic in Internet history to date. The worm used social engineering methods and organized a DoS attack on www.sco.com; the site was either unreachable or unstable for several months as a consequence. The worm left a Trojan on infected computers which was subsequently used to infect the victim machines with new modifications of the worm. The fact that MyDoom had a keylogging function to harvest credit card numbers was not widely publicized in the media.

In early 2005 the London police prevented a serious attempt to steal banking data. After attacking a banking system, the cyber criminals had planned to steal $423 million from Sumitomo Mitsui’s London-based offices. The main component of the Trojan used, which was created by the 32-year-old Yeron Bolondi, was a keylogger that allowed the criminals to track all the keystrokes entered when victims used the bank’s client interface.

In May 2005 in London the Israeli police arrested a married couple who were charged with developing malicious programs that were used by some Israeli companies in industrial espionage. The scale of the espionage was shocking: the companies named by the Israeli authorities in investigative reports included cellular providers like Cellcom and Pelephone, and satellite television provider YES. According to reports, the Trojan was used to access information relating to the PR agency Rani Rahav, whose clients included Partner Communications (Israel’s second leading cellular services provider) and the HOT cable television group. The Mayer company, which imports Volvo and Honda cars to Israel, was suspected of committing industrial espionage against Champion Motors, which imports Audi and Volkswagen cars to the country. Ruth Brier-Haephrati, who sold the keylogging Trojan that her husband Michael Haephrati created, was sentenced to four years in jail, and Michael received a two-year sentence.

In February 2006, the Brazilian police arrested 55 people involved in spreading malicious programs which were used to steal user information and passwords to banking systems. The keyloggers were activated when the users visited their banks' websites, and secretly tracked and subsequently sent all data entered on these pages to cyber criminals. The total amount of money stolen from 200 client accounts at six of the country's banks totaled $4.7 million.

At approximately the same time, a similar criminal grouping made up of young (20- to 30-year-old) Russians and Ukrainians was arrested. In late 2004, the group began sending banking clients in France and a number of other countries email messages that contained a malicious program, namely a keylogger. Furthermore, these spy programs were placed on specially created websites; users were lured to these sites using classic social engineering methods. In the same way as in the cases described above, the program was activated when users visited their banks' websites, and the keylogger harvested all the information entered by the user and sent it to the cyber criminals. In the course of eleven months over one million dollars was stolen.

There are many more examples of cyber criminals using keyloggers – most financial cybercrime is committed using keyloggers, since these programs are the most comprehensive and reliable tool for tracking electronic information.

Increased use of keyloggers by cyber criminals

The fact that cyber criminals choose to use keyloggers time and again is confirmed by IT security companies.

One of VeriSign's recent reports notes that in recent years, the company has seen a rapid growth in the number of malicious programs that have keylogging functionality.


Source: iDefense, a VeriSign Company

One report issued by Symantec shows that almost 50% of malicious programs detected by the company’s analysts during the past year do not pose a direct threat to computers, but instead are used by cyber criminals to harvest personal user data.

According to research conducted by John Bambenek, an analyst at the SANS Institute, approximately 10 million computers in the US alone are currently infected with a malicious program which has a keylogging function. Using these figures, together with the total number of American users of e-payment systems, possible losses are estimated to be $24.3 million.

Kaspersky Lab is constantly detecting new malicious programs which have a keylogging function. One of the first virus alerts on www.viruslist.com, Kaspersky Lab's dedicated malware information site, was published on 15th June 2001. The warning related to TROJ_LATINUS.SVR, a Trojan with a keylogging function. Since then, there has been a steady stream of new keyloggers and new modifications. Kaspersky Lab's antivirus databases currently contain records for more than 300 families of keyloggers. This number does not include keyloggers that are part of complex threats (i.e. in which the spy component is one of several functions).

Most modern malicious programs are hybrids which implement many different technologies. Due to this, any category of malicious program may include programs with keylogger (sub)functionality. The number of spy programs detected by Kaspersky Lab each month is on the increase, and most of these programs use keylogging technology.

Keylogger construction

The main idea behind keyloggers is to get in between any two links in the chain of events between a key being pressed and information about that keystroke appearing on the monitor. This can be achieved using video surveillance, a hardware bug in the keyboard, the wiring or the computer itself, intercepting input/output, substituting the keyboard driver, a filter driver in the keyboard stack, intercepting kernel functions by any means possible (substituting addresses in system tables, splicing function code, etc.), intercepting DLL functions in user mode, and, finally, requesting information from the keyboard using standard documented methods.

Experience shows that the more complex the approach, the less likely it is to be used in common Trojan programs and the more likely it is to be used in specially designed Trojan programs which are designed to steal financial data from a specific company.

Keyloggers can be divided into two categories: keylogging devices and keylogging software. Keyloggers which fall into the first category are usually small devices that can be fixed to the keyboard, or placed within a cable or the computer itself. The keylogging software category is made up of dedicated programs designed to track and log keystrokes.

The most common methods used to construct keylogging software are as follows:

  • a system hook which intercepts the notification that a key has been pressed (installed with the WinAPI function SetWindowsHookEx for keyboard messages delivered to the window procedure; most often written in C);
  • cyclically polling the keyboard state (using the WinAPI functions GetKeyState/GetAsyncKeyState or GetKeyboardState; most often written in Visual Basic, sometimes in Borland Delphi);
  • using a filter driver in the keyboard stack (requires specialized knowledge and is written in C).

We will provide a detailed explanation of the different ways keyloggers are constructed in the second half of this article (to be published in the near future). But first, here are some statistics.
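As an added example (not from the article), here is a toy behavioural detector that looks for the three constructions just listed in an API-call trace: a global WH_KEYBOARD/WH_KEYBOARD_LL hook set with SetWindowsHookEx, a tight GetAsyncKeyState/GetKeyState/GetKeyboardState polling loop, and a kernel driver being installed (a filter driver has to be loaded through the service control manager, so that is the observable event). The trace format, the process names and the polling threshold are assumptions made up for the example; the hook ids and the SERVICE_KERNEL_DRIVER constant are the real winuser.h/winsvc.h values.

```python
import re
from collections import defaultdict, namedtuple

# Real Windows SDK constants.
WH_KEYBOARD = 2              # winuser.h: message-level keyboard hook
WH_KEYBOARD_LL = 13          # winuser.h: low-level keyboard hook
SERVICE_KERNEL_DRIVER = 1    # winsvc.h: dwServiceType for a kernel driver

POLL_APIS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}
POLL_CALLS_PER_SECOND = 50   # assumed threshold for a "cyclical request" loop

Event = namedtuple("Event", "ms pid process api args")
Finding = namedtuple("Finding", "pid process rule detail")

# Assumed trace line format: "<ms> <pid> <process> <api>(<name>=<value>, ...)"
_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\w+)\((.*)\)$")


def parse_trace(lines):
    """Turn trace lines into Event records; malformed lines are skipped."""
    events = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        ms, pid, proc, api, raw = m.groups()
        args = dict(re.findall(r"(\w+)=([^,]+)", raw))
        events.append(Event(int(ms), int(pid), proc, api, args))
    return events


def detect(lines):
    """Return a Finding for each process whose API use matches a keylogger construction."""
    findings = []
    polls = defaultdict(list)            # (pid, process) -> timestamps of state reads
    for e in parse_trace(lines):
        if e.api == "SetWindowsHookEx":
            hook = int(e.args.get("idHook", -1))
            # dwThreadId=0 makes the hook global: every keystroke in every window.
            if hook in (WH_KEYBOARD, WH_KEYBOARD_LL) and e.args.get("dwThreadId") == "0":
                findings.append(Finding(e.pid, e.process, "global_keyboard_hook", f"idHook={hook}"))
        elif e.api in POLL_APIS:
            polls[(e.pid, e.process)].append(e.ms)
        elif e.api == "CreateService" and e.args.get("dwServiceType") == str(SERVICE_KERNEL_DRIVER):
            findings.append(Finding(e.pid, e.process, "kernel_driver_install",
                                    e.args.get("lpBinaryPathName", "")))
    # A polling keylogger reads key state far faster than an ordinary program:
    # flag any process with more than the threshold inside a sliding 1-second window.
    for (pid, proc), times in polls.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > 1000:
                start += 1
            if end - start + 1 > POLL_CALLS_PER_SECOND:
                findings.append(Finding(pid, proc, "keyboard_polling",
                                        f">{POLL_CALLS_PER_SECOND} key-state reads/s"))
                break
    return findings


# Constructed trace for the example: one benign hook, one benign key-state read,
# one global keyboard hook, one driver install and one tight polling loop.
TRACE = [
    "1000 412 explorer.exe SetWindowsHookEx(idHook=3, hMod=0x0, dwThreadId=0)",
    "1001 1337 svch0st.exe SetWindowsHookEx(idHook=13, hMod=0x10000000, dwThreadId=0)",
    "1002 2048 notepad.exe GetKeyState(vKey=0x10)",
    "1003 4242 dropper.exe CreateService(lpServiceName=kbdflt, dwServiceType=1, "
    "lpBinaryPathName=C:\\WINDOWS\\system32\\drivers\\kbdflt.sys)",
] + [f"{1100 + 5 * i} 2222 vb_logger.exe GetAsyncKeyState(vKey={0x41 + i % 26:#x})"
     for i in range(80)]

if __name__ == "__main__":
    for f in detect(TRACE):
        print(f"pid {f.pid} ({f.process}): {f.rule} [{f.detail}]")
```

The driver rule is deliberately coarse: from the service-control call alone you cannot tell a keyboard filter from any other driver, which is why the article notes that the driver approach is the hardest to build and the hardest to classify; a real product would inspect the loaded driver's attachment to the keyboard device stack.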

[Pie chart: a rough breakdown of the different types of keyloggers by construction method]

Recently, keyloggers that disguise their files to keep them from being found manually or by an antivirus program have become more numerous. These stealth techniques are called rootkit technologies. There are two main rootkit technologies used by keyloggers:

  • masking in user mode;
  • masking in kernel mode.

[Pie chart: a rough breakdown of the techniques (user-mode vs kernel-mode masking) used by keyloggers to hide their activity]

How keyloggers spread

Keyloggers spread in much the same way as other malicious programs. Excluding cases where keyloggers are purchased and installed by a jealous spouse or partner, and the use of keyloggers by security services, keyloggers are mostly spread using the following methods:

  • a keylogger can be installed when a user opens a file attached to an email;
  • a keylogger can be installed when a file is launched from an open-access directory on a P2P network;
  • a keylogger can be installed via a web page script which exploits a browser vulnerability; the program is launched automatically when a user visits an infected site;
  • a keylogger can be installed by another malicious program already present on the victim machine, if the program is capable of downloading and installing other malware to the system.

How to protect yourself from keyloggers

Most antivirus companies have already added known keyloggers to their databases, so protecting against keyloggers is no different from protecting against other types of malicious program: install an antivirus product and keep its database up to date. However, since many antivirus products classify keyloggers as potentially malicious or potentially unwanted programs rather than as outright malware, users should check that their product detects this class with its default settings. If it does not, the product should be configured accordingly, to ensure protection against the most common keyloggers.

Let’s take a closer look at the methods that can be used to protect against unknown keyloggers or a keylogger designed to target a specific system.

Since the chief purpose of keyloggers is to get confidential data (bank card numbers, passwords, etc.), the most logical ways to protect against unknown keyloggers are as follows:

  1. using one-time passwords or two-factor authentication,
  2. using a system with proactive protection designed to detect keylogging software,
  3. using a virtual keyboard.

Using a one-time password helps minimize losses if the password you enter is intercepted: the generated password can be used only once, and the period during which it is valid is limited. Even if a one-time password is intercepted, a cyber criminal cannot reuse it to obtain access to confidential information once the legitimate session has consumed it. The one caveat is a keylogger that relays the code to the criminal in real time, before the user's own request reaches the bank; the short validity window and the server's refusal to accept a code twice are what limit that attack.

In order to get one-time passwords, you can use a special device such as:

  1. a USB key (such as the Aladdin eToken NG OTP);
  2. a 'calculator' (such as the RSA SecurID 900 Signing Token).

One-time passwords can also be delivered by SMS: the user sends a text message from a mobile phone number registered with the bank and receives a PIN code in reply. The PIN is then used together with the personal code for authentication.

If either of the above devices is used to generate passwords, the procedure is as described below:

  1. the user connects to the Internet and opens a dialogue box where personal data should be entered;
  2. the user then presses a button on the device to generate a one-time password, and a password will appear on the device’s LCD display for 15 seconds;
  3. the user enters his user name, personal PIN code and the generated one-time password in the dialogue box (usually the PIN code and the key are entered one after the other in a single pass code field);
  4. the codes that are entered are verified by the server, and a decision is made whether or not the user may access confidential data.

When using a calculator device to generate a password, the user will enter his PIN code on the device 'keyboard' and press the ">" button.
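The procedure above, written out as an added example (this is not code from the article or from any of the devices named): hotp() is what the token computes when its button is pressed, totp() derives the counter from the clock, and OtpVerifier is the bank-side check that accepts PIN + code in a single pass-code field, tolerates one step of clock skew, and refuses any code whose counter has already been consumed. Assumptions: HMAC-SHA1 per RFC 4226/6238, a 30-second step and the RFC test secret; real SecurID and eToken devices use their own algorithms and display windows.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 test vectors; a real token holds a per-device secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second periods
    since the Unix epoch. The 30-second step is an assumption for this example."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


class OtpVerifier:
    """Bank-side verifier for a pass code of the form <PIN><one-time code>."""

    def __init__(self, secret: bytes, pin: str, step: int = 30, skew: int = 1):
        self.secret, self.pin, self.step, self.skew = secret, pin, step, skew
        self.last_counter = -1          # highest counter already accepted

    def verify(self, passcode: str, at: float = None) -> bool:
        if at is None:
            at = time.time()
        # Constant-time comparison of the PIN part, then the OTP part.
        if not hmac.compare_digest(passcode[:len(self.pin)], self.pin):
            return False
        otp = passcode[len(self.pin):]
        now = int(at // self.step)
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue                # already consumed: an intercepted, replayed code is rejected
            if hmac.compare_digest(hotp(self.secret, counter), otp):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    bank = OtpVerifier(RFC_TEST_SECRET, pin="1234")
    code = totp(RFC_TEST_SECRET, at=59)           # what the token shows at t=59s
    print("first use :", bank.verify("1234" + code, at=59))    # True
    print("replay    :", bank.verify("1234" + code, at=65))    # False, counter already used
```

Note that the server stores only the last accepted counter, not the codes themselves: that single integer is what turns "the password is short-lived" into "the password is single-use", which is the property the article relies on.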

One-time password generators are widely used by banking systems in Europe, Asia, the US and Australia. For example, Lloyds TSB, a leading bank, decided to use password generators back in November 2005.

In this case, however, the bank has to spend a considerable amount of money, as it must acquire and distribute password generators to its clients and develop or purchase the accompanying software.

A more cost efficient solution is proactive protection on the client side, which can warn a user if an attempt is made to install or activate keylogging software.


[Screenshot: proactive protection against keyloggers in Kaspersky Internet Security]

The main drawback of this method is that the user is actively involved and has to decide what action should be taken. If a user is not very technically experienced, s/he might make the wrong decision, allowing a keylogger to bypass the antivirus solution. If developers minimize user involvement instead, keyloggers may evade detection because the security policy is not rigorous enough; if the settings are too stringent, other useful programs which contain legitimate keylogging functions may be blocked as well.

The final method which can be used to protect against both keylogging software and hardware is using a virtual keyboard. A virtual keyboard is a program that shows a keyboard on the screen, and the keys can be 'pressed' by using a mouse.

The idea of an on-screen keyboard is nothing new - the Windows operating system has a built-in on-screen keyboard that can be launched as follows: Start > Programs > Accessories > Accessibility > On-Screen Keyboard.


[Screenshot: the Windows on-screen keyboard]

However, on-screen keyboards aren't a very popular method of outsmarting keyloggers. They were not designed to protect against cyber threats but as an accessibility tool for disabled users, and the built-in Windows keyboard injects its 'key presses' through the normal input path, so a hook-based or polling keylogger sees them exactly as it sees physical keystrokes. In order to protect against keyloggers, an on-screen keyboard has to be specially designed so that information entered or transmitted via it cannot be intercepted.

Conclusions

This article has provided an overview of how keyloggers – both keylogging software and hardware - function and are used.

  • Even though keylogger developers market their products as legitimate software, most keyloggers can be used to steal personal user data and in political and industrial espionage.
  • At present, keyloggers – together with phishing and social engineering methods – are one of the most commonly used methods of cyber fraud.
  • IT security companies have recorded a steady increase in the number of malicious programs that have keylogging functionality.
  • Reports show that there is an increased tendency to use rootkit technologies in keylogging software, to help the keylogger evade manual detection and detection by antivirus solutions.
  • Only dedicated protection can detect that a keylogger is being used for spy purposes.
  • The following measures can be taken to protect against keyloggers:
    • use a standard antivirus that can be adjusted to detect potentially malicious software (default settings for many products);
    • proactive protection will protect the system against new keyloggers and modifications of existing ones;
    • use a virtual keyboard or a system to generate one-time passwords to protect against keylogging software and hardware.
Source: Kaspersky Lab

Saturday, December 12, 2009

Root User in Windows

Log in to the SYSTEM account on Windows, the closest equivalent of the root account on a *nix system: just click on the link and run the program.

Windows root login

No virus / Trojan.

Before running an executable downloaded from any link, scan it with an up-to-date antivirus product first; an unsolicited download that promises to be clean is exactly the delivery method the keylogger article above describes.




Tuesday, December 8, 2009

IPV4 VS IPV6


IPv4 vs IPv6, feature by feature (IPv4 behaviour first, then IPv6):

  • Address length. IPv4: addresses are 32 bits (4 bytes) long. IPv6: addresses are 128 bits (16 bytes) long.
  • Forward DNS. IPv4: Address (A) resource records map host names to IPv4 addresses. IPv6: AAAA resource records map host names to IPv6 addresses.
  • Reverse DNS. IPv4: Pointer (PTR) resource records in the IN-ADDR.ARPA domain map IPv4 addresses to host names. IPv6: PTR records in the IP6.ARPA domain (one label per hex nibble, in reverse order) map IPv6 addresses to host names.
  • IPsec. IPv4: optional, added on to the protocol. IPv6: the AH and ESP extension headers are part of the base specification, and the IPv6 node requirements of the time made IPsec support mandatory (that requirement has since been relaxed to a recommendation).
  • Flow identification. IPv4: the header does not identify a packet flow for QoS handling by routers. IPv6: the header contains a Flow Label field which identifies the packet's flow for QoS handling by routers.
  • Fragmentation. IPv4: both routers and the sending host fragment packets. IPv6: routers do not fragment; only the sending host does, using the Fragment extension header after path MTU discovery.
  • Header checksum. IPv4: the header includes a checksum. IPv6: the header has no checksum (upper-layer checksums cover a pseudo-header, and the UDP checksum is mandatory over IPv6).
  • Options. IPv4: carried in the header. IPv6: optional data is carried in extension headers.
  • Address resolution. IPv4: ARP uses a broadcast ARP request to resolve an IP address to a MAC/hardware address. IPv6: multicast Neighbor Solicitation messages (Neighbor Discovery, carried over ICMPv6) resolve IP addresses to MAC addresses.
  • Multicast group membership. IPv4: Internet Group Management Protocol (IGMP) manages membership in local subnet groups. IPv6: Multicast Listener Discovery (MLD) messages manage membership in local subnet groups.
  • Reaching all nodes on a link. IPv4: broadcast addresses. IPv6: no broadcast; the link-local scope all-nodes multicast address (ff02::1) is used instead.
  • Configuration. IPv4: manually or through DHCP. IPv6: stateless address autoconfiguration means neither manual configuration nor DHCP is required (DHCPv6 remains available).
  • Minimum packet size. IPv4: every host must accept a 576-byte packet (possibly after reassembly). IPv6: every link must carry a 1280-byte packet without fragmentation.
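Added example (not part of the original post) showing the DNS and sizing rows of the comparison in code: it builds the PTR owner name for both address families by hand, cross-checks the result against Python's ipaddress module, and reports the record type, address width and minimum packet size for an address. The sample addresses come from the documentation ranges.

```python
import ipaddress

IPV4_MIN_PACKET = 576     # bytes every IPv4 host must accept (possibly reassembled)
IPV6_MIN_MTU = 1280       # bytes every IPv6 link must carry without fragmentation


def reverse_name(addr: str) -> str:
    """Build the PTR owner name by hand: dotted octets reversed under in-addr.arpa
    for IPv4, the 32 hex nibbles reversed under ip6.arpa for IPv6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")       # 32 hex digits, zero-padded groups
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def describe(addr: str) -> dict:
    """Summarize the family-dependent facts from the comparison for one address."""
    ip = ipaddress.ip_address(addr)
    v4 = ip.version == 4
    return {
        "version": ip.version,
        "bits": ip.max_prefixlen,                           # 32 or 128
        "forward_record": "A" if v4 else "AAAA",
        "ptr_name": reverse_name(addr),
        "ptr_name_stdlib": ip.reverse_pointer,              # standard-library cross-check
        "min_packet_bytes": IPV4_MIN_PACKET if v4 else IPV6_MIN_MTU,
        "all_nodes": "subnet broadcast" if v4 else "ff02::1 (link-local all-nodes multicast)",
    }


if __name__ == "__main__":
    for sample in ("192.0.2.1", "2001:db8::1"):
        for k, v in describe(sample).items():
            print(f"{sample:>12}  {k:<17} {v}")
```

The hand-built name matching ip.reverse_pointer is the point of the cross-check: an IPv6 reverse zone has 32 labels of one nibble each, so a typo in a delegation is easy to make and hard to spot by eye.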

What is VoIP?

What is VoIP and What Can it Do for Your Business?

VoIP and IP telephony are becoming increasingly popular with large corporations and consumers alike. For many people, Internet Protocol (IP) is more than just a way to transport data, it's also a tool that simplifies and streamlines a wide range of business applications. Telephony is the most obvious example. VoIP—or voice over IP—is also the foundation for more advanced unified communications applications—including Web and video conferencing—that can transform the way you do business.

What is VoIP: Useful Terms

Understanding the terms is a first step toward learning the potential of this technology:
  • VoIP refers to a way to carry phone calls over an IP data network, whether on the Internet or your own internal network. A primary attraction of VoIP is its ability to help reduce expenses because telephone calls travel over the data network rather than the phone company's network.
  • IP telephony encompasses the full suite of VoIP enabled services including the interconnection of phones for communications; related services such as billing and dialing plans; and basic features such as conferencing, transfer, forward, and hold. These services might previously have been provided by a PBX.
  • IP communications includes business applications that enhance communications to enable features such as unified messaging, integrated contact centers, and rich-media conferencing with voice, data, and video.
  • Unified communications takes IP communications a step further by using such technologies as Session Initiation Protocol (SIP) and presence, along with mobility solutions, to unify and simplify all forms of communications, independent of location, time, or device.

What is VoIP: Service Quality

Public Internet phone calling uses the Internet for connecting phone calls, especially for consumers. But most businesses are using IP telephony across their own managed private networks because it allows them to better handle security and service quality. Using their own networks, companies have more control in ensuring that voice quality is as good as, if not better than, the services they would have previously experienced with their traditional phone system.

Friday, December 4, 2009

Trojans: Removal Part 1

SMC.EXE

Symantec: Infostealer.Ebod:


Seen in September 2009, this Trojan runs on almost any Windows platform. It does not damage the infected system much; instead it opens a backdoor through which the collected information is sent to a web server over HTTP. The Trojan enters the computer when the user downloads applications from unknown websites. Once executed, it creates a copy of itself in the "C:\WINDOWS\System" folder and adds a registry entry so that this copy runs at every system startup. It also drops a copy of itself in the %temp% folder, where the file can have any name. When the computer is connected to the Internet, the Trojan sends its saved log file, containing Administrator information and passwords, to the web server; heavy network activity can be observed during this part of its execution. With the Administrator credentials the attacker can access any directory on the computer. The Trojan is also capable of stealing Internet Explorer and Mozilla Firefox cookies. An update of this Trojan can be expected shortly, so it should be removed as soon as possible. Here are the removal instructions for the backdoor.

Manual instructions to remove smc.exe:

  1. Let's begin with the registry modification. Restart the computer in Safe Mode first. In Safe Mode, go to Start --> Run and type "regedit" to open the Windows Registry Editor.
  2. In the Registry, navigate to the following key

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

    In the right-hand pane, find the following value and delete it
    "smc = %System%\smc.exe"
  3. Once it is removed, you're almost done. Reboot into Safe Mode again and delete the file "C:\WINDOWS\System\smc.exe". Depending on the version of Windows you are running, the file may instead be in "C:\WINDOWS\System32". It may also be hidden, so open the Command Prompt, type "attrib -r -a -s -h C:\WINDOWS\System\smc.exe" and press Enter to clear the read-only, archive, system and hidden attributes; the file can then be deleted directly.
  4. The Trojan will not run again unless you download and execute it once more, or run a suspicious application from your %temp% folder. Go to Start --> Run, type "%temp%" in the box, and delete all the files and folders in that directory.
  5. You're now completely free of the Trojan. Just remember not to download suspicious files from unknown websites again.
Posts that might help you here:

Enabling Safe Mode booting, enabling the Registry, enable hidden files and folders option and enabling the Command Prompt.


NTOS.EXE

McAfee: PWS-Zbot:

This is a Trojan program that was first seen in 2007, but an updated version was recently found spreading widely. When executed, it immediately drops a file named "ntos.exe" in the "C:\WINDOWS\System32" folder along with a few DLLs. These are added to the registry so that the Trojan runs at every system start-up, and a separate registry item makes the Trojan connect to the Internet under a separate user profile, which lets it get past the firewall. Registry keys are added under the Network, Explorer and Internet Settings branches to achieve this. The Trojan records the keystrokes typed on the computer and, once a batch has been collected, connects to its server and uploads the log; the computer is therefore no longer safe for handling personal information such as online banking. The Trojan is also said to stop several applications from running, including antivirus programs, firewalls and other programs that might get in its way. A further update may add the ability to take screenshots, so it is better to get rid of it before then. Let's have a look at the removal instructions.

Manual instructions to remove ntos.exe:

  1. Let's begin by starting the system in Safe Mode. Then go to Start-->Run and type "regedit". In the Windows Registry Editor, navigate to the following key and modify this value

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    In the right-hand pane, look for the string value named "Userinit". Open it and remove "%WINDIR%\system32\ntos.exe" (normally C:\WINDOWS\system32\ntos.exe) from it, so that only the default entry, "C:\WINDOWS\system32\userinit.exe," (with the trailing comma), remains.

  2. Now go to these keys and delete the following string values

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
      UID = "%ComputerName%"

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer]
      {F710FA10-2031-3106-8872-93A2B5C5C620} = F7 09 F2 0D

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      ProxyEnable = 0x00000000

  3. After that, reboot the system once again in Safe Mode and, using Windows Explorer, delete the file "C:\WINDOWS\System32\ntos.exe".
  4. Delete the following files as well (if they were registered as COM servers, unregister them first with "regsvr32 /u <path>")
    C:\WINDOWS\System32\wsnpoem\audio.dll
    C:\WINDOWS\System32\wsnpoem\video.dll

  5. Now restart your computer and enjoy. You have successfully deleted the Trojan.


USB_MAGR.EXE

Bit Defender: Backdoor.IRCBot.ACTN:

Discovered in August 2009, this is a backdoor Trojan that enters the computer via removable drives, or through the Internet when you download unknown programs. It fools the user by posing as a Universal Serial Bus service and immediately disables the antivirus or the firewall so that the user does not notice what the system is going through. Like several other viruses, it drops a copy of itself in the "C:\WINDOWS\" directory, from where it is run at every startup; to make sure of this, the Trojan creates a registry entry when it is first run. It names itself "usb_magr.exe" so that it is not recognized among the many bus-related services present. The virus may also inject itself into other processes such as services.exe, which is an easy target. To avoid detection by antivirus products the Trojan is packed (encrypted), so its real code cannot be examined directly. Once a removable disk is connected to the computer, a copy of "usb_magr.exe" is created inside the disk's "Recycler" folder, where it is unlikely to be noticed. Like other pen-drive viruses, it also creates an autorun.inf containing code that points to the virus in the Recycler folder. It opens a channel to a server or web address from which it can be controlled and to which the personal information on the system is uploaded; it also uses this server to update itself, so it needs to be removed immediately to avoid further danger to your computer. The damage this Trojan can do is unpredictable, and an update could even crash the computer. Here are the removal instructions for this backdoor Trojan.

Manual instructions to remove usb_magr.exe:

  1. Let's start with the registry editing, to stop the virus from launching at startup. Reboot the system into Safe Mode first.
  2. Go to Start-->Run and type "regedit". Navigate to the following registry key

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the right-hand pane, look for the value named "Universal Serial Bus device" whose data is "usb_magr.exe". If you find it, delete that value (only the value, not the whole Run key, which legitimate programs also use).

  3. To be sure it is gone from the registry, press Ctrl+F and search for "usb_magr.exe". If you find any further entry, remove the path of the virus from it and close the Registry Editor.
  4. Now go to Start-->Run again and type "services.msc". If the Trojan has also registered itself as a service, it will appear as "Universal Serial Bus device" with the path "usb_magr.exe"; stop it if it is running. Open Task Manager and, in the Processes tab, check for the process "usb_magr.exe". End it immediately if you find it.
  5. Reboot the computer for the changes to take effect, then, using Windows Explorer, navigate to the "C:\WINDOWS\" folder and delete the file "usb_magr.exe". Also go to "C:\RECYCLER\{directory}" and delete any file that you think is associated with the Trojan.
  6. Clean every removable drive that was plugged into the infected computer: open the drive from the Command Prompt or the Explorer address bar rather than by double-clicking it (double-clicking can trigger the autorun.inf), then delete the drive's autorun.inf and the copy of "usb_magr.exe" in its Recycler folder.
  7. Restart the computer once more for the changes to take effect. When it starts again, you can enable your antivirus and firewall. Congratulations, you just got rid of the virus.
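The three write-ups above each come down to the same two registry checks: a value under a Run key that launches the Trojan and, for PWS-Zbot, an extra program appended to Winlogon's Userinit. The script below is an added example (not part of the original post) that performs those checks over a regedit export, so the keys can be reviewed on a clean machine instead of by hand in Safe Mode. The export text is constructed for the example; the file names smc.exe, ntos.exe and usb_magr.exe are the ones named above.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name data reason")

# File names from the three write-ups above.
KNOWN_BAD = {"smc.exe", "ntos.exe", "usb_magr.exe"}
RUN_KEY_SUFFIX = r"\currentversion\run"
WINLOGON_KEY_SUFFIX = r"\windows nt\currentversion\winlogon"

# Constructed "Windows Registry Editor Version 5.00" export: two Run keys
# and the Winlogon key, with one clean entry and the three malicious ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"smc"="C:\\WINDOWS\\System\\smc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Universal Serial Bus device"="C:\\WINDOWS\\usb_magr.exe"
'''

_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')      # "name"="string data"


def parse_reg(text):
    """Yield (key, name, data) for every string value in a regedit 5.00 export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE.match(line)
        if key and m:
            name, data = m.groups()
            yield key, name, data.replace("\\\\", "\\")   # undo .reg backslash escaping


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def triage(text):
    """Flag Run values that launch a known-bad file and Userinit entries other than userinit.exe."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIX):
            exe = basename(data)
            if exe in KNOWN_BAD:
                findings.append(Finding(key, name, data, f"Run entry launches known-bad file {exe}"))
        elif k.endswith(WINLOGON_KEY_SUFFIX) and name.lower() == "userinit":
            # Userinit is a comma-separated list; only userinit.exe belongs there.
            for entry in data.split(","):
                entry = entry.strip()
                if entry and basename(entry) != "userinit.exe":
                    findings.append(Finding(key, name, entry,
                                            "extra Userinit program (should be only userinit.exe)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"[{f.key}]\n  {f.name} = {f.data}\n  -> {f.reason}")
```

To run it against a real machine, export the keys on the suspect system with "reg export" (for example reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg) and read the file with open(path, encoding="utf-16"), since regedit 5.00 exports are UTF-16 text; then extend KNOWN_BAD, or review every Run entry rather than only the known names, as the "any name in %temp%" behaviour of the first Trojan suggests.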

Posts that might help you:
Enable Safe mode booting, enable Registry