Social Icons

Showing posts with label backdoor. Show all posts
Showing posts with label backdoor. Show all posts

Thursday, November 24, 2011

THREATS TERMINOLOGY & GLOSSARY : PART 1

1. The term VIRUS is still used in talks amongst the victims of so many threats which are relatively unknown to the normal user.Here I am putting down the commonly known present day threat terminology.I am missing out on the regular ones that include Malware,adware,spyware,spam etc....

BACKDOOR 

2. A remote administration utility which bypasses normal security mechanisms to secretly control a program, computer or network. These utilities may be legitimate, and may be used for legitimate reasons by authorized administrators, but they may also be misused by attackers. A backdoor is usually able to gain control of a system because it exploits vulnerabilities, bugs or undocumented processes in the system's code. 

A Variation: The IRC Backdoor 

3. There also exist IRC backdoors, which are controlled via bots hidden in specific invite-only IRC channels accessible only to the attacker; these bots serve as the client component of the traditional client-server backdoor arrangement. 

BLUE TOOTH WORM 

4.  A platform-specific type of worm that propagates primarily over a Bluetooth network. This type of worm is almost always designed to function on mobile devices, which make more use of Bluetooth connectivity than computers. 

BOT 

5. A malicious program that, on being installed onto a computer system, allows the attacker to enslave the system into a network of similarly affected systems known as a botnet. The individual computers in a botnet may also be referred to as a bot or a zombie. 

BOTNET 

6.  A portmanteau formed from the words robot and network, a 'botnet' is a network of infected computers that can be remotely controlled by an attacker, usually via a command-and-control (C&C) server. Each infected computer may be known as a bot , a zombie computer , or a zombie . 

BROWSER HELPER OBJECT (BHO) 

7.   A type of web browser plug-in specifically designed for use with the Microsoft Internet Explorer browser. A Browser Helper Object (BHO) executes automatically every time the browser is launched and provides functionality that is not built-in to the browser. 

CROSS SITE SCRIPTING 

8.   A type of attack in which malicious scripts are injected into a legitimate website in oder to be served to subsequent site visitors. Cross site scripting (XSS) attacks can result in a variety of effects, including hijacked web browsing sessions, stolen session cookies, information theft and more. As more people become increasingly dependent on web-based services, XSS attacks are becoming increasingly common. 

DENIAL OF SERVICE

9.   A type of Internet-based attack that aims to deny legitimate users access to a service (for example, a website or a network) by overloading a relevant computer resource or network device. The most common type of Denial of Service (DoS) attack takes the form of a massive amount of requests being sent from a host machine to the target, for example, a government website server. 

ICMP Flood

10.   The attackers sends out a flood of ICMP_ECHO packets to the target, swamping CPU usage and effectively rendering the target unusable until the flood is ended or the target is reset or restarted. 

Peer to Peer attack

11.   Attacker exploit bugs in peer-to-peer servers and redirect clients from the peer-to-peer server to the target server instead, flooding the target with thousands of connections and overwhelming its resources. 
Application level floods: A DoS attack carried out via particular applications, most commonly Internet chat systems. The most common kind of flood is an IRC flood, which is carried out on the popular IRC chat system. 

DISTRIBUTED DENIAL OF SERVICE (DDOS)

12.   A type of attack conducted over the Internet, using the combined resources of many computers to bombard, and frequently crash, a targeted computer system or resource (e.g., a program, website or network). 

GENERIC DETECTION

13.   A new type of sophisticated detection that is being increasingly used by antivirus programs to identify programs with malicious characteristics. Unlike more traditional detections (also known as signature-based or single-file detections) a Generic Detection does not identify a unique or individual malicious program. Instead, a Generic Detection looks for broadly applicable code or behavior characteristics that indicate a file as potentially malicious, so that a single Generic Detection can efficiently identify dozens, or even hundreds of malware. 

POLYMORPHIC VIRUS

14.   A virus that mutates, or modifies, its own code at various intervals. The changes in code typically occur each time the virus replicates, or infects a new machine. Detection and disinfection of a polymorphic virus can be very challenging, as mutating code makes traditional signature-based detection methods ineffective. Nowadays, many antivirus programs instead use heuristic analysis to identify polymorphic viruses.

POLYMORPHISM

15.   The act of a virus 'mutating' parts of its code at various intervals in order to evade detections. By constantly changing its code, a virus ensures that each iteration of its code looks different from the preceding one, making it impossible for traditional signature-based antivirus programs to identify the two iterations as one and the same virus. These so-called 'mutating viruses' can be divided into polymorphic and metamorphic viruses. 

Polymorphic Versus Metamorphic 

16.   A metamorphic virus works performs its mutation routine differently. Rather than using encryption to obfuscate its virus body, a metamorphic virus 'rearranges' entire chunks of actual code between iterations in order to create a seemingly different virus. The changes in code are directed by a metamorphic engine and despite the alterations, do not affect function - that is, the virus is still able to perform the same malicious actions through each iteration. Fortunately, the major code changes performed by a metamorphic virus require a high degree of technical skill from the virus author, and there are very few such viruses in the wild so far.

ZERO DAY

17.   A type of attack that exploits a recently publicized vulnerability or security loophole, before program vendors or the security community are able to develop a patch for the vulnerability. The period between the public announcement of a vulnerability and the first release of a patch fixing the vulnerability is also sometimes referred to as "zero hour" – even if the actual timespan is longer than an hour. Dealing With Zero-Day attacks A zero-day attack can be very destructive, as vulnerable systems generally have few defenses against it. 

Saturday, January 29, 2011

Trojan.Spy.YEK : The Corporate Spying Tool


1. The Stuxnet trembles and quakes are still not over and unlikely to be forgotten for some years.After the stuxnet storm ,each one from the corporate sector IT bosses to IT admins in individual capacities,every one was trying to be careful of any sign of outside intrusion . These days when some e-threat comes along and sniffs for critical data, it could mean billions & trillions of money IN/OUT in seconds. 

2. Trojan.Spy.YEK is unlike a regular Spying Trojan that looks for documents and archives that may hold private information but also sends it back to the attacker.

3. Trojan.Spy.YEK has both spying & backdoor features with an encrypted dll in its overlay, this Trojan is easily saved in windows\system32\netconf32.dll and once injected in explorer.exe nothing can stop it from connecting (whenever necessary) to a couple of easy pings & sharing all with the attacker.

4. The backdoor component helps it register itself as a service so as to receive and follow instructions from a command and control center, while the spyware component sends away data about files, operating system, while also making screenshots(trying to make a user freindly hand guide for later action...isn't it so caring?????) of the ongoing processes.

5. Some of the commands it is supposed to execute are: sending the collected files using a GET request, sending info regarding the operating system and computer, taking screenshots and sending the results, listing the processes that run on the system and sends them away, finding files with a certain extension. Shortly put, it uploads all the interesting data on a FTP server without the user’s consent.

6. The fact that it looks for all that it is linked to archives, e-mails (.eml, .dbx), address books (.wab), database and documents (.doc, .odt, .pdf etc) makes Trojan.Spy.YEKa prime suspect of corporate espionage as it seems to target the private data of the companies.

7. This infection will change the registry settings and other important windows system files. If Trojan.Spy.YEK is not removed it can cause a complete computer crash.Some Trojan.Spy.YEK infections contain trojan and keyloggers which can be used to steal sensitive data like passwords, credit card, bank account information etc. 

8. On top of that, the Trojan can run without problems on all versions of Windows® from Win 95® to Seven®. 
Powered By Blogger