Threats Frequently Asked Questions
Notes: Adware is NOT a separate threat category; adware belongs to the Spyware category. Antispyware products do NOT remove antivirus-category threats
such as viruses and worms, and antivirus products do NOT remove antispyware-category threats such as adware and spyware. Rootkits are a SEPARATE
threat, though most antivirus companies added anti-rootkit scanning to their antivirus products around the middle of the past decade (2000-2010). Traditionally, and still today, many stand-alone anti-rootkit scanners are available for detection and removal.
SEE Forensics (reverse engineered malicious encapsulation example – full payload delivered instantly past top defense products).
How can I reset the Hosts file back to the default?
MICROSOFT FIX IT TOOL ***** HOSTS FILES….
How to reset Internet Protocol (TCP/IP)
SPYWARE CATEGORY THREATS / Glossary
a-squared Process List
CA Spyware Encyclopedia
F-Secure Malware Code Glossary
Glossary of Malware
Security Threat Glossary
The Difference Between Adware & Spyware
(antispyware products used to detect/remove)
Malware (malware means all)
Browser Hi-Jackers BHO
Keyloggers – Introduction to Spyware Keyloggers
data miner (spyware)
The Web Bug FAQ
Web Bug Report
E-mail web bugs
Web Beacons – Opt Out at Yahoo
Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on …
BLOG: How Secure is the Windows Clipboard? Clipboard Hijacking
What is ransomware?
Trend Micro Ransomware removal tool
How to rescue your PC from ransomware
NOTE TROJANS ARE BLOCKED – DETECTED – REMOVED BY BOTH
ANTIVIRUS AND ANTISPYWARE PRODUCTS – both needed !
Trojan horse (computing)
From Wikipedia, the free encyclopedia
Trojans – myths & facts
Security software disabler Trojan
Data Sending Trojan
Remote Access Trojan
How to Remove a Backdoor Trojan Computer Virus
Typical back door capabilities may allow a remote attacker to:
any storage device attached to it
* Terminate tasks and processes
* Run tasks and processes
* Download additional files
* Upload files and other content
* Report on status
* Open remote command line shells
* Perform denial of service attacks on other computers
* Change computer settings
* Shut down or restart the computer
Backdoor.Trojan | Symantec
Trojan Downloader Featured Articles
Trojan-Downloader.Zlob.Media-Codec (fs) Information and Removal
http://www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=44478&cs=D4312A93E13E09C94EB75A1F9E6481AC
List of Trojan Downloader Parasites:
DNS cache poisoning
TCP reset attack
Tunneling to circumvent firewall policy
What is script kiddie?
Toxic blogs: Uploading links to malicious Web sites, or when blogs support HTML or scripts, uploading malicious code or using iFrames.
Cross-site scripting
Invisible frames capable of executing malware.
Pretending to be a legitimate entity to lure people to malicious sites.
Social engineering (security) / Pretexting
Search Engine Optimization (SEO)
Cyber criminals manipulate search engine rankings (SEO) in every way they can to push their malicious sites to the top results for popular key phrases, news events, celebrity names and the like.
Typosquatting is a form of cybersquatting that relies on mistakes, such as typographical errors, made by Internet users when typing a website address into a browser address bar or search engine. Should a user accidentally enter an incorrect address, they may be led to an alternative website owned by a cybersquatter, which may infect the computer, lead to identity theft, or capture passwords or any other data typed into forms at the site.
EXAMPLE – instead of http://MSN.com, the mistake is MSM.com, which for this example is owned by cyber criminals. Logins to email, financial accounts, etc. would then be intercepted and abused by the
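A defender-side check for the MSN.com / MSM.com situation above, added here as an example that is not part of the original page: it flags a hostname that is exactly one typo (substituted, dropped, inserted or swapped character) away from a domain on a trusted list, which a proxy log review or a user-facing warning could apply before credentials are typed in. The trusted list, function names and sample hostnames are constructed for the demonstration.

```python
"""Flag hostnames that are one keyboard slip away from a trusted domain."""
from __future__ import annotations

# Constructed allow-list of domains the organisation considers legitimate.
TRUSTED_DOMAINS = ("msn.com", "example-bank.com", "webmail.example.org")


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: Levenshtein plus adjacent swaps.

    Substitution (msn -> msm), insertion (mssn), deletion (mn) and a
    transposition (mns) all count as a single edit, which is exactly the
    class of slips a typosquatter registers.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_part(hostname: str) -> str:
    """Lower-case the name and drop a leading 'www.' so that
    www.MSM.com and msm.com are judged the same way."""
    host = hostname.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(hostname: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str | None]:
    """Return (verdict, matched_trusted_domain).

    'trusted'   exact match with the allow-list
    'lookalike' one edit away from a trusted domain: treat as a typosquat
    'unknown'   no relation to the allow-list (not necessarily malicious)
    """
    host = registrable_part(hostname)
    if host in trusted:
        return "trusted", host
    for good in trusted:
        # Compare the whole registrable name, so a slip in the TLD
        # ('msn.co') is caught as well as one in the brand ('msm.com').
        if osa_distance(host, good) == 1:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a proxy log.
    for h in ("www.MSN.com", "MSM.com", "mns.com", "msn.co", "unrelated.example"):
        print(f"{h:20} -> {classify(h)}")
```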
Disposable email addresses
A trick used by spammers who, when caught, would only lose a free email account, shut down by the email provider for violation of its terms of service.
“Disposable domains” used by spammers arose shortly after the growth of “disposable email accounts”. Cheap website hosting was purchased, which often included up to 200 free email accounts on the domain name. After the spamming campaign (which may have listed contact addresses elsewhere), the spammer/cyberthief would simply close the website, terminating the email addresses as well. Alternatively, the hosting provider may have terminated the domain for violations of its terms of service.
Spammers Step Up Use Of Disposable Domains
September 14, 2006 12:00 AM
“According to trend research conducted by security software vendor McAfee, spammers have increased the number of disposable domains that they use and are cycling through new domains faster than in the past. While this trend is certainly a boon for domain name registrars it is in fact a bane for recipients of email as well as mail system administrators. …..”
Cybersquatting (also known as domain squatting), according to the United States federal law known as the Anticybersquatting Consumer Protection Act, is registering, trafficking in, or using a domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else. The cybersquatter then offers to sell the domain to the person or company who owns a trademark contained within the name at an inflated price.
ADVANCED / FROM OUR FORENSICS PAGE
APPARENT ATTEMPT TO INFECT PLASMA SERVERS….
NON Sample –
There are cases of crimeware disguising its data files (.DAT) as media image files in order to hide them. Infected Media Players….
DAT file manipulation
Reading and writing Isis image buffers. The objects defined below may be used to read and write images to and from two-dimensional DAT files. …
REFERENCE (Symantec above)
“….Blubster is a peer-to-peer filesharing client which is based on MP2P – a proprietary UDP transport protocol…
User Datagram Protocol
User Datagram Protocol (UDP) is one of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer applications can send messages, in this case referred to as datagrams, to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths. UDP is sometimes called the Universal Datagram Protocol
Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be an option in a real-time system. If error correction facilities are needed at the network interface level, an application may use the Transmission Control Protocol (TCP) or Stream Control Transmission Protocol (SCTP) which are designed for this purpose.
BBB Consumer News and Opinion blog (Tab napping)
Tab napping is more sophisticated than phishing scams and it doesn’t rely on persuading you to click on a link to a scammer’s Web page. Instead it targets
internet users who open lots of tabs on their browser at the same time. How does it work? By replacing an inactive browser tab with a fake page set up
specifically to obtain your personal data – without you even realizing it has happened….
Mozilla warns of new phishing scam (Tab napping)
Aza Raskin, a well-known US interface design expert and creative lead on Mozilla’s Firefox browser software, has revealed a new type of phishing attack
known as `tab napping.’ …
Most of us know that we should keep our passwords and other credentials a secret. However, it’s easy for cybercriminals to create a “spoof”, a copy of a familiar website. You might think you’re entering your credentials into your web-based email accounts, social networking sites, or bank websites, but you’re really typing them into a phishing website that was created to steal this information. Cybercriminals have been using this ploy on websites and in pop-up windows for some time, but there are reports of a new phishing technique that takes advantage of the increased use of browser tabs.
Read more | Open in browser
SCAM, HOAX, CYBER URBAN LEGENDS ….
snopes.com: Urban Legends Reference Pages
The definitive Internet reference source for urban legends, folklore, myths, rumors, and misinformation.
“Internet Scams, Identity Theft, and Urban Legends: Are You at Risk?”
Mission Statement: The goal of the Hoax-Slayer Website is to help make the Internet a safer, more pleasant and more productive environment by: Debunking email and Internet hoaxes, Thwarting Internet scammers, Combating spam, Educating web users about email and Internet security issues.
What does it mean?
ROOTKITS WORST THREAT TO COMPUTERS BEFORE BOTNETS
Rootkit FAQ’s (chkrootkit — locally checks for signs of a rootkit)
WORLD WIDE WEB CRIMEWARE / CYBER CRIME EVENTS
FTC.Gov- Phishing Scams and How to Spot Them
Rogue security software
E-mail address harvesting
E-mail harvesting is the process of obtaining lists of e-mail addresses for use in bulk mail or other purposes
usually grouped as spam. Methods range from purchasing lists of e-mail addresses from other spammers to
the more common use of special software, known as “harvesting software”, “harvesting bots” or “harvesters”,
which scan web pages, postings on Usenet, mailing list archives and other online sources to obtain e-mail addresses.
Malicious Active Content
Scams and Hoaxes
Avoid Work at Home Scams – Job Searching – About.com
BOT = the payload of an infection, or a single infected computer; BOTNET = a network of infected computers controlled by a botmaster
(botherder) through Command and Control. (NOTE: a botnet infection can be built up secretly through several installations by viruses, worms, trojans
and downloader trojans, rootkits, spyware kits, virus kits, etc., as well as various other probable instant full-payload infections achieved via reverse
engineering of many security devices/wares/appliances.)
SEE http://bluecollarpc.us/forensics-2/ (reverse engineered encapsulation example – full payload delivered instantly)
Botnet – Wikipedia, the free encyclopedia
botnet Definition: TechEncyclopedia
Botnet : Definition From Webopedia
Article: Battling the Botnet Pandemic
Lavasoft News – March 2007
Battling the Botnet Pandemic. Your home computer may be among the millions of PCs that are under the control of criminals, and worse yet, you may not even
be aware of it.
Article: Botnet – CNET News.com
Security from A to Z: Botnet | These armies of zombie PCs are used by cybercriminals for sending spam .. These armies of zombie PCs are used by cybercriminals
for sending spam. Part of a series on …
Article: Botnet Basics
Bots are software applications that run automated tasks over the Internet. A network of bots working under
a central command and control center is a botnet. This eVideo seminar looks at the basic …
Article: Botnet Battle Already Lost?
Botnets have become a big underground business, and the security industry has few answers.
eWEEK … It’s dress-down Friday at Sunbelt Software’s Clearwater, Fla., headquarters. In a bland cubicle on ..
MSNBC: The lowdown on ‘Bots’
The lowdown on ‘Bots’
What are ‘bots’?
“Bots” – short for robots – are hijacked computers that are infected by computer viruses and then used by criminals
and pranksters for a variety of criminal and malicious purposes.
Who controls ‘bots’?
The criminals behind “bots,” known as “bot herders,” assemble armies of infected computers — often between 50,000
and 70,000 PCs strong — that they can then charge customers for the use of. The going rate for sending spam is $5,000
a day or more, according to Howard Schmidt, former White House cyberczar.
What are ‘bots’ used for?
“Bots” are used to spread malicious programs, send spam, fuel “pump-and-dump” stock schemes and launch
denial-of-service attacks, among other things.
How many ‘bots’ are there?
Internet founding father Vint Cerf recently estimated that 150 million computers have been hijacked. Most other experts
believe that figure is too high, but there is general agreement that “bots” number in the millions, if not the tens of millions.
How can I tell if my computer is a ‘bot’?
You can’t necessarily. Antivirus software will catch most known viruses, but new ones are being created all the time.
It used to be that poor performance often tipped off users that their computers had been infected, but “bot herders” now
distribute tasks among thousands of computers to avoid tell-tale crashes.
How big is the botnet problem?
Feature By Julie Bort, Network World, 07/06/07
Types of attacks: Botnets
DNS cache poisoning: Hacking a DNS so that it directs people who enter legitimate URLs to the hacker’s malicious Web site.
iFrames: Invisible frames capable of executing malware.
Pharming: Creating an illegitimate copy of a real Web site and redirecting traffic to the phony site to obtain information or
download malicious code.
Pretexting: Pretending to be a legitimate entity to lure people to malicious sites.
Toxic blogs: Uploading links to malicious Web sites, or when blogs support HTML or scripts, uploading malicious code or
using iFrames.
VIRUS CATEGORY THREATS
(Antivirus products block, detect, remove)
http://threatinfo.trendmicro.com/vinfo/
Virus Encyclopedia Search
Microsoft: What is a computer virus?
Microsoft: 5 steps to help avoid instant message viruses
Published: September 15, 2006
Microsoft JPEG Vulnerability and the Six New Content Security Requirements
In November 2004, a critical Microsoft security vulnerability (MS04-028) was discovered which could allow attackers to embed malicious code inside JPEG image
files. Until that time, JPEG image files were considered immune to attack. To effectively deal with this vulnerability, security and IT professionals need to
incorporate six new and critical content security requirements into their networks.
(One of first Computer Worms)
From Wikipedia, the free encyclopedia
“The Morris worm or Internet worm of November 2, 1988 was one of the first computer worms distributed via the Internet. It is considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act. It was written by a student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT. ….”continued
Virus that changes its own code with each infection
“A metamorphic virus is one that is capable of rewriting its own code with each infection, or generation of infections, while maintaining the same functionality. The rewriting process allows each infection to appear different from others, but the changes are not supposed to affect the functionality of the code. This is intended to avoid detection by anti-malware software, but can usually be overcome via emulation or other techniques, and in many cases is deployed in a flawed manner leading to large numbers of misinfections. The complex technology required to do the rewriting is known as a metamorphic engine, and the same such engine may be implemented in several different virus variants.
The term is often used interchangeably with polymorphic virus.”
(Real Time Protection products detect/block/quarantine threats)
From Wikipedia, the free encyclopedia
SEE – “Resident viruses”
“….If the virus scanner fails to notice that such a virus is present in memory the virus can “piggy-back” on the virus scanner and in this way infect all files that are scanned. ….”
Glossary of Malware
Security Threat Glossary:
Method by which malware attempts to enter a system. This generally refers to a protocol such as HTTP, SMTP, FTP, IRC, IM, etc.
Anti-Malware – A term generally applied to a software application which combats malicious code through detection and/or removal.
This technique is used to surreptitiously download malware onto a user’s machine. The attack generally includes exploits to browser or OS vulnerabilities, and
may be separated into several pieces so that a user may be directed to several websites or domains to avoid detection by anti-malware programs.
Malware which uses FTP as an attack vector.
URLs which direct a user to a Web Threat
Malware which uses email as an attack vector.
Application-specific attacks – Exploits or hacking attempts which seek to use a vulnerability in a particular software program to gain entrance onto a user’s system.
Socially Engineered Attack
Exploits or hacking attempts which seek to use a user’s susceptibility to fear, trust or titillation to gain entrance onto a user’s system or information. Phishing and
trojans are two types of attacks which rely almost exclusively on social engineering.
URLs which direct a user to content which may be considered inappropriate for certain contexts, such as “adult” or violent content, or network tools which could
be used to compromise a network
This is a category of threats delivered by HTTP which intend to perform actions which harm a user or their system. Phishing, drive-by downloads and sites which
host malware can be considered to fall into this category.
The term Bot (short for robot) is a type of program, which has evolved from RATs (see Spyware definitions). A bot usually leverages an internet facing port to
deliver a program that awaits a further command upon which it can take remote control of the system. Bots are often combined with other infected machines to
form a botnet (a network of bot-infected machines). Bots are used to turn an individual machine into a “zombie” that can then be used for actions such as
co-ordinated DoS attacks on websites, spamming, or hired/sold to others for such use.
An Exploit is a piece of code designed to attack a vulnerability on a computer system, or such an attack. Hackers and writers of Malware look for announcements
of such vulnerabilities by manufacturers and other sources and then attack machines, which have not been patched against the vulnerability. The code is designed
to enable an activity that otherwise could not take place, or to avoid system restrictions preventing such an activity. Various payloads attached to the exploits may
provide the attacker with a number of ways into the compromised system.
Although the term referred originally to Unix systems, the term has come to more widely mean a set of tools or programs that are used on a host system, often
in conjunction with malware, to allow attackers to exploit said system or a network. Rootkits can be used to hide applications from third party scanners and the
term is also coming to mean more generalized cloaking utilities that mask the attacker’s activities. Recently the term rootkit has become more publicly known after
the anti-copy security software on several Sony-BMG audio CDs displayed rootkit-like tendencies as part of their Digital Rights Management strategy.
Spyware is a form of software that makes use of a user’s internet connection without his or her knowledge, usually in order to covertly gather information about
the user. Once installed, the Spyware may monitor user activity on the Internet and transmit that information in the background to someone else. Spyware can
also gather information about addresses and even passwords and credit card numbers. Spyware is often unwittingly installed when users install another program,
but can also be installed when a user simply visits a malicious website.
Types of Spyware used in the West Coast Labs Test Suite
Backdoor – A Backdoor is a secret or undocumented way of gaining access to a program, online service, computer or an entire computer network. Most Backdoors
are designed to exploit a vulnerability in a system and open it to future access by an attacker. A Backdoor is a potential security risk in that it allows an attacker to
gain unauthorized access to a computer and the files stored thereon.
Key Loggers – A Key Logger is a type of surveillance software that has the capability to record every keystroke to a log file (usually encrypted). A Key Logger
recorder can record instant messages; email and any information typed using the keyboard. The log file created by the Key Logger can then be sent to a specified
receiver. Some Key Logger programs will also record any e-mail addresses used and Web Sites visited.
Financials – A Financial is a program that has the capability of scanning a PC or network for information relating to financial transactions and then transmitting the
data to a remote user.
Proxies – Proxies are designed to enable an external user to use a computer for their own purposes, for example, to launch DDoS attacks or send spam, so that
the true originator of the attack cannot be traced.
Password Stealers and Crackers – A Password Stealer is a program resident on a computer, which is designed to intercept and report to an external person any
passwords, held on that machine. A Password Cracker has the ability to decode any encrypted passwords.
Downloaders – A downloader is a file which when activated, downloads other files on to the system without the knowledge or consent of the user, those other
files then carrying out malicious functions on the system.
Hijacker – A Hijacker is a file with the ability to change your default Internet home page and/or to create or alter other Web browser settings such as bookmarks
and redirection of Internet searches or Internet browsing to commercial sites that could offend the user or breach corporate policies on inappropriate or illegal
RATs – A Remote Access Trojan (RAT) is a piece of malware designed to run and gain access to a remote computer across a network or the Internet in order to
carry out a particular purpose on that remote computer, that purpose being malicious and without the consent of the remote system’s owner or user. Access is
usually gained by use of a backdoor, either already installed or included in the code of the RAT.
Trojan Horses or Trojans are destructive programs that pretend to be benign applications. Unlike Viruses or Worms, Trojan Horses do not replicate themselves;
they can be damaging to networks by delivering other types of Malware.
A Virus is a program or piece of code attached to a file or diskette’s boot sector; it is loaded onto a computer without the user’s knowledge. Viruses are manmade
(though they can be corrupted in use to form new variants of the virus) and replicate themselves by attaching themselves to files or diskettes, often soaking up
memory or hard disk space and bringing networks to a halt. Most recent viruses are internet-borne and capable of transmitting themselves across and bypassing
security systems. Minor variants of the same virus are classed as families of viruses.
A Worm is an insidious program or algorithm that replicates itself over a computer network or by email system and usually performs malicious actions, such as using
up the computer’s resources or distributing pornography and possibly shutting the system down. Unlike Viruses, Worms copy themselves as standalone programs
and do not attach themselves to other objects.
Eavesdropping, Data Modification, Identity Spoofing (IP Address Spoofing), Password-Based Attacks, Denial-of-Service Attack, Man-in-the-Middle Attack, Compromised-Key Attack, Sniffer Attack, Application-Layer Attack
FULL DESCRIPTIONS: http://technet.microsoft.com/en-us/library/cc959354.aspx
By Antone Gonsalves, CRN
An Austrian security analyst has built the first known bootkit that bypasses Windows 8’s defenses against installing malware while the operating system is booting.
Peter Kleissner, an independent programmer and recognized …
A kernel-mode rootkit variant called a bootkit is used predominantly to attack full disk encryption systems, for example as in the “Evil Maid Attack”, in which a bootkit replaces the legitimate boot loader with one controlled by an attacker; typically the malware loader persists through the transition to protected mode when the kernel has loaded. For example, the “Stoned Bootkit” subverts the system by using a compromised boot loader to intercept encryption keys and passwords. More recently, the Alureon rootkit has successfully subverted the requirement for 64-bit kernel-mode driver signing in Windows 7 by modifying the master boot record.
Windows 8 Spells Trouble for Linux, Hackintosh Users and Malware Victims
Windows 8 won’t dual-boot Linux?
Microsoft, Red Hat Spar Over Secure Boot-loading Tech
Windows 8 Dual Boot Possible If ‘Secure Boot’ Disabled
How to change the boot order of a dual-boot Linux PC
Linux Licensing in Conflict with Secure Boot Support
FSF warns of Windows 8 Secure Boot (Sign Petition)
Linux Foundation, Canonical and Red Hat Weigh In On Secure Boot
The right to dual-boot: Linux groups plead case prior to Windows 8
Linux Foundation: Secure Boot Need Not Be a Problem
Linux Community Offers Secure Boot Ideas
Leading PC makers confirm: no Windows 8 plot to lock out Linux
Linux Advocates protest ‘Designed for Windows 8’ secure boot policy
Linux Community Counters Microsoft’s Windows 8 Secure Boot Mandate
Hardware Design and Development for Windows 8
Unified Extensible Firmware Interface
Windows 8 “Secure Boot”
Compromised already by bootkit:
(This is a great debate and many, many articles already )