Saturday, September 25, 2010

Bom Sabado! Orkut Worm!!

Blog moved. I have a new home now at Do update your bookmarks :)
Today I have been getting many scraps from friends (in Orkut!!!) with just the text "Bom Sabado!". Google translator tells me that it means "Good Saturday!", well seems like its going to be not so good Saturday for many!!.As time passes by more and more people seems to sends this scraps, indicating clearly that this is  some kind of a worm.
So I thought of digging into it a bit deeper, I created a dummy account so that my normal account will not be affected.Then added myself as friend in the dummy account, so that I can monitor it.Then I opened the scrap I got from the dummy account.While inspecting the source code, I found that the suspicion is true, it in needs is the work of a worm!!.I found following iframe  code injected along with the message into scrap.
This injected iframe loads "worm.js"  script from tptoolsorg which apparently causes all the problems.

Downloading the worm.js from the source and decoding it gives me following observations.
  1.  It uses standard JS Objects and XMLHttpRequest to all sorts trouble.
  2.  Code is obfuscated by using octal representation for objects and weird names  (eg: _0x7c2bx4) for variables. 
  3. It does the following if you opens a scrap page.  
  • Makes you join 5 communities.
  • Sends Scraps to all your friends.

Following shows the part of the code that is responsible for the problems.

The main sign of infection is that, your browser will be hanged for a while if you open such a page.if you find it happens to you, close the browser immediately. It will prevent the worm from spreading.

Recovery Methods
  1. Clean all the cookies and private data stored in the browser. 
  2. Install Firefox and NoScript addon, it will block all the scripts. Allow only those you wanted. But be careful not to allow scripts from tptoolsorg.
  3. Remove all those "Bom Sabado!" scraps from your Scrapbook.
  4. Be careful not to visit any of the infected pages until Google fix this injection vulnerability.

Thursday, September 9, 2010


Blog moved. I have a new home now at Do update your bookmarks :)
If you are a regular user of FB, there is a high chance that you must have seen something like this in your Newsfeed.
 The title will create such a curiosity in one's mind that, you will be forced to click on it. On clicking the link, you will be taken into a website with a "Like" button and with with texts asking you to click on the like button to proceed.
If you click on the Like button, it will be added to your likes and interests [ As per FB documentation, a page you Like will have capability to publish content to your News Feed whenever it pleases to, till you manually remove it ] Once you Liked the page, it will again ask you to share it with your friends as Step2 to view the "Amazing Content".

If you click the Share button, a popup window will come up asking you to Share the content with your friends.If you try to Skip it, an alert window will come saying unless you share this, you won't be able to see the content.
Driven by curiosity and unaware of the consequences, many people will actually share it!!, leading to further propagation of the scam. The result of all these so called "Steps" is that you will be presented with page asking you to perform "Human Verification" by completing a survey!!.Each time someone does a survey, the Scammer get money!! and free publicity, what an amazing marketing strategy!!.
How it is done?

By checking the source code of the page, it can be seen that Scammers are exploiting FB's own social plugin APIs!!.
They have added few Javascript of their own to detect using pressing 'Like' button, also to create an alert if the person refuses to Publish it to friends .

In this particular case, FB's own APIs are being used, and no password stealing code/malware download code has been found.But since 'liked' page has the capability to push content into the user, its very much possible to do worm/Trojan spreading using similar tactics.
Digging deep into the code, the final destination to which user will taken after Liking and Publishing is found.
If you visit this page directly, you will be treated with a page asking to complete the survey.If you act fast enough to hit the 'Escape' key as soon the page is getting loaded to stop the advertisement from getting loaded, you will be able to see the "Actual Amazing Content".

This just one of the hundreds if not thousands SCAMS that being propagated over FB, most of them uses the same tactics.If you have already fallen for one, go to Likes and Interests in your profile and remove the particular page.If you haven't , be careful not be a victim.Happy Facebooking!! :)

Friday, July 2, 2010

"rememberthistime" New Malware In the Wild

Blog moved. I have a new home now at Do update your bookmarks :)
Today morning I got a mail from a friend of mine with the following content.

"I ran into some of your old friends the other day, they wanted me to
send you this."
The email contained an attachement named "rememberthistime.rar"
It seemed a legitimate mail in first glance, opening the rar file, I have found a an application seemed to be a screen saver named "rememberthistime.scr". Though it is highly possible that the friend would have compiled a screen saver with old photos, I have the policy of not opening executable file from emails, no matter what it claims to be, so didn't bother to open it.Soon he send another mail saying that,it is a virus.He accidentally opened the attachement, which made his firefox to crash.And later only realised that email has been send to all the contacts in his account.

Google search about the file confirmed the suspicion, with reports from many people saying that they had the same problem.It seems to be a new virus as it is not detected by many antivirus products. (See the report from Virustotal) only 17 out 41 product detects it.Especially Avast and AVG, commonly used free antivirus products couldn't detect it, which leads to the wide spread.
As of now I couldn't find much information about the behavior and removal of this particular malware.
I have done a quick analysis of the binary.For the exact details go through the links ( Anubis,ThreatExpert)

To summarize the findings

1. It creates a startup registry entry as well as following executable  are copied into Windows directory "services.exe" and "UNSTALVTB16.exe"
2. Following process were created by the it "errdlg.exe","SoundMan16.exe", SoundMan32.exe","services.exe"

Removal Instructions

1. If you have accidentally clicked on the file, immediately logg off from all the signed in accounts, as it seems the malware uses  signed in credentials to send mails to all your contacts like gmail,yahoo etc..

2.Open the task manager and end the above processes if exists.

3.Open regedit, find and delete the following entries "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}", "HKEY_LOCAL_MACHINE\SOFTWARE\Application.exe","HKEY_LOCAL_MACHINE\SOFTWARE\Application.exe\Application"

4.Delete the files "services.exe" and "UNSTALVTB16.exe" inthe Windows directory

5.Update the antivirus you currently uses and do a full system scan.

6.Its a good idea to install BitDefender/SpyBot S&D/Kaspersky and do a full system scan as it is known to detect and remove this malware.

Hope this will help someone to remove the malware in time before it does further damages.

[Update just now got the analysis from Joebox, upon execution the malware seems to produce an error like this]

Sunday, June 27, 2010

Stay Safe Online: Strong and easy passwords

Blog moved. I have a new home now at Do update your bookmarks :)
Passwords are the most critical part of security, it keeps everything from your emails,social networks  to your financial transactions, safe. No matter how secure the systems are, or how much money  was spend to buy the latest security software, you are totally vulnerable if the chosen password is your second name or date of birth.

Most difficult question is, how to make easy-yet strong passwords????.I have came across an interesting article in this topic, you can read it here.

My favorite method is to use a long phrase or a sentence  as password.For example "youwillneverhackmyaccount" will be a very strong password, very easy to remember also.

If you want to have separate passwords for different websites you can customize the phrase to suit it.For example "ihaveastrongpasswordfororkut" can be used for orkut and for facebook change the name to FB :)

To create passwords with numbers and alphabets, form a statement containing numbers.Example "mydobis28june2010".There is very little chance that, anyone will be able to guess this password even if he/she knows your DOB.

For even more security, you can include special characters also in the password. The key to remembering them is to apply the fact that, those characters  can be typed by pressing shift and pressing the corresponding number.You can remember "mycarsnumberis12#$" as 'mycarsnumberis12shift34'.

Hope this info help you to create a strong password next time you decide to have one.

Wednesday, June 16, 2010

Stay Safe on Gmail : Recovering from a password hack

Blog moved. I have a new home now at Do update your bookmarks :)
Ever had the nightmare of someone hacking into your mail account?Losing all the contacts you had in a moment....unable to access important mails, or even worse someone is taking advantage financially?Well these are common scenarios theses days, with the increased number of malware infections,increased online presence and reused passwords.If you depending gmail as your main email address you may want follow some precautions to ensure that you can recover your account without much loss and in time, in the event of an incident.

Have a separate secondary email address ready: The first step in recovering your gmail(or google account in general ) password is through the secondary email id.  If the hacker haven't changed your secondary email address,then you can reset the password, hence regain access. If are not sure about your secondary email or haven't set it yet, go to google account settings.There select change password recovery option. Then set your secondary email, security question and update your phone number also. Its better to have a dedicated email account separately to be used as the secondary email for various services you use.Make a point to set a different password to this account, and also do not enable email forwarding.For added security,do not disclose this address to anyone or use it for any other purpose.

Try your luck with security question: If you lost access to your secondary email address or couldn't remember the id itself now, you can try password recovery using the security question you have set.But if the the hacker is smart, he will immediately change these details once he have access.So the only option left with you is to use the password recovery form and prove that you are the rightful owner of the account by entering few details.

Proving your ownership: If all the recovery methods specified above is failed, then the only option left is to prove to the google  that you are the rightful owner of that account.The recovery form can be found here.So take a sheet of paper and write down the following details( you can also use your mobile for easier access).Even if you can't find the exact details,get the closest data.

 Account Creation date:Go to the oldest emails in your Inbox.There will be a welcome email with the subject "Gmail is different. Here's what you need to know" from the Gmail Team upon creation of your account.If you have deleted that email,take the date from the first email you have received.

Orkut and blog creation date:Most likely you will be having these two enabled(if you don't have it,create it and note down the dates).For getting the approx creation date of orkut account, take the date of the first scrap you received.For blogger, go to your profile and note down "On blogger Since" date.

Also note down the account creation date for any two of the google services like analytics,adsense etc.[If you don't have any of these services activated, now is the time :) ]. For Analytics, look at the first date when it started collecting stats for your website(s). For AdSense, you may take the help of your AdSense account manager.(I don't know how to get the creation date for services other than these,if you have any idea kindly let me know, I uses these only.)

Noting down some more details like, most emailed contacts,custom labels created, email address of the person invited you to gmail may also help you in some cases.

Once you have recovered your account, reset your password,secondary email,phone and security question immediately. Also do check the "Forwarding and POP/IMAP" tab in the settings page for any forwarding rules added.The hacker could have added a forwarding rule so that he will be able to read all your mails, even if he lost control of the account.You may also check the activity history by clicking the "Details" link at the bottom of the page.It will give you the IP address of the hacker, by which you can pinpoint(may not be possible always) the attacker.

But always prevention is better than cure, do take precautions while browsing on a public system,un-secure wireless connection.Be cautious about the links/files you get in mails etc.You can create a backup copy of your inbox locally using  an email client like Evolution/Outlook etc for better security.

[Update: Friend of mine suggested another idea for archiving, create a separate gmail account and add an email forward to this account from your normal mail.Also add send email as u r original email in this secondary email.So even if your email is compromised you will have all your mails and still will be able to send emails.  ]

Thursday, June 10, 2010

Tabnabbing : All your tabs belongs to me!!

Blog moved. I have a new home now at Do update your bookmarks :)

Ever heard of the word "tabnabbing"??? well I haven't until a few days back. Guess what, a new word to the  community and new method of attack to the bad guys!!. Its a new method of attack, that can be used for phishing, unveiled by Aza Raski, Creative Lead of Firefox, exploiting the weakest element in the chain Humans!!.

Well since the introduction of tabbed browsing, most of us surf the web with multiple tabs open, since its very convenient, and keep switching between them.You read news,chat with friends,update your FB status, all in different tabs. Here comes the problem, since all the tabs are open by us, we tends to trust them!!. Its not possible that the webpage in one tab might have changed while we are browsing in another right??.

Wrong!! as demonstrated by Aza, its possible for an attacker to detect that your viewing another tab and change the content of a particular tab to a phishing page.It happens relatively fast so that users won't normally see the page getting reloaded.

How Exactly the Hack Happens?
1. Someone is sending you a link to a web page say an article about present job market to your gmail id.
2.You open that page in a tab, which seems like a legitimate article.
3.After giving it a quick read, you navigate to another tab to check the cricket score.
4.Attacker's page detect that you have navigated away and haven't interacted to it for a while.It replaces the favicon icon with that of gmail's,the title with “Gmail: Email from Google”,  and change the page contents to look like the login page.
5.As the user scans through the open tabs, he/she will see the familiar looking Gmail favicon and title, without much doubt he/she will be ready to enter the username and password in the page thinking that it might have been automatically signed out, which is a normal situation.
6.The credentials goes to the attacker and you will be redirected back to gmail's page.

Well the attacker got what we wanted,and you have no clue!!.If the same password/username combination is re-used in a bank OR if the attack is performed with a bank's login page then the loss of the victim will be much more.

Still not convinced!!!??? See the video and you will understand.

[The video is taken from aza's original post which you can see here]

So How Do We Fix It?
The attack is based on human psychology,rather than any vulnerability in the software, which makes it difficult to prevent.Firefox is coming up with Firefox Account Manager which will protect users from these kind of attacks and makes logging into websites easier, at least they claim it that way.Another method is to use NoScript to block all the un-necessary scripts/flash/java in a webpage, which will block not only this attack but a bunch of others too.

Sunday, May 30, 2010

Stay safe on Facebook

Blog moved. I have a new home now at Do update your bookmarks :)
There has been so many talks about FB privacy recently, so I thought of putting my thoughts and tricks found on the net to stay as safe as possible on FB while connecting with the friends,[ the safest thing will be not to have an account and you can live without any fear of leaking your personal data ;) But since now FB has become part of our life for the most that is not entirely possible ]

Still not convinced the need to lock down your account!!! visit Its a website that lets people search through the content posted by other people, who didn't bother to keep their updates private!!. A quick look at the recent searches will give you a glimpse of real danger!!.

So hope that site will make you understand the need for privacy [:P]. But unfortunately the privacy settings in FB are not that simple, even if you master it today it will definitely changed in few days!!. To add to the complexity, FB follows the "opt-out" policy than the "opt-in",which will make the profile public by default and gives you an option to opt-out!!.It should have been the other way around!.

Anyways, there are few apps/sites that will let you check the privacy level of your FB profile.
Privacy Check App

This is a FB application that will let you rate your profile privacy out of 21.It seems its impossible to hit a score of 21.I have found that a score of 15 will ensure you a profile with enough privacy. Mine was 14 before I changed the settings.
As a foot note, you can in-fact lock down your account to 100%, but then there won't be any point in having such an account. So have look at your score and decide on your self what to expose and what not to.
Another good tool is Reclaim Privacy but it was not working at the time of writing of this blog, hopefully soon it will be back in action.

What made FB so popular is the huge collection of apps it had.Which has now become the most serious threat to the users, because of the fact that once you let an application access  your profile,by default it will have access to all your personal information until you manually revoke it!!!. So far I haven't found any easy way to say which all applications are harmful and which are not!!. The best thing to do now if you are serious about privacy is go to Application Settings by clicking the Account tab on your top right side and remove all applications that you are not using now.You may have to check this list often to make sure that  no apps have sneaked in.

Wednesday, May 5, 2010

Facebook SCAMS

Blog moved. I have a new home now at Do update your bookmarks :)
As Facebook is growing in popularity,its increasingly becoming the target for various kinds of malicious attacks.I have spotted one such scam couple of days back, which will trick people into copy pasting javascript code into their browser's address bar.The code in the scam which I spotted did nothing but to invite all FB friends to view this particular scam page by sending out suggestions.Though it seems a harmless( irritating though) trick, one could some malicious intend ( say fetching the contacts personal details or session cookie) to it.
It started with the suggestion I received from a friend that I should become the fan of the page "WORST STATUS UPDATE ON THIS PLANET".Clicking this particular invitation will bring you into a page like this.

According to this page it is a two step process(!!) to reveal the WORST STATUS UPDATE EVER, first of which is to click the [LIKE] button.  

One you click the button, it will redirect you to another page, which will ask you to copy paste the given code into the browser's address bar and wait for the content to load.
While you wait, the code running in the background will send out suggestions to your FB friends, to become the fan of this page( which explains the suggestion I got).This page is no longer accessible now(thankfully), it might have taken down by the FB.

Googling parts of the javascript code showed that its a readily available piece of code to invite all your friends.Which shows this is not the only attempt made.( google revealed same tricks were used by scammers for long time, but still 2000+ people fell for this!!!).Its really disturbing to see that people blindly believe everything they see in the social networking sites( esp if it's supported/suggested by a friend). We really need to realize that not everything  we see needs to be true. So the best practice from my point of view is to think before you do something online.

Sunday, April 18, 2010

How to Stay safe on public Wi-Fi

Blog moved. I have a new home now at Do update your bookmarks :)

I have found an interesting article about staying safe on public wifi, so thought putting some points of my own. You can read the article here.

What are the safety concerns associated with public Wifi?
         Public Wi-Fi networks will be mostly un-encrypted, which means anyone with a wireless card and a laptop will be able to see the pages you are visiting, you emails etc.People hesitate to turn on the encryption on a public network inorder to avoid the hassle of key management.Every encyptd network needs a key( like a password) for decypting the traffic, how do you share the key among the users, say in an airport where people come and go very fast. Thats not the case in your home network where you once setup the network, set the passkey and tell all of your family members.
         Even if the network in encrypted, still all the people in the network will be able to see the traffic you are generating. Yet another problem ( its not exactly with public wifi, but with windows wifi implementation) is that if a default access point is set in your XP machine, it will automatically try to connect that SSID. If it didn't find such a AP, it will create an ad-hoc network with that particular SSID. An attacker can listen for the broadcast signals from your machine for the SSID and can create a fake wireless network with that SSID, allowing them to connect to your PC.
So some one else can see my traffic, whats the big deal??
         Well, eavesdropping in the traffic won't do any harm if you are using the net for only, say seeing the cricket score or checking the weather or any other activity which does not require a login or some other kind of authentication. If you are checking mails, or logging into a social networking site, then there is a chance that your password might get compromised, as your login information will be send over the network which could be read by an attacker.Most site has an option to use SSL(Secure Sockets Layer ) to protect its users from such attacks.But most of them may not use this by default( use of SSL can be recognized by looking at the URL, SSL uses https:// instead of the normal http:// )
or some even donot have such an option!!!. 
        Another problem is the usage of email clients like Microsoft outlook or Thunderbird. These softwares will not use any encryption for mail transfer, which basically means if you use you laptop in a public wifi to dowload your work mail using Outlook, its almost like printing the mails and giving it all the people around you!!.

What are the precautions that can be taken??
       Whenever possible try not to use a public wifi, especially for financial transactions or offcial purpose. The best thing to do is to switch off your wireless card when in a public place.Even if you are not using the network, malicious softwares can still sneak in, if your system is just connected to the network, through the bugs in your installed softwares using what is know as remote exploits.
       It may not be always possible to stay away, especially if you have to kill hours or have to send some urgent mails etc. You can do the following things to keep you secure as much as possible.
  •        Keep your softwares and OS up to date, that means windows updates as well.If you are having a pirated OS, your are in trouble. Either buy an original version or switch to a linux flavor.
  •        Install and keep  updating  an antivirus and firewall software
  •        Always use SSL ( URLs  beginning with https:// ) for the whole session,by default most sites protect its login pages with SSL, but not after that, you are still at risk as some one can steel your authentication tokens send with each request or read your mails.( Its worth mentioning that gmail now by default uses SSL for all the communications.).How to do that, use https:// always. For example instead of going to goto
  •      Never open Outlook while in a public wifi, as it will automatically download the mails through an unencrypted channel. Always use the webmail, as most of the standard installations protect all the communication with SSL by default.
  •      If you have VPN access to your company network, use it. It will not only protect your mail transactions,also it will protect your all other traffic. If you are using VPN, then it will be OK to use Outlook, since the communication will be happening over the encrypted VPN tunnel.In fact if you are under a VPN, you are protected from most the above described threats.  
  •    Never use a website that does not offer SSL for during any serious transactions. A good example will IRCTC website. They donot offer any SSL. So its best NOT to use it while on a public Wifi.

Tuesday, April 6, 2010

"Shadows in the cloud" - Is indian defence secrets are at risk?

Blog moved. I have a new home now at Do update your bookmarks :)
The recent news in the Indian media about Indian defense documents being stolen by Chinese hackers is a pretty disturbing one. The news is based upon the research report published by the Information Warfare Monitor and Shadowserver Foundation, titled "SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0". You can read the actual report here

The most interesting observation from this report is the shift in the focus and the nature of the attackers, the face of attackers are changing from lonely kids in their parents basements trying to impress their friends to well knowledgeable professional doing organized crimes for financial benefits. There has been incidents in the recent times that even state actors are promoting hacking for there own profit.

The research is started on the lines of earlier research works done, which revealed that computers of His Holiness Dalai lama was compromised along with that of several others to form a eave dropping network that they called 'GhostNet'. The findings given in the report is shocking as far as Indian Computer Security is concerned. There has been clear evidence that, its a cleverly plotted one tailored to compromise Indian defense systems and to steal sensitive data.

It has been confirmed by them that the malware used in these attacks have uploaded a number of documents from the compromised systems to few Central servers controlled by the attackers.They were able to recover documents( mainly in pdf ) from one of these control servers, few of them are marked SECRET, CONFIDENTIAL etc.The recovered documents also include 1,500 letters sent from the Dalai Lama’s office between January and November 2009. The profile of documents recovered suggests that the attackers targeted specific systems and profiles of users.

Compromised systems includes that of National Security Council Secretariat India, Diplomatic Missions ( Indian Embassys ), Institute for Defence Studies and Analysis,
Defence-oriented publications like FORCE and United Nations. From the nature of the targets selected, it is clear that the attack was indeed intended to collect intelligence on India military and related organizations.

Researchers identify the attackers to hail from PRC.Evidence of links between the Shadow network and two individuals living in Chengdu, PRC to the underground hacking community in the PRC. Though there are no evidence to suggest a tie between the hackers and PLA, considering the mode of operations of PLA and the patriotic hacking activities in PRC, there is a high probability that the documents that were siphoned from the compromised systems can end up in with PLA.

They were not able to clearly identify the exact method used by the attackers to infect the target machines, but the evidence suggested that exploits are used against PDF and MS office files which will install a trojan leading to first level infection. Attackers have used a well know services like google groups and twitter to control the infected systems.This attack is the latest example of using trusted sites for malicious purpose in order to circumvent easy detection.

It can be concluded that this incident should not be seen as an isolated one, but should seen in connection with previous attacks. The underground hacking community has become a well organized crime unit. In order to combat the terror mutual co operation between various governmental/non-govt agencies and even between counties are required.

Viruses Simplified

Blog moved. I have a new home now at Do update your bookmarks :)
3 types of "viruses" demystified

In the anti-malware business we often quibble over details the general public does not care about. To us these differences are important, though, as classifying a piece of malware helps us define and understand its nature and helps those of us stuck with detecting or cleaning up an infection.

Many people, especially journalists and Mac users, try to use their understanding of these terms to defend their poor choices in security practices. I thought it might be a good time for a little review over the Easter weekend to explain the differences between these types of malware, and unblur the lines between them.

Read the rest of the story...

Thursday, March 18, 2010


Blog moved. I have a new home now at Do update your bookmarks :)
hi all..

Welcome to the world of computer security. There are so many blogs out there dealing with the topic of Computer Security.. But most of them are highly technical, the aim of this blog, as the name suggests is to provide a simplified picture of the computer security field. How various events in the computer security realm affects a normal computer user. What all precautions one needs to take to overcome the new threats etc.. I will try to put in as simple as possible. But if you have any doubts feel free to ask in the comments...