Top 15 Malicious Spyware Actions

17/11/2008

Spyware authors have ramped up their malicious code to invade users’ privacy at unprecedented levels. The following list describes some of the most malicious activities of today’s spyware, illustrating the need for solid antispyware defenses.

Changing network settings: To prevent signature updates for antivirus and antispyware tools, some spyware alters the infected machine's network settings. This type of attack could edit the infected machine's hosts file (pinning update servers to a dead address), apply outbound IP filters, or alter the system's DNS server so that all names are resolved by an attacker-controlled DNS server.
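As an added example, not part of the SANS text above: two shell checks for the first and last tampering methods just described. The first flags any hosts-file entry that overrides a security-update hostname (loopback or otherwise, since a legitimate hosts file has no reason to pin an update server), the second flags resolvers in a resolv.conf-style file that are not on an allowlist. The watched hostnames and the resolver allowlist are illustrative assumptions to be replaced with your own vendors' update hosts and your own resolver addresses. On Windows the hosts file lives at %SystemRoot%\System32\drivers\etc\hosts and resolvers are adapter settings rather than a file, so only the first check carries over directly.

```shell
#!/bin/sh
# Added example: detect hosts-file and resolver tampering of the kind
# described above.  Both lists below are assumptions for illustration.
WATCHED_HOSTS="windowsupdate.microsoft.com update.microsoft.com download.windowsupdate.com"
ALLOWED_RESOLVERS="192.168.1.2 192.168.1.3"   # assumed internal resolvers

# hijacked_hosts FILE
# Prints "LINE HOSTNAME ADDRESS" for every hosts entry whose name is a watched
# host or a subdomain of one.  127.0.0.1 or 0.0.0.0 is the classic sinkhole
# that silently stops signature and patch downloads.
hijacked_hosts() {
    awk -v watched="$WATCHED_HOSTS" '
        BEGIN { n = split(watched, w, " ") }
        {
            sub(/\r$/, "")        # tolerate CRLF files copied from Windows
            sub(/#.*/, "")        # strip comments
            if (NF < 2) next      # blank line, or an address with no names
            for (i = 2; i <= NF; i++)
                for (j = 1; j <= n; j++)
                    if ($i == w[j] || substr($i, length($i) - length(w[j])) == "." w[j]) {
                        printf "%d %s %s\n", NR, $i, $1
                        break     # report each name once
                    }
        }' "$1"
}

# rogue_resolvers FILE
# Prints every "nameserver" address in a resolv.conf-style file that is not
# on the allowlist, i.e. a resolver the machine was not provisioned with.
rogue_resolvers() {
    awk -v allowed="$ALLOWED_RESOLVERS" '
        BEGIN { n = split(allowed, a, " "); for (j = 1; j <= n; j++) ok[a[j]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }
    ' "$1"
}

# Usage on a live Linux system (the usual locations):
#   hijacked_hosts /etc/hosts
#   rogue_resolvers /etc/resolv.conf
```

Any output from either function is worth a look; an empty result only means these two particular tricks were not used, not that the machine is clean.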

Disabling antivirus and antispyware tools: To prevent disinfection, some spyware disables antivirus and antispyware tools to lengthen the time the attacker can control the victim machine.

Turning off the Microsoft Security Center and/or Automatic Updates: Some spyware disables the Microsoft Security Center because its warnings about an inactive firewall or antivirus program could alert the user. Also, a few spyware specimens disable automatic updates to prevent the installation of patches.

Installing rogue certificates: Web browsers are configured by default to trust a small number of certificate authorities to vouch for SSL certificates from Web sites and code-signing certificates for software distribution firms. Some spyware extends the browser's trust by adding the attacker's own SSL and/or code-signing certificate to the browser's trusted store.

Cascading file droppers: Once an attacker gets one spyware program installed on a machine, that sentinel program can grab other programs on a periodic basis, with each new program, in turn, grabbing others in a cascade. By spreading this cascade over several days, the attackers can stay ahead of antispyware signatures.

Keystroke Logging: Some spyware grabs keystrokes from the machine when a user visits a financial services or e-commerce Web site. To address this threat, some organizations use virtual keyboards, where an image of a keyboard on a screen prompts the user to click on-screen buttons to enter a password. Attackers have responded by using malicious code that grabs small screenshots around the mouse pointer to capture the user’s password even with a virtual keyboard.

URL monitoring, form scraping, and screen scraping: Some spyware monitors all of the URLs a user visits. When sensitive sites are accessed, this spyware grabs a copy of all form elements submitted to the site, in an attempt to gather account and authentication information, a technique called form scraping. Screen scraping spyware grabs a screen image with sensitive data on it.

Turning on the microphone and/or camera: Some malicious code can turn on a microphone or even a video camera attached to a system, thereby substantially invading the users’ privacy.

Pretending to be an antispyware or antivirus tool: Some particularly nefarious spyware pretends to be an antispyware, antivirus or other security tool. These programs tell the user that they are defending against attack, while actually attacking the user, in a classic Trojan horse scenario.

Editing search results: A few spyware specimens locally edit the results of a user’s search, injecting ads into the search pages. The user thinks the ads came from the search engine itself, unaware that they are generated by locally installed spyware.

Acting as a spam relay: Some malicious code turns the victim machine into an e-mail spam relay, so an attacker can spew millions of messages through a group of controlled systems. Blacklisting and tracking down the attacker become far more difficult with an onslaught of spam-relay systems.

Planting a rootkit or otherwise altering the system to prevent removal: The most pernicious spyware alters the operating system in very subtle yet powerful ways to prevent its detection and removal. Uninstalling some spyware is so onerous that users are sometimes faced with complete reinstallation of their operating system and applications.

Installing a bot for attacker remote control: Some spyware comes bundled with a bot, a tool attackers use for remote control of large numbers of systems, anywhere from tens of thousands to millions of infected machines.

Intercepting sensitive documents and exfiltrating them, or encrypting them for ransom: Some targeted spyware, especially that associated with spear phishing attacks, is designed to steal sensitive documents from a specific organization. Other variants encrypt the data, letting the attacker offer the decryption key in exchange for a ransom payment.

Planting a sniffer: A few spyware specimens include sniffers to grab network traffic, including user IDs and passwords from other systems near the infected machine.

Source :
http://www.sans.org/resources/top15_mal_spyware.php?ref=3726


Netbeans PHP Code Template List

08/10/2008

I have just tried NetBeans again. The last time I tried it, it didn't catch my attention much. Maybe back then Eclipse served me well enough. But last night I tried NetBeans again, and I am quite impressed with the software.

There are code templates for the PHP language. I searched the Internet for a list of the code templates but couldn't find anything helpful. It would be really helpful to have a cheat sheet for that.

So I have listed the code templates here. Maybe someone will find it helpful.

Abbreviation, followed by the expanded text. In NetBeans templates, $$ expands to a literal $ and ${cursor} marks where the caret is left after expansion.

cln
    $$${new_obj} = clone $$${variable};
    ${cursor}

cls
    class ${class_name} {
        function ${class_name}() {
            ${cursor};
        }
    }

eco
    echo("${message}");
    ${cursor}

elif
    elseif (${condition}) {
        ${cursor};
    }

els
    else {
        ${cursor};
    }

fnc
    function ${function_name}() {
        ${cursor};
    }

fore
    foreach ($$${array_variable} as $$${variable}) {
        ${cursor};
    }

forek
    foreach ($$${array_variable} as $$${number_variable} => $$${variable}) {
        ${cursor};
    }

if
    if (${condition}) {
        ${cursor};
    }

inst
    if ($$${variable} instanceof ${class}) {
        ${cursor};
    }

itdir
    $$${dirh} = opendir(${dirname});
    if ($$${dirh}) {
        while ($$${dir_element} = readdir($$${dirh})) {
            ${cursor};
        }
        unset($$${dir_element});
        closedir($$${dirh});
    }

iter
    for ($$${number_variable} = 0 ; $$${number_variable} < count($$${array_variable}) ; $$${number_variable}++) {
        ${cursor};
    }

my_fa
    while ($$${row} = mysql_fetch_array($$${query})) {
        ${cursor};
    }

my_fo
    while ($$${row} = mysql_fetch_object($$${query})) {
        ${cursor};
    }

my_fr
    while ($$${row} = mysql_fetch_row($$${query})) {
        ${cursor};
    }

my_gc
    ob_start();
    ${cursor};
    $$${contents} = ob_get_contents();
    ob_end_clean();

pclon
    parent::__clone();

pcon
    parent::__construct();
    ${cursor}

pr
    print ${message};
    ${cursor}

prln
    print ${message}."\n";
    ${cursor}

prs
    print "${message}";
    ${cursor}

prv
    print("\$$${variable} = ". $$${variable});
    ${cursor}

swi
    switch ($$${variable}) {
        case ${value}:
            ${cursor};
            break;
        default:
            break;
    }

while
    while (${condition}) {
        ${cursor};
    }


Pidgin failed to connect to Yahoo behind firewall

24/08/2008

I am running Pidgin behind a firewall that blocks Yahoo port 5050. It kept annoying me and made me use Meebo to stay connected. I could just use the official Yahoo IM client to connect, but well... I prefer OSS applications to proprietary apps.

Currently, Pidgin does not support a "firewall with no proxy" option, which makes connecting to Yahoo painful. However, I stumbled upon this page, which gave me an idea of how to make it possible.

http://developer.pidgin.im/wiki/Protocol%20Specific%20Questions#WhycantIconnecttoYahoofrombehindafirewallorNAT

I changed the default port from 5050 to 80 and, alhamdulillah, it connects!

Change the default port, then let's pray...


OpenDNS – Filter the Web

22/08/2008

While troubleshooting the network (a DNS server problem) at my workplace, I came across this tool. Very good and quite easy to deploy. The first time I looked at its website, I already felt there was something interesting about it.

OpenDNS is a public DNS server that also offers web content filtering. Simply put, it is a DNS server that can stop people from going to inappropriate websites. There you go. Using it is easy:

  1. Create an account to manage the content filter.
  2. Set the IP address you usually use; there are options here for static IP and dynamic IP.
  3. On each client, set the DNS servers to OpenDNS's servers
     (208.67.222.222 and 208.67.220.220). This is an operating-system network setting, not a browser setting.

After that, when someone tries to go to a site they should not, it blocks the site from being browsed, for example as shown below:

For the network at my workplace, since we already have our own DNS server and need to host the company's domain name, I couldn't use the straightforward way to block users. So I set forwarders in my DNS server's configuration (think of it as a DNS proxy). Easy! Two lines and it works.

Like this: in /etc/named.conf (or /var/named/chroot/etc/named.conf if BIND runs chrooted), append these two lines in the options section, as in this picture:

Lines that need to be added to the config file

OK, settled. Reload the server; there is no need to restart it, that just wastes time.

/etc/init.d/named reload

OK, once it has reloaded, you will get the same result as when you adjust the DNS settings on each client directly, but it is easier to deploy because you change nothing else in the other components of your network or on every user's machine.

Now the web filter is running, but I would advise you to tighten your firewall security: make every DNS connection to the outside go through your DNS server, and don't let anyone bypass it. Just use the iptables command.
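As an added example, not the author's screenshot or script: the two options{} lines in standard BIND syntax (the picture referenced above is not reproduced here, so the lines are given from BIND's documented syntax rather than copied from it), a small script that inserts them into named.conf and refuses to do so twice, and the iptables rules the last paragraph recommends, written for a Linux firewall that forwards traffic between the LAN and the Internet. The interface name, the resolver address and the named.conf path are assumptions; `forward only` is what stops BIND from falling back to the root servers and thereby bypassing the OpenDNS filtering.

```shell
#!/bin/sh
# Added example: (1) insert OpenDNS forwarders into the options{} block of
# named.conf, (2) iptables rules so that only the internal resolver may send
# DNS to the Internet.  LAN_IF, RESOLVER_IP and the conf path are assumptions.
set -u

OPENDNS1=208.67.222.222
OPENDNS2=208.67.220.220
LAN_IF=${LAN_IF:-eth1}                   # assumed LAN-facing interface of the firewall
RESOLVER_IP=${RESOLVER_IP:-192.168.1.2}  # assumed internal BIND server
IPT=${IPT:-iptables}                     # set IPT=echo to preview rules without applying them

# The two lines that go inside options { ... }.  "forward only" makes BIND send
# every non-authoritative query to the forwarders instead of the roots.
FWD_LINE1="        forwarders { $OPENDNS1; $OPENDNS2; };"
FWD_LINE2="        forward only;"
forwarders_snippet() { printf '%s\n%s\n' "$FWD_LINE1" "$FWD_LINE2"; }

# add_forwarders CONF : insert the snippet right after the first "options {" line.
add_forwarders() {
    conf=$1
    if grep -q '^[[:space:]]*forwarders' "$conf"; then
        echo "forwarders already present in $conf, not touching it" >&2
        return 1
    fi
    grep -q '^[[:space:]]*options[[:space:]]*{' "$conf" || {
        echo "no options block in $conf" >&2; return 1; }
    tmp=$(mktemp)
    awk -v l1="$FWD_LINE1" -v l2="$FWD_LINE2" '
        { print }
        /^[ \t]*options[ \t]*\{/ && !done { print l1; print l2; done = 1 }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# dns_egress_rules : LAN clients may query only the internal resolver; the
# resolver alone may query OpenDNS; any other port-53 traffic is dropped.
# If BIND runs on the firewall itself, the same logic belongs in OUTPUT.
dns_egress_rules() {
    for proto in udp tcp; do
        $IPT -A FORWARD -i "$LAN_IF" -p $proto --dport 53 -d "$RESOLVER_IP" -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -p $proto --dport 53 -s "$RESOLVER_IP" -d "$OPENDNS1" -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -p $proto --dport 53 -s "$RESOLVER_IP" -d "$OPENDNS2" -j ACCEPT
        $IPT -A FORWARD -i "$LAN_IF" -p $proto --dport 53 -j DROP
    done
}

# Typical run on the DNS server, then on the firewall:
#   add_forwarders /etc/named.conf && /etc/init.d/named reload
#   dns_egress_rules
```

The DROP rule is what makes the filter hold: without it a user who points a client straight at OpenDNS (or any other public resolver) gets an unfiltered view, exactly the bypass the paragraph above warns about. Check `named-checkconf` after editing and review the rules with `IPT=echo` before applying them.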


Good Morning Friends

02/12/2007

(attached image: att155151.jpg)