Saturday, December 31, 2011

Netvibes API

From their site: UWA (Universal Widget API) is the next generation of the Netvibes widget API, the successor of the Netvibes Mini Module API. With this new release, our API becomes a powerful framework for Web widget development - not only for Netvibes widgets, but also for many other environments, among which are Apple's Dashboard and the Google Homepage. With the UWA, you only need one API to build widgets for a host of environments.

Netvibes: Highlights

Summary
Personalized home page with widgets

Category
Widgets

Tags
widgets opensocial

Protocols
JavaScript

Data Formats
XML, JSON, JSONP

API home
http://dev.netvibes.com

I'm Human API

The I'm Human API is "where humanity wins the fight against machines," according to elxsy.com, the provider of the service. I'm Human is a visual CAPTCHA service which responds with a word, a grid of up to 25 images and the grid numbers which correspond to the correct answers. Humans must select the images that match the words and your application compares the results to the correct answer from the I'm Human API.

I'm Human: Highlights

Summary
Visual CAPTCHA service

Category
Security

Tags
captcha security

Protocols
REST

Data Formats
JSON

API home
http://www.elxsy.com/imhuman/api/

Google OpenID API

The Google OpenID API lets third-party web sites and applications allow visitors to sign in using their Google user accounts. The OpenID standard frees users from having to set up separate login accounts for different web sites, and conversely frees web site developers from the task of managing login information and security measures. OpenID achieves this goal by providing a framework in which users can establish an account with an OpenID provider, such as Google, and use that account to sign into any web site that accepts OpenIDs. This page describes how to enable a web site or application to accept a Google user account for federated login.


Google OpenID: Highlights

Summary
OpenID login for Google account users

Category
Security

Tags
OpenID security identity

Protocols
REST

Data Formats
XML
API home
http://code.google.com/apis/accounts/docs/OpenID.html

OneLogin Api

The OneLogin API allows developers to interact with the OneLogin service. OneLogin provides an easy-to-use single sign-on solution for businesses that embrace cloud computing. OneLogin eliminates the need for employees to remember strong passwords and saves them time because they can log into applications with a single click. OneLogin's API supports five basic operations for each entity: read, list, create, update and delete. It uses a RESTful protocol, and responses are formatted in XML.

OneLogin: Highlights

Summary
Single sign-on solution

Category
Security

Tags
security enterprise cloud sbweb

Protocols
REST

Data Formats
XML

API home

http://support.onelogin.com/entries/113327-introduction

Waves

Ebys Multimedia has launched Waves! This is a social network that connects people with friends and others. Why wait?
Keep on the move!

MySpace Api

The MySpace Developer Platform (MDP) allows developers to create applications that interact with MySpace members and their social data. With MDP you will be able to create compelling new products that integrate directly into MySpace pages and get exposure to millions of people around the world.


MySpace: Highlights

Summary
Social networking service

Category
Social

Tags
social opensocial

Protocols
REST, OAuth, JavaScript, PubSubHubbub

Data Formats
XML, JSON, ATOM

API home

http://wiki.developer.myspace.com/index.php?title=Category:RESTful_API

Google Plus Api

Google Plus is a service to share links, photos and other content. The Google Plus API allows developers to access publicly-available Google Plus content, including user information and publicly shared items.

Google Plus: Highlights

Summary
Content sharing service

Category
Social

Tags
microblogging social

Protocols
REST

Data Formats
JSON

API home
https://developers.google.com/+/api/

Facebook API

The Facebook API is a platform for building applications that are available to the members of the Facebook social network. The API allows applications to use social connections and profile information to make applications more engaging, and to publish activities to the news feed and profile pages of Facebook, subject to individual users' privacy settings. With the API, developers can add social context to their applications by utilizing profile, friend, Page, group, photo, and event data. The API uses a RESTful protocol, and responses are localized and in XML format.


Facebook: Highlights

Summary
Social networking service

Category
Social

Tags
social webhooks

Protocols
REST

Data Formats
XML

API home
http://developers.facebook.com/

Facebook Social Plugins Api

Facebook Social Plugins make a user's friends' social activity available via API. You can see what your friends have liked, commented on or shared on sites across the web. Social Plugins are a basic method of accessing data on Facebook and are specifically designed so none of your data is shared with the sites on which they appear.

All plugins use the Facebook JavaScript SDK.



facebook Social Plugins: Highlights

Summary
Facebook extensions

Category
Social

Tags
widgets social

Protocols
JavaScript

Data Formats

API home
http://developers.facebook.com/docs/plugins

Twitter API

The Twitter micro-blogging service includes two RESTful APIs. The Twitter REST API methods allow developers to access core Twitter data. This includes update timelines, status data, and user information. The Search API methods give developers methods to interact with Twitter Search and trends data. The API presently supports the following data formats: XML, JSON, and the RSS and Atom syndication formats, with some methods only accepting a subset of these formats.




Twitter: Highlights

Summary
Microblogging service

Category
Social

Tags
social microblogging

Protocols
REST

Data Formats
XML, JSON, RSS, Atom

API home
https://dev.twitter.com/docs

Flickr API

Flickr is a photo-sharing community that enables users to upload, tag and comment on their photos and other users' photos. The Flickr API provides the ability to view, manipulate, and search photo tags, display photos from a specific user or group, and retrieve tags to construct URLs to particular photos or photo groups. Flickr also provides an Authentication API for applications that need to perform restricted actions.

You can find more information about the Flickr developer community at code.flickr, including detailed API documentation.

Lizamoon SQL Injection Campaign Compared

Malware infections such as SQL injection are a well known security problem. Over the past two years we have seen several large-scale infections on the web, e.g. Gumblar.cn and Martuz.cn. Recently, a new SQL injection campaign called Lizamoon has gained a lot of attention. I had expected web sites would become more secure over time and less susceptible to simple security problems, so it is surprising that SQL injection is still a prevalent problem. That led me to wonder: Was Lizamoon as successful as previous infections? In a discussion about this problem, my colleague Panayiotis Mavrommatis suggested that comparing the size of campaigns via search engine result estimates might not be a very accurate measurement.

That begs the question of how to assess the impact of infections. While the number of infected URLs is one possible measure, it is skewed by many different factors, e.g. a single vulnerable site contributes a large fraction of the infected URLs and overstates the impact. Instead, counting the number of infected sites might be a better metric. Even so, to judge the relative scale of an infection campaign, it might be helpful to compare it to previous incidents.

Below is a comparison of the Gumblar.cn/, Martuz.cn/ and Lizamoon infections based on Google's Safe Browsing data. The graph shows the number of unique infected sites over a 30 day sliding window.

Cybercrime 2.0

Cybercrime 2.0: When the Cloud Turns Dark

We recently published an article on web-based malware in ACM's Queue Magazine. It provides a short overview of some of the challenges with detecting malicious web sites such as social engineering and examples of techniques for compromising web sites, e.g. htaccess redirection on Apache, etc. This is the article on which my recent ISSNet talk was based.

Adobe PDF Vulnerability

Adobe PDF Vulnerability: Stack overflow in Font File parsing
Thursday, September 9. 2010
Metasploit has a great write-up on a new vulnerability in PDF. The basic problem is a stack overflow when parsing OpenType fonts. In particular, SING Glyphlet tables contain a 27 byte long unique name that is expected to be NUL-terminated and stored in a 28-byte buffer. The vulnerable code uses strcat without bounds checking, resulting in a stack overflow.

The PDF in the wild prepares the heap via JavaScript and contains multiple different font files that are selected by navigating to a specific page in the PDF based on the viewer version. Each font file has slightly different shell code. It was amusing to see that the attackers, after modifying the head and SING tables, did not fix up their respective checksums. According to Metasploit, this exploit works under Windows 7 with both DEP and ASLR turned on. Fun Fun. As of now, no patched version is available. The SecBrowsing blog contains instructions with temporary remedies.
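The unterminated-name bug and the unfixed checksums described above, as an added C example that is neither Metasploit's code nor the post's: a bounded copy of the SING uniqueName field that rejects a name with no terminator, next to the strcat pattern it replaces, plus the OpenType table checksum that flags a table edited without updating its directory entry. The 28-byte size comes from the text; the field offset of 16 is an assumption about the SING table layout, and the sample tables are constructed.

```c
#include <stdint.h>
#include <string.h>

/* From the write-up: a 27-byte name plus its terminator in a 28-byte buffer. */
#define SING_NAME_BYTES 28
/* Offset of uniqueName inside the SING table. Assumed from the table layout
 * (eight 16-bit header fields precede it); verify against the spec. */
#define SING_NAME_OFFSET 16

/* Shape of the bug the post describes: strcat copies until it meets a NUL,
 * which the font file need not supply within 28 bytes. Contrast only; nothing
 * in this file calls it. */
void sing_name_copy_unchecked(char dst[SING_NAME_BYTES], const char *field)
{
    dst[0] = '\0';
    strcat(dst, field);
}

/* Hardened copy: scan at most 28 bytes and reject a field with no NUL in
 * them, so the destination can never be overrun. Returns 1 on success. */
int sing_name_copy_checked(char dst[SING_NAME_BYTES], const uint8_t *field)
{
    size_t n = 0;
    while (n < SING_NAME_BYTES && field[n] != '\0')
        n++;
    if (n == SING_NAME_BYTES)      /* no terminator: oversized or hostile name */
        return 0;
    memcpy(dst, field, n);
    dst[n] = '\0';
    return 1;
}

/* OpenType table checksum: sum of the table's big-endian uint32 words, the
 * table zero-padded to a multiple of four. A mismatch with the directory entry
 * means the table was edited after the font was built, the tell the post
 * notes in the in-the-wild samples. */
uint32_t otf_table_checksum(const uint8_t *tbl, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 4) {
        uint32_t word = 0;
        for (size_t k = 0; k < 4; k++) {
            word <<= 8;
            if (i + k < len)
                word |= tbl[i + k];
        }
        sum += word;
    }
    return sum;
}

/* Accept a SING table only if its name is terminated and its checksum matches
 * the value recorded in the table directory. */
int sing_table_check(const uint8_t *tbl, size_t len, uint32_t dir_checksum)
{
    char name[SING_NAME_BYTES];
    if (len < SING_NAME_OFFSET + SING_NAME_BYTES)
        return 0;
    if (!sing_name_copy_checked(name, tbl + SING_NAME_OFFSET))
        return 0;
    return otf_table_checksum(tbl, len) == dir_checksum;
}

/* Constructed sample table (not from any real font): a zeroed header followed
 * by the name field. Returns the table length (44 bytes). */
static size_t make_sing_table(uint8_t *buf, const char *name, size_t name_len)
{
    size_t len = SING_NAME_OFFSET + SING_NAME_BYTES;
    memset(buf, 0, len);
    memcpy(buf + SING_NAME_OFFSET, name,
           name_len < SING_NAME_BYTES ? name_len : SING_NAME_BYTES);
    return len;
}

int demo_well_formed(void)
{
    uint8_t tbl[64];
    size_t len = make_sing_table(tbl, "Glyphlet-1", 11);   /* 11 includes the NUL */
    return sing_table_check(tbl, len, otf_table_checksum(tbl, len));
}

int demo_unterminated_name(void)
{
    uint8_t tbl[64];
    char hostile[SING_NAME_BYTES];
    memset(hostile, 'A', sizeof hostile);                 /* 28 bytes, no NUL */
    size_t len = make_sing_table(tbl, hostile, sizeof hostile);
    return sing_table_check(tbl, len, otf_table_checksum(tbl, len));
}

int demo_stale_checksum(void)
{
    uint8_t tbl[64];
    size_t len = make_sing_table(tbl, "Glyphlet-1", 11);
    uint32_t recorded = otf_table_checksum(tbl, len);
    tbl[SING_NAME_OFFSET] = 'X';   /* edit the table, leave the directory alone */
    return sing_table_check(tbl, len, recorded);
}
```

The checksum mismatch is only a tamper indicator, since a careful attacker can recompute it; the bounded copy is the actual fix.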

Google safe browsing API

Reminder: Safe Browsing version 1 API turning down December 1


In May Google announced that it is ending support for the Safe Browsing protocol version 1 on December 1 in order to focus its resources on the new version 2 API and the lookup service. These new APIs provide simpler and more efficient access to the same data, and they use significantly less bandwidth. If you haven't yet migrated off of the version 1 API, Google encourages you to do so as soon as possible. Google's earlier post contains links to documentation for the new protocol version and other resources to help you make the transition smoothly.

After December 1, Google will remove all data from the version 1 API list to ensure that any remaining clients do not have false positives in their database. After January 1, 2012, Google will turn off the version 1 service completely, and all requests will return a 404 error.

Thanks for your cooperation, and enjoy using the next generation of Safe Browsing.

Friday, December 30, 2011

Most useful Firefox add-ons for web designers and developers

Firebug


Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page...




FireShot

FireShot creates screenshots of web pages entirely.

The captures can be quickly annotated and:

✓ Uploaded to Facebook, Picasa, Flickr, ..
✓ Saved to disk as PNG/GIF/JPEG/BMP
✓ Copied to clipboard
✓ Printed
✓ E-Mailed
✓ Exported to external editor.



CSS Validator


Validates a page using the W3C CSS Validator.



Therefore, Screengrab is EOL. Sorry.


Browser Window Resizer


Resize your browser to various standard resolution sizes...

UPDATE (June 9, 2010): The development of this add-on is suspended for lack of time. No new update is planned. Developers wanting to take over, contact us via www.yellowpipe.com

Thursday, December 29, 2011

Jithin Sha M.A

About me

Industry: Internet
Occupation: developer
Location: Changanacherry, Kerala, India
Introduction: Studying in 10th Standard, St. Berchman's H.S.S., Changanacherry

Sircam-worm

Sircam is a computer worm that propagates by e-mail from Microsoft Windows systems. It begins with one of the following lines of text and has an attachment consisting of the worm's executable with some file from the infected computer appended.
I send you this file in order to have your advice
I hope you like the file that I send you
I hope you can help me with this file that I send
This is the file with the information you ask for
Te mando este archivo para que me des tu punto de vista
Espero te guste este archivo que te mando
Espero me puedas ayudar con el archivo que te mando
Este es el archivo con la informacion que me pediste
Due to a bug in the worm, the message was rarely sent in any form other than "I send you this file in order to have your advice." This subsequently became an in-joke among those who were using the Internet at the time, and were spammed with e-mails containing this string sent by the worm.
Sircam was notable during its outbreak for the way it distributed itself. Document files (usually .doc or .xls) on the infected computer were chosen at random, infected with the virus and emailed out to email addresses in the host's address book. Opening the infected file resulted in infection of the target computer. During the outbreak, many personal or private files were emailed to people who otherwise should not have gotten them.
It also spreads via open shares on a network. Sircam scans the network for computers with shared drives and copies itself to a machine with an open (non-password-protected) drive or directory. A simple RPC (Remote Procedure Call) is then executed to start the process on the target machine, usually unknown to the owner of the now-compromised computer.
Over a year after the initial outbreak, Sircam was still in the top 10 on virus charts.

Mydoom-worm

Mydoom, also known as W32.MyDoom@mm, Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on 26 January 2004. It became the fastest-spreading e-mail worm ever (as of January 2004), exceeding previous records set by the Sobig worm and ILOVEYOU.
Mydoom appears to have been commissioned by e-mail spammers so as to send junk e-mail through infected computers. The worm contains the text message "andy; I'm just doing my job, nothing personal, sorry," leading many to believe that the worm's creator was paid. Early on, several security firms expressed their belief that the worm originated from a programmer in Russia. The actual author of the worm is unknown.
Speculative early coverage held that the sole purpose of the worm was to perpetrate a distributed denial-of-service attack against SCO Group. 25 percent of Mydoom.A-infected hosts targeted www.sco.com with a flood of traffic. Trade press conjecture, spurred on by SCO Group's own claims, held that this meant the worm was created by a Linux or open source supporter in retaliation for SCO Group's controversial legal actions and public statements against Linux. This theory was rejected immediately by security researchers. Since then, it has been likewise rejected by law enforcement agents investigating the virus, who attribute it to organized online crime gangs.
Initial analysis of Mydoom suggested that it was a variant of the Mimail worm—hence the alternate name Mimail.R—prompting speculation that the same persons were responsible for both worms. Later analyses were less conclusive as to the link between the two worms.
Mydoom was named by Craig Schmugar, an employee of computer security firm McAfee and one of the earliest discoverers of the worm. Schmugar chose the name after noticing the text "mydom" within a line of the program's code. He noted: "It was evident early on that this would be very big. I thought having 'doom' in the name would be appropriate."


Koobface-worm

Koobface is a computer worm that targets users of the social networking websites Facebook (its name is an anagram of "Facebook"), MySpace, hi5, Bebo, Friendster and Twitter. Koobface is designed to infect Microsoft Windows and Mac OS X, but also works on Linux (in a limited fashion). Koobface ultimately attempts, upon successful infection, to gather login information for FTP sites, Facebook, and other social media platforms, but not any sensitive financial data.[6] It then uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as to hijack search queries to display advertisements. It was first detected in December 2008 and a more potent version appeared in March 2009. A study by the Information Warfare Monitor, a joint collaboration of SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University of Toronto, has revealed that the operators of this scheme generated over $2 million in revenue from June 2009 to June 2010.
Koobface spreads by delivering Facebook messages to people who are 'friends' of a Facebook user whose computer has already been infected. Upon receipt, the message directs the recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer's search engine use and direct it to contaminated websites. There can also be links to the third-party website on the Facebook wall of the friend the message came from, sometimes with comments like LOL or YOUTUBE. If the link is opened, the trojan will infect the computer and the PC will become a zombie or host computer.
Among the components downloaded by Koobface are a DNS filter program that blocks access to well known security websites and a proxy tool that enables the attackers to abuse the infected PC.
Several variants of the worm have been identified:
Worm:Win32/Koobface.gen!F
Net-Worm.Win32.Koobface.a, which attacks MySpace
Net-Worm.Win32.Koobface.b, which attacks Facebook
WORM_KOOBFACE.DC, which attacks Twitter
W32/Koobfa-Gen, which attacks Facebook, MySpace, hi5, Bebo, Friendster, myYearbook, Tagged, Netlog, Badoo and fubar
W32.Koobface.D
Hoax Warnings

The Koobface threat is also the subject of many hoax warnings designed to trick social networking users into spreading misinformation across the Internet. Various anti-scam websites such as Snopes.com and ThatsNonsense.com have recorded many instances where alarmist messages designed to fool and panic Facebook users have begun to circulate prolifically using the widely publicized Koobface threat as bait. A popular example is the "Barack Obama-Clinton Scandal" hoax, which was popular in 2010.
Other misconceptions have spread regarding the Koobface threat, including the false assertion that accepting "hackers" as Facebook friends will infect a victim's computer with Koobface, or that Facebook applications are themselves Koobface threats. These claims are untrue. Other rumours assert that Koobface is much more dangerous than other examples of malware and has the ability to delete all of your computer files and "burn your hard disk." However, these rumours are inspired by earlier fake virus warning hoaxes and remain false.


Hybris-Worm

The Hybris Worm is a piece of malicious code that propagates through email messages and newsgroup postings, specifically targeting Windows machines. To become infected a user must execute an attachment received in email or a posting; no special mail or news reader program is required to become infected.

This worm infects the Windows networking library WSOCK32.DLL file, thereby subverting "normal" email behavior. Whenever a user sends an email on an infected machine, the malicious code sends out another email to the same recipient with a copy of itself as an attachment. Based on reports the CERT/CC has received, Hybris only affects Win32 systems and does not contain a destructive payload. However, the malicious code appears to contain code modules that can be upgraded from the web to give it a destructive payload. There are several variants, although all variants have the same behavior with very minor differences.

Versions of Hybris reported to the CERT/CC have these characteristics:

From: Hahaha
Subject: Snowhite and the Seven Dwarfs - The REAL story!
Body: Today, Snowhite was turning 18. The 7 Dwarfs always where very educated and
polite with Snowhite. When they go out work at mornign, they promissed a
*huge* surprise. Snowhite was anxious. Suddlently, the door open, and the Seven
Dwarfs enter...
Attachment: .SCR or .EXE file (name randomly chosen from a predefined list)

Or...

From: Hahaha
Subject: Enanito si, pero con que pedazo!
Body: Faltaba apenas un dia para su aniversario de de 18 años. Blanca de Nieve fuera
siempre muy bien cuidada por los enanitos. Ellos le prometieron una *grande*
sorpresa para su fiesta de compleaños. Al entardecer, llegaron. Tenian un brillo
incomun en los ojos...
Attachment: .SCR or .EXE file (name randomly chosen from a predefined list)
While these characteristics are the most common in reports we have received, it is possible for any mail message to contain Hybris as a file attachment.

Intruders are using open mail relays to propagate Hybris. An "open" mail relay is a mail transport agent (MTA) that is configured to forward mail between senders and recipients who are not a part of the MTA's operational domain. "Open mail relays" are sometimes called "open mail servers," "mail relays," "third-party mail servers," or similar names. Intruders who wish to obscure their identity often send mail through an open mail relay. Using an open mail relay from another site is attractive to the intruder because accountability is far less enforceable. For more information on open mail relays, please see

http://maps.vix.com/tsi/ar-what.html
For more details about Hybris, please check an antivirus vendor database. A sample collection is listed on the CERT/CC's Computer Virus Resources page:

http://www.cert.org/other_sources/viruses.html#III
Impact

Sites with open mail relays may be used to send mail to arbitrary third parties with possible malicious payloads such as Hybris. The use of the mail server's cycles and bandwidth can degrade the quality of service.

Solution

It may be possible for an organization to be an open mail relay without knowing it. Generally speaking, there are few circumstances under which a network should have an open mail relay. We encourage sites to review their mail server configuration and evaluate their exposure to this type of abuse.

As good security practice, users should always exercise caution when receiving email with attachments. Disable auto-opening or previewing of email attachments in your mail program. Do not open attachments from untrusted origins or those that appear suspicious in any way. Finally, cryptographic checksums can be used to validate the integrity of a file.

Authors: Ian Finlay, Brian King, Shawn Hernan


Father_Christmas-worm

Worms were first used as a legitimate mechanism for performing tasks in a distributed environment. Network worms were considered promising for the performance of network management tasks in a series of experiments at the Xerox Palo Alto Research Center in 1982. The key problem noted was "worm management," controlling the number of copies executing at a single time. This would be experienced later by authors of malicious worms.

Worms were first noticed as a potential computer security threat when the Christmas Tree Exec [Den90] attacked IBM mainframes in December 1987. It brought down both the world-wide IBM network and BITNET. The Christmas Tree Exec wasn't a true worm. It was a trojan horse with a replicating mechanism. A user would receive an e-mail Christmas card that included executable (REXX) code. If executed the program claimed to draw a Xmas tree on the display. That much was true, but it also sent a copy to everyone on the user's address lists.

The Internet Worm [Spa89] was a true worm. It was released on November 2, 1988. It attacked Sun and DEC UNIX systems attached to the Internet (it included two sets of binaries, one for each system). It utilized the TCP/IP protocols, common application layer protocols, operating system bugs, and a variety of system administration flaws to propagate. Various problems with worm management resulted in extremely poor system performance and a denial of network service.

The Father Christmas worm was also a true worm. It was first released onto the worldwide DECnet Internet in December of 1988. This worm attacked VAX/VMS systems on SPAN and HEPNET. It utilized the DECnet protocols and a variety of system administration flaws to propagate. The worm exploited TASK0, which allows outsiders to perform tasks on the system. This worm added an additional feature; it reported successful system penetration to a specific site.

This worm made no attempt at secrecy; it was not encrypted and sent mail to every user on the system. About a month later another worm, apparently a variant of Father Christmas, was released on a private network. This variant searched for accounts with "industry standard" or "easily guessed" passwords.

The history of worms displays the same increasing complexity found in the development of PC viruses. The Christmas Tree Exec wasn't a true worm. It was a trojan horse with a replicating mechanism. The Internet Worm was a true worm; it exploited both operating system flaws and common system management problems. The DECnet worms attacked system management problems, and reported information about successful system penetration to a central site.

Several conclusions can be drawn from this information:

worms exploit flaws (i.e., bugs) in the operating system or inadequate system management to replicate.
release of a worm usually results in brief but spectacular outbreaks, shutting down entire networks.


ExploreZip-worm

ExploreZip, also known as I-Worm.ZippedFiles, is a destructive computer worm which attacks machines running Microsoft Windows. It was first discovered in Israel on June 6, 1999. Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes Microsoft Outlook, Outlook Express, or Exchange to mail itself out by replying to unread messages in your Inbox. The email attachment is Zipped_files.exe. The worm also searches mapped drives and networked computers for Windows installations. If found, it copies itself to the \Windows folder of the remote computer and then modifies the Win.ini file of the infected computer. On January 8, 2003, Security Response discovered a packed variant of this threat which exhibits the same characteristics. Protection will be available for this new variant in virus definitions dated 1/8/2003 with a version number of 50108q (20030108.017) or greater.


Daprosy-worm

Daprosy worm is a malicious computer program that spreads via local area network (LAN) connections, spammed e-mails and USB mass storage devices. Infection comes from a single read1st.exe file where several dozen clones are created at once bearing the names of compromised folders. The most obvious symptom of Daprosy infection is the presence of Classified.exe or Do not open - secrets!.exe files from infected folders.
Although first observed in early May 2009,[1] the worm was first announced to the public as the Daprosy trojan[2] worm by Symantec in July 2009 and was later identified as Autorun-AMS, Autorun-AMW and Autorun-APL by Sophos.[3] It acquired additional aliases from antivirus companies, and others tag it as an incarnation or variation of Autorun.H.[4][5]
The worm belongs to the “slow” mass mailer category: copies of it are attached and sent to addresses intercepted from the keyboard. The e-mail consists of a promotion of, and installation instructions for, an imaginary antivirus product purported to remove unknown infections from the computer. While infection cannot occur until the attached worm is renamed and opened, it can spread to system folders in a matter of seconds. It is known to shut down or hang Windows Vista and Windows 7 when attempts to write to the system drive are denied by those operating systems. The worm also hides folders and makes them "super hidden" so that the data contained in them is not easily accessed.
Precision key logging is the main threat associated with Daprosy infection. Logged keystrokes containing sensitive data could be sent to its author using the worm’s improvised mailing system. Early strains are known to destabilize, corrupt and even stall the operating system due to programming bugs. Said strains appear to be incomplete and were probably created by students or amateur Visual Basic programmers as evidenced by using VB decompilers. Final or later releases of Daprosy worm are prolific online game password stealers. They also pose great threats to banking and other e-commerce establishments.
Daprosy worm is rampant in public Internet cafés with LAN connections and exposed USB mass storage drives. As of October 2009, special scripts are available to remove it from infected computers. Many Windows systems stalled on November 13, 2009. An initial investigation points to the older versions of Daprosy worm, viz. Sophos Autorun-AMS and Autorun-AMW, which appear to be "Friday the Thirteenth" malware.
More recent and persistent variants of Daprosy worm are still in circulation. A notable variant, Win32/Kashu.B as identified by Ahnlab, can be removed only by using a live CD. Usually, such variants of Daprosy worm are infected by Sality viruses and have a file size greater than 100 kilobytes. It now appears that Daprosy worm is a natural host for file-infecting viruses, since it is well distributed on all drives. Viral Daprosy exists in many variants, which again require special scripts to remove. Manual removal of worms infected with viruses requires knowledge usually found only among individuals associated with AV companies.
Daprosy is "active" even in Safe Mode, which makes it difficult to remove manually. Its key logging mechanism is so precise that it captures almost everything typed on the keyboard. This ranks Daprosy as one of the most dangerous worms of the last decade.


Blaster-worm

The Blaster Worm (also known as Lovsan, Lovesan or MSBlast) was a computer worm that spread on computers running the Microsoft operating systems: Windows XP and Windows 2000, during August 2003.

The worm was first noticed and started spreading on August 11, 2003. The rate that it spread increased until the number of infections peaked on August 13, 2003. Filtering by ISPs and widespread publicity about the worm curbed the spread of Blaster.
On August 29, 2003, Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota, was arrested for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month prison term in January 2005.

According to court papers, the original Blaster was created after a Chinese cracking collective called Xfocus reverse engineered the original Microsoft patch that allowed for execution of the attack.

The worm spread by exploiting a buffer overflow discovered by the Polish cracking group Last Stage of Delirium in the DCOM RPC service on the affected operating systems, for which a patch had been released one month earlier in MS03-026 and later in MS03-039. This allowed the worm to spread without users opening attachments, simply by spamming itself to large numbers of random IP addresses. Four versions have been detected in the wild.

The worm was programmed to start a SYN flood on August 15, 2003 against port 80 of windowsupdate.com, thereby creating a distributed denial of service attack (DDoS) against the site. The damage to Microsoft was minimal as the site targeted was windowsupdate.com instead of windowsupdate.microsoft.com, to which it was redirected. Microsoft temporarily shut down the targeted site to minimize potential effects from the worm.
The worm contains two messages in its source code. The first:
I just want to say LOVE YOU SAN!!
is why the worm is sometimes called the Lovesan worm. The second:
billy gates why do you make this possible ? Stop making money
and fix your software!!
is a message to Bill Gates, the co-founder of Microsoft and the target of the worm.
The worm also creates the following registry entry so that it is launched every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update=msblast.exe


Although the worm can only spread on systems running Windows 2000 or Windows XP (32-bit), it can cause instability in the RPC service on systems running Windows NT, Windows XP (64-bit), and Windows Server 2003. In particular, the worm does not spread on Windows Server 2003 because it was compiled with the /GS switch, which detected the buffer overflow and shut the RPCSS process down. When infection occurs, the buffer overflow makes the RPC service crash, leading Windows to display the following message and then automatically reboot, usually after 60 seconds (the default RPC service failure behaviour):

System Shutdown:
This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM
Time before shutdown: hh:mm:ss
Message:
Windows must now restart because the Remote Procedure Call (RPC) Service terminated unexpectedly.
This was the first indication many users had of an infection; it often occurred a few minutes after every startup on compromised machines. A simple way to stop the countdown is to run the "shutdown -a" command in the Windows command line, which causes some side effects such as an empty (without users) Welcome Screen. The Welchia worm had a similar effect. No more than a year later, the Sasser worm surfaced, which caused a similar message to appear.


Bagle-worm

Bagle (also known as Beagle) is a mass-mailing computer worm affecting all versions of Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, is considerably more virulent.
Bagle uses its own SMTP engine to mass-mail itself as an attachment to recipients gathered from the infected computer. It copies itself to the Windows system directory (Bagle.A as bbeagle.exe, Bagle.B as au.exe) and opens a backdoor on TCP port 6777 (Bagle.A) or 8866 (Bagle.B). It does not mail itself to addresses containing certain strings such as "@hotmail.com", "@msn.com", "@microsoft" or "@avp".
The initial strain, Bagle.A, was first sighted on January 18, 2004. It was not widespread and stopped spreading after January 28, 2004.
The second strain, Bagle.B, was first sighted on February 17, 2004. It was much more widespread and appeared in large numbers; Network Associates rated it a "medium" threat. It is designed to stop spreading after February 25, 2004.
Subsequent variants have since been discovered. Although not all of them have been successful, a number remain notable threats.


BadTrans-worm

BadTrans is a malicious Microsoft Windows computer worm distributed by e-mail. Because of a known vulnerability in older versions of Internet Explorer, some e-mail programs, such as Microsoft's Outlook Express and Microsoft Outlook programs, may install and execute the worm as soon as the e-mail message is viewed.


Once executed, the worm replicates by sending copies of itself to other e-mail addresses found on the host's machine, and installs a keystroke logger, which then captures everything typed on the affected computer. Badtrans then transmits the data to one of several e-mail addresses.

Among the e-mail addresses that received the keyloggers were free addresses at Excite, Yahoo, and IJustGotFired.com. IJustGotFired is a free service of MonkeyBrains, a San Francisco-based Internet service provider. The target address at IJustGotFired began receiving e-mails at 3:23pm on November 24, 2001. Once the account exceeded its quotas, it was automatically disabled, but the messages were still saved as they arrived. The address received over 100,000 keylogs in the first day alone.

In mid-December, the FBI contacted Rudy Rucker, Jr., owner of MonkeyBrains, and requested a copy of the keylogged data. All of that data was stolen from the victims of the worm; it includes no information about the creator of Badtrans. Instead of complying with the FBI request, MonkeyBrains published a database website http://badtrans.monkeybrains.net for the public to determine if a given address has been compromised. The database does not reveal the actual passwords or keylogged data.

Abraxas-VIRUS

VARIANT: Abraxas, Alien, ARCV-1, Bamestra, Cinco, Eclypse, Gold
VARIANT: Jo, Kersplat, McWhale, Mimic, Page, Schrunch, Small-ARCV
VARIANT: Swansong, Tim, Walkabout, Warez, Z10
and approximately 200 other variants

VARIANT: Math-Test
The PS-MPC.Math-test virus was found from the CD-ROM disk "Software Vault, Collection 2" in October 1993. The infection was discovered when a private person from Helsinki, Finland, contacted F-Secure Ltd at the end of October. This person's computer was almost completely infected by the virus.

PS-MPC.Math-test is one of the viruses created with Phalcon/Skism Mass Produced Code Generator. The virus stays resident in memory and infects practically all executed COM and EXE programs. It activates every day between 9 and 10 a.m., displays some simple summing problems and demands that the user solve them. If the user doesn't get the answer right, the virus won't execute the requested program.



The infected file is located in the directory 18 of the CD-ROM, and it is contained inside the packet 64BLAZER.ZIP. The same directory contains also a clean version of the program, by the name 64BLAZE.ZIP.


Wednesday, December 28, 2011

Jerusalem virus

1.2 The 1813 ("Jerusalem") Virus

One of the oldest PC-DOS viruses, and probably the most common, is the 1813 virus, also called (among other things) the Jerusalem, the Jerusalem-B, the Friday the 13th, the Black Friday, the Black Hole, the Morbus Waiblingen, and the sUMsDos. When a file infected with the 1813 virus is executed, the virus is loaded into memory, and any file executed via the DOS "execute program" function thereafter (until the next power-off or reboot) will be infected. This includes EXE and COM programs invoked from the DOS command line, as well as overlays (1) that are called by other programs. This technique of infecting things as they are used is one of the features that most of the currently-common viruses share. When an infected program is executed on Friday the 13th (any month, any year but 1987), it will erase programs that are executed, rather than infecting them.
1.2.1 Spread

The 1813 virus spreads from machine to machine by way of infected files; when an infected program travels (on diskette, over a LAN, by download from a host computer or bulletin board system, or otherwise) from one computer to another, the destination computer will become infected as soon as the infected program is executed. The virus has no power to spread between machines itself; it relies on people intentionally sharing software or machines in order to spread. Some common spread scenarios include:
Shared machines - If a computer is used by many different people, it can serve as a center of infection. If someone has run an infected program on the machine, the infection has probably spread to programs on the machine's hard disk; if other users bring their own programs on diskette and run them on the machine, those programs are likely to become infected, and the infection will be spread on diskette to other machines. Shared machines are therefore one important place to apply virus protection programs.
Shared diskettes - There are many diskettes that are routinely carried from machine to machine; these include diagnostic diskettes, product demos, and so on. If such a diskette becomes infected, the infection can quickly spread to many machines. Shared diskettes should therefore be protected; the most effective protection is a write-protect tab!
Popular programs - There are some programs (games, demos, animations, and so on) that are very popular; anyone who gets a copy of one of these programs is likely to want to pass it on (or at least show it off) to other people. If one of these programs becomes infected, the infection can spread quickly to many machines; users should therefore be educated in the dangers of running such programs without first employing virus detectors or other anti-virus measures.
LAN servers - If a program on a LAN server that is used by many workstations on the LAN becomes infected, a large percentage of workstations on the LAN can become infected very quickly (sometimes within an hour or two). Programs on LAN servers should be carefully checked for viruses, and LAN access controls for shared programs should be set up correctly. One common mistake is to have the LAN "logon" program in a place where anyone on the LAN can write to it; this setup means that if any workstation on the LAN becomes infected, the logon program will quickly become infected, and then every workstation that logs onto the LAN will immediately be infected. Properly maintained, LAN servers can be a good way to make virus-free programs available to many machines; set up incorrectly, they can be just the opposite!
1.2.2 Symptoms

In general, the most reliable symptom of a computer virus is an alert from a good anti-virus program. Machines properly protected by an anti-virus program should never experience the more serious symptoms of the virus! In any large organization or community, though, there will be at least a few machines not properly protected, and support people (Help Desks, Information Centers, repair groups, and so on) should be aware of symptoms that might mean a virus has infected an unprotected system. The 1813 virus is actually one of the more obvious of the common PC-DOS viruses. It has a number of intentional effects, and a number of bugs, which can cause infected systems to behave oddly even before the virus "activates" on Friday the 13th. The likely symptoms include:
Shortage of disk space and/or growth in size of programs (when the virus infects a file, it adds approximately 1813 bytes to the size of the file),
An occasional decrease in the apparent speed of the infected computer (users have described this as, for instance, "the machine suddenly started typing at 1200 baud"),
The scrolling or blanking of a small rectangular area in the upper left quadrant of the screen (the "black hole" effect),
The message "Program too big to fit in memory" when certain often-used EXE programs are run (due to a bug in the virus, it will continually re-infect most EXE programs, eventually causing them to be too large to run),
Malfunctioning of a few infected EXE programs: programs "lock up", or report unexpected error conditions or inability to load functions. (This is due to another bug in the virus that sometimes destroys part of the infected program.)
The first three of these symptoms are reasonably reliable signs of an infection; the last two can be from any of various causes. But in any case, checking a malfunctioning computer for known viruses with an anti-virus tool is generally a quick and easy process, and a useful addition to a support person's toolkit. Machines infected with the 1813 virus are often misdiagnosed as having software or hardware problems, leading to wasted time (as parts are replaced and tests run), and to the risk of spreading the infection via diagnostic diskettes.
1.2.3 Damage

The 1813 is not a particularly destructive virus. At the time it loads itself into memory, it asks DOS for the current date. If the day of the week is a Friday, the day of the month is 13, and the year is not 1987, the virus "activates". Once the virus has activated, any program executed via the DOS "execute program" call, described above, is erased. Users will generally notice this quite quickly (as all the programs they try to use turn out not to exist!), and it is not generally hard to recover from (programs can be re-installed from their original distribution diskettes, or re-created from source files). The fact that the virus is not intentionally very destructive does not mean that protection against it isn't cost-effective. Systems infected with the virus do not work very well, and are capable of spreading the infection beyond the immediate business or community. Cleanup is therefore necessary; the earlier the virus was detected, the simpler cleanup will be. Erasing a few infected files from one diskette is cheap; scanning and cleaning up hundreds of unprotected systems after the fact can be very expensive. When cleaning up after a memory-resident virus like the 1813 (and the other viruses discussed in this paper), it is vital to make sure that the virus is not in memory during the cleanup process! Otherwise the virus is likely to re-infect objects as they are cleaned up, and cleanup will not be successful. To ensure that no virus is active in memory, power off the infected system and reboot it from a write-protected diskette that is known to be free of viruses; then during cleanup use only programs that are known not to be infected.
1.2.4 Protection

The 1813 virus is relatively easy to detect and prevent, and virtually every commercial anti-virus product can deal with it. The virus makes no attempt to hide itself, and infected files are easily recognized as such by even the simplest known-virus scanner. Products which load into memory and block unauthorized attempts to alter programs are also generally successful against it. The fact that the virus is still so common is a sign that all too many machines still lack even the simplest protection against computer viruses.


Melissa worm

First found on March 26, 1999, Melissa came to be one of the most infamous computer worms the world has ever seen. It shut down Internet mail systems that became clogged with infected e-mails propagating the worm.
Melissa was first distributed in the Usenet discussion group alt.sex. The virus was inside a file called "List.DOC", which contained passwords that allowed access to 80 pornographic websites. The worm's original form was sent via e-mail to many people.

Melissa was written by David L. Smith in Eatontown, New Jersey, and named after a lap-dancer he encountered in Florida. The creator of the virus called himself Kwyjibo, but was shown to be identical to macrovirus writers VicodinES and Alt-F11 who had several Word-files with the same characteristic Globally Unique Identifier (GUID), a serial number that was earlier generated with the network card MAC address as a component.

Worm Specifications

Melissa can spread through the word processors Microsoft Word 97 and Word 2000. It can mass-mail itself from the e-mail clients (MUAs) Microsoft Outlook 97 and Outlook 98. The worm does not work on any other version of Word, including Word 95, and it cannot mass-mail itself through any other mail client, not even Outlook Express.
If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, the macro in the document that carries the virus runs and attempts to mass-mail itself.

When the virus mass-mails, it collects the first 50 entries from the alias list (address book) and sends itself to the e-mail addresses of those entries.


Melissa.A/Original Version

This is what infected e-mails say:
From:
Subject: Important message from
To:
Attachment: LIST.DOC
Body: Here is that document you asked for ... don't show anyone else ;-)


If the worm already has sent itself, or cannot spread that way due to a lack of an internet connection or a lack of Outlook, the worm spreads to other Word Documents on the computer. Other infected documents can also be mailed. If confidential data is inside the document, the recipient of the e-mail containing the document can view it.
The worm's activation routine inserts quotes from "The Simpsons" into other documents if the minutes of the hour on the computer's clock match the day of the month (i.e. 7:09 on the 9th day of the 7th month). Quotes include phrases like "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here." The alias of the author, "Kwyjibo", is also a Simpsons reference.

Melissa.I/Empirical

This variant can send using any of these subject line and body combinations, all of which are different from Melissa's original form.
1. Subject: Question for you...
Body: It's fairly complicated so I've attached it.

2. Subject: Check this!!
Body: This is some wicked stuff!

3. Subject: Cool Web Sites
Body: Check out the Attached Document for a list of some of the best Sites on the Web

4. Subject: 80mb Free Web Space!
Body: Check out the Attached Document for details on how to obtain the free space. It's cool, I've now got heaps of room.

5. Subject: Cheap Software
Body: The attached document contains a list of web sites where you can obtain Cheap Software

6. Subject: Cheap Hardware
Body: I've attached a list of web sites where you can obtain Cheap Hardware

7. Subject: Free Music
Body: Here is a list of places where you can obtain Free Music.

8. Subject: * Free Downloads
Body: Here is a list of sites where you can obtain Free Downloads.

NOTE: The asterisk "*" in the 8th subject can be any random character that the worm specifies in the e-mail.

This version uses a different registry key, named "Empirical", to check if the worm had already mass mailed itself.

This version has another payload; if the number of minutes equals the number of hours, the worm will insert the phrase "All empires fall, you just have to know where to push." The virus then clears the flag that it had mass mailed itself from the registry. As soon as Word is restarted, a new document is created, a document is opened, or a document is closed, the worm will mass mail itself again.


Melissa.O

This version sends itself to 100 people in the alias list instead of 50. This is the e-mail message it sends:
Subject: Duhalde Presidente
Body: Programa de gobierno 1999 - 2004.


Melissa.U

This version is like Melissa.A, but it has several notable differences. The module name it uses is named "Mmmmmmm". This version only sends itself to 4 recipients instead of 50. This is what the infected e-mail looks like:
Subject: Pictures (Username)
Body: what's up ?


The worm puts the name that the sender's copy of Word is registered to where it says Username in the Subject.
The following strings can be placed in documents: "Loading... No", and ">>>>Please check Outlook Inbox Mail<<<<".

The virus also deletes critical files. Before deleting the files, it strips them of their archive, hidden, and read-only attributes, which makes them fair game for deletion.

C:\Command.com
C:\Io.sys
C:\Ntdetect.com
C:\Suhdlog.dat
D:\Command.com
D:\Io.sys
D:\Suhdlog.dat

Melissa.V

This variant is akin to Melissa.U. However, this variant sends itself to 40 different e-mail addresses in the address book. This is the subject line of the infected e-mail that it sends. There is no body.
Subject: My Pictures (Username)
The worm puts the name that the sender's copy of Word is registered to where it says Username in the Subject.
After this variant has mailed itself, it deletes all files from the root of the following drives: F, H, I, L-Q, S, X, and Z.

After that, the virus shows a message box. It has the text: "Hint: Get Norton 2000 not McAfee 4.02".


Melissa.W

This is the same as Melissa.A, except that it does not lower macro security settings in Word 2000.

Melissa.AO

This is what the e-mails from this version contain:
Subject: Extremely URGENT: To All E-Mail User -
Attachment: Infected Active Document
Body: This announcement is for all E-MAIL user. Please take note that our E-Mail Server will down and we recommended you to read the document which attached with this E-Mail.

Melissa.AO's payload occurs at 10 a.m. on the 10th day of each month. The payload inserts the following string into the document: "Worm! Let's We Enjoy."


code red worm

Computers that were infected by CodeRed have stopped propagating this worm as of July 28, 2001, due to its logic of going into infinite sleep mode. Although there was much speculation as to whether this worm would wake up again on August 1, 2001, Symantec Security Response's analysis of the CodeRed worm indicates that a re-infection will not re-awaken already infected computers.

If the worm is once again injected into the Internet, it can only affect computers that still have the vulnerability on the Web server. Previously infected computers can be re-infected if they have not been patched. Symantec Security Response advises users of IIS4.0 and 5.0 to apply the Microsoft patch before August 1. Security Response will continue to monitor CodeRed activities on the Internet and will post updates to this page when available.

The CodeRed Worm affects Microsoft Index Server 2.0 and the Windows 2000 Indexing service on computers running Microsoft Windows NT 4.0 and Windows 2000, which run IIS 4.0 and 5.0 Web servers. The worm uses a known buffer overflow vulnerability contained in the Idq.dll file. Information about this vulnerability and a Microsoft patch is located at: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.

A Cumulative Patch for IIS that includes the four patches released to date is available at: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp.

System administrators are encouraged to apply the Microsoft patch to prevent infection of this worm and other unauthorized access.

For information on the various ways to check for this threat and the underlying vulnerability, or if you are using Symantec Enterprise Firewall, refer to the Additional Information section below.


autorun-inf-virus

There is a much simpler way to remove the Autorun.inf file. Generally, when you refresh the Windows Explorer view, a bound virus process recreates this file. The file is attached to many Windows Explorer events, including OPEN and REFRESH. Simple steps to remove the virus activation:
You must close any open Explorer windows.

1. Open a command prompt (cmd.exe): go to Run, type cmd, and press Enter.
2. Now remove the virus's file attributes so that it can be deleted. Type the following lines one by one and execute each by pressing Enter,
e.g.
F:\
F:\attrib -s -r -h *.*
If there are any malicious EXE files, they are now visible, so delete them too if they are unnecessary.
F:\del autorun.inf

3. After finishing the above, remove the pen drive as quickly as possible (right after executing the del command).
4. Your pen drive is now without the virus activation config file, and you can safely delete the unnecessary EXE files on it.
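Before deleting the file it helps to know what it would have launched, so the dropped EXE files from step 2 can be identified. The following script is an added example (not from the original post): it parses autorun.inf text and reports every directive through which Explorer runs a program (open, shellexecute, shell\<verb>\command). The sample file contents and the executable name svchost32.exe are constructed.

```python
"""Triage an autorun.inf before removing it (added example, not from the post).

Parses the INI-style file and lists the directives that make Explorer launch
a program when the drive is inserted, opened or double-clicked, so the
referenced EXE files can be removed together with the config file.
The sample contents below are constructed, as is the name svchost32.exe.
"""

# Constructed content typical of a worm-planted autorun.inf: every way
# Explorer can launch a program points at the same dropped executable.
SAMPLE_MALICIOUS = r"""[AutoRun]
open=svchost32.exe
shellexecute=svchost32.exe
shell\open\command=svchost32.exe
shell\explore\command=svchost32.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed content of a harmless autorun.inf: it only sets a label and an
# icon and launches nothing (icon= references a file but does not run it).
SAMPLE_BENIGN = r"""[autorun]
icon=setup.exe,0
label=Product CD
"""


def parse_autorun(text):
    """Parse INI-style autorun.inf text into {section: {key: value}}.
    Section and key names are lowercased; blank and comment lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_directives(sections):
    """Return (directive, command) pairs that cause code execution:
    open=, shellexecute= and any shell\<verb>\command= entry."""
    hits = []
    for key, value in sections.get("autorun", {}).items():
        direct = key in ("open", "shellexecute")
        verb = key.startswith("shell\\") and key.endswith("\\command")
        if (direct or verb) and value:
            hits.append((key, value))
    return hits


def program_of(command):
    """First token of a command line, honouring a quoted program path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage(text):
    """Summarise what an autorun.inf would run and which files to remove."""
    hits = launch_directives(parse_autorun(text))
    programs = sorted({program_of(cmd).lower() for _, cmd in hits})
    return {"launches": hits, "executables": programs,
            "executes_code": bool(hits)}


def main():
    for label, sample in (("suspect", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        result = triage(sample)
        print(f"{label}: executes code = {result['executes_code']}")
        for directive, command in result["launches"]:
            print(f"  {directive} -> {command}")
        if result["executables"]:
            print("  remove along with autorun.inf:", ", ".join(result["executables"]))


if __name__ == "__main__":
    main()
```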


Monday, November 21, 2011

top 10 web browsers

Google Chrome



Google Chrome is a web browser developed by Google that uses the WebKit layout engine. It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008. The name is derived from the graphical user interface frame, or "chrome", of web browsers. As of October 2011, Chrome is the third most widely used browser with 25% worldwide usage share of web browsers and the most popular browser in South America, according to StatCounter.
In September 2008, Google released a large portion of Chrome's source code, including its V8 JavaScript engine, as an open source project entitled Chromium. This move enabled third-party developers to study the underlying source code and to help port the browser to the Mac OS X and Linux operating systems. Google also expressed hope that other browsers would adopt V8 to improve web application performance. The Google-authored portion of Chromium is released under the permissive BSD license, which allows portions to be incorporated into both open source and closed source software programs. Other portions of the source code are subject to a variety of open source licenses. Chromium implements a similar feature set as Chrome, but lacks built-in automatic updates, built-in PDF reader and Google branding, and most noticeably has a blue-colored logo in place of the multicolored Google logo.


Wednesday, November 9, 2011

DDoS attack | http://www.schoolkalolsavam.in not responding | database error

A DDoS attack was detected on the site http://www.schoolkalolsavam.in/.
The web page shows "I cannot connect to the database because: Too many connections".

Monday, October 31, 2011

OpFake|opera fake malware


Trojan:SymbOS/OpFake.A (posted by Jithin @ 17:35 GMT)
Here's the technical analysis related to Trojan:SymbOS/OpFake.A.

OpFake.A arrives as a supposed Opera Mini updater using file names such as OperaUpdater.sisx and Update6.1.sisx. The malware installer adds an Opera icon to the application menu. When run, it will show a menu and a fake download progress bar.


Progress bar displayed… even though this installer was run inside of a Faraday room.

The malware also has a "license" which can be displayed. When the trojan is started, and before the victim advances through any of the menus, the trojan is already sending text messages to Russian premium rate numbers. The numbers and the content of the messages come from an encrypted configuration file (sms.xml).

The Symbian version of OpFake.A will also monitor SMS messages for the short while it is active and deletes incoming messages and messages moved to the sent messages folder based on the phone numbers and content of the messages. The code that handles the interception of incoming SMS messages is largely identical to that in Trojan:SymbOS/Spitmo.A. That part of OpFake.A clearly shares source code with Spitmo.A.

OpFake.A tracks whether it has been run before and won't do anything except for the first time it is executed.

OpFake trojans have been self-signed using a certificate created by the attackers themselves. The owner of the certificate is JoeBloggs and the company is acme. Because these names were used as an example on a website for creating certificates, there are also non-malicious files signed with certificates that have the same owner name and company.

There are numerous variants of the installer in different paths on OpFake's host server using different file names (OperaUpdater.sisx, Update6.1.sisx, jimm.sisx). One example path is [IP Address]/builder/build/gen48BF.tmp/OperaUpdater.sisx. The varying part of the path is the 4 characters between gen and .tmp.

There is also a Windows Mobile version of the malware on the same server under a different path, for example: [IP Address]/wm/build/gen7E38.tmp/setup.CAB. Again there are numerous versions under different random paths. Currently there are over 5000 folders with random names under wm/build.

Below are two examples of decrypted configuration files, the first one is for a Symbian variant and the second one for a Windows Mobile variant. The entries with "number" and "text" signify the phone number where a message is sent to and the content of the message.



SHA-1: 2518a8bb0419bd28499b41fad2089dd7555e50c8


Saturday, October 29, 2011

HTTP cookie

A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is used for an origin website to send state information to a user's browser and for the browser to return the state information to the origin site.[1] The state information can be used for authentication, identification of a user session, user's preferences, shopping cart contents, or anything else that can be accomplished through storing text data on the user's computer.

Cookies are not software. They cannot be programmed, cannot carry viruses, and cannot install malware on the host computer.[2] However, they can be used by spyware to track users' browsing activities – a major privacy concern that prompted European and US lawmakers to take action.[3][4] Cookies can also be stolen by hackers to gain access to a victim's web account.[5]

History



The term "cookie" was derived from "magic cookie", which is the packet of data a program receives and sends again unchanged. Magic cookies were already used in computing when computer programmer Lou Montulli had the idea of using them in Web communications in June 1994.[6] At the time, he was an employee of Netscape Communications, which was developing an e-commerce application for a customer. Cookies provided a solution to the problem of reliably implementing a virtual shopping cart.[7][8]

Together with John Giannandrea, Montulli wrote the initial Netscape cookie specification the same year. Version 0.9beta of Mosaic Netscape, released on October 13, 1994,[9][10] supported cookies. The first use of cookies (out of the labs) was checking whether visitors to the Netscape website had already visited the site. Montulli applied for a patent for the cookie technology in 1995, and US 5774670 was granted in 1998. Support for cookies was integrated in Internet Explorer in version 2, released in October 1995.[11]

The introduction of cookies was not widely known to the public at the time. In particular, cookies were accepted by default, and users were not notified of the presence of cookies. The general public learned about them after the Financial Times published an article about them on February 12, 1996. In the same year, cookies received a lot of media attention, especially because of potential privacy implications. Cookies were discussed in two U.S. Federal Trade Commission hearings in 1996 and 1997.

The development of the formal cookie specifications was already ongoing. In particular, the first discussions about a formal specification started in April 1995 on the www-talk mailing list. A special working group within the IETF was formed. Two alternative proposals for introducing state in HTTP transactions had been proposed by Brian Behlendorf and David Kristol respectively, but the group, headed by Kristol himself, soon decided to use the Netscape specification as a starting point. In February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.

At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.

A definitive specification for cookies as used in the real world was published as RFC 6265 in April 2011.

Session cookie

A session cookie[12] only lasts for the duration of the user's visit to the website. A web browser normally deletes session cookies when it quits. A session cookie is created when no Expires directive is provided when the cookie is created.

Persistent cookie

A persistent cookie[12] will outlast user sessions. If a persistent cookie has its Max-Age set to 1 year, then, within the year, the initial value set in that cookie would be sent back to the server every time the user visited the server. This could be used to record a vital piece of information such as how the user initially came to this website. For this reason, persistent cookies are also called tracking cookies or in-memory cookies.
Secure cookie

A secure cookie is only used when a browser is visiting a server via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.

HttpOnly cookie

The HttpOnly cookie is supported by most modern browsers.[13][14] On a supported browser, an HttpOnly session cookie will be used only when transmitting HTTP (or HTTPS) requests, thus restricting access from other, non-HTTP APIs (such as JavaScript). This restriction mitigates but does not eliminate the threat of session cookie theft via Cross-site scripting.[15] This feature applies only to session-management cookies, and not other browser cookies.

Third-party cookie

First-party cookies are cookies set with the same domain (or its subdomain) in your browser's address bar. Third-party cookies are cookies being set with different domains than the one shown on the address bar (i.e. the web pages on that domain may feature content from a third-party domain - e.g. an advertisement run by www.advexample.com showing advert banners).

For example: Suppose a user visits www.example1.com, which sets a cookie with the domain ad.foxytracking.com. When the user later visits www.example2.com, another cookie is set with the domain ad.foxytracking.com. Eventually, both of these cookies will be sent to the advertiser when loading their ads or visiting their website. The advertiser can then use these cookies to build up a browsing history of the user across all the websites this advertiser has footprints on.

Supercookie

A "supercookie" is a cookie with a public suffix domain, like .com, .co.uk or k12.ca.us.[16]

Most browsers, by default, allow first-party cookies—a cookie whose domain is the same as, or a parent domain of, the requesting host. For example, a user visiting www.example.com can have a cookie set with domain www.example.com or .example.com, but not .com.[17] A supercookie with domain .com would be blocked by browsers; otherwise, a malicious website, like attacker.com, could set a supercookie with domain .com and potentially disrupt or impersonate legitimate user requests to example.com. The Public Suffix List is a cross-vendor initiative to provide an accurate list of domain name suffixes.[18] Older versions of browsers may not have the most up-to-date list, and will therefore be vulnerable to certain supercookies.

The term "supercookies" is erroneously used in the media for tracking technologies that do not rely on HTTP cookies. Two such "supercookie" mechanisms were found on Microsoft websites: cookie syncing that respawned MUID cookies, and ETag cookies.[19] Due to media attention, Microsoft later disabled this code:

In response to recent attention on "supercookies" in the media, we wanted to share more detail on the immediate action we took to address this issue, as well as affirm our commitment to the privacy of our customers. According to researchers, including Jonathan Mayer at Stanford University, "supercookies" are capable of re-creating users' cookies or other identifiers after people deleted regular cookies. Mr. Mayer identified Microsoft as one among others that had this code, and when he brought his findings to our attention we promptly investigated. We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued. We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft.
—Mike Hintze[20]

Zombie cookie

A zombie cookie is any cookie that is automatically recreated after a user has deleted it. This is accomplished by a script storing the content of the cookie in some other location, such as the local storage available to Flash content, HTML5 storage and other client-side mechanisms, and then recreating the cookie from the backup stores when the cookie's absence is detected.

Implementation

A possible interaction between a Web browser and a server holding a Web page, in which the server sends a cookie to the browser and the browser sends it back when requesting another page.

Cookies are arbitrary pieces of data chosen by the Web server and sent to the browser. The browser returns them unchanged to the server, introducing a state (memory of previous events) into otherwise stateless HTTP transactions. Without cookies, each retrieval of a Web page or component of a Web page is an isolated event, mostly unrelated to all other views of the pages of the same site. Other than being set by a web server, cookies can also be set by a script in a language such as JavaScript, if supported and enabled by the Web browser.

Cookie specifications[14][21][22] suggest that browsers should be able to save and send back a minimum number of cookies. In particular, a web browser is expected to be able to store at least 300 cookies of four kilobytes each, and at least 20 cookies per server or domain.

Setting a cookie

Transfer of Web pages follows the HyperText Transfer Protocol (HTTP). Regardless of cookies, browsers request a page from web servers by sending them a usually short text called HTTP request. For example, to access the page http://www.example.org/index.html, browsers connect to the server www.example.org sending it a request that looks like the following one:

GET /index.html HTTP/1.1
Host: www.example.org

browser -------→ server

The server replies by sending the requested page preceded by a similar packet of text, called 'HTTP response'. This packet may contain lines requesting the browser to store cookies:

HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT

(content of page)

browser ←------- server

The server sends lines of Set-Cookie only if the server wishes the browser to store cookies. Set-Cookie is a directive for the browser to store the cookie and send it back in future requests to the server (subject to expiration time or other cookie attributes), if the browser supports cookies and cookies are enabled. For example, the browser requests the page http://www.example.org/spec.html by sending the server www.example.org a request like the following:

GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: name=value; name2=value2
Accept: */*

browser -------→ server

This is a request for another page from the same server, and differs from the first one above because it contains the string that the server has previously sent to the browser. This way, the server knows that this request is related to the previous one. The server answers by sending the requested page, possibly adding other cookies as well.

The value of a cookie can be modified by the server by sending a new Set-Cookie: name=newvalue line in response to a page request. The browser then replaces the old value with the new one.

The term "cookie crumb" is sometimes used to refer to the name-value pair.[23] This is not the same as breadcrumb web navigation, which is the technique of showing in each page the list of pages the user has previously visited; this technique, however, may be implemented using cookies.

Cookies can also be set by JavaScript or similar scripts running within the browser. In JavaScript, the object document.cookie is used for this purpose. For example, the instruction document.cookie = "temperature=20" creates a cookie of name temperature and value 20.[24]

Cookie attributes
Besides the name-value pair, servers can also set these cookie attributes: a cookie domain, a path, expiration time or maximum age, secure flag and httponly flag. Browsers will not send cookie attributes back to the server. They will only send the cookie’s name-value pair. Cookie attributes are used by browsers to determine when to delete a cookie, block a cookie or whether to send a cookie (name-value pair) to the servers.

Domain and Path
The cookie domain and path define the scope of the cookie—they tell the browser that cookies should only be sent back to the server for the given domain and path. If not specified, they default to the domain and path of the object that was requested. An example of Set-Cookie directives from a website after a user logged in:


Set-Cookie: LSID=DQAAAK…Eaem_vYg; Domain=docs.foo.com; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly
Set-Cookie: HSID=AYQEVn….DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; HttpOnly
Set-Cookie: SSID=Ap4P….GTEq; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly
......

The first cookie LSID has domain docs.foo.com and Path /accounts, which tells the browser to use the cookie only when requesting pages contained in docs.foo.com/accounts. The other two cookies HSID and SSID would be sent back by the browser while requesting any subdomain in .foo.com on any path, for example www.foo.com/.

Cookies can be set only for the top domain and its subdomains. Setting cookies on www.foo.com from www.bar.com will not work, for security reasons.[25]

Expires and Max-Age
The Expires directive tells the browser when to delete the cookie. It is specified in the form of “Wdy, DD-Mon-YYYY HH:MM:SS GMT”, indicating the exact date/time this cookie will expire. As an alternative to setting cookie expiration as an absolute date/time, RFC 6265 allows the use of the Max-Age attribute to set the cookie’s expiration as an interval of seconds in the future, relative to the time the browser received the cookie. An example of Set-Cookie directives from a website after a user logged in:


Set-Cookie: lu=Rg3vHJZnehYLjVg7qi3bZjzg; Expires=Tue, 15-Jan-2013 21:47:38 GMT; Path=/; Domain=.foo.com; HttpOnly
Set-Cookie: made_write_conn=1295214458; Path=/; Domain=.foo.com
Set-Cookie: reg_fb_gate=deleted; Expires=Thu, 01-Jan-1970 00:00:01 GMT; Path=/; Domain=.foo.com; HttpOnly
......

The first cookie lu is set to expire on 15-Jan-2013; it will be used by the client browser until that time. The second cookie made_write_conn does not have an expiration date, making it a session cookie. It will be deleted after the user closes the browser. The third cookie reg_fb_gate has its value changed to deleted, with an expiration time in the past. The browser will delete this cookie right away – note that the cookie will only be deleted when the domain and path attributes in the Set-Cookie field match the values used when the cookie was created.

Secure and HttpOnly
The Secure and HttpOnly attributes do not have associated values. Rather, the presence of the attribute names indicates that the Secure and HttpOnly behaviors are specified.

The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. Naturally, web servers should set Secure cookies via secure/encrypted connections, lest the cookie information be transmitted in a way that allows eavesdropping when first sent to the web browser.

The HttpOnly attribute directs browsers to use cookies via the HTTP protocol only. An HttpOnly cookie is not accessible via non-HTTP methods, such as calls via JavaScript (e.g., referencing "document.cookie"), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique[26]). As shown in previous examples, both Facebook and Google use the HttpOnly attribute extensively.
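The browser-side rules described in this section and in the Supercookie, Setting a cookie, Domain and Path, and Expires and Max-Age sections above, as an added Python example that is not part of the original article: it models a browser's cookie store, rejecting public-suffix domains, scoping by domain and path, honouring Expires and Max-Age (including deletion by a past date), and withholding Secure cookies on plain HTTP and HttpOnly cookies from scripts. The public suffix set is a constructed stand-in for the real Public Suffix List.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

PUBLIC_SUFFIXES = {"com", "co.uk", "k12.ca.us"}  # constructed stand-in for the Public Suffix List

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host is the cookie domain itself or a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_matches(req_path, cookie_path):
    """RFC 6265 path-match: exact, or the cookie path is a directory prefix of the request path."""
    return req_path == cookie_path or (req_path.startswith(cookie_path) and
            (cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"))

def parse_set_cookie(header, request_url, now):
    """One Set-Cookie header -> cookie dict, or None where a browser must reject it."""
    url = urlsplit(request_url)
    first, *attrs = (p.strip() for p in header.split(";"))
    name, _, value = first.partition("=")
    c = {"name": name, "value": value, "domain": url.hostname, "host_only": True,
         "path": None, "expires": None, "secure": False, "httponly": False}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            dom = val.lower().lstrip(".")
            # Browsers reject supercookies (public-suffix domains) and domains not covering the host
            if dom in PUBLIC_SUFFIXES or not domain_matches(url.hostname, dom):
                return None
            c["domain"], c["host_only"] = dom, False
        elif key == "path":
            c["path"] = val
        elif key == "max-age":  # seconds from now; takes precedence over Expires
            c["expires"] = now + timedelta(seconds=int(val))
        elif key == "expires" and c["expires"] is None:  # "13-Jan-2021" and "13 Jan 2021" forms
            c["expires"] = datetime.strptime(val.replace("-", " "),
                                             "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)
        elif key in ("secure", "httponly"):
            c[key] = True
    if c["path"] is None:  # default-path: the request path up to its last "/"
        c["path"] = url.path[:url.path.rfind("/")] or "/"
    return c

def store(jar, request_url, set_cookie_headers, now):
    """Apply a response's Set-Cookie headers to jar, a dict keyed by (name, domain, path)."""
    for c in filter(None, (parse_set_cookie(h, request_url, now) for h in set_cookie_headers)):
        key = (c["name"], c["domain"], c["path"])
        if c["expires"] is not None and c["expires"] <= now:
            jar.pop(key, None)  # an expiry in the past deletes the cookie
        else:
            jar[key] = c  # same name, domain and path: the new value replaces the old

def cookie_header(jar, url, now, from_script=False):
    """Cookie header for a request to url; from_script=True models a document.cookie read."""
    u = urlsplit(url)
    sent = []
    for c in jar.values():
        in_scope = u.hostname == c["domain"] if c["host_only"] else domain_matches(u.hostname, c["domain"])
        if (c["expires"] is not None and c["expires"] <= now) or not in_scope:
            continue
        if (not path_matches(u.path or "/", c["path"]) or (c["secure"] and u.scheme != "https")
                or (c["httponly"] and from_script)):
            continue
        sent.append(f'{c["name"]}={c["value"]}')
    return "; ".join(sent)
```

Feeding the Set-Cookie lines from the examples above into store() and then asking cookie_header() for different URLs reproduces the behaviour the text describes: LSID only under docs.foo.com/accounts over HTTPS, HSID and SSID on any .foo.com host, and nothing HttpOnly visible to a script.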

Evercookie

Background

A traditional HTTP cookie is a relatively small amount of textual data that is stored by the user's browser. Cookies can be used to save preferences and login session information; however, they can also be employed to track users for marketing purposes. Due to concerns over privacy, all major browsers include mechanisms for deleting and/or refusing to accept cookies from websites.

The size restrictions, likelihood of eventual deletion, and simple textual nature of traditional cookies motivated Adobe Systems to add the Local Shared Object (LSO) mechanism to the Adobe Flash player.[1] While Adobe has published a mechanism for deleting LSO cookies (which can store 100KB of data per website, by default),[2] it has met with some criticism from security and privacy experts.[3] In response to the relative difficulty of removing LSO cookies, browser add-ons such as Firefox's "Better Privacy" plugin have been developed.[4]

An evercookie is not merely difficult to delete. It actively "resists" deletion by copying itself in different forms on the user's machine and resurrecting itself if it notices that some of the copies are missing or expired. As such, it serves to highlight the ways in which creators of malware can attack browsers.[5]

Evercookie

On September 13, 2010, Samy Kamkar, creator of the Samy Worm (aka JS/Spacehero-A),[6] which took down MySpace.com in 2005, released v0.4 beta, as open source, of a highly persistent cookie he calls an Evercookie.[7][8][9][10]

According to the project's website:

Evercookie is designed to make persistent data just that, persistent. By storing the same data in several locations that a client can access, if any of the data is ever lost (for example, by clearing cookies), the data can be recovered and then reset and reused. Simply think of it as cookies that just won't go away. Evercookie is a JavaScript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. Evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local browser. Additionally, if Evercookie has found the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Specifically, when creating a new cookie, Evercookie uses the following storage mechanisms when available:

* Standard HTTP cookies
* Local Shared Objects (Flash cookies)
* Silverlight Isolated Storage
* Storing cookies in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out
* Storing cookies in Web history
* Storing cookies in HTTP ETags
* Storing cookies in Web cache
* window.name caching
* Internet Explorer userData storage
* HTML5 Session Storage
* HTML5 Local Storage
* HTML5 Global Storage
* HTML5 Database Storage via SQLite

The developer is looking to add the following features:

* Caching in HTTP Authentication
* Using Java to produce a unique key based on NIC information.

Intent and effect

Created as a demonstration of how sites could track users even after performing actions that would clear "normal" cookies, Evercookie alarmed many experts. Researchers have found ways to delete the Evercookie on some (but not all) browsers in common use.[11]

Usage

Evercookie is ideal for use as a marketing tool that resides on a web server, to be able to persistently collect "anonymous" data on browsing habits on home computers. Though this tool could be used for various kinds of user browser data, it remains clear that its main advantage is the ability to reconstruct itself on a computer after the computer has undergone a browser cookie purge. For instance, with this tool it is possible to have persistent identification of a specific computer, and since it is specific to an account on that computer, it links the data to an individual. It is conceivable this tool could be used to track a user and the different cookies associated with that user's identifying data without the user's consent. The tool has a great deal of potential to undermine browsing privacy.

Jithin sha m.a

Programming Editor

Hello Programmers! This week we are looking at how to use attributes in VB.NET. We are also looking at examples of using switch in JavaScript, and how to sort a generic list using anonymous methods in Delphi. We also look at Oracle discontinuing Rails support in NetBeans 7.0. Have a great week!

Using Attributes in VB.NET

You see them frequently, especially in more advanced code examples that you might copy out for your own use. SerializableAttribute is one of the most common:

' Instances of this class
' need to be serialized
_
Public Class theClass
    ' Code in the class
End Class

Oracle Discontinues Rails Support in NetBeans 7.0

Oracle has discontinued support of Ruby on Rails in the upcoming NetBeans 7.0 IDE. Despite being primarily a Java IDE, it did feature support for Ruby and Ruby on Rails, both with jRuby and MRI. However, in order to focus their efforts on making NetBeans 7.0 a better Java IDE, Oracle has decided to drop Ruby on Rails support.

Switch

In the eleventh "JavaScript by Example" we look at an alternative way we can get JavaScript to make decisions. A switch statement allows us to easily check one field for different values and have it perform different processing for each different value.

Sort a Generic Delphi List using an Anonymous Method

Delphi 2009 adds Generics and Anonymous methods to the Delphi language. When you have objects in some list, one of the commonly required tasks is to sort the list: either ascending, descending or using some list-specific algorithm. Using anonymous methods you can apply the sorting function directly "inline" with the call to the Sort method.