Download .mp3 (right-click -> save link as…)

You can subscribe to the podcast feed via one of the two feeds below (might take a day for itunes to update it) :FeedBurner or iTunes

News stories mentioned:

Download .mp3 (right-click -> save link as…)


You can subscribe to the podcast feed via one of the two feeds below (might take a day for itunes to update it) : FeedBurner or iTunes

News stories mentioned:

Download .mp3 (right-click -> save link as)
You can subscribe to the podcast feed via one of the two feeds below (might take a day for itunes to update it) :
FeedBurner or iTunes

News stories mentioned:

Hacking website of the week:

www.KrebsOnSecurity.com

Websites mentioned:

Trusted online scanners:

NoVirusThanks.org (Possibly Compromised?)

Virus-Trap.org

AVHide.com

Non-Trusted Online Scanners:

VirusTotal.com

Jotti

Botnet, also known as robotic network,  is a group of computers that run the same computer robotic application controlled or manipulated by human operators.  They are also called as botmasters for the purpose of doing co-related tasks. The system is organized in a simple hierarchical structure comprised of many computers, also called as drones or zombies, and a command center that controls all of the drones or zombies into action. Botnets can be large (composed of ten to twenty thousand drones) or small (composed of five hundred to a thousand drones).  It really depends on the sophistication and complexity of its use.

Botnets are very good tools in the hacking world because of their ability to gain other computers that could be used for any purpose. If you are familiar with the security vulnerabilities of a network, its workstations and servers, you can wrest control all of its computers in a matter of days, hours or even minutes with the aid of a very sophisticated botnet application.  Once control is obtained, the task can be done remotely or autonomously.

Knowing who developed the first botnet or the authors of this software can be very vague. I mean, honestly, who would want to claim the software as his if it was the one responsible for hacking the entire computer system of the NSA or the CIA?  However, we can actually trace its roots or how it came to be.  In 1998, NetBus and BackOrifice2000 application were introduced in the IT community. Both were sets of applications designed for a friendlier Microsoft Windows-based remote systems management. If you haven’t heard of it, it’s like the famous Go-to-my-PC application  where you could access your computer at home from almost anywhere and perform any normal tasks as if you are actually using the device.  The difference is that it was built as a command base with other additional software for whatever intention and purpose the author has. Some users came up with some ideas on how it could be used maliciously, like in committing pranks and eavesdropping.  Over time, additional refinements where made independently by various groups, mutating it to some nasty Malware Trojan or just a milled one.

How are they made?

To know how botnets are made, we must first understand its known architectures. Currently, the most common architectures used in botnets are the following:

1. Centralized command and control (C&C)  model

Image is taken from. http://www.malwarecity.com/blog/anatomy-of-a-botnet-196.html

This is considered to be the first botnet architecture used. The botmaster may have the option to login to any of C&C server directly or remotely in order to control and communicate with other C&C server and drone computers. The secondary C&C is usually used as a backup just in case the botmaster fails to connect with the first one. The C&C server may not be restricted to just two and is not also only restricted to one network.  It can control as many zombies from deferent networks depending on the botnet’s level of sophistication.

1. Decentralized, P2P or distributed command and control model.

Image is taken from. http://www.malwarecity.com/blog/anatomy-of-a-botnet-196.html

Considered to be the a versatile architecture because any of the drones can be used as a command center making it harder for anyone to pinpoint its source plus you would not worry of establishing your control with this architechture.

What are the Internet protocols used to establish connections? Almost any.  But currently, the Internet Relay Chat (IRC) botnet is still preferred.  It is the favorite of any botmaster because it’s lightweight and secure enough to login and control because of its password protection.  One example of an IRC-based botnet is Agobot.  It has tools like a packet sniffer, keylogger, rootkit, information harvester, smtp and http client and a DoS attack feature.  Internet Messaging botnets also appeared latching to AOL, Yahoo Messenger, and MSN services.  In August, the social networking site twitter.com was discovered to have a botnet installed.  Twitter.com’s used the Hyper Text Tranfer Protocol.  Its security team found that it was being used as a C&C.   Security teams from Symantec also found a botnet C&C in Google groups this September.  It’s dubbed as “trojan.grup.”

How do you make zombies or drones with others computer? It still goes down to the basics of hacking and exploiting the network and all the computer vulnerabilities.  This includes human reverse engineering or email phishing expeditions.

Botnets could carry a wide range of commands and some of the most common are listed below.  Take note, these commands may vary from each botnet.

Flood or DDoS – Command Used for DoS attacks.

Spam – Download a template message and send out the messages from your drones.

Proxy – Primarily used to conceal ones identity by relaying traffic through target        computer

http.download – Command to download files from the internet.

Who makes them?

Majority of  botnet software is freely distributed without any warranty.  It is even possible to build one on top of those that are already available commercially.  Just take note that this software is largely considered a malware/trojan.   Never attempt to install them if you do not have enough knowledge about their applications.  Botnets are related to viruses, malware and rootkits.

What are they used for?

Botnets are one of the best tools you could use in order to do what any hacker would want to be doing. You could remotely initiate some form of eavesdropping or pranks, like logging or injecting user keystrokes, screen captures, program launching, file browsing etc.  For a broader application, botnets could be used for unethical and unlawful commercial applications such as phishing, sending spam, click frauds in order to up a website’s popularity, information harvesting and planting, command and control on an agency, proxy server alternative to cover  tracks while doing research, and lastly, doing denial of service attacks.  Botmasters could even sell their botfarms to the highest bidder, usually the mafia or other large criminal organizations.

What are the largest botnets?

The largest known botnet attack ever recorded was Storm in 2007.  Recently, another botnet was uncovered that nearly infected two million personal computers in April 2008. Its name though has not been made official.  The Storm botnet was generally used for spamming and uses the Kadmelia P2P overlay protocol rather than an IRC network.  A rootkit was also present, enabling it to hide its presence.  It had the ability to harvest email addresses fromits infected drones.

Some Common Types

The OpenSource community does not support creation and distribution of malicious softwares like botnets.  However, you can actually find them on some underground hackers’ websites and even in torrents.  You could also look them up in Google.  Some of these are: urxbot, spybot, sdbot, rxbot, rbot, phatbot, litmus, gtbot, forbot, evilbot, darkirc, agobot, acebot and storm.

Anyone who owns a computer has probably heard what a virus is.  Most with personal computers may even have their own units infected with one type of virus at one point or another.  If you haven’t, it’s time you learn about it because this can destroy your data.  Viruses are programs created to become a nuisance.  The term encompasses all sorts of malicious software there is in the market.  While some are totally destructive, most are annoying and can cause minor errors in the computer system.

Currently, the human population in this planet is now 6.9 billion.  About one billion of its inhabitants, or 16.7 percent, owns or use a computer. Analysts project that by the end of this year it will double.  With these figures in mind, let’s find out how many computers do viruses infect and what are the most prevalent or common viruses.  As of June 2009, there are about 1.9 million computers which are infected with some type of adware or malware.  This estimate is quite conservative considering the number of unreported cases in many parts of the world.

Spreading Malware

Malware is short for malicious software.  Why malicious?  Because it infiltrates a computer system.  What is the goal of malware? The general goal of a malware is to harvest DATA. It can be user login, passwords, credit card information, bank accounts or transactions or databases that are stored on your PC or web.

A few years ago, e-mail spam with promotional or news-related items were the most popular ways of introducing a malware.  However, individuals and companies have strengthen their e-mail security, which made it e-mailing become less popular among hackers.  Also, spam mails are not read anymore.  They automatically go to the trash folder.

Security experts believe that malware developers have changed their ways or strategies in delivering their attacks.  This time, they are spreading them through websites, using search links with bogus websites or click on icons of popular product advertisements like AV (anti-virus software), and also using events like the death of a popular artist or a popular movie that users would likely to download.

Below is the June 2009 stats for websites infected with malwares (source: http://www.kaspersky.com/news?id=207575855):

From the table, it can be seen that thousands of websites have or are being infected by one form of malware or another. This is an indication that their delivery has gone to harboring or posting websites to delivering the malicious software.

How do hackers spread malware from websites?

1. Using search engines and posing as legitimate products. All of us go to search engines to find out about something. Malware users and developer are now using tools that legitimate web administrators use in order to promote and get a good ranking for their websites in search engines like Google, Yahoo, MSN and AOL.

SEO (Search engine Optimization) – A technique used by website administrators to improve the volume of traffic for their websites has also been used by malware propagators in the form of Spamdexing, link farms and keyword stuffing.

Paid Web Advertising – Criminals also pay to advertise their bogus websites that are packed with malwares.  The advertisement could be a form of product to download or help the poor program.

2. Getting in to social networking websites and other popular websites.

One of the hottest trends in the Internet is the social networking websites like Facebook, Friendster, and Multiply.  Facebook.com alone garnered 1,191,373,339 monthly visits this year. Plus, it is believed that most of the users are not security conscious. Very tempting for malware propagators to exploit.  Their methods of attack:

-  Post as a social networking website user and post malwares in the form of products or downloads.

-  Post as a Facebook user who is known by a group and send message to see a Youtube link, which has been engineered to make users think that they need to update their flash application to view it. By the time the user clicks the update button, malware kicks-in and install a botnet, which not only infects the account but the entire server as well.

-  Exploiting vulnerabilities of a CMS (Content Management System) website and others and then inserting malicious iframes. Inserting iframes is like loading one web page inside another. To conceal its presence, it is often a very small piece of code that is not visible from the browser.  What most iframes do is redirect unwary users to malware sites.

If you are a Star Trek Generation fan and have seen how a high-breed program has taken control of The Enterprise, you will get an idea of what a rootkit is. That program gradually took control of the ship until such time that it was able to decide its course. In plain language, a rootkit is a powerful software that has the potential of wresting control of a system without being detected by security mechanisms. Since the purpose of a rootkit is to grant secret access to a non-administrator, it could be said that this administrative tool is malicious. Imagine a competitor knowing about the company’s trade secrets without the owner being aware of it.

Although it is generally used to hide intruders like Trojans, keyloggers, worms, and inappropriate files, a rootkit can be put to good use. For instance, an antivirus company can use rootkit techniques to protect a server or personal computer from viruses or malwares.

While the rootkit was created in the 1990s, the public only became aware of it in 2005 when Sony BMG had to recall its CDs that used a rootkit to hide the copyright protection. The rootkit prevented unauthorized copying of the CD but unfortunately, it also opened an opportunity for hackers or virus writers to infect or control the computer where the Sony CD had been installed. What Sony envisioned as the solution for the piracy of digital media turned into a scandal that stunned the consumers and the IT community.

You may get nervous and wonder how is a rootkit installed? So long as you keep the administrative rights to yourself, you can rest easy that a rootkit can’t get installed in your system. This is important for systems administrators to remember particularly in businesses that handle large amount of data or whose network infrastructures are complex. A rootkit can hide once it has been installed. A systems administrator must never allow a new employee or even old ones to tamper with the system. Temporary access should not be granted since it only takes one opportunity for the rootkit to be installed. A blackhat (bad hacker) might use keyloggers on the first wave of attack to secure “root” passwords or by embedding rootkits to popularly downloadable software.

Once infected with one, remote access will allow for outside people to do things with the system. There are many forms of rootkits for different types of operating systems and each has its own characteristics and ways of concealment. The first one though was built for the UNIX operating system. Technically, rootkits do the “inline function hooking.” How does this work? Just think of the rootkit being a middle man and deciding which information to send to a running program. It can send decoys to stop the program from detecting errors. Sounds very smart, right? By being able to fool the system, the administrator too is kept in the dark for an indeterminate period of time.

As a very smart malware, rootkits can hide from legitimate systems administrators who routinely monitor their servers and PCs. A rootkit cannot be detected using the following techniques:

1. Looking on file sizes and attributes using Windows explorer.
2. Using task manager to audit valid running processes.
3. Checking entries in Windows registry.
4. Scanning for network connections and ports open using netstat.
5. Inspecting log entries and audit trails.

Can it be removed?

The all-important question is whether a rootkit can be removed just like other system intruders once detected. If you believe your system is safe from a rootkit, prevent future infiltration by making your passwords difficult to determine (add any of these characters `~!@#$%^&*-=+|). As they say, prevention is better than cure. Moreover, install additional security patches, increase the level of user security, and limit remote access.

But if a rootkit is already in your computer or network, you can remove it by first determining where it is located and what is its type. There are a lot of applications in the market that help in protecting the system and removing this software. RootkitRevealer at http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx is one of those applications that can help you detect rootkits in your system. Also, some AntiVirus software, like, Symantec has this capability.

Before attempting to remove the rootkit, you must have a backup copy of all crucial data. Don’t make a backup using software image since this could have been tampered with the rootkit. Reinstall everything up from ground zero, or if you have a reliable software image for restoring the system, then, use it. Download the files but check first whether their integrity has been compromised. You can do this by using MD5 Checksum. See this link for details: http://www.go2linux.org/md5sum-how-to-check-file-integrity

Here are some of the most popular rootkits for the different types of operating systems:

Renepo-A, built for Mac and is popular probably because of the computer manufacturer’s lax security concerning Internet access.

Hackerdefender or hxdef is the most common on Windows.

Adore-ng for Linux.