Major Hackers Personalities

This section contains brief information on some of the most famous hackers, both black and white hats. The individuals below are well known for a variety of reasons: their actions, whether good or bad, their contributions to software and technology development, or their innovative approach, skills and ability to think out of the box.

Richard Stallman is known as the father of free software. When Stallman started working at MIT's Artificial Intelligence Lab in 1971 he was confronted with 'non disclosure agreements' and closed program sources while he was hacking and improving system drivers the 'traditional way'. After an interesting battle to obtain the source code of a faulty printer utility, Stallman gave up his job and became the loudest advocate for free computer software, creating GNU and the Free Software Foundation in the process.

Dennis Ritchie and Ken Thompson are famous for two major software developments of the 20th century: the UNIX operating system and the C programming language. These two began their carriers at Bell Labs in 1960's, revolutionising the computer world forever with their ideas. While Ken Thompson has retired from the computer world, Dennis Ritchie is still employed at Lucent Technology, working on a new operating system derived from Unix, called 'Plan9'.

John Draper, aka 'Cap'n Crunch' is famous for his ability to hack phone systems using nothing but a whistle from the 'Cap'n Crunch' cereal boxes (hence the nickname). Besides being the father of 'phone phreaking', John Draper is also famous for writing what was perhaps the first IBM PC word processor. He now heads his own security venture, developing antispam solutions, thwarting hacker attacks and securing PCs.

Robert Morris is famous for creating the first Internet worm in 1988. It infected thousand of systems, and practically brought the Internet to a halt for nearly a day. The 'Morris Worm' was perhaps the first fully automated hacking tool, exploiting a couple of unpatched vulnerabilities on Vax and Sun computers.

Kevin Mitnick, possibly the best known case of a 'black hat', was caught by the computer expert Tsutomu Shimomura back in 1995.

Kevin Poulsen remains famous for his 1990 hack of the phone system in Los Angeles. This enabled him to become the 102nd caller in a radio-phone and win a Porsche 944. Kevin Poulsen was eventually caught and imprisoned for three years. He now works as a columnist for the online security magazine 'SecurityFocus'.

Vladimir Levin, a Russian computer expert, hacked into Citibank and extracted USD $10 million. He was arrested by Interpol in UK, back in 1995 and sentenced to three years in prison, as well as being required to pay USD $240,015 in restitution.

Tsutomu Shimomura is a good example of a 'white hat'. He was working for the San Diego Supercomputing Center when Kevin Mitnick broke into his network and stole information on cellular technology and other classified data. Tsutomu started the pursuit for Mitnick which eventually led to his arrest.

Linus Torvalds is known as the father of Linux, the most popular Unix-based operating system in use nowadays. Linus started his work on a new operating system in 1991, adopting several controversial technologies for his project, namely the concept of Free Software and GNU's Public License system. He is also known for his early disputes with Andrew Tannenbaum, the author of Minix, which was the inspirational source for Linus' OS project.

Continue reading →

Software Vulnerabilities

'Errare humanum est' (' To err is human.')
Marcus Tullius Cicero, Roman statesman, philosopher and author

'To err is human, but to really foul things up you need a computer'
Paul Ehrlich

The term 'vulnerability' is often mentioned in connection with computer security, in many different contexts.

In its broadest sense, the term 'vulnerability' is associated with some violation of a security policy. This may be due to weak security rules, or it may be that there is a problem within the software itself. In theory, all computer systems have vulnerabilities; whether or not they are serious depends on whether or not they are used to cause damage to the system.

There have been many attempts to clearly define the term 'vulnerability' and to separate the two meanings. MITRE, a US federally funded research and development group, focuses on analysing and solving critical security issues. The group has produced the following definitions:

According to MITRE's CVE Terminology:

[...] A universal vulnerability is a state in a computing system (or set of systems) which either:

• allows an attacker to execute commands as another user
• allows an attacker to access data that is contrary to the specified access restrictions for that data
• allows an attacker to pose as another entity
• allows an attacker to conduct a denial of service

MITRE believes that when an attack is made possible by a weak or inappropriate security policy, this is better described as 'exposure':

An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either:

• allows an attacker to conduct information gathering activities
• allows an attacker to hide activities
• includes a capability that behaves as expected, but can be easily compromised
• is a primary point of entry that an attacker may attempt to use to gain access to the system or data is considered a problem according to some reasonable security policy

When trying to gain unauthorized access to a system, an intruder usually first conducts a routine scan (or investigation) of the target, collects any 'exposed' data, and then exploits security policy weaknesses or vulnerabilities. Vulnerabilities and exposures are therefore both important points to check when securing a system against unauthorized access.

Continue reading →

How to Detect a Hacker Attack

Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack.

Due to this, detecting hacker attacks is not an easy task, especially for an inexperienced user. This article gives a few basic guidelines to help you figure out either if your machine is under attack or if the security of your system has been compromised. Keep in mind just like with viruses, there is no 100% guarantee you will detect a hacker attack this way. However, there's a good chance that if your system has been hacked, it will display one or more of the following behaviours.

Windows machines:

• Suspiciously high outgoing network traffic. If you are on a dial-up account or using ADSL and notice an unusually high volume of outgoing network (traffic especially when you computer is idle or not necessarily uploading data), then it is possible that your computer has been compromised. Your computer may be being used either to send spam or by a network worm which is replicating and sending copies of itself. For cable connections, this is less relevant - it is quite common to have the same amount of outgoing traffic as incoming traffic even if you are doing nothing more than browsing sites or downloading data from the Internet.
• Increased disk activity or suspicious looking files in the root directories of any drives. After hacking into a system, many hackers run a massive scan for any interesting documents or files containing passwords or logins for bank or epayment accounts such as PayPal. Similarly, some worms search the disk for files containing email addresses to use for propagation. If you notice major disk activity even when the system is idle in conjunction with suspiciously named files in common folders, this may be an indication of a system hack or malware infection.
• Large number of packets which come from a single address being stopped by a personal firewall. After locating a target (eg. a company's IP range or a pool of home cable users) hackers usually run automated probing tools which try to use various exploits to break into the system. If you run a personal firewall (a fundamental element in protecting against hacker attacks) and notice an unusually high number of stopped packets coming from the same address then this is a good indication that your machine is under attack. The good news is that if your personal firewall is reporting these attacks, you are probably safe. However, depending on how many services you expose to the Internet, the personal firewall may fail to protect you against an attack directed at a specific FTP service running on your system which has been made accessible to all. In this case, the solution is to block the offending IP temporarily until the connection attempts stop. Many personal firewalls and IDSs have such a feature built in.
• Your resident antivirus suddenly starts reporting that backdoors or trojans have been detected, even if you have not done anything out of the ordinary. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may be an indication that your system can be accessed from outside.

Unix machines:

• Suspiciously named files in the /tmp folder. Many exploits in the Unix world rely on creating temporary files in the /tmp standard folder which are not always deleted after the system hack. The same is true for some worms known to infect Unix systems; they recompile themselves in the /tmp folder and use it as 'home'.
• Modified system binaries such as 'login', 'telnet', 'ftp', 'finger' or more complex daemons, 'sshd', 'ftpd' and the like. After breaking into a system, a hacker usually attempts to secure access by planting a backdoor in one of the daemons with direct access from the Internet, or by modifying standard system utilities which are used to connect to other systems. The modified binaries are usually part of a rootkit and generally, are 'stealthed' against direct simple inspection. In all cases, it is a good idea to maintain a database of checksums for every system utility and periodically verify them with the system offline, in single user mode.
• Modified /etc/passwd, /etc/shadow, or other system files in the /etc folder. Sometimes hacker attacks may add a new user in /etc/passwd which can be remotely logged in a later date. Look for any suspicious usernames in the password file and monitor all additions, especially on a multi-user system.
• Suspicious services added to /etc/services. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines. This is accomplished by modifying /etc/services as well as /etc/ined.conf. Closely monitor these two files for any additions which may indicate a backdoor bound to an unused or suspicious port.

Continue reading →

An Analysis of Hacker Mentality:

Why people hack is a subject which is often discussed. Some say the explanation is the same as the one given by people who climb mountains: 'because they [computers] are out there'. Others claim that by highlighting vulnerabilities, hacking helps increase computer security. And finally, there is the explanation most often put forward: criminal intent.

Whatever the reason, as long as computers exists there will be hackers - white hats, black hats and grey hats. And because there is no way of predicting which kind of attack ('curiosity' versus 'malicious') will hit your computer first, it is always best to be prepared for the worst.

The truth is that in hours of a machine being connected to the Internet, somebody will scan it with an automated vulnerability probing tool, looking for ways to get in. It may be somebody who is just curious to see what is on the machine, or a white hat from the other side of the world checking to see if the computer is secure. Of course, in real life you wouldn't want passing strangers stopping to check if your house or car were locked, and, if not, to go inside, look around, go through your possessions and leave a note saying 'Hi, I was here, your door was open, but don't mind me and BTW, fix your lock'. If you wouldn't want someone to do this to your house, you wouldn't want someone doing it to your computer. And there is no excuse for doing it to someone else's computer either.

Premeditated, criminal, hacking is obviously even worse. In the real world, somebody walks by, breaks your lock, gets inside, disables your alarm system, steals something or plants listening devices in your phone or surveillance equipment in your living room. If this happens you call the police, they look around, write a report, and you wait for the thieves to be caught. Unfortunately, this is a rare luxury in the computer world; the culprit may be far, far way, downloading your confidential files while sitting in his personal villa or sunbathing by his huge pool, nicely built with stolen money. Or, in a business environment, many large corporations prefer not to report hacking incidents at all, in order to protect their company image. This means that the criminals remain unpunished.

Another hacker motivation may be hooliganism, or digital graffiti, which can be summed up as hacking into systems to cause damage. Web site defacement is a very popular form of digital graffiti and there are some hacking groups which focus on this task alone. Just as in the physical, non-cyber world, catching the hooligans is a tedious task which usually doesn't repay the effort or resources expended.

Whatever the reasoning, be it 'to help others', 'security heads-up!', 'hooliganism' or 'criminal intent', hacking is a phenomenon which is deeply rooted in the world of computing and will probably never die. There will always be people immature enough to abuse public resources, self-proclaimed 'Robin Hoods' and criminals hiding in the dark alleys of cyberspace.

Continue reading →

If your PC is infected:

What to Do If Your Computer Is Infected

Sometimes even an experienced user will not realise that a computer is infected with a virus. This is because viruses can hide among regular files, or camoflage themselves as standard files. This section contains a detailed discussion of the symptoms of virus infection, how to recover data after a virus attack and how to prevent data from being corrupted by malware.

Symptoms of infection

There are a number of symptoms which indicate that your computer has been infected. If you notice "strange things" happening to your computer, namely:

• unexpected messages or images are suddenly displayed
• unusual sounds or music played at random
• your CD-ROM drive mysteriously opens and closes
• programs suddenly start on your computer
• you receive notification from your firewall that some applications have attempted to connect to the Internet, although you did not initiate this, then it is very likely that your computer has been infected by a virus

Additionally, there are some typical symptoms which indicate that your computer has been infected via email:

• your friends mention that they have received messages from your address which you know you did not send
• your mailbox contains a lot of messages without a sender's e-mail address or message header

These problems, however, may not be caused by viruses. For example, infected messages that are supposedly coming from your address can actually be sent from a different computer.

There is a range of secondary symptoms which indicate that your computer may be infected:

• your computer freezes frequently or encounters errors
• your computer slows down when programs are started
• the operating system is unable to load
• files and folders have been deleted or their content has changed
• your hard drive is accessed too often (the light on your main unit flashes rapidly)
• Microsoft Internet Explorer freezes or functions erratically e.g. you cannot close the application window

90% of the time the symptoms listed above indicate a hardware or software problem. Although such symptoms are unlikely to be caused by a virus, you should use your antivirus software to scan your computer fully.

What you should do if you notice symptoms of infection

If you notice that your computer is functioning erratically

1. Don't panic! This golden rule may prevent the loss of important data stored in your computer and help you avoid unnecessary stress.
2. Disconnect your computer from the Internet.
3. If your computer is connected to a Local Area Network, disconnect it.
4. If the computer cannot boot from the hard drive (error at startup), try to start the system in Safe Mode or from the Windows boot disk
5. Before taking any action, back up all critical data to an external drive (a floppy disk, CD, flash memory, etc.).
6. Install antivirus software if you do not have it installed.
7. Download the latest updates for your antivirus database. If possible, do not use the infected computer to download updates, but use a friend's computer, or a computer at your office, an Internet cafe, etc. This is important because if you are connected to the Internet, a virus can send important information to third parties or may try to send itself to all email addresses in your address book. You may also be able to obtain updates for your antivirus software on CD-ROM from the software vendors or authorized dealers.
8. Perform a full system scan.

If no viruses are found during a scan

If no viruses are found during the scan and the symptoms that alarmed you are classifed, you probably have no reason to worry. Check all hardware and software installed in your computer. Download Windows patches using Windows Update. Deinstall all unlicensed software from your computer and clean your hard drives of any junk files.

If viruses are found during a scan

A good antivirus solution will notify you if viruses are found during a scan, and offer several options for dealing with infected objects.

In the vast majority of cases, personal computers are infected by worms, Trojan programs, or viruses. In most cases, lost data can be successfully recovered.

1. A good antivirus solution will provide the option to disinfect for infected objects, quarantine possibly infected objects and delete worms and Trojans. A report will provide the names of the malicious software discovered on your computer.
2. In some cases, you may need a special utility to recover data that have been corrupted. Visit your antivirus software vendor's site, and search for information about the virus, Trojan or worm which has infected your computer. Download any special utilities if these are available.
3. If your computer has been infected by viruses that exploit Microsoft Outlook Express vulnerabilities, you can fully clean your computer by disinfecting all infected objects, and then scanning and disinfecting the mail client's databases. This ensures that the malicious programs cannot be reactivated when messages which were infected prior to scanning are re-opened. You should also download and install security patches for Microsoft Outlook Express.
4. Unfortunately, some viruses cannot be removed from infected objects. Some of these viruses may corrupt information on your computer when infecting, and it may not be possible to restore this information. If a virus cannot be removed from a file, the file should be deleted.

If your computer has suffered a severe virus attack

Some viruses and Trojans can cause severe damage to your computer:

1. If you cannot boot from your hard drive (error at startup), try to boot from the Windows rescue disk. If the system can not recognize your hard drive, the virus has damaged the disk partition table. In this case, try to recover the partition table using scandisk, a standard Windows program. If this does not help, contact a computer data recovery service. Your computer vendor should be able to provide contact details for such services.

If you have a disk management utility installed, some of your logical drives may be unavailable when you boot from the rescue disk. In this case, you should disinfect all accessible drives, reboot from the system hard drive and disinfect the remaining logical drives.

2. Recover corrupted files and applications using backup copies after you have scanned the drive containing this data.

Diagnosing the problem using standard Windows tools

Although this is not recommended unless you are an experience user, you may wish to:

• check the integrity of the file system on your hard drive (using CHKDSK program) and repair file system errors. If there are a large number of errors, you must backup the most important files to removable storage media before fixing the errors
• scan your computer after booting from the Windows rescue disk
• use other standard Windows tools, for example, the scandisk utility

For more details on using these utilities, refer to the Windows Help topics.

If nothing helps

If the symptoms described above persist even after you have scanned your computer, and checked all installed hardware and software and your hard drive using Windows utilities, you should send a message with a full description of the problem to your antivirus vendor's technical support department.

Some antivirus software developers will analyse infected files submitted by users.

After you have eradicated the infection

Once you have eradicated the infection, scan all disks and removable storage media that may be infected by the virus.

Make sure that you have appropriately configured antivirus software installed on your computer.

Practice safe computing.

All of these measures will help prevent your computer getting infected in the future.

Continue reading →

Backdoor.Win32.Delf.duc

Detection added	Mar 04 2008 10:23 GMT
Update released	Mar 04 2008 13:35 GMT
Description added	Oct 03 2008
Behavior	Backdoor
Platform	Win32

• Technical details
• Payload
• Removal instructions

Technical details

This malicious program is a Trojan. It is a Windows PE EXE file. It is 447488 bytes in size.

Payload

The backdoor downloads a list of links to files on the Internet from the following URL:

http://218.234.17.***/install_count.html?id=mypark&MAC=.

is the MAC address of the network adapter.

The backdoor then randomly selects a link from the list, downloads the file placed on the link, and saves it to one of the following folders:

C:\Windows\addins\
C:\Windows\AppPatch\
C:\Windows\Config\
C:\Program Files\Internet Explorer\SIGNUP\
C:\Program Files\Common Files\System\
C:\Program Files\Internet Explorer\Connection Wizard\
C:\Program Files\Internet Explorer\Custom\
C:\Program Files\Internet Explorer\MUI\
C:\Program Files\Internet Explorer\PLUGINS\
c:\windows\
c:\temp
c:\windows\system32\
c:\Program Files\
c:\Program Files\Common Files\
C:\Program Files\Common Files\Microsoft Shared\
C:\Program Files\Common Files\Microsoft Shared\Windows Live\
C:\Program Files\Common Files\Microsoft Shared\MSInfo\
C:\Program Files\Common Files\Services\

The file is saved as "mypark.exe" and is then launched for execution.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

1. Use Task Manager to terminate the malicious program’s process.
2. Delete the original backdoor file (the location will depend on how the program originally penetrated the victim machine).
3. Delete "mypark.exe" from the following folders:

   C:\Windows\addins\
   C:\Windows\AppPatch\
   C:\Windows\Config\
   C:\Program Files\Internet Explorer\SIGNUP\
   C:\Program Files\Common Files\System\
   C:\Program Files\Internet Explorer\Connection Wizard\
   C:\Program Files\Internet Explorer\Custom\
   C:\Program Files\Internet Explorer\MUI\
   C:\Program Files\Internet Explorer\PLUGINS\
   c:\windows\
   c:\temp
   c:\windows\system32\
   c:\Program Files\
   c:\Program Files\Common Files\
   C:\Program Files\Common Files\Microsoft Shared\
   C:\Program Files\Common Files\Microsoft Shared\Windows Live\
   C:\Program Files\Common Files\Microsoft Shared\MSInfo\
   C:\Program Files\Common Files\Services\

4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).

Continue reading →