• Slide 1 Title

    Go to Blogger edit html and replace these slide 1 description with your own words. ...

  • Slide 2 Title

    Go to Blogger edit html and replace these slide 2 description with your own words. ...

  • Slide 3 Title

    Go to Blogger edit html and replace these slide 3 description with your own words. ...

  • Slide 4 Title

    Go to Blogger edit html and replace these slide 4 description with your own words. ...

  • Slide 5 Title

    Go to Blogger edit html and replace these slide 5 description with your own words. ...

Free counters!

Sunday 22 August 2010

The 20 Coolest Jobs in Information Security

  • #1 Information Security Crime Investigator/Forensics Expert
  • #2 System, Network, and/or Web Penetration Tester
  • #3 Forensic Analyst
  • #4 Incident Responder
  • #5 Security Architect
  • #6 Malware Analyst
  • #7 Network Security Engineer
  • #8 Security Analyst
  • #9 Computer Crime Investigator
  • #10 CISO/ISO or Director of Security
  • #11 Application Penetration Tester
  • #12 Security Operations Center Analyst
  • #13 Prosecutor Specializing in Information Security Crime
  • #14 Technical Director and Deputy CISO
  • #15 Intrusion Analyst
  • #16 Vulnerability Researcher/ Exploit Developer
  • #17 Security Auditor
  • #18 Security-savvy Software Developer
  • #19 Security Maven in an Application Developer Organization
  • #20 Disaster Recovery/Business Continuity Analyst/Manager

SSH from ypur Mobile Phone

Here are a few nice little ready-to-use applications that implement SSH clients for some popular cell phones to connect to maintain your server or your home network from anywhere:

- TuSSH
This is written in C and it works with PalmOS and SonyOS
http://go2.wordpress.com/?id=725X1342&site=xorl.wordpress.com&url=http%3A%2F%2Fwww.tussh.com%2F

- MidpSSH
This application is written in Java (J2ME using MIDP 1.0/2.0) and it works with any Java enabled cell phone. It also includes a telnet client.
http://go2.wordpress.com/?id=725X1342&site=xorl.wordpress.com&url=http%3A%2F%2Fwww.xk72.com%2Fmidpssh%2F

- S2PuTTY
This is a port of the popular PuTTY client for SymbianOS.
http://go2.wordpress.com/?id=725X1342&site=xorl.wordpress.com&url=http%3A%2F%2Fs2putty.sourceforge.net%2Findex.html
Pretty useful applications Smiley

Thursday 19 August 2010

Port Scanning Techniques



Port numbers are 16-bit unsigned numbers and can be broadly classified into three categories. Port 0-1023 is "well known ports", 1024 - 49151 are "registered ports" and 49152 - 65535 is "dynamic or private ports".
One problem with port scanning is that it is effortlessly logged by the services listening at the scanned ports. This is because they detect an incoming connection, but do not receive any data, thereby generating an application error log.
To scan UDP ports, an empty UDP datagram is sent to the port. If the port is listening, the services will send back an error message or ignore the incoming datagram. If the port is closed, the operating system send back "ICMP Port Unreachable" (Type 3) message.

Port scanning can be broadly classified into:
  • Open scan
  • Half-open scan
  • Stealth scan
  • Sweeps
  • Misc
How does an attacker decide to use which scan? It depends on the information gathering during reconnaissance regarding the type of network topology, IDS and other logging feature present on the system.

Open Scan

Open scan / TCP connect scan also known as vanilla scan where a full connection is opened to the target system by a three-way TCP/IP handshake. Therefore, it is easiest to be detected and blocked on the network. However the information gathering using open scan is usually the most.
When the port is open, the client sends a SYN flag, the server replies a SYN+ACK flag, which is acknowledged back with an ACK flag by client. Once the handshaking is completed, the connection is terminated by the client. This confirm an open port.
When the port is closed or "not listening" the server response a RST+ACK flag, which is acknowledged back with an RST flag by client, and then the connection is closed.
The disadvantage of this scan technique is that the attacker cannot spoof his identity as spoofing would require sending a correct sequence number as well as setting the appropriate return flags to setup data connection. Moreover, most stately IDS and firewall detect and log this scan, exposing both the attempt and the attacker's IP. The advantage is fast accurate scan that require no additional privilege.

Half-Open Scan

In half-open scan, a complete TCP connection is not established. Instead as soon as the server acknowledge with a SYN+ACK response, the client tears down the connection by sending RST flag. This way, the attacker detect an open port and not establish full connection.


However, some sophisticated IDS and firewall can detect a SYN packet from the void and prevent such scan. Besides, this scan require attacker to make a customer IP packet which in turn requires access to SOCK_RAW (getprotbyname('raw') under most system) or /dev/bpf (Berkeley packet filter), /dev/nit (Sun network interface tap). This requires priviliege access.


Stealth Scan


Initially half open scans were considered stealth, however as IDS software evolved, these scan were easily logged. Now, stealth scan refers to the type of scan where packets are flagged with a particular set of flags other than SYN, or a combination of flags, no flag set, with all flag set, appearing as normal traffic, using fragmented packet or avoiding filtering devices by any other means. All these techniques resort to inverse mapping to determine open ports.
  • SYN|ACK Scan
    Client sends a SYN+ACK flag to the target. For a closed port, server will reply a RST response while an open port will not reply. This is because the TCP protocol requires a SYN flag to initiate the connection. This scan may generate certain amount of false positives. For instance, packets dropped by filtering devices, network traffic, timeouts etc can give a wrong inference of an open port while the port may or may not be open. However this is a fast scan that avoid three-way handshake.
  • FIN Scan
    Similar to SNY|ACK scan, instead a FIN flag is sent to the target. The closed ports are required to reply to the probe packet with RST, while open ports must ignore the packet in question. This scan attempt to exploit vulnerabilities in BSD code. Since most OS are based on BSD or derived from BSD, this was a scan that can return good result. However, most OS applied patches to correct the problem, still there remains a possibility that the attacker may come across one where these patches have not be applied.
  • ACK Scan
    The scan take advantage of the IP routing function to deduce the state of the port from the TTL value. This is based on the fact that IP function is a routing function. Therefore TTL value will be decremented by on by an interface when the IP packet passes through it.
  • NULL Scan
    In NULL scan, the packet is sent without any flag set. This takes advantage of RFC 793 as the RFC does not specify how the system should respond. Most UNIX and UNIX related system respond with a RST (if the port is open) to close the connection. However, Microsoft's implementation does not abide with this standard and reacts differently to such scan. An attacker can use this to differentiate between a Windows machine and others by collaborating with other scan results. For example, if -sF, -sX or -sN scan shows all ports are closed, but a SYN (-sS) scan shows ports are opened, the attacker can infer that he is scanning a windows machine. This is not an exclusive property though, as this behavior is also shown by Cisco, BSDI, HP/UX, MVS and IRIX. Also note that the reserved bits (RES1, RES2) do not affect the result of any scan. Therefore this scan will work only with UNIX and related systems.
  • Xmas Scan
    In Xmas scan, all flags are set. All the available flags in the TCP header are set (ACK, FIN, RST, SYN, URG, PSH) to give the scan an ornamental look. This scan will work on UNIX and related systems and cause the kernel to drop the packet if the receiving port is open.
  • TCP Fragmenting
    This approach is evolved from the need to avoid false positive arising from other scans due to packet filtering device. For any transmission, a minimally allowable fragmented TCP header must contain a destination and source port for the first packet (8 octet, 64 bit), the initialized flags in the next, which allows the remote host to reassemble the packet upon receipt through an internet protocol module that identifies the fragmented packets by the field equivalent values of source, destination, protocol and identification.
    The scan works by splitting the TCP header into small fragments and transmitting it over the network. However, there is a possibility that IP reassembly on the server-side may result in unpredictable and abnormal results - such as fragmentation of the data in the IP header. Some hosts may be incapable of parsing and reassembling the fragmented packets and thus may cause crashes, reboots or even network device monitoring dumps.
    Some firewalls may have rulesets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel) - though this is not widely implemented due to the adverse affect on performance. Since several intrusion detection systems use signature-based mechanisms to signify scanning attempts based on IP and/or the TCP header, fragmentation is often able to evade this type of packet filtering and detection. There is a high possibility of causing network problems on the target network.
Miscellaneous
  • FTP bounce
    This scan takes advantage of the FTP servers with read/write access. The advantage of this scan can be both anonymity and accessibility. Suppose the target network allows FTP data transfer from only its recognized partners. An attacker might discover a service business partner who has a FTP service running with a world-writable directory that any anonymous user can drop files into and read them back from. It could even be the ISP hosting services on its FTP server. The attacker, who has a FTP server and able to run in passive mode, logs in anonymously to the legitimate server and issues instructions for scanning or accessing the target server through a series of FTP commands. He may choose to make this into a batch file and execute it from the legitimate server to avoid detection.
    If a connection is established as a means of active data transfer processing (DTP), the client knows a port is open, with a 150 and 226 response issued by the server. If the transfer fails a 425 error will be generated with a refused build data message. The PASV listener connection can be opened on any machine that grants a file write access to the attacker and used to bounce the scan attack for anonymity. It does not even have to be an FTP server, any utility that will listen on a known TCP port and read raw data from it into a file will do.
    Often these scan are executed as batch files padded with junk so that the TCP windows are full and the connection stay alive long enough for the attacker to execute this commands. Fingerprinting the OS scan help determine the TCP window size and allow the attacker to pad this commands for further access accordingly.
    This scan is hard to trace, permits access to local network and evades firewalls. However, most FTP servers have patched this vulnerability by adopting countermeasures such as preventing third party connection and disallowing listing of restricted ports. Another measure adopted has been restrict write access.
  • UDP scan
    The disadvantage to the attacker is that UDP is a connectionless protocol and unlike TCP does not retransmit packet if they are lost or dropped on the network. Moreover, it is easily detected and unreliable (false positive). Linux kernel limit ICMP error message rates with destination unreachable set to 80 per 4 seconds, thereafter implmenting a 1/4 second penalty if the count is exceeded. This makes the scan slow and moreover the scan requires root access. However it avoids TCP based IDS and can scan non-TCP ports.
Ethical Hacker and Scanning Tools
The most important is knowledge itself. The result of a scanner can be misleading if the ethical hacker does not have good knowledge of common vulnerabilities. Relying solely on the scanning tool to all threats is not practical as the author of the vulnerability check may have written it incorrectly. It is also likely that it was created in a controlled environment and might not work as well in the open.
Besides, performing exhaustive scan against the system in a large enterprise is usually not feasible due to network constraints, stability of the backbone and scanned systems. Another view point is that scanner does not have an internal view of the host audited and can miss critical misconfiguration that result in an insecure setup, but appear "secure" from the outside with automation
 

CISCO PACKET TRACER

Packet Tracer Tutorial | Cisco Video Training

Packet Tracer Tutorial | Cisco Video Training | 916 MB

English | H264 1108 Kbps | 1902x1080 25fps | MP3 125Kbps | 916 MB
Genre: Video Training

Description:
  • Cisco Systems Packet Tracer
  • Packet Tracer OSPF
  • Packet Tracer Subinterfaces
  • Packet Tracer Video
  • Packet Tracer VLANS
  • Switch VLAN
  • WAN connection ADSL
  • EIGRP,FRAME RELAY, HTTP AND DNS Packet Tracer
  • configuration frame relay
  • How to configure OSPF in Packet Tracer.
  • OSPF Authentication Lab using Packet Tracer 5
  • Packet Tracer - DHCP Server with IP Helper
  • Testing Security Policies with Packet Tracer
  • using packet tracer Connecting to a web server using IP.avi
  • Multiuser Connection Packet Tracer 5.1
  • and other
Download Links- Hotfile

http://hotfile.com/dl/62461043/fe9c098/Packet_Tracer_eBTT.part1.rar.html
http://hotfile.com/dl/62461100/533b9a1/Packet_Tracer_eBTT.part2.rar.html
http://hotfile.com/dl/62461282/e4342fb/Packet_Tracer_eBTT.part3.rar.html
http://hotfile.com/dl/62461354/4660753/Packet_Tracer_eBTT.part4.rar.html
http://hotfile.com/dl/62461525/7ac7574/Packet_Tracer_eBTT.part5.rar.html

Friday 6 August 2010

Famous Google Hack Jobs

Famous Google Hack Jobs


The top 6 security breaches and near-disasters that have been keeping Google on its toes.

Millions of people trust Google with their personal data every day. While we'd all like to assume that our information is safe, the fact of the matter is that even Google is not hack-proof. All technology is prone to mechanical and human errors that can leave security holes open for exploit, and Google is no exception.

Regards:Hackfreak

Fortunately, nothing catastrophic has happened yet, but that's not to say that Google hasn't experienced any bumps along the way. Here are 6 of the most famous Google crack jobs, both real and imagined.
  1. Official Google Blog Hacked

    In October 2006, a mysterious post about Google's Click-to-Call project appeared on the official Google blog. This post reported that Google made a decision to cancel a joint project with eBay because it would be "a monopolistic approach that would damage small companies in the CRM area."
    Shortly after being published, the fake post was taken down. Karen Wickre, of the Google Blog team, wrote a response to address the issue in "About that fake post". Wickre notes that a Blogger "bug," also known as a security problem, was to blame for enabling the unauthorized post. She reported that the bug was fixed, but did not offer any other details about the breach.
    Ironically, the fake click-to-call post comes after a real one discussing Google security. In the post, titled "Our security stance," Google Security Team representative Heather Adkins describes Google's commitment to security, noting that they "keep the bad guys out of our systems." Adkins surreptitiously tips her hat to hackers, noting that Google security depends on the community, from users to "external security enthusiasts who keep us on our toes." Search engine experts believe the attack was made to "thumb Google's nose" and show that they are not as secure as they'd like to believe.
  2. AdWords Accounts Hacked

    A user-side breach of security occurred on AdWords accounts in April 2007. Somehow, a malicious file was installed on users' systems. This file was used to steal the users' AdWords passwords and gain access to their accounts. The program then set up ads that changed the users' AdWords campaigns. Most notably, the changes included setting up links that would install a post logger, a type of malware, on the computer of anyone who clicked the link. The malicious program also modified credit card information and prevented the users' computers from accessing AdWords to see all of the changes on their accounts.
    Roger Thompson of Exploit Prevention Labs points out that the hackers took advantage of the lack of a URL preview on Google's sponsored results. Meaning, if users hover over a sponsored result link, a preview of the address is not shown in the user's browser. See Thompson's screen shot for an visual explanation. A lack of this feature means that users have no idea where the links will actually take them, leaving them vulnerable to visiting Web sites with malicious code.
    Google responded to the attack by reporting that they had canceled the accounts that were compromised and assured users that they were taking the steps necessary to keep something like this from happening again. Google also encouraged users to keep their computer's security up to date as the vulnerability was only successful because victims had not incorporated recent patches into their Internet Explorer browsers.
  3. Oops! Google Deletes Itself, Twice

    In March 2006, a Digg user claimed that his friend hacked the official Google blog. The "hacker" left a post on a blog at Google's address. The post explains how he was able to gain access: the Google blog would not come up, so the poster attempted to register the name and it worked. Of course, on Digg, he claims to have figured out the password. These two stories do not correlate, but to determine how they match up would be irrelevant, considering that the post did not constitute a real hack. Jason Goldman, Google's Blogger Product Manager, posted "And we're back," explaining that Google had accidentally deleted their own blog. D'oh! This left it open to be claimed by the poster. He clarifies that the unauthorized post "was not a hack, and nobody guessed [Google's] password."
    Unfortunately, Google did not learn anything from this experience. In April 2007, a post on the Google Mac blog suggests that it, too, was taken over in the same way. Poster "Vishal" writes, "Yo! This is crazy…I tried to register this and I could!" The post was deleted and things are again back to normal for the Google Mac blog. So far, Google has not acknowledged or offered an explanation for this post, but it seems safe to assume that the Google Mac blog was accidentally deleted, and thus left open to registration by the general public. Again.
  4. In the Cookie Jar

    Imagine this: a hacker sets up a Web site with script designed to steal your google.com cookies. Then, they submit this Web site to Digg or Slashdot under the premise that it's a hot story. Any person who visits that site with active google.com cookies could end up with compromised cookie information, allowing the hacker access to their Gmail, search history, documents and more. It's a frightening story, and one that could have happened had a white hat hacker not discovered the security hole first.
    Tony Ruscoe of Google Blogoscoped discovered a vulnerability in Blogger's custom domain service. This vulnerability, he noticed, left users open to cookie security problems. He realized that if someone were to enter a Google subdomain as their Blogger custom domain, it would work as long as Google hadn't already set up a blog at that particular address. Here's the kicker: using the Google subdomain would allow the owner of the Web site to read and write google.com cookies. Yes, the cookies that hold personal information, including passwords.
    Tony set up a "proof of concept" page on a Google subdomain with cookie-stealing JavaScript to test this theory. He then had a friend, Philipp, visit his page. Sure enough, he was able to gain access to a ton of Philipp's sensitive information, viewing Google Docs & Spreadsheets, subjects and snippets from Gmail, Google search history, Google Accounts, Google Reader, Google Notebook and more. Tony informed Google of the vulnerability.
    Google Security quickly wiped out Tony's proof of concept page and redirected erroneous subdomains to a "blog not found" page. As a result, presumably, Blogger no longer allows any Google domains to be entered in Blogger's custom domain function. Hopefully Google has thanked this white hat hacker for exposing this vulnerability before it got into the wrong hands and enabled a serious breach of user privacy. The results of this hole could have been catastrophic.
  5. Gmail Contact List Hijacking

    In January 2007, right around New Year's Day, Googlified discovered a fault in Gmail that allowed a user's contact list to be stolen via JavaScript. Essentially, users who were logged into Gmail could unwittingly expose their contact list if they visited a particular Web site. This site, theoretically, would contain JavaScript written to exploit the vulnerability. The only way to be protected from this hole was to completely log out of Google services before going anywhere else on the Internet, especially suspicious links sent via email.
    Because this vulnerability was exposed with Gmail in beta, Google did not have to report it. However, numerous blogs picked up the story, as well as Digg and Slashdot. Google fixed the problem about 30 hours after being notified. Perhaps security issues like this are the reason why Gmail is still in beta.
  6. Lots of Hype, No Hack

    In May 2005, users who visited Google Search came upon an unexpected surprise: it wasn't there. To top this disheartening experience off, there were quite a few reports of a website, SoGoSearch, showing up instead. Not surprisingly, the blogosphere reacted, initially reporting that Google's domain was hijacked. As the story unfolded, it became apparent that Google was not hacked. Rather, they were experiencing problems with their DNS. As for the SoGoSearch Web site, experts explain that browsers redirected to it when they were unable to find google.com. SoGoSearch has the domain name google.com.net.
    Another faux-hack involves Google SEO guru Matt Cutts. Google likes to have its April Fool's Day fun, and Matt Cutts is no exception. For April Fool's Day, Matt hacked his own blog. Quite a few blogs picked up the story (or played along), reporting that Matt's personal blog was hacked, displaying screen shots of a page blacked out, full of hacker shout-outs and a Dark SEO image that proclaimed, "nous sommes le proprietaire de toi" (We're the owners of you). Matt later responded to the backlash, detailing the fake hack and how he came up with the idea to do it. It turns out that his wife cooked up the page by studying screen shots of hacked sites. He even laid the groundwork for the prank by writing a post in which he said his site was having problems and that he'd be away from the computer for a while. And then he fooled quite a few people into believing his site was really hacked.

The Essential Guide to Vulnerability Scanning

The Essential Guide to Vulnerability Scanning

While it's important to link business networks to the Internet for the free exchange of information, a Net connection also opens the door to potential security breaches by malicious attackers. Fortunately, there's a way to protect your network's susceptible areas. Vulnerability scanning utilizes technology that seeks out security flaws and tests systems for weak points. Most scanning systems generate a report of their findings so that a business can use the information to tighten its network's security. Though it usually refers to the practice of scanning Internet-linked networks, vulnerability scanning can also be applied to system audits conducted on internal networks that assess the threats posed by rogue software or malicious employees.

          Regards: Hackfreak


Many enterprises only perform vulnerability scanning as part of an overall security audit – perhaps as infrequently as once a year. This is a big mistake; not only do networks and network connections get updated far more frequently, but new vulnerabilities are discovered weekly. For a larger organization, it's important to make vulnerability scanning a part of a regular security analysis with much more frequent scanning. 

 

Soft Spots

Attackers looking to gain easy access to business networks use a variety of different techniques. Yet one characteristic all attackers have in common is their desire to search for a network's weak points – its soft spots – which they can then use to launch invasions with minimal effort.
Just as the average burglar looks for an unlocked home door, or a car thief scans vehicles for one with a key left in the ignition, an attacker may examine multiple networks to find the one that provides fast and simple access. This proclivity poses a unique challenge for network administrators who, in order to combat inquisitive attackers, must begin to think like an attacker.

Every new update to system and server software brings the potential for new vulnerabilities along with whatever improvements are delivered. And while these vulnerabilities are often found by teams seeking to strengthen and eliminate these vulnerabilities, hackers and malicious attackers receive these reports and generate invasions as fast as they are made, so new vulnerabilities crop up continually.

Scanner Types

The are three major types of vulnerability scanners that businesses can use to find network soft spots:
  • Network Scanner: General-purpose scanner that scours networks for potential vulnerabilities.
  • Port Scanner: Software that is designed to search a network for open ports that attackers could use as illicit entry points.
  • Web Application Security Scanner: Enables businesses to conduct ongoing risk assessments to identify the vulnerability of Web applications to hostile attacks.

Scanner Tools

Businesses and network administrators can select from a variety of vulnerability-scanner offerings. These are some of the more popular tools:
  • Acunetix Web Vulnerability Scanner: This software suite includes a Web security scanner, crawler, report analysis tool and a database of security checks for all leading Web server platforms.
  • Cenzic Hailstorm: Cenzic's application scanner can analyze Web-application security status across departments, business units and geographies.
  • GFI LANguard Network Security Scanner: This vulnerability-management solution includes network-vulnerability scanning, patch management and auditing support.
  • Teneble Nessus 3: Compatible with various types of Unix, this product performs over 900 remote security checks and suggests solutions for security problems.
  • Nmap: Nmap is a simple port scanner delivered in the form of a free, open-source utility for network exploration or security auditing.
  • QualysGuard: Qualys Inc. claims to be the first software vendor to offer a hosted, on-demand solution for security-risk and compliance management.
  • Retina Network Security Scanner: Vendor eEye Digital Security Inc. contends that its vulnerability scanner detects both known and zero-day vulnerabilities. The product also provides a security-risk assessment that helps business embrace security best practices, adopt policy enforcement and handle regulatory audits.
  • SAINT Network Vulnerability Scanner: This network-vulnerability scanner is integrated with a penetration testing tool to enable users to exploit found vulnerabilities. 

103 Best Security Utilities in d World

Firewalls

1. Comodo Personal Firewall: Comodo categorizes over 10,000 applications as safe, spyware, adware, and more to simplify your firewall management. All you have to do is download it for free.
2. Look 'n’ Stop Firewall: Look 'n' Stop's firewall is now compatible with Windows Vista. The first 30 days are free; after that the cost is $29.

3. SoftPerfect Personal Firewall: SoftPerfect's firewall supports multiple network configurations and has a flexible filtering system — all for free.

4. Bit Defender 10: Labeled by PC World as a “best buy” in 2006, Bit Defender's firewall is now available for free.

5. Securepoint Security: German-style security for free — what more could you want?

6. FWTK.org: Build your own firewall with free programs from this Web site.

7. WiseChoice.Net: This anti-porn filter cannot be turned off, and is designed to restrict porno addicts and the like. After a two-week free trial, the filter costs $5 per month.

8. iSentryII: Get a free download of software with a complete blocking list available for a fee.

9. RegCure: Does your computer keep crashing? Get a free scan from RegCure to identify and fix the problem.

10. ZoneAlarm: ZoneAlarm provides basic firewall services for free, including scanning inbound and outbound traffic.

11. CA Personal Firewall 2009: This firewall, available with a free trial, demonstrates CA’s business-strength protection services.

12. Webroot Desktop Firewall: Formerly $20, this personal firewall from Webroot is now available for free.

Anti-Spyware

13. STOPzilla: This software “blocked all the spyware in [CNet Network Inc.’s] testing” with a free scan.

14. Spyware Blaster 4.0: This free anti-spyware program doesn’t need to be running to protect your machine.

15. Ad-Aware 2007 Free: With more than 250 million downloads, Ad-Aware is one of the most used free anti-spyware programs in the world.

16. Perfect Process V 1.1: Offered by VelociWare, Perfect Process is “the easiest way” to protect against spyware for free.

17. Arovax Shield: This free anti-malware service provides real-time protection by running quietly in the background.

18. Windows Defender: Something free from Microsoft Corp.? Shocking, but true.

19. Who’s Watching Me?: Think you’re computer's being watched? Trapware Corp.'s Who’s Watching Me? program finds who's spying on you for free.

20. SpyBlocker: Blocking bad programs since 1999, SpyBlocker offers its protection against 30,000 threats at no cost for the first 15 days.

21. PrivacyKeyboard: This free program protects not just against spyware, but against hardware keylogging tools used to snoop on your keyboard input directly.

22. XSpy Shield Gold: XSpy protects your machine against keylogging snoopers and other data-mining bad guys. Try it out for free.

23. a-squared Free: Emsi Software's free anti-malware package has been downloaded by nearly 4.3 million users.

Backup

24. Norton Save & Restore 2.0: During the 30-day free trial, Norton Save & Restore 2.0 schedules automatic backups on your computer.

25. Norton Ghost 14.0: Norton's new application includes an exclusive integration with Google Desktop and a 30-day free trial.

26. Autobackup: This program from Acute Software automatically backs up changed files and directories, and it’s free. The pro version starts at $24.95.

27. SyncBackSE: SyncBackSE comes with easy and expert modes, helpful wizards and a 30-day free trial.

28. EZBack-it-up: Without asking you a lot of questions, EZBack-it-up saves your files.

29. Cobian Backup v6.1.1.264: This freeware backup comes with integrated .zip compression.

30. Back-IT-Up 5.0: Free to try, $40 to buy – this program backs up information on networks with up to 20 computers.

31. Back4Win: Back4Win is a free, reliable backup option.

32. ICE Mirror: This freeware only backs up the files that have changed, so it works quickly in the background.

33. Freebyte Backup 3.0: This freeware backup comes with filtering ability if you don’t want to backup your .exe or .txt files.

Encryption

34. Anonymous Surfing: Anonymizer Inc.'s program protects against phishing and pharming by allowing you to surf anonymously. It also hides your IP address from sneaky snoopers. The program is available with a free trial.
35. PGP Desktop Trial: You'll get Pretty Good Privacy with this free 30-day trial.
36. File Waster: Formerly called “File Buddy,” this freeware allows you to encrypt or securely delete sensitive files.
37. CryptMage 5: This strong freeware encryption doesn’t require a cryptologist to use it.
38. Iron Key: The recipients of your encrypted email don’t need to download Iron Key to unlock the file; they just need a password.
39. HandyBits EasyCrypto Deluxe: This easy-to-use freeware encryption is integrated with Windows Explorer.
40. Kryptel Lite: This free version of Kryptel supports integration with Iron Key.
41. TrueCrypt: TrueCrypt offers free, open-sourced, on-the-fly encryption.
42. FreeOTFE: This freeware provides on-the-fly encryption for PCs and PDAs.
43. CompuSec 5.1: Encrypt your whole hard disk for free with CompuSec 5.1.

Anti-Virus

44. AVG Anti-Virus Free Edition: This is one of the few totally free anti-virus offerings online, with more than 80 million users.

45. Avira AntiVir Personal: This software offers basic protection for free, and premium features start at 20 euros.

46. avast! antivirus Home Edition: With over 50 million users, avast! is free for home use.

47. Norton Internet Security 2008 Trialware: Detect and eliminate viruses and spyware for free for 15 days using this program.

48. CA Anti-Virus Plus: Protect your PC from Trojan horses, worms and other nasty critters with CA's free trial.

49. Windows Live OneCare: OneCare is always on, with a red-yellow-green indicator to communicate your PC’s real-time safety level, and comes with a free 90-day trial.

50. McAfee VirusScan: Protect your computer and speed its performance for free with McAfee Inc.'s 14-day trial.

51. PC Tools Antivirus Free Edition 4.0: PC Tools offers powerful protection that’s totally free.

52. PC Security Test: This freeware simulates malicious attacks on your computer, reports the results and fixes your security holes.

53. Trend Micro HouseCall: This freeware offers protection for personal and home-office plans, but Trend Micro suggests that you contribute to a non-profit organization called Schools Online after using their services.

54. Scan Complete: This is the best protection freeware can buy.

55. Norton 360: Norton 360 offers a free 15-day trialware with complete protection.

Spam Killers

56. CA Anti-Spam Plus CA Website Inspector: This professional strength spam blocker also protects against phishing attacks launched from fraudulent Web pages. Try it for free.
57. SPAMfighter: SPAMfighter is a free spam filter for Microsoft Outlook and Outlook Express.

58. Cloudmark Desktop: Awarded “best buy” by Computer Shopper and "editor's choice" by PC Magazine, this spam killer is free for 15 days.

59. POPFile: POPFile scans your incoming emails and presorts good from bad. Financial donations are accepted, but otherwise it's free.

60. eXpurgate: Powered by the European software maker Eleven, eXpurgate is free to personal users.

61. Spamihilator: Spamihilator eliminates 98 percent of spam before it makes it to your inbox, for free.

62. Spamato: With a success rate that hovers just shy of 100 percent, Spamato is one of the best free applications available online.

63. SpamBayes: This is a powerful and free anti-spam program for Outlook that uses Bayesian statistics to separate spam from ham.
64. SpamPal: SpamPal helps sort the junk from Outlook, Outlook Express and Eudora email systems, for free.

65. SpamExperts Desktop: Get free spam protection on all POP3 (post office protocol) and IMAP (internet message access protocol) mail systems; premium features are also available for a fee.

66. Cactus Spam Filter: This free spam filter for POP email accounts bills itself as a “brutal, merciless spam killer.”

67. SpamRIP: SpamRIP filters email by country of origin for an even cleaner inbox than the competition can provide.

68. BullGuard Spamfilter: BullGuard Spamfilter protects against spam with full integration with Mozilla Thunderbird.

69. G-Lock SpamCombat: This spam killer protects POP and IMAP accounts with country-of-origin filters, for free.

70. MailWasher: With over 8 million users, MailWasher scrubs your POP account to keep your inbox clean for free.

71. SpamWeasel Free: Offering flexible configurations and archive viewing, SpamWeasel is a good, free spam blocker.

Parental Control

72. Net Nanny: Protect your kids and monitor their Internet use with a 14-day free trial.

73. FreeShield: FreeShield is a free, easy-to-use porno blocker.

74. ParentalControl Bar: A free service from a non-profit to protect your kids from dangerous pornography.

75. Crawler Parental Control: Control your children’s Web browsing, software use and folder access for free with this program.

76. K9 Web Protection: Over half a million homes have been protected for free by K9.

77. Golden Eye: Don’t just keep your kids off the porn, spy on them too with Golden Eye – for free.

78. Free Parental Control: Detects and removes adult images, cookies and caches for free.

79. KGB Spy: This free keylogger gets your kids’ passwords so you can seriously snoop on them.

80. ChatShield: Keep creeps from IMing your kids, for free.

81. ContentPurity: ContentPurity keeps your directories virginal, for free.

Data Recovery

82. Recuva: This freeware utility recovers lost data now out of beta testing.
83. PC Inspector File Recovery 4.x: This program recovers files even when a header entry is no longer available, for free.
84. TestDisk: TestDisk is freeware that fixes partitions on drives, and makes unbootable disks bootable again.
85. PhotoRec: Recover lost pictures and video files with this freeware application.
86. IsoBuster: IsoBuster offers data recovery for CDs, DVDs and Blu-ray disks, and comes with a free trial.
87. eDATA Unerase Personal Addition: This freeware version of Unerase allows full use of the product on one computer.
88. SoftPerfect File Recovery: This is a free and useful tool for recovering lost or accidentally deleted files from hard disks, CDs, flash drives and more.
89. Undelete Plus: Undelete's latest version, released by TouchStone Software Corp. in October 2007, is free for personal use.
90. FreeUndelete 2.0: Priced at $69 for business customers, Free Undelete 2.0 is free for home or home-office use.
91. RoadKil's Undelete: This freeware recovery program is exclusively for Windows machines.

Identity Theft

92. Norton Confidential: This anti-phishing and anti-pharming software package keeps you safe from identity theft, and is free for 14 days.
93. LifeLock: Free for 30 days, LifeLock monitors your credit reports with all three credit bureaus and offers a $1 million guarantee.
94. Comodo VerificationEngine: Use this freeware to feel confident that you are giving your information to whom intend, instead of a phishing hacker with a phony Web site.
95. McAfee Site Advisor: McAfee Site Advisor scans the Web looking for scams, and even fills in email addresses to see if they result in spam, all for free.
96. SpoofStick: SpoofStick helps identify a spoofed, or fake, site more quickly. This freeware is now available for Firefox.
97. FirePhish Anti-Phising Extension: Mozilla’s free add-on to its Firefox browser helps identify spoofed sites trying to get your important information.
98. TrustWatch: This program helps prevent phishing attacks by providing extra information about sites and the ability to report suspicious activity; it's available with a free download.

Security Suites

99. ZoneAlarm Security Suite: The only Zone Alarm product with parental controls, this program is available for a free trial.
100. Norton 360 2.0: The old comprehensive standby, Norton 360 2.0 is free for a 14-day trial.
101. MacroVirus: This multi-featured product protects against viruses, pop-ups, adware and other baddies; it offers a free scan and free download.
102. CyberDefender: CyberDefender is an anti-virus, anti-phishing and anti-spam suite, and provides a free scan.
103. StopSign: This all-in-one total package is priced for a recurring membership, and comes with a free scan.

DNS Poisoning Summary




########################################################################
##
##  DNS CACHE POISONING DETAILED ANALYSIS REPORT Version 2
##
##  (by Kyle Haugsness and the ISC Incident Handlers)
##
########################################################################


########################################################################
## Summary
########################################################################

Around 22:30 GMT on March 3, 2005 the SANS Internet Storm Center began
receiving reports from multiple sites about DNS cache poisoning attacks
that were redirecting users to websites hosting malware.  As the
"Handler on Duty" for March 4, I began investigating the incident over
the course of the following hours and days.  This report is intended to
provide useful details about this incident to the community.

The initial reports showed solid evidence of DNS cache poisoning, but
there also seemed to be a spyware/adware/malware component at work.
After complete analysis, the attack involved several different
technologies: dynamic DNS, DNS cache poisoning, a bug in Symantec
firewall/gateway products, default settings on Windows NT4/2000,
spwyare/adware, and a compromise of at least 5 UNIX webservers.  We
received information the attack may have started as early as Feb. 22,
2005 but probably only affected a small number of people.

On March 24, we received reports of a different DNS cache poisoning
attack.  This attack did not appear to affect as many people.  This will
be referred to as the "second attack" in the remainder of this report.

After monitoring the situation for several weeks now, it has become
apparent that the attacker(s) are changing their methods and toolset to
point at different compromised servers in an effort to keep the attacks
alive.  This attack morphed into a similar attack with different IP
addresses that users were re-directed toward.  This will be referred to
as the third attack and is still ongoing as of April 1, 2005.

Before proceeding, a note of thanks is in order for all the people that
have submitted reports to us, helped us investigate further, and
provided us logs or data.  The Internet Storm Center is a volunteer
effort and the better information that we receive from the community,
the better analysis we can perform and contribute back to the community.

Contents:

1.  How can others help?
2.  How do I recover from a DNS cache poisoning attack?
3.  What software is vulnerable?
4.  I am a dial-up/DSL/cable modem user -- am I vulnerable?
5.  Where can I test my site to see if I am vulnerable?
6.  What exactly is DNS cache poisoning?
7.  What was the motivation for this type of attack?
8.  Weren't DNS cache poisoning attacks squashed around 8 years ago?
9.  What was the trigger for the attack?
10. How exactly did this DNS cache poisoning attack work?
11. What domain names were being hijacked?
12. What were the victim sites?
13. What malware was placed on my machine if I visited the evil servers?
14. Got packets?
15. Got snort?


########################################################################
## How can others help?
########################################################################

We are still seeking assistance from the community.  You can help out by
providing the following data:

1.  We still would like reports of active cache poisoning.  When
    reporting, please include the DNS server software in use and whether
    you have forwarders in place.  A good description would be "Windows
    2000 server (with registry key to secure cache against polution)
    forwarding to a BIND 8.4.6 server in a DMZ that is not forwarding to
    any other upstream server".  Try to include packet captures of all
    UDP port 53 traffic after you have been poisoned.  Also, try to send
    us a copy of your current DNS cache (see next two paragraphs).

    There doesn't seem to be a method to export the running DNS cache on
    any of the Windows platforms.  The only possibile option would be to
    put the DNS server in debug mode and then dig through the log files,
    which is not really a viable option.  Some people have sent us
    screenshots of the DNS Manager/Console, which is probably the best
    option (unless somebody sends us a better method).

    On BIND you can export the current DNS cache that by running the
    "ndc" command (for BIND 8) or "rndc" (for BIND 9) on the server
    itself as root and then executing "dumpdb".  This command will save
    the current memory cache to the directory specified in your
    named.conf file under the "directory" option; it is typically
    "/var/cache/bind".

2.  Run the snort signatures at the end of this document and send us 
    some of the alerts with the full packet trace.

3.  If your sniffer is big enough, you can start logging all UDP port 53
    traffic into/out of your site.  Later, as we identify more malicious
    DNS servers, we may be asking for all DNS traffic to/from a specific
    IP address.  So it would be helpful to have historical data to
    determine when a specific attack started and what poisoning method
    they used.  If you do set this up, remember to rotate your captures
    so they don't consume all the disk space on your sniffer box.


########################################################################
## How do I recover from a DNS cache poisoning attack?
########################################################################

1.  You need to be absolutely positive that you have not been infected
    with spyware.  Many spyware/adware programs today will modify the
    DNS settings or local hosts file on Windows machines.  So you should
    first run your favorite spyware/adware detection tool.

2.  Try to find out the IP address(es) of the malicious DNS server(s)
    and check our website to determine if this IP address has been
    reported.  If the IP has not been reported, drop us a quick note at
    the following URL: http://isc.sans.org/contact.php

3.  You may want to block the IP address(es) of the malicious DNS
    server(s) at your border routers/firewalls so that your so that your
    cache does not become poisoned again.

4.  Cleaning up from a site-wide DNS cache poisoning may require
    flushing the cache on all of your DNS servers in your organization
    probably starting with the most externally facing DNS boxes first.

5.  On Windows DNS servers, you can stop/start the DNS service to clear
    the cache.  You can also use the dnscmd.exe command from the
    Resource Kit:

        dnscmd.exe /ClearCache

6.  On Windows 2000, XP, and 2003 clients, you can flush the client
    cache by running "ipconfig /flushdns".  (Please note that this will
    do nothing to clean-up a poisoned DNS caching server upstream.)

7.  On BIND 9, you can clear the cache by running "rndc" command and
    executing the "flush" command.  On BIND 8 or below, it appears that
    you have to restart the server.


########################################################################
## What software is vulnerable?
########################################################################

We have confirmation that the following software products are
vulnerable:

1.  Windows NT4 and 2000 DNS servers.

    The default configuration of the DNS server on Windows NT 4 and 2000
    IS INSECURE against DNS cache poisoning attacks.  By default, the
    DNS server does NOT protect you against DNS cache poisoning. If you
    run a resolving nameserver on Windows NT 4 or Windows 2000 (2003 is
    configured securely by default), you are HIGHLY ADVISED to follow
    the instructions here to protect yourself from these attacks:

        http://support.microsoft.com/default.aspx?scid=kb;en-us;241352

2.  Symantec gateway products.

    There was a confirmed bug that allowed DNS cache poisoning in
    various Symantec products.  A patch was released on March 15, 2005
    for the following products:

        Symantec Gateway Security 5400 Series, v2.x
        Symantec Gateway Security 5300 Series, v1.0
        Symantec Enterprise Firewall, v7.0.x (Windows and Solaris)
        Symantec Enterprise Firewall v8.0 (Windows and Solaris)
        Symantec VelociRaptor, Model 1100/1200/1300 v1.5 

    The vulnerability information can be found at the following two
    URLs:

        http://securityresponse.symantec.com/avcenter/security/
          Content/2005.03.15.html
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0817

    This bug was in addition to a previous bug on the same product set that
    was fixed on June 21, 2004:

        http://securityresponse.symantec.com/avcenter/security/
          Content/2004.06.21.html

We have received reports that Windows 2003 and NT4/2000 (with the proper
registry key settings) are still vulnerable.  We are currently working
with Microsoft to determine whether there is a bug or architectural
problem in their DNS software.

Possible theory #1: Windows DNS servers that forward to BIND nameservers
do not ignore the additional authority records in the DNS replies.  In
this scenario, we think that the "secure cache against poisoning"
registry keys are just being ignored.

Possible theory #2: The malicious DNS server is currently responding
with .COM entries that have a TTL of 99,999 seconds which is 1 day, 3
hours, 46 minutes, 39 seconds.  Perhaps there is a bug where the DNS
server looks at the TTL value it received and realizes that it is
greater than the TTL value for .COM in its cache, so it overrides the
value in cache with the new value?

Additionally, we have received reliable reports from sites that were
poisoned by this attack altough they were running BIND entirely.  By
default, the various UNIX-based DNS servers are not vulnerable to this
attack.  However, it may be possible to make them insecure through poor
configuration choices.  If you have any doubt, test it yourself
following the instructions below.


########################################################################
##  I am a dial-up/DSL/cable modem user -- am I vulnerable?
########################################################################

Most likely, no.  The major ISPs typically run UNIX-based DNS resolvers
which are not currently vulnerable.  However, there are some ISPs
running Windows NT4 or 2000 resolvers and may not have secured their DNS
resolvers.  You can test it yourself in the next section.


########################################################################
##  Where can I test my site to see if I am vulnerable?
########################################################################

In order to build a "test myself" site, we developed a tool that can
attempt to poison the .COM cache (or any other domain).  Unfortunately,
there is no subtle way to deploy this in a testing mode.  The danger is
that an end-user at a company or ISP runs the test and if the test is
successful, the cache poisoning will affect all users at that
organization or ISP.  We will try to get this worked out and develop a
test methodology that is less intrusive.

And don't ask us for the proof-of-concept tool.  We are not distributing
it to anyone at this time.


########################################################################
## What exactly is DNS cache poisoning?
########################################################################

Basically, it is method for an attacker to change the IP address that a
hostname resolves to.  For instance the hostname www.cisco.com points to
the IP address 198.133.219.25.  A DNS cache poisoning attack allows an
attacker to change the IP address for a host/domain and point it to a
different IP address.

If the above paragraph didn't make any sense, then take a step back and
understand that DNS (Domain Name System) is the method by which you can
resolve a human name like www.google.com into an IP address.  An IP
address is a computer's unique location on the Internet.  For a very
good explanation of how the global DNS system works, refer to this
article:

    http://computer.howstuffworks.com/dns.htm/printable

Second, you must understand that most end-users on the Internet use a
DNS server that is close to them (at their ISP or within their
organization's firewalls) to lookup names for them.  For performance
reasons, these DNS servers cache the returned data so that it takes less
time to respond to the next client.  If there is a vulnerability or
misconfiguration in the software on these DNS servers, then the cache
poisoning attack is possible.  When a victim DNS cache is poisoned, the
attacker will be affecting ALL future lookups of any domain name he
chooses for ALL users of that DNS server.  Large ISPs may have thousands
of users referencing a single DNS resolver.  So an attack against a
resolver could affect thousands of users, without those users having
done anything wrong.

Here is how the attack works.  First, there needs to be a trigger that
forces the victim site's DNS server to query the evil DNS server. There
are several ways to accomplish this.  A couple of easy methods are
e-mail to a non-existant user (which will generate an NDR to the source
domain), spam e-mail with an external image, banner ads served from
another site, or perhaps triggering it from a bot network or installed
base of spyware.

Once the trigger executes, the victim's site DNS server queries the evil
DNS server.  The attacker includes extra information in the DNS reply
packet.  In both attacks, the reply packets contained root entries for
the entire .COM domain.  If your DNS server is not configured properly,
then it will accept the new entries for .COM and delete the proper
entries for the Verisign servers (who runs the .COM domain).  Once this
has occurred, any future queries that your DNS server makes for .COM
addresses will go to the malicious DNS server.  The server can give you
any address it wants.  In this attack, any hostname that you request is
returned with a couple of IP addresses that are running a webserver and
attempting to exploit client-side bugs in Internet Explorer to install
spyware.

It is important to note that this attack could be used to hijack other
domain roots besides .COM, like .NET, .ORG, or the country TLDs like .CA
or .DE.  The attacker could hijack all of them.  A smart attacker would
potentially just hijack specific hostnames and then return the correct
information for all other queries.  This type of attack would not be as
noticeable and could potentially be very dangerous.


########################################################################
##  What was the motivation for this type of attack?
########################################################################

The motivation for these attacks is very simple: money.  The end goal of
the first attack was to install spyware/adware on as many Windows
machines as possible.  A good spyware/adware program can generate
significant revenue for the attacker.

There is an excellent write-up by the folks at LURHQ that describes the
pay-per-click (PPC) advertising scheme that is likely behind the
first/third attacks: http://www.lurhq.com/ppc-hijack.html.

The second attack seems to have been launched by a known spammer.  But
this is quite a complicated attack for a spammer, so my current theory
is that the attacker(s) are contracting their services for hire.

The motivation for our detailed analyis was because of the DNS cache
poisoning attack, which has the potential for affecting millions of
Internet users and enabling some very dangerous attacks.  After
receiving a couple of reliable reports, it became clear to us that we
needed to get to the very bottom of this attack.


########################################################################
##  Weren't DNS cache poisoning attacks squashed around 8 years ago?
########################################################################

Taking a trip down memory lane... Cache poisoning has been around for a
very long time.  There have been unfortunate bugs in BIND and there have
been design flaws.  The DJB fans will note that djbdns has been secure
against cache poisoning for a long time, too.

Basically, the UNIX-based stuff has been secure against cache poisoning
for quite some time, but there may always be a bug or design flaw that
is discovered.  We are not quite sure why Microsoft left a default
configuration to be unsecure in NT4 and 2000.  (Exercise to reader:
insert Microsoft security comment/opinion/joke here, but keep it to
yourself).


########################################################################
##  What was the trigger for the attack?
########################################################################

We haven't been able to isolate the exact trigger for either attack.
There are several methods to trigger a DNS lookup to a malicious DNS
server.  There are so many methods to do so, that it doesn't really
matter.  It can be accomplished easily, so instead of focusing on the
trigger, security/system administrators should focus on securing their
DNS software.


########################################################################
## How exactly did this DNS cache poisoning attack work?
########################################################################

During the first attack (around Feb 22 to Mar 12, 2005), victims were
being re-directed to one of 3 servers: 217.160.169.87, 207.44.240.79,
216.127.88.131.  The domain names for these servers were: www.7sir7.com,
123xxl.com, and abx4.com.  These domain names were purchased just prior
to the attack being launched.  All of the IP addresses above were UNIX
machines at colocation/web-hosting companies that were compromised.
Most people observed the re-direction because their web-surfing was
obviously affected.  But we also received reports of e-mails getting
bounced and subsequent investigation of log files from those machines
indicated that FTP logins, IMAP/POP logins, and SSH traffic was being
re-directed also.  The attacker had uploaded to the compromised UNIX
machines two client-side exploits for Internet Explorer.  So when users
were re-directed to those servers, the exploit would be launched and if
successful, the victim would be infected with a spyware program.

During the second attack (March 25), there were two malicious DNS
servers that were re-directing people.  The malicious DNS servers were
222.47.183.18 and 222.47.122.203.  These DNS servers were re-directing
people to themselves, where a website selling popular prescription
medication was found.  These webservers did not host any malicious
content.  Instead, this was more the work of a spammer.  Future
investigation into the IP addresses and domain names registered to those
IP addresses indicate that these servers are probably owned by a spammer
with over 300 domain names registered.  It should be noted that the
website advertised indicated "megapowerpills.com", however there is a
real website with that name that is operated on a different IP address.

The third attack is really a continuation of the first attack (March 25
- April 1, 2005), with the same goal of installing a spyware program.
One of the machines from the first attack (216.127.88.131) was never
cleaned-up properly and the attacker came back and changed the poisoning
tool.  This time, the DNS server gave out the following IP addresses:
209.123.63.168, 64.21.61.5, 205.162.201.11.  All of these servers hosted
the same simple webpage, which redirected people to the following URLs
(which we have neutered):

    vparivalka .org /G7 /anticheatsys.php?id=36381
    find-it .web-search .la


########################################################################
## What domain names were being hijacked?
########################################################################

We received some logs from two of the machines that were used to launch
the initial attack observed on March 4.  Remember, that those machines
were compromised.  The log files from those machines indicate the
following statistics over a 3 day period (Mar 2 - 5):

o 1,304 domain names were poisoned/hijacked
o 7,973,953 HTTP get attempts from 966 unique IP addresses.
o 75,529 incoming email messages from 1,863 different mailservers.
o 7,455 failed FTP logins from 635 unique IP addresses (95 unique user
accounts).
o 7,692 attempted IMAP logins (805 unique users, 411 unique IP
addresses).
o 2,027 attempted logins to 82 different webmail (HTTP) servers.

Also during the activity on March 4, 2005, a security administrator who
noticed the attack, exported a copy of his DNS cache, and sent it to us.
For his site, there were 665 hostnames that were poisoned in his DNS
cache.  Since the .COM entry was poisoned, any future queries for any
domain name ending in .COM would have re-directed his users to the
hostile servers.  I analyzed his cache dump to produce the list of
poisoned domain names below.

The following list shows how far-reaching this attack proved to be.  The
list is a small, categorized excerpt of the 665 domain names from his
site (with my short notes) that were being re-directed to hostile web
servers.  It is very important to note that e-mail, FTP logins, HTTPS
sessions, and other types of traffic were also being re-directed to the
malicious servers.  We do not believe that the attacker was reading
e-mail or collecting passwords, but we have no conclusive proof to
assert either theory.

Please note that the below list is not a list of organizations that had
their DNS cache's poisoned.  These organizations were not compromised,
although it is possible that customers of these sites unknowingly gave
out login information or personal information to the malicious servers.
Final disclaimer, this is just a short list of domain names that were
poisoned at a single site.  Any domain name could have been poisoned.


Financial Services
------------------
americanexpress.com (credit cards)
citicards.com (credit cards)
billpay.quickbooks.com (financial software/services)
adp.com (data processing)
hrblockemail.com (financial services)

Corporate Presence
------------------
dhl-usa.com (global shipping)
fedex.com (global shipping)
walmart.com (retail)
samsclub.com (retail)
kraftfoods.com (food products)
averydennison.com (paper products, labels)
ppg.com (worlwide commercial products)
nortelnetworks.com (telecommunications)
potterybarn.com (retail)
weightwatchers.com (retail)
dressbarn.com (retail)
moviefone.com (online movie listings/purchase)
nascar.com (car racing)
officemax.com (retail office supplies)
verizonwireless.com (wireless telephone service)
qvc.com (retail)

Media/Entertainment/News
-------------------
cnn.com
nbc.com
abc.com
fox.com
foxnews.com
espn.com
yahoofs.com
starwave.com (part of go.com)
hotjobs.com (job search)
chicagotribune.com
tribune.com
suntimes.com
wgnradio.com
businessweek.com
wired.com
randomhouse.com
imdb.com (online music database)
napster.com (online music)
musicmatch.com (online music)
allofmp3.com (online music)
audible.com (online music)
modblog.com (mobile blogging site)
entertainment.com
courttv.com

Hardware/Software
-----------------
trendmicro.com (anti-virus)
redhat.com (linux vendor)
msoffice.com
microsoftoffice.com
officeupdate.com
giantcompany.com (microsoft's new anti-spyware)
autodesk.com (AutoCAD)
realone.com
realplayer.com
emc.com (enterprise storage)
creative.com (consumer electronics)
lavasoftusa.com (personal firewalls)
tomshardware.com (pc hardware)

ISP/Hosting/Search
------------------
msn.com
compuserve.com
realpages.com
geocities.com
hotbot.com
switchboard.com
cleanmail.com
webex.com
catalog.com
about.com

Health Industry
---------------
webmd.com (online medical advice)
lilly.com (pharmaceuticals)
questdiagnostics.com (medical testing)

Travel
------
orbitz.com
sabre.com
tickets.com


########################################################################
## What were the victim sites?
########################################################################

Unless we receive very explicit approval to publish a victim's name, we
do not publish their name.  Instead, we offer some very generic
information.  Based on the number of e-mails that we received and by
looking at the log files from the compromised servers, I would
conservatively estimate that 500-1000 medium-to-large size organizations
were affected by these attacks.

There were about 10 organizations that contacted us that have over 1,000
employees.  These organizations are from different sectors of the
economy (banking, manufacturing, insurance, telecommunications).
Interestingly, most of the victims appear to be in North or South
America.


########################################################################
## What malware was placed on my machine if I visited the evil servers?
########################################################################

The webservers in the first/third attack tried to drop a spyware program
onto the victim's computer using a Microsoft Internet Explorer
vulnerability for ANI cursor handling.  The vulnerability was released
on January 11, 2005 and further technical information can be found
here:

    http://www.microsoft.com/technet/security/Bulletin/MS05-002.mspx

Proof of concept exploit code was publicly released soon after the
vulnerability was announced.  The filenames being used in this attack
were: abx.ani and abx22.ani.  Using VirusTotal, these ANI files were
detected as:

    Kaspersky:   Trojan-Downloader.Win32.Ani.d
    McAfee:      Exploit-ANIfile
    BitDefender: Exploit.Win32.MS05-002.Gen

The ANI exploit attempted to download one of the following two
executable files (same exact file) on the webserver: abx_search.exe or
mhh.exe.  These binaries were detected as:

    Kaspersky: AdWare.ToolBar.SearchIt.h
    Panda:     Adware/AbxSearch

If you were infected by this toolbar, you should run your favorite
spyware/adware program to identify and clean it from your computer.


########################################################################
## Got packets?
########################################################################

Here are packet captures from each attack that shows the DNS reply
packets from the malicious DNS servers.  The captures are decoded with
tethereal and hex output is at the end of each packet.  Notice that the
second packet of each capture includes and additional RR for "com".
This is the trigger for overwriting the normal "com" entries that are
the official 13 root nameservers.

The first packet capture was taken several days after the March 4
attack.  It shows that the attacker has modified the address that is
returned for any query.  In this capture, I query for www.cisco.com and
the malicious DNS server returns 209.135.140.198 which is definitely not
the right answer (it should be 198.133.219.25).

Frame 1 (2 on wire, 2 captured)
    Packet Length: 73 bytes
    Capture Length: 73 bytes
Ethernet II
    Destination: 
    Source: 
    Type: IP (0x0800)
Internet Protocol, Src Addr: 10.11.12.13 (10.11.12.13), Dst Addr:
    216.127.88.131 (216.127.88.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 59
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xf397 (correct)
    Source: 10.11.12.13 (10.11.12.13)
    Destination: 216.127.88.131 (216.127.88.131)
User Datagram Protocol, Src Port: 34899 (34899), Dst Port: 53 (53)
    Source port: 34899 (34899)
    Destination port: 53 (53)
    Length: 39
    Checksum: 0x9801 (correct)
Domain Name System (query)
    Transaction ID: 0xd4f5
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... ...0 .... = Non-authenticated data OK:
    Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.cisco.com: type A, class inet
            Name: www.cisco.com
            Type: Host address
            Class: inet

0x0000   4500 003b 0000 4000 4011 f397 0a0b 0c0d        E..;..@.@.......
0x0010   d87f 5883 8853 0035 0027 9801 d4f5 0100        ..X..S.5.'......
0x0020   0001 0000 0000 0000 0377 7777 0563 6973        .........www.cis
0x0030   636f 0363 6f6d 0000 0100 01                    co.com.....


Frame 2 (2 on wire, 2 captured)
    Frame Number: 2
    Packet Length: 119 bytes
    Capture Length: 119 bytes
Ethernet II
    Destination: 
    Source: 
    Type: IP (0x0800)
Internet Protocol, Src Addr: 216.127.88.131 (216.127.88.131), Dst Addr:
    10.11.12.13 (10.11.12.13)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 105
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 51
    Protocol: UDP (0x11)
    Header checksum: 0x006a (correct)
    Source: 216.127.88.131 (216.127.88.131)
    Destination: 10.11.12.13 (10.11.12.13)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 34899 (34899)
    Source port: 53 (53)
    Destination port: 34899 (34899)
    Length: 85
    Checksum: 0x036c (correct)
Domain Name System (response)
    Transaction ID: 0xd4f5
    Flags: 0x8580 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for
                                domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do
                                recursive queries
        .... .... ..0. .... = Answer authenticated: Answer/authority
                                portion was not authenticated by the
                                server 
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 1
    Additional RRs: 0
    Queries
        www.cisco.com: type A, class inet
            Name: www.cisco.com
            Type: Host address
            Class: inet
    Answers
        www.cisco.com: type A, class inet, addr 209.135.140.198
            Name: www.cisco.com
            Type: Host address
            Class: inet
            Time to live: 1 day, 3 hours, 46 minutes, 39 seconds
            Data length: 4
            Addr: 209.135.140.198
    Authoritative nameservers
        com: type NS, class inet, ns 3sistersmassage.com
            Name: com
            Type: Authoritative name server
            Class: inet
            Time to live: 1 day, 3 hours, 46 minutes, 39 seconds
            Data length: 18
            Name server: 3sistersmassage.com

0x0000   4500 0069 0000 4000 3311 006a d87f 5883        E..i..@.3..j..X.
0x0010   0a0b 0c0d 0035 8853 0055 036c d4f5 8580        .....5.S.U.l....
0x0020   0001 0001 0001 0000 0377 7777 0563 6973        .........www.cis
0x0030   636f 0363 6f6d 0000 0100 01c0 0c00 0100        co.com..........
0x0040   0100 0186 9f00 04d1 878c c6c0 1600 0200        ................
0x0050   0100 0186 9f00 120f 3373 6973 7465 7273        ........3sisters
0x0060   6d61 7373 6167 65c0 16                         massage..


At the time of the packet capture - 3sistersmassge.com resolved to
216.127.88.131 which was the same server I was talking to.

Below is a packet capture from the second attack.  This one shows
several hostnames (but the same IP address) being returned as the root
nameserver for .com.  For this capture, I'm just showing the response
from a query to lookup an obscure domain name (www.leroysprings.com).
In this case, the malicious DNS server returns 222.47.183.18 as the IP
address and it returns the same IP as the root nameserver for .com.

Frame 1
    Packet Length: 260 bytes
    Capture Length: 260 bytes
Ethernet II
    Destination: 
    Source: 
    Type: IP (0x0800)
Internet Protocol, Src Addr: 222.47.183.18 (222.47.183.18), Dst Addr:
    10.11.12.13 (10.11.12.13)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 246
    Identification: 0x0000
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 50
    Protocol: UDP (0x11)
    Header checksum: 0x9c9d (correct)
    Source: 222.47.183.18 (222.47.183.18)
    Destination: 10.11.12.13 (10.11.12.13)
User Datagram Protocol, Src Port: 53 (53), Dst Port: 32792 (32792)
    Source port: 53 (53)
    Destination port: 32792 (32792)
    Length: 226
    Checksum: 0xfa49 (correct)
Domain Name System (response)
    Transaction ID: 0x5494
    Flags: 0x8500 (Standard query response, No error)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for
    domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 0... .... = Recursion available: Server can't do
    recursive queries
        .... .... ..0. .... = Answer authenticated: Answer/authority
    portion was not authenticated by the server
    .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 2
    Authority RRs: 4
    Additional RRs: 4
    Queries
        www.leroysprings.com: type A, class inet
            Name: www.leroysprings.com
            Type: Host address
            Class: inet
    Answers
        www.leroysprings.com: type A, class inet, addr 222.47.183.18
            Name: www.leroysprings.com
            Type: Host address
            Class: inet
            Time to live: 1 minute
            Data length: 4
            Addr: 222.47.183.18
        www.leroysprings.com: type A, class inet, addr 222.47.183.18
            Name: www.leroysprings.com
            Type: Host address
            Class: inet
            Time to live: 1 minute
            Data length: 4
            Addr: 222.47.183.18
    Authoritative nameservers
        com: type NS, class inet, ns ns1.m-dns.us
            Name: com
            Type: Authoritative name server
            Class: inet
            Time to live: 1 minute
            Data length: 14
            Name server: ns1.m-dns.us
        com: type NS, class inet, ns ns2.com
            Name: com
            Type: Authoritative name server
            Class: inet
            Time to live: 1 minute
            Data length: 6
            Name server: ns2.com
        com: type NS, class inet, ns ns1.bizwebb.us
            Name: com
            Type: Authoritative name server
            Class: inet
            Time to live: 1 minute
            Data length: 14
            Name server: ns1.bizwebb.us
        com: type NS, class inet, ns ns2.com
            Name: com
            Type: Authoritative name server
            Class: inet
            Time to live: 1 minute
            Data length: 2
            Name server: ns2.com
    Additional records
        ns1.m-dns.us: type A, class inet, addr 222.47.183.18
            Name: ns1.m-dns.us
            Type: Host address
            Class: inet
            Time to live: 1 minute
            Data length: 4
            Addr: 222.47.183.18
        ns2.com: type A, class inet, addr 222.47.183.18
            Name: ns2.com
            Type: Host address
 
0x0000   4500 00f6 0000 4000 3211 9c9d de2f b712        E.....@.2..../..
0x0010   0a0b 0c0d 0035 8018 00e2 fa49 5494 8500        .....5.....IT...
0x0020   0001 0002 0004 0004 0377 7777 0c6c 6572        .........www.ler
0x0030   6f79 7370 7269 6e67 7303 636f 6d00 0001        oysprings.com...
0x0040   0001 c00c 0001 0001 0000 003c 0004 de2f        ...........<.../
0x0050   b712 c00c 0001 0001 0000 003c 0004 de2f        ...........<.../
0x0060   b712 c01d 0002 0001 0000 003c 000e 036e        ...........<...n
0x0070   7331 056d 2d64 6e73 0275 7300 c01d 0002        s1.m-dns.us.....
0x0080   0001 0000 003c 0006 036e 7332 c01d c01d        .....<...ns2....
0x0090   0002 0001 0000 003c 000e 036e 7331 0762        .......<...ns1.b
0x00a0   697a 7765 6262 c05c c01d 0002 0001 0000        izwebb.\........
0x00b0   003c 0002 c06c c052 0001 0001 0000 003c        .<...l.R.......<
0x00c0   0004 de2f b712 c06c 0001 0001 0000 003c        .../...l.......<
0x00d0   0004 de2f b712 c06c 0001 0001 0000 003c        .../...l.......<
0x00e0   0004 de2f b712 c07e 0001 0001 0000 003c        .../...~.......<
0x00f0   0004 de2f b712                                 .../..


########################################################################
## Got snort?
########################################################################

The following Snort signature should catch poisoning for the .COM
domain.  New signatures will be posted to the ISC site as we test and
refine them.  Also check http://bleedingsnort.com/ for the latest
signatures.