Archive

Posts Tagged ‘Threats’

SSL VPN: Architechture of VPN


On my last 2 posts, I had explained the ‘SSL‘ and the ‘VPN‘. What are they, and what is our purpose of using them. Now, we’ll see VPN Architecture. With a simple diagram, I shall try to make you understand.

VPN architectureLet us take our previous example of John. Here, in the figure, the VPN device has 2 Ethernet ports: a Public Port & a Private Port. The Public Port is directly connected to the Internet via firewall and routers. The Private Port is connected to the 30 computers in the XYZ Pvt. Ltd. Now, as we can see, John wishes to connect to VPN; he, using the Internet, can connect to the VPN.

Now, one more thing, we can see, in the figure, over the ‘Internet‘, there is something called “SSL Tunnel Thru Internet“. Remember SSL? This is that tunnel. It is encrypted through several algorithms, which depends on the manufacturer of the device. Some manufacturers uses AES-128 some uses RC4 algorithm.

One more thing, the VPN device looks alike just a normal ’24-port switch‘. It contains more than 1 Ethernet port. It contains all normal hardware components of a CPU: like a Motherboard, a Processor, RAMs, a Hard Disk Drive etc. They also contain some Operating Systems. Generally Linux OS is provided with the devices. The reason is open source, free and its robustness. More over Linux is such a dynamic OS, that, the administrator can perform any type of job there.

So, in a nutshell, this was a brief architecture of VPN devices. If you guys face any problem, just post them in comments or contact us. We shall try to help you.

Thank you.

Advertisements

Conficker Worm: Removal

April 3, 2009 Leave a comment

On 15 October 2008, Microsoft released an emergency out-of-band patch for vulnerability MS08-067, which the worm exploits to spread. The patch applies only to Windows XP SP 2, Windows XP SP 3, Windows 2000 SP4, Windows Vista; Windows XP SP 1 and and earlier are no longer supported.

Microsoft has since released a removal guide for the worm, and recommends using the current release of its Malicious Software Removal Tool to remove the worm, then applying the patch to prevent re-infection.

For Manual Removal of the worm, please follow this link:

I found this link quite useful…

Hope this updates on Win32 Conficker Worm will help you..I will try to add more posts as soon as I get some other useful information.

Thank You

Conficker Worm: Characteristics(contd.)

April 2, 2009 Leave a comment

When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry key to create a randomly-named service on the affected syetem:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “Path to worm”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.
Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.
Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Conficker Worm: Characteristics

April 2, 2009 Leave a comment

It copies itself to the following patches:

  • %Sysdir%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %Program Files%\Windows Media Player\[Random].dll
  • %Program Files%\Windows NT\[Random].dll

It disables the following services:

  • WerSvc , ERSvc , BITS , wuauserv , WinDefend , wscsvc

It hooks the following functions in dnsapi.dll :

  • Query_Main , DnsQuery_W , DnsQuery_UTF8 , DnsQuery_A

It hooks the following functions in ws2_32.dll:

  • sendto

The worm deletes the following registry key to disable restarting in safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

It terminates the processes that contains the following strings in name:

  • wireshark / unlocker / tcpview / sysclean / scct_ / regmon / procmon / procexp / ms08-06 / mrtstub / mrt. / mbsa. / klwk / kido / kb958 / kb890 / hotfix / gmer /¬† filemon / downad / confick / avenger / autoruns

In order to block users access to security-related domains, prevents network access to any domains that contain the following strings:

  • windowsupdate / wilderssecurity / virus / virscan / trojan / trendmicro / threatexpert / threat / technet / symantec / sunbelt / spyware / spamhaus / sophos / secureworks / securecomputing / safety.live / rootkit / rising / removal / quickheal / ptsecurity / prevx / pctools / panda / onecare / norton / norman / nod32 / networkassociates / mtc.sri / msmvps / msftncsi / mirage / microsoft / mcafee / malware / kaspersky / k7computing / jotti / ikarus / hauri / hacksoft / hackerwatch / grisoft / gdata / freeav / free-av / fortinet / f-secure / f-prot / ewido / etrust / eset / esafe / emsisoft / dslreports / drweb / defender / cyber-ta / cpsecure / conficker / computerassociates / comodo / clamav / centralcommand / ccollomb / castlecops / bothunter / avira / avgate / avast / arcabit / antivir / anti- / ahnlab / agnitum

Conficker Worm: A new threat to computer

April 2, 2009 3 comments

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008.
An early variant of the worm propagated through the Internet by exploiting a vulnerability in the network stack of Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta that was discovered earlier that month.The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

Method of Infection:

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.conficker_500x3751
Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
Upon detection of this worm the system should be rebooted to clean memory correctly. May require more than one reboot.
Scheduled tasks have been seen to be created on the system to re-activate the worm.

Autorun.inf files have been seen to be used to re-activate the worm.

Symptoms:

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service¬† (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed.

For more information about Win32/Conficker.b, visit the following Web pages: