Saturday, March 21, 2009
HIDDEN PROGRAMS IN WINDOWS XP
1. Private Character Editor :
Used for editing fonts,etc.
** start>>Run
** Now, type eudcedit
2. Dr. Watson :
This an inbuilt windows repairing software !
** start>>Run
** Now, type drwtsn32
3. Media Player 5.1 :
Even if you upgrade your Media Player, you can still access your old player in case the new one fails !!!
** start>>Run
** Now, type mplay32
4. iExpress :
Used to create SetupsYou can create your own installers !
** start>>Run
** Now, type iexpress
HIDDEN MUSIC
Microsoft Windows XP is playing a cool music during installation. It is a pleasant little tune that you’ve probably never heard, unless you were present when Windows was being installed on your PC. After that it’s never played again, unless you know where to look for it.
To hear what you’ve been missing, just follow these:
Make you way to C:\WINDOWS\system32\oobe\images and look for a file called "Title.wma" or possibly "Windows welcome music.wma".
It is around 2.56Mb in size. Just double click the file and this will open Windows Media Player, or your defaul player and it will proceed to serenade you with a more than 5 minutes music.
Friday, March 20, 2009
TOP TEN TIPS TO IMPROVE YOUR SYSTEM
1. Let your PC boot up completely before opening any applications.
2. Refresh the desktop after closing any application. This will remove any unused files from the RAM.
3. Do not set very large file size images as your wallpaper. Do not keep a wallpaper at all if your PC is low on RAM (less than 64 MB).It takes much more memory from RAM.
4. Do not clutter your Desktop with a lot of shortcuts. Each shortcut on the desktop uses up to 500 bytes of RAM.
5. Empty the recycle bin regularly. The files are not really deleted from your hard drive until you empty the recycle bin.
6. Delete the temporary internet files regularly.
7. Defragment your hard drive once every 15 days. This will free up a lot of space on your hard drive and rearrange the files so that your applications run faster.
8. Always make two partitions in your hard drive. Install all large Softwares (like PSP, Photoshop, 3DS Max etc) in the second partition. Windows uses all the available empty space in C drive as virtual memory when your Computer RAM is full. Keep the C Drive as empty as possible.
9. When installing new Softwares disable the option of having a tray icon. The tray icons use up available RAM, and also slow down the booting of your PC. Also disable the option of starting the application automatically when the PC boots. You can disable these options later on also from the Tools or preferences menu in your application.
10. Protect your PC from dust. Dust causes the CPU cooling fan to jam and slow down thereby gradually heating your CPU and affecting the processing speed. Use compressed air to blow out any dust from the CPU. Never use vacuum.
RAM IS THE WORKING AREA (DESKTOP) OF THE CPU, KEEP IT AS EMPTY AND UNCLUTTERED AS POSSIBLE!
Wednesday, March 18, 2009
METHODS OF VIRUS CODE
VIRUS INFACTION
A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:
Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus.
Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.
Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.
A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.
STEALTH
Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.
SELF MODIFICATION
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.
ENCRYPTION WITH A VARIABLE KEY
A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but that probably isn't required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.
An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious code that modifies itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.
POLYMORPHIC CODE
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body.
Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.
METAMORPHIC CODE
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.
Tuesday, March 17, 2009
ALL ABOUT DOS ATTACKS
DOS ATTACK
DOS Attacks or Denial Of Services Attack have become very common amongst Hackers who use them as a path to fame and respect in the underground groups of the Internet. Denial of Service Attacks basically means denying valid Internet and Network users from using the services of the target network or server. It basically means, launching an attack, which will temporarily make the services, offered by the Network unusable by legitimate users.
In others words one can describe a DOS attack, saying that a DOS attack is one in which you clog up so much memory on the target system that it cannot serve legitimate users. Or you send the target system data packets, which cannot be handled by it and thus causes it to either crash, reboot or more commonly deny services to legitimate users.
TYPES OF DOS ATTACKS
1.Those that exploit vulnerabilities in the TCP/IP protocols suite.
2.Those that exploit vulnerabilities in the Ipv4 implementation.
3 There are also some brute force attacks, which try to use up all resources of the target system and make the services unusable.
Before I go on with DOS attacks, let me explain some vulnerabilities in TCP/IP itself. Some common vulnerabilities are Ping of Death, Teardrop, SYN attacks and Land Attacks.
PING OF DEATH
This vulnerability is quite well known and was earlier commonly used to hang remote systems (or even force them to reboot) so that no users can use its services. This exploit no longer works, as almost all system administrators would have upgraded their systems making them safe from such attacks.
In this attack, the target system is pinged with a data packet that exceeds the maximum bytes allowed by TCP/IP, which is 65 536. This would have almost always caused the remote system to hang, reboot or crash. This DOS attack could be carried out even through the command line, in the following manner:
The following Ping command creates a giant datagram of the size 65540 for Ping. It might hang the victim's computer:
C:\windows>ping -l 65540 ipaddress
TRARDROP
The Teardrop attack exploits the vulnerability present in the reassembling of data packets. Whenever data is being sent over the Internet, it is broken down into smaller fragments at the source system and put together at the destination system. Say you need to send 4000 bytes of data from one system to the other, then not all of the 4000 bytes is sent at one go. This entire chunk of data is first broken down into smaller parts and divided into a number of packets, with each packet carrying a specified range of data. For Example, say 4000 bytes is divided into 3 packets, then:
The first Packet will carry data from 1 byte to 1500 bytes
The second Packet will carry data from 1501 bytes to 3000 bytes
The third packet will carry data from 3001 bytes to 4000 bytes
These packets have an OFFSET field in their TCP header part. This Offset field specifies from which byte to which byte does that particular data packet carries data or the range of data that it is carrying. This along with the sequence numbers helps the destination system to reassemble the data packets in the correct order. Now in this attack, a series of data packets are sent to the target system with overlapping Offset field values. As a result, the target system is not able to reassemble the packets and is forced to crash, hang or reboot.
Say for example, consider the following scenario-: (Note: _ _ _ = 1 Data Packet)
Normally a system receives data packets in the following form, with no overlapping Offset values.
_ _ _ _ _ _ _ _ _
(1 to 1500 bytes) (1501 to 3000 bytes) (3001 to 4500 bytes)
Now in a Teardrop attack, the data packets are sent to the target computer in the following format:
_ _ _ _ _ _ _ _
(1 to 1500 bytes) (1500 to 3000 bytes) (1001 to 3600 bytes)
When the target system receives something like the above, it simply cannot handle it and will crash or hang or reboot.
SYN ATTACK
The SYN attack exploits TCP/IP's three-way handshake. Thus in order to understand as to how SYN Attacks work, you need to first know how TCP/IP establishes a connection between two systems. Whenever a client wants to establish a connection with a host, then three steps take place. These three steps are referred to as the three-way handshake.
In a normal three way handshake, what happens is that, the client sends a SYN packet to the host, the host replies to this packet with a SYN ACK packet. Then the client responds with a ACK (Acknowledgement) packet. This will be clearer after the following depiction of these steps-:
Client --------SYN Packet--------------a Host
In the first step the client sends a SYN packet to the host, with whom it wants to establish a three-way connection. The SYN packet requests the remote system for a connection. It also contains the Initial Sequence Number or ISN of the client, which is needed by the host to put back the fragmented data in the correct sequence.
Host -------------SYN/ACK Packet----------à Client
In the second step, the host replies to the client with a SYN/ACK packet. This packet acknowledges the SYN packet sent by the client and sends the client its own ISN.
Client --------------ACK-----------------------à Host
In the last step the client acknowledges the SYN/ACK packet sent by the host by replying with a ACK packet.
These three steps together are known as the 3-way handshake and only when they are completed is a complete TCP/IP connection established.
In a SYN attack, several SYN packets are sent to the server but all these SYN packets have a bad source IP Address. When the target system receives these SYN Packets with Bad IP Addresses, it tries to respond to each one of them with a SYN ACK packet. Now the target system waits for an ACK message to come from the bad IP address. However, as the bad IP does not actually exist, the target system never actually receives the ACK packet. It thus queues up all these requests until it receives an ACK message. The requests are not removed unless and until, the remote target system gets an ACK message. Hence these requests take up or occupy valuable resources of the target machine.
To actually affect the target system, a large number of SYN bad IP packets have to be sent. As these packets have a Bad Source IP, they queue up, use up resources and memory or the target system and eventually crash, hang or reboot the system.
LAND ATTACKS
A Land attack is similar to a SYN attack, the only difference being that instead of a bad IP Address, the IP address of the target system itself is used. This creates an infinite loop between the target system and the target system itself. However, almost all systems have filters or firewalls against such attacks.
SMURF ATTACKS
A Smurf attack is a sort of Brute Force DOS Attack, in which a huge number of Ping Requests are sent to a system (normally the router) in the Target Network, using Spoofed IP Addresses from within the target network. As and when the router gets a PING message, it will route it or echo it back, in turn flooding the Network with Packets, and jamming the traffic. If there are a large number of nodes, hosts etc in the Network, then it can easily clog the entire network and prevent any use of the services provided by it.
UDP FLOODINGThis kind of flooding is done against two target systems and can be used to stop the services offered by any of the two systems. Both of the target systems are connected to each other, one generating a series of characters for each packet received or in other words, requesting UDP character generating service while the other system, echoes all characters it receives. This creates an infinite non-stopping loop between the two systems, making them useless for any data exchange or service provision.
DISTRIBUTED DOS ATTACKS
DOS attacks are not new; in fact they have been around for a long time. However there has been a recent wave of Distributed Denial of Services attacks which pose a great threat to Security and are on the verge of overtaking Viruses/Trojans to become the deadliest threat to Internet Security. Now you see, in almost all of the above TCP/IP vulnerabilities, which are being exploited by hackers, there is a huge chance of the target's system administrator or the authorities tracing the attacks and getting hold of the attacker.
Now what is commonly being done is, say a group of 5 Hackers join and decide to bring a Fortune 500 company's server down. Now each one of them breaks into a smaller less protected network and takes over it. So now they have 5 networks and supposing there are around 20 systems in each network, it gives these Hackers, around 100 systems in all to attack from. So they sitting on there home computer, connect to the hacked less protected Network, install a Denial of Service Tool on these hacked networks and using these hacked systems in the various networks launch Attacks on the actual Fortune 500 Company. This makes the hackers less easy to detect and helps them to do what they wanted to do without getting caught. As they have full control over the smaller less protected network they can easily remove all traces before the authorities get there.
Not even a single system connected to the Internet is safe from such DDOS attacks. All platforms Including Unix, Windows NT are vulnerable to such attacks. Even MacOS has not been spared, as some of them are being used to conduct such DDOS attacks.
Monday, March 16, 2009
HACKING WINDOWS XP IN 3 MINUTES
1. Get physical access to the machine. Remember that it must have a CD or DVD drive.
2. Download DreamPackPL HERE:-http://rapidshare.com/files/32846408/dreampackpl.zip
3. Unzip the downloaded dreampackpl.zip and you'll get dreampackpl.ISO.
4. Use any burning program that can burn ISO images.
5. After you have the disk, boot from the CD or DVD drive. You will see windows 2000 Setup and it will load some files.
6. Press "R" to install DreamPackPL.
7. Press "C" to install DreamPackPL by using the recovery console.
8. Select the Windows installation that is currently on the computer (Normally is "1" if you only have one Windows installed)
9. Backup your original sfcfiles.dll by typing:
"ren C:\Windows\System32\sfcfiles.dll sfcfiles.lld" (without quotes)
10. Copy the hacked file from CD to system32 folder. Type:
"copy D:\i386\pinball.ex_ C:\Windows\System32\sfcfiles.dll" (without quotes and assuming your CD drive is D:)
11. Type "exit", take out disk and reboot.
12. In the password field, type "dreamon" (without quotes) and DreamPack menu will appear.
13. Click the top graphic on the DreamPack menu and you will get a menu popup.
14. Go to commands and enable the options and enable the god command.
15. Type "god" in the password field to get in Windows.
You can also go to Passwords and select "Logon with wrong password and hash". This option allows you to login with ANY password.