gadget buzz: December 2007

17 Dec 2007

Googbot- worm

Original issue date: 24th September 2007

It has been observed that a mass-mailing worm named Googbot is circulating in the wild. It propagates by exploiting software vulnerabilities. The worm is exploiting Trend Micro ServerProtect multiple stack-based buffer overflow vulnerability described in CIVN-2007-80 and Windows LSA (Local Security Authority) Service Stack-Based Buffer Overflow vulnerability described in CVE-2003-0533 . Further it opens a backdoor on the infected system on TCP port 7001 to connect to domain io.phatnet.biz and listen for malicious commands from the remote attacker.

The worm has its own SMTP engine to send mass e-mails. It harvests the e-mail addresses from the infected system and sends malicious e-mails to the collected addresses. The e-mail body contains a malicious link which entice the users to click upon using social engineering technique.

Aliases : WORM_AGENT.AAWD [Trend], W32 Duce.a@mm [McAfee], Backdoor.W32.GoogBot.A [Kaspersky]

The e-mail contains the following :

Subject : (any of the following)

Someone has sent you a Private Message!
You have just recieved a NEW message!
You have (1) NEW messages!

Body : (any of the following)

You have just recieved a new Google Message!
You can view your message here: http://www.google.com/gmsgid=4289472
Note: If you do not already have Google Message Viewer installed, you will be prompted to install it.

Upon execution, the worm :

Copies itself to the following location:
%System%\sysboot32.exe
Creates the following registry entry to ensure its execution
at every system startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\"System Boot Loader" = "%System%\sysboot32.exe"
Modifies the hosts file for effectively disabling the access to security related websites by adding the following lines like:

127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symanteclive
update.com

Obtains e-mail addresses from the Windows Address Book and also searches for email addresses in files which have the following extensions:
wab, .adb, .tbb, .dbx, .asp, .php, .sht,.htm,.txt
Opens a backdoor on the infected system on TCP port 7001 to connect to domain io.phatnet.biz

In view of rapid propagation of the Googbot worm, users are advised to implement the following countermeasures:

Install and maintain a updated anti-virus software at gateway and desktop level.
Keep up-to-date on patches and fixes on the operating system and above mentioned vulnerabilities.
Monitor outgoing traffic to specified TCP port of the IRC command and control (C&C) server mentioned above.
Enable advanced TCP/IP filtering on systems.
Do not follow links embedded in unsolicited emails.

References:

http://www.symantec.com/enterprise/security_response/writeup
.jsp?docid=2007-091707-2115-99&tabid=1

Disclaimer:

The information provided herein is on "as is" basis, without warranty of any kind.

Trojan Exploiting PDF Vulnerability

Original issue date:30 October 2007

It has been observed that a Malware Trojan named Pidief is circulating widely exploiting Remote code Execution vulnerability in Adobe Acrobat PDF File described in CIVN-2007-128 .

The Trojan comes as a PDF attachment in spammed e-mails with subject lines enticing innocent users into opening the malicious file and executing the malware on their systems.

Aliases : : EXPL_PIDIEF.B [FrSirt], Trojan.Pidief.A [Symantec], EXPL_PIDIEF.B [Trend Micro], Exploit.Win32.AdobeReader.b [Kaspersky]

The e-mail contains the following :

Subject : (any of the following)

Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points

Attachments: (any of the following)

report.pdf
debt.2007.pdf
overdraft.2007.10.26.pdf

Upon execution, the Trojan :

disables Windows firewall by issuing the following command:
netsh firewall set opmode mode=DISABLE
downloads malicious files from different location.
the above said downloaded threat is saved to the following locations
%CurrentFolder%\

In view of rapid propagation of the PDF Malware, users are advised to implement the following countermeasures:

Disable the "mailto:" option in Acrobat, Acrobat 3D 8 and Adobe Reader in the Windows registry
Apply appropriate patches on vulnerable Adobe Systems as mentioned in Cert-In Vulnerability Note CIVN-2007-128.
Delete emails with the above mentioned Subject lines and attachments.
Avoid opening of PDF files through the web browser. Instead save the file to disk before opening.
Install and maintain a updated anti-virus software at gateway and desktop level.
Keep up-to-date on patches and fixes on the operating system and above mentioned vulnerabilities.

References

http://www.symantec.com/business/security_response/writeup.jsp
?docid=2007-102310-3513-99&tabid=1

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k
=139103

http://www.f-secure.com/weblog/archives/00001303.html

Disclaimer :

The information provided herein is on "as is" basis, without warranty of any kind.

Googbot- worm

Aliases : WORM_AGENT.AAWD [Trend], W32 Duce.a@mm [McAfee], Backdoor.W32.GoogBot.A [Kaspersky]

The e-mail contains the following :

Subject : (any of the following)

Someone has sent you a Private Message!
You have just recieved a NEW message!
You have (1) NEW messages!

Body : (any of the following)

You have just recieved a new Google Message!
You can view your message here: http://www.google.com/gmsgid=4289472
Note: If you do not already have Google Message Viewer installed, you will be prompted to install it.

Upon execution, the worm :

Copies itself to the following location:
%System%\sysboot32.exe
Creates the following registry entry to ensure its execution
at every system startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run\"System Boot Loader" = "%System%\sysboot32.exe"
Modifies the hosts file for effectively disabling the access to security related websites by adding the following lines like:

127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symanteclive
update.com

Obtains e-mail addresses from the Windows Address Book and also searches for email addresses in files which have the following extensions:
wab, .adb, .tbb, .dbx, .asp, .php, .sht,.htm,.txt
Opens a backdoor on the infected system on TCP port 7001 to connect to domain io.phatnet.biz

In view of rapid propagation of the Googbot worm, users are advised to implement the following countermeasures:

Install and maintain a updated anti-virus software at gateway and desktop level.
Keep up-to-date on patches and fixes on the operating system and above mentioned vulnerabilities.
Monitor outgoing traffic to specified TCP port of the IRC command and control (C&C) server mentioned above.
Enable advanced TCP/IP filtering on systems.
Do not follow links embedded in unsolicited emails.

References:

http://www.symantec.com/enterprise/security_response/writeup
.jsp?docid=2007-091707-2115-99&tabid=1

Disclaimer:

The information provided herein is on "as is" basis, without warranty of any kind.

Trojan Exploiting PDF Vulnerability

The Trojan comes as a PDF attachment in spammed e-mails with subject lines enticing innocent users into opening the malicious file and executing the malware on their systems.

Aliases : : EXPL_PIDIEF.B [FrSirt], Trojan.Pidief.A [Symantec], EXPL_PIDIEF.B [Trend Micro], Exploit.Win32.AdobeReader.b [Kaspersky]

The e-mail contains the following :

Subject : (any of the following)

Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points

Attachments: (any of the following)

report.pdf
debt.2007.pdf
overdraft.2007.10.26.pdf

Upon execution, the Trojan :

disables Windows firewall by issuing the following command:
netsh firewall set opmode mode=DISABLE
downloads malicious files from different location.
the above said downloaded threat is saved to the following locations
%CurrentFolder%\

In view of rapid propagation of the PDF Malware, users are advised to implement the following countermeasures:

Disable the "mailto:" option in Acrobat, Acrobat 3D 8 and Adobe Reader in the Windows registry
Apply appropriate patches on vulnerable Adobe Systems as mentioned in Cert-In Vulnerability Note CIVN-2007-128.
Delete emails with the above mentioned Subject lines and attachments.
Avoid opening of PDF files through the web browser. Instead save the file to disk before opening.
Install and maintain a updated anti-virus software at gateway and desktop level.
Keep up-to-date on patches and fixes on the operating system and above mentioned vulnerabilities.

References

http://www.symantec.com/business/security_response/writeup.jsp
?docid=2007-102310-3513-99&tabid=1

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k
=139103

http://www.f-secure.com/weblog/archives/00001303.html

Disclaimer :

The information provided herein is on "as is" basis, without warranty of any kind.

16 Dec 2007

Beware of Santa Worm this christmas

A Santa Claus worm might trick you this Christmas my dear readers . It makes MSN and Yahoo instant-messaging users click on a file that delivers unwanted software to a victim's computer.

The worm is IM.GiftCom.All. The worm attempts to dupe IM users making them think that an acquaintance has sent them a link to a harmless Santa Claus file . Once you click on the file , you will see an image of Santa, but what you don't notice is that a rootkit being installed on their system. A rootkit is a tool designed to hide processes and files from the security software used to lock down control of a computer after an initial hack. The malicious attacker can then distribute messages to the user's IM contacts, using a similar technique to lure the unsuspecting acquaintance to click on the link and the worm keeps spreading .

Not only this , there are other worms on IM networks that spread rapidly. They appear as a message from a buddy with a link that looks innocent, but in fact points to malicious code somewhere on the Internet. Once the user clicks on the link, malicious code is installed and runs on the computer. The worm then spreads itself by sending messages to all names on the victim's contact list.These can be treated as medium level security threats

Click here for Santa worm removal

Courtesy: Subhash

Heroes are created

Heroes are created by people to look upon them for help.

People may fight for their country. But they die for their friends..those who have been with them.

......Flag of our Fathers (movie)

Beware of Santa Worm this christmas

Truths of life

If i ask you if you know anything about art, you may tell me about Michelangelo- his life,his work. But you can never tell me what it smells like in the sixteenth chapel. You never actually stood there and looked up at the beautiful ceiling.

If i ask you about women, you may gimme a list of your personal favorites. You may have been laid a few times,but you can't tell me what it feels like to wake up next to a woman if you are truly happy.

If i ask you about war,you probably would throw Shakespeare at me telling whats the big difference.But you have never been in one.You never held your best friend in your lap, watch him gasp his last breadth looking to you for help.

If i ask you about love, you may probably quote me a sonnet; but have never looked into a woman who have been totally lovable.Being at the same level of your eyes; feeling like God put an angel to earth just for you,rescue you from the depths of hell. And you wish to be like her angel-to have the love for her and be there forever...for anything..through anything.

You dont know a real loss because its only caused when you have lost something you have loved more than yourself. Now i don't dare to live up to anybody that much

Microsoft Windows XP Service pack 3 - fake or truth?

I saw an image file of Windows XP Service pack 3 in the hostel LAN and i could not believe it until i googled it to find conflicting statements in different websites. According to Microsoft watch
service pack 3 would not be released until end of 2007 and it has been confirmed from the Microsoft site too. But according to some sites like PC Magazine it has been released and used worldwide by legitimate users and uploaded snapshots too. I am rather confused if it is some cheap trick of some hackers?? So watch out until it has been confirmed in a few days time. Ill wait and watch rather and experimenting on it and making a loss of the current system files.

Microsoft Windows XP Service pack 3 - fake or truth?

15 Dec 2007

Food travelogue - Kasturi resorts,Pune

Its not famous for anything besides being a resort and a marriage hall. Well but how long could it hide the real taste of food that it savours! We have been going there almost everyday and we still dont find it bore to go there again and again. The service is very nice there and a waiter always caters your request. they wont let you lift a thing. The ambiance is nice though the public that comes there is a bit of low profile.Maybe thats why the prices are also ok.

We tried our first chicken tikka here and we liked it so much. It had a really different taste from other chicken we had tasted so far and yet so divine. it was lovely, in fact each of the non veg dishes are too good - worth mentioning. There is also no problem of dropping in anytime unlike Saarja which closes at 4pm and opens at 7pm again! well hats off to you guys for the overall good performance you have.

Food travelogue - Saarja,Pune

Much was heard about this place of Lata Mangeskar but hardly got a chance to go until we finally tracked it down. Its a small nice restaurant cum bar.The entrance bears an elegant look with a wonderful ambiance. The ceiling were so nice, it really seemed like a mahal as someone had said. It was famous for non-veg so we tried out. It was amazingly tasty indeed. In many restaurants if you order two dishes you generally find that the gravy taste almost the same but ...sorry you will find nothing like that here. Each has got a different taste of its own and quite relishing.

Price is a bit higher than normal restaurant rates here. But its worth it. The service is also nice here and you wont be bored eating if you are a good food lover. Do take out some time and visit this place and relish the most tasty dishes of chicken & mutton.

11 Dec 2007

The Christmas Spirit

As a child, i used to wonder what i would plan for the coming Christmas and New year. No dont take me wrong..i am an Indian..it doesn't matter to me if i am a hindu or christian. But everyone can sense the spirit in the air in Christmas time. In Manipur, few people decorate Christmas trees and pack gifts as done in western world.Its not about westernizing our culture but the very thought of decorating christmas tress make me jolt in excitement. Christmas time was like a fairy tale to me..like every child would dream of Santa coming down the chimney and give me gifts and toys. I used to think that Santa does not come to Manipur or India at all.
When i grew up,realizing the fact was quite hard for me. When you come to realize something that never happened it would be a disaster. But the christmas spirit still lies in everyones heart,deep down the core...instilled in us.

And deep down my heart, i sense in me the wandering aroma of hangam thongba (cooked mustard leaves) , aloo iromba (preparation of potato with chillies), khongdrum chamfoot (bolied sweet vegetable)...... (manipuri winter dishes)
I can see paona bazar lined up with glitters, cards, chocolates, gifts..
girls roaming in groups.... guys loitering on their CBZs and Pulsars...
the restaurants are full...the traffic police are busy....
there is bug rush in bazar....old imas and aboks selling clothes and accessories...
the sunday market is open....the chilling winter freezes peoples thoughts....
even the newspapers get drenched in the morning fog...
someone ,somewhere smiles and wishpers "winter is here..and a whole new year lie ahead of me"

The winter season however can be harsh to the poor and needy people around you. So it would be a nice idea to give your old clothes and food leftovers to them. That would be the perfect christmas spirit in you. Play Santa for those poor people...its the spirit of giving that one should learn. Merry Christmas to you all

10 Dec 2007

What is fate?

You see what you wanted to see;
You hear what you wanted to hear;
You believe what you wanted to believe;
You do what you wanted to do;

Then why does life not give you what you wanted?
Why does life not happen the way you wanted it to be?
Why does life take away what you wish for?

4 Dec 2007

A Food travelogue - Kareem's, Pune

I am not a "food service specialist" yet i love to travel near and far for good food. I continue my search on good food and today i went to Kareem's in Aundh, Pune. The entry was nice with a small sign of Kareem's written on it. They had managed to run the place in a small ground floor two room restaurant with some 9/10 tables of 4 chairs each. The reception counter was on the side as well as outside for a guard, with toilets outside. The gate is wonderfully crafted on huge wooden doors like old times. It was truly a feeling of Arabians. There was glass window on one side with curtains made of colourful strings and beads, where we sat. It was hot outside so made to on the AC as we looked at the list of foods. Its a little costly than the other restaurants but i was damn sure that i would be getting quality food so tried "ghost chaamp masala". It hardly took 5 minutes to get the food served steamingly hot. It had the most wonderful taste i had ever tried in mutton, there was a slight taste of tomato in it and amazingly tasty. The quantity however was small compared with others,despite the price.

We also ordered "shahi rogan gosh" with zeera rice later on. It was also amazing recipe..though i personally prefer the earlier one. The zeera rice was too good, smelt of pure ghee. The service was too good, theres always one person watching us - what we need and all. I was about to make another serving when the waiter came and served me, i did not had to worry about anything. I was not given the chance to call them and wait for some time like it generally does in other restaurants. Maybe there were few people thats why, but still there were only 9/10 tables and i think the service must be nice even if crowded.

The interiors were designed like a cave, and the ceiling looked like it was hand crafted. There were designed cloth hanging from the ceiling that made me feel a tinge of arabian camps. I also could see the kitchen through a glass window and it was really clean and nice. the cooks had dresses with white topped hats like professionals. It was really fun and an amazing experience at Kareem's. After the lunch, we were served "meetha pan" instead of the normal "soph" and it was really nice. I happen to go to the toilet outside which was also nice. the wash basin was made of a huge brass vessel and the taps were all brass. They had pressure flush, soap etc in the toilet and clean too. In short, its a very hygienic restaurant with style and culture of Arabs.

The outside space was also nicely utilized with a small counter for reception. There were nets above so that dried twigs and leaves wont fall overhead and there was 4/5 wooden seats made of tree trunks outside for waiting. The ambience is amazing..the food is wow..You should try it out once or while. At least me and my fren would prefer eating there instead of Pizza hut.

2 Dec 2007

Blogger's itch

For a blogger, staying online and yet not writing any blogs makes him crazy about everyday things. Sometimes it makes it so hard in life that he needs to shout somewhere or tell someone else. And where can be the best place to do so but the blogs, of course. I, like a dedicated blogger feel the itch in my fingertips when i do not blog for a day or too. Sometimes i do not have time for writing blogs yet i do make it sure that i can find a topic to write on and scrap it down on the Word so that i can post it later when i am online.

Its like being insomniac, you can't sleep without writing something which you feel about in life. It may be rubbish to someone yet meaningful to him. He can understand at what juncture of life he had went through when he read his own blogs much later on. t gives him a better perspective to know more about himself and with less introspection. Contemplation at a critical moment may be hard at times and differs with one's perspective of life. Well, for me ..all i know is that i am fulfilling my heart's desire to write something down for myself. I believe that other bloggers must also be feeling the same way i do and prove me right. Hope so!

Orkuting - an evolving trend

"Orkuting" is the latest trend coming up with today's youth. There was a time when people were crazy about Mobiles and SMSes, gadgets and online messengers. In today's world, people rather prefer to be connected online rather than just getting connected via SMS or online chats. People want to have the real-time feeling rather then being just another person on this planet. Who does not know about Orkut today? Even if he doesn't access internet, he probably have heard about it from friends who already have. Today the fashion is orkuting, or scrapping on the orkut. Orkut is a well known social networking site.

What is a social networking service?
Social network service focuses on the building and verifying of online social networks for communities of people who share interests and activities, or who are interested in exploring the interests and activities of others, and which necessitates the use of software.Most social network services are primarily web based and provide a collection of various ways for users to interact, such as chat, messaging, email, video, voice chat, file sharing, blogging, discussion groups, and so on.The main types of social networking services are those which contain directories of some categories (such as former classmates), means to connect with friends (usually with self-description pages), and recommender systems linked to trust. Popular methods now combine many of these, with Myspace, Bebo and Facebook being the mostly widely used in this field.

Orkut
orkut makes it easy to find people who share your hobbies and interests, look for romantic connections or establish new business contacts. You can also create and join a wide variety of online communities to discuss current events, reconnect with old school mates or even exchange your favorite recipes.Who you interact with is entirely up to you. Before getting to know an orkut member, you can read their profile and even see how they're connected to you through the friends network.To join orkut, simply sign in with your Google Account and you can begin to create your own profile right away.

Countrywise use:
Brazil 53.52% United States 18.08% India 15.83%

1 Dec 2007

Netiquette - posting styles/ guidelines

Styles:
1. Top-posting
2. Bottom-posting
3. Inline-replying
4. Double-qouting

Top-posting:
Writing the message above the original text, when one replies to an email or a post in a newsgroup.

No problems.  6pm it is then.
Jim
At 10.01am Wednesday, Danny wrote:
> Whoa!  Hold on.  I have job scheduled at 5:30 which mails out
> a report to key tech staff.  Can you not push it back an hour?
> Danny
>
> At 9.40am Wednesday, Jim wrote:
> > I'm going to suspend the mail service for approx. thirty
> > minutes tonight, starting at 5pm, to install some updates
> > and important fixes.
> > Jim

This style of posting resembles forwarding messages with new text appended at the top:

Hello A.B. !

Here is the relevant portion of the letter that X.Z.
sent to our group, as requested.

Yours,
N.N.

On Wednesday, X.Y. wrote:
> Hi, team!
>
> Please work on portions 5 and 9 for Friday.  The customer says
> the rest isn't critical, as they mention below.
>
> Thanks,
> X.Z.
>
> On Monday, Customer wrote:
> > Dear Sir,
> >
> > We will need to have the new doohicky method implemented, as well
> > as the heffalump output.  We really need this by Friday, and if
> > your team needs to shift focus to achieve those two deliverables,
> > we can wait until afterward for the remainder of the work.
> >
> > Thank you,
> > J. Customer

In short,it looks somewhat like this:

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Bottom-posting:
The opposite of top-posting. Now the new message is placed below the original text.The reply is placed below the quote to preserve the logical order of the replies and follow the Western reading direction from top to bottom.

This is typically done when only a single portion of the previous message is being replied to; the rest of the quoted material is trimmed.

> At 9.40am Wednesday, Jim wrote:
> > I'm going to suspend the mail service for approx. thirty
> > minutes tonight, starting at 5pm, to install some updates
> > and important fixes.

At 10.01am Wednesday, Danny wrote:
> Whoa! Hold on. I have job scheduled at 5:30 which mails out
> a report to key tech staff. Can you not push it back an hour?No problems. 6pm it is then.

Scrolling down through a post to find a reply is inconvenient, especially for short replies to long messages, and many inexperienced computer users may not know that they need to scroll down to find a reply to their query. When sending an untrimmed bottom posted message, one might indicate inline replies with a notice at the top such as "I have replied below." However, as many modern mail programs are capable of displaying different levels of quotation with different colors (as seen here), this is not so much of an issue any more.

Inline replying:
Inline replies keep related sections of a discussion together within a message. As such it is easier to fork off parallel 'threads' of discussion from a single source message, each perhaps dealing with only one specific point (or subset of points) from the original.

On Thursday, Jim wrote:
> When considering the variation in style between the original
> novel and the movie adaptation, it is clear to see that
[snipped...]

Yes, but almost twenty years separates the book and the film.

> The movie clearly adds a sense of menace to the story which
> is not present in the original book.  This is unacceptable
[Darker interpretation pros and cons, trimmed...]

I agree.  The darker tone works well, once one understands the two are aimed at different audiences.

Double-qouting:
Another style involves replying in an interleaved manner to selected quotes from the original message, as described above, but then following this with a fullquote of the entire message, as if top-posting. This preserves the thread text in a single message, and also allows seeing what's being replied to in context. However this also results in some portions of the original message being quoted twice, which takes up extra space and might be considered confusing.

> Can you present your report an hour later?
Yes I can.  The report will now happen at 3pm, and the summary will be sent no later than 5pm.
Jim


At 10.01am Wednesday, Danny wrote:
> > 2.00pm: Present report
> Jim, I have a meeting at that time. Can you present your report an hour later?
>
> > 4.30pm: Send out summary of feedback
> Also if you do the above, this may need to happen later too.
> Danny
>
>
> At 9.40am Wednesday, Jim wrote:
> > My schedule for today will be:
> > 10.00am: Gather data for report
> > 2.00pm: Present report to team
> > 4.30pm: Send out summary of feedback
> > Jim

Reference: Wikipedia
Courtesy: Ringo for his mail

17 Dec 2007

16 Dec 2007

15 Dec 2007

11 Dec 2007

10 Dec 2007

4 Dec 2007

2 Dec 2007

Countrywise use:

1 Dec 2007

Disqus