Thursday, September 27, 2012
Wednesday, September 26, 2012
100k IEEE site Plain-Text Passwords found on Public FTP
A Romanian researcher – Radu Drăgușin found that
100000 usernames and passwords of the Institute of Electrical and
Electronics Engineers (IEEE) was stored in plaint-text on
a publicly accessible FTP server.
According to him, on Sept. 18 he first discovered a log with
usernames and passwords in plaintext, publicly available via IEEE’s FTP
server for at least a month. He informed them of his find yesterday, and
evidently the organization is addressing the issue.
On the FTP server, according Dragusin were the logfiles for the
offers and ieee.org spectrum.ieee.org – Total data to approximately 376
million HTTP requests. Including 411,308 log entries with login and
password in plain text.
Among the users who’s information was exposed are researchers at
NASA, Stanford, IBM, Google, Apple, Oracle and Samsung. IEEE’s
membership of over 340,000 is roughly half American (49.8 percent as of
2011).
“IEEE suffered a data breach which I discovered on September
18. For a few days I was uncertain what to do with the information and
the data. Yesterday I let them know, and they fixed (at least partially)
the problem. The usernames and passwords kept in plaintext were
publicly available on their FTP server for at least one month prior to
my discovery. Among the almost 100.000 compromised users are Apple,
Google, IBM, Oracle and Samsung employees, as well as researchers from
NASA, Stanford and many other places. I did not and will not make the
raw data available to anyone else.” Message posted on researcher’s site.
Source: THN
Billions of Windows Users Affects with Java Vulnerability
Researchers at Security Explorations disclosed a new vulnerability in
Java that could provide an attacker with control of a victim's
computer. The researchers have confirmed that Java SE 5 – Update 22,
Java SE 6 – Update 35, and Java SE 7 Update 7 running on fully patched
Windows 7 32-bit operating systems are susceptible to the attack.
This
Flaw allowing a malicious hackers to gain complete control of a
victim’s machine through a rigged website. The affected web browsers are
Safari 5.1.7, Opera 12.02, Chrome 21.0.1180.89, Firefox 15.0.1, and
Internet Explorer 9.0.8112.16421.
Though Oracle
released a fix for the most critical vulnerabilities reported by
Security Explorations on August 30th, the security firm quickly found
another flaw in that fix that would allow a hacker to bypass the patch.
That bug in Oracle’s patch still hasn’t been patched, leaving users
vulnerable to both the new flaw and the previous attack.
SOURCE: THN
Tuesday, September 25, 2012
iPhone 5 and 4 Hacked with same Exploit
iPhone 5 is vulnerable to the same attack that successfully breached an iPhone 4S at the mobile Pwn2Own hacker contest held this week at the EUSecWest event in Amsterdam.
As we reported that Joost Pol and Daan
Keuper won the mobile Pwn2Own contest by compromising a fully patched
iPhone 4S device and stealing contacts, browsing history, photos and
videos from the phone.The vaunted security of the iPhone (4S) took an
epic fail tumble during the event when they was able to build an exploit
for a vulnerability in WebKit to beat Apple’s code-signing features and
the MobileSafari sandbox. The same bug is present in the iOS6 Golden
Master development code base, which means iPhone 5 is also vulnerable
to the same exploit. Apple iPads and iPod Touch devices are also
vulnerable.
“We specifically chose this one because it was present in
iOS 6, which means the new iPhone coming out today will be vulnerable
to this attack,” Pol said. The duo won $30,000 for their efforts.
A good thief can hack into your personal data given enough time, we estimate that may mean a full working day of hacking.
A good thief can hack into your personal data given enough time, we estimate that may mean a full working day of hacking.
SOURCE: THN
CCNP Routing 642-902
Refer to the exhibit. When you examine the routing table of R1 and
R4, you are not able to see the R1 Ethernet subnet on the R4 routing
table. You are also not able to see the R4 Ethernet subnet on the R1
routing table. Which configuration change should be made to resolve this
issue? Select the routers where the configuration change will be
required, and select the required EIGRP configuration command(s).
(Choose two.)
A. R1 and R4
B. R2 and R3
C. ip summary-address eigrp 1 10.1.1.0 255.255.255.0 and ip summary-address eigrp 1
D. variance 2
E. eigrp stub connected
F. no auto-summary
Answer: BF
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A. R1 and R4
B. R2 and R3
C. ip summary-address eigrp 1 10.1.1.0 255.255.255.0 and ip summary-address eigrp 1
D. variance 2
E. eigrp stub connected
F. no auto-summary
Answer: BF
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
CCNP Routing 642-902
Refer to the exhibit. You are the network administrator responsible
for the NProuter, the 10.1.1.1 router, and the 10.1.1.2 router. What can
you determine about the OSPF operations from the debug output? Select
the best response.
A.The NProuter has two OSPF neighbors in the “Full” adjacency state.
B.The NProuter serial0/0 interface has the OSPF dead timer set to 10 seconds.
C.The NProuter serial0/0 interface has been configured with an OSPF network type of “point- to-point”.
D.The 10.1.1.1 and 10.1.1.2 routers are not using the default OSPF dead and hello timers setting.
E.The “Mismatched” error is caused by the expiration of the OSPF timers.
Answer: B
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A.The NProuter has two OSPF neighbors in the “Full” adjacency state.
B.The NProuter serial0/0 interface has the OSPF dead timer set to 10 seconds.
C.The NProuter serial0/0 interface has been configured with an OSPF network type of “point- to-point”.
D.The 10.1.1.1 and 10.1.1.2 routers are not using the default OSPF dead and hello timers setting.
E.The “Mismatched” error is caused by the expiration of the OSPF timers.
Answer: B
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
CCNP Routing 642-902
Refer to the exhibit. A client has asked you to consult on an eBGP
loading question. Currently the AS 100 eBGP links have an average
outbound load of 65% and 20% respectively. On further investigation,
traffic from 10.10.24.0 accounts for 45%, and 10.10.25.0 and 10.10.32.0
accounts for 20% each of the outbound load. The customer wants to spread
the load between the two eBGP links more evenly. The BGP attributes are
currently set at their default values.
If you are located at AS 100 and want to influence how AS 100 sends traffic to AS 200, what BGP attribute could you configure to cause AS 100 outbound traffic to load the eBGP links more evenly?
A. On router A, set the default local-preference to 50.
B. On router B, set the default metric to 150.
C. On router B, configure a route map for 10.10.25.0/24 with a local preference of 150 linked to neighbor 192.168.30.2.
D. On router B, set the default local-preference to 150.
Answer: C
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
If you are located at AS 100 and want to influence how AS 100 sends traffic to AS 200, what BGP attribute could you configure to cause AS 100 outbound traffic to load the eBGP links more evenly?
A. On router A, set the default local-preference to 50.
B. On router B, set the default metric to 150.
C. On router B, configure a route map for 10.10.25.0/24 with a local preference of 150 linked to neighbor 192.168.30.2.
D. On router B, set the default local-preference to 150.
Answer: C
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
Friday, September 21, 2012
CCNP Routing
Refer to the exhibit. On the basis of the configuration provided, how
are the Hello packets sent by R2 handled by R5 in OSPF area 5?
A.The Hello packets will be exchanged and adjacency will be established between routers R2 and R5.
B.The Hello packets will be exchanged but the routers R2 and R5 will become neighbors only.
C.The Hello packets will be dropped and no adjacency will be established between routers R2 and R5.
D.The Hello packets will be dropped but the routers R2 and R5 will become neighbors.
Answer: C
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A.The Hello packets will be exchanged and adjacency will be established between routers R2 and R5.
B.The Hello packets will be exchanged but the routers R2 and R5 will become neighbors only.
C.The Hello packets will be dropped and no adjacency will be established between routers R2 and R5.
D.The Hello packets will be dropped but the routers R2 and R5 will become neighbors.
Answer: C
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
CCNP Routing
What are three kinds of OSPF areas? (Choose three.)
A. stub
B. active
C. remote
D.backbone
E. ordinary or standard
Answer: ADE
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A. stub
B. active
C. remote
D.backbone
E. ordinary or standard
Answer: ADE
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
CCNP Routing
A company has a BGP network and a BGP route of 196.27.125.0/24
that should be propagated to all of the devices. The route is not now
in any of the routing tables. The administrator determines that an
access list is the cause of the problem. The administrator changes the
access list to allow this route, but the route still does not appear in
any of the routing tables. What should be done to propagate this route?
A. Clear the BGP session.
B. Use the release BGP routing command.
C. Use the service-policy command to adjust the QOS policy to allow the route to propagate.
D. Change both the inbound and outbound policy related to this route.
Answer: A
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A. Clear the BGP session.
B. Use the release BGP routing command.
C. Use the service-policy command to adjust the QOS policy to allow the route to propagate.
D. Change both the inbound and outbound policy related to this route.
Answer: A
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
Tuesday, September 18, 2012
MCITP 70-640
Your company hires 10 new employees. You want the new employees to
connect to the main office through a VPN connection. You create new user
accounts and grant the new employees they Allow Read and Allow Execute
permissions to shared resources in the main office. The new employees
are unable to access shared resources in the main office. You need to
ensure that users are able to establish a VPN connection to the main
office. What should you do?
A.Grant the new employees the Allow Access Dial-in permission.
B.Grant the new employees the Allow Full control permission.
C.Add the new employees to the Remote Desktop Users security group.
D.Add the new employees to the Windows Authorization Access security group.
Answer: A
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A.Grant the new employees the Allow Access Dial-in permission.
B.Grant the new employees the Allow Full control permission.
C.Add the new employees to the Remote Desktop Users security group.
D.Add the new employees to the Windows Authorization Access security group.
Answer: A
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
MCITP 70-640
You need to identify all failed logon attempts on the domain controllers. What should you do?
A.View the Netlogon.log file.
B.View the Security tab on the domain controller computer object.
C.Run Event Viewer.
D.Run the Security and Configuration Wizard.
Answer: C
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A.View the Netlogon.log file.
B.View the Security tab on the domain controller computer object.
C.Run Event Viewer.
D.Run the Security and Configuration Wizard.
Answer: C
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
MCITP 70-640
Your company has an Active Directory domain. The main office has a
DNS server named DNS1 that is configured with Active
Directory-integrated DNS. The branch office has a DNS server named DNS2
that contains a secondary copy of the zone from DNS1. The two offices
are connected with an unreliable WAN link.
You add a new server to the main office. Five minutes after adding the server, a user from the branch office reports that he is unable to connect to the new server. You need to ensure that the user is able to connect to the new server.
What should you do?
A.Clear the cache on DNS2.
B.Reload the zone on DNS1.
C.Refresh the zone on DNS2.
D.Export the zone from DNS1 and import the zone to DNS2.
Answer: C
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
You add a new server to the main office. Five minutes after adding the server, a user from the branch office reports that he is unable to connect to the new server. You need to ensure that the user is able to connect to the new server.
What should you do?
A.Clear the cache on DNS2.
B.Reload the zone on DNS1.
C.Refresh the zone on DNS2.
D.Export the zone from DNS1 and import the zone to DNS2.
Answer: C
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
CCNP Routing – 642-902
Which two routing protocols require a metric to be configured when redistributing routes from other protocols? (Choose two.)
A.RIP
B.OSPF
C.EIGRP
D.IS-IS
E.BGP
Answer: AC
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A.RIP
B.OSPF
C.EIGRP
D.IS-IS
E.BGP
Answer: AC
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
CCNP Routing – 642-902
A company has a BGP network and a BGP route of 196.27.125.0/24
that should be propagated to all of the devices. The route is not now
in any of the routing tables. The administrator determines that an
access list is the cause of the problem. The administrator changes the
access list to allow this route, but the route still does not appear in
any of the routing tables. What should be done to propagate this route?
A.Clear the BGP session.
B.Use the release BGP routing command.
C.Use the service-policy command to adjust the QOS policy to allow the route to propagate.
D.Change both the inbound and outbound policy related to this route.
Answer: A
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A.Clear the BGP session.
B.Use the release BGP routing command.
C.Use the service-policy command to adjust the QOS policy to allow the route to propagate.
D.Change both the inbound and outbound policy related to this route.
Answer: A
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
CCNP Routing – 642-902
Which command displays statistics on EIGRP hello, updates, queries, replies, and acknowledgments?
A. debug eigrp packets
B. show ip eigrp traffic
C. show ip eigrp topology
D. show ip eigrp neighbors
Answer: B
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
A. debug eigrp packets
B. show ip eigrp traffic
C. show ip eigrp topology
D. show ip eigrp neighbors
Answer: B
For Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
Friday, September 14, 2012
Operation Aurora - Other Zero-Day Attacks targeting finance and Energy
The infamous Aurora Trojan horse is just one of many attacks launched
by the same group of malware authors over the past three years,
according to researchers at Symantec. Security researchers with Symantec
have issued a report outlining the techniques used by the so-called
“Edgewood” hacking platform and the group behind it.
The group seemingly has an unlimited supply of zero-day vulnerabilities.
The company said that the group is well-funded and armed with more than a half-dozen unpublished security vulnerabilities. “They are definitely shifting their methodology, and there are open questions about why that is,” said Eric Chien, senior technical director for Symantec’s security response group. “They may be finding that older techniques are no longer working.”
“The number of zero-day exploits used indicates access to a high level of technical capability.”The researchers said that the group appears to favour “watering hole” attacks techniques in which the attacker profiles a targeted group and places attack code into sites which the targets are likely to visit.
Here are just some of the most recent exploits that they have used:
• Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
• Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
• Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
• Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)
Operation Aurora was a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010. In the blog post, Google said the attack originated in China.
The attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack. The attack has been aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted.
The security firm has published details in a 14-page research report titled “The Elderwood Project”. The first thing that stands out in the report is that the vast majority of detections are in the US. In the last year, Symantec detected 677 files used by the Elderwood gang in the US. Rounding out the top five is Canada with 86 files,
China with 53, Hong Kong with 31, and Australia also with 31.
SOURCE: NETASQ
The group seemingly has an unlimited supply of zero-day vulnerabilities.
The company said that the group is well-funded and armed with more than a half-dozen unpublished security vulnerabilities. “They are definitely shifting their methodology, and there are open questions about why that is,” said Eric Chien, senior technical director for Symantec’s security response group. “They may be finding that older techniques are no longer working.”
“The number of zero-day exploits used indicates access to a high level of technical capability.”The researchers said that the group appears to favour “watering hole” attacks techniques in which the attacker profiles a targeted group and places attack code into sites which the targets are likely to visit.
Here are just some of the most recent exploits that they have used:
• Adobe Flash Player Object Type Confusion Remote Code Execution Vulnerability (CVE-2012-0779)
• Microsoft Internet Explorer Same ID Property Remote Code Execution Vulnerability (CVE-2012-1875)
• Microsoft XML Core Services Remote Code Execution Vulnerability (CVE-2012-1889)
• Adobe Flash Player Remote Code Execution Vulnerability (CVE-2012-1535)
Operation Aurora was a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010. In the blog post, Google said the attack originated in China.
The attacks were both sophisticated and well resourced and consistent with an advanced persistent threat attack. The attack has been aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted.
The security firm has published details in a 14-page research report titled “The Elderwood Project”. The first thing that stands out in the report is that the vast majority of detections are in the US. In the last year, Symantec detected 677 files used by the Elderwood gang in the US. Rounding out the top five is Canada with 86 files,
China with 53, Hong Kong with 31, and Australia also with 31.
SOURCE: NETASQ
Thursday, September 13, 2012
Fedora Linux Toolbox: 1000+ Commands for Fedora, CentOS and Red Hat Power Users
Fedora Linux Toolbox: 1000+ Commands for Fedora, CentOS and Red Hat Power Users
By Christopher Negus, Francois CaenWednesday, September 12, 2012
Tuesday, September 11, 2012
CRIME : New SSL/TLS attack for Hijacking HTTPS Sessions
Two security researchers claim to have developed a new attack that
can decrypt session cookies from HTTPS (Hypertext Transfer Protocol
Secure) connections. From the security researchers who created and
demonstrated the BEAST (Browser Exploit Against SSL/TLS) tool for breaking SSL/TLS encryption comes another attack that exploits a flaw in a feature in all versions of TLS.
The new attack has been given the name CRIME by the researchers.The CRIME attack is based on a weak spot in a special feature in TLS 1.0, but exactly which that feature is has not been revealed by the researchers. They will say that all versions of TLS/SSL including TLS 1.2, on which the BEAST attack did not work are vulnerable.
Once they had the cookie, Rizzo and Duong could return to whatever site the user was visiting and log in using her credentials. HTTPS should prevent this type of session hijacking because it encrypts session cookies while in transit or when stored in the browser. But the new attack, devised by security researchers Juliano Rizzo and Thai Duong, is able to decrypt them.
The CRIME attack code, known as an agent, needs to be loaded inside the victim’s browser. This can be done either by tricking the victim into visiting a rogue website or, if the attacker has control over the victim’s network, by injecting the attack code into an existing HTTP connection.CRIME doesn’t require browser plug-ins to work; JavaScript was used to make it faster, but it could also be implemented without it, Rizzo said.
The attacker must also be able to sniff the victim’s HTTPS traffic. This can be done on open wireless networks; on local area networks (LANs), by using techniques such as ARP spoofing; or by gaining control of the victim’s home router through a vulnerability or default password. CRIME was tested successfully with Mozilla Firefox and Google Chrome.
SOURCE: NETASQ
The new attack has been given the name CRIME by the researchers.The CRIME attack is based on a weak spot in a special feature in TLS 1.0, but exactly which that feature is has not been revealed by the researchers. They will say that all versions of TLS/SSL including TLS 1.2, on which the BEAST attack did not work are vulnerable.
Once they had the cookie, Rizzo and Duong could return to whatever site the user was visiting and log in using her credentials. HTTPS should prevent this type of session hijacking because it encrypts session cookies while in transit or when stored in the browser. But the new attack, devised by security researchers Juliano Rizzo and Thai Duong, is able to decrypt them.
The CRIME attack code, known as an agent, needs to be loaded inside the victim’s browser. This can be done either by tricking the victim into visiting a rogue website or, if the attacker has control over the victim’s network, by injecting the attack code into an existing HTTP connection.CRIME doesn’t require browser plug-ins to work; JavaScript was used to make it faster, but it could also be implemented without it, Rizzo said.
The attacker must also be able to sniff the victim’s HTTPS traffic. This can be done on open wireless networks; on local area networks (LANs), by using techniques such as ARP spoofing; or by gaining control of the victim’s home router through a vulnerability or default password. CRIME was tested successfully with Mozilla Firefox and Google Chrome.
SOURCE: NETASQ
Wednesday, September 5, 2012
Wiper, the Destructive Malware possibly connected to Stuxnet and Duqu
Kaspersky Lab publishes research resulting from the digital forensic
analysis of the hard disk images obtained from the machines attacked by
the Wiper – a destructive malware program attacking computer systems
related to oil facilities in Western Asia.
Security researchers from Kaspersky Lab have uncovered information suggesting a possible link between the mysterious malware that attacked Iranian oil ministry computers in April and the Stuxnet and Duqu cyber espionage threats.
The malware wipes data from hard drives, placing high priority on those with a .pnf extension, which are the type of files Stuxnet and Duqu used, and has other behavioral similarities, according to Schouwenberg.
It also deletes all traces of itself. As a result, researchers have not been able to get a sample, but they’ve reviewed mirror images left on hard drives. Kaspersky’s researchers were not able to find the mysterious malware, which was given the name Wiper, because very little data from the affected hard disk drives was recoverable.
Even though a connection to Flame is unlikely, there is some evidence suggesting that Wiper might be related to Stuxnet or Duqu.For example, on a few of the hard drives analyzed, the researchers found traces of a service called RAHDAUD64 that loaded files named ~DFXX.tmp where XX are two random digits from the C:\WINDOWS\TEMP folder.
No one has ever found a sample of Wiper in order to study its code and determine exactly what it did to machines in Iran. According to Kaspersky, the malware’s algorithm is “designed to quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time.”
Although Flame can be updated by its creators with various modules, including conceivably a module that would destroy data, there has never been any evidence found that Flame had a module that was used to destroy data on machines or wipe out hard drives.
Source: NETASQ
Security researchers from Kaspersky Lab have uncovered information suggesting a possible link between the mysterious malware that attacked Iranian oil ministry computers in April and the Stuxnet and Duqu cyber espionage threats.
The malware wipes data from hard drives, placing high priority on those with a .pnf extension, which are the type of files Stuxnet and Duqu used, and has other behavioral similarities, according to Schouwenberg.
It also deletes all traces of itself. As a result, researchers have not been able to get a sample, but they’ve reviewed mirror images left on hard drives. Kaspersky’s researchers were not able to find the mysterious malware, which was given the name Wiper, because very little data from the affected hard disk drives was recoverable.
Even though a connection to Flame is unlikely, there is some evidence suggesting that Wiper might be related to Stuxnet or Duqu.For example, on a few of the hard drives analyzed, the researchers found traces of a service called RAHDAUD64 that loaded files named ~DFXX.tmp where XX are two random digits from the C:\WINDOWS\TEMP folder.
No one has ever found a sample of Wiper in order to study its code and determine exactly what it did to machines in Iran. According to Kaspersky, the malware’s algorithm is “designed to quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time.”
Although Flame can be updated by its creators with various modules, including conceivably a module that would destroy data, there has never been any evidence found that Flame had a module that was used to destroy data on machines or wipe out hard drives.
Source: NETASQ
Tuesday, September 4, 2012
Monday, September 3, 2012
A Linux and UNIX System Programming Handbook
The Linux Programming Interface: A Linux and UNIX System Programming Handbook
By Michael KerriskFor Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
CentOS Bible
CentOS Bible
By Christopher Negus, Timothy BoronczykFor Best CISCO/MCITP/LINUX/EXCHANGE SERVER/PC HARDWARE AND NETWORKING Training visit www.zoomgroup.com
Join us on facebook
Subscribe to:
Posts (Atom)