This is not an April fool’s day joke dear. Its a virus which is said to hit many Pcs and takeover control over them on 1st April. The name is conficker. Prominently it targets the Microsoft Operating systems and especially Windows Xp and Vista. Conficker first bubbled up in late 2008 and began making headlines in January as known infections topped 9 million computers. Now in its third variant, Conficker C, the worm has grown incredibly complicated, powerful, and virulent… though no one is quite sure exactly what it will do when D-Day arrives. So its a suspense and we have to watch to see its vulnerabilities on 1st April.

Conficker hideously installs remote softwares on infected PC leaving insecured and allowing remote connection with head servers of the Virus. Its unpredictable that what will be the affects of this worm. But it is said to be that the virus is meant to create a botnet with help of installed malicious softwares and further it will be rented to the cyber-criminals who wish to do SPAM activities and stealing IDs and Passwords and even more.

This worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network. It even make its copy in removable USB flash memories for spreading.

Who is at risk?

If you have disabled your windows update and have old virus definitions for your antivirus, you may be at high risk. Users who do not have a genuine version of Windows from Microsoft are most at risk since pirated system usually cannot get Microsoft updates and patches.

Advice to Stay Safe from the Downadup aka Conficker Worm:

1. Run a good security suite and antiviruses such as Norton, Kaspersky.
2. Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
3. Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
4. Turn off the “autorun” feature that will automatically run programs found on memory sticks and other USB devices.
5. Be smart with your passwords. This includes

1. Change your passwords periodically
2. Use complex passwords – no simple names or words, use special characters and numbers
3. Using a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.

1. Use a passwords management system such as Identity Safe (included in Norton Internet Security and Norton 36o) to track your passwords and to fill out forms automatically.

****One symptom that may indicate you are infected is finding that your computer is blocked from accessing the web sites of most security companies.

Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day — which security researchers and ICANN simply bought and/or disabled — but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can’t be tracked and disabled by hand.

At this point, you should be extra vigilant about protecting your PC: Patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it.

Microsoft also offers a free online safety scan here, which should be able to detect all Conficker versions.

****Be safe while you surf ****

This is not a new issue of cyber-war between India and Pakistan. Whenever relations go worse they start attacking Indian computer networks and this has increased after the famous Mumbai terror attacks. This was said by the source from home ministry of India.  Already Pakistani hackers are trying out a dry run against Indian networks through popular websites registered there.

Pakistani hackers have created websites such as the www.Songs.Pk, which are infested with software to hack data from the targeted computers, sources from Home Ministry,India said.

“The website www.Songs.Pk has over 12 lakh Indian users who download stuffs like free MP3 bollywood songs and wallpapers and more from these websites on daily basis,” said a cyber expert in the Ministry.

And hence, its very true that with these sites very much popular, it will take few minutes for the hackers to get control over 12 lakh Indian user’s pc or more via means of vulnerable contents added with the downloading stuffs.
“Instead of the existing less harmful virus, new ones such as Botnet and Zoombie can be easily released into the Indian computers, which later on replicate and make the entire server vulnerable,” the expert said.

“Now a days new virus and worms are detected while downloading songs from these websites, which could be just a dry run to manage a bigger attack,” he said.

I even tried to get some more informations regarding this issue and found it true to an extend. Below is the snap-shot showing security property of a song downloaded from the site. Just have a look.

No doubt I am too an Indian and a regular user of this concerned website. Some days back this security alert was not seen in the downloaded content. But now here is the proof above with date and timings. Indian government’s websites have proved to be vulnerable in the past. ” Most of the times such cases are not reported as the servers are based in Pakistan and we cannot do anything in this regard as said by expert.

The condition may become more worst as these newly intruded viruses cannot be detected by antiviruses as their databases may not have their informations for the quick heal as its totally of new type, resulting their intrudence in our networks. So I can just say that PREVENTION IS BETTER THAN CURE. So Indian users dont download stuffs from www.songs.pk . Its better to find alternates for downloading such contents. I will be updating my blog if I come to know of more such type of vulnerable websites which may be insecure to our networks and systems.

The original Post:

http://news.in.msn.com/national/article.aspx?cp-documentid=1775303

But the question is that how much safe we are when we choose a password. We ocassionaly choose the password as the name of our girlfriend/boyfriend,vehicle numbers and so on which are really very much predictable by your near ones or even hackers who have eye on your personal online banking accounts and etc. It is really a very panic situation when we loose our passwords or our accounts are compromised.  So here I got an “interesting theory of passwords” while I was surfing on this issue. I would like to share the similar theory with you too. Just go through and if you feel any trouble while understanding, leave a comment so that I can clarify upto my knowledge regarding the topic.

Before you can easily identify what a “good” password is we should look at what a “bad” password is and why they are not good for security. An example of a bad password might be “book” which has several reasons for being considered bad:

1. It is a word that can be found in the dictionary,
2. It is a very short password,
3. It contains only letters,
4. More than one character is the same.

Two types of attack would “guess” that password in a relatively short space of time. The first of these is a dictionary attack – going through every word in the dictionary is something that is do-able, and whether it appears near the start of the dictionary or at the end it doesn’t matter as it will eventually figure it out (it’s just a matter of how long it takes). The other way it could be obtained is through brute force. Brute force is where every character combination is tried, so if we assume it’s only trying characters but tried passwords of every length from 2 characters onwards we can easily calculate the most attempts that would be needed to crack the password. For each character there are 26 combinations, and for 2 letters we would multiply it so it’d be 26 * 26 attempts. So for a 4 letter password we would have 676 + 17576 + 456976, which calculates as being 475228 attempts. It might sound a lot, but if a piece of software was guessing the password then it wouldn’t take long at all.

Increasing the complexity and length of the password makes a huge difference in how secure your password is. Using capital letters isn’t a huge benefit on it’s own as it’ll still be vulnerable to dictionary attacks, but would increase the attempts on a 2-letter password to 2704. By then adding numbers into the fold we then have a possible of 62 characters for each character of the password and so a 2 letter password would suddenly take 3844 attempts instead of 676. Adding numbers also decreases the likelihood of a dictionary attack from working, but with passwords such as 3book90 there is still a possibility that a dictionary attack would work due to the English language word being in there, but surrounded by integers.

The trick is to use a word that is not in the dictionary and to mix in integers and possibly even symbols into what you use for a password. Using a brute force algorithm on passwords with symbols only appearing on the keyboard would increase to around 96 different characters depending on your keyboard layout. With 96 different characters to choose from a brute force attack would require a maximum of 9216 attacks to correctly guess your password. When we start to increase the length of your password this increases dramatically. Consider the following table:

This can represented mathematically as x^y where x is the number of characters available, and y is the length of the password. As y is used to increase the power x it signifies that the length of the password holds greater importance than the number of different types of character that could be used in an algorithm. As proof let us consider the following example. We have our “base” measure of 26 * 26 to signify 2 characters each with the possibility of 26 characters (lower case only). If we increase the number of characters in the password by one we get 26 * 26 * 26, but if increase the number of available characters by one instead we have 27 * 27. From the table above we know a 3 character password in lower-case is 17,576 attempts, and 27 * 27 comes to 729 and hence proves the fact that password length matters more.

Saying that an 8 character password in lower-case will take 208,827,064,576 attempts though is not strictly true – if the 8 characters formed a word from the dictionary or a word in common usage then it is likely that the word could be calculated in a significantly fewer number of attempts. For example the English language contains approximately 1,000,000 words including scientific words – on top of this we can also include names and words from popular culture and it will still be an awful lot less than the attempts it would take to brute force that password. Hence the reason why it is equally important to also include a range of other characters such as numbers and symbols in your password.

Based upon this reasoning a password such as 90ge0$tationarY100 would be a very strong password. Such passwords don’t have to be hard to remember either – if you use memorable numbers either side and then think of one or more words with some letters replaced by numbers and/or symbols you will have a memorable password that is also secure due to a high number of possible characters, it being long, and not being in a dictionary. Using this example which is 18 characters in length would mean a stunning 4.76 x 10^35 (using standard notation) attempts.

If the system was to block the user after 5 failed attempts for a period of 2 hours then the likelihood of such a password being guessed is impractical. Under such a system it would only manage 60 combinations per day, 420 per week, and 21840 per year. For this password it would then take approximately 2.2 trillion trillion years at most to be cracked. Such a thing is just not feasible – it is more likely they would find a security hole in the system and gain access that way.

So hence, this article might help you to understand the theory of passwords. Better choose an uncrackable password next time.