Security Digest ®

Tejas Patel is my name, I am a security, technology enthusiastic. I try to read and write about them:). My other blog is IT Digest

This blog is dedicated to my security related readings and study.

<< December 2018 >>
Sun Mon Tue Wed Thu Fri Sat
02 03 04 05 06 07 08
09 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31

Contact Me

If you want to be updated on this weblog Enter your email here:

rss feed

Feb 20, 2004
General Security Concepts

Now as I start reading the first chapter of my primary book and then finding extra material on the internet or on other books I have allready started to see different point of views between different authors.

Chapter 1. General Security Concepts

Information Security includes three main areas:-

1. Physical Security

2. Operational Security

3. Management & Policies

Other point of view can be found out from & other point of view which is a bit different is pointed here .


1. Physical Security:- three components of physical security

a) Securing physical location

b) Detecting a penetration or theft

c) Recovering from the theft

Some other views from the internet are mentioned at & &


2. Operational Security

Operational Security is about how things are done in an organization from a systems point of view which includes computers, networks, communication of systems and how information is managed into an organization.

It includes policies, topologies, operational issues like backups and network setups and access controls


3. Management and Policies

Management and Policies provide the rules, policies, guidelines and procedures for implementing a secured environment. The policies that are needed to secure the network are administrative, disaster recovery plans (DRP's), backup, design, information policies, Security, Usage and user management policies.

Posted at 09:45 pm by Tejas Patel
Comments (1)

Introduction to Security+ Exam

Well as for the exam, this is an entry level certification in Security Arena. The domains that will be covered are as follows:- Domain Percentage

General Concepts 30%
Communication Security 20%
Infrastructure Security 20%
Basics Of Crytography 15%
Operational/Organizational Security 15%
More dtails about the domains and the contents covered is found from Domains Objectives

Posted at 09:41 pm by Tejas Patel
Make a comment

Excellent material on Port numbers

I found an excellent site where all the all the port numbers are mentioned, which are categorised by well known ports, registered ports, and dynamic and or private ports and the link here has a detailed version. A excellent list and is very much updated. A must have knowledge for aspiring Security Professionals.

Posted at 09:40 pm by Tejas Patel
Make a comment

Merging my blogs

As you all know, I also maintain the Study Security blog, after trying to maintain it seperately for couple of months now, I thought there was no need to keep these both blogs seperately, as I post things that might be applied at both the blogs and so I decided to merge Study Security blog to Securitydigest blog. I will try to bring the important posts to this blog from the other one.

Tejas Patel

Posted at 09:34 pm by Tejas Patel
Make a comment

Microsoft advices users to move to IE 6 with SP1

After the Microsoft OS code got leaked before few days (only partial), somebody after going through the code found bugs in the code and got the news around, Microsoft became alert and is not telling the users of Old IE to the latest version ( I Know guys, some of you guys might be thinking that was'nt this Microsoft's plan anyway) but looking at the positive side just think of upgrading to IE 6, those users will have more features, more security and will be using the latest version as well.

Security News Portal reports more on this.

Posted at 12:35 pm by Tejas Patel
Make a comment

Feb 13, 2004
eEye® Digital Security Uncovers Dangerous Vulnerabilities in Microsoft Windows ASN

Two critical security flaws were announced this week pertaining to Microsoft's ASN library. These vulnerabilities could significantly impact network security worldwide.

Systems Affected
All current versions of Microsoft Windows (e.g. Windows NT, XP, 2000) and Windows Server 2003.

Potential Impact
The ASN vulnerabilities uncovered by eEye could allow an attacker to overwrite heap memory with data, causing the execution of arbitrary code. These flaws can both be detected and exploited remotely and have the capability to cause serious damage if not immediately resolved. Since the ASN library is widely used by Windows security subsystems, the vulnerability is exposed through an array of authentication protocols. This makes these vulnerabilities more dangerous than previous flaws that spawned Nimda, Code Red and Sapphire worms. eEye and Microsoft have released detailed advisories to alert and inform Windows users of the need to immediately remediate vulnerable machines on their networks.

Severity: High (Remote Code Execution)
Because the ASN library is an industry standard used by Windows security subsystems, the vulnerability is exposed through several avenues, including Kerberos, NTLMv2 authentication, and applications that make use of certificates (SSL, digitally-signed email, signed ActiveX controls, etc.). This means that every Windows machine is vulnerable, unless it has been patched.


Protecting Against These Vulnerabilities
The most effective way to protect vulnerable systems is to apply the hotfix released by Microsoft. The hotfix remediates both vulnerabilities, and can be found here:

Retina® Network Security Scanner
Retina has been updated to check for the ASN.1 vulnerabilities. These checks are included in Retina versions 4.9.165 and higher. The following are the related vulnerability audits:

ASN.1 Vulnerability Could Allow Code Execution - NT4

ASN.1 Vulnerability Could Allow Code Execution - 2000

ASN.1 Vulnerability Could Allow Code Execution - XP

ASN.1 Vulnerability Could Allow Code Execution - 2003
Additional Information: eEye Security Bulletins
Microsoft ASN.1 Library Length Overflow Heap Corruption

Microsoft ASN.1 Library Bit String Heap Corruption

Posted at 04:09 am by Tejas Patel
Make a comment

Feb 4, 2004
Some more info about MyDoom

Just after posting my previous post, Cass from Security-forums linked me to other articles and here is some more analysed info on My.Doom. Could not find the direct link, might be it is dead allready, so had to find a cached copy on Google, here is goes.

Refuting tall-tales and stories about the Mydoom.A and the Mydoom.B worms
30th of January, 2004.


- Preface.
- Does Mydoom infect the BIOS?
- The author signed his name - AU.
- Key-logger.
- Hackers are en masse looking for the infected systems!
- The creators of Mydoom MUST be spammers!
- The DoS attack against SCO never happens, it's a PR trick against the
open-source community!
[including a time table for the attack]
- Email message from Joe Stewart about the DoS component of the worm.


There are several tall-tales, claims and rumors regarding the Mydoom
worms which are simply not true.

This document is a summary of information about the Mydoom worms, and
it updates

Here's what we have to say about them.

You can find this document at:

Does Mydoom infect the BIOS?

No. It doesn't.

The author signed his name - AU

In a HEX editor, it might look like the author signed his name.

It is not true.


00 08 87 77 77 78 80 00 00 78 FF FF 88 87 70 00 ...wwx...x....p.
00 78 F7 8F FF FF 78 00 00 78 FF FF FF FF 78 00 .x....x..x....x.
00 78 F7 77 78 FF 78 00 00 78 FF FF FF FF 78 00 .x.wx.x..x....x.
00 78 F7 77 78 FF 78 00 00 78 FF FF FF FF 78 00 .x.wx.x..x....x.
00 78 F7 77 8F FF 78 00 00 78 FF FF FF FF 78 00 .x.w..x..x....x.
00 78 FF FF FF FF 78 00 00 78 7F 7F 7F 7F 78 00 .x....x..x....x.
00 87 73 87 87 87 80 00 00 07 B3 3B 7B 77 80 00 ..s........;{w..

We believe this is the NotePad look-alike ICON of the worm.

This only works if your HEX editor uses 16-byte rows. For instance,
if you use 24 byte rows, its:

00 08 87 77 77 78 80 00 00 78 FF FF 88 87 70 00 00 78 F7 8F FF FF 78 00 ...wwx...x....p..x....x.
00 78 FF FF FF FF 78 00 00 78 F7 77 78 FF 78 00 00 78 FF FF FF FF 78 00 .x....x..x.wx.x..x....x.
00 78 F7 77 78 FF 78 00 00 78 FF FF FF FF 78 00 00 78 F7 77 8F FF 78 00 .x.wx.x..x....x..x.w..x.
00 78 FF FF FF FF 78 00 00 78 FF FF FF FF 78 00 00 78 7F 7F 7F 7F 78 00 .x....x..x....x..x....x.


For some unknown reason, people seem to believe that either Mydoom.A
or Mydoom.B have a key-logger component embedded in them.

That is simply not true. We can not provide with proof or evidence of
this because one simply does not exist that we could find.

There is an option with Mydoom.A and Mydoom.B to upload and execute
files through the backdoor in the worm.

With Mydoom.A you can upload and execute whatever you like, even a tool
to remove the worm itself from the infected machine, as Rolf Rolles

In Mydoom.B you can upload only two files, which are then verified by
file size and an MD5 checksum to make sure the file you are uploading
is one of the two.

There can be many reasons as to why this was done, but basically -
leave control of the worm in the creator's hands.

It is more than plausible to believe that the author saw this failing
in Mydoom.A and released Mydoom.B, which scans for and updates Mydoom.A.

This works much like the Borg, like someone I know said:
"We are the Borg. You will be assimilated".

What are the two files?

Your guess is as good as mine, but we believe that they are probably
two of the three:
1. A backdoor Trojan horse designed to be uploaded through the port the
worm opens.
2. The next version of the worm - Mydoom.C.
3. A removal tool that can be uploaded and executed if anything went

Hackers are en masse looking for the infected systems!

It is true that script-kiddies would be interested in finding infected
machines, but -
1. There is usually a lag-time between when a new security issue appears
and the kiddies start mass-scanning the Internet for it.
2. Hackers can find infected users just looking at their incoming emails.
3. Mydoom.B scans for Mydoom.A, so if anyone reports seeing thousands of
scans for Mydoom.A, it is probably mostly Mydoom.B doing what it was
programmed to do.

The creators of Mydoom MUST be spammers!

Is it possible? Yes.

Is it true? Is it a statement of fact?


Although spammers take a significantly higher role with Trojan horses
and worms these days (which is a fact), there is _no_ *proof* as to
their involvement with this worm.

Mass-mailing worms can help spammers in different ways to accomplish
their own nefarious purposes. This worm performs a denial of service
attack on and, which makes no real sense if you
are a spammer.

One could claim the attack only lasts 12 days and that maybe it is
there to draw attention away from their objectives, but that would
be a plain and simple conspiracy theory.

Conspiracy theories arise when you do not have enough proof to say
something is happening for real.

We have absolutely no proof spammers are involved. It is quite
*possible* that they are.

The DoS attack against SCO never happens, it's a PR trick against the
open-source community!

We have no idea what SCO's PR is or if there is a conspiracy against
the open-source community.

Let me tell you what we do know.

1. The DoS attack does happen (see email message from Joe Stewart
2. It takes a few reboots of the machine to *make* it happen.
3. 100% of computers can perform the DoS attack, but
must be started within a window that spans only 25% of the time.

The timeline is approximately 2 minutes on, 5 minutes off; lather,
rinse, repeat.

You can find a time table for when the DDoS attack will happen, as
calculated by a C program Joe Stewart wrote at:

Mydoom.B has a timeline too, but it can't be predicted as definitely
because of an extra random check.


Information from Joe Stewart with answers about the DoS attack:

Here's why people have been getting inconsistent results when
setting the system date forward and looking for the DoS attack to

Beginning of DDoS date check subroutine:


; callCreateSCOddos

Get the current system time as a FILETIME struct:

4A3DBA CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>]

Convert the stored DoS start date from SystemTime to FileTime:

4A3DC7 ADD EAX,214


; Feb 1, 2004
4A3DCD CALL DWORD PTR DS:[<&KERNEL32.SystemTimeToFileTime>]

Compare high-order dword dwHighDateTime:


Compare low-order dword wLowDateTime:


Start the DoS:


; DoS_Loop
4A3DE8 PUSH 400

; skipDos

>From MSDN:
The FILETIME structure is a 64-bit value representing the
number of 100-nanosecond intervals since January 1, 1601 (UTC).

typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;

The stored starttime as filetime is:

Because the dwords are compared independently, the DoS will not start
anytime the current dwLowDateTime is less than 0xbe9ecb00, no matter
what the dwHighDateTime is. Obviously, this is close to three-quarters
of the time.


Joe Stewart, GCIH
Senior Security Researcher

Gadi Evron -

We would like to thank Joe Stewart and Rolf Rolles for their
contributions to this text.

Posted at 11:06 am by Tejas Patel
Make a comment

Undocuemented information on MyDoom

Independent researcher "Juari Bosnikovich"i> comes out with his research on virus Mydoom. This is what he writes in his email

"When I disassembled the virus I found new information that haven't came up
anywhere else to this time.

Here is the information that is beleived...

1. use restricted usernames to send email to and from
2. encode strings with ROT13 method
3. create a mutex called 'SwebSipcSmtxSO' when ran
4. transform in taskmon.exe and
4.1 add [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = %sysdir%\taskmon.exe
4.2 add [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskMon" = %sysdir%\taskmon.exe
5. add %sysdir%\shimgapi.dll
open ports 3127/tcp - 3198/tcp
6. stops spreading febuary 12
7. spreads through KaZaA and Electronic Mail System
8. and more very technical fact i will not describe here

What I found...

Even if the virus (Mydoom) is programmed in assembler and compiled
using masm it is made to look like it has been programmed in C++ when
disassembling. It is a fact that many more information are hidden and
undiscovered to this date such as the fact that it will stop spreading on
febuary 12 which is not true. Mydoom will pass in a new phase upon febuary
12 and it will be very much more serious as it will be updated and will
mutate in Mydoom.C. The backdoor (shimgapi.dll) is open a port but this is
used to obscur the real intention of Mydoom.B as well as Outlook express.

It was also unknown that the virus infects the BIOS of the computer it
infects by injecting a 624bytes backdoor written in FORTH which will open
port tcp when Mydoom will be executed AFTER febuary 12.

It is a conclusion that the viral professionals that published diagnosis
of the Mydoom.A virus are trying to hide something or are very

Also there are no way to fix the virus that is injected in the BIOS after
it has been infected except from flashing it AFTER disinfecting the
workstation that was infected.

Juari Bosnikovich"

Jan 29, 2004
Virus Writers are getting a bit more smarter than the PC users

Well lot of saying and reading is going on about 'MyDoom' virus, I never got the information about how it goes on affecting the PC's and how it enters the PC after getting into email attachments (may be I did not read the things extensively).

Now this new virus infects Microsoft PC's and the main intention apart from infecting PC's is to attach SCO's website on Feb. 1st 2004. When a user clicks on email attachment , the user will face some kind of System error saying "Error" or "Server Report" and messages in the body such as "Mail transaction failed. Partial message is available.". The user clicks 'OK' and that's it, the virus is spreading throughout the organisation and than on the Net. It selects a user from your addressbook and than send it to other users so that it looks that the attachment is from some known person.

The antidote is available throughout the Internet so I won't be putting links. But now to justify the subject of this blurb, I said this becuase before some viruses used to fool users by luring them to click a window showing them porn websites, free software and movies, but now which novice user will think that the system error is infact a virus!!!

Posted at 01:16 pm by Tejas Patel
Make a comment

Jan 27, 2004
Beaware of W32/Mydoom@MM

This is spreading like anything and close your Kazaa for the time being.

More info @

Watch out for it.

Posted at 10:22 pm by Tejas Patel
Make a comment

Next Page