Dot Net Interview Questions

Friday, October 29, 2010

Question: What do you mean by SharePoint Portal?
Answer:
SharePoint Portal Server 2003 mainly provides access to crucial business information and applications. With SharePoint Portal Server we can share information between public folders, databases, file servers and websites based on Windows Server 2003. SharePoint Portal is integrated with MS Access and Windows servers, so we get a wide range of document management functionality. We can also create a full-featured portal with ready-made navigation and structure.

Question: What is cross-page posting in ASP.NET 2.0?
Answer:
To post data from one page to another we used to use the Server.Transfer method, where the URL stays the same. Cross-page posting is a little different: a normal postback is done, but in the target page we can access the values of the server controls on the source page. It is quite simple: we only have to set the PostBackUrl property of a Button, LinkButton or ImageButton, which specifies the target page. In the target page we can use the PreviousPage property, and we have to use the @PreviousPageType directive. We can access a control of the PreviousPage with the FindControl method. When we set the PostBackUrl property, the ASP.NET framework binds the HTML and JavaScript function automatically.

Question: How do you start Outlook or a Notepad file from ASP.NET code?
Answer:
Here is the syntax to open Outlook or Notepad from ASP.NET.
VB.NET:
Process.Start("Notepad.exe")
Process.Start("msimn.exe")
C#:
System.Diagnostics.Process.Start("msimn.exe");
System.Diagnostics.Process.Start("Notepad.exe");
Note that Process.Start launches the program on the web server, under the identity the application runs as, not on the visitor's machine.

Question: What is the purpose of IIS?
Answer:
IIS (Internet Information Services) is a powerful web server that helps us create a highly reliable, scalable and manageable infrastructure for web applications running on Windows Server 2003. IIS helps developers increase web site and application availability while lowering system administration costs. It also runs on Windows NT/2000 and later versions. With IIS, Microsoft includes a set of programs for building and administering web sites, a search engine, and support for writing web-based applications that access databases. IIS is also called an HTTP server, since it processes the HTTP request and returns the HTTP response.

Question: What is the main difference between GridLayout and FormLayout?
Answer:
GridLayout provides absolute positioning of every control placed on the page. It is easier to develop a page with absolute positioning because a control can be placed anywhere according to our requirement. FormLayout is a little different; only experienced web developers use it, and one reason is that it works for a wider range of browsers. With absolute positioning we notice a number of DIV tags, but in FormLayout the whole layout is done through tables.

Question: How does Visual SourceSafe help us?
Answer:
It is one of the powerful tools provided by Microsoft to keep the file system up to date. It keeps a record of file history: once we add files to SourceSafe they are added to a database, and the changes made by different users to these files are maintained in the database, so we can get older versions of the files too. It also helps in sharing and merging files.

Question: Can you define what SharePoint is and give an overview of it?
Answer:
SharePoint helps workers create powerful personalized interfaces simply by dragging and dropping pre-defined Web Part components. These Web Part components also help non-programmers get the information they care about and customize the appearance of web pages. To understand it, take an example: one Web Part might display a user's information, another might create a graph showing current employee status, and a third might show a list of employee salaries. It is also possible for each function to have a link to a video or audio presentation. Developers can create these Web Part components and make them available to SharePoint users.

Question: What is the difference between a WebUserControl and a WebCustomControl?

Answer: Web user controls: a Web User Control is easier to create, but its support is limited for users who use a visual design tool. It contains a static layout, and a separate copy is required for each application.
Web custom controls: a Web Custom Control is more difficult to create but good for dynamic layout. It has full tool support for the user, and a single copy of the control is required because it is placed in the Global Assembly Cache.

Question: What is a sandbox in SQL Server, and what are the permission levels in SQL Server?
Answer: A sandbox is a place where we run programs or scripts created by a third party. There are three types of sandbox in which user code runs.
Safe Access Sandbox: here we can only create stored procedures, triggers, functions, data types etc., but we do not have access to memory, disk etc.
External Access Sandbox: we can access file systems outside the box. We cannot play with threading, memory allocation etc.
Unsafe Access Sandbox: here we can write unreliable and unsafe code.

Question: How many types of cookies are there in .NET?
Answer:
Two types of cookies.
a) Single-valued, e.g.
request.cookies("UserName").value = "dotnetquestion"
b) Multi-valued cookies. These are used the way collections are used, for example:
request.cookies("CookieName")("UserName") = "dotnetquestionMahesh"
request.cookies("CookieName")("UserID") = "interview"

Question: When do we get the error 'HTTP 502 Proxy Error'?
Answer:
We get this error when we run ASP.NET web pages in the Visual Web Developer web server, because the URL uses a randomly selected port number, and proxy servers do not recognize the URL and return this error. To resolve the problem, change the settings in Internet Explorer to bypass the proxy server for local addresses, so that the request is not sent to the proxy.

Question: What do you mean by three-tier architecture?
Answer: The three-tier architecture came into existence to improve the management of code and content and to improve the performance of web-based applications. There are three layers in a three-tier architecture, defined as follows:

(1) Presentation
(2) Business Logic
(3) Database

(1) The first layer, Presentation, contains mainly the interface code, which is shown to the user. This code can use any technology that runs on the client side, such as HTML, JavaScript or VBScript.

(2) The second layer, Business Logic, contains all the server-side code. This layer has the code to interact with the database: to query and manipulate data, pass it to the user interface, and handle any input from the UI as well.

(3) The third layer, Data, represents the data store, such as MS Access, SQL Server, an XML file, an Excel file or even a text file containing data; additional databases can also be added to this layer.

Question: What is a finalizer in .NET? Define Dispose and Finalize.
Answer:
Finalizers are methods that help run cleanup code before an object is garbage collected; the process is called finalization. There are two finalizer methods, Dispose and Finalize, and there is a small difference between them.
When we call the Dispose method, it releases all the resources held by an object as well as all the resources held by the parent object; Dispose cleans up managed as well as unmanaged resources.
The Finalize method also cleans up resources, but it clears only the unmanaged resources, because during finalization the garbage collector clears all the objects held by managed code. To prevent finalization from running as well, one method is used: GC.SuppressFinalize.

Question: What is late binding?
Answer:
Late binding is when code interacts with an object dynamically at run time, because our code does not care what type of object it is interacting with or which methods the object supports. The type of the object is not known by the IDE or compiler, so no IntelliSense or compile-time syntax checking is possible, but we get unprecedented flexibility in exchange. If we enable strict type checking with Option Strict On at the top of our code modules, the IDE and compiler enforce early binding behaviour. By default, late binding is done.

Question: Do the .NET CLR and SQL Server run in different processes?
Answer:
The .NET CLR, all .NET-related applications and SQL Server run in the same process, or we can say in the same address space, so there is no speed issue. If these two ran in different processes there could be a speed issue: one process might go fast and the other slow, which could create a problem.

Question: What are the IHttpHandler and IHttpHandlerFactory interfaces?
Answer:
The IHttpHandler interface is implemented by all handlers. The interface consists of one property, IsReusable, and one method, ProcessRequest(). The IsReusable property gets a value indicating whether another request can use the IHttpHandler instance. The ProcessRequest() method allows you to process the current request; this is the core place where all your code goes. It receives a parameter of type HttpContext, through which you can access the intrinsic objects such as Request and Response. The IHttpHandlerFactory interface consists of two methods, GetHandler and ReleaseHandler. GetHandler() instantiates the required HTTP handler based on some condition and returns it to ASP.NET. ReleaseHandler() allows the factory to reuse an existing handler.

Question: What is ViewState?
Answer:
View state is used by the ASP.NET page framework to automatically save the values of the page and of each control just prior to rendering to the page. When the page is posted, one of the first tasks performed by page processing is to restore view state.
State management is the process by which you maintain state and page information over multiple requests for the same or different pages.

The future of SCTP

Wednesday, October 27, 2010

SCTP is a relatively new protocol, considering that it became an RFC in October 2000. Since then, it has found its way into all major operating systems, including GNU/Linux, BSD, and Solaris. It's also available for the Microsoft® Windows® operating systems as a third-party commercial package.

Along with availability, applications will begin to use SCTP as their primary transport. Traditional applications such as FTP and HTTP have been built on the features of SCTP. Other protocols are using SCTP, such as the Session Initiation Protocol (SIP) and the Common Channel Signaling System No. 7 (SS7). Commercially, you can find SCTP in Cisco's IOS.

With the inclusion of SCTP into the 2.6 Linux kernel, it's now possible to build and deploy highly available and reliable networked applications. As an IP-based protocol, SCTP is a seamless replacement for TCP and UDP but also extends new services, such as multi-homing, multi-streaming, and increased security. Now that you've seen some of the high-level features of SCTP, explore its other capabilities. The Linux Kernel SCTP project (lksctp) provides API extensions and documentation that will help you on your way.

Better networking with SCTP

The Stream Control Transmission Protocol combines advantages from both TCP and UDP

The Stream Control Transmission Protocol (SCTP) is a reliable transport protocol that provides stable, ordered delivery of data between two endpoints (much like TCP) and also preserves data message boundaries (like UDP). However, unlike TCP and UDP, SCTP offers such advantages as multi-homing and multi-streaming capabilities, both of which increase availability. In this article, get to know the key features of SCTP in the Linux® 2.6 kernel and take a look at the server and client source code that shows the protocol's ability to deliver multi-streaming.

SCTP is a reliable, general-purpose transport layer protocol for use on IP networks. While the protocol was originally designed for telephony signaling (under the RFC 2960), SCTP provided an added bonus -- it solved some of the limitations of TCP while borrowing beneficial features of UDP. SCTP provides features for high availability, increased reliability, and improved security for socket initiation. (Figure 1 shows the layered architecture of the IP stack.)


Figure 1. Layered architecture of the IP stack

This article introduces the concept of SCTP in the Linux 2.6 kernel, highlights some of the advanced features (such as multi-homing and -streaming), and provides server and client source code snippets (with a URL to more code) to demonstrate the protocol's ability to deliver multi-streaming.

Let's start with an overview of the IP stack.

The IP stack

The Internet protocol suite is split into several layers; each layer provides specific functionality as shown in Figure 1.

Starting from the bottom:

  • The link layer provides the physical interface to the communication medium (such as an Ethernet device).
  • The network layer manages the movement of packets in a network, specifically making sure packets get to their destination (also called routing).
  • The transport layer regulates the flow of packets between two hosts for the application layer. It also presents the application endpoint for communication, known as a port.
  • Finally, the application layer provides meaning to the data transported through the socket. This data could consist of e-mail messages using the Simple Mail Transport Protocol (SMTP) or Web pages rendered through the Hypertext Transport Protocol (HTTP).

All application layer protocols use the sockets layer as their interface to the transport layer protocol. The Sockets API was developed at UC Berkeley within the BSD UNIX® operating system.

Now for a quick refresher on traditional transport layer protocols before we dive into the workings of SCTP.

The transport layer protocols

The two most popular transport layer protocols are the transmission control protocol (TCP) and the user datagram protocol (UDP):

  • TCP is a reliable protocol that guarantees sequenced, ordered delivery of data and manages congestion within a network.
  • UDP is a message-oriented protocol that neither guarantees ordering of delivery nor manages congestion.

However, UDP is a fast protocol that preserves the boundaries of the messages it transports.

This article presents another option: SCTP. It provides the reliable, ordered delivery of data like TCP but operates in the message-oriented fashion like UDP, preserving message boundaries. SCTP also provides several advanced features:

  • Multi-homing
  • Multi-streaming
  • Initiation protection
  • Message framing
  • Configurable unordered delivery
  • Graceful shutdown

Key features of SCTP

The two most important enhancements in SCTP over traditional transport layer protocols are the end-host multi-homing and multi-streaming capabilities.

Multi-homing

Multi-homing provides applications with higher availability than those that use TCP. A multi-homed host is one that has more than one network interface and therefore more than one IP address for which it can be addressed. In TCP, a connection refers to a channel between two endpoints (in this case, a socket between the interfaces of two hosts). SCTP introduces the concept of an association that exists between two hosts but can potentially collaborate with multiple interfaces at each host.

Figure 2 illustrates the difference between a TCP connection and an SCTP association.


Figure 2. TCP connection vs. an SCTP association

At the top is a TCP connection. Each host includes a single network interface; a connection is created between a single interface on each of the client and server. Upon establishment, the connection is bound to each interface.

At the bottom of the figure, you can see an architecture that includes two network interfaces per host. Two paths are provided through the independent networks, one from interface C0 to S0 and another from C1 to S1. In SCTP, these two paths would be collected into an association.

SCTP monitors the paths of the association using a built-in heartbeat; upon detecting a path failure, the protocol sends traffic over the alternate path. It's not even necessary for the applications to know that a failover recovery occurred.

Failover can also be used to maintain network application connectivity. For example, consider a laptop that includes a wireless 802.11 interface and an Ethernet interface. When the laptop is in its docking station, the higher-speed Ethernet interface would be preferred (in SCTP, called the primary address); but upon loss of this connection (removal from the docking station), connections would be failed over to the wireless interface. Upon return to the docking station, the Ethernet connection would be detected and communication resumed over this interface. This is a powerful mechanism for providing high availability and increased reliability.

Multi-streaming

In some ways, an SCTP association is like a TCP connection except that SCTP supports multiple streams within an association. All the streams within an association are independent but related to the association (see Figure 3).


Figure 3. Relationship of an SCTP association to streams

Each stream is given a stream number that is encoded inside SCTP packets flowing through the association. Multi-streaming is important because a blocked stream (for example, one awaiting re-transmission resulting from the loss of a packet) does not affect the other streams in an association. This problem is commonly referred to as head-of-line blocking. TCP is prone to such blocking.

How can multiple streams provide better responsiveness in transporting data? For example, the HTTP protocol shares control and data over the same socket. A Web client requests a file from a server, and the server sends the file back over the same connection. A multi-streamed HTTP server would provide better interactivity because multiple requests could be serviced on independent streams within the association. This functionality would parallelize the responses, and while not potentially faster, would simultaneously load the HTML and graphics images, providing the perception of better responsiveness.

Multi-streaming is an important feature of SCTP, especially when you consider some of the control and data issues in protocol design. In TCP, control and data typically share the same connection, which can be problematic because control packets can be delayed behind data packets. If control and data were split into independent streams, control data could be dealt with in a more timely manner, resulting in better utilization of available resources.
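The head-of-line blocking described above, modelled as an added example (this is not the article's code): a TCP-style receiver with a single sequence space next to an SCTP-style receiver that reassembles each stream on its own stream sequence number. The packet fields mimic SCTP's TSN (global) and SSN (per stream); the traffic and the dropped packet are constructed.

```python
"""Head-of-line blocking: one shared sequence space (TCP-like) versus
per-stream sequence numbers (SCTP-like). Added example; not code from the
article. Packet fields mimic SCTP's TSN (global) and SSN (per stream)."""

from collections import defaultdict


def build_packets(messages):
    """Assign a global sequence (tsn) and a per-stream sequence (ssn) to
    each (stream, data) message, in send order."""
    packets = []
    next_ssn = defaultdict(int)
    for tsn, (stream, data) in enumerate(messages):
        packets.append({"tsn": tsn, "stream": stream,
                        "ssn": next_ssn[stream], "data": data})
        next_ssn[stream] += 1
    return packets


def deliver_single_sequence(packets, lost_tsns):
    """TCP-like receiver: delivery stops at the first missing sequence
    number, so every later packet waits, whatever stream it belongs to."""
    arrived = {p["tsn"]: p for p in packets if p["tsn"] not in lost_tsns}
    delivered, expected = [], 0
    while expected in arrived:
        p = arrived[expected]
        delivered.append((p["stream"], p["data"]))
        expected += 1
    return delivered


def deliver_per_stream(packets, lost_tsns):
    """SCTP-like receiver: each stream is reassembled on its own SSN, so a
    gap in one stream leaves the others unaffected."""
    arrived = defaultdict(dict)
    for p in packets:
        if p["tsn"] not in lost_tsns:
            arrived[p["stream"]][p["ssn"]] = p["data"]
    delivered = []
    for stream in sorted(arrived):
        expected = 0
        while expected in arrived[stream]:
            delivered.append((stream, arrived[stream][expected]))
            expected += 1
    return delivered


# Constructed traffic: control messages on stream 0, bulk data on stream 1.
SAMPLE = build_packets([(0, "ctl-0"), (1, "data-0"), (0, "ctl-1"),
                        (1, "data-1"), (1, "data-2")])
LOST = {2}  # the packet carrying "ctl-1" is dropped on the wire

if __name__ == "__main__":
    print("single sequence:", deliver_single_sequence(SAMPLE, LOST))
    print("per stream:     ", deliver_per_stream(SAMPLE, LOST))
```

With the loss of TSN 2, the single-sequence receiver hands up only the first two messages and holds back the three that arrived after the gap; the per-stream receiver stalls stream 0 alone and delivers all of stream 1.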

Initiation protection

Initiating a new connection in TCP and SCTP occurs with a packet handshake. In TCP, it's called a three-way handshake. The client sends a SYN packet (short for Synchronize), to which the server responds with a SYN-ACK packet (Synchronize-Acknowledge). Finally, the client confirms receipt with an ACK packet (see Figure 4).


Figure 4. The packet exchanges for the TCP and SCTP handshake

The problem that can occur with TCP is when a rogue client forges an IP packet with a bogus source address, then floods a server with TCP SYN packets. The server allocates resources for the connections upon receipt of the SYN, then under a flood of SYN packets, eventually runs out and is unable to service new requests. This is called a Denial of Service (DoS) attack.

SCTP protects against this type of attack through a four-way handshake and the introduction of a cookie. In SCTP, a client initiates a connection with an INIT packet. The server responds with an INIT-ACK, which includes the cookie (a unique context identifying this proposed connection). The client then responds with a COOKIE-ECHO, which contains the cookie sent by the server. At this point, the server allocates the resource for the connection and acknowledges this by sending a COOKIE-ACK to the client.

To solve the problem of delayed data movement with the four-way handshake, SCTP permits data to be included in the COOKIE-ECHO and COOKIE-ACK packets.
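The four-way handshake above, as an added example that is not the article's code: a server that keeps no state for an INIT and allocates the association only after a COOKIE-ECHO carries a cookie it can authenticate. The cookie layout (client address, port, both tags, a timestamp, an HMAC-SHA256 tag) and the 60-second lifetime are my assumptions; RFC 2960 leaves the cookie format to the implementation, and the lksctp code is not shown here.

```python
"""Model of SCTP's four-way handshake with a stateless cookie. Added example
written for this page; the cookie layout (address, port, tags, timestamp,
HMAC-SHA256) and the 60 s lifetime are my assumptions, not the lksctp
implementation, which RFC 2960 leaves to the stack."""

import hashlib
import hmac
import os
import struct
import time

_BODY = struct.Struct("!4sHIIQ")   # client ip, port, client tag, server tag, timestamp
_MAC_LEN = hashlib.sha256().digest_size


def _ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


class CookieServer:
    """Keeps no state for an INIT; allocates an association only after a
    COOKIE-ECHO that carries a valid cookie."""

    def __init__(self, secret=None, lifetime=60.0, clock=time.time):
        self.secret = secret or os.urandom(32)   # never leaves the server
        self.lifetime = lifetime
        self.clock = clock
        self.associations = {}
        self.init_count = 0

    def handle_init(self, src_ip, src_port, client_tag):
        """INIT -> INIT-ACK. Everything needed later is inside the cookie."""
        self.init_count += 1
        server_tag = struct.unpack("!I", os.urandom(4))[0]
        body = _BODY.pack(_ip_bytes(src_ip), src_port, client_tag, server_tag,
                          int(self.clock()))
        mac = hmac.new(self.secret, body, hashlib.sha256).digest()
        return {"type": "INIT-ACK", "cookie": body + mac}

    def handle_cookie_echo(self, src_ip, src_port, cookie):
        """COOKIE-ECHO -> COOKIE-ACK, or None if the cookie is not ours,
        was minted for another address, or has expired."""
        if len(cookie) != _BODY.size + _MAC_LEN:
            return None
        body, mac = cookie[:_BODY.size], cookie[_BODY.size:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return None
        ip, port, client_tag, server_tag, issued = _BODY.unpack(body)
        if ip != _ip_bytes(src_ip) or port != src_port:
            return None
        if self.clock() - issued > self.lifetime:
            return None
        self.associations[(src_ip, src_port)] = {"peer_tag": client_tag,
                                                 "my_tag": server_tag}
        return {"type": "COOKIE-ACK", "verification_tag": client_tag}


def client_handshake(server, ip, port, tamper=False):
    """Honest client: INIT, then echo the cookie back (optionally corrupted)."""
    client_tag = struct.unpack("!I", os.urandom(4))[0]
    cookie = server.handle_init(ip, port, client_tag)["cookie"]
    if tamper:
        cookie = cookie[:-1] + bytes([cookie[-1] ^ 0x01])
    return server.handle_cookie_echo(ip, port, cookie)


def spoofed_init_flood(server, count):
    """INITs with forged sources never produce a COOKIE-ECHO (the INIT-ACK
    goes to the forged address); returns how many associations the server
    holds afterwards. Addresses are constructed from a documentation range."""
    for i in range(count):
        server.handle_init("203.0.113.%d" % (i % 254 + 1), 40000 + i, i)
    return len(server.associations)
```

The point to check is where memory is allocated: `handle_init` writes nothing into `associations`, so a flood of INITs costs the server one HMAC each and no table entries, while a cookie echoed from a different address, a modified cookie, or one older than its lifetime is rejected before any state is created.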

Message framing

With message framing, the boundaries in which messages are communicated through a socket are preserved; this means that if a client sends 100 bytes to a server followed by 50 bytes, the server will read 100 bytes and 50 bytes, respectively, for two reads. UDP also operates in this way, which makes it advantageous for message-oriented protocols.

In contrast, TCP operates in a byte-stream fashion. Without framing, a peer may receive more or less than was sent (splitting up a write or aggregating multiple writes into a single read). This behavior requires that message-oriented protocols operating over TCP provide data-buffer and message framing within their application layer (a potentially complex task).

SCTP provides for message framing in data transfer. When a peer performs a write on a socket, it is guaranteed that this same-sized chunk of data will be read at the peer endpoint (see Figure 5).


Figure 5. Message framing in UDP/SCTP vs. a byte-stream-oriented protocol

For stream-oriented data, such as audio or video data, lack of framing is acceptable.
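The framing work that the text says a message-oriented protocol must do for itself when it runs over TCP, as an added example rather than code from the article: a length-prefixed framing layer and a decoder that accepts whatever chunk sizes the stream delivers. The 4-byte prefix and the 1 MiB ceiling on a frame are my choices; the messages are constructed.

```python
"""Application-level message framing over a byte stream, the work the text
says a message-oriented protocol must do itself when it runs over TCP.
Added example for this page, not from the article; the 4-byte length prefix
and the 1 MiB ceiling are my choices."""

import struct

_HDR = struct.Struct("!I")   # big-endian 32-bit payload length
MAX_FRAME = 1 << 20          # reject a bogus length before allocating for it


def frame(payload):
    """Prefix one message with its length so boundaries survive the stream."""
    if len(payload) > MAX_FRAME:
        raise ValueError("message too large")
    return _HDR.pack(len(payload)) + payload


class FrameDecoder:
    """Reassembles messages from whatever chunk sizes the stream delivers."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        self._buf += chunk
        messages = []
        while len(self._buf) >= _HDR.size:
            (length,) = _HDR.unpack_from(self._buf, 0)
            if length > MAX_FRAME:
                raise ValueError("frame length %d exceeds limit" % length)
            end = _HDR.size + length
            if len(self._buf) < end:
                break                       # partial message; wait for more
            messages.append(bytes(self._buf[_HDR.size:end]))
            del self._buf[:end]
        return messages


def chunks(data, sizes):
    """Split the wire bytes the way a stream might hand them to read():
    coalesced, split, or one byte at a time."""
    out, pos = [], 0
    for n in sizes:
        out.append(data[pos:pos + n])
        pos += n
    if pos < len(data):
        out.append(data[pos:])
    return out


def raw_reads(messages, sizes):
    """What an unframed stream reader sees: boundaries are gone."""
    return chunks(b"".join(messages), sizes)


def framed_reads(messages, sizes):
    """With framing, the original messages come back regardless of sizes."""
    decoder = FrameDecoder()
    recovered = []
    for piece in chunks(b"".join(frame(m) for m in messages), sizes):
        recovered.extend(decoder.feed(piece))
    return recovered
```

The length check before the partial-frame wait is the part worth copying: a decoder that trusts the prefix would reserve whatever size a peer claims, so the ceiling is enforced as soon as the header is readable.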

Configurable unordered delivery

Messages in SCTP are transferred reliably but not necessarily in the desired order. TCP guarantees that data is delivered in order (which is a good thing, considering TCP is a stream protocol). UDP guarantees no ordering. But, you can also configure streams within SCTP to accept unordered messages if desired.

This feature can be useful in message-oriented protocols in which requests are independent and ordering is not important. Further, you can configure unordered delivery on a stream-by-stream basis within an association.

Graceful shutdown

TCP and SCTP are connection-based protocols, while UDP is a connection-less protocol. Both TCP and SCTP require connection setup and teardown between peers. What's different about socket shutdown in SCTP is the removal of TCP's half-close.

Figure 6 shows the shutdown sequences for TCP and SCTP.


Figure 6. TCP and SCTP connection termination sequences

In TCP, it's possible for a peer to close its end of a socket (resulting in a FIN packet being sent) but then to continue to receive data. The FIN indicates that no more data is to be sent by this endpoint, but until the peer closes its end of the socket, it may continue to transmit data. Applications rarely use this half-closed state, and therefore the SCTP designers opted to remove it and replace it with a cleaner termination sequence. When a peer closes its socket (resulting in the issuance of a SHUTDOWN primitive), both endpoints are required to close, and no further data movement is permitted in either direction.

Multi-streaming demo

Now that you know the basic features of SCTP, let's look at a sample server and client that are written in the C programming language and demonstrate SCTP's multi-streaming feature.

This example presents a server that implements a form of the daytime protocol. This traditional server emits the current time to a connected client, but for SCTP, I emit the local time on stream 0 and Greenwich Mean Time (GMT) on stream 1. This simple example allows me to demonstrate the APIs for stream communication.

Figure 7 outlines the entire process and shows not only the flow of the application from a sockets API perspective but also the relationships from a client and server perspective.


Figure 7. Sockets functions used in the multi-streaming daytime server and client

These applications were developed on the GNU/Linux operating system with a 2.6.11 kernel and the Linux Kernel SCTP project (lksctp). The nonstandard sockets functions are provided in the lksctp tools package, which is available from SourceForge. See Resources for links.

The daytime server

The multi-stream daytime server is shown in Listing 1. All error checking is omitted in Listing 1 for better readability, but the code you can download below demonstrates error checking as well as other SCTP socket extensions.

Tracing a hacker

Sometimes, it's just not enough to simply know that there's a Trojan or Virus onboard. Sometimes you need to know exactly why that file is onboard, how it got there - but most importantly, who put it there.

By enumerating the attacker in the same way that they have enumerated the victim, you will be able to see the bigger picture and establish what you're up against. But how can you do this? Read on...

## Connections make the world go round ##

The computer world, at any rate. Every single time you open up a website, send an email or upload your webpages into cyberspace, you are connecting to another machine in order to get the job done. This, of course, presents a major problem, because this simple act is what allows malicious users to target a machine in the first place.

# How do these people find their victim?

Well, first of all, they need to get hold of the victim's IP Address. Your IP (Internet Protocol) address reveals your point of entry to the Internet and can be used in many ways to cause your online activities many, many problems. It may not reveal you by name, but it may be uniquely identifiable and it represents your digital ID while you are online (especially so if you're on a fixed IP / DSL etc).

With an IP address, a Hacker can find out all sorts of weird and wonderful things about their victim (as well as causing all kinds of other trouble, the biggest two being Portnukes/Trojans and the dreaded DoS ((Denial of Service)) attack). Some Hackers like to collect IP Addresses like badges, and like to go back to old targets, messing them around every so often. An IP address is incredibly easy to obtain - until recently, many realtime chat applications (such as MSN) were goldmines of information. Your IP Address is contained as part of the Header Code on all emails that you send and webpages that you visit can store all kinds of information about you. A common trick is for the Hacker to go into a Chatroom, paste his supposed website address all over the place, and when the unsuspecting victim visits, everything about your computer from the operating system to the screen resolution can be logged...and, of course, the all important IP address. In addition, a simple network-wide port scan will reveal vulnerable target machines, and a war-dialler will scan thousands of lines for exposed modems that the hacker can exploit.

So now that you know some of the basic dangers, you're probably wondering how these people connect to a victim's machine?

## Virtual and Physical Ports ##

Everything that you receive over the Internet comes as a result of other machines connecting to your computer's ports. You have two types: physical ports are the holes in the back of your machine, but the important ones are virtual. These allow the transfer of data between your computer and the outside world, some with allocated functions, some without. Knowing how these work is the first step to discovering who is attacking you; you simply MUST have a basic knowledge of this, or you won't get much further.

# What the phrases TCP/UDP actually mean

TCP/IP stands for Transmission Control Protocol and Internet Protocol. A TCP/IP packet is a block of data which is compressed, then a header is put on it and it is sent to another computer (UDP stands for User Datagram Protocol). This is how ALL internet transfers occur: by sending packets. The header in a packet contains the IP address of the one who originally sent it to you. Now, your computer comes with an excellent (and free) tool that allows you to see anything that is connected (or is attempting to connect) to you, although bear in mind that it offers no blocking protection; it simply tells you what is going on. That tool is NETSTAT.

## Netstat: Your first line of defence ##

Netstat is a very fast and reliable method of seeing exactly who or what is connected (or connecting) to your computer. Open up DOS (Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS Prompt, type:

netstat -a

(make sure you include the space in between the "t" and the "a").

If you're connected to the Internet when you do this, you should see something like:

Active Connections

Proto Local Address Foreign Address State
TCP macintosh: 20034 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED
TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING


Now, "Proto(col)" simply means what kind of data transmission is taking place (TCP or UDP), "Local address" is your computer (and the number next to it tells you what port you're connected on), "Foreign Address" is the machine that is connected to you (and what port they're using), and finally "State" is simply whether or not a connection is actually established, or whether the machine in question is waiting for a transmission, or timing out etc.

Now, you need to know all of Netstat's various commands, so type:

netstat ?

You will get something like this:

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a Displays all connections and listening ports.
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.


Have a play around with the various options, but the most important use of these methods is when you combine them. The best command to use is

netstat -an

because this will list all connections in Numerical Form, which makes it a lot easier to trace malicious users....Hostnames can be a little confusing if you don't know what you're doing (although they're easily understandable, as we shall see later). Also, by doing this, you can also find out what your own IP address is, which is always useful.

Also,

netstat -b

will tell you what ports are open and what programs are connecting to the internet.

## Types of Port ##

It would be impossible to find out who was attacking you if computers could just access any old port to perform an important function; how could you tell a mail transfer from a Trojan Attack? Well, good news, because your regular, normal connections are assigned to low, commonly used ports, and in general, the higher the number used, the more you should be suspicious. Here are the three main types of port:

# Well Known Ports
These run from 0 to 1023, and are bound to the common services that run on them (for example, mail runs on port 25 tcp/udp, which is SMTP (Simple Mail Transfer Protocol)), so if you find one of these ports open (and you usually will), it's usually because of an essential function.

# Registered Ports
These run from 1024 to 49151. Although not bound to a particular service, these are normally used by networking utilities like FTP software, Email clients and so on, and they do this by opening on a random port within this range before communicating with the remote server, so don't panic (just be wary, perhaps) if you see any of these open, because they usually close automatically when the program that's running on them terminates (for example, type in a common website name in your browser with netstat open, and watch as it opens up a port at random to act as a buffer for the remote servers). Services like MSN Messenger and ICQ usually run on these ports.

# Dynamic/Private PortsRanging from 49152 to 65535, these things are rarely used except with certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap:

QUOTE
Well Known Ports: 0 to 1023. Commonly used, little danger.
Registered Ports: 1024 to 49151. Not as common, just be careful.
Dynamic/Private Ports: 49152 to 65535. Be extremely suspicious.


## The hunt is on ##

Now, it is essential that you know what you're looking for, and the most common way someone will attack your machine is with a Trojan. This is a program that is sent to you in an email, or attempts to bind itself to one of your ports, and when activated, it can give the user your passwords, access to your hard drive...they can even make your CD Tray pop open and shut. At the end of this Document, you will find a list of the most commonly used Trojans and the ports they operate on. For now, let's take another look at that first example of Netstat....

QUOTE
Active Connections

Proto Local Address Foreign Address State
TCP macintosh: 27374 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED
TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING
TCP macintosh MACINTOSH: 0 LISTENING


Now, straight away, this should make more sense to you. Your computer is connected on two ports, 80 and 27374. Port 80 is used for http/www transmissions (i.e. for all intents and purposes, it's how you connect to the net, although of course it's a lot more complicated than that). Port 27374, however, is distinctly suspicious; first of all, it is in the registered port range, and although other services (like MSN) use these, let's assume that you have nothing at all running like instant messengers, web pages etc. You're simply connected to the net through a proxy. So, now this connection is looking even more troublesome, and when you realise that 27374 is a common port for Netbus (a potentially destructive Trojan), you can see that something untoward is going on here. So, what you would do is:

QUOTE
1) Run Netstat, and use:

Netstat -a

then

Netstat -an

So you have both Hostnames AND IP addresses.
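Putting the two steps above into practice as an added example (not part of the original tutorial): a Python triage that parses netstat -an output, classifies each port into the three ranges from the Types of Port section, and flags ports that appear in the Trojan list at the end of the page. The connection table is constructed with RFC 5737 test addresses, and the Trojan table is a small subset of the page's list.

```python
"""Triage of netstat -an output along the lines of the tutorial above.
Added example: the connection table is constructed (RFC 5737 test addresses)
and the Trojan port table is a small subset of the list at the end of the page."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

WELL_KNOWN_MAX = 1023    # 0-1023 well known; 1024-49151 registered
REGISTERED_MAX = 49151   # 49152-65535 dynamic/private

# Subset of the page's "ports commonly used by Trojans" list, keyed by protocol.
TROJAN_PORTS = {
    ("TCP", 1243): "SubSeven 1.0 - 1.8",
    ("TCP", 12345): "GabanBus, NetBus",
    ("TCP", 27374): "NetBus (as cited in the worked example above)",
    ("TCP", 31337): "Back Orifice",
    ("TCP", 50505): "Sockets de Troie",
    ("UDP", 31337): "Back Orifice 1.20",
    ("UDP", 54321): "Back Orifice 2000",
}

# Constructed netstat -an output; not captured from a real machine.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:27374       198.51.100.7:50505     ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.5:30101      TIME_WAIT
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:52113       203.0.113.9:443        ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""


@dataclass
class Connection:
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: Optional[int]
    state: str


def classify_port(port: int) -> str:
    """Map a port number onto the three ranges the tutorial describes."""
    if port <= WELL_KNOWN_MAX:
        return "well-known"
    if port <= REGISTERED_MAX:
        return "registered"
    return "dynamic/private"


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port'. rpartition keeps IPv6 forms such as '[::]:135'
    intact; a wildcard like '*:*' yields port None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Connection]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the title and the column header; keep only TCP/UDP rows.
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        local_host, local_port = split_endpoint(parts[1])
        remote_host, remote_port = split_endpoint(parts[2])
        if local_port is None:
            continue
        state = parts[3] if len(parts) > 3 else ""   # UDP rows carry no state
        conns.append(Connection(parts[0].upper(), local_host, local_port,
                                remote_host, remote_port, state))
    return conns


def triage(conns: List[Connection]) -> List[Tuple[Connection, List[str]]]:
    """Return each connection that deserves a closer look, with the reasons."""
    findings = []
    for c in conns:
        reasons = []
        for side, port in (("local", c.local_port), ("remote", c.remote_port)):
            name = TROJAN_PORTS.get((c.proto, port))
            if name:
                reasons.append(f"{side} port {port} is listed for {name}")
        # A socket LISTENING on a dynamic/private port is unusual. The high
        # local port of an outbound ESTABLISHED connection is not: on current
        # Windows the client-side (ephemeral) range is itself 49152-65535.
        if c.state == "LISTENING" and classify_port(c.local_port) == "dynamic/private":
            reasons.append(f"listening on dynamic/private port {c.local_port}")
        if reasons:
            findings.append((c, reasons))
    return findings


def flagged_local_ports(text: str = SAMPLE_NETSTAT) -> List[int]:
    """Local ports of every flagged row, in netstat order."""
    return [c.local_port for c, _ in triage(parse_netstat(text))]
```

The 52113 row is deliberately left unflagged: a high local port on an outbound connection to 443 is normal client behaviour, whereas the 12345 listener and the 27374/50505 pair match the page's Trojan list.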


## Tracerouting ##

Having the attacker's IP is all well and good, but what can you do with it? The answer is, a lot more! It's not enough to have the address, you also need to know where the attacker's connections are coming from. You may have used automated tracerouting tools before, but do you know how they work?

Go back to MSDOS and type

QUOTE
tracert *type IP address/Hostname here*


Now, what happens is, the Traceroute will show you all the computers in between you and the target machine, including blockages, firewalls etc. More often than not, the hostname listed before the final one will belong to the Hacker's ISP. It'll either say who the ISP is somewhere in there, or else you run a second trace on the new IP/hostname to see who the ISP in question is. If the hostname that you get back doesn't actually seem to mention a geographical location within its text, you may think all is lost. But fear not! Suppose you get a hostname such as

http://www.haha.com

Well, that tells us nothing, right? Wrong....simply enter the hostname in your browser, and though many times you will get nothing back, sometimes it will resolve to an ISP, and from there you can easily find out its location and in what areas they operate. This at least gives you a firm geographical location to carry out your investigations in.

If you STILL have nothing, as a last resort you COULD try connecting to your target's ISP's port 13 by Telnet, which will tell you how many hours ahead or behind this ISP is of GMT, thus giving you a geographical trace based on the time mentioned (although bear in mind, the ISP may be doing something stupid like not having their clocks set correctly, giving you a misleading trace. Similarly, a common tactic of Hackers is to deliberately have their computer's clock set to a totally wrong time, so as to throw you off the scent). Also, unless you know what you're doing, I wouldn't advise using Telnet (which is outside the parameters of this tutorial).

## Reverse DNS Query ##

This is probably the most effective way of running a trace on somebody. If ever you're in a chatroom and you see someone saying that they've "hacked into a satellite orbiting the Earth, and are taking pictures of your house right now", ignore them because that's just bad movie nonsense. THIS method is the way to go with regard to finding out what country (maybe even what State/City etc.) someone resides in, although it's actually almost impossible to find an EXACT geographical location without actually breaking into your ISP's Head Office and running off with the safe.

To run an rDNS query, simply go back to MS-DOS and type

netstat

and hit return. Any active connections will resolve to hostnames rather than a numerical format.

# DNS

DNS stands for Domain Name Server. These are machines connected to the Internet whose job it is to keep track of the IP Addresses and Domain Names of other machines. When called upon, they take the ASCII Domain Name and convert it to the relevant numeric IP Address. A DNS search translates a hostname into an IP address....which is why we can enter "www.Hotmail.com" and get the website to come up, instead of having to actually remember Hotmail's IP address and enter that instead. Well, Reverse DNS, of course, translates the IP Address into a Hostname (ie - in letters and words instead of numbers, because sometimes the Hacker will employ various methods to stop Netstat from picking up a correct Hostname).

So, for example,

298.12.87.32 is NOT a Hostname.
mail6.bol.net.au IS a Hostname.

Anyway, see the section at the end? (au) means the target lives in Australia. Most (if not all) hostnames end in a specific Country Code, thus narrowing down your search even further. If you know your target's email address (i.e. they foolishly sent you hate mail, but were silly enough to use a valid email address) but nothing else, then you can use the Country Codes to deduce where they're from as well. You can also deduce the IP address of the sender by looking at the email's header (a "hidden" block of text which contains information on the sender). On Hotmail for example, go to Preferences, and select the "Full Header's Visible" option. Alternatively, you can run a "Finger" trace on the email address, at:

www.samspade.org

Plus, some ISP's include their name in your Email Address with them too (ie Wanadoo, Supanet etc), and your Hacker may be using an email account that's been provided by a Website hosting company, meaning this would probably have the website host's name in the email address (ie Webspawners). So, you could use the information gleaned to maybe even hunt down their website (then you could run a website check as mentioned previously) or report abuse of that Website Provider's Email account (and thus, the Website that it goes with) to

abuse@companynamegoeshere.com

If your Hacker happens to reside in the USA, go to:

www.usps.gov/ncsc/lookups/abbr_state.txt

for a complete list of US State abbreviations.

## List of Ports commonly used by Trojans ##

Please note that this isn't a complete list by any means, but it will give you an idea of what to look out for in Netstat. Be aware that some of the lower Ports may well be running valid services.

UDP: 1349 Back Orifice DLL
31337 Back Orifice 1.20
31338 DeepBO
54321 Back Orifice 2000


TCP: 21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23 Tiny Telnet Server
25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31 Hackers Paradise
80 Executor
456 Hackers Paradise
555 Ini-Killer, Phase Zero, Stealth Spy
666 Satanz Backdoor
1001 Silencer, WebEx
1011 Doly Trojan
1170 Psyber Stream Server, Voice
1234 Ultors Trojan
1243 SubSeven 1.0 - 1.8
1245 VooDoo Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor 1.00-1.03
2001 Trojan Cow
2023 Ripper
2115 Bugs
2140 Deep Throat, The Invasor
2801 Phineas Phucker
3024 WinCrash
3129 Masters Paradise
3150 Deep Throat, The Invasor
3700 Portal of Doom
4092 WinCrash
4567 File Nail 1
4590 ICQTrojan
5000 Bubbel
5000 Sockets de Troie
5001 Sockets de Troie
5321 Firehotcker
5400 Blade Runner 0.80 Alpha
5401 Blade Runner 0.80 Alpha
5402 Blade Runner 0.80 Alpha
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5569 Robo-Hack
5742 WinCrash
6670 DeepThroat
6771 DeepThroat
6969 GateCrasher, Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8787 Back Orifice 2000
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
10067 Portal of Doom
10167 Portal of Doom
10607 Coma 1.0.9
11000 Senna Spy
11223 Progenic trojan
12223 Hack´99 KeyLogger
12345 GabanBus, NetBus
12346 GabanBus, NetBus
12361 Whack-a-mole
12362 Whack-a-mole
16969 Priority
20001 Millennium
20034 NetBus 2.0, Beta-NetBus 2.01
21544 GirlFriend 1.0, Beta-1.35
22222 Prosiak
23456 Evil FTP, Ugly FTP
26274 Delta
30100 NetSphere 1.27a
30101 NetSphere 1.27a
30102 NetSphere 1.27a
31337 Back Orifice
31338 Back Orifice, DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck, TN
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
54321 SchoolBus .69-1.11
61466 Telecommando
65000 Devil

What is TRP Ratings in the TV Channel

Tuesday, October 5, 2010

Television Rating Point (TRP) is a tool used to judge which programmes are viewed the most. This gives us an index of the choice of the people and also the popularity of a particular channel. For the calculation, a device is attached to the TV set in a few thousand viewers' houses. These households are treated as a sample of the overall TV owners in different geographical and demographic sectors. The device is called the People's Meter. It records the time and the programme that a viewer watches on a particular day. Then, the average is taken over a 30-day period, which gives the viewership status for a particular channel.

For example, a TV advertisement that is aired 5 times, reaching 50% of the gross audience with only 60% of that in the target audience, would have 250 GRPs (= 5 x 50), i.e. GRPs = reach x frequency. The TRP in this case is 60% of 250 GRPs = 150 TRPs; this is the rating point in the target, 60% of the gross rating.

IP Ports

Ports were developed so that computers could accept data from multiple sources over the same IP address. Think of it like this: your TV service is the Internet, and the ports are your channels. You have many forms of entertainment, news, and information available through many different channels. Let's say that MTV is channel 35 on your TV. The same is true for web servers that run on port 80. Every port has a special purpose, just as each channel serves a different television program. While you only have one cable TV subscription, you can still receive multiple channels.

There are two main types of ports: TCP and UDP. TCP stands for Transmission Control Protocol. UDP stands for User Datagram Protocol. Some programs on your computer will use TCP ports to communicate and others may use UDP. It is important to know the difference between how the two operate. See the TCP vs UDP section for an explanation.

There are 65,535 TCP and UDP ports available to transmit data with. Ports 0-1023 are reserved for common use. These ports are assigned by the IANA (Internet Assigned Numbers Authority). This means that every port from 0-1023 will be the same on every system. For example, let's say a server in New York is using port 80, and so is a server in Texas. Because port 80 falls in the range of reserved ports, we know both servers are using port 80 for HTTP connections. Viewing a list of known ports can help you determine which types of connection are present on your machine. For more information see the netstat article above. The RFC on ports is RFC 1700.

Servers, or any machine for that matter "listen" on certain ports. For example, a server running web, FTP, and Telnet services will listen on a port for each. The act of listening simply means the machine is waiting for another device to connect to it. See the illustration below:

You can see how the server is listening for 3 ports over a single IP address (192.168.0.15). You should also know that it is possible for multiple devices to connect to a single port. Meaning, a telnet server may accept over 100 simultaneous connections to port 23.

TCP vs UDP: Which is Best?

This article describes how TCP and UDP work, the difference between the two, and why you would choose one over the other.

TCP (Transmission Control Protocol) is the most commonly used protocol on the Internet. The reason for this is that TCP offers error correction. When the TCP protocol is used there is a "guaranteed delivery." This is due in large part to a method called "flow control." Flow control determines when data needs to be re-sent, and stops the flow of data until previous packets are successfully transferred. This works because if a packet of data is sent, a collision may occur. When this happens, the client re-requests the packet from the server until the whole packet is complete and is identical to its original.

UDP (User Datagram Protocol) is another commonly used protocol on the Internet. However, UDP is never used to send important data such as web pages, database information, etc.; UDP is commonly used for streaming audio and video. Streaming media such as Windows Media audio files (.WMA), Real Player (.RM), and others use UDP because it offers speed! The reason UDP is faster than TCP is that there is no form of flow control or error correction. The data sent over the Internet is affected by collisions, and errors will be present. Remember that UDP is only concerned with speed. This is the main reason why streaming media is not high quality.


On the other hand, UDP has been used by some Trojan horse programs. Attackers develop scripts and Trojans that run over UDP in order to mask their activities. UDP packets are also used in DoS (Denial of Service) attacks. It is important to know the difference between TCP port 80 and UDP port 80. If you don't know what ports are, see the IP Ports section above.

Frame Structure

As data moves along a network, various attributes are added to the data to create a frame. This process is called encapsulation. There are different methods of encapsulation depending on which protocol and topology are being used. As a result, the frame structure of these packets differs as well. The images below show both the TCP and UDP frame structures.

TCP FRAME STRUCTURE

UDP FRAME STRUCTURE

The payload field contains the actual data. Notice that TCP has a more complex frame structure. This is largely due to the fact that TCP is a connection-oriented protocol. The extra fields are needed to ensure the "guaranteed delivery" offered by TCP.
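As an added example that is not part of the original article, the following Python parses the fixed UDP header (8 bytes) and the TCP header (20 bytes plus options) so the difference in frame structure is visible in code; both sample segments are constructed with struct.pack rather than captured from a network.

```python
"""Parse the fixed UDP and TCP headers to make the frame-structure difference
concrete. Added example; the sample segments below are constructed, not captured."""
import struct
from typing import Dict, Tuple

# TCP flag bits, least significant first (bits 6 and 7 are the ECN flags).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def parse_udp(segment: bytes) -> Dict[str, object]:
    """UDP header: four 16-bit fields (src port, dst port, length, checksum)."""
    if len(segment) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, checksum = struct.unpack("!HHHH", segment[:8])
    # The length field covers header + payload, so it must match what we hold.
    if length != len(segment):
        raise ValueError(f"length field {length} != {len(segment)} bytes present")
    return {"proto": "UDP", "src_port": src, "dst_port": dst, "length": length,
            "checksum": checksum, "header_len": 8, "payload": segment[8:]}


def parse_tcp(segment: bytes) -> Dict[str, object]:
    """TCP header: 20 fixed bytes (ports, seq, ack, data offset/flags, window,
    checksum, urgent pointer) followed by options up to the data offset."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src, dst, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4        # data offset is in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad data offset: header_len={header_len}")
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    return {"proto": "TCP", "src_port": src, "dst_port": dst, "seq": seq,
            "ack": ack, "flags": flags, "window": window, "checksum": checksum,
            "urgent": urgent, "header_len": header_len,
            "options": segment[20:header_len], "payload": segment[header_len:]}


def port_key(parsed: Dict[str, object]) -> Tuple[str, int]:
    """TCP port 80 and UDP port 80 are different things, so key on both."""
    return (str(parsed["proto"]), int(parsed["dst_port"]))


# Constructed UDP datagram: 53000 -> 53 with a 5-byte payload. The checksum is
# left 0; verifying it needs the IP pseudo-header, which is outside this example.
SAMPLE_UDP = struct.pack("!HHHH", 53000, 53, 8 + 5, 0) + b"hello"

# Constructed TCP SYN to port 80 carrying a 4-byte MSS option, so the header is
# 24 bytes: data offset 6 words in the top nibble, SYN bit (0x02) in the low bits.
SAMPLE_TCP = (struct.pack("!HHIIHHHH", 51515, 80, 1000, 0,
                          (6 << 12) | 0x02, 65535, 0, 0)
              + b"\x02\x04\x05\xb4")
```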

Internet Protocol - IP

Monday, August 9, 2010

IP (Internet Protocol) is the primary network protocol used on the Internet, developed in the 1970s. On the Internet and many other networks, IP is often used together with the Transmission Control Protocol (TCP) and referred to interchangeably as TCP/IP.

IP supports unique addressing for computers on a network. Most networks use the Internet Protocol version 4 (IPv4) standard that features IP addresses four bytes (32 bits) in length. The newer Internet Protocol version 6 (IPv6) standard features addresses 16 bytes (128 bits) in length.

Data on an Internet Protocol network is organized into packets. Each IP packet includes both a header (that specifies source, destination, and other information about the data) and the message data itself.

IP functions at layer 3 of the OSI model. It can therefore run on top of different data link interfaces including Ethernet and Wi-Fi.

What is IPv6?

Internet Protocol Version 6 (IPv6) is a network layer protocol that enables data communications over a packet switched network. Packet switching involves the sending and receiving of data in packets between two nodes in a network. The working standard for the IPv6 protocol was published by the Internet Engineering Task Force (IETF) in 1998. The IETF specification for IPv6 is RFC 2460. IPv6 was intended to replace the widely used Internet Protocol Version 4 (IPv4) that is considered the backbone of the modern Internet. IPv6 is often referred to as the "next generation Internet" because of its expanded capabilities and its growth through recent large scale deployments. In 2004, Japan and Korea were acknowledged as having the first public deployments of IPv6.

The explosive growth in mobile devices including mobile phones, notebook computers, and wireless handheld devices has created a need for additional blocks of IP addresses. IPv4 currently supports a maximum of approximately 4.3 billion unique IP addresses. IPv6 supports a theoretical maximum of 2^128 addresses (340,282,366,920,938,463,463,374,607,431,768,211,456 to be exact!). Recent advancements in network technology including Network Address Translation (NAT) have temporarily lessened the urgency for new IP addresses; however, recent estimates indicate that IPv4 addresses could be exhausted as soon as 2012.

IPv6 and IPv4 share a similar architecture. The majority of transport layer protocols that function with IPv4 will also function with the IPv6 protocol. Most application layer protocols are expected to be interoperable with IPv6 as well, with the notable exception of File Transfer Protocol (FTP). FTP uses embedded network layer addresses to facilitate data transmission. An IPv6 address consists of eight groups of four hexadecimal digits. If a group consists of four zeros, the notation can be shortened using a colon to replace the zeros.

A main advantage of IPv6 is increased address space. The 128-bit length of IPv6 addresses is a significant gain over the 32-bit length of IPv4 addresses, allowing for an almost limitless number of unique IP addresses. The size of the IPv6 address space makes it less vulnerable to malicious activities such as IP scanning. IPv6 packets can support a larger payload than IPv4 packets resulting in increased throughput and transport efficiency.

A key enhancement over IPv4 is native support for mobile devices. IPv6 supports the Mobile IPv6 (MIPv6) protocol which enables mobile devices to switch between networks and receive a roaming notification regardless of physical location. MIPv6 is a hallmark of the protocol and was specified as a firm requirement during the design of IPv6. The IETF has separate specifications for MIPv6 that detail data structure, messaging, and security requirements.

Auto-configuration is another IPv6 enhancement that is considered a great benefit to network administrators. IPv6 devices can independently auto-configure themselves when connected with other IPv6 devices. Configuration tasks that can be carried out automatically include IP address assignment and device numbering. An IPv6 router has the ability to determine its own IPv6 address using data link layer addressing parameters. The IETF has issued RFC 2462 to set guidelines for IPv6 auto-configuration.

The IPv6 protocol improves upon IPv4 with increased authentication and privacy measures. IPSec security is embedded into the IPv6 specification to manage encryption and authentication between hosts. This built in security framework enables secure data traffic between hosts that is independent of any applications on either host. In this way, IPv6 provides an efficient end to end security framework for data transfer at the host or the network level.

The deployment of IPv6 networks is growing worldwide. Full replacement of IPv4 is expected to take some time, as it remains the most widely used Internet Protocol. The United States, China, and India are leading recent deployments of the IPv6 protocol and have large investments in IPv6 network infrastructure. The United States government has mandated that federal agencies must complete the transition to an IPv6 infrastructure no later than 2008. Software companies are also releasing operating systems that support the IPv6 standard. In 1997, IBM became the first commercial vendor to support IPv6 through its AIX 4.3 operating system. The latest version of Microsoft's Windows operating system, Windows Vista, has full IPv6 support enabled by default.

Tunneling

Friday, June 11, 2010

Tunneling is a way in which data is transferred between two networks securely. All the data being transferred is fragmented into smaller packets or frames and then passed through the tunnel. This process is different from a normal data transfer between nodes. Every frame passing through the tunnel is encrypted with an additional layer of tunneling encryption and encapsulation, which is also used for routing the packets in the right direction. This encapsulation is then reversed at the destination, where the data is decrypted and sent on to the intended destination node.

A tunnel is a logical path between the source and destination endpoints of two networks. Every packet encapsulated at the source is de-capsulated at the destination. This process keeps happening as long as the logical tunnel persists between the two endpoints.

Tunneling Protocols

The Windows Server 2003 family supports the following tunneling protocols for secure communication:

  • Point-to-Point Tunneling Protocol (PPTP)
    • PPTP employs user-level PPP authentication methods and Microsoft Point-to-Point Encryption (MPPE) for data encryption.
    • PPTP uses TCP 1723 and Protocol 47 (GRE).
    • PPTP uses only NTLM authentication.
    • PPTP provides 56 bit or 128 bit Microsoft Point-to-Point Encryption (MPPE).
  • Layer Two Tunneling Protocol (L2TP)
    • L2TP is an industry-standard Internet tunneling protocol with roughly the same functionality as the Point-to-Point Tunneling Protocol (PPTP). Based on the Layer Two Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP) specifications, you can use L2TP to set up tunnels across intervening networks. Like PPTP, L2TP encapsulates Point-to-Point Protocol (PPP) frames, which then encapsulate IP or IPX protocols, allowing users to remotely run programs that are dependent on specific network protocols.
    • L2TP uses UDP 1701.
    • L2TP does not provide any encryption by itself.
  • L2TP with Internet Protocol security (L2TP/IPSec)
    • L2TP/IPSec employs user-level PPP authentication methods over a connection that is encrypted with IPSec. IPSec requires host authentication using either the Kerberos protocol, shared secret or computer-level certificates.
    • L2TP with IPSec uses UDP 500 = ISAKMP, Protocol 50 = Encapsulated Security Payload (ESP) and possibly Protocol 51 = Authentication Header (AH).
    • L2TP/IPSec uses both Mutual authentication and NTLM authentication.
    • IPSec provides DES (56 bit) and 3DES (168 bit) encryption.

How Tunneling Works

As we know, VPN connections are of two types, PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol). Both PPTP and L2TP tunnels are nothing but logical sessions between two different endpoints. In order for them to communicate, the tunneling type must be negotiated between the endpoints, either PPTP or L2TP, and then further configurable parameters like encryption, address assignment, compression etc. must be configured in order to get the best possible security over the internet-based private logical tunnel. This communication is created, maintained and terminated using a tunnel management protocol.

Data can be sent once the tunnel is in place, and clients or servers can use the same tunnel to send and receive data across the internetwork. The data transfer depends upon the tunneling protocol being used. For example, whenever the client wants to send data or payload (the packets containing data) to the tunneling server, the tunnel server adds a header to each packet. This header contains the routing information which tells the packet its destination across the internetwork. Once the payload is received at the destination, the header information is verified, after which the destination tunnel server sends the packet on to the intended node, client or server.

Point-to-Point Protocol (PPP)

It is very obvious that the PPTP and L2TP protocols are fully dependent upon the PPP connection, so it is very important to understand and examine PPP a little more closely. Initially PPP was designed to work with only dial-up connections or dedicated connections. If the data transfer is happening over a PPP connection, then the packets going over PPP are encapsulated within PPP frames and then sent across or transmitted to the destination dial-up or PPP server.

There are four distinct phases of negotiation in a PPP connection. Each of these four phases must complete successfully before the PPP connection is ready to transfer user data.

  • Phase 1: PPP Link Establishment. The first step is where PPP uses the LCP or Link Control Protocol to connect to the destination network. Apart from establishing the connection, LCP is also responsible for maintaining and terminating the connection. For example, during this phase 1, LCP connects to the destination and prepares the authentication protocol which will be used in phase 2. The next step is to negotiate and find out if the two nodes in a PPP connection agree on any compression or encryption algorithm. If the answer is yes, then the same is implemented in Phase 4.
  • Phase 2: User Authentication. The second step is where the user credentials are sent to the remote destination for authentication. There are different authentication protocols, and a secure method of authentication must be used to safeguard the user credentials. If you are using PAP (Password Authentication Protocol) for authorizing user credentials, the user information is passed in plain, clear text which can be captured easily. This is the time when the user must take the utmost care in protecting his/her credentials from theft. If these credentials were captured by an intruder, then once the user connection is authenticated the intruder can trap the communication, disconnect the original user and take control of the connection.
  • Phase 3: PPP Callback Control. The Microsoft implementation of PPP includes an optional callback control phase. This phase uses the Callback Control Protocol (CBCP) immediately after the authentication phase. If configured for callback, both the remote client and NAS disconnect after authentication. The NAS then calls the remote client back at a specified phone number. This provides an additional level of security to dial-up connections. The NAS allows connections from remote clients physically residing at specific phone numbers only. Callback is only used for dial-up connections, not for VPN connections.
  • Phase 4: Invoking Network Layer Protocol(s). Once the previous phases have been completed, PPP invokes the various network control protocols (NCPs) that were selected during the link establishment phase (Phase 1) to configure protocols used by the remote client. For example, during this phase, IPCP is used to assign a dynamic address to the PPP client. In the Microsoft implementation of PPP, the Compression Control Protocol (CCP) is used to negotiate both data compression (using MPPC) and data encryption (using MPPE).

Data-Transfer

Once the four phases of PPP negotiation have been completed, PPP begins to forward data to and from the two peers. Each transmitted data packet is wrapped in a PPP header that is removed by the receiving system. If data compression was selected in phase 1 and negotiated in phase 4, data is compressed before transmission. If data encryption is selected and negotiated, data is encrypted before transmission. If both encryption and compression are negotiated, the data is compressed first, and then encrypted.

Point-to-Point Tunneling Protocol (PPTP)

PPTP encapsulates PPP frames in IP datagrams for transmission over an IP internetwork, such as the Internet. PPTP can be used for remote access and router-to-router VPN connections.

PPTP or Point-to-Point Tunneling Protocol works over a TCP port, which is also used for tunnel management, and uses GRE or Generic Routing Encapsulation to encapsulate the PPP frames that carry data through the tunnel. Compression or encryption will depend on the tunnel configuration.

Layer Two Tunneling Protocol (L2TP)

L2TP was first proposed by Cisco Systems Inc, which combined Layer 2 Forwarding (L2F) with PPTP. IP frames can be encapsulated by L2TP to be sent over X.25, FR (Frame Relay) and ATM (Asynchronous Transfer Mode) networks. An L2TP-based IP tunnel over the internet is the safest way of data transfer today, using compression and/or encryption as required to protect the data from intruders.

The Top Ten Harmful Viruses & Anti Viruses

Wednesday, May 26, 2010

Deadly Computer Viruses

In simple terms, a virus can aptly be called a virtual disease which affects a computer system and makes it sick, forcing it to act in a manner undesired by the user. No good deed goes unpunished, and with the joys and leisure that were brought by the computer, along came the viruses to ruin all the fun. There are billions of viruses out there, big and small. But there were some that stood out and ruined things for us in a spectacular fashion. Below is a list of 10 of the deadliest viruses, which created havoc in the virtual as well as the real world.

I love you

The three words that can at most motivate you to cross the seven seas, or at least tempt you to open an email. This very temptation was the downfall of many computer users when this multipurpose, multi-skilled virus hit the web. It had the ability to replicate itself via IRC chat and email, transfer and hide itself in different files and folders, and infect the registry keys once you opened an email in your inbox declaring "I Love You". The virus, thought to have originated somewhere in the Philippines, caused damage which was estimated to be around $8-10 billion.

Melissa


The creator of this virus received a 20 month jail sentence and a $5000 fine. Generated over a decade ago, this clever piece of virtual disease operated through Microsoft Outlook. This is how it worked: you receive an email titled "Here is the Document you asked for" from an unknown sender, you got infected as soon as you opened the email, and the virus would replicate and deliver itself to the top 50 people on your list without you getting a hint of it. Some major US government departments were hit and the damage is thought to be around $1 billion at least. A 20 month jail sentence well deserved.

MyDoom


MyDoom was instigated somewhere in mid 2004 and it actually prompted a US senator to propose the creation of a "National Virus Response Centre". The virus attacked in two phases; the first phase infected different operating systems, creating inroads and backdoors and making them vulnerable to external users. Once this problem was sorted out, MyDoom struck again after a few months, this time targeting search engines like Google, slowing them down considerably, and crashing a few.

Nimda


Spell it backwards and you will understand its prime targets: yes, the 'Admin' and servers. It was basically a worm and held the record of being the fastest ever virus to spread; it took only 22 minutes to break into the list of the top ten most deadly viruses of all time. It basically targeted internet servers and websites, creating a mass crater through which thousands of computers were affected at the same time. Once infected, the systems became exposed to open attacks by outsiders.

Code Red

Damages of almost $200 million a day, and affecting the computers inside the White House, are the degree of achievement of this virus. It subjugated Windows by exploiting a buffer overflow, sending a humongous amount of information to the computer so that it spilt over, eventually forcing a shut down by overwriting the memory of the computers. The problem wasn’t solved until Microsoft issued a fix to cater for this virus.

SQL Slammer/Sapphire

Another swiftly spreading virus, it hit 75,000 computers in the first 10 minutes of its inception, taking down and severely damaging numerous American banks, security systems and organizations, and airline networks. And the virus wasn’t confined to the US; it ruthlessly damaged the internet capacity of South Korea for at least half a day. The damage was estimated at a billion dollars at least.

Storm Worm

One of the most recent viruses to strike the internet, the Storm Worm employed a strategy similar to the one used by Melissa: the mail’s title mentioned a current natural disaster like an earthquake (but most often a storm). Once the email was opened, the virus spread like wildfire, affecting registries and documents across the hard disk. It turned out to be a mother-virus, instigating numerous hidden programs in the background which made the PC vulnerable and enticing to hackers.

Klez

With the mixed characteristics of a virus, a worm and a Trojan horse, Klez gave antivirus programs a real headache by simply disabling them and making them look like a joke. However, this was only the beginning of its trickery; after it was thought to be defeated, it was taken over, decoded and customized by black hat hackers (hackers who specialize in unauthorized penetration). Its ability was enhanced by giving it the capability to "spoof" addresses from the user's address book and make it look as though an email came from them, increasing the chances of the receiver opening the email and becoming the next casualty.

Sasser

Damaging computers through network ports, Sasser mostly targeted Windows 2000 and XP. Its main casualties were the news agency Agence France-Presse (AFP), which had all its satellite communications jammed for hours; U.S. Airlines, which had to reschedule its flights because the worm had depleted their computers; and a Finnish insurance company, which was forced to close down 130 of its offices on an emergency basis. Goldman Sachs and Deutsche Post were badly affected as well. However, its unique feature was that it did not spread through emails, but rather observed computers and kept a lookout for their vulnerabilities. On the basis of this knowledge, it would scan random IP addresses from the database and send itself to the next victim.

Autorun

This virus primarily targeted USB sticks and flash drives, establishing them as its major means of movement and propagation. It affected networks and all the computers present on them. Once a machine was affected, Folder Options would be disabled, the Task Manager too would be unavailable and the virus itself would run as the system administrator. The virus would replicate itself in all the folders, eating up useful space on the hard disk and eventually making it extremely slow. The loss was in terms of useful data on millions of computers across the world.