127.0.0.1 - few Questions

Ok, Well Ive been doing a lot more research into all my questons thanks to Google, as I know how much people hate to spoonfeed!

Any comments, advice on what ive learnt so far would also be appreciated...


There are a number of different forms of data that flow through the internet, and each form of data
If the data exists on the Ethernet, it is called an Ethernet frame,
If the data is between the Ethernet driver and the IP Module, it is called an IP Packet,
If it is between the IP Module and the UDP module it is called a UDP Datagram,
If it is between the IP Module and the TCP Module it is called a TCP Segment, (More generally a transport message)
And if it is in a network application it’s called an application message.

I now know that UDP Datagrams and TCP Segments are divided into packets via the IP Module now, then reassembled somewhere… and somehow… past the destination MAC addresses.
I now know that the header of the packets also contain the MAC address, IP address of the sender and receiver, along with other info so that the packets can be reassembled at the correct destination.
The MAC address, as far as I am led to believe, is to provide a unique hardware address or to be located by the IP module.


I understand that 127.0.0.1 is used to test the network card and TCP/IP Stack, and I have nothing to worry about unless the remote address was different to this or my own.


As well as all this, In the last couple of days, Ive downloaded Ubuntu and will begin to have a play about on that. Looks good, love the way u can boot from CD, very handy if you just need to gain access to files in the admin user, but I’ve grown up with Windows, and find it’s a big step to convert over to it fully. Then you also got the hassle of sorting out your ISP, firewalls, virus killers to run on this new OS.
I understand that Ubuntu can be made to be very secure, which does interest me a great deal. But again, I am still at the stage where I need to grasp the basics in how I can accomplish all this.


Ive also now uncovered some handy useful DOS programs which I really need to get more of an understanding with!
They include…

IPConfig
MSCONFIG -startup
Services.MSC
SFC Nslookup
NBTSTAT
NET

I have found some good little tutorials on some of these system progs aswell, but I don’t feel I am ready to use a lot of them until I grasp the basics first.


Now going onto Viruses, this has been another concern I had, and the conclusion I’ve found is that I will never be 100% sure while using the XP OS unless I know the system inside out.
I need to understand more about the Reigistry Keys and what each KEY is assigned for.
Thinking logically, I presume that the keys are in some kind of order for the computer to recognize in someway?
I have found some good Windows Tips on other sites by searching Google, and it has allowed me to play about a bit within the Registry while knowing Im not messing anything up to much. My next step of learning is to now grasp the Registry settings fully. Understand which each one does.

I now understand to some extent that owning an Anti-Virus program aren’t all they’re cracked out to be.
If the virus is not in the definitions, it wont get picked up, and could be years before a definition is actually found.
Solid technical knowledge I have found is to be the only way for a solid viral defence.

I use a number of different security measures now.
I did go with Node32 and Sunbelt Firewall to replace my Norton, But I have now resorted back to Norton, and putting up with the resources it consumes. If anyone has any serious objections to Norton other than resources, please, id appreciate it if you would PM me and let me know.
Reason I have resorted back…nothing to do with Node..I thought this was a fantastic virus killer.

My issue was more so with the Firewall. After installing Advanced Task Manager, it alerted me that Sunbelt Firewall, was in actual fact a key logger of some kind!!
I then tried installing ZoneAlarm but for some reason there kept being some conflict issues going on somewhere, and after already spending a good few hours trying to sort it all out, I decided to resort back to Norton for that all in one protection.
I now also use Spybot, HiJack This, and Advanced Task Manager.


With Viruses being one of my major concerns, I have had to try and understand them from source level, so I will pass on what I have learnt so far.

I have found that a basic virus must always have at least 2 parts to it…Or Sub Routines. And are created in Assembly language which I now also need to look into more!

The virus must contain a search routine, which can locate new files or discs to infect.
This first routine will will determine just how well the virus can reproduce. Eg, whether it can infect multi disks or just one disk, or just porions of a specific disk.
You also find there is always a size vs functionality trade off that they have to take into concideration.

Secondly, every virus must contain a routine to be able to copy itself into the program which the search routine locates. The type of file it infects, will also vary the size of the virus, as you find that exe files require much more work for the virus to do in able to attach itself correctly. .COM Files are much more easy for the virus to infect.
Now more advanced the virus, the more routines it will have within it.
They may have anti-detection routines, which range in complexity,
As well as more destructive routines, which again, will all add to the size the virus may be.

I have also read that all viruses will fall into 1 of 3 different categories…
1. Overwriting viruses
2. Companion viruses
3. Parasitic viruses

The closer to root they can “hook” the more chance they have of going by undetected.
• I need to grasp this more and figure out why this is. Why do programs at root have more privellage over that on a lower level?

There are so many different styles of viruses I have found and I would be here all day writing about them.

To shorten all this, all I can now say is that running any kind of program that is not ligit, can be releasing malware onto your machine.
There is no way of knowing for sure of viruses as if installing copied windows, you will be installing the virus at root level. Which oculd make it impossible for any AV to pick up. Like I said earlier, I need to understand the structuring and layering more to find out why this is the case, but I will update this post with anything else I find out about all this.

Also, with Trojans and Viruses…

Trojans could download more DLL files from the remote Hacker at later date to change, alter what the Trojan can do.
If written in such a way, it could change from being a backdoor to a keylogger.

So…

That’s all for now. It’s a start to this endless array of questions Ive got, and my next steps are as follows…


1a. Reformat, getting rid of anything which may contain Malware, and anything which could be hooked at the root of the computer.
1b. Partition my Drive to have Windows XP (Maybe Vista) and Ubuntu separate.
1b2. Maybe also look into hooking Ubuntu up to a Server and learn how to use remotely from any machine.
1b3. Learn Linux/ Ubuntu, learn how to make it secure, configure ISP, Firewall, AV etc

2. Look more into Proxys.
3. Identify & Understand why various DLL’s connect via svchost. Distinguish if malware or not.
4. Learn the Registry Inside Out.
5. Learn ALL files that are used to load up progs that the system uses during Start Up.

Anyway, I guess this will keep me going for the next step in my learning.


Like I said, any comments, Suggestions, & Links to anything related would be appreciated.


Thanks again.

Wow, the fact that I actually read all that amazes me. It sounds like you are headed on the right track. If you are THAT worried about viruses, spyware, trojans, etc. Why don't you have a computer that is not connected to the internet? I would take the mindset of all your computers that are connected to the internet will get infected sometime. There is no way to be 100% safe unless you unplug the cable. Even then, you could get a virus throught CD, Disk, thumb drive, etc. I would suggest a good backup system, ghost of your PC, etc. Know that your computer will get infected and be prepared to bring it back to life. Obvioulsy having a firewall, antivirus software, and OS knowlede will help prevent infection.

Thanks for the vote of confidence Skepticals. Still a lot to read, a lot of practical work required also, but im getting there.
Not bad for a couple of days work eh?
Ive managed to gather tonnes of info relating to viruses, "The Little Black Book" at VXHeavens. Probably the best site ive found relating to all this stuff.
The guide shows you even how to create a trojan in C, running with seperate DLLS and giving you the ability of downloading more DLLs to the hosts machine at a later date, to inturn, change the functionality of the trojan itself.
They are basic examples of how they are written, but very interesting....but too much and too indepth to write in this post.
Im using this kind of like a blog entry, gathering and collating the info, and writing it out in an understandable way for me to get my head round.
Adding all this info on C programming, creating multi dll trojans
I couldnt do, as I do not understand how to code in C for a start!

Maybe when I get to that level, and I can understand what I am writing then I will begin to post more advanced topics.

I'll carry on updating as I begin to learn more.


neomax

You sound willing to get into more depth than I have learned, that is for sure. Keep me informed.

nnbnbYou're definitely on the right track with all your researches neomax although I wouldn't personally go right into the details of things at this stage. The important thing I think is to understand enough to pick up the hardware/software and have a try; you'll learn more that way than just blowing your brains with abstract concepts.
On the subject of Ubuntu and Linux in general there are several very comprehensive beginner's posts right here on Firewall.cx - just use the Search facility in the blue text near the top of the page.
Regarding Svchost you might want to have a look at support.microsoft.com/kb/314056 if you haven't found this already. The key thing for you is probably to run the command shown and see what the locations are of the DLLs that are being called. You should then be able to figure out what they are and in turn whether they are legitimate or not

Thanks for the feedback Guys,
Its nice to hear your views on how I am getting on.

Bishop, I take on board what you are saying, it does make sense.
But what Hardware/ Software are we talking about here?
Do you have anything to recommend to me that is well documented and will be of some benefit for me to learn?

All the progs ive been advised to check of late include RegMon, Process Explorer & AutoRun, which I now have installed on my machine.
I will also look into the info on svchost and bookmark the MS site to use more often! It can be very useful!

And I will next try and distinguish if a dll file is anything to be concerned about or not!
I have a few uncertainties in doing this at present, but Im sure I will get my head round it all.
At the moment, the registry is a bit of a jigsaw to myself, and I need to identify why there are various Keys, and why values are set within that specific key.
Once I get a basic understanding of all this, I will then try and identify any suspicious dlls that may be floating around!

But youve given me a lot to go on for the time being.
It will probably take me another couple of days to piece all this together so i can write it in any kind of interpretable manner.

But thanks again,
The support Im getting is all good.


neomax