[ISN] Security UPDATE -- Honeypots That Collect Malware -- August 31, 2005

InfoSec News isn at c4i.org
Thu Sep 1 05:15:51 EDT 2005


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

A Robust Combination from Symantec

How to solve the anti-spam dilemma


1. In Focus: Honeypots That Collect Malware

2. Security News and Features
   - Recent Security Vulnerabilities
   - Vulnerabilities in PHP-based Libraries 
   - Secure Computing to Acquire CyberGuard 
   - EarthLink to Acquire Security Solutions Maker Aluria Software 

3. Security Toolkit
   - Security Matters Blog
   - FAQ

4. New and Improved
   - Pocket PC File Encryption


==== Sponsor: Symantec ====

A Robust Combination from Symantec
   Staying on top of today's vulnerabilities and threats is one of the 
most difficult, time-consuming, and even risky tasks facing IT 
professionals like you. Never has it been so important to proactively 
manage your IT environment. Fortunately, Symantec can help.
   Symantec LiveState Patch Manager 6.0 helps keep your enterprise 
devices secure and available by identifying known vulnerabilities and 
then installing necessary patches on hundreds of systems in minutes, 
not hours. That includes mobile and remote devices, too. 
   For extra protection from threats that even the latest patches can't 
address, there's Symantec Client Security 3.0. With its exclusive 
intrusion prevention technology, Symantec Client Security 3.0 
proactively protects systems against known and unknown exploits before 
they can compromise your system, including spyware, adware, viruses, 
and other malicious intrusions. Learn more at


==== 1. In Focus: Honeypots That Collect Malware ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The last two weeks, I've written about proactive honeypots that seek 
out malicious Web sites, two of which are unavailable to the public and 
one that you can download to run on your own networks. If you missed 
either of those articles, they're available on our Web site at the URLs 
below. This week, I'll discuss two "passive" honeypots--that is, 
honeypots that sit waiting for intrusion attempts. 

Because a honeypot has no legitimate users, any connection it receives 
is suspect, which makes it useful for determining what sort of 
intrusion attempts are being launched against your network. In some 
cases, a honeypot captures an intrusion method that even the most 
up-to-date Intrusion Detection System (IDS) has no signature for. 

I recently learned about two new honeypots. The first is mwcollect (at 
the URL below), which was released in April 2005 and is partially 
funded by The Honeynet Project. Mwcollect is designed specifically to 
collect malware--thus the "mw" prefix in the mwcollect name. The tool 
runs on Linux and OpenBSD and can also run under Cygwin, a POSIX 
compatibility layer for Windows platforms.

Mwcollect is a little different from typical honeypots because it was 
originally designed to collect bot software, but the current version 
collects worms and other malware that exploit the vulnerabilities 
mwcollect emulates. According to the mwcollect Web site, a system that 
runs the tool can't be infected by the malware it collects, because of 
the way mwcollect operates internally: it binds to the specified 
ports, waits for an exploit attempt, scans the incoming payload for 
shellcode, and tries to download whatever malware that shellcode 
points to. The exploit is parsed, never run against a real service. 
Captured samples can then be submitted to a database at the mwcollect 
Web site. 

The next version of mwcollect will offer three levels of network 
interactivity. The first and highest level is the one described above: 
bind ports, accept exploit attempts, download the related malware. The 
second level will passively analyze network traffic (as a sniffer in 
promiscuous mode does) and will still try to download any related 
malware. The third and lowest level will also passively analyze 
network traffic but won't try to download anything. You can learn a 
little more about the tool at the Web site and join the project's 
Internet Relay Chat (IRC) channel for further discussion. 

The second new honeypot, Nepenthes, was released earlier this month and 
is similar to mwcollect. It too presents known vulnerabilities to the 
network and waits for intrusion attempts. Current modules for Nepenthes 
let it emulate vulnerabilities in DCOM, the Local Security Authority 
Subsystem Service (LSASS), WINS, the ASN.1 library, NetBIOS, SQL 
Server, and many other Microsoft services. Because Nepenthes runs on 
Linux, none of those Windows services actually exists on the host; the 
emulation modules only parse the exploits, so the Windows payloads 
they carry have little or no effect on the underlying OS. 

Just like mwcollect, when Nepenthes detects an intrusion attempt, it 
tries to download the related malware through a variety of methods, 
including FTP, Trivial FTP (TFTP), and HTTP. Captured malware is then 
sent to a central server hosted by the developers of the tool. 

Documentation for Nepenthes doesn't explain what goes on under the 
hood. But as best I can determine (I haven't actually installed the 
tool yet), it captures shellcode from exploit attempts; looks for 
instructions that try to download code from the Internet (which many 
types of malware have); and if it finds such instructions, proceeds to 
try to download the malware in accordance with the intruder's intent--
for example, if the captured code indicates that the system should use 
FTP to download a file, Nepenthes will try to do that. I suspect that 
mwcollect works in a similar fashion. Nepenthes doesn't appear to run 
on Windows platforms using Cygwin, so you'll probably need a Linux-
based system to put it to use on your networks.

If, like so many administrators these days, you run honeypots, be sure 
to take a closer look at mwcollect and Nepenthes. 


We need your help! Windows IT Pro is launching its second Windows IT 
Pro Industry Salary Survey, and we want to find out all about you and 
what makes you a satisfied IT pro. When you complete the survey (about 
10 minutes of your time), you'll be entered in a drawing for one of two 
$300 American Express gift certificates. Look for the survey results--
and see how you stack up against your peers--in our December issue. To 
take the survey, go to 


==== Sponsor: Postini ====

How to solve the anti-spam dilemma
   In this free white paper learn why older spam prevention 
technologies using traditional content filtering don't work against the 
latest spammer tactics - and why more corporate email administrators 
are turning to a more accurate, more effective approach: managed email 
security service. Find out how to achieve email security dynamically 
with multiple layer protection ... minimize false positives ... cut 
email administration costs (and hassles) ... and keep user communities 
happy and productive. Download your free copy now.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Vulnerabilities in PHP-based Libraries 
   Major security problems in two popular PHP libraries have led to the 
complete removal of a particular programming function from those 
libraries. In June, problems were discovered in libraries that provide 
XML-RPC support for PHP applications, libraries used by many 
applications today, including hugely popular blog software packages. A 
subsequent code audit revealed still more vulnerabilities. 

Secure Computing to Acquire CyberGuard 
   Secure Computing announced that it will acquire CyberGuard. Under 
the terms of the deal, Secure Computing will acquire all outstanding 
shares of CyberGuard common stock and in turn give shares of its common 
stock, as well as cash, to CyberGuard stockholders.

EarthLink to Acquire Security Solutions Maker Aluria Software 
   EarthLink and Aluria Software announced a deal in which EarthLink 
will acquire the assets of Aluria, makers of the Spyware Eliminator 
software. Terms of the deal, expected to close in September, weren't 


==== Resources and Events ====

SQL Server 2005 Roadshow Is Coming to a City Near You
   Get the facts about migrating to SQL Server 2005. SQL Server experts 
will present real-world information about administration, development, 
and business intelligence to help you implement a best-practices 
migration to SQL Server 2005 and improve your database computing 
environment. Attend and receive a 1-year membership to PASS and 1-year 
subscription to SQL Server Magazine. Register now!

Consolidate Your SQL Server Infrastructure
   Shared data clustering is the breakthrough consolidation solution 
for Microsoft Windows servers. In this free Web seminar, learn how 
shared data clustering technology can reduce capital expenditures by at 
least 50 percent, improve management efficiency, reduce operational 
expense, ensure high availability across all SQL Server instances, and 
more! Find out how you can reduce the overall Total Cost of Ownership 
(TCO) for SQL Server cluster deployments by as much as 60 percent over 
three years! Sign up today!

High Risk Internet Access: Are You in Control?
   Defending against Internet criminals, spyware, and phishing and 
addressing the points of risk that Internet-enabled applications expose 
your organization to can seem like an epic battle with Medusa. So how 
do you take control of these valuable resources? In this free Web 
seminar, you'll get the tools you need to help you analyze the impact 
Internet-based threats have on your organization and tools to aid you 
in the construction of Acceptable-Use Policies (AUPs).

Get Ready for SQL Server 2005 Roadshow in Europe
   Back by popular demand--Get the facts about migrating to SQL Server 
2005! SQL Server experts will present real-world information about 
administration, development, and business intelligence to help you 
implement a best-practices migration to SQL Server 2005 and improve 
your database-computing environment. Receive a 1-year membership to 
PASS and 1-year subscription to SQL Server Magazine. Register now!

Discover SQL Server 2005 for the enterprise. Are you prepared?
   In this free, half-day event, you'll learn how the top new features 
of SQL Server 2005 will help you create and manage large-scale, 
mission-critical, enterprise database applications--making your job 
easier. Find out how to leverage SQL Server 2005's new capabilities to 
best support your business initiatives. Register today!

All high availability solutions are not created equal--how does yours 
measure up?
   In this free Web seminar, you'll get the tools you need to ensure 
your systems aren't going down. You'll discover the various categories 
of high availability and disaster recovery solutions available and the 
pros and cons of each. You'll learn what solutions help you take 
preemptive, corrective action without resorting to a full system 
failover, or in extreme cases, that perform a nondisruptive, automatic 
switchover to a secondary server.


==== Featured White Paper ====

The Impact of Disk Defragmentation
   Nearly every IT professional has a fragmentation horror story--in 
which fragmentation severely degraded performance so that systems were 
unusable. In this free white paper, learn what impact fragmentation has 
on users and system activities and discover how quickly fragmentation 
accumulates as a result of these activities. Plus get the 
recommendations you need to manage the frequency of defragmentation 
across your infrastructure.


==== 3. Security Toolkit ==== 

Security Matters Blog: Wi-Fi Security Is Better Than I Expected 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=1264F:4FB69

There's a lot of talk about the need for increased Wi-Fi security. I 
was surprised at what I found when I did a little "war driving" in my 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=1264E:4FB69 

Q: I created a custom .adm file and imported it into a Group Policy 
Object's (GPO's) Administrative Templates. Why can't I see any of the 
settings in Group Policy Editor (GPE)?

Find the answer at


==== Announcements ====
   (from Windows IT Pro and its partners)

Stay Up-To-Date with the Windows IT Security Newsletter
   Each new issue of the Windows IT Security newsletter features 
related product coverage of the best security tools available and 
expert advice on the best way to implement various security components. 
We've also expanded our security content to include even more 
fundamentals on building and maintaining a secure enterprise. In 
addition, paid subscribers get online access to our entire online 
security article database (over 1900 articles)! Subscribe today:

VIP Monthly Online Pass = Quick Security Answers!
   Sign up today for your VIP Monthly Online Pass and get 24/7 access 
to the entire online article database, including exclusive, subscriber-
only Windows IT Security newsletter content. That's a database of over 
1900 security articles to help you get all the answers you need, when 
you need them. Sign up now:


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Pocket PC File Encryption
   Infotecs offers ViPNet Safe Disk for Pocket PC, which encrypts and 
password-protects sensitive files on PDAs. Data is protected even when 
the device is switched off or in standby mode. You can open and edit 
any file from a secure folder in a word processor or database program--
the file is automatically decrypted when opened and encrypted when 
saved. ViPNet Safe Disk for Pocket PC supports two 256-bit encryption 
algorithms: Advanced Encryption Standard (AES) and Government Standard 
(GOST). The interface is specially designed to help PDA users manage 
protected files and folders with just a few taps. You can exchange 
protected data with a PC that's running ViPNet Safe Disk. ViPNet Safe 
Disk for Pocket PC runs under Windows Mobile 2003 and costs $26.40 for 
a single-user license. For more information, go to 

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Professional and secure remote control from all major platforms

Argent Versus MOM 2005
   Experts Pick the Best Windows Monitoring Solution

Tech jobs at Dice
   Search 65K+ new IT jobs daily--Tech expert jobs at top companies!


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=12650:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
