[ISN] Inside Botnets
isn at c4i.org
Fri Mar 31 01:23:34 EST 2006
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
1. In Focus: Inside Botnets
2. Security News and Features
- Recent Security Vulnerabilities
- Check Point and Sourcefire Cancel Merger
- MetaFisher Still Stealing Sensitive Data
3. Security Toolkit
- Security Matters Blog
- Security Forum Featured Thread
- Share Your Security Tips
4. New and Improved
- Security Test Web Apps as You Write Them
==== Sponsor: Winternals Software ====
Winternals Protection Manager
How will you protect your enterprise from zero-day attacks?
Protection Manager blocks unknown applications from running until you
specifically authorize them. No need to wait for an update--you're
already protected. Plus, Protection Manager enables a secure, successful
least-privilege network without compromising legacy applications by
decoupling privilege levels of applications from users, and promotes
culturally acceptable PC lockdown with real-time approval or denial of
user application requests. Protection Manager forms a crucial layer of
your defense-in-depth security strategy, helping enforce corporate
technology policies, ensuring compliance with regulatory acts like
HIPAA and Sarbanes-Oxley, and dramatically reducing the labor burden on
IT. Download your 30-day evaluation copy of Protection Manager at:
==== 1. In Focus: Inside Botnets ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
In the news recently was an interesting story about MetaFisher (also
known as Spy-Agent), a Trojan horse program that steals personal
financial information. What was particularly interesting about the news
report that I received from iDefense was screenshots of the control
interface used by the MetaFisher bot network (botnet) operators. The
images give a good idea of what goes on behind the scenes of botnets.
If you've already looked at the news story that I posted on our Web
site and didn't see the images, be sure to check it again--I added the
images on Monday. You can link to the story from the MetaFisher news
Botnets are a huge problem. Understanding how bots work helps us
understand how to defend against them and how to shut down botnets.
Every antivirus vendor and many other types of security vendors hold a
wealth of information about untold numbers of bots. However, when these
companies publish alerts and advisories about bots, the reports rarely
contain much detail about the inner workings and capabilities of the
bots. So learning how a bot behaves is typically rough work. Even if you
manage to capture a bot, you're left to reverse-engineer it on your own.
Paul Barford and Vinod Yegneswaran of the University of Wisconsin
Computer Sciences Department wrote an excellent white paper, "An Inside
Look at Botnets." The pair gives detailed insight into four bot
families: Agobot, SDBot, GT Bot, and Spybot.
If you read the white paper, you'll learn that although most bots today
operate in conjunction with Internet Relay Chat (IRC) servers (a
central IRC server is a single point of control that can be blocked or
taken down, which makes shutting down such botnets somewhat less
difficult), some bots are beginning to gain peer-to-peer functionality.
This evolution of course means that shutting down botnets will become
more difficult in many cases in the future.
What I found particularly interesting about the white paper is that
Barford and Yegneswaran reveal the complete command sets of the bot
variants they examined. The commands include those used by bots during
interaction with IRC servers and those used by bots for interaction
with the local host on which the bot is installed. For example, some
bots can scan the registry to obtain software CD keys, AOL account
information, PayPal account information, and so on. Some bots can also
lock down a host to some extent by disabling services selectively as
well as starting the bot operator's services of choice. These commands
give botnet operators a huge amount of control over infected systems.
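Because the bots the paper describes take their orders as ordinary IRC messages, the command traffic is visible to anyone watching the wire. The following is an added example, not code from the newsletter or from Barford and Yegneswaran's paper: it parses raw IRC lines (RFC 1459 framing), flags channel messages that look like operator commands, and flags channels whose joiners mostly carry machine-generated nicks. The log lines are constructed; the dotted command names imitate the "family.action" style the paper documents for Agobot, and the keyword list and nick pattern are this example's own heuristics.

```python
"""Flag IRC traffic that looks like botnet command and control.

Added example (not from the newsletter or from Barford and Yegneswaran's
paper). The log lines below are constructed, not captured; the command
names follow the dotted "family.action" style the paper documents for
Agobot, but the keyword list is this example's own heuristic.
"""
import re
from collections import Counter, defaultdict

# Verbs an operator would send to a channel full of bots (heuristic list).
BOT_COMMAND_KEYWORDS = {
    "scan", "ddos", "harvest", "download", "execute", "update",
    "keylog", "login", "redirect", "sysinfo",
}

# RFC 1459 framing: optional ":prefix", a command word or 3-digit numeric,
# then parameters; the last parameter may be a ":trailing" free-text field.
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>[A-Z]+|\d{3})(?: (?P<params>.*))?$"
)

# Auto-generated nicks such as "[USA]-8821931" or "DEU|3321100" (heuristic).
GENERATED_NICK = re.compile(r"^[\[\]A-Za-z|]{0,8}[-|]?\d{4,}$")


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, command, first_target, trailing)."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params = m.group("params") or ""
    target = trailing = None
    if params.startswith(":"):
        trailing = params[1:]
    elif " :" in params:
        head, trailing = params.split(" :", 1)
        target = head.split()[0] if head.split() else None
    else:
        target = params.split()[0] if params.split() else None
    return m.group("prefix"), m.group("command"), target, trailing


def looks_like_bot_command(text):
    """True when a PRIVMSG payload starts with a sigil and a known verb,
    e.g. '.scan.addnetrange 10.0.0.0/16' or '!ddos.synflood 203.0.113.9'."""
    m = re.match(r"^[.!$~]([A-Za-z_]+)", text)
    return bool(m) and m.group(1).lower() in BOT_COMMAND_KEYWORDS


def analyze_irc_log(lines):
    """Return operator-looking commands and channels dominated by generated nicks."""
    commands = []                 # (sender_nick, channel, payload)
    joins = defaultdict(set)      # channel -> nicks that joined
    generated = Counter()         # channel -> joins by generated-looking nicks
    for line in lines:
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        prefix, cmd, target, trailing = parsed
        nick = prefix.split("!", 1)[0] if prefix else None
        if cmd == "JOIN":
            chan = (target or trailing or "").lstrip(":")
            if chan:
                joins[chan].add(nick)
                if nick and GENERATED_NICK.match(nick):
                    generated[chan] += 1
        elif cmd == "PRIVMSG" and trailing and looks_like_bot_command(trailing):
            commands.append((nick, target, trailing))
    # A channel where most joiners have machine-generated nicks is a C&C candidate.
    suspicious_channels = {
        chan for chan, n in generated.items()
        if len(joins[chan]) >= 3 and n / len(joins[chan]) >= 0.5
    }
    return {"commands": commands, "suspicious_channels": suspicious_channels}


SAMPLE_LOG = [  # constructed for this example
    ":[USA]-8821931!u@10.0.0.12 JOIN :#b0tz",
    ":[DEU]-1200455!u@10.0.0.19 JOIN :#b0tz",
    ":[USA]-7736610!u@10.0.0.33 JOIN :#b0tz",
    ":op!op@198.51.100.7 PRIVMSG #b0tz :.scan.addnetrange 10.0.0.0/16 15",
    ":op!op@198.51.100.7 PRIVMSG #b0tz :.harvest.cdkeys",
    ":[USA]-8821931!u@10.0.0.12 PRIVMSG #b0tz :[SCAN]: Scanning 10.0.0.0/16",
    ":alice!a@192.0.2.5 JOIN :#linux",
    ":bob!b@192.0.2.6 JOIN :#linux",
    ":bob!b@192.0.2.6 PRIVMSG #linux :.bashrc is only read by interactive shells",
]

if __name__ == "__main__":
    report = analyze_irc_log(SAMPLE_LOG)
    for nick, chan, payload in report["commands"]:
        print(f"command from {nick} in {chan}: {payload}")
    print("suspicious channels:", sorted(report["suspicious_channels"]))
```

The two detectors are deliberately independent: a command-like message from a lone sender is weak evidence (the #linux line about .bashrc is the kind of false positive a keyword match alone produces), but a channel where most joiners have generated nicks and one sender issues such commands is strong evidence. Bots that switch to encrypted or peer-to-peer channels, as the paper warns some are starting to, defeat this kind of plaintext inspection.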
Other commands let the botnet operators perform exploits and attacks.
For example, Agobot (which is among the most sophisticated of bots
today) can scan for systems with vulnerabilities in DCOM (the Windows
RPC service), DameWare Development software, and Famatech's RADMIN;
scan for back doors left open by Bagle and MyDoom; and brute-force-crack
NetBIOS and Microsoft SQL Server passwords. Agobot can also launch
seven types of Distributed Denial of Service (DDoS) attacks. Adding to
the danger level, Agobot is polymorphic to some extent, with four ways
of obscuring its network communications.
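The spreading behavior just described has a network signature: one infected host probing the same handful of ports across many neighbors in a short time. The following is an added example, not code from the newsletter or the paper: it runs a sliding-window horizontal-scan detector over constructed flow records. The port-to-target map uses the well-known listening ports for the services Agobot scans for (135 for RPC/DCOM, 139 and 445 for NetBIOS/SMB, 1433 for SQL Server, 6129 for DameWare, 4899 for RADMIN, 2745 and 3127 for the Bagle and MyDoom back doors); that a given bot build probes exactly these ports is an assumption of the example, not something the newsletter states.

```python
"""Detect horizontal scans on the ports an Agobot-style spreader probes.

Added example, not from the newsletter or the paper. Flow records are
constructed. Ports are the well-known defaults for each target service
(an assumption; a bot can be configured for others).
"""
from collections import Counter, defaultdict

SCANNER_PORTS = {
    135:  "MS RPC/DCOM",
    139:  "NetBIOS session (password brute force)",
    445:  "SMB over TCP (password brute force)",
    1433: "Microsoft SQL Server (password brute force)",
    6129: "DameWare Mini Remote Control",
    4899: "Famatech Radmin",
    2745: "Bagle backdoor",
    3127: "MyDoom backdoor",
}


def detect_scans(records, window=60, min_hosts=10):
    """Return {(src, dport): (distinct_hosts, service)} for every source that
    reached at least `min_hosts` distinct destinations on one scanner port
    within some `window`-second span. records: iterable of (ts, src, dst, dport).
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport in SCANNER_PORTS:
            by_key[(src, dport)].append((ts, dst))

    hits = {}
    for key, events in by_key.items():
        events.sort()
        in_window = Counter()     # dst -> number of flows inside the window
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until the window is `window` wide.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_hosts:
            hits[key] = (best, SCANNER_PORTS[key[1]])
    return hits


def constructed_flows():
    """Synthetic (ts, src, dst, dport) records exercising the detector."""
    flows = []
    # Fast sweep: one source hits 30 hosts on 135 in 30 seconds.
    for i in range(30):
        flows.append((1000 + i, "10.0.0.12", f"10.0.1.{i + 1}", 135))
    # Same source, only 5 hosts on 445: below the threshold.
    for i in range(5):
        flows.append((1031 + i, "10.0.0.12", f"10.0.1.{i + 1}", 445))
    # A workstation hammering one file server: many flows, one destination.
    for i in range(40):
        flows.append((1000 + i, "10.0.0.50", "10.0.2.9", 445))
    # Slow sweep: 15 hosts on the Bagle backdoor port, one probe every 10 s.
    for i in range(15):
        flows.append((2000 + 10 * i, "10.0.0.77", f"10.0.3.{i + 1}", 2745))
    # Traffic on a port the scanner never touches is ignored entirely.
    flows.append((1000, "10.0.0.50", "10.0.2.10", 443))
    return flows


if __name__ == "__main__":
    for (src, port), (n, what) in detect_scans(constructed_flows()).items():
        print(f"{src} probed {n} hosts on {port} ({what})")
```

With the defaults the fast sweep on port 135 is reported and nothing else is: the repeated connections to a single file server never count as more than one destination, and the slow sweep never fits ten hosts into a 60-second window. Widening the window to 200 seconds catches the slow sweep as well, which is the usual tuning trade-off between catching patient scanners and tolerating normal bursty traffic.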
This is just a brief summary of some of the information you'll learn by
reading "An Inside Look at Botnets." The paper (available in PDF format
at the URL below) is a real eye-opener, particularly if you don't have
much knowledge of how bots operate. The information can help you think
of ways to detect some of the related activity on your networks. It's
definitely worth the read.
==== Sponsor: Liquid Machines ====
Extend Microsoft Windows Rights Management Services (RMS) to support
enterprise requirements for information protection, including
proprietary business data.
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
Check Point and Sourcefire Cancel Merger
We previously reported that Israel-based Check Point Software and
U.S.-based Sourcefire planned to merge pending review by the Committee
on Foreign Investment in the United States. The merger has now been
cancelled, with no official reason given.
MetaFisher Still Stealing Sensitive Data
MetaFisher--a Trojan horse discovered over a month ago--is still
wreaking havoc against unsuspecting users. Ken Dunham of iDefense
provided screenshots (seen below) of the attacker's management
interface for the bot network (botnet). Take a look!
==== Resources and Events ====
Learn to secure your IM traffic--don't let your critical business
information be intercepted!
When disaster strikes your servers, whether they're dedicated to
Windows, SQL, or Exchange, you need answers. Make sure that when an
emergency occurs, you're prepared. Get the HA Solutions eBook and get
started on your recovery plan today!
Use Windows Server 2003 R2 as a platform for SQL Server 2005 to support
large-database requirements, including clustering and multiple
processors. Register for this free Web seminar today!
Gain control of your messaging data with step-by-step instructions for
complying with the law, ensuring your systems are working properly, and
ultimately making your job easier.
How do you ensure that your email system isn't vulnerable to a
messaging meltdown? In this Web seminar, Exchange guru Paul Robichaux
tells you what you should do before you have an outage to increase your
chances of coming out of it smelling like roses.
==== Featured White Paper ====
Learn to identify the top 5 IM security risks and protect your networks
==== Hot Spot ====
Explore how the standardization of storage hardware will change
market dynamics, focusing on the growth of iSCSI SANs and "glue
==== 3. Security Toolkit ====
Security Matters Blog: Think IPsec
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2548B:4FB69
IPsec could help you improve security for your domains and servers.
This blog article links you to resources that show you how.
by John Savill, http://list.windowsitpro.com/t?ctl=25489:4FB69
Q: How can I use a script to list all subnets in a site?
Find the answer at http://list.windowsitpro.com/t?ctl=25485:4FB69
Security Forum Featured Thread:
Marcus has been trying to configure a Juniper Networks NetScreen 5GT
firewall to pass PPTP traffic to a VPN on Windows Small Business Server
(SBS) 2003. He can connect and is prompted for a username and password,
but then the connection just hangs. The event log shows an error (event
ID 20209) indicating that Generic Routing Encapsulation (GRE) packets
were unable to pass through the firewall. Marcus says he found a way to
create a custom service for GRE passthrough, but this still didn't
resolve the issue. Any ideas? Join the discussion at
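The event Marcus describes is the classic PPTP firewall failure: the control connection (TCP port 1723) gets through, so the password prompt appears, but the data channel is not TCP or UDP at all. PPTP (RFC 2637) carries PPP frames inside enhanced GRE packets, IP protocol 47, so a "custom service" defined by TCP or UDP port can never match them; the firewall must permit IP protocol 47 itself (or have a PPTP-aware ALG). The following is an added example, not from the forum thread: it builds a constructed PPTP control packet and a constructed GRE data packet as byte strings and shows that a TCP-port rule passes the first but not the second. The packet fields are per RFC 2637 and RFC 791; the rule format is this example's own.

```python
"""Why a TCP/UDP 'custom service' cannot carry PPTP: the tunnel is GRE.

Added example, not from the newsletter. PPTP (RFC 2637) uses a TCP control
connection on port 1723 plus a data channel of enhanced-GRE packets
(IP protocol 47, GRE version 1, protocol type 0x880B for PPP). Both
packets built here are constructed byte strings, not captures.
"""
import struct

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_CONTROL_PORT = 1723
GRE_PPP_PROTOCOL = 0x880B


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload


def build_tcp_syn(sport, dport):
    """20-byte TCP header with only SYN set and no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_pptp_gre(call_id, seq, ppp_payload):
    """Enhanced GRE header (RFC 2637): K and S bits set, version 1,
    protocol 0x880B, key = payload length (high half) + call ID (low half),
    then a 32-bit sequence number, then the PPP frame."""
    flags_ver = 0x3001  # K (0x2000) | S (0x1000) | version 1
    header = struct.pack("!HHHHI", flags_ver, GRE_PPP_PROTOCOL,
                         len(ppp_payload), call_id, seq)
    return header + ppp_payload


def classify(packet):
    """Describe what a firewall rule would have to match for this packet:
    ('tcp', sport, dport), ('gre-pptp', call_id), ('gre', proto_type)
    or ('other', ip_proto)."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        return ("tcp", sport, dport)
    if proto == IPPROTO_GRE:
        flags_ver, proto_type = struct.unpack("!HH", body[:4])
        version = flags_ver & 0x0007
        key_present = bool(flags_ver & 0x2000)
        if version == 1 and proto_type == GRE_PPP_PROTOCOL and key_present:
            _payload_len, call_id = struct.unpack("!HH", body[4:8])
            return ("gre-pptp", call_id)
        return ("gre", proto_type)
    return ("other", proto)


def rule_permits(rule, packet):
    """Rules are ('tcp', port) or ('ip-proto', number); the example's own
    format. A TCP-port rule can never match a GRE packet."""
    kind = classify(packet)
    if rule[0] == "tcp":
        return kind[0] == "tcp" and kind[2] == rule[1]
    if rule[0] == "ip-proto":
        return packet[9] == rule[1]
    return False


def blocked_by_policy(rules, packets):
    """Classifications of the packets that no rule in the policy permits."""
    return [classify(p) for p in packets
            if not any(rule_permits(r, p) for r in rules)]


# Constructed packets: client 203.0.113.10 -> PPTP server 198.51.100.2.
CONTROL = build_ipv4(IPPROTO_TCP, "203.0.113.10", "198.51.100.2",
                     build_tcp_syn(50000, PPTP_CONTROL_PORT))
DATA = build_ipv4(IPPROTO_GRE, "203.0.113.10", "198.51.100.2",
                  build_pptp_gre(call_id=7, seq=1, ppp_payload=b"\xff\x03\xc0\x21"))

if __name__ == "__main__":
    print("TCP-only policy blocks:", blocked_by_policy([("tcp", 1723)], [CONTROL, DATA]))
    print("With protocol 47 added:",
          blocked_by_policy([("tcp", 1723), ("ip-proto", 47)], [CONTROL, DATA]))
```

The first policy reproduces the symptom in the thread: the control SYN is permitted, authentication proceeds, and then every GRE data packet is dropped, so the session hangs. Adding a rule for IP protocol 47 (not a TCP or UDP port) is what lets the tunnel complete; on NAT devices the call ID in the GRE key is also what a PPTP ALG uses to map the return traffic, which is why plain port forwarding is not enough there either.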
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's
Reader to Reader column. Email your contributions to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Announcements ====
(from Windows IT Pro and its partners)
VIP Monthly Pass Subscribers have it all!
Become a VIP Monthly Pass subscriber and get continuous, inside
access to ALL the online resources published in Windows IT Pro, SQL
Server Magazine, and the Exchange and Outlook Administrator, Windows
Scripting Solutions, and Windows IT Security newsletters--that's more
than 26,000 articles at your fingertips. You'll also get the latest
digital issue (just like the print edition, but delivered directly to
your inbox) of Windows IT Pro each month. Subscribe now:
Save 44% off Exchange & Outlook Administrator
For a limited time, order the Exchange & Outlook Administrator
newsletter and SAVE up to $80 off the cover price. You'll discover
endless tools and solutions you won't find anywhere else to help you
migrate, optimize, administer, back up, recover, and secure Exchange
and Outlook. You'll also get FREE, unlimited access to the full online
Exchange article library (more than 1,000 articles). Subscribe now:
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Security Test Web Apps as You Write Them
Compuware DevPartner SecurityChecker 2.0 identifies security
vulnerabilities in Microsoft ASP.NET applications and pinpoints their
location in source code. New features in DevPartner SecurityChecker 2.0
include full integration with Visual Studio 2005; improvements in
creating and managing discovery maps; improvements in existing SQL
injection and other vulnerability detection; and 30 new integrity
rules, including rules for finding Google hacking vulnerabilities such
as pages containing configuration information and hidden content.
DevPartner SecurityChecker 2.0 is currently available for a U.S. list
price of $12,000 per concurrent user. Volume discounts are available.
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2548D:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.
More information about the ISN