[ISN] Inside Botnets

InfoSec News isn at c4i.org
Fri Mar 31 01:23:34 EST 2006



1. In Focus: Inside Botnets

2. Security News and Features
   - Recent Security Vulnerabilities
   - Check Point and Sourcefire Cancel Merger
   - MetaFisher Still Stealing Sensitive Data

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread
   - Share Your Security Tips

4. New and Improved
   - Security Test Web Apps as You Write Them



==== 1. In Focus: Inside Botnets ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

In the news recently was an interesting story about MetaFisher (also 
known as Spy-Agent), a Trojan horse program that steals personal 
financial information. What was particularly interesting about the news 
report that I received from iDefense was screenshots of the control 
interface used by the MetaFisher bot network (botnet) operators. The 
images give a good idea of what goes on behind the scenes of botnets. 
If you've already looked at the news story that I posted on our Web 
site and didn't see the images, be sure to check it again--I added the 
images on Monday. You can link to the story from the MetaFisher news 
story below.

Botnets are a huge problem. Understanding how bots work helps us 
understand how to defend against them and how to shut down botnets. 
Every antivirus vendor and many other types of security vendors hold a 
wealth of information about untold numbers of bots. However, when these 
companies publish alerts and advisories about bots, the reports rarely 
contain much detail about the inner workings and capabilities of the 
bots. So learning how a bot behaves is typically rough work: even if you 
manage to capture a bot, you're left to reverse-engineer it on your own. 

Paul Barford and Vinod Yegneswaran of the University of Wisconsin 
Computer Sciences Department wrote an excellent white paper, "An Inside 
Look at Botnets." The pair give detailed insight into four types of 
bots, including those based on Agobot, SDBot, GT Bot, and Spybot. 

If you read the white paper, you'll learn that although most bots today 
operate in conjunction with Internet Relay Chat (IRC) servers (which 
makes shutting down botnets somewhat less difficult), some bots are 
beginning to gain peer-to-peer functionality. This evolution of course 
means that shutting down botnets will become more difficult in many 
cases in the future. 

What I found particularly interesting about the white paper is that 
Barford and Yegneswaran reveal the complete command sets of the bot 
variants they examined. The commands include those used by bots during 
interaction with IRC servers and those used by bots for interactivity 
with the local host on which the bot is installed. For example, some 
bots can scan the registry to obtain CD-ROM keys, AOL account 
information, PayPal account information, and so on. Some bots can also 
lock down a host to some extent by disabling services selectively as 
well as starting the bot operator's services of choice. These commands 
give botnet operators a huge amount of control over infected systems. 

Other commands let the botnet operators perform exploits and attacks. 
For example, Agobot (which is among the most sophisticated of bots 
today) can scan for systems with vulnerabilities in DCOM, DameWare 
Development software, and Famatech International's RADMIN; scan for back 
doors left open by Bagle and MyDoom; and brute-force-crack NetBIOS and 
Microsoft SQL Server passwords. Agobot can also launch seven types of 
Distributed Denial of Service (DDoS) attacks. Adding to the danger 
level, Agobot is polymorphic to some extent, with four ways of 
obscuring its network communications. 

This is just a brief summary of some of the information you'll learn by 
reading "An Inside Look at Botnets." The paper (available in PDF format 
at the URL below) is a real eye-opener, particularly if you don't have 
much knowledge of how bots operate. The information can help you think 
of ways to detect some of the related activity on your networks. It's 
definitely worth the read.
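As an added illustration of the detection angle above (this is not code from the newsletter or from the Barford and Yegneswaran paper), the heuristic below looks for the IRC rendezvous pattern the column describes: several internal hosts opening IRC sessions to the same external server. It assumes a connection log already reduced to (source, destination, port, first client line) tuples, with the sample records constructed inline.

```python
import re
from collections import defaultdict

# Conventional IRC ports (assumption: what your network treats as "IRC").
IRC_PORTS = {6667, 6668, 6669, 7000}
# IRC client commands from RFC 1459; a session whose first client line starts
# with one of these is IRC regardless of the destination port.
IRC_OPENING = re.compile(r"^(NICK|USER|PASS|JOIN|PRIVMSG)\s", re.IGNORECASE)
# Flag a server once this many distinct internal hosts talk IRC to it.
MIN_HOSTS = 3

# Constructed sample: (internal src, external dst, dst port, first client line)
SAMPLE_LOG = [
    ("10.0.0.12", "203.0.113.5", 6667, "NICK bot-a1"),
    ("10.0.0.15", "203.0.113.5", 6667, "NICK bot-b7"),
    ("10.0.0.21", "203.0.113.5", 8080, "NICK bot-c3"),      # IRC on a non-IRC port
    ("10.0.0.30", "198.51.100.7", 443, "\x16\x03\x01"),     # TLS handshake, not IRC
    ("10.0.0.12", "198.51.100.9", 80, "GET / HTTP/1.1"),
    ("10.0.0.44", "203.0.113.5", 6667, "USER x 0 * :x"),
    ("10.0.0.50", "198.51.100.20", 6667, "NICK alice"),     # lone human IRC user
]


def is_irc(port, first_line):
    """True if the session looks like IRC by port or by opening command."""
    return port in IRC_PORTS or bool(IRC_OPENING.match(first_line))


def find_c2_candidates(records, min_hosts=MIN_HOSTS):
    """Map each external IRC server to the sorted internal hosts using it,
    keeping only servers contacted by at least min_hosts distinct hosts."""
    hosts_by_server = defaultdict(set)
    for src, dst, port, first_line in records:
        if is_irc(port, first_line):
            hosts_by_server[dst].add(src)
    return {dst: sorted(hosts) for dst, hosts in hosts_by_server.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for server, hosts in find_c2_candidates(SAMPLE_LOG).items():
        print(f"possible IRC C2 {server}: {len(hosts)} internal hosts {hosts}")
```

The payload check is what catches a bot that has moved its channel off port 6667; the host-count threshold is what separates a shared rendezvous point from one person's IRC client.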



==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

Check Point and Sourcefire Cancel Merger
   We previously reported that Israel-based Check Point Software and 
U.S.-based Sourcefire planned to merge, pending review by the Committee 
on Foreign Investment in the United States. The merger has now been 
cancelled, with no official reason given.

MetaFisher Still Stealing Sensitive Data
   MetaFisher--a Trojan horse discovered over a month ago--is still 
wreaking havoc against unsuspecting users. Ken Dunham of iDefense 
provided screenshots (seen below) of the attacker's management 
interface for the bot network (botnet). Take a look! 



==== 3. Security Toolkit ==== 

Security Matters Blog: Think IPsec
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2548B:4FB69

IPsec could help you improve security for your domains and servers. 
This blog article links you to resources that show you how.

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=25489:4FB69 

Q: How can I use a script to list all subnets in a site?

Find the answer at http://list.windowsitpro.com/t?ctl=25485:4FB69

Security Forum Featured Thread: 
   Marcus has been trying to configure a Juniper Networks NetScreen 5GT 
firewall to pass PPTP traffic to a VPN on Windows Small Business Server 
(SBS) 2003. He can connect and is prompted for a username and password, 
but then the connection just hangs. The event log shows an error (event 
ID 20209) indicating that Generic Routing Encapsulation (GRE) packets 
were unable to pass through the firewall. Marcus says he found a way to 
create a custom service for GRE passthrough, but this still didn't 
resolve the issue. Any ideas? Join the discussion at 

Share Your Security Tips and Get $100
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's 
Reader to Reader column. Email your contributions to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.



==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Security Test Web Apps as You Write Them
   Compuware DevPartner SecurityChecker 2.0 identifies security 
vulnerabilities in Microsoft ASP.NET applications and pinpoints their 
location in source code. New features in DevPartner SecurityChecker 2.0 
include full integration with Visual Studio 2005; improvements in 
creating and managing discovery maps; improvements in existing SQL 
injection and other vulnerability detection; and 30 new integrity 
rules, including rules for finding Google hacking vulnerabilities such 
as pages containing configuration information and hidden content. 
DevPartner SecurityChecker 2.0 is currently available for a U.S. list 
price of $12,000 per concurrent user. Volume discounts are available.

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2548D:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
