Security UPDATE--eVade-o-Matic Nearly Evades My Understanding--November 1, 2006


Reducing the Cost of IT Compliance: Streamlining the IT Compliance Life Cycle

Protect Your Network - Threats Brought in By Remote Laptops

Achieving Compliance: Best Practices for Outward Bound Internet Content Protection

=== CONTENTS ===================================================

IN FOCUS: eVade-o-Matic Nearly Evades My Understanding


- IE 7.0 and Firefox 2.0 Both Have New Antiphishing Technologies

- IE 7.0 Vulnerable to Address Bar Spoofing

- Norman Data Defense Systems Introduces Automated Malware Forensics

- Recent Security Vulnerabilities


- Security Matters Blog: Firefox 2.0 Badly Broken?

- FAQ: Using a Script to Check User or Group Existence

- From the Forum: Database Security Error

- Know Your IT Security Contest

- Your IT Pro Vote Counts!


- Easing Smart Card Administration

- Wanted: Your Reviews of Products




=== SPONSOR: Scalable Software =================================

Reducing the Cost of IT Compliance: Streamlining the IT Compliance Life Cycle

The average enterprise spends nearly $10 million annually on IT compliance. Download this free whitepaper today to streamline the compliance lifecycle, and dramatically reduce your company's costs!

=== IN FOCUS: eVade-o-Matic Nearly Evades My Understanding =====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Metasploit is billed as a benevolent forensic tool to test security. In summary, it's a toolkit that nearly anyone with a modest amount of computer experience can use to exploit vulnerabilities to the maximum extent. Just plug in a module, fill in some parameters, and presto, instant exploitation.

The logo on the Metasploit home page (see URL below) paints a picture that's the complete opposite of benevolence, in my mind anyway. The logo contains the image of an obviously malicious intruder (who reminds me of the Joker from the old "Batman" TV series) sitting at a keyboard with any of a variety of "catchy" phrases emblazoned next to it. The phrase cycles on each page reload and offers such pithiness as "Point. Click. Root.," "The Best a Haxor Can Get," "Always hot exploits. Always.," and "What would you like to Metasploit today?"

About the only beneficial thing I can see about Metasploit is that if it had to be developed at all, at least it's available to the public so that white hats can use it.

Metasploit is about to take on an even more insidious tinge when the eVade-o-Matic Module (VoMM, for short) is released. VoMM makes it possible to completely evade signature-based security systems (including signature-based intrusion detection systems--IDSs--and antivirus platforms) by continually changing a piece of code. If code morphs with each new use, an endless number of detection signatures would be needed, which simply isn't practical. Therefore, VoMM and similar technologies render signature-based security systems useless for the most part.

According to information posted on the blog (see the URL below), VoMM uses a number of techniques to morph code, including white space randomization, string obfuscation and encoding, random comments and comment placement, code block randomization, variable name and function name randomization and obfuscation, and function pointer reassignments. You can get a very detailed analysis of exactly what VoMM does.
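To make the column's point concrete from the defender's side, here is an added example (not VoMM code, not from Metasploit, and not from the blog post referenced above). It applies three of the transformations the column lists (identifier renaming, random comment insertion, whitespace randomization) to a constructed, benign JavaScript snippet, shows that a byte-exact signature stops matching after one morph, and then shows the counter-move a signature-based product needs: hash a normalized form of the script rather than its raw bytes. The sample script, the hypothetical `morph` routine and the keyword list are all assumptions made for the example.

```python
import hashlib
import random
import re

# Constructed benign sample (example code, not VoMM output): stands in for the
# "known" script a signature-based scanner holds a byte-exact signature for.
KNOWN_SAMPLE = """function check(input) {
    var result = input.length * 2;
    return result;
}
"""

# Small keyword list so the normalizer never rewrites language keywords.
JS_KEYWORDS = {"function", "var", "return", "if", "else", "for", "while", "new"}


def byte_signature(src: str) -> str:
    """The kind of signature a naive scanner keys on: a hash of the exact bytes."""
    return hashlib.sha256(src.encode()).hexdigest()


def morph(src: str, seed: int) -> str:
    """Hypothetical morphing step covering three of the listed techniques:
    identifier renaming, random comments, whitespace randomization.
    Deterministic for a given seed so the result can be reproduced."""
    rng = random.Random(seed)
    out = src
    for name in ("check", "input", "result"):  # identifiers present in KNOWN_SAMPLE
        fresh = "v" + "".join(rng.choice("0123456789abcdef") for _ in range(6))
        out = re.sub(r"\b" + name + r"\b", fresh, out)
    # Append a random line comment to every line.
    out = "\n".join(
        line + " // " + "".join(rng.choice("xyz") for _ in range(rng.randint(2, 6)))
        for line in out.splitlines()
    )
    # Randomize every run of horizontal whitespace (never to zero, so tokens stay apart).
    return re.sub(r"[ \t]+", lambda _m: " " * rng.randint(1, 4), out)


def normalize(src: str) -> str:
    """Canonical form a defender can hash instead of raw bytes: strip comments,
    collapse whitespace by tokenizing, and replace each non-keyword identifier
    with a positional placeholder so renaming has no effect on the result."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)  # block comments
    src = re.sub(r"//[^\n]*", "", src)                # line comments
    tokens = re.findall(r"[A-Za-z_]\w*|\d+|\S", src)
    ids: dict = {}
    canon = []
    for tok in tokens:
        if re.fullmatch(r"[A-Za-z_]\w*", tok) and tok not in JS_KEYWORDS:
            ids.setdefault(tok, f"ID{len(ids)}")
            canon.append(ids[tok])
        else:
            canon.append(tok)
    return " ".join(canon)


def normalized_signature(src: str) -> str:
    """Signature over the canonical form rather than the raw bytes."""
    return hashlib.sha256(normalize(src).encode()).hexdigest()


def evaluate(seed: int = 7) -> dict:
    """Run both detectors over the known sample and one morphed variant."""
    variant = morph(KNOWN_SAMPLE, seed)
    return {
        "variant_differs": variant != KNOWN_SAMPLE,
        "byte_sig_hits_variant": byte_signature(variant) == byte_signature(KNOWN_SAMPLE),
        "normalized_sig_hits_variant": normalized_signature(variant)
        == normalized_signature(KNOWN_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Running it shows the byte signature missing the morphed variant while the normalized signature still matches it. The caveat a practitioner should take away is that this normalizer only neutralizes the three transformations it was written for; string encoding, code block reordering and function pointer reassignment, which the column also lists, change the token stream itself and need deeper canonicalization (or behavioral rather than static detection) to defeat.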

While these sorts of evasion techniques are by no means new to the world of malware, what is new is the packaging of such techniques into a tool like Metasploit, which anybody with one firing neuron can download to immediately experience that warm and fuzzy "point, click, root" feeling. Rest assured that VoMM will be used by just about every "bad guy" on the planet. Why anyone would unleash this madness upon the world nearly evades my understanding. Nearly.

=== SPONSOR: 8e6 Technologies ==================================

Protect Your Network - Threats Brought in By Remote Laptops

Learn how employee laptops indiscriminately harm company networks, despite standard security gear, and gain valuable information on how to protect your company against these threats - without throwing out the laptops. Get the FREE white paper from 8e6 Technologies. Qualify Now!

=== SECURITY NEWS AND FEATURES =================================

IE 7.0 and Firefox 2.0 Both Have New Antiphishing Technologies

Microsoft released the long-awaited Internet Explorer 7.0, and Mozilla Foundation released its long-awaited Firefox 2.0. Both include new antiphishing technology.

IE 7.0 Vulnerable to Address Bar Spoofing

Secunia reports that an anonymous person discovered that it's possible to partially spoof the Internet Explorer (IE) 7.0 Address bar in a pop-up window, which might lead to phishing attacks.

Norman Data Defense Systems Introduces Automated Malware Forensics

Norman's new offerings bring malware analysis tools out of private labs and into corporate networks.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Surf Control ======================================

Achieving Compliance: Best Practices for Outward Bound Internet Content Protection

Achieve compliance in today's complex regulatory environment, while managing threats to the inward- and outward-bound communications vital to your business. Adopt a best-practices approach, such as the one outlined in the international information security standard ISO/IEC 17799:2005. Download the whitepaper today and secure the confidentiality, availability and integrity of your corporate information!

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Firefox 2.0 Badly Broken?

by Mark Joseph Edwards,

I'm about to lose my patience with Firefox 2.0. It seems badly broken, and I wonder if these symptoms are happening to anyone else. Read the blog to learn about what I've found.

FAQ: Using a Script to Check User or Group Existence

by John Savill,

Q: How can I use a script to check whether an Active Directory (AD) user or group exists?

Find the answer at

FROM THE FORUM: Database Security Error

A forum participant uses SQL Server 2000 with SP4 and sees an error in his logs that reads "Login failed for user 'RECOVER'." Does this error have something to do with failed writes to audit files? If you have an idea, join the discussion at:


Share your security-related tips, comments, or solutions in 1000 words or less, and you could be one of 13 lucky winners of a Zune media player. Tell us how you do patch management, share a security script, or write about a security article you've read or a Webcast you've viewed. Submit your entry between now and December 13. We'll select the 13 best entries, and the winners will receive a Zune media player--plus, we'll publish the winning entries in the Windows IT Security newsletter. Email your contributions to [email protected]

Prizes are courtesy of Microsoft Learning Paths for Security:


Vote for the next "IT Pro of the Month!" Take the time to reward excellence to an IT pro who deserves it. The first 100 to cast their vote will receive a one-year print subscription to Windows IT Pro magazine--compliments of Microsoft. Voting only takes a few seconds, so don't miss out. Cast your vote now:

=== PRODUCTS ===================================================

by Renee Munshi, [email protected]

Easing Smart Card Administration

Gemalto announced integration of its .NET smart cards in Microsoft Certificate Life Cycle Manager (CLM). Gemalto .NET cards run a streamlined version of the .NET framework and provide cryptographic capabilities and two-factor authentication. Support for Gemalto .NET smart cards is integrated into Windows Vista or available from the Microsoft Download Center for Windows 2000/XP/Server 2003. CLM streamlines the provisioning, configuration, and management of digital certificates and smart cards. Gemalto .NET smart cards for testing can be ordered online at the first URL below, and CLM Beta 2 is available for download at the second URL below.

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS =======================================

For more security-related resources, visit

Can disaster recovery planning create real value for your business beyond mere survival? Justify your investments in DR planning, and get real answers to your questions about how DR planning and implementation affect the financial performance of your organization. Make cost-effective decisions to positively impact your bottom line! Live event: Tuesday, November 14

How do you manage security vulnerabilities? If you depend on vulnerability assessments to determine the state of your IT security systems, you won't want to miss this Web seminar. Special research from Gartner indicates that deeper penetration is needed to augment your existing vulnerability management processes. Learn more today!

Learn all you need to know about code-signing technology, including the goals and benefits of code signing, how it works, and the underlying cryptographic and security concepts and building blocks. Download this complete eBook today--free!

Does your company have $500,000 to spend on one email discovery request? Join us for this free Web seminar to learn how you can implement an email archiving solution to optimize email management and proactively take control of e-discovery--and save the IT search party for when you really need it! On-demand Web Seminar

Total Cost of Ownership--TCO. It's every executive's favorite buzzword, but what does it really mean and how does it affect you? In this podcast, Ben Smith explains how your organization can use virtualization technology to measurably improve the TCO for servers and clients.

=== FEATURED WHITE PAPER =======================================

Is your email easily accessible, yet secure, in the event of an e-discovery request? With the phenomenal growth in email volume and the high cost of failing to comply with a discovery request, you can't afford to lose any email. Download this free white paper and implement a strong email retention and management system today!

=== ANNOUNCEMENTS ==============================================

Uncover Essential Windows Knowledge Through Excavator

Try out the ultimate vertical search tool--Windows Excavator. Windows Excavator gives you fast, thorough third-party information while filtering out unwanted content. Visit today!

Your Vote Counts!

Vote for the next "IT Pro of the Month!" Take the time to reward excellence in an IT pro. The first 100 readers to cast a vote will receive a one-year subscription to Windows IT Pro, compliments of Microsoft. Voting takes only a few seconds, so don't miss out. Cast your vote now:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
