Security UPDATE--Malware Up Close--August 23, 2006

IN FOCUS: Malware Up Close

NEWS AND FEATURES

- BorderWare Teams Up with Zfone Creator

- Darknet Aims to Keep Net Traffic Confidential

- Market Watch: Network Quarantine

- Recent Security Vulnerabilities

GIVE AND TAKE

- Security Matters Blog: Hardcore IDS 1.0

- FAQ: Windows Live OneCare and VPNs

- From the Forum: Prevent Web Site Defacement

- Instant Poll: IPsec Authentication Methods

- Share Your Security Tips

PRODUCTS

- Manage and Secure Remote Systems

- Wanted: Your Reviews of Products

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: CrossTec

Are you spending too much time monitoring security logs?

Research shows that IT Security Managers can spend over four hours a day monitoring various security event logs and chasing after alerts. Activeworx saves you valuable time because it consolidates and manages logs from multiple vendors and devices. Activeworx Security Center is a cost-effective security information management solution that provides real-time security device log monitoring with correlated alerts, audit and compliance reports, and tools for advanced, in-depth forensic analysis. Activeworx reduces the time it takes to analyze event data from multiple sources and produces real-time reports that pinpoint network security breaches and vulnerabilities. These in-depth reports provide the details necessary for regulatory compliance reporting for Sarbanes-Oxley, HIPAA, and the Gramm-Leach-Bliley Act. Try Activeworx for free - fast install and free support.

http://www.crossteccorp.com/TryASC/?utm_source=WinITPro&utm_medium=newsletter&utm_campaign=asc082306

=== IN FOCUS: Malware Up Close

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

On August 15, Security UPDATE subscribers received the Security Alert "Exploits Attack Windows Server Service," regarding new exploits that install bots onto unprotected systems. You can also find the Alert at the URL below.

http://www.windowsitpro.com/Article/ArticleID/93190/93190.html

The exploits were reported by LURHQ, a provider of threat and vulnerability management services. A few days after its initial report, LURHQ posted a detailed analysis of one of the exploits, which installs a variant of Mocbot. The analysis goes far beyond the typical level of detail you might expect to see from your antivirus or anti-malware vendor, which makes it both interesting and valuable as an educational expose.

LURHQ captured and installed the exploit and set up a small forensics network to investigate the inner workings of the bot and its related botnet. The test network consisted of two systems: One to infect with the bot and one to simulate the Internet in order to gather forensic data. One goal was to discover the command and control center for the botnet. Another goal was to discover logon information for the command and control center so that when the data-collecting system made a manual connection to the center, the connector would appear to be just another bot in the network and not a forensics investigator.

Building these two systems required some specialized tools. LURHQ used a Windows system for the client to infect. The second system acted as a "sandnet"--that is, a server in an isolated environment. The sandnet software LURHQ used is a toolkit called The Reusable Unknown Malware Analysis Net (Truman), which you can download at the URL below. Truman is based on a bootable Linux image and includes a collection of scripts that help provide the required interactivity with malware to gather data.

http://www.lurhq.com/truman

With the two systems working together, LURHQ discovered that the botnet instructs the bot to join certain Internet Relay Chat (IRC) channels and then download a Trojan horse program that serves as a proxy for sending spam. In this case, the spammers are helping to sell porn, wrist watches, and other popular items.

LURHQ's description is a good step-by-step example of what's involved in malware analysis, so be sure to read it if you're interested in doing this sort of thing yourself or are just curious about how experts do it.

http://lurhq.com/mocbot-spam.html

LURHQ credits myNetWatchman with assisting in its analysis process. In a nutshell, myNetWatchman collects security log information from participants and analyzes malicious activity so that it can report that activity to the proper ISP in the hope that the ISP will take action. The goal is to minimize the amount of time a compromised system is exposed to the Internet. To learn more about myNetWatchman, including how you can participate, go the URL below.

http://www.mynetwatchman.com/faq.asp

===

Roadshow Targets Oracle/SQL Server Interoperability

Cross-platform experts from Scalability Experts and Solid Quality Learning will present interoperability tips to IT professionals and DBAs who work with Oracle or SQL Server in a one-day roadshow that kicks off September 7 in Washington, D.C. Sponsored by Oracle Magazine, Windows IT Pro, HP, Intel, and Microsoft, the show will feature information about the Windows 64-bit platform for database computing, an under-the-hood tour of Oracle and SQL Server, an overview of deploying highly available Oracle and SQL Server databases, guidelines for using SQL Server business intelligence on the Oracle platform, and a research-based session about how IT professionals can prepare for the changing database job market.

The roadshow will visit 12 cities between September 7 and October 24: Washington, D.C.; Boston; Columbus, Ohio; Chicago; St. Louis; Houston; Irvine, Calif.; San Francisco; Phoenix; New York; Atlanta; and Seattle. Attendees who register before August 25 will enter a drawing for a free iPod nano sponsored by Windows IT Pro. For complete agenda and speaker information, go to

http://www.windowsitpro.com/roadshows/sqloracle/

=== SPONSOR: St. Bernard Software

Clean Up Your Company's Email Act: Using Filters to Block Threats

Do you want to block unwanted or undesirable email? Download this free whitepaper to learn how to manage the content of information crossing your network.

http://www.windowsitpro.com/go/whitepapers/stbernard/cleanup/?code=SECMid0823

=== SECURITY NEWS AND FEATURES

BorderWare Teams Up with Zfone Creator

BorderWare Technologies will become the first commercial licensee of Phil Zimmermann's Zfone encryption technology. BorderWare intends to integrate the technology into its SIPassure VoIP firewall solution.

http://www.windowsitpro.com/Article/ArticleID/93234/93234.html

Darknet Aims to Keep Net Traffic Confidential

A new "darknet" service launched in Sweden gives people anonymity on the Internet for 5 euros (about $6.50) per month. The service lets customers use a PPTP VPN with 128-bit encryption, which routes their Internet traffic through servers in Sweden.

http://www.windowsitpro.com/Article/ArticleID/93204/93204.html

Market Watch: Network Quarantine

Some vendors now offer simpler, cheaper alternatives in the emerging Network Access Control (NAC) market. Jeff Fellinge tells you all about it in this article on our Web site.

http://www.windowsitpro.com/Article/ArticleID/50253/50253.html Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

=== SPONSOR: Availl

Ensure Instant Access To Files at Remote Servers/Offices

Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or Replication technologies? Do you have remote sites with common data or file needs? Get a free software trial, and register for the free seminar.

http://findtechinfo.com/penton/nl/118

=== GIVE AND TAKE

SECURITY MATTERS BLOG: Hardcore IDS 1.0

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Based on Snort 2.6, Hardcore IDS 1.0 looks like an easy way to quickly build a new intrusion detection system (IDS). Learn more about it and get a link to download the latest version in the blog article on our Web site.

http://www.windowsitpro.com/Article/ArticleID/93138/93138.html

FAQ: Windows Live OneCare and VPNs

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: I installed Windows Live OneCare and can no longer connect to my workplace via VPN. What's wrong?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/93162/93162.html

FROM THE FORUM: Prevent Web Site Defacement

A forum participant would like to know what steps to take to prevent a Web site defacing attack on Windows 2000 servers. To join the discussion, go to

http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=48874&enterthread=y

INSTANT POLL: IPsec Authentication Methods

What is your preferred method of authenticating IPsec connections?

- Pre-shared key

- Digital certificate

- Kerberos

Submit your vote at

http://www.windowsitpro.com/windowssecurity#poll

SHARE YOUR SECURITY TIPS AND GET $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS

by Renee Munshi, [email protected]

Manage and Secure Remote Systems

Anfibia Software announced the release of Desktop Orbiter 4.1.3, which fixes bugs and adds new features to this remote security and administration tool. Administrators can use Desktop Orbiter to protect and manage multiple computers from a central location. Along with other features, Desktop Orbiter enforces security policies on managed computers, disables access to components such as the Start menu and Control Panel, restricts access to Web sites, keeps track of active connections and open ports used by applications and services, provides reporting tools, and supports 256-bit AES encryption and key-based authentication. Desktop Orbiter is designed for businesses, schools, public libraries, Internet cafes, and other settings. It supports Windows 2003/XP/2000. A 10-user pack costs $399, and volume discounts are available. For more information, go to

http://www.anfibia-soft.com

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.

=== RESOURCES AND EVENTS

Cross-Platform Data Roadshow

Oracle professionals will cover key concepts about Oracle and SQL Server in enterprise database computing. This event provides invaluable information, including benefits of 64-bit computing on the Windows platform, SQL Server BI for Oracle, high-availability proof points for SQL and Oracle, and much more.

http://www.windowsitpro.com/roadshows/sqloracle/?code=0823emailannc

Microsoft Tech·Ed: IT Forum

Discover more at Microsoft's premier EMEA conference designed to provide IT professionals with technical training, information, and community resources to build, plan, deploy, and manage the secure connected enterprise. Visit the Website for further information and register before the Early Bird deadline of 29 September 2006 to save 300 euros.

http://www.microsoft.com/europe/teched-itforum

14 - 17 November 2006, Barcelona, Spain

Best Practices for Migrating Applications to a New Operating System

Take the necessary steps for application management, from converting legacy applications to MSI to conflict and usability testing. Don't overlook an important component during your OS migration--join us for this free on-demand Web seminar.

http://www.windowsitpro.com/go/seminars/macrovision/appmanagement/?partnerref=0821emailannc

Total Cost of Ownership (TCO). It's every executive's favorite buzzword, but what does it really mean and how does it affect you? In this podcast, Ben Smith explains how your organization can use virtualization technology to measurably improve TCO for servers and clients.

http://www.windowsitpro.com/go/podcast/hp/virtualization/?code=0821emailannc

Ensure that you're being effective with your internal network security. Are your DIY options protecting you against worms, BotNets, Trojans, and hackers? Make sure! On-Demand Web Seminar.

http://www.windowsitpro.com/go/seminars/alertlogic/outsourcing/?partnerref=0821emailannc

=== FEATURED WHITE PAPER

Did you know that wasteful processes can drive the cost of document management and output to as high as 10-15% of your company's annual revenues? Download this free white paper today and find out how you can use fax solutions to achieve cost control, security, compliance, increased workflow, and more.

http://www.windowsitpro.com/go/whitepapers/Faxback/faxing?code=0821featwp

=== ANNOUNCEMENTS

Monthly Online Pass--only $14.95 per month!

Includes instant online access to every article ever written in the Windows IT Security newsletter, your #1 resource for everything security. Order now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2568um

Save $40 off Windows IT Pro

Subscribe to Windows IT Pro magazine today and SAVE up to $40! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:

https://store.pentontech.com/index.cfm?s=1&promocode=eu2068uw