Security UPDATE--Inside Botnets--March 29, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Winternals Software

Liquid Machines


1. In Focus: Inside Botnets

2. Security News and Features

- Recent Security Vulnerabilities

- Check Point and Sourcefire Cancel Merger

- MetaFisher Still Stealing Sensitive Data

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

- Share Your Security Tips

4. New and Improved

- Security Test Web Apps as You Write Them


==== Sponsor: Winternals Software ====

Winternals Protection Manager

How will you protect your enterprise from zero-day attacks? Protection Manager blocks unknown applications from running until you specifically authorize them. No need to wait for an update--you're already protected. Plus, Protection Manager enables a secure successful least privilege network without compromising legacy applications by decoupling privilege levels of applications from users, and promotes culturally acceptable PC lockdown with real-time approval or denial of user application requests. Protection Manager forms a crucial layer of your defense-in-depth security strategy, helping enforce corporate technology policies, ensuring compliance with regulatory acts like HIPAA and Sarbanes-Oxley, and dramatically reducing the labor burden on IT. Download your 30-day evaluation copy of Protection Manager at:


==== 1. In Focus: Inside Botnets ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

In the news recently was an interesting story about MetaFisher (also known as Spy-Agent), a Trojan horse program that steals personal financial information. What was particularly interesting about the news report that I received from iDefense were the screenshots of the control interface used by the MetaFisher bot network (botnet) operators. The images give a good idea of what goes on behind the scenes of botnets. If you've already looked at the news story that I posted on our Web site and didn't see the images, be sure to check it again--I added the images on Monday. You can link to the story from the MetaFisher news story below.

Botnets are a huge problem. Understanding how bots work helps us understand how to defend against them and how to shut down botnets. Every antivirus vendor and many other types of security vendors hold a wealth of information about untold numbers of bots. However, when these companies publish alerts and advisories about bots, the reports rarely contain greatly detailed information that describes the inner workings and capabilities of the bots. So learning how a bot behaves is typically rough work. Even if you manage to capture a bot, you're left to reverse-engineer it on your own.

Paul Barford and Vinod Yegneswaran of the University of Wisconsin Computer Sciences Department wrote an excellent white paper, "An Inside Look at Botnets." The pair give detailed insight into four types of bots, including those based on Agobot, SDBot, GT Bot, and Spybot.

If you read the white paper, you'll learn that although most bots today operate in conjunction with Internet Relay Chat (IRC) servers (which makes shutting down botnets somewhat less difficult), some bots are beginning to gain peer-to-peer functionality. This evolution of course means that shutting down botnets will become more difficult in many cases in the future.

What I found particularly interesting about the white paper is that Barford and Yegneswaran reveal the complete command sets of the bot variants they examined. The commands include those used by bots during interaction with IRC servers and those used by bots for interactivity with the local host on which the bot is installed. For example, some bots can scan the registry to obtain CD-ROM keys, AOL account information, PayPal account information, and so on. Some bots can also lock down a host to some extent by disabling services selectively as well as starting the bot operator's services of choice. These commands give botnet operators a huge amount of control over infected systems.

Other commands let the botnet operators perform exploits and attacks. For example, Agobot (which is among the most sophisticated of bots today) can scan for systems with vulnerabilities in DCOM, DameWare Development software, and Famtech International's RADMIN; scan for back doors left open by Bagle and MyDoom; and brute-force-crack NetBIOS and Microsoft SQL Server passwords. Agobot can also launch seven types of Distributed Denial of Service (DDoS) attacks. Adding to the danger level, Agobot is polymorphic to some extent, with four ways of obscuring its network communications.

This is just a brief summary of some of the information you'll learn by reading "An Inside Look at Botnets." The paper (available in PDF format at the URL below) is a real eye-opener, particularly if you don't have much knowledge of how bots operate. The information can help you think of ways to detect some of the related activity on your networks. It's definitely worth the read.
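As an added example (not from the newsletter or from Barford and Yegneswaran's paper), one way to start looking for the IRC-based command and control the paper describes is to correlate outbound connections rather than inspect payloads, since bots such as Agobot can obscure their traffic: a bot herder's IRC server tends to receive connections from many internal machines that have no business using IRC. The script below runs over a few constructed flow-log lines; the log format, the 10.0.0.0/8 internal range and the port list are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow log (firewall/NetFlow style); not real traffic.
SAMPLE_LOG = """\
2006-03-27T10:00:01 10.1.2.3:1025 -> 203.0.113.10:6667 tcp
2006-03-27T10:00:04 10.1.2.4:1031 -> 203.0.113.10:6667 tcp
2006-03-27T10:00:09 10.1.2.5:1040 -> 203.0.113.10:6667 tcp
2006-03-27T10:00:12 10.1.7.9:1202 -> 203.0.113.10:6667 tcp
2006-03-27T10:00:15 10.1.2.3:1041 -> 198.51.100.5:443 tcp
2006-03-27T10:00:20 10.1.9.1:1055 -> 198.51.100.77:6697 tcp
2006-03-27T10:00:25 10.1.2.3:1060 -> 10.1.0.5:6667 tcp
"""

# Assumed log line layout: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the corporate range
IRC_PORTS = {6667, 6697}                       # common IRC and IRC-over-TLS ports

def parse_flows(text):
    """Yield (src, dst, dport) tuples from log lines that match FLOW_RE."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def irc_rendezvous(flows, min_hosts=3):
    """Map each external IRC server to the sorted internal hosts that contacted
    it, keeping only servers reached by at least min_hosts distinct clients.
    Many internal hosts converging on one outside IRC server is the rendezvous
    pattern an IRC-controlled botnet leaves in flow data."""
    by_server = defaultdict(set)
    for src, dst, dport in flows:
        if dport not in IRC_PORTS:
            continue
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            by_server[dst].add(src)
    return {srv: sorted(hosts) for srv, hosts in by_server.items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for server, hosts in irc_rendezvous(parse_flows(SAMPLE_LOG)).items():
        print(f"possible IRC C2 rendezvous {server}: {len(hosts)} internal hosts {hosts}")
```

Lowering min_hosts trades fewer missed servers for more noise from legitimate IRC use; the internal-to-internal flow and the HTTPS flow in the sample are ignored by design.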


==== Sponsor: Liquid Machines ====

Extend Microsoft Windows Rights Management Services (RMS) to support enterprise requirements for information protection, including proprietary business data.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Check Point and Sourcefire Cancel Merger

We previously reported that Israeli-based Check Point Software and U.S.-based Sourcefire planned to merge pending review by the Committee on Foreign Investment in the United States. The merger has now been cancelled, with no official reason given.

MetaFisher Still Stealing Sensitive Data

MetaFisher--a Trojan horse discovered over a month ago--is still wreaking havoc against unsuspecting users. Ken Dunham of iDefense provided screenshots (seen below) of the attacker's management interface for the bot network (botnet). Take a look!


==== Resources and Events ====

Learn to secure your IM traffic--don't let your critical business information be intercepted!

When disaster strikes your servers, whether they're dedicated to Windows, SQL, or Exchange, you need answers. Make sure that when an emergency occurs, you're prepared. Get the HA Solutions eBook and get started on your recovery plan today!

Use Windows Server 2003 R2 as a platform for SQL Server 2005 to support large-database requirements, including clustering and multiple processors. Register for this free Web seminar today!

Gain control of your messaging data with step-by-step instructions for complying with the law, ensuring your systems are working properly, and ultimately making your job easier.

How do you ensure that your email system isn't vulnerable to a messaging meltdown? In this Web seminar, Exchange guru Paul Robichaux tells you what you should do before you have an outage to increase your chances of coming out of it smelling like roses.


==== Featured White Paper ====

Learn to identify the top 5 IM security risks and protect your networks and users.


==== Hot Spot ====

LeftHand Networks

Explore how the standardization of storage hardware will change market dynamics, focusing on the growth of iSCSI SANs and "glue software."


==== 3. Security Toolkit ====

Security Matters Blog: Think IPsec

by Mark Joseph Edwards,

IPsec could help you improve security for your domains and servers. This blog article links you to resources that show you how.


by John Savill,

Q: How can I use a script to list all subnets in a site?

Find the answer at

Security Forum Featured Thread:

Marcus has been trying to configure a Juniper Networks NetScreen 5GT firewall to pass PPTP traffic to a VPN on Windows Small Business Server (SBS) 2003. He can connect and is prompted for a username and password, but then the connection just hangs. The event log shows an error (event ID 20209) indicating that Generic Routing Encapsulation (GRE) packets were unable to pass through the firewall. Marcus says he found a way to create a custom service for GRE passthrough, but this still didn't resolve the issue. Any ideas? Join the discussion at

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Announcements ====

(from Windows IT Pro and its partners)

VIP Monthly Pass Subscribers have it all!

Become a VIP Monthly Pass subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get the latest digital issue (just like the print edition, but delivered directly to your inbox) of Windows IT Pro each month. Subscribe now:

Save 44% off Exchange & Outlook Administrator

For a limited time, order the Exchange & Outlook Administrator newsletter and SAVE up to $80 off the cover price. You'll discover endless tools and solutions you won't find anywhere else to help you migrate, optimize, administer, back up, recover, and secure Exchange and Outlook. You'll also get FREE, unlimited access to the full online Exchange article library (more than 1,000 articles). Subscribe now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Security Test Web Apps as You Write Them

Compuware DevPartner SecurityChecker 2.0 identifies security vulnerabilities in Microsoft ASP.NET applications and pinpoints their location in source code. New features in DevPartner SecurityChecker 2.0 include full integration with Visual Studio 2005; improvements in creating and managing discovery maps; improvements in existing SQL injection and other vulnerability detection; and 30 new integrity rules, including rules for finding Google hacking vulnerabilities such as pages containing configuration information and hidden content. DevPartner SecurityChecker 2.0 is currently available for a U.S. list price of $12,000 per concurrent user. Volume discounts are available.

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
