Security UPDATE--Malware Up Close--August 23, 2006


Are you spending too much time monitoring security logs?

Clean Up Your Company's Email Act: Using Filters to Block Threats

Ensure Instant Access To Files at Remote Servers/Offices



IN FOCUS: Malware Up Close


- BorderWare Teams Up with Zfone Creator

- Darknet Aims to Keep Net Traffic Confidential

- Market Watch: Network Quarantine

- Recent Security Vulnerabilities


- Security Matters Blog: Hardcore IDS 1.0

- FAQ: Windows Live OneCare and VPNs

- From the Forum: Prevent Web Site Defacement

- Instant Poll: IPsec Authentication Methods

- Share Your Security Tips


- Manage and Secure Remote Systems

- Wanted: Your Reviews of Products




=== SPONSOR: CrossTec


Are you spending too much time monitoring security logs?

Research shows that IT Security Managers can spend over four hours a day monitoring various security event logs and chasing after alerts. Activeworx saves you valuable time because it consolidates and manages logs from multiple vendors and devices. Activeworx Security Center is a cost-effective security information management solution that provides real-time security device log monitoring with correlated alerts, audit and compliance reports, and tools for advanced, in-depth forensic analysis. Activeworx reduces the time it takes to analyze event data from multiple sources and produces real-time reports that pinpoint network security breaches and vulnerabilities. These in-depth reports provide the details necessary for regulatory compliance reporting for Sarbanes-Oxley, HIPAA, and the Gramm-Leach-Bliley Act. Try Activeworx for free - fast install and free support.

=== IN FOCUS: Malware Up Close


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

On August 15, Security UPDATE subscribers received the Security Alert "Exploits Attack Windows Server Service," regarding new exploits that install bots onto unprotected systems. You can also find the Alert at the URL below.

The exploits were reported by LURHQ, a provider of threat and vulnerability management services. A few days after its initial report, LURHQ posted a detailed analysis of one of the exploits, which installs a variant of Mocbot. The analysis goes far beyond the level of detail you would typically see from an antivirus or anti-malware vendor, which makes it both interesting and valuable as an educational exposé.

LURHQ captured and installed the exploit and set up a small forensics network to investigate the inner workings of the bot and its related botnet. The test network consisted of two systems: One to infect with the bot and one to simulate the Internet in order to gather forensic data. One goal was to discover the command and control center for the botnet. Another goal was to discover logon information for the command and control center so that when the data-collecting system made a manual connection to the center, the connector would appear to be just another bot in the network and not a forensics investigator.

Building these two systems required some specialized tools. LURHQ used a Windows system for the client to infect. The second system acted as a "sandnet"--that is, a server in an isolated environment. The sandnet software LURHQ used is a toolkit called The Reusable Unknown Malware Analysis Net (Truman), which you can download at the URL below. Truman is based on a bootable Linux image and includes a collection of scripts that help provide the required interactivity with malware to gather data.

With the two systems working together, LURHQ discovered that the command and control center instructs the bot to join certain Internet Relay Chat (IRC) channels and then download a Trojan horse program that acts as a proxy for sending spam. In this case, the spammers are helping to sell porn, wrist watches, and other popular items.
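The sandnet side of the setup described above boils down to impersonating whatever server the bot tries to reach, so that the bot hands over its connection details on its own. The following is an added example, not LURHQ's analysis code and not part of Truman: a minimal IRC command-and-control sink that completes just enough of the RFC 1459 registration handshake (PASS, NICK, USER, JOIN, PING) for the bot to proceed, and records the password, nickname, channel names and channel keys it presents. Those are the pieces of logon information an analyst later needs to join the real botnet channel as a lookalike bot. The server name irc.sandnet.invalid, the host label "sandnet", port 6667 and the sample bot commands in the test are assumptions for illustration; in the isolated network, DNS or routing must steer the bot's real C&C hostname to this listener.

```python
"""Minimal IRC command-and-control sink for a malware sandnet (added example)."""
import socket

SERVER_NAME = "irc.sandnet.invalid"   # assumed name; the .invalid TLD can never resolve


class IrcSink:
    """State machine for one bot connection: feed it client lines, get server lines back."""

    def __init__(self, server_name=SERVER_NAME, topic=None):
        self.server_name = server_name
        self.topic = topic          # set to a captured real topic to replay it to the bot
        self.password = None        # from PASS
        self.nick = None            # from NICK
        self.user = None            # ident token from USER
        self.channels = {}          # channel -> key, or None if the bot sent no key
        self.messages = []          # (target, text) of every PRIVMSG/NOTICE the bot sends
        self.raw = []               # every line received, for the forensic record
        self._welcomed = False

    def handle(self, line):
        """Process one client line and return the list of server lines to send."""
        line = line.rstrip("\r\n")
        self.raw.append(line)
        parts = line.split()
        if not parts:
            return []
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "PASS" and args:
            self.password = args[0].lstrip(":")
        elif cmd == "NICK" and args:
            self.nick = args[0].lstrip(":")
        elif cmd == "USER" and args:
            self.user = args[0]
        elif cmd == "PING":
            return ["PONG " + (args[0] if args else "")]
        elif cmd == "JOIN" and args:
            if not self._welcomed:   # a real server refuses JOIN before registration
                return [f":{self.server_name} 451 * JOIN :You have not registered"]
            keys = args[1].split(",") if len(args) > 1 else []
            return self._join(args[0].split(","), keys)
        elif cmd in ("PRIVMSG", "NOTICE") and len(args) > 1:
            self.messages.append((args[0], line.split(" ", 2)[2].lstrip(":")))
        # Send the welcome burst exactly once, after both NICK and USER are known
        if not self._welcomed and self.nick and self.user:
            self._welcomed = True
            return [f":{self.server_name} 001 {self.nick} :Welcome to the sandnet"]
        return []

    def _join(self, chans, keys):
        """Record channel/key pairs (keys pair positionally) and fake a successful JOIN."""
        prefix = f":{self.nick}!{self.user}@sandnet"
        out = []
        for i, chan in enumerate(chans):
            self.channels[chan] = keys[i] if i < len(keys) else None
            out.append(f"{prefix} JOIN :{chan}")
            if self.topic is None:
                out.append(f":{self.server_name} 331 {self.nick} {chan} :No topic is set")
            else:
                out.append(f":{self.server_name} 332 {self.nick} {chan} :{self.topic}")
            out.append(f":{self.server_name} 353 {self.nick} = {chan} :{self.nick}")
            out.append(f":{self.server_name} 366 {self.nick} {chan} :End of /NAMES list")
        return out

    def summary(self):
        """What an analyst needs in order to log on to the real C&C server as this bot."""
        return {"password": self.password, "nick": self.nick,
                "user": self.user, "channels": dict(self.channels)}


def serve(bind="0.0.0.0", port=6667, topic=None):
    """Accept one bot connection on the sandnet box and drive it with IrcSink."""
    sink = IrcSink(topic=topic)
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, _peer = srv.accept()
        with conn, conn.makefile("rb") as rd:
            for raw in rd:
                for reply in sink.handle(raw.decode("latin-1")):
                    conn.sendall((reply + "\r\n").encode("latin-1"))
    return sink


if __name__ == "__main__":
    captured = serve()
    print(captured.summary())
    print("\n".join(captured.raw))
```

Leaving the topic empty on the first run shows what the bot does on its own; replaying a topic captured from the real channel (botnet operators commonly put the current command in the channel topic) then shows how the bot reacts to an order, still without any traffic leaving the sandnet.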

LURHQ's description is a good step-by-step example of what's involved in malware analysis, so be sure to read it if you're interested in doing this sort of thing yourself or are just curious about how experts do it.

LURHQ credits myNetWatchman with assisting in its analysis process. In a nutshell, myNetWatchman collects security log information from participants and analyzes malicious activity so that it can report that activity to the responsible ISP in the hope that the ISP will take action. The goal is to minimize the amount of time a compromised system stays exposed on the Internet. To learn more about myNetWatchman, including how you can participate, go to the URL below.


Roadshow Targets Oracle/SQL Server Interoperability

Cross-platform experts from Scalability Experts and Solid Quality Learning will present interoperability tips to IT professionals and DBAs who work with Oracle or SQL Server in a one-day roadshow that kicks off September 7 in Washington, D.C. Sponsored by Oracle Magazine, Windows IT Pro, HP, Intel, and Microsoft, the show will feature information about the Windows 64-bit platform for database computing, an under-the-hood tour of Oracle and SQL Server, an overview of deploying highly available Oracle and SQL Server databases, guidelines for using SQL Server business intelligence on the Oracle platform, and a research-based session about how IT professionals can prepare for the changing database job market.

The roadshow will visit 12 cities between September 7 and October 24: Washington, D.C.; Boston; Columbus, Ohio; Chicago; St. Louis; Houston; Irvine, Calif.; San Francisco; Phoenix; New York; Atlanta; and Seattle. Attendees who register before August 25 will enter a drawing for a free iPod nano sponsored by Windows IT Pro. For complete agenda and speaker information, go to

=== SPONSOR: St. Bernard Software


Clean Up Your Company's Email Act: Using Filters to Block Threats

Do you want to block unwanted or undesirable email? Download this free whitepaper to learn how to manage the content of information crossing your network.



BorderWare Teams Up with Zfone Creator

BorderWare Technologies will become the first commercial licensee of Phil Zimmermann's Zfone encryption technology. BorderWare intends to integrate the technology into its SIPassure VoIP firewall solution.

Darknet Aims to Keep Net Traffic Confidential

A new "darknet" service launched in Sweden gives people anonymity on the Internet for 5 euros (about $6.50) per month. The service lets customers use a PPTP VPN with 128-bit encryption, which routes their Internet traffic through servers in Sweden.

Market Watch: Network Quarantine

Some vendors now offer simpler, cheaper alternatives in the emerging Network Access Control (NAC) market. Jeff Fellinge tells you all about it in this article on our Web site.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Availl


Ensure Instant Access To Files at Remote Servers/Offices

Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or Replication technologies? Do you have remote sites with common data or file needs? Get a free software trial, and register for the free seminar.




SECURITY MATTERS BLOG: Hardcore IDS 1.0

by Mark Joseph Edwards

Based on Snort 2.6, Hardcore IDS 1.0 looks like an easy way to quickly build a new intrusion detection system (IDS). Learn more about it and get a link to download the latest version in the blog article on our Web site.

FAQ: Windows Live OneCare and VPNs

by John Savill

Q: I installed Windows Live OneCare and can no longer connect to my workplace via VPN. What's wrong?

Find the answer at

FROM THE FORUM: Prevent Web Site Defacement

A forum participant would like to know what steps to take to prevent a Web site defacing attack on Windows 2000 servers. To join the discussion, go to

INSTANT POLL: IPsec Authentication Methods

What is your preferred method of authenticating IPsec connections?

- Pre-shared key

- Digital certificate

- Kerberos

Submit your vote at


SHARE YOUR SECURITY TIPS

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Manage and Secure Remote Systems

Anfibia Software announced the release of Desktop Orbiter 4.1.3, which fixes bugs and adds new features to this remote security and administration tool. Administrators can use Desktop Orbiter to protect and manage multiple computers from a central location. Along with other features, Desktop Orbiter enforces security policies on managed computers, disables access to components such as the Start menu and Control Panel, restricts access to Web sites, keeps track of active connections and open ports used by applications and services, provides reporting tools, and supports 256-bit AES encryption and key-based authentication. Desktop Orbiter is designed for businesses, schools, public libraries, Internet cafes, and other settings. It supports Windows 2003/XP/2000. A 10-user pack costs $399, and volume discounts are available. For more information, go to

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



Cross-Platform Data Roadshow

Oracle professionals will cover key concepts about Oracle and SQL Server in enterprise database computing. This event provides invaluable information, including benefits of 64-bit computing on the Windows platform, SQL Server BI for Oracle, high-availability proof points for SQL and Oracle, and much more.

Microsoft Tech·Ed: IT Forum

Discover more at Microsoft's premier EMEA conference designed to provide IT professionals with technical training, information, and community resources to build, plan, deploy, and manage the secure connected enterprise. Visit the Website for further information and register before the Early Bird deadline of 29 September 2006 to save 300 euros.

14 - 17 November 2006, Barcelona, Spain

Best Practices for Migrating Applications to a New Operating System

Take the necessary steps for application management, from converting legacy applications to MSI to conflict and usability testing. Don't overlook an important component during your OS migration--join us for this free on-demand Web seminar.

Total Cost of Ownership (TCO). It's every executive's favorite buzzword, but what does it really mean and how does it affect you? In this podcast, Ben Smith explains how your organization can use virtualization technology to measurably improve TCO for servers and clients.

Ensure that you're being effective with your internal network security. Are your DIY options protecting you against worms, BotNets, Trojans, and hackers? Make sure! On-Demand Web Seminar.



Did you know that wasteful processes can drive the cost of document management and output to as high as 10-15% of your company's annual revenues? Download this free white paper today and find out how you can use fax solutions to achieve cost control, security, compliance, increased workflow, and more.



Monthly Online Pass--only $14.95 per month!

Includes instant online access to every article ever written in the Windows IT Security newsletter, your #1 resource for everything security. Order now:

Save $40 off Windows IT Pro

Subscribe to Windows IT Pro magazine today and SAVE up to $40! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
