AOH :: ISN-2901.HTM

Malware Up Close

=== CONTENTS ==================================================
IN FOCUS: Malware Up Close

   - BorderWare Teams Up with Zfone Creator
   - Darknet Aims to Keep Net Traffic Confidential
   - Market Watch: Network Quarantine
   - Recent Security Vulnerabilities

   - Security Matters Blog: Hardcore IDS 1.0
   - FAQ: Windows Live OneCare and VPNs
   - From the Forum: Prevent Web Site Defacement 
   - Instant Poll: IPsec Authentication Methods 
   - Share Your Security Tips

   - Manage and Secure Remote Systems
   - Wanted: Your Reviews of Products 




=== SPONSOR: CrossTec =========================================
Are you spending too much time monitoring security logs?
   Research shows that IT Security Managers can spend over four hours a 
day monitoring various security event logs and chasing after alerts. 
Activeworx saves you valuable time because it consolidates and manages 
logs from multiple vendors and devices. Activeworx Security Center is a 
cost-effective security information management solution that provides 
real-time security device log monitoring with correlated alerts, audit 
and compliance reports, and tools for advanced, in-depth forensic 
analysis. Activeworx reduces the time it takes to analyze event data 
from multiple sources and produces real-time reports that pinpoint 
network security breaches and vulnerabilities. These in-depth reports 
provide the details necessary for regulatory compliance reporting for 
Sarbanes-Oxley, HIPAA, and the Gramm-Leach-Bliley Act. Try Activeworx 
for free - fast install and free support. 

=== IN FOCUS: Malware Up Close ================================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

On August 15, Security UPDATE subscribers received the Security Alert 
"Exploits Attack Windows Server Service," regarding new exploits that 
install bots onto unprotected systems. You can also find the Alert at 
the URL below. 

The exploits were reported by LURHQ, a provider of threat and 
vulnerability management services. A few days after its initial report, 
LURHQ posted a detailed analysis of one of the exploits, which installs 
a variant of Mocbot. The analysis goes far beyond the typical level of 
detail you might expect to see from your antivirus or anti-malware 
vendor, which makes it both interesting and valuable as an educational 

LURHQ captured and installed the exploit and set up a small forensics 
network to investigate the inner workings of the bot and its related 
botnet. The test network consisted of two systems: One to infect with 
the bot and one to simulate the Internet in order to gather forensic 
data. One goal was to discover the command and control center for the 
botnet. Another goal was to discover logon information for the command 
and control center so that when the data-collecting system made a 
manual connection to the center, the connector would appear to be just 
another bot in the network and not a forensics investigator. 

Building these two systems required some specialized tools. LURHQ used 
a Windows system for the client to infect. The second system acted as a 
"sandnet"--that is, a server in an isolated environment. The sandnet 
software LURHQ used is a toolkit called The Reusable Unknown Malware 
Analysis Net (Truman), which you can download at the URL below. Truman 
is based on a bootable Linux image and includes a collection of scripts 
that help provide the required interactivity with malware to gather 

With the two systems working together, LURHQ discovered that the botnet 
instructs the bot to join certain Internet Relay Chat (IRC) channels 
and then download a Trojan horse program that serves as a proxy for 
sending spam. In this case, the spammers are helping to sell porn, 
wrist watches, and other popular items. 
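The sandnet setup and the IRC finding above lend themselves to a small worked example of the analysis step: once the data-collecting system has recorded what the infected client sent, a script can pick out the IRC registration handshake (NICK, USER, JOIN), the channel and join key, and any executable the bot fetched afterwards. The following is an added example written for this page; it is not LURHQ's or Truman's code, and the log line format, the hostnames and the IRC payloads are all constructed (RFC 5737 documentation addresses stand in for real infrastructure). The output is what a defender needs to block the controller and write a detection signature.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of what the data-collecting (sandnet) host might log
# for the infected client: one line per payload the client sent, written as
# "src:port -> dst:port payload". Addresses are documentation ranges only.
SAMPLE_FLOWS = [
    "10.0.0.5:1041 -> 198.51.100.7:6667 NICK [00|USA|XP]-1234",
    "10.0.0.5:1041 -> 198.51.100.7:6667 USER abcd 0 0 :abcd",
    "10.0.0.5:1041 -> 198.51.100.7:6667 JOIN #cmd secretkey",
    "10.0.0.5:1041 -> 198.51.100.7:6667 PONG :198.51.100.7",
    "10.0.0.5:1042 -> 198.51.100.9:80 GET /proxy.exe HTTP/1.0",
    "10.0.0.5:1043 -> 203.0.113.3:80 GET /index.html HTTP/1.1",
    "10.0.0.5:1044 -> 203.0.113.4:6667 NICK casual",  # NICK only: not a full registration
]

# Assumed log line layout (constructed for this example, not a real tool's format).
FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<payload>.*)$"
)
IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "PONG", "MODE"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")


@dataclass
class IrcSession:
    """Everything the client said to one IRC server during the capture."""
    server: str
    port: int
    nick: str = ""
    channels: dict = field(default_factory=dict)   # channel name -> join key
    verbs: list = field(default_factory=list)


def parse_flow(line):
    """Split one constructed log line into its fields, or None if malformed."""
    m = FLOW_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Group IRC traffic by destination server and collect executable downloads."""
    sessions = {}
    downloads = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        verb, _, rest = rec["payload"].partition(" ")
        if verb in IRC_VERBS:
            key = (rec["dst"], int(rec["dport"]))
            s = sessions.setdefault(key, IrcSession(*key))
            s.verbs.append(verb)
            if verb == "NICK":
                s.nick = rest
            elif verb == "JOIN":
                parts = rest.split()
                if parts:
                    s.channels[parts[0]] = parts[1] if len(parts) > 1 else ""
        elif verb == "GET":
            path = rest.split()[0] if rest else ""
            if path.lower().endswith(EXECUTABLE_SUFFIXES):
                downloads.append((rec["dst"], path))
    return sessions, downloads


def c2_candidates(sessions):
    """A server that received the full NICK/USER/JOIN registration from the
    sandnet client is the likely controller; report the indicators needed
    to block it and to write a detection signature."""
    found = []
    for s in sessions.values():
        if {"NICK", "USER", "JOIN"} <= set(s.verbs):
            for chan, chan_key in s.channels.items():
                found.append({"server": s.server, "port": s.port,
                              "nick": s.nick, "channel": chan, "key": chan_key})
    return found


if __name__ == "__main__":
    sessions, downloads = analyze(SAMPLE_FLOWS)
    for c in c2_candidates(sessions):
        print("C2 candidate:", c)
    for host, path in downloads:
        print("executable fetched from", host, path)
```

Run against the constructed capture, the script reports one controller (198.51.100.7:6667, channel #cmd with its join key) and one executable download, while the lone NICK to 203.0.113.4 is not reported because the registration never completed. On a real sandnet capture the same grouping by destination is what separates the controller from incidental traffic.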

LURHQ's description is a good step-by-step example of what's involved 
in malware analysis, so be sure to read it if you're interested in 
doing this sort of thing yourself or are just curious about how experts 
do it. 

LURHQ credits myNetWatchman with assisting in its analysis process. In 
a nutshell, myNetWatchman collects security log information from 
participants and analyzes malicious activity so that it can report that 
activity to the proper ISP in the hope that the ISP will take action. 
The goal is to minimize the amount of time a compromised system is 
exposed to the Internet. To learn more about myNetWatchman, including 
how you can participate, go to the URL below. 

Roadshow Targets Oracle/SQL Server Interoperability
   Cross-platform experts from Scalability Experts and Solid Quality Learning 
will present interoperability tips to IT professionals and DBAs who work with 
Oracle or SQL Server in a one-day roadshow that kicks off September 7 in 
Washington, D.C. Sponsored by Oracle Magazine, Windows IT Pro, HP, Intel, and 
Microsoft, the show will feature information about the Windows 64-bit platform 
for database computing, an under-the-hood tour of Oracle and SQL Server, an 
overview of deploying highly available Oracle and SQL Server databases, 
guidelines for using SQL Server business intelligence on the Oracle platform, 
and a research-based session about how IT professionals can prepare for the 
changing database job market.
   The roadshow will visit 12 cities between September 7 and October 24: 
Washington, D.C.; Boston; Columbus, Ohio; Chicago; St. Louis; Houston; Irvine, 
Calif.; San Francisco; Phoenix; New York; Atlanta; and Seattle. Attendees who 
register before August 25 will enter a drawing for a free iPod nano sponsored by 
Windows IT Pro. For complete agenda and speaker information, go to 

=== SPONSOR: St. Bernard Software =============================
Clean Up Your Company's Email Act: Using Filters to Block Threats
   Do you want to block unwanted or undesirable email? Download this 
free whitepaper to learn how to manage the content of information 
crossing your network. 

=== SECURITY NEWS AND FEATURES ================================
BorderWare Teams Up with Zfone Creator
   BorderWare Technologies will become the first commercial licensee of 
Phil Zimmermann's Zfone encryption technology. BorderWare intends to 
integrate the technology into its SIPassure VoIP firewall solution. 

Darknet Aims to Keep Net Traffic Confidential
   A new "darknet" service launched in Sweden gives people anonymity on 
the Internet for 5 euros (about $6.50) per month. The service lets 
customers use a PPTP VPN with 128-bit encryption, which routes their 
Internet traffic through servers in Sweden. 

Market Watch: Network Quarantine
   Some vendors now offer simpler, cheaper alternatives in the emerging 
Network Access Control (NAC) market. Jeff Fellinge tells you all about 
it in this article on our Web site. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: Availl ===========================================
Ensure Instant Access To Files at Remote Servers/Offices
   Confused by WAFS, Wide Area Mirroring, DFS, WAN acceleration, or 
Replication technologies? Do you have remote sites with common data or 
file needs? Get a free software trial, and register for the free 

=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: Hardcore IDS 1.0
by Mark Joseph Edwards, 

Based on Snort 2.6, Hardcore IDS 1.0 looks like an easy way to quickly 
build a new intrusion detection system (IDS). Learn more about it and 
get a link to download the latest version in the blog article on our 
Web site. 

FAQ: Windows Live OneCare and VPNs
by John Savill, 

Q: I installed Windows Live OneCare and can no longer connect to my 
workplace via VPN. What's wrong?

Find the answer at 

FROM THE FORUM: Prevent Web Site Defacement
   A forum participant would like to know what steps to take to prevent 
a Web site defacing attack on Windows 2000 servers. To join the 
discussion, go to 

INSTANT POLL: IPsec Authentication Methods 
   What is your preferred method of authenticating IPsec connections?
   - Pre-shared key 
   - Digital certificate 
   - Kerberos 

Submit your vote at 

SHARE YOUR SECURITY TIPS
   Share your security-related tips, comments, or problems and 
solutions in the Windows IT Security print newsletter's 
Reader to Reader column. Email your contributions to 
If we print your submission, you'll get $100. We edit submissions 
for style, grammar, and length.

=== PRODUCTS ==================================================
by Renee Munshi, 

Manage and Secure Remote Systems
   Anfibia Software announced the release of Desktop Orbiter 4.1.3, which 
fixes bugs and adds new features to this remote security and administration 
tool. Administrators can use Desktop Orbiter to protect and manage multiple 
computers from a central location. Along with other features, Desktop 
Orbiter enforces security policies on managed computers, disables access to 
components such as the Start menu and Control Panel, restricts access to 
Web sites, keeps track of active connections and open ports used by 
applications and services, provides reporting tools, and supports 256-bit 
AES encryption and key-based authentication. Desktop Orbiter is designed 
for businesses, schools, public libraries, Internet cafes, and other 
settings. It supports Windows 2003/XP/2000. A 10-user pack costs $399, and 
volume discounts are available. For more information, go to 

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to and get a Best Buy gift certificate. 

=== RESOURCES AND EVENTS ======================================
Cross-Platform Data Roadshow 
   Oracle professionals will cover key concepts about Oracle and SQL 
Server in enterprise database computing. This event provides invaluable 
information, including benefits of 64-bit computing on the Windows 
platform, SQL Server BI for Oracle, high-availability proof points for 
SQL and Oracle, and much more. 

Microsoft TechEd: IT Forum 
   Discover more at Microsoft's premier EMEA conference designed to 
provide IT professionals with technical training, information, and 
community resources to build, plan, deploy, and manage the secure 
connected enterprise. Visit the Website for further information and 
register before the Early Bird deadline of 29 September 2006 to save 
300 euros. 
   14 - 17 November 2006, Barcelona, Spain

Best Practices for Migrating Applications to a New Operating System 
   Take the necessary steps for application management, from converting 
legacy applications to MSI to conflict and usability testing. Don't 
overlook an important component during your OS migration--join us for 
this free on-demand Web seminar. 

Total Cost of Ownership (TCO). It's every executive's favorite 
buzzword, but what does it really mean and how does it affect you? In 
this podcast, Ben Smith explains how your organization can use 
virtualization technology to measurably improve TCO for servers and 

Ensure that you're being effective with your internal network security. 
Are your DIY options protecting you against worms, BotNets, Trojans, 
and hackers? Make sure! On-Demand Web Seminar. 

=== FEATURED WHITE PAPER ======================================
Did you know that wasteful processes can drive the cost of document 
management and output to as high as 10-15% of your company's annual 
revenues? Download this free white paper today and find out how you can 
use fax solutions to achieve cost control, security, compliance, 
increased workflow, and more. 

=== ANNOUNCEMENTS =============================================
Monthly Online Pass--only $14.95 per month! 
   Includes instant online access to every article ever written in the 
Windows IT Security newsletter, your #1 resource for everything 
security. Order now:

Save $40 off Windows IT Pro  
   Subscribe to Windows IT Pro magazine today and SAVE up to $40! Along 
with your 12 issues, you'll get FREE access to the entire Windows IT 
Pro online article archive, which houses more than 9,000 helpful IT 
articles. This is a limited-time offer, so order now:

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and the Windows IT Security newsletter 
(subscribe at the second URL below).

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.

HITBSecConf2006 - Malaysia 
The largest network security event in Asia 
32 internationally renowned speakers 
7 tracks of hands-on technical training sessions. 
Register now: 
