BotHunter: Another Useful Linux Tool

Forwarded with permission from: Security UPDATE 


Ensuring Protection and Availability for Microsoft Exchange 

Eliminate the Achilles Heel of the Desktop - Admin Rights 

Gain Control of Software Usage and Reduce Audit Risks 

=== CONTENTS ==================================================
IN FOCUS: BotHunter: Another Useful Linux Tool

   - RSA Expands Security Offerings with Tablus Acquisition
   - Symantec's New Evidence Collection and Transfer Tools
   - Oracle Expands Its Middleware with More Security
   - Recent Security Vulnerabilities

   - Security Matters Blog: Cisco and Google Both Inflict DoS Upon 
   - FAQ: How to List a User's SMTP Email Addresses
   - From the Forum: Object Access Logging
   - Share Your Security Tips

   - Zip and Encrypt Outlook Email Attachments
   - Product Evaluations from the Real World




=== SPONSOR: Double-Take Software =============================
Ensuring Protection and Availability for Microsoft Exchange
   Microsoft Exchange is integral to an organization's day-to-day 
operation. For many companies, an hour of Exchange downtime can cost 
hundreds of thousands of dollars in lost productivity. This paper 
discusses new ways to maintain Exchange uptime by using data 
protection, failover, and application availability. When recoverability 
matters, depend on Double-Take Software to protect and recover business 
critical data and applications. 

=== IN FOCUS: BotHunter: Another Useful Linux Tool ============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

BotHunter is a passive traffic monitoring system that can locate bot 
activity on your network, but you need Linux to use it. Nevertheless, 
it'll help protect your Windows-based network against bot infiltration. 

The tool, which was recently released to the public, was developed by 
the Cyber-Threat Analytics (Cyber-TA) Project. Extensive details about 
BotHunter were presented at the 16th annual USENIX Security Symposium, 
which took place August 6-10. The white paper prepared for the 
symposium is available online and describes the technology used by the 

According to the white paper, BotHunter tracks communication between 
internal network devices and systems external to the local network. The 
data exchanges are compared to a state-based infection model that can 
detect a malware infection process and identify both the target and the 
source of the attack. 

Under the hood, BotHunter uses Snort along with custom malware-focused 
rule sets. Added to Snort are two custom plug-ins called SLADE and 
SCADE that were developed especially for BotHunter. SLADE performs 
payload analysis, and SCADE performs port scan analyses of inbound and 
outbound traffic. 
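To make the state-based correlation concrete, here is an added example (my own illustration, not BotHunter's code): a small Python correlator that parses constructed Snort-style alert lines, groups the dialog evidence per internal host, and declares an infection only when an assumed rule is met, naming both the victim and the attacking source. The dialog classes, the decision rule and the 10.0.0.0/8 internal range are all assumptions made for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added illustration of a state-based infection-dialog correlator; not
# BotHunter's code. Dialog classes, the decision rule and the sample alerts
# are assumptions constructed for this example.
INTERNAL = ip_network("10.0.0.0/8")             # assumed local address space
INBOUND = {"SCAN_IN", "EXPLOIT"}                # attacker -> internal victim
OUTBOUND = {"EGG_DOWNLOAD", "CNC", "SCAN_OUT"}  # victim -> outside

# Constructed Snort-style alert lines: "[class] src -> dst"
ALERTS = """\
[SCAN_IN] 203.0.113.7 -> 10.0.0.5
[EXPLOIT] 203.0.113.7 -> 10.0.0.5
[EGG_DOWNLOAD] 10.0.0.5 -> 198.51.100.9
[CNC] 10.0.0.5 -> 192.0.2.44
[SCAN_IN] 203.0.113.7 -> 10.0.0.6
[CNC] 10.0.0.7 -> 192.0.2.44
"""
LINE = re.compile(r"\[(\w+)\] (\S+) -> (\S+)")

def parse(text):
    """Yield (dialog_class, src, dst) from alert lines."""
    for m in LINE.finditer(text):
        yield m.group(1), ip_address(m.group(2)), ip_address(m.group(3))

def correlate(text):
    """Collect dialog evidence per internal host and apply the rule:
    an inbound exploit plus any outbound dialog, or two distinct
    outbound dialog classes, marks the host as infected."""
    ev = defaultdict(lambda: {"in": set(), "out": set(), "src": set()})
    for cls, src, dst in parse(text):
        if cls in INBOUND and dst in INTERNAL:
            ev[dst]["in"].add(cls)
            ev[dst]["src"].add(src)          # remember the attack source
        elif cls in OUTBOUND and src in INTERNAL:
            ev[src]["out"].add(cls)
    profiles = {}
    for host, e in ev.items():
        if ("EXPLOIT" in e["in"] and e["out"]) or len(e["out"]) >= 2:
            profiles[str(host)] = {"attacker": sorted(map(str, e["src"])),
                                   "dialogs": sorted(e["in"] | e["out"])}
    return profiles

if __name__ == "__main__":
    for victim, profile in correlate(ALERTS).items():
        print(victim, profile)
```

With the constructed alerts, only 10.0.0.5 is reported: 10.0.0.6 was merely scanned, and 10.0.0.7 shows a single outbound dialog, which the rule treats as insufficient evidence on its own.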

It might sound somewhat simple on the surface, but it's actually 
complex and quite effective. The BotHunter developers, Phillip Porras 
of SRI International and Wenke Lee of Georgia Institute of Technology, 
established a honeynet that uses BotHunter. The developers wrote that 
"Over a 3-week period between March and April 2007, we analyzed a total 
of 2,019 successful Windows XP and Windows 2000 remote-exploit bot or 
worm infections." BotHunter detected 1,920 of those 2,019 infections, 
which is roughly a 95 percent success rate. Not bad, especially for a 
free tool! 

A really slick feature of BotHunter is its integrated support for 
"large-scale privacy-preserving data sharing." The feature lets 
BotHunter operators send bot profiles to a central repository operated 
by Cyber-TA, which is then made available to all who provide BotHunter 
data and other researchers. The feature sends data by using Transport 
Layer Security (TLS) over a TOR (The Onion Router) network to keep 
reports reasonably anonymous and lets operators selectively obfuscate 
IP addresses and other sensitive information before they share their 

As with many excellent security tools, BotHunter runs on Linux. If 
you're not familiar with Linux, know that it's not so hard to use, so 
consider building a system and learning the ins and outs. You'll find 
that the OS comes in very handy. 

BotHunter requires Fedora, Debian, or SUSE Linux, plus Sun 
Microsystems' Java 2 Platform, Standard Edition (J2SE) 1.4.2 or later 
Java Runtime Environment (JRE), which is used to read alert streams 
from Snort. Of course, you'll also need a spunky system to run the 
platform, so be sure that you use a system with a fast CPU, fast hard 
drives, and plenty of RAM. You might also need other tools, such as 
VMware, depending on how you plan to implement a test platform. 

You can download the BotHunter source code at the Cyber-TA Web site at 
the first URL below, and you can read the extensive white paper about 
BotHunter at the second URL below. The white paper explains exactly how 
the platform works and details the hardware that's running the honeynet 
that the development team is currently using to test BotHunter. 

=== SPONSOR: BeyondTrust ======================================
Eliminate the Achilles Heel of the Desktop - Admin Rights
   BeyondTrust enables users without administrative privileges to run 
all required applications, processes and ActiveX controls. By removing 
the need to grant end users administrative rights, IT departments can 
eliminate what is otherwise the Achilles heel of the desktop - end 
users with administrative power that can be exploited by malware and 
malicious users to change security settings, disable other security 
solutions such as anti-virus and more. Free Download! 

=== SECURITY NEWS AND FEATURES ================================
RSA Expands Security Offerings with Tablus Acquisition
   RSA said the acquisition will allow it to add data discovery and 
classification, monitoring, and data loss prevention capabilities to 
its existing portfolio of solutions. 

Symantec's New Evidence Collection and Transfer Tools
   Symantec announced the release of new connectors for its Enterprise 
Vault platform that help automate the collection and transfer of 
electronic evidence. 

Oracle Expands Its Middleware with More Security
   Oracle recently launched a beta preview of its Oracle Authentication 
Services for Operating Systems, a new component of its Identity 
Management offering, which is part of Oracle Fusion Middleware. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: Macrovision ======================================
Gain Control of Software Usage and Reduce Audit Risks
   Most organizations face serious challenges, including understanding 
vendor licensing models, cost overruns, missed deadlines, business 
opportunities, and lost user productivity. Learn to address these 
challenges, and prepare for audits. Register for the free Web seminar, 
available now! 

=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: Cisco and Google Both Inflict DoS Upon 
by Mark Joseph Edwards, 

In what must be embarrassing moments for Cisco and Google, both 
companies managed to inflict Denial of Service (DoS) upon themselves 
last week. You can read about those incidents and about how hackers 
have cracked AT&T's lock on the new iPhone. Check out the Security 
Matters blog on our Web site. 

FAQ: How to List a User's SMTP Email Addresses
by John Savill, 

Q: How can I generate a list of all the SMTP mail addresses a user has?

Find the answer at 

FROM THE FORUM: Object Access Logging
   A forum participant wants to know if there's any value in having 
auditing turned on for failures for Audit Object Access if there's 
nothing turned on at the folder level. 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ==================================================
   by Renee Munshi, 

Zip and Encrypt Outlook Email Attachments
   WinZip Computing, a Corel Company, announced the public beta of 
WinZip E-Mail Companion 2.0, which lets you compress outgoing email 
attachments and, if desired, use advanced AES encryption to protect 
them. WinZip E-Mail Companion 2.0 Beta is the follow-up to WinZip 
Companion for Outlook 1.0, adding support for Microsoft Outlook 
Express, Microsoft Windows Mail (Windows Vista), and Outlook 2007 to 
existing support for Outlook 2002 and 2003. WinZip E-Mail Companion 2.0 
also includes new compression options, the ability to zip and encrypt 
from within Microsoft Office applications, and improved file naming. 
For more information or to download the beta, go to 

   Share your product experience with your peers. Have you discovered a 
great product that saves you time and money? Do you use something you 
wouldn't wish on anyone? Tell the world! If we publish your opinion, 
we'll send you a Best Buy gift card! Send information about a product 
you use and whether it helps or hinders you to 

=== RESOURCES AND EVENTS ======================================
   For more security-related resources, visit 

Getting the Most from DFS
   This Web seminar covers DFS: what it is, how it works, the server 
and client OS versions that support it, how to configure it, its 
limitations, using DFS-N and DFS-R, and how to manage DFS. Learn the 
basics and get a quick "how-to" on implementing DFS-N and DFS-R in your 
Windows Server 2003 environment. Don't miss this Web seminar. 

Don't miss Fall Connections 2007, the premier event for Microsoft 
developers and DBAs, November 5-8, 2007, in Las Vegas. It will impact 
how you build solutions, increase your productivity, and enhance your 
development skills to give your company the competitive edge! 

File fragmentation is a serious problem. As a disk becomes fragmented, 
the workload on the OS and hardware increases, making it more difficult 
for applications to read and write data. File corruption becomes a 
distinct possibility, the computer's performance degrades, and its 
reliability is endangered. This white paper looks at the effect of disk 
defragmentation on your users. 

=== FEATURED WHITE PAPER ======================================
KVM over IP in Distributed IT Environments
   Keyboard/video/mouse (KVM) switches are a valuable management tool, 
but they have weaknesses in distributed environments. This white paper 
presents the complexities of managing the distributed data center and 
highlights the advantages of using a KVM-over-IP solution for flexible, 
scalable, affordable CAT5-based remote access. 

=== ANNOUNCEMENTS =============================================
Search Thousands of SQL Articles Online and on CD 
   A SQL Server Magazine Master CD subscription buys you portable, 
lightning-fast access to the entire SQL Server article database on CD, 
plus exclusive, up-to-the-minute access to the new articles we publish 
on every day. Order your subscription now! 

Save 1/2 Off Security Pro VIP 
   Security Pro VIP is an online resource that delivers new articles 
every week to help you defend your network. Subscribers also receive 
tips, cautionary advice, direct access to our editors for technical 
Q&As, and a host of other benefits! Order now, and save up to 50 

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
