[ISN] BotHunter: Another Useful Linux Tool

From: InfoSec News (alerts@private)
Date: Wed Aug 15 2007 - 23:24:42 PDT


Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Ensuring Protection and Availability for Microsoft Exchange
   http://list.windowsitpro.com/t?ctl=624B9:57B62BBB09A69279A28782D07A346BFF

Eliminate the Achilles Heel of the Desktop - Admin Rights
   http://list.windowsitpro.com/t?ctl=624B8:57B62BBB09A69279A28782D07A346BFF

Gain Control of Software Usage and Reduce Audit Risks
   http://list.windowsitpro.com/t?ctl=624B7:57B62BBB09A69279A28782D07A346BFF


=== CONTENTS ===================================================

IN FOCUS: BotHunter: Another Useful Linux Tool

NEWS AND FEATURES
   - RSA Expands Security Offerings with Tablus Acquisition
   - Symantec's New Evidence Collection and Transfer Tools
   - Oracle Expands Its Middleware with More Security
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: Cisco and Google Both Inflict DoS Upon 
Themselves
   - FAQ: How to List a User's SMTP Email Addresses
   - From the Forum: Object Access Logging
   - Share Your Security Tips

PRODUCTS
   - Zip and Encrypt Outlook Email Attachments
   - Product Evaluations from the Real World

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: Double-Take Software ==============================

Ensuring Protection and Availability for Microsoft Exchange
   Microsoft Exchange is integral to an organization's day-to-day 
operation. For many companies, an hour of Exchange downtime can cost 
hundreds of thousands of dollars in lost productivity. This paper 
discusses new ways to maintain Exchange uptime by using data 
protection, failover, and application availability. When recoverability 
matters, depend on Double-Take Software to protect and recover business 
critical data and applications.
   http://list.windowsitpro.com/t?ctl=624B9:57B62BBB09A69279A28782D07A346BFF


=== IN FOCUS: BotHunter: Another Useful Linux Tool =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

BotHunter is a passive traffic monitoring system that can locate bot 
activity on your network, but you need Linux to use it. Nevertheless, 
it'll help protect your Windows-based network against bot infiltration. 

The tool, which was recently released to the public, was developed by 
the Cyber-Threat Analytics (Cyber-TA) Project. Extensive details about 
BotHunter were presented at the 16th annual USENIX Security Symposium, 
which took place August 6-10. The white paper prepared for the 
symposium is available online and describes the technology used by the 
tool. 

According to the white paper, BotHunter tracks communication between 
internal network devices and systems external to the local network. The 
data exchanges are compared to a state-based infection model that can 
detect a malware infection process and identify both the target and the 
source of the attack. 

Under the hood, BotHunter uses Snort along with custom malware-focused 
rule sets. Added to Snort are two custom plug-ins called SLADE and 
SCADE that were developed especially for BotHunter. SLADE performs 
payload analysis, and SCADE performs port scan analyses of inbound and 
outbound traffic. 
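As an added illustration of the state-based infection model described above (example code written for this article, not BotHunter's own engine or rules): a minimal dialog correlator that reads constructed Snort-style alert lines, tags each by an assumed SID-to-stage mapping (E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C traffic, E5 outbound scan, the stage labels the USENIX paper uses), and declares a local host infected when an exploit plus one later stage, or two distinct later stages, fall within a time window. The SIDs, addresses, local prefix, window and infection condition are all assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed Snort-style alert lines (approximation of the fast-alert format; sample input, not real traffic)
SAMPLE_ALERTS = """\
08/15-10:01:02.000 [**] [1:100:1] inbound port scan [**] 203.0.113.5:4444 -> 192.168.1.20:445
08/15-10:01:09.000 [**] [1:200:1] inbound exploit [**] 203.0.113.5:4444 -> 192.168.1.20:445
08/15-10:01:15.000 [**] [1:300:1] egg download [**] 192.168.1.20:1031 -> 203.0.113.5:80
08/15-10:02:40.000 [**] [1:400:1] C&C channel [**] 192.168.1.20:1032 -> 198.51.100.9:6667
08/15-10:03:00.000 [**] [1:100:1] inbound port scan [**] 203.0.113.7:5555 -> 192.168.1.30:445
"""

# Assumed SID-to-stage mapping (E1 inbound scan, E2 inbound exploit, E3 egg download, E4 C&C, E5 outbound scan)
SID_STAGE = {100: "E1", 200: "E2", 300: "E3", 400: "E4", 500: "E5"}
INBOUND = {"E1", "E2"}          # for these stages the local victim is the destination
LOCAL_PREFIX = "192.168.1."      # assumed local network
WINDOW_SEC = 240                 # assumed correlation window in seconds

LINE = re.compile(r"^(\S+) \[\*\*\] \[\d+:(\d+):\d+\] .*? \[\*\*\] (\S+?):\d+ -> (\S+?):\d+$")

def parse(text):
    """Yield (time, stage, src, dst) for each alert whose SID maps to a dialog stage."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or int(m.group(2)) not in SID_STAGE:
            continue
        t = datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f")
        yield t, SID_STAGE[int(m.group(2))], m.group(3), m.group(4)

def correlate(text):
    """Return {victim: profile} for local hosts whose dialog meets the infection condition."""
    evidence = {}  # victim -> list of (time, stage, peer)
    for t, stage, src, dst in parse(text):
        victim, peer = (dst, src) if stage in INBOUND else (src, dst)
        if victim.startswith(LOCAL_PREFIX):
            evidence.setdefault(victim, []).append((t, stage, peer))
    profiles = {}
    for victim, events in evidence.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= WINDOW_SEC]
            stages = {s for _, s, _ in window}
            post = stages & {"E3", "E4", "E5"}
            # Assumed condition: exploit plus one later stage, or two distinct later stages
            if ("E2" in stages and post) or len(post) >= 2:
                attacker = next((p for _, s, p in window if s == "E2"), None)
                profiles[victim] = {"attacker": attacker, "stages": sorted(stages)}
                break
    return profiles
```

Run correlate(SAMPLE_ALERTS): 192.168.1.20 is reported with 203.0.113.5 as the attack source, while 192.168.1.30, which only saw an inbound scan, is not flagged.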

It might sound somewhat simple on the surface, but it's actually 
complex and quite effective. The BotHunter developers, Phillip Porras 
of SRI International and Wenke Lee of Georgia Institute of Technology, 
established a honeynet that uses BotHunter. The developers wrote that 
"Over a 3-week period between March and April 2007, we analyzed a total 
of 2,019 successful Windows XP and Windows 2000 remote-exploit bot or 
worm infections." BotHunter detected 1,920 of those 2,019 infections, 
which is roughly a 95 percent success rate. Not bad, especially for a 
free tool! 

A really slick feature of BotHunter is its integrated support for 
"large-scale privacy-preserving data sharing." The feature lets 
BotHunter operators send bot profiles to a central repository operated 
by Cyber-TA, which is then made available to all who provide BotHunter 
data and other researchers. The feature sends data by using Transport 
Layer Security (TLS) over a TOR (The Onion Router) network to keep 
reports reasonably anonymous and lets operators selectively obfuscate 
IP addresses and other sensitive information before they share their 
data.

As with many excellent security tools, BotHunter runs on Linux. If 
you're not familiar with Linux, know that it's not so hard to use, so 
consider building a system and learning the ins and outs. You'll find 
that the OS comes in very handy. 

BotHunter requires Fedora, Debian, or SUSE Linux, plus Sun 
Microsystems' Java 2 Platform, Standard Edition (J2SE) 1.4.2 or later 
Java Runtime Environment (JRE), which is used to read alert streams 
from Snort. Of course, you'll also need a spunky system to run the 
platform, so be sure that you use a system with a fast CPU, fast hard 
drives, and plenty of RAM. You might also need other tools, such as 
VMware, depending on how you plan to implement a test platform. 

You can download the BotHunter source code at the Cyber-TA Web site at 
the first URL below, and you can read the extensive white paper about 
BotHunter at the second URL below. The white paper explains exactly how 
the platform works and details the hardware that's running the honeynet 
that the development team is currently using to test BotHunter. 
   http://list.windowsitpro.com/t?ctl=624C4:57B62BBB09A69279A28782D07A346BFF
   http://list.windowsitpro.com/t?ctl=624BF:57B62BBB09A69279A28782D07A346BFF


=== SPONSOR: BeyondTrust =======================================

Eliminate the Achilles Heel of the Desktop - Admin Rights
   BeyondTrust enables users without administrative privileges to run 
all required applications, processes and ActiveX controls. By removing 
the need to grant end users administrative rights, IT departments can 
eliminate what is otherwise the Achilles heel of the desktop - end 
users with administrative power that can be exploited by malware and 
malicious users to change security settings, disable other security 
solutions such as anti-virus and more. Free Download!
   http://list.windowsitpro.com/t?ctl=624B8:57B62BBB09A69279A28782D07A346BFF


=== SECURITY NEWS AND FEATURES =================================

RSA Expands Security Offerings with Tablus Acquisition
   RSA said the acquisition will allow it to add data discovery and 
classification, monitoring, and data loss prevention capabilities to 
its existing portfolio of solutions.
   http://list.windowsitpro.com/t?ctl=624C5:57B62BBB09A69279A28782D07A346BFF

Symantec's New Evidence Collection and Transfer Tools
   Symantec announced the release of new connectors for its Enterprise 
Vault platform that help automate the collection and transfer of 
electronic evidence.
   http://list.windowsitpro.com/t?ctl=624C6:57B62BBB09A69279A28782D07A346BFF

Oracle Expands Its Middleware with More Security
   Oracle recently launched a beta preview of its Oracle Authentication 
Services for Operating Systems, a new component of its Identity 
Management offering, which is part of Oracle Fusion Middleware.
   http://list.windowsitpro.com/t?ctl=624C7:57B62BBB09A69279A28782D07A346BFF

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
   http://list.windowsitpro.com/t?ctl=624BD:57B62BBB09A69279A28782D07A346BFF


=== SPONSOR: Macrovision =======================================

Gain Control of Software Usage and Reduce Audit Risks
   Most organizations face serious challenges, including understanding 
vendor licensing models, cost overruns, missed deadlines, business 
opportunities, and lost user productivity. Learn to address these 
challenges, and prepare for audits. Register for the free Web seminar, 
available now!
   http://list.windowsitpro.com/t?ctl=624B7:57B62BBB09A69279A28782D07A346BFF


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Cisco and Google Both Inflict DoS Upon 
Themselves
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=624CC:57B62BBB09A69279A28782D07A346BFF

In what must be embarrassing moments for Cisco and Google, both 
companies managed to inflict Denial of Service (DoS) upon themselves 
last week. You can read about those incidents and about how hackers 
have cracked AT&T's lock on the new iPhone. Check out the Security 
Matters blog on our Web site. 
   http://list.windowsitpro.com/t?ctl=624BA:57B62BBB09A69279A28782D07A346BFF

FAQ: How to List a User's SMTP Email Addresses
   by John Savill, http://list.windowsitpro.com/t?ctl=624CA:57B62BBB09A69279A28782D07A346BFF 

Q: How can I generate a list of all the SMTP mail addresses a user has?

Find the answer at
   http://list.windowsitpro.com/t?ctl=624C8:57B62BBB09A69279A28782D07A346BFF

FROM THE FORUM: Object Access Logging
   A forum participant wants to know if there's any value in having 
auditing turned on for failures for Audit Object Access if there's 
nothing turned on at the folder level.
   http://list.windowsitpro.com/t?ctl=624B6:57B62BBB09A69279A28782D07A346BFF

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private. If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Zip and Encrypt Outlook Email Attachments
   WinZip Computing, a Corel Company, announced the public beta of 
WinZip E-Mail Companion 2.0, which lets you compress outgoing email 
attachments and, if desired, use advanced AES encryption to protect 
them. WinZip E-Mail Companion 2.0 Beta is the follow-up to WinZip 
Companion for Outlook 1.0, adding support for Microsoft Outlook 
Express, Microsoft Windows Mail (Windows Vista), and Outlook 2007 to 
existing support for Outlook 2002 and 2003. WinZip E-Mail Companion 2.0 
also includes new compression options, the ability to zip and encrypt 
from within Microsoft Office applications, and improved file naming. 
For more information or to download the beta, go to
   http://list.windowsitpro.com/t?ctl=624CF:57B62BBB09A69279A28782D07A346BFF

PRODUCT EVALUATIONS FROM THE REAL WORLD
   Share your product experience with your peers. Have you discovered a 
great product that saves you time and money? Do you use something you 
wouldn't wish on anyone? Tell the world! If we publish your opinion, 
we'll send you a Best Buy gift card! Send information about a product 
you use and whether it helps or hinders you to 
whatshot@private


=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit
   http://list.windowsitpro.com/t?ctl=624C9:57B62BBB09A69279A28782D07A346BFF

Getting the Most from DFS
   This Web seminar covers DFS: what it is, how it works, the server 
and client OS versions that support it, how to configure it, its 
limitations, using DFS-N and DFS-R, and how to manage DFS. Learn the 
basics and get a quick "how-to" on implementing DFS-N and DFS-R in your 
Windows Server 2003 environment. Don't miss this Web seminar.
   http://list.windowsitpro.com/t?ctl=624BC:57B62BBB09A69279A28782D07A346BFF

Don't miss Fall Connections 2007, the premier event for Microsoft 
developers and DBAs, November 5-8, 2007, in Las Vegas. It will impact 
how you build solutions, increase your productivity, and enhance your 
development skills to give your company the competitive edge!  
   http://list.windowsitpro.com/t?ctl=624CD:57B62BBB09A69279A28782D07A346BFF

File fragmentation is a serious problem. As a disk becomes fragmented, 
the workload on the OS and hardware increases, making it more difficult 
for applications to read and write data. File corruption becomes a 
distinct possibility, the computer's performance degrades, and its 
reliability is endangered. This white paper looks at the effect of disk 
defragmentation on your users.  
   http://list.windowsitpro.com/t?ctl=624BB:57B62BBB09A69279A28782D07A346BFF


=== FEATURED WHITE PAPER =======================================

KVM over IP in Distributed IT Environments
   Keyboard/video/mouse (KVM) switches are a valuable management tool, 
but they have weaknesses in distributed environments. This white paper 
presents the complexities of managing the distributed data center and 
highlights the advantages of using a KVM-over-IP solution for flexible, 
scalable, affordable CAT5-based remote access.
   http://list.windowsitpro.com/t?ctl=624BE:57B62BBB09A69279A28782D07A346BFF


=== ANNOUNCEMENTS ==============================================

Search Thousands of SQL Articles Online and on CD 
   A SQL Server Magazine Master CD subscription buys you portable, 
lightning-fast access to the entire SQL Server article database on CD, 
plus exclusive, up-to-the-minute access to the new articles we publish 
on SQLMag.com every day. Order your subscription now! 
   http://list.windowsitpro.com/t?ctl=624C1:57B62BBB09A69279A28782D07A346BFF

Save 1/2 Off Security Pro VIP 
   Security Pro VIP is an online resource that delivers new articles 
every week to help you defend your network. Subscribers also receive 
tips, cautionary advice, direct access to our editors for technical 
Q&As, and a host of other benefits! Order now, and save up to 50 
percent! 
   http://list.windowsitpro.com/t?ctl=624C0:57B62BBB09A69279A28782D07A346BFF


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 
below).
   http://list.windowsitpro.com/t?ctl=624CB:57B62BBB09A69279A28782D07A346BFF
   http://list.windowsitpro.com/t?ctl=624D0:57B62BBB09A69279A28782D07A346BFF

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=624C3:57B62BBB09A69279A28782D07A346BFF

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=624CE:57B62BBB09A69279A28782D07A346BFF
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=624C2:57B62BBB09A69279A28782D07A346BFF

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/



This archive was generated by hypermail 2.1.3 : Wed Aug 15 2007 - 23:34:46 PDT