News

Wednesday, December 19, 2007

Malware Evolves to Bypass Common Controls

SECURITY UPDATE
A Penton Media Property
December 19, 2007


If you want to view this on the web go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48837-0-0-0-1-2-207


IN FOCUS

--Malware Evolves to Bypass Common Controls
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Botnets and Trojans are huge headaches. They're everywhere, and their
numbers are growing exponentially. Sometimes that kind of malware is
discovered by security scanning software. Other times it's discovered by
unusual traffic patterns sent to specific IP addresses, sometimes on
atypical ports.

When you discover such malware, you can typically monitor it to learn
which IP addresses it's communicating with and then block access to
those addresses. The blocking technique is particularly effective in
stopping bots and Trojans. Therefore, one key to survival for many types
of malware is decentralization of malware command and control centers.
The next wave of malware promises to make the task of blocking far more
difficult.

In a new report, security solution maker Finjan describes upcoming
trends in malware behavior. Finjan points out that instead of using
typical point-to-point communication, new forms of malware will use
seemingly harmless technologies and existing Web sites to mask their
traffic.

Many Web sites, such as Google, Yahoo!, and Feedburner (to name just a
few) are available for access from within enterprise networks and
certainly from within most every home user's network. Traffic to and
from such sites wouldn't seem unusual in most cases. Several companies
(including the companies I just named) provide incredibly useful
technologies such as RSS feed aggregation and data aggregation from
disparate sources. Malware developers realize that and aim to take
advantage of it by using these publicly available resources as a
go-between.

In one type of scenario, a botnet operator could post a message to a
site, such as a blog on a free blog hosting site (MySpace, for example).
Bots in the botnet could then download the blog's RSS feed, parse the
content, extract commands, and act on them. In another scenario, spyware
could do the same thing the bots do, but it could also post information
back to the blog as comments if the blog is configured so that all
comments must be approved before being published (thereby keeping any
data out of sight). Or the spyware could post the data back to the blog
as an unpublished post by using such technologies as XML-RPC.

The problem here is obvious. It's not reasonable to think you can
protect your network by blocking access to sites in hopes of stopping
botnets and spyware because any number of different sites could be used
and blocking sites reduces overall Internet value. One solution that
might help is packet content inspection, although that's not foolproof
either. Any number of innocuous word combinations could be used as
commands for bots and spyware. So we're facing a much more difficult
problem to solve. Of course when it comes to security, an ounce of
prevention is worth a megaton of cure, which means that you should use
the best security products you can get.
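The column leaves the defender with one lever that neither site blocking nor content inspection gives up: timing. A bot polls its feed on a timer, so the gaps between its fetches are far more regular than a person's. The script below is an added example, not from the newsletter or from Finjan's report; it assumes a constructed proxy-log format (epoch time, client IP, method, URL) and flags hosts whose feed polls arrive at near-constant intervals.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not from the newsletter): epoch seconds, client,
# method, URL. 10.0.0.5 polls one blog feed every ~300 s with almost no jitter;
# 10.0.0.7 fetches a feed at irregular, human-looking intervals.
SAMPLE_LOG = """\
1198000000 10.0.0.5 GET http://blog.example.net/feed/rss
1198000300 10.0.0.5 GET http://blog.example.net/feed/rss
1198000601 10.0.0.5 GET http://blog.example.net/feed/rss
1198000900 10.0.0.5 GET http://blog.example.net/feed/rss
1198000010 10.0.0.7 GET http://news.example.org/rss.xml
1198001950 10.0.0.7 GET http://news.example.org/rss.xml
1198004100 10.0.0.7 GET http://news.example.org/rss.xml
1198009999 10.0.0.7 GET http://news.example.org/rss.xml
1198000050 10.0.0.7 GET http://www.example.com/index.html
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+\S+\s+(\S+)$")
# Assumed feed URL shapes; extend with the aggregator services seen in your logs.
FEED_RE = re.compile(r"(/feed/?|/rss(\.xml)?|\.rss|/atom(\.xml)?|\.atom)$", re.I)

def parse_feed_fetches(text):
    """Yield (epoch, client, url) for log lines whose URL looks like a feed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and FEED_RE.search(m.group(3)):
            yield int(m.group(1)), m.group(2), m.group(3)

def find_periodic_feed_polls(text, min_polls=4, max_cv=0.05):
    """Flag (client, url) pairs whose gaps between fetches are nearly constant:
    a coefficient of variation (stdev / mean) <= max_cv means a timer drives them."""
    by_pair = defaultdict(list)
    for ts, client, url in parse_feed_fetches(text):
        by_pair[(client, url)].append(ts)
    alerts = []
    for (client, url), stamps in by_pair.items():
        if len(stamps) < min_polls:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            alerts.append({"client": client, "url": url,
                           "period_s": round(mean(gaps)), "cv": round(cv, 4)})
    return alerts

if __name__ == "__main__":
    for alert in find_periodic_feed_polls(SAMPLE_LOG):
        print(alert)
```

Legitimate feed readers also poll on timers, so a hit is a triage lead to check against the host's installed software and its usual behaviour, not proof of infection.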

Next week, I'll tell you about a particular set of preventive solutions
and how they stack up against their peers. Until then, if you're
interested, head over to Finjan's site and get a copy of its report.
It's available in PDF format at

finjan.com/GetObject.aspx?ObjId=545
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48838-0-0-0-1-2-207)

----------------------------------------
ADVERTISEMENT
Kroll Ontrack

Crashed server? You have a need for speed!

Ontrack Data Recovery services provide the fastest, most cost-effective
recovery solutions available utilizing the industry's only lab-quality,
remote data recovery service.

* No need to ship any equipment
* Fast, secure connection allows engineers to begin data recovery work
in minutes

Special Offer: For a limited time, if you need data recovery service on
any server or RAID system, you will receive:

* Free initial consultation with a data recovery engineer to help you
determine the fastest, most cost-effective course of action
* Free service upgrade to our Priority-level Service
* Free comprehensive, remote evaluation of your storage media

For immediate assistance, call 800 872 2599 - or visit:
http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48839-0-0-0-1-2-207

----------------------------------------


SECURITY NEWS AND FEATURES

--Rise of the Rootkits
First it was viruses, then it was Trojans, next came worms, and of
course, then came spam. Now rootkit infections are on the rise,
according to Prevx, makers of spyware and malware detection and
remediation technologies.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48840-0-0-0-1-2-207

--F-Secure Says Malware Skyrocketed in 2007
Innovation is down, but the number of malware variations has gone way
up. F-Secure said the volume can be attributed to bad guys using malware
generator kits. Not only that, but exploit production techniques have
been refined for much greater effectiveness.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48841-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at
www.windowsitpro.com/departments/departmentid/752/752.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48842-0-0-0-1-2-207)

----------------------------------------
ADVERTISEMENT
Shavlik

The Essential Guide to Creating an Environment for Sustaining
Compliance

Before the onslaught of today's security-related mandates, most
companies were already struggling to deal with their own internal
mandates for security and control of their IT infrastructure. Now even
small companies with a tightly-focused business scope are impacted by
multiple security mandates from within the organization, as well as from
government, regulatory and industry requirements. Faced with the
multiple mandates and looming deadlines, it's easy to take a reactive,
point-in-time oriented approach.

http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48843-0-0-0-1-2-207

----------------------------------------


GIVE AND TAKE

--SECURITY MATTERS BLOG: A More Traditional Trojan
by Mark Joseph Edwards
What's to stop someone from creating a more traditional type of Trojan
that exploits the growing trend of installing Wi-Fi networks everywhere?
Apparently nothing.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48844-0-0-0-1-2-207

--FAQ: Use DFSR Instead of NTFRS in Windows Server 2008
by John Savill
Q: How can I configure my Windows Server 2008-mode domain to use
Distributed File System Replication (DFSR) instead of NT File
Replication System (NTFRS)?

Find the answer at

www.windowsitpro.com/Article/ArticleID/97813
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48845-0-0-0-1-2-207)

--FROM THE FORUM: Password Complexity Requirements on Windows Server 2003
A forum participant has a Windows 2003 Active Directory (AD) domain and
wants to increase the domain's password complexity requirements so that
users would need to use two out of four character types (rather than no
complexity requirements or three out of four character types). Is this
possible? Join the discussion at
forums.windowsitpro.com/web/forum/messageview.aspx?catid=42&threadid=88376&enterthread=y
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48846-0-0-0-1-2-207)

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@securityprovip.com
(mailto:r2r@securityprovip.com).
If we print your submission, you'll get $100. We edit submissions for
style, grammar, and length.

----------------------------------------
ADVERTISEMENT
CorasWorks

Using SharePoint 2007 as a Platform for Managing Information Across the
Enterprise

Learn the basics of the content management process and understand how
workflow and information management policies are implemented in Office
SharePoint Server 2007 solutions. After listening to this podcast, you
will know how to develop a tactical approach to your own automated
processing solutions with ease of implementation and use as key
components of that solution.

www.windowsitpro.com/go/podcast/corasworks/enterpriseinfo/?code=sechot1219

----------------------------------------


PRODUCTS

--Security Products Add PCI Compliance Reporting
eEye Digital Security announced the PCI Compliance Reporter, a series of
report templates designed to ensure that organizations comply with the
Payment Card Industry Data Security Standard (PCI DSS). The PCI
Compliance Reporter is available for use with the REM Security
Management Console and the REM 1505 Appliance and will be available in
the Retina Network Security Scanner by the end of the year. The REM 1505
Appliance with the PCI Compliance Reporter starts at $20,000. To learn
more, go to
www.eeye.com/html/index.html (http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48847-0-0-0-1-2-207)


RESOURCES AND EVENTS

Risky Business: Managing Risk Through Security and Continuity
Risk management is about finding cost-effective ways to minimize or
mitigate threats, and the risk associated with them. Recent studies have
found that the level of risk an organization has to accept can be
greatly reduced by focusing on business continuity. At the front end,
security technology provides a proactive response. However, one of the
greatest impacts security threats can bring is business downtime. This
Web seminar will address how to differentiate alternative HA/DR
solutions in the marketplace, how to ensure seamless recovery, how to
keep your users continuously connected, and more.
www.windowsitpro.com/go/seminars/neverfail/managingrisk/?partnerref=121707er
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48848-0-0-0-1-2-207)

So You Think You're Compliant...
According to Gartner, 30% of enterprises will experience at least one
audit per year. There's no way for you to be entirely sure that your
organization is in compliance with software regulations. Join this Web
seminar to learn all about a new solution that can help you avoid
audits, control licenses, maximize key user productivity, and more.
www.windowsitpro.com/go/seminars/macrovision/softwareregulations/?partnerref=121707er
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48849-0-0-0-1-2-207)

Tips for Data Protection and Disaster Recovery
Even if you don't live in a disaster-prone area, you should still be
prepared for things such as structure fires, major traffic accidents,
and the like. The responses to many disasters will be the same; you can
make plans based on the expected duration of recovery, the impact of the
disaster on your facilities and the surrounding area, and other factors.
Download this eBook to learn how to make a disaster plan that works for
your organization.
www.windowsitpro.com/go/ebooks/ca/disaster/?code=121707er
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48850-0-0-0-1-2-207)


FEATURED WHITE PAPER

The Impact of Virtualization Software - IDC Report
Virtualization is one of those rare technologies that has the distinct
potential to really change the dynamics of the IT industry in many ways
as it quickly becomes a key component of modern computing. This IDC
Technology Assessment presents an evaluation of how virtualization
technologies are impacting operating environments and the market in the
short and long term. Read this paper to see the many compelling cost-
and space-saving reasons for using system virtualization software.
www.windowsitpro.com/go/micrositewp/idc/impact/?code=121707er
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48851-0-0-0-1-2-207)


ANNOUNCEMENTS

Exchange 2007 Mastery Series: January 28, 2008
Three info-packed eLearning seminars for only $99 ($79 before December 15)!
Hosted by Windows IT Pro
Mark Arnold--MCSE+M, Microsoft MVP--will coach you through Exchange 2007
storage solutions: planning for archiving and compliance, optimizing
your iSCSI network storage, and finding the sweet spot between memory
and spindles.
www.windowsitpro.com/go/elearning/masteringexchange2007
(http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48852-0-0-0-1-2-207)

CONTACT US

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL below).

http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48853-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48854-0-0-0-1-2-207

Manage your Security UPDATE subscription at
http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48855-0-0-0-1-2-207.

Be sure to add Security_UPDATE@email.windowsitpro.com
to your spam filter's list of allowed senders.

To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48856-0-0-0-1-2-207

About your product news -- mailto:products@windowsitpro.com
About your subscription --
mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE --
mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://ct.email.windowsitpro.com/rd/cts?d=33-876-803-202-62923-48857-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
