Wednesday, May 07, 2008

What If You Could Take Down a Botnet?

Security UPDATE
A Penton Media Property
May 7, 2008


IN FOCUS

--What If You Could Take Down a Botnet?
by Mark Joseph Edwards, News Editor
Last week, Cody Pierce and Pedram Amini (members of TippingPoint's
security research group) released a detailed analysis of the Kraken
botnet. The purpose of the analysis was to see whether the bot network
could be infiltrated.

To test that possibility, Pierce and Amini had to look very closely at how
the bot works. With a sample in hand, they disassembled the code and traced
its behavior to find an inroad into the botnet. The idea wasn't to become a
bot in the network but to become a command and control server for the
actual bots.

Amini explained, "The key to overtaking the botnet is understanding how
the overall client-server architecture works. Kraken infected systems
attempt to 'phone home' to a master command and control server by
systematically generating sub-domains from various dynamic DNS resolver
services such as dyndns.com. By reverse engineering the list of names
and successfully registering some of the sub-domains Kraken is looking
for, we can emulate a server and begin to infiltrate the network zombie
by zombie. Stated simply, Kraken infected systems world wide start to
connect to a server we control."

After reverse-engineering the bot, which of course included its
encryption algorithm, Pierce and Amini succeeded in infiltrating the
network. After one week of running their rogue command and control
server, about 25,000 unique Kraken-infected computers had connected to
it.

Apparently there's some debate about how big the Kraken botnet really
is. The estimates range from roughly 185,000 bots to as many as 650,000
bots. Pierce and Amini said that since they were able to communicate
with 25,000 bots, they effectively had control over anywhere from 4 to
14 percent of the entire botnet.
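
The technique Amini describes, and the host counting that produced the
25,000 figure and the 4 to 14 percent range, as an added example (this is
not TippingPoint's code and not Kraken's real name generator, which the
article does not reproduce). The SHA-256-based generator, its seed, the
dynamic-DNS parent domains other than dyndns.com, the check-in log format,
the RFC 5737 sample addresses, and the netblock-to-abuse-contact table are
all constructed for illustration:

```python
"""Added illustration of sinkholing a DGA-based botnet: predict the names
the bot will look up, register the ones the operator has not claimed, and
log the hosts that phone home.  NOT Kraken's real generator and NOT
TippingPoint's code; every input below is constructed for the example."""
import hashlib
import ipaddress
from collections import Counter, defaultdict
from datetime import date

# Hypothetical dynamic-DNS parents.  The article names dyndns.com; the
# others are placeholders so the generator has several to cycle through.
DYNDNS_PARENTS = ("dyndns.com", "dynserv.example", "dyn.example")

# Constructed seed and date for the stand-alone run and the test.
SAMPLE_SEED = b"not-the-real-kraken-seed"
SAMPLE_DAY = date(2008, 4, 28)


def generate_domains(seed: bytes, day: date, count: int = 8) -> list:
    """Stand-in DGA: derive `count` rendezvous names per day from a secret
    seed.  A researcher who recovers `seed` and this routine from the binary
    can compute tomorrow's names before the operator registers them."""
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append("%s.%s" % (label, DYNDNS_PARENTS[i % len(DYNDNS_PARENTS)]))
    return names


def names_to_register(predicted, already_registered):
    """Only names the operator has not claimed can be taken for the sinkhole."""
    return [n for n in predicted if n not in already_registered]


def coverage(unique_hosts: int, low_estimate: int, high_estimate: int) -> tuple:
    """Fraction of the botnet reached, bracketed by two size estimates
    (the article's 185,000 and 650,000 give 4 to 14 percent for 25,000 hosts)."""
    return (unique_hosts / high_estimate, unique_hosts / low_estimate)


class Sinkhole:
    """Rogue C2 that records check-ins but issues no commands (the
    'sit back and watch' option).  record() is fed one line per check-in;
    a real deployment would wrap a socket accept loop around it."""

    def __init__(self):
        self.checkins = Counter()  # source IP -> number of check-ins

    def record(self, log_line: str) -> None:
        # Constructed line format: "<timestamp> <src_ip> -> <rendezvous name>"
        _ts, src, _arrow, _name = log_line.split()
        self.checkins[ipaddress.ip_address(src)] += 1

    def unique_hosts(self) -> int:
        return len(self.checkins)

    def group_by_owner(self, netblocks: dict) -> dict:
        """Bucket infected IPs by the netblock that announces them, which is
        what the 'notify the network owners' option needs.  `netblocks` maps
        CIDR prefix -> abuse contact (constructed here; in practice taken
        from WHOIS/RIR data)."""
        nets = {ipaddress.ip_network(cidr): who for cidr, who in netblocks.items()}
        owners = defaultdict(list)
        for ip in self.checkins:
            contact = next((who for net, who in nets.items() if ip in net), "unknown")
            owners[contact].append(str(ip))
        return dict(owners)


# Constructed check-in log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2008-04-28T10:00:01 203.0.113.5 -> example.dyndns.com
2008-04-28T10:00:04 203.0.113.7 -> example.dyndns.com
2008-04-28T10:00:09 198.51.100.20 -> example.dyndns.com
2008-04-28T10:01:00 203.0.113.5 -> example.dyndns.com
2008-04-28T10:02:13 192.0.2.44 -> example.dyndns.com
2008-04-28T10:02:30 198.51.100.20 -> example.dyndns.com
""".splitlines()

# Constructed netblock -> abuse contact table.
SAMPLE_NETBLOCKS = {
    "203.0.113.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
}


def run_sample() -> Sinkhole:
    """Replay the constructed log through a sinkhole and return it."""
    sink = Sinkhole()
    for line in SAMPLE_LOG:
        sink.record(line)
    return sink


if __name__ == "__main__":
    predicted = generate_domains(SAMPLE_SEED, SAMPLE_DAY)
    print("names to register:", names_to_register(predicted, {predicted[0]}))
    sink = run_sample()
    print("unique infected hosts:", sink.unique_hosts())
    lo, hi = coverage(25_000, 185_000, 650_000)
    print("coverage: %.1f%% to %.1f%% of the botnet" % (lo * 100, hi * 100))
    print("to notify:", sink.group_by_owner(SAMPLE_NETBLOCKS))
```

Two caveats a practitioner would add to the 25,000 figure: the sinkhole
counts unique source addresses, not unique machines, so hosts behind NAT
are undercounted and hosts whose DHCP lease changes during the week are
overcounted; and the sinkhole above only logs, never answers with a
command, which is what keeps the exercise on the "sit back and watch" side
of the dilemma the article goes on to discuss.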

Then came the question of what to do with such control: sit back and
watch, or take action to remove the bot software from infected systems.
That's an interesting question with no easy answer, although cleaning up
the infected systems is very tempting.

First, there are legal issues. For example, is it legal to remove
malware from people's systems without their permission? I'd guess that
it's not. Even so, would authorities or individuals seek to press charges
if unauthorized removal took place?

Then there is the potential for damage to an infected system. Pierce and
Amini point out that Dave Endler, who also works at TippingPoint, is
against removal for these fairly solid reasons: What if a computer is
damaged or crashes during removal? And what if that computer were in some
way partially responsible for someone's life, as might be the case in a
hospital, clinic, or doctor's office?

Clearly the only safe way to handle this kind of dilemma is to gather
the IP addresses of infected computers, find out which organizations
manage those addresses, and notify them about the infected systems.
Hopefully those organizations would then clean up the infected machines
and help the end users of those addresses get adequate protection
installed.

Of course, because cleaning up the infected systems through the use of a
command and control server is incredibly tempting, there are those who
would take such action regardless of the risks involved.

If you're interested in the details of the analysis or in sharing your
perspective on how you think such an issue should be handled, head over
to TippingPoint's Digital Vaccine Labs blog at the URL below. There
you'll find detailed technical explanations of the analysis (including
disassembled code snippets), links to related information regarding
Kraken, and plenty of comments from readers who've commented on how they
think the moral issue should be handled.
dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701578-0-0-0-1-2-207)

--Security Horror Story Contest
Tell us about a security hole that you found, a virus that shut down
your network, an embarrassing or scary near-miss or direct hit. (Be sure
to describe how you solved the problem too.) We'll print the best tales
in a Windows IT Pro cover story (anonymously, if you like), and you'll
win a 1-year Windows IT Pro VIP subscription. Send your security horror
stories (no more than 500 words) to lpeters@windowsitpro.com
(mailto:lpeters@windowsitpro.com) by May 9.


SECURITY NEWS AND FEATURES

--Malware Authors Turn to AV Companies to Defend Copyrights
Malware authors don't stand a chance of enforcing any type of copyright
on their malicious code--or do they? Some malware authors are
threatening to send copies of code that violates their "copyright" to
antivirus companies.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701580-0-0-0-1-2-207

--Microsoft Hosts LE Tech 2008 Training
Microsoft is hosting Law Enforcement Technology (LE Tech) 2008 to help
train law enforcement agency personnel in the ways of tracking down and
convicting criminals by using digital evidence.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701581-0-0-0-1-2-207

--Abraxas Buys Anonymizer
The industry's oldest Web anonymization service has been acquired by
Abraxas, which intends to add the service to its risk mitigation
technology offerings.
To view the full article go to:
http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701582-0-0-0-1-2-207

--Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts,
which inform you about recently discovered security vulnerabilities. You
can also find information about these discoveries at

www.windowsitpro.com/departments/departmentid/752/752.html
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701583-0-0-0-1-2-207)


GIVE AND TAKE

--SECURITY MATTERS BLOG: New Tricks for SQL Injection Attacks
by Mark Joseph Edwards
You might think procedures that don't accept user input are immune from
SQL injection attacks. But that's not always the case. Learn why in this
blog entry.
windowsitpro.com/blog/index.cfm?action=BlogIndex&DepartmentID=949
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701584-0-0-0-1-2-207)

--FAQ: PowerShell Lists Machine Services
by John Savill
Q. How can I use Windows PowerShell to return a list of machine services
in a designated state?

Find the answer at
windowsitpro.com/article/articleid/98944
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701585-0-0-0-1-2-207)

--Vote in the 2008 Windows IT Pro Community Choice Awards!
Final voting for the Windows IT Pro Community Choice Awards is now open!
Voting in this awards program is open to all Windows IT Pro Web site
visitors, but vendors whose products are nominated are prohibited from
voting. Enter the voting tool at:
www.surveymonkey.com/s.aspx?sm=_2fz97tv4rU5iY2IsYDbyCRg_3d_3d
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701586-0-0-0-1-2-207)

Voting closes May 23 at 11:45 p.m. Mountain Time.

--SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and solutions in
Security Pro VIP's Reader to Reader column. Email your contributions to
r2r@securityprovip.com (mailto:r2r@securityprovip.com). If we print your
submission, you'll get $100. We edit submissions for style, grammar, and
length.


PRODUCTS

--New Hosted Email Service for SMBs
Proofpoint announced Proofpoint on Demand--Standard Edition, an
easier-to-use, lower-cost version of its Proofpoint on Demand service
designed for small-to-midsized businesses (SMBs). Standard Edition
provides spam blocking, virus protection, and content filtering
capabilities (to detect outbound spam and virus-laden messages). It's
hosted in a multi-tenant environment that uses the same data centers as
Proofpoint's dedicated offering, Proofpoint on Demand--Enterprise
Edition. The Standard Edition also offers the same performance
guarantees, including 99 percent spam effectiveness, 100 percent virus
protection, "five nines" availability, and "no delay" email delivery.
For more information, go to
www.proofpoint.com (http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701587-0-0-0-1-2-207)


RESOURCES AND EVENTS

Top 5 Advantages of Using Hosted Microsoft Exchange 2007 and SharePoint
Services
Learn how and why businesses of all sizes are evaluating full-featured,
enterprise-class solutions such as Microsoft Exchange Server 2007 and
SharePoint to meet their business goals. Download this on-demand seminar
to see how a hosted service fits with SharePoint and Exchange.
windowsitpro.com/Downloads/Index.cfm?fuseaction=ShowDownload&uuid=02ffc8f7-ca42-48dd-8a4b-601096249b5e&code=043008er
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701588-0-0-0-1-2-207)

Small companies rarely stay that way--they grow. Regardless of the stage
of growth, there's always a need to access, report on, and analyze data
from different sources. This white paper discusses the components of
business intelligence (BI) and enterprise performance management
solutions that a growing business should consider and leverage.
windowsitpro.com/whitepapers/Index.cfm?fuseaction=ShowWP&wpid=3266d75c-94e4-42e6-b9ce-0cf9db98f285&code=043008er
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701589-0-0-0-1-2-207)

SQL Server 2008 is on the way, and it's got the industry buzzing. The
first significant upgrade in three years features envelope-pushing
enhancements and improvements. Examine the 10 most valuable features of
the SQL Server 2008 release. Read this white paper to discover all 10
and see how SQL Server 2008 can make your life easier.
www.sqlmag.com/Whitepapers/Index.cfm?fuseaction=ShowWP&WPID=35198088-9642-4fe2-8b24-a968bc4bda22&code=043008E&R
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701590-0-0-0-1-2-207)


FEATURED WHITE PAPER

This white paper discusses how Network Access Control (NAC) handles
rogue computers, how to fit NAC into any environment, the components to
look for in a NAC solution, and the results you can expect when you put
such a solution into place. Download this white paper to ensure that
your company can combat today's threats while remaining nimble enough to
address tomorrow's.
www.windowsitpro.com/go/wp/sophos/nac/?code=043008e&r
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701591-0-0-0-1-2-207)


ANNOUNCEMENTS

Windows IT Pro Master CD: Take the Experts with You!
Find the solutions you need within the thousands of searchable articles,
helpful bonus content, and loads of expert advice on the Windows IT Pro
Master CD. A Master CD subscription buys you portable access to the
entire Windows IT Pro article database plus exclusive access to all the
new articles we publish only on WindowsITPro.com every day. It's like
having a team of consultants in your pocket! Get real-world solutions
fast--order the Windows IT Pro Master CD today.
store.pentontech.com/index.cfm?s=1&promocode=EU2284WC&
(http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701592-0-0-0-1-2-207)

CONTACT US
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).

http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701593-0-0-0-1-2-207

http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701594-0-0-0-1-2-207


To contact us:
About Security UPDATE content -- mailto:letters@windowsitpro.com
About technical questions -- http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701597-0-0-0-1-2-207

About your product news -- mailto:products@windowsitpro.com
About your subscription -- mailto:windowsitproupdate@windowsitpro.com
About sponsoring Security UPDATE -- mailto:salesopps@windowsitpro.com

View the Windows IT Pro privacy policy at

http://ct.email.windowsitpro.com/rd/cts?d=33-7115-803-202-62923-701598-0-0-0-1-2-207

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2008, Penton Media, Inc. All rights reserved.
