BotHunter: Another Useful Linux Tool

From: InfoSec News <alerts_at_infosecnews.org>
Date: Thu, 16 Aug 2007 01:24:42 -0500 (CDT)

Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Ensuring Protection and Availability for Microsoft Exchange
   http://list.windowsitpro.com/t?ctl=624B9:57B62BBB09A69279A28782D07A346BFF

Eliminate the Achilles Heel of the Desktop - Admin Rights
   http://list.windowsitpro.com/t?ctl=624B8:57B62BBB09A69279A28782D07A346BFF

Gain Control of Software Usage and Reduce Audit Risks
   http://list.windowsitpro.com/t?ctl=624B7:57B62BBB09A69279A28782D07A346BFF

=== CONTENTS ===================================================

IN FOCUS: BotHunter: Another Useful Linux Tool

NEWS AND FEATURES
   - RSA Expands Security Offerings with Tablus Acquisition
   - Symantec's New Evidence Collection and Transfer Tools
   - Oracle Expands Its Middleware with More Security
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: Cisco and Google Both Inflict DoS Upon
Themselves
   - FAQ: How to List a User's SMTP Email Addresses
   - From the Forum: Object Access Logging
   - Share Your Security Tips

PRODUCTS
   - Zip and Encrypt Outlook Email Attachments
   - Product Evaluations from the Real World

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS

=== SPONSOR: Double-Take Software ==============================

Ensuring Protection and Availability for Microsoft Exchange
   Microsoft Exchange is integral to an organization's day-to-day
operation. For many companies, an hour of Exchange downtime can cost
hundreds of thousands of dollars in lost productivity. This paper
discusses new ways to maintain Exchange uptime by using data
protection, failover, and application availability. When recoverability
matters, depend on Double-Take Software to protect and recover business
critical data and applications.
   http://list.windowsitpro.com/t?ctl=624B9:57B62BBB09A69279A28782D07A346BFF

=== IN FOCUS: BotHunter: Another Useful Linux Tool =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

BotHunter is a passive traffic monitoring system that can locate bot
activity on your network, but you need Linux to use it. Nevertheless,
it'll help protect your Windows-based network against bot infiltration.

The tool, which was recently released to the public, was developed by
the Cyber-Threat Analytics (Cyber-TA) Project. Extensive details about
BotHunter were presented at the 16th annual USENIX Security Symposium,
which took place August 6-10. The white paper prepared for the
symposium is available online and describes the technology used by the
tool.

According to the white paper, BotHunter tracks communication between
internal network devices and systems external to the local network. The
data exchanges are compared to a state-based infection model that can
detect a malware infection process and identify both the target and the
source of the attack.

Under the hood, BotHunter uses Snort along with custom malware-focused
rule sets. Added to Snort are two custom plug-ins called SLADE and
SCADE that were developed especially for BotHunter. SLADE performs
payload analysis, and SCADE performs port scan analyses of inbound and
outbound traffic.
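To make the "state-based infection model" concrete, here is a toy dialog-correlation engine, added as an illustration; it is not BotHunter's code and is not taken from the white paper. It maps Snort-style alerts to phases of an infection dialog, accumulates those phases per internal host inside a time window, and reports a host only when enough of the dialog has been seen. The five-phase split loosely follows the infection dialog the BotHunter paper describes, but the phase names, the classtype labels, the alert line format, the decision rule and the window length are all assumptions of this example, and the alert lines are constructed.

```python
"""
Toy 'dialog correlation' in the spirit of BotHunter's state-based infection
model (added example, not BotHunter's code).  A single alert never produces
a verdict; only a sequence of phases that fits the dialog within a bounded
window does.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Dialog phases.  The split into five phases is assumed here; the labels are
# this example's own.
INBOUND_PHASES = ("E1", "E2")         # attacker -> victim (scan, exploit)
OUTBOUND_PHASES = ("E3", "E4", "E5")  # victim -> outside (egg download, C&C, scan)

# Constructed Snort classtype labels -> phase.  Real rule sets carry their
# own classtypes; these are placeholders for the example.
CLASSTYPE_TO_PHASE = {
    "scade-inbound-scan": "E1",
    "attempted-admin": "E2",
    "shellcode-detect": "E2",
    "egg-download": "E3",
    "cnc-traffic": "E4",
    "scade-outbound-scan": "E5",
}

# Constructed alert line format:  [epoch] [classtype] src -> dst
ALERT_RE = re.compile(
    r"^\[(?P<ts>\d+)\] \[(?P<classtype>[\w-]+)\] (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)


@dataclass
class Profile:
    """Evidence accumulated for one internal host."""
    victim: str
    phases: dict = field(default_factory=dict)  # phase -> (timestamp, peer ip)

    def prune(self, now, window):
        """Forget evidence that is older than the correlation window."""
        self.phases = {p: v for p, v in self.phases.items() if now - v[0] <= window}

    def is_infected(self):
        """Assumed decision rule: an inbound exploit plus any outbound phase,
        or two distinct outbound phases, is enough to declare an infection."""
        outbound = [p for p in OUTBOUND_PHASES if p in self.phases]
        return ("E2" in self.phases and bool(outbound)) or len(outbound) >= 2

    def report(self):
        """Summarise the dialog: who attacked, where C&C went, which phases."""
        attacker = self.phases.get("E2", self.phases.get("E1", (None, None)))[1]
        cnc = self.phases.get("E4", (None, None))[1]
        return {"victim": self.victim, "attacker": attacker,
                "cnc": cnc, "phases": sorted(self.phases)}


def correlate(alert_lines, home_net="10.1.2.0/24", window=600):
    """Return {victim_ip: report} for internal hosts whose dialog crossed the
    threshold.  home_net and window are assumptions of this example."""
    home = ipaddress.ip_network(home_net)
    profiles, infected = {}, {}
    for line in alert_lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an alert line
        phase = CLASSTYPE_TO_PHASE.get(m["classtype"])
        if phase is None:
            continue  # alert is not part of the infection dialog
        ts = int(m["ts"])
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        # Inbound phases name the victim as destination, outbound as source.
        if phase in INBOUND_PHASES and dst in home and src not in home:
            victim, peer = str(dst), str(src)
        elif phase in OUTBOUND_PHASES and src in home:
            victim, peer = str(src), str(dst)
        else:
            continue  # direction does not fit the phase; ignore
        prof = profiles.setdefault(victim, Profile(victim))
        prof.prune(ts, window)
        prof.phases[phase] = (ts, peer)
        if prof.is_infected():
            infected[victim] = prof.report()
    return infected


# Constructed alert stream: a full dialog against 10.1.2.15, an exploit against
# 10.1.2.40 whose follow-up falls outside the default window, and a lone C&C
# hit from 10.1.2.77 that stays below the threshold.
SAMPLE_ALERTS = """
[100] [scade-inbound-scan] 203.0.113.7 -> 10.1.2.15
[130] [attempted-admin] 203.0.113.7 -> 10.1.2.15
[170] [egg-download] 10.1.2.15 -> 198.51.100.9
[200] [cnc-traffic] 10.1.2.15 -> 198.51.100.20
[260] [scade-outbound-scan] 10.1.2.15 -> 10.1.2.200
[300] [attempted-admin] 203.0.113.99 -> 10.1.2.40
[310] [cnc-traffic] 10.1.2.77 -> 198.51.100.20
[1000] [egg-download] 10.1.2.40 -> 198.51.100.9
""".strip().splitlines()

if __name__ == "__main__":
    for victim, rep in correlate(SAMPLE_ALERTS).items():
        print(f"{victim}: phases={rep['phases']} attacker={rep['attacker']} cnc={rep['cnc']}")
```

Run as a script it reports only 10.1.2.15, with both the external attacker and the C&C peer identified from the same dialog; widening the window to an hour also catches 10.1.2.40, which shows why the window length is a tuning decision between missed slow infections and stale evidence.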

It might sound somewhat simple on the surface, but it's actually
complex and quite effective. The BotHunter developers, Phillip Porras
of SRI International and Wenke Lee of Georgia Institute of Technology,
established a honeynet that uses BotHunter. The developers wrote that
"Over a 3-week period between March and April 2007, we analyzed a total
of 2,019 successful Windows XP and Windows 2000 remote-exploit bot or
worm infections." BotHunter detected 1,920 of those 2,019 infections,
which is roughly a 95 percent success rate. Not bad, especially for a
free tool!

A really slick feature of BotHunter is its integrated support for
"large-scale privacy-preserving data sharing." The feature lets
BotHunter operators send bot profiles to a central repository operated
by Cyber-TA, which is then made available to all who provide BotHunter
data and other researchers. The feature sends data by using Transport
Layer Security (TLS) over a TOR (The Onion Router) network to keep
reports reasonably anonymous and lets operators selectively obfuscate
IP addresses and other sensitive information before they share their
data.
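The selective obfuscation step can be shown in a few lines. The following is an added example, not BotHunter's sharing code: addresses inside the operator's own network are replaced with a keyed pseudonym (HMAC-SHA256, truncated) before a bot profile is shared, while external peers such as the C&C server are left intact because they are the useful intelligence. The profile layout, the home network and the operator key are constructed for the example; TLS and Tor are transport concerns and are not modelled here.

```python
"""
Keyed, selective obfuscation of addresses in a bot profile before sharing
(added example, not BotHunter's code).  The same per-site key maps the same
internal host to the same pseudonym, so a repository can still correlate
reports from one site without learning the real address.
"""
import hashlib
import hmac
import ipaddress


def pseudonym(ip, key):
    """One-way, keyed pseudonym for an address (assumed scheme)."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "h-" + digest[:16]


def _obfuscate_value(value, key, home):
    """Replace internal addresses; leave everything else untouched."""
    if isinstance(value, list):
        return [_obfuscate_value(v, key, home) for v in value]
    if isinstance(value, str):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return value  # not an address (phase label, text): keep as is
        if addr in home:
            return pseudonym(value, key)
    return value


def obfuscate_profile(profile, key, home_net="10.1.2.0/24"):
    """Return a copy of the profile with internal addresses pseudonymised."""
    home = ipaddress.ip_network(home_net)
    return {k: _obfuscate_value(v, key, home) for k, v in profile.items()}


# Constructed profile and placeholder key (use a real per-site secret).
SAMPLE_PROFILE = {
    "victim": "10.1.2.15",
    "attacker": "203.0.113.7",
    "cnc": "198.51.100.20",
    "scanned": ["10.1.2.200", "10.1.2.201"],
    "phases": ["E1", "E2", "E3", "E4", "E5"],
}
OPERATOR_KEY = b"replace-with-a-per-site-secret"

if __name__ == "__main__":
    print(obfuscate_profile(SAMPLE_PROFILE, OPERATOR_KEY))
```

Because the pseudonym is keyed, a recipient who knows the site's address plan cannot simply hash candidate addresses to reverse it; keep the key out of the shared data and rotate it if you want reports from different periods to be unlinkable.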

As with many excellent security tools, BotHunter runs on Linux. If
you're not familiar with Linux, know that it's not so hard to use, so
consider building a system and learning the ins and outs. You'll find
that the OS comes in very handy.

BotHunter requires Fedora, Debian, or SUSE Linux, plus Sun
Microsystems' Java 2 Platform, Standard Edition (J2SE) 1.4.2 or later;
its Java Runtime Environment (JRE) is used to read alert streams from
Snort. Of course, you'll also need a spunky system to run the
platform, so be sure that you use a system with a fast CPU, fast hard
drives, and plenty of RAM. You might also need other tools, such as
VMware, depending on how you plan to implement a test platform.

You can download the BotHunter source code at the Cyber-TA Web site at
the first URL below, and you can read the extensive white paper about
BotHunter at the second URL below. The white paper explains exactly how
the platform works and details the hardware that's running the honeynet
that the development team is currently using to test BotHunter.
   http://list.windowsitpro.com/t?ctl=624C4:57B62BBB09A69279A28782D07A346BFF
   http://list.windowsitpro.com/t?ctl=624BF:57B62BBB09A69279A28782D07A346BFF

=== SPONSOR: BeyondTrust =======================================

Eliminate the Achilles Heel of the Desktop - Admin Rights
   BeyondTrust enables users without administrative privileges to run
all required applications, processes and ActiveX controls. By removing
the need to grant end users administrative rights, IT departments can
eliminate what is otherwise the Achilles heel of the desktop - end
users with administrative power that can be exploited by malware and
malicious users to change security settings, disable other security
solutions such as anti-virus and more. Free Download!
   http://list.windowsitpro.com/t?ctl=624B8:57B62BBB09A69279A28782D07A346BFF

=== SECURITY NEWS AND FEATURES =================================

RSA Expands Security Offerings with Tablus Acquisition
   RSA said the acquisition will allow it to add data discovery and
classification, monitoring, and data loss prevention capabilities to
its existing portfolio of solutions.
   http://list.windowsitpro.com/t?ctl=624C5:57B62BBB09A69279A28782D07A346BFF

Symantec's New Evidence Collection and Transfer Tools
   Symantec announced the release of new connectors for its Enterprise
Vault platform that help automate the collection and transfer of
electronic evidence.
   http://list.windowsitpro.com/t?ctl=624C6:57B62BBB09A69279A28782D07A346BFF

Oracle Expands Its Middleware with More Security
   Oracle recently launched a beta preview of its Oracle Authentication
Services for Operating Systems, a new component of its Identity
Management offering, which is part of Oracle Fusion Middleware.
   http://list.windowsitpro.com/t?ctl=624C7:57B62BBB09A69279A28782D07A346BFF

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
   http://list.windowsitpro.com/t?ctl=624BD:57B62BBB09A69279A28782D07A346BFF

=== SPONSOR: Macrovision =======================================

Gain Control of Software Usage and Reduce Audit Risks
   Most organizations face serious challenges, including understanding
vendor licensing models, cost overruns, missed deadlines, business
opportunities, and lost user productivity. Learn to address these
challenges, and prepare for audits. Register for the free Web seminar,
available now!
   http://list.windowsitpro.com/t?ctl=624B7:57B62BBB09A69279A28782D07A346BFF

=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Cisco and Google Both Inflict DoS Upon
Themselves
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=624CC:57B62BBB09A69279A28782D07A346BFF

In what must be embarrassing moments for Cisco and Google, both
companies managed to inflict Denial of Service (DoS) upon themselves
last week. You can read about those incidents and about how hackers
have cracked AT&T's lock on the new iPhone. Check out the Security
Matters blog on our Web site.
   http://list.windowsitpro.com/t?ctl=624BA:57B62BBB09A69279A28782D07A346BFF

FAQ: How to List a User's SMTP Email Addresses
   by John Savill, http://list.windowsitpro.com/t?ctl=624CA:57B62BBB09A69279A28782D07A346BFF

Q: How can I generate a list of all the SMTP mail addresses a user has?

Find the answer at
   http://list.windowsitpro.com/t?ctl=624C8:57B62BBB09A69279A28782D07A346BFF

FROM THE FORUM: Object Access Logging
   A forum participant wants to know if there's any value in having
auditing turned on for failures for Audit Object Access if there's
nothing turned on at the folder level.
   http://list.windowsitpro.com/t?ctl=624B6:57B62BBB09A69279A28782D07A346BFF

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r_at_securityprovip.com. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ===================================================
   by Renee Munshi, products_at_windowsitpro.com

Zip and Encrypt Outlook Email Attachments
   WinZip Computing, a Corel Company, announced the public beta of
WinZip E-Mail Companion 2.0, which lets you compress outgoing email
attachments and, if desired, use advanced AES encryption to protect
them. WinZip E-Mail Companion 2.0 Beta is the follow-up to WinZip
Companion for Outlook 1.0, adding support for Microsoft Outlook
Express, Microsoft Windows Mail (Windows Vista), and Outlook 2007 to
existing support for Outlook 2002 and 2003. WinZip E-Mail Companion 2.0
also includes new compression options, the ability to zip and encrypt
from within Microsoft Office applications, and improved file naming.
For more information or to download the beta, go to
   http://list.windowsitpro.com/t?ctl=624CF:57B62BBB09A69279A28782D07A346BFF

PRODUCT EVALUATIONS FROM THE REAL WORLD
   Share your product experience with your peers. Have you discovered a
great product that saves you time and money? Do you use something you
wouldn't wish on anyone? Tell the world! If we publish your opinion,
we'll send you a Best Buy gift card! Send information about a product
you use and whether it helps or hinders you to
whatshot_at_windowsitpro.com.

=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit
   http://list.windowsitpro.com/t?ctl=624C9:57B62BBB09A69279A28782D07A346BFF

Getting the Most from DFS
   This Web seminar covers DFS: what it is, how it works, the server
and client OS versions that support it, how to configure it, its
limitations, using DFS-N and DFS-R, and how to manage DFS. Learn the
basics and get a quick "how-to" on implementing DFS-N and DFS-R in your
Windows Server 2003 environment. Don't miss this Web seminar.
   http://list.windowsitpro.com/t?ctl=624BC:57B62BBB09A69279A28782D07A346BFF

Don't miss Fall Connections 2007, the premier event for Microsoft
developers and DBAs, November 5-8, 2007, in Las Vegas. It will impact
how you build solutions, increase your productivity, and enhance your
development skills to give your company the competitive edge!
   http://list.windowsitpro.com/t?ctl=624CD:57B62BBB09A69279A28782D07A346BFF

File fragmentation is a serious problem. As a disk becomes fragmented,
the workload on the OS and hardware increases, making it more difficult
for applications to read and write data. File corruption becomes a
distinct possibility, the computer's performance degrades, and its
reliability is endangered. This white paper looks at the effect of disk
defragmentation on your users.
   http://list.windowsitpro.com/t?ctl=624BB:57B62BBB09A69279A28782D07A346BFF

=== FEATURED WHITE PAPER =======================================

KVM over IP in Distributed IT Environments
   Keyboard/video/mouse (KVM) switches are a valuable management tool,
but they have weaknesses in distributed environments. This white paper
presents the complexities of managing the distributed data center and
highlights the advantages of using a KVM-over-IP solution for flexible,
scalable, affordable CAT5-based remote access.
   http://list.windowsitpro.com/t?ctl=624BE:57B62BBB09A69279A28782D07A346BFF

=== ANNOUNCEMENTS ==============================================

Search Thousands of SQL Articles Online and on CD
   A SQL Server Magazine Master CD subscription buys you portable,
lightning-fast access to the entire SQL Server article database on CD,
plus exclusive, up-to-the-minute access to the new articles we publish
on SQLMag.com every day. Order your subscription now!
   http://list.windowsitpro.com/t?ctl=624C1:57B62BBB09A69279A28782D07A346BFF

Save 1/2 Off Security Pro VIP
   Security Pro VIP is an online resource that delivers new articles
every week to help you defend your network. Subscribers also receive
tips, cautionary advice, direct access to our editors for technical
Q&As, and a host of other benefits! Order now, and save up to 50
percent!
   http://list.windowsitpro.com/t?ctl=624C0:57B62BBB09A69279A28782D07A346BFF

================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
below).
   http://list.windowsitpro.com/t?ctl=624CB:57B62BBB09A69279A28782D07A346BFF
   http://list.windowsitpro.com/t?ctl=624D0:57B62BBB09A69279A28782D07A346BFF

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=624C3:57B62BBB09A69279A28782D07A346BFF

Be sure to add Security_UPDATE_at_list.windowsitpro.com
to your antispam software's list of allowed senders.

To contact us:
   About Security UPDATE content -- letters_at_windowsitpro.com
   About technical questions -- http://list.windowsitpro.com/t?ctl=624CE:57B62BBB09A69279A28782D07A346BFF
   About your product news -- products_at_windowsitpro.com
   About your subscription -- windowsitproupdate_at_windowsitpro.com
   About sponsoring Security UPDATE -- salesopps_at_windowsitpro.com

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=624C2:57B62BBB09A69279A28782D07A346BFF

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

____________________________________
Attend HITBSecConf2007 - Malaysia
Taking place September 3-6 2007 featuring seven tracks of technical
training and a dual-track security conference with keynote speakers
Lance Spitzner and Mikko Hypponen! - Book your seats today!
http://conference.hitb.org/hitbsecconf2007kl/
Received on Aug 15 2007
