Security Watch

Free Tool Hunts Bots

Research project creates tool to seek and kill bots; homeland power threat guidelines; server attack vector in Confixx.

A “dialog-correlation-based” tool called BotHunter has been released free to the Internet. BotHunter attempts to correlate network traffic patterns to identify likely bot-controlled systems within your network. The tool is the result of the Cyber-Threat Analytics research project. BotHunter runs on several different Linux platforms.

Truly an excellent idea and well worth investigating. It is difficult to say whether this will become a standard feature of networks in the future, especially given that there is a patent pending on the “dialog-correlation-based” feature. However, being able to quickly and accurately identify bot traffic within your perimeter is invaluable. We would not expect this tool to work much better than anything else if there were a storm of traffic, but given that today’s bot infections often start in your network from a single machine brought in from an insecure environment, being able to identify a bot before it infects more systems could save considerable effort, not to mention IP and other collateral damage.

Confixx Lets Them In
Reports say that Confixx, an administration tool, contains a vulnerability which remote attackers could exploit to execute code of their choice on the server. To exploit the vulnerability, an attacker need only use applications that already exist on the Web server. Patches are available.

This is yet another situation where a tool used by a hosting provider to allow their customers to manage their box (or their instance on a given box) contains a flaw that has the potential to compromise an entire system. A single flawed use of the tool could compromise every site hosted on the system.

If you use a hosting provider, at least ensure that you are the only customer on a given box. Then, ensure that all of the tools on that box are inventoried and monitored by your own security team to ensure they are maintained up to date.

Homeland Power Threat Guidelines
The U.S. Department of Homeland Security has set out draft guidelines to be used by automated control systems, often referred to as SCADA systems, reports VNUnet. The guidelines encompass threats which many have long believed couldn’t possibly affect such systems, such as spam, and address tasks such as performing antivirus updates. The guidelines are intended as guidance, and are not legally binding on those at whom they are aimed.

This column was originally published in our weekly Security Watch newsletter.

It would appear to us that the DHS is being prudent and working on the assumption that some control systems may be simultaneously, or even periodically, connected to networks or systems which reach the Internet. In so doing, they are able to make guidelines that could protect systems commonly viewed as not connected to the Internet from attacks that may originate from systems which share both the public and private networks in a corporation or entity.

While there has been no known proof that SCADA systems have been affected by Internet-borne malware, the possibility certainly exists, especially if, for example, a laptop can connect to a SCADA network and also be taken out of that environment. Ergo, why not make such recommendations?

An interesting recommendation allegedly included in the guidelines is that antivirus software be updated while the systems are not connected to a network. One has to wonder just how efficiently this could be achieved.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
