Security Watch

Free Tool Hunts Bots

Research project creates tool to seek and kill bots; homeland power threat guidelines; server attack vector in Confixx.

• By Russ Cooper
• 09/17/2007

Truly an excellent idea and well worth investigating. It is difficult to say whether this will become a standard feature of networks in the future, especially given that there is a patent pending on the “dialog-correlation-based” feature. However, being able to quickly and accurately identify bot traffic within your perimeter is invaluable. We would not expect this tool to work much better than anything else if there were a storm of traffic, but given that today’s bot infections often start in your network from a single machine brought in from an insecure environment, being able to identify a bot before it infects more systems could save considerable effort, not to mention IP and other collateral damage.

Confixx Lets Them In
Reports say (here and here) that Confixx, an administration tool, contains a vulnerability which remote attackers could exploit to cause commands on the server to execute code of their choice. To exploit the vulnerability, an attacker can only use applications that already exist on the Web server. Patches are available.

This is yet another situation where a tool used by a hosting provider to allow their customers to manage their box (or their instance on a given box) contains a flaw that has the potential to compromise an entire system. A single flawed use of the tool could compromise every site hosted on the system.

If you use a hosting provider, at least ensure that you are the only customer on a given box. Then, ensure that all of the tools on that box are inventoried and monitored by your own security team to ensure they are maintained up to date.

Homeland Power Threat Guidelines
The U.S. Department of Homeland Security has set out draft guidelines to be used by automated control systems, often referred to as SCADA systems, reports VNUnet. The guidelines encompass threats which many have long believed couldn’t possibly attack such systems, such as controlling spam or performing antivirus updates. The guidelines are intended to be guidance, and are not legally binding on those whom it targets.

It would appear to us that the DHS is being prudent and works on the assumption that some control systems may be simultaneously, or even periodically, connected to networks or systems which reach the Internet. In so doing, they are able to make guidelines that could protect systems commonly viewed to not connect to the Internet, from attacks that may originate from systems which share both the public and private networks in a corporation or entity.

While there has been no known proof that SCADA systems have been affected by Internet-born malware, the possibility certainly exists especially if, for example, a laptop can connect to a SCADA network and also be taken out of that environment. Ergo, why not make such recommendations?

An interesting recommendation allegedly included in the guidelines is that antivirus software be updated while the systems are not connected to a network. One has to wonder just how efficiently this could be achieved.