25C3: "Banking Malware 101" Slides

Tuesday, December 30. 2008
The slides I used for my presentation at the 25th Chaos Communication Congress (25C3) are now available for download. The presentation was also recorded and should be available in the next few days at http://ftp.ccc.de/congress/25c3/pre-release/. The congress was a lot of fun, unfortunately I had to leave earlier...

An interesting presentation is scheduled for today at 15:15 CET: Jacob and Alex talk about Making the theoretical possible. Not many details are available (see the "abstract" at the left-hand side), but it seems like they found something big that basically affects everyone. Rumors are that they broke a Root CA key that is included in major browsers - the truth will be revealed in a couple of hours...

Analyzing Malicious PDF Files

Monday, December 22. 2008
CWSandbox
Recently we added a new feature to cwsandbox.org: it is now also possible to upload suspicious PDF files, which are then analyzed with the help of CWSandbox. Basically, we open the submitted file with Acrobat Reader 8.1.1, since that version has several known vulnerabilities that malicious PDF files target. During runtime we observe the behavior of Acrobat and can detect suspicious changes such as new files on the hard disk, new processes or modified registry keys. Based on the generated report it is then possible to detect malicious PDF files. Note that the reverse does not hold: a PDF file that exploits a vulnerability not present in 8.1.1, or that is crafted for a different reader, produces an unremarkable report, so a clean report is not proof that the file is harmless.

An example of such an analysis is available at https://cwsandbox.org/?page=details&id=520505&password=sfgpk. The PDF file 0416.pdf is malicious and is detected fairly well by AV vendors (21/38 - full details). In the CWSandbox report we can see that, once the PDF file is opened in Acrobat Reader, a new file called wuweb.exe is dropped and executed. Afterwards, several other files are dropped and a server located in Singapore is contacted. Unfortunately this server is now offline, but presumably it was used to download additional malware onto the infected system.

25C3: "Banking Malware 101"

Saturday, December 20. 2008
admin
The 25th Chaos Communication Congress (25C3) will take place next week in Berlin, Germany. CCC is always fun and I'm really looking forward to the Congress. I will give a talk on banking malware on the second day (see the schedule for details). The talk can be summarized as follows:
In recent years, we have observed a growing sophistication in how credentials are stolen from compromised machines: the attackers use sophisticated keyloggers to control the victim's machine and use different techniques to steal the actual credentials. In this talk, we present an overview of this threat and empirical measurement results.

Some aspects of this talk are covered by our recent technical report on banking malware, but I will go into some more technical details. If you also attend CCC, you can find me there and we can discuss any questions :)

EC2ND'08: "Towards Next-Generation Botnets"

Friday, December 19. 2008
We recently published a paper at EC2ND 2008, the fourth European Conference on Computer Network Defense, on next-generation botnets. The paper highlights challenges we might face in the near future when botnets evolve beyond the simple IRC-based botnets we observe today: the area of botnets faces, similar to other fields, an arms race between botmasters and defenders. To keep up with the latest developments, researchers need to continue to improve detection and mitigation methods and investigate new techniques used by botmasters. The goal of our work is to increase the understanding of more advanced botnet designs. We anticipate that this paper ultimately leads to the development of new, sophisticated techniques, which will help to fend off arising threats. While the topic of the paper is a bit offensive in nature, I hope that it leads to the development of novel detection techniques that can also be used to stop more advanced botnets.

The full paper contains a discussion of the features of Rambot, the name we gave this project. This work was a collaboration with Ralf Hund and Matthias Hamann, two students from our lab.

Abstract: In this paper, we introduce the design of an advanced bot called Rambot that is based on the weaknesses we found when tracking a diverse set of botnets over a period of several months. The main features of this bot are peer-to-peer communication, strong cryptography, a credit-point system to build bilateral trust amongst bots, and a proof-of-work scheme to protect against potential attacks. The goal of this work is to increase the understanding of more advanced botnet designs, such that more efficient detection and mitigation systems can be developed in the future.

Banking Trojans

Thursday, December 18. 2008
CWSandbox
My previous post already contains some information on our recent work, but I think it makes sense to include some more details. We wanted to study an attack class we call impersonation attacks, i.e., all attacks in which an attacker steals a credential from a victim in order to impersonate the victim at a provider:

This kind of attack is quite common; phishing attacks, for example, also fall under this class: the attacker uses phishing e-mails as the attack channel and lures the victim into revealing his credentials at a bogus site. These credentials are then sent to the attacker via the harvesting channel, which can for example be e-mail. The attacker can then use the stolen credentials to impersonate the victim, for example at an online bank.

We studied a specific type of impersonation attack, namely attacks in which keyloggers and banking trojans are used. Examples of such malware include ZeuS/Wsnpoem and Limbo/Nethell, which we studied in detail. Based on the information collected during dynamic analysis, we found many dropzones and got access to many logfiles. We performed a statistical analysis of this data; here are some highlights:
  • The roughly 170,000 victims are located in 175 different countries, and almost one third of the infected machines are located in either Russia or the United States.

  • The dropzones are located in many different Autonomous Systems (68 different ASes in total), but a few ASes host a disproportionate share of the ZeuS dropzones: the three most common ASes host 49% of all dropzones, indicating that there are some providers preferred by the attackers. Presumably those providers offer bullet-proof hosting, i.e., takedown requests are not handled properly by them.

  • In total, we found 10,775 unique bank account credentials in all logfiles. This includes passwords and all bank account details as entered by a victim during a normal transaction. Furthermore, we found more than 5,600 full credit card details and tens of thousands of passwords for different sites.

  • The distribution of victim IP addresses is highly non-uniform: the majority of victims are located in the IP address ranges between 58.* – 92.* and 189.* – 220.*.

  • Our analysis of the potential income of an attacker indicates that an attacker can earn several hundred dollars per day with keylogger-based impersonation attacks – a seemingly lucrative business.

Full details are available in the technical report. Note that the data we collected during this study is very sensitive. We therefore handed it over to AusCERT, the national Computer Emergency Response Team (CERT) for Australia, since they are in a position to notify the victims.

Update: I received a few comments asking how to protect against this threat. The best protection is keeping the system patched and not clicking on every link and attachment. Furthermore, you can protect yourself against keyloggers by using two-factor authentication for bank transactions. German banks offer services such as mobile TAN/SMS-TAN, in which a transaction number is sent to the mobile phone to authorize a transaction. This helps against a keylogger only because the TAN is tied to one specific transaction, so a captured TAN cannot be reused; it still requires that you check the amount and recipient shown in the SMS before entering the TAN, since a trojan that manipulates the transaction in the browser is otherwise not stopped. A weaker system is iTAN (indexed TAN). The Postbank also published some guidance on how to protect yourself. If you follow these guidelines, you should be relatively safe from the banking trojans discussed here.

Technical Report: "Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones"

Thursday, December 18. 2008
CWSandbox
In the last few months, we analyzed quite a few malware samples related to the stealing of banking credentials. These keyloggers are used by attackers to harvest sensitive information like credit card numbers, username/password combinations and similar data from an infected machine. We developed some techniques to automatically find the dropzones, i.e., the servers to which the stolen information is sent. The following picture illustrates the attack process:



The basic idea of our approach is to use honeypots to automatically collect malware samples, to perform dynamic analysis with the help of CWSandbox and a user simulation, and to use the observed data to find the dropzone in an automated way. Using these techniques, we were able to find more than 300 dropzones and to fully access more than 70 of them. We found stolen information from more than 170,000 victims (33 GB of data) and analyzed this data as well: within the dropzone data we found more than 10,000 bank accounts with full information, more than 140,000 e-mail passwords for large portals and other interesting information.
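To make the automated dropzone detection described here (and in the "Banking Trojans" post above) concrete, here is an added example; it is not code from the technical report or from CWSandbox. It assumes the sandbox run yields the outbound HTTP requests (host, path, body) and that the credentials typed by the user simulation are known in advance, i.e. they are honeytokens. All tokens, hosts and requests below are constructed. The bank itself legitimately receives the credentials during the simulated login, so its host is excluded; every other host that receives a token, whether raw, URL-encoded or inside a base64 blob, is reported as a candidate dropzone together with the tokens that leaked to it.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed honeytokens: the fake credentials the user simulation types
# into the login/transaction forms while the sample runs in the sandbox.
HONEYTOKENS = {
    "username": "alice.sim",
    "password": "Sim!Pass2008",
    "card": "4111111111111111",
}

# Hosts that are supposed to see the tokens (the simulated bank login).
LEGITIMATE_HOSTS = {"www.example-bank.test"}

# Constructed records of the outbound HTTP requests observed during the run.
CAPTURED_REQUESTS = [
    {"host": "www.example-bank.test", "method": "POST", "path": "/login",
     "body": "user=alice.sim&pass=Sim%21Pass2008"},
    {"host": "update.example-cdn.test", "method": "GET", "path": "/time.txt",
     "body": ""},
    {"host": "203.0.113.7", "method": "POST", "path": "/gate.php",
     "body": "id=BOT1&data=" + base64.b64encode(
         b"alice.sim|Sim!Pass2008|4111111111111111").decode()},
    {"host": "198.51.100.22", "method": "GET",
     "path": "/in.php?u=alice.sim&p=Sim%21Pass2008&cc=4111111111111111",
     "body": ""},
]

# Runs of base64 alphabet long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def views_of(text):
    """The request text in every form a token might be visible in:
    as sent, URL-decoded, and the plaintext of any embedded base64 blob."""
    views = [text, unquote_plus(text)]
    for match in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        views.append(blob.decode("latin-1"))
    return views


def find_dropzones(tokens, requests, legitimate_hosts):
    """Map each non-legitimate host that received a honeytoken to the set
    of token names it received."""
    hits = {}
    for req in requests:
        if req["host"] in legitimate_hosts:
            continue
        views = views_of(req["path"] + "\n" + req["body"])
        leaked = {name for name, value in tokens.items()
                  if any(value in view for view in views)}
        if leaked:
            hits.setdefault(req["host"], set()).update(leaked)
    return hits


if __name__ == "__main__":
    for host, names in find_dropzones(HONEYTOKENS, CAPTURED_REQUESTS,
                                      LEGITIMATE_HOSTS).items():
        print(f"candidate dropzone {host}: received {sorted(names)}")
```

Matching plaintext or lightly encoded tokens is enough for bots that post the stolen data as form fields, as in the constructed requests; a family that encrypts or obfuscates its reports before sending them needs an additional decoding step tailored to that family before the match can succeed.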

Today we published a technical report that summarizes our findings.

Abstract: We study an active underground economy that trades stolen digital credentials. We present a method with which it is possible to directly analyze the amount of data harvested through these types of attacks in a highly automated fashion. We exemplify this method by applying it to keylogger-based stealing of credentials via dropzones, anonymous collection points of illicitly collected data. Based on the collected data from more than 70 dropzones, we present the first empirical study of this phenomenon, giving many first-hand details about the attacks that were observed during a seven-month period between April and October 2008. This helps us better understand the nature and size of these quickly emerging underground marketplaces.

Client-Side Honeypots

Wednesday, December 17. 2008
A client-side honeypot is a type of honeypot designed to collect information about client-side attacks. Typically such a honeypot drives Internet Explorer and continuously surfs the Web in an automated way. While surfing, the system's activity is closely monitored for changes such as new files on the hard disk or new processes, since such changes indicate a successful drive-by download: a malicious website has compromised the web browser just by being visited. Because only exploits that actually succeed against the honeypot's browser and plugin versions cause such changes, a site that targets other versions goes unnoticed by this kind of honeypot. Examples of client-side honeypots are Capture-HPC and the MITRE Honeyclient.

We run several client-side honeypots in our lab and frequently find new malicious websites. At the moment, we quite often find sites that use malicious PDF files to exploit our browser. In such an attack, a vulnerability in Adobe Acrobat Reader is exploited in order to execute code on the victim's machine. To illustrate such an exploit, I created a short movie that shows a live exploit. In the future, I hope to cover client-side exploits more often. With vulnerabilities such as the current MS08-078, I'm sure that we will observe even more malicious sites in the future...
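The monitoring used both for the PDF analysis in CWSandbox (see "Analyzing Malicious PDF Files" above) and for client-side honeypots boils down to comparing the system state before and after the document is opened or the site is visited. The following is an added example of that comparison; it is not code from CWSandbox, Capture-HPC or the MITRE Honeyclient. It takes two constructed snapshots (files on disk, process list with parent PIDs, registry values), modelled loosely on the wuweb.exe report mentioned above, and reports only the deltas that point to a compromise: executables written to disk, processes that descend from the reader or browser we drive, and new autorun entries. All process names, paths and registry keys are constructed, and the wuweb.exe drop is a stand-in for whatever the real report showed.

```python
from dataclasses import dataclass

# The applications we drive ourselves (the PDF reader in the sandbox, the
# browser in the honeyclient); anything they spawn is suspect.
MONITORED_APPS = {"acrord32.exe", "iexplore.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".vbs", ".com")
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    parent: int


@dataclass(frozen=True)
class Snapshot:
    files: frozenset      # absolute paths present on disk
    procs: frozenset      # Proc entries from the process list
    registry: frozenset   # (key, value_name, data) triples


def diff_snapshots(before, after):
    """Everything that appeared between the two snapshots."""
    return {
        "files": sorted(after.files - before.files),
        "procs": sorted(after.procs - before.procs, key=lambda p: p.pid),
        "registry": sorted(after.registry - before.registry),
    }


def monitored_ancestor(proc, procs_by_pid):
    """Name of the driven application this process descends from, if any."""
    seen, pid = set(), proc.parent
    while pid in procs_by_pid and pid not in seen:
        seen.add(pid)
        parent = procs_by_pid[pid]
        if parent.name.lower() in MONITORED_APPS:
            return parent.name
        pid = parent.parent
    return None


def findings(before, after):
    """Indicators of a successful exploit; an empty list means 'looked clean'."""
    delta = diff_snapshots(before, after)
    procs_by_pid = {p.pid: p for p in after.procs}
    out = []
    for path in delta["files"]:
        if path.lower().endswith(EXECUTABLE_SUFFIXES):
            out.append(f"executable dropped: {path}")
    for proc in delta["procs"]:
        origin = monitored_ancestor(proc, procs_by_pid)
        if origin:
            out.append(f"new process {proc.name} (pid {proc.pid}) descends from {origin}")
    for key, name, data in delta["registry"]:
        if any(k in key.lower() for k in AUTORUN_KEYS):
            out.append(f"autorun entry added: {key}\\{name} = {data}")
    return out


# Constructed snapshots: baseline with the reader already running, and the
# state after the document was opened.
BEFORE = Snapshot(
    files=frozenset({
        r"C:\WINDOWS\explorer.exe",
        r"C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe",
    }),
    procs=frozenset({Proc(4, "System", 0), Proc(1200, "explorer.exe", 4),
                     Proc(1604, "AcroRd32.exe", 1200)}),
    registry=frozenset({(r"HKCU\Software\Adobe\Acrobat Reader\8.0", "Version", "8.1.1")}),
)
AFTER = Snapshot(
    files=BEFORE.files | {
        # benign: the reader writes its own cache while opening the document
        r"C:\Documents and Settings\user\Application Data\Adobe\Acrobat\8.0\Cache\AcroFnt08.lst",
        # suspicious: a PE file written to the system directory
        r"C:\WINDOWS\system32\wuweb.exe",
    },
    procs=BEFORE.procs | {Proc(1888, "wuweb.exe", 1604), Proc(1920, "svchost.exe", 1888)},
    registry=BEFORE.registry | {
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "wuweb",
         r"C:\WINDOWS\system32\wuweb.exe"),
    },
)

if __name__ == "__main__":
    for line in findings(BEFORE, AFTER):
        print(line)
```

Filtering on descent from the driven application, rather than on any new process or file, is what keeps the reader's own cache writes out of the report; the second-generation svchost.exe is still caught because the ancestor walk goes through wuweb.exe back to AcroRd32.exe. What counts as a benign change has to be maintained per reader/browser version.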

Facebook friend spam / Koobface

Thursday, December 4. 2008
CWSandbox
For a few days now, a new round of malicious friend messages has been going around on Facebook. The messages all look similar; an example is:
"Oh noooooo
hxxp://www.facebook.com/l.php?u=hxxp://geocities.com%2Fmaxmonroe79%2Findex.htm..."

To reply to this message, follow the link below:
http://www.facebook.com/n/?inbox/readmessage.php&t=10085171....

Once a victim clicks on the link, he also has to confirm the redirect on Facebook's site. Afterwards, the attackers use social engineering to trick the victim into installing the malware sample named flash_update.exe. I have also uploaded a movie to illustrate the infection process and to test the new media options I added to this blog: http://honeyblog.org/pages/20081204-koobface.html
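The link in such a message points at facebook.com, which is exactly what makes it convincing; the real destination sits URL-encoded in the u parameter of the l.php redirector. As an added example (not part of the original post), the redirector can be unwrapped offline, without fetching anything, to show where the victim is actually sent. The spam link below is constructed from the visible part of the message above and kept defanged with hxxp, and the notification link is constructed in the same way.

```python
from urllib.parse import parse_qs, urlsplit

# Redirector ("link shim") endpoints whose u parameter carries the target.
LINK_SHIMS = {("www.facebook.com", "/l.php")}

# Constructed from the message quoted above (defanged, truncated as on the page).
SPAM_LINK = "hxxp://www.facebook.com/l.php?u=hxxp://geocities.com%2Fmaxmonroe79%2Findex.htm"
# Constructed: the genuine reply link Facebook appends to the notification mail.
REPLY_LINK = "http://www.facebook.com/n/?inbox/readmessage.php&t=10085171"


def unwrap(url, max_hops=5):
    """Follow redirector URLs purely by parsing them; returns every hop,
    starting with the URL as shown to the victim."""
    hops = [url]
    for _ in range(max_hops):
        parts = urlsplit(hops[-1])
        if (parts.netloc.lower(), parts.path) not in LINK_SHIMS:
            break
        target = parse_qs(parts.query).get("u")   # parse_qs URL-decodes the value
        if not target:
            break
        hops.append(target[0])
    return hops


def final_destination(url):
    """(host the victim ends up on, list of hops); the host differs from the
    visible one whenever a shim sends the victim off-site."""
    hops = unwrap(url)
    return urlsplit(hops[-1]).netloc.lower(), hops


def is_offsite(url):
    host, hops = final_destination(url)
    return host != urlsplit(hops[0]).netloc.lower()


if __name__ == "__main__":
    for link in (SPAM_LINK, REPLY_LINK):
        host, hops = final_destination(link)
        print(f"{'OFF-SITE' if is_offsite(link) else 'on-site '} {host}  via {len(hops)} hop(s)")
```

The hop limit matters because shims can be nested (a u parameter that points at another l.php URL); without it a crafted link could keep the unwrapper looping.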

Fortinet has some more information on a related incident: http://www.fortiguardcenter.com/advisory/FGA-2008-26.html