New Bot-Family Detected: Light-Bots

Thursday, May 8. 2008
Today, we observed a new family of bots while doing some research at our lab. While investigating several Kinder Surprises, we detected two samples of a bot family named Light-Bots (see the picture on the right for more detail about the bots). A closer analysis revealed that the bot exists in at least two versions; we empirically found versions S104 and S105. The propagation scheme is a variant of classical social engineering: victims are tricked into buying a Kinder Surprise, and the bot is contained in the egg, similar to a Trojan Horse. At this point, we do not have any CWSandbox report of the bot behavior nor any signatures. However, the bot also contains a README that indicates a close relationship with the domain www.magic-kinder.com:

Polluting Storm

Friday, April 25. 2008
Dark Reading recently ran an article about our work on Storm Worm entitled "Researchers Infiltrate and 'Pollute' Storm Botnet" (also featured on /.). The article quotes Jose Nazario:
"This has been a taboo subject of exploration, as people do not want to mess with other peoples' PCs by injecting commands," he says.

Just to clarify: we did not inject commands into Storm Worm; we only interfered with the communication process, as explained in our LEET'08 paper. No commands were executed on an infected machine; we only injected packets into the communication process in order to stop the C&C channel. In practice, this does not affect an infected machine: no extra network packets or CPU cycles are used on an infected machine.

Slashdot also covered our work a few days ago: Storm Dismantled at USENIX LEET Workshop.

WOMBAT / FORWARD

Friday, April 25. 2008
In the last few days, the first workshops for two projects funded by the European Union took place: WOMBAT and FORWARD.

Project description WOMBAT:
The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key workpackages: (i) real time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny. The acquired knowledge will be shared with all interested security actors (ISPs, CERTs, security vendors, etc.), enabling them to make sound security investment decisions and to focus on the most dangerous activities first. Special care will also be devoted to impact the level of confidence of the European citizens in the net economy by leveraging security awareness in Europe thanks to the gained expertise.


Project description FORWARD:
The FORWARD initiative aims at identifying, networking, and coordinating the multiple research efforts that are underway in the area of Cyber-threats defenses, and leveraging these efforts with other activities to build secure and trusted ICT systems and infrastructures.


The initial workshops were quite interesting; let's see how both projects evolve :-)
The websites of both WOMBAT and FORWARD contain more information about the actual projects, including more information about the participants and the initial workshops.

LEET'08: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm

Friday, April 11. 2008
Next week at the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08), I will present our work on Storm Worm and the measurement results. The full paper is now available. See you at LEET next week!

Abstract:
Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.

However, the first botnets that use peer-to-peer networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate peer-to-peer botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread peer-to-peer botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms.

April Fool's Day & Storm

Monday, March 31. 2008
A new "joke" from the Storm Worm botnet right before April Fool's Day.

Consistent with their past behavior of launching new propagation schemes right before important dates of national interest (start of the NFL season, Halloween, Christmas Eve, ...), the botnet started to use a new social engineering theme right before April Fool's Day. The websites offer the actual bot binary under three different filenames (foolsday.exe, funny.exe, and kickme.exe), but they seem to be the same binary. I did not observe any drive-by download attack, thus it seems like they solely rely on social engineering - so don't fall for this hoax :-)

New Capture-HPC release

Sunday, March 30. 2008
A tool announcement:

The Honeynet Project and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington have just released version 2.1 of Capture-HPC, a tool that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from the main Honeynet Project web site at: https://projects.honeynet.org/capture-hpc/wiki. It is written and distributed under the GNU General Public License, v2.

Capture-HPC is a computer security product that allows anyone to: investigate client-side computer attacks; security researchers to find and study malicious servers; virus and malware researchers to collect malware pushed by malicious servers; network administrators to monitor their systems for client-side attacks; and web site operators to monitor their web sites for unauthorized modifications with client-side attack code.

CanSecWest PWN2OWN 2008

Tuesday, March 18. 2008
Announcing CanSecWest PWN2OWN 2008.
===================================

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it.

Each has a file on it that contains the instructions on how to claim the prize.

Targets (typical road-warrior clients):
  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

This year's contest will begin on March 26th, and go during the presentation hours and breaks of the conference until March 28th. The main purpose of this contest is to present new vulnerabilities in these systems so that the affected vendor(s) can address them. Participation is open to any registered attendee of CanSecWest 2008.

Program for LEET'08 & Storm Paper

Tuesday, March 18. 2008
The tentative program for the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08) is now available.

We also have a paper accepted: "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm"
We still need to revise the paper based on the reviewers' feedback; as a teaser, here is the preliminary abstract:

"Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.
However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms."

CAPTCHA fun

Thursday, March 13. 2008
A few weeks ago, Websense ran a story on "Google's CAPTCHA busted in recent spammer tactics". The basic idea is that the attacker automatically signs up for freemail accounts (e.g., Google or live.com) with the help of certain malware. During the registration process, the attacker needs to solve a CAPTCHA. This can be done, for example, with the help of humans who are paid for this task. Another option is to use humans who want to access a certain service (e.g., a porn website) and have them solve the CAPTCHA as part of getting access. This is the cheaper option, and presumably also effective. An example of such a CAPTCHA attack is currently available at gift-vip.net. Caution: this is not work-safe; do not open it if you do not want to see adult content. I also created a short movie which illustrates this process. The movie is also available as .mov and .swf file.

Thanks a lot Nick FitzGerald for this tip!

[Update]: Please be careful when opening the actual site since it also contains a malicious iframe.

SSAC Advisory on Fast Flux Hosting and DNS

Thursday, March 13. 2008
The Security and Stability Advisory Committee (SSAC) of ICANN released an advisory regarding "Fast Flux Hosting and DNS", in which they detail ICANN's view of fast-flux service networks (FFSNs). Thanks Jose for the heads-up!

Introduction

"Fast flux" is an evasion technique that cyber-criminals and Internet miscreants use to evade identification and to frustrate law enforcement and anticrime efforts aimed at locating and shutting down web sites used for illegal purposes. Fast flux hosting is an application of technology that supports a wide variety of cyber-crime activities (fraud, identity theft, online scams) and is considered one of the most serious threats to online activities today. Basic fast flux hosting uses rapid modification of IP addresses associated with a system that hosts a malicious activity to evade detection and take down efforts. This technique is also used to rapidly modify the IP addresses of the name servers that resolve the domain names of the fluxed malicious hosts (this variant is sometimes called NS fast flux). A particularly troublesome variant of fast flux hosting, "double flux", fluxes addresses of both name servers and malicious (web server) hosts.

This Advisory describes the technical aspects of fast flux hosting and fast flux service networks. It explains how the DNS is exploited to abet criminal activities that employ fast flux hosting, identifying the impacts of fast flux hosting, and calling particular attention to the way such attacks extend the malicious or profitable lifetime of the illegal activities conducted using these fast flux techniques. It describes current and possible methods of mitigating fast flux hosting at various points in the Internet. The Advisory discusses the pros and cons of these mitigation methods, identifies those methods that SSAC considers practical and sensible, and recommends that appropriate bodies consider policies that would make the practical mitigation methods universally available to registrants, ISPs, registrars and registries (where applicable for each).
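The advisory's introduction distinguishes plain fast flux (churning A records), NS fast flux (churning name-server addresses) and double flux (both). The following is an added example, not code from the advisory, from SSAC or from this blog: a small Python heuristic that aggregates repeated lookups of one domain and labels it according to those three variants. The snapshot shape, the features (distinct addresses, distinct /24 prefixes, minimum TTL) and all thresholds are assumptions chosen for illustration; the three sample domains and their addresses are constructed from documentation address ranges, not observed traffic. The prefix check is what keeps a legitimately load-balanced site, whose addresses cluster in one provider block, from being flagged.

```python
from collections import namedtuple

# One DNS lookup of a domain at one point in time (assumed shape; sample data is constructed).
# a_records: IPv4 addresses returned for the domain; ns_ips: addresses of its name servers.
Snapshot = namedtuple("Snapshot", "domain ttl a_records ns_ips")


def slash24(addr):
    """Return the /24 prefix of a dotted-quad IPv4 address: '203.0.113.5' -> '203.0.113'."""
    return addr.rsplit(".", 1)[0]


def flux_features(snapshots):
    """Aggregate repeated lookups of a single domain into the features the heuristic uses."""
    domains = {s.domain for s in snapshots}
    if len(domains) != 1:
        raise ValueError("all snapshots must belong to one domain")
    a_set, ns_set = set(), set()
    for s in snapshots:
        a_set.update(s.a_records)
        ns_set.update(s.ns_ips)
    return {
        "domain": domains.pop(),
        "min_ttl": min(s.ttl for s in snapshots),
        "distinct_a": len(a_set),
        "distinct_a_prefixes": len({slash24(a) for a in a_set}),
        "distinct_ns_ips": len(ns_set),
        "distinct_ns_prefixes": len({slash24(n) for n in ns_set}),
    }


def classify(snapshots, min_addrs=5, min_prefixes=3, max_ttl=300):
    """Label a domain 'none', 'fast-flux', 'ns-fast-flux' or 'double-flux'.

    Assumed heuristic: a record set is 'fluxed' when the TTL is short and the
    addresses seen over time are both numerous and spread over several /24s
    (fluxed hosts are typically compromised machines in unrelated networks).
    """
    f = flux_features(snapshots)
    short_ttl = f["min_ttl"] <= max_ttl
    a_flux = short_ttl and f["distinct_a"] >= min_addrs and f["distinct_a_prefixes"] >= min_prefixes
    ns_flux = short_ttl and f["distinct_ns_ips"] >= min_addrs and f["distinct_ns_prefixes"] >= min_prefixes
    if a_flux and ns_flux:
        return "double-flux"
    if a_flux:
        return "fast-flux"
    if ns_flux:
        return "ns-fast-flux"
    return "none"


STABLE_NS = ("192.0.2.53", "192.0.2.54")

# Constructed: a load-balanced site rotating inside one provider block; name servers stable.
CDN_LIKE = [
    Snapshot("cdn.example", 60, ("198.51.100.10", "198.51.100.11"), STABLE_NS),
    Snapshot("cdn.example", 60, ("198.51.100.12", "198.51.100.13"), STABLE_NS),
    Snapshot("cdn.example", 60, ("198.51.100.10", "198.51.100.14"), STABLE_NS),
]

# Constructed: A records churn across three unrelated blocks; name servers stable (single flux).
SINGLE_FLUX = [
    Snapshot("flux.example", 180, ("203.0.113.5", "192.0.2.77"), STABLE_NS),
    Snapshot("flux.example", 180, ("198.51.100.9", "203.0.113.200"), STABLE_NS),
    Snapshot("flux.example", 180, ("192.0.2.8", "198.51.100.120"), STABLE_NS),
]

# Constructed: both the A records and the name-server addresses churn (double flux).
DOUBLE_FLUX = [
    Snapshot("dflux.example", 120, ("203.0.113.5", "192.0.2.77"), ("203.0.113.66", "192.0.2.90")),
    Snapshot("dflux.example", 120, ("198.51.100.9", "203.0.113.200"), ("198.51.100.3", "203.0.113.67")),
    Snapshot("dflux.example", 120, ("192.0.2.8", "198.51.100.120"), ("192.0.2.91", "198.51.100.4")),
]

if __name__ == "__main__":
    for sample in (CDN_LIKE, SINGLE_FLUX, DOUBLE_FLUX):
        f = flux_features(sample)
        print(f"{f['domain']:15} A={f['distinct_a']}/{f['distinct_a_prefixes']} prefixes "
              f"NS={f['distinct_ns_ips']}/{f['distinct_ns_prefixes']} prefixes "
              f"ttl={f['min_ttl']} -> {classify(sample)}")
```

Run it directly to see the three labels. In practice the snapshots would come from repeated resolver queries spaced over time, and the thresholds would be tuned against known-good domains (CDNs and large mail providers also use short TTLs and many addresses), which is why the advisory stresses that mitigation has to weigh false positives against take-down speed.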