CWSandbox: First Results

Sunday, April 30. 2006
Some time ago I blogged about the diploma thesis on "Automatic Behaviour Analysis of Malware" by Carsten Willems that I supervise. Preliminary results are now available, and we will start a beta test soon. Below you will find the (rather detailed) results of an analysis of a malicious binary with the md5sum 7f60162c2c0bd2cc7531e51328e98290. Compared to the output of the Norman Sandbox, which is available at http://sandbox.norman.no/live_2.html?logfile=816205, the CWSandbox produces much more detailed results. If you want more information, don't hesitate to contact Carsten or me.


analysis of c:\analyse\log\7f60162c2c0bd2cc7531e51328e98290.exe\run_1\

proc_1
PID=720
Username=Administrator
Filename=c:\analyse\binary\7f60162c2c0bd2cc7531e51328e98290.exe
MD5=7f60162c2c0bd2cc7531e51328e98290


Hack In The Box 2006: Playing with Botnets for Fun and Profit

Saturday, April 29. 2006
I am glad that I was invited to speak at this year's HITB security conference. It will take place in Malaysia in September, and if you have time to go there, I strongly advise you to go. The last conferences must have been very interesting from what I have heard, and I expect only the best from this year :-) I will talk about honeypots & botnets; you can find the abstract below.

A preliminary version of the conference program is available. The keynote speakers are Bruce Schneier, Mark Curphey from Foundstone, and John Viega. Together with the other speakers (Van Hauser, The Grugq, Philippe Biondi & Arnaud Ebalard, Mike Davis, and many others), the program will be very exciting.

Presentation Details:
Botnets are still a huge threat within the Internet. These networks of compromised machines can be used to carry out DDoS attacks, send spam, or serve other nefarious purposes. Since the time between a security advisory, the first proof-of-concept exploit, and automated exploitation with the help of bots becomes shorter and shorter, this threat will presumably grow.

In this presentation, we will briefly present the background of bots & botnets, especially focusing on the latest trends. The main part will deal with some ways to play with a botnet: Using nepenthes, we are able to automatically collect new malware. With the help of a sandbox, this malware can be quickly analyzed, focusing on extracting all important information about the botnet from the binary. This information can then be used to impersonate a legitimate bot and to join the botnet. Now the fun begins, since we are part of the botnet and can observe everything that is happening.

There are other ways to play with a botnet, some of which are more grey than others. In the presentation, we will introduce these ways to give the audience some food for thought to develop their own techniques. Furthermore, we present in detail the results we have obtained during our work in the last months. Besides rather offensive results, we will also give some best practice recommendations to mitigate the risk posed by botnets.

Honeypot Compromises

Friday, April 28. 2006
Just a quick update on the status of our honeypots. Currently, among other honeypots, we run one virtual honeynet with three honeypots:

  • Windows XP SP 2 with open share

  • SuSE 9.1 with MySQL, Apache 2.0.49 and several web applications

  • Red Hat 8.0 with good ol' Wu-FTPd 2.6.0 and a world-writeable directory


Jan Göbel maintains this honeynet as part of his diploma thesis. In April 2006 we had two compromises on these systems:

  1. SSH brute-force attack due to a weak password: The adversary got shell access and, after local privilege escalation, downloaded an additional SSH brute-forcer and tried to compromise further hosts. Several other tools could be retrieved by further analysis.

  2. Compromise through the Horde web application: A vulnerable Horde installation was compromised and an IRC bouncer installed. The honeypot is still online; let's see what happens next...


Since several other web applications are running on the Linux-based honeypots, I expect some further compromises in the near future. It seems like web apps are currently one of the easiest ways to compromise a network infrastructure...
Together with Simon Marechal and Frederic Raynal, I wrote an article entitled New Threats and Attacks on the World Wide Web that talks about attack trends against these systems.

Abstract:
Ten years ago, very few networks had a firewall; today, they're ubiquitous. The newest target is the workstation: client-side attacks have increased because direct attacks on servers aren't so easy anymore. Moreover, as new defenses are raised, information flows are increasingly embedded into Web applications, making them extremely valuable as well, and, thus, the next target. This article describes some of these new threats.


Web-based Malware & Honeypots

Monday, April 24. 2006
A few days ago, Johannes Ullrich posted a detailed report about phpBB bots/worms at the Internet Storm Center. His analysis of the bot implemented in Perl is something you should definitely read.

Besides these bots, there is also another kind of web-based malware around. What I see quite frequently are simple backdoors written in PHP that are automatically uploaded to vulnerable machines. At http://honeyblog.org/junkyard/web-based/ I started to collect some of them. I modified them a bit so that they cannot cause any harm to others. Please use them just for educational purposes... With time, I plan to extend this collection.

With certain honeypots, it is also possible to learn more about this threat. Two projects that deal with web-based decoys are Google Hack Honeypots and PHP.Hop - PHP Honeypot Project by the French Honeynet Project. In the near future, there will also be a diploma student who deals with this type of honeypot as part of his thesis: Diploma Project: Web-based Honeypot Decoys

GHP Status Report & Nepenthes 0.1.7 Available

Sunday, April 23. 2006
Every six months, each member of the Honeynet Research Alliance has to deliver a status report describing what has happened during the last months. These bi-annual reports are due at the end of March and September each year, and therefore we had to publish a status report for the German Honeynet Project a few days ago. You can find it at http://pi1.informatik.uni-mannheim.de/projects/honeynet/status2006-1

A few minutes ago, a new version of nepenthes has been released: nepenthes 0.1.7 is available via sourceforge.