Philippine Honeynet Project: "Hackers in the House"

Saturday, September 23. 2006
A detailed analysis of a honeypot compromise at one of the honeypots of the Philippine Honeynet project is available at their site. Our honeynet is currently rather silent, mainly due to the fact that we are currently in a rebuilding phase - but by the end of next week, we should have a couple of honeypots up and running again.

The Nepenthes Platform: An Efficient Approach to Collect Malware

Thursday, September 21. 2006
At the RAID'06 conference taking place in Hamburg between September 20 and 22, we published a paper on nepenthes. It describes nepenthes in detail and gives an overview of preliminary results. I had previously published an excerpt from the paper here at this blog, but now the final paper is also available.

Abstract:
Up to now, there is little empirically backed quantitative and qualitative knowledge about self-replicating malware publicly available. This hampers research in these topics because many counter-strategies against malware, e.g., network- and host-based intrusion detection systems, need hard empirical data to take full effect.
We present the nepenthes platform, a framework for large-scale collection of information on self-replicating malware in the wild. The basic principle of nepenthes is to emulate only the vulnerable parts of a service. This leads to an efficient and effective solution that offers many advantages compared to other honeypot-based solutions. Furthermore, nepenthes offers a flexible deployment solution, leading to even better scalability. Using the nepenthes platform we and several other organizations were able to greatly broaden the empirical basis of data available about self-replicating malware and provide thousands of samples of previously unknown malware to vendors of host-based IDS/anti-virus systems. This greatly improves the detection rate of this kind of threat.


Public Web Interface to CWSandbox

Wednesday, September 20. 2006
Greetings from Hack In The Box 2006! I'm happy to announce that we finally have a public web interface to CWSandbox: just go to http://www.cwsandbox.org and submit a binary. A couple of minutes later, you should find an analysis in your e-mail inbox.

William Salusky over at ISC wrote:

"Malware analysts rejoice! A public submission interface for the CWSandbox (NEW)

The public availability of a submission interface into the CWSandbox is finally at hand.

The CWSandbox has been a somewhat closely held tool in the professional security and AV researcher community for many months now. The CWSandbox results offer near immediate insight into the actions of malicious code execution on win32 based systems which in turn offers you, the affected party some quick intel on what might be happening on your network!

Please be kind and submit samples that you have vetted in some way as malicious. I'm sure this project would not be interested in receiving copies of your %SYSTEM% directory.

You can submit your malicious code samples via the sample web submission form at:
https://luigi.informatik.uni-mannheim.de/submit.php

CWSandbox results containing the sandbox/AV results are emailed to the submitter address.

This sandbox environment currently tracks malicious code variants against only three free/unnamed AV products at the moment. I'm confident that this project would be interested in hearing from commercial AV vendors willing to offer unix based solutions to further their detection effort.

Handler on duty
W"

Indeed, if AV vendors want to help us with some kind of AV engine, we are more than happy to hear from you :-) It is also possible to license CWSandbox if you want to use it at your site - for more information just contact thorsten [dot] holz [@] gmail [dot] com

On the Economics of Botnets - Part 2

Friday, September 15. 2006
Since the economic aspects of network attacks seem to be of interest to some people (eWEEK and /.), I will blog more about it... But first, let me thank Jens Hektor and Jan Göbel, who analyzed the incident and provided me with further data - without them, I could not blog about this :-)

Recently there was a malware incident within the network of my old university in Aachen: Blast-o-Mat, a custom IDS system, picked up an infected machine and redirected it to a quarantine webserver. This way, the user is instantly notified that something went wrong and can download patches and AV engines at that web site. A closer examination revealed that the infected machine also made some strange web requests: it tried to post data to a PHP script located on a remote server. It turned out that this machine was infected with Haxdoor (F-Secure report), one of the most advanced Trojans out there nowadays. Haxdoor (AKA Goldun) is - among other things - capable of collecting private data like username/password combinations entered within Internet Explorer and also has some rootkit capabilities.

During further investigation, several log files were found which contained all information stolen from the infected machines. In total, these log files contained more than 6.6 million entries, equivalent to 285 MB of data. This data was stolen from the compromised machines between April 19 and April 27, 2006, i.e., within only nine days. In total, more than 39,000 different IP addresses fell victim to this particular Haxdoor infection. This shows the effectiveness of this kind of attack.

The vast majority of victims were located in Germany, most of them within IP ranges of dial-up users. This user group is an easy, yet very attractive, target for attackers: people who use the Internet at home for entertainment purposes are often not very security aware. Furthermore, patch management or additional security software like anti-virus engines or host-based firewalls are unfamiliar terms for them. Thus an attacker can compromise these unpatched machines with the help of autonomously spreading software in the form of bots. Once he has complete control over the victim's machine, he can use it to install additional tools, for example keyloggers or even more advanced tools like Haxdoor.

Presumably the most severe form of identity theft caused by Haxdoor concerns information related to financial transactions. This Trojan monitors the use of Internet Explorer and sends captured data (e.g., URLs and the content of HTML forms) to a central logging server, and thus this very sensitive information can be captured by the attacker. In the log files we found traces of at least 15 different banks whose customers were affected. Moreover, the log files contain complete information about at least 280 bank accounts and 28 credit card numbers with complete details. The rather low number of credit card details can be explained by the nationality of the victims: in Germany, the usage of credit cards is not as common as in the US.

In addition, Haxdoor is capable of retrieving the information in the Protected Storage (PStore) Service of infected machines, which contains rather sensitive information, as the following (sanitized) example shows:

-==; Protected Storage: 
Outlook: pop.gmx.net | PASS
http://12090.forum.onetwomax.de/:StringData | USER PASS
http://ksv-hessen.de/:StringData | USER PASS
http://pixum.de/:StringData | e-Mail PASS
http://www.fussballstammtisch.de:StringData | USER PASS
http://www.willstequatschen.com/index.php:StringData | USER PASS
-==; Account
POP3 Server | pop.gmx.net
POP3 User Name | e-Mail
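To turn a recovered drop-server log like the one above into something a CERT can act on (how many distinct victims, which services and banks are affected, which victims to notify per site), the raw dump has to be parsed and deduplicated. The following is an added example and not code from the original post or from the incident response team: it assumes the record layout seen in the excerpt (section headers beginning with "-==;", followed by "key | value" lines) plus a hypothetical "-==; Victim: <ip> | <timestamp>" header that separates records; the sample log is constructed with documentation addresses and placeholder hostnames, since the real logs were never published.

```python
"""
Triage of a Haxdoor-style drop-server log (added example, not from the original post).

Assumed format (reconstructed from the sanitized excerpt): each victim record starts
with a constructed "-==; Victim: <ip> | <timestamp>" header, followed by sections such
as "-==; Protected Storage:" and "-==; Account" whose lines are "key | value".
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: RFC 5737 documentation addresses, placeholder hosts, no real data.
SAMPLE_LOG = """\
-==; Victim: 198.51.100.7 | 2006-04-20 09:14:02
-==; Protected Storage:
Outlook: pop.gmx.net | PASS
http://www.forum.example/:StringData | USER PASS
http://bank.example/login.php:StringData | USER PASS
-==; Account
POP3 Server | pop.gmx.net
POP3 User Name | e-Mail
-==; Victim: 198.51.100.7 | 2006-04-20 11:30:45
-==; Protected Storage:
http://www.forum.example/:StringData | USER PASS
-==; Victim: 203.0.113.42 | 2006-04-21 22:01:10
-==; Protected Storage:
https://bank.example:StringData | USER PASS
Outlook: pop.mail.example | PASS
-==; Account
POP3 Server | pop.mail.example
"""


def parse_records(text):
    """Split the log into per-victim records: {"ip", "ts", "entries": [(section, key, value)]}."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-==;"):
            header = line[4:].strip()
            if header.startswith("Victim:"):
                ip, _, ts = header[len("Victim:"):].partition("|")
                current = {"ip": ip.strip(), "ts": ts.strip(), "entries": []}
                records.append(current)
                section = None
            else:
                section = header.rstrip(":")  # "Protected Storage" or "Account"
            continue
        if current is None or "|" not in line:
            continue  # data before the first victim header, or a line without key/value
        key, _, value = line.partition("|")
        current["entries"].append((section, key.strip(), value.strip()))
    return records


def service_host(section, key, value):
    """Map one stolen entry to the service host it belongs to (None if not a host)."""
    if section == "Account":
        return value.lower() if key.endswith("Server") else None
    if key.startswith("Outlook:"):
        return key.split(":", 1)[1].strip().lower()
    if key.endswith(":StringData"):
        key = key[: -len(":StringData")]  # strip the PStore item suffix before URL parsing
    host = urlsplit(key).hostname
    return host.lower() if host else None


def summarize(records, watched_hosts=frozenset()):
    """Deduplicate victims and count distinct victims per affected service host."""
    victims_by_host = defaultdict(set)
    for rec in records:
        for section, key, value in rec["entries"]:
            host = service_host(section, key, value)
            if host:
                victims_by_host[host].add(rec["ip"])
    return {
        "records": len(records),
        "distinct_victims": len({rec["ip"] for rec in records}),
        "victims_by_host": {h: len(ips) for h, ips in victims_by_host.items()},
        # per-host victim lists for the sites (e.g. banks) that must be notified
        "watched": {h: sorted(ips) for h, ips in victims_by_host.items() if h in watched_hosts},
    }


if __name__ == "__main__":
    report = summarize(parse_records(SAMPLE_LOG), watched_hosts={"bank.example"})
    print(report)
```

Counting distinct victim IPs per host rather than raw entries matters because the same infected machine reports repeatedly (the sample shows 198.51.100.7 twice); the "watched" list is what you would hand to each affected bank or ISP for notification.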
This information was handed over to the fine guys at DFN-CERT, the Computer Emergency Response Team responsible for German research and education networks. The affected users were warned in cooperation with universities, ISPs and other affected sites - at least as well as possible...

PacSec Dojo: Advanced Honeypot Tactics

Saturday, September 9. 2006
Just a short announcement: I will again teach a Security Masters Dojo at this year's PacSec entitled Advanced Honeypot Tactics.

This course shows how to use honeypot technologies as a concrete improvement to your organisation's security defences. The course will concentrate on low-interaction honeynet technology, especially nepenthes and honeyd. We will also cover topics like phishing, bots/botnets, manual attacks, web-application security and a few other topics. For each of them, we will take a look at how attackers proceed and how to defend against the threat. Many hands-on exercises help to gain a deeper understanding.

So see you in Tokyo :-)