Call for Paper: RAID '07

Friday, December 22. 2006
The Call for Papers for the International Symposium on Recent Advances in Intrusion Detection (RAID '07) is now available. I am very proud to be one of the members of the program committee and would love to see many submissions to the conference.

Important dates:
  • Paper submissions due: Saturday, March 31st, 2007

  • Panel proposals due: May 5th, 2007

  • Notification to authors: June 1st, 2007

  • Final papers due: June 16th, 2007

  • Deadline for poster abstract submission: July 7th, 2007

  • Notification for poster acceptance: July 23rd, 2007

The conference will be held on September 5-7, 2007, at the Crowne Plaza, Gold Coast, Queensland, Australia.

About RAID:
This symposium, the 10th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series is intended to further advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following:

Continue reading "Call for Paper: RAID '07"

Messenger Spam

Wednesday, December 20. 2006
Yesterday we set up another Windows-based honeypot. Those are fun since the chances are high that you receive first results after a few minutes. A Windows honeypot without any service pack will be compromised in a short amount of time by some kind of autonomous spreading malware. Or you will collect information about scam sites.

Within a couple of minutes after we connected the honeypot to the Internet, the first message spam arrived:

It claims that the registry "may be corrupt and needs to be clean immediately" - yeah, on a fresh installation of Windows... Of course, it also offers you the perfect solution for this task: www.refreshxp.com
On that web site, you can download an installer (CWSandbox Analysis), which of course finds some corrupt registry keys and offers to sell you a complete version of the tool.

Continue reading "Messenger Spam"

CWSandbox vs. Banking Spyware

Monday, December 18. 2006
Something we see quite often is malware binaries used to steal sensitive information for online banking. This kind of malware is especially popular in Brazil, but we also see it coming from other countries. Today we take a quick look at one of those Brazilian spyware programs...
The complete infection process is split up into several stages: the first stage creates two new files on the hard disk and then executes one of them. The second stage opens a web page (http://www.humortadela.com.br) and downloads additional malware from the Internet (http://210.58.101.241/modules/xfsection/html/msmm.exe) in the background. The last stage then searches for open windows whose title contains one of the strings from a rather large list; this is how the malware binary detects whether the victim has opened a specific window:
Evite que outras pessoas vejam você digitar sua senha
Evite que outras pessoas te vejam digitar a sua -senha-
A senha de oito dígitos é usada somente para o login
Não abra e-mail de origem desconhecida
Verifique um pequeno cadeado fechado na parte inferior do navegador
Verifique um pequeno cadeado na parte inferior de seu navegador
Evite que outras pessoas vejam você digitar a sua -senha-
Mantenha atualizado o sistema operacional, o navegador e o anti-vírus/trojan
Troque sua senha caso ela possa ser descoberta facilmente
Sempre consulte esta página para novas informações sobre a segurança
Sempre consulte esta página para novas informações sobre segurança
Evite realizar operações em equipamentos de uso público
Não permita que outras pessoas conheçam os seus dados de acesso
Escolha "senhas" diferentes do seu nascimento, CPF e n° seqüenciais
Note se no incio do campo "endereço" surgem as letras "https"
Não use atalhos em e-mail para acessar o site. Digite o endereço direto no navegador
Não abra arquivos de origem desconhecida
Evite abrir arquivos executáveis anexados às suas mensagens
Não faça alteração cadastral por e-mail
Não enviamos e-mail sem a sua permissão
Cuidado com links e downloads contidos em mensagens promocionais
Nunca digite seus dados de acesso em e-mail
Memorize suas senhas sem anotá-las
A senha de oito números somente é usada para o login

I don't speak Portuguese, but a quick search at Google reveals that these titles are commonly used by Banco do Brasil, so this bank is the target of these attacks...

The complete report is also available as HTML analysis and XML analysis.

Update: Fixed "Portuguese" - thanks to Bjoern Weiland

Continue reading "CWSandbox vs. Banking Spyware"

3322.org

Sunday, December 17. 2006
The Internet Storm Center recently had an article about a botnet that uses the SAV remote exploit ("sav worm and its cc"). The botnet uses ftpd.3322.org to download the binary to the infected machines. 3322.org seems to be a rather gray domain; I saw it used a couple of times this year in different malware binaries. At least the following subdomains of 3322.org were used either for botnet C&C traffic or to download additional malware to compromised machines.

So watching your borders and checking whether machines from within your network access these domains could be a good opportunity to detect infected machines...
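As an added illustration of that border check (this is example code written for this post, not a tool from the blog or from the ISC article), the following script scans DNS query logs for clients resolving anything under 3322.org. The log lines are constructed, the "timestamp client query type name" layout is an assumption, and the match is done on label boundaries so that a look-alike such as not3322.org is not flagged; ftpd.3322.org is the only name taken from the post, the other subdomains can be added to KNOWN_BAD.

```python
import re
from collections import defaultdict

# Any host under this suffix is treated as suspicious; KNOWN_BAD only
# changes the reason reported for a hit. ftpd.3322.org is named in the
# post; add the other subdomains the post lists as needed.
WATCH_SUFFIXES = ("3322.org",)
KNOWN_BAD = {"ftpd.3322.org"}

# Constructed sample DNS query log (not real traffic). The layout
# "timestamp client query type name" is an assumption for this example.
SAMPLE_LOG = """\
2006-12-17T10:01:02 10.0.0.5 query A www.example.com
2006-12-17T10:01:09 10.0.0.17 query A ftpd.3322.org
2006-12-17T10:02:11 10.0.0.17 query A NameLess.3322.org
2006-12-17T10:02:30 10.0.0.23 query A not3322.org
2006-12-17T10:03:44 10.0.0.42 query A cdn.update.example.net
2006-12-17T10:04:01 10.0.0.23 query A some-host.3322.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)\s*$")


def normalize(name: str) -> str:
    # Strip a trailing dot and lower-case; DNS names are case-insensitive.
    return name.rstrip(".").lower()


def is_watched(name: str) -> bool:
    """True if name equals a watched suffix or is a label under it.
    Matching on the label boundary keeps 'not3322.org' from matching."""
    n = normalize(name)
    return any(n == s or n.endswith("." + s) for s in WATCH_SUFFIXES)


def scan_dns_log(text: str):
    """Return {client_ip: [(timestamp, queried_name, reason), ...]}
    for every query that touches a watched domain."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, client, qname = m.groups()
        if is_watched(qname):
            reason = "listed" if normalize(qname) in KNOWN_BAD else "suffix"
            hits[client].append((ts, qname, reason))
    return dict(hits)


if __name__ == "__main__":
    for client, events in scan_dns_log(SAMPLE_LOG).items():
        print(client)
        for ts, name, reason in events:
            print(f"  {ts} {name} ({reason})")
```

Each client that resolved a watched name is reported with the time and the reason, which is the list you would take to the owners of those machines.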

Honeypot Compromise: Default FTP Login

Saturday, December 16. 2006
We had another compromise of one of our honeypots this week. The honeypot was running Windows 2000 Professional with the latest service packs. In addition, a firewall blocked access to TCP ports 135 and 445 in order to block most of the automated attacks caused by bots and other autonomous spreading malware. The honeypot was running XAMPP, a free software package containing the Apache web server, MySQL database, FileZilla FTP server, and some other tools. XAMPP is not designed for use as a production system, but we chose it in the hope of attracting manual attacks.
This was indeed successful: we caught an attacker who used the default password of the FileZilla FTP server to upload netcat and a PHP shell backdoor. With the help of these tools, he got access to a command shell on the honeypot and installed his complete tool set. Some interesting tools (log sweeper for Windows, vulnerability scanner, ...) could be retrieved, and we are still analyzing the incident.
The honeypot was set up and administrated by Torsten Stern as part of his internship at our lab.