Advanced Honeypot-Based Intrusion Detection

Sunday, January 28. 2007
Together with Jan Göbel and Jens Hektor from the Center for Computing and Communication at RWTH Aachen University, I published an article entitled "Advanced Honeypot-Based Intrusion Detection" in the recent ;login: (Volume 31, Number 6) magazine.

The paper describes a custom network intrusion detection system called Blast-o-Mat based on different sensors, one of them being nepenthes. We describe the system and give an overview of the lessons learned, some quantitative results, and an example of a Haxdoor infection detected via the system.

A live demo of Blast-o-Mat is available at the Blast-o-mat Status page.

Abstract:
At RWTH Aachen University, with about 40,000 computer-using people to support, we have built a system to detect infected machines based on honeypots. One important building block of Blast-o-Mat is Nepenthes, which we use both to detect malware-infected systems and to collect malware. Nepenthes is a low-interaction honeypot that appears as vulnerable software but instead decodes attack code and downloads malware. We have been successful at uncovering and quarantining infected systems with sensors listening at 0.1% of our address space. Investigation of collected malware has led to discovery of many infected systems and even a huge cache of stolen identity information.

Stock Spam

Wednesday, January 10. 2007
This morning I took a closer look at the last 500 messages of my spam inbox at the gmail account (about the last five days). 106 of them were stock spam, thus a little more than 20% of the spam I receive is related to this kind of spam. These messages target only eight different ticker symbols:

As you can see, all of these ticker symbols are traded on Pink Sheets, an electronic system for trading penny stocks.

When taking a look at the reaction of the stock quotes, you can see some influence, some of the stocks being currently in their "pump" phase:

Presumably we will see a drop in the quotes in the next few days.

Most of the stock spam messages nowadays are image-based: only two ticker symbols are advertised via plain-text messages, the other six use images. Common OCR is pretty weak at recognizing the image content since it is scrambled in order to make filtering harder:
$ gocr personnel.gif
_
H'LuN,.pK . H '% BIopH, ARMAcE%IcAL s_ocK!, , _
HEA%HeuNIv,E\RsE,I'nc
S_b'ol: HLU_ , ,
Price: $o.o8 ' ' , '
5.day Target: , $O.50 ,' ,
Rating: Strong Buy ,,
HLU_.PH .$15 billion, plastic _cosmetic surgey m,a_ket!
H L U . P H .,G ETrl G READY TO E X P L O' D,E ! ! ! _

For more background on this kind of attack, take a look at our study on stock spam ("The Effect of Stock Spam on Financial Markets").
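As an added illustration (not code from the original post or from the ;login: article), the following Python scorer takes the noisy gocr output quoted above, strips the punctuation debris the OCR sprinkles over scrambled images, undoes the letter-spacing trick, and looks for the typical stock-spam fields (price, target, rating, ticker). The indicator list and the threshold of three hits are my assumptions, not a published rule set.

```python
import re

# Constructed test input: the gocr output quoted in the post, used here as sample data only.
OCR_SAMPLE = r"""
_
H'LuN,.pK . H '% BIopH, ARMAcE%IcAL s_ocK!, , _
HEA%HeuNIv,E\RsE,I'nc
S_b'ol: HLU_ , ,
Price: $o.o8 ' ' , '
5.day Target: , $O.50 ,' ,
Rating: Strong Buy ,,
HLU_.PH .$15 billion, plastic _cosmetic surgey m,a_ket!
H L U . P H .,G ETrl G READY TO E X P L O' D,E ! ! ! _
"""

# gocr emits stray quotes, commas and underscores; keep only letters, digits, $ . % and
# whitespace, then repair the letter O that the OCR produces where a zero was meant.
NOISE = re.compile(r"[^A-Z0-9$.%\s]")
ZERO_AS_O = re.compile(r"(?<=[\d$.])O(?=[\d.])")

def normalize_ocr(text: str) -> str:
    """Upper-case the OCR text, drop noise characters and collapse whitespace."""
    t = ZERO_AS_O.sub("0", NOISE.sub("", text.upper()))
    return re.sub(r"\s+", " ", t).strip()

PRICE = re.compile(r"PRICE\s*(\$\d+\.\d+)")
TARGET = re.compile(r"TARGET\s*(\$\d+\.\d+)")
# Pink Sheets style ticker (XXXX.PK); the sample also shows the K misread as H.
TICKER = re.compile(r"\b([A-Z]{3,5}\.P[KH])\b")
HYPE_WORDS = ("STRONGBUY", "EXPLODE")  # matched on space-free text (assumed list)

def stock_spam_indicators(text: str) -> dict:
    """Extract the stock-spam fields that survive OCR scrambling."""
    norm = normalize_ocr(text)
    compact = norm.replace(" ", "")  # defeats "E X P L O D E" letter-spacing
    price, target = PRICE.search(norm), TARGET.search(norm)
    return {
        "price": price.group(1) if price else None,
        "target": target.group(1) if target else None,
        "tickers": sorted(set(TICKER.findall(norm))),
        "hype": [w for w in HYPE_WORDS if w in compact],
    }

def is_stock_spam(text: str, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` independent indicators are present."""
    ind = stock_spam_indicators(text)
    hits = sum([ind["price"] is not None, ind["target"] is not None,
                bool(ind["tickers"]), bool(ind["hype"])])
    return hits >= threshold
```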