Damage by Botnets

Monday, April 30. 2007
A few days ago, Ed Felten posted a summary of a recent Botnet Briefing in Washington. The interesting point is the question whether the $5000 damage threshold of the Computer Fraud and Abuse Act is too high for such cases and whether it would make more sense to use some designated number of affected computers instead. Presumably this comes back to the question of how to estimate the damage of a single incident. Do you take into account the time to clean up the bot-infected machines (re-installing the system, customizing everything, restoring from backup, ...) and also the costs of possible DDoS attacks, identity theft, or other harm to victims?

Web-based Honeypot Decoys

Monday, April 30. 2007
Michael Müter just finished his diploma thesis entitled "Web-based Honeypot Decoys".

Abstract
Honeypots are a well-known technique for gaining more information about the proceedings of attackers in communication networks. With the constant growth of the Internet, web applications have become more and more attractive and worthwhile targets for attackers. The web-based honeypots that exist so far exclusively focus on a low-interaction approach, which only allows one to monitor and observe a very limited amount of information about an attack.
In this work we extend the concept of honeypots and develop a generic high-interaction web-based honeypot toolkit. The toolkit allows one to transform an arbitrary web application into a high-interaction web-based honeypot, which can capture and record every single step an attacker performs on a system. In order to monitor and analyse the large amounts of data a high-interaction system accumulates, we furthermore develop a tool which supports the process of extracting the important information from the collected data. We demonstrate the success of our approach by presenting different results and examples we obtained with our implementation during the last months.


CWSandbox vs. ALLAPLE

Thursday, April 26. 2007
Since mid-December 2006, a polymorphic worm by the name of ALLAPLE.B has been spreading. Thanks to the help of Corrado Leita and ScriptGen, nepenthes can also capture this particular worm. Each iteration has a new MD5 sum, so this hash is a weak indicator of whether a given sample is really new. However, it is pretty easy to spot ALLAPLE with the help of CWSandbox since the worm has some unique behavior, for example:
  • It uses the filename urdvxc.exe

  • The mutex is always jhdheddfffffhjk5trh

  • It pings hosts in a random class B network, and if a host replies to ICMP echo requests, it tries to attack it on TCP ports 139 and 445

In contrast to static analysis, such a behavior-based malware classification can help to categorize a given malware sample based solely on the actions it performs. For example, yesterday we captured 84 samples with different MD5 sums that behave exactly like ALLAPLE does. All these samples belong to the same family and are only minor variants.
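To make the contrast between hash-based and behavior-based classification concrete, here is an added example (not part of the original post and not CWSandbox code): it takes simplified, constructed sandbox reports (the report layout, the MD5 placeholders and the IP addresses are all made up for this illustration), matches the three ALLAPLE indicators listed above, and derives a behavior fingerprint that stays the same across polymorphic variants whose MD5 sums differ.

```python
import hashlib
import ntpath

# Behavioural indicators of ALLAPLE as listed in the post above.
ALLAPLE_FILENAME = "urdvxc.exe"
ALLAPLE_MUTEX = "jhdheddfffffhjk5trh"
ALLAPLE_PORTS = {139, 445}

# Constructed, simplified sandbox reports (not real CWSandbox output).
# The MD5 values are placeholders, not hashes of real samples.
REPORTS = [
    {   # variant 1: one MD5, the ALLAPLE behaviour pattern
        "md5": "0a" * 16,
        "files_created": [r"C:\WINDOWS\system32\urdvxc.exe"],
        "mutexes": ["jhdheddfffffhjk5trh"],
        "icmp_targets": ["10.17.4.9", "10.17.200.3", "10.17.77.200", "10.17.9.1"],
        "tcp_connects": [("10.17.4.9", 139), ("10.17.4.9", 445), ("10.17.9.1", 139)],
    },
    {   # variant 2: different MD5 (polymorphic re-encoding), same behaviour
        "md5": "1b" * 16,
        "files_created": [r"C:\WINDOWS\system32\urdvxc.exe"],
        "mutexes": ["jhdheddfffffhjk5trh"],
        "icmp_targets": ["172.16.3.3", "172.16.250.12", "172.16.88.9"],
        "tcp_connects": [("172.16.3.3", 445), ("172.16.88.9", 139)],
    },
    {   # unrelated sample: drops a different file, no network sweep
        "md5": "2c" * 16,
        "files_created": [r"C:\Documents and Settings\user\update.exe"],
        "mutexes": ["Global\\SomeOtherMutex"],
        "icmp_targets": [],
        "tcp_connects": [("203.0.113.5", 80)],
    },
]


def scans_class_b(icmp_targets, minimum=3):
    """True if at least `minimum` ICMP echo targets share one /16 prefix,
    i.e. the sample sweeps a class B network rather than pinging a fixed host."""
    prefixes = {}
    for ip in icmp_targets:
        prefix = ".".join(ip.split(".")[:2])
        prefixes[prefix] = prefixes.get(prefix, 0) + 1
    return any(count >= minimum for count in prefixes.values())


def behaviour_fingerprint(report):
    """Hash of the normalised behaviour, independent of the sample's bytes.
    Polymorphic variants with different MD5 sums map to the same fingerprint."""
    basenames = sorted(ntpath.basename(p).lower() for p in report["files_created"])
    mutexes = sorted(report["mutexes"])
    ports = sorted({port for _, port in report["tcp_connects"]})
    canonical = "|".join([
        "files=" + ",".join(basenames),
        "mutex=" + ",".join(mutexes),
        "ports=" + ",".join(map(str, ports)),
        "classb_scan=" + str(scans_class_b(report["icmp_targets"])),
    ])
    return hashlib.sha256(canonical.encode()).hexdigest()


def classify(report):
    """Match the three ALLAPLE indicators from the post; 'unknown' otherwise."""
    drops_file = any(ntpath.basename(p).lower() == ALLAPLE_FILENAME
                     for p in report["files_created"])
    has_mutex = ALLAPLE_MUTEX in report["mutexes"]
    ports = {port for _, port in report["tcp_connects"]}
    scans_smb = scans_class_b(report["icmp_targets"]) and bool(ports & ALLAPLE_PORTS)
    if drops_file and has_mutex and scans_smb:
        return "ALLAPLE"
    return "unknown"


def group_by_behaviour(reports):
    """Cluster samples by behaviour fingerprint: one family, many MD5 sums."""
    groups = {}
    for r in reports:
        groups.setdefault(behaviour_fingerprint(r), []).append(r["md5"])
    return groups


if __name__ == "__main__":
    for r in REPORTS:
        print(r["md5"], classify(r), behaviour_fingerprint(r)[:12])
    for fp, md5s in group_by_behaviour(REPORTS).items():
        print(f"{fp[:12]}: {len(md5s)} sample(s)")
```

The fingerprint deliberately discards everything that changes between variants (the sample's own bytes, the concrete IP addresses it happened to sweep) and keeps only what the family does: which file name it drops, which mutex it holds, which ports it attacks and whether it sweeps a /16. Real sandbox reports carry far more event types; the same normalise-then-hash approach applies to them.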

The complete report is available as HTML analysis and XML analysis.

Security of virtual machines

Friday, April 20. 2007
Tavis Ormandy just gave an interesting presentation at CanSecWest'07 about the security of virtual machines (QEMU, VMware, Bochs, ...) entitled "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environment". Using fuzzing and other techniques, he managed to find quite a few bugs in popular VMs, amongst others:
  • heap overflow in QEMU's NE2000 network device

  • heap overflow in QEMU's VGA code

  • vulnerability in VMware's power management code

For example, his summary for the security of QEMU is:
An attacker with access to a QEMU virtualized environment could potentially compromise the virtual machine process and execute arbitrary code with the privileges of the emulator. Malware being studied inside QEMU, even in an unprivileged state, can terminate the virtual machine safely and reliably.

Regarding malware analysis, these results presumably mean that the analysis process should be carried out on a native machine with some kind of restore card, since we cannot trust the malware code not to attack the virtual machine itself. We use such a setup within CWSandbox and the results look promising.

Tavis also released a paper describing the results in detail. The paper also includes some proof-of-concept demos. His presentation will soon be available on the CanSecWest website as well.

Abstract
As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environment.

Rishi: Identify Bot Contaminated Hosts

Thursday, April 19. 2007
HotBots'07 took place last week in Boston. The paper by Jan Göbel and me is now available, and I have also published the slides from my talk.
This workshop was by invitation only. As a courtesy, USENIX made the accepted papers available to everyone.