Call for Paper: 5th ACM Workshop on Recurring Malware (WORM) 2007

Wednesday, April 18. 2007
The Call for Paper for the 5th ACM Workshop on Recurring Malware (WORM) 2007 is now available. I am very proud to be one of the members of the program committee and would love to see many submissions to the workshop.

Important dates:
  • Paper submissions due: Sunday, June 17th, 2007

  • Notification to authors: August 7th, 2007

  • Final papers due: August 22nd, 2007

The workshop will be held at November 2nd, 2007 at George Mason University, VA, USA, in association with the 14th ACM Conference on Computer and Communications Security (CCS).

About WORM:
Internet-wide infectious epidemics have emerged as one of the leading threats to information security and service availability. Self-propagating threats, often termed worms, exploit software weaknesses, hardware limitations, Internet topology, and the open Internet communication model to compromise large numbers of networked systems. Malware is increasingly used as a beachhead to launch further malicious activities, such as installing spyware, deploying phishing servers and spam relays, or performing information espionage. Unfortunately, current operational practices still face significant challenges in containing these threats as evidenced by the rise in automated botnet networks and the continued presence of worms released years ago. The goal of this workshop is to provide a forum for exchanging ideas, increasing understanding, and relating experiences on malicious code from a wide range of communities, including academia, industry, and the government.
Posted by Thorsten Holz in administrativa at 17:08 | Comments (0) | Trackbacks (0)

chmod 777 Apple

Tuesday, April 17. 2007
It's again time for CanSecWest, taking place in Vancouver this week. I teach a course on honeypots today and the conference itself starts tomorrow. The program looks really good, especially looking forward to see Jose's talk on "Reverse Engineering Malicious Javascript", "Post-Mortem RAM Forensics", and Ilja's "Unusual Bugs" talk.

Dragos has announced a contest, in which you can win a Apple MacBook Pro:
We've announced that we will be having a contest "PWN to OWN" where two, pimp, loaded up, Apple Macbook Pro's will be set up on their own AP (with security updates but otherwise default) and attendees will be able to connect to the ethernet or WiFi. The first to exploit it (there are victory conditions, and progressive rules over the three days) gets to go home with it. (Limit one per person, Can't use the same vuln on both.) If they survive the three days in the "jungle," they become prizes for best lightning talk and best speaker. Detailed contest rules to follow shortly.
Posted by Thorsten Holz in administrativa at 16:47 | Comments (0) | Trackbacks (0)

Program for HotBots'07 / Rishi

Thursday, April 5. 2007
The program for the First Workshop on Hot Topics in Understanding Botnets is now online. The program committee accepted 11 papers from 32 submissions. Together with Jan Göbel, I also submitted a paper which was accepted. The paper entitled "Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation", describes a simple, yet effective methods to detect bot-contaminated hosts within a given network. It tries to detect suspicious IRC nicknames and preliminary results show the usefulness. I will upload the paper once the workshop is over.

Abstract:
In this paper, we describe a simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command & Control server (C&C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which are commonly not detected by classical intrusion detection systems. Upon detection, it is possible to determine the IP address of the C\&C server, as well as, the channels a bot joined and the additional parameters which were set. The software "Rishi" implements the mentioned features and is able to automatically generate warning emails to report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen university, we detected 82 bot-infected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems.
Posted by Thorsten Holz in administrativa, paper at 08:50 | Comments (0) | Trackbacks (0)
« previous page   (Page 2 of 2, totaling 8 entries)