Status Report German Honeynet Project

Tuesday, May 22. 2007
We have just published the status report of the German Honeynet Project. It highlights some of the work we did in the last twelve months between April 2006 and April 2007.

Disclosing too much...

Thursday, May 10. 2007
F-Secure's blog today has an entry entitled "Advanced tools to handle stolen information". That blog entry deals with an information-stealing trojan which sends all collected data to a central drop site. They also have some screenshots, and this is where things get messy: using the information from the screenshot, it is trivial to find information about other victims. Within a couple of minutes I could find personal data of about 100 other victims. This information includes, amongst others, the following entries:
  • system info: user, processor, operating system, memory, IP address, disk information, folders, process list, installed programs, ...
  • ICQ 2003a & Lite passwords
  • dialup passwords
  • passwords from Windows protected storage
  • Wand & email Opera passwords

Perhaps it is better to handle such information more carefully and not publish too much. FX wrote about this topic some time ago in the Sabre Lablog: "Irresponsible Disclosure"

"Exploring Multiple Execution Paths for Malware Analysis"

Wednesday, May 9. 2007
The upcoming 2007 IEEE Symposium on Security and Privacy has some interesting papers. The paper by Andreas Moser, Christopher Kruegel, and Engin Kirda from the Secure Systems Lab, "Exploring Multiple Execution Paths for Malware Analysis", deals with the dynamic enumeration of execution paths. Such an approach can help detect execution paths that are only triggered under certain conditions and thus helps with behavior-based analysis of malware.

Abstract
Malicious code (or malware) is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked.
The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.
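To make the idea concrete, here is an added toy example; it is not the paper's system and not code from the Honeynet Project. The paper's approach works on real binaries in an instrumented environment. This stand-in routes every environment-dependent condition of a made-up Python "sample" through one hook, records the outcome, and re-runs the sample with each recorded decision inverted until no unexplored prefix remains. The condition names, the actions and the sandbox's concrete values are constructed for the example.

```python
"""Toy illustration of multiple-execution-path exploration (added example).

The "sample" is a Python function whose environment-dependent conditions
all go through Env.check(), so the explorer can record each decision and
re-run the sample with the opposite outcome forced.
"""

# Concrete values a sandbox would observe on one run (constructed).
SANDBOX_CONCRETE = {
    "system date is the 13th": False,
    "C:\\sandbox.txt exists": False,
    "C&C sent .advscan": False,
}


class Env:
    """Answers the sample's environment queries.  The first len(forced)
    queries return the forced outcomes; later ones return the concrete
    value.  Every outcome is recorded in order."""

    def __init__(self, forced=()):
        self.forced = list(forced)
        self.trace = []            # [(condition name, outcome), ...]

    def check(self, name, concrete):
        idx = len(self.trace)
        outcome = self.forced[idx] if idx < len(self.forced) else concrete
        self.trace.append((name, outcome))
        return outcome


def sample_bot(env):
    """Stand-in for the program under analysis (constructed); returns the
    actions it performed on this run."""
    actions = ["connect to C&C"]
    if env.check("system date is the 13th", SANDBOX_CONCRETE["system date is the 13th"]):
        actions.append("overwrite user files")          # time bomb
    if env.check("C:\\sandbox.txt exists", SANDBOX_CONCRETE["C:\\sandbox.txt exists"]):
        actions.append("exit")                          # anti-analysis check
        return actions
    if env.check("C&C sent .advscan", SANDBOX_CONCRETE["C&C sent .advscan"]):
        actions.append("scan /16 for asn1smb")          # propagation on command
    return actions


def single_run(sample=sample_bot):
    """What a conventional sandbox sees: one concrete path."""
    return sample(Env())


def explore(sample=sample_bot):
    """Depth-first enumeration of paths.  Each completed run yields new
    prefixes: for every decision the run made beyond the forced prefix,
    schedule a re-run with that decision inverted.
    Returns {outcome tuple: (trace, actions)}."""
    results, queued, stack = {}, {()}, [()]
    while stack:
        prefix = stack.pop()
        env = Env(prefix)
        actions = sample(env)
        outcomes = tuple(o for _, o in env.trace)
        results[outcomes] = (list(env.trace), actions)
        for i in range(len(prefix), len(outcomes)):
            flipped = outcomes[:i] + (not outcomes[i],)
            if flipped not in queued:
                queued.add(flipped)
                stack.append(flipped)
    return results


def all_actions(results):
    """Union of actions over all explored paths."""
    return sorted({a for _, acts in results.values() for a in acts})


def triggers_for(results, action):
    """Conditions under which `action` is observed: the recorded traces
    of every path that performed it."""
    return [trace for trace, acts in results.values() if action in acts]


if __name__ == "__main__":
    print("single run :", single_run())
    res = explore()
    print("paths      :", len(res))
    print("all actions:", all_actions(res))
    for trace in triggers_for(res, "scan /16 for asn1smb"):
        print("scan when  :", trace)
```

A single concrete run reports only the C&C connection; exploration surfaces the time bomb, the anti-analysis exit and the scan that only fires on a received command, together with the trace of conditions for each. Forcing a branch in a real binary additionally requires keeping the values that depended on the inverted condition consistent, which this toy sidesteps by letting the hook decide the outcome before the sample uses it.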

Click Fraud via Botnets

Tuesday, May 8. 2007
Another phenomenon we observe from time to time is click fraud carried out by botnets: the botherder instructs the bots to visit a certain web site, and all bots then open the site and thereby generate a click. This can be used for automated fraud via clicks on ads or for manipulating online votes, as the following four (sanitized) examples show:
.visit http://pagead2.googlesyndication.com/pagead/iclk?sa=l&ai=B8z[...]
&num=2&adurl=http://www.XXXex-billionaire.com&client=ca-pub-8277125265[...]&nm=22

.vizit http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-05841[...]
&dt=1178[...]&lmt=1178[...]&format=728x90_as&output=html&channel=9949[...]
&url=http%3A%2F%2Fwww.XXX-mp3.us%2FMusic%2F&ad_type=text
&ref=http%3A%2F%2Fwww.XXXmp3.us%2F&cc=100&flash=9&u_h=864
&u_w=1152&u_ah=804&u_aw=1152&u_cd=32&u_tz=120&u_his=2&u_java=true

.open http://www.fallenXXX.com/?ref=293375

.visit http://www.shXXX.net/chat1/vote.php?VID=1313
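A site on the receiving end of such a command sees the same event from the other side: many different client IPs requesting a byte-identical URL within seconds. The following is an added example, not from the original post or the Honeynet Project, of flagging that pattern in a combined-format access log. The log lines are constructed, the 60-second window and the five-IP threshold are arbitrary choices for the example, and only the URL path is taken from the fourth command above.

```python
"""Flag botnet click / vote bursts in a web server access log (added example).

Assumes the target site keeps an Apache/nginx "combined" format log.  A
bot-driven burst looks like the commands above from the server side: many
distinct source IPs requesting an identical URL inside a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumed for the target site).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bursts(lines, window=timedelta(seconds=60), min_ips=5):
    """Return {url: (distinct_ips, window_start)} for every URL (path plus
    exact query string) requested by at least min_ips distinct client IPs
    inside some sliding interval of length window.  Organic clicks on one
    ad or vote link do not arrive from many hosts in the same minute; a
    ".visit <url>" pushed to a botnet produces exactly that."""
    by_url = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_url[rec["url"]].append((rec["ts"], rec["ip"]))
    bursts = {}
    for url, hits in by_url.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:   # slide the window start
                lo += 1
            ips = {ip for _, ip in hits[lo:hi + 1]}
            if len(ips) >= min_ips and len(ips) > bursts.get(url, (0,))[0]:
                bursts[url] = (len(ips), hits[lo][0])
    return bursts


def _log(ip, ts, url, referer="-", ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {url} HTTP/1.1" '
            f'200 512 "{referer}" "{ua}"')


def sample_log():
    """Constructed log: a little organic traffic, then 8 bots (TEST-NET
    addresses) hitting the vote URL within 14 seconds."""
    t0 = datetime(2007, 5, 8, 10, 0, 0, tzinfo=timezone(timedelta(hours=2)))
    lines = [
        _log("10.0.0.5", t0 - timedelta(minutes=50), "/chat1/vote.php?VID=1313"),
        _log("10.0.0.9", t0 - timedelta(minutes=20), "/chat1/vote.php?VID=1312"),
    ]
    # botnet burst: ".visit http://www.shXXX.net/chat1/vote.php?VID=1313"
    for i in range(8):
        lines.append(_log(f"192.0.2.{10 + i}", t0 + timedelta(seconds=2 * i),
                          "/chat1/vote.php?VID=1313"))
    lines.append(_log("10.0.0.7", t0 + timedelta(minutes=30), "/chat1/index.php"))
    return lines


if __name__ == "__main__":
    for url, (n, start) in find_bursts(sample_log()).items():
        print(f"{n} distinct IPs hit {url} within 60 s starting {start:%H:%M:%S}")
```

The check keys on the exact query string because a pushed command carries one fixed URL; legitimate users of the same page vary the parameters. A botherder who spreads the clicks over hours instead of seconds evades this window, so in practice it is paired with per-IP request rates, user-agent uniformity and referer checks on the same URL.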

IRC-Botnet Channels

Monday, May 7. 2007
On a typical day, we analyze between 40 and 50 IRC-based bots that successfully connect to their C&C server. When analyzing these bots, we also keep track of the channel topic in order to observe trends and spot new bot variants. The following listing shows the botnet channel topics for yesterday:
12 : =DvFdgNVh+JvueFDRdUbN7jfpRH&+t9I1B7V5xHfjCH9jmqzHLiLH6Zl[...]
9 : xvvv msass 150 0 0 -b -r -s
4 : xvvv asn139 150 0 0 -b -r -s
3 : .asc asn1smb 200 0 0 -r -b
2 : .scanall -b -r -a -s
2 : .k1ng.root asn445 200 4 0 -b -r
2 : .advscan asn1smb 50 5 0 -r
1 : zasc lsass_445 200 5 0 -b -r
1 : =320zAyMVhEGmtqT74wK9HD8DhqA0Ccno6ZHIygtIqjOx85Ygi1gNpHdEpX[...]
1 : =0LzmBRdf3nOwPmxZDQa1phEvUEA+cUlicB044hPPH4JAHyZD1tsSQ9xLLcSw
1 : .root.mass -a -r -b
1 : .raw join #scan1,#fatalimpact
1 : .asc asn445 200 5 0 -b -r -s
1 : .asc asn1smb 101 5 0 -r -s
1 : .advscan kt1 200 5 0 -r -a -s
1 : .advscan dcom135 150 5 0 -b -s
1 : .advscan asn1smb 50 3 0 -b -s
1 : .advscan asn1smbnt 120 4 0 -r -s
1 : .advscan asn1smbnt 100 3 800 -b -r
1 : #advscan dcom135 100 0 0 -r -b

The first column gives the number of binaries (counted by distinct MD5 sum) that joined a channel with the topic shown.
Three distinct botnets use encrypted topics; they are easy to spot because the topic starts with an = sign. Furthermore, the typical command is propagation: the bots are instructed to search for other victims and scan their neighborhood for vulnerable machines.
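Trend-spotting over such listings is easy to automate. The following is an added example, not the project's own tooling: it parses the listing above into command, module, numeric parameters and flags, then aggregates binaries by topic type and by targeted module. The field layout it assumes for scan commands (command, module, up to three numbers, dash flags) is what the listing shows; the meaning of the numbers (threads, delay and minutes in the rxBot/rBot family) and of the flags is an assumption of the example and is not used for classification. Classifying a topic as propagation when it names a module followed by numbers, or when the command word contains "scan" or "mass", is likewise a heuristic of this example.

```python
"""Parse IRC botnet channel-topic listings and aggregate propagation commands
(added example).  LISTING is copied from the post; the encrypted topics are
truncated there exactly as on the page.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

LISTING = """\
12 : =DvFdgNVh+JvueFDRdUbN7jfpRH&+t9I1B7V5xHfjCH9jmqzHLiLH6Zl[...]
9 : xvvv msass 150 0 0 -b -r -s
4 : xvvv asn139 150 0 0 -b -r -s
3 : .asc asn1smb 200 0 0 -r -b
2 : .scanall -b -r -a -s
2 : .k1ng.root asn445 200 4 0 -b -r
2 : .advscan asn1smb 50 5 0 -r
1 : zasc lsass_445 200 5 0 -b -r
1 : =320zAyMVhEGmtqT74wK9HD8DhqA0Ccno6ZHIygtIqjOx85Ygi1gNpHdEpX[...]
1 : =0LzmBRdf3nOwPmxZDQa1phEvUEA+cUlicB044hPPH4JAHyZD1tsSQ9xLLcSw
1 : .root.mass -a -r -b
1 : .raw join #scan1,#fatalimpact
1 : .asc asn445 200 5 0 -b -r -s
1 : .asc asn1smb 101 5 0 -r -s
1 : .advscan kt1 200 5 0 -r -a -s
1 : .advscan dcom135 150 5 0 -b -s
1 : .advscan asn1smb 50 3 0 -b -s
1 : .advscan asn1smbnt 120 4 0 -r -s
1 : .advscan asn1smbnt 100 3 800 -b -r
1 : #advscan dcom135 100 0 0 -r -b
"""

# Command words that mark propagation even without a module argument (heuristic).
PROPAGATION_HINTS = ("scan", "mass")

LINE_RE = re.compile(r"^\s*(\d+)\s*:\s*(.+?)\s*$")


@dataclass
class Topic:
    binaries: int            # distinct MD5s that joined a channel with this topic
    raw: str
    kind: str                # "encrypted", "scan" or "other"
    command: str = ""
    module: str = ""         # exploit/scanner module name, e.g. asn1smb
    params: list = field(default_factory=list)   # numeric arguments, in order
    flags: list = field(default_factory=list)    # dash options, e.g. ["-b", "-r"]


def parse_topic(count, text):
    """Classify one topic string and split a scan command into its fields."""
    if text.startswith("="):
        return Topic(count, text, "encrypted")
    tokens = text.split()
    cmd, rest = tokens[0], tokens[1:]
    flags = [t for t in rest if t.startswith("-")]
    args = [t for t in rest if not t.startswith("-")]
    module = args[0] if args and not args[0].isdigit() else ""
    params = [int(t) for t in args if t.isdigit()]
    is_scan = bool(module and params) or any(h in cmd.lower() for h in PROPAGATION_HINTS)
    return Topic(count, text, "scan" if is_scan else "other", cmd, module, params, flags)


def parse_listing(text):
    """Parse '<count> : <topic>' lines; lines that do not match are skipped."""
    topics = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            topics.append(parse_topic(int(m.group(1)), m.group(2)))
    return topics


def summarize(topics):
    """Counts of topics and binaries per kind, and binaries per targeted module."""
    by_kind, binaries_by_kind, modules = Counter(), Counter(), Counter()
    for t in topics:
        by_kind[t.kind] += 1
        binaries_by_kind[t.kind] += t.binaries
        if t.kind == "scan" and t.module:
            modules[t.module] += t.binaries
    return {
        "topics": len(topics),
        "binaries": sum(t.binaries for t in topics),
        "topics_by_kind": dict(by_kind),
        "binaries_by_kind": dict(binaries_by_kind),
        "binaries_by_module": dict(modules),
        "top_modules": modules.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_listing(LISTING)).items():
        print(f"{key:19}: {value}")
```

Run over the listing above this yields 20 topics and 47 binaries, of which 14 binaries sit in the three encrypted botnets and 32 carry a propagation command; the most targeted modules are msass (9 binaries), asn1smb (7) and asn139 (4). Running the same script over each day's listing and diffing the module and command-word distributions is what makes new bot variants and newly favoured exploits stand out.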