Virtual Honeypots

Tuesday, July 31. 2007
Niels Provos and I have written a book, "Virtual Honeypots: From Botnet Tracking to Intrusion Detection", which was released a couple of days ago. The book covers high- and low-interaction honeypots and focuses on Honeyd, malware collection, client-side honeypots, botnet tracking, and many more topics. You can order it now in your favorite bookstore; I'm looking forward to your comments :-)



Sunshine on a stormy day

Friday, July 20. 2007
Storm Worm (aka Peacomm) is presumably one of the most successful bots nowadays. It uses P2P (a modified eDonkey/Overnet protocol) for communication and has been spreading since February 2007. If you take a look at your spam mails, you will find messages informing you about e-cards received from various sites, e.g.:
Hi. Friend has sent you an ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http:///?

Or copy and paste it into your browser's "Location" box (where Internet
addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Postmaster,
postcard.com

The link in the mail takes you to a Storm-infected host. Once you click on it, you see the following text in your browser:
Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download.

Besides this text, the web site also contains an obfuscated browser exploit that targets Internet Explorer. If you click on the link on that web site, a file called ecard.exe (the name depends on the current spam run) is offered for download. The executable installs a kernel driver, drops an ini-file with a list of initial peers in the Windows folder, and then tries to contact these peers in order to get an updated list of peers. Once the bot is part of the botnet, it receives updates, spam templates, and DDoS commands via the search functionality of the eDonkey protocol. I'll post more about Storm in the next couple of days...
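To make the bootstrap step concrete, here is a small decoder for a peer list of the kind the bot drops. This is an added example and not code from this post, from Storm itself, or from any removal tool; the ini layout it parses (a [peers] section mapping a 32-hex-digit node ID to a hex-encoded IPv4 address, UDP port and flag byte) is an assumption made for illustration, as are the sample entries, which use RFC 5737 documentation addresses. It shows the checks an analyst wants before trusting such a file: malformed entries are rejected, a duplicate node ID cannot silently overwrite an earlier one, and private addresses are separated from peers that could actually be contacted, or blocked at the perimeter.

```python
"""Decode and sanity-check a Storm Worm style peer-list ini file.

Added example; not code from the original post, from Storm or from the
MW-Blog removal tool. The file layout is an ASSUMPTION for illustration:
an ini file whose [peers] section maps a 32-hex-digit node ID to a
14-hex-digit value holding an IPv4 address (8 digits), a UDP port
(4 digits) and a flag byte (2 digits). Check real samples against the
actual dropped file before trusting this decoder.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample, not a real peer list. RFC 5737 documentation
# addresses stand in for the public peers.
SAMPLE_INI = """\
[config]
ID=00000000000000000000000000000001

[local]
uport=7871

[peers]
; node id = ip(8 hex) port(4 hex) flag(2 hex)
4E5CA3E32C1D0000000000000000AB12=CB0071051EBF00
0123456789ABCDEF0123456789ABCDEF=C0A8010A1EBF00
FEDCBA9876543210FEDCBA9876543210=CB0071201F9001
4E5CA3E32C1D0000000000000000AB12=CB0071221EBF00
DEADBEEF=CB00
00112233445566778899AABBCCDDEEFF=CB0071060000FF
"""

# Address ranges that can never be a usable bootstrap peer on the Internet.
_NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


@dataclass(frozen=True)
class Peer:
    node_id: str
    ip: str
    port: int
    flag: int

    @property
    def routable(self) -> bool:
        addr = ipaddress.IPv4Address(self.ip)
        return not any(addr in net for net in _NON_ROUTABLE)


def decode_peer(node_id: str, value: str) -> Peer:
    """Decode one [peers] entry; raises ValueError on anything malformed."""
    node_id = node_id.strip().upper()
    value = value.strip().upper()
    if len(node_id) != 32 or len(value) != 14:
        raise ValueError("bad field length")
    int(node_id, 16)  # must be hex; raises ValueError otherwise
    ip = str(ipaddress.IPv4Address(int(value[0:8], 16)))
    port = int(value[8:12], 16)
    flag = int(value[12:14], 16)
    if port == 0:
        raise ValueError("port 0 is not a usable peer")
    return Peer(node_id, ip, port, flag)


def parse_peer_list(text: str):
    """Return (accepted peers in file order, rejected (line, reason) pairs).

    Duplicate node IDs keep the first occurrence, so a crafted file cannot
    silently override an entry that was already accepted.
    """
    peers, rejected, seen, section = [], [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "peers" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        try:
            peer = decode_peer(key, val)
        except ValueError as exc:
            rejected.append((line, str(exc)))
            continue
        if peer.node_id in seen:
            continue
        seen.add(peer.node_id)
        peers.append(peer)
    return peers, rejected


def bootstrap_candidates(peers):
    """Peers worth contacting (or blocking at the perimeter): routable only."""
    return [p for p in peers if p.routable]


if __name__ == "__main__":
    accepted, bad = parse_peer_list(SAMPLE_INI)
    for p in accepted:
        print(f"{p.ip}:{p.port} flag={p.flag} routable={p.routable}")
    for line, why in bad:
        print(f"rejected {line!r}: {why}")
```

Run against the constructed sample, the decoder accepts three peers (one of them on a private address), drops the duplicate ID, and rejects the short entry and the entry with port 0; the routable list is what you would feed to a sinkhole or a blocklist.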

And finally, to get back to the topic of this posting: the fine folks at MW-Blog have just released a removal tool for Storm Worm.

Know your Enemy: Fast-Flux Service Networks

Monday, July 16. 2007
The Honeynet Project & Research Alliance are excited to announce the release of a new paper, "KYE: Fast-Flux Service Networks". This whitepaper details a growing technique within the criminal community called fast-flux networks. This is an architecture that builds more robust networks for malicious activity while making them more difficult to track and shut down. You can learn more at http://www.honeynet.org/papers/ff/index.html. This is the first KYE paper we are releasing in both .pdf and .html format.
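As an added example (not code from the KYE paper or from the Honeynet Project), the following Python sketch applies the properties that characterise fast-flux service networks, short TTLs and many changing A records spread across many networks, to a few constructed lookup series. The usual signal for network spread is ASN diversity; without an offline ASN database the sketch uses the /16 prefix as a stand-in, which is an assumption and noticeably weaker. Function names, thresholds and the sample addresses (RFC 5737 ranges) are illustrative.

```python
"""Flag fast-flux behaviour from repeated A-record lookups of one domain.

Added example, not code from the KYE paper or from the Honeynet Project.
It checks the properties the fast-flux literature describes: short TTLs,
many distinct A records, and address sets that change between lookups and
are spread across many networks. ASN diversity is the usual signal for the
last property; this example uses the /16 prefix as a stand-in, which is an
ASSUMPTION made so that it runs offline.
"""
import ipaddress
from typing import NamedTuple


class Lookup(NamedTuple):
    t: int            # seconds since the first observation
    ttl: int          # TTL of the A records in this response
    addresses: tuple  # A records returned, as dotted-quad strings


def fluxiness(lookups):
    """Summarise a series of lookups into the features a detector looks at."""
    ips, prefixes = set(), set()
    for lk in lookups:
        for a in lk.addresses:
            ips.add(a)
            prefixes.add(ipaddress.ip_network(f"{a}/16", strict=False))
    changes = sum(1 for a, b in zip(lookups, lookups[1:])
                  if set(a.addresses) != set(b.addresses))
    churn = changes / (len(lookups) - 1) if len(lookups) > 1 else 0.0
    return {"unique_ips": len(ips), "prefixes": len(prefixes),
            "min_ttl": min(lk.ttl for lk in lookups), "churn": churn}


def is_fast_flux(lookups, min_ips=5, min_prefixes=3, max_ttl=600, min_churn=0.5):
    """Thresholds are illustrative; tune them against your own resolver logs."""
    f = fluxiness(lookups)
    return (f["min_ttl"] <= max_ttl and f["unique_ips"] >= min_ips
            and f["prefixes"] >= min_prefixes and f["churn"] >= min_churn)


# Constructed observations (RFC 5737 documentation addresses), not real data.
# Flux-like: short TTL, every answer set new, addresses in three networks.
FLUX_DOMAIN = [
    Lookup(0,   300, ("203.0.113.10", "198.51.100.20", "192.0.2.30")),
    Lookup(300, 300, ("203.0.113.11", "198.51.100.21", "192.0.2.31")),
    Lookup(600, 300, ("203.0.113.12", "198.51.100.22", "192.0.2.32")),
]
# Stable hosting: long TTL, the same two addresses every time.
BENIGN_DOMAIN = [
    Lookup(0,    3600, ("203.0.113.50", "203.0.113.51")),
    Lookup(3600, 3600, ("203.0.113.50", "203.0.113.51")),
    Lookup(7200, 3600, ("203.0.113.50", "203.0.113.51")),
]
# CDN-like: short TTL and rotating answers, but all inside one network. This
# is the classic false positive that the network-diversity check is for.
CDN_LIKE = [
    Lookup(0,   60, ("203.0.113.60", "203.0.113.61")),
    Lookup(60,  60, ("203.0.113.62", "203.0.113.63")),
    Lookup(120, 60, ("203.0.113.60", "203.0.113.61")),
]

if __name__ == "__main__":
    for name, obs in (("flux", FLUX_DOMAIN), ("benign", BENIGN_DOMAIN),
                      ("cdn-like", CDN_LIKE)):
        verdict = "fast-flux" if is_fast_flux(obs) else "not flagged"
        print(f"{name}: {fluxiness(obs)} -> {verdict}")
```

The CDN-like series has the same churn as the flux series but only one prefix, which is why it is not flagged; with a real ASN lookup in place of the /16 stand-in, that distinction is the one the paper relies on.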

USENIX Security '07

Wednesday, July 11. 2007
I was a bit busy in the last few weeks, so some time has passed since my last blog entry :-/ Now some updates, first an advertisement for USENIX Security '07:

"Don't miss the 16th USENIX Security Symposium to be held August 6-10, 2007, in Boston, MA.

The 3-day technical conference will kick off on Wednesday, August 8, and includes:

- Keynote address by Steven Levy, Senior Editor and Columnist, Newsweek, on "How the iPod Shuffled the World as We Know It"

- Invited talks featuring our most impressive slate of speakers to date, including:
-- David Dill, Stanford University, on "Computer Security and Voting"
-- Peter Gutmann, University of Auckland, New Zealand, on "Windows Vista Content Protection"

- 23 refereed papers, 1 panel, Work-in-Progress Reports (WiPs), and a poster session on the latest research.

More information: http://www.usenix.org/events/sec07/tech/

Register by July 16 and save up to $300!"