Merry Christmas Storm!

Monday, December 24. 2007
Consistent with previous spam runs, the authors of Storm Worm have now adapted the propagation scheme to the upcoming Christmas holidays. The spam mails contain, for example, the following text:

"This Christmas, we want to show you something you will really enjoy. This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out. hxxp:// merrychristmasdude . com/"

Please note: Do not visit this site, since it contains several exploits for web browsers and common browser plugins.

The website shows "Mrs Clause" and some naughty pictures. The malware binary has the name stripshow.exe and, as usual, its MD5 sum changes every couple of minutes. Quick sandboxing shows that the behaviour of the binary is similar to previous versions of Storm. The domain merrychristmasdude.com uses fast-flux: repeated DNS lookups return different A records for this domain every time. Thus it seems there is nothing really new; only the theme of the propagation mails has changed...

Amun Honeypot

Tuesday, December 11. 2007
Today, Jan Göbel released his tool Amun. The tool is similar to nepenthes and designed to collect samples of autonomously spreading malware. The basic idea is to simulate vulnerable network services and trick an incoming exploitation attempt into believing that the honeypot is a real system.

Amun is implemented in Python, and thus it is quite easy to add additional vulnerability modules. The tool can be downloaded via http://zero.ram.rwth-aachen.de/amun/download.php.
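To illustrate the idea behind such a honeypot, here is an added example, not Amun's code: a minimal low-interaction service emulation in Python. It binds a loopback port, greets every connection with a fabricated banner so an automated exploitation attempt believes it reached a real service, acknowledges whatever the client sends, and stores the complete payload together with its SHA-256 for later analysis. The banner text, the "fakeftp" name and the run_probe() helper are constructed for this example; a real vulnerability module would mimic the protocol of the specific product it emulates.

```python
"""Minimal low-interaction honeypot service.

Added example in the spirit of the nepenthes/Amun idea described in the
post; it is not Amun's code. The server binds a loopback port, greets each
connection with a fabricated banner so an automated exploitation attempt
believes it reached a real service, acknowledges everything the client
sends, and records the complete payload with its SHA-256 for later
analysis. BANNER, the "fakeftp" name and run_probe() are constructed here.
"""
import hashlib
import socket
import socketserver
import threading

BANNER = b"220 fakeftp 1.0 ready\r\n"   # constructed; a real module mimics a specific product
MAX_PAYLOAD = 64 * 1024                 # enough of an exploit to analyse; avoids unbounded buffering


class CapturedHit:
    """One connection: who connected, what they sent, and a hash to dedupe samples."""

    def __init__(self, peer, payload):
        self.peer = peer
        self.payload = payload
        self.sha256 = hashlib.sha256(payload).hexdigest()


class EmulatedService(socketserver.BaseRequestHandler):
    """Plays a vulnerable-looking service: banner first, then 'success' for every command."""

    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)
        chunks, total = [], 0
        try:
            while total < MAX_PAYLOAD:
                data = self.request.recv(4096)
                if not data:          # client finished sending
                    break
                chunks.append(data)
                total += len(data)
                # Report success so the client continues with its exploit sequence.
                self.request.sendall(b"200 OK\r\n")
        except (socket.timeout, ConnectionError):
            pass
        self.server.hits.append(CapturedHit(self.client_address, b"".join(chunks)))


class Honeypot(socketserver.ThreadingTCPServer):
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):   # port 0: let the OS pick a free port
        super().__init__((host, port), EmulatedService)
        self.hits = []                               # CapturedHit objects, newest last


def run_probe(payload):
    """Start a honeypot, connect to it as a client, send payload, return (banner, hits)."""
    server = Honeypot()
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        with socket.create_connection(server.server_address, timeout=5) as c:
            banner = b""
            while not banner.endswith(b"\r\n"):
                banner += c.recv(1024)
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)     # tell the service we are done sending
            while c.recv(4096):            # drain replies until the service closes
                pass
    finally:
        server.shutdown()
        server.server_close()
    return banner, server.hits


if __name__ == "__main__":
    banner, hits = run_probe(b"USER probe\r\nPASS " + b"A" * 600 + b"\r\n")  # constructed probe
    print(banner, len(hits[0].payload), hits[0].sha256)
```

The recorded payload and its hash are what a collector would hand to a sandbox or a signature pipeline; the hash also lets you count how often the same sample hits the honeypot, which is how the post-style observation "the MD5 sum changes every couple of minutes" is made in the first place.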

UCSB iCTF Results

Saturday, December 8. 2007
The 2007 UCSB International Capture The Flag contest finished a few minutes ago. The guys from UCSB organized an awesome contest with seven different services and many interesting challenges. The team from our lab had a lot of fun and, in the end, we scored second place; only the team from Milano (Chocolate Makers) beat us. Looking forward to next year's contest :-)

Info:
The UCSB International Capture The Flag (also known as the iCTF) is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants from both the attack and defense viewpoints.

The Capture The Flag contest is a multi-site, multi-team hacking contest in which a number of teams compete independently against each other.

Each team is given a virtualized network installation (for example, a Linux host and/or a Windows host). The hosts provide a number of services. The services have a number of undisclosed vulnerabilities, which have been included in the servers' software by the contest organizers.

The goal of each team is to maintain the set of services available and uncompromised throughout the contest phase. Each team can (and should) attempt to compromise other teams' services. Since all the teams receive an identical copy of the virtual network, the task of each team is to find vulnerabilities in their copy of the hosts and possibly fix the vulnerabilities without disrupting the services. At the same time, the teams have to leverage their knowledge about the vulnerabilities they found to compromise the servers run by other teams. Compromising a service will allow a team to bypass the service's security mechanisms and to "capture the flag" associated with the service.

During the contest a scoring system keeps track, for each team, of which services are available, and which services have been compromised.

More info: http://www.cs.ucsb.edu/~vigna/CTF/

Real Network Visualization

Friday, December 7. 2007
As a comment to my post on the xkcd comic on network visualization, Jon Oberheide, a researcher from the University of Michigan, pointed me to their version of malware visualization - pretty awesome!

Picture available at http://jon.oberheide.org/malware.jpg

Storm Worm Potpourri

Thursday, December 6. 2007
Storm Worm has been quiet in the last few days; nothing really exciting happened at the honeypots infected with the bot. Many of the spam mails sent by the bot are stock spam messages advertising a certain stock. An example of an attachment sent some time ago is Complaint.pdf, which advertises Score One Inc. (SREA.OB), a small company traded over the counter.

Many of the fast-flux domains used by Storm Worm are currently non-functional; only two seem to resolve:
$ dig yxbegan.com

; <<>> DiG 9.4.1-P1 <<>> yxbegan.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 12, ADDITIONAL: 0

;; QUESTION SECTION:
;yxbegan.com. IN A

;; ANSWER SECTION:
yxbegan.com. 0 IN A 74.134.155.14

;; AUTHORITY SECTION:
yxbegan.com. 172800 IN NS ns13.yxbegan.com.
yxbegan.com. 172800 IN NS ns2.yxbegan.com.
yxbegan.com. 172800 IN NS ns3.yxbegan.com.
yxbegan.com. 172800 IN NS ns4.yxbegan.com.
yxbegan.com. 172800 IN NS ns5.yxbegan.com.
yxbegan.com. 172800 IN NS ns6.yxbegan.com.
yxbegan.com. 172800 IN NS ns7.yxbegan.com.
yxbegan.com. 172800 IN NS ns8.yxbegan.com.
yxbegan.com. 172800 IN NS ns9.yxbegan.com.
yxbegan.com. 172800 IN NS ns10.yxbegan.com.
yxbegan.com. 172800 IN NS ns11.yxbegan.com.
yxbegan.com. 172800 IN NS ns12.yxbegan.com.

;; Query time: 4376 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Thu Dec 6 08:59:53 2007
;; MSG SIZE rcvd: 265

Consecutive lookups return a new A record every time:
yxbegan.com. 0 IN A 69.224.113.183
yxbegan.com. 0 IN A 123.215.78.167
yxbegan.com. 0 IN A 168.188.56.76
yxbegan.com. 0 IN A 220.129.76.210
yxbegan.com. 0 IN A 59.23.185.81
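The lookups above show the three properties a defender keys on when spotting fast-flux: TTL 0 on every answer, a different address on every query, and addresses scattered over unrelated networks. As an added example (not part of the original post), the Python below turns that observation into a small scoring routine over dig-style answer lines. The yxbegan.com records are the ones printed above; the stable.example control records are constructed with a TEST-NET-1 address.

```python
"""Fast-flux heuristics over repeated DNS lookups.

Added example, not code from the original post: it scores a domain as
fast-flux-like when consecutive lookups keep returning different A records
with very low TTLs spread over unrelated networks. The answer lines are in
dig output format; the yxbegan.com records are the ones shown in the post,
the stable.example control records are constructed (TEST-NET-1 address).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class FluxReport:
    domain: str
    lookups: int            # number of lookups performed
    distinct_ips: int       # unique A records seen across all lookups
    distinct_slash16: int   # unique /16 networks those addresses fall into
    max_ttl: int            # largest TTL seen; -1 if no A record matched
    score: int              # how many of the three heuristics fired (0..3)
    fast_flux: bool


def parse_answer_lines(lines):
    """Parse 'name. ttl IN A addr' lines into (name, ttl, addr) tuples.

    Whitespace is collapsed, so tab- and space-separated dig output both
    work. Lines that are not A records (NS, comments, blanks) are skipped.
    """
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        name, ttl, _, _, addr = parts
        ipaddress.IPv4Address(addr)  # raises ValueError on garbage
        records.append((name.rstrip(".").lower(), int(ttl), addr))
    return records


def assess_fast_flux(domain, lookups, ttl_threshold=300, min_lookups=3):
    """Apply three fast-flux heuristics to a series of lookups.

    lookups is a list of answer sections, one per query. Heuristics:
      1. every TTL is at or below ttl_threshold seconds,
      2. at least 80% of lookups returned an address not seen before,
      3. the addresses span three or more /16 networks.
    Two or more firing heuristics over at least min_lookups queries flag
    the domain.
    """
    want = domain.rstrip(".").lower()
    ips, ttls = [], []
    for answer in lookups:
        for name, ttl, addr in parse_answer_lines(answer):
            if name == want:
                ips.append(addr)
                ttls.append(ttl)
    n = len(lookups)
    distinct_ips = len(set(ips))
    slash16 = {str(ipaddress.ip_network(f"{a}/16", strict=False)) for a in ips}
    max_ttl = max(ttls, default=-1)

    score = 0
    if ttls and max_ttl <= ttl_threshold:
        score += 1
    if n and distinct_ips / n >= 0.8:
        score += 1
    if len(slash16) >= 3:
        score += 1
    return FluxReport(want, n, distinct_ips, len(slash16), max_ttl, score,
                      n >= min_lookups and score >= 2)


# Answer sections from the post, one A record per lookup.
STORM_LOOKUPS = [
    ["yxbegan.com. 0 IN A 74.134.155.14"],
    ["yxbegan.com.            0       IN      A       69.224.113.183"],
    ["yxbegan.com. 0 IN A 123.215.78.167"],
    ["yxbegan.com. 0 IN A 168.188.56.76"],
    ["yxbegan.com. 0 IN A 220.129.76.210"],
    ["yxbegan.com. 0 IN A 59.23.185.81"],
]

# Constructed control: a host that always resolves to one address with a day-long TTL.
STABLE_LOOKUPS = [["stable.example. 86400 IN A 192.0.2.10"]] * 6


if __name__ == "__main__":
    for dom, series in (("yxbegan.com", STORM_LOOKUPS), ("stable.example", STABLE_LOOKUPS)):
        print(assess_fast_flux(dom, series))
```

The /16 spread is a crude stand-in for "different ASNs"; with offline data it is the best available proxy, and in a real pipeline you would swap in an ASN lookup. CDNs also rotate addresses with short TTLs, which is why a single heuristic is not enough and the routine requires two of the three to agree.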

More info to follow :)