Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

Friday, January 11. 2008
Together with a few researchers from the Chinese Honeynet Project, we published a paper about capturing autonomous spreading malware with high-interaction honeypots at the 9th International Conference on Information and Communications Security (ICICS 2007) which is now available.

Abstract: Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.

Keywords: Honeypots - Intrusion Detection Systems - Malware

Full Paper: Collecting Autonomous Spreading Malware Using High-Interaction Honeypots (LNCS 4861)

Stock Spam Works - Ralsky Case

Thursday, January 10. 2008
I covered stock spam a couple of times before in this blog. A few days ago, Alan Ralsky (one of the biggest spammers on Earth) was arrested and indicted for his involvement in stock spam. The full indictment is available at the website of Spamhaus (Ralsky Indictment) and it is an interesting read. The indictment describes Ralsky's spam approach and discloses how he and his group made a lot of money by advertising stocks via spam e-mails. It seems that stock spam works.

Measuring the Success Rate of Storm Worm

Thursday, January 3. 2008
Just around Christmas, machines infected with Storm Worm started to send out spam e-mails again. These e-mails contained different kinds of Christmas or New Year's Eve wishes. Within the Storm botnet, such mails are sent to propagate the bot: the botherders hope that innocent users fall for this social engineering trick and click on the link contained in the mail. Once they click on the link, they are redirected to a website which contains a link to the actual Storm binary. This website commonly also contains browser exploits (selected according to the visitor's User-Agent and served only once per IP address) to compromise the web browser of a visitor in order to install the Storm binary.

[Figure: size of Stormnet (number of infected machines online) per day, from a few days before Christmas 2007 until January 3, 2008]

The picture illustrates the success rate of the botnet: the x-axis shows the date, starting a few days before Christmas and ending today. The y-axis represents the number of infected machines within Stormnet, the "encrypted" part of the botnet in which the actual communication is XORed with a 40-byte key. As you can see, in the days before Christmas the size of the botnet was around 5-14 thousand infected machines. However, around Christmas the size grows again due to successful infections of new victims who fell for the social engineering mails. For now, the botnet has peaked at about 40 thousand infected machines online at the same time.

Moreover, the picture also shows a clear diurnal pattern: the size of the botnet changes over the course of each day. This could indicate that a majority of the infected machines are located within a certain region. A closer examination of this phenomenon is necessary.

The actual picture was generated by Moritz Steiner, a colleague of mine with whom I analyze the Storm botnet.

Update: Brandon Enright pointed out that the diurnal pattern could also have other causes and thus I updated this part.

Honeywall CDROM 1.3 beta Published

Thursday, January 3. 2008
After several months of development, a new version of the Honeywall is available. The Honeywall CDROM is a bootable CD that installs onto a hard drive and comes with all the tools and functionality needed to implement data capture, data control, and data analysis.

You can get the ISO image for testing here: http://www.honeynet.org/tools/cdrom/roo/iso/test/roo-1.3.hw-b1.iso

More information about the Honeywall development is available at the public Trac reachable via https://projects.honeynet.org/honeywall