April Fool's Day & Storm

Monday, March 31. 2008
A new "joke" from the Storm Worm botnet right before April Fool's Day.

Consistent with their past behavior of launching new propagation schemes right before dates of national interest (start of the NFL season, Halloween, Christmas Eve, ...), the botnet started to use a new social engineering theme right before April Fool's Day. The websites offer the actual bot binary under three different filenames (foolsday.exe, funny.exe, and kickme.exe), but they seem to be the same binary. I did not observe any drive-by download attack, so it seems they rely solely on social engineering - so don't fall for this hoax :-)

New Capture-HPC release

Sunday, March 30. 2008
A tool announcement:

The Honeynet Project and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington have just released version 2.1 of Capture-HPC, a tool that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from the main Honeynet Project web site at: https://projects.honeynet.org/capture-hpc/wiki. It is written and distributed under the GNU General Public License, v2.

Capture-HPC is a computer security product that allows anyone to: investigate client-side computer attacks; security researchers to find and study malicious servers; virus and malware researchers to collect malware pushed by malicious servers; network administrators to monitor their systems for client-side attacks; and web site operators to monitor their web sites for unauthorized modifications with client-side attack code.

CanSecWest PWN2OWN 2008

Tuesday, March 18. 2008
Announcing CanSecWest PWN2OWN 2008.
===================================

Three targets, all patched. All in typical client configurations with typical user configurations. You hack it, you get to keep it.

Each has a file on them and it contains the instructions and how to claim the prize.

Targets (typical road-warrior clients):
  • VAIO VGN-TZ37CN running Ubuntu 7.10
  • Fujitsu U810 running Vista Ultimate SP1
  • MacBook Air running OSX 10.5.2

This year's contest will begin on March 26th, and go during the presentation hours and breaks of the conference until March 28th. The main purpose of this contest is to present new vulnerabilities in these systems so that the affected vendor(s) can address them. Participation is open to any registered attendee of CanSecWest 2008.

Program for LEET'08 & Storm Paper

Tuesday, March 18. 2008
The tentative program for the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08) is now available.

We also have a paper accepted: "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm"
We still need to revise the paper based on the reviewers' feedback; as a teaser, here is the preliminary abstract:

"Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.
However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms."

CAPTCHA fun

Thursday, March 13. 2008
A few weeks ago, Websense had a story on "Google’s CAPTCHA busted in recent spammer tactics". The basic idea is that the attacker automatically signs up for freemail accounts (e.g., Google or live.com) with the help of certain malware. During the registration process, the attacker needs to solve a CAPTCHA. This can be done, for example, with the help of humans who are paid for this task. Another option is to use humans who want to access a certain service, e.g., a porn website. This is the cheaper option, and presumably also effective. An example of such a CAPTCHA attack is currently available at gift-vip.net. Caution: this is not work-safe; do not open it if you do not want to see adult content. I also created a short movie which illustrates this process. The movie is also available as a .mov and a .swf file.

Thanks a lot Nick FitzGerald for this tip!

[Update]: Please be careful when opening the actual site since it also contains a malicious iframe.

SSAC Advisory on Fast Flux Hosting and DNS

Thursday, March 13. 2008
The Security and Stability Advisory Committee (SSAC) of ICANN released an advisory regarding "Fast Flux Hosting and DNS", in which they detail ICANN's view of FFSNs. Thanks Jose for the heads-up!

Introduction

"Fast flux" is an evasion technique that cyber-criminals and Internet miscreants use to evade identification and to frustrate law enforcement and anticrime efforts aimed at locating and shutting down web sites used for illegal purposes. Fast flux hosting is an application of technology that supports a wide variety of cyber-crime activities (fraud, identity theft, online scams) and is considered one of the most serious threats to online activities today. Basic fast flux hosting uses rapid modification of IP addresses associated with a system that hosts a malicious activity to evade detection and take down efforts. This technique is also used to rapidly modify the IP addresses of the name servers that resolve the domain names of the fluxed malicious hosts (this variant is sometimes called NS fast flux). A particularly troublesome variant of fast flux hosting, "double flux", fluxes addresses of both name servers and malicious (web server) hosts.

This Advisory describes the technical aspects of fast flux hosting and fast flux service networks. It explains how the DNS is exploited to abet criminal activities that employ fast flux hosting, identifying the impacts of fast flux hosting, and calling particular attention to the way such attacks extend the malicious or profitable lifetime of the illegal activities conducted using these fast flux techniques. It describes current and possible methods of mitigating fast flux hosting at various points in the Internet. The Advisory discusses the pros and cons of these mitigation methods, identifies those methods that SSAC considers practical and sensible, and recommends that appropriate bodies consider policies that would make the practical mitigation methods universally available to registrants, ISPs, registrars and registries (where applicable for each).

loads.cc vs. CWSandbox

Wednesday, March 12. 2008
Sunbelt covered the 3D screensaver spam and the background of this scam in some detail. Dancho Danchev also blogged about some details of this incident. And here are my 2 cents:

The file load.exe (MD5: b20e4e725cc86b489ec441b97b728285) drops two files called 0.EXE and 1.EXE which are subsequently executed. 0.EXE creates the two files C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe and C:\WINDOWS\system32\drivers\spools.exe, which are also automatically started via a registry key. Furthermore, the following HTTP requests are sent:

http://195.93.218.25/ld/?&v=driver&d=0
http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0
http://195.93.218.25/m.exe

This IP address belongs to Buildhouse Ltd., located in Russia - a grey hosting provider?
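To show how the behaviour listed above turns into detection logic, here is an added example (my own illustration, not CWSandbox code and not the sandbox's report format): a small triage routine run over a constructed event list that records the dropped files, the autostart entry and the HTTP requests from the post. The event schema and the Run key are assumptions; the post only says the files are started "via a registry key". The check for dropped names that mimic Windows binaries is an extra heuristic of mine, not something the post discusses.

```python
"""Triage of sandbox behaviour events (added example, not CWSandbox code).

EVENTS is a constructed, simplified record of what the post reports for
load.exe; the event schema is an assumption, not the CWSandbox report format.
"""
import re
from urllib.parse import urlparse

EVENTS = [
    {"type": "file_create",
     "path": r"C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe"},
    {"type": "file_create", "path": r"C:\WINDOWS\system32\drivers\spools.exe"},
    # The post says the files are autostarted via a registry key; the exact
    # key is not given, so the Run key below is an assumption.
    {"type": "registry_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\spools",
     "data": r"C:\WINDOWS\system32\drivers\spools.exe"},
    {"type": "http_request", "url": "http://195.93.218.25/ld/?&v=driver&d=0"},
    {"type": "http_request", "url": "http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0"},
    {"type": "http_request", "url": "http://195.93.218.25/m.exe"},
]

# Genuine Windows process names that malware likes to imitate (small, constructed list).
LEGIT_NAMES = {"ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe"}
# Directories where a freshly written .exe deserves attention (lower-cased substrings).
SYSTEM_DIRS = (r"\windows\system32\drivers", r"\local settings\application data")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def levenshtein(a, b):
    """Plain edit distance; short file names make the O(n*m) cost irrelevant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def mimics_system_name(name):
    """True for names within two edits of a real system binary (cftmon.exe ~ ctfmon.exe)."""
    name = name.lower()
    return name not in LEGIT_NAMES and any(levenshtein(name, legit) <= 2 for legit in LEGIT_NAMES)


def triage(events):
    """Return findings, contacted IP-literal hosts, payload URLs and an overall verdict."""
    findings, hosts, payload_urls = [], set(), []
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["path"]
            low = path.lower()
            name = path.rsplit("\\", 1)[-1]
            if low.endswith(".exe") and any(d in low for d in SYSTEM_DIRS):
                findings.append(("dropped_exe", path))
            if mimics_system_name(name):
                findings.append(("lookalike_name", name))
        elif ev["type"] == "registry_set" and r"\currentversion\run" in ev["key"].lower():
            findings.append(("autostart", ev["key"]))
        elif ev["type"] == "http_request":
            u = urlparse(ev["url"])
            # A bare IP address instead of a hostname is a common sign of a
            # hard-coded download/report server.
            if IPV4.match(u.hostname or ""):
                hosts.add(u.hostname)
                findings.append(("ip_literal_c2", ev["url"]))
            if u.path.lower().endswith(".exe"):
                payload_urls.append(ev["url"])
    kinds = {kind for kind, _ in findings}
    verdict = "malicious" if len(kinds) >= 3 else "suspicious" if kinds else "clean"
    return {"findings": findings, "c2_hosts": sorted(hosts),
            "payload_urls": payload_urls, "verdict": verdict}


if __name__ == "__main__":
    result = triage(EVENTS)
    print(result["verdict"], result["c2_hosts"], result["payload_urls"])
    for kind, detail in result["findings"]:
        print(f"  {kind}: {detail}")
```

The verdict counts distinct kinds of finding rather than raw hits, so three beacons to the same IP do not by themselves outweigh a single dropped file; for this sample the combination of dropped executables, look-alike names, an autostart entry and IP-literal HTTP traffic is what makes the call.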

More complete info: cwsandbox.org.

NDSS'08 Presentation

Wednesday, March 12. 2008
Yesterday I forgot to post the link to my presentation :-/
The presentation I gave at NDSS'08 is available at http://honeyblog.org/junkyard/paper/08_ff_NDSS.pdf. If you have comments or questions, please let me know!

"Measuring and Detecting Fast-Flux Service Networks"

Tuesday, March 11. 2008
One of the projects at our lab focuses on fast-flux service networks (FFSNs), a mechanism used by attackers to build an overlay network on top of compromised machines. FFSNs are for example used to host scam pages or malicious content. Our findings were published in a paper at NDSS'08. The full paper has also been available for a couple of weeks.

Abstract:
We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely-known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Considering our detection technique we also discuss possible mitigation strategies.
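As an added illustration of both the SSAC advisory's description of fast flux and double flux (earlier on this page) and the detection metric mentioned in the abstract, here is a toy scorer of my own; it is not the paper's code and the weights and threshold are constructed placeholders, not the paper's fitted values. It assumes an IP-to-ASN table (constructed inline) and a few DNS snapshots for two constructed domains: one that looks like a CDN, and one that rotates both web server and name server addresses. The point it makes is that counting addresses alone is not enough, since CDNs also hand out many addresses with short TTLs; counting the distinct networks those addresses come from is what separates the two.

```python
"""Fast-flux scoring over DNS snapshots (added example; not the paper's code)."""
from dataclasses import dataclass, field

# Constructed IP -> ASN table standing in for a real BGP or whois lookup.
IP_TO_ASN = {
    "10.1.1.5": 64501, "10.1.1.6": 64501, "10.1.1.7": 64501,
    "10.1.1.8": 64501, "10.1.1.9": 64501,
    "192.0.2.10": 64502, "192.0.2.77": 64503, "192.0.2.150": 64509,
    "198.51.100.4": 64504, "198.51.100.9": 64505,
    "203.0.113.8": 64506, "203.0.113.200": 64507, "203.0.113.42": 64508,
}


@dataclass
class Lookup:
    """One DNS answer for the domain: A records, their TTL, and the IPs of its name servers."""
    a_records: list
    ttl: int
    ns_ips: list = field(default_factory=list)


@dataclass
class Verdict:
    n_a: int            # unique A records seen over all lookups
    n_asn: int          # unique ASNs those addresses fall into
    fluxiness: float    # n_a divided by the number of A records in a single answer
    score: float
    double_flux: bool   # name server addresses changed between lookups
    is_fast_flux: bool


# Placeholder weights and threshold (assumption, not the paper's fitted values).
# The ASN term is weighted far more than the address count: a CDN rotates many
# addresses too, but inside one or two networks, whereas a flux network of
# compromised home machines spans many unrelated ASNs.
W_A, W_ASN, THRESHOLD = 1.0, 5.0, 20.0


def analyse(lookups):
    """Score a series of lookups of one domain. TTL is kept for reference only;
    short TTLs are common to both CDNs and flux networks, so it is not scored."""
    if not lookups:
        raise ValueError("need at least one lookup")
    all_ips = {ip for lk in lookups for ip in lk.a_records}
    n_a = len(all_ips)
    # Unknown addresses map to None and therefore share one "unknown" bucket.
    n_asn = len({IP_TO_ASN.get(ip) for ip in all_ips})
    n_single = len(set(lookups[0].a_records))
    fluxiness = n_a / n_single
    score = W_A * n_a + W_ASN * n_asn
    # Double flux: the name servers themselves resolve to changing addresses.
    ns_views = {frozenset(lk.ns_ips) for lk in lookups if lk.ns_ips}
    double_flux = len(ns_views) > 1
    return Verdict(n_a, n_asn, fluxiness, score, double_flux, score >= THRESHOLD)


# Constructed snapshots: a CDN-like benign domain and a double-flux domain.
CDN_LOOKUPS = [
    Lookup(["10.1.1.5", "10.1.1.6"], ttl=20),
    Lookup(["10.1.1.7", "10.1.1.8"], ttl=20),
    Lookup(["10.1.1.5", "10.1.1.9"], ttl=20),
]
FLUX_LOOKUPS = [
    Lookup(["192.0.2.10", "198.51.100.4", "203.0.113.8"], ttl=300, ns_ips=["203.0.113.8"]),
    Lookup(["192.0.2.77", "198.51.100.9", "203.0.113.200"], ttl=300, ns_ips=["192.0.2.77"]),
    Lookup(["203.0.113.42", "192.0.2.150", "192.0.2.10"], ttl=300, ns_ips=["192.0.2.77"]),
]

if __name__ == "__main__":
    for label, lookups in (("cdn-like", CDN_LOOKUPS), ("flux", FLUX_LOOKUPS)):
        print(label, analyse(lookups))
```

Note that the CDN-like domain has a fluxiness of 2.5, higher than one might expect for a benign name, and still scores low because every address sits in the same ASN; the flux domain scores high on both counts and additionally trips the double-flux check because its name server addresses change between answers.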

Full paper

Postcards from Storm

Monday, March 3. 2008
Storm Worm changed its propagation scheme again. It now sends out spam mails pointing to fake "ecards". The spammed site contains just an image and points to a binary called postcard.exe. A quick analysis shows that the core functionality has not changed at all.