Mail Problems

Thursday, June 5. 2008
The mail server of our university is down since more than two days (sic!). I'm wondering how many mails I have lost up to now and what kind of interesting information did not reach me... If you want to reach me, please use the Gmail account. On the other hand: no distracting e-mails and lots of time to write papers. The ACSAC deadline is next Sunday, presumably I have a paper ready until then :)
Posted by Thorsten Holz in general at 20:59 | Comments (0) | Trackbacks (0)

OECD Report on Malware

Wednesday, June 4. 2008
A few days ago, the OECD published a report entitled "Malicious Software (Malware): A Security Threat to the Internet Economy". It provides a high-level overview of current threats in the area of malware and is a nice read.

Excerpt: "This report, developed in collaboration with experts, aims to inform policy makers about malware impacts, growth and evolution, and countermeasures to combat malware. It seeks to analyse some of the main issues associated with malware and to explore how the international community can better work together to address the problem. Highlights include the following:
  • Spam has evolved from a nuisance to a vehicle for fraud to a vector for distributing malware. Malware, in the form of botnets, has become a critical part of a self sustaining cyber attack system. The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay "below the radar" of the security and law enforcement communities.

  • The effectiveness of current security technologies and other protections in detecting and containing malware is challenged by the shrinking of the time between the discovery of vulnerabilities in software products and their exploitation.

  • [...]

  • Current response and mitigation are mainly reactive. There is a need for more structured and strategic co-ordination at national and international levels with involvement of all actors to more adequately assess and mitigate the risk of malware.

  • No single entity has a global understanding of the scope, trends, development and consequences of malware and thus the overall malware problem is difficult to quantify. Data on malware are not consistent and terminology for cataloguing and measuring the occurrence of malware is not harmonised.

  • Although its economic and social impacts may be hard to quantify, malware used directly or indirectly can harm critical information infrastructures, result in financial losses, and plays a role in the erosion of trust and confidence in the Internet economy."

A similar report was published a few months ago by ENISA: "Security Economics and The Internal Market" (Authors: R. Anderson, R. Böhme, R. Clayton, and T. Moore) - definitely worth reading!
Posted by Thorsten Holz in paper at 01:17 | Comments (0) | Trackbacks (0)

Storm Worm Dead?

Tuesday, June 3. 2008
The Internet Storm Center had today a story about a "New Stormworm download site". The Storm Worm botnet is thus still live and propagating. However, the size of the botnet is decreasing significantly: Currently, only about 8.2K hosts are online within the network (based on measurement results with the crawler presented in the LEET'08 paper). Compared to the size a few months ago (40K in January, even more a few months earlier), this is a strong decrease. Will the botnet thus become obsolete in the near future?

The CWSandbox analysis of the Storm Worm sample loveyou.exe (MD5: 0679c17b9072d378cb0a39272fed98f5) shows the typical signs of a Storm sample: It first drops a file called C:\WINDOWS\farkrish.exe and also the typical peer-list:

H:\WINDOWS\farkrish.config [peers] 000011213D362D29747E07640874096F = C933DDCB2E6E00
H:\WINDOWS\farkrish.config [peers] 01006C75C1523825A27A642FD05F6859 = BDA2AF3A4A3600
H:\WINDOWS\farkrish.config [peers] 02003727703C8435FA41B70F977E6055 = 53C8003932CD00
H:\WINDOWS\farkrish.config [peers] 0300B623D3499048CC4BB30B5857C959 = C86E5D666A2C00
H:\WINDOWS\farkrish.config [peers] 04000A4C7B4BBC41AE5B6B486A00F613 = 7B11B24647B600
H:\WINDOWS\farkrish.config [peers] 05002744C35A572A932662411A117715 = 7B150612413A00
H:\WINDOWS\farkrish.config [peers] 06000772D412A4727D1B415B7A73F450 = 183C4148226F00
H:\WINDOWS\farkrish.config [peers] 07000600822E65796C39356C6E3C750E = 7B12A2E745FA00
H:\WINDOWS\farkrish.config [peers] 0800F81A9A4D644D6566FC73591C0B5F = C925ECC4375C00
H:\WINDOWS\farkrish.config [peers] 090007168A1C884C2D60D12FD900D86E = 7D19C551116E00
H:\WINDOWS\farkrish.config [peers] 0A00C95E9909F25F7844635C9D0FAD62 = BDA663FA77E400
H:\WINDOWS\farkrish.config [peers] 0B00364A9F3CC648DC1EE87E0E022E70 = 53CB22366F8D00
H:\WINDOWS\farkrish.config [peers] 0C00C65A0A69484DDF47D724A81F3B52 = A007E95F321F00
H:\WINDOWS\farkrish.config [peers] 0D00DE0895137F5AC2376814D6415F4D = 40FEB3F7645700
H:\WINDOWS\farkrish.config [peers] 0E007A157B4A305BD352D1039829B24C = 43954E9F0F4D00
H:\WINDOWS\farkrish.config [peers] 0F00042A5F72C81BD16DDB4B7A38DD14 = 3EFBBF4273AC00
H:\WINDOWS\farkrish.config [peers] 1000A535661B0414FA6556507D75880A = CBDA9AA318CD00
H:\WINDOWS\farkrish.config [peers] 1100556AD128A56385603C71BF3A3476 = 4421178C717600
H:\WINDOWS\farkrish.config [peers] 12000A1B5609B740B609833F2C11B212 = C93AE62B6AFA00
H:\WINDOWS\farkrish.config [peers] 1300907BD345E730C048E311A3705B21 = 539C8C79473500
H:\WINDOWS\farkrish.config [peers] 1400FA75B31AF97F4564B80F49060C72 = 477196302BC400
H:\WINDOWS\farkrish.config [peers] 1500D1510455D5005746601F4E4A584F = BD9C1C33213F00
[...]

Besides this, farkrish.exe is allowed to access the network and the infected machines syncs the time via NTP. The content of the UDP packets that are sent out have the same structure as always:
0000     10 a6 e6 22 f9 ca cc b0 2d a2 8c c7 de 57 ba 53

0010     5e c5 e5 a6 17 02 48 31 46
Thus it seems that there are no major changes in this new update release.
Posted by Thorsten Holz in malware at 11:59 | Comments (0) | Trackbacks (0)
« previous page   (Page 2 of 2, totaling 8 entries)