malware

Low-interaction honeypots like Nepenthes or Amun are good at capturing autonomous spreading malware that propagates via exploiting vulnerabilities in network services: by emulating specific vulnerabilities, these honeypots trick malware into exploiting the honeypot and we can capture a copy of the malware.
These honeypots also allow us to observe outbreaks of new malware samples: since quite many people run Nepenthes or Amun nowadays and also send the samples to cwsandbox.org for automated malware analysis, we can correlate the submissions of many different sensors at a central location. For example, we received the malware sample with MD5 sum cb032b12af742555e60124f6d7d2d2ea from a total of 57 different sensor at the timestamps depicted below:

Timestamp               Filename

2008-01-10 19:36:25     grospolinacb032b12af742555e60124f6d7d2d2eauLa1AA

2008-01-10 22:11:47     nepenthescb032b12af742555e60124f6d7d2d2easBj96A

2008-01-11 00:03:32     nepenthescb032b12af742555e60124f6d7d2d2easm4aaA

2008-01-11 00:18:58     nepenthescb032b12af742555e60124f6d7d2d2eaA

2008-01-11 00:22:22     nepenthescb032b12af742555e60124f6d7d2d2eayK4gcQ

2008-01-11 00:22:56     nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA

2008-01-11 00:34:36     nepenthescb032b12af742555e60124f6d7d2d2eaf92wA

2008-01-11 00:44:56     nepenthescb032b12af742555e60124f6d7d2d2eaBmLfOg

2008-01-11 00:45:09     nepenthescb032b12af742555e60124f6d7d2d2eagv4WoQ

2008-01-11 00:53:59     nepenthescb032b12af742555e60124f6d7d2d2eaOewZcA

2008-01-11 01:11:01     nepenthescb032b12af742555e60124f6d7d2d2eaQANtUA

2008-01-11 01:56:59     nepenthescb032b12af742555e60124f6d7d2d2eaeEtIA

2008-01-11 04:48:11     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-01-11 05:32:44     nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA

2008-01-11 06:35:31     nepenthescb032b12af742555e60124f6d7d2d2eaf0fA

2008-01-11 08:21:13     nepenthescb032b12af742555e60124f6d7d2d2eaze0fA

2008-01-11 08:49:09     nepenthescb032b12af742555e60124f6d7d2d2eaSu4fA

2008-01-11 09:25:49     nepenthescb032b12af742555e60124f6d7d2d2eaanj2kA

2008-01-11 09:41:40     nepenthescb032b12af742555e60124f6d7d2d2eaJ8ZcA

2008-01-11 12:00:10     cb032b12af742555e60124f6d7d2d2ea

2008-01-11 13:42:14     nepenthescb032b12af742555e60124f6d7d2d2ea1E4a6A

2008-01-11 14:15:43     nepenthescb032b12af742555e60124f6d7d2d2eaSHkgA

2008-01-11 14:37:06     grospolinacb032b12af742555e60124f6d7d2d2eamKgfA

2008-01-11 14:38:37     nepenthescb032b12af742555e60124f6d7d2d2eabGhXGQ

2008-01-11 18:30:29     nepenthescb032b12af742555e60124f6d7d2d2eaMPofKg

2008-01-11 18:39:25     nepenthescb032b12af742555e60124f6d7d2d2eaGSGoWQ

2008-01-11 20:33:26     nepenthescb032b12af742555e60124f6d7d2d2eab0fA

2008-01-12 04:19:46     nepenthescb032b12af742555e60124f6d7d2d2eauJQiA

2008-01-12 12:12:12     nepenthescb032b12af742555e60124f6d7d2d2eaGDoqMQ

2008-01-12 14:32:15     nepenthescb032b12af742555e60124f6d7d2d2eaSIUgA

2008-01-13 20:37:45     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-01-14 17:38:54     nepenthescb032b12af742555e60124f6d7d2d2eaQ8fA

2008-01-14 22:26:54     grospolinacb032b12af742555e60124f6d7d2d2ea2rqiGw

2008-01-15 06:27:12     nepenthescb032b12af742555e60124f6d7d2d2eaM0sA

2008-01-15 09:32:40     nepenthescb032b12af742555e60124f6d7d2d2eaM0sA

2008-01-18 10:20:58     nepenthescb032b12af742555e60124f6d7d2d2eaKEuA

2008-01-19 02:10:38     nepenthescb032b12af742555e60124f6d7d2d2eagfofkA

2008-01-20 05:37:39     nepenthescb032b12af742555e60124f6d7d2d2eaxeoZcA

2008-01-25 09:43:36     nepenthescb032b12af742555e60124f6d7d2d2eaLvAfA

2008-01-29 15:36:08     nepenthescb032b12af742555e60124f6d7d2d2eaBxofsA

2008-01-29 20:47:39     nepenthescb032b12af742555e60124f6d7d2d2eaJ00A

2008-02-01 18:48:12     nepenthescb032b12af742555e60124f6d7d2d2eaEcoA

2008-02-02 12:24:22     nepenthescb032b12af742555e60124f6d7d2d2eawcUgLg

2008-02-02 19:35:56     cb032b12af742555e60124f6d7d2d2ea

2008-02-07 13:59:24     cb032b12af742555e60124f6d7d2d2ea.dat

2008-02-08 15:48:30     nepenthescb032b12af742555e60124f6d7d2d2eaGfoWA

2008-02-14 14:14:03     cb032b12af742555e60124f6d7d2d2eacb032b12af742555...2ea

2008-02-21 14:20:01     nepenthescb032b12af742555e60124f6d7d2d2eaWN0fA

2008-02-28 16:56:53     nepenthescb032b12af742555e60124f6d7d2d2eaoexA

2008-03-03 15:15:39     nepenthescb032b12af742555e60124f6d7d2d2eaA

2008-03-11 02:56:00     nepenthescb032b12af742555e60124f6d7d2d2eaAfA

2008-03-14 11:11:51     nepenthescb032b12af742555e60124f6d7d2d2eaJgfA

2008-03-15 17:31:37     nepenthescb032b12af742555e60124f6d7d2d2eaGGYnA

2008-03-20 10:55:43     nepenthescb032b12af742555e60124f6d7d2d2eacb032b1...2ea

2008-03-20 17:05:07     nepenthescb032b12af742555e60124f6d7d2d2eaoflA

2008-03-31 12:12:02     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-04-07 07:06:12     nepenthescb032b12af742555e60124f6d7d2d2eaxMUg3A

2008-04-08 02:37:22     cb032b12af742555e60124f6d7d2d2ea

Each timestamp depicts the first point in time where the specific sensor captured a copy of the malware. As you can see, the malware outbreak happened presumably at January 10, 2008. From then on, honeypot sensors all around the world captured a copy of this specific bot. The CWSandbox report contains more detailed information about the botnet, e.g.:

• The bot creates a file named C:\WINDOWS\system32\explorer.exe, which is a copy of itself


• It creates a run key for the Windows registry such that the bot is started again after a reboot


• The C&C server is located at the IP address 67.43.232.36 and listens on the TCP port 8080


• C&C channel is #wawa and the command issued by the botmaster at the time of analysis is: ipscan s.s.s dcom2 -f -s

A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper to the webinterface of cwsandbox.org - stay tuned :)

Björn Weiland recently sent me a few graphs with interesting observations he made when tracking the Storm Worm botnet as part of his thesis on detection of advanced botnets.
The first graph visualizes the network communication of a Storm sample when executed on a machine with a private IP address. In that configuration, the bot typically sends out spam e-mails or participates in distributed denial-of-service attacks. The x-axis shows the time, while the y-axis shows the UDP/TCP destination port number the bot communicates on:


The graph shows that the bot first uses NTP to synchronize the clock of the victim's machine. Afterwards, it contacts many other machines, typically on TCP ports < 33.789 (strange port number?!?). After a few minutes, it also starts with spamming (lots of connections on TCP port 25). What is interesting are all the communications that happen on higher port numbers: we can, for example, identify an IP address hosted at Intercage. This IP address is part of the static backend of the botnet. In addition, an IP address related to the University of California in San Diego (UCSD) sticks out, presumably related to their Storm Worm research. I'm not yet sure what all the other IP addresses mean, but presumably all of them are also suspicious and somehow related to the botnet.

The second graph shows the network communication of a sample executed on a machine with a public IP address. In this configuration, the bot is typically used to relay messages or host services related to the botnet. Again, the x-axis depicts a timeline, whereas the y-axis show the TCP / UDP destination port number:


Here we can observe a completely different pattern compared to the first graph. Overall, the full port range is used, with some more dense and some more sparse parts. We can also observe more TCP communication and also quite a lot communication on TCP port 80, which is related to the web sites hosted by the botnet.

The port range between destination port 50,000 and 51,000 is far more dense compared to lower / higher ports as the following figure shows:

This port range is commonly used for RTP / RTCP as defined in RFC 4504 - presumably just a coincidence for Storm Worm.

Does anybody have an explanation for the distribution of destination ports used by Storm Worm? And thanks a lot to Björn for the permission to publish the figures!

The Storm Worm botnet changed the propagation theme again and now uses a social engineering theme that builds on the weak US dollar and the ongoing financial crisis:


The text above the picture reads:

The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

From a technical point, nothing seems to change compared to previous versions of the binary. In the last few days, our crawler measured an effective size (i.e., how many bots are online at the moment) of the botnet between six and ten thousand machines. In total, the botnet is still bigger, we observe high churn rates between different crawls.

Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed at my side, we decided to simply publish all the data such that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:

• storm-qavoter.com.log: dig lookups for domain used by the Storm Worm botnet which uses fast-flux techniques


• asprox-damnec-hydra.log: dig lookups for Asprox/Damnec botnet which also uses fast-flux techniques


• lookups-ff: dig lookups for fast-flux domains, confirmed manually


• lookups-spam: dig lookups for various domains found in spam e-mails


• lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa


• lookups-ndss: part of the domains used for the NDSS paper


• lookups-ndss-ff: suspected fast-flux domains from NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)