IT Underground: Fast-Flux Service Networks

Friday, October 31. 2008
On Tuesday, I gave a presentation at IT Underground on fast-flux networks. The presentation is a summary of the work we did recently on different aspects of fast-flux networks and includes aspects we published at Malware'08 and NDSS'08.

All slides are also available. And if you want to learn more about fast-flux networks: some time ago, we published the data we collected during our study to foster research in this area.

During the panel discussion of the conference, the topic of bad registrars and co-location providers came up. I was criticized for my opinion that social pressure can work, but it was good to see that on the same day ICANN terminated the Registrar Accreditation Agreement (RAA) for EstDomains. The following correspondence, available at http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf, states:
Dear Mr. Tsastsin:

Be advised that the Internet Corporation for Assigned Names and Numbers (ICANN) Registrar Accreditation Agreement (RAA) for EstDomains, Inc. (customer No. 919, IANA No. 943) is terminated.


Call for Paper: 2nd Workshop on Large-scale Exploits and Emergent Threats (LEET '09)

Thursday, October 9. 2008
The Call for Papers for the Second USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '09) has been available for a couple of days. I am very proud to be one of the members of the program committee and hope that some readers of this blog also submit a paper to the workshop. LEET '09 will focus - similar to last year's workshop - on the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, and the social and economic networks driving these threats.

Important dates:
  • Paper submissions due: January 16, 2009, 11:59 p.m. EST

  • Notification to authors: March 2, 2009

  • Final papers due: March 30, 2009

  • Workshop: April 21, 2009 - Boston, MA, USA

The workshop will be held immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.

Overview:
As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive medium for online criminal enterprise. Today, widespread vulnerabilities in both software and user behavior allow miscreants to compromise millions of hosts (worms, viruses, drive-by exploits, etc.), conceal their activities with sophisticated system software (rootkits), and manage these resources via a distributed command and control framework (botnets). This platform in turn provides economies of scale for a wide range of criminal activities including spam, phishing, DDoS, click fraud, and so on.

MALWARE'08: "As the Net Churns: Fast-Flux Botnet Observations"

Tuesday, October 7. 2008
Together with Jose Nazario, I published a paper about fast-flux botnet observations at the 3rd International Conference on Malicious and Unwanted Software (Malware 2008). The paper contains information about different aspects of fast-flux service networks collected with the help of ATLAS, Arbor's Active Threat Level Analysis System. For several months now, ATLAS has had the capability to monitor fast-flux service networks, and a live view of the collected information is available at http://atlas.arbor.net/summary/fastflux.

Abstract:
While botnets themselves provide a rich platform for financial gain for the botnet master, the use of the infected hosts as webservers can provide an additional botnet use. Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques change the mapping of the domain name to different bots within the botnet with constant shifting, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins.
Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for. To address this gap in understanding, we have been mining live traffic to discover new fast-flux domains and then tracking those botnets with active measurements for several months. We have identified over 900 fast-flux domain names from early to mid 2008 and monitored their use across the Internet to discern fast-flux botnet behaviors. We found that the active lifetimes of fast-flux botnets vary from less than one day to months, that domains used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime including pharmacy sites, phishing and malware distribution, and that we can identify distinct botnets across multiple domain names. We support our findings through an in-depth examination of Internet-scale data continuously collected for hundreds of domain names over several months.
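The abstract describes fast-flux as a domain whose A records keep shifting across many unrelated hosts while the bots relay to a hidden back end. The following added example (my own illustration, not code from the paper or from ATLAS) shows the kind of passive heuristic that turns repeated DNS lookups into fast-flux candidates for further active measurement; the domain names, IP addresses, TTLs and thresholds are all constructed, and a /16 prefix is used as a crude stand-in for network diversity because no ASN database is assumed.

```python
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed snapshots: each entry is (TTL in seconds, A records) as a resolver
# would return them on successive lookups of the same name. Names are invalid
# on purpose; the addresses come from the RFC 5737 documentation ranges.
CONSTRUCTED_LOOKUPS: Dict[str, List[Tuple[int, List[str]]]] = {
    "flux.example.invalid": [
        (300, ["203.0.113.7", "198.51.100.22", "192.0.2.45"]),
        (300, ["198.51.100.140", "203.0.113.91", "192.0.2.200"]),
        (300, ["192.0.2.9", "203.0.113.150", "198.51.100.77"]),
    ],
    "static.example.invalid": [
        (86400, ["192.0.2.10", "192.0.2.11"]),
        (86400, ["192.0.2.10", "192.0.2.11"]),
        (86400, ["192.0.2.11", "192.0.2.10"]),
    ],
}


def flux_features(lookups: List[Tuple[int, List[str]]]) -> Dict[str, int]:
    """Aggregate the A records of several lookups into flux-relevant counts."""
    ips = set()
    prefixes = set()  # distinct /16 networks, a stand-in for AS diversity
    for _ttl, records in lookups:
        for record in records:
            ip = ip_address(record)
            ips.add(ip)
            prefixes.add(int(ip) >> 16)
    return {
        "lookups": len(lookups),
        "unique_ips": len(ips),
        "unique_prefixes": len(prefixes),
        "min_ttl": min(ttl for ttl, _records in lookups),
    }


def is_flux_candidate(features: Dict[str, int], max_ttl: int = 1800,
                      min_ips: int = 5, min_prefixes: int = 3) -> bool:
    """Short TTL plus many hosts spread over many networks marks a candidate.

    The thresholds are illustrative. Legitimate CDNs show a similar DNS
    footprint, so hits are input for active measurement (does the host relay
    to a back end? is it a residential address?), not a verdict on their own.
    """
    return (features["min_ttl"] <= max_ttl
            and features["unique_ips"] >= min_ips
            and features["unique_prefixes"] >= min_prefixes)


def classify_all(lookups_by_domain: Dict[str, List[Tuple[int, List[str]]]]) -> Dict[str, bool]:
    """Return {domain: candidate?} for every monitored name."""
    return {name: is_flux_candidate(flux_features(lk)) for name, lk in lookups_by_domain.items()}
```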

The full paper is now available. Unfortunately I cannot attend MALWARE'08, which takes place today and tomorrow, but I hope everyone has a good time at the conference!

IMF'08: "Reconstructing People's Lives: A Case Study in Teaching Forensic Computing"

Thursday, October 2. 2008
Last week I attended the 4th International Conference on IT Incident Management & IT Forensics (IMF'08), which took place in Mannheim, Germany. IMF's focus is on different aspects of forensics, and the program was a mix of academic and industry talks. The invited talks in particular were interesting; my personal highlight was FX's talk on router forensics (the slides from a similar talk at BlackHat DC are available at Recurity Labs).

Together with Felix Freiling and Martin Mink, I had a paper at IMF about the lessons we learned when teaching IT forensics at our university. The paper is now available and presents some of the high-level findings.
At our lab, we regularly offer a lecture on IT forensics that deals with the principles of forensics, file system analysis, live analysis, and similar topics. Last time we had two main exercises: filesystem forensics on a prepared floppy disk and some hard disks we bought at eBay, and a live analysis of a compromised honeypot. All slides used during the lecture on IT forensics are available at the website of our lab. Perhaps we can also publish more material (e.g., the exercises we used during the lecture), I need to check this...
We also regularly offer a lab on practical aspects of IT security, and last time we also included a part on forensics. In these exercises the students had to analyze used hard disks, flash drives, and mobile phones.

More information about these lectures and labs is available in the IMF'08 paper.