25C3: "Banking Malware 101" Slides

Tuesday, December 30. 2008
The slides I used for my presentation at the 25th Chaos Communication Congress (25C3) are now available for download. The presentation was also recorded and should be available in the next few days at http://ftp.ccc.de/congress/25c3/pre-release/. The congress was a lot of fun, unfortunately I had to leave earlier...

An interesting presentation is scheduled for today at 15:15 CET: Jacob and Alex talk about Making the theoretical possible. Not many details are available (see the "abstract" at the left-hand side), but it seems like they found something big that basically affects everyone. Rumors are that they broke a Root CA key that is included in major browsers - the truth will be revealed in a couple of hours...
Posted by Thorsten Holz in honeynets, malware at 11:47 | Comments (0) | Trackbacks (0)

Client-Side Honeypots

Wednesday, December 17. 2008
A client-side honeypot is a type of honeypots that is designed to collect information about client-side attacks. Typically such a honeypot uses Internet Explorer and continuously surfs the Web in an automated way. During the surfing, the system activity is closely monitored for changes such a new files on the hard disk or new processes since such changes indicate a successful drive-by download. In such a case, a malicious website has compromised the web browser by just visiting the site. Examples of client-side honeypots are Capture-HPC and the MITRE Honeyclient.

We run several client-side honeypots in our lab and find new malicious website frequently. At the moment, we find quite often sites that use malicious PDF files to exploit our browser. In such an attack, a vulnerability in the Adobe Acrobat Reader is exploited in order to execute code on the victim's machine. To illustrate such an exploit, I created a quick movie that shows a live exploit. In the future, I hope to cover client-side exploits more frequently. With exploits such as the current MS08-078 vulnerability I'm sure that we will observe more malicious sites in the future...
Posted by Thorsten Holz in honeynets, malware at 21:18 | Comments (2) | Trackbacks (0)

Old Entries / Honeypot Presentation

Tuesday, December 2. 2008
admin
Getting the old entries back is not as easy as expected :-/ I'm currently busy with my thesis (I hope to finish by the end of the year...) and thus I have not much time to focus on the blog, sorry. But I will start with new blog entries and later on add the old entries once I have a bit more time.

In the meantime: I recently did a lecture on honeypots at the University of Mannheim that provides an introduction to different kinds of honeypots and honeynets. The slides are 5 MB in size and now available in PDF format.

Posted by Thorsten Holz in admin, honeynets at 11:12 | Comments (0) | Trackbacks (0)

Hardware failure

Monday, December 1. 2008
admin
Due to a broken hard disk, this blog was offline for a few days :-(

The system is now up and running again, but it will take some time until everything works as expected. So stay tuned, I hope to fix everything in the next few days.
Posted by Thorsten Holz in admin, honeynets, malware, paper at 16:21 | Comment (1) | Trackback (1)
(Page 1 of 1, totaling 4 entries)