honeyblog

A few weeks ago, I blogged about our paper "Walowdac – Analysis of a Peer-to-Peer Botnet". The paper provides an overview of the Waledac botnet and its specific aspects compared to Storm Worm and similar peer-to-peer botnets. The paper also contains some measurement results for the botnet like the typical number of online bots and similar statistics.

In the last couple of days, the situation changed a bit: we worked on an active takedown of the botnet together with experts from Microsoft, Shadowserver, the University of Mannheim, University of Bonn, University of Washington, Symantec and others. The operation is know within Microsoft as "Operation b49" and involved domain takedowns and additional technical countermeasures. Microsoft also did some fantastic work on the legal side, the complaint filed by Microsoft ("Microsoft Corporation v. John Does 1-27, et. al.") is available online. As a result, the communication infrastructure of Waledac has been disrupted to a certain extent and the botmaster can effectively not send commands to the bots. The Waledac Tracker by sudosecure.net also shows a nice decline in the number of bots for the last few days. Note, however, that the infected machines are still up and running, thus some clean-up at that side is still necessary...

You can read more about the story in a blog post by Microsoft: "Cracking Down on Botnets". And I will update the blog with new information once we start to analyze the collected data...

In the last couple of months, we have worked on a technique to de-anonymize users based on the way they interact with social networks. The idea behind our attack is the fact that the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user. This means that there are only a few (or in the best case only one) users of a social network that are a member of exactly the same groups.

The attack scenario is the following: a malicious website wants to de-anonymize a user, i.e., find out the real name and identity of a visitor. The attack is implemented in two phases. In a first phase, we crawl the groups of a social network to determine the members of the different groups. This is our database from which we can generate a group fingerprint per user. In the second phase, we use the well-known technique of history stealing to probe the browser's history for links to group, thus determining the group fingerprint of the visitor. Wen can then compare this fingerprint to our database and de-anonymize the visitor. Even when unique identification is not possible, then the attack might still significantly reduce the size of the set of candidates that the victim belongs to.

As a proof-of-concept, we implemented the attack for XING, a well-known "Social Network for Business Professionals". Please note that this attack is not specific to XING or any other social network - it is generally applicable to different kinds of modern web applications that contain unique links for user that can be probed via history stealing. We crawled the ~7000 public groups of XING and found about 1.8 million members that belong to at least one group. These users are vulnerable to our attack and we have a demo website to participate in our experiment. Note that this test is only successful if you are a member of XING and a member of at least one group. If you regularly participate in groups the chances are higher that we can successfully de-anonymize you :-)

The following pictures show the different stages of the proof-of-concept attack:


We have published a technical report that summarizes our preliminary results at http://www.iseclab.org/papers/sonda-TR.pdf. In the next couple of weeks, we will finish the work on the paper and present our results at the 31st IEEE Symposium on Security & Privacy in May. A demo of the attack is available at http://www.iseclab.org/people/gilbert/experiment/.