"Studying Aspects of the Underground Economy"

Wednesday, January 20. 2010
Today I gave a talk at the International Computer Science Institute (ICSI) that focussed on some of the research I did in the past year. The slides are now available.

Abstract:
With the growing digital economy, it comes as no surprise that criminal activities in digital business have lead to a digital underground economy. Because it is such a fast-moving field, tracking and understanding this underground economy is difficult and most information in this area is vague. In this talk, we discuss several approaches to study the structure of these underground markets. In particular, we present a method with which it is possible to directly analyze the amount of data harvested through keylogger-based attacks in a highly automated fashion. Based on real-world data, we can get a glimpse into the digital underground economy. However, many open questions remain that will be discussed in the last part of the talk.

You can get the slides at http:///honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf.
Posted by Thorsten Holz in honeynets, malware, paper at 06:53 | Comments (0) | Trackback (1)

Call for Papers: WEIS'10

Monday, January 18. 2010
admin
I am happy to serve on the program committee of the 9th Workshop on the Economics of Information Security (WEIS). The Call for Papers is now available. WEIS will take place on June 7-8, 2010 at Harvard University, Cambridge, MA, USA

Important dates are:
  • Submissions due: February 22, 2010
  • Notification of acceptance: April 2, 2010
  • Workshop: June 7-8, 2010

Information security continues to grow in importance, as threats proliferate, privacy erodes, and attackers find new sources of value. Yet the security of information systems depends on more than just technology. Good security requires an understanding of the incentives and tradeoffs inherent to the behavior of systems and organizations. As society’s dependence on information technology has deepened, policy makers, including the President of the United States, have taken notice. Now more than ever, careful research is needed to accurately characterize threats and countermeasures, in both the public and private sectors.

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. Prior workshops have explored the role of incentives between attackers and defenders, identified market failures dogging Internet security, and assessed investments in cyber-defense. This workshop will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions. How should information risk be modeled given the constraints of rare incidence and high interdependence? How do individuals’ and organizations’ perceptions of privacy and security color their decision making? How can we move towards a more secure information infrastructure and code base while accounting for the incentives of stakeholders?

The full Call for Papers is available at http://weis2010.econinfosec.org/cfp.html.
Posted by Thorsten Holz in admin, paper at 19:15 | Comments (0) | Trackbacks (0)

Challenge 1 posted - Signed books as prizes!

Monday, January 18. 2010
The first challenge of the Honeynet Forensic Challenge 2010 has been posted at http://honeynet.org/node/504. The task is to analyze a packet capture that was collected by a honeypot. Analyze and answer the following questions:
  1. Which systems (i.e. IP addresses) are involved? (2pts)
  2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
  3. How many TCP sessions are contained in the dump file? (2pts)
  4. How long did it take to perform the attack? (2pts)
  5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
  6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
  7. What specific vulnerability was attacked? (2pts)
  8. What actions does the shellcode perform? Pls list the shellcode. (8pts)
  9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
  10. Was there malware involved? Whats the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
  11. Do you think this is a manual or an automated attack? Why? (2pts)

Get the pcap at http://honeynet.org/files/attack-trace.pcap_.gz, they were provided together with the questions by Tillmann Werner. Deadline for submissions is Monday, February 1st 2010 at 17:00 EST. There will be some small prizes, among them signed copies of our book "Virtual Honeypots: From Botnet Tracking to Intrusion Detection". Full information is available at http://honeynet.org/node/504.
Posted by Thorsten Holz in honeynets, malware at 08:56 | Comments (0) | Trackbacks (0)

Honeynet Project Forensic Challenge 2010

Tuesday, January 12. 2010
Finally, after several years without any Honeynet Project Challenges, there will finally be new Forensic Challenges starting next Monday (January 18th, 2010). Here is the official announcement:
I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to analyze attacks and share their findings. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.
It has been several years since we provided Forensic Challenges and with the Forensic Challenge 2010, we will provide desperately needed upgrades. The Forensic Challenge 2010 will include a mixture of server-side attacks on the latest operating systems and services, attacks on client-side attacks that emerged in the past few years, attacks on VoiP systems, web applications, etc. At the end of challenge, we will provide a sample solution created by our members using the state-of-the-art tools that are publicly available, such as libemu and dionaea.
The first challenge (of several for 2010) will be posted on our Forensic Challenges web site on Monday, January 18th 2010. We will be open to submissions for about two weeks and announce the winners by February 15th 2010. This year, we will also award the top three submissions with prizes! Please check the web site on Monday, January 18th 2010 for further details….

Christian Seifert

Full details will be published at http://honeynet.org/challenges.

Update: The date was apparently wrong, I corrected it from January 15th to January 18th.
Posted by Thorsten Holz in honeynets at 20:22 | Comments (0) | Trackbacks (0)

Walowdac – Analysis of a Peer-to-Peer Botnet

Sunday, January 3. 2010
One of the most interesting botnets of 2009 was Waledac: the botnet implements a peer-to-peer-based communication channel and it can be seen as the successor of Storm Worm, since it implemented many similar ideas (e.g., a very similar language for spam templates was used). The researchers from Trend Micro had published an analysis of the botnet and we also examined the botnet. The result is a paper entitled "Walowdac - Analysis of a Peer-to-Peer Botnet": instead of passively observing the network, we implemented an active infiltration component. We emulate the protocol of a bot and are able to observe the inner communication aspects of the network. As a result, we obtain an in-depth overview of the botnet that enables us to study different aspects of the network, e.g., efficiency of the spam campaigns or number of active bots. As a small peak of the results, the following pictures shows the number of active bots in different countries on a specific day in August 2009. We can for example observe diurnal patterns and clearly see the effects of timezones on the size of the botnet:


Abstract:
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.

The paper was joint work with Ben Stock, Jan Göbel, Markus Engelberth, and Felix C. Freiling. The full paper is available at http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf and it was published at EC2ND 2009.

Posted by Thorsten Holz in malware, paper at 12:26 | Comments (0) | Trackback (1)
« previous page   (Page 2 of 10, totaling 50 entries) » next page