loads.cc vs. CWSandbox

Wednesday, March 12. 2008
Sunbelt covered the 3D screensaver spam and the background of this scam in some detail. Dancho Danchev also blogged about some details of this incident. And here are my two cents:

The file load.exe (MD5: b20e4e725cc86b489ec441b97b728285) drops two files called 0.EXE and 1.EXE which are subsequently executed. 0.EXE creates the two files C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe and C:\WINDOWS\system32\drivers\spools.exe, which are also automatically started via a registry key. Furthermore, the following HTTP requests are sent:

http://195.93.218.25/ld/?&v=driver&d=0
http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0
http://195.93.218.25/m.exe

This IP address belongs to Buildhouse Ltd., located in Russia - a grey hosting provider?
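As an added example (not part of the original post and not CWSandbox output), the indicators listed above can be turned into a small matcher that runs over a sandbox report: it flags the sample's MD5, the two dropped file names, an autostart Run key pointing at one of them, and any HTTP request to the host contacted by 0.EXE. The report format and the two benign lines are constructed for this example.

```python
from urllib.parse import urlparse

# Indicators taken from the post above: dropped file names, the sample's
# MD5 and the host contacted by 0.EXE.
DROPPED_FILE_NAMES = {"cftmon.exe", "spools.exe"}
SAMPLE_MD5 = "b20e4e725cc86b489ec441b97b728285"
KNOWN_HOST = "195.93.218.25"

# Constructed sandbox-style report, one "<event> <details>" per line. The
# format is an assumption made for this example, not CWSandbox's own output;
# the last two lines are benign noise to show what is not flagged.
REPORT = """\
md5 b20e4e725cc86b489ec441b97b728285 load.exe
create_file C:\\Documents and Settings\\USER\\Local Settings\\Application Data\\cftmon.exe
create_file C:\\WINDOWS\\system32\\drivers\\spools.exe
set_value HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\cftmon = C:\\Documents and Settings\\USER\\Local Settings\\Application Data\\cftmon.exe
http_get http://195.93.218.25/ld/?&v=driver&d=0
http_get http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0
http_get http://195.93.218.25/m.exe
http_get http://updates.example.invalid/version.txt
create_file C:\\WINDOWS\\Temp\\harmless.tmp
"""


def windows_basename(path: str) -> str:
    """Last path component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def match_indicators(report_text: str) -> list:
    """Return (line number, indicator type, matched detail) for every report
    line that hits one of the indicators above."""
    hits = []
    for lineno, raw in enumerate(report_text.splitlines(), start=1):
        parts = raw.split(None, 1)
        if len(parts) != 2:
            continue
        event, detail = parts
        if event == "md5" and detail.split()[0].lower() == SAMPLE_MD5:
            hits.append((lineno, "known-sample-md5", SAMPLE_MD5))
        elif event == "create_file":
            name = windows_basename(detail)
            if name in DROPPED_FILE_NAMES:
                hits.append((lineno, "dropped-file", name))
        elif event == "set_value":
            low = detail.lower()
            # Autostart entry (a Run key) pointing at one of the dropped files.
            if "\\run\\" in low and any(n in low for n in DROPPED_FILE_NAMES):
                hits.append((lineno, "autostart-for-dropped-file", detail))
        elif event == "http_get":
            # urlparse gives the bare host, so query strings and paths that
            # vary between samples (the id= parameter above) do not matter.
            if urlparse(detail).hostname == KNOWN_HOST:
                hits.append((lineno, "contact-to-known-host", detail))
    return hits


if __name__ == "__main__":
    for lineno, kind, detail in match_indicators(REPORT):
        print(f"line {lineno}: {kind}: {detail}")
```

Matching on the host rather than the full URL is deliberate: the id= value in the second request looks per-infection, so an exact-URL rule would miss the next sample.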

More complete info: cwsandbox.org.

NDSS'08 Presentation

Wednesday, March 12. 2008
Yesterday I forgot to post the link to my presentation :-/
The presentation I gave at NDSS'08 is available at http://honeyblog.org/junkyard/paper/08_ff_NDSS.pdf. If you have comments or questions, please let me know!

"Measuring and Detecting Fast-Flux Service Networks"

Tuesday, March 11. 2008
One of the projects at our lab focuses on fast-flux service networks (FFSNs), a mechanism used by attackers to build an overlay network on top of compromised machines. FFSNs are for example used to host scam pages or malicious content. Our findings were published in a paper at NDSS'08. The full paper has also been available for a couple of weeks.

Abstract:
We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely-known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Considering our detection technique we also discuss possible mitigation strategies.

Full paper

Postcards from Storm

Monday, March 3. 2008
Storm Worm changed its propagation scheme again. It now sends out spam mails pointing to fake "ecards". The spammed site contains just an image and points to a binary called postcard.exe. A quick analysis shows that the core functionality has not changed at all.

Call for Papers: EuroSec 2008

Friday, February 1. 2008
EuroSec is a new workshop associated with the Annual ACM SIGOPS EuroSys conference. The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work.

EuroSec explicitly encourages members of the systems community to explore leading-edge topics and ideas before they are presented at a major conference. All submissions will be reviewed by the Program Committee. Only original, novel work will be considered for publication. Accepted papers will be published in the proceedings of EuroSec in the ACM Digital Library.

You are hereby invited to submit papers of 6-8 single-spaced pages (including figures, tables and references). Font size should be 10pt.

Important Dates:
Deadline for paper submission: February 4th, 2008 (firm deadline)
Notification of acceptance or rejection: March 1st, 2008
Final paper camera ready copy: March 14th, 2008
Workshop dates: March 31st, 2008

You can find more information at http://www.cs.vu.nl/eurosec08/

Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

Friday, January 11. 2008
Together with a few researchers from the Chinese Honeynet Project, we published a paper about capturing autonomous spreading malware with high-interaction honeypots at the 9th International Conference on Information and Communications Security (ICICS 2007); the paper is now available.

Abstract: Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.

Keywords: Honeypots - Intrusion Detection Systems - Malware

Full Paper: Collecting Autonomous Spreading Malware Using High-Interaction Honeypots (LNCS 4861)

Stock Spam Works - Ralsky Case

Thursday, January 10. 2008
I covered stock spam a couple of times before in this blog. A few days ago, Alan Ralsky (one of the biggest spammers on Earth) was arrested and indicted for his involvement in stock spam. The full indictment is available at the website of Spamhaus (Ralsky Indictment) and it is an interesting read. The indictment uncovers Ralsky's spam approach and discloses how he and his group made a lot of money by advertising stocks via spam e-mails. It seems like stock spam works.

Measuring the Success Rate of Storm Worm

Thursday, January 3. 2008
Just around Christmas, machines infected with Storm Worm started to send out spam e-mails again. These e-mails contained different kinds of Christmas or New Year's Eve wishes. Within the Storm botnet, such mails are sent to propagate the bot: the botherders hope that innocent users fall for this social engineering trick and click on the link contained in the mail. Once they click on the link, they are redirected to a website which contains a link to the actual Storm binary. This website commonly also contains browser exploits (selected depending on the user agent, and served only once per IP address) to compromise the web browser of a visitor in order to install the Storm binary.

[Figure: number of infected machines online in Stormnet per day, from a few days before Christmas 2007 until January 3, 2008]
The picture illustrates the success rate of the botnet: The x-axis shows the date, starting a few days before Christmas and ending today. The y-axis represents the number of infected machines within Stormnet, the "encrypted" part of the botnet in which the actual communication is XORed with a 40 byte key. As you can see, in the days before Christmas the size of the botnet was around 5-14 thousand infected machines. However, just around Christmas the size grows again due to successful infections and new victims who fell for the social engineering mails. For now, the botnet has peaked at about 40 thousand infected machines being online at a time.

Moreover, the picture also shows a clear diurnal pattern: the size of the botnet changes over time each day. This could indicate that a majority of the infected machines are located within a certain region. A closer examination of this phenomenon is necessary.

The actual picture was generated by Moritz Steiner, a colleague of mine with whom I analyze the Storm botnet.

Update: Brandon Enright pointed out that the diurnal pattern could also have other causes and thus I updated this part.
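The "encrypted" in quotes above deserves a concrete illustration. The following is an added example, not code from the original post and not the real Stormnet key or traffic: it applies a repeating 40-byte XOR key the way the post describes, and then shows why an analyst who knows the first 40 plaintext bytes of a single captured message (a fixed header, for instance) can recover the whole key and decode every other message. The key and messages are constructed.

```python
KEY_LEN = 40  # key length stated in the post for Stormnet traffic


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover a repeating XOR key from one captured message whose first
    key_len plaintext bytes are known. XOR is its own inverse, so
    ciphertext XOR plaintext yields the key bytes directly; no search needed."""
    if len(ciphertext) < key_len or len(known_plaintext) < key_len:
        raise ValueError(f"need at least {key_len} bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# Constructed demo key and messages (assumptions for this example only).
DEMO_KEY = bytes((17 * i + 3) & 0xFF for i in range(KEY_LEN))
MSG_A = b"CONSTRUCTED-HEADER-v1 peer announcement from node 0001 end"
MSG_B = b"CONSTRUCTED-HEADER-v1 search request for hash 00ff00ff end"


def demo() -> tuple:
    """Encode two messages, recover the key from message A's known
    plaintext, and decode message B with the recovered key."""
    ct_a = xor_with_key(MSG_A, DEMO_KEY)
    ct_b = xor_with_key(MSG_B, DEMO_KEY)
    recovered = recover_key(ct_a, MSG_A)
    return recovered, xor_with_key(ct_b, recovered)


if __name__ == "__main__":
    recovered, plaintext_b = demo()
    print("key recovered:", recovered == DEMO_KEY)
    print("decoded B:", plaintext_b.decode())
```

The point for measurement work such as the plot above is that a static XOR key provides no confidentiality against a passive observer; once the key is known, every peer's traffic can be read and counted.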

Honeywall CDROM 1.3 beta Published

Thursday, January 3. 2008
After several months of development, a new version of the Honeywall is available: The Honeywall CDROM is a bootable CD that installs onto a hard drive and comes with all the tools and functionality for you to implement data capture, control, and analysis.

You can get the ISO image for testing here: http://www.honeynet.org/tools/cdrom/roo/iso/test/roo-1.3.hw-b1.iso

More information about the Honeywall development is available at the public Trac reachable via https://projects.honeynet.org/honeywall

Merry Christmas Storm!

Monday, December 24. 2007
Consistent with previous spam runs, the authors of Storm Worm have now also adapted the propagation scheme to the upcoming Christmas holidays. The spam mails contain for example the following text:

"This Christmas, we want to show you something you will really enjoy. This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out. hxxp:// merrychristmasdude . com/"

Please note: Do not visit this site since it contains several exploits for web browsers or common browser plugins.

The website shows "Mrs Clause" and some naughty pictures. The malware binary has the name stripshow.exe and - as usual - the MD5 sum changes every couple of minutes. Quick sandboxing shows that the behavior of the binary is similar to previous versions of Storm. The domain merrychristmasdude.com uses fast-flux: repeated DNS lookups always return different A records for this domain. Thus it seems like there is nothing really new - only the theme used for the propagation mails has changed...
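The fast-flux behaviour noted here (repeated lookups returning different A records) is the same phenomenon the NDSS'08 abstract above says can be detected with a metric. As an added example, not code from the paper or the original post, the script below implements a simplified heuristic over a log of repeated lookups: it counts the distinct A records and the distinct ASNs they fall into, and checks whether consecutive answers share any address. The thresholds, the IP-to-ASN mapping and the lookup data are all constructed assumptions; the paper's own metric is not reproduced on this page.

```python
from typing import Dict, List, Tuple


def asn_of(ip: str) -> int:
    """Constructed IP -> ASN mapping: one ASN per /16 inside 10.0.0.0/8.
    Real tooling would consult a BGP table or a whois/RIR lookup instead."""
    first, second = ip.split(".")[:2]
    if first != "10":
        raise ValueError("constructed map only covers 10.0.0.0/8")
    return 64496 + int(second)


# Constructed lookup logs: each inner list is the A records of one lookup.
LOOKUPS: Dict[str, List[List[str]]] = {
    # Every lookup returns new A records spread over many ASNs, the pattern
    # the post describes for the fast-flux domain.
    "fluxing.example": [
        [f"10.{i}.0.{i}" for i in range(1, 6)],
        [f"10.{i}.0.{i}" for i in range(6, 11)],
        [f"10.{i}.0.{i}" for i in range(11, 16)],
    ],
    # Ordinary site: same two addresses every time.
    "stable.example": [["10.20.0.1", "10.20.0.2"]] * 3,
    # Round-robin load balancing: the order rotates but the set is constant.
    "roundrobin.example": [
        ["10.30.0.1", "10.30.0.2", "10.30.0.3", "10.30.0.4"],
        ["10.30.0.2", "10.30.0.3", "10.30.0.4", "10.30.0.1"],
        ["10.30.0.3", "10.30.0.4", "10.30.0.1", "10.30.0.2"],
    ],
    # Multi-homed hosting: several addresses in two ASNs, still not flux.
    "multihomed.example": [
        ["10.40.0.1", "10.40.0.2", "10.40.0.3"],
        ["10.41.0.1", "10.41.0.2", "10.41.0.3"],
    ],
}


def flux_features(lookups: List[List[str]]) -> Tuple[int, int]:
    """Number of distinct A records and distinct ASNs over all lookups."""
    ips = {ip for answer in lookups for ip in answer}
    asns = {asn_of(ip) for ip in ips}
    return len(ips), len(asns)


def answers_always_change(lookups: List[List[str]]) -> bool:
    """True when no two consecutive lookups share a single A record."""
    return all(set(a).isdisjoint(b) for a, b in zip(lookups, lookups[1:]))


def looks_like_fast_flux(lookups: List[List[str]],
                         min_unique_a: int = 5,
                         min_unique_asn: int = 3) -> bool:
    """Simplified rule (constructed thresholds): many distinct addresses
    AND many distinct ASNs, which separates compromised end-user machines
    from a CDN or load balancer that is large but sits in one or two ASNs."""
    n_a, n_asn = flux_features(lookups)
    return n_a >= min_unique_a and n_asn >= min_unique_asn


def classify_all(table: Dict[str, List[List[str]]]) -> Dict[str, bool]:
    return {domain: looks_like_fast_flux(lookups) for domain, lookups in table.items()}


if __name__ == "__main__":
    for domain, lookups in LOOKUPS.items():
        n_a, n_asn = flux_features(lookups)
        print(f"{domain}: {n_a} A records, {n_asn} ASNs, "
              f"answers change={answers_always_change(lookups)}, "
              f"fast-flux={looks_like_fast_flux(lookups)}")
```

The ASN count is the feature that does the work: a round-robin or multi-homed site can return many addresses, but they stay within the operator's own networks, whereas a proxy network built on compromised home machines spans many unrelated ASNs.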