DIMVA'08: "Learning and Classification of Malware Behavior"

Thursday, July 10. 2008
Today and tomorrow DIMVA'08 takes place in Paris. DIMVA'08 is the Fifth Conference on Detection of Intrusions and Malware & Vulnerability Assessment and is organized by the special interest group SIDAR of the German Informatics Society (GI).

Our paper entitled "Learning and Classification of Malware Behavior" is joint work with Konrad Rieck, Carsten Willems, Patrick Düssel, Pavel Laskov, and Felix Freiling. The paper deals with malware classification, i.e., how to automatically learn malware families from labeled samples. We use the (noisy) labels assigned by an anti-virus product and then apply machine learning algorithms to classify malware based on execution traces generated with the help of CWSandbox. In an experiment with over 3,000 previously undetected malware binaries, our system correctly predicted almost 70% of the labels that an anti-virus scanner assigned four weeks later. Our method also detects unknown behavior, so that malware families not present in the learning corpus are correctly identified as unknown. The analysis of prominent features inferred by our discriminative models has shown interesting similarities between malware families; in particular, we have discovered that the Doomber and Gobot worms derive from the same origin, with Doomber being an extension of Gobot - all in an automated way.

Abstract:
Malicious software in the form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. The diversity and amount of its variants severely undermine the effectiveness of classical signature-based detection. Yet variants of malware families share typical behavioral patterns reflecting their origin and purpose. We aim to exploit these shared patterns for classification of malware and propose a method for learning and discrimination of malware behavior. Our method proceeds in three stages: (a) behavior of collected malware is monitored in a sandbox environment, (b) based on a corpus of malware labeled by an anti-virus scanner a malware behavior classifier is trained using learning techniques and (c) discriminative features of the behavior models are ranked for explanation of classification decisions. Experiments with different heterogeneous test data collected over several months using honeypots demonstrate the effectiveness of our method, especially in detecting novel instances of malware families previously not recognized by commercial anti-virus software.

The full paper is now available.

Storm Worm: World War III?

Wednesday, July 9. 2008
Tonight the Storm Worm botnet changed the propagation theme again. They have a bogus story, but an interesting picture:


Just now US Army's Delta Force and U.S. Air Force have invaded Iran. Approximately 20000 soldiers crossed the border into Iran and broke down the Iran's Army resistance. The video made by US soldier was received today morning. Click on the video to see first minutes of the beginning of the World War III. God save us.

The directory structure of the website is similar to the previous campaigns:
  • A file called ind.php is included which contains a couple of exploits for common web browser vulnerabilities.
  • The actual Storm Worm binary is called iran_occupation.exe and behaves similarly to previous versions.
So actually nothing really new at the botnet side...
Warning: Please do not visit the website visible in the screenshot, it may harm your computer.

Sicherheit'08: "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients"

Sunday, July 6. 2008
Back in April, our paper on low-interaction, client-side honeypots entitled "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients" was published at Sicherheit'08, the main security conference for the German speaking community. The paper presents a client-side honeypot that can be used to detect malicious web sites. The basic idea is to use the crawler Heritrix to download content efficiently and then analyze the downloaded content with different means, e.g., AV scanners, CWSandbox, or other tools. To our surprise, the paper won the best paper award of the conference :-)

Abstract:
Client-side attacks are on the rise: malicious websites that exploit vulnerabilities in the visitor’s browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. In this work, we introduce the Monkey-Spider project. Utilizing it as a client honeypot, we portray the challenge in such an approach and evaluate our system as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild. Furthermore, we evaluate the system by analyzing different crawls performed during a period of three months and present the lessons learned.

The full paper is now also available for download and the software is published at SourceForge: http://monkeyspider.sourceforge.net/. The software is released under the terms of GPLv3 and the maintainer is Ali Ikinci (ali at ikinci dot info).

WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web"

Friday, July 4. 2008
The 7th Workshop on the Economics of Information Security (WEIS'08) took place last week at Dartmouth College's Tuck School of Business. Several interesting papers like "Security Economics and European Policy", "Do Data Breach Disclosure Laws Reduce Identity Theft?", or "The Impact of Incentives on Notice and Take-down" were presented during the workshop. Our paper entitled "Studying Malicious Websites and the Underground Economy on the Chinese Web" deals with several aspects of the underground economy within China's part of the World Wide Web. Amongst other techniques, we use client-side honeypots to study malicious websites.

Abstract:
The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousands of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant number of websites within China’s part of the Web contain some kind of malicious content: our measurements reveal that about 1.49% of the examined sites contain malicious content that tries to attack the visitor’s browser.

The paper is a collaboration with several researchers from China (Jianwei Zhuge, Chengyu Song, Jinpeng Guo, Xinhui Han, and Wei Zou) and a revised version of our technical report on the same topic. The full version of the paper is now available.


Fast-Flux Techniques in .mobi

Thursday, July 3. 2008
Danmec/Asprox is an SQL injection attack tool that is responsible for some aspects of the recent wave of SQL injections (full list maintained by ShadowServer). This malware also uses fast-flux techniques to host some facets of the attacks. For a few days now, the attackers have also been using the .mobi TLD - the first time I have seen this TLD abused this way by malware. The following listing shows the results of a DNS lookup for one of the .mobi domains:
$ dig allocbn.mobi

; <<>> DiG 9.3.4 <<>> allocbn.mobi
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26203
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;allocbn.mobi. IN A

;; ANSWER SECTION:
allocbn.mobi. 600 IN A 200.167.230.85
allocbn.mobi. 600 IN A 69.247.175.135
allocbn.mobi. 600 IN A 71.56.42.87
allocbn.mobi. 600 IN A 72.187.108.240
allocbn.mobi. 600 IN A 74.138.199.132
allocbn.mobi. 600 IN A 75.66.193.0
allocbn.mobi. 600 IN A 75.143.150.108
allocbn.mobi. 600 IN A 76.175.178.111
allocbn.mobi. 600 IN A 98.165.213.34
allocbn.mobi. 600 IN A 98.192.74.13
allocbn.mobi. 600 IN A 98.223.61.12
allocbn.mobi. 600 IN A 99.233.217.232
allocbn.mobi. 600 IN A 118.160.173.122
allocbn.mobi. 600 IN A 190.18.116.54

The DNS answer has a short time to live (600 seconds, i.e., 10 minutes) and the IP addresses are located in many different networks - a typical sign of fast-flux techniques. Most IP addresses belong to residential access networks like Comcast and Road Runner; presumably these are infected, compromised machines. When doing a DNS lookup a couple of minutes later, a different set of IP addresses is returned (addresses not present in the first answer are marked [NEW]):
;; ANSWER SECTION:
allocbn.mobi. 493 IN A 208.107.82.31 [NEW]
allocbn.mobi. 493 IN A 71.56.42.87
allocbn.mobi. 493 IN A 72.177.224.125 [NEW]
allocbn.mobi. 493 IN A 72.187.175.42 [NEW]
allocbn.mobi. 493 IN A 75.143.150.108
allocbn.mobi. 493 IN A 76.171.151.145 [NEW]
allocbn.mobi. 493 IN A 76.175.178.111
allocbn.mobi. 493 IN A 81.203.14.159 [NEW]
allocbn.mobi. 493 IN A 92.233.227.123 [NEW]
allocbn.mobi. 493 IN A 98.165.213.34
allocbn.mobi. 493 IN A 98.192.74.13
allocbn.mobi. 493 IN A 98.223.61.12
allocbn.mobi. 493 IN A 99.233.217.232
allocbn.mobi. 493 IN A 156.34.132.62 [NEW]

This churn illustrates the "fluxiness" of the domain. By DNS mining, i.e., performing a DNS lookup of this domain every TTL + 1 seconds and collecting the A records returned each time, we can enumerate the bots behind this attack. In the past week, we found about 1,000 unique bot IP addresses this way.
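As an added example (not code from the post or from the author's tooling), the following Python script turns the two dig answer sections above into the indicators the post describes: the TTL, the number of A records, a crude network-diversity count, the set difference between two lookups that produced the [NEW] markers, and the DNS-mining cadence that polls every TTL + 1 seconds and accumulates unique bot addresses. The two answer sections are copied from the listings above; the thresholds, the /16-prefix stand-in for ASN diversity, the www.example.com control record, and all function names are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# ANSWER SECTIONs for allocbn.mobi as printed in the post (second one keeps its [NEW] markers).
SNAPSHOT_1 = """
allocbn.mobi. 600 IN A 200.167.230.85
allocbn.mobi. 600 IN A 69.247.175.135
allocbn.mobi. 600 IN A 71.56.42.87
allocbn.mobi. 600 IN A 72.187.108.240
allocbn.mobi. 600 IN A 74.138.199.132
allocbn.mobi. 600 IN A 75.66.193.0
allocbn.mobi. 600 IN A 75.143.150.108
allocbn.mobi. 600 IN A 76.175.178.111
allocbn.mobi. 600 IN A 98.165.213.34
allocbn.mobi. 600 IN A 98.192.74.13
allocbn.mobi. 600 IN A 98.223.61.12
allocbn.mobi. 600 IN A 99.233.217.232
allocbn.mobi. 600 IN A 118.160.173.122
allocbn.mobi. 600 IN A 190.18.116.54
"""
SNAPSHOT_2 = """
allocbn.mobi. 493 IN A 208.107.82.31 [NEW]
allocbn.mobi. 493 IN A 71.56.42.87
allocbn.mobi. 493 IN A 72.177.224.125 [NEW]
allocbn.mobi. 493 IN A 72.187.175.42 [NEW]
allocbn.mobi. 493 IN A 75.143.150.108
allocbn.mobi. 493 IN A 76.171.151.145 [NEW]
allocbn.mobi. 493 IN A 76.175.178.111
allocbn.mobi. 493 IN A 81.203.14.159 [NEW]
allocbn.mobi. 493 IN A 92.233.227.123 [NEW]
allocbn.mobi. 493 IN A 98.165.213.34
allocbn.mobi. 493 IN A 98.192.74.13
allocbn.mobi. 493 IN A 98.223.61.12
allocbn.mobi. 493 IN A 99.233.217.232
allocbn.mobi. 493 IN A 156.34.132.62 [NEW]
"""
# Constructed control (not from the post): an ordinary, long-lived single A record.
STATIC_SNAPSHOT = "www.example.com. 86400 IN A 192.0.2.10\n"

# "name TTL IN A a.b.c.d" with an optional trailing [NEW] annotation.
_A_RECORD = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})(?:\s+\[NEW\])?$")

@dataclass(frozen=True)
class Snapshot:
    name: str
    ttl: int
    ips: frozenset  # dotted-quad strings

def parse_answer_section(text):
    """Turn the A records of one dig ANSWER SECTION into a Snapshot."""
    name, ttl, ips = None, None, set()
    for line in text.splitlines():
        m = _A_RECORD.match(line.strip())
        if not m:  # blank lines, ';;' comments, other record types
            continue
        name, ttl = m.group(1).rstrip("."), int(m.group(2))  # one RRset, one TTL
        ips.add(m.group(3))
    if not ips:
        raise ValueError("no A records found")
    return Snapshot(name, ttl, frozenset(ips))

def distinct_prefixes(ips, prefixlen=16):
    """Number of distinct /prefixlen networks: an offline stand-in for ASN diversity."""
    shift = 32 - prefixlen
    return len({int.from_bytes(bytes(map(int, ip.split("."))), "big") >> shift for ip in ips})

def fastflux_indicators(snap, max_ttl=1800, min_records=5, min_prefixes=5):
    """The three signs named in the post: short TTL, many A records, many networks.
    Threshold values are assumptions for illustration, not values from the post."""
    return {
        "short_ttl": snap.ttl <= max_ttl,
        "many_records": len(snap.ips) >= min_records,
        "many_networks": distinct_prefixes(snap.ips) >= min_prefixes,
    }

def looks_fast_flux(snap, **thresholds):
    return all(fastflux_indicators(snap, **thresholds).values())

def churn(old, new):
    """Addresses that appeared and disappeared between two lookups (the [NEW] markers)."""
    return new.ips - old.ips, old.ips - new.ips

def next_poll_delay(snap):
    """DNS mining cadence: one query per TTL + 1 s sees every RRset without wasted queries."""
    return snap.ttl + 1

def mine(snapshots):
    """Accumulate unique bot IPs over successive lookups taken next_poll_delay() apart.
    Returns the set seen so far and how many fresh addresses each round contributed."""
    seen, fresh_per_round = set(), []
    for snap in snapshots:
        fresh = snap.ips - seen
        fresh_per_round.append(len(fresh))
        seen |= fresh
    return seen, fresh_per_round
```

In a live deployment the `snapshots` list would be produced by repeated `dig` (or dnspython) lookups separated by `time.sleep(next_poll_delay(snap))`. The /16 count is only a rough proxy: one ISP can span many /16s, so where network access is available an IP-to-ASN lookup gives a more honest measure of how many networks the fluxing hosts sit in.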