Entries by Thorsten Holz

Consistent with previous spam runs, the authors of Storm Worm now also adopted the propagation scheme to the upcoming Christmas holidays. The spam mails contain for example the following text:

"This Christmas, we want to show you something you will really enjoy. This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out. hxxp:// merrychristmasdude . com/"

Please note: Do not visit this site since it contains several exploit for web browser or common browser plugins.

The website shows "Mrs Clause" and some naughty pictures. The malware binary has the name stripshow.exe and - as usual - the MD5 sum changes every couple of minutes. Quick sandboxing shows that the behavior of the binary is similar to previous versions of Storm. The domain merrychristmasdude.com uses fast-flux: repeated DNS lookups always return different A records for this domain. Thus it seems like there is nothing really new - only the theme used for the propagation mails has changed...

Today, Jan Göbel released his tool Amun. The tool is similar to nepenthes and designed to collect samples of autonomous spreading malware. The basic idea is to simulate vulnerable network service and trick an incoming exploitation attempt into thinking that the honeypot is a real system.

Amun is implemented in Python and thus it is quite easy to add additional vulnerability modules. The tool can be downloaded via http://zero.ram.rwth-aachen.de/amun/download.php.

The 2007 UCSB International Capture The Flag contest finished a few minutes ago. The guys from the UCSB had organized an awesome contest with seven different services and many interesting challenges. The team from our lab had much fun and at the end, we scored second place - just the team from Milano (Chocolate Makers) beat us. Looking forward to next year's contest :-)

Info:
The UCSB International Capture The Flag (also known as the iCTF) is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants from both the attack and defense viewpoints.

The Capture The Flag contest is a multi-site, multi-team hacking contest in which a number of teams compete independently against each other.

Each team is given a virtualized network installation (for example, a Linux host and/or a Windows host). The hosts provide a number of services. The services have a number of undisclosed vulnerabilities, which have been included in the servers' software by the contest organizers.

The goal of each team is to maintain the set of services available and uncompromised throughout the contest phase. Each team can (and should) attempt to compromise other teams' services. Since all the teams receive an identical copy of the virtual network, the task of each team is to find vulnerabilities in their copy of the hosts and possibly fix the vulnerabilities without disrupting the services. At the same time, the teams have to leverage their knowledge about the vulnerabilities they found to compromise the servers run by other teams. Compromising a service will allow a team to bypass the service's security mechanisms and to "capture the flag" associated with the service.

During the contest a scoring system keeps track, for each team, of which services are available, and which services have been compromised.

More info: http://www.cs.ucsb.edu/~vigna/CTF/

As a comment to my post on the xkcd comic on network visualization, Jon Oberheide, a researcher from the University of Michigan, pointed me to their version of malware visualization - pretty awesome!



Picture available at http://jon.oberheide.org/malware.jpg

Storm Worm was quiet in the last few days, nothing really exiting happened at the honeypots infected with the bot. Many of the spam mails sent by the bot are stock spam messages which advertise a certain stock. An example of an attachment sent some time ago is Complaint.pdf which advertizes Score One Inc. (SREA.OB), a small company traded over the counter.

Many of the fast-flux domains used by Storm Worm are currently non-functional, only two seem to resolve:

$ dig yxbegan.com



; <<>> DiG 9.4.1-P1 <<>> yxbegan.com

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59661

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 12, ADDITIONAL: 0



;; QUESTION SECTION:

;yxbegan.com.                   IN      A



;; ANSWER SECTION:

yxbegan.com.            0       IN      A       74.134.155.14



;; AUTHORITY SECTION:

yxbegan.com.            172800  IN      NS      ns13.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns2.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns3.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns4.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns5.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns6.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns7.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns8.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns9.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns10.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns11.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns12.yxbegan.com.



;; Query time: 4376 msec

;; SERVER: X.X.X.X#53(X.X.X.X)

;; WHEN: Thu Dec  6 08:59:53 2007

;; MSG SIZE  rcvd: 265

In consecutive lookups, always a new A record is returned:

yxbegan.com.            0       IN      A       69.224.113.183

yxbegan.com.            0       IN      A       123.215.78.167

yxbegan.com.            0       IN      A       168.188.56.76

yxbegan.com.            0       IN      A       220.129.76.210

yxbegan.com.            0       IN      A       59.23.185.81

More info to follow :)

Together with the researchers from the Chinese Honeynet Project, we also examined the extend of malicious websites on the Chinese Web. Using high- and low-interaction honeyclients, we were able to find about 2,500 sites (1,49% of overall examined sites) that tried to compromise an unpatched system. Furthermore, we also studied the underground black market which is used to trade exploits, malware, and stolen virtual goods. Several measurements provide an insight into the black market on the Chinese Web and show that the attackers are organized pretty well. We published our findings as a technical report to share the lessons we learned.

Abstract:

The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proofs that a significant amount of websites within China's part of the Web are malicious: our measurements reveal that about 1.49% of the examined sites contain some kind of malicious content.

The complete report is available as TR-2007-011.

Together with a few researchers from China, we studied IRC-based botnets in order to understand the extent of this phenomenon. Using different kinds of honeypots and several sensors deployed across different regions in China, we were able to collect thousands of bot binaries. With the help of a behavior-based analysis mechanism similar to CWSandbox, we could extract the Command & Control (C&C) server in an automated way. In a third step, we used this information to connect to the actual C&C server and passively monitored the activity in the channel. Furthermore, we also actively probed the C&C servers to find out other characteristics of these machines. The complete setup and our results are described in a technical report we just published.

Abstract:

Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term easurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area.

Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command & Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

The complete report is available as TR-2007-010. And more information regarding the Chinese Honeynet Project is available at the website of the Artemis Project.

The Call for Papers for the 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'08) is available since a couple of days. Since I am a member of the program committee, I would love to see some submission from the readers of my blog.

About the conference:
The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year DIMVA brings together international experts from academia, industry and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group Security - Intrusion Detection and Response of the German Informatics Society (GI). In 2008, the conference takes place July 10-11th, 2008 in Paris, France.

DIMVA solicits submission of high-quality, original scientific work. This year we invite two types of paper submissions:

• Full papers, presenting novel and mature research results. Full papers are limited to 20 pages, prepared according to the instructions provided below. They will be reviewed by the program committee, and papers accepted for presentation at the conference will be included in the proceedings.


• Short papers (extended abstracts), presenting original, still ongoing work that has not yet reached the maturity required for a full paper. Short papers are limited to 10 pages, prepared according to the instructions provided below. They will also be reviewed by the program committee, and papers accepted for presentation at the conference will be included in the proceedings (containing Extended Abstract in the title).

Important Dates:
Deadline for paper submission: February 4th, 2008 (firm deadline)
Notification of acceptance or rejection: April 8th, 2008
Final paper camera ready copy: April 25th, 2008
Conference dates: July 10-11th, 2008

Full Call for Papers is available at http://www.dimva2008.org/cfp2008.html

ENISA (European Network and Information Security Agency) published a few days ago a study of the botnet phenomenon: Botnets – The Silent Threat

The study provides a good overview of the current botnet problem and show some interesting numbers. According to the measurements (carried out by S21sec), the most common infection methods are browser exploits (65%), email attachments (13%,) operating system exploits (11%), and downloaded Internet files (9%). Thus more research in the area of client honeypots is needed - the weakest link in the security chain is nowadays the enduser who does not patch his Internet Explorer and opens every e-mail attachment.

Furthermore, the study also contains some more interesting numbers:

Estimations show that there are at least 1.000 different Botnet C& C servers running constantly. An average C&C server controls 20.000 compromised computers (ranging from 10-300.000). Estimations indicate ca 53.000, new, active bots/day. A spam bot can send up to 3 spam emails/s (ca 259.000 emails/day).

The measurements at our lab indicate that there could be even more botnets. However, we observe that an average C&C server controls significantly less than 20.000 compromised machines, often only a few hundred or at most a few thousand machines are controlled by a given server. Even Storm Worm has nowadays less than 80.000 machines online. It would be nice to get a better insight of how they estimate the 53,000 new bots per day - after all, node churn and other effects make such measurements hard.

The study also contains an overview of countermeasures at various levels. Besides some glitches (Storm does not always use UDP port 4000, Rock phish and Fast-Flux networks are only partially related to botnets, ...) the study is worth reading.

Best comic of the year related to my previous post and worm visualization in general: http://xkcd.com/350/