DIMVA'08 Slides

Tuesday, July 22. 2008
A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper to the webinterface of cwsandbox.org - stay tuned :)
Posted by Thorsten Holz in general, malware, paper at 13:56 | Comments (0) | Trackbacks (0)

Fast-Flux Data

Wednesday, July 16. 2008
Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed at my side, we decided to simply publish all the data such that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:
  • storm-qavoter.com.log: dig lookups for domain used by the Storm Worm botnet which uses fast-flux techniques

  • asprox-damnec-hydra.log: dig lookups for Asprox/Damnec botnet which also uses fast-flux techniques

  • lookups-ff: dig lookups for fast-flux domains, confirmed manually

  • lookups-spam: dig lookups for various domains found in spam e-mails

  • lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa

  • lookups-ndss: part of the domains used for the NDSS paper

  • lookups-ndss-ff: suspected fast-flux domains from NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)
Posted by Thorsten Holz in general, honeynets, malware, paper at 23:57 | Comment (1) | Trackbacks (0)

DIMVA'08: "Learning and Classification of Malware Behavior"

Thursday, July 10. 2008
Today and tomorrow DIMVA'08 takes place in Paris. DIMVA'08 is the Fifth Conference on Detection of Intrusions and Malware & Vulnerability Assessment and organized by the special interest group SIDAR of the German Informatics Society (GI).

Our paper entitled "Learning and Classification of Malware Behavior" is a joint work with Konrad Rieck, Carsten Willems, Patrick Düssel, Pavel Laskov, and Felix Freiling. The paper deals with malware classification, i.e., how to automatically learn malware families using labels. We use (noisy) labels by an anti-virus product and then apply machine learning algorithms to classify malware based on execution traces generated with the help of CWSandbox. In an experiment with over 3,000 previously undetected malware binaries, our system correctly predicted almost 70% of labels assigned by an anti-virus scanner four weeks later. Our method also detects unknown behavior, so that malware families not present in the learning corpus are correctly identified as unknown. The analysis of prominent features inferred by our discriminative models has shown interesting similarities between malware families; in particular, we have discovered that Doomber and Gobot worms derive from the same origin, with Doomber being an extension of Gobot - all in an automated way.

Abstract:
Malicious software in form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. The diversity and amount of its variants severely undermine the effectiveness of classical signature-based detection. Yet variants of malware families share typical behavioral patterns reflecting its origin and purpose. We aim to exploit these shared patterns for classification of malware and propose a method for learning and discrimination of malware behavior. Our method proceeds in three stages: (a) behavior of collected malware is monitored in a sandbox environment, (b) based on a corpus of malware labeled by an anti-virus scanner a malware behavior classifier is trained using learning techniques and (c) discriminative features of the behavior models are ranked for explanation of classification decisions. Experiments with different heterogeneous test data collected over several months using honeypots demonstrate the effectiveness of our method, especially in detecting novel instances of malware families previously not recognized by commercial anti-virus software.

The full paper is now available.
Posted by Thorsten Holz in malware, paper at 10:06 | Comments (0) | Trackback (1)

Sicherheit'08: "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients"

Sunday, July 6. 2008
Back in April, our paper on low-interaction, client-side honeypots entitled "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients" was published at Sicherheit'08, the main security conference for the German speaking community. The paper presents a client-side honeypot that can be used to detect malicious web sites. The basic idea is to use the crawler Heritrix to download content efficiently and then analyze the downloaded content with different means, e.g., AV scanners, CWSandbox, or other tools. To our surprise, the paper won the best paper award of the conference :-)

Abstract:
Client-side attacks are on the rise: malicious websites that exploit vulnerabilities in the visitor’s browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. In this work, we introduce the Monkey-Spider project. Utilizing it as a client honeypot, we portray the challenge in such an approach and evaluate our system as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild. Furthermore, we evaluate the system by analyzing different crawls performed during a period of three months and present the lessons learned.

The full paper is now also available for download and the software is published at SourceForge: http://monkeyspider.sourceforge.net/. The software is released under the terms of GPLv3 and the maintainer is Ali Ikinci (ali at ikinci dot info).
Posted by Thorsten Holz in honeynets, paper at 19:55 | Comments (0) | Trackbacks (0)

WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web"

Friday, July 4. 2008
The 7th Workshop on the Economics of Information Security (WEIS'08) took place last week at Dartmouth College's Tuck School of Business. Several interesting papers like "Security Economics and European Policy", "Do Data Breach Disclosure Laws Reduce Identity Theft?", or "The Impact of Incentives on Notice and Take-down" were presented during the workshop. Our paper entitled "Studying Malicious Websites and the Underground Economy on the Chinese Web" deals with several aspects of the underground economy within China's part of the World Wide Web. Amongst other techniques, we use client-side honeypots to study malicious websites.

Abstract:
The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant amount of websites within China’s part of the Web contain some kind of malicious content: our measurements reveal that about 1.49% of the examined sites contain malicious content that tries to attack the visitor’s browser.

The paper is a collaboration with several researchers from China (Jianwei Zhuge, Chengyu Song, Jinpeng Guo, Xinhui Han, and Wei Zou) and a revised version of our technical report on the same topic. The full version of the paper is now available.


Continue reading "WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web""

Posted by Thorsten Holz in honeynets, paper at 10:32 | Comments (0) | Trackbacks (0)
(Page 1 of 8, totaling 38 entries) » next page