Rishi: Identify Bot Contaminated Hosts

Thursday, April 19. 2007
HotBots'07 took place last week in Boston. The paper by Jan Göbel and me is now available, and I have also published the slides from my talk.
This workshop was by invitation only. As a courtesy, USENIX made the accepted papers available to everyone.



Program for HotBots'07 / Rishi

Thursday, April 5. 2007
The program for the First Workshop on Hot Topics in Understanding Botnets is now online. The program committee accepted 11 papers from 32 submissions. Together with Jan Göbel, I also submitted a paper which was accepted. The paper, entitled "Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation", describes a simple, yet effective method to detect bot-contaminated hosts within a given network. It tries to detect suspicious IRC nicknames, and preliminary results show its usefulness. I will upload the paper once the workshop is over.

Abstract:
In this paper, we describe a simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command & Control server (C&C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which are commonly not detected by classical intrusion detection systems. Upon detection, it is possible to determine the IP address of the C&C server, as well as the channels a bot joined and the additional parameters which were set. The software "Rishi" implements the mentioned features and is able to automatically generate warning emails to report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen university, we detected 82 bot-infected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems.
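As an added illustration of the idea behind the abstract (this is not Rishi's own code; the rule set, the weights, the threshold and the reference nickname list are assumptions made here), the following Python scores NICK commands taken from constructed sniffer output. It combines a letter-bigram "unfamiliarity" measure against a small corpus of human-chosen nicknames with pattern rules (long digit runs, bracket and pipe separators, country or OS tokens) and a bonus for a non-standard server port, and reports the server address as the likely C&C host for every client that crosses the threshold.

```python
import re
from collections import Counter, namedtuple

# Constructed sample of NICK commands a passive sniffer might extract from
# client->server IRC traffic, one observation per line:
#   <src ip>:<src port> -> <server ip>:<server port> NICK <nickname>
SAMPLE_LOG = """\
192.0.2.10:1045 -> 198.51.100.7:6667 NICK alice
192.0.2.11:1046 -> 198.51.100.7:6667 NICK bob_93
192.0.2.12:1047 -> 203.0.113.9:1337 NICK DEU|XP|12345678
192.0.2.13:1048 -> 203.0.113.9:1337 NICK [USA]-2K-0938472
192.0.2.14:1049 -> 198.51.100.7:6667 NICK nathan
"""

LINE_RE = re.compile(r"^(\S+):\d+ -> (\S+):(\d+) NICK (\S+)$")
Observation = namedtuple("Observation", "src server port nick")


def parse_log(text):
    """Turn sniffer lines into Observation tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Observation(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return out


# Reference corpus of human-chosen nicknames (constructed). The n-gram model is a
# letter-bigram table built from it; a real deployment would use a much larger list.
HUMAN_NICKS = ["alice", "bob", "charlie", "dave", "eve", "mallory", "trent",
               "peggy", "victor", "walter", "oscar", "nathan", "jenny", "marcus"]


def letter_bigrams(s):
    """Bigrams over the letters of s only (digits and separators are dropped)."""
    s = re.sub(r"[^a-z]", "", s.lower())
    return [s[i:i + 2] for i in range(len(s) - 1)]


REF_BIGRAMS = Counter(b for n in HUMAN_NICKS for b in letter_bigrams(n))


def ngram_unfamiliarity(nick):
    """Share of the nick's letter bigrams never seen in the reference corpus (0.0..1.0)."""
    bg = letter_bigrams(nick)
    if not bg:
        return 1.0
    return sum(1 for b in bg if b not in REF_BIGRAMS) / len(bg)


# Hypothetical scoring rules and weights; they illustrate the approach and are
# not Rishi's actual rule set or thresholds.
TOKEN_RE = re.compile(r"\b(DEU|USA|GBR|FRA|ITA|XP|2K|NT)\b", re.IGNORECASE)
STANDARD_IRC_PORT = 6667


def score_nick(nick, port):
    """Return (score, reasons) for one nickname seen towards the given server port."""
    score, reasons = 0, []
    if re.search(r"\d{4,}", nick):
        score += 3
        reasons.append("run of 4+ digits")
    if re.search(r"[\[\]|]", nick):
        score += 2
        reasons.append("bracket/pipe separators")
    if TOKEN_RE.search(nick):
        score += 2
        reasons.append("country or OS token")
    unfamiliar = ngram_unfamiliarity(nick)
    if unfamiliar > 0.5:
        score += 2
        reasons.append(f"unusual letter bigrams ({unfamiliar:.2f})")
    if port != STANDARD_IRC_PORT:
        score += 1
        reasons.append(f"non-standard IRC port {port}")
    return score, reasons


def detect_bots(log_text, threshold=5):
    """(src, server, nick, score, reasons) for every observation at or above threshold."""
    hits = []
    for o in parse_log(log_text):
        score, reasons = score_nick(o.nick, o.port)
        if score >= threshold:
            hits.append((o.src, o.server, o.nick, score, reasons))
    return hits


if __name__ == "__main__":
    for src, server, nick, score, reasons in detect_bots(SAMPLE_LOG):
        print(f"{src} -> C&C {server} nick={nick!r} score={score}: {', '.join(reasons)}")
```

With the constructed sample, the two clients using machine-generated nicknames towards the server on port 1337 are reported and the three human nicknames score zero; in practice the reference corpus and the weights would be tuned on the monitored network's own traffic.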

"Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure"

Monday, March 5. 2007
The recent ACM Conference on Computer and Communications Security (CCS'06) had some interesting papers. One of them deals with so-called Puppetnets. A puppetnet is created by malicious web sites which exploit a visiting web browser and take control of it. Similar to a botnet, these puppetnets can be used to mount DDoS attacks, reconnaissance probes, or other nefarious purposes. Presumably the threat posed by these networks is far lower than that of botnets, but nevertheless they could pose a problem in the future due to the prevalence of client-side exploits. The full paper is entitled "Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure".

Abstract
Most of the recent work on Web security focuses on preventing attacks that directly harm the browser's host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that, depending mostly on the popularity of a malicious Web site and user browsing patterns, attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.


Advanced Honeypot-Based Intrusion Detection

Sunday, January 28. 2007
Together with Jan Göbel and Jens Hektor from the Center for Computing and Communication at RWTH Aachen University, I published an article entitled "Advanced Honeypot-Based Intrusion Detection" in the recent ;login: (Volume 31, Number 6) magazine.

The paper describes a custom network intrusion detection system called Blast-o-Mat based on different sensors, one of them being nepenthes. We describe the system and give an overview of the lessons learned, some quantitative results, and an example of a Haxdoor infection detected via the system.

A live demo of Blast-o-Mat is available at the Blast-o-mat Status page.

Abstract:
At RWTH Aachen University, with about 40,000 computer-using people to support, we have built a system to detect infected machines based on honeypots. One important building block of Blast-o-Mat is Nepenthes, which we use both to detect malware-infected systems and to collect malware. Nepenthes is a low-interaction honeypot that appears as vulnerable software but instead decodes attack code and downloads malware. We have been successful at uncovering and quarantining infected systems with sensors listening at 0.1% of our address space. Investigation of collected malware has led to discovery of many infected systems and even a huge cache of stolen identity information.

Stock Spam

Wednesday, January 10. 2007
This morning I took a closer look at the last 500 messages of my spam inbox at the gmail account (about the last five days). 106 of them were stock spam, thus a little more than 20% of the spam I receive is related to this kind of spam. These messages target only eight different ticker symbols:

As you can see, all of these ticker symbols are traded at Pink Sheets, an electronic system for trading penny stocks.

When taking a look at the reaction of the stock quotes, you can see some influence, some of the stocks being currently in their "pump" phase:


Presumably we will see a drop in the quotes in the next few days.

Most of the stock spam messages nowadays are image-based: only two ticker symbols are advertised via plain-text messages, the other six use images. Common OCR is pretty weak at recognizing the image content since it is scrambled in order to make filtering harder:
$ gocr personnel.gif
_
H'LuN,.pK . H '% BIopH, ARMAcE%IcAL s_ocK!, , _
HEA%HeuNIv,E\RsE,I'nc
S_b'ol: HLU_ , ,
Price: $o.o8 ' ' , '
5.day Target: , $O.50 ,' ,
Rating: Strong Buy ,,
HLU_.PH .$15 billion, plastic _cosmetic surgey m,a_ket!
H L U . P H .,G ETrl G READY TO E X P L O' D,E ! ! ! _


For more background on this kind of attack, take a look at our study on stock spam ("The Effect of Stock Spam on Financial Markets").

"$NAME message" | "It me $NAME" | "Me again $NAME" | "$NAME wrote"

Friday, November 24. 2006
Perhaps you have seen some stock spam messages in your inbox recently that have one of the subjects from the title. Those spam waves belong to some advertising "campaigns" for CNPM, GAMN, and NSLT (once with GIF images and once with only text in the message body). Pretty interesting to see that stock spam is still around, and it seems like the volume is rising. Is that an indication that stock spam is really a lucrative business? If not, the spammers presumably would have stopped those campaigns... Seems like our study on "The Effect of Stock Spam on Financial Markets" was not completely wrong :-)

SecurityFocus: "Viruses, Phishing, and Trojans For Profit"

Thursday, October 26. 2006
Kelly Martin from SecurityFocus published a nice article regarding the economic aspects of the underground: "Viruses, Phishing, and Trojans For Profit" is definitely an interesting read with links to many other articles. And I'm now off to start my YouTube :-)

A Multifaceted Approach to Understanding the Botnet Phenomenon

Thursday, October 19. 2006
At the upcoming Internet Measurement Conference 2006, one of the papers deals with botnets. The paper entitled "A Multifaceted Approach to Understanding the Botnet Phenomenon" by Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis from Johns Hopkins University presents results from their botnet studies. The data they have collected are very similar to the data we have collected at the German Honeynet Project. In fact, they use nepenthes as one of the basic building blocks of their system. They then analyze the collected binaries via "graybox testing" (logging of all network-related activity plus active IRC testing) - perhaps CWSandbox would yield better results. The resulting botnet information is then used to track the botnet with a drone, a similar approach to the one we presented in "Know your Enemy: Tracking Botnets" and in our ESORICS'05 paper. They also use DNS cache snooping to learn more about malicious DNS entries.

Abstract:
The academic community has long acknowledged the existence of malicious botnets, however to date, very little is known about the behavior of these distributed computing platforms. To the best of our knowledge, botnet behavior has never been methodically studied, botnet prevalence on the Internet is mostly a mystery, and the botnet life cycle has yet to be modeled. Uncertainty abounds. In this paper, we attempt to clear the fog surrounding botnets by constructing a multifaceted and distributed measurement infrastructure. Throughout a period of more than three months, we used this infrastructure to track 192 unique IRC botnets of size ranging from a few hundred to several thousand infected end-hosts. Our results show that botnets represent a major contributor to unwanted Internet traffic: 27% of all malicious connection attempts observed from our distributed darknet can be directly attributed to botnet-related spreading activity. Furthermore, we discovered evidence of botnet infections in 11% of the 800,000 DNS domains we examined, indicating a high diversity among botnet victims. Taken as a whole, these results not only highlight the prominence of botnets, but also provide deep insights that may facilitate further research to curtail this phenomenon.


Call for Paper: HotBots '07

Wednesday, October 18. 2006
The Call for Papers for the First Workshop on Hot Topics in Understanding Botnets (HotBots '07) is now available. I am very proud to be one of the members of the program committee and would love to see many submissions to the conference.

HotBots '07 will be co-located with the 4th USENIX Symposium on Networked Systems Design & Implementation (NSDI '07), which will take place April 11–13, 2007 in Cambridge, MA.

Important dates:
  • Paper submissions due: February 26, 2007

  • Notification to authors: March 19, 2007

  • Final papers due: April 2, 2007

The workshop itself will be held on April 10, 2007, in Cambridge, MA.

Overview:
Preliminary research or experience papers are solicited for the First Workshop on Hot Topics in Understanding Botnets (HotBots '07).

HotBots is intended as a forum for lively discussion of innovative ideas, recent progress, or practical experience in understanding all aspects of botnets. Intriguing preliminary results and thought-provoking ideas will be strongly favored. Papers will be selected for their potential to stimulate discussion in the workshop.


HotBots '07 will be a one-day event, Tuesday, April 10, 2007, co-located with the 4th USENIX Symposium on Networked Systems Design & Implementation (NSDI '07) in Cambridge, MA.

Workshop Format
To ensure a productive workshop environment, attendance will be by invitation and/or acceptance of paper submission.

Each author will have 15 minutes to present his or her idea, followed by 15 minutes of discussion with the workshop participants.


Call for Paper: 16th USENIX Security Symposium

Tuesday, September 26. 2006
The Call for Papers for the 16th USENIX Security Symposium is now available. I am very proud to be one of the members of the program committee and of course I would like to see many honeynet-related papers submitted to the conference!

Important dates:
  • Paper submissions due: Thursday, February 1, 2007, 11:59 p.m. PST

  • Panel proposals due: Thursday, March 29, 2007

  • Notification to authors: Wednesday, April 4, 2007

  • Final papers due: Monday, May 14, 2007

  • Work-in-Progress reports due: Wednesday, August 8, 2007, 6:00 p.m. EDT

The conference will be held from August 6–10, 2007, in Boston, MA.

About USENIX Security:
The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks.

All researchers are encouraged to submit papers covering novel and scientifically significant practical works in security or applied cryptography. Submissions are due on February 1, 2007, 11:59 p.m. PST. The Symposium will span five days: a two-day training program will be followed by a two and one-half day technical program, which will include refereed papers, invited talks, Work-in-Progress reports, panel discussions, and Birds-of-a-Feather sessions.
