Technical Report: Characterizing the IRC-based Botnet Phenomenon

Monday, December 3. 2007
Together with a few researchers from China, we studied IRC-based botnets in order to understand the extent of this phenomenon. Using different kinds of honeypots and several sensors deployed across different regions in China, we were able to collect thousands of bot binaries. With the help of a behavior-based analysis mechanism similar to CWSandbox, we could extract the Command & Control (C&C) server in an automated way. In a third step, we used this information to connect to the actual C&C server and passively monitored the activity in the channel. Furthermore, we also actively probed the C&C servers to find out other characteristics of these machines. The complete setup and our results are described in a technical report we just published.

Abstract:
Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term measurements. These include, amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area.

Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command & Control server of about 54 days. These results can also support research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail can we develop efficient countermeasures.


The complete report is available as TR-2007-010. More information regarding the Chinese Honeynet Project is available at the website of the Artemis Project.
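The measurement pipeline above has two automated steps that are easy to illustrate: pulling the C&C coordinates (server, port, nick, channel and channel key) out of the network records a behaviour-based sandbox produces, and turning repeated sightings of a C&C server into the lifetime figures the report averages. The following is an added example written for this post, not code from the report, from CWSandbox or from the Artemis Project; the record format, the regular expressions and all addresses, nicks and dates are constructed for illustration.

```python
"""Added example: extract IRC C&C coordinates from sandbox network records
and derive C&C server lifetimes from tracking data.

The record format and every value below are constructed for illustration;
they are not the format or data of CWSandbox or the technical report.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed sandbox-style records: a "connect" line per outbound TCP
# connection, followed by the IRC lines the sample sent ('>') or received ('<').
SANDBOX_RECORDS = """\
connect tcp 198.51.100.7:6667
> NICK [DEU|00|123456]
> USER xyz 0 0 :xyz
> JOIN #bots secret
< :irc.example.net 332 [DEU|00|123456] #bots :.scan.start
connect tcp 203.0.113.9:7000
> NICK bot-9981
> JOIN #cmd
"""

# Constructed tracking log: (server:port, ISO date) per successful check-in.
TRACKING_LOG = [
    ("198.51.100.7:6667", "2007-01-03"),
    ("198.51.100.7:6667", "2007-02-10"),
    ("198.51.100.7:6667", "2007-03-14"),
    ("203.0.113.9:7000", "2007-02-01"),
    ("203.0.113.9:7000", "2007-02-20"),
]

CONNECT_RE = re.compile(r"^connect tcp (\S+):(\d+)$")
NICK_RE = re.compile(r"^> NICK (\S+)$")
JOIN_RE = re.compile(r"^> JOIN (#\S+)(?: (\S+))?$")   # optional channel key


def extract_cnc(records):
    """Return one dict per connection in which the sample joined an IRC
    channel; connections that never JOIN are ignored as non-C&C traffic."""
    found = []
    current = None
    for line in records.splitlines():
        line = line.rstrip()
        m = CONNECT_RE.match(line)
        if m:                                   # new connection starts a record
            current = {"server": m.group(1), "port": int(m.group(2)),
                       "nick": None, "channel": None, "key": None}
            continue
        if current is None:
            continue
        m = NICK_RE.match(line)
        if m:
            current["nick"] = m.group(1)
            continue
        m = JOIN_RE.match(line)
        if m and current["channel"] is None:    # first JOIN identifies the C&C channel
            current["channel"] = m.group(1)
            current["key"] = m.group(2)         # None when no key was supplied
            found.append(current)
    return found


def cnc_lifetimes(tracking_log):
    """Lifetime of each C&C server in days: last sighting minus first sighting."""
    seen = defaultdict(list)
    for server, day in tracking_log:
        seen[server].append(date.fromisoformat(day))
    return {server: (max(days) - min(days)).days for server, days in seen.items()}


def average_lifetime(tracking_log):
    """Mean C&C lifetime over all servers in the tracking log."""
    lifetimes = cnc_lifetimes(tracking_log)
    return sum(lifetimes.values()) / len(lifetimes)


if __name__ == "__main__":
    for rec in extract_cnc(SANDBOX_RECORDS):
        print(rec)
    print(cnc_lifetimes(TRACKING_LOG))
    print("average lifetime (days):", average_lifetime(TRACKING_LOG))
```

Only the sample's own `JOIN` is taken as evidence of a C&C channel, so a connection that merely completes the IRC handshake and disconnects is not reported; on real sandbox output one would also want to follow the server's `332` topic reply, since the channel topic is where many IRC bots receive their standing orders. The lifetime figure is a lower bound: a server is only known to have lived between its first and last successful check-in.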

New KYE paper: Malicious Web Servers

Tuesday, August 14. 2007
The Honeynet Project & Research Alliance are excited to announce the release of a new paper in our Know Your Enemy series, "KYE: Malicious Web Servers". In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC.

Besides providing the information of this paper, we also publish the complete data set. We hope that Capture-HPC and the data enable the security community to easily become involved in studying the phenomenon of malicious servers.

"Exploring Multiple Execution Paths for Malware Analysis"

Wednesday, May 9. 2007
The upcoming 2007 IEEE Symposium on Security and Privacy has some interesting papers. The paper by Andreas Moser, Christopher Kruegel, and Engin Kirda from the Secure Systems Lab on "Exploring Multiple Execution Paths for Malware Analysis" deals with dynamic enumeration of execution paths. Such an approach can help to detect execution paths that are only triggered on certain conditions and helps with behavior-based analysis of malware.

Abstract
Malicious code (or malware) is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked.
The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions.

Security of virtual machines

Friday, April 20. 2007
Tavis Ormandy just gave an interesting presentation at CanSecWest'07 about the security of virtual machines (QEMU, VMware, Bochs, ...) entitled "An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environment". Using fuzzing and other techniques, he managed to find quite a few bugs in popular VMs, amongst others:
  • heap overflow in QEMU's NE2000 network device
  • heap overflow in QEMU's VGA code
  • vulnerability in VMware's power management code

For example, his summary for the security of QEMU is:
An attacker with access to a QEMU virtualized environment could potentially compromise the virtual machine process and execute arbitrary code with the privileges of the emulator. Malware being studied inside QEMU, even in an unprivileged state, can terminate the virtual machine safely and reliably.

Regarding malware analysis, these results presumably mean that the malware analysis process should be carried out on a native machine with some kind of restore cards, since we cannot trust the malware code. We use such a setup within CWSandbox and the results look promising.

Tavis also released a paper describing the results in detail. The paper also includes some proof-of-concept demos. Soon you can also find his presentation at the CanSec website.

Abstract
As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environment.

Rishi: Identify Bot Contaminated Hosts

Thursday, April 19. 2007
HotBots'07 took place last week in Boston. The paper by Jan Göbel and me is now available and I also publish the slides from my talk.
This workshop was by invitation only. As a courtesy, USENIX made the accepted papers available to everyone.