Storm Worm, Encryption, Disruption, and more...

Saturday, January 17. 2009
Dancho did an interview on the topic of Storm Worm, in which some wrong facts are stated by Georg Wicherski, who said: "On the 24c3 congress at the end of 2007, Thorsten Holz gave a presentation on disrupting Zhelatin’s command and control infrastructure, involving a /16 network or 65536 nodes in other terms." This statement is wrong: we did not use 65536 machines, but just 2 machines - one in Sophia Antipolis, France, and the other in Mannheim, Germany. Actually, everything is also possible with just one machine: the second machine was only used for measurements and to verify the results. I'm not sure what caused this confusion; presumably they did not read our paper on the topic :)

We also found out that the "authentication" used by Storm is very weak: the four-byte XOR key is a simple obfuscation scheme, whereas the 64-bit RSA needs a little more work to break. Actually, we published our results back in April 2008 at the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08), a fact that some people seem to have missed. Frederic Dahl also summarized all of these aspects in his diploma thesis, which was published in March 2008.
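To illustrate why a 64-bit RSA modulus offers no real protection, here is an added example (not code from the original post or from the paper it mentions) that factors a constructed 63-bit modulus with Pollard's rho method and recovers the private exponent in a fraction of a second; the primes, public exponent and sample message are constructed values, not Storm's key material.

```python
# Added illustration: a 64-bit RSA modulus can be factored on a laptop,
# so anything "signed" with such a key cannot be trusted as authentication.
# All key material and the message below are constructed for this demo.
from math import gcd


def pollard_rho(n):
    """Return a non-trivial factor of the composite n (Floyd cycle detection)."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        f = lambda x: (x * x + c) % n   # pseudo-random walk mod n
        x = y = 2
        d = 1
        while d == 1:
            x = f(x)
            y = f(f(y))
            d = gcd(abs(x - y), n)
        if d != n:                      # d == n: walk cycled without a factor
            return d
        c += 1                          # retry with a different polynomial


def recover_private_exponent(n, e):
    """Factor n and derive the private exponent d for public exponent e."""
    p = pollard_rho(n)
    q = n // p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse (Python 3.8+)
    return min(p, q), max(p, q), d


# Constructed 63-bit modulus from two well-known primes: 2^31-1 and 2^32-5.
P_DEMO = 2147483647
Q_DEMO = 4294967291
N_DEMO = P_DEMO * Q_DEMO
E_DEMO = 65537


def roundtrip_ok():
    """True if the recovered d inverts the public operation on a sample value."""
    _, _, d = recover_private_exponent(N_DEMO, E_DEMO)
    m = 0x1234567887654321 % N_DEMO     # constructed sample message
    return pow(pow(m, d, N_DEMO), E_DEMO, N_DEMO) == m


if __name__ == "__main__":
    p, q, d = recover_private_exponent(N_DEMO, E_DEMO)
    print(f"p={p} q={q} d={d} roundtrip_ok={roundtrip_ok()}")
```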

My presentation from back then is available as "Measurements and Mitigation of Peer-to-Peer-based Botnets" and I also did a talk during the work-in-progress session on the crypto aspects of Storm Worm: "Other Aspects of Storm Worm".

Nowadays Storm Worm is not a very interesting botnet; we actually stopped the crawler several months ago, since not many infected machines are still online in the network...

Malicious PDFs Analysis Continued

Monday, January 12. 2009
CWSandbox
After my initial posting about the possibility to analyze PDF files with CWSandbox, we received a few more such samples. In all cases the PDF file exploits a vulnerability in Acrobat Reader once the file is opened. With the help of CWSandbox it is possible to observe this exploit as well as the actions of the malware after the compromise (e.g., downloading additional malware from another server). Please find below three additional examples of such reports:

If you happen to have more malicious PDFs, please submit them at cwsandbox.org :-)

Fast-Flux Data from ATLAS

Friday, January 9. 2009
Yesterday Jose blogged about "2008 H2 Fast Flux Data Analysis", based on the information collected by ATLAS. They discovered on average between 40 and 50 new fast-flux domains per day and found the following trends:
We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. [...] The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs.

It's interesting to see the new developments in this area when comparing our paper from late 2007 with the measurement results from ATLAS. Our fast-flux tracking system will be online again in the next few days; I will also blog about some updates in the future.

25C3: "Banking Malware 101" Slides

Tuesday, December 30. 2008
The slides I used for my presentation at the 25th Chaos Communication Congress (25C3) are now available for download. The presentation was also recorded and should be available in the next few days at http://ftp.ccc.de/congress/25c3/pre-release/. The congress was a lot of fun; unfortunately I had to leave earlier...

An interesting presentation is scheduled for today at 15:15 CET: Jacob and Alex talk about Making the theoretical possible. Not many details are available (see the "abstract" at the left-hand side), but it seems like they found something big that basically affects everyone. Rumors are that they broke a Root CA key that is included in major browsers - the truth will be revealed in a couple of hours...

Analyzing Malicious PDF Files

Monday, December 22. 2008
CWSandbox
Recently we added a new feature to cwsandbox.org: it is now also possible to upload suspicious PDF files, which are then analyzed with the help of CWSandbox. Basically, we open the submitted file with Acrobat Reader 8.1.1, since that version has several vulnerabilities. During runtime we then observe the behavior of Acrobat and can detect suspicious changes such as new files on the hard disk or modified registry keys. Based on the generated report, it is then possible to detect malicious PDF files.

An example of such an analysis is available at https://cwsandbox.org/?page=details&id=520505&password=sfgpk. The PDF file 0416.pdf is malicious and has a rather good detection rate by AV vendors (21/38 - full details). In the CWSandbox report, we can see that the PDF file is opened with Acrobat Reader and then drops a new file called wuweb.exe, which is also executed. Afterwards, several other files are dropped and a server located in Singapore is contacted. Unfortunately this server is now offline, but presumably the server was used to download additional malware from the system