<?xml version="1.0" encoding="utf-8" ?>
<?xml-stylesheet href="/templates/default/atom.css" type="text/css" ?>

<feed 
   xmlns="http://www.w3.org/2005/Atom"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/">
    <link href="http://honeyblog.org/feeds/atom.xml" rel="self" title="honeyblog" type="application/atom+xml" />
    <link href="http://honeyblog.org/"                        rel="alternate"    title="honeyblog" type="text/html" />
    <link href="http://honeyblog.org/rss.php?version=2.0"     rel="alternate"    title="honeyblog" type="application/rss+xml" />
    <title type="html">honeyblog</title>
    <subtitle type="html">honeynet-related news and more...</subtitle>
    <icon>http://honeyblog.org/templates/default/img/s9y_banner_small.png</icon>
    <id>http://honeyblog.org/</id>
    <updated>2008-05-08T18:56:19Z</updated>
    <generator uri="http://www.s9y.org/" version="1.1.2">Serendipity 1.1.2 - http://www.s9y.org/</generator>
    <dc:language>en</dc:language>

    <entry>
        <link href="http://honeyblog.org/archives/173-New-Bot-Family-Detected-Light-Bots.html" rel="alternate" title="New Bot-Family Detected: Light-Bots" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-05-08T18:53:00Z</published>
        <updated>2008-05-08T18:56:19Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=173</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=173</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/4-malware" label="malware" term="malware" />
    
        <id>http://honeyblog.org/archives/173-guid.html</id>
        <title type="html">New Bot-Family Detected: Light-Bots</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Today, we observed a new family of bots while doing some research at our <a href="http://pi1.informatik.uni-mannheim.de/">lab</a>. While investigating several <a href="http://en.wikipedia.org/wiki/Kinder_Surprise">Kinder Surprises</a>, we detected two samples of a bot family named Light-Bots (see the picture on the right-hand side for more detail about the bots). <a class='serendipity_image_link' href='http://honeyblog.org/uploads/stuff/lbot.jpg'><!-- s9ymdb:40 --><img width='' height='' style="float: right; border: 0px; padding-left: 5px; padding-right: 5px;" src="http://honeyblog.org/uploads/stuff/lbot.serendipityThumb.jpg" alt="" /></a> A closer analysis revealed that the bot exists in at least two versions; we empirically found version S104 and S105. The propagation scheme is a variant of classical social engineering: victims are tricked into buying a Kinder Surprise and the bot is contained in the egg, similar to a Trojan Horse. At this point, we do not have any CWSandbox report of the bot behavior nor any signatures. However, the bot also contains a README that indicates a close relationship with the domain <a href="http://www.magic-kinder.com">www.magic-kinder.com</a>: <a class='serendipity_image_link' href='http://honeyblog.org/uploads/stuff/lbot-scan.png'><!-- s9ymdb:41 --><img width='160' height='111' style="float: right; border: 0px; padding-left: 5px; padding-right: 5px;" src="http://honeyblog.org/uploads/stuff/lbot-scan.serendipityThumb.png" alt="" /></a> 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/172-Polluting-Storm.html" rel="alternate" title="Polluting Storm" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-04-25T14:33:43Z</published>
        <updated>2008-04-25T14:33:43Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=172</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=172</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/4-malware" label="malware" term="malware" />
    
        <id>http://honeyblog.org/archives/172-guid.html</id>
        <title type="html">Polluting Storm</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Dark Reading recently had an article about <a href="http://honeyblog.org/archives/170-LEET08-Measurements-and-Mitigation-of-Peer-to-Peer-based-Botnets-A-Case-Study-on-Storm-Worm.html">our work</a> on Storm Worm entitled "<a href="http://www.darkreading.com/document.asp?doc_id=151862&amp;f_src=drdaily">Researchers Infiltrate and 'Pollute' Storm Botnet</a>" (also featured on <a href="http://it.slashdot.org/it/08/04/24/1426249.shtml">/.</a>). The article quotes Jose Nazario:<br />
<blockquote> "This has been a taboo subject of exploration, as people do not want to mess with other peoples' PCs by injecting commands," he says.</blockquote><br />
Just to clarify: We did not inject commands into Storm Worm, but just interfered with the communication process as explained in our <a href="http://www.usenix.org/events/leet08/tech/full_papers/holz/holz_html/">LEET'08 paper</a>. No commands were executed on an infected machine; we just injected packets into the communication process in order to stop the C&amp;C channel. In practice, this does not affect an infected machine: no extra network packets or CPU cycles are used on an infected machine.<br />
<br />
Slashdot had also covered our work a few days ago: <a href="http://it.slashdot.org/article.pl?sid=08/04/17/2051214">Storm Dismantled at USENIX LEET Workshop</a>. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/171-WOMBAT-FORWARD.html" rel="alternate" title="WOMBAT / FORWARD" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-04-25T12:07:23Z</published>
        <updated>2008-04-25T12:07:23Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=171</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=171</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/5-general" label="general" term="general" />
    
        <id>http://honeyblog.org/archives/171-guid.html</id>
        <title type="html">WOMBAT / FORWARD</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                In the last few days, the first workshops for two projects funded by the European Union took place: <a href="http://www.wombat-project.eu/">WOMBAT</a> and <a href="http://www.ict-forward.eu/">FORWARD</a>.<br />
<br />
Project description WOMBAT: <br />
<blockquote>The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key workpackages: (i) real time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny. The acquired knowledge will be shared with all interested security actors (ISPs, CERTs, security vendors, etc.), enabling them to make sound security investment decisions and to focus on the most dangerous activities first. Special care will also be devoted to impact the level of confidence of the European citizens in the net economy by leveraging security awareness in Europe thanks to the gained expertise.</blockquote><br />
<br />
Project description FORWARD: <br />
<blockquote>The FORWARD initiative aims at identifying, networking, and coordinating the multiple research efforts that are underway in the area of Cyber-threats defenses, and leveraging these efforts with other activities to build secure and trusted ICT systems and infrastructures.</blockquote><br />
<br />
The initial workshops were quite interesting; let's see how both projects evolve :-)<br />
The websites of both <a href="http://www.wombat-project.eu/">WOMBAT</a> and <a href="http://www.ict-forward.eu/">FORWARD</a> contain more information about the actual project, including more information about the participants and the initial workshops. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/170-LEET08-Measurements-and-Mitigation-of-Peer-to-Peer-based-Botnets-A-Case-Study-on-Storm-Worm.html" rel="alternate" title="LEET'08: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-04-11T09:24:41Z</published>
        <updated>2008-04-11T09:24:41Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=170</wfw:comment>
    
        <slash:comments>2</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=170</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/4-malware" label="malware" term="malware" />
            <category scheme="http://honeyblog.org/categories/3-paper" label="paper" term="paper" />
    
        <id>http://honeyblog.org/archives/170-guid.html</id>
        <title type="html">LEET'08: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Next week at the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (<a href="http://www.usenix.org/events/leet08/">LEET'08</a>), I will present our work on Storm Worm and the measurement results. The full paper is now <a href="http://honeyblog.org/junkyard/paper/storm-leet08.pdf">available</a>. See you at LEET next week!<br />
<br />
<b>Abstract</b>:<br />
Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.<br />
<br />
However, the first botnets that use peer-to-peer networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate peer-to-peer botnets. In a case study, we examine in detail the Storm Worm botnet, the most widespread peer-to-peer botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/169-April-Fools-Day-Storm.html" rel="alternate" title="April Fool's Day &amp; Storm" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-31T20:45:54Z</published>
        <updated>2008-03-31T20:45:54Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=169</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=169</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/4-malware" label="malware" term="malware" />
    
        <id>http://honeyblog.org/archives/169-guid.html</id>
        <title type="html">April Fool's Day &amp; Storm</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                A new "joke" from the Storm Worm botnet right before April Fool's Day. <!-- s9ymdb:39 --><img width='322' height='372' style="float: left; border: 0px; padding-left: 5px; padding-right: 5px;" src="http://honeyblog.org/uploads/stuff/storm/af-changed.png" alt="" /><br />
<br />
Consistent with their past behavior of introducing new propagation schemes right before important dates of national interest (start of NFL season, Halloween, Christmas Eve, ...), the botnet started to use a new social engineering theme right before <a href="http://en.wikipedia.org/wiki/April_Fools%27_Day">April Fool's Day</a>. The websites offer the actual bot binary under three different filenames (foolsday.exe, funny.exe, and kickme.exe), but they seem to be the same binary. I did not observe any drive-by download attack, thus it seems like they solely rely on social engineering - so don't fall for this hoax :-) 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/168-New-Capture-HPC-release.html" rel="alternate" title="New Capture-HPC release" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-30T21:44:43Z</published>
        <updated>2008-03-30T21:44:43Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=168</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=168</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/2-honeynets" label="honeynets" term="honeynets" />
    
        <id>http://honeyblog.org/archives/168-guid.html</id>
        <title type="html">New Capture-HPC release</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                A tool announcement:<br />
<br />
The <a href="http://www.honeynet.org">Honeynet Project</a> and <a href="http://www.mcs.vuw.ac.nz/">School of Mathematics, Statistics and Computer Science at Victoria University of Wellington</a> have just released version 2.1 of Capture-HPC, a tool that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance, allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from the main Honeynet Project web site at: <a href="https://projects.honeynet.org/capture-hpc/wiki">https://projects.honeynet.org/capture-hpc/wiki</a>. It is written and distributed under the GNU General Public License, v2.<br />
<br />
Capture-HPC is a computer security product that allows anyone to investigate client-side computer attacks; security researchers to find and study malicious servers; virus and malware researchers to collect malware pushed by malicious servers; network administrators to monitor their systems for client-side attacks; and web site operators to monitor their web sites for unauthorized modifications with client-side attack code. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/167-CanSecWest-PWN2OWN-2008.html" rel="alternate" title="CanSecWest PWN2OWN 2008" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-18T08:18:19Z</published>
        <updated>2008-03-18T08:24:11Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=167</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=167</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/1-administrativa" label="administrativa" term="administrativa" />
    
        <id>http://honeyblog.org/archives/167-guid.html</id>
        <title type="html">CanSecWest PWN2OWN 2008</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Announcing <a href="http://cansecwest.com/">CanSecWest PWN2OWN 2008</a>.<br />
===================================<br />
<br />
Three targets, all patched.  All in typical client configurations with typical user configurations.  You hack it, you get to keep it.<br />
<br />
Each has a file on it, containing the instructions and how to claim the prize. <br />
<br />
Targets (typical road-warrior clients):<br />
<ul><li>VAIO VGN-TZ37CN running Ubuntu 7.10</li><li>Fujitsu U810 running Vista Ultimate SP1</li><li>MacBook Air running OSX 10.5.2</li></ul><br />
<a class='serendipity_image_link' href='http://honeyblog.org/uploads/stuff/pwn2own.jpg'><!-- s9ymdb:35 --><img width='110' height='75' style="float: left; border: 0px; padding-left: 5px; padding-right: 5px;" src="http://honeyblog.org/uploads/stuff/pwn2own.serendipityThumb.jpg" alt="" /></a> This year's contest will begin on March 26th, and go during the presentation hours and breaks of the conference until March 28th. The main purpose of this contest is to present new vulnerabilities in these systems so that the affected vendor(s) can address them. Participation is open to any registered attendee of <a href="http://cansecwest.com/">CanSecWest 2008</a>. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/166-Program-for-LEET08-Storm-Paper.html" rel="alternate" title="Program for LEET'08 &amp; Storm Paper" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-18T00:29:53Z</published>
        <updated>2008-03-18T00:29:53Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=166</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=166</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/1-administrativa" label="administrativa" term="administrativa" />
    
        <id>http://honeyblog.org/archives/166-guid.html</id>
        <title type="html">Program for LEET'08 &amp; Storm Paper</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                The tentative program for the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (<a href="http://www.usenix.org/events/leet08/">LEET'08</a>)  is now <a href="http://www.usenix.org/events/leet08/tech/tech.html">available</a>. <br />
<br />
We also have a paper accepted: "<i>Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm</i>"<br />
We still need to revise the paper based on the reviewers' feedback; as a teaser, here is the preliminary abstract:<br />
<br />
"Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.<br />
However, the first botnets that use peer-to-peer (P2P) networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate P2P botnets. In a case study, we examine in detail the Storm Worm botnet, the most widespread P2P botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms." 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/165-CAPTCHA-fun.html" rel="alternate" title="CAPTCHA fun" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-13T11:16:00Z</published>
        <updated>2008-03-17T13:48:38Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=165</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=165</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/4-malware" label="malware" term="malware" />
    
        <id>http://honeyblog.org/archives/165-guid.html</id>
        <title type="html">CAPTCHA fun</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Websense had a story a few weeks ago on "<a href="http://www.websense.com/securitylabs/blog/blog.php?BlogID=174">Google’s CAPTCHA busted in recent spammer tactics</a>". The basic idea is that the attacker automatically signs up for freemail accounts (e.g., Google or live.com) with the help of certain malware. During the registration process, the attacker needs to solve a <a href="http://en.wikipedia.org/wiki/Captcha">CAPTCHA</a>. This can be done, for example, with the help of humans who are paid for this task. Another option is to use humans who want to access a certain service, e.g., a porn website. This is the cheaper option, and presumably also effective. An example of such a CAPTCHA attack is currently available at gift-vip.net. <i>Caution</i>: this is not work-safe; do not open it if you do not want to see adult content. I also created a short <a href="http://honeyblog.org/junkyard/stuff/captcha.html">movie</a> which illustrates this process. The movie is also available as <a href="http://honeyblog.org/junkyard/stuff/captcha.mov">.mov</a> and <a href="http://honeyblog.org/junkyard/stuff/captcha.swf">.swf</a> file.<br />
<br />
Thanks a lot Nick FitzGerald for this tip!<br />
<br />
[<b>Update</b>]: Please be careful when opening the actual site since it also contains a malicious iframe. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/163-SSAC-Advisory-on-Fast-Flux-Hosting-and-DNS.html" rel="alternate" title="SSAC Advisory on Fast Flux Hosting and DNS" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-13T07:31:00Z</published>
        <updated>2008-03-13T07:31:00Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=163</wfw:comment>
    
        <slash:comments>1</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=163</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/3-paper" label="paper" term="paper" />
    
        <id>http://honeyblog.org/archives/163-guid.html</id>
        <title type="html">SSAC Advisory on Fast Flux Hosting and DNS</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                The Security and Stability Advisory Committee (SSAC) of ICANN released an advisory regarding "<a href="http://www.icann.org/committees/security/sac025.pdf">Fast Flux Hosting and DNS</a>", in which they detail ICANN's view of FFSNs. Thanks Jose for the heads-up!<br />
<br />
Introduction<br />
<br />
"Fast flux" is an evasion technique that cyber-criminals and Internet miscreants use to evade identification and to frustrate law enforcement and anticrime efforts aimed at locating and shutting down web sites used for illegal purposes. Fast flux hosting is an application of technology that supports a wide variety of cyber-crime activities (fraud, identity theft, online scams) and is considered one of the most serious threats to online activities today. Basic fast flux hosting uses rapid modification of IP addresses associated with a system that hosts a malicious activity to evade detection and take down efforts. This technique is also used to rapidly modify the IP addresses of the name servers that resolve the domain names of the fluxed malicious hosts (this variant is sometimes called NS fast flux). A particularly troublesome variant of fast flux hosting, "double flux", fluxes addresses of both name servers and malicious (web server) hosts.<br />
<br />
This Advisory describes the technical aspects of fast flux hosting and fast flux service networks.  It explains how the DNS is exploited to abet criminal activities that employ fast flux hosting, identifying the impacts of fast flux hosting, and calling particular attention to the way such attacks extend the malicious or profitable lifetime of the illegal activities conducted using these fast flux techniques.  It describes current and possible methods of mitigating fast flux hosting at various points in the Internet. The Advisory discusses the pros and cons of these mitigation methods, identifies those methods that SSAC considers practical and sensible, and recommends that appropriate bodies consider policies that would make the practical mitigation methods universally available to registrants, ISPs, registrars and registries (where applicable for each).<br />
 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/164-loads.cc-vs.-CWSandbox.html" rel="alternate" title="loads.cc vs. CWSandbox" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-12T17:00:00Z</published>
        <updated>2008-03-12T17:00:00Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=164</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=164</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/4-malware" label="malware" term="malware" />
    
        <id>http://honeyblog.org/archives/164-guid.html</id>
        <title type="html">loads.cc vs. CWSandbox</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Sunbelt covered the <a href="http://sunbeltblog.blogspot.com/2008/03/rash-of-new-spam-pushes-malware.html">3D screensaver spam</a> and the <a href="http://sunbeltblog.blogspot.com/2008/03/dangerous-loadscc-malware-gang-re.html">background</a> of this scam in some detail. Dancho Danchev also blogged about some <a href="http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html">details</a> of this incident. And here are my 2 cents of info:<br />
<br />
The file load.exe (MD5: b20e4e725cc86b489ec441b97b728285) drops two files called 0.EXE and 1.EXE which are subsequently executed. 0.EXE creates the two files C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe and C:\WINDOWS\system32\drivers\spools.exe, which are also automatically started via a registry key. Furthermore, the following HTTP requests are sent:<br />
<br />
http://195.93.218.25/ld/?&amp;v=driver&amp;d=0<br />
http://195.93.218.25/ld/manda.php?id=-396739409&amp;v=driver&amp;d=0<br />
http://195.93.218.25/m.exe<br />
<br />
This IP address belongs to Buildhouse Ltd., located in Russia - a grey hosting provider?<br />
<br />
More complete info: <a href="https://www.cwsandbox.org/?page=details&amp;id=175160&amp;password=diehn">cwsandbox.org</a>. 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/162-NDSS08-Presentation.html" rel="alternate" title="NDSS'08 Presentation" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-12T08:02:00Z</published>
        <updated>2008-03-12T08:02:25Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=162</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=162</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/3-paper" label="paper" term="paper" />
    
        <id>http://honeyblog.org/archives/162-guid.html</id>
        <title type="html">NDSS'08 Presentation</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Yesterday I forgot to post the link to my presentation :-/<br />
The presentation I gave at NDSS'08 is available at <a href="http://honeyblog.org/junkyard/paper/08_ff_NDSS.pdf">http://honeyblog.org/junkyard/paper/08_ff_NDSS.pdf</a>. If you have comments or questions, please let me know! 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/161-Measuring-and-Detecting-Fast-Flux-Service-Networks.html" rel="alternate" title="&quot;Measuring and Detecting Fast-Flux Service Networks&quot;" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-11T15:42:22Z</published>
        <updated>2008-03-11T15:42:22Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=161</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=161</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/3-paper" label="paper" term="paper" />
    
        <id>http://honeyblog.org/archives/161-guid.html</id>
        <title type="html">&quot;Measuring and Detecting Fast-Flux Service Networks&quot;</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                One of the projects at our lab focuses on <a href="http://honeynet.org/papers/ff/">fast-flux service networks</a> (FFSNs), a mechanism used by attackers to build an overlay network on top of compromised machines. FFSNs are for example used to host scam pages or malicious content. Our findings were published in a paper at <a href="http://www.isoc.org/isoc/conferences/ndss/08/">NDSS'08</a>. The full paper has also been <a href="https://pi1.informatik.uni-mannheim.de/filepool/research/publications/fast-flux-ndss08.pdf">available</a> for a couple of weeks.<br />
<br />
<b>Abstract</b>:<br />
We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Considering our detection technique we also discuss possible mitigation strategies.<br />
<br />
<a href="https://pi1.informatik.uni-mannheim.de/filepool/research/publications/fast-flux-ndss08.pdf">Full paper</a> 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/160-Postcards-from-Storm.html" rel="alternate" title="Postcards from Storm" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-03-03T06:28:14Z</published>
        <updated>2008-03-03T06:44:35Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=160</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=160</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/4-malware" label="malware" term="malware" />
    
        <id>http://honeyblog.org/archives/160-guid.html</id>
        <title type="html">Postcards from Storm</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                Storm Worm changed its <a href="http://honeyblog.org/archives/153-Merry-Christmas-Storm!.html">propagation</a> <a href="http://honeyblog.org/archives/140-Trick-or-Treat-Storms-Halloween.html">scheme</a> <a href="http://honeyblog.org/archives/128-Sunshine-on-a-stormy-day.html">again</a>. It now sends out spam mails pointing to fake "ecards". The spammed site contains just an image and points to a binary called postcard.exe. A quick analysis shows that the core functionality has not changed at all. <!-- s9ymdb:34 --><img width='290' height='91' style="border: 0px; padding-left: 5px; padding-right: 5px;" src="http://honeyblog.org/uploads/stuff/storm/funny_postcards.gif" alt="" /> 
            </div>
        </content>
        
    </entry>
    <entry>
        <link href="http://honeyblog.org/archives/159-Call-for-Paper-EuroSec-2008.html" rel="alternate" title="Call for Paper: EuroSec 2008" />
        <author>
            <name>Thorsten Holz</name>
            <email>nospam@example.com</email>
        </author>
    
        <published>2008-02-01T13:23:40Z</published>
        <updated>2008-02-01T13:28:29Z</updated>
        <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=159</wfw:comment>
    
        <slash:comments>0</slash:comments>
        <wfw:commentRss>http://honeyblog.org/rss.php?version=atom1.0&amp;type=comments&amp;cid=159</wfw:commentRss>
    
            <category scheme="http://honeyblog.org/categories/1-administrativa" label="administrativa" term="administrativa" />
    
        <id>http://honeyblog.org/archives/159-guid.html</id>
        <title type="html">Call for Paper: EuroSec 2008</title>
        <content type="xhtml" xml:base="http://honeyblog.org/">
            <div xmlns="http://www.w3.org/1999/xhtml">
                <a href="http://www.cs.vu.nl/eurosec08/">EuroSec</a> is a new workshop associated with the Annual ACM SIGOPS <a href="http://www.eurosys.org/2008/">EuroSys</a> conference. The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work.<br />
<br />
EuroSec explicitly encourages members of the systems community to explore leading-edge topics and ideas before they are presented at a major conference. All submissions will be reviewed by the Program Committee. Only original, novel work will be considered for publication. Accepted papers will be published in the proceedings of EuroSec in the ACM Digital Library.<br />
<br />
You are hereby invited to submit papers of 6-8 single-spaced pages (including figures, tables and references). Font size should be 10pt.<br />
<br />
Important Dates:<br />
Deadline for paper submission: <b>February 4th, 2008</b> (firm deadline) <br />
Notification of acceptance or rejection: March 1st, 2008 <br />
Final paper camera ready copy: March 14th, 2008 <br />
Workshop dates: March 31st, 2008<br />
<br />
You can find more information at <a href="http://www.cs.vu.nl/eurosec08/">http://www.cs.vu.nl/eurosec08/</a> 
            </div>
        </content>
        
    </entry>

</feed>