honeyblog - admin

SysSec Workshop

nospam@example.com (Thorsten Holz) — Tue, 15 Feb 2011 16:35:00 +0100

It has been quite some time since I last blogged, in the past few months I mainly used my Twitter account to publish news. Today I want to blog again since the information about the SysSec Network of Excellence will not fit into a single tweet. SysSec is a Network of Excellence in the field of Systems Security, which has been created to build on the successful experience of the FORWARD initiative to work towards:

creating a virtual center of excellence, to consolidate the Systems Security research community in Europe
promoting cybersecurity education
engaging a think-tank in discovering the threats and vulnerabilities of the Current and Future Internet,
creating an active research roadmap in the area, and
developing a joint working plan to conduct State-of-the-Art collaborative research.

As part of its dissemination activities, the SysSec Network of Excellence proposes to organize a workshop focused on system security research, as the first step towards creating a virtual center of excellence to consolidate the Systems Security research community in Europe. The 1st SysSec Workshop targets researchers from Europe and the rest of the World, with the short-term goal of creating a vigorous forum to map the systems security research area, with particular focus on European security communities. While this workshop invites submissions from all the research groups on systems security in the world, it encourages particularly research groups from Europe to take advantage of this opportunity. The long-term goal of this first of a series of periodic workshops, is to build a reference meeting place of the systems security community in Europe.

The Last Line of Defense - http://tllod.com

nospam@example.com (Thorsten Holz) — Thu, 01 Jul 2010 15:11:00 +0200

I am excited to announce that the website of our start-up company LastLine, Inc., is now live at http://www.tllod.com. The team behind LastLine is composed of people you know from the International Secure Systems Lab (http://iseclab.org), we are coming from the University of California, Santa Barbara, the Vienna University of Technology (Austria), Eurecom (France), and Ruhr-University Bochum (Germany). We all have extensive expertise in malware analysis and malware countermeasures (see our list of publications) and you might know tools like Anubis or Wepawet that have been developed by us.

LastLine, Inc., provides protection technology that is complementary to existing anti-virus software and firewalls. Our approach is based on cyber crime intelligence that we gather by analyzing millions of suspicious URLs and binaries each day. More precisely, using our advanced malware analysis tools, we pinpoint the exploit servers that are behind drive-by exploits campaigns and the command and control server that manage botnets. These servers constitute the malicious infrastructure that is used by cyber criminals to carry out their attacks.

One of the first product we offer is llweb, a tool that analyzes web sites for the presence of malicious code, such as drive-by download exploits. llweb was developed by the creators of Wepawet and you can find out more about the tool at http://tllod.com/products/llweb. We also offer several other tools and services: llmon is a service that helps organizations to determine if their hosts are used to deliver or control malware. We continuously monitor whether a customer's assets participate in malicious activities, and if so, we provide detailed and early warning so that proper mitigation steps can be initiated. llmon was developed by some of the creators of FIRE. Furthermore, we provide access to the list of IP addresses, domains, and URLs that we identify to be associated with malicious activity on the Internet. Customers can obtain continuously-updated intelligence, which can be leveraged internally to identify compromised hosts or configure network access control mechanisms. You can find more about our products at http://tllod.com/what.

Call for Papers: EC2ND'10

nospam@example.com (Thorsten Holz) — Thu, 24 Jun 2010 09:54:00 +0200

The sixth European Conference on Computer Network Defense (EC2ND) will be held at the Faculty of Electrical Engineering and Computer Science at Berlin Institute of Technology (TU Berlin) on October 28-29, 2010. The conference brings together researchers from academia and industry within Europe and beyond to present and discuss current topics in applied network and systems security. EC2ND 2010 invites submissions presenting novel ideas in the areas of network defense, intrusion detection and systems security.

EC2ND 2010 specifically encourages submissions presenting work at an early stage with the intention to act as a discussion forum for innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results.

Important dates:

Paper submission deadline: July 2, 2010
Paper acceptance or rejection: August 6, 2010
Final paper camera ready copy: August 13, 2010
Conference dates: October 28-29, 2010

The full Call for Papers is available at http://2010.ec2nd.org/cfp/

Chaosradio Express #155

nospam@example.com (Thorsten Holz) — Thu, 10 Jun 2010 18:07:40 +0200

Recently I recorded a longer podcast together with Tim Pritlove on malware and botnets. It was published a few days ago as Chaosradio Express #155. The podcast is in German and lasts for about 2.5 hours. The podcast is available at http://chaosradio.ccc.de/cre155.html and you can also get it via iTunes.

Here the German description:

Malware hat sich in den letzten 10 Jahren von einem Forschungsfeld zu einer globalen Bedrohung der internationalen Dateninfrastruktur entwickelt. Botnetze stellen dabei die bedauerliche Krönung der kriminellen Aktivitäten dar und es erfordert einen großen Aufwand, diesen Systemen nachzugehen und sie wieder auszuschalten. Trotz eines fortwährenden Katz- und Mausspielchens gelingt es den Sicherheitsforschern immer wieder, große Botnetze vom Netz zu nehmen. Im Gespräch mit Tim Pritlove erläutert Thorsten Holz Geschichte und technische Hintergründe zu Malware und Botnetzen.

Themen: wie sich Malware über die Zeit vom Experiment zum Werkzeug von Kriminellen entwickelt hat; welche Sicherheitslücken ausgenutzt werden; welche Methoden Betriebssysteme haben, sich gegen Malware zu wehren; das Layer-8-Problem; die Antiviren-Industrie; was Microsoft für seine Sicherheit getan hat; Botnetze und Spam und andere Formen der Monetarisierung; wie sich Botnetze gegen Aufklärung schützen; wie man ein Botnetz ausforscht, austrickst und lahmlegt; Botnetze aufspüren mit Honeypots; Botnetze in Behörden und Botschaften; Kommunikation und Kollaboration von Securitygruppen; technische und moralische Probleme beim Herunterfahren eines Botnets; Kooperation mit ISPs; Botnetzbekämpfung vs. Zensurinfrastruktur; Botnetze und der Mac; Konzepte für sichere Betriebssysteme; Security Usability; Automatisierte Malware Analyse.

USENIX LEET'10 & RAID 2010

nospam@example.com (Thorsten Holz) — Thu, 15 Apr 2010 09:06:23 +0200

A quick announcement:

Join us at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats, which will take place in San Jose, CA, on April 27, 2010. LEET '10 will provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on.

The program includes:
-- Keynote Address: "Why Don't I (Still) Trust Anything?" by Jeff Moss, Founder, Black Hat and DEF CON

-- Invited Talk: "Naked Avatars and Other Cautionary Tales About MMORPG Password Stealers," by Jeff Williams, Microsoft Malware Protection Center

-- Sessions on threat measurement and characterization, botnets, threat detection and mitigation, and more.

Check out the full program at
http://www.usenix.org/events/leet10/tech/

Connect with the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats in fostering the development of preliminary work in this diverse area and stimulating discussion of thought-provoking ideas.

Find out more and register today at
http://www.usenix.org/leet10/proga

And please note that the deadline for RAID 2010 has been extended to April 21, 2010. See the Call for Participation for more details. Looking forward to your papers!

Continue reading "USENIX LEET'10 & RAID 2010"

Waledac Infection Check

nospam@example.com (Thorsten Holz) — Tue, 02 Mar 2010 22:29:00 +0100

Ben Stock has implemented a web service to check a given IP address for infection with Waledac, similar to the Conficker Eye Chart. The idea is that we are currently tracking Waledac as part of the take-down effort and thus we have a pretty good overview of the individual bots within the botnet. Therefore we are in a position to determine if we have seen a given IP address in the recent past as a bot, which indicates that this IP address might be related to a Waledac infection. Of course, effects like NAT or DHCP need to be taken into account: if an IP address is not listed, this does not necessarily mean that you are not infected.

The check is available at http://mwanalysis.org/waledac/, feedback is welcome!

Call for Papers: LEET'10

nospam@example.com (Thorsten Holz) — Mon, 25 Jan 2010 09:03:00 +0100

The submissions deadline for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '10) is quickly approaching. Please submit your work by Thursday, February 25, 2010, 11:59 p.m. PST. The full call for papers is available at http://www.usenix.org/events/leet10/cfp/, see an overview below:

Topics
Now in its third year, LEET continues to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on. We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses.

Overview
Information technology (IT) adds $2 trillion annually to the US economy alone. While these technologies have enabled significant global economic growth, they have become rich targets for malicious activity. The US Federal Bureau of Investigation (FBI) indicated that cyber crime reached an all-time high in 2008; cyber crime now ranks as the FBI's third highest priority, behind such dramatic threats as counter-terrorism and counter-espionage. Much of this malicious activity is driven by economic incentives, but recently we have seen the emergence of highly visible, politically motivated attacks. While the motivations for malicious behavior and the technical mechanisms that enable them remain rich areas of research, it is clear that today our global society is faced with a wide range of cyber criminal activities: spam, phishing, denial of service, click fraud, etc.

Workshop Format
LEET aims to be a true workshop, with the twin goals of fostering the development of preliminary work and helping to unify the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats. Intriguing preliminary results and thought-provoking ideas will be strongly favored; papers will be selected for their potential to stimulate discussion in the workshop. Each author will have 15 minutes to present his or her work, followed by 15 minutes of discussion with the workshop participants.

Call for Papers: WEIS'10

nospam@example.com (Thorsten Holz) — Mon, 18 Jan 2010 19:15:00 +0100

I am happy to serve on the program committee of the 9th Workshop on the Economics of Information Security (WEIS). The Call for Papers is now available. WEIS will take place on June 7-8, 2010 at Harvard University, Cambridge, MA, USA

Important dates are:

Submissions due: February 22, 2010
Notification of acceptance: April 2, 2010
Workshop: June 7-8, 2010

Information security continues to grow in importance, as threats proliferate, privacy erodes, and attackers find new sources of value. Yet the security of information systems depends on more than just technology. Good security requires an understanding of the incentives and tradeoffs inherent to the behavior of systems and organizations. As society’s dependence on information technology has deepened, policy makers, including the President of the United States, have taken notice. Now more than ever, careful research is needed to accurately characterize threats and countermeasures, in both the public and private sectors.

The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary scholarship on information security, combining expertise from the fields of economics, social science, business, law, policy and computer science. Prior workshops have explored the role of incentives between attackers and defenders, identified market failures dogging Internet security, and assessed investments in cyber-defense. This workshop will build on past efforts using empirical and analytic tools to not only understand threats, but also strengthen security through novel evaluations of available solutions. How should information risk be modeled given the constraints of rare incidence and high interdependence? How do individuals’ and organizations’ perceptions of privacy and security color their decision making? How can we move towards a more secure information infrastructure and code base while accounting for the incentives of stakeholders?

The full Call for Papers is available at http://weis2010.econinfosec.org/cfp.html.

Call for Papers: DIMVA 2010

nospam@example.com (Thorsten Holz) — Sun, 27 Dec 2009 13:01:33 +0100

I am happy to be a member of the program committee for the Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2010). The Call for Papers is now available and we are looking forward to review your submissions. DIMVA will take place in Bonn, Germany on July 8-9 2010.

Deadline for paper submission: February 5, 2010

Notification of acceptance/rejection: April 5, 2010

Final camera-ready copies due: April 26, 2010

Conference: July 8-9, 2010

The annual DIMVA conference serves as a premier forum for advancing the state of the art in intrusion detection, malware detection, and vulnerability assessment. Each year DIMVA brings together international experts from academia, industry and government to present and discuss novel research in these areas. DIMVA is organized by the special interest group Security - Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI). The conference proceedings will appear in Springer's Lecture Notes in Computer Science (LNCS) series.

DIMVA solicits submission of high-quality, original scientific work.
This year we invite two types of paper submissions:

Full papers, presenting novel and mature research results. Full papers are limited to 20 pages, prepared according to the instructions provided below. They will be reviewed by the program committee, and papers accepted for presentation at the conference will be included in the proceedings.

Short papers (extended abstracts), presenting original, still ongoing work that has not yet reached the maturity required for a full paper. Short papers are limited to 10 pages, prepared according to the instructions provided below. They will also be reviewed by the program committee, and papers accepted for presentation at the conference will be included in the proceedings (containing Extended Abstract in the title).

The full Call for Papers is available at http://dimva2010.fkie.fraunhofer.de/cfp-dimva2010.txt

Call for Papers: EuroSec 2010

nospam@example.com (Thorsten Holz) — Wed, 25 Nov 2009 16:29:24 +0100

The next edition of the European Workshop on System Security (EuroSec 2010) will take place on the 13th of April, 2010, in Paris, France. Please find below the call for papers.

About EuroSec:
EuroSec is a new workshop associated with the Annual ACM SIGOPS EuroSys conference. The workshop aims to bring together researchers, practitioners, system administrators, system programmers, and others interested in the latest advances in the security of computer systems and networks. The focus of the workshop is on novel, practical, systems-oriented work.

Important dates:

Paper submission: February 7, 2010 (Hard deadline, no extensions), 5pm, PST
Acceptance notification: March 1, 2010
Final paper due: March 12, 2010
Workshop: April 13, 2010

Continue reading "Call for Papers: EuroSec 2010"

Server Move

nospam@example.com (Thorsten Holz) — Sun, 30 Aug 2009 09:09:28 +0200

During the weekend the blog moved to another server. I hoped the transition is now complete and everything is still working as expected. If you observe broken links or similar glitches, please let me know at thorsten.holz [at] gmail.com.

Alive Again: CWSandbox.org and Me

nospam@example.com (Thorsten Holz) — Wed, 08 Jul 2009 15:03:00 +0200

In the last few weeks I did not have much time to blog, my real life kept me busy. In the meantime, I finished my Ph.D. studies at the Laboratory for Dependable Distributed Systems and prepared my move to Vienna: I joined the International Secure Systems Lab (http://www.iseclab.org/) where I now work as a postdoc researcher. For now I stay in academia, let's see what the future brings. Basically I will continue my work on bots/botnets, honeypots/honeynets, malware analysis, and underground economy. In the next couple of days I will blog about some recent papers that we published - this will serve as the foundations of my work in the next months.

The public interface to CWSandbox at http://cwsandbox.org/ was offline for several weeks due to some internal problems, but the service is now online again. The backend was completely revised and a new database layout provides better scalability.

Blog of the FORWARD Project

nospam@example.com (Thorsten Holz) — Fri, 20 Mar 2009 17:45:00 +0100

One of the projects I am involved in is FORWARD:

FORWARD is an initiative by the European Commission to promote the collaboration and partnership between Academia and Industry in their common goal of protecting Information and Communication Technology (ICT) infrastructures. Communication networks and computers are under constant Cyber-threats from malicious users and organizations that use viruses, worms, spyware, botnets, spam, and phishing, to harm the European citizens and organizations.

The FORWARD initiative aims at identifying, networking, and coordinating the multiple research efforts that are underway in the area of Cyber-threats defenses, and leveraging these efforts with other activities to build secure and trusted ICT systems and infrastructures.

A complete overview of the FORWARD project is available at http://www.ict-forward.eu/. The project is funded as part of the European Community's Seventh Framework Programme. Since some time, the project also maintains a blog, which is located at http://blogs.ict-forward.eu/forward/. There you can find the latest updates and an overview of the current project activity. Check it out and comment on the project, we would love to get your feedback!

CanSec / PWN2OWN contest

nospam@example.com (Thorsten Holz) — Thu, 19 Mar 2009 18:39:00 +0100

It has been some time since my last blog entry, I've been busy with my thesis. My defense is at the end of next month - finally getting ready with everything :)

This week I am in Vancouver for CanSec, I taught a course about honeypots on Monday. Now I'm enjoying the conference, the agenda is pretty cool this year! The main focus of yesterday was on mobile phones, most of the presentations dealt with smartphones like the iPhone or the Android platform. Sniffing keystrokes via a laser microphone or a voltmeter is next, really looking forward to that presentation.

CanSec also has a new edition of the PWN2OWN contest. This year, the main focus of the contest is web browsers and mobile phones. On the first day, several browsers were 0wned, Nils even managed to exploit three different browsers. Below is a screenshot of the scoreboard taken in the afternoon - Julien then managed to compromise the machine and afterwards Nils scored for the third time:

Interestingly, nobody attacked the smartphones - perhaps we see some attacks during day 2 and 3.

25C3: "Banking Malware 101"

nospam@example.com (Thorsten Holz) — Sat, 20 Dec 2008 10:42:00 +0100

The 25th Chaos Communication Congress (25C3) will take place next week in Berlin, Germany. CCC is always fun and I'm really looking forward to the Congress. I will give a talk on banking malware at the second day (see the schedule for details). The talk can be summarized as:

In the recent years, we observed a growing sophistication how credentials are stolen from compromised machines: the attackers use sophisticated keyloggers to control the victim's machine and use different techniques to steal the actual credentials. In this talk, we present an overview of this threat and empirical measurement results.

Some aspects of this talk are covered by our recent technical report on banking malware, but I will go into some more technical details. If you also attend CCC, you can find me there and we can discuss questions :)