<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule">
<channel>
    <title>honeyblog - paper</title>
    <link>http://honeyblog.org/</link>
    <description>honeynet-related news and more...</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.1.2 - http://www.s9y.org/</generator>
    
    <image>
        <url>http://honeyblog.org/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: honeyblog - paper - honeynet-related news and more...</title>
        <link>http://honeyblog.org/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>LEET'08: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm</title>
    <link>http://honeyblog.org/archives/170-LEET08-Measurements-and-Mitigation-of-Peer-to-Peer-based-Botnets-A-Case-Study-on-Storm-Worm.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/170-LEET08-Measurements-and-Mitigation-of-Peer-to-Peer-based-Botnets-A-Case-Study-on-Storm-Worm.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=170</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=170</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Next week at the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (&lt;a href=&quot;http://www.usenix.org/events/leet08/&quot;&gt;LEET&#039;08&lt;/a&gt;), I will present our work on Storm Worm and the measurement results. The full paper is now &lt;a href=&quot;http://honeyblog.org/junkyard/paper/storm-leet08.pdf&quot;&gt;available&lt;/a&gt;. See you at LEET next week!&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.&lt;br /&gt;
&lt;br /&gt;
However, the first botnets that use peer-to-peer networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate peer-to-peer botnets. In a case study, we examine in detail the Storm Worm botnet, the most widespread peer-to-peer botnet currently propagating in the wild. We were able to infiltrate and analyze the botnet in depth, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms. 
    </content:encoded>

    <pubDate>Fri, 11 Apr 2008 11:24:41 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/170-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>SSAC Advisory on Fast Flux Hosting and DNS</title>
    <link>http://honeyblog.org/archives/163-SSAC-Advisory-on-Fast-Flux-Hosting-and-DNS.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/163-SSAC-Advisory-on-Fast-Flux-Hosting-and-DNS.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=163</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=163</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The Security and Stability Advisory Committee (SSAC) of ICANN released an advisory regarding &quot;&lt;a href=&quot;http://www.icann.org/committees/security/sac025.pdf&quot;&gt;Fast Flux Hosting and DNS&lt;/a&gt;&quot;, in which they detail ICANN&#039;s view of FFSNs. Thanks Jose for the heads-up!&lt;br /&gt;
&lt;br /&gt;
Introduction&lt;br /&gt;
&lt;br /&gt;
&quot;Fast flux&quot; is an evasion technique that cyber-criminals and Internet miscreants use to evade identification and to frustrate law enforcement and anticrime efforts aimed at locating and shutting down web sites used for illegal purposes. Fast flux hosting is an application of technology that supports a wide variety of cyber-crime activities (fraud, identity theft, online scams) and is considered one of the most serious threats to online activities today. Basic fast flux hosting uses rapid modification of IP addresses associated with a system that hosts a malicious activity to evade detection and take down efforts. This technique is also used to rapidly modify the IP addresses of the name servers that resolve the domain names of the fluxed malicious hosts (this variant is sometimes called NS fast flux). A particularly troublesome variant of fast flux hosting, &quot;double flux&quot;, fluxes addresses of both name servers and malicious (web server) hosts.&lt;br /&gt;
&lt;br /&gt;
This Advisory describes the technical aspects of fast flux hosting and fast flux service networks. It explains how the DNS is exploited to abet criminal activities that employ fast flux hosting, identifies the impacts of fast flux hosting, and calls particular attention to the way such attacks extend the malicious or profitable lifetime of the illegal activities conducted using these fast flux techniques. It describes current and possible methods of mitigating fast flux hosting at various points in the Internet. The Advisory discusses the pros and cons of these mitigation methods, identifies those methods that SSAC considers practical and sensible, and recommends that appropriate bodies consider policies that would make the practical mitigation methods universally available to registrants, ISPs, registrars and registries (where applicable for each).&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 13 Mar 2008 08:31:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/163-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>NDSS'08 Presentation</title>
    <link>http://honeyblog.org/archives/162-NDSS08-Presentation.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/162-NDSS08-Presentation.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=162</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=162</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Yesterday I forgot to post the link to my presentation :-/&lt;br /&gt;
The presentation I gave at NDSS&#039;08 is available at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/08_ff_NDSS.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/08_ff_NDSS.pdf&lt;/a&gt;. If you have comments or questions, please let me know! 
    </content:encoded>

    <pubDate>Wed, 12 Mar 2008 09:02:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/162-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>&quot;Measuring and Detecting Fast-Flux Service Networks&quot;</title>
    <link>http://honeyblog.org/archives/161-Measuring-and-Detecting-Fast-Flux-Service-Networks.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/161-Measuring-and-Detecting-Fast-Flux-Service-Networks.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=161</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=161</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    One of the projects at our lab focuses on &lt;a href=&quot;http://honeynet.org/papers/ff/&quot;&gt;fast-flux service networks&lt;/a&gt; (FFSNs), a mechanism used by attackers to build an overlay network on top of compromised machines. FFSNs are for example used to host scam pages or malicious content. Our findings were published in a paper at &lt;a href=&quot;http://www.isoc.org/isoc/conferences/ndss/08/&quot;&gt;NDSS&#039;08&lt;/a&gt;. The full paper has also been &lt;a href=&quot;https://pi1.informatik.uni-mannheim.de/filepool/research/publications/fast-flux-ndss08.pdf&quot;&gt;available&lt;/a&gt; for a couple of weeks.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely-known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Considering our detection technique we also discuss possible mitigation strategies.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;https://pi1.informatik.uni-mannheim.de/filepool/research/publications/fast-flux-ndss08.pdf&quot;&gt;Full paper&lt;/a&gt; 
    </content:encoded>

    <pubDate>Tue, 11 Mar 2008 16:42:22 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/161-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Collecting Autonomous Spreading Malware Using High-Interaction Honeypots</title>
    <link>http://honeyblog.org/archives/158-Collecting-Autonomous-Spreading-Malware-Using-High-Interaction-Honeypots.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/158-Collecting-Autonomous-Spreading-Malware-Using-High-Interaction-Honeypots.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=158</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=158</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Together with a few researchers from the &lt;a href=&quot;http://www.honeynet.org.cn/index.php?lang=en&quot;&gt;Chinese Honeynet Project&lt;/a&gt;, we published a paper about capturing autonomous spreading malware with high-interaction honeypots at the 9th International Conference on Information and Communications Security (&lt;a href=&quot;http://www.icics2007.org.cn/&quot;&gt;ICICS 2007&lt;/a&gt;) which is now &lt;a href=&quot;http://honeyblog.org/junkyard/paper/honeybow-ICICS07.pdf&quot;&gt;available&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Keywords&lt;/b&gt;: Honeypots - Intrusion Detection Systems - Malware&lt;br /&gt;
&lt;br /&gt;
Full Paper: &lt;a href=&quot;http://honeyblog.org/junkyard/paper/honeybow-ICICS07.pdf&quot;&gt;Collecting Autonomous Spreading Malware Using High-Interaction Honeypots&lt;/a&gt; (&lt;a href=&quot;http://www.springerlink.com/content/978-3-540-77047-3/&quot;&gt;LNCS 4861&lt;/a&gt;) 
    </content:encoded>

    <pubDate>Fri, 11 Jan 2008 09:43:56 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/158-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web</title>
    <link>http://honeyblog.org/archives/147-Technical-Report-Studying-Malicious-Websites-and-the-Underground-Economy-on-the-Chinese-Web.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/147-Technical-Report-Studying-Malicious-Websites-and-the-Underground-Economy-on-the-Chinese-Web.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=147</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=147</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Together with the researchers from the &lt;a href=&quot;http://www.honeynet.org.cn/index.php?lang=en&quot;&gt;Chinese Honeynet Project&lt;/a&gt;, we also examined the extent of malicious websites on the Chinese Web. Using high- and low-interaction honeyclients, we were able to find about 2,500 sites (1.49% of overall examined sites) that tried to compromise an unpatched system. Furthermore, we also studied the underground black market which is used to trade exploits, malware, and stolen virtual goods. Several measurements provide an insight into the black market on the Chinese Web and show that the attackers are organized pretty well. We published our findings as a &lt;a href=&quot;http://honeyblog.org/junkyard/reports/www-china-TR.pdf&quot;&gt;technical report&lt;/a&gt; to share the lessons we learned.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract:&lt;/b&gt;&lt;br /&gt;
&lt;blockquote&gt;The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousands of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant amount of websites within China&#039;s part of the Web are malicious: our measurements reveal that about 1.49% of the examined sites contain some kind of malicious content.&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
The complete report is available as &lt;a href=&quot;http://honeyblog.org/junkyard/reports/www-china-TR.pdf&quot;&gt;TR-2007-011&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Tue,  4 Dec 2007 08:16:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/147-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Technical Report: Characterizing the IRC-based Botnet Phenomenon</title>
    <link>http://honeyblog.org/archives/146-Technical-Report-Characterizing-the-IRC-based-Botnet-Phenomenon.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/146-Technical-Report-Characterizing-the-IRC-based-Botnet-Phenomenon.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=146</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=146</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Together with a few researchers from China, we studied IRC-based botnets in order to understand the extent of this phenomenon. Using different kinds of honeypots and several sensors deployed across different regions in China, we were able to collect thousands of bot binaries. With the help of a behavior-based analysis mechanism similar to &lt;a href=&quot;http://www.cwsandbox.org&quot;&gt;CWSandbox&lt;/a&gt;, we could extract the Command &amp;amp; Control (C&amp;C) server in an automated way. In a third step, we used this information to connect to the actual C&amp;C server and passively monitored the activity in the channel. Furthermore, we also actively probed the C&amp;C servers to find out other characteristics of these machines. The complete setup and our results are described in a &lt;a href=&quot;http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf&quot;&gt;technical report&lt;/a&gt; we just published.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
&lt;blockquote&gt;Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term measurements. These include, amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area.&lt;br /&gt;
&lt;br /&gt;
Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command &amp;amp; Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail can we develop efficient countermeasures.&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
The complete report is available as &lt;a href=&quot;http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf&quot;&gt;TR-2007-010&lt;/a&gt;. And more information regarding the Chinese Honeynet Project is available at the website of the &lt;a href=&quot;http://www.honeynet.org.cn/index.php?lang=en&quot;&gt;Artemis Project&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Mon,  3 Dec 2007 14:02:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/146-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>New KYE paper: Malicious Web Servers</title>
    <link>http://honeyblog.org/archives/134-New-KYE-paper-Malicious-Web-Servers.html</link>
            <category>administrativa</category>
            <category>honeynets</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/134-New-KYE-paper-Malicious-Web-Servers.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=134</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=134</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The Honeynet Project &amp;amp; Research Alliance are excited to announce the release of a new paper in our Know Your Enemy series, &quot;&lt;a href=&quot;http://www.honeynet.org/papers/mws/index.html&quot;&gt;KYE: Malicious Web Servers&lt;/a&gt;&quot;. In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot &lt;a href=&quot;http://www.nz-honeynet.org/capture.html&quot;&gt;Capture-HPC&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Besides providing the information of this paper, we also publish the &lt;a href=&quot;http://www.nz-honeynet.org/kye/mws/complete_data_set.zip&quot;&gt;complete data set&lt;/a&gt;. We hope that Capture-HPC and the data enable the security community to easily become involved in studying the phenomenon of malicious servers.  
    </content:encoded>

    <pubDate>Tue, 14 Aug 2007 20:04:14 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/134-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>&quot;Exploring Multiple Execution Paths for Malware Analysis&quot;</title>
    <link>http://honeyblog.org/archives/122-Exploring-Multiple-Execution-Paths-for-Malware-Analysis.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/122-Exploring-Multiple-Execution-Paths-for-Malware-Analysis.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=122</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=122</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The upcoming &lt;a href=&quot;http://www.ieee-security.org/TC/SP2007/oakland07.html&quot;&gt;2007 IEEE Symposium on Security and Privacy&lt;/a&gt; has some interesting papers. The paper by Andreas Moser, Christopher Kruegel, and Engin Kirda from the &lt;a href=&quot;http://www.seclab.tuwien.ac.at/&quot;&gt;Secure Systems Lab&lt;/a&gt; on &quot;&lt;a href=&quot;http://www.auto.tuwien.ac.at/~chris/research/doc/oakland07_explore.pdf&quot;&gt;Exploring Multiple Execution Paths for Malware Analysis&lt;/a&gt;&quot; deals with dynamic enumeration of execution paths. Such an approach can help to detect execution paths that are only triggered on certain conditions and helps with behavior-based analysis of malware.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Abstract&lt;/strong&gt;&lt;br /&gt;
Malicious code (or malware) is defined as software that fulfills the deliberately harmful intent of an attacker. Malware analysis is the process of determining the behavior and purpose of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques and removal tools. Currently, malware analysis is mostly a manual process that is tedious and time-intensive. To mitigate this problem, a number of analysis tools have been proposed that automatically extract the behavior of an unknown program by executing it in a restricted environment and recording the operating system calls that are invoked. &lt;br /&gt;
The problem of dynamic analysis tools is that only a single program execution is observed. Unfortunately, however, it is possible that certain malicious actions are only triggered under specific circumstances (e.g., on a particular day, when a certain file is present, or when a certain command is received). In this paper, we propose a system that allows us to explore multiple execution paths and identify malicious actions that are executed only when certain conditions are met. This enables us to automatically extract a more complete view of the program under analysis and identify under which circumstances suspicious actions are carried out. Our experimental results demonstrate that many malware samples show different behavior depending on input read from the environment. Thus, by exploring multiple execution paths, we can obtain a more complete picture of their actions. 
    </content:encoded>

    <pubDate>Wed,  9 May 2007 11:14:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/122-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Security of virtual machines</title>
    <link>http://honeyblog.org/archives/109-Security-of-virtual-machines.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/109-Security-of-virtual-machines.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=109</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=109</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Tavis Ormandy just gave an interesting presentation at &lt;a href=&quot;http://cansecwest.com/agenda.html&quot;&gt;CanSecWest&#039;07&lt;/a&gt; about the security of virtual machines (QEMU, VMware, Bochs, ...) entitled &quot;An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environment&quot;. Using fuzzing and other techniques, he managed to find quite a few bugs in popular VMs, amongst others:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;heap overflow in QEMU&#039;s NE2000 network device&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;heap overflow in QEMU&#039;s VGA code&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;vulnerability in VMware&#039;s power management code&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;
For example, his summary for the security of QEMU is:&lt;br /&gt;
&lt;blockquote&gt;An attacker with access to a QEMU virtualized environment could potentially compromise the virtual machine process and execute arbitrary code with the privileges of the emulator. Malware being studied inside QEMU, even in an unprivileged state, can terminate the virtual machine safely and reliably.&lt;/blockquote&gt;&lt;br /&gt;
Regarding malware analysis, these results presumably mean that the malware analysis process should be carried out on a native machine with some kind of &lt;a href=&quot;http://www.coreprotect.com/&quot;&gt;restore card&lt;/a&gt;, since we cannot trust the malware code. We use such a setup within CWSandbox and the results look promising. &lt;br /&gt;
&lt;br /&gt;
Tavis also released a &lt;a href=&quot;http://taviso.decsystem.org/virtsec.pdf&quot;&gt;paper&lt;/a&gt; describing the results in detail. The paper also includes some proof-of-concept demos. Soon you can also find his presentation at the CanSec website.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt; &lt;br /&gt;
As virtual machines become increasingly commonplace as a method of separating hostile or hazardous code from commodity systems, the potential security exposure from implementation flaws has increased dramatically. This paper investigates the state of popular virtual machine implementations for x86 systems, employing a combination of source code auditing and blackbox random testing to assess the security exposure to the hosts of hostile virtualized environment. 
    </content:encoded>

    <pubDate>Fri, 20 Apr 2007 23:24:44 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/109-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Rishi: Identify Bot Contaminated Hosts </title>
    <link>http://honeyblog.org/archives/107-Rishi-Identify-Bot-Contaminated-Hosts.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/107-Rishi-Identify-Bot-Contaminated-Hosts.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=107</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=107</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a href=&quot;http://www.usenix.org/events/hotbots07/&quot;&gt;HotBots&#039;07&lt;/a&gt; took place last week in Boston. The paper by Jan Göbel and me is now &lt;a href=&quot;http://honeyblog.org/junkyard/paper/2007-rishi-hotbots.pdf&quot;&gt;available&lt;/a&gt; and I also publish the &lt;a href=&quot;http://honeyblog.org/junkyard/paper/2007-rishi-hotbots-talk.pdf&quot;&gt;slides&lt;/a&gt; from my talk.&lt;br /&gt;
This workshop was by invitation only. As a courtesy, USENIX made the accepted papers &lt;a href=&quot;http://www.usenix.org/events/hotbots07/tech/&quot;&gt;available to everyone&lt;/a&gt;.&lt;br /&gt;
    </content:encoded>

    <pubDate>Thu, 19 Apr 2007 17:54:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/107-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Program for HotBots'07 / Rishi</title>
    <link>http://honeyblog.org/archives/105-Program-for-HotBots07-Rishi.html</link>
            <category>administrativa</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/105-Program-for-HotBots07-Rishi.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=105</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=105</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The program for the &lt;a href=&quot;http://www.usenix.org/events/hotbots07/tech/&quot;&gt;First Workshop on Hot Topics in Understanding Botnets&lt;/a&gt; is now online. The program committee accepted 11 papers from 32 submissions. Together with Jan Göbel, I also submitted a paper which was accepted. The paper, entitled &quot;&lt;em&gt;Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation&lt;/em&gt;&quot;, describes a simple, yet effective method to detect bot-contaminated hosts within a given network. It tries to detect suspicious IRC nicknames, and preliminary results show the usefulness of this approach. I will upload the paper once the workshop is over.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Abstract&lt;/strong&gt;:&lt;br /&gt;
In this paper, we describe a simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command &amp;amp; Control server (C&amp;amp;C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which are commonly not detected by classical intrusion detection systems. Upon detection, it is possible to determine the IP address of the C&amp;amp;C server, as well as the channels a bot joined and the additional parameters that were set. The software &quot;Rishi&quot; implements the mentioned features and is able to automatically generate warning emails to report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen University, we detected 82 bot-infected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems. 
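&lt;br /&gt;
The scoring idea from the abstract (suspicious nickname patterns, an n-gram feature, uncommon server ports, and extraction of the server and joined channels), as an added Python example. This is not Rishi's code: the rules, weights, threshold and port list are this example's own assumptions, and the input is a handful of constructed client-to-server IRC sessions (assumed already reassembled from captured traffic) using RFC 1918 and RFC 5737 addresses and invented nicknames.&lt;br /&gt;

```python
import re

# Ports where IRC is normally expected; anything else counts as an uncommon
# server port (this set is an assumption of the example, not Rishi's list).
COMMON_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}
VOWELS = set("aeiou")
ALERT_THRESHOLD = 5  # assumed cut-off; Rishi's real weights are not on this page

# (pattern, weight, explanation) - weights are illustrative guesses.
NICK_RULES = [
    (re.compile(r"^\[?[A-Z]{2,3}[|\-]"), 3, "country/locale prefix"),
    (re.compile(r"[\[\]|{}]"), 2, "bracket or pipe separators"),
    (re.compile(r"\d{4,}"), 3, "long digit run"),
    (re.compile(r"(?i)\b(xp|2k|sp[12]|win)\b"), 2, "OS tag"),
]
NICK_RE = re.compile(r"^NICK\s+:?(\S+)")
JOIN_RE = re.compile(r"^JOIN\s+(\S+)(?:\s+(\S+))?")


def vowelless_trigram_ratio(nick):
    """n-gram feature: share of letter trigrams without a vowel. Random-looking
    nicks such as xqzpkvtr score near 1.0, human-chosen ones near 0."""
    letters = [c for c in nick.lower() if c.isalpha()]
    trigrams = [letters[i:i + 3] for i in range(len(letters) - 2)]
    if not trigrams:
        return 0.0
    vowelless = sum(1 for t in trigrams if not VOWELS.intersection(t))
    return vowelless / len(trigrams)


def score_nick(nick):
    """Return (score, reasons) for one nickname."""
    score, reasons = 0, []
    for pattern, weight, why in NICK_RULES:
        if pattern.search(nick):
            score += weight
            reasons.append(why)
    ratio = vowelless_trigram_ratio(nick)
    if ratio >= 0.5:
        score += 2
        reasons.append("{:.0%} vowel-less trigrams".format(ratio))
    return score, reasons


def analyze_session(session):
    """Score one reassembled client-to-server IRC session. Returns an alert
    carrying the server endpoint and the joined channels (with keys), or None."""
    nick, channels = None, []
    for line in session["lines"]:
        m = NICK_RE.match(line)
        if m:
            nick = m.group(1)
            continue
        m = JOIN_RE.match(line)
        if m:
            channels.append((m.group(1), m.group(2)))  # (channel, key or None)
    if nick is None:
        return None
    score, reasons = score_nick(nick)
    if session["dport"] not in COMMON_IRC_PORTS:
        score += 2
        reasons.append("uncommon server port {}".format(session["dport"]))
    if score >= ALERT_THRESHOLD:
        return {
            "src": session["src"],
            "nick": nick,
            "cnc": "{}:{}".format(session["dst"], session["dport"]),
            "channels": channels,
            "score": score,
            "reasons": reasons,
        }
    return None


def analyze_sessions(sessions):
    return [a for a in (analyze_session(s) for s in sessions) if a]


# Constructed sessions for this example (not captured traffic).
SAMPLE_SESSIONS = [
    {"src": "10.0.0.5", "dst": "198.51.100.20", "dport": 6667,
     "lines": ["NICK alice_", "USER alice 0 * :Alice", "JOIN #linux"]},
    {"src": "10.0.0.9", "dst": "203.0.113.77", "dport": 2876,
     "lines": ["NICK [DEU|00|XP|582341]", "USER qwmzk 0 * :qwmzk", "JOIN #x0r botpass"]},
    {"src": "10.0.0.14", "dst": "198.51.100.20", "dport": 6667,
     "lines": ["NICK bob", "USER bob 0 * :Bob", "JOIN #chat"]},
    {"src": "10.0.0.23", "dst": "203.0.113.91", "dport": 1863,
     "lines": ["NICK USA-XP-00713", "USER xp 0 * :xp", "JOIN #bots", "JOIN #updates k3y"]},
]

if __name__ == "__main__":
    for alert in analyze_sessions(SAMPLE_SESSIONS):
        print("{src} -> {cnc} as {nick}: score {score}, {reasons}".format(**alert))
```

Only the two bot-like sessions cross the threshold; the human nicks score zero even though one of them talks to the same server as nothing suspicious. The port bonus is what lets a plainly named bot on a non-standard port still be reported, which is the case the abstract says classical signatures tend to miss.&lt;br /&gt;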
    </content:encoded>

    <pubDate>Thu,  5 Apr 2007 08:50:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/105-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>&quot;Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure&quot;</title>
    <link>http://honeyblog.org/archives/87-Puppetnets-Misusing-Web-Browsers-as-a-Distributed-Attack-Infrastructure.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/87-Puppetnets-Misusing-Web-Browsers-as-a-Distributed-Attack-Infrastructure.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=87</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=87</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The recent ACM Conference on Computer and Communications Security (&lt;a href=&quot;http://www.acm.org/sigs/sigsac/ccs/CCS2006/&quot;&gt;CCS&#039;06&lt;/a&gt;) had some interesting papers. One of them deals with so-called &lt;em&gt;Puppetnets&lt;/em&gt;. A puppetnet is created by malicious web sites which exploit a visiting web browser and take control of it. Similar to a botnet, these puppetnets can be used to mount DDoS attacks, reconnaissance probes, or for other nefarious purposes. Presumably the threat posed by these networks is far lower than that of botnets, but nevertheless they could pose a problem in the future due to the prevalence of client-side exploits. The whole paper is entitled &quot;&lt;a href=&quot;http://s3g-mirror.malware-dmz.org/papers/puppetnets-ccs06.pdf&quot;&gt;Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure&lt;/a&gt;&quot;.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Abstract&lt;/strong&gt;&lt;br /&gt;
Most of the recent work on Web security focuses on preventing attacks that directly harm the browser’s host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that, depending mostly on the popularity of a malicious Web site and user browsing patterns, attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.&lt;br /&gt;
 &lt;br /&gt;&lt;a href=&quot;http://honeyblog.org/archives/87-Puppetnets-Misusing-Web-Browsers-as-a-Distributed-Attack-Infrastructure.html#extended&quot;&gt;Continue reading &quot;&amp;quot;Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure&amp;quot;&quot;&lt;/a&gt;
    </content:encoded>

    <pubDate>Mon,  5 Mar 2007 12:17:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/87-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Advanced Honeypot-Based Intrusion Detection</title>
    <link>http://honeyblog.org/archives/96-Advanced-Honeypot-Based-Intrusion-Detection.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/96-Advanced-Honeypot-Based-Intrusion-Detection.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=96</wfw:comment>

    <slash:comments>1</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=96</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Together with Jan Göbel and Jens Hektor from the &lt;a href=&quot;http://www.rz.rwth-aachen.de/rztop/english/index.php&quot;&gt;Center for Computing and Communication&lt;/a&gt; at RWTH Aachen University, I published an article entitled &quot;&lt;em&gt;Advanced Honeypot-Based Intrusion Detection&lt;/em&gt;&quot; in the recent &lt;a href=&quot;http://www.usenix.org/publications/login/2006-12/index.html&quot;&gt;;login: (Volume 31, Number 6)&lt;/a&gt; magazine.&lt;br /&gt;
&lt;br /&gt;
The paper describes a custom network intrusion detection system called Blast-o-Mat based on different sensors, one of them being nepenthes. We describe the system and give an overview of the lessons learned, some quantitative results, and an example of a Haxdoor infection detected via the system.&lt;br /&gt;
&lt;br /&gt;
A live demo of Blast-o-Mat is available at the &lt;a href=&quot;http://www.rz.rwth-aachen.de/kommunikation/betrieb/auto/status/blast-o-mat.php&quot;&gt;Blast-o-mat Status&lt;/a&gt; page.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Abstract&lt;/strong&gt;:&lt;br /&gt;
At RWTH Aachen University, with about 40,000 computer-using people to support, we have built a system to detect infected machines based on honeypots. One important building block of Blast-o-Mat is Nepenthes, which we use both to detect malware-infected systems and to collect malware. Nepenthes is a low-interaction honeypot that appears as vulnerable software but instead decodes attack code and downloads malware. We have been successful at uncovering and quarantining infected systems with sensors listening at 0.1% of our address space. Investigation of collected malware has led to discovery of many infected systems and even a huge cache of stolen identity information. 
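&lt;br /&gt;
The quarantine logic sketched in the abstract (an internal host that starts talking to honeypot sensors on otherwise unused addresses is almost certainly infected), as an added Python example. It is not Blast-o-Mat or Nepenthes code and does not emulate the vulnerable services or decode shellcode; it only shows the sensor-hit correlation over flow records. The campus prefix, sensor addresses, scan ports, threshold and flow lines are all constructed assumptions for this example.&lt;br /&gt;

```python
import ipaddress
from collections import defaultdict

# Constructed sensor placement (assumption): a few otherwise unused addresses
# inside a campus /16 are bound by low-interaction honeypot sensors.
CAMPUS_NET = ipaddress.ip_network("10.42.0.0/16")
SENSOR_ADDRS = {ipaddress.ip_address(a) for a in (
    "10.42.7.250", "10.42.7.251", "10.42.19.9", "10.42.88.200", "10.42.130.33")}
# Ports a sensor emulating vulnerable Windows services would accept; hits on a
# dark address at these ports look like worm-style scanning (assumed list).
SENSOR_PORTS = {135, 139, 445, 1025, 2967, 5000}
# Quarantine once one internal host has touched this many distinct sensors
# (threshold is an assumption of this example).
MIN_DISTINCT_SENSORS = 3

# Constructed flow records, "epoch src dst dport proto" (not real campus data).
SAMPLE_FLOWS = """\
1169000001 10.42.3.17 10.42.7.250 445 tcp
1169000002 10.42.3.17 10.42.7.251 445 tcp
1169000002 10.42.3.17 10.42.19.9 445 tcp
1169000003 10.42.3.17 10.42.88.200 139 tcp
1169000010 10.42.5.99 10.42.7.250 80 tcp
1169000011 10.42.5.99 10.42.50.1 443 tcp
1169000020 10.42.9.4 10.42.19.9 135 tcp
1169000021 10.42.9.4 10.42.130.33 135 tcp
1169000030 198.51.100.7 10.42.7.250 445 tcp
"""


def sensor_fraction():
    """Share of the campus address space covered by sensors."""
    return len(SENSOR_ADDRS) / CAMPUS_NET.num_addresses


def parse_flows(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def find_infected(text):
    """Return one alert per internal host that scanned enough distinct sensors."""
    hits = defaultdict(lambda: {"sensors": set(), "ports": set(), "first": None, "last": None})
    for ts, src, dst, dport, proto in parse_flows(text):
        # External sources are the honeypot's normal feed, not local infections.
        if src not in CAMPUS_NET:
            continue
        # Only dark sensor addresses on scan-typical ports count as evidence;
        # a stray HTTP request to a sensor address is not.
        if dst not in SENSOR_ADDRS or dport not in SENSOR_PORTS:
            continue
        h = hits[src]
        h["sensors"].add(dst)
        h["ports"].add(dport)
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    alerts = []
    for src, h in sorted(hits.items()):
        if len(h["sensors"]) >= MIN_DISTINCT_SENSORS:
            alerts.append({
                "src": str(src),
                "sensors": len(h["sensors"]),
                "ports": h["ports"],
                "first_seen": h["first"],
                "last_seen": h["last"],
            })
    return alerts


if __name__ == "__main__":
    print("sensor coverage: {:.4%} of {}".format(sensor_fraction(), CAMPUS_NET))
    for a in find_infected(SAMPLE_FLOWS):
        print("QUARANTINE {src}: hit {sensors} sensors on ports {ports}".format(**a))
```

With the constructed flows, only 10.42.3.17 is reported: it sweeps four sensors on 445/139 within seconds. The host that touched a sensor on port 80 is ignored, the host that hit two sensors stays below the threshold, and the external scanner is skipped because it is the honeypot's input, not a local infection. The threshold trades detection speed against false quarantines from legitimate scanners and should be tuned to the real sensor density.&lt;br /&gt;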
    </content:encoded>

    <pubDate>Sun, 28 Jan 2007 21:52:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/96-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>
<item>
    <title>Stock Spam</title>
    <link>http://honeyblog.org/archives/93-Stock-Spam.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/93-Stock-Spam.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=93</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=93</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    This morning I took a closer look at the last 500 messages in the spam folder of my Gmail account (roughly the last five days). 106 of them were stock spam, so a little more than 20% of the spam I receive is of this kind. These messages target only eight different ticker symbols:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;a href=&quot;http://finance.yahoo.com/q?s=PHYA.PK&quot;&gt;PHYA.PK&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://finance.yahoo.com/q?s=CICG.PK&quot;&gt;CICG.PK&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://finance.yahoo.com/q?s=QCPC.PK&quot;&gt;QCPC.PK&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://finance.yahoo.com/q?s=MISJ.PK&quot;&gt;MISJ.PK&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://finance.yahoo.com/q?s=AFML.PK&quot;&gt;AFML.PK&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://finance.yahoo.com/q?s=APPM.PK&quot;&gt;APPM.PK&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://finance.yahoo.com/q?s=HXPN.PK&quot;&gt;HXPN.PK&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;a href=&quot;http://finance.yahoo.com/q?s=HLUN.PK&quot;&gt;HLUN.PK&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;
As you can see, all of these ticker symbols are traded at &lt;a href=&quot;http://en.wikipedia.org/wiki/Pink_sheet&quot;&gt;Pink Sheets&lt;/a&gt;, an electronic system for trading &lt;a href=&quot;http://en.wikipedia.org/wiki/Penny_stock&quot;&gt;penny stocks&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
When taking a look at the reaction of the stock quotes, you can see some influence, some of the stocks being currently in their &quot;&lt;a href=&quot;http://en.wikipedia.org/wiki/Pump_and_dump&quot;&gt;pump&lt;/a&gt;&quot; phase:&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/hlun.png&#039;&gt;&lt;img width=&#039;110&#039; height=&#039;62&#039; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/hlun.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/hxpn.png&#039;&gt;&lt;img width=&#039;110&#039; height=&#039;62&#039; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/hxpn.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/appm.png&#039;&gt;&lt;img width=&#039;110&#039; height=&#039;62&#039; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/appm.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/afml.png&#039;&gt;&lt;img width=&#039;110&#039; height=&#039;62&#039; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/afml.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/misj.png&#039;&gt;&lt;img width=&#039;110&#039; height=&#039;62&#039; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/misj.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/qcpc.png&#039;&gt;&lt;img width=&#039;110&#039; height=&#039;62&#039; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; 
src=&quot;http://honeyblog.org/uploads/stuff/qcpc.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/cicg.png&#039;&gt;&lt;img width=&#039;110&#039; height=&#039;62&#039; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/cicg.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/phya.png&#039;&gt;&lt;img width=&#039;110&#039; height=&#039;62&#039; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/phya.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Presumably we will see a drop in the quotes in the next few days.&lt;br /&gt;
&lt;br /&gt;
Most of the stock spam messages nowadays are image-based: only two ticker symbols are advertised via plain-text messages, the other six use images. Common &lt;a href=&quot;http://en.wikipedia.org/wiki/Optical_character_recognition&quot;&gt;OCR&lt;/a&gt; is pretty weak at recognizing the image content, since it is scrambled in order to make filtering harder:&lt;br /&gt;
&lt;blockquote&gt;$ gocr personnel.gif&lt;br /&gt;
&lt;u&gt;                              &lt;/u&gt;   _&lt;br /&gt;
H&#039;LuN,.pK . H &#039;% BIopH, ARMAcE%IcAL s_ocK!, , _&lt;br /&gt;
HEA%HeuNIv,E\RsE,I&#039;nc&lt;br /&gt;
S_b&#039;ol:  HLU_               ,         ,&lt;br /&gt;
Price: $o.o8 &#039; &#039;                     ,  &#039;&lt;br /&gt;
5.day Target: , $O.50  ,&#039;       ,&lt;br /&gt;
Rating: Strong Buy              ,,&lt;br /&gt;
HLU_.PH .$15 billion, plastic _cosmetic surgey m,a_ket!&lt;br /&gt;
H L U &lt;u&gt;. P H .,G ETrl &lt;/u&gt; G &lt;u&gt; READY TO E X P L O&#039; D,E ! ! !   &lt;/u&gt; _&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
For more background on this kind of attack, take a look at our study on stock spam (&quot;&lt;a href=&quot;http://papers.ssrn.com/sol3/papers.cfm?abstract_id=897431&quot;&gt;The Effect of Stock Spam on Financial Markets&lt;/a&gt;&quot;). 
    </content:encoded>

    <pubDate>Wed, 10 Jan 2007 13:36:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/93-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-nc-sa/2.5/</creativeCommons:license>
</item>

</channel>
</rss>