honeyblog - malware

New Bot-Family Detected: Light-Bots

nospam@example.com (Thorsten Holz) — Thu, 8 May 2008 20:53:00 +0200

Today, we observed a new family of bots while doing some research at our lab. While investigating several Kinder Surprises, we detected two samples of a bot family named Light-Bots (see the picture at the right hand side for more detail about the bots). A closer analysis revealed that the bot exists in at least two version, we empirically found version S104 and S105. The propagation scheme is a variant of classical social engineering: victim's are tricked into buying a Kinder Surprise and the bot is contained in the egg, similar to a Trojan Horse. At this point, we do not have any CWSandbox report of the bot behavior nor any signatures. However, the bot also contains a README that indicates a close relationship with the domain www.magic-kinder.com:

Polluting Storm

nospam@example.com (Thorsten Holz) — Fri, 25 Apr 2008 16:33:43 +0200

Dark Reading had recently an article about our work on Storm Worm entitled "Researchers Infiltrate and 'Pollute' Storm Botnet" (also featured on /.). The article quotes Jose Nazario:

"This has been a taboo subject of exploration, as people do not want to mess with other peoples' PCs by injecting commands," he says.

Just to clarify: We did not inject commands into Storm Worm, but just interfered with the communication process as explained in our LEET'08 paper. No commands were executed on an infected machine, we just injected packets into the communication process in order to stop the C&C channel. In practice, this does not affect an infected machine, no extra network packets or CPU cycles are used on an infected machine.

Slashdot had also covered our work a few days ago: Storm Dismantled at USENIX LEET Workshop.

LEET'08: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm

nospam@example.com (Thorsten Holz) — Fri, 11 Apr 2008 11:24:41 +0200

Next week at the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08), I will present our work on Storm Worm and the measurement results. The full paper is now available. See you at LEET next week!

Abstract:
Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.

However, the first botnets that use peer-to-peer networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate peer-to-peer botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread peer-to-peer botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms.

April Fool's Day & Storm

nospam@example.com (Thorsten Holz) — Mon, 31 Mar 2008 22:45:54 +0200

A new "joke" from the Storm Worm botnet right before April Fool's Day.

Consistent with their past behavior on having new propagation schemes right before important dates of national interest (start of NFL season, Halloween, Christmas Eve, ...), the botnet started to use a new social engineering theme right before April Fool's Day. The websites offer the actual bot binary with three different filenames (foolsday.exe, funny.exe, and kickme.exe), but they seems to actually be the same binary. I did not observe any drive-by download attack, thus it seems like they solely rely on social engineering - so don't fall for this hoax :-)

CAPTCHA fun

nospam@example.com (Thorsten Holz) — Thu, 13 Mar 2008 12:16:00 +0100

Websense had a few weeks ago a story on "Google’s CAPTCHA busted in recent spammer tactics". The basic idea is that the attacker automatically signs up for freemail accounts (e.g., Google or live.com) with the help of certain malware. During the registration process, the attacker needs to solve a CAPTCHA. This can be done for example with the help of humans which are paid for this task. Another option is to use humans who want to access a certain service, e.g., a porn website. This is the cheaper option, and presumably also effective. An example of such a CAPTCHA attack is currently available at gift-vip.net. Caution: this is not work-safe and do not open it if you do not want to see adult content. I also created a short movie which illustrates this process. The movie is also available as .mov and .swf file.

Thanks a lot Nick FitzGerald for this tip!

[Update]: Please be careful when opening the actual site since it also contains a malicious iframe.

loads.cc vs. CWSandbox

nospam@example.com (Thorsten Holz) — Wed, 12 Mar 2008 18:00:00 +0100

Sunbelt covered the 3D screensaver spam and the background of this scam in some detail. Dancho Danchev also blogged about some details of this incident. And here are my 2 cent of info:

The file load.exe (MD5: b20e4e725cc86b489ec441b97b728285) drops two files called 0.EXE and 1.EXE which are subsequently executed. 0.EXE creates the two files C:\Documents and Settings\USER\Local Settings\Application Data\cftmon.exe and C:\WINDOWS\system32\drivers\spools.exe, which are also automatically started via a registry key. Furthermore, the following HTTP requests are sent:

http://195.93.218.25/ld/?&v=driver&d=0
http://195.93.218.25/ld/manda.php?id=-396739409&v=driver&d=0
http://195.93.218.25/m.exe

This IP address belongs to Buildhouse Ltd., located in Russia - a grey hosting provider?

More complete info: cwsandbox.org.

Postcards from Storm

nospam@example.com (Thorsten Holz) — Mon, 3 Mar 2008 07:28:14 +0100

Storm Worm changed its propagation scheme again. It now sends out spam mails pointing to fake "ecards". The spammed site contains just an image and points to a binary called postcard.exe. A quick analysis shows that the core functionality has not changed at all.

Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

nospam@example.com (Thorsten Holz) — Fri, 11 Jan 2008 09:43:56 +0100

Together with a few researchers from the Chinese Honeynet Project, we published a paper about capturing autonomous spreading malware with high-interaction honeypots at the 9th International Conference on Information and Communications Security (ICICS 2007) which is now available.

Abstract: Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.

Keywords: Honeypots - Intrusion Detection Systems - Malware

Full Paper: Collecting Autonomous Spreading Malware Using High-Interaction Honeypots (LNCS 4861)

Measuring the Success Rate of Storm Worm

nospam@example.com (Thorsten Holz) — Thu, 3 Jan 2008 23:08:00 +0100

Just around Christmas, machines infected with Storm Worm started to send out spam e-mails again. These e-mails contained different kinds of Christmas or New Year's Eve wishes. Within the Storm botnet, such mails are sent to propagate the bot: the botherders hope that innocent users fall for this social engineering trick and click on the link contained in the mail. Once they click on the link, they are redirected to a website which contains a link to the actual Storm binary. This website commonly also contains browser exploits (depending on the user-agent and they are served only once per IP address) to compromise the web browser of a visitor in order to install the Storm binary.

The picture illustrates the success rate of the botnet: The x-axis shows the date, starting a few days before Christmas and ending today. The y-axis represents the number of infected machines within Stormnet, the "encrypted" part of the botnet in which the actual communication is XORed with a 40 byte key. As you can see, the first days before Christmas the size of the botnet was around 5-14 thousand infected machines. However, just around Christmas the size grows again due to successful infections and new victims which fell for the social engineering mails. For now, the botnet has peaked at about 40 thousand infected machines being online at a time.

Moreover, the picture also shows a clear diurnal pattern: the size of the botnet changes over time each day. This could indicate that a majority of the infected machines are located within a certain region. A closer examination of this phenomenon is necessary.

The actual picture was generated by Moritz Steiner, a colleague of mine with whom I analyze the Storm botnet.

Update: Brandon Enright pointed out that the diurnal pattern could also have other causes and thus I updated this part.

Merry Christmas Storm!

nospam@example.com (Thorsten Holz) — Mon, 24 Dec 2007 10:09:01 +0100

Consistent with previous spam runs, the authors of Storm Worm now also adopted the propagation scheme to the upcoming Christmas holidays. The spam mails contain for example the following text:

"This Christmas, we want to show you something you will really enjoy. This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out. hxxp:// merrychristmasdude . com/"

Please note: Do not visit this site since it contains several exploit for web browser or common browser plugins.

The website shows "Mrs Clause" and some naughty pictures. The malware binary has the name stripshow.exe and - as usual - the MD5 sum changes every couple of minutes. Quick sandboxing shows that the behavior of the binary is similar to previous versions of Storm. The domain merrychristmasdude.com uses fast-flux: repeated DNS lookups always return different A records for this domain. Thus it seems like there is nothing really new - only the theme used for the propagation mails has changed...

Real Network Visualization

nospam@example.com (Thorsten Holz) — Fri, 7 Dec 2007 09:55:54 +0100

As a comment to my post on the xkcd comic on network visualization, Jon Oberheide, a researcher from the University of Michigan, pointed me to their version of malware visualization - pretty awesome!

Picture available at http://jon.oberheide.org/malware.jpg

Storm Worm Potpourri

nospam@example.com (Thorsten Holz) — Thu, 6 Dec 2007 08:53:08 +0100

Storm Worm was quiet in the last few days, nothing really exiting happened at the honeypots infected with the bot. Many of the spam mails sent by the bot are stock spam messages which advertise a certain stock. An example of an attachment sent some time ago is Complaint.pdf which advertizes Score One Inc. (SREA.OB), a small company traded over the counter.

Many of the fast-flux domains used by Storm Worm are currently non-functional, only two seem to resolve:

$ dig yxbegan.com



; <<>> DiG 9.4.1-P1 <<>> yxbegan.com

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59661

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 12, ADDITIONAL: 0



;; QUESTION SECTION:

;yxbegan.com.                   IN      A



;; ANSWER SECTION:

yxbegan.com.            0       IN      A       74.134.155.14



;; AUTHORITY SECTION:

yxbegan.com.            172800  IN      NS      ns13.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns2.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns3.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns4.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns5.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns6.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns7.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns8.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns9.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns10.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns11.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns12.yxbegan.com.



;; Query time: 4376 msec

;; SERVER: X.X.X.X#53(X.X.X.X)

;; WHEN: Thu Dec  6 08:59:53 2007

;; MSG SIZE  rcvd: 265

In consecutive lookups, always a new A record is returned:

yxbegan.com.            0       IN      A       69.224.113.183

yxbegan.com.            0       IN      A       123.215.78.167

yxbegan.com.            0       IN      A       168.188.56.76

yxbegan.com.            0       IN      A       220.129.76.210

yxbegan.com.            0       IN      A       59.23.185.81

More info to follow :)

Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web

nospam@example.com (Thorsten Holz) — Tue, 4 Dec 2007 08:16:00 +0100

Together with the researchers from the Chinese Honeynet Project, we also examined the extend of malicious websites on the Chinese Web. Using high- and low-interaction honeyclients, we were able to find about 2,500 sites (1,49% of overall examined sites) that tried to compromise an unpatched system. Furthermore, we also studied the underground black market which is used to trade exploits, malware, and stolen virtual goods. Several measurements provide an insight into the black market on the Chinese Web and show that the attackers are organized pretty well. We published our findings as a technical report to share the lessons we learned.

Abstract:

The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proofs that a significant amount of websites within China's part of the Web are malicious: our measurements reveal that about 1.49% of the examined sites contain some kind of malicious content.

The complete report is available as TR-2007-011.

Technical Report: Characterizing the IRC-based Botnet Phenomenon

nospam@example.com (Thorsten Holz) — Mon, 3 Dec 2007 14:02:00 +0100

Together with a few researchers from China, we studied IRC-based botnets in order to understand the extent of this phenomenon. Using different kinds of honeypots and several sensors deployed across different regions in China, we were able to collect thousands of bot binaries. With the help of a behavior-based analysis mechanism similar to CWSandbox, we could extract the Command & Control (C&C) server in an automated way. In a third step, we used this information to connect to the actual C&C server and passively monitored the activity in the channel. Furthermore, we also actively probed the C&C servers to find out other characteristics of these machines. The complete setup and our results are described in a technical report we just published.

Abstract:

Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term easurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area.

Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command & Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

The complete report is available as TR-2007-010. And more information regarding the Chinese Honeynet Project is available at the website of the Artemis Project.

ENISA botnet study

nospam@example.com (Thorsten Holz) — Sat, 1 Dec 2007 13:09:09 +0100

ENISA (European Network and Information Security Agency) published a few days ago a study of the botnet phenomenon: Botnets – The Silent Threat

The study provides a good overview of the current botnet problem and show some interesting numbers. According to the measurements (carried out by S21sec), the most common infection methods are browser exploits (65%), email attachments (13%,) operating system exploits (11%), and downloaded Internet files (9%). Thus more research in the area of client honeypots is needed - the weakest link in the security chain is nowadays the enduser who does not patch his Internet Explorer and opens every e-mail attachment.

Furthermore, the study also contains some more interesting numbers:

Estimations show that there are at least 1.000 different Botnet C& C servers running constantly. An average C&C server controls 20.000 compromised computers (ranging from 10-300.000). Estimations indicate ca 53.000, new, active bots/day. A spam bot can send up to 3 spam emails/s (ca 259.000 emails/day).

The measurements at our lab indicate that there could be even more botnets. However, we observe that an average C&C server controls significantly less than 20.000 compromised machines, often only a few hundred or at most a few thousand machines are controlled by a given server. Even Storm Worm has nowadays less than 80.000 machines online. It would be nice to get a better insight of how they estimate the 53,000 new bots per day - after all, node churn and other effects make such measurements hard.

The study also contains an overview of countermeasures at various levels. Besides some glitches (Storm does not always use UDP port 4000, Rock phish and Fast-Flux networks are only partially related to botnets, ...) the study is worth reading.