<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule">
<channel>
    <title>honeyblog</title>
    <link>http://honeyblog.org/</link>
    <description>A blog on honeypots, honeynets, and more...</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.3.1-1 - http://www.s9y.org/</generator>
    <managingEditor>thorsten.holz@gmail.com</managingEditor>
<pubDate>Tue, 26 Apr 2011 21:06:18 GMT</pubDate>

    <image>
        <url>http://honeyblog.org/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: honeyblog - A blog on honeypots, honeynets, and more...</title>
        <link>http://honeyblog.org/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>2011 Honeynet Project Security Workshop Slides + Videos</title>
    <link>http://honeyblog.org/archives/65-2011-Honeynet-Project-Security-Workshop-Slides-+-Videos.html</link>
            <category>honeynets</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/65-2011-Honeynet-Project-Security-Workshop-Slides-+-Videos.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=65</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=65</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The slides and videos from the 2011 Honeynet Project Security Workshop (Paris) are now available! You can get the material from &lt;a href=&quot;http://www.honeynet.org/SecurityWorkshops/2011_Paris&quot;&gt;http://www.honeynet.org/SecurityWorkshops/2011_Paris&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
About the workshop:&lt;blockquote&gt;The workshop brought together experts in the field of information security from around the world to share the latest advances in security research. Our members covered topics such as new honeyclients, mobile malware, new reversing techniques, VOIP attacks and even social behavior of attackers. And besides the presentations, Felix Leder and Mark Schloesser from our Giraffe chapter and Guillaume Arcas from our French chapter put up some hands-on exercises that allowed participants to test their skillz.&lt;/blockquote&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Tue, 26 Apr 2011 23:06:18 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/65-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>SysSec Workshop</title>
    <link>http://honeyblog.org/archives/64-SysSec-Workshop.html</link>
            <category>admin</category>
    
    <comments>http://honeyblog.org/archives/64-SysSec-Workshop.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=64</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=64</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    It has been quite some time since I last blogged; in the past few months I mainly used &lt;a href=&quot;http://twitter.com/#!/thorstenholz&quot;&gt;my Twitter account&lt;/a&gt; to publish news. Today I want to blog again since the information about the &lt;a href=&quot;http://www.syssec-project.eu/&quot;&gt;SysSec&lt;/a&gt; Network of Excellence will not fit into a single tweet. &lt;a href=&quot;http://syssec-project.eu&quot;&gt;SysSec&lt;/a&gt; is a Network of Excellence in the field of Systems Security, which has been created to build on the successful experience of the &lt;a href=&quot;http://forward-project.eu&quot;&gt;FORWARD&lt;/a&gt; initiative to work towards:&lt;br /&gt;
&lt;ol&gt;&lt;li&gt;creating a virtual center of excellence, to consolidate the Systems Security research community in Europe&lt;/li&gt;&lt;li&gt;promoting cybersecurity education&lt;/li&gt;&lt;li&gt;engaging a think-tank in discovering the threats and vulnerabilities of the Current and Future Internet,&lt;/li&gt;&lt;li&gt;creating an active research roadmap in the area, and&lt;/li&gt;&lt;li&gt;developing a joint working plan to conduct State-of-the-Art collaborative research.&lt;/li&gt;&lt;/ol&gt; As part of its dissemination activities, the SysSec Network of Excellence proposes to organize a workshop focused on system security research, as the first step towards creating a virtual center of excellence to consolidate the Systems Security research community in Europe. The &lt;a href=&quot;http://www.syssec-project.eu/events/1st-syssec-workshop/&quot;&gt;1st SysSec Workshop&lt;/a&gt; targets researchers from Europe and the rest of the World, with the short-term goal of creating a vigorous forum to map the systems security research area, with particular focus on European security communities. While this workshop invites submissions from all the research groups on systems security in the world, it particularly encourages research groups from Europe to take advantage of this opportunity. The long-term goal of this first of a series of periodic workshops is to build a reference meeting place for the systems security community in Europe.
    </content:encoded>

    <pubDate>Tue, 15 Feb 2011 16:35:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/64-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>The Last Line of Defense - http://tllod.com</title>
    <link>http://honeyblog.org/archives/62-The-Last-Line-of-Defense-httptllod.com.html</link>
            <category>admin</category>
            <category>malware</category>
            <category>research</category>
    
    <comments>http://honeyblog.org/archives/62-The-Last-Line-of-Defense-httptllod.com.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=62</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=62</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    I am excited to announce that the website of our start-up company LastLine, Inc., is now live at &lt;a href=&quot;http://www.tllod.com&quot;&gt;http://www.tllod.com&lt;/a&gt;. The team behind LastLine is composed of people you know from the International Secure Systems Lab (&lt;a href=&quot;http://iseclab.org&quot;&gt;http://iseclab.org&lt;/a&gt;); we come from the University of California, Santa Barbara, the Vienna University of Technology (Austria), Eurecom (France), and Ruhr-University Bochum (Germany). We all have extensive expertise in malware analysis and malware countermeasures (see our &lt;a href=&quot;http://www.iseclab.org/publications.html&quot;&gt;list of publications&lt;/a&gt;), and you might know tools like &lt;a href=&quot;http://anubis.iseclab.org&quot;&gt;Anubis&lt;/a&gt; or &lt;a href=&quot;http://wepawet.iseclab.org&quot;&gt;Wepawet&lt;/a&gt; that we developed. &lt;br /&gt;
&lt;br /&gt;
LastLine, Inc., provides protection technology that is complementary to existing anti-virus software and firewalls. Our approach is based on cyber crime intelligence that we gather by analyzing millions of suspicious URLs and binaries each day. More precisely, using our advanced malware analysis tools, we pinpoint the exploit servers behind drive-by exploit campaigns and the command-and-control servers that manage botnets. These servers constitute the malicious infrastructure that cyber criminals use to carry out their attacks.&lt;br /&gt;
&lt;br /&gt;
One of the first products we offer is &lt;em&gt;&lt;a href=&quot;http://www.tllod.com/products/llweb&quot;&gt;llweb&lt;/a&gt;&lt;/em&gt;, a tool that analyzes web sites for the presence of malicious code, such as drive-by download exploits. llweb was developed by the creators of &lt;a href=&quot;http://wepawet.iseclab.org&quot;&gt;Wepawet&lt;/a&gt;, and you can find out more about the tool at &lt;a href=&quot;http://tllod.com/products/llweb&quot;&gt;http://tllod.com/products/llweb&lt;/a&gt;. We also offer several other tools and services: &lt;em&gt;llmon&lt;/em&gt; is a service that helps organizations determine if their hosts are used to deliver or control malware. We continuously monitor whether a customer&#039;s assets participate in malicious activities, and if so, we provide a detailed early warning so that proper mitigation steps can be initiated. llmon was developed by some of the creators of &lt;a href=&quot;http://www.maliciousnetworks.org/&quot;&gt;FIRE&lt;/a&gt;. Furthermore, we provide access to the list of IP addresses, domains, and URLs that we identify as associated with malicious activity on the Internet. Customers can obtain continuously updated intelligence, which can be leveraged internally to identify compromised hosts or to configure network access control mechanisms. You can find out more about our products at &lt;a href=&quot;http://tllod.com/what&quot;&gt;http://tllod.com/what&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
  
    </content:encoded>

    <pubDate>Thu, 01 Jul 2010 15:11:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/62-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Call for Papers: EC2ND'10</title>
    <link>http://honeyblog.org/archives/61-Call-for-Papers-EC2ND10.html</link>
            <category>admin</category>
            <category>research</category>
    
    <comments>http://honeyblog.org/archives/61-Call-for-Papers-EC2ND10.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=61</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=61</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The sixth European Conference on Computer Network Defense (&lt;a href=&quot;http://2010.ec2nd.org/&quot;&gt;EC2ND&lt;/a&gt;) will be held at the Faculty of Electrical Engineering and Computer Science at Berlin Institute of Technology (TU Berlin) on October 28-29, 2010. The conference brings together researchers from academia and industry within Europe and beyond to present and discuss current topics in applied network and systems security. EC2ND 2010 invites submissions presenting novel ideas in the areas of network defense, intrusion detection and systems security. &lt;br /&gt;
&lt;br /&gt;
EC2ND 2010 specifically encourages submissions presenting work at an early stage with the intention to act as a discussion forum for innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results.&lt;br /&gt;
&lt;br /&gt;
Important dates:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Paper submission deadline:            July 2, 2010&lt;/li&gt;&lt;li&gt;Paper acceptance or rejection:        August 6, 2010&lt;/li&gt;&lt;li&gt;Final paper camera ready copy:        August 13, 2010&lt;/li&gt;&lt;li&gt;Conference dates:                     October 28-29, 2010&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;
The full Call for Papers is available at &lt;a href=&quot;http://2010.ec2nd.org/cfp/&quot;&gt;http://2010.ec2nd.org/cfp/&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 24 Jun 2010 09:54:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/61-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Chaosradio Express #155</title>
    <link>http://honeyblog.org/archives/60-Chaosradio-Express-155.html</link>
            <category>admin</category>
            <category>honeynets</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/60-Chaosradio-Express-155.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=60</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=60</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Recently I recorded a longer podcast together with &lt;a href=&quot;http://tim.geekheim.de/&quot;&gt;Tim Pritlove&lt;/a&gt; on malware and botnets. It was published a few days ago as &lt;a href=&quot;http://chaosradio.ccc.de/cre155.html&quot;&gt;Chaosradio Express #155&lt;/a&gt;. The podcast is in German and lasts about 2.5 hours. It is available at &lt;a href=&quot;http://chaosradio.ccc.de/cre155.html&quot;&gt;http://chaosradio.ccc.de/cre155.html&lt;/a&gt;, and you can also get it via &lt;a href=&quot;http://itunes.apple.com/de/podcast/chaosradio-express/id135057227&quot;&gt;iTunes&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Here is the description (translated from the German original):&lt;br /&gt;
&lt;blockquote&gt;Over the last 10 years, malware has developed from a research field into a global threat to the international data infrastructure. Botnets represent the regrettable crowning achievement of these criminal activities, and it takes a great deal of effort to track down these systems and shut them down again. Despite an ongoing game of cat and mouse, security researchers repeatedly succeed in taking large botnets off the net. In conversation with Tim Pritlove, Thorsten Holz explains the history and technical background of malware and botnets.&lt;br /&gt;
&lt;br /&gt;
Topics: how malware has developed over time from an experiment into a tool for criminals; which security vulnerabilities are exploited; which methods operating systems have to defend themselves against malware; the layer 8 problem; the anti-virus industry; what Microsoft has done for its security; botnets, spam and other forms of monetization; how botnets protect themselves against investigation; how to investigate, outwit and disable a botnet; detecting botnets with honeypots; botnets in government agencies and embassies; communication and collaboration among security groups; technical and moral problems when shutting down a botnet; cooperation with ISPs; fighting botnets vs. censorship infrastructure; botnets and the Mac; concepts for secure operating systems; security usability; automated malware analysis.&lt;/blockquote&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 10 Jun 2010 18:07:40 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/60-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Challenge 4 of the Forensic Challenge 2010 - VoIP</title>
    <link>http://honeyblog.org/archives/59-Challenge-4-of-the-Forensic-Challenge-2010-VoIP.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/59-Challenge-4-of-the-Forensic-Challenge-2010-VoIP.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=59</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=59</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Quick blog posting about the &lt;a href=&quot;http://honeynet.org/challenges/2010_4_voip&quot;&gt;new forensic challenge&lt;/a&gt; by the Honeynet Project:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;Challenge 4 - VoIP - (provided by Ben Reardon from the Australian Chapter and Sjur Eivind Usken from the Norwegian Chapter) takes you into the world of voice communications on the Internet. VoIP with SIP is becoming the de-facto standard for voice communication on the Internet. As this technology becomes more common, malicious parties have more opportunities and stronger motives to take control of these systems to conduct nefarious activities. This Challenge is designed to examine and explore some of the attributes of the SIP and RTP protocols. Enjoy the challenge.&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
You can find all the information at &lt;a href=&quot;http://honeynet.org/challenges/2010_4_voip&quot;&gt;http://honeynet.org/challenges/2010_4_voip&lt;/a&gt;. The submission deadline is June 30th 2010, so you still have some time to work on the challenge. You can win books, for example a signed copy of &quot;&lt;a href=&quot;http://www.amazon.com/gp/product/0321336321&quot;&gt;Virtual Honeypots: From Botnet Tracking to Intrusion Detection&lt;/a&gt;&quot; by Niels and me.
    </content:encoded>

    <pubDate>Thu, 10 Jun 2010 16:38:56 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/59-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Is the Internet for Porn? An Insight Into the Online Adult Industry&quot;</title>
    <link>http://honeyblog.org/archives/58-Is-the-Internet-for-Porn-An-Insight-Into-the-Online-Adult-Industry.html</link>
            <category>paper</category>
            <category>research</category>
    
    <comments>http://honeyblog.org/archives/58-Is-the-Internet-for-Porn-An-Insight-Into-the-Online-Adult-Industry.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=58</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=58</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Recently, we studied an aspect of the World Wide Web that has not received much attention yet: the &lt;em&gt;online adult industry&lt;/em&gt;. Compared to traditional media, the Internet provides fast, easy, and anonymous access to the desired content. That, in turn, results in a huge number of users accessing pornographic content. To improve the understanding of this part of the Web, we performed a study of the online adult industry. As a result, we provide a detailed overview of the individual actors and roles within the online adult industry, which enables us to better understand the mechanisms by which visitors are redirected between the individual parties and how money flows between them. Furthermore, we examined the security aspects of more than 250,000 adult pages and studied, among other aspects, the prevalence of drive-by download attacks. In addition, we analyzed domain-specific security threats such as disguised traffic redirection techniques, and surveyed the hosting infrastructure of adult sites. &lt;br /&gt;
&lt;br /&gt;
&lt;a href=&#039;http://honeyblog.org/uploads/paper/wordclouds/AdultSites-wc.png&#039;&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;58&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/AdultSites-wc.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;Lastly, we operated two adult web sites on our own. By becoming adult web site operators ourselves, we gained additional insights into unique security aspects in this domain. This enabled us to obtain a deeper understanding of the related abuse potential. We participated in adult traffic trading, and provide a detailed discussion of this unique aspect of adult web sites, including insights into the economic implications and possible attack vectors that a malicious site operator could leverage. For example, we discovered that a malicious operator could infect more than 20,000 with a minimal investment of about $160. Furthermore, we experimentally show that a malicious site operator could benefit from domain-specific business practices that facilitate click-fraud and mass exploitation. We conclude that many participants of this industry have business models that are based on very questionable practices that could very well be abused for malicious activities and conducting cyber-crime. In fact, we found evidence that this kind of abuse is already happening in the wild.&lt;br /&gt;
&lt;br /&gt;
All details of our study are available in the &lt;a href=&quot;http://honeyblog.org/junkyard/paper/adultSites-weis2010.pdf&quot;&gt;paper&lt;/a&gt;. The paper will be presented at the Ninth Workshop on the Economics of Information Security (&lt;a href=&quot;http://weis2010.econinfosec.org/&quot;&gt;WEIS 2010&lt;/a&gt;). WEIS will take place on June 7/8 at Harvard University.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
The online adult industry is among the most profitable business branches on the Internet, and its web sites attract large amounts of visitors and traffic. Nevertheless, no study has yet characterized the industry’s economical and security-related structure. As cyber-criminals are motivated by financial incentives, a deeper understanding and identification of the economic actors and interdependencies in the online adult business is important for analyzing security-related aspects of this industry.&lt;br /&gt;
In this paper, we provide a survey of the different economic roles that adult web sites assume, and highlight their economic and technical features. We provide insights into security flaws and potential points of interest for cyber-criminals. We achieve this by applying a combination of automatic and manual analysis techniques to investigate the economic structure of the online adult industry and its business cases. Furthermore, we also performed several experiments to gain a better understanding of the flow of visitors to these sites and the related cash flow, and report on the lessons learned while operating adult web sites on our own.&lt;br /&gt;
&lt;br /&gt;
This paper was joint work with Gilbert Wondracek, Christian Platzer, Engin Kirda, and Christopher Kruegel, all members of the &lt;a href=&quot;http://www.iseclab.org/&quot;&gt;International Secure Systems Lab&lt;/a&gt;. You can get the paper at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/adultSites-weis2010.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/adultSites-weis2010.pdf&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 06 May 2010 13:47:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/58-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>USENIX LEET'10 &amp; RAID 2010</title>
    <link>http://honeyblog.org/archives/57-USENIX-LEET10-RAID-2010.html</link>
            <category>admin</category>
    
    <comments>http://honeyblog.org/archives/57-USENIX-LEET10-RAID-2010.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=57</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=57</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    A quick announcement:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;Join us at the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats, which will take place in San Jose, CA, on April 27, 2010. LEET &#039;10 will provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on.&lt;br /&gt;
&lt;br /&gt;
The program includes:&lt;br /&gt;
-- Keynote Address: &quot;Why Don&#039;t I (Still) Trust Anything?&quot; by Jeff Moss, Founder, Black Hat and DEF CON&lt;br /&gt;
&lt;br /&gt;
-- Invited Talk: &quot;Naked Avatars and Other Cautionary Tales About MMORPG Password Stealers,&quot; by Jeff Williams, Microsoft Malware Protection Center&lt;br /&gt;
&lt;br /&gt;
-- Sessions on threat measurement and characterization, botnets, threat detection and mitigation, and more.&lt;br /&gt;
&lt;br /&gt;
Check out the full program at&lt;br /&gt;
&lt;a href=&quot;http://www.usenix.org/events/leet10/tech/&quot;&gt;http://www.usenix.org/events/leet10/tech/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Connect with the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats in fostering the development of preliminary work in this diverse area and stimulating discussion of thought-provoking ideas.&lt;br /&gt;
&lt;br /&gt;
Find out more and register today at&lt;br /&gt;
&lt;a href=&quot;http://www.usenix.org/leet10/proga&quot;&gt;http://www.usenix.org/leet10/proga&lt;/a&gt;&lt;/blockquote&gt;&lt;br /&gt;
And please note that the deadline for &lt;a href=&quot;http://www.raid2010.org/&quot;&gt;RAID 2010&lt;/a&gt; has been extended to April 21, 2010. See the &lt;a href=&quot;http://www.raid2010.org/call-for-participation&quot;&gt;Call for Participation&lt;/a&gt; for more details. Looking forward to your papers!&lt;br /&gt;
    </content:encoded>

    <pubDate>Thu, 15 Apr 2010 09:06:23 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/57-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Technical Report: &quot;Abusing Social Networks for Automated User Profiling&quot;</title>
    <link>http://honeyblog.org/archives/56-Technical-Report-Abusing-Social-Networks-for-Automated-User-Profiling.html</link>
            <category>paper</category>
            <category>research</category>
    
    <comments>http://honeyblog.org/archives/56-Technical-Report-Abusing-Social-Networks-for-Automated-User-Profiling.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=56</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=56</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    We recently published a &lt;a href=&quot;http://www.iseclab.org/papers/socialabuse-TR.pdf&quot;&gt;technical report&lt;/a&gt; on another project related to social networks. The paper is entitled &quot;Abusing Social Networks for Automated User Profiling&quot;, and we focus on automatically collecting information about users based on the information available in different networks. &lt;br /&gt;
&lt;br /&gt;
&lt;a href=&#039;http://honeyblog.org/uploads/paper/userProfiling-architecture.png&#039;&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;40&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/userProfiling-architecture.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt; Imagine that you have a profile on &lt;a href=&quot;http://www.facebook.com/&quot;&gt;Facebook&lt;/a&gt;, on &lt;a href=&quot;http://www.linkedin.com/&quot;&gt;LinkedIn&lt;/a&gt;, and on &lt;a href=&quot;http://www.myspace.com/&quot;&gt;MySpace&lt;/a&gt;. Perhaps you do not want to directly link these profiles, for example because you want to have a more serious profile on LinkedIn while having a more relaxed one on MySpace and Facebook. Thus you use different pseudonyms/names on the different profiles and expect that the information cannot be correlated. However, there is a problem with that assumption: during the registration on the different networks, you used the same e-mail address. And a social network typically enables a user to search for e-mail addresses in order to find friends (a convenient feature; after all, you want to network with your friends).
An attacker can thus go ahead and search on each network for a given e-mail address, scrape the profile related to that address, and then correlate the information found on the different networks. In the end, an attacker can thus enrich a given e-mail address with information collected on different social networks. &lt;br /&gt;
&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/userProfilingSN-wc.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/userProfilingSN-wc.png&#039;,&#039;Zoom&#039;,&#039;height=545,width=848,top=335,left=543.5,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:37 --&gt;&lt;img class=&quot;serendipity_image_right&quot; width=&quot;110&quot; height=&quot;70&quot; style=&quot;float: right; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/userProfilingSN-wc.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt; An attacker can not only search for one e-mail address at a time, but typically for hundreds or even thousands. And he can not only do this once, but thousands of times per day. For example, we were able to check about 10 million e-mail addresses on Facebook per day. A spammer could use this &quot;feature&quot; to verify e-mail addresses by using Facebook as an oracle to determine whether or not a given e-mail address is valid. Furthermore, the correlation aspect is of course also a privacy problem since an attacker can find &quot;hidden&quot; information and correlate information across different networks.&lt;br /&gt;
&lt;br /&gt;
We have contacted different social networks. Facebook and XING have already addressed the problem - thanks a lot!&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
Recently, social networks such as Facebook have experienced a huge surge in popularity. The amount of personal information stored in these sites calls for appropriate security precautions to protect this data.&lt;br /&gt;
In this paper, we describe how we are able to take advantage of a common weakness, namely the fact that an attacker can query the social network for registered e-mail addresses on a large scale. Starting with a list of about 10.4 million email addresses, we were able to automatically identify more than 1.2 million user profiles associated with these addresses. By crawling these profiles, we collect publicly available personal information about each user, which we use for automated profiling (i.e., to enrich the information available from each user).&lt;br /&gt;
Finally, we propose a number of mitigation techniques to protect the user’s privacy. We have contacted the most popular providers, who acknowledged the threat and are currently implementing our countermeasures. Facebook and XING in particular have recently fixed the problem.&lt;br /&gt;
&lt;br /&gt;
The technical report is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/papers/socialabuse-TR.pdf&#039;);&quot;  href=&quot;http://www.iseclab.org/papers/socialabuse-TR.pdf&quot;&gt;http://www.iseclab.org/papers/socialabuse-TR.pdf&lt;/a&gt; and it was joint work with Marco Balduzzi, Christian Platzer, Engin Kirda, Davide Balzarotti, and Christopher Kruegel. 
    </content:encoded>

    <pubDate>Wed, 17 Mar 2010 11:37:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/56-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Twitter Spamdetector Service</title>
    <link>http://honeyblog.org/archives/55-Twitter-Spamdetector-Service.html</link>
            <category>research</category>
    
    <comments>http://honeyblog.org/archives/55-Twitter-Spamdetector-Service.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=55</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=55</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    At the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/&#039;);&quot;  href=&quot;http://www.iseclab.org/&quot;&gt;International Secure Systems Lab&lt;/a&gt;, we have developed a couple of services like &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/anubis.iseclab.org/&#039;);&quot;  href=&quot;http://anubis.iseclab.org/&quot;&gt;Anubis&lt;/a&gt;, &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/wepawet.iseclab.org/&#039;);&quot;  href=&quot;http://wepawet.iseclab.org/&quot;&gt;Wepawet&lt;/a&gt;, or &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.maliciousnetworks.org/&#039;);&quot;  href=&quot;http://www.maliciousnetworks.org/&quot;&gt;FIRE&lt;/a&gt;. Lately, we have worked on a mechanism to detect spammers on &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/twitter.com/&#039;);&quot;  href=&quot;http://twitter.com/&quot;&gt;Twitter&lt;/a&gt;, a popular microblogging service. We have developed several heuristics to detect spamming profiles, and have already reported thousands of these profiles to Twitter, who then shut down these profiles. Now we have created a profile through which users can flag spammers on Twitter: the flagged accounts are added to our database, allowing us to detect profiles from campaigns we did not observe before. &lt;br /&gt;
&lt;br /&gt;
The profile is &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/twitter.com/spamdetector&#039;);&quot;  href=&quot;http://twitter.com/spamdetector&quot;&gt;@spamdetector&lt;/a&gt;, and the messages it accepts are of the format &lt;br /&gt;
&lt;blockquote&gt;&quot;@spamdetector @spamaccount&quot;&lt;/blockquote&gt;&lt;br /&gt;
Whenever you see a suspicious account, you can simply send us a notification and our system will check if this account is likely a spammer or not. This helps us to improve our heuristics, and we can help Twitter to shut down suspicious profiles, leading to a better service.&lt;br /&gt;
&lt;br /&gt;
This work was carried out by &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.cs.ucsb.edu/~gianluca/&#039;);&quot;  href=&quot;http://www.cs.ucsb.edu/~gianluca/&quot;&gt;Gianluca Stringhini&lt;/a&gt;, a PhD student at the University of California, Santa Barbara, working as a research assistant at the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cs.ucsb.edu/~seclab/&#039;);&quot;  href=&quot;http://cs.ucsb.edu/~seclab/&quot;&gt;Computer Security lab&lt;/a&gt;. And you can find my tweets at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/twitter.com/thorstenholz&#039;);&quot;  href=&quot;http://twitter.com/thorstenholz&quot;&gt;@thorstenholz&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Tue, 16 Mar 2010 12:50:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/55-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries&quot;</title>
    <link>http://honeyblog.org/archives/54-Inspector-Gadget-Automated-Extraction-of-Proprietary-Gadgets-from-Malware-Binaries.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/54-Inspector-Gadget-Automated-Extraction-of-Proprietary-Gadgets-from-Malware-Binaries.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=54</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=54</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    When analyzing malware samples, a human analyst is typically interested in understanding/recovering a specific algorithm of the given sample. In the case of Conficker, for example, she might be interested in extracting the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/mtc.sri.com/Conficker/index.html#fig-2&#039;);&quot;  href=&quot;http://mtc.sri.com/Conficker/index.html#fig-2&quot;&gt;domain generation algorithm&lt;/a&gt; so that she can understand which domains the malware uses now and will use in the future. Or for spam bots, she might be interested in how the malware downloads spam templates, decodes them, and then generates the actual spam messages. Or for bots, she might be interested in understanding how binary updates are downloaded, decoded, and then executed.  &lt;br /&gt;
&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/InspectorGadget-wc.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/InspectorGadget-wc.png&#039;,&#039;Zoom&#039;,&#039;height=476,width=847,top=369.5,left=544,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:38 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;61&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/InspectorGadget-wc.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt; In each case, the binary itself encodes the algorithm, but it is cumbersome and hard work to understand all of this. Thus it would be useful to have a tool that enables a malware analyst to &lt;em&gt;automatically&lt;/em&gt; extract from a given binary sample the relevant algorithm related to a specific task. In a paper that will be presented at the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/oakland31.cs.virginia.edu/&#039;);&quot;  href=&quot;http://oakland31.cs.virginia.edu/&quot;&gt;31st IEEE Symposium on Security &amp;amp; Privacy&lt;/a&gt; we introduce &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/papers/ieee_sp10_inspector_gadget.pdf&#039;);&quot;  href=&quot;http://www.iseclab.org/papers/ieee_sp10_inspector_gadget.pdf&quot;&gt;Inspector Gadget&lt;/a&gt;, a tool that implements exactly this. A gadget encapsulates all code related to a specific task and can be executed in a stand-alone fashion. A &lt;em&gt;gadget player&lt;/em&gt; can take a gadget and replay it, for example to determine which domains are currently used by Conficker, or download and decode an update for a bot binary. 
Furthermore, we introduce an approach to revert gadgets based on an enhanced brute-force algorithm: this is useful to understand the effects of malware in detail, and we can (in certain cases) also revert obfuscation algorithms, i.e., understand what data has been exfiltrated by a given sample. The &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/papers/ieee_sp10_inspector_gadget.pdf&#039;);&quot;  href=&quot;http://www.iseclab.org/papers/ieee_sp10_inspector_gadget.pdf&quot;&gt;full paper&lt;/a&gt; has all the details and describes Inspector Gadget in more depth. And if you are interested in the topic, you should also read the paper by Caballero et al. on &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-133.html&#039;);&quot;  href=&quot;http://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-133.html&quot;&gt;BCR&lt;/a&gt; (paper title is &quot;Binary Code Extraction and Interface Identification for Security Applications&quot;).&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: &lt;br /&gt;
Unfortunately, malicious software is still an unsolved problem and a major threat on the Internet. An important component in the fight against malicious software is the analysis of malware samples: only if an analyst understands the behavior of a given sample can she design appropriate countermeasures. Manual approaches are frequently used to analyze certain key algorithms, such as downloading of encoded updates, or generating new DNS domains for command and control purposes.&lt;br /&gt;
In this paper, we present a novel approach to automatically extract, from a given binary executable, the algorithm related to a certain activity of the sample. We isolate and extract these instructions and generate a so-called gadget, i.e., a stand-alone component that encapsulates a specific behavior. We make sure that a gadget can autonomously perform a specific task by including all relevant code and data into the gadget such that it can be executed in a self-contained fashion.&lt;br /&gt;
Gadgets are useful entities in analyzing malicious software: In particular, they are valuable for practitioners, as understanding a certain activity that is embedded in a binary sample (e.g., the update function) is still largely a manual and complex task. Our evaluation with several real-world samples demonstrates that our approach is versatile and useful in practice.&lt;br /&gt;
&lt;br /&gt;
The full paper is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/papers/ieee_sp10_inspector_gadget.pdf&#039;);&quot;  href=&quot;http://www.iseclab.org/papers/ieee_sp10_inspector_gadget.pdf&quot;&gt;http://www.iseclab.org/papers/ieee_sp10_inspector_gadget.pdf&lt;/a&gt; and will be presented in May at the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/oakland31.cs.virginia.edu/&#039;);&quot;  href=&quot;http://oakland31.cs.virginia.edu/&quot;&gt;31st IEEE Symposium on Security &amp;amp; Privacy&lt;/a&gt;. The paper was joint work with Clemens Kolbitsch, Christopher Kruegel, and Engin Kirda - all members of the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/&#039;);&quot;  href=&quot;http://www.iseclab.org/&quot;&gt;International Secure Systems Lab&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Fri, 12 Mar 2010 08:09:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/54-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Waledac Infection Check</title>
    <link>http://honeyblog.org/archives/53-Waledac-Infection-Check.html</link>
            <category>admin</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/53-Waledac-Infection-Check.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=53</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=53</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/twitter.com/sqrtsben&#039;);&quot;  href=&quot;http://twitter.com/sqrtsben&quot;&gt;Ben Stock&lt;/a&gt; has implemented a web service to check a given IP address for infection with Waledac, similar to the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.confickerworkinggroup.org/infection_test/cfeyechart.html&#039;);&quot;  href=&quot;http://www.confickerworkinggroup.org/infection_test/cfeyechart.html&quot;&gt;Conficker Eye Chart&lt;/a&gt;. The idea is that we are currently tracking Waledac as part of the take-down effort and thus we have a pretty good overview of the individual bots within the botnet. Therefore we are in a position to determine if we have seen a given IP address in the recent past as a bot, which indicates that this IP address might be related to a Waledac infection. Of course, effects like NAT or DHCP need to be taken into account: if an IP address is not listed, this does not necessarily mean that you are not infected. &lt;br /&gt;
&lt;br /&gt;
The check is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/mwanalysis.org/waledac/&#039;);&quot;  href=&quot;http://mwanalysis.org/waledac/&quot;&gt;http://mwanalysis.org/waledac/&lt;/a&gt;, feedback is welcome!&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Tue, 02 Mar 2010 22:29:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/53-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Waledac Takedown Successful</title>
    <link>http://honeyblog.org/archives/52-Waledac-Takedown-Successful.html</link>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/52-Waledac-Takedown-Successful.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=52</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=52</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    A few weeks ago, I blogged about our paper &quot;&lt;a href=&quot;http://honeyblog.org/archives/44-Walowdac-Analysis-of-a-Peer-to-Peer-Botnet.html&quot;&gt;Walowdac – Analysis of a Peer-to-Peer Botnet&lt;/a&gt;&quot;. The paper provides an overview of the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fWaledac&#039;);&quot;  href=&quot;http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fWaledac&quot;&gt;Waledac&lt;/a&gt; &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf&#039;);&quot;  href=&quot;http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf&quot;&gt;botnet&lt;/a&gt; and its specific aspects compared to Storm Worm and similar peer-to-peer botnets. The paper also contains some measurement results for the botnet like the typical number of online bots and similar statistics.&lt;br /&gt;
&lt;br /&gt;
In the last couple of days, the situation changed a bit: we worked on an active takedown of the botnet together with experts from Microsoft, Shadowserver, the University of Mannheim, University of Bonn, University of Washington, Symantec and others. The operation is known within Microsoft as &quot;Operation b49&quot; and involved domain takedowns and additional technical countermeasures. Microsoft also did some fantastic work on the legal side; the complaint filed by Microsoft (&quot;&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.microsoft.com/presspass/events/rsa/docs/Complaint.pdf&#039;);&quot;  href=&quot;http://www.microsoft.com/presspass/events/rsa/docs/Complaint.pdf&quot;&gt;Microsoft Corporation v. John Does 1-27, et al.&lt;/a&gt;&quot;) is available online. As a result, the communication infrastructure of Waledac has been disrupted to a certain extent and the botmaster effectively cannot send commands to the bots. The &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.sudosecure.net/waledac/index.php&#039;);&quot;  href=&quot;http://www.sudosecure.net/waledac/index.php&quot;&gt;Waledac Tracker&lt;/a&gt; by  &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.sudosecure.net/&#039;);&quot;  href=&quot;http://www.sudosecure.net/&quot;&gt;sudosecure.net&lt;/a&gt; also shows a nice decline in the number of bots for the last few days. Note, however, that the infected machines are still up and running, thus some clean-up on that side is still necessary...&lt;br /&gt;
&lt;br /&gt;
You can read more about the story in a blog post by Microsoft: &quot;&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/microsoftontheissues.com/cs/blogs/mscorp/archive/2010/02/24/cracking-down-on-botnets.aspx&#039;);&quot;  href=&quot;http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/02/24/cracking-down-on-botnets.aspx&quot;&gt;Cracking Down on Botnets&lt;/a&gt;&quot;. And I will update the blog with new information once we start to analyze the collected data...&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 25 Feb 2010 15:57:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/52-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;A Practical Attack to De-Anonymize Social Network Users&quot;</title>
    <link>http://honeyblog.org/archives/51-A-Practical-Attack-to-De-Anonymize-Social-Network-Users.html</link>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/51-A-Practical-Attack-to-De-Anonymize-Social-Network-Users.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=51</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=51</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    In the last couple of months, &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/&#039;);&quot;  href=&quot;http://www.iseclab.org/&quot;&gt;we&lt;/a&gt; have worked on a technique to de-anonymize users based on the way they interact with social networks. The idea behind our attack is the fact that the &lt;em&gt;group memberships&lt;/em&gt; of a user (i.e., the groups of a social network to which a user belongs) are often sufficient to uniquely identify this user. This means that there are only a few (or in the best case only one) users of a social network who are members of exactly the same groups. &lt;br /&gt;
&lt;br /&gt;
The attack scenario is the following: a malicious website wants to de-anonymize a user, i.e., find out the real name and identity of a visitor. The attack is implemented in two phases. In a first phase, we crawl the groups of a social network to determine the members of the different groups. This is our database from which we can generate a &lt;em&gt;group fingerprint&lt;/em&gt; per user. In the second phase, we use the well-known technique of &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/bugzilla.mozilla.org/show_bug.cgi?id=147777&#039;);&quot;  href=&quot;https://bugzilla.mozilla.org/show_bug.cgi?id=147777&quot;&gt;history&lt;/a&gt; &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html&#039;);&quot;  href=&quot;http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html&quot;&gt;stealing&lt;/a&gt; to probe the browser&#039;s history for links to groups, thus determining the group fingerprint of the visitor. We can then compare this fingerprint to our database and de-anonymize the visitor. Even when unique identification is not possible, the attack might still significantly reduce the size of the set of candidates that the victim belongs to.&lt;br /&gt;
&lt;br /&gt;
As a proof-of-concept, we implemented the attack for &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.xing.com/&#039;);&quot;  href=&quot;http://www.xing.com/&quot;&gt;XING&lt;/a&gt;, a well-known &quot;Social Network for Business Professionals&quot;. Please note that this attack is not specific to XING or any other social network - it is generally applicable to different kinds of modern web applications that contain unique links per user that can be probed via history stealing. We crawled the ~7000 public groups of XING and found about 1.8 million members that belong to at least one group. These users are vulnerable to our attack and we have a &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/people/gilbert/experiment/&#039;);&quot;  href=&quot;http://www.iseclab.org/people/gilbert/experiment/&quot;&gt;demo website&lt;/a&gt; to participate in our experiment. Note that this test is only successful if you are a member of XING and a member of at least one group. If you regularly participate in groups, the chances are higher that we can successfully de-anonymize you :-)&lt;br /&gt;
&lt;br /&gt;
The following pictures show the different stages of the proof-of-concept attack:&lt;center&gt;&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/Experiment2.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:31 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;85&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/Experiment2.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/Experiment4.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:32 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;85&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/Experiment4.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;br /&gt;
&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/Experiment5-res.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:33 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;85&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/Experiment5-res.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/Experiment6-res.png&#039; target=&quot;_blank&quot;&gt;&lt;!-- s9ymdb:34 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;85&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/Experiment6-res.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;
We have published a technical report that summarizes our preliminary results at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/papers/sonda-TR.pdf&#039;);&quot;  href=&quot;http://www.iseclab.org/papers/sonda-TR.pdf&quot;&gt;http://www.iseclab.org/papers/sonda-TR.pdf&lt;/a&gt;. In the next couple of weeks, we will finish the work on the paper and present our results at the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/oakland31.cs.virginia.edu/&#039;);&quot;  href=&quot;http://oakland31.cs.virginia.edu/&quot;&gt;31st IEEE Symposium on Security &amp;amp; Privacy&lt;/a&gt; in May. A demo of the attack is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.iseclab.org/people/gilbert/experiment/&#039;);&quot;  href=&quot;http://www.iseclab.org/people/gilbert/experiment/&quot;&gt;http://www.iseclab.org/people/gilbert/experiment/&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Mon, 01 Feb 2010 16:43:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/51-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Data Set For Malware Clustering/Classification</title>
    <link>http://honeyblog.org/archives/50-Data-Set-For-Malware-ClusteringClassification.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/50-Data-Set-For-Malware-ClusteringClassification.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=50</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=50</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    About one month ago I blogged about our research on &lt;a href=&quot;http://honeyblog.org/archives/42-Automatic-Analysis-of-Malware-Behavior-using-Machine-Learning.html&quot;&gt;malware clustering and classification&lt;/a&gt;. We have now also released the full data set from our experiments, such that other people can reproduce the results and compare our approach to theirs. You can find all information at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/pi1.informatik.uni-mannheim.de/malheur/&#039;);&quot;  href=&quot;http://pi1.informatik.uni-mannheim.de/malheur/&quot;&gt;http://pi1.informatik.uni-mannheim.de/malheur/&lt;/a&gt;, together with a description of the different data.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Quick overview of the data&lt;/em&gt;:&lt;br /&gt;
&lt;blockquote&gt;Our reference data set is extracted from our large database of malware binaries maintained at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cwsandbox.org&#039;);&quot;  href=&quot;http://cwsandbox.org&quot;&gt;CWSandbox&lt;/a&gt;. The malware binaries have been collected over a period of three years from a variety of sources. From the overall database, we select binaries which have been assigned to a known class of malware by the majority of six independent anti-virus products. We append the overall anti-virus label to the filename of each report. Although anti-virus labels suffer from inconsistency, we expect the selection using different scanners to be reasonably consistent and accurate. To compensate for the skewed distribution of classes, we discard classes with less than 20 samples and restrict the maximum contribution of each class to 300 binaries. The selected malware binaries are then executed and monitored using CWSandbox, resulting in a total of 3.133 behavior reports in MIST format. &lt;br /&gt;
&lt;br /&gt;
The application data set consists of seven chunks of malware binaries obtained from the anti-malware vendor Sunbelt Software. The binaries correspond to malware collected during seven consecutive days in August 2009 and originate from a variety of sources. Sunbelt Software uses these very samples to create and update signatures for their VIPRE anti-malware product as well as for their security data feed ThreatTrack. The complete test data set consists of 33.698 behavior reports in MIST format. &lt;/blockquote&gt;&lt;br /&gt;
The full technical report is available at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Update&lt;/em&gt;: I changed the terms within the description to use the correct description.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Fri, 29 Jan 2010 14:08:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/50-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>

</channel>
</rss>
