honeyblog

GSoC Update

thorsten.holz@gmail.com (Thorsten Holz) — Tue, 21 Apr 2009 16:00:00 +0200

Yesterday the results of Google Summer of Code (GSoC) were released and the Honeynet Project will mentor nine students during the summer who work on different projects: http://socghop.appspot.com/org/home/google/gsoc2009/honeynet. More information is also available at the Honeynet Project GSoC site.

I'm happy to mentor Lukas Rist, who will work on Glastopf. The goal of the project is to learn more about attacks by emulating vulnerabilities in web applications ("We have two goals: First, collecting and analyzing data and second, trying to inform compromised web page owner. Actually we are mainly collecting Remote File Inclusion attacks, but others will follow."). The source code is available at http://trac.1durch0.de/trac and will be improver during the GSoC period.

Ready or Not?

thorsten.holz@gmail.com (Thorsten Holz) — Mon, 13 Apr 2009 16:36:00 +0200

Several days ago, I finally handed in my dissertation with the title "Tracking and Mitigation of Malicious Remote Control Networks". The thesis was reviewed by Prof. Freiling and Prof. Kruegel and my defense is at the end of the month. The thesis itself deals with different methods to study malicious remote control networks, i.e., a mechanism that enables an attacker the control over a large number of compromised machines for illicit activities. Typical examples of this kind of remote control networks are botnets and fast-flux service networks. The thesis summarizes the work from the last few years and the resulting publications.
Once my defense is over I will post a link to my thesis, it is not yet public. For now I'm really happy that my PhD studies are (almost) over, looking forward to new challenges in the future :-)

And another good news arrived today via e-mail:

On behalf of the 18th USENIX Security Symposium (USENIX Security '09) program committee, I am delighted to inform you that your paper #108 has been accepted to appear in the conference.

Title: Return-Oriented Rootkits: Bypassing Kernel Code Integrity
Protection Mechanisms
Authors: Ralf Hund (University of Mannheim)
Thorsten Holz (University of Mannheim)
Felix Freiling (University of Mannheim)

This year's selection process was very selective, and your paper was one of only 26 papers accepted out of 176 submissions. Congratulations!

LEET'09 Taking Place Soon

thorsten.holz@gmail.com (Thorsten Holz) — Tue, 07 Apr 2009 08:38:00 +0200

Join us at the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (LEET'09), which will take place in Boston, MA, on April 21, 2009. LEET '09 will focus on the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, and the social and economic networks driving these threats. Sessions include Malware Analysis, Ethics in Botnet Research, Malware Behavior, and more.

The full program is available at http://www.usenix.org/events/leet09/tech/.

LEET '09 will also include a session for Work-in-Progress reports. We encourage you to submit an abstract or proposal for a 5-minute presentation on your preliminary work to leet09wips@usenix.org.

Connect with the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats in fostering the development of preliminary work in this diverse area and stimulating discussion of thought-provoking ideas.

Find out more and register today at http://www.usenix.org/leet09/

Conficker Detection

thorsten.holz@gmail.com (Thorsten Holz) — Thu, 02 Apr 2009 10:19:00 +0200

The Internet did not break down yesterday due to Conficker, it seems like the topic was hyped a bit too much by the media.
In case you want to quickly check whether or not your machine is infected with the worm, you can use a simple check developed by Joe Stewart from SecureWorks. Simply go to http://honeyblog.org/junkyard/conficker/ and check which images your browser shows:

Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.

If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

Furthermore, the Honeynet Project recently released a paper entitled "Know Your Enemy: Containing Conficker" which presents in detail several methods to detect the worm based on network characteristics,

Abstract:
The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domainname generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download including source code.

Google Summer of Code 2009

thorsten.holz@gmail.com (Thorsten Holz) — Mon, 23 Mar 2009 14:14:00 +0100

The Honeynet Project was selected for this year's Google Summer of Code. If you are a student and interested in participating in the program, please take a look at http://www.honeynet.org/gsoc. There you will find all information about the projects related to the Honeynet Project. Google will begin accepting applications from students beginning today, thus you need to be quick...

Learning more about RFI Attacks

thorsten.holz@gmail.com (Thorsten Holz) — Sat, 21 Mar 2009 10:59:00 +0100

As part of the work at our lab we started to work on methods to learn more about remote file inclusion (RFI) attacks. The Internet Storm Center has developed a web-based honeypot which is available in a beta version. This honeypot can be used to collect information about different kinds of attacks, but requires the participant to install and maintain a honeypot on his own. For example, it is possible to deploy this honeypot on a OpenWrt router.
Since we are aiming only at RFI attacks, an easier approach is to redirect incoming malicious request to a central honeypot which then aggregates the information. Jan already blogged about this idea, this posting is meant to spread the word.

You can help us by using the following .htaccess file on your web server:

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} (.+=http:\/\/.+)
RewriteRule ^(.+)$ http://link.informatik.uni-mannheim.de/$1?%1 [R,NC]

The script checks if the incoming request looks like an RFI attack (RewriteCond) and then redirects this request to one of our honeypots (RewriteRule). Please let us know if you have any questions or ideas.

Blog of the FORWARD Project

thorsten.holz@gmail.com (Thorsten Holz) — Fri, 20 Mar 2009 17:45:00 +0100

One of the projects I am involved in is FORWARD:

FORWARD is an initiative by the European Commission to promote the collaboration and partnership between Academia and Industry in their common goal of protecting Information and Communication Technology (ICT) infrastructures. Communication networks and computers are under constant Cyber-threats from malicious users and organizations that use viruses, worms, spyware, botnets, spam, and phishing, to harm the European citizens and organizations.

The FORWARD initiative aims at identifying, networking, and coordinating the multiple research efforts that are underway in the area of Cyber-threats defenses, and leveraging these efforts with other activities to build secure and trusted ICT systems and infrastructures.

A complete overview of the FORWARD project is available at http://www.ict-forward.eu/. The project is funded as part of the European Community's Seventh Framework Programme. Since some time, the project also maintains a blog, which is located at http://blogs.ict-forward.eu/forward/. There you can find the latest updates and an overview of the current project activity. Check it out and comment on the project, we would love to get your feedback!

CanSec / PWN2OWN contest

thorsten.holz@gmail.com (Thorsten Holz) — Thu, 19 Mar 2009 18:39:00 +0100

It has been some time since my last blog entry, I've been busy with my thesis. My defense is at the end of next month - finally getting ready with everything :)

This week I am in Vancouver for CanSec, I taught a course about honeypots on Monday. Now I'm enjoying the conference, the agenda is pretty cool this year! The main focus of yesterday was on mobile phones, most of the presentations dealt with smartphones like the iPhone or the Android platform. Sniffing keystrokes via a laser microphone or a voltmeter is next, really looking forward to that presentation.

CanSec also has a new edition of the PWN2OWN contest. This year, the main focus of the contest is web browsers and mobile phones. On the first day, several browsers were 0wned, Nils even managed to exploit three different browsers. Below is a screenshot of the scoreboard taken in the afternoon - Julien then managed to compromise the machine and afterwards Nils scored for the third time:

Interestingly, nobody attacked the smartphones - perhaps we see some attacks during day 2 and 3.

ICANN: Initial Report of the GNSO Fast Flux Hosting Working Group

thorsten.holz@gmail.com (Thorsten Holz) — Thu, 29 Jan 2009 23:50:13 +0100

Fast-Flux Service Networks is a phenomenon I covered in this blog a couple of times earlier on. We als published two papers on this topic and made the data collected during our study available. Back in May 2008 ICANN had formed a working group to address this problem which should answer the following questions:

Who benefits from fast flux, and who is harmed?

Who would benefit from cessation of the practice and who would be harmed?

Are registry operators involved, or could they be, in fast flux hosting activities? If so, how?

Are registrars involved in fast flux hosting activities? If so, how?

How are registrants affected by fast flux hosting?

How are Internet users affected by fast flux hosting?

What technical (e.g. changes to the way in which DNS updates operate) and policy (e.g. changes to registry/registrar agreements or rules governing permissible registrant behavior) measures could be implemented by registries and registrars to mitigate the negative effects of fast flux?

What would be the impact (positive or negative) of establishing limitations, guidelines, or restrictions on registrants, registrars and/or registries with respect to practices that enable or facilitate fast flux hosting?

What would be the impact of these limitations, guidelines, or restrictions to product and service innovation?

What are some of the best practices available with regard to protection from fast flux?

Since a few days the initial report of this working group is available and the report is an interesting read. Public comments should be sent directly to ICANN until February 15, 2009 - so if you have comments, please send them to ICANN.

Storm Worm, Encryption, Disruption, and more...

thorsten.holz@gmail.com (Thorsten Holz) — Sat, 17 Jan 2009 12:03:00 +0100

Dancho did an interview on the topic of Storm Worm, in which some wrong facts are described by Georg Wicherski, who said: "On the 24c3 congress at the end of 2007, Thorsten Holz gave a presentation on disrupting Zhelatin’s command and control infrastructure, involving a /16 network or 65536 nodes in other terms." This statement is wrong: we did not use 65536 machines, but just 2 machines - one machine in Sophia Antipolis, France and the other one in Mannheim, Germany. Actually everything is also possible with just one machine: the second machine was just used for measurements and to verify the results. I'm not sure what caused this confusion, presumably they did not read our paper on the topic :)

We also found out that the "authentication" used by Storm is very weak: The four byte XOR key is a simple obfuscation scheme, whereas the 64bit RSA needs a little bit more work to break the crypto. Actually we published our results back in April 2008 during the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '08), a fact that some people seemed to have missed. Frederic Dahl also summarized all of these aspects in his diploma thesis which was published in March 2008.

My presentation from back then is available as "Measurements and Mitigation of Peer-to-Peer-based Botnets" and I also did a talk during the work-in-progress session on the crypto aspects of Storm Worm: "Other Aspects of Storm Worm".

Nowadays Storm Worm is not a very interesting botnet, we actually stopped the crawler several months ago since not many infected machines are still online in the network...

Using Honeypots to Study Web-based Attacks

thorsten.holz@gmail.com (Thorsten Holz) — Wed, 14 Jan 2009 23:08:00 +0100

The Internet Storm Center has an interesting entry on how to use honeypots to capture attacks against web-applications: "Roundcube Webmail follow-up":

A fermented honeypot is one that has been set up based on exploit attempts identified by a first stage honeypot. What happens is that the attacker(s) get all sticky in the original honeypot and when they come back for more sweetness, they get the fermented honeypot too. Now, along with getting all sticky in the first honeypot, they get all drunk on excitement in the fermented honeypot. [...] Development of a fermented honeypot is not without effort. There is no typical Win32 click-n-create nonsense. A fermented honeypot must be specifically crafted to correctly emulate the focused attack. The author, or 'brew master', is well capable of taking a traditional honeypot and fermenting it accordingly.

Basically they first observe the scanning/exploitation attempts against the Roundcube html2text.php vulnerability and then set up a second-stage honeypot that responds to these scanning attempts, offering more bait for the attacker. This is a good example how honeypots work and it also helps them to observe the actual infection of a vulnerable system.

Malicious PDFs Analysis Continued

thorsten.holz@gmail.com (Thorsten Holz) — Mon, 12 Jan 2009 13:18:00 +0100

After my initial posting about the possibility to analyze PDF files with CWSandbox we received a few more such samples. In all cases the PDF file exploits a vulnerability in Acrobat Reader once the file is opened. With the help of CWSandbox it is possible to observe this exploit and also the actions of the malware after the compromise (e.g., downloading of additional malware from another server). Please find below three additional examples of such reports:

https://cwsandbox.org/?page=report&analysisid=879663&password=vqtgp

https://cwsandbox.org/?page=report&analysisid=878305&password=utxuc

https://cwsandbox.org/?page=report&analysisid=878393&password=pmviw

If you happen to have more malicious PDFs, please submit them at cwsandbox.org :-)

Call for Papers: LEET'09 and EuroSec'09

thorsten.holz@gmail.com (Thorsten Holz) — Sat, 10 Jan 2009 11:03:00 +0100

Just a quick reminder of two upcoming deadlines for workshops I am involved with:

The Call for Papers for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threat (LEET'09) ends on January 16, 2009. More information is available at http://www.usenix.org/events/leet09/.

The deadline for the 2009 European Workshop on System Security (EuroSec'09) is on January 19, 2009. More information is available at http://www.ics.forth.gr/dcs/eurosec09/.

Looking forward to your submissions!

Fast-Flux Data from ATLAS

thorsten.holz@gmail.com (Thorsten Holz) — Fri, 09 Jan 2009 10:03:00 +0100

Yesterday Jose blogged about "2008 H2 Fast Flux Data Analysis" based on the information collected by ATLAS. They discover on average between 40 and 50 new fast-flux domains per day and found the following trends:

We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. [...] The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs.

It's interesting to see the new developments in this area compared to our paper from late 2007 and the measurement results from ATLAS. Our fast-flux tracking system will be online again in the next few days, I will also blog about some updates in the future.

25C3: "Banking Malware 101" Slides

thorsten.holz@gmail.com (Thorsten Holz) — Tue, 30 Dec 2008 11:47:07 +0100

The slides I used for my presentation at the 25th Chaos Communication Congress (25C3) are now available for download. The presentation was also recorded and should be available in the next few days at http://ftp.ccc.de/congress/25c3/pre-release/. The congress was a lot of fun, unfortunately I had to leave earlier...

An interesting presentation is scheduled for today at 15:15 CET: Jacob and Alex talk about Making the theoretical possible. Not many details are available (see the "abstract" at the left-hand side), but it seems like they found something big that basically affects everyone. Rumors are that they broke a Root CA key that is included in major browsers - the truth will be revealed in a couple of hours...