DIMVA'08 Slides

Tuesday, July 22. 2008
A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper into the web interface of cwsandbox.org - stay tuned :)

Interesting Pattern in Storm Worm Traffic

Monday, July 21. 2008
Björn Weiland recently sent me a few graphs with interesting observations he made when tracking the Storm Worm botnet as part of his thesis on detection of advanced botnets.
The first graph visualizes the network communication of a Storm sample when executed on a machine with a private IP address. In that configuration, the bot typically sends out spam e-mails or participates in distributed denial-of-service attacks. The x-axis shows the time, while the y-axis shows the UDP/TCP destination port number the bot communicates on:


The graph shows that the bot first uses NTP to synchronize the clock of the victim's machine. Afterwards, it contacts many other machines, typically on TCP ports < 33.789 (strange port number?!?). After a few minutes, it also starts spamming (lots of connections on TCP port 25). What is interesting is all the communication that happens on higher port numbers: we can, for example, identify an IP address hosted at Intercage. This IP address is part of the static backend of the botnet. In addition, an IP address related to the University of California in San Diego (UCSD) sticks out, presumably related to their Storm Worm research. I'm not yet sure what all the other IP addresses mean, but presumably all of them are also suspicious and somehow related to the botnet.

The second graph shows the network communication of a sample executed on a machine with a public IP address. In this configuration, the bot is typically used to relay messages or host services related to the botnet. Again, the x-axis depicts a timeline, whereas the y-axis shows the TCP / UDP destination port number:


Here we can observe a completely different pattern compared to the first graph. Overall, the full port range is used, with some more dense and some more sparse parts. We can also observe more TCP communication and quite a lot of communication on TCP port 80, which is related to the web sites hosted by the botnet.

The port range between destination port 50,000 and 51,000 is far more dense compared to lower / higher ports as the following figure shows:

This port range is commonly used for RTP / RTCP as defined in RFC 4504 - presumably just a coincidence for Storm Worm.

Does anybody have an explanation for the distribution of destination ports used by Storm Worm? And thanks a lot to Björn for the permission to publish the figures!

New Storm Campaign: Amero

Monday, July 21. 2008
The Storm Worm botnet changed the propagation theme again and now uses a social engineering theme that builds on the weak US dollar and the ongoing financial crisis:


The text above the picture reads:
The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

From a technical point of view, nothing seems to have changed compared to previous versions of the binary. In the last few days, our crawler measured an effective size (i.e., how many bots are online at the moment) of the botnet between six and ten thousand machines. In total, the botnet is still bigger, since we observe high churn rates between different crawls.