paper

SPRING Proceedings

Friday, August 8. 2008

Today the workshop SPRING took place at our lab in Mannheim. SPRING is an annual networking event for junior scientists who work in the area of reactive security. The talks focussed on topics like automated malware clustering, intrusion detection systems that use peer-to-peer techniques, netflow analysis, anomaly detection on smartphones, and more. I organized the workshop, thus I'm happy that it ends in a few minutes :-)

In the next few days, we will upload all slides and also a few pictures taken during the workshop. The proceedings are already available. They contain a short abstract (one page) for each talk and provide an overview of the different topics covered today.

Posted by Thorsten Holz in general, paper at 18:25 | Comment (1) | Trackbacks (0)

WOOT'08 and HotSec'08

Tuesday, July 29. 2008

Besides USENIX Security, also two interesting workshops take place this week: 2nd USENIX Workshop on Offensive Technologies (WOOT '08) and 3rd USENIX Workshop on Hot Topics in Security (HotSec '08). Both workshops have an interesting program and the proceedings are an interesting read! My favorite paper picks:

Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods by Stinson and Mitchell (WOOT'08) discusses how existing botnet detection systems like Rishi, BotHunter, BotMiner, and others can be circumvented

Towards Application Security on Untrusted Operating Systems by Ports and Garfinkel (HotSec'08) discusses how malicious behavior in each major OS subsystem can undermine application security and how this threat can possibly be mitigated

There Is No Free Phish: An Analysis of "Free" and Live Phishing Kits by Cova et al. (WOOT'08) analyzes "free" phishing kits like the famous Mr. Brain kits that contain backdoors

Insecure Context Switching: Inoculating Regular Expressions for Survivability by Drewry and Ormandy (WOOT'08) shows how regular expressions can be used in a malicious way, leading to complexity attacks

The full papers will be available a few days after the workshops took place.

Posted by Thorsten Holz in paper at 12:15 | Comments (0) | Trackbacks (0)

USENIX Security'08

Monday, July 28. 2008

This week, the 17th USENIX Security Symposium takes place in San Jose, CA. Unfortunately I can not attend this year :-( But there are many interesting papers you should check out, for example:

All Your iFRAMEs Point to Us by Provos et al. analyzes the threat by malicious iframes injected into websites

Lest We Remember: Cold Boot Attacks on Encryption Keys by Halderman et al. is the paper about the now famous cold boot attack, for which the full source code was released last week by Jacob Appelbaum at The Last HOPE in New York City

CloudAV: N-Version Antivirus in the Network Cloud by Oberheide et al. deals with n-version AV-scanning (basically examining a given sample with n AV-scanners and behavior-analysis tools like CWSandbox or Norman Sandbox), thereby improving detection rates

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection by Gu et al. shows how botnets can be detected by correlating netflow data, finding similar behavior within the network traffic

Hypervisor Support for Identifying Covertly Executing Binaries by Litty et al. introduces a system to detect malicious code with the help of a hypervisor built on top of Xen.

And many others

The full papers will be available a few days after the conference took place. A really good conference this year with an exciting program! Looking forward to attend next year :-)

Posted by Thorsten Holz in paper at 12:14 | Comment (1) | Trackbacks (0)

DIMVA'08 Slides

Tuesday, July 22. 2008

A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper to the webinterface of cwsandbox.org - stay tuned :)

Posted by Thorsten Holz in general, malware, paper at 13:56 | Comments (0) | Trackbacks (0)

Fast-Flux Data

Wednesday, July 16. 2008

Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed at my side, we decided to simply publish all the data such that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:

storm-qavoter.com.log: dig lookups for domain used by the Storm Worm botnet which uses fast-flux techniques

asprox-damnec-hydra.log: dig lookups for Asprox/Damnec botnet which also uses fast-flux techniques

lookups-ff: dig lookups for fast-flux domains, confirmed manually

lookups-spam: dig lookups for various domains found in spam e-mails

lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa

lookups-ndss: part of the domains used for the NDSS paper

lookups-ndss-ff: suspected fast-flux domains from NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)

Posted by Thorsten Holz in general, honeynets, malware, paper at 23:57 | Comment (1) | Trackbacks (0)

SPRING Proceedings

WOOT'08 and HotSec'08

USENIX Security'08

DIMVA'08 Slides

Fast-Flux Data

About

Calendar

Quicksearch

Archives

Categories

Syndicate This Blog

Creative Commons

	August '08
Mon	Tue	Wed	Thu	Fri	Sat	Sun
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31