SPRING Proceedings

Friday, August 8. 2008
Today the workshop SPRING took place at our lab in Mannheim. SPRING is an annual networking event for junior scientists who work in the area of reactive security. The talks focussed on topics like automated malware clustering, intrusion detection systems that use peer-to-peer techniques, netflow analysis, anomaly detection on smartphones, and more. I organized the workshop, thus I'm happy that it ends in a few minutes :-)

In the next few days, we will upload all slides and also a few pictures taken during the workshop. The proceedings are already available. They contain a short abstract (one page) for each talk and provide an overview of the different topics covered today.

DIMVA'08 Slides

Tuesday, July 22. 2008
A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper into the web interface of cwsandbox.org - stay tuned :)

Fast-Flux Data

Wednesday, July 16. 2008
Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a rapid change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy network on top of compromised machines and thus maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people have mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed on my side, we decided to simply publish all the data so that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:
  • storm-qavoter.com.log: dig lookups for a domain used by the Storm Worm botnet, which uses fast-flux techniques

  • asprox-damnec-hydra.log: dig lookups for the Asprox/Damnec botnet, which also uses fast-flux techniques

  • lookups-ff: dig lookups for fast-flux domains, confirmed manually

  • lookups-spam: dig lookups for various domains found in spam e-mails

  • lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa

  • lookups-ndss: part of the domains used for the NDSS paper

  • lookups-ndss-ff: suspected fast-flux domains from the NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)
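As an added illustration of what can be done with such dig lookup files (this is not code from the paper or the tarball, and the file format of the archive may differ from the constructed sample below), the following script parses the A records from repeated dig runs and applies the fast-flux intuition described above: a domain whose answers cycle through many IP addresses in many different networks with short TTLs. The thresholds are illustrative assumptions, not values from the paper.

```python
import re
from collections import defaultdict

# Constructed sample: several dig runs for two domains, concatenated.
# Addresses are from documentation ranges; one domain rotates its
# A records between runs, the other always returns the same address.
CONSTRUCTED_DIG_OUTPUT = """
;; ANSWER SECTION:
example-ff.test.      300     IN      A       192.0.2.10
example-ff.test.      300     IN      A       198.51.100.7
example-ff.test.      300     IN      A       203.0.113.42
;; ANSWER SECTION:
example-ff.test.      300     IN      A       192.0.2.11
example-ff.test.      300     IN      A       198.51.100.99
example-ff.test.      300     IN      A       203.0.113.5
;; ANSWER SECTION:
example-static.test.  86400   IN      A       192.0.2.200
;; ANSWER SECTION:
example-static.test.  86400   IN      A       192.0.2.200
"""

# Matches one A record line of dig's answer section: name, TTL, IN, A, IPv4.
A_RECORD = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$")

def parse_a_records(text):
    """Return {domain: [(ttl, ip), ...]} for every A record found."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = A_RECORD.match(line.strip())
        if m:
            records[m.group(1)].append((int(m.group(2)), m.group(3)))
    return records

def fast_flux_stats(entries):
    """Distinct IPs, distinct /16 prefixes (a crude network-diversity
    proxy in place of real AS lookups) and the smallest TTL observed."""
    ips = {ip for _, ip in entries}
    prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
    return {"distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(ttl for ttl, _ in entries)}

def is_fast_flux(stats, min_ips=5, min_prefixes=3, max_ttl=1800):
    """Assumed thresholds: many addresses, spread widely, short-lived."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_prefixes"] >= min_prefixes
            and stats["min_ttl"] <= max_ttl)

def classify(text):
    """Map each domain in the dig output to a fast-flux verdict."""
    return {d: is_fast_flux(fast_flux_stats(e))
            for d, e in parse_a_records(text).items()}
```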

Stock Spam

Tuesday, June 17. 2008
Pump and dump schemes for penny stocks based on spam mails were quite common in the years 2006 and 2007. Nowadays, however, it seems like these schemes are over and I receive such mails only very rarely. One recent example of such a scam mail is:
Now see for yourself.

Corporation: Angstrom Microsystems
Symbol OTCBB: agms
Suggested: Buy/hold
Monday close : .400
Shares traded: 331,485

Excellent release last week and investors are noticing and volume is up.

This is the beginning of great things, sales are up and deployment is increasing Angstrom Microsystems will blow you away.

Move before it's too late, obtain this stock NOW.

Please note that I modified the mail text to increase readability.
Such schemes work in practice, and spam mails can actually influence the stock market, as we showed in a study. This works because the quote of a penny stock can be influenced with a relatively low number of trades.

Recently Sophos blogged about a spam campaign in which the mails contained a text about the downtime of Amazon. They theorized that these spam mails are used for shorting the Amazon stock in Short and Distort scams. I doubt that this is true - especially given the fact that more than five million Amazon stocks are traded per day...

Mail Problems

Thursday, June 5. 2008
The mail server of our university is down since more than two days (sic!). I'm wondering how many mails I have lost up to now and what kind of interesting information did not reach me... If you want to reach me, please use the Gmail account. On the other hand: no distracting e-mails and lots of time to write papers. The ACSAC deadline is next Sunday, presumably I have a paper ready until then :)