research

I am excited to announce that the website of our start-up company LastLine, Inc., is now live at http://www.tllod.com. The team behind LastLine is composed of people you know from the International Secure Systems Lab (http://iseclab.org), we are coming from the University of California, Santa Barbara, the Vienna University of Technology (Austria), Eurecom (France), and Ruhr-University Bochum (Germany). We all have extensive expertise in malware analysis and malware countermeasures (see our list of publications) and you might know tools like Anubis or Wepawet that have been developed by us.

LastLine, Inc., provides protection technology that is complementary to existing anti-virus software and firewalls. Our approach is based on cyber crime intelligence that we gather by analyzing millions of suspicious URLs and binaries each day. More precisely, using our advanced malware analysis tools, we pinpoint the exploit servers that are behind drive-by exploits campaigns and the command and control server that manage botnets. These servers constitute the malicious infrastructure that is used by cyber criminals to carry out their attacks.

One of the first product we offer is llweb, a tool that analyzes web sites for the presence of malicious code, such as drive-by download exploits. llweb was developed by the creators of Wepawet and you can find out more about the tool at http://tllod.com/products/llweb. We also offer several other tools and services: llmon is a service that helps organizations to determine if their hosts are used to deliver or control malware. We continuously monitor whether a customer's assets participate in malicious activities, and if so, we provide detailed and early warning so that proper mitigation steps can be initiated. llmon was developed by some of the creators of FIRE. Furthermore, we provide access to the list of IP addresses, domains, and URLs that we identify to be associated with malicious activity on the Internet. Customers can obtain continuously-updated intelligence, which can be leveraged internally to identify compromised hosts or configure network access control mechanisms. You can find more about our products at http://tllod.com/what.

The sixth European Conference on Computer Network Defense (EC2ND) will be held at the Faculty of Electrical Engineering and Computer Science at Berlin Institute of Technology (TU Berlin) on October 28-29, 2010. The conference brings together researchers from academia and industry within Europe and beyond to present and discuss current topics in applied network and systems security. EC2ND 2010 invites submissions presenting novel ideas in the areas of network defense, intrusion detection and systems security.

EC2ND 2010 specifically encourages submissions presenting work at an early stage with the intention to act as a discussion forum for innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results.

Important dates:

• Paper submission deadline: July 2, 2010
• Paper acceptance or rejection: August 6, 2010
• Final paper camera ready copy: August 13, 2010
• Conference dates: October 28-29, 2010

The full Call for Papers is available at http://2010.ec2nd.org/cfp/

Recently, we studied an aspect of the World Wide Web that did not receive a lot of attention yet - the online adult industry. Compared to traditional media, the Internet provides fast, easy, and anonymous access to the desired content. That, in turn, results in a huge number of users accessing pornographic content. To improve the understanding of this part of the Web, we performed a study of the online adult industry. As a result, we provide a detailed overview of the individual actors and roles within the online adult industry, which enables us to better understand the mechanisms with which visitors are redirected between the individual parties and how money flows between them. Furthermore, we examined the security aspects of more than 250,000 adult pages and studied, among other aspects, the prevalence of drive-by download attacks. In addition, we analyzed domain-specific security threats such as disguised traffic redirection techniques, and surveyed the hosting infrastructure of adult sites.

Lastly, we operated two adult web sites on our own. By becoming adult web site operators ourselves, we gained additional insights on unique security aspects in this domain. This enabled us to obtain a deeper understanding of the related abuse potential. We participated in adult traffic trading, and provide a detailed discussion of this unique aspect of adult web sites, including insights into the economical implications, and possible attack vectors that a malicious site operator could leverage. For example, we discovered that a malicious operator could infect more than 20,000 with a minimal investment of about $160. Furthermore, we experimentally show that a malicious site operator could benefit from domain-specific business practices that facilitate click-fraud and mass exploitation. We conclude that many participants of this industry have business models that are based on very questionable practices that could very well be abused for malicious activities and conducting cyber-crime. In fact, we found evidence that this kind of abuse is already happening in the wild.

All details of our study are available in the paper. The paper will be presented at the Ninth Workshop on the Economics of Information Security (WEIS 2010). WEIS will take place on June 7/8 at Harvard University.

Abstract:
The online adult industry is among the most profitable business branches on the Internet, and its web sites attract large amounts of visitors and traffic. Nevertheless, no study has yet characterized the industry’s economical and security-related structure. As cyber-criminals are motivated by financial incentives, a deeper understanding and identification of the economic actors and interdependencies in the online adult business is important for analyzing security-related aspects of this industry.
In this paper, we provide a survey of the different economic roles that adult web sites assume, and highlight their economic and technical features. We provide insights into security flaws and potential points of interest for cyber-criminals. We achieve this by applying a combination of automatic and manual analysis techniques to investigate the economic structure of the online adult industry and its business cases. Furthermore, we also performed several experiments to gain a better understanding of the flow of visitors to these sites and the related cash flow, and report on the lessons learned while operating adult web sites on our own.

This paper was joint work with Gilbert Wondracek, Christian Platzer, Engin Kirda, and Christopher Kruegel, all members of the International Secure Systems Lab. You can get the paper at http://honeyblog.org/junkyard/paper/adultSites-weis2010.pdf.

We recently published a technical report on another project related to social networks. The paper is entitled "Abusing Social Networks for Automated User Profiling" and we focus on automatically collecting information about users based on the information available in different networks.

Imagine that you have a profile on Facebook, on LinkedIn, and on MySpace. Perhaps you do not want to directly link these profiles, for example since you want to have a more serious profile on LinkedIn, while having a more relaxed one on MySpace and Facebook. Thus you use different pseudonym/names on the different profiles and expect that the information can not be correlated. However, there is a problem with that assumption: during the registration on the different networks, you used the same e-mail address. And a social network typically enables a user to search for e-mail addresses in order to find friends (a convenient feature, after all you want to network with your friends). An attacker can thus go ahead and search on each network for a given e-mail address, scrape the profile related to that address, and then correlate the information found on different network. At the end, an attacker can thus enrich a given e-mail address with information collected on different social networks.

An attacker can not only search for one e-mail address at a time, but typically for hundreds or even thousands. And he can not only do this once, but thousands of times per day. For example, we were able to check about 10 million e-mail addresses on Facebook per day. A spammer could use this "feature" to verify e-mail addresses by using Facebook as an oracle to determine whether or not a given e-mail address is valid. Furthermore, the correlation aspect is of course also a privacy problem since an attacker can find "hidden" information and correlate information across different networks.

We have contacted different social networks. Facebook and XING have already addressed the problem - thanks a lot!

Abstract:
Recently, social networks such as Facebook have experienced a huge surge in popularity. The amount of personal information stored in these sites calls for appropriate security precautions to protect this data.
In this paper, we describe how we are able to take advantage of a common weakness, namely the fact that an attacker can query the social network for registered e-mail addresses on a large scale. Starting with a list of about 10.4 million email addresses, we were able to automatically identify more than 1.2 million user profiles associated with these addresses. By crawling these profiles, we collect publicly available personal information about each user, which we use for automated profiling (i.e., to enrich the information available from each user).
Finally, we propose a number of mitigation techniques to protect the user’s privacy. We have contacted the most popular providers, who acknowledged the threat and are currently implementing our countermeasures. Facebook and XING in particular have recently fixed the problem.

The technical report is available at http://www.iseclab.org/papers/socialabuse-TR.pdf and it was joint work with Marco Balduzzi, Christian Platzer, Engin Kirda, Davide Balzarotti, and Christopher Kruegel.

At the International Secure Systems Lab, we have developed a couple of services like Anubis, Wepawet, or FIRE. Lately, we have worked on a mechanism to detect spammers on Twitter, a popular microblogging service. We have developed several heuristics to detect spamming profiles, and have already reported thousands of these profiles to Twitter, who then shut down these profiles. Now we have created a profile to which users can flag spammers on Twitter: the flagged accounts are added to our database, allowing us to detect profiles from campaigns we did not observe before.

The profile is @spamdetector, and the messages it accepts are of the format

"@spamdetector @spamaccount"

Whenever you see a suspicious account, you can simply send us a notification and our system will check if this account is likely a spammer or not. This helps us to improve our heuristics, and we can help Twitter to shut down suspicious profiles, leading to a better service.

This work was carried out by Gianluca Stringhini, a PhD student at University of California, Santa Barbara, working as research assistant at the Computer Security lab. And you can find my tweets at @thorstenholz.