honeyblog - honeynets

Observing Malware Outbreaks with Honeypots

nospam@example.com (Thorsten Holz) — Sat, 26 Jul 2008 13:05:00 +0200

Low-interaction honeypots like Nepenthes or Amun are good at capturing autonomous spreading malware that propagates via exploiting vulnerabilities in network services: by emulating specific vulnerabilities, these honeypots trick malware into exploiting the honeypot and we can capture a copy of the malware.
These honeypots also allow us to observe outbreaks of new malware samples: since quite many people run Nepenthes or Amun nowadays and also send the samples to cwsandbox.org for automated malware analysis, we can correlate the submissions of many different sensors at a central location. For example, we received the malware sample with MD5 sum cb032b12af742555e60124f6d7d2d2ea from a total of 57 different sensor at the timestamps depicted below:



Timestamp               Filename

2008-01-10 19:36:25     grospolinacb032b12af742555e60124f6d7d2d2eauLa1AA

2008-01-10 22:11:47     nepenthescb032b12af742555e60124f6d7d2d2easBj96A

2008-01-11 00:03:32     nepenthescb032b12af742555e60124f6d7d2d2easm4aaA

2008-01-11 00:18:58     nepenthescb032b12af742555e60124f6d7d2d2eaA

2008-01-11 00:22:22     nepenthescb032b12af742555e60124f6d7d2d2eayK4gcQ

2008-01-11 00:22:56     nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA

2008-01-11 00:34:36     nepenthescb032b12af742555e60124f6d7d2d2eaf92wA

2008-01-11 00:44:56     nepenthescb032b12af742555e60124f6d7d2d2eaBmLfOg

2008-01-11 00:45:09     nepenthescb032b12af742555e60124f6d7d2d2eagv4WoQ

2008-01-11 00:53:59     nepenthescb032b12af742555e60124f6d7d2d2eaOewZcA

2008-01-11 01:11:01     nepenthescb032b12af742555e60124f6d7d2d2eaQANtUA

2008-01-11 01:56:59     nepenthescb032b12af742555e60124f6d7d2d2eaeEtIA

2008-01-11 04:48:11     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-01-11 05:32:44     nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA

2008-01-11 06:35:31     nepenthescb032b12af742555e60124f6d7d2d2eaf0fA

2008-01-11 08:21:13     nepenthescb032b12af742555e60124f6d7d2d2eaze0fA

2008-01-11 08:49:09     nepenthescb032b12af742555e60124f6d7d2d2eaSu4fA

2008-01-11 09:25:49     nepenthescb032b12af742555e60124f6d7d2d2eaanj2kA

2008-01-11 09:41:40     nepenthescb032b12af742555e60124f6d7d2d2eaJ8ZcA

2008-01-11 12:00:10     cb032b12af742555e60124f6d7d2d2ea

2008-01-11 13:42:14     nepenthescb032b12af742555e60124f6d7d2d2ea1E4a6A

2008-01-11 14:15:43     nepenthescb032b12af742555e60124f6d7d2d2eaSHkgA

2008-01-11 14:37:06     grospolinacb032b12af742555e60124f6d7d2d2eamKgfA

2008-01-11 14:38:37     nepenthescb032b12af742555e60124f6d7d2d2eabGhXGQ

2008-01-11 18:30:29     nepenthescb032b12af742555e60124f6d7d2d2eaMPofKg

2008-01-11 18:39:25     nepenthescb032b12af742555e60124f6d7d2d2eaGSGoWQ

2008-01-11 20:33:26     nepenthescb032b12af742555e60124f6d7d2d2eab0fA

2008-01-12 04:19:46     nepenthescb032b12af742555e60124f6d7d2d2eauJQiA

2008-01-12 12:12:12     nepenthescb032b12af742555e60124f6d7d2d2eaGDoqMQ

2008-01-12 14:32:15     nepenthescb032b12af742555e60124f6d7d2d2eaSIUgA

2008-01-13 20:37:45     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-01-14 17:38:54     nepenthescb032b12af742555e60124f6d7d2d2eaQ8fA

2008-01-14 22:26:54     grospolinacb032b12af742555e60124f6d7d2d2ea2rqiGw

2008-01-15 06:27:12     nepenthescb032b12af742555e60124f6d7d2d2eaM0sA

2008-01-15 09:32:40     nepenthescb032b12af742555e60124f6d7d2d2eaM0sA

2008-01-18 10:20:58     nepenthescb032b12af742555e60124f6d7d2d2eaKEuA

2008-01-19 02:10:38     nepenthescb032b12af742555e60124f6d7d2d2eagfofkA

2008-01-20 05:37:39     nepenthescb032b12af742555e60124f6d7d2d2eaxeoZcA

2008-01-25 09:43:36     nepenthescb032b12af742555e60124f6d7d2d2eaLvAfA

2008-01-29 15:36:08     nepenthescb032b12af742555e60124f6d7d2d2eaBxofsA

2008-01-29 20:47:39     nepenthescb032b12af742555e60124f6d7d2d2eaJ00A

2008-02-01 18:48:12     nepenthescb032b12af742555e60124f6d7d2d2eaEcoA

2008-02-02 12:24:22     nepenthescb032b12af742555e60124f6d7d2d2eawcUgLg

2008-02-02 19:35:56     cb032b12af742555e60124f6d7d2d2ea

2008-02-07 13:59:24     cb032b12af742555e60124f6d7d2d2ea.dat

2008-02-08 15:48:30     nepenthescb032b12af742555e60124f6d7d2d2eaGfoWA

2008-02-14 14:14:03     cb032b12af742555e60124f6d7d2d2eacb032b12af742555...2ea

2008-02-21 14:20:01     nepenthescb032b12af742555e60124f6d7d2d2eaWN0fA

2008-02-28 16:56:53     nepenthescb032b12af742555e60124f6d7d2d2eaoexA

2008-03-03 15:15:39     nepenthescb032b12af742555e60124f6d7d2d2eaA

2008-03-11 02:56:00     nepenthescb032b12af742555e60124f6d7d2d2eaAfA

2008-03-14 11:11:51     nepenthescb032b12af742555e60124f6d7d2d2eaJgfA

2008-03-15 17:31:37     nepenthescb032b12af742555e60124f6d7d2d2eaGGYnA

2008-03-20 10:55:43     nepenthescb032b12af742555e60124f6d7d2d2eacb032b1...2ea

2008-03-20 17:05:07     nepenthescb032b12af742555e60124f6d7d2d2eaoflA

2008-03-31 12:12:02     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-04-07 07:06:12     nepenthescb032b12af742555e60124f6d7d2d2eaxMUg3A

2008-04-08 02:37:22     cb032b12af742555e60124f6d7d2d2ea

Each timestamp depicts the first point in time where the specific sensor captured a copy of the malware. As you can see, the malware outbreak happened presumably at January 10, 2008. From then on, honeypot sensors all around the world captured a copy of this specific bot. The CWSandbox report contains more detailed information about the botnet, e.g.:

The bot creates a file named C:\WINDOWS\system32\explorer.exe, which is a copy of itself

It creates a run key for the Windows registry such that the bot is started again after a reboot

The C&C server is located at the IP address 67.43.232.36 and listens on the TCP port 8080

C&C channel is #wawa and the command issued by the botmaster at the time of analysis is: ipscan s.s.s dcom2 -f -s

Fast-Flux Data

nospam@example.com (Thorsten Holz) — Wed, 16 Jul 2008 23:57:00 +0200

Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed at my side, we decided to simply publish all the data such that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:

storm-qavoter.com.log: dig lookups for domain used by the Storm Worm botnet which uses fast-flux techniques

asprox-damnec-hydra.log: dig lookups for Asprox/Damnec botnet which also uses fast-flux techniques

lookups-ff: dig lookups for fast-flux domains, confirmed manually

lookups-spam: dig lookups for various domains found in spam e-mails

lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa

lookups-ndss: part of the domains used for the NDSS paper

lookups-ndss-ff: suspected fast-flux domains from NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)

Survival of the Fittest

nospam@example.com (Thorsten Holz) — Mon, 14 Jul 2008 20:47:00 +0200

The Internet Storm Center blogged about the Survival Time on the Internet today. The survival time is defined as:

The survivaltime is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.
The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer 'survival time'. On the other hand, University Networks and users of high speed internet services are frequently targeted with additional scans from malware like bots. If you are connected to such a network, your 'survival time' will be much smaller.
The main issue here is of course that the time to download critical patches will exceed this survival time.

With the help of honeypots, we can measure the survival time. For example, we can use low-interaction honeypot such as nepenthes or amun that emulate common network-based vulnerabilities and deploy them at different locations. The average time it takes to download the first binary is an estimation of the survival time: The honeypots emulate known vulnerabilities and are thus exploited by different kinds of autonomous spreading malware - similar to an unpatched system. At our lab, we deployed ten honeypots in different network ranges and measured different things as I'll explain with the following graphs. These are all based on measurements between August 2007 and July 2008.

This plot shows the total number of attacks (blue) and of downloads (red) per sensor for the measurement period. We see that there are huge differences depending on the network location (e.g., whether or not the ISP filters specific ports). Furthermore, not all attacks are successful and we also observed quite a lot failed attacks.

This plot shows the percentage of attacks (red) and downloads (blue) per time of day. We can observe a clear diurnal pattern: lower attack volume during the night and higher attack volume during the day, following the typical behavior of humans.

This plot shows the attacks (blue) and the downloads (red) per weekday for all sensors during the measurement period. The values are given in percentage of the sum of all attacks/downloads over the chosen period of time. The attack traffic is slightly higher during the weekends.

Another interesting observation is whether or not the attacks originate from the same ASN as the honeypot as depicted in the above picture. The figure shows the percentage of attacks coming from the same ISP as the honeypot, e.g., for sensor 1, about 90% of the attacks originate from machines within the same autonomous system. The graph can be interpreted as many attacks being local - which makes sense since autonomous spreading malware often prefers to propagate locally. In some ASNs, however, it seems like most attacks originate from other ASNs.

Finally, this graph shows an estimation of the survival time: The graph shows the average amount of time for the honeypot to be attacked successfully. Red bars are honeypots with a static IP address, thus we have only one measurement point for these honeypots. For the blue bars, each honeypot had a dynamic IP address, e.g., a disconnect every 24 hours. The bar depicts the average time from obtaining a new DHCP lease to first download which can be interpreted as the time it would take for an unpatched system to be compromised. Compared to the survival time from the Internet Storm Center which is currently below five minutes, we measure a higher survival time. However, the time is still short and you need to patch a system before taking it online.

More information and many more graphs are available in the thesis from Laura Itzel (unfortunately in German only).

Update: I updated the description of the fourth figure to explain it a bit better for non-German speaking readers.

Sicherheit'08: "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients"

nospam@example.com (Thorsten Holz) — Sun, 6 Jul 2008 19:55:00 +0200

Back in April, our paper on low-interaction, client-side honeypots entitled "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients" was published at Sicherheit'08, the main security conference for the German speaking community. The paper presents a client-side honeypot that can be used to detect malicious web sites. The basic idea is to use the crawler Heritrix to download content efficiently and then analyze the downloaded content with different means, e.g., AV scanners, CWSandbox, or other tools. To our surprise, the paper won the best paper award of the conference :-)

Abstract:
Client-side attacks are on the rise: malicious websites that exploit vulnerabilities in the visitor’s browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. In this work, we introduce the Monkey-Spider project. Utilizing it as a client honeypot, we portray the challenge in such an approach and evaluate our system as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild. Furthermore, we evaluate the system by analyzing different crawls performed during a period of three months and present the lessons learned.

The full paper is now also available for download and the software is published at SourceForge: http://monkeyspider.sourceforge.net/. The software is released under the terms of GPLv3 and the maintainer is Ali Ikinci (ali at ikinci dot info).

WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web"

nospam@example.com (Thorsten Holz) — Fri, 4 Jul 2008 10:32:00 +0200

The 7th Workshop on the Economics of Information Security (WEIS'08) took place last week at Dartmouth College's Tuck School of Business. Several interesting papers like "Security Economics and European Policy", "Do Data Breach Disclosure Laws Reduce Identity Theft?", or "The Impact of Incentives on Notice and Take-down" were presented during the workshop. Our paper entitled "Studying Malicious Websites and the Underground Economy on the Chinese Web" deals with several aspects of the underground economy within China's part of the World Wide Web. Amongst other techniques, we use client-side honeypots to study malicious websites.

Abstract:
The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant amount of websites within China’s part of the Web contain some kind of malicious content: our measurements reveal that about 1.49% of the examined sites contain malicious content that tries to attack the visitor’s browser.

The paper is a collaboration with several researchers from China (Jianwei Zhuge, Chengyu Song, Jinpeng Guo, Xinhui Han, and Wei Zou) and a revised version of our technical report on the same topic. The full version of the paper is now available.

Continue reading "WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web""

Good ol' #CCpower

nospam@example.com (Thorsten Holz) — Fri, 6 Jun 2008 00:06:00 +0200

A few weeks ago, one of our honeypots was hacked and the attacker installed an IRC bouncer on the machine. Nothing too spectacular, but nevertheless interesting since we can then observe how the attackers communicate with each other and what channels they use. The interesting part is that the attackers joined one of the well-known carding channels, in which credit card infos, Paypal accounts, PINs, and other stolen information is traded. Here a small excerpt, the full dump is many megabytes in size:

- DonDax SELLING Selling USA/Europe VISA/MC DUMPS ,BANKS(halifax,HSBC etc ),Fulls(PIN,DOB,SSN),Paypals(email),EGOLD, and Cvv2's(worldwide). No ripping and NO TESTS. - Hicks Cashout WESTERN UNION on UK LONDON / GREECE- ATHEENS !!! - Hicks Selling dumps+pin new ones every week and FULLS ALSO !!! - JuanesXloT Scot Epic partea ta 50% !! DE asemenea scot conturi caja madrid partea ta 50% ! Caut spammer bun sa fim parteneri am eu scamuri partea ta 50% ! Sau daca ai tu carduri care merg facute cu 1010000... si merg scoase - M3ster Daca doresti sa-ti achizitionezi un RooT de :scan / flood / pagina / emech / psybnc sau poate un remote desktop, Shell , sau poate vrei un site, Ofer Hosting, cc / paypal / spam /drone /boti , Tot ce trebuie sa - Maka` I need email list all country big file on email list like 500 mb 1-2 gb if you have prv me - d3x SELLING EU DUMPS WITH PIN [TRACK1/TRACK2+PIN] || PAYPAL ACCOUNTS WITH GOOD BALANCE [VERIFIED/UNVERIFIED] || FULLZ AND CVV2 [US/EU] || DONT WASTE MY TIME OR I WILL IGNORE YOU || FOR DEAL ICQ : 436306694 - traxpro Selling USA/Worldwide VISA/MC dumps from hotels. Natural track. Various bins are available. Offering tutorials, software and other additional info for all my clients. - traxpro Spamming for HSBC, Halifax, CIBC. e-trade bank logins. Selling UK, USA, Swedish, Australian cvvs. - Selling CVV, Checked and Verified 5$ each, E-gold and WU(for bigger orders) Accepted - Charleskj Am Nevoie De Un Php Mailer Uplodat Care Trimite Inbox , Cine Are Prv Me , Pot Oferi Multe / Need A Php Mailer Uploated That Sends Inbox , Who Have Please Prv Me , Can Offer Many Things !!!

Different people offer a diverse set of stolen credentials, which can then be abused - quite interesting to observe all the trading activity (although we can only see the advertisements and not the actual trades). Last year, Franklin et al. published a study entitled "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants". In this paper, the authors present an analysis of 13 million public IRC messages obtained from several networks and channels, collected over a 7 month period. The particular channel we observed is one of them - time for some analysis to validate their measurements...

New Capture-HPC release

nospam@example.com (Thorsten Holz) — Sun, 30 Mar 2008 23:44:43 +0200

A tool announcement:

The Honeynet Project and School of Mathematics, Statistics and Computer Science at Victoria University of Wellington have just released version 2.1 of Capture-HPC, a tool that is able to find and investigate the increasing problem of client-side computer attacks. This new software release increases the features and speeds performance allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from the main Honeynet Project web site at: https://projects.honeynet.org/capture-hpc/wiki. It is written and distributed under the GNU General Public License, v2.

Capture-HPC is a computer security product that allows anyone to: investigate client-side computer attacks; security researchers to find and study malicious servers; virus and malware researchers to collect malware pushed by malicious servers; network administrators to monitor their systems for client-side attacks; and web site operators to monitor their web sites for unauthorized modifications with client-side attack code.

Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

nospam@example.com (Thorsten Holz) — Fri, 11 Jan 2008 09:43:56 +0100

Together with a few researchers from the Chinese Honeynet Project, we published a paper about capturing autonomous spreading malware with high-interaction honeypots at the 9th International Conference on Information and Communications Security (ICICS 2007) which is now available.

Abstract: Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.

Keywords: Honeypots - Intrusion Detection Systems - Malware

Full Paper: Collecting Autonomous Spreading Malware Using High-Interaction Honeypots (LNCS 4861)

Honeywall CDROM 1.3 beta Published

nospam@example.com (Thorsten Holz) — Thu, 3 Jan 2008 16:48:16 +0100

After several months of development, a new version of the Honeywall is available: The Honeywall CDROM is a bootable CD that installs onto a hard drive and comes with all the tools and functionality for you to implement data capture, control, and analysis.

You can get the ISO image for testing here: http://www.honeynet.org/tools/cdrom/roo/iso/test/roo-1.3.hw-b1.iso

More information about the Honeywall development is available at the public Trac reachable via https://projects.honeynet.org/honeywall

Amun Honeypot

nospam@example.com (Thorsten Holz) — Tue, 11 Dec 2007 11:03:54 +0100

Today, Jan Göbel released his tool Amun. The tool is similar to nepenthes and designed to collect samples of autonomous spreading malware. The basic idea is to simulate vulnerable network service and trick an incoming exploitation attempt into thinking that the honeypot is a real system.

Amun is implemented in Python and thus it is quite easy to add additional vulnerability modules. The tool can be downloaded via http://zero.ram.rwth-aachen.de/amun/download.php.

Storm Worm Potpourri

nospam@example.com (Thorsten Holz) — Thu, 6 Dec 2007 08:53:08 +0100

Storm Worm was quiet in the last few days, nothing really exiting happened at the honeypots infected with the bot. Many of the spam mails sent by the bot are stock spam messages which advertise a certain stock. An example of an attachment sent some time ago is Complaint.pdf which advertizes Score One Inc. (SREA.OB), a small company traded over the counter.

Many of the fast-flux domains used by Storm Worm are currently non-functional, only two seem to resolve:

$ dig yxbegan.com



; <<>> DiG 9.4.1-P1 <<>> yxbegan.com

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59661

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 12, ADDITIONAL: 0



;; QUESTION SECTION:

;yxbegan.com.                   IN      A



;; ANSWER SECTION:

yxbegan.com.            0       IN      A       74.134.155.14



;; AUTHORITY SECTION:

yxbegan.com.            172800  IN      NS      ns13.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns2.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns3.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns4.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns5.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns6.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns7.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns8.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns9.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns10.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns11.yxbegan.com.

yxbegan.com.            172800  IN      NS      ns12.yxbegan.com.



;; Query time: 4376 msec

;; SERVER: X.X.X.X#53(X.X.X.X)

;; WHEN: Thu Dec  6 08:59:53 2007

;; MSG SIZE  rcvd: 265

In consecutive lookups, always a new A record is returned:

yxbegan.com.            0       IN      A       69.224.113.183

yxbegan.com.            0       IN      A       123.215.78.167

yxbegan.com.            0       IN      A       168.188.56.76

yxbegan.com.            0       IN      A       220.129.76.210

yxbegan.com.            0       IN      A       59.23.185.81

More info to follow :)

Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web

nospam@example.com (Thorsten Holz) — Tue, 4 Dec 2007 08:16:00 +0100

Together with the researchers from the Chinese Honeynet Project, we also examined the extend of malicious websites on the Chinese Web. Using high- and low-interaction honeyclients, we were able to find about 2,500 sites (1,49% of overall examined sites) that tried to compromise an unpatched system. Furthermore, we also studied the underground black market which is used to trade exploits, malware, and stolen virtual goods. Several measurements provide an insight into the black market on the Chinese Web and show that the attackers are organized pretty well. We published our findings as a technical report to share the lessons we learned.

Abstract:

The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proofs that a significant amount of websites within China's part of the Web are malicious: our measurements reveal that about 1.49% of the examined sites contain some kind of malicious content.

The complete report is available as TR-2007-011.

Technical Report: Characterizing the IRC-based Botnet Phenomenon

nospam@example.com (Thorsten Holz) — Mon, 3 Dec 2007 14:02:00 +0100

Together with a few researchers from China, we studied IRC-based botnets in order to understand the extent of this phenomenon. Using different kinds of honeypots and several sensors deployed across different regions in China, we were able to collect thousands of bot binaries. With the help of a behavior-based analysis mechanism similar to CWSandbox, we could extract the Command & Control (C&C) server in an automated way. In a third step, we used this information to connect to the actual C&C server and passively monitored the activity in the channel. Furthermore, we also actively probed the C&C servers to find out other characteristics of these machines. The complete setup and our results are described in a technical report we just published.

Abstract:

Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term easurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area.

Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command & Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

The complete report is available as TR-2007-010. And more information regarding the Chinese Honeynet Project is available at the website of the Artemis Project.

Honeynet Project's Status Report for 2007

nospam@example.com (Thorsten Holz) — Thu, 18 Oct 2007 15:27:17 +0200

The status report of the Honeynet Project for the fiscal year 2007 is online since a couple of days. It contains an overview of what the Honeynet Project has done in the past year, together with links to the status report of each chapter. If you want to know what was done during the last couple of months, this is a good starting point.

Release of Capture-HPC 2.0

nospam@example.com (Thorsten Holz) — Thu, 13 Sep 2007 01:20:27 +0200

Christian Seifert just mailed me and told me about the new release of Capture-HPC. Lots of new features are included in the release, which, hopefully, lowers the bar to get into research about malicious servers as well as expand the possibilities of the research... Here a (partial) list of specific new features:

support for any client application that is http protocol aware (for example, Microsoft Excel)

ability to automatically collect malware

ability to automatically collect network traffic on the client

ability to push exclusion lists from the Capture Server to the Capture Client

improved control of Internet Explorer: obtain HTML error codes; specify visitation delay after page has been retrieved; retry visitation of URLs in case of time outs or network errors, ...

support for plug-in architecture, that allows to create fine grained control of clients (for example, as provided for Internet Explorer), but also allows for integration of client applications that require complex interactions to retrieve content from the web ( e.g. Safari is such an application. It doesn't allow retrieval of web content by passing the URL as a parameter)

The tool and the source code are available from https://www.client-honeynet.org/creleases.html.