honeyblog - paper

SPRING Proceedings

nospam@example.com (Thorsten Holz) — Fri, 8 Aug 2008 18:25:00 +0200

Today the workshop SPRING took place at our lab in Mannheim. SPRING is an annual networking event for junior scientists who work in the area of reactive security. The talks focussed on topics like automated malware clustering, intrusion detection systems that use peer-to-peer techniques, netflow analysis, anomaly detection on smartphones, and more. I organized the workshop, thus I'm happy that it ends in a few minutes :-)

In the next few days, we will upload all slides and also a few pictures taken during the workshop. The proceedings are already available. They contain a short abstract (one page) for each talk and provide an overview of the different topics covered today.

WOOT'08 and HotSec'08

nospam@example.com (Thorsten Holz) — Tue, 29 Jul 2008 12:15:00 +0200

Besides USENIX Security, also two interesting workshops take place this week: 2nd USENIX Workshop on Offensive Technologies (WOOT '08) and 3rd USENIX Workshop on Hot Topics in Security (HotSec '08). Both workshops have an interesting program and the proceedings are an interesting read! My favorite paper picks:

Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods by Stinson and Mitchell (WOOT'08) discusses how existing botnet detection systems like Rishi, BotHunter, BotMiner, and others can be circumvented

Towards Application Security on Untrusted Operating Systems by Ports and Garfinkel (HotSec'08) discusses how malicious behavior in each major OS subsystem can undermine application security and how this threat can possibly be mitigated

There Is No Free Phish: An Analysis of "Free" and Live Phishing Kits by Cova et al. (WOOT'08) analyzes "free" phishing kits like the famous Mr. Brain kits that contain backdoors

Insecure Context Switching: Inoculating Regular Expressions for Survivability by Drewry and Ormandy (WOOT'08) shows how regular expressions can be used in a malicious way, leading to complexity attacks

The full papers will be available a few days after the workshops took place.

USENIX Security'08

nospam@example.com (Thorsten Holz) — Mon, 28 Jul 2008 12:14:00 +0200

This week, the 17th USENIX Security Symposium takes place in San Jose, CA. Unfortunately I can not attend this year :-( But there are many interesting papers you should check out, for example:

All Your iFRAMEs Point to Us by Provos et al. analyzes the threat by malicious iframes injected into websites

Lest We Remember: Cold Boot Attacks on Encryption Keys by Halderman et al. is the paper about the now famous cold boot attack, for which the full source code was released last week by Jacob Appelbaum at The Last HOPE in New York City

CloudAV: N-Version Antivirus in the Network Cloud by Oberheide et al. deals with n-version AV-scanning (basically examining a given sample with n AV-scanners and behavior-analysis tools like CWSandbox or Norman Sandbox), thereby improving detection rates

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection by Gu et al. shows how botnets can be detected by correlating netflow data, finding similar behavior within the network traffic

Hypervisor Support for Identifying Covertly Executing Binaries by Litty et al. introduces a system to detect malicious code with the help of a hypervisor built on top of Xen.

And many others

The full papers will be available a few days after the conference took place. A really good conference this year with an exciting program! Looking forward to attend next year :-)

DIMVA'08 Slides

nospam@example.com (Thorsten Holz) — Tue, 22 Jul 2008 13:56:00 +0200

A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper to the webinterface of cwsandbox.org - stay tuned :)

Fast-Flux Data

nospam@example.com (Thorsten Holz) — Wed, 16 Jul 2008 23:57:00 +0200

Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed at my side, we decided to simply publish all the data such that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:

storm-qavoter.com.log: dig lookups for domain used by the Storm Worm botnet which uses fast-flux techniques

asprox-damnec-hydra.log: dig lookups for Asprox/Damnec botnet which also uses fast-flux techniques

lookups-ff: dig lookups for fast-flux domains, confirmed manually

lookups-spam: dig lookups for various domains found in spam e-mails

lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa

lookups-ndss: part of the domains used for the NDSS paper

lookups-ndss-ff: suspected fast-flux domains from NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)

DIMVA'08: "Learning and Classification of Malware Behavior"

nospam@example.com (Thorsten Holz) — Thu, 10 Jul 2008 10:06:00 +0200

Today and tomorrow DIMVA'08 takes place in Paris. DIMVA'08 is the Fifth Conference on Detection of Intrusions and Malware & Vulnerability Assessment and organized by the special interest group SIDAR of the German Informatics Society (GI).

Our paper entitled "Learning and Classification of Malware Behavior" is a joint work with Konrad Rieck, Carsten Willems, Patrick Düssel, Pavel Laskov, and Felix Freiling. The paper deals with malware classification, i.e., how to automatically learn malware families using labels. We use (noisy) labels by an anti-virus product and then apply machine learning algorithms to classify malware based on execution traces generated with the help of CWSandbox. In an experiment with over 3,000 previously undetected malware binaries, our system correctly predicted almost 70% of labels assigned by an anti-virus scanner four weeks later. Our method also detects unknown behavior, so that malware families not present in the learning corpus are correctly identified as unknown. The analysis of prominent features inferred by our discriminative models has shown interesting similarities between malware families; in particular, we have discovered that Doomber and Gobot worms derive from the same origin, with Doomber being an extension of Gobot - all in an automated way.

Abstract:
Malicious software in form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. The diversity and amount of its variants severely undermine the effectiveness of classical signature-based detection. Yet variants of malware families share typical behavioral patterns reflecting its origin and purpose. We aim to exploit these shared patterns for classification of malware and propose a method for learning and discrimination of malware behavior. Our method proceeds in three stages: (a) behavior of collected malware is monitored in a sandbox environment, (b) based on a corpus of malware labeled by an anti-virus scanner a malware behavior classifier is trained using learning techniques and (c) discriminative features of the behavior models are ranked for explanation of classification decisions. Experiments with different heterogeneous test data collected over several months using honeypots demonstrate the effectiveness of our method, especially in detecting novel instances of malware families previously not recognized by commercial anti-virus software.

The full paper is now available.

Sicherheit'08: "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients"

nospam@example.com (Thorsten Holz) — Sun, 6 Jul 2008 19:55:00 +0200

Back in April, our paper on low-interaction, client-side honeypots entitled "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients" was published at Sicherheit'08, the main security conference for the German speaking community. The paper presents a client-side honeypot that can be used to detect malicious web sites. The basic idea is to use the crawler Heritrix to download content efficiently and then analyze the downloaded content with different means, e.g., AV scanners, CWSandbox, or other tools. To our surprise, the paper won the best paper award of the conference :-)

Abstract:
Client-side attacks are on the rise: malicious websites that exploit vulnerabilities in the visitor’s browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. In this work, we introduce the Monkey-Spider project. Utilizing it as a client honeypot, we portray the challenge in such an approach and evaluate our system as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild. Furthermore, we evaluate the system by analyzing different crawls performed during a period of three months and present the lessons learned.

The full paper is now also available for download and the software is published at SourceForge: http://monkeyspider.sourceforge.net/. The software is released under the terms of GPLv3 and the maintainer is Ali Ikinci (ali at ikinci dot info).

WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web"

nospam@example.com (Thorsten Holz) — Fri, 4 Jul 2008 10:32:00 +0200

The 7th Workshop on the Economics of Information Security (WEIS'08) took place last week at Dartmouth College's Tuck School of Business. Several interesting papers like "Security Economics and European Policy", "Do Data Breach Disclosure Laws Reduce Identity Theft?", or "The Impact of Incentives on Notice and Take-down" were presented during the workshop. Our paper entitled "Studying Malicious Websites and the Underground Economy on the Chinese Web" deals with several aspects of the underground economy within China's part of the World Wide Web. Amongst other techniques, we use client-side honeypots to study malicious websites.

Abstract:
The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant amount of websites within China’s part of the Web contain some kind of malicious content: our measurements reveal that about 1.49% of the examined sites contain malicious content that tries to attack the visitor’s browser.

The paper is a collaboration with several researchers from China (Jianwei Zhuge, Chengyu Song, Jinpeng Guo, Xinhui Han, and Wei Zou) and a revised version of our technical report on the same topic. The full version of the paper is now available.

Continue reading "WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web""

OECD Report on Malware

nospam@example.com (Thorsten Holz) — Wed, 4 Jun 2008 01:17:00 +0200

A few days ago, the OECD published a report entitled "Malicious Software (Malware): A Security Threat to the Internet Economy". It provides a high-level overview of current threats in the area of malware and is a nice read.

Excerpt: "This report, developed in collaboration with experts, aims to inform policy makers about malware impacts, growth and evolution, and countermeasures to combat malware. It seeks to analyse some of the main issues associated with malware and to explore how the international community can better work together to address the problem. Highlights include the following:

Spam has evolved from a nuisance to a vehicle for fraud to a vector for distributing malware. Malware, in the form of botnets, has become a critical part of a self sustaining cyber attack system. The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay "below the radar" of the security and law enforcement communities.

The effectiveness of current security technologies and other protections in detecting and containing malware is challenged by the shrinking of the time between the discovery of vulnerabilities in software products and their exploitation.

[...]

Current response and mitigation are mainly reactive. There is a need for more structured and strategic co-ordination at national and international levels with involvement of all actors to more adequately assess and mitigate the risk of malware.

No single entity has a global understanding of the scope, trends, development and consequences of malware and thus the overall malware problem is difficult to quantify. Data on malware are not consistent and terminology for cataloguing and measuring the occurrence of malware is not harmonised.

Although its economic and social impacts may be hard to quantify, malware used directly or indirectly can harm critical information infrastructures, result in financial losses, and plays a role in the erosion of trust and confidence in the Internet economy."

A similar report was published a few months ago by ENISA: "Security Economics and The Internal Market" (Authors: R. Anderson, R. Böhme, R. Clayton, and T. Moore) - definitely worth reading!

LEET'08: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm

nospam@example.com (Thorsten Holz) — Fri, 11 Apr 2008 11:24:41 +0200

Next week at the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08), I will present our work on Storm Worm and the measurement results. The full paper is now available. See you at LEET next week!

Abstract:
Botnets, i.e., networks of compromised machines under a common control infrastructure, are commonly controlled by an attacker with the help of a central server: all compromised machines connect to the central server and wait for commands.

However, the first botnets that use peer-to-peer networks for remote control of the compromised machines appeared in the wild recently. In this paper, we introduce a methodology to analyze and mitigate peer-to-peer botnets. In a case study, we examine in detail the Storm Worm botnet, the most wide-spread peer-to-peer botnet currently propagating in the wild. We were able to infiltrate and analyze in-depth the botnet, which allows us to estimate the total number of compromised machines. Furthermore, we present two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet and evaluate the effectiveness of these mechanisms.

SSAC Advisory on Fast Flux Hosting and DNS

nospam@example.com (Thorsten Holz) — Thu, 13 Mar 2008 08:31:00 +0100

The Security and Stability Advisory Committee (SSAC) of ICANN released an advisory regarding "Fast Flux Hosting and DNS", in which they detail ICANN's view of FFSNs. Thanks Jose for the heads-up!

Introduction

"Fast flux" is an evasion technique that cyber-criminals and Internet miscreants use to evade identification and to frustrate law enforcement and anticrime efforts aimed at locating and shutting down web sites used for illegal purposes. Fast flux hosting is an application of technology that supports a wide variety of cyber-crime activities (fraud, identity theft, online scams) and is considered one of the most serious threats to online activities today. Basic fast flux hosting uses rapid modification of IP addresses associated with a system that hosts a malicious activity to evade detection and take down efforts. This technique is also used to rapidly modify the IP addresses of the name servers that resolve the domain names of the fluxed malicious hosts (this variant is sometimes called NS fast flux). A particularly troublesome variant of fast flux hosting, "double flux", fluxes addresses of both name servers and malicious (web server) hosts.

This Advisory describes the technical aspects of fast flux hosting and fast flux service networks. It explains how the DNS is exploited to abet criminal activities that employ fast flux hosting, identifying the impacts of fast flux hosting, and calling particular attention to the way such attacks extend the malicious or profitable lifetime of the illegal activities conducted using these fast flux techniques. It describes current and possible methods of mitigating fast flux hosting at various points in the Internet. The Advisory discusses the pros and cons of these mitigation methods, identifies those methods that SSAC considers practical and sensible, and recommends that appropriate bodies consider policies that would make the practical mitigation methods universally available to registrants, ISPs, registrars and registries (where applicable for each).

NDSS'08 Presentation

nospam@example.com (Thorsten Holz) — Wed, 12 Mar 2008 09:02:00 +0100

Yesterday I forgot to post the link to my presentation :-/
The presentation I gave at NDSS'08 is available at http://honeyblog.org/junkyard/paper/08_ff_NDSS.pdf. If you have comments or questions, please let me know!

"Measuring and Detecting Fast-Flux Service Networks"

nospam@example.com (Thorsten Holz) — Tue, 11 Mar 2008 16:42:22 +0100

One of the projects at our lab focuses on fast-flux service networks (FFSNs), a mechanism used by attackers to build an overlay network on top of compromised machines. FFSNs are for example used to host scam pages or malicious content. Our findings were published in a paper at NDSS'08. The full paper is also available since a couple of weeks.

Abstract:
We present the first empirical study of fast-flux service networks (FFSNs), a newly emerging and still not widely-known phenomenon in the Internet. FFSNs employ DNS to establish a proxy network on compromised machines through which illegal online services can be hosted with very high availability. Through our measurements we show that the threat which FFSNs pose is significant: FFSNs occur on a worldwide scale and already host a substantial percentage of online scams. Based on analysis of the principles of FFSNs, we develop a metric with which FFSNs can be effectively detected. Considering our detection technique we also discuss possible mitigation strategies.

Full paper

Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

nospam@example.com (Thorsten Holz) — Fri, 11 Jan 2008 09:43:56 +0100

Together with a few researchers from the Chinese Honeynet Project, we published a paper about capturing autonomous spreading malware with high-interaction honeypots at the 9th International Conference on Information and Communications Security (ICICS 2007) which is now available.

Abstract: Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.

Keywords: Honeypots - Intrusion Detection Systems - Malware

Full Paper: Collecting Autonomous Spreading Malware Using High-Interaction Honeypots (LNCS 4861)

Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web

nospam@example.com (Thorsten Holz) — Tue, 4 Dec 2007 08:16:00 +0100

Together with the researchers from the Chinese Honeynet Project, we also examined the extend of malicious websites on the Chinese Web. Using high- and low-interaction honeyclients, we were able to find about 2,500 sites (1,49% of overall examined sites) that tried to compromise an unpatched system. Furthermore, we also studied the underground black market which is used to trade exploits, malware, and stolen virtual goods. Several measurements provide an insight into the black market on the Chinese Web and show that the attackers are organized pretty well. We published our findings as a technical report to share the lessons we learned.

Abstract:

The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proofs that a significant amount of websites within China's part of the Web are malicious: our measurements reveal that about 1.49% of the examined sites contain some kind of malicious content.

The complete report is available as TR-2007-011.