<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule">
<channel>
    <title>honeyblog - malware</title>
    <link>http://honeyblog.org/</link>
    <description>A blog on honeypots, honeynets, and more...</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.3.1-1 - http://www.s9y.org/</generator>
    <managingEditor>thorsten.holz@gmail.com</managingEditor>
<pubDate>Tue, 02 Mar 2010 21:29:00 GMT</pubDate>

    <image>
        <url>http://honeyblog.org/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: honeyblog - malware - A blog on honeypots, honeynets, and more...</title>
        <link>http://honeyblog.org/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>Waledac Infection Check</title>
    <link>http://honeyblog.org/archives/53-Waledac-Infection-Check.html</link>
            <category>admin</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/53-Waledac-Infection-Check.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=53</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=53</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a href=&quot;http://twitter.com/sqrtsben&quot;&gt;Ben Stock&lt;/a&gt; has implemented a web service to check a given IP address for infection with Waledac, similar to the &lt;a href=&quot;http://www.confickerworkinggroup.org/infection_test/cfeyechart.html&quot;&gt;Conficker Eye Chart&lt;/a&gt;. The idea is that we are currently tracking Waledac as part of the take-down effort and thus have a pretty good overview of the individual bots within the botnet. Therefore we are in a position to determine whether we have seen a given IP address as a bot in the recent past, which indicates that this IP address might be related to a Waledac infection. Of course, effects like NAT or DHCP need to be taken into account: if an IP address is not listed, this does not necessarily mean that you are not infected. &lt;br /&gt;
&lt;br /&gt;
The check is available at &lt;a href=&quot;http://mwanalysis.org/waledac/&quot;&gt;http://mwanalysis.org/waledac/&lt;/a&gt;; feedback is welcome!&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Tue, 02 Mar 2010 22:29:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/53-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Waledac Takedown Successful</title>
    <link>http://honeyblog.org/archives/52-Waledac-Takedown-Successful.html</link>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/52-Waledac-Takedown-Successful.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=52</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=52</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    A few weeks ago, I blogged about our paper &quot;&lt;a href=&quot;http://honeyblog.org/archives/44-Walowdac-Analysis-of-a-Peer-to-Peer-Botnet.html&quot;&gt;Walowdac – Analysis of a Peer-to-Peer Botnet&lt;/a&gt;&quot;. The paper provides an overview of the &lt;a href=&quot;http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fWaledac&quot;&gt;Waledac&lt;/a&gt; &lt;a href=&quot;http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf&quot;&gt;botnet&lt;/a&gt; and its specific aspects compared to Storm Worm and similar peer-to-peer botnets. The paper also contains some measurement results for the botnet, like the typical number of online bots and similar statistics.&lt;br /&gt;
&lt;br /&gt;
In the last couple of days, the situation changed a bit: we worked on an active takedown of the botnet together with experts from Microsoft, Shadowserver, the University of Mannheim, University of Bonn, University of Washington, Symantec and others. The operation is known within Microsoft as &quot;Operation b49&quot; and involved domain takedowns and additional technical countermeasures. Microsoft also did some fantastic work on the legal side; the complaint filed by Microsoft (&quot;&lt;a href=&quot;http://www.microsoft.com/presspass/events/rsa/docs/Complaint.pdf&quot;&gt;Microsoft Corporation v. John Does 1-27, et al.&lt;/a&gt;&quot;) is available online. As a result, the communication infrastructure of Waledac has been disrupted to a certain extent and the botmaster effectively cannot send commands to the bots. The &lt;a href=&quot;http://www.sudosecure.net/waledac/index.php&quot;&gt;Waledac Tracker&lt;/a&gt; by &lt;a href=&quot;http://www.sudosecure.net/&quot;&gt;sudosecure.net&lt;/a&gt; also shows a nice decline in the number of bots over the last few days. Note, however, that the infected machines are still up and running, so some clean-up on that side is still necessary...&lt;br /&gt;
&lt;br /&gt;
You can read more about the story in a blog post by Microsoft: &quot;&lt;a href=&quot;http://microsoftontheissues.com/cs/blogs/mscorp/archive/2010/02/24/cracking-down-on-botnets.aspx&quot;&gt;Cracking Down on Botnets&lt;/a&gt;&quot;. And I will update the blog with new information once we start to analyze the collected data...&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 25 Feb 2010 15:57:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/52-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Data Set For Malware Clustering/Classification</title>
    <link>http://honeyblog.org/archives/50-Data-Set-For-Malware-ClusteringClassification.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/50-Data-Set-For-Malware-ClusteringClassification.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=50</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=50</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    About one month ago I blogged about our research on &lt;a href=&quot;http://honeyblog.org/archives/42-Automatic-Analysis-of-Malware-Behavior-using-Machine-Learning.html&quot;&gt;malware clustering and classification&lt;/a&gt;. We have now also released the full data set from our experiments, so that other people can reproduce the results and compare our approach to theirs. You can find all information at &lt;a href=&quot;http://pi1.informatik.uni-mannheim.de/malheur/&quot;&gt;http://pi1.informatik.uni-mannheim.de/malheur/&lt;/a&gt;, together with a description of the different data.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Quick overview of the data&lt;/em&gt;:&lt;br /&gt;
&lt;blockquote&gt;Our reference data set is extracted from our large database of malware binaries maintained at &lt;a href=&quot;http://cwsandbox.org&quot;&gt;CWSandbox&lt;/a&gt;. The malware binaries have been collected over a period of three years from a variety of sources. From the overall database, we select binaries which have been assigned to a known class of malware by the majority of six independent anti-virus products. We append the overall anti-virus label to the filename of each report. Although anti-virus labels suffer from inconsistency, we expect the selection using different scanners to be reasonably consistent and accurate. To compensate for the skewed distribution of classes, we discard classes with less than 20 samples and restrict the maximum contribution of each class to 300 binaries. The selected malware binaries are then executed and monitored using CWSandbox, resulting in a total of 3.133 behavior reports in MIST format. &lt;br /&gt;
&lt;br /&gt;
The application data set consists of seven chunks of malware binaries obtained from the anti-malware vendor Sunbelt Software. The binaries correspond to malware collected during seven consecutive days in August 2009 and originate from a variety of sources. Sunbelt Software uses these very samples to create and update signatures for their VIPRE anti-malware product as well as for their security data feed ThreatTrack. The complete test data set consists of 33.698 behavior reports in MIST format. &lt;/blockquote&gt;&lt;br /&gt;
The full technical report is available at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Update&lt;/em&gt;: I changed the terms within the description to use the correct description.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Fri, 29 Jan 2010 14:08:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/50-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Call for Papers: LEET'10</title>
    <link>http://honeyblog.org/archives/49-Call-for-Papers-LEET10.html</link>
            <category>admin</category>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/49-Call-for-Papers-LEET10.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=49</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=49</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The submission deadline for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (&lt;a href=&quot;http://www.usenix.org/events/leet10/&quot;&gt;LEET &#039;10&lt;/a&gt;) is quickly approaching. Please submit your work by Thursday, February 25, 2010, 11:59 p.m. PST. The full call for papers is available at &lt;a href=&quot;http://www.usenix.org/events/leet10/cfp/&quot;&gt;http://www.usenix.org/events/leet10/cfp/&lt;/a&gt;; see an overview below:&lt;br /&gt;
&lt;blockquote&gt;&lt;b&gt;Topics&lt;/b&gt;&lt;br /&gt;
Now in its third year, LEET continues to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on. We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Overview&lt;/b&gt;&lt;br /&gt;
Information technology (IT) adds $2 trillion annually to the US economy alone. While these technologies have enabled significant global economic growth, they have become rich targets for malicious activity. The US Federal Bureau of Investigation (FBI) indicated that cyber crime reached an all-time high in 2008; cyber crime now ranks as the FBI&#039;s third highest priority, behind such dramatic threats as counter-terrorism and counter-espionage. Much of this malicious activity is driven by economic incentives, but recently we have seen the emergence of highly visible, politically motivated attacks. While the motivations for malicious behavior and the technical mechanisms that enable them remain rich areas of research, it is clear that today our global society is faced with a wide range of cyber criminal activities: spam, phishing, denial of service, click fraud, etc.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Workshop Format&lt;/b&gt;&lt;br /&gt;
LEET aims to be a true workshop, with the twin goals of fostering the development of preliminary work and helping to unify the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats. Intriguing preliminary results and thought-provoking ideas will be strongly favored; papers will be selected for their potential to stimulate discussion in the workshop. Each author will have 15 minutes to present his or her work, followed by 15 minutes of discussion with the workshop participants.&lt;/blockquote&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 25 Jan 2010 09:03:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/49-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Studying Aspects of the Underground Economy&quot;</title>
    <link>http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=48</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=48</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Today I gave a &lt;a href=&quot;http://www.icsi.berkeley.edu/cgi-bin/events/event.pl?ID=000563&quot;&gt;talk&lt;/a&gt; at the International Computer Science Institute (&lt;a href=&quot;http://www.icsi.berkeley.edu/about/index.html&quot;&gt;ICSI&lt;/a&gt;) that focused on some of the research I did in the past year. The slides are now &lt;a href=&quot;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&quot;&gt;available&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
With the growing digital economy, it comes as no surprise that criminal activities in digital business have led to a digital underground economy. Because it is such a fast-moving field, tracking and understanding this underground economy is difficult and most information in this area is vague. In this talk, we discuss several approaches to study the structure of these underground markets. In particular, we present a method with which it is possible to directly analyze the amount of data harvested through keylogger-based attacks in a highly automated fashion. Based on real-world data, we can get a glimpse into the digital underground economy. However, many open questions remain that will be discussed in the last part of the talk.&lt;br /&gt;
&lt;br /&gt;
You can get the slides at &lt;a href=&quot;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&quot;&gt;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Wed, 20 Jan 2010 06:53:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/48-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Challenge 1 posted - Signed books as prizes!</title>
    <link>http://honeyblog.org/archives/46-Challenge-1-posted-Signed-books-as-prizes!.html</link>
            <category>honeynets</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/46-Challenge-1-posted-Signed-books-as-prizes!.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=46</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=46</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The first challenge of the Honeynet Forensic Challenge 2010 has been posted at &lt;a href=&quot;http://honeynet.org/node/504&quot;&gt;http://honeynet.org/node/504&lt;/a&gt;. The task is to analyze a packet capture that was collected by a honeypot. Analyze it and answer the following questions:&lt;br /&gt;
&lt;ol&gt;
&lt;li&gt;Which systems (i.e., IP addresses) are involved? (2pts)&lt;/li&gt;
&lt;li&gt;What can you find out about the attacking host (e.g., where is it located)? (2pts)&lt;/li&gt;
&lt;li&gt;How many TCP sessions are contained in the dump file? (2pts)&lt;/li&gt;
&lt;li&gt;How long did it take to perform the attack? (2pts)&lt;/li&gt;
&lt;li&gt;Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)&lt;/li&gt;
&lt;li&gt;Can you sketch an overview of the general actions performed by the attacker? (6pts)&lt;/li&gt;
&lt;li&gt;What specific vulnerability was attacked? (2pts)&lt;/li&gt;
&lt;li&gt;What actions does the shellcode perform? Please list the shellcode. (8pts)&lt;/li&gt;
&lt;li&gt;Do you think a honeypot was used to pose as a vulnerable victim? Why? (6pts)&lt;/li&gt;
&lt;li&gt;Was there malware involved? What&#039;s the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)&lt;/li&gt;
&lt;li&gt;Do you think this is a manual or an automated attack? Why? (2pts)&lt;/li&gt;
&lt;/ol&gt;&lt;br /&gt;
Get the pcap at &lt;a href=&quot;http://honeynet.org/files/attack-trace.pcap_.gz&quot;&gt;http://honeynet.org/files/attack-trace.pcap_.gz&lt;/a&gt;; it was provided together with the questions by Tillmann Werner. The deadline for submissions is Monday, February 1st 2010 at 17:00 EST. There will be some small prizes, among them signed copies of our book &quot;&lt;a href=&quot;http://www.amazon.com/gp/product/0321336321?ie=UTF8&amp;amp;tag=honeyblogorg-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0321336321&quot;&gt;Virtual Honeypots: From Botnet Tracking to Intrusion Detection&lt;/a&gt;&quot;. Full information is available at &lt;a href=&quot;http://honeynet.org/node/504&quot;&gt;http://honeynet.org/node/504&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 18 Jan 2010 08:56:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/46-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Walowdac – Analysis of a Peer-to-Peer Botnet</title>
    <link>http://honeyblog.org/archives/44-Walowdac-Analysis-of-a-Peer-to-Peer-Botnet.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/44-Walowdac-Analysis-of-a-Peer-to-Peer-Botnet.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=44</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=44</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/waledac-wc.png&#039;&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;73&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/waledac-wc.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt; One of the most interesting botnets of 2009 was Waledac: the botnet implements a peer-to-peer-based communication channel and can be seen as the successor of Storm Worm, since it implemented many similar ideas (e.g., a very similar language for spam templates was used). The researchers from Trend Micro had published an &lt;a href=&quot;http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf&quot;&gt;analysis&lt;/a&gt; of the botnet, and we also examined it. The result is a paper entitled &quot;&lt;a href=&quot;http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf&quot;&gt;Walowdac - Analysis of a Peer-to-Peer Botnet&lt;/a&gt;&quot;: instead of passively observing the network, we implemented an active infiltration component. We emulate the protocol of a bot and are able to observe the inner communication aspects of the network. As a result, we obtain an in-depth overview of the botnet that enables us to study different aspects of the network, e.g., the efficiency of the spam campaigns or the number of active bots. 
As a small peek at the results, the following picture shows the number of active bots in different countries on a specific day in August 2009. We can for example observe diurnal patterns and clearly see the effects of time zones on the size of the botnet:&lt;br /&gt;
&lt;br /&gt;
&lt;center&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/unique_20090824.png&#039;&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;61&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/unique_20090824.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: &lt;em&gt;Waledac&lt;/em&gt;. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named &lt;em&gt;Walowdac&lt;/em&gt;. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.&lt;br /&gt;
&lt;br /&gt;
The paper was joint work with Ben Stock, Jan Göbel, Markus Engelberth, and Felix C. Freiling. The full paper is available at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/waledac-ec2nd09.pdf&lt;/a&gt; and it was published at &lt;a href=&quot;http://2009.ec2nd.org/&quot;&gt;EC2ND 2009&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Sun, 03 Jan 2010 12:26:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/44-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Automatic Analysis of Malware Behavior using Machine Learning</title>
    <link>http://honeyblog.org/archives/42-Automatic-Analysis-of-Malware-Behavior-using-Machine-Learning.html</link>
            <category>CWSandbox</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/42-Automatic-Analysis-of-Malware-Behavior-using-Machine-Learning.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=42</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=42</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    In the last couple of years, several honeypot solutions to automatically &quot;collect&quot; malware samples were developed. With these tools, it is possible to obtain copies of malware samples without any human interaction. As a result, we are able to collect quite a few malware samples per day, which then also need to be analyzed. Thus, several sandbox solutions were developed that automate the analysis step by performing dynamic, behavior-based analysis. The result of the dynamic analysis is typically a report that summarizes the observed behavior. The next logical step is to use that information to perform malware classification and malware clustering: at the end of that process, we can then obtain information about which samples perform basically the same kind of activity. We can then automatically find variants of well-known threats, identify new malware families, and reduce the manual effort needed to analyze the large number of incoming malware samples.&lt;br /&gt;
&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/malware-clustering-wc.png&#039; target=&quot;_blank&quot;&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;57&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/malware-clustering-wc.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt; In the last couple of months, we worked on malware classification and malware clustering. The results are summarized in a &lt;a href=&quot;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&quot;&gt;technical report&lt;/a&gt;. In the article, we introduce a learning-based framework for automatic analysis of malware behavior. To apply this framework in practice, it suffices to collect a large number of malware samples and monitor their behavior using a sandbox environment. By embedding the observed behavior in a vector space, reflecting behavioral patterns in its dimensions, we are able to apply learning algorithms, such as clustering and classification, for analysis of malware behavior. Both techniques are important for an automated processing of malware samples and we show in several experiments that our techniques significantly improve previous work in this area. For example, the concept of prototypes allows for efficient clustering and classification, while also enabling a security researcher to focus manual analysis on prototypes instead of all malware samples. Moreover, we introduce a technique to perform behavior-based analysis in an incremental way that avoids run-time and memory overhead inherent to previous approaches.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;&lt;br /&gt;
Malicious software — so called &lt;em&gt;malware&lt;/em&gt; — poses a major threat to the security of computer systems. The amount and diversity of its variants render classic security defenses ineffective, such that millions of hosts in the Internet are infected with malware in the form of computer viruses, Internet worms and Trojan horses. While obfuscation and polymorphism employed by malware largely impede detection at file level, the dynamic analysis of malware binaries during run-time provides an instrument for characterizing and defending against the threat of malicious software.&lt;br /&gt;
In this article, we propose a framework for automatic analysis of malware behavior using machine learning. The framework allows for automatically identifying novel classes of malware with similar behavior (&lt;em&gt;clustering&lt;/em&gt;) and assigning unknown malware to these discovered classes (&lt;em&gt;classification&lt;/em&gt;). Based on both, clustering and classification, we propose an incremental approach for behavior-based analysis, capable of processing the behavior of thousands of malware binaries on a daily basis. The incremental analysis significantly reduces the run-time overhead of current analysis methods, while providing an accurate discovery and discrimination of novel malware variants.&lt;br /&gt;
&lt;br /&gt;
The full technical report is available at &lt;a href=&quot;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&quot;&gt;http://honeyblog.org/junkyard/paper/malheur-TR-2009.pdf&lt;/a&gt;. It was joint work with &lt;a href=&quot;http://blog.mlsec.org/&quot;&gt;Konrad Rieck&lt;/a&gt;, &lt;a href=&quot;http://www.omnivora.de/&quot;&gt;Philipp Trinius&lt;/a&gt;, and &lt;a href=&quot;http://cwse.de/&quot;&gt;Carsten Willems&lt;/a&gt;. And the word cloud was generated using &lt;a href=&quot;http://www.wordle.net/&quot;&gt;http://www.wordle.net/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 28 Dec 2009 12:15:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/42-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>AV Tracker</title>
    <link>http://honeyblog.org/archives/37-AV-Tracker.html</link>
            <category>CWSandbox</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/37-AV-Tracker.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=37</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=37</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    A couple of days ago, the website &quot;AV Tracker&quot; went online, which publishes information about various automated analysis systems. The idea is that the attacker uploads a binary to an analysis system, waits for the sample to be executed, and then the binary phones home some information to a server under the control of the attacker. The collected information is then published at &quot;AV Tracker&quot;, exposing information about the analysis systems. Besides some well-known AV companies, &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/cwsandbox.org&#039;);&quot;  href=&quot;http://cwsandbox.org&quot;&gt;CWSandbox&lt;/a&gt; and &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/anubis.iseclab.org&#039;);&quot;  href=&quot;http://anubis.iseclab.org&quot;&gt;Anubis&lt;/a&gt; were also affected. &lt;br /&gt;
&lt;br /&gt;
We analyzed the binary and found that it sends a simple HTTP request in which all extracted information is encoded. An example of an analysis report generated by one of the samples is &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/anubis.iseclab.org/?action=result&amp;amp;amp;task_id=361b5a8ee7235954252b02d33b3a7d24&#039;);&quot;  href=&quot;http://anubis.iseclab.org/?action=result&amp;amp;task_id=361b5a8ee7235954252b02d33b3a7d24&quot;&gt;http://anubis.iseclab.org/?action=result&amp;task_id=361b5a8ee7235954252b02d33b3a7d24&lt;/a&gt;. This can be defeated by blocking access to the reporting server or by regularly changing the IP address of the analysis systems, but in the end this will be some kind of arms race again.&lt;br /&gt;
&lt;br /&gt;
Some other interesting information is also embedded in the binary. When extracting the strings from the sample, the following text becomes visible (some information is hidden by dots):&lt;br /&gt;
&lt;blockquote&gt;This is Peter Kl....... fuck ...... fuck the world fuck you all!&lt;br /&gt;
I was once working with ...... and was a white hat, now I am the worst mean motherfucker black hat and I am selling the source code of ...... .. :D&lt;br /&gt;
I am with the &lt;s&gt;Sinowal&lt;/s&gt;Whistler developers, funny days, aren&#039;t ;) and fuck ..... they don&#039;t have no idea :D bitches&lt;/blockquote&gt;&lt;br /&gt;
A related article was also published today at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.viruslist.com/en/weblog?weblogid=208187881&#039;);&quot;  href=&quot;http://www.viruslist.com/en/weblog?weblogid=208187881&quot;&gt;http://www.viruslist.com/en/weblog&lt;/a&gt; under the title &quot;A black hat loses control&quot;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 22 Oct 2009 12:49:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/37-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>$645.00 ...</title>
    <link>http://honeyblog.org/archives/36-645.00-....html</link>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/36-645.00-....html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=36</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=36</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    ... is the amount I am worth in the underground economy, at least according to Symantec&#039;s new &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/everyclickmatters.com/&#039;);&quot;  href=&quot;http://everyclickmatters.com/&quot;&gt;website&lt;/a&gt; on which they advertise (in a somewhat entertaining way) Norton 2010 products. Here are the results when I take the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/everyclickmatters.com/victim/assessment.html&#039;);&quot;  href=&quot;http://everyclickmatters.com/victim/assessment.html&quot;&gt;risk assessment&lt;/a&gt;:&lt;br /&gt;
&lt;blockquote&gt;[...] In the underground economy, you&#039;re really worth about $645.00. And that&#039;s on a good day.&lt;br /&gt;
Your entire digital life could go on the auction block for as little as $10.96, whether you like it or not.&lt;/blockquote&gt;&lt;br /&gt;
How they compute these numbers, and on what methodology or measurements they are based, remains completely unclear; after all, it is just some kind of marketing. But the movies are funny, and perhaps they can serve as some kind of security awareness campaign. The main drawback is that the website is almost completely built on top of Flash and JavaScript - how about not using all these techniques next time? In some recent measurements we found that the vast majority of web surfers still have an unpatched version of Flash installed, so better teach them to regularly update their system next time...&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 10 Sep 2009 23:27:13 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/36-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Thread Graphs for Visualizing Malware Behavior</title>
    <link>http://honeyblog.org/archives/34-Thread-Graphs-for-Visualizing-Malware-Behavior.html</link>
            <category>CWSandbox</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/34-Thread-Graphs-for-Visualizing-Malware-Behavior.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=34</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=34</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The &lt;a href=&quot;http://honeyblog.org/archives/33-Visual-Analysis-of-Malware-Behavior-Using-Treemaps-and-Thread-Graphs.html&quot;&gt;last blog post&lt;/a&gt; dealt with our recent research on visualizing malware behavior. Now a quick update on the &lt;em&gt;thread graphs&lt;/em&gt; we generate for visualizing malware behavior: since tree maps display nothing about the sequence of operations, we use another presentation format to visualize the temporal behavior of the individual threads of a sample. A thread graph can be regarded as a behavioral fingerprint of the sample that represents the temporal order of executed system commands and the different threads spawned by a binary. The x-axis represents the time (sequence of performed actions), while the y-axis indicates the operation/section of the performed action. An analyst can then study this behavior graph to quickly learn more about the actions of each individual thread.&lt;br /&gt;
&lt;br /&gt;
The following two pictures show examples of this kind of visualization:&lt;br /&gt;
&lt;br /&gt;
&lt;center&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/adultbrowser-tg.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/stuff/adultbrowser-tg.png&#039;,&#039;Zoom&#039;,&#039;height=1017,width=1612,top=-51,left=-78.5,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:25 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;69&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/adultbrowser-tg.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/hookshell-tg.png&#039; onclick=&quot;F1 = window.open(&#039;/uploads/stuff/hookshell-tg.png&#039;,&#039;Zoom&#039;,&#039;height=1017,width=1612,top=-51,left=-78.5,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:24 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;110&quot; height=&quot;69&quot; style=&quot;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/hookshell-tg.serendipityThumb.png&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;
In the left-hand picture, we can see that one thread is responsible for the majority of operations for the sample. This thread performs many registry operations and initially performs many network- and system-related operations (operations 90-140). Additionally, two more threads are spawned, but they perform only a limited number of operations during the analysis phase. The thread graph for the malware sample on the right side is completely different, and an analyst can get a quick overview of what actions a given sample performs. 
    </content:encoded>

    <pubDate>Tue, 25 Aug 2009 23:33:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/34-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Towards Proactive Spam Filtering&quot;</title>
    <link>http://honeyblog.org/archives/32-Towards-Proactive-Spam-Filtering.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/32-Towards-Proactive-Spam-Filtering.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=32</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=32</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/spam-wc.jpg&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/spam-wc.jpg&#039;,&#039;Zoom&#039;,&#039;height=530,width=993,top=192.5,left=231,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:14 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;58&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/spam-wc.serendipityThumb.jpg&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt;A common technique employed by spammers is to send spam mails with the help of botnets. In a typical setting, the spammer uses so-called &lt;em&gt;template-based spamming&lt;/em&gt;: the attacker sends the bots a spam template that describes the structure of the spam message to be sent. Furthermore, the attacker sends meta-data like a recipient list, a subject list, and a list of URLs that are used to fill in variables in the template. The bots then construct an email based on the template and the meta-data, and send this email to the targets. As a result, the actual work of handling the SMTP communication is moved from the control server to the bots. Nowadays this technique is used by most large spam botnets, like Waledac, Bobax, Rustock, Cutwail, and many other major spam botnets, as Joe Stewart explained &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/secureworks.com/research/threats/botnets2009/&#039;);&quot;  href=&quot;http://secureworks.com/research/threats/botnets2009/&quot;&gt;in detail&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Since spammers nowadays use such a tactic, we can also collect spam mails in a more efficient way: instead of waiting at the end-user&#039;s mailboxes or spamtraps for mail messages to arrive and then deciding whether or not a message is spam, we directly interact with the servers that are used to send spam messages. The basic idea is that we execute spambots, i.e., malicious software dedicated to sending spam emails, in a controlled (honeypot) environment and collect all email messages sent by the bots. This enables us to &lt;em&gt;directly&lt;/em&gt; interact with botnet control servers to collect &lt;em&gt;current&lt;/em&gt; spam messages sent by a specific botnet. &lt;br /&gt;
&lt;br /&gt;
We describe this idea in more detail in a short paper that was published at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/security.dico.unimi.it/dimva2009/&#039;);&quot;  href=&quot;http://security.dico.unimi.it/dimva2009/&quot;&gt;DIMVA&#039;09&lt;/a&gt;. The paper is also &lt;a href=&quot;http://honeyblog.org/junkyard/paper/proactive-spam-short-dimva09.pdf&quot;&gt;available&lt;/a&gt; on this blog.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: With increasing security measures in network services, remote exploitation is getting harder. As a result, attackers concentrate on more reliable attack vectors like email: victims are infected using either malicious attachments or links leading to malicious websites. Therefore efficient filtering and blocking methods for spam messages are needed. Unfortunately, most spam filtering solutions proposed so far are reactive: they require a large amount of both ham and spam messages to efficiently generate rules to differentiate between both. In this paper, we introduce a more proactive approach that allows us to directly collect spam messages by interacting with the spam botnet controllers. We are able to observe current spam runs and obtain a copy of the latest spam messages in a fast and efficient way. Based on the collected information we are able to generate templates that represent a concise summary of a spam run. The collected data can then be used to improve current spam filtering techniques and develop new avenues to efficiently filter mails.  
    </content:encoded>

    <pubDate>Fri, 31 Jul 2009 12:08:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/32-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Automatically Generating Models for Botnet Detection&quot;</title>
    <link>http://honeyblog.org/archives/29-Automatically-Generating-Models-for-Botnet-Detection.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/29-Automatically-Generating-Models-for-Botnet-Detection.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=29</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=29</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/botdetection-wc.jpg&#039; onclick=&quot;F1 = window.open(&#039;/uploads/paper/wordclouds/botdetection-wc.jpg&#039;,&#039;Zoom&#039;,&#039;height=555,width=837,top=180,left=309,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes&#039;); return false;&quot;&gt;&lt;!-- s9ymdb:12 --&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;72&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/botdetection-wc.serendipityThumb.jpg&quot; alt=&quot;&quot;  /&gt;&lt;/a&gt; One of the papers that we will publish at the European Symposium on Research in Computer Security (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/conferences.telecom-bretagne.eu/esorics2009/EN/home.php&#039;);&quot;  href=&quot;http://conferences.telecom-bretagne.eu/esorics2009/EN/home.php&quot;&gt;ESORICS&#039;09&lt;/a&gt;) focuses on the problem of detecting bots within a given network. 
Previous research focused, for example, on detecting bots using human-generated signatures and anomaly detectors (e.g., &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.cyber-ta.org/pubs/botHunter-final7.pdf&#039;);&quot;  href=&quot;http://www.cyber-ta.org/pubs/botHunter-final7.pdf&quot;&gt;BotHunter&lt;/a&gt;) or on correlating the activity of individual hosts in order to find machines that react in lockstep (e.g., &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/faculty.cs.tamu.edu/guofei/paper/Gu_Security08_BotMiner.pdf&#039;);&quot;  href=&quot;http://faculty.cs.tamu.edu/guofei/paper/Gu_Security08_BotMiner.pdf&quot;&gt;BotMiner&lt;/a&gt; or &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.ece.cmu.edu/~tyen/TAMD.pdf&#039;);&quot;  href=&quot;http://www.ece.cmu.edu/~tyen/TAMD.pdf&quot;&gt;TAMD&lt;/a&gt;). We present a system that &lt;em&gt;automatically&lt;/em&gt; generates signatures which encapsulate the behavior of an infected machine. The important observation is that the principle behind bots is that they receive a command from the botherder and then respond in a specific way. Using real-world traces of many botnets we show that it is possible to spot the bot responses in the network traces using a change point detection algorithm. Based on this information we can then identify the commands, and we use all of this information to encode a signature which we map into &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/bro-ids.org/&#039;);&quot;  href=&quot;http://bro-ids.org/&quot;&gt;Bro&lt;/a&gt; rules. Experiments in different networks show that this approach outperforms BotHunter. 
More information about the approach is available in the &lt;a href=&quot;http://honeyblog.org/junkyard/paper/esorics_25_botnet.pdf&quot;&gt;paper&lt;/a&gt; and all the gory details are published in a &lt;a href=&quot;http://honeyblog.org/junkyard/paper/tr_botdetection.pdf&quot;&gt;technical report&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: A botnet is a network of compromised hosts that is under the control of a single, malicious entity, often called the botmaster. We present a system that aims to detect bots, independent of any prior information about the command and control channels or propagation vectors, and without requiring multiple infections for correlation. Our system relies on detection models that target the characteristic fact that every bot receives commands from the botmaster to which it responds in a specific way. These detection models are generated automatically from network traffic traces recorded from actual bot instances. We have implemented the proposed approach and demonstrate that it can extract effective detection models for a variety of different bot families. These models are precise in describing the activity of bots and raise very few false positives. &lt;br /&gt;
&lt;br /&gt;
This work is a collaboration with Peter Wurzinger, Leyla Bilge, Jan Goebel, Christopher Kruegel, and Engin Kirda. And the word cloud on the top of the posting is generated with the help of &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.wordle.net/&#039;);&quot;  href=&quot;http://www.wordle.net/&quot;&gt;http://www.wordle.net/&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Fri, 17 Jul 2009 01:55:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/29-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>LEET'09 Taking Place Soon</title>
    <link>http://honeyblog.org/archives/25-LEET09-Taking-Place-Soon.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/25-LEET09-Taking-Place-Soon.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=25</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=25</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Join us at the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/events/leet09/&#039;);&quot;  href=&quot;http://www.usenix.org/events/leet09/&quot;&gt;LEET&#039;09&lt;/a&gt;), which will take place in Boston, MA, on April 21, 2009. LEET &#039;09 will focus on the underlying mechanisms used to compromise and control hosts, the large-scale &quot;applications&quot; being perpetrated upon this framework, and the social and economic networks driving these threats. Sessions include Malware Analysis, Ethics in Botnet Research, Malware Behavior, and more.&lt;br /&gt;
&lt;br /&gt;
The full program is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/events/leet09/tech/&#039;);&quot;  href=&quot;http://www.usenix.org/events/leet09/tech/&quot;&gt;http://www.usenix.org/events/leet09/tech/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
LEET &#039;09 will also include a session for Work-in-Progress reports. We encourage you to submit an abstract or proposal for a 5-minute presentation on your preliminary work to leet09wips@usenix.org.&lt;br /&gt;
&lt;br /&gt;
Connect with the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats in fostering the development of preliminary work in this diverse area and stimulating discussion of thought-provoking ideas.&lt;br /&gt;
&lt;br /&gt;
Find out more and register today at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/leet09/&#039;);&quot;  href=&quot;http://www.usenix.org/leet09/&quot;&gt;http://www.usenix.org/leet09/&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Tue, 07 Apr 2009 08:38:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/25-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Conficker Detection</title>
    <link>http://honeyblog.org/archives/24-Conficker-Detection.html</link>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/24-Conficker-Detection.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=24</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=24</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The Internet did not break down yesterday due to Conficker, it seems like the topic was hyped a bit too much by the media.&lt;br /&gt;
In case you want to quickly check whether or not your machine is infected with the worm, you can use a simple check developed by &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.joestewart.org/&#039;);&quot;  href=&quot;http://www.joestewart.org/&quot;&gt;Joe Stewart&lt;/a&gt; from &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.secureworks.com/&#039;);&quot;  href=&quot;http://www.secureworks.com/&quot;&gt;SecureWorks&lt;/a&gt;. Simply go to &lt;a href=&quot;http://honeyblog.org/junkyard/conficker/&quot;&gt;http://honeyblog.org/junkyard/conficker/&lt;/a&gt; and check which images your browser shows:&lt;br /&gt;
&lt;blockquote&gt;Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.&lt;br /&gt;
&lt;br /&gt;
If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).&lt;br /&gt;
&lt;br /&gt;
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.&lt;/blockquote&gt;&lt;br /&gt;
Furthermore, the Honeynet Project recently released a paper entitled &quot;&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/papers/conficker&#039;);&quot;  href=&quot;http://honeynet.org/papers/conficker&quot;&gt;Know Your Enemy: Containing Conficker&lt;/a&gt;&quot; which presents in detail several methods to detect the worm based on network characteristics.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
The Conficker worm has infected several million computers since it first started spreading in late 2008, but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally, and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download, including source code.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 02 Apr 2009 10:19:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/24-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>

</channel>
</rss>