honeyblog - general

SPRING Proceedings

nospam@example.com (Thorsten Holz) — Fri, 8 Aug 2008 18:25:00 +0200

Today the workshop SPRING took place at our lab in Mannheim. SPRING is an annual networking event for junior scientists who work in the area of reactive security. The talks focussed on topics like automated malware clustering, intrusion detection systems that use peer-to-peer techniques, netflow analysis, anomaly detection on smartphones, and more. I organized the workshop, thus I'm happy that it ends in a few minutes :-)

In the next few days, we will upload all slides and also a few pictures taken during the workshop. The proceedings are already available. They contain a short abstract (one page) for each talk and provide an overview of the different topics covered today.

DIMVA'08 Slides

nospam@example.com (Thorsten Holz) — Tue, 22 Jul 2008 13:56:00 +0200

A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper to the webinterface of cwsandbox.org - stay tuned :)

Fast-Flux Data

nospam@example.com (Thorsten Holz) — Wed, 16 Jul 2008 23:57:00 +0200

Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed at my side, we decided to simply publish all the data such that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:

storm-qavoter.com.log: dig lookups for domain used by the Storm Worm botnet which uses fast-flux techniques

asprox-damnec-hydra.log: dig lookups for Asprox/Damnec botnet which also uses fast-flux techniques

lookups-ff: dig lookups for fast-flux domains, confirmed manually

lookups-spam: dig lookups for various domains found in spam e-mails

lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa

lookups-ndss: part of the domains used for the NDSS paper

lookups-ndss-ff: suspected fast-flux domains from NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)

Stock Spam

nospam@example.com (Thorsten Holz) — Tue, 17 Jun 2008 19:16:00 +0200

Pump and dump schemes for penny stocks based on spam mails were quite common in the years 2006 and 2007. Nowadays, however, it seems like these schemes are over and I receive such mails only very seldom. One recent example of such a scam mail is:

Now see for yourself.

Corporation: Angstrom Microsystems
Symbol OTCBB: agms
Suggested: Buy/hold
Monday close : .400
Shares traded: 331,485

Excellent release last week and investors are noticing and volume is up.

This is the beginning of great things, sales are up and deployment is increasing Angstrom Microsystems will blow you away.

Move before it's too late, obtain this stock NOW.

Please note that I modified the mail text to increase readability.
Such schemes work in practice and spam mails can actually influence the stock market as we showed in a study. This works since the quote of a penny stock can be influenced with a relative low number of trades.

Recently Sophos blogged about a spam campaign in which the mails contained a text about the downtime of Amazon. They theorized that these spam mails are used for shorting the Amazon stock for Short and Distort scams. I doubt that this is true - especially given the fact that more than five million Amazon stocks are traded per day...

Continue reading "Stock Spam"

Mail Problems

nospam@example.com (Thorsten Holz) — Thu, 5 Jun 2008 20:59:32 +0200

The mail server of our university is down since more than two days (sic!). I'm wondering how many mails I have lost up to now and what kind of interesting information did not reach me... If you want to reach me, please use the Gmail account. On the other hand: no distracting e-mails and lots of time to write papers. The ACSAC deadline is next Sunday, presumably I have a paper ready until then :)

Storm Worm Presentation

nospam@example.com (Thorsten Holz) — Thu, 29 May 2008 14:20:00 +0200

Two days ago I gave a presentation at IT-Sicherheits-Forum, a German conference on IT security, on Storm Worm. The presentation is now available. It provides an overview of Storm Worm and highlights various aspects of the botnet. The presentation is an extended version of our LEET'08 paper on the same topic.

Storm is still an interesting botnet. However, the botnet is getting smaller and smaller - nowadays there are typically less than ten thousand machines online during a typical day. Seems like the good ol' days of Storm are over...

Call for Paper: EC2ND'08

nospam@example.com (Thorsten Holz) — Wed, 14 May 2008 16:53:00 +0200

The CFP for the fourth annual European Conference on Computer Network Defense (EC2ND'08) is up online at http://2008.ec2nd.org/.

The conference will take place on December 11th & 12th 2008 in the Faculty of Engineering and Computing at Dublin City University. The theme of the conference is the protection of computer networks. As with past EC2ND conferences, this year's event will encourage participants from academia and industry within Europe and beyond to discuss current topics in applied network and systems security.

EC2ND 2008 invites submissions presenting novel ideas at an early stage with the intention to act as a discussion forum and feedback channel for promising, innovative security research. While our goal is to solicit ideas that are not completely worked out, and might have challenging and interesting open questions, we expect submissions to be supported by some evidence of feasibility or preliminary quantitative results.

Important Dates:
Paper Submission Deadline: September 1st, 2008
Notification of Acceptance: September 18th, 2008
Final Paper Due: October 1st, 2008
Conference Dates: December 11th & 12th, 2008

You can find more information at http://2008.ec2nd.org/.

WOMBAT / FORWARD

nospam@example.com (Thorsten Holz) — Fri, 25 Apr 2008 14:07:23 +0200

In the last few days, the first workshops for two projects funded by the European Union took place: WOMBAT and FORWARD.

Project description WOMBAT:

The WOMBAT project aims at providing new means to understand the existing and emerging threats that are targeting the Internet economy and the net citizens. To reach this goal, the proposal includes three key workpackages: (i) real time gathering of a diverse set of security related raw data, (ii) enrichment of this input by means of various analysis techniques, and (iii) root cause identification and understanding of the phenomena under scrutiny. The acquired knowledge will be shared with all interested security actors (ISPs, CERTs, security vendors, etc.), enabling them to make sound security investment decisions and to focus on the most dangerous activities first. Special care will also be devoted to impact the level of confidence of the European citizens in the net economy by leveraging security awareness in Europe thanks to the gained expertise.

Project description FORWARD:

The FORWARD initiative aims at identifying, networking, and coordinating the multiple research efforts that are underway in the area of Cyber-threats defenses, and leveraging these efforts with other activities to build secure and trusted ICT systems and infrastructures.

The initial workshops were quite interesting, let's see how both projects evolve :-)
The websites of both WOMBAT and FORWARD contain more information about the actual project, including more information about the participants and the initial workshops.

Status Report German Honeynet Project

nospam@example.com (Thorsten Holz) — Tue, 22 May 2007 19:28:20 +0200

We have just published the status report of the German Honeynet Project. It highlights some of the work we did in the last twelve months between April 2006 and April 2007.

Disclosing too much...

nospam@example.com (Thorsten Holz) — Thu, 10 May 2007 19:53:00 +0200

F-Secure's blog has today an entry entitled "Advanced tools to handle stolen information". That blog entry deals with an information stealing trojan which sends all collected data to a central drop site. They also have some screenshots and this is were things get messy: using the information from the screenshot, it is trivial to find information about other victims. Within a couple of minutes I could find personal data of about 100 other victims. This information includes, amongst other, the following entries:

system info: user, processor, operation system, memory, IP address, disc information, folders, process list, installed programs, ...
ICQ 2003a & Lite passwords
dialup passwords
passwords from Windows protected storage
Wand & email Opera passwords

Perhaps it is better to handle such information more carefully and not publish too much. FX wrote about this topic some time ago in the Sabre Lablog: "Irresponsible Disclosure"

Damage by Botnets

nospam@example.com (Thorsten Holz) — Mon, 30 Apr 2007 12:56:00 +0200

A few days ago, Ed Felton posted a summary of a recent Botnet Briefing in Washington. The interesting point is the question whether or not the $5000 damage threshold of the Computer Fraud and Abuse Act is too high for such cases and if it would make more sense to have some designated number of computers affected. Presumably this comes back to the question on how to estimate the damage of a single incident. Do you take into account the time to clean up the bot-infected machines (re-installing the system, customizing everything, restoring from backup, ...) and also the costs of possible DDoS, identity theft, or other kind of victims?

German Stock Spam

nospam@example.com (Thorsten Holz) — Wed, 31 Jan 2007 14:11:24 +0100

Yesterday I received the first stock spam sample in German (see below). Seems like the spammers are moving forward and target now also other languages...
As a side note: Alex from SunbeltBLOG posted a few days ago some interesting statistics regarding spam bots and their efficiency

Dr. Y.Buchholz, Anlage-Strategien und Konzepte, Reutlingen

Kauf-Tipp der Woche:
EECH GROUP AG (P&T Technology)

Name : EECH GROUP AG (P&T Technology)
WKN : 685280
ISIN : DE0006852809
Kürzel : PTA
Schluss-Stand 31.12.2006 : Euro 0.52
Prognose bis 31.12.2007 : Euro 4.85

Günstiger Einstieg in den Alternativ-Energie-Sektor.
Von der EECH GROUP AG (P&T Technology) erwarten wir in den kommenden Wochen und Monate durchwegs positive Nachrichten. Dem interessierten Anleger empfehlen wir dringend, diesen Titel ins Depot aufzunehmen.

Firmen-Portrait:

Seit dem 1. Dezember 2005 firmiert die ehemalige P&T Technology AG unter EECH Group AG. Verbunden mit der Namensänderung ist eine strategische Neuausrichtung. Die EECH Group wird laut eigenen Angaben das bestehende Konzeptions-, Vertriebs- und Finanzierungswissen über den Bereich der erneuerbaren Energien hinaus für weitere Anlageklassen wie Immobilien und Kunst nutzen. Die breitere Aufstellung als Emissionshaus über die bisher aufgelegten Fonds im Bereich der erneuerbaren Energien hinaus, soll neben der verbesserten Wertschöpfung auch eine breitere Risikostreuung für das Unternehmen gewährleisten. In den letzten Jahren bildete die Windpark-Projektentwicklung bis hin zur schlüsselfertigen Errichtung solcher Anlagen im In- und Ausland das Hauptgeschäftsfeld des Unternehmens.
Bereits 2002 war von der Gesellschaft ein Restrukturierungsprogramm in Angriff genommen worden, das 2003 durch Kostenreduzierung und Verkauf von Projekten 2003 erste Früchte zeigte und so die Liquidität der Gesellschaft sicherte. Zudem konnte ein Windpark rückabgewickelt werden, wodurch Haftungsrisiken vermindert wurden, die ansonsten auf die Liquidität gedrückt und den Fortbestand der Firma gefährdet hätten. Die flüssigen Mittel der Gesellschaft sind ohnehin auch weiterhin knapp bemessen und stellen ein Risiko für das weitere Geschäft dar. Künftige Linie soll es daher sein, Windparks auch schon im Planungsstadium zu veräußern und nicht mehr als Generalunternehmer aufzutreten. Die Gesellschaft erhofft sich vor allem einen Rückfluss an Investitionen aus Frankreich. Des Weiteren hatte die P&T Technologies AG 2003 ihre Beteiligung am Emissionshaus EECH AG auf 100% ausgebaut. Ende 2005 erfolgte dann die Umfirmierung.
Im Geschäftsjahr 2004 ermäßigten sich die Umsatzerlöse des Konzerns auf 47,25 (i.V. 53,57) Mill. Euro. Unter dem Strich konnte der Konzernjahresfehlbetrag auf minus 3,77 (minus 14,17) Mill. Euro eingegrenzt werden. Das Eigenkapital betrug zum 31. Dezember 5,80 (9,42) Mill. Euro bei einer Bilanzsumme von 45,98 (85,87) Mill. Euro.

Wir wünschen Ihnen viel Erfolg
Dr. Y.Buchholz, Anlage-Strategien und Konzepte, Reutlingen

Disclaimer / Haftungsausschluss und Risikohinweise: Indirekte sowie direkte Regressinanspruchnahme und Gewährleistung muss trotz akkuratem Research und der Sorgfaltspflicht verbundenen Prognostik kategorisch ausgeschlossen werden. Handelsanregungen oder Empfehlungen in unseren Strategien, stellen keine Aufforderung von Kauf oder Verkauf von Wertpapieren oder derivativen Finanzprodukten dar. Eine Haftung für mittelbare und unmittelbare Folgen der veröffentlichten Inhalte ist somit ausgeschlossen. Dr. Y.Buchholz, Anlage-Strategien und Konzepte bezieht Informationen aus Quellen, die wir als vertrauenswürdig erachtet. Eine Gewähr hinsichtlich Qualität und Wahrheitsgehalt dieser Informationen muss dennoch kategorisch ausgeschlossen werden. Die Strategie-Empfehlungen dürfen keinesfalls als persönliche oder auch allgemeine Beratung aufgefasst werden, auch nicht stillschweigend, da wir mittels veröffentlichter Inhalte lediglich unsere subjektive Meinung reflektieren. Weiterhin kann nicht ausgeschlossen werden, dass Redaktionsmitglieder sich im Besitz von Wertpapieren befinden, über die wir im Rahmen unserer Newsletter oder anderweitig Bericht erstatten. Leser, die auf Grund der in diesem Newsletter veröffentlichten Inhalte Anlageentscheidungen treffen bzw. Transaktionen durchführen, handeln vollständig auf eigene Gefahr. Die in unseren Newslettern oder anderweitig damit im Zusammenhang stehenden Informationen begründen somit keinerlei Haftungsobligo.
Ausdrücklich weisen wir auf die im Wertpapiergeschäft immer vorhandenen erheblichen Risiken hin. Aktieninvestitionen sowie Optionsscheingeschäfte, der Handel mit derivativen Finanzprodukten als auch Anlagen in Investmentfonds beinhalten das Risiko enormer Wertverluste. Insbesondere gilt dies auch im Zusammenhang mit dem börslichen und vorbörslichen Handel von Neuemissionen und speziell bei Anlagen in nicht börsennotierte Unternehmen, wie dies bei Venture Capital-Anlagen der Fall ist. Ein Totalverlust des eingesetzten Kapitals kann dabei keineswegs ausgeschlossen werden. Eigenverantwortliche Anlageentscheidungen im Wertpapiergeschäft darf der Anleger nur bei eingehender Kenntnis der Materie in Erwägung ziehen, in jedem Falle aber ist die Inanspruchnahme einer persönlichen Beratung der Haus und/oder Depotbank unbedingt zu empfehlen.