honeyblog

SPRING Proceedings

nospam@example.com (Thorsten Holz) — Fri, 8 Aug 2008 18:25:00 +0200

Today the workshop SPRING took place at our lab in Mannheim. SPRING is an annual networking event for junior scientists who work in the area of reactive security. The talks focussed on topics like automated malware clustering, intrusion detection systems that use peer-to-peer techniques, netflow analysis, anomaly detection on smartphones, and more. I organized the workshop, thus I'm happy that it ends in a few minutes :-)

In the next few days, we will upload all slides and also a few pictures taken during the workshop. The proceedings are already available. They contain a short abstract (one page) for each talk and provide an overview of the different topics covered today.

WOOT'08 and HotSec'08

nospam@example.com (Thorsten Holz) — Tue, 29 Jul 2008 12:15:00 +0200

Besides USENIX Security, also two interesting workshops take place this week: 2nd USENIX Workshop on Offensive Technologies (WOOT '08) and 3rd USENIX Workshop on Hot Topics in Security (HotSec '08). Both workshops have an interesting program and the proceedings are an interesting read! My favorite paper picks:

Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods by Stinson and Mitchell (WOOT'08) discusses how existing botnet detection systems like Rishi, BotHunter, BotMiner, and others can be circumvented

Towards Application Security on Untrusted Operating Systems by Ports and Garfinkel (HotSec'08) discusses how malicious behavior in each major OS subsystem can undermine application security and how this threat can possibly be mitigated

There Is No Free Phish: An Analysis of "Free" and Live Phishing Kits by Cova et al. (WOOT'08) analyzes "free" phishing kits like the famous Mr. Brain kits that contain backdoors

Insecure Context Switching: Inoculating Regular Expressions for Survivability by Drewry and Ormandy (WOOT'08) shows how regular expressions can be used in a malicious way, leading to complexity attacks

The full papers will be available a few days after the workshops took place.

USENIX Security'08

nospam@example.com (Thorsten Holz) — Mon, 28 Jul 2008 12:14:00 +0200

This week, the 17th USENIX Security Symposium takes place in San Jose, CA. Unfortunately I can not attend this year :-( But there are many interesting papers you should check out, for example:

All Your iFRAMEs Point to Us by Provos et al. analyzes the threat by malicious iframes injected into websites

Lest We Remember: Cold Boot Attacks on Encryption Keys by Halderman et al. is the paper about the now famous cold boot attack, for which the full source code was released last week by Jacob Appelbaum at The Last HOPE in New York City

CloudAV: N-Version Antivirus in the Network Cloud by Oberheide et al. deals with n-version AV-scanning (basically examining a given sample with n AV-scanners and behavior-analysis tools like CWSandbox or Norman Sandbox), thereby improving detection rates

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection by Gu et al. shows how botnets can be detected by correlating netflow data, finding similar behavior within the network traffic

Hypervisor Support for Identifying Covertly Executing Binaries by Litty et al. introduces a system to detect malicious code with the help of a hypervisor built on top of Xen.

And many others

The full papers will be available a few days after the conference took place. A really good conference this year with an exciting program! Looking forward to attend next year :-)

Observing Malware Outbreaks with Honeypots

nospam@example.com (Thorsten Holz) — Sat, 26 Jul 2008 13:05:00 +0200

Low-interaction honeypots like Nepenthes or Amun are good at capturing autonomous spreading malware that propagates via exploiting vulnerabilities in network services: by emulating specific vulnerabilities, these honeypots trick malware into exploiting the honeypot and we can capture a copy of the malware.
These honeypots also allow us to observe outbreaks of new malware samples: since quite many people run Nepenthes or Amun nowadays and also send the samples to cwsandbox.org for automated malware analysis, we can correlate the submissions of many different sensors at a central location. For example, we received the malware sample with MD5 sum cb032b12af742555e60124f6d7d2d2ea from a total of 57 different sensor at the timestamps depicted below:



Timestamp               Filename

2008-01-10 19:36:25     grospolinacb032b12af742555e60124f6d7d2d2eauLa1AA

2008-01-10 22:11:47     nepenthescb032b12af742555e60124f6d7d2d2easBj96A

2008-01-11 00:03:32     nepenthescb032b12af742555e60124f6d7d2d2easm4aaA

2008-01-11 00:18:58     nepenthescb032b12af742555e60124f6d7d2d2eaA

2008-01-11 00:22:22     nepenthescb032b12af742555e60124f6d7d2d2eayK4gcQ

2008-01-11 00:22:56     nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA

2008-01-11 00:34:36     nepenthescb032b12af742555e60124f6d7d2d2eaf92wA

2008-01-11 00:44:56     nepenthescb032b12af742555e60124f6d7d2d2eaBmLfOg

2008-01-11 00:45:09     nepenthescb032b12af742555e60124f6d7d2d2eagv4WoQ

2008-01-11 00:53:59     nepenthescb032b12af742555e60124f6d7d2d2eaOewZcA

2008-01-11 01:11:01     nepenthescb032b12af742555e60124f6d7d2d2eaQANtUA

2008-01-11 01:56:59     nepenthescb032b12af742555e60124f6d7d2d2eaeEtIA

2008-01-11 04:48:11     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-01-11 05:32:44     nepenthescb032b12af742555e60124f6d7d2d2eadOoZcA

2008-01-11 06:35:31     nepenthescb032b12af742555e60124f6d7d2d2eaf0fA

2008-01-11 08:21:13     nepenthescb032b12af742555e60124f6d7d2d2eaze0fA

2008-01-11 08:49:09     nepenthescb032b12af742555e60124f6d7d2d2eaSu4fA

2008-01-11 09:25:49     nepenthescb032b12af742555e60124f6d7d2d2eaanj2kA

2008-01-11 09:41:40     nepenthescb032b12af742555e60124f6d7d2d2eaJ8ZcA

2008-01-11 12:00:10     cb032b12af742555e60124f6d7d2d2ea

2008-01-11 13:42:14     nepenthescb032b12af742555e60124f6d7d2d2ea1E4a6A

2008-01-11 14:15:43     nepenthescb032b12af742555e60124f6d7d2d2eaSHkgA

2008-01-11 14:37:06     grospolinacb032b12af742555e60124f6d7d2d2eamKgfA

2008-01-11 14:38:37     nepenthescb032b12af742555e60124f6d7d2d2eabGhXGQ

2008-01-11 18:30:29     nepenthescb032b12af742555e60124f6d7d2d2eaMPofKg

2008-01-11 18:39:25     nepenthescb032b12af742555e60124f6d7d2d2eaGSGoWQ

2008-01-11 20:33:26     nepenthescb032b12af742555e60124f6d7d2d2eab0fA

2008-01-12 04:19:46     nepenthescb032b12af742555e60124f6d7d2d2eauJQiA

2008-01-12 12:12:12     nepenthescb032b12af742555e60124f6d7d2d2eaGDoqMQ

2008-01-12 14:32:15     nepenthescb032b12af742555e60124f6d7d2d2eaSIUgA

2008-01-13 20:37:45     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-01-14 17:38:54     nepenthescb032b12af742555e60124f6d7d2d2eaQ8fA

2008-01-14 22:26:54     grospolinacb032b12af742555e60124f6d7d2d2ea2rqiGw

2008-01-15 06:27:12     nepenthescb032b12af742555e60124f6d7d2d2eaM0sA

2008-01-15 09:32:40     nepenthescb032b12af742555e60124f6d7d2d2eaM0sA

2008-01-18 10:20:58     nepenthescb032b12af742555e60124f6d7d2d2eaKEuA

2008-01-19 02:10:38     nepenthescb032b12af742555e60124f6d7d2d2eagfofkA

2008-01-20 05:37:39     nepenthescb032b12af742555e60124f6d7d2d2eaxeoZcA

2008-01-25 09:43:36     nepenthescb032b12af742555e60124f6d7d2d2eaLvAfA

2008-01-29 15:36:08     nepenthescb032b12af742555e60124f6d7d2d2eaBxofsA

2008-01-29 20:47:39     nepenthescb032b12af742555e60124f6d7d2d2eaJ00A

2008-02-01 18:48:12     nepenthescb032b12af742555e60124f6d7d2d2eaEcoA

2008-02-02 12:24:22     nepenthescb032b12af742555e60124f6d7d2d2eawcUgLg

2008-02-02 19:35:56     cb032b12af742555e60124f6d7d2d2ea

2008-02-07 13:59:24     cb032b12af742555e60124f6d7d2d2ea.dat

2008-02-08 15:48:30     nepenthescb032b12af742555e60124f6d7d2d2eaGfoWA

2008-02-14 14:14:03     cb032b12af742555e60124f6d7d2d2eacb032b12af742555...2ea

2008-02-21 14:20:01     nepenthescb032b12af742555e60124f6d7d2d2eaWN0fA

2008-02-28 16:56:53     nepenthescb032b12af742555e60124f6d7d2d2eaoexA

2008-03-03 15:15:39     nepenthescb032b12af742555e60124f6d7d2d2eaA

2008-03-11 02:56:00     nepenthescb032b12af742555e60124f6d7d2d2eaAfA

2008-03-14 11:11:51     nepenthescb032b12af742555e60124f6d7d2d2eaJgfA

2008-03-15 17:31:37     nepenthescb032b12af742555e60124f6d7d2d2eaGGYnA

2008-03-20 10:55:43     nepenthescb032b12af742555e60124f6d7d2d2eacb032b1...2ea

2008-03-20 17:05:07     nepenthescb032b12af742555e60124f6d7d2d2eaoflA

2008-03-31 12:12:02     nepenthescb032b12af742555e60124f6d7d2d2eaYO0fA

2008-04-07 07:06:12     nepenthescb032b12af742555e60124f6d7d2d2eaxMUg3A

2008-04-08 02:37:22     cb032b12af742555e60124f6d7d2d2ea

Each timestamp depicts the first point in time where the specific sensor captured a copy of the malware. As you can see, the malware outbreak happened presumably at January 10, 2008. From then on, honeypot sensors all around the world captured a copy of this specific bot. The CWSandbox report contains more detailed information about the botnet, e.g.:

The bot creates a file named C:\WINDOWS\system32\explorer.exe, which is a copy of itself

It creates a run key for the Windows registry such that the bot is started again after a reboot

The C&C server is located at the IP address 67.43.232.36 and listens on the TCP port 8080

C&C channel is #wawa and the command issued by the botmaster at the time of analysis is: ipscan s.s.s dcom2 -f -s

DIMVA'08 Slides

nospam@example.com (Thorsten Holz) — Tue, 22 Jul 2008 13:56:00 +0200

A quick follow-up to our DIMVA'08 paper on "Learning and Classification of Malware Behavior": the slides from Konrad's talk are now available and provide a quick overview of the topic.

In the near future, we will integrate the results of this paper to the webinterface of cwsandbox.org - stay tuned :)

Interesting Pattern in Storm Worm Traffic

nospam@example.com (Thorsten Holz) — Mon, 21 Jul 2008 17:52:00 +0200

Björn Weiland recently sent me a few graphs with interesting observations he made when tracking the Storm Worm botnet as part of his thesis on detection of advanced botnets.
The first graph visualizes the network communication of a Storm sample when executed on a machine with a private IP address. In that configuration, the bot typically sends out spam e-mails or participates in distributed denial-of-service attacks. The x-axis shows the time, while the y-axis shows the UDP/TCP destination port number the bot communicates on:

The graph shows that the bot first uses NTP to synchronize the clock of the victim's machine. Afterwards, it contacts many other machines, typically on TCP ports < 33.789 (strange port number?!?). After a few minutes, it also starts with spamming (lots of connections on TCP port 25). What is interesting are all the communications that happen on higher port numbers: we can, for example, identify an IP address hosted at Intercage. This IP address is part of the static backend of the botnet. In addition, an IP address related to the University of California in San Diego (UCSD) sticks out, presumably related to their Storm Worm research. I'm not yet sure what all the other IP addresses mean, but presumably all of them are also suspicious and somehow related to the botnet.

The second graph shows the network communication of a sample executed on a machine with a public IP address. In this configuration, the bot is typically used to relay messages or host services related to the botnet. Again, the x-axis depicts a timeline, whereas the y-axis show the TCP / UDP destination port number:

Here we can observe a completely different pattern compared to the first graph. Overall, the full port range is used, with some more dense and some more sparse parts. We can also observe more TCP communication and also quite a lot communication on TCP port 80, which is related to the web sites hosted by the botnet.

The port range between destination port 50,000 and 51,000 is far more dense compared to lower / higher ports as the following figure shows:

This port range is commonly used for RTP / RTCP as defined in RFC 4504 - presumably just a coincidence for Storm Worm.

Does anybody have an explanation for the distribution of destination ports used by Storm Worm? And thanks a lot to Björn for the permission to publish the figures!

New Storm Campaign: Amero

nospam@example.com (Thorsten Holz) — Mon, 21 Jul 2008 16:21:54 +0200

The Storm Worm botnet changed the propagation theme again and now uses a social engineering theme that builds on the weak US dollar and the ongoing financial crisis:

The text above the picture reads:

The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

From a technical point, nothing seems to change compared to previous versions of the binary. In the last few days, our crawler measured an effective size (i.e., how many bots are online at the moment) of the botnet between six and ten thousand machines. In total, the botnet is still bigger, we observe high churn rates between different crawls.

Fast-Flux Data

nospam@example.com (Thorsten Holz) — Wed, 16 Jul 2008 23:57:00 +0200

Back in February, we published a paper on fast-flux service networks at NDSS'08. The basic idea behind fast-flux networks is a fast change in the mapping between a domain name and the corresponding IP addresses. The attackers use this mechanism to build a proxy-network on top of compromised machines to maintain a robust hosting infrastructure for their services. For more information on this topic, see the paper by the Honeynet Project or our NDSS paper.

To foster research in this area, the data collected during our study is available for research purposes. Up to now, quite a few people mailed me and asked for the data. To make this process a bit more scalable and also minimize the amount of work needed at my side, we decided to simply publish all the data such that everyone can download the raw data and use it for whatever purpose. Today, I uploaded a tarball which contains a summary of the fast-flux data collected over a period of several weeks. The tarball contains a potpourri of different measurements and has a total size of 7.3 MB. It contains about 55K raw dig lookup files and has an unpacked size of about 220 MB. The archive contains the following data:

storm-qavoter.com.log: dig lookups for domain used by the Storm Worm botnet which uses fast-flux techniques

asprox-damnec-hydra.log: dig lookups for Asprox/Damnec botnet which also uses fast-flux techniques

lookups-ff: dig lookups for fast-flux domains, confirmed manually

lookups-spam: dig lookups for various domains found in spam e-mails

lookups-benign: dig lookups for (probable) benign domains, most of them collected via dmoz or Alexa

lookups-ndss: part of the domains used for the NDSS paper

lookups-ndss-ff: suspected fast-flux domains from NDSS paper

So if you are interested in this area and want to learn more about it, just download the archive (7.3 MB) and play with the files :)

#CCpower Only Scam?

nospam@example.com (Thorsten Holz) — Tue, 15 Jul 2008 10:32:00 +0200

Several days ago I blogged about a compromise of our honeypots in which the attacker joined the IRC channel #CCpower. Such a channel is commonly used by attackers to trade stolen credentials like credit cards, ATM pins, social security numbers, or similar things. Again, a small excerpt from within this channel:

- USA-DUMPS: I HAVE VIRGIN USA DUMPS FOR SHOPPING (WITHOUT PIN). LOOKING FOR REAL US CASHIER FOR LONG TERM RELATIONSHIP. MY YAHOO MESSENGER ID IS : DUMPS_SELLER ! RIPPERS DON'T WASTE MY TIME! CONTACT ME ONLY IF YOU'RE FOR REAL. THANK YOU!. - cards: Selling USA dumps for shopping /msg cards- for details.. - User2: Carti Fullz,Paypal Fullz,user eBay, Root,Remote Desktop, Loginuri Wells si boa Sockuri ...etc..Care esti afara sau ai ceva point de facut bani prv me!!POt sa dau Spam pe oRice BAnca NUMAI DE STATE inclusiv eBay si Paypal daca ai pont!!!. - vendors: Spamming for HSBC, Halifax, CIBC. e-trade bank logins. Selling UK, USA, Swedish, Australian cvvs.. - HenryMtcn: Cashouting Uk BanK Logins Halifax Abbey and Natwest Share Guarranted.. - zoRnking: I searching good deals.. with sure (100%) cashout - out rippers - because i work with money upfront on the first deal and the get back after cashout - /msg zoRnking if you accept my rules or add my YM: zornunhackXXX@yahoo.com. - MSR206: Selling atm skimmer + MSR206 with 5 blank magnetic cards , video available for checking the items pvt me for info. - Zenq: Vand Carti Fresh Full Info & Cvv2 (AU,CA,UK,US,IT,SP,EU),Dumpsuri With Pin and Track1,Track2 and Track3 Luate Cu Cipul sau cu Gura de Skimmeri.........Logine Full (Carte + user & password) (BOA,RBC,Desjardins,Paypal,Intesa,Poste.it,Wamu,Wachoavia,Chase,MoneyBookers),Usere Ebay(Seller & Buyer)..RIPPERS OUT (My Contact ICQ = 3972973XX)

Two comments on the previous blog entry pointed out that these channels are commonly used for scams. The first one:

And for the article, I was hanging around on different ccpower networks since the beginning, 90% of these deals are ripoffs. Poor scum nigerians and romanians try to make 20$ deals by ripping eachother off. This is just a PUG what you find on undernet and different networks like unixirc, linuxirc. These people not even criminals just losers in life. I wouldn't bother wasting too much time for watching them. Won't do any good. You will never find any serious criminal group on the internet, since their trust builds in real life.

And the second one:

lol he said the truth!! most of them are rippers and scum bags..and yes, trust is built in real life not on internet!

Does anybody have more information on this topic, for example evidence that the trading activity in these channels is commonly scam and also some kind of proof? I am interested in this topic since the implication would be that the paper by Franklin et al. on the underground economy ("An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants") is not completely right - it would greatly overestimate the real size of the underground economy. Please leave a comment or send me an e-mail to thorsten.holz [at] gmail.com.

Survival of the Fittest

nospam@example.com (Thorsten Holz) — Mon, 14 Jul 2008 20:47:00 +0200

The Internet Storm Center blogged about the Survival Time on the Internet today. The survival time is defined as:

The survivaltime is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.
The average time between probes will vary widely from network to network. Some of our submitters subscribe to ISPs which block ports commonly used by worms. As a result, these submitters report a much longer 'survival time'. On the other hand, University Networks and users of high speed internet services are frequently targeted with additional scans from malware like bots. If you are connected to such a network, your 'survival time' will be much smaller.
The main issue here is of course that the time to download critical patches will exceed this survival time.

With the help of honeypots, we can measure the survival time. For example, we can use low-interaction honeypot such as nepenthes or amun that emulate common network-based vulnerabilities and deploy them at different locations. The average time it takes to download the first binary is an estimation of the survival time: The honeypots emulate known vulnerabilities and are thus exploited by different kinds of autonomous spreading malware - similar to an unpatched system. At our lab, we deployed ten honeypots in different network ranges and measured different things as I'll explain with the following graphs. These are all based on measurements between August 2007 and July 2008.

This plot shows the total number of attacks (blue) and of downloads (red) per sensor for the measurement period. We see that there are huge differences depending on the network location (e.g., whether or not the ISP filters specific ports). Furthermore, not all attacks are successful and we also observed quite a lot failed attacks.

This plot shows the percentage of attacks (red) and downloads (blue) per time of day. We can observe a clear diurnal pattern: lower attack volume during the night and higher attack volume during the day, following the typical behavior of humans.

This plot shows the attacks (blue) and the downloads (red) per weekday for all sensors during the measurement period. The values are given in percentage of the sum of all attacks/downloads over the chosen period of time. The attack traffic is slightly higher during the weekends.

Another interesting observation is whether or not the attacks originate from the same ASN as the honeypot as depicted in the above picture. The figure shows the percentage of attacks coming from the same ISP as the honeypot, e.g., for sensor 1, about 90% of the attacks originate from machines within the same autonomous system. The graph can be interpreted as many attacks being local - which makes sense since autonomous spreading malware often prefers to propagate locally. In some ASNs, however, it seems like most attacks originate from other ASNs.

Finally, this graph shows an estimation of the survival time: The graph shows the average amount of time for the honeypot to be attacked successfully. Red bars are honeypots with a static IP address, thus we have only one measurement point for these honeypots. For the blue bars, each honeypot had a dynamic IP address, e.g., a disconnect every 24 hours. The bar depicts the average time from obtaining a new DHCP lease to first download which can be interpreted as the time it would take for an unpatched system to be compromised. Compared to the survival time from the Internet Storm Center which is currently below five minutes, we measure a higher survival time. However, the time is still short and you need to patch a system before taking it online.

More information and many more graphs are available in the thesis from Laura Itzel (unfortunately in German only).

Update: I updated the description of the fourth figure to explain it a bit better for non-German speaking readers.

DIMVA'08: "Learning and Classification of Malware Behavior"

nospam@example.com (Thorsten Holz) — Thu, 10 Jul 2008 10:06:00 +0200

Today and tomorrow DIMVA'08 takes place in Paris. DIMVA'08 is the Fifth Conference on Detection of Intrusions and Malware & Vulnerability Assessment and organized by the special interest group SIDAR of the German Informatics Society (GI).

Our paper entitled "Learning and Classification of Malware Behavior" is a joint work with Konrad Rieck, Carsten Willems, Patrick Düssel, Pavel Laskov, and Felix Freiling. The paper deals with malware classification, i.e., how to automatically learn malware families using labels. We use (noisy) labels by an anti-virus product and then apply machine learning algorithms to classify malware based on execution traces generated with the help of CWSandbox. In an experiment with over 3,000 previously undetected malware binaries, our system correctly predicted almost 70% of labels assigned by an anti-virus scanner four weeks later. Our method also detects unknown behavior, so that malware families not present in the learning corpus are correctly identified as unknown. The analysis of prominent features inferred by our discriminative models has shown interesting similarities between malware families; in particular, we have discovered that Doomber and Gobot worms derive from the same origin, with Doomber being an extension of Gobot - all in an automated way.

Abstract:
Malicious software in form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. The diversity and amount of its variants severely undermine the effectiveness of classical signature-based detection. Yet variants of malware families share typical behavioral patterns reflecting its origin and purpose. We aim to exploit these shared patterns for classification of malware and propose a method for learning and discrimination of malware behavior. Our method proceeds in three stages: (a) behavior of collected malware is monitored in a sandbox environment, (b) based on a corpus of malware labeled by an anti-virus scanner a malware behavior classifier is trained using learning techniques and (c) discriminative features of the behavior models are ranked for explanation of classification decisions. Experiments with different heterogeneous test data collected over several months using honeypots demonstrate the effectiveness of our method, especially in detecting novel instances of malware families previously not recognized by commercial anti-virus software.

The full paper is now available.

Storm Worm: World War III?

nospam@example.com (Thorsten Holz) — Wed, 9 Jul 2008 07:26:00 +0200

Tonight the Storm Worm botnet changed the propagation theme again. They have a bogus story, but an interesting picture:

Just now US Army's Delta Force and U.S. Air Force have invaded Iran. Approximately 20000 soldiers crossed the border into Iran and broke down the Iran's Army resistance. The video made by US soldier was received today morning. Click on the video to see first minutes of the beginning of the World War III. God save us.

The directory structure of the website is similar to the previous campaigns:

A file called ind.php is included which contains a couple of exploits for common web browser vulnerabilities.
The actual Storm Worm binary is called iran_occupation.exe and it behaves similar to previous versions

So actually nothing really new at the botnet side...
Warning: Please do not visit the website visible in the screenshot, it may harm your computer.

Sicherheit'08: "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients"

nospam@example.com (Thorsten Holz) — Sun, 6 Jul 2008 19:55:00 +0200

Back in April, our paper on low-interaction, client-side honeypots entitled "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients" was published at Sicherheit'08, the main security conference for the German speaking community. The paper presents a client-side honeypot that can be used to detect malicious web sites. The basic idea is to use the crawler Heritrix to download content efficiently and then analyze the downloaded content with different means, e.g., AV scanners, CWSandbox, or other tools. To our surprise, the paper won the best paper award of the conference :-)

Abstract:
Client-side attacks are on the rise: malicious websites that exploit vulnerabilities in the visitor’s browser are posing a serious threat to client security, compromising innocent users who visit these sites without having a patched web browser. Currently, there is neither a freely available comprehensive database of threats on the Web nor sufficient freely available tools to build such a database. In this work, we introduce the Monkey-Spider project. Utilizing it as a client honeypot, we portray the challenge in such an approach and evaluate our system as a high-speed, Internet-scale analysis tool to build a database of threats found in the wild. Furthermore, we evaluate the system by analyzing different crawls performed during a period of three months and present the lessons learned.

The full paper is now also available for download and the software is published at SourceForge: http://monkeyspider.sourceforge.net/. The software is released under the terms of GPLv3 and the maintainer is Ali Ikinci (ali at ikinci dot info).

WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web"

nospam@example.com (Thorsten Holz) — Fri, 4 Jul 2008 10:32:00 +0200

The 7th Workshop on the Economics of Information Security (WEIS'08) took place last week at Dartmouth College's Tuck School of Business. Several interesting papers like "Security Economics and European Policy", "Do Data Breach Disclosure Laws Reduce Identity Theft?", or "The Impact of Incentives on Notice and Take-down" were presented during the workshop. Our paper entitled "Studying Malicious Websites and the Underground Economy on the Chinese Web" deals with several aspects of the underground economy within China's part of the World Wide Web. Amongst other techniques, we use client-side honeypots to study malicious websites.

Abstract:
The World Wide Web gains more and more popularity within China with more than 1.31 million websites on the Chinese Web in June 2007. Driven by the economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousand of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant amount of websites within China’s part of the Web contain some kind of malicious content: our measurements reveal that about 1.49% of the examined sites contain malicious content that tries to attack the visitor’s browser.

The paper is a collaboration with several researchers from China (Jianwei Zhuge, Chengyu Song, Jinpeng Guo, Xinhui Han, and Wei Zou) and a revised version of our technical report on the same topic. The full version of the paper is now available.

Continue reading "WEIS'08: "Studying Malicious Websites and the Underground Economy on the Chinese Web""

Fast-Flux Techniques in .mobi

nospam@example.com (Thorsten Holz) — Thu, 3 Jul 2008 16:00:00 +0200

Danmec/Asprox is an SQL injection attack tool that is responsible for some aspects of the recent wave of SQL injections (full list maintained by ShadowServer). This malware also uses fast-flux techniques to host some facets of the attacks. Since a few days, the attackers also use the .mobi TLD - the first time I see this TLD being abused this way by malware. The following listing shows the results of a DNS lookup for one of the .mobi domains:

$ dig allocbn.mobi

; <<>> DiG 9.3.4 <<>> allocbn.mobi
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26203
;; flags: qr rd ra; QUERY: 1, ANSWER: 14, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;allocbn.mobi. IN A

;; ANSWER SECTION:
allocbn.mobi. 600 IN A 200.167.230.85
allocbn.mobi. 600 IN A 69.247.175.135
allocbn.mobi. 600 IN A 71.56.42.87
allocbn.mobi. 600 IN A 72.187.108.240
allocbn.mobi. 600 IN A 74.138.199.132
allocbn.mobi. 600 IN A 75.66.193.0
allocbn.mobi. 600 IN A 75.143.150.108
allocbn.mobi. 600 IN A 76.175.178.111
allocbn.mobi. 600 IN A 98.165.213.34
allocbn.mobi. 600 IN A 98.192.74.13
allocbn.mobi. 600 IN A 98.223.61.12
allocbn.mobi. 600 IN A 99.233.217.232
allocbn.mobi. 600 IN A 118.160.173.122
allocbn.mobi. 600 IN A 190.18.116.54

The DNS answer has a short time to live (600 seconds - 10 minutes) and the IP addresses are located in many different networks - a typical sign for fast-flux techniques. Most IP addresses are located in dial-up networks like Comcast and Roadrunner, presumably these machines are infected and compromised machines. When doing a DNS lookup a couple of minutes later, a different set of IP addresses is returned:

;; ANSWER SECTION:
allocbn.mobi. 493 IN A 208.107.82.31 [NEW]
allocbn.mobi. 493 IN A 71.56.42.87
allocbn.mobi. 493 IN A 72.177.224.125 [NEW]
allocbn.mobi. 493 IN A 72.187.175.42 [NEW]
allocbn.mobi. 493 IN A 75.143.150.108
allocbn.mobi. 493 IN A 76.171.151.145 [NEW]
allocbn.mobi. 493 IN A 76.175.178.111
allocbn.mobi. 493 IN A 81.203.14.159 [NEW]
allocbn.mobi. 493 IN A 92.233.227.123 [NEW]
allocbn.mobi. 493 IN A 98.165.213.34
allocbn.mobi. 493 IN A 98.192.74.13
allocbn.mobi. 493 IN A 98.223.61.12
allocbn.mobi. 493 IN A 99.233.217.232
allocbn.mobi. 493 IN A 156.34.132.62 [NEW]

This indicates the "fluxiness" of the domain. By DNS mining, i.e., performing DNS lookups of this domain every TTL +1 seconds, we can observe the botnet behind this attack. In the past week, we found about 1,000 unique bot IP addresses this way.