Jan Göbel
University of Mannheim
Publication
Featured research published by Jan Göbel.
electronic commerce | 2009
Ben Stock; Jan Göbel; Markus Engelberth; Felix C. Freiling; Thorsten Holz
A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.
visualization for computer security | 2009
Philipp Trinius; Thorsten Holz; Jan Göbel; Felix C. Freiling
We study techniques to visualize the behavior of malicious software (malware). Our aim is to help human analysts to quickly assess and classify the nature of a new malware sample. Our techniques are based on a parametrized abstraction of detailed behavioral reports automatically generated by sandbox environments. We then explore two visualization techniques: treemaps and thread graphs. We argue that both techniques can effectively support a human analyst (a) in detecting maliciousness of software, and (b) in classifying malicious behavior.
Archive | 2010
Markus Engelberth; Felix C. Freiling; Jan Göbel; Christian Gorecki; Thorsten Holz; Ralf Hund; Philipp Trinius; Carsten Willems
The Internet Malware Analysis System (InMAS) is a modular platform for distributed, large-scale monitoring of malware on the Internet. InMAS integrates diverse tools for malware collection (using honeypots) and malware analysis (mainly using dynamic analysis). All collected information is aggregated and accessible through an intuitive and easy-to-use web interface. In this paper, we provide an overview of the structure of InMAS and the various tools it integrates. We also introduce the web frontend that displays all information on different levels of abstraction, from a coarse-grained overview down to highly detailed information on demand.
international conference on detection of intrusions and malware and vulnerability assessment | 2009
Jan Göbel; Thorsten Holz; Philipp Trinius
With increasing security measures in network services, remote exploitation is getting harder. As a result, attackers concentrate on more reliable attack vectors like email: victims are infected using either malicious attachments or links leading to malicious websites. Therefore efficient filtering and blocking methods for spam messages are needed. Unfortunately, most spam filtering solutions proposed so far are reactive: they require a large amount of both ham and spam messages to efficiently generate rules to differentiate between both. In this paper, we introduce a more proactive approach that allows us to directly collect spam messages by interacting with the spam botnet controllers. We are able to observe current spam runs and obtain a copy of latest spam messages in a fast and efficient way. Based on the collected information we are able to generate templates that represent a concise summary of a spam run. The collected data can then be used to improve current spam filtering techniques and develop new venues to efficiently filter mails.
2009 20th International Workshop on Database and Expert Systems Application | 2009
Markus Engelberth; Jan Göbel; Christian Gorecki; Philipp Trinius
Many different methods to mitigate spam in the internet have been proposed. However, the most promising ones require fundamental changes to the mail protocol itself. Other methods are based on filtering, but still require the end-user to verify the results. We propose a different approach that requires email senders to traverse a kind of handshake before sending an initial email to a new contact. Our method, called Mail-Shake, is based on two facts. First, spammers need valid email addresses to deliver their spam to. Second, spammers do not require real inboxes for their sender addresses, as replies are not expected. This allows complete automation of the spamming process, sending email at almost no cost. If we can decrease the number of valid email addresses a spammer can collect and increase the cost of sending email, spamming becomes uninteresting as the effort is too high in contrast to the win.
Datenschutz Und Datensicherheit - Dud | 2011
Markus Engelberth; Felix C. Freiling; Jan Göbel; Christian Gorecki; Thorsten Holz; Ralf Hund; Philipp Trinius; Carsten Willems
Abstract: The goal of an early warning system is essentially the early detection and assessment of threats from the Internet. An important aspect of this is the observation and tracking of malicious software. With the Internet Malware Analysis System (InMAS), which was developed between 2007 and 2009 at the University of Mannheim, malware can be detected and analyzed automatically. The information obtained in this way provides a situational picture of the current threat level of the observed Internet infrastructure and can make an important contribution to a national early warning system. The project was funded by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI).
;login:: the magazine of USENIX & SAGE | 2006
Jan Göbel; Jens Hektor; Thorsten Holz
Archive | 2009
Jan Göbel; Thorsten Holz; Philipp Trinius
Sicherheit | 2010
Jan Göbel; Philipp Trinius
Archive | 2011
Jan Göbel; Andreas Dewald; Felix C. Freiling