honeyblog
A blog on honeypots, honeynets, and more

Call for Papers: 2nd Workshop on Large-scale Exploits and Emergent Threats (LEET '09)
Thursday, October 9. 2008

The Call for Papers for the Second USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET '09) has been available for a couple of days now. I am very proud to be one of the members of the program committee and hope that some readers of this blog also submit a paper to the workshop. LEET '09 will focus - similar to last year's workshop - on the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, and the social and economic networks driving these threats.
Important dates:
Paper submissions due: January 16, 2009, 11:59 p.m. EST
Notification to authors: March 2, 2009
Final papers due: March 30, 2009
Workshop: April 21, 2009 - Boston, MA, USA
The workshop will be held immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.
Overview:
As the Internet has become a universal mechanism for commerce and communication, it has also become an attractive medium for online criminal enterprise. Today, widespread vulnerabilities in both software and user behavior allow miscreants to compromise millions of hosts (worms, viruses, drive-by exploits, etc.), conceal their activities with sophisticated system software (rootkits), and manage these resources via a distributed command and control framework (botnets). This platform in turn provides economies of scale for a wide range of criminal activities including spam, phishing, DDoS, click fraud, and so on.
Posted by Thorsten Holz in general, paper at 19:58 | Comments (0) | Trackbacks (0)

CWSandbox vs. www.malwarechallenge.info
Wednesday, October 8. 2008

Via the Internet Storm Center (thanks guys!) I found a link to the Malware Challenge 2008:
A system administrator within your organization has come to you because a user's PC was infected with malware. Unfortunately, anti-virus is unable to remove the malware. However, the administrator was able to recover the suspected malware executable. Your job is to analyze the malware.
Participants should download the malware sample and analyze it. The end result should be a document containing details on the analysis performed. The analysis document can be written in any form, but the questions and statements below should be answered within it. Participants should note what questions are being answered.
The questions deal with typical binary analysis techniques; for example, these four questions should be pretty easy to answer with CWSandbox:
[...]
- Describe the malware's behavior. What files does it drop? What registry keys does it create and/or modify? What network connections does it create? How does it auto-start, etc?
- What type of command and control server does the malware use? Describe the server and interface this malware uses as well as the domains and URLs accessed by the malware.
- What commands are present within the malware and what do they do? If possible, take control of the malware and run some of these commands, documenting how you did it.
- How would you classify this malware? Why?
[...]
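The first two questions can be answered largely mechanically from a sandbox trace. As an added example (not part of the original post and not CWSandbox's report format), the script below triages a constructed event log in a hypothetical JSON-lines format: it picks out dropped executables, registry writes that land in well-known autostart locations, and outbound connections that look like a C&C channel, guessing the channel type from the port and tying each address back to the name the sample resolved. The sample log, the event format and the port-to-channel table are assumptions for this example; the autostart registry paths are real ones but the list is illustrative, not exhaustive.

```python
import json
import re

# Constructed sample log (hypothetical format, not CWSandbox's): one JSON event per line.
SAMPLE_LOG = r"""
{"pid": 1204, "op": "file_write", "path": "C:\\WINDOWS\\system32\\msupdater.exe", "size": 84992}
{"pid": 1204, "op": "file_write", "path": "C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\~tmp1.dat", "size": 512}
{"pid": 1204, "op": "reg_set", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "msupdater", "data": "C:\\WINDOWS\\system32\\msupdater.exe"}
{"pid": 1204, "op": "reg_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", "value": "ProxyEnable", "data": "0"}
{"pid": 1204, "op": "dns", "name": "irc.example.invalid", "answer": "198.51.100.7"}
{"pid": 1204, "op": "connect", "ip": "198.51.100.7", "port": 6667, "proto": "tcp"}
{"pid": 1204, "op": "dns", "name": "update.example.invalid", "answer": "203.0.113.9"}
{"pid": 1204, "op": "connect", "ip": "203.0.113.9", "port": 80, "proto": "tcp"}
"""

# Registry locations commonly abused for persistence, matched case-insensitively
# against the end of the key path. Real locations; the list is illustrative only.
AUTOSTART_KEYS = [
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once|OnceEx|Services)?$",
    r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$",
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$",   # Userinit / Shell values
    r"\\CurrentControlSet\\Services\\[^\\]+$",              # ImagePath of a new service
    r"\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad$",
]
AUTOSTART_RE = [re.compile(p, re.IGNORECASE) for p in AUTOSTART_KEYS]

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".pif")

# Port-based guess at the C&C channel (assumed table); the payload must confirm it.
PORT_HINTS = {6666: "irc", 6667: "irc", 6668: "irc", 6669: "irc", 7000: "irc",
              80: "http", 8080: "http", 443: "https"}


def parse_log(text):
    """Parse JSON-lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_autostart(key):
    return any(r.search(key) for r in AUTOSTART_RE)


def triage(events):
    """Answer the 'behaviour' and 'C&C' questions from raw sandbox events."""
    dropped, autostart, contacts, names = [], [], [], {}
    for ev in events:
        op = ev["op"]
        if op == "file_write" and ev["path"].lower().endswith(EXEC_EXT):
            dropped.append(ev["path"])
        elif op == "reg_set" and is_autostart(ev["key"]):
            autostart.append((ev["key"], ev["value"], ev["data"]))
        elif op == "dns":
            names[ev["answer"]] = ev["name"]       # remember who resolved to what
        elif op == "connect":
            contacts.append(ev)
    # Resolve names in a second pass so ordering of dns/connect events does not matter.
    c2 = [{"host": names.get(ev["ip"], ev["ip"]), "port": ev["port"],
           "channel": PORT_HINTS.get(ev["port"], "unknown")} for ev in contacts]
    kinds = {c["channel"] for c in c2}
    if "irc" in kinds:
        family = "IRC bot"
    elif kinds & {"http", "https"}:
        family = "HTTP bot"
    else:
        family = "unclassified"
    return {"dropped": dropped, "autostart": autostart, "c2": c2, "classification": family}


def report(text):
    return triage(parse_log(text))


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

The classification at the end is deliberately crude: a port number only suggests the protocol, and the third challenge question (what commands exist and how to drive them) still needs the captured traffic or the disassembly.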
A quick look at the CWSandbox submissions revealed that the malware sample had already been submitted to our system: https://cwsandbox.org/?page=report&analysisid=459732&password=dqvtg. The full report also contains process dumps and pcaps taken during the execution. To not spoil the challenge, I will not go into details - have fun analyzing the sample :-)

Posted by Thorsten Holz in malware at 00:04 | Comments (3) | Trackbacks (0)

MALWARE'08: "As the Net Churns: Fast-Flux Botnet Observations"
Tuesday, October 7. 2008

Together with Jose Nazario, I published a paper about fast-flux botnet observations at the 3rd International Conference on Malicious and Unwanted Software (Malware 2008). The paper contains information about different aspects of fast-flux service networks collected with the help of ATLAS, Arbor's Active Threat Level Analysis System. For several months now, ATLAS has been able to monitor fast-flux service networks, and a live view of the collected information is available at http://atlas.arbor.net/summary/fastflux.
Abstract:
While botnets themselves provide a rich platform for financial gain for the botnet master, the use of the infected hosts as webservers can provide an additional botnet use. Botnet herders often use fast-flux DNS techniques to host unwanted or illegal content within a botnet. These techniques change the mapping of the domain name to different bots within the botnet with constant shifting, while the bots simply relay content back to a central server. This can give the attackers additional stepping stones to thwart takedown and can obscure their true origins.
Evidence suggests that more attackers are adopting fast-flux techniques, but very little data has been gathered to discover what these botnets are being used for. To address this gap in understanding, we have been mining live traffic to discover new fast-flux domains and then tracking those botnets with active measurements for several months. We have identified over 900 fast-flux domain names from early to mid 2008 and monitored their use across the Internet to discern fast-flux botnet behaviors. We found that the active lifetimes of fast-flux botnets vary from less than one day to months, that domains used in fast-flux operations are often registered but dormant for months prior to activation, that these botnets are associated with a broad range of online fraud and crime including pharmacy sites, phishing and malware distribution, and that we can identify distinct botnets across multiple domain names. We support our findings through an in-depth examination of Internet-scale data continuously collected for hundreds of domain names over several months.
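The constant re-mapping of one name to many bots that the abstract describes is what an active measurement sees as a stream of short-TTL answers pointing into unrelated networks. As an added example, not code from the paper or from ATLAS, the script below aggregates repeated lookups of a name into those signals (distinct addresses, distinct networks, minimum TTL, churn between lookups) and separates a fluxing name from a CDN-hosted one, which also has low TTLs but keeps its addresses in one or two networks. The lookup traces are constructed, the /16 prefix stands in for the origin AS that a real detector would look up, and the weights and threshold are assumptions chosen for this example, not fitted values from the paper.

```python
import ipaddress

# Constructed lookup traces, not real measurements: for each name, the (TTL, A records)
# returned by successive lookups a few minutes apart. Addresses are from
# documentation / benchmark ranges.
TRACE = {
    "flux.example.invalid": [
        (300, ["198.51.100.4", "203.0.113.77", "192.0.2.19", "198.18.5.2", "198.19.200.9"]),
        (300, ["203.0.113.78", "192.0.2.200", "198.51.100.90", "198.18.77.1", "100.64.3.3"]),
        (300, ["100.64.9.1", "192.0.2.5", "203.0.113.1", "198.19.1.1", "198.51.100.250"]),
    ],
    "cdn.example.invalid": [
        (60, ["192.0.2.10", "192.0.2.11"]),
        (60, ["192.0.2.11", "192.0.2.12"]),
        (60, ["192.0.2.10", "192.0.2.12"]),
    ],
}


def features(lookups):
    """Aggregate repeated lookups of one name into the signals that separate a
    fluxing name from ordinary round-robin or CDN hosting."""
    seen, prefixes, fresh_counts, answer_counts = set(), set(), [], []
    min_ttl = None
    for i, (ttl, answers) in enumerate(lookups):
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        fresh = [a for a in answers if a not in seen]
        if i > 0:                      # churn: answers never returned by an earlier lookup
            fresh_counts.append(len(fresh))
            answer_counts.append(len(answers))
        seen.update(answers)
        # /16 prefix as a cheap stand-in for the origin AS (assumption; use ASN data for real)
        prefixes.update(str(ipaddress.ip_network(f"{a}/16", strict=False)) for a in answers)
    churn = sum(fresh_counts) / sum(answer_counts) if answer_counts else 0.0
    return {"n_ips": len(seen), "n_prefixes": len(prefixes), "min_ttl": min_ttl, "churn": churn}


# Weights and threshold are assumptions for this example, not the paper's values.
# Address count, network spread and churn all push the score up; a CDN scores low
# because its (few) addresses sit in one or two networks.
WEIGHTS = {"n_ips": 1.0, "n_prefixes": 10.0, "churn": 20.0}
THRESHOLD = 40.0
MAX_TTL = 3600                       # a TTL of hours cannot support fast rotation


def flux_score(f):
    return sum(WEIGHTS[k] * f[k] for k in WEIGHTS)


def is_fast_flux(lookups):
    f = features(lookups)
    return f["min_ttl"] <= MAX_TTL and flux_score(f) > THRESHOLD


def classify(trace):
    return {name: is_fast_flux(lookups) for name, lookups in trace.items()}


if __name__ == "__main__":
    for name, lookups in TRACE.items():
        f = features(lookups)
        print(f"{name}: {f} score={flux_score(f):.1f} fast-flux={is_fast_flux(lookups)}")
```

Low TTL alone is a poor signal, since content delivery networks use it legitimately; the discriminating features are how many distinct networks the answers come from and how completely the answer set turns over between lookups.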
The full paper is now available. Unfortunately I cannot attend MALWARE'08, which takes place today and tomorrow, but I hope everyone has a good time at the conference!

Posted by Thorsten Holz in paper at 10:44 | Comment (1) | Trackbacks (0)

IMF'08: "Reconstructing People's Lives: A Case Study in Teaching Forensic Computing"
Thursday, October 2. 2008

Last week I attended the 4th International Conference on IT Incident Management & IT Forensics (IMF'08), which took place in Mannheim, Germany. IMF's focus is on different aspects of forensics, and the program was a mix of academic and industry talks. The invited talks were especially interesting; my personal highlight was FX's talk on router forensics (the slides from a similar talk at BlackHat DC are available at Recurity Labs).
Together with Felix Freiling and Martin Mink, I had a paper at IMF about the lessons we learned when teaching IT forensics at our university. The paper is now available and presents some of the high-level findings.
At our lab, we regularly offer a lecture on IT forensics that deals with the principles of forensics, file system analysis, live analysis, and similar topics. Last time we had two main exercises: filesystem forensics on a prepared floppy disk and some hard disks we bought at eBay, and a live analysis of a compromised honeypot. All slides used during the lecture on IT forensics are available at the website of our lab. Perhaps we can also publish more material (e.g., the exercises we used during the lecture), I need to check this...
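The floppy-disk exercise, as an added example that is not part of the lecture material: the script below constructs a minimal 1.44 MB FAT12 image in memory with one live file and one deleted file, then parses it the way a student would parse a real image, reading the BIOS parameter block, listing root-directory entries including the one marked deleted (first byte 0xE5) that a normal directory listing hides, following the FAT chain for the live file, and carving the deleted file from its start cluster. The image contents are constructed; the recovery of the deleted file assumes it was stored contiguously, because DOS clears the FAT chain on delete but leaves the directory entry's start cluster, size and data in place.

```python
import math
import struct

SECTOR = 512
ROOT_SECTOR, DATA_SECTOR, SECTORS_PER_FAT = 19, 33, 9   # layout of a 1.44 MB floppy


def fat12_get(fat, n):
    """Read 12-bit FAT entry n (entries are packed 1.5 bytes apart)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF


def fat12_set(fat, n, val):
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    word = (word & 0x000F) | (val << 4) if n & 1 else (word & 0xF000) | val
    fat[off], fat[off + 1] = word & 0xFF, word >> 8


def build_floppy_image():
    """Constructed test image: README.TXT (live, clusters 2 -> 3) and SECRET.DOC
    (deleted: entry marked 0xE5, FAT chain cleared, data still in cluster 4)."""
    img = bytearray(2880 * SECTOR)
    struct.pack_into("<3s8sHBHBHHBHHHII", img, 0, b"\xEB\x3C\x90", b"MSDOS5.0",
                     SECTOR, 1, 1, 2, 224, 2880, 0xF0, SECTORS_PER_FAT, 18, 2, 0, 0)
    img[510:512] = b"\x55\xAA"
    fat = bytearray(SECTORS_PER_FAT * SECTOR)
    fat12_set(fat, 0, 0xFF0)                 # media descriptor entry
    fat12_set(fat, 1, 0xFFF)
    fat12_set(fat, 2, 3)                     # README.TXT: 2 -> 3 -> end of chain
    fat12_set(fat, 3, 0xFFF)
    img[1 * SECTOR:10 * SECTOR] = fat        # cluster 4 stays 0: DOS freed it on delete
    img[10 * SECTOR:19 * SECTOR] = fat       # second FAT copy
    readme = b"Lecture notes on file system forensics.\n" * 15   # 600 bytes, spans 2 clusters
    secret = b"deleted but still on disk"
    img[DATA_SECTOR * SECTOR:DATA_SECTOR * SECTOR + len(readme)] = readme
    img[(DATA_SECTOR + 2) * SECTOR:(DATA_SECTOR + 2) * SECTOR + len(secret)] = secret
    root = ROOT_SECTOR * SECTOR
    struct.pack_into("<8s3sB10xHHHI", img, root, b"README  ", b"TXT", 0x20, 0, 0, 2, len(readme))
    struct.pack_into("<8s3sB10xHHHI", img, root + 32, b"\xE5ECRET  ", b"DOC", 0x20, 0, 0, 4, len(secret))
    return bytes(img)


def parse_bpb(img):
    """Derive FAT, root directory and data area offsets from the BIOS parameter block."""
    bps, spc, reserved, nfats, root_entries, _total, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    fat_off = reserved * bps
    root_off = fat_off + nfats * spf * bps
    return {"bps": bps, "spc": spc, "fat": img[fat_off:fat_off + spf * bps],
            "root_off": root_off, "root_entries": root_entries,
            "data_off": root_off + root_entries * 32}


def list_root(img):
    """Walk the root directory, keeping deleted entries that a normal listing hides."""
    bpb = parse_bpb(img)
    entries = []
    for i in range(bpb["root_entries"]):
        raw = img[bpb["root_off"] + 32 * i: bpb["root_off"] + 32 * (i + 1)]
        if raw[0] == 0x00:
            break                                     # no entries beyond this point
        name, ext, attr, _t, _d, cluster, size = struct.unpack("<8s3sB10xHHHI", raw)
        if attr & 0x08 or attr & 0x0F == 0x0F:        # volume label / long-name piece
            continue
        deleted = raw[0] == 0xE5                      # first name byte overwritten on delete
        base = ("?" + name[1:].decode("ascii")) if deleted else name.decode("ascii")
        entries.append({"name": base.rstrip() + "." + ext.decode("ascii").rstrip(),
                        "deleted": deleted, "cluster": cluster, "size": size})
    return entries


def read_file(img, entry):
    """Live file: follow the FAT chain. Deleted file: the chain is gone, so carve
    ceil(size / cluster) clusters from the start cluster, assuming contiguity."""
    bpb = parse_bpb(img)
    cluster_bytes = bpb["bps"] * bpb["spc"]
    if entry["deleted"]:
        n = math.ceil(entry["size"] / cluster_bytes)
        chain = list(range(entry["cluster"], entry["cluster"] + n))
    else:
        chain, c = [], entry["cluster"]
        while 2 <= c < 0xFF8:                         # 0xFF8..0xFFF mark end of chain
            chain.append(c)
            c = fat12_get(bpb["fat"], c)

    def cluster(c):
        start = bpb["data_off"] + (c - 2) * cluster_bytes
        return img[start:start + cluster_bytes]
    return b"".join(cluster(c) for c in chain)[:entry["size"]]


if __name__ == "__main__":
    image = build_floppy_image()
    for e in list_root(image):
        print(e, read_file(image, e)[:40])
```

The contiguity assumption is the weak point of this recovery: a deleted file whose clusters were scattered, or whose clusters have since been reused, comes back partly wrong, which is exactly the kind of result students should learn to verify against file-format signatures rather than trust.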
We also regularly offer a lab on practical aspects of IT security, and last time we also included a part on forensics. In these exercises the students had to analyze used hard disks, flash drives, and mobile phones.
More information about these lectures and labs is available in the IMF'08 paper.

Posted by Thorsten Holz in general, paper at 15:26 | Comments (0) | Trackbacks (0)

Risky Omni(bus)iness #79 — GOVCERT.NL special
Wednesday, October 1. 2008

I was a bit busy in the last few weeks, so there was not much time for blogging :-/ But in the meantime I made some progress with my thesis, we submitted some work to a conference, and I attended a workshop on forensics. So there is some news I can blog about; I'll catch up with recent developments over the next few days.
Recently the GOVCERT.NL Symposium 2008 took place in Rotterdam. I did not attend the conference, but heard several good stories about the event. ITRadio.com.au published a podcast with two interviews related to honeypots:
GovCERT’s Carol Overes talks HoneySpiders — they’re basically client-side honeypots, but they could have some nifty commercial applications.
Lance Spitzner looks back at his experience running the Honeynet Project over the years. Honeynets showed some early promise as potential products, ala “bait and switch honeynets”. It never happened, so I asked Lance why.
Both interviews are interesting and worth hearing!

Posted by Thorsten Holz in honeynets at 01:00 | Comments (0) | Trackbacks (0)

About
This weblog deals with IT-security related topics, and with honeypots / honeynets in particular. A further main focus is malware and bots / botnets.
Currently, the main author is Thorsten Holz. I am one of the founders of the German Honeynet Project and a Ph.D. student at the Laboratory for Dependable Distributed Systems. You can reach me at thorsten.holz [at] gmail.com
Together with Niels Provos, I wrote a book on honeypots: "Virtual Honeypots: From Botnet Tracking to Intrusion Detection ".

You should also check out http://miscmag.com for information about MISC, a magazine dedicated to IT security.