The research results produced under the Cyber-TA project have had wide influence and visibility across the INFOSEC research community and U.S. Department of Defense.  Our team has operationalized many of our core research concepts and cond- ucted live experimentation with our research prototypes. To do this, we released several prototype systems and capabilities to DoD users, and to the broader public.  Success from these efforts has been reflected in the substantial media coverage of our work.

   URL: http://www.pcworld.com/businesscenter/article/163848/conficker_variant_expected_to_selfdestruct_soon.html
   "We’re starting to see some revenue generation," said Phillip Porras, program director in the computer sciences laboratory at SRI International, in a presentation he gave today at the RSA Conference here concerning Conficker.  "We’re starting to sees ome business models come out of it."  Porras said Conficker.C is involved in an elaborate process to sell fake anti-malware software. When it gets into infected machines, it can direct victims toward Web sites believed to be selling fraudware.  One of those sites appears to be registered in the Ukraine selling the SpywareProtect portfolio, associated with "Ukraine Bastion Trade Group,"  for example, he said.

   This blog reports that malware (malicious software) seems to be getting worse. According to the article, much of the current crop of malware is sophisticated and defends itself well. To see this up close and personal, the blog advises readers to look at the SRI International Technical Report, an analysis of Conficker's logic and rendezvous points. "It's obvious from the report how much care and effort went into constructing Conficker."

  This article reports that the Conficker worm managed to infect about 800 computers at the University of Utah last week, prompting the school to block Internet access temporarily to contain the infection. The worm is believed to have gained a foothold on the university's network through an infected USB device, said a spokesman with the university's school of health sciences. The first iteration of the worm, Conficker A, makes an effort to avoid infecting systems in a Ukrainian domain or using a Ukrainian keyboard layout, according to a report by SRI International. This suggests that the creators of the malware may live in that part of the world and may be exempting their home country to avoid attracting attention from local authorities.

  This article reports that "the Conficker worm, which has enslaved millions of computers worldwide and enraptured the media, finally showed its hand Thursday and proved itself to be all about the money." An undetermined number of infected machines had been updated with new instructions from the worm’s authors during the past week. The updates were delivered from other infected machines in a peer-to-peer methodology. "This is the first information I’ve seen of Conficker being used for profit," said researcher Phillip Porras of SRI International. "It’s too early to speculate on whether it’s cooperative subletting or all in the family."

   Conficker was supposed to cause 50,000 PCs around the world to rise up against their human masters on April 1, and since that failed to happen, has been called a hoax and "much ado about nothing."  But neither could be further from the truth. The likes of Ron Rivest and SRI International, which specializes in cybersecurity research, don't work feverishly through the night to find a fix for a figment of someone's imagination.

   Among security experts, the consensus seems to be that very little will happen Wednesay. This may be in part because of the high amount of publicity Conficker has received, but then again April 1 is not the first time Conficker has been programmed to change the way it operates. Similar trigger dates have already passed with little change, including January 1, according to according to Phil Porras, a program director with SRI International. Security experts at Symantec, the maker of Norton Antivirus, also believe the threat is overblown and says Conficker today will "start taking more steps to protect itself" and "use a communications system that is more difficult for security researchers to interrupt."

  This article reports that creators of the complex Conficker worm family now have a potential army of millions of infected computers. Security researchers aren't sure what they'll do or when ­ just that about every step taken to thwart Conficker has been confounded. SRI’s Phil Porras is quoted in the article.

   This article reports that according to a study of the Conficker worm done by SRI International, it contains code that enables "infected computers to act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling so-called super-nodes." 

  This article reports that if you can't get to Microsoft.com, Symantec.com, McAfee.com and SecureWorks.com, it's likely you've lost control of your computer to Conficker. According to the article, "The complete list of all 114 domains that the worm blocks can be found in SRI International's excellent analysis of Conficker C."

   April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. "Technically, we will see a new capability, but it complements a capability that already exists," Porras said. Conficker is currently using peer-to-peer file sharing to download updates, he added.

   "Usually by this time we have a reasonable understanding of what their business model is," said Phillip Porras, program director for SRI International in Menlo Park, who is an authority on the worm. Based on what we've seen from Conficker in the past, Wednesday (12 midnight PDT) should not be a cause for panic and there's no reason to stay off the Internet, Porras said.

   This article reports that April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including January 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm.

   This article reports, "It could be the biggest April Fool's joke ever played on the internet, or it could be one of the worst days ever for computers connected to the network." Security experts can't work out whether the Conficker virus --- which has infected more than 10 million Windows PCs worldwide --- will wreak havoc on April 1, or just let the day pass quietly. Others agree that Conficker may not activate immediately, preferring to lie in wait before receiving further orders to avoid scrutiny. "At its core, the main purpose of Conficker is to provide the authors with a secure binary updating service that effectively allows them instant control of millions of PCs worldwide," noted Philip Porras of SRI International.

   In their Conficker C Analysis, three researchers at SRI International found that the latest update to the Conficker worm, which started appearing on compromised systems on March 5, changed more than 80 percent of the B-version of the worm's code.  "In the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft," wrote Phillip Porras, Hassen Saidi and Vinod Yegneswaran, all of SRI International. "In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt, not just countries, but the Internet itself."

   This article reports that deep within the World Wide Web, there is an undercurrent of potential chaos building ­ a malicious piece of code that has already prompted the French military to ground some fighter planes, and Microsoft to offer $250,000 for information leading to the code's authors. A recent report by SRI International describes the wide spectrum of possible outcomes should Conficker achieve its authors' goals.

   The most detailed and thorough technical analysis of the worm's behaviour can be found in a paper by SRI International here.  SRI reckons that Conficker-A has infected 4.7m Windows PC over its lifetime, while Conficker-B has hit 6.7m IP addresses. These figures, as with other estimates, come from an analysis of call-backs made to pre-programmed update sites. Infected hosts get identified and cleaned up all the time, as new machines are created. Factoring this factor into account the botnet controlled by Conficker-A and Conficker-B respectively is reckoned to be around 1m and 3m hosts, respectively, about a third of the raw estimate.

   This blog post reports, You may have heard about Conficker, the rogue computer program that might do something dreadful on April 1. The truth is that the threat posed by Conficker is almost entirely theoretical, and that only a handful of dedicated professionals will notice anything out of the ordinary when that date comes around.  According to SRI International’s Program Director, Phil Porras, "I don’t see anything on April 1 that will cause any significant havoc. The most likely outcome is that the day will pass and no one will have noticed anything."

   This article reports that Conficker has become the boogeyman of the security industry over the last year. The latest variant of the worm, Conficker.C, is programmed to do something on April 1. According to the article, as this very large and thorough analysis of Conficker.C from SRI International says, "...Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day."

   Such worms largely disappeared after 2004, as Microsoft (MSFT) improved its process for identifying new holes and quickly issuing patches. But last September, Chinese hackers began selling a $37.80 program for tapping into a newly discovered Windows hole on some 800 million machines worldwide, according to SRI International, a non-profit research firm. Conficker also took extraordinary measures to prevent each new bot from being disinfected by Microsoft or antivirus programs, or usurped by a rival botnet group. SRI found, for instance, that Conficker's encryption algorithm came from MIT's Ron Rivest, copied from a recently published research paper.


*  23 March 2009: PC Magazine: Conficker Variants Prompt Debate: Serious, or Not?
   URL:  http://www.pcmag.com/article2/0,2817,2341544,00.asp

    A report scheduled to be released Thursday by SRI International, a nonprofit research institute in Menlo Park, Calif., says that Conficker C constitutes a major rewrite of the software. Not only does it make it far more difficult to block communication with the program, but it gives the program added powers to disable many commercial antivirus programs as well as Microsoft's security update features.   “Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm,” said Phillip Porras, a research director at SRI International and one of the authors of the report. “Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft.” “In the worst case,” Mr. Porras said, “Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.”

   First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International.  Companies that monitor the domain names generated by infected computers have found about 3 million IP addresses contacting the domains each day, a level that seems to be stable over the last two weeks.

   This article reports that a new variant of the Conficker Internet worm is circulating that could allow an attacker to distribute malware to infected machines, the US-CERT organization warned. The article mentions that according to an SRI technical report, previous versions of Conficker have been busy. Conficker A has affected more than 4.7 million IP addresses, while its successor, Conficker B, has affected 6.7 million IP addresses, with infected hosts totaling fewer than 4 million computers for both. 

    This article reports that there's a new variant of the Conficker worm, but there's some dispute over how serious a problem it is. According to the article, the initial reports on "Conficker B++" noted two new techniques for downloading new software, but didn't detail them at all. The researchers at SRI who found the new variant wrote a detailed explanation of it (and earlier variants).

    This article reports that virus authors have released a new variant of the infamous Conficker (Downadup) worm with enhanced auto-update features. According to the article, “Conficker B++ is somewhat similar to Conficker B, with 294 of 297 sub-routines the same and 39 additional subroutines. The latest variant, first spotted on 16 February, is even more sneaky than its previous incarnations, SRI explains”.

   While traditional security software typically only inspects incoming communication and downloads for malware, a free security tool. BotHunter instead correlates the two-way communication between vulnerable computers and hackers. BotHunter "flips the security paradigm" by focusing on the egress, says Phillip Porras, a computer security expert at SRI International and one of its creators.

     Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International.

    Phillip Porras, director of the computer security lab at SRI International, also began tracking Conficker domains in late November. Porras and his team learned they could determine sets of domains sought by Conficker host systems in the past or the future, merely by rolling back or forward the system date setting on Microsoft Windows systems that they had purposesly infected in their test lab. As Porras's group began building lists of domains sought by Conficker that had already been registered, they found hundreds that traced back to security researchers and anti-virus companies.

     Phil Porras, program director at SRI International, said the worm has hit China, Brazil, Russia and Argentina the hardest. Interestingly, an earlier variant of Conficker would not attack victims who were using Ukrainian keyboards, but the latest version of the worm does. Huger said the worm's designer has written special code that operates a certain way on Chinese and Brazilian networks, meaning those two countries may have been targeted by the attackers. Nobody knows for sure why Asia and Latin America were so hard hit, but Huger and Porras both said countries with large amounts of pirated software were more likely to be affected. "I think that piracy plays a role, though I don't know if it's the key contributor," Huger said.

    One intriguing clue left by the malware authors is that the first version of the program checked to see if the computer had a Ukrainian keyboard layout. If it found it had such a keyboard, it would not infect the machine, according to Phillip Porras, a security investigator at SRI International who has disassembled the program to determine how it functioned.

   Analysis of the worm shows how this might work. Since the worm is programmed to contact a specific set of web addresses and wait to receive further code, hijacking these addresses could squish the worm before it does much damage. Phillip Porras a researcher at SRI international, who has been studying the spread of Conficker, says that some of the domains linked with the worm have already been registered by "white hat" hackers. These well-intentioned experts might be hoping to simply prevent the worm from receiving further commands, or they might be looking for a way to inject their own viral code into the Conficker network.

    One way to prevent unwanted access to or intrusion from known problem sites is configuration of firewall packet filters, based on IP address blacklists. However, general blacklisting is not always efficient. To enable organizations to be more proactive, and minimize firewall processor allocation for blacklist filtering, SRI International and the SANS Institute have developed highly predictive blacklists (HPB).

     The biggest threat is usually the one you don't see. If the IDS is quiet and all seems well, maybe the smartest adversaries are simply working under the radar, perhaps using one of their favorite tools: botnets. Botnets, typically run for profit, consist of thousands of compromised computers running malicious code under the control of an unseen botnet operator; a bot infection may occur from opening a poisoned email or visiting a poisoned Web page containing surreptitious malicious code.  This is why BotHunter was created.

     This article reports that online bad guys are out in force this holiday season, looking to sneak on to your PC. They hope to gain control and pull your computer into a bot network that uses your computer to compromise other PCs, spread spam and carry out denial of service attacks. They also often steal sensitive data, allowing them to access your credit cards, online banking or stock trading accounts, and your company's databases. According to the article, Phil Porras at SRI International also deserves kudos for recently releasing BotHunter, a free software tool that helps system administrators detect bot network activity within their corporate networks.

    Internet security is broken, and nobody seems to know quite how to fix it. Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught...  ``To me it feels like job security,'' said Phillip Porras, an SRI program director and the computer security expert who led the design of the company's BotHunter program, available free at www.bothunter.net.

    A new tool from SRI International will help home users and network administrators detect botnet activity on their home networks.  The tool, BotHunter, is free and works on Windows, Mac, and Linux driven systems.

    There is a new downloadable malware-detection tool in town. And it's free. BotHunter, sponsored by the U.S. Army Research Office and developed by research and technology organization SRI International, helps to discover bots, malicious programs that aim to make fraudulent use of computers. The tool was released last week. BotHunter is described as ``a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter.'' What sets it apart from other devices is it looks for malware activity in both incoming and outgoing data.

    Most people whose computers have been turned into bots and linked to a botnet have no idea that their machines have been commandeered by cybercriminals. Their PCs send spam, steal information, and participate in denial-of-service attacks without any obvious sign. But new software, funded by a grant from the U.S. Army Research Office and developed by SRI International, promises to provide users with more insight into what their computers are doing.

    A 14-minute interview over two segments, on Washington DC Talk Radio 1500 AM.  WTOP is the most listened to radio station in the Washington, D.C. metro area.  Phil Porras did an interview to discuss BotHunter on Tom Temin's show, Federal Security Spotlight.  The show ran on Thursday, December 4th.

     A new tool is being used within the U.S. government and the Department of Defense to fight malware on their networks.  The free, downloadable malware-detection tool, called BotHunter, was sponsored by the U.S. Army Research Office, and there have been 35,000 downloads so far, Phillip Porras, program director of enterprise and infrastructure security at SRI International, a research and technology organization, and lead developer of the BotHunter project, told SCMagazineUS.com Tuesday.

     This article includes a round-up of interesting algorithms and looks at how they impact the community. Number nine on the list is blacklisting system architecture. According to the article, ``Using blacklists to prevent spammers or other malware distributors is nothing new. But researchers at SRI International and SANS Institute want to take such lists a bit further. Their system produces customized blacklists for individuals who choose to contribute data to a centralized log-sharing infrastructure. The ranking scheme measures how closely related an attack source is to a contributor, using that attacker's history and the contributor's recent log production patterns. The researchers said their ultimate goal is to yield individualized blacklists that not only produce significantly higher hit rates, but that also incorporate source addresses that pose the greatest potential threat.''

     Technology research firm SRI International released a free software tool on Monday to help system administrators detect botnet activity within their network. The program, called BotHunter, monitors the inside of a network to detect the two-way communications flows that are common between computers compromised by bot software and the command-and-control (C\&C) server that is used to send commands to each infected machine. ``The software keeps tabs on the suspicious requests and responses, which SRI International calls dialog events, and compares them with patterns of known bot software,'' said Phillip Porras, a Program Director at  SRI International.

   You know for all we as individuals complain about viruses, trojans and other such nasties imagine how it must be for government agencies where people don't care for the most part about what lands on their machines. This has proven to be enough of a problem I guess that the U.S. Army through its Research Office has gotten into fighting malware on its own instead of using off the shelf solutions.

    Researchers at SRI International announced a free tool this week that can help organizations battle botnets by tracking down infected hosts in their network. BotHunter monitors the two-way communication flows between compromised computers and external attackers and develops an evidence trail to identify botnet activity. The tool has a correlation engine that uses a customized version of Snort to track inbound scanning, outbound propagation and other activity that happens during the infection process.

     General blacklisting is not always efficient.  To enable organizations to be more proactive, and minimize firewall processor allocation for blacklist filtering, SRI International and the SANS Institute have developed highly predictive blacklists (HPB), creating a blacklist unique to each participant.

      The developers of botnet-tracking tool BotHunter have added several new features in Version 1.0.1 to help you track down bots on your own LAN even faster and more reliably. A dynamic update service is included that automatically passes new rules and blacklists to BotHunter, and a graphical interface to display any infected PCs.

    Bis zu 10 Millionen Zombies sind weltweit aktiv. Diese Computer horen nicht auf ihre Besitzer, sondern auf kriminelle Hintermanner, die manchmal uber ganze Herden von Zombies verfugen. Sie benutzen sie, um Spam zu verschicken, Server zu attackieren oder Accounts auszuspionieren.

     Using a link analysis algorithm similar to Google PageRank, researchers at the SANS Institute and SRI International have created a new Internet network defense service that completely revamps the way network blacklists are formulated and distributed.  The service, called Highly Predictive Blacklisting (.pdf), will be unveiled next week at the Usenix 17th Usenix Security Symposium.  An experimental version is currently available for free to all DShield contributors.

     Computer scientists from SRI International and the SANS Institute plan to present a paper next week on a technique that correlates an attacker's preference for victims' networks as a way to prioritize additions to a blacklist. The technique, dubbed ``highly predictive blacklists,'' allows network owners to correlate attacks on their network with attackers' preferences for other networks.

    Security researchers have taken a page out of Google's book in reinventing the blacklist, a tool for blocking internet attacks.  At this week's 17th Usenix Security Symposium, researchers from the Sans Institute and SRI International will present the results of their experiments with ``highly predictive blacklisting'' (HPB), a service that tailors blacklists for particular networks using an approach similar to Google's PageRank.

     It's easy to create a blacklist of sites that have initiated malware attacks on a server, and use that to configure a firewall to prevent further problems. But these blacklists are purely retrospective, since sources only appear in the blacklist after attacks have occurred. The DShield project is an attempt to improve upon this. System administrators can upload their firewall logs, which are then processed to identify sources of malware, allowing them to be blacklisted on servers they haven't attacked yet. Some computer scientists have now used the information present in DShield to make predictions of future attacks for specific servers based on the fact that malware displays some network effects.

     Researchers unveiled a new approach to Internet blacklisting that promises to protect corporate networks from malicious attackers better than traditional blacklist methods. The service, called highly predictive blacklisting (HPB), was introduced at the USENIX Security Symposium in San Jose by Jian Zhang, Phillip Porras, program director at SRI International, and Johannes Ullrich, chief research officer at the SANS Institute.

     The Army Research Office (ARO) is funding work by a consortium of private companies to develop predictive technologies that could improve the efficiency of cybersecurity tools.  The idea is to create a global system to gather and correlate security events, giving users early warning about coming attacks and aiding in the configuration of sensors, filters and other devices that detect and respond to these events, said Livio Ricciulli, chief scientist at MetaFlows, of Redlands, Calif.  MetaFlows is a member of the Cyber-Threat Analytics (Cyber-TA) project, funded by ARO. The goal of this program is a commercial service that could be used to help program security devices.  ``Obviously, there is a heavy focus on making it meet Army requirements as well,'' Ricciulli said. ``But there definitely is a commercial component.''

    ``If you look at the way [Storm] is used, it's clear that money is changing hands and that the software has gone through a testing and revision process,'' said Phillip Porras, a program director at SRI International, who has studied Storm's behaviour. "The botnet is out there to help some group of people make money. This kind of malware is an economy now. Storm is not meant to spread across the entire Internet. It's meant to compromise specific targets. It's a network that is very good at producing money."

     Computer scientists in Menlo Park are releasing a free diagnostic program today to help network administrators find PCs infected with an insidious new type of virus that has already tainted millions of computers and used them to generate billions of spam e-mails.

     A ``dialog-correlation-based'' tool called BotHunter has been released free to the Internet. BotHunter attempts to correlate network traffic patterns to identify likely bot-controlled systems within your network. The tool is the result of the Cyber-Threat Analytics research project. BotHunter runs on several different Linux platforms. Truly an excellent idea and well worth investigating. It is difficult to say whether this will become a standard feature of networks in the future, especially given that there is a patent pending on the ``dialog-correlation-based'' feature.

     If you want to keep up with the latest criminal exploits without having to collect malware yourself, take a look at SRI International's Cyber-Threat Analytics BotHunter Malware Analysis Web page.  Reporting on information and statistics collected from a research honeynet, the BotHunter Malware Analysis page makes daily infection logs from high-interaction honeypots available for anyone to view. Although the scale of the project and information collected is fairly small, this is a useful site for gaining more insight into crimeware and the world of bots.