research results produced under the Cyber-TA project have had wide
influence and visibility across the INFOSEC research community and U.S.
Department of Defense. Our team has operationalized many of our
core research concepts and conducted live experimentation with our
research prototypes. To do this, we released several prototype
systems and capabilities to DoD users, and to the broader public.
Success from these efforts has been reflected in the substantial media
coverage of our work.
Here is a summary of Cyber-TA research in
April 2009: Network World: Conficker.E to self-destruct on May
"We’re starting to see some revenue generation," said
Phillip Porras, program director in the computer sciences laboratory at
SRI International, in a presentation he gave today at the RSA
Conference here concerning Conficker. "We're starting to see some
business models come out of it." Porras said Conficker.C is
involved in an elaborate process to sell fake anti-malware software.
When it gets into infected machines, it can direct victims toward Web
sites believed to be selling fraudware. One of those sites
appears to be registered in the Ukraine selling the SpywareProtect
portfolio, associated with "Ukraine Bastion Trade Group," for
example, he said.
April 2009: ComputerWorld: Different Approaches to Removing Malware
This blog reports that malware (malicious software) seems to be getting
worse. According to the article, much of the current crop of malware is
sophisticated and defends itself well. To see this up close and
personal, the blog advises readers to look at the SRI International
Technical Report, an analysis of Conficker's logic and rendezvous
points. "It's obvious from the report how much care and effort went
into constructing Conficker."
April 2009: Information Week: Conficker Worm Hits University Of Utah
This article reports that the Conficker worm managed to infect about
800 computers at the University of Utah last week, prompting the school
to block Internet access temporarily to contain the infection. The worm
is believed to have gained a foothold on the university's network
through an infected USB device, said a spokesman with the university's
school of health sciences. The first iteration of the worm, Conficker
A, makes an effort to avoid infecting systems in a Ukrainian domain or
using a Ukrainian keyboard layout, according to a report by SRI
International. This suggests that the creators of the malware may live
in that part of the world and may be exempting their home country to
avoid attracting attention from local authorities.
April 2009: Financial Times: Conficker Has Something for Everyone: Scareware and Spam Too
This article reports that "the Conficker worm, which has enslaved
millions of computers worldwide and enraptured the media, finally
showed its hand Thursday and proved itself to be all about the money."
An undetermined number of infected machines had been updated with new
instructions from the worm’s authors during the past week. The updates
were delivered from other infected machines in a peer-to-peer
methodology. "This is the first information I’ve seen of Conficker
being used for profit," said researcher Phillip Porras of SRI
International. "It’s too early to speculate on whether it’s cooperative
subletting or all in the family."
April 2009: Information Week: Are We Getting Con-Ficked?
Conficker was supposed to cause 50,000 PCs around the world to rise up
against their human masters on April 1, and since that failed to
happen, has been called a hoax and "much ado about nothing." But
neither could be further from the truth. The likes of Ron Rivest and
SRI International, which specializes in cybersecurity research, don't
work feverishly through the night to find a fix for a figment of
April 2009: Network World/InfoWorld/PC World: Conficker D-Day Arrives; Worm Phones Home (Quietly)
Among security experts, the consensus seems to be that very little will
happen Wednesday. This may be in part because of the high amount of
publicity Conficker has received, but then again April 1 is not the
first time Conficker has been programmed to change the way it operates.
Similar trigger dates have already passed with little change, including
January 1, according to Phil Porras, a program director
with SRI International. Security experts at Symantec, the maker of
Norton Antivirus, also believe the threat is overblown and say
Conficker today will "start taking more steps to protect itself" and
"use a communications system that is more difficult for security
researchers to interrupt."
March 2009: Investor's Business Daily: Most Say Conficker Worm Won't Wreak April 1 Havoc
This article reports that creators of the complex Conficker worm family
now have a potential army of millions of infected computers. Security
researchers aren't sure what they'll do with it or when, just that about
every step taken to thwart Conficker has been confounded. SRI's Phil
Porras is quoted in the article.
March 2009: OS News: Conficker Worm: Hoax or Criminally Genius Scheme?
This article reports that according to a study of the Conficker worm
done by SRI International, it contains code that enables "infected
computers to act both as clients and servers and share files in both
directions. The peer-to-peer design is also highly distributed, making
it more difficult for security teams to defeat the system by disabling
March 2009: PC World: FAQ: What You Need to Know About Conficker --
This article reports that if you can't get to Microsoft.com,
Symantec.com, McAfee.com and SecureWorks.com, it's likely you've lost
control of your computer to Conficker. According to the article, "The
complete list of all 114 domains that the worm blocks can be found in
SRI International's excellent analysis of Conficker C."
March 2009: PC World: Fears of a Conficker Meltdown Greatly
April 1 is what Conficker researchers are calling a trigger date, when
the worm will switch the way it looks for software updates. The worm
has already had several such trigger dates, including Jan. 1, none of
which had any direct impact on IT operations, according to Phil Porras,
a program director with SRI International who has studied the worm.
"Technically, we will see a new capability, but it complements a
capability that already exists," Porras said. Conficker is currently
using peer-to-peer file sharing to download updates, he added.
March 2009: San Francisco Chronicle: Computer worm may turn nasty
"Usually by this time we have a reasonable understanding of what their
business model is," said Phillip Porras, program director for SRI
International in Menlo Park, who is an authority on the worm. Based on
what we've seen from Conficker in the past, Wednesday (12 midnight PDT)
should not be a cause for panic and there's no reason to stay off the
Internet, Porras said.
March 2009: Computer World: Fears of a Conficker Meltdown Greatly
This article reports that April 1 is what Conficker researchers are
calling a trigger date, when the worm will switch the way it looks for
software updates. The worm has already had several such trigger dates,
including January 1, none of which had any direct impact on IT
operations, according to Phil Porras, a program director with SRI
International who has studied the worm.
March 2009: The Guardian: Conficker Virus Could Be Deadly Threat - or April Fool's Joke
This article reports, "It could be the biggest April Fool's joke ever
played on the internet, or it could be one of the worst days ever for
computers connected to the network." Security experts can't work out
whether the Conficker virus --- which has infected more than 10 million
Windows PCs worldwide --- will wreak havoc on April 1, or just let the
day pass quietly. Others agree that Conficker may not activate
immediately, preferring to lie in wait before receiving further orders
to avoid scrutiny. "At its core, the main purpose of Conficker is to
provide the authors with a secure binary updating service that
effectively allows them instant control of millions of PCs worldwide,"
noted Philip Porras of SRI International.
March 2009: Security Focus: Conficker's capabilities worry researchers
In their Conficker C Analysis, three researchers at SRI International
found that the latest update to the Conficker worm, which started
appearing on compromised systems on March 5, changed more than 80
percent of the B-version of the worm's code. "In the best case,
Conficker may be used as a sustained and profitable platform for
massive Internet fraud and theft," wrote Phillip Porras, Hassen Saidi
and Vinod Yegneswaran, all of SRI International. "In the worst case,
Conficker could be turned into a powerful offensive weapon for
performing concerted information warfare attacks that could disrupt,
not just countries, but the Internet itself."
March 2009: The Globe and Mail: Experts Try to Beat Vicious Computer
This article reports that deep within the World Wide Web, an
undercurrent of potential chaos is building: a malicious piece of
code that has already prompted the French military to ground some
fighter planes, and Microsoft to offer $250,000 for information leading
to the code's authors. A recent report by SRI International describes
the wide spectrum of possible outcomes should Conficker achieve its
March 2009: The Register (UK): Final countdown to Conficker
The most detailed and thorough technical analysis of the worm's
behaviour can be found in a paper by SRI International here. SRI
reckons that Conficker-A has infected 4.7m Windows PCs over its
lifetime, while Conficker-B has hit 6.7m IP addresses. These figures,
as with other estimates, come from an analysis of call-backs made to
pre-programmed update sites. Infected hosts get identified and cleaned
up all the time, even as new machines are infected. Taking this into
account, the botnets controlled by Conficker-A and Conficker-B are
reckoned to be around 1m and 3m hosts respectively, about a third of
the raw estimate.
March 2009: Wall Street Journal: Conficker: Don’t Believe the Hype
This blog post reports: "You may have heard about Conficker, the rogue
computer program that might do something dreadful on April 1. The truth
is that the threat posed by Conficker is almost entirely theoretical,
and that only a handful of dedicated professionals will notice anything
out of the ordinary when that date comes around." According to SRI
International’s Program Director, Phil Porras, "I don’t see anything on
April 1 that will cause any significant havoc. The most likely outcome
is that the day will pass and no one will have noticed anything."
* 26 March 2009: PC Magazine: What Will Conficker Bring on April 1?
This article reports that Conficker has become the boogeyman of the
security industry over the last year. The latest variant of the worm,
Conficker.C, is programmed to do something on April 1. According to the
article, as this very large and thorough analysis of Conficker.C from
SRI International says, "...Conficker C increases the number of daily
domain names generated, from 250 to 50,000 potential Internet
rendezvous points. Of these 50,000 domains, only 500 are queried, and
unlike previous versions, they are queried only once per day."
* 25 March 2009: ABC News: Conficker Computer Worm Threatens Chaos
Who is behind this computer attack? And what do they want from us? Are
they trying to bring the world's computers to a halt? Or is the whole
thing just some elaborate April Fool's joke? "It's not an April
prank," said Phillip Porras, a program director at SRI International, a
major technology research firm. "We don't know much about how Conficker
is being used. We are not sure why Conficker was built."
25 March 2009: Information Week: Malware Controlling Hardware Is Not A Necessity
Conficker is one recent example. Exploiting a known vulnerability for which there is a patch,
Conficker continues to spread and according to analysis by
continues to evolve, demonstrating its creators' ability to adapt and
enhance the malware. Conficker is sophisticated, to be sure, but it is
nowhere near the cutting-edge exploit that a BIOS update or SMM
rootkit is. Yet Conficker has much more potential.
March 2009: Last WatchDog: Countdown to Conficker’s April Fools Day
This article reports that, according to a report SRI International
published last week, the latest update stopped the Conficker
computer worm from spreading and instead set all infected PCs to work
connecting themselves into a vast P2P network, SRI program director
Phillip Porras said.
24 March 2009: USA Today: PC security forces face April 1 showdown with
Such worms largely disappeared after 2004, as Microsoft (MSFT)
improved its process for identifying new holes and quickly issuing
patches. But last September, Chinese hackers began selling a $37.80
program for tapping into a newly discovered Windows hole on some 800
million machines worldwide, according to SRI International, a
non-profit research firm. Conficker also took extraordinary measures to
prevent each new bot from being disinfected by Microsoft or antivirus
programs, or usurped by a rival botnet group. SRI found, for instance,
that Conficker's encryption algorithm came from MIT's Ron Rivest,
copied from a recently published research paper.
* 23 March 2009: PC Magazine: Conficker Variants Prompt Debate: Serious, or Not?
The initial reports (such as this one)
on "Conficker.B++" noted two new techniques for downloading new software,
but didn't detail them at all. The researchers at SRI who found the new
variant wrote a detailed
explanation of it (and earlier variants).
As the SRI report says, clearly the Conficker authors are trying to get
around the DNS changes limiting their distribution capability, but it
remains to be seen if B++ will do that. To quote the Microsoft
report "[t]his change may allow the author to distribute malware to
machines infected with this new variant...However, there doesn't appear
to be an easy way for the authors to upgrade the existing Conficker network
to the new variant."
* 22 March 2009: Red Orbit: Experts Team Up To Battle
This article reports that some of the world’s top computer
security experts are fighting a spectacular cat-and-mouse battle with
the brazen creator of a malicious software program known as Conficker,
according to a New York Times report. The article references a new
report released by SRI International that finds that Conficker C
constitutes a major rewrite of the original code. In addition to
making it far more difficult to block communication with the program,
it has additional capability to disable many commercial antivirus
programs and Microsoft's security update features. "Perhaps the most
obvious frightening aspect of Conficker C is its clear potential to do
harm," wrote the report’s author Phillip Porras, a research director at
* 21 March 2009: SlashDot: Researchers Ponder Conficker's April Fool's Activation Date
This article reports that John
Markoff has a story in the New York Times speculating about what will
happen on April 1 when the Conficker worm is scheduled to activate.
Conficker is already on an estimated 12 million machines, and
conjectures about its purpose range from the benign, an April Fool's
Day prank, to far darker notions. Some say the program will be used in
the 'rent-a-computer-crook' business, something that has been tried
previously by the computer underground. 'The most intriguing clue about
the purpose of Conficker lies in the intricate design of the
peer-to-peer logic of the latest version of the program, which security
researchers are still trying to completely decode,' writes Markoff.
According to a paper by researchers at SRI International, in the
Conficker C version of the program, infected computers can act both as
clients and servers and share files in both directions.
* 19 March 2009: Bits.NYTimes.Com: The Conficker Worm: April Fool's Joke or Unthinkable Disaster?
According to a
research addendum to be added Thursday to an earlier paper by
researchers at SRI International, in the Conficker C version of the
program, the infected computers can act both as clients and servers and
share files in both directions. The peer-to-peer design is also highly
distributed, making it more difficult for security teams to defeat the
system by disabling so-called super-nodes.
* 18 March 2009: NY Times: Computer Experts Unite to Hunt Worm
A report scheduled to be released Thursday by SRI International, a
nonprofit research institute in Menlo Park, Calif., says that Conficker
C constitutes a major rewrite of the software. Not only does it make it
far more difficult to block communication with the program, but it
gives the program added powers to disable many commercial antivirus
programs as well as Microsoft's security update features.
“Perhaps the most obvious frightening aspect of Conficker C is its
clear potential to do harm,” said Phillip Porras, a research director
at SRI International and one of the authors of the report. “Perhaps in
the best case, Conficker may be used as a sustained and profitable
platform for massive Internet fraud and theft.” “In the worst case,”
Mr. Porras said, “Conficker could be turned into a powerful offensive
weapon for performing concerted information warfare attacks that could
disrupt not just countries, but the Internet itself.”
13 March 2009: The Tech Herald: Conficker Worm fighting back - new variant disables security measures
Last month, SRI International reported on new code in the variant of
Conficker named B++ that foreshadowed
the possibility that the Worm’s authors were looking for ways to fight
the researchers. “Under Conficker B++, two new paths to binary
validation and execution have been introduced to Conficker drones, both
of which bypass the use of Internet Rendezvous points: an extension to
the netapi32.dll patch and the new named pipe backdoor. These changes
suggest a desire by the Conficker's authors to move away from a
reliance on Internet rendezvous points to support binary update, and
toward a more direct flash approach,” the SRI research stated.
March 2009: Security Focus: Conficker update attempts to foil Cabal
First discovered in November 2008, the worm has infected at least 11.4
million computer systems, according to a census of compromised Internet
addresses carried out by SRI International. Companies that
monitor the domain names generated by infected computers have found
about 3 million IP addresses contacting the domains each day, a level
that has been stable over the last two weeks.
February 2009: CNET: New Variant of Conficker Worm Circulates
This article reports that a new variant of the Conficker Internet worm
is circulating that could allow an attacker to distribute malware to
infected machines, the US-CERT organization warned. The article
mentions that according to an SRI technical report, previous versions
of Conficker have been busy. Conficker A has affected more than 4.7
million IP addresses, while its successor, Conficker B, has affected
6.7 million IP addresses, with infected hosts totaling fewer than 4
million computers for both.
23 February 2009: PC Magazine: Conficker Variants Prompt Debate: Serious, or Not?
This article reports that there's a new variant of the Conficker worm,
but there's some dispute over how serious a problem it is. According to
the article, the initial reports on "Conficker B++" noted two new
techniques for downloading new software, but didn't detail them at all.
The researchers at SRI who found the new variant wrote a detailed
explanation of it (and earlier variants).
February 2009: New York Times: New Version of Malicious Computer Program is Released
This article reports that the
author or authors of a malicious software program that has infected
more than 12 million computers since it was released last fall have
begun distributing a new version of the program after computer security
teams crippled the original’s ability to do damage. The new version,
known as Conficker B++, was spotted by security researchers at SRI
International, who reported last week that the software was an effort
by cybercriminals to find a new way to communicate with their programs
after they had succeeded in infecting target computers.
February 2009: The Register: Conficker Variant Dispenses with Need to Phone Home
This article reports that virus authors have released a new variant of
the infamous Conficker (Downadup) worm with enhanced auto-update
features. According to the article, “Conficker B++ is somewhat similar
to Conficker B, with 294 of 297 sub-routines the same and 39 additional
subroutines. The latest variant, first spotted on 16 February, is even
more sneaky than its previous incarnations, SRI explains”.
February 2009: Indian News Center: New Conficker Variant Emerges
This article reports that a new variant of the Conficker, or Downadup,
worm has emerged, and researchers believe it has been designed to
neutralize the efforts of an industry coalition that is trying to
prevent infected machines from receiving additional instructions or
code updates, according to a report this week from nonprofit research
institute SRI International.
2/19/2009: PC World: Monitor Botnet Threats Your Antivirus Can't See
While traditional security software typically only
inspects incoming communication and downloads for malware, a free
security tool, BotHunter, instead correlates the two-way communication
between vulnerable computers and hackers. BotHunter "flips the security
paradigm" by focusing on the egress, says Phillip Porras, a computer
security expert at SRI International and one of its creators.
2/13/2009: Security Focus: Cabal Forms to Fight Conficker, Offers Bounty
Conficker, also known as Downadup and Kido, has surprised
many security experts with its success in propagating across the
Internet. First discovered in November 2008, the worm has infected at
least 11.4 million computer systems, according to a census of
compromised Internet addresses carried out by SRI International.
2/13/2009: Washington Post: Cyber Security Community Joins Forces to Defeat Conficker Worm
Phillip Porras, director of the computer security lab at
SRI International, also began tracking Conficker domains in late
November. Porras and his team learned they could determine sets of
domains sought by Conficker host systems in the past or the future,
merely by rolling back or forward the system date setting on Microsoft
Windows systems that they had purposely infected in their test lab. As
Porras's group began building lists of domains sought by Conficker that
had already been registered, they found hundreds that traced back to
security researchers and anti-virus companies.
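The two techniques described on this page, a domain generator driven only by the date (the PC Magazine item above quotes 50,000 candidates a day, of which a host queries 500) and enumerating its output by moving a lab machine's clock (the Washington Post item above), can be reproduced with a toy generator. The block below is an added example, not SRI's analysis code and not Conficker's actual algorithm: its seeding, labels and TLD list are assumptions chosen to make the mechanics visible, and only the two per-day counts come from the page. It also works out the responders' side of the arithmetic: how likely one host's 500 random picks are to land on a domain the responders have registered.

```python
"""Toy date-seeded rendezvous generator plus sinkhole-coverage arithmetic.

Added example: this is NOT Conficker's generator (its constants, seeding and
TLD list differ). Only the per-day counts quoted on the page, 50,000 generated
and 500 queried once a day, are taken from the text; everything else is an
assumption chosen to make the mechanics visible.
"""
import datetime as dt
import functools
import hashlib
import random

PER_DAY = 50_000   # candidate domains generated per day (from the page)
PER_HOST = 500     # candidates a single host actually queries per day (from the page)
TLDS = ("com", "net", "org", "info", "biz")  # assumption: small illustrative TLD pool


def _as_date(day):
    """Accept either a datetime.date or an ISO string such as '2009-04-01'."""
    return day if isinstance(day, dt.date) else dt.date.fromisoformat(day)


@functools.lru_cache(maxsize=64)
def _candidates(iso_day, count):
    seed = iso_day.encode()
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        label_len = 8 + digest[0] % 4                                    # 8..11 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + label_len])
        out.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return tuple(out)


def candidate_domains(day, count=PER_DAY):
    """Every rendezvous candidate for `day`. The set is a pure function of the
    calendar date: that is why a lab host with its clock moved forward or back
    enumerates any day's domains on demand, as the Washington Post item describes."""
    return list(_candidates(_as_date(day).isoformat(), count))


def queried_domains(day, host_id, count=PER_HOST):
    """The subset one host resolves on `day`: a random 500 of the 50,000, chosen
    per host (assumption: the page says only that 500 are queried, once a day)."""
    rng = random.Random(f"{_as_date(day).isoformat()}/{host_id}")
    return rng.sample(candidate_domains(day), count)


def predict_rendezvous(start, days_ahead):
    """What clock rolling yields: {iso_date: candidates} for the next `days_ahead` days."""
    first = _as_date(start)
    return {
        (first + dt.timedelta(days=d)).isoformat(): candidate_domains(first + dt.timedelta(days=d))
        for d in range(days_ahead)
    }


def intercept_probability(total, held, queried):
    """P(at least one of a host's `queried` picks, drawn without replacement from
    `total` candidates, lands on one of the `held` domains responders control)."""
    if held <= 0:
        return 0.0
    if held >= total:
        return 1.0
    p_none = 1.0
    for i in range(queried):
        p_none *= max(total - held - i, 0) / (total - i)
    return 1.0 - p_none


if __name__ == "__main__":
    print(candidate_domains("2009-04-01")[:3])
    print(len(queried_domains("2009-04-01", "host-a")), "domains resolved by one host")
    for held in (50, 500, 5000):
        p = intercept_probability(PER_DAY, held, PER_HOST)
        print(f"responders hold {held:>5} of {PER_DAY}: P(intercept one host) = {p:.3f}")
```

The last loop is the arithmetic behind the jump from 250 to 50,000 candidates that the PC Magazine item quotes: registering every one of 250 daily domains is tractable, but at 50,000 a day with 500 random picks per host, holding 50 of them catches a given host with probability of only about 0.39, and it takes about 500 (one percent of the space) to reach roughly 0.99 per host.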
1/23/2009: PC World/Network World: Conficker Hitting Hardest in Asia, Latin America
Phil Porras, program director at SRI International,
said the worm has hit China, Brazil, Russia and Argentina the hardest.
Interestingly, an earlier variant of Conficker would not attack victims
who were using Ukrainian keyboards, but the latest version of the worm
does. Huger said the worm's designer has written special code that
operates a certain way on Chinese and Brazilian networks, meaning those
two countries may have been targeted by the attackers. Nobody knows for
sure why Asia and Latin America were so hard hit, but Huger and Porras
both said countries with large amounts of pirated software were more
likely to be affected. "I think that piracy plays a role, though I
don't know if it's the key contributor," Huger said.
1/23/2009: New York Times: Worm Infects Millions of
One intriguing clue left by the malware authors is that
the first version of the program checked to see if the computer had a
Ukrainian keyboard layout. If it found it had such a keyboard, it would
not infect the machine, according to Phillip Porras, a security
investigator at SRI International who has disassembled the program to
determine how it functioned.
1/23/2009: MIT Technology Review: Why a "Good" Worm May be a
Analysis of the worm shows how this might work. Since the
worm is programmed to contact a specific set of web addresses and wait
to receive further code, hijacking these addresses could squish the
worm before it does much damage. Phillip Porras, a researcher at SRI
International who has been studying the spread of Conficker, says that
some of the domains linked with the worm have already been registered
by "white hat" hackers. These well-intentioned experts might be hoping
to simply prevent the worm from receiving further commands, or they
might be looking for a way to inject their own viral code into the
30 Dec 2008: ZDNet Asia: Highly predictive blacklists: What, how, and
One way to prevent unwanted access to or intrusion from
known problem sites is configuration of firewall packet filters, based
on IP address blacklists. However, general blacklisting is not always
efficient. To enable organizations to be more proactive, and minimize
firewall processor allocation for blacklist filtering, SRI
International and the SANS Institute have developed highly predictive
* 22 Dec 2008: TechTarget.com: Use BotHunter for Botnet Detection
The biggest threat is usually the one you don't see.
If the IDS is quiet and all seems well, maybe the smartest adversaries
are simply working under the radar, perhaps using one of their favorite
tools: botnets. Botnets, typically run for profit, consist of thousands
of compromised computers running malicious code under the control of an
unseen botnet operator; a bot infection may occur from opening a
poisoned email or visiting a poisoned Web page containing surreptitious
malicious code. This is why BotHunter was created.
9 Dec 2008: USA Today Tech Blog: Slam Online Holiday Scams
This article reports that online bad guys are out in force
this holiday season, looking to sneak on to your PC. They hope to gain
control and pull your computer into a bot network that uses your
computer to compromise other PCs, spread spam and carry out denial of
service attacks. They also often steal sensitive data, allowing them to
access your credit cards, online banking or stock trading accounts, and
your company's databases. According to the article, Phil Porras at SRI
International also deserves kudos for recently releasing BotHunter, a
free software tool that helps system administrators detect bot network
activity within their corporate networks.
5 Dec 2008: The New York Times: Thieves
Internet security is broken, and nobody seems to
know quite how to fix it. Despite the efforts of the computer security
industry and a half-decade struggle by Microsoft to protect its Windows
operating system, malicious software is spreading faster than ever. The
so-called malware surreptitiously takes over a PC and then uses that
computer to spread more malware to other machines exponentially.
Computer scientists and security researchers acknowledge they cannot
get ahead of the onslaught... "To me it feels like job
security," said Phillip Porras, an SRI program director and the
computer security expert who led the design of the company's BotHunter
program, available free at www.bothunter.net.
5 Dec 2008: The Tech Herald: Bot Hunting with
A new tool from SRI International will help home users and
network administrators detect botnet activity on their home
networks. The tool, BotHunter, is free and works on Windows, Mac,
and Linux driven systems.
1 Dec 2008: Collection Technology: Free Application from U.S. Army Helps Unearth Malware
There is a new downloadable malware-detection tool
in town. And it's free. BotHunter, sponsored by the U.S. Army Research
Office and developed by research and technology organization SRI
International, helps to discover bots, malicious programs that aim to
make fraudulent use of computers. The tool was released last week.
BotHunter is described as "a passive network monitoring tool designed
to recognize the communication patterns of malware-infected computers
within your network perimeter." What sets it apart from other devices
is it looks for malware activity in both incoming and outgoing data.
Nov 2008: Information Week: U.S. Army Goes Bot
Most people whose computers have been turned into bots and linked to a
botnet have no idea that their machines have been commandeered by
cybercriminals. Their PCs send spam, steal information, and participate
in denial-of-service attacks without any obvious sign. But new
software, funded by a grant from the U.S. Army Research Office and
developed by SRI International, promises to provide users with more
insight into what their computers are doing.
Nov 2008: Federal News Radio: Fighting Code: BotHunter Interview
A 14-minute interview over two segments, on
Washington DC Talk Radio 1500 AM. WTOP is the most-listened-to
radio station in the Washington, D.C. metro area. Phil Porras did
an interview to discuss BotHunter on Tom Temin's show, Federal Security
Spotlight. The show ran on Thursday, December 4th.
Nov 2008: SC Magazine: New Free Tool Detects Malware on Networks
A new tool is being used within the U.S. government
and the Department of Defense to fight malware on their networks.
The free, downloadable malware-detection tool, called BotHunter, was
sponsored by the U.S. Army Research Office, and there have been 35,000
downloads so far, Phillip Porras, program director of enterprise and
infrastructure security at SRI International, a research and technology
organization, and lead developer of the BotHunter project, told
Nov 2008: PC World: Top 10 Wicked
This article includes a round-up of
interesting algorithms and looks at how they impact the community.
Number nine on the list is blacklisting system architecture. According
to the article, "Using blacklists to prevent spammers or other malware
distributors is nothing new. But researchers at SRI International and
SANS Institute want to take such lists a bit further. Their system
produces customized blacklists for individuals who choose to contribute
data to a centralized log-sharing infrastructure. The ranking scheme
measures how closely related an attack source is to a contributor,
using that attacker's history and the contributor's recent log
production patterns. The researchers said their ultimate goal is to
yield individualized blacklists that not only produce significantly
higher hit rates, but that also incorporate source addresses that pose
the greatest potential threat."
Nov 2008: Security Focus: BotHunter Aims to Find Bots for
Technology research firm SRI International released
a free software tool on Monday to help system administrators detect
botnet activity within their network. The program, called BotHunter,
monitors the inside of a network to detect the two-way communications
flows that are common between computers compromised by bot software and
the command-and-control (C\&C) server that is used to send commands
to each infected machine. "The software keeps tabs on the suspicious
requests and responses, which SRI International calls dialog events,
and compares them with patterns of known bot software," said Phillip
Porras, a program director at SRI International.
Nov 2008: Inquisitr.com: U.S. Army in the Anti-Malware Biz - for Free
You know, for all that we as individuals complain about viruses,
trojans and other such nasties, imagine how it must be for government
agencies, where people for the most part don't care about what lands on
their machines. This has proven to be enough of a problem, I guess, that
the U.S. Army, through its Research Office, has gotten into fighting
malware on its own instead of using off-the-shelf solutions.
Nov 2008: TechTarget: Free Security Tool Helps Track down Bots
Researchers at SRI International announced a free
tool this week that can help organizations battle botnets by tracking
down infected hosts in their network. BotHunter monitors the two-way
communication flows between compromised computers and external
attackers and develops an evidence trail to identify botnet activity.
The tool has a correlation engine that uses a customized version of
Snort to track inbound scanning, outbound propagation and other
activity that happens during the infection process.
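The dialog-correlation idea described in the two BotHunter articles above, reduced to a small illustration added here (not BotHunter's code): constructed sensor alerts tagged by direction and dialog event are grouped per internal host and scored inside a time window, and a host is flagged only when its evidence trail includes outbound activity such as an egg download or C&C traffic, so a machine that is merely scanned from the outside is not reported. The event names, weights, window and threshold are assumptions for this example, not BotHunter's.

```python
"""Simplified dialog-correlation detector; added illustration, not BotHunter's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor alerts: "<timestamp> <internal host> <direction> <dialog event>"
ALERTS = """\
2008-11-10T09:00:01 10.0.0.5 inbound  scan
2008-11-10T09:00:07 10.0.0.5 inbound  exploit
2008-11-10T09:00:20 10.0.0.5 outbound egg_download
2008-11-10T09:01:02 10.0.0.5 outbound cnc
2008-11-10T09:03:40 10.0.0.5 outbound scan
2008-11-10T09:00:05 10.0.0.9 inbound  scan
2008-11-10T09:00:15 10.0.0.9 inbound  exploit
2008-11-10T13:00:00 10.0.0.9 inbound  scan
2008-11-10T09:05:00 10.0.0.7 outbound scan
"""
WINDOW = timedelta(minutes=10)          # assumed dialog window
WEIGHTS = {("inbound", "scan"): 1, ("inbound", "exploit"): 2,
           ("outbound", "egg_download"): 3, ("outbound", "cnc"): 3,
           ("outbound", "scan"): 2}       # assumed evidence weights
THRESHOLD = 5                           # assumed reporting threshold

def parse_alerts(text):
    """Group alerts per internal host, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, host, direction, event = line.split()
        events[host].append((datetime.fromisoformat(ts), direction, event))
    for evs in events.values():
        evs.sort()
    return events

def correlate(events):
    """Return {host: (score, evidence)} for hosts whose dialog crosses THRESHOLD.
    Each distinct (direction, event) inside a window counts once, and at least one
    outbound event is required: inbound scans and exploit attempts alone are noise."""
    verdicts = {}
    for host, evs in events.items():
        best = None
        for i, (t0, _, _) in enumerate(evs):
            kinds = {(d, e) for t, d, e in evs[i:] if t - t0 <= WINDOW}
            score = sum(WEIGHTS[k] for k in kinds)
            has_outbound = any(d == "outbound" for d, _ in kinds)
            if has_outbound and score >= THRESHOLD and (best is None or score > best[0]):
                best = (score, sorted(kinds))
        if best:
            verdicts[host] = best
    return verdicts
```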
Nov 2008: Tech Republic: Highly Predictive Blacklists: What, How, & Caveats
General blacklisting is not always efficient. To
enable organizations to be more proactive, and minimize firewall
processor allocation for blacklist filtering, SRI International and the
SANS Institute have developed highly predictive blacklists (HPB),
creating a blacklist unique to each participant.
Nov 2008: Antispyware.com: US Army Research Office's
A free malware-detector called BotHunter, sponsored
by the US Army Research Office, “works so well that it has even found
infected Mac computers, much to the embarrassment of the Mac owners
who, of course, swear that their computers cannot be infected with
bots,” SC Magazine quotes Marcus Sachs, director at SANS Internet Storm
Center, as saying. And there have been 35,000 downloads so far, the
story has Phillip Porras, program director of enterprise and
infrastructure security at SRI International, a research and technology
organization, and lead developer of the BotHunter project, saying.
Nov 2008: IEEE Computer Magazine: New Technique Improves Network Security
Researchers have developed an algorithm that
generates useful blacklists for networks by taking information from
victims of past network attacks and predicting which hacker sites are
likely to target specific networks in the future.
Nov 2008: Heise Security: BotHunter Tracks Down Zombie PCs on a LAN
English Version: http://www.heise-online.co.uk/security/BotHunter-tracks-down-zombie-PCs-on-a-LAN--/news/111891
German Version: http://www.heise.de/security/BotHunter-spuert-Zombie-PCs-im-LAN-auf--/news/meldung/118441
The developers of botnet-tracking tool BotHunter
have added several new features in Version 1.0.1 to help you track down
bots on your own LAN even faster and more reliably. A dynamic update
service is included that automatically passes new rules and blacklists
to BotHunter, and a graphical interface to display any infected PCs.
Nov 2008: WinFuture - Windows Online Magazine: BotHunter Is Meant to Unmask Zombie Computers on the LAN
The software maker SRI International has released a new
version of its BotHunter tool. It is intended to identify computers in
local networks that belong to a botnet.
Nov 2008: Wiener Zeitung: Software
Up to 10 million zombies are active worldwide. These
computers do not obey their owners but the criminals behind them, who
sometimes have entire herds of zombies at their disposal. They use them
to send spam, attack servers or
07 July 2008: ZDNet: Researchers Borrow from Google PageRank for Network Defense Service
Using a link analysis algorithm similar to Google
PageRank, researchers at the SANS Institute and SRI International have
created a new Internet network defense service that completely revamps
the way network blacklists are formulated and distributed. The
service, called Highly Predictive Blacklisting, will be unveiled
next week at the 17th Usenix Security Symposium. An
experimental version is currently available for free to all DShield
July 2008: Security Focus: Attackers' Builds Better Blacklists
Computer scientists from SRI International and the
SANS Institute plan to present a paper next week on a technique that
correlates an attacker's preference for victims' networks as a way to
prioritize additions to a blacklist. The technique, dubbed ``highly
predictive blacklists,'' allows network owners to correlate attacks on
their network with attackers' preferences for other networks.
July 2008: Silicon.com: Internet
Security researchers have taken a page out of
Google's book in reinventing the blacklist, a tool for blocking
internet attacks. At this week's 17th Usenix Security Symposium,
researchers from the Sans Institute and SRI International will present
the results of their experiments with ``highly predictive
blacklisting'' (HPB), a service that tailors blacklists for particular
networks using an approach similar to Google's PageRank.
July 2008: Ars Technica: PageRank-like Creates Predictive Malware Blacklist
It's easy to create a blacklist of sites that
have initiated malware attacks on a server, and use that to configure a
firewall to prevent further problems. But these blacklists are purely
retrospective, since sources only appear in the blacklist after attacks
have occurred. The DShield project is an attempt to improve upon this.
System administrators can upload their firewall logs, which are then
processed to identify sources of malware, allowing them to be
blacklisted on servers they haven't attacked yet. Some computer
scientists have now used the information present in DShield to make
predictions of future attacks for specific servers based on the fact
that malware displays some network effects.
July 2008: TechTarget: Researchers
Researchers unveiled a new approach to Internet
blacklisting that promises to protect corporate networks from malicious
attackers better than traditional blacklist methods. The service,
called highly predictive blacklisting (HPB), was introduced at the
USENIX Security Symposium in San Jose by Jian Zhang, Phillip Porras,
program director at SRI International, and Johannes Ullrich, chief
research officer at the SANS Institute.
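To make the HPB descriptions in the entries above concrete, here is an added illustration (not the HPB service's own code) of the core idea they describe: contributors are linked by the attack sources they have in common, a PageRank-style walk seeded at one contributor measures how related every other contributor is to it, and sources that hit the related contributors but have not yet hit this one are ranked into its individual blacklist. The log lines are constructed DShield-style records, and the edge weighting, damping factor and iteration count are assumptions for the example.

```python
"""HPB-style per-contributor blacklist; added illustration, not the HPB service's code."""
from collections import defaultdict
# Constructed DShield-style report excerpts: "<contributor> <attack source>"
LOG = """\
netA 198.51.100.7
netA 198.51.100.9
netA 203.0.113.4
netB 198.51.100.7
netB 198.51.100.9
netB 203.0.113.8
netC 203.0.113.4
netC 192.0.2.50
netD 192.0.2.50
netD 192.0.2.60
"""

def parse_log(text):
    """Return (source -> contributors it attacked, contributor -> sources it reported)."""
    victims_of, sources_of = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        contrib, src = line.split()
        victims_of[src].add(contrib)
        sources_of[contrib].add(src)
    return victims_of, sources_of

def correlation_graph(sources_of):
    """Weighted edges between contributors: number of attack sources in common."""
    return {a: {b: len(sources_of[a] & sources_of[b]) for b in sources_of
                if b != a and sources_of[a] & sources_of[b]} for a in sources_of}

def propagate(graph, target, alpha=0.85, rounds=50):
    """Personalized PageRank seeded at `target`; alpha and rounds are assumed values."""
    rank = {a: float(a == target) for a in graph}
    for _ in range(rounds):
        nxt = {a: (1 - alpha) * float(a == target) for a in graph}
        for a, nbrs in graph.items():
            total = sum(nbrs.values())
            for b, weight in nbrs.items():       # push mass along shared-attacker edges
                nxt[b] += alpha * rank[a] * weight / total
        rank = nxt
    return rank

def predictive_blacklist(text, target, top=3):
    """Rank sources `target` has not seen by how related their victims are to it."""
    victims_of, sources_of = parse_log(text)
    rank = propagate(correlation_graph(sources_of), target)
    scored = [(sum(rank[v] for v in victims), src)
              for src, victims in victims_of.items() if src not in sources_of[target]]
    return [src for rel, src in sorted(scored, reverse=True)[:top] if rel > 0]
```

Note that 192.0.2.50 outranks 203.0.113.8 for netA even though netB is netA's closest peer: a source seen at two moderately related contributors accumulates more relevance than one seen at a single close peer.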
20 May 2008: Government Computer News: Army Aims to Take Guesswork Out of Cyberdefense
The Army Research Office (ARO) is funding work by a
consortium of private companies to develop predictive technologies that
could improve the efficiency of cybersecurity tools. The idea is
to create a global system to gather and correlate security events,
giving users early warning about coming attacks and aiding in the
configuration of sensors, filters and other devices that detect and
respond to these events, said Livio Ricciulli, chief scientist at
MetaFlows, of Redlands, Calif. MetaFlows is a member of the
Cyber-Threat Analytics (Cyber-TA) project, funded by ARO. The goal of
this program is a commercial service that could be used to help program
security devices. ``Obviously, there is a heavy focus on making
it meet Army requirements as well,'' Ricciulli said. ``But there
definitely is a commercial component.''
April 2008: Security Focus: Storm, Nugache Lead Dangerous New
``If you look at the way [Storm] is used, it's clear
that money is changing hands and that the software has gone through a
testing and revision process,'' said Phillip Porras, a program director
at SRI International, who has studied Storm's behaviour. "The botnet is
out there to help some group of people make money. This kind of malware
is an economy now. Storm is not meant to spread across the entire
Internet. It's meant to compromise specific targets. It's a network
that is very good at producing money."
10 October 2007: KGO Radio Interview: BotHunter
Audio - http://www.csl.sri.com/users/porras/public/kgo-bothunter-snippet.mp3
Bay Area AM Radio.
08 October 2007: KTVU Channel 2 News: Interview -
Video - http://www.csl.sri.com/users/porras/public/KTVU_BotHunter.wmv
A 4-minute BotHunter television interview. Bay Area Channel 2 News at 5.
8 October 2007: San Francisco Chronicle: Techies Take on Spam Zombies
Computer scientists in Menlo Park are releasing a
free diagnostic program today to help network administrators find PCs
infected with an insidious new type of virus that has already tainted
millions of computers and used them to generate billions of spam
2007: Microsoft Certified Professional Magazine: Free Tool Hunts Bots
A ``dialog-correlation-based'' tool called BotHunter has
been released free to the Internet. BotHunter attempts to correlate
network traffic patterns to identify likely bot-controlled systems
within your network. The tool is the result of the Cyber-Threat
Analytics research project. BotHunter runs on several different Linux
platforms. Truly an excellent idea and well worth investigating. It is
difficult to say whether this will become a standard feature of
networks in the future, especially given that there is a patent pending
on the ``dialog-correlation-based'' feature.
28 September 2007: ComputerWorld: Cool Tools
If you want to keep up with the latest criminal exploits
without having to collect malware yourself, take a look at SRI
International's Cyber-Threat Analytics BotHunter Malware Analysis Web
page. Reporting on information and statistics collected from a
research honeynet, the BotHunter Malware Analysis page makes daily
infection logs from high-interaction honeypots available for anyone to
view. Although the scale of the project and information collected is
fairly small, this is a useful site for gaining more insight into
crimeware and the world of bots.