Botnet Analytics Blog

Blogging the Science of Botnet Analysis

Botnet Monitor

When looking for Botnet Monitors, we found the following that sounded really interesting:

Infiltrator

Infiltrator v0.1

— Posted by zeroq @ 17:19 – 15 Nov, 2007

For those of you interested in little helpful tools, I uploaded my infiltrator script for quick and dirty botnet monitoring. There is no documentation available right now but usually a question mark in front of a command gives some hints (e.g. ? show all).

Have fun: infiltrator.tar.gz

Source: http://zeroq.kulando.de/post/2007/11/15/infiltrator_v01#comments

Rishi Botnet Detection

Rishi is a botnet detection software, capable of detecting hosts infected with IRC based bots by passively monitoring network traffic. A web interface provides additional information on found incidents.

Source: http://sourceforge.net/projects/rishi/

Both of the tools listed above were created by Jan Goebel. We just wanted to share them with our readers. Thank you for choosing our blog!

Kneber Zeus – Made the news

When searching for “Kneber Zeus”, the following resources were listed. They looked pretty cool, especially the Netwitness report. Check them out:

http://www.hackingtheuniverse.com/infosec/isnews/kneber-zeus

http://tech.yahoo.com/blogs/null/160728/beware-kneber-search-results-lead-to-malware/

http://www.symantec.com/connect/blogs/kneber-zeus

http://www.netwitness.com/resources/kneber.aspx

http://www.guardian.co.uk/technology/blog/2010/feb/19/kneber-zeus

http://www.pcworld.com/businesscenter/article/189772/protect_your_business_from_kneberstyle_botnets.html

http://www.sophos.com/blogs/gc/g/2010/02/19/zeus-kneber-botnet-unmasked/

Interestingly, there was one other link:

Firefox gives the following page when clicking on it:

Norton Safe Web report gives the following report:

The following is the Threat Report from Norton Safe Web [pretty comprehensive list of Roguewares]:

Drive-By Downloads

Threats found: 21
Here is a sample:


JSunpack report can be viewed here: http://jsunpack.jeek.org/dec/go?report=2832f2dd4b93ada474e9c8a5c3e69625d03a7c97

The reason for writing this blog was:

  • To aggregate the articles for Kneber Zeus at one place.
  • To ensure that no one gets deceived by the fake antivirus/rogueware link.

We hope that you enjoyed reading our blogs. Thank you for choosing our blog!

BotHunter – A Network-based Botnet Diagnosis System

Botnets are spreading at a rapid pace, and it is hard to keep up with the bad guys. This means that we need something proactive rather than solutions that are reactive. BotHunter is a proactive tool that helps protect networks of computers from being compromised by botnets.

You can download or visit BotHunter from its original site: http://www.bothunter.net. This is how it looks:

About BotHunter [To read more, check out the Source: About]:

Regardless of how malware enters your network (through innocent web surfing, email attachments, direct exploit, or by attaching your laptop to the wrong wireless network), once a machine within your perimeter is compromised your whole network is under threat. BotHunter helps you quickly identify and isolate these infected machines, and helps you figure out who really owns your computers.

What is BotHunter

BotHunter is NOT an intrusion detection system, firewall, spam blocker, or antivirus tool. These tools generally don’t work in helping you rid your network of malware infections. Rather, BotHunter takes a different approach. It is an entirely new network defense algorithm designed to help everyone from network administrators to individual Internet-connected PC users detect whether their systems are running coordination-centric malware (such as botnets, spambots, spyware, Trojan exfiltrators, worms, adware). It is based on an algorithm called network dialog correlation, developed under the Cyber-TA research program (http://www.cyber-ta.org), by the Computer Science Laboratory at SRI International.

BotHunter monitors the two-way communication flows between hosts within your internal network and the Internet. It aggressively classifies data exchanges that cross your network boundary as potential dialog steps in the life cycle of an ongoing malware infection. BotHunter employs Snort as a dialog event generation engine, and Snort is heavily modified and customized to conduct this dialog classification process. Dialog events are then fed directly into a separate dialog correlation engine, where BotHunter maps each host’s dialog production patterns against an abstract malware infection lifecycle model. When enough evidence is acquired to declare a host infected, BotHunter produces an infection profile to summarize all evidence it has gathered regarding the infection. In short, BotHunter helps you rapidly identify infected machines inside your network that are clearly and helplessly under the control of external malicious hackers.

Dialog correlation attempts to produce classification events for certain network traffic exchanges that are produced and received by your computers. While not all network traffic exchanges produce a dialog event, those that do contribute to an evidence trail that may lead to a malware infection diagnosis report for the associated computer. Dialog events are fed directly into a separate dialog correlation engine, where each host’s individual dialog production pattern is mapped and scored against an abstract malware infection life cycle model. When the dialog correlation algorithm determines that a host’s dialog production pattern maps sufficiently closely to the life cycle model, the host is declared infected, and an infection profile is generated to summarize all evidence regarding the infection. See our Samples Page for examples of infection profiles produced from a wide variety of Internet malware.
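As an added example (not BotHunter’s code; the stage labels E1 to E5, the time window and the declaration rule are this example’s assumptions, loosely modelled on the dialog-correlation idea described above), a minimal correlation engine that scores per-host dialog events against an assumed infection lifecycle and emits an infection profile once enough evidence accumulates:

```python
"""Minimal dialog-correlation engine (added example, not BotHunter code).
Dialog events from a classifier are grouped per internal host and matched
against an assumed infection lifecycle model; once enough stages are seen
inside a time window the host is declared infected and a profile is built."""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed lifecycle stages (labels are this example's, not BotHunter's config).
STAGES = {
    "E1": "inbound scan",
    "E2": "inbound exploit",
    "E3": "egg (binary) download",
    "E4": "C&C communication",
    "E5": "outbound scan / propagation",
}
OUTBOUND_STAGES = {"E3", "E4", "E5"}   # evidence produced by the victim itself


@dataclass
class DialogEvent:
    ts: int       # seconds since start of capture
    host: str     # internal host the event is attributed to
    stage: str    # one of STAGES
    detail: str   # what the classifier saw


@dataclass
class InfectionProfile:
    host: str
    infected: bool = False
    stages: set = field(default_factory=set)
    evidence: list = field(default_factory=list)


def declare_infected(stages):
    """Assumed declaration rule: an inbound exploit plus one outbound stage,
    or two distinct outbound stages, counts as enough evidence.  A lone
    inbound scan (E1) never does, so background scanning stays quiet."""
    outbound = stages & OUTBOUND_STAGES
    return bool(("E2" in stages and outbound) or len(outbound) >= 2)


def correlate(events, window=3600):
    """Return {host: InfectionProfile}.  Only events within `window` seconds
    before the current one count, so stale evidence is pruned."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.stage not in STAGES:
            raise ValueError(f"unknown stage {ev.stage!r}")
        by_host[ev.host].append(ev)

    profiles = {}
    for host, evs in by_host.items():
        profile = InfectionProfile(host)
        for i, current in enumerate(evs):
            recent = [e for e in evs[: i + 1] if current.ts - e.ts <= window]
            profile.stages = {e.stage for e in recent}
            if declare_infected(profile.stages):
                profile.infected = True
                profile.evidence = [
                    f"{e.ts:>5}s {e.stage} {STAGES[e.stage]}: {e.detail}" for e in recent
                ]
                break
        profiles[host] = profile
    return profiles


SAMPLE_EVENTS = [  # constructed; addresses are from documentation ranges
    DialogEvent(100, "10.0.0.5", "E1", "port sweep from 203.0.113.9"),
    DialogEvent(130, "10.0.0.5", "E2", "exploit payload to 445/tcp from 203.0.113.9"),
    DialogEvent(400, "10.0.0.5", "E3", "binary fetched from 198.51.100.7"),
    DialogEvent(900, "10.0.0.5", "E4", "IRC-style traffic to 198.51.100.20:6667"),
    DialogEvent(200, "10.0.0.8", "E1", "port sweep from 203.0.113.9"),   # noise only
    DialogEvent(50, "10.0.0.9", "E4", "beacon to 198.51.100.20"),
    DialogEvent(7250, "10.0.0.9", "E5", "outbound 445/tcp sweep"),       # outside window
]

if __name__ == "__main__":
    for host, p in correlate(SAMPLE_EVENTS).items():
        print(host, "INFECTED" if p.infected else "clean", sorted(p.stages))
        for line in p.evidence:
            print("   ", line)
```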

BotHunter is funded through the Cyber-Threat Analytics research grant from the U.S. Army Research Office, and is free to all end users to help you combat malware infections. In addition, BotHunter includes an auto-update service that allows fielded systems to receive the latest threat intelligence regarding new sources for ad and spyware management, botnet control sites, backdoor and control ports, and malware-related domain name lookups. The update service also publishes new dialog analysis rules to help BotHunter recognize emerging exploits and malware communication patterns. Modern malware defenses need to be adaptive and aware of the latest strategies used by Internet malware, and BotHunter is ready to meet this challenge.

This project is being run by SRI International, which is an independent, nonprofit research institute conducting client-sponsored research and development for government agencies, commercial businesses, foundations, and other organizations. SRI also brings its innovations to the marketplace by licensing its intellectual property and creating new ventures. [Source: SRI]

SRI collects all the malware research data, analyzes them and displays them in their Malware Threat Center, a snapshot of which is pasted below:

SRI International has been doing great research on malware, especially the famous ones out there, and publishes great research from time to time. BotHunter’s UserGuide and GUIGuide are available online. In the ‘Coming Soon‘ section of the website:

Here is a summary of what we are working on

o   BotHunter v2.0 is under development. This version will introduce an entirely new user interface experience and will support large-scale remote management. This version will take Bot hunting to a whole new level.

o  Our research team anticipates forthcoming announcements on entirely new technologies to combat malware.

Thanks for your support!

BotHunter’s Community Repository is an open list of botnet C&C IPs, location details [City, Region and Country], Domain/NetSpeed Service Provider, and a Forensics and Evidence Summary of what the bot client victim performed. This is great stuff for people performing research and trying to shut down botnets out there. We hope that this blog post helped you learn more about BotHunter. Thank you for choosing our blog!

Using Failure Information Analysis to Detect Enterprise Zombies

This is a really good paper that I came across while researching what information can be found in FAIL messages. Security folks who follow the RFCs assume that a RST means someone is scanning and our system is dropping those packets with a RST packet. What if we are wrong? What if those RST packets are generated by a bot or other malware on the system and sent outbound to make you think it is a DENY message? What if RST packets carry data or beacons? What if your firewall [packet filter or stateful firewall] lets the packet through because it thinks it is an egress RST? What if it lets the traffic in, thinking it is the response to a packet that went outbound?

Though you would think that this is not possible with a stateful firewall, it really depends on how the network is set up. In many enterprise networks, one firewall is used for egress traffic and another for ingress traffic. This could be to share the load [balancing load between the inbound and outbound filtering firewalls], to ensure that each performs only one duty [and does that duty well], or for other reasons justified by the scenario.

In this paper, I found an interesting concept: using such failure messages inside the network to perform analysis and detect enterprise zombies in your network. The abstract is as follows:

Abstract. We propose failure information analysis as a novel strategy for uncovering malware activity and other anomalies in enterprise network traffic. A focus of our study is detecting self-propagating malware such as worms and botnets. We begin by conducting an empirical study of transport- and application-layer failure activity using a collection of long-lived malware traces. We dissect the failure activity observed in this traffic in several dimensions, finding that their failure patterns differ significantly from those of real-world applications. Based on these observations, we describe the design of a prototype system called Netfuse to automatically detect and isolate malware-like failure patterns. The system uses an SVM-based classification engine to identify suspicious systems and clustering to aggregate failure activity of related enterprise hosts. Our evaluation using several malware traces demonstrates that the Netfuse system provides an effective means to discover suspicious application failures and infected enterprise hosts. We believe it would be a useful complement to existing defenses.
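As an added example (not Netfuse or the authors’ code), failure information analysis over constructed per-host connection outcomes: a threshold rule stands in for the paper’s SVM classifier, and hosts that share failed destinations are grouped in place of its clustering step:

```python
"""Failure-information analysis over per-host connection outcomes (added
example; not Netfuse code).  Records are constructed; a threshold rule stands
in for the paper's SVM classifier and shared failed destinations stand in for
its clustering step."""
from collections import defaultdict

# (host, layer, destination, outcome) -- constructed records, not real traffic.
SAMPLE_RECORDS = [
    # 10.0.0.5 and 10.0.0.6: scanning-like behaviour, mostly failed peers, failed C&C lookups
    ("10.0.0.5", "tcp", "192.0.2.1", "rst"),         ("10.0.0.5", "tcp", "192.0.2.2", "rst"),
    ("10.0.0.5", "tcp", "192.0.2.3", "timeout"),     ("10.0.0.5", "tcp", "192.0.2.4", "rst"),
    ("10.0.0.5", "tcp", "198.51.100.9", "ok"),
    ("10.0.0.5", "dns", "cc-a.example", "nxdomain"), ("10.0.0.5", "dns", "cc-b.example", "nxdomain"),
    ("10.0.0.6", "tcp", "192.0.2.1", "rst"),         ("10.0.0.6", "tcp", "192.0.2.2", "timeout"),
    ("10.0.0.6", "tcp", "198.51.100.9", "ok"),       ("10.0.0.6", "dns", "cc-a.example", "nxdomain"),
    # 10.0.0.20: an ordinary workstation with the occasional failure
    ("10.0.0.20", "tcp", "198.51.100.9", "ok"),      ("10.0.0.20", "tcp", "198.51.100.10", "ok"),
    ("10.0.0.20", "tcp", "198.51.100.11", "ok"),     ("10.0.0.20", "tcp", "198.51.100.12", "rst"),
    ("10.0.0.20", "dns", "www.example", "ok"),       ("10.0.0.20", "dns", "mail.example", "ok"),
    ("10.0.0.20", "dns", "cdn.example", "ok"),       ("10.0.0.20", "dns", "typo.example", "nxdomain"),
    ("10.0.0.20", "http", "198.51.100.9", "200"),    ("10.0.0.20", "http", "198.51.100.9", "200"),
    ("10.0.0.20", "http", "198.51.100.9", "404"),
]

FAILURES = {"rst", "timeout", "nxdomain", "404", "500"}


def host_features(records):
    """Per host: failure ratio per layer and the set of destinations that failed."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))   # host -> layer -> [failed, total]
    failed_dsts = defaultdict(set)
    for host, layer, dst, outcome in records:
        counts[host][layer][1] += 1
        if outcome in FAILURES:
            counts[host][layer][0] += 1
            failed_dsts[host].add(dst)
    return {
        host: {
            "ratios": {layer: f / t for layer, (f, t) in layers.items()},
            "failed_dsts": failed_dsts[host],
        }
        for host, layers in counts.items()
    }


def is_suspicious(feat, ratio_threshold=0.5, min_failed_dsts=3):
    """Assumed rule standing in for the SVM: some layer fails at least half the
    time AND the failures are spread over several destinations (one broken
    server would not satisfy the second condition)."""
    worst = max(feat["ratios"].values(), default=0.0)
    return worst >= ratio_threshold and len(feat["failed_dsts"]) >= min_failed_dsts


def cluster_by_failed_dsts(features, hosts):
    """Union-find over hosts that share at least one failed destination, so
    related machines (e.g. the same worm probing the same peers) are grouped."""
    parent = {h: h for h in hosts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    hosts_by_dst = defaultdict(list)
    for h in hosts:
        for d in features[h]["failed_dsts"]:
            hosts_by_dst[d].append(h)
    for group in hosts_by_dst.values():
        for h in group[1:]:
            parent[find(h)] = find(group[0])
    clusters = defaultdict(set)
    for h in hosts:
        clusters[find(h)].add(h)
    return sorted(clusters.values(), key=lambda c: sorted(c))


def analyse(records=SAMPLE_RECORDS):
    """Return (features, flagged hosts, clusters of flagged hosts)."""
    feats = host_features(records)
    flagged = sorted(h for h, f in feats.items() if is_suspicious(f))
    return feats, flagged, cluster_by_failed_dsts(feats, flagged)


if __name__ == "__main__":
    feats, flagged, clusters = analyse()
    for h in flagged:
        print(h, {k: round(v, 2) for k, v in feats[h]["ratios"].items()})
    print("clusters:", clusters)
```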

The authors of this paper are really experienced in what they do. They are:

  1. Zhaosheng Zhu – Department of Electrical and Computer Engineering, Northwestern University
  2. Vinod Yegneswaran – Computer Science Laboratory, SRI International
  3. Yan Chen – Department of Electrical and Computer Engineering, Northwestern University

To look into the paper, check out Professor Yan Chen’s publications section, or click here to go directly to the paper. We hope you enjoy it. We will definitely share what we learn, especially when we come across impressive papers like this one.

Thank you for choosing our blog!

BrowserDefender – by ThreatExpert Team

BrowserDefender is a Threat Expert based web portal used for website safety lookups. The following is what they say:

Browser Defender™ Website Safety Lookup:

Web sites are tested for what we believe are excessive pop-ups, “phishing” and other fraudulent practices, and browser exploits. Downloads are tested for viruses and bundled adware, spyware or other possibly unwanted programs.

About:

Browser Defender™ was developed by the same team of professionals who created Threat Expert, the advanced automated threat analysis system. Threat Expert is known to produce reports with the level of technical detail that matches or exceeds antivirus industry standards such as those found in online virus encyclopedias.

The following is the main page of the site:

The following is the sample report of the sites:

This is a pretty good research portal for protecting yourself from visiting malware sites, even if they have mistakenly been placed at the top of the Google search results. This is how Browser Defender looks when it is installed in the browser and a search is performed:

Browser Defender is a really great tool to protect yourself from several types of malware, especially drive-by-download malware. Thank you for choosing our blog!

Pushdo Botnet – Update

ShadowServer published an article a few hours ago on Pushdo‘s update, as shown below:

Friday, 29 January 2010

Pushdo DDoS’ing or Blending In?

Is your site on the list we have posted here or in the table at the bottom of this page? If so you might have noticed a massive uptick in SSL connections to your website over the past week or so. What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No you didn’t read that wrong that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you’re used to only getting a few hundred or thousands of hits a day or you don’t have unlimited bandwidth.

What’s going on here? Well it seems the Pushdo botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites. Special thanks to Joe Stewart from SecureWorks for pointing this out earlier in the week when some of us were scratching our heads. Our friends over at ZeuS tracker noticed a big uptick in port 443 traffic to their website early this week. They thought they were being DDoS’d. Technically they are being attacked, although knocking the sites offline doesn’t seem to be the goal. The bots seem to start to initiate an SSL connection and a bit of junk to the websites and then disconnect. They do not actually request any resources from the website or do anything else other than repeat the cycle periodically. They are doing this to hundreds of sites all day long. We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn’t quite look like a DDoS either.

ZeuS tracker tells us they have counted multiple hundreds of thousands of unique IPs hitting their site in just over a 24 hour period. This is a lot of bots generating a lot of traffic. Check the list below or the link above to see if you too are a lucky recipient of this traffic.

Read more on ShadowServer’s – Pushdo DDoS’ing or Blending In?

Thank you for choosing our blog!

Emerging Threats: Botnet C&C Signatures

About EmergingThreats:

Emerging Threats is an open source community project. Through the support of our community we are able to produce the fastest moving and most diverse Snort Signature set and firewall rules available. Other related projects find a home here as well. Matt Jonkman manages this project (jonkman@emergingthreats.net).

Our content is free to use by any user or organization, commercial or private. We only ask that when you detect new threats in your environment or write new rules suitable for public release that you share that intelligence with the community at large. We update these rulesets as new information surfaces (usually several times a day 7 days a week) and highly recommend you update at least twice a week to stay up to date. Daily is your best bet.

Emerging Threats has been in operation under several names since early 2003. We were formed originally as Bleeding Snort, but had to remove Snort from our name several years later for trademark issues. We then became Bleeding Threats. That project had to be abandoned and is defunct unfortunately because of some possible license conflicts that appeared to be arising, so the entire ruleset was moved here, to Emerging Threats. In 2008 we received grant funding from the Army Research Office and the National Science Foundation to continue this project and research.

Emerging Threats exists because of the contributions of intelligence and signatures by the community. We are grateful for our grant funding from the National Science Foundation and the Army Research Office. We give great thanks to those organizations for their support!

You can download our rulesets here, view our Documentation Wiki, or browse some of the other excellent projects that have found a home here.

We exist because of the community. These are your rules!

Sample botnet C&C rules from EmergingThreats:

alert tcp $HOME_NET any -> [109.74.196.127,110.44.26.158,112.216.12.244,115.165.178.40,
119.110.82.239,12.31.165.81,12.31.165.82,122.117.146.70,122.144.2.20,122.183.243.46,122.183.243.48,
124.158.128.129,124.40.3.92,125.160.17.71,125.160.17.72,125.40.126.201,128.121.20.113,128.194.112.48,
128.39.2.28,129.125.101.62,129.128.110.46,129.128.176.166,130.237.188.200,130.237.188.216,
130.239.18.157,130.240.22.201,137.82.84.68,139.175.160.252,140.211.166.64,141.213.238.252,
145.89.150.59,145.97.193.206,147.32.127.200,149.9.1.16,150.101.96.75,151.189.0.165,158.36.131.20,
158.38.8.251,163.178.205.7,163.19.14.2,173.45.124.226,173.45.124.227,174.120.182.86,174.129.139.32,
174.129.199.66,174.129.231.136,174.129.41.143,174.132.242.67,174.133.173.90,174.133.57.54,
174.133.63.91,174.137.55.10,174.138.58.102,174.139.16.131,174.139.16.132,174.139.16.134,
174.143.170.208,174.143.208.107,174.143.240.27,174.34.135.37] any (msg:"ET DROP Known Bot C&C Server
Traffic TCP (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src,
seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1791;)

alert udp $HOME_NET any -> [109.74.196.127,110.44.26.158,112.216.12.244,115.165.178.40,
119.110.82.239,12.31.165.81,12.31.165.82,122.117.146.70,122.144.2.20,122.183.243.46,122.183.243.48,
124.158.128.129,124.40.3.92,125.160.17.71,125.160.17.72,125.40.126.201,128.121.20.113,128.194.112.48,
128.39.2.28,129.125.101.62,129.128.110.46,129.128.176.166,130.237.188.200,130.237.188.216,
130.239.18.157,130.240.22.201,137.82.84.68,139.175.160.252,140.211.166.64,141.213.238.252,
145.89.150.59,145.97.193.206,147.32.127.200,149.9.1.16,150.101.96.75,151.189.0.165,158.36.131.20,
158.38.8.251,163.178.205.7,163.19.14.2,173.45.124.226,173.45.124.227,174.120.182.86,174.129.139.32,
174.129.199.66,174.129.231.136,174.129.41.143,174.132.242.67,174.133.173.90,174.133.57.54,
174.133.63.91,174.137.55.10,174.138.58.102,174.139.16.131,174.139.16.132,174.139.16.134,
174.143.170.208,174.143.208.107,174.143.240.27,174.34.135.37] any (msg:"ET DROP Known Bot C&C
Server Traffic UDP (group 1) "; reference:url,www.shadowserver.org; threshold: type limit,
track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404001; rev:1791;)

alert tcp $HOME_NET any -> [174.34.155.107,174.34.174.106,174.34.174.204,174.34.187.36,
174.34.187.37,174.34.187.44,174.34.187.46,174.36.194.109,188.165.47.211,188.40.203.43,
188.72.203.210,188.72.203.211,188.72.203.212,188.72.203.217,188.72.203.218,188.72.203.219,
188.72.203.231,188.72.211.171,188.72.212.42,188.72.218.74,188.72.226.31,188.72.236.123,
189.19.68.201,190.120.228.216,190.120.238.90,190.3.183.13,192.188.242.12,192.219.30.200,
193.104.94.11,193.108.43.213,193.109.122.77,193.136.119.33,193.136.216.101,193.138.215.226,
193.138.229.18,193.163.220.3,193.188.71.66,193.19.210.1,193.200.193.4,193.218.154.34,
193.219.61.23,193.27.229.245,193.33.179.4,193.34.88.17,193.40.58.131,193.43.88.137,193.43.88.138,
193.68.150.140,193.71.199.6,193.84.182.19,193.85.232.219,194.109.129.220,194.109.129.222,
194.109.20.90,194.109.206.106,194.109.206.107,194.109.64.131,194.117.246.5,194.124.229.59,
194.126.217.2] any (msg:"ET DROP Known Bot C&C Server Traffic TCP (group 2) ";
reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1;
classtype:trojan-activity; sid:2404002; rev:1791;)

According to the reference field of the signatures [reference:url,www.shadowserver.org;], these IPs were gathered from ShadowServer.org.
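As an added example (not Emerging Threats’ or Snort’s code), a small parser for rules in the wrapped form printed above, replayed over constructed flow records so the per-source ‘threshold: type limit’ behaviour is visible; the destination list is constructed from documentation ranges, while the msg, sid, threshold and reference options are copied from the page’s group-1 rules:

```python
"""Parse Emerging Threats 'ET DROP Known Bot C&C Server' rules in the wrapped form
shown above and replay constructed flow records against them, honouring the
per-source 'threshold: type limit'.  Added example, not ET or Snort code."""
import re
from collections import defaultdict

# Shortened copies of the page's group-1 rules; the address list is constructed
# from documentation ranges, the msg/sid/threshold options are the page's own.
SAMPLE_RULES = """
alert tcp $HOME_NET any -> [192.0.2.10,192.0.2.11,
198.51.100.5] any (msg:"ET DROP Known Bot C&C Server
Traffic TCP (group 1) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src,
seconds 3600, count 1; classtype:trojan-activity; sid:2404000; rev:1791;)

alert udp $HOME_NET any -> [192.0.2.10,192.0.2.11,
198.51.100.5] any (msg:"ET DROP Known Bot C&C
Server Traffic UDP (group 1) "; reference:url,www.shadowserver.org; threshold: type limit,
track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404001; rev:1791;)
"""

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\[[^\]]*\]|\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)$"
)


def parse_rule(text):
    """Parse one rule; wrapped lines are joined first, as the page prints them."""
    flat = " ".join(line.strip() for line in text.strip().splitlines())
    m = RULE_RE.match(flat)
    if not m:
        raise ValueError("unrecognised rule: " + flat[:60])
    rule = m.groupdict()
    dst = rule["dst"]
    rule["dst_ips"] = ({ip.strip() for ip in dst.strip("[]").split(",")}
                       if dst.startswith("[") else {dst})
    opts = {}
    for item in rule["opts"].split(";"):            # msg; reference; threshold; ...
        key, _, val = item.strip().partition(":")
        if key:
            opts[key.strip()] = val.strip().strip('"').strip()
    rule["opts"] = opts
    rule["sid"] = int(opts["sid"])
    thr = {}
    for part in opts.get("threshold", "").split(","):   # "type limit, track by_src, ..."
        k, _, v = part.strip().partition(" ")
        if k:
            thr[k] = v.strip()
    rule["threshold"] = thr
    return rule


class Matcher:
    """$HOME_NET is assumed to cover every source in the flow records, so a rule
    matches on protocol and destination address only."""

    def __init__(self, rules):
        self.rules = rules
        self.fired = defaultdict(list)   # (sid, tracked address) -> alert timestamps

    def _suppressed(self, rule, flow):
        thr = rule["threshold"]
        if thr.get("type") != "limit":
            return False
        key = (rule["sid"], flow["src"] if thr.get("track") == "by_src" else flow["dst"])
        window, limit = int(thr["seconds"]), int(thr["count"])
        recent = [t for t in self.fired[key] if flow["ts"] - t < window]
        if len(recent) >= limit:
            self.fired[key] = recent
            return True                  # already alerted for this source this window
        self.fired[key] = recent + [flow["ts"]]
        return False

    def match(self, flow):
        alerts = []
        for rule in self.rules:
            if flow["proto"] != rule["proto"] or flow["dst"] not in rule["dst_ips"]:
                continue
            if not self._suppressed(rule, flow):
                alerts.append({"ts": flow["ts"], "sid": rule["sid"], "src": flow["src"],
                               "dst": flow["dst"], "msg": rule["opts"]["msg"]})
        return alerts


SAMPLE_FLOWS = [   # constructed: an internal host beaconing to listed addresses
    {"ts": 0,    "proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10",   "dport": 443},
    {"ts": 60,   "proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.10",   "dport": 443},  # limited: same src, same hour
    {"ts": 120,  "proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.50", "dport": 80},   # not a listed address
    {"ts": 200,  "proto": "udp", "src": "10.0.0.5", "dst": "198.51.100.5", "dport": 53},   # UDP rule, separate sid
    {"ts": 300,  "proto": "tcp", "src": "10.0.0.7", "dst": "192.0.2.11",   "dport": 8080}, # different source
    {"ts": 3700, "proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.11",   "dport": 443},  # next hour: fires again
]


def replay(rule_text=SAMPLE_RULES, flows=SAMPLE_FLOWS):
    """Return (parsed rules, alerts raised in timestamp order)."""
    rules = [parse_rule(chunk) for chunk in re.split(r"\n\s*\n", rule_text.strip())]
    matcher = Matcher(rules)
    alerts = []
    for flow in sorted(flows, key=lambda f: f["ts"]):
        alerts.extend(matcher.match(flow))
    return rules, alerts
```

The threshold never stops the first alert per source per window; it only suppresses repeats, so a host beaconing all day still produces one fresh alert each hour for a reviewer to act on.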

In the last 2 years, there has been a huge increase in the number of botnets. This points to one or more of the following:

  • An increase in the number of botnet herders.
  • An increase in the number of hosed machines/zombies.
  • An increase in the number of vulnerable systems across the world.
  • An increase in data loss, data theft and other bad stuff.
  • Bot herders are significantly improving their expertise.
  • The good side is gradually losing, or is unable to catch up with the bad side.

In all of the above cases, there is a hint of darkness. Drastic efforts have to be taken to bring this to an end. This could be done in the following ways:

  • Sharing research data and findings.
  • The security community collectively fighting against the bad guys.
  • Money should not be the motive, although the returns for the effort put in are good.
  • Courts should increase the severity of punishments to deter bot herders.
  • All countries across the world should agree on shutting down Dynamic DNS servers that make it onto the list of botnet C&C hosting servers.

This should be a good start towards reversing the increasing botnet count. The EmergingThreats botnet C&C signatures were created with the intent of blocking outgoing traffic to possible botnet command & control hosts. This blog post was written to increase awareness of botnet C&C rules.

Thank you for choosing our blog!

EF

Mariposa Botnet Analysis

We noticed that there was a great report on Mariposa botnet analysis by Defence Intelligence. We have posted it on our blog to share it with our readers. Credit: Defence Intelligence

About Defence Intelligence:

Defence Intelligence is a privately held information security firm specializing in compromise prevention and detection. Based in Ottawa, Canada, the founders of Defence Intelligence are globally recognized industry experts. They have headed information security for Fortune 50 companies, consulted with hundreds of private enterprises and government agencies, and have assisted in the capture and prosecution of international computer criminals.

The Defence Intelligence team consists of highly respected information security professionals who have been at the forefront of information security for the last fifteen years. Defence Intelligence team members have appeared on CNN, ABC, BBC, NBC, CBS, CBC, and Fox and been featured in national publications such as The Wall Street Journal, USA Today, The Washington Post, The Globe and Mail, and The National Post.

Chris Davis, CEO and founder, is “…one of the best in the business when it comes to cracking supposedly secure computer networks” according to CBC Fifth Estate.

The Advisory Board is very active and plays a pivotal role in the growth and development of Defence Intelligence. These industry leaders are involved on an ongoing basis and provide us with an unmatched wealth of knowledge and experience.

The following is the blog post on the official website:

Mariposa Botnet Analysis

Mariposa was first observed in May of 2009 by Defence Intelligence as an emerging botnet. In recent months, Mariposa has shown a significant increase in beaconing traffic to its command and control servers. This is indicative of an increasingly high number of compromised computers actively participating in the Mariposa botnet.

The most dangerous capability of this botnet is that arbitrary executable programs are downloaded and executed on command. This allows the bot master to infinitely extend the functionality of the malicious software beyond what is implemented during the initial compromise. In addition, the malware can be updated on command to a new variant of the binary, effectively reducing or eliminating the detection rates of traditional host detection methods.

Commands from the botnet master may be directed at participants in a specific country, individual computers, or all computers. As a result, the observation of the live command and control channel may not include all of the activity and capabilities of Mariposa.

The command and control channel employs custom encrypted UDP datagrams to receive instructions and transmit data. A detailed analysis of the encryption and message formats used by the protocol is presented in this paper.

During empirical analysis of internal controlled compromised systems, the following DNS domain names were observed as the command and control servers:

  • lalundelau.sinip.es
  • bf2back.sinip.es
  • thejacksonfive.mobi
  • butterfly.BigMoney.biz
  • bfisback.sinip.es
  • qwertasdfg.sinip.es

Over the last two weeks of analysis, two unique malicious programs were downloaded and executed on the compromised computers. One malware update was received during this period, introducing new command and control domain names, adding a ‘confirmation of download’ message, and renaming ASCII commands.

It has also been observed that the botnet participants are receiving Google custom search engine URL fragments in a command from the bot master. This indicates a possible hijacking of Google AdSense advertisement revenue.

This paper details the result of static binary analysis, a review of the command and control protocols including a breakdown of the encryption, and empirical behaviour analysis findings.

The full Mariposa Botnet Analysis is available in PDF form at defintel.com

This is an awesome contribution by Defence Intelligence to Botnet analysis. Thank you for choosing our blog!

EF

Blended Threats – Botnet or not?

Attacks that check for multiple ways to exploit a piece of software or a system, using a series of checks for combinations of vulnerabilities, fall under the scope of blended threats. The attack can be performed by automated tools, semi-automated frameworks or worm infections. Currently, drive-by download malware spreads to the clients visiting a malicious/hosed server by checking the browser type and version and the vulnerabilities that exist in those versions. Blended threat looks like a long-lasting term in the threat landscape: attackers will always try various ways to exploit successfully while evading detection and prevention devices/software.

Since the current threat landscape defines botnets as the most critical threat, every enterprise might look at blended threats as possible botnet activity. That does not quite make sense, does it? The botnet life-cycle involves finding an infection vector, compromising the system, setting up a network of zombies and communicating with them for data theft, DDoS, etc. A blended attack involves compromising a system or software through various means. Although this could be used as the first step of a botnet life-cycle [the "infection vector" stage], it is not fair to label a blended attack a possible botnet just to get customers’ attention. Some might see this as a proactive measure that stops the attack at the first stage itself. This is the same in most domains, where there is a very thin line of separation between the various terms. How do we widen the lines of separation in such cases? It is something to think about…

Thank you for choosing our blog!

EF

BitBlaze: Binary Analysis for Computer Security

Overview of BitBlaze [Source: Berkeley Page]:

Binary analysis is imperative for protecting COTS (common off-the-shelf) programs and analyzing and defending against the myriad of malicious code, where source code is unavailable, and the binary may even be obfuscated. Also, binary analysis provides the ground truth about program behavior since computers execute binaries (executable), not source code. However, binary analysis is challenging due to the lack of higher-level semantics. Many higher level techniques are often inadequate for analyzing even benign binaries, let alone potentially malicious binaries. Thus, we need to develop tools and techniques which work at the binary level, can be used for analyzing COTS software, as well as malicious binaries.

The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.

The BitBlaze project consists of two central research directions: (1) the design and development of the underlying BitBlaze Binary Analysis Platform, and (2) applying the BitBlaze Binary Analysis Platform to real security problems. The two research foci drive each other: as new security problems arise, we develop new analysis techniques. Similarly, we develop new analysis techniques in order to better or more efficiently solve known problems. Below, we give an overview of the two research directions. Here is an overview paper of the BitBlaze project.

This is one of the most popular research groups researching botnets. The BitBlaze publications page has a really good list of publications, such as the ones listed below:

They have an online analysis page where anyone can submit samples for analysis. The site lists W32.IRCbot and W32.Spybot.Worm analysis results as sample results. BitBlaze also has tons of current projects. Check it out when you get a chance. Giuseppe Bonfa, who has been working on the Malware Analytics project for the past year, mentioned BitBlaze to EvilFingers and we thought of sharing it with our blog readers. Thank you for choosing our blog!

Anushree