Malware Activity

2006-10-28

Computer Science Studies in Aachen

Studying is mostly fun; I got to know a lot of new people in my first two weeks in Aachen. Lectures aren't too complicated yet and doing some math is fun so far. The `Programming' lecture is annoying for anybody who has touched source code before, though. Anyway, attendance is not enforced -- it's up to you, and in fact I haven't attended a single `Programming' lecture yet.

But studying is also time intensive. Working as an anti-virus developer is also a time-intensive job (which becomes very difficult if you don't have Internet in your flat because your ISP bitches). But the dream of the perfect behavioural detection engine is just too great to give it up just because of university!

The downside of all this is that my open-source development projects have to step back a bit. But the mwcollect Alliance will survive! ;)


2006-10-14

botsnoopd - Sniffing on Botnets

botsnoopd is a project I have now been working on for quite some time. Initially, it was intended as a replacement for ShadowServer's snoop infrastructure. But since I was so slow and they put so much effort into their Perl script, it seems they want to keep that. So we're now going to use this in the mwcollect Alliance.

We are going to have a three-tier approach consisting of

to efficiently catch and collect malware, analyse it with regard to extracting botnet C&C information, and then finally sniff the bot herders' commands and store them.

Although it seems there were some rumors in the Virus Bulletin 2006 hallways that botsnoopd has been publicly released, that is definitely not true. People might have been referring to a presentation we gave at Blackhat: Georg Wicherski & Thorsten Holz: «Catching Malware to Detect, Track and Mitigate Botnets». botsnoopd is not finished software yet, and as new transport protocols for C&C emerge, new modules will be created (it's the same story as with nepenthes).

It is not our plan to ever publicly release it anyway, since it might be a powerful tool for bot herders as well; the current idea is to release it as open source to selected parties under an NDA.


2006-10-13

Future of the mwcollect Alliance

Tonight, I finally managed to fix the bug in the G.O.T.E.K. submission architecture for the mwcollect Alliance. It was caused by a threading deadlock; the buggy code was accidentally installed on the Alliance server when recompiling gotekd from SVN due to the upgrade from libmysqlclient14 to libmysqlclient15. Binaries are now flowing again.

The initial idea was to migrate to our new backend (backed by Postgres) as soon as possible, but as I learned at Blackhat 2006, some companies are now really relying on the service we offer (for free, as a hobby). This means our tiny little `we share what we have' project has now evolved into a real business case.

Even though some developers would now go like `Ka-Ching!' and try to sell this, we are going to keep this service free. This has the obvious positive side that researchers can freely use our binaries, but the downside is that the service provided is not guaranteed to be constant or whatever. However, some companies have now offered to support us by monetary means to allow us to focus our work on this (as we all have real jobs with higher priority).

We hope to migrate to the new backend soon; an unofficial pre-beta preview may be found at the new Alliance page. The roadmap is to be finished soon; whenever that is, speaking as a lazy .org.


2006-10-09

Vacation in Holland

Starting from today, I will be in the Netherlands for some three or four days on vacation with my girlfriend. More specifically, we will be staying in her family's caravan in Kamperland.

If I already have the pictures of Tokyo at hand when I come back, I will post some here.


2006-10-07

Reviewing Blackhat Japan 06 / Tokyo

This trip was a blast! I arrived on Wednesday already -- one day before the conference -- and went out with Laurie from ShadowServer to do some shopping in Asakusa, as he has been a Tokyo local for two years now. Bought some nice stuff for my girlfriend and family there and also took the compulsory tourist photos in front of one of the temples.

Later on that day, I went to Roppongi, visiting the Gas Panic club, which really deserves the description ``foreigner meat market'' it is given by some locals. I was later told by some other locals that it's not the most beautiful you'd get there, but nevertheless it would have been really easy, as far as I can judge.

Thursday started with a huge hangover, a nearly missed press meeting and a hard time staying awake during the day, followed by going to bed right after the Blackhat social event. I talked to some people and attended some talks; as usual the topics at Blackhat were rather interesting, but conferences are more for socializing...

Our talk on Friday morning went pretty well, apart from the fact that we totally messed up our botsnoopd demo, as no botnets were showing activity and even #gentoo on FreeNode was silent during our presentation (we should have pre-recorded a video). So we could only show some simple management commands... Apart from that, it was said to be the second most popular presentation (right behind Joanna's talk on the virtualization rootkit), probably thanks to Thorsten's CWSandbox part of it.

The speakers' party was not too convincing (especially not for a 4500 Yen entrance fee), but we went to the Air club later on, where a Chicago DJ had an insane set; we were there from 1:00 to 6:15, powered by Redbull and orange juice (and the others by Vodka Redbull, too). It was simply great.

So see you next year at some Blackhat conference! ;)


2006-10-03

Blackhat Asia 2006 Last Preparations: botsnoopd

In order to pre-empt the jet lag, I decided to work the whole night and sleep on the plane, so I'm ready to visit some stuff in Tokyo on Wednesday (my plane arrives at 10:40 local time). Things that have helped me so far are:

  • Watching ``Crank'' in the cinema at 23:00
  • Bright lights
  • A splash of ice-cold water in my face
  • Taurine shocks (-> Redbull)

But what the hell is that botsnoopd I'm working on? More on this later this week.
