Author

Jan Göbel

Other affiliations: RWTH Aachen University
Bio: Jan Göbel is an academic researcher from University of Mannheim. The author has contributed to research in topics: Malware & Honeypot. The author has an h-index of 7, co-authored 19 publications receiving 268 citations. Previous affiliations of Jan Göbel include RWTH Aachen University.

Papers
Proceedings ArticleDOI
01 Oct 2009
TL;DR: In this article, the authors use a parametrized abstraction of detailed behavioral reports automatically generated by sandbox environments and explore two visualization techniques: treemaps and thread graphs to support human analysts in detecting maliciousness of software and classifying malicious behavior.
Abstract: We study techniques to visualize the behavior of malicious software (malware). Our aim is to help human analysts to quickly assess and classify the nature of a new malware sample. Our techniques are based on a parametrized abstraction of detailed behavioral reports automatically generated by sandbox environments. We then explore two visualization techniques: treemaps and thread graphs. We argue that both techniques can effectively support a human analyst (a) in detecting maliciousness of software, and (b) in classifying malicious behavior.

97 citations

Proceedings ArticleDOI
09 Nov 2009
TL;DR: A clone of the Waledac bot named Walowdac is implemented, which implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed.
Abstract: A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.

93 citations

01 Jan 2009
TL;DR: A low-interaction honeypot, which is capable of capturing autonomous spreading malware from the internet, named Amun, which emulates a wide range of different vulnerabilities and is able to collect at best unknown binaries of malware that automatically spreads across the network.
Abstract: In this report we describe a low-interaction honeypot, which is capable of capturing autonomous spreading malware from the internet, named Amun. For this purpose, the software emulates a wide range of different vulnerabilities. As soon as an attacker exploits one of the emulated vulnerabilities, the payload transmitted by the attacker is analyzed and any download URL found is extracted. Next, the honeypot tries to download the malicious software and store it on the local hard disk for further analyses. As a result, we are able to collect at best unknown binaries of malware that automatically spreads across the network. The collected samples can, for example, be used to help anti-virus vendors improve their signatures.

16 citations

01 Jan 2006
TL;DR: This diploma thesis introduces the setup of a high-interaction Honeynet, deployed at RWTH Aachen University and shows how the operation of the Honeywall Roo can greatly facilitate the process of building such a network of electronic decoys.
Abstract: In this diploma thesis, we introduce the setup of a high-interaction Honeynet, deployed at RWTH Aachen University. We show how the operation of the Honeywall Roo can greatly facilitate the process of building such a network of electronic decoys and present the benefits of this concept. In addition, we illustrate two intrusions that happened during the time of this thesis, and give an in-depth view on the tools and techniques used by the particular attackers. Furthermore, we take a look at the low-interaction Honeypot Nepenthes, and how it can be extended to serve as a highly efficient Intrusion Detection sensor, to fit into our automated notification and handling system, called the Blast-o-Mat. In this context, we describe the added features and the distributed design of the new Blast-o-Mat version 4. Finally, we substantiate the effectiveness of our Honeynet-based Intrusion Detection system with concrete results that we obtained during the last months.

14 citations

DOI
09 Feb 2010
TL;DR: An overview of the structure of InMAS and the various tools it integrates is provided, and the web frontend that displays all information on different levels of abstraction is introduced, from a coarse-grained overview down to highly detailed information on demand.
Abstract: The Internet Malware Analysis System (InMAS) is a modular platform for distributed, large-scale monitoring of malware on the Internet. InMAS integrates diverse tools for malware collection (using honeypots) and malware analysis (mainly using dynamic analysis). All collected information is aggregated and accessible through an intuitive and easy-to-use web interface. In this paper, we provide an overview of the structure of InMAS and the various tools it integrates. We also introduce the web frontend that displays all information on different levels of abstraction, from a coarse-grained overview down to highly detailed information on demand.

13 citations
Cited by
Proceedings ArticleDOI
20 Jul 2011
TL;DR: Preliminary experimental results are quite promising with 98% classification accuracy on a malware database of 9,458 samples with 25 different malware families and the technique exhibits interesting resilience to popular obfuscation techniques such as section encryption.
Abstract: We propose a simple yet effective method for visualizing and classifying malware using image processing techniques. Malware binaries are visualized as gray-scale images, with the observation that for many malware families, the images belonging to the same family appear very similar in layout and texture. Motivated by this visual similarity, a classification method using standard image features is proposed. Neither disassembly nor code execution is required for classification. Preliminary experimental results are quite promising with 98% classification accuracy on a malware database of 9,458 samples with 25 different malware families. Our technique also exhibits interesting resilience to popular obfuscation techniques such as section encryption.

830 citations

Journal ArticleDOI
TL;DR: A novel method that used deep learning to improve the detection of malware variants using a convolutional neural network that could extract the features of the malware images automatically was proposed.
Abstract: With the development of the Internet, malicious code attacks have increased exponentially, with malicious code variants ranking as a key threat to Internet security. The ability to detect variants of malicious code is critical for protection against security breaches, data theft, and other dangers. Current methods for recognizing malicious code have demonstrated poor detection accuracy and low detection speeds. This paper proposed a novel method that used deep learning to improve the detection of malware variants. In prior research, deep learning demonstrated excellent performance in image recognition. To implement our proposed detection method, we converted the malicious code into grayscale images. Then, the images were identified and classified using a convolutional neural network (CNN) that could extract the features of the malware images automatically. In addition, we utilized a bat algorithm to address the data imbalance among different malware families. To test our approach, we conducted a series of experiments on malware image data from Vision Research Lab. The experimental results demonstrated that our model achieved good accuracy and speed as compared with other malware detection models.

444 citations

Proceedings Article
12 Aug 2015
TL;DR: This work takes a detailed look at bitcoin's peer-to-peer network, and quantifies the resources involved in the attack via probabilistic analysis, Monte Carlo simulations, measurements and experiments with live bitcoin nodes.
Abstract: We present eclipse attacks on bitcoin's peer-to-peer network. Our attack allows an adversary controlling a sufficient number of IP addresses to monopolize all connections to and from a victim bitcoin node. The attacker can then exploit the victim for attacks on bitcoin's mining and consensus system, including N-confirmation double spending, selfish mining, and adversarial forks in the blockchain. We take a detailed look at bitcoin's peer-to-peer network, and quantify the resources involved in our attack via probabilistic analysis, Monte Carlo simulations, measurements and experiments with live bitcoin nodes. Finally, we present countermeasures, inspired by botnet architectures, that are designed to raise the bar for eclipse attacks while preserving the openness and decentralization of bitcoin's current network architecture.

376 citations

Proceedings Article
10 Apr 2007
TL;DR: A simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command & Control server (C&C server).
Abstract: In this paper, we describe a simple, yet effective method to detect bot-infected machines within a given network that relies on detection of the communication channel between bot and Command & Control server (C&C server). The presented techniques are mainly based on passively monitoring network traffic for unusual or suspicious IRC nicknames, IRC servers, and uncommon server ports. By using n-gram analysis and a scoring system, we are able to detect bots that use uncommon communication channels, which are commonly not detected by classical intrusion detection systems. Upon detection, it is possible to determine the IP address of the C&C server, as well as, the channels a bot joined and the additional parameters which were set. The software Rishi implements the mentioned features and is able to automatically generate warning emails to report infected machines to an administrator. Within the 10 GBit network of RWTH Aachen university, we detected 82 bot-infected machines within two weeks, some of them using communication channels not picked up by other intrusion detection systems.

372 citations

Journal ArticleDOI
TL;DR: The proposed IMCFN (Image-based Malware Classification using Fine-tuned Convolutional Neural Network Architecture) can effectively detect hidden code, obfuscated malware and malware family variants with little run-time and is resilient to the straightforward obfuscation techniques commonly used by hackers to disguise malware.

243 citations