<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Is Android malware served in theatres more sophisticated?</title><description>2014-01-10 09:25:41 - Blog postings from honeynet.org : Pietro wrote a nice post about him finding Android malware while visiting the theatre. Thanks to Thug (thank you Angelo) and HoneyProxy, he was able to get some interesting details about their infrastructure. I was curious what kind of malware you find in a theatre, so I quickly looked at one of the samples that he mentioned: f6ad9ced69913916038f5bb94433848d. Giraffe Chapter</description><link>http://www.secuobs.com/revue/news/490787.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/490787.shtml</guid></item>
<item><title>Malware-serving theaters for your android phones - Part 2</title><description>Secuobs.com : 2014-01-10 08:25:11 - Blog postings from honeynet.org - In this post I will analyze the Android APK files that my friend Pietro Delsante from the Honeynet Project Sysenter Chapter talks about in his previous post (thank you Pietro). The files are all named video.apk and these are the MD5 and SHA256 hashes.</description><link>http://www.secuobs.com/revue/news/490782.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/490782.shtml</guid></item>
<item><title>Malware-serving theaters for your android phones - Part 1</title><description>Secuobs.com : 2014-01-07 23:30:36 - Blog postings from honeynet.org - Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall very well the address, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater's official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player. I laughed loudly and showed them to my (again, totally non-nerd) friends saying that the site had been owned. One of them went on and opened the site with her own phone (Samsung Galaxy S Advance with Android 4.4.1 and the default Android WebKit browser). To make a long story short, after a few instants her phone was downloading a file without even asking her for confirmation. So: Chrome on my Nexus 4 was using social engineering to have me click on a link and manually download the file; Android's WebKit on her Galaxy S Advance was instead downloading the file straight away. Interesting! However, we were a bit late and we had to run for the comedy, so I did not even bother to see what the heck she had downloaded, I only made sure she hadn't opened it. I thought it was just the usual exploit kit trying to infect PCs by serving fake Flash Player updates, seen tons of those. While waiting for the comedy to begin, I quickly submitted the compromised site to three different services, the first three ones that came to my mind: HoneyProxy Client, Wepawet and Unmask Parasites, then turned off my phone and enjoyed the show. Sysenter Chapter</description><link>http://www.secuobs.com/revue/news/490270.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/490270.shtml</guid></item>
<item><title>2014 Honeynet Project Security Workshop in Warsaw</title><description>Secuobs.com : 2014-01-02 16:42:25 - Blog postings from honeynet.org - The Honeynet Project would like to cordially invite you to attend the 2014 Honeynet Project Security Workshop, held in Adgar Plaza Conference Center in Warsaw, Poland from 12-14 May 2014. The workshop is organized by The Honeynet Project and coordinating with CERT Polska under NASK.</description><link>http://www.secuobs.com/revue/news/489385.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/489385.shtml</guid></item>
<item><title>SHIVA: Spam Honeypot with Intelligent Virtual Analyzer</title><description>Secuobs.com : 2013-11-25 10:31:42 - Blog postings from honeynet.org -</description><link>http://www.secuobs.com/revue/news/482860.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/482860.shtml</guid></item>
<item><title>New project CEO</title><description>Secuobs.com : 2013-10-07 09:50:20 - Blog postings from honeynet.org - Last week it was announced that Angelo Dell'Aera is elected as our new CEO. Here is a brief description about Angelo.</description><link>http://www.secuobs.com/revue/news/472962.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/472962.shtml</guid></item>
<item><title>Hide and go seek, not hide and go tweak</title><description>Secuobs.com : 2013-07-31 23:32:24 - Blog postings from honeynet.org - On July 31, 2013, Jason Geffner of CrowdStrike will discuss a new tool called "Tortilla" that allows incident responders and computer security researchers to hide behind the ToR network as they poke and prod malicious software infrastructure. Were I there (hint, hint, to those who are), I would ask Jason this question: What things should I not do while using Tortilla, and why shouldn't I do them? I know Jason and respect his technical skills, but if he and CrowdStrike don't have a good answer, that will say a lot about our field's collective ability to reason about actions along the Active Response Continuum [D. Dittrich and K. E. Himma, "Active Response to Computer Intrusions," Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://ssrn.com/abstract=790585].</description><link>http://www.secuobs.com/revue/news/460462.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/460462.shtml</guid></item>
<item><title>MalwareZ: visualizing malware activity on earth map</title><description>Secuobs.com : 2013-07-30 14:00:37 - Blog postings from honeynet.org - MalwareZ is a visualization project that is started as a YakindanEgitim (YE) project. YE is a startup that me and some colleagues mentor young people on specific projects, remotely. It is announced as a local fork of Google Summer of Code, except neither mentors nor mentees are paid. Gürcan Gerçek was the main developer for the MalwareZ project and my role was mentoring him.</description><link>http://www.secuobs.com/revue/news/460039.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/460039.shtml</guid></item>
<item><title>Standard Variable and Type Inference Lib - Week 1</title><description>Secuobs.com : 2013-06-28 06:33:24 - Blog postings from honeynet.org - The whole project is divided by two parts: variable recovery and type inference. The first week job is focus on variable recovery. I put my project under the Project/ directory. There is a makefile under this directory and you can build it directly. Source code is in the Project/code/ directory; currently, there is only one code file. In the tools/ directory, there is the testing code, a very simple C program. github URL: https://github.com/Vectorlee/binary_reverse_lib</description><link>http://www.secuobs.com/revue/news/454311.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/454311.shtml</guid></item>
<item><title>Project 11 - Improving HPFeeds Visualization - Week 1</title><description>Secuobs.com : 2013-06-26 22:57:52 - Blog postings from honeynet.org - Hi everyone, I am Vincent, and I am happy to start this project. The progress of the first week as follow: 1. Familiar with the system architecture and test environment. First, it took me some time to understand the system architecture and related technologies like hpfeeds, splunk, and d3.js etc. 2. Learning HeliosJS.</description><link>http://www.secuobs.com/revue/news/453873.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/453873.shtml</guid></item>
<item><title>GSoC 2013 Blog Online</title><description>Secuobs.com : 2013-06-24 13:15:58 - Blog postings from honeynet.org - To have a better visibility of this year's GSoC projects we have created a blog for the students and their mentors. This blog is the place where students should post weekly updates about their progress. It is also the place where students and mentors can share their findings and experiences about and during the GSoC projects as they happen. The first updates have already started to drip in and it is getting interesting. A hot summer, cool drinks and happy coding to all the participants! http://gsoc2013.honeynet.org</description><link>http://www.secuobs.com/revue/news/453218.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/453218.shtml</guid></item>
<item><title>Thug: 1000 commits, 1000 thanks</title><description>Secuobs.com : 2013-06-10 16:45:22 - Blog postings from honeynet.org - Two years are passed from the first commit and taking a look at the number of committed patches I realized that right now the patch number 1000 was committed. Let me say it's really impressive realizing it. In the last two years I had a lot of fun thinking and designing the future of this project and I'm really proud of what Thug turned to be. I have to thank a lot of persons who contributed with their suggestions, ideas, bug reports and sometimes patches. You know who you are. Really thanks!</description><link>http://www.secuobs.com/revue/news/450485.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/450485.shtml</guid></item>
<item><title>Unveiling Dorothy2: a malware botnet analysis framework written in Ruby</title><description>Secuobs.com : 2013-06-10 00:12:48 - Blog postings from honeynet.org - Howdy all, I've the pleasure to (finally) unveil the second version of Dorothy: a malware botnet analysis framework written in Ruby. Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed. However, static binary analysis and system behavior analysis will be shortly introduced in further versions. Italian Chapter</description><link>http://www.secuobs.com/revue/news/450326.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/450326.shtml</guid></item>
<item><title>GSoC 2013 Student Selection Officially Announced</title><description>Secuobs.com : 2013-06-01 00:44:58 - Blog postings from honeynet.org - After a pretty hectic few weeks of student application review, setting and scoring coding challenges, and assessing proposals, mentoring organizations participating in GSoC 2013 had to confirm their student slot allocations and final short list of preferred candidates by Friday May 24th at 19:00 UTC.</description><link>http://www.secuobs.com/revue/news/448849.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/448849.shtml</guid></item>
<item><title>Debating the Active Response Continuum: Defining the Terms of the Debate</title><description>Secuobs.com : 2013-05-28 02:11:38 - Blog postings from honeynet.org - (This post expresses the personal opinion of the author and is not an official statement representing the Honeynet Project.) At the AusCERT 2013 conference, Dmitri Alperovich called for debate about "the kinds of actions that infosec professionals are allowed to take against attackers." I agree with Dmitri, and in fact I made the same call, at the same conference on May 23, 2005. As one of the world's foremost experts on this topic, with over two decades of security operations experience, I welcome Dmitri to the debate. What follows is adapted from the forthcoming book, "The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense," by David Dittrich. I welcome any comments, suggested modifications and/or additions. There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems. This has been called active defense, aggressive (network) self-defense, counter-attack, and even hacking back. Regardless of the reasons why someone would want to take such actions, it is necessary to discuss the options, acknowledge the risk and benefit tradeoffs, and identify how aggressive actions can be taken in a manner that is safe, controlled, and justifiable (as best this can be accomplished). This cannot be accomplished, however, if everyone comes at the subject with their own individual frame of reference and language. This was pointed out by more than one person at this year's Suits &amp; Spooks DC 2013 conference.</description><link>http://www.secuobs.com/revue/news/447953.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/447953.shtml</guid></item>
<item><title>Introducing Conpot</title><description>Secuobs.com : 2013-05-11 20:58:23 - Blog postings from honeynet.org - We proudly announce the first release of our Industrial Control System honeypot named Conpot. Until now setting up an ICS honeypot required substantial manual work, real systems which are usually either inaccessible or expensive and lecture of quite tedious protocol specifications. With implementing a master server for a larger set of common industrial communication protocols and virtual slaves which are easy to configure, we provide an easy entry into the analysis of threats against industrial infrastructures and control systems.</description><link>http://www.secuobs.com/revue/news/444840.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444840.shtml</guid></item>
<item><title>Call for Proposal for hosting the 2014 Annual Workshop</title><description>Secuobs.com : 2013-04-29 15:57:24 - Blog postings from honeynet.org - As you may know, the annual workshop is a key event to bring together top information security experts from around the globe to present their research efforts as well as discuss insights and strategies to combat new emerging threats. The annual workshop, held in February or March every year, is a five-day event including a one-day briefing, two days of hands-on training open to the public and two days of private meetings by invitation only.</description><link>http://www.secuobs.com/revue/news/442455.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442455.shtml</guid></item>
<item><title>Forensic Challenge 13 - "A Message in a Picture" - And the winners are...</title><description>Secuobs.com : 2013-04-09 00:27:31 - Blog postings from honeynet.org - Folks, the Honeynet Project Pacific Northwest Chapter has judged all submissions and results have been posted on the challenge page. The winners are: 1. Faure Bastien, 2. Andrey "Zed" Zaikin. Congratulations to the winners and thanks to the other participants! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/438263.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/438263.shtml</guid></item>
<item><title>Ghost 0.3 released</title><description>Secuobs.com : 2013-03-27 13:10:18 - Blog postings from honeynet.org - Today I've released version 0.3 of the Ghost USB honeypot, which introduces a lot of new features, including a completely rewritten core for better malware detection. The new version is available on the project page. This post outlines the major changes.</description><link>http://www.secuobs.com/revue/news/436059.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/436059.shtml</guid></item>
<item><title>A new infosec era? Or a new infosec error?</title><description>Secuobs.com : 2013-03-11 09:10:56 - Blog postings from honeynet.org - On March 4, 2013, a contest was held at the Nullcon conference in Goa, India, to see who could take over a botnet. The Times of India reported that the prize money was provided by an Indian government official and was awarded to the Garage4Hackers team. The co-founder of the Nullcon conference, Antriksh Shah, said, "At Nullcon Goa 2013, for the first time in the world the government has come forward and announced a bounty prize of Rs 35,000 to whoever provides critical information on the command and control servers of a malware recently found in one of the government installations in India," and then tweeted, "Dawn of new infosec era. Govt of India announced (and actually paid) first ever bounty (Rs 35k) at nullcon to take down a c&amp;c." When asked whether this was a live botnet, or a simulated botnet held within a safe and isolated virtual network where no harm could result, Nullcon tweeted, "it was a live campaign up since a couple of yrs and the malware was found in a gov Infra."</description><link>http://www.secuobs.com/revue/news/432671.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/432671.shtml</guid></item>
<item><title>Forensic Challenge 13 - "A Message in a Picture" - Deadline extended</title><description>Secuobs.com : 2013-02-17 11:40:22 - Blog postings from honeynet.org - Taking a look at the first submissions, it seems like more time is needed in order to solve the Forensic Challenge 13 - "A Message In A Picture". For this reason we decided to extend the submission deadline to 2013, March 15th. Have fun! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/428221.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/428221.shtml</guid></item>
<item><title>Security in 2020: Anton Chuvakin will give you the broad overview</title><description>Secuobs.com : 2013-02-07 22:52:24 - Blog postings from honeynet.org - The broader picture at the conference will be given by a well known person in this field. He will talk about "Security 2020". This is Dr. Anton Chuvakin, and he is a Research Director at Gartner's Gartner for Technical Professionals (GTP) Security and Risk Management Strategies team in his day job.</description><link>http://www.secuobs.com/revue/news/426438.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/426438.shtml</guid></item>
<item><title>Building a functional and centralized threat intelligence framework, with Mark</title><description>Secuobs.com : 2013-01-31 08:14:11 - Blog postings from honeynet.org - We have finally gotten an interview with Mark Schloesser. This is the guy that does not say too much, but delivers as hell. "Less talk more code" could easily describe him. He will take you through Configuring an Environment for Threat Assessment. This is building a functional and centralized threat intelligence framework. We are really looking forward to this workshop! Tell us Mark, why did you become a security expert?</description><link>http://www.secuobs.com/revue/news/424910.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/424910.shtml</guid></item>
<item><title>Reversing Malicious Flashy Flash and Dissecting Malicious Document with Mahmud</title><description>Secuobs.com : 2013-01-25 12:11:51 - Blog postings from honeynet.org - We have interviewed Mahmud ab Rahman, who currently works as an Information Security Specialist for Malaysia Computer Emergency and Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia. His areas of focus are network security, botnet monitoring, and malware analysis.</description><link>http://www.secuobs.com/revue/news/423860.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/423860.shtml</guid></item>
<item><title>HoneyProxy 1.1 - Dubai - released</title><description>Secuobs.com : 2013-01-24 16:36:00 - Blog postings from honeynet.org - HoneyProxy 1.1 - Dubai. Ready for the Honeynet Project Meeting in February, we are pleased to announce our second release of HoneyProxy! Started as a Google Summer of Code 2012 project, HoneyProxy is a lightweight tool that allows live HTTP and HTTPS traffic inspection and analysis. This release features a new Report Editor which allows you to analyze your flows, aggregate data or search for anomalies in your traffic dumps.</description><link>http://www.secuobs.com/revue/news/423678.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/423678.shtml</guid></item>
<item><title>Felix Leder and his talk "Lord of the Rings - Monitoring malware behavior on all layers" in Dubai 10-12th of February</title><description>Secuobs.com : 2013-01-19 23:28:03 - Blog postings from honeynet.org - We have interviewed Felix Leder, who works as an innovation and new technology architect for Norman ASA. He has presented classes around the world on malware analysis, reverse engineering, and anti-botnet approaches.</description><link>http://www.secuobs.com/revue/news/422794.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/422794.shtml</guid></item>
<item><title>SSH honeypot workshop Bsides London 2013</title><description>Secuobs.com : 2013-01-17 10:57:50 - Blog postings from honeynet.org - At the last BruCON conference in Ghent last year I had the pleasure to talk to Soraya (Iggi), Bsides London co-organizer. She convinced me into submitting a workshop proposal for the Bsides London 2013. And guess what, it got accepted! So I will be doing a workshop on setting up a basic kippo SSH honeypot from Upi Tamminen (http://code.google.com/p/kippo) and, if time permits, using Ioannis Koniaris' (Ion) kippo visualization tool kippo-graph (http://bruteforce.gr/kippo-graph). Bsides London will be held on April 24th 2013 at Kensington and Chelsea Town Hall. South African Chapter</description><link>http://www.secuobs.com/revue/news/422346.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/422346.shtml</guid></item>
<item><title>"Secure Exploit Payload Staging or how we did not kill an 0day at Defcon"</title><description>Secuobs.com : 2013-01-11 09:21:44 - Blog postings from honeynet.org - We have interviewed Georg Wicherski, who is one of the speakers for the Honeynet Workshop in Dubai 10-12 of February. Georg will give a briefing about "Secure Exploit Payload Staging or how we did not kill an 0day at Defcon". So Georg, why did you become a security expert? Pathos: Hacking is my second love after my family and working as a security person allows me to live my passion every day. And what will you talk about?</description><link>http://www.secuobs.com/revue/news/421177.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/421177.shtml</guid></item>
<item><title>Visualize your attacks workshop in Dubai 10-12th</title><description>Secuobs.com : 2013-01-09 19:56:30 - Blog postings from honeynet.org - We have interviewed Raffy, who is one of the teachers for the Honeynet Workshop in Dubai 10-12 of February. Raffy will give the following talk: How Big Data, Data Mining, and Visualization Enable Security Intelligence, and a class on Information Visualization - Bridging the Gap Between Tufte and Firewalls. So Marty, tell us, why did you become a security expert?</description><link>http://www.secuobs.com/revue/news/420772.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/420772.shtml</guid></item>
<item><title>The Month of the Honeynet Project Tools</title><description>Secuobs.com : 2013-01-01 20:06:45 - Blog postings from honeynet.org - Let the "Month of the Honeynet Project Tools" begin! The idea beyond the MoHPT is quite simple. We would be really glad to involve more and more researchers out there in our research stuff and tools. In order to encourage contributions we are proposing you to dive deep into one of the already existing Honeynet Project tools cited below and contribute with feedback, ideas, documentation and/or code: Ghost USB Honeypot, Glastopf, Thug.</description><link>http://www.secuobs.com/revue/news/419364.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/419364.shtml</guid></item>
<item><title>Forensic Challenge 13 - "A Message in a Picture"</title><description>Secuobs.com : 2013-01-01 19:16:04 - Blog postings from honeynet.org - Let's start the new year with a forensic challenge! I am really pleased to announce Forensic Challenge 13 - "A Message in a Picture". The challenge has been provided by the Honeynet Project Pacific Northwest Chapter. Submission deadline is 2013, Feb 15th and we will be announcing winners around the first week of March 2013. Happy new year and have fun! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/419362.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/419362.shtml</guid></item>
<item><title>The Ethics of Social Honeypots</title><description>Secuobs.com : 2012-12-29 23:39:52 - Blog postings from honeynet.org - For the last few years, I have been participating in a Department of Homeland Security sponsored effort to develop principles and applications for the evaluation of information and communication technology (ICT) research. If you are not familiar with the Menlo Report, you can find a description in Michael Bailey, David Dittrich, Erin Kenneally, and Douglas Maughan, "The Menlo Report," Security &amp; Privacy, IEEE, 10(2):71-75, March/April 2012. I and two of my Menlo colleagues -- Wendy Vischer and Erin Kenneally -- recently taught a didactic course at the PRIM&amp;R Advancing Ethical Research conference in San Diego. PRIM&amp;R is the conference for Institutional Review Board, or IRB, professionals, with the annual AER conference having thousands of attendees. Our course primarily described the Menlo Report process to date, but we concluded with a mock IRB committee review of a fictional proposed research project in which researchers develop countermeasures to malicious botnets in social network platforms like Facebook using a combination of deception to build a social network of over 1 million users and to then use "good bots" that infiltrate the "bad bots".</description><link>http://www.secuobs.com/revue/news/419128.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/419128.shtml</guid></item>
<item><title>Two roads diverged in Ghost development</title><description>Secuobs.com : 2012-12-18 00:21:47 - Blog postings from honeynet.org - Over the last few weeks I've basically rewritten the core of Ghost, our system for USB malware detection. While the new approach promises to be much more effective, it has a drawback: It only works for Windows Vista and later systems. As a consequence, there are now two flavors of Ghost in existence: One supports Windows XP but won't receive much further development, whereas a lot of interesting new features will be implemented for the other one, which is dedicated to Vista and later. In this post, I'm going to explain the reasoning behind the decision, describe the recent technical advances and outline some of our plans for the future.</description><link>http://www.secuobs.com/revue/news/417471.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417471.shtml</guid></item>
<item><title>No, Executing Offensive Actions Against Our Adversaries Really Does Have High Risk. Deal With It.</title><description>Secuobs.com : 2012-12-10 08:44:34 - Blog postings from honeynet.org - This is a response to a CSO Online blog post by Jeff Bardin ("Caution: Not Executing Offensive Actions Against Our Adversaries is High Risk," November 2012), which is a rebuttal to a blog post by Jody Westby on Forbes online ("Caution: Active Response to Cyber Attacks Has High Risk"). Mr. Bardin is obviously playing on words in the title and I seriously doubt he believes that it is higher risk to not take aggressive actions than is to do so. His post does not contain a reasoned proposal for how to change or work within existing legal and ethical norms to allow aggressive actions directed at computer network attackers. It is instead a strident endorsement of a vaguely defined "new approach" of counter-attack using simplistic arguments based on emotion and a desire for retribution (an unethical position to take), lacking sufficient discussion of appropriate "rules of engagement," principle-based ethical justifications of any type beyond basic "right of self-defense" arguments, and including no oversight mechanisms to minimize the potential for abuse or collateral damage. This response is quite long, including not only Mr. Bardin's own words for context but also many references to materials apropos to the topic that Mr. Bardin does not provide in his post. Mr. Bardin's blog post illustrates some of the problems with discussion of this topic that I have seen over and over since the first workshops I attended or led on this topic in Seattle's Agora security group from 2001 to 2004. I have been studying and discussing these issues for over a decade and have seen the same simplistic arguments repeated in nearly every discussion. Useful analogies in this realm are really hard to find and almost always fail. Part of the problem stems from non-technical people trying to discuss extremely technical and complex issues of computer network attack and defense, combined with rushing to simple "self defense" analogies and appeals to emotion, suggesting we have to do something, anything, to get satisfaction. Frequently left out is any meaningful discussion of ethics, "rules of engagement," responsibility, or accountability. If my response here comes across as vehement opposition, it is not intended that way. If anything, it shares Mr. Bardin's frustration that we have gotten to the point where intrusions are so widespread and pervasive, but we differ in explaining why and in proposing a viable path forward.</description><link>http://www.secuobs.com/revue/news/416007.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/416007.shtml</guid></item>
<item><title>French Chapter Status Report 2012</title><description>Secuobs.com : 2012-12-05 11:07:37 - Blog postings from honeynet.org - ORGANIZATION. Active members: - Sébastien Tricaud - Guillaume Arcas - Anthony Desnos - Franck Guénichot - François-René Hamelin - Christophe Grenier. DEPLOYMENTS. We have the following technologies deployed: - Kippo on honeycloud. Goal of this deployment is to provide a centralized instance of Kippo &amp; share findings, logs, collected data. - HoneyProxy on honeycloud. - Honeeebox. RESEARCH AND DEVELOPMENT. New tools: - HoneyProxy as part of GSoC 2012 - FAUP (formerly furl) - OpenNormalizer - PhotoRec/TestDisk - ARE - AndroGuard. Enhanced tools:</description><link>http://www.secuobs.com/revue/news/415221.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/415221.shtml</guid></item>
<item><title>ENISA publishes report on honeypots</title><description>Secuobs.com : 2012-11-28 16:05:15 - Blog postings from honeynet.org - ENISA (The European Network and Information Security Agency) under the leadership of CERT Polska has published a report on honeypots. It's a hands-on guide on the various honeypot technologies out there looking at various operational aspects, such as extensibility, reliability, ease of deployment, etc. If you are considering running a honeypot, this is a must read! Check it out at http://www.enisa.europa.eu/media/press-releases/new-report-by-eu-agency-enisa-on-digital-trap-honeypots-to-detect-cyber-attacks Great job, ENISA!</description><link>http://www.secuobs.com/revue/news/413867.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/413867.shtml</guid></item>
<item><title>Pakistan Chapter Status Report For 2012</title><description>Secuobs.com : 2012-11-24 14:02:10 - Blog postings from honeynet.org -    ORGANIZATION   Faiz Ahmad Shuja is founder and chapter lead of Pakistan Chapter and an active member since 2003 He is responsible for the management and maintenance of HP infrastructure as Chief Infrastructure Officer   Muhammad Omar Khan is an active member and assists in various Honeynet deployment efforts   Rehan Ahmed is our active member He assists in the management of Pakistan chapter and HP infrastructure   Omar Khan has been involved in attacks analyses and reporting read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/413191.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/413191.shtml</guid></item>
<item><title>Alaska Chapter - Status Report 2011-2012</title><description>Secuobs.com : 2012-11-15 22:36:03 - Blog postings from honeynet.org -    ORGANIZATION   Brian Hay  Chapter Lead, Full Member    Kara Nance  BoD Member, Full Member    Chris Hecker   Clark Harshbarger   Matt Bishop   Wesley McGrew   Lucas McDaniel DEPLOYMENTS   1 Honeeebox in Alaska   Purchased multiple other Honeeeboxes available for third party deployments   Periodic Dionaea deployments in both public and private clouds for student and demonstration use RESEARCH AND DEVELOPMENT 1 Ongoing development of hypervisor-based honeypot monitoring using virtual machine introspection  VMI  on Xen and KVM platforms   Alaskan Chapter read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/411735.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/411735.shtml</guid></item>
<item><title>UAE Chapter Status Report For 2012</title><description>Secuobs.com : 2012-11-11 19:31:36 - Blog postings from honeynet.org -    ORGANIZATION Ahmad Alajail - Chapter Lead; Ahmad Hassan - Member; Anastasios Monachos - New Member; Andrew Marrington - New Member; Majid Al Ali - Member DEPLOYMENTS We have successfully changed all of our distributed honeypots from Nepenthes to Dionaea and upgraded our honeypharm with a reporting mechanism and the additional information received from Dionaea RESEARCH AND DEVELOPMENT   United Arab Emirates Chapter read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/410790.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/410790.shtml</guid></item>
<item><title>Canadian Chapter Status Report For 2011</title><description>Secuobs.com : 2012-11-06 15:13:14 - Blog postings from honeynet.org -    ORGANIZATION Last year our chapter membership went through several changes: some members moved to new places and new positions and are no longer a part of the honeynet chapter, while others (Natalia Stakhanova) came back. Our current members include Ali Ghorbani, Natalia Stakhanova, Hadi Shiravi (University of New Brunswick) and Sami Guirguis (Toronto) DEPLOYMENTS We currently have deployed a cluster of server honeypots and an SGNET sensor. Both are primarily used for capturing botnet network traffic RESEARCH AND DEVELOPMENT read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/409856.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/409856.shtml</guid></item>
<item><title>Spartan Devils Chapter Status Report For 2012</title><description>Secuobs.com : 2012-11-05 16:42:40 - Blog postings from honeynet.org -    Spartan Devils Chapter Status Report For 2012 ORGANIZATION Our current membership includes Gail Joon Ahn (Arizona State University), Tom Holt (Michigan State University), Max Kilger, and Napoleon Paxton. We are also happy to report that we added Paul Neff to our roster in the last few months DEPLOYMENTS In addition to all tools from the honeynet site, we also installed Sandboxie on VMware ESXi to automatically test malware and reset VMs RESEARCH AND DEVELOPMENT read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/409607.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/409607.shtml</guid></item>
<item><title>Forensic Challenge 12    Hiding in Plain Sight  - And the winners are</title><description>Secuobs.com : 2012-10-16 22:19:34 - Blog postings from honeynet.org -    Folks, the Honeynet Project Alaska Chapter has judged all submissions and results have been posted on the challenge page The winners are  1 Shaun Zinck 2 Vadim Kotov and Alberto Boschetti 3 José Valentín Gutiérrez Boquete Congratulations to the winners and thanks to the other participants  Angelo Dell'Aera The Honeynet Project  IMAGE  </description><link>http://www.secuobs.com/revue/news/405904.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405904.shtml</guid></item>
<item><title>Two more of our projects selected for Magnificent7</title><description>Secuobs.com : 2012-10-16 19:44:29 - Blog postings from honeynet.org -    Rapid7 have announced the selected projects for the second round of their Magnificent7 program The program sponsors open source efforts in the area of IT security over the course of a year and provides them with Rapid7's technological and marketing expertise read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/405872.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/405872.shtml</guid></item>
<item><title>HoneyMap - Visualizing Worldwide Attacks in Real-Time</title><description>Secuobs.com : 2012-10-01 22:46:25 - Blog postings from honeynet.org -    HoneyMap Screenshot The HoneyMap shows a real-time visualization of attacks against the Honeynet Project's sensors deployed around the world It leverages the internal data sharing protocol hpfeeds as its data source Read this post to learn about the technical details and frequently asked questions Before going into explanations, take a look at the map itself  maphoneynetorg    Giraffe Chapter read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/402878.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/402878.shtml</guid></item>
<item><title>HpfeedsHoneyGraph - Automated Attack Graph Construction for Hpfeeds Logs</title><description>Secuobs.com : 2012-09-12 00:42:26 - Blog postings from honeynet.org -    Finally it is good enough to announce my GSoC project, HpfeedsHoneyGraph, which is a Splunk app to display attack graphs for hpfeeds logs. It was not an easy project for me to complete in a short time. During the last three months, I had to learn several skills for the implementation, including hpfeeds log correlation across several hpfeeds channels, Splunk frameworks, the Splunk REST API, the D3 v2 js graph library and fast-fluxing modules. The most difficult challenge for me was to write javascript code. I SUPER hate javascript read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/399058.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399058.shtml</guid></item>
<item><title> Forensic Challenge 12    Hiding in Plain Sight  - Submission deadline passed</title><description>Secuobs.com : 2012-09-11 08:41:49 - Blog postings from honeynet.org -    Folks, the submission deadline for the Forensic Challenge 12    Hiding in Plain Sight  put up by the Alaska Chapter under the leadership of Lucas McDaniel has passed We have received 4 submissions and will be announcing results on Mon, Oct 15th 2012 The top three submissions will be awarded little prizes Angelo Dell'Aera The Honeynet Project  IMAGE  </description><link>http://www.secuobs.com/revue/news/398856.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398856.shtml</guid></item>
<item><title>Project 12 - Improving APKInspektor</title><description>Secuobs.com : 2012-09-10 17:01:26 - Blog postings from honeynet.org -    The updated version of APKInspector is a powerful static analysis tool for malicious Android applications. It provides convenient and varied features for smartphone security engineers. With the sensitive permission analysis, static instrumentation and easy-to-use graph-code interaction etc., they can get a thorough and deep understanding of malicious applications on Android. The improvement mainly focuses on two categories: User Interface and Security Analysis. The goal is to build an easy-to-use tool with strong security analysis features read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/398670.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/398670.shtml</guid></item>
<item><title>Ghost version 0.2 released</title><description>Secuobs.com : 2012-09-04 14:43:43 - Blog postings from honeynet.org -    We've just released version 0.2 of the Ghost USB honeypot for Windows XP and Windows 7 with a lot of great new features. You can download the new version from the project page. In this post, I'm going to give an overview of the changes. Let's start with what you usually do first: install Ghost. Installing the honeypot has been tedious in the past, so we've built an installer that handles most of the work for you. Just run it and enjoy read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/397470.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/397470.shtml</guid></item>
<item><title>Project 6 - IPv6 attack detector Report</title><description>Secuobs.com : 2012-08-28 04:24:51 - Blog postings from honeynet.org -    1. Introduction As the end of GSoC 2012 will come in the next few days, I am proud to announce IPv6-guard. IPv6-guard is an IPv6 attack detector tool including some defense mechanisms to protect against most of the recent attacks on the IPv6 protocol suite 2. IPv6-Guard 2.1 How it works read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/396152.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/396152.shtml</guid></item>
<item><title>6Guard - a honeypot-based IPv6 attack detector</title><description>Secuobs.com : 2012-08-27 12:01:23 - Blog postings from honeynet.org -    6Guard is a honeypot-based IPv6 attack detector aiming at detecting link-local level attacks, especially when the port-mirror feature of the switch is unavailable read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/395964.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395964.shtml</guid></item>
<item><title>Beta Release of DroidBox for Android 2.3 and APIMonitor</title><description>Secuobs.com : 2012-08-23 21:00:22 - Blog postings from honeynet.org -    I'm announcing the new features of the Android dynamic analysis tool DroidBox as GSoC 2012 approaches the end. In this release, I would like to introduce two parts of my work: the DroidBox port and APIMonitor read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/395410.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395410.shtml</guid></item>
<item><title>Yuans slides</title><description>Secuobs.com : 2012-08-23 10:05:04 - Blog postings from honeynet.org -    just the slides  IMAGE  </description><link>http://www.secuobs.com/revue/news/395278.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/395278.shtml</guid></item>
<item><title>AfterGlow Cloud - Second release</title><description>Secuobs.com : 2012-08-20 23:53:58 - Blog postings from honeynet.org -    AfterGlow Cloud has evolved further into another release, with many improvements added to the initial version. With GSoC 2012 approaching an end, we've covered all the additional features we planned for in the second phase of development, post mid-term. Building on the initial version, this post will run you through the general features and the additional improvements covered. A live demo of this release can be found here:  http andromedaayrusnet 8080  read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/394715.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394715.shtml</guid></item>
<item><title>Introducing Acapulco  Building Clustered Parallel Coordinates Graphs from HPFeeds data</title><description>Secuobs.com : 2012-08-20 02:42:45 - Blog postings from honeynet.org -     and the summer is over During the last three months I have tried to make sense of the highly unstructured data set that comes from merging the data streams of several hpfeeds channels I have had to learn the inner workings of Splunk, their SDKs, the D3js graphic library and explore different machine learning frameworks and clustering algorithms read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/394521.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394521.shtml</guid></item>
<item><title>Capture HPC Client for Linux released </title><description>Secuobs.com : 2012-08-19 22:13:15 - Blog postings from honeynet.org -    I'm proud to announce the release of the new Capture HPC client module. The new version, 0.9 beta, implements a totally new system monitoring method. The old one, strace, was replaced by a kernel module that intercepts some system calls to record events for later analysis read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/394508.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394508.shtml</guid></item>
<item><title>Beta Release of Imalse--Integrated MALware Simulator   Emulator </title><description>Secuobs.com : 2012-08-19 22:13:15 - Blog postings from honeynet.org -    As the GSOC approaches the end I would like to publish a beta version of my project for Network Malware Simulation The name for the new open source software is Imalse, which is the acronym of Integrated MALware Simulator   Emulator The website for the project is http peoplebuedu wangjing open-source imalse html indexhtml, in which you can get detailed description, instructions for installation and demo videos read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/394507.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394507.shtml</guid></item>
<item><title>VM image for Network Analyzer and installation howto</title><description>Secuobs.com : 2012-08-19 21:29:27 - Blog postings from honeynet.org -    There is a VM image that you can import as an appliance to see the application on your own machine. You may download the ova file here:  http wwwloopbackinginfo ovizart  To import the image, you will need VirtualBox installed read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/394505.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394505.shtml</guid></item>
<item><title>First release from Network Analyzer project</title><description>Secuobs.com : 2012-08-19 20:45:07 - Blog postings from honeynet.org -    Hi everyone, I am announcing an initial release of Ovizart, the Network Analyzer Project. Ovizart (OV - Open VİZual Analysis foR network Traffic) is a web based application that will let users upload captured traffic in PCAP format, analyze the traffic, and present the traffic in an intuitive manner. The current development branch is located on Github:  https githubcom oguzy ovizart read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/394503.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/394503.shtml</guid></item>
<item><title>Want to Use Ghost in Your Own Setup?</title><description>Secuobs.com : 2012-08-07 14:05:49 - Blog postings from honeynet.org -    This is a short introduction to one of the features that the upcoming Ghost 0.2 will offer. I expect to release the new version in late August or early September. There is a command-line frontend for Ghost already that controls the honeypot's operation, but its capabilities are limited. In particular, the only way to get feedback from Ghost is to read the command-line output. That's only slightly inconvenient if you run the tool manually, but it's not at all suitable for automation, and it makes integrating Ghost into individual analysis setups unnecessarily complicated read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/392125.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/392125.shtml</guid></item>
<item><title>Forensic Challenge 12    Hiding in Plain Sight </title><description>Secuobs.com : 2012-08-03 11:05:03 - Blog postings from honeynet.org -    I am pleased to announce a new forensic challenge  Forensic Challenge 12    Hiding in Plain Sight  The challenge has been provided by the Alaska Chapter under the leadership of Lucas McDaniel Submission deadline is Sep 9th and we will be announcing winners around the first week of October 2012 Have fun  Angelo Dell'Aera The Honeynet Project  IMAGE  </description><link>http://www.secuobs.com/revue/news/391472.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391472.shtml</guid></item>
<item><title>Forensic Challenge 11 -  Dive Into Exploit  - And the winners are</title><description>Secuobs.com : 2012-08-02 20:03:51 - Blog postings from honeynet.org -    Folks, Georg Wicherski has judged the two really cool submissions and results have been posted on the challenge page The winners are  1 Ruud Schramp 15 Carl Pulley read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/391349.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/391349.shtml</guid></item>
<item><title>Quechua - beta version</title><description>Secuobs.com : 2012-07-27 14:01:23 - Blog postings from honeynet.org -    Quechua beta version Hello World  All GSoC 2012 students, including those working for HoneyNet, started their projects a long time ago Since  Midterm evaluation  has passed too, I would like to share some experience and code with you Please keep in mind this is still a beta version and some things may change during the second part of coding period, however comments and tips will be helpful, as always  -  read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/390254.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/390254.shtml</guid></item>
<item><title>Interesting Reads - Tuesday 24th July</title><description>Secuobs.com : 2012-07-24 10:20:04 - Blog postings from honeynet.org -    Good morning folks. My apologies for the delay on this one. It appears that the wily coyote has passed on his tricks to my Internet connection and as such I've been offline for a fairly large portion of time. No matter, onward to the readables.   Malware: An in-depth code analysis of mssecmgr.ocx from the ESET folks is here read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/389336.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389336.shtml</guid></item>
<item><title>Current Status of Ghost</title><description>Secuobs.com : 2012-07-14 14:58:34 - Blog postings from honeynet.org -    As the first half of the HP summer of code has passed, I'd like to give a short update on the current status of the Ghost USB honeypot read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/387274.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387274.shtml</guid></item>
<item><title>HoneyProxy HTTP HTTPS - Beta Release</title><description>Secuobs.com : 2012-07-13 14:23:31 - Blog postings from honeynet.org -    At the middle of GSoC 2012, we are happy and proud to release a beta version of HoneyProxy, a lightweight tool that allows live HTTP and HTTPS traffic inspection and analysis Unlike other network tools like WireShark that display flow packet by packet, HoneyProxy only displays application layer data Web objects then can be viewed through a browser read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/387096.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/387096.shtml</guid></item>
<item><title>AfterGlow Cloud - Initial release</title><description>Secuobs.com : 2012-07-10 22:57:44 - Blog postings from honeynet.org -    With the marking of the mid-term milestone in GSoC 2012, we're happy to announce a first version release of AfterGlow Cloud. After a lot of discussions and review the project seems to be in a good position for an initial release. The project in essence is based on AfterGlow [1], a security visualization tool which facilitates generating visual graphs from data you upload. The tool described at [1] is originally command-line based; the aim of this project, in general, is to bring this tool and its options to the cloud, so as to provide a neat interface for on-the-fly visualizations read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/386456.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386456.shtml</guid></item>
<item><title>Blocking Communication between Kernel and User Space</title><description>Secuobs.com : 2012-07-10 11:00:03 - Blog postings from honeynet.org -    In this post I'd like to describe some aspects of the communication between kernel and user mode in the Ghost USB honeypot More specifically, I'll focus on how to realize blocking communication with the Windows Driver Frameworks  WDF  read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/386274.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/386274.shtml</guid></item>
<item><title>Forensic Challenge 11 - Dive Into Exploit - Submission Deadline Passed</title><description>Secuobs.com : 2012-07-03 10:15:13 - Blog postings from honeynet.org -    Folks, the submission deadline for the Forensic Challenge 11 (Dive Into Exploit) created by Georg Wicherski from the Giraffe Chapter has passed. We have received 2 good submissions and will be announcing results before the end of July. Without doubt, this challenge was one of the most difficult ones the Honeynet Project has provided in the last years, so we are really glad about the submitted solutions, which seem really high-level at a first glance. Angelo Dell'Aera The Honeynet Project  IMAGE  </description><link>http://www.secuobs.com/revue/news/385123.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/385123.shtml</guid></item>
<item><title>Interesting Reads  Monday 25th June</title><description>Secuobs.com : 2012-06-25 22:24:54 - Blog postings from honeynet.org -    Another Monday has been and gone  on this side of the world at least  I thought I'd sit down again and share some of the interestingness  yes, that's a word now  that came through my various news feeds over the course of the weekend I'm hoping this week will be a little less malware focused, but I can't make any promises newssource    twitter   mboman  New blog post  MART - Malware Analyst Research Toolkit  Cuckoo Sandbox  read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/383676.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383676.shtml</guid></item>
<item><title>Open source licensing madness</title><description>Secuobs.com : 2012-06-25 21:34:08 - Blog postings from honeynet.org -    Before we released the Ghost USB honeypot as open source software, we had quite some trouble to apply the GPL to our case Since there wasn't much information available for the very particular case of using the GPL for a Windows driver, I'll discuss our issues and solutions in this article This might not directly be applicable to other software, but it should provide the reader with general insights and will hopefully help people to sort out similar problems in the future read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/383659.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/383659.shtml</guid></item>
<item><title>Interesting Reads - Monday 18th June</title><description>Secuobs.com : 2012-06-18 21:07:22 - Blog postings from honeynet.org -    Good evening/morning folks. It's been fairly busy here at HNP HQ for a number of reasons. That said, there were a number of interesting articles over the weekend I thought I'd highlight here for your reading pleasure. This week seems to be a week of malware so we will stick with that theme. STORIES ABOUT BOTNETS - PART 1 Malware Hunting with the Sysinternals Tools (video) read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/382232.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/382232.shtml</guid></item>
<item><title>Ghost USB honeypot released</title><description>Secuobs.com : 2012-06-14 12:20:41 - Blog postings from honeynet.org -    I'm very pleased to announce that we have released the first public version of the Ghost USB honeypot Ghost is a honeypot for malware that uses USB storage devices for propagation It is able to capture such malware without any further knowledge - especially, it doesn't need signatures or the like to accomplish its task Detection is achieved by emulating a USB flash drive on Windows systems and observing the emulated device The assumption is that on an infected machine the malware will eventually copy itself to the removable device read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/381537.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/381537.shtml</guid></item>
<item><title>Weilin's 1st weekly report</title><description>Secuobs.com : 2012-06-04 09:19:44 - Blog postings from honeynet.org -    Done last week:   Drawn up the project plan with mentors.   Started coding. Planned for next week:   Submit some code to Github.   Record the thoughts from coding and improve the plan. Blocking issues:   Undergraduate graduation thesis on Stateful IPv6-to-IPv6 NAT. Fortunately this is the last week for it  IMAGE  </description><link>http://www.secuobs.com/revue/news/379279.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/379279.shtml</guid></item>
<item><title>Forensic Challenge 11 -  Dive Into Exploit  - Deadline Extended</title><description>Secuobs.com : 2012-05-31 16:37:00 - Blog postings from honeynet.org -    Taking a look at the submissions we realized that mmh no submissions at all We already knew that solving this challenge requires high skills but it seems like more time is needed in order to solve the Forensic Challenge 11 -  Dive Into Exploit  For this reason we decided to extend the submission deadline to 2012, July 1st Have fun  and don't be shy  Angelo Dell'Aera The Honeynet Project  IMAGE  </description><link>http://www.secuobs.com/revue/news/378770.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/378770.shtml</guid></item>
<item><title>Thug Plugin Framework</title><description>Secuobs.com : 2012-05-20 21:46:16 - Blog postings from honeynet.org -    In the last months I spent a lot of effort on Thug development. During these months a few interesting features and improvements were introduced, but right now I want to spend some time taking a look at the new plugin framework introduced in version 0.3.0. If you ever thought about extending Thug with additional features but didn't know how to do it, you should really keep on reading. Let's start by taking a look at the code. Taking a look at src/thug.py we can now read these lines of code: 216 if p  217 ThugPlugins PRE_ANALYSIS_PLUGINS, self  read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/376581.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/376581.shtml</guid></item>
<item><title>Progress so far at the Network Analyzer</title><description>Secuobs.com : 2012-05-07 10:12:00 - Blog postings from honeynet.org -    Although it is still before the official coding period start at GSoC 2012, I started to make my commits for the Network Analyzer project. The output of the project will be a web based traffic analyzer. It is aimed at letting people upload their files from a web interface and see the results. Instead of the detailed header information, the network analyzer will be focusing on application level data for display read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/374035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/374035.shtml</guid></item>
<item><title>Glastopf v3 aka Glaspot released</title><description>Secuobs.com : 2012-05-02 08:24:57 - Blog postings from honeynet.org -    We were glad to announce yet another tool during our annual workshop in San Francisco. Glaspot is the third version of the web application honeypot Glastopf and it comes with some very powerful new features:   A built-in PHP sandbox for code injection emulation, allowing us to bring vulnerability emulation to a new level;   Hooked up to the HPFeeds generic data feed system for centralized data collection and tight integration into our sandbox and web server botnet monitoring system;   Modular implementation: turn your web application into a honeypot with a few easy steps;   Runs in its own lightweight Python server or as a WSGI module in common web server environments;   Automated attack surface generation and expansion read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/373080.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/373080.shtml</guid></item>
<item><title>The Winner of the Norman Malware Analyzer G2 raffle is </title><description>Secuobs.com : 2012-04-10 18:05:17 - Blog postings from honeynet.org -    At the Honeynet Project workshop 2012, we raffled off a brand new Norman Malware Analyzer G2. Thanks everybody for participating in the raffle. The winner of this year's raffle is Todd Straceski from Zynga. Congratulations to Todd! Thanks again to Norman for sponsoring the Honeynet Project workshop 2012. We hope to see you all again next year  IMAGE  </description><link>http://www.secuobs.com/revue/news/369133.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/369133.shtml</guid></item>
<item><title>Just a few days left to submit your GSoC application</title><description>Secuobs.com : 2012-04-04 00:41:45 - Blog postings from honeynet.org -    Students, the GSoC 2012 student application deadline is approaching (April 06 at 19:00 UTC): you have 2 days and 20 hours to submit your application to https wwwgoogle-melangecom gsoc org google gsoc2012 honeynet We have an array of exciting open-source security projects posted on our ideas page, but feel free to submit your own idea as well (best to discuss with potential mentors first though). You can reach mentors on gsoc publichoneynetorg or on  gsoc2012-honeynet on ircfreenodenet Hope to see your application soon! If you are planning on submitting an application, we recommend submitting now and modifying until the deadline. You don't want to be shut out merely because of connection issues and such.  - the HP GSoC admin and mentors read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/367883.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367883.shtml</guid></item>
<item><title>Google Summer Of Code 2012 Student Applications - Deadline Approaching</title><description>Secuobs.com : 2012-04-04 00:41:45 - Blog postings from honeynet.org -    If you have been following our blog you'll know that the Honeynet Project was very happy to have been accepted as a mentoring organization for Google Summer of Code  GSoC  2012 read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/367882.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367882.shtml</guid></item>
<item><title>FAQ on Kelihos.B/Hlux.B sinkholing</title><description>Secuobs.com : 2012-04-02 02:06:46 - Blog postings from honeynet.org -    On March 31, 2012, the Honeynet Project published a draft Code of Conduct and a statement about Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown. The initial draft of the Code of Conduct was drawn from concepts described in the Menlo Report (Ethical Principles Guiding Information and Communication Technology Research) that was published in the United States Federal Register on December 28, 2011 for public comment. The Code of Conduct was refined through discussion within the Legal and Ethics Committee and volunteer Honeynet Project members to help make it workable within the structure of the Honeynet Project membership for evaluating the ethics of future research activities. The following FAQ reflects how the Menlo Principles and the proposed Honeynet Project Code of Conduct can be used to analyze and explain an action like the Kelihos/Hlux sinkholing operation read more  IMAGE  </description><link>http://www.secuobs.com/revue/news/367483.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367483.shtml</guid></item>
<item><title>Kelihos.B/Hlux.B botnet takedown</title><description>Secuobs.com : 2012-03-31 23:31:48 - Blog postings from honeynet.org - On Wednesday, March 21, 2012, an operation by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project was initiated to sinkhole infected computers in the Kelihos.B/Hlux.B botnet. The objective of this action was to remove from the attacker's control all computers currently infected with the Kelihos.B/Hlux.B malware by poisoning the peer lists and routing tables in the lower layers of command and control. This will prevent the botnet operator from doing any more harm with this set of infected computers. Control of the botnet, with over 129,000 infected hosts, was successfully obtained. These bots are no longer in control of the botherder and, as a result, are no longer involved in sending spam, the primary malicious activity of this botnet. The hosts resided primarily in Poland (24%) and were primarily running the old operating system Windows XP (84%). The command-and-control infrastructure was abandoned by the gang that was operating the botnet two days after the operation. We can say that the Kelihos.B/Hlux.B botnet was successfully disabled. For more information, we refer to: http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html, http://newsroom.kaspersky.eu/en/texts/detail/article/how-kaspersky-lab-and-crowdstrike-dismantled-the-second-hluxkelihos-botnet-success-story, http://www.secureworks.com/research/threats/waledac_kelihos_botnet (read more)</description><link>http://www.secuobs.com/revue/news/367383.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367383.shtml</guid></item>
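The post above describes the mechanism only in one sentence: bots are cut off from the herder by poisoning the peer lists they exchange in the lower layer of the P2P command and control. The following toy simulation, added here as an illustration and not taken from the operation's tooling or from Kelihos.B itself, shows why that works. It assumes a protocol weakness that the sketch needs and that the post does not describe in detail: bots keep a fixed-size, newest-first peer list and accept a peer list from any node without authentication. Researcher-controlled "sinkhole" nodes answer every peer request with a list that contains only sinkhole addresses, and a crawler follows every bot address it harvests. PEER_LIST_SIZE, the bot and sinkhole names, and the seed bots are placeholders.

```python
"""Toy simulation of sinkholing a P2P botnet by poisoning peer lists (constructed example)."""
import random
from dataclasses import dataclass, field

PEER_LIST_SIZE = 20  # assumption: entries a bot keeps, newest first


@dataclass
class Bot:
    addr: str
    peers: list = field(default_factory=list)

    def learn(self, offered):
        """Merge an offered list in front of the current one and trim to PEER_LIST_SIZE.
        Offered entries displace the oldest known peers, which is what poisoning relies on."""
        merged = [p for p in offered if p != self.addr]
        for p in self.peers:
            if p not in merged:
                merged.append(p)
        self.peers = merged[:PEER_LIST_SIZE]


@dataclass
class Sinkhole:
    addrs: list                               # addresses the researchers control
    known: set = field(default_factory=set)   # bot addresses harvested so far


@dataclass
class Network:
    bots: dict
    sink: Sinkhole
    rng: random.Random


def build_network(n_bots, n_sinkholes, seed=0, initial_peers=10, seeds=3):
    """Random initial peer graph; the sinkhole starts knowing a few bots (assumption: found by crawling)."""
    rng = random.Random(seed)
    addrs = [f"bot-{i}" for i in range(n_bots)]
    bots = {a: Bot(a, rng.sample([b for b in addrs if b != a], initial_peers)) for a in addrs}
    sink = Sinkhole([f"sink-{i}" for i in range(n_sinkholes)])
    if n_sinkholes > 0:
        sink.known.update(rng.sample(addrs, seeds))
    return Network(bots, sink, rng)


def pull(net, asker, target):
    """Normal peer exchange: the asker fetches the target's list; the target records the asker."""
    asker.learn(list(target.peers))
    target.learn([asker.addr])


def sink_contact(net, bot):
    """Any contact with a sinkhole: it harvests the bot's address and its contacts, then hands
    back a list made only of sinkhole addresses."""
    net.sink.known.add(bot.addr)
    net.sink.known.update(p for p in bot.peers if p in net.bots)
    bot.learn(list(net.sink.addrs))


def step(net):
    """One round: every bot pulls from one random peer, then the sinkhole pushes its list to every
    bot it knows, following newly harvested addresses until nothing new turns up (a crawler)."""
    for bot in list(net.bots.values()):
        if not bot.peers:
            continue
        peer = net.rng.choice(bot.peers)
        if peer in net.bots:
            pull(net, bot, net.bots[peer])
        else:
            sink_contact(net, bot)
    pushed = set()
    while True:
        pending = [a for a in net.sink.known if a not in pushed]
        if not pending:
            break
        for a in pending:
            sink_contact(net, net.bots[a])
            pushed.add(a)


def isolated_fraction(net):
    """Share of bots whose entire peer list points at sinkholes, i.e. bots the herder can no longer reach."""
    sinks = set(net.sink.addrs)
    cut = [b for b in net.bots.values() if b.peers and all(p in sinks for p in b.peers)]
    return len(cut) / len(net.bots)


def run(net, rounds):
    """Returns the isolated fraction after each round."""
    history = []
    for _ in range(rounds):
        step(net)
        history.append(isolated_fraction(net))
    return history


if __name__ == "__main__":
    net = build_network(n_bots=200, n_sinkholes=PEER_LIST_SIZE, seed=1)
    for r, frac in enumerate(run(net, rounds=5), 1):
        print(f"round {r}: {frac:.0%} of bots see only sinkholes, {len(net.sink.known)} bots harvested")
```

Two properties of the model are worth noticing. Because the bot keeps the newest entries, the sinkhole has to offer at least PEER_LIST_SIZE addresses to displace every old contact; with fewer, bots keep a tail of genuine peers and the herder keeps a path in. And because a sinkhole harvests the peer list of every bot that talks to it, enumeration and poisoning are the same traffic, which is why the real operation could report a host count at the same time as it took control.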
<item><title>Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown</title><description>Secuobs.com : 2012-03-31 23:31:48 - Blog postings from honeynet.org - Earlier, we posted about our operation on the Kelihos.B/Hlux.B botnet takedown that was conducted by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project. On initial view, the operation seems very clear cut: the bad guys are running a botnet that is wreaking havoc on the Internet; on the other side are the good guys, who have found a way to disable the botnet. The situation is much more nuanced. The Honeynet Project has been conducting security research for over a decade now and, since our early days, we made it a priority to balance benefits and risks in our research. You can trace this back to when the Honeynet Project first defined "data control" as one of the requirements for honeynet/honeypot deployments. The purpose of data control was to minimize potential harm to others resulting from honeypots, which by their nature are vulnerable systems we expect to be compromised and used by malicious actors. We do what we do because people with malicious and criminal intent are compromising and abusing millions of computers around the globe. These people do not act in ways that are moral, ethical, or legal. But in trying to counter them, we cannot allow ourselves to similarly disregard our moral, ethical, or legal obligations. If we do, we become no different from them. We believe that pushing the boundaries in the computer security field and engaging in cutting-edge research brings with it a responsibility to act in an ethical manner. Risks may emerge from botnet takedowns, and the Kelihos botnet takedown operation is no different. What are the benefits? What are the risks? How do they balance each other? Do our actions jeopardize legal investigations? These are all questions that need to be considered, and the outcome will determine how to proceed. In the situation of the Kelihos botnet, the determination was to proceed with the botnet takedown (see below for a detailed assessment). In other situations, the determination and plan of action may be different. In the instance of Zeus, for instance, legal action may be necessary. The Honeynet Project is committed to conducting research in a moral, ethical, and legal way. Weighing risks and benefits, an important aspect of conducting research in such a way, is what every researcher implicitly does. However, the risk of not considering all aspects of the research exists. As a result, the Honeynet Project, under the leadership of our Chief Ethics and Legal Officer Dave Dittrich, has developed a code of conduct that guides researchers through the process in a systematic manner. Today, we are publishing a draft of this code of conduct. We hope you find the code of conduct useful and are looking forward to your thoughts and comments. (read more)</description><link>http://www.secuobs.com/revue/news/367382.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367382.shtml</guid></item>
<item><title>Rapid7 Sponsors Androguard and Cuckoo Sandbox in the First Round of the Magnificent7 Program</title><description>Secuobs.com : 2012-03-30 12:26:40 - Blog postings from honeynet.org - We are proud and happy to announce that Cuckoo Sandbox and AndroGuard were chosen by Rapid7 for its Magnificent7 Program, an initiative created to fuel the success of seven bleeding-edge open source projects and backed by a fund of $100,000. Cuckoo Sandbox and AndroGuard are respectively developed by Claudio Guarnieri and Anthony Desnos and were mentored during previous GSoCs. Congratulations to Claudio and Anthony! (read more)</description><link>http://www.secuobs.com/revue/news/367132.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/367132.shtml</guid></item>
<item><title>Thoughts on Microsoft's "Operation b71" Zeus botnet civil legal action</title><description>Secuobs.com : 2012-03-28 07:22:58 - Blog postings from honeynet.org - On Sunday, March 25, Microsoft announced that for the fourth time they had gone to a federal court and successfully obtained an ex parte temporary restraining order (TRO) to seize domain names from botnet operators. For the second time, the court has also ordered US Marshals to accompany Microsoft and others to serve search warrants and seize evidence that can be used in future civil or criminal actions. (read more)</description><link>http://www.secuobs.com/revue/news/366632.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/366632.shtml</guid></item>
<item><title>Low-interaction honeyclient Thug released</title><description>Secuobs.com : 2012-03-20 00:21:52 - Blog postings from honeynet.org - I'm glad to announce that I finally publicly released a brand new low-interaction honeyclient I have been working on for a few months now. The project name is Thug and it was publicly presented a few hours ago during the Honeynet Project Security Workshop at Facebook HQ in Menlo Park. Please take a look at the attached presentation for details about Thug. Just a few highlights about Thug: DOM (almost) compliant with the W3C DOM Core and HTML specifications (Level 1, 2 and partially 3) and partially compliant with the W3C DOM Events and Style specifications. (read more)</description><link>http://www.secuobs.com/revue/news/364733.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/364733.shtml</guid></item>
<item><title>Forensic Challenge 11 - "Dive Into Exploit"</title><description>Secuobs.com : 2012-03-20 00:21:52 - Blog postings from honeynet.org - I am pleased to announce a new forensic challenge: Forensic Challenge 11 - "Dive Into Exploit". The challenge has been created by Georg Wicherski from Giraffe Chapter. Submission deadline is May 31st and we will be announcing winners (if any) around the last week of June 2012. Have fun! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/364732.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/364732.shtml</guid></item>
<item><title>Last chance for early bird registration</title><description>Secuobs.com : 2012-03-05 22:03:04 - Blog postings from honeynet.org - Early bird registration for our 2012 Honeynet Project Security Workshop ends today. The workshop will be held at the Facebook offices in the SF Bay Area. Secure your spot today for the workshop or one of the eleven hands-on training sessions we are offering. You can check out the agenda and training sessions at https://honeynet.org/SecurityWorkshops/2012_SF_Bay_Area. Hope to see you there! Christian Seifert, CEO, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/361531.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/361531.shtml</guid></item>
<item><title>Forensic Challenge 10 - "Attack Visualization" - And the winners are</title><description>Secuobs.com : 2012-02-16 13:53:53 - Blog postings from honeynet.org - Folks, Ben Reardon has judged all submissions and results have been posted on the challenge page. The winners are: 1. Fabian Fischer, 2. Chris Horsely, 3. Fraser Scott, 4. Dan Gleebits, 5. Johnathan Tracz. Take a look at Ben's blog post for additional details. Congratulations to the winners and thanks to the other participants! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/358207.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/358207.shtml</guid></item>
<item><title>Congratulations to the winners of Forensic Challenge FC10 - Attack Visualization</title><description>Secuobs.com : 2012-02-16 12:23:16 - Blog postings from honeynet.org - While the quantity of submissions for FC10 was lower than usual (we had expected this because of the amount of work required to submit, plus being over the Christmas break), the quality of the solutions was really inspiring. Of course the hardest part was deciding the winners, and as expected the traditional scoring method was not ideal for this type of challenge, because the challenge was about creating and developing ideas rather than just answering a number of dry questions. Quite a few people used the challenge not so much to win a prize, but to have fun, develop an idea they've had, practice on some real datasets, learn, and teach. This was exactly the spirit we'd hoped for, so thanks to everyone for putting in a big effort. The winners and their solutions: Fabian Fischer (solution), Chris Horsely (solution), Fraser Scott (solution), Dan Gleebits (solution), Johnathan Tracz (solution). The standout theme in the submissions for me was the use of interactive and flexible tools to analyse the data. As we move further into the big data world, it's going to be imperative to get inside the data interactively to understand it. Some of the solutions focused on developing brand new application frameworks to interactively explore data sets; check out the submissions from Fabian and Chris as really good examples of this, while Fraser put forward the idea of rendering images in 3D, which is not that far-out an idea actually, why not? We hope that this challenge was enjoyable for those who participated, and for those downloading the submissions for inspiration. These challenges have a long legacy; we see people downloading, attempting and referencing these challenges and the solutions for education purposes years afterwards, so they are an important program at the Honeynet Project. It would be great to see solutions to future forensic challenges use visualization, not only to analyse and detect trends, but also to describe the problem space to the layperson. With that said, the next Forensic Challenge, FC11, should be released shortly, so stay tuned. And lastly, if anyone wants to develop their ideas further, a good way (i.e. get paid if you are accepted) is to get involved in our upcoming Google Summer of Code program, GSOC12. - Australian Chapter (read more)</description><link>http://www.secuobs.com/revue/news/358193.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/358193.shtml</guid></item>
<item><title>Malwr.com, powered by Cuckoo</title><description>Secuobs.com : 2012-01-25 17:58:32 - Blog postings from honeynet.org - We are proud and happy to announce that a new free malware analysis online service is born. Malwr.com is based on Cuckoo Sandbox, a project mentored by the Honeynet Project, sponsored by GSoC and developed by Claudio "nex" Guarnieri (botherder), Dario Fernandes and Alessandro "jekil" Tanasi. Malwr.com hosting is provided by ShadowServer. If you want to test Cuckoo's flavor before installing it, or if you're too lazy to deploy your own sandbox, just go there: http://malwr.com, http://cuckoobox.org (read more)</description><link>http://www.secuobs.com/revue/news/354062.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/354062.shtml</guid></item>
<item><title>Forensic Challenge 10 "Attack Visualization" - Submission deadline passed</title><description>Secuobs.com : 2012-01-19 11:00:46 - Blog postings from honeynet.org - Folks, the submission deadline for Forensic Challenge 10 "Attack Visualization" (put up by Ben Reardon from Australia Chapter) has passed. We have received 3 submissions and will be announcing results on Wed, Feb 29th 2012. The top submissions will be awarded little prizes. Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/352928.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/352928.shtml</guid></item>
<item><title>Cuckoo 0.3.1 released</title><description>Secuobs.com : 2012-01-03 09:00:10 - Blog postings from honeynet.org - Cuckoo Sandbox 0.3.1 has been released. The most interesting improvements include: an extensive book guiding you from setup to customization; an improved analysis results processing engine; a modular reporting engine with default HTML, TXT and JSON reports being generated; a minimal web server interface that allows you to browse, search and view HTML reports; introduction of support for URL submission; UDP connections extraction; a cool new logo :-) and a lot of other things you can find listed in the CHANGELOG file. (read more)</description><link>http://www.secuobs.com/revue/news/349998.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/349998.shtml</guid></item>
<item><title>Forensic Challenge 10 - "Attack Visualization" - Deadline Extended</title><description>Secuobs.com : 2011-12-19 15:28:40 - Blog postings from honeynet.org - Taking a look at the first submissions, it seems like more time is needed in order to solve Forensic Challenge 10 - "Attack Visualization". For this reason we decided to extend the submission deadline to January 22nd, 2012. Have fun! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/347984.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/347984.shtml</guid></item>
<item><title>HoneySpider Network Capture-HPC NG is out</title><description>Secuobs.com : 2011-12-07 14:46:26 - Blog postings from honeynet.org - Client honeypots are tools that actively search servers for malicious data like malware, exploits, malicious PDF files, etc. The Polish Chapter just released a new version of Capture-HPC, originally developed by Christian Seifert and Ramon Steenson of the New Zealand Chapter. Capture-HPC focuses primarily on attacks against, or involving the use of, web browsers. It is available for download as a binary Debian package on the Polish Chapter webpage (http://pl.honeynet.org). Source code is made available via github. (read more)</description><link>http://www.secuobs.com/revue/news/345834.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/345834.shtml</guid></item>
<item><title>A new Cuckoo hatched its egg</title><description>Secuobs.com : 2011-11-25 13:34:22 - Blog postings from honeynet.org - Overview: Cuckoo Sandbox is an open source automated dynamic malware analysis system designed to analyze and report on suspicious files. Cuckoo started as a Google Summer of Code project in 2010 within The Honeynet Project. It was designed and developed by Claudio Guarnieri, who still maintains the project and leads its development efforts. Cuckoo was selected again this year for Google Summer of Code 2011 with The Honeynet Project, and Dario Fernandes joined the team. The work done in the last months led to the release of the 0.2 version. (read more)</description><link>http://www.secuobs.com/revue/news/343808.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/343808.shtml</guid></item>
<item><title>WireShnork - A Snort plugin for Wireshark</title><description>Secuobs.com : 2011-11-17 09:31:52 - Blog postings from honeynet.org - The goal of GSoC 2011 project #8 was to add forensics features to the popular Wireshark network analyzer. Wireshark is an open source network analyzer widely used for network debugging as well as security analysis. Wireshark provides a network analyzer with a graphical interface as well as command line tools. Wireshark also provides network protocol decoders and supports filters that allow searching through packets with keywords. The GSoC plugins extend Wireshark's capabilities when Wireshark is used to analyze network traffic with security and forensics in mind. (read more)</description><link>http://www.secuobs.com/revue/news/341147.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/341147.shtml</guid></item>
<item><title>Forensic Challenge 10 - "Attack Visualization"</title><description>Secuobs.com : 2011-11-01 00:20:47 - Blog postings from honeynet.org - I am pleased to announce the next forensic challenge: Forensic Challenge 10 - "Attack Visualization". The challenge has been created by Ben Reardon from Australia Chapter. Submission deadline is December 18th and we will be announcing winners around the last week of January 2012. We have a few small prizes for the top three submissions. Have fun! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/337919.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/337919.shtml</guid></item>
<item><title>Forensic Challenge 9 - "Mobile Malware" - And the winners are</title><description>Secuobs.com : 2011-10-31 11:17:58 - Blog postings from honeynet.org - Folks, Frank, Mahmud, Azizan and Matt have judged all submissions and results have been posted on the challenge web site. The winners are: 1. Emilien Girault, 2. Yuhao Luo, Wenbo Yang and Juanru Li, 3. José Lopes Esteves. Really, congratulations to the winners and thanks to the other participants. Stay tuned, because a new challenge is going to start in the next hours! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/337781.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/337781.shtml</guid></item>
<item><title>Forensic Challenge 9 - "Mobile Malware" - Submission deadline passed</title><description>Secuobs.com : 2011-10-01 18:00:57 - Blog postings from honeynet.org - Folks, the submission deadline for Forensic Challenge 9 - "Mobile Malware" (put up by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from Malaysia Chapter and Matt Erasmus from South Africa Chapter) has passed. We have received 6 submissions and will be announcing results on Wed, Oct 31st 2011. The top three submissions will be awarded little prizes. Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/332136.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/332136.shtml</guid></item>
<item><title>SIP Module for Dionaea</title><description>Secuobs.com : 2011-09-27 09:40:42 - Blog postings from honeynet.org - The Honeynet Project mentored 12 projects this year for the Google Summer of Code (GSoC). The 11th project was to extend the SIP module for Dionaea to handle SIP over UDP, TCP and even TLS. With the TLS part, Dionaea can even emulate a Microsoft Lync server. The TLS part was not part of the original scope, but hard work made that possible as well. Dionaea's intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware. With the SIP (read more)</description><link>http://www.secuobs.com/revue/news/331229.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/331229.shtml</guid></item>
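What a SIP honeypot module actually has to do, whatever the transport underneath (the request text is identical over UDP, TCP and TLS), is parse the request, answer the handful of methods scanners send, and record what they sent. The handler below is an added example written for this page, not Dionaea's SIP module: it answers OPTIONS with 200 OK, challenges REGISTER with a Digest nonce (so credential-guessing tools reveal the usernames they try), accepts INVITE, and logs method, URI and User-Agent. SERVER_NAME, REALM and the sample request are constructed; the "friendly-scanner" User-Agent is the banner of the widely used SIPVicious scanner.

```python
"""Minimal SIP request handler for a low-interaction honeypot (constructed example)."""
import secrets

SERVER_NAME = "Honeypot-SIP/1.0"   # assumption: banner string, not Dionaea's
REALM = "sip.example.org"          # assumption


def parse_request(raw):
    """Split a SIP request into (method, request-uri, headers, body); header names are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    try:
        method, uri, version = lines[0].split(" ", 2)
    except ValueError:
        raise ValueError("malformed request line: %r" % lines[0])
    if version != "SIP/2.0":
        raise ValueError("unsupported version %r" % version)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header %r" % line)
        headers[name.strip().lower()] = value.strip()
    return method.upper(), uri, headers, body


def build_response(code, reason, request_headers, extra=None):
    """Echo the dialog headers (Via, From, To, Call-ID, CSeq) back, as RFC 3261 requires of every response."""
    lines = ["SIP/2.0 %d %s" % (code, reason)]
    for h in ("via", "from", "to", "call-id", "cseq"):
        if h in request_headers:
            lines.append("%s: %s" % (h.title(), request_headers[h]))
    lines.append("Server: " + SERVER_NAME)
    for k, v in (extra or {}).items():
        lines.append("%s: %s" % (k, v))
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def handle(raw, log, nonce=None):
    """Return the response text for one request and append an event dict to log (a list)."""
    method, uri, headers, body = parse_request(raw)
    event = {"method": method, "uri": uri, "user_agent": headers.get("user-agent", ""),
             "from": headers.get("from", "")}
    if method == "OPTIONS":
        resp = build_response(200, "OK", headers, {"Allow": "INVITE, ACK, CANCEL, OPTIONS, BYE, REGISTER"})
    elif method == "REGISTER":
        if "authorization" in headers:
            event["authorization"] = headers["authorization"]   # the credential attempt we wanted to capture
            resp = build_response(403, "Forbidden", headers)
        else:
            nonce = nonce or secrets.token_hex(8)
            chal = 'Digest realm="%s", nonce="%s", algorithm=MD5' % (REALM, nonce)
            resp = build_response(401, "Unauthorized", headers, {"WWW-Authenticate": chal})
    elif method == "INVITE":
        event["sdp"] = body          # the offered media description, useful for fingerprinting
        resp = build_response(200, "OK", headers)
    else:
        resp = build_response(501, "Not Implemented", headers)
    event["status"] = int(resp.split(" ", 2)[1])
    log.append(event)
    return resp


# Constructed sample of what a scanner sends first; addresses are documentation ranges.
SAMPLE_OPTIONS = (
    "OPTIONS sip:100@10.0.0.5 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK-1\r\n"
    "From: sip:100@203.0.113.7;tag=a1\r\n"
    "To: sip:100@10.0.0.5\r\n"
    "Call-ID: c1@203.0.113.7\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    events = []
    print(handle(SAMPLE_OPTIONS, events))
    print(handle(SAMPLE_OPTIONS.replace("OPTIONS", "REGISTER"), events))
    print(events)
```

The 401 challenge is the interesting design choice: a honeypot that silently accepts REGISTER learns nothing, while one that challenges and then rejects gets the username and Digest response of every guess, which is exactly the data a SIP brute-forcer leaks.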
<item><title>HoneySink Beta Release</title><description>Secuobs.com : 2011-09-11 15:21:32 - Blog postings from honeynet.org - The Beta version of HoneySink is out! What is HoneySink? HoneySink is an open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network. Able to be deployed both internally and externally, it is designed to log and respond to incoming requests for a number of network protocols. With configuration and scalability in mind, HoneySink was designed from the ground up with a non-blocking architecture to handle extremely large amounts of traffic while being able to perform customised interactions and logging. - Australian Chapter (read more)</description><link>http://www.secuobs.com/revue/news/328234.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/328234.shtml</guid></item>
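The post describes a sinkhole by its three jobs: log every request, answer it so the infected host believes it reached its server, and do so without blocking on any one client. The following DNS sinkhole is an added example of those three jobs in working code, not HoneySink's own implementation: it parses the query, records the name asked for, answers A/IN questions with an address the defender controls, and serves from a single asyncio datagram handler. SINK_IP, the port and the queried names are placeholders; the wire format follows RFC 1035 and the handler accepts one question per packet.

```python
"""Non-blocking DNS sinkhole that logs queries and answers A records with a defender-controlled
address (constructed example)."""
import asyncio
import socket
import struct

SINK_IP = "10.0.0.1"   # assumption: address the sinkhole answers with


def parse_qname(data, offset):
    """Decode a (possibly compressed) DNS name at offset; returns (name, offset after the name)."""
    labels, hops, jumped, end = [], 0, False, offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length >= 0xC0:                       # compression pointer (top two bits set)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] - 0xC000
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard recursive query (used here to produce constructed test traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def handle_query(data, log, sink_ip=SINK_IP):
    """Build the sinkhole reply for one query packet and record what was asked."""
    if not len(data) >= 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    qname, offset = parse_qname(data, 12)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    question = data[12:offset + 4]
    log.append({"qname": qname, "qtype": qtype})
    if qtype == 1 and qclass == 1:                 # A/IN: point the victim at us
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(sink_ip)
        ancount = 1
    else:                                          # anything else: NOERROR with an empty answer
        answer, ancount = b"", 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)   # QR, RD and RA set
    return header + question + answer


def decode_reply(reply):
    """Read back txid, answer count and the first A record (sanity check for handle_query's output)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    _, offset = parse_qname(reply, 12)
    offset += 4
    ip = None
    if an > 0:
        _, offset = parse_qname(reply, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", reply[offset:offset + 10])
        ip = socket.inet_ntoa(reply[offset + 10:offset + 10 + rdlen])
    return {"txid": txid, "ancount": an, "ip": ip}


class SinkholeProtocol(asyncio.DatagramProtocol):
    """One callback per datagram: no thread and no blocking call per client."""
    def __init__(self, log):
        self.log = log

    def connection_made(self, transport):
        self.transport = transport

    def datagram_received(self, data, addr):
        try:
            reply = handle_query(data, self.log)
        except (ValueError, IndexError, struct.error) as exc:
            self.log.append({"error": str(exc), "src": addr})   # malformed input is logged, never answered
            return
        self.transport.sendto(reply, addr)


async def serve(log, host="0.0.0.0", port=5353):
    loop = asyncio.get_running_loop()
    transport, _ = await loop.create_datagram_endpoint(lambda: SinkholeProtocol(log), local_addr=(host, port))
    try:
        await asyncio.Event().wait()
    finally:
        transport.close()


if __name__ == "__main__":
    events = []
    reply = handle_query(build_query("c2.example"), events)   # constructed offline query
    print(decode_reply(reply), events)
```

Run asyncio.run(serve(events)) to listen; the offline path in the main block exercises the same handler without opening a socket. Keeping the parser strict (one question, bounded pointer hops, exceptions turned into log entries) matters more on a sinkhole than on an ordinary resolver, because everything that reaches it is, by definition, hostile or broken.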
<item><title>cuckooHide - Hiding CuckooBox from trivial detection mechanisms</title><description>Secuobs.com : 2011-09-10 02:18:11 - Blog postings from honeynet.org - The last part of Google Summer of Code 2011 was used to implement a Windows kernel driver responsible for hiding files and folders. This new component will be used to conceal the Cuckoo Box components present in the analysis environment. With this measure it's possible to avoid some malware detecting CuckooBox through an environment check that looks for specific files or folders. The driver was implemented as a filter driver to keep it independent of the Windows version used in the environment, not using any kind (read more)</description><link>http://www.secuobs.com/revue/news/328116.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/328116.shtml</guid></item>
<item><title>DroidBox beta release</title><description>Secuobs.com : 2011-09-02 12:37:20 - Blog postings from honeynet.org - The beta version is out and the install instructions are available on the project webpage. The new features are: prevent some emulator evasion techniques; added visualization of analysis results; automated app installation and execution; displaying analysis information about the APK; static pre-check extracts the app's registered Intents. The following figures show the new visualization added to the beta version: DroidBox treemap; DroidBox behavior graph. (read more)</description><link>http://www.secuobs.com/revue/news/326689.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326689.shtml</guid></item>
<item><title>Forensic Challenge 9 - "Mobile Malware" - Deadline Extended</title><description>Secuobs.com : 2011-09-01 15:56:24 - Blog postings from honeynet.org - Taking a look at the small number of submissions we received, it seems like August is a perfect month for the seaside but not for a Forensic Challenge. For this reason we decided to extend the submission deadline to September 30th. The submissions received before the old deadline (September 4th) will be granted a few extra bonus points. Have fun! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/326498.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326498.shtml</guid></item>
<item><title>Forensic Challenge 8 - "Malware Reverse Engineering" - And the winners are</title><description>Secuobs.com : 2011-09-01 14:01:49 - Blog postings from honeynet.org - Folks, Guido and I have judged all submissions and results have been posted on the challenge web site. The winners are: 1. Lutz Schildt, 2. Sebastian Eschweiler, 3. Luka Milković. This was one of the most difficult challenges we ever proposed, so really, congratulations to the winners and thanks to the other participants! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/326480.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326480.shtml</guid></item>
<item><title>Beta release of libemu qemu extension</title><description>Secuobs.com : 2011-08-30 22:36:23 - Blog postings from honeynet.org - As part of this year's Summer of Code, I programmed an extension for the shellcode detection and analysis library libemu. The main goal of the project was to increase the performance when executing shellcode, with the help of a virtualizer. Prior to this extension, libemu made use of a custom emulator, which supported only the instructions mostly used in shellcode. With this extension, libemu utilizes a full-blown, completely functioning virtualizer, which executes code presumably the same way a real CPU does. (read more)</description><link>http://www.secuobs.com/revue/news/326142.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326142.shtml</guid></item>
<item><title>HoneyViz demo is out for your viewing pleasure</title><description>Secuobs.com : 2011-08-28 01:43:29 - Blog postings from honeynet.org - We've set up a demonstration site for HoneyViz (Project #3) at http 5016162188 6174 (read more)</description><link>http://www.secuobs.com/revue/news/325604.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/325604.shtml</guid></item>
<item><title>APKInspector BETA Release and Demo Video</title><description>Secuobs.com : 2011-08-24 06:44:16 - Blog postings from honeynet.org - As the deadline of GSoC has passed, I would like to announce APKinspector Beta 1.0. APKinspector is a tool to help Android application analysts and reverse engineers analyze compiled Android packages and their corresponding code. You can review the Alpha version report and the page of this project to know more about it. Click the picture below to watch a full demonstration video of APKInspector (APKInspector Demo Video). Chinese viewers may view the demo at http://v.youku.com/v_show/id_XMjk3ODAwMzU2.html. Based on the Alpha release, APKinspector has added some features as follows: - RoT-1 Chapter (read more)</description><link>http://www.secuobs.com/revue/news/324858.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/324858.shtml</guid></item>
<item><title>AxMock is released for your review</title><description>Secuobs.com : 2011-08-19 19:29:04 - Blog postings from honeynet.org - We set up a project on Google Code; you can browse AxMock at http://code.google.com/p/axmock. AxMock is a detection tool for malicious webpages attacking ActiveX controls. It runs in Internet Explorer 7 and the formal version. It is tested in Visual Studio 2008 and Python 2.6 with the pywin32 package, though I believe that you can also compile it in later versions. For more usage information, please check out the Wiki on my project's Google Code page. (read more)</description><link>http://www.secuobs.com/revue/news/324120.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/324120.shtml</guid></item>
<item><title>Webviz is out for your reviews</title><description>Secuobs.com : 2011-08-12 16:13:42 - Blog postings from honeynet.org - While the "pencils down" date is approaching, I would like to announce the latest situation of the Webviz project. Since the last time, there have been some changes to the visualization: the size of the visualization increased; a better map is used as the base map; the mesh working principle changed from country-based to IP-based, and the returned database results are grouped by IP; legends are more detailed; for better distributed results, an IP set collected over a long period was also added to the database. The latest result is as below: Webviz Preview (read more)</description><link>http://www.secuobs.com/revue/news/322743.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/322743.shtml</guid></item>
<item><title>Implementation: the whole hooking and some modules</title><description>Secuobs.com : 2011-08-11 19:38:18 - Blog postings from honeynet.org - The whole implementation mainly consists of 4 modules: central controller, emulator, dummy control and list. The central controller is a dynamic link library written in C. The emulator and dummy control are COM components written in Python and registered in the registry by win32com.server.register.UseCommandLine. The list is a text file in a certain format to read and modify. (read more)</description><link>http://www.secuobs.com/revue/news/322558.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/322558.shtml</guid></item>
<item><title>cHook - The new CuckooBox Hooking Engine</title><description>Secuobs.com : 2011-08-11 01:48:25 - Blog postings from honeynet.org - Cuckoo Sandbox is a malware analysis system capable of outlining the behavior of a malware sample during its execution. In order to generate such results, Cuckoo hooks a number of selected Windows functions, intercepts their calls and, after storing the relevant information and possibly performing additional actions, returns execution to the original code. Until now it made use of the latest Microsoft Detours Express. Part of the work of this Google Summer of Code was to implement a custom hooking engine to completely replace the old one. (read more)</description><link>http://www.secuobs.com/revue/news/322381.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/322381.shtml</guid></item>
<item><title>Forensic Challenge 9 - "Mobile Malware"</title><description>Secuobs.com : 2011-08-03 19:51:21 - Blog postings from honeynet.org - I am pleased to announce the next forensic challenge: Forensic Challenge 9 - "Mobile Malware". The challenge has been created by Franck Guenichot from French Chapter, Mahmud Ab Rahman and Azizan from Malaysia Chapter and Matt Erasmus from South Africa Chapter. Submission deadline is September 4th and we will be announcing winners around the third week of September. We have a few small prizes for the top three submissions. Have fun! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/320863.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320863.shtml</guid></item>
<item><title>Forensic Challenge 8 - Submission deadline passed</title><description>Secuobs.com : 2011-08-01 17:46:25 - Blog postings from honeynet.org - Folks, the submission deadline for Forensic Challenge 8 - "Malware Reverse Engineering" (put up by Guido Landi and Angelo Dell'Aera from the Sysenter Chapter) has passed. We have received 6 submissions and will be announcing results on Wed, Aug 31st 2011. The top three submissions will be awarded little prizes. For your information, a new Forensic Challenge will start in a few hours. This time you will be asked to dive into the mobile malware world. Stay tuned! Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/320348.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320348.shtml</guid></item>
<item><title>APKinspector: the alpha release of project 6</title><description>Secuobs.com : 2011-07-26 04:51:47 - Blog postings from honeynet.org - The GUI tool for static analysis of Android malware is ready for an alpha release. For more details regarding this project, check here. In the alpha release, the following features have been finished: 1. show the CFG (control flow graph) for a given method; 2. show the smali code for a given method; 3. show the Java code for a given Java file; 4. show the bytecodes for a given method; 5. show all strings, methods and classes; 6. show the APK's related information; 7. drag and zoom in/out the CFG. (read more)</description><link>http://www.secuobs.com/revue/news/319220.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319220.shtml</guid></item>
<item><title>DroidBox - alpha release</title><description>Secuobs.com : 2011-07-14 21:14:41 - Blog postings from honeynet.org - The Android application sandbox is now ready for an alpha release. Details on how to get DroidBox running are available at the project webpage. At the moment, the following actions are logged during runtime: file read and write operations; cryptography API activity; opened network connections; outgoing network traffic; information leaks through the following sinks: network, file, SMS; attempts to send SMS; phone calls that have been made ...</description><link>http://www.secuobs.com/revue/news/317041.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/317041.shtml</guid></item>
<item><title>Midterm Report: The sniffer and emulator for COM components</title><description>Secuobs.com : 2011-07-08 22:29:03 - Blog postings from honeynet.org - By now, what I have done for Capture-HPC is: ...</description><link>http://www.secuobs.com/revue/news/315912.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315912.shtml</guid></item>
<item><title>Midterm Report: Project 6 (Static Analysis of Android Malware)</title><description>Secuobs.com : 2011-07-08 11:18:22 - Blog postings from honeynet.org - For the forthcoming midterm evaluation of GSoC 2011, I made a lot of progress with the code and now I'm about to publish the alpha release. Before the alpha release is released, I have decided to post a blog entry to inform everyone about the progress of project 6 (Static Analysis of Android Malware). Our tool is written with PyQt, which is a great interface to Qt for Python. It is very easy to design the UI with Qt Designer. Qt contains lots of libraries to support a pretty UI framework. What's more, Qt supports cross-platform applications. Figure 1: The main Android Static Analysis UI window ...</description><link>http://www.secuobs.com/revue/news/315805.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315805.shtml</guid></item>
<item><title>Summary on Webviz Project</title><description>Secuobs.com : 2011-07-05 09:35:37 - Blog postings from honeynet.org - The review period is coming and I decided to write an entry to inform about the Webviz project. Till now the first output of the project is a proof of concept work (1) (requires a WebGL-supported browser, tested on Firefox 5 and Firefox 4; on other browsers I don't guarantee it works fine): WebGL Globe Visualization for the hpfeeds data. The figure displays the visualized data. The elevations correspond to the geographical malware numbers. The more malware detected, the higher the peaks, represented with changing color ...</description><link>http://www.secuobs.com/revue/news/315154.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315154.shtml</guid></item>
<item><title>Conficker.A going down</title><description>Secuobs.com : 2011-07-01 16:57:45 - Blog postings from honeynet.org - Conficker contains a piece of code that has been the object of speculation: it does not infect boxes located in the Ukraine. Before sending an exploit, it performs a lookup against Maxmind's GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind's server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to the Ukraine ... (Giraffe Chapter)</description><link>http://www.secuobs.com/revue/news/314732.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314732.shtml</guid></item>
<item><title>Dissecting the SotM Attack Trace Pcap</title><description>Secuobs.com : 2011-07-01 16:57:45 - Blog postings from honeynet.org - Hi everybody, our first Scan of the Month Challenge in 2010 is over. We received 91 submissions in total, and some parts of the solutions are so interesting that I would like to publicly highlight them in this post. Now that the winners are announced (congratulations Ivan, Franck, and Tareq), I think I also owe you an explanation of why we asked the specific questions and what we expected as answers. I am sure you will be surprised how many pieces of information you can dig up in a plain pcap - I was indeed when I had a look at the solutions we received. Enjoy! (Giraffe Chapter) ...</description><link>http://www.secuobs.com/revue/news/314731.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314731.shtml</guid></item>
<item><title>Forensic Challenge 8 - "Malware Reverse Engineering" - Deadline Extended Again</title><description>Secuobs.com : 2011-07-01 10:44:32 - Blog postings from honeynet.org - We are realizing that the Forensic Challenge 8 - "Malware Reverse Engineering" - is really difficult to solve, because right now we received just 5 submissions. For this reason we decided to extend the submission deadline again to July 31st. Those who already submitted a solution before June 30th are granted the possibility to submit again, thus taking advantage of this one-month extra time. Moreover, a few extra bonus points will be assigned to them. Have fun. Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/314668.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314668.shtml</guid></item>
<item><title>Forensic Challenge 8 - "Malware Reverse Engineering" - 4 days left</title><description>Secuobs.com : 2011-06-27 11:21:54 - Blog postings from honeynet.org - Folks, Forensic Challenge 8 - "Malware Reverse Engineering" - put up by Guido Landi and Angelo Dell'Aera from the Sysenter Chapter is in full swing. Submissions are due by June 30th, so if you want to participate, you have 4 days left. We award little prizes for the top three submissions. Hope to see your submission. Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/313723.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/313723.shtml</guid></item>
<item><title>DroidBox - testing with Geinimi sample</title><description>Secuobs.com : 2011-06-22 16:02:16 - Blog postings from honeynet.org - One of the very first pieces of Android malware, Geinimi, has been analyzed in the application sandbox DroidBox that is currently being developed. The project is part of GSoC 2011 in collaboration with Honeynet and as a master thesis. The Geinimi application uses DES encryption, and it's possible to decrypt the content statically, see picture below ...</description><link>http://www.secuobs.com/revue/news/312869.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312869.shtml</guid></item>
<item><title>Sniffing using iptables</title><description>Secuobs.com : 2011-06-16 12:54:19 - Blog postings from honeynet.org - School project. For one of my subjects at school I had to work on a project using netlink sockets. I decided to work with the netfilter subsystem, and one possible use of netfilter is to get packets logged by the kernel packet filter (ULOG/NFLOG target) ...</description><link>http://www.secuobs.com/revue/news/311584.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/311584.shtml</guid></item>
<item><title>June 7th - June 13th: Hooking CoGetClassObject / CoCreateInstanceEx</title><description>Secuobs.com : 2011-06-14 07:20:40 - Blog postings from honeynet.org - This week, I tried to hook CoGetClassObject / CoCreateInstanceEx - two system APIs - in capture-client. Firstly, I modified the starting code of Internet Explorer. Before my modification, the client opened Internet Explorer by creating a COM instance. Now I create a new process for each URL visit, the same as what is done for Safari: processCommand += L"withdll.exe /d:MySniffer.dll "; processCommand += L"\""; processCommand += L"C:\Program Files\Internet Explorer\iexplore.exe"; processCommand += L"\" "; processCommand += url->getUrl(); ...</description><link>http://www.secuobs.com/revue/news/310979.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310979.shtml</guid></item>
<item><title>Forensic Challenge 8 - "Malware Reverse Engineering" - Deadline Extended</title><description>Secuobs.com : 2011-06-09 11:12:52 - Blog postings from honeynet.org - Taking a look at the first submissions, it seems like the Forensic Challenge 8 - "Malware Reverse Engineering" - is quite difficult to solve. For this reason we decided to extend the submission deadline to June 30th. Have fun. Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/310114.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310114.shtml</guid></item>
<item><title>Feature 1 has been finished</title><description>Secuobs.com : 2011-06-08 04:35:10 - Blog postings from honeynet.org - Feature 1, about opening an apk file and showing its apk info in the APKInfo widget, has been finished. You can see it in the pictures in the attachments. If you have some suggestions, whether about the content which should be shown in this APKInfo widget or about the UI design, please tell me and I will make it better.</description><link>http://www.secuobs.com/revue/news/309819.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309819.shtml</guid></item>
<item><title>webgl-globe Web UI</title><description>Secuobs.com : 2011-06-07 23:36:17 - Blog postings from honeynet.org - I have been dealing with visualizing hpfeeds data. I had to change the feed.py file so that it saves the gathered information to the PostGIS database. feed.py works in a simple way, connecting to a central machine and displaying the malware results on the screen. It requires ident, secret, host IP and a channel name. The channel should be registered. After running the edited version of feed.py, I had some data in my database. The model in the Django model is below: url = models.URLField( ...</description><link>http://www.secuobs.com/revue/news/309782.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309782.shtml</guid></item>
<item><title>June 1st - June 6th: Learning Capture-HPC server</title><description>Secuobs.com : 2011-06-07 11:25:29 - Blog postings from honeynet.org - This week, I was dealing with the Capture-HPC server items. While building and running the development environment, I found out that the Capture server needs to be modified to keep up with a new version of the VMware VIX API ...</description><link>http://www.secuobs.com/revue/news/309580.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309580.shtml</guid></item>
<item><title>Lion and iOS 5</title><description>Secuobs.com : 2011-06-07 07:29:43 - Blog postings from honeynet.org - Today Apple unveiled the next generation of OS X, Lion, and the new iOS 5. Among the features, I'm concerned about two: AirDrop and iCloud ...</description><link>http://www.secuobs.com/revue/news/309553.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309553.shtml</guid></item>
<item><title>The initial UI framework</title><description>Secuobs.com : 2011-06-04 17:47:38 - Blog postings from honeynet.org - I have drawn an initial UI framework with PyQt. I use the multi-document window to draw two windows, which can be dragged and also can be maximized and minimized.</description><link>http://www.secuobs.com/revue/news/309170.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309170.shtml</guid></item>
<item><title>The layout of the CFG by Graphviz</title><description>Secuobs.com : 2011-06-04 16:57:36 - Blog postings from honeynet.org - This is the CFG view by Graphviz. I'd like to build the CFG view just like this. This picture is generated by Androguard. According to the xdot/dot file provided by Androguard, I can draw the CFG, because there is much information about where and how to draw the lines and the block nodes.</description><link>http://www.secuobs.com/revue/news/309165.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309165.shtml</guid></item>
<item><title>Weekly Activities</title><description>Secuobs.com : 2011-05-31 20:53:39 - Blog postings from honeynet.org - In the last week I was focused on learning how to use distorm, a disassembly library, to get the number of bytes used by some instructions. After understanding how to use it, I could gather how many bytes I need to overwrite at the beginning of a Windows API so I can implement the inline hooking. With the inline hooking, it will be possible to divert the execution flow of the API to a function that could log the parameters used in the API. Done last week: 1 - Deployed the development environment; 2 - Learned how to work with distorm, a disassembly library ...</description><link>http://www.secuobs.com/revue/news/308234.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/308234.shtml</guid></item>
<item><title>Mapping geographic data</title><description>Secuobs.com : 2011-05-15 20:10:30 - Blog postings from honeynet.org - Visualization is a niche area, especially in security analysis. As mentioned in a well-known sentence, "A picture is worth a thousand words". The importance and the power of visualization in the security area stand out with the ability to define multi-dimensional data with a single shape. When addressing the creation of a mesh-tiled 3D view on an Earth map, I was reading about geoweb application development. A geoweb application consists of some components: Spatial Data ...</description><link>http://www.secuobs.com/revue/news/304931.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/304931.shtml</guid></item>
<item><title>Dionaea Installation</title><description>Secuobs.com : 2011-05-10 01:33:17 - Blog postings from honeynet.org - This summer, I will be dealing with the malware analysis distribution from a visualization perspective on a timeline and geographic basis. To collect data related to malware, I installed Dionaea, which is a successor of Nepenthes. The documentation of Dionaea is plain and easy to follow. I chose Debian Squeeze to install the honeypot on. Installing the base system from the netinstall CD and following the documentation was enough till I got an error message during the compiling process of Dionaea ...</description><link>http://www.secuobs.com/revue/news/303652.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303652.shtml</guid></item>
<item><title>Forensic Challenge 8 - "Malware Reverse Engineering"</title><description>Secuobs.com : 2011-05-09 13:18:26 - Blog postings from honeynet.org - I am pleased to announce the next forensic challenge: Forensic Challenge 8 - "Malware Reverse Engineering". The challenge has been created by Angelo Dell'Aera and Guido Landi from the Sysenter Honeynet Project Chapter. Submission deadline is June 15th and we will be announcing winners around the third week of July. We have a few small prizes for the top three submissions. Have fun. Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/303475.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303475.shtml</guid></item>
<item><title>Forensic Challenge 7 - "Forensic Analysis of a Compromised System" - And the winners are</title><description>Secuobs.com : 2011-05-07 17:47:03 - Blog postings from honeynet.org - Folks, Guillaume and Hugo have judged all submissions and results have been posted on the challenge web site. The winners are: 1. Devanand; 2. Fernando Quintero and Camilo Zapata; 3. (3 submissions) Matt Erasmus, Joseph Kahlich and Kevin Mau. Congratulations to the winners! With challenge 7 completed, we are getting ready to launch challenge 8 on May 9th. This challenge has been prepared by Guido Landi and Angelo Dell'Aera from the Sysenter Chapter and it deals with ...</description><link>http://www.secuobs.com/revue/news/303261.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303261.shtml</guid></item>
<item><title>GSoC2011-THP Project 1 - Improve our high interaction client honeypot Capture-HPC</title><description>Secuobs.com : 2011-05-05 08:23:00 - Blog postings from honeynet.org - Project Description: Proposed Capture-HPC Description. Capture-HPC is a high-interaction client honeypot that is capable of seeking out and identifying client-side attacks. It identifies these attacks by driving a vulnerable client to open a file or interact with a potentially malicious server. As it processes the data, Capture-HPC monitors the system for unauthorized state changes that indicate a successful attack has occurred. It is regularly used in surveys of malicious websites that launch drive-by-download attacks ...</description><link>http://www.secuobs.com/revue/news/302775.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/302775.shtml</guid></item>
<item><title>Forensic Challenge 7 - Publication of Results Delayed</title><description>Secuobs.com : 2011-05-02 15:58:38 - Blog postings from honeynet.org - An important update for Forensic Challenge 7 challengers: for reasons related to reviewers' everyday job commitments, the challenge results will be announced on Friday, May 6th 2011 and not on Friday, 29th April as announced in the previous blog post. Thanks for your patience and regards, Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/301994.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/301994.shtml</guid></item>
<item><title>2011 Honeynet Project Security Workshop Videos Online</title><description>Secuobs.com : 2011-04-19 21:30:42 - Blog postings from honeynet.org - Just a quick note to let everybody know that the videos from the 2011 Honeynet Project Security Workshop have been posted. The slides can be obtained at the same location.</description><link>http://www.secuobs.com/revue/news/299488.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/299488.shtml</guid></item>
<item><title>The Honeynet Project Releases New Tool: streams</title><description>Secuobs.com : 2011-04-05 21:15:18 - Blog postings from honeynet.org - Tillmann Werner from the Giraffe Honeynet Project chapter just released the first version of "streams", a tool for browsing, mining and processing TCP streams in pcap files. If you ever needed to process large pcap files on a session level, you will love this tool. Have a look at the README to get an impression of its capabilities. The README contains some sample output and a tool description ...</description><link>http://www.secuobs.com/revue/news/296420.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296420.shtml</guid></item>
<item><title>Forensic Challenge 7 - Submission deadline passed</title><description>Secuobs.com : 2011-04-05 13:49:22 - Blog postings from honeynet.org - Folks, the submission deadline for the Forensic Challenge 7 - "Forensic Analysis of a Compromised System" - put up by Hugo Gonzalez from the Mexico Chapter and Guillaume Arcas from the French Chapter - has passed. We have received 16 submissions and will be announcing results on Friday, Apr 29th 2011. The winners will get a copy of the book "Virtual Honeypots - From Botnet Tracking to Intrusion Detection" written by Niels Provos and Thorsten Holz. Angelo Dell'Aera, The Honeynet Project</description><link>http://www.secuobs.com/revue/news/296301.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296301.shtml</guid></item>
<item><title>The Honeynet Project in the Media</title><description>Secuobs.com : 2011-03-22 19:57:35 - Blog postings from honeynet.org - The Honeynet Project has been all over the media again lately, mostly due to our visualization research ...</description><link>http://www.secuobs.com/revue/news/293392.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/293392.shtml</guid></item>
<item><title>There Is Still Time To Register for The 2011 Honeynet Project Security Workshop (Paris, March 21)</title><description>Secuobs.com : 2011-03-09 19:26:41 - Blog postings from honeynet.org - Just a reminder, there is still time to register for The 2011 Honeynet Project Security Workshop. More information: honeynet.org/node/602. Register: regonline.com/builder/site/Default.aspx?EventID=929631. About the event: ...</description><link>http://www.secuobs.com/revue/news/290518.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/290518.shtml</guid></item>
<item><title>The Honeynet Project on Social Media</title><description>Secuobs.com : 2011-03-08 19:44:30 - Blog postings from honeynet.org - Not all of you might know it, but The Honeynet Project is well-represented on social media. Apart from this blog, we have: ...</description><link>http://www.secuobs.com/revue/news/290230.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/290230.shtml</guid></item>
<item><title>New Honeynet Project Challenge 7: Forensic Analysis of a Compromised Server</title><description>Secuobs.com : 2011-03-03 01:21:22 - Blog postings from honeynet.org - The plot (as usual): a Linux server was possibly compromised and a forensic analysis is required in order to understand what really happened. Hard disk dumps and memory snapshots of the machine are provided in order to solve the challenge. Are you up to the challenge? All details are here. Here are the questions that need your answers: What service and what account triggered the alert? (1pt) What kind of system runs on the targeted server? (OS, CPU, etc.) (1pt) ...</description><link>http://www.secuobs.com/revue/news/289003.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289003.shtml</guid></item>
<item><title>Honeynet Project Blog Top Posts in February 2011</title><description>Secuobs.com : 2011-03-01 18:17:43 - Blog postings from honeynet.org - The following are the Top 5 popular blog posts from The Honeynet Project blog this month ...</description><link>http://www.secuobs.com/revue/news/288537.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/288537.shtml</guid></item>
<item><title>The Honeynet Project Releases New Tool: Cuckoo</title><description>Secuobs.com : 2011-02-23 19:54:37 - Blog postings from honeynet.org - Here is another tool release from The Honeynet Project: Cuckoo Box by Claudio Guarnieri. Cuckoo is a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware. Read more about the tool here, grab the tool here (but please read the detailed setup guide here; make sure to read it). BTW, this tool is really well-documented, so make use of it before deploying it ...</description><link>http://www.secuobs.com/revue/news/287229.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/287229.shtml</guid></item>
<item><title>Improve the security of unlocking your smartphone</title><description>Secuobs.com : 2011-02-08 01:45:59 - Blog postings from honeynet.org - There is a paper at WOOT '10 that described how to use smudges on the touch screen of a smartphone to largely decrease the time an attacker needs to guess the right password to unlock the screen. For example, for a 4-digit passcode based iPhone, one just needs to try at most P(4,4) = 4! = 24 times before getting the right one ...</description><link>http://www.secuobs.com/revue/news/283544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283544.shtml</guid></item>
<item><title>First-ever Honeynet Project Public Conference, Paris 2011</title><description>Secuobs.com : 2011-02-01 19:43:33 - Blog postings from honeynet.org - It is with great pleasure that I announce the first-ever Honeynet Project Public Conference, held alongside the traditional Honeynet Project Annual Workshop. The event will be held on March 21, 2011 in Paris. For those who just want to register now, go here. Date: 21 March 2011 (Monday), 8:30AM - 18:00 (GMT+1) ...</description><link>http://www.secuobs.com/revue/news/282194.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/282194.shtml</guid></item>
<item><title>Spanish Chapter Status Report For 2008</title><description>Secuobs.com : 2010-12-20 21:48:05 - Blog postings from honeynet.org - ORGANIZATION: The Spanish Honeynet Project chapter's primary areas of interest and development are wireless honeynets, web honeypots, data collecting and analyzing, and research technical papers to inform the community. Our current members are: ...</description><link>http://www.secuobs.com/revue/news/273195.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273195.shtml</guid></item>
<item><title>TaiWan Malware Analysis Net</title><description>Secuobs.com : 2010-12-20 19:58:20 - Blog postings from honeynet.org - Basically, TWMAN is an automated behavioral malware analysis environment to analyze malware targeted at Microsoft Windows, and it can develop free and open source software, and the environment is built around Joe Stewart's TRUMAN sandnet. Although there are many malware behavioral analysis services, such as the Norman Sandbox, CWSandbox, Threat Expert, etc., for privacy and policy reasons it must be treated as if they contain personally identifiable information. (Taiwan Chapter) ...</description><link>http://www.secuobs.com/revue/news/273153.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273153.shtml</guid></item>
<item><title>Another possible way to intercept function calls in QEMU</title><description>Secuobs.com : 2010-12-02 04:19:33 - Blog postings from honeynet.org - I'm developing a syscall interception tool for Android as a course project. While it is relatively simple to intercept calls into the system services (introduced at the end), it is harder to get the syscall return. The reason is, the latest Android emulator is built upon QEMU 0.10.50, meaning it's TCG based. So we cannot use the same way Qebek or TEMU uses to intercept the syscall return. Therefore I looked into the new code to see if I could find a way to solve this problem. Generally, in my understanding, in the old QEMU, the code translation is done as: ...</description><link>http://www.secuobs.com/revue/news/268767.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/268767.shtml</guid></item>
<item><title>Announcing the publication of Know Your Tools: Glastopf - A dynamic, low-interaction web application honeypot</title><description>Secuobs.com : 2010-11-15 09:22:30 - Blog postings from honeynet.org - Folks, I am very pleased to announce the publication of our Know Your Tools paper: "Glastopf - A dynamic, low-interaction web application honeypot", authored by Lukas Rist of the Chicago Honeynet Project Chapter and Sven Vetsch, Marcel Kossin, and Michael Mauer. The paper is available from http://honeynet.org/papers/KYT_glastopf. Paper abstract: Currently, attacks against web applications make up more than 60% of the total number of attempted attacks on the Internet. Organizations cannot afford to allow their websites to be compromised, as this can result in serving malicious content to customers, or leaking customers' data. Whether the particular web application is part of a company's website, or a personal web page, there are certain characteristics common to all web applications. Most people trust in the reliability of web applications and they are often hosted on powerful servers with high bandwidth connections to the Internet. Considering the large number of attacks and knowing the potential consequences of successful break-ins, we decided to put a bit more effort into the development of honeypots to better understand these attacks. In this paper, we introduce Glastopf, a low-interaction web application honeypot capable of emulating thousands of vulnerabilities to gather data from attacks that target web applications. The principle behind it is very simple: reply to the attack using the response the attacker is expecting from his attempt to exploit the web application. We provide an overview of the attacks on web applications, describe examples collected with Glastopf, and discuss possible usages of the data collected. Glastopf can be downloaded from http://glastopf.org and a mailing list for help, suggestions and advice is available at https://public.honeynet.org/mailman/listinfo/glastopf ...</description><link>http://www.secuobs.com/revue/news/264829.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/264829.shtml</guid></item>
<item><title>Project Honeynet "Log Mysteries" Challenge Lessons</title><description>Secuobs.com : 2010-11-10 21:13:36 - Blog postings from honeynet.org - We just finished grading the results of Project Honeynet "Log Mysteries" Challenge 5 and there are some useful lessons for BOTH future challenge respondents and log analysts and incident investigators everywhere ...</description><link>http://www.secuobs.com/revue/news/264001.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/264001.shtml</guid></item>
<item><title>Know Your Tools: Qebek - Conceal the Monitoring has been published</title><description>Secuobs.com : 2010-11-05 08:36:11 - Blog postings from honeynet.org - Christian Seifert (CPRO of The Honeynet Project) has just announced publication of our Know Your Tools series paper: Qebek - Conceal the Monitoring, authored by Chengyu Song and Jianwei Zhuge from the Chinese Chapter and Brian Hay from the Alaskan Chapter. The paper is based on Chengyu's hard work during GSoC 2009; Brian Hay and I acted as his mentors for the Qebek GSoC Project. Congrats to Chengyu and the Chinese Chapter! The paper is available from http://honeynet.org/papers/KYT_qebek. Paper abstract: ... (Chinese Chapter)</description><link>http://www.secuobs.com/revue/news/262660.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/262660.shtml</guid></item>
<item><title>Forensic Challenge 6 - Analyzing Maliciously Encoded PDF Files</title><description>Secuobs.com : 2010-11-01 10:13:50 - Blog postings from honeynet.org - Forensic Challenge 6: Analyzing Maliciously Encoded PDF Files - provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Chapter. A typical attack carried out with a maliciously encoded PDF file ...</description><link>http://www.secuobs.com/revue/news/261439.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/261439.shtml</guid></item>
<item><title>Forensic Challenge 6 - Analyzing Maliciously Encoded PDF Files</title><description>Secuobs.com : 2010-11-01 10:13:50 - Blog postings from honeynet.org - Forensic Challenge 6: Analyzing Maliciously Encoded PDF Files - provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Chapter. A typical attack carried out with a maliciously encoded PDF file ...</description><link>http://www.secuobs.com/revue/news/261438.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/261438.shtml</guid></item>
<item><title>GlastopfNG release</title><description>Secuobs.com : 2010-10-15 17:30:51 - Blog postings from honeynet.org - Before we get worse than Duke Nukem Forever, we decided to finally release the next generation of the web application honeypot Glastopf, aka GlastopfNG. (GSoC Project 8 - Web Application Honeypot) ...</description><link>http://www.secuobs.com/revue/news/257345.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/257345.shtml</guid></item>
<item><title>Murofet, Zeus, or just Zeus 2.1</title><description>Secuobs.com : 2010-10-15 14:20:12 - Blog postings from honeynet.org - The first one writing about this new threat was Marco Giuliani. So, Murofet or Zeus? Taking a look at a couple of samples we were able to identify: - Same API hooks; - Same encryption routine for the configuration file (RC4); - Pretty much the same configuration file format. (Sysenter Chapter) ...</description><link>http://www.secuobs.com/revue/news/257283.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/257283.shtml</guid></item>
<item><title>PHoneyC DOM Emulation - Window</title><description>Secuobs.com : 2010-09-19 16:03:49 - Blog postings from honeynet.org - A few weeks ago I started reviewing the PHoneyC DOM emulation code and realized it was turning out to be hard to maintain and debug due to a huge amount of undocumented (and sometimes awful) hacks. For this reason I decided it was time to patch (and sometimes rewrite from scratch) such code. These posts will describe how the new DOM emulation code will work. The patch is not available right now since I'm testing the code, but plans exist to commit it in the PHoneyC SVN in the next days. Sysenter Chapter</description><link>http://www.secuobs.com/revue/news/249566.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249566.shtml</guid></item>
<item><title>Another great step forward</title><description>Secuobs.com : 2010-09-19 16:03:49 - Blog postings from honeynet.org - "Dionaea is meant to be a Nepenthes successor, embedding Python as scripting language, using libemu to detect shellcodes, supporting IPv6 and TLS" (taken from the Dionaea homepage). Besides being the most interesting project for trapping malware exploiting vulnerabilities, Dionaea supports a really cool feature which allows it to log to XMPP services as described here. TIP now exploits this feature, receiving and storing such logs (really thanks to Markus Koetter for his help and support). Sysenter Chapter</description><link>http://www.secuobs.com/revue/news/249565.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249565.shtml</guid></item>
<item><title>TraceExploit: Replaying method dissection</title><description>Secuobs.com : 2010-09-19 16:03:49 - Blog postings from honeynet.org - I've been working on the GSoC Project #14 in recent months. We are meant to start a new tool which can replay the collected exploit traces. We know that during the process of exploit replay, there are many fields that need to be changed in the original application messages. Some of them are platform independent, and the others are platform specific. Platform-independent variables are those changed each time we exploit, like timestamp, cookie, length, etc. And platform-specific variables are those changed only if the target system is changed, like target address, or return address pointing to the shellcode. Chinese Chapter</description><link>http://www.secuobs.com/revue/news/249564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249564.shtml</guid></item>
<item><title>PHoneyC DOM Emulation - Browser Personality</title><description>Secuobs.com : 2010-09-19 16:03:49 - Blog postings from honeynet.org - A new improvement in PHoneyC DOM emulation code was committed in SVN r1624. The idea is to better emulate the DOM behaviour depending on the selected browser personality. Let's take a look at the code starting from the personalities definition in config.py: UserAgents = ((1, "Internet Explorer 6.0 (Windows 2000)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)", "Mozilla", "Microsoft Internet Explorer", ... Sysenter Chapter</description><link>http://www.secuobs.com/revue/news/249563.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/249563.shtml</guid></item>
<item><title>TraceExploit</title><description>Secuobs.com : 2010-08-02 01:21:22 - Blog postings from honeynet.org - The first part of the format discovery is 90% completed. The program is now able to tokenize the sample packets and sort them into clusters according to token pattern. The structure for a token looks like this: /* definition of a node for initial tokenization */ struct sToken { struct inferProperty *sProperty; struct inferSemantic *sSemantic; struct formatDistinguisher *sFD; struct sToken *next; }; struct inferProperty { char szType[4]; /* s-c / c-s / bin / txt */ unsigned char *pValue; /* value of token. Will include null and unicode, if there is */</description><link>http://www.secuobs.com/revue/news/245750.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/245750.shtml</guid></item>
<item><title>The Honeynet Project Forensic Challenge Chinese Edition Launches</title><description>Secuobs.com : 2010-06-02 06:12:19 - Blog postings from honeynet.org - The Honeynet Project is an internationally renowned open-source information security research team, dedicated to improving the security of the Internet. Hong Kong Chapter</description><link>http://www.secuobs.com/revue/news/227765.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/227765.shtml</guid></item>
<item><title>The Honeynet Project Forensic Challenge Chinese Edition Launches - Security Professionals from the Chinese-Speaking World Are Welcome to Participate</title><description>Secuobs.com : 2010-06-02 05:02:02 - Blog postings from honeynet.org - The Honeynet Project is an internationally renowned open-source information security research team, dedicated to improving the security of the Internet. Chinese Chapter</description><link>http://www.secuobs.com/revue/news/227741.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/227741.shtml</guid></item>
<item><title>Waledac's Anti-Debugging Tricks</title><description>Secuobs.com : 2010-05-24 18:25:48 - Blog postings from honeynet.org - The last spreading malware version of Waledac, a notorious spamming botnet that has been taken down in a collaborative effort led by Microsoft earlier this year, contained some neat anti-debugging tricks in order to make reverse-engineering more difficult. Felix Leder and I have been presenting about the approach at the SIGINT 2010 in Cologne yesterday, and as the method seems to be not publicly known yet, I will quickly describe it here as well.</description><link>http://www.secuobs.com/revue/news/225060.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/225060.shtml</guid></item>
<item><title>Challenge 3 of the Forensic Challenge 2010 - Banking Troubles</title><description>Secuobs.com : 2010-03-28 18:39:28 - Blog postings from honeynet.org - Challenge 3 - Banking Troubles - (provided by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell'Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter) is to investigate a memory image of an infected virtual machine. Submit your solution at http://www.honeynet.org/challenge2010/ using the submission templates provided below by 17:00 EST, Sunday, April 18th 2010. Results will be released on Wednesday, May 5th 2010. For inquiries you can contact forensicchallenge2010@honeynet.org. Small prizes will be awarded to the top three submissions. Skill Level: Difficult. The Challenge: Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an email from a fellow co-worker that pointed to a PDF file. Upon opening, the employee did not seem to notice anything; however, recently they have had unusual activity in their bank account. Company X was able to obtain a memory image of the employee's virtual machine upon suspected infection. Company X wishes you to analyze the virtual memory and report on any suspected activities found. Questions can be found below to help in the formal report for the investigation. 1. List the processes that were running on the victim's machine. Which process was most likely responsible for the initial exploit? (2pts) 2. List the sockets that were open on the victim's machine during infection. Are there any suspicious processes that have sockets open? (4pts) 3. List any suspicious URLs that may be in the suspected process's memory. (2pts) 4. Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts) 5. Were there any files that were able to be extracted from the initial process? How were these files extracted? (6pts) 6. If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts) 7. List suspicious files that were loaded by any processes on the victim's machine. From this information, what could a possible payload of the initial exploit be that would be affecting the victim's bank account? (2pts) 8. If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts) 9. Are there any related registry entries associated with the payload? (4pts) 10. What technique was used in the initial exploit to inject code into the other processes? (6pts) Download: hn_forensics.tgz Sha1: 8178921fd065ad2de9c6738fe062d2b37402c04a</description><link>http://www.secuobs.com/revue/news/206248.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/206248.shtml</guid></item>
<item><title>Forensic Challenge 2010/2 - "browsers under attack" is now online</title><description>Secuobs.com : 2010-02-17 05:39:01 - Blog postings from honeynet.org - Challenge 2 of the Honeynet Project Forensic Challenge has just been posted. The challenge has been provided by Nicolas Collery from the Singapore Chapter and Guillaume Arcas from the French Chapter and is titled "browsers under attack". Submission deadline is March 1st and results will be released on Monday, March 15th 2010. Small prizes will be awarded to the top three submissions. Have fun!</description><link>http://www.secuobs.com/revue/news/192623.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192623.shtml</guid></item>
<item><title>Forensic Challenge 2010 - Challenge 1 - Announcement of Winners</title><description>Secuobs.com : 2010-02-15 00:22:32 - Blog postings from honeynet.org - I am very pleased to announce the winners of the 1st Honeynet Project Forensic Challenge 2010 - pcap attack trace. We had a total of 91 submissions and the top three submissions are true rock star submissions. The winners are: 1st Place: Ivan Rodriguez Almuina (Switzerland); 2nd Place: Franck Guenichot (France); 3rd Place: Tareq Saade (USA). Congratulations to the winners! Each winner will receive a signed book from one of our Honeynet Project authors. A sample solution (created by Tillmann, Markus, Hugo and Cameron) is available on the forensic challenge web site at FC 2010 - Challenge 1 - Pcap attack trace. On that page you will also find the submissions of the three winners. Tillmann, who single-handedly judged all submissions, will be summarizing highlights from various submissions in a blog post shortly. All folks that have submitted a solution should have received an email with information about their individual score as well as placement. Nicolas Collery from the Singapore Honeynet Chapter and Guillaume Arcas are finalizing the second forensic challenge. The challenge will be 'browsers under attack' and I personally am very excited about this challenge. I hope we will receive many submissions from all who participated in challenge 1 (and hopefully more). I will post to our web site honeynet.org in the next few days. Thanks again - looking forward to the next challenge. Christian</description><link>http://www.secuobs.com/revue/news/191835.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/191835.shtml</guid></item>
<item><title>Glastopf Project: A Look Ahead</title><description>Secuobs.com : 2010-02-03 10:01:50 - Blog postings from honeynet.org - Glastopf: On January the 22nd I met Sven. Sven is a bachelor student at the Bern University of Applied Sciences and will write his thesis about Glastopf. During his work he will rewrite the current Glastopf unstable version, but when he is finished the new version will have at least the same features as the previous version. The goals are: a much better modular structure, which means there is one core which directs every request to the modules. They store the data, emulate the vulnerability and compose the response which the core gives back to the attacker. There will be a much better classification of incoming attacks, and the rules used for this will be totally detached from the source code to distribute them easily between different sensors. I will post some details as soon as we have started the work. This also means that we will freeze the current unstable version to put all effort into the new version. Chicago Chapter</description><link>http://www.secuobs.com/revue/news/188051.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/188051.shtml</guid></item>
<item><title>Challenge 1 of the Forensic Challenge 2010 - pcap attack trace</title><description>Secuobs.com : 2010-01-18 09:13:52 - Blog postings from honeynet.org - Forensic Challenge 2010 Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack. Send submissions (please use the MS Word submission template or the Open Office submission template) to forensicchallenge2010@honeynet.org no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions. Skill Level: Intermediate. The Challenge: A network trace with attack data is provided. Analyze and answer the following questions: 1. Which systems (i.e. IP addresses) are involved? (2pts) 2. What can you find out about the attacking host (e.g., where is it located)? (2pts) 3. How many TCP sessions are contained in the dump file? (2pts) 4. How long did it take to perform the attack? (2pts) 5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts) 6. Can you sketch an overview of the general actions performed by the attacker? (6pts) 7. What specific vulnerability was attacked? (2pts) 8. What actions does the shellcode perform? Please list the shellcode. (8pts) 9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts) 10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge.) (2pts) 11. Do you think this is a manual or an automated attack? Why? (2pts) Download: attack-trace.pcap_.gz Sha1: 0f5ddab19034b2656ec316875b527d9bff1f035f</description><link>http://www.secuobs.com/revue/news/182656.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/182656.shtml</guid></item>
<item><title>Italian Chapter updates</title><description>Secuobs.com : 2009-12-16 11:31:24 - Blog postings from honeynet.org - Folks, I would like to inform you all about our recent activities that we are attempting to achieve. First of all, we have totally rebuilt our web site. This new one aims to be a central repository of all the (external/internal) news concerning botnets (mainly) and malware (secondary). We will use the blog for posting about our project developments, and for commenting/reporting interesting news concerning the field that we are currently treating, so you can now add a new entry to your feed reader. Italian Chapter</description><link>http://www.secuobs.com/revue/news/172649.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/172649.shtml</guid></item>
<item><title>Honeybrid testing</title><description>Secuobs.com : 2009-11-18 00:16:34 - Blog postings from honeynet.org - Second milestone reached! Honeybrid has now all its functionalities working and it's time for testing. In order to check that everything works efficiently, I deployed a Windows honeypot to receive traffic from five unused /24 subnets during half an hour. Here are the details of this experiment. Configuration: Here is an overall diagram of the testing architecture: Internet -> NATing Gateway with Honeybrid -> Windows Honeypot. The NATing gateway was configured with the following iptables rules: GSoC Project #6 - Develop Hybrid Honeypot Architecture</description><link>http://www.secuobs.com/revue/news/162293.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/162293.shtml</guid></item>
<item><title>Native Language Spam</title><description>Secuobs.com : 2009-11-18 00:16:34 - Blog postings from honeynet.org - Today I received a spam email from "Sicherheits-Center" (security center) with subject "Vorsicht! Ihr Paypal-Konto wurde begrenzt" (Attention! Your Paypal account has been restricted). Not only the subject but the whole message was in really bad German - I am sure everybody had the chance to delete similar spams and you know what they look like. The advertised link was already down and also already included in Google's "Safe Browsing" list of malicious URLs. But the message contained a piece of interesting information which I think is interesting.</description><link>http://www.secuobs.com/revue/news/162292.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/162292.shtml</guid></item>
<item><title>Glastopf retrospection</title><description>Secuobs.com : 2009-11-18 00:16:34 - Blog postings from honeynet.org - Today I make a retrospection on my work on the Glastopf Web Honeypot during the Google Summer of Code Program. My goal was to push forward the development of a Honeypot for an attack vector in web security which is really underestimated in current discussions. The main objectives could be merged into one intention: increasing our attractiveness and answering every request as close as possible to a real world system. This got achieved with the new PHP file parser and the dynamic Google dork list which we provide for the Google crawler.</description><link>http://www.secuobs.com/revue/news/162291.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/162291.shtml</guid></item>
<item><title>What's new on PHoneyC (4): Try it out!</title><description>Secuobs.com : 2009-11-18 00:16:34 - Blog postings from honeynet.org - Hi all! I have finished almost all the coding stuff of Project #1; now you can try out the new PHoneyC with shellcode/heapspray detection here: http codegooglecom p phoneyc source browse phoneyc phoneyc branches phoneyc-honeyjs. Please feel free to report any bug or suggestion on shellcode/heapspray detection to me. Chinese Chapter</description><link>http://www.secuobs.com/revue/news/162290.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/162290.shtml</guid></item>
<item><title>Iteolih: Miles and More</title><description>Secuobs.com : 2009-11-18 00:16:34 - Blog postings from honeynet.org - We got a new milestone due (10.08.2009): thread-pool works; stream recording works; shellcode detection using libemu works; shellcode emulation using libemu works; compiles on linux/openbsd. An exploit taken from a public repository, run against the software, is detected and emulated. To shorten things, basically all required points are hit with current svn. So, given the time we just saved, some words about how it works. GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots</description><link>http://www.secuobs.com/revue/news/162289.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/162289.shtml</guid></item>
<item><title>A Brief Introduction to Qebek</title><description>Secuobs.com : 2009-11-18 00:16:34 - Blog postings from honeynet.org - Here is a brief introduction on Qebek, answering some questions.</description><link>http://www.secuobs.com/revue/news/162288.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/162288.shtml</guid></item>
<item><title>RE-Google Architecture</title><description>Secuobs.com : 2009-11-16 02:30:48 - Blog postings from honeynet.org -</description><link>http://www.secuobs.com/revue/news/161029.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/161029.shtml</guid></item>
<item><title>RE-Google in action - screenshot</title><description>Secuobs.com : 2009-11-16 02:30:48 - Blog postings from honeynet.org -</description><link>http://www.secuobs.com/revue/news/161028.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/161028.shtml</guid></item>
<item><title>RE-Google - or how Grandma started Reverse Engineering</title><description>Secuobs.com : 2009-11-16 02:30:48 - Blog postings from honeynet.org - Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing. Giraffe Chapter</description><link>http://www.secuobs.com/revue/news/161027.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/161027.shtml</guid></item>
<item><title>Philippines Chapter</title><description>Secuobs.com : 2009-11-05 02:23:15 - Blog postings from honeynet.org - The Philippine Honeynet Chapter is a group of Filipino volunteers whose mission is to promote information security, and to help individuals and organizations in the Philippines in protecting their computer and network systems through research, education, and training. Our goals are:</description><link>http://www.secuobs.com/revue/news/157547.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157547.shtml</guid></item>
<item><title>Iteolih: RPC vulnerability implementation party</title><description>Secuobs.com : 2009-11-05 02:23:15 - Blog postings from honeynet.org - The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More, the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this. The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat. Giraffe Chapter</description><link>http://www.secuobs.com/revue/news/157546.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157546.shtml</guid></item>
<item><title>Italian Chapter</title><description>Secuobs.com : 2009-11-05 02:23:15 - Blog postings from honeynet.org - The Italian Honeynet Project is a research group formed by professionals and scholars whose main interests and activity lie in the information security field. The Chapter has been officially constituted in May 2009 following the agreement with the main Honeynet Project's Board. It is the result of the final development of The Dorothy Project, a research work started by Marco Riccardi in September 2008 and presented to the University of Milan as his Laurea Thesis in February 2009. Prof. Marco Cremonini acted as his tutor for the thesis project.</description><link>http://www.secuobs.com/revue/news/157545.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157545.shtml</guid></item>
<item><title>Southern California (SoCal) Chapter</title><description>Secuobs.com : 2009-11-05 02:23:15 - Blog postings from honeynet.org -</description><link>http://www.secuobs.com/revue/news/157544.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157544.shtml</guid></item>
<item><title>Glastopf</title><description>Secuobs.com : 2009-11-05 02:23:15 - Blog postings from honeynet.org - Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among others, deface the web site, send spam, convert the web site into bots, and serve drive-by-download attacks. Glastopf is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to set up and, once indexed by search engines, attacks will pour in by the thousands daily. Glastopf has been developed as part of the 2009 Google Summer of Code by student Lukas Rist (and mentored by Thorsten Holz of the German Honeynet Project Chapter). It can be downloaded from the Glastopf trac site at http://trac.glastopf.org/trac. More information on Glastopf can be found on the project site at http://glastopf.org.</description><link>http://www.secuobs.com/revue/news/157543.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157543.shtml</guid></item>
<item><title>Full Members</title><description>Secuobs.com : 2009-11-05 02:23:15 - Blog postings from honeynet.org - FULL MEMBERS (CHAPTER): Anton Chuvakin (Hawaii Chapter); Antonio Montes (Brazilian Chapter); Arthur Clune (UK Chapter); Brian Engert (Chicago Chapter); Camilo Viecco (Global Chapter); Chris Lee (GA Tech Chapter); Christian Seifert ...</description><link>http://www.secuobs.com/revue/news/157542.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157542.shtml</guid></item>
<item><title>Global Chapter</title><description>Secuobs.com : 2009-11-05 02:23:15 - Blog postings from honeynet.org -</description><link>http://www.secuobs.com/revue/news/157541.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157541.shtml</guid></item>
<item><title>Pakistan Chapter</title><description>Secuobs.com : 2009-11-05 02:23:15 - Blog postings from honeynet.org -</description><link>http://www.secuobs.com/revue/news/157540.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/157540.shtml</guid></item>
</channel>
</rss>