To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Blogs

Progress so far at the Network Analyzer

Although it is still time for the official coding period start at GSoC 2012, i started to make my commits for the Network Analyzer project . The output of the project will be a web based traffic analyzer. It is aimed to let people upload their files from web interface and see the results. Instead of the detail header information, network analyzer will be focusing on applicaiton level data for display.

Glastopf v3 aka Glaspot released

We where glad to announce yet another tool during our annual workshop in San Francisco. Glaspot is the third version of the web application honeypot Glastopf and it come with some very powerful new features:

  • A build-in PHP sandbox for code injection emulation, allowing us to bring vulnerability emulation to a new level
  • Hooked up to the HPFeeds generic data feed system for centralized data collection and tight integration into our sandbox and web server botnet monitoring system
  • Modular implementation: Turn your web application into a honeypot with a few easy steps
  • Runs in his own lightweight Python server or as a WSGI module in common web server environments
  • Automated attack surface generation and expansion

GSoC 2012 Accepted Students Officially Announced

Since my last post about the Google Summer Of Code 2012 Student Applications deadline closing and sharing some initial student applications statistics, all the GSoC 2012 mentoring organisations have been hard at work reviewing and scoring their student applications.

The Winner of the Norman Malware Analyzer G2 raffle is ...

At the Honeynet Project workshop 2012, we raffled off a brand new Norman Malware Analyzer G2. Thanks everybody for participating in the raffle.

The winner of this year's raffle is Todd Straceski from Zynga. Congratulations to Todd!

Thanks again to Norman to sponsoring the Honeynet Project workshop 2012. We hope to see you all again next year.

Google Summer Of Code 2012 Student Applications now closed and some statistics

After a slower than usual start, this years Google Summer of Code (GSoC) student applications period closed at 19:00 UTC on Friday April 6th, with a major application rush in the last couple of days which kept us busy right up to the deadline! Many thanks to all the interested students who applied, and our mentors and org admins for taking the time to respond to students on IRC, email and through Melange.

Google Summer Of Code 2012 Student Applications - Deadline Approaching

If you have been following our blog you'll know that the Honeynet Project was very happy to have been accepted as a mentoring organization for Google Summer of Code (GSoC) 2012.

If you are a student interested in applying to the Honeynet Project, the student application deadline is 19:00 UTC on Friday April 6th. So with 3 days to go, you need to be planning on submitting your project application vi the Melange system soon. To avoid disappointment, please don't leave your application until the last minute - you can edit as often as you want before the deadline.

FAQ on Kelihos.B/Hlux.B sinkholing

On March 31, 2012, the Honeynet Project published a draft Code of Conduct and a statement about Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown.

The initial draft of the Code of Conduct was drawn from concepts described in the The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research that was published in the United States Federal Register on December 28, 2011 for public comment. The Code of Conduct was refined through discussion within the Legal and Ethics Committee and volunteer Honeynet Project members to help make it workable within the structure of the Honeynet Project membership for evaluating the ethics of future research activities.

The following FAQ reflects how the Menlo Report principles and proposed Honeynet Project Code of Conduct can be used to analyze and explain an action like the Kelihos/Hlux sinkholing operation.

Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown

Earlier, we posted about our operation on the Kelihos.B/Hlux.B botnet takedown that was conducted with by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project. On initial view, the operation seems very clear cut: the bad guys are running a botnet that is doing havoc on the Internet; on the other side, are the good guys that have found a way to disable the botnet.

The situation is much more nuanced. The Honeynet Project has been conducting security research for over a decade now and since our early days, we made it a priority to balance benefit and risks in our research. You can trace this back to when the Honeynet Project first defined "data control" as one of the requirements for honeynet/honeypot deployments. The purpose of data control was to minimize potential harm to others resulting from honeypots, which by their nature are vulnerable systems we expect to be compromised and used by malicious actors.

We do what we do because people with malicious and criminal intent are compromising and abusing millions of computers around the globe. These people do not act in ways that are moral, ethical, or legal. But in trying to counter them, we cannot allow ourselves to similarly disregard our moral, ethical, or legal obligations. If we do, we become no different than them.

We believe that pushing the boundaries in the computer security field and engaging in cutting edge research brings with it a responsibility to act in an ethical manner. Risks may emerge from botnet takedowns and the Kelihos botnet takedown operation is no different. What are the benefits? What are the risks? How do they balance each other? Do our actions jeopardize legal investigations? These are all questions that need to be considered and the outcome will determine how to proceed. In the situation of the Kelihos botnet, the determination was to proceed with the botnet takedown (see below for a detailed assessment.) In other situations, the determination and plan of action may be different. In the instance of Zeus, for instance, legal action may be necessary.

The Honeynet Project is committed to conducting research in a model, ethical, and legal way. Weighing risk/benefits – an important aspect to conduct research in such a way - is what every researcher implicitly does. However, the risk of not considering all aspects of the research exists. As a result, the Honeynet Project, under the leadership of our Chief Ethics and Legal Officer Dave Dittrich, has developed a code of conduct that guides researchers through the process in a systematic manner.

Today, we are publishing a draft of this code of conduct. We hope you find the code of conduct useful and are looking forward to your thoughts and comments.

Kelihos.B/Hlux.B botnet takedown

On Wednesday, March 21, 2012, an operation by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project was initiated to sinkhole infected computers in the Kelihos.B/Hlux.B botnet. The objective of this action was to remove from the attacker's control all computers currently infected with the Kelihos.B/Hlux.B malware by poisoning the peer lists and routing tables in the lower layers of command and control. This will prevent the botnet operator from doing any more harm with this set of infected computers.

Control of the botnet with over 129,000 infected hosts was successfully obtained. These bots are no longer in control of the botherder, and, as a result, are no longer involved in sending spam, the primary malicious activity of this botnet. The hosts resided primarily in Poland (24%) and were primarily running the old operating system Windows XP (84%). The command-and-control infrastructure has been abandoned by the gang that was operating the botnet two days after the operation. We can say that the Kelihos.B/Hlux.B botnet was successfully disabled.

For more information, we refer to:
http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html
http://newsroom.kaspersky.eu/en/texts/detail/article/how-kaspersky-lab-and-crowdstrike-dismantled-the-second-hluxkelihos-botnet-success-story/
http://www.secureworks.com/research/threats/waledac_kelihos_botnet/

Rapid7 Sponsors Androguard and Cuckoo Sandbox in the First Round of the Magnificent7 Program

We are proud and happy to announce that Cuckoo Sandbox and AndroGuard were choosen by Rapid7 for his Magnificent7 Program, an initiative created to fuel the success of seven bleeding edge open source projects and backed by a fund of $100,000.

Cuckoo Sandbox and AndroGuard are respectively developped by Claudio Guarnieri and Anthony Desnos and mentored during previous GSoC.

Congratulations to Claudio and Anthony !

Syndicate content