In this post I'd like to describe some aspects of the communication between kernel and user mode in the Ghost USB honeypot. More specifically, I'll focus on how to realize blocking communication with the Windows Driver Frameworks (WDF).
the submission deadline for the Forensic Challenge 11 "Dive Into Exploit" created by Georg Wicherski from Giraffe Chapter has passed.
We have received 2 good submissions and will be announcing results before the end of July. Without doubt, this challenge was one of the most difficult ones the Honeynet Project provided in the last years so we are really glad about the submitted solutions which seems really high-level at a first glance.
The Honeynet Project
Another Monday has been and gone (on this side of the world at least). I thought I'd sit down again and share some of the interestingness (yes, that's a word now) that came through my various news feeds over the course of the weekend. I'm hoping this week will be a little less malware focused, but I can't make any promises.
news.source == "twitter"
@mboman: New blog post: MART - Malware Analyst Research Toolkit: Cuckoo Sandbox:
Before we released the Ghost USB honeypot as open source software, we had quite some trouble to apply the GPL to our case. Since there wasn't much information available for the very particular case of using the GPL for a Windows driver, I'll discuss our issues and solutions in this article. This might not directly be applicable to other software, but it should provide the reader with general insights and will hopefully help people to sort out similar problems in the future.
Good evening/morning folks.
It's been fairly busy here at HNP HQ for a number of reasons. That said, there were a number of interesting articles over the weekend I thought I'd hilight here for your reading pleasure. This week seems to be a week of malware so we will stick with that theme.
I'm very pleased to announce that we have released the first public version of the Ghost USB honeypot.
Ghost is a honeypot for malware that uses USB storage devices for propagation. It is able to capture such malware without any further knowledge - especially, it doesn't need signatures or the like to accomplish its task.
Detection is achieved by emulating a USB flash drive on Windows systems and observing the emulated device. The assumption is that on an infected machine the malware will eventually copy itself to the removable device.
Taking a look at the submissions we realized that... mmh no submissions at all... We already knew that solving this challenge requires high skills but it seems like more time is needed in order to solve the Forensic Challenge 11 - "Dive Into Exploit". For this reason we decided to extend the submission deadline to 2012, July 1st.
Have fun (and don't be shy)!
The Honeynet Project
I am very pleased to announce the publication of another paper in our Know Your Enemy white paper series: "KYE - Social Dynamics of Hacking" authored by Thomas J. Holt and Max Kilger from our Spartan Devils Honeynet Project Chapter. In this paper, Tom and Max go to the roots of the Know Your Enemy series and shine light on the social groups that are involved in hacking.
Though most information security research focuses on current threats, tools, and techniques to defeat attacks, it is vital to recognize and understand the humans behind attacks. Individual attackers have various skills, motives, and social relationships that shape their actions and the resources they target. In this paper we will explore the distribution of skill in the global hacker community, the influence of on and off-line social relationships, motivations across attackers, and the near-future of threats to improve our understanding of the hacker and attacker community.
In the last months I spent a lot of efforts in Thug development. During these months a few interesting features and improvements were introduced but right now I want to spend some time for taking a look at the new plugin framework introduced in the version 0.3.0. If you ever thought about extending Thug with additional features but didn’t know how to do it you should really keep on reading. Let’s start by taking a look a the code.
Taking a look at src/thug.py we can now read these lines of code
Although it is still time for the official coding period start at GSoC 2012, i started to make my commits for the Network Analyzer project . The output of the project will be a web based traffic analyzer. It is aimed to let people upload their files from web interface and see the results. Instead of the detail header information, network analyzer will be focusing on applicaiton level data for display.