Polish Chapter Status Report 2013

ORGANIZATION
The Polish Chapter of the Honeynet Project was founded in November 2011. It consists of ten people:

  • Tomasz Grudziecki
  • Paweł Jacewicz
  • Łukasz Juszczyk
  • Piotr Kijewski
  • Adam Kozakiewicz
  • Krzysztof Lasota
  • Paweł Pawliński
  • Tomasz Sałaciński
  • Łukasz Siewierski
  • Maciej Szawłowski

The Polish Chapter of the Honeynet Project (find us at http://pl.honeynet.org) consists mostly of people whose daily job is focused on analysing new threats, designing and developing tools and researching methods for efficient mitigation of observed attacks.

Areas of research conducted by the members:

  • Anomaly detection
  • Reverse engineering
  • Honeypot technology
  • Web threats
  • Novel methods for threat tracking and identification

In late 2012 Maciej Szawłowski joined our Chapter and in 2013 we got another great member - Łukasz Siewierski. You can read more about them in the Members section of our Chapter web page.

DEPLOYMENTS
In the last year, our honeypot infrastructure was rebuild by Łukasz Siewierski. We started a cooperation with a university and we put one of our Honeeebox machines there. This machine was equipped with a kippo extensions, which supports sftp and ssh command execution, as well as dionaea. All the data was trasferred to our hpfriends account and is shared with responsible parties. We also created two other honeypots - one on the machine provided by a hosting partner and another one on Amazon Web Services account. This machines are configured in the same way as Honeeebox. We also started to work on yet another honeypot installed in CERT Polska infrastructure listening on several different Autonomous Systems.

All this work resulted in the discovery of a new botnet created for different platforms and specializing in performing DDoS attacks. It also allowed for us to collect several hundreds of malicious software samples. All of this data is shared using the CERT Polska n6 platform.

RESEARCH AND DEVELOPMENT
In late 2012 Maciej Szawłowski and Tomasz Sałaciński started the Heisenberg project. It is an attempt to create a debugging framework for a whole operating system which will not be affected by such issues as debugger detection by malware or heisenbugs, which are popular among conventional debuggers. Additionaly, we wanted to provide unified approach for debugging for different systems on different security levels (userland and kernel space). We also wanted to separate responsibilities of particular elements of a framework in order to conform fundamental principles of UNIX programming. We hope that these assumptions will let us create a useful, efficient, flexible and extensible tool for reverse engineers.

During the year 2013 we conducted research on possible projects that we would incorporate into Heisenberg. We analyzed their architecture, construction and mechanisms and formulated necessaary modifications, which were discussed with members of other chapters during Workshop in Dubai in 2013. Our first goal was to use the framework to effectively analyze some malware samples working under control of Windows XP. We achieved it in second half of 2013 year and presented our results on polish security conference Secure 2013.

We continue development of the project by working on refactoring and isolating our modifications into separate plugins. We plan to open the search for additional commiters and open the source code for general pulic. We also work on preparing several tutorials that could be used for demonstration and learning of Heisenberg framework.

Also in the beginning of 2013, as CERT Polska, we released the Honeyspider Network 2.0 together with sources which are available on CERT Polska Github. Also we released a preconfigured VM with the most important HSN 2.0 components ready to use out-of-the-box. There's a community of HSN 2.0 users, which can be accessed here. One can find help there in case HSN 2.0 misbehaves.

FINDINGS
Our current findings and analysis results are posted on CERT Polska blog at http://cert.pl.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS
We started preparations for the 2014 Honeynet Workshop which will be held in Warsaw. Find more and register on http://warsaw2014.honeynet.org/.

GOALS
Our goal is to find new methods of efficient detection and fighting malware by conducting research on various security topics. We share our knowledge with the community by creating open source tools, publishing papers and giving presentations. We are also partly involved in creating awareness raising materials, like SANS OUCH! in Polish language and our members are engaged in creating security-related workshops and trainings.

MISC ACTIVITIES
As mentioned in the GOALS section we are involved in creation of various security workshops and trainings, security awareness materials and, as CERT Polska, we host an annual conference - SECURE.