Giraffe Chapter - Status Report 2008

This year, Felix Leder and Mark Schlösser joined our team. We are focused on active development of honeypot tools, and for us writing code is a passion. The Giraffe Chapter now consists of the following people:

  • Paul Bächer
  • Markus Kötter
  • Felix Leder
  • Mark Schlösser
  • Tillmann Werner
  • Georg Wicherski

We have several nepenthes and honeytrap sensors deployed. Recorded attacks and malware samples are submitted to the mwcollect Alliance database. One central nebula system is fed with attacks from our honeytrap sensors.

  • We improved our low-interaction honeypots nepenthes and honeytrap in various ways. A new nepenthes module for the MS08-067 server service buffer overflow vulnerability was developed.
  • nebula, a fully automated intrusion signature generator, was developed and initially published. It is also of great value for data analysis when used to extract common information from different inputs.
  • Further, we developed a sophisticated botnet monitoring tool called botsnoopd which we decided not to make publicly available (interested people should get in touch).
  • libemu's shellcode detection and profiling utility sctest was improved and is now one of our most important data analysis tools. We also worked on pyprofjsploit, a Python interface to libemu, which is intended to be used in client honeypots for shellcode detection and profiling.
  • As integrating libemu with nepenthes and honeytrap is somewhat difficult, we are currently designing a new low-interaction honeypot as the successor of nepenthes and honeytrap. This honeypot will have libemu-based shellcode processing as one of its major components.
  • Version 0.2.0 of liblcfg, our lightweight configuration file library, was published. It includes some changes that make configuration file processing more flexible, features we want to use for our aforementioned new honeypot.
  • honeytrap sensors can now be integrated into a distributed setup using the submit-mwserv submission principle over HTTP, allowing us to feed their data to the mwcollect Alliance as well.
  • The backend and the web interface of the mwcollect Alliance have been reworked to be considerably more performant overall. These are behind-the-scenes changes that added stability rather than new functionality.
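To illustrate the kind of common-information extraction the nebula item above refers to, here is an added toy example (not nebula's code or algorithm): from a cluster of constructed attack traces it extracts the maximal byte tokens shared by all of them as an ordered signature, and then checks other traffic against that signature.

```python
"""Added illustration of token-based signature generation from a cluster of
similar attack traces. This is a deliberately simplified stand-in for what an
automated generator like nebula does; the sample traces are constructed."""
from typing import List

# Constructed cluster: same request skeleton, variable id value and NOP-sled length.
CLUSTER = [
    b"GET /index.php?id=AAAA" + b"\x90" * 8 + b"&page=1 HTTP/1.0\r\n",
    b"GET /index.php?id=BBBBBBBB" + b"\x90" * 12 + b"&page=1 HTTP/1.0\r\n",
    b"GET /index.php?id=CC" + b"\x90" * 16 + b"&page=1 HTTP/1.0\r\n",
]


def common_tokens(payloads: List[bytes], min_len: int = 4) -> List[bytes]:
    """Return maximal substrings (at least min_len bytes) that occur in every
    payload, in the order they appear in the first payload. Variable parts
    (the id value, the surplus NOP bytes) drop out automatically."""
    if not payloads:
        return []
    base, others = payloads[0], payloads[1:]
    tokens, i = [], 0
    while i < len(base):
        # Grow the candidate from position i while it is still common to all.
        j, best = i + min_len, None
        while j <= len(base) and all(base[i:j] in o for o in others):
            best = base[i:j]
            j += 1
        if best is None:
            i += 1            # nothing common starts here; advance one byte
        else:
            tokens.append(best)
            i += len(best)    # continue after the maximal token
    return tokens


def matches(signature: List[bytes], payload: bytes) -> bool:
    """A payload matches if every token appears, in signature order."""
    pos = 0
    for tok in signature:
        idx = payload.find(tok, pos)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True


if __name__ == "__main__":
    sig = common_tokens(CLUSTER)
    print([t[:20] for t in sig])                      # first bytes of each token
    print(all(matches(sig, p) for p in CLUSTER))      # every cluster member matches
    print(matches(sig, b"GET /index.php?id=1 HTTP/1.0\r\n"))  # benign request does not
```

The minimum NOP-sled length becomes part of the second token, which is the kind of detail a signature generator should expose for review rather than silently emit.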
We published various attack and malware analysis reports and writeups about new ideas and methods:

Evaluating recorded data remains the main challenge in honeypot research. Given the immense amount of data, automating analysis is crucial, but only few tools are available to date.

We gave the following presentations:

  • GovCERT Symposium, Rotterdam, 2008-09-16 - Intrusion Signature Generation
  • GovCERT Symposium, Rotterdam, 2008-09-16 - Effectively Spying on Botnets with botsnoopd
  • 25c3, Berlin, 2008-12-29 - Squeezing Attack Traces
  • 25c3, Berlin, 2008-12-29 - Stormfucker: Owning the Storm Botnet

In 2009, we would like to publish a first release of our new low-interaction honeypot (which still lacks a name -- we are open to suggestions).

We developed a methodology and some tools to infiltrate and take over the Storm botnet. The code was published on the full-disclosure mailing list.