Portuguese Chapter Status Report for 2008

ORGANIZATION

  1. Changes in the structure of your organization.
    • No structural changes.
  2. List current chapter members and their activities.
    • Pedro Inacio is a Security and Risk Assessment Team Leader working in a Portuguese IT Security Company.
    • Rui Reis is a Security Engineer working in a Portuguese IT Security Company and he is also an active OpenBSD Developer.
    • Tiago Mendo is a Security Engineer working in a Portuguese IT Security Company.
    • Pedro Simões is a Security Engineer working in a Portuguese IT Security Company.
    • Nuno Almeida is a Security Engineer working in a Portuguese IT Security Company.

DEPLOYMENTS

  1. List current technologies deployed.
    • We have been running several typical Gen III Honeynets based on Roo, with Sebek-instrumented honeypots running Linux, Windows XP and OpenBSD, at different ISPs.
    • Eight Nepenthes sensors were also deployed, logging to our central repository.
    • One honeytrap sensor was deployed, also logging to our central repository.
    • In addition, two Nepenthes sensors are submitting captured malware to the mwcollect alliance.
    • One Web-based high interaction Honeypot.
  2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
    • The most common malware detected is a family of polymorphic memory-resident viruses called "virut". Viruses belonging to this family infect files with .EXE and .SCR extensions. All viruses belonging to the Virut family also contain an IRC-based backdoor that provides unauthorized access to infected computers.
    • The vast majority of attacks are automated and random; Honeytrap and Nepenthes do a good job catching most attacks of this kind.
    • Windows XP high interaction Honeypots are hard to maintain because they keep rebooting due to offset problems related to patch levels and operating system versions.
    • Most of the statistical information we collected over the last trimester is compiled here: http://www.honeynet.org.pt/index.php/Honeynet-PT:Stats

RESEARCH AND DEVELOPMENT

  1. List any new tools, projects or ideas you are currently researching or developing.
    • Legacy is a tool that builds a logic NxN-1 matrix of malware similarity. It is written in Ruby (previously C) and uses the ClamAV libraries to identify the malware. The data of the logic matrix is stored in a MySQL database and is restored from there when the program starts.
    • We are still trying to finish a system that presents our findings in an appealing way. An experimental version is available here: http://www.honeynet.org.pt/index.php/Honeynet-PT:Stats
    • The Nepenthes module submit-nepenthes was modified to include information such as the IP of the attacker, the IP of the collecting machine and the URL from which the malware was downloaded.
    • We would like to research the use of similarity between new and known malware to fit new samples into categories. Knowing that a malware sample is close to one already known gives us the possibility to anticipate threats.
  2. List tools you enhanced during the last year
    • We kept the Honeymole development alive.
    • We enhanced the Nepenthes module we used to submit our findings to our central repository.
  3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
    • Integration between HoneyMole and HoneyWall is necessary in order to minimize deployment time. It would be easier to have a menu in HoneyWall to configure HoneyMole settings.
  4. Explain what kind of help or tools or collaboration you are interested in.
    • Access to a CWSandbox free version would be great.
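
  The similarity matrix that Legacy builds, and the "fit a new sample into a known category" idea from the research item above, as an added example in Ruby (not the Legacy tool's own code). The report does not say how Legacy scores similarity, so byte n-gram Jaccard similarity is an assumption here, and the samples are constructed byte strings standing in for captured files.

```ruby
# Added example (not the Legacy tool's code): a pairwise malware similarity
# matrix over constructed byte strings, scored with byte n-gram Jaccard
# similarity (the metric is an assumption; the report does not state Legacy's).
require 'set'

# Constructed samples standing in for captured files; real input would be
# the raw bytes of each binary (File.binread). a and b differ in one byte.
SAMPLES = {
  'sample_a' => "\x4d\x5a\x90\x00" + "PAYLOAD-v1-IRC-BACKDOOR" + "\x00" * 8,
  'sample_b' => "\x4d\x5a\x90\x00" + "PAYLOAD-v2-IRC-BACKDOOR" + "\x00" * 8,
  'sample_c' => "\x7f\x45\x4c\x46" + "totally different content here" + "\x00" * 8,
}.freeze

# Split a byte string into the set of its overlapping n-byte substrings.
def ngrams(bytes, n = 4)
  bytes = bytes.b
  return Set.new if bytes.bytesize < n
  (0..bytes.bytesize - n).each_with_object(Set.new) { |i, s| s << bytes.byteslice(i, n) }
end

# Jaccard similarity of two n-gram sets: |A & B| / |A | B|, in [0.0, 1.0].
def jaccard(a, b)
  return 1.0 if a.empty? && b.empty?
  (a & b).size.to_f / (a | b).size
end

# Build the symmetric matrix name => { other_name => score }. The diagonal is
# left out, which is the "NxN-1" shape the report mentions.
def similarity_matrix(samples, n = 4)
  grams = samples.transform_values { |bytes| ngrams(bytes, n) }
  names = grams.keys
  names.each_with_object({}) do |x, m|
    m[x] = names.reject { |y| y == x }.to_h { |y| [y, jaccard(grams[x], grams[y])] }
  end
end

# Place a new sample in the family of its nearest known neighbour when the
# score clears a threshold; otherwise report it as unknown. `families` maps a
# known sample name to its family label (constructed labels in the test).
def nearest_family(new_bytes, known, families, threshold: 0.5, n: 4)
  g = ngrams(new_bytes, n)
  best, score = known.map { |name, bytes| [name, jaccard(g, ngrams(bytes, n))] }.max_by(&:last)
  score >= threshold ? [families.fetch(best), score] : ['unknown', score]
end

if __FILE__ == $0
  similarity_matrix(SAMPLES).each { |x, row| puts "#{x}: #{row.inspect}" }
end
```

A real ClamAV-identified corpus would replace SAMPLES with the file bytes, and the matrix rows are what Legacy would persist to MySQL between runs.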

FINDINGS

  1. Highlight any unique findings, attacks, tools, or methods.
    • Linux servers running vulnerable versions of Mambo, Joomla, awstats and WordPress were exploited via known exploits.
    • A number of botnets were found and tracked.
    • The vast majority of attacks are automated and random.
  2. Any trends seen in the past year?
    • Lots of activity (brute-force attacks) on port 22. Some stats are available here: http://www.honeynet.org.pt/index.php/Honeynet-PT:Stats
    • Lots of web-based attacks on insecure PHP tools (such as Joomla, awstats, Mambo, phpnuke, WordPress, phpMyAdmin, phpBB2).
  3. What are you using for data analysis?
    • For Honeynet data analysis, we use standard analysis tools such as tcpdump and Walleye.
    • For malware analysis we use ClamAV, OllyDbg, IDA and many Sysinternals utilities.
    • For dynamic malware analysis we built a sandbox that can be rebuilt in about 5 minutes using partimage. Since some malware detects virtualized systems and refuses to run, we do not use any virtualized systems here.
    • For botnet tracking, mainly tor, netcat and different IRC clients.
  4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
    • A free CWSandbox would be great.

PAPERS AND PRESENTATIONS

  1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible)
    • We are working on a paper to present our new tool called Legacy (not publicly available yet).
  2. Are you looking for any data or people to help with your papers?
  3. Where did you present honeypot-related material? ( selected publications )
    • A Portuguese security magazine is coming out very soon in which we will present some Honeypot/Honeynet material.

GOALS

  1. Which of your goals did you meet for the past year?
    • We have achieved the goal of automatic collection and analysis of malware. However, there is still some work to be done, especially on how to present the data.
    • We have improved our processes for Botnet discovery and tracking.
  2. Goals for the next year.
    • We aim to research and develop malware capture and analysis technologies to construct our own malware analysis platform.
    • Deliver some presentations.
    • Improve our Stats infrastructure.
    • Publish one KYE lite paper.
    • Development of HoneyMole. Check our website for more information.
    • Development of Legacy. More info available soon.

MISC ACTIVITIES

  • Keeping good relations with universities and helping them defend their perimeter.
  • Searching for related existing tools and projects before deciding to develop our own, and continuing to contribute to open source tools and projects.
  • Development of collaboration platforms with other Portuguese organizations.