Australian Status Report

ORGANIZATION
===========================
1. Changes in the structure of your organization.
We had the addition of Ben R as another full time chapter member.
2. List current chapter members and their activities
Shaun - Chapter Lead
spam processing system, fast flux tracking system,
client honeypotting, malware processing system
Ben - Full time member
XSS Alerting System
Defacement Alerting System
DEPLOYMENTS
===========================
1. List current technologies deployed.
distributed nepenthes sensor network
xss tracking system
defacement tracking system
fast flux tracking system
malware submission and processing system
2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
From our distributed nepenthes network we have seen that the majority
of attacks for 2008 have originated from Japan. They make up nearly 2/3
of all sources for network-based attacks targeting Australian IP address space.
RESEARCH AND DEVELOPMENT
===========================
1. List any new tools, projects or ideas you are currently researching or developing.
fast flux tracking system
edonkey malware scraping system -- fabled and when time permits
client honeypotting setup
hacked site identification
2. List tools you enhanced during the last year
spam processing system
fast flux tracker -> changed backend code
automatic identification of new fast-flux networks from processing spam feeds
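The two enhancements above (spam processing feeding the fast-flux tracker) combine into one pipeline: pull hostnames out of spam URLs, resolve each one repeatedly, and flag domains whose answers show the usual fast-flux signature (many distinct IPs, spread across many ASNs, with short TTLs). The following is an added illustration of that pipeline, not code from the chapter's own systems; the DNS observations are constructed inline (the tracker would get them from a real resolver), and the thresholds are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Hostname inside an http(s) URL in a spam body.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# One resolution: (TTL in seconds, [(ip, asn), ...]) as returned for an A lookup.
Observation = Tuple[int, List[Tuple[str, int]]]


def extract_domains(spam_messages: List[str]) -> Set[str]:
    """Collect the distinct hostnames advertised in a batch of spam messages."""
    hosts: Set[str] = set()
    for body in spam_messages:
        for host in URL_HOST_RE.findall(body):
            hosts.add(host.lower().rstrip("."))
    return hosts


def summarise(observations: List[Observation]) -> Dict[str, int]:
    """Aggregate repeated lookups of one name into the fast-flux indicators."""
    ips: Set[str] = set()
    asns: Set[int] = set()
    ttls: List[int] = []
    for ttl, answers in observations:
        ttls.append(ttl)
        for ip, asn in answers:
            ips.add(ip)
            asns.add(asn)
    return {"unique_ips": len(ips), "unique_asns": len(asns), "min_ttl": min(ttls)}


def is_fast_flux(observations: List[Observation],
                 ip_threshold: int = 5,
                 asn_threshold: int = 3,
                 ttl_threshold: int = 300) -> bool:
    """Heuristic: many IPs across many ASNs with short TTLs (thresholds are assumptions)."""
    s = summarise(observations)
    return (s["unique_ips"] >= ip_threshold
            and s["unique_asns"] >= asn_threshold
            and s["min_ttl"] <= ttl_threshold)


def flag_fast_flux(spam_messages: List[str],
                   lookups: Dict[str, List[Observation]]) -> Set[str]:
    """Return the spam-advertised domains whose resolution history looks like fast flux."""
    return {d for d in extract_domains(spam_messages)
            if d in lookups and is_fast_flux(lookups[d])}


# Constructed sample data: two spam bodies advertising two hostnames.
SPAM_SAMPLE = [
    "Cheap pills today! Visit http://pharma-deal.example/buy now",
    "Your parcel is waiting: https://WWW.Tracking-Update.example/id=7",
]

# Constructed resolution histories (five lookups each). The first name rotates
# through many IPs in many ASNs with 60-second TTLs; the second is stable.
LOOKUPS: Dict[str, List[Observation]] = {
    "pharma-deal.example": [
        (60, [("198.51.100.10", 64500), ("203.0.113.5", 64501)]),
        (60, [("192.0.2.77", 64502), ("198.51.100.23", 64500)]),
        (60, [("203.0.113.91", 64503), ("192.0.2.130", 64504)]),
        (60, [("198.51.100.200", 64505), ("203.0.113.5", 64501)]),
        (60, [("192.0.2.9", 64506), ("198.51.100.10", 64500)]),
    ],
    "www.tracking-update.example": [
        (3600, [("192.0.2.50", 64510)]),
        (3600, [("192.0.2.50", 64510)]),
        (3600, [("192.0.2.50", 64510)]),
        (3600, [("192.0.2.50", 64510)]),
        (3600, [("192.0.2.50", 64510)]),
    ],
}

if __name__ == "__main__":
    for domain in sorted(extract_domains(SPAM_SAMPLE)):
        print(domain, summarise(LOOKUPS[domain]), "fast-flux" if is_fast_flux(LOOKUPS[domain]) else "stable")
```

Thresholds like these produce false positives on legitimate CDN-fronted names, which also spread across ASNs with low TTLs, so in practice a candidate from this step is queued for the tracker to watch over time rather than treated as confirmed.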
3. Would you like to integrate this with any other tools, or are you
looking for help or collaboration with others in testing or developing
the tool?
n/a
4. Explain what kind of help or tools or collaboration you are interested in.
Would very much like to spend more time developing scraping software for popular p2p networks to look for infected files there.
FINDINGS
===========================
1. Highlight any unique findings, attacks, tools, or methods.
The majority of network-borne attacks originate from Japan.
2. Any trends seen in the past year?
3. What are you using for data analysis?
publicly available sandboxing technologies such as cws/threatexpert/anubis etc.
vtotal for identification/distribution
4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
spam processing and fast-flux identification working great
distributed nepenthes submission system works really well; almost 0%
maintenance is needed on the server side due to how it has been set up.
PAPERS AND PRESENTATIONS
===========================
1. Are you working on or did you publish any papers or presentations,
such as KYE or academic papers? If yes, please provide a description
and link (if possible)
Currently working on a presentation outlining the malicious events
observed for the year 2008, to be presented at the 2009 AusCERT
Conference.
2. Are you looking for any data or people to help with your papers?
yes
3. Where did you present honeypot-related material? ( selected publications )
GOALS
===========================
1. Which of your goals did you meet for the past year?
bring the nepenthes component of the AU sensornet online
get supporters to run malware collection points for the nepenthes sensornet
create spam processing system
improve the fast flux tracking system
create an automated malware distribution system that takes in malware
collected from numerous sources and forwards it on to the necessary parties,
such as sandbox vendors, AV companies, etc.
2. Goals for the next year.
expand infrastructure and bring in more data sources to help identify more malicious events in AU
continue to create new automated systems
MISC ACTIVITIES
===========================
Chapter members have attended the following conferences this year:
Auscert Conference
Defcon
BlackHat