Sysenter Chapter - Status Report 2011

ORGANIZATION

The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

  • Angelo Dell'Aera
  • Guido Landi
  • Patrik Lantz
  • Roberto Tanara

The Chapter members are interested in research projects covering the following topics:

  • Automated botnet tracking
  • Low-interaction client honeypots
  • Automated malware collection and analysis systems
  • Distributed honeynet deployment, operation and data analysis
  • Intrusion detection
  • Reverse engineering
  • Computer forensics
DEPLOYMENTS

We have recently deployed an instance of TIP (see Section "Research and Development" for further details). Access is granted to trusted parties so interested people should get in touch.

We have several Honeeebox sensors deployed. Recorded attacks and malware samples are submitted to the MWCollect Alliance database too.

RESEARCH AND DEVELOPMENT

  • We improved TIP (Tracking Intelligence Project). TIP is an information gathering framework whose purpose is to autonomously collect, correlate and analyze data useful for understanding Internet threat trends.
  • We improved PhoneyC, a pure Python honeyclient implementation.
  • We improved Hale, a botnet Command & Control monitor tool developed during Google Summer of Code 2010.
  • We developed and publicly released pylibemu, a libemu wrapper coded in Cython.
  • We publicly released maltracer, Win32 Python code for tracing malware activities on infected hosts.
  • We are currently designing and developing a completely new pure Python honeyclient implementation, starting from the experience we gained while developing PhoneyC. We hope to be able to release this project before the end of this year.
  • We are currently developing a new tool for malware analysis. The core of the tool is essentially a sandbox, but it can greatly extend the analysis through specific plugins (currently plugins for Zeus and SpyEye are available).
  • We are currently designing and developing an Android application sandbox for dynamic analysis during the Google Summer of Code 2011.

FINDINGS

We identified a new reliable technique for real-time clustering of Fast-Flux botnets. The algorithm is already implemented and running within the TIP framework, but it is not yet public. We are currently considering writing a paper that describes this technique.

PAPERS AND PRESENTATIONS

We contributed to the following ENISA papers:

  • Botnets: Measurement, Detection, Disinfection and Defence
    Editor: Dr. Giles Hogben
    Authors: Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder
  • Botnets: 10 Tough Questions
    Editor: Dr. Giles Hogben
    Authors: Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder

The following presentation was given by us:

Moreover, we were frequently engaged for educational presentations and for teaching university classes on topics related to new emerging threats.

GOALS

In 2011 we would like to continue improving the tools we have already released. Moreover, we hope to be able to release the new tools we are working on (see Section "Research and Development" for further details).

MISC ACTIVITIES

We are currently leading the Forensic Challenge organization efforts.