Iranian Chapter Status Report For 2011

ORGANIZATION

1. Changes in the structure of your organization.
No changes

2. List current chapter members and their activities

  • Adel Karimi: Chapter Lead, Research (Botnet detection, New trends and so on), Honeypots deployment, Data Analysis.
  • Amirreza Aminsalehi: Development, Malware analysis and RCE, Honeypots deployment, Data analysis.
  • Shahriyar Jalayeri: Development, Malware analysis, Research (Sandbox detection, Android Malwares and Vulnerabilities, …)
  • Vahid Ghayoumi: Research (Web-based attacks and web honeypots), Development, Honeypots deployment.
  • Mehdi Mousavi: Research, Data analysis.
  • Ali Zand (PhD Student @UCSB): Research guide.

DEPLOYMENTS

1. List current technologies deployed.
During the last year we deployed and evaluated these honeypots / tools:

  • Dionaea
  • Amun
  • Glastopf
  • Nepenthes
  • Kippo SSH honeypot
  • PhoneyC
  • Honeywall
  • SurfIDS

As we are a new chapter, we do not have a large number of honeypots yet. Recently we found two sponsors (they donated two servers, Internet access and some IP addresses). Thanks to them we can deploy our honeypots by the end of this year.

2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
Although we had only a few honeypots, we captured a large number of attacks and malware samples.
We would be happy to share our collected data through HPfeeds.

RESEARCH AND DEVELOPMENT

1. List any new tools, projects or ideas you are currently researching or developing.

  • B0xSh0t
    We developed a framework (just as a PoC) to show vulnerabilities in online malware analysis systems (e.g. Anubis, JoeBox, Comodo, CWSandbox and ThreatExpert). B0xSh0t collected some data from online sandboxes (e.g. MAC address, injected DLLs, sandbox processes, etc.), and then we created fingerprints for each sandbox based on the collected data. It is possible to detect these online malware analyzers using the created fingerprints.
    We provided some sandbox developers with prevention methods. Currently we are in the process of writing a Know Your Enemy paper on it.
    B0xSh0t is only available to some Honeynet Project members and sandbox developers for research purposes.
  • Melpomene (a dynamic malware analysis system)
    We started this project as a user-mode malware analyzer, but for several reasons we stopped the project and decided to improve an existing one (e.g. Cuckoo Sandbox) instead.

2. List tools you enhanced during the last year
We developed a vulnerability module for the Amun honeypot to test module creation in Amun. Since there was no documentation on creating advanced vulnerability modules for Amun, we started with a classic case (WarFTPD). You can download this module at http://irhoneynet.org/files/warftpd_modul.py. We also made some improvements to Amun's HTTP module for testing.
We are looking for a good low-interaction (LI) honeypot to improve (mwcollectd / Dionaea / Amun!?)

3. Explain what kind of help or tools or collaboration you are interested in.

  • We are interested in cooperating on Dionaea development/improvement (e.g. the HTTP module).
  • Collaboration on botnet-related research (fast-flux tracking, botnet tracking and so on).

FINDINGS

1. Highlight any unique findings, attacks, tools, or methods.
None. Most of the attacks came from IP addresses in China and Russia.

2. What are you using for data analysis?
Online malware analysis services (e.g. Anubis, ThreatExpert and CWSandbox), Streams, Tshark, tcpdump, Capsa, Sguil, Foremost and custom scripts, …

PAPERS AND PRESENTATIONS

1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible)

2. Where did you present honeypot-related material? (selected publications)

  • Mazandaran University of Science and Technology
  • Snoop security magazine (www.snoopmag.net)

GOALS

1. Which of your goals did you meet for the past year?

  • Deployed and evaluated different honeypots (e.g. Dionaea, mwcollectd, Nepenthes, Amun, PhoneyC, …)
  • Presented honeypot-related materials
  • Found sponsors for deploying our honeypots

2. Goals for the next year.

  • Present more honeypot-related materials at local universities and conferences
  • Write a KYE paper on sandbox/DMAS detection methods and mitigations
  • Research on botnet tracking, VM introspection (for malware analysis), VoIP attacks, Android malware and so on
  • Deploy our honeypots and data analysis system
  • Improve a low-interaction (LI) honeypot
  • Publish a special issue of SnoopMag on Honeynet-related topics (botnets, malware, honeypots, forensics, …)