2010 Chapter Report

Following is a brief summary of our activity and contributions during 2010:

Organisation
2010 saw the addition of David Zielezna as a contributor to the Project.
We are now:
- Shaun Vlassis, HP full member, Chapter lead.
- Ben Reardon, HP full member, member of the HP Public Relations and Membership committees.
- David Zielezna, Contributor, in charge of AHP infrastructure.

2010 Annual Honeynet project workshop, Mexico City
Shaun and Ben attended the 2010 Annual workshop and presented to the group on VOIP attacks and honeypots, development of malware data visualization techniques, and defacement tracking.

Forensic challenge 4
Development of Forensic challenge FC4, which dealt with VOIP attacks.

GSOC 2010
Participation as a co-admin and mentor for the Honeynet Project's Google funded GSOC 2010 initiative.

Conferences

  • The Australian High Tech Crime Conference, HTCC2010, 8 September 2010
    Presentation: VOIP Honeypots
  • Melbourne Branch: Australian Information Security Association (AISA), 12 August 2010
    Presentation: The Honeynet Project and Data Visualization for Security Purposes
  • Sydney Branch: Australian Information Security Association (AISA), 15 September 2010
    Presentation: HiTech Crime and Honeypots
  • Ballarat Innovation, Communication and Technology Cluster, 15 June 2010
    Presentation: Honeynet Project
  • AusCERT Conference, Gold Coast, Queensland, May 2010

References
We were pleased to see our work on VOIP attack analysis referenced in an academic paper delivered at the Australian Digital Forensics Conference by Craig Valli, "An Analysis of Malfeasant Activity Directed at VoIP Honeypots".

Highlights of 2010

  • Sharing our work at the Annual workshop
  • Collaboration with the Norway Chapter on VOIP honeypots, and Forensic Challenge FC4
  • Collaboration with the many students and mentors during GSOC 2010
  • Developing new ways of understanding malicious activity by using data visualization tools
  • Collection and analysis of honeypot data indicating substantial malicious activity against VOIP (SIP) servers
  • Continued development of Honey Client system Trigona

Goals for 2011

  • Seek to identify and analyse NEW and less understood data sets and attack vectors
  • Attend and present at the first ever Public Honeynet Project workshop in March 2011
  • Continue development of data visualization techniques on data sets
  • Continue VOIP activity research
  • Continue development of Trigona and other tools

PAST REPORTS

Jan 2010 report
ORGANIZATION
===========================
1. Changes in the structure of your organization.
We had the addition of Ben R as another full time chapter member.
2. List current chapter members and their activities
Shaun - Chapter Lead
spam processing system, fast flux tracking system,
client honeypotting, malware processing system
Ben - Full time member
XSS Alerting System
Defacement Alerting System
DEPLOYMENTS
===========================
1. List current technologies deployed.
distributed nepenthes sensor network
xss tracking system
defacement tracking system
fast flux tracking system
malware submission and processing system
2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
From our distributed nepenthes network we have seen that the majority of attacks for 2008 have originated from Japan. They make up nearly 2/3 of all sources for network based attacks targeting Australian IP address space.
RESEARCH AND DEVELOPMENT
===========================
1. List any new tools, projects or ideas you are currently researching or developing.
fast flux tracking system
edonkey malware scraping system -- fabled and when time permits
client honeypotting setup
hacked site identification
2. List tools you enhanced during the last year
spam processing system
fast flux tracker -> changed backend code
automatic identification of new fast-flux networks from processing spam feeds
3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
n/a
4. Explain what kind of help or tools or collaboration you are interested in.
Would very much like to spend more time developing scraping software for popular p2p networks to look for infected files there.
FINDINGS
===========================
1. Highlight any unique findings, attacks, tools, or methods.
Majority of network borne attacks originate from Japan.
2. Any trends seen in the past year?
3. What are you using for data analysis?
publicly available sandboxing technologies such as cws/threatexpert/anubis etc.
vtotal for identification/distribution
4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
spam processing and fast-flux identification working great
distributed nepenthes submission system works really well. almost 0% maintenance needed on the server side due to how it has been set up.
PAPERS AND PRESENTATIONS
===========================
1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible)
Currently working on a presentation outlining the malicious events observed for the year of 2008. To be presented at the 2009 AusCERT Conference.
2. Are you looking for any data or people to help with your papers?
yes
3. Where did you present honeypot-related material? (selected publications)
GOALS
===========================
1. Which of your goals did you meet for the past year?
bring the nepenthes component of the AU sensornet online
get supporters to run malware collection points for the nepenthes sensornet
create spam processing system
improve the fast flux tracking system
create an automated malware distribution system that takes in malware collected from numerous sources and forwards it on to the necessary parties such as sandbox vendors, AV companies etc.
2. Goals for the next year.
expand infrastructure and bring in more data sources to help identify more malicious events in AU
continue to create new automated systems
MISC ACTIVITIES
===========================
Chapter members have attended the following conferences this year:
AusCERT Conference
Defcon
BlackHat