OCERT Chapter Status Report for 2012

ORGANIZATION

The OCERT Honeynet is operated by the Threat Analysis Center team of the Oman National CERT (OCERT). OCERT was officially launched in April 2010 to analyze risks and security threats present in cyberspace and to communicate this information to users of Internet services and technical information outlets, whether they are public or private institutions or individuals. The members of the OCERT Chapter are:

• Yousuf Alsiyabi

• Nasser Salim Al Hadhrami

• Suliman Al Hinai

RESEARCH AND DEVELOPMENT

Low interaction honeypot technology is deployed as follows:

- Dionaea: A few Dionaea sensors were deployed to capture malware and to identify infected systems in the country's cyberspace.

- Cuckoo: The latest stable version of Cuckoo Sandbox (0.4.2) is deployed. This version shows great features and enhancements compared to the previous version. We added antivirus scan results to the Cuckoo report by integrating it with VirusTotal's API.

- Glastopf: It was deployed as a web application honeypot. The latest version, Glastopf v3, has been tested and will be deployed in the production environment.
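The VirusTotal integration mentioned above, as an added example (Python 3; not OCERT's or Cuckoo Sandbox's own code). It assumes the VirusTotal public API v2 "file/report" response format and a Cuckoo-style report dict that carries the sample's SHA-256 under report["target"]["file"]["sha256"]; the sample reply and report below are constructed, and the hash in them is a placeholder.

```python
"""Attach VirusTotal results to a Cuckoo-style JSON report.

Added example, not OCERT's or Cuckoo Sandbox's own code. Assumes the
VirusTotal public API v2 "file/report" reply format and that the report
dict stores the sample hash at report["target"]["file"]["sha256"].
"""
import json
import urllib.parse
import urllib.request

VT_FILE_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"


def fetch_vt_report(resource, api_key, url=VT_FILE_REPORT_URL):
    """Ask VirusTotal whether it already has a scan for this hash (needs network and a key)."""
    data = urllib.parse.urlencode({"resource": resource, "apikey": api_key}).encode()
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize_vt_report(vt):
    """Reduce a raw v2 reply to what the analyst needs to see in the report.

    response_code 1: hash known and scans present; 0: never seen by VT;
    -2: submitted but still queued. Anything but 1 is reported as not found
    rather than silently producing a 0/0 ratio.
    """
    code = vt.get("response_code")
    if code != 1:
        return {"found": False, "response_code": code,
                "message": vt.get("verbose_msg", "")}
    detections = {}
    for engine, scan in sorted(vt.get("scans", {}).items()):
        if scan.get("detected"):
            detections[engine] = scan.get("result") or "detected"
    positives = vt.get("positives", len(detections))
    total = vt.get("total", 0)
    return {
        "found": True,
        "positives": positives,
        "total": total,
        "ratio": "%d/%d" % (positives, total),
        "scan_date": vt.get("scan_date"),
        "permalink": vt.get("permalink"),
        "detections": detections,
    }


def add_virustotal_section(report, vt):
    """Store the summary under report["virustotal"]; refuse to mix up samples."""
    expected = report.get("target", {}).get("file", {}).get("sha256")
    got = vt.get("sha256")
    if expected and got and expected.lower() != got.lower():
        raise ValueError("VirusTotal reply is for %s, report is for %s" % (got, expected))
    report["virustotal"] = summarize_vt_report(vt)
    return report


# Constructed sample data (placeholder hash, fictitious engine names).
PLACEHOLDER_SHA256 = "a" * 64
SAMPLE_VT = {
    "response_code": 1,
    "verbose_msg": "Scan finished, information embedded",
    "resource": PLACEHOLDER_SHA256,
    "sha256": PLACEHOLDER_SHA256,
    "scan_date": "2012-11-20 10:15:00",
    "positives": 2,
    "total": 3,
    "permalink": "https://www.virustotal.com/file/" + PLACEHOLDER_SHA256 + "/analysis/",
    "scans": {
        "EngineA": {"detected": True, "result": "Trojan.Zbot", "version": "1.0", "update": "20121120"},
        "EngineB": {"detected": False, "result": None, "version": "2.3", "update": "20121120"},
        "EngineC": {"detected": True, "result": "Win32/Zbot.gen", "version": "7", "update": "20121119"},
    },
}
SAMPLE_REPORT = {"info": {"id": 1}, "target": {"file": {"sha256": PLACEHOLDER_SHA256}}}

if __name__ == "__main__":
    print(json.dumps(add_virustotal_section(dict(SAMPLE_REPORT), SAMPLE_VT)["virustotal"], indent=2))
```

The hash comparison in add_virustotal_section is the check worth keeping: a lookup by MD5 or a queued resubmission can return a reply for a different object than the one Cuckoo analysed, and merging it silently would mislabel the sample.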

RESEARCH AND DEVELOPMENT:

- Intelligence Gathering Portal (IGP): A web interface application developed in-house to gather information from the deployed honeypots. This application uses the databases of the deployed honeynet (SQLite, MySQL) as its source of information and presents them in a web interface. The application presents the different types of attacks and provides a global view of attacks across the world, colour-coded by attack type. Some features of the application are:
1. IGP can show three main types of attacks: malware, web attacks and network attacks.
2. It contains a dashboard that gathers all statistics yearly and monthly.
3. It details every type of attack, such as top source countries of attacks and top attacker IPs.
4. IGP has search capabilities based on criteria such as month, year, IP address and country.
5. It has online malware analysis capabilities.
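The kind of queries behind the dashboard and search features listed above, as an added example (not IGP's own code). It assumes the Dionaea "logsql" SQLite schema, of which only the `connections` table is used (connection_type is 'accept' for inbound connections, connection_timestamp is a Unix epoch); the rows and the IP-to-country map are constructed stand-ins for sensor data and a GeoIP database.

```python
"""Dashboard-style queries over a Dionaea logsql SQLite database.

Added example, not IGP's own code. Assumes the Dionaea "logsql" schema's
`connections` table; the sample rows and COUNTRY_OF map are constructed.
"""
import calendar
import sqlite3

# Constructed IP-to-country map (documentation ranges); IGP would use GeoIP.
COUNTRY_OF = {"198.51.100.7": "XA", "203.0.113.9": "XB", "192.0.2.5": "XC"}


def open_db(path=":memory:"):
    """Open (or create) a logsql-style database with the connections table."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS connections (
        connection INTEGER PRIMARY KEY, connection_type TEXT,
        connection_transport TEXT, connection_protocol TEXT,
        connection_timestamp INTEGER, connection_root INTEGER,
        connection_parent INTEGER, local_host TEXT, local_port INTEGER,
        remote_host TEXT, remote_hostname TEXT, remote_port INTEGER)""")
    return conn


def ts(year, month, day, hour=0):
    """UTC epoch for a calendar date, the unit logsql stores."""
    return calendar.timegm((year, month, day, hour, 0, 0, 0, 0, 0))


# Constructed sample rows: (type, timestamp, local_host, local_port, remote_host).
SAMPLE_CONNECTIONS = [
    ("accept", ts(2012, 11, 3, 1), "10.0.0.2", 445, "198.51.100.7"),
    ("accept", ts(2012, 11, 3, 2), "10.0.0.2", 445, "198.51.100.7"),
    ("accept", ts(2012, 11, 5), "10.0.0.2", 135, "203.0.113.9"),
    ("accept", ts(2012, 11, 9), "10.0.0.2", 445, "198.51.100.7"),
    ("accept", ts(2012, 12, 1), "10.0.0.2", 445, "192.0.2.5"),
    ("accept", ts(2012, 10, 20), "10.0.0.2", 21, "203.0.113.9"),
    ("accept", ts(2012, 10, 21), "10.0.0.2", 21, "203.0.113.9"),
    # Outbound connection made by the sensor itself (e.g. a download); not an attack.
    ("connect", ts(2012, 11, 3, 1), "10.0.0.2", 40000, "198.51.100.7"),
]


def load_sample(conn):
    conn.executemany(
        "INSERT INTO connections (connection_type, connection_transport,"
        " connection_protocol, connection_timestamp, connection_root,"
        " connection_parent, local_host, local_port, remote_host,"
        " remote_hostname, remote_port)"
        " VALUES (?, 'tcp', 'smbd', ?, 0, 0, ?, ?, ?, '', 0)",
        SAMPLE_CONNECTIONS)
    conn.commit()
    return conn


def _period_filter(year, month):
    """WHERE fragment for the optional year/month search criteria."""
    where, params = ["connection_type = 'accept'"], []
    if year is not None:
        where.append("strftime('%Y', connection_timestamp, 'unixepoch') = ?")
        params.append("%04d" % year)
    if month is not None:
        where.append("strftime('%m', connection_timestamp, 'unixepoch') = ?")
        params.append("%02d" % month)
    return " AND ".join(where), params


def top_attackers(conn, year=None, month=None, limit=10):
    """Remote hosts with the most inbound connections, optionally for one month."""
    where, params = _period_filter(year, month)
    sql = ("SELECT remote_host, COUNT(*) AS hits FROM connections WHERE " + where +
           " GROUP BY remote_host ORDER BY hits DESC, remote_host LIMIT ?")
    return conn.execute(sql, params + [limit]).fetchall()


def top_countries(conn, year=None, month=None, limit=10):
    """Same ranking aggregated by source country (LIMIT -1 means no limit in SQLite)."""
    counts = {}
    for host, hits in top_attackers(conn, year, month, limit=-1):
        cc = COUNTRY_OF.get(host, "??")
        counts[cc] = counts.get(cc, 0) + hits
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def monthly_stats(conn):
    """Inbound connections and distinct sources per month, for the dashboard."""
    return conn.execute(
        "SELECT strftime('%Y-%m', connection_timestamp, 'unixepoch') AS ym,"
        " COUNT(*), COUNT(DISTINCT remote_host) FROM connections"
        " WHERE connection_type = 'accept' GROUP BY ym ORDER BY ym").fetchall()


def search_ip(conn, ip):
    """Every inbound connection from one address: (UTC time, local port)."""
    return conn.execute(
        "SELECT datetime(connection_timestamp, 'unixepoch'), local_port"
        " FROM connections WHERE connection_type = 'accept' AND remote_host = ?"
        " ORDER BY connection_timestamp", (ip,)).fetchall()


if __name__ == "__main__":
    db = load_sample(open_db())
    print("Top attackers, Nov 2012:", top_attackers(db, 2012, 11))
    print("Top countries, 2012:", top_countries(db, 2012))
    print("Monthly:", monthly_stats(db))
```

Filtering on connection_type = 'accept' matters: logsql also records the sensor's own outbound connections (shellcode-driven downloads), and counting those would credit the honeypot's own traffic to the attacker ranking.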

FINDINGS:

We observed an increasing number of compromised IP addresses associated with botnets such as the Nitol botnet and the Zbot botnet, and a noticeable increase in captured unique malware samples compared to last year. Based on these observations, we initiated the Cyber Clean Program in order to increase awareness and to help infected users address this threat by providing them with the right tools and best procedures. The Cyber Clean Program is still in its initial stages, and we hope to activate it through cooperation with other entities such as ISPs and local law enforcement.

GOALS:

Our goal for the next year is to deploy some other client-side honeypot tools that we are currently still testing, such as Capture-HPC. In addition, we plan to develop an application that detects web threats such as malicious scripts injected into certain websites. Moreover, we plan to enhance cooperation with other security communities interested in botnet detection and monitoring.
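A minimal version of the injected-script detection described in the goals above, as an added example (Python 3, standard library only; not the tool OCERT plans to build). The indicators (hidden iframes, document.write/unescape/eval over long encoded runs, untrusted script origins) and the thresholds are assumptions chosen for illustration, not a published signature set, and the page it scans is constructed.

```python
"""Heuristic scan for scripts and iframes injected into a web page.

Added example, not OCERT's planned tool. Standard library only; the
indicators and thresholds are assumptions, and trusted_hosts is the
operator's allowlist of legitimate script origins.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

OBFUSCATION_CALL = re.compile(r"\b(eval|unescape|document\.write)\s*\(")
ENCODED_RUN = re.compile(r"(%[0-9a-fA-F]{2}){10,}|(\\x[0-9a-fA-F]{2}){10,}"
                         r"|String\.fromCharCode\s*\(\s*\d+\s*,")
LONG_LITERAL = re.compile(r"['\"]([^'\"]{200,})['\"]")  # assumed threshold


def _tiny(value):
    """True for the 0/1-pixel sizes used to hide an injected iframe."""
    m = re.match(r"\s*(\d+)", str(value))
    return bool(m) and int(m.group(1)) <= 1


class InjectedScriptScanner(HTMLParser):
    """Collects (line, indicator, detail) findings while parsing."""

    def __init__(self, trusted_hosts=()):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._in_script = False
        self._script_buf = []
        self._script_line = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if (_tiny(a.get("width", "")) or _tiny(a.get("height", ""))
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append((line, "hidden iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script, self._script_buf, self._script_line = True, [], line
            src = a.get("src") or ""
            host = urlparse(src).netloc.lower()
            if host and host not in self.trusted_hosts:
                self.findings.append((line, "external script", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            line = self._script_line
            if OBFUSCATION_CALL.search(body) and ENCODED_RUN.search(body):
                self.findings.append((line, "obfuscated inline script", body[:60]))
            m = LONG_LITERAL.search(body)
            if m:
                self.findings.append((line, "long string literal", m.group(1)[:60]))


def scan_html(html, trusted_hosts=()):
    """Return the list of (line, indicator, detail) findings for one page."""
    scanner = InjectedScriptScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a shop front with one hidden iframe and one
# document.write(unescape(...)) injection among legitimate scripts.
SAMPLE_HTML = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://bad.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%62%61%64%2E%65%78%61%6D%70%6C%65%2E%6E%65%74%2F%22%3E'));</script>
<script>var x = 1; console.log(x);</script>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in scan_html(SAMPLE_HTML, trusted_hosts=["cdn.example.com"]):
        print("line %d: %s: %s" % (line, kind, detail))
```

A static scan like this only sees what the server sent; it cannot follow scripts that build their payload at runtime, which is why the report pairs it with a client-side honeypot such as Capture-HPC that actually renders the page.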