ORGANIZATION
The Sysenter Chapter was founded in August 2010 and currently consists of the following people:
- Angelo Dell'Aera
- Charlie Hurel
- Gianluca Guida
- Guido Landi
- Patrik Lantz
- Pietro Delsante
- Roberto Tanara
The Chapter members are interested in research projects covering the following topics:
- Automated botnet tracking
- Low-interaction client honeypots
- Automated malware collection and analysis systems
- Distributed honeynet deployment, operation and data analysis
- Intrusion detection
- Reverse engineering
- Mobile malware analysis
- Virtualization
- Computer forensics
DEPLOYMENTS
- We have recently deployed an instance of TIP in the Honeycloud (see Section "Research and Development" for further details). Access is granted to trusted parties so interested people should get in touch.
- We have deployed several Honeeebox sensors. Recorded attacks and malware samples are submitted to HPFeeds.
- We have deployed a Splunk instance to collect and monitor HPFeeds data and started the evaluation of some visualization modules.
- We are in the process of finalizing the deployment of an instance of CuckooBox with a large set of virtual machines and custom analyzer modules that should help us track the latest Infostealer threats (Citadel, Ice IX, Murofet, Zeus, SpyEye, etc.).
RESEARCH AND DEVELOPMENT
- We released Thug, a new Python low-interaction honeyclient, during the Honeynet Project Annual Workshop 2012 in the San Francisco Bay Area.
- We started working on Buttinsky, a new botnet monitoring tool. The project was selected for the second round of the Rapid7 Magnificent7 program.
- We improved DroidBox, an Android application sandbox. Outcomes of this work include APIMonitor and porting DroidBox to support Android 2.3.
- We improved TIP (Tracking Intelligence Project). TIP is an information gathering framework whose purpose is to autonomously collect, correlate and analyze data useful for understanding Internet threat trends.
- We improved Pylibemu, a Libemu wrapper coded in Cython.
- We are closely monitoring the development of the ZeuS malware variants that appeared after the release of the source code of ZeuS 2.0.8.9: Citadel, Ice IX, Murofet and several other custom variants with a smaller media impact but with interesting new features added.
FINDINGS
We identified a new, reliable technique for real-time clustering of Fast-Flux botnets. The algorithm is already implemented and running within the TIP framework, but it is not yet public. We are currently thinking about writing a paper that describes this technique.
PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS
We contributed to the following (to be published) ENISA papers:
- Proactive Detection of Security Incidents - Honeypots
- Honeypots CERT Exercise Toolset
The following presentation was given by us:
Moreover, we were frequently engaged to give educational presentations or to teach university classes on topics related to new and emerging threats.
GOALS
In 2012 we would like to continue improving the tools we have already released (see Section "Research and Development" for further details).
MISC ACTIVITIES
- We are currently leading the Forensic Challenge organization efforts.
MENTORING
- GSoC 2012 project 3: Improvements for DroidBox. Outcomes of this work include APIMonitor and porting DroidBox to support Android 2.3.