Iranian Chapter Status Report For 2012

ORGANIZATION

Current chapter members:

  • Adel Karimi (Chapter Lead; Research on Botnet detection and new attack trends, Honeypot deployment, Writing/Presenting Honeypot related materials)
  • Shahriyar Jalayeri (Lead Developer; Research, Honeypot development, Malware and attack analysis)
  • Amirreza Aminsalehi (Development, Honeypot deployment, Malware analysis and RCE)
  • Vahid Ghayoumi (Research on Web-based attacks and web honeypots, Development)
  • Mehdi Mousavi (PhD Student; Research guide)
  • Ali Zand (PhD Student @UCSB; Research guide)

- No changes in the structure of IR/HP.

DEPLOYMENTS

  • 1 x HonEeeBox Sensor (connected to HPfeeds)
  • 15 x Dionaea Sensor
  • 1 x Kippo Sensor
  • 2 x Amun Sensor
  • 1 x Cuckoo Sandbox

We are going to use HPfeeds for monitoring our sensors and are writing a backend for it (supporting Dionaea, Glaspot and Kippo). Please let me know if you're also working on this (and whether you can share your code/experience) - we need something like carniwwwhore for HPfeeds!

RESEARCH AND DEVELOPMENT

  • MCEDP High-Interaction HoneyClient (aka PwnyPot)
    MCEDP is a novel high-interaction client honeypot that detects drive-by download attacks at the exploit stage (as opposed to detecting malicious servers by monitoring system changes such as file-system modifications and invoked/killed processes).
    We still have a lot to do with this project. Please try it out and let us know your opinions / suggestions.
    You can find more info at http://www.irhoneynet.org/?page_id=116.
    Github repository (use “/MCEDP Setup/Release/MCEDP Setup.msi” for installation):
    https://github.com/shjalayeri/MCEDP
  • pinStalk: Tracing Program Execution Flow
    pinStalk is a tool for analyzing the execution flow of an executable. It uses Dynamic Binary Instrumentation (DBI) to trace the program's behavior: every instruction can be inspected and analyzed before it executes, so the program's behavior can be studied at the basic-block and instruction levels. pinStalk uses Pintool (from Intel) and IDA Pro to do its job.
    More info at http://www.irhoneynet.org/?p=75

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

We had some presentations at local research centers and universities:

  • "Emerging Trends in Botnets"
  • "Use Honeypots to know your enemies"
  • 1-day Practical Honeypot Workshop
  • Security Awareness Training

We also contributed to the following ENISA paper:

  • Proactive Detection of Security Incidents - Honeypots

GOALS

- Goals the chapter met for the past year:

  • Developing new tools
  • Presenting more honeypot-related materials at local universities
  • Deploying our honeypot sensors

- Goals for the next year:

  • Publishing papers/presentations on our new client honeypot
  • Finishing the management component of MCEDP and developing a web interface for it
  • Running our own HPfeeds server for monitoring our honeypots

MENTORING

We guide some graduate students in their theses (Honeypot- and Botnet-related subjects)!