WORKSHOP NEWS - May 12-14 in Warsaw, Poland

18 Feb 2014 Julia Yuchin Cheng workshop

Mon 5 May 2014:
We are very proud to announce that ticket sales are beyond our expectations! So hurry up if you are planning to attend, and go to http://warsaw2014.honeynet.org/register.html to register!

Wed 9 April 2014: FIRST.org joins the 2014 workshop sponsorship team
The Honeynet Project is proud to announce that the annual workshop in Warsaw will be sponsored by FIRST.org! The Forum of Incident Response and Security Teams (FIRST, www.first.org) is the premier organization and recognized global leader in incident response. Membership in FIRST enables incident response teams to respond to security incidents more effectively, both reactively and proactively. FIRST brings together a variety of computer security incident response teams from government, commercial, and educational organizations. FIRST aims to foster cooperation and coordination in incident prevention, to stimulate rapid reaction to incidents, and to promote information sharing among members and the community at large.

GSoC 2014 Mentoring Organization Applications

14 Feb 2014 David Watson gsoc

Over the past five years, The Honeynet Project has had the pleasure of mentoring over 70 lucky bachelor's, master's and PhD students from all over the world through Google Summer of Code (GSoC), Google's ongoing programme of support for international students working on free open source software (FOSS). Together we have worked on a large number of information security tools, including some that have gone on to be the leading examples of tools in their chosen field. Overall it has been a hugely positive experience for us and our students, and has resulted in many becoming active long-term members of our community. We very much hope that this will continue in the future.

Malware-serving theaters for your android phones - Part 2

10 Jan 2014 Andrea De Pasquale android

In this post I will analyze the Android APK files that my friend Pietro Delsante from the Honeynet Project Sysenter Chapter talks about in his previous post (thank you Pietro). The files are all named “video.apk” and these are the MD5 and SHA256 hashes:

  • video.apk: MD5 10859e82697955eb2561822e14460463, SHA256 a36ecd528ecd80dadf3b4c47952aede7df3144eb9d2f5ba1d3771d6be2261b62
  • video.apk: MD5 91f302fd7c2d1b8fb54248ea128d19e0, SHA256 8e0a2f6b7101e8caa61a59af4fdfc5b5629b8eac3a9aafcc1d0c8e56b4ddad15
  • video.apk: MD5 f6ad9ced69913916038f5bb94433848d, SHA256 4c7c0bd7ed69614cb58908d6a28d2aa5eeaac2ad6d03cbcad1a9d01f28a14ab9

The three APKs are almost identical: they share the same certificate and much more (I will cover the differences later). I started by having a look at the first sample, 10859e82697955eb2561822e14460463; this is the content of its AndroidManifest.xml file:

Is Android malware served in theatres more sophisticated?

09 Jan 2014 Felix Leder android apk decompilation malware reverse-engineering sandbox-evasion thug

Pietro wrote a nice post about finding Android malware while visiting the theatre. Thanks to Thug (thank you Angelo) and HoneyProxy, he was able to get some interesting details about its infrastructure. I was curious what kind of malware you find in a theatre, so I quickly looked at one of the samples he mentioned: f6ad9ced69913916038f5bb94433848d.

Virus Total already provides some nice information for Android.

The SEND_SMS permission already gives a solid hint that this application is probably sending messages to premium numbers. But why would the app also need the RECEIVE_SMS permission? That sparked my interest to take it apart completely. So I dug out dex2jar and jad and decompiled it. Yes, I know, there are better tools out there, but I'm old (school). I even use Emacs for browsing the decompiled code ;) For those who like to have other tools mentioned, I'll put some at the end of the post (please send me suggestions if you have more worth mentioning).

Malware-serving theaters for your android phones - Part 1

07 Jan 2014 Pietro Delsante android apk exploit malware thug

Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall the address very well, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater's official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player. I laughed loudly and showed it to my (again, totally non-nerd) friends, saying that the site had been owned. One of them went on and opened the site with her own phone (Samsung Galaxy S Advance with Android 4.4.1 and the default Android WebKit browser). To make a long story short, after a few instants her phone was downloading a file without even asking her for confirmation. So: Chrome on my Nexus 4 was being served social engineering to have me click on a link and manually download the file; Android's WebKit on her Galaxy S Advance was instead downloading the file straight away: interesting! However, we were a bit late and had to run for the comedy, so I did not even bother to see what the heck she had downloaded; I only made sure she hadn't opened it. I thought it was just the usual exploit kit trying to infect PCs by serving fake Flash Player updates; I have seen tons of those. While waiting for the comedy to begin, I quickly submitted the compromised site to three different services, the first three that came to my mind: HoneyProxy Client, Wepawet and Unmask Parasites, then turned off my phone and enjoyed the show.

2014 Honeynet Project Security Workshop in Warsaw!

02 Jan 2014 Julia Yuchin Cheng workshop

The Honeynet Project would like to cordially invite you to attend the 2014 Honeynet Project Security Workshop, held at the Adgar Plaza Conference Center in Warsaw, Poland from 12-14 May 2014. The workshop is organized by The Honeynet Project in coordination with CERT Polska under NASK. Interested in sponsoring the workshop? Download the workshop brochure now!

Each year, the workshop brings together experts in the field of information security from around the world to share the latest advances and threats in information security research. The 2014 workshop will include two days of plenaries along with live demonstrations, as well as an additional day of hands-on training sessions. This year’s plenaries feature some great researchers and world-class speakers from The Honeynet Project, including Raffael Marty (security visualization), Anton Chuvakin (PCI DSS), David Watson (honeynet/honeypot), Felix Leder (malware analysis), Tillmann Werner (botnet takedown), Brian Hay (virtualization security), Christian Seifert (web security), and Mahmud Ab Rahman (mobile malware). Attendees will also be able to register for training sessions led by many of these experts where they can learn new skills through practical hands-on training sessions.

SHIVA (Spam Honeypot with Intelligent Virtual Analyzer)

25 Nov 2013 Angelo Dellaera

SHIVA (Spam Honeypot with Intelligent Virtual Analyzer) is an open-source, high-interaction spam honeypot developed in Python 2.7 and released under the GNU GPL v3.

SHIVA provides the capability of collecting and analyzing all spam thrown at it. Analysis of the captured data can be used to get information on phishing attacks, scamming campaigns, malware campaigns, spam botnets, spammers' identities, etc. The following features describe the functionality of SHIVA:

  • Intelligence: A lot of research has been done to develop SHIVA and to counter the techniques used by spammers. SHIVA uses many counter-techniques and workarounds to pose as an authentic open-relay SMTP host. These techniques have been researched and deduced from spam analyzed by SHIVA and from the spammers themselves.

New project CEO

07 Oct 2013 Leon van der Eijk project-news

Last week it was announced that Angelo Dell'Aera has been elected as our new CEO. Here is a brief description of Angelo.

Angelo Dell'Aera is currently employed as Information Security Officer at the International Fund for Agricultural Development (IFAD), a specialized agency of the United Nations. He is currently Chief Executive Officer of The Honeynet Project and leads the Sysenter Honeynet Project Chapter. His interests are mainly related to botnet tracking, honeyclient technologies and malware analysis. Angelo started working as an independent researcher in networking and security in 1998, focusing on both attack and defense techniques, mainly on *NIX platforms. Meanwhile he worked as a researcher at Politecnico of Bari until June 2004, where his main research topic was TCP congestion control algorithms. His research led to the design of the TCP Westwood+ algorithm and the implementation of its support in the official Linux kernel. He is the lead developer of the low-interaction honeyclient Thug.

Hide and go seek, not hide and go tweak

31 Jul 2013 David Dittrich active-response-continuum ethics humanitarian-law improper-ruse law-of-war tallinn-manual

On July 31, 2013, Jason Geffner of CrowdStrike discussed a new tool called “Tortilla” that allows incident responders and computer security researchers to hide behind the Tor network as they poke and prod malicious software infrastructure. Were I there, I would have asked Jason this question: What things should I not do while using Tortilla, and why shouldn’t I do them? I know Jason and respect his technical skills, but if he and CrowdStrike don’t have a good answer, that will say a lot about our field’s collective ability to reason about actions along the Active Response Continuum. [D. Dittrich and K. E. Himma. Active Response to Computer Intrusions. Chapter 182 in Vol. III, Handbook of Information Security, 2005. http://ssrn.com/abstract=790585.]

MalwareZ: visualizing malware activity on earth map

30 Jul 2013 Oguz Yarimtepe gsoc

MalwareZ is a visualization project that was started as a YakindanEgitim (YE) project. YE is a startup in which some colleagues and I mentor young people on specific projects, remotely. It is announced as a local fork of Google Summer of Code, except that neither mentors nor mentees are paid.

Gürcan Gerçek was the main developer for the MalwareZ project and my role was mentoring him.

The MalwareZ project idea arose from a 2011 GSoC project idea, whose aim was to generate 3D visualizations of malware activity with heatmap mesh grids. That project had not been edited in a while and never became more usable, so its idea was reused instead.