MalwareZ is a visualization project that is started as a YakindanEgitim (YE) project. YE is a startup that me and some collegues mentor young people on specific projects, remotely. It is announced as a local fork of Google Summer of Code, except neither mentors nor mentees are paid.

Gürcan Gerçek was the main developer for the MalwareZ project and my role was mentoring him.

MalwareZ project idea arose from the 2011 GSoC project idea. The aim was to generate 3D visualizations of malware visualizations with heatmap mesh grids. It has been a while since the project is not edited and become more usable so the idea is used instead.

To have a better visibility of this years GSoC projects we have created a blog for the students and their mentors. This blog is the place where students should post weekly updates about their progress. It is also the place where students and mentors can share their findings and experiences about and during the GSoC projects as they happen. The first updates have already started to drip in and it is getting interesting.

Two years are passed from the first commit and taking a look at the number of committed patches I realized that right now the patch number 1000 was committed. Let me say it’s really impressive realizing it. In the last two years I had a lot of fun thinking and designing the future of this project and I’m really proud of what Thug turned to be. I have to thank a lot of persons who contributed with their suggestions, ideas, bug reports and sometimes patches. You know who you are. Really thanks! Stay tuned because I’m already moving towards patch number 2000 with a lot of new features and ideas like the Thug Honeyclient Distributed Task Queing.

Howdy all,
I’ve the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby.

Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed. However, static binary analysis and system behavior analysis will be shortly introduced in further versions.
Dorothy is a multi-thread framework: it is able to execute as many concurrent analysis processes as the number of the VMs present in vSphere. So if you have 5 VMs for example, 5 binaries will be analyzed at time, by giving you 5 different output folders containing their network traffic and screenshots accordingly.
It is a very modular framework, and customizing/extending it can be very easy.

After a pretty hectic few weeks of student application review, setting and scoring coding challenges, and assessing proposals, mentoring organizations participating in GSoC 2013 had to confirm their student slot allocations and final short list of preferred candidates by Friday May 24th at 19:00 UTC. This is always one of the most difficult periods for us, with many tough decisions required trying to balance the best mix of students/projects/mentors into a limited number of student slots. It is always less that we would ideally like, making it impossible to keep everyone happy, and often pretty challenging. This year was no different, with a lot of late nights and last minute debate.

[This post expresses the personal opinion of the author and is not an official statement representing the Honeynet Project.]

At the AusCERT 2013 conference, Dmitri Alperovich called for debate about, “the kinds of actions that infosec professionals are allowed to take against attackers.” I agree with Dmitri, and in fact I made the same call, at the same conference on May 23, 2005! (AusCERT invited me to speak on an emerging topic and I chose to speak for the first time publicly at AusCERT 2005 about the Active Response Continuum research I had been doing with funding from Cisco.) As one of the world’s foremost experts on this topic, with over two decades of security operations experience, I welcome Dmitri to the debate. :)

We proudly announce the first release of our Industrial Control System honeypot named Conpot.

Until now setting up an ICS honeypot required substantial manual work, real systems which are usually either inaccessible or expensive and lecture of quite tedious protocol specifications. With implementing a master server for a larger set of common industrial communication protocols and virtual slaves which are easy to configure, we provide an easy entry into the analysis of threats against industrial infrastructures and control systems.

Having being very pleased to be accepted once again by Google as one of the lucky mentoring organization for GSoC 2013, we had eagerly awaited the student application period starting and the excitement (and occasional drama) that always brings. Once again we were not disappointed, with a steady stream of students getting in touch with us via our public mailing list or IRC channel (#gsoc-honeynet on irc.freenode.net) and exploring project ideas with us.

Google had made a number of changes to the usual process for GSoC 2013, including moving the program start date (and therefore also the student application period) backwards by about a month, and reducing the number of individual student applications to a maximum of five per student. These changes were likely to make the program more attractive to European students (who generally have later summer holidays), and also hopefully reduce the amount of last minute spam applications by encouraging more detailed proposal writing.

With less that 24 hours now remaining until the official deadline for Google Summer of Code (GSoC) 2013 student applications (19:00 UTC Friday May 3rd 2013), this is our final call for interested and eligible GSoC students. If you are interested or intend to get involved, please apply now.

For anyone new to the GSoC program, or anyone who has already talked to us on IRC (#gsoc-honeynet on irc.freenode.net) or on our public GSoC mailing list, please remember that you must still submit your student application the Google’s official GSoC 2013 form in Melange for it to be official.

As you may know, the annual workshop is a key event to bring together top information security experts from around the globe to present their research efforts as well as discuss insights and strategies to combat new emerging threats. The annual workshop held in February or March every year is a five-­days event including a one-­day briefing, two-­days of hands-­on training open to public and two-­days of private meetings by invitation only. Past annual workshops have been held at government, university and private company venues in Dubai (2013), San Francisco (2012), Paris (2011), Mexico City (2010) and Kuala Lumpur (2009), attracting more than 400 participants from around the world.