As the first half of the HP summer of code has passed, I’d like to give a short update on the current status of the Ghost USB honeypot.

While Ghost has been able to report possible infections with USB malware by means of an emulated USB flash drive before, it is now able to collect information about the process that writes data to the bait device. This information includes the process ID and a list of all modules (i.e. executables, such as EXE and DLL files) that are currently loaded into the process. We extract the data directly from the kernel’s internal structures, so it will be hard for malware to shield it from the honeypot. Knowing the process that the malware resides in is interesting for analysis, and having a list of modules that the process uses can give us a hint as to where the malicious code is stored on disk.

At the middle of GSoC 2012, we are happy and proud to release a beta version of HoneyProxy, a lightweight tool that allows live HTTP and HTTPS traffic inspection and analysis.

Unlike other network tools like WireShark that display flow packet by packet, HoneyProxy only displays application layer data. Web objects then can be viewed through a browser.

HoneyProxy can be installed on a gateway or a bridge between analyzed computers and external networks like Internet, or on a Host to analyze HTTP/S connections from/to a Virtual Machine. It is intended to be used for malware analysis or network forensics/investigation.

With the marking of the mid-term milestone in GSoC 2012, we’re happy to announce a first version release of AfterGlow Cloud. After a lot of discussions and review the project seems to be in a good position for an initial release. The project in essential is based on AfterGlow [1], a security visualization tool which facilitates generating visual graphs from data you upload. The tool described at [1] is originally command-line based, the aim of this project, in general is to bring this tool and its options to the cloud – so as to provide a neat interface for on-the-fly visualizations.

In this post I’d like to describe some aspects of the communication between kernel and user mode in the Ghost USB honeypot. More specifically, I’ll focus on how to realize blocking communication with the Windows Driver Frameworks (WDF).

Ghost consists of a kernel-mode component that does the main work of emulating a USB flash drive and listening for attempts to write data to the device, and there is a user-mode component that allows the user to control the honeypot and to view the results. Now we want the (kernel-mode) driver to communicate any results to the (user-mode) frontend as soon as they’re available. Unfortunately, there is no convenient way to call user-mode code from kernel space. So the frontend has to ask for the information.

Folks,
the submission deadline for the Forensic Challenge 11 “Dive Into Exploit” created by Georg Wicherski from Giraffe Chapter has passed.

We have received 2 good submissions and will be announcing results before the end of July. Without doubt, this challenge was one of the most difficult ones the Honeynet Project provided in the last years so we are really glad about the submitted solutions which seems really high-level at a first glance.

Another Monday has been and gone (on this side of the world at least). I thought I’d sit down again and share some of the interestingness (yes, that’s a word now) that came through my various news feeds over the course of the weekend. I’m hoping this week will be a little less malware focused, but I can’t make any promises.

news.source == “twitter”

@mboman: New blog post: MART - Malware Analyst Research Toolkit: Cuckoo Sandbox:
When I analyze potentially malicious so…

Before we released the Ghost USB honeypot as open source software, we had quite some trouble to apply the GPL to our case. Since there wasn’t much information available for the very particular case of using the GPL for a Windows driver, I’ll discuss our issues and solutions in this article. This might not directly be applicable to other software, but it should provide the reader with general insights and will hopefully help people to sort out similar problems in the future.

Good evening/morning folks.

It’s been fairly busy here at HNP HQ for a number of reasons. That said, there were a number of interesting articles over the weekend I thought I’d hilight here for your reading pleasure. This week seems to be a week of malware so we will stick with that theme.

STORIES ABOUT BOTNETS - PART 1

Malware Hunting with the Sysinternals Tools (video)

Obfuscation #2: Playing entrypoint hide & seek game with dyld

I’m very pleased to announce that we have released the first public version of the Ghost USB honeypot.

Ghost is a honeypot for malware that uses USB storage devices for propagation. It is able to capture such malware without any further knowledge - especially, it doesn’t need signatures or the like to accomplish its task.

Detection is achieved by emulating a USB flash drive on Windows systems and observing the emulated device. The assumption is that on an infected machine the malware will eventually copy itself to the removable device.

Taking a look at the submissions we realized that… mmh no submissions at all… We already knew that solving this challenge requires high skills but it seems like more time is needed in order to solve the Forensic Challenge 11 - “Dive Into Exploit”. For this reason we decided to extend the submission deadline to 2012, July 1st.

Have fun (and don’t be shy)!

Angelo Dell’Aera
The Honeynet Project