On Wednesday, March 21, 2012, an operation by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project was initiated to sinkhole infected computers in the Kelihos.B/Hlux.B botnet. The objective of this action was to remove from the attacker’s control all computers currently infected with the Kelihos.B/Hlux.B malware by poisoning the peer lists and routing tables in the lower layers of command and control. This will prevent the botnet operator from doing any more harm with this set of infected computers.

We are proud and happy to announce that Cuckoo Sandbox and AndroGuard were choosen by Rapid7 for his Magnificent7 Program, an initiative created to fuel the success of seven bleeding edge open source projects and backed by a fund of $100,000.

Cuckoo Sandbox and AndroGuard are respectively developped by Claudio Guarnieri and Anthony Desnos and mentored during previous GSoC.

Congratulations to Claudio and Anthony !

Rapid7 Sponsors Androguard and Cuckoo Sandbox in the First Round of the Magnificent7 Program
Cuckoo Sandbox
AndroGuard

On Sunday, March 25, Microsoft announced that for the fourth time, they had gone to a federal court and successfully obtained an ex parte temporary restraining order (TRO) to seize domain names from botnet operators. For the second time, the court has also ordered U.S. Marshals to accompany Microsoft and others to serve search warrants and seize evidence that can be used in future civil or criminal actions. Critics of earlier such actions who decried them as “vigilantism”, said this was an incomplete takedown of the entire population of Zeus botnets, or had little impact on delivery of spam after a takedown, do not understand some subtle points about these actions. And they fail to learn some lessons from them.

I am pleased to announce a new forensic challenge: Forensic Challenge 11 - “Dive Into Exploit”

The challenge has been created by Georg Wicherski from Giraffe Chapter.

Submission deadline is May 31th and we will be announcing winners (if any) around the last week of June 2012.

Have fun!

Angelo Dell’Aera
The Honeynet Project

I’m glad to announce I finally publicly released a brand new low-interaction honeyclient I’m working on from a few months now. The project name is Thug and it was publicly presented a few hours ago during the Honeynet Project Security Workshop in Facebook HQ in Menlo Park. Please take a look at the (attached) presentation for details about Thug.

Just a few highlights about Thug:

• DOM (almost) compliant with W3C DOM Core and HTML specifications (Level 1, 2 and partially 3) and partially compliant with W3C DOM Events and Style specifications

We have just been notified by Google that the Honeynet Project has - once again - been accepted as one of the mentoring organization for Google Summer of Code 2012 (in total 180 organizations were selected). We are very excited and are looking forward to a great summer! Already a big thank you to Google for their continued support!

While student applications are not officially open yet, interested students are encouraged to check out our ideas page and get in contact with us via [email protected] and/or IRC (#gsoc2012-honeynet on irc.freenode.net) in the next few ideas to meet the mentors and discuss project ideas. Student applications officially open on March 26th 2012 and close on April 6th 2012.

Frasier, who participated in our recent visualization forensic challenge has released his visualization tool WoLF Viz at http://code.google.com/p/wolf-viz/. WoLF Viz works by parsing arbitrary text log files into a network (graph) of words, where the words are nodes and the edges are adjacent word pairs. The edge weights are based on how often the two words are seen next to each other. It then draws a map of log file, looking at each word-pair as it moves through the log file, using colours to represent the edge weights of each word-pair. Finally, it draws the selected log file text on top of the edge map and uses transparency to switch between views. . A demo can be found at http://3a29.net. Its pretty neat! Great work Frasier!

Early bird registration to our 2012 Honeynet Project Security Workshop ends today. The workshop will be held at the Facebook offices in the SF Bay Area. Secure your spot today for the workshop or one of the eleven hands-on training sessions we are offering. You can check out the agenda and training sessions at https://honeynet.org/SecurityWorkshops/2012_SF_Bay_Area.

Hope to see you there!

Christian Seifert
CEO, The Honeynet Project

While the quantity of submissions for FC10 was lower than usual - we had expected this because of the amount of work required to submit plus being over the Christmas break - the quality of the solutions was really inspiring.

Of course the hardest part was deciding the winners, and as expected the traditional scoring method was not ideal for this type of challenge because the challenge was about creating and developing ideas, rather than just answering a number of dry questions. Quite a few people people used the challenge not so much to win a prize, but to have fun, develop an idea they’ve had, practice on some real datasets, learn, and teach. This was exactly the spirit we’d hoped for, so thanks to everyone for putting in a big effort.

Identifying unknown files by using fuzzy hashing

Over the last couple of years I have captured about 2 gigabytes of malware using the Dionaea honeypot. Analysing and identifying those files can mostly be done by sites as Virustotal, Anubis or CWsandbox. By modifying the ihandler section in the dionaea.conf this can be done fully automated.
Every now and then even these excellent analysis sites come up with nothing. No result or whatsoever. This could be because its a brand new sample of malware which simply isn’t recognised yet or it is a morphed sample of a known and existing one.