Identifying unknown files by using fuzzy hashing

14 Feb 2012 Leon van der Eijk fuzzy-hashing

Identifying unknown files by using fuzzy hashing

Over the last couple of years I have captured about 2 gigabytes of malware using the Dionaea honeypot. Analysing and identifying those files can mostly be done by sites as Virustotal, Anubis or CWsandbox. By modifying the ihandler section in the dionaea.conf this can be done fully automated.
Every now and then even these excellent analysis sites come up with nothing. No result or whatsoever. This could be because its a brand new sample of malware which simply isn’t recognised yet or it is a morphed sample of a known and existing one.

Malwr.com: powered by Cuckoo

25 Jan 2012 Guillaume Arcas gsoc malware-sandbox-cuckoo

We are proud and happy to announce that a new free malware analysis online service is born.

Malwr.com is based on Cuckoo Sandbox, a project mentored by the Honeynet Project, sponsored by GSoC and developped by Claudio “nex” Guarnieri (@botherder), Dario Fernandes and Alessandro “jekil” Tanasi (@jekil). Malwr.com hosting is provided by ShadowServer.

If you want to test Cuckoo’s flavor before installing it or if you’re too lazy to deploy your own sandbox, just go there ! :-)

2012 Honeynet Project Security Workshop @ Facebook, Inc. - SF Bay Area, CA, USA - March 19th/20th 2012

24 Jan 2012 Christian Seifert workshop facebook


The Honeynet Project will hold its 2nd public security workshop at Facebook, Inc. in the San Francisco Bay Area. The workshop is going to be a two day event filled with technical presentations and hands-on tutorial training. On day 1 of the workshop, Honeynet Project members and Facebook will present on a wide range of information security topics: from honeypots and social networks to cybercrime and mobile malware. Day 2 will be a day of hands-on tutorial training. Our members will teach a total of 8 courses in forensics, honeypots, and visualization. For those who want to further hone their skills in a competitive setting, we will also host a capture-the-flag event on day 2.

Cuckoo 0.3.1 released

03 Jan 2012 Guillaume Arcas cuckoo-sandbox-malware-analysis

Cuckoo Sandbox 0.3.1 has been released.

The most interesting improvements include:

  • Extensive book guiding from setup to customization.

  • Improved analysis results processing engine.

  • Modular reporting engine with default HTML, TXT and JSON reports being generated.

  • Minimal web server/interface that allows you to browse, search and view HTML reports.

  • Introduction of support to URL submission.

  • UDP connections extraction.

  • A cool new logo. :-)

  • A lot of other things you can find listed in the CHANGELOG file.

HoneySpider Network Capture-HPC NG is out!

07 Dec 2011 Guillaume Arcas capture-hpc-honeyclient-honeyspider

Client honeypots are tools that actively search servers for malicious data like malware, exploits, malicious PDF files, etc.

The Polish Chapter just released a new version of Capture-HPC originally developed by Christian Seifert and Ramon Steenson of the New Zealand Chapter. Capture-HPC focuses primarily on attacks against, or involving the use of, Web browsers.

It is available for download as binary Debian package on Polish Chapter webpage:
http://pl.honeynet.org

Source code is made available via github:
git://github.com/cert-pl/HSN-Capture-HPC-NG.git

A new Cuckoo hatched his egg!

25 Nov 2011 Guillaume Arcas dynamic-malware-analysis-virtuaization-cuckoo-gsoc

Overview

Cuckoo Sandbox is an Open Source automated dynamic malware analysis system designed to analyze and report on suspicious files.
Cuckoo started as a Google Summer of Code project in 2010 within The Honeynet Project. It was designed and developed by Claudio Guarnieri who still maintains the project and lead its development efforts.

Cuckoo has been selected again this year for Google Summer of Code 2011 with The Honeynet Project and with Dario Fernandes who joined the team. The work being done in the last months lead to the release of the 0.2 version.

WireShnork - A Snort plugin for Wireshark

17 Nov 2011 Guillaume Arcas forensics gsoc snort wireshark wireshnork

GSoC 2011 #8 project’s goal was to add forensics features to the popular Wireshark network analyzer.

Overview

Wireshark is an open source network analyzer widely used for network debugging as well as security analysis. Wireshark provides network analyzer with graphical interface as well as command line tools. Wireshark also provides network protocol decoders and support filters that allow to search through packets with keywords.

GSoC plugins extend Wireshark capabilities when Wireshark is used to analyze network traffic with security and forensic in mind.

Android Reverse Engineering (A.R.E.) Virtual Machine available for download now!

01 Nov 2011 Christian Seifert android

The Honeynet Project is happy to announce the release of the Android Reverse Engineering (A.R.E.) Virtual Machine.

Do you need to analyze a piece of Android malware, but dont have all your analysis tools at hand? The Android Reverse Engineering (A.R.E.) Virtual Machine, put together by Anthony Desnos from our French chapter, is here to help. A.R.E. combines the latest Android malware analysis tools in a readily accessible toolbox.

Tools currently found on A.R.E. are: