Forensic Challenge 9 - "Mobile Malware" - Submission deadline passed

01 Oct 2011 Angelo Dellaera challenge forensic-challenge

Folks,
the submission deadline for the Forensic Challenge 9 – “Mobile Malware” – put up by Franck Guenichot from the French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Chapter and Matt Erasmus from the South Africa Chapter – has passed. We have received 7 submissions and will be announcing the results on Wed, Oct 31st 2011. The top three submissions will be awarded small prizes.

Angelo Dell’Aera
The Honeynet Project

SIP Module for Dionaea

27 Sep 2011 Guillaume Arcas gsoc

The Honeynet Project has mentored 12 projects this year for the Google Summer
of Code (GSoC). The 11th project was to extend the SIP module for
Dionaea to handle SIP over UDP, TCP and even TLS. With the TLS support,
Dionaea can even emulate a Microsoft Lync server. The TLS part was not
part of the original scope, but hard work made that possible as
well!

[Dionaea]’s intention is to trap malware
exploiting vulnerabilities exposed by services offered to a network;
the ultimate goal is gaining a copy of the malware. With the SIP
module, you can answer SIP attacks and record the information. It is
also possible to create “real” users, so the attacker will get different
answers depending on which accounts he tries to hack. If you were to
fake a Microsoft Lync installation, you could add some of the real
user names from your server and see if somebody is doing a targeted
attack against you (but of course, don’t use the same passwords…).
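The per-account behaviour described above (log every attempt, answer known accounts with an authentication challenge and unknown ones with "not found") can be modelled in a few dozen lines. The following is an added illustration written for this page, not Dionaea's own SIP module code; FAKE_USERS, REALM and SAMPLE_REGISTER are constructed sample data, and the status codes chosen for each case are an assumption about what a real PBX would answer.

```python
"""Minimal model of how a SIP honeypot can answer REGISTER attempts per account.

Added example for illustration; this is NOT Dionaea's SIP module code.  It
parses a SIP request, records the attempt as a log record, and answers
differently for accounts that "exist" (401 challenge) and accounts that do
not (404), so an attacker enumerating users gets distinguishable replies.
FAKE_USERS, REALM and SAMPLE_REGISTER are constructed sample data.
"""
import hashlib
import os
import re
from datetime import datetime, timezone

# Accounts the honeypot pretends to host (constructed; never reuse real credentials).
FAKE_USERS = {"alice", "bob"}
REALM = "lync.example.internal"  # assumed realm string for the challenge

REQUEST_LINE = re.compile(r"^([A-Z]+) (sip:\S+) SIP/2\.0$")
# Headers that a SIP response copies back from the request, with canonical names.
ECHO_HEADERS = (("via", "Via"), ("from", "From"), ("to", "To"),
                ("call-id", "Call-ID"), ("cseq", "CSeq"))


def parse_sip(raw: str) -> dict:
    """Split a SIP request into method, request-URI and lower-cased headers."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "uri": m.group(2), "headers": headers, "body": body}


def user_from_uri(value: str) -> str:
    """Return the user part of a To/From header such as '<sip:alice@host>'."""
    m = re.search(r"sip:([^@>;\s]+)@", value)
    return m.group(1) if m else ""


def digest_challenge(realm: str) -> str:
    """Build a WWW-Authenticate Digest header with a fresh random nonce."""
    nonce = hashlib.sha256(os.urandom(16)).hexdigest()[:32]
    return 'Digest realm="%s", nonce="%s", algorithm=MD5' % (realm, nonce)


def build_response(req: dict, status: int, reason: str, extra=()) -> str:
    """Assemble a SIP response that echoes the request's dialog headers."""
    lines = ["SIP/2.0 %d %s" % (status, reason)]
    for key, name in ECHO_HEADERS:
        if key in req["headers"]:
            lines.append("%s: %s" % (name, req["headers"][key]))
    lines.extend(extra)
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"


def handle_request(raw: str, users=FAKE_USERS, realm=REALM):
    """Return (response_text, log_record) for one incoming SIP request."""
    req = parse_sip(raw)
    h = req["headers"]
    user = user_from_uri(h.get("to", ""))
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "method": req["method"],
        "user": user,
        "user_agent": h.get("user-agent", ""),
        "via": h.get("via", ""),
        "has_auth": "authorization" in h,
    }
    if req["method"] != "REGISTER":
        record["status"] = 405
        return build_response(req, 405, "Method Not Allowed", ["Allow: REGISTER"]), record
    if user not in users:
        record["status"] = 404  # account does not exist on the fake PBX
        return build_response(req, 404, "Not Found"), record
    record["status"] = 401  # account exists: issue a Digest challenge
    extra = ["WWW-Authenticate: " + digest_challenge(realm)]
    return build_response(req, 401, "Unauthorized", extra), record


# Constructed sample REGISTER, the kind of message a scanner would send.
SAMPLE_REGISTER = (
    "REGISTER sip:lync.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@lync.example.internal>;tag=1\r\n"
    "To: <sip:alice@lync.example.internal>\r\n"
    "Call-ID: 1@203.0.113.5\r\n"
    "CSeq: 1 REGISTER\r\n"
    "User-Agent: example-scanner/1.0\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    response, record = handle_request(SAMPLE_REGISTER)
    print(response)
    print(record)
```

The log record is what makes the honeypot useful: which accounts were tried, from which Via address and with which User-Agent, and whether an Authorization header was ever presented, which is exactly the data that separates a blind scanner from a targeted attempt against names that only exist on your real server.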

HoneySink: Beta Release

11 Sep 2011 Shaun Vlassis beta gsoc honeypot honeysink sink sinkhole

The Beta version of HoneySink is out!

What is HoneySink?

HoneySink is an open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.

Able to be deployed both internally and externally, it is designed to log and respond to incoming requests for a number of network protocols.

With configuration and scalability in mind, HoneySink was designed from the ground up with a non-blocking architecture to handle extremely large amounts of traffic while being able to perform customised interactions and logging.

cuckooHide - Hiding CuckooBox from trivial detection mechanism

09 Sep 2011 Dario Fernandes

The last part of Google Summer of Code 2011 was used to implement
a Windows kernel driver responsible for hiding files and folders.
This new component will be used to conceal the Cuckoo Box components
present in the analysis environment. With this measure it is possible to
prevent malware from detecting CuckooBox through environment checks
that look for specific files or folders.

The driver was implemented as a filter driver to keep it independent
of the Windows version used in the environment; it does not use any kind
of hooking, which may cause problems across different versions of
Windows. The filter driver acts on file system IRP requests,
checking whether a process marked for monitoring is making requests that
involve opening a handle to, or searching for, any file or folder that must
be filtered.
If so, the response is changed, informing the process that the file or
folder doesn’t exist. The IRP requests filtered are IRP_MJ_CREATE,
IRP_MJ_QUERY_INFORMATION and IRP_MJ_DIRECTORY_CONTROL, which are the
ones most commonly used to search for files and open handles.
The processes and files inspected by the filter driver are passed in by a
user-land program, using the communication port created by the filter
driver. The only messages accepted are FileAdd and ProcAdd, which inform
the driver that a new file or folder must be filtered or that a new process
must be monitored.
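The filtering decisions described above (which process, which path, which of the three IRP major functions) can be reasoned about without a kernel. The following user-mode model is an added example written for this page, not the cuckooHide driver source: it accepts the two control messages the post names, applies them to the three request types, and shows the property that matters for a sandbox, namely that only monitored processes are lied to while the sandbox's own user-land agent still sees the real file system. The (kind, value) message shape, the case-insensitive prefix matching and the helper names are assumptions; the two NTSTATUS values are the real Windows constants.

```python
"""User-mode model of cuckooHide's filtering decisions.

Added example, not the project's driver source.  It reproduces the logic the
post describes so the behaviour can be exercised and tested: requests from
processes registered with ProcAdd that touch paths registered with FileAdd
are answered as if the object did not exist; every other process sees the
file system unchanged.  The message tuple shape, the case-insensitive
prefix matching and the method names are assumptions; the two NTSTATUS
values below are the real Windows constants.
"""
import ntpath

STATUS_SUCCESS = 0x00000000
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034


def _norm(path: str) -> str:
    """Case-fold and normalise separators the way NTFS path comparison does."""
    return ntpath.normcase(ntpath.normpath(path))


class HideFilter:
    """Decision logic for the three IRP major functions the driver filters."""

    def __init__(self):
        self.hidden = set()     # normalised paths registered via FileAdd
        self.monitored = set()  # PIDs registered via ProcAdd

    def handle_message(self, message):
        """Accept a (kind, value) message as received on the communication port."""
        kind, value = message
        if kind == "FileAdd":
            self.hidden.add(_norm(value))
        elif kind == "ProcAdd":
            self.monitored.add(int(value))
        else:
            raise ValueError("unsupported message: %r" % (kind,))

    def is_hidden(self, path: str) -> bool:
        """A path is hidden if it, or any parent folder of it, was registered."""
        p = _norm(path)
        return any(p == h or p.startswith(h + "\\") for h in self.hidden)

    def _filtered(self, pid: int, path: str) -> bool:
        # Only processes marked for monitoring ever get a modified answer.
        return pid in self.monitored and self.is_hidden(path)

    def irp_mj_create(self, pid: int, path: str) -> int:
        """Opening a handle: report the object as missing for filtered requests."""
        return STATUS_OBJECT_NAME_NOT_FOUND if self._filtered(pid, path) else STATUS_SUCCESS

    def irp_mj_query_information(self, pid: int, path: str) -> int:
        """Attribute queries get the same treatment as opens."""
        return STATUS_OBJECT_NAME_NOT_FOUND if self._filtered(pid, path) else STATUS_SUCCESS

    def irp_mj_directory_control(self, pid: int, directory: str, entries):
        """Directory enumeration: drop hidden entries from the returned listing."""
        if pid not in self.monitored:
            return list(entries)
        return [e for e in entries if not self.is_hidden(ntpath.join(directory, e))]


def demo():
    """Constructed scenario: PID 4242 is the analysed sample, PID 1000 is the agent."""
    f = HideFilter()
    for msg in [("FileAdd", "C:\\cuckoo"),
                ("FileAdd", "C:\\Windows\\System32\\cuckoohide.sys"),
                ("ProcAdd", 4242)]:
        f.handle_message(msg)
    root = ["cuckoo", "Windows", "Users"]
    return {
        "sample_create": f.irp_mj_create(4242, "C:\\cuckoo\\agent.py"),
        "sample_listing": f.irp_mj_directory_control(4242, "C:\\", root),
        "agent_create": f.irp_mj_create(1000, "C:\\cuckoo\\agent.py"),
        "agent_listing": f.irp_mj_directory_control(1000, "C:\\", root),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, hex(value) if isinstance(value, int) else value)
```

Two details are worth noting when thinking about the real driver: hiding a folder must also hide everything beneath it (otherwise a direct open of a known file name bypasses the listing filter), and the comparison has to be case-insensitive, because a sample can probe for `C:\CUCKOO` just as easily as for `C:\cuckoo`.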

DroidBox: beta release

02 Sep 2011 Patrik Lantz android droidbox dynamic-analysis sandbox

The beta version is out and the install instructions are available on the project web page. The new features are:

    • Prevent some emulator evasion techniques
    • Added visualization of analysis results
    • Automated app installation and execution
    • Displaying analysis information about the APK
    • Static pre-check extracts the app’s registered Intents

The following figures show the new visualization added to the beta version.

The image on the left is a PoC for classifying malware samples by their similarity. The second image should assist the analysis by showing in which order operations are performed. The timestamp is relative to the analysis start time, and the operation details can then be located in the analysis output.

Forensic Challenge 9 - "Mobile Malware" - Deadline Extended

01 Sep 2011 Angelo Dellaera challenge

Taking a look at the small number of submissions we received it seems like August is a perfect month for the seaside but not for a Forensic Challenge. For this reason we decided to extend the submission deadline to September 30th. The submissions received before the old deadline (September 4th) will be granted a few extra bonus points.

Have fun!

Angelo Dell’Aera
The Honeynet Project

Beta release of libemu qemu extension

30 Aug 2011 Florian Schmitt libemu qemu shellcode

As part of this year’s Summer of Code, I programmed an extension for the shellcode detection and analysis library libemu. The main goal of the project was to increase performance when executing shellcode, with the help of a virtualizer. Prior to this extension, libemu made use of a custom emulator, which supported only the instructions most commonly used in shellcode. With this extension, libemu utilizes a full-blown, completely functioning virtualizer, which presumably executes code the same way a real CPU does.

HoneyViz demo is out for your viewing pleasure

27 Aug 2011 Lucas Mcdaniel gsoc

We’ve set up a demonstration site for HoneyViz (Project #3) at

http://50.16.162.188:6174/

HoneyViz is an interactive Java applet which visualizes sensor data (similar to Project #4). The goal of this project has been to allow the end user to select a set of data that is of interest and generate a variety of useful visualizations based on this selection in real time.

The site offers some user-level documentation to explain how the tool works and provides suggestions for a few interesting visualizations we have found. However, the best way to become familiar with the tool is simply to play with it: select different sets of events, make menu or color changes, select regions on the map, etc.

APKInspector BETA Release & Demo Video

24 Aug 2011 Ryan W Smith analysis android apk demo gsoc tool video

As the GSoC deadline has passed, I would like to announce APKinspector Beta 1.0. APKinspector is a tool to help Android application analysts and reverse engineers analyze compiled Android packages and their corresponding code. You can review the Alpha version report and the project page to learn more about it.

Click the picture below to watch a full demonstration video of APKInspector:

Chinese viewers may view the demo at: http://v.youku.com/v_show/id_XMjk3ODAwMzU2.html

AxMock is released for your review

19 Aug 2011 Youzhi Bao capture-hpc gsoc-gsoc2011

We have set up a project on Google Code; you can browse AxMock at
http://code.google.com/p/axmock

AxMock is a detection tool for malicious web pages attacking ActiveX controls. It runs in Internet Explorer 7 and the formal version.

It has been tested with Visual Studio 2008 and Python 2.6 with the pywin32 package, though I believe that you can also compile it with later versions.

For more usage information, please check out the Wiki on the project’s Google Code page.