TraceExploit

01 Aug 2010 Yongchuan Koh exploit format protocol replay
The first part of the format discovery is 90% complete. The program is now able to tokenize the sample packets and sort them into clusters according to token pattern. The structure for a token looks like this:

```c
// definition of a node for initial tokenization
struct sToken {
    struct inferProperty*       sProperty;
    struct inferSemantic*       sSemantic;
    struct formatDistinguisher* sFD;
    struct sToken*              next;
};

struct inferProperty {
    char szType[4]; // "s-c/c-s" / "bin" / "txt"
    // remaining members are not included in this excerpt
};
```

The winners of the 4th Forensic Challenge 2010 VoIP are ...

24 Jul 2010 Christian Seifert challenge forensic-challenge
The 4th Forensic Challenge on VoIP has come to an end. We had a total of 21 submissions, with several submissions from Chinese speakers, which was made possible by Julia, Jianwei and Roland from the Chinese-speaking chapters. The winners of the 4th Forensic Challenge 2010 VoIP are: Franck Guenichot (France), Fabio Panigatti (Italy) and Shaun Zinck (USA). We have posted their submissions on the challenge web site so you can see what top-notch submissions they provided.

Forensic Challenge 2010/4 - VoIP - 4 days left!

26 Jun 2010 Christian Seifert challenge forensic-challenge
Folks, the submission deadline for our Forensic Challenge 4 - VoIP is quickly approaching. The deadline is this Wednesday, so you have another 4 days to submit your solution. The challenge is quite different from our previous challenges. It was provided by Ben Reardon from the Australian Chapter and Sjur Eivind Usken from the Norwegian Chapter, and takes you into the realm of voice communication on the Internet. Thanks to our Chinese-speaking chapters, it is also available in simplified Chinese and traditional Chinese.

The Honeynet Project Forensic Challenge Chinese Edition Launches

02 Jun 2010 Roland Cheung challenge forensic-challenge hong-kong traditional-chinese
The Honeynet Project is an internationally renowned open-source information security research team devoted to improving the security of the Internet. The Forensic Challenge is an important project that The Honeynet Project offers to the security community. Its purpose is to give the security community the opportunity to analyze real attacks captured on the Internet and to share their findings. By taking part in the Forensic Challenge, security professionals and teams not only learn about the latest Internet security threats, but also learn how to analyze them; better still, they can learn new tools and techniques for analyzing attacks from the results and methods of other submitters. Best of all, the attacks in the Forensic Challenge are all real attacks captured in the wild on the Internet by our members. After successfully running the Scan of the Month forensic challenges a few years ago, The Honeynet Project restarted the Forensic Challenge project in 2010, covering a series of attack scenarios including server-side attacks against the latest operating systems and services, client-side attacks, VoIP attacks and web application attacks. The Forensic Challenge welcomes active participation from the security community, and prizes will be sent to the best three submissions. Our members will also provide a sample solution that analyzes the challenge content with the latest publicly available tools. However, perhaps because of the language barrier, the Chinese-speaking security community has rarely participated in The Honeynet Project's Forensic Challenge. Following The Honeynet Project annual meeting in Mexico, our chapters from the Chinese-speaking world (Julia Cheng of the Taiwan Chapter, Jianwei Zhuge of the Mainland China Chapter, Roland Cheung of the Hong Kong Chapter and Eugene Teo of the Singapore Chapter) will jointly launch the Chinese edition of The Honeynet Project Forensic Challenge. It runs in parallel with the English edition on the same schedule, provides the challenge content in both simplified and traditional Chinese, and accepts submissions written in Chinese (although we still recommend that security professionals in the Chinese-speaking world participate in The Honeynet Project Forensic Challenge in English). We will also select the best Chinese submission and award a prize for it. We hope this opportunity will encourage security professionals in the Chinese-speaking world to participate more actively in the activities of The Honeynet Project and the global open-source security community, and to gain more from them. The fourth challenge of 2010 (the first in the Chinese edition) was published on our Forensic Challenge website on June 1. Submissions will be accepted for one month; the submission deadline is 23:59 Hong Kong time on June 30, 2010. We expect to publish the results on July 21, 2010. The Honeynet Project will award the best three English submissions as well as the best Chinese submission. We look forward to participation from Hong Kong and the Chinese-speaking world. Thank you!

The Honeynet Project Forensic Challenge Chinese Edition Launches: Security Professionals in the Chinese-Speaking World Are Welcome to Participate

02 Jun 2010 Jianwei Zhuge challenge forensic-challenge simpilified-chinese
The Honeynet Project is an internationally renowned open-source information security research team devoted to improving the security of the Internet. The Forensic Challenge is an important project that The Honeynet Project offers to the security community. Its purpose is to give the security community the opportunity to analyze real attacks captured on the Internet and to share their findings. By taking part in the Forensic Challenge, security professionals and teams not only learn about the latest Internet security threats, but also learn how to analyze them; better still, they can learn new tools and techniques for analyzing attacks from the results and methods of other submitters. Best of all, the attacks in the Forensic Challenge are all real attacks captured in the wild on the Internet by our members. After successfully running the Scan of the Month forensic challenges a few years ago, The Honeynet Project restarted the Forensic Challenge project in 2010, covering a series of attack scenarios including server-side attacks against the latest operating systems and services, client-side attacks, VoIP attacks and web application attacks. The Forensic Challenge welcomes active participation from the security community, and prizes will be sent to the top 3 submissions. Our members will also provide a sample solution that analyzes the challenge content with the latest publicly available tools. However, perhaps because of the language barrier, the Chinese-speaking security community has rarely participated in The Honeynet Project's Forensic Challenge. Following The Honeynet Project annual meeting in Mexico, our chapters from the Chinese-speaking world (initiators: Julia Cheng of the Taiwan Chapter, Jianwei Zhuge of the Mainland China Chapter and Roland Cheung of the Hong Kong Chapter) will jointly launch the Chinese edition of The Honeynet Project Forensic Challenge. It runs in parallel with the English edition on the same schedule, provides the challenge content in both simplified and traditional Chinese, and accepts submissions written in Chinese (although we still recommend that security professionals in the Chinese-speaking world participate in The Honeynet Project Forensic Challenge in English). We will also select the best Chinese submission and award a prize for it. We hope this opportunity will encourage security professionals in the Chinese-speaking world to participate more actively in the activities of The Honeynet Project and the global open-source security community, and to gain more from them. The fourth challenge of 2010, VoIP (the first in the Chinese edition), was provided by Ben Reardon of the Australian Chapter and Sjur Eivind Usken of the Norwegian Chapter, and takes you into the world of voice communication on the Internet. The challenge was published on our Forensic Challenge website on June 1. Submissions will be accepted for one month; the submission deadline is 23:59 Beijing time on June 30, 2010. We expect to publish the results on July 21, 2010. The Honeynet Project will award the best three English submissions as well as the best Chinese submission. We look forward to your participation. Thank you!

Waledac's Anti-Debugging Tricks

24 May 2010 Tillmann Werner anti-debugging malware waledac
The last spreading malware version of Waledac, a notorious spamming botnet that was taken down in a collaborative effort led by Microsoft earlier this year, contained some neat anti-debugging tricks intended to make reverse engineering more difficult. Felix Leder and I presented the approach at SIGINT 2010 in Cologne yesterday, and as the method does not seem to be publicly known yet, I will quickly describe it here as well.

How can we improve the Forensic Challenge?

30 Apr 2010 Christian Seifert challenge forensic-challenge
Folks, the submission deadline for the Forensic Challenge 3 – “Banking Troubles” has passed. We received 22 submissions and will announce the results on Wednesday, May 12th 2010. With the 3rd challenge coming to an end, we would love to get your feedback on the challenges: Which challenge did you enjoy in particular, and why? Do you have any suggestions on how to improve the challenges? Is there a particular challenge you would like to see in the future?

A Breeze of Storm

28 Apr 2010 Felix Leder storm-worm stormfucker
Today, Steven Adair from Shadowserver informed us about a new piece of malware that looks like a new version of the infamous Storm Worm. Storm was one of the first serious peer-to-peer botnets; it was sending out spam for more than two years until its decline in late 2008. Mark Schloesser, Tillmann Werner, Georg Wicherski, and I did some work on how to take down Storm back then ([Stormfucker](http://www.h-online.com/security/news/item/Storm-Worm-botnet-cracked-wide-open-739607.html)), so the rumors about a new version caught our interest.

GSoC 2010 Student Selection is Public

26 Apr 2010 David Watson gsoc
After a few slow days for student applicants everywhere, and some difficult decisions on the final slot allocations for our mentors, the long wait is finally over and the GSoC 2010 official student selections are public. The Honeynet Project is very excited to have received 17 GSoC slots this year (up from 9 last year), so many thanks to Google for their fantastic support again this year. We hope that this summer will see significant development on both low- and high-interaction honeypots, as well as on supporting tools.