The first part to the format discovery is 90% completed.
The program is now able to tokenize the sample packets and sort them to clusters according to token pattern.
The structure for a token looks like this:

// definition of a node for initial tokenization
struct sToken {
struct inferProperty* sProperty;
struct inferSemantic* sSemantic;
struct formatDistinguisher* sFD;
struct sToken* next;
};

struct inferProperty {
char szType[4]; //“s-c/c-s” / “bin” / “txt”
unsigned char* pValue; //value of token. Will include

The 4th Forensic Challenge on VoIP has come to an end. We had a total of 21 submissions with several submissions from Chinese speakers which has been made possible by Julia, Jianwei and Roland from the Chinese speaking chapters.

The winners of the 4th Forensic Challenge 2010 VoIP are:

1. Franck Guenichot (France)
2. Fabio Panigatti (Italy)
3. Shaun Zinck (USA)

We have posted their submissions onto the challenge web site so you can see what top notch submissions they provided. Franck, Fabio and Shaun will be awarded with small book prizes. Congratulations!

Folks, the submission deadline for our Forensic Challenge 4 - VoIP is quickly approaching. The deadline is this Wednesday and so you have another 4 days to submit your solution.

The challenge is quite different than our previous challenges. It was provided by Ben Reardon from the Australian and Sjur Eivind Usken from Norwegian Chapter - and takes you into the realm of voice communication on the Internet. Thanks to our Chinese speaking chapters, it is also available in simplified Chinese and traditional Chinese.

The Honeynet Project 是一個國際知名的開源資訊安全研究團隊，致力於提升Internet的安全。鑑識分析挑戰(Forensic Challenge)是 The Honeynet Project 向安全社區推出的一個重要專案，其目的是讓安全社區有機會能夠分析從 Internet 上捕獲的實際攻擊並分享他們的調查結果，通過參與鑑識分析挑戰，安全人士和團隊不僅可以瞭解最新的 Internet 安全威脅，也能學習到如何對它們進行分析，更好的是，他們還可以從其他提交者的分析結果和過程中，學習到分析攻擊的新工具和新技術。而最好的是，鑑識分析挑戰中的攻擊都是在我們的成員從 Internet 上野外捕獲到的真實攻擊。

The Honeynet Project 在幾年前成功舉辦Scan of the month 鑑識分析挑戰之後，在2010年開始重啟鑑識分析挑戰項 目，將包含對最新的作業系統和服務的伺服器端攻擊、用戶端攻擊、VoIP攻擊、Web應用攻擊等一系列的攻擊場景。鑑識分析挑戰歡迎安全社區人士積極參與，並將對最好的3個提交解答送出獎品。 我們的成員也將提供一份解答樣例，以公開的最新工具來分析挑戰內容。

然而可能由於語言壁壘的問題，華語世界安全社區很少參與到 The Honeynet Project 的鑑識分析挑戰中。在墨西哥的 The Honeynet Project 年會之後，我們來自華語世界的分支團隊（臺灣團隊的Julia Cheng，中國大陸團隊的諸葛建偉，香港團隊的Roland Cheung，新加坡團隊的Eugene Teo）將聯合推出The Honeynet Project鑑識分析挑戰中文版，與英文版採用同樣的時間安排並行，提供簡體中文版和繁體中文版的鑑識分析挑戰內容，也將接受以中文撰寫的提交解答（當然我們還是推薦華語世界的安全人士用英語參與 The Honeynet Project 鑑識分析挑戰），對中文提交的解答，我們也將評出最佳解答， 並提供獎勵。我們希望借此機會讓華語世界的安全人士更積極的參與 The Honeynet Project 以及世界開源安全社區的活動，獲得更多的收穫。

2010 年第四次挑戰（中文版的第一次）已於6月1日在我們的鑑識分析挑戰網站上發佈，我們將有1個月的時間接受提交解答，提交截止時間為香港時間 2010年6月30日23:59。我們預計將在2010年7月21日發佈結果，The Honeynet Project 將對最好的3個英文提交解答進行獎勵，也將對最好的中文提交解答進行獎勵。

期待香港及華語世界的人士參與，謝謝!

The Honeynet Project是一个国际知名的开源信息安全研究团队，致力于提升Internet的安全。取证分析挑战(Forensic Challenge)是The Honeynet Project向安全社区推出的一个重要项目，其目的是让安全社区有机会能够分析从Internet上捕获的实际攻击并分享他们的调查结果，通过参与取证分析挑战，安全人士和团队不仅可以了解最新的Internet安全威胁，也能学习到如何对它们进行分析，更好的是，他们还可以从其他提交者的分析结果和过程中，学习到分析攻击的新工具和新技术。而最好的是，取证分析挑战中的攻击都是在我们的成员从Internet上野外捕获到的真实攻击。

The Honeynet Project在几年前成功举办Scan of the month取证分析挑战之后，在2010年开始重启取证分析挑战项目，将包含对最新的操作系统和服务的服务器端攻击、客户端攻击、VoIP攻击、Web应用攻击等一系列的攻击场景。取证分析挑战欢迎安全社区人士积极参与，并将对Top 3的提交解答送出奖品。我们的成员也将提供一份解答样例，以公开的最新工具来分析挑战内容。

然而可能由于语言壁垒的问题，华语世界安全社区很少参与到The Honeynet Project的取证分析挑战中。在Mexico的The Honeynet Project年会之后，我们来自华语世界的分支团队（发起人：台湾团队的Julia Cheng，中国大陆团队的Jianwei Zhuge诸葛建伟，香港团队的Roland Cheung）将联合推出The Honeynet Project取证分析挑战中文版，与英文版采用同样的时间安排并行，提供简体中文版和繁体中文版的取证分析挑战内容，也将接受以中文撰写的提交解答（当然我们还是推荐华语世界的安全人士用英语参与The Honeynet Project取证分析挑战），对中文提交的解答，我们也将评出最佳解答，并提供奖励。我们希望借此机会让华语世界的安全人士更积极的参与The Honeynet Project以及世界开源安全社区的活动，获得更多的收获。

2010年第四次挑战 - VoIP（中文版的第一次）由来自澳大利亚团队的Ben Reardon和来自挪威团队的 Sjur Eivind Usken提供，将带您进入Internet上的语音通讯世界。本次挑战已于6月1日在我们的取证分析挑战网站上发布，我们将有1个月的时间接受提交解答，提交截止时间为北京时间2010年6月30日23:59。我们预计将在2010年7月21日发布结果，The Honeynet Project将对最好的3个英文提交解答进行奖励，也将对最好的中文提交解答进行奖励。

期待您的参与，谢谢！

The last spreading malware version of Waledac, a notorious spamming botnet that has been taken down in a collaborative effort lead by Microsoft earlier this year, contained some neat anti-debugging tricks in order to make reverse-engineering more difficult. Felix Leder and I have been presenting about the approach at SIGINT 2010 in Cologne yesterday, and as the method seems to be not publicly known yet, I will quickly describe it here as well.

Folks, the submission deadline for the Forensic Challenge 3 – “Banking Troubles” has passed. We have received 22 submissions and will be announcing results on Wednesday, May 12th 2010. With the 3rd challenge coming to an end, we would love to get your feedback on the challenges: Which challenge did you enjoy in particular and why? Do you have any suggestions on how to improve the challenge? Is there a particular challenge you would like to see in the future? Send your feedback to [email protected].

The 2010 Honeynet Workshop has kicked off, in the wonderful surroundings of UNAM, Mexico City. Many thanks to our hosts!

Today, Steven Adair from Shadowserver imformed us about a new piece of malware that looks like a new version of the infamous Storm Worm. Storm was one of the first serious peer-to-peer botnets, it was sending out spam for more than two years until its decline in late 2008. Mark Schloesser, Tillmann Werner, Georg Wicherski, and I [Stormfucker](http://www.h-online.com/security/news/item/Storm-Worm-botnet-cracked-wide-open-739607.html> did some work on how to take down Storm back then, so the rumors about a new version caught our interest. Mark, Tillmann, and me started to take the sample apart, and it looks very much like Storm indeed. It even uses the same configuration file, stored under C:\WINDOWS\herjek.config (the same filename as used by the last Storm version), but as the command-and-control channel has been replaced with an HTTP based version, there is no peer list included anymore. When we looked at it, just contained two lines:

After a few slow days for student applicants everywhere, and some difficult decisions on the final slot allocations for our mentors, the long wait is finally over and the GSoC 2010 official student selections are public. The Honeynet Project are very excited to have received 17 GSoC slots this year (up from 9 last year), so many thanks to Google for their fantastic support again this year.

We hope that this summer will see significant development on both low and high interaction honeypots, as well as with supporting tools. During the next few weeks of the community bonding period we’ll be helping our students and mentors prepare for their projects and engage with our members. Once development officially begins on May 24th we’ll be having regular blogs here from all of our students again, along with regular summaries of progress on our GSoC projects.