Monday, February 1st, the submission deadline for challenge 1 of the Forensic Challenge 2010 has passed. We have received 88 submissions and Tillmann who has been judging them mentioned there were some excellent submissions in the mix. Tillmann will be highlighting some answers when we announce the results on the 15th of February.

I have acknowledged receipt of each submission received via email. If you have not received a confirmation mail from me, please contact me at [email protected] and I will check whether we have received it.

Glastopf:
On January the 22nd I met Sven. Sven is a bachelor student at the Bern university of applied sciences and will write his thesis about Glastopf. During his work he will rewrite the current Glastopf unstable version, but when he will be finished the new version will have at least the same features like the previous version. The goals are: A much better modular structure, this means there is one core which directs every request to the modules. They store the data, emulating the vulnerability and compose the response which the core gives back to the attacker. There will be a much better classification of incoming attacks and the rules used for this will be totally detached from the source code to distribute them easily between different sensors. I will post some details as soon as we started the work. This also means that we will freeze the current unstable version to put all effort into the new version.

We have just posted the first challenge of the Forensic Challenge 2010. The first challenge deals with a network attack. It has been provided by Tillmann Werner from the Giraffe Chapter. It is accessible at https://honeynet.org/node/504. Submissions are due on Monday, February 1st 2010 and results will be released on Monday, February 15th 2010. The top three submissions will be awarded with small prizes. Check it out!

I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to analyze attacks and share their findings. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.

Folks,

I would like to inform you all about our recent activities that we are attempting to achieve.

First of all, we have totally rebuilt our web site. This new ones aim to be a central repository of all the (external/internal) news concerning botnets (mainly) and malwares (secondary).
We will use the blog for posting about our project developments, and for commenting/reporting interesting news concerning the field that we are currently treating, so you can now add a new entry to your feeds reader :)
The repository section aims to maintain a complete library of all the publications redacted (by us or others) until today about botnets. Each one can be tagged and classified for giving an easy way for searching what a researcher needs. If you have a paper/doc about botnets, we will be proud to upload it here!
The Dorothy section is the web GUI of the framework developed by me about irc-botnet tracking through interactive visualization. Maybe you have seen it before (I’ve posted the link in this mailing list some months ago), since that I’ve improved the GUI adding a “malwares” task for each C&C, and providing an afterglow graph for each malware and for each C&C .
We are also maintaining a Wiki, here you can find all information about our tools/activities: you are all invited to contribute on it. The wiki has been recently “plugged” with the GUI giving the possibility to create a new page for each C&C, in this way, every researcher can write about his own investigation about it.

Parvinder Bhasin asked us to post an announcement about his new tool. While not officially a tool developed by the Honeynet Project, we thought you should know about some of the great work he is doing. Nepenthes PHARM is a perfect companion to your Nepenthes honeypot installations. PHARM is an Open Source client/server and web portal package, which provides central reporting and analysis of your distributed Nepenthes based honeypots. PHARM Clients are installed on along with your Nepenthes installs, PHARM clients listen for any changes in nepenthes log files (logged_submissions and nepenthes.log) and sends over the logged data and malware collected over to the server running the PHARM server. PHARM server munges all the data collected from PHARM Clients and provides analysis/report of your honeypots through the PHARM Web portal. On the analytical part, Pharm actually queries Virus total’s publicly available data to report back the detail of the malware collected.

We are very excited to announce the publication of our first paper in the new Know Your Tools paper series: “KYT: use Picviz to find attacks” authored by Sebastien Tricaud from the French Chapter and Victor Amaducci from the University of Campinas.

The paper can be downloaded at Know Your Tools: use Picviz to find attacks.

_Paper Abstract

Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is difficult to identify with traditional analysis methods.

Some people say “Reverse Engineering is an art”. Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

Reverse engineering is like solving a jigsaw puzzle. In order to see the whole picture you need to find the corner pieces, then the frame, and then work your way forward from there. The corner pieces for reversing are strings, constants and function names. The function names that people normally start with are the one’s imported from shared libraries (e.g. Dlls). Strings contain human readable hints about the functionality. Specific constants add more clues to solve the puzzle or can sometimes even be used to identify certain (types of) algorithms. The imported functions tell about the actions performed by it.

We are excited to announce the latest chapter coming on Board, the United Arab Emirates Chapter, hosted and formed by aeCERT.  This is the very first Chapter to be joining from the middle-east, we are very excited to have them on board and expect great things from them!

Shucran!

lance

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)