Conficker.A going down?

10 Jul 2009 Tillmann Werner conficker

Conficker contains a piece of code that has been the object of speculation: It does not infect boxes located in the Ukraine. Before sending an exploit, it performs a lookup against Maxmind’s GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind’s server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to the Ukraine. The database format is actually quite simple, and he managed to create a valid database that places the whole Internet around Kiev.

What's new on phoneyc (3)--- Mid-term Evaluation

05 Jul 2009 Zhijie Chen gsoc libemu phoneyc shellcode spidermonkey

Mid-term Report on PHoneyC GSoC project 1

Info: See https://www.honeynet.org/gsoc/project1 for project details.
Author: Zhijie Chen (Joyan)
Mentor: Jose Nazario
Description: Mid-term Report on PHoneyC GSoC project 1. This report describes what I have done on the PHoneyC’s libemu integration for shellcode and heapspray detection during the first half of the GSoC. Till now, the main ideas on this feature have been fast-implemented (actually I mean poor coding style) and the whole flow works well, with some code rewriting and performance optimization needed in the future.

Introduction

PHoneyC is a low-interaction honeyclient written by Jose Nazario. The shellcode (SC for short) and heapspray (HS for short) detection module for PHoneyC is listed on the GSoC this year and I feel lucky to be chosen to implement it. This report is the main idea about how to detect SC/HS in PHoneyC and how to build and run this version of PHoneyC. Note that this module (I call it honeyjs) is far from complete currently and this report is only for midterm evaluation. So it is possible that the way to build and run it won’t work in the future.

Tracking Intelligence Project

03 Jul 2009 Angelo Dellaera

What is TIP? TIP stands for Tracking Intelligence Project. In my most beautiful dreams, TIP should be an information gathering framework whose purpose is to autonomously collect Internet threat trends. It’s entirely written in Python using Twisted and bound to the Django framework in order to abstract the underlying database and to easily build a web interface to the data.

TIP is made up of a few modules which are totally independent from one another but with each one feeding the others. Its design is based on a core module which acts as a kind of scheduler which schedules what we can call “first level modules” at a precise time in the future or in response to a particular event.

Confusion About Honeypots

28 Jun 2009 Lance Spitzner

Honeypots have been actively used by the security community for over ten years now. They are used for a variety of purposes, but nowadays primarily for information gathering. When honeypots were first being used they generated a great deal of discussion about the legal issues. However, through the years this debate has died down, with most organizations feeling these issues are minor. I just wanted to share an update on these thoughts.

Bison/Flex parser

27 Jun 2009 Robin Berthier honeybrid-gsoc-parser

This week I completed an important step which is to integrate a parser in Honeybrid. There are now two new files in the source code:

  • rules.l which defines the different tokens to analyze,

  • rules.y which defines the configuration language and the different subroutines to call when a specific combination of tokens is detected.

Flex and Bison compile these two files and generate rules.c and rules.h which are then used by honeybrid to parse its configuration. The great advantages of having a parser are having a flexible configuration file and better handling of configuration errors with a small volume of code.

Free Honeynet Log Data for Research

26 Jun 2009 Anton Chuvakin data honeynet honeypot linux logging logs research security

UPDATE: the log data is posted here. A notification group about new log sharing is here.

This WASL 2009 workshop reminded me that I always used to bitch that some academic researchers use antediluvian data sets for their research (Lincoln labs 1998 set used in 2008 “security research” makes me want to just curse and kick people in the balls, then laugh, then cry, then cry more…).

However, why are they doing it? Don’t they realize that testing their “innovative intrusion detection” or “neural network-based log analysis” on such prehistoric data will not render it relevant to today’s threats? And will only ensure ensuing hilarity :-)

stack crash?

26 Jun 2009 Chengyu Song qebek-windows

This phenomenon was first observed when I tried the NtReadFile test last week: sometimes when postNtReadFile is called, the handle value, buffer address and buffer size got from the stack are quite different from the values got in preNtReadFile. I didn’t pay much attention to this problem at that time, but when I tried to debug the NtSecureConnectPort API with WinDBG today, this phenomenon appeared again. So I did a further study on it.

Parser Redux and Libraries

21 Jun 2009 Kevin Galloway

I know I said that I would post a screenshot a week ago, but it’s been a little busy, so here’s an older attached image. One of the reasons there was a delay is that the code I was using was based on one of the wxPython demo programs, hence the RunDemo title bar. I’m in the process of revamping that code into something that’s a little more standalone.

QEMU dyngen

21 Jun 2009 Chengyu Song qemu-qebek

This is supposed to be the first Qebek blog post, but unfortunately it cannot pass the mod_security check (even today), so I posted it here.

New features added !

19 Jun 2009 Thibaut Gadiolet

Hi folks,

It took me a long time to work on the data model, the back-end, and to set up all my framework (Tapestry+hibernate+Spring+ACEGI+Maven), but it’s done right now.

So I will post once a week I guess about new features I added.

I’d like to speak a bit about how my webapp works. The main goal is to separate every layer of my web application, e.g. front-end/business/back-end:

Layers model

This week, you I added