Hi all!
As defined in gsoc proposal the first step was prepare PicViz-Gui to allow change axes order, including add duplicated axes. Even before start the codification process this feature is done. I hope this is a little sinal of we’ll have success in all tasks that were defined. See a shot:
axis0, As first and last.
Axes reorder
I have no time for this yet, but soon I’ll post new shots of these feature.
Finally updated the roo-base rpm to point at http://yum.honeynet.org/roo/repo-1.4/ for the location of the yum repository. Once I have access to the server, someone with an old deployment of roo 1.4, will be able to upgrade their honeywall as follows:
rpm -i http://yum.honeynet.org/roo/repo-1.4/roo-base-5-36.hw.noarch.rpm
yum update
This will update the honeywall with all updated system rpms effective 25 April 2009.
I also placed a new iso with updated rpms on: https://projects.honeynet.org/honeywall/attachment/wiki/WikiStart/roo-1.4.hw-20090425114542.iso.
Many people have asked us, how Conficker looks like. That’s a tough question for something that’s hidden and tries to be as stealthy as possible. The last time somebody asked me: “Can you show me Conficker?”, I decided to visualize Conficker. Here is a little video that shows the evil core of Conficker.C.
The video is a 3D animation of the functions inside Conficker.C and their functional relationships. Yellow balls are functions found inside Conficker.
Earlier this week I had the good fortune to be in Boston for LEET09, a workshop on exploits, malware, and large-scale trends. I presented on PhoneyC, the Python honeyclient I’ve been working on. The paper describes the architecture and features of the tool and a real world evaluation and test. The talk was well received, and many thanks to the organizers of the conference and the PC for their helpful reviews.
The results for Google Summer of Code 2009 are out and the Honeynet Project are very excited to have been allocated 9 official slots by Google. You can view the project selection here:
http://socghop.appspot.com/org/home/google/gsoc2009/honeynet
Congratulations to all the students accepted for GSoC 2009, and commiserations to those who didn’t make it this time. We had many more applicants than slots, making the final selection very tough, so we hope everyone who applied will still consider getting involved in open source software and honeynet research.
Today we released version 2 of our Simple Conficker Scanner (SCSv2). It contains a new scanning method which allows for detection of machines infected with the recent Conficker version (D or E, depending on the naming scheme - the tool calls it D). Although the patch to the vulnerable function NetpwPathCanonicalize() was updated in the new variant, the RPC response codes for specially crafted requests are still different for infected machines.
The Honeynet Project is very excited to be a member of the Google Summer of Code. We are sponsoring at least eight GSoC projects and potentially more, depending on how many other ideas we received. Google has just closed the application period, we are thrilled to see we received 55 applications. Our mentors will spend the next week reviewing and ranking each application. Then, on 15 April Google will select our top applicants.
Joe Stewart from the Conficker Working Group has created an eye chart that allows for online identification of Conficker B and C infections. The idea of trying to load content from sites that are blocked by Conficker is really smart. We wrote our own page based on their method with the goal to make the results as clear as possible (note this only requires a substring match on a pattern in Conficker’s blacklist, rather than a complete domain name match).
The Honeynet Project is very excited to announce a new scanning tool for detecting Conficker and an upcoming Know Your Enemy paper detailing how to contain Conficker. Both the paper and the tool have been developed by Honeynet Project members Tillmann Werner and Felix Leder. The tool was developed over the weekend, in co-ordination with Dan Kamisnky, and this tool is now publicly available and is in the process of being integrated into most major vulnerability scanning tools, including Nmap.
As you know, bad things are going to happen on April 1st: people will be sending out emails to their friends, telling silly jokes and putting MTAs under a higher load. Besides that (but not quite that bad), Conficker will activate its domain name generation routine to contact command-and-control servers. We have been researching this piece of malware recently, with a focus on how to detect Conficker-infected machines. Felix and I had a discussion with Dan Kaminsky about the possibilities to actively detect Conficker and wrote a scanner for this task.