To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Blogs

Another great step forward

“Dionaea is meant to be a Nepenthes successor, embedding Python as scripting language, using libemu to detect shellcodes, supporting IPv6 and TLS” (taken from Dionaea homepage). Besides being the most interesting project for trapping malware exploiting vulnerabilities, Dionaea supports a really cool feature which allows it to log to XMPP services as described here. TIP now exploits this feature receiving and storing such logs (really thanks to Markus Koetter for his help and support).

PHoneyC DOM Emulation - Window

A few weeks ago I started reviewing the PHoneyC DOM emulation code and realized it was turning to be hard to maintain and debug due to a huge amount of undocumented (and sometimes awful) hacks. For this reason I decided it was time to patch (and sometimes rewrite from scratch) such code. These posts will describe how the new DOM emulation code will work. The patch is not available right now since I'm testing the code but plans exists to commit it in the PHoneyC SVN in the next days.

TraceExploit

The first part to the format discovery is 90% completed.
The program is now able to tokenize the sample packets and sort them to clusters according to token pattern.
The structure for a token looks like this:

// definition of a node for initial tokenization
struct sToken {
struct inferProperty* sProperty;
struct inferSemantic* sSemantic;
struct formatDistinguisher* sFD;
struct sToken* next;
};

struct inferProperty {
char szType[4]; //"s-c/c-s" / "bin" / "txt"
unsigned char* pValue; //value of token. Will include

null and unicode, if there is

The winners of the 4th Forensic Challenge 2010 VoIP are ...

The 4th Forensic Challenge on VoIP has come to an end. We had a total of 21 submissions with several submissions from Chinese speakers which has been made possible by Julia, Jianwei and Roland from the Chinese speaking chapters.

The winners of the 4th Forensic Challenge 2010 VoIP are:

  1. Franck Guenichot (France)
  2. Fabio Panigatti (Italy)
  3. Shaun Zinck (USA)

We have posted their submissions onto the challenge web site so you can see what top notch submissions they provided. Franck, Fabio and Shaun will be awarded with small book prizes. Congratulations!

Thanks to all who participated in the challenge in particular Ben Reardon from the Australian and Sjur Eivind Usken from Norwegian Chapter who made this challenge possible.

Forensic Challenge 2010/4 - VoIP - 4 days left!

Folks, the submission deadline for our Forensic Challenge 4 - VoIP is quickly approaching. The deadline is this Wednesday and so you have another 4 days to submit your solution.

The challenge is quite different than our previous challenges. It was provided by Ben Reardon from the Australian and Sjur Eivind Usken from Norwegian Chapter - and takes you into the realm of voice communication on the Internet. Thanks to our Chinese speaking chapters, it is also available in simplified Chinese and traditional Chinese.

The Honeynet Project 鑑識分析挑戰中文版啟航

The Honeynet Project 是一個國際知名的開源資訊安全研究團隊,致力於提升Internet的安全。

The Honeynet Project取证分析挑战中文版启航,欢迎华语世界安全人士参与

The Honeynet Project是一个国际知名的开源信息安全研究团队,致力于提升Internet的安全。

Forensic Challenge 2010/4 - VoIP is now live

Challenge 4 of the Honeynet Project Forensic Challenge - titled "VoIP" - is now live. This challenge 4 - provided by Ben Reardon from the Australian and Sjur Eivind Usken from Norwegian Chapter - takes you into the realm of voice communications on the Internet. VoIP with SIP is becoming the de-facto standard. As this technology becomes more common, malicious parties have more opportunities and stronger motives to take control of these systems to conduct nefarious activities. This Challenge is designed to examine and explore some of attributes of the SIP and RTP protocols.

Note that our Chinese speaking chapters (Julia Cheng from the Taiwanese Chapter, Jianwei Zhuge from the Chinese Chapter and Roland Cheung from the Hongkong Chapter) have taken great initiative and translated the challenge into Chinese, which is available from the simplified Chinese and traditional Chinese pages (will be posted by EOD today.)

With this challenge, we are getting on a firm 2 month cycle. You will have one month to submit (deadline is June 30th 2010) and results will be released approximately 3 weeks later. Small prizes will be awarded to the top three submissions.

Enjoy the challenge!

Waledac's Anti-Debugging Tricks

The last spreading malware version of Waledac, a notorious spamming botnet that has been taken down in a collaborative effort lead by Microsoft earlier this year, contained some neat anti-debugging tricks in order to make reverse-engineering more difficult. Felix Leder and I have been presenting about the approach at SIGINT 2010 in Cologne yesterday, and as the method seems to be not publicly known yet, I will quickly describe it here as well.

Forensic Challenge 2010/3 - "banking troubles" - and the winners are ....

Josh, Angelo, Matt and Nicolas finished evaluating the submissions for FC2010/3 banking troubles. Again, lots of great submissions! We had a total of 22 and the top performers for FC2010/3 are:

  1. Mario Pascucci (Italy)
  2. Tyler Hudak (USA)
  3. Carl Pulley (UK)

Congratulations to the winners and all the folks that participated in the challenge - this was not an easy one. Each winner will receive a signed book from one of our Honeynet Project authors. We have posted the submissions of the winners and sample solution on the FC2010/3 web page. All participants should have also received an email today with information about their individual score as well as placement.

Syndicate content