To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Blogs

Waledac is wishing merry christmas

Waledac is wishing merry christmas
There is a new bot in town. It's called Waledac. The way it is spreading reminds a lot of people of the good old storm botnet: An email is sent containing a "christmas card" in form of the executable "postcard.exe".
Waledac social engineering
A preliminary view on the binary has been given by the Shadowserver guys (Steve Adair).

I had the chance to have a first look at the binary (MD5 ccddda141a19d693ad9cb206f2ae0de9) and want to note down some of my few findings to let the hunt begin.

Annual Honeynet Project Workshop

Once a year the Honeynet Project brings together members from around the world for a one week workshop on honeyopt research, development and deployments.  We are excited that for this year's event the workshop will be sponsored and hosted by the International Multilateral Partnership Against Cyber-Threats (IMPACT), a public-private alliance against cyber threats.  IMPACT is based in Cyberjaya, Malaysia.  We are very excited for this opportunity as it will be the first time we have hosted the event in Asia.  We would like to thank IMPACT for t

libemu: Detecting selfencrypted shellcode in network streams

As libemu had it's second release (0.2.0) lately, I'll try to introduce it to the audience who did not hear about it yet.
libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics. Intended use is within network intrusion/prevention detections and honeypots.
This post is split into four parts:

  • Practical libemu usecase, showing how it executes shellcode and which information we get from it
  • Explanation of libemu and how it detects shellcode
  • High level shellcode profiling and pre-requirements for this step
  • API call hooking internals

My usenix WASL 2008 slides are available

I gave a lecture on Picviz during the Usenix Workshop on the Analysis of System Logs (WASL 2008).
My slides 'Picviz: finding a needle in a haystack' are available right here.
I also ran for the Cray log analysis contest analysis. Slides of stuff I discovered are here.
 

Welcome To The Honeynet Project Website!

Welcome to our new website as we enter the age of Web 2.0.  We have created a more dynamic website to allow our membes to create and publish their own content.  We have so many different activities going on with our various members that it can be challenging even for us to keep up.  The goal is that each member can now publish and share with the community whenever they like.  In addition we still have all the old content on the website.  We are still in the process of moving some content over, such as some of our KYE papers.  If you find content missing, a broken link or have any sugg

MS08-067 exploitation in the wild

(This article was originally published at http://honeytrap.mwcollect.org/msexploit.)
If you followed IT security related blogs or mailinglists lately, you are aware that a critical server service vulnerability in Microsoft operating systems was published recently. I'm not going to talk about the details here, there are great resources available elsewhere (and the "reversing the ms08-067 patch" article isn't the only advice about exploiting holes you get on that page).
OK, what have we got this time? One of our honeytrap sensors caught an MS08-067 exploitation attempt today which we take as an example to show how to perform a quick analysis and check what it does. If you want to play along, get the (sanitized) pcap from here.

ipv6 local-link scope is a mess

I've been looking on ipv6 lately, and even though I got a global /64 for free from he.net, I'm not that amused about ipv6 yet.

HeX 2.0 “Bonobo” is now!

packet monkey
After long development, we have finally managed to produce release version 2 of HeX, codename “Bonobo”. What’s news in HeX 2.0? Check out https://trac.security.org.my/hex/wiki/WhatsNew. Official announcement at http://groups.google.com/group/HeX-liveCD/browse_thread/thread/9a70e96591639ff9

The search for open VoIP gateways intensifies!

Got several calls from customers today. Their end-customers were calling them telling that their phone is ringing in the middle of the night. When some of them answers, there is no one there. We do some traces on it from our VoIP platform but can not find anything, and concludes there is random SIP INVITES beeing sent directly to the adapter.

This is a common way of searching for open VoIP gateways. They send a SIP INVITE with a real number that they control. If the SIP INVITE is making a successful call to this destination, the traffic suddenly increases after a while.

HeX LiveCD to be 2.0-RC2 soon.

As effort of the Honeynet Project Malaysian chapter and the RawPacket team initiative, HeX LiveCD was created. It is a Network Security Monitoring (NSM) centric Live CD, built based on the principles of NSM, for analysts, by analysts. This project will be eventually forked to Hex Sensor and Hex Server to complete the cycle of NSM processes. Besides, HeX LiveCD is the blueprint for HornyD. HornyD and HoneySuckle are the toolkits for the Malaysia Distributed Honeynet Project.

Syndicate content