Giraffe Chapter

Welcome to the natural habitat of the Giraffe Honeynet Project, a chapter of the international Honeynet Project. Our main interest lies in developing code for applications in the area of honeynets and malware research. Some of our projects are:

We also (co) authored the Know Your Enemy: Tracking Botnets and the Know Your Enemy: Containing Conficker paper.

libemu: Detecting selfencrypted shellcode in network streams

As libemu had it's second release (0.2.0) lately, I'll try to introduce it to the audience who did not hear about it yet.
libemu is a small library written in c offering basic x86 emulation and shellcode detection using GetPC heuristics. Intended use is within network intrusion/prevention detections and honeypots.
This post is split into four parts:

  • Practical libemu usecase, showing how it executes shellcode and which information we get from it
  • Explanation of libemu and how it detects shellcode
  • High level shellcode profiling and pre-requirements for this step
  • API call hooking internals

ipv6 local-link scope is a mess

I've been looking on ipv6 lately, and even though I got a global /64 for free from he.net, I'm not that amused about ipv6 yet.

No more emulation!

Emulation is an important technology in honeypots and honeynets. It's not always what we want, though, and here's why. As you might know, most bots perform attacks in multiple stages, i.e., they

  • send some exploit code to the victim that opens a shell,
  • connect to that shell or let the shell connect back,
  • invoke commands to download the actual malware binary,
  • execute the malware.

Catching the exploit and providing a fake shell isn't too hard, as shown in this post. But we certainly don't want a malware to get executed on our honeypot, not even in an emulated environment. Instead, we want to do different things with it, e.g., submit it to a central service for automated analysis.

Giraffe Honeynet Project Status Report October 2008

ORGANIZATIONAL

Changes in the structure of your organization.

TEXT

List current chapter members and their activities

  • Jane Doe ...
  • John Doe ...

DEPLOYEMENTS

Current technologies deployed.

Location: Berlin

Alias: TEXT
Description: TEXT
Technology:TEXT

About The Honeynet Project

The Honeynet Project is a leading international 501c3 non-profit security research organization, dedicated to investigating the latest attacks and developing open source security tools to improve Internet security. With Chapters around the world, our volunteers have contributed to fight against malware (such as Confickr), discovering new attacks and creating security tools used by businesses and government agencies all over the world.

Syndicate content