Taiwan Chapter Status Report For 2008

ORGANIZATION
Taiwan Honeynet Chapter founded in November 2008. Four staff from NCHC, National Center for High-performance Computing, are responsible for Taiwan Honeynet Chapter so far. Another two full-time staff will join the working group contributed to honeynet development and botnet research on March 2009. Until now, we don't have any full member of the Honeynet Project. Below we diagramed our organization.

Chapter leader guides the Taiwan Honeynet Project. The structure of the chapter can be separate into a working group and members. Chapter leader may appoint a Chief Executive Officer (CEO) to direct the working group for overall organization and its day-to-day activities. The working group will maintain the operation of chapter, research projects and large-scale honeynet deployment. Taiwan chapter members can propose their security research projects and take part in training courses and workshops.

  • Current chapter members and their activities
    1. Eugene Yeh: Chapter Leader, Director of NCHC, to manage business and affairs of Taiwan Honeynet Project.
    2. Dan Chang: CEO, to lead working group to achieve the research projects, communicate to other chapters and cooperate with research projects
    3. Yi-Lang Tsai: Contributor, Full-time Staff, operation and development focusing on emerging Internet threats, distributed honeypot deployment and monitoring technique.
    4. Yu-Chin Cheng: Contributor, Full-time Staff, research and development of malware collection and automatic analysis platform

DEPLOYMENTS
Our current deployment is a GenIII Honeynet with ROO Version 1.3. ROO honeywall. Honeywall is used like a gateway to centrally control and monitor various honeypots overall six Class C networks. This deployment makes inbound and outbound honeynet traffic more secure and provides an efficient method in catching different attack activities. Under the honeywall, four kinds of honeypots are installed.

  • Low-Interaction Honeypots: Honeyd and Nepenthes.
  • High-Interaction Honeypots: Seven versions of windows O.S.
  • Others Honeypot: HIHAT, HoneyBot
  • Automatic Malware Collection: Capture-HPC for exploring malicious websites.

Our honeynet facilities are placed in a high-quality computer room with stable power, air conditioners and authorized access control.  It also is 7x24 monitored by NCHC Security Operation Center.

RESEARCH AND DEVELOPMENT
In this year, we focus on honeypots deployment for capturing attack activities. Besides, we are working on two projects:

  • Project 1: Distributed Honeypot DeploymentDevelop a honeypot Live-CD to deploy distributed honeypots for capturing network attacking activities and detecting botnet in Taiwan. The Live-CD is developed based on honeyd and nepenthes. We also dedicate in P2P service scripts for honeyd. Moreover, the central analysis site is developed. It gathers the collection of distributed honeypots and automatically correlates malware data and honeyd logs. Our Live-CD will assist different users to deploy honeypots promptly and simply on different networks. To deploy distributed honeypots from end-user to backbone network will help us gather more traffic to correlate the neighborhood of botnet and analyze malware behavior embedded on the bot.
  • Project 2: Malware explorer We explore malware websites based on Capture-HPC. As we have experienced on performance and accuracy issues with Capture-HPC, we will improve the web-spider function into the tool. We also make Capture-HPC portable on various Windows platforms.

In the next year, we will focus on virtual machine honeypot solutions in large-scale networks, especially in management and monitoring. Secondly, we hope we can cooperate with other chapters to research on p2p botnet tracking. Finally, all capturing data will integrate into Arcsight analysis system in NCHC SOC.
 
FINDING

  • We have collected 25 malware samples and maintained an active malicious server blacklist from our honeynet. From our honeynet collection, worm spread is the major threat to infect hosts and then form the botnet, especially in p2p communication.
  • Data Analysis Tools:We use Gen 3 Walleye, human inspection, tcpdump and simple scripts to analyze honeynet data. For malware analysis, we don’t have enough time and ability to estimate malware behavior. We submit our malware samples to on-line anti-virus software to determine what kinds of malware is.
  • In 2009, we are planning to use graph theory and machine learning techniques for data analysis

PAPERS AND PRESENTATIONS

  • None. We hope we can publish papers on good reputation conferences in 2009.

GOALS

  • In 2009, distributed honeypots Live-CD will be finished and released on a stable version. We hope we can have at least 20 distributed honeypots deployed in Taiwan.
  • Maintain an active malicious website blacklist and share with other chapters.
  • We hope we can collaborate with other chapters for botnet tracking. Afterward we will propose an useful and low-cost mechanism to mitigate botnet threat in Taiwan
  • Lesson learn from Honeynet Project. To realize the details of hacking technology and investigating the infection of malware.
  • To popularize honeynet project in Taiwan by translating KYE papers into traditional Chinese, holding Taiwan chapter workshop and training courses.

MISC ACTIVITIES

  • None