CyberSecurity Malaysia Chapter Status Report for 2008

 
1.0 Organization
We'd like to welcome a new member is this report, Adnan Shukor. He will be working on more client side threat research.  So far we have six (6) members, who are full time staff with CyberSecurity Malaysia and Malaysia CERT:

  • Adli Abdul Wahid (adli[at]cybersecurity.my)
  • Adnan Shukor (adnan[at]cybersecurity.my)
  • Mahmud Ab Rahman (mahmud[at]cybersecurity.my)
  • Megat Muazzam Megat Mutallib (megat[at]cybersecurity.my)
  • Mohd Hafiz Md Thabrani (hafiz[at]cybersecurity.my)
  • Mohd Shah Hatta (mshah[at]cybersecurity.my)

 
2.0 Deployment
The following are the some components that currently being deployed

  • SurfIDS - provides a good front-end for visualizing trends in our honeynet. Slowly replacing stand-alone nepenthes sensors
  • Nfsen/nfdump - allows us to visualize and analyze netflow data
  • HIHAT - for capturing web based attacks
  • Honeytrap

 3.0    Research and Development
Other than working on to get the infrastructure ready, we have done some work in the following areas:
a.    VisualizationDue to the amount of data (read logs) produced by our honeynet, some team members spend some time to enhance visualization of the data collected. You can view some of these samples in the URL mentioned below.
i.    Malware (based on md5hash) Location  - https://honeynet.org.my/live/malreport/index.php
ii.   Traffic inbound/outbound   - https://honeynet.org.my/live/attackreport/index.php
iii.   Netflow Visualization (data collected via SANCP from Sguil’s component) b.    Malicious PDF parserWe started developing a tool for analyzing malicious PDF files. Our tool depends to pdftk toolkit to decompress the pdf file and  look for any suspicious strings inside the file. We intend to release the tool in the beginning of Q3 2009.
c.    RFIpot
We have modified the backend of HIHAT and integrated it  with a custom script (credits to folks at ShadowServer) for picking up RFI inclusion attacks to our honeynet. We also intend to share this with the community in Q3 2009.
 
4.0    Findings
We definitely need to spend more time to analyze what we collect. :-)
a.  Malware Collection
We have collected quite a number of malware samples last year and made many new friends through our samples sharing initiative.
We intend to start blogging our findings more regularly in 2009.
 
5.0    Paper and Presentation
In 2008, our teams has conducted training and talks on topic relevant to our honeynet deployment at conferences such as FIRST TC in Tokyo, APCERT AGM in Hong Kong, Infosec.MY (CyberSecurity Malaysia event), local universities and a few other closed sessions.
 
6.0    Goals
In 2009, we intend to start looking in to honeyclient and establish partnership with more organizations locally and abroad.
7.0 Misc Activities
Nothing to report at this point