Brazilian Chapter Status Report For 2008

ORGANIZATION

The Brazilian Chapter currently spans three locations: the Information Technology Research Center (CTI, Campinas), the National Institute for Space Research (INPE, São José dos Campos) and Cert.br (São Paulo); the first two maintain independent honeynets and the last administers the Brazilian Distributed Honeypots Project. Unfortunately, INPE's honeynet was out of operation during 2008 due to building renovation works, but it should be back up in 2009. Our current members are:

  • Antonio Montes (PhD), chapter lead and Senior Research Officer at the Information Systems Security Division of CTI. Oversees the overall organization and functioning of the Brazilian Chapter. Associated with the Honeynet Alliance since 2002 and member of the R&D and Membership Committees.
  • Cristine Hoepers (PhD) is Technical Manager of Cert.br. Her current research focus is the development of a data exchange protocol for honeypot data.
  • Klaus Steding-Jessen (PhD) is Technical Manager at Cert.br. His current research interest is improving the collection of malicious-activity data using spampots.
  • Luiz Otavio Duarte (MSc) is Security Analyst at CTI. He has been working on the development of a hybrid honeyclient using high-interaction honeypots.
  • Marcelo Henrique Chaves (MSc) is Incident Responder at Cert.br. He has been working on data analysis and visualization for the Brazilian Distributed Honeypots Project.
  • Ricardo Makino is System and Network Administrator at CTI. He maintains CTI's honeynet and low-interaction honeypots (honeyd and nepenthes).
  • Tiago Barabasz is Malware Analyst at CTI. He carries out malware analysis and reverse engineering, and has been working on the development of a sandnet for malware analysis.

In addition to the members listed above, the Brazilian Chapter has the following collaborators: Andre Andrade Bicudo (malware analysis), Daniel Bragion (data visualization), Dario Fernandes (hybrid honeyclient), Diego Bassani de Souza (malware analysis), Ferrucio de Franco Rosa (Sebek-NG), Mikal Yen Matsumoto (data analysis), Miriam Von Zuben (data collection and analysis), Watson Yuuma Sato (data visualization).

DEPLOYMENTS

  1. List current technologies deployed.
    • In addition to Honeyd, we are using several of the Honeynet Project's tools, such as Honeywall, Capture-BAT and Nepenthes. Both our honeynets run in /24 IP blocks; one uses the Gen III architecture and has several high-interaction honeypots running various versions of Windows, Linux and OpenBSD on physical and virtual hosts.
    • The Brazilian Distributed Honeypots Project uses honeyd running on OpenBSD machines and currently has 39 associated institutions (http://www.honeypots-alliance.org.br), each contributing a minimum of a /28 IP block.
  2. Activity timeline: Highlight attacks, compromises, and interesting information collected.

RESEARCH AND DEVELOPMENT

  1. List any new tools, projects or ideas you are currently researching or developing.
    • Design and implementation of an Oracle database running on Solaris for honeyd data (in progress).
    • Implementation of new data visualization for the Brazilian Distributed Honeypots Project (in progress).
    • Design and implementation of a sandnet for automated malware analysis, including a malware database and web interface (in progress).
  2. List tools you enhanced during the last year
  3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
  4. Explain what kind of help or tools or collaboration you are interested in.

FINDINGS

  1. Highlight any unique findings, attacks, tools, or methods.
  2. Any trends seen in the past year?
  3. What are you using for data analysis?
  4. What is working well, and what is missing, what data analysis functionality would you like to see developed?

PAPERS AND PRESENTATIONS

  1. Are you working on or did you publish any papers or presentations,
    such as KYE or academic papers?  If yes, please provide a description
    and link (if possible).
    • JESSEN, Klaus Steding; VIJAYKUMAR, Nandamudi Lankalapalli; MONTES, Antonio. Using Low-Interaction Honeypots to Study the Abuse of Open Proxies to Send Spam. INFOCOMP (UFLA), v. 7, p. 45-53, 2008. (http://www.dcc.ufla.br/infocomp/artigos/v7.1/art06.pdf).
    • HOEPERS, Cristine; VIJAYKUMAR, Nandamudi Lankalapalli; MONTES, Antonio. HIDEF: a Data Exchange Format for Information Collected in Honeypots and Honeynets. INFOCOMP (UFLA), v. 7, p. 87-96, 2008. (http://www.dcc.ufla.br/infocomp/artigos/v7.1/art11.pdf).
  2. Are you looking for any data or people to help with your papers?
  3. Where did you present honeypot-related material? (selected publications).
    • Implantação de Honeypots de Baixa Interatividade com Honeyd e Nepenthes (Deploying Low-Interaction Honeypots with Honeyd and Nepenthes), Klaus Steding-Jessen and Marcelo H. P. C. Chaves, Campus Party Brasil, São Paulo, February 2008. (http://www.honeynet.org.br/presentations/hnbr-campusparty2008.pdf).

GOALS

  1. Which of your goals did you meet for the past year?
    • Set up and train a malware collection and analysis group dedicated to studying malware attacks against Brazilian internet users.
    • Design an automated sandnet for malware analysis.
    • Start implementing an infrastructure to collect malware, including the installation of two nepenthes collectors, and establish a collaboration with Brazilian banks and other interested parties for the exchange of malware and associated intelligence.
    • Improve the storage and analysis of honeyd data.
  2. Goals for the next year.
    • Design and implement a hybrid honeyclient ("bare-metal" sandbox operating as a high-interaction honeypot) to study directed attacks against Brazilian institutions.
    • Set up an automated malware analysis process and publish daily information about collected malware.
    • Put the newly acquired Sun database server into operation and publish daily statistics from the Brazilian Distributed Honeypots Project data.
    • Install a GDH node.

MISC ACTIVITIES