Chapter Status Report for 2010

New Zealand Chapter Status Report For 2010

Report covering activities from January 2009 to October 2010. 


ORGANIZATION


Changes in the structure of your organization.


Peter Komisarczuk and Ian Welch from Victoria University have taken on the lead role in the Chapter for 2009-10. Our Auckland members have stepped down due to work commitments.

Unfortunately because of workload the leadership has not been particularly active in national coordination. Peter has recently moved to the UK. We would like to acknowledge Dr Christian Seifert who has recently completed his PhD.

The chapter remains fairly informal. At Victoria University we have two PhD students working on developing mobile exploit detection and AI tools for analysis and have several other contributors at graduate level. 
There are several other members across New Zealand and some collaboration with Cardiff University.

The chapter is developing plans for the further R&D of client honeyclient technology, and continues some measurement of drive-by-downloads and analysis tools.
 


List current chapter members and their activities:


  • Dr Ian Welch, Senior Lecturer, Victoria University of Wellington, coordinator/supervisor

  • Dr Peter Komisarczuk, Professor of Computing, Thames Valley University, UK, supervisor
.
  • Mr Radek Hes, Programmer, Victoria University of Wellington, developer.
  • Mr Ramon Steenson, associated with Victoria University of Wellington, developer of Capture.

  • Mr Fahim Abbasi, PhD student, Massey University, researcher in honeypots/honeynets.

  • Mr Van Lam Le, PhD student, Victoria University of Wellington, researcher AI techniques for honeyclient analysis, developer and client honeypot operations 2009-10.

  • Mr Pacharawit Topark-Ngarm, PhD student, Victoria University of Wellington, researcher mobile client honeypots, developer and client honeypot operations 2009-10.

  • Recent student members and summer research assistants:


  • Mr Sam Russell, Honours student, Victoria University of Wellington, Win32 API hooking.
  • Mr Dong Xia, Honours student, Victoria University of Wellington, deployment of Capture-HPC.
  • Mr Jan von Mulert, Honours student, Victoria University of Wellington, testing framework for Capture-HPC.
  • DEPLOYMENTS


    List current technologies deployed.


    A client honeypot deployment is provided through the University of Wellington (sponsored partially by InternetNZ). The client honeypot has been deployed and operational since April 2008. Several reports have been written and presentations provided at InternetNZ. The funding ceased in early 2010.

    Fahim Abbasi at Massey University has been developing and deploying honeypots. The project identified and investigated design problems in building Virtual Honeynets. Special emphasis was laid on planning to achieve maximum logging capability within the available resources.

    See the presentations and papers listed for highlights of results primarily from the client honeypot deployment.

    RESEARCH AND DEVELOPMENT

    List any new tools, projects or ideas you are currently researching or developing.


    The focus from Victoria University has been on developing Capture-HPC. Some work on Capture-BAT and HoneyC (updates) to be considered.

    As part of fourth year individual student projects, we have been developing tools that could be integrated with Capture-HPC/Capture-BAT. Note that all these tools are more proof-of-concept than distributable prototypes. Reports have been produced for each of these by the students and can be made available to interested parties.

    The first project is an installer and disk image distribution that contains all required Capture-HPC components except for Windows XP. The current proof-of-concept requires some work to fix problems being encountered with Python Bindings for VMWare VIX that is preventing automation of installation of Capture-BAT within the Windows XP image.

    The second project is a generic hooking mechanism for Win32 that allows the loading of ActiveX controls to be hooked and monitored. This makes use of DLL injection to allow this to take place transparently at runtime. This mechanism could be used with Capture-BAT to provide monitoring that is difficult to bypass and provides a detailed view of runtime execution of potentially malicious web pages. A more detailed view of runtime execution would allow us to improve support for malware analysis.

    The third project is a testing framework for Capture-HPC that makes use of Metasploit for test cases. A proof-of-concept system has been developed and we have funding to employ the same student over the NZ summer to turn this into a distributable prototype.

    Mobile client honeypot research preparation begun in late 2008 and will carry on through to 2011/12. We are working with the Android platform and are currently exploring the use of AspectJ to instrument Android APIs to allow runtime monitoring.
    AI analysis tools for automated client honeypot analysis began in late 2008 and will carry on through to 2011/12. We are carrying out evaluation of different machine learning techniques for identifying malicious webpages using static features. A paper on this topic has been accepted for publication at the Australasian Information Security Conference 2011.

    List tools you enhanced during the last year
.

    Capture-HPC is a high interaction client honeypot system. It has been greatly enhanced in 2009. See https://projects.honeynet.org/capture-hpc/wiki/Releases for current release information and prior releases.
Capture-HPC has been extended in a number of areas:

  • Hooking the network API to collect further network events was added in 2009. A GSoC project began in 2010 to look at supporting this feature in Windows 7.
  • Making Capture state-full, with database support, including the capture-client sending the malicious page/code to the capture-server. Allows us to start, pause, stop execution, etc. was developed in 2009.
  • In February-March 2010, Felix Leder from the Giraffe chapter visited and contributed to capture-HPC development by writing proxy functionality, so that a single deployment could access servers through remotely deployed proxies.
  • Future options for development work on Capture-HPC are documented at https://projects.honeynet.org/capture-hpc/wiki/Proposals.

    Capture-BAT is a behavioral analysis tool of applications for the Win32 operating system family. Capture BAT is able to monitor the state of a system during the execution of applications and processing of documents, which provides an analyst with insights on how the software operates even if no source code is available. Capture-BAT is the analysis tool at the heart of Capture-HPC client. See https://www.honeynet.org/node/315.
Capture-BAT will be updated to include the functionality to be released in the next major release of Capture-HPC. It is our aim to keep Capture-BAT and Capture-HPC development in step as far as possible.


    
HoneyC is a low interaction client honeypot framework that allows us to find malicious web servers on a network. Instead of using a fully functional operating system and client to perform this task, HoneyC uses emulated clients that are able to solicit as much of a response from a server that is necessary for the analysis of malicious content. Version 1.3.0 was released on 19th January 2008, see https://projects.honeynet.org/honeyc/wiki/Releases, for more information. No development plans are currently in place to extend HoneyC. 


    Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing / developing tool?
 


    We are open to work with other chapters, depending on available (usually manpower) resources. We are looking to extend the analysis offered through Capture-HPC by including for example geo-location of malicious servers and exploit servers, perhaps reuse some components from various other projects such as Nepenthese (asn, geoip), ffdetect, and add in statistics and graphs.

    We also are interested in updating Capture-HPC to use more recent components such as Internet Explorer 8.

    We would be happy to receive guidance and information on potential tools that could be used.

    Explain what kind of help or tools or collaboration you are interested in.


    We are open to work with other chapters, depending on available (usually manpower) resources. As we develop our analysis tools we will need further data sets for AI training purposes.


    FINDINGS


    Highlight any unique findings, attacks, tools, or methods.

    As part of the API hooking project, we have discovered that function table rewriting in Win32 appears to be disallowed by Internet Explorer 8. A project report detailing our findings has been developed as part of this work that details this and other results.

    What is working well, and what is missing, what data analysis functionality would you like to see developed?


    We need to work on coordination with other members of the chapter and the maintenance and updating of our tools to work with current Windows Internet browsers.


    PAPERS AND PRESENTATIONS


    Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible)


    We are working on several papers related to client honeypots, two have been submitted to conferences in 2011. 


    1. Van Lam Le, Welch I, Gao X, Komisarczuk (2011), Identification of Potential Malicious Web Pages, accepted for publication in Australasian Information Security Conference, Perth, 17-20th January 2011.
    2. Komisarczuk P, Welch, I, (2010), Internet Sensor Grid, in proceedings of Networks of the Future (NF), IFIP WCC, Brisbane Australia, 20-24th September 2010.
    3. Komisarczuk, P, Weich I, Gao Xiaoying, Van Lam Le, Pacharawit Topark-Ngarm, (2010), Developing Honeyclients, New Zealand Computer Society, 50th Anniversary Conference, Rotorua, New Zealand, 16-17th September 2010.
    4. Komisarczuk, P (2010), Using Honeyclients for Teaching, CFET 2010, Christchurch University, Canterbury, UK, 2-3rd September 2010.
    5. Seifert C, Delwadia V, Komisarczuk P, Stirling D, Welch I, Measurement Study on Malicious Web Servers in the .nz Domain: Final Report September 2009, last accessed 27th January 2010, http://www.internetnz.net.nz/workstreams/honeypot/Internet%20NZ%20Study%20final.pdf
    6. Seifert, C., Komisarczuk, P., Welch, I., (2009) “Measurement Study on Malicious Web Servers in the .nz Domain”, at ACISP, Brisbane, July 2009.
    7. Seifert, C., Komisarczuk, P., Welch, I., (2009) “True Positive Cost Curve: A Cost-Based Evaluation Method for High-Interaction Client Honeypots”. in SECUREWARE, Athens, June 2009.
    8. Stirling D, Welch I, Komisarczuk P, Seifert C, (2009) “Automating Malware Scanning using Workflows”, The 9th IEEE ccGrid 2009 Conference, Workflow Systems in e-Science Workshop (WSES), China, May 2009.
    9. Van Lam Le, Komisarczuk P, Gao Xiaoying, (2009) “Applying AI to Improve the Performance of Client Honeypots”, Passive and Active Measurements Conference 2009, Seoul Korea, April 2009.

    Are you looking for any data or people to help with your papers?


    Data from other client honeypot deployments would be of interest.
We are particuarily interested in data from experiments with low interaction honeyclients.

    Where did you present honeypot-related material? (selected publications)

    In addition to the conferences above we have presented client honeypots and the .nz scan at the following meetings, (i) NZ-BTF, (ii) Kiwicon (Hacker conference), (iii) InternetNZ (sponsors of the .nz scan), (iv) seminar at Privacy Commissioner, New Zealand.


    GOALS


    Which of your goals did you meet for the past year?


    We increased the visibility of our work in New Zealand, we were awarded several small grant from InternetNZ to study the .nz domain for malicious servers. We have increased the number of students working on honeypot technology and have written a number papers, so generally met our goals.
 


    Goals for the next year.


    1 Continue to extend our chapter and develop students with honeynet knowledge.

    2 Further develop our tools and integrate with third party tools as appropriate.

    3 Continue the .nz domain scan (seeking funding). Share data as appropriate.

    4 Apply for funding to support future R&D.

    5 Maintain our research and development and develop linkages with other researchers.
 


    MISC ACTIVITIES


    None