CyberSecurity Malaysia Chapter Status Report For 2011

CyberSecurity Malaysia Chapter Status Report For 2011

List current chapter members and their activities.
• Adli Abdul Wahid (adli[at]
• Adnan Mohd Shukor (adnan[at]
• Alip Aswalid Asri (alip[at]
• Lee Ling Chuan (lc.lee[at]
• Mahmud Ab Rahman (mahmud[at] - Current Chapter Lead
• Mohd Hafiz Md Thabrani (hafiz[at]
• Nur Mohammad Kamil Bin Mohammad Alta (kamil[at]
• Ahmad Azizan Idris ( (azizan[at]
• Tan Kean Siong (tankeansiong[at] - New member from GSoc 2010 project

List changes in the structure of your chapter (alumnus).
• Salahudin Wan Khairuzzaman


List current technologies deployed.
The following are some of the components that are currently being deployed
• RFIPot - for capturing web based attacks
• Dionaea for malware collection and incident handling (CERT Part).
• Gallus for malicious pdf detection and collection

• Our chapter conducted research on reverse engineering android malware. Please check for presentations links. We provided a class for reversing android malware during Honeynet Workshop 2011.
• We continue to explore on possibility to provide proof of concept on interception network at NDIS layer. We published our analysis and finding in the article "Interception and Automating Blocking of Malicious Traffic Based on NDIS Intermediate Driver".
• MyPHPIPS (MyPHP Intrusion Prevention System) is an open source PHP Web Application Intrusion Prevention System. It was based on PHPIDS ( MyPHPIPS is a portable and less-hassle framework that serves as an extra security layer to defend against invalid/malicious requests to the web application or content management systems. Please check the code released here:
• We continue to spend our time on malicious pdf detection. Improving and adding new features to address new discovered methods to abuse PDF. See our presentation at Defcon for obfuscation techniques on malicious pdf.


• Android malware is popular for 2011. Many infection methods rely on modded legitimate applications. The modded application will be repackage and uploaded into android market (Google Play and many more)
• Collecting and analyzing network data from NDIS layer is possible and stealthier. Many works are still required such protocols decoder to make captured data more meaningful.
• Providing IPS for PHP is possible with PHPIDS patch called MyPHPIPS. MyPHPIPS is possible to prevent/drop any requests matched with rules provided by phpids rules.

List published papers and presentations.

• "Interception and Automating Blocking of Malicious Traffic Based on NDIS Intermediate Driver" -
• "Reversing Android Malware", The latest is here:

• Sneaky PDF, Video and Slide for Defcon 19,

List interactions with the security community.

1. Presentation and training with SAHNET Chapter
2. Presentation on Android Malware analysis with Taiwan Honeynet Chapter

List possibilities to interact with your chapter (e.g. chapter web page).
2. we always at #honeynet irc. :)

List the goals the chapter meet for the past year.
• We manage to finish the research on NDIS driver for detection and sniffing the traffic.
• We achieved the goal on gaining knowledge on android malware.
• We released a tool called myphpids to help web admin to improve their web server security.

State your chapter goals for the next year.

1. Kernel and Font type vulnerability analysis
2. Malicious Flash document analysis
3. ROP shell code analysis
4. Dynamic android analysis


Tan Kean Siong spending his time mentoring GSOC 2011 project.