At the Honeynet Project workshop 2012, we raffled off a brand new Norman Malware Analyzer G2. Thanks everybody for participating in the raffle.
The winner of this year's raffle is Todd Straceski from Zynga. Congratulations to Todd!
Thanks again to Norman for sponsoring the Honeynet Project workshop 2012. We hope to see you all again next year.
Earlier, we posted about our operation on the Kelihos.B/Hlux.B botnet takedown that was conducted by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project. On initial view, the operation seems very clear cut: the bad guys are running a botnet that is wreaking havoc on the Internet; on the other side are the good guys who have found a way to disable the botnet.
The situation is much more nuanced. The Honeynet Project has been conducting security research for over a decade now and since our early days, we made it a priority to balance benefit and risks in our research. You can trace this back to when the Honeynet Project first defined "data control" as one of the requirements for honeynet/honeypot deployments. The purpose of data control was to minimize potential harm to others resulting from honeypots, which by their nature are vulnerable systems we expect to be compromised and used by malicious actors.
We do what we do because people with malicious and criminal intent are compromising and abusing millions of computers around the globe. These people do not act in ways that are moral, ethical, or legal. But in trying to counter them, we cannot allow ourselves to similarly disregard our moral, ethical, or legal obligations. If we do, we become no different than them.
We believe that pushing the boundaries in the computer security field and engaging in cutting edge research brings with it a responsibility to act in an ethical manner. Risks may emerge from botnet takedowns, and the Kelihos botnet takedown operation is no different. What are the benefits? What are the risks? How do they balance each other? Do our actions jeopardize legal investigations? These are all questions that need to be considered, and the outcome will determine how to proceed. In the situation of the Kelihos botnet, the determination was to proceed with the botnet takedown (see below for a detailed assessment). In other situations, the determination and plan of action may be different. In the case of Zeus, for instance, legal action may be necessary.
The Honeynet Project is committed to conducting research in a moral, ethical, and legal way. Weighing risks against benefits, an important aspect of conducting research in such a way, is what every researcher implicitly does. However, the risk of not considering all aspects of the research exists. As a result, the Honeynet Project, under the leadership of our Chief Ethics and Legal Officer Dave Dittrich, has developed a code of conduct that guides researchers through the process in a systematic manner.
Today, we are publishing a draft of this code of conduct. We hope you find the code of conduct useful and are looking forward to your thoughts and comments.
On Wednesday, March 21, 2012, an operation by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project was initiated to sinkhole infected computers in the Kelihos.B/Hlux.B botnet. The objective of this action was to remove from the attacker's control all computers currently infected with the Kelihos.B/Hlux.B malware by poisoning the peer lists and routing tables in the lower layers of command and control. This will prevent the botnet operator from doing any more harm with this set of infected computers.
Control of the botnet, with over 129,000 infected hosts, was successfully obtained. These bots are no longer under the control of the botherder and, as a result, are no longer involved in sending spam, the primary malicious activity of this botnet. The hosts resided primarily in Poland (24%) and were primarily running the old operating system Windows XP (84%). Two days after the operation, the gang that was operating the botnet abandoned its command-and-control infrastructure. We can say that the Kelihos.B/Hlux.B botnet was successfully disabled.
For more information, we refer to:
http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html
http://newsroom.kaspersky.eu/en/texts/detail/article/how-kaspersky-lab-and-crowdstrike-dismantled-the-second-hluxkelihos-botnet-success-story/
http://www.secureworks.com/research/threats/waledac_kelihos_botnet/
We have just been notified by Google that the Honeynet Project has, once again, been accepted as one of the mentoring organizations for Google Summer of Code 2012 (in total 180 organizations were selected). We are very excited and are looking forward to a great summer! A big thank you already to Google for their continued support!
While student applications are not officially open yet, interested students are encouraged to check out our ideas page and get in contact with us via gsoc@public.honeynet.org and/or IRC (#gsoc2012-honeynet on irc.freenode.net) before applications open, to meet the mentors and discuss project ideas. Student applications officially open on March 26th 2012 and close on April 6th 2012.
We are looking forward to hearing from you!
Frasier, who participated in our recent visualization forensic challenge, has released his visualization tool WoLF Viz at http://code.google.com/p/wolf-viz/. WoLF Viz works by parsing arbitrary text log files into a network (graph) of words, where the words are nodes and the edges are adjacent word pairs. The edge weight of each pair is the number of times the two words are seen next to each other.
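To make the word-graph idea concrete, here is an added example in Python that builds such a graph from a few constructed log lines. It is not WoLF Viz's own code; it assumes whitespace tokenization, directed edges (left word to right word) that do not cross line boundaries, and Graphviz DOT as the output format, all of which are this example's choices rather than anything the tool documents. The sample log lines are constructed for the example.

```python
from collections import Counter
import re

# Constructed sample log lines (hypothetical sshd-style output for this example).
SAMPLE_LOG = """\
sshd: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
sshd: Failed password for invalid user admin from 203.0.113.5 port 4431 ssh2
sshd: Failed password for root from 203.0.113.9 port 5110 ssh2
sshd: Accepted publickey for deploy from 198.51.100.7 port 6001 ssh2
"""

TOKEN_RE = re.compile(r"\S+")


def tokenize(line):
    """Split a log line into whitespace-separated words. Punctuation is kept
    attached so that tokens such as 'sshd:' remain distinct from 'sshd'."""
    return TOKEN_RE.findall(line)


def build_word_graph(text):
    """Build a directed word-adjacency graph from raw log text.

    Returns (nodes, edges): nodes maps each word to how often it was seen,
    edges maps (left_word, right_word) to how often the pair appeared next to
    each other on the same line. Pairs never span a line break, so the last
    word of one line is not joined to the first word of the next.
    """
    nodes = Counter()
    edges = Counter()
    for line in text.splitlines():
        words = tokenize(line)
        nodes.update(words)
        edges.update(zip(words, words[1:]))
    return nodes, edges


def heaviest_edges(edges, n=5):
    """The n most frequent adjacent pairs, heaviest first, ties broken by word."""
    return sorted(edges.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def _q(word):
    """Escape a token for use inside a double-quoted DOT identifier."""
    return word.replace("\\", "\\\\").replace('"', '\\"')


def to_dot(nodes, edges):
    """Render the graph as Graphviz DOT; edge thickness grows with the weight."""
    out = ["digraph wordgraph {"]
    for word, count in sorted(nodes.items()):
        out.append(f'  "{_q(word)}" [label="{_q(word)} ({count})"];')
    for (a, b), w in sorted(edges.items()):
        out.append(f'  "{_q(a)}" -> "{_q(b)}" [label="{w}", penwidth={1 + w}];')
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    nodes, edges = build_word_graph(SAMPLE_LOG)
    # The heaviest edges are the boilerplate shared by every line; the rare,
    # light edges (user names, source addresses, ports) are the variable part.
    for (a, b), w in heaviest_edges(edges):
        print(f"{w:3d}  {a} -> {b}")
    print(to_dot(nodes, edges))
```

Piping the DOT output through `dot -Tpng` draws the graph: the heavily weighted spine ("sshd:" to "Failed" to "password" to "for") stands out as the repeated message template, while the thin branches hanging off it are the values that differ between events, which is the kind of structure an analyst scans for when triaging an unfamiliar log.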
Early bird registration to our 2012 Honeynet Project Security Workshop ends today. The workshop will be held at the Facebook offices in the SF Bay Area. Secure your spot today for the workshop or one of the eleven hands-on training sessions we are offering. You can check out the agenda and training sessions at https://honeynet.org/SecurityWorkshops/2012_SF_Bay_Area. Hope to see you there!
Christian Seifert
CEO, The Honeynet Project

The Honeynet Project will hold its 2nd public security workshop at Facebook, Inc. in the San Francisco Bay Area. The workshop is going to be a two day event filled with technical presentations and hands-on tutorial training. On day 1 of the workshop, Honeynet Project members and Facebook will present on a wide range of information security topics: from honeypots and social networks to cybercrime and mobile malware. Day 2 will be a day of hands-on tutorial training. Our members will teach a total of 8 courses in forensics, honeypots, and visualization. For those who want to further hone their skills in a competitive setting, we will also host a capture-the-flag event on day 2.
Event details and registration information can be found at https://honeynet.org/SecurityWorkshops/2012_SF_Bay_Area. We hope to see you there!
The Honeynet Project is happy to announce the release of the Android Reverse Engineering (A.R.E.) Virtual Machine.
Do you need to analyze a piece of Android malware, but don't have all your analysis tools at hand? The Android Reverse Engineering (A.R.E.) Virtual Machine, put together by Anthony Desnos from our French chapter, is here to help. A.R.E. combines the latest Android malware analysis tools in a readily accessible toolbox.
Tools currently found on A.R.E. are:
In 2011, the Honeynet Project had once again the opportunity to participate in the Google Summer of Code program. In the last few weeks, we wrapped up all projects, beta tested the code, wrote documentation, and prepared releases.
To quickly recap: GSoC (Google Summer of Code) is an annual summer program sponsored by Google, in which Google pairs up students with organizations committed to open source. Google supports each project with 5000 USD, of which the students receive the lion's share. The Honeynet Project has participated in GSoC since 2009. Visit http://honeynet.org/gsoc2009 and http://honeynet.org/gsoc2010 to get an idea of what we have accomplished through this program in the last couple of years.
This year, we were able to spin up and execute 12 projects! While there are still a couple of projects that are preparing their release as part of the larger underlying project, we would like to point you to the following links that provide a summary and references to the projects that already resulted in releases:
These projects address a wide array of security problems. APKInspector and DroidBox greatly simplify mobile malware analysis; Webviz and HoneyViz explore the space of data visualization for the security analyst; HoneySink is the first open-source sinkhole solution available; the SIP module for dionaea extends the capability of this honeypot into the VoIP area; cHook and cHide make the malware analysis platform Cuckoobox more resilient against detection and evasion; AxMock is an ActiveX emulation/detection module which can be used, for example, to detect drive-by-download attacks with client honeypots such as Capture-HPC; the libemu extension made shellcode analysis and execution considerably faster; and the Wireshark plugins extend the Wireshark network monitoring tool with additional forensic and analysis capabilities, such as the integration of rules from the popular intrusion detection system Snort.
This is a really impressive list of projects!
The credit really goes to our awesome students who participated in GSoC this year. We want to thank them for participating in this program and choosing the Honeynet Project as their mentoring organization. They all did a great job and I am very impressed with their dedication and professionalism. I think the projects speak for themselves, and some of the students will continue to be involved with these projects and our community long term! The students this year were:
Also, we would like to thank the mentors and technical advisors who volunteered their time to support and mentor the students to be successful over the summer....
... and last but not least, we thank Google. The program greatly supports organizations like ours that are committed to open-source and trying to make a positive difference. We hope to be back next year :)
Christian Seifert
CEO, The Honeynet Project
Folks, Google has just announced the accepted projects on the GSoC website. We had an excellent line-up of students and proposals this year and were able to accept 12 projects! Thanks to all the students who applied this year, and congratulations to all who were accepted!
Christian