Australian Chapter

2008 Status Report

ORGANIZATION
===========================
1. Changes in the structure of your organization.
We had the addition of Ben R as another full time chapter member.
2. List current chapter members and their activities
Shaun - Chapter Lead
spam processing system, fast flux tracking system,
client honeypotting, malware processing system
Ben - Full time member
XSS Alerting System
Defacement Alerting System

DEPLOYMENTS
===========================
1. List current technologies deployed.
distributed nepenthes sensor network
xss tracking system
defacement tracking system
fast flux tracking system
malware submission and processing system
2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
From our distributed nepenthes network we have seen that the majority of attacks for 2008 originated from Japan. Japanese sources make up nearly 2/3 of all sources for network-based attacks targeting Australian IP address space.

RESEARCH AND DEVELOPMENT
===========================
1. List any new tools, projects or ideas you are currently researching or developing.
fast flux tracking system
edonkey malware scraping system -- fabled and when time permits
client honeypotting setup
hacked site identification
2. List tools you enhanced during the last year
spam processing system
fast flux tracker -> changed backend code
automatic identification of new fast-flux networks from processing spam feeds
3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
n/a
4. Explain what kind of help or tools or collaboration you are interested in.
Would very much like to spend more time developing scraping software for popular p2p networks to look for infected files there.

FINDINGS
===========================
1. Highlight any unique findings, attacks, tools, or methods.
Majority of network borne attacks originate from Japan.
2. Any trends seen in the past year?

3. What are you using for data analysis?
publicly available sandboxing technologies such as cws/threatexpert/anubis etc.
vtotal for identification/distribution
4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
spam processing and fast-flux identification working great
distributed nepenthes submission system works really well. Almost 0% maintenance is needed on the server side due to how it has been set up.

PAPERS AND PRESENTATIONS
===========================
1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible)
Currently working on a presentation outlining the malicious events observed for the year of 2008. To be presented at the 2009 Auscert Conference
2. Are you looking for any data or people to help with your papers?
yes
3. Where did you present honeypot-related material? ( selected publications )

GOALS
===========================
1. Which of your goals did you meet for the past year?
bring the nepenthes component of the AU sensornet online
get supporters to run malware collection points for the nepenthes sensornet
create spam processing system
improve the fast flux tracking system
create an automated malware distribution system that takes in malware collected from numerous sources and forwards it on to the necessary parties such as sandbox vendors, AV companies etc.
2. Goals for the next year.
expand infrastructure and bring in more data sources to help identify more malicious events in AU
continue to create new automated systems

MISC ACTIVITIES
===========================
Members have attended the following conferences this year
Auscert Conference
Defcon
BlackHat
