Folks, I am very pleased to announce the publication of our Know Your Tools paper: Glastopf - A dynamic, low-interaction web application honeypot, authored by Lukas Rist of the Chicago Honeynet Project Chapter and Sven Vetsch, Marcel Kossin, and Michael Mauer.
The paper is available from http://honeynet.org/papers/KYT_glastopf.
Currently, attacks against web applications make up more than 60% of the total number of attempted attacks on the Internet. Organizations cannot afford to allow their websites to be compromised, as this can result in serving malicious content to customers or leaking customers' data. Whether the particular web application is part of a company's website or a personal web page, there are certain characteristics common to all web applications: most people trust in the reliability of web applications, and they are often hosted on powerful servers with high-bandwidth connections to the Internet. Considering the large number of attacks and knowing the potential consequences of successful break-ins, we decided to put a bit more effort into the development of honeypots to better understand these attacks.
In this paper, we introduce Glastopf, a low-interaction web application honeypot capable of emulating thousands of vulnerabilities to gather data from attacks that target web applications. The principle behind it is very simple: reply to the attack with the response the attacker expects from a successful attempt to exploit the web application. We provide an overview of the attacks on web applications, describe examples collected with Glastopf, and discuss possible uses of the collected data.
Glastopf can be downloaded from http://glastopf.org/ and a mailing list for help/suggestions and advice is available at https://public.honeynet.org/mailman/listinfo/glastopf.
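The principle described above, a honeypot that matches each request against known exploit patterns, records the hit and answers with what a genuinely vulnerable application would have returned, as an added illustration that is not Glastopf's own code. The emulator names (`rfi`, `lfi`), the matchers, the canned responses and the sample requests (documentation address ranges) are all constructed for this example.

```python
"""Minimal low-interaction web honeypot core, in the spirit of Glastopf.

Added example, not Glastopf's own code. The emulator names, matchers and
canned responses below are constructed for illustration. The idea it shows:
match each request against known exploit patterns, record the hit, and
answer with what a genuinely vulnerable application would have returned.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

Params = List[Tuple[str, str]]
Matcher = Callable[[str, Params], Optional[str]]
Responder = Callable[[str], Tuple[int, str]]

DEFAULT_PAGE = "<html><body><h1>Welcome</h1></body></html>"

# Constructed stand-in for /etc/passwd; a real deployment would vary it.
FAKE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33:www-data:/var/www:/bin/sh\n"


def match_rfi(path: str, params: Params) -> Optional[str]:
    """Remote file inclusion probe: a parameter value that is itself a URL."""
    for _, value in params:
        if re.match(r"(https?|ftp)://", value, re.IGNORECASE):
            return value
    return None


def match_lfi(path: str, params: Params) -> Optional[str]:
    """Local file inclusion / traversal probe: '../' runs or an absolute /etc path."""
    for _, value in params:
        if "../" in value or value.startswith("/etc/"):
            return value
    return None


def respond_rfi(detail: str) -> Tuple[int, str]:
    # A vulnerable include would run the fetched script; we answer 200 with the
    # normal page so the probe looks successful, without fetching anything.
    return 200, DEFAULT_PAGE


def respond_lfi(detail: str) -> Tuple[int, str]:
    # Answer with passwd-shaped content, the usual proof the prober looks for.
    body = FAKE_PASSWD if detail.endswith("etc/passwd") else DEFAULT_PAGE
    return 200, body


# Emulators are tried in order; the first matcher that returns a detail wins.
EMULATORS: List[Tuple[str, Matcher, Responder]] = [
    ("rfi", match_rfi, respond_rfi),
    ("lfi", match_lfi, respond_lfi),
]


@dataclass
class Event:
    source_ip: str
    path: str
    emulator: str
    detail: str


@dataclass
class Honeypot:
    events: List[Event] = field(default_factory=list)

    def handle(self, source_ip: str, request_target: str) -> Tuple[int, str]:
        """Route one request to the first matching emulator and log the hit."""
        parts = urlsplit(request_target)
        params = parse_qsl(parts.query, keep_blank_values=True)
        for name, matcher, responder in EMULATORS:
            hit = matcher(parts.path, params)
            if hit is not None:
                self.events.append(Event(source_ip, parts.path, name, hit))
                return responder(hit)
        # Unmatched traffic is still recorded: it is the baseline for analysis.
        self.events.append(Event(source_ip, parts.path, "none", parts.query))
        return 200, DEFAULT_PAGE

    def summary(self) -> Dict[str, int]:
        """Number of logged requests per emulator, for later analysis."""
        counts: Dict[str, int] = {}
        for ev in self.events:
            counts[ev.emulator] = counts.get(ev.emulator, 0) + 1
        return counts


if __name__ == "__main__":
    hp = Honeypot()
    # Constructed sample requests, using documentation address ranges.
    for ip, target in [
        ("203.0.113.5", "/index.php?page=http://198.51.100.9/c.txt?"),
        ("203.0.113.5", "/index.php?page=../../../../etc/passwd"),
        ("203.0.113.6", "/"),
    ]:
        status, body = hp.handle(ip, target)
        print(ip, target, "->", hp.events[-1].emulator, status)
    print(hp.summary())
```

The value of the approach is in the event log rather than in the responses: each logged `detail` (the URL or path the prober supplied) is exactly the kind of data the paper discusses collecting, and new emulators are added by appending a matcher/responder pair without touching the routing.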
I am very pleased to announce another publication of our Know Your Tools series: Qebek - Conceal the Monitoring authored by Chengyu Song and Jianwei Zhuge from the Chinese Chapter and Brian Hay from the Alaskan Chapter.
The paper is available from http://honeynet.org/papers/KYT_qebek.
For the last few years, while low-interaction (LI) honeypot systems like Nepenthes and PHoneyC have become more and more powerful, the progress of high-interaction (HI) honeypot technology has been somewhat slower. This is especially true for Sebek, the de facto HI honeypot monitoring tool. In this KYT paper, we introduce Qebek, a QEMU-based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers' activities in HI honeypots.
Another challenge is ready to be tackled by forensic analysts, students, hackers and the like. This time, we present you with an attack vector that has become quite successful: malicious PDF files!
For challenge 6 of our series (provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Honeynet Project Chapter) we present you with a pcap file that contains network traffic generated by the following scenario: An unsuspecting user opens a compromised web page, which redirects the user's web browser to a URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user's machine.
We prepared a set of questions that require you to dive deep into the Portable Document Format. Submit your solution by November 30th 2010. The top three submissions will receive small prizes.
Chief Communications Officer
The Honeynet Project
Folks, Sebastien, Anton, Raffy and Julia have judged all submissions and results have been posted on the challenge web site. The winners are:
Congratulations to the winners.
Apparently challenge 5 was a true challenge. While we had many folks hit the challenge web site, we only received 7 submissions in total and quite a few participants missed more subtle attacks embedded in the deep corner of the logs. This illustrates how difficult log analysis is and a reason why we included it in the mix of challenges. The original challenge files remain on the web site and we have posted the top three submissions from Wiliam, Nikunj and David. Take a look and see whether you would have been able to identify all attacks in the logs.
With challenge 5 completed, we are getting ready to launch challenge 6 on November 1st. This challenge has been prepared by Mahmud and Ahmad from the Malaysian Chapter. It deals with 'Analyzing Malicious Portable Destructive File' and we hope to see you participating.
The deadline for the Forensic Challenge 2010/5 - Log Mysteries is quickly approaching. It seems like this challenge is a hard nut to crack as we only received a few submissions so far. If you like a challenge, give it a try. The deadline is September 30th 2010. You can access the challenge at http://honeynet.org/challenges/2010_5_log_mysteries. Did I mention there are prizes?
After a short break, I am pleased to announce the next forensic challenge: Forensic Challenge 5 - Log Mysteries. This challenge takes you into the world of virtual systems and confusing log data. Figure out what happened to a virtual server using all the logs from a possibly compromised server.
Challenge 5 has been created by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, and Sebastien Tricaud from the French Chapter. It is a bit more open ended than the last challenges, so I am really looking forward to some creative answers!
The submission deadline is September 30th and we will be announcing winners around October 21st. We have a few small prizes for the top three submissions.
The 4th Forensic Challenge on VoIP has come to an end. We had a total of 21 submissions, with several submissions from Chinese speakers, which was made possible by Julia, Jianwei and Roland from the Chinese-speaking chapters.
The winners of the 4th Forensic Challenge 2010 VoIP are:
We have posted their submissions onto the challenge web site so you can see what top notch submissions they provided. Franck, Fabio and Shaun will be awarded with small book prizes. Congratulations!
Thanks to all who participated in the challenge, and in particular to Ben Reardon from the Australian Chapter and Sjur Eivind Usken from the Norwegian Chapter, who made this challenge possible.
Folks, the submission deadline for our Forensic Challenge 4 - VoIP is quickly approaching. The deadline is this Wednesday and so you have another 4 days to submit your solution.
The challenge is quite different from our previous challenges. It was provided by Ben Reardon from the Australian Chapter and Sjur Eivind Usken from the Norwegian Chapter, and takes you into the realm of voice communication on the Internet. Thanks to our Chinese-speaking chapters, it is also available in simplified Chinese and traditional Chinese.
Challenge 4 of the Honeynet Project Forensic Challenge, titled "VoIP", is now live. This challenge, provided by Ben Reardon from the Australian Chapter and Sjur Eivind Usken from the Norwegian Chapter, takes you into the realm of voice communications on the Internet. VoIP with SIP is becoming the de facto standard. As this technology becomes more common, malicious parties have more opportunities and stronger motives to take control of these systems to conduct nefarious activities. This challenge is designed to examine and explore some of the attributes of the SIP and RTP protocols.
Note that our Chinese-speaking chapters (Julia Cheng from the Taiwanese Chapter, Jianwei Zhuge from the Chinese Chapter and Roland Cheung from the Hong Kong Chapter) have taken great initiative and translated the challenge into Chinese, which is available from the simplified Chinese and traditional Chinese pages (to be posted by EOD today).
With this challenge, we are getting onto a firm two-month cycle. You will have one month to submit (the deadline is June 30th 2010) and results will be released approximately three weeks later. Small prizes will be awarded to the top three submissions.
Enjoy the challenge!
Josh, Angelo, Matt and Nicolas finished evaluating the submissions for FC2010/3 banking troubles. Again, lots of great submissions! We had a total of 22 and the top performers for FC2010/3 are:
Congratulations to the winners and to all the folks that participated in the challenge; this was not an easy one. Each winner will receive a signed book from one of our Honeynet Project authors. We have posted the submissions of the winners and a sample solution on the FC2010/3 web page. All participants should also have received an email today with information about their individual score as well as their placement.