To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.

Blogs

Ethics in Computer Security Research: Kelihos.B/Hlux.B botnet takedown

Earlier, we posted about our operation on the Kelihos.B/Hlux.B botnet takedown that was conducted with by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project. On initial view, the operation seems very clear cut: the bad guys are running a botnet that is doing havoc on the Internet; on the other side, are the good guys that have found a way to disable the botnet.

The situation is much more nuanced. The Honeynet Project has been conducting security research for over a decade now and since our early days, we made it a priority to balance benefit and risks in our research. You can trace this back to when the Honeynet Project first defined "data control" as one of the requirements for honeynet/honeypot deployments. The purpose of data control was to minimize potential harm to others resulting from honeypots, which by their nature are vulnerable systems we expect to be compromised and used by malicious actors.

We do what we do because people with malicious and criminal intent are compromising and abusing millions of computers around the globe. These people do not act in ways that are moral, ethical, or legal. But in trying to counter them, we cannot allow ourselves to similarly disregard our moral, ethical, or legal obligations. If we do, we become no different than them.

We believe that pushing the boundaries in the computer security field and engaging in cutting edge research brings with it a responsibility to act in an ethical manner. Risks may emerge from botnet takedowns and the Kelihos botnet takedown operation is no different. What are the benefits? What are the risks? How do they balance each other? Do our actions jeopardize legal investigations? These are all questions that need to be considered and the outcome will determine how to proceed. In the situation of the Kelihos botnet, the determination was to proceed with the botnet takedown (see below for a detailed assessment.) In other situations, the determination and plan of action may be different. In the instance of Zeus, for instance, legal action may be necessary.

The Honeynet Project is committed to conducting research in a model, ethical, and legal way. Weighing risk/benefits – an important aspect to conduct research in such a way - is what every researcher implicitly does. However, the risk of not considering all aspects of the research exists. As a result, the Honeynet Project, under the leadership of our Chief Ethics and Legal Officer Dave Dittrich, has developed a code of conduct that guides researchers through the process in a systematic manner.

Today, we are publishing a draft of this code of conduct. We hope you find the code of conduct useful and are looking forward to your thoughts and comments.

Kelihos.B/Hlux.B botnet takedown

On Wednesday, March 21, 2012, an operation by security experts from Dell SecureWorks, CrowdStrike, Kaspersky, and the Honeynet Project was initiated to sinkhole infected computers in the Kelihos.B/Hlux.B botnet. The objective of this action was to remove from the attacker's control all computers currently infected with the Kelihos.B/Hlux.B malware by poisoning the peer lists and routing tables in the lower layers of command and control. This will prevent the botnet operator from doing any more harm with this set of infected computers.

Control of the botnet with over 129,000 infected hosts was successfully obtained. These bots are no longer in control of the botherder, and, as a result, are no longer involved in sending spam, the primary malicious activity of this botnet. The hosts resided primarily in Poland (24%) and were primarily running the old operating system Windows XP (84%). The command-and-control infrastructure has been abandoned by the gang that was operating the botnet two days after the operation. We can say that the Kelihos.B/Hlux.B botnet was successfully disabled.

For more information, we refer to:
http://blog.crowdstrike.com/2012/03/p2p-botnet-kelihosb-with-100000-nodes.html
http://newsroom.kaspersky.eu/en/texts/detail/article/how-kaspersky-lab-and-crowdstrike-dismantled-the-second-hluxkelihos-botnet-success-story/
http://www.secureworks.com/research/threats/waledac_kelihos_botnet/

Rapid7 Sponsors Androguard and Cuckoo Sandbox in the First Round of the Magnificent7 Program

We are proud and happy to announce that Cuckoo Sandbox and AndroGuard were choosen by Rapid7 for his Magnificent7 Program, an initiative created to fuel the success of seven bleeding edge open source projects and backed by a fund of $100,000.

Cuckoo Sandbox and AndroGuard are respectively developped by Claudio Guarnieri and Anthony Desnos and mentored during previous GSoC.

Congratulations to Claudio and Anthony !

Thoughts on the Microsoft's "Operation b71" (Zeus botnet civil legal action)

On Sunday, March 25, Microsoft announced that for the fourth time, they had gone to a federal court and successfully obtained an ex parte temporary restraining order (TRO) to seize domain names from botnet operators. For the second time, the court has also ordered U.S. Marshals to accompany Microsoft and others to serve search warrants and seize evidence that can be used in future civil or criminal actions.

Forensic Challenge 11 - "Dive Into Exploit"

I am pleased to announce a new forensic challenge: Forensic Challenge 11 - "Dive Into Exploit"

The challenge has been created by Georg Wicherski from Giraffe Chapter.

Submission deadline is May 31th and we will be announcing winners (if any) around the last week of June 2012.

Have fun!

Angelo Dell'Aera
The Honeynet Project

Low-interaction honeyclient Thug released!

I'm glad to announce I finally publicly released a brand new low-interaction honeyclient I'm working on from a few months now. The project name is Thug and it was publicly presented a few hours ago during the Honeynet Project Security Workshop in Facebook HQ in Menlo Park. Please take a look at the (attached) presentation for details about Thug.

Just a few highlights about Thug:

  • DOM (almost) compliant with W3C DOM Core and HTML specifications (Level 1, 2 and partially 3) and partially compliant with W3C DOM Events and Style specifications

Google Soc 2012 - Honeynet Project Accepted

We have just been notified by Google that the Honeynet Project has - once again - been accepted as one of the mentoring organization for Google Summer of Code 2012 (in total 180 organizations were selected). We are very excited and are looking forward to a great summer! Already a big thank you to Google for their continued support!

While student applications are not officially open yet, interested students are encouraged to check out our ideas page and get in contact with us via gsoc@public.honeynet.org and/or IRC (#gsoc2012-honeynet on irc.freenode.net) in the next few ideas to meet the mentors and discuss project ideas. Student applications officially open on March 26th 2012 and close on April 6th 2012.

We are looking forward to hearing from you!

Release of WoLF Viz

Frasier, who participated in our recent visualization forensic challenge has released his visualization tool WoLF Viz at http://code.google.com/p/wolf-viz/. WoLF Viz works by parsing arbitrary text log files into a network (graph) of words, where the words are nodes and the edges are adjacent word pairs. The edge weights are based on how often the two words are seen next to each other.

Last chance for early bird registration

Early bird registration to our 2012 Honeynet Project Security Workshop ends today. The workshop will be held at the Facebook offices in the SF Bay Area. Secure your spot today for the workshop or one of the eleven hands-on training sessions we are offering. You can check out the agenda and training sessions at https://honeynet.org/SecurityWorkshops/2012_SF_Bay_Area. Hope to see you there!
Christian Seifert
CEO, The Honeynet Project

Forensic Challenge 10 - "Attack Visualization" - And the winners are...

Folks,
Ben Reardon has judged all submissions and results have been posted on the challenge page. The winners are:

1. Fabian Fischer
2. Chris Horsley
3. Fraser Scott
4. Dan Gleebits
5. Johnathan Tracz

Take a look at Ben's blog post for additional details. Congratulations to the winners and thanks to the other participants!

Angelo Dell'Aera
The Honeynet Project

Syndicate content