- About us
- Code of Conduct
- Google SoC
- Recent posts
- Security Workshops
The Beta version of HoneySink is out!
What is HoneySink?
HoneySink is an open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.
Able to be deployed both internally and externally it is designed to log and respond to incoming requests for a number of network protocols.
With configuration and scalability in mind, HoneySink was designed from the ground up with a non-blocking architecture to handle extremely large amounts of traffic while being able to perform customised interactions and logging.
The last part of Google Summer of Code 2011 was used to implement
a Windows Kernel Driver responsible for hiding files and folders.
This new component will be used to conceal Cuckoo Box components,
present in the environment analysis. With this measure it's possible to
avoid that some malware detect CuckooBox through some environment check,
looking for specific files or folders.
The Driver was implemented as a Filter Driver to maintain it independent
of the Windows version used in the environment, not using any kind
Beta version is out and the install instructions are available at the project webpage. The new features are:
The following figures show the new visualization added to the beta version.
Taking a look at the small number of submissions we received it seems like August is a perfect month for the seaside but not for a Forensic Challenge. For this reason we decided to extend the submission deadline to September 30th. The submissions received before the old deadline (September 4th) will be granted a few extra bonus points.
The Honeynet Project
Guido and I have judged all submissions and results have been posted on the challenge web site. The winners are:
1. Lutz Schildt
2. Sebastian Eschweiler
3. Luka Milković
This was one of the most difficult challenges we ever proposed so really congratulations to the winners and thanks to the other partecipants!
The Honeynet Project
As part of this year’s Summer of Code, I programmed an extension for the shellcode detection and analysis library libemu. The main goal of the project was to increase the performance when executing shellcode, with the help of a virtualizer. Prior to this extension, libemu made use of a custom emulator, which supported only instructions mostly used in shellcode. With this extension, libemu utilizes a full-blown, completely functioning virtualizer, which executes code presumably the same way a real CPU does.
We've set up a demonstration site for HoneyViz (Project #3) at
As the deadline of GSOC has passed, I would like to announce the APKinspector Beta1.0. APKinspector is a tool to help Android application analysts and reverse engineers to analyze the compiled Android packages and their corresponding codes. You can review the Alpha version report and the page of this project to know more about it.
Chinese viewers may view the demo at: http://v.youku.com/v_show/id_XMjk3ODAwMzU2.html
Based on the Alpha release, APKinspector has added some features as follows:
We build up a project in google code, you can browse AxMock by the link
AxMock is a detection tool for malicious webpage attacking ActiveX controls. It runs in Internet Explorer 7 and the formal version.
It is tested in Visual Studio 2008 and Python 2.6 with pywin32 package, though I believe that you can also compile it in later version.
For more using information, please check out Wiki in my project google code page.
While the "pencil down" date is approaching, i would like to announce the latest situation at Webviz project. From the last time till time, there have been some changes at the visualization:
* The size of the visualization increased
* A better map is located as base map
* Mesh working principle is changed from country based to IP based. The returning database results are grouped by IP.
* Legends are detailed
* For a better distributed results, an IP set that is collected for a long period is also added to the database.
The latest result is as below: