To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.


Forensic Challenge 9 – “Mobile Malware” - And the winners are...

Frank, Mahmud, Azizan and Matt have judged all submissions and results have been posted on the challenge web site. The winners are:

1. Emilien Girault
2. Yuhao Luo, Wenbo Yang and Juanru Li
3. José Lopes Esteves

Congratulations to the winners and thanks to the other participants.

Stay tuned because a new challenge is going to start in the next hours!

Angelo Dell'Aera
The Honeynet Project

Google Summer of Code 2011- Wrap up

In 2011, the Honeynet Project had once again the opportunity to participate in the Google Summer of Code program. In the last few weeks, we wrapped up all projects, beta tested the code, wrote documentation, and prepared releases.

To quickly recap: GSoC (Google Summer of Code) is an annual summer program sponsored by Google, in which Google pairs up students with organizations committed to open source. Google supports each project with 5000 USD, of which the students receive the lion's share. The Honeynet Project has participated in GSoC since 2009. Visit and to get an idea of what we have accomplished through this program in the last couple of years.

This year, we were able to spin up and execute 12 projects! While there are still a couple of projects that are preparing their release as part of the larger underlying project, we would like to point you to the following links that provide a summary and references to the projects that already resulted in releases:

These projects address a wide array of security problems. APKInspector and DroidBox greatly simplify mobile malware analysis; WebViz and HoneyViz explore the visualization of data for the security analyst; HoneySink is the first open-source sinkhole solution available; the SIP module for dionaea extends the capability of this honeypot into the VoIP area; cHook & cHide make the malware analysis platform Cuckoobox more resilient against detection and evasion; AxMock is an ActiveX emulation/detection module which can be used, for example, to detect drive-by-download attacks with client honeypots such as Capture-HPC; the libemu extension makes shellcode analysis and execution much faster; and the Wireshark plugins extend the Wireshark network monitoring tool with additional forensic and analysis capabilities, such as the integration of rules from the popular intrusion detection system Snort.

This is a really impressive list of projects!

The credit really goes to our awesome students who participated in GSoC this year. We want to thank them for participating in this program and choosing the Honeynet Project as their mentoring organization. They all did a great job and I am very impressed with their dedication and professionalism. I think the projects speak for themselves, and some of the students will continue to be involved with these projects and our community long term! The students this year were:

  • Youzhi Bao (AxMock)
  • György Kohut (Honeeebox)
  • Lucas McDaniel (HoneyViz)
  • Oguz Yarimtepe (WebViz)
  • Patrik Lantz (DroidBox)
  • Cong Zheng (APKInspector)
  • Adam (Sinkhole)
  • Jakub Zawadzki (Wireshark Plugins)
  • Dario Fernandes (Cuckoobox)
  • Brandon Marken (HyperVisor)
  • PhiBo (VoIP module for dionaea)
  • Florian Schmitt (libemu qemu extension)

Also, we would like to thank the mentors and technical advisors who volunteered their time to support and mentor the students and help them succeed over the summer...

  • Ian Welch from the New Zealand Chapter (AxMock)
  • David Watson from the UK Chapter (Honeeebox)
  • Kara Nance from the Alaska Chapter (HoneyViz)
  • Ben Reardon from the Australian Chapter (WebViz)
  • Anthony Desnos from the French Chapter (DroidBox)
  • Ryan Smith from the RoT-1 Chapter (APKInspector)
  • Shaun Vlassis from the Australian Chapter (Sinkhole)
  • Guillaume Arcas from the French Chapter (Wireshark Plugins)
  • Claudio Guarnieri from the Global Chapter (Cuckoobox)
  • Brian Hay from the Alaska Chapter (HyperVisor)
  • Sjur Usken from the Norwegian Chapter (VoIP module for dionaea)
  • Markus Koetter, HP alumni (dionaea)
  • Felix Leder from the Giraffe Chapter (libemu qemu extension)

... and last but not least, we thank Google. The program greatly supports organizations like ours that are committed to open-source and trying to make a positive difference. We hope to be back next year :)

Christian Seifert
CEO, The Honeynet Project

Forensic Challenge 9 - "Mobile Malware" - Submission deadline passed

The submission deadline for Forensic Challenge 9 – “Mobile Malware” - put up by Franck Guenichot from the French Chapter, Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Chapter and Matt Erasmus from the South Africa Chapter - has passed. We have received 7 submissions and will be announcing the results on Wed, Oct 31st 2011. The top three submissions will be awarded small prizes.

Angelo Dell'Aera
The Honeynet Project

SIP Module for Dionaea

The Honeynet Project mentored 12 projects this year for the Google Summer of Code (GSoC). The 11th project was to extend the SIP module for Dionaea to handle SIP over UDP, TCP and even TLS. With the TLS part, Dionaea can even emulate a Microsoft Lync server. The TLS part was not part of the original scope, but the hard work made that possible as

[Dionaea's] intention is to trap malware exploiting vulnerabilities exposed by services offered to a network; the ultimate goal is gaining a copy of the malware. With the SIP

HoneySink: Beta Release

The Beta version of HoneySink is out!

What is HoneySink?

HoneySink is an open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.

Able to be deployed both internally and externally it is designed to log and respond to incoming requests for a number of network protocols.

With configuration and scalability in mind, HoneySink was designed from the ground up with a non-blocking architecture to handle extremely large amounts of traffic while being able to perform customised interactions and logging.

cuckooHide - Hiding CuckooBox from trivial detection mechanisms

The last part of Google Summer of Code 2011 was used to implement a Windows kernel driver responsible for hiding files and folders. This new component will be used to conceal the CuckooBox components present in the analysis environment. With this measure it is possible to prevent malware from detecting CuckooBox through environment checks that look for specific files or folders.

The driver was implemented as a filter driver to keep it independent of the Windows version used in the environment, not using any kind

DroidBox: beta release

The beta version is out and the install instructions are available on the project web page. The new features are:

  • Prevent some emulator evasion techniques
  • Added visualization of analysis results
  • Automated app installation and execution
  • Displaying analysis information about the APK
  • Static pre-check extracts the app's registered Intents

The following figures show the new visualization added to the beta version.

Figures: DroidBox treemap; DroidBox behavior graph.

Forensic Challenge 9 - "Mobile Malware" - Deadline Extended

Taking a look at the small number of submissions we received it seems like August is a perfect month for the seaside but not for a Forensic Challenge. For this reason we decided to extend the submission deadline to September 30th. The submissions received before the old deadline (September 4th) will be granted a few extra bonus points.

Have fun!

Angelo Dell'Aera
The Honeynet Project

Forensic Challenge 8 – “Malware Reverse Engineering” - And the winners are...

Guido and I have judged all submissions and results have been posted on the challenge web site. The winners are:

1. Lutz Schildt
2. Sebastian Eschweiler
3. Luka Milković

This was one of the most difficult challenges we have ever proposed, so congratulations to the winners and thanks to the other participants!

Angelo Dell'Aera
The Honeynet Project

Beta release of libemu qemu extension

As part of this year’s Summer of Code, I programmed an extension for the shellcode detection and analysis library libemu. The main goal of the project was to increase the performance when executing shellcode, with the help of a virtualizer. Prior to this extension, libemu made use of a custom emulator, which supported only instructions mostly used in shellcode. With this extension, libemu utilizes a full-blown, completely functioning virtualizer, which executes code presumably the same way a real CPU does.
