Folks, Sebastien, Anton, Raffy and Julia have judged all submissions, and the results have been posted on the challenge web site. The winners are:
Congratulations to the winners.
Apparently challenge 5 was a true challenge. While many people hit the challenge web site, we received only 7 submissions in total, and quite a few participants missed the more subtle attacks buried in the deep corners of the logs. This illustrates how difficult log analysis is, and it is one reason we included it in the mix of challenges. The original challenge files remain on the web site, and we have posted the top three submissions, from Wiliam, Nikunj and David. Take a look and see whether you would have been able to identify all the attacks in the logs.
With challenge 5 completed, we are getting ready to launch challenge 6 on November 1st. This challenge has been prepared by Mahmud and Ahmad from the Malaysian Chapter. It deals with 'Analyzing Malicious Portable Destructive File' and we hope to see you participating.
Chief Communications Officer
The Honeynet Project
Before we get worse than Duke Nukem Forever, we decided to finally release the next generation of the web application honeypot Glastopf, aka GlastopfNG!
The first to write about this new threat was Marco Giuliani. So, Murofet or Zeus++?
Taking a look at a couple of samples, we were able to identify:
- the same API hooks
- the same encryption routine for the configuration file (RC4)
- pretty much the same configuration file format
I'm interested in infostealers, and specifically in banking trojans, so I didn't want to miss this one. Samples of Carberp have been floating around since at least last spring, but in late September we saw their numbers increase.
Looking at how Carberp hooks APIs, it looks like yet another Zeus "clone". What I found interesting is how it hooks system calls. This is how a normal syscall looks:
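Since a hook on a system call has to change the bytes of the user-mode stub, the quickest check an analyst can run is to compare each Nt* export's prologue against the canonical layout and flag any deviation. The following is an added example (not code from the Carberp write-up or from the Honeynet Project) that does exactly that over constructed byte strings modelled on the 32-bit Windows XP/2003 stub (`mov eax, index; mov edx, 7FFE0300h; call [edx]; ret n`). The syscall index 0x91, the `ret 2Ch`, and the two hooked variants are assumptions built for illustration; in practice the input would come from a memory dump or a live read of ntdll.

```python
import struct

# Address of SharedUserData!SystemCallStub on 32-bit Windows XP/2003. Clean ntdll
# stubs load it into edx and call through it; anything else in that slot is suspect.
SHARED_USER_DATA_SYSCALL = 0x7FFE0300


def make_stub(syscall_index: int, stack_bytes: int) -> bytes:
    """Build a clean XP-style stub (constructed here, not copied from a real ntdll)."""
    return (b"\xB8" + struct.pack("<I", syscall_index)              # mov eax, index
            + b"\xBA" + struct.pack("<I", SHARED_USER_DATA_SYSCALL)  # mov edx, 7FFE0300h
            + b"\xFF\x12"                                            # call dword ptr [edx]
            + b"\xC2" + struct.pack("<H", stack_bytes))              # ret n


def check_syscall_stub(code: bytes) -> dict:
    """Classify the first bytes of an Nt* export as clean, hooked, unknown or truncated."""
    if len(code) < 13:
        return {"status": "truncated"}
    b0 = code[0]
    if b0 in (0xE9, 0xE8):  # jmp/call rel32 planted over the entry point (inline hook)
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"status": "hooked", "reason": "jmp/call rel32 at entry", "rel32": rel}
    if b0 == 0x68 and code[5] == 0xC3:  # push imm32 / ret trampoline
        target = struct.unpack_from("<I", code, 1)[0]
        return {"status": "hooked", "reason": "push/ret trampoline", "target": target}
    if b0 != 0xB8:
        return {"status": "unknown", "reason": "unexpected first opcode 0x%02X" % b0}
    index = struct.unpack_from("<I", code, 1)[0]
    if code[5] != 0xBA:
        return {"status": "hooked", "reason": "mov edx overwritten", "syscall_index": index}
    edx = struct.unpack_from("<I", code, 6)[0]
    if edx != SHARED_USER_DATA_SYSCALL:
        # The stub still looks like a syscall but dispatches through an attacker pointer.
        return {"status": "hooked", "reason": "edx redirected to 0x%08X" % edx,
                "syscall_index": index}
    if code[10:12] != b"\xFF\x12":
        return {"status": "hooked", "reason": "call [edx] patched", "syscall_index": index}
    if code[12] == 0xC3:
        stack_bytes = 0
    elif code[12] == 0xC2 and len(code) >= 15:
        stack_bytes = struct.unpack_from("<H", code, 13)[0]
    else:
        return {"status": "unknown", "reason": "unexpected epilogue", "syscall_index": index}
    return {"status": "clean", "syscall_index": index, "stack_bytes": stack_bytes}


# Constructed samples (assumption: index 0x91 / ret 2Ch chosen for illustration only).
CLEAN = make_stub(0x91, 0x2C)
INLINE_JMP = b"\xE9" + struct.pack("<i", 0x1000) + CLEAN[5:]          # first 5 bytes replaced
REDIRECTED_EDX = CLEAN[:6] + struct.pack("<I", 0x00401000) + CLEAN[10:]  # edx points elsewhere
SAMPLES = {"clean": CLEAN, "inline_jmp": INLINE_JMP, "redirected_edx": REDIRECTED_EDX}


def scan(samples: dict) -> dict:
    """Map each sample name to its verdict, as a scanner over a whole export table would."""
    return {name: check_syscall_stub(code)["status"] for name, code in samples.items()}


if __name__ == "__main__":
    for name, code in SAMPLES.items():
        print(name, check_syscall_stub(code))
```

The check is deliberately strict about the `mov edx, 7FFE0300h` operand: a hook that keeps the `mov eax`/`call [edx]` shape but swaps the pointer is the kind of subtle patch a signature that only looks for a leading `jmp` would miss. On Windows 2000 or on 64-bit systems the stub layout differs, so the byte pattern would need to be adjusted per OS version.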
The deadline for the Forensic Challenge 2010/5 - Log Mysteries is quickly approaching. It seems this challenge is a hard nut to crack, as we have received only a few submissions so far. If you like a challenge, give it a try. The deadline is September 30th 2010. You can access the challenge at http://honeynet.org/challenges/2010_5_log_mysteries. Did I mention there are prizes?
After a short break, I am pleased to announce the next forensic challenge: Forensic Challenge 5 - Log Mysteries. This challenge takes you into the world of virtual systems and confusing log data. Figure out what happened to a virtual server using all the logs from a possibly compromised server.
Challenge 5 has been created by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, and Sebastien Tricaud from the French Chapter. It is a bit more open ended than the last challenges, so I am really looking forward to some creative answers!
The submission deadline is September 30th, and we will be announcing the winners around October 21st. We have a few small prizes for the top three submissions.
I'll tell you the truth: Export Address Table Filtering, the feature of the upcoming EMET release that is "designed to break nearly all shell code in use today", intrigued me a bit.
A new improvement to the PHoneyC DOM emulation code was committed in SVN r1624. The idea is to emulate DOM behaviour more faithfully depending on the selected browser personality. Let's take a look at the code, starting from the personalities definition in config.py.
The Discoverer module (see zhongjie's blog entry) has been completed.
It consists of two programs: Format Discovery and Pre-Replay processing.
Format Discovery is pretty much what I blogged about in my earlier post.
Since that entry, I've completed the to-do tasks:
1) added a function to summarise all output of the program;
2) fixed a memory leak in the program;
3) match each replay packet to its discovered format, and if a length-delimited segment changes (e.g. because the shellcode changes), update the corresponding length field;
4) starting from the replay IP, find the IP tokens in the packet and rewrite them.
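Steps 3 and 4 above are the pre-replay rewrite: parse a captured packet against its discovered format, swap in a new payload, recompute any length field that covers it, and rewrite IP tokens for the replay target. The block below is an added example (not the Discoverer module's own code) that carries that procedure through on a constructed toy format; the field kinds (`const`, `len_of`, `ip4`, `var`), the one-byte magic, the 16-bit big-endian length and the sample "shellcode" are all assumptions chosen for illustration. A real run would take the format from Format Discovery's output rather than the hand-written list used here.

```python
import ipaddress
import re
import struct

# Dotted-quad IPv4 token inside a byte string (ASCII word boundaries).
IPV4_TOKEN = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed toy format, standing in for Format Discovery output (assumption):
#   magic (1 byte) | length of payload (16-bit BE) | source IP (4 bytes) | payload
FORMAT = [
    ("magic",   "const",  b"\x01"),
    ("length",  "len_of", ("payload", ">H")),
    ("src_ip",  "ip4",    None),
    ("payload", "var",    None),
]


def parse(fmt, packet: bytes) -> dict:
    """Walk the format over the packet; raise ValueError when the packet does not fit."""
    fields, lengths, off = {}, {}, 0
    for name, kind, arg in fmt:
        if kind == "const":
            if packet[off:off + len(arg)] != arg:
                raise ValueError(f"{name}: constant mismatch at offset {off}")
            fields[name] = arg
            off += len(arg)
        elif kind == "len_of":
            target, spec = arg
            (value,) = struct.unpack_from(spec, packet, off)
            fields[name] = value
            lengths[target] = value           # remembered for the segment it describes
            off += struct.calcsize(spec)
        elif kind == "ip4":
            fields[name] = ipaddress.IPv4Address(packet[off:off + 4])
            off += 4
        elif kind == "var":
            size = lengths.get(name, len(packet) - off)
            if off + size > len(packet):
                raise ValueError(f"{name}: length field {size} exceeds packet")
            fields[name] = packet[off:off + size]
            off += size
    if off != len(packet):
        raise ValueError(f"{len(packet) - off} trailing bytes not covered by format")
    return fields


def build(fmt, fields: dict) -> bytes:
    """Serialise fields; every len_of field is recomputed from its target, never copied."""
    out = bytearray()
    for name, kind, arg in fmt:
        if kind == "const":
            out += arg
        elif kind == "len_of":
            target, spec = arg
            out += struct.pack(spec, len(fields[target]))
        elif kind == "ip4":
            out += ipaddress.IPv4Address(fields[name]).packed
        elif kind == "var":
            out += fields[name]
    return bytes(out)


def prepare_replay(fmt, captured: bytes, replacements=None, ip_map=None) -> bytes:
    """Step 3 and 4: replace segments, fix lengths, rewrite binary and ASCII IP tokens."""
    fields = parse(fmt, captured)
    fields.update(replacements or {})
    ip_map = ip_map or {}
    for name, kind, _ in fmt:
        if kind == "ip4":
            fields[name] = ip_map.get(str(fields[name]), str(fields[name]))
        elif kind == "var":
            fields[name] = IPV4_TOKEN.sub(
                lambda m: ip_map.get(m.group(0).decode(), m.group(0).decode()).encode(),
                fields[name])
    return build(fmt, fields)


def is_consistent(fmt, packet: bytes) -> bool:
    """True when the packet parses cleanly against the format (lengths, constants, size)."""
    try:
        parse(fmt, packet)
        return True
    except (ValueError, struct.error):
        return False


# Constructed capture: 18-byte stand-in for shellcode that also embeds the attacker IP.
CAPTURED = build(FORMAT, {"magic": b"\x01", "src_ip": "10.0.0.5",
                          "payload": b"\x90" * 8 + b"\xcc" + b" 10.0.0.5"})
NEW_SHELLCODE = b"\x90\x90\xcc\xcc 10.0.0.5"   # shorter payload, so the length field must change


def demo() -> bytes:
    return prepare_replay(FORMAT, CAPTURED, {"payload": NEW_SHELLCODE},
                          {"10.0.0.5": "192.168.1.20"})


if __name__ == "__main__":
    print(demo().hex())
```

The point of routing every rewrite through `parse` and `build` is that the length field can never be edited by hand: it is derived from the segment it describes at serialisation time, which is exactly the invariant step 3 needs. `is_consistent` is the check to run before replaying, since a packet whose length field outruns its body (a truncated capture, or a replaced segment with a stale length) would be rejected or misparsed by the target rather than reach the code path being tested.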