To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.


The Honeynet Project Releases New Tool: PhoneyC

Here is another new release from the Project: a release of a new tool called PhoneyC, a virtual client honeypot.
PhoneyC is a virtual client honeypot, meaning it is not a real application (that can be compromised by attackers and then monitored for analysis of attacker behavior), but rather an emulated client, implemented in Python. The main thing it does is scour web pages looking for those that attack the browser. Read more »

Improve the security of unlocking your smartphone

There is a paper at WOOT 10' described how to use smudges on the touch sceen of a smartphone to get largely decrease the time an attacker need to guess the right password to unlock the screen. For example, by for 4 passcode based iPhone, one just need to try at most P(4,4) = 4! = 24 times before he get the right one. Read more »

First-ever Honeynet Project Public Conference–Paris 2011

It is with great pleasure I announce the first-ever Honeynet Project Public Conference, held alongside with the traditional Honeynet Project Annual Workshop. The event will be held on March 21, 2011 in Paris. For those who just want to register now, go here.

21 March 2011 (Monday)

8:30AM ~ 18:00PM (GMT+1) Read more »

Forensic Challenge 2010/5 - Log Mysteries - What Apache version was used?

Carl Pulley, a loyal follower of our Forensic Challenges, has written up an analysis on how could one determine the Apache version that generated the logs. His analysis can be found at and Check it out!

New version of honeypot monitoring tool Qebek available

Folks, Chengyu Song has been busy the last few weeks and made some upgrades to the honeypot monitoring tool Qebek. He has ported it from QEMU 0.9.1 to QEMU 0.13.0. As a result, Qebek's performance (boot time) is better and it no longer requires gcc 3.4. You can check it out

svn co

If you don't know what Qebek is or how to use it, take a look at our whitepaper at

Forensic Challenge 2010/6 - Analyzing Malicious Portable Destructive Files - The winners are ...

Folks, holiday greetings from forensic challenge headquarter in Seattle. Mahmud and Ahmad from the Malaysian Chapter have judged all submissions and results have been posted on the challenge web site. The winners are:

1. Vos from Russia with perfect score!
2. Codrut from Romania
3. Mike from Canada


We received a total of 21 submissions and they were very competitive. The top three submissions came within a point of a perfect score and Vos from Russia actually received a perfect score. We have posted the top three submissions from Vos, Cordut and Mike on the challenge web site . As I said, these submissions are top notch and I encourage you to read through them.

With the forensic challenge 2010 coming to an end, we will be taking a little break for the holidays, but will be back in full force in early 2011.

Happy Holidays.

Christian Seifert
Chief Communications Officer
The Honeynet Project Read more »

TaiWan Malware Analysis Net

Basically, The TWMAN is an automated behavioral malware analysis environment to analyze the malware targeted at Microsoft Windows, and it can develop a free and open source software, and the environment is built around Joe Stewart's TRUMAN sandnet. Although, there are many services of analysis malware behavioral, such as the Norman Sandbox, CWSandbox, Threat Expert, etc. For privacy and policy reasons, it must be treated as if they contain personally identifiable information. Read more »

Another possible way to intercept function calls in QEMU

I'm developing a syscall interception tool for Android as a course's project. While it is relatively simple to intercept calling into the system services (introduced at the end), it is harder to get the syscall return. The reason is, the latest Android emulator is build upon QEMU 0.10.50, meaning it's TCG based. So we cannot use the same way Qebek or TEMU uses to intercept the syscall return. Therefore I looked into the new code to find if I could find a way to solve this problem.

Generally, in my understanding, in the old QEMU, the code translation is done as: Read more »

Announcing the publication of Know Your Tools: Glastopf - A dynamic, low-interaction web application honeypot

Folks, I am very pleased to announce the publication of our Know Your Tools paper: Glastopf - A dynamic, low-interaction web application honeypot authored by Lukas Rist of the Chicago Honeynet Project Chaper and Sven Vetsch, Marcel Kossin, and Michael Mauer.

The paper is available from

Paper abstract
Currently, attacks against web applications make up more than 60% of the total number of attempted attacks on the Internet. Organizations cannot afford to allow their websites be compromised, as this can result in serving malicious content to customers, or leaking customer's data. Whether the particular web application is part of a company's website, or a personal web page, there are certain characteristics common to all web applications. Most people trust in the reliability of web applications and they are often hosted on powerful servers with high bandwidth connections to the Internet. Considering the large number of attacks and knowing the potential consequences of successful break-ins, we decided to put a bit more effort into the development of honeypots to better understand these attacks.

In this paper, we introduce Glastopf, a low-interaction web application honeypot capable of emulating thousands of vulnerabilities to gather data from attacks that target web applications. The principle behind it is very simple: reply to the attack using the response the attacker is expecting from his attempt to exploit the web application. We provide an overview of the attacks on web applications, describe examples collected with Glastopf, and discuss possible usages of data collected.

Glastopf can be downloaded from and a mailing list for help/suggestions and advice is available at

Read more »

Project Honeynet “Log Mysteries” Challenge Lessons

We just finished grading the results of Project Honeynet “Log Mysteries” Challenge #5 and there are some useful lessons for BOTH future challenge respondents and to log analysts and incident investigators everywhere. Read more »

Syndicate content