To learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned.


Announcing the publication of Know Your Tools: Qebek - Conceal the Monitoring

I am very pleased to announce another publication of our Know Your Tools series: Qebek - Conceal the Monitoring authored by Chengyu Song and Jianwei Zhuge from the Chinese Chapter and Brian Hay from the Alaskan Chapter.

The paper is available from

Paper abstract
For the last few years, while low-interaction (LI) honeypot systems like Nepenthes and PHoneyC are getting more and more powerful, the progress of high-interaction (HI) honeypot technology has been somewhat slower. This is especially true for Sebek, the de-facto HI honeypot monitoring tool. In this KYT paper, we introduce Qebek, a QEMU based HI honeypot monitoring tool which aims at improving the invisibility of monitoring the attackers’ activities in HI honeypots. Read more »

取证分析挑战 6 - 分析恶意编码 PDF 档案

取证分析挑战 6:分析恶意编码 PDF 档案 - (由来自马来西亚分支的Mahmud Ab Rahman和Ahmad Azizan Idris提供) 利用含恶意编码 PDF档案进行的典型攻击。
Read more »

鑑識分析挑戰 6:分析惡意編碼 PDF 檔案

鑑識分析挑戰 6:分析惡意編碼 PDF 檔案 - (由來自馬來西亞團隊的Mahmud Ab Rahman和Ahmad Azizan Idris提供) 利用含惡意編碼 PDF檔案進行的典型攻擊。
Read more »

Forensic Challenge 2010/6 - Analyzing Malicious Portable Destructive Files is now live

Another challenge is ready to be tackled by forensic analysts, students, hackers and alike. This time, we present you with an attack vector that has become quite successful: malicious PDF files!

For challenge 6 of our series (provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Honeynet Project Chapter) we present you with a pcap file that contains network traffic generated by the following scenario: An unsuspecting user opens a compromised web page, which redirects the user's web browser to a URL of a malicious PDF file. As the PDF plug-in of the browser opens the PDF, the unpatched version of Adobe Acrobat Reader is exploited and, as a result, downloads and silently installs malware on the user's machine.

We prepared a set of questions that requires you to dive deep into the portable document format. Submit your solution by November 30th 2010. The top three submissions will receive small prizes.


Christian Seifert
Chief Communications Officer
The Honeynet Project Read more »

Forensic Challenge 2010/5 - Log Mysteries - Results are in ...

Folks, Sebastien, Anton, Raffy and Julia have judged all submissions and results have been posted on the challenge web site. The winners are:

  1. William Söderberg (sweden)
  2. Nikunj Shah (USA)
  3. David Bernal Michelena (Mexico)

Congratulations to the winners.

Apparently challenge 5 was a true challenge. While we had many folks hit the challenge web site, we only received 7 submissions in total and quite a few participants missed more subtle attacks embedded in the deep corner of the logs. This illustrates how difficult log analysis is and a reason why we included it in the mix of challenges. The original challenge files remain on the web site and we have posted the top three submissions from Wiliam, Nikunj and David. Take a look and see whether you would have been able to identify all attacks in the logs.

With challenge 5 completed, we are getting ready to launch challenge 6 on November 1st. This challenge has been prepared by Mahmud and Ahmad from the Malaysian Chapter. It deals with 'Analyzing Malicious Portable Destructive File' and we hope to see you participating.

Christian Seifert
Chief Communications Officer
The Honeynet Project

GlastopfNG release

Before we are getting worse than Duke Nukem Forever, we decided to finally release the next generation of the web application honeypot Glastopf, aka GlastopfNG! Read more »

Murofet, Zeus++ or just Zeus 2.1?

The first one writing about this new threat was Marco Giuliani. So, Murofet or Zeus++?

Taking a look at a couple of samples we were able to identify:
- Same API hooks
- Same encryption routine for configuration file (RC4)
- Pretty much the same configuration file format Read more »

Trojan Carberp

I'm interested in infostealers and specifically in banking-trojans so I didn't want to miss this one. Samples of Carberp are floating around at least since last spring but in late September we saw such numbers increasing.

Taking a look at how Carberp hooks API it looks like yet another Zeus "clone". What I found interesting is how it hooks system calls. This is how a normal syscall looks like

MOV EAX,0xce                     // ZwResumeThread syscall id
Read more »

Forensic Challenge 2010/5 - Log Mysteries - just a few days left to submit your solution

The deadline for the Forensic Challenge 2010/5 - Log Mysteries is quickly approaching. It seems like this challenge is a hard nut to crack as we only received a few submissions so far. If you like a challenge, give it a try. The deadline is September 30th 2010. You can access the challenge at Did I mention there are prizes?

Is that PDF so scary?

- "it bypasses DEP and ASLR using impressive tricks and unusual methods" - Vupen

- "it uses a previously unpublished technique to bypass ASLR" - Metasploit Blog

- "exploit uses the ROP technique to bypass the ASLR and DEP" - ZDnet/Kasperky
Read more »

Syndicate content