The Honeynet Project

ORGANIZATION

The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

• Angelo Dell'Aera
• Charlie Hurel
• Gianluca Guida
• Guido Landi
• Patrik Lantz
• Pietro Delsante
• Roberto Tanara

The Chapter members are interested in research projects covering the following topics:

• Automated botnet tracking
• Low-interaction client honeypots

ORGANIZATION

The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

• Angelo Dell'Aera
• Guido Landi
• Patrik Lantz
• Roberto Tanara

The Chapter members are interested in research projects covering the following topics:

• Automated botnet tracking
• Low-interaction client honeypots
• Automated malware collection and analysis systems
• Distributed honeynet deployment, operation and data analysis

The first one writing about this new threat was Marco Giuliani. So, Murofet or Zeus++?

Taking a look at a couple of samples we were able to identify:
- Same API hooks
- Same encryption routine for configuration file (RC4)
- Pretty much the same configuration file format

I'm interested in infostealers and specifically in banking-trojans so I didn't want to miss this one. Samples of Carberp are floating around at least since last spring but in late September we saw such numbers increasing.

Taking a look at how Carberp hooks API it looks like yet another Zeus "clone". What I found interesting is how it hooks system calls. This is how a normal syscall looks like

- "it bypasses DEP and ASLR using impressive tricks and unusual methods" - Vupen

- "it uses a previously unpublished technique to bypass ASLR" - Metasploit Blog

- "exploit uses the ROP technique to bypass the ASLR and DEP" - ZDnet/Kasperky

I'll tell you the truth: Export Address Table Filtering, the feature of the upcoming release of EMET, "designed to break nearly all shell code in use today", intrigued me a bit.

A new improvement in PHoneyC DOM emulation code was committed in SVN r1624. The idea is to better emulate the DOM behaviour depending on the selected browser personality. Let's take a look at the code starting from the personalities definition in config.py.

“Dionaea is meant to be a Nepenthes successor, embedding Python as scripting language, using libemu to detect shellcodes, supporting IPv6 and TLS” (taken from Dionaea homepage). Besides being the most interesting project for trapping malware exploiting vulnerabilities, Dionaea supports a really cool feature which allows it to log to XMPP services as described here. TIP now exploits this feature receiving and storing such logs (really thanks to Markus Koetter for his help and support).

A few weeks ago I started reviewing the PHoneyC DOM emulation code and realized it was turning to be hard to maintain and debug due to a huge amount of undocumented (and sometimes awful) hacks. For this reason I decided it was time to patch (and sometimes rewrite from scratch) such code. These posts will describe how the new DOM emulation code will work. The patch is not available right now since I'm testing the code but plans exists to commit it in the PHoneyC SVN in the next days.