Iranian Chapter Status Report For 2013

ORGANIZATION

Current chapter members:

  • Adel Karimi (Chapter Lead; Research on Botnets and new attack trends, Honeypot deployment, Writing/Presenting Honeypot related materials)
  • Shahriyar Jalayeri (Lead Developer; Research, Honeypot development, Malware and attack analysis)
  • Amirreza Aminsalehi (Development, Honeypot deployment, Malware analysis and RCE)
  • Vahid Ghayoumi (Research on Web-based attacks and web honeypots, WAF)
  • Mehdi Mousavi (PhD Student; Research guide)
  • Ali Zand (PhD Student @UCSB; Research guide)

- No changes in the structure of IR/HP.

DEPLOYMENTS

1 x Cuckoo Sandbox
1 x Pwnypot HoneyClient (Integrated with Cuckoo)
4 x Dionaea Sensor
4 x Kippo Sensor
4 x Amun Sensor
1 x Conpot
1 x Central [honeynet] Management & Monitoring System

RESEARCH AND DEVELOPMENT

  • Pwnypot Client Honeypot [improvement]
    We proposed two GSoC projects for improving Pwnypot. One of them ("PwnyPot management integration with Cuckoo") was successfully completed by Tobias Jarmuzek (special thanks to Georg, Shahriyar, Mark and Jamie). The Pwnypot documentation and installation instructions are available here:
    http://jamu.info/pwnypot/docs/pwnypot/index.html. Feel free to use it and send us your feedback.
  • Email-Flux
    We proposed a command and control technique that uses disposable temporary email services (e.g. Mailinator). We named it Email-Flux because it uses an automatic string generation algorithm to derive mailbox names (like the DGA in Domain-Flux). Whereas micro-blogging, internet clipboards (e.g. pastebin) and other similar services have been used as C&C channels by malware, to our knowledge there is no malware in the wild that uses Email-Flux.
    (A simple PoC *for research purposes*: https://github.com/shjalayeri/Honeynet/blob/master/Mail%20Flux/mail_flux.py)
  • DNS-Based Approach for Botnet Detection and Tracking
    Adel's M.S. Thesis
  • A Novel Shellcode Detection Technique
    (Will be published soon)
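Because Email-Flux rotates through generated mailbox names the way a DGA rotates through domains, the rotation itself is what a defender can look for in outbound traffic. The following Python is an added example written for this report; it is not the chapter's own code and is unrelated to the mail_flux.py PoC. The proxy log lines, the mailinator.example host, the `to=` query parameter and the entropy/digit-ratio thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample proxy log (not real traffic). Assumed format:
# <timestamp> <client-ip> <method> <url>. Host 10.0.5.17 polls three
# different random-looking inboxes on a disposable-mail service, which is
# the rotation pattern an Email-Flux channel would produce; the other
# hosts are benign.
SAMPLE_PROXY_LOG = """\
2013-11-02T10:14:03Z 10.0.5.17 GET http://mailinator.example/inbox?to=k7x2q9zv4pm1
2013-11-02T10:14:09Z 10.0.5.17 GET http://mailinator.example/inbox?to=b3n8wq1ztr5y
2013-11-02T10:14:15Z 10.0.5.17 GET http://mailinator.example/inbox?to=p9zq4x7mk2vw
2013-11-02T10:20:41Z 10.0.5.22 GET http://mailinator.example/inbox?to=john.smith
2013-11-02T10:31:00Z 10.0.5.31 GET http://intranet.example/status
"""

# Disposable-mail hosts to watch (assumed list; extend for your environment).
DISPOSABLE_MAIL_HOSTS = {"mailinator.example"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^https?://([^/]+)/[^?]*\?(.*)$")


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name, min_len=10, min_entropy=3.0, min_digit_ratio=0.2):
    """Heuristic for DGA-style mailbox names: long, high-entropy, letters mixed with digits.
    Plain human names such as 'john.smith' fail the digit-ratio test even when their
    entropy is fairly high, which is why entropy alone is not used."""
    if len(name) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    if letters == 0 or digits / len(name) < min_digit_ratio:
        return False
    return shannon_entropy(name) >= min_entropy


def extract_mailbox(url):
    """Return (host, mailbox) when the URL targets a watched disposable-mail host
    and carries a to= query parameter; otherwise None."""
    m = URL_RE.match(url)
    if not m:
        return None
    host, query = m.group(1), m.group(2)
    if host not in DISPOSABLE_MAIL_HOSTS:
        return None
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "to" and value:
            return host, value
    return None


def find_email_flux_candidates(log_text, min_distinct=3):
    """Map each client IP to the distinct generated-looking mailboxes it polled,
    keeping only clients that rotated through at least min_distinct of them."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        _, client, _, url = m.groups()
        hit = extract_mailbox(url)
        if hit and looks_generated(hit[1]):
            seen[client].add(hit[1])
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_distinct}


if __name__ == "__main__":
    for ip, names in find_email_flux_candidates(SAMPLE_PROXY_LOG).items():
        print(ip, "rotated through", len(names), "generated mailboxes:", ", ".join(names))
```

The per-client grouping matters more than the per-name heuristic: a single high-entropy mailbox name is weak evidence, but one host polling several distinct random-looking inboxes on a disposable-mail service within minutes is the signature of the rotation the technique depends on.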

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

  • A. Karimi, “Honeypots: Challenges and Future Directions”, 18th National CSI Computer Conference (workshop section), Sharif University of Technology, Tehran; March 12, 2013.
  • A. Karimi, “PwnyPot (a.k.a. MCEDP): A New Approach to Client Honeypots”, 2013 Honeynet Project Workshop (private section), Dubai; Feb 2013.
  • A. Karimi, “Honeypot and Emerging Trends in Botnets”, AmirKabir University of Technology (for M.S. students; Fall and Winter 2013)

We also have some unpublished papers / reports ("Pwnypot: A New Approach to Client Honeypot", ...).

GOALS

- Goals the chapter met for the past year:

  • Paper/presentation on our new client honeypot
  • Improving Pwnypot (Management component and Web UI)
  • Implementing a system for monitoring and management of our honeypot sensors

- Goals for the next year:

  • Developing new tools (We already started working on two new projects/tools)