Sysenter Chapter - Chapter Status Report for 2014

ORGANIZATION

The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

  • André Vorbach
  • Andrea De Pasquale
  • Angelo Dell'Aera
  • Charlie Hurel
  • Gianluca Guida
  • Guido Landi
  • Jeff Nathan
  • Jose Miguel Esparza
  • Markus Schmall
  • Patrik Lantz
  • Pietro Delsante
  • Roberto Tanara
  • Sebastian Pöplau
  • Will Metcalf
  • Yuriy Khvyl

The Chapter members are interested in research projects covering the following topics:

  • Automated botnet tracking
  • Low-interaction client honeypots
  • Automated malware collection and analysis systems
  • Distributed honeynet deployment, operation and data analysis
  • Intrusion detection
  • Reverse engineering
  • Mobile malware analysis
  • Virtualization
  • Computer forensics

DEPLOYMENTS

We have deployed several Honeeebox sensors. Recorded attacks and malware samples are submitted to HPFeeds.

RESEARCH AND DEVELOPMENT

We are currently developing Thug, a Python low-interaction honeyclient. A lot of interesting features were added during 2014, such as Thug plugins for PDF and JAR analysis. We are currently planning to add new features related to web client tracking detection.

We have contributed to the Conpot project by developing the management interface of the Kamstrup smart meter device.

We are currently developing Droidbox, an Android application sandbox.

We improved Pylibemu, a Libemu wrapper written in Cython.

We studied some samples of mobile malware and some exploit kits serving APKs instead of regular PE executables. We found some evidence even in the very first days of 2015, but we got it too late to retrieve the APKs.

We have been studying the behaviour of the Dridex infostealer malware, finding a way to automatically dump its configuration and analyze it through Cuckoo.

We have developed Nodepot, a Node.js-based web honeypot.

We are developing LightTower, a monitoring/scanning solution based on Thug, Arachni, Docker, etc. The idea is to scan web pages continuously for threats.

We started a new project called Rumal, intended to be a simple web GUI for Thug (it can be run on a local machine with a single user), but also a sort of social network where you can share your analyses, results and metadata with others. Rumal is currently under heavy development and will be released as an open-source project as soon as it reaches the alpha stage.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

We held an invited lecture on honeyclient technologies during EuroSec 2014 (European Workshop on Systems Security), held on the 13th of April, 2014, in Amsterdam, The Netherlands. This also gave us the opportunity to promote GSoC and The Honeynet Project to the students.

Moreover, we were frequently engaged for educational presentations and for teaching university classes on topics related to new and emerging threats.

GOALS

In 2015 we would like to continue improving the tools we have already released (see Section "Research and Development" for further details).

We would also like to revive our Cuckoo deployment, bringing it back to full operation and adding new analyzers to it.

MISC

We are currently involved in maintaining the Honeynet Project infrastructure.

We are currently involved in planning and organizing the Honeynet Project Workshop 2015 to be held in Stavanger, Norway.

We are involved in the design and implementation of the KYM (Know Your Mates) project, with the goal of fostering collaboration among Honeynet members.