OCERT Honeynet Chapter Report for 2014

ORGANIZATION:
 
The OCERT Honeynet chapter belongs to Oman National CERT (OCERT). The chapter was officially launched in April 2010 to analyze risks and security threats that may be present in Oman's cyberspace. The members of the OCERT chapter are:

  • Yousuf Al Siyabi
  • Mazin Al Abri
  • Nasser Salim Al Hadhrami

 
DEPLOYMENTS:
 
Low-interaction honeypot technologies are deployed as follows:

  • Dionaea : A number of Dionaea sensors were deployed to capture malware and identify infected systems in the country's cyberspace. The feeds from the sensors are collected through an XMPP server.
  • Cuckoo : Cuckoo Sandbox (version 0.6) is deployed.
  • Glastopf : Deployed as a web application honeypot.
  • SurfIDS : SurfIDS collects the data picked up from the different sensors placed within the network, covering malware and web attacks.
  • Kippo : An SSH honeypot designed to log brute-force attacks and further information about the attempts.

 
RESEARCH AND DEVELOPMENT:
 
Cyber Threat Intelligence Gathering System – Phase 2: Phase 2 of the project aims to complete the integration and automation of collecting and classifying the botnet information received from different feeds. The system was started last year and has completed integration with some of the security feeds. The current work focuses on enhancing the integration and resolving the technical challenges that appeared after completing the integration with the security feeds.
 
 
PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS:
 

  • OIC-CERT Cyber Security Drill 2014, Muscat
  • ITU Regional Cybersecurity Summit 2014, Muscat
  • Global CyberLympics 2014
  • 1st Cybersecurity Trends Conference 2014, Yemen

 
FINDINGS:
 
We have detected numerous types of malware coming from 52 countries.
Based on the BitDefender, Kaspersky and Microsoft definitions, the most frequent malware seen by our systems are:

  • TrojanSpy
  • TrojanDownloader/OpenConnection.JS
  • W32.Sality
  • EMAIL Worm
  • W32.Bumble
  • Win32/Parite
  • W32/MTWB.A.gen!Eldorado

 
We also noticed that some malware is not detected by most antivirus systems.
 
We also found that most of the compromised IP addresses are infected by one of the following:

  • Zeus
  • Sality
  • Swizzor botnet
  • Graftor virus
  • SpyBot
  • Infostealer
  • GameOver_Zeus
  • zeus-p2p
  • Pushdo_SpamBot

 
The high-level statistics are shown on the OCERT chapter website: http://cert.gov.om/honeynet
 
GOALS:
 

  • Enhance the dashboard of the Cyber Threat Intelligence Gathering System
  • Integrate additional security feeds with the current system
  • Enhance cooperation with security communities