Chicago Chapter Status Report For 2008


  1. Changes in the structure of your organization.
    • Jose Nazario from Arbor Networks joined the Chicago Chapter.
  2. List current chapter members and their activities.
    • Lance Spitzner is currently on the Board of Directors and acting President and CEO.  In addition he does independent consulting through his company HoneyTech.
    • Michael Davis has assisted in the past with development of Win32 Sebek and is the CEO of SavidTech.
    • Paul Neff is currently the Chief Security Officer at Williams Lea.
    • Kirby Kuehl is leading IPS development at Cisco.
    • Jose Nazario is the bot-hunting and DDoS stud at Arbor Networks.


  1. List current technologies deployed.
  2. Activity timeline: Highlight attacks, compromises, and interesting information collected.

The Chicago Chapter currently does not have any technologies deployed nor any data collected as part of the Chapter.  However, individual members are actively involved in data collection and analysis, most notably Jose Nazario and his work at Arbor Networks.


  1. List any new tools, projects or ideas you are currently researching or developing.
    • Jose Nazario: PhoneyC, a pure-Python virtual honeyclient. Help always appreciated!
  2. List tools you enhanced during the last year
  3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
  4. Explain what kind of help or tools or collaboration you are interested in.


  1. Highlight any unique findings, attacks, tools, or methods.
    • Jose Nazario: RU-GE DDoS attacks, Church of Scientology attacks, CNN.com attacks, RSPlug OS X malware
  2. Any trends seen in the past year?
  3. What are you using for data analysis?
    • Jose Nazario: CWSandbox, ATLAS, IDA Pro, FLASM, pdftk, and a lot of Python.
  4. What is working well, and what is missing, what data analysis functionality would you like to see developed?


  1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers?  If yes, please provide a description and link (if possible).
    • Jose Nazario: fast-flux paper with Thorsten (appeared at MALWARE 2008)
    • Jose Nazario: "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware" with X. Chen, J. Andersen, Z. M. Mao, M. Bailey
    • Jose Nazario: Gave the keynote at USENIX Security in the Bay Area (USA) this year.
  2. Are you looking for any data or people to help with your papers?
  3. Where did you present honeypot-related material? ( selected publications )
    • Lance Spitzner: Presented on honeypots and did a full-day training session with David Watson at


  1. Which of your goals did you meet for the past year?
    • We expanded our membership (adding one of the best, Jose Nazario).  However, we did not have a team meeting in Chicago, which we had hoped for.
  2. Goals for the next year.
    • Jose Nazario: Scaling the good guys, working more with people to make our efforts sustainable and effective. This hit-or-miss approach is unsustainable.
    • Lance Spitzner: The number one goal for me is to get new funding for the Honeynet Project.  By increasing our funding we can support more research and development projects, fund more team get-togethers, and improve collaboration with other organizations.