Chinese Chapter Status Report (Period Apr 2007 to Dec 2008)

The Honeynet Project Chinese Chapter Status Report (Period Apr 2007 to Dec 2008)


1. Changes in the structure of your organization.
All members of Chinese Chapter (i.e. The Artemis Project) are still from ERCIS, Institute of Computer Science and Technology, Peking University, China. Although we are seaking for contributors from other organizations.
The structure of Chinese Chapter has minor change during the last period. Now we have 2 faculties, 2 staffs, 6 master students and 2 undergraduate students. Jianwei Zhuge and Chengyu Song are Full Members of the Honeynet Project. The size of Chinese Chapter will remain stable within 5 faculties/staffs and 10 students in the next several years.
We are seeking for experienced Chinese researchers or developers to join our team, we provide full-time job positions, Ph.D. and Master student programs of Peking University, and intern positions.
2. List current chapter members and their activities

  • 1) Jianwei Zhuge: Team Leader, Assistant Professor, research and development focusing on measurement of emerging Internet threats, malware analysis and defense
  • 2) Xinhui Han: Team Manager, Senior Engineer
  • 3) Chengyu Song: Master Student, research and development of malware dynamic analysis techniques based on lightweight sandbox and kernel API hooking, research on honeypot monitoring technique.
  • 4) Jinpeng Guo: Full-time Staff, development and operation of Matrix Chinese Distributed Honeynet.
  • 5) Zhiyin Liang: Full-time Staff, development and operation of Malware automatic analysis platform.
  • 6) Qiushi Wang: Master Student, helps in operation of Matrix Chinese Distributed Honeynet, prototypes malicious website detection system, will leave at July, 2009.
  • 7) Tengfei Lu: Master Student, helps in development of Icarus Honeyfarm system prototype, will leave at July, 2009.
  • 8) Yaxin Liu: Master Student, development of mobile honeypots.
  • 9) Jinhui Zhong: Master Student, development of HTTP-based BotNet detection and tracking system.
  • 10) Ruifei Yu: Master Student, helps in hacker community profiling.
  • 11) Shixiong Zhu: Undergraduate Student, helps in development of Icarus Honeyfarm system prototype.
  • 12) Zhijie Chen: Undergraduate Student, helps in development of Icarus Honeyfarm system prototype.

1. List current technologies deployed.
1) Low-Interaction Honeypots:
• Nepenthes
2) High-Interaction Honeypots:
• HoneyBow
• Typical Gen 3 Honeynet
• Client-side High-Interaction Honeypots for malicious website measurement.
3) Distributed Honeypots/Honeynets:
• Matrix Chinese Distributed Honeynet for CNCERT/CC (~200 honeypots, 50+ nodes distributed at 30+ provinces).
• GDH Phase One CNA node: the only GDH node in China
• Beijing node.
4) Mobile Honeypots for Bluetooth, WiFi, and MMS - Prototype
2. Activity timeline: Highlight attacks, compromises, and interesting information collected.

  • 1) Autonomous Spreading Malware measurement, see our ICICS'07 paper, and FIRST'08 paper on Matrix for detail. With the help of the Matrix Chinese distributed honeynet integrating Nepenthes, HoneyBow and GenIII Honeynet, we had a hit count of about 1,244,000 autonomous spreading malware infections. The hit count specifies the total number of downloaded samples, i.e., how often we successfully captured a binary, disregarding multiple copies of the same binary. As a metric for uniqueness we use the MD5sum. Using this metric, we collected nearly 180,000 unique sample binaries during the measurement period of twelve months (Year 2007). This means that we have on average about 3,408 collected and 496 new unique binaries per day.
  • 2) Botnets measurement, see our Botnet measurement TR, and FIRST'08 paper on Matrix for detail. One of the most important applications of our Chinese Matrix Distributed Honeynet is the measurement on IRC-based Botnets, which are very common on the Chinese Internet. We have discovered 2,687 unique botnets on the China public Internet during the whole year of 2007. Uniqueness is defined in this context as a unique combination of DNS name, port number and channel name.
  • 3) Malicious websites measurement, see our WEIS'08 paper for detail.Based on the malicious websites measurement setup based on high-interaction client honeypots, we identified a total of 2,149 malicious websites (i.e. 1.49%) from 144,587 distinct hosts which represent the most commonly visited websites by normal Chinese Internet users.

1. List any new tools, projects or ideas you are currently researching or developing.

  • 1) Exploit detection and analysis techniques based on Virtual Machine Introspection.
  • 2) Mobile honeypots, to collect the mobile malware samples transmit via Bluetooth, WiFi and MMS (GSM/CDMA).

2. List tools you enhanced during the last year

  • 1) Matrix Chinese Distributed Honeynet, which combines the low-interaction honeypots (Nepenthes) and the high-interaction honeypots (HoneyBow), to build fully automated and integrated malware measurement architecture. At the central site, it provides the collection of distributed submitted malware captures (HoneyBow Svr), the automatic malware analysis platform (HoneyBox), as well as botnet tracking functionality (HoneyBot).
  • 2) Sebek Win32 version, several bugs including sys_socket accept event miss reported as connection, incorrect ProcessID for accept event, GetProcessInfo may cause BSOD when target process' PEB has been paged out and several memory leak problem have been busted and fixed. The improved version is still under testing and we plan to take the responsiblity of maintaining Sebek Win32 version after the workshop.
  • 3) phoneyc, two functions are added. The first one is recursive embeded link analysis, i.e. when meets a iframe or frame tag, new PageParser will automatically download that page, parse it and merge it into the base page. The second one is script output analysis: when meets a script end tag, new PageParser will execute self.js_body collected so far and treat the output as a new page which will be parsed and merged; the javascript file included by script tag will also be automatically downloaded and appended to the js_body.
  • 4) Argos, a HIDS powered by dynamic taint analysis from Virje University. The original version only supports NE2000 ethernet adapter which is not compatible with Sebek Win32 version and the only compatible adpater PCNet does not have dynamic taint function. So we add this function to the PCNet ethernet adapter emulator.

3. Would you like to integrate this with any other tools, or you looking for help or collaboration with others in testing or developing the tool?
Not currently.
4. Explain what kind of help or tools or collaboration you are interested in.
We have proposed Sebek improvement project, to improve current Sebek with better stability and invisibility, we propose two different honeypot monitoring solutions for both commonly used high-interaction honeypot deployment approaches. Firstly, we propose to improve current Sebek win32 version to provide Direct-on-System honeypot monitoring solution for both physical honeypot deployment and virtual machine honeypot deployment. Secondly, we will research and prototyping Virtualization-based honeypot monitoring solution for virtual machine honeypots.

1. Highlight any unique findings, attacks, tools, or methods.
See our papers for details.
2. Any trends seen in the past year?
Web-based Malware has becomes the major security threat to the normal Internet users in China, and the phenomenon is driven by the blackhat underground economy.
3. What are you using for data analysis?

  • 1) For honeynet data analysis, we use standard analysis tools including tcpdump, wireshark and Gen 3 Walleye, as well as some home-made immature scripts implementing statistical analysis, baseline analysis, cluster analysis, and correlation analysis methods.
  • 2) For malware analysis, we use our former HoneyBox platform and current MwAnalyzer platform.
  • 3) For IRC based BotNet tracking, we use our own developed HoneyBot tool. For HTTP-based BotNet tracking, we use our own developed tracking scripts.
  • 4) For malicious website analysis and measurement, we use our home-made high-interaction honeypot system integrating MwSniffer, MwScanner and HoneyBow.

4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
We are experimenting with some kinds of data analysis techniques such as cluster analysis (and further root cause analysis), baseline analysis and correlation analysis, aiming to provide practical methods for identifying high-level attack events from the huge dataset collected by the distributed honeynet. We think such high-level data analysis methods (integrating with low-level data analysis techniques and drill-in mechanisms) need further research and development, especially for the distributed honeynet deployment such as GDH and Matrix.

1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers?  If yes, please provide a description and link (if possible)
English Papers

  • 1.J. Zhuge, T. Holz,C. Song,J. Guo, X. Han and W. Zou, Studying Malicious Websites and the Underground Economy on the Chinese Web,the 7th Workshop on the Economics of Information Security (WEIS'08), Hanover, NH, USA, June 2008.[pdf]. Peking University & University of Mannheim Technical Report, Nov 2007. [pdf]
  • 2. J. Zhuge, Y. Zhou,J. Guo. et al, Malicous Websites on the Chinese Web: Overview and Case Study, 20th Annual FIRST Conference (FIRST'08), British Columbia, Canada, June 2008. (Dr. M. Wang from CNCERT/CC presented at FIRST'08 on the behalf of the authors)
  • 3. Y. Zhou, J. Zhuge, N. Xu. et al, Matrix, a Distributed Honeynet and its Applications, 20th Annual FIRST Conference (FIRST'08), British Columbia, Canada, June 2008. (Mr. Y. Zhou from CNCERT/CC presented at FIRST'08 on the behalf of the authors)
  • 4. J. Zhuge, T. Holz, X. Han, C. Song, and W. Zou. Collecting Autonomous Spreading Malware Using High-interaction Honeypots, In Proceedings of 9th International Conference on Information and Communications Security (ICICS'07), Zhengzhou, China, Dec 2007. [pdf]
  • 5. Z. Liang,T. Wei,Y. Chen, X. Han, J. Zhuge, and W. Zou. Component Similarity Based Methods for Automatic Analysis of Malicious Executables, In Proceedings of Virus Bulletin Conference 2007 (VB'07), Vienna, Austria, Sep 2007. [pdf]
  • 6. J. Zhuge, T. Holz, X. Han, J. Guo, and W. Zou. Characterizing the IRC-based Botnet Phenomenon, Peking University & University of Mannheim Technical Report, Nov 2007. [pdf]

Chinese Journal Papers

  • 7. J. Zhuge, X. Han, Y. Zhou, Z. Ye and W. Zou. Botnet Research Survey, Chinese Journal of Software, 19(3):702~715, 2008.
  • 8. J. Zhuge, X. Han, Y. Zhou, C. Song, J. Guo and W. Zou. HoneyBow: An Automated Malware Collection Tool based on the High-Interaction Honeypot Principle, Chinese Journal of Communication, 28(12):8~13, 2007.
  • 9. X. Han, J. Guo, Y. Zhou, J. Zhuge, D. Cao, and W. Zou. An Investigation on the Botnets Activities, Chinese Journal of Communication, 28(12):167~172, 2007.

Chinese Conference Papers

  • 10. J. Zhong, J. Zhuge, J. Guo, and Z. Ye. Research and Implementation of HTTP-based Botnet Detection Technique. In Proceedings of the 2008 China National Computer Conference (CNCC'08), Xian, China, Sep 2008.
  • 11. F. Zhang, J. Zhuge, X. Han, Z. Ye, and N. Xu. Honeynet Data Baseline Analysis Method for Internet Security Incident Detection. In Proceedings of the 2008 China National Computer Conference (CNCC'08), Xian, China, Sep 2008.
  • 12. Z. Liang, D. Si, C. Li, J. Mao, Y. Chen and J. Zhuge. Detecting High-Level Interactive Honeypots. In Proceedings of the 2007 Chinese Symposium on Network and Information Security (NetSec'07), Qingdao, China, Aug 2007.

Chinese Magazine Articles

  • 13. J. Zhuge. Measurement on Botnets, Computer World - CSO & Information Security Magazine, Invited Article, Dec 2007.
  • 14. J. Zhuge. Honeypot Technology and its Latest Progress, Computer World - CSO & Information Security Magazine, Invited Article, Oct 2007.
  • 15. J. Zhuge. Strike Malware using Honeypot Technology, Computer World - CSO & Information Security Magazine, Invited Article, Oct 2007.

Accepted or On Submission

  • 16. T. Lu, Z. Chen, J. Zhuge, X. Han, and W. Zou, Research and Implementation of Network Attack Flow Redirection Mechanism in the Honeyfarm Environment, accepted by CCICS'09. Be nominated to Journal of Nanjing University of Posts and Telecommunications.
  • 17. Y. Liu, F. Wang, S. Dai, and J. Zhuge, Research and Design of Mobile Honeypot for Collecting of Bluetooth Virus, accepted by CCICS'09.
  • 18. J. Zhuge. C. Song, J. Guo, X. Han, and Y. Zhou, Trojan Network on the Chinese Web: Investigation and Measurement, submitted to Chinese Journal of Communication.

2. Are you looking for any data or people to help with your papers?
We collaborated with Thorsten Holz of German Honeynet Project on three papers, and successfully got two of them accepted by academic conferences (WEIS'08 and ICICS'07), and another one released as Joint Technical Report. Thorsten helped us much on the paper writing and reviewing.
We are looking for further collaboration with him and/or other researchers on co-authoring academic or technical papers, especially on malware analysis, web-based malware detection and measurement, and exploit detection/analysis.
3. Where did you present honeypot-related material? ( selected publications )
Presentations In English:

  • 1.Chengyu Song, Studying Malicious Websites and the Underground Economy on the Chinese Web,WEIS'08, Hanover, NH, USA, June 2008.
  • 2. Jianwei Zhuge, Collecting Autonomous Spreading Malware Using High-interaction Honeypots, ICICS'07, Zhengzhou, China, Dec 2007.
  • 3. Tao Wei, Component Similarity Based Methods for Automatic Analysis of Malicious Executables, VB'07, Vienna, Austria, Sep 2007.

Presentations In Chinese:

  • 4. Jianwei Zhuge. HoneyBow: An Automated Malware Collection Tool based on the High-Interaction Honeypot Principle, NetSec'07, Qingdao, China, Aug 2007.
  • 5. Xinhui Han. An Investigation on the Botnets Activities, NetSec'07, Qingdao, China, Aug 2007.
  • 6. Jianwei Zhuge. Detecting High-Level Interactive Honeypots, NetSec'07, Qingdao, China, Aug 2007.
  • 7. Jianwei Zhuge. Malicious Websites Measurement Techniques and Practice, Invited technical training at Chinese Science and Technology Network Training Class, June. 2008.
  • 8. Jianwei Zhuge. An Introduction to Virtual Machine, Peking University Security Seminar, Apr. 2008.

1. Which of your goals did you meet for the past year?
1). We have finished the project on automatic malware analysis tool successfully, designed and developed an integrated malware automatic analysis platform, including static analysis/signature generation (Anity labs), dynamic analysis (Artemis) and network analysis (CCERT). We developed a feather-weight virtual machine based sandbox, for parallel dynamic analysis of large amount of malware samples on a single native host. No open publications available yet, add oil Chengyu and Zhiyin :).
2). We have enlarged Matrix Chinese Distributed Honeynet system to have up to 50 honeynets and up to 200 honeypots distributed at more than 30 provinces in China. The system has become one of the Internet threats measurement infrastructures for CNCERT/CC. Thanks CNCERT/CC to provide us such a great opportunity. Good job done, Jinpeng and Qiushi.
3). We have got further funds from CNCERT/CC on a botnet and malicious website measurement project. We also wrote proposals for NSFC funds and other funding opportunities, two failed and one (only several thousand dollars) success. We need big funds or donations to obtain necessary resources, to cover our expenses, and to improve the salary level for staff members, also subsidy level for the students. Funding or donation information goes to Jianwei please.
4). We have published 15 papers and articles during this period (since Apr 2007 to Dec 2008), including 5 conference papers and 1 technical report in English, 6 journal and conference papers in Chinese, and another 3 magazine articles. Another 3 papers accepted or on submission. More members presented at various conferences, workshops and seminars. Thanks Thorsten Holz for help with co-authoring papers.
5). Based on our Seminar on Hacking Analysis and Forensics during the past whole academic year, Jianwei Zhuge teaches a course "Network Hacking and Defense: Technology and Practice" for the graduate and senior undergraduate students majoring in Computer Science.
2. Goals for the next year.
1). Finish the current funded projects successfully, and seek for future funds and/or donations. We need funds and resources to maintain and enlarge our team for further research and development.
2). Deeper and harder research and development, and get at least one paper accepted by the rank A/rank A+ academic journals and conferences. Collaboration proposal on co-authoring papers are welcome, drop Jianwei a line.
3). Help CNCERT/CC and other security organizations in China to build Internet threats measurement and response solutions and systems. Especially on Web-based Malware.
4). Further development and research on honeypot monitoring techniques (Sebek).

1) Translated the new KYEs into Chinese.
2) Due to Jianwei's efforts, our institute (ICST@PKU) received the software donation (MSDN Developer Academic Alliance 1 year) from Microsoft. Thanks Microsoft and Ms. Na Zeng.