Pakistan Chapter Status Report For 2008


  1. Changes in the structure of your organization.
  2. List current chapter members and their activities.
    • Faiz Ahmad Shuja is the founder of the Pakistan Chapter and has been an active member since 2003. He also runs his company, Rewterz, which offers professional security consulting services.
    • Muhammad Omar Khan is an active member and assisted in various development efforts.
    • Omar Khan has been involved in attack analysis and reporting. In addition, he works as Manager Information Security at CYBERNET.
    • Ayaz Ahmed Khan has been involved in the development of various custom tools and writing research papers.
    • Muhammad Ahmed Siddiqui is an active member involved in tools research and development.
    • Musarrat Ali Khan has assisted in various Honeynet deployments.


  1. List current technologies deployed.
    We have been moving our infrastructure to another datacenter and plan to have it running by next month. However, we had the following technologies deployed during the past year:
    • Low-interaction honeypots using Nepenthes with 8 IPs
    • High-interaction virtual honeynet based on the latest Honeywall with 8 IPs

  2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
    • We have been focusing on attacks towards Pakistan’s networks and analyzing the activities of attackers targeting this side of the world.
    • We have been successful in identifying various groups of attackers running phishing attacks on Pakistani networks.
    • However, most of the groups operating from Pakistan are targeting users outside the country and are part of international blackhat groups.
    • We also identified a few local targeted attacks towards financial institutions and helped the local government authority that focuses on investigating cyber crimes.


  1. List any new tools, projects or ideas you are currently researching or developing.
    • We are working on enhancing the reporting and analysis of collected data and making our tools more useful. We are working on options that derive useful meaning from the collected data and enable us to do trending more efficiently.
    • We have developed customized data analysis interfaces for a few organizations to help them understand the attacks towards their network.
    • We are now actively working with various organizations to deploy country-wide distributed Honeypots/Honeynets to collect and correlate data.
  2. List tools you enhanced during the last year
    • We did a few commercial deployments of Honeynet and developed customized data analysis interfaces.
    • We enhanced our internal data analysis and reporting platform to fetch data from diverse log sources and import into our central database.

  3. Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?
    • We would like to actively develop and improve GDH data analysis capabilities and use capabilities that we have developed.

  4. Explain what kind of help or tools or collaboration you are interested in.
    • We would like to contribute to GDH development and deployment.


  1. Highlight any unique findings, attacks, tools, or methods.
    • We focused on analyzing various web application attacks and observed that attackers mostly exploited PHP-based applications using various techniques.
    • Moreover, unexpectedly some of the largest financial institutions in Pakistan experienced high-bandwidth DDoS attacks on their websites.
  2. Any trends seen in the past year?
    • We have seen continuous web application attacks dominating throughout the year. We experienced a lot of automated (worm) and manual exploitation of various PHP-based web applications.
    • Specifically related to Pakistan, we surprisingly noticed targeted high-bandwidth DDoS attacks towards local financial institutions.

  3. What are you using for data analysis?
    • Our custom built data analysis interface
    • Walleye
    • Wireshark
    • Tcpdump
    • Custom scripts
  4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
    • We would like to see a centralized data analysis platform for GDH and have all members contributing into it.


  1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers?  If yes, please provide a description and link (if possible)
    • CIO Magazine Pakistan interviewed Faiz Ahmad Shuja
    • CIO Magazine Pakistan published our paper: “Pakistani Attackers Profile”
    • Dawn Sci-Tech Newspaper interviewed Faiz Ahmad Shuja
    • Spider Magazine interviewed Faiz Ahmad Shuja
    • GEO and Dawn TV News channels interviewed Faiz Ahmad Shuja
  2. Are you looking for any data or people to help with your papers?
  3. Where did you present honeypot-related material? (selected publications)
    • Faiz Ahmad Shuja presented on Data Analysis using Honeynets at ISS World Dubai
    • Faiz Ahmad Shuja presented on Data Analysis using Honeynets at PAKCON 2007
    • Muhammad Omar Khan presented on Web Application Worms at PAKCON 2007
    • Ayaz Ahmed Khan presented on How Attackers go Undetected at PAKCON 2007


  1. Which of your goals did you meet for the past year?
    • Updated our popular Virtual Honeynet How-To paper
    • Made several changes in the functionality of our Data Analysis Interface
    • Tested and deployed the latest Honeywall release
    • Organized Pakistan’s largest security conference, PAKCON 2007
  2. Goals for the next year.
    • Deploy a GDH node
    • Deploy Honeynet on new virtualization technologies, such as Hyper-V
    • Test out Honeynet on Cloud Computing and Grid Computing
    • Expand our team so that we can contribute to research more actively
    • Update our Virtual Honeynet How-To paper
    • Create a video tutorial based on our Virtual Honeynet How-To paper

Most of the Pakistan Chapter members organize Pakistan’s largest security conference, PAKCON, every year and plan to hold its 4th edition in 2009.