We'd like to welcome a new member in this report, Adnan Shukor. He will be working on more client-side threat research. So far we have six (6) members, who are full-time staff with CyberSecurity Malaysia and Malaysia CERT:
The following are some of the components currently being deployed:
3.0 Research and Development
Other than working to get the infrastructure ready, we have done some work in the following areas:
a. Visualization
Due to the amount of data (read: logs) produced by our honeynet, some team members spent time enhancing the visualization of the data collected. You can view some samples at the URLs mentioned below.
i. Malware (based on md5hash) Location - https://honeynet.org.my/live/malreport/index.php
ii. Traffic inbound/outbound - https://honeynet.org.my/live/attackreport/index.php
iii. Netflow Visualization (data collected via SANCP, a component of Sguil)
b. Malicious PDF parser
We started developing a tool for analyzing malicious PDF files. Our tool depends on the pdftk toolkit to decompress the PDF file, and then looks for suspicious strings inside the decompressed file. We intend to release the tool at the beginning of Q3 2009.
We have modified the backend of HIHAT and integrated it with a custom script (credits to the folks at ShadowServer) for picking up remote file inclusion (RFI) attacks against our honeynet. We also intend to share this with the community in Q3 2009.
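As an added illustration of the approach described above (this is example code, not the chapter's own tool): FlateDecode streams are inflated with zlib in place of the pdftk decompression step so the script runs offline, and the result is searched for names associated with active content. The sample PDF is constructed inline and hides its /OpenAction and /JavaScript keys inside a compressed stream.

```python
import re
import zlib

# Names that commonly indicate active or embedded content in a PDF.
# A hit is a trigger for closer analysis, not proof of malice.
SUSPICIOUS_NAMES = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia"]

# \b keeps "endstream" from being mistaken for the start of a stream.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decompress_streams(pdf_bytes):
    """Return the PDF with every zlib/FlateDecode stream body inflated.

    Stands in for `pdftk in.pdf output out.pdf uncompress` (assumed
    substitute); streams that fail to inflate are kept as they are.
    """
    def inflate(match):
        try:
            return b"stream\n" + zlib.decompress(match.group(1)) + b"\nendstream"
        except zlib.error:
            return match.group(0)
    return STREAM_RE.sub(inflate, pdf_bytes)


def scan_pdf(pdf_bytes, decompress=True):
    """Count suspicious names, optionally after inflating streams.

    Returns {name: count} for names seen at least once.
    """
    data = decompress_streams(pdf_bytes) if decompress else pdf_bytes
    return {n.decode(): data.count(n) for n in SUSPICIOUS_NAMES if data.count(n)}


def build_sample():
    """Constructed sample: a tiny PDF whose only active-content keys sit
    inside a FlateDecode stream, so a plain grep of the file misses them."""
    hidden = b"<< /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"
    body = zlib.compress(hidden)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample()
    print("raw:", scan_pdf(sample, decompress=False))
    print("decompressed:", scan_pdf(sample))
```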
We definitely need to spend more time to analyze what we collect. :-)
a. Malware Collection
We collected quite a number of malware samples last year and made many new friends through our sample-sharing initiative.
We intend to start blogging about our findings more regularly in 2009.
5.0 Papers and Presentations
In 2008, our team conducted training and talks on topics relevant to our honeynet deployment at conferences such as FIRST TC in Tokyo, APCERT AGM in Hong Kong, Infosec.MY (a CyberSecurity Malaysia event), local universities and a few other closed sessions.
In 2009, we intend to start looking into honeyclients and to establish partnerships with more organizations locally and abroad.
7.0 Misc Activities
Nothing to report at this point