German Honeynet Project


ORGANIZATION 

  1. Most members are based at the University of Mannheim (Laboratory for Dependable Distributed Systems) and work on their Ph.D. theses

DEPLOYMENTS

  1. Gen III Honeynet with Honeywall and several virtual honeypots running Windows / Linux
  2. Large Malware Collector Honeynet based on "Amun: Python Honeypot" (http://amunhoney.sf.net/)
  3. Hosting CWSandbox (http://cwsandbox.org) which is used by many honeynet installations worldwide
  4. One sensor within the Leurré.com project
  5. Several honeyclients based on Capture-HPC
  6. Different spamtraps to collect spam emails

RESEARCH AND DEVELOPMENT

  1. Different kinds of malware collectors: Omnivora (http://sourceforge.net/projects/omnivora/) and Amun (http://amunhoney.sf.net/)
  2. Automated Malware Analysis: CWSandbox (http://cwsandbox.org)
  3. Tracking of Fast-flux service networks (no public interface yet, will follow)
  4. Using honeypots to learn more about RFI attacks
  5. Adapted honeyclients to our needs: small enhancements to Capture-HPC and development of Monkey-Spider
  6. Spamtraps to collect spam mails that can then be used together with honeyclients or automated malware analysis
  7. Studying keyloggers and different kinds of botnets in detail
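
As an added illustration of the measurement behind the fast-flux tracking listed above (this is example code written for this page, not code from the German Honeynet Project or from the papers it lists): a name is looked up repeatedly, the A records and their origin ASNs are accumulated, and a linear flux score over the number of distinct IPs and distinct ASNs decides whether the name looks like a fast-flux service network. The coefficients and threshold follow the decision function published in "Measuring and Detecting Fast-Flux Service Networks" (NDSS'08) as I recall them and are an assumption here; a deployment should recalibrate them on its own data. The lookups, IPs and ASNs are constructed sample data (documentation prefixes and private-use ASNs), and the IP-to-ASN mapping is assumed to come from an external lookup that is stubbed out by embedding the ASN in each answer.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Lookup:
    """One DNS lookup of the name under study: TTL and (ip, asn) pairs.

    The ASN would normally come from a whois/route-view lookup of the IP;
    it is embedded here so the example runs offline.
    """
    ttl: int
    answers: List[Tuple[str, int]]


# Assumed coefficients and threshold (NDSS'08 decision function, as recalled).
W_A, W_ASN, THRESHOLD = 1.32, 18.54, 142.38


def collect_features(lookups: List[Lookup]) -> Dict[str, float]:
    """Aggregate repeated lookups into the features used for scoring."""
    ips, asns = set(), set()
    novel, later_answers = 0, 0
    for i, lk in enumerate(lookups):
        for ip, asn in lk.answers:
            if i > 0:
                # novelty: share of answers in later lookups that were never seen before;
                # a flux network keeps rotating in fresh hosts, a CDN cycles a fixed pool
                later_answers += 1
                if ip not in ips:
                    novel += 1
            ips.add(ip)
            asns.add(asn)
    return {
        "n_a": len(ips),                    # distinct A records over all lookups
        "n_asn": len(asns),                 # distinct origin ASNs over all lookups
        "min_ttl": min(lk.ttl for lk in lookups),
        "novelty": novel / later_answers if later_answers else 0.0,
    }


def flux_score(features: Dict[str, float]) -> float:
    """Linear score: many IPs spread over many ASNs is the fast-flux signature.

    TTL is deliberately not part of the score: CDNs also use very short TTLs,
    so it discriminates poorly on its own (see the CDN sample below).
    """
    return W_A * features["n_a"] + W_ASN * features["n_asn"]


def is_fast_flux(lookups: List[Lookup]) -> bool:
    return flux_score(collect_features(lookups)) > THRESHOLD


# Constructed sample 1: a flux domain that hands out 6 fresh hosts on every
# lookup, 30 distinct hosts in total, spread over 8 (private-use) ASNs.
FLUX_LOOKUPS = [
    Lookup(ttl=300, answers=[(f"10.{i}.{j}.1", 64512 + (i * 6 + j) % 8) for j in range(6)])
    for i in range(5)
]

# Constructed sample 2: a CDN-style name with a 20 s TTL that alternates
# between two pairs of hosts, all in one ASN.
CDN_LOOKUPS = [
    Lookup(ttl=20, answers=[("192.0.2.10", 64496), ("192.0.2.11", 64496)])
    if i % 2 == 0 else
    Lookup(ttl=20, answers=[("192.0.2.12", 64496), ("192.0.2.13", 64496)])
    for i in range(5)
]


if __name__ == "__main__":
    for name, lookups in (("flux-sample", FLUX_LOOKUPS), ("cdn-sample", CDN_LOOKUPS)):
        feats = collect_features(lookups)
        print(name, feats, "score=%.2f" % flux_score(feats), "fast-flux:", is_fast_flux(lookups))
```

The constructed CDN name has the shorter TTL but scores far below the threshold because all its hosts sit in one ASN, while the flux sample is flagged on the IP and ASN spread alone; the novelty feature is reported but not scored, as a hint of the churn measurement that a longer observation window makes possible.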

FINDINGS

  1. We studied Storm Worm in detail and published our results in a paper entitled "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm" (LEET'08)
  2. We studied Fast-Flux service networks and published several papers on the topic: "Measuring and Detecting Fast-Flux Service Networks" (NDSS'08) and "As the Net Churns: Fast-Flux Botnet Observations" (Malware'08)
  3. In-depth study of keyloggers and the data stolen by this kind of malware: "Learning more about the underground economy: A case study of keyloggers and dropzones"
  4. Several compromises of our high-interaction honeypots, which allowed us, for example, to study credit card trading
  5. Lots of malware binaries were collected (> 600,000 unique binaries in our database at cwsandbox.org). We therefore developed tools for automated malware classification ("Learning and Classification of Malware Behavior") and are currently working on automated malware clustering.
  6. More data analysis tools are needed. Analyzing incidents at high-interaction honeypots still takes lots of time, more automation would be nice. Furthermore, applying data mining techniques on the huge volume of data generated by automated malware analysis would be helpful to extract high-level information.

PAPERS AND PRESENTATIONS

  1. "As the Net Churns: Fast-Flux Botnet Observations"
  2. "Learning and Classification of Malware Behavior"
  3. "Studying Malicious Websites and the Underground Economy on the Chinese Web"
  4. "Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm"
  5. "Monkey-Spider: Detecting Malicious Websites with Low-Interaction Honeyclients"
  6. "Measuring and Detecting Fast-Flux Service Networks"
  7. "Know Your Enemy: Malicious Web Servers"
  8. "Measurement and Analysis of Autonomous Spreading Malware in a University Environment"
  9. "Toward Automated Dynamic Malware Analysis Using CWSandbox"
  10. "Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation"
  11. And lots of presentations...

GOALS

  1. Better data analysis tools are needed - perhaps ideas from the area of data visualization could help, too
  2. More automation / correlation of the collected data
  3. Find more time to work on honeypots, don't get distracted too much ;-)