Pakistan Chapter Status Report For 2009/2010

ORGANIZATION

  • Faiz Ahmad Shuja is the founder and chapter lead of the Pakistan Chapter and an active member since 2003. He is responsible for the management and maintenance of the HP (Honeynet Project) infrastructure.
  • Muhammad Omar Khan is an active member and assists in various Honeynet deployment efforts.
  • Rehan Ahmed is a new and active member. He assists in the management of the Pakistan Chapter and the HP infrastructure.
  • Omar Khan has been involved in attack analysis and reporting.
  • Muhammad Ahmed Siddiqui is an active member involved in attack research and analysis.
  • Musarrat Ali Khan assists in various Honeynet deployments.
  • Ayaz Ahmed Khan has been involved in writing research papers.

DEPLOYMENTS
We have the following technologies deployed:

  • Honeeebox sensor on 4 IPs
  • Low-interaction honeypots using Dionaea on 4 IPs
  • Low-interaction honeypots using Nepenthes on 4 IPs
  • High-interaction virtual honeynet based on Honeywall on 2 IPs
  • MITRE Honeyclient to analyze malicious .pk websites (disengaged in July 2010)

RESEARCH AND DEVELOPMENT

  • We are working with Pakistan’s CERT to deploy country-wide distributed honeypot/honeynet sensors to collect and correlate data.
  • We enhanced our internal data analysis and reporting platform to fetch data from diverse log sources and import it into our central database.
  • We are interested in contributing to Honeywall and Honeeebox development and enhancements.

FINDINGS

  • We have been monitoring and analyzing attacks initiated from Pakistan’s IP ranges. We have identified a large number of IPs/nodes that are part of botnets and are being used in various attacks. Most of the groups operating from Pakistan target users outside the country and are part of international blackhat groups. However, we have recently seen a rise in local blackhat groups carrying out defacements for political reasons.
  • We have also been focusing on analyzing attacks towards Pakistan’s networks. We have seen a rise in phishing attacks against Pakistani banks launched by both local and international groups. We also investigated a few targeted DDoS attacks against financial institutions and helped them mitigate those.
  • We analyzed various client-side malware, such as samples targeting IE, Word and Adobe products, and found that they are getting more sophisticated day by day. With the rise of FUD (fully undetectable) encryptors and encoders used to evade protection mechanisms, attacks are becoming more sophisticated and complicated.

PAPERS AND PRESENTATIONS

  • Dawn News TV interviewed Faiz Ahmad Shuja and Muhammad Omar Khan
  • Express Newspaper interviewed Faiz Ahmad Shuja
  • CIO Magazine Pakistan interviewed Faiz Ahmad Shuja
  • CIO Web Studio interviewed Faiz Ahmad Shuja
  • Pakistan Today Newspaper interviewed Faiz Ahmad Shuja
  • Faiz Ahmad Shuja presented on Honeynets at ISS World Dubai
  • Faiz Ahmad Shuja presented on Client-side Attacks at PAKCON
  • Faiz Ahmad Shuja presented on Honeynets at SZABIST University
  • Faiz Ahmad Shuja presented on Mobile Threats at the Mobile Banking Conference, Pakistan
  • Faiz Ahmad Shuja was invited to a discussion panel on Latest Security Threats at the E-Banking Conference, Pakistan

GOALS

  • Actively participate in the development and enhancement of Honeywall
  • Contribute to the distributed Honeeebox deployment
  • Expand our sensors country-wide with Pakistan’s CERT
  • Enhance our data analysis capabilities

MISC ACTIVITIES
We have also been actively involved in managing and monitoring the Honeynet Project infrastructure, which consists of the official website, internal portal, mail server, mailing lists, IRC, trac, svn and a few other services.