Sysenter Chapter Status Report 2013

ORGANIZATION

The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

  • Angelo Dell'Aera
  • Andrea De Pasquale
  • Charlie Hurel
  • Gianluca Guida
  • Guido Landi
  • Patrik Lantz
  • Pietro Delsante
  • Roberto Tanara
  • Yuriy Khvyl

The Chapter members are interested in research projects covering the following topics:

  • Automated botnet tracking
  • Low-interaction client honeypots
  • Automated malware collection and analysis systems
  • Distributed honeynet deployment, operation and data analysis
  • Intrusion detection
  • Reverse engineering
  • Mobile malware analysis
  • Virtualization
  • Computer forensics

DEPLOYMENTS

  • We finalized the deployment of a CuckooBox instance with a large set of virtual machines and custom analyzer modules that should help us track the latest infostealer threats (Citadel, Ice IX, Murofet, ZeuS, SpyEye, etc.). We also contributed several commits to the development of Cuckoo 1.0.
  • We have deployed several Honeeebox sensors. Recorded attacks and malware samples are submitted to HPFeeds.
  • We have deployed a Splunk instance to collect and monitor HPFeeds data and started the evaluation of some visualization modules.
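
The following is an added example, not code from the chapter's deployment, from the Honeeebox sensors or from the hpfeeds project itself. It shows the wire format that sensors and a collector speak when data is "submitted to HPFeeds" and then pulled into Splunk: length-prefixed frames with a one-byte opcode, the INFO/AUTH handshake (SHA-1 over the broker nonce and the shared secret, as in the hpfeeds reference implementation), a PUBLISH message, and the flattening of a received PUBLISH payload into one JSON line a log collector can index. The sensor identifier, channel name, secret, nonce and payload below are constructed for the example.

```python
"""hpfeeds framing helpers: build, split, authenticate and flatten messages offline."""
import hashlib
import hmac
import json
import struct

# Opcode values as used by the hpfeeds reference implementation.
OP_ERROR, OP_INFO, OP_AUTH, OP_PUBLISH, OP_SUBSCRIBE = range(5)
HEADER = struct.Struct("!IB")  # big-endian: total length (header included), opcode


def _strpack8(s: bytes) -> bytes:
    """One-byte length prefix; idents and channel names are therefore capped at 255 bytes."""
    if len(s) > 255:
        raise ValueError("string too long for an 8-bit length prefix")
    return bytes([len(s)]) + s


def frame(opcode: int, payload: bytes) -> bytes:
    return HEADER.pack(HEADER.size + len(payload), opcode) + payload


def msg_info(broker: bytes, nonce: bytes) -> bytes:
    """Broker -> client: broker name and the nonce the client must sign."""
    return frame(OP_INFO, _strpack8(broker) + nonce)


def msg_auth(nonce: bytes, ident: bytes, secret: bytes) -> bytes:
    """Client -> broker: ident plus sha1(nonce + secret)."""
    return frame(OP_AUTH, _strpack8(ident) + hashlib.sha1(nonce + secret).digest())


def msg_publish(ident: bytes, chan: bytes, data: bytes) -> bytes:
    return frame(OP_PUBLISH, _strpack8(ident) + _strpack8(chan) + data)


def msg_subscribe(ident: bytes, chan: bytes) -> bytes:
    return frame(OP_SUBSCRIBE, _strpack8(ident) + chan)


def split_frames(buf: bytes):
    """Return ([(opcode, payload), ...], unconsumed tail) from a raw byte stream."""
    frames = []
    while len(buf) >= HEADER.size:
        length, opcode = HEADER.unpack_from(buf)
        if length < HEADER.size:
            raise ValueError("frame length smaller than header")
        if len(buf) < length:
            break  # partial frame: keep the tail for the next read
        frames.append((opcode, bytes(buf[HEADER.size:length])))
        buf = buf[length:]
    return frames, buf


def parse_publish(payload: bytes):
    ilen = payload[0]
    ident = payload[1:1 + ilen]
    clen = payload[1 + ilen]
    chan = payload[2 + ilen:2 + ilen + clen]
    return ident.decode(), chan.decode(), payload[2 + ilen + clen:]


def check_auth(nonce: bytes, payload: bytes, creds: dict) -> bool:
    """Broker side: recompute sha1(nonce + secret) and compare in constant time."""
    ilen = payload[0]
    ident = payload[1:1 + ilen]
    digest = payload[1 + ilen:]
    secret = creds.get(ident)
    if secret is None or len(digest) != 20:
        return False
    return hmac.compare_digest(hashlib.sha1(nonce + secret).digest(), digest)


def publish_to_event(payload: bytes) -> str:
    """Flatten one PUBLISH payload into a single JSON line for a log collector."""
    ident, chan, data = parse_publish(payload)
    try:
        body = json.loads(data)
    except ValueError:
        body = {"raw_hex": data.hex()}  # binary samples: keep them indexable
    return json.dumps({"ident": ident, "channel": chan, "data": body}, sort_keys=True)


def demo() -> str:
    """Constructed exchange: INFO, AUTH, PUBLISH, then the collector-side event."""
    nonce, ident, secret = b"\x01\x02\x03\x04", b"sensor-01", b"s3cret"  # constructed
    capture = b'{"saddr": "198.51.100.7", "md5": "d41d8cd98f00b204e9800998ecf8427e"}'
    stream = (msg_info(b"broker", nonce)
              + msg_auth(nonce, ident, secret)
              + msg_publish(ident, b"dionaea.capture", capture))
    frames, tail = split_frames(stream)
    assert tail == b"" and [op for op, _ in frames] == [OP_INFO, OP_AUTH, OP_PUBLISH]
    assert check_auth(nonce, frames[1][1], {ident: secret})
    return publish_to_event(frames[2][1])


if __name__ == "__main__":
    print(demo())
```

`split_frames` keeps an incomplete trailing frame instead of raising, which is what a collector reading from a socket needs; `check_auth` uses a constant-time comparison so the broker does not leak the digest byte by byte.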

RESEARCH AND DEVELOPMENT

  • We are currently developing Thug, a Python low-interaction honeyclient. We are also planning to develop Thug plugins for PDF and JAR analysis.
  • We are currently developing Buttinsky, a botnet monitoring tool. The project was selected for the second round of the Rapid7 Magnificent7 program. Some documentation and the steps we want to take next are listed here. The main feature we would like to implement next is inferring the message format and state machine of an unknown protocol using machine learning.
  • We improved Droidbox, an Android application sandbox.
  • We improved TIP (Tracking Intelligence Project), an information gathering framework whose purpose is to autonomously collect, correlate and analyze data useful for understanding Internet threat trends.
  • We improved Pylibemu, a Libemu wrapper written in Cython.
  • We are closely monitoring the development of the ZeuS variants that appeared after the public leak of the ZeuS 2.0.8.9 source code: Citadel, Ice IX, Murofet and several other custom variants with a smaller media impact but with new and interesting features.
  • We studied some new mobile malware samples and some new exploit kits serving APKs instead of regular PE executables.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

We held a lecture on Android dynamic analysis, and specifically on DroidBox, during UbiCrypt (a reverse-engineering summer school) hosted by Ruhr-Universität Bochum and Thorsten Holz's research group. This also gave us the opportunity to promote GSoC and The Honeynet Project to the students.

Moreover, we were frequently engaged to give educational presentations or teach university classes on emerging threats.

GOALS

In 2014 we would like to continue improving the tools we have already released (see Section "Research and Development" for further details).

MISC ACTIVITIES

  • We are currently leading the Forensic Challenge organization efforts.
  • We are currently involved in maintaining the Honeynet Project infrastructure.

MENTORING