libemu: Detecting selfencrypted shellcode in network streams

10 Dec 2008 Markus Koetter libemu shellcode
As libemu had its second release (0.2.0) lately, I’ll try to introduce it to the audience who did not hear about it yet. libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. Intended use is within network intrusion detection/prevention systems and honeypots. This post is split into four parts: a practical libemu use case, showing how it executes shellcode and which information we get from it; an explanation of libemu and how it detects shellcode; high-level shellcode profiling and the prerequisites for this step; and API call hooking internals. Example: the input shellcode. The shellcode was created using Metasploit 3; it is a Windows bindshell decrypted with an XOR chain.

My usenix WASL 2008 slides are available

08 Dec 2008 Sebastien Tricaud
I gave a lecture on Picviz during the Usenix Workshop on the Analysis of System Logs (WASL 2008). My slides ‘Picviz: finding a needle in a haystack’ are available right here. I also ran for the Cray log analysis contest. Slides of the stuff I discovered are here. I lost the contest by 1 vote only, but I was fighting against someone who knew a lot about Cray. He had in my opinion a better talk than mine, but I only started the contest after my morning lecture and I preferred talking with people during lunch rather than doing the contest ;-)

Welcome To The Honeynet Project Website!

07 Dec 2008 Lance Spitzner
Welcome to our new website as we enter the age of Web 2.0. We have created a more dynamic website to allow our members to create and publish their own content. We have so many different activities going on with our various members that it can be challenging even for us to keep up. The goal is that each member can now publish and share with the community whenever they like.

MS08-067 exploitation in the wild

04 Nov 2008 Tillmann Werner
(This article was originally published at If you followed IT-security-related blogs or mailing lists lately, you are aware that a critical server service vulnerability in Microsoft operating systems was published recently. I’m not going to talk about the details here; there are great resources available elsewhere (and the “reversing the ms08-067 patch” article isn’t the only advice about exploiting holes you get on that page). OK, what have we got this time?

ipv6 local-link scope is a mess

20 Oct 2008 Markus Koetter ipv6-d51 link-local
I’ve been looking at ipv6 lately, and even though I got a global /64 for free from, I’m not that amused about ipv6 yet. ipv6 link-local scope: if you have multiple interfaces with ipv6 link-local addresses, the operating system does not know which interface to use, so you have to append the interface to the hostname/ip when connecting to hosts in link-local scope. If you do not use getaddrinfo, this information has to be passed to the bind/connect using

HeX 2.0 “Bonobo” is now!

06 Oct 2008 Kevin Foo hex malaysian-honeynet-chapter
After long development, we have finally managed to produce release version 2 of HeX, codename “Bonobo”. What’s new in HeX 2.0? Check out the official announcement at Thanks to all the raWPacket members who have put the effort into HeX 2.0 development, you guys are always rocking! You can grab the latest ISO (Malaysian master) Malaysian mirror at Multimedia University (Thanks to Zamri Besar) http://archive.

HeX LiveCD to be 2.0-RC2 soon.

04 Sep 2008 Kevin Foo hex
As an effort of the Honeynet Project Malaysian chapter and the RawPacket team initiative, HeX LiveCD was created. It is a Network Security Monitoring (NSM) centric Live CD, built on the principles of NSM, for analysts, by analysts. This project will eventually be forked into Hex Sensor and Hex Server to complete the cycle of NSM processes. Besides, HeX LiveCD is the blueprint for HornyD. HornyD and HoneySuckle are the toolkits for the Malaysia Distributed Honeynet Project.

The search for open VoIP gateways intensifies!

04 Sep 2008 Sjur Usken
Got several calls from customers today. Their end-customers were calling them, telling them that their phone is ringing in the middle of the night. When some of them answer, there is no one there. We do some traces on it from our VoIP platform but cannot find anything, and conclude there are random SIP INVITEs being sent directly to the adapter. This is a common way of searching for open VoIP gateways.

No more emulation!

27 Aug 2008 Tillmann Werner
Emulation is an important technology in honeypots and honeynets. It’s not always what we want, though, and here’s why. As you might know, most bots perform attacks in multiple stages, i.e., they send some exploit code to the victim that opens a shell, connect to that shell or let the shell connect back, invoke commands to download the actual malware binary, and execute the malware. Catching the exploit and providing a fake shell isn’t too hard, as shown in this post.

Our New Website

12 Aug 2008 Lance Spitzner
Greetings! First I want to start off by thanking Steve Mumford, Christine Kilger, Jamie Riden, David Watson and Markus Koetter; they are the people that made our new website possible. Second, I wanted to share with you how excited I am about this. One of the challenges we have had for years is coordinating all the different research projects our members are doing. This site will allow each person to share as much as they want, however they want.