Join us for the Honeynet Workshop 2024: May 27th–29th, Copenhagen, Denmark

Improving dynamic analysis coverage in Android with DroidBot

23 Feb 2016 Roberto Tanara android droidbot droidbox gsoc
Hi there, my name is Li Yuanchun and I’m glad to introduce DroidBot, a tool to improve the coverage of dynamic analysis. As it is the case for malware targeting the desktop, static and dynamic analysis are also used for detection of Android malware. However, existing static analysis tools such as FlowDroid or DroidSafe lack accuracy because of specific characteristics of the Android framework like ICC (Inter-Component Communication), dynamic loading, alias, etc.

dpkt v2.0

22 Feb 2016 Kiran Bandla dpkt gsoc python
What is dpkt? dpkt is a Python library that helps with “fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols”. It supports a lot of protocols (currently about 63) and has been increasingly used in a lot of network security projects. It is 44x faster than Scapy2, and 5x faster than Impacket3. With Scapy no longer in development, dpkt is the only network creation/parsing library for Python that is active.

Rumal, a web GUI for Thug

22 Feb 2016 Pietro Delsante gsoc rumal thug
As you may know, Thug is a handy tool for studying exploit kits, as it emulates a real browser complete of a set of plugins like Adobe Reader, Flash and Java. When you feed Thug with the URL of a suspicious web page, it “crawls” it and starts fetching and executing any internal or external JavaScript, following redirects and downloading files just like a browser would do. When Thug encounters some files it cannot analyze by itself (like Flash, Java and PDF), it passes them to external tools.

Adding a scoring system in peepdf

19 Feb 2016 Roberto Tanara gsoc peepdf
peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. With peepdf it’s possible to see all the objects in the document showing the suspicious elements, supports the most used filters and encodings, it can parse different versions of a file, object streams and encrypted files.

Google Summer of Code 2016

19 Feb 2016 David Watson gsoc
Although it is still winter in much of the northern hemisphere, for students and open source software developers, the gradually lengthing days mean that spring will soon be with us - and of course that means another chance to potentially get involved in Google Summer of Code (GSoC). After successfully participating in GSoC between 2009 and 2015, and having created or extended many honeynet technologies that have since gone on to become industry standard tools, we are very happy to annouce that The Honeynet Project has applied to be a mentoring organization once again in GSoC 2016.

mitmproxy: HTTP/2 Support and GSoC 2016

15 Feb 2016 Maximilian Hils gsoc mitmproxy
We are happy to announce the immediate availability of mitmproxy 0.16! As a major new feature, Thomas Kriechbaumer – who joined us as a Google Summer of Code (GSoC) Student last year – contributed a brand new HTTP/2 implementation built on top of hyper-h2. HTTP/2 requests now blend into the mitmproxy UI just like regular HTTP 1 requests, making mitmproxy the first interactive HTTPS proxy with HTTP/2 support! All HTTP/2 features from RFC7540 are supported - including PUSH_PROMISE, RST_STREAM, and as many concurrent streams as you want.

ARTDroid: an easy-to-use framework for hooking under ART

02 Feb 2016 Cong Zheng android art dynamic-analysis gsoc hook malware
During Google Summer of Code 2015, in the Honeynet Project open-source org, Valerio Costamagna and Cong Zheng (mentor) worked on ARTDroid, an easy-to-use framework for hooking virtual-method under latest Android runtime (ART). Introduction We propose ARTDroid, a framework which allows to analyze Android apps without modifications to both Android framework and apps. The core technology is the library injection and virtual methods hooking by vtable tampering after getting the root privilege.

The Spamhattan Project

11 Jan 2016 Jop van der Lelie
Let’s develop a nextgen spamtrap and create intel feeds for .NL A rising amount of criminals are spreading cryptoware in order to ‘make money’. Cryptoware is ransomware that secretly encrypts files, like documents and pictures, of innocent users. The criminals make money by selling the decryption key. Most of the cryptoware is spread via email. Virus-scanners and anti-spam solutions have a hard time in defending against those threats and often there are no Indicators of Compromise (IoC) that help detecting infected devices in an early phase.

Improved logging capabilities of dionaea

14 Dec 2015 Stanislav Barta dionaea frontend honeypot
Hello, recently I made fork of dionaea and DionaeaFR. Changes that I did are related with remote logging to relational database. Dionaea honeypot can now log remotely to postgresql database. In DionaeaFR frontend I had to do some changes, so it could support reading data from postgresql. Links are github.com/GovCERT-CZ/dionaea and github.com/GovCERT-CZ/DionaeaFR. I think that some one could use that so I write this post. Have a nice day, Stanislav Bárta

Frontends for shockpot and wordpot

04 Dec 2015 Stanislav Barta frontend honeypot shockpot wordpot
Hello, recently I published forks of shockpot and wordpot on GitHub. These new versions include support for logging to postgresql database. I also created two frontends. One for shockpot with a name Shockpot-Frontend and second for wordpot with a name Wordpot-Frontend. Both frontends are based of great tool Kippo-Graph. You can find them also on GitHub. Links are github.com/GovCERT-CZ/Shockpot-Frontend and github.com/GovCERT-CZ/Wordpot-Frontend. These frontends require data from honeypots stored in postgresql database and that’s why I made forks of those honeypots.