Email analysis with SpamScope

02 Nov 2016 Fedele Mantuano email spam spamscope

SpamScope (https://github.com/SpamScope/spamscope) is a fast and advanced tool for email analysis developed by Fedele Mantuano (@fedelemantuano). The analysis engine is based on Apache Storm and Streamparse.

Why use Apache Storm?

Apache Storm works with streams, and in this case we analyze a stream of email messages. Apache Storm lets you start small and scale horizontally as you grow: simply add more workers, which can run on different hosts.

An application is designed as a “topology” in the shape of a directed acyclic graph (DAG), with spouts (data sources) and bolts (processing steps) acting as the graph vertices. Together, the topology acts as a data transformation pipeline.

Initial analysis of four million login attempts

09 Sep 2016 Johnny Vestergaard analysis heralding honeypot

Introduction

This blog post is a follow-up to an earlier article, where I set out to conceive a system that could deliver the data needed to answer 5 specific questions.

The setup

To provide the data needed for this analysis, my setup consisted of 4 VPS situated respectively at Amazon EC2, Azure, MeeBox and a Danish ISP end-user connection. Even though the same 4 VPS were used throughout the data collection, 6 different IP addresses were used for the honeypots; the reason for this was that one of the honeypots had a dynamically assigned IP address. As mentioned in an earlier article, all honeypots were running Heralding. The technical setup was automated with Ansible.

Improving dynamic analysis coverage in Android with DroidBot

23 Feb 2016 Roberto Tanara android droidbot droidbox gsoc

Hi there, my name is Li Yuanchun and I’m glad to introduce DroidBot, a tool to improve the coverage of dynamic analysis.
As is the case for malware targeting the desktop, static and dynamic analysis are also used for the detection of Android malware. However, existing static analysis tools such as FlowDroid or DroidSafe lack accuracy because of specific characteristics of the Android framework like ICC (Inter-Component Communication), dynamic loading, aliasing, etc. While dynamic analysis is more reliable because it executes the target app in a real Android environment and monitors its behaviors at runtime, its effectiveness relies on the amount of code it is able to execute, that is, its *coverage*. Because some malicious behaviors only appear in certain states, the more states covered, the more malicious behaviors detected. The goal of DroidBot is to help achieve higher coverage in automated dynamic analysis. In particular, DroidBot works like a robot interacting with the target app and tries to trigger as many malicious behaviors as possible.
The official Android tool for this kind of analysis used to be Monkey, which behaves similarly by generating pseudo-random streams of user events like clicks, touches, or gestures, as well as a number of system-level events. However, Monkey interacts with an Android app pretty much as its name indicates, and lacks any context or semantics of the views (icons, buttons, etc.) in each app.

Released peepdf v0.3

18 Jun 2014 Jose Esparza analysis exploit pdf shellcode tool vulnerabilities

After some time without releasing any new version, here is peepdf v0.3. It is not that I was not working on the project, but since the option to update the tool from the command line was released, creating new versions became a secondary task. Besides this, since January 2014 Google has removed the option to upload new downloads to Google Code projects, so I had to figure out how to do it. From now on, all new releases will be hosted at eternal-todo.com, in the releases section.

Unveiling Dorothy2: a malware/botnet analysis framework written in Ruby.

09 Jun 2013 Marco Riccardi botnet dorothy malware sandbox

Howdy all,
I have the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby.

Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine in which a suspicious executable was executed. However, static binary analysis and system behavior analysis will shortly be introduced in future versions.
Dorothy is a multi-threaded framework: it is able to execute as many concurrent analysis processes as there are VMs present in vSphere. So if you have 5 VMs, for example, 5 binaries will be analyzed at a time, giving you 5 different output folders containing their network traffic and screenshots respectively.
It is a very modular framework, and customizing/extending it can be very easy.

Midterm Report: Project.6 Static Analysis of Android Malware

08 Jul 2011 Cong Zheng gsoc

For the forthcoming midterm evaluation of GSoC 2011, I made a lot of progress with the code and I am now about to publish the alpha release. Before the alpha is released, I have decided to post a blog entry to inform everyone about the progress of project 6 (Static Analysis of Android Malware).

Our tool is written with PyQt, which is a great Python binding for Qt. It is very easy to design the UI with Qt Designer. Qt contains lots of libraries that support a pretty UI framework. What’s more, Qt supports cross-platform applications.

TaiWan Malware Analysis Net

20 Dec 2010 Yi Lang Tsai malware taiwan twman

Basically, TWMAN is an automated behavioral malware analysis environment for malware targeting Microsoft Windows. It is developed as free and open source software, and the environment is built around Joe Stewart’s TRUMAN sandnet. Although there are many malware behavioral analysis services, such as Norman Sandbox, CWSandbox, ThreatExpert, etc., for privacy and policy reasons submitted samples must be treated as if they contain personally identifiable information, which is why an in-house environment is needed.

Get system call address from SSDT

07 Jun 2009 Chengyu Song qebek

One difference between Qebek and other existing virtualization-based honeypot monitoring tools is that I want to ‘hook’ the system service functions instead of the dispatcher, more precisely the ‘sysenter’ or ‘int 2e’ instruction. This is similar to the difference between an SSDT (System Service Descriptor Table) hook and a kernel inline hook. However, doing it this way faces a problem: how to get the function address? One way is to get it directly from the SSDT. Under Windows, since the SDT (Service Descriptor Table) can be referenced through the exported symbol ‘KeServiceDescriptorTable’, this is a very simple task. So the problem for me is how to get the SDT address in QEMU without any ‘symbol’.

LEET09 Paper: PhoneyC: A Virtual Client Honeypot

24 Apr 2009 Jose Nazario phoneyc paper leet09 honeyclient

Earlier this week I had the good fortune to be in Boston for LEET09, a workshop on exploits, malware, and large-scale trends. I presented on PhoneyC, the Python honeyclient I’ve been working on. The paper describes the architecture and features of the tool and a real-world evaluation and test. The talk was well received, and many thanks to the organizers of the conference and the PC for their helpful reviews.
Usenix has made the full paper available to all for free.

Mexican Chapter - Annual Report

12 Feb 2009 Miguel Lopez chapter mexican-chapter-annual-report report

=== ORGANIZATION ===

The Mexican HP Chapter members are:

Miguel Hernández y López (miguel_at_honeynet.org.mx)

Hugo Gonzalez Robledo (hugo_at_honeynet.org.mx)

=== DEPLOYMENTS ===

* Capture HP deployment and a nepenthes sensor in several networks.

* Working with different government agencies in Argentina to implement Nepenthes sensors and Nepenthes honeynets within their networks

* Implementation of several sensors to catch many malware samples within the National Network for Electronic Banking

=== RESEARCH AND DEVELOPMENT ===