We’ve finally managed to compile our annual status report for 2008. Much of the information in it has previously been published as entries on our blog, but the details on what tools we’re using and what systems we’re running, and especially our lessons learned and the changes to the organization, are all new. As the report unfortunately states, we’ve not been able to get our GDH-2 node operational. This is by no means a technical issue, but rather a result of limited time and various practicalities. Malicious VoIP, malicious PDFs, SSH brute-force attacks, SQL injection and executables disguised as JPEG files are some of the cases highlighted in the report.
The complete report can be found here: annual_status_report_2008.txt
Our status report for 2007 didn’t include any significant findings. Our honeynet has been under heavy maintenance and has been moved to another network in a new datacentre with stable, redundant power and proper AC. We have also installed a decentralized SSH server for collecting statistics on SSH activity and brute-forcing. And we finally got sponsorship for the GDH infrastructure, and are in the process of installing the GDH node.
The complete report can be found here: bi-annual_statusreport_2007-1.txt
Our first bi-annual status report for 2006 is now public. We’d like to give some extra attention to the Dasher.B case. Honeynor sent an email to the alliance on December 15th (2005) about port 1025/tcp activity, after we had monitored this traffic for some weeks. It was identified as unknown DCOM activity from China, and we requested a working vulnerability emulator on the alliance list. Georg Wicherski from the German Honeynet Project hacked together a tool on short notice, and captured the first sample of Dasher.B.
This case, which involved the Norwegian, German and Chinese teams, demonstrated how the teams can work together.
The entire report can be found here: bi-annual_statusreport_2006-1.txt
Our Q4 status report for 2005 is now public. The finding of local-language-specific brute-forcing of SSH logon credentials was particularly interesting. Until now, all SSH brute-forcing we have seen has used foreign usernames (mostly English-based), so it was interesting to see that typical Norwegian names (torbjørn, harald, sverre, etc.) were also being used.
The entire report can be found here: bi-annual_statusreport_2005q4.txt
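The kind of SSH brute-force statistics discussed in the 2005 and 2007 posts, as an added example that is not part of Honeynor's reports or tooling: it parses sshd "Failed password" lines, flags sources above an attempt threshold, and measures how much of each source's username list matches a local-language name list, so that a localized wordlist like the one observed above stands out from the usual English-based one. The log lines are constructed for this example, and the Norwegian name list is a small hypothetical one that a real deployment would replace with a fuller wordlist.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines; not taken from the honeynet's own data.
SAMPLE_LOG = """\
Dec 12 03:14:01 honeypot sshd[2201]: Failed password for invalid user torbjørn from 10.0.0.5 port 41234 ssh2
Dec 12 03:14:03 honeypot sshd[2203]: Failed password for invalid user harald from 10.0.0.5 port 41236 ssh2
Dec 12 03:14:05 honeypot sshd[2205]: Failed password for invalid user sverre from 10.0.0.5 port 41238 ssh2
Dec 12 03:14:07 honeypot sshd[2207]: Failed password for root from 10.0.0.5 port 41240 ssh2
Dec 12 03:14:09 honeypot sshd[2209]: Failed password for invalid user admin from 10.0.0.5 port 41242 ssh2
Dec 12 03:14:11 honeypot sshd[2211]: Failed password for invalid user test from 192.0.2.9 port 50001 ssh2
Dec 12 03:14:13 honeypot sshd[2213]: Failed password for invalid user oracle from 192.0.2.9 port 50003 ssh2
Dec 12 03:20:00 honeypot sshd[2301]: Accepted password for ola from 198.51.100.7 port 60000 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Failed password for X from IP" (the latter for accounts that exist, e.g. root).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Hypothetical, deliberately small list of common Norwegian first names;
# a real deployment would load a proper wordlist here.
NORWEGIAN_NAMES = {"torbjørn", "harald", "sverre", "ola", "kari", "bjørn", "lars", "nils"}


def parse_failed_logins(log_text):
    """Return a list of (source_ip, username) for every failed password attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("src"), m.group("user")))
    return attempts


def brute_force_sources(attempts, threshold=3):
    """Sources with at least `threshold` failed attempts, mapped to their attempt count."""
    counts = Counter(src for src, _ in attempts)
    return {src: n for src, n in counts.items() if n >= threshold}


def username_stats(attempts, local_names=NORWEGIAN_NAMES):
    """Per source: attempt count, distinct usernames tried, and the share of them
    that appear in the local-language name list."""
    per_src = defaultdict(list)
    for src, user in attempts:
        per_src[src].append(user)
    stats = {}
    for src, users in per_src.items():
        distinct = set(users)
        local = distinct & local_names
        stats[src] = {
            "attempts": len(users),
            "distinct_users": len(distinct),
            "local_users": sorted(local),
            "local_fraction": len(local) / len(distinct),
        }
    return stats


def localized_bruteforcers(attempts, threshold=3, min_local_fraction=0.5):
    """Brute-forcing sources whose username list looks locale-specific."""
    sources = brute_force_sources(attempts, threshold)
    stats = username_stats(attempts)
    return sorted(src for src in sources
                  if stats[src]["local_fraction"] >= min_local_fraction)


if __name__ == "__main__":
    found = parse_failed_logins(SAMPLE_LOG)
    for src, info in username_stats(found).items():
        print(src, info)
    print("localized brute-forcers:", localized_bruteforcers(found))
```

In the sample, 10.0.0.5 makes five attempts and three of its five usernames are on the local list, so it is reported; 192.0.2.9 stays below the attempt threshold and uses only generic names. The threshold and fraction are tuning knobs: on a honeypot every failed login is suspicious, so the value of the fraction is less in alerting than in tracking over time whether attackers are adapting wordlists to the target's locale.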