+------------------------------------------------------------------------------+
|                                      /\                                      |
|                                    /\\//\                                    |
|                                    \//\\/                                    |
|                                      \/                                      |
|                                   honeynor                                   |
|                         a norwegian honeynet project                         |
|                                                                              |
|                            http://www.honeynor.no                            |
|                                                                              |
|                                      --                                      |
|                                                                              |
|                           Bi-annual status report                            |
|                                   2007-#1                                    |
+------------------------------------------------------------------------------+

1.0 DEPLOYMENTS

1.1 Current technologies deployed. Describe anything that you have deployed
    that is collecting information, including honeynets, client honeypots,
    honeyd, mwcollect, or anything else honeypot related.

  * Our current honeynet is a GenIII honeynet with Roo and various operating
    systems running as honeypots on VMware Server. Most of the honeynet was
    redesigned and reinstalled during the last period in a new datacentre with
    stable power and proper AC.
  * Honeynor has a central nepenthes honeypot with distributed malware
    collectors.
  * A decentralised SSH server for collecting statistics on SSH activity and
    brute-forcing.

2.0 FINDINGS

2.1 Highlight any unique findings, attacks, tools, or methods.

  * SSH brute force attacks continue to happen. Again we observe brute force
    attacks with Norwegian usernames (ref. our previous status report).
  * Malware collection from Nepenthes continues. The top three malware families
    are SDBot, PoeBot and Virut. Analysis with anti-virus scanners shows a 70%
    detection rate (past 12 months of data). Malware is submitted to Norman
    Sandbox on a regular basis and to CWSandbox on an ad-hoc basis for
    analysis. Manual malware analysis is done using OllyDbg et al.

2.2 Any trends seen in the past six months.

  * No significant trends observed.

3.0 LESSONS LEARNED

3.1 What new positive things can you share with the community, so they can
    replicate your success?

  * VoIP/Asterisk works well for conferencing if not all members can
    participate in person at meetings.

3.2 What new mistakes can you share with the community, so they don't make the
    same mistakes?

3.3 Are there any research ideas you would like to see developed?
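The SSH statistics collection mentioned in 1.1 and the brute-force observation in 2.1 (repeated attempts, some with Norwegian usernames) come down to parsing sshd authentication log lines and aggregating them per source address and per username. The following is an added example, not Honeynor's own collector code: it parses OpenSSH "Failed password" lines, counts attempts per source, flags sources that exceed a threshold, and reports hits against a username watchlist. The log lines, the threshold of 5 and the watchlist of names are all constructed for the example and are not data from the report.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed OpenSSH auth.log excerpt (not real honeypot data); documentation
# address ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) are used.
SAMPLE_LOG = """\
Mar  3 04:12:01 hp1 sshd[2101]: Failed password for invalid user ola from 203.0.113.7 port 51022 ssh2
Mar  3 04:12:03 hp1 sshd[2101]: Failed password for invalid user kari from 203.0.113.7 port 51023 ssh2
Mar  3 04:12:05 hp1 sshd[2101]: Failed password for invalid user per from 203.0.113.7 port 51024 ssh2
Mar  3 04:12:07 hp1 sshd[2101]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 04:12:09 hp1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Mar  3 04:12:11 hp1 sshd[2101]: Failed password for invalid user test from 203.0.113.7 port 51027 ssh2
Mar  3 05:40:44 hp1 sshd[2311]: Failed password for invalid user ola from 198.51.100.23 port 40001 ssh2
Mar  3 05:40:50 hp1 sshd[2311]: Failed password for root from 198.51.100.23 port 40002 ssh2
Mar  3 06:01:02 hp1 sshd[2400]: Accepted publickey for operator from 192.0.2.10 port 53311 ssh2
Mar  3 06:05:15 hp1 sshd[2450]: Invalid user lars from 198.51.100.23 port 40003
"""

# Illustrative watchlist of locale-specific usernames (assumption for the
# example, not the list the report refers to).
WATCHLIST = {"ola", "kari", "per", "lars"}

# Only "Failed password" lines are counted as attempts. The "Invalid user ..."
# line sshd logs before such a failure describes the same attempt, so counting
# both would double-count.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


@dataclass(frozen=True)
class Attempt:
    user: str
    src: str
    invalid_user: bool  # True when the username does not exist on the host


def parse_attempts(log_text):
    """Extract one Attempt per 'Failed password' line; skip everything else."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue  # accepted logins and other sshd messages are not attempts
        attempts.append(Attempt(m["user"], m["src"], m["invalid"] is not None))
    return attempts


def summarize(attempts, threshold=5):
    """Aggregate attempts per source and per username; flag noisy sources."""
    by_src = Counter(a.src for a in attempts)
    by_user = Counter(a.user for a in attempts)
    users_per_src = defaultdict(set)
    for a in attempts:
        users_per_src[a.src].add(a.user)
    # A source that tries 'threshold' or more passwords is treated as a
    # brute-force source; the value 5 is an example setting.
    flagged = sorted(src for src, n in by_src.items() if n >= threshold)
    return {
        "by_src": by_src,
        "by_user": by_user,
        "users_per_src": {s: sorted(u) for s, u in users_per_src.items()},
        "flagged": flagged,
    }


def usernames_matching(by_user, watchlist):
    """Return attempt counts for usernames that appear on the watchlist."""
    return {u: n for u, n in by_user.items() if u in watchlist}


if __name__ == "__main__":
    stats = summarize(parse_attempts(SAMPLE_LOG))
    print("attempts per source:", dict(stats["by_src"]))
    print("flagged sources:    ", stats["flagged"])
    print("usernames per source:", stats["users_per_src"])
    print("watchlist hits:     ", usernames_matching(stats["by_user"], WATCHLIST))
```

On a distributed setup like the one in 1.1, each sensor would run the parser over its own log and ship the per-source and per-username counters to the central node, where the Counters can simply be added together.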
4.0 TECHNOLOGY

4.1 What tools or functionality are we lacking, what do we need to work on?

  * A SIP honeypot would be great: one that actually answers SIP INVITEs and
    records the conversation.

4.2 What new tools or technology are you working on?

4.3 Would you like to integrate this with any other tools, or are you looking
    for help or collaboration with others in testing or developing the tool?

5.0 PAPERS AND PRESENTATIONS

5.1 Are you working on any papers to be published, such as KYE or academic
    papers?

  * None.

5.2 Are you looking for any data or people to help with your papers?

  * No.

5.3 Where did you publish/present honeypot-related material?

  * Honeynor presented at the Norwegian Information Security Forum (ISF) and
    at the Syscom Security Forum on honeynet technologies and botnets.
  * Honeynor representatives presented on honeynet technologies, malware and
    botnets for companies (internal presentations).

6.0 ORGANIZATIONAL

6.1 Changes in the structure of your organization.

  * One new member: Morten Kråkvik, currently working at Telenor Security
    Operations Center (TSOC).

6.2 Your feedback on Alliance activities.

6.3 Any suggestions for improving the Alliance?

7.0 GOALS

7.1 Which of your goals did you meet for the last six months?

  * Honeynet infrastructure successfully migrated to the new datacentre.
  * Held internal course/training on malware analysis for members at two
    dedicated meetings.

7.2 Which of your goals did you not meet for the last six months?

  * Set up a full VoIP honeypot for tracking down SPIT (SPAM over Internet
    Telephony) and other exploits.

7.3 Goals for the next six months

  * Continued focus on malware analysis, automation of sample collection and
    training of team members in analysis and reverse engineering.
  * Get the infrastructure running properly in the new datacentre.
  * New deployments of honeypots, with focus on getting Sebek-integrated
    honeypots and the first VoIP honeypot up and running.
  * Participation in the GDH network.
8.0 MISC ACTIVITIES

8.1 Anything else not covered you would like to share.

  * Received sponsorship for GDH infrastructure, and are in the process of
    installing the GDH node.