Following is a brief summary of our activity and contributions during 2010:
2010 saw the addition of David Zielezna as a contributor to the Project.
We are now:
– Shaun Vlassis, HP full member, Chapter lead.
– Ben Reardon, HP full member, member of the HP Public relations and membership committees.
– David Zielezna, Contributor, and in charge of AHP infrastructure.
2010 Annual Honeynet project workshop, Mexico City
Shaun and Ben attended the 2010 Annual workshop and presented to the group on VOIP attacks and honeypots, development of malware data visualization techniques, and defacement tracking.
Forensic challenge 4
Development of Forensic challenge FC4, which dealt with VOIP attacks.
Participation as a co-admin and mentor for the Honeynet Project’s Google funded GSOC 2010 initiative.
- The Australian High Tech Crime Conference, HTCC2010 8 September 2010
Presentation: VOIP Honeypots
- Melbourne Branch: Australian Information Security Association (AISA) 12 August 2010
Presentation: The Honeynet project and Data Visualization for Security Purposes
- Sydney Branch: Australian Information Security Association (AISA) 15 September 2010
Presentation: HiTech Crime and Honeypots
- Ballarat Innovation, Communication and Technology Cluster 15 June 2010
Presentation: Honeynet Project
- AusCERT Conference, Gold Coast Queensland. May 2010
We were pleased to see work on VOIP attack analysis referenced in an academic paper delivered at the Australian Digital Forensics Conference by Craig Valli, “An Analysis of Malfeasant Activity Directed at VoIP Honeypots”.
Highlights of 2010
- Sharing our work at the Annual workshop
- Collaboration with the Norway Chapter on VOIP honeypots, and Forensic Challenge FC4
- Collaboration with the many students and mentors during GSOC 2010
- Developing new ways of understanding malicious activity by using data visualization tools
- Collection and analysis of honeypot data indicating substantial malicious activity against VOIP (SIP) servers.
- Continued development of Honey Client system Trigona
Goals for 2011
- Seek to identify and analyse NEW and less understood data sets and attack vectors
- Attend and present at the first ever Public Honeynet Project workshop in March 2011
- Continue development of data visualization techniques on data sets
- Continue VOIP activity research
- Continue development of Trigona and other tools
Jan 2010 report
1. Changes in the structure of your organization.
We had the addition of Ben R as another full time chapter member.
2. List current chapter members and their activities
Shaun – Chapter Lead
spam processing system, fast flux tracking system,
client honeypotting, malware processing system
Ben – Full time member
XSS Alerting System
Defacement Alerting System
1. List current technologies deployed.
distributed nepenthes sensor network
xss tracking system
defacement tracking system
fast flux tracking system
malware submission and processing system
2. Activity timeline: Highlight attacks, compromises, and interesting information collected.
From our distributed nepenthes network we have seen that the majority of attacks for 2008 have originated from Japan. They make up nearly 2/3 of all sources for network-based attacks targeting Australian IP address space.
RESEARCH AND DEVELOPMENT
1. List any new tools, projects or ideas you are currently researching or developing.
fast flux tracking system
edonkey malware scraping system — fabled and when time permits
client honeypotting setup
hacked site identification
2. List tools you enhanced during the last year
spam processing system
fast flux tracker -> changed backend code
automatic identification of new fast-flux networks from processing spam feeds
3. Would you like to integrate this with any other tools, or are you
looking for help or collaboration with others in testing or developing
4. Explain what kind of help or tools or collaboration you are interested in.
Would very much like to spend more time developing scraping software for popular p2p networks to look for infected files there.
1. Highlight any unique findings, attacks, tools, or methods.
Majority of network borne attacks originate from Japan.
2. Any trends seen in the past year?
3. What are you using for data analysis?
publicly available sandboxing technologies such as cws/threatexpert/anubis etc.
vtotal for identification/distribution
4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
spam processing and fast-flux identification working great
distributed nepenthes submission system works really well. Almost 0% maintenance needed on the server side due to how it has been set up.
PAPERS AND PRESENTATIONS
1. Are you working on or did you publish any papers or presentations,
such as KYE or academic papers? If yes, please provide a description
and link (if possible)
Currently working on a presentation outlining the malicious events
observed for the year of 2008. To be presented at the 2009 Auscert
2. Are you looking for any data or people to help with your papers?
3. Where did you present honeypot-related material? (selected publications)
1. Which of your goals did you meet for the past year?
bring the nepenthes component of the AU sensornet online
get supporters to run malware collection points for the nepenthes sensornet
create spam processing system
improve the fast flux tracking system
create an automated malware distribution system that takes in malware
collected from numerous sources and forwards onto necessary parties
such as sandbox vendors/ AV companies etc.
2. Goals for the next year.
expand infrastructure and bring in more data sources to help identify more malicious events in AU
continue to create new automated systems
Chapter members have attended the following conferences this year: