We have developed a good many tools over the past year; examples of some of them follow.
Minionz
The Minionz system was made to make it easier for everyone to start processing malware in an automated fashion. Using VirtualBox and the VBoxManage command-line tool, we have devised a system around the VirtualBox software to collect and associate network-related information for a given malware sample.
Version 1.0 can be found here.
Tracker
The Tracker System was devised simply to find Fast Flux domains. The criterion used to identify a fast flux domain is that it has had more than “x” new IP addresses resolved in under 5 seconds. It has been very effective at finding the “Storm” fast flux domains and their IPs.
Version 1.1 can be found here.
Version 1.0 can be found here.
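As an added example (not the Tracker code itself), the 5-second criterion above implemented as a sliding-window check in Python; the observation lists, function names and threshold are constructed for illustration.

```python
"""Added example of the Tracker heuristic: a domain is fast flux if more than
"x" new IP addresses resolve for it in under 5 seconds. The data below is
constructed, not real DNS observations; the names are my own."""


def max_new_ips_in_window(observations, window_seconds=5.0):
    """Largest number of previously unseen IPs whose first appearance falls
    inside any span strictly shorter than window_seconds.

    observations: iterable of (timestamp_seconds, ip_string) from repeated
    resolutions of one domain, in any order.
    """
    # Only the first time an IP appears counts as "new".
    first_seen = {}
    for ts, ip in observations:
        if ip not in first_seen or ts < first_seen[ip]:
            first_seen[ip] = ts
    times = sorted(first_seen.values())

    best, left = 0, 0
    for right, t in enumerate(times):
        # Shrink the window until its span is strictly under window_seconds.
        while t - times[left] >= window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def is_fast_flux(observations, x, window_seconds=5.0):
    """Apply the page's rule: more than x new IPs in under window_seconds."""
    return max_new_ips_in_window(observations, window_seconds) > x


# Constructed data: a flux domain handing out a fresh address on every lookup,
# two lookups per second (documentation range 198.51.100.0/24).
FLUX_OBS = [(0.5 * i, f"198.51.100.{i}") for i in range(12)]

# Constructed data: a load-balanced domain rotating among three fixed addresses.
ROTATING_OBS = [(0.5 * i, f"203.0.113.{i % 3}") for i in range(12)]

if __name__ == "__main__":
    for name, obs in (("flux", FLUX_OBS), ("rotating", ROTATING_OBS)):
        print(name, max_new_ips_in_window(obs), is_fast_flux(obs, x=5))
```

Repeated lookups of a stable IP set never raise the count, so a round-robin load balancer is not flagged while a domain that keeps producing new addresses is.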
Spam Processor
The Spam Processor was devised to perform the following:
1) Extract all URLs from spam emails.
2) Attempt to pick the correct sender of the spam.
3) Tie the sender and the URL together.
4) Save the information in a database for later viewing/reporting.
Version 1.0 can be found here.
Trigona
The “Trigona” bee is the largest genus of stingless bees. Native to Australia, they are much smaller than the common bee, and yet still benefit humankind by producing honey while not carrying a sting! The perfect bee. If you are interested in this, read further.
The Trigona System was created to help us ascertain whether or not a URL is malicious. We defined a ‘malicious URL’ as a URL that would perform an attack on a browser and install an executable on the user's machine.
Instead of reinventing the wheel for sandboxing, we chose to create a scheduling system around the Sandboxie software. Using this, we are able to have multiple IE instances open at the same time, each in its own sandbox, browsing malicious URLs. The sandbox can then be closed and the file system examined for any suspicious changes. If those changes include new binaries, the file system contents are zipped up and the URL is flagged in a database as suspicious.
We may be posting the code in the future for those interested.
**UPDATE**
See BLOG entry
http://honeynet.org.au/?q=node/63
http://honeynet.org.au/release/Trigona/TRIGONA-v1.0.zip
**/UPDATE**