Archive for December, 2007

Amun low interaction honeypot released

Thursday, December 13th, 2007

A new low-interaction honeypot called Amun was released last week by a German researcher called Jan Göbel at the University of Aachen. Amun takes a similar approach to nepenthes and is also designed to collect samples of autonomous spreading malware by emulating vulnerable network services and then downloading malicious payloads for analysis. It is Python and XML based, so it should be easy to extend, and can be downloaded here. Worth checking out.

Honeynet Project annual workshop

Monday, December 10th, 2007

The Honeynet Project holds a workshop every year, which is always an excellent opportunity for members from all around the world to get together in person and discuss their research.

For the first time, this year’s event was hosted by members of the Costa Rican Honeynet Project and held outside of the US, in Heredia, Costa Rica. Thirty-five members of the Honeynet Project met for four days, including Jamie and David from the UK group. As part of the first day’s shared presentations, David updated the group on the current state of our Global Distributed Honeynet (GDH). The last two days were spent on various R&D tracks, of which the largest was the initial planning session for GDH Phase Two in 2008.

Overall the event was excellent, with many participants feeling that this was the best annual workshop yet, and hopefully we’ll see the fruits of our collective activities next year.

Global Distributed Honeynet talk at PacSec07

Monday, December 3rd, 2007

I was the first international speaker at PacSec07 in Tokyo last week, and gave our initial public talk about the first phase of our Global Distributed Honeynet (GDH) research.

The abstract for the talk was:

A review of Phase One of the Honeynet Project’s latest research
initiative, the deployment and operation of a global network of
distributed high interaction research honeypots. An overview of the
architecture, challenges faced, technical tools and new
analysis/reporting procedures developed. Discussion of observed
malicious activity during operation of eleven high interaction research
honeynets around the world for six months (Jan-Jun 2007), including
attacker activity, malware collection summary, etc. Sharing of practical
operational experiences gained to date, unsolved issues and goals for
the future.

GDH was the first (publicly declared) real world distributed high
interaction research honeynet with nodes on most continents, designed
and operated by the Honeynet Project. It enables the rapid deployment of
identical honeypots over wide ranges of IP network space, monitoring of
network activity and analysis of attacks against a range of distributed
systems. The techniques and operational experience should be useful to
many organizations interested in global sensor networks and better
understanding the threats posed to their networks. A “Know Your Enemy:
GDH” white paper and other supporting material will be released in 2008.

Slides will be available online from both the PacSec07 and Honeynet Project web sites shortly, or they can be downloaded directly from here.

The presentation was an hour long, and hopefully provided an introduction to what GDH Phase One was, why and how we built and operated it, then summarized some of our initial results and plans for the future. The audience questions were of a good standard, as were follow-up discussions at the party afterwards. Any offline feedback or questions are also welcome.

Overall the conference was enjoyable, with good presentations in a number of areas and an interesting mix of both Japanese and international attendees (and the obligatory late night social activities). Hopefully we’ll see some spin off honeynet research in 2008 in a couple of areas. It was also great to have the opportunity to visit Tokyo and meet local security researchers, plus presenting to a Japanese audience with live translation was entertaining. I’d particularly like to thank Ryo Hirosawa and the other translators for all their last minute help with slide translation. Thanks once again guys!

You can find further coverage and some photographs of the event here:

  • Cedric Blancher’s Blog
  • Cedric Blancher’s Photos
  • Ryo Hirosawa’s Photos
  • Toshiharu Harada’s Photos