GSoC'09: Some Updates for Glastopf

Monday, July 20. 2009
Today Lukas committed some major changes to glastopf, his Google Summer of Code project. The goal of glastopf is to learn more about attacks against web applications, mainly by attracting remote file inclusion attacks. The new version now features a new parser that should be able to handle more attacks and respond in a more flexible way. Furthermore, the connection to a central database was improved, and the daemon now also drops privileges after starting up.

The software is constantly collecting information and in the next couple of weeks more analysis tools will be implemented to also process the collected data. The current glastopf implementation logs status messages to Twitter: "Got 142 attacks in the last 30 minutes!". More than 13,000 IP addresses were observed and thousands of requests processed.

GSoC Update

Tuesday, April 21. 2009
Yesterday the results of Google Summer of Code (GSoC) were released and the Honeynet Project will mentor nine students during the summer who work on different projects: http://socghop.appspot.com/org/home/google/gsoc2009/honeynet. More information is also available at the Honeynet Project GSoC site.

I'm happy to mentor Lukas Rist, who will work on Glastopf. The goal of the project is to learn more about attacks by emulating vulnerabilities in web applications ("We have two goals: First, collecting and analyzing data and second, trying to inform compromised web page owners. Actually we are mainly collecting Remote File Inclusion attacks, but others will follow."). The source code is available at http://trac.1durch0.de/trac and will be improved during the GSoC period.

LEET'09 Taking Place Soon

Tuesday, April 7. 2009
Join us at the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (LEET'09), which will take place in Boston, MA, on April 21, 2009. LEET '09 will focus on the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, and the social and economic networks driving these threats. Sessions include Malware Analysis, Ethics in Botnet Research, Malware Behavior, and more.

The full program is available at http://www.usenix.org/events/leet09/tech/.

LEET '09 will also include a session for Work-in-Progress reports. We encourage you to submit an abstract or proposal for a 5-minute presentation on your preliminary work to leet09wips@usenix.org.

Connect with the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats in fostering the development of preliminary work in this diverse area and stimulating discussion of thought-provoking ideas.

Find out more and register today at http://www.usenix.org/leet09/

Google Summer of Code 2009

Monday, March 23. 2009
The Honeynet Project was selected for this year's Google Summer of Code. If you are a student and interested in participating in the program, please take a look at http://www.honeynet.org/gsoc. There you will find all information about the projects related to the Honeynet Project. Google will begin accepting applications from students today, so you need to be quick...

Learning more about RFI Attacks

Saturday, March 21. 2009
As part of the work at our lab we started to work on methods to learn more about remote file inclusion (RFI) attacks. The Internet Storm Center has developed a web-based honeypot which is available in a beta version. This honeypot can be used to collect information about different kinds of attacks, but requires the participant to install and maintain a honeypot on his own. For example, it is possible to deploy this honeypot on an OpenWrt router.
Since we are aiming only at RFI attacks, an easier approach is to redirect incoming malicious requests to a central honeypot which then aggregates the information. Jan already blogged about this idea; this posting is meant to spread the word.

You can help us by using the following .htaccess file on your web server:
Options +FollowSymlinks
RewriteEngine on
# Condition: the query string contains a parameter whose value starts with http://
# (typical for an RFI probe such as ?page=http://host/file). The condition carries
# no [NC] flag, so the match is case-sensitive and only lowercase http:// triggers it.
RewriteCond %{QUERY_STRING} (.+=http:\/\/.+)
# Rule: redirect the matching request to the honeypot, keeping the requested
# path ($1, the RewriteRule backreference) and the full query string (%1, the
# RewriteCond backreference). [R] issues an external redirect; [NC] only makes
# the rule's own path pattern case-insensitive.
RewriteRule ^(.+)$ http://link.informatik.uni-mannheim.de/$1?%1 [R,NC]
The rule set checks whether the incoming request looks like an RFI attack (the RewriteCond matches a query-string parameter whose value starts with http://) and then redirects this request to one of our honeypots (RewriteRule). Please let us know if you have any questions or ideas.
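To see which requests the rule set above would forward before deploying it, the following added example (not part of the original post or of the honeypot project) emulates the RewriteCond/RewriteRule pair in Python over a few constructed request URIs. It assumes the .htaccess lives in the document root, so the RewriteRule sees the request path without its leading slash, and it uses the honeypot host from the rule.

```python
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Redirect target taken from the RewriteRule in the post.
HONEYPOT_BASE = "http://link.informatik.uni-mannheim.de/"

# Same expression as the RewriteCond. Apache regexes are case-sensitive unless the
# condition carries [NC], which it does not, so "HTTP://" and "https://" never match.
RFI_COND = re.compile(r"(.+=http://.+)")


def rewrite_target(request_uri: str) -> Optional[str]:
    """Return the honeypot URL the rule set would redirect to, or None if it does not fire."""
    parts = urlsplit(request_uri)
    # RewriteCond is unanchored, so it is a search over the whole query string;
    # the greedy leading .+ makes the backreference (%1) the entire query string.
    cond = RFI_COND.search(parts.query)
    if cond is None:
        return None
    # Per-directory (.htaccess) context: the leading slash is stripped before the
    # RewriteRule pattern ^(.+)$ is applied, so a bare "/" yields an empty path
    # and the rule does not match at all (assumption: .htaccess in the document root).
    path = parts.path.lstrip("/")
    if not path:
        return None
    return f"{HONEYPOT_BASE}{path}?{cond.group(1)}"


def triage(request_uris) -> Dict[str, Optional[str]]:
    """Map every request to its redirect target (None means it is served locally)."""
    return {uri: rewrite_target(uri) for uri in request_uris}


# Constructed sample requests (documentation address 203.0.113.5, not real traffic).
SAMPLE_REQUESTS = [
    "/index.php?page=http://203.0.113.5/probe.txt",   # classic RFI probe: redirected
    "/index.php?page=about",                          # ordinary request: served locally
    "/index.php?page=https://203.0.113.5/probe.txt",  # https is not covered by the pattern
    "/redirect.php?url=http://example.org/page",      # benign URL parameter: false positive
    "/?page=http://203.0.113.5/probe.txt",            # empty path: RewriteRule does not match
]

if __name__ == "__main__":
    for uri, target in triage(SAMPLE_REQUESTS).items():
        print(f"{uri}\n  -> {target or 'served locally'}")
```

The third and fourth samples show the two limits of the rule worth knowing before deployment: https:// inclusion attempts pass through untouched, while any legitimate parameter carrying an http:// URL is redirected as well.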