Malaysia Honeynet Project

The trac and wiki site for HornyD and HoneySuckle (the toolkits for the Malaysia Distributed Honeynet Project) are available here. You can register, view and submit tickets, and browse the source codes. svn is currently read-only, which is available at http://svn.my-honeynet.org/. svn commit will be given to contributors who has show commitment, working patches, and the skills necessary to become HornyD/HoneySuckle developers.

This update has been a long time coming, but we've finally moved to a new server and new ISP! This is due to our generous sponsors (spoonfork: thanks for the brand new server, takizo: thanks for the hosting).

We've been very busy lately - no worries - we've plans for my-honeynet. This will be revealed soon enough. Stay tuned.

More photos are available here. Congratulations to SaoVang from Vietnam, WsLabi from Switzerland and Padocon from Korea for finishing 1st, 2nd and 3rd respectively in the CTF game. I will follow-up this post with more blog posts soon - right now I just want to have some sleep.

UPDATE: The capture the flag portal is at http://ctf2007.security.org.my

The mailing list for Malaysia Honeynet Project has been created. If you are interested in honeynet research and contributing to the project, please join!

http://groups.google.com.my/group/my-honeynet?hl=en

Finally, I managed to perform simple static analysis of over 2000 malwares that I've collected for the past one year. They are archived http://mwdb.my-honeynet.org. This is a beta version. Lots of things still needs to be done, specifically:

- automatically updating the db with the latest captured malware
- perdr analysis
- strings output
- behavorial analysis (this requires building a sandnet)
- a more detailed statistics and automated reporting

Comments, please!

Here's a simplistic statistics of results using various anti-virus products against 2614 malware collected by nepenthes.

Antivir: 2327 / 89.02 %
AVG: 2309 / 88.33 %
ClamAV: 1890 / 72.30 %
F-Prot : 1890 / 72.30 %

Total number of binaries that were not identified by all of the antivirus products: 201. Alternatively, you can view the statistics by the nepenthes team:

Rank Product Hit Rate Trend
1 Antivir 99,04% +7,07%
2 BitDefender 96,23% +1,52%
3 VirusBlokAda 95,17% +1,42%
4 F-Prot 94,02% +2,39%
4 Authentium 94,02% new
5 Norman Virus Control 93,78% +1,19%
6 Fortinet 87,29% +2,35%
7 F-Secure Antivirus 85,22% +5,99%
8 Kaspersky 85,10% +5,73%
9 VirusBuster 82,53% +11,76%
10 Trend Micro 76,19% +5,14%
11 ClamAV 71,41% -0,85%
12 NOD32 70,06% +4,05%
13 Sophos SWEEP 68,58% +2,45%
14 eTrust 63,97% new

This paper, titled "Automated Classification and Analysis of Internet Malware" is a good read describing the limitations and inconsistencies of anti-virus malware detection across several AV products. It offers a good solution: describing and classifying malwares based on their behaviors (hence, behavorial analysis).

Speaking of behavorial analysis, I would like to point out that this is one of the two long term projects that the Malaysia Honeynet Project plans to undertake. The other project is deployment of high interaction honeypots. These two projects however, requires sponsorships, specifically hardware, bandwidth and network. I will write more about this.

Previously, I've showed how you can install some free and open source anti-virus software for Linux. Now I'm gonna show how to use them. This is pretty straighforward:

ClamAV:
clamscan -d /var/lib/clamav -r directory -l clamav.log
-d - load virus definition dictionary from the directory (/var/lib/clamav)
-r - scan subdirectories recursively
-l - log report to a file (clamav.log)

This is the most straighforward use of ClamAV. It has a lot of other options, clamscan -h will display all the available options.

Avira Antivir
antivir --scan-mode=all -s -r3 -rf antivirscan.log directory
This will use the 'all' scan mode (scan all files regardless of their name or contents), -r3 is to log scan results to file (via the -rf switch) and directory is the direcotry to scan (-s for recursion)

f-prot
f-prot -a f-prot.log -collect directory|file
Pretty straighforward: -a is to append report to a log file (in this case, you have to issue a touch f-prot.log first), -collect is to scan a collection, and then specify the files or directory that you want to scan.

avg
avgscan -scan directory|file -report avgscan.log
Pretty straightforward as well.

While there isn't a need for using anti-virus software on Unix and Linux boxes (and if you're like me, Macbook ), anti-virus software is useful for static malware analysis. Here I will present to you three free and one Open Source anti-virus software. My working environment is a Ubuntu Linux virtual machine. The anti-virus softwares that I use are:

• Clam AntiVirus - http://www.clamav.net/


• AVG - http://free.grisoft.com


• F-Prot - http://www.f-prot.com/products/home_use/linux/


• Avira Antivir - http://www.free-av.com/

With the exception of the Open Source ClamAV, the rest of the products are free for personal use. Installation on a Ubuntu system is pretty straightforward. I ran the following commands:

sudo apt-get install clamav

sudo apt-get install f-prot-linux-ws

sudo apt-get install avg75fld

For Avira Antivir, I downloaded the package file from the free-av website. The filename is antivir-workstation-pers.tar.gz.

tar xzvf antivir-workstation-pers.tar.gz

cd antivir-workstation-pers-2.1.10-15

./install

Next, I proceeded to update the definitions.

ClamAV - freshclam --debug -v --config-file=/etc/clamav/freshclam.conf
AVG - avgupdate -o -c /etc/avg.conf
Avira Antivir - antivir --update -C /etc/avupdater.conf
F-Prot - perl /usr/local/f-prot/tools/check-update.pl

NOTE: I installed F-Prot manually using the deb file downloaded from the website instead of using apt-get. If you used apt-get, the location of check-update.pl and the configuration files may be different

If you are behind a proxy or authenticating proxy such as ISA, you can edit the corresponding config files with the necessary proxy host, proxy port, username and password. The config files for all of the anti-virus products are very well commented. The updates can also be put into cron.

As far as installation and updating go, I have not met any caveats or errors.

From here onwards, you can use the four anti-virus products to identify malware.

Here are the list of our sponsors:

• Meling Mudin (spoonfork) - server hardware


• Paul Ooi (takizo) - server co-location

The current active members of the Malaysia Honeynet Project are:

• spoonfork (mel at hackinthebox dot org)


• takizo (paul at paulooi dot com)


• geek00l (geek00l at gmail dot com)


• xwings (xwings at xwings dot net)


• red dragon (rd at vnsecurity dot net)

We accept non-financial and non-monetary fundings and sponsorship for the time being. However, we accept fundings and donations for the following:

• Old PCs and computer equipments


• Server co-location and hosting


• Software: Windows operating systems licenses


• Software: VMWare Workstation licenses


• Software: Commercial anti-virus software for Linux and Windows

Sponsors will be acknowledged in the Sponsors page. If you are interested in sponsoring, please contact mel (mel at hackinthebox dot org)

The Malaysia Honeynet Project was founded in 2007 as a volunteer not-for-profit research organisation. Our aim is to provide research, analysis and information regarding computer and network security threats and vulnerabilities in the Malaysian network. We aim to learn the tools, trade, tactics and motives of the blackhat community, specifically with regards to Malaysia's computer network, and share our findings with the public and IT security community. We also aim to contribute to the global honeynet project.