[AusNOG] Introduction: The Australian honeynet project

contact at honeynet.org.au
Fri Jun 27 18:03:51 EST 2008


Hi Ausnog.

I was chatting to Skeeve and he thought that it would be cool for us to post
this on AusNOG as it's fairly relevant to the list, and there may be some
interest in this initiative.

We are a group of security/cybercrime researchers in Sydney and Melbourne
presently. We are working on building the "Australian Chapter of the
Honeynet Project".

The AU Honeynet Project is essentially a not for profit, volunteer band of
white-hats trying to make a safer AU cyber experience for the mums and
dads, as well as for business.

We currently partner really well with law enforcement, banks and CERTs,
but one area where we've identified a big gap in our penetration is with
ISPs.

We offer a few services on a best-effort basis to LE, ISPs, CERTs, and
other stakeholders we identify. We are developing new and exciting ideas
all the time, but here are a few we offer now.
- Alerting of AU botnet DDoS targets, as well as AU-based Command &
Control servers and network scanning drones (in partnership with our good
mates at shadowserver.org)
- Alerting of AU sites hosting malware and phishing sites.
- Alerting of publicly "outed" AU-based website defacements and cross-site
scripting vulnerabilities, and files being served that strongly
indicate that an SQL injection attack has occurred.
- Malware collection and analysis of network-borne malware (This one is
interesting if you are a network person and haven't looked at this yet). It
involves setting up (any old hardware is fine) a unix app called
"nepenthes" that listens on a set of defined ports, and *emulates*
commonly exploited vulnerabilities. It then harmlessly pulls off the wire
any binaries that are sent to it by adjacent or remote IPs that are
actively scanning and sending exploits. "pwned every 60 seconds..".
Essentially it imitates an unpatched PC with no firewall (rare?...)

If you are interested in any of this, and want to support us or chat more
about the services we offer - drop us an email and we'll go from there.

We are always in need of hosting (currently OS - cough), spam feeds,
malware urls and other malware related Intel. Another really great need is
for more people with AU black IP space to set up nepenthes listeners that
are configured to send malware to our central server. We have scripted
sending these pieces of malware to 32 AV companies, conducting surface
level analysis, behavioral analysis and then we catalogue all this data
for some smart person with some time to pick trends and research the
collective data. All who run a listener and contribute are offered access
to the collective data set and analysis if they want and need it.

Once again, if you are not interested we hope we've not wasted too much of
your time.

cheers
the Australian Honeynet Project
http://www.honeynet.org.au
contact at honeynet.org.au
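The nepenthes-style capture described in the post, sketched as an added example; this is not nepenthes and not the Australian Honeynet Project's code. It binds a few ports, drains whatever a scanning host pushes at the socket, and files the bytes under their SHA-256 so the same sample seen from many drones collapses to one file plus a JSONL capture log, which is the shape of data the post says listeners forward to a central server. The port list, storage layout, log format, the 4 MiB per-connection cap, and the constructed MZ/PE stand-in used as sample input are all assumptions of this example. Unlike real nepenthes it does not emulate the vulnerable services or fetch a payload from the URL inside a captured shellcode; it only records what arrives.

```python
"""
Nepenthes-style low-interaction capture listener (added example; not nepenthes
and not the AU Honeynet Project's code).

Assumed for this example: the port list, the on-disk layout, the JSONL record
format and the per-connection byte cap. Real nepenthes emulates the vulnerable
services and downloads the binary a shellcode points at; this sketch only
records whatever a peer pushes onto the socket.
"""
import hashlib
import json
import os
import socket
import tempfile
import threading
from datetime import datetime, timezone

# Assumed ports: the ones nepenthes-era worms scanned (DCE-RPC, NetBIOS, SMB).
# Binding them needs root; use high ports for a quick local try-out.
LISTEN_PORTS = (135, 139, 445)
READ_TIMEOUT_S = 5.0          # give up on a quiet peer after this long
MAX_BYTES = 4 * 1024 * 1024   # cap per connection so a peer cannot fill the disk

# Constructed stand-in for a captured Windows binary: a bare MZ header whose
# e_lfanew (offset 0x3c) points at a "PE\0\0" signature at offset 0x40.
CONSTRUCTED_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
                  + b"PE\x00\x00" + b"\x00" * 16)


def sample_id(data: bytes) -> str:
    """Content hash used as the on-disk filename; identical samples dedupe."""
    return hashlib.sha256(data).hexdigest()


def looks_like_pe(data: bytes) -> bool:
    """Cheap surface check: MZ magic plus a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scratch_dir() -> str:
    """Fresh storage directory, so repeated runs never collide."""
    return tempfile.mkdtemp(prefix="honeynet-capture-")


def store_sample(data: bytes, storage_dir: str, peer: str, port: int) -> dict:
    """Write the raw bytes (never execute them) and append one capture record."""
    os.makedirs(storage_dir, exist_ok=True)
    digest = sample_id(data)
    path = os.path.join(storage_dir, digest)
    new = not os.path.exists(path)
    if new:
        with open(path, "wb") as f:
            f.write(data)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "peer": peer,
        "port": port,
        "sha256": digest,
        "size": len(data),
        "looks_like_pe": looks_like_pe(data),
        "new": new,
    }
    with open(os.path.join(storage_dir, "captures.jsonl"), "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def read_payload(conn: socket.socket) -> bytes:
    """Drain the connection until the peer closes, goes quiet, or hits the cap."""
    conn.settimeout(READ_TIMEOUT_S)
    chunks, total = [], 0
    try:
        while total < MAX_BYTES:
            chunk = conn.recv(min(65536, MAX_BYTES - total))
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    except socket.timeout:
        pass
    return b"".join(chunks)


def serve_port(port: int, storage_dir: str, bind_addr: str = "0.0.0.0") -> None:
    """Accept loop for one port; every non-empty payload becomes a sample."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    while True:
        conn, (peer, _) = srv.accept()
        with conn:
            data = read_payload(conn)
        if data:
            print(json.dumps(store_sample(data, storage_dir, peer, port)))


def main() -> None:
    storage = scratch_dir()
    print(f"storing captures under {storage}")
    for port in LISTEN_PORTS:
        threading.Thread(target=serve_port, args=(port, storage), daemon=True).start()
    threading.Event().wait()   # run until interrupted


if __name__ == "__main__":
    main()
```

The dedupe-by-hash plus append-only log is what makes a fleet of listeners useful for trend work: the central collector can count how many distinct sources pushed one sample and when it first appeared, without ever running the binary. Bytes are stored verbatim and never executed; the PE check is only a hint for triage, not a verdict.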
