mwcollect.org Blog

Malware Observations and Recent Threats

Using Tools from mwcollect

Recently, the SANS ISC and others reported a spike in 8800/tcp traffic. As there is only little information available about what is suddenly going on on that port, we take the chance to demonstrate how to use tools from mwcollect to get some insights.

The first thing we need is packets, ideally captures of complete sessions. Hint: ask your local honeynet guy; he is hopefully running honeytrap. If so, chances are good that he can provide packet dumps and session captures like the one below, recorded on 8800/tcp on 2008-06-08:

Tillmann Werner // 2008-06-19 15:00 CET

nepenthes 0.2.2

Nepenthes has just been released in version 0.2.2, grab your copy from SourceForge.

Georg Wicherski // 2008-02-14 13:32 CET

Defeating Allaple DB Pollution

The pesky Allaple worm has bugged us long enough. Since it is polymorphic, each instance of this binary has a new, unique MD5 hash and hence appears as a new binary in the mwcollect Alliance repository. However, by developing a certain hash function, I was able to group most of the Allaple binaries together, now appearing as a mere 33 distinct entries in the Browse Specimens view:

PE Hash based Allaple grouping

I will disclose some of the details behind this in my talk on DeepSec.

Georg Wicherski // 2007-10-16 19:07 CET

teamSparta won C.I.P.H.E.R. CTF

teamSparta (Hans-Christian Ebke, Dennis Mohr, Jan-Thorsten Peter, Mark Schloesser, Georg Wicherski) won the first place in the C.I.P.H.E.R. CTF Hacking Challenge. Was a great game!

Georg Wicherski // 2007-07-15 17:03 CET

*.mwcollect.org Back Online

The main mwcollect.org server is now fully operational again after a downtime of more than a week. One of the hard drives failed on Sunday afternoon and it took some time to get new ones and replace the old ones.

During this reinstall, beta.mwcollect.org also now became the official alliance.mwcollect.org.

Georg Wicherski // 2007-06-27 23:22 CET

Page Fixed

The new mwcollect Alliance web interface (still work in progress) has moved to a new server, where fonts are properly installed. Thus the image in the header of this page has a legend again.

I hope to finish the new web interface with Markus and Paul at our mini get-together, which we will have from the 23rd to the 26th of March in Aachen. Tillmann, who recently joined the mwcollect.org crew, will also be there. Sounds like it's gonna be fun!

Georg Wicherski // 2007-03-09 22:59 CET

New Testing Platform

mwcollect Alliance member Teleservice Skåne AB was so kind to provide us with another testing platform (2x 733 MHz, 2 GB RAM) with a /23 attached for developing and testing nepenthes. This box runs FreeBSD, so we will try to add some optimizations for FreeBSD users as well.

Georg Wicherski // 2007-01-18 12:06 CET

HoneyBow v0.1.0 Release

The Chinese Honeynet Project is proud to announce the release of HoneyBow sensor v0.1.0, a malware collection tool based on the high interaction honeypot principle, published under the GPL license. HoneyBow sensor is released under the name of mwcollect.org, and it can be integrated with nepenthes (based on the low interaction honeypot principle) and the mwcollect Alliance's GOTEK architecture, to achieve a more integrated malware collection solution.

Georg Wicherski // 2006-12-15 13:08 CET

New mwcollect.org Meta-Page

This is our new mwcollect.org meta-page, hosting our blog and giving you a rough overview about what is happening at the mwcollect.org projects in these nifty sidebars.

Enjoy!

Georg Wicherski // 2006-10-29 21:00 CET

Feedback from the Other Side

From time to time it's worth crawling the dark sides of the web for input, and sometimes there are interesting, sometimes funny things.

Excuse the excessive use of aolbonics in the screenshot; apart from blacking out the IPs we did not touch it. Microsoft's leetspeak guide might help you get an idea of what was said here:

Markus Kötter // 2006-08-31 23:18 CET

alliance.mwcollect.org Offline

Unfortunately, the alliance.mwcollect.org server is offline. Therefore the whole mwcollect Alliance is temporarily unavailable. To be fixed soon.

Update: The host is up again, now housed by Westend (http://www.westend.com/). Thanks guys!

Georg Wicherski // 2006-08-04 12:36 CET

A Common Virii FTPd Bug

Playing with the honeytrap module, I saw some strange behaviour from hosts attacking nepenthes. They connected, exploited to gain a shell, connected to the shell, and ran an ftp command. Nepenthes connected to the virus's FTP server and asked for the file, providing the port where to send the file via the PORT command (active FTP). In some cases, the virus would send the file to a very different port; the honeytrap module kicked in, and we got the file sent to a shell emulation.

So, we checked if there was a bug when sending the PORT command in nepenthes, and found none. Having a look at the ftpd code of some sdbot forks, we got this:

Paul Bächer, Markus Kötter // 2006-07-09 12:00 CET
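The active-FTP exchange described in the post above, as an added example that is not code from nepenthes, honeytrap or the post itself: an RFC 959 PORT command is built on the client side (the honeypot's role), decoded on the server side (the bot's ftpd role), and the endpoint the server actually connects to is compared against the one that was announced. The function names, the constructed sample addresses and the mismatch classification are assumptions made for this illustration; the post does not show what the sdbot forks got wrong, so the example only shows how such a mismatch becomes visible.

```python
"""Active-FTP PORT handling (RFC 959) with an announced-vs-actual check.

Added example, not nepenthes/honeytrap code. Host addresses and ports used
below are constructed sample values.
"""
import re
from typing import Tuple

# PORT h1,h2,h3,h4,p1,p2 -- four address octets, then the port as p1*256 + p2
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def encode_port(host: str, port: int) -> str:
    """Client side: build the PORT line announcing where the data connection
    should be made (what nepenthes sends to the bot's ftpd)."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return "PORT %s,%d,%d" % (",".join(str(int(o)) for o in octets), port >> 8, port & 0xFF)


def decode_port(line: str) -> Tuple[str, int]:
    """Server side: parse a PORT line into (host, port), rejecting malformed
    fields instead of silently truncating them."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed PORT command: {line!r}")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError(f"PORT field out of range: {line!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PORT announced port 0")
    return host, port


def check_data_connection(announced: str, actual: Tuple[str, int]) -> str:
    """Compare the endpoint announced in PORT with the endpoint the server
    really connected to (as a honeypot would observe it). Returns a short
    classification string; the labels are this example's own."""
    host, port = decode_port(announced)
    if (host, port) == actual:
        return "ok"
    if host == actual[0]:
        return "port mismatch: announced %d, got %d" % (port, actual[1])
    return "host mismatch: announced %s, got %s" % (host, actual[0])


if __name__ == "__main__":
    # Constructed sample: honeypot at 10.0.0.5 offers data port 1234.
    cmd = encode_port("10.0.0.5", 1234)
    print(cmd)                                   # PORT 10,0,0,5,4,210
    print(decode_port(cmd))                      # ('10.0.0.5', 1234)
    print(check_data_connection(cmd, ("10.0.0.5", 1234)))
    # A buggy ftpd connecting somewhere else is what honeytrap would catch:
    print(check_data_connection(cmd, ("10.0.0.5", 1034)))
```

Running the block prints the encoded command, its decoding, "ok" for a well-behaved server and a "port mismatch" line for a server that connects to the wrong port; in a honeypot setup the second case is exactly the connection that lands on an unexpected port and gets picked up by a catch-all listener.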

nepenthes Misuse

Finally, blackhats have taken to using nepenthes. Recent postings on the ryan1918 forums clearly show that kiddies are running nepenthes with the submit-norman module to find others' botnets.

Let's hope they're only going to shut down each other.

Georg Wicherski // 2006-04-26 15:47 CET

Alliance hit 10k

Thanks to Stargazer's batch submission and everyone linking their sensors now, the Alliance got far beyond 10k in-the-wild samples. Current number at 18:26 CET is 12587 samples. Thanks everyone for contributing!

Georg Wicherski // 2006-03-20 17:27 CET

mwcollect & nepenthes Fusion Announcement

The mwcollectd and nepenthes teams are proud to announce the end of the independent co-existence of two tools sharing the same aim. mwcollectd will be finished to v3.0.4 soon; development will be discontinued afterwards. nepenthes will be the official successor of mwcollectd.

mwcollect.org will become a top-level community covering malware collection efforts, nepenthes will become the official software used for malware collection and be part of mwcollect.org. The mwcollect Alliance will continue to exist with existing mwcollect v3.0.3 sensor and nepenthes sensors later on.

Paul Bächer, Markus Kötter, Georg Wicherski // 2006-02-03 00:23 CET