• Tracking Intelligence Project (TIP)

TIP is an information gathering framework whose purpose is to autonomously collect, correlate and analyze data useful for understanding Internet threat trends. It is implemented in Python, using the Twisted Application Framework for the core engine and the Django framework to abstract the underlying database and to easily build a web interface to the data. A component-based architecture, built on Zope3 interfaces and adapters, was designed for module development. The tracking activities are performed by a fully asynchronous core engine which controls a few additional modules, each with a very specific purpose. TIP was designed so that each of these modules can run on a separate host if needed, given a central database. This allows the overall architecture to scale easily when new work-intensive modules are needed, making it possible to deploy TIP without requiring a single, highly performant central computer. TIP was also designed to support hot-plugging of modules, so that adding (or removing) a module does not require a restart of the core engine. TIP code is available as source code within The Honeynet Project organization, and plans exist to release it publicly in the coming months under the GNU General Public License.


• Hale

Hale is a botnet command & control monitor/spy with a modular design that makes it easy to develop new modules monitoring new protocols used by C&C servers. Hale comes with IRC and HTTP monitors developed with Twisted to handle a large number of connections at scale. These modules have configurable protocol grammar and bot settings but can also be modified to fit your needs. All captured logs and files are saved to a database and, in the case of IRC, the tracked IP addresses too. To hide the location of the operator, connections can be made through SOCKSv5 proxies; this is configurable via the web interface, where all the logs are also available to browse together with statistical charts and timelines. The interface was developed with Django and the Google Visualization API. Extras in the web UI include a RESTful API with OAuth support and a search engine. The main idea behind Hale is to help botnet hunters and researchers collaborate by creating a network of sensors (Hale monitors). To support this, an XMPP bot is available that connects to a centralized XMPP server, where currently two group rooms are used: one for coordination between sensors and one for sharing logs and files. The coordination room makes use of botnet hashes derived from the unique keys in the botnet settings; in this way, two botnets that share the same hash (identity) are not monitored simultaneously, which improves utilization. To help third parties make use of this network, a bot can join the coordination room and ask a sensor to start tracking a botnet, if it is untracked, by sending the configuration for it. Additionally, in the share room, third-party bots can obtain logs and files captured by the sensors in real time. For log history, the web API, which supports GET requests, can be used. Hale source code is available here.


• Thug

Thug is a Python low-interaction honeyclient that was publicly presented at the Honeynet Project Security Workshop at Facebook HQ in Menlo Park in March 2012. Thug is based on a hybrid static/dynamic analysis approach and provides a DOM implementation which is (almost) compliant with the W3C DOM Core, HTML, Events and Views specifications (Level 1, 2 and partially 3) and partially compliant with the W3C DOM Style specifications. Thug makes use of the Google V8 JavaScript engine, wrapped through PyV8, to analyze malicious JavaScript code, and of the Libemu library, wrapped through Pylibemu, to detect and emulate shellcode. Currently 6 Internet Explorer personalities are emulated and about 90 vulnerability modules (ActiveX controls, core browser functionalities, browser plugins) are provided. Thug source code is available here.


• Pylibemu

Pylibemu is a Cython wrapper for the Libemu library. Libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. Pylibemu source code is available here.


• DroidBox

DroidBox is developed to offer dynamic analysis of Android applications. The following information is shown in the results, generated when the analysis ends:

  • Hashes for the analyzed package
  • Incoming/outgoing network data
  • File read and write operations
  • Started services and loaded classes through DexClassLoader
  • Information leaks via the network, files and SMS
  • Circumvented permissions
  • Cryptography operations performed using the Android API
  • Listing of broadcast receivers
  • Sent SMS and phone calls

The source code is available here.


• Buttinsky

Botnet monitoring is the process of actively joining a botnet infrastructure in order to learn about its inner workings for research and analysis purposes. One clear distinction between a real bot and a monitoring bot is that the monitoring bot does not perform any harmful actions when instructed to by the bot herder. If the monitoring bot can collect information, we will be able to understand what is going on inside the botnet and also find weaknesses and design flaws in the botnet protocol. This information can then be used for botnet takedown.

There are currently two available but very specialized tools from project members, each with a different approach and goal: Hale takes the more manual and customizable approach, while WSBS is automated and specific to IRC botnets. In this proposed project we want to build a strong monitoring framework that combines the previous solutions.

With Buttinsky we are building a versatile monitoring platform which will provide the cornerstones for your customized solution. The features will include but are not restricted to:

  • Modular framework: network layer, event library, communication protocol and behavior are exchangeable
  • Data management: possibilities include relational and NoSQL databases and generic data feeds
  • Bot mimicking: using behavior patterns generated from collected data, leveraging machine learning techniques
  • Automated distribution: monitoring clients all over the globe to improve scalability and camouflage
  • Data: gathering auxiliary data to increase in-depth knowledge about the monitored target
  • Interfaces: use what you are used to for follow-up analysis and threat assessment

The source code is available here.


• Ghost USB Honeypot

Ghost is a honeypot for malware that spreads via USB storage devices. It detects infections with such malware without needing any further information. The honeypot was first developed for a bachelor thesis at Bonn University in Germany; development is now continued by the same developer within the Honeynet Project. Ghost was recently selected for Rapid7's Magnificent7 program. Our goal for the next year is to extend the honeypot into a USB protection system, i.e. a system that protects networked computer environments from the threat of USB malware.

The source code is available here.