STATUS REPORT
Philippine Honeynet Project

1.0 DEPLOYMENTS
=================

1.1 Current technologies deployed. Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.

- We are using a Globally Distributed Honeynet (GDH), and we have installed two GDH nodes.

1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.

- Our Nepenthes honeypot has collected 737 malware samples (as of April 19, 2007). We test each sample using both a well-known commercial anti-virus product and a freely downloadable anti-virus product.

- One of the colleges that hosts a GDH node coordinates with its anti-virus provider in the analysis of unknown malware. Below is a partial list of the malware samples captured and identified by their anti-virus provider:

  BKDR_IRCBOT.YB
  BKDR_POEBOT.QU
  BKDR_POEBOT.QU
  BKDR_POEBOT.QV
  BKDR_POEBOT.QV
  TROJ_Generic
  TROJ_Generic
  TROJ_IRCBRUTE.M
  WORM_RBOT.FFW
  WORM_RBOT.FRA
  WORM_RBOT.FRB
  WORM_RBOT.FRF
  WORM_RBOT.FRI
  WORM_RBOT.FRJ
  WORM_SDBOT.EGY
  WORM_SDBOT.EGY
  WORM_SDBOT.EGY
  WORM_SDBOT.EGY
  WORM_SDBOT.EHB
  WORM_SDBOT.EHD
  WORM_SDBOT.EHE
  WORM_SDBOT.EHG
  WORM_SDBOT.EHH
  WORM_SDBOT.EHJ
  WORM_SDBOT.EHK

2.0 FINDINGS
=============

2.1 Highlight any unique findings, attacks, tools, or methods.

- One of our Fedora Core honeypots was compromised on March 29, 2007, the first human attacker on our GDH nodes. A file named scr.tgz was recovered; it contains a port scanner and trojaned versions of sshd, find, and pico.

2.2 Any trends seen in the past six months.

- Port 445 (microsoft-ds) remains the most attacked port; it is the port targeted by the worms/viruses collected by our GDH nodes.

2.3 What are you using for data analysis? What is working well, what is missing, and what data analysis functionality would you like to see developed?
- We are using the tools found in Kanga (e.g., snort-a-log, HoneySnap, etc.), Microsoft Excel, and Ethereal/Wireshark to help us in our analysis.

- We are also studying other tools such as SPSS.

3.0 LESSONS LEARNED
====================

3.1 What new positive things can you share with the community, so they can replicate your success?

3.2 What new mistakes can you share with the community, so they don't make the same mistakes?

- Make sure that you have a spare hard drive available. We were busy studying the data collected by our GDH nodes and failed to notice that one of our GDH nodes had run out of disk space; fortunately, we had a spare hard drive.

3.3 Are there any research ideas you would like to see developed?

- None at the moment.

4.0 NEW TOOLS
==============

4.1 What new tools or technology are you working on?

- We are developing new visualization tools that automatically generate graphs representing Honeynet activity (http://www.philippinehoneynet.org/data.php).

4.2 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?

- We would like to ask for advice on linking the tool to our GDH nodes to get real-time statistics.

5.0 PAPERS AND PRESENTATIONS
=============================

5.1 Are you working on any papers to be published, such as KYE or academic papers?

- Currently, Anthony Salazar is working on his master's thesis, which is about using the GDH to help secure the network and systems infrastructure.

5.2 Are you looking for any data or people to help with your papers?

5.3 Where did you publish/present honeypot-related material?

6.0 ORGANIZATIONAL
===================

6.1 Changes in the structure of your organization.

- Mr. Ryan Talabis is now in the Hawaii Honeynet Project, and Mr. Anthony Salazar is now the new lead analyst for the Philippine Honeynet Project.
- Full Members:
  Anthony Salazar
  John Ruero
  Carlo Monteverde
  Rolly Tayabas
  Ryan Labrador

- Contributors:
  John Paul Vergara, Ph.D.
  Mida Guillermo
  William Emmanuel S. Yu
  Ernesto "Boogie" Boydon
  Ariz C. Jacinto

6.2 Your feedback on Alliance activities.

- None.

6.3 Any suggestions for improving the Alliance?

- None at the moment.

7.0 GOALS
==========

7.1 Which of your goals did you meet for the last six months?

7.2 Which of your goals did you not meet for the last six months?

7.3 Goals for the next six months

- Organize the data and contents for our website.

- Improve our current Honeynet visualization tools, or evaluate new tools for visualizing Honeynet data that will help us in our analysis.

8.0 MISC ACTIVITIES
====================

8.1 Anything else not covered you would like to share.
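The "most attacked port" trend in section 2.2 and the graph-generating analysis tooling described in sections 2.3 and 4.1 both come down to the same step: turning a firewall log into per-port counts that a chart can consume. The script below is an added example, not the Philippine Honeynet Project's own tool or any Honeywall component. It assumes iptables-style syslog records with KEY=VALUE fields (SRC, DST, PROTO, DPT) as emitted by a bridging honeywall; the log lines embedded in it are constructed for the example, not captured data. It ranks ports by the number of distinct attacking hosts before the raw attempt count, so that a single noisy scanner cannot by itself push a port to the top of the chart.

```python
"""Tally attacked destination ports from iptables-style honeywall log lines.

Added example (not the Philippine Honeynet Project's tooling). Assumes
KEY=VALUE firewall records; SAMPLE_LOG below is constructed, not real data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records. Only SRC, PROTO and DPT are used; the rest is
# kept so the parser is exercised against realistic-looking lines.
SAMPLE_LOG = """\
Apr 19 10:01:02 hw kernel: INBOUND TCP: IN=br0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=3412 DPT=445 SYN
Apr 19 10:01:03 hw kernel: INBOUND TCP: IN=br0 SRC=10.0.0.5 DST=192.0.2.11 PROTO=TCP SPT=3413 DPT=445 SYN
Apr 19 10:01:09 hw kernel: INBOUND TCP: IN=br0 SRC=10.0.0.9 DST=192.0.2.10 PROTO=TCP SPT=1044 DPT=445 SYN
Apr 19 10:02:15 hw kernel: INBOUND TCP: IN=br0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=52011 DPT=22 SYN
Apr 19 10:02:20 hw kernel: INBOUND TCP: IN=br0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=52012 DPT=22 SYN
Apr 19 10:02:21 hw kernel: INBOUND TCP: IN=br0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=52013 DPT=22 SYN
Apr 19 10:02:22 hw kernel: INBOUND TCP: IN=br0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=52014 DPT=22 SYN
Apr 19 10:03:00 hw kernel: INBOUND UDP: IN=br0 SRC=10.0.0.12 DST=192.0.2.10 PROTO=UDP SPT=1026 DPT=1434
Apr 19 10:03:05 hw kernel: OUTBOUND TCP: IN=br1 SRC=192.0.2.10 DST=10.0.0.99 PROTO=TCP SPT=1025 DPT=80 SYN
Apr 19 10:03:09 hw kernel: INBOUND TCP: IN=br0 SRC=10.0.0.13 DST=192.0.2.11 PROTO=TCP SPT=2200 DPT=135 SYN
this line is not a firewall record and must be skipped
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Return {src, proto, dport} for an inbound firewall record, else None.

    Outbound records are honeypot-originated traffic (a compromised host
    calling out) and belong in a separate tally, so they are excluded here.
    """
    if "INBOUND" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "PROTO", "DPT")):
        return None
    return {"src": fields["SRC"], "proto": fields["PROTO"], "dport": int(fields["DPT"])}


def tally_ports(log_text):
    """Count inbound attempts and distinct source hosts per (proto, dport)."""
    attempts = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["dport"])
        attempts[key] += 1
        sources[key].add(rec["src"])
    return attempts, {k: len(v) for k, v in sources.items()}


def top_ports(log_text, n=5):
    """Rank ports by distinct attacking hosts first, raw attempts second.

    Returns a list of (proto, port, hosts, attempts) tuples.
    """
    attempts, hosts = tally_ports(log_text)
    ranked = sorted(attempts, key=lambda k: (hosts[k], attempts[k]), reverse=True)
    return [(p, d, hosts[(p, d)], attempts[(p, d)]) for p, d in ranked[:n]]


def to_csv_rows(log_text):
    """Graph-ready CSV rows (proto,port,hosts,attempts) for a plotting tool."""
    header = ["proto,port,hosts,attempts"]
    return header + [f"{p},{d},{h},{a}" for p, d, h, a in top_ports(log_text, n=100)]


if __name__ == "__main__":
    for row in to_csv_rows(SAMPLE_LOG):
        print(row)
```

On the constructed sample, TCP/445 ranks first with two distinct hosts even though TCP/22 has more raw attempts from a single source; with real data the CSV rows can be fed straight into the graphing step, and the same parser can be run over a day's log on a schedule to approach the real-time statistics asked about in section 4.2.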