Virus Blog

Honeywall 1.2

— Posted by zeroq @ 18:03 - 18 Jun, 2007
The Honeynet Project and Research Alliance are excited to
announce the release of Honeywall 1.2. This new version
addresses a variety of bugs and adds new features, including

o Based on Fedora Core 6
o Newer version of Snort including VRT Ruleset & automated
ruleset updates
o Additional options for controlling the level of detail of
data captured.
o Build environment was updated to make it easier to build an
entire roo from SVN (coming soon)

You can learn more at

HW 1.2 Download
http://www.honeynet.org/tools/cdrom

HW 1.2 Manual
http://www.honeynet.org/tools/cdrom/roo/manual

Bug Reporting
https://bugs.honeynet.org (CDROM-roo-1.2)


Botnet Detection using Rishi

— Posted by zeroq @ 17:51 - 18 Jun, 2007

Our Botnet Detection Software named Rishi is available now. We release the current version under the terms of the GPL. The website is here. If you decide to use Rishi in your network and encounter any bugs, please feel free to contact me. Any other kind of feedback is also welcome.

The current version of Rishi is implemented using Python, but we are considering switching to C/C++ to further improve the performance.



Adware/Spyware MapKon

— Posted by zeroq @ 15:36 - 07 Jun, 2007

We are currently monitoring many hosts infected with the spyware called MapKon. As soon as it is installed, the software frequently issues WHOIS requests for all kinds of domains. This way the malware author can register so-called typo-domains or domains which recently became available due to errors or missed payments. Once such a domain is registered it is used for further distribution of the spyware.

Currently the spyware is available at www.archivierungsprogramme.com and installs itself invisibly along with archive software such as WinAce. If you read the user agreement carefully you will notice a few sentences stating that you agree to share bandwidth and to the installation of a browser helper object. This browser helper object is responsible for the WHOIS requests, which are made whenever the browser is running.
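The behaviour described above, a single host issuing frequent WHOIS lookups for many unrelated domains, is visible on the network side. The following Python script is an added example (not Rishi's code and not from this blog) that parses connection-log lines in a constructed, assumed format, keeps only TCP/43 entries, and flags hosts that exceed a query threshold within a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed line format (an assumption): <ISO ts> <src> -> <dst-ip>:<port> query=<domain>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) query=(?P<domain>\S+)$"
)

def parse_whois_log(lines):
    """Return (timestamp, src-host, domain) for TCP/43 (WHOIS) entries only."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("port") == "43":
            events.append((datetime.fromisoformat(m.group("ts")),
                           m.group("src"), m.group("domain")))
    return events

def flag_whois_bursts(events, window=timedelta(minutes=10),
                      min_queries=5, min_distinct=3):
    """Flag a host once it sends >= min_queries WHOIS queries for >= min_distinct
    distinct domains within one sliding window. Returns {host: domains in window}."""
    by_host = defaultdict(list)
    for ts, src, domain in events:
        by_host[src].append((ts, domain))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # drop queries that fell out of the window
            span = items[start:end + 1]
            domains = {d for _, d in span}
            if len(span) >= min_queries and len(domains) >= min_distinct:
                flagged[host] = domains
                break
    return flagged

# Constructed sample: 10.0.0.5 behaves like the described BHO, 10.0.0.9 does not.
SAMPLE_LOG = [
    "2007-06-07T15:30:01 10.0.0.5 -> 192.0.2.10:43 query=examp1e-bank.com",
    "2007-06-07T15:30:44 10.0.0.5 -> 192.0.2.10:43 query=exmaple-shop.net",
    "2007-06-07T15:31:12 10.0.0.5 -> 192.0.2.11:43 query=winace-free.org",
    "2007-06-07T15:32:05 10.0.0.5 -> 192.0.2.12:43 query=archiv-tools.info",
    "2007-06-07T15:33:30 10.0.0.5 -> 192.0.2.10:43 query=typo-news.com",
    "2007-06-07T15:31:00 10.0.0.9 -> 192.0.2.10:43 query=honeynet.org",
    "2007-06-07T15:35:00 10.0.0.9 -> 203.0.113.5:80 query=-",
]
```

Thresholds are deliberately conservative; tune `window`, `min_queries` and `min_distinct` against a baseline of legitimate WHOIS activity on your own network before alerting on the result.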


