We will provide live commit logs here soon. Until then, feel free to view the mwcollect.org repository with Trac.
Recently, the SANS ISC and others reported a spike in 8800/tcp traffic. As there is little information available about what is suddenly going on on that port, we take the chance to demonstrate how to use tools from mwcollect to get some insights.
The first thing we need is packets, ideally captures of complete sessions. Hint: ask your local honeynet guy; he is hopefully running honeytrap. If so, chances are good that he can provide packet dumps and session captures like the one below, recorded on 8800/tcp on 2008-06-08:
Nepenthes has just been released in version 0.2.2, grab your copy from SourceForge.
The pesky Allaple worm has bugged us long enough. Since it is polymorphic, each instance of this binary has a new, unique MD5 hash and hence appears as a new binary in the mwcollect Alliance repository. However, by developing a certain hash function, I was able to group most of the Allaple binaries together, so they now appear as a mere 33 distinct entries in the Browse Specimens view:
I will disclose some of the details behind this in my talk at DeepSec.
teamSparta (Hans-Christian Ebke, Dennis Mohr, Jan-Thorsten Peter, Mark Schloesser, Georg Wicherski) won first place in the C.I.P.H.E.R. CTF Hacking Challenge. It was a great game!
The main mwcollect.org server is now fully operational again after a downtime of more than a week. One of the hard drives failed on Sunday afternoon, and it took some time to get new ones and replace the old ones.
During this reinstall, beta.mwcollect.org also now became the official alliance.mwcollect.org.