Friday, June 27, 2008

Reply to the previous Purdue/CERIAS admission post

taken from here

Since the commenter used a Blogger profile but I can't access his blog, this Prof might fit the profile > here

What an honour to have his visit to my lair here.. anyway, these were his words:

All students are charged an application fee to help cover processing costs. As it is, there are many thousands of applications to the university each year.

Applications for grad programs at Purdue are considered by committees of faculty. They look at issues such as transcripts of grades, quality of undergrad program, the student essays, and especially the recommendations. Scores on tests are examined -- especially TOEFL -- and some departments look at GRE scores.

The admissions committee picks the students who the committee believes will do well in the program. If there are more qualified candidates than there are positions in the incoming class, then the students are ranked by the committee and the top ones taken to fill out the class.

If you meet the minimum requirements for a program, whether you get accepted depends on how many other people apply that year, and how you rank among them (if there are a lot).




p/s: We need more Malaysians doing PhD degrees in the United States... for real!

Wednesday, June 25, 2008

hmm... in my dream..!

The admission committee makes the decision in October for spring admission and in January for fall admission for applicants who have submitted their application. You must decide on your own whether to apply or not.

Make sure you meet the admission requirements listed here:


Regards,
R


----------------------------------------
R
Department of Computer Science
Lawson Computer Science Building
Room 1137 B
Purdue University
305 North University Street
West Lafayette, IN 47907-2107
USA

Phone: (765)494-xxxx
Fax: (765)494-xxxx
E-mail: xxx@cs.purdue.edu
www.cs.purdue.edu/academic_programs/graduate


-----Original Message-----
From: me
Sent: Wednesday, June 25, 2008 6:25 AM
To: R
Subject: Re: Phd in CS/Cerias

Hello, I would like to know how you select the students, since I have to pay USD55 for the application, so I have to be sure of the probability of getting in.

I ask this since CERIAS did not require GRE results for admission, but it seems that it received quite a number of applications.

If I got a place secured in Purdue, I'll be sponsored by the government of Malaysia, the sponsorship stipulating the student's fee, living allowance etc. for the whole study period.

Plan to begin in mid-2009.

Thanks :-)

comment: No, I do not think it's worth the gamble.. better go elsewhere.. be your own hero... rather than spending your hard-earned bucks on unsure stuff... ahahahaa

[nepenthes] Using Anubis Python script

We can use this Python script to automate, or mimic by hand, the automated submission that Nepenthes normally triggers...


root@nuvox:~/binaries# ./submit_to_anubis.py * -e mailaku @ gmail.com
Successfully submitted the sample.
Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=f474d3ae50475c6451031f37d2d283fd
Successfully submitted the sample.
Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=357c926ee5bfeb6471185f4fb403b55c
Successfully submitted the sample.
Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=0c75b6d90af30124155cf3c69cce504b
Could not submit the sample.
Successfully submitted the sample.
Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=fd7ca9e064aef6d499121a4956a2d9fa
Could not submit the sample.
Could not submit the sample.
Successfully submitted the sample.
Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=639c177e1ee45b44e1a472b9adcd5654
Successfully submitted the sample.
Get the task result at http://analysis.seclab.tuwien.ac.at/result.php?taskid=eb7e2f28889e51d4e5fa0b7903e76a30
Could not submit the sample.

Some of the binaries are malformed; you will receive the same "could not submit" notification from the other sandbox providers if you use the default submit_norman.conf submission as well.


Also, when submitted this way, the malware analysis reports do not carry any nepenthes- prefix at all.

Tuesday, June 17, 2008

Monday, June 16, 2008

[nepenthes] Emulating physical nodes

The more sensors we have, the wider the outbreak coverage we get, so I opted for the way Neil and his pal do things:

for i in `seq 230 254`;do ip addr add X.X.X.$i/24 brd + dev eth0;done


This of course only covers the range X.X.X.230 to X.X.X.254.

Still looking for a method to simulate, say, 10,000 nodes; IPv6 addresses would give enough room, but nobody really uses IPv6 here, I guess.

Run ip addr show

You should see something like this:

1: lo: mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000

inet X.X.X.139/24 brd X.X.X.255 scope global eth0
inet X.X.X.230/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.231/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.232/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.233/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.234/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.235/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.236/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.237/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.238/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.239/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.240/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.241/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.242/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.243/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.244/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.245/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.246/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.247/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.248/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.249/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.250/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.251/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.252/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.253/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.254/24 brd X.X.X.255 scope global secondary eth0

IPs obfuscated for anonymity

You should be able to see this host "alive" if you scan it from another node. I scanned the honeypot sensors with Windows Nmap from my laptop.
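To make the trick repeatable, here is an added example (not Neil's loop nor the post's own script) that generates the same ip addr add commands for any host range, refuses ranges that would touch the network or broadcast address, prints them as a dry run or runs them, emits the matching teardown, and counts the secondaries from ip -4 addr show output so the result can be verified. Prefix 192.0.2, interface eth0 and the octet range are placeholders.

```shell
# Added example, not the original post's loop: build the same "ip addr add"
# commands for any host range, refuse ranges that touch the network/broadcast
# address, print them (dry run) or run them, and verify the result.
# Prefix 192.0.2, interface eth0 and the octet range are placeholders.

# Print one "ip addr add|del" command per host octet.
# $1 = add|del, $2 = /24 prefix (e.g. 192.0.2), $3 = first octet,
# $4 = last octet, $5 = interface.
gen_addr_cmds() {
    action=$1; prefix=$2; first=$3; last=$4; dev=$5
    # .0 is the network and .255 the broadcast address of a /24; adding either
    # as a secondary breaks the emulated hosts, so reject them up front.
    if [ "$first" -lt 1 ] || [ "$last" -gt 254 ] || [ "$first" -gt "$last" ]; then
        echo "bad range $first-$last for $prefix.0/24" >&2
        return 1
    fi
    i=$first
    while [ "$i" -le "$last" ]; do
        if [ "$action" = add ]; then
            echo "ip addr add $prefix.$i/24 brd + dev $dev"
        else
            echo "ip addr del $prefix.$i/24 dev $dev"
        fi
        i=$((i + 1))
    done
}

# Either print the generated commands (DRY_RUN=1, the default) or execute
# them one by one, stopping at the first failure. Run the latter as root.
apply_addr_cmds() {
    if [ "${DRY_RUN:-1}" = 1 ]; then cat; else sh -e; fi
}

# Count the secondary addresses in "ip -4 addr show dev <if>" output on stdin;
# after the add loop the number should equal the size of the range.
count_secondary() {
    grep -c ' scope global secondary ' || true
}

# Usage (dry run, prints 25 commands):
#   gen_addr_cmds add 192.0.2 230 254 eth0 | apply_addr_cmds
# Apply for real, then verify and tear down:
#   gen_addr_cmds add 192.0.2 230 254 eth0 | DRY_RUN=0 apply_addr_cmds
#   ip -4 addr show dev eth0 | count_secondary
#   gen_addr_cmds del 192.0.2 230 254 eth0 | DRY_RUN=0 apply_addr_cmds
```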

Saturday, June 14, 2008

[darknet-cymru] meet ryan conolly

I volunteered myself in any way for Cymru's Darknet Project. Actually, before I attended Ryan's talk at the Westin Hotel Imbi, I had already read about the Cymru, IMS and CAIDA stuff but could hardly get the picture. Now that Ryan has been replying to my emails, why not a meetup.

So I asked Sharuzzaman to accompany me and we met at 11am this morning. Wow, it lasted around 3 hours, as if there was a business negotiation (laugh). Ryan kindly shared his experiences and darknet implementation stuff.

So I asked him whether an educational JV would be possible, and why not an "academic" talk on darknet/security adversaries stuff. Hope you'll come here to Gombak; I'll arrange a slot if possible. Students would be happy then.

Script I used to caption the pictures above and resize them to 640x480:

for i in *.jpg;do convert -size 640x480 -font helvetica -fill white -pointsize 16 -draw 'text 10,550 "Meeting with Darknet-Cymru Ryan Conolly@Starbuck KLCC 14 June 2008"' $i new-$i;done


[clamav] submission added

source

Submission-ID: 3571791
Sender: me
Added: Trojan.Kolabc.BFY
Virus name alias:
Net-Worm.Win32.Kolabc.bfy (Kaspersky AVP)

Friday, June 13, 2008

[clamav] Submission not added

source

Erk.. somebody else already made it.

Submission-ID: 3026528
Sender: me
Submission notes: Already detected as Worm.Kolab-284
Added: No
Virus name alias:
Net-Worm.Win32.Kolabc.sd (Kaspersky AVP),
Trojan.Packed.470 (Drweb),
Packer.XComp.A (Bitdefender)

Thursday, June 12, 2008

[nepenthes] New binary notification

Description (with risk level):

- Autostart capabilities (risk: medium): This executable registers processes to be executed at system start. This could result in unwanted actions being performed automatically.
- Changes security settings of Internet Explorer (risk: medium): This system alteration could seriously affect safe surfing of the World Wide Web.
- Joins IRC Network (risk: high): The executable connects to an IRC network, most probably functioning as a zombie in a botnet.
- Performs Address Scan (risk: high): The executable scans a range of IP addresses. In most cases these scans identify more potentially vulnerable targets.


The analysis of your file is finished.
You can find your report at http://analysis.seclab.tuwien.ac.at/result.php?taskid=81e476fbfdfa581435e56c5242ea22cb


[CWsandbox-mannheim and nepenthes]

Just this morning I was alerted by an email sent by CWsandbox-mannheim. At last I received an analysis email from them. It seems that one of the malware samples they analyzed is considered *known* already, since I had already sent the binary manually to ClamAV:

click here

analysis details for Sdbot-8639 <-- just wondering where the reports for the other 5 binaries are.. shouldn't they be analyzed as well?

analysis from different AV vendors

Tuesday, June 10, 2008

[clam-av and nepenthes]

Sharuzzaman mentioned to me that instead of using VirusTotal, we can help ClamAV update its virus definitions (though on Windows I prefer to use AVG, since the ClamAV definitions are considered pretty much obsolete there). However, if you refer to my previous post, AVG on Linux detects less malware than ClamAV.

This is awesome! It means that the new malware I get from the junkyard in /var/lib/nepenthes, whenever it was (they were) flagged by ClamAV as "OK", I must send straight away. (Well, if you have spare time. Consider this your community service ;) ).

Though submissions are restricted to only TWO files per person, you can manually email the personnel to send more than that.

Interested in helping? Send using this form

Sample submission report (both malware samples accepted), click here

Submission-ID: 3434478
Sender: nama aku
Added: Trojan.SdBot-8639
Virus name alias:
Net-Worm.Win32.Kolabc.aws (Kaspersky AVP),
Packer.XComp.A (Bitdefender)

Submission-ID: 3278336
Sender: nama aku
Added: Trojan.SdBot-8638
Virus name alias:
Net-Worm.Win32.Kolabc.afj (Kaspersky AVP),
Packer.XComp.A (Bitdefender)

Monday, June 09, 2008

[nepenthes] scanning with AVG

root@nuvox:/var/lib/nepenthes/binaries# ls -l
total 280
-rw-r--r-- 1 nepenthes nepenthes 41928 2008-06-09 07:43 0c6734accaf1d500a388f690a1ef3a76
-rw-r--r-- 1 nepenthes nepenthes 41928 2008-06-05 20:16 381dd5ff2ef3993bd92923626ee7948a
-rw-r--r-- 1 nepenthes nepenthes 51664 2008-06-04 14:03 3d39a29913a2fe54009d491b89b01ab4
-rw-r--r-- 1 nepenthes nepenthes 41936 2008-06-03 11:04 8e072862754ef6e80831d2fd50376b43
-rw-r--r-- 1 nepenthes nepenthes 41928 2008-06-02 16:38 ba106399aad8b515319f52fac4794a73
-rw-r--r-- 1 nepenthes nepenthes 51664 2008-06-02 16:00 c2f699282a7a16ecf554cfbaa2724204


root@nuvox:/var/lib/nepenthes/binaries# avgscan *
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.51, engine 442
Virus Database: Version 270.0.0/1491 2008-06-09
License type is TRIAL for WORKSTATION.
Number of days to expiration: 30
3d39a29913a2fe54009d491b89b01ab4 Virus found Win32/Virut
c2f699282a7a16ecf554cfbaa2724204 Virus found Win32/Virut
Tested: 6 files, 0 sectors
Infections: 2
Errors: 0


It seems that AVG detected only 2 malware samples, while ClamAV found 3.

[nepenthes] New malware coming in

I was just wondering why my ClamAV did not detect the fetched malware as "malware", reporting just OK. But then nepenthes had already classified it as a "suspicious binary".. and why would a binary be sent to my honeypot anyway?

I also created a cron job to ensure that ClamAV updates its definitions six times per day.

This is the first time I was alerted by the malware submission after I enabled the submit_norman.so line.

my very own 1st automated malware submission

The other links were redirected to Joebox.. it just shows this, along with the zip file containing the reports of the analyzed malware:

The attached zip document contains all kinds of behaviour information which Joebox has detected.
Please note that Joebox currently only analyses file system, registry system and process system behaviour.
Analysis information about network, services and thread activities will be added in the next months.
The analysis machine which executes your submitted binaries has no access to the internet.
An always-available internet connection is too high a risk, either of being detected (via DNS) or of being controlled by malware (we use real machines for analysis) which bypasses the disk protection tools we use.

Best regards

Joe Security


Hehe.. nice ;) .. you know, this submission alert was received after the power trip/network problem here was resolved. That means I should have gotten this alert earlier..

It seems that this network segment contains a lot of "harta karun" or "hidden treasure" still unexplored.... looking at this ClamAV scan, 3 binaries are yet to be defined..

root@nuvox:/var/lib/nepenthes/binaries# clamscan *
0c6734accaf1d500a388f690a1ef3a76: OK
381dd5ff2ef3993bd92923626ee7948a: OK
3d39a29913a2fe54009d491b89b01ab4: W32.Virut.ca FOUND
8e072862754ef6e80831d2fd50376b43: Trojan.DsBot-15 FOUND
ba106399aad8b515319f52fac4794a73: OK
c2f699282a7a16ecf554cfbaa2724204: W32.Virut.ci FOUND

----------- SCAN SUMMARY -----------
Known viruses: 309947
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 6
Infected files: 3
Data scanned: 0.25 MB
Time: 12.340 sec (0 m 12 s)
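The ClamAV submission post above and the "yet to be defined" binaries here come down to the same triage: pick out the samples clamscan reports as OK and submit those, two at a time. Here is an added example, not the author's script, that does that over clamscan output and also checks that each file's MD5 still matches the name nepenthes gave it; the directory path and the two-per-batch grouping are assumptions taken from the posts.

```shell
# Added example, not the author's script: triage /var/lib/nepenthes/binaries
# the way the posts describe. Samples that clamscan reports as "OK" are the
# undetected ones worth submitting to ClamAV, grouped two per batch (the
# per-person limit mentioned above). nepenthes names each file after its MD5,
# so a file whose content no longer matches its name is flagged too.

# Read clamscan output on stdin; print the undetected file names, $1 per line
# (default 2), so each output line is one submission batch.
undetected_batches() {
    per_batch=${1:-2}
    awk -v n="$per_batch" '
        /: OK$/ {
            sub(/: OK$/, "")
            buf = buf (buf == "" ? "" : " ") $0
            if (++c == n) { print buf; buf = ""; c = 0 }
        }
        END { if (buf != "") print buf }'
}

# Read clamscan output on stdin; print "infected/scanned" from the summary.
detection_ratio() {
    awk -F': ' '/^Infected files:/ { inf = $2 }
                /^Scanned files:/  { sc = $2 }
                END { printf "%d/%d\n", inf, sc }'
}

# List files in directory $1 whose MD5 differs from their name, as
# "<name> <actual md5>", so a truncated or tampered download stands out.
mismatched_names() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sum=$(md5sum "$f" | cut -d' ' -f1)
        name=${f##*/}
        [ "$sum" = "$name" ] || echo "$name $sum"
    done
}

# Usage:
#   clamscan /var/lib/nepenthes/binaries/* | undetected_batches 2
#   clamscan /var/lib/nepenthes/binaries/* | detection_ratio
#   mismatched_names /var/lib/nepenthes/binaries
```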


Friday, June 06, 2008

[nepenthes] submit_norman.conf config file

This was sent by Lucas

submit-norman
{
    // this is the address where norman sandbox reports will be sent
    email "email_aku gmail.com";
    urls ("http://onlineanalyzer.norman.com/nepenthes_upload.php",
          "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify",
          "http://147.86.135.178/joeboxservlet/submit",
          "http://anubis.iseclab.org/nepenthes_action.php");
};

Thursday, June 05, 2008

[Nepenthes] GOT CHA!

Living in a protected LAN.. I thought I was pretty safe.. not so! I rarely checked my nepenthes /var/lib until today.. after I upgraded my Ubuntu Gutsy to Hardy... wooow...

root@nuvox:/var/lib/nepenthes/binaries# ls -l
total 192
-rw-r--r-- 1 nepenthes nepenthes 51664 2008-06-04 14:03 3d39a29913a2fe54009d491b89b01ab4
-rw-r--r-- 1 nepenthes nepenthes 41936 2008-06-03 11:04 8e072862754ef6e80831d2fd50376b43
-rw-r--r-- 1 nepenthes nepenthes 41928 2008-06-02 16:38 ba106399aad8b515319f52fac4794a73
-rw-r--r-- 1 nepenthes nepenthes 51664 2008-06-02 16:00 c2f699282a7a16ecf554cfbaa2724204



Lemme check...!

Doesn't seem to be as clean as expected

root@nuvox:/var/lib/nepenthes/binaries# clamscan *
3d39a29913a2fe54009d491b89b01ab4: W32.Virut.ca FOUND
8e072862754ef6e80831d2fd50376b43: Trojan.DsBot-15 FOUND
ba106399aad8b515319f52fac4794a73: OK
c2f699282a7a16ecf554cfbaa2724204: W32.Virut.ci FOUND

----------- SCAN SUMMARY -----------
Known viruses: 306262
Engine version: 0.92.1
Scanned directories: 0
Scanned files: 4
Infected files: 3
Data scanned: 0.17 MB
Time: 9.410 sec (0 m 9 s)

Wednesday, June 04, 2008

Phd Quest? :=p

It's a royal pain in the back (weh, it should be harsher). Sent e-mails to the prospective supervisors.. asking for updates..

Edith Cowan Univ: My friend said better go for a public univ in Western AU.. but I did check on Wiki, and ECU is a public univ.. well said, since ECU is having a good time doing research in network security... asked, and the Dr said please apply..

Victoria Wellington: NOT YET!

RMIT:
Dear mnajem,
Sure.... I am happy to supervise you. Have you already applied to RMIT International? As you will be starting next year, it would be great to do some English courses for reading and writing, even if you have a good IELTS.

I am currently running a research project in the area of security in "X" systems (with other schools - Engineering and Maths), sponsored by the university. It involves the protection of enterprise/"X" networks against all the various attacks. IDS are one of the techniques, but there are other ones.

The security researchers at RMIT were VERY QUICK AND MADE ME LIVE WITH JOY in a short while.. aha.... might be I am destined for RMIT ahahaa

Before he responded, I had actually emailed his pal as well, who responded:

Dear mnajem
Thanks for your inquiry. Your research interest fits into my group. However, I'm not involved in the application procedure. Please contact our program coordinator Vic on this CC list for further advice. Good luck,

Which means.. for now I will concentrate on getting into RMIT.. RMIT at least gets ranked in THES, you know... though as you know 4 seasons in .au is a no-no... huhu... why get yourself cold in the snow: you've to pay gas for the heater. Get yourself somewhere tropical-alike and mix around with the mat saleh... however it seems my prospective SV is Asian-alike living in Mat Saleh land...

*just had a meeting.. now somebody in my room is doing make-up coursework stuff...

Monday, June 02, 2008

Nice Updates

-I'm in the office of the Deputy Dean of Student Affairs now. For some unknown reason I was appointed. Work as usual.

-Will attend a marriage course this week.. pfft, I chose to go outside, which costs RM80, because I'm too shy for the RM20 course provided along with the students. Well, you know, I might get my face red ... blushing haha.

-For the PhD Quest (as Usin calls it), yesterday Dr Colin told me he will ask Dr George Mohay to consider my application... hopefully I can get the answer faster. Victoria Wellington has still yet to answer my email.. be patient.

To my fellow friends, I'll be happy if you can come to my hometown in Perak.. ;)


(Well, just wondering who'll drop by my blog anyway.. the traffic feed seems so busy, but my writings hardly get commented on)

EOF.