Skip to main content


Showing posts from June, 2008
Reply for previous Purdue/CERIAS admission's pos

taken from here

Since the commenter using blogger's profile but I can't access his blog, this Prof might suits the profile > here

What an honour to have his visit to my lair here.. anyway this were his words:

All students are charged an application fee to help cover processing costs. As it is, there are many thousands of applications to the university each year.

Applications for grad programs at Purdue are considered by committees of faculty. They look at issues such as transcripts of grades, quality of undergrad program, the student essays, and especially the recommendations. Scores on tests are examined -- especially TOEFL -- and some departments look at GRE scores.

The admissions committee picks the students who the committee believes will do well in the program. If there are more qualified candidates than there are positions in the incoming class, then the students are ranked by the committee and the top ones taken to fill …
hmm... in my dreamm..!

The admission committee makes the decision in October
for spring admission
and in January for fall admission for applicants
who have submitted their
You must decide on your own whetherto apply
or not.
Make sure you met the admission requirements
listed here:


Department of Computer Science
Lawson Computer Science Building
Room 1137 B
Purdue University
305 North University Street
West Lafayette, IN 47907-2107

Phone: (765)494-xxxx
Fax: (765)494-xxxx

-----Original Message-----
From: me
Sent: Wednesday, June 25, 2008 6:25 AM
To: R
Subject: Re: Phd in CS/Cerias

Hello, I would like to know how do you select the students,
since I've to
pay USD55 for the application-so I've to be sure that
chances probability
to get in.

I ask this since CERIAS did not require GRE results
for admission, but it
seems that the it received quite a number
of applications.

If I got…
[nepenthes] Using Anubis Python script

We can use this python script to automate/mocking the automated submission triggered by Nepenthes...

root@nuvox:~/binaries# ./ * -e mailaku @
Successfully submitted the sample.
Get the task result at
Successfully submitted the sample.
Get the task result at
Successfully submitted the sample.
Get the task result at
Could not submit the sample.
Successfully submitted the sample.
Get the task result at
Could not submit the sample.
Could not submit the sample.
Successfully submitted the sample.
Get the task result at
[nepenthes] Screen shot of hex dumps

[nepenthes] Emulating physical nodes

Since the higher number of sensor we get, the huge coverage of outbreak we can cover, so I opt to choose the Neil's and his pal way of doing things:

for i in `seq 230 254`;do ip addr add X.X.X.$i/24 brd + dev eth0;done

This of course just cover the range of X.X.X.230 until X.X.X.254 .

Still finding method to simulate say 10,000 nodes since IPv6 address will be fine. Nobody really use ipv6 here, I guess.

Run, ip add show

You should see things similar like this:

1: lo: mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000

inet X.X.X.139/24 brd X.X.X.255 scope global eth0
inet X.X.X.230/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.231/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.232/24 brd X.X.X.255 scope global secondary eth0
inet X.X.X.23…
[darknet-cymru] meet ryan conolly

I volunteering myself in any way for Cymru's Darknet Project. Actually before I attended Ryan's talk in Westin Hotel Imbi, I already read about the Cymru, IMS and CAIDA stuffs but hardly to get the picture. Now that since Ryan replying my emails and why not for a meetup.

So I asked Sharuzzaman to accompany me and we met just 11am this morning. Wow, it lasts around 3 hours, as if there was a business negotiation (laugh). Ryan nicely shared his experiences and darknet's implementation stuffs.

So I offered him whether it's possible for educational JV and why not for a "academic" talk on Darknet/security advosaries stuffs. Hope you'll arrive here in Gombak, I'll arrange a slot for, if possible. Students would be happy then.

Script to create and resize to 640x480 resolution that I used for pix above:

for i in *.jpg;do convert -size 640x480 -font helvetica -fill white -pointsize 16 -draw 'text 10,550 "Meeting with Darkn…
[clamav] submission added


Submission-ID: 3571791
Sender: me
Added: Trojan.Kolabc.BFY
Virus name alias:
Net-Worm.Win32.Kolabc.bfy (Kaspersky AVP)
[clamav] Submission not added


Erk.. somebody else already made it.

Submission-ID: 3026528
Sender: me
Submission notes: Already detected as Worm.Kolab-284
Added: No
Virus name alias: (Kaspersky AVP),
Trojan.Packed.470 (Drweb),
Packer.XComp.A (Bitdefender)
[nepenthes] New binary notification

Description Risk Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically. Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. Joins IRC Network: The executable connects to an IRC network, most probably functioning as a zombie in a botnet. Performs Address Scan: The executable scans a range of IP Addresses. In most cases these scans identify more potential vulnerable targets.

The analysis of your file is finished.
You can find your report at…
[CWsandbox-mannheim and nepenthes]

Just this morning I was being alerted by the email sent by CWsandbox-mannheim. At last I received analysis email from them. It seems that one of these malwares which they analyzed considered *known* already since I already sent the binary manually to ClamAV:

click here

analysis details for Sdbot-8639 <-- just wondering where the rest 5 binaries' report..shouldn't they being analyzed as well?

analysis from different AV vendors

[clam-av and nepenthes]

Sharuzzaman mentioned to me that instead of using virustotal, we can help clam-av (which however given on Windows, I prefer to use AVG since Clam-av definition considered pretty much obselete), to update clam-av's virus definition. However, if you refer to my previous post, AVG on Linux detect less malware compared to Clam-av.

This is awesome! Means that, the new malware that I got from the junkyard in /var/lib/nepenthes, given it was/*they were* signaled by Clam-av as "OK" I must send them straight away. (Well, if you have spare time. Consider this as your social community service ;) ).

Though the submission per person restricted only up to TWO files only, you can manually email the personnel to send more than that.

Interested to help? Send using this form

Sample submission report (both malware accepted), click here

Submission-ID: 3434478
Sender: nama aku
Added: Trojan.SdBot-8639
Virus name alias: (Kaspersky AVP),
Packer.XComp.A (B…
[nepenthes] scanning with AVG

root@nuvox:/var/lib/nepenthes/binaries# ls -l
total 280
-rw-r--r-- 1 nepenthes nepenthes 41928 2008-06-09 07:43 0c6734accaf1d500a388f690a1ef3a76
-rw-r--r-- 1 nepenthes nepenthes 41928 2008-06-05 20:16 381dd5ff2ef3993bd92923626ee7948a
-rw-r--r-- 1 nepenthes nepenthes 51664 2008-06-04 14:03 3d39a29913a2fe54009d491b89b01ab4
-rw-r--r-- 1 nepenthes nepenthes 41936 2008-06-03 11:04 8e072862754ef6e80831d2fd50376b43
-rw-r--r-- 1 nepenthes nepenthes 41928 2008-06-02 16:38 ba106399aad8b515319f52fac4794a73
-rw-r--r-- 1 nepenthes nepenthes 51664 2008-06-02 16:00 c2f699282a7a16ecf554cfbaa2724204

root@nuvox:/var/lib/nepenthes/binaries# avgscan *
AVG7 Anti-Virus command line scanner
Copyright (c) 2007 GRISOFT, s.r.o.
Program version 7.5.51, engine 442
Virus Database: Version 270.0.0/1491 2008-06-09
License type is TRIAL for WORKSTATION.
Number of days to expiration: 30
3d39a29913a2fe54009d491b89b01ab4 Virus found Win32/Virut
c2f699282a7a16ecf554cfbaa2724204 Virus found Win32/Virut
[nepenthes] New malware coming in

I just wondering why my ClamAV did not detect the fetched malware as "malware", instead just OK. But then since nepenthes already classified it as "suspicious binary".. and why would a binary being sent to my honeypot anyway?

I also create a cron job to ensure that ClamAV updates its definition, sixth times per day.

This is the first time I was being alerted by the malware submission after I enabled the line.

my very own 1st automated malware submission

The other links was being redirected to joebox.. it just shows this stuffs along with the zip file contains reports of the analyzed malware:

The attached zip document contains all kind of behaviour information which Joebox has detected.
Please note that Joebox currently only analyse file system, registry system and process system behaviour.
Analysis information about network, services and thread activities will be added in the next months.
The analysis machine which executes…
[nepenthes] submit_norman.conf config file

This was sent by Lucas

// this is the address where norman sandbox reports will be sent
email "email_aku";

[Nepenthes] GOT CHA!

Living in protected LAN.. I thought I am pretty safe.. not so! I rarely checked my nepenthes /var/lib until today.. after I upgraded my Ubuntu Gutsy to Hordy... wooow...

root@nuvox:/var/lib/nepenthes/binaries# ls -l
total 192
-rw-r--r-- 1 nepenthes nepenthes 51664 2008-06-04 14:03 3d39a29913a2fe54009d491b89b01ab4
-rw-r--r-- 1 nepenthes nepenthes 41936 2008-06-03 11:04 8e072862754ef6e80831d2fd50376b43
-rw-r--r-- 1 nepenthes nepenthes 41928 2008-06-02 16:38 ba106399aad8b515319f52fac4794a73
-rw-r--r-- 1 nepenthes nepenthes 51664 2008-06-02 16:00 c2f699282a7a16ecf554cfbaa2724204

Lemme check...!

Doesn't seems that it is clean as expected

root@nuvox:/var/lib/nepenthes/binaries# clamscan *
3d39a29913a2fe54009d491b89b01ab4: FOUND
8e072862754ef6e80831d2fd50376b43: Trojan.DsBot-15 FOUND
ba106399aad8b515319f52fac4794a73: OK
c2f699282a7a16ecf554cfbaa2724204: FOUND

----------- SCAN SUMMARY -----------
Known viruses: 306262
Engine version: 0.92.1
Scanned directories…
Phd Quest? :=p

It's royal pain in the back (weh, it should be harsher). Sent e-mails to the prospective supervisor.. asking for updates..

Edith Cowan Univ: My friend said better go for public univ in Western AU.. but I did checked in Wiki ECU is a public univ.. well said, since ECU having good time doing research in network security... asked and the Dr said please apply..

Victoria Wellington: NOT YET!

Dear mnajem,
Sure.... I am happy to supervise you.
Have you already applied to
RMIT International?
As you will starting in next year,
it would be great to do some
english courses for reading and writing,
even if you have a good IELTS.

I am currently a research project in the area
of security in "X"
systems (with other schools - Engineering and Maths),
sponsored by
the university.
It involves the protection of entreprise//"X"
networks again all the various attacks.
IDS are one of the
techniques, but there are other ones.The security researchers in RMIT did pretty much VERY Q…
Nice Updates

-I'm in the office of Deputy Dean Student Affair now. For some unknown reason I was being appointed. Work as usual.

-Will attend marriage course this week.. pfft I chose to go outside which worth RM80 because I'm too shy for RM20 course provided along with the student. Well, you know, I might get my face red ... blushing haha.

-For the Phd Quest(as what Usin said), yesterday Dr Colin told me he will ask for Dr George Mohay consideration for my application... hopefully I can get the answer faster. Victoria Wellington still yet to answer my email.. be patient.

To my fellow friend, I'll be happy if you can come to my hometown in Perak.. ;)

(Well, just wondering who'll drop to my blog anyway.. the traffic feeds seems so busy but hardly to get my writings commented)