Wednesday, February 29, 2012

mwserv support in mwcollectd, dionaea and perhaps some other honeypots

For some reasons, the configuration of mwserv in say, dionaea is perhaps among the mysterious question that I could find when I want to know the info.

Few years ago, I registered my honeypot as a "freelance" at Mwcollect Alliance. Here, the maintainer (from Giraffe Honeynet - Germany based honeynet chapter) needs you to contribute back. In my case, I turned on the mwserv config in my honeypot.

In dionaea.conf (or any honeypot that you have, let say, mwcollectd), you need to uncomment mwserv in the ihandlers section:

        ihandlers = {

            handlers = ["ftpdownload", "tftpdownload", "emuprofile", "cmdshell", "store", "uniquedownload",




//            "submit_http",

//            "logxmpp",


//            "p0f",

//            "surfids",

//            "fail2ban"


Next, once your registration approved in mwcollect alliance, you will be able to create your honeypot sensors.

      mwserv = {                      // ask your mwserv backend provider for needed values

                        url = ""           // the url to send the submission requests to

                        maintainer = ""     // username of the maintainer of this sensor

                        guid = ""               // guid of this sensor, as generated serverside; typically 8 chars

                        secret = ""

        // shared secret used for authentication aka password; typically 48 chars


Perhaps, people hard to find the url for mwserv, so as for last few years, it always been "" .. this couldn't be find anywhere as far as I know, unless you hang out in #nepenthes channel at

You can filter the verbose output once your start you dionaea sensor:

dionaea -l all,-debug -L 'mwserv'


[01032012 08:24:41] mwserv dionaea/ mwserv _heartbeat
[01032012 08:24:45] mwserv dionaea/ mwserv heartbeatresult: b'OK: 120'
[01032012 08:26:41] mwserv dionaea/ mwserv _heartbeat
[01032012 08:26:47] mwserv dionaea/ mwserv heartbeatresult: b'OK: 120'
[01032012 08:28:41] mwserv dionaea/ mwserv _heartbeat
[01032012 08:28:47] mwserv dionaea/ mwserv heartbeatresult: b'OK: 120'
[01032012 08:30:41] mwserv dionaea/ mwserv _heartbeat
[01032012 08:30:48] mwserv dionaea/ mwserv heartbeatresult: b'OK: 120'
[01032012 08:32:41] mwserv dionaea/ mwserv _heartbeat
[01032012 08:32:46] mwserv dionaea/ mwserv heartbeatresult: b'OK: 120'
[01032012 08:34:41] mwserv dionaea/ mwserv _heartbeat

Saturday, February 25, 2012

"Data Mining Tools for Malware Detection" book

I recently bought this fresh, new book on the application of Data Mining for malware detection.

I bought it on-line from UK as it is not available yet in Malaysia. Perhaps you can try the following method to get the book:

CRC Press

Friday, February 24, 2012

Paper accepted at UKSIM 2012, Cambridge, UK

My paper was submitted at UKSIM 2012, Cambridge, UK and was accepted
To quote, use to following BibTeX:
AUTHOR="Muhammad Najmi {Ahmad Zabidi}",
TITLE="Malware Analysis with Multiple Features",
BOOKTITLE="UKSim 14th International Conference on Computer Modelling and Simulation,
UKSim2012 (UKSim2012)",
ADDRESS="Cambridge, United Kingdom",
KEYWORDS="malware, static analysis, feature selection",
ABSTRACT="Malware analysis process is being categorized into static analysis and
dynamic analysis. Both static and dynamic analysis have their own strengths
and weaknesses. In this paper, we present a tool written in Python
programming language called as pi-ngaji, which could assist the work of
malware analyst to get the static features of malware. pi-ngaji contains
several modules - Application Programming Interface (API) calls extractor,
binary entropy information, anti virtual machine and anti debugger detector
and XOR encrypted strings decryptor. pi-ngaji was developed in order to
assist our work in getting malware features. pi-ngaji is focusing on
ripping Microsoft Windows executable binaries' malicious features."

Sunday, February 12, 2012


Ni le bukunya...
Baucer ada baki, top up sikit beli kertas
Sebagai seorang pelajar saya menerima baucer buku 1 malaysia berjumlah rm200 yang saya telah manfaatkan untuk membeli sebuah buku berkaitan penyelidikan saya. Buku tersebut adalah mahal, jadi dengan baucer itu saya hanya memperoleh buku berkenaan sahaja.

Published with Blogger-droid v2.0.4

Saturday, February 4, 2012

Virus mengubah DNS

Krebs, seorang jurnalist di dalam bidang keselamatan komputer mengupas sejenis malware yang mengubah alamat DNS - Domain Name System. Malware ini mampu menyah-aktifkan perisian anti virus dan menyebabkan sistem sasaran tidak boleh mengemaskini sistem operasi Microsoft mereka.

Nama malware, DNSChanger