Moved to Berkeley

February 20th, 2011

As I'm now in Berkeley, starting my career as a Ph.D. student in computer security, I don't have time to maintain this blog or the modified version of micolog. Please find my new homepage here:



Kevin Zhijie Chen


Posted in Misc

The Honeynet Project Forensic Challenge 2010 - 1

January 18th, 2010

Original URL:


Challenge 1 of the Forensic Challenge 2010 - pcap attack trace

Forensic Challenge 2010

Challenge 1 - pcap attack trace - (provided by Tillmann Werner from the Giraffe Chapter) is to investigate a network attack.
Send submissions (please use the MS Word submission template or the OpenOffice submission template) no later than 17:00 EST, Monday, February 1st 2010. Results will be released on Monday, February 15th 2010. Small prizes will be awarded to the top three submissions.

Skill Level: Intermediate

The Challenge:
A network trace with attack data is provided. Analyze and answer the following questions:

  1. Which systems (i.e. IP addresses) are involved? (2pts)
  2. What can you find out about the attacking host (e.g., where is it located)? (2pts)
  3. How many TCP sessions are contained in the dump file? (2pts)
  4. How long did it take to perform the attack? (2pts)
  5. Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)
  6. Can you sketch an overview of the general actions performed by the attacker? (6pts)
  7. What specific vulnerability was attacked? (2pts)
  8. What actions does the shellcode perform? Please list the shellcode. (8pts)
  9. Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)
  10. Was there malware involved? What's the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)
  11. Do you think this is a manual or an automated attack? Why? (2pts)
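As an added example (it is not part of the challenge text or of this post), here is a minimal classic-pcap reader in Python that answers the bookkeeping questions above (1, 3 and 4) without scapy or tshark: it lists the hosts involved, counts TCP sessions, and reports the time span of the capture. Each pure SYN opens a new session, so a client port reused for a second connection is not merged into the first one, while a SYN retransmitted before the server has answered is not counted twice. The pcap bytes, the 10.0.0.9/10.0.0.23 addresses and the packet timings are constructed inline for the demonstration and have nothing to do with the challenge trace.

```python
# Added example, not part of the challenge or of this post: a minimal classic
# pcap (libpcap) reader answering questions 1, 3 and 4 of the challenge.
# Addresses, ports and timings below are constructed test data.
import struct

SYN, ACK, FIN = 0x02, 0x10, 0x01

def build_pcap(packets):
    """Wrap (timestamp, ethernet_frame) pairs in a classic pcap file (linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def tcp_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP header without payload (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def read_pcap(data):
    """Yield (timestamp, frame) from a classic pcap; handles both byte orders."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "HHiIII", data, 4)[5] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + caplen]
        off += caplen

def decode_tcp(frame):
    """Return (src, dst, sport, dport, flags) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]
    if len(tcp) < 20:
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[13]

def summarize(pcap_bytes):
    """Hosts involved, TCP sessions and capture duration.
    A pure SYN opens a new session (so a reused client port is a new session);
    a SYN retransmitted before the server answered stays in the same session."""
    hosts, sessions, open_by_key = set(), [], {}
    first = last = None
    for ts, frame in read_pcap(pcap_bytes):
        d = decode_tcp(frame)
        if d is None:
            continue
        src, dst, sport, dport, flags = d
        hosts.update((src, dst))
        first = ts if first is None else first
        last = ts
        key = frozenset({(src, sport), (dst, dport)})
        if flags & SYN and not flags & ACK:
            cur = open_by_key.get(key)
            if cur is None or cur["answered"]:
                cur = {"client": (src, sport), "server": (dst, dport),
                       "start": ts, "end": ts, "packets": 0, "answered": False}
                sessions.append(cur)
                open_by_key[key] = cur
        s = open_by_key.get(key)
        if s is not None:            # packets before any SYN on this tuple are ignored
            s["end"], s["packets"] = ts, s["packets"] + 1
            if (src, sport) == s["server"]:
                s["answered"] = True
    return {"hosts": sorted(hosts), "sessions": sessions,
            "duration": 0.0 if first is None else last - first}

ATTACKER, VICTIM = "10.0.0.9", "10.0.0.23"   # constructed, not the challenge's hosts

def sample_pcap():
    """Constructed trace: two connections to 445/tcp, a connect-back from the
    victim (with one retransmitted SYN), then the attacker reusing a client port."""
    pk = []
    def conn(t, a, ap, b, bp, retransmit=False):
        pk.append((t, tcp_frame(a, b, ap, bp, SYN)))
        if retransmit:
            pk.append((t + 0.005, tcp_frame(a, b, ap, bp, SYN)))
        pk.append((t + 0.01, tcp_frame(b, a, bp, ap, SYN | ACK)))
        pk.append((t + 0.02, tcp_frame(a, b, ap, bp, ACK)))
        pk.append((t + 0.50, tcp_frame(a, b, ap, bp, FIN | ACK)))
        pk.append((t + 0.51, tcp_frame(b, a, bp, ap, FIN | ACK)))
    conn(100.0, ATTACKER, 1821, VICTIM, 445)
    conn(101.0, ATTACKER, 1822, VICTIM, 445)
    conn(103.0, VICTIM, 1030, ATTACKER, 1957, retransmit=True)
    conn(104.0, ATTACKER, 1821, VICTIM, 445)   # same 4-tuple as the first session
    return build_pcap(pk)

if __name__ == "__main__":
    r = summarize(sample_pcap())
    print(r["hosts"], len(r["sessions"]), round(r["duration"], 3))
```

On a real trace the same summarize() runs over the bytes of the challenge file; question 2 (where the attacker is located) then needs a WHOIS or GeoIP lookup of the non-victim address, which is deliberately not done here.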
Posted in Security

Happy New Year 2010!

January 2nd, 2010

Wish everyone a happy, productive new year!:)

Posted in Misc

Computer Security Conference Paper Submission Due

December 29th, 2009

According to Prof. Guofei Gu's Computer Security Conference Ranking and Statistic

Posted in Security

How to Merge Directories

September 9th, 2009

(cd /path/to/src && tar cf - .) | (cd /path/to/dst && tar xpf -)

This copies the contents of src into dst, keeping subdirectories and (with p) file permissions; files that already exist in dst under the same name are overwritten, and ownership is only preserved when extracting as root.

Posted in Misc

How nerdy r u?

September 7th, 2009



I am nerdier than 96% of all people.

Posted in Misc

What's new on PHoneyC (4): Try it out!

August 11th, 2009

Hi all:
I have finished almost all of the coding for Project #1; you can now try out the new PHoneyC with shellcode/heapspray detection here:

Please feel free to report any bugs or suggestions about the shellcode/heapspray detection to me.

As Geng and his partner are still working on the DOM simulation for PHoneyC (Project #2), I will do more testing and write an overall introduction to the ideas and structure of the new PHoneyC after merging in his final commit.

NOTICE: The DOM simulation part of PHoneyC in the svn may change a lot in the following days, so please check out revision 1433 for a stable version.

Here is the current installation manual; you can also find it in the README file:

Compile the modules:
cd modules
make install
NOTE: Root privileges are not needed for make install.
Run it:
PYTHONPATH=lib/python python URL-you-want-to-examine

Tags: gsoc libemu phoneyc shellcode spidermonkey Posted in Web-based Malware Security

3 0days

July 15th, 2009
1. MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray

2. Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit

3. Microsoft Office Web Components (OWC10.Spreadsheet) (owc10.dll) 0Day

Another wave of drive-by download storms is around the corner.

Posted in Web-based Malware

What's new on phoneyc (3)--- Mid-term Evaluation

July 6th, 2009
Info: See <> for project details.
Author: Zhijie Chen (Joyan) <>
Mentor: Jose Nazario
Acknowledgments: Jose Nazario, Jianwei Zhuge, Georg Wicherski, The Honeynet Chinese Chapter
Description: Mid-term report on PHoneyC GSoC project 1. This report describes what I have done on PHoneyC's libemu integration for shellcode and heapspray detection during the first half of the GSoC. So far, the main ideas behind this feature have been implemented quickly (that is, with poor coding style) and the whole flow works well; some code rewriting and performance optimization are needed in the future.


PHoneyC is a low-interaction honeyclient written by Jose Nazario. The shellcode (SC for short) and heapspray (HS for short) detection module for PHoneyC was listed as a GSoC project this year, and I feel lucky to have been chosen to implement it. This report describes the main idea behind SC/HS detection in PHoneyC and how to build and run this version of PHoneyC. Note that this module (which I call honeyjs) is currently far from complete and this report is only for the midterm evaluation, so the build and run instructions may not work in the future. As an introduction to PHoneyC, I'd better quote what the original developer wrote in his paper 'PhoneyC: A Virtual Client Honeypot':

This paper presents PhoneyC, a honeyclient tool that can provide visibility into new and complex client-side attacks. PhoneyC is a virtual honeyclient, meaning it is not a real application but rather an emulated client. By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques.

My Approach

My approach to detecting shellcode and heapspray can be summarized as follows:

  1. First, I modified python-spidermonkey v0.0.1a (written in Pyrex) so that the JavaScript virtual machine is interrupted on each assignment.
  2. At each interruption I check whether the r-value of the assignment is a string. If so, I use libemu to scan the string for shellcode; if shellcode is found, an alert message is appended to the alert list.
  3. A series of shellcode alerts relating to one variable is summarized into a potential heapspray alert.
  4. After the JavaScript has finished executing, PHoneyC analyzes the detected shellcode with libemu to extract malware-download URLs and other information.

There are also some optimizations, such as a mal-value hash table to avoid checking the same value twice, and dataflow tracking (e.g. the concatenation of a mal-string, i.e. a string that contains shellcode, with any other string yields a mal-string, so the result is flagged without being scanned again). The above is all I have done in the first half of this GSoC; the Python module I implemented is named honeyjs.
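As an added example (this is not honeyjs or any other PHoneyC code), the following Python toy models the four steps and the two optimizations described above. No JavaScript engine is embedded: assignments are fed to the tracer as (variable, value, sources) events, the way a hooked interpreter would report them, and libemu is replaced by a hypothetical pattern scan for a NOP sled or a GetPC stub that only stands in for libemu's emulation-based detection. The heapspray threshold, the convention that array element writes are reported under the array's base name, and the spray page itself are assumptions constructed for the demonstration.

```python
# Added example, not PHoneyC's honeyjs code: a toy model of the assignment-hook
# approach. Assignments arrive as (variable, value, sources) events; the
# shellcode check is a hypothetical stand-in for libemu.
import hashlib
import re
from collections import defaultdict

NOP_SLED = b"\x90" * 16                          # 16 consecutive x86 NOPs
GETPC_STUBS = (b"\xe8\x00\x00\x00\x00",          # call $+5
               b"\xd9\xee\xd9\x74\x24\xf4")      # fldz; fnstenv [esp-0xc]
HEAPSPRAY_THRESHOLD = 3   # hypothetical: this many hits on one variable => heapspray

def js_unescape(s):
    """JavaScript unescape(): %uXXXX -> one UTF-16 code unit, %XX -> one code unit."""
    return re.sub(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def js_bytes(s):
    """In-memory image of a JS string (UTF-16LE code units), what a scanner sees."""
    return s.encode("utf-16-le", "surrogatepass")

def contains_shellcode(data):
    """Stand-in for libemu: true if a NOP sled or a GetPC stub is present."""
    return NOP_SLED in data or any(stub in data for stub in GETPC_STUBS)

class AssignmentTracer:
    """One event per JS assignment; keeps alerts, taint and a mal-value cache."""
    def __init__(self):
        self.alerts = []                 # (variable, length) per shellcode hit
        self.seen = {}                   # mal-value hash table: sha1(bytes) -> verdict
        self.tainted = set()             # variables currently holding a mal-string
        self.hits = defaultdict(int)     # variable -> number of shellcode hits

    def _scan(self, value):
        data = js_bytes(value)
        digest = hashlib.sha1(data).digest()
        if digest not in self.seen:      # identical strings are scanned only once
            self.seen[digest] = contains_shellcode(data)
        return self.seen[digest]

    def assign(self, name, value, sources=()):
        """`name = <expr>`; `sources` are the variables the r-value was built from.
        Dataflow rule: anything built from a mal-string is a mal-string, no rescan."""
        if not isinstance(value, str):
            self.tainted.discard(name)
            return False
        mal = any(src in self.tainted for src in sources) or self._scan(value)
        if mal:
            self.tainted.add(name)
            self.hits[name] += 1
            self.alerts.append((name, len(value)))
        else:
            self.tainted.discard(name)
        return mal

    def heapspray_alerts(self):
        """Repeated shellcode hits on one variable summarized as a heapspray alert."""
        return [(n, c) for n, c in self.hits.items() if c >= HEAPSPRAY_THRESHOLD]

def simulate_spray_page(tracer, blocks=3):
    """Constructed spray page: sled + GetPC stub in `sc`, a padding `block`
    doubled up, then memory[i] = block + sc in a loop. Array element writes are
    reported under the base name "memory" (a hypothetical hook convention)."""
    sc = js_unescape("%u9090" * 8 + "%u00e8%u0000%u0000")
    tracer.assign("sc", sc)                                        # scanned: hit
    block = js_unescape("%u0c0c%u0c0c")
    tracer.assign("block", block)                                  # scanned: clean
    while len(block) < 64:
        block = block + block
        tracer.assign("block", block, sources=("block",))          # clean, rescanned
    for _ in range(blocks):
        tracer.assign("memory", block + sc, sources=("block", "sc"))  # tainted, no scan
    tracer.assign("title", "Welcome")                              # scanned: clean
    tracer.assign("count", 42)                                     # not a string
    return tracer

if __name__ == "__main__":
    t = simulate_spray_page(AssignmentTracer())
    print(t.alerts, t.heapspray_alerts(), len(t.seen))
```

Two details are worth noticing when running it: the JS string is scanned as UTF-16 code units, which is why %u9090 becomes two 0x90 bytes and a sled made of "\x90" characters would not; and the sprayed blocks are never handed to the scanner at all, because the taint carried by sc makes every block + sc a mal-string by the dataflow rule, which is what keeps the check from scanning ever larger strings.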


Tags: gsoc phoneyc shellcode spidermonkey libemu Posted in Security

What's new on phoneyc (2)--- Shellcode and Heapspray Detection

June 1st, 2009

Hi folks:
I have written some basic shellcode and heapspray detection code in phoneyc's 'honeyjs' JavaScript engine (based on python-spidermonkey, with extra tracing and auditing work). I also gave a presentation at the local Honeynet Chinese Chapter last weekend. Details about my current approaches can be found in these slides:

Z. Chen (Joyan)

Tags: gsoc phoneyc shellcode spidermonkey Posted in Web-based Malware Security