Integrating Google Hack and GenIII Honeypots

Thursday, January 19. 2006
Together with Ryan McGeehan from the Google Hack Honeypot (GHH) team I have written a short summary of how current Gen III honeynets and GHHs could be integrated. Essentially, we are adding advertisement to honeypot technology. That is all this really comes down to. The tricky part is how it is advertised to reduce false positives, which we will design after we know what resources we will be using. But due to this advertisement, we will be able to attract a new class of attackers and learn about new tools.

Furthermore, this is a way to learn more about targeted attacks. So instead of blind scanning, this is more like a hitlist that is generated with the help of different search engines. This is a new aspect in the area of "classical" GenIII honeypots since they have no real way to attract attackers and to learn more about targeted attacks.

The basic ideas are:

  • Redirecting traffic from GHHs to GenIII honeypots

  • Analyzing GHH logfiles with the help of GenIII honeypots

  • Generating GHHs with the help of information collected with GenIII honeypots

  • Cooperation with Google or other search engines to improve data capture capabilities


There is also an elaborated version available.
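As an added illustration of the second idea (analyzing GHH logfiles), and not code from the original post or from the GHH or Honeynet projects, the following Python script parses a few constructed Apache combined-format log lines from a GHH-style web honeypot, picks out the requests whose Referer is a search-engine results page, recovers the search query that led the visitor there, and lists the source addresses that a hand-off to a GenIII honeypot could act on. The log lines, host names and addresses are constructed; the search-engine host patterns and query parameter names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
# A crawler visit (Googlebot, no Referer) is included on purpose: it is how the
# GHH gets indexed and must not be counted as an attacker.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2006:10:00:01 +0100] "GET /phpshell.php HTTP/1.1" 200 812 "http://www.google.com/search?q=inurl%3Aphpshell.php&hl=en" "Mozilla/4.0"
10.0.0.5 - - [19/Jan/2006:10:00:07 +0100] "POST /phpshell.php HTTP/1.1" 200 954 "http://honeypot.example/phpshell.php" "Mozilla/4.0"
10.0.0.9 - - [19/Jan/2006:10:02:13 +0100] "GET /robots.txt HTTP/1.1" 404 204 "-" "Googlebot/2.1"
192.0.2.77 - - [19/Jan/2006:10:05:40 +0100] "GET /admin/config.php HTTP/1.0" 200 377 "http://search.yahoo.com/search?p=%22config.php%22+inurl%3Aadmin" "Opera/8.5"
192.0.2.78 - - [19/Jan/2006:10:06:02 +0100] "GET /admin/config.php HTTP/1.0" 200 377 "http://search.msn.com/results.aspx?q=inurl%3Aadmin+config.php" "Mozilla/5.0"
"""

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed Referer host fragments that mark a search results page, mapped to the
# parameter that carries the query (q for Google/MSN, p for Yahoo at the time).
SEARCH_ENGINES = {
    "google.": "q",
    "search.yahoo.": "p",
    "search.msn.": "q",
}


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_query(referer):
    """Return (engine, decoded query) if the Referer is a search results page, else None."""
    if not referer or referer == "-":
        return None
    parsed = urlparse(referer)
    host = parsed.hostname or ""
    for marker, param in SEARCH_ENGINES.items():
        if marker in host:
            values = parse_qs(parsed.query).get(param)
            if values:
                return marker.rstrip("."), values[0]
    return None


def search_engine_hits(log_text):
    """Requests that reached the honeypot via a search engine: the GHH-style hits.

    Direct follow-up requests and crawler visits carry no search Referer and are
    therefore left out, which keeps ordinary indexing from producing false positives.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = search_query(rec["referer"])
        if found is None:
            continue
        engine, query = found
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                     "engine": engine, "query": query})
    return hits


def redirect_candidates(hits):
    """Source addresses that arrived through a search engine, with hit counts.

    These are the sessions a GHH could hand over to a GenIII honeypot.
    """
    return Counter(h["ip"] for h in hits)


def dorks(hits):
    """Distinct search queries that led visitors here; input for building new GHHs."""
    return sorted({h["query"] for h in hits})


if __name__ == "__main__":
    found = search_engine_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]}  {h["ip"]:<12} {h["path"]:<20} via {h["engine"]}: {h["query"]}')
    print("candidates:", dict(redirect_candidates(found)))
    print("queries seen:", dorks(found))
```

The script keys only on the Referer, so a crawler indexing the honeypot and a visitor who typed the address by hand are both ignored; that is the cheapest way to keep the advertisement from turning into noise, at the price of missing clients that strip the Referer header.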


Sebek 3: Tracking the Attackers

Wednesday, January 18. 2006
SecurityFocus has published a new article by Raul Siles entitled Sebek 3: Tracking the Attackers. The article deals with the basics of Sebek 3 and gives detailed information about the mechanism behind this tool. In addition, several challenges of Sebek are presented. Most of these challenges have already been covered in previous articles published at SecurityFocus:


Introduction to the article:
It has become increasingly important for security professionals to deploy new detection mechanisms to track and capture an attacker's activities. Third Generation (GenIII) Honeynets provide all the components and tools required to gather this information at the deepest level. Sebek is the primary data capture tool for GenIII Honeynets.

The first of this two-part series will discuss what Sebek is and what makes it so interesting. We'll start by looking at the latest Sebek release, version 3, its new capabilities, the Sebek protocol specification and how it integrates with GenIII Honeynet infrastructures. The second article will briefly address how to install and use Sebek on Linux and Windows. It will then focus on a Sebek patch developed by this article's author that makes it possible not only to watch what the attacker types but also the response received.

MISC Magazine

Saturday, January 14. 2006
If you speak French or German, you should take a look at MISC magazine. I am the editor in chief for the German version. MISC can be described with the following summary (originally in German):

"MISC magazine is devoted to security in computer science in all its aspects (such as systems, networks or programming), wherever technical and scientific perspectives play a decisive role. Related problem areas are also considered (for example legal aspects or IT threats), which makes MISC a magazine that takes up both the growing complexity in IT and the security problems that come with it."

Automatically Analyzing Malware

Friday, January 13. 2006
With the help of tools like mwcollect, nepenthes, and Multipot it is very easy to collect binary samples of spreading worms, bots, and other malware. These samples are often not recognized by current anti-virus engines, so it is frequently necessary to analyze the binaries by hand. This is a time-consuming and error-prone task.

A quick and dirty analysis of a captured binary can be performed with the help of the Norman Sandbox (technical whitepaper). This tool executes the binary in an emulated environment and extracts information during runtime. A sample report and more live data are available at the website. You will notice that it is possible to automatically submit binaries captured with the help of nepenthes to the sandbox.

While this is a nice tool, it would be more interesting to be able to carry out such an analysis at home, without the need to submit the binary to a central server. In the diploma thesis entitled "Automatic Behaviour Analysis of Malware" Carsten Willems will implement such a tool. More information can be found in the description of the thesis and I will regularly publish updates here.

EUSecWest: Security Masters Dojo on Honeynets

Friday, January 13. 2006
An announcement from me: Maximillian Dornseif and I will teach a security masters dojo entitled Advanced Honeypot Tactics during EUSecWest in February. In this one-day seminar we will focus on low-interaction honeynets: Maximillian will talk about honeyd and its uses, and I will teach you how to use nepenthes / mwcollect. Moreover, we will show how honeypots can be used to protect the infrastructure of a company, along with several other applied techniques. The seminar will be a hands-on course with lots of exercises.
