Detecting Honeypots and other Suspicious Environments

Thursday, April 13. 2006
When running a honeypot, the operator should also know the constraints of current honeypot-based techniques. Back in 2004, we showed as part of the NoSEBrEaK project how an attacker can detect, disable and circumvent Sebek, the primary data-capture tool used by honeynet researchers to record an attacker's activities on a honeypot. Since then, Sebek has been improved and most of those attacks no longer work.

Last year, Frederic Raynal and I published a paper about detecting honeypots and other suspicious environments, e.g., whether a program runs under a debugger. We give examples of how to detect the presence of UML, VMWare, SoftICE, and OllyDbg. For example, Agobot uses the following piece of code to detect software breakpoints (an INT 3, opcode 0xCC, written over a function's first byte):


mov esi, address    ; load function address
mov al, [esi]       ; load the first opcode byte
cmp al, 0xCC        ; is it 0xCC (INT 3)?
je  BPXed           ; yes, there is a breakpoint: jump to return true
xor eax, eax        ; false, no breakpoint
jmp NOBPX
BPXed:
mov eax, 1          ; breakpoint found
NOBPX:


Steganography in Botnet Command & Control

Sunday, April 2. 2006
In his blog entry "Security/C#: Demonstration of Steganography Messages to Evade IDS Detection", John Ware explains how a botnet's C&C could use steganography for stealthy communication. To quote him:

"This technique uses steganography to embed a simple command protocol into image files. When combined with methods for determining proxy configurations (Windows stores this internally, you can set them under Internet Explorer under Tool, Internet Options, Connections, and Lan Settings, or under the Control Panel), clients can use the existing egress rules to retrieve said embedded file remotely through approved outbound ports and proxy servers. To any passive observer, this is simple web traffic retrieving graphics that are embedded into everyday web pages. Clients then can be set to retrieve graphics from a location or locations at random or set intervals."

Nice idea, but nothing really new. Back in 2001, a bot called Xot introduced a technique called DRSS (Dynamic Remote Settings Stub). With DRSS, the botnet controller embedded (actually appended) the information about the central botnet C&C server to an image file. This file was then uploaded to a web site, and the bots simply retrieved it to obtain their configuration. Not as sophisticated as the method from the blog entry - but hey, that was 5 years ago. Really stealthy communication can presumably be reached with a custom protocol and some other techniques, but more on that in a later blog entry...
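The DRSS trick of appending the configuration after the image data has a simple defensive check: a well-formed PNG ends exactly with its IEND chunk, so any bytes behind it are a trailer a viewer silently ignores. The following is an added example (not Xot's code, not from the paper) that walks the chunk list of a constructed 1x1 PNG and reports such a trailer; the appended string is a constructed placeholder. The same idea applies to JPEG via the EOI marker, with the caveat that EXIF thumbnails carry their own EOI.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return every byte that follows IEND.

    Each chunk is: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
    A clean file returns b""; an appended DRSS-style config is returned whole.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4            # header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with its CRC over type and data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_minimal_png() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")    # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))

# Constructed samples: a clean image and one with a config appended after IEND.
CLEAN_PNG = make_minimal_png()
APPENDED_CONFIG = b"server=cnc.example.invalid;port=6667"   # placeholder, constructed
STEGO_PNG = CLEAN_PNG + APPENDED_CONFIG

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_PNG), ("appended", STEGO_PNG)):
        trailer = png_trailing_data(img)
        print(f"{name}: {len(trailer)} trailing byte(s) {trailer[:40]!r}")
```

Run over images fetched through the proxy, a non-empty trailer is a cheap first-pass indicator worth a closer look; it does not catch data hidden inside pixel values, which is what the steganographic variant in the quoted entry does.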

You can read more about this feature at http://www.megasecurity.org/trojans/x/xot/Xot0.5b2.html or in an article I wrote a while ago entitled "A Short Visit to the Bot Zoo".
