New Capture-HPC release

Sunday, March 30. 2008
A tool announcement:

The Honeynet Project and the School of Mathematics, Statistics and Computer Science at Victoria University of Wellington have just released version 2.1 of Capture-HPC, a tool that is able to find and investigate the increasing problem of client-side computer attacks. This new software release adds features and improves performance, allowing anyone to investigate a larger range and quantity of client-side computer attacks. Capture-HPC is freely available from the main Honeynet Project web site at: https://projects.honeynet.org/capture-hpc/wiki. It is written and distributed under the GNU General Public License, v2.

Capture-HPC is a computer security product that allows anyone to investigate client-side computer attacks: security researchers can find and study malicious servers; virus and malware researchers can collect malware pushed by malicious servers; network administrators can monitor their systems for client-side attacks; and web site operators can monitor their web sites for unauthorized modifications carrying client-side attack code.

Collecting Autonomous Spreading Malware Using High-Interaction Honeypots

Friday, January 11. 2008
Together with a few researchers from the Chinese Honeynet Project, we published a paper about capturing autonomous spreading malware with high-interaction honeypots at the 9th International Conference on Information and Communications Security (ICICS 2007) which is now available.

Abstract: Autonomous spreading malware in the form of worms or bots has become a severe threat in today’s Internet. Collecting the sample as early as possible is a necessary precondition for the further treatment of the spreading malware, e.g., to develop antivirus signatures. In this paper, we present an integrated toolkit called HoneyBow, which is able to collect autonomous spreading malware in an automated manner using high-interaction honeypots. Compared to low-interaction honeypots, HoneyBow has several advantages due to a wider range of captured samples and the capability of collecting malware which propagates by exploiting new vulnerabilities. We validate the properties of HoneyBow with experimental data collected during a period of about nine months, in which we collected thousands of malware binaries. Furthermore, we demonstrate the capability of collecting new malware via a case study of a certain bot.

Keywords: Honeypots - Intrusion Detection Systems - Malware

Full Paper: Collecting Autonomous Spreading Malware Using High-Interaction Honeypots (LNCS 4861)

Honeywall CDROM 1.3 beta Published

Thursday, January 3. 2008
After several months of development, a new version of the Honeywall is available: The Honeywall CDROM is a bootable CD that installs onto a hard drive and comes with all the tools and functionality for you to implement data capture, control, and analysis.

You can get the ISO image for testing here: http://www.honeynet.org/tools/cdrom/roo/iso/test/roo-1.3.hw-b1.iso

More information about the Honeywall development is available at the public Trac reachable via https://projects.honeynet.org/honeywall

Amun Honeypot

Tuesday, December 11. 2007
Today, Jan Göbel released his tool Amun. The tool is similar to nepenthes and designed to collect samples of autonomous spreading malware. The basic idea is to simulate vulnerable network services and trick an incoming exploitation attempt into thinking that the honeypot is a real system.

Amun is implemented in Python, so adding further vulnerability modules is quite easy. The tool can be downloaded via http://zero.ram.rwth-aachen.de/amun/download.php.

Storm Worm Potpourri

Thursday, December 6. 2007
Storm Worm was quiet in the last few days; nothing really exciting happened at the honeypots infected with the bot. Many of the spam mails sent by the bot are stock spam messages which advertise a certain stock. An example of an attachment sent some time ago is Complaint.pdf, which advertises Score One Inc. (SREA.OB), a small company traded over the counter.

Many of the fast-flux domains used by Storm Worm are currently non-functional; only two seem to resolve:
$ dig yxbegan.com

; <<>> DiG 9.4.1-P1 <<>> yxbegan.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 12, ADDITIONAL: 0

;; QUESTION SECTION:
;yxbegan.com. IN A

;; ANSWER SECTION:
yxbegan.com. 0 IN A 74.134.155.14

;; AUTHORITY SECTION:
yxbegan.com. 172800 IN NS ns13.yxbegan.com.
yxbegan.com. 172800 IN NS ns2.yxbegan.com.
yxbegan.com. 172800 IN NS ns3.yxbegan.com.
yxbegan.com. 172800 IN NS ns4.yxbegan.com.
yxbegan.com. 172800 IN NS ns5.yxbegan.com.
yxbegan.com. 172800 IN NS ns6.yxbegan.com.
yxbegan.com. 172800 IN NS ns7.yxbegan.com.
yxbegan.com. 172800 IN NS ns8.yxbegan.com.
yxbegan.com. 172800 IN NS ns9.yxbegan.com.
yxbegan.com. 172800 IN NS ns10.yxbegan.com.
yxbegan.com. 172800 IN NS ns11.yxbegan.com.
yxbegan.com. 172800 IN NS ns12.yxbegan.com.

;; Query time: 4376 msec
;; SERVER: X.X.X.X#53(X.X.X.X)
;; WHEN: Thu Dec 6 08:59:53 2007
;; MSG SIZE rcvd: 265

Consecutive lookups each return a different A record (note the TTL of 0, so no answer is cached):
yxbegan.com. 0 IN A 69.224.113.183
yxbegan.com. 0 IN A 123.215.78.167
yxbegan.com. 0 IN A 168.188.56.76
yxbegan.com. 0 IN A 220.129.76.210
yxbegan.com. 0 IN A 59.23.185.81
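The lookups above show the two signals defenders usually combine to spot a fast-flux domain: a TTL of 0 (or close to it) and a different, widely scattered A record on every query. The following is an added example, not code from the original post, that parses dig-style answer lines and applies that heuristic; the sample lookups are constructed from the addresses quoted above, and the thresholds, the /16-prefix diversity measure (a crude stand-in for ASN diversity, since no ASN data is available offline) and the counter-example domain `example.invalid` are all assumptions of this example.

```python
"""Heuristic fast-flux check over repeated DNS answer lines (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one dig-style answer line per consecutive lookup, using
# the addresses quoted in the post. Spacing varies as it does in dig output.
SAMPLE_LOOKUPS = [
    "yxbegan.com. 0 IN A 74.134.155.14",
    "yxbegan.com.            0       IN      A       69.224.113.183",
    "yxbegan.com. 0 IN A 123.215.78.167",
    "yxbegan.com. 0 IN A 168.188.56.76",
    "yxbegan.com. 0 IN A 220.129.76.210",
    "yxbegan.com. 0 IN A 59.23.185.81",
]

# Constructed counter-example: a stable host that answers with the same
# address and a long TTL on every lookup (address from the documentation range).
STABLE_LOOKUPS = ["example.invalid. 3600 IN A 192.0.2.10"] * 5

# Constructed counter-example: ordinary round-robin with several addresses but
# a long TTL, which should not be flagged by a TTL-aware heuristic.
ROUND_ROBIN_LOOKUPS = [
    "example.invalid. 3600 IN A 192.0.2.10",
    "example.invalid. 3600 IN A 198.51.100.20",
    "example.invalid. 3600 IN A 203.0.113.30",
]

# Matches "name ttl IN A address" with any amount of whitespace between fields.
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


@dataclass(frozen=True)
class ARecord:
    name: str
    ttl: int
    ip: str


def parse_a_record(line: str) -> Optional[ARecord]:
    """Parse one dig answer line; returns None for anything that is not an A record."""
    m = A_RECORD.match(line.strip())
    if not m:
        return None
    return ARecord(m["name"].lower(), int(m["ttl"]), m["ip"])


def summarize(lines) -> dict:
    """Collect the per-domain features the fast-flux heuristic is based on."""
    records = [r for r in map(parse_a_record, lines) if r is not None]
    unique_ips = {r.ip for r in records}
    # /16 prefix diversity approximates "addresses in many unrelated networks".
    unique_prefixes = {".".join(r.ip.split(".")[:2]) for r in records}
    max_ttl = max((r.ttl for r in records), default=None)
    return {
        "lookups": len(records),
        "unique_ips": len(unique_ips),
        "unique_prefixes": len(unique_prefixes),
        "max_ttl": max_ttl,
    }


def is_fast_flux_candidate(lines, max_ttl=300, min_unique_ips=3, min_unique_prefixes=3) -> bool:
    """Flag a domain only when short TTLs AND scattered, churning addresses coincide.

    Either signal alone is common for legitimate services (CDNs use short TTLs,
    round-robin uses several addresses), so both are required.
    """
    s = summarize(lines)
    if s["lookups"] == 0:
        return False
    return (
        s["max_ttl"] <= max_ttl
        and s["unique_ips"] >= min_unique_ips
        and s["unique_prefixes"] >= min_unique_prefixes
    )


if __name__ == "__main__":
    for label, lookups in [("storm", SAMPLE_LOOKUPS), ("stable", STABLE_LOOKUPS), ("round-robin", ROUND_ROBIN_LOOKUPS)]:
        print(label, summarize(lookups), "fast-flux candidate:", is_fast_flux_candidate(lookups))
```

The point of the two counter-examples is the caveat a practitioner needs: a TTL of 0 by itself is not proof of fast-flux, and neither is a rotating set of addresses; it is the combination of near-zero TTL with addresses spread across unrelated networks, over repeated lookups, that distinguishes the Storm Worm pattern from a CDN or plain round-robin DNS.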

More info to follow :)

Technical Report: Studying Malicious Websites and the Underground Economy on the Chinese Web

Tuesday, December 4. 2007
Together with the researchers from the Chinese Honeynet Project, we also examined the extent of malicious websites on the Chinese Web. Using high- and low-interaction honeyclients, we were able to find about 2,500 sites (1.49% of all examined sites) that tried to compromise an unpatched system. Furthermore, we also studied the underground black market which is used to trade exploits, malware, and stolen virtual goods. Several measurements provide an insight into the black market on the Chinese Web and show that the attackers are organized pretty well. We published our findings as a technical report to share the lessons we learned.

Abstract:
The World Wide Web gains more and more popularity within China, with more than 1.31 million websites on the Chinese Web in June 2007. Driven by economic profits, cyber criminals are on the rise and use the Web to exploit innocent users. In fact, a real underground black market with thousands of participants has developed which brings together malicious users who trade exploits, malware, virtual assets, stolen credentials, and more. In this paper, we provide a detailed overview of this underground black market and present a model to describe the market. We substantiate our model with the help of measurement results within the Chinese Web. First, we show that the amount of virtual assets traded on this underground market is huge. Second, our research proves that a significant number of websites within China's part of the Web are malicious: our measurements reveal that about 1.49% of the examined sites contain some kind of malicious content.


The complete report is available as TR-2007-011.

Technical Report: Characterizing the IRC-based Botnet Phenomenon

Monday, December 3. 2007
Together with a few researchers from China, we studied IRC-based botnets in order to understand the extent of this phenomenon. Using different kinds of honeypots and several sensors deployed across different regions in China, we were able to collect thousands of bot binaries. With the help of a behavior-based analysis mechanism similar to CWSandbox, we could extract the Command & Control (C&C) server in an automated way. In a third step, we used this information to connect to the actual C&C server and passively monitored the activity in the channel. Furthermore, we also actively probed the C&C servers to find out other characteristics of these machines. The complete setup and our results are described in a technical report we just published.

Abstract:
Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term measurements. These include, amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area.

Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command & Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail can we develop efficient countermeasures.


The complete report is available as TR-2007-010. And more information regarding the Chinese Honeynet Project is available at the website of the Artemis Project.

Honeynet Project's Status Report for 2007

Thursday, October 18. 2007
The status report of the Honeynet Project for the fiscal year 2007 has been online for a couple of days. It contains an overview of what the Honeynet Project has done in the past year, together with links to the status report of each chapter. If you want to know what was done during the last couple of months, this is a good starting point.

Release of Capture-HPC 2.0

Thursday, September 13. 2007
Christian Seifert just mailed me and told me about the new release of Capture-HPC. Lots of new features are included in the release, which, hopefully, lowers the bar to get into research about malicious servers as well as expanding the possibilities of that research. Here is a (partial) list of specific new features:
  • support for any client application that is HTTP protocol aware (for example, Microsoft Excel)

  • ability to automatically collect malware

  • ability to automatically collect network traffic on the client

  • ability to push exclusion lists from the Capture Server to the Capture Client

  • improved control of Internet Explorer: obtain HTTP error codes; specify a visitation delay after a page has been retrieved; retry visitation of URLs in case of timeouts or network errors, ...

  • support for a plug-in architecture that allows fine-grained control of clients (for example, as provided for Internet Explorer), but also allows for integration of client applications that require complex interactions to retrieve content from the web (e.g. Safari is such an application: it doesn't allow retrieval of web content by passing the URL as a parameter)

The tool and the source code are available from https://www.client-honeynet.org/creleases.html.

New KYE paper: Malicious Web Servers

Tuesday, August 14. 2007
The Honeynet Project & Research Alliance are excited to announce the release of a new paper in our Know Your Enemy series, "KYE: Malicious Web Servers". In this paper, we take an in-depth look at malicious web servers that attack web browsers, and we evaluate several defensive strategies that can be employed to counter this threat of client-side attacks. All the malicious web servers identified in this study were found with our client honeypot Capture-HPC.

Besides the information in this paper, we also publish the complete data set. We hope that Capture-HPC and the data enable the security community to easily become involved in studying the phenomenon of malicious servers.