GSoC Update

Tuesday, April 21. 2009
Yesterday the results of Google Summer of Code (GSoC) were released, and the Honeynet Project will mentor nine students during the summer, who will work on different projects: http://socghop.appspot.com/org/home/google/gsoc2009/honeynet. More information is also available at the Honeynet Project GSoC site.

I'm happy to mentor Lukas Rist, who will work on Glastopf. The goal of the project is to learn more about attacks by emulating vulnerabilities in web applications ("We have two goals: First, collecting and analyzing data and second, trying to inform compromised web page owners. Actually we are mainly collecting Remote File Inclusion attacks, but others will follow."). The source code is available at http://trac.1durch0.de/trac and will be improved during the GSoC period.

LEET'09 Taking Place Soon

Tuesday, April 7. 2009
Join us at the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (LEET'09), which will take place in Boston, MA, on April 21, 2009. LEET '09 will focus on the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, and the social and economic networks driving these threats. Sessions include Malware Analysis, Ethics in Botnet Research, Malware Behavior, and more.

The full program is available at http://www.usenix.org/events/leet09/tech/.

LEET '09 will also include a session for Work-in-Progress reports. We encourage you to submit an abstract or proposal for a 5-minute presentation on your preliminary work to leet09wips@usenix.org.

Connect with the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats, fostering the development of preliminary work in this diverse area and stimulating discussion of thought-provoking ideas.

Find out more and register today at http://www.usenix.org/leet09/

Google Summer of Code 2009

Monday, March 23. 2009
The Honeynet Project was selected for this year's Google Summer of Code. If you are a student and interested in participating in the program, please take a look at http://www.honeynet.org/gsoc. There you will find all information about the projects related to the Honeynet Project. Google begins accepting student applications today, so you need to be quick...

Learning more about RFI Attacks

Saturday, March 21. 2009
As part of the work at our lab we started to work on methods to learn more about remote file inclusion (RFI) attacks. The Internet Storm Center has developed a web-based honeypot which is available in a beta version. This honeypot can be used to collect information about different kinds of attacks, but requires the participant to install and maintain a honeypot of their own. For example, it is possible to deploy this honeypot on an OpenWrt router.
Since we are aiming only at RFI attacks, an easier approach is to redirect incoming malicious requests to a central honeypot which then aggregates the information. Jan already blogged about this idea; this posting is meant to spread the word.

You can help us by using the following .htaccess file on your web server:
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} (.+=http:\/\/.+)
RewriteRule ^(.+)$ http://link.informatik.uni-mannheim.de/$1?%1 [R,NC] 
These rules check whether the incoming request looks like an RFI attack (RewriteCond: the query string contains a parameter whose value is an http:// URL) and, if so, redirect the request to one of our honeypots (RewriteRule), passing along the original path and query string. Please let us know if you have any questions or ideas.
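To see exactly which requests the two rules above divert and which they let through, here is an added example (not part of the original post or the lab's code) that emulates the RewriteCond/RewriteRule pair in Python over a few constructed request URIs; the sample URIs and the 198.51.100.7 documentation address are assumptions, the honeypot host and the regex are taken from the .htaccess above.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Honeypot that the page's RewriteRule redirects to.
HONEYPOT = "http://link.informatik.uni-mannheim.de"

# The RewriteCond pattern, unchanged. mod_rewrite conditions are unanchored
# searches, and the [NC] flag sits on the RewriteRule, not on the
# RewriteCond, so the condition itself is case-sensitive as written.
RFI_COND = re.compile(r"(.+=http:\/\/.+)")


def rewrite(request_uri: str) -> Optional[str]:
    """Return the honeypot URL mod_rewrite would redirect to, or None when
    the request does not satisfy the RewriteCond and is served normally."""
    parts = urlsplit(request_uri)
    # %{QUERY_STRING} is the raw, still percent-encoded query string.
    m = RFI_COND.search(parts.query)
    if m is None:
        return None
    # In .htaccess (per-directory) context the RewriteRule pattern ^(.+)$
    # sees the path relative to that directory, i.e. without the leading '/'.
    # '?%1' replaces the original query string with the RewriteCond capture,
    # which here is the whole query string because both '.+' are greedy.
    return f"{HONEYPOT}/{parts.path.lstrip('/')}?{m.group(1)}"


# Constructed sample requests (not captured traffic); 198.51.100.7 is a
# documentation address standing in for a host serving an included file.
SAMPLES = {
    "/index.php?page=http://198.51.100.7/x.txt?": "RFI probe, redirected",
    "/index.php?page=about": "normal request, served locally",
    "/login.php?back=http://www.example.com/": "benign URL parameter, also redirected",
    "/index.php?page=HTTP://198.51.100.7/x.txt": "upper-case scheme, not matched",
    "/index.php?page=http%3A%2F%2F198.51.100.7%2Fx.txt": "percent-encoded, not matched",
}

if __name__ == "__main__":
    for uri, note in SAMPLES.items():
        print(f"{uri}\n  -> {rewrite(uri)}  ({note})")
```

The third and fourth samples are the operational caveats: any legitimate parameter carrying an http:// URL is diverted to the honeypot too, while an upper-case scheme or a percent-encoded URL slips past the condition unless it gets its own [NC] flag or a broader pattern.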

Using Honeypots to Study Web-based Attacks

Wednesday, January 14. 2009
The Internet Storm Center has an interesting entry on how to use honeypots to capture attacks against web-applications: "Roundcube Webmail follow-up":
A fermented honeypot is one that has been set up based on exploit attempts identified by a first stage honeypot. What happens is that the attacker(s) get all sticky in the original honeypot and when they come back for more sweetness, they get the fermented honeypot too. Now, along with getting all sticky in the first honeypot, they get all drunk on excitement in the fermented honeypot. [...] Development of a fermented honeypot is not without effort. There is no typical Win32 click-n-create nonsense. A fermented honeypot must be specifically crafted to correctly emulate the focused attack. The author, or 'brew master', is well capable of taking a traditional honeypot and fermenting it accordingly.

Basically, they first observe the scanning/exploitation attempts against the Roundcube html2text.php vulnerability and then set up a second-stage honeypot that responds to these scanning attempts, offering more bait for the attacker. This is a good example of how honeypots work, and it also helps them observe the actual infection of a vulnerable system.