Page 1: Honeypots, Honeynets, Bots and Botnets
Source: The HoneyNet Project, http://www.honeynet.org/

Page 2: Why Honeypots
A great deal of the security profession and the IT world depend on honeypots. Honeypots:
◦ Build anti-virus signatures.
◦ Build SPAM signatures and filters.
◦ Help ISPs identify compromised systems.
◦ Assist law enforcement in tracking criminals.
◦ Hunt and shut down botnets.
◦ Support malware collection and analysis.

Page 3: What are Honeypots
Honeypots are real or emulated vulnerable systems ready to be attacked.
The primary value of honeypots is to collect information.
This information is used to better identify, understand and protect against threats.
Honeypots add little direct value to protecting your network.

Page 4: Types of Honeypot
Server: put the honeypot on the Internet and let the bad guys come to you.
Client: the honeypot initiates and interacts with servers.
Other: proxies.

Page 5: Types of Honeypot
Low-interaction
◦ Emulates services, applications, and OSs.
◦ Low risk and easy to deploy/maintain, but captures limited information.
High-interaction
◦ Real services, applications, and OSs.
◦ Captures extensive information, but high risk and time-intensive to maintain.

Page 6: Types of Honeypot
Production
◦ Easy to use/deploy
◦ Captures limited information
◦ Mainly used by companies/corporations
◦ Placed inside the production network with other servers
◦ Usually low interaction
Research
◦ Complex to maintain/deploy
◦ Captures extensive information
◦ Primarily used by research, military, or government organizations

Page 7: Examples of Honeypots
From low interaction to high interaction: BackOfficer Friendly, KFSensor, Honeyd, Honeynets

Page 8: Honeynets
A high-interaction honeypot designed to capture in-depth information.
Information has different value to different organizations.
It is an architecture you populate with live systems, not a product or software.
Any traffic entering or leaving is suspect.

Page 9: How It Works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
◦ Data Control
◦ Data Capture
◦ Data Analysis

Page 10: Honeynet Architecture
(diagram)

Page 11: Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline)
• Bandwidth throttling
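As an added illustration of the outbound connection counting a Honeywall performs (example code, not part of the slide deck or of the Honeynet Project's tools; the flow records, per-protocol budgets and window length are constructed assumptions):

```python
from collections import defaultdict

# Constructed outbound flow records as a honeywall would see them:
# (timestamp in seconds, honeypot source IP, destination IP, protocol)
SAMPLE_FLOWS = [
    (0,    "10.0.0.5", "198.51.100.1", "tcp"),
    (10,   "10.0.0.5", "198.51.100.2", "tcp"),
    (20,   "10.0.0.5", "198.51.100.3", "tcp"),   # third TCP connection inside the window
    (30,   "10.0.0.5", "198.51.100.4", "udp"),
    (40,   "10.0.0.6", "198.51.100.1", "tcp"),   # a different honeypot has its own budget
    (4000, "10.0.0.5", "198.51.100.5", "tcp"),   # the old window has expired
]

# Assumed per-protocol budgets per honeypot per window: enough for a compromised host to
# "phone home" so the capture stays interesting, too little to attack anyone else.
LIMITS = {"tcp": 2, "udp": 5, "icmp": 5}
WINDOW_SECONDS = 3600


class OutboundLimiter:
    """Sliding-window outbound connection counter, one budget per (honeypot, protocol)."""

    def __init__(self, limits, window=WINDOW_SECONDS):
        self.limits = limits
        self.window = window
        self.history = defaultdict(list)   # (src, proto) -> timestamps of allowed connections

    def decide(self, ts, src, proto):
        key = (src, proto)
        # Forget connections that fell out of the window before counting.
        recent = [t for t in self.history[key] if ts - t < self.window]
        self.history[key] = recent
        # Protocols without a budget get 0, i.e. they are always dropped.
        if len(recent) >= self.limits.get(proto, 0):
            return "drop"
        recent.append(ts)
        return "allow"


def apply_data_control(flows, limits=LIMITS):
    """Return one (src, dst, proto, decision) tuple per flow, in order."""
    limiter = OutboundLimiter(limits)
    return [(src, dst, proto, limiter.decide(ts, src, proto)) for ts, src, dst, proto in flows]


def dropped_by_honeypot(decisions):
    """Blocked outbound attempts per honeypot; a non-zero count means that honeypot
    started reaching out and its capture data deserves a look."""
    counts = defaultdict(int)
    for src, _dst, _proto, decision in decisions:
        if decision == "drop":
            counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in apply_data_control(SAMPLE_FLOWS):
        print(*row)
```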

Page 12: No Data Control
(diagram: the Internet connected directly to the honeypots, with no restrictions in either direction)

Page 13: Data Control
(diagram: Internet, Honeywall, honeypots; the Internet side is labelled "No Restrictions", the honeypot side "Connections Limited, Packets Scrubbed")

Page 14: Data Capture
Capture all activity at a variety of levels:
Network activity.
Application activity.
System activity.

Page 15: Sebek
Hidden kernel module that captures all host activity.
Dumps activity to the network.
The attacker cannot sniff Sebek's own traffic: the module hides packets matching its magic number and destination port.

Page 16: Sebek Architecture
(diagram)

Page 17: Honeywall CDROM
An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
May 2003 - Released Eeyore
May 2005 - Released Roo

Page 18: Roo Honeywall CDROM
Based on Fedora Core 3.
Vastly improved hardware and international support.
Automated, headless installation.
New Walleye interface for web-based administration and data analysis.
Automated system updating.

Page 19: Installation
Just insert the CDROM and boot; it installs to the local hard drive.
After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
Following installation, you get a command prompt and the system is ready to configure.

Page 20: Further Information
http://www.honeynet.org/
http://www.honeynet.org/book

Page 21: Network Telescope
Also known as a darknet, internet motion sensor or black hole.
Allows one to observe different large-scale events taking place on the Internet.
The basic idea is to observe traffic targeting the dark (unused) address space of the network.
Since all traffic to these addresses is suspicious, one can gain information about possible network attacks
◦ random scanning worms, and DDoS backscatter
as well as other misconfigurations by observing it.
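An added example, not from the slides, of the classification a network telescope applies to packets reaching its dark address space: a TCP SYN is a probe, while a SYN-ACK or RST is backscatter whose source is a flood victim answering spoofed SYNs. The 203.0.113.0/24 prefix and the sample capture are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the unused prefix the telescope listens on (no legitimate host lives here)
DARK_SPACE = ip_network("203.0.113.0/24")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    flags: str = ""   # TCP flags ("S", "SA", "R", "RA") or ICMP type ("echo-req", "echo-rep", ...)


def classify(pkt):
    """Label one packet that arrived at the dark address space."""
    if ip_address(pkt.dst) not in DARK_SPACE:
        return "ignore"               # not telescope traffic at all
    if pkt.proto == "tcp":
        if pkt.flags == "S":
            return "scan"             # nobody asked for a connection here: a probe
        if pkt.flags in ("SA", "R", "RA"):
            return "backscatter"      # a reply to a SYN we never sent: our addresses were
        return "other"                # spoofed, so pkt.src is the flood victim
    if pkt.proto == "icmp":
        return "scan" if pkt.flags == "echo-req" else "backscatter"
    if pkt.proto == "udp":
        return "probe"                # a UDP scan, or a misconfigured sender
    return "other"


def summarize(packets):
    """Aggregate a capture into event counts, probable scanners and probable DDoS victims."""
    kinds, scanners, victims = Counter(), Counter(), Counter()
    for p in packets:
        kind = classify(p)
        kinds[kind] += 1
        if kind == "scan":
            scanners[p.src] += 1
        elif kind == "backscatter":
            victims[p.src] += 1
    return kinds, scanners, victims


# Constructed sample capture
SAMPLE = [
    Packet("192.0.2.10", "203.0.113.1", "tcp", "S"),
    Packet("192.0.2.10", "203.0.113.2", "tcp", "S"),
    Packet("192.0.2.10", "203.0.113.3", "tcp", "S"),       # one source sweeping the prefix
    Packet("198.51.100.7", "203.0.113.20", "tcp", "SA"),
    Packet("198.51.100.7", "203.0.113.21", "tcp", "SA"),
    Packet("198.51.100.7", "203.0.113.22", "tcp", "RA"),   # a server answering spoofed SYNs
    Packet("192.0.2.55", "203.0.113.9", "icmp", "echo-req"),
    Packet("192.0.2.99", "203.0.113.30", "udp"),
    Packet("192.0.2.10", "203.0.114.1", "tcp", "S"),       # outside the dark prefix
]
```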

Page 22: Honeytoken
Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse. As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes.
Honeytokens can exist in almost any form,
◦ from a dead, fake account to a
◦ database entry that would only be selected by malicious queries,
◦ making the concept ideally suited to ensuring data integrity: any use of them is inherently suspicious if not necessarily malicious.

Page 23: Honeytoken
In general, they don't necessarily prevent any tampering with the data,
◦ but instead give the administrator a further measure of confidence in the data integrity.
An example of a honeytoken is a fake email address used to track whether a mailing list has been stolen.
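An added example (not from the slides) of the fake-address honeytoken just described, generalised slightly: one HMAC-derived address per mailing list, so a hit on inbound mail names the list that was stolen and a guessed address cannot produce a false report. The secret, domain, list names and inbound addresses are constructed assumptions.

```python
import hashlib
import hmac

# Assumed deployment values: the secret never goes into any mailing list itself
SECRET = b"constructed-demo-secret"
DOMAIN = "example.com"


def make_honeytoken(list_name, secret=SECRET, domain=DOMAIN):
    """Derive one fake subscriber address per mailing list. The local part is an HMAC tag,
    so someone who only sees a list cannot forge a 'leak' for a list they do not hold."""
    tag = hmac.new(secret, list_name.encode(), hashlib.sha256).hexdigest()[:16]
    return f"news.{tag}@{domain}"


def identify_leak(recipient, known_lists, secret=SECRET, domain=DOMAIN):
    """Map a recipient address seen on inbound mail back to the list it was planted in."""
    local, _, dom = recipient.strip().lower().rpartition("@")
    if dom != domain:
        return None
    for name in known_lists:
        expected = make_honeytoken(name, secret, domain).split("@")[0]
        if hmac.compare_digest(local.encode(), expected.encode()):
            return name
    return None


def detect_leaks(inbound_recipients, known_lists):
    """Count honeytoken hits per list over a batch of inbound recipient addresses.
    Any hit means that list left the organisation, whatever the sender intended."""
    hits = {}
    for rcpt in inbound_recipients:
        name = identify_leak(rcpt, known_lists)
        if name is not None:
            hits[name] = hits.get(name, 0) + 1
    return hits


# Constructed inbound mail log: real users plus one planted address that received spam
KNOWN_LISTS = ["customers-2024", "partners", "press"]
INBOUND = [
    "alice@example.com",
    make_honeytoken("partners"),
    "bob@example.com",
    make_honeytoken("partners").upper(),     # matching is case-insensitive
    "news.0000000000000000@example.com",     # looks like a token but was never issued
]
```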

Page 24: HoneyMonkey
HoneyMonkey,
◦ short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot.
The implementation uses a network of computers
◦ to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer.
◦ A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site.
◦ After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot.
◦ The changes are analyzed to determine whether the visited site installed malware onto the honeypot computer.
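An added example, not Microsoft's code, of the snapshot-and-compare step described above. The file and registry states are passed in as constructed dictionaries, and the watched locations (System folder, hosts file, Run key) are assumptions taken from the signs of compromise the botnet slides list later.

```python
import hashlib

# Watched locations (assumed): drive-by installs typically drop an executable into the
# System folder, edit the hosts file, or add an autostart value under a Run key.
SYSTEM_DIR = "c:/windows/system32/"
RUN_KEY = "hklm/software/microsoft/windows/currentversion/run/"


def snapshot(state):
    """Reduce {"files": {path: bytes}, "registry": {key: value}} to hashes for comparison.
    A real HoneyMonkey walks disk, registry and memory; here the state is passed in."""
    return {"files": {p.lower(): hashlib.sha256(b).hexdigest() for p, b in state["files"].items()},
            "registry": {k.lower(): v for k, v in state["registry"].items()}}


def diff_snapshots(before, after):
    """Added, removed and modified entries per section: exactly what the visit changed."""
    report = {}
    for section in ("files", "registry"):
        b, a = before[section], after[section]
        report[section] = {"added": sorted(set(a) - set(b)),
                           "removed": sorted(set(b) - set(a)),
                           "modified": sorted(k for k in set(a) & set(b) if a[k] != b[k])}
    return report


def verdict(report):
    """List the reasons the visited site is judged to have installed something."""
    reasons = []
    for path in report["files"]["added"]:
        if path.startswith(SYSTEM_DIR) and path.endswith(".exe"):
            reasons.append("new executable in System folder: " + path)
    if SYSTEM_DIR + "drivers/etc/hosts" in report["files"]["modified"]:
        reasons.append("hosts file modified")
    for key in report["registry"]["added"] + report["registry"]["modified"]:
        if key.startswith(RUN_KEY):
            reasons.append("autostart entry changed: " + key)
    return reasons


# Constructed machine states before and after one crawled site was visited
BEFORE = {"files": {"C:/Windows/System32/kernel32.dll": b"k32",
                    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n"},
          "registry": {RUN_KEY + "ctfmon": "ctfmon.exe"}}
AFTER = {"files": {"C:/Windows/System32/kernel32.dll": b"k32",
                   "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n127.0.0.1 liveupdate.symantec.com\n",
                   "C:/Windows/System32/sysmgr.exe": b"MZ..."},
         "registry": {RUN_KEY + "ctfmon": "ctfmon.exe", RUN_KEY + "sysmgr": "sysmgr.exe"}}


def analyze_visit(before=BEFORE, after=AFTER):
    """Snapshot both states, diff them and return the verdict reasons ([] means clean)."""
    return verdict(diff_snapshots(snapshot(before), snapshot(after)))
```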

Page 25: HoneyMonkey
HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it.
The term was coined by Microsoft Research in 2005.
With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.

Page 26: Tarpit
A tarpit (also known as Teergrube, the German word for tarpit) is a service on a computer system (usually a server) that delays incoming connections for as long as possible.
The technique was developed as a defense against a computer worm, and the idea is that network abuses such as spamming or broad scanning are less effective if they take too long.
The name is analogous with a tar pit, in which animals can get bogged down and slowly sink under the surface.

Page 27: Botnets
by Mohammad M. Masud

Page 28: Botnets
Introduction
History
How do they spread?
What do they do?
Why care about them?
Detection and Prevention

Page 29: Bot
The term 'bot' comes from 'robot'.
In the computing paradigm, 'bot' usually refers to an automated process.
There are good bots and bad bots.
Examples of good bots:
◦ Google bot
◦ Game bot
Example of bad bots:
◦ Malicious software that steals information

Page 30: Botnet
A network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster).
(diagram: botmaster, IRC server and IRC channel carrying C&C traffic, code server supplying updates, vulnerable machines being attacked and joining the botnet)

Page 31: History
In the beginning, there were only good bots.
◦ ex: Google bot, game bot etc.
Later, bad people thought of creating bad bots so that they may
◦ Send spam and phishing emails
◦ Control others' PCs
◦ Launch attacks on servers (DDoS)
Many malicious bots were created
◦ SDBot/Agobot/Phatbot etc.
Botnets started to emerge.

Page 32: Timeline
Year axis on the slide: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, present. Milestones shown, in chronological order:
◦ GM (by Greg, Operator): recognized as the first IRC bot; entertained clients with games.
◦ W32/PrettyPark: first worm to use IRC as C&C; DDoS capable.
◦ GT bots: combined the mIRC client with hacking scripts and tools (port scanning, DDoS).
◦ W32/Sdbot: first family of bots developed as a single binary; written by a Russian named sd.
◦ W32/Agobot bot family: added modular design and significant functionality.
◦ W32/Spybot family emerged.
◦ RPCSS
◦ W32/Mytob hybrid bot: major e-mail outbreak.

Page 33: Cases in the news
Axel Gembe
◦ Author of Agobot (aka Gaobot, Polybot)
◦ 21 yrs old
◦ Arrested in Germany in 2004 under Germany's computer sabotage law
Jeffrey Parson
◦ Released a variation of the Blaster worm
◦ Infected 48,000 computers worldwide
◦ 18 yrs old
◦ Arrested, sentenced to 18 months & 3 yrs of supervised release

Pages 34 to 37: How The Botnet Grows
(four diagram slides, no text)

Page 38: Recruiting New Machines
Exploit a vulnerability to execute a short program (the exploit) on the victim's machine
◦ Buffer overflows, email viruses, Trojans etc.
The exploit downloads and installs the actual bot.
The bot disables firewall and A/V software.
The bot locates the IRC server, connects, and joins.
◦ Typically needs DNS to find out the server's IP address
◦ Authentication password often stored in the bot binary
The botmaster issues commands.

Page 39: Recruiting New Machines
(diagram)

Page 40: What Is It Used For
Botnets are mainly used for only one thing

Page 41: How Are They Used
Distributed Denial of Service (DDoS) attacks
Sending spam
Phishing (fake websites)
Adware (Trojan horse)
Spyware (keylogging, information harvesting)
Storing pirated materials

Page 42: Example: SDBot
Open-source malware
Aliases
◦ McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
Infection
◦ Mostly through network shares
◦ Tries to connect using password guessing (exploits weak passwords)
Signs of compromise
◦ SDBot copies itself to the System folder; known filenames: Aim95.exe, Syscfg32.exe etc.
◦ Registry entries modified
◦ Unexpected traffic: port 6667 or 7000
◦ Known IRC channels: Zxcvbnmas.i989.net etc.

Page 43: Example: RBot
First of the bot families to use encryption
Aliases
◦ McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
Infection
◦ Network shares, exploiting weak passwords
◦ Known software vulnerabilities in Windows (e.g., the LSASS buffer overflow vulnerability)
Signs of compromise
◦ Copies itself to the System folder; known filenames: wuamgrd.exe, or random names
◦ Registry entries modified
◦ Terminates A/V processes
◦ Unexpected traffic: port 113 or other open ports

Page 44: Example: Agobot
Modular functionality
◦ Rather than infecting a system all at once, it proceeds through three stages (3 modules): infect a client with the bot and open a backdoor; shut down A/V tools; block access to A/V and security-related sites.
◦ After successful completion of one stage, the code for the next stage is downloaded.
Advantage?
◦ The developer can update or modify one portion/module without having to rewrite or recompile the entire code.

Page 45: Example: Agobot
Aliases
◦ McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
Infection
◦ Network shares, password guessing
◦ P2P systems: Kazaa etc.
◦ Protocol: WASTE
Signs of compromise
◦ System folder: svshost.exe, sysmgr.exe etc.
◦ Registry entries modified
◦ Terminates A/V processes
◦ Modifies the %System%\drivers\etc\hosts file: Symantec/McAfee live update sites are redirected to 127.0.0.1

Page 46: Example: Agobot
Signs of compromise (contd.)
◦ Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS" etc.
◦ Unexpected traffic: open ports to IRC server etc.
◦ Scanning: Windows, SQL Server etc.

Page 47: DDoS Attack
Goal: overwhelm the victim machine and deny service to its legitimate clients.
DoS often exploits networking protocols
◦ Smurf: ICMP echo request to a broadcast address with the spoofed victim's address as source
◦ Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
◦ SYN flood: "open TCP connection" requests from a spoofed address
◦ UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets

Page 48: DDoS attack
Coordinated attack on a specified host.
(diagram: attacker, master (IRC server) machines, zombie machines, victim)

Page 49: Why DDoS attack?
Extortion
◦ Take down systems until they pay
◦ Works sometimes too!
Example: 180 Solutions, Aug 2005
◦ Botmaster used bots to distribute 180solutions adware
◦ 180solutions shut down the botmaster
◦ Botmaster threatened to take down 180solutions if not paid
◦ When not paid, the botmaster used DDoS
◦ 180Solutions filed a civil lawsuit against the hackers

Page 50: Botnet Detection
Host based
Intrusion Detection Systems (IDS)
Anomaly detection
IRC nicknames
HoneyPot and HoneyNet

Page 51: Host-based detection
Virus scanning
Watching for symptoms
◦ Modification of the Windows hosts file
◦ Random unexplained popups
◦ Machine slowness
◦ Antivirus not working
Watching for suspicious network traffic
◦ Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic.
◦ Check if the host is trying to communicate with any Command and Control (C&C) center
◦ Through firewall logs, denied connections
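An added example (not from the slides) of the hosts-file check in the symptom list above; it also covers the Agobot behaviour of redirecting vendor update sites to 127.0.0.1 from Page 45. The hosts file content and the vendor watch-list are constructed assumptions.

```python
# Constructed hosts file resembling what a bot leaves behind after sinkholing vendor sites
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com   # added by the bot
127.0.0.1       update.symantec.com
127.0.0.1       download.mcafee.com  rads.mcafee.com
0.0.0.0         www.sophos.com
192.168.1.10    intranet.example.com
"""

# Domains whose update/definition sites a bot would want to silence (assumed watch-list)
WATCHED_SUFFIXES = ("symantec.com", "mcafee.com", "sophos.com", "windowsupdate.com", "microsoft.com")
# Addresses that make a name unreachable
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, tolerating comments, blank lines and several names per line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def _watched(name, suffixes):
    # Match the domain itself or any subdomain, but not e.g. "notsymantec.com"
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_sinkholed(text, suffixes=WATCHED_SUFFIXES, sinkholes=SINKHOLE_IPS):
    """Return (hostname, ip) entries that point a watched domain at a dead address."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue                      # the one loopback mapping that belongs there
        if ip in sinkholes and _watched(name, suffixes):
            findings.append((name, ip))
    return findings


def hosts_file_tampered(text):
    return bool(find_sinkholed(text))


if __name__ == "__main__":
    for host, ip in find_sinkholed(SAMPLE_HOSTS):
        print(f"{host} -> {ip}")
```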

Page 52: Network Intrusion Detection Systems
Example systems: Snort and Bro
Sniff network packets, looking for specific patterns (called signatures)
If any pattern matches that of a malicious binary, then block that traffic and raise an alert
These systems can efficiently detect viruses/worms having known signatures
Can't detect any malware whose signature is unknown (i.e., a zero-day attack)

Page 53: Anomaly Detection
Normal traffic has some patterns
◦ Bandwidth/port usage
◦ Byte-level characteristics (histograms)
◦ Protocol analysis: gather statistics about TCP/UDP source and destination addresses; start/end of flow, byte count; DNS lookups
First learn the normal traffic pattern
Then detect any anomaly in that pattern
Example systems: SNMP, NetFlow
Problems: poisoning, stealth
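An added example (not from the slides) of the learn-then-detect approach over NetFlow-style records, including the poisoning problem the slide names: if the bot was already talking while the baseline was learned, its traffic becomes "normal". The records, ports and byte totals are constructed.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records for one workstation: (day, destination port, bytes).
# Five days of ordinary web and DNS traffic form the training set.
TRAINING = [
    (1, 80, 600), (1, 443, 350), (1, 53, 50),
    (2, 80, 700), (2, 443, 350), (2, 53, 50),
    (3, 80, 500), (3, 443, 350), (3, 53, 50),
    (4, 80, 650), (4, 443, 350), (4, 53, 50),
    (5, 80, 550), (5, 443, 350), (5, 53, 50),
]
# Day six: the usual traffic plus a new talker on the IRC port
NEW_DAY = [(6, 80, 600), (6, 443, 500), (6, 6667, 120), (6, 6667, 80)]


def baseline(flows):
    """Learn the normal pattern: which destination ports the host uses, and the mean and
    spread of its daily byte total."""
    per_day, ports = defaultdict(int), set()
    for day, port, nbytes in flows:
        per_day[day] += nbytes
        ports.add(port)
    totals = list(per_day.values())
    return {"ports": ports, "mean": statistics.mean(totals), "stdev": statistics.pstdev(totals)}


def score_day(flows, profile, k=3.0):
    """Compare one day against the profile: never-seen ports and a byte total more than
    k standard deviations above the mean are reported as anomalies."""
    total = sum(nbytes for _day, _port, nbytes in flows)
    unseen = sorted({port for _day, port, _n in flows if port not in profile["ports"]})
    threshold = profile["mean"] + k * profile["stdev"]
    return {
        "unseen_ports": unseen,
        "bytes": total,
        "threshold": round(threshold, 1),
        "byte_anomaly": total > threshold,
    }


if __name__ == "__main__":
    print("clean baseline:", score_day(NEW_DAY, baseline(TRAINING)))
    # Poisoning: the same day scored against a baseline that already contained it
    print("poisoned baseline:", score_day(NEW_DAY, baseline(TRAINING + NEW_DAY)))
```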

Page 54: IRC Nicknames
Bots use weird nicknames
But they have a certain pattern (really!)
If we can learn that pattern, we can detect bots & botnets
Example nicknames:
◦ USA|016887436 or DE|028509327: Country | Random number (9 digits)
◦ RBOT|XP|48124: Bot type | Machine type | Random number
Problem: may be defeated by changing the nickname randomly
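An added example, not from the slides, of learning the nickname pattern described above; it goes one step beyond the two fixed templates by clustering nicks on their shape, which also catches a family the regexes do not know. The channel member list is constructed.

```python
import re
from collections import Counter, defaultdict

# The two templates shown on the slide: "Country|9-digit number" and "BotType|MachineType|number"
KNOWN_PATTERNS = {
    "country|9digits": re.compile(r"^[A-Z]{2,3}\|\d{9}$"),
    "bottype|os|number": re.compile(r"^[A-Z]*BOT\|(?:XP|2K|NT|9X|ME|2003)\|\d+$", re.IGNORECASE),
}


def match_known(nick):
    for label, rx in KNOWN_PATTERNS.items():
        if rx.match(nick):
            return label
    return None


def template(nick):
    """Collapse a nick to its shape: runs of digits -> 9, uppercase -> A, lowercase -> a.
    USA|016887436 and DE|028509327 both become A|9, so the shape survives a changed value."""
    return re.sub(r"[a-z]+", "a", re.sub(r"[A-Z]+", "A", re.sub(r"\d+", "9", nick)))


def find_bot_nicks(nicks, min_cluster=3):
    """Flag nicks matching a known bot template, plus any shape shared by at least
    `min_cluster` nicks in the same channel: humans rarely pick identically structured names."""
    shapes = Counter(template(n) for n in nicks)
    clustered = {s for s, c in shapes.items() if c >= min_cluster}
    flagged = defaultdict(list)
    for n in nicks:
        label = match_known(n)
        if label:
            flagged[label].append(n)
        elif template(n) in clustered:
            flagged["cluster:" + template(n)].append(n)
    return dict(flagged)


# Constructed channel member list: two known families, one unknown family, a few ordinary users
CHANNEL = ["USA|016887436", "DE|028509327", "FR|112233445",
           "RBOT|XP|48124", "RBOT|XP|90001", "SDBOT|2K|7781",
           "alice", "bob_42", "XX-20481", "YY-77777", "ZZ-31337"]
```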

Page 55: HoneyPot and HoneyNet
A honeypot is a vulnerable machine, ready to be attacked
Example: unpatched Windows 2000 or Windows XP
Once attacked, the malware is caught inside
The malware is analyzed, its activity is monitored
When it connects to the C&C server, the server's identity is revealed

Page 56: HoneyPot and HoneyNet
Thus much information about the bot is obtained
◦ C&C server address, master commands
◦ Channel, nickname, password
Now do the following:
◦ Make a fake bot join the same IRC channel with the same nickname/password
◦ Monitor who else is in the channel, thus observing the botnet
◦ Collect statistics: how many bots
◦ Collect sensitive information: who is being attacked, when etc.

Page 57: HoneyPot and HoneyNet
Finally, take down the botnet
HoneyNet: a network of honeypots (see the 'HoneyNet Project')
Very effective, worked in many cases
They also pose a great security risk
◦ If not maintained properly, a hacker may use them to attack others
◦ Must be monitored cautiously