Status Report: May 2006 -- April 2007
DEPLOYMENTS
Current honeynet deployed
Currently we have one honeynet deployed with a topology comprised of:
- One administrative network comprised of three machines: one
operating in bridge-mode running pf and capturing all incoming
and outgoing traffic; one capturing all the traffic in the
Honeynet; and a machine dedicated to forensics.
- The honeynet itself, composed of several machines running
different operating systems and services. The following i386
systems were deployed in our honeynet in the past months:
- 1 Windows 2000 Pro (pt-BR)
- 1 Windows XP Professional (en)
- 1 Windows XP Professional (pt-BR)
- 2 Linux Slackware 11.0
Current Status of the Brazilian Honeypots Alliance -- Distributed Honeypots Project
The Honeynet.BR team has been deeply involved in the maintenance and
expansion of the Brazilian Honeypots
Alliance -- a network comprised of distributed low-interaction
honeypots (Honeyd), deployed in academic, commercial, governmental and
military institutions.
The objective of this project is to increase the capacity of incident
detection, event correlation and trend analysis in the Brazilian
Internet space.
Since April 2006 several new partner institutions have joined the
alliance:
- PoP-PR -- Paraná State Point of Presence of the Brazilian Research Network;
- UFPA -- Federal University of Pará;
- UOL -- Universo OnLine Service Provider;
- PUCPR -- Paraná Catholic University;
- Unisinos -- University of Vale do Rio dos Sinos.
Currently we have 36 partner institutions in the project, and new
prospective ones are in the final phase of deployment.
New Project: SpamPots
The objective of the SpamPots Project is to measure the abuse of
end-user machines to send spam. This project is conducted by CERT.br
and sponsored by NIC.br, the executive branch of the Brazilian Internet
Steering Committee.
In this project we are using 10 low-interaction honeypots, placed in 5
different broadband/cable providers, to collect data about the use of
home computers with broadband connectivity as part of the spam
infrastructure. The architecture of the project, as well as the
preliminary data that have already been collected and analyzed, will
be released publicly in two presentations in May 2007:
- AusCERT Asia Pacific Information Technology Security Conference,
May 23, 2007, Gold Coast, Australia.
- LACNIC X Network Security Forum, May 23, 2007, Isla Margarita,
Venezuela.
As part of this project we are working on better ways to collect and
correlate data seen in different networks and, together with a
Brazilian Federal University, developing new data mining algorithms to
process spam.
FINDINGS
Number and type of systems compromised
We had 3 machines compromised:
- 1 Windows 2000 Pro (pt-BR)
- Compromised by an attack similar to the one performed by the
Sasser worm
- 2 Linux Slackware 11.0
- Compromised by SSH brute force
Trends seen in the past months
In the past few months we have seen that the number of brute force
attacks against SSH servers has remained steady, as has bot
activity. Scanning for open proxies (SOCKS) was very high on the
low-interaction honeypots of the Brazilian Honeypots Alliance.
Daily and weekly statistics are publicly available at our website:
http://www.honeypots-alliance.org.br/stats/
The Slackware high-interaction honeypots were compromised by SSH
brute force attacks (the dictionary used by the attackers has been
captured). The Windows 2000 honeypot was compromised through a
vulnerability similar to the one exploited by the Sasser worm.
The intruders installed IRC clients on the Windows 2000 honeypot and
on one of the compromised Linux honeypots. Once compromised, both
honeypots joined a botnet.
As soon as we redeployed the honeypots, the attackers quickly
installed their botclient on them, the same way they did the first
time.
MISC ACTIVITIES
Presenting at conferences and giving workshops
English
- Honeypots Workshop, presented at Q-CERT, Doha, Qatar,
Cristine Hoepers and Klaus Steding-Jessen, April, 2007.
This was a 2-day hands-on workshop with 14 attendees from the
Middle East region. The attendees were from Qatar Telecom,
CISCO Qatar and Q-CERT, the National CERT for Qatar, which is
also fostering the creation of other CSIRTs in the region and
plans to start deploying honeypots soon.
[PDF presentation]
- The Brazilian Honeypots Alliance, presented at FIRST
Technical Colloquium, Doha, Qatar, Cristine Hoepers and Klaus
Steding-Jessen, April, 2007.
[PDF presentation]
- Distributed Honeypots Network Implementation based on
OpenBSD and Free Software Tools, presented at
fisl8.0 -- 8th International Free Software Forum, Porto
Alegre, Brazil, Marcelo H. P. C. Chaves, April, 2007.
[PDF presentation]
[Portuguese version]
- Honeypots as a Tool to Improve Incident Response Readiness
at USP, presented at Educause Security Professionals
Conference, Denver, Alberto Camili and Isabel Chagas, April,
2007.
[PDF presentation]
- The Brazilian Honeypots Alliance, presented at RIPE 53,
Amsterdam, Netherlands, Marcelo H. P. C. Chaves, October, 2006.
[PDF presentation]
- Distributed Honeypots Project: How It's Being Useful for
CERT.br, presented at the Collaboration Meeting for CSIRTs
with National Responsibility, Pittsburgh, PA, Cristine Hoepers
and Klaus Steding-Jessen, July, 2006.
[PDF presentation]
Portuguese
- Implementação de uma Rede de Honeypots Distribuídos
Utilizando OpenBSD e Ferramentas de Software Livre (Distributed
Honeypots Network Implementation based on OpenBSD and Free
Software Tools), Marcelo H. P. C. Chaves, fisl8.0 -- 8° Fórum
Internacional Software Livre, Porto Alegre, April 2007.
[PDF presentation]
[English version]
Tools under development
- Still working on improvements to the public statistics. The
current public statistics are generated from flows of malicious
activity over 24-hour periods. We are currently working on the
generation of new public statistics, from shorter periods and
with more detailed information about ports and trends observed.
The work is progressing slower than planned because we need to
overcome difficulties regarding the bandwidth and disk space
limitations of partners' honeypots, among others.
- The work on our Honeyd listener that emulates the SOCKS 4/5
protocol, to be used as a spamtrap, has evolved a lot during this
period of testing in the SpamPots Project. As soon as it is
ready for release it will be posted on the website.
- We have developed a graphical visualization tool for all events
monitored on the honeynet, based on a timeline diagram. The
analyst can interact with the diagram through a web interface,
refining the data for analysis.
- A type of honeyclient has been developed to harvest malicious
binaries. Using this system we merged the malware previously
gathered through forensics on compromised honeypots with the
malware actively gathered by the honeyclient, producing a
repository with thousands of binaries.
- Methods for botnet protocol identification and study have been
developed and will be published soon.
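To make concrete what the SOCKS 4/5 emulation in the spamtrap listener has to do (and what the open-proxy scans mentioned under Findings are looking for), here is an added example, written for this report and not the team's Honeyd listener: it decodes the SOCKS4, SOCKS4a and SOCKS5 CONNECT requests a spam bot sends to a proxy, flags the ones aimed at a mail port, and builds the "request granted" reply an emulated proxy returns so that the client continues with the SMTP dialogue the honeypot records. The sample requests and the destinations 192.0.2.10 and mx.example.net are constructed, not captured traffic.

```python
import socket
import struct
# Constructed sample requests (not captured traffic): what a spam bot sends to
# an open SOCKS proxy when asking it to connect to a mail server on port 25.
SOCKS4_REQ = b"\x04\x01" + struct.pack(">H", 25) + socket.inet_aton("192.0.2.10") + b"bot\x00"
SOCKS4A_REQ = b"\x04\x01" + struct.pack(">H", 25) + b"\x00\x00\x00\x01bot\x00mx.example.net\x00"
SOCKS5_REQ = b"\x05\x01\x00\x03\x0e" + b"mx.example.net" + struct.pack(">H", 25)

def parse_socks_request(data):
    """Decode a SOCKS4/4a request, or a SOCKS5 request sent after method negotiation."""
    if len(data) < 8:
        raise ValueError("truncated request")
    ver, cmd = data[0], data[1]
    if ver == 4:
        # SOCKS4: VN CD DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL for 4a]
        port = struct.unpack(">H", data[2:4])[0]
        ip = data[4:8]
        end = data.index(b"\x00", 8)              # ValueError if USERID unterminated
        userid = data[8:end].decode("latin-1")
        host = socket.inet_ntoa(ip)
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            # SOCKS4a flags an unresolved name with DSTIP 0.0.0.x (x != 0)
            host = data[end + 1:data.index(b"\x00", end + 1)].decode("latin-1")
        return {"version": 4, "command": cmd, "host": host, "port": port, "userid": userid}
    if ver == 5:
        # SOCKS5: VER CMD RSV ATYP DST.ADDR DST.PORT(2)
        atyp = data[3]
        if atyp == 1:
            host, rest = socket.inet_ntoa(data[4:8]), data[8:]
        elif atyp == 3:
            n = data[4]
            host, rest = data[5:5 + n].decode("latin-1"), data[5 + n:]
        elif atyp == 4:
            host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
        else:
            raise ValueError("unknown SOCKS5 address type %d" % atyp)
        if len(rest) < 2:
            raise ValueError("truncated SOCKS5 request")
        return {"version": 5, "command": cmd, "host": host,
                "port": struct.unpack(">H", rest[:2])[0], "userid": ""}
    raise ValueError("not a SOCKS request (first byte %d)" % ver)

def is_mail_relay_attempt(req):
    """True when the client asked the 'proxy' to CONNECT to a mail port."""
    return req["command"] == 1 and req["port"] in (25, 465, 587)

def granted_reply(version):
    """Reply an emulated open proxy sends so the client goes on with SMTP; nothing is relayed."""
    if version == 4:
        return b"\x00\x5a" + b"\x00" * 6      # VN=0, CD=0x5a request granted
    return b"\x05\x00\x00\x01" + b"\x00" * 6  # VER=5, REP=0 succeeded, ATYP=IPv4
```

In a listener the honeypot would read the request, answer with granted_reply() and then speak SMTP itself, logging the destination, userid and message instead of relaying them.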
Other
- Data usage in incident handling
The data collected by these honeypots are being used by CERT.br to
notify network administrators whose networks are involved in
malicious activities.
- We have been using and testing Honeymole and Honeywall
according to our needs.
LESSONS LEARNED
Most of the activities are continuously being conducted by automated
bots/worms or spammers looking for open proxies.
FUTURE GOALS
In the next months we intend to focus our work on these tasks:
- Improve the statistics of the Brazilian Honeypots Alliance --
Distributed Honeypots Project;
- Continuously expand the network of
distributed honeypots, gathering new partners and covering
a larger portion of the Brazilian Internet address space;
- Consider joining the GDH initiative in the next 6 months;
- Publish a report about the findings of the SpamPots Project.