
Status Report: January -- August 2004


DEPLOYMENTS

Current technologies deployed

Last January we deployed a second honeynet, running in a different address space from the first.

Both honeynets use the same topology, comprised of:

  • One administrative network comprised of three machines: one operating in bridge mode, running pf and capturing all incoming and outgoing traffic; one capturing all the traffic inside the honeynet; and a machine dedicated to forensics.

  • The honeynet itself, composed of several machines running different operating systems and services. The following i386 systems were deployed in our honeynets in the past months:

    • 2 OpenBSD 3.4
    • 3 Linux Red Hat 7.2
    • 1 Linux Fedora Core 1
    • 3 Win 2000 Server en
    • 1 Win 2000 Pro pt-BR
    • 1 Win 2000 Advanced Server

Positive aspects of the technology applied

We see the use of OpenBSD-based technology for data control as a very positive thing. By testing and developing tools and procedures for data control on OpenBSD, we are contributing to the heterogeneity of honeynet technologies.

Improvements needed in the technology

  • Honeynet technology lacks good ways to sanitize data. This is very important to allow proper sharing of information between the organizations that are deploying honeynets around the world.

    Sanitization of data is especially important for organizations that are not able to change the honeynet's address space frequently, and therefore need to keep this network anonymous for as long as possible. Sanitization is also very important to allow the exchange of data obtained from high-value honeynets, since these data can carry sensitive information.

  • With the increase in scam-related activity (see the Findings section below), it may be necessary to research new methods of data control for cases where intruders attempt to host fraudulent websites in a honeynet.

  • There should be improvements in the release of documentation and tools for data control in honeynets based on technologies other than Linux.

FINDINGS

Number and type of systems compromised

We had four machines compromised:

  • 3 Linux Red Hat 7.2 machines compromised several times over the period. The following vulnerabilities were exploited:
    • The Apache/SSL vulnerability
    • wu-ftpd vulnerability
  • 1 Windows 2000 Server
    • Compromised by the Blaster worm

Trends seen in the past months

In the past few months we have seen an increase in the number of compromises related to phishing and carding activities.

These activities involved attempts to use the honeynets to send mass mailings related to phishing, and also attempts to use the honeynets as hosting sites for phony financial websites.

MISC ACTIVITIES

Presenting at conferences

English

Portuguese

  • Honeypots e Honeynets: Contra-inteligência no Ciberespaço, Antonio Montes, Workshop de Segurança da Informação DT-ABIN/CPqD, Brasília, June 2004.
    [PDF presentation]

  • SMaRT: Resultados da Monitoração de Atividades Hostis em uma Máquina Preparada para ser Comprometida, Luiz Gustavo C. Barbato and Antonio Montes, I WorkComp Sul - Unisul - Universidade do Sul de Santa Catarina, Florianópolis, May 2004.
    [PDF presentation]

  • Procedimentos e Ferramentas para Manutenção de Honeypots de Alta Interatividade, Lucio Henrique Franco and Antonio Montes, I WorkComp Sul - Unisul - Universidade do Sul de Santa Catarina, Florianópolis, May 2004.
    [PDF presentation]

  • Uso de Honeypots de Baixa Interatividade na Resposta a Incidentes de Segurança, NIC BR Security Office -- Brazilian Computer Emergency Response Team, Reunião do GTS (Grupo de Trabalho de Segurança do Comitê Gestor da Internet), São Paulo, April 20, 2004.
    [PDF presentation]

  • Tutorial: Instalação e Uso de Honeypot de Baixa Interatividade, Lucio Henrique Franco, Luiz Gustavo C. Barbato and Antonio Montes, Reunião do GTS (Grupo de Trabalho de Segurança do Comitê Gestor da Internet), São Paulo, April 18, 2004.
    [PDF presentation]

Developing, testing or releasing code

The Honeynet.BR team was involved in the development of the following tools:

  • HOACD -- an implementation of a low-interaction honeypot, based on Honeyd, that runs directly from a CD and stores its logs and configuration files on a hard disk. It is composed of a set of applications defined by the Brazilian Distributed Honeypots Project.

  • honeydsum.pl -- a tool written in Perl designed to generate a text summary from Honeyd logs. The summaries may be produced using different parameters as filters, such as ports, protocols, IP addresses or networks. It shows the top source and port access and the number of connections per hour, and supports input from multiple log files. The script can also correlate events from several honeypots.

  • kuang2.pl -- a Honeyd module that emulates the backdoor installed by the Kuang2 virus. It saves uploaded files and also logs attempts to use Kuang2 backdoor commands, like file download, execution, deletion, etc.

  • mydoom.pl -- a simple Perl script that works with Honeyd to emulate the backdoor installed by the Mydoom virus. It saves uploaded files and also logs attempts to use the Mydoom backdoor proxy capability (socks4).
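As an added illustration of the kind of summary honeydsum.pl produces (this is example code written for this report page, not the Honeynet.BR script itself), the following Python snippet parses Honeyd packet-log lines and reports connections per hour, top sources and top destination ports, with optional protocol and port filters. The log layout assumed here is the Honeyd one-line form `timestamp proto(num) S|E|- src sport dst dport [info]`; the sample lines are constructed, not data from the honeynets.

```python
import re
from collections import Counter

# Honeyd packet-log layout assumed for this example (not taken from the report):
#   YYYY-MM-DD-HH:MM:SS.mmm proto(num) S|E|- src sport dst dport [extra]
# S = connection start, E = connection end (with byte counts), - = stateless packet.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>[a-z]+)\(\d+\)\s+(?P<kind>[SE-])\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
)

# Constructed sample log (RFC 5737 documentation addresses), not real honeynet data.
SAMPLE_LOG = """\
2004-03-01-10:02:11.123 tcp(6) S 192.0.2.10 3456 198.51.100.5 80 [Windows XP]
2004-03-01-10:02:15.456 tcp(6) E 192.0.2.10 3456 198.51.100.5 80: 120 512
2004-03-01-10:17:03.001 tcp(6) S 192.0.2.10 3457 198.51.100.6 21
2004-03-01-11:40:09.900 tcp(6) S 203.0.113.7 1025 198.51.100.5 135
2004-03-01-11:41:00.010 udp(17) S 203.0.113.7 1026 198.51.100.5 137
2004-03-01-11:59:59.999 tcp(6) S 203.0.113.8 2222 198.51.100.9 21
this line is garbage and must be skipped
"""

def parse_connections(text, proto=None, dport=None):
    """Yield one record per connection start (S or -), skipping E lines and junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("kind") == "E":
            continue  # malformed line or connection-end record: not a new connection
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        if proto and rec["proto"] != proto:
            continue
        if dport and rec["dport"] != dport:
            continue
        yield rec

def summarize(text, proto=None, dport=None, top=3):
    """Return totals, top sources, top (proto, port) pairs and per-hour counts."""
    conns = list(parse_connections(text, proto, dport))
    by_hour = Counter(c["ts"][:13] for c in conns)  # key = YYYY-MM-DD-HH
    return {
        "total": len(conns),
        "top_sources": Counter(c["src"] for c in conns).most_common(top),
        "top_ports": Counter((c["proto"], c["dport"]) for c in conns).most_common(top),
        "per_hour": sorted(by_hour.items()),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding several honeypots' logs concatenated into `summarize` gives the cross-honeypot view the report mentions; extending the filter to source networks is a one-line addition to `parse_connections`.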

Publication of papers

Portuguese

  • SMaRT: Resultados da Monitoração de Atividades Hostis em uma Máquina Preparada para ser Comprometida, Luiz Gustavo C. Barbato and Antonio Montes, I WorkComp Sul - Unisul - Universidade do Sul de Santa Catarina, Florianópolis, May 2004.
    [PDF] [Abstract] [Resumo] [BibTeX] [PDF presentation]

  • Procedimentos e Ferramentas para Manutenção de Honeypots de Alta Interatividade, Lucio Henrique Franco and Antonio Montes, I WorkComp Sul - Unisul - Universidade do Sul de Santa Catarina, Florianópolis, May 2004.
    [PDF] [BibTeX] [PDF presentation]

Other

The Honeynet.BR team has been deeply involved in the maintenance and expansion of the Brazilian Honeypots Alliance. This is a network comprised of distributed low-interaction honeypots (Honeyd), covering a broad part of the Brazilian Internet.

The objective of this project is to increase the capacity of incident detection, event correlation and trend analysis in the Brazilian Internet space.

Currently the data collected in these honeypots is being used by NBSO/Brazilian CERT to notify network administrators whose networks are involved in malicious activities.

LESSONS LEARNED

As we describe in some of our papers, maintaining a honeynet is a time-consuming task, so it is very important to have procedures in place to deploy and maintain the honeypots. This applies especially to procedures for taking images of a honeypot at the moment of deployment and again after a compromise has happened. Other candidates for strict procedures are the recording of intruder activities and the capture of the tools used by the intruders.

With these procedures in place and being followed, it is much easier to maintain the honeynet, to deploy new honeypots, and to remove compromised honeypots from the network when it is decided to do so.

FUTURE GOALS

In the next six months we intend to focus our work on these three major tasks:

  • Deploy a third honeynet, on a yet different address space, but with basically the same topology;
  • Continuously expand the network of distributed honeypots, gathering new partners and covering a larger portion of the Brazilian Internet address space;
  • Work on the correlation between the data gathered in the honeynet and in the network of distributed honeypots.


Honeynet.BR Project
$Id: 2004.html,v 1.3 2008/01/28 20:27:41 jessen Exp $