
Status Report: September 2004 -- March 2005


DEPLOYMENTS

Current honeynets deployed

Currently we have two honeynets, running in different address spaces.

Both honeynets use the same topology, comprised of:

  • One administrative network comprised of three machines: one operating in bridge-mode running pf and capturing all incoming and outgoing traffic; one capturing all the traffic in the Honeynet; and a machine dedicated to forensics.

  • The honeynet itself, composed of several machines running different operating systems and services. The following i386 systems were deployed in our honeynets in the past months:

    • 1 OpenBSD 3.4
    • 1 OpenBSD 3.6
    • 1 FreeBSD 4.7
    • 3 Linux Red Hat 7.2
    • 4 Linux Fedora Core 1
    • 3 Windows 2000 Server (en)
    • 1 Windows XP Professional (pt-BR)
    • 1 Windows XP Professional (en)
    • 1 Windows 2000 Server/Windows 2000 Advanced Server (en)

Current Status of the Brazilian Honeypots Alliance -- Distributed Honeypots Project

The Honeynet.BR team has been deeply involved in the maintenance and expansion of the Brazilian Honeypots Alliance -- a network comprised of distributed low-interaction honeypots (Honeyd), deployed in academic, commercial, governmental and military institutions.

The objective of this project is to increase the capacity of incident detection, event correlation and trend analysis in the Brazilian Internet space.

We recently announced the daily stats page:

      http://www.honeypots-alliance.org.br/stats/flows/all/

These stats are based on network flow data captured on several honeypots deployed on Brazilian networks, as part of the Brazilian Honeypots Alliance.

The following categories are available (bytes/s and packets/s):

  • Top 10 destination TCP ports
  • Top 10 destination UDP ports
  • Top 10 source country codes (according to RIRs allocation data)
  • Top source OS (Windows, non-Windows, etc.)

Currently the data collected in these honeypots is being used by NBSO/Brazilian CERT to notify network administrators whose networks are involved in malicious activities.

FINDINGS

Number and type of systems compromised

We had 5 machines compromised (some of them multiple times):

  • Linux Red Hat 7.2
    • wu-ftpd heap overflow exploit
  • Linux Red Hat 7.2
    • OpenSSL Buffer overflow exploit (twice)
  • Linux Red Hat 7.2, compromised several times
    • wu-ftpd heap overflow exploit
    • OpenSSL Buffer overflow exploit (3 times)
  • Windows 2000 Server (en)
    • compromised by the W32/Rbot-HR
  • Windows 2000 Professional (pt-BR)
    • compromised by a bot (probably rBot/rxBot) using the DCOM RPC vulnerability
    • the bot then used TFTP back to the attacking host to fetch the svhost.exe file
    • the honeypot connected to an IRC server and received the command to start scanning port 445/TCP

Trends seen in the past months

In the past few months we have seen an increase in the number of scans in the following ports:

  • 22/TCP: SSH
  • 42/TCP: Microsoft WINS
  • 1433/TCP: MS-SQL
  • 3306/TCP: MySQL
  • 4899/TCP: Radmin Remote administrator software
  • 6101/TCP: Veritas Backup Exec Name Service
  • 11768/TCP, 15118/TCP: dipnet worm
  • 41523/TCP: CA BrightStor ARCserve Backup

The scan rate for 21/TCP (FTP) and 443/TCP (SSL) remained the same. We have also observed an increase in bot-related activity and in scans for the awstats vulnerability.

MISC ACTIVITIES

Presenting at conferences

Portuguese

  • Técnicas de Ocultação de Tráfego de Rede em Honeypots de Alta Interatividade, Luiz Gustavo C. Barbato and Antonio Montes, Proceedings of the VI Simpósio sobre Segurança em Informática (SSI'2004), São José dos Campos, SP, November 2004.

    [PDF presentation]

Developing, testing or releasing code

The Honeynet.BR team was involved in the development of the following tools:

  • HOACD 1.1 -- new version of our low-interaction honeypot implementation, based on Honeyd, that runs directly from a CD and stores its logs and configuration files on a hard disk. It is composed of a couple of applications defined by the Brazilian Distributed Honeypots Project. This tool will be continuously improved as new versions of the software it uses become available.

  • cmdexe.pl is a Honeyd module that emulates a DOS command prompt. It is useful to emulate a simple Windows "shell" backdoor, as used by many worms nowadays.

  • Some of the Honeyd listeners developed by the Honeynet.BR team (mydoom.pl, kuang2.pl and cmdexe.pl) are now shipped with Honeyd 1.0 (released 2005-01-02), in its scripts contrib directory.

  • Artifacts Database: a database created to store the information produced by the analysis of each artifact, such as description, MD5 and SHA1 hashes, version, operating system, vulnerability exploited, capture date, strings output and creation/last alteration date. The artifacts are divided into categories, like DoS tool, exploit, rootkit, etc. Finally, all this information is available on a web page (at this moment for Honeynet.BR Project members only).
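As an added illustration of what a Honeyd listener such as cmdexe.pl does (this is example code, not the Honeynet.BR module, and it is written in Python rather than Perl): Honeyd starts a service script per connection, hands it the client's bytes on stdin and sends whatever the script prints to stdout back to the client, so the emulator is a read/respond loop that keeps a fake directory tree and logs every command typed into it. The directory tree, banner text and log file name are constructed for this example.

```python
import sys
# Constructed fake directory tree: upper-case path without trailing "\" -> [(name, size or None for <DIR>)]
FAKE_FS = {
    "C:": [("WINNT", None), ("Program Files", None), ("boot.ini", 190)],
    "C:\\WINNT": [("system32", None), ("win.ini", 256)],
    "C:\\WINNT\\SYSTEM32": [("cmd.exe", 236304), ("tftp.exe", 19728)],
}
BANNER = "Microsoft Windows 2000 [Version 5.00.2195]\r\n(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\n"
UNKNOWN = "'%s' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n\r\n"
class CmdEmulator:
    # Per-connection state (current directory) plus an audit log of every line received
    def __init__(self):
        self.cwd, self.log = "C:\\WINNT\\SYSTEM32", []
    def prompt(self):
        return self.cwd + ("\\>" if self.cwd.endswith(":") else ">")
    def handle(self, line):
        # Reply for one input line (None on "exit"); unknown commands get cmd.exe's real wording
        self.log.append(line.rstrip("\r\n"))
        parts = line.strip().split(None, 1) or [""]
        cmd, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if cmd == "exit":
            return None
        if cmd == "cd":                      # supports "..", absolute and relative directories
            target = (self.cwd.rsplit("\\", 1)[0] if arg == ".." else
                      (arg if ":" in arg else self.cwd + "\\" + arg).rstrip("\\").upper())
            if target not in FAKE_FS:
                return "The system cannot find the path specified.\r\n\r\n" + self.prompt()
            self.cwd = target
        elif cmd == "dir":
            rows = ["%s  %s" % ("<DIR>     " if size is None else "%10d" % size, name)
                    for name, size in FAKE_FS[self.cwd]]
            return " Directory of %s\r\n\r\n%s\r\n\r\n%s" % (self.cwd, "\r\n".join(rows), self.prompt())
        elif cmd:
            return UNKNOWN % cmd + self.prompt()
        return "\r\n" + self.prompt()        # empty line or successful cd: just a new prompt

def serve(stdin, stdout, log_path="cmdexe.log"):
    # Honeyd service-script contract: client bytes arrive on stdin, replies go to stdout
    emu = CmdEmulator()
    print(BANNER + emu.prompt(), end="", file=stdout, flush=True)
    for line in stdin:
        reply = emu.handle(line)
        if reply is None:                    # "exit" closes the session like the real shell
            break
        print(reply, end="", file=stdout, flush=True)
    with open(log_path, "a") as fh:          # keep the intruder's transcript for later analysis
        fh.write("\n".join(emu.log) + "\n")

if __name__ == "__main__":
    serve(sys.stdin, sys.stdout)
```

Wired into a Honeyd template as the service script for a TCP port, the transcript appended to cmdexe.log is what later feeds the artifact analysis (which files were fetched, from where, and what was run).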

Tools under development (to be released soon)

  • Honeypot Deployment Script is a shell script designed to deploy a high-interaction honeypot using an ISO image of an operating system. It also includes the processes of erasing the hard disk and creating a new partition.

  • Honeypot Configuration Script is a shell script designed to configure the honeypot after the installation of the operating system. It includes the processes of defining the root password, configuring the network and creating user accounts.

  • MD5 and SHA1 Hash Generation Script is a shell script designed to generate the MD5 and SHA1 hashes of all files in a given directory.

  • Honeypot Cleanup Script is a shell script designed to generate MD5 and SHA1 hashes of some given directories, generate the system's status, clean up all traces and export the generated information to a loghost.

  • High-Interaction Honeypot Deployment CD-ROM is a bootable CD-ROM based on the Slax Linux distribution that includes the four scripts described above to deploy a high-interaction honeypot. The CD-ROM was originally developed to deploy Red Hat Linux honeypots, however it was designed to be used with other distributions and operating systems as well.

  • Operation Monitoring Script is a shell script designed to automate and standardize the process of generating the honeypot's status.

  • Artifact Static Analysis Script is a Perl script designed to ease the static analysis of an artifact. It creates a file containing information about the artifact's compilation, the operating system it was compiled on, the compiler's name and version (if available), and finally relevant strings extracted from the artifact.
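As an added example (not the team's scripts, and in Python rather than shell) of the hashing and comparison the MD5 and SHA1 Hash Generation Script and the Honeypot Cleanup Script perform: a baseline manifest of a directory tree taken after deployment, written one line per file, and a diff of that baseline against a later snapshot that reports files added, removed or altered. The file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """MD5 and SHA1 hex digests of one file (read whole; chunk it for very large binaries)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()

def hash_tree(root):
    """Manifest of every regular file under root: relative path -> (md5, sha1, size)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):   # skip devices and symlinks
                manifest[os.path.relpath(full, root)] = hash_file(full) + (os.path.getsize(full),)
    return manifest

def write_manifest(manifest, out_path):
    """One 'md5  sha1  size  path' line per file, sorted, ready to be shipped to a loghost."""
    with open(out_path, "w") as fh:
        for rel in sorted(manifest):
            fh.write("%s  %s  %d  %s\n" % (manifest[rel] + (rel,)))

def read_manifest(path):
    with open(path) as fh:
        rows = [line.rstrip("\n").split("  ", 3) for line in fh]
    return {rel: (md5, sha1, int(size)) for md5, sha1, size, rel in rows}

def diff_manifests(baseline, current):
    """Paths added, removed or changed between the deployment baseline and a later snapshot."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def demo():
    """Constructed scenario: baseline a tiny tree, then replace one binary and drop a new file."""
    root, manifest_path = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "baseline.txt")
    def put(rel, data):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    os.makedirs(os.path.join(root, "bin"))
    put("bin/ls", b"original ls")
    put("bin/ps", b"original ps")
    write_manifest(hash_tree(root), manifest_path)          # taken right after deployment
    put("bin/ls", b"trojaned ls")                           # same size, different content
    put("bin/.x", b"dropped tool")                          # new artifact left by the intruder
    return diff_manifests(read_manifest(manifest_path), hash_tree(root))
```

Running demo() reports bin/ls as modified (its size is unchanged, so only the hashes reveal the replacement) and bin/.x as added; on a real honeypot the baseline is hashed before the system goes online and kept off the box.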

Publication of papers

English

  • A National Early Warning Capability Based on a Network of Distributed Honeypots, Cristine Hoepers, Klaus Steding-Jessen, Luiz E. R. Cordeiro, Marcelo H. P. C. Chaves, to be presented at the 17th Annual Computer Security Conference, to be held in Singapore, June 26 to July 1, 2005.

  • Honeynet Maintenance Procedures and Tools, Carlos Henrique P C Chaves, Lucio Henrique Franco, Antonio Montes, submitted to the 6th IEEE Information Assurance Workshop, to be held in West Point, June 15 to 17, 2005.

Portuguese

  • Técnicas de Ocultação de Tráfego de Rede em Honeypots de Alta Interatividade, Luiz Gustavo C. Barbato and Antonio Montes, Proceedings of the VI Simpósio sobre Segurança em Informática (SSI'2004), São José dos Campos, SP, November 2004.

    [PDF] [Abstract] [Resumo] [BibTeX] [PDF presentation]

Other

  • Master's Thesis: Development of Methodologies and Tools for Attack Redirection

    This system aims to detect malicious traffic directed to the servers of an organization and to switch it to a mirror of the target system without alerting the attacker. This is done by a system composed of a network-based intrusion detection system (NIDS), a session control system, a honeynet and an integration and control module. The system stores the active session in memory, identifies the malicious traffic through the NIDS and switches it to a honeypot, with no interruption to the hostile session. The system also intends to detect new attacks and trends against other applications installed on the compromised system during the initial attack.

  • The Honeynet.BR team has been involved in the development of the following procedures:

    • Honeypot Deployment
    • Post-Deployment
    • Honeypot Monitoring
    • Honeypot Deactivation

LESSONS LEARNED

If we don't deploy any Red Hat 7.2 in our honeynets, they remain quiet for a long time. Despite the fact that Red Hat 7.2 is an extremely old system, it appears to remain popular among intruders. We think, however, that it is time to move to new technologies like honeyclients and to focus on the latest released systems.

Artifact analysis isn't an easy job. It demands deep knowledge of operating system architecture and design, compilation techniques, reverse engineering and programming. The Artifact Static Analysis Script helps to find the name of the artifact's source code, and a Google search usually finds it. The source can then be compiled and the resulting binary compared with the captured artifact in order to identify it.
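As an added example of the static triage described for the Artifact Static Analysis Script (Python rather than the team's Perl; the sample artifact bytes are constructed for this example): decode the ELF identification bytes, pull the GCC version tag that the compiler leaves in the .comment section, and list the strings that help name the source file or reveal what the artifact does.

```python
import re
import struct

# ELF identification values from the System V ABI (only the ones this triage reports)
ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
ELF_OSABI = {0: "System V", 3: "GNU/Linux", 6: "Solaris", 9: "FreeBSD", 12: "OpenBSD"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
ELF_MACHINE = {2: "SPARC", 3: "i386", 8: "MIPS", 62: "x86-64"}

def elf_header(data):
    """Decode e_ident plus e_type/e_machine; None if the artifact is not an ELF file."""
    if data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {"class": ELF_CLASS.get(data[4], "?"), "data": ELF_DATA.get(data[5], "?"),
            "osabi": ELF_OSABI.get(data[7], "unknown(%d)" % data[7]),
            "type": ELF_TYPE.get(e_type, "?"), "machine": ELF_MACHINE.get(e_machine, "?")}

def printable_strings(data, min_len=4):
    """Same idea as strings(1): runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    """Header facts, the GCC version tag (from the .comment section) and strings worth a look."""
    strings = printable_strings(data)
    return {"header": elf_header(data),
            "compiler": next((s for s in strings if s.startswith("GCC: ")), None),
            "source_files": sorted({m for s in strings for m in re.findall(r"[\w.-]+\.c\b", s)}),
            "notable": [s for s in strings if re.search(r"https?://|/bin/sh|PRIVMSG|NICK ", s)]}

def sample_artifact():
    """Constructed stand-in for a captured binary: a 32-bit i386 Linux ELF header followed by
    the kind of strings a real artifact carries (compiler tag, source name, IRC command)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)       # ELF32, LE, version 1, OSABI SysV
    header = e_ident + struct.pack("<HH", 2, 3) + bytes(44)      # e_type=EXEC, e_machine=i386
    tail = b"\0".join([b"GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.2)", b"sample-tool.c", b"/bin/sh",
                       b"PRIVMSG %s :scan started", b"http://example.invalid/svhost.exe"])
    return header + tail + b"\0"

if __name__ == "__main__":
    for key, value in triage(sample_artifact()).items():
        print("%-13s %s" % (key, value))
```

The compiler tag gives the toolchain and usually the distribution it was built on, while a source name such as sample-tool.c is the search term that leads to the original code for the compile-and-compare step.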

FUTURE GOALS

In the next six months we intend to focus our work on these tasks:

  • Improve the statistics of the Brazilian Honeypots Alliance -- Distributed Honeypots Project;
  • Deploy a third honeynet in yet another address space, but with basically the same topology;
  • Continuously expand the network of distributed honeypots, gathering new partners and covering a larger portion of the Brazilian Internet address space;
  • Work on the correlation between the data gathered in the honeynet and in the network of distributed honeypots;
  • Design and implement a new version of honeydsum.pl to include new graphics and filter methods;
  • Design and implement a new version of the High-Interaction Honeypot Deployment CD-ROM to deal with honeypots of other Linux distributions and other operating systems;
  • Deploy Solaris and Kurumin Linux honeypots in Honeynet.BR Project honeynets.


$Id: 2005-1.html,v 1.3 2008/01/28 20:27:41 jessen Exp $