
Status Report: April 2005 -- October 2005


DEPLOYMENTS

Current honeynets deployed

Currently we have two honeynets, running in different address spaces.

Both honeynets use the same topology, comprised of:

  • One administrative network comprised of three machines: one operating in bridge mode, running pf and filtering all incoming and outgoing traffic; one capturing all the traffic in the honeynet; and a machine dedicated to forensics.

  • The honeynet itself, composed of several machines running different operating systems and services. The following i386 systems were deployed in our honeynets in the past months:

    • 1 OpenBSD 3.4
    • 1 OpenBSD 3.6
    • 1 FreeBSD 4.7
    • 1 Linux Red Hat 7.2
    • 2 Linux Red Hat 9
    • 4 Linux Fedora Core 1
    • 3 Windows 2000 Server (en)
    • 1 Windows XP Professional (pt-BR)
    • 1 Windows XP Professional (en)
    • 1 Windows 2000 Server/Windows 2000 Advanced Server (en)

Current Status of the Brazilian Honeypots Alliance -- Distributed Honeypots Project

The Honeynet.BR team has been deeply involved in the maintenance and expansion of the Brazilian Honeypots Alliance -- a network comprised of distributed low-interaction honeypots (Honeyd), deployed in academic, commercial, governmental and military institutions.

The objective of this project is to increase the capacity of incident detection, event correlation and trend analysis in the Brazilian Internet space.

Currently the data collected in these honeypots is being used by CERT.br to notify network administrators whose networks are involved in malicious activities.

FINDINGS

Number and type of systems compromised

We had 4 machines compromised:

  • 1 Windows 2000 Server (en)
    • Compromised several times by the IIS UTF/UNICODE directory traversal exploit.
  • 1 Linux Red Hat 9
    • Compromised by the AWStats "configdir" Remote Command Execution Exploit.
      The attacker downloaded a bot written in Perl and executed it. The bot tried to connect to an IRC network, but did not succeed.
  • 1 Linux Red Hat 7.2
    • Compromised by the OpenSSL Buffer Overflow Exploit.
  • 1 Windows 2000 Server/Windows 2000 Advanced Server (en)
    • Compromised by W32.Esbot.B.
      The bot connected to an IRC server, joined a password-protected channel, and started scanning for port 445/tcp.

Trends seen in the past months

In the past few months we have seen an increase in the number of brute force attacks against SSH servers and an increase in bot activity. The rate of scans looking for vulnerable mod_ssl installations remains the same.

MISC ACTIVITIES

Presenting at conferences

English

  • Incident Response and Early Warning Initiatives in Brazil, Marcelo H. P. C. Chaves, presented at International Information Security Conference, Buenos Aires, Argentina, October, 2005.

  • Honeynet.BR and the National Early Warning Capability Based on a Network of Distributed Honeypots, Cristine Hoepers, presented at SIG^2 Seminar, Singapore, June, 2005.
    [PDF Presentation]

  • A National Early Warning Capability Based on a Network of Distributed Honeypots, Cristine Hoepers, presented at 17th Annual FIRST Conference on Computer Security Incident Handling, Singapore, June, 2005.
    [PDF Presentation]

  • Honeynet Maintenance Procedures and Tools, Carlos Henrique P. C. Chaves, Lucio Henrique Franco and Antonio Montes, presented at 6th IEEE Information Assurance Workshop, West Point, NY, June, 2005.
    [PDF Presentation]

Portuguese

  • Eficácia de honeypots no combate a worms em instituições, Luiz Otávio Duarte, André Ricardo Abed Grégio, Antonio Montes and Adriano Mauro Cansian, GTS Meeting (Security Working Group of the Brazilian Internet Steering Committee), São Paulo, July 2005.
    [PDF presentation]

  • O Perfil da Segurança na Internet Através da Análise das Estatísticas do Consórcio Brasileiro de Honeypots, Émerson Salvadori Virti, Liane Tarouco and Leandro Márcio Bertholdo, GTS Meeting (Security Working Group of the Brazilian Internet Steering Committee), São Paulo, July 2005.
    [PDF presentation]

Tools under development (to be released soon)

  • SSH daemon adapted to run as a listener under Honeyd
    • logs user names and passwords
    • can start a fake shell

  • Honeyd listener to collect malware propagating through ports 135/TCP and 445/TCP.
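As an added illustration (not a configuration from the Honeynet.BR project), the following Honeyd configuration fragment shows how listeners such as the two tools above are attached to the ports of emulated hosts. The script paths, the 192.0.2.0/24 addresses and the personality strings are assumptions; personality names must match entries in the nmap fingerprint file Honeyd was started with.

```conf
# Added example: wiring port listeners into Honeyd emulated hosts.
# Honeyd runs the named script per connection and connects the script's
# stdin/stdout to the TCP stream, so whatever the attacker sends arrives on
# stdin and can be logged or saved as an artifact.

# Emulated Windows host: collect whatever is pushed at the RPC/SMB ports.
create win2k
set win2k personality "Microsoft Windows 2000 Server SP4"   # assumed name
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action open
add win2k tcp port 135 "/usr/local/share/honeyd/scripts/collect-malware.sh"
add win2k tcp port 445 "/usr/local/share/honeyd/scripts/collect-malware.sh"
bind 192.0.2.10 win2k

# Emulated Linux host: fake SSH service that records login attempts.
create linuxbox
set linuxbox personality "Linux 2.4.18 - 2.4.20"             # assumed name
set linuxbox default tcp action reset
set linuxbox default udp action reset
add linuxbox tcp port 22 "/usr/local/share/honeyd/scripts/ssh-listener.sh"
bind 192.0.2.11 linuxbox
```

Honeyd exports the connection endpoints to the script in environment variables (for example HONEYD_IP_SRC and HONEYD_DST_PORT), which is what a collector uses to name the captured artifact by source address and port.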

Publication of papers

English

  • A National Early Warning Capability Based on a Network of Distributed Honeypots, Cristine Hoepers, Klaus Steding-Jessen, Luiz E. R. Cordeiro and Marcelo H. P. C. Chaves, presented at 17th Annual FIRST Conference on Computer Security Incident Handling, (Singapore), June, 2005.

  • Honeynet Maintenance Procedures and Tools, Carlos Henrique P. C. Chaves, Lucio Henrique Franco and Antonio Montes, presented at 6th IEEE Information Assurance Workshop, (West Point, NY), June, 2005.

  • A Honeypot Implementation as Part of the Brazilian Distributed Honeypots Project and Statistical Analysis of Attacks Against a University's Network, Claudia J. Barenco Abbas, Alessandra Lafetá, Giuliano Arruda and Luis Javier Garcia Villalba, presented at International Workshop on Security in Information Systems (WOSIS 2005), May, 2005.

Other

  • Master Thesis: Monitoring Activities in Hosts Prepared to be Compromised (Honeypots), Luiz Gustavo C. Barbato, Instituto Nacional de Pesquisas Espaciais, São José dos Campos, SP.
    Not long ago, information systems security was closely associated with passive protection, always assuming a purely defensive stance. Nowadays, this approach is changing. Reactive measures are helping to improve systems security, with the use of hosts prepared to be compromised (honeypots) providing information about the techniques used by the attackers, from the attackers themselves. Based on this new approach to information systems security, the present work aims to develop a system to stealthily monitor all the attackers' activities in the honeypots and transfer this information to monitoring stations.
    [PDF publication] (Portuguese)

LESSONS LEARNED

Most of the activity is conducted by automated bots and worms; therefore we need to develop better methods to collect malware and other artifacts related to these types of attacks.

FUTURE GOALS

In the next six months we intend to focus our work on these tasks:

  • Continue to analyse the artifacts collected in the compromised honeypots. The results will be included in the Artifacts Database maintained by the project;
  • Improve the statistics of the Brazilian Honeypots Alliance -- Distributed Honeypots Project;
  • Continuously expand the network of distributed honeypots, gathering new partners and covering a larger portion of the Brazilian Internet address space;
  • Work on the correlation between the data gathered in the honeynet and in the network of distributed honeypots.


Honeynet.BR Project
$Id: 2005-2.html,v 1.2 2008/01/28 20:27:41 jessen Exp $