THE HONEYNET PROJECT
Norwegian Chapter
--------------------------------------------------------------------------------
Annual Status Report - 2008
--------------------------------------------------------------------------------

1.0 DEPLOYMENTS

1.1 Current technologies deployed.
Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.

Our current honeynet is a GenIII honeynet with Roo and various operating systems running as honeypots on VMware Server. Most of the honeynet has been redesigned and reinstalled in the last period in a new data center with stable power and proper AC.

As we've experienced some performance issues with the roo-1.3 version of the honeywall, we've implemented our own ad-hoc solution: a dedicated server bridging the honeynet and the Internet while running Ubuntu 7.10 server with Daemonlogger, Snort, Barnyard, Softflowd and NfSen. This gives us an adequate overview and easy access to data going in and out of the honeynet.

We have a central nepenthes honeypot with distributed malware collectors. We are also experimenting with various high-interaction application honeypots, like Wordpress-honeypot and MySQL-honeypot.

In addition we've also deployed five ssh-honeypots on different ISP networks throughout Norway. These honeypots record authentication attempts only, and not what the attacker may do after gaining access. The honeypots are based on a modified OpenSSH 4.1 and do not allow any authentication to succeed. All authentication attempts are stored and forwarded to a centralized MySQL database. Currently this database holds a total of 4.2 million attacks. The ssh-bruteforce honeynet has been running for almost one year.

2.0 FINDINGS

2.1 Highlight any unique findings, attacks, tools, or methods.

* SSH Brute Force Attacks

SSH brute force attacks are happening all the time.
In this period we've also observed brute force attacks using Norwegian user names, very similar to what we reported in our last status report.

In the 11 months we've had our ssh-honeynet operational, we've recorded attacks from 1584 different IP addresses. Attacks from 202 of these 1584 addresses have been seen on all five honeypots (note that these are all located on different large ISP networks throughout Norway, all with different address space allocations). The country distribution of the 1584 addresses is shown in the graph at:
http://www.honeynor.no/img/2008_annual_report_SSH_attacking_cc.png

In our blog (http://www.honeynor.no/2008/07/23/size-definitely-matters/), we've got an entry about the observed length of the passwords used against our pots, and the distribution is shown in the graph at:
http://www.honeynor.no/img/2008_annual_report_SSH_pwlen.png

Not surprisingly, most of the attacks are targeting passwords in the range 4-8 characters. Notice the significant drop after 8 characters; this is probably due to the fact that a lot of systems still enforce an 8-character upper limit. Another reason could be related to human laziness in selecting the lowest number of characters allowed by the policy, which in almost every case sets the lower limit to 6, 7 or 8 characters. Most policies also define the recommended length equal to the lower limit. Restricting the password to an upper limit of 6-8 characters is fortunately no longer the case for modern operating systems, but as lower limits and recommendations are still kept at this length, it will remain the main target for brute force attacks.

An interesting piece of information extracted from the ssh-database is the password composition distribution as shown in the graph at:
http://www.honeynor.no/img/2008_annual_report_SSH_pwstats.png

In this graph we examine the composition of each password. By 'characters' we mean alphabetic characters [a-zA-Z], and digits are the numbers 0 to 9.
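Counting these categories over honeypot records, as an added example that is not part of the chapter's report or database tooling: it computes the composition buckets just defined, the password-length distribution, and the attacker IPs seen on every sensor (the 202-of-1584 figure above). The sensor names and records are constructed (three sensors instead of five).

```python
"""Statistics over ssh-honeypot authentication attempts: password length and composition,
plus attacker IPs seen on every sensor. Added example; the records below are constructed."""
from collections import Counter
from string import ascii_letters, digits

SENSORS = ("pot1", "pot2", "pot3")   # constructed sensor names (the chapter ran five)
# Constructed records in the shape the honeypots log: (sensor, attacking IP, username, password)
RECORDS = [
    ("pot1", "198.51.100.7", "root",   "password"),
    ("pot2", "198.51.100.7", "root",   "123456"),
    ("pot3", "198.51.100.7", "admin",  "admin1"),
    ("pot1", "203.0.113.42", "root",   "qwerty"),
    ("pot2", "203.0.113.42", "ola",    "Norge2008"),
    ("pot1", "192.0.2.200",  "root",   "P@ssw0rd!"),
    ("pot3", "192.0.2.200",  "test",   "test"),
    ("pot2", "198.51.100.7", "oracle", "oracle"),
]

def classify(pw: str) -> str:
    """Bucket a password by the character classes it uses, as in the report's graph."""
    has_alpha = any(c in ascii_letters for c in pw)
    has_digit = any(c in digits for c in pw)
    has_special = any(c not in ascii_letters + digits for c in pw)
    if has_special:
        return "alnum+special" if has_alpha and has_digit else "special-other"
    if has_alpha and has_digit:
        return "alnum"
    if has_alpha:
        return "alpha"
    return "digit" if has_digit else "empty"

def composition_distribution(records) -> dict:
    """Percentage of attempts per composition bucket, one decimal like the report."""
    counts = Counter(classify(r[3]) for r in records)
    return {k: round(100.0 * v / len(records), 1) for k, v in counts.items()}

def length_distribution(records) -> dict:
    """Number of attempts per password length, ordered by length."""
    return dict(sorted(Counter(len(r[3]) for r in records).items()))

def ips_seen_on_all_sensors(records, sensors) -> set:
    """Attacker IPs that hit every sensor: sweeps across unrelated ISP address space."""
    seen = {}
    for sensor, ip, _, _ in records:
        seen.setdefault(ip, set()).add(sensor)
    return {ip for ip, hit in seen.items() if set(sensors) <= hit}

if __name__ == "__main__":
    print(composition_distribution(RECORDS), length_distribution(RECORDS))
    print(ips_seen_on_all_sensors(RECORDS, SENSORS))
```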
A staggering 71.2 % of all recorded passwords contained only alphabetic characters! The usually recommended passwords, consisting of both alphanumeric and special characters, are seen in only 4.4 % of the cases.

* Malware collected

Malware collection from Nepenthes continues. The top three malware families are SDBot, PoeBot and Virut. Analysis with anti-virus scanners shows a 70% detection rate (past 12 months of data). Malware is submitted to Norman Sandbox on a regular basis and to CWSandbox on an ad-hoc basis for analysis. Manual malware analysis is done using e.g. OllyDbg and IDA.

* Malicious VoIP

We have investigated several attacks targeted against VoIP equipment. At one specific corporate network here in Norway, we've experimented with a custom VoIP honeypot with sipsak (http://sipsak.org/) that answers on the first SIP INVITE. This should trigger the attacker to continue to probe that server for any possible combination of numbers that will allow the attacker to call onto the POTS network. We've also made some of the findings public on our blog at http://www.honeynor.no/2008/10/19/voip-attacks-are-escalating

* Malicious PDF

As a result of the increasing amount of malicious PDF documents used in attacks, we constructed an extensive video (ca. 20 minutes long) showing how to analyze a malicious PDF file, extract the shellcode embedded in it, and do further analysis on that shellcode. This video demonstration has been very well received, and is one of our top visited blog entries. It's located at http://www.honeynor.no/2008/08/24/analysing-malicious-pdf-documents-and-shellcode/

The PDF document analyzed in this video is a real malware sample trying to exploit the following vulnerabilities: CVE-2008-0655, CVE-2007-5659, CVE-2007-5663, CVE-2007-5666, CVE-2008-0667, CVE-2008-0726, CVE-2008-2042. All vulns are related to Adobe Acrobat; see NVD (http://nvd.nist.gov) for more details about these vulnerabilities.
IDA Pro, HT, SpiderMonkey and some small custom python scripts were used to perform this analysis.

* EXE obfuscated as JPEG

Earlier this year, we came across a downloader (win32.exe) that was making some effort to hide its traffic. The downloader was making GET requests for files such as search.jpg, winlogon.jpg, tibs.jpg and tool.jpg. Using tools like chaosreader and foremost to extract the files from the recorded pcap, we found out that these files indeed were valid JPEG files. However, when we looked more closely, we found that these files had something more interesting appended past the JPEG data. When we analyzed the superfluous contents of the file, we discovered that by doing a simple XOR with the hex value 31 on the entire image file, the result was a standard Microsoft executable (the malware). We've also seen this kind of obfuscation before, that time with the image of a green frog.

Now, what winlogon.jpg (or rather the executable inside it) did was to install BraveSentry, a rogue anti-virus/spyware product that claims to have found malware on your system in order to trick you into purchasing their product. This is not a new obfuscation technique, but it seems to be characteristic of this group of spyware creators, who are pushing these rogue security programs. We made a blog entry about this finding, and we also created a video demonstration of how this image file was de-obfuscated using standard Unix power tools (http://www.honeynor.no/2008/05/04/obfuscating-downloads/).

2.2 Any trends seen in the past six months.

* SIP

There have been a couple of servers port scanning for port 5060. It is not much at the moment, but will most likely explode in the next year.

* SQL-injection

We've been looking at the results of quite a few of the different SQL-injection (and XSS) attacks successfully performed against Norwegian and Danish servers.
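Returning to the EXE-obfuscated-as-JPEG finding in 2.1: the following is an added example (not the chapter's own tooling) of how to check a downloaded image for such a payload. It walks the JPEG segment structure to find the true End-Of-Image marker, then brute-forces the single-byte XOR key of whatever trails it instead of assuming 0x31, accepting a key only when the result has an MZ header whose e_lfanew points at a PE signature; the tiny JPEG and the PE stub are constructed.

```python
"""Find data appended past a JPEG's End-Of-Image marker and recover the single-byte XOR
key that turns it into a Windows executable. Added example; the sample file is constructed."""
def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking the JPEG segment structure."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    pos = 2
    # Header segments (APPn, DQT, DHT, SOF ...) carry a 2-byte length field; skip them until SOS.
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xDA, 0xD9):
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
    # In entropy-coded data 0xFF is always stuffed (FF 00) or an RSTn marker (FF D0-D7),
    # so the first FF D9 after SOS is the real End Of Image.
    eoi = data.find(b"\xff\xd9", pos)
    if eoi < 0:
        raise ValueError("no EOI marker found")
    return eoi + 2

def recover_xor_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) when the result has an MZ
    header whose e_lfanew points at a PE signature, otherwise None."""
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        if plain[:2] == b"MZ" and len(plain) >= 0x40:
            e_lfanew = int.from_bytes(plain[0x3C:0x40], "little")
            if plain[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return key, plain
    return None

def analyse(data: bytes) -> dict:
    """How many bytes trail the image, and which XOR key (if any) hides a PE in them."""
    end = jpeg_end(data)
    hit = recover_xor_key(data[end:])
    return {"jpeg_bytes": end, "trailing_bytes": len(data) - end,
            "xor_key": None if hit is None else hit[0]}

# Constructed sample: a minimal JPEG followed by a fake PE stub XORed with 0x31.
def _fake_pe_stub() -> bytes:
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew: PE header right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x4c\x01"  # PE signature + Machine = i386

SAMPLE_JPEG = (b"\xff\xd8"                                                         # SOI
               + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0 (JFIF)
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS
               + b"\x12\xff\x00\x34\xff\xd0\x56"                                  # scan data: FF00 stuffing, RST0
               + b"\xff\xd9")                                                     # EOI
SAMPLE = SAMPLE_JPEG + bytes(b ^ 0x31 for b in _fake_pe_stub())

if __name__ == "__main__":
    print(analyse(SAMPLE))   # {'jpeg_bytes': 39, 'trailing_bytes': 70, 'xor_key': 49}
```

Run against a real download, the same `analyse()` flags any image with bytes past EOI, and a recovered key is the cue to hand the decoded blob to the usual PE tooling.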
The attacks have several common properties:
- they inject a JavaScript into the attacked page
- the script is obfuscated
- the script loads several iframes and other scripts
- the end exploits are ActiveX, .swf or .pdf attacks

The JavaScripts usually point to a Russian or Chinese server. They are obfuscated in different ways. Some simply use URL-encoding of the actual script combined with unescape() and eval(), while others use complex encryption functions including long encrypted strings that are decrypted by shifting parts of the string and combining parts in different ways.

The first script usually loads several other scripts from servers, often contacted by IP. Many of these servers are probably zombies, and a lot of the servers were no longer serving any scripts (the zombies may have been cleaned out). The attackers were using scripts from several different servers, in case one of their zombies goes down. So it's basically a "hacker cluster" for availability.

The end scripts usually contain several different attacks. I've seen scripts trying to exploit up to ten different ActiveX components, and many of the scripts use both ActiveX and Flash (.swf) attacks.

We've written more details of some actual attacks in addition to various mitigation strategies against SQL-injection on our blog at http://www.honeynor.no/2008/11/11/looking-at-some-sql-injection-attacks/

3.0 LESSONS LEARNED

3.1 What new positive things can you share with the community, so they can replicate your success?

VoIP/Asterisk works well for conferencing if not all members can participate in person at meetings.

Using wiki software (we use MediaWiki) makes it so much easier to gather documentation, analysis and notes from various meetings.

We've also had a big success with deploying a chapter-specific blog (we currently use WordPress).
Not only has this gained our chapter and HP as an organization more attention here in Norway, but maybe more importantly it has increased the enthusiasm of the members of our chapter.

Database-ify all the data you can. It makes storing and analyzing the data so much easier.

3.2 What new mistakes can you share with the community, so they don't make the same mistakes?

No significant mistakes to write home about.

3.3 Are there any research ideas you would like to see developed?

We are looking into a VoIP honeypot. You can use sipsak to answer the SIP INVITE, but you also need a separate port to capture the RTP traffic from the host. It would also be great to send a fake conversation as an RTP stream to the other end (first the ringing, then somebody that answers...).

4.0 TECHNOLOGY

4.1 What tools or functionality are we lacking, what do we need to work on?

It would be great to have a SIP honeypot, one that actually answers SIP INVITEs and records the conversation.

4.2 What new tools or technology are you working on?

Currently not much development of tools. We did release a patch to Daemonlogger 1.0.1 (http://www.honeynor.no/2008/08/01/daemonlogger-patch/), but the patch is no longer relevant as the functionality was quickly implemented in Daemonlogger 1.1, and subsequently 1.2.1.

4.3 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?

N/A

5.0 PAPERS AND PRESENTATIONS

5.1 Are you working on any papers to be published, such as KYE or academic papers?

We are planning to write and publish a paper on SSH brute force attacks, kind of a follow-up on the Clarkson Univ. paper "A Study of Passwords and Methods Used in Brute-Force SSH Attacks" from 2007. We don't yet have a time frame for when it might be finished, as everyone in our chapter has a full-time (and beyond) job to deal with.

5.2 Are you looking for any data or people to help with your papers?
We have initiated some collaboration with other chapters, but a lot depends on us actually finding some available time.

5.3 Where did you publish/present honeypot-related material?

We presented on VoIP security at a private security conference with 20 people from different state organizations. We also presented at the Norwegian ISF conference. More info and slides at http://www.honeynor.no/2008/09/08/talk-about-data-analysis/

6.0 ORGANIZATIONAL

6.1 Changes in the structure of your organization.

This year we've got one new member: Erlend Oftedal. He is working for Bekk Consulting and is maintaining his blog at http://erlend.oftedal.no/blog in addition to ours. He's an expert in web application security. Also, Christian Stigen Larsen has left our chapter.

6.2 Your feedback on Alliance activities.

Excellent that we finally got our own SILC server...

6.3 Any suggestions for improving the Alliance?

...though we would wish more of the chapters would use it (ref. 6.2).

7.0 GOALS

7.1 Which of your goals did you meet for the last six months?

Honeynet infrastructure successfully migrated to the new datacenter. We've held internal courses/training on malware analysis for members on two occasions.

7.2 Which of your goals did you not meet for the last six months?

We did not participate in GDH phase 2 as we had planned, but this is strictly our own fault. We have the necessary hardware readily available and we have the GDH DVD, but unfortunately we've not had the time to get it up and running.

7.3 Goals for the next six months

Continued focus on malware analysis, automation of sample collection, and training of team members in analysis and reverse engineering. Get the infrastructure running properly in the new datacentre. New deployments of honeypots, with focus on getting Sebek-integrated honeypots and the first VoIP honeypot up and running, but also more high-level third-party application honeypots. Let's deploy pots for whatever is currently "hot".
And finally we have to get more active in the participation in GDH.

8.0 MISC ACTIVITIES

8.1 Anything else not covered you would like to share.

We got sponsorship for some high-end hardware which is to be used in the GDH infrastructure (it is in the process of being installed).