+------------------------------------------------------------------------------+
|                                      /\                                      |
|                                    /\\//\                                    |
|                                    \//\\/                                    |
|                                      \/                                      |
|                                   honeynor                                   |
|                         a norwegian honeynet project                         |
|                                                                              |
|                            http://www.honeynor.no                            |
|                                                                              |
|                                      --                                      |
|                                                                              |
|                           Bi-annual status report                            |
|                                   2005-Q4                                    |
+------------------------------------------------------------------------------+


1.0 DEPLOYMENTS

1.1 Current technologies deployed. Please include diagrams, so others could
    replicate your methods. If this has not changed since the last report,
    please link to the information so readers can reference (and learn
    from it).

  * Current honeynets are based on Roo with various operating systems
    running as honeypots on VMware.
  * Also deployed are mwcollect/honeyd nodes for capturing malware activity.
    In addition, we are also trying out nepenthes for capturing malware.

1.2 Lessons learned from the technology, what you like about it.

  * Walleye is easy to use, and is a powerful tool to work with honeynet data.
  * Roo allows us to create small honeynets (see 3.1). VMware gives the unique
    ability to create physically small environments.

1.3 Lessons learned from the technology, what is lacking, what you would like
    to see improved.

  * Roo on VMware was found not to perform well under high load.

2.0 FINDINGS

2.1 Number and type of systems compromised during six month period.

  * None reported.

2.2 Highlight any unique findings, attacks, tools, or methods.

  * Piping nepenthes results directly into sandbox technology for automatic
    analysis of malware. The sandbox sends a report back to us, and the most
    interesting piece of information is the ports used by the malware
    (either in the attack vector, backdoors or botnet connections).

2.3 Any trends seen in the past six months.

  * Local-language-specific brute forcing of SSH logon credentials. Until now
    all SSH brute forcing has been done using foreign usernames (mostly
    English-based), so it was interesting to see that typical Norwegian names
    (torbjørn, harald, sverre, etc.) were also being used.
  * Detected the new wave of Windows Messaging Service pop-up SPAM at the same
    time as other sources observed it. Ports 1028, 1029 and 1030 (all UDP) are
    being used to deliver the pop-up spam. Almost every attempt we detected
    originates from China. Most messages are commercial advertisements and
    are trying to get users to access certain websites.

2.4 Document data analysis tools and methods being used.

  * Walleye is used to monitor all honeypots.
  * chaosreader - reads tcpdump capture files and prints them as HTML.
    (http://chaosreader.sourceforge.net/)
  * Norman SandBox
  * tcpdump
  * Passive DNS Replication (http://www.enyo.de/fw/software/dnslogger/)

2.5 For data analysis what tools work well, and what still needs to be
    developed.

  * The combination of Walleye and Ethereal works well for most cases.

3.0 MISC ACTIVITIES

3.1 Presenting at conferences

  * Einar Oftedal gave a presentation on "Honeynet research" at a security
    conference in Gol, Norway.
  * Roger Carlsen and Einar Oftedal gave a presentation on "Honeynor, a
    Norwegian Honeynet Project" at the ISF conference. A temporary honeynet
    was deployed during the conference, consisting of a Honeywall (Roo) and
    two honeypots (unpatched WinXP and RedHat 7.3). No systems were
    compromised, but network mapping activity was observed.
  * Einar Oftedal gave a presentation on "Honeynor, a Norwegian Honeynet
    Project" at BEKK Consulting.

3.2 Developing, testing or releasing code

  * None.

3.3 Publication of papers

  * None.

3.4 Involvement in SotM challenges.

  * We have not participated.

3.5 Other

  * Nothing.

4.0 ORGANIZATIONAL

4.1 Changes in the structure of your organization.

  * None.

5.0 LESSONS LEARNED

5.1 What positive things can you share with the community, so they can
    replicate your success.

  * We've started using MediaWiki (http://www.mediawiki.org/wiki/MediaWiki)
    internally for collaborative information sharing (MediaWiki is the same
    software used by the Wikipedia encyclopedia (http://www.wikipedia.org)).
    Everything is being documented there, even this very report. We've found
    it to be extremely efficient to store and maintain information with this
    software.
  * Using VMware for running honeypots works well - advanced features like
    snapshots make administration and rollback of hosts easy. Honeypots can
    easily be moved between honeynets.

5.2 What mistakes can you share with the community, so they don't make the
    same mistakes.

  * Don't underestimate the work needed to set up, configure, run and analyze
    honeypots and honeynets.

6.0 FUTURE GOALS

6.1 Plans/Goals for next six months

  * If legally acceptable, deploy a Tor exit node with snort-inline IPS to
    detect whether the Tor anonymizing network is being used for malicious
    activities.
  * More focus on analysing our data and filtering out "noise".
  * We plan to create a database where we insert the information we get from
    the nepenthes/sandbox solution described in 2.2. This database can then
    be used for port lookups and statistics.
  * Stabilize honeynets with planned hardware donations.
  * Research on advanced botnets.
  * Deploy win32 honeypots.
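As an added worked example for the two trends in section 2.3 (not part of the original report and not Honeynor's own tooling): a small Python script that runs over constructed OpenSSH auth-log lines and constructed tcpdump-style UDP records, groups failed SSH logins per source address, flags sources that exceed a threshold and notes which of them tried locally flavoured usernames, and picks out datagrams aimed at UDP 1028-1030. The log line formats, the local-name list, the threshold and every IP address are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth-log lines (not real honeynet data).
SSH_LOG = """\
Dec  3 02:14:01 hp1 sshd[2210]: Failed password for invalid user torbjørn from 192.0.2.10 port 4242 ssh2
Dec  3 02:14:03 hp1 sshd[2211]: Failed password for invalid user harald from 192.0.2.10 port 4243 ssh2
Dec  3 02:14:05 hp1 sshd[2212]: Failed password for invalid user sverre from 192.0.2.10 port 4244 ssh2
Dec  3 02:14:07 hp1 sshd[2213]: Failed password for root from 192.0.2.10 port 4245 ssh2
Dec  3 02:20:11 hp1 sshd[2230]: Failed password for invalid user admin from 198.51.100.7 port 3001 ssh2
Dec  3 02:20:12 hp1 sshd[2231]: Failed password for invalid user test from 198.51.100.7 port 3002 ssh2
Dec  3 02:20:13 hp1 sshd[2232]: Failed password for invalid user oracle from 198.51.100.7 port 3003 ssh2
Dec  3 03:05:40 hp1 sshd[2290]: Accepted password for analyst from 203.0.113.5 port 5555 ssh2
"""

# Constructed tcpdump-style one-liners for UDP traffic (not real captures).
UDP_LOG = """\
02:30:01.000000 IP 198.51.100.20.1026 > 192.0.2.50.1028: UDP, length 412
02:30:01.200000 IP 198.51.100.20.1026 > 192.0.2.51.1029: UDP, length 412
02:30:01.400000 IP 198.51.100.20.1026 > 192.0.2.52.1030: UDP, length 412
02:31:15.000000 IP 192.0.2.50.32768 > 192.0.2.1.53: UDP, length 61
"""

# Usernames common locally but rare in generic wordlists (assumed list for
# the example; a real deployment would build this from local naming data).
LOCAL_NAMES = {"torbjørn", "harald", "sverre", "ole", "kari", "bjørn"}

# Destination ports the report associates with the pop-up spam wave.
MESSENGER_PORTS = {1028, 1029, 1030}

SSH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2"
)
UDP_LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def ssh_bruteforce_report(log_text, threshold=3):
    """Group failed SSH logins by source address; report sources with at least
    `threshold` failures and which locally flavoured usernames they tried."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            attempts[m.group("src")].append(m.group("user").lower())
    report = {}
    for src, users in attempts.items():
        if len(users) >= threshold:
            local = sorted(set(users) & LOCAL_NAMES)
            report[src] = {"attempts": len(users), "local_names": local}
    return report


def messenger_spam_candidates(log_text):
    """Return (src, dst, dport, length) for UDP datagrams sent to the
    Messenger-service ports; other UDP traffic (e.g. DNS) is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = UDP_LINE.search(line)
        if m and int(m.group("dport")) in MESSENGER_PORTS:
            hits.append((m.group("src"), m.group("dst"),
                         int(m.group("dport")), int(m.group("len"))))
    return hits


if __name__ == "__main__":
    for src, info in ssh_bruteforce_report(SSH_LOG).items():
        print(f"SSH brute force from {src}: {info['attempts']} attempts, "
              f"local names tried: {info['local_names']}")
    for src, dst, port, length in messenger_spam_candidates(UDP_LOG):
        print(f"Messenger-port datagram {src} -> {dst}:{port}/udp ({length} bytes)")
```

The threshold is deliberately low so the constructed sample triggers; on real honeypot logs it should be tuned against the noise level the report mentions in 6.1. Splitting the local-name match out as a separate field keeps ordinary brute forcing and the local-language variant distinguishable in later statistics.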
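As an added example for the nepenthes/sandbox pipeline described in 2.2 and the port database planned in 6.1 (not part of the original report, and not Honeynor's or Norman's code; the sandbox report format below is invented for the example and is not the real Norman SandBox output): a Python script that parses network events out of constructed sandbox reports, stores them in SQLite with a uniqueness constraint so a sample that repeats the same connection is counted once, and answers the two questions the report names: which samples used a given port, and which ports are most common across samples. Sample hashes are placeholders.

```python
import re
import sqlite3

# Constructed sandbox reports in a made-up text format (assumed; this is not
# the real Norman SandBox report layout). One report per captured sample.
SANDBOX_REPORTS = [
    """\
[Sample] sha1=PLACEHOLDER_SHA1_A
[Network] connect tcp 203.0.113.9:6667 (irc)
[Network] listen tcp 0.0.0.0:4444
[Network] connect tcp 203.0.113.9:6667
""",
    """\
[Sample] sha1=PLACEHOLDER_SHA1_B
[Network] listen tcp 0.0.0.0:4444
[Network] connect tcp 198.51.100.3:80 (http get)
[Network] connect udp 198.51.100.4:1028
""",
]

REPORT_LINE = re.compile(
    r"\[Network\] (?P<kind>connect|listen) (?P<proto>tcp|udp) (?P<host>[\d.]+):(?P<port>\d+)"
)


def parse_report(text):
    """Yield (sha1, kind, proto, host, port) tuples from one constructed report.
    Lines before the [Sample] header are ignored because they cannot be attributed."""
    sha1 = None
    for line in text.splitlines():
        if line.startswith("[Sample] sha1="):
            sha1 = line.split("=", 1)[1].strip()
            continue
        m = REPORT_LINE.search(line)
        if m and sha1:
            yield (sha1, m.group("kind"), m.group("proto"),
                   m.group("host"), int(m.group("port")))


def build_db(reports, path=":memory:"):
    """Create the port table and load every report; the UNIQUE constraint plus
    INSERT OR IGNORE deduplicates repeated events from the same sample."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS malware_ports (
        sha1  TEXT    NOT NULL,
        kind  TEXT    NOT NULL,   -- 'listen' (backdoor/bind) or 'connect' (C&C, attack)
        proto TEXT    NOT NULL,
        host  TEXT    NOT NULL,
        port  INTEGER NOT NULL,
        UNIQUE(sha1, kind, proto, host, port))""")
    for text in reports:
        db.executemany("INSERT OR IGNORE INTO malware_ports VALUES (?,?,?,?,?)",
                       parse_report(text))
    db.commit()
    return db


def lookup_port(db, port, proto=None):
    """Port lookup: which samples used this port, and in which role."""
    sql = "SELECT sha1, kind, proto, host FROM malware_ports WHERE port = ?"
    args = [port]
    if proto:
        sql += " AND proto = ?"
        args.append(proto)
    return db.execute(sql + " ORDER BY sha1, kind", args).fetchall()


def port_statistics(db, kind=None):
    """Statistics: distinct samples per (proto, port), most common first."""
    sql = "SELECT proto, port, COUNT(DISTINCT sha1) AS samples FROM malware_ports"
    args = []
    if kind:
        sql += " WHERE kind = ?"
        args.append(kind)
    sql += " GROUP BY proto, port ORDER BY samples DESC, proto, port"
    return db.execute(sql, args).fetchall()


if __name__ == "__main__":
    db = build_db(SANDBOX_REPORTS)
    print("port 4444:", lookup_port(db, 4444))
    print("most common ports:", port_statistics(db))
    print("listening ports only:", port_statistics(db, kind="listen"))
```

Keeping `kind` as a column is what makes the database useful for the use the report describes: a port that samples listen on points at a backdoor worth watching for on the honeynet, while a port they connect out to points at a botnet or download server, and the two call for different filtering rules.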