+------------------------------------------------------------------------------+
|                                      /\                                      |
|                                    /\\//\                                    |
|                                    \//\\/                                    |
|                                      \/                                      |
|                                   honeynor                                   |
|                         a norwegian honeynet project                         |
|                                                                              |
|                            http://www.honeynor.no                            |
|                                                                              |
|                                      --                                      |
|                                                                              |
|                           Bi-annual status report                            |
|                                   2006-#1                                    |
+------------------------------------------------------------------------------+

1.0 DEPLOYMENTS

1.1 Current technologies deployed. Describe anything that you have deployed
    that is collecting information, including honeynets, client honeypots,
    honeyd, mwcollect, or anything else honeypot related.

  * Current honeynets are based on Roo with various operating systems running
    as honeypots on VMware. Most of the honeynet has been redesigned and
    reinstalled with hardware from a recent generous donation.

  * Honeynor has a central nepenthes honeypot with distributed malware
    collectors.

2.0 FINDINGS

2.1 Highlight any unique findings, attacks, tools, or methods.

  * Another SSH brute force attack with Norwegian usernames was detected (ref.
    our previous status report). The malicious activity was successfully
    traced back to its origin in co-operation with an ISP. The activity was
    generated by a bot scanning the local network.

  * Dasher.B story: Honeynor sent an email to the alliance on December 15th
    about port 1025/tcp activity, after we had monitored this traffic for some
    weeks. It was identified as unknown DCOM activity from China, and we
    requested a working vulnerability emulator on the alliance list. Georg
    Wicherski from the German Honeynet Project hacked together a tool on short
    notice, and captured the first sample of Dasher.B. This case demonstrated
    how the teams can work together; it involved the Norwegian, German and
    Chinese teams.

2.2 Any trends seen in the past six months.

  * A good proportion of the malware we've captured over the last 4 months
    uses port 7000/TCP to connect to a C&C.

2.3 What are you using for data analysis?
    What is working well, and what is missing? What data analysis
    functionality would you like to see developed?

  * Walleye is used to monitor all honeypots.
  * chaosreader - Reads tcpdump capture files and prints them as HTML.
    (http://chaosreader.sourceforge.net/)
  * Norman SandBox
  * Passive DNS Replication (http://www.enyo.de/fw/software/dnslogger/)
  * IDA Pro
  * OllyDbg

3.0 LESSONS LEARNED

3.1 What new positive things can you share with the community, so they can
    replicate your success?

  * Honeynor has deployed two VMware Server (beta) installations. We won't be
    using Workstation anymore.

3.2 What new mistakes can you share with the community, so they don't make
    the same mistakes?

  * Label your network connections/cabling and servers in a honeynet.

3.3 Are there any research ideas you would like to see developed?

  * None at this time.

4.0 NEW TOOLS

4.1 What new tools or technology are you working on?

  * Christian Stigen Larsen from Honeynor has started participating in the
    development of nepenthes.

  * We've developed a sandbox parser which automatically processes the
    malware reports sent to us from Norman. The malware is collected using
    nepenthes and the submit-norman plugin. At regular intervals all
    unprocessed mail from Norman is parsed and the data put into a MySQL
    database. We then present this data on our website using various charts
    and tables (Link: http://www.honeynor.no/research/sandbox).

4.2 Would you like to integrate this with any other tools, or are you looking
    for help or collaboration with others in testing or developing the tool?

  * Not at this time.

5.0 PAPERS AND PRESENTATIONS

5.1 Are you working on any papers to be published, such as KYE or academic
    papers?

  * No, not at the moment.

5.2 Are you looking for any data or people to help with your papers?

  * No.

5.3 Where did you publish/present honeypot-related material?

  * We held a presentation at Hackcon 1, a Norwegian security conference.
  * We gave a presentation at the International Research Institute of
    Stavanger AS (IRIS).
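The sandbox-parser pipeline described in section 4.1 (nepenthes submits samples, the mailed reports are parsed, and the results feed the port-lookup statistics of section 7.1), shown as an added example that is not Honeynor's own parser. The report layout in SAMPLE_MAIL is constructed for illustration, since the real Norman SandBox mail format does not appear in this report; the MD5s and hosts are placeholders.

```python
"""Sandbox-report parser: extract the ports each sample contacts and build the
per-port statistics table.  The report layout is CONSTRUCTED for this example;
the real Norman SandBox mail format is not shown in the status report."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed mailbox content: two reports with placeholder MD5s and hosts.
SAMPLE_MAIL = """\
Subject: SandBox report (md5: 00000000000000000000000000000001)
[ Network services ]
 * Connects to "irc.example.invalid" on port 7000 (TCP).
 * Connects to "203.0.113.10" on port 80 (TCP).

Subject: SandBox report (md5: 00000000000000000000000000000002)
[ Network services ]
 * Connects to "c2.example.invalid" on port 7000 (TCP).
 * Opens a listening TCP port 1025.
"""

MD5_RE = re.compile(r"md5:\s*([0-9a-f]{32})", re.I)
CONNECT_RE = re.compile(r'Connects to "[^"]+" on port (\d+) \((TCP|UDP)\)')
LISTEN_RE = re.compile(r"Opens a listening (TCP|UDP) port (\d+)")

def parse_reports(text: str) -> Dict[str, List[Tuple[str, int, str]]]:
    """Split the mailbox into per-sample reports keyed by MD5; each hit is
    (direction, port, protocol)."""
    reports: Dict[str, List[Tuple[str, int, str]]] = {}
    current = None
    for line in text.splitlines():
        if m := MD5_RE.search(line):          # a new report starts here
            current = m.group(1).lower()
            reports.setdefault(current, [])
        elif current is None:
            continue                          # mail text before the first report
        elif m := CONNECT_RE.search(line):
            reports[current].append(("out", int(m.group(1)), m.group(2).lower()))
        elif m := LISTEN_RE.search(line):
            reports[current].append(("listen", int(m.group(2)), m.group(1).lower()))
    return reports

def port_stats(reports: Dict[str, List[Tuple[str, int, str]]]) -> Counter:
    """Number of distinct samples connecting out to each (port, proto); this is
    the port-lookup table, so a sample connecting twice still counts once."""
    stats: Counter = Counter()
    for hits in reports.values():
        stats.update({(p, pr) for d, p, pr in hits if d == "out"})
    return stats
```

Rows from parse_reports() map directly onto an INSERT per (md5, direction, port, proto), and port_stats() is the query behind a "how many samples use 7000/TCP" chart.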
6.0 ORGANIZATIONAL

6.1 Changes in the structure of your organization.

  * A new member, Øystein Fladby, has joined our team. He's currently working
    at Norman as a virus analyst.

6.2 Your feedback on Alliance activities.

  * None at this time.

6.3 Any suggestions for improving the Alliance?

  * Nothing to suggest at this time.

7.0 GOALS

7.1 Which of your goals did you meet for the last six months?

  * We created a database where we insert the information we get from the
    nepenthes/sandbox system. This database can then be used for port lookups
    and statistics.
  * Our honeynet has been redesigned with new hardware.
  * We've deployed several Win32 honeypots.

7.2 Which of your goals did you not meet for the last six months?

  * If legally acceptable, deploy a Tor exit node with snort-inline IPS to
    detect whether the Tor anonymizing network is being used for malicious
    activities. This has unfortunately been postponed; however, we do plan to
    investigate this issue further.

7.3 Goals for the next six months

  * More focus on analysing our data and filtering out "noise".
  * Continue the development of a Distributed Malware Collection System and
    deploy enough sensors to cover a large IP space in Norway.
  * Implement a centralized database for honeynet data.

8.0 MISC ACTIVITIES

8.1 Anything else not covered you would like to share.

  * Honeynor has established a close cooperation with Norman, a Norwegian
    anti-virus company. Norman is recognized for its SandBox technology, an
    excellent tool for analyzing malware samples collected in honeynets.
    Honeynor will expand the cooperation with the engineers at Norman. At the
    moment we're looking at ways to normalize malware.