Transcript Lecture 17

Honeypots, Honeynets, Bots and Botnets
Source: The HoneyNet Project
http://www.honeynet.org/
Why HoneyPots
A great deal of the security profession and the IT world depend on honeypots. Honeypots:
◦ Build anti-virus signatures.
◦ Build SPAM signatures and filters.
◦ Help ISPs identify compromised systems.
◦ Assist law enforcement to track criminals.
◦ Hunt and shut down botnets.
◦ Malware collection and analysis.
What are Honeypots
• Honeypots are real or emulated vulnerable systems ready to be attacked.
• The primary value of honeypots is to collect information.
• This information is used to better identify, understand and protect against threats.
• Honeypots add little direct value to protecting your network.

Types of HoneyPot
• Server: Put the honeypot on the Internet and let the bad guys come to you.
• Client: Honeypot initiates and interacts with servers.
• Other: Proxies

Types of HoneyPot
• Low-interaction
◦ Emulates services, applications, and OS’s.
◦ Low risk and easy to deploy/maintain, but captures limited information.
• High-interaction
◦ Real services, applications, and OS’s.
◦ Captures extensive information, but high risk and time intensive to maintain.

Types of HoneyPot
• Production
◦ Easy to use/deploy
◦ Captures limited information
◦ Mainly used by companies/corporations
◦ Placed inside the production network with other servers
◦ Usually low interaction
• Research
◦ Complex to maintain/deploy
◦ Captures extensive information
◦ Primarily used for research, military, or govt. orgs
Examples Of Honeypots
• Low Interaction
◦ BackOfficer Friendly
◦ KFSensor
◦ Honeyd
• High Interaction
◦ Honeynets
High-interaction honeypot designed to capture
in-depth information.
 Information has different value to different
organizations.
 Its an architecture you populate with live
systems, not a product or software.
 Any traffic entering or leaving is suspect.

How It Works

A highly controlled network where every
packet entering or leaving is monitored,
captured, and analyzed.
◦ Data Control
◦ Data Capture
◦ Data Analysis
Honeynet Architecture
(Diagram slide: honeynet architecture.)
Data Control
Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline)
• Bandwidth Throttling
(Diagram slide: No Data Control vs. Data Control.)
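As an added illustration of the "count outbound connections" control (example code written for this transcript, not Honeywall or Snort-Inline code): it applies a per-honeypot limit on new outbound connections within a time window to a constructed set of flow records, leaves inbound traffic untouched, and reports which outbound connections a Honeywall-style data-control layer would drop. The honeynet range, flow records, limit and window are assumed values.

```python
import ipaddress
from collections import defaultdict

# Constructed honeynet range and flow records (hypothetical, not from the lecture).
# Each flow: (timestamp in seconds, src_ip, dst_ip, dst_port, protocol)
HONEYNET = ipaddress.ip_network("192.0.2.0/24")
FLOWS = [
    (0,   "198.51.100.7", "192.0.2.10",   445,  "tcp"),  # inbound: attacker reaches honeypot
    (5,   "192.0.2.10",   "203.0.113.5",  6667, "tcp"),  # outbound: bot contacts IRC C&C
    (6,   "192.0.2.10",   "203.0.113.9",  80,   "tcp"),  # outbound: bot fetches an update
    (7,   "192.0.2.10",   "203.0.113.20", 445,  "tcp"),  # outbound: scanning begins
    (8,   "192.0.2.10",   "203.0.113.21", 445,  "tcp"),
    (9,   "192.0.2.10",   "203.0.113.22", 445,  "tcp"),
    (10,  "192.0.2.11",   "203.0.113.5",  6667, "tcp"),  # second honeypot, a single connection
    (20,  "192.0.2.10",   "192.0.2.11",   445,  "tcp"),  # honeypot to honeypot: stays inside
    (100, "192.0.2.10",   "203.0.113.23", 445,  "tcp"),  # window has expired: allowed again
]

def is_outbound(src, dst):
    """Outbound means from a honeypot to a host outside the honeynet range."""
    return (ipaddress.ip_address(src) in HONEYNET
            and ipaddress.ip_address(dst) not in HONEYNET)

def apply_connection_limit(flows, limit, window):
    """Allow each honeypot at most `limit` new outbound connections per `window`
    seconds; later ones are reported as dropped, which is what the data-control
    layer does to keep a compromised honeypot from attacking other systems.
    Inbound traffic is never limited: the attacker must be able to get in.
    Returns {honeypot_ip: {"allowed": [...], "dropped": [...]}}."""
    recent = defaultdict(list)   # honeypot -> timestamps of allowed outbound connections
    report = defaultdict(lambda: {"allowed": [], "dropped": []})
    for ts, src, dst, dport, proto in sorted(flows):
        if not is_outbound(src, dst):
            continue
        recent[src] = [t for t in recent[src] if ts - t < window]   # slide the window
        entry = (ts, dst, dport, proto)
        if len(recent[src]) < limit:
            recent[src].append(ts)
            report[src]["allowed"].append(entry)
        else:
            report[src]["dropped"].append(entry)
    return dict(report)

if __name__ == "__main__":
    for hp, r in apply_connection_limit(FLOWS, limit=3, window=60).items():
        print(hp, "allowed:", len(r["allowed"]), "dropped:", len(r["dropped"]))
```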
Data Capture
Capture all activity at a variety of levels.
• Network activity.
• Application activity.
• System activity.

Sebek
• Hidden kernel module that captures all host activity.
• Dumps activity to the network.
• The attacker cannot sniff Sebek’s own traffic: the module hides packets matching its magic number and dst port.

Sebek Architecture
(Diagram slide: Sebek architecture.)
Honeywall CDROM
Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
• May, 2003 - Released Eeyore
• May, 2005 - Released Roo

Roo Honeywall CDROM
• Based on Fedora Core 3
• Vastly improved hardware and international support.
• Automated, headless installation
• New Walleye interface for web based administration and data analysis.
• Automated system updating.
Installation
• Just insert the CDROM and boot; it installs to the local hard drive.
• After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
• Following installation, you get a command prompt and the system is ready to configure.

Further Information
• http://www.honeynet.org/
• http://www.honeynet.org/book

Network Telescope
• Also known as a darknet, internet motion sensor or black hole.
• Allows one to observe different large-scale events taking place on the Internet.
• The basic idea is to observe traffic targeting the dark (unused) address space of the network.
• Since all traffic to these addresses is suspicious, one can gain information about possible network attacks
◦ random scanning worms, and DDoS backscatter
as well as other misconfigurations by observing it.
Honeytoken
• Honeytokens are honeypots that are not computer systems.
• Their value lies not in their use, but in their abuse.
• As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes.
• Honeytokens can exist in almost any form,
◦ from a dead, fake account to a
◦ database entry that would only be selected by malicious queries,
◦ making the concept ideally suited to ensuring data integrity—any use of them is inherently suspicious if not necessarily malicious.
Honeytoken
• In general, they don't necessarily prevent any tampering with the data,
◦ but instead give the administrator a further measure of confidence in the data integrity.
• An example of a honeytoken is a fake email address used to track if a mailing list has been stolen.
Honeymonkey
• HoneyMonkey,
◦ short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot.
• The implementation uses a network of computers
◦ to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer.
◦ A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site.
◦ After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot.
◦ The changes are analyzed to determine whether the visited site installed malware onto the honeypot computer.
Honeymonkey
• HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it.
• The term was coined by Microsoft Research in 2005.
• With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.

Tarpit
• A tarpit (also known as Teergrube, the German word for tarpit) is a service on a computer system (usually a server) that delays incoming connections for as long as possible.
• The technique was developed as a defense against a computer worm, and
• the idea is that network abuses such as spamming or broad scanning are less effective if they take too long.
• The name is analogous with a tar pit, in which animals can get bogged down and slowly sink under the surface.

Botnets
by
Mohammad M. Masud
Botnets
• Introduction
• History
• How do they spread?
• What do they do?
• Why care about them?
• Detection and Prevention

Bot
• The term 'bot' comes from 'robot'.
• In the computing paradigm, 'bot' usually refers to an automated process.
• There are good bots and bad bots.
• Examples of good bots:
◦ Google bot
◦ Game bot
• Example of bad bots:
◦ Malicious software that steals information
Botnet
Network of compromised/bot-infected machines (zombies) under the control of a human attacker (botmaster).
(Diagram slide: botmaster; IRC server and IRC channel carrying C&C traffic; code server providing updates; vulnerable machines; attack.)
History
• In the beginning, there were only good bots.
◦ ex: google bot, game bot etc.
• Later, bad people thought of creating bad bots so that they may
◦ Send Spam and Phishing emails
◦ Control others’ PCs
◦ Launch attacks against servers (DDoS)
• Many malicious bots were created
◦ SDBot/Agobot/Phatbot etc.
• Botnets started to emerge
TimeLine
(Timeline figure with an axis from 1989 to 2006/present; the figure also carries the label "RPCSS".)
• 1989: GM (by Greg, Operator) recognized as the first IRC bot. Entertained clients with games.
• 1999: W32/PrettyPark, 1st worm to use IRC as C&C. DDoS capable.
• 2000: GT bots combined mIRC client, hacking scripts & tools (port scanning, DDoS).
• 2002: W32/Sdbot, first family of bots developed as a single binary (by a Russian named sd).
• 2002: W32/Agobot bot family added modular design and significant functionality.
• 2003: W32/Spybot family emerged.
• 2005: W32/Mytob hybrid bot, major e-mail outbreak.
Cases in the news
• Axel Gembe
◦ Author of Agobot (aka Gaobot, Polybot)
◦ 21 yrs old
◦ Arrested in Germany in 2004 under Germany’s computer sabotage law
• Jeffrey Parson
◦ Released a variation of the Blaster Worm
◦ Infected 48,000 computers worldwide
◦ 18 yrs old
◦ Arrested, sentenced to 18 months & 3 yrs of supervised release
How The Botnet Grows
Recruiting New Machines
• Exploit a vulnerability to execute a short program (exploit) on the victim’s machine
◦ Buffer overflows, email viruses, Trojans etc.
• Exploit downloads and installs the actual bot
• Bot disables firewall and A/V software
• Bot locates IRC server, connects, joins
◦ Typically needs DNS to find out the server’s IP address
◦ Authentication password often stored in the bot binary
• Botmaster issues commands
What Is It Used For
Botnets are mainly used for only one thing.
How Are They Used
• Distributed Denial of Service (DDoS) attacks
• Sending Spam
• Phishing (fake websites)
• Adware (Trojan horse)
• Spyware (keylogging, information harvesting)
• Storing pirated materials

Example : SDBot
• Open-source Malware
• Aliases
◦ McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
• Infection
◦ Mostly through network shares
◦ Tries to connect using password guessing (exploits weak passwords)
• Signs of Compromise
◦ SDBot copies itself to the System folder - Known filenames: Aim95.exe, Syscfg32.exe etc..
◦ Registry entries modified
◦ Unexpected traffic: port 6667 or 7000
◦ Known IRC channels: Zxcvbnmas.i989.net etc..

Example : RBot
• First of the bot families to use encryption
• Aliases
◦ McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
• Infection
◦ Network shares, exploiting weak passwords
◦ Known s/w vulnerabilities in Windows (e.g.: LSASS buffer overflow vulnerability)
• Signs of Compromise
◦ Copies itself to the System folder - Known filenames: wuamgrd.exe, or random names
◦ Registry entries modified
◦ Terminates A/V processes
◦ Unexpected traffic: 113 or other open ports
Example : Agobot
• Modular Functionality
◦ Rather than infecting a system at once, it proceeds through three stages (3 modules)
▪ infect a client with the bot & open a backdoor
▪ shut down A/V tools
▪ block access to A/V and security related sites
◦ After successful completion of one stage, the code for the next stage is downloaded
• Advantage?
◦ The developer can update or modify one portion/module without having to rewrite or recompile the entire code
Example : Agobot
• Aliases
◦ McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
• Infection
◦ Network shares, password guessing
◦ P2P systems: Kazaa etc..
◦ Protocol: WASTE
• Signs of Compromise
◦ System folder: svshost.exe, sysmgr.exe etc..
◦ Registry entries modification
◦ Terminates A/V processes
◦ Modifies the %System\drivers\etc\hosts file
▪ Symantec/McAfee’s live update sites are redirected to 127.0.0.1
Example : Agobot
• Signs of Compromise (contd..)
◦ Theft of information: seeks and steals CD keys for popular games like “Half-Life”, “NFS” etc..
◦ Unexpected Traffic: open ports to IRC server etc..
◦ Scanning: Windows, SQL server etc..
DDoS Attack
• Goal: overwhelm the victim machine and deny service to its legitimate clients
• DoS often exploits networking protocols
◦ Smurf: ICMP echo request to broadcast address with spoofed victim’s address as source
◦ Ping of death: ICMP packets with payloads greater than 64K crash older versions of Windows
◦ SYN flood: “open TCP connection” request from a spoofed address
◦ UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets
DDoS attack
Coordinated attack on a specified host.
(Diagram slide: attacker → master (IRC server) machines → zombie machines → victim.)
Why DDoS attack?
• Extortion
◦ Take down systems until they pay
◦ Works sometimes too!
• Example: 180 Solutions – Aug 2005
◦ Botmaster used bots to distribute 180solutions adware
◦ 180solutions shut down the botmaster
◦ Botmaster threatened to take down 180solutions if not paid
◦ When not paid, the botmaster used DDoS
◦ 180Solutions filed a civil lawsuit against the hackers
Botnet Detection
• Host Based
• Intrusion Detection Systems (IDS)
• Anomaly Detection
• IRC Nicknames
• HoneyPot and HoneyNet

Host-based detection
• Virus scanning
• Watching for symptoms
◦ Modification of the Windows hosts file
◦ Random unexplained popups
◦ Machine slowness
◦ Antivirus not working
• Watching for suspicious network traffic
◦ Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic.
◦ Check if the host is trying to communicate with any Command and Control (C&C) center
◦ Through firewall logs, denied connections
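A worked check for the hosts-file symptom listed above, and for the Agobot behaviour described earlier (vendor live-update sites redirected to 127.0.0.1): added example code, not from the lecture or any vendor tool. It parses a constructed, tampered Windows hosts file, reports watch-listed hostnames pointed at a loopback or blackhole address, and diffs the file against a known-good baseline; the domain names, watch-list and file contents are constructed placeholders.

```python
import re

# Constructed sample hosts files (hypothetical contents; the .test domains are
# placeholders standing in for real A/V and update hosts).
CLEAN_HOSTS = """\
127.0.0.1       localhost
192.0.2.55      intranet.example.test
"""
TAMPERED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.55      intranet.example.test
127.0.0.1       liveupdate.av-vendor.test     # added by the bot
127.0.0.1       update.av-vendor.test
127.0.0.1       download.other-av.test
0.0.0.0         www.scanner.test
"""

# Watch-list of security-vendor domains an infected host should never resolve
# locally (constructed; extend with the A/V and update hosts you rely on).
SECURITY_DOMAINS = ("av-vendor.test", "other-av.test", "scanner.test", "winupdate.test")
BLACKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are ignored and
    a line carrying several hostnames yields one pair per hostname."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *hosts = re.split(r"\s+", line)
        for host in hosts:
            yield addr, host.lower()

def find_hosts_hijacks(text, domains=SECURITY_DOMAINS):
    """Return (hostname, address) for watch-listed domains mapped to a loopback or
    blackhole address: the Agobot-style redirect that silently kills A/V updates."""
    hits = []
    for addr, host in parse_hosts(text):
        if addr in BLACKHOLE_ADDRS and host != "localhost" and any(
                host == d or host.endswith("." + d) for d in domains):
            hits.append((host, addr))
    return hits

def hosts_diff(baseline, current):
    """Entries in the current file that are absent from a known-good baseline,
    so modifications outside the watch-list are caught as well."""
    return sorted(set(parse_hosts(current)) - set(parse_hosts(baseline)))
```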
Network Intrusion Detection Systems
• Example Systems: Snort and Bro
• Sniff network packets, looking for specific patterns (called signatures)
• If any pattern matches that of a malicious binary, then block that traffic and raise an alert
• These systems can efficiently detect viruses/worms having known signatures
• Can't detect any malware whose signature is unknown (i.e., zero day attack)

Anomaly Detection
• Normal traffic has some patterns
◦ Bandwidth/Port usage
◦ Byte-level characteristics (histograms)
◦ Protocol analysis – gather statistics about TCP/UDP src, dest address
◦ Start/end of flow, byte count
◦ DNS lookup
• First learn the normal traffic pattern
• Then detect any anomaly in that pattern
• Example systems: SNMP, NetFlow
• Problems:
◦ Poisoning
◦ Stealth
IRC Nicknames
• Bots use weird nicknames
• But they have a certain pattern (really!)
• If we can learn that pattern, we can detect bots & botnets
• Example nicknames:
◦ USA|016887436 or DE|028509327
▪ Country | Random number (9 digit)
◦ RBOT|XP|48124
▪ Bot type | Machine Type | Random number
• Problem: May be defeated by changing the nickname randomly
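The nickname heuristic above turned into a small detector, as an added example written for this transcript (not code from the lecture): two regular expressions encode the "Country | 9-digit number" and "Bot type | Machine type | number" schemes, and a second pass goes beyond the slide by counting scheme-matching nicks per channel, since several such nicks joining one channel is a stronger signal than a single odd name. The JOIN log lines are constructed sample data; the exact field widths in the patterns are assumptions drawn from the two examples shown.

```python
import re
from collections import Counter

# Constructed IRC JOIN log lines ("<nick> JOIN <#channel>"); not real capture data.
JOIN_LOG = [
    "USA|016887436 JOIN #x1",
    "DE|028509327 JOIN #x1",
    "RBOT|XP|48124 JOIN #x1",
    "UK|734512089 JOIN #x1",
    "alice JOIN #linux",
    "bob_smith JOIN #linux",
    "DE|12 JOIN #linux",        # wrong digit count: does not match the scheme
]

# Rules built from the two naming schemes on the slide (field widths assumed from
# the examples). The botmaster can change the scheme at will, so the rules need
# ongoing refinement; that is the weakness the slide notes.
NICK_PATTERNS = {
    # COUNTRY|nnnnnnnnn   e.g. USA|016887436, DE|028509327
    "country_random9": re.compile(r"^(?P<country>[A-Z]{2,3})\|(?P<rand>\d{9})$"),
    # BOTTYPE|MACHINE|nnnnn   e.g. RBOT|XP|48124
    "bottype_machine_random": re.compile(
        r"^(?P<bot>[A-Z]*BOT)\|(?P<machine>[A-Z0-9]{1,4})\|(?P<rand>\d{4,6})$"),
}

def classify_nick(nick):
    """Return (scheme_name, parsed fields) if the nick follows a bot scheme, else None."""
    for name, rx in NICK_PATTERNS.items():
        m = rx.match(nick)
        if m:
            return name, m.groupdict()
    return None

def scan_join_log(lines):
    """Return (nick, channel, scheme) for every JOIN whose nick looks bot-generated."""
    hits = []
    for line in lines:
        nick, verb, channel = line.split()
        found = classify_nick(nick) if verb == "JOIN" else None
        if found:
            hits.append((nick, channel, found[0]))
    return hits

def suspicious_channels(lines, min_bots=3):
    """Channels where at least `min_bots` bot-scheme nicks joined: one odd nick
    may be a human, but a room full of them is most likely a C&C channel."""
    counts = Counter(channel for _, channel, _ in scan_join_log(lines))
    return {channel: n for channel, n in counts.items() if n >= min_bots}
```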
HoneyPot and HoneyNet
• A HoneyPot is a vulnerable machine, ready to be attacked
◦ Example: unpatched Windows 2000 or Windows XP
• Once attacked, the malware is caught inside
• The malware is analyzed, its activity is monitored
• When it connects to the C&C server, the server’s identity is revealed
HoneyPot and HoneyNet
• Thus much information about the bot is obtained
◦ C&C server address, master commands
◦ Channel, Nickname, Password
• Now do the following
◦ Make a fake bot
◦ Join the same IRC channel with the same nickname/password
◦ Monitor who else is in the channel, thus observing the botnet
◦ Collect statistics – how many bots
◦ Collect sensitive information – who is being attacked, when etc..
HoneyPot and HoneyNet
• Finally, take down the botnet
• HoneyNet: a network of honeypots (see the ‘HoneyNet Project’)
• Very effective, worked in many cases
• They also pose a great security risk
◦ If not maintained properly - hackers may use them to attack others
◦ Must be monitored cautiously