Report: Apr-2007

From Honeynet-PT

Contents

DEPLOYMENTS

1.1 Current technologies deployed

We have been running some typical Gen III Honeynets based on Roo, with honeypots running Linux, Windows XP and OpenBSD instrumented with Sebek, on different ISPs. Eight Nepenthes sensors were also deployed, logging to our central repository. Two Nepenthes sensors are submitting captured malware to the mwcollect alliance.

One traffic redirector based on HoneyMole 2.0 RC3 is also deployed.


1.2 Lessons learned from the technology, what we like about it.

HoneyMole 2.0 has proven to be the tool for traffic redirection.


1.3 Lessons learned from the technology, what is lacking, what we would like to see improved.

Windows XP high-interaction honeypots are hard to maintain because they are constantly rebooting due to offset problems related to patch levels and operating system versions.

The Walleye interface needs to be improved in order to be really useful and usable.


FINDINGS

2.1 Number and type of systems compromised during six month period.

Linux servers running vulnerable versions of Mambo were exploited via known exploits. Twenty-seven botnets were found and tracked.


2.2 Highlight any unique findings, attacks, tools, or methods


2.3 Any trends seen in the past six months

A lot of activity (brute-force attacks) on port 22. Many web-based attacks on insecure PHP tools (like Mambo, PostNuke, PHPNuke, WordPress, PHPGroupWare).


2.4 Data analysis tools and methods being used.

For Honeynet data analysis, we use standard analysis tools like tcpdump and Walleye. For malware analysis we use ClamAV and BitDefender. For botnet tracking, especially tor and netcat.


2.5 What are you using for data analysis? What is working well, and what is missing, what data analysis functionality would you like to see developed?

A free CWSandbox would be great.


LESSONS LEARNED

3.1 What new positive things can you share with the community, so they can replicate your success?

Keep good relations with universities and help them to defend their perimeter. Search for related existing tools and projects before deciding to develop your own, and keep contributing to open source tools and projects.


3.2 What new mistakes can you share with the community, so they don't make the same mistakes?


3.3 Research ideas

Measurement of security threats based on client-side honeypot technology. The use of similarity between new malware and known malware to fit it into categories: knowing that a piece of malware is close to one already known gives us the possibility to anticipate threats.


NEW TOOLS

4.1 What new tools or technology are you working on?

Legacy is a tool that relates worms and other sorts of malware. The relation is built with the NCD (Normalized Compression Distance) formula: two worms are more similar the closer the NCD between them is to zero. The program that makes the calculations is written in Ruby and uses the ClamAV library to identify the malware. The relation results and malware information are stored in a MySQL database.

The Nepenthes module submit-nepenthes was changed to include information such as the IP of the attacker, the IP of the collecting machine and the URL from which the malware was downloaded.
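The NCD relation described above, as an added Ruby example that is not Legacy's own code: Ruby's bundled zlib deflate stands in for the compressor (the report does not name which one Legacy uses), and the "samples" are constructed pseudo-disassembly text generated from a seeded PRNG rather than ClamAV-identified binaries.

```ruby
require 'zlib'

# Compressed size C(x) of a byte string. Deflate at maximum level is an
# assumption standing in for whatever compressor the real tool uses.
def compressed_size(bytes)
  Zlib::Deflate.deflate(bytes, Zlib::BEST_COMPRESSION).bytesize
end

# Normalized Compression Distance:
#   NCD(x, y) = (C(xy) - min(C(x), C(y))) / max(C(x), C(y))
# Near 0: the compressor finds almost nothing new in y after seeing x
# (same family). Near 1: the two share no reusable structure.
def ncd(x, y)
  cx  = compressed_size(x)
  cy  = compressed_size(y)
  cxy = compressed_size(x + y)
  (cxy - [cx, cy].min).to_f / [cx, cy].max
end

# Constructed stand-ins for captured binaries: pseudo-disassembly drawn from
# a seeded PRNG so the script runs offline and deterministically.
MNEMONICS = %w[mov push pop call jmp cmp jne xor add sub lea ret].freeze
REGS      = %w[eax ebx ecx edx esi edi ebp esp].freeze

def synthetic_sample(seed, lines = 400)
  rng = Random.new(seed)
  Array.new(lines) do
    "#{MNEMONICS.sample(random: rng)} #{REGS.sample(random: rng)}, #{rng.rand(0xffff)}\n"
  end.join
end

# A "variant" of a sample: same code with one region rewritten, the kind of
# repacked or patched worm the similarity measure is meant to catch.
def variant_of(sample, seed)
  half = sample.size / 2
  sample[0, half] + synthetic_sample(seed, 40) + sample[half..-1]
end

# Compare one sample against a variant of itself and against an unrelated one.
def demo
  worm_a    = synthetic_sample(1)
  worm_a2   = variant_of(worm_a, 99)
  unrelated = synthetic_sample(2)
  { same_family: ncd(worm_a, worm_a2), different_family: ncd(worm_a, unrelated) }
end
```

In practice the distance is only meaningful across samples of comparable size and after unpacking: a packed binary looks like random data to any compressor and scores near 1 against everything.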

HoneyMole 2.0, our primary tool for traffic redirection, will be announced to the general public very soon and will have the following major changes:

- Server binary multiple client support

- Traffic shaper per client

- Syslogd support

- A single binary no longer acts as either server or client depending on a command-line argument

- No more command-line arguments; everything is configured in configuration files


4.2 Would you like to integrate this with any other tools, or are you looking for help or collaboration with others in testing or developing the tool?


PAPERS AND PRESENTATIONS


5.1 Are you working on any papers to be published, such as KYE or academic papers?


5.2 Are you looking for any data or people to help with your papers?


5.3 Where did you publish/present honeypot-related material?

Upcoming:

May 2007 - VII Portuguese OpenBSD Users Meeting, Coimbra, Portugal.


ORGANIZATIONAL

6.1 Changes in the structure of your organization

The structure of the Portuguese Honeynet Project has changed. Five members joined the organization. At least two universities are going to have very close relations with our project.


6.2 Your feedback on Alliance activities.


6.3 Any suggestions for improving the Alliance?


GOALS

7.1 Which of your goals did you meet for the last six months?

We have achieved the goal of automatic malware collection and analysis. However, there is some further work to be done. We have developed some processes for botnet discovery and tracking.


7.2 Which of your goals did you not meet for the last six months?


7.3 Goals for the next six months

Research and development on malware capture and analysis technologies to build our own malware analysis platform. Deliver some presentations.


MISC ACTIVITIES

8.1 Presenting at conferences.


8.2 Developing, testing or releasing code.

Development of HoneyMole. Check our website for more info.


8.3 Publication of papers.


8.4 Involvement in SotM challenges.


8.5 Other.

development