Honeypots, Honeynets, Bots and Botnets
Source: The HoneyNet Project, http://www.honeynet.org/
Posted 20-Jan-2016
Transcript
Why Honeypots
A great deal of the security profession and the IT world depend on honeypots. Honeypots are used to:
◦ Build anti-virus signatures.
◦ Build spam signatures and filters.
◦ Let ISPs identify compromised systems.
◦ Assist law enforcement in tracking criminals.
◦ Hunt and shut down botnets.
◦ Collect and analyze malware.
What are Honeypots
Honeypots are real or emulated vulnerable systems ready to be attacked.
The primary value of a honeypot is to collect information.
This information is used to better identify, understand and protect against threats.
Honeypots on their own add little direct value to protecting your network.
Types of Honeypot
Server: put the honeypot on the Internet and let the bad guys come to you.
Client: the honeypot initiates connections and interacts with (possibly malicious) servers.
Other: proxies.
Types of Honeypot
Low-interaction
◦ Emulates services, applications, and OSs.
◦ Low risk and easy to deploy and maintain, but captures limited information.
High-interaction
◦ Real services, applications, and OSs.
◦ Captures extensive information, but high risk and time-intensive to maintain.
Types of Honeypot
Production
◦ Easy to use and deploy.
◦ Captures limited information.
◦ Mainly used by companies and corporations.
◦ Placed inside the production network alongside other servers.
◦ Usually low-interaction.
Research
◦ Complex to deploy and maintain.
◦ Captures extensive information.
◦ Primarily used by research, military, or government organizations.
Examples of Honeypots
From low interaction to high interaction: BackOfficer Friendly, KFSensor, Honeyd, Honeynets.
Honeynets
A high-interaction honeypot designed to capture in-depth information.
The information has different value to different organizations.
It is an architecture you populate with live systems, not a product or software.
Any traffic entering or leaving is suspect.
How It Works
A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
◦ Data Control
◦ Data Capture
◦ Data Analysis
Honeynet Architecture (diagram)
Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline).
• Bandwidth throttling.
No Data Control (diagram): Internet <-> Honeypots, with no restrictions in either direction.
Data Control (diagram): Internet <-> Honeywall <-> Honeypots. Inbound traffic is unrestricted; outbound connections are limited and packets are scrubbed.
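The "count outbound connections" control above, as an added example (not Honeynet Project or Honeywall code): a sliding one-hour budget of new outbound connections per honeypot and protocol, run over a constructed flow log. The honeypot addresses and the per-hour limits are assumptions chosen for the example, not the Honeywall's shipped defaults; inbound traffic is deliberately never restricted, since the whole point is to let the attacker in.

```python
"""Honeywall-style data control: cap outbound connections per honeypot.

Added example, not Honeynet Project code. It models the "count outbound
connections" control on a constructed flow log. Each honeypot may open at most
a fixed number of new outbound connections per protocol per sliding hour;
anything beyond that is dropped, so a compromised honeypot cannot be turned
against third parties while inbound attack traffic stays untouched.
The addresses and per-hour limits below are illustrative assumptions, not
the Honeywall's shipped defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HONEYPOTS = {"10.0.0.11", "10.0.0.12"}        # assumed honeynet addresses
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}    # assumed new outbound connections per hour


class OutboundLimiter:
    def __init__(self, limits=LIMITS, window=timedelta(hours=1)):
        self.limits = limits
        self.window = window
        # (honeypot, protocol) -> timestamps of outbound connections already allowed
        self.allowed = defaultdict(list)

    def decide(self, ts, src, dst, proto):
        """Return 'allow' or 'drop' for one new connection attempt."""
        if src not in HONEYPOTS:
            return "allow"                      # inbound: we want the attacker to get in
        key = (src, proto)
        cutoff = ts - self.window
        recent = [t for t in self.allowed[key] if t > cutoff]   # slide the window
        self.allowed[key] = recent
        if len(recent) >= self.limits.get(proto, 0):
            return "drop"                       # over budget: honeypot is likely attacking out
        recent.append(ts)
        return "allow"


def build_sample_log():
    """Constructed flow log: one inbound attack, a burst of outbound scanning, a late straggler."""
    base = datetime(2016, 1, 20, 10, 0, 0)
    lines = [f"{base.isoformat()} 198.51.100.7 10.0.0.11 tcp"]           # attacker -> honeypot
    for i in range(17):                                                  # honeypot -> outside
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} 10.0.0.11 203.0.113.{i + 1} tcp")
    late = base + timedelta(hours=2)                                     # window has rolled over
    lines.append(f"{late.isoformat()} 10.0.0.11 203.0.113.99 tcp")
    return lines


def apply_policy(lines, limiter=None):
    """Run every flow through the limiter; return [(line, decision), ...]."""
    limiter = limiter or OutboundLimiter()
    decisions = []
    for line in lines:
        ts, src, dst, proto = line.split()
        decisions.append((line, limiter.decide(datetime.fromisoformat(ts), src, dst, proto)))
    return decisions


if __name__ == "__main__":
    for line, verdict in apply_policy(build_sample_log()):
        print(f"{verdict:5}  {line}")
```

With the assumed TCP limit of 15, the first fifteen outbound scans pass, the sixteenth and seventeenth are dropped, and the connection two hours later is allowed again because the window has rolled over. A real Honeywall applies this per protocol with iptables counters and can also hand the surviving packets to Snort-Inline for scrubbing; the limiter above shows only the counting decision.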
Data Capture
Capture all activity at a variety of levels:
Network activity.
Application activity.
System activity.
Sebek
A hidden kernel module that captures host activity (attacker keystrokes, for example, even when the session is encrypted) and dumps it to the network.
Sebek records are marked with a magic number and sent to a fixed destination UDP port; the module hides packets carrying that marker from the honeypot's own network stack, so the attacker cannot sniff the captured data even with root on the honeypot.
Sebek Architecture (diagram)
Honeywall CDROM
An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
May 2003 - released Eeyore.
May 2005 - released Roo.
Roo Honeywall CDROM
Based on Fedora Core 3.
Vastly improved hardware and international support.
Automated, headless installation.
New Walleye interface for web-based administration and data analysis.
Automated system updating.
Installation
Just insert the CDROM and boot; it installs to the local hard drive.
After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
Following installation, you get a command prompt and the system is ready to configure.
Further Information
http://www.honeynet.org/
http://www.honeynet.org/book
Network Telescope
Also known as a darknet, Internet motion sensor or black hole.
Allows one to observe large-scale events taking place on the Internet.
The basic idea is to observe traffic targeting the dark (unused) address space of the network.
Since no legitimate traffic should be addressed to these hosts, everything that arrives is suspicious, and one can learn about network attacks from it:
◦ random-scanning worms and DDoS backscatter,
◦ as well as misconfigurations.
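An added example of the two signals named above, not part of the original slides: traffic into a constructed dark prefix (192.0.2.0/24, a documentation range standing in for unused address space) is grouped by source, and a source is labelled a scanner when it sends SYNs to many distinct dark addresses, or DDoS backscatter when everything it sends is a SYN-ACK or RST, that is, replies to SYNs somebody else sent with our addresses forged as the source. The packet records and the scan threshold are assumptions.

```python
"""Network telescope: label sources by what they send into dark address space.

Added example, not from the original slides. 192.0.2.0/24 stands in for an
unused (dark) prefix that no legitimate host should ever contact, and the
packet records are constructed. Two signals the text mentions are recovered:
random-scanning sources (many SYNs to many distinct dark addresses) and DDoS
backscatter (SYN-ACK/RST replies arriving from a victim that is answering SYNs
sent with our addresses forged as the source). Thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

DARK = ipaddress.ip_network("192.0.2.0/24")   # constructed dark prefix
REPLY_FLAGS = {"SA", "R", "RA"}               # TCP flag sets only ever seen in replies


def observe(records, scan_threshold=8):
    """records: iterable of (src, dst, tcp_flags); flags '' for non-TCP.

    Returns {src: label} with labels 'scanner', 'ddos-backscatter', 'unclassified'.
    """
    per_src = defaultdict(lambda: {"dsts": set(), "pkts": 0, "replies": 0, "syns": 0})
    for src, dst, flags in records:
        if ipaddress.ip_address(dst) not in DARK:
            continue                                  # telescope only sees the dark range
        s = per_src[src]
        s["dsts"].add(dst)
        s["pkts"] += 1
        s["replies"] += flags in REPLY_FLAGS
        s["syns"] += flags == "S"
    labels = {}
    for src, s in per_src.items():
        if s["replies"] and s["replies"] == s["pkts"]:
            # Nothing in dark space ever sent a SYN, so these replies answer spoofed
            # SYNs: src is most likely the victim of a SYN flood.
            labels[src] = "ddos-backscatter"
        elif s["syns"] and len(s["dsts"]) >= scan_threshold:
            labels[src] = "scanner"                   # sweeping addresses that do not exist
        else:
            labels[src] = "unclassified"              # e.g. a stale config hitting one address
    return labels


def sample_records():
    """Constructed telescope capture."""
    recs = [("198.51.100.23", f"192.0.2.{i}", "S") for i in range(1, 13)]      # worm-style sweep
    recs += [("203.0.113.80", f"192.0.2.{50 + i}", "SA") for i in range(5)]   # victim answering spoofed SYNs
    recs += [("203.0.113.80", "192.0.2.60", "RA"), ("203.0.113.80", "192.0.2.61", "R")]
    recs += [("198.51.100.9", "192.0.2.5", "S")] * 3                         # one host, one target: misconfig
    recs += [("198.51.100.9", "192.0.3.5", "S")]                             # outside dark range, ignored
    return recs


if __name__ == "__main__":
    for src, label in observe(sample_records()).items():
        print(f"{src:16} {label}")
```

The backscatter rule is the one worth remembering: a telescope never initiates connections, so any SYN-ACK or RST arriving is a reply to a packet that claimed to come from the dark range, and the rate of such replies tracks the flood the victim is receiving. The "unclassified" bucket is where misconfigurations (a host repeatedly contacting one dead address) end up, which is exactly what the slide says the telescope also reveals.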
Honeytoken
Honeytokens are honeypots that are not computer systems.
Their value lies not in their use, but in their abuse.
As such, they are a generalization of ideas such as the honeypot and the canary values used in stack-protection schemes.
Honeytokens can exist in almost any form,
◦ from a dead, fake account to
◦ a database entry that would only be selected by malicious queries,
◦ making the concept ideally suited to ensuring data integrity: any use of them is inherently suspicious, if not necessarily malicious.
Honeytoken
In general, they do not prevent tampering with the data,
◦ but instead give the administrator a further measure of confidence in the data's integrity.
An example of a honeytoken is a fake email address seeded into a mailing list to detect whether the list has been stolen.
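Both honeytoken forms from the two slides above, as an added example that is not part of the original: a canary subscriber address derived with HMAC from the name of each copy of a mailing list handed out (so the address that later receives spam tells you which copy leaked), plus a fake customer row that no legitimate query selects, and a scanner that raises a "suspicious" alert whenever any token value shows up in mail or database logs. The secret key, domain, partner names and log lines are constructed for the example.

```python
"""Honeytokens: seed fake data, then alert on any use of it.

Added example, not from the original slides. Two token types from the text are
modelled: a canary subscriber address seeded into each copy of a mailing list
handed to a third party, derived with HMAC so the address itself says which
copy leaked, and a fake customer record that no legitimate query selects.
The secret, domain, names and log lines are constructed for the example.
"""
import hashlib
import hmac

SECRET = b"example-only-key"    # assumed; keep the real one out of the token store
DOMAIN = "example.com"          # assumed mail domain we control


def canary_address(list_copy):
    """One unique, plausible-looking subscriber per copy of the list."""
    tag = hmac.new(SECRET, list_copy.encode(), hashlib.sha256).hexdigest()[:12]
    return f"j.marsh.{tag}@{DOMAIN}"


def build_token_store(list_copies):
    """Map every honeytoken value to what its appearance would mean."""
    store = {canary_address(c): f"mailing list copy '{c}' has leaked" for c in list_copies}
    # Fake customer row (assumed id 99999): only someone dumping the table touches it.
    store["4111000099990000"] = "honeytoken card number from customers.id=99999 was read"
    return store


def scan(lines, store):
    """Return one alert per honeytoken sighting. Use is suspicious, not proof of malice."""
    alerts = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for token, meaning in store.items():
            if token.lower() in low:
                alerts.append({"line": n, "token": token, "meaning": meaning, "severity": "suspicious"})
    return alerts


def sample_logs():
    """Constructed mail-server and database query log lines."""
    leaked = canary_address("partner-B")
    return [
        "Jan 20 10:01:02 mx postfix/smtpd: client=mail.partner-a.example",
        f"Jan 20 10:03:17 mx postfix/smtpd: NOQUEUE: RCPT to=<{leaked}> from=<promo@spam.invalid>",
        "2016-01-20 10:05:44 db: SELECT name, email FROM customers WHERE id = 4201",
        "2016-01-20 10:06:01 db: SELECT * FROM customers WHERE card_number = '4111000099990000'",
    ]


if __name__ == "__main__":
    store = build_token_store(["partner-A", "partner-B", "internal-backup"])
    for a in scan(sample_logs(), store):
        print(f"line {a['line']}: {a['meaning']} ({a['token']})")
```

Deriving the canary from the copy name rather than storing random addresses means the mapping can be reconstructed from the key alone, and nobody handling the list can tell the canary from a real subscriber. The alert severity is deliberately "suspicious": a DBA running a full-table export will trip the database token too, which is the "not necessarily malicious" caveat the slide makes.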
HoneyMonkey
HoneyMonkey,
◦ short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot.
The implementation uses a network of computers
◦ to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer.
◦ A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site.
◦ After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot.
◦ The changes are analyzed to determine whether the visited site installed malware onto the honeypot computer.
HoneyMonkey
HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks out websites that try to exploit it (a client honeypot).
The term was coined by Microsoft Research in 2005.
With HoneyMonkeys it is possible to find security holes that are not yet publicly known but are already being exploited by attackers.
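The snapshot-visit-compare loop described above, as an added example rather than Microsoft Research's code: the executable set is modelled as a hashed directory tree, the registry as a plain dictionary keyed by path (memory is not modelled), and a visit is judged an exploit when new or changed executables appear or an autorun key is touched. run_demo() stages a constructed "before" state in a temporary directory and simulates a drive-by install; the file names and registry paths are illustrative.

```python
"""HoneyMonkey-style before/after state comparison.

Added example, not Microsoft Research code. The real system snapshots memory,
executables and the Windows registry of a VM, visits a site, and diffs. Here
the executable set is a directory tree hashed with SHA-256 and the registry is
a plain dict; memory is not modelled. run_demo() builds a constructed
"before" state in a temp directory, simulates a drive-by install, and returns
the diff plus a verdict. Paths and registry keys are illustrative.
"""
import hashlib
import os
import tempfile

AUTORUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


def snapshot_tree(root):
    """{relative path: sha256} for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def snapshot(root, registry):
    return {"files": snapshot_tree(root), "registry": dict(registry)}


def diff_snapshots(before, after):
    b, a = before["files"], after["files"]
    rb, ra = before["registry"], after["registry"]
    return {
        "files_added": sorted(set(a) - set(b)),
        "files_removed": sorted(set(b) - set(a)),
        "files_modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
        "registry_changed": sorted((k, rb.get(k), ra.get(k))
                                   for k in set(ra) | set(rb) if rb.get(k) != ra.get(k)),
    }


def is_exploit_site(changes):
    """A page visit should never drop executables or touch autorun keys."""
    new_exe = [p for p in changes["files_added"] + changes["files_modified"]
               if p.lower().endswith((".exe", ".dll", ".sys"))]
    autorun = [k for k, _, _ in changes["registry_changed"]
               if any(k.startswith(r) for r in AUTORUN_KEYS)]
    return bool(new_exe or autorun)


def run_demo():
    """Constructed visit: a benign cache write plus a drive-by install."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows", "System32"))
        with open(os.path.join(root, "Windows", "System32", "kernel32.dll"), "wb") as f:
            f.write(b"legit")
        registry = {AUTORUN_KEYS[0] + r"\SecurityCenter": "wscntfy.exe"}
        before = snapshot(root, registry)

        # --- simulated page visit ---
        with open(os.path.join(root, "cache.tmp"), "wb") as f:            # normal browser side effect
            f.write(b"html")
        with open(os.path.join(root, "Windows", "System32", "svshost.exe"), "wb") as f:  # dropped payload
            f.write(b"MZ...")
        registry[AUTORUN_KEYS[0] + r"\svshost"] = r"C:\Windows\System32\svshost.exe"     # persistence
        after = snapshot(root, registry)

    changes = diff_snapshots(before, after)
    return changes, is_exploit_site(changes)


if __name__ == "__main__":
    changes, verdict = run_demo()
    print("exploit site:", verdict)
    for key, value in changes.items():
        print(key, value)
```

The benign cache write shows up in the diff too; what separates an exploit site from an ordinary one is the kind of change, not its presence, which is why the verdict keys on executables and autorun locations. In a real deployment the visit runs in a disposable VM that is reverted afterwards, so the "before" snapshot is taken once per image rather than per site.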
Tarpit
A tarpit (also known as Teergrube, the German word for tar pit) is a service on a computer system (usually a server) that delays incoming connections for as long as possible.
The technique was developed as a defense against a computer worm, and the idea is that network abuses such as spamming or broad scanning are less effective if they take too long.
The name is analogous to a tar pit, in which animals can get bogged down and slowly sink under the surface.
Botnets
by Mohammad M. Masud
Botnets
Introduction
History
How do they spread?
What do they do?
Why care about them?
Detection and Prevention
Bot
The term 'bot' comes from 'robot'.
In computing, 'bot' usually refers to an automated process.
There are good bots and bad bots.
Examples of good bots:
◦ Google bot
◦ Game bot
Examples of bad bots:
◦ Malicious software that steals information
Botnet
A network of compromised, bot-infected machines (zombies) under the control of a human attacker (the botmaster).
(Diagram: the botmaster controls the bots through an IRC channel on an IRC server; C&C traffic flows over the channel, bots fetch updates from a code server, infect vulnerable machines, and launch attacks.)
History
In the beginning, there were only good bots.
◦ e.g. Google bot, game bots, etc.
Later, bad people thought of creating bad bots so that they could
◦ Send spam and phishing emails
◦ Control other people's PCs
◦ Launch attacks against servers (DDoS)
Many malicious bots were created
◦ SDBot, Agobot, Phatbot, etc.
Botnets started to emerge.
Timeline (axis on the slide: 1989, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, present)
1989: GM (by Greg, Operator), recognized as the first IRC bot; entertained clients with games.
1999: W32/PrettyPark, the first worm to use IRC as C&C; DDoS capable.
2000: GT bots combined the mIRC client with hacking scripts and tools (port scanning, DDoS).
2002: W32/Sdbot, the first family of bots developed as a single binary, by a Russian named sd.
2002: W32/Agobot family added modular design and significant functionality.
2003: W32/Spybot family emerged.
2003: RPCSS (DCOM RPC) vulnerability exploited by bots for spreading.
2005: W32/Mytob hybrid bot; major e-mail outbreak.
Cases in the News
Axel Gembe
◦ Author of Agobot (aka Gaobot, Polybot)
◦ 21 years old
◦ Arrested in Germany in 2004 under Germany's computer sabotage law
Jeffrey Parson
◦ Released a variant of the Blaster worm
◦ Infected 48,000 computers worldwide
◦ 18 years old
◦ Arrested; sentenced to 18 months in prison and 3 years of supervised release
How The Botnet Grows (animated diagram, four slides)
Recruiting New Machines
Exploit a vulnerability to execute a short program (the exploit payload) on the victim's machine
◦ Buffer overflows, email viruses, Trojans, etc.
The exploit downloads and installs the actual bot.
The bot disables firewall and A/V software.
The bot locates the IRC server, connects, and joins the channel.
◦ Typically needs DNS to find the server's IP address.
◦ The authentication password is often stored in the bot binary.
The botmaster issues commands.
Recruiting New Machines (diagram)
What Is It Used For
Botnets are mainly used for only one thing.
How Are They Used
Distributed Denial of Service (DDoS) attacks
Sending spam
Phishing (fake websites)
Adware (Trojan horse)
Spyware (keylogging, information harvesting)
Storing pirated material
Example: SDBot
Open-source malware
Aliases
◦ McAfee: IRC-SDBot, Symantec: Backdoor.Sdbot
Infection
◦ Mostly through network shares
◦ Tries to connect using password guessing (exploits weak passwords)
Signs of Compromise
◦ SDBot copies itself to the System folder; known filenames: Aim95.exe, Syscfg32.exe, etc.
◦ Registry entries modified
◦ Unexpected traffic: port 6667 or 7000
◦ Known IRC channels: Zxcvbnmas.i989.net, etc.
Example: RBot
First of the bot families to use encryption
Aliases
◦ McAfee: W32/SDbot.worm.gen.g, Symantec: W32.Spybot.worm
Infection
◦ Network shares, exploiting weak passwords
◦ Known software vulnerabilities in Windows (e.g. the LSASS buffer overflow vulnerability)
Signs of Compromise
◦ Copies itself to the System folder; known filenames: wuamgrd.exe, or random names
◦ Registry entries modified
◦ Terminates A/V processes
◦ Unexpected traffic: port 113 or other open ports
Example: Agobot
Modular functionality
◦ Rather than infecting a system all at once, it proceeds through three stages (3 modules): (1) infect a client with the bot and open a backdoor; (2) shut down A/V tools; (3) block access to A/V and security-related sites.
◦ After successful completion of one stage, the code for the next stage is downloaded.
Advantage?
◦ The developer can update or modify one portion/module without having to rewrite or recompile the entire code.
Example: Agobot
Aliases
◦ McAfee: W32/Gaobot.worm, Symantec: W32.HLLW.Gaobot.gen
Infection
◦ Network shares, password guessing
◦ P2P systems: Kazaa, etc.
◦ Protocol: WASTE
Signs of Compromise
◦ System folder: svshost.exe, sysmgr.exe, etc.
◦ Registry entry modification
◦ Terminates A/V processes
◦ Modifies the %System%\drivers\etc\hosts file: Symantec and McAfee live-update sites are redirected to 127.0.0.1
Example: Agobot
Signs of Compromise (contd.)
◦ Theft of information: seeks and steals CD keys for popular games like "Half-Life", "NFS", etc.
◦ Unexpected traffic: open connections to the IRC server, etc.
◦ Scanning: Windows, SQL Server, etc.
DDoS Attack
Goal: overwhelm the victim machine and deny service to its legitimate clients.
DoS often exploits networking protocols:
◦ Smurf: ICMP echo requests to a broadcast address with the victim's spoofed address as source, so every host on the segment replies to the victim.
◦ Ping of death: fragmented ICMP packets that reassemble to more than 64 KB (the IP maximum) crash older versions of Windows.
◦ SYN flood: "open TCP connection" requests from spoofed addresses, filling the victim's half-open connection table.
◦ UDP flood: exhaust bandwidth by sending thousands of bogus UDP packets.
DDoS Attack
A coordinated attack on a specified host.
(Diagram: the attacker issues commands through master (IRC server) machines to zombie machines, which flood the victim.)
Why DDoS Attack?
Extortion
◦ Take down systems until they pay
◦ Works sometimes too!
Example: 180 Solutions, Aug 2005
◦ A botmaster used bots to distribute 180solutions adware
◦ 180solutions shut the botmaster out
◦ The botmaster threatened to take down 180solutions if not paid
◦ When not paid, the botmaster used DDoS
◦ 180solutions filed a civil lawsuit against the hackers
Botnet Detection
Host based
Intrusion Detection Systems (IDS)
Anomaly detection
IRC nicknames
Honeypots and honeynets
Host-based detection
Virus scanning
Watching for symptoms:
◦ Modification of the Windows hosts file
◦ Random unexplained popups
◦ Machine slowness
◦ Antivirus not working
Watching for suspicious network traffic:
◦ Since IRC is not commonly used in most environments, any IRC traffic is suspicious; sniff it.
◦ Check whether the host is trying to communicate with any Command and Control (C&C) server.
◦ Through firewall logs: denied connections.
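Two of the host-based checks above, as an added example that is not part of the original presentation: a parser for the Windows hosts file that flags security-vendor names pinned to loopback or to a foreign address (the Agobot behaviour from the earlier slide), and a parser for `netstat -an` style output that flags sessions to the IRC ports the SDBot slide lists (6667, 7000) and the rest of the usual 6660-6669 range. The vendor name markers, the sample hosts file and the netstat lines are constructed for the example.

```python
"""Host-based checks for two compromise signs named on these slides.

Added example, not from the original presentation. find_hosts_hijacks() parses
a Windows hosts file and flags security-vendor names pinned to loopback or to
an attacker-chosen address (the Agobot behaviour described earlier);
find_irc_connections() parses `netstat -an` style output and flags sessions to
the IRC ports the SDBot slide lists (6667, 7000) and the rest of the usual
6660-6669 range. The vendor name markers, sample hosts file and netstat
lines are constructed for the example.
"""
import ipaddress

# Assumed: substrings identifying A/V and update hostnames an IRC bot would block.
SECURITY_MARKERS = ("symantec", "mcafee", "windowsupdate", "kaspersky", "sophos", "trendmicro", "f-secure")
IRC_PORTS = set(range(6660, 6670)) | {7000}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for every mapping; comments and junk skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield n, addr, name.lower()


def find_hosts_hijacks(text):
    """Return (line_no, hostname, address, kind) for every hijacked security-vendor entry."""
    alerts = []
    for n, addr, name in parse_hosts(text):
        if not any(m in name for m in SECURITY_MARKERS):
            continue
        if addr.is_unspecified or addr in LOOPBACK:
            alerts.append((n, name, str(addr), "blocked"))       # updates silently fail
        else:
            alerts.append((n, name, str(addr), "redirected"))    # updates fetched from attacker
    return alerts


def find_irc_connections(netstat_lines):
    """Flag TCP sessions whose remote port is an IRC port; returns (host, port, state)."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        remote, state = fields[2], fields[3]
        host, _, port = remote.rpartition(":")
        if port.isdigit() and int(port) in IRC_PORTS:
            hits.append((host, int(port), state))
    return hits


SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       liveupdate.symantecliveupdate.com update.symantec.com
0.0.0.0         download.mcafee.com
198.51.100.7    windowsupdate.microsoft.com   # added by the bot, not by the administrator
"""

SAMPLE_NETSTAT = [
    "  TCP    192.168.1.20:1034      192.168.1.1:445        ESTABLISHED",
    "  TCP    192.168.1.20:1045      203.0.113.10:6667      ESTABLISHED",
    "  TCP    192.168.1.20:1046      203.0.113.11:7000      SYN_SENT",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  UDP    0.0.0.0:6667           *:*",
]

if __name__ == "__main__":
    for a in find_hosts_hijacks(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s (%s)" % a)
    for h in find_irc_connections(SAMPLE_NETSTAT):
        print("IRC session: %s:%d %s" % h)
```

The ordinary `127.0.0.1 localhost` line is not an alert because only names matching a vendor marker are examined; the redirected entry is the more dangerous of the two kinds, since the victim would fetch "updates" from a host the attacker controls. The netstat check is the host-side mirror of the network-side rule on the slide: IRC ports are a good indicator only because almost nothing legitimate in a corporate network uses them.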
Network Intrusion Detection Systems
Example systems: Snort and Bro.
Sniff network packets and look for specific patterns (called signatures).
If traffic matches the signature of a known malicious binary or protocol, raise an alert (and, when run inline, block the traffic).
These systems can efficiently detect viruses/worms with known signatures.
They cannot detect malware whose signature is unknown (i.e. a zero-day attack).
Anomaly Detection
Normal traffic has some patterns:
Bandwidth and port usage
Byte-level characteristics (histograms)
Protocol analysis: gather statistics about
◦ TCP/UDP source and destination addresses
◦ Start/end of flow, byte count
◦ DNS lookups
First learn the normal traffic pattern,
then detect any anomaly in that pattern.
Example data sources: SNMP counters, NetFlow records.
Problems:
◦ Poisoning: an attacker who is already present while the baseline is learned (or who shifts traffic slowly) becomes part of "normal".
◦ Stealth: a bot that keeps its traffic low and on common ports stays within the baseline.
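An added example of the learn-then-detect loop above, not from the original slides: NetFlow-style byte counts per destination port and time bin are turned into a per-port mean and standard deviation, and a new bin is flagged when a known port runs far above its baseline or a never-seen port appears (an IRC connection on 6667, say). It also shows the poisoning problem named on the slide: when the attacker's traffic is present during training, the same bin later passes as normal. The traffic figures are constructed and the z threshold and floor are assumptions.

```python
"""Anomaly detection on per-port traffic volume, with the poisoning caveat.

Added example, not from the original slides. learn_baseline() takes
NetFlow-style per-time-bin byte counts by destination port and records a
mean and standard deviation per port; detect() flags a bin whose volume on a
known port is far above baseline, or that uses a port never seen in training
(an IRC C&C connection on 6667, say). The traffic numbers are constructed and
the z threshold and floor are assumptions.
"""
import statistics
from collections import defaultdict


def learn_baseline(train_bins):
    """train_bins: list of {port: bytes}, one dict per time bin -> {port: (mean, stdev)}."""
    ports = set().union(*train_bins)
    series = defaultdict(list)
    for b in train_bins:
        for p in ports:
            series[p].append(b.get(p, 0))      # absence in a bin counts as zero traffic
    return {p: (statistics.mean(v), statistics.pstdev(v)) for p, v in series.items()}


def detect(baseline, observed, z=3.0, floor=1000):
    """Return [(port, reason)] for one observed bin.

    floor keeps near-constant ports from alerting on a few bytes of noise."""
    alerts = []
    for port, volume in sorted(observed.items()):
        if port not in baseline:
            alerts.append((port, "new-port"))
            continue
        mean, sd = baseline[port]
        if volume - mean > z * max(sd, floor):
            alerts.append((port, "volume"))
    return alerts


def sample_training():
    """Constructed clean baseline: twelve bins of web and DNS traffic."""
    return [{80: 50000 + (i % 3) * 2000, 443: 30000 + (i % 4) * 1000, 53: 2000 + (i % 2) * 100}
            for i in range(12)]


# Constructed bin after a bot joins: DNS burst (resolving the C&C name, scanning) plus IRC.
INFECTED_BIN = {80: 55000, 443: 32000, 53: 40000, 6667: 1200}


def poisoned_detection(train_bins, attack_bin, repeats=6):
    """Poisoning: if the attacker's traffic was present while the baseline was learned,
    the same bin later looks normal. Returns the (empty) alerts of the poisoned detector."""
    return detect(learn_baseline(train_bins + [attack_bin] * repeats), attack_bin)


if __name__ == "__main__":
    base = learn_baseline(sample_training())
    print("clean baseline:", detect(base, INFECTED_BIN))
    print("poisoned baseline:", poisoned_detection(sample_training(), INFECTED_BIN))
```

Against the clean baseline the infected bin raises two alerts, a volume spike on port 53 and a new port 6667; once six copies of that same bin are mixed into the training data the detector sees nothing, which is the poisoning problem in one line. Stealth is the dual case: a bot that kept its DNS volume inside three standard deviations and used port 443 instead of 6667 would pass even the clean baseline.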
IRC Nicknames
Bots use weird nicknames,
but they have certain patterns (really!).
If we can learn that pattern, we can detect bots and botnets.
Example nicknames:
◦ USA|016887436 or DE|028509327: Country | Random number (9 digits)
◦ RBOT|XP|48124: Bot type | Machine type | Random number
Problem: may be defeated by changing the nickname scheme or randomizing nicknames.
HoneyPot and HoneyNet
A honeypot is a vulnerable machine, ready to be attacked.
Example: unpatched Windows 2000 or Windows XP.
Once attacked, the malware is caught inside.
The malware is analyzed and its activity is monitored.
When it connects to the C&C server, the server's identity is revealed.
HoneyPot and HoneyNet
Thus much information about the bot is obtained:
◦ C&C server address, master commands
◦ Channel, nickname, password
Now do the following:
◦ Make a fake bot join the same IRC channel, following the bots' nickname pattern and using the same password.
◦ Monitor who else is in the channel, thus observing the botnet.
◦ Collect statistics: how many bots.
◦ Collect sensitive information: who is being attacked, when, etc.
HoneyPot and HoneyNet
Finally, take down the botnet.
HoneyNet: a network of honeypots (see the 'HoneyNet Project').
Very effective; has worked in many cases.
They also pose a great security risk:
◦ If not maintained properly, a hacker may use them to attack others.
◦ Must be monitored cautiously.
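The fake-bot procedure on the slides above, together with the nickname patterns from the IRC Nicknames slide, as an added example that is not part of the original presentation: join_sequence() produces the lines a fake bot built from a captured sample would send to the C&C server (password, a nickname in the bots' own format, channel join), and observe_channel() parses the server's replies to enumerate channel members, pick out nicknames matching the bot patterns, and record the commands issued in the channel topic and messages. The session transcript, server name, channel, nicknames and commands are constructed; a real fake bot would read the same lines from a socket.

```python
"""Observing an IRC botnet from inside its channel.

Added example, not from the original slides. join_sequence() is what a fake
bot built from a captured sample would send to the C&C server (password,
nickname in the bots' own format, channel join); observe_channel() parses the
server's replies and channel traffic to enumerate members, pick out nicknames
that fit the bot patterns from the previous slide, and record the commands
issued. The session transcript, server name, channel and commands are
constructed; real bot traffic would be read from a socket instead.
"""
import re

# Nickname patterns from the slides: COUNTRY|9 digits and BOTTYPE|OS|number.
BOT_NICK_PATTERNS = {
    "country|number": re.compile(r"^[A-Z]{2,3}\|\d{9}$"),
    "bottype|os|number": re.compile(r"^[A-Za-z0-9]+\|[A-Za-z0-9]+\|\d+$"),
}


def classify_nick(nick):
    """Return the matching pattern name, or None for an ordinary-looking nick."""
    for name, rx in BOT_NICK_PATTERNS.items():
        if rx.match(nick):
            return name
    return None


def join_sequence(nick, password, channel, channel_key=None):
    """Client lines a fake bot sends to enter the channel (CRLF-terminated on the wire)."""
    lines = [f"PASS {password}", f"NICK {nick}", f"USER {nick} 0 * :{nick}"]
    lines.append(f"JOIN {channel} {channel_key}" if channel_key else f"JOIN {channel}")
    return lines


def parse_irc(line):
    """Split ':prefix CMD p1 p2 :trailing' into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, line = line[1:].split(" ", 1)
    trailing = None
    if " :" in line:
        line, trailing = line.split(" :", 1)
    parts = line.split()
    return prefix, parts[0], parts[1:], trailing


def observe_channel(server_lines, channel):
    """Build a picture of the botnet from what the server tells our fake bot."""
    members, commands = set(), []
    for raw in server_lines:
        prefix, cmd, params, trailing = parse_irc(raw)
        if cmd == "353" and channel in params and trailing:             # RPL_NAMREPLY
            members.update(n.lstrip("@+%~&") for n in trailing.split())  # strip op/voice prefixes
        elif cmd == "332" and channel in params and trailing:           # RPL_TOPIC
            commands.append(("topic", prefix, trailing))                 # topic often carries the standing order
        elif cmd == "PRIVMSG" and params and params[0] == channel and trailing:
            commands.append(("msg", prefix.split("!")[0] if prefix else None, trailing))
    bots = {n: classify_nick(n) for n in members if classify_nick(n)}
    return {"members": sorted(members), "bots": bots, "bot_count": len(bots), "commands": commands}


# Constructed transcript of what the C&C server sent to our fake bot USA|016887436.
SAMPLE_SESSION = [
    ":irc.example.net 001 USA|016887436 :Welcome to the network",
    ":irc.example.net 332 USA|016887436 #zxcv :.advscan lsass 200 5 0 -r -s",
    ":irc.example.net 353 USA|016887436 @ #zxcv :USA|016887436 DE|028509327 RBOT|XP|48124 @m4ster RBOT|2K|11982 bm0ss",
    ":irc.example.net 366 USA|016887436 #zxcv :End of /NAMES list.",
    ":m4ster!x@c2.example.net PRIVMSG #zxcv :.ddos.syn 203.0.113.9 80 600",
]

if __name__ == "__main__":
    print("\n".join(join_sequence("USA|016887436", "s3cret", "#zxcv")))
    report = observe_channel(SAMPLE_SESSION, "#zxcv")
    print(report["bot_count"], "suspected bots:", report["bots"])
    for kind, who, text in report["commands"]:
        print(kind, who, text)
```

Of the six channel members in the constructed NAMES reply, four match a bot pattern and two (the channel operator and one plain nick) do not, which is the "how many bots" statistic the slide asks for; the topic and the PRIVMSG give the "who is being attacked, when" information, since the botmaster's standing order and live commands both pass through the channel in the clear. The fake bot must not execute any of those commands, and it must sit behind data control of its own, which is the security risk the last slide warns about.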