Nov 11, 2014
Niels van Eijck Principal Consultant, NCIM
[email protected] @nvaneijck
About the speaker: Java developer, Principal Consultant at NCIM, currently working at the Dutch National Cyber Security Centre (NCSC-NL).

Agenda: Introduction, HoneySpider Network, Service Development, Demo, Summary
Every piece of software contains vulnerabilities! Client software is no exception: browsers (IE, Firefox, Chrome, Opera, WGET), Flash, Acrobat Reader, etc.
HoneySpider Network as an early warning system (diagram): the network periodically scans a set of trusted websites. As long as those sites serve benign content the scans stay quiet; as soon as one of them starts serving malicious content, HoneySpider Network detects it and reports it.
How clients get attacked through trusted sites (diagram):
1. Intelligence gathering
2. Inject exploit in selected sites
3. Drop malware on vulnerable systems
4. Initiate malicious activity
Images courtesy of chanpipat / FreeDigitalPhotos.net

Examples of the kind of sites that get selected:
Major news sites: NU.nl, Telegraaf.nl
Government sites: whitehouse.gov, dol.gov
Political related sites: rsf.org
Case, February 2013: clients exploited via a Java 6 vulnerability; Apple, Facebook & Twitter compromised. (Source: threatpost.com / netsecurity.org)
Case, August 2013: first noticed at conrad.nl, where visitors are redirected to a site serving the Blackhole exploit kit (PDF & Java). It turns out conrad.nl is not the only one. (Source: zdnet.com / foxit.com)
Case: a hosting provider is targeted by a phishing email with a PDF containing malware. One client got compromised and credentials for the DNS registrar were obtained. The DNS nameserver entry was changed: a legitimate action…
All this shows a need to invest in early detection and analysis of attacks on clients.
Meet HoneySpiderNetwork 2 (HSN).

Part 2: HoneySpider Network
Started as a joint venture of CERT Polska and the Dutch National Cyber Security Centre (NCSC-NL). Work on version 2 started in 2011; the code was released under the GPL license in January 2013.
An early warning system that detects attacks on client applications through webpages and files. It supports a variety of services & analyzers, has a flexible configuration, is scalable and has an open architecture.

Operational
Architecture (diagram): the HoneySpider Network core runs Jobs over a set of Services; results flow through Reporting into the Report DB, which is reached through the web interface, the CLI and export.

Technology:
Communication: RabbitMQ (AMQP), Google Protocol Buffers
Workflows: Activiti, Git
Storage: Apache CouchDB (JSON documents)
Programming languages: Java, Python, C++
Workflows are written in the HSN Workflow Language (HWL), an XML format.

Example process (diagram):
Input: a file with URLs
For each URL:
• Service “A”
• Service “B”
Reporter:
• Aggregate results from services
• Store in database
(Input / Output)
Available services:
Feeder (file / url)
Reporter
Web clients: HtmlUnit, Thug
Honeypots: Capture HPC, Cuckoo
Scanners: antivirus, shellcode
Analyzers: JavaScript, PDF, MS Office, Flash

Cuckoo is a high interaction honeypot: a vulnerable system visits the website and its activity is recorded. It uses virtualization software and comes with analysis plugins and reporting plugins.

Web interface: built on the Django framework; supports scheduling of jobs, basic statistics and RSS feeds of malicious results.
Part 3: Service Development
package nl.ncim.hsn2.service;

import ...;

/**
 * Entry point of the demo service: an Apache Commons Daemon that wraps the
 * framework's GenericService, which takes care of the bus communication and
 * hands each incoming task to the task factory.
 */
public class DemoService implements org.apache.commons.daemon.Daemon {

    private GenericService service = null;

    @Override
    public void init(DaemonContext context) throws DaemonInitException, Exception {
        // Wire the task factory into the generic service; the remaining
        // constructor arguments are elided on the slide.
        this.service = new GenericService(new DemoServiceTaskFactory(), ...);
    }

    @Override
    public void start() throws Exception {
        ...
        service.run(); // processes tasks until the daemon is stopped
        ...
    }
}
package nl.ncim.hsn2.service;

import ...;

/**
 * Creates one DemoServiceTask per incoming task. The object data carries the
 * attributes (such as the URL) of the object the task has to process.
 */
public class DemoServiceTaskFactory implements TaskFactory {

    @Override
    public Task newTask(TaskContext jobContext, ParametersWrapper parameters,
                        ObjectDataWrapper data) throws ParameterException {
        // Service parameters from the workflow are not used by the demo service.
        return new DemoServiceTask(jobContext, data);
    }
}
package nl.ncim.hsn2.service;

import ...;

/**
 * The task class for the HSN2 Demo Service.
 * This is the place where the actual work is being done.
 */
public class DemoServiceTask implements Task {

    private TaskContext jobContext;
    private String url;

    public DemoServiceTask(TaskContext jobContext, ObjectDataWrapper data) {
        this.jobContext = jobContext;
        // The URL under analysis, as passed along by the feeder and earlier services.
        this.url = data.getString("url_original");
    }

    @Override
    public void process() throws ParameterException, ResourceException,
            StorageException {
        // Results are added as attributes on the object; the reporter picks
        // them up through the <<statement>> placeholder in its template.
        jobContext.addAttribute("statement", "J-Fall Rocks!");
    }
}
Reporter template for the demo service (JSON with <<placeholders>> that the reporter fills in from the job and the object attributes):

{
  "type": "analysis",
  "job": <<@|hsn-job-id>>,
  "service": "demo-service",
  "node": <<@|hsn-node-ref>>,
  "classification": "benign",
  "details":
  {
    "structure": "list",
    "name": "Analysis details of Demo Service",
    "value":
    [
      {
        "structure": "text",
        "name": "Statement",
        "value": <<statement>>
      }
    ]
  }
}
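To make the two halves concrete, the workflow from the process slide (a file with URLs, Service “A” and Service “B” per URL, a reporter that aggregates and stores) and the placeholder template above, here is an added example in Python. It is not code from the talk or from the HSN2 project: the <<name>> / <<@|hsn-job-id>> / <<@|hsn-node-ref>> placeholder syntax is taken from the slide, but how the real reporter resolves placeholders is an assumption, and the URL feed, the second service, the template and the function names are constructed for this example.

```python
"""Toy model of an HSN2-style workflow plus a reporter template renderer.
Added example, not HSN2 project code; placeholder resolution is assumed."""
import json
import re
from typing import Callable, Dict, List

# Constructed URL feed, standing in for the "file with URLs" feeder input.
URL_FEED = """http://example.com/
http://example.org/index.html
"""

# A service is modelled as a callable that receives the object's attributes
# and returns the attributes it adds (cf. jobContext.addAttribute on the slide).
Service = Callable[[Dict[str, object]], Dict[str, object]]


def demo_service(data: Dict[str, object]) -> Dict[str, object]:
    """Service "A": same behaviour as DemoServiceTask.process() on the slide."""
    return {"statement": "J-Fall Rocks!"}


def url_length_service(data: Dict[str, object]) -> Dict[str, object]:
    """Service "B" (hypothetical): records the length of the original URL."""
    return {"url_length": len(str(data["url_original"]))}


# Constructed template in the slide's <<placeholder>> style. Placeholders are
# left unquoted because the renderer inserts JSON-encoded values.
REPORT_TEMPLATE = """{
  "type": "analysis",
  "job": <<@|hsn-job-id>>,
  "service": "demo-service",
  "node": <<@|hsn-node-ref>>,
  "classification": "benign",
  "details": {
    "structure": "list",
    "name": "Analysis details of Demo Service",
    "value": [
      {"structure": "text", "name": "Statement", "value": <<statement>>},
      {"structure": "text", "name": "URL length", "value": <<url_length>>}
    ]
  }
}"""

# <<@|name>> selects job metadata, <<name>> selects an object attribute.
PLACEHOLDER = re.compile(r"<<(@\|)?([A-Za-z0-9_-]+)>>")


def render_template(template: str, job_id: int, node_ref: int,
                    attributes: Dict[str, object]) -> str:
    """Fill the placeholders, JSON-encoding every value so the output stays
    valid JSON even for strings containing quotes. Unknown names become null
    instead of leaving a dangling <<...>> that would break the report."""
    meta = {"hsn-job-id": job_id, "hsn-node-ref": node_ref}

    def substitute(match: "re.Match") -> str:
        source = meta if match.group(1) else attributes
        return json.dumps(source.get(match.group(2)))

    return PLACEHOLDER.sub(substitute, template)


def run_job(feed: str, services: List[Service], job_id: int) -> List[dict]:
    """Run the workflow: each URL becomes one object (node) that passes through
    every service in turn; the reporter renders one report per object and
    aggregates them (returned here instead of being stored in a database)."""
    reports = []
    node_ref = 0
    for line in feed.splitlines():
        url = line.strip()
        if not url:
            continue
        node_ref += 1
        data: Dict[str, object] = {"url_original": url}
        for service in services:
            data.update(service(data))
        rendered = render_template(REPORT_TEMPLATE, job_id, node_ref, data)
        reports.append(json.loads(rendered))  # parse check: the report must be valid JSON
    return reports


if __name__ == "__main__":
    for report in run_job(URL_FEED, [demo_service, url_length_service], job_id=42):
        print(json.dumps(report, indent=2))
```

The parse check in run_job is the point of JSON-encoding each substituted value: a template that pastes raw attribute strings into the report would produce broken or misleading JSON as soon as an attribute (say, a URL or a page title fetched from a malicious site) contains quotes.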
Part 4: Demo
Target of the demo: Java SE 7 JRE exploit (CVE-2012-4681). Vulnerabilities in the JRE allow attackers to escape from the sandbox environment. Fixed in Java SE 7 JRE update 7; the JRE is currently at 7u45...
Reference: https://oracleus.activeevents.com/2013/connect/sessionDetail.ww?SESSION_ID=3122
Demo setup (diagram, built up over several slides): HoneySpider Network sends a Job to the Cuckoo Service, which passes it on to Cuckoo. Cuckoo starts a Windows XP virtual machine that visits the website under test, served by a VM with Metasploit. The recorded activity comes back as a Report.

What the report shows: Calc.exe is started, aka Hello, world! A hacker would execute more serious stuff:
> format C:
botnet client
keylogger
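The high interaction honeypot described earlier (a vulnerable system visits the website and its activity is recorded) and the demo above both end with the same question: how does recorded activity become a verdict? The following Python block is an added example, not code from the talk, from Cuckoo or from HSN2. It classifies a simplified, constructed Cuckoo-style process tree in which each process has a process_name, its children and the file paths it wrote; the list of expected client processes and all sample trees are assumptions made for this example, and real Cuckoo reports carry far more detail.

```python
"""Classify recorded client activity from a web visit. Added example with a
constructed, simplified process tree; not Cuckoo or HSN2 code."""
from typing import Dict, Iterator, List, Optional, Tuple

# Processes a web visit is expected to run: the browser and its Java plugin
# helpers (an illustrative assumption, not an exhaustive list).
CLIENT_PROCESSES = {"iexplore.exe", "firefox.exe", "java.exe", "jp2launcher.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def walk(node: dict, parent: Optional[dict] = None) -> Iterator[Tuple[Optional[dict], dict]]:
    """Depth-first traversal yielding (parent, process) pairs."""
    yield parent, node
    for child in node.get("children", []):
        yield from walk(child, node)


def classify(process_tree: List[dict]) -> Dict[str, object]:
    """Benign unless a client process starts something that is not itself a
    client process, or writes an executable file to disk. Both are the kind of
    side effect a page visit should never have and that the demo produces."""
    findings: List[str] = []
    for root in process_tree:
        for parent, proc in walk(root):
            name = proc["process_name"].lower()
            if (parent is not None
                    and parent["process_name"].lower() in CLIENT_PROCESSES
                    and name not in CLIENT_PROCESSES):
                findings.append(f"{parent['process_name']} spawned {proc['process_name']}")
            if name in CLIENT_PROCESSES:
                for path in proc.get("files_written", []):
                    if path.lower().endswith(EXECUTABLE_SUFFIXES):
                        findings.append(f"{proc['process_name']} wrote {path}")
    return {"classification": "malicious" if findings else "benign",
            "findings": findings}


# Constructed trees. A quiet visit: the browser loads the Java plugin, nothing else.
BENIGN_VISIT = [
    {"process_name": "iexplore.exe", "children": [
        {"process_name": "java.exe", "children": []}]}
]

# The demo visit: the plugin process ends up starting calc.exe (the slide's Hello, world!).
DEMO_VISIT = [
    {"process_name": "iexplore.exe", "children": [
        {"process_name": "java.exe", "children": [
            {"process_name": "calc.exe", "children": []}]}]}
]

# A visit where the browser itself writes an executable (constructed placeholder path).
DROPPER_VISIT = [
    {"process_name": "iexplore.exe",
     "files_written": [r"C:\Users\user\AppData\Local\Temp\dropped.exe"],
     "children": []}
]

if __name__ == "__main__":
    for label, tree in (("benign", BENIGN_VISIT), ("demo", DEMO_VISIT), ("dropper", DROPPER_VISIT)):
        print(label, classify(tree))
```

The allow-list approach is deliberate: the honeypot does not need to know which exploit was used, only that a browser or plugin process did something a page visit cannot legitimately cause, which is what makes the recorded activity useful as an early warning for sites whose content changed.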
Part 5: Summary
HoneySpiderNetwork: a Java based system to hunt down malicious websites.
Visit www.honeyspider.net and feel free to try it:
Appliance (VirtualBox)
Installation Guide
GitHub (https://github.com/CERT-Polska/hsn2-bundle)
Call for developers!