Using Honeypots to Study Web-based Attacks

Wednesday, January 14. 2009
The Internet Storm Center has an interesting entry on how to use honeypots to capture attacks against web applications: "Roundcube Webmail follow-up":
A fermented honeypot is one that has been set up based on exploit attempts identified by a first stage honeypot. What happens is that the attacker(s) get all sticky in the original honeypot and when they come back for more sweetness, they get the fermented honeypot too. Now, along with getting all sticky in the first honeypot, they get all drunk on excitement in the fermented honeypot. [...] Development of a fermented honeypot is not without effort. There is no typical Win32 click-n-create nonsense. A fermented honeypot must be specifically crafted to correctly emulate the focused attack. The author, or 'brew master', is well capable of taking a traditional honeypot and fermenting it accordingly.

Basically, they first observe the scanning/exploitation attempts against the Roundcube html2text.php vulnerability and then set up a second-stage honeypot that responds to these scanning attempts, offering more bait for the attacker. This is a good example of how honeypots work, and it also lets them observe the actual infection of a vulnerable system.


Fast-Flux Data from ATLAS

Friday, January 9. 2009
Yesterday Jose blogged about "2008 H2 Fast Flux Data Analysis" based on the information collected by ATLAS. They discovered on average between 40 and 50 new fast-flux domains per day and identified the following trends:
We’re seeing two trends of note with respect to 2008 with fast flux domain registrations and use. The first is the growth of .CN as a fast flux TLD. Most of the .CN domains we see registered and fluxing come through a registrar like BIZCN, whom we now treat with some suspicion. [...] The second big trend over 2008 is the migration away from .COM and .CN to a lot more TLDs.

It's interesting to compare the new developments in this area with our paper from late 2007 and the measurement results from ATLAS. Our fast-flux tracking system will be online again in the next few days; I will also blog about some updates in the future.

25C3: "Banking Malware 101" Slides

Tuesday, December 30. 2008
The slides I used for my presentation at the 25th Chaos Communication Congress (25C3) are now available for download. The presentation was also recorded and should be available in the next few days at http://ftp.ccc.de/congress/25c3/pre-release/. The congress was a lot of fun; unfortunately I had to leave early...

An interesting presentation is scheduled for today at 15:15 CET: Jacob and Alex talk about Making the theoretical possible. Not many details are available (see the "abstract" on the left-hand side), but it seems like they found something big that basically affects everyone. Rumors are that they broke a Root CA key that is included in major browsers; the truth will be revealed in a couple of hours...

Client-Side Honeypots

Wednesday, December 17. 2008
A client-side honeypot is a type of honeypot designed to collect information about client-side attacks. Typically such a honeypot uses Internet Explorer and continuously surfs the Web in an automated way. During the surfing, the system activity is closely monitored for changes such as new files on the hard disk or new processes, since such changes indicate a successful drive-by download. In such a case, a malicious website has compromised the web browser just by being visited. Examples of client-side honeypots are Capture-HPC and the MITRE Honeyclient.

We run several client-side honeypots in our lab and frequently find new malicious websites. At the moment, we quite often find sites that use malicious PDF files to exploit our browser. In such an attack, a vulnerability in Adobe Acrobat Reader is exploited in order to execute code on the victim's machine. To illustrate such an exploit, I created a quick movie that shows a live exploit. In the future, I hope to cover client-side exploits more frequently. With exploits such as the current MS08-078 vulnerability, I'm sure that we will observe more malicious sites in the future...
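To make the monitoring step concrete, here is an added, simplified example (not code from Capture-HPC or the MITRE Honeyclient): it takes a baseline of files and process IDs, lets a visit happen, and reports what appeared afterwards. The watched directory, the PID provider and the "visit" are assumptions standing in for the real browser and a kernel-level monitor.

```python
import hashlib
import os
import tempfile
from typing import Callable, Dict, List, Set

def snapshot_files(root: str) -> Dict[str, str]:
    """Map every file under root to the SHA-256 of its contents."""
    state: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                state[path] = hashlib.sha256(fh.read()).hexdigest()
    return state

def diff_state(before_files: Dict[str, str], after_files: Dict[str, str],
               before_pids: Set[int], after_pids: Set[int]) -> dict:
    """Compare two snapshots; new or modified files and new processes are drive-by indicators."""
    new_files = sorted(p for p in after_files if p not in before_files)
    modified = sorted(p for p in after_files
                      if p in before_files and after_files[p] != before_files[p])
    new_pids = sorted(after_pids - before_pids)
    return {"new_files": new_files, "modified_files": modified,
            "new_processes": new_pids,
            "suspicious": bool(new_files or modified or new_pids)}

def visit_and_check(root: str, visit: Callable[[], None],
                    list_pids: Callable[[], Set[int]]) -> dict:
    """Take a baseline, let the automated browser visit one site, then re-snapshot."""
    before_files, before_pids = snapshot_files(root), set(list_pids())
    visit()  # in a real honeypot: drive the browser to the URL under test
    after_files, after_pids = snapshot_files(root), set(list_pids())
    return diff_state(before_files, after_files, before_pids, after_pids)

def demo() -> dict:
    """Constructed scenario: the 'visit' drops a file and a new process shows up."""
    root = tempfile.mkdtemp()  # assumed watched directory (stands in for the system drive)
    with open(os.path.join(root, "benign.txt"), "w") as fh:
        fh.write("pre-existing file")
    pid_snapshots: List[Set[int]] = [{100, 200}, {100, 200, 4242}]  # constructed PIDs

    def fake_visit() -> None:  # stands in for the browser visiting a drive-by site
        with open(os.path.join(root, "dropped.exe"), "wb") as fh:
            fh.write(b"MZ constructed sample, not a real binary")

    return visit_and_check(root, fake_visit, lambda: pid_snapshots.pop(0))

if __name__ == "__main__":
    print(demo())
```

A real honeyclient hooks file and process creation in the kernel instead of polling, but the decision logic is the same: any change caused by merely visiting the page marks the site as malicious.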

Old Entries / Honeypot Presentation

Tuesday, December 2. 2008
admin
Getting the old entries back is not as easy as expected :-/ I'm currently busy with my thesis (I hope to finish by the end of the year...) and thus I do not have much time to focus on the blog, sorry. But I will start with new blog entries and later on add the old entries once I have a bit more time.

In the meantime: I recently gave a lecture on honeypots at the University of Mannheim that provides an introduction to different kinds of honeypots and honeynets. The slides are 5 MB in size and are now available in PDF format.