<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule">
<channel>
    <title>honeyblog - honeynets</title>
    <link>http://honeyblog.org/</link>
    <description>A blog on honeypots, honeynets, and more...</description>
    <dc:language>en</dc:language>
    <generator>Serendipity 1.3.1-1 - http://www.s9y.org/</generator>
    <managingEditor>thorsten.holz@gmail.com</managingEditor>
<pubDate>Tue, 26 Apr 2011 21:06:18 GMT</pubDate>

    <image>
        <url>http://honeyblog.org/templates/default/img/s9y_banner_small.png</url>
        <title>RSS: honeyblog - honeynets - A blog on honeypots, honeynets, and more...</title>
        <link>http://honeyblog.org/</link>
        <width>100</width>
        <height>21</height>
    </image>

<item>
    <title>2011 Honeynet Project Security Workshop Slides + Videos</title>
    <link>http://honeyblog.org/archives/65-2011-Honeynet-Project-Security-Workshop-Slides-+-Videos.html</link>
            <category>honeynets</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/65-2011-Honeynet-Project-Security-Workshop-Slides-+-Videos.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=65</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=65</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The slides and videos from the 2011 Honeynet Project Security Workshop (Paris) are now available! You can get the material from &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.honeynet.org/SecurityWorkshops/2011_Paris&#039;);&quot;  href=&quot;http://www.honeynet.org/SecurityWorkshops/2011_Paris&quot;&gt;http://www.honeynet.org/SecurityWorkshops/2011_Paris&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
About the workshop:&lt;blockquote&gt;The workshop brought together experts in the field of information security from around the world to share the latest advances in security research. Our members covered topics such as new honeyclients, mobile malware, new reversing techniques, VOIP attacks and even social behavior of attackers. And besides the presentations, Felix Leder and Mark Schloesser from our Giraffe chapter and Guillaume Arcas from our French chapter put up some hands-on exercises that allowed participants to test their skillz.&lt;/blockquote&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Tue, 26 Apr 2011 23:06:18 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/65-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Chaosradio Express #155</title>
    <link>http://honeyblog.org/archives/60-Chaosradio-Express-155.html</link>
            <category>admin</category>
            <category>honeynets</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/60-Chaosradio-Express-155.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=60</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=60</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Recently I recorded a longer podcast together with &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/tim.geekheim.de/&#039;);&quot;  href=&quot;http://tim.geekheim.de/&quot;&gt;Tim Pritlove&lt;/a&gt; on malware and botnets. It was published a few days ago as &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/chaosradio.ccc.de/cre155.html&#039;);&quot;  href=&quot;http://chaosradio.ccc.de/cre155.html&quot;&gt;Chaosradio Express #155&lt;/a&gt;. The podcast is in German and lasts for about 2.5 hours. The podcast is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/chaosradio.ccc.de/cre155.html&#039;);&quot;  href=&quot;http://chaosradio.ccc.de/cre155.html&quot;&gt;http://chaosradio.ccc.de/cre155.html&lt;/a&gt; and you can also get it via &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/itunes.apple.com/de/podcast/chaosradio-express/id135057227&#039;);&quot;  href=&quot;http://itunes.apple.com/de/podcast/chaosradio-express/id135057227&quot;&gt;iTunes&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Here is the description (translated from German):&lt;br /&gt;
&lt;blockquote&gt;Over the last 10 years, malware has evolved from a research field into a global threat to the international data infrastructure. Botnets are the regrettable pinnacle of these criminal activities, and it takes considerable effort to track down these systems and shut them down again. Despite an ongoing game of cat and mouse, security researchers repeatedly succeed in taking large botnets off the net. In conversation with Tim Pritlove, Thorsten Holz explains the history and technical background of malware and botnets.&lt;br /&gt;
&lt;br /&gt;
Topics: how malware has developed over time from an experiment into a tool for criminals; which security vulnerabilities are exploited; what means operating systems have to defend themselves against malware; the layer-8 problem; the anti-virus industry; what Microsoft has done for its security; botnets and spam and other forms of monetisation; how botnets protect themselves against reconnaissance; how a botnet is investigated, tricked and taken down; finding botnets with honeypots; botnets in government agencies and embassies; communication and collaboration among security groups; technical and moral problems when shutting down a botnet; cooperation with ISPs; fighting botnets vs. censorship infrastructure; botnets and the Mac; concepts for secure operating systems; security usability; automated malware analysis.&lt;/blockquote&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 10 Jun 2010 18:07:40 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/60-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Challenge 4 of the Forensic Challenge 2010 - VoIP</title>
    <link>http://honeyblog.org/archives/59-Challenge-4-of-the-Forensic-Challenge-2010-VoIP.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/59-Challenge-4-of-the-Forensic-Challenge-2010-VoIP.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=59</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=59</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Quick blog posting about the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/challenges/2010_4_voip&#039;);&quot;  href=&quot;http://honeynet.org/challenges/2010_4_voip&quot;&gt;new forensic challenge&lt;/a&gt; by the Honeynet Project:&lt;br /&gt;
&lt;br /&gt;
&lt;blockquote&gt;Challenge 4 - VoIP - (provided by Ben Reardon from the Australian Chapter and Sjur Eivind Usken from the Norwegian Chapter) takes you into the world of voice communications on the Internet. VoIP with SIP is becoming the de-facto standard for voice communication on the Internet. As this technology becomes more common, malicious parties have more opportunities and stronger motives to take control of these systems to conduct nefarious activities. This Challenge is designed to examine and explore some of the attributes of the SIP and RTP protocols. Enjoy the challenge.&lt;/blockquote&gt;&lt;br /&gt;
&lt;br /&gt;
You can find all info at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/challenges/2010_4_voip&#039;);&quot;  href=&quot;http://honeynet.org/challenges/2010_4_voip&quot;&gt;http://honeynet.org/challenges/2010_4_voip&lt;/a&gt;. Submission deadline is June 30th 2010 - thus you still have some time to work on the challenge. You can win books, for example a signed copy of &quot;&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.amazon.com/gp/product/0321336321&#039;);&quot;  href=&quot;http://www.amazon.com/gp/product/0321336321&quot;&gt;Virtual Honeypots: From Botnet Tracking to Intrusion Detection&lt;/a&gt;&quot; by Niels and me. 
    </content:encoded>

    <pubDate>Thu, 10 Jun 2010 16:38:56 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/59-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Call for Papers: LEET'10</title>
    <link>http://honeyblog.org/archives/49-Call-for-Papers-LEET10.html</link>
            <category>admin</category>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/49-Call-for-Papers-LEET10.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=49</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=49</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The submission deadline for the 3rd USENIX Workshop on Large-Scale Exploits and Emergent Threats (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/events/leet10/&#039;);&quot;  href=&quot;http://www.usenix.org/events/leet10/&quot;&gt;LEET &#039;10&lt;/a&gt;) is quickly approaching. Please submit your work by Thursday, February 25, 2010, 11:59 p.m. PST. The full call for papers is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.usenix.org/events/leet10/cfp/&#039;);&quot;  href=&quot;http://www.usenix.org/events/leet10/cfp/&quot;&gt;http://www.usenix.org/events/leet10/cfp/&lt;/a&gt;; an overview follows:&lt;br /&gt;
&lt;blockquote&gt;&lt;b&gt;Topics&lt;/b&gt;&lt;br /&gt;
Now in its third year, LEET continues to provide a unique forum for the discussion of threats to the confidentiality of our data, the integrity of digital transactions, and the dependability of the technologies we increasingly rely on. We encourage submissions of papers that focus on the malicious activities themselves (e.g., reconnaissance, exploitation, privilege escalation, rootkit installation, attack), our responses as defenders (e.g., prevention, detection, and mitigation), or the social, political, and economic goals driving these malicious activities and the legal and ethical codes guiding our defensive responses.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Overview&lt;/b&gt;&lt;br /&gt;
Information technology (IT) adds $2 trillion annually to the US economy alone. While these technologies have enabled significant global economic growth, they have become rich targets for malicious activity. The US Federal Bureau of Investigation (FBI) indicated that cyber crime reached an all-time high in 2008; cyber crime now ranks as the FBI&#039;s third highest priority, behind such dramatic threats as counter-terrorism and counter-espionage. Much of this malicious activity is driven by economic incentives, but recently we have seen the emergence of highly visible, politically motivated attacks. While the motivations for malicious behavior and the technical mechanisms that enable them remain rich areas of research, it is clear that today our global society is faced with a wide range of cyber criminal activities: spam, phishing, denial of service, click fraud, etc.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Workshop Format&lt;/b&gt;&lt;br /&gt;
LEET aims to be a true workshop, with the twin goals of fostering the development of preliminary work and helping to unify the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats. Intriguing preliminary results and thought-provoking ideas will be strongly favored; papers will be selected for their potential to stimulate discussion in the workshop. Each author will have 15 minutes to present his or her work, followed by 15 minutes of discussion with the workshop participants.&lt;/blockquote&gt;&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 25 Jan 2010 09:03:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/49-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Studying Aspects of the Underground Economy&quot;</title>
    <link>http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=48</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=48</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Today I gave a &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.icsi.berkeley.edu/cgi-bin/events/event.pl?ID=000563&#039;);&quot;  href=&quot;http://www.icsi.berkeley.edu/cgi-bin/events/event.pl?ID=000563&quot;&gt;talk&lt;/a&gt; at the International Computer Science Institute (&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.icsi.berkeley.edu/about/index.html&#039;);&quot;  href=&quot;http://www.icsi.berkeley.edu/about/index.html&quot;&gt;ICSI&lt;/a&gt;) that focused on some of the research I did in the past year. The slides are now &lt;a href=&quot;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&quot;&gt;available&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
With the growing digital economy, it comes as no surprise that criminal activities in digital business have led to a digital underground economy. Because it is such a fast-moving field, tracking and understanding this underground economy is difficult and most information in this area is vague. In this talk, we discuss several approaches to study the structure of these underground markets. In particular, we present a method with which it is possible to directly analyze the amount of data harvested through keylogger-based attacks in a highly automated fashion. Based on real-world data, we can get a glimpse into the digital underground economy. However, many open questions remain that will be discussed in the last part of the talk.&lt;br /&gt;
&lt;br /&gt;
You can get the slides at &lt;a href=&quot;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&quot;&gt;http://honeyblog.org/junkyard/presentations/10_underground-economy_ICSI.pdf&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Wed, 20 Jan 2010 06:53:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/48-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Challenge 1 posted - Signed books as prizes!</title>
    <link>http://honeyblog.org/archives/46-Challenge-1-posted-Signed-books-as-prizes!.html</link>
            <category>honeynets</category>
            <category>malware</category>
    
    <comments>http://honeyblog.org/archives/46-Challenge-1-posted-Signed-books-as-prizes!.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=46</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=46</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The first challenge of the Honeynet Forensic Challenge 2010 has been posted at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/node/504&#039;);&quot;  href=&quot;http://honeynet.org/node/504&quot;&gt;http://honeynet.org/node/504&lt;/a&gt;. The task is to analyze a packet capture that was collected by a honeypot. Analyze and answer the following questions:&lt;br /&gt;
&lt;ol&gt;
&lt;li&gt;Which systems (i.e. IP addresses) are involved? (2pts)&lt;/li&gt;
&lt;li&gt;What can you find out about the attacking host (e.g., where is it located)? (2pts)&lt;/li&gt;
&lt;li&gt;How many TCP sessions are contained in the dump file? (2pts)&lt;/li&gt;
&lt;li&gt;How long did it take to perform the attack? (2pts)&lt;/li&gt;
&lt;li&gt;Which operating system was targeted by the attack? And which service? Which vulnerability? (6pts)&lt;/li&gt;
&lt;li&gt;Can you sketch an overview of the general actions performed by the attacker? (6pts)&lt;/li&gt;
&lt;li&gt;What specific vulnerability was attacked? (2pts)&lt;/li&gt;
&lt;li&gt;What actions does the shellcode perform? Please list the shellcode. (8pts)&lt;/li&gt;
&lt;li&gt;Do you think a Honeypot was used to pose as a vulnerable victim? Why? (6pts)&lt;/li&gt;
&lt;li&gt;Was there malware involved? What&#039;s the name of the malware? (We are not looking for a detailed malware analysis for this challenge) (2pts)&lt;/li&gt;
&lt;li&gt;Do you think this is a manual or an automated attack? Why? (2pts)&lt;/li&gt;
&lt;/ol&gt;&lt;br /&gt;
Get the pcap at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/files/attack-trace.pcap_.gz&#039;);&quot;  href=&quot;http://honeynet.org/files/attack-trace.pcap_.gz&quot;&gt;http://honeynet.org/files/attack-trace.pcap_.gz&lt;/a&gt;; it was provided together with the questions by Tillmann Werner. The deadline for submissions is Monday, February 1st 2010 at 17:00 EST. There will be some small prizes, among them signed copies of our book &quot;&lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.amazon.com/gp/product/0321336321?ie=UTF8&amp;amp;amp;tag=honeyblogorg-20&amp;amp;amp;linkCode=as2&amp;amp;amp;camp=1789&amp;amp;amp;creative=9325&amp;amp;amp;creativeASIN=0321336321&#039;);&quot;  href=&quot;http://www.amazon.com/gp/product/0321336321?ie=UTF8&amp;amp;tag=honeyblogorg-20&amp;amp;linkCode=as2&amp;amp;camp=1789&amp;amp;creative=9325&amp;amp;creativeASIN=0321336321&quot;&gt;Virtual Honeypots: From Botnet Tracking to Intrusion Detection&lt;/a&gt;&quot;. Full information is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/node/504&#039;);&quot;  href=&quot;http://honeynet.org/node/504&quot;&gt;http://honeynet.org/node/504&lt;/a&gt;.&lt;br /&gt;
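Added example (not part of the original post or of the challenge materials): a pure-Python triage of a capture that answers the bookkeeping questions above, namely which hosts are involved (1), how many TCP sessions the trace holds (3), how long the attack took (4), and which host opened the connections and on which ports (2, 5). It runs on a small constructed Ethernet/IPv4/TCP trace built inline from RFC 5737 documentation addresses; that trace is not the challenge pcap, and all function and constant names are this example's own.

```python
"""Triage for a honeypot packet capture: hosts involved, number of TCP
sessions, attack duration and who opened the connections.  Standard library
only, so it runs offline on any libpcap file given as bytes."""
import struct
from collections import Counter


def _fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def _decode_tcp(frame):
    """Ethernet/IPv4/TCP frame to (src, dst, sport, dport, flags, payload_len);
    None for non-TCP traffic or for truncated frames."""
    if frame[12:14] != b"\x08\x00":                  # EtherType must be IPv4
        return None
    try:
        ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(
            "!BBHHHBBH4s4s", frame, 14)
        ihl = (ver_ihl % 16) * 4                       # low nibble: header words
        if proto != 6:                                 # 6 = TCP
            return None
        sport, dport, _, _, off, flags = struct.unpack_from("!HHIIBB", frame, 14 + ihl)
    except struct.error:
        return None
    payload_len = max(len(frame) - 14 - ihl - (off // 16) * 4, 0)
    return (_fmt_ip(src), _fmt_ip(dst), sport, dport, flags, payload_len)


def parse_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, flags, payload_len) for every
    TCP packet; handles both byte orders and the nanosecond-resolution magic."""
    magic = int.from_bytes(data[:4], "little")
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        order = "little"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        order = "big"
    else:
        raise ValueError("not a libpcap capture")
    frac_scale = 1e9 if magic in (0xA1B23C4D, 0x4D3CB2A1) else 1e6
    offset = 24                                        # size of the global header
    while len(data[offset:offset + 16]) == 16:         # one 16-byte record header
        ts_sec, ts_frac, incl_len = (
            int.from_bytes(data[offset + i:offset + i + 4], order) for i in (0, 4, 8))
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        pkt = _decode_tcp(frame)
        if pkt is not None:
            yield (ts_sec + ts_frac / frac_scale,) + pkt


def triage(data):
    """Bookkeeping answers for one capture, as a dict."""
    pkts = list(parse_pcap(data))
    hosts, initiators, ports, sessions = Counter(), Counter(), Counter(), set()
    for _ts, src, dst, sport, dport, flags, _plen in pkts:
        hosts[src] += 1
        hosts[dst] += 1
        # Both directions of a connection map to one unordered endpoint pair;
        # port reuse would merge sessions, so the pure-SYN count is a cross-check.
        sessions.add(frozenset([(src, sport), (dst, dport)]))
        syn, ack = (flags // 2) % 2 == 1, (flags // 16) % 2 == 1
        if syn and not ack:                            # a client opening a connection
            initiators[src] += 1
            ports[dport] += 1
    times = [p[0] for p in pkts]
    return {
        "hosts": sorted(hosts),
        "tcp_sessions": len(sessions),
        "syn_count": sum(initiators.values()),
        "duration_seconds": (max(times) - min(times)) if times else 0.0,
        "likely_attacker": initiators.most_common(1)[0][0] if initiators else None,
        "targeted_ports": sorted(ports),
    }


# --- constructed sample capture (not the challenge trace) --------------------
def _ip(text):
    return bytes(int(o) for o in text.split("."))


def _record(ts_sec, ts_usec, src, dst, sport, dport, flags, payload=b""):
    """One little-endian pcap record holding an Ethernet/IPv4/TCP frame."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    eth = bytes(12) + struct.pack("!H", 0x0800) + ip
    hdr = b"".join(n.to_bytes(4, "little") for n in (ts_sec, ts_usec, len(eth), len(eth)))
    return hdr + eth


SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
PCAP_GLOBAL_HEADER = ((0xA1B2C3D4).to_bytes(4, "little") + (2).to_bytes(2, "little")
                      + (4).to_bytes(2, "little") + bytes(8)
                      + (65535).to_bytes(4, "little") + (1).to_bytes(4, "little"))
ATTACKER, VICTIM = "192.0.2.10", "198.51.100.5"      # RFC 5737 documentation ranges
SAMPLE_PCAP = PCAP_GLOBAL_HEADER + b"".join([
    _record(1262300000, 0, ATTACKER, VICTIM, 40001, 445, SYN),
    _record(1262300000, 500, VICTIM, ATTACKER, 445, 40001, SYN + ACK),
    _record(1262300001, 0, ATTACKER, VICTIM, 40001, 445, PSH + ACK, b"A" * 64),
    _record(1262300003, 0, ATTACKER, VICTIM, 40002, 1080, SYN),
    _record(1262300003, 200, VICTIM, ATTACKER, 1080, 40002, SYN + ACK),
    _record(1262300010, 0, VICTIM, ATTACKER, 1080, 40002, FIN + ACK),
])

if __name__ == "__main__":
    print(triage(SAMPLE_PCAP))
```

Replace SAMPLE_PCAP with the bytes of the real trace to get the same dictionary for it; the session count is by unordered endpoint pair, so a client that reuses a source port would be under-counted, which is why the pure-SYN count is reported alongside.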
 
    </content:encoded>

    <pubDate>Mon, 18 Jan 2010 08:56:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/46-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Honeynet Project Forensic Challenge 2010</title>
    <link>http://honeyblog.org/archives/45-Honeynet-Project-Forensic-Challenge-2010.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/45-Honeynet-Project-Forensic-Challenge-2010.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=45</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=45</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    After several years without any &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.honeynet.org/challenges&#039;);&quot;  href=&quot;http://www.honeynet.org/challenges&quot;&gt;Honeynet Project Challenges&lt;/a&gt;, there will finally be new &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/node/503&#039;);&quot;  href=&quot;https://honeynet.org/node/503&quot;&gt;Forensic Challenges&lt;/a&gt; starting next Monday (January 18th, 2010). Here is the official announcement:&lt;br /&gt;
&lt;blockquote&gt;I am very happy to announce the Honeynet Project Forensic Challenge 2010. The purpose of the Forensic Challenges is to take learning one step farther. Instead of having the Honeynet Project analyze attacks and share their findings, Forensic Challenges give the security community the opportunity to analyze attacks and &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/papers&#039;);&quot;  href=&quot;http://honeynet.org/papers&quot;&gt;share their findings&lt;/a&gt;. In the end, individuals and organizations not only learn about threats, but also learn how to analyze them. Even better, individuals can access the write-ups from other individuals, and learn about new tools and techniques for analyzing attacks. Best of all, the attacks of the Forensic Challenge are attacks encountered in the wild, real hacks, provided by our members.&lt;br /&gt;
It has been several years since we provided Forensic Challenges and with the Forensic Challenge 2010, we will provide desperately needed upgrades. The Forensic Challenge 2010 will include a mixture of server-side attacks on the latest operating systems and services, client-side attacks that emerged in the past few years, attacks on VoIP systems, web applications, etc. At the end of each challenge, we will provide a sample solution created by our members using the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/project&#039;);&quot;  href=&quot;http://honeynet.org/project&quot;&gt;state-of-the-art tools&lt;/a&gt; that are publicly available, such as libemu and dionaea.&lt;br /&gt;
The first challenge (of several for 2010) will be posted on our &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/challenges&#039;);&quot;  href=&quot;http://honeynet.org/challenges&quot;&gt;Forensic Challenges web site&lt;/a&gt; on Monday, January 18th 2010. We will be open to submissions for about two weeks and announce the winners by February 15th 2010. This year, we will also award the top three submissions with prizes! Please check the web site on Monday, January 18th 2010 for further details….&lt;br /&gt;
&lt;br /&gt;
Christian Seifert&lt;/blockquote&gt;&lt;br /&gt;
Full details will be published at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/honeynet.org/challenges&#039;);&quot;  href=&quot;http://honeynet.org/challenges&quot;&gt;http://honeynet.org/challenges&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;Update&lt;/em&gt;: The date was apparently wrong; I corrected it from January 15th to January 18th. 
    </content:encoded>

    <pubDate>Tue, 12 Jan 2010 20:22:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/45-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Know Your Tools: Use Picviz to Find Attacks </title>
    <link>http://honeyblog.org/archives/40-Know-Your-Tools-Use-Picviz-to-Find-Attacks.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/40-Know-Your-Tools-Use-Picviz-to-Find-Attacks.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=40</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=40</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    A new series of papers is available from the Honeynet Project: &quot;Know Your Tools&quot; deals with specific tools and explains how to use them. The first paper in this series deals with &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.wallinfire.net/picviz&#039;);&quot;  href=&quot;http://www.wallinfire.net/picviz&quot;&gt;Picviz&lt;/a&gt;, a tool to visualize data based on parallel coordinates plots.&lt;br /&gt;
&lt;blockquote&gt;Picviz is a parallel coordinates plotter which enables easy scripting from various input (tcpdump, syslog, iptables logs, apache logs, etc..) to visualize data and discover interesting aspects of that data quickly. Picviz uncovers previously hidden data that is difficult to identify with traditional analysis methods.&lt;/blockquote&gt;&lt;br /&gt;
The paper is available at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/www.honeynet.org/node/499&#039;);&quot;  href=&quot;http://www.honeynet.org/node/499&quot;&gt;http://www.honeynet.org/node/499&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;:&lt;br /&gt;
This document explains how Picviz can be used to spot attacks. We will use three examples in this paper: analysis of SSH connection logs, a demonstration of the graphical interface on network data generated by a port scanner, and the use of the Picviz command line to discover attacks towards an Apache web server. Picviz can handle large amounts of data, as illustrated by the last example, in which two years of raw Apache access logs are analyzed. We will show how we can find attacks that previously have been hidden and discover them in a very short time!&lt;br /&gt;
We hope Picviz will make you more efficient in analyzing any kind of log files, including network traffic, and able to spot abnormalities even with large datasets.&lt;br /&gt;
&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Thu, 26 Nov 2009 11:59:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/40-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>GSoC'09: Glastopf</title>
    <link>http://honeyblog.org/archives/38-GSoC09-Glastopf.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/38-GSoC09-Glastopf.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=38</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=38</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Here is an announcement regarding the end of GSoC&#039;09:&lt;br /&gt;
&lt;br /&gt;
Web sites are hacked all the time. Web application, database, and cross-site scripting vulnerabilities expose a large attack surface that can be exploited to, among other things, deface the web site, send spam, convert web sites into bots, and serve drive-by-download attacks. &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/glastopf.org/&#039;);&quot;  href=&quot;http://glastopf.org/&quot;&gt;Glastopf&lt;/a&gt; is a low-interaction honeypot that emulates a vulnerable web server hosting many web pages and web applications with thousands of vulnerabilities. Glastopf is easy to set up and, once indexed by search engines, attacks will pour in by the thousands daily. Glastopf has been developed as part of the &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/code.google.com/soc/&#039;);&quot;  href=&quot;http://code.google.com/soc/&quot;&gt;2009 Google Summer of Code&lt;/a&gt; by student &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/glasblog.1durch0.de/&#039;);&quot;  href=&quot;http://glasblog.1durch0.de/&quot;&gt;Lukas Rist&lt;/a&gt; (and mentored by me). It can be downloaded from the Glastopf trac site at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/trac.glastopf.org/trac&#039;);&quot;  href=&quot;http://trac.glastopf.org/trac&quot;&gt;http://trac.glastopf.org/trac&lt;/a&gt;. More information on Glastopf can be found on the project site at &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/glastopf.org/&#039;);&quot;  href=&quot;http://glastopf.org/&quot;&gt;http://glastopf.org/&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Fri, 23 Oct 2009 11:17:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/38-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>&quot;Towards Proactive Spam Filtering&quot;</title>
    <link>http://honeyblog.org/archives/32-Towards-Proactive-Spam-Filtering.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/32-Towards-Proactive-Spam-Filtering.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=32</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=32</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/paper/wordclouds/spam-wc.jpg&#039;&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;58&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/paper/wordclouds/spam-wc.serendipityThumb.jpg&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;A common technique employed by spammers is to send spam mails with the help of botnets. In a typical setting, the spammer uses so-called &lt;em&gt;template-based spamming&lt;/em&gt;: the attacker sends the bots a spam template that describes the structure of the spam message to be sent. Furthermore, the attacker sends meta-data like a recipient list, a subject list, and a list of URLs that are used to fill in the variables in the template. The bots then construct an email based on the template and the meta-data and send this email to the targets. As a result, the actual work of handling the SMTP communication is moved from the control server to the bots. Nowadays this technique is used by most large spam botnets, such as Waledac, Bobax, Rustock and Cutwail, as Joe Stewart explained &lt;a onclick=&quot;javascript: pageTracker._trackPageview(&#039;/extlink/secureworks.com/research/threats/botnets2009/&#039;);&quot;  href=&quot;http://secureworks.com/research/threats/botnets2009/&quot;&gt;in detail&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Since spammers now use this tactic, we can also collect spam mails more efficiently: instead of waiting at end-users&#039; mailboxes or spamtraps for messages to arrive and then deciding whether or not each one is spam, we directly interact with the control servers that hand out the spam templates. The basic idea is that we execute spambots, i.e., malicious software dedicated to sending spam emails, in a controlled (honeypot) environment and collect all email messages sent by the bots. This lets us &lt;em&gt;directly&lt;/em&gt; interact with botnet control servers to collect the &lt;em&gt;current&lt;/em&gt; spam messages sent by a specific botnet.&lt;br /&gt;
&lt;br /&gt;
We describe this idea in more detail in a short paper that was published at &lt;a href=&quot;http://security.dico.unimi.it/dimva2009/&quot;&gt;DIMVA&#039;09&lt;/a&gt;. The paper is also &lt;a href=&quot;http://honeyblog.org/junkyard/paper/proactive-spam-short-dimva09.pdf&quot;&gt;available&lt;/a&gt; on this blog.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Abstract&lt;/b&gt;: With increasing security measures in network services, remote exploitation is getting harder. As a result, attackers concentrate on more reliable attack vectors like email: victims are infected using either malicious attachments or links leading to malicious websites. Therefore efficient filtering and blocking methods for spam messages are needed. Unfortunately, most spam filtering solutions proposed so far are reactive: they require a large amount of both ham and spam messages to efficiently generate rules to differentiate between both. In this paper, we introduce a more proactive approach that allows us to directly collect spam messages by interacting with the spam botnet controllers. We are able to observe current spam runs and obtain a copy of the latest spam messages in a fast and efficient way. Based on the collected information we are able to generate templates that represent a concise summary of a spam run. The collected data can then be used to improve current spam filtering techniques and develop new venues to efficiently filter mails.
    </content:encoded>

    <pubDate>Fri, 31 Jul 2009 12:08:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/32-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>GSoC'09: Some Updates for Glastopf</title>
    <link>http://honeyblog.org/archives/31-GSoC09-Some-Updates-for-Glastopf.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/31-GSoC09-Some-Updates-for-Glastopf.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=31</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=31</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Today Lukas &lt;a href=&quot;http://trac.1durch0.de/trac/changeset/176&quot;&gt;committed&lt;/a&gt; some major changes to &lt;a href=&quot;http://glastopf.1durch0.de/&quot;&gt;glastopf&lt;/a&gt;, his &lt;a href=&quot;http://code.google.com/soc/&quot;&gt;Google Summer of Code&lt;/a&gt; project. The goal of glastopf is to learn more about attacks against web applications, mainly by attracting &lt;a href=&quot;http://en.wikipedia.org/wiki/Remote_File_Inclusion&quot;&gt;remote file inclusion&lt;/a&gt; attacks. The new version now features a new parser that should be able to handle more attacks and respond in a more flexible way. Furthermore, the connection to a central database was improved, and the daemon now also drops privileges after starting up. &lt;a class=&#039;serendipity_image_link&#039; href=&#039;http://honeyblog.org/uploads/stuff/glastopf.png&#039;&gt;&lt;img class=&quot;serendipity_image_left&quot; width=&quot;110&quot; height=&quot;45&quot; style=&quot;float: left; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;http://honeyblog.org/uploads/stuff/glastopf.serendipityThumb.png&quot; alt=&quot;&quot; /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The software is constantly collecting information, and in the next couple of weeks more analysis tools will be implemented to also process the collected data. The current glastopf implementation logs status messages to &lt;a href=&quot;http://twitter.com/glastopf&quot;&gt;Twitter&lt;/a&gt;: &quot;&lt;a href=&quot;http://twitter.com/glastopf/status/2745366420&quot;&gt;Got 142 attacks in the last 30 minutes!&lt;/a&gt;&quot;. More than 13,000 IP addresses were observed and thousands of requests processed.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Mon, 20 Jul 2009 23:28:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/31-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>GSoC Update</title>
    <link>http://honeyblog.org/archives/27-GSoC-Update.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/27-GSoC-Update.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=27</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=27</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Yesterday the results of Google Summer of Code (GSoC) were released, and the Honeynet Project will mentor nine students during the summer who work on different projects: &lt;a href=&quot;http://socghop.appspot.com/org/home/google/gsoc2009/honeynet&quot;&gt;http://socghop.appspot.com/org/home/google/gsoc2009/honeynet&lt;/a&gt;. More information is also available at the &lt;a href=&quot;http://www.honeynet.org/gsoc&quot;&gt;Honeynet Project GSoC site&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
I&#039;m happy to mentor &lt;a href=&quot;http://glasblog.1durch0.de/&quot;&gt;Lukas Rist&lt;/a&gt;, who will work on &lt;a href=&quot;http://glastopf.1durch0.de/&quot;&gt;Glastopf&lt;/a&gt;. The goal of the project is to learn more about attacks by emulating vulnerabilities in web applications (&quot;We have two goals: First, collecting and analyzing data and second, trying to inform compromised web page owner. Actually we are mainly collecting Remote File Inclusion attacks, but others will follow.&quot;). The source code is available at &lt;a href=&quot;http://trac.1durch0.de/trac&quot;&gt;http://trac.1durch0.de/trac&lt;/a&gt; and will be improved during the GSoC period.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Tue, 21 Apr 2009 16:00:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/27-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>LEET'09 Taking Place Soon</title>
    <link>http://honeyblog.org/archives/25-LEET09-Taking-Place-Soon.html</link>
            <category>honeynets</category>
            <category>malware</category>
            <category>paper</category>
    
    <comments>http://honeyblog.org/archives/25-LEET09-Taking-Place-Soon.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=25</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=25</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    Join us at the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (&lt;a href=&quot;http://www.usenix.org/events/leet09/&quot;&gt;LEET&#039;09&lt;/a&gt;), which will take place in Boston, MA, on April 21, 2009. LEET &#039;09 will focus on the underlying mechanisms used to compromise and control hosts, the large-scale &quot;applications&quot; being perpetrated upon this framework, and the social and economic networks driving these threats. Sessions include Malware Analysis, Ethics in Botnet Research, Malware Behavior, and more.&lt;br /&gt;
&lt;br /&gt;
The full program is available at &lt;a href=&quot;http://www.usenix.org/events/leet09/tech/&quot;&gt;http://www.usenix.org/events/leet09/tech/&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
LEET &#039;09 will also include a session for Work-in-Progress reports. We encourage you to submit an abstract or proposal for a 5-minute presentation on your preliminary work to leet09wips@usenix.org.&lt;br /&gt;
&lt;br /&gt;
Connect with the broad community of researchers and practitioners who focus on worms, bots, spam, spyware, phishing, DDoS, and the ever-increasing palette of large-scale Internet-based threats in fostering the development of preliminary work in this diverse area and stimulating discussion of thought-provoking ideas.&lt;br /&gt;
&lt;br /&gt;
Find out more and register today at &lt;a href=&quot;http://www.usenix.org/leet09/&quot;&gt;http://www.usenix.org/leet09/&lt;/a&gt;.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Tue, 07 Apr 2009 08:38:00 +0200</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/25-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Google Summer of Code 2009</title>
    <link>http://honeyblog.org/archives/23-Google-Summer-of-Code-2009.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/23-Google-Summer-of-Code-2009.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=23</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=23</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    The Honeynet Project was selected for this year&#039;s &lt;a href=&quot;http://socghop.appspot.com/&quot;&gt;Google Summer of Code&lt;/a&gt;. If you are a student and interested in participating in the program, please take a look at &lt;a href=&quot;http://www.honeynet.org/gsoc&quot;&gt;http://www.honeynet.org/gsoc&lt;/a&gt;. There you will find all information about the projects related to the Honeynet Project. Google begins accepting applications from students today, so you need to be quick...
    </content:encoded>

    <pubDate>Mon, 23 Mar 2009 14:14:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/23-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>
<item>
    <title>Learning more about RFI Attacks</title>
    <link>http://honeyblog.org/archives/22-Learning-more-about-RFI-Attacks.html</link>
            <category>honeynets</category>
    
    <comments>http://honeyblog.org/archives/22-Learning-more-about-RFI-Attacks.html#comments</comments>
    <wfw:comment>http://honeyblog.org/wfwcomment.php?cid=22</wfw:comment>

    <wfw:commentRss>http://honeyblog.org/rss.php?version=2.0&amp;type=comments&amp;cid=22</wfw:commentRss>
    

    <author>nospam@example.com (Thorsten Holz)</author>
    <content:encoded>
    As part of the work at our &lt;a href=&quot;http://pi1.informatik.uni-mannheim.de/&quot;&gt;lab&lt;/a&gt; we started to work on methods to learn more about remote file inclusion (RFI) attacks. The Internet Storm Center has developed a web-based honeypot which is available in a &lt;a href=&quot;http://sites.google.com/site/webhoneypotsite/&quot;&gt;beta version&lt;/a&gt;. This honeypot can be used to collect information about different kinds of attacks, but requires the participant to install and maintain a honeypot on his own. For example, it is possible to deploy this honeypot on an &lt;a href=&quot;http://hype-free.blogspot.com/2009/03/installing-webhoneypot-on-openwrt.html&quot;&gt;OpenWrt router&lt;/a&gt;. &lt;br /&gt;
Since we are aiming only at RFI attacks, an easier approach is to redirect incoming malicious requests to a central honeypot which then aggregates the information. Jan already &lt;a href=&quot;http://zeroq.kulando.de/post/2009/03/10/collecting-rfi-data&quot;&gt;blogged about this idea&lt;/a&gt;; this posting is meant to spread the word.&lt;br /&gt;
&lt;br /&gt;
You can help us by using the following &lt;a href=&quot;http://httpd.apache.org/docs/trunk/howto/htaccess.html&quot;&gt;.htaccess&lt;/a&gt; file on your web server:&lt;br /&gt;
&lt;pre&gt;Options +FollowSymlinks
RewriteEngine on
RewriteCond %{QUERY_STRING} (.+=http:\/\/.+)
RewriteRule ^(.+)$ http://link.informatik.uni-mannheim.de/$1?%1 [R,NC] &lt;/pre&gt;These rules check whether the incoming request looks like an RFI attack (the RewriteCond matches a query-string parameter whose value starts with http://) and then redirect this request, including the original path and query string, to one of our honeypots (RewriteRule). Please let us know if you have any questions or ideas.&lt;br /&gt;
 
    </content:encoded>

    <pubDate>Sat, 21 Mar 2009 10:59:00 +0100</pubDate>
    <guid isPermaLink="false">http://honeyblog.org/archives/22-guid.html</guid>
    <creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
</item>

</channel>
</rss>
